Bug 1436642 - [ipalib/rpc.py] - "maximum recursion depth exceeded" with ipa vault commands
Summary: [ipalib/rpc.py] - "maximum recursion depth exceeded" with ipa vault commands
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.4
Hardware: Unspecified
OS: Unspecified
medium
unspecified
Target Milestone: rc
: ---
Assignee: IPA Maintainers
QA Contact: Nikhil Dehadrai
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-03-28 11:22 UTC by Tomas Krizek
Modified: 2017-08-01 09:46 UTC (History)
8 users (show)

Fixed In Version: ipa-4.5.0-3.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-08-01 09:46:16 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:2304 normal SHIPPED_LIVE ipa bug fix and enhancement update 2017-08-01 12:41:35 UTC

Description Tomas Krizek 2017-03-28 11:22:25 UTC
This bug is created as a clone of upstream ticket:
https://pagure.io/freeipa/issue/6775

When trying to troubleshoot failing "test_vault_plugin.py" tests, which are passing fine with fresh ipa-server installation but failing after uninstall and install again I am getting random issue with "maximum recursion depth exceeded" with ipa vault commands. Please see:

```text
    [root@system01 ~]# ipa vault-add another_try --type standard
    ipa: ERROR: non-public: RuntimeError: maximum recursion depth exceeded
    Traceback (most recent call last):
      File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 139, in execute
        result = self.Command[_name](*args, **options)
      File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 447, in __call__
        return self.__do_call(*args, **options)
      File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 475, in __do_call
        ret = self.run(*args, **options)
      File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 1199, in run
        return self.forward(*args, **options)
      File "/usr/lib/python2.7/site-packages/ipaclient/plugins/vault.py", line 350, in forward
        response = self.api.Command.vault_add_internal(*args, **options)
      File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 447, in __call__
        return self.__do_call(*args, **options)
      File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 475, in __do_call
        ret = self.run(*args, **options)
      File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 798, in run
        return self.forward(*args, **options)
      File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 821, in forward
        *args, **kw)
      File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1080, in forward
        return self.forward(name, *args, **kw)
      File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1080, in forward
        return self.forward(name, *args, **kw)
      File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1080, in forward
        return self.forward(name, *args, **kw)
      File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1080, in forward
        return self.forward(name, *args, **kw)
      File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1080, in forward
        return self.forward(name, *args, **kw)
      File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1080, in forward
        return self.forward(name, *args, **kw)
      File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1080, in forward
        return self.forward(name, *args, **kw)
      File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1080, in forward
        return self.forward(name, *args, **kw)
      File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1080, in forward
        return self.forward(name, *args, **kw)
      File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1080, in forward
        return self.forward(name, *args, **kw)
      File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1080, in forward
        return self.forward(name, *args, **kw)
      File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1080, in forward
        return self.forward(name, *args, **kw)
      File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1080, in forward
        return self.forward(name, *args, **kw)
      File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1080, in forward
        return self.forward(name, *args, **kw)
    ...
    ...
    ...
    ...
    ...
      File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1080, in forward
        return self.forward(name, *args, **kw)
      File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1080, in forward
        return self.forward(name, *args, **kw)
      File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1080, in forward
        return self.forward(name, *args, **kw)
      File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1047, in forward
        return self._call_command(command, params)
      File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1028, in _call_command
        return command(*params)
      File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1169, in _call
        return self.__request(name, args)
      File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1136, in __request
        verbose=self.__verbose >= 3,
      File "/usr/lib64/python2.7/xmlrpclib.py", line 1283, in request
        return self.single_request(host, handler, request_body, verbose)
      File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 652, in single_request
        h = SSLTransport.make_connection(self, host)
      File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 542, in make_connection
        conn.connect()
      File "/usr/lib64/python2.7/httplib.py", line 1263, in connect
        server_hostname=server_hostname)
      File "/usr/lib64/python2.7/ssl.py", line 363, in wrap_socket
        _context=self)
      File "/usr/lib64/python2.7/ssl.py", line 605, in __init__
        server_hostname, ssl_sock=self)
      File "/usr/lib64/python2.7/encodings/idna.py", line 164, in encode
        result.append(ToASCII(label))
      File "/usr/lib64/python2.7/encodings/idna.py", line 65, in ToASCII
        label = label.encode("ascii")
    RuntimeError: maximum recursion depth exceeded
    ipa: ERROR: an internal error has occurred
```

When trying to retrieve the vault:

```text
[root@system01 ~]# ipa vault-add http_password --type standard
---------------------------
Added vault "http_password"
---------------------------
  Vault name: http_password
  Type: standard
  Owner users: admin
  Vault user: admin
[root@system01 ~]# ipa vault-archive http_password --in password.txt
----------------------------------------
Archived data into vault "http_password"
----------------------------------------
[root@system01 ~]# rm password.txt
rm: remove regular file 'password.txt'? y
[root@system01 ~]# ipa vault-retrieve http_password
ipa: ERROR: No archived data.
[root@system01 ~]# 
```

Thanks for taking a look!

Comment 4 Petr Vobornik 2017-03-28 15:25:01 UTC
This bug will probably need also mod_auth_gssapi bump.

Comment 6 Nikhil Dehadrai 2017-04-13 13:29:39 UTC
ipa server: ipa-server-4.5.0-5.el7.x86_64

Tested the bug for DS-migration process over ldpas and had following observations.

[root@auto-hv-01-guest10 ~]# sed -i 's/ca.crt/remoteds.crt/g' /etc/openldap/ldap.conf
[root@auto-hv-01-guest10 ~]# service httpd restart
Redirecting to /bin/systemctl restart httpd.service
[root@auto-hv-01-guest10 ~]# echo Secret123 | ipa migrate-ds --user-container="ou=People,dc=example,dc=com" --group-container="ou=groups,dc=example,dc=com" ldaps://auto-hv-01-guest05.testrelm.test:636
-----------
migrate-ds:
-----------
Migration mode is disabled.
Use 'ipa config-mod --enable-migration=TRUE' to enable it.
[root@auto-hv-01-guest10 ~]# ipa config-mod --enable-migration=TRUE
  Maximum username length: 32
  Home directory base: /home
  Default shell: /bin/sh
  Default users group: ipausers
  Default e-mail domain: testrelm.test
  Search time limit: 2
  Search size limit: 100
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: TRUE
  Certificate Subject base: O=TESTRELM.TEST
  Password Expiration Notification (days): 4
  Password plugin features: AllowNThash, KDC:Disable Last Success
  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
  Default SELinux user: unconfined_u:s0-s0:c0.c1023
  Default PAC types: MS-PAC, nfs:NONE
  IPA masters: auto-hv-01-guest10.testrelm.test
  IPA CA servers: auto-hv-01-guest10.testrelm.test
  IPA NTP servers: auto-hv-01-guest10.testrelm.test
  IPA CA renewal master: auto-hv-01-guest10.testrelm.test
[root@auto-hv-01-guest10 ~]# echo Secret123 | ipa migrate-ds --user-container="ou=People,dc=example,dc=com" --group-container="ou=groups,dc=example,dc=com" ldaps://auto-hv-01-guest05.testrelm.test:636
ipa: ERROR: cannot connect to 'ldaps://auto-hv-01-guest05.testrelm.test:636': 

[root@auto-hv-01-guest10 var]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28
[root@auto-hv-01-guest10 var]# 

Thus on the basis of above observation changing status of bug to "ASSIGNED"

Comment 14 Nikhil Dehadrai 2017-05-03 12:45:52 UTC
ipa-server version: ipa-server-4.5.0-9.el7.x86_64
DS Server version: 
389-ds-base-libs-1.3.6.1-9.el7.x86_64
389-ds-base-1.3.6.1-9.el7.x86_64
389-ds-base-debuginfo-1.3.6.1-9.el7.x86_64

Tested the bug for migration of DS to IPA server with following observations:

1. Verified that migration over ldaps runs successfully.
2. Refer the following console output:

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: migration over ldaps
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Command 'sed -i 's/ca.crt/remoteds.crt/g' /etc/openldap/ldap.conf' (Expected 0, got 0)
:: [   PASS   ] :: Restarting httpd (Expected 0, got 0)
:: [   LOG    ] :: EXECUTING: ipa migrate-ds --with-compat --user-container="ou=People,dc=example,dc=com" --group-container="ou=groups,dc=example,dc=com" ldaps://DSserver.testrelm.test:636
:: [   PASS   ] :: Command 'ipa-compat-manage disable' (Expected 0,1, got 1)
:: [   PASS   ] :: Command 'ipactl restart' (Expected 0, got 0)
:: [   PASS   ] :: Command 'echo Secret123 | ipa migrate-ds --user-container="ou=People,dc=example,dc=com" --group-container="ou=groups,dc=example,dc=com" ldaps://DSserver.testrelm.test:636 --ca-cert-file=/etc/ipa/remoteds.crt' (Expected 0, got 0)
:: [   PASS   ] :: Verifying puser1 was migrated (Expected 0, got 0)
:: [   PASS   ] :: Verifying 'puser2' was migrated (Expected 0, got 0)
:: [   PASS   ] :: Verifying 'philomena_hazen' was migrated (Expected 0, got 0)
:: [   PASS   ] :: Verifying group 'group1' was migrated (Expected 0, got 0)
:: [   PASS   ] :: Verifying group 'group2' was migrated (Expected 0, got 0)
:: [   LOG    ] :: Cleaning up migrated users
:: [   LOG    ] :: Duration: 52s
:: [   LOG    ] :: Assertions: 10 good, 0 bad
:: [   PASS   ] :: RESULT: migration over ldaps


Thus on the basis of above observations marking the status of bug to "VERIFIED"

Comment 16 errata-xmlrpc 2017-08-01 09:46:16 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304


Note You need to log in before you can comment on or make changes to this bug.