Bug 1390757 - automember-rebuild crashes
Summary: automember-rebuild crashes
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.2
Hardware: All
OS: All
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: IPA Maintainers
QA Contact: Kaleem
Docs Contact: Marc Muehlfeld
URL:
Whiteboard:
Depends On:
Blocks: 1298243 1638373 1647919 1659499
Reported: 2016-11-01 20:28 UTC by Amy Farley
Modified: 2022-03-13 14:08 UTC (History)

Fixed In Version: ipa-4.6.5-1.el7
Doc Type: Enhancement
Doc Text:
A command to detect and remove orphaned automember rules has been added to IdM

Automember rules in Identity Management (IdM) can refer to a hostgroup or a group that has been deleted. Previously, the `ipa automember-rebuild` command failed unexpectedly, and it was difficult to diagnose the reason for the failure. This enhancement adds `ipa automember-find-orphans` to IdM to identify and remove such orphaned automember rules.
Clone Of:
Clones: 1638373 1659499
Environment:
Last Closed: 2019-08-06 13:09:02 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker FREEIPA-7507 0 None None None 2021-12-10 14:50:48 UTC
Red Hat Product Errata RHBA-2019:2241 0 None None None 2019-08-06 13:09:26 UTC

Comment 1 Amy Farley 2016-11-01 20:32:42 UTC
# ipa automember-rebuild --type=hostgroup
ipa: ERROR: Automember rebuild task aborted.  Error (-1): Task DN = 'cn=5167237e-a0ec-424d-b987-ba4108b84d1b,cn=automember rebuild membership,cn=tasks,cn=config'

# rpm -qa | grep -i ipa-server
ipa-server-4.2.0-15.el7_2.6.x86_64
ipa-server-dns-4.2.0-15.el7_2.6.x86_64

errors:

[26/Oct/2016:18:03:18 +0000] get_dom_sid - [file ipa_sidgen_common.c, line 75]: Internal search failed.
[26/Oct/2016:18:03:18 +0000] auto-membership-plugin - automember_add_member_value: Unable to add "fqdn=sugar-app1....s,dc=net" as a "member" value to group "cn=hg-sugar-dev-qa-servers,cn=hostgroups,cn=accounts,dc=...,dc=net" (No such object).

If the hostgroup is deleted, the corresponding automember rule should have been deleted, but it was not.

I have manually removed the automember hostgroup rule, then the automember rebuild process has started working.

Comment 3 Petr Vobornik 2016-11-03 08:44:18 UTC
Also, when there is an automember rule which targets a non-existing hostgroup, then adding a host which matches the rule will also fail with:

"""
Server is unwilling to perform: Automember Plugin update unexpectedly failed.
"""

Comment 4 Petr Vobornik 2016-11-11 15:12:19 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/6476

Comment 6 Rob Crittenden 2018-05-30 15:18:14 UTC
Reproduction steps:

ipa hostgroup-add test

ipa automember-add --type hostgroup test

ipa automember-add-condition --key=fqdn --type=hostgroup --inclusive-regex='^web[1-9]+\.example\.com' test

ipa host-add web1.example.com

ipa hostgroup-show test

ipa automember-rebuild --type hostgroup

ipa hostgroup-del test

ipa automember-rebuild --type hostgroup
ipa: ERROR: Automember rebuild task aborted...

Comment 7 Rob Crittenden 2018-05-30 18:37:18 UTC
You can also reproduce this by creating the automember entry, deleting the hostgroup, then adding a condition.

Trying to add a host entry that matches the condition will also fail:

[30/May/2018:14:34:22.811521568 -0400] - ERR - auto-membership-plugin - automember_add_member_value - Unable to add "fqdn=web1.example.com,cn=computers,cn=accounts,dc=example,dc=com" as a "member" value to group "cn=test,cn=hostgroups,cn=accounts,dc=example,dc=com" (No such object).
[30/May/2018:14:34:22.834836405 -0400] - ERR - auto-membership-plugin - automember_add_member_value - Unable to add "fqdn=web1.example.com,cn=computers,cn=accounts,dc=example,dc=com" as a "member" value to group "cn=test,cn=hostgroups,cn=accounts,dc=example,dc=com" (No such object).

Comment 8 Rob Crittenden 2018-05-30 19:02:52 UTC
I talked to Mark Reynolds about this and suggested that the automembership plugin could reject a delete if its associated host/hostgroup entry exists.

Comment 12 Florence Blanc-Renaud 2018-10-10 07:58:42 UTC
Fixed upstream
master:
https://pagure.io/freeipa/c/7f507519d4acb85c1e8e98bb29e26039751db8ff

Comment 15 Thomas Woerner 2018-11-12 14:23:02 UTC
I am sorry, wrong bug.

Comment 20 anuja 2019-05-14 12:14:33 UTC
Verified using version:
ipa-4.6.5-8.el7

Verified using upstream test automation:

TestAutomemberFindOrphans::test_create_deps_for_find_orphans()
TestAutomemberFindOrphans::test_find_orphan_automember_rules()

Comment 22 anuja 2019-05-14 12:20:59 UTC
Automation exists in:
ipatests/test_xmlrpc/test_automember_plugin.py
test_create_deps_for_find_orphans()
test_find_orphan_automember_rules()

Comment 23 anuja 2019-05-15 07:50:13 UTC
Additional verification step:
Using:
389-ds-base-1.3.9.1-6.el7.x86_64
ipa-server-4.6.5-8.el7.x86_64

[root@master ~]# ipa hostgroup-add test
----------------------
Added hostgroup "test"
----------------------
  Host-group: test
[root@master ~]#  ipa automember-add --type hostgroup test
----------------------------
Added automember rule "test"
----------------------------
  Automember Rule: test
[root@master ~]#  ipa automember-add-condition --key=fqdn --type=hostgroup --inclusive-regex=^web[1-9]+\.testrelm\.test test
----------------------------
Added condition(s) to "test"
----------------------------
  Automember Rule: test
  Inclusive Regex: fqdn=^web[1-9]+.testrelm.test
----------------------------
Number of conditions added 1
----------------------------
[root@master ~]# ipa host-add web9.testrelm.test
-------------------------------
Added host "web9.testrelm.test"
-------------------------------
  Host name: web9.testrelm.test
  Principal name: host/web9.testrelm.test
  Principal alias: host/web9.testrelm.test
  Password: False
  Member of host-groups: test
  Indirect Member of netgroup: test
  Keytab: False
  Managed by: web9.testrelm.test
[root@master ~]# ipa hostgroup-show test
  Host-group: test
  Member hosts: web9.testrelm.test
[root@master ~]# 
[root@master ~]# ipa hostgroup-del test
------------------------
Deleted hostgroup "test"
------------------------
[root@master ~]# 
[root@master ~]# ipa automember-find-orphans
Grouping Type: hostgroup
---------------
1 rules matched
---------------
  Automember Rule: test
  Inclusive Regex: fqdn=^web[1-9]+.testrelm.test
----------------------------
Number of entries returned 1
----------------------------
[root@master ~]# 
[root@master ~]# ipa automember-del --type hostgroup test
------------------------------
Deleted automember rule "test"
------------------------------
[root@master ~]# ipa automember-find-orphans hostgroup
Grouping Type: hostgroup
---------------
0 rules matched
---------------
----------------------------
Number of entries returned 0
----------------------------

[root@master ~]# ipa automember-rebuild --type hostgroup
--------------------------------------------------------
Automember rebuild task finished. Processed (2) entries.
--------------------------------------------------------
[root@master ~]#
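
Added example (not part of this bug report or of FreeIPA's code): a triage script for the directory server error-log signature quoted in Comments 1 and 7, which maps each failed member add to the missing target group and lists the `ipa` commands from this report to confirm and delete the rule. The function names are hypothetical, the last sample log line is constructed, and the script assumes an automember rule carries the same name as its target group, as in the reproduction steps above.

```python
import re
import shlex
from collections import Counter

# 389-ds error-log line written when an automember rule's target group is gone.
# Covers both layouts seen in this report (2016: "...value:", 2018: "...value -").
ORPHAN_RE = re.compile(
    r'auto-membership-plugin - automember_add_member_value\s*[:-]\s*'
    r'Unable to add "[^"]+" as a "member" value to group '
    r'"(?P<group>[^"]+)" \(No such object\)')

# Container RDN of the missing group -> value for the ipa --type option.
CONTAINER_TYPE = {"cn=hostgroups": "hostgroup", "cn=groups": "group"}

# First four lines are copied from this report; the last one is constructed.
SAMPLE_LOG = '''\
[26/Oct/2016:18:03:18 +0000] get_dom_sid - [file ipa_sidgen_common.c, line 75]: Internal search failed.
[26/Oct/2016:18:03:18 +0000] auto-membership-plugin - automember_add_member_value: Unable to add "fqdn=sugar-app1....s,dc=net" as a "member" value to group "cn=hg-sugar-dev-qa-servers,cn=hostgroups,cn=accounts,dc=...,dc=net" (No such object).
[30/May/2018:14:34:22.811521568 -0400] - ERR - auto-membership-plugin - automember_add_member_value - Unable to add "fqdn=web1.example.com,cn=computers,cn=accounts,dc=example,dc=com" as a "member" value to group "cn=test,cn=hostgroups,cn=accounts,dc=example,dc=com" (No such object).
[30/May/2018:14:34:22.834836405 -0400] - ERR - auto-membership-plugin - automember_add_member_value - Unable to add "fqdn=web1.example.com,cn=computers,cn=accounts,dc=example,dc=com" as a "member" value to group "cn=test,cn=hostgroups,cn=accounts,dc=example,dc=com" (No such object).
[30/May/2018:14:40:00.000000000 -0400] - ERR - auto-membership-plugin - automember_add_member_value - Unable to add "uid=jdoe,cn=users,cn=accounts,dc=example,dc=com" as a "member" value to group "cn=devs,cn=groups,cn=accounts,dc=example,dc=com" (No such object).
'''.splitlines()

def find_missing_targets(lines):
    """Count failed member adds per (type, group name) whose group is missing."""
    hits = Counter()
    for line in lines:
        m = ORPHAN_RE.search(line)
        if not m:
            continue
        # Naive DN split on unescaped commas; enough for IPA group DNs.
        rdns = [r.strip() for r in re.split(r'(?<!\\),', m.group("group"))]
        if len(rdns) < 2 or not rdns[0].lower().startswith("cn="):
            continue
        gtype = CONTAINER_TYPE.get(rdns[1].lower())
        if gtype:
            hits[(gtype, rdns[0][3:])] += 1
    return dict(hits)

def review_commands(hits):
    """Commands to confirm, then delete, each suspect rule (assumes rule name == group name)."""
    cmds = []
    for (gtype, name), count in sorted(hits.items()):
        cmds.append(f"ipa automember-find-orphans --type={gtype}  # {count} failed add(s) for {name}")
        cmds.append(f"ipa automember-del --type {gtype} {shlex.quote(name)}")
    return cmds

if __name__ == "__main__":
    print("\n".join(review_commands(find_missing_targets(SAMPLE_LOG))))
```

Run `ipa automember-find-orphans` first and delete a rule only if it is listed there; the log line alone shows that the target group was missing at the time of the failed add, not that it is still missing.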

Comment 27 errata-xmlrpc 2019-08-06 13:09:02 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2241

