1119218 – ipa-client-install needs user interaction and join to IPA domain from authconfig-gtk fails

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1119218 - ipa-client-install needs user interaction and join to IPA domain from authconfig-gtk fails

Summary: ipa-client-install needs user interaction and join to IPA domain from authcon...

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	ipa
Sub Component:
Version:	6.5
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Martin Kosek
QA Contact:	Namita Soman
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1119797
TreeView+	depends on / blocked

Reported:	2014-07-14 10:02 UTC by David Spurek
Modified:	2015-03-02 05:29 UTC (History)
CC List:	5 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2014-08-20 07:35:45 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description David Spurek 2014-07-14 10:02:01 UTC

Description of problem:
ipa-client-install needs user's interaction and join to IPA domain from authconfig-gtk fails.



Version-Release number of selected component (if applicable):
ipa-client-3.0.0-37.el6
authconfig-gtk-6.1.12-13.el6

How reproducible:


Steps to Reproduce:
1.run authconfig-gtk
2.choose 'IPAv2' as User Account Databse
3.fill IPA realm,domain and server fields
4. click to join Domain, pass user and password

Actual results:
Join fails (timeout). In cmdline I see following output:

[/usr/sbin/ipa-client-install --noac --domain=IPA --server=sec-ipa1.ipa.baseos.qe --realm=IPA.BASEOS.QE --principal=admin  -W]
Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
Proceed with fixed values and no DNS discovery? [no]:

Expected results:
ipa-client-install requests only password and authconfig join pass.


Additional info:

Comment 1 Petr Viktorin (pviktori) 2014-07-15 08:22:25 UTC

We should allow passing the password by filename, then authconfig-gtk can run with --unattended

Comment 2 Tomas Mraz 2014-07-15 08:41:51 UTC

That would require changing authconfig as well.

What about using the --noac option as equivalent of --unattended with the modification that password would be still queried.

Comment 3 Petr Viktorin (pviktori) 2014-07-15 08:49:21 UTC

With my upstream hat on, I don't see why --noac ("do not modify the nsswitch.conf and PAM configuration") should mean "don't prompt the user". We already have an option for that.

Comment 6 Dmitri Pal 2014-07-15 13:11:54 UTC

Upstream ticket:
https://fedorahosted.org/freeipa/ticket/4439

Comment 7 Petr Viktorin (pviktori) 2014-07-18 09:55:37 UTC

With current IPA you can use the --unattended option, and provide the password on stdin. Could authconfig use that?

Comment 8 Tomas Mraz 2014-07-18 11:26:52 UTC

Yes, we just need to change authconfig to pass the --unattended option along with --noac.

Comment 9 Tomas Mraz 2014-07-18 11:29:25 UTC

Is the 'Password:' prompt still outputted by ipa_client_install in the --unattended case? Authconfig uses that prompt to detect whether it should send the password to the stdin of ipa_client_install.

Comment 10 Martin Kosek 2014-07-18 12:21:21 UTC

Not in ipa-client-3.0.0-42.el6.x86_64:

# echo Secret123 | ipa-client-install -p admin --unattended
Discovery was successful!
Hostname: vm-089.idm.lab.bos.redhat.com
Realm: IDM.LAB.BOS.REDHAT.COM
DNS Domain: idm.lab.bos.redhat.com
IPA Server: vm-086.idm.lab.bos.redhat.com
BaseDN: dc=idm,dc=lab,dc=bos,dc=redhat,dc=com

Synchronizing time with KDC...
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=IDM.LAB.BOS.REDHAT.COM
    Issuer:      CN=Certificate Authority,O=IDM.LAB.BOS.REDHAT.COM
    Valid From:  Fri Jul 18 20:58:36 2014 UTC
    Valid Until: Tue Jul 18 20:58:36 2034 UTC

Enrolled in IPA realm IDM.LAB.BOS.REDHAT.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm IDM.LAB.BOS.REDHAT.COM
trying https://vm-086.idm.lab.bos.redhat.com/ipa/xml
Forwarding 'env' to server u'https://vm-086.idm.lab.bos.redhat.com/ipa/xml'
Hostname (vm-089.idm.lab.bos.redhat.com) not found in DNS
DNS server record set to: vm-089.idm.lab.bos.redhat.com -> 10.16.78.89
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Forwarding 'host_mod' to server u'https://vm-086.idm.lab.bos.redhat.com/ipa/xml'
SSSD enabled
Configuring idm.lab.bos.redhat.com as NIS domain
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Client configuration complete.

Comment 11 Tomas Mraz 2014-07-18 12:25:03 UTC

OK, that means the changes will have to be more substantial than just passing the --unattended option.

Comment 12 Petr Viktorin (pviktori) 2014-07-18 12:25:54 UTC

The prompt is not there, but with --unattended the password is the only thing expected on stdin, so it can be sent unconditionally.

Comment 16 Martin Kosek 2014-08-20 07:35:45 UTC

This problem was fixed on authconfig side, it can pass the password via stdin as demonstrated in Comment 10.

Upstream already plans to provide more options to reading password (https://fedorahosted.org/freeipa/ticket/4040), we should file a bug to authconfig when this is ready.

For now, closing this Bugzilla as issue was resolved.

Note You need to log in before you can comment on or make changes to this bug.