Bug 740830 - Intermittently see "search criteria was not specific enough." while adding a hbacrule
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.2
Hardware: x86_64
OS: Linux
medium
unspecified
Target Milestone: rc
Assignee: Martin Kosek
QA Contact: IDM QE LIST
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2011-09-23 13:44 UTC by Gowrishankar Rajaiyan
Modified: 2011-12-06 18:32 UTC (History)

Fixed In Version: ipa-2.1.2-1.el6
Doc Type: Bug Fix
Doc Text:
Do not document
Clone Of:
Environment:
Last Closed: 2011-12-06 18:32:15 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2011:1533 0 normal SHIPPED_LIVE Moderate: ipa security and bug fix update 2011-12-06 01:23:31 UTC

Description Gowrishankar Rajaiyan 2011-09-23 13:44:12 UTC
Description of problem:
Occasionally we hit this issue while creating a hbacrule. The error message "search criteria was not specific" is displayed while adding a hbacrule. Not sure what triggered this, logging as a bug to have it covered.

Version-Release number of selected component (if applicable):
ipa-server-2.1.1-4.el6.x86_64

How reproducible:
intermittently

Steps to Reproduce:
1. [root@kungfupanda ~]# ipa hbacrule-add kaleem
ipa: ERROR: The search criteria was not specific enough. Expected 1 and found 2.

2. Again, executing the same command shows:
[root@kungfupanda ~]# ipa hbacrule-add kaleem
ipa: ERROR: HBAC rule with name "kaleem" already exists
  
Actual results:
ipa: ERROR: The search criteria was not specific enough. Expected 1 and found 2.

Expected results:
Rule should be added successfully if it doesn't exist.

Additional info:

[root@kungfupanda ~]# ipa -d hbacrule-add kaleem
ipa: DEBUG: importing all plugin modules in '/usr/lib/python2.6/site-packages/ipalib/plugins'...
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/aci.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/automember.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/automount.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/batch.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/cert.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/config.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/delegation.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/dns.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/group.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvc.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvcgroup.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbactest.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/host.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hostgroup.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/internal.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/kerberos.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/krbtpolicy.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/migration.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/misc.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/netgroup.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/passwd.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/permission.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/ping.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/privilege.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/pwpolicy.py'
ipa: DEBUG: args=klist -V
ipa: DEBUG: stdout=Kerberos 5 version 1.9

ipa: DEBUG: stderr=
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/role.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/selfservice.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/service.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmd.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmdgroup.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/user.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/virtual.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/xmlclient.py'
ipa: INFO: trying https://kungfupanda.lab.eng.pnq.redhat.com/ipa/xml
ipa: DEBUG: Created connection context.xmlclient
ipa: DEBUG: raw: hbacrule_add(u'kaleem', accessruletype=u'allow', all=False, raw=False, version=u'2.11')
ipa: DEBUG: hbacrule_add(u'kaleem', accessruletype=u'allow', all=False, raw=False, version=u'2.11')
ipa: INFO: Forwarding 'hbacrule_add' to server u'https://kungfupanda.lab.eng.pnq.redhat.com/ipa/xml'
ipa: DEBUG: NSSConnection init kungfupanda.lab.eng.pnq.redhat.com
ipa: DEBUG: connect_socket_family: host=kungfupanda.lab.eng.pnq.redhat.com port=443 family=PR_AF_INET
ipa: DEBUG: connecting: 10.65.201.78:443
ipa: DEBUG: auth_certificate_callback: check_sig=True is_server=False
ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer
ipa: DEBUG: cert valid True for "CN=kungfupanda.lab.eng.pnq.redhat.com,O=LAB.ENG.PNQ.REDHAT.COM"
ipa: DEBUG: handshake complete, peer = 10.65.201.78:443
ipa: DEBUG: Caught fault 4027 from server https://kungfupanda.lab.eng.pnq.redhat.com/ipa/xml: The search criteria was not specific enough. Expected 1 and found 2.
ipa: DEBUG: Destroyed connection context.xmlclient
ipa: ERROR: The search criteria was not specific enough. Expected 1 and found 2.

Comment 2 Rob Crittenden 2011-09-23 17:47:00 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/1864

Comment 3 Rob Crittenden 2011-09-23 20:56:44 UTC
Do you have users/hosts/groups or anything else named kaleem in your database?

Comment 4 Rob Crittenden 2011-09-23 21:10:59 UTC
Or, more specifically, you somehow seem to have two entries with the same krbprincipalname. Can you do a search for the principal of the user you were when you ran these (whose ticket you held)?

Comment 5 Gowrishankar Rajaiyan 2011-09-26 06:10:36 UTC
(In reply to comment #3)
> Do you have users/hosts/groups or anything else named kaleem in your database?

[root@kungfupanda ~]# ipa user-show kaleem
  User login: kaleem
  First name: Kaleemullah
  Last name: Siddiqui
  Home directory: /home/kaleem
  Login shell: /bin/sh
  UID: 19200016
  GID: 19200016
  Account disabled: False
  Keytab: True
  Password: True
  Member of groups: ipausers
[root@kungfupanda ~]# ipa group-show kaleem
  Group name: kaleem
  Description: User private group for kaleem
  GID: 19200016

Comment 6 Gowrishankar Rajaiyan 2011-09-26 07:02:40 UTC
(In reply to comment #4)
> or more specifically, you somehow seem to have two entries with the same
> krbprincipalname. Can you do a search for the principal of the user you were
> when you ran these (whose ticket you held)?

[root@kungfupanda ~]# klist 
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin.PNQ.REDHAT.COM

Valid starting     Expires            Service principal
09/26/11 05:47:58  09/27/11 05:47:56  krbtgt/LAB.ENG.PNQ.REDHAT.COM.PNQ.REDHAT.COM
09/26/11 05:48:00  09/27/11 05:47:56  HTTP/kungfupanda.lab.eng.pnq.redhat.com.PNQ.REDHAT.COM


[root@kungfupanda ~]# ipa hbacrule-add kaleem
ipa: ERROR: The search criteria was not specific enough. Expected 1 and found 2.


[root@kungfupanda ~]# ipa hbacrule-add kaleem
ipa: ERROR: HBAC rule with name "kaleem" already exists


[root@kungfupanda ~]# ipa hbacrule-show kaleem
  Rule name: kaleem
  Enabled: TRUE


[root@kungfupanda ~]# kadmin.local 
Authenticating as principal admin/admin.PNQ.REDHAT.COM with password.
kadmin.local:  listprincs 
admin.PNQ.REDHAT.COM
dogtagldap/kungfupanda.lab.eng.pnq.redhat.com.PNQ.REDHAT.COM
K/M.PNQ.REDHAT.COM
krbtgt/LAB.ENG.PNQ.REDHAT.COM.PNQ.REDHAT.COM
kadmin/admin.PNQ.REDHAT.COM
kadmin/changepw.PNQ.REDHAT.COM
kadmin/history.PNQ.REDHAT.COM
kadmin/kungfupanda.lab.eng.pnq.redhat.com.PNQ.REDHAT.COM
ldap/kungfupanda.lab.eng.pnq.redhat.com.PNQ.REDHAT.COM
host/kungfupanda.lab.eng.pnq.redhat.com.PNQ.REDHAT.COM
HTTP/kungfupanda.lab.eng.pnq.redhat.com.PNQ.REDHAT.COM
host/cavenger.lab.eng.pnq.redhat.com.PNQ.REDHAT.COM
host/decepticons.lab.eng.pnq.redhat.com.PNQ.REDHAT.COM
host/longhaul.lab.eng.pnq.redhat.com.PNQ.REDHAT.COM
host/ravage.lab.eng.pnq.redhat.com.PNQ.REDHAT.COM
host/scroponok.lab.eng.pnq.redhat.com.PNQ.REDHAT.COM
test1.PNQ.REDHAT.COM
nirtest1.PNQ.REDHAT.COM
nirtest2.PNQ.REDHAT.COM
nc.PNQ.REDHAT.COM
host/jetfire.lab.eng.pnq.redhat.com.PNQ.REDHAT.COM
ipauser1.PNQ.REDHAT.COM
jfireuser1.PNQ.REDHAT.COM
ipauser2.PNQ.REDHAT.COM
peter.PNQ.REDHAT.COM
paul.PNQ.REDHAT.COM
kaushik.PNQ.REDHAT.COM
mary.PNQ.REDHAT.COM
kaleem.PNQ.REDHAT.COM
sghai.PNQ.REDHAT.COM
jon.PNQ.REDHAT.COM
sam.PNQ.REDHAT.COM
kash.PNQ.REDHAT.COM
ramesh.PNQ.REDHAT.COM
shanks.PNQ.REDHAT.COM
kadmin.local:

Comment 7 Rob Crittenden 2011-09-27 02:32:32 UTC
Ok, still doesn't quite show what is going on. Can you provide a snippet of the 389-ds access log that shows the queries that were done while creating the rule? I need to see what query is returning two entries when we expect only one.

Comment 8 Gowrishankar Rajaiyan 2011-09-27 05:43:20 UTC
/var/log/dirsrv/slapd-LAB-ENG-PNQ-REDHAT-COM/access:

[27/Sep/2011:05:31:40 +051800] conn=7 op=884 SRCH base="dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=krbtgt/LAB.ENG.PNQ.REDHAT.COM.PNQ.REDHAT.COM))" attrs="krbPrincipalName krbCanonicalName objectClass krbPrincipalKey krbMaxRenewableAge krbMaxTicketLife krbTicketFlags krbPrincipalExpiration krbTicketPolicyReference krbUPEnabled krbPwdPolicyReference krbPasswordExpiration krbLastFailedAuth krbLoginFailedCount krbLastSuccessfulAuth nsAccountLock krbLastPwdChange krbLastAdminUnlock krbExtraData krbObjectReferences krballowedtodelegateto"
[27/Sep/2011:05:31:40 +051800] conn=7 op=884 RESULT err=0 tag=101 nentries=1 etime=0
[27/Sep/2011:05:31:40 +051800] conn=7 op=885 SRCH base="dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=krbtgt/LAB.ENG.PNQ.REDHAT.COM.PNQ.REDHAT.COM))" attrs="krbPrincipalName krbCanonicalName objectClass krbPrincipalKey krbMaxRenewableAge krbMaxTicketLife krbTicketFlags krbPrincipalExpiration krbTicketPolicyReference krbUPEnabled krbPwdPolicyReference krbPasswordExpiration krbLastFailedAuth krbLoginFailedCount krbLastSuccessfulAuth nsAccountLock krbLastPwdChange krbLastAdminUnlock krbExtraData krbObjectReferences krballowedtodelegateto"
[27/Sep/2011:05:31:40 +051800] conn=7 op=885 RESULT err=0 tag=101 nentries=1 etime=0
[27/Sep/2011:05:31:40 +051800] conn=7 op=886 SRCH base="dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=admin.PNQ.REDHAT.COM))" attrs="krbPrincipalName krbCanonicalName objectClass krbPrincipalKey krbMaxRenewableAge krbMaxTicketLife krbTicketFlags krbPrincipalExpiration krbTicketPolicyReference krbUPEnabled krbPwdPolicyReference krbPasswordExpiration krbLastFailedAuth krbLoginFailedCount krbLastSuccessfulAuth nsAccountLock krbLastPwdChange krbLastAdminUnlock krbExtraData krbObjectReferences krballowedtodelegateto"
[27/Sep/2011:05:31:40 +051800] conn=7 op=886 RESULT err=0 tag=101 nentries=1 etime=0
[27/Sep/2011:05:31:40 +051800] conn=7 op=887 SRCH base="dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=krbtgt/LAB.ENG.PNQ.REDHAT.COM.PNQ.REDHAT.COM))" attrs="krbPrincipalName krbCanonicalName objectClass krbPrincipalKey krbMaxRenewableAge krbMaxTicketLife krbTicketFlags krbPrincipalExpiration krbTicketPolicyReference krbUPEnabled krbPwdPolicyReference krbPasswordExpiration krbLastFailedAuth krbLoginFailedCount krbLastSuccessfulAuth nsAccountLock krbLastPwdChange krbLastAdminUnlock krbExtraData krbObjectReferences krballowedtodelegateto"
[27/Sep/2011:05:31:40 +051800] conn=7 op=887 RESULT err=0 tag=101 nentries=1 etime=0
[27/Sep/2011:05:31:40 +051800] conn=7 op=888 SRCH base="dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=krbtgt/LAB.ENG.PNQ.REDHAT.COM.PNQ.REDHAT.COM))" attrs="krbPrincipalName krbCanonicalName objectClass krbPrincipalKey krbMaxRenewableAge krbMaxTicketLife krbTicketFlags krbPrincipalExpiration krbTicketPolicyReference krbUPEnabled krbPwdPolicyReference krbPasswordExpiration krbLastFailedAuth krbLoginFailedCount krbLastSuccessfulAuth nsAccountLock krbLastPwdChange krbLastAdminUnlock krbExtraData krbObjectReferences krballowedtodelegateto"
[27/Sep/2011:05:31:40 +051800] conn=7 op=888 RESULT err=0 tag=101 nentries=1 etime=0
[27/Sep/2011:05:31:40 +051800] conn=7 op=889 SRCH base="dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=admin.PNQ.REDHAT.COM))" attrs="krbPrincipalName krbCanonicalName objectClass krbPrincipalKey krbMaxRenewableAge krbMaxTicketLife krbTicketFlags krbPrincipalExpiration krbTicketPolicyReference krbUPEnabled krbPwdPolicyReference krbPasswordExpiration krbLastFailedAuth krbLoginFailedCount krbLastSuccessfulAuth nsAccountLock krbLastPwdChange krbLastAdminUnlock krbExtraData krbObjectReferences krballowedtodelegateto"
[27/Sep/2011:05:31:40 +051800] conn=7 op=889 RESULT err=0 tag=101 nentries=1 etime=0
[27/Sep/2011:05:31:40 +051800] conn=7 op=890 SRCH base="dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=krbtgt/LAB.ENG.PNQ.REDHAT.COM.PNQ.REDHAT.COM))" attrs="krbPrincipalName krbCanonicalName objectClass krbPrincipalKey krbMaxRenewableAge krbMaxTicketLife krbTicketFlags krbPrincipalExpiration krbTicketPolicyReference krbUPEnabled krbPwdPolicyReference krbPasswordExpiration krbLastFailedAuth krbLoginFailedCount krbLastSuccessfulAuth nsAccountLock krbLastPwdChange krbLastAdminUnlock krbExtraData krbObjectReferences krballowedtodelegateto"
[27/Sep/2011:05:31:40 +051800] conn=7 op=890 RESULT err=0 tag=101 nentries=1 etime=0
[27/Sep/2011:05:31:40 +051800] conn=7 op=891 SRCH base="dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=krbtgt/LAB.ENG.PNQ.REDHAT.COM.PNQ.REDHAT.COM))" attrs="krbPrincipalName krbCanonicalName objectClass krbPrincipalKey krbMaxRenewableAge krbMaxTicketLife krbTicketFlags krbPrincipalExpiration krbTicketPolicyReference krbUPEnabled krbPwdPolicyReference krbPasswordExpiration krbLastFailedAuth krbLoginFailedCount krbLastSuccessfulAuth nsAccountLock krbLastPwdChange krbLastAdminUnlock krbExtraData krbObjectReferences krballowedtodelegateto"
[27/Sep/2011:05:31:40 +051800] conn=7 op=891 RESULT err=0 tag=101 nentries=1 etime=0
[27/Sep/2011:05:31:40 +051800] conn=7 op=892 SRCH base="dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=admin.PNQ.REDHAT.COM))" attrs="krbPrincipalName krbCanonicalName objectClass krbPrincipalKey krbMaxRenewableAge krbMaxTicketLife krbTicketFlags krbPrincipalExpiration krbTicketPolicyReference krbUPEnabled krbPwdPolicyReference krbPasswordExpiration krbLastFailedAuth krbLoginFailedCount krbLastSuccessfulAuth nsAccountLock krbLastPwdChange krbLastAdminUnlock krbExtraData krbObjectReferences krballowedtodelegateto"
[27/Sep/2011:05:31:40 +051800] conn=7 op=892 RESULT err=0 tag=101 nentries=1 etime=0
[27/Sep/2011:05:31:40 +051800] conn=95 fd=70 slot=70 connection from 10.65.201.78 to 10.65.201.78
[27/Sep/2011:05:31:40 +051800] conn=7 op=893 SRCH base="dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=krbtgt/LAB.ENG.PNQ.REDHAT.COM.PNQ.REDHAT.COM))" attrs="krbPrincipalName krbCanonicalName objectClass krbPrincipalKey krbMaxRenewableAge krbMaxTicketLife krbTicketFlags krbPrincipalExpiration krbTicketPolicyReference krbUPEnabled krbPwdPolicyReference krbPasswordExpiration krbLastFailedAuth krbLoginFailedCount krbLastSuccessfulAuth nsAccountLock krbLastPwdChange krbLastAdminUnlock krbExtraData krbObjectReferences krballowedtodelegateto"
[27/Sep/2011:05:31:40 +051800] conn=7 op=893 RESULT err=0 tag=101 nentries=1 etime=0
[27/Sep/2011:05:31:40 +051800] conn=7 op=894 SRCH base="dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=ldap/kungfupanda.lab.eng.pnq.redhat.com.PNQ.REDHAT.COM))" attrs="krbPrincipalName krbCanonicalName objectClass krbPrincipalKey krbMaxRenewableAge krbMaxTicketLife krbTicketFlags krbPrincipalExpiration krbTicketPolicyReference krbUPEnabled krbPwdPolicyReference krbPasswordExpiration krbLastFailedAuth krbLoginFailedCount krbLastSuccessfulAuth nsAccountLock krbLastPwdChange krbLastAdminUnlock krbExtraData krbObjectReferences krballowedtodelegateto"
[27/Sep/2011:05:31:40 +051800] conn=7 op=894 RESULT err=0 tag=101 nentries=1 etime=0
[27/Sep/2011:05:31:40 +051800] conn=7 op=895 SRCH base="dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=admin.PNQ.REDHAT.COM))" attrs="krbPrincipalName krbCanonicalName objectClass krbPrincipalKey krbMaxRenewableAge krbMaxTicketLife krbTicketFlags krbPrincipalExpiration krbTicketPolicyReference krbUPEnabled krbPwdPolicyReference krbPasswordExpiration krbLastFailedAuth krbLoginFailedCount krbLastSuccessfulAuth nsAccountLock krbLastPwdChange krbLastAdminUnlock krbExtraData krbObjectReferences krballowedtodelegateto"
[27/Sep/2011:05:31:40 +051800] conn=95 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[27/Sep/2011:05:31:40 +051800] conn=7 op=895 RESULT err=0 tag=101 nentries=1 etime=0
[27/Sep/2011:05:31:40 +051800] conn=95 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[27/Sep/2011:05:31:40 +051800] conn=95 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[27/Sep/2011:05:31:40 +051800] conn=95 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[27/Sep/2011:05:31:40 +051800] conn=95 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[27/Sep/2011:05:31:40 +051800] conn=95 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=admin,cn=users,cn=accounts,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com"
[27/Sep/2011:05:31:40 +051800] conn=95 op=3 SRCH base="cn=ipaconfig,cn=etc,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
[27/Sep/2011:05:31:40 +051800] conn=95 op=3 RESULT err=0 tag=101 nentries=1 etime=0
[27/Sep/2011:05:31:40 +051800] conn=95 op=4 SRCH base="cn=hbac,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com" scope=2 filter="(&(&(objectClass=ipaassociation)(objectClass=ipahbacrule))(cn=kaleem))" attrs=""
[27/Sep/2011:05:31:40 +051800] conn=95 op=4 RESULT err=0 tag=101 nentries=1 etime=0
[27/Sep/2011:05:31:40 +051800] conn=95 op=5 SRCH base="ipauniqueid=c2659ad6-e89b-11e0-b3aa-5254006c92b9,cn=hbac,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com" scope=1 filter="(objectClass=*)" attrs=""
[27/Sep/2011:05:31:40 +051800] conn=95 op=5 RESULT err=0 tag=101 nentries=0 etime=0 notes=U
[27/Sep/2011:05:31:40 +051800] conn=95 op=6 DEL dn="ipauniqueid=c2659ad6-e89b-11e0-b3aa-5254006c92b9,cn=hbac,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com"
[27/Sep/2011:05:31:40 +051800] conn=95 op=6 RESULT err=0 tag=107 nentries=0 etime=0 csn=4e8112640000ffff0000
[27/Sep/2011:05:31:40 +051800] conn=95 op=7 UNBIND
[27/Sep/2011:05:31:40 +051800] conn=95 op=7 fd=70 closed - U1
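
One way to answer the question in comment 7 mechanically, as an added example that is not part of the original report: pair each SRCH line with its RESULT by conn/op and list the searches that returned more entries than expected. The sample log lines, the `dc=example,dc=com` suffix and the function name are constructed for this illustration.

```python
import re

# Constructed sample in the same layout as the 389-ds access log above.
# Operations from two connections are interleaved on purpose.
SAMPLE_LOG = """\
[27/Sep/2011:05:31:40 +0530] conn=95 op=3 SRCH base="cn=hbac,dc=example,dc=com" scope=2 filter="(&(objectClass=ipahbacrule)(cn=foo))" attrs=""
[27/Sep/2011:05:31:40 +0530] conn=95 op=3 RESULT err=0 tag=101 nentries=1 etime=0
[27/Sep/2011:05:31:40 +0530] conn=7 op=12 SRCH base="dc=example,dc=com" scope=2 filter="(krbPrincipalName=admin@EXAMPLE.COM)" attrs="krbPrincipalName"
[27/Sep/2011:05:31:40 +0530] conn=95 op=4 SRCH base="cn=hbac,dc=example,dc=com" scope=2 filter="(cn=foo)" attrs=""
[27/Sep/2011:05:31:40 +0530] conn=7 op=12 RESULT err=0 tag=101 nentries=1 etime=0
[27/Sep/2011:05:31:40 +0530] conn=95 op=4 RESULT err=0 tag=101 nentries=2 etime=0
[27/Sep/2011:05:31:40 +0530] conn=95 op=5 UNBIND
"""

SRCH_RE = re.compile(
    r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=(\d+) filter="([^"]*)"')
# tag=101 is the LDAP SearchResultDone response, i.e. the end of a search.
RESULT_RE = re.compile(
    r'conn=(\d+) op=(\d+) RESULT err=(\d+) tag=101 nentries=(\d+)')


def searches_over_expected(log_text, expected=1):
    """Return the searches whose RESULT reported more than `expected` entries.

    SRCH and RESULT lines are matched on (conn, op), so interleaved
    connections are handled correctly.
    """
    pending = {}   # (conn, op) -> search details, waiting for the RESULT line
    flagged = []
    for line in log_text.splitlines():
        m = SRCH_RE.search(line)
        if m:
            conn, op, base, scope, flt = m.groups()
            pending[(conn, op)] = {
                "conn": int(conn), "op": int(op),
                "base": base, "scope": int(scope), "filter": flt,
            }
            continue
        m = RESULT_RE.search(line)
        if m:
            conn, op, _err, nentries = m.groups()
            search = pending.pop((conn, op), None)
            if search is not None and int(nentries) > expected:
                flagged.append(dict(search, nentries=int(nentries)))
    return flagged


if __name__ == "__main__":
    for hit in searches_over_expected(SAMPLE_LOG):
        print("conn=%(conn)d op=%(op)d base=%(base)s filter=%(filter)s "
              "nentries=%(nentries)d" % hit)
```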

Comment 9 Martin Kosek 2011-09-30 08:24:00 UTC
The problem here is that there is a "kaleem" hbacsvcgroup on the machine. When the LDAP object is searched in LDAPCreate so that it can be passed to POST_CALLBACK, it matches both hbacrule and hbacsvcgroup and crashes.

Since hbacrules are not in their own container I will have to pass objectclass to the find_entry_by_attr call.

Comment 11 Martin Kosek 2011-09-30 10:28:26 UTC
How to reproduce and test:

1. ipa hbacsvcgroup-add foo --desc=bar
2. ipa hbacrule-add foo --desc=bar

After the fix, the second step should succeed without error.
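
The failure mode from comments 9 and 11, reproduced on a toy in-memory directory as an added example (not FreeIPA code, and not part of either comment): a name-only lookup under the shared HBAC container is ambiguous, and adding the object classes makes it unique. The DN layout, the `ipahbacservicegroup` object class and all function names are assumptions of this example; `ipaassociation` and `ipahbacrule` are the classes seen in the access log in comment 8.

```python
class NotSpecificEnough(Exception):
    """A lookup that must be unique matched more than one entry."""


# Constructed entries for a toy directory (assumed layout, see lead-in).
SUFFIX = "dc=example,dc=com"
HBAC_DN = "cn=hbac," + SUFFIX
RULE_DN = "ipauniqueid=00000000-0000-0000-0000-000000000001," + HBAC_DN
SVCGROUP_DN = "cn=foo,cn=hbacservicegroups," + HBAC_DN
DIRECTORY = {
    SVCGROUP_DN: {"objectclass": ["ipahbacservicegroup"], "cn": ["foo"]},
    RULE_DN: {"objectclass": ["ipaassociation", "ipahbacrule"], "cn": ["foo"]},
    # Same cn, but outside cn=hbac: must never match a search based there.
    "cn=foo,cn=groups,cn=accounts," + SUFFIX: {
        "objectclass": ["posixgroup"], "cn": ["foo"]},
}


def subtree_search(base_dn, attr, value, object_classes=()):
    """Return DNs at or below base_dn whose attr equals value
    (case-insensitive) and that carry every class in object_classes."""
    wanted = {oc.lower() for oc in object_classes}
    hits = []
    for dn, attrs in DIRECTORY.items():
        in_scope = dn == base_dn or dn.endswith("," + base_dn)
        values = {v.lower() for v in attrs.get(attr, [])}
        classes = {oc.lower() for oc in attrs["objectclass"]}
        if in_scope and value.lower() in values and wanted <= classes:
            hits.append(dn)
    return sorted(hits)


def find_one(base_dn, attr, value, object_classes=()):
    """Return the single matching DN; refuse to guess when there are several."""
    hits = subtree_search(base_dn, attr, value, object_classes)
    if not hits:
        raise LookupError("no such entry")
    if len(hits) > 1:
        raise NotSpecificEnough(
            "The search criteria was not specific enough. "
            "Expected 1 and found %d." % len(hits))
    return hits[0]


def lookup_rule_by_name_only(name):
    # Ambiguous: the rule and the service group share cn and container.
    return find_one(HBAC_DN, "cn", name)


def lookup_rule_with_object_class(name):
    # Unambiguous: only HBAC rule entries carry both object classes.
    return find_one(HBAC_DN, "cn", name, ("ipaassociation", "ipahbacrule"))


def outcome(lookup, name):
    """Run a lookup and return either the DN or the error text."""
    try:
        return lookup(name)
    except (LookupError, NotSpecificEnough) as exc:
        return "ERROR: %s" % exc


if __name__ == "__main__":
    print(outcome(lookup_rule_by_name_only, "foo"))
    print(outcome(lookup_rule_with_object_class, "foo"))
```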

Comment 14 Gowrishankar Rajaiyan 2011-10-08 05:47:23 UTC
[root@bumblebee ~]# ipa hbacsvcgroup-add foo --desc=bar
------------------------------
Added HBAC service group "foo"
------------------------------
  Service group name: foo
  Description: bar
[root@bumblebee ~]# ipa hbacrule-add foo --desc=bar
---------------------
Added HBAC rule "foo"
---------------------
  Rule name: foo
  Description: bar
  Enabled: TRUE
[root@bumblebee ~]# 


Verified.
[root@bumblebee ~]# rpm -qi ipa-server
Name        : ipa-server                   Relocations: (not relocatable)
Version     : 2.1.2                             Vendor: Red Hat, Inc.
Release     : 2.el6                         Build Date: Fri 07 Oct 2011 05:09:04 PM EDT
Install Date: Sat 08 Oct 2011 07:36:33 AM EDT      Build Host: x86-001.build.bos.redhat.com
Group       : System Environment/Base       Source RPM: ipa-2.1.2-2.el6.src.rpm
Size        : 3363225                          License: GPLv3+
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://www.freeipa.org/
Summary     : The IPA authentication server

Comment 16 Martin Kosek 2011-11-01 09:16:38 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Do not document

Comment 17 errata-xmlrpc 2011-12-06 18:32:15 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2011-1533.html

