Bug 749352
Summary: | users not in ypcat netgroup output | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 6 | Reporter: | Rob Crittenden <rcritten> |
Component: | ipa | Assignee: | Rob Crittenden <rcritten> |
Status: | CLOSED ERRATA | QA Contact: | IDM QE LIST <seceng-idm-qe-list> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | 6.2 | CC: | ddumas, grajaiya, jgalipea, mgregg, mkosek, nalin |
Target Milestone: | rc | ||
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | ipa-2.1.3-9.el6 | Doc Type: | Bug Fix |
Doc Text: |
Cause: Users would not show in ypcat netgroup triples.
Consequence: NIS-based authorization would not work as expected. This would result in denying access where it should be allowed.
Fix: A syntax error in the triple rule was fixed.
Result: Users are now properly included in netgroup triples.
|
Last Closed: | 2011-12-06 18:43:31 UTC | Type: | --- |
Bug Blocks: | 752757 |
Description
Rob Crittenden
2011-10-26 19:04:06 UTC
Upstream ticket: https://fedorahosted.org/freeipa/ticket/2028

Fixed upstream:
master: https://fedorahosted.org/freeipa/changeset/4322370942b92c7778a96b6622be95ec8fa1cfda
ipa-2-1: https://fedorahosted.org/freeipa/changeset/c10db54aeedad18e04a18d664687b147043b6bbd

Backported patch to RHEL 6.2

Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Do not document

Technical note updated. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

Diffed Contents:
@@ -1 +1,4 @@ -Do not document+Cause: Users would not show in ypcat netgroup triples. +Consequence: NIS-based authorization would not work as expected. This would result in denying access where it should be allowed. +Fix: A syntax error in the triple rule was fixed. +Result: Users are now properly included in netgroup triples.

[root@decepticons yp]# ipa netgroup-add --desc=ng1 ng1
--------------------
Added netgroup "ng1"
--------------------
Netgroup name: ng1
Description: ng1
NIS domain name: lab.eng.pnq.redhat.com
IPA unique ID: c1aa4cb6-0779-11e1-847a-525400f56e2e
[root@decepticons yp]#
[root@decepticons yp]# ipa netgroup-add-member --users=admin --hosts=decepticons ng1
Netgroup name: ng1
Description: ng1
NIS domain name: lab.eng.pnq.redhat.com
Member User: admin
Member Host: decepticons.lab.eng.pnq.redhat.com
-------------------------
Number of members added 2
-------------------------
[root@decepticons yp]#
[root@decepticons ~]# ypcat -k -h decepticons -d lab.eng.pnq.redhat.com netgroup
ng1 (decepticons.lab.eng.pnq.redhat.com,admin,lab.eng.pnq.redhat.com)'
[root@decepticons ~]#
[root@decepticons ~]# ipa netgroup-add-member --users=ypuser2 --hosts=decepticons ng2
Netgroup name: ng2
Description: ng2
NIS domain name: lab.eng.pnq.redhat.com
Member User: ypuser2
Member Host: decepticons.lab.eng.pnq.redhat.com
-------------------------
Number of members added 2
-------------------------
[root@decepticons ~]#
[root@decepticons ~]# ipa netgroup-add-member --users=ypuser2 --hosts=decepticons ng1
Netgroup name: ng1
Description: ng1
NIS domain name: lab.eng.pnq.redhat.com
Member User: admin, ypuser2
Member Host: decepticons.lab.eng.pnq.redhat.com
Failed hosts/hostgroups:
member host: decepticons.lab.eng.pnq.redhat.com: This entry is already a member
-------------------------
Number of members added 1
-------------------------
[root@decepticons ~]#
[root@decepticons ~]# ldapsearch -LLL -x -b 'cn=ng,cn=compat,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com'
dn: cn=ng,cn=compat,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
objectClass: extensibleObject
cn: ng

dn: cn=ng2,cn=ng,cn=compat,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
objectClass: nisNetgroup
objectClass: top
nisNetgroupTriple: (decepticons.lab.eng.pnq.redhat.com,ypuser2,lab.eng.pnq.red
 hat.com)
cn: ng2

dn: cn=ng1,cn=ng,cn=compat,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
objectClass: nisNetgroup
objectClass: top
nisNetgroupTriple: (decepticons.lab.eng.pnq.redhat.com,admin,lab.eng.pnq.redha
 t.com)
nisNetgroupTriple: (-,ypuser2,lab.eng.pnq.redhat.com)
cn: ng1

[root@decepticons ~]#
[root@decepticons ~]# ypcat -k -h decepticons -d lab.eng.pnq.redhat.com netgroup
ng2 (decepticons.lab.eng.pnq.redhat.com,ypuser2,lab.eng.pnq.redhat.com)'
ng1 (decepticons.lab.eng.pnq.redhat.com,admin,lab.eng.pnq.redhat.com) (-,ypuser2,lab.eng.pnq.redhat.com)'
[root@decepticons ~]#
[root@decepticons ~]# rpm -qi ipa-server | head
Name : ipa-server Relocations: (not relocatable)
Version : 2.1.3 Vendor: Red Hat, Inc.
Release : 8.el6 Build Date: Wed 02 Nov 2011 03:21:27 AM IST
Install Date: Thu 03 Nov 2011 10:13:53 AM IST Build Host: x86-012.build.bos.redhat.com
Group : System Environment/Base Source RPM: ipa-2.1.3-8.el6.src.rpm
Size : 3381421 License: GPLv3+
Signature : (none)
Packager : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL : http://www.freeipa.org/
Summary : The IPA authentication server
[root@decepticons ~]#

If you look very closely at the output there is a trailing single quote at the end of each netgroup line. Re-opening bug.

Updated patch to remove extraneous '.

[root@decepticons ~]# ypcat -k -h decepticons -d lab.eng.pnq.redhat.com netgroup
ng1 (decepticons.lab.eng.pnq.redhat.com,admin,lab.eng.pnq.redhat.com)
[root@decepticons ~]# ipa netgroup-add-member ng2 --users=shanks --hosts=decepticons
Netgroup name: ng2
Description: ng2
NIS domain name: lab.eng.pnq.redhat.com
Member User: shanks
Member Host: decepticons.lab.eng.pnq.redhat.com
-------------------------
Number of members added 2
-------------------------
[root@decepticons ~]# ypcat -k -h decepticons -d lab.eng.pnq.redhat.com netgroup
ng2 (decepticons.lab.eng.pnq.redhat.com,shanks,lab.eng.pnq.redhat.com)
ng1 (decepticons.lab.eng.pnq.redhat.com,admin,lab.eng.pnq.redhat.com)
[root@decepticons ~]#
[root@decepticons ~]# ipa netgroup-add ng3 --desc=ng3
--------------------
Added netgroup "ng3"
--------------------
Netgroup name: ng3
Description: ng3
NIS domain name: lab.eng.pnq.redhat.com
IPA unique ID: 074a54b8-0a00-11e1-a907-525400f56e2e
[root@decepticons ~]# ypcat -k -h decepticons -d lab.eng.pnq.redhat.com netgroup
ng3
ng2 (decepticons.lab.eng.pnq.redhat.com,shanks,lab.eng.pnq.redhat.com)
ng1 (decepticons.lab.eng.pnq.redhat.com,admin,lab.eng.pnq.redhat.com)
[root@decepticons ~]#
[root@decepticons ~]# ipa netgroup-add-member --users=shanks --hosts=decepticons ng1
Netgroup name: ng1
Description: ng1
NIS domain name: lab.eng.pnq.redhat.com
Member User: admin, shanks
Member Host: decepticons.lab.eng.pnq.redhat.com
Failed hosts/hostgroups:
member host: decepticons.lab.eng.pnq.redhat.com: This entry is already a member
-------------------------
Number of members added 1
-------------------------
[root@decepticons ~]# ypcat -k -h decepticons -d lab.eng.pnq.redhat.com netgroup
ng1 (decepticons.lab.eng.pnq.redhat.com,admin,lab.eng.pnq.redhat.com) (-,shanks,lab.eng.pnq.redhat.com)
ng3
ng2 (decepticons.lab.eng.pnq.redhat.com,shanks,lab.eng.pnq.redhat.com)
[root@decepticons ~]#
[root@decepticons ~]# ipa group-add-member biggroup1
[member user]: biguser1
[member group]:
Group name: biggroup1
Description: bg1
GID: 896600005
Member users: biguser1
Member of groups: biggroup
Indirect Member of netgroup: ng3
-------------------------
Number of members added 1
-------------------------
[root@decepticons ~]# ypcat -k -h decepticons -d lab.eng.pnq.redhat.com netgroup
ng3 (decepticons.lab.eng.pnq.redhat.com,biguser1,lab.eng.pnq.redhat.com)
ng1 (decepticons.lab.eng.pnq.redhat.com,admin,lab.eng.pnq.redhat.com) (-,shanks,lab.eng.pnq.redhat.com)
ng2 (decepticons.lab.eng.pnq.redhat.com,shanks,lab.eng.pnq.redhat.com)
[root@decepticons ~]#

Trailing single quote no longer exists.

[root@decepticons ~]# rpm -qi ipa-server | head
Name : ipa-server Relocations: (not relocatable)
Version : 2.1.3 Vendor: Red Hat, Inc.
Release : 9.el6 Build Date: Tue 08 Nov 2011 01:30:54 AM IST
Install Date: Tue 08 Nov 2011 11:14:36 AM IST Build Host: x86-001.build.bos.redhat.com
Group : System Environment/Base Source RPM: ipa-2.1.3-9.el6.src.rpm
Size : 3382131 License: GPLv3+
Signature : (none)
Packager : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL : http://www.freeipa.org/
Summary : The IPA authentication server
[root@decepticons ~]#

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2011-1533.html
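An added example, not part of the bug report or of FreeIPA's code: a small Python check that parses `ypcat -k ... netgroup` lines and reports tokens that are not valid triples (such as the trailing `'` seen with ipa-2.1.3-8.el6) and users that should be in a netgroup but are missing from its triples. The function names and the `expected` mapping are assumptions made for illustration; the sample lines are copied from the ipa-2.1.3-8.el6 session above.

```python
import re

# A netgroup triple is (host,user,domain); a field may be empty or "-".
TRIPLE = re.compile(r"\(([^(),\s]*),([^(),\s]*),([^(),\s]*)\)")
NAME = re.compile(r"[A-Za-z0-9_.-]+")  # a nested netgroup reference

def parse_entry(line):
    """Split one `ypcat -k ... netgroup` line into (name, users, junk).

    users: user fields of well-formed triples (empty and "-" are skipped).
    junk:  tokens that are neither a triple nor a nested netgroup name.
    """
    name, _, value = line.strip().partition(" ")
    users = {u for _, u, _ in TRIPLE.findall(value) if u not in ("", "-")}
    rest = TRIPLE.sub(" ", value).split()
    junk = [tok for tok in rest if not NAME.fullmatch(tok)]
    return name, users, junk

def audit(lines, expected):
    """Compare the NIS map with the users each netgroup should contain.

    expected maps netgroup name -> set of users (the "Member User" values
    IPA reports). Returns (netgroup, problem, detail) tuples; [] is clean.
    """
    findings, seen = [], set()
    for line in lines:
        if not line.strip():
            continue
        name, users, junk = parse_entry(line)
        seen.add(name)
        if junk:
            findings.append((name, "malformed", " ".join(junk)))
        missing = expected.get(name, set()) - users
        if missing:
            findings.append((name, "missing-users", ",".join(sorted(missing))))
    for name in sorted(set(expected) - seen):
        findings.append((name, "absent", ""))
    return findings

# Output copied from the ipa-2.1.3-8.el6 session on this page.
BUILD_8 = [
    "ng2 (decepticons.lab.eng.pnq.redhat.com,ypuser2,lab.eng.pnq.redhat.com)'",
    "ng1 (decepticons.lab.eng.pnq.redhat.com,admin,lab.eng.pnq.redhat.com) "
    "(-,ypuser2,lab.eng.pnq.redhat.com)'",
]
EXPECTED = {"ng1": {"admin", "ypuser2"}, "ng2": {"ypuser2"}}

if __name__ == "__main__":
    for finding in audit(BUILD_8, EXPECTED):
        print(finding)
```

Run against the ipa-2.1.3-9.el6 output the same check returns no findings, which makes it usable as a regression test after updating the package.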