Bug 2183822 - [ansible-freeipa] The group module throws an error while adding members for an external group.
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: ansible-freeipa
Version: 9.2
Hardware: x86_64
OS: Linux
Target Milestone: rc
Assignee: Thomas Woerner
QA Contact: Varun Mylaraiah
Duplicates: 2174310
Depends On: 2183820

Reported: 2023-04-02 13:57 UTC by Varun Mylaraiah
Modified: 2023-11-07 09:09 UTC (History)
Fixed In Version: ansible-freeipa-1.10.0-1.el9
Clone Of: 2183820
Last Closed: 2023-11-07 08:25:33 UTC
Type: Bug

Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Issue Tracker | FREEIPA-9650 | 0 | None | None | None | 2023-04-02 13:57:39 UTC
Red Hat Issue Tracker | RHELPLAN-153823 | 0 | None | None | None | 2023-04-02 13:57:44 UTC
Red Hat Product Errata | RHBA-2023:6354 | 0 | None | None | None | 2023-11-07 08:25:55 UTC

Description Varun Mylaraiah 2023-04-02 13:57:04 UTC
+++ This bug was initially created as a clone of Bug #2183820 +++

Description of problem:
While using the ansible-freeipa group module to add members for an external group, I noticed an error [1], but the members were still added. However, when I tested it on the CLI, I did not encounter any errors. Even though the ipa-server-ad was not installed during the CLI testing, no error messages appeared. However, when I attempted to add members using ansible-freeipa, I received an error message.

[1]Error: Cannot perform external member validation without Samba 4 support installed. Make sure you have installed server-trust-ad sub-package of IPA on the serve

[root@ansible ~]# rpm -qa ansible-freeipa
ansible-freeipa-1.9.2-1.el8

Steps to Reproduce:
================
CLI Console output:
================

[root@master ~]# rpm -qa ipa-server-trust-ad
[root@master ~]#

[root@master ~]# ipa group-add testgroup02
-------------------------
Added group "testgroup02"
-------------------------
  Group name: testgroup02
  GID: 1834400014
  
 [root@master ~]# ipa group-add 02externaltestgroup --external
---------------------------------
Added group "02externaltestgroup"
---------------------------------
  Group name: 02externaltestgroup
  
 [root@master ~]# ipa group-add-member 02externaltestgroup --group=testgroup02
  Group name: 02externaltestgroup
  Member groups: testgroup02
-------------------------
Number of members added 1
-------------------------

[root@master ~]# ipa group-show 02externaltestgroup --all
  dn: cn=02externaltestgroup,cn=groups,cn=accounts,dc=ipadomain,dc=test
  Group name: 02externaltestgroup
  Member groups: testgroup02
  ipauniqueid: f915df96-cf9d-11ed-b09c-fa163ede193d
  objectclass: top, groupofnames, nestedgroup, ipausergroup, ipaobject, ipaexternalgroup



=======================
ansible-freeipa console output
=======================
[root@master ~]# rpm -qa ipa-server-trust-ad

[root@master ~]# ipa group-add testgroup01
-------------------------
Added group "testgroup01"
-------------------------
  Group name: testgroup01
  GID: 1078400013


[root@master ~]# ipa group-add 01externaltestgroup --external
---------------------------------
Added group "01externaltestgroup"
---------------------------------
  Group name: 01externaltestgroup

[root@ansible ~]# cat extergroupmembers.yaml
---
- name: Playbook to ensure a group member is present
  hosts: ipaserver
  become: true

  tasks:
  # add group member
  - ipagroup:
      ipaadmin_password: Secret.123
      name: 01externaltestgroup
      action: member
      group:
      - testgroup01


# ansible-playbook -v -i inventory/group.hosts extergroupmembers.yaml
Using /root/ansible.cfg as config file

PLAY [Playbook to ensure a group member is present] *************************************************************

TASK [Gathering Facts] ******************************************************************************************
ok: [master.ipadomain.test]

TASK [ipagroup] *************************************************************************************************
fatal: [master.ipadomain.test]: FAILED! => {"changed": false, "msg": "group_add_member: 01externaltestgroup: Cannot perform external member validation without Samba 4 support installed. Make sure you have installed server-trust-ad sub-package of IPA on the server"}

PLAY RECAP ******************************************************************************************************
master.ipadomain.test      : ok=1    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0



Additional info:
https://github.com/freeipa/freeipa/blob/master/ipaserver/plugins/group.py#L629

Comment 1 Thomas Woerner 2023-04-03 12:20:14 UTC
This is an API inconsistency in IPA:

https://github.com/freeipa/freeipa/blob/master/ipaserver/plugins/group.py#L628

"if 'ipaexternalmember' in options:" triggers all tests for external members, including the _dcerpc_bindings_installed check. But this is also triggered if options["ipaexternalmember"] is an empty list.

The line in group.py#L628 should have been something like:
if 'ipaexternalmember' in options and len(options['ipaexternalmember']) > 0:

Same for removal in https://github.com/freeipa/freeipa/blob/master/ipaserver/plugins/group.py#L685

The solution is to simply not add empty arrays for ipaexternalmember in the ipagroup module in ansible-freeipa.
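
Added illustration, not part of the comment above and not FreeIPA or ansible-freeipa code: a simplified model of the key-presence check Comment 1 describes, next to the condition it proposes and the caller-side fix of omitting empty member lists. The function names, the `dcerpc_bindings_installed` flag and the sample arguments are assumptions made for the example.

```python
# Simplified model of the behaviour described in Comment 1.
# All names here are hypothetical; this is not the server plugin or the module.

EXTERNAL_ERR = ("Cannot perform external member validation without Samba 4 "
                "support installed. Make sure you have installed "
                "server-trust-ad sub-package of IPA on the server")


class ValidationError(Exception):
    """Stand-in for the error the server returns to the caller."""


def check_as_described(options, dcerpc_bindings_installed):
    """Key presence alone triggers the external-member checks."""
    if 'ipaexternalmember' in options:
        if not dcerpc_bindings_installed:
            raise ValidationError(EXTERNAL_ERR)
    return True


def check_as_suggested(options, dcerpc_bindings_installed):
    """Condition proposed in Comment 1: only a non-empty list triggers them."""
    if 'ipaexternalmember' in options and len(options['ipaexternalmember']) > 0:
        if not dcerpc_bindings_installed:
            raise ValidationError(EXTERNAL_ERR)
    return True


def naive_member_args(user=None, group=None, externalmember=None):
    """Caller that always sends every member list, empty or not."""
    return {"user": user or [], "group": group or [],
            "ipaexternalmember": externalmember or []}


def pruned_member_args(user=None, group=None, externalmember=None):
    """Caller-side fix: drop member lists that are empty before sending."""
    args = naive_member_args(user, group, externalmember)
    return {key: value for key, value in args.items() if value}


def outcome(check, args, installed=False):
    """Return 'ok' or 'error' for one (check, arguments) combination."""
    try:
        check(args, installed)
        return "ok"
    except ValidationError:
        return "error"


if __name__ == "__main__":
    # Constructed input mirroring the playbook: one IPA group, no external members.
    for build in (naive_member_args, pruned_member_args):
        args = build(group=["testgroup01"])
        print(build.__name__, args,
              "| as described:", outcome(check_as_described, args),
              "| as suggested:", outcome(check_as_suggested, args))
```

In both variants a request that carries a real external member is still validated when the trust-ad bindings are absent; only the empty-list case changes.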

Comment 2 Thomas Woerner 2023-04-03 13:21:15 UTC
Upstream PR: https://github.com/freeipa/ansible-freeipa/pull/1072

Comment 7 Varun Mylaraiah 2023-04-20 05:09:01 UTC
Verified
ansible-core-2.14.2-4.el9.x86_64
ansible-freeipa-1.10.0-1.el9.noarch

Passed	ansible_freeipa_tests/group/test_group.py::TestExternalGroupWithMembers::test_add_group_member_to_externalgroup

------------------------------ Captured log call -------------------------------
INFO     pytest_multihost.host.Host.master.OpenSSHTransport:transport.py:397 RUN ['ipactl', 'status']
DEBUG    pytest_multihost.host.Host.master.cmd68:transport.py:519 RUN ['ipactl', 'status']
DEBUG    pytest_multihost.host.Host.master.cmd68:transport.py:563 bash: line 1: cd: /root/multihost_tests: No such file or directory
DEBUG    pytest_multihost.host.Host.master.cmd68:transport.py:563 bash: line 2: /root/multihost_tests/env.sh: No such file or directory
DEBUG    pytest_multihost.host.Host.master.cmd68:transport.py:563 Directory Service: RUNNING
DEBUG    pytest_multihost.host.Host.master.cmd68:transport.py:563 ipa: INFO: The ipactl command was successful
DEBUG    pytest_multihost.host.Host.master.cmd68:transport.py:563 krb5kdc Service: RUNNING
DEBUG    pytest_multihost.host.Host.master.cmd68:transport.py:563 kadmin Service: RUNNING
DEBUG    pytest_multihost.host.Host.master.cmd68:transport.py:563 named Service: RUNNING
DEBUG    pytest_multihost.host.Host.master.cmd68:transport.py:563 httpd Service: RUNNING
DEBUG    pytest_multihost.host.Host.master.cmd68:transport.py:563 ipa-custodia Service: RUNNING
DEBUG    pytest_multihost.host.Host.master.cmd68:transport.py:563 pki-tomcatd Service: RUNNING
DEBUG    pytest_multihost.host.Host.master.cmd68:transport.py:563 ipa-otpd Service: RUNNING
DEBUG    pytest_multihost.host.Host.master.cmd68:transport.py:563 ipa-dnskeysyncd Service: RUNNING
DEBUG    pytest_multihost.host.Host.master.cmd68:transport.py:217 Exit code: 0
INFO     pytest_multihost.host.Host.master.OpenSSHTransport:transport.py:397 RUN ['yum', 'remove', 'ipa-server-ad', '-y']
DEBUG    pytest_multihost.host.Host.master.cmd69:transport.py:519 RUN ['yum', 'remove', 'ipa-server-ad', '-y']
DEBUG    pytest_multihost.host.Host.master.cmd69:transport.py:563 bash: line 1: cd: /root/multihost_tests: No such file or directory
DEBUG    pytest_multihost.host.Host.master.cmd69:transport.py:563 bash: line 2: /root/multihost_tests/env.sh: No such file or directory
DEBUG    pytest_multihost.host.Host.master.cmd69:transport.py:563 No match for argument: ipa-server-ad
DEBUG    pytest_multihost.host.Host.master.cmd69:transport.py:563 No packages marked for removal.
DEBUG    pytest_multihost.host.Host.master.cmd69:transport.py:563 Dependencies resolved.
DEBUG    pytest_multihost.host.Host.master.cmd69:transport.py:563 Nothing to do.
DEBUG    pytest_multihost.host.Host.master.cmd69:transport.py:563 Complete!
DEBUG    pytest_multihost.host.Host.master.cmd69:transport.py:217 Exit code: 0
INFO     pytest_multihost.host.Host.master.OpenSSHTransport:transport.py:397 RUN ['kinit', 'admin']
DEBUG    pytest_multihost.host.Host.master.cmd70:transport.py:519 RUN ['kinit', 'admin']
DEBUG    pytest_multihost.host.Host.master.cmd70:transport.py:563 bash: line 1: cd: /root/multihost_tests: No such file or directory
DEBUG    pytest_multihost.host.Host.master.cmd70:transport.py:563 bash: line 2: /root/multihost_tests/env.sh: No such file or directory
DEBUG    pytest_multihost.host.Host.master.cmd70:transport.py:563 Password for admin: 
DEBUG    pytest_multihost.host.Host.master.cmd70:transport.py:217 Exit code: 0
INFO     pytest_multihost.host.Host.master.OpenSSHTransport:transport.py:397 RUN ['ipa', 'group-add', '51externaltestgroup', '--external']
DEBUG    pytest_multihost.host.Host.master.cmd71:transport.py:519 RUN ['ipa', 'group-add', '51externaltestgroup', '--external']
DEBUG    pytest_multihost.host.Host.master.cmd71:transport.py:563 bash: line 1: cd: /root/multihost_tests: No such file or directory
DEBUG    pytest_multihost.host.Host.master.cmd71:transport.py:563 bash: line 2: /root/multihost_tests/env.sh: No such file or directory
DEBUG    pytest_multihost.host.Host.master.cmd71:transport.py:563 ---------------------------------
DEBUG    pytest_multihost.host.Host.master.cmd71:transport.py:563 Added group "51externaltestgroup"
DEBUG    pytest_multihost.host.Host.master.cmd71:transport.py:563 ---------------------------------
DEBUG    pytest_multihost.host.Host.master.cmd71:transport.py:563   Group name: 51externaltestgroup
DEBUG    pytest_multihost.host.Host.master.cmd71:transport.py:217 Exit code: 0
INFO     pytest_multihost.host.Host.master.OpenSSHTransport:transport.py:397 RUN ['ipa', 'group-add', '52externaltestgroup', '--external']
DEBUG    pytest_multihost.host.Host.master.cmd72:transport.py:519 RUN ['ipa', 'group-add', '52externaltestgroup', '--external']
DEBUG    pytest_multihost.host.Host.master.cmd72:transport.py:563 bash: line 1: cd: /root/multihost_tests: No such file or directory
DEBUG    pytest_multihost.host.Host.master.cmd72:transport.py:563 bash: line 2: /root/multihost_tests/env.sh: No such file or directory
DEBUG    pytest_multihost.host.Host.master.cmd72:transport.py:563 ---------------------------------
DEBUG    pytest_multihost.host.Host.master.cmd72:transport.py:563 Added group "52externaltestgroup"
DEBUG    pytest_multihost.host.Host.master.cmd72:transport.py:563 ---------------------------------
DEBUG    pytest_multihost.host.Host.master.cmd72:transport.py:563   Group name: 52externaltestgroup
DEBUG    pytest_multihost.host.Host.master.cmd72:transport.py:217 Exit code: 0
INFO     pytest_multihost.host.Host.ansible.OpenSSHTransport:transport.py:433 PUT inventory/group.hosts
DEBUG    pytest_multihost.host.Host.ansible.cmd41:transport.py:519 RUN ['tee', 'inventory/group.hosts']
DEBUG    pytest_multihost.host.Host.ansible.cmd41:transport.py:217 Exit code: 0
INFO     pytest_multihost.host.Host.ansible.OpenSSHTransport:transport.py:433 PUT group_module.yml
DEBUG    pytest_multihost.host.Host.ansible.cmd42:transport.py:519 RUN ['tee', 'group_module.yml']
DEBUG    pytest_multihost.host.Host.ansible.cmd42:transport.py:217 Exit code: 0
INFO     pytest_multihost.host.Host.ansible.OpenSSHTransport:transport.py:397 RUN ['ansible-playbook', '--ssh-extra-args="-o StrictHostKeyChecking=no"', '-vv', '-i', 'inventory/group.hosts', 'group_module.yml']
DEBUG    pytest_multihost.host.Host.ansible.cmd43:transport.py:519 RUN ['ansible-playbook', '--ssh-extra-args="-o StrictHostKeyChecking=no"', '-vv', '-i', 'inventory/group.hosts', 'group_module.yml']
DEBUG    pytest_multihost.host.Host.ansible.cmd43:transport.py:563 bash: line 1: cd: /root/multihost_tests: No such file or directory
DEBUG    pytest_multihost.host.Host.ansible.cmd43:transport.py:563 bash: line 2: /root/multihost_tests/env.sh: No such file or directory
DEBUG    pytest_multihost.host.Host.ansible.cmd43:transport.py:563 ansible-playbook [core 2.14.2]
DEBUG    pytest_multihost.host.Host.ansible.cmd43:transport.py:563   config file = /etc/ansible/ansible.cfg
DEBUG    pytest_multihost.host.Host.ansible.cmd43:transport.py:563   configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
DEBUG    pytest_multihost.host.Host.ansible.cmd43:transport.py:563   ansible python module location = /usr/lib/python3.11/site-packages/ansible
DEBUG    pytest_multihost.host.Host.ansible.cmd43:transport.py:563   ansible collection location = /root/.ansible/collections:/usr/share/ansible/collections
DEBUG    pytest_multihost.host.Host.ansible.cmd43:transport.py:563   executable location = /usr/bin/ansible-playbook
DEBUG    pytest_multihost.host.Host.ansible.cmd43:transport.py:563   python version = 3.11.2 (main, Feb 16 2023, 00:00:00) [GCC 11.3.1 20221121 (Red Hat 11.3.1-4)] (/usr/bin/python3.11)
DEBUG    pytest_multihost.host.Host.ansible.cmd43:transport.py:563   jinja version = 3.1.2
DEBUG    pytest_multihost.host.Host.ansible.cmd43:transport.py:563   libyaml = True
DEBUG    pytest_multihost.host.Host.ansible.cmd43:transport.py:563 Using /etc/ansible/ansible.cfg as config file
DEBUG    pytest_multihost.host.Host.ansible.cmd43:transport.py:563 Skipping callback 'default', as we already have a stdout callback.
DEBUG    pytest_multihost.host.Host.ansible.cmd43:transport.py:563 Skipping callback 'minimal', as we already have a stdout callback.
DEBUG    pytest_multihost.host.Host.ansible.cmd43:transport.py:563 Skipping callback 'oneline', as we already have a stdout callback.
DEBUG    pytest_multihost.host.Host.ansible.cmd43:transport.py:563 
DEBUG    pytest_multihost.host.Host.ansible.cmd43:transport.py:563 PLAYBOOK: group_module.yml *****************************************************
DEBUG    pytest_multihost.host.Host.ansible.cmd43:transport.py:563 1 plays in group_module.yml
DEBUG    pytest_multihost.host.Host.ansible.cmd43:transport.py:563 
DEBUG    pytest_multihost.host.Host.ansible.cmd43:transport.py:563 PLAY [Playbook to ensure members are added to the external group (without trust-ad) Bug#2183820/Bug#2183822] ***
DEBUG    pytest_multihost.host.Host.ansible.cmd43:transport.py:563 
DEBUG    pytest_multihost.host.Host.ansible.cmd43:transport.py:563 TASK [Gathering Facts] *********************************************************
DEBUG    pytest_multihost.host.Host.ansible.cmd43:transport.py:563 task path: /root/group_module.yml:2
DEBUG    pytest_multihost.host.Host.ansible.cmd43:transport.py:563 ok: [master.ipadomain.test]
DEBUG    pytest_multihost.host.Host.ansible.cmd43:transport.py:563 
DEBUG    pytest_multihost.host.Host.ansible.cmd43:transport.py:563 TASK [ipagroup] ****************************************************************
DEBUG    pytest_multihost.host.Host.ansible.cmd43:transport.py:563 task path: /root/group_module.yml:8
DEBUG    pytest_multihost.host.Host.ansible.cmd43:transport.py:563 changed: [master.ipadomain.test] => {"changed": true}
DEBUG    pytest_multihost.host.Host.ansible.cmd43:transport.py:563 
DEBUG    pytest_multihost.host.Host.ansible.cmd43:transport.py:563 PLAY RECAP *********************************************************************
DEBUG    pytest_multihost.host.Host.ansible.cmd43:transport.py:563 master.ipadomain.test      : ok=2    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0   
DEBUG    pytest_multihost.host.Host.ansible.cmd43:transport.py:563 
DEBUG    pytest_multihost.host.Host.ansible.cmd43:transport.py:217 Exit code: 0
INFO     pytest_multihost.host.Host.master.OpenSSHTransport:transport.py:397 RUN ['kinit', 'admin']
DEBUG    pytest_multihost.host.Host.master.cmd73:transport.py:519 RUN ['kinit', 'admin']
DEBUG    pytest_multihost.host.Host.master.cmd73:transport.py:563 bash: line 1: cd: /root/multihost_tests: No such file or directory
DEBUG    pytest_multihost.host.Host.master.cmd73:transport.py:563 bash: line 2: /root/multihost_tests/env.sh: No such file or directory
DEBUG    pytest_multihost.host.Host.master.cmd73:transport.py:563 Password for admin: 
DEBUG    pytest_multihost.host.Host.master.cmd73:transport.py:217 Exit code: 0
INFO     pytest_multihost.host.Host.master.OpenSSHTransport:transport.py:397 RUN ['ipa', 'group-show', '51externaltestgroup', '--all']
DEBUG    pytest_multihost.host.Host.master.cmd74:transport.py:519 RUN ['ipa', 'group-show', '51externaltestgroup', '--all']
DEBUG    pytest_multihost.host.Host.master.cmd74:transport.py:563 bash: line 1: cd: /root/multihost_tests: No such file or directory
DEBUG    pytest_multihost.host.Host.master.cmd74:transport.py:563 bash: line 2: /root/multihost_tests/env.sh: No such file or directory
DEBUG    pytest_multihost.host.Host.master.cmd74:transport.py:563   dn: cn=51externaltestgroup,cn=groups,cn=accounts,dc=ipadomain,dc=test
DEBUG    pytest_multihost.host.Host.master.cmd74:transport.py:563   Group name: 51externaltestgroup
DEBUG    pytest_multihost.host.Host.master.cmd74:transport.py:563   Member users: gmm_user01, gmm_user02
DEBUG    pytest_multihost.host.Host.master.cmd74:transport.py:563   Member groups: gmm_group01, 52externaltestgroup
DEBUG    pytest_multihost.host.Host.master.cmd74:transport.py:563   ipauniqueid: 58b9ea80-dea0-11ed-9282-fa163e839213
DEBUG    pytest_multihost.host.Host.master.cmd74:transport.py:563   objectclass: top, groupofnames, nestedgroup, ipausergroup, ipaobject, ipaexternalgroup
DEBUG    pytest_multihost.host.Host.master.cmd74:transport.py:217 Exit code: 0
INFO     pytest_multihost.host.Host.master.OpenSSHTransport:transport.py:397 RUN ['kdestroy', '-A']
DEBUG    pytest_multihost.host.Host.master.cmd75:transport.py:519 RUN ['kdestroy', '-A']
DEBUG    pytest_multihost.host.Host.master.cmd75:transport.py:563 bash: line 1: cd: /root/multihost_tests: No such file or directory
DEBUG    pytest_multihost.host.Host.master.cmd75:transport.py:563 bash: line 2: /root/multihost_tests/env.sh: No such file or directory
DEBUG    pytest_multihost.host.Host.master.cmd75:transport.py:217 Exit code: 0

Comment 9 Varun Mylaraiah 2023-04-20 05:49:56 UTC
*** Bug 2174310 has been marked as a duplicate of this bug. ***

Comment 11 errata-xmlrpc 2023-11-07 08:25:33 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (ansible-freeipa bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:6354

