719656 – Disabling ipa-nis-manage removes netgroup compat suffix in DS.

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 719656 - Disabling ipa-nis-manage removes netgroup compat suffix in DS.

Summary: Disabling ipa-nis-manage removes netgroup compat suffix in DS.

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	ipa
Sub Component:
Version:	6.2
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Rob Crittenden
QA Contact:	Chandrasekar Kannan
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2011-07-07 15:25 UTC by Gowrishankar Rajaiyan
Modified:	2015-01-04 23:49 UTC (History)
CC List:	5 users (show)
Fixed In Version:	ipa-2.1.0-1.el6
Doc Type:	Bug Fix
Doc Text:	Cause: Running ipa-nis-manage disable disables the NIS listener and also removes the netgroup compatibility suffix. Consequence: If NIS is disabled then adding a host group will fail to automatically create a netgroup. Fix: When NIS was disabled the tool was also disabling the automatic creation of netgroups when host groups were created. This code was removed. Result: Disabling NIS has no effect on automatically creating netgroups when host groups are created.
Clone Of:
Environment:
Last Closed:	2011-12-06 18:41:04 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2011:1533	0	normal	SHIPPED_LIVE	Moderate: ipa security and bug fix update	2011-12-06 01:23:31 UTC

Description Gowrishankar Rajaiyan 2011-07-07 15:25:13 UTC

Description of problem:
Disabling ipa-nis-manage removes the following suffix from DS causing "ipa hostgroup" command to fail to automatically add any netgroup info in cn=ng,cn=compat, dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com.

<snip>
# ng, compat, lab.eng.pnq.redhat.com
dn: cn=ng,cn=compat, dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
objectClass: extensibleObject
cn: ng
</snip>

Version-Release number of selected component (if applicable):
ipa-server-2.0.0-25.el6.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Install ipa server
2. Make sure "# ng, compat, lab.eng.pnq.redhat.com" exists 
# /usr/bin/ldapsearch -x -h localhost -D "cn=Directory Manager" -w Secret123 -b cn=ng,cn=compat,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
# ng, compat, lab.eng.pnq.redhat.com
dn: cn=ng,cn=compat, dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
objectClass: extensibleObject
cn: ng

3. Add hostgroup
# ipa hostgroup-add hostgrp1 --desc="host group1"
--------------------------
Added hostgroup "hostgrp1"
--------------------------
  Host-group: hostgrp1
  Description: host group1

4. Verify if netgroup info is automatically added to "cn=ng,cn=compat, dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com" suffix
# /usr/bin/ldapsearch -x -h localhost -D "cn=Directory Manager" -w Secret123 -b cn=ng,cn=compat,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com

# ng, compat, lab.eng.pnq.redhat.com
dn: cn=ng,cn=compat, dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
objectClass: extensibleObject
cn: ng

# hostgrp1, ng, compat, lab.eng.pnq.redhat.com
dn: cn=hostgrp1,cn=ng,cn=compat,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
objectClass: nisNetgroup
objectClass: top
cn: hostgrp1

5. Now, disable ipa-nis-manage

6. Check if netgroup info exists in "ng, compat, lab.eng.pnq.redhat.com"
  
Actual results:

# /usr/bin/ldapsearch -x -h localhost -D "cn=Directory Manager" -w Secret123 -b cn=ng,cn=compat,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com

# search result
search: 2
result: 32 No such object     <<<<<<<<<<<<<<<<<<
matchedDN: dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com

All netgroup data from cn=compat is removed.

Expected results:
Should not remove any existing data. 

Additional info:
1. Enabling ipa-nis-manage doesn't help.
2. This causes adding hostgroup to "ipa sudorule" to fail.
3. Also, affects SSSD while enumerating netgroups.

Comment 1 Rob Crittenden 2011-07-07 15:36:54 UTC

Note that no data is removed, we simply drop netgroup support from compat when nis is not enabled. cn=compat is just a different view of the data.

I don't think this is a bug. netgroup support in compat is only useful when you have the nis server enabled AFAIK.

Comment 2 Stephen Gallagher 2011-07-07 15:44:49 UTC

That's incorrect. SSSD can only make use of netgroups stored in the standard schema right now, so we rely on the compat tree to use netgroups with FreeIPA.

We have upstream ticket https://fedorahosted.org/sssd/ticket/793 open to address this.

Comment 3 Gowrishankar Rajaiyan 2011-07-07 16:12:26 UTC

(In reply to comment #1)
> Note that no data is removed, we simply drop netgroup support from compat when
> nis is not enabled. cn=compat is just a different view of the data.
> 

"ipa-nis-manage enable" after step6 and then adding hostgroups does not create its corresponding private netgroups.

Comment 4 Dmitri Pal 2011-07-07 23:39:33 UTC

(In reply to comment #1)
> Note that no data is removed, we simply drop netgroup support from compat when
> nis is not enabled. cn=compat is just a different view of the data.
> 
> I don't think this is a bug. netgroup support in compat is only useful when you
> have the nis server enabled AFAIK.

This is unfortunately incorrect any more.
Current implementation of SSSD relied on the compat tree for the netgroups.
Please create a ticket. I am giving ack.

Comment 5 Rob Crittenden 2011-07-12 18:21:31 UTC

https://fedorahosted.org/freeipa/ticket/1469

Comment 6 Martin Kosek 2011-07-19 11:46:13 UTC

Fixed upstream:
master: https://fedorahosted.org/freeipa/changeset/c1f5dadc4e9c5ed0c9c1a132c4fe5c66b0244882
ipa-2-0: https://fedorahosted.org/freeipa/changeset/fe3fd0e2f4ef28fe53abbd8195ad23b09c2e9420

Comment 9 Rob Crittenden 2011-10-31 20:47:28 UTC

    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Cause: Running ipa-nis-manage disable disables the NIS listener and also removes the netgroup compatibility suffix.
Consequence: If NIS is disabled then adding a host group will fail to automatically create a netgroup.
Fix: When NIS was disabled the tool was also disabling the automatic creation of netgroups when host groups were created. This code was removed.
Result: Disabling NIS has no effect on automatically creating netgroups when host groups are created.

Comment 10 Gowrishankar Rajaiyan 2011-11-02 05:50:56 UTC

[root@jetfire ~]# /usr/bin/ldapsearch -LLL -x -h localhost -D "cn=Directory Manager" -w Secret123 -b cn=ng,cn=compat,dc=testrelm 
dn: cn=ng,cn=compat, dc=testrelm
objectClass: extensibleObject
cn: ng


[root@jetfire ~]# ipa hostgroup-add hostgrp1 --desc="host group1"
--------------------------
Added hostgroup "hostgrp1"
--------------------------
  Host-group: hostgrp1
  Description: host group1
[root@jetfire ~]# 


[root@jetfire ~]# /usr/bin/ldapsearch -LLL -x -h localhost -D "cn=Directory Manager" -w Secret123 -b cn=ng,cn=compat,dc=testrelm 
dn: cn=ng,cn=compat, dc=testrelm
objectClass: extensibleObject
cn: ng

dn: cn=hostgrp1,cn=ng,cn=compat,dc=testrelm
objectClass: nisNetgroup
objectClass: top
cn: hostgrp1
[root@jetfire ~]#


[root@jetfire ~]# ipa-nis-manage enable
Directory Manager password: 

Enabling plugin
Restarting IPA to initialize updates before performing deletes:
  [1/2]: stopping directory server
  [2/2]: starting directory server
done configuring dirsrv.
This setting will not take effect until you restart Directory Server.
The rpcbind service may need to be started.
[root@jetfire ~]# 
[root@jetfire ~]# 
[root@jetfire ~]# ipactl restart
Restarting Directory Service
Shutting down dirsrv: 
    PKI-IPA...                                             [  OK  ]
    TESTRELM...                                            [  OK  ]
Starting dirsrv: 
    PKI-IPA...                                             [  OK  ]
    TESTRELM...                                            [  OK  ]
Restarting KDC Service
Stopping Kerberos 5 KDC:                                   [  OK  ]
Starting Kerberos 5 KDC:                                   [  OK  ]
Restarting KPASSWD Service
Shutting down ipa_kpasswd:                                 [  OK  ]
Starting ipa_kpasswd:                                      [  OK  ]
Restarting DNS Service
Stopping named: .                                          [  OK  ]
Starting named:                                            [  OK  ]
Restarting HTTP Service
Stopping httpd:                                            [  OK  ]
Starting httpd: [Wed Nov 02 01:43:44 2011] [warn] worker ajp://localhost:9447/ already used by another worker
[Wed Nov 02 01:43:44 2011] [warn] worker ajp://localhost:9447/ already used by another worker
                                                           [  OK  ]
Restarting CA Service
Stopping pki-ca:                                           [  OK  ]
Starting pki-ca:                                           [  OK  ]
[root@jetfire ~]# 
[root@jetfire ~]# 


[root@jetfire ~]# ipa-nis-manage disable
Directory Manager password: 

This setting will not take effect until you restart Directory Server.
[root@jetfire ~]# 


[root@jetfire ~]# ipactl restart
Restarting Directory Service
Shutting down dirsrv: 
    PKI-IPA...                                             [  OK  ]
    TESTRELM...                                            [  OK  ]
Starting dirsrv: 
    PKI-IPA...                                             [  OK  ]
    TESTRELM...                                            [  OK  ]
Restarting KDC Service
Stopping Kerberos 5 KDC:                                   [  OK  ]
Starting Kerberos 5 KDC:                                   [  OK  ]
Restarting KPASSWD Service
Shutting down ipa_kpasswd:                                 [  OK  ]
Starting ipa_kpasswd:                                      [  OK  ]
Restarting DNS Service
Stopping named: .                                          [  OK  ]
Starting named:                                            [  OK  ]
Restarting HTTP Service
Stopping httpd:                                            [  OK  ]
Starting httpd: [Wed Nov 02 01:45:08 2011] [warn] worker ajp://localhost:9447/ already used by another worker
[Wed Nov 02 01:45:08 2011] [warn] worker ajp://localhost:9447/ already used by another worker
                                                           [  OK  ]
Restarting CA Service
Stopping pki-ca:                                           [  OK  ]
Starting pki-ca:                                           [  OK  ]



[root@jetfire ~]# /usr/bin/ldapsearch -LLL -x -h localhost -D "cn=Directory Manager" -w Secret123 -b cn=ng,cn=compat,dc=testrelm 
dn: cn=ng,cn=compat, dc=testrelm
objectClass: extensibleObject
cn: ng

dn: cn=hostgrp1,cn=ng,cn=compat,dc=testrelm
objectClass: nisNetgroup
objectClass: top
cn: hostgrp1


[root@jetfire ~]# ipa hostgroup-add hostgrp2 --desc="host group2"
--------------------------
Added hostgroup "hostgrp2"
--------------------------
  Host-group: hostgrp2
  Description: host group2
[root@jetfire ~]# 


[root@jetfire ~]# /usr/bin/ldapsearch -LLL -x -h localhost -D "cn=Directory Manager" -w Secret123 -b cn=ng,cn=compat,dc=testrelm 
dn: cn=ng,cn=compat, dc=testrelm
objectClass: extensibleObject
cn: ng

dn: cn=hostgrp2,cn=ng,cn=compat,dc=testrelm
objectClass: nisNetgroup
objectClass: top
cn: hostgrp2

dn: cn=hostgrp1,cn=ng,cn=compat,dc=testrelm
objectClass: nisNetgroup
objectClass: top
cn: hostgrp1

[root@jetfire ~]# 



Verified. Version: ipa-server-2.1.3-7.el6.x86_64

Comment 11 errata-xmlrpc 2011-12-06 18:41:04 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2011-1533.html

Note You need to log in before you can comment on or make changes to this bug.