1978748 – Regression: cn=views,cn=compat broken with slapi-nis-0.56.5-3.el7_9.x86_64

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1978748 - Regression: cn=views,cn=compat broken with slapi-nis-0.56.5-3.el7_9.x86_64

Summary: Regression: cn=views,cn=compat broken with slapi-nis-0.56.5-3.el7_9.x86_64

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	slapi-nis
Sub Component:
Version:	7.9
Hardware:	All
OS:	Linux
Priority:	unspecified
Severity:	urgent
Target Milestone:	rc
Target Release:	---
Assignee:	Alexander Bokovoy
QA Contact:	anuja
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1984010
TreeView+	depends on / blocked

Reported:	2021-07-02 15:58 UTC by joel
Modified:	2022-11-08 12:18 UTC (History)
CC List:	10 users (show)
Fixed In Version:	slapi-nis-0.60.0-1.el7_9
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Clones:	1984010 (view as bug list)
Environment:
Last Closed:	2022-11-02 16:33:20 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	FREEIPA-7828	0	None	None	None	2022-02-10 13:02:54 UTC
Red Hat Product Errata	RHBA-2022:7336	0	None	None	None	2022-11-02 16:33:25 UTC

Description joel 2021-07-02 15:58:13 UTC

Description of problem:

Identity Management (IdM) ID Views under cn=compat broken starting with
slapi-nis-0.56.5-3.el7_9.x86_64. The only item in the changelog from the
previous (working) version, slapi-nis-0.56.5-2.el7.x86_64, was a fix for
BZ 1866113, which addressed a memory leak.


Version-Release number of selected component (if applicable):

* slapi-nis-0.56.5-3.el7_9.x86_64
* slapi-nis-0.56.5-4.el7_9.x86_64
* Bug is still present in upstream, so RHEL 8 is probably also affected
  (https://pagure.io/slapi-nis/history/src/back-sch.c)


How reproducible:

Queries for any account or group under cn=views,cn=compat,dc=DOMAIN will
return LDAP error code 32 (NO_SUCH_OBJECT).


Steps to Reproduce:

1. Create any view, such as "myview". It doesn't even need to contain
   any attribute overrides.

2. Perform an LDAP query for any known user against cn=views,cn=compat
   using the named view you just created. (Assumes local query from an
   IdM replica using GSSAPI authentication and the local Unix socket.)

   ldapsearch -LLLQ -b 'cn=myview,cn=views,cn=compat,dc=DOMAIN' 'uid=admin' uid


Actual results:

result: 32 No such object
matchedDN: dc=DOMAIN


Expected results:

dn: uid=admin,cn=users,cn=compat,dc=DOMAIN
uid: admin


Additional info:

Queries against just cn=compat (not cn=views,cn=compat) are not affected.
Only queries meant to apply an ID View are affected.

Comment 3 Florence Blanc-Renaud 2021-07-06 14:41:55 UTC

The issue looks similar to BZ#1958909 for which a fix was recently found.

@tbordaz could you check if this is the same issue? Thanks

Comment 4 thierry bordaz 2021-07-06 15:51:13 UTC

Difficult to be sure without debugging but I think it is a different issue.
#1958909 was triggered by an incorrect test if the target base search is a subtree of IDview. This with the target base search being a child of IDview base and scope being 'base'

Here the base search is the IDview itself and the scope subtree, so it should work (IIUC).

An option to be sure is to test with idm-client-8050020210701113027.de73ecb2 that fixes 1958909.

Comment 6 joel 2021-07-09 19:35:23 UTC

Hello Francois,

Attaching one sosreport. Requested same from rest of servers.

Comment 7 joel 2021-07-12 17:22:51 UTC

Hello,

Sorry for the delay, here is the link to the sosreport:

 https://drive.google.com/drive/folders/1kSrdRjqTdgijdQrVuh_hMKikUzBdp5Ht?usp=sharing

If you have any problems accessing this please notify me.

Comment 9 joel 2021-07-14 22:05:11 UTC

hello,

customer has provided other 3 sosreport, they are at  https://drive.google.com/drive/folders/1kSrdRjqTdgijdQrVuh_hMKikUzBdp5Ht?usp=sharing

Thank you

Comment 12 anuja 2022-09-08 08:05:04 UTC

Pre-verified with :
http://brew-task-repos.usersys.redhat.com/repos/official/slapi-nis/0.60.0/1.el7_9/

[root@master ~]# ipa idview-add test79
ipa: ERROR: did not receive Kerberos credentials
[root@master ~]# echo Secret123 | kinit admin
Password for admin: 
[root@master ~]# ipa idview-add test79
----------------------
Added ID View "test79"
----------------------
  ID View Name: test79
[root@master ~]# ipa user-add user79 --first user79 --last user79
-------------------
Added user "user79"
-------------------
  User login: user79
  First name: user79
  Last name: user79
  Full name: user79 user79
  Display name: user79 user79
  Initials: uu
  Home directory: /home/user79
  GECOS: user79 user79
  Login shell: /bin/sh
  Principal name: user79
  Principal alias: user79
  Email address: user79
  UID: 603600001
  GID: 603600001
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False
[root@master ~]# ldapsearch -LLLQ -b 'cn=test79,cn=views,cn=compat,dc=ipa,dc=test' 'uid=user79'
dn: uid=user79,cn=users,cn=test79,cn=views,cn=compat,dc=ipa,dc=test
objectClass: posixAccount
objectClass: top
gecos: user79 user79
cn: user79 user79
uidNumber: 603600001
gidNumber: 603600001
loginShell: /bin/sh
homeDirectory: /home/user79
uid: user79

[root@master ~]# rpm -qa slapi-nis
slapi-nis-0.60.0-1.el7_9.x86_64
[root@master ~]#

Comment 17 anuja 2022-09-19 08:12:28 UTC

[root@master ~]# echo Secret123  | kinit admin
Password for admin: 
[root@master ~]# ipa idview-add test79nightly
-----------------------------
Added ID View "test79nightly"
-----------------------------
  ID View Name: test79nightly
[root@master ~]# ipa user-add user79n --first user79n --last user79n
--------------------
Added user "user79n"
--------------------
  User login: user79n
  First name: user79n
  Last name: user79n
  Full name: user79n user79n
  Display name: user79n user79n
  Initials: uu
  Home directory: /home/user79n
  GECOS: user79n user79n
  Login shell: /bin/sh
  Principal name: user79n
  Principal alias: user79n
  Email address: user79n
  UID: 1315400001
  GID: 1315400001
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False
[root@master ~]# ldapsearch -LLLQ -b 'cn=test79n,cn=views,cn=compat,dc=ipa,dc=test' 'uid=user79n'
dn: uid=user79n,cn=users,cn=compat,dc=ipa,dc=test
objectClass: posixAccount
objectClass: top
gecos: user79n user79n
cn: user79n user79n
uidNumber: 1315400001
gidNumber: 1315400001
loginShell: /bin/sh
homeDirectory: /home/user79n
uid: user79n

[root@master ~]# rpm -qa ipa-server slapi-nis
ipa-server-4.6.8-5.el7_9.11.x86_64
slapi-nis-0.60.0-1.el7_9.x86_64
[root@master ~]#

Comment 22 errata-xmlrpc 2022-11-02 16:33:20 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (slapi-nis bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:7336

Note You need to log in before you can comment on or make changes to this bug.