
Bug 1204054

Summary: SSSD database is not cleared between installs and uninstalls of ipa
Product: Red Hat Enterprise Linux 7
Reporter: prasun.gera
Component: ipa
Assignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA
QA Contact: Namita Soman <nsoman>
Severity: unspecified
Priority: medium
Version: 7.1
CC: jhrozek, mkosek, prasun.gera, pvoborni, rcritten, sumenon
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Fixed In Version: ipa-4.2.0-1.el7
Doc Type: Bug Fix
Last Closed: 2015-11-19 12:03:24 UTC
Type: Bug

Description prasun.gera 2015-03-20 09:43:48 UTC
Description of problem:

/var/lib/sss/db is not cleared between subsequent installs and uninstalls of the ipa-server with the same domain name. Since the server is also a client, this creates problems with SSSD's authentication on the server. The database entries from the first installation are still referred to even after the server itself has been uninstalled, and a new one (same config as the previous one) has been installed.  

Version-Release number of selected component (if applicable):

ipa  4.1.0
sssd 1.12.2

How reproducible:
Easily

Steps to Reproduce:

1. ipa-server-install
2. service sshd restart
3. kinit admin   <- This always works
4. ssh admin@localhost  <- This works for the first time, fails second time onwards
   ssh admin@ipa_server from external system   <- This also works the first time, fails second time onwards
5. ipa-server-install --uninstall
6. goto 1

Actual results:

Permission denied

Expected results:

Successful login

Additional info:

Although this happens on the server, this is a client issue as experienced by the client implicitly installed on the server. It should also be verified that actual clients don't face this problem when the ipa server is re-installed or migrated to a different system, and the client needs to re-register.

Comment 2 Petr Vobornik 2015-03-23 09:52:33 UTC
Jakub, 

I'm not sure if ipa-client-install should touch files in /var/lib/sss/db on install/uninstall. Shouldn't this case be rather handled by SSSD(if possible)?

Comment 3 Jakub Hrozek 2015-03-23 10:06:16 UTC
(In reply to Petr Vobornik from comment #2)
> Jakub, 
> 
> I'm not sure if ipa-client-install should touch files in /var/lib/sss/db on
> install/uninstall. Shouldn't this case be rather handled by SSSD(if
> possible)?

I don't think so, the sssd doesn't have any install or uninstall script. Everything is handled by an upper layer, like realmd or ipa-client-install. SSSD just presumes it's set up in a sane manner itself.

In some cases, it's even expected that there would be some cache file on first startup. Consider a case of shipping a laptop to a remote user who has never connected to a VPN before.

Comment 4 Petr Vobornik 2015-03-23 10:53:20 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/4956

Comment 5 Martin Kosek 2015-07-08 07:41:41 UTC
Fixed upstream:

master:
37729936dd6fe9c3396cbb8a682a4674af8b5537 Clear SSSD caches when uninstalling the client

ipa-4-1:
222427cb37a037f24ca76a9bcf614a2711a2ba96 Clear SSSD caches when uninstalling the client

Comment 7 Sudhir Menon 2015-10-12 14:31:06 UTC
Observations:-

1. When ipa-server is installed the below files are created for the LABS01.TEST domain name in the /var/lib/sss/db folder.

-rw-------. 1 root root 1609728 Oct 12 17:39 cache_labs01.test.ldb
-rw-------. 1 root root    1106 Oct 12 17:34 ccache_LABS01.TEST
-rw-------. 1 root root 1286144 Oct 12 17:34 config.ldb
-rw-------. 1 root root    1184 Oct 12 14:34 fast_ccache_LABS01.TEST
-rw-------. 1 root root 1286144 Oct  9 20:20 sssd.ldb

2. When ipa-server is uninstalled the below two files are removed.
-rw-------. 1 root root 1609728 Oct 12 17:39 cache_labs01.test.ldb
-rw-------. 1 root root    1106 Oct 12 17:34 ccache_LABS01.TEST

3. Need to do the below and then the login works for the first time.

systemctl stop sssd.service
rm -frv /var/lib/sss/db/*
systemctl start sssd.service 

4. Logging in as admin@localhost for the first time.
[root@ipa01 ~]# ssh admin@localhost
admin@localhost's password: 
Last failed login: Mon Oct 12 19:30:06 IST 2015 from localhost on ssh:notty
There were 83 failed login attempts since the last successful login.
Could not chdir to home directory /home/admin: No such file or directory
-bash-4.2$ logout

5. Logging in as admin@IPAServer for the first time.
[root@ipaclient02 ~]# ssh admin.207.66
admin.207.66's password: 
Last login: Mon Oct 12 19:31:39 2015 from localhost
Could not chdir to home directory /home/admin: No such file or directory
-bash-4.2$ logout

Comment 8 Jakub Hrozek 2015-10-13 07:13:59 UTC
Please inspect the logs on the new install to see why you can't login.

Comment 9 Sudhir Menon 2015-10-13 10:12:52 UTC
Verified using RHEL7.2

ipa-server-4.2.0-14.el7.x86_64
ipa-server-trust-ad-4.2.0-14.el7.x86_64
ipa-server-dns-4.2.0-14.el7.x86_64
sssd-ldap-1.13.0-39.el7.x86_64

Observations:

a. Installed IPA server and client and checked ssh login for admin user from ipaserver and client which works

[root@ipa01 db]# service sshd restart
Redirecting to /bin/systemctl restart  sshd.service

[root@ipa01 db]# kinit admin
Password for admin: 

[root@ipa01 db]# ssh admin@localhost
admin@localhost's password: 
Last failed login: Mon Oct 12 20:03:13 IST 2015 from localhost on ssh:notty
There were 86 failed login attempts since the last successful login.
Could not chdir to home directory /home/admin: No such file or directory
-bash-4.2$ logout
Connection to localhost closed.

[root@ipa03 ~]# ssh admin.test
admin.test's password: 
Last login: Tue Oct 13 14:52:10 2015 from 10.65.207.170
Could not chdir to home directory /home/admin: No such file or directory
-bash-4.2$ 

b. Uninstalled IPA-server and found that the cache files are removed from the /var/lib/sss/{db,mc} folders.

===Prior to uninstalling IPA-server===
[root@ipa01 db]# pwd
/var/lib/sss/db
[root@ipa01 db]# ls -l
total 4092
-rw-------. 1 root root 1609728 Oct 13 14:53 cache_labs01.test.ldb
-rw-------. 1 root root    1126 Oct 13 14:44 ccache_LABS01.TEST
-rw-------. 1 root root 1286144 Oct 13 14:44 config.ldb
-rw-------. 1 root root     571 Oct 13 14:50 fast_ccache_LABS01.TEST
-rw-------. 1 root root 1286144 Oct 12 21:05 sssd.ldb

/var/lib/sss/mc
[root@ipa01 mc]# ls -l
total 24636
-rw-r--r--. 1 root root  6406312 Oct 13 14:50 group
-rw-r--r--. 1 root root 10406312 Oct 13 14:50 initgroups
-rw-r--r--. 1 root root  8406312 Oct 13 14:49 passwd

===After uninstalling IPA-Server===
[root@ipa01 db]# ls -l
total 2516
-rw-------. 1 root root 1286144 Oct 13 14:44 config.ldb
-rw-------. 1 root root     571 Oct 13 14:50 fast_ccache_LABS01.TEST
-rw-------. 1 root root 1286144 Oct 12 21:05 sssd.ldb

[root@ipa01 db]# cd /var/lib/sss/mc/
[root@ipa01 mc]# ls -l
total 10164
-rw-r--r--. 1 root root 10406312 Oct 13 14:50 initgroups

c. Now the below works once sssd cache is cleared on IPA server.

ssh admin@localhost  <- This works for the second time.
[root@ipa01 db]# ssh admin@localhost
admin@localhost's password: 
Last login: Tue Oct 13 15:47:54 2015 from localhost
Could not chdir to home directory /home/admin: No such file or directory
-bash-4.2$ 

ssh admin@ipa_server from external system   <- This also works the second time.
[root@ipa03 ~]# ssh admin.test
admin.test's password: 
Last login: Tue Oct 13 15:30:07 2015 from localhost
Could not chdir to home directory /home/admin: No such file or directory

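Added example, not code from the bug report and not ipa-client-install's own uninstall logic: a small POSIX sh helper covering both the manual workaround in comment 7 (stop sssd, remove the cache, start sssd) and the before/after check in comment 9. Instead of `rm -frv /var/lib/sss/db/*`, which also discards config.ldb and sssd.ldb and any cache deliberately pre-seeded for the laptop case in comment 3, it removes only the files that belong to the named domain, using the file names visible in the listings above: cache_<domain>.ldb, ccache_<DOMAIN>, fast_ccache_<DOMAIN>, plus the global mmap maps under /var/lib/sss/mc, since the comment 9 listing shows fast_ccache_LABS01.TEST and mc/initgroups surviving the uninstall. SSSD_DB, SSSD_MC and SSSD_CTL are assumed knobs so the functions can be pointed at a scratch directory; their defaults match a real host.

```shell
#!/bin/sh
# Added example (not from the bug report or from the ipa/sssd projects).
# Assumed layout, taken from the listings in comments 7 and 9:
#   $SSSD_DB/cache_<domain>.ldb, ccache_<DOMAIN>, fast_ccache_<DOMAIN>
#   $SSSD_MC/passwd, group, initgroups      (global memory-mapped caches)
# SSSD_DB, SSSD_MC and SSSD_CTL are assumed knobs for testing only.
set -u

SSSD_DB="${SSSD_DB:-/var/lib/sss/db}"
SSSD_MC="${SSSD_MC:-/var/lib/sss/mc}"
SSSD_CTL="${SSSD_CTL:-systemctl}"   # set to 'true' to skip service control

# Print, one per line, the cache files that belong to one SSSD domain.
# config.ldb and sssd.ldb are deliberately left out: they are not cache.
sssd_domain_cache_files() {
    dom="$1"
    lower=$(printf '%s' "$dom" | tr 'A-Z' 'a-z')
    upper=$(printf '%s' "$dom" | tr 'a-z' 'A-Z')
    for f in "$SSSD_DB/cache_$lower.ldb" \
             "$SSSD_DB/ccache_$upper" \
             "$SSSD_DB/fast_ccache_$upper" \
             "$SSSD_MC/passwd" "$SSSD_MC/group" "$SSSD_MC/initgroups"; do
        if [ -e "$f" ]; then
            printf '%s\n' "$f"
        fi
    done
    return 0
}

# Number of leftover cache files for the domain; 0 means a clean slate.
# Run this after ipa-server-install --uninstall to reproduce comment 9's check.
sssd_stale_count() {
    sssd_domain_cache_files "$1" | wc -l | tr -d ' '
}

# Comment 7's workaround, scoped to one domain: stop sssd so it cannot
# rewrite the files underneath us, remove that domain's cache, start sssd
# again, and report whether anything is still left behind.
sssd_clear_domain_cache() {
    d="$1"
    "$SSSD_CTL" stop sssd.service || return 1
    sssd_domain_cache_files "$d" | while IFS= read -r f; do
        rm -f -- "$f"
    done
    "$SSSD_CTL" start sssd.service || return 1
    [ "$(sssd_stale_count "$d")" -eq 0 ]
}

# Usage on a real host, as root, between uninstall and reinstall:
#   . ./sssd_cache.sh && sssd_clear_domain_cache LABS01.TEST
```

Run it between `ipa-server-install --uninstall` and the next `ipa-server-install` of the same domain; a non-zero return means files that carry state from the previous deployment are still in place and the next install will start from them.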
Comment 10 errata-xmlrpc 2015-11-19 12:03:24 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2362.html