Bug 1269777 - IPA restore overwrites /etc/passwd and /etc/group files
Summary: IPA restore overwrites /etc/passwd and /etc/group files
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.2
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: IPA Maintainers
QA Contact: Namita Soman
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2015-10-08 08:06 UTC by Petr Vobornik
Modified: 2015-11-19 12:07 UTC
CC: 6 users

Fixed In Version: ipa-4.2.0-13.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-11-19 12:07:42 UTC
Target Upstream Version:
Embargoed:
Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2015:2362 0 normal SHIPPED_LIVE ipa bug fix and enhancement update 2015-11-19 10:40:46 UTC

Description Petr Vobornik 2015-10-08 08:06:44 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/5328

Commit db88985c0d4920191b840b5d04d133015293dbe0 introduced a regression into {{{ipa-restore}}} by overwriting /etc/passwd and /etc/group files after dirsrv and pki system users are created during restore. 

This causes the regression test for [https://fedorahosted.org/freeipa/ticket/3866 3866] to fail.

Subsequent test for [https://fedorahosted.org/freeipa/ticket/4157 4157] also fails because /var/run/dirsrv ownership gets messed up.

Inspecting the directory reveals
{{{
[root@vm-218 ~]# ls -ldZ /var/run/dirsrv/
drwxrwx---. 2 988 985 unconfined_u:object_r:dirsrv_var_run_t:s0 60 Sep 25 15:32 /var/run/dirsrv/
}}}
while in {{{/etc/passwd}}} we have
{{{
dirsrv:x:989:986:DS System User:/var/lib/dirsrv:/sbin/nologin
}}}

This is the corresponding excerpt from systemd journal.
{{{
-- Unit dirsrv has begun starting up.
Sep 25 15:34:09 vm-218.ipadom.org ns-slapd[9495]: [25/Sep/2015:15:34:09 +0200] - Unable to access nsslapd-rundir: Permission denied
Sep 25 15:34:09 vm-218.ipadom.org ns-slapd[9495]: [25/Sep/2015:15:34:09 +0200] - Ensure that user "dirsrv" has read and write permissions on /var/run/dirsrv
Sep 25 15:34:09 vm-218.ipadom.org ns-slapd[9495]: [25/Sep/2015:15:34:09 +0200] - Shutting down.
Sep 25 15:34:09 vm-218.ipadom.org systemd[1]: dirsrv: control process exited, code=exited status=1
Sep 25 15:34:09 vm-218.ipadom.org systemd[1]: Failed to start 389 Directory Server IPADOM-ORG..
-- Subject: Unit dirsrv has failed
}}}
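The ownership mismatch shown above (the directory owned by 988:985 on disk while the restored /etc/passwd assigns dirsrv uid 989) is the kind of inconsistency a post-restore health check can catch before the service fails to start. The following is an added example, not code from the bug report or from FreeIPA: it parses passwd/group-format text, compares the numeric owner observed on a path with the ids the account database assigns, and reports any drift. The sample passwd/group lines and the stat values are constructed to mirror the report; `audit_path` is a hypothetical wrapper that runs the same check against the live files.

```python
"""Detect uid/gid drift between a service account and the files it owns.

Added example (not from the bug report or FreeIPA). Sample inputs below are
constructed to mirror the mismatch in the report: /var/run/dirsrv is owned
by 988:985 on disk while passwd says dirsrv is uid 989 / gid 986.
"""
import os


def parse_passwd(text):
    """Map user name -> uid from passwd-format text; skips blank/comment lines."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 3:
            users[fields[0]] = int(fields[2])
    return users


def parse_group(text):
    """Map group name -> gid from group-format text; skips blank/comment lines."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 3:
            groups[fields[0]] = int(fields[2])
    return groups


def ownership_problems(user, group, st_uid, st_gid, users, groups):
    """Compare the expected account/group with the numeric owner seen on disk.

    Returns a list of human-readable mismatches; an empty list means the
    on-disk ownership is consistent with the account database."""
    problems = []
    if user not in users:
        problems.append("user %r missing from passwd" % user)
    elif users[user] != st_uid:
        problems.append("uid mismatch: passwd says %s=%d but path is owned by uid %d"
                        % (user, users[user], st_uid))
    if group not in groups:
        problems.append("group %r missing from group" % group)
    elif groups[group] != st_gid:
        problems.append("gid mismatch: group says %s=%d but path has gid %d"
                        % (group, groups[group], st_gid))
    return problems


def audit_path(path, user, group, passwd_path="/etc/passwd", group_path="/etc/group"):
    """Hypothetical live check: stat a real path and compare with the live files."""
    st = os.stat(path)
    with open(passwd_path) as f:
        users = parse_passwd(f.read())
    with open(group_path) as f:
        groups = parse_group(f.read())
    return ownership_problems(user, group, st.st_uid, st.st_gid, users, groups)


# Constructed sample data mirroring the values quoted in the report.
SAMPLE_PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
                 "dirsrv:x:989:986:DS System User:/var/lib/dirsrv:/sbin/nologin\n")
SAMPLE_GROUP = "root:x:0:\ndirsrv:x:986:\n"
SAMPLE_DIR_UID, SAMPLE_DIR_GID = 988, 985   # as shown by 'ls -ldZ /var/run/dirsrv/'


def demo():
    """Run the check on the constructed sample; returns the mismatch list."""
    return ownership_problems("dirsrv", "dirsrv", SAMPLE_DIR_UID, SAMPLE_DIR_GID,
                              parse_passwd(SAMPLE_PASSWD), parse_group(SAMPLE_GROUP))


if __name__ == "__main__":
    for problem in demo():
        print(problem)
```

On the constructed sample `demo()` reports both a uid and a gid mismatch, which is exactly the state in which ns-slapd logs "Unable to access nsslapd-rundir: Permission denied"; a clean run returns an empty list.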

Comment 5 Kaleem 2015-10-09 12:18:24 UTC
Verified.
/etc/passwd, /etc/group, /etc/shadow and /etc/gshadow are not backed up any more.

IPA Version:
============
[root@dhcp207-229 etc]# rpm -q ipa-server
ipa-server-4.2.0-13.el7.x86_64
[root@dhcp207-229 etc]# 

console output:
===============
[root@dhcp207-229 ~]# ipa-backup --logs
Preparing backup on dhcp207-229.testrelm.test
Stopping IPA services
Backing up ipaca in TESTRELM-TEST to LDIF
Backing up userRoot in TESTRELM-TEST to LDIF
Backing up TESTRELM-TEST
Backing up files
Backed up to /var/lib/ipa/backup/ipa-full-2015-10-09-17-35-46
Starting IPA service
The ipa-backup command was successful
[root@dhcp207-229 ~]# cd /var/lib/ipa/backup/
[root@dhcp207-229 backup]# ls
ipa-full-2015-10-09-17-35-46
[root@dhcp207-229 backup]# cd ipa-full-2015-10-09-17-35-46/
[root@dhcp207-229 ipa-full-2015-10-09-17-35-46]# ls
header  ipa-full.tar
[root@dhcp207-229 ipa-full-2015-10-09-17-35-46]# tar -xf ipa-full.tar 
[root@dhcp207-229 ipa-full-2015-10-09-17-35-46]# ls
files.tar  header  ipa-full.tar  TESTRELM-TEST  TESTRELM-TEST-ipaca.ldif  TESTRELM-TEST-userRoot.ldif
[root@dhcp207-229 ipa-full-2015-10-09-17-35-46]# 
[root@dhcp207-229 ipa-full-2015-10-09-17-35-46]# tar -xf files.tar 
[root@dhcp207-229 ipa-full-2015-10-09-17-35-46]# ls
etc  files.tar  header  ipa-full.tar  root  TESTRELM-TEST  TESTRELM-TEST-ipaca.ldif  TESTRELM-TEST-userRoot.ldif  usr  var
[root@dhcp207-229 ipa-full-2015-10-09-17-35-46]# cd etc/
[root@dhcp207-229 etc]# ls
dirsrv  httpd  krb5.conf    named.conf    nsswitch.conf  opendnssec  pki          samba     ssh   sysconfig
hosts   ipa    krb5.keytab  named.keytab  ntp.conf       openldap    resolv.conf  security  sssd  systemd
[root@dhcp207-229 etc]# ls passwd
ls: cannot access passwd: No such file or directory
[root@dhcp207-229 etc]# ls group
ls: cannot access group: No such file or directory
[root@dhcp207-229 etc]# ls shadow
ls: cannot access shadow: No such file or directory
[root@dhcp207-229 etc]# ls gshadow
ls: cannot access gshadow: No such file or directory
[root@dhcp207-229 etc]# 
[root@dhcp207-229 etc]# pwd
/var/lib/ipa/backup/ipa-full-2015-10-09-17-35-46/etc
[root@dhcp207-229 etc]#

Comment 6 Martin Babinsky 2015-10-14 12:30:52 UTC
Hi Kaleem,

these files were never backed up in the files.tar /etc directory so you won't find them there. They were being backed up by authconfig into /var/lib/ipa/auth_backup.

So the proper verification is:

1.) install IPA master
2.) backup IPA
3.) inspect /var/lib/ipa/auth_backup directory and verify that it does not contain passwd, shadow, gpasswd, gshadow files

Alternatively, you can do the following:

1.) install IPA master
2.) backup IPA
3.) add a new local user, e.g. 'useradd testuser1'
4.) uninstall IPA master
5.) restore IPA from backup saved in 2.)
6.) verify that 'testuser1' is still resolvable e.g. by running 'id testuser1'

You can also run our upstream CI tests for backup/restore and see if they pass. There is one scenario specifically testing this regression.
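The two verification procedures above reduce to two checks: the auth_backup directory must not contain the account files, and a local user created after the backup must survive the restore. The following is an added example, not code from the bug report or from FreeIPA's CI, that automates both checks; the directory contents and passwd snapshots it runs on are constructed, and `make_sample_backup_dir` exists only to build those fixtures.

```python
"""Automated form of the backup/restore verification steps.

Added example (not from the bug report or FreeIPA's test suite). The sample
directory contents and passwd snapshots are constructed.
"""
import os
import tempfile

# Account files that authconfig used to place under /var/lib/ipa/auth_backup;
# a fixed ipa-backup must not save them and ipa-restore must not write them back.
FORBIDDEN = ("passwd", "shadow", "group", "gshadow", "gpasswd")


def forbidden_files_in_backup(auth_backup_dir):
    """Sorted list of FORBIDDEN names present in auth_backup_dir.

    An empty list is a pass; a missing directory is also a pass."""
    if not os.path.isdir(auth_backup_dir):
        return []
    present = set(os.listdir(auth_backup_dir))
    return sorted(name for name in FORBIDDEN if name in present)


def user_names(passwd_text):
    """Set of account names in passwd-format text; skips blank/comment lines."""
    return {line.split(":")[0] for line in passwd_text.splitlines()
            if line and not line.startswith("#")}


def local_users_lost(passwd_before_restore, passwd_after_restore):
    """Accounts present immediately before the restore but gone afterwards.

    A non-empty result means the restore overwrote /etc/passwd (the regression
    this bug describes); the fixed build returns an empty list."""
    return sorted(user_names(passwd_before_restore) - user_names(passwd_after_restore))


def make_sample_backup_dir(names):
    """Fixture helper: create a temporary directory containing empty files."""
    path = tempfile.mkdtemp(prefix="auth_backup_")
    for name in names:
        open(os.path.join(path, name), "w").close()
    return path


# Constructed snapshots: testuser1 was added after the backup was taken.
PASSWD_BEFORE = ("root:x:0:0:root:/root:/bin/bash\n"
                 "testuser1:x:1000:1000::/home/testuser1:/bin/bash\n")
PASSWD_FIXED = PASSWD_BEFORE                          # fixed restore leaves /etc/passwd alone
PASSWD_REGRESSED = "root:x:0:0:root:/root:/bin/bash\n"  # backup-time passwd written back


if __name__ == "__main__":
    print("account files in auth_backup:",
          forbidden_files_in_backup("/var/lib/ipa/auth_backup"))
    print("users lost (fixed build):", local_users_lost(PASSWD_BEFORE, PASSWD_FIXED))
    print("users lost (regressed build):", local_users_lost(PASSWD_BEFORE, PASSWD_REGRESSED))
```

On a real host, snapshot /etc/passwd right before running ipa-restore and again after it completes, then feed both to `local_users_lost`; that gives the same answer as `id testuser1` but for every local account at once.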

Comment 7 Kaleem 2015-10-15 11:49:02 UTC
snip from console output:
=========================

==============================================================================
Setup complete

Next steps:
	1. You must make sure these network ports are open:
		TCP Ports:
		  * 80, 443: HTTP/HTTPS
		  * 389, 636: LDAP/LDAPS
		  * 88, 464: kerberos
		  * 53: bind
		UDP Ports:
		  * 88, 464: kerberos
		  * 53: bind
		  * 123: ntp

	2. You can now obtain a kerberos ticket using the command: 'kinit admin'
	   This ticket will allow you to use the IPA tools (e.g., ipa user-add)
	   and the web user interface.

Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
[root@dhcp207-115 ~]# 
[root@dhcp207-115 ~]# ipa-backup --logs
Preparing backup on dhcp207-115.testrelm.test
Stopping IPA services
Backing up ipaca in TESTRELM-TEST to LDIF
Backing up userRoot in TESTRELM-TEST to LDIF
Backing up TESTRELM-TEST
Backing up files
Backed up to /var/lib/ipa/backup/ipa-full-2015-10-15-17-07-14
Starting IPA service
The ipa-backup command was successful
[root@dhcp207-115 ~]# cd /var/lib/ipa/auth_backup
[root@dhcp207-115 auth_backup]# ls passwd;ls group;ls shadow;ls gshadow;ls gpasswd
ls: cannot access passwd: No such file or directory
ls: cannot access group: No such file or directory
ls: cannot access shadow: No such file or directory
ls: cannot access gshadow: No such file or directory
ls: cannot access gpasswd: No such file or directory
[root@dhcp207-115 auth_backup]# cd
[root@dhcp207-115 ~]# useradd testuser1
[root@dhcp207-115 ~]# ipa-server-install --uninstall -U
Shutting down all IPA services
Removing IPA client configuration
Unconfiguring ntpd
Configuring certmonger to stop tracking system certificates for KRA
Configuring certmonger to stop tracking system certificates for CA
Unconfiguring CA
Unconfiguring ods-enforcerd
Unconfiguring ipa-ods-exporter
Unconfiguring named
Unconfiguring ipa-dnskeysyncd
Unconfiguring web server
Unconfiguring krb5kdc
Unconfiguring kadmin
Unconfiguring directory server
Unconfiguring ipa_memcached
Unconfiguring ipa-otpd
[root@dhcp207-115 ~]# ipa-restore -p xxxxxxxx /var/lib/ipa/backup/ipa-full-2015-10-15-17-07-14/ -U
Preparing restore from /var/lib/ipa/backup/ipa-full-2015-10-15-17-07-14/ on dhcp207-115.testrelm.test
Performing FULL restore from FULL backup
Each master will individually need to be re-initialized or
re-created from this one. The replication agreements on
masters running IPA 3.1 or earlier will need to be manually
re-enabled. See the man page for details.
Disabling all replication.
Unable to get connection, skipping disabling agreements: Unable to bind to LDAP server: [Errno 111] Connection refused
Stopping IPA services
Configuring certmonger to stop tracking system certificates for CA
Restoring files
Systemwide CA database updated.
Restoring from userRoot in TESTRELM-TEST
Restoring from ipaca in TESTRELM-TEST
Starting IPA services
Restarting SSSD
The ipa-restore command was successful
[root@dhcp207-115 ~]# id testuser1
uid=1000(testuser1) gid=1000(testuser1) groups=1000(testuser1)
[root@dhcp207-115 ~]# 
[root@dhcp207-115 ~]# rpm -q ipa-server
ipa-server-4.2.0-15.el7.x86_64
[root@dhcp207-115 ~]#

Comment 8 errata-xmlrpc 2015-11-19 12:07:42 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2362.html

