1357488 – ipa command stuck forever on higher versioned client with lower versioned server

Bug 1357488 - ipa command stuck forever on higher versioned client with lower versioned server

Summary: ipa command stuck forever on higher versioned client with lower versioned server

Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	ipa
Sub Component:	(Show other bugs)
Version:	7.3
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	IPA Maintainers
QA Contact:	Kaleem
Docs Contact:	Aneta Šteflová Petrová
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:	1366991
TreeView+	depends on / blocked

Reported:	2016-07-18 10:47 UTC by Abhijeet Kasurde
Modified:	2016-11-04 05:58 UTC (History)
CC List:	6 users (show)
Fixed In Version:	ipa-4.4.0-10.el7
Doc Type:	Bug Fix
Doc Text:	Running commands on servers with an earlier version of IdM no longer takes unexpectedly long When a user on an Identity Management (IdM) client running IdM version 4.4 executes a command, IdM checks if the server contacted by the client supports the new command schema. Because this information is not cached, the check is performed every time the client contacts the server, which previously prolonged the time required to invoke commands on servers running an earlier version of IdM. If the user executed a new command introduced in IdM 4.4, it sometimes even seemed that the operation would not complete at all, because the server did not recognize the command. This bug has been fixed, and executing IdM commands in the described situation no longer takes unexpectedly long.
Story Points:	---
Clone Of:
Environment:
Last Closed:	2016-11-04 05:58:34 UTC
Type:	Bug
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2016:2404	normal	SHIPPED_LIVE	ipa bug fix and enhancement update	2016-11-03 13:56:18 UTC

Description Abhijeet Kasurde 2016-07-18 10:47:46 UTC

Description of problem:
Install IPA Server 4.2 and join client with IPA Client 4.4
If user invoke any unsupported command on client, then it triggers following error message 

# kdestroy -A

# kinit admin
Password for admin@TESTRELM.TEST: 

# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: admin@TESTRELM.TEST

Valid starting       Expires              Service principal
07/18/2016 16:05:10  07/19/2016 16:05:08  krbtgt/TESTRELM.TEST@TESTRELM.TEST

# ipa -vvv ca-add
ipa: INFO: trying https://dhcp201-172.testrelm.test/ipa/json
ipa: INFO: Forwarding 'schema' to json server 'https://dhcp201-172.testrelm.test/ipa/json'
ipa: INFO: trying https://dhcp201-172.testrelm.test/ipa/json
ipa: INFO: Forwarding 'env' to json server 'https://dhcp201-172.testrelm.test/ipa/json'
<snip>
</snip>
ipa: INFO: operation aborted

# rpm -q ipa-client
ipa-client-4.4.0-2.1.el7.x86_64


File /var/log/httpd/error_log on Server contains

[Mon Jul 18 06:34:01.725121 2016] [:error] [pid 7030] ipa: INFO: [jsonserver_kerb] admin@TESTRELM.TEST: env((u'api_version',), version=u'2.0'): SUCCESS
[Mon Jul 18 06:34:08.872626 2016] [:error] [pid 7023] ipa: INFO: [jsonserver_kerb] admin@TESTRELM.TEST: schema: CommandError
[Mon Jul 18 06:34:08.958584 2016] [:error] [pid 7030] ipa: INFO: [jsonserver_kerb] admin@TESTRELM.TEST: env((u'api_version',), version=u'2.0'): SUCCESS
[Mon Jul 18 06:34:17.307152 2016] [:error] [pid 7023] ipa: INFO: [jsonserver_kerb] admin@TESTRELM.TEST: schema: CommandError
[Mon Jul 18 06:34:17.392404 2016] [:error] [pid 7030] ipa: INFO: [jsonserver_kerb] admin@TESTRELM.TEST: env((u'api_version',), version=u'2.0'): SUCCESS
[Mon Jul 18 06:34:37.415954 2016] [:error] [pid 7023] ipa: INFO: [jsonserver_kerb] admin@TESTRELM.TEST: schema: CommandError
[Mon Jul 18 06:34:37.666269 2016] [:error] [pid 7030] ipa: INFO: [jsonserver_kerb] admin@TESTRELM.TEST: env((u'api_version',), version=u'2.0'): SUCCESS
[Mon Jul 18 06:34:45.663847 2016] [:error] [pid 7023] ipa: INFO: [jsonserver_kerb] admin@TESTRELM.TEST: schema: CommandError
[Mon Jul 18 06:34:45.765081 2016] [:error] [pid 7030] ipa: INFO: [jsonserver_kerb] admin@TESTRELM.TEST: env((u'api_version',), version=u'2.0'): SUCCESS




Version-Release number of selected component (if applicable):
IPA Server = ipa-server-4.2.0-15.el7_2.17.x86_64
IPA Client = ipa-client-4.4.0-2.1.el7.x86_64

How reproducible:
100%

Actual results:
Command goes in infinite loop.

Expected results:
Command should warn about non-availability of feature or command 

ipa: ERROR: unknown command 'ca-add' or something similar

Comment 1 Petr Vobornik 2016-07-18 11:01:53 UTC

root cause sounds similar to https://fedorahosted.org/freeipa/ticket/6089, Honza, do you want to clone this or just link it?

Comment 3 Jan Cholasta 2016-07-19 12:05:16 UTC

Petr, clone please, this is not related to #6089.

Comment 4 Petr Vobornik 2016-07-19 12:25:30 UTC

Upstream ticket:
https://fedorahosted.org/freeipa/ticket/6095

Comment 5 Jan Cholasta 2016-08-03 14:40:21 UTC

Upstream ticket:
https://fedorahosted.org/freeipa/ticket/6069

Comment 6 Jan Cholasta 2016-08-03 14:41:59 UTC

Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/47a693d17430e82787d9704637c022a2fcac531a
https://fedorahosted.org/freeipa/changeset/229e2a1ed9ea9877cb5e879fadd99f9040f77c96

Comment 7 Abhijeet Kasurde 2016-08-12 16:50:49 UTC

Following are some observations while using IPA 4.4 client with IPA 4.2 server 

[root@vm-idm-010 ~]# ipa -v commands
ipa: INFO: trying https://vm-idm-003.testrelm.test/ipa/session/json
ipa: INFO: Forwarding 'schema' to json server 'https://vm-idm-003.testrelm.test/ipa/session/json'
ipa: INFO: trying https://vm-idm-003.testrelm.test/ipa/session/json
ipa: INFO: Forwarding 'env' to json server 'https://vm-idm-003.testrelm.test/ipa/session/json'
ipa: INFO: trying https://vm-idm-003.testrelm.test/ipa/session/json
ipa: INFO: trying https://vm-idm-003.testrelm.test/ipa/session/json
ipa: INFO: Forwarding 'schema' to json server 'https://vm-idm-003.testrelm.test/ipa/session/json'
ipa: INFO: trying https://vm-idm-003.testrelm.test/ipa/session/json
ipa: INFO: Forwarding 'env' to json server 'https://vm-idm-003.testrelm.test/ipa/session/json'
ipa: INFO: trying https://vm-idm-003.testrelm.test/ipa/session/json
ipa: INFO: Forwarding 'schema' to json server 'https://vm-idm-003.testrelm.test/ipa/session/json'
ipa: INFO: trying https://vm-idm-003.testrelm.test/ipa/session/json
ipa: INFO: Forwarding 'env' to json server 'https://vm-idm-003.testrelm.test/ipa/session/json'
^Cexception in SSLSocket.auth_certificate_func
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipapython/nsslib.py", line 43, in auth_certificate_callback
    def auth_certificate_callback(sock, check_sig, is_server, certdb):
KeyboardInterrupt
ipa: ERROR: cannot connect to 'https://vm-idm-003.testrelm.test/ipa/session/json': (SEC_ERROR_EXTENSION_NOT_FOUND) Certificate extension not found.


[root@vm-idm-010 ~]# ipa -v ca-add/1
ipa: INFO: trying https://vm-idm-003.testrelm.test/ipa/session/json
ipa: INFO: Forwarding 'schema' to json server 'https://vm-idm-003.testrelm.test/ipa/session/json'
ipa: INFO: trying https://vm-idm-003.testrelm.test/ipa/session/json
ipa: INFO: Forwarding 'env' to json server 'https://vm-idm-003.testrelm.test/ipa/session/json'
ipa: INFO: trying https://vm-idm-003.testrelm.test/ipa/session/json
^C
ipa: INFO: operation aborted

Comment 8 Jan Cholasta 2016-08-17 12:14:46 UTC

Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/6e6cbda036559e741ead0ab5ba18b0be0b41621e

Comment 13 Petr Vobornik 2016-09-06 15:56:22 UTC

Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/ec2401917456d6f643532c0d0218c9e75172c2d8
ipa-4-4:
https://fedorahosted.org/freeipa/changeset/2be232f67074ef052debb91962dbc8acd09d45bd

Comment 16 Abhijeet Kasurde 2016-09-09 10:19:53 UTC

Verified using IPA version::
ipa-server-4.4.0-10.el7.x86_64

Verification Steps ::

1. Install IPA Server on RHEL 7.2 
2. Install IPA Client on RHEL 7.3 
3. Try IPA 4.4 version command 

[root@beast ~]# ipa ca-add
ipa: ERROR: unknown command 'ca-add'
[root@beast ~]# ipa topologysegment-show
ipa: ERROR: unknown command 'topologysegment-show'
[root@beast ~]# ipa topologysuffix-show
ipa: ERROR: unknown command 'topologysuffix-show'
[root@beast ~]# echo Secret123 |kinit 123
kinit: Client '123@TESTRELM.TEST' not found in Kerberos database while getting initial credentials
[root@beast ~]# echo Secret123 |kinit admin
Password for admin@TESTRELM.TEST: 
[root@beast ~]# ipa ping
-------------------------------------------
IPA server version 4.2.0. API version 2.156
-------------------------------------------
[root@beast ~]# rpm -q ipa-server
ipa-server-4.4.0-10.el7.x86_64

Comment 20 errata-xmlrpc 2016-11-04 05:58:34 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2404.html

Note You need to log in before you can comment on or make changes to this bug.