Notify user about necessary ports in ipa-client-install

The connection error message in ipa-client-install now warns the user
that all the ports necessary for ipa-client enrollment need to be open
when an error that might have been caused by closed ports is
encountered. It also mentions the ports needed after the client
enrollment.

Improves other error messages during installation in various ways.

https://fedorahosted.org/freeipa/ticket/2816
Tomas Babej
2012-09-26 08:52:50 -04:00
committed by Rob Crittenden
parent 2ca7bb3134
commit 00a54b8b7f
2 changed files with 19 additions and 2 deletions


@@ -1250,6 +1250,17 @@ def update_ssh_keys(server, hostname, ssh_dir, create_sshfp):
if not do_nsupdate(update_txt):
root_logger.warning("Could not update DNS SSHFP records.")
def print_port_conf_info():
root_logger.info(
"Please make sure the following ports are opened "
"in the firewall settings:\n"
" TCP: 80, 88, 389\n"
" UDP: 88 (at least one of TCP/UDP ports 88 has to be open)\n"
"Also note that following ports are necessary for ipa-client "
"working properly after enrollment:\n"
" TCP: 464\n"
" UDP: 464, 123 (if NTP enabled)")
def install(options, env, fstore, statestore):
dnsok = False
@@ -1379,6 +1390,7 @@ def install(options, env, fstore, statestore):
if ret == ipadiscovery.NOT_IPA_SERVER:
root_logger.error("%s is not an IPA v2 Server.", cli_server[0])
print_port_conf_info()
root_logger.debug("(%s: %s)", cli_server[0], cli_server_source)
return CLIENT_INSTALL_ERROR
@@ -1392,8 +1404,9 @@ def install(options, env, fstore, statestore):
if ret != 0:
root_logger.error("Failed to verify that %s is an IPA Server.",
cli_server[0])
root_logger.error("This may mean that the remote server is not up " +
root_logger.error("This may mean that the remote server is not up "
"or is not reachable due to network or firewall settings.")
print_port_conf_info()
root_logger.debug("(%s: %s)", cli_server[0], cli_server_source)
return CLIENT_INSTALL_ERROR
@@ -1442,6 +1455,7 @@ def install(options, env, fstore, statestore):
ret = ds.search(domain=cli_domain, server=server, hostname=hostname)
if ret == ipadiscovery.NOT_IPA_SERVER:
root_logger.error("%s is not an IPA v2 Server.", server)
print_port_conf_info()
root_logger.debug("(%s: %s)", server, cli_server_source)
return CLIENT_INSTALL_ERROR
@@ -1521,7 +1535,8 @@ def install(options, env, fstore, statestore):
synced_ntp = ipaclient.ntpconf.synconce_ntp(cli_server[0])
if not synced_ntp:
root_logger.warning("Unable to sync time with IPA NTP " +
"server, assuming the time is in sync.")
"server, assuming the time is in sync. Please check " +
"that 123 UDP port is opened.")
(krb_fd, krb_name) = tempfile.mkstemp()
os.close(krb_fd)
if configure_krb5_conf(
@@ -1575,6 +1590,7 @@ def install(options, env, fstore, statestore):
if returncode != 0:
root_logger.error("Kerberos authentication failed")
root_logger.info("%s", stdout)
print_port_conf_info()
return CLIENT_INSTALL_ERROR
elif options.password:
nolog = (options.password,)
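Review bot: print_port_conf_info(), added in the first hunk, lists bare port numbers without naming the service behind each one, so an administrator cannot tell what a firewall rule would expose or which rule to check. A short docstring or comment mapping them would help, e.g. `# 80: HTTP (CA cert fetch), 88: Kerberos, 389: LDAP, 464: kpasswd, 123: NTP`; the TCP 80 entry matches the plain-HTTP ca.crt retrieval visible in the discovery code of this commit. If enrollment itself talks to the server over HTTPS, TCP 443 presumably belongs in the list too, which is worth confirming. The helper is also called after "Kerberos authentication failed" in the last hunk, where wrong credentials seem at least as likely as a closed port, so a lead-in such as `"If the credentials are correct, check the firewall settings:"` would keep the hint from pointing users at the firewall first. install() starts and ends outside the hunks shown.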


@@ -290,6 +290,7 @@ class IPADiscovery(object):
run(["/usr/bin/wget", "-O", "%s/ca.crt" % temp_ca_dir, "-T", "15", "-t", "2",
"http://%s/ipa/config/ca.crt" % format_netloc(thost)])
except CalledProcessError, e:
root_logger.error('Retrieving CA from %s failed', thost)
root_logger.debug('Retrieving CA from %s failed: %s', thost, str(e))
return [NOT_IPA_SERVER]
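Review bot: The new error-level message omits the failure cause, which stays in the debug line only, and the handler still returns NOT_IPA_SERVER for every wget failure, so a blocked port 80 and a host that really is not an IPA server look the same to the caller. Including the exit status would let the operator tell them apart without rerunning with debug logging, e.g. `root_logger.error('Retrieving CA from %s failed (exit status %s)', thost, e.returncode)`, assuming this CalledProcessError carries `returncode` as the subprocess one does. Separately, the context line fetches ca.crt over `http://`, so the certificate is not authenticated at this point; a comment stating where, if anywhere, it is verified later would help readers of this method. The enclosing method starts and ends outside the hunk.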