Bug 1274488
Summary: | ipa-client-install should use previously entered username when performing setup validation | |
---|---|---|---
Product: | Red Hat Enterprise Linux 7 | Reporter: | Brian Mathis <brian.mathis>
Component: | ipa | Assignee: | IPA Maintainers <ipa-maint>
Status: | CLOSED ERRATA | QA Contact: | Namita Soman <nsoman>
Severity: | unspecified | Docs Contact: |
Priority: | unspecified | |
Version: | 7.1 | CC: | amore, frenaud, ndehadra, pasik, pvoborni, rcritten, Silvio.Wanka, sumenon
Target Milestone: | rc | |
Target Release: | --- | |
Hardware: | Unspecified | |
OS: | Unspecified | |
Whiteboard: | | |
Fixed In Version: | ipa-4.6.4-1.el7 | Doc Type: | If docs needed, set a value
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2018-10-30 10:55:57 UTC | Type: | Bug
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Attachments: | | |
Description
Brian Mathis
2015-10-22 19:46:07 UTC
Created attachment 1085671
Use options.principal in getent call
I looked into the script file and it seems that the --principal option allows passing the username on the command-line (however the man page does not indicate that a value can be accepted for this option).
This patch changes the getent call to use the options.principal parameter instead of hard-coded 'admin'.
One issue is that there is no default for options.principal. I considered adding one, but it seems there are some checks if this is None elsewhere within the script. Reviewing that logic is beyond my current ability/familiarity with this.
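The validation step this patch touches, as an added sketch that is not the FreeIPA client code: it picks the name for `getent passwd` from the principal and covers the `None` case raised above. The function names, the retry count and the `admin` fallback are assumptions, and the getent stand-in is constructed so the block runs offline.

```python
import subprocess
import time


def lookup_user(principal, default="admin"):
    """Pick the account name for the post-enrollment `getent passwd` check.

    principal stands in for options.principal, which has no default and may
    be None; falling back to 'admin' is an assumption of this sketch.
    """
    return principal if principal else default


def nss_resolves(principal, run=subprocess.run, attempts=10, sleep=time.sleep):
    """Return (user, True) once `getent passwd <user>` exits 0, else (user, False)."""
    user = lookup_user(principal)
    for _ in range(attempts):
        # Argument list, not a shell string: the principal is operator input.
        proc = run(["getent", "passwd", user],
                   stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        if proc.returncode == 0:
            return user, True
        sleep(1)  # assumed pause so the name service can come up before a retry
    return user, False


class FakeGetent:
    """Constructed stand-in for getent: only `known` accounts resolve."""

    def __init__(self, known):
        self.known = set(known)
        self.calls = []

    def __call__(self, argv, **kwargs):
        self.calls.append(argv)
        code = 0 if argv[-1] in self.known else 2
        return subprocess.CompletedProcess(argv, code)


def demo():
    # Constructed case: only ipauser1 resolves through NSS on this client.
    getent = FakeGetent(known={"ipauser1"})
    no_sleep = lambda seconds: None
    return {
        "principal given": nss_resolves("ipauser1", getent, 3, no_sleep),
        "principal None": nss_resolves(None, getent, 3, no_sleep),
    }


if __name__ == "__main__":
    print(demo())
```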
Hello Brian, thanks for the bug, I'll clone it upstream. Note that it won't be backported to older RHELs. Please open a support case if you want to backport it.

FYI: there is also a similar bug in ipa-replica-install: https://fedorahosted.org/freeipa/ticket/5060

Upstream ticket: https://fedorahosted.org/freeipa/ticket/5406

*** Bug 1399606 has been marked as a duplicate of this bug. ***

Fixed upstream

master:
eae8714 client.py: Replace hardcoded 'admin' with options.principal

ipa-4-5:
7bef8c7 client.py: Replace hardcoded 'admin' with options.principal

Tested on Red Hat Enterprise Linux Server release 7.6 Beta (Maipo) using

```
[root@master ~]# rpm -q ipa-server sssd samba krb5-server pki-server selinux-policy 389-ds-base
ipa-server-4.6.4-6.el7.x86_64
sssd-1.16.2-12.el7.x86_64
samba-4.8.3-4.el7.x86_64
krb5-server-1.15.1-34.el7.x86_64
pki-server-10.5.9-6.el7.noarch
selinux-policy-3.13.1-219.el7.noarch
389-ds-base-1.3.8.4-11.el7.x86_64
```

Steps:

```
[root@master ~]# ipa role-add useradmin
----------------------
Added role "useradmin"
----------------------
Role name: useradmin

[root@master ~]# ipa privilege-add 'Add hosts'
---------------------------
Added privilege "Add hosts"
---------------------------
Privilege name: Add hosts

[root@master ~]# ipa privilege-add-permission --permissions 'System: Add Hosts' 'Add Hosts'
Privilege name: Add hosts
Permissions: System: Add Hosts
-----------------------------
Number of permissions added 1
-----------------------------

[root@master ~]# ipa role-add-privilege useradmin --privileges 'Host Enrollment'
Role name: useradmin
Privileges: Host Enrollment
----------------------------
Number of privileges added 1
----------------------------

[root@master ~]# ipa role-add-privilege useradmin --privileges 'Add Hosts'
Role name: useradmin
Privileges: Host Enrollment, Add hosts
----------------------------
Number of privileges added 1
----------------------------

[root@master ~]# ipa role-add-member useradmin --users='ipauser1'
Role name: useradmin
Member users: ipauser1
Privileges: Host Enrollment, Add hosts
-------------------------
Number of members added 1
-------------------------

[root@client ~]# ipa-client-install --principal ipauser1
Discovery was successful!
Client hostname: client.apollo.test
Realm: APOLLO.TEST
DNS Domain: apollo.test
IPA Server: master.apollo.test
BaseDN: dc=apollo,dc=test
Continue to configure the system with these values? [no]: yes
Skipping synchronizing time with NTP server.
Password for ipauser1:
Successfully retrieved CA cert
.........
Client configuration complete.
The ipa-client-install command was successful
```

```
2018-08-24T10:18:39Z DEBUG args=getent passwd ipauser1
2018-08-24T10:18:45Z DEBUG Process finished, return code=0
2018-08-24T10:18:45Z DEBUG stdout=ipauser1:*:301400001:301400001:ipauser1 s:/home/ipauser1:/bin/sh
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3187