#7929 ERROR: invalid 'PKINIT enabled server': all masters must have IPA master role enabled
Closed: fixed 4 years ago by rcritten. Opened 4 years ago by rcritten.

Issue

If a replica installation fails before all the services have been enabled then it could leave things in a bad state.

The server-role code will try to enforce that all masters with a given service have that service as enabled.

We delay enablement until the successful end of installation so things are left in a non-working state.

This can be confirmed with: ipa config-show

This has been reported multiple times upstream but we never were able to gather enough information at the time:

https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/UEROPENXUV4IVNCU346GLU62Q7KWEJC3/

Hats off to Doub Ledford for tracking down the issue to ipaConfigString being set to configuredService rather than enabledService

Steps to Reproduce

  1. ipa-server-install <your-favorite-options, I don't think it matters>
  2. ldapmodify some service and set enabledService to configuredService
  3. ipa config-show will blow up with some error about all masters needing whatever service you broke

Ideas for fixing

Off the top of my head in no particular order.

  1. Ignore configuredService masters in servrole.py (this could lead to other issues perhaps but is probably the most correct way to deal with it).
  2. leave servrole the way it is, find out where the exception is thrown and catch it and allow a server-del to proceed

The reproducer works best with HTTP service. It didn't make a difference when I modified CA or KRA service. After I enabled debug mode, I got this traceback:

 ipa: DEBUG: WSGI wsgi_execute PublicError: Traceback (most recent call last):
   File "/usr/lib/python3.7/site-packages/ipaserver/rpcserver.py", line 370, in wsgi_execute
     result = command(*args, **options)
   File "/usr/lib/python3.7/site-packages/ipalib/frontend.py", line 450, in __call__
     return self.__do_call(*args, **options)
   File "/usr/lib/python3.7/site-packages/ipalib/frontend.py", line 478, in __do_call
     ret = self.run(*args, **options)
   File "/usr/lib/python3.7/site-packages/ipalib/frontend.py", line 800, in run
     return self.execute(*args, **options)
   File "/usr/lib/python3.7/site-packages/ipaserver/plugins/baseldap.py", line 1340, in execute
     self, ldap, entry_attrs.dn, entry_attrs, *keys, **options)
   File "/usr/lib/python3.7/site-packages/ipaserver/plugins/config.py", line 567, in post_callback
     entry_attrs, "CA server", "IPA master", **options)
   File "/usr/lib/python3.7/site-packages/ipaserver/plugins/config.py", line 306, in show_servroles_attributes
     self.update_entry_with_role_config(role, entry_attrs)
   File "/usr/lib/python3.7/site-packages/ipaserver/plugins/config.py", line 286, in update_entry_with_role_config
     role_config = backend.config_retrieve(role_name)
   File "/usr/lib/python3.7/site-packages/ipaserver/plugins/serverroles.py", line 143, in config_retrieve
     attr_value = attr.get(self.api)
   File "/usr/lib/python3.7/site-packages/ipaserver/servroles.py", line 289, in get
     {'role': self.associated_role.name})
 ipalib.errors.ValidationError: invalid 'PKINIT enabled server': all masters must have IPA master role enabled

I don't know why we have the check in the first place. It looks like a sanity check. I had to modify the _get_assoc_role_providers method for hidden replicas. We could consider configured services as valid services, too.

https://github.com/freeipa/freeipa/blob/713c9b0ce89ce9835b78c25d3c7b46bb0d71bd83/ipaserver/servroles.py#L346-L353
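To make the failure mode concrete, here is a small model of the check that the traceback above walks through, written for this ticket and not taken from FreeIPA's ipaserver/servroles.py. It keeps a constructed stand-in for the cn=masters subtree, computes the "IPA master" role providers once the way the code did before the fix (only enabledService counts) and once the way "Consider configured servers as valid" does (configuredService counts too), and runs the "PKINIT enabled server" sanity check against both. The host names, the component-service list (HTTP, KDC, KPASSWD) and every function name are assumptions made for the example.

```python
"""Model of the server-role check behind
"invalid 'PKINIT enabled server': all masters must have IPA master role enabled".

Added example for this ticket, not FreeIPA code: it mirrors the logic the
thread describes on constructed data. Host names, the component-service list
and all function names are assumptions.
"""

ENABLED = "enabledService"
CONFIGURED = "configuredService"

# Services a master must carry to count as an "IPA master" role provider.
# Assumption for this example; the real definition lives in servroles.py.
IPA_MASTER_SERVICES = ("HTTP", "KDC", "KPASSWD")


def build_masters():
    """Constructed stand-in for cn=masters,cn=ipa,cn=etc,$SUFFIX:
    fqdn -> service cn -> its ipaConfigString values (fresh copy per call)."""
    return {
        "ipa1.example.test": {
            "HTTP": [ENABLED],
            "KDC": [ENABLED, "pkinitEnabled"],
            "KPASSWD": [ENABLED],
        },
        # Replica whose install died before enablement: its services are
        # still configuredService, yet its KDC already advertises pkinitEnabled.
        "ipa2.example.test": {
            "HTTP": [CONFIGURED],
            "KDC": [CONFIGURED, "pkinitEnabled"],
            "KPASSWD": [CONFIGURED],
        },
    }


class RoleValidationError(ValueError):
    """Stands in for ipalib.errors.ValidationError."""


def role_providers(masters, component_services, accept_configured=False):
    """Masters on which every component service is in an accepted state.

    accept_configured=False is the pre-fix behaviour (only enabledService
    counts); True models the "Consider configured servers as valid" fix.
    """
    accepted = {ENABLED, CONFIGURED} if accept_configured else {ENABLED}
    return sorted(
        fqdn
        for fqdn, services in masters.items()
        if all(accepted & set(services.get(svc, ())) for svc in component_services)
    )


def server_attribute_get(masters, attr_name, service, marker,
                         role_name, component_services, accept_configured=False):
    """Masters carrying `marker` on `service`. Each of them must also provide
    the associated role, otherwise the sanity check fails just like the
    ServerAttribute.get() frame in the ticket's traceback."""
    providers = set(role_providers(masters, component_services, accept_configured))
    holders = sorted(
        fqdn for fqdn, services in masters.items()
        if marker in services.get(service, ())
    )
    if not set(holders) <= providers:
        raise RoleValidationError(
            f"invalid '{attr_name}': all masters must have {role_name} role enabled"
        )
    return holders


def enable_services(masters, fqdn):
    """Model of the workaround: flip every configuredService on one master to
    enabledService (the end state ipaserver.install.service.enable_services
    produces in LDAP)."""
    for values in masters[fqdn].values():
        for i, value in enumerate(values):
            if value == CONFIGURED:
                values[i] = ENABLED
    return masters


def pkinit_servers(masters, accept_configured=False):
    """The "PKINIT enabled server" attribute from the error message."""
    return server_attribute_get(
        masters, "PKINIT enabled server", "KDC", "pkinitEnabled",
        "IPA master", IPA_MASTER_SERVICES, accept_configured,
    )


if __name__ == "__main__":
    try:
        pkinit_servers(build_masters())  # pre-fix: config-show blows up here
    except RoleValidationError as err:
        print("before fix:", err)
    print("after fix:", pkinit_servers(build_masters(), accept_configured=True))
    repaired = enable_services(build_masters(), "ipa2.example.test")
    print("after workaround:", pkinit_servers(repaired))
```

Run as a script it prints the exception first, then the two-master list for both the fixed check and the workaround, which is the whole difference between options 1 and 2 from the "Ideas for fixing" list: option 1 changes what role_providers() accepts, the workaround changes the data instead.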

Metadata Update from @cheimes:
- Issue priority set to: critical (was: important)
- Issue set to the milestone: FreeIPA 4.6.6

4 years ago

Metadata Update from @cheimes:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/3093

4 years ago

master:

  • 3c98187 Consider configured servers as valid

ipa-4-7:

  • 7b63b88 Consider configured servers as valid

ipa-4-6:

  • 2f9793c Consider configured servers as valid

Metadata Update from @rcritten:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

4 years ago

A workaround to be able to remove the master causing the issue is to mark its services as enabled and then immediately delete it.

To mark the services as enabled run this python script:

from ipaserver.install import service
from ipalib import api

# Bootstrap the framework in server mode; the context name is arbitrary here.
api.bootstrap(in_server=True, context='fixme')
api.finalize()

# enable_services() writes through the LDAP backend, so connect it first.
api.Backend.ldap2.connect()

# Replace the placeholder with the FQDN of the master whose installation
# failed; this flips its configuredService entries under cn=masters to
# enabledService so server-del no longer trips the role check.
service.enable_services(u'master_that_failed_install')
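The workaround needs the FQDN of the failed master, and ipa config-show cannot tell you because it is the command that blows up. The following is an added example for this ticket, not FreeIPA code: it reads an LDIF dump of cn=masters (what `ldapsearch -LLL -Y GSSAPI -b cn=masters,cn=ipa,cn=etc,$SUFFIX '(ipaConfigString=configuredService)' ipaConfigString` returns when run with a bind that can read that subtree), lists every master service still marked configuredService, and emits the ldapmodify LDIF that produces the same end state as the enable_services() call above. The sample LDIF, host names and suffix are constructed; the parser deliberately handles folded continuation lines because ldapsearch wraps long DNs.

```python
"""Find masters whose services are still configuredService and build the
ldapmodify LDIF that flips them to enabledService.

Added example for this ticket, not FreeIPA code. Sample data, host names and
suffix are constructed.
"""
import re

# Constructed stand-in for the ldapsearch output on a domain where the
# replica install on ipa2 died before enablement. The KPASSWD DN is folded
# across two lines the way ldapsearch folds long values.
SAMPLE_LDIF = """\
dn: cn=HTTP,cn=ipa2.example.test,cn=masters,cn=ipa,cn=etc,dc=example,dc=test
ipaConfigString: configuredService

dn: cn=KDC,cn=ipa2.example.test,cn=masters,cn=ipa,cn=etc,dc=example,dc=test
ipaConfigString: configuredService
ipaConfigString: pkinitEnabled

dn: cn=KPASSWD,cn=ipa2.example.test,cn=masters,cn=ipa,cn=etc,dc=exampl
 e,dc=test
ipaConfigString: configuredService
"""

# cn=<service>,cn=<fqdn>,cn=masters,cn=ipa,cn=etc,<suffix>
SERVICE_DN = re.compile(
    r"^cn=(?P<service>[^,]+),cn=(?P<fqdn>[^,]+),cn=masters,cn=ipa,cn=etc,", re.I
)


def parse_ldif(text):
    """Minimal LDIF reader returning [(dn, {attr: [values]})].

    Joins folded lines (a continuation line starts with one space) and skips
    comments. Base64 ('::') values are not handled; these entries never use them.
    """
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = []
        for raw in block.splitlines():
            if raw.startswith(" ") and lines:
                lines[-1] += raw[1:]
            elif raw and not raw.startswith("#"):
                lines.append(raw)
        dn, attrs = None, {}
        for line in lines:
            name, _, value = line.partition(":")
            value = value.strip()
            if name.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        if dn:
            entries.append((dn, attrs))
    return entries


def configured_services(text):
    """(fqdn, service, dn) for every master service still configuredService."""
    found = []
    for dn, attrs in parse_ldif(text):
        if "configuredService" not in attrs.get("ipaConfigString", []):
            continue
        match = SERVICE_DN.match(dn)
        if match:
            found.append((match["fqdn"], match["service"], dn))
    return found


def enable_ldif(text, fqdn):
    """ldapmodify input that marks one master's services enabled: delete the
    configuredService value and add enabledService on each affected entry."""
    chunks = []
    for host, _service, dn in configured_services(text):
        if host != fqdn:
            continue
        chunks.append(
            f"dn: {dn}\nchangetype: modify\n"
            "delete: ipaConfigString\nipaConfigString: configuredService\n-\n"
            "add: ipaConfigString\nipaConfigString: enabledService\n-\n"
        )
    return "\n".join(chunks)


if __name__ == "__main__":
    for host, svc, _dn in configured_services(SAMPLE_LDIF):
        print(f"{host}: {svc} is still configuredService")
    print(enable_ldif(SAMPLE_LDIF, "ipa2.example.test"))
```

Feed the printed LDIF to `ldapmodify -Y GSSAPI` only on the master you are about to delete, then run the server-del immediately as the workaround says; on builds that carry 3c98187 / 7b63b88 / 2f9793c none of this is needed because the role check itself accepts configuredService.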

Metadata Update from @rcritten:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1712794

4 years ago

master:

  • b52d40b Test: To check ipa replica-manage del <FQDN> does not fail

ipa-4-8:

  • 184b60b Test: To check ipa replica-manage del <FQDN> does not fail
