Bug 903230

Summary: [abrt] freeipa-client-3.0.0-3.fc18: xmlrpc_env_clean: Process /usr/sbin/ipa-join was killed by signal 11 (SIGSEGV)
Product: Red Hat Enterprise Linux 7
Reporter: Ann Marie Rubin <arubin>
Component: ipa
Assignee: Rob Crittenden <rcritten>
Status: CLOSED CURRENTRELEASE
QA Contact: IDM QE LIST <seceng-idm-qe-list>
Severity: unspecified
Priority: medium
Version: 7.0
CC: mkosek, nsoman
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Fixed In Version: ipa-3.2.1-1.el7
Doc Type: Bug Fix
Clone Of:
: 961132
Last Closed: 2014-06-13 10:14:39 UTC
Bug Blocks: 961132

Description Ann Marie Rubin 2013-01-23 14:31:45 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/3275

https://bugzilla.redhat.com/show_bug.cgi?id=880563 (Fedora)

{{{
Description of problem:
Ran this:

/usr/sbin/ipa-client-install --domain idm.lab.bos.redhat.com --realm
IDM.LAB.BOS.REDHAT.COM --principal admin -W --mkhomedir --no-ntp
--enable-dns-updates --permit --unattended

Output:

Discovery was successful!
Hostname: stef-rawhide.thewalter.lan
Realm: IDM.LAB.BOS.REDHAT.COM
DNS Domain: idm.lab.bos.redhat.com
IPA Server: vm-101.idm.lab.bos.redhat.com
BaseDN: dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
Synchronizing time with KDC...
Enrolled in IPA realm IDM.LAB.BOS.REDHAT.COM
Created /etc/ipa/default.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm IDM.LAB.BOS.REDHAT.COM
trying https://vm-101.idm.lab.bos.redhat.com/ipa/xml
Failed to update DNS records.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Forwarding 'host_mod' to server 'http://vm-101.idm.lab.bos.redhat.com/ipa/xml'
host_mod: invalid 'sshpubkey': must be binary data
Failed to upload host SSH public keys.
SSSD enabled
Configured /etc/openldap/ldap.conf


Version-Release number of selected component:
freeipa-client-3.0.0-3.fc18

Additional info:
libreport version: 2.0.18
abrt_version:   2.0.18
backtrace_rating: 4
cmdline:        /usr/sbin/ipa-join --unenroll -h stef-rawhide.thewalter.lan
crash_function: xmlrpc_env_clean
kernel:         3.6.6-3.fc18.x86_64

truncated backtrace:
:Thread no. 1 (2 frames)
: #1 xmlrpc_env_clean at /usr/src/debug/xmlrpc-c-1.32.1/lib/libutil/error.c:52
: #2 unenroll_host at ipa-join.c:919
}}}

Comment 2 Martin Kosek 2013-02-21 09:10:37 UTC
Fixed upstream:

master: 0d836cd6ee9d7b29808cbf36582eed71a5b6a32a
ipa-3-0: babde7374ad946fa7617b56b662ab4fb3211b14f

Comment 5 Namita Soman 2014-01-29 20:37:31 UTC
Verified using ipa-client-3.3.3-13.el7.x86_64

Followed steps as in https://bugzilla.redhat.com/show_bug.cgi?id=961132#c7

Tested that the client install had to be rolled back, and there was no seg fault.

Steps taken:
# cp -f /dev/null /etc/pki/nssdb/cert8.db
# cp -f /dev/null /etc/pki/nssdb/key3.db
# cp -f /dev/null /etc/pki/nssdb/secmod.db

# ls -l /etc/pki/nssdb/
total 60
-rw-r--r--. 1 root root     0 Jan 29 15:28 cert8.db
-rw-r--r--. 1 root root  9216 Jan 29 15:14 cert9.db
-rw-r--r--. 1 root root 16384 Jan 29 15:20 key3.db
-rw-r--r--. 1 root root 11264 Jan 29 15:14 key4.db
-rw-r--r--. 1 root root   451 Jan 17 18:57 pkcs11.txt
-rw-r--r--. 1 root root 16384 Jan 12  2010 secmod.db

# ipa-client-install 
WARNING: ntpd time&date synchronization service will not be configured as
conflicting service (chronyd) is enabled
Use --force-ntpd option to disable it and force configuration of ntpd

Discovery was successful!
Hostname: sparks.testrelm.com
Realm: TESTRELM.COM
DNS Domain: testrelm.com
IPA Server: cloud-qe-17.testrelm.com
BaseDN: dc=testrelm,dc=com

Continue to configure the system with these values? [no]: y
User authorized to enroll computers: admin
Synchronizing time with KDC...
Password for admin: 
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=TESTRELM.COM
    Issuer:      CN=Certificate Authority,O=TESTRELM.COM
    Valid From:  Wed Jan 29 14:58:18 2014 UTC
    Valid Until: Sun Jan 29 14:58:18 2034 UTC

Enrolled in IPA realm TESTRELM.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured /etc/sssd/sssd.conf
Failed to add CA to the default NSS database.
Installation failed. Rolling back changes.
Unenrolling client from IPA server
Removing Kerberos service principals from /etc/krb5.keytab
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Client uninstall complete.


ipaclient-install.log includes:
<..snip..>
2014-01-29T20:29:37Z DEBUG args=/usr/bin/certutil -A -d /etc/pki/nssdb -n IPA CA -t CT,C,C -a -i /etc/ipa/ca.crt
2014-01-29T20:29:37Z DEBUG Process finished, return code=255
2014-01-29T20:29:37Z DEBUG stdout=
2014-01-29T20:29:37Z DEBUG stderr=certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.

2014-01-29T20:29:37Z INFO Failed to add CA to the default NSS database.
2014-01-29T20:29:37Z ERROR Installation failed. Rolling back changes.
<..snip..>
2014-01-29T20:29:42Z DEBUG args=/usr/sbin/ipa-join --unenroll -h sparks.testrelm.com
2014-01-29T20:29:43Z DEBUG Process finished, return code=0
2014-01-29T20:29:43Z DEBUG stdout=
2014-01-29T20:29:43Z DEBUG stderr=Unenrollment successful.
<..snip..>
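
The log check from comment 5 can be scripted. The following is an added example, not part of the bug report or of FreeIPA's code: it pairs each `args=` line in ipaclient-install.log with its `return code=` line and classifies every `ipa-join --unenroll` run. It assumes a child killed by a signal is logged with Python's negative subprocess return code (-11 for SIGSEGV); the `host.example.test` lines are constructed to show that case.

```python
import re
import signal

# Constructed sample in the ipaclient-install.log format quoted in comment 5.
# The last two lines are made up (not from the bug): they assume a child killed
# by a signal is logged with Python's negative subprocess returncode.
SAMPLE_LOG = """\
2014-01-29T20:29:37Z DEBUG args=/usr/bin/certutil -A -d /etc/pki/nssdb -n IPA CA -t CT,C,C -a -i /etc/ipa/ca.crt
2014-01-29T20:29:37Z DEBUG Process finished, return code=255
2014-01-29T20:29:42Z DEBUG args=/usr/sbin/ipa-join --unenroll -h sparks.testrelm.com
2014-01-29T20:29:43Z DEBUG Process finished, return code=0
2014-01-29T20:31:02Z DEBUG args=/usr/sbin/ipa-join --unenroll -h host.example.test
2014-01-29T20:31:02Z DEBUG Process finished, return code=-11
"""
ARGS_RE = re.compile(r"^\S+ DEBUG args=(.+)$")
RC_RE = re.compile(r"^\S+ DEBUG Process finished, return code=(-?\d+)$")

def parse_commands(log_text):
    """Pair each 'args=' line with the 'return code=' line that follows it."""
    results, pending = [], None
    for line in log_text.splitlines():
        args, rc = ARGS_RE.match(line), RC_RE.match(line)
        if args:
            if pending is not None:
                results.append((pending, None))  # previous command logged no status
            pending = args.group(1)
        elif rc and pending is not None:
            results.append((pending, int(rc.group(1))))
            pending = None
    if pending is not None:
        results.append((pending, None))
    return results

def classify(rc):
    """Return 'ok', 'failed', 'signal:<NAME>' or 'unknown' for a logged code."""
    if rc is None:
        return "unknown"
    if rc < 0:
        return "signal:" + signal.Signals(-rc).name
    return "ok" if rc == 0 else "failed"

def unenroll_status(log_text):
    """Classify every 'ipa-join --unenroll' run found in the log."""
    return [classify(rc) for cmd, rc in parse_commands(log_text)
            if cmd.startswith("/usr/sbin/ipa-join --unenroll")]
```

A command whose `args=` line has no following return code is reported as `unknown`, which covers a log that ends before the child's status was written.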

Comment 6 Ludek Smid 2014-06-13 10:14:39 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.