Bug 1678517
| Summary: | ipa role-mod DatabaseError changing cn | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Scott Poore <spoore> | ||||
| Component: | 389-ds-base | Assignee: | mreynolds | ||||
| Status: | CLOSED ERRATA | QA Contact: | RHDS QE <ds-qe-bugs> | ||||
| Severity: | unspecified | Docs Contact: | |||||
| Priority: | unspecified | ||||||
| Version: | 8.0 | CC: | dpal, lkrispen, mkosek, mreynolds, nkinder, nsoman, pvoborni, rcritten, rmeggins, snagar, spichugi, tbordaz, toneata, tscherf, vashirov | ||||
| Target Milestone: | rc | Keywords: | TestBlocker, ZStream | ||||
| Target Release: | 8.0 | ||||||
| Hardware: | Unspecified | ||||||
| OS: | Unspecified | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | 389-ds-base-1.4.1.3-5.module+el8.1.0+3776+ece1ae4c | Doc Type: | If docs needed, set a value | ||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | |||||||
| : | 1690024 (view as bug list) | Environment: | |||||
| Last Closed: | 2019-11-05 21:00:18 UTC | Type: | Bug | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Bug Depends On: | 1683259 | ||||||
| Bug Blocks: | 1690024 | ||||||
| Attachments: |
|
||||||
|
Description
Scott Poore
2019-02-19 01:06:45 UTC
Thierry, what data should we gather for this? I suspect it is a bug in 389. I'm not sure if this helps but, I re-ran the test with ACI summary and plugin debugging enabled and I see this:
[root@master slapd-TESTRELM-TEST]# grep 12:21:42 *
access:[19/Feb/2019:12:21:42.214505986 -0600] conn=38 op=1 RESULT err=1 tag=109 nentries=0 etime=0.1176775035
access:[19/Feb/2019:12:21:42.216843595 -0600] conn=38 op=2 UNBIND
access:[19/Feb/2019:12:21:42.216892479 -0600] conn=38 op=2 fd=106 closed - U1
errors:[19/Feb/2019:12:21:42.005295408 -0600] - DEBUG - schema-compat-plugin - no interesting reference-based changes for "cn=compat,dc=testrelm,dc=test"/"cn=groups" made in "cn=rolebb,cn=roles,cn=accounts,dc=testrelm,dc=test" ("replace:modifiersname,replace:entryusn" not in "cn,gidNumber,memberUid,member,uid,ipauniqueid,ipaanchoruuid")
errors:[19/Feb/2019:12:21:42.011204958 -0600] - DEBUG - schema-compat-plugin - reference-based changes for "cn=compat,dc=testrelm,dc=test"/"cn=computers" made in ("cn=rolebb,cn=roles,cn=accounts,dc=testrelm,dc=test") ("replace:modifiersname,replace:entryusn" in list "" or list empty)
errors:[19/Feb/2019:12:21:42.017033877 -0600] - DEBUG - schema-compat-plugin - reference-based changes for "ou=sudoers,dc=testrelm,dc=test"/"" made in ("cn=rolebb,cn=roles,cn=accounts,dc=testrelm,dc=test") ("replace:modifiersname,replace:entryusn" in list "" or list empty)
errors:[19/Feb/2019:12:21:42.022794024 -0600] - DEBUG - roles-plugin - --> roles_post_op
errors:[19/Feb/2019:12:21:42.028625821 -0600] - DEBUG - roles-plugin - --> roles_cache_change_notify
errors:[19/Feb/2019:12:21:42.034314711 -0600] - DEBUG - roles-plugin - <-- roles_cache_change_notify - Not a role entry
errors:[19/Feb/2019:12:21:42.040182006 -0600] - DEBUG - roles-plugin - <-- roles_post_op
errors:[19/Feb/2019:12:21:42.048650844 -0600] - DEBUG - roles-plugin - --> roles_post_op
errors:[19/Feb/2019:12:21:42.053833029 -0600] - DEBUG - roles-plugin - --> roles_cache_change_notify
errors:[19/Feb/2019:12:21:42.059597142 -0600] - DEBUG - roles-plugin - <-- roles_cache_change_notify - Not a role entry
errors:[19/Feb/2019:12:21:42.065030877 -0600] - DEBUG - roles-plugin - <-- roles_post_op
errors:[19/Feb/2019:12:21:42.108468678 -0600] - DEBUG - schema-compat-plugin - renamed "cn=roleb,cn=roles,cn=accounts,dc=testrelm,dc=test" to "cn=rolebb,cn=roles,cn=accounts,dc=testrelm,dc=test"
errors:[19/Feb/2019:12:21:42.112578245 -0600] - DEBUG - memberof-plugin - memberof_modop_one_replace_r - REPLACE cn=roleb,cn=roles,cn=accounts,dc=testrelm,dc=test in uid=userb,cn=users,cn=accounts,dc=testrelm,dc=test
errors:[19/Feb/2019:12:21:42.116592712 -0600] - DEBUG - ipa-topology-plugin - --> ipa_topo_pre_mod
errors:[19/Feb/2019:12:21:42.120574229 -0600] - DEBUG - ipa-topology-plugin - <-- ipa_topo_pre_mod
errors:[19/Feb/2019:12:21:42.124308479 -0600] - DEBUG - roles-plugin - --> roles_post_op
errors:[19/Feb/2019:12:21:42.128114203 -0600] - DEBUG - roles-plugin - --> roles_cache_change_notify
errors:[19/Feb/2019:12:21:42.131893761 -0600] - DEBUG - roles-plugin - <-- roles_post_op
errors:[19/Feb/2019:12:21:42.135929137 -0600] - DEBUG - ipa-topology-plugin - --> ipa_topo_pre_mod
errors:[19/Feb/2019:12:21:42.140612696 -0600] - DEBUG - ipa-topology-plugin - <-- ipa_topo_pre_mod
errors:[19/Feb/2019:12:21:42.146250758 -0600] - DEBUG - roles-plugin - --> roles_post_op
errors:[19/Feb/2019:12:21:42.151759643 -0600] - DEBUG - roles-plugin - --> roles_cache_change_notify
errors:[19/Feb/2019:12:21:42.157417374 -0600] - DEBUG - roles-plugin - <-- roles_post_op
errors:[19/Feb/2019:12:21:42.163278600 -0600] - ERR - memberof-plugin - memberof_postop_modrdn - Update failed for (cn=roleB,cn=roles,cn=accounts,dc=testrelm,dc=test), error (1)
errors:[19/Feb/2019:12:21:42.168789170 -0600] - DEBUG - roles-plugin - --> roles_post_op
errors:[19/Feb/2019:12:21:42.174476342 -0600] - DEBUG - roles-plugin - --> roles_cache_change_notify
errors:[19/Feb/2019:12:21:42.180302984 -0600] - DEBUG - roles-plugin - <-- roles_cache_change_notify - Not a role entry
errors:[19/Feb/2019:12:21:42.185864632 -0600] - DEBUG - roles-plugin - <-- roles_post_op
errors:[19/Feb/2019:12:21:42.191434613 -0600] - DEBUG - schema-compat-plugin - post-modrdn entry is NULL
errors:[19/Feb/2019:12:21:42.197212265 -0600] - DEBUG - roles-plugin - --> roles_post_op
errors:[19/Feb/2019:12:21:42.202796720 -0600] - DEBUG - roles-plugin - --> roles_cache_change_notify
errors:[19/Feb/2019:12:21:42.208214776 -0600] - DEBUG - roles-plugin - <-- roles_post_op
I tried also running with ACL processing (128) but, when I do, I get ipa timeout exceeded errors
FYI, I also saw similar with an "ipa privilege-mod --rename" command:
[root@master slapd-TESTRELM-TEST]# ipa privilege-mod 'HBAC Administrator' --rename 'hbacadmins'
ipa: ERROR: Operations error:
[root@master slapd-TESTRELM-TEST]# less /var/log/httpd/error_log
[root@master slapd-TESTRELM-TEST]# grep 14:36:47 *
errors:[19/Feb/2019:14:36:47.005874133 -0600] - DEBUG - schema-compat-plugin - reference-based changes for "cn=compat,dc=testrelm,dc=test"/"cn=computers" made in ("cn=hbacadmins,cn=privileges,cn=pbac,dc=testrelm,dc=test") ("replace:memberOf,replace:entryusn" in list "" or list empty)
errors:[19/Feb/2019:14:36:47.011784939 -0600] - DEBUG - schema-compat-plugin - reference-based changes for "ou=sudoers,dc=testrelm,dc=test"/"" made in ("cn=hbacadmins,cn=privileges,cn=pbac,dc=testrelm,dc=test") ("replace:memberOf,replace:entryusn" in list "" or list empty)
errors:[19/Feb/2019:14:36:47.017889265 -0600] - DEBUG - roles-plugin - --> roles_post_op
errors:[19/Feb/2019:14:36:47.024003603 -0600] - DEBUG - roles-plugin - --> roles_cache_change_notify
errors:[19/Feb/2019:14:36:47.029694977 -0600] - DEBUG - roles-plugin - <-- roles_cache_change_notify - Not a role entry
errors:[19/Feb/2019:14:36:47.035757609 -0600] - DEBUG - roles-plugin - <-- roles_post_op
errors:[19/Feb/2019:14:36:47.045234220 -0600] - DEBUG - roles-plugin - --> roles_post_op
errors:[19/Feb/2019:14:36:47.050907126 -0600] - DEBUG - roles-plugin - --> roles_cache_change_notify
errors:[19/Feb/2019:14:36:47.056471446 -0600] - DEBUG - roles-plugin - <-- roles_cache_change_notify - Not a role entry
errors:[19/Feb/2019:14:36:47.061990726 -0600] - DEBUG - roles-plugin - <-- roles_post_op
errors:[19/Feb/2019:14:36:47.071592385 -0600] - DEBUG - ipa-topology-plugin - --> ipa_topo_pre_mod
errors:[19/Feb/2019:14:36:47.077576128 -0600] - DEBUG - ipa-topology-plugin - <-- ipa_topo_pre_mod
errors:[19/Feb/2019:14:36:47.083824412 -0600] - DEBUG - NS7bitAttr - preop_modify - MODIFY begin
errors:[19/Feb/2019:14:36:47.090074775 -0600] - DEBUG - dna-plugin - dna_be_txn_pre_op - Entry does not match filter
errors:[19/Feb/2019:14:36:47.097281027 -0600] - DEBUG - schema-compat-plugin - modified "cn=System: Add HBAC Rule,cn=permissions,cn=pbac,dc=testrelm,dc=test"
errors:[19/Feb/2019:14:36:47.102859991 -0600] - DEBUG - schema-compat-plugin - "cn=system: add hbac rule,cn=permissions,cn=pbac,dc=testrelm,dc=test" not in "cn=compat,dc=testrelm,dc=test"/"cn=users", before or after modify
errors:[19/Feb/2019:14:36:47.108377824 -0600] - DEBUG - schema-compat-plugin - "cn=system: add hbac rule,cn=permissions,cn=pbac,dc=testrelm,dc=test" not in "cn=compat,dc=testrelm,dc=test"/"cn=ng", before or after modify
errors:[19/Feb/2019:14:36:47.114141853 -0600] - DEBUG - schema-compat-plugin - "cn=system: add hbac rule,cn=permissions,cn=pbac,dc=testrelm,dc=test" not in "cn=compat,dc=testrelm,dc=test"/"cn=groups", before or after modify
errors:[19/Feb/2019:14:36:47.119805368 -0600] - DEBUG - schema-compat-plugin - "cn=system: add hbac rule,cn=permissions,cn=pbac,dc=testrelm,dc=test" not in "cn=compat,dc=testrelm,dc=test"/"cn=computers", before or after modify
errors:[19/Feb/2019:14:36:47.125793162 -0600] - DEBUG - schema-compat-plugin - "cn=system: add hbac rule,cn=permissions,cn=pbac,dc=testrelm,dc=test" not in "ou=sudoers,dc=testrelm,dc=test"/"", before or after modify
errors:[19/Feb/2019:14:36:47.131795587 -0600] - DEBUG - schema-compat-plugin - no interesting reference-based changes for "cn=compat,dc=testrelm,dc=test"/"cn=users" made in "cn=system: add hbac rule,cn=permissions,cn=pbac,dc=testrelm,dc=test" ("delete:member,add:member,replace:modifiersname,replace:modifytimestamp,replace:entryusn" not in "uid,cn,uidNumber,gidNumber,loginShell,homeDirectory,ipauniqueid,ipaanchoruuid")
errors:[19/Feb/2019:14:36:47.138140596 -0600] - DEBUG - schema-compat-plugin - reference-based changes for "cn=compat,dc=testrelm,dc=test"/"cn=ng" made in ("cn=system: add hbac rule,cn=permissions,cn=pbac,dc=testrelm,dc=test") ("delete:member,add:member,replace:modifiersname,replace:modifytimestamp,replace:entryusn" in list "" or list empty)
errors:[19/Feb/2019:14:36:47.144006643 -0600] - DEBUG - schema-compat-plugin - interesting reference-based changes for "cn=compat,dc=testrelm,dc=test"/"cn=groups" made in "cn=system: add hbac rule,cn=permissions,cn=pbac,dc=testrelm,dc=test" ("delete:member,add:member,replace:modifiersname,replace:modifytimestamp,replace:entryusn" in "cn,gidNumber,memberUid,member,uid,ipauniqueid,ipaanchoruuid")
errors:[19/Feb/2019:14:36:47.150155421 -0600] - DEBUG - schema-compat-plugin - updating deref_r[0] references for "cn=system: add hbac rule,cn=permissions,cn=pbac,dc=testrelm,dc=test"
errors:[19/Feb/2019:14:36:47.156184511 -0600] - DEBUG - schema-compat-plugin - searching for references to "cn=system: add hbac rule,cn=permissions,cn=pbac,dc=testrelm,dc=test" (link=1, attributes="","member")
errors:[19/Feb/2019:14:36:47.162056662 -0600] - DEBUG - schema-compat-plugin - searching from "cn=groups,cn=accounts,dc=testrelm,dc=test" for "(member=cn=system: add hbac rule,cn=permissions,cn=pbac,dc=testrelm,dc=test)" with scope 1
errors:[19/Feb/2019:14:36:47.168323211 -0600] - DEBUG - schema-compat-plugin - searching from "cn=users,cn=accounts,dc=testrelm,dc=test" for "(member=cn=system: add hbac rule,cn=permissions,cn=pbac,dc=testrelm,dc=test)" with scope 1
errors:[19/Feb/2019:14:36:47.174693807 -0600] - DEBUG - schema-compat-plugin - no more references to chase (link=1, attributes="","member")
errors:[19/Feb/2019:14:36:47.180617163 -0600] - DEBUG - schema-compat-plugin - reference-based changes for "cn=compat,dc=testrelm,dc=test"/"cn=computers" made in ("cn=system: add hbac rule,cn=permissions,cn=pbac,dc=testrelm,dc=test") ("delete:member,add:member,replace:modifiersname,replace:modifytimestamp,replace:entryusn" in list "" or list empty)
errors:[19/Feb/2019:14:36:47.186746717 -0600] - DEBUG - schema-compat-plugin - reference-based changes for "ou=sudoers,dc=testrelm,dc=test"/"" made in ("cn=system: add hbac rule,cn=permissions,cn=pbac,dc=testrelm,dc=test") ("delete:member,add:member,replace:modifiersname,replace:modifytimestamp,replace:entryusn" in list "" or list empty)
errors:[19/Feb/2019:14:36:47.192667818 -0600] - DEBUG - schema-compat-plugin - no interesting reference-based changes for "cn=compat,dc=testrelm,dc=test"/"cn=users" made in "cn=system: add hbac rule,cn=permissions,cn=pbac,dc=testrelm,dc=test" ("delete:member,add:member,replace:modifiersname,replace:modifytimestamp,replace:entryusn" not in "uid,cn,uidNumber,gidNumber,loginShell,homeDirectory,ipauniqueid,ipaanchoruuid")
errors:[19/Feb/2019:14:36:47.198712348 -0600] - DEBUG - schema-compat-plugin - reference-based changes for "cn=compat,dc=testrelm,dc=test"/"cn=ng" made in ("cn=system: add hbac rule,cn=permissions,cn=pbac,dc=testrelm,dc=test") ("delete:member,add:member,replace:modifiersname,replace:modifytimestamp,replace:entryusn" in list "" or list empty)
errors:[19/Feb/2019:14:36:47.204486735 -0600] - DEBUG - schema-compat-plugin - interesting reference-based changes for "cn=compat,dc=testrelm,dc=test"/"cn=groups" made in "cn=system: add hbac rule,cn=permissions,cn=pbac,dc=testrelm,dc=test" ("delete:member,add:member,replace:modifiersname,replace:modifytimestamp,replace:entryusn" in "cn,gidNumber,memberUid,member,uid,ipauniqueid,ipaanchoruuid")
errors:[19/Feb/2019:14:36:47.210529937 -0600] - DEBUG - schema-compat-plugin - updating deref_r[0] references for "cn=system: add hbac rule,cn=permissions,cn=pbac,dc=testrelm,dc=test"
errors:[19/Feb/2019:14:36:47.216611765 -0600] - DEBUG - schema-compat-plugin - searching for references to "cn=system: add hbac rule,cn=permissions,cn=pbac,dc=testrelm,dc=test" (link=1, attributes="","member")
errors:[19/Feb/2019:14:36:47.222617380 -0600] - DEBUG - schema-compat-plugin - searching from "cn=groups,cn=accounts,dc=testrelm,dc=test" for "(member=cn=system: add hbac rule,cn=permissions,cn=pbac,dc=testrelm,dc=test)" with scope 1
errors:[19/Feb/2019:14:36:47.228913518 -0600] - DEBUG - schema-compat-plugin - searching from "cn=users,cn=accounts,dc=testrelm,dc=test" for "(member=cn=system: add hbac rule,cn=permissions,cn=pbac,dc=testrelm,dc=test)" with scope 1
errors:[19/Feb/2019:14:36:47.234961213 -0600] - DEBUG - schema-compat-plugin - no more references to chase (link=1, attributes="","member")
errors:[19/Feb/2019:14:36:47.240824972 -0600] - DEBUG - schema-compat-plugin - reference-based changes for "cn=compat,dc=testrelm,dc=test"/"cn=computers" made in ("cn=system: add hbac rule,cn=permissions,cn=pbac,dc=testrelm,dc=test") ("delete:member,add:member,replace:modifiersname,replace:modifytimestamp,replace:entryusn" in list "" or list empty)
errors:[19/Feb/2019:14:36:47.246612074 -0600] - DEBUG - schema-compat-plugin - reference-based changes for "ou=sudoers,dc=testrelm,dc=test"/"" made in ("cn=system: add hbac rule,cn=permissions,cn=pbac,dc=testrelm,dc=test") ("delete:member,add:member,replace:modifiersname,replace:modifytimestamp,replace:entryusn" in list "" or list empty)
errors:[19/Feb/2019:14:36:47.253299712 -0600] - DEBUG - memberof-plugin - memberof_modop_one_replace_r - ADD cn=system: add hbac rule,cn=permissions,cn=pbac,dc=testrelm,dc=test in cn=hbacadmins,cn=privileges,cn=pbac,dc=testrelm,dc=test
errors:[19/Feb/2019:14:36:47.259168262 -0600] - DEBUG - memberof-plugin - memberof_modop_one_replace_r - Descending into group cn=hbacadmins,cn=privileges,cn=pbac,dc=testrelm,dc=test
errors:[19/Feb/2019:14:36:47.265268806 -0600] - DEBUG - memberof-plugin - memberof_modop_one_replace_r - ADD cn=system: add hbac rule,cn=permissions,cn=pbac,dc=testrelm,dc=test in cn=it security specialist,cn=roles,cn=accounts,dc=testrelm,dc=test
errors:[19/Feb/2019:14:36:47.277695210 -0600] - DEBUG - memberof-plugin - memberof_fix_memberof_callback: free cached values for cn=it security specialist,cn=roles,cn=accounts,dc=testrelm,dc=test
errors:[19/Feb/2019:14:36:47.284693513 -0600] - DEBUG - ipa-topology-plugin - --> ipa_topo_pre_mod
errors:[19/Feb/2019:14:36:47.290826252 -0600] - DEBUG - ipa-topology-plugin - <-- ipa_topo_pre_mod
errors:[19/Feb/2019:14:36:47.297022597 -0600] - DEBUG - NS7bitAttr - preop_modify - MODIFY begin
errors:[19/Feb/2019:14:36:47.302922402 -0600] - DEBUG - dna-plugin - dna_be_txn_pre_op - Entry does not match filter
errors:[19/Feb/2019:14:36:47.310074386 -0600] - DEBUG - schema-compat-plugin - modified "cn=IT Security Specialist,cn=roles,cn=accounts,dc=testrelm,dc=test"
errors:[19/Feb/2019:14:36:47.316209897 -0600] - DEBUG - schema-compat-plugin - "cn=it security specialist,cn=roles,cn=accounts,dc=testrelm,dc=test" not in "cn=compat,dc=testrelm,dc=test"/"cn=users", before or after modify
errors:[19/Feb/2019:14:36:47.321907092 -0600] - DEBUG - schema-compat-plugin - "cn=it security specialist,cn=roles,cn=accounts,dc=testrelm,dc=test" not in "cn=compat,dc=testrelm,dc=test"/"cn=ng", before or after modify
errors:[19/Feb/2019:14:36:47.327314137 -0600] - DEBUG - schema-compat-plugin - "cn=it security specialist,cn=roles,cn=accounts,dc=testrelm,dc=test" not in "cn=compat,dc=testrelm,dc=test"/"cn=groups", before or after modify
errors:[19/Feb/2019:14:36:47.332851044 -0600] - DEBUG - schema-compat-plugin - "cn=it security specialist,cn=roles,cn=accounts,dc=testrelm,dc=test" not in "cn=compat,dc=testrelm,dc=test"/"cn=computers", before or after modify
errors:[19/Feb/2019:14:36:47.338558617 -0600] - DEBUG - schema-compat-plugin - "cn=it security specialist,cn=roles,cn=accounts,dc=testrelm,dc=test" not in "ou=sudoers,dc=testrelm,dc=test"/"", before or after modify
errors:[19/Feb/2019:14:36:47.344255559 -0600] - DEBUG - schema-compat-plugin - no interesting reference-based changes for "cn=compat,dc=testrelm,dc=test"/"cn=users" made in "cn=it security specialist,cn=roles,cn=accounts,dc=testrelm,dc=test" ("replace:memberOf,replace:modifytimestamp,replace:entryusn" not in "uid,cn,uidNumber,gidNumber,loginShell,homeDirectory,ipauniqueid,ipaanchoruuid")
errors:[19/Feb/2019:14:36:47.349880139 -0600] - DEBUG - schema-compat-plugin - reference-based changes for "cn=compat,dc=testrelm,dc=test"/"cn=ng" made in ("cn=it security specialist,cn=roles,cn=accounts,dc=testrelm,dc=test") ("replace:memberOf,replace:modifytimestamp,replace:entryusn" in list "" or list empty)
errors:[19/Feb/2019:14:36:47.355800304 -0600] - DEBUG - schema-compat-plugin - no interesting reference-based changes for "cn=compat,dc=testrelm,dc=test"/"cn=groups" made in "cn=it security specialist,cn=roles,cn=accounts,dc=testrelm,dc=test" ("replace:memberOf,replace:modifytimestamp,replace:entryusn" not in "cn,gidNumber,memberUid,member,uid,ipauniqueid,ipaanchoruuid")
errors:[19/Feb/2019:14:36:47.361753006 -0600] - DEBUG - schema-compat-plugin - reference-based changes for "cn=compat,dc=testrelm,dc=test"/"cn=computers" made in ("cn=it security specialist,cn=roles,cn=accounts,dc=testrelm,dc=test") ("replace:memberOf,replace:modifytimestamp,replace:entryusn" in list "" or list empty)
errors:[19/Feb/2019:14:36:47.367820603 -0600] - DEBUG - schema-compat-plugin - reference-based changes for "ou=sudoers,dc=testrelm,dc=test"/"" made in ("cn=it security specialist,cn=roles,cn=accounts,dc=testrelm,dc=test") ("replace:memberOf,replace:modifytimestamp,replace:entryusn" in list "" or list empty)
errors:[19/Feb/2019:14:36:47.373738695 -0600] - DEBUG - schema-compat-plugin - no interesting reference-based changes for "cn=compat,dc=testrelm,dc=test"/"cn=users" made in "cn=it security specialist,cn=roles,cn=accounts,dc=testrelm,dc=test" ("replace:memberOf,replace:modifytimestamp,replace:entryusn" not in "uid,cn,uidNumber,gidNumber,loginShell,homeDirectory,ipauniqueid,ipaanchoruuid")
errors:[19/Feb/2019:14:36:47.379734576 -0600] - DEBUG - schema-compat-plugin - reference-based changes for "cn=compat,dc=testrelm,dc=test"/"cn=ng" made in ("cn=it security specialist,cn=roles,cn=accounts,dc=testrelm,dc=test") ("replace:memberOf,replace:modifytimestamp,replace:entryusn" in list "" or list empty)
errors:[19/Feb/2019:14:36:47.385814881 -0600] - DEBUG - schema-compat-plugin - no interesting reference-based changes for "cn=compat,dc=testrelm,dc=test"/"cn=groups" made in "cn=it security specialist,cn=roles,cn=accounts,dc=testrelm,dc=test" ("replace:memberOf,replace:modifytimestamp,replace:entryusn" not in "cn,gidNumber,memberUid,member,uid,ipauniqueid,ipaanchoruuid")
errors:[19/Feb/2019:14:36:47.391121474 -0600] - DEBUG - schema-compat-plugin - reference-based changes for "cn=compat,dc=testrelm,dc=test"/"cn=computers" made in ("cn=it security specialist,cn=roles,cn=accounts,dc=testrelm,dc=test") ("replace:memberOf,replace:modifytimestamp,replace:entryusn" in list "" or list empty)
errors:[19/Feb/2019:14:36:47.396775802 -0600] - DEBUG - schema-compat-plugin - reference-based changes for "ou=sudoers,dc=testrelm,dc=test"/"" made in ("cn=it security specialist,cn=roles,cn=accounts,dc=testrelm,dc=test") ("replace:memberOf,replace:modifytimestamp,replace:entryusn" in list "" or list empty)
errors:[19/Feb/2019:14:36:47.402508308 -0600] - DEBUG - roles-plugin - --> roles_post_op
errors:[19/Feb/2019:14:36:47.407995833 -0600] - DEBUG - roles-plugin - --> roles_cache_change_notify
errors:[19/Feb/2019:14:36:47.414067760 -0600] - DEBUG - roles-plugin - <-- roles_cache_change_notify - Not a role entry
errors:[19/Feb/2019:14:36:47.419812857 -0600] - DEBUG - roles-plugin - <-- roles_post_op
errors:[19/Feb/2019:14:36:47.434115705 -0600] - DEBUG - memberof-plugin - add_ancestors_cbdata: Ancestors of cn=hbacadmins,cn=privileges,cn=pbac,dc=testrelm,dc=test contained 9 groups. 9 added.
errors:[19/Feb/2019:14:36:47.440803537 -0600] - DEBUG - ipa-topology-plugin - --> ipa_topo_pre_mod
errors:[19/Feb/2019:14:36:47.446602798 -0600] - DEBUG - ipa-topology-plugin - <-- ipa_topo_pre_mod
errors:[19/Feb/2019:14:36:47.453002965 -0600] - DEBUG - NS7bitAttr - preop_modify - MODIFY begin
errors:[19/Feb/2019:14:36:47.459039805 -0600] - DEBUG - dna-plugin - dna_be_txn_pre_op - Entry does not match filter
errors:[19/Feb/2019:14:36:47.465671988 -0600] - DEBUG - schema-compat-plugin - modified "cn=hbacadmins,cn=privileges,cn=pbac,dc=testrelm,dc=test"
errors:[19/Feb/2019:14:36:47.472072264 -0600] - DEBUG - schema-compat-plugin - "cn=hbacadmins,cn=privileges,cn=pbac,dc=testrelm,dc=test" not in "cn=compat,dc=testrelm,dc=test"/"cn=users", before or after modify
errors:[19/Feb/2019:14:36:47.477766291 -0600] - DEBUG - schema-compat-plugin - "cn=hbacadmins,cn=privileges,cn=pbac,dc=testrelm,dc=test" not in "cn=compat,dc=testrelm,dc=test"/"cn=ng", before or after modify
errors:[19/Feb/2019:14:36:47.483828158 -0600] - DEBUG - schema-compat-plugin - "cn=hbacadmins,cn=privileges,cn=pbac,dc=testrelm,dc=test" not in "cn=compat,dc=testrelm,dc=test"/"cn=groups", before or after modify
errors:[19/Feb/2019:14:36:47.489778929 -0600] - DEBUG - schema-compat-plugin - "cn=hbacadmins,cn=privileges,cn=pbac,dc=testrelm,dc=test" not in "cn=compat,dc=testrelm,dc=test"/"cn=computers", before or after modify
errors:[19/Feb/2019:14:36:47.495524421 -0600] - DEBUG - schema-compat-plugin - "cn=hbacadmins,cn=privileges,cn=pbac,dc=testrelm,dc=test" not in "ou=sudoers,dc=testrelm,dc=test"/"", before or after modify
errors:[19/Feb/2019:14:36:47.501204939 -0600] - DEBUG - schema-compat-plugin - no interesting reference-based changes for "cn=compat,dc=testrelm,dc=test"/"cn=users" made in "cn=hbacadmins,cn=privileges,cn=pbac,dc=testrelm,dc=test" ("replace:memberOf,replace:modifytimestamp,replace:entryusn" not in "uid,cn,uidNumber,gidNumber,loginShell,homeDirectory,ipauniqueid,ipaanchoruuid")
errors:[19/Feb/2019:14:36:47.506993671 -0600] - DEBUG - schema-compat-plugin - reference-based changes for "cn=compat,dc=testrelm,dc=test"/"cn=ng" made in ("cn=hbacadmins,cn=privileges,cn=pbac,dc=testrelm,dc=test") ("replace:memberOf,replace:modifytimestamp,replace:entryusn" in list "" or list empty)
errors:[19/Feb/2019:14:36:47.512915076 -0600] - DEBUG - schema-compat-plugin - no interesting reference-based changes for "cn=compat,dc=testrelm,dc=test"/"cn=groups" made in "cn=hbacadmins,cn=privileges,cn=pbac,dc=testrelm,dc=test" ("replace:memberOf,replace:modifytimestamp,replace:entryusn" not in "cn,gidNumber,memberUid,member,uid,ipauniqueid,ipaanchoruuid")
errors:[19/Feb/2019:14:36:47.518962175 -0600] - DEBUG - schema-compat-plugin - reference-based changes for "cn=compat,dc=testrelm,dc=test"/"cn=computers" made in ("cn=hbacadmins,cn=privileges,cn=pbac,dc=testrelm,dc=test") ("replace:memberOf,replace:modifytimestamp,replace:entryusn" in list "" or list empty)
errors:[19/Feb/2019:14:36:47.525032346 -0600] - DEBUG - schema-compat-plugin - reference-based changes for "ou=sudoers,dc=testrelm,dc=test"/"" made in ("cn=hbacadmins,cn=privileges,cn=pbac,dc=testrelm,dc=test") ("replace:memberOf,replace:modifytimestamp,replace:entryusn" in list "" or list empty)
errors:[19/Feb/2019:14:36:47.530987807 -0600] - DEBUG - schema-compat-plugin - no interesting reference-based changes for "cn=compat,dc=testrelm,dc=test"/"cn=users" made in "cn=hbacadmins,cn=privileges,cn=pbac,dc=testrelm,dc=test" ("replace:memberOf,replace:modifytimestamp,replace:entryusn" not in "uid,cn,uidNumber,gidNumber,loginShell,homeDirectory,ipauniqueid,ipaanchoruuid")
errors:[19/Feb/2019:14:36:47.537015419 -0600] - DEBUG - schema-compat-plugin - reference-based changes for "cn=compat,dc=testrelm,dc=test"/"cn=ng" made in ("cn=hbacadmins,cn=privileges,cn=pbac,dc=testrelm,dc=test") ("replace:memberOf,replace:modifytimestamp,replace:entryusn" in list "" or list empty)
errors:[19/Feb/2019:14:36:47.543779330 -0600] - DEBUG - schema-compat-plugin - no interesting reference-based changes for "cn=compat,dc=testrelm,dc=test"/"cn=groups" made in "cn=hbacadmins,cn=privileges,cn=pbac,dc=testrelm,dc=test" ("replace:memberOf,replace:modifytimestamp,replace:entryusn" not in "cn,gidNumber,memberUid,member,uid,ipauniqueid,ipaanchoruuid")
errors:[19/Feb/2019:14:36:47.551314250 -0600] - DEBUG - schema-compat-plugin - reference-based changes for "cn=compat,dc=testrelm,dc=test"/"cn=computers" made in ("cn=hbacadmins,cn=privileges,cn=pbac,dc=testrelm,dc=test") ("replace:memberOf,replace:modifytimestamp,replace:entryusn" in list "" or list empty)
errors:[19/Feb/2019:14:36:47.557105988 -0600] - DEBUG - schema-compat-plugin - reference-based changes for "ou=sudoers,dc=testrelm,dc=test"/"" made in ("cn=hbacadmins,cn=privileges,cn=pbac,dc=testrelm,dc=test") ("replace:memberOf,replace:modifytimestamp,replace:entryusn" in list "" or list empty)
errors:[19/Feb/2019:14:36:47.562974814 -0600] - DEBUG - roles-plugin - --> roles_post_op
errors:[19/Feb/2019:14:36:47.568982782 -0600] - DEBUG - roles-plugin - --> roles_cache_change_notify
errors:[19/Feb/2019:14:36:47.574993197 -0600] - DEBUG - roles-plugin - <-- roles_cache_change_notify - Not a role entry
errors:[19/Feb/2019:14:36:47.581190569 -0600] - DEBUG - roles-plugin - <-- roles_post_op
errors:[19/Feb/2019:14:36:47.594254071 -0600] - DEBUG - roles-plugin - --> roles_post_op
errors:[19/Feb/2019:14:36:47.599866842 -0600] - DEBUG - roles-plugin - --> roles_cache_change_notify
errors:[19/Feb/2019:14:36:47.605666542 -0600] - DEBUG - roles-plugin - <-- roles_cache_change_notify - Not a role entry
errors:[19/Feb/2019:14:36:47.611420292 -0600] - DEBUG - roles-plugin - <-- roles_post_op
errors:[19/Feb/2019:14:36:47.637204049 -0600] - DEBUG - schema-compat-plugin - renamed "cn=hbac administrator,cn=privileges,cn=pbac,dc=testrelm,dc=test" to "cn=hbacadmins,cn=privileges,cn=pbac,dc=testrelm,dc=test"
errors:[19/Feb/2019:14:36:47.643377139 -0600] - DEBUG - memberof-plugin - memberof_modop_one_replace_r - REPLACE cn=hbac administrator,cn=privileges,cn=pbac,dc=testrelm,dc=test in cn=it security specialist,cn=roles,cn=accounts,dc=testrelm,dc=test
errors:[19/Feb/2019:14:36:47.649891256 -0600] - DEBUG - ipa-topology-plugin - --> ipa_topo_pre_mod
errors:[19/Feb/2019:14:36:47.656026183 -0600] - DEBUG - ipa-topology-plugin - <-- ipa_topo_pre_mod
errors:[19/Feb/2019:14:36:47.662052522 -0600] - DEBUG - roles-plugin - --> roles_post_op
errors:[19/Feb/2019:14:36:47.667881698 -0600] - DEBUG - roles-plugin - --> roles_cache_change_notify
errors:[19/Feb/2019:14:36:47.673747944 -0600] - DEBUG - roles-plugin - <-- roles_post_op
errors:[19/Feb/2019:14:36:47.680402165 -0600] - DEBUG - ipa-topology-plugin - --> ipa_topo_pre_mod
errors:[19/Feb/2019:14:36:47.686332205 -0600] - DEBUG - ipa-topology-plugin - <-- ipa_topo_pre_mod
errors:[19/Feb/2019:14:36:47.692342492 -0600] - DEBUG - roles-plugin - --> roles_post_op
errors:[19/Feb/2019:14:36:47.697859998 -0600] - DEBUG - roles-plugin - --> roles_cache_change_notify
errors:[19/Feb/2019:14:36:47.703512229 -0600] - DEBUG - roles-plugin - <-- roles_post_op
errors:[19/Feb/2019:14:36:47.709242056 -0600] - ERR - memberof-plugin - memberof_postop_modrdn - Update failed for (cn=HBAC Administrator,cn=privileges,cn=pbac,dc=testrelm,dc=test), error (1)
errors:[19/Feb/2019:14:36:47.714938834 -0600] - DEBUG - roles-plugin - --> roles_post_op
errors:[19/Feb/2019:14:36:47.720268459 -0600] - DEBUG - roles-plugin - --> roles_cache_change_notify
errors:[19/Feb/2019:14:36:47.725826499 -0600] - DEBUG - roles-plugin - <-- roles_cache_change_notify - Not a role entry
errors:[19/Feb/2019:14:36:47.731746083 -0600] - DEBUG - roles-plugin - <-- roles_post_op
errors:[19/Feb/2019:14:36:47.738002644 -0600] - DEBUG - schema-compat-plugin - post-modrdn entry is NULL
errors:[19/Feb/2019:14:36:47.743587535 -0600] - DEBUG - roles-plugin - --> roles_post_op
errors:[19/Feb/2019:14:36:47.750806474 -0600] - DEBUG - roles-plugin - --> roles_cache_change_notify
errors:[19/Feb/2019:14:36:47.756985650 -0600] - DEBUG - roles-plugin - <-- roles_post_op
I can't (yet anyway) seem to reproduce this with users/groups. [root@master ~]# ipa user-mod testuser --rename=user1 ------------------------ Modified user "testuser" ------------------------ User login: user1 First name: test Last name: user Home directory: /home/testuser Login shell: /bin/sh Principal name: user1 Principal alias: user1, testuser Email address: testuser UID: 954800003 GID: 954800003 Account disabled: False Password: False Member of groups: ipausers Kerberos keys available: False [root@master ~]# ipa group-mod testgroup --setattr='cn=testgroup1' -------------------------- Modified group "testgroup" -------------------------- Group name: testgroup1 GID: 954800005 [root@master ~]# ipa group-show testgroup1 Group name: testgroup1 GID: 954800005 Created attachment 1536527 [details]
dirsrv logs for privilege mod with trace enabled
FYI,version: 389-ds-base-1.4.0.20-7.module+el8+2750+1f4079fb.x86_64 We need an exception for this bug, as it causes incorrect error codes to be returned, which incorrectly causes normal operations to fail. But worse it also corrupts the entry cache, and causes invalid entries to be returned to clients, and valid entries can become hidden to clients. https://pagure.io/389-ds-base/issue/50236 --> this is the cause of the error 1, which then triggered ticket 50238 https://pagure.io/389-ds-base/issue/50238 --> this is the cause of the error 32 following the modrdn failure Build tested: 389-ds-base-1.4.1.3-5.module+el8.1.0+3776+ece1ae4c.x86_64 I executed reproducer from the description: [root@ci-vm-10-0-138-8 ~]# ipa user-add --first=user --last=one userA ------------------ Added user "usera" ------------------ User login: usera First name: user Last name: one Full name: user one Display name: user one Initials: uo Home directory: /home/usera GECOS: user one Login shell: /bin/sh Principal name: usera Principal alias: usera Email address: usera UID: 1112400001 GID: 1112400001 Password: False Member of groups: ipausers Kerberos keys available: False [root@ci-vm-10-0-138-8 ~]# ipa group-add groupA -------------------- Added group "groupa" -------------------- Group name: groupa GID: 1112400003 [root@ci-vm-10-0-138-8 ~]# ipa group-add-member groupA --users=userA Group name: groupa GID: 1112400003 Member users: usera ------------------------- Number of members added 1 ------------------------- [root@ci-vm-10-0-138-8 ~]# ipa permission-add permA --right=write --targetgroup=groupA --attr=description ------------------------ Added permission "permA" ------------------------ Permission name: permA Granted rights: write Effective attributes: description Bind rule type: permission Subtree: dc=ipa,dc=test Target DN: cn=groupa,cn=groups,cn=accounts,dc=ipa,dc=test Target group: groupa Permission flags: SYSTEM, V2 [root@ci-vm-10-0-138-8 ~]# ipa privilege-add privA --desc=privA ----------------------- Added privilege "privA" ----------------------- Privilege name: privA Description: privA [root@ci-vm-10-0-138-8 ~]# ipa privilege-add-permission privA --permission=permA Privilege name: privA Description: privA Permissions: permA ----------------------------- Number of permissions added 1 ----------------------------- [root@ci-vm-10-0-138-8 ~]# ipa role-add roleA --desc=roleA ------------------ Added role "roleA" ------------------ Role name: roleA Description: roleA [root@ci-vm-10-0-138-8 ~]# ipa role-add-privilege roleA --privileges=privA Role name: roleA Description: roleA Privileges: privA ---------------------------- Number of privileges added 1 ---------------------------- [root@ci-vm-10-0-138-8 ~]# ipa role-add-member roleA --users=userA --all dn: cn=roleA,cn=roles,cn=accounts,dc=ipa,dc=test Role name: roleA Description: roleA Member users: usera Privileges: privA objectclass: groupofnames, nestedgroup, top ------------------------- Number of members added 1 ------------------------- [root@ci-vm-10-0-138-8 ~]# ipa permission-mod permA --attrs=description --attrs=member --------------------------- Modified permission "permA" --------------------------- Permission name: permA Granted rights: write Effective attributes: description, member Bind rule type: permission Subtree: dc=ipa,dc=test Target DN: cn=groupa,cn=groups,cn=accounts,dc=ipa,dc=test Target group: groupa Permission flags: SYSTEM, V2 Granted to Privilege: privA Indirect Member of roles: roleA [root@ci-vm-10-0-138-8 ~]# ipa --debug role-mod roleA --setattr='cn=roleAb' --all ipa: DEBUG: importing all plugin modules in ipaclient.remote_plugins.schema$8d45a670... ipa: DEBUG: importing plugin module ipaclient.remote_plugins.schema$8d45a670.plugins ipa: DEBUG: importing all plugin modules in ipaclient.plugins... ipa: DEBUG: importing plugin module ipaclient.plugins.automember ipa: DEBUG: importing plugin module ipaclient.plugins.automount ipa: DEBUG: importing plugin module ipaclient.plugins.ca ipa: DEBUG: importing plugin module ipaclient.plugins.cert ipa: DEBUG: importing plugin module ipaclient.plugins.certmap ipa: DEBUG: importing plugin module ipaclient.plugins.certprofile ipa: DEBUG: importing plugin module ipaclient.plugins.dns ipa: DEBUG: importing plugin module ipaclient.plugins.hbacrule ipa: DEBUG: importing plugin module ipaclient.plugins.hbactest ipa: DEBUG: importing plugin module ipaclient.plugins.host ipa: DEBUG: importing plugin module ipaclient.plugins.idrange ipa: DEBUG: importing plugin module ipaclient.plugins.internal ipa: DEBUG: importing plugin module ipaclient.plugins.location ipa: DEBUG: importing plugin module ipaclient.plugins.migration ipa: DEBUG: importing plugin module ipaclient.plugins.misc ipa: DEBUG: importing plugin module ipaclient.plugins.otptoken ipa: DEBUG: importing plugin module ipaclient.plugins.otptoken_yubikey ipa: DEBUG: importing plugin module ipaclient.plugins.passwd ipa: DEBUG: importing plugin module ipaclient.plugins.permission ipa: DEBUG: importing plugin module ipaclient.plugins.rpcclient ipa: DEBUG: importing plugin module ipaclient.plugins.server ipa: DEBUG: importing plugin module ipaclient.plugins.service ipa: DEBUG: importing plugin module ipaclient.plugins.sudorule ipa: DEBUG: importing plugin module ipaclient.plugins.topology ipa: DEBUG: importing plugin module ipaclient.plugins.trust ipa: DEBUG: importing plugin module ipaclient.plugins.user ipa: DEBUG: importing plugin module ipaclient.plugins.vault ipa: DEBUG: found session_cookie in persistent storage for principal 'admin', cookie: 'ipa_session=MagBearerToken=yx7ay9P3VvoUqkTLDGBNr24Xm0jqGaRd0J%2b419%2fYJ%2bzkmFzZ0VMLepGeF%2bLj8KD0EItGofEZ4sUg7oJRRxQ0mp26sexJaHOuFwHziIYen9WCDAnWJ5kugS07YhrItblkXU%2b%2bPqukxB%2fbUAtGR2Hj9E%2b1op%2fqQ1%2fLEo9D6%2bBYvHU%3d' ipa: DEBUG: setting session_cookie into context 'ipa_session=MagBearerToken=yx7ay9P3VvoUqkTLDGBNr24Xm0jqGaRd0J%2b419%2fYJ%2bzkmFzZ0VMLepGeF%2bLj8KD0EItGofEZ4sUg7oJRRxQ0mp26sexJaHOuFwHziIYen9WCDAnWJ5kugS07YhrItblkXU%2b%2bPqukxB%2fbUAtGR2Hj9E%2b1op%2fqQ1%2fLEo9D6%2bBYvHU%3d;' ipa: DEBUG: trying https://ci-vm-10-0-138-8.hosted.upshift.rdu2.redhat.com/ipa/session/json ipa: DEBUG: Created connection context.rpcclient_140655540021064 ipa: DEBUG: raw: role_mod('roleA', setattr='cn=roleAb', all=True, version='2.233') ipa: DEBUG: role_mod('roleA', setattr=('cn=roleAb',), all=True, version='2.233') ipa: DEBUG: [try 1]: Forwarding 'role_mod/1' to json server 'https://ci-vm-10-0-138-8.hosted.upshift.rdu2.redhat.com/ipa/session/json' ipa: DEBUG: New HTTP connection (ci-vm-10-0-138-8.hosted.upshift.rdu2.redhat.com) ipa: DEBUG: received Set-Cookie (<class 'list'>)'['ipa_session=MagBearerToken=yx7ay9P3VvoUqkTLDGBNr24Xm0jqGaRd0J%2b419%2fYJ%2bzkmFzZ0VMLepGeF%2bLj8KD0EItGofEZ4sUg7oJRRxQ0mp26sexJaHOuFwHziIYen9WCDAnWJ5kugS07YhrItblkXU%2b%2bPqukxB%2fbUAtGR2Hj9E%2b1op%2fqQ1%2fLEo9D6%2bBYvHU%3d;path=/ipa;httponly;secure;']' ipa: DEBUG: storing cookie 'ipa_session=MagBearerToken=yx7ay9P3VvoUqkTLDGBNr24Xm0jqGaRd0J%2b419%2fYJ%2bzkmFzZ0VMLepGeF%2bLj8KD0EItGofEZ4sUg7oJRRxQ0mp26sexJaHOuFwHziIYen9WCDAnWJ5kugS07YhrItblkXU%2b%2bPqukxB%2fbUAtGR2Hj9E%2b1op%2fqQ1%2fLEo9D6%2bBYvHU%3d;' for principal admin ipa: DEBUG: Destroyed connection context.rpcclient_140655540021064 --------------------- Modified role "roleA" --------------------- dn: cn=roleAb,cn=roles,cn=accounts,dc=ipa,dc=test Role name: roleAb Description: roleA Member users: usera Privileges: privA objectclass: groupofnames, nestedgroup, top [root@ci-vm-10-0-138-8 ~]# ipa --debug privilege-mod 'HBAC Administrator' --rename 'hbacadmins' ipa: DEBUG: importing all plugin modules in ipaclient.remote_plugins.schema$8d45a670... ipa: DEBUG: importing plugin module ipaclient.remote_plugins.schema$8d45a670.plugins ipa: DEBUG: importing all plugin modules in ipaclient.plugins... ipa: DEBUG: importing plugin module ipaclient.plugins.automember ipa: DEBUG: importing plugin module ipaclient.plugins.automount ipa: DEBUG: importing plugin module ipaclient.plugins.ca ipa: DEBUG: importing plugin module ipaclient.plugins.cert ipa: DEBUG: importing plugin module ipaclient.plugins.certmap ipa: DEBUG: importing plugin module ipaclient.plugins.certprofile ipa: DEBUG: importing plugin module ipaclient.plugins.dns ipa: DEBUG: importing plugin module ipaclient.plugins.hbacrule ipa: DEBUG: importing plugin module ipaclient.plugins.hbactest ipa: DEBUG: importing plugin module ipaclient.plugins.host ipa: DEBUG: importing plugin module ipaclient.plugins.idrange ipa: DEBUG: importing plugin module ipaclient.plugins.internal ipa: DEBUG: importing plugin module ipaclient.plugins.location ipa: DEBUG: importing plugin module ipaclient.plugins.migration ipa: DEBUG: importing plugin module ipaclient.plugins.misc ipa: DEBUG: importing plugin module ipaclient.plugins.otptoken ipa: DEBUG: importing plugin module ipaclient.plugins.otptoken_yubikey ipa: DEBUG: importing plugin module ipaclient.plugins.passwd ipa: DEBUG: importing plugin module ipaclient.plugins.permission ipa: DEBUG: importing plugin module ipaclient.plugins.rpcclient ipa: DEBUG: importing plugin module ipaclient.plugins.server ipa: DEBUG: importing plugin module ipaclient.plugins.service ipa: DEBUG: importing plugin module ipaclient.plugins.sudorule ipa: DEBUG: importing plugin module ipaclient.plugins.topology ipa: DEBUG: importing plugin module ipaclient.plugins.trust ipa: DEBUG: importing plugin module ipaclient.plugins.user ipa: DEBUG: importing plugin module ipaclient.plugins.vault ipa: DEBUG: found session_cookie in persistent storage for principal 'admin', cookie: 'ipa_session=MagBearerToken=yx7ay9P3VvoUqkTLDGBNr24Xm0jqGaRd0J%2b419%2fYJ%2bzkmFzZ0VMLepGeF%2bLj8KD0EItGofEZ4sUg7oJRRxQ0mp26sexJaHOuFwHziIYen9WCDAnWJ5kugS07YhrItblkXU%2b%2bPqukxB%2fbUAtGR2Hj9E%2b1op%2fqQ1%2fLEo9D6%2bBYvHU%3d' ipa: DEBUG: setting session_cookie into context 'ipa_session=MagBearerToken=yx7ay9P3VvoUqkTLDGBNr24Xm0jqGaRd0J%2b419%2fYJ%2bzkmFzZ0VMLepGeF%2bLj8KD0EItGofEZ4sUg7oJRRxQ0mp26sexJaHOuFwHziIYen9WCDAnWJ5kugS07YhrItblkXU%2b%2bPqukxB%2fbUAtGR2Hj9E%2b1op%2fqQ1%2fLEo9D6%2bBYvHU%3d;' ipa: DEBUG: trying https://ci-vm-10-0-138-8.hosted.upshift.rdu2.redhat.com/ipa/session/json ipa: DEBUG: Created connection context.rpcclient_140610891309520 ipa: DEBUG: raw: privilege_mod('HBAC Administrator', rename='hbacadmins', version='2.233') ipa: DEBUG: privilege_mod('HBAC Administrator', rename='hbacadmins', version='2.233') ipa: DEBUG: [try 1]: Forwarding 'privilege_mod/1' to json server 'https://ci-vm-10-0-138-8.hosted.upshift.rdu2.redhat.com/ipa/session/json' ipa: DEBUG: New HTTP connection (ci-vm-10-0-138-8.hosted.upshift.rdu2.redhat.com) ipa: DEBUG: received Set-Cookie (<class 'list'>)'['ipa_session=MagBearerToken=yx7ay9P3VvoUqkTLDGBNr24Xm0jqGaRd0J%2b419%2fYJ%2bzkmFzZ0VMLepGeF%2bLj8KD0EItGofEZ4sUg7oJRRxQ0mp26sexJaHOuFwHziIYen9WCDAnWJ5kugS07YhrItblkXU%2b%2bPqukxB%2fbUAtGR2Hj9E%2b1op%2fqQ1%2fLEo9D6%2bBYvHU%3d;path=/ipa;httponly;secure;']' ipa: DEBUG: storing cookie 'ipa_session=MagBearerToken=yx7ay9P3VvoUqkTLDGBNr24Xm0jqGaRd0J%2b419%2fYJ%2bzkmFzZ0VMLepGeF%2bLj8KD0EItGofEZ4sUg7oJRRxQ0mp26sexJaHOuFwHziIYen9WCDAnWJ5kugS07YhrItblkXU%2b%2bPqukxB%2fbUAtGR2Hj9E%2b1op%2fqQ1%2fLEo9D6%2bBYvHU%3d;' for principal admin ipa: DEBUG: Destroyed connection context.rpcclient_140610891309520 --------------------------------------- Modified privilege "HBAC Administrator" --------------------------------------- Privilege name: hbacadmins Description: HBAC Administrator Permissions: System: Add HBAC Rule, System: Delete HBAC Rule, System: Manage HBAC Rule Membership, System: Modify HBAC Rule, System: Add HBAC Services, System: Delete HBAC Services, System: Add HBAC Service Groups, System: Delete HBAC Service Groups, System: Manage HBAC Service Group Membership Granting privilege to roles: IT Security Specialist ipa role-mod doesn't fail, marking as VERIFIED. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2019:3401 |