Bug 1597809

Summary: unable to connect to IPA server during setup in appliance_console
Product: Red Hat CloudForms Management Engine Reporter: Felix Dewaleyne <fdewaley>
Component: ApplianceAssignee: Joe Vlcek <jvlcek>
Status: CLOSED NOTABUG QA Contact: Mike Shriver <mshriver>
Severity: high Docs Contact:
Priority: medium    
Version: 5.9.0CC: abellott, fdewaley, jvlcek, mpusater, obarenbo
Target Milestone: GA   
Target Release: cfme-future   
Hardware: All   
OS: All   
Whiteboard: auth:externalauth:freeipa
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-08-09 13:48:32 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1595269    

Description Felix Dewaleyne 2018-07-03 16:16:47 UTC 
Description of problem:
during the application_console part of ipa authentication setup, cloudforms reports it is unable to reach the ipa server but setting it up with rhel7 tools works entirely.

Version-Release number of selected component (if applicable):
5.9.2

How reproducible:
all the time in customer environment

Steps to Reproduce:
1.set up a rhel7 based IPA setup
2.edit configuration as documented in https://access.redhat.com/solutions/2751431
3.configure ntp
4.use appliance_console to enable IPA

Actual results:
IPA Server Parameters:

Enter the IPA Server Hostname: ipa-02.sample.network
Enter the IPA Server Domain: |sample.network| 
Enter the IPA Server Realm: |SAMPLE.NETWORK| 
Enter the IPA Server Principal: |admin| otheradmin
Enter the IPA Server Principal Password: ***********

External Authentication (httpd) Configuration:
IPA Server Details:
  Hostname:       ipa-02.sample.network
  Domain:         sample.network
  Realm:          SAMPLE.NETWORK
  Naming Context: dc=sample,dc=network
  Principal:      otheradmin

Proceed? (Y/N): Y
Checking connectivity to ipa-02.sample.network ... 
Failed.
Could not connect to ipa-02.sample.network,
the IPA Server must be reachable by name.

Expected results:
able to connect to the IPA server or better error message

Additional info:
using the base rhel7 tools doesn't result in a connectivity error :

[root@mcloudforms01 vmdb]# /usr/sbin/ipa-client-install --mkhomedir --hostname=$(hostname -s).sample.network
WARNING: ntpd time&date synchronization service will not be configured as
conflicting service (chronyd) is enabled
Use --force-ntpd option to disable it and force configuration of ntpd

Discovery was successful!
Client hostname: cloudforms01.sample.network
Realm: SAMPLE.NETWORK
DNS Domain: sample.network
IPA Server: ipa-02.sample.network
BaseDN: dc=sample,dc=network

Continue to configure the system with these values? [no]: yes
Skipping synchronizing time with NTP server.
User authorized to enroll computers: mara
Password for otheradmin: 
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=SAMPLE.NETWORK
    Issuer:      CN=Certificate Authority,O=SAMPLE.NETWORK
    Valid From:  2016-10-26 10:50:46
    Valid Until: 2036-10-26 11:50:46

Enrolled in IPA realm SAMPLE.NETWORK
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm SAMPLE.NETWORK
trying https://ipa02.sample.network/ipa/json
[try 1]: Forwarding 'schema' to json server 'https://ipa02.sample.network/ipa/json'
trying https://ipa02.sample.network/ipa/session/json
[try 1]: Forwarding 'ping' to json server 'https://ipa02.sample.network/ipa/session/json'
[try 1]: Forwarding 'ca_is_enabled' to json server 'https://ipa02.sample.network/ipa/session/json'
Systemwide CA database updated.
Hostname (cloudforms01.sample.network) does not have A/AAAA record.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
[try 1]: Forwarding 'host_mod' to json server 'https://ipa02.sample.network/ipa/session/json'
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring dibs.network as NIS domain.
Client configuration complete.
The ipa-client-install command was successful
Comment 5 Felix Dewaleyne 2018-08-09 11:38:39 UTC 
the customer was able to setup the IPA server swapping the /etc/hosts mid setup because the IPA server is behind a serie of networks that do not allow ping. 

the official documentation for IPA do not specify that a ping is required :
  https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/installing-ipa#prereq-ports-list

this could be a design issue with the ipa implementation in cloudforms... I've opened a feature request but in retroaspect this may actually be more of a bug.

see bz https://bugzilla.redhat.com/show_bug.cgi?id=1613921 for the RFE.

at this point I'm not sure if that was entirely the right move to make anymore and would appreciate feedback.
Comment 6 Joe Vlcek 2018-08-09 13:48:32 UTC 
(In reply to Felix Dewaleyne from comment #5)
> the customer was able to setup the IPA server swapping the /etc/hosts mid
> setup because the IPA server is behind a serie of networks that do not allow
> ping. 
> 
> the official documentation for IPA do not specify that a ping is required :
>  
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/
> html/linux_domain_identity_authentication_and_policy_guide/installing-
> ipa#prereq-ports-list
> 
> this could be a design issue with the ipa implementation in cloudforms...
> I've opened a feature request but in retroaspect this may actually be more
> of a bug.
> 
> see bz https://bugzilla.redhat.com/show_bug.cgi?id=1613921 for the RFE.
> 
> at this point I'm not sure if that was entirely the right move to make
> anymore and would appreciate feedback.


IPA client configuration can do server discovery, which is why the IPA
documentation does not require the ping is required.

Cloudforms engineering made the decision to ensure the IPA server be secified
and reachable. This was done by design for Cloudforms configuration. We want to ensure the IPA server selected is not left up to IPA, which could result in
configurations using an IPA server that was not intended.

If we change it to allow IPA server auto discovery we'd be changing the
currently accepted behavior and could confuse or even upset existing customers
who have come to expect and rely on the current behavior.

Having a network configuration where the desired IPA server is not ping-able
is not a common configuration and should not be done.

Having the IPA server behind a series of networks that do not allow ping is
not a good network configuration and an edge case that I am not sure Cloudforms
should need to support.

Because the customer was able to setup the IPA server I am going to close this
bug and ask that, if you feel this odd network configuration is something
Cloudforms should support that you open a separate RFE and we can have PM
evaluate the need.

If you feel this BZ should remain open please just reopen it and provide your perspective and justification.

Thank you. JoeV