Bug 1357488
| Summary: | ipa command stuck forever on higher versioned client with lower versioned server | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Abhijeet Kasurde <akasurde> |
| Component: | ipa | Assignee: | IPA Maintainers <ipa-maint> |
| Status: | CLOSED ERRATA | QA Contact: | Kaleem <ksiddiqu> |
| Severity: | unspecified | Docs Contact: | Aneta Šteflová Petrová <apetrova> |
| Priority: | unspecified | ||
| Version: | 7.3 | CC: | dkupka, jcholast, jhrozek, lmiksik, pvoborni, rcritten |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | ipa-4.4.0-10.el7 | Doc Type: | Bug Fix |
| Doc Text: | **Running commands on servers with an earlier version of IdM no longer takes unexpectedly long.** When a user on an Identity Management (IdM) client running IdM version 4.4 executes a command, IdM checks if the server contacted by the client supports the new command schema. Because this information is not cached, the check is performed every time the client contacts the server, which previously prolonged the time required to invoke commands on servers running an earlier version of IdM. If the user executed a new command introduced in IdM 4.4, it sometimes even seemed that the operation would not complete at all, because the server did not recognize the command. This bug has been fixed, and executing IdM commands in the described situation no longer takes unexpectedly long. | ||
| Story Points: | --- | ||
| Clone Of: | Environment: | ||
| Last Closed: | 2016-11-04 05:58:34 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1366991 | ||
|
Description
Abhijeet Kasurde
2016-07-18 10:47:46 UTC
root cause sounds similar to https://fedorahosted.org/freeipa/ticket/6089, Honza, do you want to clone this or just link it?

Petr, clone please, this is not related to #6089.

Upstream ticket: https://fedorahosted.org/freeipa/ticket/6095

Upstream ticket: https://fedorahosted.org/freeipa/ticket/6069

Fixed upstream master:
https://fedorahosted.org/freeipa/changeset/47a693d17430e82787d9704637c022a2fcac531a
https://fedorahosted.org/freeipa/changeset/229e2a1ed9ea9877cb5e879fadd99f9040f77c96

Following are some observations while using IPA 4.4 client with IPA 4.2 server

```
[root@vm-idm-010 ~]# ipa -v commands
ipa: INFO: trying https://vm-idm-003.testrelm.test/ipa/session/json
ipa: INFO: Forwarding 'schema' to json server 'https://vm-idm-003.testrelm.test/ipa/session/json'
ipa: INFO: trying https://vm-idm-003.testrelm.test/ipa/session/json
ipa: INFO: Forwarding 'env' to json server 'https://vm-idm-003.testrelm.test/ipa/session/json'
ipa: INFO: trying https://vm-idm-003.testrelm.test/ipa/session/json
ipa: INFO: trying https://vm-idm-003.testrelm.test/ipa/session/json
ipa: INFO: Forwarding 'schema' to json server 'https://vm-idm-003.testrelm.test/ipa/session/json'
ipa: INFO: trying https://vm-idm-003.testrelm.test/ipa/session/json
ipa: INFO: Forwarding 'env' to json server 'https://vm-idm-003.testrelm.test/ipa/session/json'
ipa: INFO: trying https://vm-idm-003.testrelm.test/ipa/session/json
ipa: INFO: Forwarding 'schema' to json server 'https://vm-idm-003.testrelm.test/ipa/session/json'
ipa: INFO: trying https://vm-idm-003.testrelm.test/ipa/session/json
ipa: INFO: Forwarding 'env' to json server 'https://vm-idm-003.testrelm.test/ipa/session/json'
^Cexception in SSLSocket.auth_certificate_func
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipapython/nsslib.py", line 43, in auth_certificate_callback
    def auth_certificate_callback(sock, check_sig, is_server, certdb):
KeyboardInterrupt
ipa: ERROR: cannot connect to 'https://vm-idm-003.testrelm.test/ipa/session/json': (SEC_ERROR_EXTENSION_NOT_FOUND) Certificate extension not found.
[root@vm-idm-010 ~]# ipa -v ca-add/1
ipa: INFO: trying https://vm-idm-003.testrelm.test/ipa/session/json
ipa: INFO: Forwarding 'schema' to json server 'https://vm-idm-003.testrelm.test/ipa/session/json'
ipa: INFO: trying https://vm-idm-003.testrelm.test/ipa/session/json
ipa: INFO: Forwarding 'env' to json server 'https://vm-idm-003.testrelm.test/ipa/session/json'
ipa: INFO: trying https://vm-idm-003.testrelm.test/ipa/session/json
^C
ipa: INFO: operation aborted
```

Fixed upstream master: https://fedorahosted.org/freeipa/changeset/6e6cbda036559e741ead0ab5ba18b0be0b41621e

Fixed upstream master: https://fedorahosted.org/freeipa/changeset/ec2401917456d6f643532c0d0218c9e75172c2d8

ipa-4-4: https://fedorahosted.org/freeipa/changeset/2be232f67074ef052debb91962dbc8acd09d45bd

Verified using IPA version:: ipa-server-4.4.0-10.el7.x86_64

Verification Steps ::

1. Install IPA Server on RHEL 7.2
2. Install IPA Client on RHEL 7.3
3. Try IPA 4.4 version command

```
[root@beast ~]# ipa ca-add
ipa: ERROR: unknown command 'ca-add'
[root@beast ~]# ipa topologysegment-show
ipa: ERROR: unknown command 'topologysegment-show'
[root@beast ~]# ipa topologysuffix-show
ipa: ERROR: unknown command 'topologysuffix-show'
[root@beast ~]# echo Secret123 |kinit 123
kinit: Client '123' not found in Kerberos database while getting initial credentials
[root@beast ~]# echo Secret123 |kinit admin
Password for admin:
[root@beast ~]# ipa ping
-------------------------------------------
IPA server version 4.2.0. API version 2.156
-------------------------------------------
[root@beast ~]# rpm -q ipa-server
ipa-server-4.4.0-10.el7.x86_64
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2404.html