Re: [Freeipa-devel] [PATCH 0016] Adds port to connection error message in ipa-client-install
Tomas Babej wrote: On 10/04/2012 11:06 AM, Tomas Babej wrote: On 10/03/2012 07:27 PM, Rob Crittenden wrote: Tomas Babej wrote: On 10/03/2012 03:31 PM, Tomas Babej wrote: On 10/02/2012 08:48 PM, Rob Crittenden wrote: Tomas Babej wrote: On 09/26/2012 09:32 PM, Rob Crittenden wrote: Tomas Babej wrote: Hi, Connection error message in ipa-client-install now warns the user about the need of opening 389 port for directory server. https://fedorahosted.org/freeipa/ticket/2816 I think this can be pushed as a one-liner. I think we should list all ports that are required for client enrollment. From my calculations we need at a minimum tcp ports 80 and 389, either or both udp/tcp for port 88 and if NTP is enabled 123 udp for enrollment alone. The NTP failure won't cause enrollment to fail though, so we may be able to skip that. Similarly 464 should be enabled but we don't use it during enrollment. rob I improved the error message. Please check if there are any issues. Thanks Tomas This only works if port 389 is blocked, not 88 or 80. rob I tested and added the port configuration info message at the appropriate places for TCP 80, 88, 389 ports. I also added the info message at the end of installation output. Please consider if you agree with this approach. Tomas I reworded the commit message, due to the scope of changes made since the first revision of the patch. Tomas Works a lot better, just a few more suggestions: 1. When we fail to retrieve the CA from the remote server we log it but don't print it. I think this would make it clearer why we think this isn't an IPA server. 2. Do we need to print the ports message at the end? If it gets this far then at least ports 80, 88 and 389 are open. I would suggest dropping the last message. I think we should also open a new ticket and do port checks on the things we need so we can confirm it up front instead of one-at-a-time. rob 1.) Done. 2.) 
Well I had a feeling it was not really necessary too - it adds a lot to the output of the installation, but the user wouldn't be informed about the need of opening 464 port. However, your proposed ticket should solve this issue, and will give more specific information rather than a general advice. See more: https://fedorahosted.org/freeipa/ticket/3138 I suggest opening a similar ticket for ipa-server-install, at the end we print a general info message about which ports should be open for IPA Server to work properly. Re-using the work done in ticket 3138, we could rather check which particular ports are not opened and therefore give the user more specific information too. Tomas Patch now attached, sorry. Tomas ACK, pushed to master and ipa-3-0 rob ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
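The up-front port check Rob proposes, which ticket 3138 picks up, could look like this in Python. This is an added example, not code from the FreeIPA patch or project: the port numbers are the ones listed in the thread, the port roles and all function names are the editor's, and the local listener in the demo stands in for an IPA server so the block runs offline.

```python
"""Added example (not FreeIPA code): up-front check of the TCP ports
ipa-client-install needs, in the spirit of ticket 3138. Port roles are the
editor's annotation; the port numbers are the ones listed in the thread."""
import socket

ENROLLMENT_TCP = (80, 88, 389)          # needed during enrollment
PORT_ROLE = {80: "HTTP, CA certificate retrieval",
             88: "Kerberos KDC",
             389: "LDAP, server discovery"}


def check_tcp_ports(host, ports, timeout=3.0):
    """Return {port: bool}: does a TCP handshake to host:port complete?
    Refused and timed-out connections both count as unreachable; no protocol
    is spoken, so only what a firewall block prevents is detected. UDP (88,
    464, 123) is deliberately not probed: a silent UDP port cannot be told
    apart from a filtered one, and TCP 88 succeeding already satisfies the
    'at least one of TCP/UDP 88' requirement."""
    results = {}
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                results[port] = True
        except OSError:              # refused, timed out, host unreachable
            results[port] = False
    return results


def port_conf_message(results):
    """Operator-facing text that names only the ports that actually failed,
    instead of the full list print_port_conf_info() prints on every error."""
    missing = sorted(port for port, ok in results.items() if not ok)
    if not missing:
        return ("All TCP ports needed for enrollment (80, 88, 389) are "
                "reachable. TCP/UDP 464 and UDP 123 (if NTP is enabled) are "
                "needed after enrollment.")
    lines = ["These TCP ports could not be reached and may be blocked by a "
             "firewall:"]
    for port in missing:
        lines.append("  TCP %d (%s)" % (port, PORT_ROLE.get(port, "unknown")))
    if 88 in missing:
        lines.append("  Kerberos also works over UDP 88; at least one of "
                     "TCP/UDP 88 has to be open.")
    return "\n".join(lines)


def demo_against_local_listener():
    """Offline demo: probe one listening and one closed port on 127.0.0.1 and
    return (reachable, unreachable), so the example runs without an IPA server."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()                    # nothing listens here now: connect is refused
    try:
        results = check_tcp_ports("127.0.0.1", [open_port, closed_port], 1.0)
    finally:
        listener.close()
    return results[open_port], results[closed_port]


if __name__ == "__main__":
    import sys                       # usage: python portcheck.py ipa.example.test
    if len(sys.argv) > 1:
        print(port_conf_message(check_tcp_ports(sys.argv[1], ENROLLMENT_TCP)))
    else:
        print("local demo (reachable, unreachable):", demo_against_local_listener())
```

Run with a server name to get the per-port report; without arguments it only exercises the local demo.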
Re: [Freeipa-devel] [PATCH 0016] Adds port to connection error message in ipa-client-install
On 10/03/2012 07:27 PM, Rob Crittenden wrote: Tomas Babej wrote: On 10/03/2012 03:31 PM, Tomas Babej wrote: On 10/02/2012 08:48 PM, Rob Crittenden wrote: Tomas Babej wrote: On 09/26/2012 09:32 PM, Rob Crittenden wrote: Tomas Babej wrote: Hi, Connection error message in ipa-client-install now warns the user about the need of opening 389 port for directory server. https://fedorahosted.org/freeipa/ticket/2816 I think this can be pushed as a one-liner. I think we should list all ports that are required for client enrollment. From my calculations we need at a minimum tcp ports 80 and 389, either or both udp/tcp for port 88 and if NTP is enabled 123 udp for enrollment alone. The NTP failure won't cause enrollment to fail though, so we may be able to skip that. Similarly 464 should be enabled but we don't use it during enrollment. rob I improved the error message. Please check if there are any issues. Thanks Tomas This only works if port 389 is blocked, not 88 or 80. rob I tested and added the port configuration info message at the appropriate places for TCP 80, 88, 389 ports. I also added the info message at the end of installation output. Please consider if you agree with this approach. Tomas I reworded the commit message, due to the scope of changes made since the first revision of the patch. Tomas Works a lot better, just a few more suggestions: 1. When we fail to retrieve the CA from the remote server we log it but don't print it. I think this would make it clearer why we think this isn't an IPA server. 2. Do we need to print the ports message at the end? If it gets this far then at least ports 80, 88 and 389 are open. I would suggest dropping the last message. I think we should also open a new ticket and do port checks on the things we need so we can confirm it up front instead of one-at-a-time. rob 1.) Done. 2.) 
Well I had a feeling it was not really necessary too - it adds a lot to the output of the installation, but the user wouldn't be informed about the need of opening 464 port. However, your proposed ticket should solve this issue, and will give more specific information rather than a general advice. See more: https://fedorahosted.org/freeipa/ticket/3138 I suggest opening a similar ticket for ipa-server-install, at the end we print a general info message about which ports should be open for IPA Server to work properly. Re-using the work done in ticket 3138, we could rather check which particular ports are not opened and therefore give the user more specific information too. Tomas
Re: [Freeipa-devel] [PATCH 0016] Adds port to connection error message in ipa-client-install
On 10/02/2012 08:48 PM, Rob Crittenden wrote: Tomas Babej wrote: On 09/26/2012 09:32 PM, Rob Crittenden wrote: Tomas Babej wrote: Hi, Connection error message in ipa-client-install now warns the user about the need of opening 389 port for directory server. https://fedorahosted.org/freeipa/ticket/2816 I think this can be pushed as a one-liner. I think we should list all ports that are required for client enrollment. From my calculations we need at a minimum tcp ports 80 and 389, either or both udp/tcp for port 88 and if NTP is enabled 123 udp for enrollment alone. The NTP failure won't cause enrollment to fail though, so we may be able to skip that. Similarly 464 should be enabled but we don't use it during enrollment. rob I improved the error message. Please check if there are any issues. Thanks Tomas This only works if port 389 is blocked, not 88 or 80. rob I tested and added the port configuration info message at the appropriate places for TCP 80, 88, 389 ports. I also added the info message at the end of installation output. Please consider if you agree with this approach. Tomas From 2601be3b4373d7449daedefbcad82f034efb266d Mon Sep 17 00:00:00 2001 From: Tomas Babej tba...@redhat.com Date: Wed, 26 Sep 2012 08:52:50 -0400 Subject: [PATCH] Adds port to connection error message in ipa-client-install Connection error message in ipa-client-install now warns the user about the need of opening 389 port for directory server. https://fedorahosted.org/freeipa/ticket/2816 --- ipa-client/ipa-install/ipa-client-install | 24 ++-- 1 file changed, 22 insertions(+), 2 deletions(-) diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index ee8e5831866e1f5d960cbbca290606a944b0f357..e32c4979b0fd5decaf7bcb7022dc890782b33e3c 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install 
@@ -1248,6 +1248,17 @@ def update_ssh_keys(server, hostname, ssh_dir, create_sshfp): if not do_nsupdate(update_txt): root_logger.warning(Could not update DNS SSHFP records.) +def print_port_conf_info(): +root_logger.info( +Please make sure the following ports are opened +in the firewall settings:\n + TCP: 80, 88, 389\n + UDP: 88 (at least one of TCP/UDP ports 88 has to be open)\n +Also note that following ports are necessary for ipa-client +working properly after enrollment:\n + TCP: 464\n + UDP: 464, 123 (if NTP enabled)) + def install(options, env, fstore, statestore): dnsok = False @@ -1377,6 +1388,7 @@ def install(options, env, fstore, statestore): if ret == ipadiscovery.NOT_IPA_SERVER: root_logger.error(%s is not an IPA v2 Server., cli_server[0]) +print_port_conf_info() root_logger.debug((%s: %s), cli_server[0], cli_server_source) return CLIENT_INSTALL_ERROR @@ -1390,8 +1402,9 @@ def install(options, env, fstore, statestore): if ret != 0: root_logger.error(Failed to verify that %s is an IPA Server., cli_server[0]) -root_logger.error(This may mean that the remote server is not up + +root_logger.error(This may mean that the remote server is not up or is not reachable due to network or firewall settings.) +print_port_conf_info() root_logger.debug((%s: %s), cli_server[0], cli_server_source) return CLIENT_INSTALL_ERROR @@ -1440,6 +1453,7 @@ def install(options, env, fstore, statestore): ret = ds.search(domain=cli_domain, server=server, hostname=hostname) if ret == ipadiscovery.NOT_IPA_SERVER: root_logger.error(%s is not an IPA v2 Server., server) +print_port_conf_info() root_logger.debug((%s: %s), server, cli_server_source) return CLIENT_INSTALL_ERROR 
@@ -1519,7 +1533,8 @@ def install(options, env, fstore, statestore): synced_ntp = ipaclient.ntpconf.synconce_ntp(cli_server[0]) if not synced_ntp: root_logger.warning(Unable to sync time with IPA NTP + -server, assuming the time is in sync.) +server, assuming the time is in sync. Please check + +that 123 UDP port is opened.) (krb_fd, krb_name) = tempfile.mkstemp() os.close(krb_fd) if configure_krb5_conf( @@ -1573,6 +1588,7 @@ def install(options, env, fstore, statestore): if returncode != 0: root_logger.error(Kerberos authentication failed) root_logger.info(%s, stdout) +print_port_conf_info() return CLIENT_INSTALL_ERROR elif options.password: nolog = (options.password,) @@ -1869,6 +1885,10 @@ def install(options, env, fstore, statestore):
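Review bot: in the @@ -1573 hunk, print_port_conf_info() runs on every non-zero return from the kinit call, so a mistyped password, an unknown principal or clock skew will also produce firewall advice that has nothing to do with the failure; gate the call on the kinit output that is logged just above it (root_logger.info("%s", stdout)) or reword the hint as conditional, e.g. "If the KDC could not be reached, make sure the following ports are open". The @@ -1869 hunk header shows four more lines added at the end of install(), but by that point the exchanges on TCP 80, 88 and 389 have already succeeded, so the only information new to the user there is TCP/UDP 464 and UDP 123; trimming the final message to those two ports, or dropping it, avoids repeating the full firewall list on a successful run.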
Re: [Freeipa-devel] [PATCH 0016] Adds port to connection error message in ipa-client-install
On 10/03/2012 03:31 PM, Tomas Babej wrote: On 10/02/2012 08:48 PM, Rob Crittenden wrote: Tomas Babej wrote: On 09/26/2012 09:32 PM, Rob Crittenden wrote: Tomas Babej wrote: Hi, Connection error message in ipa-client-install now warns the user about the need of opening 389 port for directory server. https://fedorahosted.org/freeipa/ticket/2816 I think this can be pushed as a one-liner. I think we should list all ports that are required for client enrollment. From my calculations we need at a minimum tcp ports 80 and 389, either or both udp/tcp for port 88 and if NTP is enabled 123 udp for enrollment alone. The NTP failure won't cause enrollment to fail though, so we may be able to skip that. Similarly 464 should be enabled but we don't use it during enrollment. rob I improved the error message. Please check if there are any issues. Thanks Tomas This only works if port 389 is blocked, not 88 or 80. rob I tested and added the port configuration info message at the appropriate places for TCP 80, 88, 389 ports. I also added the info message at the end of installation output. Please consider if you agree with this approach. Tomas I reworded the commit message, due to the scope of changes made since the first revision of the patch. Tomas From 589703d57518b304c06d321961e7985edd7f5b9c Mon Sep 17 00:00:00 2001 From: Tomas Babej tba...@redhat.com Date: Wed, 26 Sep 2012 08:52:50 -0400 Subject: [PATCH] Notify user about necessary ports in ipa-client-install Connection error message in ipa-client-install now warns the user about the need of opening of all the necessary ports for ipa-client enrollment when error that might have been caused by closed ports is encountered. Mentions the ports needed after the client enrollment as well. Also prints the same info message at the end of the installation process. https://fedorahosted.org/freeipa/ticket/2816 --- ipa-client/ipa-install/ipa-client-install | 24 ++-- 1 file changed, 22 insertions(+), 2 deletions(-) 
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index ee8e5831866e1f5d960cbbca290606a944b0f357..e32c4979b0fd5decaf7bcb7022dc890782b33e3c 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -1248,6 +1248,17 @@ def update_ssh_keys(server, hostname, ssh_dir, create_sshfp): if not do_nsupdate(update_txt): root_logger.warning(Could not update DNS SSHFP records.) +def print_port_conf_info(): +root_logger.info( +Please make sure the following ports are opened +in the firewall settings:\n + TCP: 80, 88, 389\n + UDP: 88 (at least one of TCP/UDP ports 88 has to be open)\n +Also note that following ports are necessary for ipa-client +working properly after enrollment:\n + TCP: 464\n + UDP: 464, 123 (if NTP enabled)) + def install(options, env, fstore, statestore): dnsok = False @@ -1377,6 +1388,7 @@ def install(options, env, fstore, statestore): if ret == ipadiscovery.NOT_IPA_SERVER: root_logger.error(%s is not an IPA v2 Server., cli_server[0]) +print_port_conf_info() root_logger.debug((%s: %s), cli_server[0], cli_server_source) return CLIENT_INSTALL_ERROR @@ -1390,8 +1402,9 @@ def install(options, env, fstore, statestore): if ret != 0: root_logger.error(Failed to verify that %s is an IPA Server., cli_server[0]) -root_logger.error(This may mean that the remote server is not up + +root_logger.error(This may mean that the remote server is not up or is not reachable due to network or firewall settings.) +print_port_conf_info() root_logger.debug((%s: %s), cli_server[0], cli_server_source) return CLIENT_INSTALL_ERROR @@ -1440,6 +1453,7 @@ def install(options, env, fstore, statestore): ret = ds.search(domain=cli_domain, server=server, hostname=hostname) if ret == ipadiscovery.NOT_IPA_SERVER: root_logger.error(%s is not an IPA v2 Server., server) +print_port_conf_info() root_logger.debug((%s: %s), server, cli_server_source) return CLIENT_INSTALL_ERROR 
@@ -1519,7 +1533,8 @@ def install(options, env, fstore, statestore): synced_ntp = ipaclient.ntpconf.synconce_ntp(cli_server[0]) if not synced_ntp: root_logger.warning(Unable to sync time with IPA NTP + -server, assuming the time is in sync.) +server, assuming the time is in sync. Please check + +that 123 UDP port is opened.) (krb_fd, krb_name) = tempfile.mkstemp() os.close(krb_fd) if configure_krb5_conf( @@ -1573,6 +1588,7 @@ def install(options, env, fstore, statestore): if returncode !=
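Review bot: in the @@ -1377 and @@ -1440 hunks the firewall hint is printed right after "%s is not an IPA v2 Server.", while the reason discovery reached that conclusion stays at debug level; printing the underlying failure at error level would let the user tell a blocked port from a host that simply is not an IPA server. In the @@ -1248 hunk, print_port_conf_info() should carry a one-line docstring saying which error paths call it, and "ports are opened" / "ports are necessary for ipa-client working properly" read better as "ports are open" / "ports are necessary for the client to work properly after enrollment".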
Re: [Freeipa-devel] [PATCH 0016] Adds port to connection error message in ipa-client-install
Tomas Babej wrote: On 10/03/2012 03:31 PM, Tomas Babej wrote: On 10/02/2012 08:48 PM, Rob Crittenden wrote: Tomas Babej wrote: On 09/26/2012 09:32 PM, Rob Crittenden wrote: Tomas Babej wrote: Hi, Connection error message in ipa-client-install now warns the user about the need of opening 389 port for directory server. https://fedorahosted.org/freeipa/ticket/2816 I think this can be pushed as a one-liner. I think we should list all ports that are required for client enrollment. From my calculations we need at a minimum tcp ports 80 and 389, either or both udp/tcp for port 88 and if NTP is enabled 123 udp for enrollment alone. The NTP failure won't cause enrollment to fail though, so we may be able to skip that. Similarly 464 should be enabled but we don't use it during enrollment. rob I improved the error message. Please check if there are any issues. Thanks Tomas This only works if port 389 is blocked, not 88 or 80. rob I tested and added the port configuration info message at the appropriate places for TCP 80, 88, 389 ports. I also added the info message at the end of installation output. Please consider if you agree with this approach. Tomas I reworded the commit message, due to the scope of changes made since the first revision of the patch. Tomas Works a lot better, just a few more suggestions: 1. When we fail to retrieve the CA from the remote server we log it but don't print it. I think this would make it clearer why we think this isn't an IPA server. 2. Do we need to print the ports message at the end? If it gets this far then at least ports 80, 88 and 389 are open. I would suggest dropping the last message. I think we should also open a new ticket and do port checks on the things we need so we can confirm it up front instead of one-at-a-time. rob
Re: [Freeipa-devel] [PATCH 0016] Adds port to connection error message in ipa-client-install
Tomas Babej wrote: On 09/26/2012 09:32 PM, Rob Crittenden wrote: Tomas Babej wrote: Hi, Connection error message in ipa-client-install now warns the user about the need of opening 389 port for directory server. https://fedorahosted.org/freeipa/ticket/2816 I think this can be pushed as a one-liner. I think we should list all ports that are required for client enrollment. From my calculations we need at a minimum tcp ports 80 and 389, either or both udp/tcp for port 88 and if NTP is enabled 123 udp for enrollment alone. The NTP failure won't cause enrollment to fail though, so we may be able to skip that. Similarly 464 should be enabled but we don't use it during enrollment. rob I improved the error message. Please check if there are any issues. Thanks Tomas This only works if port 389 is blocked, not 88 or 80. rob
Re: [Freeipa-devel] [PATCH 0016] Adds port to connection error message in ipa-client-install
On 09/26/2012 09:32 PM, Rob Crittenden wrote: Tomas Babej wrote: Hi, Connection error message in ipa-client-install now warns the user about the need of opening 389 port for directory server. https://fedorahosted.org/freeipa/ticket/2816 I think this can be pushed as a one-liner. I think we should list all ports that are required for client enrollment. From my calculations we need at a minimum tcp ports 80 and 389, either or both udp/tcp for port 88 and if NTP is enabled 123 udp for enrollment alone. The NTP failure won't cause enrollment to fail though, so we may be able to skip that. Similarly 464 should be enabled but we don't use it during enrollment. rob I improved the error message. Please check if there are any issues. Thanks Tomas From 397745847ad1612e37c093a803a6f2a3b06d6b3d Mon Sep 17 00:00:00 2001 From: Tomas Babej tba...@redhat.com Date: Wed, 26 Sep 2012 08:52:50 -0400 Subject: [PATCH] Adds port to connection error message in ipa-client-install Connection error message in ipa-client-install now warns the user about the need of opening 389 port for directory server. https://fedorahosted.org/freeipa/ticket/2816 --- ipa-client/ipa-install/ipa-client-install | 12 ++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index ee8e5831866e1f5d960cbbca290606a944b0f357..9323b22be4b8e8746804eb849689775389fa961b 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install 
@@ -1390,8 +1390,16 @@ def install(options, env, fstore, statestore): if ret != 0: root_logger.error(Failed to verify that %s is an IPA Server., cli_server[0]) -root_logger.error(This may mean that the remote server is not up + -or is not reachable due to network or firewall settings.) +root_logger.error(This may mean that the remote server is not up +or is not reachable due to network or firewall settings. +Please make sure the following ports are opened in the firewall settings:\n + TCP: 80, 88, 389\n + UDP: 88\n +Also note that following ports are necessary for ipa-client +working properly after enrollment:\n + TCP: 464\n + UDP: 464, 123 (if NTP enabled) + ) root_logger.debug((%s: %s), cli_server[0], cli_server_source) return CLIENT_INSTALL_ERROR -- 1.7.11.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
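Review bot: the expanded port list in the @@ -1390 hunk is still emitted only in the `ret != 0` branch after "Failed to verify that %s is an IPA Server.", so a block on TCP 80 or 88 that surfaces in another part of install() (the NOT_IPA_SERVER returns, the Kerberos authentication step) never shows it; moving the text into a helper that each of those exits calls would fix that without duplicating the string. Also, listing "TCP: 80, 88, 389" and "UDP: 88" side by side reads as both 88s being required, while Kerberos needs either one; say "at least one of TCP/UDP 88 has to be open".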
[Freeipa-devel] [PATCH 0016] Adds port to connection error message in ipa-client-install
Hi, Connection error message in ipa-client-install now warns the user about the need of opening 389 port for directory server. https://fedorahosted.org/freeipa/ticket/2816 I think this can be pushed as a one-liner. Tomas From 0f4ad3917ecf8a9d290923c7fae0a55f4f8d2448 Mon Sep 17 00:00:00 2001 From: Tomas Babej tba...@redhat.com Date: Wed, 26 Sep 2012 08:52:50 -0400 Subject: [PATCH] Adds port to connection error message in ipa-client-install Connection error message in ipa-client-install now warns the user about the need of opening 389 port for directory server. https://fedorahosted.org/freeipa/ticket/2816 --- ipa-client/ipa-install/ipa-client-install | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index a1233fd8ae265df138097757b861163f410b3c92..7c37d11595922b997fc1a63ccda6052898b6ae9d 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -1391,7 +1391,8 @@ def install(options, env, fstore, statestore): root_logger.error(Failed to verify that %s is an IPA Server., cli_server[0]) root_logger.error(This may mean that the remote server is not up + -or is not reachable due to network or firewall settings.) +or is not reachable due to network or firewall settings. + +Please make sure 389 port is opened in the firewall settings.) root_logger.debug((%s: %s), cli_server[0], cli_server_source) return CLIENT_INSTALL_ERROR -- 1.7.11.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
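Review bot: the message added in the @@ -1391 hunk names only port 389, but this branch fires on any non-zero return from verifying the IPA server, and enrollment also needs TCP 80 and Kerberos on 88 (TCP or UDP), so a user who opens 389 alone can hit the same error again with no new hint; list the full set of enrollment ports here. Minor wording: "389 port is opened" should read "port 389 is open".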
Re: [Freeipa-devel] [PATCH 0016] Adds port to connection error message in ipa-client-install
Tomas Babej wrote: Hi, Connection error message in ipa-client-install now warns the user about the need of opening 389 port for directory server. https://fedorahosted.org/freeipa/ticket/2816 I think this can be pushed as a one-liner. I think we should list all ports that are required for client enrollment. From my calculations we need at a minimum tcp ports 80 and 389, either or both udp/tcp for port 88 and if NTP is enabled 123 udp for enrollment alone. The NTP failure won't cause enrollment to fail though, so we may be able to skip that. Similarly 464 should be enabled but we don't use it during enrollment. rob