Bug 1269777 - IPA restore overwrites /etc/passwd and /etc/group files
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.2
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: rc
Assigned To: IPA Maintainers
QA Contact: Namita Soman
Keywords: Regression
Reported: 2015-10-08 04:06 EDT by Petr Vobornik
Modified: 2015-11-19 07:07 EST

Fixed In Version: ipa-4.2.0-13.el7
Doc Type: Bug Fix
Last Closed: 2015-11-19 07:07:42 EST
Description Petr Vobornik 2015-10-08 04:06:44 EDT
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/5328

Commit db88985c0d4920191b840b5d04d133015293dbe0 introduced a regression into ipa-restore by overwriting /etc/passwd and /etc/group files after dirsrv and pki system users are created during restore.

This causes the regression test for ticket 3866 (https://fedorahosted.org/freeipa/ticket/3866) to fail.

Subsequent test for ticket 4157 (https://fedorahosted.org/freeipa/ticket/4157) also fails because /var/run/dirsrv ownership gets messed up.

Inspecting the directory reveals

[root@vm-218 ~]# ls -ldZ /var/run/dirsrv/
drwxrwx---. 2 988 985 unconfined_u:object_r:dirsrv_var_run_t:s0 60 Sep 25 15:32 /var/run/dirsrv/

while in /etc/passwd we have

dirsrv:x:989:986:DS System User:/var/lib/dirsrv:/sbin/nologin

This is the corresponding excerpt from the systemd journal.

-- Unit dirsrv@IPADOM-ORG.service has begun starting up.
Sep 25 15:34:09 vm-218.ipadom.org ns-slapd[9495]: [25/Sep/2015:15:34:09 +0200] - Unable to access nsslapd-rundir: Permission denied
Sep 25 15:34:09 vm-218.ipadom.org ns-slapd[9495]: [25/Sep/2015:15:34:09 +0200] - Ensure that user "dirsrv" has read and write permissions on /var/run/dirsrv
Sep 25 15:34:09 vm-218.ipadom.org ns-slapd[9495]: [25/Sep/2015:15:34:09 +0200] - Shutting down.
Sep 25 15:34:09 vm-218.ipadom.org systemd[1]: dirsrv@IPADOM-ORG.service: control process exited, code=exited status=1
Sep 25 15:34:09 vm-218.ipadom.org systemd[1]: Failed to start 389 Directory Server IPADOM-ORG..
-- Subject: Unit dirsrv@IPADOM-ORG.service has failed
Comment 5 Kaleem 2015-10-09 08:18:24 EDT
Verified.
/etc/passwd, /etc/group, /etc/shadow and /etc/gshadow are not backed up any more.

IPA Version:
============
[root@dhcp207-229 etc]# rpm -q ipa-server
ipa-server-4.2.0-13.el7.x86_64
[root@dhcp207-229 etc]# 

console output:
===============
[root@dhcp207-229 ~]# ipa-backup --logs
Preparing backup on dhcp207-229.testrelm.test
Stopping IPA services
Backing up ipaca in TESTRELM-TEST to LDIF
Backing up userRoot in TESTRELM-TEST to LDIF
Backing up TESTRELM-TEST
Backing up files
Backed up to /var/lib/ipa/backup/ipa-full-2015-10-09-17-35-46
Starting IPA service
The ipa-backup command was successful
[root@dhcp207-229 ~]# cd /var/lib/ipa/backup/
[root@dhcp207-229 backup]# ls
ipa-full-2015-10-09-17-35-46
[root@dhcp207-229 backup]# cd ipa-full-2015-10-09-17-35-46/
[root@dhcp207-229 ipa-full-2015-10-09-17-35-46]# ls
header  ipa-full.tar
[root@dhcp207-229 ipa-full-2015-10-09-17-35-46]# tar -xf ipa-full.tar 
[root@dhcp207-229 ipa-full-2015-10-09-17-35-46]# ls
files.tar  header  ipa-full.tar  TESTRELM-TEST  TESTRELM-TEST-ipaca.ldif  TESTRELM-TEST-userRoot.ldif
[root@dhcp207-229 ipa-full-2015-10-09-17-35-46]# 
[root@dhcp207-229 ipa-full-2015-10-09-17-35-46]# tar -xf files.tar 
[root@dhcp207-229 ipa-full-2015-10-09-17-35-46]# ls
etc  files.tar  header  ipa-full.tar  root  TESTRELM-TEST  TESTRELM-TEST-ipaca.ldif  TESTRELM-TEST-userRoot.ldif  usr  var
[root@dhcp207-229 ipa-full-2015-10-09-17-35-46]# cd etc/
[root@dhcp207-229 etc]# ls
dirsrv  httpd  krb5.conf    named.conf    nsswitch.conf  opendnssec  pki          samba     ssh   sysconfig
hosts   ipa    krb5.keytab  named.keytab  ntp.conf       openldap    resolv.conf  security  sssd  systemd
[root@dhcp207-229 etc]# ls passwd
ls: cannot access passwd: No such file or directory
[root@dhcp207-229 etc]# ls group
ls: cannot access group: No such file or directory
[root@dhcp207-229 etc]# ls shadow
ls: cannot access shadow: No such file or directory
[root@dhcp207-229 etc]# ls gshadow
ls: cannot access gshadow: No such file or directory
[root@dhcp207-229 etc]# 
[root@dhcp207-229 etc]# pwd
/var/lib/ipa/backup/ipa-full-2015-10-09-17-35-46/etc
[root@dhcp207-229 etc]#
Comment 6 Martin Babinsky 2015-10-14 08:30:52 EDT
Hi Kaleem,

These files were never backed up in the files.tar /etc directory, so you won't find them there. They were being backed up by authconfig into /var/lib/ipa/auth_backup.

So the proper verification is:

1.) install IPA master
2.) back up IPA
3.) inspect /var/lib/ipa/auth_backup directory and verify that it does not contain passwd, shadow, gpasswd, gshadow files

Alternatively, you can do the following:

1.) install IPA master
2.) back up IPA
3.) add a new local user, e.g. 'useradd testuser1'
4.) uninstall IPA master
5.) restore IPA from backup saved in 2.)
6.) verify that 'testuser1' is still resolvable e.g. by running 'id testuser1'

You can also run our upstream CI tests for backup/restore and see if they pass. There is one scenario specifically testing this regression.
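The two symptoms on this page lend themselves to scripted checks: the /var/run/dirsrv ownership mismatch quoted in the description and the auth_backup inspection Martin asks for in the verification steps. The script below is an added example, not code from the bug report or from FreeIPA; the function names (`check_rundir_owner`, `check_auth_backup`) and the sample passwd/group data are assumptions constructed here.

```shell
# Added example, not from the bug report or FreeIPA: post-restore checks for the
# symptoms described above. Names are hypothetical and the data constructed; on a
# real host feed it `ls -ldZ /var/run/dirsrv`, /etc/passwd, /etc/group, auth_backup.

# Numeric uid (gid) of an account in a passwd (group) format file; empty if absent.
uid_of() { awk -F: -v n="$1" '$1 == n { print $3 }' "$2"; }
gid_of() { awk -F: -v n="$1" '$1 == n { print $3 }' "$2"; }

# check_rundir_owner "<ls -ld line>" <user> <group> <passwd-file> <group-file>
# Returns 0 when the owner/group ls shows match the account by name or numeric
# id. A bare number matching neither (988:985 while dirsrv is 989:986) is what
# makes ns-slapd log "Unable to access nsslapd-rundir: Permission denied".
check_rundir_owner() {
    owner=$(printf '%s\n' "$1" | awk '{ print $3 }')
    group=$(printf '%s\n' "$1" | awk '{ print $4 }')
    want_uid=$(uid_of "$2" "$4")
    want_gid=$(gid_of "$3" "$5")
    [ -n "$want_uid" ] && [ -n "$want_gid" ] || return 1
    { [ "$owner" = "$2" ] || [ "$owner" = "$want_uid" ]; } &&
        { [ "$group" = "$3" ] || [ "$group" = "$want_gid" ]; }
}

# check_auth_backup <dir>: returns 0 when the directory holds none of the local
# account databases the fixed ipa-backup no longer saves; lists offenders on stderr.
check_auth_backup() {
    rc=0
    for f in passwd group shadow gshadow; do
        if [ -e "$1/$f" ]; then
            echo "$1 contains $f: ipa-restore would overwrite /etc/$f" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample data reproducing the mismatch quoted in the description.
TMP=$(mktemp -d)
mkdir "$TMP/auth_backup"                       # clean: no account files inside
printf 'dirsrv:x:989:986:DS System User:/var/lib/dirsrv:/sbin/nologin\n' > "$TMP/passwd"
printf 'dirsrv:x:986:\n' > "$TMP/group"
BAD_LS='drwxrwx---. 2 988 985 unconfined_u:object_r:dirsrv_var_run_t:s0 60 Sep 25 15:32 /var/run/dirsrv/'
GOOD_LS='drwxrwx---. 2 dirsrv dirsrv unconfined_u:object_r:dirsrv_var_run_t:s0 60 Sep 25 15:32 /var/run/dirsrv/'
for line in "$GOOD_LS" "$BAD_LS"; do
    if check_rundir_owner "$line" dirsrv dirsrv "$TMP/passwd" "$TMP/group"; then
        echo "ownership OK:       $line"
    else
        echo "ownership MISMATCH: $line"
    fi
done
```

Run as root after a restore with the real `ls -ldZ /var/run/dirsrv` line and the system files to confirm the dirsrv account still owns its run directory and that the backup tree carries no account databases.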
Comment 7 Kaleem 2015-10-15 07:49:02 EDT
snip from console output:
=========================

==============================================================================
Setup complete

Next steps:
	1. You must make sure these network ports are open:
		TCP Ports:
		  * 80, 443: HTTP/HTTPS
		  * 389, 636: LDAP/LDAPS
		  * 88, 464: kerberos
		  * 53: bind
		UDP Ports:
		  * 88, 464: kerberos
		  * 53: bind
		  * 123: ntp

	2. You can now obtain a kerberos ticket using the command: 'kinit admin'
	   This ticket will allow you to use the IPA tools (e.g., ipa user-add)
	   and the web user interface.

Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
[root@dhcp207-115 ~]# 
[root@dhcp207-115 ~]# ipa-backup --logs
Preparing backup on dhcp207-115.testrelm.test
Stopping IPA services
Backing up ipaca in TESTRELM-TEST to LDIF
Backing up userRoot in TESTRELM-TEST to LDIF
Backing up TESTRELM-TEST
Backing up files
Backed up to /var/lib/ipa/backup/ipa-full-2015-10-15-17-07-14
Starting IPA service
The ipa-backup command was successful
[root@dhcp207-115 ~]# cd /var/lib/ipa/auth_backup
[root@dhcp207-115 auth_backup]# ls passwd;ls group;ls shadow;ls gshadow;ls gpasswd
ls: cannot access passwd: No such file or directory
ls: cannot access group: No such file or directory
ls: cannot access shadow: No such file or directory
ls: cannot access gshadow: No such file or directory
ls: cannot access gpasswd: No such file or directory
[root@dhcp207-115 auth_backup]# cd
[root@dhcp207-115 ~]# useradd testuser1
[root@dhcp207-115 ~]# ipa-server-install --uninstall -U
Shutting down all IPA services
Removing IPA client configuration
Unconfiguring ntpd
Configuring certmonger to stop tracking system certificates for KRA
Configuring certmonger to stop tracking system certificates for CA
Unconfiguring CA
Unconfiguring ods-enforcerd
Unconfiguring ipa-ods-exporter
Unconfiguring named
Unconfiguring ipa-dnskeysyncd
Unconfiguring web server
Unconfiguring krb5kdc
Unconfiguring kadmin
Unconfiguring directory server
Unconfiguring ipa_memcached
Unconfiguring ipa-otpd
[root@dhcp207-115 ~]# ipa-restore -p xxxxxxxx /var/lib/ipa/backup/ipa-full-2015-10-15-17-07-14/ -U
Preparing restore from /var/lib/ipa/backup/ipa-full-2015-10-15-17-07-14/ on dhcp207-115.testrelm.test
Performing FULL restore from FULL backup
Each master will individually need to be re-initialized or
re-created from this one. The replication agreements on
masters running IPA 3.1 or earlier will need to be manually
re-enabled. See the man page for details.
Disabling all replication.
Unable to get connection, skipping disabling agreements: Unable to bind to LDAP server: [Errno 111] Connection refused
Stopping IPA services
Configuring certmonger to stop tracking system certificates for CA
Restoring files
Systemwide CA database updated.
Restoring from userRoot in TESTRELM-TEST
Restoring from ipaca in TESTRELM-TEST
Starting IPA services
Restarting SSSD
The ipa-restore command was successful
[root@dhcp207-115 ~]# id testuser1
uid=1000(testuser1) gid=1000(testuser1) groups=1000(testuser1)
[root@dhcp207-115 ~]# 
[root@dhcp207-115 ~]# rpm -q ipa-server
ipa-server-4.2.0-15.el7.x86_64
[root@dhcp207-115 ~]#
Comment 8 errata-xmlrpc 2015-11-19 07:07:42 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2362.html
