Bug 749352

Summary: users not in ypcat netgroup output
Product: Red Hat Enterprise Linux 6
Reporter: Rob Crittenden <rcritten>
Component: ipa
Assignee: Rob Crittenden <rcritten>
Status: CLOSED ERRATA
QA Contact: IDM QE LIST <seceng-idm-qe-list>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 6.2
CC: ddumas, grajaiya, jgalipea, mgregg, mkosek, nalin
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: ipa-2.1.3-9.el6
Doc Type: Bug Fix
Doc Text:
Cause: Users would not show in ypcat netgroup triples.
Consequence: NIS-based authorization would not work as expected. This would result in denying access where it should be allowed.
Fix: A syntax error in the triple rule was fixed.
Result: Users are now properly included in netgroup triples.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-12-06 18:43:31 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 752757

Description Rob Crittenden 2011-10-26 19:04:06 UTC
Description of problem:

Users are not showing in ypcat output but they show in cn=compat.

# ipa netgroup-add --desc=ng1 ng1
# ipa netgroup-add-member --users=admin --hosts=dane ng1

# ypcat -k -h dane -d greyoak.com netgroup
ng1 (dane.greyoak.com,-,greyoak.com)

# ldapsearch -LLL -x -b 'cn=ng,cn=compat,dc=greyoak,dc=com'
dn: cn=ng,cn=compat, dc=greyoak,dc=com
objectClass: extensibleObject
cn: ng

dn: cn=ng1,cn=ng,cn=compat,dc=greyoak,dc=com
objectClass: nisNetgroup
objectClass: top
nisNetgroupTriple: (dane.greyoak.com,admin,greyoak.com)
cn: ng1

Additional users added to the netgroup don't show either:

# ipa netgroup-add-member --users=ttest ng1
  Netgroup name: ng1
  Description: ng1
  NIS domain name: greyoak.com
  Member User: admin, ttest
  Member Host: dane.greyoak.com
-------------------------
Number of members added 1
-------------------------
# ypcat -k -h dane -d greyoak.com netgroup
ng1 (dane.greyoak.com,-,greyoak.com)

#  ldapsearch -LLL -x -b 'cn=ng,cn=compat,dc=greyoak,dc=com'
dn: cn=ng,cn=compat, dc=greyoak,dc=com
objectClass: extensibleObject
cn: ng

dn: cn=ng1,cn=ng,cn=compat,dc=greyoak,dc=com
objectClass: nisNetgroup
objectClass: top
nisNetgroupTriple: (dane.greyoak.com,admin,greyoak.com)
nisNetgroupTriple: (-,ttest,greyoak.com)
cn: ng1

Version-Release number of selected component (if applicable):

ipa-server-2.1.3-4.el6.i686

Comment 1 Rob Crittenden 2011-10-26 20:47:50 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/2028

Comment 3 Rob Crittenden 2011-10-28 17:33:45 UTC
Backported patch to RHEL 6.2

Comment 6 Martin Kosek 2011-10-31 15:40:06 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Do not document

Comment 7 Rob Crittenden 2011-10-31 16:04:13 UTC
    Technical note updated. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    Diffed Contents:
@@ -1 +1,4 @@
-Do not document+Cause: Users would not show in ypcat netgroup triples.
+Consequence: NIS-based authorization would not work as expected. This would result in denying access where it should be allowed.
+Fix: A syntax error in the triple rule was fixed.
+Result: Users are now properly included in netgroup triples.
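Review bot: the Fix line does not say which component's rule was wrong, and the description shows the compat tree (cn=ng1,cn=ng,cn=compat) already carried the correct nisNetgroupTriple for admin while ypcat returned "-" in the user slot, so a reader could wrongly go looking at the compat plugin; state that it is the rule producing the NIS netgroup map that was fixed, and add the upstream ticket from comment 1 (https://fedorahosted.org/freeipa/ticket/2028) so the actual change can be located.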

Comment 8 Gowrishankar Rajaiyan 2011-11-05 07:29:30 UTC
[root@decepticons yp]# ipa netgroup-add --desc=ng1 ng1
--------------------
Added netgroup "ng1"
--------------------
  Netgroup name: ng1
  Description: ng1
  NIS domain name: lab.eng.pnq.redhat.com
  IPA unique ID: c1aa4cb6-0779-11e1-847a-525400f56e2e
[root@decepticons yp]# 

[root@decepticons yp]# ipa netgroup-add-member --users=admin --hosts=decepticons ng1
  Netgroup name: ng1
  Description: ng1
  NIS domain name: lab.eng.pnq.redhat.com
  Member User: admin
  Member Host: decepticons.lab.eng.pnq.redhat.com
-------------------------
Number of members added 2
-------------------------
[root@decepticons yp]#

[root@decepticons ~]# ypcat -k -h decepticons -d lab.eng.pnq.redhat.com netgroup
ng1 (decepticons.lab.eng.pnq.redhat.com,admin,lab.eng.pnq.redhat.com)'
[root@decepticons ~]# 


[root@decepticons ~]# ipa netgroup-add-member --users=ypuser2 --hosts=decepticons ng2
  Netgroup name: ng2
  Description: ng2
  NIS domain name: lab.eng.pnq.redhat.com
  Member User: ypuser2
  Member Host: decepticons.lab.eng.pnq.redhat.com
-------------------------
Number of members added 2
-------------------------
[root@decepticons ~]# 

[root@decepticons ~]# ipa netgroup-add-member --users=ypuser2 --hosts=decepticons ng1
  Netgroup name: ng1
  Description: ng1
  NIS domain name: lab.eng.pnq.redhat.com
  Member User: admin, ypuser2
  Member Host: decepticons.lab.eng.pnq.redhat.com
  Failed hosts/hostgroups: 
    member host: decepticons.lab.eng.pnq.redhat.com: This entry is already a member
-------------------------
Number of members added 1
-------------------------
[root@decepticons ~]# 

[root@decepticons ~]# ldapsearch -LLL -x -b 'cn=ng,cn=compat,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com'
dn: cn=ng,cn=compat, dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
objectClass: extensibleObject
cn: ng

dn: cn=ng2,cn=ng,cn=compat,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
objectClass: nisNetgroup
objectClass: top
nisNetgroupTriple: (decepticons.lab.eng.pnq.redhat.com,ypuser2,lab.eng.pnq.red
 hat.com)
cn: ng2

dn: cn=ng1,cn=ng,cn=compat,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
objectClass: nisNetgroup
objectClass: top
nisNetgroupTriple: (decepticons.lab.eng.pnq.redhat.com,admin,lab.eng.pnq.redha
 t.com)
nisNetgroupTriple: (-,ypuser2,lab.eng.pnq.redhat.com)
cn: ng1

[root@decepticons ~]# 


[root@decepticons ~]# ypcat -k -h decepticons -d lab.eng.pnq.redhat.com netgroup
ng2 (decepticons.lab.eng.pnq.redhat.com,ypuser2,lab.eng.pnq.redhat.com)'
ng1 (decepticons.lab.eng.pnq.redhat.com,admin,lab.eng.pnq.redhat.com) (-,ypuser2,lab.eng.pnq.redhat.com)'
[root@decepticons ~]# 


[root@decepticons ~]# rpm -qi ipa-server | head
Name        : ipa-server                   Relocations: (not relocatable)
Version     : 2.1.3                             Vendor: Red Hat, Inc.
Release     : 8.el6                         Build Date: Wed 02 Nov 2011 03:21:27 AM IST
Install Date: Thu 03 Nov 2011 10:13:53 AM IST      Build Host: x86-012.build.bos.redhat.com
Group       : System Environment/Base       Source RPM: ipa-2.1.3-8.el6.src.rpm
Size        : 3381421                          License: GPLv3+
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://www.freeipa.org/
Summary     : The IPA authentication server
[root@decepticons ~]#

Comment 9 Rob Crittenden 2011-11-07 19:53:26 UTC
If you look very closely at the output there is a trailing single quote at the end of each netgroup line.

Re-opening bug.

Comment 10 Rob Crittenden 2011-11-07 20:09:08 UTC
Updated patch to remove extraneous '.

Comment 11 Gowrishankar Rajaiyan 2011-11-08 12:57:36 UTC
[root@decepticons ~]# ypcat -k -h decepticons -d lab.eng.pnq.redhat.com netgroup
ng1 (decepticons.lab.eng.pnq.redhat.com,admin,lab.eng.pnq.redhat.com)


[root@decepticons ~]# ipa netgroup-add-member ng2 --users=shanks --hosts=decepticons
  Netgroup name: ng2
  Description: ng2
  NIS domain name: lab.eng.pnq.redhat.com
  Member User: shanks
  Member Host: decepticons.lab.eng.pnq.redhat.com
-------------------------
Number of members added 2
-------------------------
[root@decepticons ~]# ypcat -k -h decepticons -d lab.eng.pnq.redhat.com netgroup
ng2 (decepticons.lab.eng.pnq.redhat.com,shanks,lab.eng.pnq.redhat.com)
ng1 (decepticons.lab.eng.pnq.redhat.com,admin,lab.eng.pnq.redhat.com)
[root@decepticons ~]# 


[root@decepticons ~]# ipa netgroup-add ng3 --desc=ng3
--------------------
Added netgroup "ng3"
--------------------
  Netgroup name: ng3
  Description: ng3
  NIS domain name: lab.eng.pnq.redhat.com
  IPA unique ID: 074a54b8-0a00-11e1-a907-525400f56e2e
[root@decepticons ~]# ypcat -k -h decepticons -d lab.eng.pnq.redhat.com netgroup
ng3 
ng2 (decepticons.lab.eng.pnq.redhat.com,shanks,lab.eng.pnq.redhat.com)
ng1 (decepticons.lab.eng.pnq.redhat.com,admin,lab.eng.pnq.redhat.com)
[root@decepticons ~]# 


[root@decepticons ~]# ipa netgroup-add-member --users=shanks --hosts=decepticons ng1
  Netgroup name: ng1
  Description: ng1
  NIS domain name: lab.eng.pnq.redhat.com
  Member User: admin, shanks
  Member Host: decepticons.lab.eng.pnq.redhat.com
  Failed hosts/hostgroups: 
    member host: decepticons.lab.eng.pnq.redhat.com: This entry is already a member
-------------------------
Number of members added 1
-------------------------
[root@decepticons ~]# ypcat -k -h decepticons -d lab.eng.pnq.redhat.com netgroup
ng1 (decepticons.lab.eng.pnq.redhat.com,admin,lab.eng.pnq.redhat.com) (-,shanks,lab.eng.pnq.redhat.com)
ng3 
ng2 (decepticons.lab.eng.pnq.redhat.com,shanks,lab.eng.pnq.redhat.com)
[root@decepticons ~]# 

[root@decepticons ~]# ipa group-add-member biggroup1 
[member user]: biguser1
[member group]: 
  Group name: biggroup1
  Description: bg1
  GID: 896600005
  Member users: biguser1
  Member of groups: biggroup
  Indirect Member of netgroup: ng3
-------------------------
Number of members added 1
-------------------------
[root@decepticons ~]# ypcat -k -h decepticons -d lab.eng.pnq.redhat.com netgroup
ng3 (decepticons.lab.eng.pnq.redhat.com,biguser1,lab.eng.pnq.redhat.com)
ng1 (decepticons.lab.eng.pnq.redhat.com,admin,lab.eng.pnq.redhat.com) (-,shanks,lab.eng.pnq.redhat.com)
ng2 (decepticons.lab.eng.pnq.redhat.com,shanks,lab.eng.pnq.redhat.com)
[root@decepticons ~]# 


Trailing single quote no longer exists.

[root@decepticons ~]# rpm -qi ipa-server | head
Name        : ipa-server                   Relocations: (not relocatable)
Version     : 2.1.3                             Vendor: Red Hat, Inc.
Release     : 9.el6                         Build Date: Tue 08 Nov 2011 01:30:54 AM IST
Install Date: Tue 08 Nov 2011 11:14:36 AM IST      Build Host: x86-001.build.bos.redhat.com
Group       : System Environment/Base       Source RPM: ipa-2.1.3-9.el6.src.rpm
Size        : 3382131                          License: GPLv3+
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://www.freeipa.org/
Summary     : The IPA authentication server
[root@decepticons ~]#
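
A check a verifier could run over `ypcat -k netgroup` output, added here as an example and not code from this bug or from IPA itself: it splits each netgroup line into (host,user,domain) triples, flags leftover characters such as the stray trailing quote from comment 9, and reports any user that IPA lists under "Member User:" but the NIS map omits, which was the original symptom. The sample lines are constructed from the output quoted in this bug; the function names are my own.

```python
import re

# Constructed sample lines modelled on the ypcat -k output quoted in this bug:
# the first from the broken build (user slot "-" plus a stray trailing quote),
# the second from the fixed build, the third an empty netgroup.
SAMPLE_BROKEN = "ng1 (dane.greyoak.com,-,greyoak.com)'"
SAMPLE_FIXED = ("ng1 (decepticons.lab.eng.pnq.redhat.com,admin,lab.eng.pnq.redhat.com)"
                " (-,shanks,lab.eng.pnq.redhat.com)")
SAMPLE_EMPTY = "ng3 "

# A NIS netgroup triple is (host,user,domain); "-" means "any" in that slot.
TRIPLE_RE = re.compile(r"\(([^,()]*),([^,()]*),([^,()]*)\)")


def parse_netgroup_line(line):
    """Split one 'name triple triple ...' line into (name, triples, problems).

    problems lists syntax a NIS client would misparse, e.g. the stray "'"
    the -8.el6 build shipped; an empty netgroup is not a problem."""
    name, _, rest = line.strip().partition(" ")
    triples = [m.groups() for m in TRIPLE_RE.finditer(rest)]
    # Remove every well-formed triple; whatever remains is junk.
    leftover = TRIPLE_RE.sub("", rest).replace(" ", "")
    problems = []
    if leftover:
        problems.append(f"{name}: stray characters {leftover!r}")
    return name, triples, problems


def check_netgroup_line(line, expected_users, nis_domain):
    """Compare the users in a ypcat line with the members IPA reports.

    expected_users is the 'Member User:' list from ipa netgroup-add-member.
    Returns findings; an empty list means the NIS map agrees with IPA."""
    name, triples, problems = parse_netgroup_line(line)
    users_seen = set()
    for host, user, domain in triples:
        if domain != nis_domain:
            problems.append(f"{name}: ({host},{user},{domain}) has wrong domain")
        if user != "-":
            users_seen.add(user)
    missing = sorted(set(expected_users) - users_seen)
    if missing:
        problems.append(f"{name}: users missing from NIS map: {', '.join(missing)}")
    return problems


def check_ypcat_output(text, expected, nis_domain):
    """Run check_netgroup_line over whole ypcat output; expected maps
    netgroup name -> list of users IPA says are members."""
    findings = []
    for line in text.splitlines():
        if line.strip():
            name = line.split(" ", 1)[0]
            findings += check_netgroup_line(line, expected.get(name, []), nis_domain)
    return findings
```

Feed it the output of `ypcat -k -h <nis-server> -d <domain> netgroup` together with the member lists from `ipa netgroup-show`; any finding means the NIS view and the IPA view of the netgroup disagree.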

Comment 12 errata-xmlrpc 2011-12-06 18:43:31 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2011-1533.html