Red Hat Bugzilla – Bug 1441593
error adding authenticator indicators to host
Last modified: 2017-08-01 05:48:56 EDT
Description of problem:

Customer is having an error of "attribute value already exists" while doing:

  ipa host-mod --auth-ind=otp <host>

We have enabled "fail audit log" and we had the exact operation that is failing and that is being attempted by the command line:

=======================================================
time: 20170412101350
dn: fqdn=rhtest2.ncsd.corp,cn=computers,cn=accounts,dc=ipa,dc=ncsd,dc=corp
result: 20
changetype: modify
add: objectClass
objectClass: krbprincipalaux
-
replace: krbPrincipalAuthInd
krbPrincipalAuthInd: otp
-
replace: modifiersname
modifiersname: uid=extsyto,cn=users,cn=accounts,dc=ipa,dc=ncsd,dc=corp
-
replace: modifytimestamp
modifytimestamp: 20170412071350Z
-
replace: entryusn
entryusn: 453907
-
=======================================================

It's quite evident that error 20 is because of

==============================
add: objectClass
objectClass: krbprincipalaux
==============================

which already exists in the entry.

I have tried to reproduce it on my side but I did not get the same modify operation:

=================================================
time: 20170412043112
dn: fqdn=newhost.cgparente.local,cn=computers,cn=accounts,dc=cgparente,dc=local
result: 0
changetype: modify
replace: krbPrincipalAuthInd
krbPrincipalAuthInd: otp
-
replace: modifiersname
modifiersname: uid=admin,cn=users,cn=accounts,dc=cgparente,dc=local
-
replace: modifytimestamp
modifytimestamp: 20170412083112Z
-
replace: entryusn
entryusn: 39407
-
===================================================

For a certain reason, something provoked the objectClass add that led to the err=20 in the customer environment. Customer is running the same version as me.

Version-Release number of selected component (if applicable):
ipa-server-4.4.0-14.el7_3.6.x86_64

How reproducible:
only customer.

Steps to Reproduce:
just add the otp indicator to a host.
A theory: I'm not sure if the objectclass attribute values are normalized to lower-case characters. If not, then the following can be the culprit, in ipaserver/plugins/host.py:

    if 'krbprincipalauthind' in entry_attrs:
        if 'objectclass' not in entry_attrs:
            entry_attrs_old = ldap.get_entry(dn, ['objectclass'])
            entry_attrs['objectclass'] = entry_attrs_old['objectclass']
        if 'krbprincipalaux' not in entry_attrs['objectclass']:
            entry_attrs['objectclass'].append('krbprincipalaux')

I.e. the entry has:

    objectClass: ipaobject
    objectClass: nshost
    objectClass: ipahost
    objectClass: pkiuser
    objectClass: ipaservice
    objectClass: ieee802device
    objectClass: ipasshhost
    objectClass: top
    objectClass: ipaSshGroupOfPubKeys
    objectClass: krbPrincipalAux
    objectClass: krbticketpolicyaux

So, krbPrincipalAux is not krbprincipalaux and therefore it tries to add krbprincipalaux, which results in error 20.
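The mechanism described in the theory above, as an added worked example that is not code from the bug report or from FreeIPA: a small in-memory model of the host entry and of how a directory server applies an `add: objectClass` for a case-insensitive attribute, run once with the original exact-match check and once with a lowercased comparison. The entry contents are constructed from the objectClass list quoted in the comment; the function names, the `BARE_ENTRY` sample and the server model are assumptions for illustration only.

```python
# Added example (not from the bug report or FreeIPA): reproduces the err=20
# path of `ipa host-mod --auth-ind=otp` against a tiny model of an LDAP entry
# and shows the case-sensitive and case-insensitive objectClass checks side by side.

LDAP_SUCCESS = 0
LDAP_ATTRIBUTE_OR_VALUE_EXISTS = 20   # result code seen in the customer's audit log

# Constructed from the objectClass values quoted in the comment above
# (note the mixed-case "krbPrincipalAux").
CUSTOMER_ENTRY = {
    "objectclass": [
        "ipaobject", "nshost", "ipahost", "pkiuser", "ipaservice",
        "ieee802device", "ipasshhost", "top", "ipaSshGroupOfPubKeys",
        "krbPrincipalAux", "krbticketpolicyaux",
    ],
}

# Constructed (assumption): a host that really lacks the auxiliary class.
BARE_ENTRY = {
    "objectclass": ["ipaobject", "nshost", "ipahost", "top"],
}


def needs_krbprincipalaux_buggy(objectclasses):
    """Exact string match, as in the quoted host.py snippet."""
    return "krbprincipalaux" not in objectclasses


def needs_krbprincipalaux_fixed(objectclasses):
    """objectClass values match case-insensitively in LDAP, so compare lowercased."""
    return "krbprincipalaux" not in {oc.lower() for oc in objectclasses}


def ldap_add_values(entry, attr, values):
    """Model of a directory server applying 'add: <attr>' for an attribute whose
    values match case-insensitively: if any value is already present the whole
    operation fails with result 20 and the entry is left untouched."""
    existing = {v.lower() for v in entry.get(attr, [])}
    if any(v.lower() in existing for v in values):
        return LDAP_ATTRIBUTE_OR_VALUE_EXISTS
    entry.setdefault(attr, []).extend(values)
    return LDAP_SUCCESS


def host_mod_auth_ind(entry, indicator, needs_aux):
    """Mimic the plugin's pre_callback for --auth-ind: add the krbprincipalaux
    objectClass only if `needs_aux` says it is missing, then replace
    krbPrincipalAuthInd. Returns the LDAP result code of the modify; on failure
    nothing is written, as with a real single modify operation."""
    work = {k: list(v) for k, v in entry.items()}      # scratch copy of the entry
    if needs_aux(work["objectclass"]):
        rc = ldap_add_values(work, "objectclass", ["krbprincipalaux"])
        if rc != LDAP_SUCCESS:
            return rc
    work["krbprincipalauthind"] = [indicator]          # a 'replace' always succeeds here
    entry.clear()
    entry.update(work)
    return LDAP_SUCCESS


if __name__ == "__main__":
    for name, check in (("buggy", needs_krbprincipalaux_buggy),
                        ("fixed", needs_krbprincipalaux_fixed)):
        e = {k: list(v) for k, v in CUSTOMER_ENTRY.items()}
        print(name, "customer entry ->", host_mod_auth_ind(e, "otp", check))
        b = {k: list(v) for k, v in BARE_ENTRY.items()}
        print(name, "bare entry ->", host_mod_auth_ind(b, "otp", check),
              b["objectclass"])
```

Running it shows the customer entry failing with 20 under the exact-match check and succeeding under the lowercased one, while a host that genuinely lacks the auxiliary class gets it appended under both checks.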
I have confirmed your assumption:

1) ipa host-add testnewhost.gparente.local --raw --all --force

2) ldapmodify -D "cn=directory manager" -w secret12 << EOF
dn: fqdn=testnewhost.gparente.local,cn=computers,cn=accounts,dc=gparente,dc=local
changetype: modify
replace: objectclass
objectClass: ipaobject
objectClass: ieee802device
objectClass: nshost
objectClass: ipaservice
objectClass: pkiuser
objectClass: ipahost
objectClass: krbprincipal
objectClass: KrbPrincipalAux
objectClass: ipasshhost
objectClass: top
objectClass: ipaSshGroupOfPubKeys
EOF

3) ipa host-mod --auth-ind=otp testnewhost.gparente.local

Fails. This diff is fixing the bug:

diff /usr/lib/python2.7/site-packages/ipaserver/plugins/host.py.ori /usr/lib/python2.7/site-packages/ipaserver/plugins/host.py
962c962
< if 'krbprincipalaux' not in entry_attrs['objectclass']:
---
> if 'krbprincipalaux' not in set(obj.lower() for obj in entry_attrs['objectclass']):
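Review bot: the lowercased set fixes the value comparison, but the line deserves a short comment saying why, since a later reader may "simplify" it back: objectClass values match case-insensitively in the directory, so an entry can legitimately carry `krbPrincipalAux` (the customer's entry) or `KrbPrincipalAux` (the ldapmodify reproducer above), and an exact-string check then adds a duplicate that the server rejects with result 20. A set comprehension `{obj.lower() for obj in ...}` reads a little cleaner than `set(...)` here, and if other plugins do the same membership test on objectClass, a shared helper would keep them from repeating the bug.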
Confirming this as a bug as well and the fix you noted worked for me.
Upstream ticket: https://pagure.io/freeipa/issue/6911
Done in https://github.com/freeipa/freeipa/pull/761
Fixed upstream master: https://pagure.io/freeipa/c/d51af28bdbef8386b6d3bde683be2fc5f73b904e ipa-4-5: https://pagure.io/freeipa/c/81ae5f4d655bb052c6c0961760dba34e70dcd3c3
Created attachment 1285365: output

Verified ipa-server-4.5.0-14.el7.x86_64
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:2304