Bug 1386539 - cannot delete external host from a netgroup if a host with the same name exists.
Keywords:
Status: CLOSED UPSTREAM
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: ipa
Version: 8.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: IPA Maintainers
QA Contact: Kaleem
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-10-19 08:38 UTC by German Parente
Modified: 2021-10-22 14:54 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-10-22 14:54:50 UTC
Type: Bug
Target Upstream Version:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker FREEIPA-7014 0 None None None 2021-10-03 13:58:58 UTC

Description German Parente 2016-10-19 08:38:38 UTC
Description of problem:

Hi, this is a very simple bug to reproduce and fix.

externalhost: A 

non fully qualified in a netgroup

ipa host-add A.DOMAIN

if I do: 

ipa netgroup-remove-member mynetgroup
[member host]: A

It will fail because, as it's finding the host under "cn=computers", the command line will try to remove the host instead of the externalhost attribute.

See the details below.


Version-Release number of selected component (if applicable): 

ipa-server-4.2.0-15.el7.x86_64



Steps to Reproduce:

[root@dell-r530-10 ~]# ipa netgroup-show mynetgroup --raw --all
  dn: ipaUniqueID=e4b744ec-95c8-11e6-a92f-1866da5af007,cn=ng,cn=alt,dc=testrelm,dc=test
  cn: mynetgroup
  nisdomainname: testrelm.test
  externalhost: mynode
  ipaUniqueID: e4b744ec-95c8-11e6-a92f-1866da5af007
  objectClass: ipaassociation
  objectClass: ipaobject
  objectClass: ipanisnetgroup


external host called mynode

+ host added with the same name:

ipa host-add mynode.testrealm.test --force
----------------------------------
Added host "mynode.testrealm.test"
----------------------------------
  Host name: mynode.testrealm.test
  Principal name: host/mynode.testrealm.test
  Password: False
  Keytab: False
  Managed by: mynode.testrealm.test


 ipa host-show mynode --raw --all
  dn: fqdn=mynode.testrealm.test,cn=computers,cn=accounts,dc=testrelm,dc=test
  fqdn: mynode.testrealm.test
  krbprincipalname: host/mynode.testrealm.test
  has_password: FALSE
  has_keytab: FALSE
  managedby: fqdn=mynode.testrealm.test,cn=computers,cn=accounts,dc=testrelm,dc=test
  cn: mynode.testrealm.test
  ipaUniqueID: 6fa5b3e4-95ca-11e6-9c7a-1866da5af007
  managing: fqdn=mynode.testrealm.test,cn=computers,cn=accounts,dc=testrelm,dc=test
  objectClass: ipaobject
  objectClass: ieee802device
  objectClass: nshost
  objectClass: ipaservice
  objectClass: pkiuser
  objectClass: ipahost
  objectClass: krbprincipal
  objectClass: krbprincipalaux
  objectClass: ipasshhost
  objectClass: top
  objectClass: ipaSshGroupOfPubKeys
  serverHostName: mynode
[root@dell-r530-10 ~]# 


Now, there's no way to delete the externalhost:


[root@dell-r530-10 ~]# ipa netgroup-remove-member mynetgroup
[member user]: 
[member group]: 
[member host]: mynode
[member host group]: 
[member netgroup]: 
  Netgroup name: mynetgroup
  NIS domain name: testrelm.test
  External host: mynode
  Failed hosts/hostgroups: 
    member host: mynode.testrealm.test: This entry is not a member
    member host group: 
---------------------------
Number of members removed 0
---------------------------

What we see is that the client application searches if there's a host already called mynode:

[19/Oct/2016:12:47:44 +051800] conn=40 op=7 SRCH base="cn=computers,cn=accounts,dc=testrelm,dc=test" scope=2 filter="(&(&(objectClass=ipaobject)(objectClass=nshost)(objectClass=ipahost)(objectClass=pkiuser)(objectClass=ipaservice))(serverHostName=mynode))" attrs=""
[19/Oct/2016:12:47:44 +051800] conn=40 op=7 RESULT err=0 tag=101 nentries=1 etime=0

So, it will try to apply the MOD operation on a "host" attribute and not an externalhost and it will fail:

[19/Oct/2016:12:47:44 +051800] conn=40 op=10 MOD dn="ipaUniqueID=e4b744ec-95c8-11e6-a92f-1866da5af007,cn=ng,cn=alt,dc=testrelm,dc=test"
[19/Oct/2016:12:47:44 +051800] conn=40 op=10 RESULT err=16 tag=103 nentries=0 etime=0 csn=58071e19000200040000

err=16 ===> LDAP_NO_SUCH_ATTRIBUTE 


Workaround is very simple:

ldapmodify -D "cn=directory manager" -w Secret123
dn: ipaUniqueID=e4b744ec-95c8-11e6-a92f-1866da5af007,cn=ng,cn=alt,dc=testrelm,dc=test
changetype: modify
delete: externalhost
externalhost: mynode
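
An added example, not part of the original report and not FreeIPA code: a small Python correlator for the 389-ds access-log pattern shown above, where a host search under cn=computers returns one entry and a netgroup MOD on the same connection then fails with err=16. The sample log lines and DNs are constructed, and the name find_shadowed_removals is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in 389-ds access-log format, modelled on the lines in the report.
SAMPLE_LOG = '''\
[19/Oct/2016:12:47:44 +0000] conn=40 op=7 SRCH base="cn=computers,cn=accounts,dc=example,dc=test" scope=2 filter="(&(objectClass=ipahost)(serverHostName=mynode))" attrs=""
[19/Oct/2016:12:47:44 +0000] conn=40 op=7 RESULT err=0 tag=101 nentries=1 etime=0
[19/Oct/2016:12:47:44 +0000] conn=40 op=10 MOD dn="ipaUniqueID=00000000-0000-0000-0000-000000000001,cn=ng,cn=alt,dc=example,dc=test"
[19/Oct/2016:12:47:44 +0000] conn=40 op=10 RESULT err=16 tag=103 nentries=0 etime=0
[19/Oct/2016:12:48:02 +0000] conn=41 op=3 MOD dn="ipaUniqueID=00000000-0000-0000-0000-000000000002,cn=ng,cn=alt,dc=example,dc=test"
[19/Oct/2016:12:48:02 +0000] conn=41 op=3 RESULT err=0 tag=103 nentries=0 etime=0
'''

LINE = re.compile(r'^\[[^\]]+\] conn=(\d+) op=(\d+) (SRCH|MOD|RESULT) (.*)$')
ERR_NO_SUCH_ATTRIBUTE = 16  # the err=16 reported in the bug

def find_shadowed_removals(log_text):
    """Return (conn, netgroup_dn, short_name) for each failed netgroup MOD that follows a host-name hit."""
    pending = {}                    # (conn, op) -> (request kind, value) awaiting its RESULT line
    host_hits = defaultdict(list)   # conn -> short names whose host search matched exactly one entry
    findings = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        conn, op, kind, rest = int(m[1]), int(m[2]), m[3], m[4]
        if kind == "SRCH":
            name = re.search(r'\(serverHostName=([^)]+)\)', rest)
            base = re.search(r'base="([^"]*)"', rest)
            if name and base and base[1].lower().startswith("cn=computers,"):
                pending[conn, op] = ("SRCH", name[1])
        elif kind == "MOD":
            dn = re.search(r'dn="([^"]*)"', rest)
            if dn and ",cn=ng,cn=alt," in dn[1].lower():
                pending[conn, op] = ("MOD", dn[1])
        elif (conn, op) in pending:  # RESULT line for a request we are tracking
            req_kind, value = pending.pop((conn, op))
            err = re.search(r'\berr=(-?\d+)', rest)
            code = int(err[1]) if err else None
            if req_kind == "SRCH" and code == 0 and re.search(r'\bnentries=1\b', rest):
                host_hits[conn].append(value)
            elif req_kind == "MOD" and code == ERR_NO_SUCH_ATTRIBUTE and host_hits[conn]:
                findings.append((conn, value, host_hits[conn][-1]))
    return findings

if __name__ == "__main__":
    for conn, dn, name in find_shadowed_removals(SAMPLE_LOG):
        print(f"conn={conn}: MOD on {dn} failed with err=16 after host lookup for '{name}'")
```

A match is only a candidate: confirm with `ipa netgroup-show <name> --raw --all` that the short name is still present as an externalhost value on the netgroup.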

Comment 3 Petr Vobornik 2016-10-31 09:24:28 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/6440

