Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 1515374 - Custodia keys are not removed on uninstall
Summary: Custodia keys are not removed on uninstall
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.4
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: IPA Maintainers
QA Contact: ipa-qe
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-11-20 17:19 UTC by Florence Blanc-Renaud
Modified: 2018-10-30 10:58 UTC (History)
6 users (show)

Fixed In Version: ipa-4.6.4-1.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-10-30 10:57:10 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2018:3187 None None None 2018-10-30 10:58:17 UTC

Description Florence Blanc-Renaud 2017-11-20 17:19:40 UTC
This bug is created as a clone of upstream ticket:
https://pagure.io/freeipa/issue/7253

The Custodia files custodia.conf  and server.keys are not removed from /etc/ipa/custodia when IPA is uninstalled.

There are per-master keys that are not removed on uninstall (Custodia currently uses the simple uninstall method).

Comment 1 Florence Blanc-Renaud 2018-02-20 08:42:04 UTC
Fixed upstream

master:
    8700101 Remove Custodia keys on uninstall

ipa-4-6:
    fef419b Remove Custodia keys on uninstall

Comment 5 Nikhil Dehadrai 2018-07-18 13:16:27 UTC
Version: 
ipa-server-4.6.4-2.el7.x86_64
custodia-0.3.1-4.el7.noarch

Verified the bug on the basis of below observations:
Verified that custodia files at '/etc/ipa/custodia' are removed from the location when ipa-server is uninstalled.

Console:
------------
[root@auto-hv-01-guest01 ~]# rpm -q ipa-server custodia
ipa-server-4.6.4-2.el7.x86_64
custodia-0.3.1-4.el7.noarch

[root@auto-hv-01-guest01 ~]# ls -l /etc/ipa/custodia
total 8
-rw-r--r--. 1 root root  638 Jul 18 05:51 custodia.conf
-rw-------. 1 root root 3377 Jul 18 05:51 server.keys

[root@auto-hv-01-guest01 ~]# ipa-server-install --uninstall -U
Updating DNS system records
ipaserver.dns_data_management: ERROR    unable to resolve host name auto-hv-01-guest01.testrelm.test. to IP address, ipa-ca DNS record will be incomplete
-----------------------------------------------------
Deleted IPA server "auto-hv-01-guest01.testrelm.test"
-----------------------------------------------------
Shutting down all IPA services
Unconfiguring ntpd
Configuring certmonger to stop tracking system certificates for KRA
Configuring certmonger to stop tracking system certificates for CA
Unconfiguring CA
Unconfiguring named
Unconfiguring ipa-dnskeysyncd
Unconfiguring web server
Unconfiguring krb5kdc
Unconfiguring kadmin
Unconfiguring directory server
Unconfiguring ipa-custodia
Unconfiguring ipa-otpd
Removing IPA client configuration
Removing Kerberos service principals from /etc/krb5.keytab
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
Restoring client configuration files
Unconfiguring the NIS domain.
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Systemwide CA database updated.
Client uninstall complete.
The ipa-client-install command was successful


[root@auto-hv-01-guest01 ~]# ls -l /etc/ipa/custodia
total 0

Thus on the basis of above observations and comment#4, marking the status of bug to 'VERIFIED'.

Comment 7 errata-xmlrpc 2018-10-30 10:57:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3187


Note You need to log in before you can comment on or make changes to this bug.