#3777 ipa-server may depend on openssh-clients package
Closed: Fixed None Opened 7 years ago by rcritten.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 6): Bug 983463

Description of problem:
When you try to install an ipa replica server, it tries to contact its ipa
master server with openssh-clients tools (like ssh)

Version-Release number of selected component (if applicable):
[root@itpvsldaps002 ~]# rpm -qa | grep ipa
ipa-admintools-3.0.0-26.el6_4.4.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
libipa_hbac-python-1.9.2-82.7.el6_4.x86_64
ipa-python-3.0.0-26.el6_4.4.x86_64
ipa-client-3.0.0-26.el6_4.4.x86_64
ipa-server-selinux-3.0.0-26.el6_4.4.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
libipa_hbac-1.9.2-82.7.el6_4.x86_64
python-iniparse-0.3.1-2.1.el6.noarch
ipa-server-3.0.0-26.el6_4.4.x86_64
[root@itpvsldaps002 ~]#


How reproducible:
1. Install ipa server master
2. Install a rhel host that will become the ipa replica with only @core packages
(without openssh-clients installed!)
3. Install ipa-server packages on the ipa replica host (but without launching
ipa-server-install)
4. Launch ipa-replica-prepare on ipa master
5. Transfer gpg with sftp client and not with scp client (because scp will fail
since the ipa replica server doesn't have the scp program!)
6. Launch ipa-replica-install on the ipa replica server and you get:

# ipa-replica-install --setup-ca -p foopw -w foopw /var/lib/ipa/replica-info-XXXXX.gpg
Run connection check to master
Check connection from replica to remote master 'YYYYYYY':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
   PKI-CA: Directory Service port (7389): OK

The following list of ports use UDP protocol and would need to be
checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED

Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
Execute check on remote master
Traceback (most recent call last):
  File "/usr/sbin/ipa-replica-conncheck", line 392, in <module>
    sys.exit(main())
  File "/usr/sbin/ipa-replica-conncheck", line 371, in main
    raiseonerr=False)
  File "/usr/lib/python2.6/site-packages/ipapython/ipautil.py", line 295, in run
    close_fds=True, env=env, cwd=cwd)
  File "/usr/lib64/python2.6/subprocess.py", line 639, in __init__
    errread, errwrite)
  File "/usr/lib64/python2.6/subprocess.py", line 1228, in _execute_child
    raise child_exception
OSError: [Errno 2] No such file or directory
Connection check failed!
Please fix your network settings according to error messages above.
If the check results are not valid it can be skipped with --skip-conncheck
parameter.

7. Install openssh-clients on ipa replica host
8. Re-Launch ipa-replica-install and all works fine!


Steps to Reproduce:
Same as above


Actual results:
No openssh-clients dependencies when installing ipa-server packages


Expected results:
openssh-clients dependencies when installing ipa-server packages

Additional info:

Nathaniel, as I said at this week's meeting, I do not think that this fixes the issue. ipa-replica-conncheck runs ssh to run the other part of the connection check, see ipareplica-conncheck.log:

2013-05-23T20:55:55Z DEBUG args=ssh -v -o StrictHostKeychecking=no -o UserKnownHostsFile=/tmp/tmpP71IcA admin@vm-037.idm.lab.bos.redhat.com echo OK

As ssh is not present, ssh of course cannot be called, thus this exception. I think we need to rather update ipa-replica-conncheck to check at the beginning to see if ssh is installed, if not, report "WARNING: cannot proceed with connection check due to missing ssh command" (or similar) and return.
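
A sketch of the pre-flight check proposed in the comment above, as an added example (not the submitted patch and not FreeIPA code). The function name `run_remote_check`, its `search_path` parameter and the status strings are hypothetical; the warning wording follows the comment.

```python
import errno
import shutil
import subprocess
import tempfile

# Wording suggested in the ticket comment; %s is the missing client binary.
MISSING = "WARNING: cannot proceed with connection check due to missing %s command"


def run_remote_check(argv, search_path=None):
    """Run the remote half of a connection check, e.g. ["ssh", host, "echo", "OK"].

    Returns (status, detail) with status "ok", "skipped" or "failed".
    search_path overrides PATH for the lookup (hypothetical, eases testing).
    """
    name = argv[0]
    # Pre-flight: resolve the client before spawning anything, so a missing
    # package is reported by name instead of surfacing as
    # "OSError: [Errno 2] No such file or directory" from subprocess.
    binary = shutil.which(name, path=search_path)
    if binary is None:
        return "skipped", MISSING % name

    try:
        proc = subprocess.run([binary] + list(argv[1:]),
                              stdout=subprocess.PIPE, stderr=subprocess.PIPE,
                              close_fds=True, timeout=30)
    except OSError as e:
        # The binary can still vanish between the lookup and the exec.
        if e.errno == errno.ENOENT:
            return "skipped", MISSING % name
        raise
    except subprocess.TimeoutExpired:
        return "failed", "remote check timed out"

    if proc.returncode != 0:
        return "failed", proc.stderr.decode(errors="replace").strip()
    return "ok", proc.stdout.decode(errors="replace").strip()


if __name__ == "__main__":
    # Constructed scenario: an empty directory stands in for a host that was
    # installed without openssh-clients; the host name is a placeholder.
    empty = tempfile.mkdtemp()
    print(run_remote_check(["ssh", "master.example.test", "echo", "OK"],
                           search_path=empty))
```

A "skipped" result lets the caller print the warning and return, rather than aborting with a traceback and the misleading "fix your network settings" message.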

Any update on this one?

Nathaniel, what is current status with this ticket?

Untested patch submitted to the list. Either someone can test it, or I will test it when I get back from Flock.

Moving all non-critical bugs to 3.3.x bug fixing bucket (FreeIPA 3.3 final was released).

Metadata Update from @rcritten:
- Issue assigned to npmccallum
- Issue set to the milestone: FreeIPA 3.3.x - 2013/08 (bug fixing)

4 years ago
