Bug 979197 - ipa-client-install : ambiguity in option --force
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.4
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: rc
Target Release: ---
Assigned To: Martin Kosek
QA Contact: Namita Soman
Reported: 2013-06-27 18:07 EDT by Yi Zhang
Modified: 2013-12-08 20:53 EST (History)

Doc Type: Bug Fix
Last Closed: 2013-07-01 09:06:54 EDT
Type: Bug
Description Yi Zhang 2013-06-27 18:07:16 EDT
Description of problem:
It appears to me that the option "--force" in ipa-client-install has a different meaning when the IPA host connects to ipa-server-2.2.0-16.el6.i686 than when it connects to ipa-server-selinux-3.0.0-25.el6.i686.

When trying ipa-client-install against ipa-server 2.2 (release bits in rhel6.3), "--force" has to be used when (1) running in "unattended" mode and (2) no /etc/ipa/ca.crt file exists on the IPA client host.

If I try the same command on the same IPA client host, but against ipa-server 3.0 (release bits in rhel6.4), "--force" is not required.

Please check the following output:

======= test one: rhel5.10 client --> rhel6.3 ipa server (ver 2.2) =====
[root@green (RH5.10-x86_64) install-client-cli] ipa-client-install --server=eggfruit.yzhang.redhat.com --domain=yzhang.redhat.com -p admin -w Secret123 --realm=YZHANG.REDHAT.COM -U
Hostname: green.yzhang.redhat.com
Realm: YZHANG.REDHAT.COM
DNS Domain: yzhang.redhat.com
IPA Server: eggfruit.yzhang.redhat.com
BaseDN: dc=yzhang,dc=redhat,dc=com


Synchronizing time with KDC...

root        : ERROR    In unattended mode without a One Time Password (OTP) or without --ca-cert-file
You must specify --force to retrieve the CA cert using HTTP
root        : ERROR    Cannot obtain CA certificate
HTTP certificate download requires --force
Installation failed. Rolling back changes.
IPA client is not configured on this system.

======= test two: rhel5.10 client --> rhel6.4 ipa server (ver 3.0) =====
[root@green (RH5.10-x86_64) install-client-cli] ipa-client-install --server=apple.yzhang.redhat.com --domain=yzhang.redhat.com -p admin -w Secret123 --realm=YZHANG.REDHAT.COM -U
Hostname: green.yzhang.redhat.com
Realm: YZHANG.REDHAT.COM
DNS Domain: yzhang.redhat.com
IPA Server: apple.yzhang.redhat.com
BaseDN: dc=yzhang,dc=redhat,dc=com


Synchronizing time with KDC...

Enrolled in IPA realm YZHANG.REDHAT.COM
Created /etc/ipa/default.conf
Unable to parse existing SSSD config. As option --preserve-sssd was not specified, new config will override the old one.
The old /etc/sssd/sssd.conf is backed up and will be restored during uninstall.
root        : ERROR    Unable to parse existing SSSD config and --preserve-sssd was not specified: [Errno 2] No such file or directory: '/etc/sssd/sssd.conf'
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm YZHANG.REDHAT.COM
SSSD enabled
NTP enabled
Client configuration complete.
Version-Release number of selected component (if applicable):
ipa-client-2.1.3-7.el5
ipa-server-2.2.0-16.el6.i686
ipa-server-3.0.0-25.el6.i686

How reproducible: always


Steps to Reproduce:
1.
2.
3.

Actual results: without using "--force", ipa-client-install fails if the IPA master is version 2.2, and it succeeds if the IPA server version is 3.0.


Expected results: consistent behaviour regarding the "--force" option.


Additional info:
On all 3 versions (rhel5.10, rhel6.3 & rhel6.4), ipa-client-install -h outputs the same message for "--force":
-f, --force         force setting of LDAP/Kerberos conf

I don't expect this option to be related to the ca.crt download.
Comment 2 Martin Kosek 2013-06-28 01:42:56 EDT
I do not think this has anything to do with --force option. I rather think that after your first test, /etc/ipa/ca.crt was created on the system, thus the second test with rhel6.4 ipa server succeeded - it did not need to download the cert, it already had it in /etc/ipa/ca.crt.

Yi, can you please confirm that this is the case? If yes, please close the bug as NOTABUG.
Comment 3 Yi Zhang 2013-06-28 11:37:44 EDT
Martin:
I still insist on my finding.
I redid the above test, removing the /etc/ipa/ca.crt file first, and I get the same result.

== test one: against rhel6.4 ipa master ====
[root@green (RH5.10-x86_64) install-client-cli] ls /etc/ipa/ca.crt 
/etc/ipa/ca.crt
[root@green (RH5.10-x86_64) install-client-cli] rm /etc/ipa/ca.crt 
rm: remove regular file `/etc/ipa/ca.crt'? yes
[root@green (RH5.10-x86_64) install-client-cli] ls -l /etc/ipa
total 0
[root@green (RH5.10-x86_64) install-client-cli] ipa-client-install --server=apple.yzhang.redhat.com --domain=yzhang.redhat.com -p admin -w Secret123 --realm=YZHANG.REDHAT.COM -U
Hostname: green.yzhang.redhat.com
Realm: YZHANG.REDHAT.COM
DNS Domain: yzhang.redhat.com
IPA Server: apple.yzhang.redhat.com
BaseDN: dc=yzhang,dc=redhat,dc=com


Synchronizing time with KDC...

Enrolled in IPA realm YZHANG.REDHAT.COM
Created /etc/ipa/default.conf
Domain yzhang.redhat.com is already configured in existing SSSD config, creating a new one.
The old /etc/sssd/sssd.conf is backed up and will be restored during uninstall.
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm YZHANG.REDHAT.COM
SSSD enabled
NTP enabled
Client configuration complete.
[root@green (RH5.10-x86_64) install-client-cli] ipa-client-install --uninstall -U
Unenrolling client from IPA server
Removing Kerberos service principals from /etc/krb5.keytab
Disabling client Kerberos and LDAP configurations
Restoring client configuration files

==== test two: against rhel6.3 ipa master on the same ipa client host ====
[root@green (RH5.10-x86_64) install-client-cli] ls /etc/ipa/ca.crt 
/etc/ipa/ca.crt
[root@green (RH5.10-x86_64) install-client-cli] rm /etc/ipa/ca.crt 
rm: remove regular file `/etc/ipa/ca.crt'? yes
[root@green (RH5.10-x86_64) install-client-cli] ls -l /etc/ipa
total 0
[root@green (RH5.10-x86_64) install-client-cli] ipa-client-install --server=eggfruit.yzhang.redhat.com --domain=yzhang.redhat.com -p admin -w Secret123 --realm=YZHANG.REDHAT.COM -U
Hostname: green.yzhang.redhat.com
Realm: YZHANG.REDHAT.COM
DNS Domain: yzhang.redhat.com
IPA Server: eggfruit.yzhang.redhat.com
BaseDN: dc=yzhang,dc=redhat,dc=com


Synchronizing time with KDC...

root        : ERROR    In unattended mode without a One Time Password (OTP) or without --ca-cert-file
You must specify --force to retrieve the CA cert using HTTP
root        : ERROR    Cannot obtain CA certificate
HTTP certificate download requires --force
Installation failed. Rolling back changes.
IPA client is not configured on this system.
Comment 4 Rob Crittenden 2013-06-30 13:48:35 EDT
This is because the 2.2 server does not store the certificate in LDAP and the 3.x server does.

Retrieving the CA over HTTP is insecure, hence the --force requirement.
Comment 5 Alexander Bokovoy 2013-07-01 04:58:48 EDT
3.0 specifically introduced storage in LDAP for the certificate to be able to fetch it securely. I think at most we may mention that difference in the documentation.
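The behaviour the thread converges on (an existing /etc/ipa/ca.crt is reused; otherwise a CA file supplied out of band or, against a 3.x server, the copy stored in LDAP is used; an HTTP download in unattended mode is accepted only with --force) can be written down as a small decision function. The block below is an added example and not code from ipa-client-install or the IPA project; the function names, argument order and the "prompt" outcome for interactive runs are assumptions. The second function shows the defender-side alternative the thread implies for a 2.2 server: stage the CA certificate from a trusted source, pin its SHA-256 digest, and then enrol with --ca-cert-file instead of --force.

```shell
#!/bin/sh
# Added example: models the CA-retrieval decision discussed in this bug.
# Not the ipa-client-install source; names and argument order are hypothetical.

# ca_source UNATTENDED HAVE_LOCAL_CA CA_CERT_FILE OTP CA_IN_LDAP FORCE
#   Flags are "1" or "0"; CA_CERT_FILE is a path or the empty string.
#   Prints one of: local, file, ldap, http, prompt, http-forced, refuse
#   Returns 1 only for "refuse" (the 2.2 failure shown in the report).
ca_source() {
    unattended=$1; have_local=$2; ca_file=$3; otp=$4; ca_in_ldap=$5; force=$6

    # 1. An existing /etc/ipa/ca.crt is used as-is (Comment 2).
    if [ "$have_local" = 1 ]; then echo local; return 0; fi
    # 2. A CA file supplied out of band is the safe unattended path.
    if [ -n "$ca_file" ]; then echo file; return 0; fi
    # 3. A 3.x server publishes the CA in LDAP, so no HTTP fetch is needed (Comments 4 and 5).
    if [ "$ca_in_ldap" = 1 ]; then echo ldap; return 0; fi
    # 4. The error text exempts OTP enrolment from the --force requirement.
    if [ "$otp" = 1 ]; then echo http; return 0; fi
    # 5. Interactive runs can ask the operator (assumed outcome "prompt").
    if [ "$unattended" = 0 ]; then echo prompt; return 0; fi
    # 6. Unattended, no OTP, no file: HTTP only with --force, otherwise refuse.
    if [ "$force" = 1 ]; then echo http-forced; return 0; fi
    echo refuse
    return 1
}

# stage_ca_cert SRC DEST EXPECTED_SHA256
#   Copies a CA certificate obtained through a trusted channel into DEST only
#   if its SHA-256 digest matches the pinned value; otherwise DEST is untouched.
#   Returns 0 on success, 1 on digest mismatch, 2 if the digest cannot be computed.
stage_ca_cert() {
    src=$1; dest=$2; expected=$3
    actual=$(sha256sum "$src" | cut -d' ' -f1) || return 2
    if [ "$actual" != "$expected" ]; then
        echo "fingerprint mismatch for $src: got $actual" >&2
        return 1
    fi
    cp "$src" "$dest"
}

# Demonstration matching the two unattended runs in the report: no local
# ca.crt, no OTP, no --ca-cert-file, no --force.
printf 'ipa-server 2.2 (CA not in LDAP): %s\n' "$(ca_source 1 0 "" 0 0 0)"
printf 'ipa-server 3.0 (CA in LDAP):     %s\n' "$(ca_source 1 0 "" 0 1 0)"

# Defender-side flow for a 2.2 server, with a constructed placeholder digest:
#   stage_ca_cert /path/from/trusted/channel/ca.crt /etc/ipa/ca.crt <PINNED_SHA256> \
#     && ipa-client-install --ca-cert-file=/etc/ipa/ca.crt -U ...
```

The point of the second function is that the digest comes from a channel you already trust (a configuration-management repository, a signed package, a value read off the server console), so the client never has to trust whatever a plain-HTTP response happens to contain.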
Comment 6 Yi Zhang 2013-07-01 09:06:54 EDT
Already sent an email to the doc writer about this issue.
