| Summary: | ipa-replica-conncheck --master shows "Kerberos Kpasswd: UDP" to be OK even though it is not. | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Gowrishankar Rajaiyan <grajaiya> |
| Component: | ipa | Assignee: | Rob Crittenden <rcritten> |
| Status: | CLOSED ERRATA | QA Contact: | IDM QE LIST <seceng-idm-qe-list> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 6.2 | CC: | jgalipea, mkosek |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | ipa-2.2.0-3.el6 | Doc Type: | Bug Fix |
| Doc Text: | No documentation needed. | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2012-06-20 13:16:32 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Bug Depends On: | |||
| Bug Blocks: | 756082 | ||
I don't think this is a blocking issue, I will re-target this for 6.3.0. Testing of UDP port is tricky, due to stateless nature of UDP protocol. We should either find some way to correctly test these ports or don't test them at all.

Upstream ticket: https://fedorahosted.org/freeipa/ticket/2062

master: 306bdccfa4ef02d72bbd4103ad413bd4ed024177
ipa-2-2: d0320b9198fb84198a7e927caa9f9ef388f1b551

A working iptables config generally looks something like:

-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 7389 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 636 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 88 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 88 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 464 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 464 -j ACCEPT

You can replace ACCEPT with DROP to test that this is properly detecting the state. UDP is only tested from master to replica.

Test 1:

[root@goldbug ~]# ipa-replica-install /var/lib/ipa/replica-info-goldbug.lab.eng.pnq.redhat.com.gpg
Directory Manager (existing master) password:

Run connection check to master
Check connection from replica to remote master 'primenova.lab.eng.pnq.redhat.com':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
The following list of ports use UDP protocol and would need to be checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED
Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
admin.PNQ.REDHAT.COM password:
Execute check on remote master
Check connection from master to remote replica 'goldbug.lab.eng.pnq.redhat.com':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
Connection from master to replica is OK.

Adding iptables rules as:

[root@goldbug ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       udp  --  anywhere             anywhere            state NEW udp dpt:domain
DROP       udp  --  anywhere             anywhere            state NEW udp dpt:kerberos
DROP       udp  --  anywhere             anywhere            state NEW udp dpt:kpasswd

[root@goldbug ~]# ipa-replica-install /var/lib/ipa/replica-info-goldbug.lab.eng.pnq.redhat.com.gpg
Directory Manager (existing master) password:

Run connection check to master
Check connection from replica to remote master 'primenova.lab.eng.pnq.redhat.com':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
The following list of ports use UDP protocol and would need to be checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED
Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
admin.PNQ.REDHAT.COM password:
Execute check on remote master
Check connection from master to remote replica 'goldbug.lab.eng.pnq.redhat.com':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): FAILED
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): FAILED
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
Remote master check failed with following error message(s):
Could not chdir to home directory /home/admin: No such file or directory
Port check failed! Inaccessible port(s): 88 (UDP), 464 (UDP)

Connection check failed!
Please fix your network settings according to error messages above.
If the check results are not valid it can be skipped with --skip-conncheck parameter.
[root@goldbug ~]#

Test 2:

[root@goldbug ~]# ipa-replica-conncheck -m primenova.lab.eng.pnq.redhat.com
Check connection from replica to remote master 'primenova.lab.eng.pnq.redhat.com':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
The following list of ports use UDP protocol and would need to be checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED
Connection from replica to master is OK.
Start listening on required ports for remote master check
Listeners are started. Use CTRL+C to terminate the listening part after the test.
Please run the following command on remote master:
/usr/sbin/ipa-replica-conncheck --replica goldbug.lab.eng.pnq.redhat.com
^C
Cleaning up...
[root@goldbug ~]#

[root@primenova ~]# /usr/sbin/ipa-replica-conncheck --replica goldbug.lab.eng.pnq.redhat.com
Check connection from master to remote replica 'goldbug.lab.eng.pnq.redhat.com':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): FAILED
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): FAILED
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
Port check failed! Inaccessible port(s): 88 (UDP), 464 (UDP)
[root@primenova ~]#

Verified: ipa-server-2.2.0-3.el6.x86_64
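The reason behind the fix Rob describes (UDP is only tested in the direction where the other side has started a listener), as an added illustration that is not FreeIPA code: a one-sided UDP send has no handshake and therefore "succeeds" against a DROPped or unbound port, so the replica must bind the port under test and echo, and the master may report OK only when the echo comes back. Loopback, port numbers and the probe payload are constructed placeholders.

```python
import socket
import threading

HOST = "127.0.0.1"  # constructed: loopback stands in for the replica

def naive_udp_check(host, port):
    """The pattern behind the bug: a UDP send has no handshake, so it
    'succeeds' whether or not anything listens on the far side."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(b"probe", (host, port))
    return True  # reported OK even for a DROPped or unbound port

def start_udp_echo_listener(host, port=0):
    """Replica side ('Start listening on required ports'): bind the port under
    test and echo every datagram back. Returns (bound_port, stop_event)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, port))  # port=0 lets the OS choose a free port
    sock.settimeout(0.2)     # poll so the thread notices stop_event
    stop = threading.Event()
    def serve():
        while not stop.is_set():
            try:
                data, peer = sock.recvfrom(1024)
            except socket.timeout:
                continue
            sock.sendto(data, peer)
        sock.close()
    threading.Thread(target=serve, daemon=True).start()
    return sock.getsockname()[1], stop

def udp_port_reachable(host, port, timeout=1.0):
    """Master side: the port is OK only if the replica's listener answers.
    A firewall DROP shows up as a timeout, an ICMP port-unreachable may
    surface as ConnectionRefusedError; both are OSError and mean FAILED."""
    token = b"conncheck"  # constructed probe payload
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(token, (host, port))
            data, _ = s.recvfrom(1024)
        except OSError:
            return False
    return data == token

def free_udp_port(host=HOST):
    """Pick a port with nothing bound to it, to demonstrate the FAILED case."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]
```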
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.
New Contents:
No documentation needed.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0819.html
Description of problem:

Version-Release number of selected component (if applicable):
ipa-server-2.1.3-8.el6.x86_64

How reproducible:
Always

Steps to Reproduce:

1. MASTER:

[root@decepticons ~]# service ipa status
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
DNS Service: RUNNING
HTTP Service: RUNNING
CA Service: RUNNING
[root@decepticons ~]#

2. SLAVE:

[root@bumblebee ~]# ipa-replica-conncheck --master decepticons.lab.eng.pnq.redhat.com
Check connection from replica to remote master 'decepticons.lab.eng.pnq.redhat.com':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): OK
   HTTP Server: port 80 (80): OK
   HTTP Server: port 443(https) (443): OK
Connection from replica to master is OK.

3. MASTER:

[root@decepticons ~]# service ipa stop
Stopping CA Service
Stopping pki-ca: [ OK ]
Stopping HTTP Service
Stopping httpd: [ OK ]
Stopping DNS Service
Stopping named: . [ OK ]
Stopping KPASSWD Service
Shutting down ipa_kpasswd: [ OK ]
Stopping KDC Service
Stopping Kerberos 5 KDC: [ OK ]
Stopping Directory Service
Shutting down dirsrv:
    LAB-ENG-PNQ-REDHAT-COM... [ OK ]
    PKI-IPA... [ OK ]
[root@decepticons ~]#

4. SLAVE:

[root@bumblebee ~]# ipa-replica-conncheck --master decepticons.lab.eng.pnq.redhat.com

Actual results:

SLAVE:

[root@bumblebee ~]# ipa-replica-conncheck --master decepticons.lab.eng.pnq.redhat.com
Check connection from replica to remote master 'decepticons.lab.eng.pnq.redhat.com':
   Directory Service: Unsecure port (389): FAILED
   Directory Service: Secure port (636): FAILED
   Kerberos KDC: TCP (88): FAILED
   Kerberos KDC: UDP (88): OK
   Kerberos Kpasswd: TCP (464): FAILED
   Kerberos Kpasswd: UDP (464): OK   <<<<<<<<<<<<<<<<<<<<<<<<
   HTTP Server: port 80 (80): FAILED
   HTTP Server: port 443(https) (443): FAILED
Port check failed! Inaccessible port(s): 389, 636, 88, 464, 80, 443
[root@bumblebee ~]#

Expected results:

Kerberos Kpasswd: UDP (464): FAILED

Additional info:

MASTER:

[root@decepticons ~]# netstat -anup | grep 464
[root@decepticons ~]#