Bug 985234 - ipa-client-install --uninstall starts nscd service
Summary: ipa-client-install --uninstall starts nscd service
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Martin Kosek
QA Contact: Namita Soman
URL:
Whiteboard:
Duplicates: 821945
Depends On:
Blocks:
Reported: 2013-07-17 06:59 UTC by David Spurek
Modified: 2015-03-05 10:09 UTC (History)

Fixed In Version: ipa-4.0.3-1.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-03-05 10:09:45 UTC
Target Upstream Version:


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:0442 normal SHIPPED_LIVE Moderate: ipa security, bug fix, and enhancement update 2015-03-05 14:50:39 UTC

Description David Spurek 2013-07-17 06:59:23 UTC
Description of problem:
ipa-client-install --uninstall starts nscd service, but it was stopped before uninstall.

This may cause a problem if the hostname is changed after uninstall, but nscd has cached some information and the user doesn't know that nscd is running now.

ipa-client-install is used with the realmd component; we are changing the hostname in realmd tests. Here is the scenario that causes problems:

change hostname
realm join
realm leave
restore hostname

The next run of this scenario fails (realm join doesn't work) if nscd is installed, because realm leave (ipa-client-install --uninstall) starts the nscd service and nobody knows that.

Version-Release number of selected component (if applicable):
ipa-client-3.2.1-1.el7

How reproducible:
always

Steps to Reproduce:
1. install nscd service
2. make sure that it is stopped
3. run ipa-client-install
4. run ipa-client-install --uninstall
5. check status of nscd service

Actual results:
nscd running

Expected results:
nscd is stopped

Additional info:
[test]service nscd status
Redirecting to /bin/systemctl status  nscd.service
nscd.service - Name Service Cache Daemon
   Loaded: loaded (/usr/lib/systemd/system/nscd.service; disabled)
   Active: inactive (dead) since Wed 2013-07-17 02:34:40 EDT; 44s ago
 Main PID: 6450 (code=exited, status=0/SUCCESS)
   CGroup: name=systemd:/system/nscd.service

Jul 17 02:32:00 client.ipa.baseos.qe systemd[1]: Starting Name Service Cache....
Jul 17 02:32:00 client.ipa.baseos.qe systemd[1]: Started Name Service Cache ....
Jul 17 02:32:00 client.ipa.baseos.qe nscd[6450]: 6450 cannot stat() file `/e...y
Jul 17 02:32:00 client.ipa.baseos.qe nscd[6450]: 6450 Access Vector Cache (A...d
Jul 17 02:34:40 client.security.baseos.qe systemd[1]: Stopping Name Service C...
Jul 17 02:34:40 client.security.baseos.qe systemd[1]: Stopped Name Service Ca...
Jul 17 02:35:07 client.ipa.baseos.qe systemd[1]: Stopped Name Service Cache ....
Jul 17 02:35:08 client.ipa.baseos.qe systemd[1]: Stopped Name Service Cache ....
[test]ipa-client-install --uninstall --unattended
Unenrolling client from IPA server
Removing Kerberos service principals from /etc/krb5.keytab
Disabling client Kerberos and LDAP configurations
Restoring client configuration files
nslcd daemon is not installed, skip configuration
Client uninstall complete.
[test]service nscd status
Redirecting to /bin/systemctl status  nscd.service
nscd.service - Name Service Cache Daemon
   Loaded: loaded (/usr/lib/systemd/system/nscd.service; enabled)
   Active: active (running) since Wed 2013-07-17 02:35:36 EDT; 3s ago
 Main PID: 9362 (nscd)
   CGroup: name=systemd:/system/nscd.service
           └─9362 /usr/sbin/nscd --foreground

Jul 17 02:35:36 client.ipa.baseos.qe systemd[1]: Started Name Service Cache ....
Jul 17 02:35:36 client.ipa.baseos.qe nscd[9362]: 9362 cannot stat() file `/e...y
Jul 17 02:35:36 client.ipa.baseos.qe nscd[9362]: 9362 Access Vector Cache (A...d

Comment 1 Martin Kosek 2013-07-17 07:44:51 UTC
In general, ipa-client-install/ipa-server-install try to leave the system in the way it was before IPA installation. So in general, if you temporarily stop a service, the uninstall process may start it if it was running before installation.

But in this case, this logic is not applied as nscd/nslcd is started unconditionally:

# service nscd status
Redirecting to /bin/systemctl status  nscd.service
nscd.service - Name Service Cache Daemon
	  Loaded: loaded (/usr/lib/systemd/system/nscd.service; disabled)
	  Active: inactive (dead)

# ipa-client-install
Discovery was successful!
Hostname: client.example.com
...
Client configuration complete.
# service nscd status
Redirecting to /bin/systemctl status  nscd.service
nscd.service - Name Service Cache Daemon
	  Loaded: loaded (/usr/lib/systemd/system/nscd.service; disabled)
	  Active: inactive (dead)

Jul 17 03:42:56 client.example.com systemd[1]: Stopped Name Service Cache Daemon.
Jul 17 03:42:57 client.example.com systemd[1]: Stopped Name Service Cache Daemon.

# ipa-client-install --uninstall --unattended
Unenrolling client from IPA server
Removing Kerberos service principals from /etc/krb5.keytab
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
Restoring client configuration files
nslcd daemon is not installed, skip configuration
Client uninstall complete.

# service nscd status
Redirecting to /bin/systemctl status  nscd.service
nscd.service - Name Service Cache Daemon
	  Loaded: loaded (/usr/lib/systemd/system/nscd.service; enabled)
	  Active: active (running) since Wed 2013-07-17 03:43:20 EDT; 3s ago
	Main PID: 30312 (nscd)
	  CGroup: name=systemd:/system/nscd.service
		  `-30312 /usr/sbin/nscd --foreground

Jul 17 03:43:20 client.example.com systemd[1]: Started Name Service Cache Daemon.
Jul 17 03:43:20 client.example.com nscd[30312]: 30312 cannot stat() file `/etc/netgroup': No such ...ory
Jul 17 03:43:20 client.example.com nscd[30312]: 30312 Access Vector Cache (AVC) started

I will open an upstream ticket.
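
Added example, not part of the original comment and not FreeIPA's code: a small Python model of the behaviour discussed in comment 1, contrasting an uninstall that starts nscd unconditionally with one that restores the recorded pre-install state. `FakeSystemd`, all function names, and the assumption that install stops and disables nscd are hypothetical.

```python
"""Model of install/uninstall service-state handling (hypothetical names throughout)."""

class FakeSystemd:
    """Constructed stand-in for systemctl: tracks running/enabled per unit."""
    def __init__(self, **units):
        self.units = {name: dict(state) for name, state in units.items()}

    def set(self, name, running, enabled):
        if name in self.units:  # units that are not installed are skipped
            self.units[name] = {"running": running, "enabled": enabled}

    def get(self, name):
        return self.units.get(name)


def install(systemd, saved, name="nscd"):
    """Record the pre-install state, then (assumed) stop and disable the daemon."""
    state = systemd.get(name)
    if state is not None:
        saved[name] = dict(state)
        systemd.set(name, running=False, enabled=False)


def uninstall_unconditional(systemd, saved, name="nscd"):
    """Behaviour reported in this bug: started and enabled regardless of history."""
    saved.pop(name, None)
    systemd.set(name, running=True, enabled=True)


def uninstall_restoring(systemd, saved, name="nscd"):
    """Restore exactly what install() recorded; do nothing if nothing was recorded."""
    state = saved.pop(name, None)
    if state is not None:
        systemd.set(name, **state)


def run_cycle(uninstall, running_before):
    """Install then uninstall; return (state before, state after) for nscd."""
    systemd = FakeSystemd(nscd={"running": running_before, "enabled": running_before})
    before = dict(systemd.get("nscd"))
    saved = {}
    install(systemd, saved)
    uninstall(systemd, saved)
    return before, systemd.get("nscd")


if __name__ == "__main__":
    for fn in (uninstall_unconditional, uninstall_restoring):
        for was_running in (False, True):
            before, after = run_cycle(fn, was_running)
            print(f"{fn.__name__:24} before={before} after={after} drift={before != after}")
```
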

Comment 2 Martin Kosek 2013-07-17 07:47:01 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/3790

Comment 3 David Spurek 2013-07-17 08:03:41 UTC
Yes, I understand that uninstall tries to leave the system in the way it was before IPA installation, but nscd wasn't running before realm join (ipa-client-install).
My case is similar to yours in comment #1.

Comment 5 Martin Kosek 2013-11-22 12:13:03 UTC
*** Bug 821945 has been marked as a duplicate of this bug. ***

Comment 6 Martin Kosek 2014-01-14 08:29:46 UTC
Fixed upstream:
master: https://fedorahosted.org/freeipa/changeset/367c1301857f475baa1ed58c06ca0379d42847d5

Comment 8 Xiyang Dong 2015-01-06 20:13:28 UTC
Verified on ipa-client-4.1.0-13.el7.x86_64

[root@qe-blade-05 ~]# systemctl status nscd
nscd.service - Name Service Cache Daemon
   Loaded: loaded (/usr/lib/systemd/system/nscd.service; disabled)
   Active: inactive (dead)

1月 05 13:49:26 qe-blade-05.testrelm.test systemd[1]: Stopped Name Service C...
1月 05 13:49:26 qe-blade-05.testrelm.test systemd[1]: Stopped Name Service C...
1月 05 13:49:29 qe-blade-05.testrelm.test systemd[1]: Stopped Name Service C...
1月 05 13:51:27 qe-blade-05.testrelm.test systemd[1]: Stopped Name Service C...
1月 05 13:51:27 qe-blade-05.testrelm.test systemd[1]: Stopped Name Service C...
1月 05 13:52:20 qe-blade-05.testrelm.test systemd[1]: Stopped Name Service C...
1月 05 13:52:21 qe-blade-05.testrelm.test systemd[1]: Stopped Name Service C...
1月 05 13:52:24 qe-blade-05.testrelm.test systemd[1]: Stopped Name Service C...
1月 06 15:03:43 qe-blade-05.testrelm.test systemd[1]: Stopped Name Service C...
1月 06 15:03:43 qe-blade-05.testrelm.test systemd[1]: Stopped Name Service C...
Hint: Some lines were ellipsized, use -l to show in full.
[root@qe-blade-05 ~]# ipa-client-install 
WARNING: ntpd time&date synchronization service will not be configured as
conflicting service (chronyd) is enabled
Use --force-ntpd option to disable it and force configuration of ntpd

Discovery was successful!
Hostname: qe-blade-05.testrelm.test
Realm: TESTRELM.TEST
DNS Domain: testrelm.test
IPA Server: hp-dl380pgen8-01.testrelm.test
BaseDN: dc=testrelm,dc=test

Continue to configure the system with these values? [no]: y
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
User authorized to enroll computers: admin
Password for admin@TESTRELM.TEST: 
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=TESTRELM.TEST
    Issuer:      CN=Certificate Authority,O=TESTRELM.TEST
    Valid From:  Sat Jan 03 16:14:07 2015 UTC
    Valid Until: Wed Jan 03 16:14:07 2035 UTC

Enrolled in IPA realm TESTRELM.TEST
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm TESTRELM.TEST
trying https://hp-dl380pgen8-01.testrelm.test/ipa/json
Forwarding 'ping' to json server 'https://hp-dl380pgen8-01.testrelm.test/ipa/json'
Forwarding 'ca_is_enabled' to json server 'https://hp-dl380pgen8-01.testrelm.test/ipa/json'
Systemwide CA database updated.
Added CA certificates to the default NSS database.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Forwarding 'host_mod' to json server 'https://hp-dl380pgen8-01.testrelm.test/ipa/json'
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring testrelm.test as NIS domain.
Client configuration complete.
[root@qe-blade-05 ~]# systemctl status nscd
nscd.service - Name Service Cache Daemon
   Loaded: loaded (/usr/lib/systemd/system/nscd.service; disabled)
   Active: inactive (dead)

1月 05 13:51:27 qe-blade-05.testrelm.test systemd[1]: Stopped Name Service Cache Daemon.
1月 05 13:51:27 qe-blade-05.testrelm.test systemd[1]: Stopped Name Service Cache Daemon.
1月 05 13:52:20 qe-blade-05.testrelm.test systemd[1]: Stopped Name Service Cache Daemon.
1月 05 13:52:21 qe-blade-05.testrelm.test systemd[1]: Stopped Name Service Cache Daemon.
1月 05 13:52:24 qe-blade-05.testrelm.test systemd[1]: Stopped Name Service Cache Daemon.
1月 06 15:03:43 qe-blade-05.testrelm.test systemd[1]: Stopped Name Service Cache Daemon.
1月 06 15:03:43 qe-blade-05.testrelm.test systemd[1]: Stopped Name Service Cache Daemon.
1月 06 15:04:38 qe-blade-05.testrelm.test systemd[1]: Stopped Name Service Cache Daemon.
1月 06 15:04:39 qe-blade-05.testrelm.test systemd[1]: Stopped Name Service Cache Daemon.
1月 06 15:04:41 qe-blade-05.testrelm.test systemd[1]: Stopped Name Service Cache Daemon.
[root@qe-blade-05 ~]# ipa-client-install --uninstall
Unenrolling client from IPA server
Removing Kerberos service principals from /etc/krb5.keytab
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
Restoring client configuration files
Unconfiguring the NIS domain.
nslcd daemon is not installed, skip configuration
Systemwide CA database updated.
Client uninstall complete.
The original nsswitch.conf configuration has been restored.
You may need to restart services or reboot the machine.
Do you want to reboot the machine? [no]: 
[root@qe-blade-05 ~]# systemctl status nscd
nscd.service - Name Service Cache Daemon
   Loaded: loaded (/usr/lib/systemd/system/nscd.service; disabled)
   Active: inactive (dead)

1月 05 13:52:20 qe-blade-05.testrelm.test systemd[1]: Stopped Name Service Cache Daemon.
1月 05 13:52:21 qe-blade-05.testrelm.test systemd[1]: Stopped Name Service Cache Daemon.
1月 05 13:52:24 qe-blade-05.testrelm.test systemd[1]: Stopped Name Service Cache Daemon.
1月 06 15:03:43 qe-blade-05.testrelm.test systemd[1]: Stopped Name Service Cache Daemon.
1月 06 15:03:43 qe-blade-05.testrelm.test systemd[1]: Stopped Name Service Cache Daemon.
1月 06 15:04:38 qe-blade-05.testrelm.test systemd[1]: Stopped Name Service Cache Daemon.
1月 06 15:04:39 qe-blade-05.testrelm.test systemd[1]: Stopped Name Service Cache Daemon.
1月 06 15:04:41 qe-blade-05.testrelm.test systemd[1]: Stopped Name Service Cache Daemon.
1月 06 15:04:54 qe-blade-05.testrelm.test systemd[1]: Stopped Name Service Cache Daemon.
1月 06 15:04:54 qe-blade-05.testrelm.test systemd[1]: Stopped Name Service Cache Daemon.

Comment 11 errata-xmlrpc 2015-03-05 10:09:45 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0442.html

