Bug 2132731 - [ansible-freeipa] ipaserver: Add missing idstart check
Summary: [ansible-freeipa] ipaserver: Add missing idstart check
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: ansible-freeipa
Version: 9.1
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Thomas Woerner
QA Contact: Varun Mylaraiah
URL:
Whiteboard:
Depends On: 2132729
Blocks: 2132976 2132977
Reported: 2022-10-06 13:42 UTC by Thomas Woerner
Modified: 2023-05-09 08:04 UTC (History)

Fixed In Version: ansible-freeipa-1.9.0-1.el9
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 2132729
: 2132976 2132977 (view as bug list)
Environment:
Last Closed: 2023-05-09 07:25:56 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker FREEIPA-8895 0 None None None 2022-10-06 13:49:46 UTC
Red Hat Issue Tracker RHELPLAN-135854 0 None None None 2022-10-06 13:49:56 UTC
Red Hat Product Errata RHEA-2023:2168 0 None None None 2023-05-09 07:26:05 UTC

Description Thomas Woerner 2022-10-06 13:42:23 UTC
+++ This bug was initially created as a clone of Bug #2132729 +++

Description of problem:
The idstart needs to be larger than UID_MAX or GID_MAX from /etc/login.defs.
The check is missing in ipaserver role.

Version-Release number of selected component (if applicable):
ansible-freeipa-1.8.3

How reproducible:
Always

Steps to Reproduce:
1. Deploy using "ipaserver_idstart: 1000"
2. Check UID_MAX/GID_MAX in /etc/login.defs
3. Check for ipaRangeType errors in sssd_sub.example.com.log file.

Actual results:
No failure if ipaserver_idstart is too low.

Expected results:
Failure if ipaserver_idstart is too low.

--- Additional comment from Thomas Woerner on 2022-10-06 13:40:55 UTC ---

Upstream PR: https://github.com/freeipa/ansible-freeipa/pull/897
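
Added example, not part of the bug report and not ansible-freeipa's own code: a pre-flight check of the kind the description asks for, which reads UID_MAX and GID_MAX from login.defs text and rejects an idstart that is not above both. The function names, the sample file content and the fallback limit of 60000 for a missing key are assumptions made for this sketch; the error wording follows the installer message quoted in the verification log on this page.

```python
# Added example: pre-flight check of ipaserver_idstart against login.defs.
# parse_login_defs, check_idstart and ASSUMED_DEFAULT_MAX are hypothetical
# names for this sketch, not ansible-freeipa's code.

# Constructed sample of /etc/login.defs content (not from a real host).
SAMPLE_LOGIN_DEFS = """\
# Min/max values for automatic uid selection in useradd(8)
UID_MIN                  1000
UID_MAX                 60000
SYS_UID_MAX               999
GID_MIN                  1000
GID_MAX                 60000   # local groups end here
"""

# Assumption: limit applied when a key is absent or commented out.
ASSUMED_DEFAULT_MAX = 60000


def parse_login_defs(text):
    """Return the UID_MAX / GID_MAX values set in login.defs text."""
    limits = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        fields = line.split()
        # Exact key match, so SYS_UID_MAX and UID_MIN are ignored.
        if len(fields) < 2 or fields[0] not in ("UID_MAX", "GID_MAX"):
            continue
        try:
            limits[fields[0]] = int(fields[1], 10)
        except ValueError:
            raise ValueError("non-numeric %s in login.defs: %r"
                             % (fields[0], fields[1]))
    return limits


def check_idstart(idstart, login_defs_text):
    """Return None if idstart is usable, else an error message."""
    limits = parse_login_defs(login_defs_text)
    # The IPA range must start above the larger of the two local limits.
    local_max = max(limits.get("UID_MAX", ASSUMED_DEFAULT_MAX),
                    limits.get("GID_MAX", ASSUMED_DEFAULT_MAX))
    if idstart > local_max:
        return None
    return ("idstart (%d) must be larger than UID_MAX/GID_MAX (%d) "
            "setting in /etc/login.defs." % (idstart, local_max))


if __name__ == "__main__":
    for value in (1000, 60000, 60001):
        print(value, "->", check_idstart(value, SAMPLE_LOGIN_DEFS) or "ok")
```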

Comment 7 Varun Mylaraiah 2022-12-20 13:47:27 UTC
Verified
ansible-core-2.14.1-1.el9.x86_64
ansible-freeipa-1.9.0-1.el9.noarch

Passed	ansible_freeipa_tests/master/test_idm_deploy_master.py::TestMaster_Verify_Idstart::test_server_install_with_idstart

DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 PLAYBOOK: install-server.yaml **************************************************
DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 1 plays in install-server.yaml
DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 
DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 PLAY [Playbook to configure IPA servers] ***************************************
DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 
DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 TASK [Gathering Facts] *********************************************************
DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 task path: /root/install-server.yaml:2
DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 ok: [master.ipadomain.test]
DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 
DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 TASK [ipaserver : Import variables specific to distribution] *******************
DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 task path: /usr/share/ansible/roles/ipaserver/tasks/main.yml:4
DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 ok: [master.ipadomain.test] => (item=/usr/share/ansible/roles/ipaserver/vars/default.yml) => {"ansible_facts": {"ipaserver_packages": ["ipa-server", "python3-libselinux"], "ipaserver_packages_adtrust": ["freeipa-server-trust-ad"], "ipaserver_packages_dns": ["ipa-server-dns"], "ipaserver_packages_firewalld": ["firewalld"]}, "ansible_included_var_files": ["/usr/share/ansible/roles/ipaserver/vars/default.yml"], "ansible_loop_var": "item", "changed": false, "item": "/usr/share/ansible/roles/ipaserver/vars/default.yml"}
DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 
DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 TASK [ipaserver : Install IPA server] ******************************************
DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 task path: /usr/share/ansible/roles/ipaserver/tasks/main.yml:19
DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 included: /usr/share/ansible/roles/ipaserver/tasks/install.yml for master.ipadomain.test
DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 
DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 TASK [ipaserver : Install - Ensure that IPA server packages are installed] *****
DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 task path: /usr/share/ansible/roles/ipaserver/tasks/install.yml:5
DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 ok: [master.ipadomain.test] => {"changed": false, "msg": "Nothing to do", "rc": 0, "results": []}
DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 
DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 TASK [ipaserver : Install - Ensure that IPA server packages for dns are installed] ***
DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 task path: /usr/share/ansible/roles/ipaserver/tasks/install.yml:10
DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 skipping: [master.ipadomain.test] => {"changed": false, "skip_reason": "Conditional result was False"}
DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 
DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 TASK [ipaserver : Install - Ensure that IPA server packages for adtrust are installed] ***
DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 task path: /usr/share/ansible/roles/ipaserver/tasks/install.yml:16
DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 skipping: [master.ipadomain.test] => {"changed": false, "skip_reason": "Conditional result was False"}
DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 
DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 TASK [ipaserver : Install - Ensure that firewall packages installed] ***********
DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 task path: /usr/share/ansible/roles/ipaserver/tasks/install.yml:22
DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 ok: [master.ipadomain.test] => {"changed": false, "msg": "Nothing to do", "rc": 0, "results": []}
DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 
DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 TASK [ipaserver : Firewalld service - Ensure that firewalld is running] ********
DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 task path: /usr/share/ansible/roles/ipaserver/tasks/install.yml:31
DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 
DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 TASK [ipaserver : Firewalld - Verify runtime zone "{{ ipaserver_firewalld_zone }}"] ***
DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 task path: /usr/share/ansible/roles/ipaserver/tasks/install.yml:37
DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 skipping: [master.ipadomain.test] => {"changed": false, "skip_reason": "Conditional result was False"}
DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 
DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 TASK [ipaserver : Firewalld - Verify permanent zone "{{ ipaserver_firewalld_zone }}"] ***
DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 task path: /usr/share/ansible/roles/ipaserver/tasks/install.yml:44
DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 skipping: [master.ipadomain.test] => {"changed": false, "skip_reason": "Conditional result was False"}
DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 
DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 TASK [ipaserver : include_tasks] ***********************************************
DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 task path: /usr/share/ansible/roles/ipaserver/tasks/install.yml:54
DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 skipping: [master.ipadomain.test] => {"changed": false, "skip_reason": "Conditional result was False"}
DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 
DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 TASK [ipaserver : Install - Server installation test] **************************
DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 task path: /usr/share/ansible/roles/ipaserver/tasks/install.yml:60
DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 fatal: [master.ipadomain.test]: FAILED! => {"changed": false, "msg": "idstart (1000) must be larger than UID_MAX/GID_MAX (60000) setting in /etc/login.defs."}
DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 
DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 PLAY RECAP *********************************************************************
DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 master.ipadomain.test      : ok=6    changed=0    unreachable=0    failed=1    skipped=5    rescued=0    ignored=0   


Based on the test result, marking the bug Verified

Comment 10 errata-xmlrpc 2023-05-09 07:25:56 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (ansible-freeipa bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2023:2168
