Bug 1754494

Summary: ipa-replica-install does not enforce --server option
Product: Red Hat Enterprise Linux 7
Reporter: Florence Blanc-Renaud <frenaud>
Component: ipa
Assignee: Florence Blanc-Renaud <frenaud>
Status: CLOSED ERRATA
QA Contact: ipa-qe <ipa-qe>
Severity: unspecified
Docs Contact: Marc Muehlfeld <mmuehlfe>
Priority: unspecified
Version: 7.7
CC: myusuf, pasik, rcritten, ssidhaye, tscherf
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: ipa-4.6.6-7.el7
Doc Type: Bug Fix
Doc Text:
.The `ipa-replica-install` utility now verifies that the server specified in `--server` provides all required roles

The `ipa-replica-install` utility provides a `--server` option to specify the Identity Management (IdM) server which the installer should use for the enrollment. Previously, `ipa-replica-install` did not verify that the supplied server provided the certificate authority (CA) and key recovery authority (KRA) roles. As a consequence, the installer replicated domain data from the specified server and CA data from a different server that provided the CA and KRA roles. With this update, `ipa-replica-install` verifies that the specified server provides all required roles. As a result, if the administrator uses the `--server` option, `ipa-replica-install` only replicates data from the specified server.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-03-31 19:55:52 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Florence Blanc-Renaud 2019-09-23 12:25:57 UTC
Description of problem:
The command "ipa-replica-install --server server.example.com" does not enforce the --server parameter. When it is provided, the installation should contact only the master provided and refuse to execute if the master does not offer all the required services.


Version-Release number of selected component (if applicable):
ipa-4.6.5-11.el7

How reproducible:
Always

Steps to Reproduce:
1. install master with CA
2. install replica1 without CA
3. try to install replica2 from replica1, by specifying ipa-replica-install --server replica1

Actual results:
replica2 established replication for the domain data with replica1 and for the ipaca data with master.

Expected results:
replica2 should use only replica1 during its enrollment and promotion. If replica1 does not provide CA and KRA, the installation should refuse to proceed and provide a message explaining the reason.

Additional info:
See also BZ 1591824
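
The reported and the expected behaviour from the description above, modelled as an added example (written for this page, not FreeIPA's installer code). The hostnames, the `TOPOLOGY` map and the function names are assumptions, as is treating the required roles as those requested with `--setup-ca` and `--setup-kra`.

```python
# Added model (not FreeIPA code) of how a replica installer chooses its peers.
class InstallRefused(Exception):
    """Raised when the server given with --server lacks a required role."""

# Constructed topology from the bug's reproduction steps; hostnames are assumptions.
TOPOLOGY = {
    "master.example.com": {"CA", "KRA"},
    "replica1.example.com": set(),  # replica installed without CA
}

def required_roles(setup_ca=False, setup_kra=False):
    """Roles the chosen server must offer (assumption: driven by --setup-ca/--setup-kra)."""
    return {role for role, wanted in (("CA", setup_ca), ("KRA", setup_kra)) if wanted}

def plan_before_fix(topology, server, **opts):
    """Reported behaviour: --server is honoured for domain data only; a missing
    role is silently taken from any other server that provides it."""
    plan = {"domain": server}
    for role in sorted(required_roles(**opts)):
        if role in topology[server]:
            plan[role] = server
        else:
            plan[role] = next((h for h in sorted(topology) if role in topology[h]), None)
    return plan

def plan_after_fix(topology, server, **opts):
    """Expected behaviour: every role comes from --server, or the install refuses."""
    needed = required_roles(**opts)
    missing = sorted(needed - topology[server])
    if missing:
        raise InstallRefused(f"{server} does not provide: {', '.join(missing)}")
    return {"domain": server, **{role: server for role in sorted(needed)}}

if __name__ == "__main__":
    print(plan_before_fix(TOPOLOGY, "replica1.example.com", setup_ca=True))
    try:
        plan_after_fix(TOPOLOGY, "replica1.example.com", setup_ca=True)
    except InstallRefused as err:
        print("refused:", err)
    print(plan_after_fix(TOPOLOGY, "master.example.com", setup_ca=True, setup_kra=True))
```

The point of the fix is visible in the first plan: the `CA` entry names a host the administrator never passed to `--server`, so replication agreements end up with a peer outside the intended enrollment path.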

Comment 2 Florence Blanc-Renaud 2019-09-23 12:27:33 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/7566

Comment 3 Florence Blanc-Renaud 2019-09-23 12:37:19 UTC
Fixed upstream
master:
https://pagure.io/freeipa/c/802e54dd0e33be6015b22853767fc37a9ec02f39

Comment 6 Florence Blanc-Renaud 2019-10-07 06:11:21 UTC
Test added upstream in ipatests/test_integration/test_installation.py::TestInstallReplicaAgainstSpecificServer

Fixed upstream
master:
https://pagure.io/freeipa/c/c2c1000e2d5481d4be377feb12588fdb09d12de0
https://pagure.io/freeipa/c/c77bbe7899577cb14b42625953f1b9a868e6f237

Comment 10 Florence Blanc-Renaud 2019-10-14 11:37:30 UTC
Test backported upstream:

Fixed upstream
ipa-4-6:
https://pagure.io/freeipa/c/f4dc0ee169689974020a4a77b8bb58b26f360369
https://pagure.io/freeipa/c/9b3855ec486990ecd08a9f3a0ca408425ee7fbf7

Comment 11 Mohammad Rizwan 2019-12-13 09:35:47 UTC
version:
ipa-server-4.6.6-11.el7.x86_64

Steps:
1. Install master with ca and kra setup
2. Install replica1 without ca and stop ipa-custidia service on it.

scenario 1:
 3. Try to install replica2 with --setup-ca option from replica1 as a server

scenario 2:
 4. Install CA on replica1
 5. Try to install replica2 with --setup-kra option from replica1 as a server

scenario 3:
 6. Install replica2 against master


Scenario 1 and 2 failed and scenario 3 passed. Based on these observations, marking the bug as verified.

Comment 13 Florence Blanc-Renaud 2020-01-03 08:21:29 UTC
Test backported upstream
ipa-4-6:
https://pagure.io/freeipa/c/0d91a78ee409e66f96e7b2555ca33fb2128fdfa3

Comment 15 errata-xmlrpc 2020-03-31 19:55:52 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1083