979197 – ipa-client-install : ambiguity in option --force

Bug 979197 - ipa-client-install : ambiguity in option --force

Summary: ipa-client-install : ambiguity in option --force

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	ipa
Sub Component:
Version:	6.4
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Martin Kosek
QA Contact:	Namita Soman
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2013-06-27 22:07 UTC by Yi Zhang
Modified:	2013-12-09 01:53 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2013-07-01 13:06:54 UTC
Target Upstream Version:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Yi Zhang 2013-06-27 22:07:16 UTC

Description of problem:
It appears to me that the option "--force" in ipa-client-install have different meaning when ipa host connect to ipa server ipa-server-2.2.0-16.el6.i686 & ipa-server-selinux-3.0.0-25.el6.i686

when try ipa-client-install against ipa-server 2.2 (release bits in rhel6.3), "--force" has to be used when (1) under "unattended" mode (2) no /etc/ipa/ca.crt file exist on ipa client host

If I try the same command on the same ipa client host, but against ipa-server 3.0 (release bit in rhel6.4), "--force" is not required. 

Please check the following output:

======= test one: rhel5.10 client --> rhel6.3 ipa server (ver 2.2) =====
[root@green (RH5.10-x86_64) install-client-cli] ipa-client-install --server=eggfruit.yzhang.redhat.com --domain=yzhang.redhat.com -p admin -w Secret123 --realm=YZHANG.REDHAT.COM -U
Hostname: green.yzhang.redhat.com
Realm: YZHANG.REDHAT.COM
DNS Domain: yzhang.redhat.com
IPA Server: eggfruit.yzhang.redhat.com
BaseDN: dc=yzhang,dc=redhat,dc=com


Synchronizing time with KDC...

root        : ERROR    In unattended mode without a One Time Password (OTP) or without --ca-cert-file
You must specify --force to retrieve the CA cert using HTTP
root        : ERROR    Cannot obtain CA certificate
HTTP certificate download requires --force
Installation failed. Rolling back changes.
IPA client is not configured on this system.

======= test two: rhel5.10 client --> rhel6.4 ipa server (ver 3.0) =====
[root@green (RH5.10-x86_64) install-client-cli] ipa-client-install --server=apple.yzhang.redhat.com --domain=yzhang.redhat.com -p admin -w Secret123 --realm=YZHANG.REDHAT.COM -U
Hostname: green.yzhang.redhat.com
Realm: YZHANG.REDHAT.COM
DNS Domain: yzhang.redhat.com
IPA Server: apple.yzhang.redhat.com
BaseDN: dc=yzhang,dc=redhat,dc=com


Synchronizing time with KDC...

Enrolled in IPA realm YZHANG.REDHAT.COM
Created /etc/ipa/default.conf
Unable to parse existing SSSD config. As option --preserve-sssd was not specified, new config will override the old one.
The old /etc/sssd/sssd.conf is backed up and will be restored during uninstall.
root        : ERROR    Unable to parse existing SSSD config and --preserve-sssd was not specified: [Errno 2] No such file or directory: '/etc/sssd/sssd.conf'
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm YZHANG.REDHAT.COM
SSSD enabled
NTP enabled
Client configuration complete.




Version-Release number of selected component (if applicable):
ipa-client-2.1.3-7.el5
ipa-server-2.2.0-16.el6.i686
ipa-server-3.0.0-25.el6.i686

How reproducible: always


Steps to Reproduce:
1.
2.
3.

Actual results: without use "--force", ipa-client-install would fail if ipa master is 2.2 version, and it would success if ipa server version is 3.0


Expected results: consistent behave regarding "--force" option. 


Additional info:
one all 3 version (rhel5.10, rhel6.3 & rhel6.4), ipa-client-install -h outputs same message for "--force":
-f, --force         force setting of LDAP/Kerberos conf

I don't expect this option is relate to ca.crt download.

Comment 2 Martin Kosek 2013-06-28 05:42:56 UTC

I do not think this has anything to do with --force option. I rather think that after your first test, /etc/ipa/ca.crt was created on the system, thus the second test with rhel6.4 ipa server succeeded - it did not need to download the cert, it already had it in /etc/ipa/ca.crt.

Yi, can you please confirm that this is the case? If yes, please close the bug as NOTABUG.

Comment 3 Yi Zhang 2013-06-28 15:37:44 UTC

Martin:
I still insist my finding. 
I redo the above test by removing /etc/ipa/ca.crt file first, I get same result

== test one: against rhel6.4 ipa master ====
[root@green (RH5.10-x86_64) install-client-cli] ls /etc/ipa/ca.crt 
/etc/ipa/ca.crt
[root@green (RH5.10-x86_64) install-client-cli] rm /etc/ipa/ca.crt 
rm: remove regular file `/etc/ipa/ca.crt'? yes
[root@green (RH5.10-x86_64) install-client-cli] ls -l /etc/ipa
total 0
[root@green (RH5.10-x86_64) install-client-cli] ipa-client-install --server=apple.yzhang.redhat.com --domain=yzhang.redhat.com -p admin -w Secret123 --realm=YZHANG.REDHAT.COM -U
Hostname: green.yzhang.redhat.com
Realm: YZHANG.REDHAT.COM
DNS Domain: yzhang.redhat.com
IPA Server: apple.yzhang.redhat.com
BaseDN: dc=yzhang,dc=redhat,dc=com


Synchronizing time with KDC...

Enrolled in IPA realm YZHANG.REDHAT.COM
Created /etc/ipa/default.conf
Domain yzhang.redhat.com is already configured in existing SSSD config, creating a new one.
The old /etc/sssd/sssd.conf is backed up and will be restored during uninstall.
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm YZHANG.REDHAT.COM
SSSD enabled
NTP enabled
Client configuration complete.
[root@green (RH5.10-x86_64) install-client-cli] ipa-client-install --uninstall -U
Unenrolling client from IPA server
Removing Kerberos service principals from /etc/krb5.keytab
Disabling client Kerberos and LDAP configurations
Restoring client configuration files

==== test two: against rhel6.3 ipa master on the same ipa client host ====
[root@green (RH5.10-x86_64) install-client-cli] ls /etc/ipa/ca.crt 
/etc/ipa/ca.crt
[root@green (RH5.10-x86_64) install-client-cli] rm /etc/ipa/ca.crt 
rm: remove regular file `/etc/ipa/ca.crt'? yes
[root@green (RH5.10-x86_64) install-client-cli] ls -l /etc/ipa
total 0
[root@green (RH5.10-x86_64) install-client-cli] ipa-client-install --server=eggfruit.yzhang.redhat.com --domain=yzhang.redhat.com -p admin -w Secret123 --realm=YZHANG.REDHAT.COM -U
Hostname: green.yzhang.redhat.com
Realm: YZHANG.REDHAT.COM
DNS Domain: yzhang.redhat.com
IPA Server: eggfruit.yzhang.redhat.com
BaseDN: dc=yzhang,dc=redhat,dc=com


Synchronizing time with KDC...

root        : ERROR    In unattended mode without a One Time Password (OTP) or without --ca-cert-file
You must specify --force to retrieve the CA cert using HTTP
root        : ERROR    Cannot obtain CA certificate
HTTP certificate download requires --force
Installation failed. Rolling back changes.
IPA client is not configured on this system.

Comment 4 Rob Crittenden 2013-06-30 17:48:35 UTC

This is because the 2.2 server does not store the certificate in LDAP and the 3.x server does.

Retrieving the CA over HTTP is insecure, hence the --force requirement.

Comment 5 Alexander Bokovoy 2013-07-01 08:58:48 UTC

3.0 specifically introduced storage in LDAP for the certificate to be able to fetch it securely. I think at most we may mention that difference in the documentation.

Comment 6 Yi Zhang 2013-07-01 13:06:54 UTC

already send email to doc writer about this issue.

Note You need to log in before you can comment on or make changes to this bug.