Re: [Freeipa-devel] [PATCH 0023 Do not display ports to open when password is incorrect during ipa-client-install

2014-02-18 Thread Martin Kosek
On 04/30/2013 04:33 PM, Petr Viktorin wrote:
> On 04/30/2013 04:03 PM, Ana Krivokapic wrote:
>> On 04/30/2013 10:42 AM, Petr Viktorin wrote:
>>> On 04/23/2013 12:17 PM, Ana Krivokapic wrote:
>>>> On 04/23/2013 12:06 AM, Rob Crittenden wrote:
>>>>> Ana Krivokapic wrote:
>>>>>> Do not display ports to open when password is incorrect during
>>>>>> ipa-client-install
>>>>>>
>>>>>> https://fedorahosted.org/freeipa/ticket/3573
>>>>>>
>>>>>
>>>>> What happens if port 88 is not open so it can't connect to the KDC?
>>>>> I'm not sure how the best way to determine one vs the other, I don't
>>>>> think there are distinct return values.
>>>>>
>>>>> We could use the fact that Kerberos isn't translated to look for
>>>>> specific strings maybe, but that is hackish and could break.
>>>>>
>>>>> rob
>>>>
>>>> The return value from kinit is always 1 in case of failure. So the only
>>>> way to determine the reason for failure would be to look into the
>>>> message string. I agree this is hackish as Rob pointed out. Personally,
>>>> I am for leaving everything as it is now. In the case of incorrect
>>>> password, the user _does_ get the message that the password was
>>>> incorrect (kinit: Password incorrect while getting initial credentials).
>>>> So I don't think that displaying the message about ports, in addition to
>>>> this message, is confusing/misleading.
>>>
>>> I think displaying the error messages after the port information would
>>> make it clearer that this is the reason for failed installation.
>>>
>>
>> I think this is a good compromise. Updated patch attached.
> 
> So now we have, with bad password:
> 
> $ sudo ipa-client-install -p admin -w bad-password
> Discovery was successful!
> Hostname: vm-050.idm.lab.eng.brq.redhat.com
> Realm: IDM.LAB.ENG.BRQ.REDHAT.COM
> DNS Domain: idm.lab.eng.brq.redhat.com
> IPA Server: vm-109.idm.lab.eng.brq.redhat.com
> BaseDN: dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
> 
> Continue to configure the system with these values? [no]: y
> Synchronizing time with KDC...
> Please make sure the following ports are opened in the firewall settings:
>  TCP: 80, 88, 389
>  UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
> Also note that following ports are necessary for ipa-client working properly
> after enrollment:
>  TCP: 464
>  UDP: 464, 123 (if NTP enabled)
> Kerberos authentication failed
> kinit: Password incorrect while getting initial credentials
> 
> Installation failed. Rolling back changes.
> IPA client is not configured on this system.
> 
> 
> 
> and with no connection:
> 
> $ sudo ipa-client-install -p admin -w good-password
> Discovery was successful!
> Hostname: vm-050.idm.lab.eng.brq.redhat.com
> Realm: IDM.LAB.ENG.BRQ.REDHAT.COM
> DNS Domain: idm.lab.eng.brq.redhat.com
> IPA Server: vm-109.idm.lab.eng.brq.redhat.com
> BaseDN: dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
> 
> Continue to configure the system with these values? [no]: y
> Synchronizing time with KDC...
> Please make sure the following ports are opened in the firewall settings:
>  TCP: 80, 88, 389
>  UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
> Also note that following ports are necessary for ipa-client working properly
> after enrollment:
>  TCP: 464
>  UDP: 464, 123 (if NTP enabled)
> Kerberos authentication failed
> kinit: Cannot contact any KDC for realm 'IDM.LAB.ENG.BRQ.REDHAT.COM' while
> getting initial credentials
> 
> Installation failed. Rolling back changes.
> IPA client is not configured on this system.
> 
> 
> Rob, is the behavior OK?
> 
> ACK for the implementation.
> 

Looks good to me.

Pushed to master: f67268db6855738350481491119b9be29ba1f22d

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH 0023 Do not display ports to open when password is incorrect during ipa-client-install

2013-04-30 Thread Petr Viktorin

On 04/30/2013 04:03 PM, Ana Krivokapic wrote:
> On 04/30/2013 10:42 AM, Petr Viktorin wrote:
>> On 04/23/2013 12:17 PM, Ana Krivokapic wrote:
>>> On 04/23/2013 12:06 AM, Rob Crittenden wrote:
>>>> Ana Krivokapic wrote:
>>>>> Do not display ports to open when password is incorrect during
>>>>> ipa-client-install
>>>>>
>>>>> https://fedorahosted.org/freeipa/ticket/3573
>>>>>
>>>>
>>>> What happens if port 88 is not open so it can't connect to the KDC?
>>>> I'm not sure how the best way to determine one vs the other, I don't
>>>> think there are distinct return values.
>>>>
>>>> We could use the fact that Kerberos isn't translated to look for
>>>> specific strings maybe, but that is hackish and could break.
>>>>
>>>> rob
>>>
>>> The return value from kinit is always 1 in case of failure. So the only
>>> way to determine the reason for failure would be to look into the
>>> message string. I agree this is hackish as Rob pointed out. Personally,
>>> I am for leaving everything as it is now. In the case of incorrect
>>> password, the user _does_ get the message that the password was
>>> incorrect (kinit: Password incorrect while getting initial credentials).
>>> So I don't think that displaying the message about ports, in addition to
>>> this message, is confusing/misleading.
>>
>> I think displaying the error messages after the port information would
>> make it clearer that this is the reason for failed installation.
>>
>
> I think this is a good compromise. Updated patch attached.

So now we have, with bad password:

$ sudo ipa-client-install -p admin -w bad-password
Discovery was successful!
Hostname: vm-050.idm.lab.eng.brq.redhat.com
Realm: IDM.LAB.ENG.BRQ.REDHAT.COM
DNS Domain: idm.lab.eng.brq.redhat.com
IPA Server: vm-109.idm.lab.eng.brq.redhat.com
BaseDN: dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com

Continue to configure the system with these values? [no]: y
Synchronizing time with KDC...
Please make sure the following ports are opened in the firewall settings:
 TCP: 80, 88, 389
 UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working properly
after enrollment:
 TCP: 464
 UDP: 464, 123 (if NTP enabled)
Kerberos authentication failed
kinit: Password incorrect while getting initial credentials

Installation failed. Rolling back changes.
IPA client is not configured on this system.



and with no connection:

$ sudo ipa-client-install -p admin -w good-password
Discovery was successful!
Hostname: vm-050.idm.lab.eng.brq.redhat.com
Realm: IDM.LAB.ENG.BRQ.REDHAT.COM
DNS Domain: idm.lab.eng.brq.redhat.com
IPA Server: vm-109.idm.lab.eng.brq.redhat.com
BaseDN: dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com

Continue to configure the system with these values? [no]: y
Synchronizing time with KDC...
Please make sure the following ports are opened in the firewall settings:
 TCP: 80, 88, 389
 UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working properly
after enrollment:
 TCP: 464
 UDP: 464, 123 (if NTP enabled)
Kerberos authentication failed
kinit: Cannot contact any KDC for realm 'IDM.LAB.ENG.BRQ.REDHAT.COM' while
getting initial credentials

Installation failed. Rolling back changes.
IPA client is not configured on this system.


Rob, is the behavior OK?

ACK for the implementation.

--
Petr³


Re: [Freeipa-devel] [PATCH 0023 Do not display ports to open when password is incorrect during ipa-client-install

2013-04-30 Thread Ana Krivokapic
On 04/30/2013 10:42 AM, Petr Viktorin wrote:
> On 04/23/2013 12:17 PM, Ana Krivokapic wrote:
>> On 04/23/2013 12:06 AM, Rob Crittenden wrote:
>>> Ana Krivokapic wrote:
>>>> Do not display ports to open when password is incorrect during
>>>> ipa-client-install
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/3573
>>>>
>>>
>>> What happens if port 88 is not open so it can't connect to the KDC?
>>> I'm not sure how the best way to determine one vs the other, I don't
>>> think there are distinct return values.
>>>
>>> We could use the fact that Kerberos isn't translated to look for
>>> specific strings maybe, but that is hackish and could break.
>>>
>>> rob
>>
>> The return value from kinit is always 1 in case of failure. So the only
>> way to determine the reason for failure would be to look into the
>> message string. I agree this is hackish as Rob pointed out. Personally,
>> I am for leaving everything as it is now. In the case of incorrect
>> password, the user _does_ get the message that the password was
>> incorrect (kinit: Password incorrect while getting initial credentials).
>> So I don't think that displaying the message about ports, in addition to
>> this message, is confusing/misleading.
>
> I think displaying the error messages after the port information would
> make it clearer that this is the reason for failed installation.
>

I think this is a good compromise. Updated patch attached.

-- 
Regards,

Ana Krivokapic
Associate Software Engineer
FreeIPA team
Red Hat Inc.

From 84b6a013ae79f8791ac9d6810698d4158a182ef5 Mon Sep 17 00:00:00 2001
From: Ana Krivokapic 
Date: Mon, 22 Apr 2013 17:09:47 +0200
Subject: [PATCH] Improve error message on failed Kerberos authentication

When ipa client installation fails due to failed Kerberos authentication,
make sure that the message about the failed authentication is displayed last.
This makes it clear to the user that this was the reason for failed
installation.

https://fedorahosted.org/freeipa/ticket/3573
---
 ipa-client/ipa-install/ipa-client-install | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index a60124bb7873ff4a14cf7a02e778b94b832a6a0e..b60b5dff8be2f76ca8507a4323cf0c3e074275be 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -2066,9 +2066,9 @@ def install(options, env, fstore, statestore):
 stdin=stdin,
 env=env)
 if returncode != 0:
+print_port_conf_info()
 root_logger.error("Kerberos authentication failed")
 root_logger.info("%s", stdout)
-print_port_conf_info()
 return CLIENT_INSTALL_ERROR
 elif options.keytab:
 join_args.append("-f")
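Review bot: in the first `if returncode != 0:` block the moved `print_port_conf_info()` still runs on every kinit failure, a wrong password included, because kinit exits 1 for all failures (as the thread notes), and nothing in the code says the new ordering is deliberate; a one-line comment above the call stating that the port hint cannot be suppressed and is printed first so the real cause ends the output would keep a later reader from reverting it. Separately, the decisive diagnostic is `root_logger.info("%s", stdout)` while the summary above it is at error level, so if the console handler is ever configured above INFO the user sees only "Kerberos authentication failed" with no reason; consider logging the kinit output at error level as well.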
@@ -2080,10 +2080,10 @@ def install(options, env, fstore, statestore):
 raiseonerr=False)
 
 if returncode != 0:
+print_port_conf_info()
 root_logger.error("Kerberos authentication failed "
   "using keytab: %s", options.keytab)
 root_logger.info("%s", stdout)
-print_port_conf_info()
 return CLIENT_INSTALL_ERROR
 else:
 root_logger.error("Keytab file could not be found: %s"
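Review bot: the keytab branch now duplicates the same four-line failure sequence as the password branch (`print_port_conf_info()`, the error line, `root_logger.info("%s", stdout)`, `return CLIENT_INSTALL_ERROR`); a small helper that takes the error message would keep the two paths from drifting apart in ordering again, which is exactly what this patch had to correct. Note that in this branch a wrong password is not a possible cause, so the firewall hint is the likelier explanation and printing it first is appropriate here.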
-- 
1.8.1.4


Re: [Freeipa-devel] [PATCH 0023 Do not display ports to open when password is incorrect during ipa-client-install

2013-04-30 Thread Petr Viktorin

On 04/23/2013 12:17 PM, Ana Krivokapic wrote:
> On 04/23/2013 12:06 AM, Rob Crittenden wrote:
>> Ana Krivokapic wrote:
>>> Do not display ports to open when password is incorrect during
>>> ipa-client-install
>>>
>>> https://fedorahosted.org/freeipa/ticket/3573
>>>
>>
>> What happens if port 88 is not open so it can't connect to the KDC?
>> I'm not sure how the best way to determine one vs the other, I don't
>> think there are distinct return values.
>>
>> We could use the fact that Kerberos isn't translated to look for
>> specific strings maybe, but that is hackish and could break.
>>
>> rob
>
> The return value from kinit is always 1 in case of failure. So the only
> way to determine the reason for failure would be to look into the
> message string. I agree this is hackish as Rob pointed out. Personally,
> I am for leaving everything as it is now. In the case of incorrect
> password, the user _does_ get the message that the password was
> incorrect (kinit: Password incorrect while getting initial credentials).
> So I don't think that displaying the message about ports, in addition to
> this message, is confusing/misleading.

I think displaying the error messages after the port information would
make it clearer that this is the reason for failed installation.


--
Petr³


Re: [Freeipa-devel] [PATCH 0023 Do not display ports to open when password is incorrect during ipa-client-install

2013-04-23 Thread Ana Krivokapic
On 04/23/2013 12:06 AM, Rob Crittenden wrote:
> Ana Krivokapic wrote:
>> Do not display ports to open when password is incorrect during
>> ipa-client-install
>>
>> https://fedorahosted.org/freeipa/ticket/3573
>>
>
> What happens if port 88 is not open so it can't connect to the KDC?
> I'm not sure how the best way to determine one vs the other, I don't
> think there are distinct return values.
>
> We could use the fact that Kerberos isn't translated to look for
> specific strings maybe, but that is hackish and could break.
>
> rob

The return value from kinit is always 1 in case of failure. So the only
way to determine the reason for failure would be to look into the
message string. I agree this is hackish as Rob pointed out. Personally,
I am for leaving everything as it is now. In the case of incorrect
password, the user _does_ get the message that the password was
incorrect (kinit: Password incorrect while getting initial credentials).
So I don't think that displaying the message about ports, in addition to
this message, is confusing/misleading.

-- 
Regards,

Ana Krivokapic
Associate Software Engineer
FreeIPA team
Red Hat Inc.



Re: [Freeipa-devel] [PATCH 0023 Do not display ports to open when password is incorrect during ipa-client-install

2013-04-22 Thread Rob Crittenden

Ana Krivokapic wrote:
> Do not display ports to open when password is incorrect during
> ipa-client-install
>
> https://fedorahosted.org/freeipa/ticket/3573
>

What happens if port 88 is not open so it can't connect to the KDC? I'm
not sure how the best way to determine one vs the other, I don't think
there are distinct return values.

We could use the fact that Kerberos isn't translated to look for
specific strings maybe, but that is hackish and could break.

rob
