Red Hat Bugzilla – Bug 985234
ipa-client-install --uninstall starts nscd service
Last modified: 2015-03-05 05:09:45 EST
Description of problem:
ipa-client-install --uninstall starts the nscd service, but it was stopped before uninstall. This may cause a problem if the hostname is changed after uninstall, but nscd has cached some information and the user doesn't know that nscd is running now. ipa-client-install is used with the realmd component; we are changing the hostname in realmd tests.

Here is the scenario that causes problems:
  change hostname
  realm join
  realm leave
  restore hostname

The next run of this scenario fails (realm join doesn't work) if nscd is installed, because realm leave (ipa-client-install --uninstall) starts the nscd service and nobody knows that.

Version-Release number of selected component (if applicable):
ipa-client-3.2.1-1.el7

How reproducible:
always

Steps to Reproduce:
1. install nscd service
2. make sure that it is stopped
3. run ipa-client-install
4. run ipa-client-install --uninstall
5. check status of nscd service

Actual results:
nscd running

Expected results:
nscd is stopped

Additional info:
[test]service nscd status
Redirecting to /bin/systemctl status nscd.service
nscd.service - Name Service Cache Daemon
   Loaded: loaded (/usr/lib/systemd/system/nscd.service; disabled)
   Active: inactive (dead) since Wed 2013-07-17 02:34:40 EDT; 44s ago
 Main PID: 6450 (code=exited, status=0/SUCCESS)
   CGroup: name=systemd:/system/nscd.service

Jul 17 02:32:00 client.ipa.baseos.qe systemd[1]: Starting Name Service Cache....
Jul 17 02:32:00 client.ipa.baseos.qe systemd[1]: Started Name Service Cache ....
Jul 17 02:32:00 client.ipa.baseos.qe nscd[6450]: 6450 cannot stat() file `/e...y
Jul 17 02:32:00 client.ipa.baseos.qe nscd[6450]: 6450 Access Vector Cache (A...d
Jul 17 02:34:40 client.security.baseos.qe systemd[1]: Stopping Name Service C...
Jul 17 02:34:40 client.security.baseos.qe systemd[1]: Stopped Name Service Ca...
Jul 17 02:35:07 client.ipa.baseos.qe systemd[1]: Stopped Name Service Cache ....
Jul 17 02:35:08 client.ipa.baseos.qe systemd[1]: Stopped Name Service Cache ....

[test]ipa-client-install --uninstall --unattended
Unenrolling client from IPA server
Removing Kerberos service principals from /etc/krb5.keytab
Disabling client Kerberos and LDAP configurations
Restoring client configuration files
nslcd daemon is not installed, skip configuration
Client uninstall complete.

[test]service nscd status
Redirecting to /bin/systemctl status nscd.service
nscd.service - Name Service Cache Daemon
   Loaded: loaded (/usr/lib/systemd/system/nscd.service; enabled)
   Active: active (running) since Wed 2013-07-17 02:35:36 EDT; 3s ago
 Main PID: 9362 (nscd)
   CGroup: name=systemd:/system/nscd.service
           └─9362 /usr/sbin/nscd --foreground

Jul 17 02:35:36 client.ipa.baseos.qe systemd[1]: Started Name Service Cache ....
Jul 17 02:35:36 client.ipa.baseos.qe nscd[9362]: 9362 cannot stat() file `/e...y
Jul 17 02:35:36 client.ipa.baseos.qe nscd[9362]: 9362 Access Vector Cache (A...d
In general, ipa-client-install/ipa-server-install try to leave the system in the way it was before IPA installation. So in general, if you temporarily stop a service, the uninstall process may start it if it was running before installation.

But in this case, this logic is not applied, as nscd/nslcd is started unconditionally:

# service nscd status
Redirecting to /bin/systemctl status nscd.service
nscd.service - Name Service Cache Daemon
   Loaded: loaded (/usr/lib/systemd/system/nscd.service; disabled)
   Active: inactive (dead)

# ipa-client-install
Discovery was successful!
Hostname: client.example.com
...
Client configuration complete.

# service nscd status
Redirecting to /bin/systemctl status nscd.service
nscd.service - Name Service Cache Daemon
   Loaded: loaded (/usr/lib/systemd/system/nscd.service; disabled)
   Active: inactive (dead)

Jul 17 03:42:56 client.example.com systemd[1]: Stopped Name Service Cache Daemon.
Jul 17 03:42:57 client.example.com systemd[1]: Stopped Name Service Cache Daemon.

# ipa-client-install --uninstall --unattended
Unenrolling client from IPA server
Removing Kerberos service principals from /etc/krb5.keytab
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
Restoring client configuration files
nslcd daemon is not installed, skip configuration
Client uninstall complete.

# service nscd status
Redirecting to /bin/systemctl status nscd.service
nscd.service - Name Service Cache Daemon
   Loaded: loaded (/usr/lib/systemd/system/nscd.service; enabled)
   Active: active (running) since Wed 2013-07-17 03:43:20 EDT; 3s ago
 Main PID: 30312 (nscd)
   CGroup: name=systemd:/system/nscd.service
           `-30312 /usr/sbin/nscd --foreground

Jul 17 03:43:20 client.example.com systemd[1]: Started Name Service Cache Daemon.
Jul 17 03:43:20 client.example.com nscd[30312]: 30312 cannot stat() file `/etc/netgroup': No such ...ory
Jul 17 03:43:20 client.example.com nscd[30312]: 30312 Access Vector Cache (AVC) started

I will open an upstream ticket.
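The rule described in the comment above (restore a service to its recorded pre-install state) next to the unconditional start reported in this bug, as an added example that is not part of the bug report and is not FreeIPA's code. The service manager is a constructed in-memory stand-in for systemctl, and all class and function names are hypothetical.

```python
# Added illustration, not FreeIPA code. Every name below is hypothetical.

class FakeServiceManager:
    """Constructed in-memory stand-in for systemctl so the example runs offline."""
    def __init__(self, units):
        self.units = {name: dict(state) for name, state in units.items()}

    def snapshot(self, name):
        state = self.units.get(name)  # None means the unit is not installed
        return dict(state) if state is not None else None

    def apply(self, name, running, enabled):
        if name in self.units:
            self.units[name] = {"running": running, "enabled": enabled}

class StateStore:
    """Remembers what a service looked like before the installer touched it."""
    def __init__(self):
        self._saved = {}

    def backup(self, mgr, name):
        # Keep only the first snapshot so a repeated install cannot
        # overwrite the true pre-install state.
        state = mgr.snapshot(name)
        if state is not None and name not in self._saved:
            self._saved[name] = state

    def restore(self, mgr, name):
        saved = self._saved.pop(name, None)
        if saved is None:
            return False  # nothing recorded: leave the service untouched
        mgr.apply(name, saved["running"], saved["enabled"])
        return True

def uninstall_unconditional(mgr, store, name="nscd"):
    # Behaviour reported in this bug: started and enabled whatever the history.
    mgr.apply(name, running=True, enabled=True)

def uninstall_restoring(mgr, store, name="nscd"):
    # The general rule from the comment: put back the recorded state.
    return store.restore(mgr, name)

def run_case(before, uninstall):
    """Install, admin stops the service, uninstall; return the final state."""
    mgr, store = FakeServiceManager({"nscd": before}), StateStore()
    store.backup(mgr, "nscd")                       # install step records state
    mgr.apply("nscd", False, before["enabled"])     # temporary stop by the admin
    uninstall(mgr, store)
    return mgr.snapshot("nscd")
```

Calling `run_case` with a stopped, disabled nscd and each uninstall function shows the difference: the unconditional path leaves the daemon running and enabled, the restoring path leaves it as it was found.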
Upstream ticket: https://fedorahosted.org/freeipa/ticket/3790
Yes, I understand that uninstall tries to leave the system in the way it was before IPA installation, but nscd wasn't running before realm join (ipa-client-install). My case is similar to yours in comment #1.
*** Bug 821945 has been marked as a duplicate of this bug. ***
Fixed upstream: master: https://fedorahosted.org/freeipa/changeset/367c1301857f475baa1ed58c06ca0379d42847d5
Verified on ipa-client-4.1.0-13.el7.x86_64

[root@qe-blade-05 ~]# systemctl status nscd
nscd.service - Name Service Cache Daemon
   Loaded: loaded (/usr/lib/systemd/system/nscd.service; disabled)
   Active: inactive (dead)

1月 05 13:49:26 qe-blade-05.testrelm.test systemd[1]: Stopped Name Service C...
1月 05 13:49:26 qe-blade-05.testrelm.test systemd[1]: Stopped Name Service C...
1月 05 13:49:29 qe-blade-05.testrelm.test systemd[1]: Stopped Name Service C...
1月 05 13:51:27 qe-blade-05.testrelm.test systemd[1]: Stopped Name Service C...
1月 05 13:51:27 qe-blade-05.testrelm.test systemd[1]: Stopped Name Service C...
1月 05 13:52:20 qe-blade-05.testrelm.test systemd[1]: Stopped Name Service C...
1月 05 13:52:21 qe-blade-05.testrelm.test systemd[1]: Stopped Name Service C...
1月 05 13:52:24 qe-blade-05.testrelm.test systemd[1]: Stopped Name Service C...
1月 06 15:03:43 qe-blade-05.testrelm.test systemd[1]: Stopped Name Service C...
1月 06 15:03:43 qe-blade-05.testrelm.test systemd[1]: Stopped Name Service C...
Hint: Some lines were ellipsized, use -l to show in full.

[root@qe-blade-05 ~]# ipa-client-install
WARNING: ntpd time&date synchronization service will not be configured as
conflicting service (chronyd) is enabled
Use --force-ntpd option to disable it and force configuration of ntpd

Discovery was successful!
Hostname: qe-blade-05.testrelm.test
Realm: TESTRELM.TEST
DNS Domain: testrelm.test
IPA Server: hp-dl380pgen8-01.testrelm.test
BaseDN: dc=testrelm,dc=test

Continue to configure the system with these values? [no]: y
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
User authorized to enroll computers: admin
Password for admin@TESTRELM.TEST:
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=TESTRELM.TEST
    Issuer:      CN=Certificate Authority,O=TESTRELM.TEST
    Valid From:  Sat Jan 03 16:14:07 2015 UTC
    Valid Until: Wed Jan 03 16:14:07 2035 UTC

Enrolled in IPA realm TESTRELM.TEST
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm TESTRELM.TEST
trying https://hp-dl380pgen8-01.testrelm.test/ipa/json
Forwarding 'ping' to json server 'https://hp-dl380pgen8-01.testrelm.test/ipa/json'
Forwarding 'ca_is_enabled' to json server 'https://hp-dl380pgen8-01.testrelm.test/ipa/json'
Systemwide CA database updated.
Added CA certificates to the default NSS database.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Forwarding 'host_mod' to json server 'https://hp-dl380pgen8-01.testrelm.test/ipa/json'
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring testrelm.test as NIS domain.
Client configuration complete.

[root@qe-blade-05 ~]# systemctl status nscd
nscd.service - Name Service Cache Daemon
   Loaded: loaded (/usr/lib/systemd/system/nscd.service; disabled)
   Active: inactive (dead)

1月 05 13:51:27 qe-blade-05.testrelm.test systemd[1]: Stopped Name Service Cache Daemon.
1月 05 13:51:27 qe-blade-05.testrelm.test systemd[1]: Stopped Name Service Cache Daemon.
1月 05 13:52:20 qe-blade-05.testrelm.test systemd[1]: Stopped Name Service Cache Daemon.
1月 05 13:52:21 qe-blade-05.testrelm.test systemd[1]: Stopped Name Service Cache Daemon.
1月 05 13:52:24 qe-blade-05.testrelm.test systemd[1]: Stopped Name Service Cache Daemon.
1月 06 15:03:43 qe-blade-05.testrelm.test systemd[1]: Stopped Name Service Cache Daemon.
1月 06 15:03:43 qe-blade-05.testrelm.test systemd[1]: Stopped Name Service Cache Daemon.
1月 06 15:04:38 qe-blade-05.testrelm.test systemd[1]: Stopped Name Service Cache Daemon.
1月 06 15:04:39 qe-blade-05.testrelm.test systemd[1]: Stopped Name Service Cache Daemon.
1月 06 15:04:41 qe-blade-05.testrelm.test systemd[1]: Stopped Name Service Cache Daemon.

[root@qe-blade-05 ~]# ipa-client-install --uninstall
Unenrolling client from IPA server
Removing Kerberos service principals from /etc/krb5.keytab
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
Restoring client configuration files
Unconfiguring the NIS domain.
nslcd daemon is not installed, skip configuration
Systemwide CA database updated.
Client uninstall complete.
The original nsswitch.conf configuration has been restored.
You may need to restart services or reboot the machine.
Do you want to reboot the machine? [no]:

[root@qe-blade-05 ~]# systemctl status nscd
nscd.service - Name Service Cache Daemon
   Loaded: loaded (/usr/lib/systemd/system/nscd.service; disabled)
   Active: inactive (dead)

1月 05 13:52:20 qe-blade-05.testrelm.test systemd[1]: Stopped Name Service Cache Daemon.
1月 05 13:52:21 qe-blade-05.testrelm.test systemd[1]: Stopped Name Service Cache Daemon.
1月 05 13:52:24 qe-blade-05.testrelm.test systemd[1]: Stopped Name Service Cache Daemon.
1月 06 15:03:43 qe-blade-05.testrelm.test systemd[1]: Stopped Name Service Cache Daemon.
1月 06 15:03:43 qe-blade-05.testrelm.test systemd[1]: Stopped Name Service Cache Daemon.
1月 06 15:04:38 qe-blade-05.testrelm.test systemd[1]: Stopped Name Service Cache Daemon.
1月 06 15:04:39 qe-blade-05.testrelm.test systemd[1]: Stopped Name Service Cache Daemon.
1月 06 15:04:41 qe-blade-05.testrelm.test systemd[1]: Stopped Name Service Cache Daemon.
1月 06 15:04:54 qe-blade-05.testrelm.test systemd[1]: Stopped Name Service Cache Daemon.
1月 06 15:04:54 qe-blade-05.testrelm.test systemd[1]: Stopped Name Service Cache Daemon.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2015-0442.html