Bug 1485217
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | [RFE] Warn or adjust umask if it is too restrictive to break installation | | |
| Product | Red Hat Enterprise Linux 7 | Reporter | Raul Mahiques <rmahique> |
| Component | ipa | Assignee | François Cami <fcami> |
| Status | CLOSED ERRATA | QA Contact | ipa-qe <ipa-qe> |
| Severity | medium | Docs Contact | |
| Priority | medium | | |
| Version | 7.4 | CC | aheverle, amitkuma, apeddire, arajendr, brault, cww, frenaud, gparente, gswami, ipa-maint, mkosek, ndehadra, pasik, pvoborni, rcritten, redhat, rmahique, tmihinto, tscherf, tumeya |
| Target Milestone | rc | Keywords | FutureFeature |
| Target Release | --- | | |
| Hardware | Unspecified | | |
| OS | Unspecified | | |
| URL | https://pagure.io/freeipa/issue/7193 | | |
| Whiteboard | | | |
| Fixed In Version | ipa-4.6.5-1.el7 | Doc Type | If docs needed, set a value |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2019-08-06 13:09:02 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | | | |
| Bug Blocks | 1500891, 1518616, 1647919, 1707454 | | |
Description
Raul Mahiques
2017-08-25 06:50:38 UTC
Hello, what were the "certain parts" which "won't work as expected"?

I don't have access to the environment now in order to reproduce, but the solution is simply setting the right umask in the installation scripts.

Upstream ticket: https://pagure.io/freeipa/issue/7193

*** Bug 1523468 has been marked as a duplicate of this bug. ***

When the master is installed with umask 077, the files /etc/ipa/ca.crt and /var/lib/ipa/ra-agent.{key|pem} cannot be read by non-root users. IPA server is running as apache user and cannot read ca.crt, leading to a communication issue with Dogtag. The immediate consequence is that replica installation fails with the following log in the master's /var/log/httpd_error_log:

```
[...date...] [:error] [pid 9337] ipa: INFO: [xmlserver] host/vm-replica.ipadomain.com: cert_request(u'MII...MJUs6', profile_id=u'caIPAserviceCert', principal=u'ldap/replica.ipadomain.com', add=True, version=u'2.51'): NetworkError
[Fri Jan 05 13:10:44.580527 2018] [:error] [pid 9337] ipa: DEBUG: response: NetworkError: cannot connect to 'https://master.ipadomain.com:443/ca/rest/account/login': [Errno 13] Permission denied
```

*** Bug 1568261 has been marked as a duplicate of this bug. ***

*** Bug 1577525 has been marked as a duplicate of this bug. ***

*** Bug 1585142 has been marked as a duplicate of this bug. ***

Fixed upstream
master:
https://pagure.io/freeipa/c/f2e7c3f68b691f180acd201a81fe10c7c1491071
https://pagure.io/freeipa/c/f90a4b9554656c984c8ac47e3503d83fb52d0b1f

Fixed upstream
ipa-4-6:
https://pagure.io/freeipa/c/d37afbcd38a75bb4892c4ce2ef0836feaada23a2
https://pagure.io/freeipa/c/c6e6a7afd3e14cecb3b9d993b4384e8ac301fe9a
ipa-4-7:
https://pagure.io/freeipa/c/270ccca746c4818d4f324f0c166ed53012f87e83
https://pagure.io/freeipa/c/d82388bc6e211b7cb98d629c925e84f06cfb4e71

ipa version: ipa-server-4.6.5-8.el7.x86_64

Verified the bug on the basis of the following observations:

1. Verified that when umask is not 0022, the user is prompted with the message: "Unexpected system mask: 0027, expected 0022 Do you want to continue anyway? [yes]:"
2. When umask is set to a value other than 0022, then upon agreeing with the prompt message, the installation is successful.
3. When umask is set to a value other than 0022, then upon not agreeing with the prompt message, the installation fails as expected.
4. Upon revising the umask value back to '0022', the user is not prompted with the message and ipa-server installation is successful.
5. For Replica, when umask is set to anything other than 0022, the replica installation fails with the error message:

```
[root@kvm-01-guest02 ~]# /usr/sbin/ipa-replica-install -U --setup-ca --setup-dns --forwarder=x.x.x.x --ip-address=x.x.x.x -P admin -w Secret123
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipapython.admintool: ERROR    Unexpected system mask: 0027, expected 0022
ipapython.admintool: ERROR    The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
```

Logs on IPA Master:
----------------------

```
ipa-server-4.6.5-8.el7.x86_64
[root@auto-hv-01-guest07 ~]# umask
0022
[root@auto-hv-01-guest07 ~]# umask 0027
[root@auto-hv-01-guest07 ~]# umask
0027
[root@auto-hv-01-guest07 ~]# ipa-server-install
Unexpected system mask: 0027, expected 0022
Do you want to continue anyway? [yes]: yes

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure the KDC to enable PKINIT

[root@auto-hv-01-guest07 ~]# tail -1 /var/log/ipaserver-install.log
2019-05-15T08:27:36Z INFO The ipa-server-install command was successful
[root@auto-hv-01-guest07 ~]# kinit admin
Password for admin:
[root@auto-hv-01-guest07 ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: admin

Valid starting       Expires              Service principal
05/15/2019 04:36:01  05/16/2019 04:35:59  krbtgt/ND14MAY.PNQ
[root@auto-hv-01-guest07 ~]#
[root@auto-hv-01-guest07 ~]# kdestroy
[root@auto-hv-01-guest07 ~]# klist
klist: Credentials cache keyring 'persistent:0:0' not found
[root@auto-hv-01-guest07 ~]# ipa user-add --first test --last user tuser
Full name:
ipa: ERROR: Could not get Full name interactively
[root@auto-hv-01-guest07 ~]# ipa user-add --first=test --last=user tuser
Full name: tuser
ipa: ERROR: did not receive Kerberos credentials
[root@auto-hv-01-guest07 ~]# kinit admin
Password for admin:
[root@auto-hv-01-guest07 ~]# ipa user-add --first=test --last=user tuser --password
Password:
Enter Password again to verify:
------------------
Added user "tuser"
------------------
  User login: tuser
  First name: test
  Last name: user
  Full name: test user
  Display name: test user
  Initials: tu
  Home directory: /home/tuser
  GECOS: test user
  Login shell: /bin/sh
  Principal name: tuser
  Principal alias: tuser
  User password expiration: 20190515083728Z
  Email address: tuser
  UID: 701600001
  GID: 701600001
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
[root@auto-hv-01-guest07 ~]# ipa user-add --first=test --last=user
User login [tuser]:
ipa: ERROR: user with name "tuser" already exists
[root@auto-hv-01-guest07 ~]# ipa user-add --first=test --last=user
User login [tuser]: tuser1
-------------------
Added user "tuser1"
-------------------
  User login: tuser1
  First name: test
  Last name: user
  Full name: test user
  Display name: test user
  Initials: tu
  Home directory: /home/tuser1
  GECOS: test user
  Login shell: /bin/sh
  Principal name: tuser1
  Principal alias: tuser1
  Email address: tuser1
  UID: 701600003
  GID: 701600003
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False
[root@auto-hv-01-guest07 ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
[root@auto-hv-01-guest07 ~]# ipactl restart
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting ntpd Service
Restarting pki-tomcatd Service
Restarting ipa-otpd Service
Restarting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful
[root@auto-hv-01-guest07 ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
[root@auto-hv-01-guest07 ~]#
[root@auto-hv-01-guest07 ~]# ipa-server-install --uninstall -U
[root@auto-hv-01-guest07 ~]# rpm -q ipa-server
ipa-server-4.6.5-8.el7.x86_64
[root@auto-hv-01-guest07 ~]# tail -1 /var/log/ipaserver-install.log
2019-05-15T09:19:34Z INFO The ipa-server-install command was successful
[root@auto-hv-01-guest07 ~]# ipactl restart
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting ntpd Service
Restarting pki-tomcatd Service
Restarting ipa-otpd Service
Restarting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful
[root@auto-hv-01-guest07 ~]# umask
0022
```

Thus, on the basis of the above observations, marking status 'VERIFIED'.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2241
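The mechanism behind this bug, and the shape of the check the fix adds, as an added example. This is not FreeIPA's code and is not taken from the commits linked above; the function names, the temp-file setup and the "stricter than expected" rule are my own choices. It reads the current umask without altering it, shows that a file opened with mode 0644 ends up 0600 under umask 077 (so the apache user cannot read something like /etc/ipa/ca.crt), and sketches the two behaviours the verification reports: a prompt with default "yes" for an interactive install, and a hard error for an unattended (-U) replica install. The check generalises the page's exact-match test slightly: only masks that clear bits 0022 would keep are reported, since a looser mask such as 0002 cannot make installer-created files unreadable.

```python
import os
import stat
import tempfile

# Mask the installer expects, per the bug's "expected 0022" message.
EXPECTED_UMASK = 0o022


def current_umask():
    """Return the process umask without changing it.

    POSIX offers no read-only getter: os.umask() installs a new mask and
    returns the old one, so set a throwaway value and restore the original.
    """
    old = os.umask(0)
    os.umask(old)
    return old


def umask_problem(mask, expected=EXPECTED_UMASK):
    """Return a warning string if `mask` clears bits that `expected` keeps.

    Assumption (mine, not the project's): a looser mask such as 0002 is
    harmless for readability, so only stricter masks are reported.
    """
    extra = mask & ~expected & 0o777
    if extra:
        return "Unexpected system mask: %04o, expected %04o" % (mask, expected)
    return None


def mode_after_create(mask, requested=0o644):
    """Create a file under `mask` with open(2) mode `requested` and return
    the permission bits it actually receives.

    This is the failure mechanism from the report: a file requested as 0644
    ends up 0600 under umask 077. Uses a throwaway temp directory; the
    file name only mirrors /etc/ipa/ca.crt, nothing under /etc is touched.
    """
    old = os.umask(mask)
    try:
        with tempfile.TemporaryDirectory() as tmpdir:
            path = os.path.join(tmpdir, "ca.crt")
            fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, requested)
            os.close(fd)
            return stat.S_IMODE(os.stat(path).st_mode)
    finally:
        os.umask(old)


def readable_by_others(mode):
    """True if a user outside owner and group (e.g. apache) can read the file."""
    return bool(mode & stat.S_IROTH)


def install_decision(mask, unattended, answer="yes", expected=EXPECTED_UMASK):
    """Sketch (mine, not FreeIPA's) of the behaviour the verification shows.

    Interactive server install: warn and ask "continue anyway?", default yes.
    Unattended (-U) install, as in the replica run: the warning is fatal.
    Returns "continue" or "abort".
    """
    if umask_problem(mask, expected) is None:
        return "continue"
    if unattended:
        return "abort"
    return "continue" if answer.strip().lower() in ("", "y", "yes") else "abort"


if __name__ == "__main__":
    mask = current_umask()
    print("current umask: %04o" % mask)
    for m in (0o022, 0o027, 0o077):
        mode = mode_after_create(m)
        print("umask %04o -> file mode %04o, readable by apache: %s"
              % (m, mode, readable_by_others(mode)))
    print(umask_problem(mask) or "umask is acceptable for installation")
```

Running it under `umask 077` prints a file mode of 0600 and "readable by apache: False", which is exactly why the master's httpd got `[Errno 13] Permission denied` talking to Dogtag. A pre-install check of this kind is cheaper than the alternative of chmod-ing every sensitive file after creation, because the installer creates many files through library code it does not control.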