Bug 827162 - ipa-client uninstall causes a crash after installing using --preserve-sssd
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.3
Priority: high, Severity: unspecified
Target Milestone: rc
Assigned To: Rob Crittenden
QA Contact: Namita Soman

Reported: 2012-05-31 15:20 EDT by Namita Soman
Modified: 2013-06-20 12:56 EDT
Fixed In Version: ipa-3.0.0-1.el6
Doc Type: Bug Fix
Last Closed: 2013-02-21 04:14:41 EST
Type: Bug


Attachments:
ipaclient-uninstall.log sssd.conf ipaclient-install.log krb5.conf (40.00 KB, application/x-tar), 2012-05-31 15:35 EDT, Namita Soman

Description Namita Soman 2012-05-31 15:20:03 EDT
Description of problem:

Automation seems to always have a crash, but doing it manually, it is not always crashing.

Sequence of events:
Install ipa-client using --preserve-sssd (attaching what sssd.conf and krb5.conf looked like before install)
Uninstall 

And the crash is as seen below:

Install:
# ipa-client-install --domain=testrelm.com --realm=TESTRELM.COM  -p admin -w Secret123 -U --server=qe-blade-05.testrelm.com --preserve-sssd
Discovery was successful!
Hostname: ipaqa64vmb.testrelm.com
Realm: TESTRELM.COM
DNS Domain: testrelm.com
IPA Server: qe-blade-05.testrelm.com
BaseDN: dc=testrelm,dc=com


Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync.

Enrolled in IPA realm TESTRELM.COM
Created /etc/ipa/default.conf
Unable to activate the SSH service in SSSD config.
Please make sure you have SSSD built with SSH support installed.
Configure SSH support manually in /etc/sssd/sssd.conf.
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm TESTRELM.COM
Warning: Hostname (ipaqa64vmb.testrelm.com) not found in DNS
DNS server record set to: ipaqa64vmb.testrelm.com -> 10.16.98.183
SSSD enabled
NTP enabled
Client configuration complete.

Uninstall:
# ipa-client-install --uninstall
Unenrolling client from IPA server
Unenrolling host failed: Error obtaining initial credentials: Preauthentication failed.

Removing Kerberos service principals from /etc/krb5.keytab
Disabling client Kerberos and LDAP configurations
Restoring client configuration files
The original configuration of SSSD included other domains than IPA-based one.
Original configuration file is restored, restarting SSSD service.
Traceback (most recent call last):
  File "/usr/sbin/ipa-client-install", line 1558, in <module>
    sys.exit(main())
  File "/usr/sbin/ipa-client-install", line 1538, in main
    return uninstall(options, env)
  File "/usr/sbin/ipa-client-install", line 409, in uninstall
    sssd.restart()
  File "/usr/lib/python2.6/site-packages/ipapython/platform/redhat.py", line 47, in restart
    ipautil.run(["/sbin/service", self.service_name, "restart", instance_name], capture_output=capture_output)
  File "/usr/lib/python2.6/site-packages/ipapython/ipautil.py", line 291, in run
    raise CalledProcessError(p.returncode, args)
subprocess.CalledProcessError: Command '/sbin/service sssd restart ' returned non-zero exit status 1


Version-Release number of selected component (if applicable):
ipa-client-2.2.0-16.el6.x86_64

How reproducible:
not always

Steps to Reproduce:
1. As indicated above
  
Actual results:
uninstall crashes

Expected results:
uninstall successfully

Additional info:
Comment 1 Namita Soman 2012-05-31 15:35:30 EDT
Created attachment 588181
ipaclient-uninstall.log  sssd.conf ipaclient-install.log  krb5.conf
Comment 3 Martin Kosek 2012-06-01 02:54:08 EDT
I tried to reproduce the issue manually, but the uninstall (with your configuration) worked for me as well.

Namita, can you please also include /etc/sssd/sssd.conf in the state after the IPA client uninstallation and what is in /var/log/messages? The reason why sssd failed to start should be there. sssd may have failed to start for example because of incorrect permissions on /etc/sssd/sssd.conf.
Comment 4 Namita Soman 2012-06-06 14:14:34 EDT
Yes - incorrect permissions was the most likely cause. I don't have the setup, but /var/log/messages had a message about the permission. After I had the corrected sssd.conf, I didn't see the crash. But should the uninstall fail with a crash because of permissions?
Also, as far as I remember, sssd.conf didn't change, because I had started with this sssd.conf to test preserve-sssd...so it restores back to what I started with.
Comment 5 Martin Kosek 2012-06-07 07:13:15 EDT
I tested this use case again today and it worked for me - if /etc/sssd/sssd.conf permissions were right before ipa-client-install, they were preserved after uninstall as we edit the file in-place.

Namita, can you please check if the permissions in the failing scenario were in a correct state? When the permissions are right, you would see something like this (i.e. no access for group, others):

# ll /etc/sssd/sssd.conf
-rw-------. 1 root root 371 Jun  1 02:47 /etc/sssd/sssd.conf
Comment 6 Namita Soman 2012-06-11 09:50:23 EDT
The permissions were not correct, and it looks like that was causing the crash. Can we give an error of some sort instead of crashing?
Comment 7 Martin Kosek 2012-06-11 10:50:22 EDT
Right, we can do that. I will open a ticket.
Comment 8 Martin Kosek 2012-06-11 11:26:41 EDT
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/2827
Comment 9 Martin Kosek 2012-08-14 09:47:49 EDT
Fixed upstream:
master: https://fedorahosted.org/freeipa/changeset/53967f21bd4c35dee2209d1d80b65deb2ad177d6
Comment 13 Kaleem 2012-11-26 10:44:40 EST
Verified.

Now the following message is displayed in the ipa-client uninstallation console messages instead of crashing:

"SSSD service restart was unsuccessful."

ipa-client/sssd version:
=======================
[root@rhel64client1 ~]# rpm -q ipa-client sssd
ipa-client-3.0.0-8.el6.x86_64
sssd-1.9.2-21.el6.x86_64
[root@rhel64client1 ~]#

[root@rhel64client1 ~]# ipa-client-install -p admin -w xxxxxxxx --server=rhel64master.testrelm.com --domain=testrelm.com --preserve-sssd -U 
Hostname: rhel64client1.testrelm.com
Realm: TESTRELM.COM
DNS Domain: testrelm.com
IPA Server: rhel64master.testrelm.com
BaseDN: dc=testrelm,dc=com

Synchronizing time with KDC...
Enrolled in IPA realm TESTRELM.COM
Created /etc/ipa/default.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm TESTRELM.COM
trying https://rhel64master.testrelm.com/ipa/xml
Hostname (rhel64client1.testrelm.com) not found in DNS
Failed to update DNS records.
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Forwarding 'host_mod' to server u'http://rhel64master.testrelm.com/ipa/xml'
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
Unable to find 'admin' user with 'getent passwd admin'!
Recognized configuration: SSSD
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Client configuration complete.
[root@rhel64client1 ~]# 

[root@rhel64client1 ~]# ls -la /etc/sssd/sssd.conf
-rw-------. 1 root root 645 Nov 26 10:37 /etc/sssd/sssd.conf
[root@rhel64client1 ~]#

[root@rhel64client1 ~]# chmod 666 /etc/sssd/sssd.conf

[root@rhel64client1 ~]# ls -la /etc/sssd/sssd.conf
-rw-rw-rw-. 1 root root 645 Nov 26 10:37 /etc/sssd/sssd.conf
[root@rhel64client1 ~]# ipa-client-install --uninstall -U

[root@rhel64client1 ~]# ipa-client-install --uninstall -U
Unenrolling client from IPA server
Removing Kerberos service principals from /etc/krb5.keytab
Disabling client Kerberos and LDAP configurations
The original configuration of SSSD included other domains than the IPA-based one.
Original pre-IPA SSSD configuration file was restored to /etc/sssd/sssd.conf.bkp.
IPA domain removed from current one, restarting SSSD service
SSSD service restart was unsuccessful.
Restoring client configuration files
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Client uninstall complete.
[root@rhel64client1 ~]#

Extract from /var/log/messages:
===============================
Nov 26 10:38:11 rhel64client1 oddjobd: oddjobd startup succeeded
Nov 26 10:38:11 rhel64client1 sssd: Cannot read config file /etc/sssd/sssd.conf, please check if permissions are 0600 and the file is owned by root.root
Nov 26 10:38:12 rhel64client1 ntpd[9208]: ntpd exiting on signal 15
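
The failure mode in this report, as an added example that is not FreeIPA's code or the upstream fix: a restart wrapper that catches the non-zero exit instead of raising a traceback, and names the sssd.conf permission problem itself. The function names are hypothetical; the 0600 and root-owned requirement is taken from the sssd log line above, and the message prefix is the one shown in the verification.

```python
import os
import stat
import subprocess
import sys
import tempfile

REQUIRED_MODE = 0o600  # from the sssd log line: "permissions are 0600"


def check_conf(path, required_uid=0, required_gid=0):
    """Return the reasons sssd would refuse to read `path` (empty if none)."""
    try:
        st = os.lstat(path)  # lstat: do not follow a symlink placed at the path
    except OSError as exc:
        return ["cannot stat %s: %s" % (path, exc.strerror)]
    problems = []
    if not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
    mode = stat.S_IMODE(st.st_mode)
    if mode != REQUIRED_MODE:
        problems.append("mode is %04o, expected %04o" % (mode, REQUIRED_MODE))
    if st.st_uid != required_uid or st.st_gid != required_gid:
        problems.append("owner is %d:%d, expected %d:%d"
                        % (st.st_uid, st.st_gid, required_uid, required_gid))
    return problems


def restart_or_report(cmd, conf_path, **owner):
    """Run the restart command; on failure return (False, message), never raise."""
    try:
        subprocess.check_call(cmd)
        return True, "restarted"
    except (subprocess.CalledProcessError, OSError):
        reasons = check_conf(conf_path, **owner) or ["see /var/log/messages"]
        return False, "SSSD service restart was unsuccessful: " + "; ".join(reasons)


if __name__ == "__main__":
    # Constructed demo: a temp file stands in for /etc/sssd/sssd.conf and a
    # command that exits 1 stands in for "/sbin/service sssd restart".
    fd, conf = tempfile.mkstemp()
    os.close(fd)
    st = os.stat(conf)
    own = {"required_uid": st.st_uid, "required_gid": st.st_gid}
    os.chmod(conf, 0o666)  # same mode as in the verification steps
    failing = [sys.executable, "-c", "raise SystemExit(1)"]
    print(restart_or_report(failing, conf, **own))
    os.remove(conf)
```
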
Comment 15 errata-xmlrpc 2013-02-21 04:14:41 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0528.html
