Bug 1437951 - Remove pkinit-related options from server/replica-install on DL0
Summary: Remove pkinit-related options from server/replica-install on DL0
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: IPA Maintainers
QA Contact: Scott Poore
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-03-31 14:11 UTC by Petr Vobornik
Modified: 2017-08-01 09:47 UTC (History)

Fixed In Version: ipa-4.5.0-5.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-08-01 09:47:49 UTC
Target Upstream Version:
Embargoed:




Links:
Red Hat Product Errata RHBA-2017:2304 (private: 0, priority: normal, status: SHIPPED_LIVE): ipa bug fix and enhancement update, last updated 2017-08-01 12:41:35 UTC

Description Petr Vobornik 2017-03-31 14:11:35 UTC
Cloned from upstream: https://pagure.io/freeipa/issue/6801

pkinit is not allowed on DL0 so new master/replica installations should not allow any PKINIT options to be set and should force `--no-pkinit`.

Comment 2 Petr Vobornik 2017-03-31 14:11:50 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/6801

Comment 3 Petr Vobornik 2017-03-31 14:12:46 UTC
master:
    6cda1509a68d7a21578280d381a6b9e994fd4f49 Fix the order of cert-files check
    9e3ae785ac9b62b8e0809a4aa56363c458316135 Don't allow setting pkinit-related options on DL0
    8af884d0489d5d57895959d27ca6eb8815c6c922 replica-prepare man: remove pkinit option refs
    fe7cf1e854b7dc28861455011091df3cbe45abe9 Remove redundant option check for cert files

ipa-4-5:
    497e766427b3ced865ff88a51cd0c2c96e8b24f9 Fix the order of cert-files check
    a1ad1ffa3540da4b5d5c1963b3818d9c9260e1a2 Don't allow setting pkinit-related options on DL0
    85720b6bdc764b98dd471799ccc1045e1379709e replica-prepare man: remove pkinit option refs
    8f7b6c349f4e81e88ef36f014e26de6b1f3f3e41 Remove redundant option check for cert files

Comment 5 Scott Poore 2017-05-25 00:22:52 UTC
How can I attempt to install a master with DL0 with pkinit options?  I thought those weren't introduced until 4.5.  So can I attempt a DL0 Master install somehow with those or is this really just for replica installs?

Thanks,
Scott

Comment 6 Scott Poore 2017-05-25 02:17:45 UTC
Testing on a replica.  Just checking that this is the intended behavior?

I set up a RHEL 6.9 IPA Master and ran

[root@rhel6-1 ~]# ipa-replica-prepare --ip-address=192.168.122.73 --reverse-zone=122.168.192.in-addr.arpa. rhel7-3.example.com
Directory Manager (existing master) password: 

Preparing replica for rhel7-3.example.com from rhel6-1.example.com
Creating SSL certificate for the Directory Server
Creating SSL certificate for the dogtag Directory Server
Creating SSL certificate for the Web Server
Exporting RA certificate
Copying additional files
Finalizing configuration
Packaging replica information into /var/lib/ipa/replica-info-rhel7-3.example.com.gpg
Adding DNS records for rhel7-3.example.com
Using reverse zone 122.168.192.in-addr.arpa.

...

Checking that pkinit options don't work for 

[root@rhel7-3 ~]# ipa-replica-install --setup-ca --setup-dns --forwarder=192.168.122.1 -w Secret123 -n example.com -r EXAMPLE.COM -P Secret123 --pkinit-cert-file=/dev/null --pkinit-pin=123456 --pkinit-cert-name=KDC /var/lib/ipa/replica-info-rhel7-3.example.com.gpg 
Usage: ipa-replica-install [options] [REPLICA_FILE]

ipa-replica-install: error: pkinit on domain level 0 is not supported. Please don't use any pkinit-related options.
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR    The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
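
The option check exercised in comment 6, as an added illustration that is not FreeIPA's own code: a small validator that refuses the pkinit flags shown above on domain level 0 and otherwise forces --no-pkinit, as the description requires. The InstallOptions class and parse_argv helper are hypothetical; the error text is the one in the transcript.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Flags ipa-replica-install must refuse on domain level 0 (bug summary)
PKINIT_OPTIONS = ("pkinit_cert_files", "pkinit_pin", "pkinit_cert_name")

# Error text as shown in the comment 6 transcript
DL0_PKINIT_ERROR = ("pkinit on domain level 0 is not supported. "
                    "Please don't use any pkinit-related options.")

class OptionError(ValueError):
    """Invalid option combination (what optparse's error() reports)."""

@dataclass
class InstallOptions:
    """Hypothetical subset of ipa-replica-install options for this bug."""
    domain_level: int
    no_pkinit: bool = False
    pkinit_cert_files: List[str] = field(default_factory=list)
    pkinit_pin: Optional[str] = None
    pkinit_cert_name: Optional[str] = None

def validate_pkinit_options(opts: InstallOptions) -> InstallOptions:
    """Reject pkinit flags on DL0 and force --no-pkinit there; DL1+ passes."""
    if opts.domain_level != 0:
        return opts
    if any(getattr(opts, name) for name in PKINIT_OPTIONS):
        raise OptionError(DL0_PKINIT_ERROR)
    # Nothing supplied: DL0 cannot do PKINIT, so act as if --no-pkinit was given
    opts.no_pkinit = True
    return opts

def parse_argv(argv: List[str], domain_level: int) -> InstallOptions:
    """Minimal parser for the flags used on this page, then validation."""
    opts = InstallOptions(domain_level=domain_level)
    for arg in argv:
        name, _, value = arg.partition("=")
        if name == "--no-pkinit":
            opts.no_pkinit = True
        elif name == "--pkinit-cert-file":
            opts.pkinit_cert_files.append(value)
        elif name == "--pkinit-pin":
            opts.pkinit_pin = value
        elif name == "--pkinit-cert-name":
            opts.pkinit_cert_name = value
    return validate_pkinit_options(opts)
```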

Comment 7 Petr Vobornik 2017-05-25 12:31:47 UTC
Domain level 0 master can also be an IPA 4.5 upgraded from IPA 4.2 or IPA 4.4 (which was still on domain level 0).

An alternative, quick, but not supported option is to use the undocumented '--domain-level 0' option to test this without upgrading.

Comment 9 Scott Poore 2017-05-25 15:37:54 UTC
Verified.

Version ::

ipa-server-4.5.0-13.el7.x86_64

Results ::

Since we can't run ipa-server-install on IPA 4.5 after it was already run on 4.2 and then upgraded, we are focused here on the replica-install on domain level 0.

See comment #6

Comment 10 errata-xmlrpc 2017-08-01 09:47:49 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304

