1801791 – Compatibility Schema difference in functionality for systems following RHEL 7.5 -> 7.6 upgrade path as opposed to new RHEL 7.6 systems

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1801791 - Compatibility Schema difference in functionality for systems following RHEL 7.5 -> 7.6 upgrade path as opposed to new RHEL 7.6 systems

Summary: Compatibility Schema difference in functionality for systems following RHEL 7...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	ipa
Sub Component:
Version:	7.6
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Florence Blanc-Renaud
QA Contact:	ipa-qe
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	1860262 (view as bug list)
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2020-02-11 16:11 UTC by Dave
Modified:	2023-12-15 17:18 UTC (History)
CC List:	10 users (show)
Fixed In Version:	ipa-4.6.6-12.el7
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2020-09-29 19:58:31 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Fedora Pagure	freeipa issue 8193	None	None	None	2020-02-12 05:51:05 UTC
Red Hat Issue Tracker	FREEIPA-10357	None	None	None	2023-09-07 21:50:47 UTC
Red Hat Knowledge Base (Solution)	4909731	None	None	None	2020-03-17 14:19:21 UTC
Red Hat Product Errata	RHSA-2020:3936	None	None	None	2020-09-29 19:59:23 UTC

Description Dave 2020-02-11 16:11:16 UTC

Description of problem: Compatibility Schema difference in functionality for systems following RHEL 7.5 -> 7.6 upgrade path as opposed to new RHEL 7.6 systems

Version-Release number of selected component (if applicable):
ipa-server-4.6.4-10.el7_6.3.x86_64
python2-ipaserver-4.6.4-10.el7_6.3.noarch
389-ds-base-1.3.8.4-23.el7_6.x86_64

How reproducible:
consistent

Steps to Reproduce:
1. setup IPA server under RHEL 7.5
2. upgrade IPA server to RHEL 7.6
3. add new RHEL 7.6 IPA replica to existing IPA env

Actual results:
7.5-7.6 system compat tree behaves differently than new 7.6 compat data

Expected results:
should not matter how we got to 7.6, functionality should be same

Additional info:
7.5->7.6 creates compat data for Posix groups only and adds 'objectClass: ipaexternalgroup'
7.6 creates compat data for Posix groups only but (probably correctly) does not add 'objectClass: ipaexternalgroup'

Comment 2 Alexander Bokovoy 2020-02-11 17:23:45 UTC

This looks like a duplicate of https://bugzilla.redhat.com/show_bug.cgi?id=1585020. What matters is that you created a new replica, not the upgrade path.

*** This bug has been marked as a duplicate of bug 1585020 ***

Comment 3 Dave 2020-02-11 18:24:27 UTC

We do not agree this is a duplicate of 1585020, as our compat data is generated only for Posix groups, and we have zero AD related info under cn=groups,cn=compat

Comment 4 Alexander Bokovoy 2020-02-11 18:56:02 UTC

There are two parts here.

1. ipaExternalGroup is only handled for trust to AD configurations. The compat tree configuration for that is only set up when you run ipa-adtrust-install --enable-compat on the specific master (turning the master into a trust controller). When you have no external group members configured for some external groups (this is a concept in IPA, 'ipa group-add --external' and 'ipa group-add-member --external'), and these groups aren't included into some POSIX groups, you should not see any of AD groups pulled in.

2. Second part is actual addition of the 'objectclass: ipaExternalGroup' into the entries under cn=groups,cn=compat,$BASEDN. This happens after /usr/share/ipa/updates/50-externalmembers.update file is automatically imported on IPA upgrade. The file content is:

$ cat install/updates/50-externalmembers.update
dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
addifexist: schema-compat-entry-attribute: ipaexternalmember=%deref_r("member","ipaexternalmember")
addifexist: schema-compat-entry-attribute: objectclass=ipaexternalgroup

The upgrade should happen during replica deployment as one of last steps before enabling optional services. You can see that in the replica installation log with 'Applying LDAP updates'. But I think there might be an ordering discrepancy because the base compat tree configuration is in install/updates/80-schema_compat.update so it is ran after 50-externalmembers.update. And since at that point cn=groups,cn=Schema ... does not exist yet, it is not applied.

You can re-run ipa-server-upgrade manually once to see if objectclass=ipaexternalgroup would be added. Please report if that fixes your observed difference.

Comment 5 Dave 2020-02-11 21:11:36 UTC

this did in fact create objectclass=ipaexternalgroup for all our Posix groups, our data now matches on new replicas vs existing servers

Comment 6 Alexander Bokovoy 2020-02-12 05:51:06 UTC

I'm going to reuse this bug to move the update file around.
Upstream ticket: https://pagure.io/freeipa/issue/8193

Comment 7 Alexander Bokovoy 2020-02-12 05:54:42 UTC

Upstream PR: https://github.com/freeipa/freeipa/pull/4229

Comment 8 Alexander Bokovoy 2020-02-12 06:01:03 UTC

QE: in order to verify this change, set up a replica and see if 'cn=groups,cn=Schema Compatibility,cn=plugins,cn=config' on the replica contains 'schema-compat-entry-attribute: objectclass=ipaexternalgroup' attribute.

Comment 9 Florence Blanc-Renaud 2020-02-12 10:47:49 UTC

Fixed upstream
master:
https://pagure.io/freeipa/c/ff547a2777d63609faba42101e9802f5e988fa00

Comment 10 Florence Blanc-Renaud 2020-02-12 14:20:05 UTC

Fixed upstream
ipa-4-8:
https://pagure.io/freeipa/c/14dbf04148c6284b176eca34aa70df4bef09b857

ipa-4-7:
https://pagure.io/freeipa/c/9db61a51f4cfcaae5e51d10c9ce2ed751cce4c49

ipa-4-6:
https://pagure.io/freeipa/c/a5a201fc008b19841f98bb70d44ede7d04ef1126

Comment 11 Christian Heimes 2020-03-24 12:50:59 UTC

Test case added to upstream
master:
https://pagure.io/freeipa/c/9120d65e881e582cc37ee8445fb66a54f6fb4d75
https://pagure.io/freeipa/c/312d00df90fc40c1c4c934945c3c73053b6ea18a

Comment 12 Christian Heimes 2020-03-24 14:45:57 UTC

ipa-4-8:
https://pagure.io/freeipa/c/210619a98f0d8a042a181bab5891bdd595aa5351
https://pagure.io/freeipa/c/3f3fa403a944035cf5531939fe3a2e338da99612

Comment 13 Christian Heimes 2020-03-26 09:13:38 UTC

Fixed upstream
ipa-4-6:
https://pagure.io/freeipa/c/e6960b7af2e8d8e4746245d8ba82a46225174529
https://pagure.io/freeipa/c/b739bc2089774cea0437347283c821ac86f8251d
ipa-4-7:
https://pagure.io/freeipa/c/405363baa62c7a2e875aae516abc8080031094f2
https://pagure.io/freeipa/c/651d97a47d1f60875648ae72c2c0e6fe6ffabe04

Comment 18 Mohammad Rizwan 2020-04-16 11:34:49 UTC

Both the automation passed. Hence marking the bug as verified.

Comment 21 Florence Blanc-Renaud 2020-08-27 11:51:15 UTC

*** Bug 1860262 has been marked as a duplicate of this bug. ***

Comment 23 errata-xmlrpc 2020-09-29 19:58:31 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: ipa security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:3936

Note You need to log in before you can comment on or make changes to this bug.