Bug 800119

Summary: Should not be allowed to run host-disable on an IPA Server or service-disable on an IPA Server service
Product: Red Hat Enterprise Linux 6
Reporter: Jenny Severance <jgalipea>
Component: ipa
Assignee: Rob Crittenden <rcritten>
Status: CLOSED ERRATA
QA Contact: IDM QE LIST <seceng-idm-qe-list>
Severity: high
Priority: high
Version: 6.3
CC: mkosek
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Fixed In Version: ipa-2.2.0-9.el6
Doc Type: Bug Fix
Doc Text: No documentation needed.
Last Closed: 2012-06-20 13:20:17 UTC

Description Jenny Severance 2012-03-05 19:27:00 UTC
Description of problem:

You should not be allowed to run host-disable on an IPA server, because it will disable the Kerberos key, SSL certificate and all services for the IPA Server.

# ipa host-disable `hostname`
ipa: ERROR: no modifications to be performed


# ipa user-find
ipa: ERROR: Kerberos error: ('Unspecified GSS failure.  Minor code may provide more information', 851968)/('KDC has no support for encryption type', -1765328370)


Version-Release number of selected component (if applicable):
ipa-server-2.2.0-103.20120302T0507zgitc611d89.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. see description

Comment 1 Jenny Severance 2012-03-05 19:29:27 UTC
Same is true for not being able to service-disable an IPA Server service

Comment 2 Rob Crittenden 2012-03-06 19:47:20 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/2487

Comment 6 Jenny Severance 2012-04-05 14:59:30 UTC
FailedQA :

Still allowed to disable services for DNS and dogtagldap

dogtag and DNS ::


  Principal: DNS/dhcp-185-247.testrelm.com
  Keytab: False
  Managed by: dhcp-185-247.testrelm.com

  Principal: dogtagldap/dhcp-185-247.testrelm.com
  Keytab: False
  Managed by: dhcp-185-247.testrelm.com

Comment 7 Jenny Severance 2012-04-05 15:00:16 UTC
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: Setup for ipa service tests
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Checking for the presence of ipa-admintools rpm
:: [   PASS   ] :: Checking for the presence of ipa-client rpm
:: [   LOG    ] :: kinit as admin with password Secret123 was successful.
:: [   PASS   ] :: Kinit as admin user
:: [   PASS   ] :: Creating tmp directory
:: [   PASS   ] :: Running 'pushd /tmp/tmp.W7dT0ClWrP'
:: [   LOG    ] :: Duration: 2s
:: [   LOG    ] :: Assertions: 5 good, 0 bad
:: [   PASS   ] :: RESULT: Setup for ipa service tests

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: bz800119 Should not be allowed to run service-disable on an IPA Server
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   LOG    ] :: EXECUTING: ipa service-disable ldap/dhcp-185-247.testrelm.com
:: [   LOG    ] :: Executing: ipa service-disable ldap/dhcp-185-247.testrelm.com
:: [   LOG    ] :: "ipa service-disable ldap/dhcp-185-247.testrelm.com" failed as expected.
:: [   PASS   ] :: Error message as expected: ipa: ERROR: invalid 'principal': This principal is required by the IPA master
:: [   PASS   ] :: Verify expected error message
:: [   LOG    ] :: EXECUTING: ipa service-disable dogtagldap/dhcp-185-247.testrelm.com
:: [   LOG    ] :: Executing: ipa service-disable dogtagldap/dhcp-185-247.testrelm.com
:: [   LOG    ] :: ERROR: Expected "ipa service-disable dogtagldap/dhcp-185-247.testrelm.com" to fail.
:: [   FAIL   ] :: Verify expected error message (Expected 0, got 1)
:: [   LOG    ] :: EXECUTING: ipa service-disable HTTP/dhcp-185-247.testrelm.com
:: [   LOG    ] :: Executing: ipa service-disable HTTP/dhcp-185-247.testrelm.com
:: [   LOG    ] :: "ipa service-disable HTTP/dhcp-185-247.testrelm.com" failed as expected.
:: [   PASS   ] :: Error message as expected: ipa: ERROR: invalid 'principal': This principal is required by the IPA master
:: [   PASS   ] :: Verify expected error message
:: [   LOG    ] :: EXECUTING: ipa service-disable DNS/dhcp-185-247.testrelm.com
:: [   LOG    ] :: Executing: ipa service-disable DNS/dhcp-185-247.testrelm.com
:: [   LOG    ] :: "ipa service-disable DNS/dhcp-185-247.testrelm.com" failed as expected.
:: [   FAIL   ] :: ERROR: Message not as expected. GOT: ipa: ERROR: This entry is already disabled  EXP: ipa: ERROR: invalid 'principal': This principal is required by the IPA master 
:: [   FAIL   ] :: Verify expected error message (Expected 0, got 1)
:: [   LOG    ] :: Duration: 19s
:: [   LOG    ] :: Assertions: 4 good, 3 bad
:: [   FAIL   ] :: RESULT: bz800119 Should not be allowed to run service-disable on an IPA Server

Comment 8 Rob Crittenden 2012-04-05 15:25:16 UTC
Caused by a missing comma in the list of mandatory services. Upstream ticket re-opened.
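
Added example, not FreeIPA's code and not part of the original comments: a Python sketch of how a missing comma in a list of mandatory services silently drops two entries, matching the Comment 7 log where ldap and HTTP were refused but DNS and dogtagldap were not. The tuple contents, the position of the missing comma, may_disable(), audit() and the hostname are assumptions made for illustration.

```python
import ast
import io
import tokenize

# Constructed source text. Service names come from the QA log above; the exact
# position of the missing comma is an assumption that matches the failures.
BUGGY_SRC = "('ldap', 'HTTP', 'DNS' 'dogtagldap')"
FIXED_SRC = "('ldap', 'HTTP', 'DNS', 'dogtagldap')"


def may_disable(principal, mandatory):
    """Hypothetical guard: refuse service-disable for mandatory service types."""
    service_type = principal.split("/", 1)[0]
    return service_type not in mandatory


def fused_literals(src):
    """Return (line, left, right) for each pair of adjacent string literals.

    Python joins adjacent literals at compile time, so a dropped comma never
    raises an error; it only shows up at the token level.
    """
    hits, prev = [], None
    for tok in tokenize.generate_tokens(io.StringIO(src).readline):
        if tok.type in (tokenize.NL, tokenize.COMMENT):
            continue
        if prev and prev.type == tok.type == tokenize.STRING:
            hits.append((tok.start[0], prev.string, tok.string))
        prev = tok
    return hits


def audit(src, host="ipa1.example.test"):  # constructed hostname
    """Map each intended service type to whether disabling it is refused."""
    mandatory = ast.literal_eval(src)
    intended = ("ldap", "HTTP", "DNS", "dogtagldap")
    return {s: not may_disable(f"{s}/{host}", mandatory) for s in intended}


if __name__ == "__main__":
    print(ast.literal_eval(BUGGY_SRC))   # three elements, not four
    print(audit(BUGGY_SRC))
    print(fused_literals(BUGGY_SRC))
    print(audit(FIXED_SRC), fused_literals(FIXED_SRC))
```

A token-level check like fused_literals() in CI, or a regression test that iterates over every intended service name as audit() does, catches this class of mistake before a protection list ships with entries missing.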

Comment 11 Jenny Severance 2012-04-23 14:06:50 UTC
verified ::

Services ...

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: bz800119 Should not be allowed to run host-disable on an IPA Server or service-disable on an IPA Server service
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Checking return code attempting to disable ldap/dhcp-185-247.testrelm.com
:: [   LOG    ] :: Executing: ipa service-disable ldap/dhcp-185-247.testrelm.com
:: [   LOG    ] :: "ipa service-disable ldap/dhcp-185-247.testrelm.com" failed as expected.
:: [   PASS   ] :: Error message as expected: ipa: ERROR: invalid 'principal': This principal is required by the IPA master
:: [   PASS   ] :: Verify expected error message for --setattr.
:: [   PASS   ] :: Checking return code attempting to disable dogtagldap/dhcp-185-247.testrelm.com
:: [   LOG    ] :: Executing: ipa service-disable dogtagldap/dhcp-185-247.testrelm.com
:: [   LOG    ] :: "ipa service-disable dogtagldap/dhcp-185-247.testrelm.com" failed as expected.
:: [   PASS   ] :: Error message as expected: ipa: ERROR: invalid 'principal': This principal is required by the IPA master
:: [   PASS   ] :: Verify expected error message for --setattr.
:: [   PASS   ] :: Checking return code attempting to disable HTTP/dhcp-185-247.testrelm.com
:: [   LOG    ] :: Executing: ipa service-disable HTTP/dhcp-185-247.testrelm.com
:: [   LOG    ] :: "ipa service-disable HTTP/dhcp-185-247.testrelm.com" failed as expected.
:: [   PASS   ] :: Error message as expected: ipa: ERROR: invalid 'principal': This principal is required by the IPA master
:: [   PASS   ] :: Verify expected error message for --setattr.
:: [   PASS   ] :: Checking return code attempting to disable DNS/dhcp-185-247.testrelm.com
:: [   LOG    ] :: Executing: ipa service-disable DNS/dhcp-185-247.testrelm.com
:: [   LOG    ] :: "ipa service-disable DNS/dhcp-185-247.testrelm.com" failed as expected.
:: [   PASS   ] :: Error message as expected: ipa: ERROR: invalid 'principal': This principal is required by the IPA master
:: [   PASS   ] :: Verify expected error message for --setattr.
:: [   LOG    ] :: Duration: 28s
:: [   LOG    ] :: Assertions: 12 good, 0 bad
:: [   PASS   ] :: RESULT: bz800119 Should not be allowed to run host-disable on an IPA Server or service-disable on an IPA Server service


hosts ...

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: bz800119 Should not be allowed to run host-disable on an IPA Server
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Get administrator credentials
:: [   LOG    ] :: EXECUTING: ipa host-disable dhcp-185-247.testrelm.com
:: [   LOG    ] :: Executing: ipa host-disable dhcp-185-247.testrelm.com
:: [   LOG    ] :: "ipa host-disable dhcp-185-247.testrelm.com" failed as expected.
:: [   PASS   ] :: Error message as expected: ipa: ERROR: invalid 'hostname': An IPA master host cannot be deleted or disabled
:: [   PASS   ] :: Verify expected error message.
:: [   LOG    ] :: Duration: 7s
:: [   LOG    ] :: Assertions: 3 good, 0 bad
:: [   PASS   ] :: RESULT: bz800119 Should not be allowed to run host-disable on an IPA Server


version ::

ipa-server-2.2.0-10.el6.x86_64

Comment 13 Martin Kosek 2012-04-24 13:34:08 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
No documentation needed.

Comment 15 errata-xmlrpc 2012-06-20 13:20:17 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0819.html