Bug 1477870

Summary: IPA Installation fails when kdcproxy user is not present
Product: Red Hat Enterprise Linux 7
Reporter: Abhijeet Kasurde <akasurde>
Component: ipa
Assignee: IPA Maintainers <ipa-maint>
Status: CLOSED NOTABUG
QA Contact: ipa-qe <ipa-qe>
Severity: unspecified
Priority: unspecified
Version: 7.4
CC: pvoborni, rcritten, slaznick, tscherf
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Last Closed: 2017-09-05 16:40:16 UTC
Type: Bug

Description Abhijeet Kasurde 2017-08-03 06:18:19 UTC
Description of problem:
If the kdcproxy user is not available or has been deleted, then IPA server installation fails while restarting the HTTPD server.

  [18/22]: create KDC proxy config
  [19/22]: enable KDC proxy
  [20/22]: starting httpd
  [error] CalledProcessError: Command '/bin/systemctl start httpd.service' returned non-zero exit status 1
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR    Command '/bin/systemctl start httpd.service' returned non-zero exit status 1
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR    The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information


Version-Release number of selected component (if applicable):
ipa-server-4.5.0-21.el7_4.1.x86_64

How reproducible:
100%

Steps to Reproduce:
1. userdel kdcproxy
2. ipa-server-install

Actual results:
Installation fails as the script fails to restart the httpd server.

Expected results:
Installation should create the kdcproxy user or check the existence of the user before proceeding.

Additional info:
I remember the script used to create the kdcproxy user, but due to some change, the RPM installation creates the kdcproxy user.

Comment 2 Abhijeet Kasurde 2017-08-03 06:25:56 UTC
# id kdcproxy
uid=386(kdcproxy) gid=385(kdcproxy) groups=385(kdcproxy)
# userdel kdcproxy
# rpm -e ipa-server ipa-server-dns
# id kdcproxy
id: kdcproxy: no such user
# yum install -y ipa-server ipa-server-dns
---snipped---
Warning: RPMDB altered outside of yum.
  Installing : ipa-server-4.5.0-21.el7_4.1.x86_64                                                                           1/2
  Installing : ipa-server-dns-4.5.0-21.el7_4.1.noarch                                                                       2/2
  Verifying  : ipa-server-4.5.0-21.el7_4.1.x86_64                                                                           1/2
  Verifying  : ipa-server-dns-4.5.0-21.el7_4.1.noarch                                                                       2/2

Installed:
  ipa-server.x86_64 0:4.5.0-21.el7_4.1                         ipa-server-dns.noarch 0:4.5.0-21.el7_4.1

Complete!
# id kdcproxy
uid=386(kdcproxy) gid=385(kdcproxy) groups=385(kdcproxy)

If the kdcproxy user is added, installation succeeds.

Comment 3 Petr Vobornik 2017-08-11 19:23:08 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/7101

Comment 4 Standa Laznicka 2017-09-05 11:52:10 UTC
Why would you remove the kdcproxy user?

Comment 5 Abhijeet Kasurde 2017-09-05 14:29:12 UTC
(In reply to Stanislav Laznicka from comment #4)
> Why would you remove the kdcproxy user?

This is part of a negative testcase. Imagine, if the kdcproxy user is deleted by a system administrator, then installation would fail and there is no way to find out why installation failed.

Comment 6 Standa Laznicka 2017-09-05 15:12:48 UTC
(In reply to Abhijeet Kasurde from comment #5)
> (In reply to Stanislav Laznicka from comment #4)
> > Why would you remove the kdcproxy user?
> 
> This is part of negative testcase. Imagine, if kdcproxy user is deleted by
> system administrator then installation would fail and there is no way to
> find why installation failed.

You can just as well do, e.g. `# chmod 006 /usr/libexec/ipa/certmonger/renew_ra_cert` and be surprised that RA cert renewal is not working.

You can also remove the kdcproxy user at any time FreeIPA is installed and the service restart would probably fail just as well. You can remove the ipaapi user at any time IPA is installed and everything will go to ruins.

So no, I don't think this is a valid testcase.

Also, I removed the private tag of your comment; we are having an open discussion here, so please keep it that way.

Comment 7 Standa Laznicka 2017-09-05 15:19:38 UTC
That chmod in comment 6 is probably a bad example, but you get the picture.

Comment 8 Standa Laznicka 2017-09-05 16:40:16 UTC
One thing to note here - you can make this invalid testcase into a valid one by removing the kdcproxy user before you install the ipa packages, but definitely not after you install them. In that case, however, the installation won't (shouldn't) fail for you.
Thus closing this as NOTABUG.

Comment 9 Abhijeet Kasurde 2017-09-06 05:14:46 UTC
I totally disagree with this, as I feel you cannot predict/assume/force the user environment. The least we can do is check whether the kdcproxy user exists and, depending on that, perform some action. Giving a traceback is not a good thing.
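
The account check requested in this report can also be run by the administrator before `ipa-server-install`. The following is an added example, not FreeIPA code and not from any commenter: the account names kdcproxy and ipaapi come from the thread, while `REQUIRED_ACCOUNTS`, `PASSWD_FILE` and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight check for the service accounts named in this bug.
# kdcproxy and ipaapi are the accounts mentioned in the thread; the variable
# and function names below are assumptions made for this illustration.

# Accounts that must resolve before the installer starts httpd.
REQUIRED_ACCOUNTS="${REQUIRED_ACCOUNTS:-kdcproxy ipaapi}"

# lookup_passwd NAME: succeed if NAME has a passwd entry.
# When PASSWD_FILE is set, a passwd(5)-format file is read instead of the
# system databases, so the check can be exercised offline.
lookup_passwd() {
    if [ -n "${PASSWD_FILE:-}" ]; then
        awk -F: -v u="$1" '$1 == u { found = 1 } END { exit !found }' "$PASSWD_FILE"
    else
        getent passwd "$1" >/dev/null 2>&1
    fi
}

# missing_accounts: print the required accounts that do not resolve,
# separated by spaces (empty line when all are present).
missing_accounts() {
    missing=""
    for acct in $REQUIRED_ACCOUNTS; do
        lookup_passwd "$acct" || missing="${missing:+$missing }$acct"
    done
    printf '%s\n' "$missing"
}

# preflight: return 0 when every account exists; otherwise name the missing
# ones on stderr so the cause is visible before httpd fails to start.
preflight() {
    absent=$(missing_accounts)
    if [ -n "$absent" ]; then
        echo "preflight: missing system account(s): $absent" >&2
        echo "preflight: in this report, reinstalling ipa-server recreated kdcproxy" >&2
        return 1
    fi
    return 0
}

# Run the check only when asked, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
    preflight
fi
```

Invoke it as `sh preflight.sh --run && ipa-server-install` (the file name is a placeholder) so the installer is started only when the accounts resolve.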