Bug 1436642
| Summary: | [ipalib/rpc.py] - "maximum recursion depth exceeded" with ipa vault commands | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Tomas Krizek <tkrizek> |
| Component: | ipa | Assignee: | IPA Maintainers <ipa-maint> |
| Status: | CLOSED ERRATA | QA Contact: | Nikhil Dehadrai <ndehadra> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | medium | | |
| Version: | 7.4 | CC: | ipa-qe, ksiddiqu, ndehadra, nsoman, pvoborni, rcritten, slaznick, tscherf |
| Target Milestone: | rc | Keywords: | Regression, TestBlocker |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | ipa-4.5.0-3.el7 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2017-08-01 09:46:16 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Tomas Krizek
2017-03-28 11:22:25 UTC
Fixed upstream master:
https://pagure.io/freeipa/c/9a6ac74eb4421b9ffa831dc6fed067d2ddc0618e
https://pagure.io/freeipa/c/fbbeb132bf37f8a03ef2f2184adb11796ab13d8b
https://pagure.io/freeipa/c/e07aefb886096a7d419a4f1a2dec287e5ecd1626
https://pagure.io/freeipa/c/d63326632b796a5ec9c6468c5ffe0c5a846501e1

Fixed upstream ipa-4-5:
https://pagure.io/freeipa/c/f1d731a79c384c7406c52232ff291644137e100b
https://pagure.io/freeipa/c/ba828a53a4736ed326d95e30856daba2c060439c
https://pagure.io/freeipa/c/f41c9f476d678f9ecc4ca3338c7a58de0182f76f
https://pagure.io/freeipa/c/0912185b18599414e4f9302b1a80c6c7e9876821
https://pagure.io/freeipa/c/e94575f3466bbb8d4959ad0a1c436dcf745e3036

This bug will probably also need a mod_auth_gssapi bump.

ipa server: ipa-server-4.5.0-5.el7.x86_64

Tested the bug for the DS-migration process over ldaps and had the following observations.

```
[root@auto-hv-01-guest10 ~]# sed -i 's/ca.crt/remoteds.crt/g' /etc/openldap/ldap.conf
[root@auto-hv-01-guest10 ~]# service httpd restart
Redirecting to /bin/systemctl restart httpd.service
[root@auto-hv-01-guest10 ~]# echo Secret123 | ipa migrate-ds --user-container="ou=People,dc=example,dc=com" --group-container="ou=groups,dc=example,dc=com" ldaps://auto-hv-01-guest05.testrelm.test:636
-----------
migrate-ds:
-----------
Migration mode is disabled. Use 'ipa config-mod --enable-migration=TRUE' to enable it.
[root@auto-hv-01-guest10 ~]# ipa config-mod --enable-migration=TRUE
Maximum username length: 32
Home directory base: /home
Default shell: /bin/sh
Default users group: ipausers
Default e-mail domain: testrelm.test
Search time limit: 2
Search size limit: 100
User search fields: uid,givenname,sn,telephonenumber,ou,title
Group search fields: cn,description
Enable migration mode: TRUE
Certificate Subject base: O=TESTRELM.TEST
Password Expiration Notification (days): 4
Password plugin features: AllowNThash, KDC:Disable Last Success
SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
Default SELinux user: unconfined_u:s0-s0:c0.c1023
Default PAC types: MS-PAC, nfs:NONE
IPA masters: auto-hv-01-guest10.testrelm.test
IPA CA servers: auto-hv-01-guest10.testrelm.test
IPA NTP servers: auto-hv-01-guest10.testrelm.test
IPA CA renewal master: auto-hv-01-guest10.testrelm.test
[root@auto-hv-01-guest10 ~]# echo Secret123 | ipa migrate-ds --user-container="ou=People,dc=example,dc=com" --group-container="ou=groups,dc=example,dc=com" ldaps://auto-hv-01-guest05.testrelm.test:636
ipa: ERROR: cannot connect to 'ldaps://auto-hv-01-guest05.testrelm.test:636':
[root@auto-hv-01-guest10 var]# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: permissive
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 28
[root@auto-hv-01-guest10 var]#
```

Thus, on the basis of the above observation, changing status of bug to "ASSIGNED".

ipa-server version: ipa-server-4.5.0-9.el7.x86_64

DS Server version:
389-ds-base-libs-1.3.6.1-9.el7.x86_64
389-ds-base-1.3.6.1-9.el7.x86_64
389-ds-base-debuginfo-1.3.6.1-9.el7.x86_64

Tested the bug for migration of DS to IPA server with the following observations:

1. Verified that migration over ldaps runs successfully.
2. Refer to the following console output:

```
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: migration over ldaps
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ PASS ] :: Command 'sed -i 's/ca.crt/remoteds.crt/g' /etc/openldap/ldap.conf' (Expected 0, got 0)
:: [ PASS ] :: Restarting httpd (Expected 0, got 0)
:: [ LOG ] :: EXECUTING: ipa migrate-ds --with-compat --user-container="ou=People,dc=example,dc=com" --group-container="ou=groups,dc=example,dc=com" ldaps://DSserver.testrelm.test:636
:: [ PASS ] :: Command 'ipa-compat-manage disable' (Expected 0,1, got 1)
:: [ PASS ] :: Command 'ipactl restart' (Expected 0, got 0)
:: [ PASS ] :: Command 'echo Secret123 | ipa migrate-ds --user-container="ou=People,dc=example,dc=com" --group-container="ou=groups,dc=example,dc=com" ldaps://DSserver.testrelm.test:636 --ca-cert-file=/etc/ipa/remoteds.crt' (Expected 0, got 0)
:: [ PASS ] :: Verifying puser1 was migrated (Expected 0, got 0)
:: [ PASS ] :: Verifying 'puser2' was migrated (Expected 0, got 0)
:: [ PASS ] :: Verifying 'philomena_hazen' was migrated (Expected 0, got 0)
:: [ PASS ] :: Verifying group 'group1' was migrated (Expected 0, got 0)
:: [ PASS ] :: Verifying group 'group2' was migrated (Expected 0, got 0)
:: [ LOG ] :: Cleaning up migrated users
:: [ LOG ] :: Duration: 52s
:: [ LOG ] :: Assertions: 10 good, 0 bad
:: [ PASS ] :: RESULT: migration over ldaps
```

Thus, on the basis of the above observations, marking the status of bug to "VERIFIED".

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304