Bug 739068 - ipa-client-install --password=$PASSWORD will cause /var/log/ipaclient-install.log to contain the password.
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: ipa-client
Version: 5.6
Hardware: Unspecified
OS: Unspecified
high
unspecified
Target Milestone: rc
Assignee: Rob Crittenden
Blocks: 741677
 
Reported: 2011-09-16 13:32 UTC by Rob Crittenden
Modified: 2012-02-21 05:42 UTC (History)

Fixed In Version: ipa-client-2.0-19.el5
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 741677 (view as bug list)
Environment:
Last Closed: 2012-02-21 05:42:28 UTC




Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2012:0190 normal SHIPPED_LIVE ipa-client bug fix update 2012-02-20 14:54:29 UTC

Description Rob Crittenden 2011-09-16 13:32:49 UTC
Description of problem:

https://fedorahosted.org/freeipa/ticket/1801

We should obfuscate the password in the log when it is provided at the cli.

Comment 1 Rob Crittenden 2011-09-16 16:58:09 UTC
This is in the RHEL 5 ipa-client, not the 6.x ipa-client.

RHEL 5.7 x86_64, ipa-client-2.0-14.el5_7.1

Comment 4 Rob Crittenden 2011-10-18 21:33:04 UTC
Checking in ipa-client.spec;
/cvs/dist/rpms/ipa-client/RHEL-5/ipa-client.spec,v  <--  ipa-client.spec
new revision: 1.11; previous revision: 1.10
done
RCS file: /cvs/dist/rpms/ipa-client/RHEL-5/ipa-otp-nolog.patch,v
done
Checking in ipa-otp-nolog.patch;
/cvs/dist/rpms/ipa-client/RHEL-5/ipa-otp-nolog.patch,v  <--  ipa-otp-nolog.patch
initial revision: 1.1
done
Checking in ipa-python24.patch;
/cvs/dist/rpms/ipa-client/RHEL-5/ipa-python24.patch,v  <--  ipa-python24.patch
new revision: 1.2; previous revision: 1.1
done

Comment 6 Gowrishankar Rajaiyan 2011-12-15 09:37:19 UTC
[root@hp-dl360g5-01 ~]# ipa-client-install --principal=admin --password=Secret123 
DNS discovery failed to determine your DNS domain
Provide the domain name of your IPA server (ex: example.com): lab.eng.pnq.redhat.com
DNS discovery failed to find the IPA Server
Provide your IPA server name (ex: ipa.example.com): bumblebee.lab.eng.pnq.redhat.com

The failure to use DNS to find your IPA server indicates that your
resolv.conf file is not properly configured.

Autodiscovery of servers for failover cannot work with this configuration.

If you proceed with the installation, services will be configured to always
access the discovered server for all operation and will not fail over to
other servers in case of failure.

Proceed with fixed values and no DNS discovery? [no]: yes
Hostname: hp-dl360g5-01.rhts.eng.bos.redhat.com
Realm: LAB.ENG.PNQ.REDHAT.COM
DNS Domain: lab.eng.pnq.redhat.com
IPA Server: bumblebee.lab.eng.pnq.redhat.com
BaseDN: dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com


Continue to configure the system with these values? [no]: yes
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync.

Enrolled in IPA realm LAB.ENG.PNQ.REDHAT.COM
Created /etc/ipa/default.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm LAB.ENG.PNQ.REDHAT.COM
SSSD enabled
NTP enabled
Client configuration complete.
[root@hp-dl360g5-01 ~]# 



/var/log/ipaclient-install.log:
2011-12-15 04:07:56,383 DEBUG [ipadnssearchldap]
2011-12-15 04:07:56,410 DEBUG IPA Server not found
2011-12-15 04:08:03,602 DEBUG will use server: bumblebee.lab.eng.pnq.redhat.com

2011-12-15 04:08:03,602 DEBUG [ipadnssearchkrb]
2011-12-15 04:08:03,626 DEBUG [ipacheckldap]
2011-12-15 04:08:04,314 DEBUG args=/usr/bin/wget -O /tmp/tmpZJF47D/ca.crt -T 15 -t 2 http://bumblebee.lab.eng.pnq.redhat.com/ipa/config/ca.crt
2011-12-15 04:08:04,315 DEBUG stdout=
2011-12-15 04:08:04,315 DEBUG stderr=--2011-12-15 04:08:03--  http://bumblebee.lab.eng.pnq.redhat.com/ipa/config/ca.crt
Resolving bumblebee.lab.eng.pnq.redhat.com... 10.65.201.64
Connecting to bumblebee.lab.eng.pnq.redhat.com|10.65.201.64|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1361 (1.3K) [application/x-x509-ca-cert]
Saving to: `/tmp/tmpZJF47D/ca.crt'

     0K .                                                     100% 92.7M=0s

2011-12-15 04:08:04 (92.7 MB/s) - `/tmp/tmpZJF47D/ca.crt' saved [1361/1361]


2011-12-15 04:08:04,315 DEBUG Init ldap with: ldap://bumblebee.lab.eng.pnq.redhat.com:389
2011-12-15 04:08:06,038 DEBUG Search LDAP server for IPA base DN
2011-12-15 04:08:06,374 DEBUG Check if naming context 'dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com' is for IPA
2011-12-15 04:08:06,710 DEBUG Naming context 'dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com' is a valid IPA context
2011-12-15 04:08:06,710 DEBUG Search for (objectClass=krbRealmContainer) in dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com(sub)
2011-12-15 04:08:07,063 DEBUG Found: [('cn=LAB.ENG.PNQ.REDHAT.COM,cn=kerberos,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com', {'krbSubTrees': ['dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com'], 'cn': ['LAB.ENG.PNQ.REDHAT.COM'], 'krbDefaultEncSaltTypes': ['aes256-cts:special', 'aes128-cts:special', 'des3-hmac-sha1:special', 'arcfour-hmac:special'], 'objectClass': ['top', 'krbrealmcontainer', 'krbticketpolicyaux'], 'krbSearchScope': ['2'], 'krbSupportedEncSaltTypes': ['aes256-cts:normal', 'aes256-cts:special', 'aes128-cts:normal', 'aes128-cts:special', 'des3-hmac-sha1:normal', 'des3-hmac-sha1:special', 'arcfour-hmac:normal', 'arcfour-hmac:special', 'des-hmac-sha1:normal', 'des-cbc-md5:normal', 'des-cbc-crc:normal', 'des-cbc-crc:v4', 'des-cbc-crc:afs3'], 'krbMaxTicketLife': ['86400'], 'krbMaxRenewableAge': ['604800']})]
2011-12-15 04:08:09,515 DEBUG will use cli_realm: LAB.ENG.PNQ.REDHAT.COM

2011-12-15 04:08:09,515 DEBUG will use cli_basedn: dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com

2011-12-15 04:08:12,291 DEBUG args=/usr/bin/wget -O /etc/ipa/ca.crt http://bumblebee.lab.eng.pnq.redhat.com/ipa/config/ca.crt
2011-12-15 04:08:12,291 DEBUG stdout=
2011-12-15 04:08:12,291 DEBUG stderr=--2011-12-15 04:08:11--  http://bumblebee.lab.eng.pnq.redhat.com/ipa/config/ca.crt
Resolving bumblebee.lab.eng.pnq.redhat.com... 10.65.201.64
Connecting to bumblebee.lab.eng.pnq.redhat.com|10.65.201.64|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1361 (1.3K) [application/x-x509-ca-cert]
Saving to: `/etc/ipa/ca.crt'

     0K .                                                     100% 92.7M=0s

2011-12-15 04:08:12 (92.7 MB/s) - `/etc/ipa/ca.crt' saved [1361/1361]


2011-12-15 04:08:12,332 DEBUG args=/usr/sbin/ntpdate -U ntp -s -b bumblebee.lab.eng.pnq.redhat.com
2011-12-15 04:08:12,332 DEBUG stdout=
2011-12-15 04:08:12,332 DEBUG stderr=
2011-12-15 04:08:12,347 DEBUG args=/usr/sbin/ntpdate -U ntp -s -b bumblebee.lab.eng.pnq.redhat.com
2011-12-15 04:08:12,347 DEBUG stdout=
2011-12-15 04:08:12,347 DEBUG stderr=
2011-12-15 04:08:12,361 DEBUG args=/usr/sbin/ntpdate -U ntp -s -b bumblebee.lab.eng.pnq.redhat.com
2011-12-15 04:08:12,361 DEBUG stdout=
2011-12-15 04:08:12,361 DEBUG stderr=
2011-12-15 04:08:12,362 DEBUG Writing Kerberos configuration to /tmp/tmpAp0KUM:
#File modified by ipa-client-install

[libdefaults]
  default_realm = LAB.ENG.PNQ.REDHAT.COM
  dns_lookup_realm = false
  dns_lookup_kdc = false
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  LAB.ENG.PNQ.REDHAT.COM = {
    kdc = bumblebee.lab.eng.pnq.redhat.com:88
    admin_server = bumblebee.lab.eng.pnq.redhat.com:749
    default_domain = lab.eng.pnq.redhat.com
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .lab.eng.pnq.redhat.com = LAB.ENG.PNQ.REDHAT.COM
  lab.eng.pnq.redhat.com = LAB.ENG.PNQ.REDHAT.COM


2011-12-15 04:08:13,245 DEBUG args=kinit admin@LAB.ENG.PNQ.REDHAT.COM
2011-12-15 04:08:13,245 DEBUG stdout=Password for admin@LAB.ENG.PNQ.REDHAT.COM: 

2011-12-15 04:08:13,245 DEBUG stderr=
2011-12-15 04:08:19,990 DEBUG args=/usr/sbin/ipa-join -s bumblebee.lab.eng.pnq.redhat.com -b dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
2011-12-15 04:08:19,990 DEBUG stdout=
2011-12-15 04:08:19,990 DEBUG stderr=Keytab successfully retrieved and stored in: /etc/krb5.keytab
Certificate subject base is: O=LAB.ENG.PNQ.REDHAT.COM

2011-12-15 04:08:20,140 DEBUG args=kdestroy
2011-12-15 04:08:20,140 DEBUG stdout=
2011-12-15 04:08:20,141 DEBUG stderr=
2011-12-15 04:08:20,141 DEBUG Backing up system configuration file '/etc/ipa/default.conf'
2011-12-15 04:08:20,141 DEBUG   -> Not backing up - '/etc/ipa/default.conf' doesn't exist
2011-12-15 04:08:20,142 DEBUG Backing up system configuration file '/etc/sssd/sssd.conf'
2011-12-15 04:08:20,142 DEBUG Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
2011-12-15 04:08:20,183 DEBUG args=/usr/bin/certutil -A -d /etc/pki/nssdb -n IPA CA -t CT,C,C -a -i /etc/ipa/ca.crt
2011-12-15 04:08:20,183 DEBUG stdout=
2011-12-15 04:08:20,183 DEBUG stderr=
2011-12-15 04:08:20,184 DEBUG Backing up system configuration file '/etc/krb5.conf'
2011-12-15 04:08:20,184 DEBUG Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
2011-12-15 04:08:20,185 DEBUG Writing Kerberos configuration to /etc/krb5.conf:
#File modified by ipa-client-install

[libdefaults]
  default_realm = LAB.ENG.PNQ.REDHAT.COM
  dns_lookup_realm = false
  dns_lookup_kdc = false
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  LAB.ENG.PNQ.REDHAT.COM = {
    kdc = bumblebee.lab.eng.pnq.redhat.com:88
    admin_server = bumblebee.lab.eng.pnq.redhat.com:749
    default_domain = lab.eng.pnq.redhat.com
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .lab.eng.pnq.redhat.com = LAB.ENG.PNQ.REDHAT.COM
  lab.eng.pnq.redhat.com = LAB.ENG.PNQ.REDHAT.COM


2011-12-15 04:08:20,237 DEBUG args=/sbin/service messagebus start 
2011-12-15 04:08:20,237 DEBUG stdout=Starting system message bus: 

2011-12-15 04:08:20,238 DEBUG stderr=
2011-12-15 04:08:20,359 DEBUG args=/sbin/service certmonger restart 
2011-12-15 04:08:20,359 DEBUG stdout=Stopping certmonger: [FAILED]
Starting certmonger: [  OK  ]

2011-12-15 04:08:20,360 DEBUG stderr=
2011-12-15 04:08:20,518 DEBUG args=/sbin/service certmonger restart 
2011-12-15 04:08:20,519 DEBUG stdout=Stopping certmonger: [  OK  ]
Starting certmonger: [  OK  ]

2011-12-15 04:08:20,519 DEBUG stderr=
2011-12-15 04:08:20,553 DEBUG args=/sbin/chkconfig certmonger on
2011-12-15 04:08:20,553 DEBUG stdout=
2011-12-15 04:08:20,553 DEBUG stderr=
2011-12-15 04:08:20,738 DEBUG args=ipa-getcert request -d /etc/pki/nssdb -n IPA Machine Certificate - hp-dl360g5-01.rhts.eng.bos.redhat.com -N CN=hp-dl360g5-01.rhts.eng.bos.redhat.com,O=LAB.ENG.PNQ.REDHAT.COM -K host/hp-dl360g5-01.rhts.eng.bos.redhat.com@LAB.ENG.PNQ.REDHAT.COM
2011-12-15 04:08:20,739 DEBUG stdout=New signing request "20111215090820" added.

2011-12-15 04:08:20,739 DEBUG stderr=
2011-12-15 04:08:20,803 DEBUG args=/sbin/service nscd status
2011-12-15 04:08:20,804 DEBUG stdout=nscd (pid 11544) is running...

2011-12-15 04:08:20,804 DEBUG stderr=
2011-12-15 04:08:20,854 DEBUG args=/sbin/service nscd stop 
2011-12-15 04:08:20,854 DEBUG stdout=Stopping nscd: [  OK  ]

2011-12-15 04:08:20,854 DEBUG stderr=
2011-12-15 04:08:20,886 DEBUG args=/sbin/chkconfig nscd off
2011-12-15 04:08:20,887 DEBUG stdout=
2011-12-15 04:08:20,887 DEBUG stderr=
2011-12-15 04:08:20,887 DEBUG Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
2011-12-15 04:08:20,888 DEBUG Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
2011-12-15 04:08:21,403 DEBUG args=/usr/sbin/authconfig --enablesssdauth --update --enablesssd
2011-12-15 04:08:21,404 DEBUG stdout=Stopping sssd: [FAILED]
[  OK  ] sssd: [  OK  ]

2011-12-15 04:08:21,404 DEBUG stderr=cat: /var/run/sssd.pid: No such file or directory

2011-12-15 04:08:21,418 DEBUG args=getent passwd admin
2011-12-15 04:08:21,418 DEBUG stdout=
2011-12-15 04:08:21,418 DEBUG stderr=
2011-12-15 04:08:26,128 DEBUG args=getent passwd admin
2011-12-15 04:08:26,128 DEBUG stdout=admin:*:715400000:715400000:Administrator:/home/admin:/bin/bash

2011-12-15 04:08:26,128 DEBUG stderr=
2011-12-15 04:08:26,129 DEBUG Backing up system configuration file '/etc/ntp/step-tickers'
2011-12-15 04:08:26,130 DEBUG Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
2011-12-15 04:08:26,286 DEBUG args=/sbin/restorecon /etc/ntp/step-tickers
2011-12-15 04:08:26,287 DEBUG stdout=
2011-12-15 04:08:26,287 DEBUG stderr=
2011-12-15 04:08:26,303 DEBUG args=/sbin/chkconfig ntpd
2011-12-15 04:08:26,304 DEBUG stdout=
2011-12-15 04:08:26,304 DEBUG stderr=
2011-12-15 04:08:26,304 DEBUG Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
2011-12-15 04:08:26,304 DEBUG Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
2011-12-15 04:08:26,304 DEBUG Backing up system configuration file '/etc/ntp.conf'
2011-12-15 04:08:26,305 DEBUG Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
2011-12-15 04:08:26,442 DEBUG args=/sbin/restorecon /etc/ntp.conf
2011-12-15 04:08:26,442 DEBUG stdout=
2011-12-15 04:08:26,442 DEBUG stderr=
2011-12-15 04:08:26,443 DEBUG Backing up system configuration file '/etc/sysconfig/ntpd'
2011-12-15 04:08:26,443 DEBUG Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
2011-12-15 04:08:26,599 DEBUG args=/sbin/restorecon /etc/sysconfig/ntpd
2011-12-15 04:08:26,599 DEBUG stdout=
2011-12-15 04:08:26,600 DEBUG stderr=
2011-12-15 04:08:26,613 DEBUG args=/sbin/chkconfig ntpd on
2011-12-15 04:08:26,613 DEBUG stdout=
2011-12-15 04:08:26,613 DEBUG stderr=
2011-12-15 04:10:20,012 DEBUG args=/sbin/service ntpd restart 
2011-12-15 04:10:20,012 DEBUG stdout=Shutting down ntpd: [  OK  ]
ntpd: Synchronizing with time server: [  OK  ]
Syncing hardware clock to system time [  OK  ]
Starting ntpd: [  OK  ]

2011-12-15 04:10:20,012 DEBUG stderr=

[root@hp-dl360g5-01 ~]# 


Verified in version: ipa-client-2.1.3-1.el5
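
The obfuscation requested in the description, applied to the `args=` / `stdout=` / `stderr=` record layout visible in the log in comment 6, as an added example (it is not the ipa-client patch or any code from this bug): a command runner that masks listed secrets before a record is logged. The names `redact`, `run_logged`, `nolog` and the `XXXXXXXX` mask are assumptions of this example, and the child command is a constructed stand-in that echoes its argument.

```python
import logging
import subprocess
import sys

REDACTED = "XXXXXXXX"  # mask string chosen for this example


def redact(text, nolog):
    """Return text with every occurrence of each secret in nolog masked."""
    for secret in nolog:
        if secret:  # skip empty values: "" would match at every position
            text = text.replace(secret, REDACTED)
    return text


def run_logged(args, nolog=(), log=logging.getLogger("install")):
    """Run args without a shell; log args, stdout and stderr with secrets masked."""
    proc = subprocess.run(args, capture_output=True, text=True)
    records = [
        "args=" + redact(" ".join(args), nolog),
        "stdout=" + redact(proc.stdout, nolog),
        "stderr=" + redact(proc.stderr, nolog),
    ]
    for record in records:
        log.debug(record)
    return proc.returncode, records


def demo(secret="Secret123"):
    """Constructed child process that echoes the secret on both output streams."""
    echo = "import sys; print('got', sys.argv[2]); sys.stderr.write(sys.argv[2])"
    child = [sys.executable, "-c", echo, "--password", secret]
    return run_logged(child, nolog=(secret,))


if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG,
                        format="%(asctime)s %(levelname)s %(message)s")
    demo()
```

Masking covers only the log file: a secret passed on a command line remains visible in the process list while the command runs.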

Comment 7 errata-xmlrpc 2012-02-21 05:42:28 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0190.html

