Bug 1269777
| Summary: | IPA restore overwrites /etc/passwd and /etc/group files | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Petr Vobornik <pvoborni> |
| Component: | ipa | Assignee: | IPA Maintainers <ipa-maint> |
| Status: | CLOSED ERRATA | QA Contact: | Namita Soman <nsoman> |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | 7.2 | CC: | jcholast, ksiddiqu, lmiksik, mbabinsk, mkosek, rcritten |
| Target Milestone: | rc | Keywords: | Regression |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | ipa-4.2.0-13.el7 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2015-11-19 12:07:42 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |

Description
Petr Vobornik
2015-10-08 08:06:44 UTC
Fixed upstream

master: https://fedorahosted.org/freeipa/changeset/14977b5d84796c02a2c2a41f78919810cce83732/

ipa-4-2: https://fedorahosted.org/freeipa/changeset/d333a96bce6ee0073152d94cdd8bf58d3e9d6f09/

Verified. /etc/passwd, /etc/group, /etc/shadow and /etc/gshadow are not backed up any more.

IPA Version:
============

```
[root@dhcp207-229 etc]# rpm -q ipa-server
ipa-server-4.2.0-13.el7.x86_64
[root@dhcp207-229 etc]#
```

console output:
===============

```
[root@dhcp207-229 ~]# ipa-backup --logs
Preparing backup on dhcp207-229.testrelm.test
Stopping IPA services
Backing up ipaca in TESTRELM-TEST to LDIF
Backing up userRoot in TESTRELM-TEST to LDIF
Backing up TESTRELM-TEST
Backing up files
Backed up to /var/lib/ipa/backup/ipa-full-2015-10-09-17-35-46
Starting IPA service
The ipa-backup command was successful
[root@dhcp207-229 ~]# cd /var/lib/ipa/backup/
[root@dhcp207-229 backup]# ls
ipa-full-2015-10-09-17-35-46
[root@dhcp207-229 backup]# cd ipa-full-2015-10-09-17-35-46/
[root@dhcp207-229 ipa-full-2015-10-09-17-35-46]# ls
header ipa-full.tar
[root@dhcp207-229 ipa-full-2015-10-09-17-35-46]# tar -xf ipa-full.tar
[root@dhcp207-229 ipa-full-2015-10-09-17-35-46]# ls
files.tar header ipa-full.tar TESTRELM-TEST TESTRELM-TEST-ipaca.ldif TESTRELM-TEST-userRoot.ldif
[root@dhcp207-229 ipa-full-2015-10-09-17-35-46]#
[root@dhcp207-229 ipa-full-2015-10-09-17-35-46]# tar -xf files.tar
[root@dhcp207-229 ipa-full-2015-10-09-17-35-46]# ls
etc files.tar header ipa-full.tar root TESTRELM-TEST TESTRELM-TEST-ipaca.ldif TESTRELM-TEST-userRoot.ldif usr var
[root@dhcp207-229 ipa-full-2015-10-09-17-35-46]# cd etc/
[root@dhcp207-229 etc]# ls
dirsrv httpd krb5.conf named.conf nsswitch.conf opendnssec pki samba ssh sysconfig
hosts ipa krb5.keytab named.keytab ntp.conf openldap resolv.conf security sssd systemd
[root@dhcp207-229 etc]# ls passwd
ls: cannot access passwd: No such file or directory
[root@dhcp207-229 etc]# ls group
ls: cannot access group: No such file or directory
[root@dhcp207-229 etc]# ls shadow
ls: cannot access shadow: No such file or directory
[root@dhcp207-229 etc]# ls gshadow
ls: cannot access gshadow: No such file or directory
[root@dhcp207-229 etc]#
[root@dhcp207-229 etc]# pwd
/var/lib/ipa/backup/ipa-full-2015-10-09-17-35-46/etc
[root@dhcp207-229 etc]#
```

Hi Kaleem,

these files were never backed up in the files.tar /etc directory so you won't find them there. They were being backed up by authconfig into /var/lib/ipa/auth_backup.

So the proper verification is:

1.) install IPA master
2.) backup IPA
3.) inspect /var/lib/ipa/auth_backup directory and verify that it does not contain passwd, shadow, gpasswd, gshadow files

Alternatively, you can do the following:

1.) install IPA master
2.) backup IPA
3.) add a new local user, e.g. 'useradd testuser1'
4.) uninstall IPA master
5.) restore IPA from backup saved in 2.)
6.) verify that 'testuser1' is still resolvable e.g. by running 'id testuser1'

You can also run our upstream CI tests for backup/restore and see if they pass. There is one scenario specifically testing this regression.

snip from console output:
=========================

```
==============================================================================
Setup complete

Next steps:
    1. You must make sure these network ports are open:
        TCP Ports:
          * 80, 443: HTTP/HTTPS
          * 389, 636: LDAP/LDAPS
          * 88, 464: kerberos
          * 53: bind
        UDP Ports:
          * 88, 464: kerberos
          * 53: bind
          * 123: ntp

    2. You can now obtain a kerberos ticket using the command: 'kinit admin'
       This ticket will allow you to use the IPA tools (e.g., ipa user-add)
       and the web user interface.

Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
[root@dhcp207-115 ~]#
[root@dhcp207-115 ~]# ipa-backup --logs
Preparing backup on dhcp207-115.testrelm.test
Stopping IPA services
Backing up ipaca in TESTRELM-TEST to LDIF
Backing up userRoot in TESTRELM-TEST to LDIF
Backing up TESTRELM-TEST
Backing up files
Backed up to /var/lib/ipa/backup/ipa-full-2015-10-15-17-07-14
Starting IPA service
The ipa-backup command was successful
[root@dhcp207-115 ~]# cd /var/lib/ipa/auth_backup
[root@dhcp207-115 auth_backup]# ls passwd;ls group;ls shadow;ls gshadow;ls gpasswd
ls: cannot access passwd: No such file or directory
ls: cannot access group: No such file or directory
ls: cannot access shadow: No such file or directory
ls: cannot access gshadow: No such file or directory
ls: cannot access gpasswd: No such file or directory
[root@dhcp207-115 auth_backup]# cd
[root@dhcp207-115 ~]# useradd testuser1
[root@dhcp207-115 ~]# ipa-server-install --uninstall -U
Shutting down all IPA services
Removing IPA client configuration
Unconfiguring ntpd
Configuring certmonger to stop tracking system certificates for KRA
Configuring certmonger to stop tracking system certificates for CA
Unconfiguring CA
Unconfiguring ods-enforcerd
Unconfiguring ipa-ods-exporter
Unconfiguring named
Unconfiguring ipa-dnskeysyncd
Unconfiguring web server
Unconfiguring krb5kdc
Unconfiguring kadmin
Unconfiguring directory server
Unconfiguring ipa_memcached
Unconfiguring ipa-otpd
[root@dhcp207-115 ~]# ipa-restore -p xxxxxxxx /var/lib/ipa/backup/ipa-full-2015-10-15-17-07-14/ -U
Preparing restore from /var/lib/ipa/backup/ipa-full-2015-10-15-17-07-14/ on dhcp207-115.testrelm.test
Performing FULL restore from FULL backup
Each master will individually need to be re-initialized or re-created from this one. The replication agreements on masters running IPA 3.1 or earlier will need to be manually re-enabled. See the man page for details.
Disabling all replication.
Unable to get connection, skipping disabling agreements: Unable to bind to LDAP server: [Errno 111] Connection refused
Stopping IPA services
Configuring certmonger to stop tracking system certificates for CA
Restoring files
Systemwide CA database updated.
Restoring from userRoot in TESTRELM-TEST
Restoring from ipaca in TESTRELM-TEST
Starting IPA services
Restarting SSSD
The ipa-restore command was successful
[root@dhcp207-115 ~]# id testuser1
uid=1000(testuser1) gid=1000(testuser1) groups=1000(testuser1)
[root@dhcp207-115 ~]#
[root@dhcp207-115 ~]# rpm -q ipa-server
ipa-server-4.2.0-15.el7.x86_64
[root@dhcp207-115 ~]#
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2362.html
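
The first verification procedure in the comments above (inspect /var/lib/ipa/auth_backup after a backup) can be scripted. The following is an added example, not code from this bug report or from FreeIPA; the function names `is_account_db` and `scan_backup` are hypothetical, and the file list is the one named in that comment. It matches only entries at the top level or directly under `etc/`, so an unrelated file such as `etc/pam.d/passwd` is not flagged, and it also reads the member list of any `.tar` it finds.

```shell
#!/bin/sh
# Added example (hypothetical helper names): report local account databases
# captured in a backup location such as /var/lib/ipa/auth_backup.

# is_account_db PATH -> 0 when PATH is one of the files named in the bug's
# verification step, at the top level or directly under etc/.
is_account_db() {
    p=${1#./}
    p=${p#/}
    case "$p" in
        passwd|group|shadow|gshadow|gpasswd) return 0 ;;
        etc/passwd|etc/group|etc/shadow|etc/gshadow|etc/gpasswd) return 0 ;;
    esac
    return 1
}

# scan_backup DIR -> prints one line per offending entry and returns 1 if any
# were found, 0 if DIR is clean. Paths are judged relative to DIR, so pass the
# backup directory itself, not one of its parents.
scan_backup() {
    dir=${1%/}
    hits=$(
        find "$dir" -type f | while IFS= read -r f; do
            if is_account_db "${f#"$dir"/}"; then
                echo "file: $f"
            fi
            case "$f" in
                *.tar)
                    # Member names only; nothing is extracted.
                    tar -tf "$f" 2>/dev/null | while IFS= read -r m; do
                        if is_account_db "$m"; then
                            echo "tar member: $f:$m"
                        fi
                    done
                    ;;
            esac
        done
    )
    if [ -z "$hits" ]; then
        return 0
    fi
    printf '%s\n' "$hits"
    return 1
}

# Run directly as: sh scan.sh /var/lib/ipa/auth_backup
if [ "$#" -gt 0 ]; then
    scan_backup "$1"
fi
```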