Bug 1437492

Summary: "ERR - cos-plugin - cos_cache_query_attr - cos attribute krbPwdPolicyReference failed schema check" in error log
Product: Red Hat Enterprise Linux 7
Reporter: Sudhir Menon <sumenon>
Component: 389-ds-base
Assignee: mreynolds
Status: CLOSED ERRATA
QA Contact: Viktor Ashirov <vashirov>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 7.4
CC: nkinder, pvoborni, rcritten, rmeggins, tbordaz, tomek, tscherf
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: 389-ds-base-1.3.6.1-14.el7
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-08-01 21:16:38 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Attachments (Description / Flags):
    ipa-server install log / none
    dirsrv error logs / none
    ldapsearch logs / none

Description Sudhir Menon 2017-03-30 12:02:35 UTC
Description of problem: Fix the ERR seen in /var/log/dirsrv/slapd-TESTREAL-TEST/errors file "ERR - cos-plugin - cos_cache_query_attr - cos attribute krbPwdPolicyReference failed schema check on dn"


Version-Release number of selected component (if applicable):
ipa-server-trust-ad-4.5.0-4.el7.x86_64
ipa-server-4.5.0-4.el7.x86_64
sssd-1.15.2-5.el7.x86_64
389-ds-base-1.3.6.1-5.el7.x86_64

How reproducible: Always

Steps to Reproduce:
1. Ensure SELINUX is in permissive mode.
2. Install IPA server 
3. Establish trust with AD
4. Check the /var/log/messages file.

Actual results:
The message below is seen in /var/log/dirsrv/slapd-TESTREAL-TEST/errors and in the /var/log/messages file.

Mar 30 07:38:54 localhost ns-slapd: [30/Mar/2017:07:38:54.487312570 -0400] - ERR - cos-plugin - cos_cache_query_attr - cos attribute krbPwdPolicyReference failed schema check on dn: cn=dns,dc=testreal,dc=test
Mar 30 07:38:54 localhost ns-slapd: [30/Mar/2017:07:38:54.488288913 -0400] - ERR - cos-plugin - cos_cache_query_attr - cos attribute krbPwdPolicyReference failed schema check on dn: cn=dns,dc=testreal,dc=test
Mar 30 07:38:54 localhost ns-slapd: [30/Mar/2017:07:38:54.490139602 -0400] - ERR - cos-plugin - cos_cache_query_attr - cos attribute krbPwdPolicyReference failed schema check on dn: cn=dns,dc=testreal,dc=test
Mar 30 07:38:54 localhost ns-slapd: [30/Mar/2017:07:38:54.493327986 -0400] - ERR - cos-plugin - cos_cache_query_attr - cos attribute krbPwdPolicyReference failed schema check on dn: cn=dns,dc=testreal,dc=test
Mar 30 07:38:54 localhost ns-slapd: [30/Mar/2017:07:38:54.494344891 -0400] - ERR - cos-plugin - cos_cache_query_attr - cos attribute krbPwdPolicyReference failed schema check on dn: cn=dns,dc=testreal,dc=test
Mar 30 07:38:54 localhost ns-slapd: [30/Mar/2017:07:38:54.496114571 -0400] - ERR - cos-plugin - cos_cache_query_attr - cos attribute krbPwdPolicyReference failed schema check on dn: cn=dns,dc=testreal,dc=test
Mar 30 07:38:54 localhost ns-slapd: [30/Mar/2017:07:38:54.498957073 -0400] - ERR - cos-plugin - cos_cache_query_attr - cos attribute krbPwdPolicyReference failed schema check on dn: cn=dns,dc=testreal,dc=test
Mar 30 07:38:54 localhost ns-slapd: [30/Mar/2017:07:38:54.499986296 -0400] - ERR - cos-plugin - cos_cache_query_attr - cos attribute krbPwdPolicyReference failed schema check on dn: cn=dns,dc=testreal,dc=test
Mar 30 07:38:54 localhost ns-slapd: [30/Mar/2017:07:38:54.501702431 -0400] - ERR - cos-plugin - cos_cache_query_attr - cos attribute krbPwdPolicyReference failed schema check on dn: cn=dns,dc=testreal,dc=test


Expected results: Need to fix the issue showing up in the /var/log/messages file.

Additional info: Attaching the install log

Comment 2 Sudhir Menon 2017-03-30 12:11:59 UTC
Created attachment 1267513 [details]
ipa-server install log

Comment 3 Sudhir Menon 2017-03-30 12:13:50 UTC
Created attachment 1267514 [details]
dirsrv error logs

Comment 5 Sudhir Menon 2017-04-04 08:37:52 UTC
Created attachment 1268584 [details]
ldapsearch logs

Comment 6 thierry bordaz 2017-05-04 16:50:35 UTC
    - The problem can be reproduced with the following test case:
                ipa-server-install --hostname=<vm.fqdn>  -p Secret123 -a Secret123 --domain test.com --realm TEST.COM -U
                ldapsearch -D "cn=directory manager" -w Secret123 -b "cn=<vm.fqdn>,cn=masters,cn=ipa,cn=etc,dc=test,dc=com" -s base "(objectClass=*)"

      It triggers this message in the error log:
                [04/May/2017:18:25:47.230609040 +0200] - ERR - cos-plugin - cos_cache_query_attr - cos attribute krbPwdPolicyReference failed schema check on dn: cn=<vm.fqdn>,cn=masters,cn=ipa,cn=etc,dc=test,dc=com


    - There exist pointer COS definitions that add a default value for 'krbPwdPolicyReference':
        dn: cn=Default Password Policy,cn=computers,cn=accounts,dc=test,dc=com
        dn: cn=Default Password Policy,cn=services,cn=accounts,dc=test,dc=com
        dn: cn=Default Password Policy,cn=TEST.COM,cn=kerberos,dc=test,dc=com

    - Those COS definitions scope the entries under:
        cn=computers,cn=accounts,dc=test,dc=com
        cn=services,cn=accounts,dc=test,dc=com
        cn=TEST.COM,cn=kerberos,dc=test,dc=com

    - When searching the entry 'cn=<vm.fqdn>,cn=masters,cn=ipa,cn=etc,dc=test,dc=com',
      the cos plugin finds in the cos cache that one of the above COS definitions should add the 'krbPwdPolicyReference' attribute.
      The master entry looks like:
        dn: cn=<vm.fqdn>,cn=masters,cn=ipa,cn=etc,dc=test,dc=com
        objectClass: top
        objectClass: nsContainer
        objectClass: ipaReplTopoManagedServer
        objectClass: ipaConfigObject
        objectClass: ipaSupportedDomainLevelConfig
        cn: <vm.fqdn>
        ipaReplTopoManagedSuffix: dc=test,dc=com
        ipaReplTopoManagedSuffix: o=ipaca
        ipaMinDomainLevel: 0
        ipaMaxDomainLevel: 1

      This entry has no 'krbRealmContainer' or 'krbPrincipalAux' objectClass value.
      Schema checking being enforced, it triggers the log message and skips adding 'krbPwdPolicyReference'.


    In conclusion:
        This is a bug in the COS plugin that erroneously attempts to select/apply a COS definition
    on an entry (under 'cn=masters') although the entry is not in the scope of any COS definition.
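
The scope argument in Comment 6 can be checked mechanically. The following script is an added example, not code from this bug or from 389-ds-base: it parses the cos-plugin schema-check error lines, extracts the DN, and tests whether that DN lies under any of the three COS scopes listed above (subtree scope, RDN-by-RDN suffix match). An entry reported outside every scope is the spurious ERR this bug describes; an entry inside a scope that still fails the schema check would point at a genuine missing objectClass. The log lines and hostnames in SAMPLE_LOG are constructed for the example (the <vm.fqdn> placeholder replaced with invented names); it assumes DNs without escaped commas, which holds for the IPA tree shown here.

```python
import re

# The three pointer COS scopes from Comment 6.
COS_SCOPES = [
    "cn=computers,cn=accounts,dc=test,dc=com",
    "cn=services,cn=accounts,dc=test,dc=com",
    "cn=TEST.COM,cn=kerberos,dc=test,dc=com",
]

# Constructed sample log: one line for the master entry (outside every scope),
# one for a host entry (inside the computers scope), one unrelated line.
SAMPLE_LOG = """\
[04/May/2017:18:25:47.230609040 +0200] - ERR - cos-plugin - cos_cache_query_attr - cos attribute krbPwdPolicyReference failed schema check on dn: cn=master1.test.com,cn=masters,cn=ipa,cn=etc,dc=test,dc=com
[04/May/2017:18:25:47.230700000 +0200] - ERR - cos-plugin - cos_cache_query_attr - cos attribute krbPwdPolicyReference failed schema check on dn: fqdn=host1.test.com,cn=computers,cn=accounts,dc=test,dc=com
[04/May/2017:18:25:48.000000000 +0200] - INFO - slapd - unrelated line that must be ignored
"""

# Matches the cos-plugin message format seen in the report and captures attribute + DN.
LOG_RE = re.compile(
    r"cos attribute (?P<attr>\S+) failed schema check on dn: (?P<dn>.+)$"
)


def split_dn(dn):
    """Split a DN into RDN components, normalising case and whitespace.

    Assumption (stated in the lead-in): no escaped commas inside RDN values.
    """
    return [rdn.strip().lower() for rdn in dn.split(",")]


def dn_in_scope(dn, scope):
    """True if `dn` equals `scope` or lies beneath it (LDAP subtree scope).

    A DN is under a scope when the scope's RDNs are the trailing RDNs of the DN.
    """
    d, s = split_dn(dn), split_dn(scope)
    return len(d) >= len(s) and d[-len(s):] == s


def scope_for(dn, scopes=COS_SCOPES):
    """Return the first COS scope containing `dn`, or None if no scope applies."""
    for scope in scopes:
        if dn_in_scope(dn, scope):
            return scope
    return None


def triage_log(text, scopes=COS_SCOPES):
    """Classify every cos-plugin schema-check ERR line in `text`.

    Each result records the DN, the COS attribute named in the message, and the
    scope the DN falls under (None means the plugin fired outside any scope).
    """
    results = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # not a cos-plugin schema-check message
        dn = m.group("dn").strip()
        results.append({"dn": dn, "attr": m.group("attr"), "scope": scope_for(dn, scopes)})
    return results


if __name__ == "__main__":
    for r in triage_log(SAMPLE_LOG):
        if r["scope"] is None:
            verdict = "NOT under any COS scope: spurious ERR (Comment 6)"
        else:
            verdict = "under scope %s: entry really lacks the required objectClass" % r["scope"]
        print("%s -> %s" % (r["dn"], verdict))
```

Run against a real errors file, the script separates the out-of-scope noise the fix silences from any in-scope entry that genuinely fails the schema check and deserves a look at its objectClass list.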

Comment 7 thierry bordaz 2017-05-10 17:20:43 UTC
Upstream ticket https://pagure.io/389-ds-base/issue/49249 is tracking this issue.
The bug is minor as it is just an inappropriate log level.

Comment 8 thierry bordaz 2017-05-16 11:12:39 UTC
Upstream ticket pushed. Switching it to POST.

Comment 9 Nathan Kinder 2017-05-18 15:08:43 UTC
*** Bug 1450832 has been marked as a duplicate of this bug. ***

Comment 12 errata-xmlrpc 2017-08-01 21:16:38 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2086