Bug 1467675 - Login fails at WebUi for replica server setup using ipa-server-docker image
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa-server-container (Show other bugs)
7.4
Assigned To: Petr Vobornik
Nikhil Dehadrai
: Extras, Regression
Depends On:
Blocks: 1469246
Reported: 2017-07-04 10:14 EDT by Nikhil Dehadrai
Modified: 2017-08-01 09:20 EDT (History)

See Also:
Fixed In Version: rhel7/ipa-server:4.5.0-7
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1469246 (view as bug list)
Environment:
Last Closed: 2017-08-01 09:20:32 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments
ipa-replica fails with ipa-docker image. (186.03 KB, image/png)
2017-07-04 10:14 EDT, Nikhil Dehadrai
login successful for Replica server on RHEL system (78.32 KB, image/png)
2017-07-04 10:15 EDT, Nikhil Dehadrai

Description Nikhil Dehadrai 2017-07-04 10:14:44 EDT
Created attachment 1294229 [details]
ipa-replica fails with ipa-docker image.

Description of problem:
Login fails at WebUi for replica server setup using ipa-server-docker image

Version-Release number of selected component (if applicable):
ipa-server-4.5.0-20.el7.x86_64
ipa-server image: ipa-server-docker-4.5.0-5


How reproducible:
Always

Steps to Reproduce:
1. Setup ipa master using ipa-docker image.
# atomic install --name ipa-server-container rhel7/ipa-server net-host --hostname=`hostname` --setup-dns --ip-address=<ip address> --forwarder=1x.x.x.-r TESTRELm.TEST -a Secret123 -p Secret123 --no-ntp -U
 
2. Configure ipa-replica using ipa-docker image
# atomic install --name ipa-replica-container rhel7/ipa-server net-host ipa-replica-install --setup-dns --setup-ca --server=ipa-server.testrelm.test --domain testrelm.test --forwarder=1x.x.x.x --admin-password Secret123 --principal admin -U
 
3. Start the ipa-replica container configured.
4. Now try accessing the WebUi for IPA-master.
5. Now try accessing the WebUi for IPA-replica.

Actual results:
1. After step 4, login to ipa-master is successful.
2. After step 5, login to ipa-replica fails with error "Login failed due to unknown reason".

Expected results:
The login should be successful for ipa-replica configured using ipa-docker image.

Additional info:
The login for ipa-replica configured on RHEL system is successful.
Comment 2 Nikhil Dehadrai 2017-07-04 10:15 EDT
Created attachment 1294230 [details]
login successful for Replica server on RHEL system
Comment 7 Martin Babinsky 2017-07-10 13:19:16 EDT
The root cause seems to be that on replica container the /var/run/ipa/ccaches directory is not created which makes it impossible for Kerberos library to store both armor and user ccaches:

```
args=/usr/bin/kinit -n -c /var/run/ipa/ccaches/armor_580 -X X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
[Mon Jul 10 16:45:58.869812 2017] [:error] [pid 580] ipa: DEBUG: Process finished, return code=1
[Mon Jul 10 16:45:58.869897 2017] [:error] [pid 580] ipa: DEBUG: stdout=
[Mon Jul 10 16:45:58.869950 2017] [:error] [pid 580] ipa: DEBUG: stderr=kinit: Failed to store credentials: No credentials cache found (filename: /var/run/ipa/ccaches/armor_580) while getting initial credentials
```

This means that for some reason the directory either is not created (and fails silently) at the beginning of replica installation, or it is being removed in some subsequent step. Incidentally, while /etc/tmpfiles.d/ipa.conf exists on the master container, it is absent on the replica. I need more time to investigate why this happens; I currently have no idea why the replica behaves differently from the master.
Comment 8 Martin Babinsky 2017-07-10 13:29:05 EDT
After poking around the code I have found out that the issue is indeed in IPA code. For some reason the tmpfiles.d configuration is modified at runtime during server/replica install, but the configuration on the replica side is incomplete and does not work.

I will clone this BZ to ipa-server.
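A pre-flight check for the failure mode diagnosed in comments 7 and 8, added here as an example; it is not code from this bug or from FreeIPA. It takes the ccache directory and the tmpfiles.d file as parameters (defaults are the paths quoted in the comments) so it can be pointed at a container's root filesystem, and it distinguishes "directory missing and no tmpfiles.d entry" (the replica symptom) from "declared but not yet created" (recoverable with `systemd-tmpfiles --create`).

```shell
#!/bin/sh
# Check that the directory the Web UI login path uses for armor and user
# ccaches ("kinit -n -c /var/run/ipa/ccaches/armor_<pid> ...") exists,
# and if not, say why. Return codes:
#   0 directory exists and is writable
#   2 directory exists but is not writable by the current user
#   3 directory missing and the tmpfiles.d file is absent
#   4 directory missing but declared in tmpfiles.d (run systemd-tmpfiles)
#   5 directory missing and not declared in tmpfiles.d
ipa_ccache_check() {
    ccdir="${1:-/var/run/ipa/ccaches}"
    tmpconf="${2:-/etc/tmpfiles.d/ipa.conf}"

    if [ -d "$ccdir" ]; then
        if [ -w "$ccdir" ]; then
            echo "ok: $ccdir exists and is writable by $(id -un)"
            return 0
        fi
        echo "fail: $ccdir exists but is not writable by $(id -un)"
        return 2
    fi

    # Missing directory: this is the state that produces
    # "kinit: Failed to store credentials: No credentials cache found".
    if [ ! -f "$tmpconf" ]; then
        echo "fail: $ccdir missing and $tmpconf absent (replica-side symptom)"
        return 3
    fi

    # tmpfiles.d syntax: "<type> <path> <mode> <user> <group> <age>";
    # type d/D creates a directory at boot or on "systemd-tmpfiles --create".
    if grep -qE "^[dD][[:space:]]+${ccdir}([[:space:]]|\$)" "$tmpconf"; then
        echo "fail: $ccdir missing but declared in $tmpconf;" \
             "run: systemd-tmpfiles --create $tmpconf"
        return 4
    fi

    echo "fail: $ccdir missing and not declared in $tmpconf"
    return 5
}
```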
Comment 14 Nikhil Dehadrai 2017-07-28 09:42:58 EDT
ipa-docker image: 4.5.0.8

BIND:
bind-dyndb-ldap-11.1-4.el7.x86_64
bind-9.9.4-51.el7.x86_64

IPA-VERSION:
ipa-server-4.5.0-21.el7.x86_64

Atomic host version:
-bash-4.2# atomic host status
State: idle
Deployments:
● atomic-host:rhel-atomic-host/7/x86_64/standard
                Version: 7.4.0 (2017-07-28 00:26:01)
                 Commit: 846fb0e18e65bd9a62fc9d952627413c6467c33c2d726449a1d7ad7690bbb93a

Tested the bug with following observations:
1. Tested that when IPA and REPLICA server are set up using ipa-docker image (4.5.0.8), the server UI is accessible for both and we can log in to the server UI successfully.
2. Noticed that when IPA server and REPLICA server are set up using ipa-docker image (4.4.0.45, i.e. RHEL 7.3.z), they can be successfully upgraded to the latest version (RHEL 7.4.z) using the latest ipa-docker image (4.5.0.8). But after upgrade the user is unable to log in to the server UI for both IPA and Replica, and the same error message "Login failed due to an unknown reason." is noticed. (In my case from RHEL 7.3.z to RHEL 7.4.z.)

httpd error log:

```
[Fri Jul 28 12:46:18.524602 2017] [:error] [pid 1207] [remote x.x.x.x:76] mod_wsgi (pid=1207): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
[Fri Jul 28 12:46:18.524663 2017] [:error] [pid 1207] [remote x.x.x.x:76] Traceback (most recent call last):
[Fri Jul 28 12:46:18.524688 2017] [:error] [pid 1207] [remote x.x.x.x:76]   File "/usr/share/ipa/wsgi.py", line 51, in application
[Fri Jul 28 12:46:18.524731 2017] [:error] [pid 1207] [remote x.x.x.x:76]     return api.Backend.wsgi_dispatch(environ, start_response)
[Fri Jul 28 12:46:18.524741 2017] [:error] [pid 1207] [remote x.x.x.x:76]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 262, in __call__
[Fri Jul 28 12:46:18.524757 2017] [:error] [pid 1207] [remote x.x.x.x:76]     return self.route(environ, start_response)
[Fri Jul 28 12:46:18.524763 2017] [:error] [pid 1207] [remote x.x.x.x:76]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 274, in route
[Fri Jul 28 12:46:18.524771 2017] [:error] [pid 1207] [remote x.x.x.x:76]     return app(environ, start_response)
[Fri Jul 28 12:46:18.524789 2017] [:error] [pid 1207] [remote x.x.x.x:76]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 929, in __call__
[Fri Jul 28 12:46:18.524799 2017] [:error] [pid 1207] [remote x.x.x.x:76]     self.kinit(user_principal, password, ipa_ccache_name)
[Fri Jul 28 12:46:18.524804 2017] [:error] [pid 1207] [remote x.x.x.x:76]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 965, in kinit
[Fri Jul 28 12:46:18.524812 2017] [:error] [pid 1207] [remote x.x.x.x:76]     pkinit_anchors=[paths.KDC_CERT, paths.KDC_CA_BUNDLE_PEM],
[Fri Jul 28 12:46:18.524819 2017] [:error] [pid 1207] [remote x.x.x.x:76]   File "/usr/lib/python2.7/site-packages/ipalib/install/kinit.py", line 125, in kinit_armor
[Fri Jul 28 12:46:18.524830 2017] [:error] [pid 1207] [remote x.x.x.x:76]     run(args, env=env, raiseonerr=True, capture_error=True)
[Fri Jul 28 12:46:18.524836 2017] [:error] [pid 1207] [remote x.x.x.x:76]   File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 511, in run
[Fri Jul 28 12:46:18.524847 2017] [:error] [pid 1207] [remote x.x.x.x:76]     raise CalledProcessError(p.returncode, arg_string, str(output))
[Fri Jul 28 12:46:18.524875 2017] [:error] [pid 1207] [remote x.x.x.x:76] CalledProcessError: Command '/usr/bin/kinit -n -c /var/run/ipa/ccaches/armor_1207 -X X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem' returned non-zero exit status 1
```

Thus, on the basis of the above observations, marking the status to "ASSIGNED".
Comment 15 Nikhil Dehadrai 2017-07-31 09:12:11 EDT
ipa-docker image: 4.5.0.8

BIND:
bind-dyndb-ldap-11.1-4.el7.x86_64
bind-9.9.4-51.el7.x86_64

IPA-VERSION:
ipa-server-4.5.0-21.el7.x86_64

Atomic host version:
-bash-4.2# atomic host status
State: idle
Deployments:
● atomic-host:rhel-atomic-host/7/x86_64/standard
                Version: 7.4.0 (2017-07-28 00:26:01)
                 Commit: 846fb0e18e65bd9a62fc9d952627413c6467c33c2d726449a1d7ad7690bbb93a

Verified the bug on the basis of following observations:
1. Tested that when IPA and REPLICA server are set up using ipa-docker image (4.5.0.8), the server UI is accessible for both and we can log in to the server UI successfully for IPA Master as well as REPLICA.
2. For login to the server UI after upgrade, we have logged a separate bug, BZ#1476782.

Thus, on the basis of the above observations, marking status of bug to "VERIFIED".
Comment 17 errata-xmlrpc 2017-08-01 09:20:32 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:2373
