| Summary: | cannot delete external host from a netgroup if a host with the same name exists. | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | German Parente <gparente> |
| Component: | ipa | Assignee: | IPA Maintainers <ipa-maint> |
| Status: | CLOSED UPSTREAM | QA Contact: | Kaleem <ksiddiqu> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 8.0 | CC: | hkhot, pasik, pvoborni, rcritten, rmj, tapazogl, tscherf |
| Target Milestone: | rc | Keywords: | Triaged |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2021-10-22 14:54:50 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |

Upstream ticket: https://fedorahosted.org/freeipa/ticket/6440

Description of problem:

Hi,

this is a very simple bug to reproduce and fix.

    externalhost: A non fully qualified in a netgroup
    ipa host-add A.DOMAIN

If I do:

    ipa netgroup-remove-member mynetgroup
    [member host]: A

it will fail because, as it's finding the host under "cn=computers", the command line will try to remove the host instead of the externalhost attribute.

See the details below.

Version-Release number of selected component (if applicable):

ipa-server-4.2.0-15.el7.x86_64

Steps to Reproduce:

    [root@dell-r530-10 ~]# ipa netgroup-show mynetgroup --raw --all
    dn: ipaUniqueID=e4b744ec-95c8-11e6-a92f-1866da5af007,cn=ng,cn=alt,dc=testrelm,dc=test
    cn: mynetgroup
    nisdomainname: testrelm.test
    externalhost: mynode
    ipaUniqueID: e4b744ec-95c8-11e6-a92f-1866da5af007
    objectClass: ipaassociation
    objectClass: ipaobject
    objectClass: ipanisnetgroup

External host called mynode + host added with the same name:

    ipa host-add mynode.testrealm.test --force
    ----------------------------------
    Added host "mynode.testrealm.test"
    ----------------------------------
    Host name: mynode.testrealm.test
    Principal name: host/mynode.testrealm.test
    Password: False
    Keytab: False
    Managed by: mynode.testrealm.test

    ipa host-show mynode --raw --all
    dn: fqdn=mynode.testrealm.test,cn=computers,cn=accounts,dc=testrelm,dc=test
    fqdn: mynode.testrealm.test
    krbprincipalname: host/mynode.testrealm.test
    has_password: FALSE
    has_keytab: FALSE
    managedby: fqdn=mynode.testrealm.test,cn=computers,cn=accounts,dc=testrelm,dc=test
    cn: mynode.testrealm.test
    ipaUniqueID: 6fa5b3e4-95ca-11e6-9c7a-1866da5af007
    managing: fqdn=mynode.testrealm.test,cn=computers,cn=accounts,dc=testrelm,dc=test
    objectClass: ipaobject
    objectClass: ieee802device
    objectClass: nshost
    objectClass: ipaservice
    objectClass: pkiuser
    objectClass: ipahost
    objectClass: krbprincipal
    objectClass: krbprincipalaux
    objectClass: ipasshhost
    objectClass: top
    objectClass: ipaSshGroupOfPubKeys
    serverHostName: mynode
    [root@dell-r530-10 ~]#

Now, there's no way to delete the externalhost:

    [root@dell-r530-10 ~]# ipa netgroup-remove-member mynetgroup
    [member user]:
    [member group]:
    [member host]: mynode
    [member host group]:
    [member netgroup]:
    Netgroup name: mynetgroup
    NIS domain name: testrelm.test
    External host: mynode
    Failed hosts/hostgroups:
    member host: mynode.testrealm.test: This entry is not a member
    member host group:
    ---------------------------
    Number of members removed 0
    ---------------------------

What we see is that the client application searches if there's a host already called mynode:

    [19/Oct/2016:12:47:44 +051800] conn=40 op=7 SRCH base="cn=computers,cn=accounts,dc=testrelm,dc=test" scope=2 filter="(&(&(objectClass=ipaobject)(objectClass=nshost)(objectClass=ipahost)(objectClass=pkiuser)(objectClass=ipaservice))(serverHostName=mynode))" attrs=""
    [19/Oct/2016:12:47:44 +051800] conn=40 op=7 RESULT err=0 tag=101 nentries=1 etime=0

So, it will try to apply the MOD operation on a "host" attribute and not an externalhost and it will fail:

    [19/Oct/2016:12:47:44 +051800] conn=40 op=10 MOD dn="ipaUniqueID=e4b744ec-95c8-11e6-a92f-1866da5af007,cn=ng,cn=alt,dc=testrelm,dc=test"
    [19/Oct/2016:12:47:44 +051800] conn=40 op=10 RESULT err=16 tag=103 nentries=0 etime=0 csn=58071e19000200040000

    err=16 ===> LDAP_NO_SUCH_ATTRIBUTE

Workaround is very simple:

    ldapmodify -D "cn=directory manager" -w Secret123
    dn: ipaUniqueID=e4b744ec-95c8-11e6-a92f-1866da5af007,cn=ng,cn=alt,dc=testrelm,dc=test
    changetype: modify
    delete: externalhost
    externalhost: mynode
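
The SRCH/MOD correlation described in the report, as an added example that is not part of the original report and not FreeIPA code: it pairs each access-log request with its RESULT by conn/op and flags a MOD that failed with err=16 after a host lookup on the same connection returned an entry. The function names are hypothetical; the log lines are the ones quoted in the report.

```python
import re

# Access-log lines copied from the report above (389-ds access log format).
ACCESS_LOG = """\
[19/Oct/2016:12:47:44 +051800] conn=40 op=7 SRCH base="cn=computers,cn=accounts,dc=testrelm,dc=test" scope=2 filter="(&(&(objectClass=ipaobject)(objectClass=nshost)(objectClass=ipahost)(objectClass=pkiuser)(objectClass=ipaservice))(serverHostName=mynode))" attrs=""
[19/Oct/2016:12:47:44 +051800] conn=40 op=7 RESULT err=0 tag=101 nentries=1 etime=0
[19/Oct/2016:12:47:44 +051800] conn=40 op=10 MOD dn="ipaUniqueID=e4b744ec-95c8-11e6-a92f-1866da5af007,cn=ng,cn=alt,dc=testrelm,dc=test"
[19/Oct/2016:12:47:44 +051800] conn=40 op=10 RESULT err=16 tag=103 nentries=0 etime=0 csn=58071e19000200040000
"""

LINE = re.compile(r'^\[[^\]]+\] conn=(\d+) op=(\d+) (\w+)\s?(.*)$')
ERR = re.compile(r'\berr=(\d+)')
NENTRIES = re.compile(r'\bnentries=(\d+)')
LDAP_NO_SUCH_ATTRIBUTE = 16


def pair_operations(log_text):
    """Join each request line with its RESULT line, keyed by (conn, op)."""
    ops = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        conn, op, kind, rest = int(m[1]), int(m[2]), m[3], m[4]
        rec = ops.setdefault((conn, op), {})
        if kind == "RESULT":
            rec["err"] = int(ERR.search(rest)[1])
            rec["nentries"] = int(NENTRIES.search(rest)[1])
        else:
            rec["kind"], rec["request"] = kind, rest
    return ops


def find_shadowed_removals(log_text):
    """Return (conn, op, dn) for each MOD that failed with err=16 after a
    serverHostName search on the same connection matched an entry."""
    ops = pair_operations(log_text)
    hits = []
    for (conn, op), rec in sorted(ops.items()):
        if rec.get("kind") != "MOD" or rec.get("err") != LDAP_NO_SUCH_ATTRIBUTE:
            continue
        host_found = any(
            c == conn and o < op and r.get("kind") == "SRCH"
            and "serverHostName=" in r.get("request", "") and r.get("nentries", 0) > 0
            for (c, o), r in ops.items())
        if host_found:
            hits.append((conn, op, re.search(r'dn="([^"]*)"', rec["request"])[1]))
    return hits
```
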