Bug 1658294

Summary: ipa-replica-install allows to use --setup-adtrust without the package freeipa-server-trust-ad installed
Product: Red Hat Enterprise Linux 8
Component: ipa
Version: 8.0
Status: CLOSED CURRENTRELEASE
Severity: unspecified
Priority: unspecified
Target Milestone: rc
Target Release: 8.0
Hardware: Unspecified
OS: Unspecified
Reporter: Thomas Woerner <twoerner>
Assignee: IPA Maintainers <ipa-maint>
QA Contact: Kaleem <ksiddiqu>
CC: abokovoy, amore, ksiddiqu, pvoborni, rcritten, tscherf, twoerner
Clone Of: 1589558
Last Closed: 2019-06-14 01:32:01 UTC
Type: Bug

Description Thomas Woerner 2018-12-11 17:10:52 UTC
+++ This bug was initially created as a clone of Bug #1589558 +++

Description of problem:
Trying to set up a FreeIPA replica with the --setup-adtrust command line option makes the setup fail due to the missing freeipa-server-trust-ad package (not pulled automatically for any package)


Version-Release number of selected component (if applicable):
freeipa-server-4.6.90.pre2

How reproducible:


Steps to Reproduce:
1. dnf install freeipa-server
2. ipa-replica-install --setup-adtrust

Actual results:
It fails in the end when it tries to restart smb, and the logs show "No builtin nor plugin backend for ipasam found"

Expected results:
Replica should be installed successfully

--- Additional comment from Alexander Bokovoy on 2018-06-10 19:00:48 UTC ---

We do the check at https://pagure.io/freeipa/blob/master/f/ipaserver/install/adtrustinstance.py#_67-77 but it doesn't include checking for the 'freeipa-server-trust-ad' package being installed -- like we are supposed to do with 'freeipa-server-dns' in https://pagure.io/freeipa/blob/master/f/ipaserver/install/dns.py#_118-120

The freeipa-server-trust-ad package has the following content:
---
$ rpm -ql freeipa-server-trust-ad
/etc/dbus-1/system.d/oddjob-ipa-trust.conf
/etc/oddjobd.conf.d/oddjobd-ipa-trust.conf
/usr/lib/.build-id
/usr/lib/.build-id/10
/usr/lib/.build-id/10/d4038f6015541ee8685be9238d46328c7d869e
/usr/lib64/krb5/plugins/libkrb5/winbind_krb5_locator.so
/usr/lib64/samba/pdb/ipasam.so
/usr/libexec/ipa/oddjob/com.redhat.idm.trust-fetch-domains
/usr/sbin/ipa-adtrust-install
/usr/share/doc/freeipa-server-trust-ad
/usr/share/doc/freeipa-server-trust-ad/Contributors.txt
/usr/share/doc/freeipa-server-trust-ad/README.md
/usr/share/ipa/smb.conf.empty
/usr/share/licenses/freeipa-server-trust-ad
/usr/share/licenses/freeipa-server-trust-ad/COPYING
/usr/share/man/man1/ipa-adtrust-install.1.gz
---

In a way similar to the DNS check, we can depend on /usr/share/ipa/smb.conf.empty which is only packaged in freeipa-server-trust-ad.

--- Additional comment from Florence Blanc-Renaud on 2018-06-25 15:21:13 UTC ---

Upstream ticket:
https://pagure.io/freeipa/issue/7602

--- Additional comment from Florence Blanc-Renaud on 2018-10-24 12:22:04 UTC ---

Fixed upstream
master:
https://pagure.io/freeipa/c/4600e62b6b4547c16eee085e216a56478dd8dd50

--- Additional comment from Christian Heimes on 2018-10-24 14:23:23 UTC ---

Fixed upstream
ipa-4-7:
https://pagure.io/freeipa/c/be968ea01adf1721b0afd7393872a8d311d89d0c
ipa-4-6:
https://pagure.io/freeipa/c/0c2bdcb1184cf034f62e523c88045f9efcb8c302

Comment 2 anuja 2019-01-22 14:51:02 UTC
Thomas Woerner,
How can this be verified?

Comment 3 Thomas Woerner 2019-01-22 15:45:51 UTC
(In reply to anuja from comment #2)
> Thomas Woerner,
> How can this be verified?

Description of problem:
Trying to set up a FreeIPA replica with the --setup-adtrust command line option makes the setup fail due to the missing freeipa-server-trust-ad package (not pulled automatically for any package)


Version-Release number of selected component (if applicable):
freeipa-server-4.6.90.pre2

How reproducible:

Steps to Reproduce:
1. dnf install freeipa-server
2. ipa-replica-install --setup-adtrust

Actual results:
It fails in the end when it tries to restart smb, and the logs show "No builtin nor plugin backend for ipasam found"

Expected results:
Replica should be installed successfully

---

Additionally from https://pagure.io/freeipa/c/be968ea01adf1721b0afd7393872a8d311d89d0c
ipaserver/install/adtrustinstance.py:
+     # Check that ipa-server-trust-ad package is installed,
+     # by looking for the file /usr/share/ipa/smb.conf.empty 
+     if not os.path.exists(os.path.join(paths.USR_SHARE_IPA_DIR,
+                                        "smb.conf.empty")):
+         print("AD Trust requires the '%s' package" %
+               constants.IPA_ADTRUST_PACKAGE_NAME)
+         print("Please install the package and start the installation again")
+         return False 
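Review bot: The `os.path.exists` test on `smb.conf.empty` only shows that one file is present, while the code comment above it says it checks that the package is installed. State in the comment that this file is used as a marker because it is packaged only in the AD trust package, and refer to the package through `constants.IPA_ADTRUST_PACKAGE_NAME` rather than the hardcoded "ipa-server-trust-ad", so the comment and the printed message cannot name different packages. The two `print` calls also write the failure reason to stdout just before `return False`; sending it through the installer's error or logging path would leave the reason in the install log as well as on the console.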

That means that the fixed version will fail early and print a message.

Comment 4 anuja 2019-01-22 16:19:03 UTC
Verified using:
ipa-server-4.7.1-10.module+el8+2699+aa606a46.x86_64
ipa-server-trust-ad-4.7.1-10.module+el8+2699+aa606a46.x86_64

Verification Steps:
1: dnf module install idm:DL1/dns
2: yum install ipa-server-trust-ad
3: ipa-replica-install --setup-adtrust

Console Output:
# ipa-replica-install --ip-address= -P admin -w --server --domain --setup-adtrust -U
Configuring client side components
This program will set up IPA client.
Version 4.7.1

  [7/10]: upgrading server
  [8/10]: stopping directory server
  [9/10]: restoring configuration
  [10/10]: starting directory server
Done.
Finalize replication settings
Restarting the KDC
Configuring CIFS
  [1/23]: validate server hostname
  [2/23]: stopping smbd
  [3/23]: creating samba domain object
  [4/23]: creating samba config registry
  [5/23]: writing samba config file
  [6/23]: adding cifs Kerberos principal
  [7/23]: adding cifs and host Kerberos principals to the adtrust agents group
  [8/23]: check for cifs services defined on other replicas
  [9/23]: adding cifs principal to S4U2Proxy targets
  [10/23]: adding admin(group) SIDs
  [11/23]: adding RID bases
  [12/23]: updating Kerberos config
'dns_lookup_kdc' already set to 'true', nothing to do.
  [13/23]: activating CLDAP plugin
  [14/23]: activating sidgen task
  [15/23]: map BUILTIN\Guests to nobody group
  [16/23]: configuring smbd to start on boot
  [17/23]: adding special DNS service records
  [18/23]: restarting Directory Server to take MS PAC and LDAP plugins changes into account
  [19/23]: adding fallback group
  [20/23]: adding Default Trust View
  [21/23]: setting SELinux booleans
  [22/23]: starting CIFS services
  [23/23]: restarting smbd
Done configuring CIFS.

WARNING: The CA service is only installed on one server (vm-idm-040.replica.test).
It is strongly recommended to install it on another server.
Run ipa-ca-install(1) on another master to accomplish this.

Comment 6 anuja 2019-01-22 16:22:53 UTC
Based on comment #4 marking bz as verified.