Bug 719656 - Disabling ipa-nis-manage removes netgroup compat suffix in DS.
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.2
Hardware/OS: Unspecified / Unspecified
Priority: high, Severity: unspecified
Target Milestone: rc
Assigned To: Rob Crittenden
QA Contact: Chandrasekar Kannan
Reported: 2011-07-07 11:25 EDT by Gowrishankar Rajaiyan
Modified: 2015-01-04 18:49 EST
CC: 5 users
Fixed In Version: ipa-2.1.0-1.el6
Doc Type: Bug Fix
Doc Text:
Cause: Running ipa-nis-manage disable disables the NIS listener and also removes the netgroup compatibility suffix.
Consequence: If NIS is disabled then adding a host group will fail to automatically create a netgroup.
Fix: When NIS was disabled the tool was also disabling the automatic creation of netgroups when host groups were created. This code was removed.
Result: Disabling NIS has no effect on automatically creating netgroups when host groups are created.
Last Closed: 2011-12-06 13:41:04 EST
External Trackers:
Red Hat Product Errata RHSA-2011:1533 (normal, SHIPPED_LIVE): Moderate: ipa security and bug fix update, last updated 2011-12-05 20:23:31 EST

Description Gowrishankar Rajaiyan 2011-07-07 11:25:13 EDT
Description of problem:
Disabling ipa-nis-manage removes the following suffix from DS causing "ipa hostgroup" command to fail to automatically add any netgroup info in cn=ng,cn=compat, dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com.

<snip>
# ng, compat, lab.eng.pnq.redhat.com
dn: cn=ng,cn=compat, dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
objectClass: extensibleObject
cn: ng
</snip>

Version-Release number of selected component (if applicable):
ipa-server-2.0.0-25.el6.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Install ipa server
2. Make sure "# ng, compat, lab.eng.pnq.redhat.com" exists 
# /usr/bin/ldapsearch -x -h localhost -D "cn=Directory Manager" -w Secret123 -b cn=ng,cn=compat,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
# ng, compat, lab.eng.pnq.redhat.com
dn: cn=ng,cn=compat, dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
objectClass: extensibleObject
cn: ng

3. Add hostgroup
# ipa hostgroup-add hostgrp1 --desc="host group1"
--------------------------
Added hostgroup "hostgrp1"
--------------------------
  Host-group: hostgrp1
  Description: host group1

4. Verify if netgroup info is automatically added to "cn=ng,cn=compat, dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com" suffix
# /usr/bin/ldapsearch -x -h localhost -D "cn=Directory Manager" -w Secret123 -b cn=ng,cn=compat,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com

# ng, compat, lab.eng.pnq.redhat.com
dn: cn=ng,cn=compat, dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
objectClass: extensibleObject
cn: ng

# hostgrp1, ng, compat, lab.eng.pnq.redhat.com
dn: cn=hostgrp1,cn=ng,cn=compat,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
objectClass: nisNetgroup
objectClass: top
cn: hostgrp1

5. Now, disable ipa-nis-manage

6. Check if netgroup info exists in "ng, compat, lab.eng.pnq.redhat.com"
Actual results:

# /usr/bin/ldapsearch -x -h localhost -D "cn=Directory Manager" -w Secret123 -b cn=ng,cn=compat,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com

# search result
search: 2
result: 32 No such object     <<<<<<<<<<<<<<<<<<
matchedDN: dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com

All netgroup data from cn=compat is removed.

Expected results:
Should not remove any existing data. 

Additional info:
1. Enabling ipa-nis-manage doesn't help.
2. This causes adding hostgroup to "ipa sudorule" to fail.
3. Also, affects SSSD while enumerating netgroups.
Comment 1 Rob Crittenden 2011-07-07 11:36:54 EDT
Note that no data is removed; we simply drop netgroup support from compat when nis is not enabled. cn=compat is just a different view of the data.

I don't think this is a bug. netgroup support in compat is only useful when you have the nis server enabled AFAIK.
Comment 2 Stephen Gallagher 2011-07-07 11:44:49 EDT
That's incorrect. SSSD can only make use of netgroups stored in the standard schema right now, so we rely on the compat tree to use netgroups with FreeIPA.

We have upstream ticket https://fedorahosted.org/sssd/ticket/793 open to address this.
Comment 3 Gowrishankar Rajaiyan 2011-07-07 12:12:26 EDT
(In reply to comment #1)
> Note that no data is removed, we simply drop netgroup support from compat when
> nis is not enabled. cn=compat is just a different view of the data.
> 

"ipa-nis-manage enable" after step6 and then adding hostgroups does not create its corresponding private netgroups.
Comment 4 Dmitri Pal 2011-07-07 19:39:33 EDT
(In reply to comment #1)
> Note that no data is removed, we simply drop netgroup support from compat when
> nis is not enabled. cn=compat is just a different view of the data.
> 
> I don't think this is a bug. netgroup support in compat is only useful when you
> have the nis server enabled AFAIK.

This is unfortunately no longer correct.
The current implementation of SSSD relies on the compat tree for the netgroups.
Please create a ticket. I am giving ack.
Comment 5 Rob Crittenden 2011-07-12 14:21:31 EDT
https://fedorahosted.org/freeipa/ticket/1469
Comment 9 Rob Crittenden 2011-10-31 16:47:28 EDT
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Cause: Running ipa-nis-manage disable disables the NIS listener and also removes the netgroup compatibility suffix.
Consequence: If NIS is disabled then adding a host group will fail to automatically create a netgroup.
Fix: When NIS was disabled the tool was also disabling the automatic creation of netgroups when host groups were created. This code was removed.
Result: Disabling NIS has no effect on automatically creating netgroups when host groups are created.
Comment 10 Gowrishankar Rajaiyan 2011-11-02 01:50:56 EDT
[root@jetfire ~]# /usr/bin/ldapsearch -LLL -x -h localhost -D "cn=Directory Manager" -w Secret123 -b cn=ng,cn=compat,dc=testrelm 
dn: cn=ng,cn=compat, dc=testrelm
objectClass: extensibleObject
cn: ng


[root@jetfire ~]# ipa hostgroup-add hostgrp1 --desc="host group1"
--------------------------
Added hostgroup "hostgrp1"
--------------------------
  Host-group: hostgrp1
  Description: host group1
[root@jetfire ~]# 


[root@jetfire ~]# /usr/bin/ldapsearch -LLL -x -h localhost -D "cn=Directory Manager" -w Secret123 -b cn=ng,cn=compat,dc=testrelm 
dn: cn=ng,cn=compat, dc=testrelm
objectClass: extensibleObject
cn: ng

dn: cn=hostgrp1,cn=ng,cn=compat,dc=testrelm
objectClass: nisNetgroup
objectClass: top
cn: hostgrp1
[root@jetfire ~]#


[root@jetfire ~]# ipa-nis-manage enable
Directory Manager password: 

Enabling plugin
Restarting IPA to initialize updates before performing deletes:
  [1/2]: stopping directory server
  [2/2]: starting directory server
done configuring dirsrv.
This setting will not take effect until you restart Directory Server.
The rpcbind service may need to be started.
[root@jetfire ~]# 
[root@jetfire ~]# 
[root@jetfire ~]# ipactl restart
Restarting Directory Service
Shutting down dirsrv: 
    PKI-IPA...                                             [  OK  ]
    TESTRELM...                                            [  OK  ]
Starting dirsrv: 
    PKI-IPA...                                             [  OK  ]
    TESTRELM...                                            [  OK  ]
Restarting KDC Service
Stopping Kerberos 5 KDC:                                   [  OK  ]
Starting Kerberos 5 KDC:                                   [  OK  ]
Restarting KPASSWD Service
Shutting down ipa_kpasswd:                                 [  OK  ]
Starting ipa_kpasswd:                                      [  OK  ]
Restarting DNS Service
Stopping named: .                                          [  OK  ]
Starting named:                                            [  OK  ]
Restarting HTTP Service
Stopping httpd:                                            [  OK  ]
Starting httpd: [Wed Nov 02 01:43:44 2011] [warn] worker ajp://localhost:9447/ already used by another worker
[Wed Nov 02 01:43:44 2011] [warn] worker ajp://localhost:9447/ already used by another worker
                                                           [  OK  ]
Restarting CA Service
Stopping pki-ca:                                           [  OK  ]
Starting pki-ca:                                           [  OK  ]
[root@jetfire ~]# 
[root@jetfire ~]# 


[root@jetfire ~]# ipa-nis-manage disable
Directory Manager password: 

This setting will not take effect until you restart Directory Server.
[root@jetfire ~]# 


[root@jetfire ~]# ipactl restart
Restarting Directory Service
Shutting down dirsrv: 
    PKI-IPA...                                             [  OK  ]
    TESTRELM...                                            [  OK  ]
Starting dirsrv: 
    PKI-IPA...                                             [  OK  ]
    TESTRELM...                                            [  OK  ]
Restarting KDC Service
Stopping Kerberos 5 KDC:                                   [  OK  ]
Starting Kerberos 5 KDC:                                   [  OK  ]
Restarting KPASSWD Service
Shutting down ipa_kpasswd:                                 [  OK  ]
Starting ipa_kpasswd:                                      [  OK  ]
Restarting DNS Service
Stopping named: .                                          [  OK  ]
Starting named:                                            [  OK  ]
Restarting HTTP Service
Stopping httpd:                                            [  OK  ]
Starting httpd: [Wed Nov 02 01:45:08 2011] [warn] worker ajp://localhost:9447/ already used by another worker
[Wed Nov 02 01:45:08 2011] [warn] worker ajp://localhost:9447/ already used by another worker
                                                           [  OK  ]
Restarting CA Service
Stopping pki-ca:                                           [  OK  ]
Starting pki-ca:                                           [  OK  ]



[root@jetfire ~]# /usr/bin/ldapsearch -LLL -x -h localhost -D "cn=Directory Manager" -w Secret123 -b cn=ng,cn=compat,dc=testrelm 
dn: cn=ng,cn=compat, dc=testrelm
objectClass: extensibleObject
cn: ng

dn: cn=hostgrp1,cn=ng,cn=compat,dc=testrelm
objectClass: nisNetgroup
objectClass: top
cn: hostgrp1


[root@jetfire ~]# ipa hostgroup-add hostgrp2 --desc="host group2"
--------------------------
Added hostgroup "hostgrp2"
--------------------------
  Host-group: hostgrp2
  Description: host group2
[root@jetfire ~]# 


[root@jetfire ~]# /usr/bin/ldapsearch -LLL -x -h localhost -D "cn=Directory Manager" -w Secret123 -b cn=ng,cn=compat,dc=testrelm 
dn: cn=ng,cn=compat, dc=testrelm
objectClass: extensibleObject
cn: ng

dn: cn=hostgrp2,cn=ng,cn=compat,dc=testrelm
objectClass: nisNetgroup
objectClass: top
cn: hostgrp2

dn: cn=hostgrp1,cn=ng,cn=compat,dc=testrelm
objectClass: nisNetgroup
objectClass: top
cn: hostgrp1

[root@jetfire ~]# 



Verified. Version: ipa-server-2.1.3-7.el6.x86_64
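The reproduction steps in the description and the verification run in comment 10 both check the same two things by eye: that the cn=ng,cn=compat container still answers (rather than returning "result: 32 No such object") and that every host group has a matching nisNetgroup entry under it. The shell checker below is an added example, not part of the bug report or of the ipa tools; it parses ldapsearch output fed to it on stdin, so it can be run against the live server or against saved output. The base DN, the host-group names and the use of a root-only password file with ldapsearch -y (instead of -w Secret123 on the command line, where the Directory Manager password lands in ps output and shell history) are assumptions about the operator's setup, not something the report prescribes.

```shell
#!/bin/sh
# Added example, not from the bug report or the ipa project: check the
# netgroup compat view after toggling ipa-nis-manage. Reads LDIF from stdin
# as printed by the ldapsearch commands in the report (default output mode,
# i.e. without -LLL, so the trailing "result: N ..." line is present).

# Normalise a DN for comparison: lowercase, no blanks after the commas.
# 389-ds prints the container as "cn=ng,cn=compat, dc=testrelm" with a
# stray space, so a byte-for-byte comparison would miss it.
norm_dn() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/, */,/g'
}

# Print the normalised DN of every entry in the LDIF on stdin, one per line.
# (Base64 "dn::" lines are not handled; the DNs on this page are plain.)
ldif_dns() {
    sed -n 's/^dn: *//p' | tr 'A-Z' 'a-z' | sed 's/, */,/g'
}

# Exit 0 if the LDIF on stdin contains an entry whose DN is $1.
ldif_has_dn() {
    ldif_dns | grep -qxF -- "$(norm_dn "$1")"
}

# Exit 0 if the LDIF on stdin carries the "No such object" result the report
# shows after ipa-nis-manage disable (LDAP result code 32).
ldif_no_such_object() {
    grep -q '^result: 32 '
}

# check_compat_netgroups BASEDN HOSTGROUP... < ldif
# Prints the name of every host group that has no
# cn=<name>,cn=ng,cn=compat,BASEDN entry. Exit status: 0 when every host
# group is covered, 2 when the container itself is gone, 1 otherwise.
check_compat_netgroups() {
    base=$1; shift
    ldif=$(cat)
    if printf '%s\n' "$ldif" | ldif_no_such_object; then
        echo "compat netgroup container cn=ng,cn=compat,$base is missing (LDAP result 32)" >&2
        return 2
    fi
    rc=0
    for hg in "$@"; do
        if ! printf '%s\n' "$ldif" | ldif_has_dn "cn=$hg,cn=ng,cn=compat,$base"; then
            echo "$hg"
            rc=1
        fi
    done
    return $rc
}

# Live use against the server from the report (assumed setup; not run here):
# the password file replaces -w Secret123 so the Directory Manager password
# never appears on the command line.
#   ldapsearch -x -h localhost -D "cn=Directory Manager" -y /root/.dm-pw \
#       -b "cn=ng,cn=compat,dc=testrelm" \
#     | check_compat_netgroups dc=testrelm hostgrp1 hostgrp2
```

Run after each ipa-nis-manage enable/disable and ipactl restart, listing the host groups you expect; a non-empty output or a status of 2 reproduces the failure the report describes. If you query with -LLL, as comment 10 does, the "result:" line is suppressed and the container check has nothing to match; in that mode rely on ldapsearch's own exit status instead, which is the LDAP result code (32 for No such object).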
Comment 11 errata-xmlrpc 2011-12-06 13:41:04 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2011-1533.html
