Bug 1436642

Summary: [ipalib/rpc.py] - "maximum recursion depth exceeded" with ipa vault commands
Product: Red Hat Enterprise Linux 7
Reporter: Tomas Krizek <tkrizek>
Component: ipa
Assignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA
QA Contact: Nikhil Dehadrai <ndehadra>
Severity: unspecified
Docs Contact:
Priority: medium
Version: 7.4
CC: ipa-qe, ksiddiqu, ndehadra, nsoman, pvoborni, rcritten, slaznick, tscherf
Target Milestone: rc
Keywords: Regression, TestBlocker
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: ipa-4.5.0-3.el7
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-08-01 09:46:16 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Tomas Krizek 2017-03-28 11:22:25 UTC
This bug is created as a clone of upstream ticket:
https://pagure.io/freeipa/issue/6775

When trying to troubleshoot failing "test_vault_plugin.py" tests, which pass fine with a fresh ipa-server installation but fail after uninstalling and installing again, I am getting a random issue with "maximum recursion depth exceeded" with ipa vault commands. Please see:

```text
    [root@system01 ~]# ipa vault-add another_try --type standard
    ipa: ERROR: non-public: RuntimeError: maximum recursion depth exceeded
    Traceback (most recent call last):
      File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 139, in execute
        result = self.Command[_name](*args, **options)
      File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 447, in __call__
        return self.__do_call(*args, **options)
      File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 475, in __do_call
        ret = self.run(*args, **options)
      File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 1199, in run
        return self.forward(*args, **options)
      File "/usr/lib/python2.7/site-packages/ipaclient/plugins/vault.py", line 350, in forward
        response = self.api.Command.vault_add_internal(*args, **options)
      File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 447, in __call__
        return self.__do_call(*args, **options)
      File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 475, in __do_call
        ret = self.run(*args, **options)
      File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 798, in run
        return self.forward(*args, **options)
      File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 821, in forward
        *args, **kw)
      File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1080, in forward
        return self.forward(name, *args, **kw)
      File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1080, in forward
        return self.forward(name, *args, **kw)
      File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1080, in forward
        return self.forward(name, *args, **kw)
      File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1080, in forward
        return self.forward(name, *args, **kw)
      File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1080, in forward
        return self.forward(name, *args, **kw)
      File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1080, in forward
        return self.forward(name, *args, **kw)
      File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1080, in forward
        return self.forward(name, *args, **kw)
      File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1080, in forward
        return self.forward(name, *args, **kw)
      File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1080, in forward
        return self.forward(name, *args, **kw)
      File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1080, in forward
        return self.forward(name, *args, **kw)
      File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1080, in forward
        return self.forward(name, *args, **kw)
      File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1080, in forward
        return self.forward(name, *args, **kw)
      File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1080, in forward
        return self.forward(name, *args, **kw)
      File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1080, in forward
        return self.forward(name, *args, **kw)
    ...
    ...
    ...
    ...
    ...
      File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1080, in forward
        return self.forward(name, *args, **kw)
      File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1080, in forward
        return self.forward(name, *args, **kw)
      File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1080, in forward
        return self.forward(name, *args, **kw)
      File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1047, in forward
        return self._call_command(command, params)
      File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1028, in _call_command
        return command(*params)
      File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1169, in _call
        return self.__request(name, args)
      File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1136, in __request
        verbose=self.__verbose >= 3,
      File "/usr/lib64/python2.7/xmlrpclib.py", line 1283, in request
        return self.single_request(host, handler, request_body, verbose)
      File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 652, in single_request
        h = SSLTransport.make_connection(self, host)
      File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 542, in make_connection
        conn.connect()
      File "/usr/lib64/python2.7/httplib.py", line 1263, in connect
        server_hostname=server_hostname)
      File "/usr/lib64/python2.7/ssl.py", line 363, in wrap_socket
        _context=self)
      File "/usr/lib64/python2.7/ssl.py", line 605, in __init__
        server_hostname, ssl_sock=self)
      File "/usr/lib64/python2.7/encodings/idna.py", line 164, in encode
        result.append(ToASCII(label))
      File "/usr/lib64/python2.7/encodings/idna.py", line 65, in ToASCII
        label = label.encode("ascii")
    RuntimeError: maximum recursion depth exceeded
    ipa: ERROR: an internal error has occurred
```

When trying to retrieve the vault:

```text
[root@system01 ~]# ipa vault-add http_password --type standard
---------------------------
Added vault "http_password"
---------------------------
  Vault name: http_password
  Type: standard
  Owner users: admin
  Vault user: admin
[root@system01 ~]# ipa vault-archive http_password --in password.txt
----------------------------------------
Archived data into vault "http_password"
----------------------------------------
[root@system01 ~]# rm password.txt
rm: remove regular file 'password.txt'? y
[root@system01 ~]# ipa vault-retrieve http_password
ipa: ERROR: No archived data.
[root@system01 ~]# 
```

Thanks for taking a look!

Comment 4 Petr Vobornik 2017-03-28 15:25:01 UTC
This bug will probably also need a mod_auth_gssapi bump.

Comment 6 Nikhil Dehadrai 2017-04-13 13:29:39 UTC
ipa server: ipa-server-4.5.0-5.el7.x86_64

Tested the bug for the DS-migration process over ldaps and had the following observations.

```text
[root@auto-hv-01-guest10 ~]# sed -i 's/ca.crt/remoteds.crt/g' /etc/openldap/ldap.conf
[root@auto-hv-01-guest10 ~]# service httpd restart
Redirecting to /bin/systemctl restart httpd.service
[root@auto-hv-01-guest10 ~]# echo Secret123 | ipa migrate-ds --user-container="ou=People,dc=example,dc=com" --group-container="ou=groups,dc=example,dc=com" ldaps://auto-hv-01-guest05.testrelm.test:636
-----------
migrate-ds:
-----------
Migration mode is disabled.
Use 'ipa config-mod --enable-migration=TRUE' to enable it.
[root@auto-hv-01-guest10 ~]# ipa config-mod --enable-migration=TRUE
  Maximum username length: 32
  Home directory base: /home
  Default shell: /bin/sh
  Default users group: ipausers
  Default e-mail domain: testrelm.test
  Search time limit: 2
  Search size limit: 100
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: TRUE
  Certificate Subject base: O=TESTRELM.TEST
  Password Expiration Notification (days): 4
  Password plugin features: AllowNThash, KDC:Disable Last Success
  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
  Default SELinux user: unconfined_u:s0-s0:c0.c1023
  Default PAC types: MS-PAC, nfs:NONE
  IPA masters: auto-hv-01-guest10.testrelm.test
  IPA CA servers: auto-hv-01-guest10.testrelm.test
  IPA NTP servers: auto-hv-01-guest10.testrelm.test
  IPA CA renewal master: auto-hv-01-guest10.testrelm.test
[root@auto-hv-01-guest10 ~]# echo Secret123 | ipa migrate-ds --user-container="ou=People,dc=example,dc=com" --group-container="ou=groups,dc=example,dc=com" ldaps://auto-hv-01-guest05.testrelm.test:636
ipa: ERROR: cannot connect to 'ldaps://auto-hv-01-guest05.testrelm.test:636': 

[root@auto-hv-01-guest10 var]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28
[root@auto-hv-01-guest10 var]# 
```

Thus, on the basis of the above observation, changing the status of the bug to "ASSIGNED".

Comment 14 Nikhil Dehadrai 2017-05-03 12:45:52 UTC
ipa-server version: ipa-server-4.5.0-9.el7.x86_64
DS Server version: 
389-ds-base-libs-1.3.6.1-9.el7.x86_64
389-ds-base-1.3.6.1-9.el7.x86_64
389-ds-base-debuginfo-1.3.6.1-9.el7.x86_64

Tested the bug for migration of DS to the IPA server with the following observations:

1. Verified that migration over ldaps runs successfully.
2. Refer to the following console output:

```text
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: migration over ldaps
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Command 'sed -i 's/ca.crt/remoteds.crt/g' /etc/openldap/ldap.conf' (Expected 0, got 0)
:: [   PASS   ] :: Restarting httpd (Expected 0, got 0)
:: [   LOG    ] :: EXECUTING: ipa migrate-ds --with-compat --user-container="ou=People,dc=example,dc=com" --group-container="ou=groups,dc=example,dc=com" ldaps://DSserver.testrelm.test:636
:: [   PASS   ] :: Command 'ipa-compat-manage disable' (Expected 0,1, got 1)
:: [   PASS   ] :: Command 'ipactl restart' (Expected 0, got 0)
:: [   PASS   ] :: Command 'echo Secret123 | ipa migrate-ds --user-container="ou=People,dc=example,dc=com" --group-container="ou=groups,dc=example,dc=com" ldaps://DSserver.testrelm.test:636 --ca-cert-file=/etc/ipa/remoteds.crt' (Expected 0, got 0)
:: [   PASS   ] :: Verifying puser1 was migrated (Expected 0, got 0)
:: [   PASS   ] :: Verifying 'puser2' was migrated (Expected 0, got 0)
:: [   PASS   ] :: Verifying 'philomena_hazen' was migrated (Expected 0, got 0)
:: [   PASS   ] :: Verifying group 'group1' was migrated (Expected 0, got 0)
:: [   PASS   ] :: Verifying group 'group2' was migrated (Expected 0, got 0)
:: [   LOG    ] :: Cleaning up migrated users
:: [   LOG    ] :: Duration: 52s
:: [   LOG    ] :: Assertions: 10 good, 0 bad
:: [   PASS   ] :: RESULT: migration over ldaps
```

Thus, on the basis of the above observations, marking the status of the bug as "VERIFIED".

Comment 16 errata-xmlrpc 2017-08-01 09:46:16 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304