Bug 1386539

Summary: cannot delete external host from a netgroup if a host with the same name exists.
Product: Red Hat Enterprise Linux 8
Component: ipa
Version: 8.0
Status: CLOSED UPSTREAM
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Keywords: Triaged
Reporter: German Parente <gparente>
Assignee: IPA Maintainers <ipa-maint>
QA Contact: Kaleem <ksiddiqu>
CC: hkhot, pasik, pvoborni, rcritten, rmj, tapazogl, tscherf
Doc Type: If docs needed, set a value
Last Closed: 2021-10-22 14:54:50 UTC
Type: Bug

Description German Parente 2016-10-19 08:38:38 UTC
Description of problem:

Hi, this is a very simple bug to reproduce and fix.

externalhost: A 

non fully qualified in a netgroup

ipa host-add A.DOMAIN

if I do: 

ipa netgroup-remove-member mynetgroup
[member host]: A

It will fail because, as it's finding the host under "cn=computers", the command line will try to remove the host instead of the externalhost attribute.

See the details below.


Version-Release number of selected component (if applicable): 

ipa-server-4.2.0-15.el7.x86_64



Steps to Reproduce:

[root@dell-r530-10 ~]# ipa netgroup-show mynetgroup --raw --all
  dn: ipaUniqueID=e4b744ec-95c8-11e6-a92f-1866da5af007,cn=ng,cn=alt,dc=testrelm,dc=test
  cn: mynetgroup
  nisdomainname: testrelm.test
  externalhost: mynode
  ipaUniqueID: e4b744ec-95c8-11e6-a92f-1866da5af007
  objectClass: ipaassociation
  objectClass: ipaobject
  objectClass: ipanisnetgroup


external host called mynode

+ host added with the same name:

ipa host-add mynode.testrealm.test --force
----------------------------------
Added host "mynode.testrealm.test"
----------------------------------
  Host name: mynode.testrealm.test
  Principal name: host/mynode.testrealm.test
  Password: False
  Keytab: False
  Managed by: mynode.testrealm.test


 ipa host-show mynode --raw --all
  dn: fqdn=mynode.testrealm.test,cn=computers,cn=accounts,dc=testrelm,dc=test
  fqdn: mynode.testrealm.test
  krbprincipalname: host/mynode.testrealm.test
  has_password: FALSE
  has_keytab: FALSE
  managedby: fqdn=mynode.testrealm.test,cn=computers,cn=accounts,dc=testrelm,dc=test
  cn: mynode.testrealm.test
  ipaUniqueID: 6fa5b3e4-95ca-11e6-9c7a-1866da5af007
  managing: fqdn=mynode.testrealm.test,cn=computers,cn=accounts,dc=testrelm,dc=test
  objectClass: ipaobject
  objectClass: ieee802device
  objectClass: nshost
  objectClass: ipaservice
  objectClass: pkiuser
  objectClass: ipahost
  objectClass: krbprincipal
  objectClass: krbprincipalaux
  objectClass: ipasshhost
  objectClass: top
  objectClass: ipaSshGroupOfPubKeys
  serverHostName: mynode
[root@dell-r530-10 ~]# 


Now, there's no way to delete the externalhost:


[root@dell-r530-10 ~]# ipa netgroup-remove-member mynetgroup
[member user]: 
[member group]: 
[member host]: mynode
[member host group]: 
[member netgroup]: 
  Netgroup name: mynetgroup
  NIS domain name: testrelm.test
  External host: mynode
  Failed hosts/hostgroups: 
    member host: mynode.testrealm.test: This entry is not a member
    member host group: 
---------------------------
Number of members removed 0
---------------------------

What we see is that the client application searches for an existing host called mynode:

[19/Oct/2016:12:47:44 +051800] conn=40 op=7 SRCH base="cn=computers,cn=accounts,dc=testrelm,dc=test" scope=2 filter="(&(&(objectClass=ipaobject)(objectClass=nshost)(objectClass=ipahost)(objectClass=pkiuser)(objectClass=ipaservice))(serverHostName=mynode))" attrs=""
[19/Oct/2016:12:47:44 +051800] conn=40 op=7 RESULT err=0 tag=101 nentries=1 etime=0

So, it will try to apply the MOD operation on a "host" attribute and not an externalhost and it will fail:

[19/Oct/2016:12:47:44 +051800] conn=40 op=10 MOD dn="ipaUniqueID=e4b744ec-95c8-11e6-a92f-1866da5af007,cn=ng,cn=alt,dc=testrelm,dc=test"
[19/Oct/2016:12:47:44 +051800] conn=40 op=10 RESULT err=16 tag=103 nentries=0 etime=0 csn=58071e19000200040000

err=16 ===> LDAP_NO_SUCH_ATTRIBUTE 


Workaround is very simple:

ldapmodify -D "cn=directory manager" -w Secret123
dn: ipaUniqueID=e4b744ec-95c8-11e6-a92f-1866da5af007,cn=ng,cn=alt,dc=testrelm,dc=test
changetype: modify
delete: externalhost
externalhost: mynode
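
Added example (not part of the original report, and not IPA code): a small Python check that finds this failure pattern in a 389-ds access log. The sample input is the four log lines quoted in the description. The function name and the heuristic, a serverHostName search under cn=computers that returns exactly one entry, followed on the same connection by a MOD of a netgroup entry that fails with err=16, are assumptions made for this illustration.

```python
import re

# Sample input: the four access-log lines quoted in the report above.
SAMPLE_LOG = """\
[19/Oct/2016:12:47:44 +051800] conn=40 op=7 SRCH base="cn=computers,cn=accounts,dc=testrelm,dc=test" scope=2 filter="(&(&(objectClass=ipaobject)(objectClass=nshost)(objectClass=ipahost)(objectClass=pkiuser)(objectClass=ipaservice))(serverHostName=mynode))" attrs=""
[19/Oct/2016:12:47:44 +051800] conn=40 op=7 RESULT err=0 tag=101 nentries=1 etime=0
[19/Oct/2016:12:47:44 +051800] conn=40 op=10 MOD dn="ipaUniqueID=e4b744ec-95c8-11e6-a92f-1866da5af007,cn=ng,cn=alt,dc=testrelm,dc=test"
[19/Oct/2016:12:47:44 +051800] conn=40 op=10 RESULT err=16 tag=103 nentries=0 etime=0 csn=58071e19000200040000
"""

LINE = re.compile(r"^\[[^\]]+\] conn=(\d+) op=(\d+) (\w+)(?: (.*))?$")
SHORT_HOST = re.compile(r"\(serverHostName=([^)]+)\)")

def find_shadowed_removals(log_text):
    """Return (conn, short_name, netgroup_dn) for each failed removal (hypothetical helper)."""
    ops = {}          # (conn, op) -> ("SRCH", short_name) or ("MOD", dn), awaiting RESULT
    resolved = {}     # conn -> short name that matched exactly one host entry
    findings = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        conn, op, verb, rest = m.group(1), m.group(2), m.group(3), m.group(4) or ""
        key = (conn, op)
        if verb == "SRCH" and 'base="cn=computers,' in rest:
            name = SHORT_HOST.search(rest)
            if name:
                ops[key] = ("SRCH", name.group(1))
        elif verb == "MOD":
            dn = re.search(r'dn="([^"]*)"', rest)
            if dn and ",cn=ng," in dn.group(1):   # netgroup container
                ops[key] = ("MOD", dn.group(1))
        elif verb == "RESULT" and key in ops:
            kind, value = ops.pop(key)
            fields = dict(f.split("=", 1) for f in rest.split() if "=" in f)
            if kind == "SRCH" and fields.get("err") == "0" and fields.get("nentries") == "1":
                resolved[conn] = value
            elif kind == "MOD" and fields.get("err") == "16" and conn in resolved:
                findings.append((int(conn), resolved[conn], value))
    return findings

if __name__ == "__main__":
    for conn, name, dn in find_shadowed_removals(SAMPLE_LOG):
        print(f"conn={conn}: '{name}' resolved to a host entry; MOD on {dn} failed with err=16")
```

Each finding names a netgroup whose externalhost value is likely shadowed by a host entry with the same short name.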

Comment 3 Petr Vobornik 2016-10-31 09:24:28 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/6440