Bug 1754494 - ipa-replica-install does not enforce --server option
Summary: ipa-replica-install does not enforce --server option
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.7
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Florence Blanc-Renaud
QA Contact: ipa-qe
Docs Contact: Marc Muehlfeld
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2019-09-23 12:25 UTC by Florence Blanc-Renaud
Modified: 2023-09-07 20:42 UTC

Fixed In Version: ipa-4.6.6-7.el7
Doc Type: Bug Fix
Doc Text:
.The `ipa-replica-install` utility now verifies that the server specified in `--server` provides all required roles

The `ipa-replica-install` utility provides a `--server` option to specify the Identity Management (IdM) server which the installer should use for the enrollment. Previously, `ipa-replica-install` did not verify that the supplied server provided the certificate authority (CA) and key recovery authority (KRA) roles. As a consequence, the installer replicated domain data from the specified server and CA data from a different server that provided the CA and KRA roles. With this update, `ipa-replica-install` verifies that the specified server provides all required roles. As a result, if the administrator uses the `--server` option, `ipa-replica-install` only replicates data from the specified server.
Clone Of:
Environment:
Last Closed: 2020-03-31 19:55:52 UTC
Target Upstream Version:
Embargoed:



Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker FREEIPA-10349 0 None None None 2023-09-07 20:42:01 UTC
Red Hat Product Errata RHBA-2020:1083 0 None None None 2020-03-31 19:56:20 UTC

Description Florence Blanc-Renaud 2019-09-23 12:25:57 UTC
Description of problem:
The command "ipa-replica-install --server server.example.com" does not enforce the --server parameter. When it is provided, the installation should contact only the master provided and refuse to execute if the master does not offer all the required services.


Version-Release number of selected component (if applicable):
ipa-4.6.5-11.el7

How reproducible:
Always

Steps to Reproduce:
1. install master with CA
2. install replica1 without CA
3. try to install replica2 from replica1, by specifying ipa-replica-install --server replica1

Actual results:
replica2 established replication for the domain data with replica1 and for the ipaca data with master.

Expected results:
replica2 should use only replica1 during its enrollment and promotion. If replica1 does not provide CA and KRA, the installation should refuse to proceed and provide a message explaining the reason.

Additional info:
See also BZ 1591824
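
The selection behaviour described above, modelled as an added example (not FreeIPA code and not part of the original report): `plan_unfixed` reproduces the silent fallback to another CA-bearing server, and `plan_fixed` refuses when the `--server` host lacks a needed role. The host names, role sets and function names are constructed, and tying the required roles to `--setup-ca`/`--setup-kra` is an assumption based on the verification scenarios in Comment 11.

```python
# Added illustration: a model of the source-selection logic, not FreeIPA code.
# Host names and the role sets below are constructed sample data.
TOPOLOGY = {
    "master.example.com": {"CA", "KRA"},
    "replica1.example.com": set(),   # replica installed without CA
}


class InstallRefused(Exception):
    """The server named in --server lacks a role the install needs."""


def requested_roles(setup_ca=False, setup_kra=False):
    # Assumption: a role is required only when the matching option is given.
    return [r for r, wanted in (("CA", setup_ca), ("KRA", setup_kra)) if wanted]


def plan_unfixed(topology, server, **opts):
    """Reported behaviour: silently fall back to any server with the role."""
    plan = {"domain": server}
    for role in requested_roles(**opts):
        if role in topology[server]:
            plan[role] = server
        else:
            plan[role] = next(
                (h for h in sorted(topology) if role in topology[h]), None)
    return plan


def plan_fixed(topology, server, **opts):
    """Expected behaviour: --server is the only source, or the install stops."""
    roles = requested_roles(**opts)
    missing = [r for r in roles if r not in topology[server]]
    if missing:
        raise InstallRefused(f"{server} does not provide: {', '.join(missing)}")
    return {suffix: server for suffix in ["domain", *roles]}


if __name__ == "__main__":
    args = (TOPOLOGY, "replica1.example.com")
    print("unfixed:", plan_unfixed(*args, setup_ca=True))
    try:
        plan_fixed(*args, setup_ca=True)
    except InstallRefused as exc:
        print("fixed:  refused,", exc)
```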

Comment 2 Florence Blanc-Renaud 2019-09-23 12:27:33 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/7566

Comment 3 Florence Blanc-Renaud 2019-09-23 12:37:19 UTC
Fixed upstream
master:
https://pagure.io/freeipa/c/802e54dd0e33be6015b22853767fc37a9ec02f39

Comment 6 Florence Blanc-Renaud 2019-10-07 06:11:21 UTC
Test added upstream in ipatests/test_integration/test_installation.py::TestInstallReplicaAgainstSpecificServer

Fixed upstream
master:
https://pagure.io/freeipa/c/c2c1000e2d5481d4be377feb12588fdb09d12de0
https://pagure.io/freeipa/c/c77bbe7899577cb14b42625953f1b9a868e6f237

Comment 10 Florence Blanc-Renaud 2019-10-14 11:37:30 UTC
Test backported upstream:

Fixed upstream
ipa-4-6:
https://pagure.io/freeipa/c/f4dc0ee169689974020a4a77b8bb58b26f360369
https://pagure.io/freeipa/c/9b3855ec486990ecd08a9f3a0ca408425ee7fbf7

Comment 11 Mohammad Rizwan 2019-12-13 09:35:47 UTC
version:
ipa-server-4.6.6-11.el7.x86_64

Steps:
1. Install master with ca and kra setup
2. Install replica1 without ca and stop ipa-custidia service on it.

scenario 1:
 3. Try to install replica2 with --setup-ca option from replica1 as a server

scenario 2:
 4. Install CA on replica1
 5. Try to install replica2 with --setup-kra option from replica1 as a server

scenario 3:
 6. Install replica2 against master


Scenario 1 and 2 failed and scenario 3 passed. Based on these observations marking the bug as verified.

Comment 13 Florence Blanc-Renaud 2020-01-03 08:21:29 UTC
Test backported upstream
ipa-4-6:
https://pagure.io/freeipa/c/0d91a78ee409e66f96e7b2555ca33fb2128fdfa3

Comment 15 errata-xmlrpc 2020-03-31 19:55:52 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1083

