Re: [Freeipa-devel] [PATCH 0005] Clarified error message with ipa-client-automount

2013-01-31 Thread Rob Crittenden

Lynn Root wrote:

On Mon 03 Dec 2012 05:20:32 AM PST, Lynn Root wrote:

On 11/30/2012 10:35 PM, Rob Crittenden wrote:

Lynn Root wrote:

Returns a clearer hint when user is running ipa-client-automount with
possible firewall up and blocking needed ports.

Not sure if this patch is worded correctly in order to address the
potential firewall block when running ipa-client-automount. Perhaps a
different error should be thrown, rather than NOT_IPA_SERVER.

Ticket: https://fedorahosted.org/freeipa/ticket/3080


Tomas made a similar change recently in ipa-client-install which
includes more information on the ports we need. You may want to take
a look at that. It was for ticket
https://fedorahosted.org/freeipa/ticket/2816

rob

Thank you Rob - I adapted the same approach in this updated patch. Let
me know if it addresses the blocked port issue better.

Thanks!


Just bumping this thread - I think this might have fallen on the
way-side; certainly lost track of it myself after returning home/holidays.

However I noticed that this ticket
(https://fedorahosted.org/freeipa/ticket/3080) now has an RFE tag -
don't _believe_ that was there when I started working on it in late
November.  I believe the whole design doc conversation was going on
around then. I assume I'll need to start one for this?

Thanks!



I think this is still not quite right, and I think could be improved in 
ipa-client-install as well.


ipacheckldap() only tries to connect to port 389 (optionally with 
StartTLS). It returns a number of different possible errors, I think we 
should have some way to report more specific error messages based on 
those (can't connect to server Y on port 389, Unable to find Kerberos 
container, etc) in addition to "Unable to confirm that X is an IPA 
server". We probably want to do something about the v2 part as well.


I think a table in ipadiscovery to translate the possible return vals 
from ipacheckldap() into a string that can be logged is the way to go.


rob

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH 0005] Clarified error message with ipa-client-automount

2013-01-11 Thread Dmitri Pal
On 01/11/2013 12:47 PM, Lynn Root wrote:
> On Mon 03 Dec 2012 05:20:32 AM PST, Lynn Root wrote:
>> On 11/30/2012 10:35 PM, Rob Crittenden wrote:
>>> Lynn Root wrote:
>>>> Returns a clearer hint when user is running ipa-client-automount with
>>>> possible firewall up and blocking needed ports.
>>>>
>>>> Not sure if this patch is worded correctly in order to address the
>>>> potential firewall block when running ipa-client-automount. Perhaps a
>>>> different error should be thrown, rather than NOT_IPA_SERVER.
>>>>
>>>> Ticket: https://fedorahosted.org/freeipa/ticket/3080
>>>
>>> Tomas made a similar change recently in ipa-client-install which
>>> includes more information on the ports we need. You may want to take
>>> a look at that. It was for ticket
>>> https://fedorahosted.org/freeipa/ticket/2816
>>>
>>> rob
>> Thank you Rob - I adapted the same approach in this updated patch. Let
>> me know if it addresses the blocked port issue better.
>>
>> Thanks!
>
> Just bumping this thread - I think this might have fallen on the
> way-side; certainly lost track of it myself after returning
> home/holidays.
>
> However I noticed that this ticket
> (https://fedorahosted.org/freeipa/ticket/3080) now has an RFE tag -
> don't _believe_ that was there when I started working on it in late
> November.  I believe the whole design doc conversation was going on
> around then. I assume I'll need to start one for this?
>
> Thanks!
>

It is an RFE, just was not marked as such.
Good catch.
Yes, since it is an RFE, a design page will be required.


> -- 
> Lynn Root
>
> @roguelynn
> Associate Software Engineer
> Red Hat, Inc


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.




Re: [Freeipa-devel] [PATCH 0005] Clarified error message with ipa-client-automount

2013-01-11 Thread Lynn Root

On Mon 03 Dec 2012 05:20:32 AM PST, Lynn Root wrote:

On 11/30/2012 10:35 PM, Rob Crittenden wrote:

Lynn Root wrote:

Returns a clearer hint when user is running ipa-client-automount with
possible firewall up and blocking needed ports.

Not sure if this patch is worded correctly in order to address the
potential firewall block when running ipa-client-automount. Perhaps a
different error should be thrown, rather than NOT_IPA_SERVER.

Ticket: https://fedorahosted.org/freeipa/ticket/3080


Tomas made a similar change recently in ipa-client-install which
includes more information on the ports we need. You may want to take
a look at that. It was for ticket
https://fedorahosted.org/freeipa/ticket/2816

rob

Thank you Rob - I adapted the same approach in this updated patch. Let
me know if it addresses the blocked port issue better.

Thanks!


Just bumping this thread - I think this might have fallen on the 
way-side; certainly lost track of it myself after returning 
home/holidays.


However I noticed that this ticket 
(https://fedorahosted.org/freeipa/ticket/3080) now has an RFE tag - 
don't _believe_ that was there when I started working on it in late 
November.  I believe the whole design doc conversation was going on 
around then. I assume I'll need to start one for this?


Thanks!

--
Lynn Root

@roguelynn
Associate Software Engineer
Red Hat, Inc



Re: [Freeipa-devel] [PATCH 0005] Clarified error message with ipa-client-automount

2012-12-03 Thread Lynn Root

On 11/30/2012 10:35 PM, Rob Crittenden wrote:

Lynn Root wrote:

Returns a clearer hint when user is running ipa-client-automount with
possible firewall up and blocking needed ports.

Not sure if this patch is worded correctly in order to address the
potential firewall block when running ipa-client-automount. Perhaps a
different error should be thrown, rather than NOT_IPA_SERVER.

Ticket: https://fedorahosted.org/freeipa/ticket/3080


Tomas made a similar change recently in ipa-client-install which 
includes more information on the ports we need. You may want to take a 
look at that. It was for ticket 
https://fedorahosted.org/freeipa/ticket/2816


rob

Thank you Rob - I adapted the same approach in this updated patch. Let 
me know if it addresses the blocked port issue better.


Thanks!
From a39fa3befe771799092161e68e2c3f80a364c9af Mon Sep 17 00:00:00 2001
From: Lynn Root 
Date: Mon, 26 Nov 2012 03:59:22 -0500
Subject: [PATCH] Clarified error message with ipa-client-automount.

Returns a clearer hint when user is running ipa-client-automount with possible firewall up and blocking needed ports.

Ticket: https://fedorahosted.org/freeipa/ticket/3080
---
 ipa-client/ipa-install/ipa-client-automount | 12 
 1 file changed, 12 insertions(+)

diff --git a/ipa-client/ipa-install/ipa-client-automount b/ipa-client/ipa-install/ipa-client-automount
index fd922b8a9e3fafbe1c740642752ff9258f1260bd..b7771928a4327f1090aafe1bd6728135cda13241 100755
--- a/ipa-client/ipa-install/ipa-client-automount
+++ b/ipa-client/ipa-install/ipa-client-automount
@@ -354,6 +354,17 @@ def configure_nfs(fstore, statestore):
 print "Failed to configure automatic startup of the %s daemon" % (rpcgssd.service_name)
 root_logger.error("Failed to enable automatic startup of the %s daemon: %s" % (rpcgssd.service_name, str(e)))
 
+def print_port_conf_info():
+root_logger.info(
+"Please make sure the following ports are opened "
+"in the firewall settings:\n"
+" TCP: 80, 88, 389\n"
+" UDP: 88 (at least one of the TCP/UDP ports 88 has to be open)\n"
+"Also note that the following ports are necessary for ipa-client "
+"to properly mount: \n"
+" TCP: 464\n"
+" UDP: 464, 123 (if NTP enabled)")
+
 def main():
 
 fstore = sysrestore.FileStore('/var/lib/ipa-client/sysrestore')
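Review bot: print_port_conf_info() emits the firewall hint with root_logger.info, while the failure paths in the context lines just above it use print plus root_logger.error. The hint is only useful right before a fatal exit, so it should go out at error level (or be printed) so that it is not dropped when info messages are not routed to the console. The text also says ports 464 and 123 are "necessary for ipa-client to properly mount" without saying what they are used for, which makes the advice hard to act on, and the "mount: \n" string carries a trailing space. A short docstring on the new function would help as well.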
@@ -407,6 +418,7 @@ def main():
 root_logger.debug("Verifying that %s is an IPA server" % server)
 ldapret = ds.ipacheckldap(server, api.env.realm)
 if ldapret[0] != 0:
+print_port_conf_info()
 sys.exit('Unable to confirm that %s is an IPA v2 server' % server)
 
 if not autodiscover:
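Review bot: in main(), print_port_conf_info() runs for every non-zero ldapret[0], so the firewall hint is shown even when the check failed for a reason unrelated to blocked ports, and the return code itself is never reported. Consider branching on ldapret[0] and including the code (or a message derived from it) in the sys.exit text, so that the port hint appears only for connection failures. The exit message also still reads "Unable to confirm that %s is an IPA v2 server" whatever the cause.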
-- 
1.7.12


Re: [Freeipa-devel] [PATCH 0005] Clarified error message with ipa-client-automount

2012-11-30 Thread Rob Crittenden

Lynn Root wrote:

Returns a clearer hint when user is running ipa-client-automount with
possible firewall up and blocking needed ports.

Not sure if this patch is worded correctly in order to address the
potential firewall block when running ipa-client-automount.  Perhaps a
different error should be thrown, rather than NOT_IPA_SERVER.

Ticket: https://fedorahosted.org/freeipa/ticket/3080


Tomas made a similar change recently in ipa-client-install which 
includes more information on the ports we need. You may want to take a 
look at that. It was for ticket https://fedorahosted.org/freeipa/ticket/2816


rob
