Bug 1452081

Summary: Suggest user to install libyubikey package instead of traceback
Product: Red Hat Enterprise Linux 7 Reporter: Abhijeet Kasurde <akasurde>
Component: ipaAssignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA QA Contact: ipa-qe <ipa-qe>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.4CC: myusuf, ndehadra, pasik, pvoborni, rcritten, slaznick, tdudlak, tscherf
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-4.6.4-1.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-10-30 10:56:00 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Abhijeet Kasurde 2017-05-18 10:10:44 UTC 
Description of problem:
In order to work with IPA and Yubikey, libyubikey is required. Right now, it doesn't get installed by default and not available in official repo.

[root@master1 ~]# ipa -v otptoken-add-yubikey --owner=testuser1
ipa: INFO: trying https://master1.testrelm.test/ipa/session/json
ipa: ERROR: non-public: ValueError: No backend available
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 139, in execute
    result = self.Command[_name](*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 447, in __call__
    return self.__do_call(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 475, in __do_call
    ret = self.run(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 798, in run
    return self.forward(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipaclient/plugins/otptoken_yubikey.py", line 124, in forward
    yk = yubico.find_yubikey()
  File "/usr/lib/python2.7/site-packages/yubico/yubikey.py", line 229, in find_key
    YK = YubiKeyUSBHID(debug=debug, skip=skip)
  File "/usr/lib/python2.7/site-packages/yubico/yubikey_usb_hid.py", line 165, in __init__
    if not self._open(skip):
  File "/usr/lib/python2.7/site-packages/yubico/yubikey_usb_hid.py", line 447, in _open
    usb_device = self._get_usb_device(skip)
  File "/usr/lib/python2.7/site-packages/yubico/yubikey_usb_hid.py", line 497, in _get_usb_device
    find_all=True, idVendor=_YUBICO_VID)]
  File "/usr/lib/python2.7/site-packages/usb/core.py", line 864, in find
    raise ValueError('No backend available')
ValueError: No backend available
ipa: ERROR: an internal error has occurred

[root@master1 ~]# dmesg | tail -10
[ 2700.319957] usb 1-1: New USB device found, idVendor=1050, idProduct=0407
[ 2700.319961] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[ 2700.319964] usb 1-1: Product: Yubikey 4 OTP+U2F+CCID
[ 2700.319966] usb 1-1: Manufacturer: Yubico
[ 2700.337995] input: Yubico Yubikey 4 OTP+U2F+CCID as /devices/pci0000:00/0000:00:06.0/usb1/1-1/1-1:1.0/input/input6
[ 2700.389167] hid-generic 0003:1050:0407.0001: input,hidraw0: USB HID v1.10 Keyboard [Yubico Yubikey 4 OTP+U2F+CCID] on usb-0000:00:06.0-1/input0
[ 2700.403784] hid-generic 0003:1050:0407.0002: hiddev0,hidraw1: USB HID v1.10 Device [Yubico Yubikey 4 OTP+U2F+CCID] on usb-0000:00:06.0-1/input1

Version-Release number of selected component (if applicable):
ipa-server-4.5.0-12.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Install IPA server and create IPA user
2. Attach YubiKey
3. Add OTP token for user using Yubikey

Actual results:
Traceback like above.

Expected results:
OTP Token should get added.

Additional info:
After installing libyubikey package traceback disappears.
Comment 2 Petr Vobornik 2017-05-25 15:43:58 UTC 
Upstream ticket:
https://pagure.io/freeipa/issue/6979
Comment 3 Tomas Krizek 2017-08-11 11:52:13 UTC 
Fixed upstream
master:
https://pagure.io/freeipa/c/76357283ec522aef8aaf3d3b8eea7155263e3517
Comment 5 Standa Laznicka 2017-10-09 11:17:40 UTC 
Fixed upstream
ipa-4-5:
https://pagure.io/freeipa/c/1b33cdad14d7d5978266bac07c68dbe66cd298ce
Comment 7 Mohammad Rizwan 2018-08-27 11:13:21 UTC 
version:
ipa-server-4.6.4-6.el7.x86_64

Steps:

1. Install ipa server
2. Add test user
3. try to add YubiKey
   $ ipa -v otptoken-add-yubikey --owner=test1


Actual result:

[root@master ~]#  ipa -v otptoken-add-yubikey --owner=test1
ipa: INFO: trying https://master.testrelm.test/ipa/json
ipa: ERROR: No backend available. Please install 'libyubikey' and 'libusb' packages first.

[root@master ~]# yum install libyubikey libusb
Loaded plugins: product-id, search-disabled-repos, subscription-manager
This system is not registered with an entitlement server. You can use subscription-manager to register.
No package libyubikey available.
Resolving Dependencies
--> Running transaction check
---> Package libusb.x86_64 1:0.1.4-3.el7 will be installed
--> Processing Dependency: libusb-1.0.so.0()(64bit) for package: 1:libusb-0.1.4-3.el7.x86_64
--> Running transaction check
---> Package libusbx.x86_64 0:1.0.21-1.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

==================================================================================================================================================
 Package                         Arch                           Version                               Repository                             Size
==================================================================================================================================================
Installing:
 libusb                          x86_64                         1:0.1.4-3.el7                         beaker-Server                          19 k
Installing for dependencies:
 libusbx                         x86_64                         1.0.21-1.el7                          beaker-Server                          61 k

Transaction Summary
==================================================================================================================================================
Install  1 Package (+1 Dependent package)

Total download size: 81 k
Installed size: 163 k
Is this ok [y/d/N]: y
Downloading packages:
(1/2): libusb-0.1.4-3.el7.x86_64.rpm                                                                                       |  19 kB  00:00:00     
(2/2): libusbx-1.0.21-1.el7.x86_64.rpm                                                                                     |  61 kB  00:00:00     
--------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                             655 kB/s |  81 kB  00:00:00     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : libusbx-1.0.21-1.el7.x86_64                                                                                                    1/2 
  Installing : 1:libusb-0.1.4-3.el7.x86_64                                                                                                    2/2 
  Verifying  : 1:libusb-0.1.4-3.el7.x86_64                                                                                                    1/2 
  Verifying  : libusbx-1.0.21-1.el7.x86_64                                                                                                    2/2 

Installed:
  libusb.x86_64 1:0.1.4-3.el7                                                                                                                     

Dependency Installed:
  libusbx.x86_64 0:1.0.21-1.el7                                                                                                                   

Complete!
[root@master ~]# 
[root@master ~]#  ipa -v otptoken-add-yubikey --owner=test1
ipa: INFO: trying https://master.testrelm.test/ipa/session/json
ipa: ERROR: No YubiKey found


Traceback not appeared as reported in bz initially. Suggestion for installing respective packages thrown while command fire to add YubiKey.

Thus based on above observations marking the bug as verified.
Comment 9 errata-xmlrpc 2018-10-30 10:56:00 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3187
Comment 10 Tibor Dudlák 2018-12-06 13:35:46 UTC 
Test on master:

* e7581cc0d88c3f7d83a551a3decd054589b1d86e Test error when yubikey hardware not present
Comment 11 Rob Crittenden 2018-12-06 19:23:06 UTC 
Test in ipa-4-7:

https://pagure.io/freeipa/c/256c11bf0b4e0d721837f3f976899135c739eacf

ipa-4-6:

https://pagure.io/freeipa/c/9cf3570c1a8ded77dffde0892bf8e61c0dfde0fc