Bug 1529444

Summary: ObjectclassViolation seen while adding idview with domain-resolution-order option.
Product: Red Hat Enterprise Linux 7 Reporter: Sudhir Menon <sumenon>
Component: ipaAssignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA QA Contact: ipa-qe <ipa-qe>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.5CC: cheimes, enewland, frenaud, ksiddiqu, lmiksik, pasik, pvoborni, rcritten, tscherf
Target Milestone: rcKeywords: Regression
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-4.5.4-8.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-04-10 16:49:55 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Sudhir Menon 2017-12-28 06:33:48 UTC 
Description of problem: ObjectclassViolation seen while adding idview with domain-resolution-order option.


Version-Release number of selected component (if applicable):
ipa-server-4.5.4-7.el7.x86_64
389-ds-base-1.3.7.5-11.el7.x86_64

How reproducible:Always


Steps to Reproduce:
1. Install IPA server and establish with Windows AD
2. Run the domain resolution order command
 
#ipa config-mod --domain-resolution-order='testrelm.test:pne.qe' 
Domain resolution order: testrelm.test:pne.qe

3. Add a view with the domain resolution order 
#ipa idview-add special_host_view --desc 'ID view' --domain-resolution-order='testrelm.test:pne.qe'

Actual results:
[root@master ~]# ipa config-mod --domain-resolution-order='testrelm.test:pne.qe' Domain resolution order: testrelm.test:pne.qe
[root@master ~]# ipa idview-add special_host_view --desc 'ID view' --domain-resolution-order='testrelm.test:pne.qe'
ipa: ERROR: attribute "ipaDomainResolutionOrder" not allowed

[Wed Dec 27 08:38:06.749234 2017] [:error] [pid 30252] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
[Wed Dec 27 08:38:06.749382 2017] [:error] [pid 30252] ipa: DEBUG: WSGI jsonserver_session.__call__:
[Wed Dec 27 08:38:06.794961 2017] [:error] [pid 30252] ipa: DEBUG: Created connection context.ldap2_140579793685584
[Wed Dec 27 08:38:06.795154 2017] [:error] [pid 30252] ipa: DEBUG: WSGI jsonserver.__call__:
[Wed Dec 27 08:38:06.795242 2017] [:error] [pid 30252] ipa: DEBUG: WSGI WSGIExecutioner.__call__:
[Wed Dec 27 08:38:06.810186 2017] [:error] [pid 30252] ipa: DEBUG: raw: idview_add(u'special_host_view', description=u'ID view', ipadomainresolutionorder=u'testrelm.test:pne.qe', version=u'2.228')
[Wed Dec 27 08:38:06.810545 2017] [:error] [pid 30252] ipa: DEBUG: idview_add(u'special_host_view', description=u'ID view', ipadomainresolutionorder=u'testrelm.test:pne.qe', all=False, raw=False, version=u'2.228')
[Wed Dec 27 08:38:06.811450 2017] [:error] [pid 30252] ipa: DEBUG: retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-TESTRELM-TEST.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7fdb480fa0e0>
[Wed Dec 27 08:38:07.282325 2017] [:error] [pid 30252] ipa: DEBUG: raw: trust_find(None, sizelimit=0, version=u'2.228')
[Wed Dec 27 08:38:07.282723 2017] [:error] [pid 30252] ipa: DEBUG: trust_find(None, sizelimit=0, all=False, raw=False, version=u'2.228', pkey_only=False)
[Wed Dec 27 08:38:07.304696 2017] [:error] [pid 30252] ipa: DEBUG: raw: trustdomain_find(u'ipaad2016.test', None, sizelimit=0, version=u'2.228')
[Wed Dec 27 08:38:07.305166 2017] [:error] [pid 30252] ipa: DEBUG: trustdomain_find(u'ipaad2016.test', None, sizelimit=0, all=False, raw=False, version=u'2.228', pkey_only=False)
[Wed Dec 27 08:38:07.317303 2017] [:error] [pid 30252] ipa: DEBUG: raw: trustdomain_find(u'pne.qe', None, sizelimit=0, version=u'2.228')
[Wed Dec 27 08:38:07.317703 2017] [:error] [pid 30252] ipa: DEBUG: trustdomain_find(u'pne.qe', None, sizelimit=0, all=False, raw=False, version=u'2.228', pkey_only=False)
[Wed Dec 27 08:38:07.347503 2017] [:error] [pid 30252] ipa: DEBUG: WSGI wsgi_execute PublicError: Traceback (most recent call last):
[Wed Dec 27 08:38:07.347543 2017] [:error] [pid 30252]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 367, in wsgi_execute
[Wed Dec 27 08:38:07.347549 2017] [:error] [pid 30252]     result = command(*args, **options)
[Wed Dec 27 08:38:07.347555 2017] [:error] [pid 30252]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 447, in __call__
[Wed Dec 27 08:38:07.347559 2017] [:error] [pid 30252]     return self.__do_call(*args, **options)
[Wed Dec 27 08:38:07.347564 2017] [:error] [pid 30252]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 475, in __do_call
[Wed Dec 27 08:38:07.347569 2017] [:error] [pid 30252]     ret = self.run(*args, **options)
[Wed Dec 27 08:38:07.347573 2017] [:error] [pid 30252]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 797, in run
[Wed Dec 27 08:38:07.347578 2017] [:error] [pid 30252]     return self.execute(*args, **options)
[Wed Dec 27 08:38:07.347582 2017] [:error] [pid 30252]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/baseldap.py", line 1190, in execute
[Wed Dec 27 08:38:07.347587 2017] [:error] [pid 30252]     self._exc_wrapper(keys, options, ldap.add_entry)(entry_attrs)
[Wed Dec 27 08:38:07.347607 2017] [:error] [pid 30252]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/baseldap.py", line 1100, in wrapped
[Wed Dec 27 08:38:07.347613 2017] [:error] [pid 30252]     return func(*call_args, **call_kwargs)
[Wed Dec 27 08:38:07.347618 2017] [:error] [pid 30252]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/baseldap.py", line 1109, in exc_func
[Wed Dec 27 08:38:07.347622 2017] [:error] [pid 30252]     self, keys, options, e, call_func, *args, **kwargs)
[Wed Dec 27 08:38:07.347627 2017] [:error] [pid 30252]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/baseldap.py", line 1253, in exc_callback
[Wed Dec 27 08:38:07.347632 2017] [:error] [pid 30252]     raise exc
[Wed Dec 27 08:38:07.347636 2017] [:error] [pid 30252] ObjectclassViolation: attribute "ipaDomainResolutionOrder" not allowed
[Wed Dec 27 08:38:07.347640 2017] [:error] [pid 30252] 
[Wed Dec 27 08:38:07.347894 2017] [:error] [pid 30252] ipa: INFO: [jsonserver_session] admin: idview_add/1(u'special_host_view', description=u'ID view', ipadomainresolutionorder=u'testrelm.test:pne.qe', version=u'2.228'): ObjectclassViolation
[Wed Dec 27 08:38:07.349809 2017] [:error] [pid 30252] ipa: DEBUG: Destroyed connection context.ldap2_140579793685584

Expected results:
Objectclass violation error should be fixed and view should be created as in the  example mentioned in the below url.

Additional info:
Tried testcase specified in https://www.freeipa.org/page/V4/AD_User_Short_Names
Comment 3 Sudhir Menon 2017-12-28 07:42:27 UTC 
slapd error log.

[28/Dec/2017:01:31:31.423622106 -0500] - ERR - oc_check_allowed_sv - Entry "cn=special_host_view,cn=views,cn=accounts,dc=testrelm,dc=test" -- attribute "ipaDomainResolutionOrder" not allowed
Comment 4 Florence Blanc-Renaud 2018-01-05 08:49:07 UTC 
Upstream ticket:
https://pagure.io/freeipa/issue/7350
Comment 5 Christian Heimes 2018-01-09 17:07:51 UTC 
master:

    830866d Idviews: fix objectclass violation on idview-add


4.5 and 4.6 backports didn't apply cleanly. Florence, please backport your fix manually.
Comment 6 Christian Heimes 2018-01-10 08:31:33 UTC 
ipa-4-5:
    53047d6 Idviews: fix objectclass violation on idview-add
ipa-4-6:
    6c89b26 Idviews: fix objectclass violation on idview-add
Comment 8 Sudhir Menon 2018-01-22 08:57:03 UTC 
Fix is seen. Verified using 

[root@master ~]# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 7.5 Beta (Maipo)

ipa-server-4.5.4-8.el7.x86_64
389-ds-base-1.3.7.5-13.el7.x86_64

[root@master ~]# ipa trust-add --two-way=true
Realm name: pne.qe
Active Directory domain administrator: administrator
Active Directory domain administrator's password: 
-----------------------------------------------
Added Active Directory trust for realm "pne.qe"
-----------------------------------------------
  Realm name: pne.qe
  Domain NetBIOS name: PNE
  Domain Security Identifier: S-1-5-21-2202318585-426110948-4011710778
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified

[root@master ~]# id aduser1
uid=1261605281(aduser1) gid=1261605281(aduser1) groups=1261605281(aduser1),1261601629(adgroup2),1261601559(adgroup1),1261600513(domain users),1261602139(adunigroup1)

[root@master ~]# ipa config-mod --domain-resolution-order='testrelm.test:pne.qe'
  Maximum username length: 32
  Home directory base: /home
  Default shell: /bin/sh
  Default users group: ipausers
  Default e-mail domain: testrelm.test
  Search time limit: 2
  Search size limit: 100
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: FALSE
  Certificate Subject base: O=TESTRELM.TEST
  Password Expiration Notification (days): 4
  Password plugin features: AllowNThash, KDC:Disable Last Success
  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
  Default SELinux user: unconfined_u:s0-s0:c0.c1023
  Default PAC types: MS-PAC, nfs:NONE
  IPA masters: master.testrelm.test
  IPA CA servers: master.testrelm.test
  IPA NTP servers: master.testrelm.test
  IPA CA renewal master: master.testrelm.test
  IPA master capable of PKINIT: master.testrelm.test
  Domain resolution order: testrelm.test:pne.qe

[root@master ~]# ipa idview-add special_host_view --desc 'ID view' --domain-resolution-order='testrelm.test:pne.qe'
---------------------------------
Added ID View "special_host_view"
---------------------------------
  ID View Name: special_host_view
  Description: ID view
  Domain resolution order: testrelm.test:pne.qe

[Mon Jan 22 03:46:59.822978 2018] [:error] [pid 16710] ipa: INFO: [jsonserver_session] admin: config_mod/1(ipadomainresolutionorder=u'testrelm.test:pne.qe', version=u'2.228'): SUCCESS
[Mon Jan 22 03:49:11.835471 2018] [:error] [pid 16709] ipa: INFO: [jsonserver_session] admin: idview_add/1(u'special_host_view', description=u'ID view', ipadomainresolutionorder=u'testrelm.test:pne.qe', version=u'2.228'): SUCCESS
Comment 11 errata-xmlrpc 2018-04-10 16:49:55 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0918