<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">On 03.08.2016 20:21, Martin Basti
      wrote:<br>
    </div>
    <blockquote
      cite="mid:b2b2e4c2-0d9a-016c-caa9-e36a1e3eb078@redhat.com"
      type="cite">
      <div class="moz-cite-prefix">On 03.08.2016 19:18, Martin Basti
        wrote:<br>
      </div>
      <blockquote
        cite="mid:72042d4c-cd89-b30c-dc35-679360d96e0c@redhat.com"
        type="cite">
        <div class="moz-cite-prefix">On 02.08.2016 20:02, Christian
          Heimes wrote:<br>
        </div>
        <blockquote
          cite="mid:5159a7b0-7942-3a8b-ff16-94925488f303@redhat.com"
          type="cite">
          <pre wrap="">On 2016-07-19 17:03, Martin Basti wrote:
</pre>
          <blockquote type="cite">
            <pre wrap="">On 12.07.2016 16:45, Christian Heimes wrote:
</pre>
            <blockquote type="cite">
              <pre wrap="">Custodia's server.keys file contain the private RSA keys for encrypting
and signing Custodia messages. The file was created with permission 644
and is only secured by permission 700 of the directory
/etc/ipa/custodia. The installer and upgrader ensure that the file
has 600.

The server.keys file and all keys are now removed when during
uninstallation of a server, too.

<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://bugzilla.redhat.com/show_bug.cgi?id=1353936">https://bugzilla.redhat.com/show_bug.cgi?id=1353936</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://fedorahosted.org/freeipa/ticket/6015">https://fedorahosted.org/freeipa/ticket/6015</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://fedorahosted.org/freeipa/ticket/6056">https://fedorahosted.org/freeipa/ticket/6056</a>


</pre>
            </blockquote>
            <pre wrap="">NACK

ipa-server-install --uninstall doesn't work
</pre>
          </blockquote>
          <pre wrap="">I fixed it by splitting up uninstallation into two parts:

1) the server_del plugin takes care of the LDAP entries
2) CustodiaInstance.uninstall() removes the local key file

</pre>
        </blockquote>
        <br>
        Hello,<br>
        <br>
        1)<br>
        Is it expected that after removing the replica (ipa server-del
        vm-012.abc.idm.lab.eng.brq.redhat.com) I still have these entries in
        LDAP on the master (vm-058-107)?<br>
        <br>
        <pre wrap=""># sig/vm-012.abc.idm.lab.eng.brq.redhat.com, custodia, ipa, etc, abc.idm.lab.eng.brq.redhat.com
dn: cn=sig/vm-012.abc.idm.lab.eng.brq.redhat.com,cn=custodia,cn=ipa,cn=etc,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
objectClass: nsContainer
objectClass: ipaKeyPolicy
objectClass: ipaPublicKeyObject
objectClass: groupOfPrincipals
objectClass: top
cn: sig/vm-012.abc.idm.lab.eng.brq.redhat.com
ipaKeyUsage: digitalSignature
memberPrincipal: host/vm-012.abc.idm.lab.eng.brq.redhat.com@ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
ipaPublicKey:: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqV4NGWu8224ar3IdwlD
 cOpNBjcQKY0gznMuAjlikHKxnpfzmGCf/GYxfealet64ek3RE3oLmYhITqX3NkLKw51KhuwGcEw31
 hBa6YB/6uzx3tr/ruO++vk+U7Myz4eFzp7+Zryjk7ohVb3w/XhBcVbC+d9qyKGzM0OUaQgGOjy7eq
 3tiI+VugfyawvAvItCwyo56R8fO1jS1uKA+NDz5ltIymE9sySpVWfTMhCDUEjy9iEMiPixtiyVbHd
 g8A80H7W4fe7mTcqkKPD6sfYr2QwKh4pF7wU+RHfXsoXIu5gYNPgxdsHd/1p914EQ9U6RYTFsSEzk
 DR8V2H1rJ0AiVPQIDAQAB

# enc/vm-012.abc.idm.lab.eng.brq.redhat.com, custodia, ipa, etc, abc.idm.lab.eng.brq.redhat.com
dn: cn=enc/vm-012.abc.idm.lab.eng.brq.redhat.com,cn=custodia,cn=ipa,cn=etc,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
objectClass: nsContainer
objectClass: ipaKeyPolicy
objectClass: ipaPublicKeyObject
objectClass: groupOfPrincipals
objectClass: top
cn: enc/vm-012.abc.idm.lab.eng.brq.redhat.com
ipaKeyUsage: dataEncipherment
memberPrincipal: host/vm-012.abc.idm.lab.eng.brq.redhat.com@ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
ipaPublicKey:: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5vdu9LLl7Pa+cN+ivNO
 eOon1BOI3bbBzYAu8+l1ch8iepKJrom4O5yYT7qhz5aYgq4Pd2kuxuvcuf3OlGTizuKlqRELbVnG0
 ogWN/YAqPExS6L2hEHcyIZTiOQk19jT/ynEqayjH/OM499aE1H3vc7FD30Cy9wBQNUzYuY8pWpaWd
 Jj8nbvEKLX7JYPSx5/3Bqx+tqK5ApAGutJ6lF3+9acuG6ADVwUY3hAqXcqu4Oy463LKIhdatqMv2r
 j0FEFHJYPG2GTOIhFF8jee2Q7iidgPNdfbvKCYbnAkXtT73hxJWTckoupGHpUo+5b/wl8pI1Lxhyz
 TIp7oPmFWMG/q1QIDAQAB
</pre>
        <br>
        I also see them on the replica (which was removed from the
        topology).<br>
        I did not find any errors in the http log.<br>
        <br>
        2)<br>
        I tried hard, but I cannot see relation between <a
          moz-do-not-send="true" class="moz-txt-link-freetext"
          href="https://fedorahosted.org/freeipa/ticket/6015">https://fedorahosted.org/freeipa/ticket/6015</a>
        and <a moz-do-not-send="true" class="moz-txt-link-freetext"
          href="https://fedorahosted.org/freeipa/ticket/6056">https://fedorahosted.org/freeipa/ticket/6056</a><br>
        IMO it should be separated into two patches, to make backports and
        patching easier and to make life easier in the future with git
        blame.<br>
        <br>
        There should not be a BZ in the commit, only upstream tickets.<br>
        <br>
        3)<br>
        IMO it should be 'Removing', not 'Remove'. I'm not a native
        speaker, but it looks more consistent with the rest of the log
        entries:<br>
        <br>
        INFO Remove Custodia keys<br>
        <br>
        4)<br>
        The same for<br>
        root_logger.info("Secure server.keys mode"); IMHO it should be
        'Securing'.<br>
        <br>
        5)<br>
        What is the purpose of remove_server_keys() in KEM.py? I see it
        used only in manual testing. Can it be reused in server.py? It
        looks like duplicated code to me, but correct me if I'm wrong.<br>
        <br>
        Martin^2<br>
        <br>
        <br>
        <br>
        <br>
        <br>
      </blockquote>
      <br>
      I received this when I tried to uninstall an already uninstalled
      replica (calling ipa-replica-install -U --uninstall twice):<br>
      <br>
      <pre wrap="">2016-08-03T17:45:13Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2016-08-03T17:45:13Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2016-08-03T17:45:13Z INFO Remove Custodia keys
2016-08-03T17:45:13Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 91, in _handle_exception
    super(Continuous, self)._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 446, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 362, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 359, in &lt;lambda&gt;
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 71, in _uninstall
    for nothing in self._uninstaller(self.parent):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 1375, in main
    uninstall(self)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 266, in decorated
    func(installer)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 1076, in uninstall
    custodiainstance.CustodiaInstance().uninstall()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", line 88, in uninstall
    self.__remove_keys()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", line 72, in __remove_keys
    keystore = IPAKEMKeys({'server_keys': self.server_keys})
  File "/usr/lib/python2.7/site-packages/ipapython/secrets/kem.py", line 193, in __init__
    self.host = conf.get('global', 'host')
  File "/usr/lib64/python2.7/ConfigParser.py", line 607, in get
    raise NoSectionError(section)
NoSectionError: No section: 'global'
</pre>
      <br>
      <br>
      <br>
    </blockquote>
    <br>
    Please unfollow this thread; separate patches were sent in new
    threads.<br>
    Martin^2<br>
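    <br>
    <p>The three mechanics this thread turns on, as an added, runnable Python
    example that is not code from the thread or from FreeIPA: a private key
    file that must be mode 0600 inside a 0700 directory (and is still exposed
    on its own at 0644 even when the directory hides it), an upgrader that
    fixes the modes of an existing file, and an uninstall step that must not
    fail on a second run because the configuration it would read is already
    gone (the NoSectionError above comes from reading the [global] host before
    touching the file). Everything concrete here is constructed: the temporary
    directory, the custodia.conf contents, the hostname and the placeholder key
    bytes; create_keys_file, secure_keys_file, remove_server_keys and demo are
    hypothetical helper names, not FreeIPA's API.</p>

```python
"""Added example (not FreeIPA code): create, harden and idempotently remove a
private key file such as Custodia's server.keys.  All paths and data below are
constructed in a temporary directory."""
import os
import stat
import tempfile
from configparser import ConfigParser

KEY_MODE = 0o600   # owner read/write only
DIR_MODE = 0o700   # owner-only directory, as /etc/ipa/custodia is meant to be


def file_mode(path):
    """Permission bits of path as an int, e.g. 0o644."""
    return stat.S_IMODE(os.stat(path).st_mode)


def is_exposed(path):
    """True if group or other hold any permission bit on the file itself.
    A 0700 parent directory hides a 0644 file from other local users, but the
    file alone is still wrong: loosening the directory later, or a backup that
    preserves file modes only, hands the private key to every local account."""
    return (file_mode(path) & 0o077) != 0


def create_keys_file(path, data):
    """Fresh-install path: pass the mode to os.open so the file never exists
    with a permissive default.  O_EXCL refuses to reuse a pre-planted file or
    symlink.  The process umask can only clear bits, so the result is 0600 or
    narrower.  Returns the resulting mode."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, KEY_MODE)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return file_mode(path)


def secure_keys_file(path):
    """Upgrader path for a file that already exists: chmod the directory to
    0700 and the file to 0600.  Returns (dir_mode, file_mode) afterwards."""
    directory = os.path.dirname(path)
    os.chmod(directory, DIR_MODE)
    os.chmod(path, KEY_MODE)
    return file_mode(directory), file_mode(path)


def remove_server_keys(conf_path, keys_path):
    """Idempotent uninstall step.  Deleting the local key file must not depend
    on configuration an earlier uninstall already removed, so the [global]
    host is read with a fallback instead of being required.
    Returns (status, host) with status in {'removed', 'absent', 'unconfigured'}."""
    conf = ConfigParser()
    conf.read(conf_path)                     # a missing file yields an empty parser
    host = conf.get("global", "host", fallback=None)
    if os.path.exists(keys_path):
        os.remove(keys_path)
        return "removed", host
    return ("absent" if host is not None else "unconfigured"), host


def demo():
    """Walk through the scenario from the thread in a temp dir and return the
    observations as a dict so they can be checked."""
    with tempfile.TemporaryDirectory() as tmp:
        custodia_dir = os.path.join(tmp, "custodia")
        os.mkdir(custodia_dir)               # default mode, i.e. not yet 0700
        keys = os.path.join(custodia_dir, "server.keys")
        conf = os.path.join(tmp, "custodia.conf")
        with open(conf, "w") as fh:          # constructed sample config
            fh.write("[global]\nhost = server.example.test\n")

        # 1. reproduce the reported state: key file left at 0644
        with open(keys, "wb") as fh:
            fh.write(b"placeholder key material (constructed, not a real key)")
        os.chmod(keys, 0o644)
        exposed_before = is_exposed(keys)

        # 2. upgrader fixes directory and file modes in place
        dir_mode, key_mode = secure_keys_file(keys)
        exposed_after = is_exposed(keys)

        # 3. uninstall twice; the second run finds config and keys gone
        first_status, first_host = remove_server_keys(conf, keys)
        os.remove(conf)
        second_status, second_host = remove_server_keys(conf, keys)

        # 4. fresh install creates the file with the right mode from the start
        created_mode = create_keys_file(keys, b"placeholder (constructed)")

        return {
            "exposed_before": exposed_before, "exposed_after": exposed_after,
            "dir_mode": dir_mode, "key_mode": key_mode,
            "first": (first_status, first_host),
            "second": (second_status, second_host),
            "created_mode": created_mode,
        }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, oct(value) if isinstance(value, int) else value)
```

    <p>Run it as a script to see the before/after modes; the point of step 3
    is that the second uninstall returns 'unconfigured' rather than raising,
    which is the behaviour a repeated <code>--uninstall</code> needs.</p>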
  </body>
</html>