Re: [Freeipa-devel] [PATCH 0005] Clarified error message with ipa-client-automount
Lynn Root wrote:
> On Mon 03 Dec 2012 05:20:32 AM PST, Lynn Root wrote:
>> On 11/30/2012 10:35 PM, Rob Crittenden wrote:
>>> Lynn Root wrote:
>>>> Returns a clearer hint when user is running ipa-client-automount
>>>> with possible firewall up and blocking needed ports.
>>>>
>>>> Not sure if this patch is worded correctly in order to address the
>>>> potential firewall block when running ipa-client-automount. Perhaps
>>>> a different error should be thrown, rather than NOT_IPA_SERVER.
>>>>
>>>> Ticket: https://fedorahosted.org/freeipa/ticket/3080
>>>
>>> Tomas made a similar change recently in ipa-client-install which
>>> includes more information on the ports we need. You may want to take
>>> a look at that. It was for ticket
>>> https://fedorahosted.org/freeipa/ticket/2816
>>>
>>> rob
>>
>> Thank you Rob - I adapted the same approach in this updated patch. Let
>> me know if it addresses the blocked port issue better.
>>
>> Thanks!
>
> Just bumping this thread - I think this might have fallen on the
> way-side; certainly lost track of it myself after returning
> home/holidays.
>
> However I noticed that this ticket
> (https://fedorahosted.org/freeipa/ticket/3080) now has an RFE tag -
> don't _believe_ that was there when I started working on it in late
> November. I believe the whole design doc conversation was going on
> around then. I assume I'll need to start one for this?
>
> Thanks!

I think this is still not quite right, and I think could be improved in
ipa-client-install as well.

ipacheckldap() only tries to connect to port 389 (optionally with
StartTLS). It returns a number of different possible errors, I think we
should have some way to report more specific error messages based on
those (can't connect to server Y on port 389, Unable to find Kerberos
container, etc) in addition to "Unable to confirm that X is an IPA
server". We probably want to do something about the v2 part as well.

I think a table in ipadiscovery to translate the possible return vals
from ipacheckldap() into a string that can be logged is the way to go.

rob

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
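
One way the translation table suggested in the message above could look, as an added example that is not FreeIPA code and not part of the thread. Only the name NOT_IPA_SERVER comes from the thread; the other result names, all numeric values, and the functions `probe_port` and `explain` are assumptions made for illustration.

```python
import socket

# Hypothetical result codes. Only the name NOT_IPA_SERVER appears in the
# thread; the other names and every numeric value are assumptions.
OK, CANNOT_CONNECT, CONNECT_TIMEOUT, BAD_HOSTNAME = 0, 1, 2, 3
NO_KERBEROS_CONTAINER, NOT_IPA_SERVER = 4, 5

# One loggable string per specific failure.
MESSAGES = {
    CANNOT_CONNECT: "Cannot connect to server %(server)s on port %(port)d",
    CONNECT_TIMEOUT: "No answer from server %(server)s on port %(port)d",
    BAD_HOSTNAME: "Cannot resolve host name %(server)s",
    NO_KERBEROS_CONTAINER: "Unable to find Kerberos container on %(server)s",
}
GENERIC = "Unable to confirm that %(server)s is an IPA server"

# Only these results point at the network path, so only they get a port hint.
NETWORK_FAILURES = {CANNOT_CONNECT, CONNECT_TIMEOUT}


def probe_port(server, port=389, timeout=5.0, connect=socket.create_connection):
    """Classify one TCP connect attempt; `connect` is injectable for tests."""
    try:
        connect((server, port), timeout).close()
    except socket.gaierror:      # name resolution; must precede OSError
        return BAD_HOSTNAME
    except socket.timeout:       # silently dropped packets end up here
        return CONNECT_TIMEOUT
    except OSError:              # refused, unreachable, reset
        return CANNOT_CONNECT
    return OK


def explain(code, server, port=389):
    """Return the lines to log: specific cause, generic error, then hint."""
    args = {"server": server, "port": port}
    lines = []
    if code in MESSAGES:
        lines.append(MESSAGES[code] % args)
    lines.append(GENERIC % args)
    if code in NETWORK_FAILURES:
        lines.append("Check that TCP port %d is open in the firewall" % port)
    return lines
```

The firewall hint names only the port that was actually probed, so a server that answers on 389 but lacks the Kerberos container never produces firewall advice.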
Re: [Freeipa-devel] [PATCH 0005] Clarified error message with ipa-client-automount
On 01/11/2013 12:47 PM, Lynn Root wrote:
> On Mon 03 Dec 2012 05:20:32 AM PST, Lynn Root wrote:
>> On 11/30/2012 10:35 PM, Rob Crittenden wrote:
>>> Lynn Root wrote:
>>>> Returns a clearer hint when user is running ipa-client-automount
>>>> with possible firewall up and blocking needed ports.
>>>>
>>>> Not sure if this patch is worded correctly in order to address the
>>>> potential firewall block when running ipa-client-automount. Perhaps
>>>> a different error should be thrown, rather than NOT_IPA_SERVER.
>>>>
>>>> Ticket: https://fedorahosted.org/freeipa/ticket/3080
>>>
>>> Tomas made a similar change recently in ipa-client-install which
>>> includes more information on the ports we need. You may want to take
>>> a look at that. It was for ticket
>>> https://fedorahosted.org/freeipa/ticket/2816
>>>
>>> rob
>> Thank you Rob - I adapted the same approach in this updated patch. Let
>> me know if it addresses the blocked port issue better.
>>
>> Thanks!
>
> Just bumping this thread - I think this might have fallen on the
> way-side; certainly lost track of it myself after returning
> home/holidays.
>
> However I noticed that this ticket
> (https://fedorahosted.org/freeipa/ticket/3080) now has an RFE tag -
> don't _believe_ that was there when I started working on it in late
> November. I believe the whole design doc conversation was going on
> around then. I assume I'll need to start one for this?
>
> Thanks!
>

It is an RFE, just was not marked as such. Good catch.
Yes, since it is an RFE, a design page will be required.

> --
> Lynn Root
>
> @roguelynn
> Associate Software Engineer
> Red Hat, Inc

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
Re: [Freeipa-devel] [PATCH 0005] Clarified error message with ipa-client-automount
On Mon 03 Dec 2012 05:20:32 AM PST, Lynn Root wrote:
> On 11/30/2012 10:35 PM, Rob Crittenden wrote:
>> Lynn Root wrote:
>>> Returns a clearer hint when user is running ipa-client-automount
>>> with possible firewall up and blocking needed ports.
>>>
>>> Not sure if this patch is worded correctly in order to address the
>>> potential firewall block when running ipa-client-automount. Perhaps
>>> a different error should be thrown, rather than NOT_IPA_SERVER.
>>>
>>> Ticket: https://fedorahosted.org/freeipa/ticket/3080
>>
>> Tomas made a similar change recently in ipa-client-install which
>> includes more information on the ports we need. You may want to take
>> a look at that. It was for ticket
>> https://fedorahosted.org/freeipa/ticket/2816
>>
>> rob
>
> Thank you Rob - I adapted the same approach in this updated patch. Let
> me know if it addresses the blocked port issue better.
>
> Thanks!

Just bumping this thread - I think this might have fallen on the
way-side; certainly lost track of it myself after returning
home/holidays.

However I noticed that this ticket
(https://fedorahosted.org/freeipa/ticket/3080) now has an RFE tag -
don't _believe_ that was there when I started working on it in late
November. I believe the whole design doc conversation was going on
around then. I assume I'll need to start one for this?

Thanks!

--
Lynn Root

@roguelynn
Associate Software Engineer
Red Hat, Inc
Re: [Freeipa-devel] [PATCH 0005] Clarified error message with ipa-client-automount
On 11/30/2012 10:35 PM, Rob Crittenden wrote:
> Lynn Root wrote:
>> Returns a clearer hint when user is running ipa-client-automount
>> with possible firewall up and blocking needed ports.
>>
>> Not sure if this patch is worded correctly in order to address the
>> potential firewall block when running ipa-client-automount. Perhaps
>> a different error should be thrown, rather than NOT_IPA_SERVER.
>>
>> Ticket: https://fedorahosted.org/freeipa/ticket/3080
>
> Tomas made a similar change recently in ipa-client-install which
> includes more information on the ports we need. You may want to take
> a look at that. It was for ticket
> https://fedorahosted.org/freeipa/ticket/2816
>
> rob

Thank you Rob - I adapted the same approach in this updated patch. Let
me know if it addresses the blocked port issue better.

Thanks!

From a39fa3befe771799092161e68e2c3f80a364c9af Mon Sep 17 00:00:00 2001 From: Lynn Root Date: Mon, 26 Nov 2012 03:59:22 -0500 Subject: [PATCH] Clarified error message with ipa-client-automount. Returns a clearer hint when user is running ipa-client-automount with possible firewall up and blocking need ports. Ticket: https://fedorahosted.org/freeipa/ticket/3080 --- ipa-client/ipa-install/ipa-client-automount | 12 1 file changed, 12 insertions(+) diff --git a/ipa-client/ipa-install/ipa-client-automount b/ipa-client/ipa-install/ipa-client-automount index fd922b8a9e3fafbe1c740642752ff9258f1260bd..b7771928a4327f1090aafe1bd6728135cda13241 100755 --- a/ipa-client/ipa-install/ipa-client-automount +++ b/ipa-client/ipa-install/ipa-client-automount
@@ -354,6 +354,17 @@ def configure_nfs(fstore, statestore): print "Failed to configure automatic startup of the %s daemon" % (rpcgssd.service_name) root_logger.error("Failed to enable automatic startup of the %s daemon: %s" % (rpcgssd.service_name, str(e))) +def print_port_conf_info(): +root_logger.info( +"Please make sure the following ports are opened " +"in the firewall settings:\n" +" TCP: 80, 88, 389\n" +" UDP: 88 (at least one of the TCP/UDP ports 88 has to be open)\n" +"Also note that the following ports are necessary for ipa-client " +"to properly mount: \n" +" TCP: 464\n" +" UDP: 464, 123 (if NTP enabled)") + def main(): fstore = sysrestore.FileStore('/var/lib/ipa-client/sysrestore') @@ -407,6 +418,7 @@ def main(): root_logger.debug("Verifying that %s is an IPA server" % server) ldapret = ds.ipacheckldap(server, api.env.realm) if ldapret[0] != 0: +print_port_conf_info() sys.exit('Unable to confirm that %s is an IPA v2 server' % server) if not autodiscover: -- 1.7.12 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
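
Review bot: In the first hunk, print_port_conf_info() sends the port list through root_logger.info(), while the failure it accompanies ends in sys.exit() and the neighbouring configure_nfs code reports its failures with print plus root_logger.error(). Whether an info-level record reaches the user depends on logger configuration that is not visible here, so log the hint at error level or print it, so it cannot be filtered out separately from the error it explains. The text also says ports 464 and 123 are "necessary for ipa-client to properly mount" without saying what uses them; name the service behind each port and add a docstring to the function. The thread notes that ipa-client-install already carries a similar list (ticket 2816), so a shared helper would keep the two lists from drifting apart. Minor: there is a trailing space before the newline in "to properly mount: \n".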
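
Review bot: In the second hunk, print_port_conf_info() runs for every non-zero ldapret[0], so a server that is reachable but fails the check for another reason also produces firewall advice. Branch on the value of ldapret[0] and show the port hint only when the result indicates a connection failure. As noted in the thread, ipacheckldap() only connects to port 389, so the hint lists more ports than this check has tested; say so in the message or limit it to 389 here. The hint is also emitted before sys.exit('Unable to confirm that %s is an IPA v2 server' % server), so the user reads the remedy before the error; put the error first or fold both into one message.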
Re: [Freeipa-devel] [PATCH 0005] Clarified error message with ipa-client-automount
Lynn Root wrote:
> Returns a clearer hint when user is running ipa-client-automount
> with possible firewall up and blocking needed ports.
>
> Not sure if this patch is worded correctly in order to address the
> potential firewall block when running ipa-client-automount. Perhaps
> a different error should be thrown, rather than NOT_IPA_SERVER.
>
> Ticket: https://fedorahosted.org/freeipa/ticket/3080

Tomas made a similar change recently in ipa-client-install which
includes more information on the ports we need. You may want to take
a look at that. It was for ticket
https://fedorahosted.org/freeipa/ticket/2816

rob