Bug 1437951 - Remove pkinit-related options from server/replica-install on DL0
Summary: Remove pkinit-related options from server/replica-install on DL0
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.4
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: IPA Maintainers
QA Contact: Scott Poore
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-03-31 14:11 UTC by Petr Vobornik
Modified: 2017-08-01 09:47 UTC (History)
6 users (show)

Fixed In Version: ipa-4.5.0-5.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-08-01 09:47:49 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:2304 normal SHIPPED_LIVE ipa bug fix and enhancement update 2017-08-01 12:41:35 UTC

Description Petr Vobornik 2017-03-31 14:11:35 UTC
Cloned from upstream: https://pagure.io/freeipa/issue/6801

pkinit is not allowed on DL0 so new master/replica installations should not allow any PKINIT options to be set and should force `--no-pkinit`.

Comment 2 Petr Vobornik 2017-03-31 14:11:50 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/6801

Comment 3 Petr Vobornik 2017-03-31 14:12:46 UTC
master:
    6cda1509a68d7a21578280d381a6b9e994fd4f49 Fix the order of cert-files check
    9e3ae785ac9b62b8e0809a4aa56363c458316135 Don't allow setting pkinit-related options on DL0
    8af884d0489d5d57895959d27ca6eb8815c6c922 replica-prepare man: remove pkinit option refs
    fe7cf1e854b7dc28861455011091df3cbe45abe9 Remove redundant option check for cert files

ipa-4-5:
    497e766427b3ced865ff88a51cd0c2c96e8b24f9 Fix the order of cert-files check
    a1ad1ffa3540da4b5d5c1963b3818d9c9260e1a2 Don't allow setting pkinit-related options on DL0
    85720b6bdc764b98dd471799ccc1045e1379709e replica-prepare man: remove pkinit option refs
    8f7b6c349f4e81e88ef36f014e26de6b1f3f3e41 Remove redundant option check for cert files

Comment 5 Scott Poore 2017-05-25 00:22:52 UTC
How can I attempt to install a master with DL0 with pkinit options?  I thought those weren't introduced until 4.5.  So can I attempt a DL0 Master install somehow with those or is this really just for replica installs?

Thanks,
Scott

Comment 6 Scott Poore 2017-05-25 02:17:45 UTC
Testing on a replica.  Just checking that this is the intended behavior?

I setup a RHEL6.9 IPA Master and ran 

[root@rhel6-1 ~]# ipa-replica-prepare --ip-address=192.168.122.73 --reverse-zone=122.168.192.in-addr.arpa. rhel7-3.example.com
Directory Manager (existing master) password: 

Preparing replica for rhel7-3.example.com from rhel6-1.example.com
Creating SSL certificate for the Directory Server
Creating SSL certificate for the dogtag Directory Server
Creating SSL certificate for the Web Server
Exporting RA certificate
Copying additional files
Finalizing configuration
Packaging replica information into /var/lib/ipa/replica-info-rhel7-3.example.com.gpg
Adding DNS records for rhel7-3.example.com
Using reverse zone 122.168.192.in-addr.arpa.

...

Checking that pkinit options don't work for 

[root@rhel7-3 ~]# ipa-replica-install --setup-ca --setup-dns --forwarder=192.168.122.1 -w Secret123 -n example.com -r EXAMPLE.COM -P Secret123 --pkinit-cert-file=/dev/null --pkinit-pin=123456 --pkinit-cert-name=KDC /var/lib/ipa/replica-info-rhel7-3.example.com.gpg 
Usage: ipa-replica-install [options] [REPLICA_FILE]

ipa-replica-install: error: pkinit on domain level 0 is not supported. Please don't use any pkinit-related options.
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR    The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information

Comment 7 Petr Vobornik 2017-05-25 12:31:47 UTC
Domain level 0 master can also be a IPA 4.5 upgraded from IPA 4.2 or IPA 4.4 (which was still on domain level 0).  

Alternative, quick, but not supported option is to use undocumented '--domain-level 0' option to test this without upgrading.

Comment 9 Scott Poore 2017-05-25 15:37:54 UTC
Verified.

Version ::

ipa-server-4.5.0-13.el7.x86_64

Results ::

Since we can't run ipa-server-install on IPA 4.5 after it was already run on 4.2 and then upgraded, we are focused here on the replica-install on domain level 0.

See comment #6

Comment 10 errata-xmlrpc 2017-08-01 09:47:49 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304


Note You need to log in before you can comment on or make changes to this bug.