Bug 1726380 - Foreman-proxy parses /etc/ipa/default.conf incorrectly which results in ERROR -- : Unknown realm my-realm-server.example.com even when all config files are OK
Summary: Foreman-proxy parses /etc/ipa/default.conf incorrectly which results in ERROR...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Foreman Proxy
Version: 6.4.2
Hardware: Unspecified
OS: Linux
Priority: unspecified
Severity: low
Target Milestone: 6.6.0
Assignee: Lukas Zapletal
QA Contact: Lukas Pramuk
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-07-02 17:42 UTC by Pablo Hess
Modified: 2019-10-22 19:52 UTC
CC: 3 users

Fixed In Version: foreman-proxy-1.22.0.2-1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-10-22 19:52:23 UTC
Target Upstream Version:
Embargoed:




Links
Foreman Issue Tracker 27218 (Private: 0, Status: None), last updated 2019-07-03 06:20:15 UTC
Red Hat Knowledge Base (Solution) 4264441 (Private: 0, Status: Troubleshoot): "When a content host is being created it fails with “Failed to create host-test.demo1.freeipa.org l's realm entry: ERF12-...", last updated 2019-07-06 14:20:52 UTC

Description Pablo Hess 2019-07-02 17:42:20 UTC
Description of problem:
Foreman-proxy parses the /etc/ipa/default.conf file incorrectly: it will consider _any_ line containing the string 'realm' as a realm name definition. The last line in this file containing 'realm' will then be used as realm definition, most often resulting in this error on /var/log/foreman-proxy/proxy.log:

   ERROR -- : Unknown realm EXAMPLE.COM

Example of an /etc/ipa/default.conf file that will trigger this error:
~~~
[global]
basedn = dc=example,dc=com
domain = example.com
server = phess-realm.usersys.redhat.com
host = sat64a.usersys.redhat.com
xmlrpc_uri = https://phess-realm.usersys.redhat.com/ipa/xml
enable_ra = True
realm = EXAMPLE.COM
## nice comment: this used to be realm = MY.OLD.DOMAIN.ORG
~~~

This file above will result in foreman-proxy considering the realm name to be MY.OLD.DOMAIN.ORG.


This is a result of poor config file parsing -- not really parsing but fetching values with the help of regexes -- in /usr/share/foreman-proxy/modules/realm_freeipa/ipa_config_parser.rb:
~~~
 38 
 39     def do_parse(io)
 40       parsed_uri, realm_name = nil
 41 
 42       io.readlines.each do |line|
 43         if line =~ /xmlrpc_uri/
 44           uri = line.split("=")[1].strip
 45           parsed_uri = URI.parse(uri)
 46           logger.debug "freeipa: uri is #{uri}"
 47         elsif line =~ /realm/
 48           realm_name = line.split("=")[1].strip
 49           logger.debug "freeipa: realm #{realm_name}"
 50         end
 51       end
~~~


Lines 47 and 48 will regex-match any line containing the string 'realm', even if the matching string is one of these below:

thisisrealmagic =
not my realm =


Then, the realm name is extracted by getting the "right-hand" value of the same line.

An actual real-life example hitting this issue is when the IPA/IdM server name in /etc/ipa/default.conf contains the string realm, e.g.:
~~~
[global]
basedn = dc=demo1,dc=freeipa,dc=org
realm = DEMO1.FREEIPA.ORG
domain = demo1.freeipa.org
server = realm-server.demo1.freeipa.org
host = lucid-nonsense
xmlrpc_uri = https://ipa.demo1.freeipa.org/ipa/xml
enable_ra = True
~~~


Since the line with the `server` directive contains the string 'realm', it will match the regex and foreman-proxy will consider the right-hand side of this line as the realm name. Then /var/log/foreman-proxy/proxy.log would read the realm name twice:
~~~
DEBUG -- : freeipa: uri is https://ipa.demo1.freeipa.org/ipa/xml
DEBUG -- : freeipa: realm DEMO1.FREEIPA.ORG
DEBUG -- : freeipa: realm realm-server.demo1.freeipa.org
~~~


The latter one would overwrite the realm variable and would thus cause foreman-proxy to fail when adding a new host to the IPA/IdM domain, with:
~~~
ERROR -- : Unknown realm realm-server.demo1.freeipa.org
~~~



Version-Release number of selected component (if applicable):
All currently released Satellite versions as of today contain this bug, as well as the upstream smart-proxy at https://github.com/theforeman/smart-proxy/blob/develop/modules/realm_freeipa/ipa_config_parser.rb.

How reproducible:
Every time if /etc/ipa/default.conf meets the required criteria.

Steps to Reproduce:
1. Set up foreman-proxy to communicate with IPA/IdM server realm-server.example.com for realm purposes.
2. Create a new host and set it up as a realm member.

Actual results:
Foreman-proxy will fail to add the host to the realm, stating it does not know the realm-server.example.com realm.

Expected results:
Foreman-proxy would add the host to the realm as set up by the 'realm' directive in /etc/ipa/default.conf

Additional info:
Simply reordering lines in /etc/ipa/default.conf so the `realm =` line is at the bottom of the file allows one to work around the issue by forcing ipa_config_parser.rb to process the correct realm last.

Comment 4 Pablo Hess 2019-07-02 18:24:48 UTC
Pull Request is ready at https://github.com/theforeman/smart-proxy/pull/665 but is failing due to missing redmine issue.

Comment 5 Adam Ruzicka 2019-07-03 06:20:14 UTC
Created redmine issue http://projects.theforeman.org/issues/27218 from this bug

Comment 6 Bryan Kearney 2019-07-03 08:06:08 UTC
Upstream bug assigned to lzap

Comment 8 Lukas Pramuk 2019-10-13 21:54:18 UTC
VERIFIED.

@Satellite 6.6.0 Snap22
foreman-proxy-1.22.0.2-1.el7sat.noarch

by the following manual reproducer:

1) Have a Satellite enrolled to IdM server and setup for realm SATQE.EXAMPLE.COM

2) Change log level for foreman-proxy to debug and restart foreman-proxy service

3) Add offending line to the end of ipa config file

# echo "# Some random line containing = sign and realm word" >> /etc/ipa/default.conf

# grep realm /etc/ipa/default.conf 
realm = SATQE.EXAMPLE.COM
# Some random line containing = sign and realm word

4) Create a host and assign SATQE.EXAMPLE.COM realm while watching foreman-proxy log:

# tail -f /var/log/foreman-proxy/proxy.log 


2019-10-13T17:39:00 a63682ee [I] Started POST /SATQE.EXAMPLE.COM/ 
2019-10-13T17:39:00 a63682ee [D] verifying remote client ::ffff:192.168.100.1 against trusted_hosts ["sat.example.com"]
2019-10-13T17:39:00 a63682ee [D] freeipa: realm SATQE.EXAMPLE.COM
2019-10-13T17:39:00 a63682ee [D] freeipa: uri is https://ipa.example.com/ipa/xml
2019-10-13T17:39:00 a63682ee [D] Making IPA call: ["host_show", ["lora-delahunt.example.com"]]

>>> offending line is ignored as we can see in the log "freeipa: realm SATQE.EXAMPLE.COM"
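
The following Ruby script is an added example; it is not code from the smart-proxy project, from the released fix, or from anyone commenting on this bug. It reproduces the substring matching quoted from ipa_config_parser.rb in the description and puts a key-anchored parser next to it, run over the three configurations quoted on this page: the trailing comment that mentions an old realm, the IdM server hostname containing "realm", and the "# Some random line containing = sign and realm word" line from the verification in Comment 8. The sample configs are copied from the report (the verification one is reduced to the lines that matter); the function names naive_parse, strict_parse and ipa_settings, and the comment rule (a line is a comment only when it starts with # or ;) are my assumptions, not the behaviour of foreman-proxy-1.22.0.2-1.

```ruby
require 'uri'

# Constructed sample configs, copied from the examples quoted in this bug report.
HOSTNAME_CONF = <<~CONF
  [global]
  basedn = dc=demo1,dc=freeipa,dc=org
  realm = DEMO1.FREEIPA.ORG
  domain = demo1.freeipa.org
  server = realm-server.demo1.freeipa.org
  host = lucid-nonsense
  xmlrpc_uri = https://ipa.demo1.freeipa.org/ipa/xml
  enable_ra = True
CONF

COMMENT_CONF = <<~CONF
  [global]
  basedn = dc=example,dc=com
  domain = example.com
  server = phess-realm.usersys.redhat.com
  host = sat64a.usersys.redhat.com
  xmlrpc_uri = https://phess-realm.usersys.redhat.com/ipa/xml
  enable_ra = True
  realm = EXAMPLE.COM
  ## nice comment: this used to be realm = MY.OLD.DOMAIN.ORG
CONF

VERIFY_CONF = <<~CONF
  [global]
  realm = SATQE.EXAMPLE.COM
  xmlrpc_uri = https://ipa.example.com/ipa/xml
  # Some random line containing = sign and realm word
CONF

# Substring matching as quoted from ipa_config_parser.rb: any line containing
# "realm" wins, and the last such line overwrites earlier ones. Kept buggy on
# purpose so the failure can be observed side by side with the strict parser.
def naive_parse(text)
  uri = realm = nil
  text.each_line do |line|
    if line =~ /xmlrpc_uri/
      uri = URI.parse(line.split("=")[1].strip)
    elsif line =~ /realm/
      realm = line.split("=")[1].strip
    end
  end
  [uri, realm]
end

# Key-anchored parser (assumed design, not the shipped fix): skips blank and
# comment lines, only reads the [global] section, splits on the first "=" so a
# value such as basedn = dc=example,dc=com survives, and keys each value by the
# whole left-hand side, so "server = realm-server..." cannot masquerade as realm.
def strict_parse(text)
  values = {}
  section = nil
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#', ';')
    if (m = line.match(/\A\[(.+)\]\z/))
      section = m[1]
      next
    end
    next unless section == 'global'
    key, sep, value = line.partition('=')
    next if sep.empty? # not a key = value line
    values[key.strip] = value.strip
  end
  values
end

# Same return shape as naive_parse, built from the strict parser's hash.
def ipa_settings(text)
  values = strict_parse(text)
  uri = values['xmlrpc_uri'] && URI.parse(values['xmlrpc_uri'])
  [uri, values['realm']]
end

if __FILE__ == $PROGRAM_NAME
  { 'hostname contains realm' => HOSTNAME_CONF,
    'trailing comment' => COMMENT_CONF,
    'verification line' => VERIFY_CONF }.each do |label, conf|
    puts "#{label}: naive=#{naive_parse(conf)[1].inspect} strict=#{ipa_settings(conf)[1].inspect}"
  end
end
```

Running the script prints, for each config, the realm the substring matcher ends up with (realm-server.demo1.freeipa.org, MY.OLD.DOMAIN.ORG, and the tail of the comment line) next to the realm the key-anchored parser returns, which is the value of the `realm =` directive in every case regardless of where it sits in the file.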

Comment 9 Bryan Kearney 2019-10-22 19:52:23 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:3172

