Bug 979197 - ipa-client-install : ambiguity in option --force
Summary: ipa-client-install : ambiguity in option --force
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.4
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: rc
Assignee: Martin Kosek
QA Contact: Namita Soman
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2013-06-27 22:07 UTC by Yi Zhang
Modified: 2013-12-09 01:53 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-07-01 13:06:54 UTC
Target Upstream Version:
Embargoed:



Description Yi Zhang 2013-06-27 22:07:16 UTC
Description of problem:
It appears to me that the option "--force" in ipa-client-install has a different meaning when the ipa host connects to ipa server ipa-server-2.2.0-16.el6.i686 vs. ipa-server-selinux-3.0.0-25.el6.i686.

When I try ipa-client-install against ipa-server 2.2 (release bits in rhel6.3), "--force" has to be used when (1) under "unattended" mode and (2) no /etc/ipa/ca.crt file exists on the ipa client host.

If I try the same command on the same ipa client host, but against ipa-server 3.0 (release bit in rhel6.4), "--force" is not required. 

Please check the following output:

======= test one: rhel5.10 client --> rhel6.3 ipa server (ver 2.2) =====
[root@green (RH5.10-x86_64) install-client-cli] ipa-client-install --server=eggfruit.yzhang.redhat.com --domain=yzhang.redhat.com -p admin -w Secret123 --realm=YZHANG.REDHAT.COM -U
Hostname: green.yzhang.redhat.com
Realm: YZHANG.REDHAT.COM
DNS Domain: yzhang.redhat.com
IPA Server: eggfruit.yzhang.redhat.com
BaseDN: dc=yzhang,dc=redhat,dc=com


Synchronizing time with KDC...

root        : ERROR    In unattended mode without a One Time Password (OTP) or without --ca-cert-file
You must specify --force to retrieve the CA cert using HTTP
root        : ERROR    Cannot obtain CA certificate
HTTP certificate download requires --force
Installation failed. Rolling back changes.
IPA client is not configured on this system.

======= test two: rhel5.10 client --> rhel6.4 ipa server (ver 3.0) =====
[root@green (RH5.10-x86_64) install-client-cli] ipa-client-install --server=apple.yzhang.redhat.com --domain=yzhang.redhat.com -p admin -w Secret123 --realm=YZHANG.REDHAT.COM -U
Hostname: green.yzhang.redhat.com
Realm: YZHANG.REDHAT.COM
DNS Domain: yzhang.redhat.com
IPA Server: apple.yzhang.redhat.com
BaseDN: dc=yzhang,dc=redhat,dc=com


Synchronizing time with KDC...

Enrolled in IPA realm YZHANG.REDHAT.COM
Created /etc/ipa/default.conf
Unable to parse existing SSSD config. As option --preserve-sssd was not specified, new config will override the old one.
The old /etc/sssd/sssd.conf is backed up and will be restored during uninstall.
root        : ERROR    Unable to parse existing SSSD config and --preserve-sssd was not specified: [Errno 2] No such file or directory: '/etc/sssd/sssd.conf'
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm YZHANG.REDHAT.COM
SSSD enabled
NTP enabled
Client configuration complete.




Version-Release number of selected component (if applicable):
ipa-client-2.1.3-7.el5
ipa-server-2.2.0-16.el6.i686
ipa-server-3.0.0-25.el6.i686

How reproducible: always


Steps to Reproduce:
1.
2.
3.

Actual results: without using "--force", ipa-client-install fails if the ipa master is version 2.2, and it succeeds if the ipa server version is 3.0.


Expected results: consistent behavior regarding the "--force" option.


Additional info:
On all 3 versions (rhel5.10, rhel6.3 & rhel6.4), ipa-client-install -h outputs the same message for "--force":
-f, --force         force setting of LDAP/Kerberos conf

I don't expect this option to be related to the ca.crt download.

Comment 2 Martin Kosek 2013-06-28 05:42:56 UTC
I do not think this has anything to do with --force option. I rather think that after your first test, /etc/ipa/ca.crt was created on the system, thus the second test with rhel6.4 ipa server succeeded - it did not need to download the cert, it already had it in /etc/ipa/ca.crt.

Yi, can you please confirm that this is the case? If yes, please close the bug as NOTABUG.

Comment 3 Yi Zhang 2013-06-28 15:37:44 UTC
Martin:
I still stand by my finding.
I redid the above test, removing the /etc/ipa/ca.crt file first, and I got the same result.

== test one: against rhel6.4 ipa master ====
[root@green (RH5.10-x86_64) install-client-cli] ls /etc/ipa/ca.crt 
/etc/ipa/ca.crt
[root@green (RH5.10-x86_64) install-client-cli] rm /etc/ipa/ca.crt 
rm: remove regular file `/etc/ipa/ca.crt'? yes
[root@green (RH5.10-x86_64) install-client-cli] ls -l /etc/ipa
total 0
[root@green (RH5.10-x86_64) install-client-cli] ipa-client-install --server=apple.yzhang.redhat.com --domain=yzhang.redhat.com -p admin -w Secret123 --realm=YZHANG.REDHAT.COM -U
Hostname: green.yzhang.redhat.com
Realm: YZHANG.REDHAT.COM
DNS Domain: yzhang.redhat.com
IPA Server: apple.yzhang.redhat.com
BaseDN: dc=yzhang,dc=redhat,dc=com


Synchronizing time with KDC...

Enrolled in IPA realm YZHANG.REDHAT.COM
Created /etc/ipa/default.conf
Domain yzhang.redhat.com is already configured in existing SSSD config, creating a new one.
The old /etc/sssd/sssd.conf is backed up and will be restored during uninstall.
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm YZHANG.REDHAT.COM
SSSD enabled
NTP enabled
Client configuration complete.
[root@green (RH5.10-x86_64) install-client-cli] ipa-client-install --uninstall -U
Unenrolling client from IPA server
Removing Kerberos service principals from /etc/krb5.keytab
Disabling client Kerberos and LDAP configurations
Restoring client configuration files

==== test two: against rhel6.3 ipa master on the same ipa client host ====
[root@green (RH5.10-x86_64) install-client-cli] ls /etc/ipa/ca.crt 
/etc/ipa/ca.crt
[root@green (RH5.10-x86_64) install-client-cli] rm /etc/ipa/ca.crt 
rm: remove regular file `/etc/ipa/ca.crt'? yes
[root@green (RH5.10-x86_64) install-client-cli] ls -l /etc/ipa
total 0
[root@green (RH5.10-x86_64) install-client-cli] ipa-client-install --server=eggfruit.yzhang.redhat.com --domain=yzhang.redhat.com -p admin -w Secret123 --realm=YZHANG.REDHAT.COM -U
Hostname: green.yzhang.redhat.com
Realm: YZHANG.REDHAT.COM
DNS Domain: yzhang.redhat.com
IPA Server: eggfruit.yzhang.redhat.com
BaseDN: dc=yzhang,dc=redhat,dc=com


Synchronizing time with KDC...

root        : ERROR    In unattended mode without a One Time Password (OTP) or without --ca-cert-file
You must specify --force to retrieve the CA cert using HTTP
root        : ERROR    Cannot obtain CA certificate
HTTP certificate download requires --force
Installation failed. Rolling back changes.
IPA client is not configured on this system.

Comment 4 Rob Crittenden 2013-06-30 17:48:35 UTC
This is because the 2.2 server does not store the certificate in LDAP and the 3.x server does.

Retrieving the CA over HTTP is insecure, hence the --force requirement.

Comment 5 Alexander Bokovoy 2013-07-01 08:58:48 UTC
3.0 specifically introduced storage in LDAP for the certificate to be able to fetch it securely. I think at most we may mention that difference in the documentation.
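Comments 4 and 5 make the security point behind the error in the transcripts: when the server cannot serve the CA certificate from LDAP, the only unattended fallback is an unauthenticated HTTP download, which is why ipa-client-install demands --force for it. The error message itself names the safer unattended alternatives (an OTP or --ca-cert-file). The following is an added example, not code from this bug report or from FreeIPA, showing how a provisioning script can pre-stage the CA certificate out of band, pin it by SHA-256, and hand it to ipa-client-install via --ca-cert-file instead of ever passing --force. The function name ipa_ca_args, the pinned digest and the sample certificate file are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the bug report or FreeIPA): choose how an
# unattended ipa-client-install run obtains the IPA CA certificate.
# Policy: use a CA cert that was delivered out of band and matches a
# pinned SHA-256 digest; never fall back to --force (HTTP download).

# ipa_ca_args CA_PATH EXPECTED_SHA256
# Prints the option to append to ipa-client-install on success.
# Returns 1 (with a reason on stderr) if the cert is missing or its
# digest does not match the pin, so the caller aborts enrollment.
ipa_ca_args() {
    ca="$1"
    want="$2"
    if [ ! -s "$ca" ]; then
        echo "CA cert $ca is missing: provision it out of band, do not use --force" >&2
        return 1
    fi
    # sha256sum from coreutils; the pin comes from the provisioning system.
    have=$(sha256sum "$ca" | cut -d' ' -f1)
    if [ "$have" != "$want" ]; then
        echo "CA cert $ca does not match the pinned digest, refusing to enroll" >&2
        return 1
    fi
    printf '%s\n' "--ca-cert-file=$ca"
}

# Demo with a constructed placeholder file standing in for /etc/ipa/ca.crt.
demo_ca=$(mktemp)
printf 'CONSTRUCTED PLACEHOLDER, NOT A REAL CERTIFICATE\n' > "$demo_ca"
demo_pin=$(sha256sum "$demo_ca" | cut -d' ' -f1)

# Matching pin: prints the option the enrollment command should use, e.g.
#   ipa-client-install --server=... --domain=... -U $(ipa_ca_args "$demo_ca" "$demo_pin")
ipa_ca_args "$demo_ca" "$demo_pin"

# Tampered or wrong cert: refused, enrollment must not proceed with --force.
ipa_ca_args "$demo_ca" "0000000000000000000000000000000000000000000000000000000000000000" \
    || echo "enrollment aborted (expected)"

rm -f "$demo_ca"
```

The digest pin plays the role the LDAP-stored certificate plays on a 3.0 server: it gives the unattended client a trust anchor it did not obtain over an unauthenticated channel. If the pin or the file is absent, the script fails closed rather than silently widening trust.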

Comment 6 Yi Zhang 2013-07-01 13:06:54 UTC
Already sent an email to the doc writer about this issue.

