RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1638545 - ipa-advise command points to old URL's.
Summary: ipa-advise command points to old URL's.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.5
Hardware: All
OS: Linux
unspecified
medium
Target Milestone: rc
: ---
Assignee: IPA Maintainers
QA Contact: ipa-qe
URL:
Whiteboard:
Depends On:
Blocks: 1658287
TreeView+ depends on / blocked
 
Reported: 2018-10-11 21:08 UTC by Gaurav Swami
Modified: 2019-08-06 13:09 UTC (History)
10 users (show)

Fixed In Version: ipa-4.6.5-1.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1658287 (view as bug list)
Environment:
Last Closed: 2019-08-06 13:09:16 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:2241 0 None None None 2019-08-06 13:09:37 UTC

Description Gaurav Swami 2018-10-11 21:08:57 UTC 
Description of problem:

The scripts generated by ipa-advise call:

https://fedoraproject.org/authconfig/browser/cacertdir_rehash?format=txt

Above page redirects to as it no longer exists:
https://fedoraproject.org/wiki/Infrastructure/Fedorahosted-retirement?format=txt

Version-Release number of selected component (if applicable):

# ipa --version
VERSION: 4.5.4, API_VERSION: 2.228

How reproducible:

Steps to Reproduce:

1. Run ipa-advise command.

Actual results:

The script points to the non-working URL.

Expected results:

The script should point to the working URL.


Additional info:
Comment 2 Gaurav Swami 2018-10-11 21:21:22 UTC 
Steps to Reproduce:

1. Run ipa-advise command.

---------
[root@rhel7-ipa-1 ~]# ipa-advise config-generic-linux-sssd-before-1-9
#!/bin/sh
# ----------------------------------------------------------------------
# Instructions for configuring a system with an old version of SSSD
# (1.5-1.8) as a IPA client. This set of instructions is targeted for
# linux systems that do not include the authconfig utility.
# ----------------------------------------------------------------------
trying https://rhel7-ipa-1.gsslab.pnq.redhat.com/ipa/session/json
[try 1]: Forwarding 'compat_is_enabled/1' to json server 'https://rhel7-ipa-1.gsslab.pnq.redhat.com/ipa/session/json'
# Schema Compatibility plugin has not been configured on this server. To
# configure it, run "ipa-adtrust-install --enable-compat"
# Install required packages using your system's package manager. E.g:
apt-get -y install sssd curl openssl

# Please note that this script assumes /etc/openldap/cacerts as the
# default CA certificate location. If this value is different on your
# system the script needs to be modified accordingly.
# Download the CA certificate of the IPA server
mkdir -p -m 755 /etc/openldap/cacerts
curl http://rhel7-ipa-1.gsslab.pnq.redhat.com/ipa/config/ca.crt -o /etc/openldap/cacerts/ipa.crt

# Generate hashes for the openldap library
command -v cacertdir_rehash
if [ $? -ne 0 ] ; then
 curl "https://fedorahosted.org/authconfig/browser/cacertdir_rehash?format=txt" -o cacertdir_rehash ;
 chmod 755 ./cacertdir_rehash ;
 ./cacertdir_rehash /etc/openldap/cacerts/ ;
else
 cacertdir_rehash /etc/openldap/cacerts/ ;
fi

# Configure ldap.conf. Set the value of TLS_CACERTDIR to
# /etc/openldap/cacerts. Make sure that the location of ldap.conf file
# matches your system's configuration.
echo "TLS_CACERTDIR /etc/openldap/cacerts" >> /etc/ldap/ldap.conf

# Configure nsswitch.conf. Append sss to the lines beginning with passwd
# and group.
grep "^passwd.*sss" /etc/nsswitch.conf
if [ $? -ne 0 ] ; then sed -i '/^passwd/s|$| sss|' /etc/nsswitch.conf ; fi
grep "^group.*sss" /etc/nsswitch.conf
if [ $? -ne 0 ] ; then sed -i '/^group/s|$| sss|' /etc/nsswitch.conf ; fi

# Configure PAM. Configuring the PAM stack differs on particular
# distributions. The resulting PAM stack should look like this:
cat > /etc/pam.conf << EOF 
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

EOF

# Configure SSSD
cat > /etc/sssd/sssd.conf << EOF 
[sssd]
services = nss, pam
config_file_version = 2
domains = default
re_expression = (?P<name>.+)

[domain/default]
cache_credentials = True
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://rhel7-ipa-1.gsslab.pnq.redhat.com
ldap_search_base = cn=compat,dc=gsslab,dc=pnq,dc=redhat,dc=com
ldap_tls_cacert = /etc/openldap/cacerts/ipa.crt

EOF
chmod 0600 /etc/sssd/sssd.conf

# Start SSSD
service sssd start
[root@rhel7-ipa-1 ~]# 
---------



------------
[root@rhel7-ipa-1 ~]# ipa-advise config-redhat-sssd-before-1-9
#!/bin/sh
# ----------------------------------------------------------------------
# Instructions for configuring a system with an old version of SSSD
# (1.5-1.8) as a IPA client. This set of instructions is targeted for
# platforms that include the authconfig utility, which are all Red Hat
# based platforms.
# ----------------------------------------------------------------------
trying https://rhel7-ipa-1.gsslab.pnq.redhat.com/ipa/session/json
[try 1]: Forwarding 'compat_is_enabled/1' to json server 'https://rhel7-ipa-1.gsslab.pnq.redhat.com/ipa/session/json'
# Schema Compatibility plugin has not been configured on this server. To
# configure it, run "ipa-adtrust-install --enable-compat"
# Install required packages via yum
yum install -y sssd authconfig curl openssl

# NOTE: IPA certificate uses the SHA-256 hash function. SHA-256 was
# introduced in RHEL5.2. Therefore, clients older than RHEL5.2 will not
# be able to interoperate with IPA server 3.x.
# Please note that this script assumes /etc/openldap/cacerts as the
# default CA certificate location. If this value is different on your
# system the script needs to be modified accordingly.
# Download the CA certificate of the IPA server
mkdir -p -m 755 /etc/openldap/cacerts
curl http://rhel7-ipa-1.gsslab.pnq.redhat.com/ipa/config/ca.crt -o /etc/openldap/cacerts/ipa.crt

# Generate hashes for the openldap library
command -v cacertdir_rehash
if [ $? -ne 0 ] ; then
 curl "https://fedorahosted.org/authconfig/browser/cacertdir_rehash?format=txt" -o cacertdir_rehash ;
 chmod 755 ./cacertdir_rehash ;
 ./cacertdir_rehash /etc/openldap/cacerts/ ;
else
 cacertdir_rehash /etc/openldap/cacerts/ ;
fi

# Use the authconfig to configure nsswitch.conf and the PAM stack
authconfig --updateall --enablesssd --enablesssdauth

# Configure SSSD
cat > /etc/sssd/sssd.conf << EOF 
[sssd]
services = nss, pam
config_file_version = 2
domains = default
re_expression = (?P<name>.+)

[domain/default]
cache_credentials = True
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://rhel7-ipa-1.gsslab.pnq.redhat.com
ldap_search_base = cn=compat,dc=gsslab,dc=pnq,dc=redhat,dc=com
ldap_tls_cacert = /etc/openldap/cacerts/ipa.crt

EOF
chmod 0600 /etc/sssd/sssd.conf

# Start SSSD
service sssd start
[root@rhel7-ipa-1 ~]# 
------------
Comment 3 Rob Crittenden 2018-10-11 21:25:18 UTC 
/sbin/cacertdir_rehash is provided by authconfig so I wonder if it is ever reaching the curl command.
Comment 5 Petr Vobornik 2018-10-12 12:14:14 UTC 
Upstream ticket:
https://pagure.io/freeipa/issue/7731
Comment 6 Florence Blanc-Renaud 2018-10-23 08:25:20 UTC 
Fixed upstream
master:
https://pagure.io/freeipa/c/0e22314c9bafb684e5e18f7d3937dfc7e04c8561
Comment 7 Christian Heimes 2018-10-23 14:49:59 UTC 
Fixed upstream
ipa-4-7:
https://pagure.io/freeipa/c/9cfd07e87964f37465dd699a50444e6953291f59
ipa-4-6:
https://pagure.io/freeipa/c/9af6bb596ea98292a7228a8fb2c886fbb03ad59c
Comment 11 Sumedh Sidhaye 2019-06-12 11:24:03 UTC 
Build used for verification:

[root@qe-blade-10 ~]# rpm -qa ipa-server
ipa-server-4.6.5-9.el7.x86_64
[root@qe-blade-10 ~]# 

[root@qe-blade-10 ~]# ipa-advise config-generic-linux-sssd-before-1-9
#!/bin/sh
# ----------------------------------------------------------------------
# Instructions for configuring a system with an old version of SSSD
# (1.5-1.8) as a IPA client. This set of instructions is targeted for
# linux systems that do not include the authconfig utility.
# ----------------------------------------------------------------------
trying https://qe-blade-10.testrelm.test/ipa/session/json
[try 1]: Forwarding 'compat_is_enabled/1' to json server 'https://qe-blade-10.testrelm.test/ipa/session/json'
# Schema Compatibility plugin has not been configured on this server. To
# configure it, run "ipa-adtrust-install --enable-compat"
# Install required packages using your system's package manager. E.g:
apt-get -y install sssd curl openssl

# Please note that this script assumes /etc/openldap/cacerts as the
# default CA certificate location. If this value is different on your
# system the script needs to be modified accordingly.
# Download the CA certificate of the IPA server
mkdir -p -m 755 /etc/openldap/cacerts
curl http://qe-blade-10.testrelm.test/ipa/config/ca.crt -o /etc/openldap/cacerts/ipa.crt

# Generate hashes for the openldap library
command -v cacertdir_rehash
if [ $? -ne 0 ] ; then
 curl "https://pagure.io/authconfig/raw/master/f/cacertdir_rehash" -o cacertdir_rehash ;
 chmod 755 ./cacertdir_rehash ;
 ./cacertdir_rehash /etc/openldap/cacerts/ ;
else
 cacertdir_rehash /etc/openldap/cacerts/ ;
fi

# Configure ldap.conf. Set the value of TLS_CACERTDIR to
# /etc/openldap/cacerts. Make sure that the location of ldap.conf file
# matches your system's configuration.
echo "TLS_CACERTDIR /etc/openldap/cacerts" >> /etc/ldap/ldap.conf

# Configure nsswitch.conf. Append sss to the lines beginning with passwd
# and group.
grep "^passwd.*sss" /etc/nsswitch.conf
if [ $? -ne 0 ] ; then sed -i '/^passwd/s|$| sss|' /etc/nsswitch.conf ; fi
grep "^group.*sss" /etc/nsswitch.conf
if [ $? -ne 0 ] ; then sed -i '/^group/s|$| sss|' /etc/nsswitch.conf ; fi

# Configure PAM. Configuring the PAM stack differs on particular
# distributions. The resulting PAM stack should look like this:
cat > /etc/pam.conf << EOF 
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

EOF

# Configure SSSD
cat > /etc/sssd/sssd.conf << EOF 
[sssd]
services = nss, pam
config_file_version = 2
domains = default
re_expression = (?P<name>.+)

[domain/default]
cache_credentials = True
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://qe-blade-10.testrelm.test
ldap_search_base = cn=compat,dc=testrelm,dc=test
ldap_tls_cacert = /etc/openldap/cacerts/ipa.crt

EOF
chmod 0600 /etc/sssd/sssd.conf

# Start SSSD
service sssd start



Based on above observations marking bugzilla verified.
Comment 13 errata-xmlrpc 2019-08-06 13:09:16 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2241
Note You need to log in before you can comment on or make changes to this bug.