| Summary: | IPA nested netgroups not seen from ypcat | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Scott Poore <spoore> |
| Component: | ipa | Assignee: | Rob Crittenden <rcritten> |
| Status: | CLOSED ERRATA | QA Contact: | IDM QE LIST <seceng-idm-qe-list> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 6.3 | CC: | dpal, jgalipea, mkosek, nalin |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | ipa-2.2.0-3.el6 | Doc Type: | Bug Fix |
| Doc Text: | No documentation needed. | Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2012-06-20 13:32:01 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Description
Scott Poore
2012-02-08 16:21:30 UTC
> From Nalin:
> Try stopping the server, locating the entry in its dse.ldif for
> "nis-domain=testrelm.com+nis-map=netgroup,cn=NIS Server,cn=plugins,cn=config",
> and replacing this part of it:
> "%{memberNisNetgroup}"
> with:
> "%deref_f(\"member\",\"(objectclass=ipanisNetgroup)\",\"cn\")"
>
> That should correctly pull the names of the member netgroups from their
> entries.

Yep, that did the trick:

    # ypcat -k -d $DOMAIN -h localhost netgroup
    test1 (-,admin,testrelm.com)
    test test1

So workaround seems to be:

    service dirsrv stop
    edit /etc/dirsrv/slapd-<REALM>/dse.ldif

Change:

    <snip>
    dn: nis-domain=testrelm.com+nis-map=netgroup,cn=NIS Server,cn=plugins,cn=confi
     g
    objectClass: top
    objectClass: extensibleObject
    nis-value-format: %merge(" ","%{memberNisNetgroup}",
    </snip>

To:

    <snip>
    dn: nis-domain=testrelm.com+nis-map=netgroup,cn=NIS Server,cn=plugins,cn=confi
     g
    objectClass: top
    objectClass: extensibleObject
    nis-value-format: %merge(" ","%deref_f(\"member\",\"(objectclass=ipanisNetgrou
    < p)\",\"cn\")",
    </snip>

Then run:

    service dirsrv start
    ypcat -d $DOMAIN -h localhost -k netgroup

And you should now see nested netgroups:

    # ypcat -k -d $DOMAIN -h localhost netgroup
    test1 (-,admin,testrelm.com)
    test test1

Thanks.

Upstream ticket:
https://fedorahosted.org/freeipa/ticket/2359

Step 6 in the reproduction steps should read:

    ipa netgroup-add-member test --netgroups=test1

You'll want to test a fresh installation and an upgrade.

Fixed upstream:

master: https://fedorahosted.org/freeipa/changeset/c48d34fa433e9472d196b0258cac16934a1dae48

ipa-2-2: https://fedorahosted.org/freeipa/changeset/f23d5c6475b81782816cc1196751f8842969bc78

Verified.

Version ::

    ipa-server-2.2.0-4.el6.x86_64

Automated Test Results ::

    ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    :: [ LOG ] :: netgroup_bz_788625: IPA nested netgroups not seen from ypcat
    ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    :: [ PASS ] :: Running 'ipa netgroup-add netgroup_bz_788625_test1 --desc=netgroup_bz_788625_test1'
    :: [ PASS ] :: Running 'ipa netgroup-add-member netgroup_bz_788625_test1 --users=admin'
    :: [ PASS ] :: Running 'ipa netgroup-add netgroup_bz_788625_test --desc=netgroup_bz_788625_test'
    :: [ PASS ] :: Running 'ipa netgroup-add-member netgroup_bz_788625_test --netgroups=netgroup_bz_788625_test1'
    :: [ PASS ] :: Running 'echo ******** | ipa-compat-manage enable'
    :: [ PASS ] :: Running 'echo ******** | ipa-nis-manage enable'
    :: [ PASS ] :: Running 'service rpcbind restart'
    :: [ PASS ] :: Running 'service dirsrv restart'
    :: [ PASS ] :: Running 'yum -y install yp-tools'
    :: [ PASS ] :: BZ 788625 not found
    :: [ PASS ] :: Running 'ipa netgroup-del netgroup_bz_788625_test1'
    :: [ PASS ] :: Running 'ipa netgroup-del netgroup_bz_788625_test'
    :: [ LOG ] :: Duration: 46s
    :: [ LOG ] :: Assertions: 12 good, 0 bad
    :: [ PASS ] :: RESULT: netgroup_bz_788625: IPA nested netgroups not seen from ypcat

Manual Test Results ::

    # ipa netgroup-add ng788625 --desc=test
    -------------------------
    Added netgroup "ng788625"
    -------------------------
      Netgroup name: ng788625
      Description: test
      NIS domain name: testrelm.com
      IPA unique ID: 4df6b4a2-7368-11e1-a6cd-0019bbea4c2b

    # ipa netgroup-add-member ng788625 --users=admin
      Netgroup name: ng788625
      Description: test
      NIS domain name: testrelm.com
      Member User: admin
    -------------------------
    Number of members added 1
    -------------------------

    # ipa netgroup-add ng788625_container --desc=container
    -----------------------------------
    Added netgroup "ng788625_container"
    -----------------------------------
      Netgroup name: ng788625_container
      Description: container
      NIS domain name: testrelm.com
      IPA unique ID: 8d19d650-7368-11e1-9ce1-0019bbea4c2b

    # ipa netgroup-add-member ng788625_container --netgroups=ng788625
      Netgroup name: ng788625_container
      Description: container
      NIS domain name: testrelm.com
      Member netgroups: ng788625
    -------------------------
    Number of members added 1
    -------------------------

    # echo ******** | ipa-compat-manage enable
    Plugin already Enabled

    # echo ******** | ipa-nis-manage enable
    Enabling plugin
    This setting will not take effect until you restart Directory Server.
    The rpcbind service may need to be started.

    # service rpcbind restart
    Stopping rpcbind: [ OK ]
    Starting rpcbind: [ OK ]

    # service dirsrv restart
    Shutting down dirsrv:
        PKI-IPA...[ OK ]
        TESTRELM-COM...[ OK ]
    Starting dirsrv:
        PKI-IPA...[ OK ]
        TESTRELM-COM...[ OK ]

    # ypcat -d $DOMAIN -h localhost -k netgroup | grep ^ng788625
    ng788625_container ng788625
    ng788625 (-,admin,testrelm.com)
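The dse.ldif edit from the workaround above, as an added example that is not part of the original bug report or of the FreeIPA fix: dse.ldif stores long lines folded (the `cn=confi` / ` g` break in the snippets), so a plain search for `%{memberNisNetgroup}` can miss a token split across two lines; this code unfolds the text first and rewrites only the netgroup map entry. The function names, the 78-column fold width and the sample entry (including its `CONSTRUCTED-REMAINDER` tail) are assumptions made for illustration.

```python
OLD = "%{memberNisNetgroup}"
NEW = r'%deref_f(\"member\",\"(objectclass=ipanisNetgroup)\",\"cn\")'

# Constructed sample: only the dn and the start of nis-value-format come from
# the report; the fold inside the token and everything after it are made up.
SAMPLE = '''dn: nis-domain=testrelm.com+nis-map=netgroup,cn=NIS Server,cn=plugins,cn=confi
 g
objectClass: top
objectClass: extensibleObject
nis-value-format: %merge(" ","%{memberNisNet
 group}","CONSTRUCTED-REMAINDER")

dn: cn=other,cn=plugins,cn=config
description: mentions %{memberNisNetgroup} but is not the netgroup map
'''

def unfold(text):
    """Join LDIF continuation lines (one leading space) onto their parent."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def fold(line, width=78):
    """Re-wrap one logical line; continuation lines start with one space."""
    out, rest = [line[:width]], line[width:]
    while rest:
        out.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return out

def patch_netgroup_map(text, domain):
    """Return (new_text, replacements); only the netgroup map entry changes."""
    target = ("nis-domain=%s+nis-map=netgroup,cn=NIS Server,"
              "cn=plugins,cn=config" % domain).lower()
    out, in_target, changed = [], False, 0
    for line in unfold(text):
        if line.lower().startswith("dn:"):
            in_target = line[3:].strip().lower() == target
        elif not line.strip():
            in_target = False  # a blank line ends the current entry
        elif in_target and line.lower().startswith("nis-value-format:"):
            changed += line.count(OLD)
            line = line.replace(OLD, NEW)
        out.extend(fold(line))
    return "\n".join(out) + "\n", changed
```

Run it against a copy of dse.ldif while dirsrv is stopped, as in the workaround, then confirm the result with the `ypcat` command from the report.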
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.
New Contents:
No documentation needed.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0819.html