[Freeipa-users] Auto discover of the IPA server failing with LDAP anonymous binds off
Sigbjorn Lie
2013-04-06 17:38:14 UTC
Hi,

I am trying to install the IPA client on a CentOS 6.4 host, however the
auto discovery of the IPA server is failing, from what seems to be caused
by my IPA servers having anonymous binds switched off.

Is this expected behaviour?


# rpm -qa|grep ^ipa|sort
ipa-client-3.0.0-26.el6_4.2.x86_64
ipa-python-3.0.0-26.el6_4.2.x86_64


# ipa-client-install -U --domain=unix.nuexample.com --password='somepassword' --enable-dns-updates -d
/usr/sbin/ipa-client-install was invoked with options: {'domain':
'unix.nuexample.com', 'force': False, 'krb5_offline_passwords': True,
'primary': False, 'mkhomedir': False, 'create_sshfp': True, 'conf_sshd':
True, 'on_master': False, 'conf_ntp': True, 'ca_cert_file': None,
'ntp_server': None, 'principal': None, 'hostname': None, 'no_ac': False,
'unattended': True, 'sssd': True, 'trust_sshfp': False, 'dns_updates':
True, 'realm_name': None, 'conf_ssh': True, 'server': None,
'prompt_password': False, 'permit': False, 'debug': True,
'preserve_sssd': False, 'uninstall': False}
missing options might be asked for interactively later
Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
[IPA Discovery]
Starting IPA discovery with domain=unix.nuexample.com, servers=None,
hostname=clienthost.unix.nuexample.com
Search for LDAP SRV record in unix.nuexample.com
Search DNS for SRV record of _ldap._tcp.unix.nuexample.com.
DNS record found:
DNSResult::name:_ldap._tcp.unix.nuexample.com.,type:33,class:1,rdata={priority:0,port:389,weight:100,server:ipa01.unix.nuexample.com.}
DNS record found:
DNSResult::name:_ldap._tcp.unix.nuexample.com.,type:33,class:1,rdata={priority:0,port:389,weight:100,server:ipa02.unix.nuexample.com.}
DNS record found:
DNSResult::name:_ldap._tcp.unix.nuexample.com.,type:33,class:1,rdata={priority:5,port:389,weight:100,server:ipa03.unix.nuexample.com.}
[Kerberos realm search]
Search DNS for TXT record of _kerberos.unix.nuexample.com.
DNS record found:
DNSResult::name:_kerberos.unix.nuexample.com.,type:16,class:1,rdata={data:UNIX.NUEXAMPLE.COM}
Search DNS for SRV record of _kerberos._udp.unix.nuexample.com.
DNS record found:
DNSResult::name:_kerberos._udp.unix.nuexample.com.,type:33,class:1,rdata={priority:0,port:88,weight:100,server:ipa02.unix.nuexample.com.}
DNS record found:
DNSResult::name:_kerberos._udp.unix.nuexample.com.,type:33,class:1,rdata={priority:5,port:88,weight:100,server:ipa03.unix.nuexample.com.}
DNS record found:
DNSResult::name:_kerberos._udp.unix.nuexample.com.,type:33,class:1,rdata={priority:0,port:88,weight:100,server:ipa01.unix.nuexample.com.}
[LDAP server check]
Verifying that ipa01.unix.nuexample.com (realm UNIX.NUEXAMPLE.COM) is an IPA server
Init LDAP connection with: ldap://ipa01.unix.nuexample.com:389
Search LDAP server for IPA base DN
Check if naming context 'dc=unix,dc=nuexample,dc=com' is for IPA
Naming context 'dc=unix,dc=nuexample,dc=com' is a valid IPA context
Search for (objectClass=krbRealmContainer) in dc=unix,dc=nuexample,dc=com (sub)
LDAP Error: Anonymous access not allowed
Discovery result: NO_ACCESS_TO_LDAP; server=None, domain=unix.nuexample.com, kdc=ipa02.unix.nuexample.com,ipa03.unix.nuexample.com,ipa01.unix.nuexample.com, basedn=dc=unix,dc=nuexample,dc=com
Validated servers: ipa01.unix.nuexample.com
will use discovered domain: unix.nuexample.com
IPA Server not found
Unable to find IPA Server to join
Installation failed. Rolling back changes.
IPA client is not configured on this system.




Regards,
Siggi
Martin Kosek
2013-04-08 09:10:34 UTC
Hello Sigbjorn,

This is caused by an unfortunate regression in RHEL-6.4 client which emerges
when cn=config's nsslapd-allow-anonymous-access is set to "rootdse". This was
already fixed upstream (ticket 3519) and there is a bugzilla filed for RHEL-6.5:

https://bugzilla.redhat.com/show_bug.cgi?id=922843

If this is not satisfactory, you can contact your customer service and we will
look for alternative solutions for you.

Thanks,
Martin
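Worked example added by the editor; it is not part of either message and is not FreeIPA's own code. The script repeats, against your own server, the anonymous steps the debug log above shows the 3.0 client taking (SRV lookup for _ldap._tcp, root DSE read to learn the naming context, then a subtree search for krbRealmContainer), so you can see before running ipa-client-install whether nsslapd-allow-anonymous-access will stop the last step. It assumes dig and the OpenLDAP ldapsearch client are installed. The function names are the editor's own, and the mapping of ldapsearch exit statuses to the installer's discovery codes (48, LDAP inappropriateAuthentication, to NO_ACCESS_TO_LDAP; 255 to NO_LDAP_SERVER) is an approximation of the log messages above, not taken from the FreeIPA source.

```shell
#!/bin/sh
# Editor-added diagnostic (not FreeIPA code): replay the anonymous LDAP
# operations that ipa-client-install's discovery performs and map the
# outcome to the discovery result names seen in the debug log.
# Usage: sh ipa-anon-check.sh unix.nuexample.com [ldap-host-override]

# LDAP result codes, which ldapsearch uses as its exit status.
LDAP_SUCCESS=0
LDAP_INAPPROPRIATE_AUTH=48   # "Anonymous access not allowed" in the client log
LDAP_CANNOT_CONTACT=255      # assumed: ldapsearch's -1 for "Can't contact LDAP server"

# Map an ldapsearch exit status to the discovery result name (editor's
# approximation of the installer's messages).
classify_ldap_rc() {
    case "$1" in
        "$LDAP_SUCCESS")            echo SUCCESS ;;
        "$LDAP_INAPPROPRIATE_AUTH") echo NO_ACCESS_TO_LDAP ;;
        "$LDAP_CANNOT_CONTACT")     echo NO_LDAP_SERVER ;;
        *)                          echo "UNKNOWN_RC_$1" ;;
    esac
}

# Pick the SRV target to try first: lowest priority, then highest weight
# (RFC 2782 randomises among equal weights; a fixed pick is enough here).
# Reads `dig +short SRV` lines on stdin: "priority weight port target."
# and prints "target:port" without the trailing dot.
srv_first_target() {
    sort -k1,1n -k2,2nr | head -n 1 | awk '{ sub(/\.$/, "", $4); print $4 ":" $3 }'
}

# Anonymous (-x) root DSE read: works even when only the root DSE is open,
# which is why the log still reports the server as validated.
rootdse_naming_contexts() {   # $1 = ldap URI
    ldapsearch -x -LLL -H "$1" -b '' -s base namingContexts 2>/dev/null \
        | awk '/^namingContexts:/ { print $2 }'
}

# The subtree search that failed in the log; prints ldapsearch's exit status.
realm_container_search_rc() {   # $1 = ldap URI, $2 = base DN
    if ldapsearch -x -LLL -H "$1" -b "$2" -s sub '(objectClass=krbRealmContainer)' cn >/dev/null 2>&1; then
        echo 0
    else
        echo $?
    fi
}

check_anonymous_discovery() {   # $1 = DNS domain, $2 = optional host override
    domain=$1
    if [ -n "${2:-}" ]; then
        target="$2:389"
    else
        target=$(dig +short SRV "_ldap._tcp.$domain" | srv_first_target)
    fi
    if [ -z "$target" ]; then
        echo "no _ldap._tcp SRV record found for $domain"
        return 2
    fi
    uri="ldap://$target"
    echo "LDAP server to probe: $uri"

    base=$(rootdse_naming_contexts "$uri" | head -n 1)
    if [ -z "$base" ]; then
        echo "root DSE not readable anonymously (anonymous access fully off, or server unreachable)"
        return 1
    fi
    echo "naming context from root DSE: $base"

    rc=$(realm_container_search_rc "$uri" "$base")
    result=$(classify_ldap_rc "$rc")
    echo "anonymous krbRealmContainer subtree search: rc=$rc -> $result"
    case "$result" in
        SUCCESS)
            echo "anonymous discovery would succeed"; return 0 ;;
        NO_ACCESS_TO_LDAP)
            echo "same condition as the failed install: check nsslapd-allow-anonymous-access in cn=config"
            return 1 ;;
        *)
            echo "unexpected outcome, inspect the server manually"; return 1 ;;
    esac
}

if [ $# -gt 0 ]; then
    check_anonymous_discovery "$@"
fi
```

Run it as `sh ipa-anon-check.sh unix.nuexample.com`. When the directory is set to "rootdse", the SRV lookup and the root DSE read succeed and the subtree search comes back as result code 48, which is the NO_ACCESS_TO_LDAP outcome the installer rolled back on; reading the setting itself needs an authenticated bind, for example `ldapsearch -D 'cn=Directory Manager' -W -b cn=config -s base nsslapd-allow-anonymous-access`.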
