1 files changed, 18 insertions, 2 deletions

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 7b057a987..8181e5a19 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -1250,6 +1250,17 @@ def update_ssh_keys(server, hostname, ssh_dir, create_sshfp):
         if not do_nsupdate(update_txt):
             root_logger.warning("Could not update DNS SSHFP records.")
 
+def print_port_conf_info():
+    root_logger.info(
+        "Please make sure the following ports are opened "
+        "in the firewall settings:\n"
+        "     TCP: 80, 88, 389\n"
+        "     UDP: 88 (at least one of TCP/UDP ports 88 has to be open)\n"
+        "Also note that following ports are necessary for ipa-client "
+        "working properly after enrollment:\n"
+        "     TCP: 464\n"
+        "     UDP: 464, 123 (if NTP enabled)")
+
 def install(options, env, fstore, statestore):
     dnsok = False
 
@@ -1379,6 +1390,7 @@ def install(options, env, fstore, statestore):
 
     if ret == ipadiscovery.NOT_IPA_SERVER:
         root_logger.error("%s is not an IPA v2 Server.", cli_server[0])
+        print_port_conf_info()
         root_logger.debug("(%s: %s)", cli_server[0], cli_server_source)
         return CLIENT_INSTALL_ERROR
 
@@ -1392,8 +1404,9 @@ def install(options, env, fstore, statestore):
     if ret != 0:
         root_logger.error("Failed to verify that %s is an IPA Server.",
             cli_server[0])
-        root_logger.error("This may mean that the remote server is not up " +
+        root_logger.error("This may mean that the remote server is not up "
             "or is not reachable due to network or firewall settings.")
+        print_port_conf_info()
         root_logger.debug("(%s: %s)", cli_server[0], cli_server_source)
         return CLIENT_INSTALL_ERROR
 
@@ -1442,6 +1455,7 @@ def install(options, env, fstore, statestore):
             ret = ds.search(domain=cli_domain, server=server, hostname=hostname)
             if ret == ipadiscovery.NOT_IPA_SERVER:
                 root_logger.error("%s is not an IPA v2 Server.", server)
+                print_port_conf_info()
                 root_logger.debug("(%s: %s)", server, cli_server_source)
                 return CLIENT_INSTALL_ERROR
 
@@ -1521,7 +1535,8 @@ def install(options, env, fstore, statestore):
                 synced_ntp = ipaclient.ntpconf.synconce_ntp(cli_server[0])
             if not synced_ntp:
                 root_logger.warning("Unable to sync time with IPA NTP " +
-                    "server, assuming the time is in sync.")
+                    "server, assuming the time is in sync. Please check " +
+                    "that 123 UDP port is opened.")
             (krb_fd, krb_name) = tempfile.mkstemp()
             os.close(krb_fd)
             if configure_krb5_conf(
@@ -1575,6 +1590,7 @@ def install(options, env, fstore, statestore):
                 if returncode != 0:
                     root_logger.error("Kerberos authentication failed")
                     root_logger.info("%s", stdout)
+                    print_port_conf_info()
                     return CLIENT_INSTALL_ERROR
             elif options.password:
                 nolog = (options.password,)