Bug 719656 - Disabling ipa-nis-manage removes netgroup compat suffix in DS.
Summary: Disabling ipa-nis-manage removes netgroup compat suffix in DS.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.2
Hardware: Unspecified
OS: Unspecified
high
unspecified
Target Milestone: rc
: ---
Assignee: Rob Crittenden
QA Contact: Chandrasekar Kannan
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-07-07 15:25 UTC by Gowrishankar Rajaiyan
Modified: 2015-01-04 23:49 UTC (History)
5 users (show)

Fixed In Version: ipa-2.1.0-1.el6
Doc Type: Bug Fix
Doc Text:
Cause: Running ipa-nis-manage disable disables the NIS listener and also removes the netgroup compatibility suffix. Consequence: If NIS is disabled then adding a host group will fail to automatically create a netgroup. Fix: When NIS was disabled the tool was also disabling the automatic creation of netgroups when host groups were created. This code was removed. Result: Disabling NIS has no effect on automatically creating netgroups when host groups are created.
Clone Of:
Environment:
Last Closed: 2011-12-06 18:41:04 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2011:1533 normal SHIPPED_LIVE Moderate: ipa security and bug fix update 2011-12-06 01:23:31 UTC

Description Gowrishankar Rajaiyan 2011-07-07 15:25:13 UTC
Description of problem:
Disabling ipa-nis-manage removes the following suffix from DS causing "ipa hostgroup" command to fail to automatically add any netgroup info in cn=ng,cn=compat, dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com.

<snip>
# ng, compat, lab.eng.pnq.redhat.com
dn: cn=ng,cn=compat, dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
objectClass: extensibleObject
cn: ng
</snip>

Version-Release number of selected component (if applicable):
ipa-server-2.0.0-25.el6.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Install ipa server
2. Make sure "# ng, compat, lab.eng.pnq.redhat.com" exists 
# /usr/bin/ldapsearch -x -h localhost -D "cn=Directory Manager" -w Secret123 -b cn=ng,cn=compat,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
# ng, compat, lab.eng.pnq.redhat.com
dn: cn=ng,cn=compat, dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
objectClass: extensibleObject
cn: ng

3. Add hostgroup
# ipa hostgroup-add hostgrp1 --desc="host group1"
--------------------------
Added hostgroup "hostgrp1"
--------------------------
  Host-group: hostgrp1
  Description: host group1

4. Verify if netgroup info is automatically added to "cn=ng,cn=compat, dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com" suffix
# /usr/bin/ldapsearch -x -h localhost -D "cn=Directory Manager" -w Secret123 -b cn=ng,cn=compat,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com

# ng, compat, lab.eng.pnq.redhat.com
dn: cn=ng,cn=compat, dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
objectClass: extensibleObject
cn: ng

# hostgrp1, ng, compat, lab.eng.pnq.redhat.com
dn: cn=hostgrp1,cn=ng,cn=compat,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
objectClass: nisNetgroup
objectClass: top
cn: hostgrp1

5. Now, disable ipa-nis-manage

6. Check if netgroup info exists in "ng, compat, lab.eng.pnq.redhat.com"
  
Actual results:

# /usr/bin/ldapsearch -x -h localhost -D "cn=Directory Manager" -w Secret123 -b cn=ng,cn=compat,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com

# search result
search: 2
result: 32 No such object     <<<<<<<<<<<<<<<<<<
matchedDN: dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com

All netgroup data from cn=compat is removed.

Expected results:
Should not remove any existing data. 

Additional info:
1. Enabling ipa-nis-manage doesn't help.
2. This causes adding hostgroup to "ipa sudorule" to fail.
3. Also, affects SSSD while enumerating netgroups.

Comment 1 Rob Crittenden 2011-07-07 15:36:54 UTC
Note that no data is removed, we simply drop netgroup support from compat when nis is not enabled. cn=compat is just a different view of the data.

I don't think this is a bug. netgroup support in compat is only useful when you have the nis server enabled AFAIK.

Comment 2 Stephen Gallagher 2011-07-07 15:44:49 UTC
That's incorrect. SSSD can only make use of netgroups stored in the standard schema right now, so we rely on the compat tree to use netgroups with FreeIPA.

We have upstream ticket https://fedorahosted.org/sssd/ticket/793 open to address this.

Comment 3 Gowrishankar Rajaiyan 2011-07-07 16:12:26 UTC
(In reply to comment #1)
> Note that no data is removed, we simply drop netgroup support from compat when
> nis is not enabled. cn=compat is just a different view of the data.
> 

"ipa-nis-manage enable" after step6 and then adding hostgroups does not create its corresponding private netgroups.

Comment 4 Dmitri Pal 2011-07-07 23:39:33 UTC
(In reply to comment #1)
> Note that no data is removed, we simply drop netgroup support from compat when
> nis is not enabled. cn=compat is just a different view of the data.
> 
> I don't think this is a bug. netgroup support in compat is only useful when you
> have the nis server enabled AFAIK.

This is unfortunately incorrect any more.
Current implementation of SSSD relied on the compat tree for the netgroups.
Please create a ticket. I am giving ack.

Comment 5 Rob Crittenden 2011-07-12 18:21:31 UTC
https://fedorahosted.org/freeipa/ticket/1469

Comment 9 Rob Crittenden 2011-10-31 20:47:28 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Cause: Running ipa-nis-manage disable disables the NIS listener and also removes the netgroup compatibility suffix.
Consequence: If NIS is disabled then adding a host group will fail to automatically create a netgroup.
Fix: When NIS was disabled the tool was also disabling the automatic creation of netgroups when host groups were created. This code was removed.
Result: Disabling NIS has no effect on automatically creating netgroups when host groups are created.

Comment 10 Gowrishankar Rajaiyan 2011-11-02 05:50:56 UTC
[root@jetfire ~]# /usr/bin/ldapsearch -LLL -x -h localhost -D "cn=Directory Manager" -w Secret123 -b cn=ng,cn=compat,dc=testrelm 
dn: cn=ng,cn=compat, dc=testrelm
objectClass: extensibleObject
cn: ng


[root@jetfire ~]# ipa hostgroup-add hostgrp1 --desc="host group1"
--------------------------
Added hostgroup "hostgrp1"
--------------------------
  Host-group: hostgrp1
  Description: host group1
[root@jetfire ~]# 


[root@jetfire ~]# /usr/bin/ldapsearch -LLL -x -h localhost -D "cn=Directory Manager" -w Secret123 -b cn=ng,cn=compat,dc=testrelm 
dn: cn=ng,cn=compat, dc=testrelm
objectClass: extensibleObject
cn: ng

dn: cn=hostgrp1,cn=ng,cn=compat,dc=testrelm
objectClass: nisNetgroup
objectClass: top
cn: hostgrp1
[root@jetfire ~]#


[root@jetfire ~]# ipa-nis-manage enable
Directory Manager password: 

Enabling plugin
Restarting IPA to initialize updates before performing deletes:
  [1/2]: stopping directory server
  [2/2]: starting directory server
done configuring dirsrv.
This setting will not take effect until you restart Directory Server.
The rpcbind service may need to be started.
[root@jetfire ~]# 
[root@jetfire ~]# 
[root@jetfire ~]# ipactl restart
Restarting Directory Service
Shutting down dirsrv: 
    PKI-IPA...                                             [  OK  ]
    TESTRELM...                                            [  OK  ]
Starting dirsrv: 
    PKI-IPA...                                             [  OK  ]
    TESTRELM...                                            [  OK  ]
Restarting KDC Service
Stopping Kerberos 5 KDC:                                   [  OK  ]
Starting Kerberos 5 KDC:                                   [  OK  ]
Restarting KPASSWD Service
Shutting down ipa_kpasswd:                                 [  OK  ]
Starting ipa_kpasswd:                                      [  OK  ]
Restarting DNS Service
Stopping named: .                                          [  OK  ]
Starting named:                                            [  OK  ]
Restarting HTTP Service
Stopping httpd:                                            [  OK  ]
Starting httpd: [Wed Nov 02 01:43:44 2011] [warn] worker ajp://localhost:9447/ already used by another worker
[Wed Nov 02 01:43:44 2011] [warn] worker ajp://localhost:9447/ already used by another worker
                                                           [  OK  ]
Restarting CA Service
Stopping pki-ca:                                           [  OK  ]
Starting pki-ca:                                           [  OK  ]
[root@jetfire ~]# 
[root@jetfire ~]# 


[root@jetfire ~]# ipa-nis-manage disable
Directory Manager password: 

This setting will not take effect until you restart Directory Server.
[root@jetfire ~]# 


[root@jetfire ~]# ipactl restart
Restarting Directory Service
Shutting down dirsrv: 
    PKI-IPA...                                             [  OK  ]
    TESTRELM...                                            [  OK  ]
Starting dirsrv: 
    PKI-IPA...                                             [  OK  ]
    TESTRELM...                                            [  OK  ]
Restarting KDC Service
Stopping Kerberos 5 KDC:                                   [  OK  ]
Starting Kerberos 5 KDC:                                   [  OK  ]
Restarting KPASSWD Service
Shutting down ipa_kpasswd:                                 [  OK  ]
Starting ipa_kpasswd:                                      [  OK  ]
Restarting DNS Service
Stopping named: .                                          [  OK  ]
Starting named:                                            [  OK  ]
Restarting HTTP Service
Stopping httpd:                                            [  OK  ]
Starting httpd: [Wed Nov 02 01:45:08 2011] [warn] worker ajp://localhost:9447/ already used by another worker
[Wed Nov 02 01:45:08 2011] [warn] worker ajp://localhost:9447/ already used by another worker
                                                           [  OK  ]
Restarting CA Service
Stopping pki-ca:                                           [  OK  ]
Starting pki-ca:                                           [  OK  ]



[root@jetfire ~]# /usr/bin/ldapsearch -LLL -x -h localhost -D "cn=Directory Manager" -w Secret123 -b cn=ng,cn=compat,dc=testrelm 
dn: cn=ng,cn=compat, dc=testrelm
objectClass: extensibleObject
cn: ng

dn: cn=hostgrp1,cn=ng,cn=compat,dc=testrelm
objectClass: nisNetgroup
objectClass: top
cn: hostgrp1


[root@jetfire ~]# ipa hostgroup-add hostgrp2 --desc="host group2"
--------------------------
Added hostgroup "hostgrp2"
--------------------------
  Host-group: hostgrp2
  Description: host group2
[root@jetfire ~]# 


[root@jetfire ~]# /usr/bin/ldapsearch -LLL -x -h localhost -D "cn=Directory Manager" -w Secret123 -b cn=ng,cn=compat,dc=testrelm 
dn: cn=ng,cn=compat, dc=testrelm
objectClass: extensibleObject
cn: ng

dn: cn=hostgrp2,cn=ng,cn=compat,dc=testrelm
objectClass: nisNetgroup
objectClass: top
cn: hostgrp2

dn: cn=hostgrp1,cn=ng,cn=compat,dc=testrelm
objectClass: nisNetgroup
objectClass: top
cn: hostgrp1

[root@jetfire ~]# 



Verified. Version: ipa-server-2.1.3-7.el6.x86_64

Comment 11 errata-xmlrpc 2011-12-06 18:41:04 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2011-1533.html


Note You need to log in before you can comment on or make changes to this bug.