Bug 1801791 - Compatibility Schema difference in functionality for systems following RHEL 7.5 -> 7.6 upgrade path as opposed to new RHEL 7.6 systems
Summary: Compatibility Schema difference in functionality for systems following RHEL 7...
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.6
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: ---
Assignee: Florence Blanc-Renaud
QA Contact: ipa-qe
: 1860262 (view as bug list)
Depends On:
TreeView+ depends on / blocked
Reported: 2020-02-11 16:11 UTC by Dave
Modified: 2020-08-27 11:51 UTC (History)
10 users (show)

Fixed In Version: ipa-4.6.6-12.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2020-02-11 17:23:45 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Priority Status Summary Last Updated
Fedora Pagure freeipa issue 8193 None None None 2020-02-12 05:51:05 UTC
Red Hat Knowledge Base (Solution) 4909731 None None None 2020-03-17 14:19:21 UTC

Description Dave 2020-02-11 16:11:16 UTC
Description of problem: Compatibility Schema difference in functionality for systems following RHEL 7.5 -> 7.6 upgrade path as opposed to new RHEL 7.6 systems

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. setup IPA server under RHEL 7.5
2. upgrade IPA server to RHEL 7.6
3. add new RHEL 7.6 IPA replica to existing IPA env

Actual results:
7.5-7.6 system compat tree behaves differently than new 7.6 compat data

Expected results:
should not matter how we got to 7.6, functionality should be same

Additional info:
7.5->7.6 creates compat data for Posix groups only and adds 'objectClass: ipaexternalgroup'
7.6 creates compat data for Posix groups only but (probably correctly) does not add 'objectClass: ipaexternalgroup'

Comment 2 Alexander Bokovoy 2020-02-11 17:23:45 UTC
This looks like a duplicate of https://bugzilla.redhat.com/show_bug.cgi?id=1585020. What matters is that you created a new replica, not the upgrade path.

*** This bug has been marked as a duplicate of bug 1585020 ***

Comment 3 Dave 2020-02-11 18:24:27 UTC
We do not agree this is a duplicate of 1585020, as our compat data is generated only for Posix groups, and we have zero AD related info under cn=groups,cn=compat

Comment 4 Alexander Bokovoy 2020-02-11 18:56:02 UTC
There are two parts here.

1. ipaExternalGroup is only handled for trust to AD configurations. The compat tree configuration for that is only set up when you run ipa-adtrust-install --enable-compat on the specific master (turning the master into a trust controller). When you have no external group members configured for some external groups (this is a concept in IPA, 'ipa group-add --external' and 'ipa group-add-member --external'), and these groups aren't included into some POSIX groups, you should not see any of AD groups pulled in.

2. Second part is actual addition of the 'objectclass: ipaExternalGroup' into the entries under cn=groups,cn=compat,$BASEDN. This happens after /usr/share/ipa/updates/50-externalmembers.update file is automatically imported on IPA upgrade. The file content is:

$ cat install/updates/50-externalmembers.update
dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
addifexist: schema-compat-entry-attribute: ipaexternalmember=%deref_r("member","ipaexternalmember")
addifexist: schema-compat-entry-attribute: objectclass=ipaexternalgroup

The upgrade should happen during replica deployment as one of last steps before enabling optional services. You can see that in the replica installation log with 'Applying LDAP updates'. But I think there might be an ordering discrepancy because the base compat tree configuration is in install/updates/80-schema_compat.update so it is ran after 50-externalmembers.update. And since at that point cn=groups,cn=Schema ... does not exist yet, it is not applied.

You can re-run ipa-server-upgrade manually once to see if objectclass=ipaexternalgroup would be added. Please report if that fixes your observed difference.

Comment 5 Dave 2020-02-11 21:11:36 UTC
this did in fact create objectclass=ipaexternalgroup for all our Posix groups, our data now matches on new replicas vs existing servers

Comment 6 Alexander Bokovoy 2020-02-12 05:51:06 UTC
I'm going to reuse this bug to move the update file around.
Upstream ticket: https://pagure.io/freeipa/issue/8193

Comment 7 Alexander Bokovoy 2020-02-12 05:54:42 UTC
Upstream PR: https://github.com/freeipa/freeipa/pull/4229

Comment 8 Alexander Bokovoy 2020-02-12 06:01:03 UTC
QE: in order to verify this change, set up a replica and see if 'cn=groups,cn=Schema Compatibility,cn=plugins,cn=config' on the replica contains 'schema-compat-entry-attribute: objectclass=ipaexternalgroup' attribute.

Comment 9 Florence Blanc-Renaud 2020-02-12 10:47:49 UTC
Fixed upstream

Comment 18 Mohammad Rizwan 2020-04-16 11:34:49 UTC
Both the automation passed. Hence marking the bug as verified.

Comment 21 Florence Blanc-Renaud 2020-08-27 11:51:15 UTC
*** Bug 1860262 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.