ipa-client-install never runs #36

Open
amdonov opened this issue Mar 6, 2014 · 12 comments
Comments

@amdonov

amdonov commented Mar 6, 2014

I'm attempting to use puppet to install everything on clean CentOS 6.5 machines. Right now it's just a master with a couple of clients. The server install goes smoothly. When I add the client to nodes, it installs the software and your module is adding the host to the ipa master. However, ipa-client-install never executes. I'm having trouble following the code. What's the purpose of the ldapsearch for the admin user?

I'm running version 1.5.5 of your module with puppet 3.4.3 and puppetdb 1.6.2.

@robruma
Contributor

robruma commented Mar 8, 2014

Can you attach the output of a manual Puppet run on the client with --debug? I know this may be a lot of information so I think I would just need the last 10 lines or so.

Thanks
Rob

@amdonov
Author

amdonov commented Mar 10, 2014

Thanks for the reply. Hopefully the lines below help. For this test, I'm trying to install the client on a server named apache.example.com. The master is ipa.example.com. The only thing that looked a little odd to me was that the fqdn in the search was that of the master. Should it be the name of the client machine?

```
Notice: Running IPA client install, please wait.
Notice: /Stage[main]/Ipa::Client/Ipa::Clientinstall[ipa.example.com]/Notify[Running IPA client install, please wait.]/message: defined 'message' as 'Running IPA client install, please wait.'
Debug: /Stage[main]/Ipa::Client/Ipa::Clientinstall[ipa.example.com]/Notify[Running IPA client install, please wait.]: The container Ipa::Clientinstall[ipa.example.com] will propagate my refresh event
Debug: Execclient-install-ipa.example.com: Executing check '/bin/bash -c "LDAPTLS_REQCERT=never /usr/bin/ldapsearch -LLL -x -H ldaps://ipa.example.com -D uid=admin,cn=users,cn=accounts,dc=example,dc=com -b dc=example,dc=com -w XXXXXXXX fqdn=ipa.example.com | /bin/grep ^krbPrincipalName"'
Debug: Executing '/bin/bash -c "LDAPTLS_REQCERT=never /usr/bin/ldapsearch -LLL -x -H ldaps://ipa.example.com -D uid=admin,cn=users,cn=accounts,dc=example,dc=com -b dc=example,dc=com -w XXXXXXXX fqdn=ipa.example.com | /bin/grep ^krbPrincipalName"'
Debug: /Stage[main]/Ipa::Client/Ipa::Clientinstall[ipa.example.com]/Exec[client-install-ipa.example.com]/unless: krbPrincipalName: host/[email protected]
Debug: Executing '/sbin/service sssd status'
Debug: Executing '/sbin/chkconfig sssd'
Debug: Executing '/sbin/service sssd start'
Error: Could not start Service[sssd]: Execution of '/sbin/service sssd start' returned 1:
Error: /Stage[main]/Ipa/Service[sssd]/ensure: change from stopped to running failed: Could not start Service[sssd]: Execution of '/sbin/service sssd start' returned 1:
```

@robruma
Contributor

robruma commented Mar 12, 2014

By the looks of these messages, it seems like you have an error on your sssd.conf. I'm not sure if this is a problem with the module though. Can you check the logs in /var/log/sssd to find what the problem is or manually inspect your sssd.conf file?

@amdonov
Author

amdonov commented Mar 12, 2014

Rob,

The sssd.conf is generated by running ipa-client-install. As this command never runs, I don't have an sssd.conf file.

It seems to me that the unless command of the following exec is wrong in some way. When I run it, the value of ${host} is the same as ${masterfqdn}, which doesn't seem correct. Shouldn't ${host} have the value of the client machine's fqdn?

```puppet
exec { "client-install-${host}":
  command   => "/bin/echo | $clientinstallcmd",
  unless    => shellquote('/bin/bash', '-c', "LDAPTLS_REQCERT=never /usr/bin/ldapsearch -LLL -x -H ldaps://${masterfqdn} -D uid=admin,cn=users,cn=accounts,${dc} -b ${dc} -w ${adminpw} fqdn=${host} | /bin/grep ^krbPrincipalName"),
  timeout   => '0',
  tries     => '60',
  try_sleep => '90',
  returns   => ['0', '1'],
  logoutput => "on_failure",
} <- notify { "Running IPA client install, please wait.": }
```

@jyaworski

I can confirm that ipa-client-install generates sssd.conf when not run with this module, but manually. I have encountered this issue as well.

@robruma
Contributor

robruma commented Mar 26, 2014

You may want to try running against the current git master branch... There have been a lot of changes since the last 1.5.5 release.

Thanks
Rob

@jyaworski

@robruma I'm actually at commit 5616e44 as I follow the master branch. Do you mean even more recently?

@robruma
Contributor

robruma commented Mar 26, 2014

Yes, as of 7425b8960a

@jonuwz

jonuwz commented Mar 28, 2014

This is a plausible bug.
The ldap search looks for krbPrincipalName. This still exists in ldap if you unenroll the client,
i.e.

```
# ipa-client-install --uninstall --unattended
Client uninstall complete
# LDAPTLS_REQCERT=never ldapsearch -LLL ... fqdn=$(facter fqdn) | grep krbPrincipalName
krbPrincipalName: host/[email protected]
```

and the install never re-runs.

krbLastPwdChange is removed from ldap when it's unenrolled, though.

@robruma
Contributor

robruma commented Mar 29, 2014

Good find! I'll put together a patch

robruma added a commit that referenced this issue Mar 29, 2014
Changing krbPrincipalName to krbLastPwdChange in exec unless. Potential fix for #36
@jonuwz

jonuwz commented Mar 29, 2014

Hi.

Another problem: you need ldaptools installed to do the search.

If you read ipa-client-install, the installer thinks it's installed if there are files in /var/lib/ipa-client/sysrestore/sysrestore.index or if /etc/ipa/default.conf exists.

If you are looking to see whether the system is enrolled, you can simply do

```
kinit -c /dev/null/foo -k -t /etc/krb5.keytab host/${host}
```

A return code of 0 is good.
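The two checks suggested in this thread, the installer's own file heuristic and a kinit against the host keytab, combined into one script suitable as a Puppet exec `unless`; this is an added example, not code from the module or from anyone in the thread. The file paths are the ones quoted above; the KINIT variable (so the check can be exercised without Kerberos present) and the use of a temporary ccache instead of the /dev/null/foo path are this example's own assumptions.

```shell
#!/bin/sh
# Exit 0 => host is enrolled (Puppet skips ipa-client-install); exit 1 => run it.
# Unlike a krbPrincipalName ldapsearch, this needs no ldap tools and no admin
# password on the client, and it fails closed when the host keytab is stale.

# State files ipa-client-install leaves behind (paths quoted in the thread).
IPA_DEFAULT_CONF="${IPA_DEFAULT_CONF:-/etc/ipa/default.conf}"
IPA_SYSRESTORE_INDEX="${IPA_SYSRESTORE_INDEX:-/var/lib/ipa-client/sysrestore/sysrestore.index}"
HOST_KEYTAB="${HOST_KEYTAB:-/etc/krb5.keytab}"
# Assumption for this example: the kinit binary is overridable for testing.
KINIT="${KINIT:-kinit}"

# Mirrors the installer's "already installed" heuristic: default.conf exists,
# or the sysrestore index is non-empty.
ipa_client_files_present() {
    [ -f "$IPA_DEFAULT_CONF" ] && return 0
    [ -s "$IPA_SYSRESTORE_INDEX" ] && return 0
    return 1
}

# Proves enrollment right now: the KDC must accept the host keytab.
# The TGT is stored in a throw-away ccache that is deleted immediately.
host_keytab_works() {
    fqdn="$1"
    [ -r "$HOST_KEYTAB" ] || return 1
    ccache=$(mktemp) || return 1
    if "$KINIT" -c "$ccache" -k -t "$HOST_KEYTAB" "host/${fqdn}" >/dev/null 2>&1; then
        rc=0
    else
        rc=1
    fi
    rm -f "$ccache"
    return $rc
}

# Combined decision: files on disk AND a working keytab. A host that was
# unenrolled (files gone) or whose keytab was revoked (kinit fails) reports 1.
ipa_client_enrolled() {
    fqdn="$1"
    if ! ipa_client_files_present; then
        echo "no ipa client config on disk: ipa-client-install needed" >&2
        return 1
    fi
    if ! host_keytab_works "$fqdn"; then
        echo "client config present but host keytab rejected: re-enroll" >&2
        return 1
    fi
    return 0
}
```

Wire it in as `unless => "/usr/local/bin/ipa-client-enrolled.sh ${fqdn}"` in place of the ldapsearch pipeline, passing the client's own fqdn rather than the master's.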

@xbezdick
Contributor

xbezdick commented Feb 5, 2015

Should be fixed in #57
