Hide Forgot
Running commands on servers with an earlier version of IdM no longer takes unexpectedly long When a user on an Identity Management (IdM) client running IdM version 4.4 executes a command, IdM checks if the server contacted by the client supports the new command schema. Because this information is not cached, the check is performed every time the client contacts the server, which previously prolonged the time required to invoke commands on servers running an earlier version of IdM. If the user executed a new command introduced in IdM 4.4, it sometimes even seemed that the operation would not complete at all, because the server did not recognize the command. This bug has been fixed, and executing IdM commands in the described situation no longer takes unexpectedly long.
Description of problem: Install IPA Server 4.2 and join client with IPA Client 4.4 If user invoke any unsupported command on client, then it triggers following error message # kdestroy -A # kinit admin Password for admin@TESTRELM.TEST: # klist Ticket cache: KEYRING:persistent:0:0 Default principal: admin@TESTRELM.TEST Valid starting Expires Service principal 07/18/2016 16:05:10 07/19/2016 16:05:08 krbtgt/TESTRELM.TEST@TESTRELM.TEST # ipa -vvv ca-add ipa: INFO: trying https://dhcp201-172.testrelm.test/ipa/json ipa: INFO: Forwarding 'schema' to json server 'https://dhcp201-172.testrelm.test/ipa/json' ipa: INFO: trying https://dhcp201-172.testrelm.test/ipa/json ipa: INFO: Forwarding 'env' to json server 'https://dhcp201-172.testrelm.test/ipa/json' <snip> </snip> ipa: INFO: operation aborted # rpm -q ipa-client ipa-client-4.4.0-2.1.el7.x86_64 File /var/log/httpd/error_log on Server contains [Mon Jul 18 06:34:01.725121 2016] [:error] [pid 7030] ipa: INFO: [jsonserver_kerb] admin@TESTRELM.TEST: env((u'api_version',), version=u'2.0'): SUCCESS [Mon Jul 18 06:34:08.872626 2016] [:error] [pid 7023] ipa: INFO: [jsonserver_kerb] admin@TESTRELM.TEST: schema: CommandError [Mon Jul 18 06:34:08.958584 2016] [:error] [pid 7030] ipa: INFO: [jsonserver_kerb] admin@TESTRELM.TEST: env((u'api_version',), version=u'2.0'): SUCCESS [Mon Jul 18 06:34:17.307152 2016] [:error] [pid 7023] ipa: INFO: [jsonserver_kerb] admin@TESTRELM.TEST: schema: CommandError [Mon Jul 18 06:34:17.392404 2016] [:error] [pid 7030] ipa: INFO: [jsonserver_kerb] admin@TESTRELM.TEST: env((u'api_version',), version=u'2.0'): SUCCESS [Mon Jul 18 06:34:37.415954 2016] [:error] [pid 7023] ipa: INFO: [jsonserver_kerb] admin@TESTRELM.TEST: schema: CommandError [Mon Jul 18 06:34:37.666269 2016] [:error] [pid 7030] ipa: INFO: [jsonserver_kerb] admin@TESTRELM.TEST: env((u'api_version',), version=u'2.0'): SUCCESS [Mon Jul 18 06:34:45.663847 2016] [:error] [pid 7023] ipa: INFO: [jsonserver_kerb] admin@TESTRELM.TEST: schema: CommandError [Mon Jul 18 06:34:45.765081 2016] [:error] [pid 7030] ipa: INFO: [jsonserver_kerb] admin@TESTRELM.TEST: env((u'api_version',), version=u'2.0'): SUCCESS Version-Release number of selected component (if applicable): IPA Server = ipa-server-4.2.0-15.el7_2.17.x86_64 IPA Client = ipa-client-4.4.0-2.1.el7.x86_64 How reproducible: 100% Actual results: Command goes in infinite loop. Expected results: Command should warn about non-availability of feature or command ipa: ERROR: unknown command 'ca-add' or something similar
root cause sounds similar to https://fedorahosted.org/freeipa/ticket/6089, Honza, do you want to clone this or just link it?
Petr, clone please, this is not related to #6089.
Upstream ticket: https://fedorahosted.org/freeipa/ticket/6095
Upstream ticket: https://fedorahosted.org/freeipa/ticket/6069
Fixed upstream master: https://fedorahosted.org/freeipa/changeset/47a693d17430e82787d9704637c022a2fcac531a https://fedorahosted.org/freeipa/changeset/229e2a1ed9ea9877cb5e879fadd99f9040f77c96
Following are some observations while using IPA 4.4 client with IPA 4.2 server [root@vm-idm-010 ~]# ipa -v commands ipa: INFO: trying https://vm-idm-003.testrelm.test/ipa/session/json ipa: INFO: Forwarding 'schema' to json server 'https://vm-idm-003.testrelm.test/ipa/session/json' ipa: INFO: trying https://vm-idm-003.testrelm.test/ipa/session/json ipa: INFO: Forwarding 'env' to json server 'https://vm-idm-003.testrelm.test/ipa/session/json' ipa: INFO: trying https://vm-idm-003.testrelm.test/ipa/session/json ipa: INFO: trying https://vm-idm-003.testrelm.test/ipa/session/json ipa: INFO: Forwarding 'schema' to json server 'https://vm-idm-003.testrelm.test/ipa/session/json' ipa: INFO: trying https://vm-idm-003.testrelm.test/ipa/session/json ipa: INFO: Forwarding 'env' to json server 'https://vm-idm-003.testrelm.test/ipa/session/json' ipa: INFO: trying https://vm-idm-003.testrelm.test/ipa/session/json ipa: INFO: Forwarding 'schema' to json server 'https://vm-idm-003.testrelm.test/ipa/session/json' ipa: INFO: trying https://vm-idm-003.testrelm.test/ipa/session/json ipa: INFO: Forwarding 'env' to json server 'https://vm-idm-003.testrelm.test/ipa/session/json' ^Cexception in SSLSocket.auth_certificate_func Traceback (most recent call last): File "/usr/lib/python2.7/site-packages/ipapython/nsslib.py", line 43, in auth_certificate_callback def auth_certificate_callback(sock, check_sig, is_server, certdb): KeyboardInterrupt ipa: ERROR: cannot connect to 'https://vm-idm-003.testrelm.test/ipa/session/json': (SEC_ERROR_EXTENSION_NOT_FOUND) Certificate extension not found. [root@vm-idm-010 ~]# ipa -v ca-add/1 ipa: INFO: trying https://vm-idm-003.testrelm.test/ipa/session/json ipa: INFO: Forwarding 'schema' to json server 'https://vm-idm-003.testrelm.test/ipa/session/json' ipa: INFO: trying https://vm-idm-003.testrelm.test/ipa/session/json ipa: INFO: Forwarding 'env' to json server 'https://vm-idm-003.testrelm.test/ipa/session/json' ipa: INFO: trying https://vm-idm-003.testrelm.test/ipa/session/json ^C ipa: INFO: operation aborted
Fixed upstream master: https://fedorahosted.org/freeipa/changeset/6e6cbda036559e741ead0ab5ba18b0be0b41621e
Fixed upstream master: https://fedorahosted.org/freeipa/changeset/ec2401917456d6f643532c0d0218c9e75172c2d8 ipa-4-4: https://fedorahosted.org/freeipa/changeset/2be232f67074ef052debb91962dbc8acd09d45bd
Verified using IPA version:: ipa-server-4.4.0-10.el7.x86_64 Verification Steps :: 1. Install IPA Server on RHEL 7.2 2. Install IPA Client on RHEL 7.3 3. Try IPA 4.4 version command [root@beast ~]# ipa ca-add ipa: ERROR: unknown command 'ca-add' [root@beast ~]# ipa topologysegment-show ipa: ERROR: unknown command 'topologysegment-show' [root@beast ~]# ipa topologysuffix-show ipa: ERROR: unknown command 'topologysuffix-show' [root@beast ~]# echo Secret123 |kinit 123 kinit: Client '123@TESTRELM.TEST' not found in Kerberos database while getting initial credentials [root@beast ~]# echo Secret123 |kinit admin Password for admin@TESTRELM.TEST: [root@beast ~]# ipa ping ------------------------------------------- IPA server version 4.2.0. API version 2.156 ------------------------------------------- [root@beast ~]# rpm -q ipa-server ipa-server-4.4.0-10.el7.x86_64
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-2404.html