Bug 800119 - Should not be allowed to run host-disable on an IPA Server or service-disable on an IPA Server service
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.3
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: rc
Assignee: Rob Crittenden
QA Contact: IDM QE LIST
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2012-03-05 19:27 UTC by Jenny Severance
Modified: 2013-05-21 20:29 UTC

Fixed In Version: ipa-2.2.0-9.el6
Doc Type: Bug Fix
Doc Text:
No documentation needed.
Clone Of:
Environment:
Last Closed: 2012-06-20 13:20:17 UTC
Target Upstream Version:



Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2012:0819 0 normal SHIPPED_LIVE ipa bug fix and enhancement update 2012-06-19 20:34:17 UTC

Description Jenny Severance 2012-03-05 19:27:00 UTC
Description of problem:

You should not be allowed to run host-disable on an IPA server, because it will disable the Kerberos key, SSL certificate and all services for the IPA Server.

# ipa host-disable `hostname`
ipa: ERROR: no modifications to be performed


# ipa user-find
ipa: ERROR: Kerberos error: ('Unspecified GSS failure.  Minor code may provide more information', 851968)/('KDC has no support for encryption type', -1765328370)


Version-Release number of selected component (if applicable):
ipa-server-2.2.0-103.20120302T0507zgitc611d89.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. see description

Comment 1 Jenny Severance 2012-03-05 19:29:27 UTC
Same is true for not being able to service-disable an IPA Server service

Comment 2 Rob Crittenden 2012-03-06 19:47:20 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/2487

Comment 6 Jenny Severance 2012-04-05 14:59:30 UTC
FailedQA :

Still allowed to disable services for DNS and dogtagldap

dogtag and DNS ::


  Principal: DNS/dhcp-185-247.testrelm.com
  Keytab: False
  Managed by: dhcp-185-247.testrelm.com

  Principal: dogtagldap/dhcp-185-247.testrelm.com
  Keytab: False
  Managed by: dhcp-185-247.testrelm.com

Comment 7 Jenny Severance 2012-04-05 15:00:16 UTC
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: Setup for ipa service tests
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Checking for the presence of ipa-admintools rpm
:: [   PASS   ] :: Checking for the presence of ipa-client rpm
:: [   LOG    ] :: kinit as admin with password Secret123 was successful.
:: [   PASS   ] :: Kinit as admin user
:: [   PASS   ] :: Creating tmp directory
:: [   PASS   ] :: Running 'pushd /tmp/tmp.W7dT0ClWrP'
:: [   LOG    ] :: Duration: 2s
:: [   LOG    ] :: Assertions: 5 good, 0 bad
:: [   PASS   ] :: RESULT: Setup for ipa service tests

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: bz800119 Should not be allowed to run service-disable on an IPA Server
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   LOG    ] :: EXECUTING: ipa service-disable ldap/dhcp-185-247.testrelm.com
:: [   LOG    ] :: Executing: ipa service-disable ldap/dhcp-185-247.testrelm.com
:: [   LOG    ] :: "ipa service-disable ldap/dhcp-185-247.testrelm.com" failed as expected.
:: [   PASS   ] :: Error message as expected: ipa: ERROR: invalid 'principal': This principal is required by the IPA master
:: [   PASS   ] :: Verify expected error message
:: [   LOG    ] :: EXECUTING: ipa service-disable dogtagldap/dhcp-185-247.testrelm.com
:: [   LOG    ] :: Executing: ipa service-disable dogtagldap/dhcp-185-247.testrelm.com
:: [   LOG    ] :: ERROR: Expected "ipa service-disable dogtagldap/dhcp-185-247.testrelm.com" to fail.
:: [   FAIL   ] :: Verify expected error message (Expected 0, got 1)
:: [   LOG    ] :: EXECUTING: ipa service-disable HTTP/dhcp-185-247.testrelm.com
:: [   LOG    ] :: Executing: ipa service-disable HTTP/dhcp-185-247.testrelm.com
:: [   LOG    ] :: "ipa service-disable HTTP/dhcp-185-247.testrelm.com" failed as expected.
:: [   PASS   ] :: Error message as expected: ipa: ERROR: invalid 'principal': This principal is required by the IPA master
:: [   PASS   ] :: Verify expected error message
:: [   LOG    ] :: EXECUTING: ipa service-disable DNS/dhcp-185-247.testrelm.com
:: [   LOG    ] :: Executing: ipa service-disable DNS/dhcp-185-247.testrelm.com
:: [   LOG    ] :: "ipa service-disable DNS/dhcp-185-247.testrelm.com" failed as expected.
:: [   FAIL   ] :: ERROR: Message not as expected. GOT: ipa: ERROR: This entry is already disabled  EXP: ipa: ERROR: invalid 'principal': This principal is required by the IPA master 
:: [   FAIL   ] :: Verify expected error message (Expected 0, got 1)
:: [   LOG    ] :: Duration: 19s
:: [   LOG    ] :: Assertions: 4 good, 3 bad
:: [   FAIL   ] :: RESULT: bz800119 Should not be allowed to run service-disable on an IPA Server

Comment 8 Rob Crittenden 2012-04-05 15:25:16 UTC
Caused by a missing comma in the list of mandatory services. Upstream ticket re-opened.
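
Added example, not part of the comment above and not FreeIPA's own code: in Python, two adjacent string literals are joined silently, so a missing comma in a list of protected service types merges two entries into one that matches neither. The list order, variable names and helper functions below are assumptions chosen to match the FailedQA log (ldap and HTTP refused, dogtagldap and DNS not protected).

```python
import ast
import io
import tokenize

# Constructed stand-ins for a list of mandatory service types. The service
# names come from the QA log on this page; the variable name and the order
# of the entries are hypothetical.
BUGGY_SRC = "MANDATORY = ['ldap', 'HTTP', 'dogtagldap' 'DNS']\n"
FIXED_SRC = "MANDATORY = ['ldap', 'HTTP', 'dogtagldap', 'DNS']\n"


def load_list(src):
    """Evaluate the list literal on the right-hand side of the assignment."""
    return ast.literal_eval(ast.parse(src).body[0].value)


def is_protected(principal, mandatory):
    """True if the service part of 'service/host' is in the mandatory list."""
    service = principal.split("/", 1)[0]
    return service.lower() in [m.lower() for m in mandatory]


def implicit_concats(src):
    """Return (line, text) for each string literal that directly follows
    another string literal, which is where Python joins them silently."""
    hits = []
    prev = None
    for tok in tokenize.generate_tokens(io.StringIO(src).readline):
        # Line continuations and comments inside brackets do not separate
        # literals, so they are skipped when looking for neighbours.
        if tok.type in (tokenize.NL, tokenize.COMMENT):
            continue
        if (tok.type == tokenize.STRING and prev is not None
                and prev.type == tokenize.STRING):
            hits.append((tok.start[0], prev.string + " " + tok.string))
        prev = tok
    return hits


if __name__ == "__main__":
    host = "dhcp-185-247.testrelm.com"  # host name from the log on this page
    for label, src in (("buggy", BUGGY_SRC), ("fixed", FIXED_SRC)):
        services = load_list(src)
        print(label, services, implicit_concats(src))
        for svc in ("ldap", "dogtagldap", "HTTP", "DNS"):
            print("  %s/%s protected: %s"
                  % (svc, host, is_protected(svc + "/" + host, services)))
```

Running `implicit_concats` over source files in CI catches this class of mistake before a deny-list or allow-list ships with a merged entry.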

Comment 11 Jenny Severance 2012-04-23 14:06:50 UTC
verified ::

Services ...

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: bz800119 Should not be allowed to run host-disable on an IPA Server or service-disable on an IPA Server service
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Checking return code attempting to disable ldap/dhcp-185-247.testrelm.com
:: [   LOG    ] :: Executing: ipa service-disable ldap/dhcp-185-247.testrelm.com
:: [   LOG    ] :: "ipa service-disable ldap/dhcp-185-247.testrelm.com" failed as expected.
:: [   PASS   ] :: Error message as expected: ipa: ERROR: invalid 'principal': This principal is required by the IPA master
:: [   PASS   ] :: Verify expected error message for --setattr.
:: [   PASS   ] :: Checking return code attempting to disable dogtagldap/dhcp-185-247.testrelm.com
:: [   LOG    ] :: Executing: ipa service-disable dogtagldap/dhcp-185-247.testrelm.com
:: [   LOG    ] :: "ipa service-disable dogtagldap/dhcp-185-247.testrelm.com" failed as expected.
:: [   PASS   ] :: Error message as expected: ipa: ERROR: invalid 'principal': This principal is required by the IPA master
:: [   PASS   ] :: Verify expected error message for --setattr.
:: [   PASS   ] :: Checking return code attempting to disable HTTP/dhcp-185-247.testrelm.com
:: [   LOG    ] :: Executing: ipa service-disable HTTP/dhcp-185-247.testrelm.com
:: [   LOG    ] :: "ipa service-disable HTTP/dhcp-185-247.testrelm.com" failed as expected.
:: [   PASS   ] :: Error message as expected: ipa: ERROR: invalid 'principal': This principal is required by the IPA master
:: [   PASS   ] :: Verify expected error message for --setattr.
:: [   PASS   ] :: Checking return code attempting to disable DNS/dhcp-185-247.testrelm.com
:: [   LOG    ] :: Executing: ipa service-disable DNS/dhcp-185-247.testrelm.com
:: [   LOG    ] :: "ipa service-disable DNS/dhcp-185-247.testrelm.com" failed as expected.
:: [   PASS   ] :: Error message as expected: ipa: ERROR: invalid 'principal': This principal is required by the IPA master
:: [   PASS   ] :: Verify expected error message for --setattr.
:: [   LOG    ] :: Duration: 28s
:: [   LOG    ] :: Assertions: 12 good, 0 bad
:: [   PASS   ] :: RESULT: bz800119 Should not be allowed to run host-disable on an IPA Server or service-disable on an IPA Server service


hosts ...

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: bz800119 Should not be allowed to run host-disable on an IPA Server
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Get administrator credentials
:: [   LOG    ] :: EXECUTING: ipa host-disable dhcp-185-247.testrelm.com
:: [   LOG    ] :: Executing: ipa host-disable dhcp-185-247.testrelm.com
:: [   LOG    ] :: "ipa host-disable dhcp-185-247.testrelm.com" failed as expected.
:: [   PASS   ] :: Error message as expected: ipa: ERROR: invalid 'hostname': An IPA master host cannot be deleted or disabled
:: [   PASS   ] :: Verify expected error message.
:: [   LOG    ] :: Duration: 7s
:: [   LOG    ] :: Assertions: 3 good, 0 bad
:: [   PASS   ] :: RESULT: bz800119 Should not be allowed to run host-disable on an IPA Server


version ::

ipa-server-2.2.0-10.el6.x86_64

Comment 13 Martin Kosek 2012-04-24 13:34:08 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
No documentation needed.

Comment 15 errata-xmlrpc 2012-06-20 13:20:17 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0819.html

