1304618 – Residual Files After IPA Server Uninstall

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1304618 - Residual Files After IPA Server Uninstall

Summary: Residual Files After IPA Server Uninstall

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	ipa
Sub Component:
Version:	7.2
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	IPA Maintainers
QA Contact:	Namita Soman
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2016-02-04 08:19 UTC by ilmostro7
Modified:	2019-10-10 11:06 UTC (History)
CC List:	6 users (show)
Fixed In Version:	ipa-4.4.0-0.el7.1.alpha1
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2016-11-04 05:50:59 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
FedoraHosted FreeIPA	2694	None	None	None	2016-02-04 08:31:33 UTC
FedoraHosted FreeIPA	5508	None	None	None	2016-02-04 08:31:49 UTC
Red Hat Product Errata	RHBA-2016:2404	normal	SHIPPED_LIVE	ipa bug fix and enhancement update	2016-11-03 13:56:18 UTC

Description ilmostro7 2016-02-04 08:19:37 UTC

Description of problem:
Decommissioning a system as the IPA Server(IdM) using `ipa-server-install --uninstall` and/or `ipa-server-install --uninstall -U` leaves residual IPA/IdM related files on system; e.g. during the installation, I presume the httpd.service file is copied into /etc/systemd/system/httpd.service and modified to suit the needs of the IPA server instance.  This is evident in bug 1044994.


Version-Release number of selected component (if applicable):

ipa-server-4.2.0-15.el7_2.3.x86_64

How reproducible:

Assuming user executes uninstall script as referenced in first line the `/etc/systemd/system/httpd.service` file is left in place with residual, irrelevant environment variables/links, rendering the Apache web server unable to start.

~~~
# cat /etc/systemd/system/httpd.service 
.include /usr/lib/systemd/system/httpd.service

[Service]
Environment=KRB5CCNAME=/var/run/httpd/ipa/krbcache/krb5ccache
Environment=KDCPROXY_CONFIG=/etc/ipa/kdcproxy/kdcproxy.conf
ExecStartPre=/usr/libexec/ipa/ipa-httpd-kdcproxy
ExecStopPost=-/usr/bin/kdestroy -A
~~~

Actual results:

~~~
Feb 04 01:33:24 fedpadssd.opensourceinfo.ba systemd[1]: Starting The Apache HTTP Server...
Feb 04 01:33:26 fedpadssd.opensourceinfo.ba ipa-httpd-kdcproxy[14110]: ipa         : WARNING  Unable to connect to dirsrv: Timeout exceeded
Feb 04 01:33:26 fedpadssd.opensourceinfo.ba ipa-httpd-kdcproxy[14110]: ipa         : WARNING  Disabling KDC proxy
Feb 04 01:33:26 fedpadssd.opensourceinfo.ba systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
Feb 04 01:33:26 fedpadssd.opensourceinfo.ba kill[14119]: kill: cannot find process ""
Feb 04 01:33:26 fedpadssd.opensourceinfo.ba systemd[1]: httpd.service: control process exited, code=exited status=1
Feb 04 01:33:26 fedpadssd.opensourceinfo.ba systemd[1]: Failed to start The Apache HTTP Server.
Feb 04 01:33:26 fedpadssd.opensourceinfo.ba systemd[1]: Unit httpd.service entered failed state.
Feb 04 01:33:26 fedpadssd.opensourceinfo.ba systemd[1]: httpd.service failed.
~~~

Comment 2 Petr Vobornik 2016-02-16 16:33:25 UTC

Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5681

Comment 3 Martin Bašti 2016-04-22 08:21:34 UTC

Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/586fee293f42388510fa5436af19460bbe1fdec5

Comment 5 Sudhir Menon 2016-09-15 16:31:39 UTC

Fix is seen in RHEL7.3 using ipa-server-4.4.0-11.el7.x86_64

[root@ipa01 dirsrv]# date
Thu Sep 15 16:30:52 IST 2016

1. After installation
[root@ipa01 dirsrv]# ll /etc/systemd/system/httpd.service.d/ipa.conf
-rw-r--r--. 1 root root 258 Sep 15 16:24 /etc/systemd/system/httpd.service.d/ipa.conf

2. Uninstallation
[root@ipa01 dirsrv]# ipa-server-install --uninstall -U
Updating DNS system records
ipa : ERROR unable to resolve host name ipa01.labs03.test. to IP address, ipa-ca DNS record will be incomplete
--------------------------------------
Deleted IPA server "ipa01.labs03.test"
--------------------------------------
Shutting down all IPA services
Unconfiguring ntpd
Configuring certmonger to stop tracking system certificates for KRA
Configuring certmonger to stop tracking system certificates for CA
Unconfiguring CA
Unconfiguring named
Unconfiguring ipa-dnskeysyncd
Unconfiguring web server
Unconfiguring krb5kdc
Unconfiguring kadmin
Unconfiguring directory server
Unconfiguring ipa-custodia
Unconfiguring ipa_memcached
Unconfiguring ipa-otpd
Removing IPA client configuration
Removing Kerberos service principals from /etc/krb5.keytab
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
Restoring client configuration files
Unconfiguring the NIS domain.
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Systemwide CA database updated.
Client uninstall complete.

3. File is removed.
[root@ipa01 dirsrv]# ll /etc/systemd/system/httpd.service.d/ipa.conf
ls: cannot access /etc/systemd/system/httpd.service.d/ipa.conf: No such file or directory

Comment 7 errata-xmlrpc 2016-11-04 05:50:59 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2404.html

Note You need to log in before you can comment on or make changes to this bug.