Bug 2160399
| Summary: | get_ranges - [file ipa_sidgen_common.c, line 276]: Failed to convert LDAP entry to range struct | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 9 | Reporter: | Sudhir Menon <sumenon> |
| Component: | ipa | Assignee: | Florence Blanc-Renaud <frenaud> |
| Status: | CLOSED ERRATA | QA Contact: | Sudhir Menon <sumenon> |
| Severity: | low | Priority: | low |
| Version: | 9.2 | CC: | gkaihoro, pasik, rcritten, tscherf |
| Target Milestone: | rc | Keywords: | Triaged |
| Target Release: | --- | Flags: | pm-rhel: mirror+ |
| Hardware: | Unspecified | OS: | Unspecified |
| Fixed In Version: | ipa-4.10.2-1.el9 | Doc Type: | No Doc Update |
| Last Closed: | 2023-11-07 08:34:04 UTC | Type: | Bug |

Description
Sudhir Menon
2023-01-12 09:34:16 UTC
The master installation has the following steps:

* [25/42]: adding default layout

  This step creates cn=xx_id_range,cn=ranges,cn=etc,$SUFFIX with ipaBaseID and ipaIDRangeSize.

* [40/42]: activating sidgen plugin

  This step creates the entry cn=IPA SIGEN,cn=plugins,cn=config with nsslapd-pluginenabled: on

  At this point the plugin is enabled but skips any processing as there is no domain SID below $SUFFIX:
  https://github.com/freeipa/freeipa/blob/5419864c7ef893abc4717847fa6ea272d0c659fe/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.c#L104

  ```c
  if (ctx->dom_sid == NULL) {
      ret = get_dom_sid(ctx->plugin_id, ctx->base_dn, &ctx->dom_sid);
      if (ret != 0) {
          LOG("Domain SID not available, nothing to do.\n");
          ret = 0;
          goto done;
      }
  }
  ```

* [1/8]: creating samba domain object

  This step creates the entry cn=$DOMAIN,cn=ad,cn=etc,dc=ipa,dc=test with ipaNTSecurityIdentifier=SID of the ipa domain.

  From this point, the sidgen plugin is enabled and is able to find the domain sid, meaning it gets triggered for all ldap operations. It starts by getting the RID ranges but the cn=xx_id_range entry doesn't contain ipaBaseRID or ipaSecondaryBaseRID and this is the cause for the error message:

  ERR - get_ranges - [file ipa_sidgen_common.c, line 276]: Failed to convert LDAP entry to range struct.

* [3/8]: adding RID bases

  This step adds the ipaBaseRID and ipaSecondaryBaseRID values to cn=xx_id_range, fixing the plugin issue.

It looks ok to call "adding RID bases" earlier but should be tested. Anyway, the issue is really minor: if entries are created before the baseRID is added, they won't get a SID but the sidgen task is called later and generates the missing SIDs.

I am removing the Regression keyword as it's not a regression. The installation of ipa server in RHEL 7.9 (ipa-server-trust-ad-4.6.8-5.el7.x86_64) with adtrust was already producing the same log. So the error has not been introduced recently.
Upstream ticket: https://pagure.io/freeipa/issue/9309

Fixed upstream master: https://pagure.io/freeipa/c/ad05218450876a302f80b3e851d4f7cef931fdb6

Planning to fix in 9.3, the fix will be picked with the rebase to 4.10.next

Fixed upstream ipa-4-10: https://pagure.io/freeipa/c/7d1a35852fa53bcf3b88a8a80a2e86ef88a75795

Verified using nightly with ipa-server-4.10.2-1.el9.x86_64

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (ipa bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:6477
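
A diagnostic sketch for the condition this report describes, added here as an example (it is not FreeIPA code and not from the bug thread): it reads an LDIF export of the ranges container and lists local range entries that still lack the attributes named above. The function names, the sample entries and their numeric values are constructed, and the `ipaRangeType` filter is an assumption used to limit the check to the local domain range.

```python
# Added example: models the condition described in the report, not the plugin's code.
BASE_ATTRS = ("ipaBaseID", "ipaIDRangeSize")          # set by "adding default layout"
RID_ATTRS = ("ipaBaseRID", "ipaSecondaryBaseRID")     # set by "adding RID bases"

def parse_ldif(text):
    """Parse simple LDIF (no base64 values, no folded lines) into dicts."""
    entries, cur = [], {}
    for line in text.splitlines():
        line = line.rstrip()
        if not line:                      # blank line ends an entry
            if cur:
                entries.append(cur)
                cur = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        cur.setdefault(attr.strip().lower(), []).append(value.strip())
    if cur:
        entries.append(cur)
    return entries

def ranges_missing_attrs(ldif_text):
    """Return {dn: [missing attributes]} for local ID range entries."""
    problems = {}
    for entry in parse_ldif(ldif_text):
        dn = entry.get("dn", ["?"])[0]
        if ",cn=ranges,cn=etc," not in dn.lower():
            continue
        # Assumption: only the local domain range from the report is checked.
        if entry.get("iparangetype", ["ipa-local"])[0] != "ipa-local":
            continue
        missing = [a for a in BASE_ATTRS + RID_ATTRS if a.lower() not in entry]
        if missing:
            problems[dn] = missing
    return problems

# Constructed snapshots of the range entry at two points of the installation.
RANGE_DN = "cn=IPA.TEST_id_range,cn=ranges,cn=etc,dc=ipa,dc=test"
AFTER_DEFAULT_LAYOUT = f"""dn: {RANGE_DN}
objectClass: ipaIDrange
ipaBaseID: 1000000
ipaIDRangeSize: 200000
ipaRangeType: ipa-local
"""
AFTER_RID_BASES = AFTER_DEFAULT_LAYOUT + "ipaBaseRID: 1000\nipaSecondaryBaseRID: 100000000\n"

if __name__ == "__main__":
    for label, ldif in (("before RID bases", AFTER_DEFAULT_LAYOUT),
                        ("after RID bases", AFTER_RID_BASES)):
        print(label, ranges_missing_attrs(ldif) or "range entry complete")
```

An entry reported here with missing RID bases corresponds to the window in which the error above is logged; entries created during that window get their SIDs from the later sidgen task, as the report notes.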