Bug 1782572

Summary: "Internal Server Error" reported for minor issues implies IPA is broken [IdmHackfest2019]
Product: Red Hat Enterprise Linux 8
Reporter: Josip Vilicic <jvilicic>
Component: ipa
Assignee: Thomas Woerner <twoerner>
Status: CLOSED ERRATA
QA Contact: ipa-qe <ipa-qe>
Severity: medium
Priority: unspecified
Version: 8.1
CC: abokovoy, fcami, frenaud, ksiddiqu, myusuf, pasik, pcech, rcritten, tscherf
Target Milestone: rc
Keywords: TestCaseProvided
Target Release: 8.0
Hardware: x86_64
OS: Linux
Last Closed: 2020-04-28 15:44:43 UTC
Type: Bug

Description Josip Vilicic 2019-12-11 21:14:54 UTC
Description of problem:
Receiving "Internal Server Error" or "ipa: ERROR: cannot connect to 'any of the configured servers'" from IPA when performing a non-critical task may imply to customers that a fully-functional IPA instance is somehow broken.


Version-Release number of selected component (if applicable):
RHEL 8.1 / IPA 4.8


How reproducible:
Consistent


Steps to Reproduce:
1. Set up IPA and Establish Trust with an AD domain
2. kinit as an AD user, but do not have them in the "Default Trust View"
3. Perform an IPA command, like `ipa ping`


Actual results:
"Internal Server Error" or "cannot connect to 'any of the configured servers'" message is displayed


Expected results:
Report a less-general, less-alarming error message like "you do not have permissions to run this command" so customers know IPA is still working as expected


Additional info:
1) At one point at IdM Hackfest 2019, we received "Internal Server Error" on a fresh install when performing `ipa ping` with an unprivileged user, but were unable to reproduce this afterwards.

2) Received another misleading error:

   [root@replica ~]# kinit Administrator
   Password for Administrator: 

   [root@replica ~]# id Administrator
   id: ‘Administrator’: no such user

   [root@replica ~]# ipa ping
   ipa: ERROR: cannot connect to 'any of the configured servers': https://replica.ipa.test/ipa/json, https://master.ipa.test/ipa/json

Comment 2 Florence Blanc-Renaud 2020-01-09 13:29:17 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/8163

Comment 3 Florence Blanc-Renaud 2020-01-10 16:10:34 UTC
Fixed upstream
master:
https://pagure.io/freeipa/c/e2d69380fbae6dab244fce3fd5afe5fdc28a2663

Comment 8 Mohammad Rizwan 2020-03-03 12:40:40 UTC
~~~~~~~~~~~~~~
older version:
~~~~~~~~~~~~~~
ipa-server-4.8.0-13.module+el8.1.0+4923+c6efe041.x86_64
ipa-server-trust-ad-4.8.0-13.module+el8.1.0+4923+c6efe041.x86_64
ipa-server-dns-4.8.0-13.module+el8.1.0+4923+c6efe041.noarch

Default principal: Administrator

Valid starting       Expires              Service principal
03/03/2020 07:38:29  03/03/2020 17:38:29  krbtgt/WIN2016.TEST
	renew until 03/04/2020 07:38:26
[root@master ~]# 
[root@master ~]# 
[root@master ~]# ipa ping
ipa: ERROR: cannot connect to 'https://master.testrealm.test/ipa/json': Internal Server Error


~~~~~~~~~~~~~~
Fixed version:
~~~~~~~~~~~~~~
version:
ipa-server-trust-ad-4.8.4-6.module+el8.2.0+5773+68ace8c5.x86_64
ipa-server-4.8.4-6.module+el8.2.0+5773+68ace8c5.x86_64
ipa-server-dns-4.8.4-6.module+el8.2.0+5773+68ace8c5.noarch

Steps: mentioned in description

Actual result:
[root@master ~]# kinit etuser1
Password for etuser1: 
[root@master ~]# ipa ping
ipa: ERROR: Insufficient access: SASL(-14): authorization failure: Invalid credentials

The error message seems more promising after the fix. Thus marking the bug verified.

Comment 9 François Cami 2020-04-02 12:37:51 UTC
Fixed upstream
master:
https://pagure.io/freeipa/c/a02df530a6b4b5f5f6f9661da33aa2fb0cd47211

Comment 10 François Cami 2020-04-03 09:49:57 UTC
Fixed upstream
ipa-4-8:
https://pagure.io/freeipa/c/90eef2f84d3ad61894a1656c529000072e6cb036

Comment 12 errata-xmlrpc 2020-04-28 15:44:43 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2020:1640