authorTomas Babej <tbabej@redhat.com>2012-09-26 08:52:50 -0400
committerRob Crittenden <rcritten@redhat.com>2012-10-09 16:57:06 -0400
commit00a54b8b7f1e6e157f4b5efe7f24462685194de5 (patch)
treec3e3da1ec16d4a02dd112093138b39767f818868
parent2ca7bb3134cc74daf9588b0a964a5572b49bc58a (diff)
downloadfreeipa-00a54b8b7f1e6e157f4b5efe7f24462685194de5.tar.gz
freeipa-00a54b8b7f1e6e157f4b5efe7f24462685194de5.tar.xz
freeipa-00a54b8b7f1e6e157f4b5efe7f24462685194de5.zip
Notify user about necessary ports in ipa-client-install
The connection error message in ipa-client-install now warns the user that all the ports necessary for ipa-client enrollment need to be open when an error that might have been caused by closed ports is encountered. It also mentions the ports needed after the client enrollment. Improves other error messages during installation in various ways. https://fedorahosted.org/freeipa/ticket/2816
-rwxr-xr-xipa-client/ipa-install/ipa-client-install20
-rw-r--r--ipa-client/ipaclient/ipadiscovery.py1
2 files changed, 19 insertions, 2 deletions
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 7b057a987..8181e5a19 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -1250,6 +1250,17 @@ def update_ssh_keys(server, hostname, ssh_dir, create_sshfp):
if not do_nsupdate(update_txt):
root_logger.warning("Could not update DNS SSHFP records.")
+def print_port_conf_info():
+ root_logger.info(
+ "Please make sure the following ports are opened "
+ "in the firewall settings:\n"
+ " TCP: 80, 88, 389\n"
+ " UDP: 88 (at least one of TCP/UDP ports 88 has to be open)\n"
+ "Also note that following ports are necessary for ipa-client "
+ "working properly after enrollment:\n"
+ " TCP: 464\n"
+ " UDP: 464, 123 (if NTP enabled)")
+
def install(options, env, fstore, statestore):
dnsok = False
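Review bot: The message in `print_port_conf_info()` does not say on which side the listed ports have to be open, so a reader can take it as an instruction to open inbound ports on the client host. These appear to be the server-side ports the client connects to, so the first line could read `"Please make sure the following ports on the IPA server are reachable from this host:\n"`. The function also has no docstring; `"""Log the ports needed during enrollment and for normal operation afterwards."""` would be enough. The body of `install()` that follows continues outside the hunk.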
@@ -1379,6 +1390,7 @@ def install(options, env, fstore, statestore):
if ret == ipadiscovery.NOT_IPA_SERVER:
root_logger.error("%s is not an IPA v2 Server.", cli_server[0])
+ print_port_conf_info()
root_logger.debug("(%s: %s)", cli_server[0], cli_server_source)
return CLIENT_INSTALL_ERROR
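Review bot: The added `print_port_conf_info()` call follows an error that states outright that the host is not an IPA v2 server, so the user is given two conflicting explanations. The ipadiscovery.py hunk in this commit shows `NOT_IPA_SERVER` also being returned when the CA download fails, which suggests this result cannot tell an unreachable server from a non-IPA one. Consider softening the preceding message, for example `"%s is not an IPA v2 Server, or it could not be reached."`, here and in the hunk at -1442. `install()` starts and ends outside the hunk.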
@@ -1392,8 +1404,9 @@ def install(options, env, fstore, statestore):
if ret != 0:
root_logger.error("Failed to verify that %s is an IPA Server.",
cli_server[0])
- root_logger.error("This may mean that the remote server is not up " +
+ root_logger.error("This may mean that the remote server is not up "
"or is not reachable due to network or firewall settings.")
+ print_port_conf_info()
root_logger.debug("(%s: %s)", cli_server[0], cli_server_source)
return CLIENT_INSTALL_ERROR
@@ -1442,6 +1455,7 @@ def install(options, env, fstore, statestore):
ret = ds.search(domain=cli_domain, server=server, hostname=hostname)
if ret == ipadiscovery.NOT_IPA_SERVER:
root_logger.error("%s is not an IPA v2 Server.", server)
+ print_port_conf_info()
root_logger.debug("(%s: %s)", server, cli_server_source)
return CLIENT_INSTALL_ERROR
@@ -1521,7 +1535,8 @@ def install(options, env, fstore, statestore):
synced_ntp = ipaclient.ntpconf.synconce_ntp(cli_server[0])
if not synced_ntp:
root_logger.warning("Unable to sync time with IPA NTP " +
- "server, assuming the time is in sync.")
+ "server, assuming the time is in sync. Please check " +
+ "that 123 UDP port is opened.")
(krb_fd, krb_name) = tempfile.mkstemp()
os.close(krb_fd)
if configure_krb5_conf(
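Review bot: The two added lines keep the explicit `+` between adjacent string literals, while the hunk at -1392 in this same commit removes that `+` in favour of implicit concatenation; one form should be used throughout. The wording "123 UDP port is opened" would read better as `"that UDP port 123 is open."`. Since the code goes on assuming the time is in sync, it may also be worth saying in the warning that clock skew can make the later Kerberos step fail; the hunk does not show whether that is reported elsewhere. `install()` starts and ends outside the hunk.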
@@ -1575,6 +1590,7 @@ def install(options, env, fstore, statestore):
if returncode != 0:
root_logger.error("Kerberos authentication failed")
root_logger.info("%s", stdout)
+ print_port_conf_info()
return CLIENT_INSTALL_ERROR
elif options.password:
nolog = (options.password,)
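Review bot: `print_port_conf_info()` is called for every non-zero return code from the Kerberos step, which presumably includes wrong credentials and clock skew as well as blocked ports. Printing the firewall hint unconditionally can steer an administrator towards loosening firewall rules when the real cause is a bad password. Consider prefacing it with a line such as `root_logger.info("If the credentials are correct, the failure may be caused by blocked ports.")`, or only printing the hint when the captured output indicates that the KDC could not be contacted. The enclosing branch of `install()` starts outside the hunk.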
diff --git a/ipa-client/ipaclient/ipadiscovery.py b/ipa-client/ipaclient/ipadiscovery.py
index f91d4075a..63acf6200 100644
--- a/ipa-client/ipaclient/ipadiscovery.py
+++ b/ipa-client/ipaclient/ipadiscovery.py
@@ -290,6 +290,7 @@ class IPADiscovery(object):
run(["/usr/bin/wget", "-O", "%s/ca.crt" % temp_ca_dir, "-T", "15", "-t", "2",
"http://%s/ipa/config/ca.crt" % format_netloc(thost)])
except CalledProcessError, e:
+ root_logger.error('Retrieving CA from %s failed', thost)
root_logger.debug('Retrieving CA from %s failed: %s', thost, str(e))
return [NOT_IPA_SERVER]
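Review bot: The new error line repeats the debug line below it without the reason, so at the default log level the user learns only that the download failed and the caller then reports the host as not being an IPA server. Naming the transport would make the port hint actionable, e.g. `root_logger.error('Retrieving CA from %s failed (HTTP, TCP port 80)', thost)`. The context lines also show the CA certificate being fetched over plain `http://`; a comment here stating how the downloaded certificate is validated before it is trusted would help, since nothing in the hunk shows that. The enclosing method starts and ends outside the hunk.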