| Field | Value |
|---|---|
| Summary | incompatible nsEncryptionConfig object definition prevents RHEL 7->6 schema replication |
| Product | Red Hat Enterprise Linux 7 |
| Reporter | Scott Poore <spoore> |
| Component | 389-ds-base |
| Assignee | Noriko Hosoi <nhosoi> |
| Status | CLOSED ERRATA |
| QA Contact | Viktor Ashirov <vashirov> |
| Severity | urgent |
| Docs Contact | Marc Muehlfeld <mmuehlfe> |
| Priority | urgent |
| Version | 7.3 |
| CC | mreynolds, msauton, nhosoi, nkinder, pvoborni, rcritten, rmeggins, tbordaz |
| Target Milestone | rc |
| Keywords | Regression, TestBlocker, ZStream |
| Target Release | 7.4 |
| Hardware | Unspecified |
| OS | Unspecified |
| Whiteboard | |
| Fixed In Version | 389-ds-base-1.3.6.1-3.el7 |
| Doc Type | Known Issue |
| Story Points | --- |
| Clone Of | |
| | 1410080 (view as bug list) |
| Environment | |
| Last Closed | 2017-08-01 21:12:24 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Bug Depends On | |
| Bug Blocks | 1410080 |
| Attachments | |

Doc Text:

IdM schema replications from Red Hat Enterprise Linux 7 to 6.9 fail

Identity Management (IdM) in Red Hat Enterprise Linux 6.9 uses a different schema definition in the `nsEncryptionConfig` object class than IdM on Red Hat Enterprise Linux 7.3. Because the schema learning mechanism is unable to merge definitions, schema replications between servers fail. As a consequence, mechanisms relying on the schema can fail. For example, schema violations and plug-in failures can occur, replication can fail, and access control instructions (ACI) can be ignored. In an upcoming Red Hat Enterprise Linux 7.3 update, the `nsTLS10`, `nsTLS11`, and `nsTLS12` attributes will be added to the list of allowed attributes in the `nsEncryptionConfig` object class, and as a consequence, mechanisms relying on the schema no longer fail in the described scenario.
Also, note to prevent NetworkManager from overwriting /etc/resolv.conf I added dns=none to /etc/NetworkManager/NetworkManager.conf.

Created attachment 1231338
var log from master

I see a lot of errors in dirsrv logs. Maybe corruption there?

Created attachment 1231339
var log from replica
There is some ACI problem:

$ grep NSACLPlugin /var/log/dirsrv/slapd-TESTRELM-TEST/error*
[06/Dec/2016:21:53:27 -0500] NSACLPlugin - __aclp__init_targetattr: targetattr "ipaProtectedOperation" does not exist in schema. Please add attributeTypes "ipaProtectedOperation" to schema if necessary.
[06/Dec/2016:21:53:27 -0500] NSACLPlugin - ACL PARSE ERR(rv=-5): (targetattr = "userPassword
[06/Dec/2016:21:53:27 -0500] NSACLPlugin - __aclp__init_targetattr: targetattr "ipaProtectedOperation" does not exist in schema. Please add attributeTypes "ipaProtectedOperation" to schema if necessary.
[06/Dec/2016:21:53:27 -0500] NSACLPlugin - ACL PARSE ERR(rv=-5): (targetattr = "userPassword
[06/Dec/2016:21:53:27 -0500] NSACLPlugin - Error: This ((targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbPasswordExpiration || krbPwdHistory || krbLastPwdChange || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || ipaUniqueId || memberOf || enrolledBy || ipaNTHash || ipaProtectedOperation")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=testrelm,dc=test";)) ACL will not be considered for evaluation because of syntax errors.
[06/Dec/2016:21:53:27 -0500] NSACLPlugin - Can't add the rest of the acls for entry:dc=testrelm,dc=test after delete
[06/Dec/2016:21:53:27 -0500] NSACLPlugin - __aclp__init_targetattr: targetattr "ipaProtectedOperation" does not exist in schema. Please add attributeTypes "ipaProtectedOperation" to schema if necessary.
[06/Dec/2016:21:53:27 -0500] NSACLPlugin - ACL PARSE ERR(rv=-5): (targetattr = "userPassword
and so on.

There is a problem with replication of the schema from RHEL7 to RHEL6. The side effect is that aci definitions that rely on attributes only defined in RHEL7 will be ignored during access control evaluations.
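The log excerpt above is the symptom an administrator sees on the RHEL6 side: ACIs that reference attributes missing from the local schema are dropped, and the schema push from the RHEL7 peer is refused. As an added example, not code from this bug report or from 389-ds, the Python script below scans a 389-ds error log for exactly those messages and reports the unresolved attribute names, the number of ACIs dropped with parse errors, and the replication agreements whose schema push was refused. The sample log is constructed from the excerpts quoted in this bug; the attribute name `exampleMissingAttr` is a placeholder, not a real IPA attribute.

```python
import re
from collections import Counter

# Patterns for the 389-ds error-log messages quoted in this bug.
MISSING_ATTR_RE = re.compile(
    r'NSACLPlugin - __aclp__init_targetattr: targetattr "([^"]+)" does not exist in schema'
)
ACL_PARSE_ERR_RE = re.compile(r'NSACLPlugin - ACL PARSE ERR\(rv=(-?\d+)\)')
SCHEMA_REFUSED_RE = re.compile(
    r'NSMMReplicationPlugin - \[S\] Schema agmt="([^"]+)" \(([^)]+)\) must not be overwritten'
)

# Constructed sample, modelled on the log lines quoted in this bug.
# "exampleMissingAttr" is a placeholder name, not a real IPA attribute.
SAMPLE_ERROR_LOG = """\
[06/Dec/2016:21:53:27 -0500] NSACLPlugin - __aclp__init_targetattr: targetattr "ipaProtectedOperation" does not exist in schema. Please add attributeTypes "ipaProtectedOperation" to schema if necessary.
[06/Dec/2016:21:53:27 -0500] NSACLPlugin - ACL PARSE ERR(rv=-5): (targetattr = "userPassword
[06/Dec/2016:21:53:27 -0500] NSACLPlugin - __aclp__init_targetattr: targetattr "ipaProtectedOperation" does not exist in schema. Please add attributeTypes "ipaProtectedOperation" to schema if necessary.
[06/Dec/2016:21:53:27 -0500] NSACLPlugin - __aclp__init_targetattr: targetattr "exampleMissingAttr" does not exist in schema. Please add attributeTypes "exampleMissingAttr" to schema if necessary.
[06/Dec/2016:21:53:27 -0500] NSACLPlugin - Can't add the rest of the acls for entry:dc=testrelm,dc=test after delete
[06/Dec/2016:21:53:29.320981372 -0500] NSMMReplicationPlugin - [S] Schema agmt="cn=meToqe-blade-14.testrelm.test" (qe-blade-14:389) must not be overwritten (set replication log for additional info)
"""


def missing_schema_attrs(log_text):
    """Attribute names the ACL plugin could not resolve, with how often each was hit."""
    return Counter(m.group(1) for m in MISSING_ATTR_RE.finditer(log_text))


def acl_parse_error_count(log_text):
    """Number of ACIs the ACL plugin refused to parse; such ACIs are not enforced at all."""
    return sum(1 for _ in ACL_PARSE_ERR_RE.finditer(log_text))


def refused_schema_agreements(log_text):
    """(agreement DN, peer host:port) pairs for which the incoming schema was refused."""
    return [(m.group(1), m.group(2)) for m in SCHEMA_REFUSED_RE.finditer(log_text)]


def summarize(log_text):
    """Combine the three checks into a single report dict."""
    return {
        "missing_attrs": dict(missing_schema_attrs(log_text)),
        "acl_parse_errors": acl_parse_error_count(log_text),
        "refused_schema_agmts": refused_schema_agreements(log_text),
    }


if __name__ == "__main__":
    import sys
    # Pass an error-log path as argv[1]; without one the constructed sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ERROR_LOG
    report = summarize(text)
    for attr, count in sorted(report["missing_attrs"].items()):
        print(f"attribute missing from schema: {attr} ({count} ACI references)")
    print(f"ACIs dropped with parse errors: {report['acl_parse_errors']}")
    for agmt, peer in report["refused_schema_agmts"]:
        print(f"schema push refused on {agmt} from {peer}")
```

A non-empty missing_attrs result together with a refused schema agreement is the combination this bug describes: the ACIs are being replicated from the newer server, but the schema they depend on is not, so they are silently ignored on the older server until the schema divergence is resolved and the server restarted.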
Some data
The update of the domain schema (from RHEL7 to RHEL6) relies on replication of the schema, which did not occur because:
[06/Dec/2016:21:53:29.320981372 -0500] NSMMReplicationPlugin - [S] Schema agmt="cn=meToqe-blade-14.testrelm.test" (qe-blade-14:389) must not be overwritten (set replication log for additional info)
The problem is that RHEL7 defines new acis with RHEL7 schema specific definitions. For example:
# update on RHEL7 that added
aci;vucsn-584779e4002c00030000: (targetattr="ipaProtectedOperation;write_keys")(version 3.0; acl "Allow trust agents to set keys for cross realm principals"; allow(write) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,dc=testrelm,dc=test";)
Then RHEL7 replicates those acis:
[06/Dec/2016:21:53:25 -0500] conn=35 fd=75 slot=75 connection from 10.19.34.9 to 10.19.34.84
[06/Dec/2016:21:53:25 -0500] conn=35 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[06/Dec/2016:21:53:25 -0500] conn=35 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[06/Dec/2016:21:53:25 -0500] conn=35 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[06/Dec/2016:21:53:25 -0500] conn=35 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[06/Dec/2016:21:53:25 -0500] conn=35 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[06/Dec/2016:21:53:25 -0500] conn=35 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="krbprincipalname=ldap/auto-hv-02-guest04.testrelm.test,cn=services,cn=accounts,dc=testrelm,dc=test"
..
[06/Dec/2016:21:54:31 -0500] conn=35 op=133 MOD dn="cn=trusts,dc=testrelm,dc=test"
[06/Dec/2016:21:54:31 -0500] conn=35 op=133 RESULT err=0 tag=103 nentries=0 etime=0 csn=584779e4002c00030000
But they cannot be parsed/evaluated on RHEL6:
[06/Dec/2016:21:53:27 -0500] NSACLPlugin - __aclp__init_targetattr: targetattr "ipaProtectedOperation" does not exist in schema. Please add attributeTypes "ipaProtectedOperation" to schema if necessary.
Problems are
nsEncryptionConfig allowed attribute
RHEL7 specific: sslVersionMin, sslVersionMax
RHEL6 specific: nsTLS10, nsTLS11, nsTLS12
--> RHEL7 definition should support nsTLS10, nsTLS11, nsTLS12
nsViewFilter syntax change:
RHEL7: 1.3.6.1.4.1.1466.115.121.1.15
RHEL6: 1.3.6.1.4.1.1466.115.121.1.26
mgrpRFC822MailMember
RHEL7
15rfc2307bis.ldif: 1.3.6.1.4.1.1466.115.121.1.26
50ns-mail.ldif: 1.3.6.1.4.1.1466.115.121.1.15 <-- selected
RHEL6:
50ns-mail.ldif: 1.3.6.1.4.1.1466.115.121.1.15
99user.ldif: 1.3.6.1.4.1.1466.115.121.1.26 <-- selected
The problem comes from the nsEncryptionConfig objectclass definition that differs in RHEL6 and RHEL7. Both versions have specific attributes. RHEL7 allows sslVersionMin, sslVersionMax but not nsTLS10, nsTLS11, nsTLS12. It is the opposite for RHEL6. There is in RHEL7 a schema learning mechanism that should address this. It does not because it does not implement a merge, where the final result would be: allows sslVersionMin, sslVersionMax, nsTLS10, nsTLS11, nsTLS12. So the problematic objectclass is not learned/merged and RHEL7 is unable to push its schema. A possible workaround (needs to be confirmed) is to stop RHEL7 and edit the nsEncryptionConfig definition to add nsTLS10, nsTLS11, nsTLS12, so that it will be a true superset of the RHEL6 definition.

The workaround is verified:
RHEL7: stop ipa, edit 99user.ldif to add the definition
objectclasses: ( nsEncryptionConfig-oid NAME 'nsEncryptionConfig' DESC 'Netscape defined objectclass' SUP top STRUCTURAL MUST cn MAY ( nsCertfile $ nsKeyfile $ nsSSL2 $ nsSSL3 $ nsTLS1 $ nsTLS10 $ nsTLS11 $ nsTLS12 $ sslVersionMin $ sslVersionMax $ nsSSLSessionTimeout $ nsSSL3SessionTimeout $ nsSSLClientAuth $ nsSSL2Ciphers $ nsSSL3Ciphers $ nsSSLSupportedCiphers $ allowWeakCipher $ CACertExtractFile $ allowWeakDHParam ) X-ORIGIN ( 'Netscape' 'user defined' ) )
It basically adds 'nsTLS10 $ nsTLS11 $ nsTLS12'.
start ipa
Then the schema is replicated RHEL7 to RHEL6 (ldapsearch -D "cn=directory manager" -W -b "cn=schema" nsSchemaCSN)
RHEL6: ipa restart (to reread the aci definitions that were ignored)
Then the command ipa dnsrecord-find testrelm.test gives the same result on RHEL6 and RHEL7.
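The two comments above establish the root cause (RHEL6 and RHEL7 each allow attributes in nsEncryptionConfig that the other does not, so neither definition is a superset of the other) and the workaround (extend the RHEL7 definition until it is a superset). As an added example, not code from this bug report or from 389-ds, the Python script below is a pre-flight check for that situation: it parses two objectclass descriptions, lists the MAY attributes one side lacks, and builds the merged superset definition. The two abridged nsEncryptionConfig definitions are constructed from attribute names mentioned in this bug, not copied from either release's schema files, and the parser is a simplification that compares only the NAME, MUST and MAY clauses.

```python
import re

NAME_RE = re.compile(r"\bNAME\s+'([^']+)'")


def _attr_list(definition, keyword):
    """Attribute names in the MUST or MAY clause of an objectclass description.

    Handles the parenthesised form "MAY ( a $ b )" and the bare form "MUST cn".
    """
    m = re.search(r'\b%s\s+\(\s*([^)]*)\)' % keyword, definition)
    if m:
        return [a.strip() for a in m.group(1).split('$') if a.strip()]
    m = re.search(r'\b%s\s+([A-Za-z][\w-]*)' % keyword, definition)
    return [m.group(1)] if m else []


def objectclass_name(definition):
    m = NAME_RE.search(definition)
    return m.group(1) if m else None


def missing_may(local, remote):
    """MAY attributes `remote` allows that `local` does not (LDAP names are case-insensitive)."""
    local_may = {a.lower() for a in _attr_list(local, "MAY")}
    return [a for a in _attr_list(remote, "MAY") if a.lower() not in local_may]


def is_superset(local, remote):
    """True when every entry valid under `remote` is also valid under `local`.

    Differing MUST lists are reported as incompatible rather than merged, since
    adding a required attribute would invalidate existing entries.
    """
    same_name = (objectclass_name(local) or "").lower() == (objectclass_name(remote) or "").lower()
    same_must = ({a.lower() for a in _attr_list(local, "MUST")}
                 == {a.lower() for a in _attr_list(remote, "MUST")})
    return same_name and same_must and not missing_may(local, remote)


def merge_definitions(local, remote):
    """Return `local` with its MAY list extended by the MAY attributes only `remote` has."""
    merged = _attr_list(local, "MAY") + missing_may(local, remote)
    clause = "MAY ( " + " $ ".join(merged) + " )"
    if re.search(r'\bMAY\b', local):
        return re.sub(r'\bMAY\s+(\([^)]*\)|[A-Za-z][\w-]*)', lambda _m: clause, local, count=1)
    # No MAY clause at all: insert one before the closing parenthesis.
    return local.rstrip()[:-1].rstrip() + " " + clause + " )"


# Constructed, abridged definitions using attribute names from this bug.
# They are not verbatim copies of the RHEL7 or RHEL6 schema files.
RHEL7_NSENCRYPTIONCONFIG = (
    "( nsEncryptionConfig-oid NAME 'nsEncryptionConfig' DESC 'Netscape defined objectclass' "
    "SUP top STRUCTURAL MUST cn MAY ( nsCertfile $ nsKeyfile $ nsSSL2 $ nsSSL3 $ nsTLS1 $ "
    "sslVersionMin $ sslVersionMax $ nsSSLSessionTimeout $ nsSSLClientAuth $ nsSSL3Ciphers $ "
    "allowWeakCipher ) X-ORIGIN 'Netscape' )"
)
RHEL6_NSENCRYPTIONCONFIG = (
    "( nsEncryptionConfig-oid NAME 'nsEncryptionConfig' DESC 'Netscape defined objectclass' "
    "SUP top STRUCTURAL MUST cn MAY ( nsCertfile $ nsKeyfile $ nsSSL2 $ nsSSL3 $ nsTLS1 $ "
    "nsTLS10 $ nsTLS11 $ nsTLS12 $ nsSSLSessionTimeout $ nsSSLClientAuth $ nsSSL3Ciphers ) "
    "X-ORIGIN 'Netscape' )"
)


if __name__ == "__main__":
    pairs = [("RHEL7 lacks", RHEL7_NSENCRYPTIONCONFIG, RHEL6_NSENCRYPTIONCONFIG),
             ("RHEL6 lacks", RHEL6_NSENCRYPTIONCONFIG, RHEL7_NSENCRYPTIONCONFIG)]
    for label, local, remote in pairs:
        print(label, missing_may(local, remote), "superset:", is_superset(local, remote))
    print("merged definition for the pushing side:")
    print(merge_definitions(RHEL7_NSENCRYPTIONCONFIG, RHEL6_NSENCRYPTIONCONFIG))
```

Run against the schema exported from both servers (for example the `objectclasses` values returned by an ldapsearch on `cn=schema`), a non-empty missing_may() result on the pushing side is the divergence this bug describes; merge_definitions() produces the kind of superset definition the workaround above placed in 99user.ldif.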
It is a bit unclear to me. Should it be fixed on the RHEL6 side or RHEL7? In ipa or 389-ds? My understanding is that starting with https://brewweb.engineering.redhat.com/brew/buildinfo?buildID=522309 the RHEL6 standard DS schema contains a nsEncryptionConfig definition that diverges from RHEL7. This prevents replication of the schema RHEL6 to/from RHEL7 (and creates the aci/dns issue). A workaround exists: https://bugzilla.redhat.com/show_bug.cgi?id=1404443#c11 A fix for this is needed in 389-ds (improve the schema learning mechanism to support diverging definitions, enhance the RHEL7 nsEncryptionConfig definition, others ...)

Moving to the proper component.

Upstream ticket: https://fedorahosted.org/389/ticket/49074

Fix pushed upstream. Moving BZ to POST.

Justification: this is a test stopper. Without this fix, the QE team cannot test the rhel-7.3 -> rhel-6.8 replication.

IMHO the description looks really good but the possible consequences aspect may be more precise, replacing "...schema replications from Red Hat Enterprise Linux 7 to 6.9 fail, and schema violation errors are logged." with something like "...schema replication between the servers fails. The consequence is that mechanisms relying on schema may fail: operations logged as schema violations, operations failing because of plugin failures, replication breakage, ACIs being ignored, ..."

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2086
Description of problem:
After doing an ipa-replica-install on a RHEL7 host, I can no longer see DNS entries in IPA from my RHEL6 IPA Master. After what appears to be a successful ipa-replica-install, I see this:

[root@rhel6-1 yum.repos.d]# ipa dnsrecord-find testrelm.test
----------------------------
Number of entries returned 0
----------------------------

But, on the RHEL7 Replica, I see:

[root@rhel7-1 ~]# ipa dnsrecord-find testrelm.test
Record name: @
NS record: rhel7-1.testrelm.test., rhel6-1.testrelm.test.
Record name: _kerberos
TXT record: "TESTRELM.TEST"
Record name: _kerberos._tcp
SRV record: 0 100 88 rhel7-1.testrelm.test., 0 100 88 rhel6-1.testrelm.test.
Record name: _kerberos-master._tcp
SRV record: 0 100 88 rhel7-1.testrelm.test., 0 100 88 rhel6-1.testrelm.test.
Record name: _kpasswd._tcp
SRV record: 0 100 464 rhel6-1.testrelm.test., 0 100 464 rhel7-1.testrelm.test.
Record name: _ldap._tcp
SRV record: 0 100 389 rhel6-1.testrelm.test., 0 100 389 rhel7-1.testrelm.test.
Record name: _kerberos._udp
SRV record: 0 100 88 rhel7-1.testrelm.test., 0 100 88 rhel6-1.testrelm.test.
Record name: _kerberos-master._udp
SRV record: 0 100 88 rhel7-1.testrelm.test., 0 100 88 rhel6-1.testrelm.test.
Record name: _kpasswd._udp
SRV record: 0 100 464 rhel6-1.testrelm.test., 0 100 464 rhel7-1.testrelm.test.
Record name: _ntp._udp
SRV record: 0 100 123 rhel7-1.testrelm.test.
Record name: ipa-ca
A record: 192.168.122.71, 192.168.122.61
Record name: rhel6-1
A record: 192.168.122.61
SSHFP record: 2 1 25E56BD64B1AF74DAD7EF1602764370E5EBF7768, 1 1 079868C7C370853AE500D5AC51DA09DE298C3A71
Record name: rhel7-1
A record: 192.168.122.71
SSHFP record: 4 2 FDB4EC53A9852259A7B4C7683F2E732E5F22159A2FEFCC56EC4C6EDF1E802778, 3 2 C16330C457DB62F57E354C3B5AB691D3971E2541BA3D35CE2B94D60240633F14, 1 1 5ECFC03B91EAC1BA899EFEC96FE4D5907335AE02, 3 1 38624BD4358FC5875C0A5AA33F18AFCD21C1BBF3, 4 1 0DEE9239A41FFF1343A29EEAD195AA9F84B6FE2A, 1 2 68A7A65399233DD0A01A6D6CFBF57DFCE351EE143657FD4D86FF6F9E9CCBC0C6
-----------------------------
Number of entries returned 13
-----------------------------
[root@rhel7-1 ~]#

Version-Release number of selected component (if applicable):
on RHEL6 IPA Master:
ipa-server-3.0.0-51.el6.x86_64
pki-ca-9.0.3-51.el6.noarch
on RHEL7 IPA Replica:
ipa-server-4.4.0-14.el7_3.1.x86_64
pki-ca-10.3.3-14.el7_3.noarch

How reproducible:
always

Steps to Reproduce:
On IPA Master:
1. ipa-server-install --setup-dns --forwarder=192.168.122.1 --hostname=rhel6-1.testrelm.test --ip-address=192.168.122.61 -r TESTRELM.TEST -n testrelm.test -p Secret123 -a Secret123 -U
On IPA Replica:
2. scp /usr/share/ipa/copy-schema-to-ca.py root@rhel6-1:/root
3. ssh root@rhel6-1 "python /root/copy-schema-to-ca.py"
On IPA Master:
4. ipa-replica-prepare -p Secret123 --ip-address=192.168.122.71 --reverse-zone=122.168.192.in-addr.arpa. rhel7-1.testrelm.test
On IPA Replica:
5. ipa-replica-install --setup-ca --setup-dns --forwarder=192.168.122.1 -p Secret123 -w Secret123 /root/replica-info-rhel7-1.testrelm.test.gpg -U
Note: firewall was disabled on both hosts to test.

Actual results:
Cannot see DNS records from IPA commands after installing newer replica.

Expected results:
Can still see DNS records as expected.

Additional info: