Bug 719656
| Summary: | Disabling ipa-nis-manage removes netgroup compat suffix in DS. | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Gowrishankar Rajaiyan <grajaiya> |
| Component: | ipa | Assignee: | Rob Crittenden <rcritten> |
| Status: | CLOSED ERRATA | QA Contact: | Chandrasekar Kannan <ckannan> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | high | ||
| Version: | 6.2 | CC: | benl, dpal, jgalipea, mkosek, sgallagh |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | ipa-2.1.0-1.el6 | Doc Type: | Bug Fix |
| Doc Text: |
Cause: Running ipa-nis-manage disable disables the NIS listener and also removes the netgroup compatibility suffix.
Consequence: If NIS is disabled then adding a host group will fail to automatically create a netgroup.
Fix: When NIS was disabled the tool was also disabling the automatic creation of netgroups when host groups were created. This code was removed.
Result: Disabling NIS has no effect on automatically creating netgroups when host groups are created.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2011-12-06 18:41:04 UTC | Type: | --- |
Description
Gowrishankar Rajaiyan
2011-07-07 15:25:13 UTC
Note that no data is removed, we simply drop netgroup support from compat when nis is not enabled. cn=compat is just a different view of the data.

I don't think this is a bug. netgroup support in compat is only useful when you have the nis server enabled AFAIK.

That's incorrect. SSSD can only make use of netgroups stored in the standard schema right now, so we rely on the compat tree to use netgroups with FreeIPA. We have upstream ticket https://fedorahosted.org/sssd/ticket/793 open to address this.

(In reply to comment #1)
> Note that no data is removed, we simply drop netgroup support from compat when
> nis is not enabled. cn=compat is just a different view of the data.

"ipa-nis-manage enable" after step6 and then adding hostgroups does not create its corresponding private netgroups.

(In reply to comment #1)
> Note that no data is removed, we simply drop netgroup support from compat when
> nis is not enabled. cn=compat is just a different view of the data.
>
> I don't think this is a bug. netgroup support in compat is only useful when you
> have the nis server enabled AFAIK.

This is unfortunately incorrect any more. Current implementation of SSSD relied on the compat tree for the netgroups. Please create a ticket. I am giving ack.

Fixed upstream:
master: https://fedorahosted.org/freeipa/changeset/c1f5dadc4e9c5ed0c9c1a132c4fe5c66b0244882
ipa-2-0: https://fedorahosted.org/freeipa/changeset/fe3fd0e2f4ef28fe53abbd8195ad23b09c2e9420
[root@jetfire ~]# /usr/bin/ldapsearch -LLL -x -h localhost -D "cn=Directory Manager" -w Secret123 -b cn=ng,cn=compat,dc=testrelm
dn: cn=ng,cn=compat, dc=testrelm
objectClass: extensibleObject
cn: ng
[root@jetfire ~]# ipa hostgroup-add hostgrp1 --desc="host group1"
--------------------------
Added hostgroup "hostgrp1"
--------------------------
Host-group: hostgrp1
Description: host group1
[root@jetfire ~]#
[root@jetfire ~]# /usr/bin/ldapsearch -LLL -x -h localhost -D "cn=Directory Manager" -w Secret123 -b cn=ng,cn=compat,dc=testrelm
dn: cn=ng,cn=compat, dc=testrelm
objectClass: extensibleObject
cn: ng
dn: cn=hostgrp1,cn=ng,cn=compat,dc=testrelm
objectClass: nisNetgroup
objectClass: top
cn: hostgrp1
[root@jetfire ~]#
[root@jetfire ~]# ipa-nis-manage enable
Directory Manager password:
Enabling plugin
Restarting IPA to initialize updates before performing deletes:
[1/2]: stopping directory server
[2/2]: starting directory server
done configuring dirsrv.
This setting will not take effect until you restart Directory Server.
The rpcbind service may need to be started.
[root@jetfire ~]#
[root@jetfire ~]#
[root@jetfire ~]# ipactl restart
Restarting Directory Service
Shutting down dirsrv:
PKI-IPA... [ OK ]
TESTRELM... [ OK ]
Starting dirsrv:
PKI-IPA... [ OK ]
TESTRELM... [ OK ]
Restarting KDC Service
Stopping Kerberos 5 KDC: [ OK ]
Starting Kerberos 5 KDC: [ OK ]
Restarting KPASSWD Service
Shutting down ipa_kpasswd: [ OK ]
Starting ipa_kpasswd: [ OK ]
Restarting DNS Service
Stopping named: . [ OK ]
Starting named: [ OK ]
Restarting HTTP Service
Stopping httpd: [ OK ]
Starting httpd: [Wed Nov 02 01:43:44 2011] [warn] worker ajp://localhost:9447/ already used by another worker
[Wed Nov 02 01:43:44 2011] [warn] worker ajp://localhost:9447/ already used by another worker
[ OK ]
Restarting CA Service
Stopping pki-ca: [ OK ]
Starting pki-ca: [ OK ]
[root@jetfire ~]#
[root@jetfire ~]#
[root@jetfire ~]# ipa-nis-manage disable
Directory Manager password:
This setting will not take effect until you restart Directory Server.
[root@jetfire ~]#
[root@jetfire ~]# ipactl restart
Restarting Directory Service
Shutting down dirsrv:
PKI-IPA... [ OK ]
TESTRELM... [ OK ]
Starting dirsrv:
PKI-IPA... [ OK ]
TESTRELM... [ OK ]
Restarting KDC Service
Stopping Kerberos 5 KDC: [ OK ]
Starting Kerberos 5 KDC: [ OK ]
Restarting KPASSWD Service
Shutting down ipa_kpasswd: [ OK ]
Starting ipa_kpasswd: [ OK ]
Restarting DNS Service
Stopping named: . [ OK ]
Starting named: [ OK ]
Restarting HTTP Service
Stopping httpd: [ OK ]
Starting httpd: [Wed Nov 02 01:45:08 2011] [warn] worker ajp://localhost:9447/ already used by another worker
[Wed Nov 02 01:45:08 2011] [warn] worker ajp://localhost:9447/ already used by another worker
[ OK ]
Restarting CA Service
Stopping pki-ca: [ OK ]
Starting pki-ca: [ OK ]
[root@jetfire ~]# /usr/bin/ldapsearch -LLL -x -h localhost -D "cn=Directory Manager" -w Secret123 -b cn=ng,cn=compat,dc=testrelm
dn: cn=ng,cn=compat, dc=testrelm
objectClass: extensibleObject
cn: ng
dn: cn=hostgrp1,cn=ng,cn=compat,dc=testrelm
objectClass: nisNetgroup
objectClass: top
cn: hostgrp1
[root@jetfire ~]# ipa hostgroup-add hostgrp2 --desc="host group2"
--------------------------
Added hostgroup "hostgrp2"
--------------------------
Host-group: hostgrp2
Description: host group2
[root@jetfire ~]#
[root@jetfire ~]# /usr/bin/ldapsearch -LLL -x -h localhost -D "cn=Directory Manager" -w Secret123 -b cn=ng,cn=compat,dc=testrelm
dn: cn=ng,cn=compat, dc=testrelm
objectClass: extensibleObject
cn: ng
dn: cn=hostgrp2,cn=ng,cn=compat,dc=testrelm
objectClass: nisNetgroup
objectClass: top
cn: hostgrp2
dn: cn=hostgrp1,cn=ng,cn=compat,dc=testrelm
objectClass: nisNetgroup
objectClass: top
cn: hostgrp1
[root@jetfire ~]#
Verified. Version: ipa-server-2.1.3-7.el6.x86_64
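The check done by eye in the verification transcript above, written as a repeatable test; this is an added example, not part of the original bug report or of FreeIPA. It assumes `ldapsearch -LLL` output on stdin, and the helper name `missing_compat_netgroups` and the sample LDIF are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the bug report. Reads `ldapsearch -LLL` output on
# stdin and prints each named host group that has no nisNetgroup entry under
# cn=ng,cn=compat,<base DN>; exit status is 1 if any are missing.
# missing_compat_netgroups is a hypothetical helper name. Typical use:
#   ldapsearch -LLL -x -h localhost -D "cn=Directory Manager" -W \
#     -b cn=ng,cn=compat,dc=testrelm | missing_compat_netgroups dc=testrelm hostgrp1
missing_compat_netgroups() {
    base=$1; shift
    awk -v base="$base" -v want="$*" '
        # Lower-case a DN and drop whitespace after commas, so that
        # "cn=ng,cn=compat, dc=testrelm" matches the compact spelling.
        function norm(s) { s = tolower(s); gsub(/,[ \t]+/, ",", s); return s }
        # Close the current entry; keep its DN only if it is a nisNetgroup.
        function flush() { if (dn != "" && isng) have[dn] = 1; dn = ""; isng = 0 }
        function handle(l,    low) {
            low = tolower(l)
            if (l == "") flush()
            else if (low ~ /^dn:/) { flush(); sub(/^[^:]*:[ \t]*/, "", l); dn = norm(l) }
            else if (low ~ /^objectclass:[ \t]*nisnetgroup[ \t]*$/) isng = 1
        }
        BEGIN { suffix = "," norm("cn=ng,cn=compat," base) }
        /^ / { buf = buf substr($0, 2); next }    # folded LDIF line: append
        { if (NR > 1) handle(buf); buf = $0 }     # previous logical line is complete
        END {
            if (NR > 0) handle(buf)
            flush()
            n = split(want, names, " ")
            for (i = 1; i <= n; i++) {
                key = "cn=" tolower(names[i]) suffix
                if (!(key in have)) { print names[i]; bad = 1 }
            }
            exit bad + 0
        }'
}

# Constructed sample (not captured output): a compat tree in which hostgrp2
# has no netgroup entry. The container DN keeps the space seen in the transcript.
SAMPLE_PARTIAL='dn: cn=ng,cn=compat, dc=testrelm
objectClass: extensibleObject
cn: ng

dn: cn=hostgrp1,cn=ng,cn=compat,dc=testrelm
objectClass: nisNetgroup
objectClass: top
cn: hostgrp1'
# Prints: hostgrp2
printf '%s\n' "$SAMPLE_PARTIAL" | missing_compat_netgroups dc=testrelm hostgrp1 hostgrp2 || true
```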
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHSA-2011-1533.html