Bug 2128549 - Remove adtrust controller / agent role without having to reinstall
Summary: Remove adtrust controller / agent role without having to reinstall
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: ipa
Version: 8.5
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Florence Blanc-Renaud
QA Contact: ipa-qe
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-09-21 02:13 UTC by toasty
Modified: 2023-05-19 12:52 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-11-07 16:58:38 UTC
Type: Bug
Target Upstream Version:
Embargoed:
Links
System ID Private Priority Status Summary Last Updated
Fedora Pagure freeipa issue 3993 0 None None None 2022-09-26 12:53:21 UTC
Red Hat Issue Tracker FREEIPA-8782 0 None None None 2022-09-21 02:37:50 UTC
Red Hat Issue Tracker RHELPLAN-134464 0 None None None 2022-09-21 02:37:55 UTC

Description toasty 2022-09-21 02:13:58 UTC
Description of problem:

I have a customer that tried to set up a trust when they set up their IPA topology, but it failed, and then they realized they did not need / want it. It gave their primary server the adtrust controller / adtrust agent role.

This role, when enabled (and there is no actual trust set up), will cause ipa-healthcheck to continuously show errors like this:

_________________________________________________________________ 

[
  {
    "source": "ipahealthcheck.ipa.trust",
    "check": "IPAsidgenpluginCheck",
    "result": "ERROR",
    "uuid": "e241539a-a8bb-48a2-8751-ce43491f5caf",
    "when": "20211216115357Z",
    "duration": "0.001417",
    "kw": {
      "key": "ipa-sidgen-task",
      "error": "no such entry",
      "msg": "Error retrieving 389-ds plugin {key}: {error}"
    }
  },
  {
    "source": "ipahealthcheck.ipa.trust",
    "check": "IPATrustAgentMemberCheck",
    "result": "ERROR",
    "uuid": "714fd6e0-2d6c-4879-9119-90657c5c351f",
    "when": "20211216115357Z",
    "duration": "0.001182",
    "kw": {
      "key": "server.example.com",
      "group": "adtrust agents",
      "msg": "{key} is not a member of {group}"
    }
  },
  {
    "source": "ipahealthcheck.ipa.trust",
    "check": "IPATrustControllerPrincipalCheck",
    "result": "ERROR",
    "uuid": "fd7ce7d7-4763-4fb1-8100-a234e2823672",
    "when": "20211216115357Z",
    "duration": "0.000616",
    "kw": {
      "key": "krbprincipalname=cifs/server.example.com,cn=services,cn=accounts,dc=example,dc=com",
      "error": "no such entry",
      "msg": "Error retrieving ldap entry {key}: {error}"
    }
  },
  {
    "source": "ipahealthcheck.ipa.trust",
    "check": "IPATrustControllerServiceCheck",
    "result": "ERROR",
    "uuid": "a6cead08-d6cd-4876-a354-5f4278fc93d2",
    "when": "20211216115357Z",
    "duration": "0.001139",
    "kw": {
      "key": "cn=ADTRUST,cn=server.example.com,cn=masters,cn=ipa,cn=etc,dc=example,dc=com",
      "error": "no such entry",
      "msg": "Error retrieving ldap entry {key}: {error}"
    }
  },
  {
    "source": "ipahealthcheck.ipa.trust",
    "check": "IPATrustControllerConfCheck",
    "result": "ERROR",
    "uuid": "fa238704-6c32-4ff1-943c-0498fa42d574",
    "when": "20211216115357Z",
    "duration": "0.359184",
    "kw": {
      "key": "net conf list",
      "error": "No section: 'global'",
      "section": "global",
      "option": "passdb backend",
      "msg": "Unable to read '{option}' in section {section} in {key} output: {error}"
    }
  }
]
_________________________________________________________________ 

The customer understands that these errors are not hurting anything, but wants them to go away.
Unfortunately the only way to get them to go away is to uninstall the server and add it back, which they do not want to do, since this is their primary server that has a lot riding on it. They also refuse to move the CRL generation to a replica in order to remove the problem system and add it back.

I feel like there should be something like an `ipa config-mod` command to do this.


How reproducible:

Install IPA, attempt to install a trust with AD, but do not complete the trust setup.


Actual results:

Not able to remove the server role via commands.

Expected results:

Should be able to remove the server role via commands (without having to uninstall / reinstall the server).

Additional info:

https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/X645QM5OTZ5PEVPBOIUCOIVK7T2Y2SOD/

This says there is no tool to do this, and that it requires uninstall / reinstall.
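The five errors quoted above share one cause: the server is recorded as an adtrust controller/agent, but none of the objects a working trust would create (sidgen plugin, cifs principal, ADTRUST master entry, Samba config) exist. The following triage script is an added example, not part of the bug report or of ipa-healthcheck itself; it parses ipa-healthcheck JSON output (a sample constructed from the entries in the report) and reports whether the errors match that stale-role signature, as opposed to a failure elsewhere that needs real attention.

```python
"""Triage ipa-healthcheck JSON output for the 'adtrust role without a trust' signature.
Added example; not part of ipa-healthcheck. Sample output is constructed from the report."""
import json
from collections import defaultdict

# Constructed sample: three of the trust errors quoted in the report plus one passing check.
SAMPLE_OUTPUT = json.dumps([
    {"source": "ipahealthcheck.ipa.trust", "check": "IPAsidgenpluginCheck",
     "result": "ERROR", "kw": {"key": "ipa-sidgen-task", "error": "no such entry",
                               "msg": "Error retrieving 389-ds plugin {key}: {error}"}},
    {"source": "ipahealthcheck.ipa.trust", "check": "IPATrustAgentMemberCheck",
     "result": "ERROR", "kw": {"key": "server.example.com", "group": "adtrust agents",
                               "msg": "{key} is not a member of {group}"}},
    {"source": "ipahealthcheck.ipa.trust", "check": "IPATrustControllerConfCheck",
     "result": "ERROR", "kw": {"key": "net conf list", "error": "No section: 'global'",
                               "section": "global", "option": "passdb backend",
                               "msg": "Unable to read '{option}' in section {section} in {key} output: {error}"}},
    {"source": "ipahealthcheck.ipa.dna", "check": "IPADNARangeCheck", "result": "SUCCESS", "kw": {}},
])

# Checks that fail together when the role is recorded but no trust/Samba configuration
# exists. Assumption: the set is taken from the five errors quoted in the report.
STALE_ADTRUST_CHECKS = {
    "IPAsidgenpluginCheck", "IPATrustAgentMemberCheck", "IPATrustControllerPrincipalCheck",
    "IPATrustControllerServiceCheck", "IPATrustControllerConfCheck",
}


def render(entry):
    """Expand the msg template with its kw values, the way ipa-healthcheck prints it."""
    return entry["kw"]["msg"].format(**entry["kw"])


def errors_by_source(output):
    """Group every non-SUCCESS result by its source module."""
    groups = defaultdict(list)
    for entry in json.loads(output):
        if entry["result"] != "SUCCESS":
            groups[entry["source"]].append(entry)
    return groups


def looks_like_stale_adtrust_role(output):
    """True when all errors come from the trust module and are known stale-role checks."""
    groups = errors_by_source(output)
    trust = groups.get("ipahealthcheck.ipa.trust", [])
    others = [src for src in groups if src != "ipahealthcheck.ipa.trust"]
    return bool(trust) and not others and all(e["check"] in STALE_ADTRUST_CHECKS for e in trust)
```

Run it against `ipa-healthcheck --output-type json` output; a False result with trust errors present means something other than the leftover role is failing and the errors should not be dismissed.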

Comment 1 Florence Blanc-Renaud 2022-09-26 12:53:20 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/3993

Comment 2 Florence Blanc-Renaud 2022-11-07 16:58:38 UTC
Thank you for taking the time to submit this request for Red Hat Enterprise Linux.

Given that we are unable to fulfill this request in the following Red Hat Enterprise Linux releases, I am closing the Bugzilla as WONTFIX. To request that Red Hat reconsiders the decision, please re-open the Bugzilla via the appropriate support channels and provide additional business and/or technical details about its importance to you.

Comment 3 Steven Mercurio 2023-05-15 20:48:04 UTC
One BIG reason to be able to uninstall adtrust is because of security issues. Each service like https, smb, nfs_server, etc. must be justified and have an exception for passing the server2 /800-53 171 OpenSCAP and related scans. If adtrust is NOT needed then it should be removed as per security best practice and the smb/winbind services removed.

The main point here is not so much a full reversion but at a minimum the removal enough so that services smb and winbind and any ports they use can be removed/closed.

Comment 4 Rob Crittenden 2023-05-19 12:52:41 UTC
Dealing with half uninstalled services is exactly why reinstalling the server is the preferred method.