RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1274488 - ipa-client-install should use previously entered username when performing setup validation
Summary: ipa-client-install should use previously entered username when performing set...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.1
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: IPA Maintainers
QA Contact: Namita Soman
URL:
Whiteboard:
: 1399606 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2015-10-22 19:46 UTC by Brian Mathis
Modified: 2018-10-30 10:56 UTC (History)
8 users (show)

Fixed In Version: ipa-4.6.4-1.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-10-30 10:55:57 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)
Use options.principal in getent call (862 bytes, patch)
2015-10-22 23:04 UTC, Brian Mathis 		no flags Details | Diff
View All


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2018:3187 0 None None None 2018-10-30 10:56:33 UTC

Description Brian Mathis 2015-10-22 19:46:07 UTC 
Description of problem:
When running ipa-client-install, the ipaclient-install.log shows:
    getent passwd admin
The 'admin' username is hard-coded, so this check will fail if the admin account has been renamed.

This check should use the username that was entered earlier in the install process at the prompt:
    User authorized to enroll computers:
as this user is guaranteed to exist.


Version-Release number of selected component (if applicable):
ipa-client-2.1.3-7.el5


How reproducible:
Always


Steps to Reproduce:
1. Perform installation with 'ipa-client-install'
2. Review log in /var/log/ipaclient-install.log


Actual results:
Observe lines in log:
    DEBUG args=getent passwd admin
    DEBUG stdout=
    DEBUG stderr=


Expected results:
Username 'admin' should show the username that was input at the prompt earlier in the process.
Comment 2 Brian Mathis 2015-10-22 23:04:26 UTC 
Created attachment 1085671 [details]
Use options.principal in getent call

I looked into the script file and it seems that the --principal option allows passing the username on the command-line (however the man page does not indicate that a value can be accepted for this option).

This patch changes the getent call to use the options.principal parameter instead of hard-coded 'admin'.

One issue is that there is no default for options.principal.  I considered adding one, but it seems there are some checks if this is None elsewhere within the script.  Reviewing that logic is beyond my current ability/familiarity with this.
Comment 3 Petr Vobornik 2015-10-26 14:28:59 UTC 
Hello Brian, 

thanks for the bug, I'll clone it upstream. Note that it won't be backported to older RHELs. Please open a support case if you want to backport it.

FYI: there is also similar bug in ipa-replica-install: https://fedorahosted.org/freeipa/ticket/5060
Comment 4 Petr Vobornik 2015-10-26 14:29:58 UTC 
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5406
Comment 5 Petr Vobornik 2016-12-09 17:19:44 UTC 
*** Bug 1399606 has been marked as a duplicate of this bug. ***
Comment 6 Florence Blanc-Renaud 2018-02-20 08:55:12 UTC 
Fixed upstream

master:
    eae8714 client.py: Replace hardcoded 'admin' with options.principal

ipa-4-5:
    7bef8c7 client.py: Replace hardcoded 'admin' with options.principal
Comment 13 Sudhir Menon 2018-08-24 10:22:03 UTC 
Tested on Red Hat Enterprise Linux Server release 7.6 Beta (Maipo) using

[root@master ~]# rpm -q ipa-server sssd samba krb5-server pki-server selinux-policy 389-ds-base
ipa-server-4.6.4-6.el7.x86_64
sssd-1.16.2-12.el7.x86_64
samba-4.8.3-4.el7.x86_64
krb5-server-1.15.1-34.el7.x86_64
pki-server-10.5.9-6.el7.noarch
selinux-policy-3.13.1-219.el7.noarch
389-ds-base-1.3.8.4-11.el7.x86_64


Steps:

[root@master ~]# ipa role-add useradmin
----------------------
Added role "useradmin"
----------------------
  Role name: useradmin

[root@master ~]# ipa privilege-add 'Add hosts'
---------------------------
Added privilege "Add hosts"
---------------------------
  Privilege name: Add hosts

[root@master ~]# ipa privilege-add-permission --permissions 'System: Add Hosts' 'Add Hosts'
  Privilege name: Add hosts
  Permissions: System: Add Hosts
-----------------------------
Number of permissions added 1
-----------------------------

[root@master ~]# ipa role-add-privilege useradmin --privileges 'Host Enrollment'
  Role name: useradmin
  Privileges: Host Enrollment
----------------------------
Number of privileges added 1
----------------------------

[root@master ~]# ipa role-add-privilege useradmin --privileges 'Add Hosts'
  Role name: useradmin
  Privileges: Host Enrollment, Add hosts
----------------------------
Number of privileges added 1
----------------------------

[root@master ~]# ipa role-add-member useradmin --users='ipauser1'
  Role name: useradmin
  Member users: ipauser1
  Privileges: Host Enrollment, Add hosts
-------------------------
Number of members added 1
-------------------------

[root@client ~]# ipa-client-install --principal ipauser1
Discovery was successful!
Client hostname: client.apollo.test
Realm: APOLLO.TEST
DNS Domain: apollo.test
IPA Server: master.apollo.test
BaseDN: dc=apollo,dc=test

Continue to configure the system with these values? [no]: yes
Skipping synchronizing time with NTP server.
Password for ipauser1: 
Successfully retrieved CA cert
.........
Client configuration complete.
The ipa-client-install command was successful

2018-08-24T10:18:39Z DEBUG args=getent passwd ipauser1
2018-08-24T10:18:45Z DEBUG Process finished, return code=0
2018-08-24T10:18:45Z DEBUG stdout=ipauser1:*:301400001:301400001:ipauser1 s:/home/ipauser1:/bin/sh
Comment 15 errata-xmlrpc 2018-10-30 10:55:57 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3187
Note You need to log in before you can comment on or make changes to this bug.