Description of problem: Compatibility Schema difference in functionality for systems following RHEL 7.5 -> 7.6 upgrade path as opposed to new RHEL 7.6 systems
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. setup IPA server under RHEL 7.5
2. upgrade IPA server to RHEL 7.6
3. add new RHEL 7.6 IPA replica to existing IPA env
The 7.5->7.6 system's compat tree behaves differently from new 7.6 compat data.
It should not matter how we got to 7.6; the functionality should be the same.
7.5->7.6 creates compat data for Posix groups only and adds 'objectClass: ipaexternalgroup'
7.6 creates compat data for Posix groups only but (probably correctly) does not add 'objectClass: ipaexternalgroup'
This looks like a duplicate of https://bugzilla.redhat.com/show_bug.cgi?id=1585020. What matters is that you created a new replica, not the upgrade path.
*** This bug has been marked as a duplicate of bug 1585020 ***
We do not agree this is a duplicate of 1585020, as our compat data is generated only for Posix groups, and we have zero AD related info under cn=groups,cn=compat
There are two parts here.
1. ipaExternalGroup is only handled for trust-to-AD configurations. The compat tree configuration for that is only set up when you run ipa-adtrust-install --enable-compat on the specific master (turning the master into a trust controller). When you have no external group members configured for some external groups (this is a concept in IPA, 'ipa group-add --external' and 'ipa group-add-member --external'), and these groups aren't included in some POSIX groups, you should not see any AD groups pulled in.
2. The second part is the actual addition of 'objectclass: ipaExternalGroup' to the entries under cn=groups,cn=compat,$BASEDN. This happens after the /usr/share/ipa/updates/50-externalmembers.update file is automatically imported on IPA upgrade. The file content is:
$ cat install/updates/50-externalmembers.update
dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
addifexist: schema-compat-entry-attribute: ipaexternalmember=%deref_r("member","ipaexternalmember")
addifexist: schema-compat-entry-attribute: objectclass=ipaexternalgroup
The upgrade should happen during replica deployment as one of the last steps before enabling optional services. You can see that in the replica installation log with 'Applying LDAP updates'. But I think there might be an ordering discrepancy because the base compat tree configuration is in install/updates/80-schema_compat.update, so it is run after 50-externalmembers.update. And since at that point cn=groups,cn=Schema ... does not exist yet, it is not applied.
You can re-run ipa-server-upgrade manually once to see if objectclass=ipaexternalgroup would be added. Please report if that fixes your observed difference.
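The ordering problem described in this comment, as an added toy model (not FreeIPA code): the file names 50-externalmembers.update and 80-schema_compat.update and the two addifexist lines are from the thread; the directive semantics are simplified, and the contents of the 80 file and the 85- file name are constructed.

```python
# Toy model of the ordered LDAP updater: files are applied in lexical filename
# order; 'add:' creates the entry if needed, 'addifexist:' is skipped if not.
COMPAT_DN = "cn=groups,cn=Schema Compatibility,cn=plugins,cn=config"

# Constructed update files. 50-externalmembers mirrors the thread; the
# 80-schema_compat contents are a constructed stand-in for the real file.
FILES = {
    "50-externalmembers.update": [
        f"dn: {COMPAT_DN}",
        'addifexist: schema-compat-entry-attribute: ipaexternalmember='
        '%deref_r("member","ipaexternalmember")',
        "addifexist: schema-compat-entry-attribute: objectclass=ipaexternalgroup",
    ],
    "80-schema_compat.update": [
        f"dn: {COMPAT_DN}",
        "add: objectClass: extensibleObject",
        "add: schema-compat-entry-attribute: objectclass=posixGroup",
    ],
}


def apply_updates(files, directory=None):
    """Apply update files in sorted order; return (directory, skipped)."""
    directory = {} if directory is None else directory
    skipped = []  # addifexist directives dropped because the entry was missing
    for name in sorted(files):  # lexical order, like the updater
        dn = None
        for line in files[name]:
            if line.startswith("dn: "):
                dn = line[4:]
                continue
            directive, rest = line.split(": ", 1)
            attr, value = rest.split(": ", 1)
            if directive == "addifexist" and dn not in directory:
                skipped.append((name, line))  # the ordering bug in action
                continue
            directory.setdefault(dn, {}).setdefault(attr, set()).add(value)
    return directory, skipped


def has_externalgroup(directory):
    """True when the compat config carries objectclass=ipaexternalgroup."""
    values = directory.get(COMPAT_DN, {}).get("schema-compat-entry-attribute", set())
    return "objectclass=ipaexternalgroup" in values


def reordered(files):
    """Rename the externalmembers file so it sorts after 80 (hypothetical name)."""
    fixed = dict(files)
    fixed["85-externalmembers.update"] = fixed.pop("50-externalmembers.update")
    return fixed
```

A first run over FILES leaves the attribute out and reports two skipped directives; a second run over the same directory (the manual ipa-server-upgrade re-run) or a run over reordered(FILES) adds it.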
This did in fact create objectclass=ipaexternalgroup for all our Posix groups; our data now matches on new replicas vs existing servers.
I'm going to reuse this bug to move the update file around.
Upstream ticket: https://pagure.io/freeipa/issue/8193
Upstream PR: https://github.com/freeipa/freeipa/pull/4229
QE: in order to verify this change, set up a replica and see if 'cn=groups,cn=Schema Compatibility,cn=plugins,cn=config' on the replica contains 'schema-compat-entry-attribute: objectclass=ipaexternalgroup' attribute.
Test case added to upstream
Both automation runs passed. Hence marking the bug as verified.
*** Bug 1860262 has been marked as a duplicate of this bug. ***