Bug 1145584

Summary: ipaserver/install/cainstance.py creates pkiuser not matching uidgid
Product: Red Hat Enterprise Linux 7 Reporter: Jan Pazdziora (Red Hat) <jpazdziora>
Component: ipaAssignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA QA Contact: Namita Soman <nsoman>
Severity: unspecified Docs Contact:
Priority: medium    
Version: 7.0CC: akasurde, alee, dkupka, edewata, jhrozek, jpazdziora, mkosek, rcritten
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-4.2.0-0.1.alpha1.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-11-19 12:00:57 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1143067    
Bug Blocks:    
Attachments:
Description Flags
pki-user-cmd.log none

Description Jan Pazdziora (Red Hat) 2014-09-23 10:30:54 UTC 
Description of problem:

The uid/gid allocated for user/group pkiuser is 17:

# rpm -qf /usr/share/doc/setup-2.8.71/uidgid 
setup-2.8.71-4.el7.noarch
# grep pkiuser /usr/share/doc/setup-2.8.71/uidgid 
pkiuser	17	17	/usr/share/pki		/sbin/nologin	pki-ca,rhpki-ca
# 

The user is not created by rpm scriptlets even if it probably should to comply with https://fedoraproject.org/wiki/Packaging:UsersAndGroups#Soft_static_allocation. There is a bug 1143067 about that issue.

However, the user is created (maybe as a workaround for it not being created by rpm) upon ipa-server-install run:

# grep pkiuser /etc/passwd /etc/group
# ipa-server-install 

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.

[...]

Be sure to back up the CA certificate stored in /root/cacert.p12
This file is required to create replicas. The password for this
file is the Directory Manager password
# grep pkiuser /etc/passwd /etc/group
/etc/passwd:pkiuser:x:994:993:CA System User:/var/lib:/sbin/nologin
/etc/group:pkiuser:x:993:
#

The uid, gid, and home directory do not match the allocated values from uidgid.

Looking at the log,

# grep pkiuser /var/log/ipaserver-install.log 
2014-09-23T10:06:29Z DEBUG adding ca user pkiuser
2014-09-23T10:06:29Z DEBUG args=/usr/sbin/useradd -c CA System User -d /var/lib -s /sbin/nologin -M -r pkiuser

it seems to be created by /usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py.

Version-Release number of selected component (if applicable):

ipa-server-3.3.3-28.el7.x86_64

How reproducible:

Deterministic.

Steps to Reproduce:
1. Before ipa-server-install is run, check for pkiuser in /etc/passwd.
2. Run ipa-server-install, configure IdM.
3. Check for pkiuser in /etc/passwd.
4. Compare the uid, gid, and home directory with values from uidgid file.

Actual results:

Mismatch.

Expected results:

Match.

Additional info:
Comment 2 Martin Kosek 2014-09-29 10:33:14 UTC 
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/4585
Comment 3 Martin Kosek 2014-10-01 15:16:40 UTC 
Ade, Endi - what is your recommendation to fix this ticket in FreeIPA? Should we just add pkiuser with fixed UID in ipa-server-install or would you add it in %post in your packages?
Comment 4 Jan Pazdziora (Red Hat) 2014-10-30 11:00:31 UTC 
(In reply to Martin Kosek from comment #3)
> Ade, Endi - what is your recommendation to fix this ticket in FreeIPA?
> Should we just add pkiuser with fixed UID in ipa-server-install or would you
> add it in %post in your packages?

I'd like both to happen, independently.

Incidently, I don't feel this bug depends on bug 1143067.
Comment 5 Endi Sukma Dewata 2014-11-01 03:51:15 UTC 
I think Dogtag packages should create the pkiuser with the proper attributes (standard UID/GID, home dir, etc.) by default in %pre, but an admin should be able to optionally specify/create a different user when creating a Dogtag instance. If IPA wants to use a specific user for Dogtag instance the IPA installer can certainly specify/create the user, but if the user is the standard pkiuser anyway it shouldn't be necessary once bug 1143067 is fixed since it will guarantee the pkiuser will exist on the system.
Comment 6 Martin Kosek 2014-11-03 11:17:12 UTC 
Makes sense.
Comment 7 Martin Kosek 2014-11-05 14:26:05 UTC 
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/364d466fd7def3589ddb9e4a9f8d73fc2df80439
ipa-4-1:
https://fedorahosted.org/freeipa/changeset/71c24b187a8d4b8990c0899d2c907d600b7bcc21

FreeIPA installer now respects the pkiuser default UID&GID.
Comment 10 Abhijeet Kasurde 2015-10-07 13:04:32 UTC 
Created attachment 1080675 [details]
pki-user-cmd.log
Comment 11 Abhijeet Kasurde 2015-10-07 13:06:23 UTC 
Verified.

IPA server version ::
ipa-server-4.2.0-12.el7.x86_64
Comment 12 errata-xmlrpc 2015-11-19 12:00:57 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2362.html
Comment 13 Red Hat Bugzilla 2023-09-14 02:48:03 UTC 
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days