Hi Flo,

Thanks for the great hint! I reran the ipa-client-install on the rhel6 box (ipadev6), and monitored the access log file you mentioned on the replica:

# ipa-client-install --domain=ipa.example.com --server=ipaprd2.example.com --hostname=ipadev6.example.com -d

( ipaprd2 = primary IPA server on RHEL7; ipadev6 = replica on RHEL6 )

AFTER about 3 seconds, I saw these on the replica ipaprd2:

[14/Dec/2016:13:11:41.071421132 -0500] conn=1040 fd=73 slot=73 connection from <IP of ipadev6> to <IP of ipaprd2>
[14/Dec/2016:13:11:41.071880026 -0500] conn=1040 op=0 EXT oid="1.3.6.1.4.1.1466.20037"
[14/Dec/2016:13:11:41.071964217 -0500] conn=1040 op=0 RESULT err=2 tag=120 nentries=0 etime=0
[14/Dec/2016:13:11:41.073275674 -0500] conn=1040 op=1 UNBIND
[14/Dec/2016:13:11:41.073307101 -0500] conn=1040 op=1 fd=73 closed - U1
[14/Dec/2016:13:11:41.074782496 -0500] conn=1041 fd=73 slot=73 connection from <IP of ipadev6> to <IP of ipaprd2>
[14/Dec/2016:13:11:41.074985233 -0500] conn=1041 op=0 EXT oid="1.3.6.1.4.1.1466.20037"
[14/Dec/2016:13:11:41.075022849 -0500] conn=1041 op=0 RESULT err=2 tag=120 nentries=0 etime=0
[14/Dec/2016:13:11:41.075448887 -0500] conn=1041 op=1 UNBIND
[14/Dec/2016:13:11:41.075460964 -0500] conn=1041 op=1 fd=73 closed - U1
[14/Dec/2016:13:11:49.006146850 -0500] conn=1029 op=8 UNBIND
[14/Dec/2016:13:11:49.006181982 -0500] conn=1029 op=8 fd=66 closed - U1

So I did see the err=2, and oid="1.3.6.1.4.1.1466.20037". I checked the oid and got:

1.3.6.1.4.1.1466.20037: StartTLS Request (RFC 4511)

It looked to be related with TLS... please advise. Thanks!

On Wed, Dec 14, 2016 at 7:57 AM, Florence Blanc-Renaud <[email protected]> wrote:
> On 12/14/2016 01:08 PM, beeth beeth wrote:
>
>> Thanks David. I installed both the master and replica IPA servers with
>> third-party certificates (Verisign), but I doubt that could be the issue,
>> because I had no problem to run the same ipa-client-install command on a
>> RHEL7 machine (of course, the --hostname used a different hostname of the
>> server). And I had no problem to run the ipa-client-install command with
>> --server=<master> on such RHEL6 machine.
>> So what could cause the LDAP communication failed during the client
>> enrollment with the replica? Is there a way I can troubleshoot this by
>> running some commands? So far I did telnet to check the open ports, as
>> well as run the ldapsearch towards the replica. Thanks again!
>>
>>
>> On Tue, Dec 13, 2016 at 8:46 AM, David Kupka <[email protected]> wrote:
>>
>> On 13/12/16 05:44, beeth beeth wrote:
>>
>> I have two IPA servers ipaprd1.example.com and ipaprd2.example.com,
>> running ipa 4.4 on RHEL7. When I tried to install/configure the client
>> on a RHEL6 system (called ipadev6), I had an issue when I tried to
>> enroll it with the replica (ipaprd2), while no issue with the primary
>> (ipaprd1):
>>
>> # ipa-client-install --domain=ipa.example.com --server=ipaprd1.example.com --server=ipaprd2.example.com --hostname=ipadev6.example.com
>> LDAP Error: Protocol error: unsupported extended operation
>> Autodiscovery of servers for failover cannot work with this configuration.
>> If you proceed with the installation, services will be configured to always
>> access the discovered server for all operations and will not fail over to
>> other servers in case of failure.
>> Proceed with fixed values and no DNS discovery? [no]
>>
>> Then I tried to run ipa-client-install to enroll with the replica
>> (ipaprd2), with debug mode, I got this:
>>
>> # ipa-client-install --domain=ipa.example.com --server=ipaprd2.example.com --hostname=ipadev6.example.com -d
>> /usr/sbin/ipa-client-install was invoked with options: {'domain': 'ipa.example.com', 'force': False, 'realm_name': None, 'krb5_offline_passwords': True, 'primary': False, 'mkhomedir': False, 'create_sshfp': True, 'conf_sshd': True, 'conf_ntp': True, 'on_master': False, 'ntp_server': None, 'nisdomain': None, 'no_nisdomain': False, 'principal': None, 'hostname': 'ipadev6.example.com', 'no_ac': False, 'unattended': None, 'sssd': True, 'trust_sshfp': False, 'kinit_attempts': 5, 'dns_updates': False, 'conf_sudo': True, 'conf_ssh': True, 'force_join': False, 'ca_cert_file': None, 'server': ['ipaprd2.example.com'], 'prompt_password': False, 'permit': False, 'debug': True, 'preserve_sssd': False, 'uninstall': False}
>> missing options might be asked for interactively later
>> Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
>> Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
>> [IPA Discovery]
>> Starting IPA discovery with domain=ipa.example.com, servers=['ipaprd2.example.com'], hostname=ipadev6.example.com
>> Server and domain forced
>> [Kerberos realm search]
>> Search DNS for TXT record of _kerberos.ipa.example.com.
>> No DNS record found
>> Search DNS for SRV record of _kerberos._udp.ipa.example.com.
>> No DNS record found
>> SRV record for KDC not found! Domain: ipa.example.com
>> [LDAP server check]
>> Verifying that ipaprd2.example.com (realm None) is an IPA server
>> Init LDAP connection with: ldap://ipaprd2.example.com:389
>> LDAP Error: Protocol error: unsupported extended operation
>> Discovery result: UNKNOWN_ERROR; server=None, domain=ipa.example.com, kdc=None, basedn=None
>> Validated servers:
>> will use discovered domain: ipa.example.com
>> IPA Server not found
>> [IPA Discovery]
>> Starting IPA discovery with domain=ipa.example.com, servers=['ipaprd2.example.com'], hostname=ipadev6.example.com
>> Server and domain forced
>> [Kerberos realm search]
>> Search DNS for TXT record of _kerberos.ipa.example.com.
>> No DNS record found
>> Search DNS for SRV record of _kerberos._udp.ipa.example.com.
>> No DNS record found
>> SRV record for KDC not found! Domain: ipa.example.com
>> [LDAP server check]
>> Verifying that ipaprd2.example.com (realm None) is an IPA server
>> Init LDAP connection with: ldap://ipaprd2.example.com:389
>> LDAP Error: Protocol error: unsupported extended operation
>> Discovery result: UNKNOWN_ERROR; server=None, domain=ipa.example.com, kdc=None, basedn=None
>> Validated servers:
>> Failed to verify that ipaprd2.example.com is an IPA Server.
>> This may mean that the remote server is not up or is not reachable due to
>> network or firewall settings.
>> Please make sure the following ports are opened in the firewall settings:
>> TCP: 80, 88, 389
>> UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
>> Also note that following ports are necessary for ipa-client working
>> properly after enrollment:
>> TCP: 464
>> UDP: 464, 123 (if NTP enabled)
>> (ipaprd2.example.com: Provided as option)
>> Installation failed. Rolling back changes.
>> IPA client is not configured on this system.
>>
>>
>> I double checked the services running on the replica, all looked well:
>> ports are listening, and I could telnet the ports from the client
>> (ipadev6). I could run "ldapsearch" command to talk to the replica
>> (ipaprd2) from this client (ipadev6), with pulling out all the LDAP
>> records.
>>
>> Also, I have another test box running RHEL7, and no issue at all to run
>> the exact same ipa-client-install command on that RHEL7 box. So could
>> there be a bug on the ipa-client software on RHEL6, to talk to IPA server
>> running on RHEL7? Please advise. Thank you!
>>
> Hi Beeth,
>
> you may want to check the access and errors log of the Directory Server in
> /var/log/dirsrv/slapd-DOMAIN. The extended operations are logged in the
> access log with the tag "EXT oid=...", but a failing operation related to
> unsupported extended operation will probably log a "RESULT err=2".
>
> So I would first check access log and look for such a failure. With the
> OID we will be able to understand which operation is failing and which part
> could be misconfigured.
>
> HTH,
> Flo.
>
>> Best regards,
>> Beeth
>>
>>
>>
>> Hello Beeth,
>> I've tried to reproduce the problem you described with 7.3
>> (ipa-server 4.4.0-12) on master and replica and 6.9 (ipa-client
>> 3.0.0-51) on client and it worked for me as expected.
>> I've done these steps:
>> [master] # ipa-server-install -a Secret123 -p Secret123 --domain example.test --realm EXAMPLE.TEST --setup-dns --auto-forwarders -U
>> [replica] # ipa-client-install -p admin -w Secret123 --domain example.test --server master.example.test -U
>> [replica] # ipa-replica-install
>> [client] # ipa-client-install -p admin -w Secret123 --domain example.test --server replica.example.test -U
>> [client] # id admin
>>
>> Is there anything you've done differently?
>>
>> --
>> David Kupka
>>
>
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
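Flo's hint (look in the Directory Server access log for an "EXT oid=..." whose "RESULT err=2" follows on the same conn/op) can be applied mechanically. The Python helper below is an added example, not code from the thread or from FreeIPA; it assumes the 389-ds access-log layout shown above, and its sample input is the log excerpt from the thread (IPs left as placeholders) plus one constructed successful StartTLS on conn=1042 to show that successes are filtered out.

```python
import re

# Names for the extended-operation OIDs we care about; StartTLS is the one in the thread.
OID_NAMES = {"1.3.6.1.4.1.1466.20037": "StartTLS Request (RFC 4511)"}

# Sample input: the access-log lines from the thread, plus a constructed
# conn=1042 whose StartTLS succeeds (err=0) and must therefore not be reported.
SAMPLE_ACCESS_LOG = """\
[14/Dec/2016:13:11:41.071421132 -0500] conn=1040 fd=73 slot=73 connection from <IP of ipadev6> to <IP of ipaprd2>
[14/Dec/2016:13:11:41.071880026 -0500] conn=1040 op=0 EXT oid="1.3.6.1.4.1.1466.20037"
[14/Dec/2016:13:11:41.071964217 -0500] conn=1040 op=0 RESULT err=2 tag=120 nentries=0 etime=0
[14/Dec/2016:13:11:41.073275674 -0500] conn=1040 op=1 UNBIND
[14/Dec/2016:13:11:41.074985233 -0500] conn=1041 op=0 EXT oid="1.3.6.1.4.1.1466.20037"
[14/Dec/2016:13:11:41.075022849 -0500] conn=1041 op=0 RESULT err=2 tag=120 nentries=0 etime=0
[14/Dec/2016:13:11:41.075448887 -0500] conn=1041 op=1 UNBIND
[14/Dec/2016:13:11:45.000000000 -0500] conn=1042 op=0 EXT oid="1.3.6.1.4.1.1466.20037"
[14/Dec/2016:13:11:45.000100000 -0500] conn=1042 op=0 RESULT err=0 tag=120 nentries=0 etime=0
"""

EXT_RE = re.compile(r'conn=(\d+) op=(\d+) EXT oid="([\d.]+)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT err=(\d+)')


def failed_extended_ops(log_text):
    """Pair every EXT line with the RESULT line for the same conn/op and return
    one dict per extended operation that did not succeed (err != 0).
    err=2 is LDAP protocolError, which the client reports as "Protocol error"."""
    pending = {}   # (conn, op) -> oid, until the matching RESULT line arrives
    failures = []
    for line in log_text.splitlines():
        m = EXT_RE.search(line)
        if m:
            pending[(m.group(1), m.group(2))] = m.group(3)
            continue
        m = RESULT_RE.search(line)
        if m:
            key = (m.group(1), m.group(2))
            oid = pending.pop(key, None)   # RESULT of a non-EXT op: nothing pending, skip
            err = int(m.group(3))
            if oid is not None and err != 0:
                failures.append({"conn": key[0], "op": key[1], "oid": oid, "err": err,
                                 "name": OID_NAMES.get(oid, "unknown extended operation")})
    return failures


if __name__ == "__main__":
    for f in failed_extended_ops(SAMPLE_ACCESS_LOG):
        print(f"conn={f['conn']} op={f['op']}: {f['name']} ({f['oid']}) failed, err={f['err']}")
```

Running it against a real /var/log/dirsrv/slapd-DOMAIN/access file (read the file into the function instead of the sample string) lists the failing OIDs, which is what is needed to tell a StartTLS problem apart from some other unsupported extended operation.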
