Bug 797567

Summary: ipa-client-install does not handle exception from certutil call
Product: Red Hat Enterprise Linux 6 Reporter: Dmitri Pal <dpal>
Component: ipaAssignee: Rob Crittenden <rcritten>
Status: CLOSED ERRATA QA Contact: IDM QE LIST <seceng-idm-qe-list>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 6.3CC: jgalipea, ksiddiqu, mkosek
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-2.2.0-4.el6 Doc Type: Bug Fix
Doc Text:
No documentation needed.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2012-06-20 13:19:47 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Dmitri Pal 2012-02-26 18:10:26 UTC 
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/2415

If certutil call fails for some reason, exception is not handled and client installation is not rolled back. 

Attachments:
Client_first_try attachment: ipa-client-install with failing certutil. Certutil failed because mess in filesystem. Client was accidentaly installed on ipa-server. Problem with messed files solved by "ipa-server-install --uninstall".

Client_second_try - ipa-client-install fails, probably because duplicated host is in LDAP - result of missing rollback/exception handling in first try

Affected version:
freeipa-client-2.1.4-4.fc16.x86_64
Comment 1 Jenny Severance 2012-02-27 14:08:15 UTC 
delete /etc/pki/nssdb directory and then run ipa-client-install to verify this issue
Comment 2 Martin Kosek 2012-03-09 14:50:14 UTC 
Fixed upstream:
master: https://fedorahosted.org/freeipa/changeset/71d134dfa03eb86066eeb331815647bdff04aaa8
ipa-2-2: https://fedorahosted.org/freeipa/changeset/cada19d71f832a9ae9109f8de1050a462300e3a3
Comment 5 Martin Kosek 2012-04-24 13:01:57 UTC 
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
No documentation needed.
Comment 6 Kaleem 2012-04-27 09:58:22 UTC 
Verified.

Now, ipa-client installation is rolledback properly when exception raised from certutil call.

"Failed to add CA to the default NSS database.
Installation failed. Rolling back changes."

ipa-client version:
===================
[root@ipaclient1 ~]# rpm -q ipa-client
ipa-client-2.2.0-11.el6.x86_64
[root@ipaclient1 ~]#

Steps used to verify:
====================
(1)Rename /etc/pki/nssdb which will raise exception for certutil call from ipa-client

(2)Run ipa-client-install

[root@ipaclient1 ~]# ipa-client-install -p admin -w Secret123 -U
Discovery was successful!
Hostname: ipaclient1.testrelm.com
Realm: TESTRELM.COM
DNS Domain: testrelm.com
IPA Server: ipa63server.testrelm.com
BaseDN: dc=testrelm,dc=com

Synchronizing time with KDC...

Enrolled in IPA realm TESTRELM.COM
Created /etc/ipa/default.conf
Domain testrelm.com is already configured in existing SSSD config, creating a new one.
The old /etc/sssd/sssd.conf is backed up and will be restored during uninstall.
Configured /etc/sssd/sssd.conf
Failed to add CA to the default NSS database.
Installation failed. Rolling back changes.
[root@ipaclient1 ~]#
Comment 8 errata-xmlrpc 2012-06-20 13:19:47 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0819.html