Bug 1108220
| Summary: | Broken Firefox configuration files in freeipa-client package | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Martin Kosek <mkosek> |
| Component: | ipa | Assignee: | Martin Kosek <mkosek> |
| Status: | CLOSED ERRATA | QA Contact: | Namita Soman <nsoman> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 7.1 | CC: | jgalipea, pvoborni, rcritten, spoore |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | ipa-4.0.3-1.el7 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2015-03-05 10:11:47 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |

Description
Martin Kosek
2014-06-11 14:57:28 UTC
This request is already fixed in upstream FreeIPA project. Please refer to the linked ticket for additional details and related commits.

Please add steps to verify

There are two parts:

1. Check that ipa-client package doesn't contain files:
   - %{_usr}/share/ipa/ipaclient/ipa.cfg
   - %{_usr}/share/ipa/ipaclient/ipa.js
2. Check functionality of ipa-client-install options: --configure-firefox, --firefox-dir=DIR

--firefox-dir specifies where Firefox is installed; usually it can be omitted. By default it is set to: /usr/lib64/firefox or /usr/lib/firefox

--configure-firefox will create a global configuration file which will affect default settings for Firefox configuration options as follows:

```
pref("network.negotiate-auth.trusted-uris", ".$DOMAIN"); <-- IPA domain
pref("network.negotiate-auth.gsslib", "");
pref("network.negotiate-auth.using-native-gsslib", true);
pref("network.negotiate-auth.allow-proxies", true);
```

The config file should be located at `$firefox_dir/browser/defaults/preferences/all-ipa.js`

Basically if this is run on a system with Firefox along with https://bugzilla.redhat.com/show_bug.cgi?id=1031111 , user then doesn't have to run browser configuration from Web UI, i.e., this config should have the same effect as the kerberos firefox extension.

Verified.

Version ::

```
ipa-client-4.1.0-16.el7.x86_64
firefox-31.4.0-1.el7_0.x86_64
```

Results ::

```
[root@rhel7-3 ~]# rpm -ql ipa-client|egrep "ipa.cfg|ipa.js"
[root@rhel7-3 ~]#
[root@rhel7-3 ~]# find /usr/share|egrep "ipa.cfg|ipa.js"
[root@rhel7-3 ~]#
```

* Check install without --configure-firefox:

```
[root@rhel7-3 ~]# ipa-client-install -U --domain=example.com --realm=EXAMPLE.COM -p admin -w Secret123 --server=rhel7-1.example.com
Hostname: rhel7-3.example.com
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: rhel7-1.example.com
BaseDN: dc=example,dc=com
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=EXAMPLE.COM
Issuer: CN=Certificate Authority,O=EXAMPLE.COM
Valid From: Mon Jan 26 17:07:40 2015 UTC
Valid Until: Fri Jan 26 17:07:40 2035 UTC
Enrolled in IPA realm EXAMPLE.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm EXAMPLE.COM
trying https://rhel7-1.example.com/ipa/json
Forwarding 'ping' to json server 'https://rhel7-1.example.com/ipa/json'
Forwarding 'ca_is_enabled' to json server 'https://rhel7-1.example.com/ipa/json'
Systemwide CA database updated.
Added CA certificates to the default NSS database.
Hostname (rhel7-3.example.com) not found in DNS
DNS server record set to: rhel7-3.example.com -> 192.168.122.73
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Forwarding 'host_mod' to json server 'https://rhel7-1.example.com/ipa/json'
SSSD enabled
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring example.com as NIS domain.
Client configuration complete.
[root@rhel7-3 ~]# ls -l /usr/lib64/firefox/browser/defaults/preferences/all-ipa.js
ls: cannot access /usr/lib64/firefox/browser/defaults/preferences/all-ipa.js: No such file or directory
```

* Check install with --configure-firefox without --firefox-dir

```
[root@rhel7-3 ~]# ipa-client-install -U --domain=example.com --realm=EXAMPLE.COM -p admin -w Secret123 --server=rhel7-1.example.com --configure-firefox
Hostname: rhel7-3.example.com
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: rhel7-1.example.com
BaseDN: dc=example,dc=com
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=EXAMPLE.COM
Issuer: CN=Certificate Authority,O=EXAMPLE.COM
Valid From: Mon Jan 26 17:07:40 2015 UTC
Valid Until: Fri Jan 26 17:07:40 2035 UTC
Enrolled in IPA realm EXAMPLE.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm EXAMPLE.COM
trying https://rhel7-1.example.com/ipa/json
Forwarding 'ping' to json server 'https://rhel7-1.example.com/ipa/json'
Forwarding 'ca_is_enabled' to json server 'https://rhel7-1.example.com/ipa/json'
Systemwide CA database updated.
Added CA certificates to the default NSS database.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Forwarding 'host_mod' to json server 'https://rhel7-1.example.com/ipa/json'
SSSD enabled
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Firefox sucessfully configured.
Configuring example.com as NIS domain.
Client configuration complete.
[root@rhel7-3 ~]# ls -l /usr/lib64/firefox/browser/defaults/preferences/all-ipa.js
-rw-r--r--. 1 root root 279 Jan 26 20:05 /usr/lib64/firefox/browser/defaults/preferences/all-ipa.js
[root@rhel7-3 ~]# wc -l /usr/lib64/firefox/browser/defaults/preferences/all-ipa.js
9 /usr/lib64/firefox/browser/defaults/preferences/all-ipa.js
[root@rhel7-3 ~]# cat /usr/lib64/firefox/browser/defaults/preferences/all-ipa.js
/* Kerberos SSO configuration */
pref("network.negotiate-auth.trusted-uris", ".example.com");
/* These are the defaults */
pref("network.negotiate-auth.gsslib", "");
pref("network.negotiate-auth.using-native-gsslib", true);
pref("network.negotiate-auth.allow-proxies", true);
```

* Make sure uninstall removes firefox config

```
[root@rhel7-3 ~]# ipa-client-install --uninstall -U
Unenrolling client from IPA server
Removing Kerberos service principals from /etc/krb5.keytab
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
Restoring client configuration files
Unconfiguring the NIS domain.
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Removing Firefox configuration.
Systemwide CA database updated.
Client uninstall complete.
[root@rhel7-3 ~]# cat /usr/lib64/firefox/browser/defaults/preferences/all-ipa.js
cat: /usr/lib64/firefox/browser/defaults/preferences/all-ipa.js: No such file or directory
```

* Check install with --configure-firefox and --firefox-dir for a directory that does not exist

```
[root@rhel7-3 ~]# ipa-client-install -U --domain=example.com --realm=EXAMPLE.COM -p admin -w Secret123 --server=rhel7-1.example.com --configure-firefox --firefox-dir=/tmp/firefox
Hostname: rhel7-3.example.com
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: rhel7-1.example.com
BaseDN: dc=example,dc=com
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=EXAMPLE.COM
Issuer: CN=Certificate Authority,O=EXAMPLE.COM
Valid From: Mon Jan 26 17:07:40 2015 UTC
Valid Until: Fri Jan 26 17:07:40 2035 UTC
Enrolled in IPA realm EXAMPLE.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm EXAMPLE.COM
trying https://rhel7-1.example.com/ipa/json
Forwarding 'ping' to json server 'https://rhel7-1.example.com/ipa/json'
Forwarding 'ca_is_enabled' to json server 'https://rhel7-1.example.com/ipa/json'
Systemwide CA database updated.
Added CA certificates to the default NSS database.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Forwarding 'host_mod' to json server 'https://rhel7-1.example.com/ipa/json'
SSSD enabled
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Directory '/tmp/firefox/browser/defaults/preferences' does not exists.
Firefox configuration failed.
Configuring example.com as NIS domain.
Client configuration complete.
[root@rhel7-3 ~]# grep "/tmp/firefox.*does not exist" /var/log/ipaclient-install.log
2015-01-27T02:08:17Z ERROR Directory '/tmp/firefox/browser/defaults/preferences' does not exists.
```

* Check install with --configure-firefox and --firefox-dir for a directory that does exist

```
[root@rhel7-3 ~]# mkdir -p /tmp/firefox/browser/defaults/preferences
[root@rhel7-3 ~]# ipa-client-install -U --domain=example.com --realm=EXAMPLE.COM -p admin -w Secret123 --server=rhel7-1.example.com --configure-firefox --firefox-dir=/tmp/firefox
Hostname: rhel7-3.example.com
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: rhel7-1.example.com
BaseDN: dc=example,dc=com
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=EXAMPLE.COM
Issuer: CN=Certificate Authority,O=EXAMPLE.COM
Valid From: Mon Jan 26 17:07:40 2015 UTC
Valid Until: Fri Jan 26 17:07:40 2035 UTC
Enrolled in IPA realm EXAMPLE.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm EXAMPLE.COM
trying https://rhel7-1.example.com/ipa/json
Forwarding 'ping' to json server 'https://rhel7-1.example.com/ipa/json'
Forwarding 'ca_is_enabled' to json server 'https://rhel7-1.example.com/ipa/json'
Systemwide CA database updated.
Added CA certificates to the default NSS database.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Forwarding 'host_mod' to json server 'https://rhel7-1.example.com/ipa/json'
SSSD enabled
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Firefox sucessfully configured.
Configuring example.com as NIS domain.
Client configuration complete.
[root@rhel7-3 ~]# grep "/tmp/firefox.*does not exist" /var/log/ipaclient-install.log
[root@rhel7-3 ~]# cat /tmp/firefox/browser/defaults/preferences/all-ipa.js
/* Kerberos SSO configuration */
pref("network.negotiate-auth.trusted-uris", ".example.com");
/* These are the defaults */
pref("network.negotiate-auth.gsslib", "");
pref("network.negotiate-auth.using-native-gsslib", true);
pref("network.negotiate-auth.allow-proxies", true);
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0442.html
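
The verification above inspects `all-ipa.js` by eye. As an added example (not part of the bug report or of FreeIPA's code), the shell function below checks the same file for the four prefs listed in the verification steps and flags group/other write bits, since `network.negotiate-auth.trusted-uris` decides which sites Firefox will send Negotiate (Kerberos) tokens to. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the prefs file written by
# `ipa-client-install --configure-firefox`. Function names are illustrative.

# Print the value of pref("NAME", VALUE); if repeated, the last line is used.
pref_value() {
    name=$(printf '%s\n' "$2" | sed 's/\./\\./g')   # escape dots for the regex
    sed -n 's/^[[:space:]]*pref("'"$name"'",[[:space:]]*\(.*\));[[:space:]]*$/\1/p' "$1" |
        tail -n 1
}

# check_ipa_firefox_prefs FILE DOMAIN -> 0 ok, 1 drift, 2 file missing
check_ipa_firefox_prefs() {
    file=$1 domain=$2 rc=0
    [ -f "$file" ] || { echo "MISSING: $file"; return 2; }
    # The verified file was -rw-r--r-- root root: flag group/other write bits.
    if [ -n "$(find "$file" \( -perm -020 -o -perm -002 \))" ]; then
        echo "WRITABLE by group/other: $file"; rc=1
    fi
    while read -r pref want; do
        got=$(pref_value "$file" "$pref")
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $pref: want $want, got ${got:-<unset>}"; rc=1
        fi
    done <<EOF
network.negotiate-auth.trusted-uris ".$domain"
network.negotiate-auth.gsslib ""
network.negotiate-auth.using-native-gsslib true
network.negotiate-auth.allow-proxies true
EOF
    return $rc
}

# Constructed sample mirroring the `cat` output in the verification above.
demo_dir=$(mktemp -d)
cat > "$demo_dir/all-ipa.js" <<'EOF'
/* Kerberos SSO configuration */
pref("network.negotiate-auth.trusted-uris", ".example.com");
/* These are the defaults */
pref("network.negotiate-auth.gsslib", "");
pref("network.negotiate-auth.using-native-gsslib", true);
pref("network.negotiate-auth.allow-proxies", true);
EOF
chmod 644 "$demo_dir/all-ipa.js"
check_ipa_firefox_prefs "$demo_dir/all-ipa.js" example.com && echo "OK: prefs match"
```

On an enrolled host, point it at `$firefox_dir/browser/defaults/preferences/all-ipa.js` with the IPA domain as the second argument; a non-zero exit means the file is missing or has drifted from what the installer writes.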