1436642 – [ipalib/rpc.py] - "maximum recursion depth exceeded" with ipa vault commands

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1436642 - [ipalib/rpc.py] - "maximum recursion depth exceeded" with ipa vault commands

Summary: [ipalib/rpc.py] - "maximum recursion depth exceeded" with ipa vault commands

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	ipa
Sub Component:
Version:	7.4
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	IPA Maintainers
QA Contact:	Nikhil Dehadrai
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2017-03-28 11:22 UTC by Tomas Krizek
Modified:	2017-08-01 09:46 UTC (History)
CC List:	8 users (show)
Fixed In Version:	ipa-4.5.0-3.el7
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2017-08-01 09:46:16 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2017:2304	0	normal	SHIPPED_LIVE	ipa bug fix and enhancement update	2017-08-01 12:41:35 UTC

Description Tomas Krizek 2017-03-28 11:22:25 UTC

This bug is created as a clone of upstream ticket:
https://pagure.io/freeipa/issue/6775

When trying to troubleshoot failing "test_vault_plugin.py" tests, which are passing fine with fresh ipa-server installation but failing after uninstall and install again I am getting random issue with "maximum recursion depth exceeded" with ipa vault commands. Please see:

```text
    [root@system01 ~]# ipa vault-add another_try --type standard
    ipa: ERROR: non-public: RuntimeError: maximum recursion depth exceeded
    Traceback (most recent call last):
      File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 139, in execute
        result = self.Command[_name](*args, **options)
      File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 447, in __call__
        return self.__do_call(*args, **options)
      File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 475, in __do_call
        ret = self.run(*args, **options)
      File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 1199, in run
        return self.forward(*args, **options)
      File "/usr/lib/python2.7/site-packages/ipaclient/plugins/vault.py", line 350, in forward
        response = self.api.Command.vault_add_internal(*args, **options)
      File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 447, in __call__
        return self.__do_call(*args, **options)
      File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 475, in __do_call
        ret = self.run(*args, **options)
      File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 798, in run
        return self.forward(*args, **options)
      File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 821, in forward
        *args, **kw)
      File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1080, in forward
        return self.forward(name, *args, **kw)
      File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1080, in forward
        return self.forward(name, *args, **kw)
      File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1080, in forward
        return self.forward(name, *args, **kw)
      File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1080, in forward
        return self.forward(name, *args, **kw)
      File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1080, in forward
        return self.forward(name, *args, **kw)
      File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1080, in forward
        return self.forward(name, *args, **kw)
      File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1080, in forward
        return self.forward(name, *args, **kw)
      File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1080, in forward
        return self.forward(name, *args, **kw)
      File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1080, in forward
        return self.forward(name, *args, **kw)
      File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1080, in forward
        return self.forward(name, *args, **kw)
      File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1080, in forward
        return self.forward(name, *args, **kw)
      File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1080, in forward
        return self.forward(name, *args, **kw)
      File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1080, in forward
        return self.forward(name, *args, **kw)
      File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1080, in forward
        return self.forward(name, *args, **kw)
    ...
    ...
    ...
    ...
    ...
      File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1080, in forward
        return self.forward(name, *args, **kw)
      File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1080, in forward
        return self.forward(name, *args, **kw)
      File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1080, in forward
        return self.forward(name, *args, **kw)
      File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1047, in forward
        return self._call_command(command, params)
      File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1028, in _call_command
        return command(*params)
      File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1169, in _call
        return self.__request(name, args)
      File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1136, in __request
        verbose=self.__verbose >= 3,
      File "/usr/lib64/python2.7/xmlrpclib.py", line 1283, in request
        return self.single_request(host, handler, request_body, verbose)
      File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 652, in single_request
        h = SSLTransport.make_connection(self, host)
      File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 542, in make_connection
        conn.connect()
      File "/usr/lib64/python2.7/httplib.py", line 1263, in connect
        server_hostname=server_hostname)
      File "/usr/lib64/python2.7/ssl.py", line 363, in wrap_socket
        _context=self)
      File "/usr/lib64/python2.7/ssl.py", line 605, in __init__
        server_hostname, ssl_sock=self)
      File "/usr/lib64/python2.7/encodings/idna.py", line 164, in encode
        result.append(ToASCII(label))
      File "/usr/lib64/python2.7/encodings/idna.py", line 65, in ToASCII
        label = label.encode("ascii")
    RuntimeError: maximum recursion depth exceeded
    ipa: ERROR: an internal error has occurred
```

When trying to retrieve the vault:

```text
[root@system01 ~]# ipa vault-add http_password --type standard
---------------------------
Added vault "http_password"
---------------------------
  Vault name: http_password
  Type: standard
  Owner users: admin
  Vault user: admin
[root@system01 ~]# ipa vault-archive http_password --in password.txt
----------------------------------------
Archived data into vault "http_password"
----------------------------------------
[root@system01 ~]# rm password.txt
rm: remove regular file 'password.txt'? y
[root@system01 ~]# ipa vault-retrieve http_password
ipa: ERROR: No archived data.
[root@system01 ~]# 
```

Thanks for taking a look!

Comment 2 Tomas Krizek 2017-03-28 11:38:32 UTC

Fixed upstream
master:
https://pagure.io/freeipa/c/9a6ac74eb4421b9ffa831dc6fed067d2ddc0618e
https://pagure.io/freeipa/c/fbbeb132bf37f8a03ef2f2184adb11796ab13d8b
https://pagure.io/freeipa/c/e07aefb886096a7d419a4f1a2dec287e5ecd1626
https://pagure.io/freeipa/c/d63326632b796a5ec9c6468c5ffe0c5a846501e1

Comment 3 Tomas Krizek 2017-03-28 14:54:29 UTC

Fixed upstream
ipa-4-5:
https://pagure.io/freeipa/c/f1d731a79c384c7406c52232ff291644137e100b
https://pagure.io/freeipa/c/ba828a53a4736ed326d95e30856daba2c060439c
https://pagure.io/freeipa/c/f41c9f476d678f9ecc4ca3338c7a58de0182f76f
https://pagure.io/freeipa/c/0912185b18599414e4f9302b1a80c6c7e9876821
https://pagure.io/freeipa/c/e94575f3466bbb8d4959ad0a1c436dcf745e3036

Comment 4 Petr Vobornik 2017-03-28 15:25:01 UTC

This bug will probably need also mod_auth_gssapi bump.

Comment 6 Nikhil Dehadrai 2017-04-13 13:29:39 UTC

ipa server: ipa-server-4.5.0-5.el7.x86_64

Tested the bug for DS-migration process over ldpas and had following observations.

[root@auto-hv-01-guest10 ~]# sed -i 's/ca.crt/remoteds.crt/g' /etc/openldap/ldap.conf
[root@auto-hv-01-guest10 ~]# service httpd restart
Redirecting to /bin/systemctl restart httpd.service
[root@auto-hv-01-guest10 ~]# echo Secret123 | ipa migrate-ds --user-container="ou=People,dc=example,dc=com" --group-container="ou=groups,dc=example,dc=com" ldaps://auto-hv-01-guest05.testrelm.test:636
-----------
migrate-ds:
-----------
Migration mode is disabled.
Use 'ipa config-mod --enable-migration=TRUE' to enable it.
[root@auto-hv-01-guest10 ~]# ipa config-mod --enable-migration=TRUE
  Maximum username length: 32
  Home directory base: /home
  Default shell: /bin/sh
  Default users group: ipausers
  Default e-mail domain: testrelm.test
  Search time limit: 2
  Search size limit: 100
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: TRUE
  Certificate Subject base: O=TESTRELM.TEST
  Password Expiration Notification (days): 4
  Password plugin features: AllowNThash, KDC:Disable Last Success
  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
  Default SELinux user: unconfined_u:s0-s0:c0.c1023
  Default PAC types: MS-PAC, nfs:NONE
  IPA masters: auto-hv-01-guest10.testrelm.test
  IPA CA servers: auto-hv-01-guest10.testrelm.test
  IPA NTP servers: auto-hv-01-guest10.testrelm.test
  IPA CA renewal master: auto-hv-01-guest10.testrelm.test
[root@auto-hv-01-guest10 ~]# echo Secret123 | ipa migrate-ds --user-container="ou=People,dc=example,dc=com" --group-container="ou=groups,dc=example,dc=com" ldaps://auto-hv-01-guest05.testrelm.test:636
ipa: ERROR: cannot connect to 'ldaps://auto-hv-01-guest05.testrelm.test:636': 

[root@auto-hv-01-guest10 var]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28
[root@auto-hv-01-guest10 var]# 

Thus on the basis of above observation changing status of bug to "ASSIGNED"

Comment 14 Nikhil Dehadrai 2017-05-03 12:45:52 UTC

ipa-server version: ipa-server-4.5.0-9.el7.x86_64
DS Server version: 
389-ds-base-libs-1.3.6.1-9.el7.x86_64
389-ds-base-1.3.6.1-9.el7.x86_64
389-ds-base-debuginfo-1.3.6.1-9.el7.x86_64

Tested the bug for migration of DS to IPA server with following observations:

1. Verified that migration over ldaps runs successfully.
2. Refer the following console output:

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: migration over ldaps
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Command 'sed -i 's/ca.crt/remoteds.crt/g' /etc/openldap/ldap.conf' (Expected 0, got 0)
:: [   PASS   ] :: Restarting httpd (Expected 0, got 0)
:: [   LOG    ] :: EXECUTING: ipa migrate-ds --with-compat --user-container="ou=People,dc=example,dc=com" --group-container="ou=groups,dc=example,dc=com" ldaps://DSserver.testrelm.test:636
:: [   PASS   ] :: Command 'ipa-compat-manage disable' (Expected 0,1, got 1)
:: [   PASS   ] :: Command 'ipactl restart' (Expected 0, got 0)
:: [   PASS   ] :: Command 'echo Secret123 | ipa migrate-ds --user-container="ou=People,dc=example,dc=com" --group-container="ou=groups,dc=example,dc=com" ldaps://DSserver.testrelm.test:636 --ca-cert-file=/etc/ipa/remoteds.crt' (Expected 0, got 0)
:: [   PASS   ] :: Verifying puser1 was migrated (Expected 0, got 0)
:: [   PASS   ] :: Verifying 'puser2' was migrated (Expected 0, got 0)
:: [   PASS   ] :: Verifying 'philomena_hazen' was migrated (Expected 0, got 0)
:: [   PASS   ] :: Verifying group 'group1' was migrated (Expected 0, got 0)
:: [   PASS   ] :: Verifying group 'group2' was migrated (Expected 0, got 0)
:: [   LOG    ] :: Cleaning up migrated users
:: [   LOG    ] :: Duration: 52s
:: [   LOG    ] :: Assertions: 10 good, 0 bad
:: [   PASS   ] :: RESULT: migration over ldaps


Thus on the basis of above observations marking the status of bug to "VERIFIED"

Comment 16 errata-xmlrpc 2017-08-01 09:46:16 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304

Note You need to log in before you can comment on or make changes to this bug.