Bug 1253045
| Summary: | handle_exceptions() raises JSONDecodeError | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Matthew Harmsen <mharmsen> |
| Component: | pki-core | Assignee: | Christian Heimes <cheimes> |
| Status: | CLOSED ERRATA | QA Contact: | Asha Akkiangady <aakkiang> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 7.2 | CC: | alee, cheimes, edewata, ftweedal, jcholast, mharmsen, pvoborni, rpattath |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | pki-core-10.2.5-5.el7 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2015-11-19 09:22:58 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1250093 | | |

Description
Matthew Harmsen
2015-08-12 19:46:18 UTC
Please provide verification steps for this bug.

I have not tried this, but per discussion with alee this bug probably can be verified as follows:

1. Create a master with pki-9.0.3 (or IPA 3.0) on RHEL 6.7.
2. Create a replica with pki-10.2.5 (or IPA 4.2) on RHEL 7.2 with a wrong pki_security_domain_password (or provide a wrong password for ipa-replica-prepare).

Without the fix pkispawn will generate the following error message:

```
simplejson.scanner.JSONDecodeError: Expecting value: line 1 column 1 (char 0)
```

With the fix pkispawn will generate a more descriptive error message (not sure the exact error), for example:

* HTTPError: 403 Client Error: Forbidden
* HTTPError: 404 Client Error: Not Found

Endi, I was trying out your suggestions and I see the following:

After installing ipa-server on a RHEL 6.7 machine using IPA 3.0, I copied /usr/share/ipa/copy-schema-to-ca.py from the RHEL 7.2 (IPA 4.2) machine to the RHEL 6.7 machine. I did the following on the RHEL 6.7 machine then:

```
[root@sparks ~]# python /root/copy-schema-to-ca.py
ipa : INFO Installed /etc/dirsrv/slapd-PKI-IPA//schema/60kerberos.ldif
ipa : INFO Installed /etc/dirsrv/slapd-PKI-IPA//schema/60samba.ldif
ipa : INFO Installed /etc/dirsrv/slapd-PKI-IPA//schema/60ipaconfig.ldif
ipa : INFO Installed /etc/dirsrv/slapd-PKI-IPA//schema/60basev2.ldif
ipa : INFO Installed /etc/dirsrv/slapd-PKI-IPA//schema/60basev3.ldif
ipa : INFO Installed /etc/dirsrv/slapd-PKI-IPA//schema/60ipadns.ldif
ipa : INFO Installed /etc/dirsrv/slapd-PKI-IPA//schema/61kerberos-ipav3.ldif
ipa : INFO Installed /etc/dirsrv/slapd-PKI-IPA//schema/65ipasudo.ldif
ipa : INFO Installed /etc/dirsrv/slapd-PKI-IPA//schema/05rfc2247.ldif
ipa : INFO Restarting CA DS
ipa : INFO Schema updated successfully
[root@sparks ~]# ipa-replica-prepare mgmt7.rhq.lab.eng.bos.redhat.com
Directory Manager (existing master) password:
The password provided is incorrect for LDAP server sparks.idmqe.lab.eng.bos.redhat.com
```

The only password prompted during ipa-replica-prepare was for the directory server instance password.

Then I copied /var/lib/ipa/replica-info-mgmt7.rhq.lab.eng.bos.redhat.com.gpg to the RHEL 7.2 replica machine and did the following:

```
[root@mgmt7 ~]# ipa-replica-install replica-info-mgmt7.rhq.lab.eng.bos.redhat.com.gpg --setup-ca
WARNING: conflicting time&date synchronization service 'chronyd' will be disabled in favor of ntpd
Directory Manager (existing master) password:
ipa : ERROR Failed to decrypt or open the replica file.
ERROR: Failed to decrypt or open the replica file. Verify you entered the correct Directory Manager password.
[root@mgmt7 ~]# ipa-replica-install replica-info-mgmt7.rhq.lab.eng.bos.redhat.com.gpg --setup-ca
WARNING: conflicting time&date synchronization service 'chronyd' will be disabled in favor of ntpd
Directory Manager (existing master) password:
Run connection check to master
Check connection from replica to remote master 'sparks.idmqe.lab.eng.bos.redhat.com':
Directory Service: Unsecure port (389): OK
Directory Service: Secure port (636): OK
Kerberos KDC: TCP (88): OK
Kerberos Kpasswd: TCP (464): OK
HTTP Server: Unsecure port (80): OK
HTTP Server: Secure port (443): OK
PKI-CA: Directory Service port (7389): OK
The following list of ports use UDP protocol and would need to be checked manually:
Kerberos KDC: UDP (88): SKIPPED
Kerberos Kpasswd: UDP (464): SKIPPED
Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
admin.ENG.BOS.REDHAT.COM password:
Cannot acquire Kerberos ticket: kinit: Password incorrect while getting initial credentials
ipa.ipapython.install.cli.install_tool(Replica): ERROR Connection check failed!
Please fix your network settings according to error messages above.
If the check results are not valid it can be skipped with --skip-conncheck parameter.
```

Please let me know if I am testing the right way. I did not see any HTTP error messages when I provided the wrong password during the above test. I checked the ca debug log and ipareplica-install log, and did not see any HTTP error messages there either.

Thanks for trying this. So it looks like we cannot provide an incorrect password to the ipa-replica-prepare. It's strange that the GPG file is still generated with the incorrect password. Are you sure it's not from a previous execution?

Could you try this instead?

1. Create a RHEL 6.7 master (or use the existing one).
2. Run ipa-replica-prepare on master with the correct Directory Manager password.
3. Change the security domain admin password to something else by modifying the userPassword attribute in uid=admin,ou=people,o=ipaca in the DS.
4. Run ipa-replica-install on RHEL 7.2 replica with the correct Directory Manager password as in #2.

I suppose the replica installation will fail and generate the proper error message when connecting to the security domain in master. Please let me know if there are any issues.

Hi Endi, I followed your instructions in comment 5 and got the following output for step 4:

```
[root@mgmt7 ~]# ipa-replica-install replica-info-mgmt7.rhq.lab.eng.bos.redhat.com.gpg --setup-ca
WARNING: conflicting time&date synchronization service 'chronyd' will be disabled in favor of ntpd
Directory Manager (existing master) password:
Run connection check to master
Check connection from replica to remote master 'ipaqa64vme.idmqe.lab.eng.bos.redhat.com':
Directory Service: Unsecure port (389): OK
Directory Service: Secure port (636): OK
Kerberos KDC: TCP (88): OK
Kerberos Kpasswd: TCP (464): OK
HTTP Server: Unsecure port (80): OK
HTTP Server: Secure port (443): OK
PKI-CA: Directory Service port (7389): OK
The following list of ports use UDP protocol and would need to be checked manually:
Kerberos KDC: UDP (88): SKIPPED
Kerberos Kpasswd: UDP (464): SKIPPED
Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
admin.ENG.BOS.REDHAT.COM password:
Cannot acquire Kerberos ticket: kinit: Password incorrect while getting initial credentials
ipa.ipapython.install.cli.install_tool(Replica): ERROR Connection check failed!
Please fix your network settings according to error messages above.
If the check results are not valid it can be skipped with --skip-conncheck parameter.
```

Is this sufficient to verify the bug?

Thanks, Roshni.

It's a little bit hard to properly verify this bug since the bug can only be reproduced if there's another bug (as mentioned in the original bug description) and now the other bug has been fixed.

Per discussion with aakkiang the latest test is sufficient for sanity only verification.

```
[root@mgmt7 ~]# rpm -qi ipa-server
Name : ipa-server
Version : 4.2.0
Release : 5.el7
Architecture: x86_64
Install Date: Fri 04 Sep 2015 04:18:55 PM EDT
Group : System Environment/Base
Size : 5133823
License : GPLv3+
Signature : RSA/SHA256, Thu 20 Aug 2015 06:11:44 AM EDT, Key ID 938a80caf21541eb
Source RPM : ipa-4.2.0-5.el7.src.rpm
Build Date : Wed 19 Aug 2015 09:03:05 AM EDT
Build Host : x86-034.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor : Red Hat, Inc.
URL : http://www.freeipa.org/
Summary : The IPA authentication server
[root@mgmt7 ~]# rpm -qi pki-ca
Name : pki-ca
Version : 10.2.6
Release : 8.el7pki
Architecture: noarch
Install Date: Tue 08 Sep 2015 01:39:46 PM EDT
Group : System Environment/Daemons
Size : 2416291
License : GPLv2
Signature : (none)
Source RPM : pki-core-10.2.6-8.el7pki.src.rpm
Build Date : Tue 25 Aug 2015 01:18:45 AM EDT
Build Host : x86-025.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor : Red Hat, Inc.
URL : http://pki.fedoraproject.org/
Summary : Certificate System - Certificate Authority
```

Using the above builds I was able to verify a sanity test in comment 6. Verifying the bug based on Endi's comment 7.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2276.html
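
Added example, not part of the bug report and not pki-core's code: a simplified model of the failure named in the summary, where an error-handling decorator parses the body of a failed HTTP response as JSON, shown beside a version that falls back to the original HTTP error. The stand-in `HTTPError` and `PKIException` classes, the `Message` key, the `outcome` helper and the use of the standard `json` module in place of simplejson are assumptions made for illustration.

```python
import json
from functools import wraps

class HTTPError(Exception):
    """Stand-in for an HTTP client's error type (constructed for this example)."""
    def __init__(self, message, body):
        super().__init__(message)
        self.body = body  # raw response body text

class PKIException(Exception):
    """Hypothetical typed error built from a JSON error body."""

def naive_handle_exceptions(func):
    """Assumes every error body is JSON, so a non-JSON body masks the HTTP error."""
    @wraps(func)
    def wrapper(*args, **kwargs):
        try:
            return func(*args, **kwargs)
        except HTTPError as exc:
            # json.loads() raises JSONDecodeError on an empty or HTML body.
            raise PKIException(json.loads(exc.body)["Message"])
    return wrapper

def safe_handle_exceptions(func):
    """Falls back to the original HTTPError when the body is not usable JSON."""
    @wraps(func)
    def wrapper(*args, **kwargs):
        try:
            return func(*args, **kwargs)
        except HTTPError as exc:
            try:
                message = json.loads(exc.body)["Message"]
            except (ValueError, KeyError, TypeError):
                raise exc from None  # keep "403 Client Error: Forbidden" visible
            raise PKIException(message) from exc
    return wrapper

def outcome(decorator, status_line, body):
    """Run a failing call under `decorator`; return (exception name, message)."""
    @decorator
    def call():
        raise HTTPError(status_line, body)
    try:
        call()
    except Exception as err:
        return type(err).__name__, str(err)

if __name__ == "__main__":
    html = "<html><body>Forbidden</body></html>"  # constructed sample body
    print(outcome(naive_handle_exceptions, "403 Client Error: Forbidden", html))
    print(outcome(safe_handle_exceptions, "403 Client Error: Forbidden", html))
```

With the naive decorator the operator sees only the JSON parse failure; with the fallback the HTTP status that explains the failed authentication or missing resource is preserved.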