Bug 437565 - Running admin tools on unconfigured client returns strange results
Running admin tools on unconfigured client returns strange results
Status: CLOSED ERRATA
Product: freeIPA
Classification: Community
Component: ipa-admintools (Show other bugs)
1.0
All Linux
low Severity low
: ---
: ---
Assigned To: Rob Crittenden
Chandrasekar Kannan
:
Depends On:
Blocks: freeipa10 429034
  Show dependency treegraph
 
Reported: 2008-03-14 17:50 EDT by Rob Crittenden
Modified: 2015-01-04 18:31 EST (History)
2 users (show)

See Also:
Fixed In Version: freeipa-2.0.0-1.fc15
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Play nice on unconfigured systems (8.44 KB, patch)
2008-03-17 13:39 EDT, Rob Crittenden
no flags Details | Diff

  None (edit)
Description Rob Crittenden 2008-03-14 17:50:17 EDT
Description of problem:

You can install ipa-admintools onto any random client and they may simply fail
to work with very strange GSSAPI results, particularly if you aren't using DNS
discovery.

Expected results:

We need to see what is being returned to the tools in this case. It may be an
empty set which we can catch and display.

The default /etc/ipa/ipa.conf has bogus entries for server and realm. We
probably need to NULL those out
Comment 1 Simo Sorce 2008-03-17 09:38:00 EDT
One way to make sure the machine is properly configure could be to have a
non-default option in ipa.conf
When running tools we check for that and direct users to use ipa-client-install
or to proper documentation on what need to be configured (I mean we do both).

Would that suffice ?
Comment 2 Rob Crittenden 2008-03-17 09:50:18 EDT
I think if we just put blank entries into /etc/ipa/ipa.conf by default will do
the trick.

rpcclient.py will need to be updated to handle this case as well. If it gets no
servers to try it should say so in a helpful way. Currently an unconfigured
client tries to connect to realm.foo.bar which is why we get the GSSAPI error.
Comment 3 Rob Crittenden 2008-03-17 13:39:02 EDT
Created attachment 298288 [details]
Play nice on unconfigured systems
Comment 4 Rob Crittenden 2008-03-25 10:16:28 EDT
Committed in changeset 720
Comment 5 Chandrasekar Kannan 2008-04-07 10:17:00 EDT
I ran all the ipa-admintools on an unconfigured system. The system has
rhel 5.1 and then I installed ipa-admintools on top of it. thats it.

All tools behave the same except ipa-pwpolicy. don't know why. 

/usr/sbin/ipa-adddelegation
IPA server not found in DNS, in the config file (/etc/ipa/ipa.conf) or on the
command line.
/usr/sbin/ipa-addgroup
IPA server not found in DNS, in the config file (/etc/ipa/ipa.conf) or on the
command line.
/usr/sbin/ipa-addservice
IPA server not found in DNS, in the config file (/etc/ipa/ipa.conf) or on the
command line.
/usr/sbin/ipa-adduser
IPA server not found in DNS, in the config file (/etc/ipa/ipa.conf) or on the
command line.
/usr/sbin/ipa-deldelegation
IPA server not found in DNS, in the config file (/etc/ipa/ipa.conf) or on the
command line.
/usr/sbin/ipa-delgroup
IPA server not found in DNS, in the config file (/etc/ipa/ipa.conf) or on the
command line.
/usr/sbin/ipa-delservice
IPA server not found in DNS, in the config file (/etc/ipa/ipa.conf) or on the
command line.
/usr/sbin/ipa-deluser
IPA server not found in DNS, in the config file (/etc/ipa/ipa.conf) or on the
command line.
/usr/sbin/ipa-findgroup
IPA server not found in DNS, in the config file (/etc/ipa/ipa.conf) or on the
command line.
/usr/sbin/ipa-findservice
IPA server not found in DNS, in the config file (/etc/ipa/ipa.conf) or on the
command line.
/usr/sbin/ipa-finduser
IPA server not found in DNS, in the config file (/etc/ipa/ipa.conf) or on the
command line.
/usr/sbin/ipa-listdelegation
IPA server not found in DNS, in the config file (/etc/ipa/ipa.conf) or on the
command line.
/usr/sbin/ipa-lockuser
IPA server not found in DNS, in the config file (/etc/ipa/ipa.conf) or on the
command line.
/usr/sbin/ipa-moddelegation
IPA server not found in DNS, in the config file (/etc/ipa/ipa.conf) or on the
command line.
/usr/sbin/ipa-modgroup
IPA server not found in DNS, in the config file (/etc/ipa/ipa.conf) or on the
command line.
/usr/sbin/ipa-moduser
IPA server not found in DNS, in the config file (/etc/ipa/ipa.conf) or on the
command line.
/usr/sbin/ipa-passwd
IPA server not found in DNS, in the config file (/etc/ipa/ipa.conf) or on the
command line.
/usr/sbin/ipa-pwpolicy
No module named validate


re-opening for dev to look at it... in any case, not a beta blocker. 
i'll lower the priority down...

Comment 6 Rob Crittenden 2008-04-29 10:53:19 EDT
I can't reproduce this.

The validate module is installed in RHEL 5 in python-configobj as a dependency
on TurboGears.

Did you run this on a client after installing just ipa-client and
ipa-admintools? We may need a new dependency on ipa-admintools.
Comment 7 Yi Zhang 2008-05-29 11:52:04 EDT
QA Verified on May 29, 2008 (Yi)

Build used: May 29, 2008 (i386)


What I see from current implementation is below:

[root@ipaclient ~]# /usr/sbin/ipa-addgroup
Group name: uio
Description: hkiluoiuoi
Could not initialize GSSAPI: Unspecified GSS failure.  Minor code may provide
more information/No credentials cache found

And it makes sense since there is no way to do kinit if client hasn't initialized. 

Bug closed

Note You need to log in before you can comment on or make changes to this bug.