Bug 1261586

Summary: ipa config-mod addattr fails for ipauserobjectclasses
Product: Red Hat Enterprise Linux 7
Reporter: Scott Poore <spoore>
Component: ipa
Assignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA
QA Contact: Namita Soman <nsoman>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 7.2
CC: dpal, jcholast, ksiddiqu, lmiksik, rcritten, tlavigne
Target Milestone: rc
Keywords: Regression
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: ipa-4.2.0-11.el7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-11-19 12:06:27 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Scott Poore 2015-09-09 17:51:31 UTC
Description of problem:

Failing to add attribute for ipaUserObjectClasses.

[root@master ~]# ipa config-mod --addattr="ipauserobjectclasses=sambasamaccount"
ipa: ERROR: invalid 'ipauserobjectclasses': user default attribute usercertificate;binary would not be allowed!

Version-Release number of selected component (if applicable):
It appears from test results that this may have started at 4.2.0-5
Seeing it now at ipa-server-4.2.0-8.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. Set up IPA Master
2. ipa config-mod --addattr="ipauserobjectclasses=sambasamaccount"


Actual results:
error above

Expected results:
no error.

Additional info:
[root@master ~]# ipa config-show --all --raw
  dn: cn=ipaConfig,cn=etc,dc=testrelm,dc=test
  ipamaxusernamelength: 32
  ipahomesrootdir: /home
  ipadefaultloginshell: /bin/sh
  ipadefaultprimarygroup: ipausers
  ipadefaultemaildomain: testrelm.test
  ipasearchtimelimit: 2
  ipasearchrecordslimit: 100
  ipausersearchfields: uid,givenname,sn,telephonenumber,ou,title
  ipagroupsearchfields: cn,description
  ipamigrationenabled: FALSE
  ipacertificatesubjectbase: O=TESTRELM.TEST
  ipapwdexpadvnotify: 4
  ipaconfigstring: AllowNThash
  ipaselinuxusermaporder: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
  ipaselinuxusermapdefault: unconfined_u:s0-s0:c0.c1023
  ipakrbauthzdata: MS-PAC
  ipakrbauthzdata: nfs:NONE
  aci: (targetattr = "cn || createtimestamp || entryusn || ipacertificatesubjectbase || ipaconfigstring || ipacustomfields || ipadefaultemaildomain || ipadefaultloginshell || ipadefaultprimarygroup || ipagroupobjectclasses || ipagroupsearchfields || ipahomesrootdir || ipakrbauthzdata || ipamaxusernamelength || ipamigrationenabled || ipapwdexpadvnotify || ipasearchrecordslimit || ipasearchtimelimit || ipaselinuxusermapdefault || ipaselinuxusermaporder || ipauserauthtype || ipauserobjectclasses || ipausersearchfields || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipaguiconfig)")(version 3.0;acl "permission:System: Read Global Configuration";allow (compare,read,search) userdn = "ldap:///all";)
  cn: ipaConfig
  ipaGroupObjectClasses: top
  ipaGroupObjectClasses: groupofnames
  ipaGroupObjectClasses: nestedgroup
  ipaGroupObjectClasses: ipausergroup
  ipaGroupObjectClasses: ipaobject
  ipaUserObjectClasses: top
  ipaUserObjectClasses: person
  ipaUserObjectClasses: organizationalperson
  ipaUserObjectClasses: inetorgperson
  ipaUserObjectClasses: inetuser
  ipaUserObjectClasses: posixaccount
  ipaUserObjectClasses: krbprincipalaux
  ipaUserObjectClasses: krbticketpolicyaux
  ipaUserObjectClasses: ipaobject
  ipaUserObjectClasses: ipasshuser
  objectClass: nsContainer
  objectClass: top
  objectClass: ipaGuiConfig
  objectClass: ipaConfigObject
  objectClass: ipaUserAuthTypeClass
[root@master ~]#

Comment 3 Petr Vobornik 2015-09-10 12:46:20 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5295

Comment 6 Scott Poore 2015-09-17 20:21:33 UTC
Verified.

Version ::

ipa-server-4.2.0-11.el7.x86_64

Results ::

[root@master ~]# ipa config-mod --addattr="ipauserobjectclasses=sambasamaccount"
  Maximum username length: 32
  Home directory base: /home
  Default shell: /bin/sh
  Default users group: ipausers
  Default e-mail domain: testrelm.test
  Search time limit: 2
  Search size limit: 100
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: FALSE
  Certificate Subject base: O=TESTRELM.TEST
  Default user objectclasses: ipaobject, person, top, ipasshuser, inetorgperson, sambasamaccount,
                              organizationalperson, krbticketpolicyaux, krbprincipalaux, inetuser,
                              posixaccount
  Password Expiration Notification (days): 4
  Password plugin features: AllowNThash
  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
  Default SELinux user: unconfined_u:s0-s0:c0.c1023
  Default PAC types: nfs:NONE, MS-PAC

[root@master ~]# ipa config-show --all --raw|grep -i samba
  ipaUserObjectClasses: sambasamaccount

Comment 7 errata-xmlrpc 2015-11-19 12:06:27 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2362.html