Bug 1441593 - error adding authenticator indicators to host
Summary: error adding authenticator indicators to host
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.4
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Pavel Picka
QA Contact: Pavel Picka
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-04-12 09:49 UTC by German Parente
Modified: 2017-08-01 09:48 UTC (History)
7 users (show)

Fixed In Version: ipa-4.5.0-12.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-08-01 09:48:56 UTC
Target Upstream Version:


Attachments (Terms of Use)
output (1.51 KB, text/plain)
2017-06-06 12:52 UTC, Pavel Picka
no flags Details


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:2304 normal SHIPPED_LIVE ipa bug fix and enhancement update 2017-08-01 12:41:35 UTC

Description German Parente 2017-04-12 09:49:26 UTC
Description of problem:

customer is having an error of attribute value already exists while doing:

ipa host-mod --auth-ind=otp <host>

We have enabled "fail audit log" and we had the exact operation that is failing and that is being attempted by the command line:

=======================================================
time: 20170412101350
dn: fqdn=rhtest2.ncsd.corp,cn=computers,cn=accounts,dc=ipa,dc=ncsd,dc=corp
result: 20
changetype: modify
add: objectClass
objectClass: krbprincipalaux
-
replace: krbPrincipalAuthInd
krbPrincipalAuthInd: otp
-
replace: modifiersname
modifiersname: uid=extsyto,cn=users,cn=accounts,dc=ipa,dc=ncsd,dc=corp
-
replace: modifytimestamp
modifytimestamp: 20170412071350Z
-
replace: entryusn
entryusn: 453907
-
=======================================================

It's quite evident that error 20 is because of 
==============================
add: objectClass
objectClass: krbprincipalaux
==============================

that already exists in the entry.

I have tried to reproduce it on my side but I had not the same modify operation:

=================================================
time: 20170412043112
dn: fqdn=newhost.cgparente.local,cn=computers,cn=accounts,dc=cgparente,dc=local
result: 0
changetype: modify
replace: krbPrincipalAuthInd
krbPrincipalAuthInd: otp
-
replace: modifiersname
modifiersname: uid=admin,cn=users,cn=accounts,dc=cgparente,dc=local
-
replace: modifytimestamp
modifytimestamp: 20170412083112Z
-
replace: entryusn
entryusn: 39407
-
===================================================

For a certain reason, something provoked the objectclass add that drove to the err=20 in customer environment.

Customer is running same version than me.


Version-Release number of selected component (if applicable): ipa-server-4.4.0-14.el7_3.6.x86_64


How reproducible: only customer.


Steps to Reproduce: just add the otp indicator to a host.

Comment 2 Petr Vobornik 2017-04-13 17:10:28 UTC
A theory: I'm not sure if objectclasses attr is normalized to lower case chars. If not then following can be the culprit:

ipaserver/plugins/host.py:

        if 'krbprincipalauthind' in entry_attrs:
            if 'objectclass' not in entry_attrs:
                entry_attrs_old = ldap.get_entry(dn, ['objectclass'])
                entry_attrs['objectclass'] = entry_attrs_old['objectclass']
            if 'krbprincipalaux' not in entry_attrs['objectclass']:
                entry_attrs['objectclass'].append('krbprincipalaux')

I.e. the entry has: 
objectClass: ipaobject
objectClass: nshost
objectClass: ipahost
objectClass: pkiuser
objectClass: ipaservice
objectClass: ieee802device
objectClass: ipasshhost
objectClass: top
objectClass: ipaSshGroupOfPubKeys
objectClass: krbPrincipalAux
objectClass: krbticketpolicyaux

So, krbPrincipalAux is not krbprincipalaux and therefore it tries to add krbprincipalaux which results in error 20.

Comment 3 German Parente 2017-04-18 14:41:03 UTC
I have confirmed your assumption:

1) 

ipa host-add testnewhost.gparente.local --raw --all --force 

2) 

ldapmodify -D "cn=directory manager" -w secret12 << EOF
dn: fqdn=testnewhost.gparente.local,cn=computers,cn=accounts,dc=gparente,dc=local
changetype: modify
replace: objectclass
objectClass: ipaobject
objectClass: ieee802device
objectClass: nshost
objectClass: ipaservice
objectClass: pkiuser
objectClass: ipahost
objectClass: krbprincipal
objectClass: KrbPrincipalAux
objectClass: ipasshhost
objectClass: top
objectClass: ipaSshGroupOfPubKeys
EOF

ipa host-mod --auth-ind=otp testnewhost.gparente.local

Fails.

This diff is fixing the bug:


diff /usr/lib/python2.7/site-packages/ipaserver/plugins/host.py.ori /usr/lib/python2.7/site-packages/ipaserver/plugins/host.py
962c962
<             if 'krbprincipalaux' not in entry_attrs['objectclass']:
---
>             if 'krbprincipalaux' not in set(obj.lower() for obj in entry_attrs['objectclass']):

Comment 5 Mike LoSapio 2017-04-19 18:15:37 UTC
Confirming this as a bug as well and the fix you noted worked for me.

Comment 6 Petr Vobornik 2017-04-28 12:46:24 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/6911

Comment 7 fbarreto 2017-05-03 17:27:40 UTC
Done in https://github.com/freeipa/freeipa/pull/761

Comment 10 Pavel Picka 2017-06-06 12:52:40 UTC
Created attachment 1285365 [details]
output

Verified ipa-server-4.5.0-14.el7.x86_64

Comment 11 errata-xmlrpc 2017-08-01 09:48:56 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304


Note You need to log in before you can comment on or make changes to this bug.