Bug 802860

Summary: Fix UDP port check during ipa-ca-install
Product: Red Hat Enterprise Linux 6 Reporter: Dmitri Pal <dpal>
Component: ipaAssignee: Rob Crittenden <rcritten>
Status: CLOSED ERRATA QA Contact: IDM QE LIST <seceng-idm-qe-list>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 6.3CC: grajaiya, jgalipea, mkosek
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-2.2.0-6.el6 Doc Type: Bug Fix
Doc Text:
No documentation needed.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2012-06-20 13:21:04 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Dmitri Pal 2012-03-13 16:36:38 UTC 
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/2514

Ticket #2062 fixed UDP checks in `ipa-replica-conncheck`.  However, these now fail in ipa-ca-install where UDP checks are performed against live KDC which is running on the replica:

{{{
# ipa-ca-install /home/mkosek/replica-info-vm-115.idm.lab.bos.redhat.com.gpg 
Directory Manager (existing master) password: 

Run connection check to master
Check connection from replica to remote master 'vm-068.idm.lab.bos.redhat.com':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
   PKI-CA: Directory Service port (7389): OK

The following list of ports use UDP protocol and would need to be
checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED

Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
admin.BOS.REDHAT.COM password: 

Execute check on remote master
Check connection from master to remote replica 'vm-115.idm.lab.bos.redhat.com':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): FAILED
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): FAILED
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
   PKI-CA: Directory Service port (7389): OK

Remote master check failed with following error message(s):
Port check failed! Inaccessible port(s): 88 (UDP), 464 (UDP)

Connection check failed!
Please fix your network settings according to error messages above.
If the check results are not valid it can be skipped with --skip-conncheck parameter.
}}}

I think we should either skip UDP checks during ipa-ca-install or check only the new CA ports that were not checked during ipa-replica-install.
Comment 1 Rob Crittenden 2012-03-28 14:15:00 UTC 
Fixed upstream.

master: 159e848d85779e8fb3a9b2ed84490423014bf609

ipa-2-2: f1f6b1dfca3d9f296ab57a26ef893073e3d415a8

You will be warning about UDP ports that fail or are not checked, rather than failing the entire check.
Comment 3 Gowrishankar Rajaiyan 2012-04-05 14:14:39 UTC 
[root@rodimus ~]# ipa-replica-install /var/lib/ipa/replica-info-rodimus.lab.eng.pnq.redhat.com.gpg 
Directory Manager (existing master) password: 

Run connection check to master
Check connection from replica to remote master 'primenova.lab.eng.pnq.redhat.com':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK

The following list of ports use UDP protocol and would need to be
checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED

Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
admin.PNQ.REDHAT.COM password: 

Execute check on remote master
Check connection from master to remote replica 'rodimus.lab.eng.pnq.redhat.com':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK

Connection from master to replica is OK.

Connection check OK



[root@rodimus ~]# iptables -A INPUT -p udp --dport 464 -j DROP



[root@rodimus ~]# ipa-replica-install /var/lib/ipa/replica-info-rodimus.lab.eng.pnq.redhat.com.gpg 
Directory Manager (existing master) password: 

Run connection check to master
Check connection from replica to remote master 'primenova.lab.eng.pnq.redhat.com':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK

The following list of ports use UDP protocol and would need to be
checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED

Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
admin.PNQ.REDHAT.COM password: 

Execute check on remote master
Check connection from master to remote replica 'rodimus.lab.eng.pnq.redhat.com':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): WARNING     <<<<<<<<<<<<<
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
The following UDP ports could not be verified as open: 464
This can happen if they are already bound to an application
and ipa-replica-conncheck cannot attach own UDP responder.

Connection from master to replica is OK.

Connection check OK


Verified: ipa-server-2.2.0-8.el6.x86_64
Comment 5 Martin Kosek 2012-04-24 13:48:34 UTC 
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
No documentation needed.
Comment 7 errata-xmlrpc 2012-06-20 13:21:04 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0819.html