Bug #27218

closed

Foreman-proxy parses /etc/ipa/default.conf incorrectly which results in ERROR -- : Unknown realm my-realm-server.example.com even when all config files are OK

Added by Adam Ruzicka over 5 years ago. Updated over 5 years ago.

Status: Closed
Priority: Normal
Assignee: -
Category: -
Target version: -
Difficulty:
Triaged: No
Fixed in Releases:
Found in Releases:

Description

Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1726380

Description of problem:
Foreman-proxy parses the /etc/ipa/default.conf file incorrectly: it will consider any line containing the string 'realm' as a realm name definition. The last line in this file containing 'realm' will then be used as realm definition, most often resulting in this error on /var/log/foreman-proxy/proxy.log:

ERROR -- : Unknown realm EXAMPLE.COM

Example of an /etc/ipa/default.conf file that will trigger this error:
~~~
[global]
basedn = dc=example,dc=com
domain = example.com
server = realm.foo.example.com
host = sat64a.foo.example.com
xmlrpc_uri = https://realm.foo.example.com/ipa/xml
enable_ra = True
realm = EXAMPLE.COM
# nice comment: this used to be realm = MY.OLD.DOMAIN.ORG
~~~

This file above will result in foreman-proxy considering the realm name to be MY.OLD.DOMAIN.ORG.

This is a result of poor config file parsing -- not really parsing but fetching values with the help of regexes -- in /usr/share/foreman-proxy/modules/realm_freeipa/ipa_config_parser.rb:
~~~
38
39  def do_parse(io)
40    parsed_uri, realm_name = nil
41
42    io.readlines.each do |line|
43      if line =~ /xmlrpc_uri/
44        uri = line.split("=")[1].strip
45        parsed_uri = URI.parse(uri)
46        logger.debug "freeipa: uri is #{uri}"
47      elsif line =~ /realm/
48        realm_name = line.split("=")[1].strip
49        logger.debug "freeipa: realm #{realm_name}"
50      end
51    end
~~~

Lines 47 and 48 will regex-match any line containing the string 'realm', even if the matching string is one of these below:

thisisrealmagic =
not my realm =

Then, the realm name is extracted by getting the "right-hand" value of the same line.

An actual real-life example hitting this issue is when the IPA/IdM server name in /etc/ipa/default.conf contains the string realm, e.g.:
~~~
[global]
basedn = dc=demo1,dc=freeipa,dc=org
realm = DEMO1.FREEIPA.ORG
domain = demo1.freeipa.org
server = realm-server.demo1.freeipa.org
host = lucid-nonsense
xmlrpc_uri = https://ipa.demo1.freeipa.org/ipa/xml
enable_ra = True
~~~

Since the line with the `server` directive contains the string 'realm', it will match the regex and foreman-proxy will consider the right-hand side of this line as the realm name. Then /var/log/foreman-proxy/proxy.log would read the realm name twice:
~~~
DEBUG -- : freeipa: uri is https://ipa.demo1.freeipa.org/ipa/xml
DEBUG -- : freeipa: realm DEMO1.FREEIPA.ORG
DEBUG -- : freeipa: realm realm-server.demo1.freeipa.org
~~~

The latter one would overwrite the realm variable and would thus cause foreman-proxy to fail when adding a new host to the IPA/IdM domain, with:
~~~
ERROR -- : Unknown realm realm-server.demo1.freeipa.org
~~~

Version-Release number of selected component (if applicable):
All currently released Satellite versions as of today contain this bug, as well as the upstream smart-proxy at https://github.com/theforeman/smart-proxy/blob/develop/modules/realm_freeipa/ipa_config_parser.rb.

How reproducible:
Every time if /etc/ipa/default.conf meets the required criteria.

Steps to Reproduce:
1. Set up foreman-proxy to communicate with IPA/IdM server realm-server.example.com for realm purposes.
2. Create a new host and set it up as a realm member.

Actual results:
Foreman-proxy will fail to add the host to the realm, stating it does not know the realm-server.example.com realm.

Expected results:
Foreman-proxy would add the host to the realm as set up by the 'realm' directive in /etc/ipa/default.conf

Additional info:
Simply reordering lines in /etc/ipa/default.conf so the `realm =` line is at the bottom of the file allows one to work around the issue by forcing ipa_config_parser.rb to process the correct realm last.
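
The following Ruby sketch is an added example, not part of the original report and not the smart-proxy project's code. It runs the substring matching quoted above against a sample file constructed from the two default.conf examples in the report, next to a hypothetical stricter parser (`strict_parse`, an assumed name) that skips `#` and `;` comment lines, reads only the `[global]` section, and matches keys by exact name.

```ruby
# Added example; not code from smart-proxy. The sample config is constructed
# from the two default.conf examples in the report.
SAMPLE = <<~CONF
  [global]
  basedn = dc=demo1,dc=freeipa,dc=org
  realm = DEMO1.FREEIPA.ORG
  domain = demo1.freeipa.org
  server = realm-server.demo1.freeipa.org
  host = lucid-nonsense
  xmlrpc_uri = https://ipa.demo1.freeipa.org/ipa/xml
  enable_ra = True
  # nice comment: this used to be realm = MY.OLD.DOMAIN.ORG
CONF

# Mirrors the matching quoted in the report: any line containing "realm"
# (and not "xmlrpc_uri") overwrites the realm, so the last match wins.
def loose_realm(text)
  realm = nil
  text.each_line do |line|
    next if line =~ /xmlrpc_uri/
    realm = line.split("=")[1].strip if line =~ /realm/
  end
  realm
end

# Hypothetical stricter parser: skips comments, reads only [global],
# splits on the first "=" and stores values under their exact key name.
def strict_parse(text)
  section = nil
  settings = {}
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?("#", ";")
    if (m = line.match(/\A\[(.+)\]\z/))
      section = m[1]
      next
    end
    next unless section == "global"
    key, value = line.split("=", 2).map(&:strip)
    settings[key] = value unless value.nil?
  end
  settings
end

puts "loose:  #{loose_realm(SAMPLE)}"
puts "strict: #{strict_parse(SAMPLE)['realm']}"
```

Splitting on the first `=` only also keeps values such as `basedn` intact, which themselves contain `=`.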
