Bug 827162 - ipa-client uninstall causes a crash after installing using --preserve-sssd
Summary: ipa-client uninstall causes a crash after installing using --preserve-sssd
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.3
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Rob Crittenden
QA Contact: Namita Soman
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2012-05-31 19:20 UTC by Namita Soman
Modified: 2013-06-20 16:56 UTC (History)

Fixed In Version: ipa-3.0.0-1.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-02-21 09:14:41 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)
ipaclient-uninstall.log sssd.conf ipaclient-install.log krb5.conf (40.00 KB, application/x-tar)
2012-05-31 19:35 UTC, Namita Soman


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2013:0528 0 normal SHIPPED_LIVE Low: ipa security, bug fix and enhancement update 2013-02-21 08:22:21 UTC

Description Namita Soman 2012-05-31 19:20:03 UTC
Description of problem:

Automation seems to always have a crash, but doing it manually, it is not always crashing.

Sequence of events:
Install ipa-client using --preserve-sssd (attaching what sssd.conf and krb5.conf looked like before install)
Uninstall 

And the crash is as seen below:

Install:
# ipa-client-install --domain=testrelm.com --realm=TESTRELM.COM  -p admin -w Secret123 -U --server=qe-blade-05.testrelm.com --preserve-sssd
Discovery was successful!
Hostname: ipaqa64vmb.testrelm.com
Realm: TESTRELM.COM
DNS Domain: testrelm.com
IPA Server: qe-blade-05.testrelm.com
BaseDN: dc=testrelm,dc=com


Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync.

Enrolled in IPA realm TESTRELM.COM
Created /etc/ipa/default.conf
Unable to activate the SSH service in SSSD config.
Please make sure you have SSSD built with SSH support installed.
Configure SSH support manually in /etc/sssd/sssd.conf.
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm TESTRELM.COM
Warning: Hostname (ipaqa64vmb.testrelm.com) not found in DNS
DNS server record set to: ipaqa64vmb.testrelm.com -> 10.16.98.183
SSSD enabled
NTP enabled
Client configuration complete.

Uninstall:
# ipa-client-install --uninstall
Unenrolling client from IPA server
Unenrolling host failed: Error obtaining initial credentials: Preauthentication failed.

Removing Kerberos service principals from /etc/krb5.keytab
Disabling client Kerberos and LDAP configurations
Restoring client configuration files
The original configuration of SSSD included other domains than IPA-based one.
Original configuration file is restored, restarting SSSD service.
Traceback (most recent call last):
  File "/usr/sbin/ipa-client-install", line 1558, in <module>
    sys.exit(main())
  File "/usr/sbin/ipa-client-install", line 1538, in main
    return uninstall(options, env)
  File "/usr/sbin/ipa-client-install", line 409, in uninstall
    sssd.restart()
  File "/usr/lib/python2.6/site-packages/ipapython/platform/redhat.py", line 47, in restart
    ipautil.run(["/sbin/service", self.service_name, "restart", instance_name], capture_output=capture_output)
  File "/usr/lib/python2.6/site-packages/ipapython/ipautil.py", line 291, in run
    raise CalledProcessError(p.returncode, args)
subprocess.CalledProcessError: Command '/sbin/service sssd restart ' returned non-zero exit status 1


Version-Release number of selected component (if applicable):
ipa-client-2.2.0-16.el6.x86_64

How reproducible:
not always

Steps to Reproduce:
1. As indicated above
  
Actual results:
uninstall crashes

Expected results:
uninstall successfully

Additional info:

Comment 1 Namita Soman 2012-05-31 19:35:30 UTC
Created attachment 588181 [details]
ipaclient-uninstall.log  sssd.conf ipaclient-install.log  krb5.conf

Comment 3 Martin Kosek 2012-06-01 06:54:08 UTC
I tried to reproduce the issue manually, but the uninstall (with your configuration) worked for me as well.

Namita, can you please also include /etc/sssd/sssd.conf in the state after the IPA client uninstallation and what is in /var/log/messages? The reason why sssd failed to start should be there. sssd may have failed to start for example because of incorrect permissions on /etc/sssd/sssd.conf.

Comment 4 Namita Soman 2012-06-06 18:14:34 UTC
Yes - incorrect permissions was the most likely cause. I don't have the setup, but /var/log/messages had a message about the permission. After I had the corrected sssd.conf, I didn't see the crash. But should the uninstall fail with a crash because of permissions?
Also, as far as I remember, sssd.conf didn't change, because I had started with this sssd.conf to test preserve-sssd... so it restores back to what I started with.

Comment 5 Martin Kosek 2012-06-07 11:13:15 UTC
I tested this use case again today and it worked for me - if /etc/sssd/sssd.conf permissions were right before ipa-client-install, they were preserved after uninstall as we edit the file in-place.

Namita, can you please check if the permissions in the failing scenario were in a correct state? When the permissions are right, you would see something like this (i.e. no access for group, others):

# ll /etc/sssd/sssd.conf
-rw-------. 1 root root 371 Jun  1 02:47 /etc/sssd/sssd.conf

Comment 6 Namita Soman 2012-06-11 13:50:23 UTC
The permissions were not correct, and it looks like that was causing the crash. Can we give an error of some sort instead of crashing?

Comment 7 Martin Kosek 2012-06-11 14:50:22 UTC
Right, we can do that. I will open a ticket.

Comment 8 Martin Kosek 2012-06-11 15:26:41 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/2827

Comment 9 Martin Kosek 2012-08-14 13:47:49 UTC
Fixed upstream:
master: https://fedorahosted.org/freeipa/changeset/53967f21bd4c35dee2209d1d80b65deb2ad177d6

Comment 13 Kaleem 2012-11-26 15:44:40 UTC
Verified.

Now the following message is displayed in the ipa-client uninstallation console messages instead of crashing:

"SSSD service restart was unsuccessful."

ipa-client/sssd version:
=======================
[root@rhel64client1 ~]# rpm -q ipa-client sssd
ipa-client-3.0.0-8.el6.x86_64
sssd-1.9.2-21.el6.x86_64
[root@rhel64client1 ~]#

[root@rhel64client1 ~]# ipa-client-install -p admin -w xxxxxxxx --server=rhel64master.testrelm.com --domain=testrelm.com --preserve-sssd -U 
Hostname: rhel64client1.testrelm.com
Realm: TESTRELM.COM
DNS Domain: testrelm.com
IPA Server: rhel64master.testrelm.com
BaseDN: dc=testrelm,dc=com

Synchronizing time with KDC...
Enrolled in IPA realm TESTRELM.COM
Created /etc/ipa/default.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm TESTRELM.COM
trying https://rhel64master.testrelm.com/ipa/xml
Hostname (rhel64client1.testrelm.com) not found in DNS
Failed to update DNS records.
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Forwarding 'host_mod' to server u'http://rhel64master.testrelm.com/ipa/xml'
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
Unable to find 'admin' user with 'getent passwd admin'!
Recognized configuration: SSSD
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Client configuration complete.
[root@rhel64client1 ~]# 

[root@rhel64client1 ~]# ls -la /etc/sssd/sssd.conf
-rw-------. 1 root root 645 Nov 26 10:37 /etc/sssd/sssd.conf
[root@rhel64client1 ~]#

[root@rhel64client1 ~]# chmod 666 /etc/sssd/sssd.conf

[root@rhel64client1 ~]# ls -la /etc/sssd/sssd.conf
-rw-rw-rw-. 1 root root 645 Nov 26 10:37 /etc/sssd/sssd.conf
[root@rhel64client1 ~]# ipa-client-install --uninstall -U

[root@rhel64client1 ~]# ipa-client-install --uninstall -U
Unenrolling client from IPA server
Removing Kerberos service principals from /etc/krb5.keytab
Disabling client Kerberos and LDAP configurations
The original configuration of SSSD included other domains than the IPA-based one.
Original pre-IPA SSSD configuration file was restored to /etc/sssd/sssd.conf.bkp.
IPA domain removed from current one, restarting SSSD service
SSSD service restart was unsuccessful.
Restoring client configuration files
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Client uninstall complete.
[root@rhel64client1 ~]#

Extract from /var/log/messages:
===============================
Nov 26 10:38:11 rhel64client1 oddjobd: oddjobd startup succeeded
Nov 26 10:38:11 rhel64client1 sssd: Cannot read config file /etc/sssd/sssd.conf, please check if permissions are 0600 and the file is owned by root.root
Nov 26 10:38:12 rhel64client1 ntpd[9208]: ntpd exiting on signal 15
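
The behaviour verified above, as an added example that is not the FreeIPA change itself or any code from this bug: a pre-flight check for the condition sssd logs ("permissions are 0600 and the file is owned by root.root") plus a restart wrapper that reports failure instead of raising. The function names and the exact 0600 comparison are assumptions taken from that log line.

```python
import os
import stat
import subprocess
import sys


def check_sssd_conf(path="/etc/sssd/sssd.conf", expected_uid=0, expected_gid=0):
    """Return a list of problems that would make sssd refuse to read `path`."""
    try:
        st = os.lstat(path)  # lstat: do not follow a symlink placed at the path
    except OSError as exc:
        return ["cannot stat %s: %s" % (path, exc.strerror)]
    problems = []
    if not stat.S_ISREG(st.st_mode):
        problems.append("%s is not a regular file" % path)
    if st.st_uid != expected_uid or st.st_gid != expected_gid:
        problems.append("%s is owned by %d:%d, expected %d:%d"
                        % (path, st.st_uid, st.st_gid, expected_uid, expected_gid))
    mode = stat.S_IMODE(st.st_mode)
    if mode != 0o600:  # assumption: exactly 0600, as the sssd log message asks
        problems.append("%s has mode %04o, expected 0600" % (path, mode))
    return problems


def restart_service(cmd):
    """Run a restart command; report a failure instead of raising a traceback."""
    try:
        subprocess.check_call(cmd)
        return True
    except (subprocess.CalledProcessError, OSError) as exc:
        sys.stderr.write("SSSD service restart was unsuccessful. (%s)\n" % exc)
        return False


def safe_restart_sssd(path="/etc/sssd/sssd.conf",
                      cmd=("/sbin/service", "sssd", "restart")):
    """Explain why a restart is likely to fail, then attempt it anyway."""
    problems = check_sssd_conf(path)
    for problem in problems:
        sys.stderr.write("sssd.conf check: %s\n" % problem)
    restarted = restart_service(list(cmd))
    return restarted and not problems
```

Run on the host in this comment after the `chmod 666`, `check_sssd_conf()` would report the mode before the restart is attempted, which points the operator at the cause rather than only at the failed restart.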

Comment 15 errata-xmlrpc 2013-02-21 09:14:41 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0528.html

