Bug 1618845
| Field | Value |
|---|---|
| Summary | ipa user-disable fails with error type or value exists |
| Product | Red Hat Enterprise Linux 7 |
| Component | ipa |
| Version | 7.5 |
| Status | CLOSED WONTFIX |
| Reporter | esawtelle |
| Assignee | IPA Maintainers <ipa-maint> |
| QA Contact | ipa-qe <ipa-qe> |
| CC | abokovoy, esawtelle, fcami, pasik, pcech, pvoborni, rcritten, tscherf |
| Severity | unspecified |
| Priority | unspecified |
| Target Milestone | rc |
| Hardware | Unspecified |
| OS | Unspecified |
| Type | Bug |
| Doc Type | If docs needed, set a value |
| Last Closed | 2019-04-08 12:55:54 UTC |
Can you provide the output of:

```
$ ipa user-show --all --raw some-broken-user
```

Feel free to sanitize the data.

Sorry for the slow response...

```
dn: uid=sedlaar,cn=users,cn=accounts,dc=ace,dc=com
uid: sedlaar
givenname: Aric
sn: Sedlacek
cn: Aric Sedlacek
initials: AS
homedirectory: /home/sedlaar
gecos: Aric Sedlacek
loginshell: /bin/bash
mail: sedlaar
uidnumber: 1000033
gidnumber: 1000033
usercertificate: MIICKTCCAa+gAwIBAgIBBzAKBggqhkjOPQQDAzArMRAwDgYDVQQKDAdhY2UuY29tMRcwFQYDVQQDDA5hY2VzdnIuYWNlLmNvbTAeFw0xNzAxMDkxNjIzMjFaFw0xOTAxMDkxNjIzMjFaMCwxEDAOBgNVBAoMB2FjZS5jb20xGDAWBgNVBAMMD3NlZGxhYXJAYWNlLmNvbTB2MBAGByqGSM49AgEGBSuBBAAiA2IABChS472mHTlo2zOVqmbDuDCyapJ/9FRLm/YiXMZwT1r+7n0z0lJYvfEtGBw0GqX+afSEKLKUkdgGWs6z55U22b6DqJHpFDyzP+L20Qtd30p94c2xWiHToCBFAWNYyf2ZraOBpTCBojAJBgNVHRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUwc/9HF1mhK5enVvp0oERXUglmjYwHwYDVR0jBBgwFoAUU13tEfWjnM1Dzo+fzcAffORiHzAwGgYDVR0RBBMwEYEPc2VkbGFhckBhY2UuY29tMAsGA1UdDwQEAwIF4DAKBggqhkjOPQQDAwNoADBlAjEAkbaRcPhhOqR8AtoViK0wZdC0zlxENVFVMeONL6bJU0JoEGUbvqXY7ZuG6oNNthvxAjBzFEM/PTU6CHxM+rIrgjU4psUFBro+hASVw9vUDn/n7gQxlqzg3gItZr7NcN262nM=
nsaccountlock: FALSE
iscsiconfig: sedlaar;acesvr.ace.com;>]uOQJ[6,_?mI23^;zRR$C[Izyf-HEnNy;q[w6ph,AKsWtplm~;kk(M,4c=+k7KSbcV
cardid: 5012320000130100
has_password: TRUE
has_keytab: TRUE
displayName: Aric Sedlacek
ipaUniqueID: 8dd020ce-d45f-11e6-89e9-109836a56411
krbExtraData: AAK6Dt5Zc2VkbGFhckBBQ0UuQ09NAA==
krbLastFailedAuth: 20171011195550Z
krbLastPwdChange: 20171011122946Z
krbLastSuccessfulAuth: 20171012124140Z
krbLoginFailedCount: 0
krbPasswordExpiration: 20171210122946Z
krbPrincipalName: sedlaar
memberof: cn=ace_firefox,cn=groups,cn=accounts,dc=ace,dc=com
memberof: cn=ace_lvl_nt,cn=groups,cn=accounts,dc=ace,dc=com
memberof: cn=ipausers,cn=groups,cn=accounts,dc=ace,dc=com
memberof: cn=ace_room_allthin,cn=groups,cn=accounts,dc=ace,dc=com
memberof: cn=ace_lvl_a,cn=groups,cn=accounts,dc=ace,dc=com
memberof: cn=ace_terminal,cn=groups,cn=accounts,dc=ace,dc=com
memberof: cn=ace_room_allthick,cn=groups,cn=accounts,dc=ace,dc=com
memberof: cn=ace_room_allnets,cn=groups,cn=accounts,dc=ace,dc=com
memberof: cn=ace_lvl_dt,cn=groups,cn=accounts,dc=ace,dc=com
memberof: cn=ace_lvl_at,cn=groups,cn=accounts,dc=ace,dc=com
memberofindirect: cn=Read nt Info,cn=roles,cn=accounts,dc=ace,dc=com
memberofindirect: cn=Read allthick Info,cn=privileges,cn=pbac,dc=ace,dc=com
memberofindirect: cn=ACE USB Read,cn=permissions,cn=pbac,dc=ace,dc=com
memberofindirect: cn=Read at Info,cn=roles,cn=accounts,dc=ace,dc=com
memberofindirect: cn=Read allthick Info,cn=roles,cn=accounts,dc=ace,dc=com
memberofindirect: cn=Read nt Info,cn=privileges,cn=pbac,dc=ace,dc=com
memberofindirect: ipaUniqueID=21474f90-d428-11e6-a675-109836a56411,cn=hbac,dc=ace,dc=com
memberofindirect: cn=Read a Info,cn=privileges,cn=pbac,dc=ace,dc=com
memberofindirect: cn=ACE USB Read,cn=privileges,cn=pbac,dc=ace,dc=com
memberofindirect: cn=Read allnets Info,cn=permissions,cn=pbac,dc=ace,dc=com
memberofindirect: cn=Read a Info,cn=roles,cn=accounts,dc=ace,dc=com
memberofindirect: cn=Read at Info,cn=permissions,cn=pbac,dc=ace,dc=com
memberofindirect: cn=Read allnets Info,cn=roles,cn=accounts,dc=ace,dc=com
memberofindirect: ipaUniqueID=2a049da4-d428-11e6-a0ee-109836a56411,cn=hbac,dc=ace,dc=com
memberofindirect: cn=Read a Info,cn=permissions,cn=pbac,dc=ace,dc=com
memberofindirect: cn=Read dt Info,cn=permissions,cn=pbac,dc=ace,dc=com
memberofindirect: cn=Read at Info,cn=privileges,cn=pbac,dc=ace,dc=com
memberofindirect: cn=Read allthin Info,cn=privileges,cn=pbac,dc=ace,dc=com
memberofindirect: cn=Read nt Info,cn=permissions,cn=pbac,dc=ace,dc=com
memberofindirect: cn=Read allthin Info,cn=permissions,cn=pbac,dc=ace,dc=com
memberofindirect: ipaUniqueID=2b3b30a2-d428-11e6-b457-109836a56411,cn=hbac,dc=ace,dc=com
memberofindirect: cn=Read dt Info,cn=roles,cn=accounts,dc=ace,dc=com
memberofindirect: ipaUniqueID=256eaafa-d428-11e6-aec4-109836a56411,cn=hbac,dc=ace,dc=com
memberofindirect: cn=Read allnets Info,cn=privileges,cn=pbac,dc=ace,dc=com
memberofindirect: ipaUniqueID=22a9c4b2-d428-11e6-b209-109836a56411,cn=hbac,dc=ace,dc=com
memberofindirect: cn=Read allthick Info,cn=permissions,cn=pbac,dc=ace,dc=com
memberofindirect: ipaUniqueID=2c5f6e30-d428-11e6-b6cf-109836a56411,cn=hbac,dc=ace,dc=com
memberofindirect: ipaUniqueID=245fa376-d428-11e6-ae51-109836a56411,cn=hbac,dc=ace,dc=com
memberofindirect: cn=ACE USB Read,cn=roles,cn=accounts,dc=ace,dc=com
memberofindirect: cn=Read allthin Info,cn=roles,cn=accounts,dc=ace,dc=com
memberofindirect: cn=Read dt Info,cn=privileges,cn=pbac,dc=ace,dc=com
mepManagedEntry: cn=sedlaar,cn=groups,cn=accounts,dc=ace,dc=com
objectClass: aceuser
objectClass: ipaobject
objectClass: person
objectClass: top
objectClass: ipasshuser
objectClass: inetorgperson
objectClass: organizationalperson
objectClass: krbticketpolicyaux
objectClass: krbprincipalaux
objectClass: inetuser
objectClass: posixaccount
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
userPrivateKey;binary: MIGkAgEBBDCUc7EMKXoeNJSmNuYLP4EF5YSfEaMcWnP2v0m22cURdQFGSPS1uVOM8zR+SXe88GugBwYFK4EEACKhZANiAAQoUuO9ph05aNszlapmw7gwsmqSf/RUS5v2IlzGcE9a/u59M9JSWL3xLRgcNBql/mn0hCiylJHYBlrOs+eVNtm+g6iR6RQ8sz/i9tELXd9KfeHNsVoh06AgRQFjWMn9ma0=
userPrivateKey;binary: MIGkAgEBBDCUc7EMKXoeNJSmNuYLP4EF5YSfEaMcWnP2v0m22cURdQFGSPS1uVOM8zR+SXe88GugBwYFK4EEACKhZANiAAQoUuO9ph05aNszlapmw7gwsmqSf/RUS5v2IlzGcE9a/u59M9JSWL3xLRgcNBql/mn0hCiylJHYBlrOs+eVNtm+g6iR6RQ8sz/i9tELXd9KfeHNsVoh06AgRQFjWMn9ma0=
```

In this case the user is disabled, nsaccountlock: FALSE

Does it throw the error if you try to both enable and disable the user?

What is strange about it is the error you're seeing is related to a multi-valued attribute and IPA treats this one as single-valued. It would suggest that we are trying to set it to something like ['FALSE','FALSE'].
I think the nsaccountlock FALSE means the account is NOT disabled. Removing the --raw from the command produces:

```
Account Disabled: False
```

When trying to enable the user the error received is:

```
This entry is already enabled
```

Right, the reversed meaning always gets me...

So when the user is enabled (accountlock false) you get the proper error message when trying to enable the user. And when the user is enabled (accountlock false) you get an exception when trying to disable them, is that right?

I corrected your statements slightly:

When the user is enabled (accountlock false) you get the proper error message when trying to enable the user. When the user is DISABLED (accountlock TRUE) you get an exception when trying to disable them, is that right?

Your original statement is true as well: And when the user is enabled (accountlock false) you get an exception when trying to disable them, is that right?

Ignore comments 7 and 8. You are correct in your statements:

So when the user is enabled (accountlock false) you get the proper error message when trying to enable the user. And when the user is enabled (accountlock false) you get an exception when trying to disable them, is that right?

The "type or value exists" means that some MOD is being attempted. The easiest way to see that change attempt is to enable the 389-ds audit log. This can impact performance so I'd propose:

```
kinit someuser
enable audit log
ipa user-disable someotheruser
disable audit log
```

This should also keep the number of changes to sift through at a minimum.
Enable the log:

```
$ ldapmodify -x -D 'cn=Directory Manager' -W
<enter password>
dn: cn=config
changetype: modify
replace: nsslapd-auditlog-logging-enabled
nsslapd-auditlog-logging-enabled: on
<blank line here>
^D
```

Run the ipa user-disable command:

```
$ ipa user-disable someotheruser
```

Then disable the log:

```
$ ldapmodify -x -D 'cn=Directory Manager' -W
<enter password>
dn: cn=config
changetype: modify
replace: nsslapd-auditlog-logging-enabled
nsslapd-auditlog-logging-enabled: off
<blank line here>
^D
```

The log will be in /var/log/dirsrv/slapd-YOUR-REALM/audit. You can just provide the relevant change(s). The 389-ds docs for managing the log(s) are at https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/configuring_logs

You also need to set nsslapd-auditfaillog-logging-enabled to on at the same time.

```
dn: cn=config
changetype: modify
replace: nsslapd-auditlog-logging-enabled
nsslapd-auditlog-logging-enabled: on
-
replace: nsslapd-auditfaillog-logging-enabled
nsslapd-auditfaillog-logging-enabled: on
<blank line here>
```

And the converse to disable it.

I am using freeipa version 4.2, api version 2.156. In the initial description I had put 4.5.4. With version 4.2 it appears nsslapd-auditfaillog-logging-enabled does not exist. So I am not sure if the audit log below is helpful.
```
time: 20180925164123
dn: cn=config
changetype: modify
replace: nsslapd-auditlog-logging-enabled
nsslapd-auditlog-logging-enabled: on
-
replace: modifiersname
modifiersname: cn=directory manager
-
replace: modifytimestamp
modifytimestamp: 20180925214123Z
-

time: 20180925164202
dn: cn=MasterCRL,ou=crlIssuingPoints, ou=ca, o=ipaca
changetype: modify
replace: crlSize
crlSize: 010
-
replace: revokedCerts
revokedCerts:: rO0ABXNyABNqYXZhLnV0aWwuSGFzaHRhYmxlE7sPJSFK5LgDAAJGAApsb2FkRmF
 jdG9ySQAJdGhyZXNob2xkeHA/QAAAAAAAAncIAAAAAwAAAAB4
-
replace: unrevokedCerts
unrevokedCerts:: rO0ABXNyABNqYXZhLnV0aWwuSGFzaHRhYmxlE7sPJSFK5LgDAAJGAApsb2FkR
 mFjdG9ySQAJdGhyZXNob2xkeHA/QAAAAAAAAncIAAAAAwAAAAB4
-
replace: expiredCerts
expiredCerts:: rO0ABXNyABNqYXZhLnV0aWwuSGFzaHRhYmxlE7sPJSFK5LgDAAJGAApsb2FkRmF
 jdG9ySQAJdGhyZXNob2xkeHA/QAAAAAAAAncIAAAAAwAAAAB4
-
replace: firstUnsaved
firstUnsaved: -1
-
replace: modifiersname
modifiersname: uid=pkidbuser,ou=people,o=ipaca
-
replace: modifytimestamp
modifytimestamp: 20180925214202Z
-
replace: entryusn
entryusn: 2403295
-
```

I guess you need to configure the log completely, something like:

```
dn: cn=config
changetype: modify
add: nsslapd-auditfaillog
nsslapd-auditfaillog: /var/log/dirsrv/slapd-YOUR-REALM/audit-failure
-
add: nsslapd-auditfaillog-mode
nsslapd-auditfaillog-mode: 600
-
add: nsslapd-auditfaillog-maxlogsize
nsslapd-auditfaillog-maxlogsize: 100
-
add: nsslapd-auditfaillog-logrotationtime
nsslapd-auditfaillog-logrotationtime: 1
-
add: nsslapd-auditfaillog-logrotationtimeunit
nsslapd-auditfaillog-logrotationtimeunit: day
```

None of the *auditfaillog* attributes exist in the schema.

What version of 389-ds-base do you have? Most of DS config is not defined in schema, but I suppose it's possible your 389-ds does not have this log.

To extend Rob's question, could you provide the output of the following command?
```
$ rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server
```

```
# uname -a
Linux server.ace.com 3.10.0-327.18.2.el7.x86_64 #1 SMP Thu May 12 11:03:55 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
# cat /etc/centos-release
CentOS Linux release 7.2.1511 (Core)
# rpm -qa | egrep "ipa|pki|389"
sssd-ipa-1.13.0-40.el7_2.4.x86_64
python-iniparse-0.4-9.el7.noarch
device-mapper-multipath-libs-0.4.9-85.el7_2.4.x86_64
389-ds-base-libs-1.3.4.0-30.el7_2.x86_64
389-ds-base-1.3.4.0-30.el7_2.x86_64
libipa_hbac-1.13.0-40.el7_2.4.x86_64
ipa-server-dns-4.2.0-15.0.1.el7.centos.6.1.x86_64
ipa-python-4.2.0-15.0.1.el7.centos.6.1.x86_64
pki-kra-10.2.5-10.el7_2.noarch
python-libipa_hbac-1.13.0-40.el7_2.4.x86_64
ipa-client-4.2.0-15.0.1.el7.centos.6.1.x86_64
pki-base-10.2.5-10.el7_2.noarch
pki-ca-10.2.5-10.el7_2.noarch
device-mapper-multipath-0.4.9-85.el7_2.4.x86_64
krb5-pkinit-1.13.2-12.el7_2.x86_64
pki-tools-10.2.5-10.el7_2.x86_64
ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64
pki-server-10.2.5-10.el7_2.noarch
ipa-admintools-4.2.0-15.0.1.el7.centos.6.1.x86_64
```

Looks like the auditfaillog logging was added in RHEL 7.3 (upstream in 389-ds-base-1.3.5.0). Is there a reason you need to stay with such an old release of CentOS, or can you upgrade?

We do plan on upgrading at a later time, however I really need to know if there is a fix for the issue using the versions posted above.

I can't guarantee anything since I don't know what is causing the issue. I can't reproduce it myself. Upgrading to at least 7.3 will make the logging possible so we can see what is going on.

Hello, could you please share with us if this issue is still valid?

Closing as there has not been any answer for two months. Please feel free to reopen and add the auditfaillog data that was requested.
Created attachment 1476690
debug output from ipa user-disable command

Description of problem:
Disabling a user account using the CLI or web interface fails for random users. The error received is "type or value exists". Some users can be disabled, others cannot. Over time, some of the users that have been disabled and then re-enabled can no longer be disabled.

Version-Release number of selected component (if applicable):
freeipa version 4.5.4, api version 2.228

How reproducible:
This is an intermittent problem. Once a user cannot be disabled, the account can never be disabled. Other user accounts can be disabled.

Steps to Reproduce:
1. # ipa user-disable testuser

Actual results:
Type or value exists

Expected results:
Successful operation
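The audit-log procedure the maintainers describe in the comments above produces LDIF-style records, and their diagnosis is that "type or value exists" (LDAP result 20, attributeOrValueExists) means some MOD was attempted that the server refused. One caveat the thread only implies: the audit log records changes that were applied, so a MOD the server rejected never appears in it, which is why the excerpt the reporter posted shows only the cn=config toggle and a CRL update, and why the fail log (389-ds 1.3.5.0 / RHEL 7.3 and later, per the thread) is the one that would capture the failing user-disable. The Python below is an added example, not FreeIPA or 389-ds code: it parses records in the audit-log layout shown above, selects those targeting one DN, and reports which modifications would draw result 20 against a snapshot of the entry. The sample log text and the SEDLAAR_ENTRY snapshot are constructed; the two uid=sedlaar records are hypothetical illustrations of the maintainers' duplicated-value guess and of a plain add of an existing value, not observed data. Treating a value listed twice in one modification as an error-20 case is 389-ds behaviour assumed here, and DN and value matching are simplified.

```python
"""Parse 389-ds audit-log records and flag modifications that 389-ds answers with LDAP
result 20 (attributeOrValueExists), which the ipa client prints as "Type or value exists"."""
import base64
import re
from dataclasses import dataclass, field

# Added example for this bug thread, not FreeIPA or 389-ds code.  The log below is
# constructed in the record layout shown in the thread (an LDIF body: "attr:: " is
# base64, a leading space continues the previous line).  The uid=sedlaar records are
# hypothetical: a duplicated value, as the maintainers guessed, and an add of a
# membership the entry already holds.
SAMPLE_LOG = """\
389-Directory/1.3.4.0 B2016.171.1614 (constructed header line, skipped by the parser)
time: 20180925164202
dn: cn=MasterCRL,ou=crlIssuingPoints, ou=ca, o=ipaca
changetype: modify
replace: revokedCerts
revokedCerts:: rO0A
 BXNy
-

time: 20180925164230
dn: uid=sedlaar,cn=users,cn=accounts,dc=ace,dc=com
changetype: modify
replace: nsaccountlock
nsaccountlock: TRUE
nsaccountlock: TRUE
-

time: 20180925164231
dn: uid=sedlaar,cn=users,cn=accounts,dc=ace,dc=com
changetype: modify
add: memberOf
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=ace,dc=com
-
"""
# Constructed snapshot of the entry's current values, keyed by lower-cased attribute name.
SEDLAAR_ENTRY = {"nsaccountlock": ["FALSE"],
                 "memberof": ["cn=ipausers,cn=groups,cn=accounts,dc=ace,dc=com"]}

@dataclass
class Mod:
    op: str  # add, delete or replace
    attr: str
    values: list = field(default_factory=list)

@dataclass
class AuditRecord:
    time: str
    dn: str = ""
    changetype: str = ""
    mods: list = field(default_factory=list)

def _split(line):
    # 'a: v' -> (a, 'v'); 'a:: b64' -> (a, decoded bytes)
    attr, _, rest = line.partition(":")
    if rest.startswith(":"):
        return attr.strip(), base64.b64decode(rest[1:].strip())
    return attr.strip(), rest.strip()

def parse_audit_log(text):
    records, mod = [], None
    for line in re.sub(r"\n ", "", text).splitlines():  # unfold LDIF continuation lines
        if line.startswith("time:"):  # every record starts with its timestamp
            records.append(AuditRecord(line.partition(":")[2].strip()))
        elif not records or not line.strip() or line == "-":
            mod = None  # header text, record separator, or end of one modification
        else:
            attr, value = _split(line)
            if mod is not None and attr.lower() == mod.attr.lower():
                mod.values.append(value)
            elif attr in ("dn", "changetype"):
                setattr(records[-1], attr, value)
            elif attr in ("add", "delete", "replace"):
                mod = Mod(attr, value)
                records[-1].mods.append(mod)
    return records

def records_for_dn(records, dn):
    def norm(d):  # simplification: ignores escaped commas inside RDN values
        return ",".join(p.strip().lower() for p in d.split(","))
    return [r for r in records if norm(r.dn) == norm(dn)]

def _norm(v):  # simplification: caseIgnoreMatch for strings, exact match for binary values
    return v.lower() if isinstance(v, str) else v

def mod_problems(entry, mod):
    """Why 389-ds would answer result 20 to this one modification: an add of a value the
    entry already holds (RFC 4511), or one value listed twice (389-ds dupcheck, assumed)."""
    problems, seen = [], set()
    for v in mod.values:
        if _norm(v) in seen:
            problems.append(f"{mod.op} {mod.attr}: {v!r} listed twice in one modification")
        seen.add(_norm(v))
    if mod.op == "add":
        present = {_norm(v) for v in entry.get(mod.attr.lower(), [])}
        problems += [f"add {mod.attr}: {v!r} already present" for v in mod.values if _norm(v) in present]
    return problems

def find_type_or_value_exists(records, dn, entry):
    # (time, reason) for every modification of dn that would fail with result 20
    return [(r.time, why) for r in records_for_dn(records, dn)
            for m in r.mods for why in mod_problems(entry, m)]
```

To use it on a real server, read /var/log/dirsrv/slapd-YOUR-REALM/audit (or the audit-failure log once it is configured) into parse_audit_log, and build the entry dict from the `ipa user-show --all --raw` output by lower-casing the attribute names; only the attributes named in the suspect MODs need to be present.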