Bug 1390757

Summary: automember-rebuild crashes
Product: Red Hat Enterprise Linux 7
Reporter: Amy Farley <afarley>
Component: ipa
Assignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA
QA Contact: Kaleem <ksiddiqu>
Severity: high
Docs Contact: Marc Muehlfeld <mmuehlfe>
Priority: high
Version: 7.2
CC: amore, cpelland, cww, frenaud, gparente, ipa-maint, msauton, pasik, pcech, pvoborni, rcritten, tscherf, twoerner
Target Milestone: rc
Keywords: ZStream
Target Release: ---
Hardware: All
OS: All
Whiteboard:
Fixed In Version: ipa-4.6.5-1.el7
Doc Type: Enhancement
Doc Text:
A command to detect and remove orphaned automember rules has been added to IdM

Automember rules in Identity Management (IdM) can refer to a hostgroup or a group that has been deleted. Previously, the `ipa automember-rebuild` command failed unexpectedly and it was difficult to diagnose the reason for the failure. This enhancement adds `ipa automember-find-orphans` to IdM to identify and remove such orphaned automember rules.
Story Points: ---
Clone Of:
: 1638373 1659499
Environment:
Last Closed: 2019-08-06 13:09:02 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1298243, 1638373, 1647919, 1659499

Comment 1 Amy Farley 2016-11-01 20:32:42 UTC
# ipa automember-rebuild --type=hostgroup
ipa: ERROR: Automember rebuild task aborted.  Error (-1): Task DN = 'cn=5167237e-a0ec-424d-b987-ba4108b84d1b,cn=automember rebuild membership,cn=tasks,cn=config'

# rpm -qa | grep -i ipa-server
ipa-server-4.2.0-15.el7_2.6.x86_64
ipa-server-dns-4.2.0-15.el7_2.6.x86_64

errors:

[26/Oct/2016:18:03:18 +0000] get_dom_sid - [file ipa_sidgen_common.c, line 75]: Internal search failed.
[26/Oct/2016:18:03:18 +0000] auto-membership-plugin - automember_add_member_value: Unable to add "fqdn=sugar-app1....s,dc=net" as a "member" value to group "cn=hg-sugar-dev-qa-servers,cn=hostgroups,cn=accounts,dc=...,dc=net" (No such object).

If the hostgroup is deleted, the corresponding automember rule should have been deleted, but it was not.

I have manually removed the automember hostgroup rule, then the automember rebuild process has started working.

Comment 3 Petr Vobornik 2016-11-03 08:44:18 UTC
Also, when there is an automember rule which targets a non-existing hostgroup, then adding a host which matches the rule will also fail with:

"""
Server is unwilling to perform: Automember Plugin update unexpectedly failed.
"""

Comment 4 Petr Vobornik 2016-11-11 15:12:19 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/6476

Comment 6 Rob Crittenden 2018-05-30 15:18:14 UTC
Reproduction steps:

ipa hostgroup-add test

ipa automember-add --type hostgroup test

ipa automember-add-condition --key=fqdn --type=hostgroup --inclusive-regex=^web[1-9]+\.example\.com test

ipa host-add web1.example.com

ipa hostgroup-show test

ipa automember-rebuild --type hostgroup

ipa hostgroup-del test

ipa automember-rebuild --type hostgroup
ipa: ERROR: Automember rebuild task aborted...

Comment 7 Rob Crittenden 2018-05-30 18:37:18 UTC
You can also reproduce this by creating the automember entry, deleting the hostgroup, then adding a condition.

Trying to add a host entry that matches the condition will also fail:

[30/May/2018:14:34:22.811521568 -0400] - ERR - auto-membership-plugin - automember_add_member_value - Unable to add "fqdn=web1.example.com,cn=computers,cn=accounts,dc=example,dc=com" as a "member" value to group "cn=test,cn=hostgroups,cn=accounts,dc=example,dc=com" (No such object).
[30/May/2018:14:34:22.834836405 -0400] - ERR - auto-membership-plugin - automember_add_member_value - Unable to add "fqdn=web1.example.com,cn=computers,cn=accounts,dc=example,dc=com" as a "member" value to group "cn=test,cn=hostgroups,cn=accounts,dc=example,dc=com" (No such object).
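
Added example, not part of the original bug report or the FreeIPA code: a small parser that scans a 389-ds errors log for the `automember_add_member_value ... (No such object)` failures quoted in comments 1 and 7 and reports which automember rules appear to target a deleted group. The function name, the container-to-type mapping and the sample log lines (constructed from the two log layouts shown above) are assumptions; DNs are split naively on commas.

```python
import re
from collections import defaultdict

# Accepts both layouts quoted in this bug: the older one without a severity
# field and the newer one with "- ERR -" and nanosecond timestamps.
LINE_RE = re.compile(
    r'^\[[^\]]+\]\s+'
    r'(?:-\s+\w+\s+-\s+)?'
    r'auto-membership-plugin\s+-\s+automember_add_member_value\s*[:-]\s*'
    r'Unable to add "(?P<member>[^"]+)" as a "[^"]+" value '
    r'to group "(?P<group>[^"]+)" \((?P<reason>[^)]+)\)'
)
# Assumption: IPA keeps hostgroups and user groups in these containers.
CONTAINER_TO_TYPE = {"cn=hostgroups": "hostgroup", "cn=groups": "group"}

# Constructed sample input modelled on the log lines in comments 1 and 7.
SAMPLE_LOG = """\
[26/Oct/2016:18:03:18 +0000] get_dom_sid - [file ipa_sidgen_common.c, line 75]: Internal search failed.
[26/Oct/2016:18:03:18 +0000] auto-membership-plugin - automember_add_member_value: Unable to add "fqdn=app1.example.com,cn=computers,cn=accounts,dc=example,dc=com" as a "member" value to group "cn=qa-servers,cn=hostgroups,cn=accounts,dc=example,dc=com" (No such object).
[30/May/2018:14:34:22.811521568 -0400] - ERR - auto-membership-plugin - automember_add_member_value - Unable to add "fqdn=web1.example.com,cn=computers,cn=accounts,dc=example,dc=com" as a "member" value to group "cn=test,cn=hostgroups,cn=accounts,dc=example,dc=com" (No such object).
[30/May/2018:14:34:22.834836405 -0400] - ERR - auto-membership-plugin - automember_add_member_value - Unable to add "fqdn=web1.example.com,cn=computers,cn=accounts,dc=example,dc=com" as a "member" value to group "cn=test,cn=hostgroups,cn=accounts,dc=example,dc=com" (No such object).
"""

def orphan_candidates(log_text):
    """Map (rule_type, rule_name) -> sorted member DNs whose add failed
    because the rule's target group no longer exists."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("reason") != "No such object":
            continue
        # Naive RDN split: assumes no escaped commas in the group DN.
        rdns = [r.strip() for r in m.group("group").split(",")]
        name = rdns[0].partition("=")[2]
        container = rdns[1].lower() if len(rdns) > 1 else ""
        rule_type = CONTAINER_TO_TYPE.get(container, "unknown")
        hits[(rule_type, name)].add(m.group("member"))
    return {key: sorted(members) for key, members in hits.items()}

if __name__ == "__main__":
    for (rtype, name), members in sorted(orphan_candidates(SAMPLE_LOG).items()):
        print(f"{rtype} rule '{name}': target group missing, "
              f"{len(members)} entry(ies) failed to be added")
```

A hit only shows that the target group was missing when the add was attempted; on a fixed version, confirm with `ipa automember-find-orphans` before removing a rule with `ipa automember-del`.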

Comment 8 Rob Crittenden 2018-05-30 19:02:52 UTC
I talked to Mark Reynolds about this and suggested that the automembership plugin could reject a delete if its associated host/hostgroup entry exists.

Comment 12 Florence Blanc-Renaud 2018-10-10 07:58:42 UTC
Fixed upstream
master:
https://pagure.io/freeipa/c/7f507519d4acb85c1e8e98bb29e26039751db8ff

Comment 15 Thomas Woerner 2018-11-12 14:23:02 UTC
I am sorry, wrong bug.

Comment 20 anuja 2019-05-14 12:14:33 UTC
Verified using version:
ipa-4.6.5-8.el7

Verified using upstream test automation:

TestAutomemberFindOrphans::test_create_deps_for_find_orphans()
TestAutomemberFindOrphans::test_find_orphan_automember_rules()

Comment 22 anuja 2019-05-14 12:20:59 UTC
Automation exists in:
ipatests/test_xmlrpc/test_automember_plugin.py
test_create_deps_for_find_orphans()
test_find_orphan_automember_rules()

Comment 23 anuja 2019-05-15 07:50:13 UTC
Additional verification step:
Using:
389-ds-base-1.3.9.1-6.el7.x86_64
ipa-server-4.6.5-8.el7.x86_64

[root@master ~]# ipa hostgroup-add test
----------------------
Added hostgroup "test"
----------------------
  Host-group: test
[root@master ~]#  ipa automember-add --type hostgroup test
----------------------------
Added automember rule "test"
----------------------------
  Automember Rule: test
[root@master ~]#  ipa automember-add-condition --key=fqdn --type=hostgroup --inclusive-regex=^web[1-9]+\.testrelm\.test test
----------------------------
Added condition(s) to "test"
----------------------------
  Automember Rule: test
  Inclusive Regex: fqdn=^web[1-9]+.testrelm.test
----------------------------
Number of conditions added 1
----------------------------
[root@master ~]# ipa host-add web9.testrelm.test
-------------------------------
Added host "web9.testrelm.test"
-------------------------------
  Host name: web9.testrelm.test
  Principal name: host/web9.testrelm.test
  Principal alias: host/web9.testrelm.test
  Password: False
  Member of host-groups: test
  Indirect Member of netgroup: test
  Keytab: False
  Managed by: web9.testrelm.test
[root@master ~]# ipa hostgroup-show test
  Host-group: test
  Member hosts: web9.testrelm.test
[root@master ~]# 
[root@master ~]# ipa hostgroup-del test
------------------------
Deleted hostgroup "test"
------------------------
[root@master ~]# 
[root@master ~]# ipa automember-find-orphans
Grouping Type: hostgroup
---------------
1 rules matched
---------------
  Automember Rule: test
  Inclusive Regex: fqdn=^web[1-9]+.testrelm.test
----------------------------
Number of entries returned 1
----------------------------
[root@master ~]# 
[root@master ~]# ipa automember-del --type hostgroup test
------------------------------
Deleted automember rule "test"
------------------------------
[root@master ~]# ipa automember-find-orphans hostgroup
Grouping Type: hostgroup
---------------
0 rules matched
---------------
----------------------------
Number of entries returned 0
----------------------------

[root@master ~]# ipa automember-rebuild --type hostgroup
--------------------------------------------------------
Automember rebuild task finished. Processed (2) entries.
--------------------------------------------------------
[root@master ~]#

Comment 27 errata-xmlrpc 2019-08-06 13:09:02 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2241