This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/2415

If the certutil call fails for some reason, the exception is not handled and the client installation is not rolled back.

Attachments:

Client_first_try attachment: ipa-client-install with failing certutil. Certutil failed because of a mess in the filesystem. The client was accidentally installed on ipa-server. The problem with the messed-up files was solved by "ipa-server-install --uninstall".

Client_second_try - ipa-client-install fails, probably because a duplicated host is in LDAP - result of missing rollback/exception handling in the first try.

Affected version: freeipa-client-2.1.4-4.fc16.x86_64

Delete the /etc/pki/nssdb directory and then run ipa-client-install to verify this issue.
Fixed upstream:
master: https://fedorahosted.org/freeipa/changeset/71d134dfa03eb86066eeb331815647bdff04aaa8
ipa-2-2: https://fedorahosted.org/freeipa/changeset/cada19d71f832a9ae9109f8de1050a462300e3a3
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. New Contents: No documentation needed.
Verified. Now, ipa-client installation is rolled back properly when an exception is raised from the certutil call.

"Failed to add CA to the default NSS database.
Installation failed. Rolling back changes."

ipa-client version:
===================
[root@ipaclient1 ~]# rpm -q ipa-client
ipa-client-2.2.0-11.el6.x86_64
[root@ipaclient1 ~]#

Steps used to verify:
====================
(1) Rename /etc/pki/nssdb, which will raise an exception for the certutil call from ipa-client
(2) Run ipa-client-install

[root@ipaclient1 ~]# ipa-client-install -p admin -w Secret123 -U
Discovery was successful!
Hostname: ipaclient1.testrelm.com
Realm: TESTRELM.COM
DNS Domain: testrelm.com
IPA Server: ipa63server.testrelm.com
BaseDN: dc=testrelm,dc=com
Synchronizing time with KDC...
Enrolled in IPA realm TESTRELM.COM
Created /etc/ipa/default.conf
Domain testrelm.com is already configured in existing SSSD config, creating a new one.
The old /etc/sssd/sssd.conf is backed up and will be restored during uninstall.
Configured /etc/sssd/sssd.conf
Failed to add CA to the default NSS database.
Installation failed. Rolling back changes.
[root@ipaclient1 ~]#
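The failure mode in this report, modelled as an added example (not FreeIPA's code and not taken from the linked changesets): an external command that exits non-zero has to be caught so that the steps already completed are undone, otherwise a partially enrolled host is left behind. The install() function, its state dict, the step names and the stand-in for a failing certutil are all hypothetical.

```python
import subprocess
import sys

# Constructed stand-in for a failing certutil call: a child process that exits
# non-zero, as certutil does when /etc/pki/nssdb is missing or damaged.
FAILING_CERTUTIL = [sys.executable, "-c", "import sys; sys.exit(255)"]


class InstallError(Exception):
    """Raised after a failed install has been rolled back."""


def install(state, certutil_cmd, handle_failure=True):
    """Run hypothetical install steps against `state`, a dict standing in for
    the host entry on the server and the files written on the client."""
    undo = []  # stack of callables that reverse the completed steps

    def step(key, value):
        state[key] = value
        undo.append(lambda: state.pop(key, None))

    try:
        step("host_enrolled", True)      # host entry created in LDAP
        step("default_conf", "written")  # /etc/ipa/default.conf
        step("sssd_conf", "written")     # /etc/sssd/sssd.conf
        # check=True turns a non-zero exit status into CalledProcessError;
        # OSError covers a certutil binary that cannot be started at all.
        subprocess.run(certutil_cmd, check=True)
        step("ca_in_nssdb", True)
    except (subprocess.CalledProcessError, OSError) as exc:
        if not handle_failure:
            raise  # behaviour described in the report: partial state stays
        while undo:  # undo in reverse order of execution
            undo.pop()()
        raise InstallError(
            "Failed to add CA to the default NSS database. "
            "Installation failed. Rolling back changes."
        ) from exc
    return state
```

With handle_failure=False the "host_enrolled" entry survives the failed run, which is the condition that makes the second install attempt in the report fail on a duplicated host.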
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2012-0819.html