Bug 800119 - Should not be allowed to run host-disable on an IPA Server or service-disable on an IPA Server service
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.3
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assigned To: Rob Crittenden
QA Contact: IDM QE LIST
Reported: 2012-03-05 14:27 EST by Jenny Galipeau
Modified: 2013-05-21 16:29 EDT
Fixed In Version: ipa-2.2.0-9.el6
Doc Type: Bug Fix
Doc Text:
No documentation needed.
Last Closed: 2012-06-20 09:20:17 EDT
Description Jenny Galipeau 2012-03-05 14:27:00 EST
Description of problem:

You should not be allowed to run host-disable on an IPA server, because it will disable the Kerberos key, SSL certificate and all services for the IPA Server.

# ipa host-disable `hostname`
ipa: ERROR: no modifications to be performed


# ipa user-find
ipa: ERROR: Kerberos error: ('Unspecified GSS failure.  Minor code may provide more information', 851968)/('KDC has no support for encryption type', -1765328370)


Version-Release number of selected component (if applicable):
ipa-server-2.2.0-103.20120302T0507zgitc611d89.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. see description
Comment 1 Jenny Galipeau 2012-03-05 14:29:27 EST
Same is true for not being able to service-disable an IPA Server service
Comment 2 Rob Crittenden 2012-03-06 14:47:20 EST
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/2487
Comment 6 Jenny Galipeau 2012-04-05 10:59:30 EDT
FailedQA :

Still allowed to disable services for DNS and dogtagldap

dogtag and DNS ::


  Principal: DNS/dhcp-185-247.testrelm.com@TESTRELM.COM
  Keytab: False
  Managed by: dhcp-185-247.testrelm.com

  Principal: dogtagldap/dhcp-185-247.testrelm.com@TESTRELM.COM
  Keytab: False
  Managed by: dhcp-185-247.testrelm.com
Comment 7 Jenny Galipeau 2012-04-05 11:00:16 EDT
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: Setup for ipa service tests
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Checking for the presence of ipa-admintools rpm
:: [   PASS   ] :: Checking for the presence of ipa-client rpm
:: [   LOG    ] :: kinit as admin with password Secret123 was successful.
:: [   PASS   ] :: Kinit as admin user
:: [   PASS   ] :: Creating tmp directory
:: [   PASS   ] :: Running 'pushd /tmp/tmp.W7dT0ClWrP'
:: [   LOG    ] :: Duration: 2s
:: [   LOG    ] :: Assertions: 5 good, 0 bad
:: [   PASS   ] :: RESULT: Setup for ipa service tests

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: bz800119 Should not be allowed to run service-disable on an IPA Server
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   LOG    ] :: EXECUTING: ipa service-disable ldap/dhcp-185-247.testrelm.com@TESTRELM.COM
:: [   LOG    ] :: Executing: ipa service-disable ldap/dhcp-185-247.testrelm.com@TESTRELM.COM
:: [   LOG    ] :: "ipa service-disable ldap/dhcp-185-247.testrelm.com@TESTRELM.COM" failed as expected.
:: [   PASS   ] :: Error message as expected: ipa: ERROR: invalid 'principal': This principal is required by the IPA master
:: [   PASS   ] :: Verify expected error message
:: [   LOG    ] :: EXECUTING: ipa service-disable dogtagldap/dhcp-185-247.testrelm.com@TESTRELM.COM
:: [   LOG    ] :: Executing: ipa service-disable dogtagldap/dhcp-185-247.testrelm.com@TESTRELM.COM
:: [   LOG    ] :: ERROR: Expected "ipa service-disable dogtagldap/dhcp-185-247.testrelm.com@TESTRELM.COM" to fail.
:: [   FAIL   ] :: Verify expected error message (Expected 0, got 1)
:: [   LOG    ] :: EXECUTING: ipa service-disable HTTP/dhcp-185-247.testrelm.com@TESTRELM.COM
:: [   LOG    ] :: Executing: ipa service-disable HTTP/dhcp-185-247.testrelm.com@TESTRELM.COM
:: [   LOG    ] :: "ipa service-disable HTTP/dhcp-185-247.testrelm.com@TESTRELM.COM" failed as expected.
:: [   PASS   ] :: Error message as expected: ipa: ERROR: invalid 'principal': This principal is required by the IPA master
:: [   PASS   ] :: Verify expected error message
:: [   LOG    ] :: EXECUTING: ipa service-disable DNS/dhcp-185-247.testrelm.com@TESTRELM.COM
:: [   LOG    ] :: Executing: ipa service-disable DNS/dhcp-185-247.testrelm.com@TESTRELM.COM
:: [   LOG    ] :: "ipa service-disable DNS/dhcp-185-247.testrelm.com@TESTRELM.COM" failed as expected.
:: [   FAIL   ] :: ERROR: Message not as expected. GOT: ipa: ERROR: This entry is already disabled  EXP: ipa: ERROR: invalid 'principal': This principal is required by the IPA master 
:: [   FAIL   ] :: Verify expected error message (Expected 0, got 1)
:: [   LOG    ] :: Duration: 19s
:: [   LOG    ] :: Assertions: 4 good, 3 bad
:: [   FAIL   ] :: RESULT: bz800119 Should not be allowed to run service-disable on an IPA Server
Comment 8 Rob Crittenden 2012-04-05 11:25:16 EDT
Caused by a missing comma in the list of mandatory services. Upstream ticket re-opened.
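
The failure mode named in comment 8, as an added example that is not part of the bug report and is not FreeIPA's code: in Python, the language FreeIPA's server plugins are written in, two adjacent string literals with no comma between them are joined into one string, so both names silently drop out of a membership check. The list contents, the guard `may_disable` and the checker `implicit_concats` are assumptions chosen to match the DNS and dogtagldap failures in comment 7.

```python
import ast
import io
import tokenize

# Constructed sources (not FreeIPA's code). In BROKEN_SRC the comma between
# 'DNS' and 'dogtagldap' is missing, so Python joins the adjacent literals.
BROKEN_SRC = "REQUIRED = ['HTTP', 'ldap', 'DNS' 'dogtagldap']\n"
FIXED_SRC = "REQUIRED = ['HTTP', 'ldap', 'DNS', 'dogtagldap']\n"


def required_services(src):
    """Return the list literal assigned on the first line of src."""
    return ast.literal_eval(ast.parse(src).body[0].value)


def may_disable(principal, required):
    """Hypothetical guard: refuse when the service type is in the required list."""
    return principal.split("/", 1)[0] not in required


def implicit_concats(src):
    """Report (line, value) for list/tuple/set string elements that were
    written as several adjacent literals, i.e. a likely missing comma."""
    hits = []
    for node in ast.walk(ast.parse(src)):
        if not isinstance(node, (ast.List, ast.Tuple, ast.Set)):
            continue
        for elt in node.elts:
            if not (isinstance(elt, ast.Constant) and isinstance(elt.value, str)):
                continue
            # The AST folds 'a' 'b' into one Constant, so count the STRING
            # tokens in the element's own source text instead.
            text = "(" + ast.get_source_segment(src, elt) + ")\n"
            tokens = tokenize.generate_tokens(io.StringIO(text).readline)
            if sum(tok.type == tokenize.STRING for tok in tokens) > 1:
                hits.append((elt.lineno, elt.value))
    return hits


if __name__ == "__main__":
    for label, src in (("broken", BROKEN_SRC), ("fixed", FIXED_SRC)):
        required = required_services(src)
        for svc in ("ldap", "HTTP", "DNS", "dogtagldap"):
            principal = svc + "/ipa1.example.test@EXAMPLE.TEST"  # constructed
            verdict = "allowed" if may_disable(principal, required) else "refused"
            print(label, principal, verdict)
        print(label, "implicit concatenations:", implicit_concats(src))
```

Running a check like `implicit_concats` over allow-lists and deny-lists in review or CI catches this class of gap before a regression test has to.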
Comment 11 Jenny Galipeau 2012-04-23 10:06:50 EDT
verified ::

Services ...

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: bz800119 Should not be allowed to run host-disable on an IPA Server or service-disable on an IPA Server service
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Checking return code attempting to disable ldap/dhcp-185-247.testrelm.com@testrelm.com
:: [   LOG    ] :: Executing: ipa service-disable ldap/dhcp-185-247.testrelm.com@testrelm.com
:: [   LOG    ] :: "ipa service-disable ldap/dhcp-185-247.testrelm.com@testrelm.com" failed as expected.
:: [   PASS   ] :: Error message as expected: ipa: ERROR: invalid 'principal': This principal is required by the IPA master
:: [   PASS   ] :: Verify expected error message for --setattr.
:: [   PASS   ] :: Checking return code attempting to disable dogtagldap/dhcp-185-247.testrelm.com@testrelm.com
:: [   LOG    ] :: Executing: ipa service-disable dogtagldap/dhcp-185-247.testrelm.com@testrelm.com
:: [   LOG    ] :: "ipa service-disable dogtagldap/dhcp-185-247.testrelm.com@testrelm.com" failed as expected.
:: [   PASS   ] :: Error message as expected: ipa: ERROR: invalid 'principal': This principal is required by the IPA master
:: [   PASS   ] :: Verify expected error message for --setattr.
:: [   PASS   ] :: Checking return code attempting to disable HTTP/dhcp-185-247.testrelm.com@testrelm.com
:: [   LOG    ] :: Executing: ipa service-disable HTTP/dhcp-185-247.testrelm.com@testrelm.com
:: [   LOG    ] :: "ipa service-disable HTTP/dhcp-185-247.testrelm.com@testrelm.com" failed as expected.
:: [   PASS   ] :: Error message as expected: ipa: ERROR: invalid 'principal': This principal is required by the IPA master
:: [   PASS   ] :: Verify expected error message for --setattr.
:: [   PASS   ] :: Checking return code attempting to disable DNS/dhcp-185-247.testrelm.com@testrelm.com
:: [   LOG    ] :: Executing: ipa service-disable DNS/dhcp-185-247.testrelm.com@testrelm.com
:: [   LOG    ] :: "ipa service-disable DNS/dhcp-185-247.testrelm.com@testrelm.com" failed as expected.
:: [   PASS   ] :: Error message as expected: ipa: ERROR: invalid 'principal': This principal is required by the IPA master
:: [   PASS   ] :: Verify expected error message for --setattr.
:: [   LOG    ] :: Duration: 28s
:: [   LOG    ] :: Assertions: 12 good, 0 bad
:: [   PASS   ] :: RESULT: bz800119 Should not be allowed to run host-disable on an IPA Server or service-disable on an IPA Server service


hosts ...

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: bz800119 Should not be allowed to run host-disable on an IPA Server
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Get administrator credentials
:: [   LOG    ] :: EXECUTING: ipa host-disable dhcp-185-247.testrelm.com
:: [   LOG    ] :: Executing: ipa host-disable dhcp-185-247.testrelm.com
:: [   LOG    ] :: "ipa host-disable dhcp-185-247.testrelm.com" failed as expected.
:: [   PASS   ] :: Error message as expected: ipa: ERROR: invalid 'hostname': An IPA master host cannot be deleted or disabled
:: [   PASS   ] :: Verify expected error message.
:: [   LOG    ] :: Duration: 7s
:: [   LOG    ] :: Assertions: 3 good, 0 bad
:: [   PASS   ] :: RESULT: bz800119 Should not be allowed to run host-disable on an IPA Server


version ::

ipa-server-2.2.0-10.el6.x86_64
Comment 13 Martin Kosek 2012-04-24 09:34:08 EDT
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
No documentation needed.
Comment 15 errata-xmlrpc 2012-06-20 09:20:17 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0819.html
