Bug 1477870 - IPA Installation fails when kdcproxy user is not present
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.4
Severity: unspecified
Assigned To: IPA Maintainers
QA Contact: ipa-qe

Reported: 2017-08-03 02:18 EDT by Abhijeet Kasurde
Modified: 2017-09-06 01:14 EDT
Last Closed: 2017-09-05 12:40:16 EDT
Type: Bug
Description Abhijeet Kasurde 2017-08-03 02:18:19 EDT
Description of problem:
If user kdcproxy is not available or deleted, then IPA server installation fails while restarting HTTPD server.

  [18/22]: create KDC proxy config
  [19/22]: enable KDC proxy
  [20/22]: starting httpd
  [error] CalledProcessError: Command '/bin/systemctl start httpd.service' returned non-zero exit status 1
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR    Command '/bin/systemctl start httpd.service' returned non-zero exit status 1
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR    The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information


Version-Release number of selected component (if applicable):
ipa-server-4.5.0-21.el7_4.1.x86_64

How reproducible:
100%

Steps to Reproduce:
1. userdel kdcproxy
2. ipa-server-install

Actual results:
Installation fails as script fails to restart httpd server. 

Expected results:
Installation should create kdcproxy user or check existence of user before proceeding.

Additional info:
I remember that the script used to create the kdcproxy user, but due to some change, the RPM installation creates the kdcproxy user.
Comment 2 Abhijeet Kasurde 2017-08-03 02:25:56 EDT
# id kdcproxy
uid=386(kdcproxy) gid=385(kdcproxy) groups=385(kdcproxy)
# userdel kdcproxy
# rpm -e ipa-server ipa-server-dns
# id kdcproxy
id: kdcproxy: no such user
# yum install -y ipa-server ipa-server-dns
---snipped---
Warning: RPMDB altered outside of yum.
  Installing : ipa-server-4.5.0-21.el7_4.1.x86_64                                                                           1/2
  Installing : ipa-server-dns-4.5.0-21.el7_4.1.noarch                                                                       2/2
  Verifying  : ipa-server-4.5.0-21.el7_4.1.x86_64                                                                           1/2
  Verifying  : ipa-server-dns-4.5.0-21.el7_4.1.noarch                                                                       2/2

Installed:
  ipa-server.x86_64 0:4.5.0-21.el7_4.1                         ipa-server-dns.noarch 0:4.5.0-21.el7_4.1

Complete!
# id kdcproxy
uid=386(kdcproxy) gid=385(kdcproxy) groups=385(kdcproxy)

If user kdcproxy is added, installation succeeds successfully.
Comment 3 Petr Vobornik 2017-08-11 15:23:08 EDT
Upstream ticket:
https://pagure.io/freeipa/issue/7101
Comment 4 Stanislav Laznicka 2017-09-05 07:52:10 EDT
Why would you remove the kdcproxy user?
Comment 5 Abhijeet Kasurde 2017-09-05 10:29:12 EDT
(In reply to Stanislav Laznicka from comment #4)
> Why would you remove the kdcproxy user?

This is part of a negative test case. Imagine if the kdcproxy user is deleted by a system administrator: the installation would fail and there is no way to find out why the installation failed.
Comment 6 Stanislav Laznicka 2017-09-05 11:12:48 EDT
(In reply to Abhijeet Kasurde from comment #5)
> (In reply to Stanislav Laznicka from comment #4)
> > Why would you remove the kdcproxy user?
> 
> This is part of negative testcase. Imagine, if kdcproxy user is deleted by
> system administrator then installation would fail and there is no way to
> find why installation failed.

You can just as well do, e.g. `# chmod 006 /usr/libexec/ipa/certmonger/renew_ra_cert` and be surprised that RA cert renewal is not working.

You can also remove the kdcproxy user at any time FreeIPA is installed and the service restart would probably fail just as well. You can remove the ipaapi user at any time IPA is installed and everything will go to ruins.

So no, I don't think this is a valid testcase.

Also, I removed the private tag of your comment, we are having an open discussion here, please, keep it that way.
Comment 7 Stanislav Laznicka 2017-09-05 11:19:38 EDT
That chmod in comment 6 is probably a bad example, but you get the picture.
Comment 8 Stanislav Laznicka 2017-09-05 12:40:16 EDT
One thing to note here - you can make this invalid testcase into a valid one by removing the kdcproxy user before you install the ipa packages, but definitely not after you install them. In that case, however, the installation won't (shouldn't) fail for you.
Thus closing this as NOTABUG.
Comment 9 Abhijeet Kasurde 2017-09-06 01:14:46 EDT
I totally disagree with this, as I feel you cannot predict/assume/force the user environment. The least we can do is check whether the kdcproxy user exists and, depending on that, perform some action. Giving a traceback is not a good thing.
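
The existence check discussed in this thread can also be run by an administrator as a pre-flight step before `ipa-server-install`. The script below is an added example, not part of the original bug report and not FreeIPA code; the function names and the `PASSWD_FILE` override are assumptions made for illustration, and `kdcproxy` and `ipaapi` are the two accounts named in the comments above.

```shell
#!/bin/sh
# Added example: pre-flight check for the service accounts named in this bug.
# Function names and the PASSWD_FILE override are hypothetical helpers.

# lookup_user NAME: succeed if the account exists.
# With PASSWD_FILE set, read that file instead of the system database
# (lets the check run offline against a constructed passwd file).
lookup_user() {
    if [ -n "${PASSWD_FILE:-}" ]; then
        # Exact match on the first field, so "kdcproxy2" does not satisfy "kdcproxy".
        awk -F: -v u="$1" '$1 == u { found = 1 } END { exit !found }' "$PASSWD_FILE"
    else
        getent passwd "$1" >/dev/null
    fi
}

# missing_accounts NAME...: print the space-separated names that do not exist.
missing_accounts() {
    missing=""
    for acct in "$@"; do
        if ! lookup_user "$acct" 2>/dev/null; then
            missing="${missing:+$missing }$acct"
        fi
    done
    printf '%s' "$missing"
}

# preflight: return 0 when both accounts exist; otherwise name the missing
# ones on stderr and return 1, instead of failing later at "starting httpd".
preflight() {
    m=$(missing_accounts kdcproxy ipaapi)
    if [ -n "$m" ]; then
        echo "Missing service account(s): $m" >&2
        echo "Restore them before running ipa-server-install." >&2
        return 1
    fi
    return 0
}

# Typical use (not executed here):  preflight && ipa-server-install
```

Comment 2 shows that reinstalling the `ipa-server` package recreated the `kdcproxy` account, which is one way to restore it when this check fails.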
