Bug 1023294 - authconfig --disableipav2 should call ipa-client-install --uninstall
authconfig --disableipav2 should call ipa-client-install --uninstall
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: authconfig (Show other bugs)
6.5
Unspecified Unspecified
unspecified Severity high
: rc
: ---
Assigned To: Tomas Mraz
David Spurek
:
Depends On: 1014992
Blocks:
  Show dependency treegraph
 
Reported: 2013-10-25 02:41 EDT by David Spurek
Modified: 2015-03-02 00:28 EST (History)
3 users (show)

See Also:
Fixed In Version: authconfig-6.1.12-14.el6
Doc Type: Bug Fix
Doc Text:
Cause: When authconfig --disableipav2 --update command was used the ipa-client-install --uninstall was not run. Consequence: In such case the ipa client was not properly deinitialized on the machine and the machine was not removed from the previously joined domain. Fix: Authconfig now calls ipa-client-install --uninstall in this case. Result: The machine ipa client is properly deinitialized and machine removed from the domain.
Story Points: ---
Clone Of: 1014992
Environment:
Last Closed: 2014-10-14 03:44:54 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description David Spurek 2013-10-25 02:41:37 EDT
The same problem on rhel6, tested with authconfig-6.1.12-13.el6

+++ This bug was initially created as a clone of Bug #1014992 +++

Description of problem:
authconfig --disableipav2 should call ipa-client-install --uninstall if authconfig was called with authconfig --enableipav2 --ipav2join and machine was successfully enrolled to IPA domain.

Version-Release number of selected component (if applicable):
authconfig-6.2.7-1.el7

How reproducible:
always

Steps to Reproduce:
1.authconfig --enableipav2 --ipav2domain=domain--ipav2join=user --update
2.authconfig --disableipav2 --update
3.again authconfig --enableipav2 --ipav2domain=domain--ipav2join=user --update

Actual results:
second authconfig --enableipav2 fail

Expected results:
second authconfig --enableipav2 success

Additional info:
[test]authconfig --enableipav2 --ipav2domain=ipa.baseos.qe --ipav2join=admin --update
[/usr/sbin/ipa-client-install --noac --domain=ipa.baseos.qe   --principal=admin  ]
WARNING: ntpd time&date synchronization service will not be configured as
conflicting service (chronyd) is enabled
Use --force-ntpd option to disable it and force configuration of ntpd

Discovery was successful!
Hostname: ibm-x3650m4-01-vm-02.lab.eng.bos.redhat.com
Realm: IPA.BASEOS.QE
DNS Domain: ipa.baseos.qe
IPA Server: sec-ipa1.ipa.baseos.qe
BaseDN: dc=ipa,dc=baseos,dc=qe

Continue to configure the system with these values? [no]: yes
Synchronizing time with KDC...
Password for admin@IPA.BASEOS.QE: 
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=IPA.BASEOS.QE
    Issuer:      CN=Certificate Authority,O=IPA.BASEOS.QE
    Valid From:  Tue Jul 23 12:18:48 2013 UTC
    Valid Until: Sat Jul 23 12:18:48 2033 UTC

Enrolled in IPA realm IPA.BASEOS.QE
Created /etc/ipa/default.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm IPA.BASEOS.QE
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
host_mod: Unknown option: no_members
Failed to upload host SSH public keys.
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Client configuration complete.


[test]authconfig --disableipav2 --update
[test]authconfig --enableipav2 --ipav2domain=ipa.baseos.qe --ipav2join=admin --update
[/usr/sbin/ipa-client-install --noac --domain=ipa.baseos.qe   --principal=admin  ]
IPA client is already configured on this system.
If you want to reinstall the IPA client, uninstall it first using 'ipa-client-install --uninstall'.
authconfig: IPAv2 domain join was not succesful. The ipa-client-install command failed.

--- Additional comment from David Spurek on 2013-10-03 08:51:27 EDT ---

'authconfig --disableipav2' doesn't remove pam_sss from pam configuration and sss from /etc/nsswitch.conf
Comment 6 errata-xmlrpc 2014-10-14 03:44:54 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1558.html

Note You need to log in before you can comment on or make changes to this bug.