Bug 745392

Summary: ipa-client-install hangs if the discovered server is unresponsive
Product: Red Hat Enterprise Linux 6 Reporter: Martin Kosek <mkosek>
Component: ipaAssignee: Rob Crittenden <rcritten>
Status: CLOSED ERRATA QA Contact: IDM QE LIST <seceng-idm-qe-list>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 6.2CC: ckannan, dpal, mkosek, nsoman, shaines
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-2.1.3-1.el6 Doc Type: Bug Fix
Doc Text:
Cause: When ipa-client-install tries to autodiscover IPA server in its domain, it does not use any timeout when a server is found and is being checked Consequence: If the found server is unresponsive during the autodiscovery, the whole ipa-client-install gets stuck Fix: A 30 second timeout is added to ipa-client-install autodiscovery server check Result: ipa-client-install reports autodiscovery failure when the tested checked server is unresponsive and lets user set IPA server address manually
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-12-06 18:42:43 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 748554    

Description Martin Kosek 2011-10-12 08:50:27 UTC
Description of problem:
When ipa-client-install is run, it autodiscovers for existing LDAP servers and checks if it is a valid IPA server. During the process, it tries to download ca.crt. If the discovered target is unresponsive, ipa-client-install hangs and does not let user to override the autodiscovered server/domain.

Version-Release number of selected component (if applicable):
ipa-client-2.1.1-101.20111004T0103zgita013597.el6.x86_64

How reproducible:
Have an LDAP server with proper _ldap._tcp DNS SRV records in client domain and which would not return ca.crt (in my test it was ldap.corp.redhat.com) and run ipa-client-install.


Steps to Reproduce:
1. Have the LDAP server with DNS SRV records as described
2. Run ipa-client-install without --server or --domain options
  
Actual results:
ipa-client-install hangs:

# ipa-client-install -d
root        : DEBUG    /usr/sbin/ipa-client-install was invoked with options: {'conf_ntp': True, 'domain': None, 'uninstall': False, 'force': False, 'sssd': True, 'krb5_offline_passwords': True, 'hostname': None, 'permit': False, 'server': None, 'prompt_password': False, 'mkhomedir': False, 'dns_updates': False, 'debug': True, 'on_master': False, 'ntp_server': None, 'realm_name': None, 'unattended': None, 'principal': None}
root        : DEBUG    missing options might be asked for interactively later

root        : DEBUG    Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
root        : DEBUG    Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
root        : DEBUG    [ipadnssearchldap(idm.lab.bos.redhat.com)]
root        : DEBUG    [ipadnssearchldap(lab.bos.redhat.com)]
root        : DEBUG    [ipadnssearchldap(bos.redhat.com)]
root        : DEBUG    [ipadnssearchldap(redhat.com)]
root        : DEBUG    [ipadnssearchkrb]
root        : DEBUG    [ipacheckldap]


Expected results:
ipa-client-install should timeout, inform the user that the autodiscovery has failed and let user enter his IPA server (which obviously does not have proper DNS SRV records)

Comment 1 Martin Kosek 2011-10-12 08:52:32 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/1960

Comment 2 Rob Crittenden 2011-10-12 22:01:25 UTC
Fixed upstream

master: 17f247d6c2aef177c40a690f886b0773a88a6dfa

ipa-2-1: 7227ffe86485bcfc9d97ce302120cfae56541a03

Comment 6 Martin Kosek 2011-10-31 19:16:24 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Cause: When ipa-client-install tries to autodiscover IPA server in its domain, it does not use any timeout when a server is found and is being checked
Consequence: If the found server is unresponsive during the autodiscovery, the whole ipa-client-install gets stuck
Fix: A 30 second timeout is added to ipa-client-install autodiscovery server check
Result: ipa-client-install reports autodiscovery failure when the tested checked server is unresponsive and lets user set IPA server address manually

Comment 7 Namita Soman 2011-11-04 14:42:07 UTC
testing

Comment 8 Namita Soman 2011-11-04 15:04:17 UTC
Verified using ipa-client-2.1.3-8.el6.x86_64


# ipa-client-install -d
root        : DEBUG    /usr/sbin/ipa-client-install was invoked with options: {'conf_ntp': True, 'domain': None, 'uninstall': False, 'force': False, 'sssd': True, 'krb5_offline_passwords': True, 'hostname': None, 'preserve_sssd': False, 'server': None, 'prompt_password': False, 'mkhomedir': False, 'dns_updates': False, 'permit': False, 'debug': True, 'on_master': False, 'ntp_server': None, 'realm_name': None, 'unattended': None, 'principal': None}
root        : DEBUG    missing options might be asked for interactively later

root        : DEBUG    Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
root        : DEBUG    Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
root        : DEBUG    [ipadnssearchldap(testrelm)]
root        : DEBUG    [ipadnssearchldap(bos.redhat.com)]
root        : DEBUG    [ipadnssearchldap(redhat.com)]
root        : DEBUG    [ipadnssearchkrb]
root        : DEBUG    [ipacheckldap]
root        : DEBUG    args=/usr/bin/wget -O /tmp/tmp0INq5Z/ca.crt -T 15 -t 2 http://ldap.corp.redhat.com/ipa/config/ca.crt
root        : DEBUG    stdout=
root        : DEBUG    stderr=--2011-11-04 10:43:23--  http://ldap.corp.redhat.com/ipa/config/ca.crt
Resolving ldap.corp.redhat.com... failed: Name or service not known.
wget: unable to resolve host address “ldap.corp.redhat.com”

root        : DEBUG    Retrieving CA from ldap.corp.redhat.com failed.
Command '/usr/bin/wget -O /tmp/tmp0INq5Z/ca.crt -T 15 -t 2 http://ldap.corp.redhat.com/ipa/config/ca.crt' returned non-zero exit status 4
root        : DEBUG    Domain not found
DNS discovery failed to determine your DNS domain
Provide the domain name of your IPA server (ex: example.com):

Comment 9 errata-xmlrpc 2011-12-06 18:42:43 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2011-1533.html