Bug 740830

Summary:	Intermittently see "search criteria was not specific enough." while adding a hbacrule
Product:	Red Hat Enterprise Linux 6	Reporter:	Gowrishankar Rajaiyan <grajaiya>
Component:	ipa	Assignee:	Martin Kosek <mkosek>
Status:	CLOSED ERRATA	QA Contact:	IDM QE LIST <seceng-idm-qe-list>
Severity:	unspecified	Docs Contact:
Priority:	medium
Version:	6.2	CC:	dpal, jgalipea, mkosek
Target Milestone:	rc
Target Release:	---
Hardware:	x86_64
OS:	Linux
Whiteboard:
Fixed In Version:	ipa-2.1.2-1.el6	Doc Type:	Bug Fix
Doc Text:	Do not document	Story Points:	---
Clone Of:		Environment:
Last Closed:	2011-12-06 18:32:15 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Gowrishankar Rajaiyan 2011-09-23 13:44:12 UTC

Description of problem:
Occasionally we hit this issue while creating a hbacrule. Error message displaying "search criteria was not specific" while add a hbacrule. Not sure what triggered this, logging as a bug to have covered.

Version-Release number of selected component (if applicable):
ipa-server-2.1.1-4.el6.x86_64

How reproducible:
intermittently

Steps to Reproduce:
1. root@kungfupanda ~]# ipa hbacrule-add kaleem
ipa: ERROR: The search criteria was not specific enough. Expected 1 and found 2.

2.Again, executing the same command shows:
[root@kungfupanda ~]# ipa hbacrule-add kaleem
ipa: ERROR: HBAC rule with name "kaleem" already exists
  
Actual results:
ipa: ERROR: The search criteria was not specific enough. Expected 1 and found 2.

Expected results:
rule should be added successfully if it doesn't exist. 

Additional info:

[root@kungfupanda ~]# ipa -d hbacrule-add kaleem
ipa: DEBUG: importing all plugin modules in '/usr/lib/python2.6/site-packages/ipalib/plugins'...
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/aci.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/automember.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/automount.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/batch.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/cert.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/config.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/delegation.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/dns.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/group.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvc.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvcgroup.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbactest.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/host.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hostgroup.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/internal.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/kerberos.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/krbtpolicy.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/migration.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/misc.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/netgroup.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/passwd.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/permission.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/ping.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/privilege.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/pwpolicy.py'
ipa: DEBUG: args=klist -V
ipa: DEBUG: stdout=Kerberos 5 version 1.9

ipa: DEBUG: stderr=
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/role.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/selfservice.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/service.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmd.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmdgroup.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/user.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/virtual.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/xmlclient.py'
ipa: INFO: trying https://kungfupanda.lab.eng.pnq.redhat.com/ipa/xml
ipa: DEBUG: Created connection context.xmlclient
ipa: DEBUG: raw: hbacrule_add(u'kaleem', accessruletype=u'allow', all=False, raw=False, version=u'2.11')
ipa: DEBUG: hbacrule_add(u'kaleem', accessruletype=u'allow', all=False, raw=False, version=u'2.11')
ipa: INFO: Forwarding 'hbacrule_add' to server u'https://kungfupanda.lab.eng.pnq.redhat.com/ipa/xml'
ipa: DEBUG: NSSConnection init kungfupanda.lab.eng.pnq.redhat.com
ipa: DEBUG: connect_socket_family: host=kungfupanda.lab.eng.pnq.redhat.com port=443 family=PR_AF_INET
ipa: DEBUG: connecting: 10.65.201.78:443
ipa: DEBUG: auth_certificate_callback: check_sig=True is_server=False
    Data:
        Version: 3 (0x2)
        Serial Number: 10 (0xa)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: CN=Certificate Authority,O=LAB.ENG.PNQ.REDHAT.COM
        Validity:
            Not Before: Thu Sep 22 05:17:03 2011 UTC
            Not After : Sun Sep 22 05:17:03 2013 UTC
        Subject: CN=kungfupanda.lab.eng.pnq.redhat.com,O=LAB.ENG.PNQ.REDHAT.COM
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
                RSA Public Key:
                    Modulus:
                        ba:89:8c:98:00:39:23:e9:1a:d7:bd:c7:b7:68:20:de:
                        bf:5f:ba:a0:e4:72:4a:88:dc:4e:d3:56:a7:bb:d0:51:
                        7c:ef:40:59:82:b5:af:d5:98:56:47:23:a5:ed:1f:70:
                        8e:f8:83:d9:a4:f3:12:9f:24:93:e3:b2:a2:46:0e:06:
                        00:e5:bb:f3:d8:e9:af:db:78:1b:3d:aa:e5:c0:c0:97:
                        ac:2c:0a:07:ee:36:50:86:3f:7c:47:8f:ab:83:70:b8:
                        ec:ad:a0:e6:6e:fe:ca:8a:03:ed:bf:c9:ad:2a:93:11:
                        87:d1:54:02:cb:ec:56:87:33:6f:ac:85:ec:ac:83:70:
                        86:3a:73:37:f2:13:3a:27:a6:84:0f:9a:a2:ad:5d:ca:
                        34:fb:ff:ea:dd:79:ab:23:2e:19:d7:26:43:3f:bb:dd:
                        17:a1:6a:2e:6d:ec:76:db:62:3a:24:22:78:70:c6:68:
                        44:a2:eb:78:0a:66:38:65:1b:18:bb:f3:d8:22:43:f6:
                        01:62:c4:4d:aa:ec:36:b3:43:fa:be:7d:c1:99:e9:29:
                        d3:d6:ee:61:c2:1a:27:86:cb:66:24:24:04:59:8e:75:
                        54:cf:d6:d0:c5:c9:4d:c6:9f:9b:df:4b:0c:c4:5e:66:
                        3b:5e:7e:9e:b0:a4:3c:eb:67:04:fc:2c:32:c6:97:01
                    Exponent: 65537 (0x10001)
    Signed Extensions: (4)
        Name: Certificate Authority Key Identifier
        Critical: False
        Key ID:
            1e:52:7b:d3:e5:e7:94:03:df:68:6c:90:3e:10:cc:a1:
            86:07:9c:3e
        Serial Number: None
        General Names: [0 total]

        Name: Authority Information Access
        Critical: False

        Name: Certificate Key Usage
        Critical: True
        Usages:
            Digital Signature
            Non-Repudiation
            Key Encipherment
            Data Encipherment

        Name: Extended Key Usage
        Critical: False
        Usages:
            TLS Web Server Authentication Certificate
            TLS Web Client Authentication Certificate

    Fingerprint (MD5):
        65:e6:70:dd:74:6a:80:34:7a:7d:2f:20:78:64:f7:e8
    Fingerprint (SHA1):
        13:ee:5b:e7:8c:7a:45:8e:d7:0e:ed:5f:26:89:80:41:
        66:a8:9d:ab
    Signature:
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Signature Data:
            1c:52:82:c0:d0:d2:62:42:46:80:96:8d:4c:5e:aa:18:
            25:9a:65:51:1a:44:16:fe:6f:49:d2:41:59:9b:43:8d:
            36:01:60:3e:27:21:a4:d6:65:f4:46:dd:89:fa:ca:e6:
            d5:8b:7c:77:21:6f:11:3f:f9:ba:07:c8:fe:dd:cd:e0:
            44:09:c7:66:51:b0:30:e8:62:c6:95:63:dc:3f:99:03:
            a4:8c:9e:3b:f3:a9:3f:f3:6c:a2:ff:43:dd:41:fa:5e:
            8e:4e:a4:f5:0a:e4:9e:00:62:d0:5c:f7:33:60:8f:68:
            48:5a:63:01:40:5d:b1:bb:2e:15:b0:f0:f2:a2:28:88:
            3b:18:f9:ad:ad:b7:23:c8:69:4c:9e:ec:59:a9:e6:41:
            7b:bd:20:97:1b:3b:14:91:fe:53:79:b2:dc:0f:6e:70:
            aa:64:49:e2:2f:f4:03:67:33:ec:48:4a:b8:98:cf:01:
            28:10:6e:bb:27:7a:b9:4e:11:90:6c:91:77:82:f9:28:
            68:fe:d6:6e:f7:bd:43:02:aa:60:39:35:6e:c4:16:55:
            9f:e8:83:15:1e:27:93:5c:c2:fd:10:fd:5b:55:aa:89:
            f6:e1:ab:9e:8b:ef:72:4d:93:ee:73:15:17:e3:4d:28:
            2c:55:6b:9f:0f:5f:39:07:75:81:61:6c:dd:57:01:1e
ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer
ipa: DEBUG: cert valid True for "CN=kungfupanda.lab.eng.pnq.redhat.com,O=LAB.ENG.PNQ.REDHAT.COM"
ipa: DEBUG: handshake complete, peer = 10.65.201.78:443
ipa: DEBUG: Caught fault 4027 from server https://kungfupanda.lab.eng.pnq.redhat.com/ipa/xml: The search criteria was not specific enough. Expected 1 and found 2.
ipa: DEBUG: Destroyed connection context.xmlclient
ipa: ERROR: The search criteria was not specific enough. Expected 1 and found 2.

Comment 2 Rob Crittenden 2011-09-23 17:47:00 UTC

Upstream ticket:
https://fedorahosted.org/freeipa/ticket/1864

Comment 3 Rob Crittenden 2011-09-23 20:56:44 UTC

Do you have users/hosts/groups or anything else named kaleem in your database?

Comment 4 Rob Crittenden 2011-09-23 21:10:59 UTC

or more specifically, you somehow seem to have two entries with the same krbprincipalname. Can you do a search for the principal of the user you were when you ran these (whose ticket you held)?

Comment 5 Gowrishankar Rajaiyan 2011-09-26 06:10:36 UTC

(In reply to comment #3)
> Do you have users/hosts/groups or anything else named kaleem in your database?

[root@kungfupanda ~]# ipa user-show kaleem
  User login: kaleem
  First name: Kaleemullah
  Last name: Siddiqui
  Home directory: /home/kaleem
  Login shell: /bin/sh
  UID: 19200016
  GID: 19200016
  Account disabled: False
  Keytab: True
  Password: True
  Member of groups: ipausers
[root@kungfupanda ~]# ipa group-show kaleem
  Group name: kaleem
  Description: User private group for kaleem
  GID: 19200016

Comment 6 Gowrishankar Rajaiyan 2011-09-26 07:02:40 UTC

(In reply to comment #4)
> or more specifically, you somehow seem to have two entries with the same
> krbprincipalname. Can you do a search for the principal of the user you were
> when you ran these (whose ticket you held)?

[root@kungfupanda ~]# klist 
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin.PNQ.REDHAT.COM

Valid starting     Expires            Service principal
09/26/11 05:47:58  09/27/11 05:47:56  krbtgt/LAB.ENG.PNQ.REDHAT.COM.PNQ.REDHAT.COM
09/26/11 05:48:00  09/27/11 05:47:56  HTTP/kungfupanda.lab.eng.pnq.redhat.com.PNQ.REDHAT.COM


[root@kungfupanda ~]# ipa hbacrule-add kaleem
ipa: ERROR: The search criteria was not specific enough. Expected 1 and found 2.


[root@kungfupanda ~]# ipa hbacrule-add kaleem
ipa: ERROR: HBAC rule with name "kaleem" already exists


[root@kungfupanda ~]# ipa hbacrule-show kaleem
  Rule name: kaleem
  Enabled: TRUE


[root@kungfupanda ~]# kadmin.local 
Authenticating as principal admin/admin.PNQ.REDHAT.COM with password.
kadmin.local:  listprincs 
admin.PNQ.REDHAT.COM
dogtagldap/kungfupanda.lab.eng.pnq.redhat.com.PNQ.REDHAT.COM
K/M.PNQ.REDHAT.COM
krbtgt/LAB.ENG.PNQ.REDHAT.COM.PNQ.REDHAT.COM
kadmin/admin.PNQ.REDHAT.COM
kadmin/changepw.PNQ.REDHAT.COM
kadmin/history.PNQ.REDHAT.COM
kadmin/kungfupanda.lab.eng.pnq.redhat.com.PNQ.REDHAT.COM
ldap/kungfupanda.lab.eng.pnq.redhat.com.PNQ.REDHAT.COM
host/kungfupanda.lab.eng.pnq.redhat.com.PNQ.REDHAT.COM
HTTP/kungfupanda.lab.eng.pnq.redhat.com.PNQ.REDHAT.COM
host/cavenger.lab.eng.pnq.redhat.com.PNQ.REDHAT.COM
host/decepticons.lab.eng.pnq.redhat.com.PNQ.REDHAT.COM
host/longhaul.lab.eng.pnq.redhat.com.PNQ.REDHAT.COM
host/ravage.lab.eng.pnq.redhat.com.PNQ.REDHAT.COM
host/scroponok.lab.eng.pnq.redhat.com.PNQ.REDHAT.COM
test1.PNQ.REDHAT.COM
nirtest1.PNQ.REDHAT.COM
nirtest2.PNQ.REDHAT.COM
nc.PNQ.REDHAT.COM
host/jetfire.lab.eng.pnq.redhat.com.PNQ.REDHAT.COM
ipauser1.PNQ.REDHAT.COM
jfireuser1.PNQ.REDHAT.COM
ipauser2.PNQ.REDHAT.COM
peter.PNQ.REDHAT.COM
paul.PNQ.REDHAT.COM
kaushik.PNQ.REDHAT.COM
mary.PNQ.REDHAT.COM
kaleem.PNQ.REDHAT.COM
sghai.PNQ.REDHAT.COM
jon.PNQ.REDHAT.COM
sam.PNQ.REDHAT.COM
kash.PNQ.REDHAT.COM
ramesh.PNQ.REDHAT.COM
shanks.PNQ.REDHAT.COM
kadmin.local:

Comment 7 Rob Crittenden 2011-09-27 02:32:32 UTC

Ok, still doesn't quite show what is going on. Can you provide a snippet of the 389-ds access log that shows the queries that were done while creating the rule? I need to see what query is returning two entries when we expect only one.

Comment 8 Gowrishankar Rajaiyan 2011-09-27 05:43:20 UTC

/var/log/dirsrv/slapd-LAB-ENG-PNQ-REDHAT-COM/access:

[27/Sep/2011:05:31:40 +051800] conn=7 op=884 SRCH base="dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=krbtgt/LAB.ENG.PNQ.REDHAT.COM.PNQ.REDHAT.COM))" attrs="krbPrincipalName krbCanonicalName objectClass krbPrincipalKey krbMaxRenewableAge krbMaxTicketLife krbTicketFlags krbPrincipalExpiration krbTicketPolicyReference krbUPEnabled krbPwdPolicyReference krbPasswordExpiration krbLastFailedAuth krbLoginFailedCount krbLastSuccessfulAuth nsAccountLock krbLastPwdChange krbLastAdminUnlock krbExtraData krbObjectReferences krballowedtodelegateto"
[27/Sep/2011:05:31:40 +051800] conn=7 op=884 RESULT err=0 tag=101 nentries=1 etime=0
[27/Sep/2011:05:31:40 +051800] conn=7 op=885 SRCH base="dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=krbtgt/LAB.ENG.PNQ.REDHAT.COM.PNQ.REDHAT.COM))" attrs="krbPrincipalName krbCanonicalName objectClass krbPrincipalKey krbMaxRenewableAge krbMaxTicketLife krbTicketFlags krbPrincipalExpiration krbTicketPolicyReference krbUPEnabled krbPwdPolicyReference krbPasswordExpiration krbLastFailedAuth krbLoginFailedCount krbLastSuccessfulAuth nsAccountLock krbLastPwdChange krbLastAdminUnlock krbExtraData krbObjectReferences krballowedtodelegateto"
[27/Sep/2011:05:31:40 +051800] conn=7 op=885 RESULT err=0 tag=101 nentries=1 etime=0
[27/Sep/2011:05:31:40 +051800] conn=7 op=886 SRCH base="dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=admin.PNQ.REDHAT.COM))" attrs="krbPrincipalName krbCanonicalName objectClass krbPrincipalKey krbMaxRenewableAge krbMaxTicketLife krbTicketFlags krbPrincipalExpiration krbTicketPolicyReference krbUPEnabled krbPwdPolicyReference krbPasswordExpiration krbLastFailedAuth krbLoginFailedCount krbLastSuccessfulAuth nsAccountLock krbLastPwdChange krbLastAdminUnlock krbExtraData krbObjectReferences krballowedtodelegateto"
[27/Sep/2011:05:31:40 +051800] conn=7 op=886 RESULT err=0 tag=101 nentries=1 etime=0
[27/Sep/2011:05:31:40 +051800] conn=7 op=887 SRCH base="dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=krbtgt/LAB.ENG.PNQ.REDHAT.COM.PNQ.REDHAT.COM))" attrs="krbPrincipalName krbCanonicalName objectClass krbPrincipalKey krbMaxRenewableAge krbMaxTicketLife krbTicketFlags krbPrincipalExpiration krbTicketPolicyReference krbUPEnabled krbPwdPolicyReference krbPasswordExpiration krbLastFailedAuth krbLoginFailedCount krbLastSuccessfulAuth nsAccountLock krbLastPwdChange krbLastAdminUnlock krbExtraData krbObjectReferences krballowedtodelegateto"
[27/Sep/2011:05:31:40 +051800] conn=7 op=887 RESULT err=0 tag=101 nentries=1 etime=0
[27/Sep/2011:05:31:40 +051800] conn=7 op=888 SRCH base="dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=krbtgt/LAB.ENG.PNQ.REDHAT.COM.PNQ.REDHAT.COM))" attrs="krbPrincipalName krbCanonicalName objectClass krbPrincipalKey krbMaxRenewableAge krbMaxTicketLife krbTicketFlags krbPrincipalExpiration krbTicketPolicyReference krbUPEnabled krbPwdPolicyReference krbPasswordExpiration krbLastFailedAuth krbLoginFailedCount krbLastSuccessfulAuth nsAccountLock krbLastPwdChange krbLastAdminUnlock krbExtraData krbObjectReferences krballowedtodelegateto"
[27/Sep/2011:05:31:40 +051800] conn=7 op=888 RESULT err=0 tag=101 nentries=1 etime=0
[27/Sep/2011:05:31:40 +051800] conn=7 op=889 SRCH base="dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=admin.PNQ.REDHAT.COM))" attrs="krbPrincipalName krbCanonicalName objectClass krbPrincipalKey krbMaxRenewableAge krbMaxTicketLife krbTicketFlags krbPrincipalExpiration krbTicketPolicyReference krbUPEnabled krbPwdPolicyReference krbPasswordExpiration krbLastFailedAuth krbLoginFailedCount krbLastSuccessfulAuth nsAccountLock krbLastPwdChange krbLastAdminUnlock krbExtraData krbObjectReferences krballowedtodelegateto"
[27/Sep/2011:05:31:40 +051800] conn=7 op=889 RESULT err=0 tag=101 nentries=1 etime=0
[27/Sep/2011:05:31:40 +051800] conn=7 op=890 SRCH base="dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=krbtgt/LAB.ENG.PNQ.REDHAT.COM.PNQ.REDHAT.COM))" attrs="krbPrincipalName krbCanonicalName objectClass krbPrincipalKey krbMaxRenewableAge krbMaxTicketLife krbTicketFlags krbPrincipalExpiration krbTicketPolicyReference krbUPEnabled krbPwdPolicyReference krbPasswordExpiration krbLastFailedAuth krbLoginFailedCount krbLastSuccessfulAuth nsAccountLock krbLastPwdChange krbLastAdminUnlock krbExtraData krbObjectReferences krballowedtodelegateto"
[27/Sep/2011:05:31:40 +051800] conn=7 op=890 RESULT err=0 tag=101 nentries=1 etime=0
[27/Sep/2011:05:31:40 +051800] conn=7 op=891 SRCH base="dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=krbtgt/LAB.ENG.PNQ.REDHAT.COM.PNQ.REDHAT.COM))" attrs="krbPrincipalName krbCanonicalName objectClass krbPrincipalKey krbMaxRenewableAge krbMaxTicketLife krbTicketFlags krbPrincipalExpiration krbTicketPolicyReference krbUPEnabled krbPwdPolicyReference krbPasswordExpiration krbLastFailedAuth krbLoginFailedCount krbLastSuccessfulAuth nsAccountLock krbLastPwdChange krbLastAdminUnlock krbExtraData krbObjectReferences krballowedtodelegateto"
[27/Sep/2011:05:31:40 +051800] conn=7 op=891 RESULT err=0 tag=101 nentries=1 etime=0
[27/Sep/2011:05:31:40 +051800] conn=7 op=892 SRCH base="dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=admin.PNQ.REDHAT.COM))" attrs="krbPrincipalName krbCanonicalName objectClass krbPrincipalKey krbMaxRenewableAge krbMaxTicketLife krbTicketFlags krbPrincipalExpiration krbTicketPolicyReference krbUPEnabled krbPwdPolicyReference krbPasswordExpiration krbLastFailedAuth krbLoginFailedCount krbLastSuccessfulAuth nsAccountLock krbLastPwdChange krbLastAdminUnlock krbExtraData krbObjectReferences krballowedtodelegateto"
[27/Sep/2011:05:31:40 +051800] conn=7 op=892 RESULT err=0 tag=101 nentries=1 etime=0
[27/Sep/2011:05:31:40 +051800] conn=95 fd=70 slot=70 connection from 10.65.201.78 to 10.65.201.78
[27/Sep/2011:05:31:40 +051800] conn=7 op=893 SRCH base="dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=krbtgt/LAB.ENG.PNQ.REDHAT.COM.PNQ.REDHAT.COM))" attrs="krbPrincipalName krbCanonicalName objectClass krbPrincipalKey krbMaxRenewableAge krbMaxTicketLife krbTicketFlags krbPrincipalExpiration krbTicketPolicyReference krbUPEnabled krbPwdPolicyReference krbPasswordExpiration krbLastFailedAuth krbLoginFailedCount krbLastSuccessfulAuth nsAccountLock krbLastPwdChange krbLastAdminUnlock krbExtraData krbObjectReferences krballowedtodelegateto"
[27/Sep/2011:05:31:40 +051800] conn=7 op=893 RESULT err=0 tag=101 nentries=1 etime=0
[27/Sep/2011:05:31:40 +051800] conn=7 op=894 SRCH base="dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=ldap/kungfupanda.lab.eng.pnq.redhat.com.PNQ.REDHAT.COM))" attrs="krbPrincipalName krbCanonicalName objectClass krbPrincipalKey krbMaxRenewableAge krbMaxTicketLife krbTicketFlags krbPrincipalExpiration krbTicketPolicyReference krbUPEnabled krbPwdPolicyReference krbPasswordExpiration krbLastFailedAuth krbLoginFailedCount krbLastSuccessfulAuth nsAccountLock krbLastPwdChange krbLastAdminUnlock krbExtraData krbObjectReferences krballowedtodelegateto"
[27/Sep/2011:05:31:40 +051800] conn=7 op=894 RESULT err=0 tag=101 nentries=1 etime=0
[27/Sep/2011:05:31:40 +051800] conn=7 op=895 SRCH base="dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=admin.PNQ.REDHAT.COM))" attrs="krbPrincipalName krbCanonicalName objectClass krbPrincipalKey krbMaxRenewableAge krbMaxTicketLife krbTicketFlags krbPrincipalExpiration krbTicketPolicyReference krbUPEnabled krbPwdPolicyReference krbPasswordExpiration krbLastFailedAuth krbLoginFailedCount krbLastSuccessfulAuth nsAccountLock krbLastPwdChange krbLastAdminUnlock krbExtraData krbObjectReferences krballowedtodelegateto"
[27/Sep/2011:05:31:40 +051800] conn=95 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[27/Sep/2011:05:31:40 +051800] conn=7 op=895 RESULT err=0 tag=101 nentries=1 etime=0
[27/Sep/2011:05:31:40 +051800] conn=95 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[27/Sep/2011:05:31:40 +051800] conn=95 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[27/Sep/2011:05:31:40 +051800] conn=95 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[27/Sep/2011:05:31:40 +051800] conn=95 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[27/Sep/2011:05:31:40 +051800] conn=95 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=admin,cn=users,cn=accounts,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com"
[27/Sep/2011:05:31:40 +051800] conn=95 op=3 SRCH base="cn=ipaconfig,cn=etc,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
[27/Sep/2011:05:31:40 +051800] conn=95 op=3 RESULT err=0 tag=101 nentries=1 etime=0
[27/Sep/2011:05:31:40 +051800] conn=95 op=4 SRCH base="cn=hbac,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com" scope=2 filter="(&(&(objectClass=ipaassociation)(objectClass=ipahbacrule))(cn=kaleem))" attrs=""
[27/Sep/2011:05:31:40 +051800] conn=95 op=4 RESULT err=0 tag=101 nentries=1 etime=0
[27/Sep/2011:05:31:40 +051800] conn=95 op=5 SRCH base="ipauniqueid=c2659ad6-e89b-11e0-b3aa-5254006c92b9,cn=hbac,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com" scope=1 filter="(objectClass=*)" attrs=""
[27/Sep/2011:05:31:40 +051800] conn=95 op=5 RESULT err=0 tag=101 nentries=0 etime=0 notes=U
[27/Sep/2011:05:31:40 +051800] conn=95 op=6 DEL dn="ipauniqueid=c2659ad6-e89b-11e0-b3aa-5254006c92b9,cn=hbac,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com"
[27/Sep/2011:05:31:40 +051800] conn=95 op=6 RESULT err=0 tag=107 nentries=0 etime=0 csn=4e8112640000ffff0000
[27/Sep/2011:05:31:40 +051800] conn=95 op=7 UNBIND
[27/Sep/2011:05:31:40 +051800] conn=95 op=7 fd=70 closed - U1

Comment 9 Martin Kosek 2011-09-30 08:24:00 UTC

The problem here is that there is "kaleem" hbacsvcgroup on the machine. When the LDAP object is searched in LDAPCreate so that it can be passed to POST_CALLBACK, it matches both hbacrule and hbacsvcgroup and crashes.

Since hbacrules are not in own container I will have to pass objectclass to find_entry_by_attr call.

Comment 10 Martin Kosek 2011-09-30 10:26:47 UTC

Fixed upstream:
master: https://fedorahosted.org/freeipa/changeset/759ae9e2ef6ce9e4674177cb7892f0cc1c7186cd
ipa-2-1: https://fedorahosted.org/freeipa/changeset/7c884f1205916cca4c683b9ba8dd823d7f934aaa

Comment 11 Martin Kosek 2011-09-30 10:28:26 UTC

How to reproduce and test:

1. ipa hbacsvcgroup-add foo --desc=bar
2. ipa hbacrule-add foo --desc=bar

After the fix, the second step should suceed without error.

Comment 14 Gowrishankar Rajaiyan 2011-10-08 05:47:23 UTC

[root@bumblebee ~]# ipa hbacsvcgroup-add foo --desc=bar
------------------------------
Added HBAC service group "foo"
------------------------------
  Service group name: foo
  Description: bar
[root@bumblebee ~]# ipa hbacrule-add foo --desc=bar
---------------------
Added HBAC rule "foo"
---------------------
  Rule name: foo
  Description: bar
  Enabled: TRUE
[root@bumblebee ~]# 


Verified.
[root@bumblebee ~]# rpm -qi ipa-server
Name        : ipa-server                   Relocations: (not relocatable)
Version     : 2.1.2                             Vendor: Red Hat, Inc.
Release     : 2.el6                         Build Date: Fri 07 Oct 2011 05:09:04 PM EDT
Install Date: Sat 08 Oct 2011 07:36:33 AM EDT      Build Host: x86-001.build.bos.redhat.com
Group       : System Environment/Base       Source RPM: ipa-2.1.2-2.el6.src.rpm
Size        : 3363225                          License: GPLv3+
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://www.freeipa.org/
Summary     : The IPA authentication server

Comment 16 Martin Kosek 2011-11-01 09:16:38 UTC

    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Do not document

Comment 17 errata-xmlrpc 2011-12-06 18:32:15 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2011-1533.html