Bug 1477870 - IPA Installation fails when kdcproxy user is not present
Summary: IPA Installation fails when kdcproxy user is not present
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: IPA Maintainers
QA Contact: ipa-qe
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-08-03 06:18 UTC by Abhijeet Kasurde
Modified: 2017-09-06 05:14 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-09-05 16:40:16 UTC
Target Upstream Version:
Embargoed:



Description Abhijeet Kasurde 2017-08-03 06:18:19 UTC
Description of problem:
If user kdcproxy is not available or deleted, then IPA server installation fails while restarting HTTPD server.

  [18/22]: create KDC proxy config
  [19/22]: enable KDC proxy
  [20/22]: starting httpd
  [error] CalledProcessError: Command '/bin/systemctl start httpd.service' returned non-zero exit status 1
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR    Command '/bin/systemctl start httpd.service' returned non-zero exit status 1
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR    The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information


Version-Release number of selected component (if applicable):
ipa-server-4.5.0-21.el7_4.1.x86_64

How reproducible:
100%

Steps to Reproduce:
1. userdel kdcproxy
2. ipa-server-install

Actual results:
Installation fails as script fails to restart httpd server. 

Expected results:
Installation should create kdcproxy user or check existence of user before proceeding.

Additional info:
I remember the script used to create the kdcproxy user, but due to some change, the RPM installation creates the kdcproxy user.

Comment 2 Abhijeet Kasurde 2017-08-03 06:25:56 UTC
# id kdcproxy
uid=386(kdcproxy) gid=385(kdcproxy) groups=385(kdcproxy)
# userdel kdcproxy
# rpm -e ipa-server ipa-server-dns
# id kdcproxy
id: kdcproxy: no such user
# yum install -y ipa-server ipa-server-dns
---snipped---
Warning: RPMDB altered outside of yum.
  Installing : ipa-server-4.5.0-21.el7_4.1.x86_64                                                                           1/2
  Installing : ipa-server-dns-4.5.0-21.el7_4.1.noarch                                                                       2/2
  Verifying  : ipa-server-4.5.0-21.el7_4.1.x86_64                                                                           1/2
  Verifying  : ipa-server-dns-4.5.0-21.el7_4.1.noarch                                                                       2/2

Installed:
  ipa-server.x86_64 0:4.5.0-21.el7_4.1                         ipa-server-dns.noarch 0:4.5.0-21.el7_4.1

Complete!
# id kdcproxy
uid=386(kdcproxy) gid=385(kdcproxy) groups=385(kdcproxy)

If the kdcproxy user is added, installation succeeds.

Comment 3 Petr Vobornik 2017-08-11 19:23:08 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/7101

Comment 4 Standa Laznicka 2017-09-05 11:52:10 UTC
Why would you remove the kdcproxy user?

Comment 5 Abhijeet Kasurde 2017-09-05 14:29:12 UTC
(In reply to Stanislav Laznicka from comment #4)
> Why would you remove the kdcproxy user?

This is part of a negative test case. Imagine if the kdcproxy user is deleted by a system administrator: then installation would fail and there is no way to find out why installation failed.

Comment 6 Standa Laznicka 2017-09-05 15:12:48 UTC
(In reply to Abhijeet Kasurde from comment #5)
> (In reply to Stanislav Laznicka from comment #4)
> > Why would you remove the kdcproxy user?
> 
> This is part of negative testcase. Imagine, if kdcproxy user is deleted by
> system administrator then installation would fail and there is no way to
> find why installation failed.

You can just as well do, e.g. `# chmod 006 /usr/libexec/ipa/certmonger/renew_ra_cert` and be surprised that RA cert renewal is not working.

You can also remove the kdcproxy user at any time FreeIPA is installed and the service restart would probably fail just as well. You can remove the ipaapi user at any time IPA is installed and everything will go to ruins.

So no, I don't think this is a valid testcase.

Also, I removed the private tag of your comment, we are having an open discussion here, please, keep it that way.

Comment 7 Standa Laznicka 2017-09-05 15:19:38 UTC
That chmod in comment 6 is probably a bad example, but you get the picture.

Comment 8 Standa Laznicka 2017-09-05 16:40:16 UTC
One thing to note here - you can make this invalid testcase into a valid one by removing the kdcproxy user before you install the ipa packages, but definitely not after you install them. In that case, however, the installation won't (shouldn't) fail for you.
Thus closing this as NOTABUG.

Comment 9 Abhijeet Kasurde 2017-09-06 05:14:46 UTC
I totally disagree with this, as I feel you cannot predict/assume/force the user environment. The least we can do is check whether the kdcproxy user exists and, depending upon that, perform some action. Giving a traceback is not a good thing.
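
The check asked for under "Expected results" and again in comment 9, sketched as an added example; it is not part of this bug report and not FreeIPA's own code. The names `REQUIRED_ACCOUNTS`, `account_problems` and `preflight` are hypothetical, and the account list is an assumption drawn only from the users named in this thread (kdcproxy, ipaapi).

```python
import grp
import pwd

# Accounts named in this bug thread; the list is an assumption, not FreeIPA's own.
REQUIRED_ACCOUNTS = ("kdcproxy", "ipaapi")


def account_problems(names, getpwnam=pwd.getpwnam, getgrgid=grp.getgrgid):
    """Return {name: reason} for every account that is missing or whose
    primary group does not resolve. Lookups are injectable for testing."""
    problems = {}
    for name in names:
        try:
            entry = getpwnam(name)
        except KeyError:
            problems[name] = "no such user"
            continue
        try:
            getgrgid(entry.pw_gid)
        except KeyError:
            problems[name] = "primary group gid=%d does not exist" % entry.pw_gid
    return problems


def preflight(names=REQUIRED_ACCOUNTS, **lookups):
    """Raise a readable error before any service is configured or started,
    instead of surfacing a CalledProcessError from 'systemctl start httpd'."""
    problems = account_problems(names, **lookups)
    if problems:
        details = "; ".join("%s: %s" % (n, problems[n]) for n in sorted(problems))
        raise RuntimeError(
            "required system accounts are unusable (%s); "
            "reinstall the IPA packages that create them" % details
        )


if __name__ == "__main__":
    import sys
    try:
        preflight()
    except RuntimeError as err:
        sys.exit("pre-install check failed: %s" % err)
    print("all required accounts present")
```

Run before `ipa-server-install`, this turns the failure at step [20/22] into a message that names the missing account.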

