Bug 1357488 - ipa command stuck forever on higher versioned client with lower versioned server
Summary: ipa command stuck forever on higher versioned client with lower versioned server
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.3
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: IPA Maintainers
QA Contact: Kaleem
Aneta Šteflová Petrová
URL:
Whiteboard:
Depends On:
Blocks: 1366991
TreeView+ depends on / blocked
 
Reported: 2016-07-18 10:47 UTC by Abhijeet Kasurde
Modified: 2016-11-04 05:58 UTC (History)
6 users (show)

Fixed In Version: ipa-4.4.0-10.el7
Doc Type: Bug Fix
Doc Text:
Running commands on servers with an earlier version of IdM no longer takes unexpectedly long When a user on an Identity Management (IdM) client running IdM version 4.4 executes a command, IdM checks if the server contacted by the client supports the new command schema. Because this information is not cached, the check is performed every time the client contacts the server, which previously prolonged the time required to invoke commands on servers running an earlier version of IdM. If the user executed a new command introduced in IdM 4.4, it sometimes even seemed that the operation would not complete at all, because the server did not recognize the command. This bug has been fixed, and executing IdM commands in the described situation no longer takes unexpectedly long.
Clone Of:
Environment:
Last Closed: 2016-11-04 05:58:34 UTC
Target Upstream Version:

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:2404 0 normal SHIPPED_LIVE ipa bug fix and enhancement update 2016-11-03 13:56:18 UTC

Description Abhijeet Kasurde 2016-07-18 10:47:46 UTC 
Description of problem:
Install IPA Server 4.2 and join client with IPA Client 4.4
If user invoke any unsupported command on client, then it triggers following error message 

# kdestroy -A

# kinit admin
Password for admin@TESTRELM.TEST: 

# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: admin@TESTRELM.TEST

Valid starting       Expires              Service principal
07/18/2016 16:05:10  07/19/2016 16:05:08  krbtgt/TESTRELM.TEST@TESTRELM.TEST

# ipa -vvv ca-add
ipa: INFO: trying https://dhcp201-172.testrelm.test/ipa/json
ipa: INFO: Forwarding 'schema' to json server 'https://dhcp201-172.testrelm.test/ipa/json'
ipa: INFO: trying https://dhcp201-172.testrelm.test/ipa/json
ipa: INFO: Forwarding 'env' to json server 'https://dhcp201-172.testrelm.test/ipa/json'
<snip>
</snip>
ipa: INFO: operation aborted

# rpm -q ipa-client
ipa-client-4.4.0-2.1.el7.x86_64


File /var/log/httpd/error_log on Server contains

[Mon Jul 18 06:34:01.725121 2016] [:error] [pid 7030] ipa: INFO: [jsonserver_kerb] admin@TESTRELM.TEST: env((u'api_version',), version=u'2.0'): SUCCESS
[Mon Jul 18 06:34:08.872626 2016] [:error] [pid 7023] ipa: INFO: [jsonserver_kerb] admin@TESTRELM.TEST: schema: CommandError
[Mon Jul 18 06:34:08.958584 2016] [:error] [pid 7030] ipa: INFO: [jsonserver_kerb] admin@TESTRELM.TEST: env((u'api_version',), version=u'2.0'): SUCCESS
[Mon Jul 18 06:34:17.307152 2016] [:error] [pid 7023] ipa: INFO: [jsonserver_kerb] admin@TESTRELM.TEST: schema: CommandError
[Mon Jul 18 06:34:17.392404 2016] [:error] [pid 7030] ipa: INFO: [jsonserver_kerb] admin@TESTRELM.TEST: env((u'api_version',), version=u'2.0'): SUCCESS
[Mon Jul 18 06:34:37.415954 2016] [:error] [pid 7023] ipa: INFO: [jsonserver_kerb] admin@TESTRELM.TEST: schema: CommandError
[Mon Jul 18 06:34:37.666269 2016] [:error] [pid 7030] ipa: INFO: [jsonserver_kerb] admin@TESTRELM.TEST: env((u'api_version',), version=u'2.0'): SUCCESS
[Mon Jul 18 06:34:45.663847 2016] [:error] [pid 7023] ipa: INFO: [jsonserver_kerb] admin@TESTRELM.TEST: schema: CommandError
[Mon Jul 18 06:34:45.765081 2016] [:error] [pid 7030] ipa: INFO: [jsonserver_kerb] admin@TESTRELM.TEST: env((u'api_version',), version=u'2.0'): SUCCESS




Version-Release number of selected component (if applicable):
IPA Server = ipa-server-4.2.0-15.el7_2.17.x86_64
IPA Client = ipa-client-4.4.0-2.1.el7.x86_64

How reproducible:
100%

Actual results:
Command goes in infinite loop.

Expected results:
Command should warn about non-availability of feature or command 

ipa: ERROR: unknown command 'ca-add' or something similar
Comment 1 Petr Vobornik 2016-07-18 11:01:53 UTC 
root cause sounds similar to https://fedorahosted.org/freeipa/ticket/6089, Honza, do you want to clone this or just link it?
Comment 3 Jan Cholasta 2016-07-19 12:05:16 UTC 
Petr, clone please, this is not related to #6089.
Comment 4 Petr Vobornik 2016-07-19 12:25:30 UTC 
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/6095
Comment 5 Jan Cholasta 2016-08-03 14:40:21 UTC 
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/6069
Comment 6 Jan Cholasta 2016-08-03 14:41:59 UTC 
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/47a693d17430e82787d9704637c022a2fcac531a
https://fedorahosted.org/freeipa/changeset/229e2a1ed9ea9877cb5e879fadd99f9040f77c96
Comment 7 Abhijeet Kasurde 2016-08-12 16:50:49 UTC 
Following are some observations while using IPA 4.4 client with IPA 4.2 server 

[root@vm-idm-010 ~]# ipa -v commands
ipa: INFO: trying https://vm-idm-003.testrelm.test/ipa/session/json
ipa: INFO: Forwarding 'schema' to json server 'https://vm-idm-003.testrelm.test/ipa/session/json'
ipa: INFO: trying https://vm-idm-003.testrelm.test/ipa/session/json
ipa: INFO: Forwarding 'env' to json server 'https://vm-idm-003.testrelm.test/ipa/session/json'
ipa: INFO: trying https://vm-idm-003.testrelm.test/ipa/session/json
ipa: INFO: trying https://vm-idm-003.testrelm.test/ipa/session/json
ipa: INFO: Forwarding 'schema' to json server 'https://vm-idm-003.testrelm.test/ipa/session/json'
ipa: INFO: trying https://vm-idm-003.testrelm.test/ipa/session/json
ipa: INFO: Forwarding 'env' to json server 'https://vm-idm-003.testrelm.test/ipa/session/json'
ipa: INFO: trying https://vm-idm-003.testrelm.test/ipa/session/json
ipa: INFO: Forwarding 'schema' to json server 'https://vm-idm-003.testrelm.test/ipa/session/json'
ipa: INFO: trying https://vm-idm-003.testrelm.test/ipa/session/json
ipa: INFO: Forwarding 'env' to json server 'https://vm-idm-003.testrelm.test/ipa/session/json'
^Cexception in SSLSocket.auth_certificate_func
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipapython/nsslib.py", line 43, in auth_certificate_callback
    def auth_certificate_callback(sock, check_sig, is_server, certdb):
KeyboardInterrupt
ipa: ERROR: cannot connect to 'https://vm-idm-003.testrelm.test/ipa/session/json': (SEC_ERROR_EXTENSION_NOT_FOUND) Certificate extension not found.


[root@vm-idm-010 ~]# ipa -v ca-add/1
ipa: INFO: trying https://vm-idm-003.testrelm.test/ipa/session/json
ipa: INFO: Forwarding 'schema' to json server 'https://vm-idm-003.testrelm.test/ipa/session/json'
ipa: INFO: trying https://vm-idm-003.testrelm.test/ipa/session/json
ipa: INFO: Forwarding 'env' to json server 'https://vm-idm-003.testrelm.test/ipa/session/json'
ipa: INFO: trying https://vm-idm-003.testrelm.test/ipa/session/json
^C
ipa: INFO: operation aborted
Comment 8 Jan Cholasta 2016-08-17 12:14:46 UTC 
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/6e6cbda036559e741ead0ab5ba18b0be0b41621e
Comment 13 Petr Vobornik 2016-09-06 15:56:22 UTC 
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/ec2401917456d6f643532c0d0218c9e75172c2d8
ipa-4-4:
https://fedorahosted.org/freeipa/changeset/2be232f67074ef052debb91962dbc8acd09d45bd
Comment 16 Abhijeet Kasurde 2016-09-09 10:19:53 UTC 
Verified using IPA version::
ipa-server-4.4.0-10.el7.x86_64

Verification Steps ::

1. Install IPA Server on RHEL 7.2 
2. Install IPA Client on RHEL 7.3 
3. Try IPA 4.4 version command 

[root@beast ~]# ipa ca-add
ipa: ERROR: unknown command 'ca-add'
[root@beast ~]# ipa topologysegment-show
ipa: ERROR: unknown command 'topologysegment-show'
[root@beast ~]# ipa topologysuffix-show
ipa: ERROR: unknown command 'topologysuffix-show'
[root@beast ~]# echo Secret123 |kinit 123
kinit: Client '123@TESTRELM.TEST' not found in Kerberos database while getting initial credentials
[root@beast ~]# echo Secret123 |kinit admin
Password for admin@TESTRELM.TEST: 
[root@beast ~]# ipa ping
-------------------------------------------
IPA server version 4.2.0. API version 2.156
-------------------------------------------
[root@beast ~]# rpm -q ipa-server
ipa-server-4.4.0-10.el7.x86_64
Comment 20 errata-xmlrpc 2016-11-04 05:58:34 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2404.html
Note You need to log in before you can comment on or make changes to this bug.