Bug 1658294 - ipa-replica-install allows to use --setup-adtrust without the package freeipa-server-trust-ad installed
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: ipa
Version: 8.0
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: 8.0
Assignee: IPA Maintainers
QA Contact: Kaleem
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-12-11 17:10 UTC by Thomas Woerner
Modified: 2019-06-14 01:32 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1589558
Environment:
Last Closed: 2019-06-14 01:32:01 UTC
Type: Bug
Target Upstream Version:
Embargoed:



Description Thomas Woerner 2018-12-11 17:10:52 UTC
+++ This bug was initially created as a clone of Bug #1589558 +++

Description of problem:
Trying to set up a FreeIPA replica with the --setup-adtrust command line option set makes the setup fail due to the missing freeipa-server-trust-ad package (not pulled in automatically for any package)


Version-Release number of selected component (if applicable):
freeipa-server-4.6.90.pre2

How reproducible:


Steps to Reproduce:
1. dnf install freeipa-server
2. ipa-replica-install --setup-adtrust

Actual results:
It fails in the end when it tries to restart smb, and the logs show "No builtin nor plugin backend for ipasam found"

Expected results:
Replica should be installed successfully

--- Additional comment from Alexander Bokovoy on 2018-06-10 19:00:48 UTC ---

We do the check at https://pagure.io/freeipa/blob/master/f/ipaserver/install/adtrustinstance.py#_67-77 but it doesn't include checking for the 'freeipa-server-trust-ad' package being installed -- like we are supposed to do with 'freeipa-server-dns' in https://pagure.io/freeipa/blob/master/f/ipaserver/install/dns.py#_118-120

The freeipa-server-trust-ad package has the following content:
---
$ rpm -ql freeipa-server-trust-ad
/etc/dbus-1/system.d/oddjob-ipa-trust.conf
/etc/oddjobd.conf.d/oddjobd-ipa-trust.conf
/usr/lib/.build-id
/usr/lib/.build-id/10
/usr/lib/.build-id/10/d4038f6015541ee8685be9238d46328c7d869e
/usr/lib64/krb5/plugins/libkrb5/winbind_krb5_locator.so
/usr/lib64/samba/pdb/ipasam.so
/usr/libexec/ipa/oddjob/com.redhat.idm.trust-fetch-domains
/usr/sbin/ipa-adtrust-install
/usr/share/doc/freeipa-server-trust-ad
/usr/share/doc/freeipa-server-trust-ad/Contributors.txt
/usr/share/doc/freeipa-server-trust-ad/README.md
/usr/share/ipa/smb.conf.empty
/usr/share/licenses/freeipa-server-trust-ad
/usr/share/licenses/freeipa-server-trust-ad/COPYING
/usr/share/man/man1/ipa-adtrust-install.1.gz
---

In a way similar to DNS check, we can depend on /usr/share/ipa/smb.conf.empty which is only packaged in freeipa-server-trust-ad.

--- Additional comment from Florence Blanc-Renaud on 2018-06-25 15:21:13 UTC ---

Upstream ticket:
https://pagure.io/freeipa/issue/7602

--- Additional comment from Florence Blanc-Renaud on 2018-10-24 12:22:04 UTC ---

Fixed upstream
master:
https://pagure.io/freeipa/c/4600e62b6b4547c16eee085e216a56478dd8dd50

--- Additional comment from Christian Heimes on 2018-10-24 14:23:23 UTC ---

Fixed upstream
ipa-4-7:
https://pagure.io/freeipa/c/be968ea01adf1721b0afd7393872a8d311d89d0c
ipa-4-6:
https://pagure.io/freeipa/c/0c2bdcb1184cf034f62e523c88045f9efcb8c302

Comment 2 anuja 2019-01-22 14:51:02 UTC
Thomas Woerner,
How can this be verified?

Comment 3 Thomas Woerner 2019-01-22 15:45:51 UTC
(In reply to anuja from comment #2)
> Thomas Woerner,
> How can this be verified?

Description of problem:
Trying to set up a FreeIPA replica with the --setup-adtrust command line option set makes the setup fail due to the missing freeipa-server-trust-ad package (not pulled in automatically for any package)


Version-Release number of selected component (if applicable):
freeipa-server-4.6.90.pre2

How reproducible:

Steps to Reproduce:
1. dnf install freeipa-server
2. ipa-replica-install --setup-adtrust

Actual results:
It fails in the end when it tries to restart smb, and the logs show "No builtin nor plugin backend for ipasam found"

Expected results:
Replica should be installed successfully

---

Additionally from https://pagure.io/freeipa/c/be968ea01adf1721b0afd7393872a8d311d89d0c
ipaserver/install/adtrustinstance.py:
+     # Check that ipa-server-trust-ad package is installed,
+     # by looking for the file /usr/share/ipa/smb.conf.empty 
+     if not os.path.exists(os.path.join(paths.USR_SHARE_IPA_DIR,
+                                        "smb.conf.empty")):
+         print("AD Trust requires the '%s' package" %
+               constants.IPA_ADTRUST_PACKAGE_NAME)
+         print("Please install the package and start the installation again")
+         return False 
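
Review bot: The comment on the first two added lines hard-codes the package name ("ipa-server-trust-ad") and the path ("/usr/share/ipa/smb.conf.empty"), while the code right below takes both from constants.IPA_ADTRUST_PACKAGE_NAME and paths.USR_SHARE_IPA_DIR; the report above uses the name freeipa-server-trust-ad, so the comment should refer to the constant rather than one spelling of the name. The comment should also say that smb.conf.empty is used as a marker because only that package ships it, since the file's presence is a proxy and does not confirm that ipasam.so, the module named in the original smbd failure, is installed. The two print() calls report the reason only on the console before return False; logging the same message would keep it available for unattended (-U) runs.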

That means that the fixed version will fail early and print a message.
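
An added example, not part of the bug thread or of FreeIPA's code: the marker-file check discussed in the comments above, extended (an assumption of this example) to also look for ipasam.so and ipa-adtrust-install from the package listing, and run against constructed temporary trees so the early-failure case can be exercised without uninstalling anything. The names adtrust_preflight, populate and run_cases are hypothetical.

```python
import os
import tempfile

# Paths come from the `rpm -ql freeipa-server-trust-ad` listing in this report.
# MARKER is the file the upstream fix tests for; RUNTIME_FILES are other files
# from the same package, checked here as an assumption of this example.
MARKER = "usr/share/ipa/smb.conf.empty"
RUNTIME_FILES = (
    "usr/lib64/samba/pdb/ipasam.so",
    "usr/sbin/ipa-adtrust-install",
)


def adtrust_preflight(root="/"):
    """Return (marker_present, missing) for the tree rooted at `root`.

    marker_present mirrors the upstream check: False means the installer
    would stop early. missing lists every absent path, marker included,
    so a damaged or partially removed package is visible as well.
    """
    marker_present = os.path.isfile(os.path.join(root, MARKER))
    missing = [p for p in (MARKER, *RUNTIME_FILES)
               if not os.path.isfile(os.path.join(root, p))]
    return marker_present, missing


def populate(root, rel_paths):
    """Create empty placeholder files (constructed test data)."""
    for rel in rel_paths:
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        open(full, "w").close()


def run_cases():
    """Check three constructed trees: package absent, complete, marker only."""
    cases = {"absent": (), "complete": (MARKER, *RUNTIME_FILES),
             "marker_only": (MARKER,)}
    results = {}
    for name, files in cases.items():
        with tempfile.TemporaryDirectory() as root:
            populate(root, files)
            results[name] = adtrust_preflight(root)
    return results


if __name__ == "__main__":
    for name, (ok, missing) in run_cases().items():
        print(f"{name}: marker_present={ok} missing={missing}")
```

The marker_only case passes the marker test while still reporting ipasam.so as missing, which is the situation a marker-file check alone cannot detect.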

Comment 4 anuja 2019-01-22 16:19:03 UTC
Verified using :
ipa-server-4.7.1-10.module+el8+2699+aa606a46.x86_64
ipa-server-trust-ad-4.7.1-10.module+el8+2699+aa606a46.x86_64

Verification Steps:
1: dnf module install idm:DL1/dns
2: yum install ipa-server-trust-ad
3: ipa-replica-install --setup-adtrust

Console Output :
# ipa-replica-install --ip-address= -P admin -w --server --domain --setup-adtrust -U
Configuring client side components
This program will set up IPA client.
Version 4.7.1

  [7/10]: upgrading server
  [8/10]: stopping directory server
  [9/10]: restoring configuration
  [10/10]: starting directory server
Done.
Finalize replication settings
Restarting the KDC
Configuring CIFS
  [1/23]: validate server hostname
  [2/23]: stopping smbd
  [3/23]: creating samba domain object
  [4/23]: creating samba config registry
  [5/23]: writing samba config file
  [6/23]: adding cifs Kerberos principal
  [7/23]: adding cifs and host Kerberos principals to the adtrust agents group
  [8/23]: check for cifs services defined on other replicas
  [9/23]: adding cifs principal to S4U2Proxy targets
  [10/23]: adding admin(group) SIDs
  [11/23]: adding RID bases
  [12/23]: updating Kerberos config
'dns_lookup_kdc' already set to 'true', nothing to do.
  [13/23]: activating CLDAP plugin
  [14/23]: activating sidgen task
  [15/23]: map BUILTIN\Guests to nobody group
  [16/23]: configuring smbd to start on boot
  [17/23]: adding special DNS service records
  [18/23]: restarting Directory Server to take MS PAC and LDAP plugins changes into account
  [19/23]: adding fallback group
  [20/23]: adding Default Trust View
  [21/23]: setting SELinux booleans
  [22/23]: starting CIFS services
  [23/23]: restarting smbd
Done configuring CIFS.

WARNING: The CA service is only installed on one server (vm-idm-040.replica.test).
It is strongly recommended to install it on another server.
Run ipa-ca-install(1) on another master to accomplish this.

Comment 6 anuja 2019-01-22 16:22:53 UTC
Based on comment #4 marking bz as verified.

