Bug 749352
| Summary: | users not in ypcat netgroup output | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Rob Crittenden <rcritten> |
| Component: | ipa | Assignee: | Rob Crittenden <rcritten> |
| Status: | CLOSED ERRATA | QA Contact: | IDM QE LIST <seceng-idm-qe-list> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 6.2 | CC: | ddumas, grajaiya, jgalipea, mgregg, mkosek, nalin |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | ipa-2.1.3-9.el6 | Doc Type: | Bug Fix |
| Doc Text: | Cause: Users would not show in ypcat netgroup triples. Consequence: NIS-based authorization would not work as expected. This would result in denying access where it should be allowed. Fix: A syntax error in the triple rule was fixed. Result: Users are now properly included in netgroup triples. | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2011-12-06 18:43:31 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 752757 | | |
Description
Rob Crittenden
2011-10-26 19:04:06 UTC
Upstream ticket: https://fedorahosted.org/freeipa/ticket/2028
Fixed upstream:
master: https://fedorahosted.org/freeipa/changeset/4322370942b92c7778a96b6622be95ec8fa1cfda
ipa-2-1: https://fedorahosted.org/freeipa/changeset/c10db54aeedad18e04a18d664687b147043b6bbd
Backported patch to RHEL 6.2
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.
New Contents:
Do not document
Technical note updated. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.
Diffed Contents:
@@ -1 +1,4 @@
-Do not document+Cause: Users would not show in ypcat netgroup triples.
+Consequence: NIS-based authorization would not work as expected. This would result in denying access where it should be allowed.
+Fix: A syntax error in the triple rule was fixed.
+Result: Users are now properly included in netgroup triples.
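Review bot: the first hunk line runs the removed line and the first added line together as `-Do not document+Cause: ...`, which does not match the `@@ -1 +1,4 @@` header (one line removed, four added) and means the hunk as shown will not apply; it should read `-Do not document` followed by `+Cause: Users would not show in ypcat netgroup triples.` on its own line. The added Doc Text also says only that "a syntax error in the triple rule" was fixed without naming the symptom an administrator would actually search for: users missing from the `ypcat netgroup` map, and, in the ipa-2.1.3-8.el6 build tested later in this bug, a stray trailing `'` on every netgroup line.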
[root@decepticons yp]# ipa netgroup-add --desc=ng1 ng1
--------------------
Added netgroup "ng1"
--------------------
Netgroup name: ng1
Description: ng1
NIS domain name: lab.eng.pnq.redhat.com
IPA unique ID: c1aa4cb6-0779-11e1-847a-525400f56e2e
[root@decepticons yp]#
[root@decepticons yp]# ipa netgroup-add-member --users=admin --hosts=decepticons ng1
Netgroup name: ng1
Description: ng1
NIS domain name: lab.eng.pnq.redhat.com
Member User: admin
Member Host: decepticons.lab.eng.pnq.redhat.com
-------------------------
Number of members added 2
-------------------------
[root@decepticons yp]#
[root@decepticons ~]# ypcat -k -h decepticons -d lab.eng.pnq.redhat.com netgroup
ng1 (decepticons.lab.eng.pnq.redhat.com,admin,lab.eng.pnq.redhat.com)'
[root@decepticons ~]#
[root@decepticons ~]# ipa netgroup-add-member --users=ypuser2 --hosts=decepticons ng2
Netgroup name: ng2
Description: ng2
NIS domain name: lab.eng.pnq.redhat.com
Member User: ypuser2
Member Host: decepticons.lab.eng.pnq.redhat.com
-------------------------
Number of members added 2
-------------------------
[root@decepticons ~]#
[root@decepticons ~]# ipa netgroup-add-member --users=ypuser2 --hosts=decepticons ng1
Netgroup name: ng1
Description: ng1
NIS domain name: lab.eng.pnq.redhat.com
Member User: admin, ypuser2
Member Host: decepticons.lab.eng.pnq.redhat.com
Failed hosts/hostgroups:
member host: decepticons.lab.eng.pnq.redhat.com: This entry is already a member
-------------------------
Number of members added 1
-------------------------
[root@decepticons ~]#
[root@decepticons ~]# ldapsearch -LLL -x -b 'cn=ng,cn=compat,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com'
dn: cn=ng,cn=compat, dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
objectClass: extensibleObject
cn: ng
dn: cn=ng2,cn=ng,cn=compat,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
objectClass: nisNetgroup
objectClass: top
nisNetgroupTriple: (decepticons.lab.eng.pnq.redhat.com,ypuser2,lab.eng.pnq.redhat.com)
cn: ng2
dn: cn=ng1,cn=ng,cn=compat,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
objectClass: nisNetgroup
objectClass: top
nisNetgroupTriple: (decepticons.lab.eng.pnq.redhat.com,admin,lab.eng.pnq.redhat.com)
nisNetgroupTriple: (-,ypuser2,lab.eng.pnq.redhat.com)
cn: ng1
[root@decepticons ~]#
[root@decepticons ~]# ypcat -k -h decepticons -d lab.eng.pnq.redhat.com netgroup
ng2 (decepticons.lab.eng.pnq.redhat.com,ypuser2,lab.eng.pnq.redhat.com)'
ng1 (decepticons.lab.eng.pnq.redhat.com,admin,lab.eng.pnq.redhat.com) (-,ypuser2,lab.eng.pnq.redhat.com)'
[root@decepticons ~]#
[root@decepticons ~]# rpm -qi ipa-server | head
Name : ipa-server Relocations: (not relocatable)
Version : 2.1.3 Vendor: Red Hat, Inc.
Release : 8.el6 Build Date: Wed 02 Nov 2011 03:21:27 AM IST
Install Date: Thu 03 Nov 2011 10:13:53 AM IST Build Host: x86-012.build.bos.redhat.com
Group : System Environment/Base Source RPM: ipa-2.1.3-8.el6.src.rpm
Size : 3381421 License: GPLv3+
Signature : (none)
Packager : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL : http://www.freeipa.org/
Summary : The IPA authentication server
[root@decepticons ~]#
If you look very closely at the output there is a trailing single quote at the end of each netgroup line. Re-opening bug.
Updated patch to remove extraneous '.
[root@decepticons ~]# ypcat -k -h decepticons -d lab.eng.pnq.redhat.com netgroup
ng1 (decepticons.lab.eng.pnq.redhat.com,admin,lab.eng.pnq.redhat.com)
[root@decepticons ~]# ipa netgroup-add-member ng2 --users=shanks --hosts=decepticons
Netgroup name: ng2
Description: ng2
NIS domain name: lab.eng.pnq.redhat.com
Member User: shanks
Member Host: decepticons.lab.eng.pnq.redhat.com
-------------------------
Number of members added 2
-------------------------
[root@decepticons ~]# ypcat -k -h decepticons -d lab.eng.pnq.redhat.com netgroup
ng2 (decepticons.lab.eng.pnq.redhat.com,shanks,lab.eng.pnq.redhat.com)
ng1 (decepticons.lab.eng.pnq.redhat.com,admin,lab.eng.pnq.redhat.com)
[root@decepticons ~]#
[root@decepticons ~]# ipa netgroup-add ng3 --desc=ng3
--------------------
Added netgroup "ng3"
--------------------
Netgroup name: ng3
Description: ng3
NIS domain name: lab.eng.pnq.redhat.com
IPA unique ID: 074a54b8-0a00-11e1-a907-525400f56e2e
[root@decepticons ~]# ypcat -k -h decepticons -d lab.eng.pnq.redhat.com netgroup
ng3
ng2 (decepticons.lab.eng.pnq.redhat.com,shanks,lab.eng.pnq.redhat.com)
ng1 (decepticons.lab.eng.pnq.redhat.com,admin,lab.eng.pnq.redhat.com)
[root@decepticons ~]#
[root@decepticons ~]# ipa netgroup-add-member --users=shanks --hosts=decepticons ng1
Netgroup name: ng1
Description: ng1
NIS domain name: lab.eng.pnq.redhat.com
Member User: admin, shanks
Member Host: decepticons.lab.eng.pnq.redhat.com
Failed hosts/hostgroups:
member host: decepticons.lab.eng.pnq.redhat.com: This entry is already a member
-------------------------
Number of members added 1
-------------------------
[root@decepticons ~]# ypcat -k -h decepticons -d lab.eng.pnq.redhat.com netgroup
ng1 (decepticons.lab.eng.pnq.redhat.com,admin,lab.eng.pnq.redhat.com) (-,shanks,lab.eng.pnq.redhat.com)
ng3
ng2 (decepticons.lab.eng.pnq.redhat.com,shanks,lab.eng.pnq.redhat.com)
[root@decepticons ~]#
[root@decepticons ~]# ipa group-add-member biggroup1
[member user]: biguser1
[member group]:
Group name: biggroup1
Description: bg1
GID: 896600005
Member users: biguser1
Member of groups: biggroup
Indirect Member of netgroup: ng3
-------------------------
Number of members added 1
-------------------------
[root@decepticons ~]# ypcat -k -h decepticons -d lab.eng.pnq.redhat.com netgroup
ng3 (decepticons.lab.eng.pnq.redhat.com,biguser1,lab.eng.pnq.redhat.com)
ng1 (decepticons.lab.eng.pnq.redhat.com,admin,lab.eng.pnq.redhat.com) (-,shanks,lab.eng.pnq.redhat.com)
ng2 (decepticons.lab.eng.pnq.redhat.com,shanks,lab.eng.pnq.redhat.com)
[root@decepticons ~]#
Trailing single quote no longer exists.
[root@decepticons ~]# rpm -qi ipa-server | head
Name : ipa-server Relocations: (not relocatable)
Version : 2.1.3 Vendor: Red Hat, Inc.
Release : 9.el6 Build Date: Tue 08 Nov 2011 01:30:54 AM IST
Install Date: Tue 08 Nov 2011 11:14:36 AM IST Build Host: x86-001.build.bos.redhat.com
Group : System Environment/Base Source RPM: ipa-2.1.3-9.el6.src.rpm
Size : 3382131 License: GPLv3+
Signature : (none)
Packager : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL : http://www.freeipa.org/
Summary : The IPA authentication server
[root@decepticons ~]#
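The checker below is an added example, not code from this bug or from IPA. It parses `ypcat -k netgroup` output into (host,user,domain) triples and nested netgroup names, reports any token that is not valid netgroup syntax (such as the trailing `'` the ipa-2.1.3-8.el6 build emitted on every line above), and compares the users each netgroup actually grants against the members IPA lists for it. That is the check a defender would run after an IPA compat-plugin update, since a malformed or incomplete map silently turns into denied (or, with a wildcard, granted) access on NIS clients. The sample map text is constructed from the ypcat lines in this bug; the `allng` nested entry is invented to exercise nesting and does not appear on the page.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Set, Tuple, Union


class Triple(NamedTuple):
    host: str
    user: str
    domain: str


# A triple is three comma-separated fields in parentheses; a field may be empty
# (wildcard) or "-" (no valid value). A bare token names a nested netgroup.
_TRIPLE = re.compile(r"\(([^,()\s]*),([^,()\s]*),([^,()\s]*)\)")
_NESTED = re.compile(r"[A-Za-z0-9_.-]+")

# Constructed sample modelled on the fixed ipa-2.1.3-9.el6 output in this bug;
# "allng" is an invented nested netgroup used only to exercise nesting.
SAMPLE_FIXED = """\
ng3 (decepticons.lab.eng.pnq.redhat.com,biguser1,lab.eng.pnq.redhat.com)
ng1 (decepticons.lab.eng.pnq.redhat.com,admin,lab.eng.pnq.redhat.com) (-,shanks,lab.eng.pnq.redhat.com)
ng2 (decepticons.lab.eng.pnq.redhat.com,shanks,lab.eng.pnq.redhat.com)
allng ng1 ng2
"""

# Constructed sample modelled on the ipa-2.1.3-8.el6 output in this bug, where
# every netgroup line carried a stray trailing single quote.
SAMPLE_BROKEN = """\
ng2 (decepticons.lab.eng.pnq.redhat.com,ypuser2,lab.eng.pnq.redhat.com)'
ng1 (decepticons.lab.eng.pnq.redhat.com,admin,lab.eng.pnq.redhat.com) (-,ypuser2,lab.eng.pnq.redhat.com)'
"""


def parse_netgroup_map(text: str) -> Tuple[Dict[str, List[Union[Triple, str]]], List[str]]:
    """Parse ypcat output into {netgroup: [members]} plus a list of syntax errors.

    Well-formed members before a bad token are kept so the caller can still see
    what the map grants; the bad token is reported with line and column rather
    than skipped, because NIS clients do not agree on how to treat it.
    """
    groups: Dict[str, List[Union[Triple, str]]] = {}
    errors: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.strip().split(None, 1)
        if not parts:
            continue
        name = parts[0]
        rest = parts[1] if len(parts) > 1 else ""
        members: List[Union[Triple, str]] = []
        pos = 0
        while pos < len(rest):
            if rest[pos].isspace():
                pos += 1
                continue
            m = _TRIPLE.match(rest, pos) or _NESTED.match(rest, pos)
            if m is None:
                errors.append(f"line {lineno} ({name}): unexpected {rest[pos]!r} at column {pos}")
                break
            # _TRIPLE yields three groups, _NESTED none.
            members.append(Triple(*m.groups()) if m.groups() else m.group(0))
            pos = m.end()
        groups[name] = members
    return groups, errors


def users_in_netgroup(groups, name: str, _seen: Optional[Set[str]] = None) -> Set[str]:
    """Return every concrete user granted by `name`, following nested netgroups.

    An empty user field is a wildcard and "-" means no user; neither names an
    account, so both are skipped. `_seen` guards against nesting cycles.
    """
    seen = set() if _seen is None else _seen
    if name in seen or name not in groups:
        return set()
    seen.add(name)
    users: Set[str] = set()
    for member in groups[name]:
        if isinstance(member, Triple):
            if member.user not in ("", "-"):
                users.add(member.user)
        else:
            users |= users_in_netgroup(groups, member, seen)
    return users


def audit_netgroup_map(text: str, expected: Dict[str, Set[str]]) -> List[str]:
    """Return findings for a map that fails to parse or lacks expected users.

    `expected` maps netgroup name -> users IPA lists as members (for example
    from `ipa netgroup-show`). An empty result means the exported map is clean.
    """
    groups, findings = parse_netgroup_map(text)
    for name, wanted in sorted(expected.items()):
        if name not in groups:
            findings.append(f"{name}: netgroup missing from NIS map")
            continue
        missing = wanted - users_in_netgroup(groups, name)
        if missing:
            findings.append(f"{name}: users not in NIS map: {', '.join(sorted(missing))}")
    return findings


if __name__ == "__main__":
    expected = {"ng1": {"admin", "shanks"}, "ng2": {"shanks"}}
    for label, text in (("fixed build", SAMPLE_FIXED), ("broken build", SAMPLE_BROKEN)):
        findings = audit_netgroup_map(text, expected)
        print(f"{label}: {len(findings)} finding(s)")
        for finding in findings:
            print("  " + finding)
```

In production the `expected` dictionary would be filled from IPA itself (for example by parsing `ipa netgroup-show` for each netgroup) and `text` from a real `ypcat -k netgroup` run against the IPA server, so the job catches both a map that no longer parses and a member that IPA lists but the compat tree does not export.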
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHSA-2011-1533.html