Bug 985234 - ipa-client-install --uninstall starts nscd service
Summary: ipa-client-install --uninstall starts nscd service
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Martin Kosek
QA Contact: Namita Soman
URL:
Whiteboard:
Duplicates: 821945
Depends On:
Blocks:
Reported: 2013-07-17 06:59 UTC by David Spurek
Modified: 2015-03-05 10:09 UTC

Fixed In Version: ipa-4.0.3-1.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-03-05 10:09:45 UTC
Target Upstream Version:
Embargoed:



Links
System: Red Hat Product Errata
ID: RHSA-2015:0442
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: Moderate: ipa security, bug fix, and enhancement update
Last Updated: 2015-03-05 14:50:39 UTC

Description David Spurek 2013-07-17 06:59:23 UTC
Description of problem:
ipa-client-install --uninstall starts the nscd service, but it was stopped before uninstall.

This may cause a problem if the hostname is changed after uninstall, but nscd has cached some information and the user doesn't know that nscd is running now.

ipa-client-install is used with the realmd component; we are changing the hostname in realmd tests. Here is the scenario that causes problems:

change hostname
realm join
realm leave
restore hostname

The next run of this scenario fails (realm join doesn't work) if nscd is installed, because realm leave (ipa-client-install --uninstall) starts the nscd service and nobody knows that.

Version-Release number of selected component (if applicable):
ipa-client-3.2.1-1.el7

How reproducible:
always

Steps to Reproduce:
1. install nscd service
2. make sure that it is stopped
3. run ipa-client-install
4. run ipa-client-install --uninstall
5. check status of nscd service

Actual results:
nscd running

Expected results:
nscd is stopped

Additional info:
[test]service nscd status
Redirecting to /bin/systemctl status  nscd.service
nscd.service - Name Service Cache Daemon
   Loaded: loaded (/usr/lib/systemd/system/nscd.service; disabled)
   Active: inactive (dead) since Wed 2013-07-17 02:34:40 EDT; 44s ago
 Main PID: 6450 (code=exited, status=0/SUCCESS)
   CGroup: name=systemd:/system/nscd.service

Jul 17 02:32:00 client.ipa.baseos.qe systemd[1]: Starting Name Service Cache....
Jul 17 02:32:00 client.ipa.baseos.qe systemd[1]: Started Name Service Cache ....
Jul 17 02:32:00 client.ipa.baseos.qe nscd[6450]: 6450 cannot stat() file `/e...y
Jul 17 02:32:00 client.ipa.baseos.qe nscd[6450]: 6450 Access Vector Cache (A...d
Jul 17 02:34:40 client.security.baseos.qe systemd[1]: Stopping Name Service C...
Jul 17 02:34:40 client.security.baseos.qe systemd[1]: Stopped Name Service Ca...
Jul 17 02:35:07 client.ipa.baseos.qe systemd[1]: Stopped Name Service Cache ....
Jul 17 02:35:08 client.ipa.baseos.qe systemd[1]: Stopped Name Service Cache ....
[test]ipa-client-install --uninstall --unattended
Unenrolling client from IPA server
Removing Kerberos service principals from /etc/krb5.keytab
Disabling client Kerberos and LDAP configurations
Restoring client configuration files
nslcd daemon is not installed, skip configuration
Client uninstall complete.
[test]service nscd status
Redirecting to /bin/systemctl status  nscd.service
nscd.service - Name Service Cache Daemon
   Loaded: loaded (/usr/lib/systemd/system/nscd.service; enabled)
   Active: active (running) since Wed 2013-07-17 02:35:36 EDT; 3s ago
 Main PID: 9362 (nscd)
   CGroup: name=systemd:/system/nscd.service
           └─9362 /usr/sbin/nscd --foreground

Jul 17 02:35:36 client.ipa.baseos.qe systemd[1]: Started Name Service Cache ....
Jul 17 02:35:36 client.ipa.baseos.qe nscd[9362]: 9362 cannot stat() file `/e...y
Jul 17 02:35:36 client.ipa.baseos.qe nscd[9362]: 9362 Access Vector Cache (A...d

Comment 1 Martin Kosek 2013-07-17 07:44:51 UTC
In general, ipa-client-install/ipa-server-install try to leave the system the way it was before IPA installation. So in general, if you temporarily stop a service, the uninstall process may start it if it was running before installation.

But in this case, this logic is not applied as nscd/nslcd is started unconditionally:

# service nscd status
Redirecting to /bin/systemctl status  nscd.service
nscd.service - Name Service Cache Daemon
	  Loaded: loaded (/usr/lib/systemd/system/nscd.service; disabled)
	  Active: inactive (dead)

# ipa-client-install
Discovery was successful!
Hostname: client.example.com
...
Client configuration complete.
# service nscd status
Redirecting to /bin/systemctl status  nscd.service
nscd.service - Name Service Cache Daemon
	  Loaded: loaded (/usr/lib/systemd/system/nscd.service; disabled)
	  Active: inactive (dead)

Jul 17 03:42:56 client.example.com systemd[1]: Stopped Name Service Cache Daemon.
Jul 17 03:42:57 client.example.com systemd[1]: Stopped Name Service Cache Daemon.

# ipa-client-install --uninstall --unattended
Unenrolling client from IPA server
Removing Kerberos service principals from /etc/krb5.keytab
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
Restoring client configuration files
nslcd daemon is not installed, skip configuration
Client uninstall complete.

# service nscd status
Redirecting to /bin/systemctl status  nscd.service
nscd.service - Name Service Cache Daemon
	  Loaded: loaded (/usr/lib/systemd/system/nscd.service; enabled)
	  Active: active (running) since Wed 2013-07-17 03:43:20 EDT; 3s ago
	Main PID: 30312 (nscd)
	  CGroup: name=systemd:/system/nscd.service
		  `-30312 /usr/sbin/nscd --foreground

Jul 17 03:43:20 client.example.com systemd[1]: Started Name Service Cache Daemon.
Jul 17 03:43:20 client.example.com nscd[30312]: 30312 cannot stat() file `/etc/netgroup': No such ...ory
Jul 17 03:43:20 client.example.com nscd[30312]: 30312 Access Vector Cache (AVC) started

I will open an upstream ticket.
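
The manual before/after `service nscd status` comparison from the steps to reproduce and from comment 1 can be scripted as a regression check. This is an added example, not part of the original report or of FreeIPA; the function names `snapshot_units` and `report_drift` and the `SYSTEMCTL` override variable are hypothetical.

```shell
#!/bin/bash
# Added example (not FreeIPA code): detect service-state drift across an
# ipa-client-install / ipa-client-install --uninstall cycle.
# SYSTEMCTL is an assumption of this sketch: it lets a stub replace systemctl.
SYSTEMCTL="${SYSTEMCTL:-systemctl}"

# Print "<unit> <enabled-state> <active-state>" for every unit named.
snapshot_units() {
    local unit enabled active
    for unit in "$@"; do
        # Both verbs exit non-zero for disabled/inactive units; only the
        # printed word matters, so the exit status is ignored.
        enabled=$("$SYSTEMCTL" is-enabled "$unit" 2>/dev/null) || true
        active=$("$SYSTEMCTL" is-active "$unit" 2>/dev/null) || true
        printf '%s %s %s\n' "$unit" "${enabled:-unknown}" "${active:-unknown}"
    done
}

# Compare two snapshots; print one DRIFT line per unit whose state changed.
# Returns 0 when the state is unchanged, 1 when any unit drifted.
report_drift() {
    local before="$1" after="$2" unit en act prev drift=0
    while read -r unit en act; do
        [ -n "$unit" ] || continue
        prev=$(printf '%s\n' "$before" | awk -v u="$unit" '$1 == u { print $2, $3 }')
        if [ "$prev" != "$en $act" ]; then
            printf 'DRIFT %s: %s -> %s\n' "$unit" "${prev:-absent}" "$en $act"
            drift=1
        fi
    done <<EOF
$after
EOF
    return "$drift"
}

# Typical use on a test client (commands as in the report above):
#   before=$(snapshot_units nscd nslcd)
#   ipa-client-install && ipa-client-install --uninstall --unattended
#   after=$(snapshot_units nscd nslcd)
#   report_drift "$before" "$after" || echo "uninstall changed service state"
```

On the affected build shown in this comment the check would report nscd going from disabled/inactive to enabled/active; a unit that is not installed is recorded as unknown, so it does not count as drift.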

Comment 2 Martin Kosek 2013-07-17 07:47:01 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/3790

Comment 3 David Spurek 2013-07-17 08:03:41 UTC
Yes, I understand that uninstall tries to leave the system the way it was before IPA installation, but nscd wasn't running before realm join (ipa-client-install).
My case is similar to yours in comment #1.

Comment 5 Martin Kosek 2013-11-22 12:13:03 UTC
*** Bug 821945 has been marked as a duplicate of this bug. ***

Comment 6 Martin Kosek 2014-01-14 08:29:46 UTC
Fixed upstream:
master: https://fedorahosted.org/freeipa/changeset/367c1301857f475baa1ed58c06ca0379d42847d5

Comment 8 Xiyang Dong 2015-01-06 20:13:28 UTC
Verified on ipa-client-4.1.0-13.el7.x86_64

[root@qe-blade-05 ~]# systemctl status nscd
nscd.service - Name Service Cache Daemon
   Loaded: loaded (/usr/lib/systemd/system/nscd.service; disabled)
   Active: inactive (dead)

1月 05 13:49:26 qe-blade-05.testrelm.test systemd[1]: Stopped Name Service C...
1月 05 13:49:26 qe-blade-05.testrelm.test systemd[1]: Stopped Name Service C...
1月 05 13:49:29 qe-blade-05.testrelm.test systemd[1]: Stopped Name Service C...
1月 05 13:51:27 qe-blade-05.testrelm.test systemd[1]: Stopped Name Service C...
1月 05 13:51:27 qe-blade-05.testrelm.test systemd[1]: Stopped Name Service C...
1月 05 13:52:20 qe-blade-05.testrelm.test systemd[1]: Stopped Name Service C...
1月 05 13:52:21 qe-blade-05.testrelm.test systemd[1]: Stopped Name Service C...
1月 05 13:52:24 qe-blade-05.testrelm.test systemd[1]: Stopped Name Service C...
1月 06 15:03:43 qe-blade-05.testrelm.test systemd[1]: Stopped Name Service C...
1月 06 15:03:43 qe-blade-05.testrelm.test systemd[1]: Stopped Name Service C...
Hint: Some lines were ellipsized, use -l to show in full.
[root@qe-blade-05 ~]# ipa-client-install 
WARNING: ntpd time&date synchronization service will not be configured as
conflicting service (chronyd) is enabled
Use --force-ntpd option to disable it and force configuration of ntpd

Discovery was successful!
Hostname: qe-blade-05.testrelm.test
Realm: TESTRELM.TEST
DNS Domain: testrelm.test
IPA Server: hp-dl380pgen8-01.testrelm.test
BaseDN: dc=testrelm,dc=test

Continue to configure the system with these values? [no]: y
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
User authorized to enroll computers: admin
Password for admin: 
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=TESTRELM.TEST
    Issuer:      CN=Certificate Authority,O=TESTRELM.TEST
    Valid From:  Sat Jan 03 16:14:07 2015 UTC
    Valid Until: Wed Jan 03 16:14:07 2035 UTC

Enrolled in IPA realm TESTRELM.TEST
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm TESTRELM.TEST
trying https://hp-dl380pgen8-01.testrelm.test/ipa/json
Forwarding 'ping' to json server 'https://hp-dl380pgen8-01.testrelm.test/ipa/json'
Forwarding 'ca_is_enabled' to json server 'https://hp-dl380pgen8-01.testrelm.test/ipa/json'
Systemwide CA database updated.
Added CA certificates to the default NSS database.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Forwarding 'host_mod' to json server 'https://hp-dl380pgen8-01.testrelm.test/ipa/json'
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring testrelm.test as NIS domain.
Client configuration complete.
[root@qe-blade-05 ~]# systemctl status nscd
nscd.service - Name Service Cache Daemon
   Loaded: loaded (/usr/lib/systemd/system/nscd.service; disabled)
   Active: inactive (dead)

1月 05 13:51:27 qe-blade-05.testrelm.test systemd[1]: Stopped Name Service Cache Daemon.
1月 05 13:51:27 qe-blade-05.testrelm.test systemd[1]: Stopped Name Service Cache Daemon.
1月 05 13:52:20 qe-blade-05.testrelm.test systemd[1]: Stopped Name Service Cache Daemon.
1月 05 13:52:21 qe-blade-05.testrelm.test systemd[1]: Stopped Name Service Cache Daemon.
1月 05 13:52:24 qe-blade-05.testrelm.test systemd[1]: Stopped Name Service Cache Daemon.
1月 06 15:03:43 qe-blade-05.testrelm.test systemd[1]: Stopped Name Service Cache Daemon.
1月 06 15:03:43 qe-blade-05.testrelm.test systemd[1]: Stopped Name Service Cache Daemon.
1月 06 15:04:38 qe-blade-05.testrelm.test systemd[1]: Stopped Name Service Cache Daemon.
1月 06 15:04:39 qe-blade-05.testrelm.test systemd[1]: Stopped Name Service Cache Daemon.
1月 06 15:04:41 qe-blade-05.testrelm.test systemd[1]: Stopped Name Service Cache Daemon.
[root@qe-blade-05 ~]# ipa-client-install --uninstall
Unenrolling client from IPA server
Removing Kerberos service principals from /etc/krb5.keytab
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
Restoring client configuration files
Unconfiguring the NIS domain.
nslcd daemon is not installed, skip configuration
Systemwide CA database updated.
Client uninstall complete.
The original nsswitch.conf configuration has been restored.
You may need to restart services or reboot the machine.
Do you want to reboot the machine? [no]: 
[root@qe-blade-05 ~]# systemctl status nscd
nscd.service - Name Service Cache Daemon
   Loaded: loaded (/usr/lib/systemd/system/nscd.service; disabled)
   Active: inactive (dead)

1月 05 13:52:20 qe-blade-05.testrelm.test systemd[1]: Stopped Name Service Cache Daemon.
1月 05 13:52:21 qe-blade-05.testrelm.test systemd[1]: Stopped Name Service Cache Daemon.
1月 05 13:52:24 qe-blade-05.testrelm.test systemd[1]: Stopped Name Service Cache Daemon.
1月 06 15:03:43 qe-blade-05.testrelm.test systemd[1]: Stopped Name Service Cache Daemon.
1月 06 15:03:43 qe-blade-05.testrelm.test systemd[1]: Stopped Name Service Cache Daemon.
1月 06 15:04:38 qe-blade-05.testrelm.test systemd[1]: Stopped Name Service Cache Daemon.
1月 06 15:04:39 qe-blade-05.testrelm.test systemd[1]: Stopped Name Service Cache Daemon.
1月 06 15:04:41 qe-blade-05.testrelm.test systemd[1]: Stopped Name Service Cache Daemon.
1月 06 15:04:54 qe-blade-05.testrelm.test systemd[1]: Stopped Name Service Cache Daemon.
1月 06 15:04:54 qe-blade-05.testrelm.test systemd[1]: Stopped Name Service Cache Daemon.

Comment 11 errata-xmlrpc 2015-03-05 10:09:45 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0442.html

