Red Hat Bugzilla – Bug 1436642
[ipalib/rpc.py] - "maximum recursion depth exceeded" with ipa vault commands
Last modified: 2017-08-01 05:46:16 EDT
This bug is created as a clone of upstream ticket: https://pagure.io/freeipa/issue/6775

When trying to troubleshoot failing "test_vault_plugin.py" tests, which are passing fine with a fresh ipa-server installation but failing after uninstall and install again, I am getting a random issue with "maximum recursion depth exceeded" with ipa vault commands. Please see:

```text
[root@system01 ~]# ipa vault-add another_try --type standard
ipa: ERROR: non-public: RuntimeError: maximum recursion depth exceeded
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 139, in execute
    result = self.Command[_name](*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 447, in __call__
    return self.__do_call(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 475, in __do_call
    ret = self.run(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 1199, in run
    return self.forward(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipaclient/plugins/vault.py", line 350, in forward
    response = self.api.Command.vault_add_internal(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 447, in __call__
    return self.__do_call(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 475, in __do_call
    ret = self.run(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 798, in run
    return self.forward(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 821, in forward
    *args, **kw)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1080, in forward
    return self.forward(name, *args, **kw)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1080, in forward
    return self.forward(name, *args, **kw)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1080, in forward
    return self.forward(name, *args, **kw)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1080, in forward
    return self.forward(name, *args, **kw)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1080, in forward
    return self.forward(name, *args, **kw)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1080, in forward
    return self.forward(name, *args, **kw)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1080, in forward
    return self.forward(name, *args, **kw)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1080, in forward
    return self.forward(name, *args, **kw)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1080, in forward
    return self.forward(name, *args, **kw)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1080, in forward
    return self.forward(name, *args, **kw)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1080, in forward
    return self.forward(name, *args, **kw)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1080, in forward
    return self.forward(name, *args, **kw)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1080, in forward
    return self.forward(name, *args, **kw)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1080, in forward
    return self.forward(name, *args, **kw)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1080, in forward
    return self.forward(name, *args, **kw)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1080, in forward
    return self.forward(name, *args, **kw)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1080, in forward
    return self.forward(name, *args, **kw)
...
...
...
...
...
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1080, in forward
    return self.forward(name, *args, **kw)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1080, in forward
    return self.forward(name, *args, **kw)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1080, in forward
    return self.forward(name, *args, **kw)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1047, in forward
    return self._call_command(command, params)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1028, in _call_command
    return command(*params)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1169, in _call
    return self.__request(name, args)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1136, in __request
    verbose=self.__verbose >= 3,
  File "/usr/lib64/python2.7/xmlrpclib.py", line 1283, in request
    return self.single_request(host, handler, request_body, verbose)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 652, in single_request
    h = SSLTransport.make_connection(self, host)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 542, in make_connection
    conn.connect()
  File "/usr/lib64/python2.7/httplib.py", line 1263, in connect
    server_hostname=server_hostname)
  File "/usr/lib64/python2.7/ssl.py", line 363, in wrap_socket
    _context=self)
  File "/usr/lib64/python2.7/ssl.py", line 605, in __init__
    server_hostname, ssl_sock=self)
  File "/usr/lib64/python2.7/encodings/idna.py", line 164, in encode
    result.append(ToASCII(label))
  File "/usr/lib64/python2.7/encodings/idna.py", line 65, in ToASCII
    label = label.encode("ascii")
RuntimeError: maximum recursion depth exceeded
ipa: ERROR: an internal error has occurred
```

When trying to retrieve the vault:

```text
[root@system01 ~]# ipa vault-add http_password --type standard
---------------------------
Added vault "http_password"
---------------------------
  Vault name: http_password
  Type: standard
  Owner users: admin
  Vault user: admin
[root@system01 ~]# ipa vault-archive http_password --in password.txt
----------------------------------------
Archived data into vault "http_password"
----------------------------------------
[root@system01 ~]# rm password.txt
rm: remove regular file 'password.txt'? y
[root@system01 ~]# ipa vault-retrieve http_password
ipa: ERROR: No archived data.
[root@system01 ~]#
```

Thanks for taking a look!
Fixed upstream master:
https://pagure.io/freeipa/c/9a6ac74eb4421b9ffa831dc6fed067d2ddc0618e
https://pagure.io/freeipa/c/fbbeb132bf37f8a03ef2f2184adb11796ab13d8b
https://pagure.io/freeipa/c/e07aefb886096a7d419a4f1a2dec287e5ecd1626
https://pagure.io/freeipa/c/d63326632b796a5ec9c6468c5ffe0c5a846501e1

Fixed upstream ipa-4-5:
https://pagure.io/freeipa/c/f1d731a79c384c7406c52232ff291644137e100b
https://pagure.io/freeipa/c/ba828a53a4736ed326d95e30856daba2c060439c
https://pagure.io/freeipa/c/f41c9f476d678f9ecc4ca3338c7a58de0182f76f
https://pagure.io/freeipa/c/0912185b18599414e4f9302b1a80c6c7e9876821
https://pagure.io/freeipa/c/e94575f3466bbb8d4959ad0a1c436dcf745e3036
This bug will probably also need a mod_auth_gssapi bump.
ipa server: ipa-server-4.5.0-5.el7.x86_64

Tested the bug for DS-migration process over ldaps and had the following observations.

```text
[root@auto-hv-01-guest10 ~]# sed -i 's/ca.crt/remoteds.crt/g' /etc/openldap/ldap.conf
[root@auto-hv-01-guest10 ~]# service httpd restart
Redirecting to /bin/systemctl restart httpd.service
[root@auto-hv-01-guest10 ~]# echo Secret123 | ipa migrate-ds --user-container="ou=People,dc=example,dc=com" --group-container="ou=groups,dc=example,dc=com" ldaps://auto-hv-01-guest05.testrelm.test:636
-----------
migrate-ds:
-----------
Migration mode is disabled. Use 'ipa config-mod --enable-migration=TRUE' to enable it.
[root@auto-hv-01-guest10 ~]# ipa config-mod --enable-migration=TRUE
  Maximum username length: 32
  Home directory base: /home
  Default shell: /bin/sh
  Default users group: ipausers
  Default e-mail domain: testrelm.test
  Search time limit: 2
  Search size limit: 100
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: TRUE
  Certificate Subject base: O=TESTRELM.TEST
  Password Expiration Notification (days): 4
  Password plugin features: AllowNThash, KDC:Disable Last Success
  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
  Default SELinux user: unconfined_u:s0-s0:c0.c1023
  Default PAC types: MS-PAC, nfs:NONE
  IPA masters: auto-hv-01-guest10.testrelm.test
  IPA CA servers: auto-hv-01-guest10.testrelm.test
  IPA NTP servers: auto-hv-01-guest10.testrelm.test
  IPA CA renewal master: auto-hv-01-guest10.testrelm.test
[root@auto-hv-01-guest10 ~]# echo Secret123 | ipa migrate-ds --user-container="ou=People,dc=example,dc=com" --group-container="ou=groups,dc=example,dc=com" ldaps://auto-hv-01-guest05.testrelm.test:636
ipa: ERROR: cannot connect to 'ldaps://auto-hv-01-guest05.testrelm.test:636':
[root@auto-hv-01-guest10 var]# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: permissive
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 28
[root@auto-hv-01-guest10 var]#
```

Thus, on the basis of the above observation, changing status of bug to "ASSIGNED".
ipa-server version: ipa-server-4.5.0-9.el7.x86_64

DS Server version:
389-ds-base-libs-1.3.6.1-9.el7.x86_64
389-ds-base-1.3.6.1-9.el7.x86_64
389-ds-base-debuginfo-1.3.6.1-9.el7.x86_64

Tested the bug for migration of DS to IPA server with the following observations:

1. Verified that migration over ldaps runs successfully.
2. Refer to the following console output:

```text
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: migration over ldaps
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ PASS ] :: Command 'sed -i 's/ca.crt/remoteds.crt/g' /etc/openldap/ldap.conf' (Expected 0, got 0)
:: [ PASS ] :: Restarting httpd (Expected 0, got 0)
:: [ LOG ] :: EXECUTING: ipa migrate-ds --with-compat --user-container="ou=People,dc=example,dc=com" --group-container="ou=groups,dc=example,dc=com" ldaps://DSserver.testrelm.test:636
:: [ PASS ] :: Command 'ipa-compat-manage disable' (Expected 0,1, got 1)
:: [ PASS ] :: Command 'ipactl restart' (Expected 0, got 0)
:: [ PASS ] :: Command 'echo Secret123 | ipa migrate-ds --user-container="ou=People,dc=example,dc=com" --group-container="ou=groups,dc=example,dc=com" ldaps://DSserver.testrelm.test:636 --ca-cert-file=/etc/ipa/remoteds.crt' (Expected 0, got 0)
:: [ PASS ] :: Verifying puser1 was migrated (Expected 0, got 0)
:: [ PASS ] :: Verifying 'puser2' was migrated (Expected 0, got 0)
:: [ PASS ] :: Verifying 'philomena_hazen' was migrated (Expected 0, got 0)
:: [ PASS ] :: Verifying group 'group1' was migrated (Expected 0, got 0)
:: [ PASS ] :: Verifying group 'group2' was migrated (Expected 0, got 0)
:: [ LOG ] :: Cleaning up migrated users
:: [ LOG ] :: Duration: 52s
:: [ LOG ] :: Assertions: 10 good, 0 bad
:: [ PASS ] :: RESULT: migration over ldaps
```

Thus, on the basis of the above observations, marking the status of bug to "VERIFIED".
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:2304