Bug 1286781 - ipa-nis-manage does not update ldap with all NIS maps
Summary: ipa-nis-manage does not update ldap with all NIS maps
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.2
Hardware: All
OS: Linux
urgent
urgent
Target Milestone: rc
: ---
Assignee: IPA Maintainers
QA Contact: Namita Soman
URL:
Whiteboard:
Depends On:
Blocks: 1298098
TreeView+ depends on / blocked
 
Reported: 2015-11-30 17:46 UTC by Scott Poore
Modified: 2019-12-16 05:08 UTC (History)
8 users (show)

Fixed In Version: ipa-4.2.0-16.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 1298098 (view as bug list)
Environment:
Last Closed: 2016-11-04 05:41:48 UTC
Target Upstream Version:

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:2404 normal SHIPPED_LIVE ipa bug fix and enhancement update 2016-11-03 13:56:18 UTC

Description Scott Poore 2015-11-30 17:46:59 UTC 
Description of problem:

NIS maps are not being added when ipa-nis-manage is run on a freshly installed IPA server.

Version-Release number of selected component (if applicable):
ipa-server-4.2.0-15.el7_2.3.x86_64

How reproducible:
always

Steps to Reproduce:
1.  ipa-server-install
2.  ipa-nis-manage enable
3.  systemctl restart dirsrv.target
4.  ldapsearch -H ldapi://%2fvar%2frun%2fslapd-TESTRELM-TEST.socket -b cn=NIS\ Server,cn=plugins,cn=config dn

Actual results:
Only see a couple maps listed.  Do not see passwd, group, or netgroup maps.

[root@rhel7-1 ~]# ipa-nis-manage enable
Directory Manager password: 

Enabling plugin
This setting will not take effect until you restart Directory Server.
The portmap service may need to be started.
[root@rhel7-1 ~]# systemctl restart dirsrv.target

[root@rhel7-1 ~]# ldapsearch -xLLL -D "cn=Directory Manager" -w Secret123 -b "cn=NIS Server,cn=plugins,cn=config" dn
dn: cn=NIS Server,cn=plugins,cn=config

dn: nis-domain=testrelm.test+nis-map=ethers.byaddr,cn=NIS Server,cn=plugins,cn
 =config

dn: nis-domain=testrelm.test+nis-map=ethers.byname,cn=NIS Server,cn=plugins,cn
 =config


Expected results:
Should see all expected maps.


Additional info:
Comment 1 Scott Poore 2015-11-30 17:58:58 UTC 
Alexander helped me with a workaround for this one:

ipa-nis-manage disable
systemctl stop dirsrv.target
cp /etc/dirsrv/slapd-$SUFFIX/dse.ldif /root/dse.ldif.backup.pre-workaround
vi /etc/dirsrv/slapd-$SUFFIX/dse.ldif
# remove all NIS plugin entries
systemctl start dirsrv.target
ipa-nis-manage enable
systemctl restart dirsrv.target

Now you should be able to see the missing NIS maps.

Alexander explained the problem as ipa-nis-manage not handling the case where its configuration is not fully populated.
Comment 2 Petr Vobornik 2015-12-02 13:17:15 UTC 
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5507
Comment 6 Martin Kosek 2016-01-12 16:00:31 UTC 
Upgrade breakage - high prio/sev.
Comment 10 Scott Poore 2016-07-14 22:20:17 UTC 
Verified.

Version ::

ipa-server-4.4.0-2.1.el7.x86_64

Results ::

[root@rhel7-1 ~]# ipa-nis-manage enable
Directory Manager password: 

Enabling plugin
This setting will not take effect until you restart Directory Server.
The rpcbind service may need to be started.

[root@rhel7-1 ~]# service rpcbind restart
Redirecting to /bin/systemctl restart  rpcbind.service

[root@rhel7-1 ~]# systemctl restart dirsrv@EXAMPLE-COM.service

[root@rhel7-1 ~]# ypcat -d example.com -h $(hostname) passwd
admin:*:137000000:137000000:Administrator:/home/admin:/bin/bash

[root@rhel7-1 ~]# rpm -q ipa-server
ipa-server-4.4.0-2.1.el7.x86_64

[root@rhel7-1 ~]# ldapsearch -H ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket -b cn=NIS\ Server,cn=plugins,cn=config dn
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <cn=NIS Server,cn=plugins,cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: dn 
#

# NIS Server, plugins, config
dn: cn=NIS Server,cn=plugins,cn=config

# example.com + ethers.byaddr, NIS Server, plugins, config
dn: nis-domain=example.com+nis-map=ethers.byaddr,cn=NIS Server,cn=plugins,cn=c
 onfig

# example.com + ethers.byname, NIS Server, plugins, config
dn: nis-domain=example.com+nis-map=ethers.byname,cn=NIS Server,cn=plugins,cn=c
 onfig

# example.com + group.bygid, NIS Server, plugins, config
dn: nis-domain=example.com+nis-map=group.bygid,cn=NIS Server,cn=plugins,cn=con
 fig

# example.com + group.byname, NIS Server, plugins, config
dn: nis-domain=example.com+nis-map=group.byname,cn=NIS Server,cn=plugins,cn=co
 nfig

# example.com + netgroup, NIS Server, plugins, config
dn: nis-domain=example.com+nis-map=netgroup,cn=NIS Server,cn=plugins,cn=config

# example.com + netid.byname, NIS Server, plugins, config
dn: nis-domain=example.com+nis-map=netid.byname,cn=NIS Server,cn=plugins,cn=co
 nfig

# example.com + passwd.byname, NIS Server, plugins, config
dn: nis-domain=example.com+nis-map=passwd.byname,cn=NIS Server,cn=plugins,cn=c
 onfig

# example.com + passwd.byuid, NIS Server, plugins, config
dn: nis-domain=example.com+nis-map=passwd.byuid,cn=NIS Server,cn=plugins,cn=co
 nfig

# search result
search: 3
result: 0 Success

# numResponses: 10
# numEntries: 9

[root@rhel7-1 ~]#
Comment 12 errata-xmlrpc 2016-11-04 05:41:48 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2404.html
Note You need to log in before you can comment on or make changes to this bug.