Bug 1638545 - ipa-advise command points to old URLs.
Summary: ipa-advise command points to old URLs.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.5
Hardware: All
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: IPA Maintainers
QA Contact: ipa-qe
URL:
Whiteboard:
Depends On:
Blocks: 1658287
Reported: 2018-10-11 21:08 UTC by Gaurav Swami
Modified: 2019-08-06 13:09 UTC (History)

Fixed In Version: ipa-4.6.5-1.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 1658287
Environment:
Last Closed: 2019-08-06 13:09:16 UTC
Target Upstream Version:




Links: Red Hat Product Errata RHBA-2019:2241 (last updated 2019-08-06 13:09:37 UTC)

Description Gaurav Swami 2018-10-11 21:08:57 UTC
Description of problem:

The scripts generated by ipa-advise call:

https://fedoraproject.org/authconfig/browser/cacertdir_rehash?format=txt

The above page no longer exists and redirects to:
https://fedoraproject.org/wiki/Infrastructure/Fedorahosted-retirement?format=txt

Version-Release number of selected component (if applicable):

# ipa --version
VERSION: 4.5.4, API_VERSION: 2.228

How reproducible:

Steps to Reproduce:

1. Run ipa-advise command.

Actual results:

The script points to the non-working URL.

Expected results:

The script should point to the working URL.


Additional info:

Comment 2 Gaurav Swami 2018-10-11 21:21:22 UTC
Steps to Reproduce:

1. Run ipa-advise command.

---------
[root@rhel7-ipa-1 ~]# ipa-advise config-generic-linux-sssd-before-1-9
#!/bin/sh
# ----------------------------------------------------------------------
# Instructions for configuring a system with an old version of SSSD
# (1.5-1.8) as a IPA client. This set of instructions is targeted for
# linux systems that do not include the authconfig utility.
# ----------------------------------------------------------------------
trying https://rhel7-ipa-1.gsslab.pnq.redhat.com/ipa/session/json
[try 1]: Forwarding 'compat_is_enabled/1' to json server 'https://rhel7-ipa-1.gsslab.pnq.redhat.com/ipa/session/json'
# Schema Compatibility plugin has not been configured on this server. To
# configure it, run "ipa-adtrust-install --enable-compat"
# Install required packages using your system's package manager. E.g:
apt-get -y install sssd curl openssl

# Please note that this script assumes /etc/openldap/cacerts as the
# default CA certificate location. If this value is different on your
# system the script needs to be modified accordingly.
# Download the CA certificate of the IPA server
mkdir -p -m 755 /etc/openldap/cacerts
curl http://rhel7-ipa-1.gsslab.pnq.redhat.com/ipa/config/ca.crt -o /etc/openldap/cacerts/ipa.crt

# Generate hashes for the openldap library
command -v cacertdir_rehash
if [ $? -ne 0 ] ; then
 curl "https://fedorahosted.org/authconfig/browser/cacertdir_rehash?format=txt" -o cacertdir_rehash ;
 chmod 755 ./cacertdir_rehash ;
 ./cacertdir_rehash /etc/openldap/cacerts/ ;
else
 cacertdir_rehash /etc/openldap/cacerts/ ;
fi

# Configure ldap.conf. Set the value of TLS_CACERTDIR to
# /etc/openldap/cacerts. Make sure that the location of ldap.conf file
# matches your system's configuration.
echo "TLS_CACERTDIR /etc/openldap/cacerts" >> /etc/ldap/ldap.conf

# Configure nsswitch.conf. Append sss to the lines beginning with passwd
# and group.
grep "^passwd.*sss" /etc/nsswitch.conf
if [ $? -ne 0 ] ; then sed -i '/^passwd/s|$| sss|' /etc/nsswitch.conf ; fi
grep "^group.*sss" /etc/nsswitch.conf
if [ $? -ne 0 ] ; then sed -i '/^group/s|$| sss|' /etc/nsswitch.conf ; fi

# Configure PAM. Configuring the PAM stack differs on particular
# distributions. The resulting PAM stack should look like this:
cat > /etc/pam.conf << EOF 
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

EOF

# Configure SSSD
cat > /etc/sssd/sssd.conf << EOF 
[sssd]
services = nss, pam
config_file_version = 2
domains = default
re_expression = (?P<name>.+)

[domain/default]
cache_credentials = True
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://rhel7-ipa-1.gsslab.pnq.redhat.com
ldap_search_base = cn=compat,dc=gsslab,dc=pnq,dc=redhat,dc=com
ldap_tls_cacert = /etc/openldap/cacerts/ipa.crt

EOF
chmod 0600 /etc/sssd/sssd.conf

# Start SSSD
service sssd start
[root@rhel7-ipa-1 ~]# 
---------



------------
[root@rhel7-ipa-1 ~]# ipa-advise config-redhat-sssd-before-1-9
#!/bin/sh
# ----------------------------------------------------------------------
# Instructions for configuring a system with an old version of SSSD
# (1.5-1.8) as a IPA client. This set of instructions is targeted for
# platforms that include the authconfig utility, which are all Red Hat
# based platforms.
# ----------------------------------------------------------------------
trying https://rhel7-ipa-1.gsslab.pnq.redhat.com/ipa/session/json
[try 1]: Forwarding 'compat_is_enabled/1' to json server 'https://rhel7-ipa-1.gsslab.pnq.redhat.com/ipa/session/json'
# Schema Compatibility plugin has not been configured on this server. To
# configure it, run "ipa-adtrust-install --enable-compat"
# Install required packages via yum
yum install -y sssd authconfig curl openssl

# NOTE: IPA certificate uses the SHA-256 hash function. SHA-256 was
# introduced in RHEL5.2. Therefore, clients older than RHEL5.2 will not
# be able to interoperate with IPA server 3.x.
# Please note that this script assumes /etc/openldap/cacerts as the
# default CA certificate location. If this value is different on your
# system the script needs to be modified accordingly.
# Download the CA certificate of the IPA server
mkdir -p -m 755 /etc/openldap/cacerts
curl http://rhel7-ipa-1.gsslab.pnq.redhat.com/ipa/config/ca.crt -o /etc/openldap/cacerts/ipa.crt

# Generate hashes for the openldap library
command -v cacertdir_rehash
if [ $? -ne 0 ] ; then
 curl "https://fedorahosted.org/authconfig/browser/cacertdir_rehash?format=txt" -o cacertdir_rehash ;
 chmod 755 ./cacertdir_rehash ;
 ./cacertdir_rehash /etc/openldap/cacerts/ ;
else
 cacertdir_rehash /etc/openldap/cacerts/ ;
fi

# Use the authconfig to configure nsswitch.conf and the PAM stack
authconfig --updateall --enablesssd --enablesssdauth

# Configure SSSD
cat > /etc/sssd/sssd.conf << EOF 
[sssd]
services = nss, pam
config_file_version = 2
domains = default
re_expression = (?P<name>.+)

[domain/default]
cache_credentials = True
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://rhel7-ipa-1.gsslab.pnq.redhat.com
ldap_search_base = cn=compat,dc=gsslab,dc=pnq,dc=redhat,dc=com
ldap_tls_cacert = /etc/openldap/cacerts/ipa.crt

EOF
chmod 0600 /etc/sssd/sssd.conf

# Start SSSD
service sssd start
[root@rhel7-ipa-1 ~]# 
------------

Comment 3 Rob Crittenden 2018-10-11 21:25:18 UTC
/sbin/cacertdir_rehash is provided by authconfig so I wonder if it is ever reaching the curl command.
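Added here as an example, not part of this bug report or of the ipa-advise output above: two hypothetical shell functions for the fallback branch of the generated script. The first refuses to run a downloaded helper unless it really is a shell script (the retired fedorahosted URL answered with an HTML page, which the script would have chmod'ed and executed); the second builds the OpenLDAP hash symlinks locally with openssl, so no helper needs to be fetched at all. Function names and the assumption that openssl is on the PATH are mine.

```shell
#!/bin/sh
# Added example, not part of the bug report or of ipa-advise. It replaces the
# generated script's fallback ("curl URL -o cacertdir_rehash; chmod 755;
# ./cacertdir_rehash") with two defensive pieces. The retired fedorahosted
# URL returned an HTML page, which the fallback would have chmod'ed and run.
# Function names are hypothetical.

# Exit 0 only if FILE starts with a shell shebang and its first lines carry
# no HTML markup; refuse anything else before it is made executable.
verify_helper_script() {
    f="$1"
    [ -s "$f" ] || return 1
    head -n 1 "$f" | grep -Eq '^#!.*/(env )?(ba|da)?sh( |$)' || return 1
    if head -n 20 "$f" | grep -Eqi '<html|<!doctype'; then
        return 1
    fi
    return 0
}

# Local stand-in for cacertdir_rehash: build the <subject-hash>.<n> symlinks
# that OpenLDAP's TLS_CACERTDIR lookup needs (new and old-style hash), using
# only the openssl binary the generated script already installs. Existing
# symlinks in DIR are rebuilt; regular files are never touched.
rehash_cacertdir() {
    dir="$1"
    find "$dir" -maxdepth 1 -type l -exec rm -f {} +
    for cert in "$dir"/*.crt "$dir"/*.pem; do
        [ -f "$cert" ] || continue
        # skip files that are not X.509 certificates (keys, notes, HTML)
        openssl x509 -noout -in "$cert" 2>/dev/null || continue
        for h in $(openssl x509 -noout -hash -in "$cert") \
                 $(openssl x509 -noout -subject_hash_old -in "$cert"); do
            n=0
            while [ -e "$dir/$h.$n" ]; do n=$((n + 1)); done
            ln -s "$(basename "$cert")" "$dir/$h.$n"
        done
    done
}
```

Run `verify_helper_script ./cacertdir_rehash || exit 1` before the `chmod 755`, or drop the download entirely and call `rehash_cacertdir /etc/openldap/cacerts/` in its place.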

Comment 5 Petr Vobornik 2018-10-12 12:14:14 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/7731

Comment 6 Florence Blanc-Renaud 2018-10-23 08:25:20 UTC
Fixed upstream
master:
https://pagure.io/freeipa/c/0e22314c9bafb684e5e18f7d3937dfc7e04c8561

Comment 11 Sumedh Sidhaye 2019-06-12 11:24:03 UTC
Build used for verification:

[root@qe-blade-10 ~]# rpm -qa ipa-server
ipa-server-4.6.5-9.el7.x86_64
[root@qe-blade-10 ~]# 

[root@qe-blade-10 ~]# ipa-advise config-generic-linux-sssd-before-1-9
#!/bin/sh
# ----------------------------------------------------------------------
# Instructions for configuring a system with an old version of SSSD
# (1.5-1.8) as a IPA client. This set of instructions is targeted for
# linux systems that do not include the authconfig utility.
# ----------------------------------------------------------------------
trying https://qe-blade-10.testrelm.test/ipa/session/json
[try 1]: Forwarding 'compat_is_enabled/1' to json server 'https://qe-blade-10.testrelm.test/ipa/session/json'
# Schema Compatibility plugin has not been configured on this server. To
# configure it, run "ipa-adtrust-install --enable-compat"
# Install required packages using your system's package manager. E.g:
apt-get -y install sssd curl openssl

# Please note that this script assumes /etc/openldap/cacerts as the
# default CA certificate location. If this value is different on your
# system the script needs to be modified accordingly.
# Download the CA certificate of the IPA server
mkdir -p -m 755 /etc/openldap/cacerts
curl http://qe-blade-10.testrelm.test/ipa/config/ca.crt -o /etc/openldap/cacerts/ipa.crt

# Generate hashes for the openldap library
command -v cacertdir_rehash
if [ $? -ne 0 ] ; then
 curl "https://pagure.io/authconfig/raw/master/f/cacertdir_rehash" -o cacertdir_rehash ;
 chmod 755 ./cacertdir_rehash ;
 ./cacertdir_rehash /etc/openldap/cacerts/ ;
else
 cacertdir_rehash /etc/openldap/cacerts/ ;
fi

# Configure ldap.conf. Set the value of TLS_CACERTDIR to
# /etc/openldap/cacerts. Make sure that the location of ldap.conf file
# matches your system's configuration.
echo "TLS_CACERTDIR /etc/openldap/cacerts" >> /etc/ldap/ldap.conf

# Configure nsswitch.conf. Append sss to the lines beginning with passwd
# and group.
grep "^passwd.*sss" /etc/nsswitch.conf
if [ $? -ne 0 ] ; then sed -i '/^passwd/s|$| sss|' /etc/nsswitch.conf ; fi
grep "^group.*sss" /etc/nsswitch.conf
if [ $? -ne 0 ] ; then sed -i '/^group/s|$| sss|' /etc/nsswitch.conf ; fi

# Configure PAM. Configuring the PAM stack differs on particular
# distributions. The resulting PAM stack should look like this:
cat > /etc/pam.conf << EOF 
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

EOF

# Configure SSSD
cat > /etc/sssd/sssd.conf << EOF 
[sssd]
services = nss, pam
config_file_version = 2
domains = default
re_expression = (?P<name>.+)

[domain/default]
cache_credentials = True
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://qe-blade-10.testrelm.test
ldap_search_base = cn=compat,dc=testrelm,dc=test
ldap_tls_cacert = /etc/openldap/cacerts/ipa.crt

EOF
chmod 0600 /etc/sssd/sssd.conf

# Start SSSD
service sssd start



Based on the above observations, marking this bugzilla verified.

Comment 13 errata-xmlrpc 2019-08-06 13:09:16 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2241

