Bug 1351119
| Summary: | Multiple issues while uninstalling ipa-server | ||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Abhijeet Kasurde <akasurde> | ||||||||||||||||
| Component: | ipa | Assignee: | IPA Maintainers <ipa-maint> | ||||||||||||||||
| Status: | CLOSED ERRATA | QA Contact: | Kaleem <ksiddiqu> | ||||||||||||||||
| Severity: | unspecified | Docs Contact: | |||||||||||||||||
| Priority: | unspecified | ||||||||||||||||||
| Version: | 7.3 | CC: | mbasti, pvoborni, rcritten, sumenon | ||||||||||||||||
| Target Milestone: | rc | ||||||||||||||||||
| Target Release: | --- | ||||||||||||||||||
| Hardware: | Unspecified | ||||||||||||||||||
| OS: | Unspecified | ||||||||||||||||||
| Whiteboard: | |||||||||||||||||||
| Fixed In Version: | ipa-4.4.0-3.el7 | Doc Type: | If docs needed, set a value | ||||||||||||||||
| Doc Text: | Story Points: | --- | |||||||||||||||||
| Clone Of: | Environment: | ||||||||||||||||||
| Last Closed: | 2016-11-04 05:55:38 UTC | Type: | Bug | ||||||||||||||||
| Regression: | --- | Mount Type: | --- | ||||||||||||||||
| Documentation: | --- | CRM: | |||||||||||||||||
| Verified Versions: | Category: | --- | |||||||||||||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||||||||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||||||||||||
| Embargoed: | |||||||||||||||||||
| Attachments: |
|
||||||||||||||||||
|
Description
Abhijeet Kasurde
2016-06-29 10:00:54 UTC
Created attachment 1173736 [details]
ipaserver-install.log
Created attachment 1173737 [details]
ipa-client-install.log
Upstream ticket: https://fedorahosted.org/freeipa/ticket/6012 Settting to post, we can't reproduce with most recent upstream build which was used for rebase. I am able to reproduce this using latest build, # rpm -qa |grep ipa-server ipa-server-dns-4.4.0-1.el7.noarch ipa-server-common-4.4.0-1.el7.noarch ipa-server-4.4.0-1.el7.x86_64 # ipa-server-install --uninstall -U Updating DNS system records ipa : ERROR unable to resolve host name server1.testrelm.test. to IP address, ipa-ca DNS record will be incomplete ------------------------------------------ Deleted IPA server "server1.testrelm.test" ------------------------------------------ Shutting down all IPA services Unconfiguring ntpd Configuring certmonger to stop tracking system certificates for KRA Configuring certmonger to stop tracking system certificates for CA Unconfiguring CA Unconfiguring named Unconfiguring ipa-dnskeysyncd Unconfiguring web server Unconfiguring krb5kdc Unconfiguring kadmin Unconfiguring directory server Unconfiguring ipa-custodia Unconfiguring ipa_memcached Unconfiguring ipa-otpd Removing IPA client configuration Removing Kerberos service principals from /etc/krb5.keytab Failed to remove Kerberos service principals: Command '/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r TESTRELM.TEST' returned non-zero exit status 5 Disabling client Kerberos and LDAP configurations Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted Restoring client configuration files Unconfiguring the NIS domain. nscd daemon is not installed, skip configuration nslcd daemon is not installed, skip configuration Systemwide CA database updated. Client uninstall complete. [root@server1 ~]# sestatus SELinux status: disabled Able to reproduce the below issue with ipa-server-4.4.0-1.el7.x86_64 on Red Hat Enterprise Linux Server release 7.3 Beta (Maipo) during uninstall. Failed to remove Kerberos service principals: Command '/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r TESTRELM.TEST' returned non-zero exit status 5 Exit code 5 means Principal name or realm not found in keytab. It would be helpful to see the contents of the keytab prior to and after running uninstall. Rob, this is what is seen on the test system 1. Upon Installation of ipa-server ktutil: rkt /etc/krb5.keytab ktutil: l slot KVNO Principal ---- ---- --------------------------------------------------------------------- 1 2 host/server.testrelm.test 2 2 host/server.testrelm.test 3 2 host/server.testrelm.test 4 2 host/server.testrelm.test 5 2 host/server.testrelm.test 6 2 host/server.testrelm.test ktutil: q 2. Post uninstall of ipa-server [root@server ~]# ktutil ktutil: rkt /etc/krb5.keytab ktutil: l slot KVNO Principal ---- ---- --------------------------------------------------------------------- Need the client and server uninstall logs. Unable to see Krb5 Keytab related issue on fresh installation of RHEL 7.3 and IPA ipa-server-4.4.0-1.el7.x86_64.
Attaching console.log, ipa-{client,server}-{install,uninstall}.log
Created attachment 1177137 [details]
ipa-server-install.latest.log
Created attachment 1177138 [details]
console.log
Created attachment 1177140 [details]
ipa-client-install.latest.log
Created attachment 1177141 [details]
ipa-server-uninstall.latest.log
Created attachment 1177142 [details]
ipa-client-uninstall.latest.log
This bz has incorrect state it should be on QA or assigned(provided it is not fixed). From the comments it seems that it can be reproduce only under certain conditions which are not known yet. moving to assigned, reproduction scenario of #3 is known: """ it happens because the server uninstaller first restores all the files (including /etc/krb5.keytab), then call client-uninstall which tries to run ipa-rmkeytab """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/a0d90263d62f48f0c04b8b9e7da3aaa10201c3a0 Verified using ipa-server-4.4.0-3.el7.x86_64 The below issue is no more seen when ipa-server --uninstall is run "Failed to remove Kerberos service principals: Command '/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r TESTRELM.TEST' returned non-zero exit status 5" [root@vm92 httpd]# ipa-server-install --uninstall -U Updating DNS system records ipa: ERROR unable to resolve host name vm92.ipa73.test. to IP address, ipa-ca DNS record will be incomplete ------------------------------------ Deleted IPA server "vm92.ipa73.test" ------------------------------------ Shutting down all IPA services Unconfiguring ntpd Configuring certmonger to stop tracking system certificates for KRA Configuring certmonger to stop tracking system certificates for CA Unconfiguring CA Unconfiguring named Unconfiguring ipa-dnskeysyncd Unconfiguring web server Unconfiguring krb5kdc Unconfiguring kadmin Unconfiguring directory server Unconfiguring smb Unconfiguring ipa-custodia Unconfiguring ipa_memcached Unconfiguring ipa-otpd Removing IPA client configuration Removing Kerberos service principals from /etc/krb5.keytab Disabling client Kerberos and LDAP configurations Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted Restoring client configuration files Unconfiguring the NIS domain. nscd daemon is not installed, skip configuration nslcd daemon is not installed, skip configuration Systemwide CA database updated. Client uninstall complete. 2. Checkingkeytab file entries ktutil: rkt /etc/krb5.keytab ktutil: l slot KVNO Principal ---- ---- --------------------------------------------------------------------- ktutil: Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-2404.html |