Bug 979197

Summary: ipa-client-install : ambiguity in option --force
Product: Red Hat Enterprise Linux 6
Component: ipa
Version: 6.4
Hardware: Unspecified
OS: Unspecified
Status: CLOSED NOTABUG
Severity: medium
Priority: unspecified
Target Milestone: rc
Target Release: ---
Reporter: Yi Zhang <yzhang>
Assignee: Martin Kosek <mkosek>
QA Contact: Namita Soman <nsoman>
CC: abokovoy, jgalipea, rcritten, yzhang
Type: Bug
Doc Type: Bug Fix
Last Closed: 2013-07-01 13:06:54 UTC

Description Yi Zhang 2013-06-27 22:07:16 UTC
Description of problem:
It appears to me that the option "--force" in ipa-client-install has a different meaning depending on whether the IPA host connects to ipa-server-2.2.0-16.el6.i686 or ipa-server-selinux-3.0.0-25.el6.i686.

When trying ipa-client-install against ipa-server 2.2 (release bits in RHEL 6.3), "--force" has to be used when (1) running in "unattended" mode and (2) no /etc/ipa/ca.crt file exists on the IPA client host.

If I try the same command on the same IPA client host, but against ipa-server 3.0 (release bits in RHEL 6.4), "--force" is not required.

Please check the following output:

======= test one: rhel5.10 client --> rhel6.3 ipa server (ver 2.2) =====
[root@green (RH5.10-x86_64) install-client-cli] ipa-client-install --server=eggfruit.yzhang.redhat.com --domain=yzhang.redhat.com -p admin -w Secret123 --realm=YZHANG.REDHAT.COM -U
Hostname: green.yzhang.redhat.com
Realm: YZHANG.REDHAT.COM
DNS Domain: yzhang.redhat.com
IPA Server: eggfruit.yzhang.redhat.com
BaseDN: dc=yzhang,dc=redhat,dc=com


Synchronizing time with KDC...

root        : ERROR    In unattended mode without a One Time Password (OTP) or without --ca-cert-file
You must specify --force to retrieve the CA cert using HTTP
root        : ERROR    Cannot obtain CA certificate
HTTP certificate download requires --force
Installation failed. Rolling back changes.
IPA client is not configured on this system.

======= test two: rhel5.10 client --> rhel6.4 ipa server (ver 3.0) =====
[root@green (RH5.10-x86_64) install-client-cli] ipa-client-install --server=apple.yzhang.redhat.com --domain=yzhang.redhat.com -p admin -w Secret123 --realm=YZHANG.REDHAT.COM -U
Hostname: green.yzhang.redhat.com
Realm: YZHANG.REDHAT.COM
DNS Domain: yzhang.redhat.com
IPA Server: apple.yzhang.redhat.com
BaseDN: dc=yzhang,dc=redhat,dc=com


Synchronizing time with KDC...

Enrolled in IPA realm YZHANG.REDHAT.COM
Created /etc/ipa/default.conf
Unable to parse existing SSSD config. As option --preserve-sssd was not specified, new config will override the old one.
The old /etc/sssd/sssd.conf is backed up and will be restored during uninstall.
root        : ERROR    Unable to parse existing SSSD config and --preserve-sssd was not specified: [Errno 2] No such file or directory: '/etc/sssd/sssd.conf'
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm YZHANG.REDHAT.COM
SSSD enabled
NTP enabled
Client configuration complete.




Version-Release number of selected component (if applicable):
ipa-client-2.1.3-7.el5
ipa-server-2.2.0-16.el6.i686
ipa-server-3.0.0-25.el6.i686

How reproducible: always


Steps to Reproduce:
1.
2.
3.

Actual results: without using "--force", ipa-client-install fails if the IPA master is version 2.2, and succeeds if the IPA server is version 3.0.


Expected results: consistent behaviour regarding the "--force" option.


Additional info:
On all 3 versions (rhel5.10, rhel6.3 & rhel6.4), ipa-client-install -h outputs the same message for "--force":
-f, --force         force setting of LDAP/Kerberos conf

I don't expect this option to be related to the ca.crt download.

Comment 2 Martin Kosek 2013-06-28 05:42:56 UTC
I do not think this has anything to do with the --force option. I rather think that after your first test, /etc/ipa/ca.crt was created on the system, thus the second test with the rhel6.4 IPA server succeeded: it did not need to download the cert, it already had it in /etc/ipa/ca.crt.

Yi, can you please confirm that this is the case? If yes, please close the bug as NOTABUG.

Comment 3 Yi Zhang 2013-06-28 15:37:44 UTC
Martin:
I still insist on my finding.
I redid the above test, removing the /etc/ipa/ca.crt file first, and got the same result.

== test one: against rhel6.4 ipa master ====
[root@green (RH5.10-x86_64) install-client-cli] ls /etc/ipa/ca.crt 
/etc/ipa/ca.crt
[root@green (RH5.10-x86_64) install-client-cli] rm /etc/ipa/ca.crt 
rm: remove regular file `/etc/ipa/ca.crt'? yes
[root@green (RH5.10-x86_64) install-client-cli] ls -l /etc/ipa
total 0
[root@green (RH5.10-x86_64) install-client-cli] ipa-client-install --server=apple.yzhang.redhat.com --domain=yzhang.redhat.com -p admin -w Secret123 --realm=YZHANG.REDHAT.COM -U
Hostname: green.yzhang.redhat.com
Realm: YZHANG.REDHAT.COM
DNS Domain: yzhang.redhat.com
IPA Server: apple.yzhang.redhat.com
BaseDN: dc=yzhang,dc=redhat,dc=com


Synchronizing time with KDC...

Enrolled in IPA realm YZHANG.REDHAT.COM
Created /etc/ipa/default.conf
Domain yzhang.redhat.com is already configured in existing SSSD config, creating a new one.
The old /etc/sssd/sssd.conf is backed up and will be restored during uninstall.
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm YZHANG.REDHAT.COM
SSSD enabled
NTP enabled
Client configuration complete.
[root@green (RH5.10-x86_64) install-client-cli] ipa-client-install --uninstall -U
Unenrolling client from IPA server
Removing Kerberos service principals from /etc/krb5.keytab
Disabling client Kerberos and LDAP configurations
Restoring client configuration files

==== test two: against rhel6.3 ipa master on the same ipa client host ====
[root@green (RH5.10-x86_64) install-client-cli] ls /etc/ipa/ca.crt 
/etc/ipa/ca.crt
[root@green (RH5.10-x86_64) install-client-cli] rm /etc/ipa/ca.crt 
rm: remove regular file `/etc/ipa/ca.crt'? yes
[root@green (RH5.10-x86_64) install-client-cli] ls -l /etc/ipa
total 0
[root@green (RH5.10-x86_64) install-client-cli] ipa-client-install --server=eggfruit.yzhang.redhat.com --domain=yzhang.redhat.com -p admin -w Secret123 --realm=YZHANG.REDHAT.COM -U
Hostname: green.yzhang.redhat.com
Realm: YZHANG.REDHAT.COM
DNS Domain: yzhang.redhat.com
IPA Server: eggfruit.yzhang.redhat.com
BaseDN: dc=yzhang,dc=redhat,dc=com


Synchronizing time with KDC...

root        : ERROR    In unattended mode without a One Time Password (OTP) or without --ca-cert-file
You must specify --force to retrieve the CA cert using HTTP
root        : ERROR    Cannot obtain CA certificate
HTTP certificate download requires --force
Installation failed. Rolling back changes.
IPA client is not configured on this system.

Comment 4 Rob Crittenden 2013-06-30 17:48:35 UTC
This is because the 2.2 server does not store the certificate in LDAP and the 3.x server does.

Retrieving the CA over HTTP is insecure, hence the --force requirement.
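
The secure alternative to "--force" on a 2.2 master, as an added example that is not part of this bug report or of ipa-client-install itself: distribute the CA certificate to the client out of band, pin its digest, and only then enrol with --ca-cert-file. The ipa-client-install options used (--server, --domain, --realm, --ca-cert-file, -p, -w, -U) are the real ones shown on this page; the wrapper functions, the IPA_CLIENT_INSTALL and IPA_ADMIN_PASSWORD environment variables, and the idea of pinning the whole-file SHA-256 (obtained, for example, from /etc/ipa/ca.crt on the master over an already trusted channel) are assumptions of the example.

```shell
# Added example, not code from the bug report or from FreeIPA.
# Assumptions: the CA cert was copied to the client out of band and its SHA-256
# digest was read off the IPA master over a trusted channel. IPA_CLIENT_INSTALL
# lets the reader dry-run with "echo"; IPA_ADMIN_PASSWORD supplies the -w value
# so the password does not have to be typed into a shell history line.

# Print the SHA-256 of a file, using coreutils sha256sum where present and
# BSD/macOS shasum otherwise.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Return 0 when the file's digest equals the pinned value, 1 otherwise.
# The comparison is over the exact bytes of the file, so a certificate that
# was swapped in transit (the case an unauthenticated HTTP download cannot
# detect) is rejected before anything is configured to trust it.
verify_ca_cert() {
    ca_file=$1
    expected=$2
    [ -r "$ca_file" ] || { echo "missing CA file: $ca_file" >&2; return 1; }
    actual=$(file_sha256 "$ca_file")
    if [ "$actual" != "$expected" ]; then
        echo "CA cert digest mismatch: got $actual, want $expected" >&2
        return 1
    fi
    return 0
}

# Unattended enrolment that never falls back to --force: the pinned cert is
# checked first and then handed to ipa-client-install via --ca-cert-file.
enrol_client() {
    ca_file=$1
    expected=$2
    server=$3
    domain=$4
    realm=$5
    verify_ca_cert "$ca_file" "$expected" || return 1
    "${IPA_CLIENT_INSTALL:-ipa-client-install}" \
        --server="$server" --domain="$domain" --realm="$realm" \
        --ca-cert-file="$ca_file" \
        -p admin -w "${IPA_ADMIN_PASSWORD:?set IPA_ADMIN_PASSWORD}" -U
}
```

Pinning the file digest keeps the check to tools every minimal install has; if openssl is available on the client, pinning the certificate fingerprint (openssl x509 -noout -fingerprint -sha256) is equivalent and survives a re-wrapped PEM. Either way the trust decision is made from data the client already had, which is exactly what the 3.0 LDAP-based retrieval achieves and the 2.2 HTTP download does not.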

Comment 5 Alexander Bokovoy 2013-07-01 08:58:48 UTC
3.0 specifically introduced storage in LDAP for the certificate to be able to fetch it securely. I think at most we may mention that difference in the documentation.

Comment 6 Yi Zhang 2013-07-01 13:06:54 UTC
Already sent an email to the doc writer about this issue.