Description of problem:

Foreman-proxy parses the /etc/ipa/default.conf file incorrectly: it will consider _any_ line containing the string 'realm' as a realm name definition. The last line in this file containing 'realm' will then be used as the realm definition, most often resulting in this error in /var/log/foreman-proxy/proxy.log:

~~~
ERROR -- : Unknown realm EXAMPLE.COM
~~~

Example of an /etc/ipa/default.conf file that will trigger this error:

~~~
[global]
basedn = dc=example,dc=com
domain = example.com
server = phess-realm.usersys.redhat.com
host = sat64a.usersys.redhat.com
xmlrpc_uri = https://phess-realm.usersys.redhat.com/ipa/xml
enable_ra = True
realm = EXAMPLE.COM
## nice comment: this used to be realm = MY.OLD.DOMAIN.ORG
~~~

The file above will result in foreman-proxy considering the realm name to be MY.OLD.DOMAIN.ORG.

This is a result of poor config file parsing -- not really parsing but fetching values with the help of regexes -- in /usr/share/foreman-proxy/modules/realm_freeipa/ipa_config_parser.rb:

~~~
38
39   def do_parse(io)
40     parsed_uri, realm_name = nil
41
42     io.readlines.each do |line|
43       if line =~ /xmlrpc_uri/
44         uri = line.split("=")[1].strip
45         parsed_uri = URI.parse(uri)
46         logger.debug "freeipa: uri is #{uri}"
47       elsif line =~ /realm/
48         realm_name = line.split("=")[1].strip
49         logger.debug "freeipa: realm #{realm_name}"
50       end
51     end
~~~

Lines 47 and 48 will regex-match any line containing the string 'realm', even if the matching string is one of these below:

~~~
thisisrealmagic =
not my realm =
~~~

Then, the realm name is extracted by taking the "right-hand" value of the same line.
An actual real-life example hitting this issue is when the IPA/IdM server name in /etc/ipa/default.conf contains the string 'realm', e.g.:

~~~
[global]
basedn = dc=demo1,dc=freeipa,dc=org
realm = DEMO1.FREEIPA.ORG
domain = demo1.freeipa.org
server = realm-server.demo1.freeipa.org
host = lucid-nonsense
xmlrpc_uri = https://ipa.demo1.freeipa.org/ipa/xml
enable_ra = True
~~~

Since the line with the `server` directive contains the string 'realm', it will match the regex and foreman-proxy will consider the right-hand side of this line as the realm name. Then /var/log/foreman-proxy/proxy.log would read the realm name twice:

~~~
DEBUG -- : freeipa: uri is https://ipa.demo1.freeipa.org/ipa/xml
DEBUG -- : freeipa: realm DEMO1.FREEIPA.ORG
DEBUG -- : freeipa: realm realm-server.demo1.freeipa.org
~~~

The latter one would overwrite the realm variable and would thus cause foreman-proxy to fail when adding a new host to the IPA/IdM domain, with:

~~~
ERROR -- : Unknown realm realm-server.demo1.freeipa.org
~~~

Version-Release number of selected component (if applicable):

All currently released Satellite versions as of today contain this bug, as well as the upstream smart-proxy at https://github.com/theforeman/smart-proxy/blob/develop/modules/realm_freeipa/ipa_config_parser.rb.

How reproducible:

Every time, if /etc/ipa/default.conf meets the required criteria.

Steps to Reproduce:
1. Set up foreman-proxy to communicate with IPA/IdM server realm-server.example.com for realm purposes.
2. Create a new host and set it up as a realm member.

Actual results:

Foreman-proxy will fail to add the host to the realm, stating it does not know the realm-server.example.com realm.
Expected results:

Foreman-proxy would add the host to the realm as set up by the 'realm' directive in /etc/ipa/default.conf.

Additional info:

Simply reordering lines in /etc/ipa/default.conf so the `realm =` line is at the bottom of the file allows one to work around the issue by forcing ipa_config_parser.rb to process the correct realm last.
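The root cause described in this report is that the parser matches the substring 'realm' anywhere in a line instead of checking the directive name on the left of the first '='. The following Ruby is an added example, not smart-proxy code and not part of this bug report: it puts the substring-match approach quoted above beside a key-based parser and runs both over constructed copies of the /etc/ipa/default.conf samples from this bug. The function names, the third sample's exact contents, and the decision to restrict lookups to the [global] section are assumptions of this example.

```ruby
require 'uri'

# Constructed sample 1 (from the description): a trailing comment mentions the old realm.
CONF_OLD_REALM_COMMENT = <<~CONF
  [global]
  basedn = dc=example,dc=com
  domain = example.com
  server = phess-realm.usersys.redhat.com
  host = sat64a.usersys.redhat.com
  xmlrpc_uri = https://phess-realm.usersys.redhat.com/ipa/xml
  enable_ra = True
  realm = EXAMPLE.COM
  ## nice comment: this used to be realm = MY.OLD.DOMAIN.ORG
CONF

# Constructed sample 2 (from the description): the IPA server hostname contains 'realm'.
CONF_REALM_IN_SERVER = <<~CONF
  [global]
  basedn = dc=demo1,dc=freeipa,dc=org
  realm = DEMO1.FREEIPA.ORG
  domain = demo1.freeipa.org
  server = realm-server.demo1.freeipa.org
  host = lucid-nonsense
  xmlrpc_uri = https://ipa.demo1.freeipa.org/ipa/xml
  enable_ra = True
CONF

# Constructed sample 3 (assumed): the comment line appended in the QE verification
# plus one of the odd lines mentioned in the description.
CONF_ODD_LINES = <<~CONF
  [global]
  realm = SATQE.EXAMPLE.COM
  xmlrpc_uri = https://ipa.example.com/ipa/xml
  thisisrealmagic = not my realm =
  # Some random line containing = sign and realm word
CONF

# The approach the report describes: a substring regex per line, last match wins.
# Kept deliberately buggy; it also raises NoMethodError on a 'realm' line with no '='.
def parse_by_substring(text)
  parsed_uri = realm_name = nil
  text.each_line do |line|
    if line =~ /xmlrpc_uri/
      parsed_uri = URI.parse(line.split('=')[1].strip)
    elsif line =~ /realm/
      realm_name = line.split('=')[1].strip
    end
  end
  { uri: parsed_uri, realm: realm_name }
end

# Key-based parser: skip blank and comment lines and section headers, split on the
# FIRST '=' only (basedn values contain '='), and accept a value only when the key
# itself is 'realm' or 'xmlrpc_uri' inside [global]. Fails loudly when no realm is set.
def parse_by_key(text)
  section = nil
  values = {}
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#', ';')
    if (header = line.match(/\A\[([^\]]+)\]\z/))
      section = header[1]
      next
    end
    key, sep, value = line.partition('=')
    next if sep.empty? || section != 'global'   # not a key = value line in [global]
    values[key.strip] = value.strip
  end
  realm = values['realm']
  raise ArgumentError, "no 'realm' directive in [global]" if realm.nil? || realm.empty?
  uri = values['xmlrpc_uri']
  { uri: uri && URI.parse(uri), realm: realm }
end

if $PROGRAM_NAME == __FILE__
  [CONF_OLD_REALM_COMMENT, CONF_REALM_IN_SERVER, CONF_ODD_LINES].each do |conf|
    puts "substring match: #{parse_by_substring(conf)[:realm]}"
    puts "key match:       #{parse_by_key(conf)[:realm]}"
  end
end
```

Run stand-alone, the script shows the substring parser picking MY.OLD.DOMAIN.ORG, realm-server.demo1.freeipa.org and "sign and realm word" as realm names, while the key-based parser returns the value of the actual `realm` directive in each file. Note that this toy parser does not handle inline comments after a value; anything after the first '=' is taken verbatim.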
Pull Request is ready at https://github.com/theforeman/smart-proxy/pull/665 but is failing due to missing redmine issue.
Created redmine issue http://projects.theforeman.org/issues/27218 from this bug
Upstream bug assigned to lzap
VERIFIED.

@Satellite 6.6.0 Snap22 foreman-proxy-1.22.0.2-1.el7sat.noarch by the following manual reproducer:

1) Have a Satellite enrolled to an IdM server and set up for realm SATQE.EXAMPLE.COM
2) Change the log level for foreman-proxy to debug and restart the foreman-proxy service
3) Add the offending line to the end of the ipa config file:

~~~
# echo "# Some random line containing = sign and realm word" >> /etc/ipa/default.conf
# grep realm /etc/ipa/default.conf
realm = SATQE.EXAMPLE.COM
# Some random line containing = sign and realm word
~~~

4) Create a host and assign the SATQE.EXAMPLE.COM realm while watching the foreman-proxy log:

~~~
# tail -f /var/log/foreman-proxy/proxy.log
2019-10-13T17:39:00 a63682ee [I] Started POST /SATQE.EXAMPLE.COM/
2019-10-13T17:39:00 a63682ee [D] verifying remote client ::ffff:192.168.100.1 against trusted_hosts ["sat.example.com"]
2019-10-13T17:39:00 a63682ee [D] freeipa: realm SATQE.EXAMPLE.COM
2019-10-13T17:39:00 a63682ee [D] freeipa: uri is https://ipa.example.com/ipa/xml
2019-10-13T17:39:00 a63682ee [D] Making IPA call: ["host_show", ["lora-delahunt.example.com"]]
~~~

>>> The offending line is ignored, as we can see in the log: "freeipa: realm SATQE.EXAMPLE.COM"
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2019:3172