Red Hat Bugzilla – Bug 740830
Intermittently see "search criteria was not specific enough." while adding a hbacrule
Last modified: 2011-12-06 13:32:15 EST
Description of problem:
Occasionally we hit this issue while creating a hbacrule. The error message "search criteria was not specific" is displayed while adding a hbacrule. Not sure what triggered this; logging it as a bug to have it covered.

Version-Release number of selected component (if applicable):
ipa-server-2.1.1-4.el6.x86_64

How reproducible:
intermittently

Steps to Reproduce:
1. [root@kungfupanda ~]# ipa hbacrule-add kaleem
ipa: ERROR: The search criteria was not specific enough. Expected 1 and found 2.
2. Again, executing the same command shows:
[root@kungfupanda ~]# ipa hbacrule-add kaleem
ipa: ERROR: HBAC rule with name "kaleem" already exists

Actual results:
ipa: ERROR: The search criteria was not specific enough. Expected 1 and found 2.

Expected results:
rule should be added successfully if it doesn't exist.

Additional info:
[root@kungfupanda ~]# ipa -d hbacrule-add kaleem
ipa: DEBUG: importing all plugin modules in '/usr/lib/python2.6/site-packages/ipalib/plugins'...
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/aci.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/automember.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/automount.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/batch.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/cert.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/config.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/delegation.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/dns.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/group.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvc.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvcgroup.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbactest.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/host.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hostgroup.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/internal.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/kerberos.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/krbtpolicy.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/migration.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/misc.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/netgroup.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/passwd.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/permission.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/ping.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/privilege.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/pwpolicy.py'
ipa: DEBUG: args=klist -V
ipa: DEBUG: stdout=Kerberos 5 version 1.9
ipa: DEBUG: stderr=
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/role.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/selfservice.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/service.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmd.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmdgroup.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/user.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/virtual.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/xmlclient.py'
ipa: INFO: trying https://kungfupanda.lab.eng.pnq.redhat.com/ipa/xml
ipa: DEBUG: Created connection context.xmlclient
ipa: DEBUG: raw: hbacrule_add(u'kaleem', accessruletype=u'allow', all=False, raw=False, version=u'2.11')
ipa: DEBUG: hbacrule_add(u'kaleem', accessruletype=u'allow', all=False, raw=False, version=u'2.11')
ipa: INFO: Forwarding 'hbacrule_add' to server u'https://kungfupanda.lab.eng.pnq.redhat.com/ipa/xml'
ipa: DEBUG: NSSConnection init kungfupanda.lab.eng.pnq.redhat.com
ipa: DEBUG: connect_socket_family: host=kungfupanda.lab.eng.pnq.redhat.com port=443 family=PR_AF_INET
ipa: DEBUG: connecting: 10.65.201.78:443
ipa: DEBUG: auth_certificate_callback: check_sig=True is_server=False
Data:
    Version: 3 (0x2)
    Serial Number: 10 (0xa)
    Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
    Issuer: CN=Certificate Authority,O=LAB.ENG.PNQ.REDHAT.COM
    Validity:
        Not Before: Thu Sep 22 05:17:03 2011 UTC
        Not After : Sun Sep 22 05:17:03 2013 UTC
    Subject: CN=kungfupanda.lab.eng.pnq.redhat.com,O=LAB.ENG.PNQ.REDHAT.COM
    Subject Public Key Info:
        Public Key Algorithm: PKCS #1 RSA Encryption
        RSA Public Key:
            Modulus:
                ba:89:8c:98:00:39:23:e9:1a:d7:bd:c7:b7:68:20:de:
                bf:5f:ba:a0:e4:72:4a:88:dc:4e:d3:56:a7:bb:d0:51:
                7c:ef:40:59:82:b5:af:d5:98:56:47:23:a5:ed:1f:70:
                8e:f8:83:d9:a4:f3:12:9f:24:93:e3:b2:a2:46:0e:06:
                00:e5:bb:f3:d8:e9:af:db:78:1b:3d:aa:e5:c0:c0:97:
                ac:2c:0a:07:ee:36:50:86:3f:7c:47:8f:ab:83:70:b8:
                ec:ad:a0:e6:6e:fe:ca:8a:03:ed:bf:c9:ad:2a:93:11:
                87:d1:54:02:cb:ec:56:87:33:6f:ac:85:ec:ac:83:70:
                86:3a:73:37:f2:13:3a:27:a6:84:0f:9a:a2:ad:5d:ca:
                34:fb:ff:ea:dd:79:ab:23:2e:19:d7:26:43:3f:bb:dd:
                17:a1:6a:2e:6d:ec:76:db:62:3a:24:22:78:70:c6:68:
                44:a2:eb:78:0a:66:38:65:1b:18:bb:f3:d8:22:43:f6:
                01:62:c4:4d:aa:ec:36:b3:43:fa:be:7d:c1:99:e9:29:
                d3:d6:ee:61:c2:1a:27:86:cb:66:24:24:04:59:8e:75:
                54:cf:d6:d0:c5:c9:4d:c6:9f:9b:df:4b:0c:c4:5e:66:
                3b:5e:7e:9e:b0:a4:3c:eb:67:04:fc:2c:32:c6:97:01
            Exponent: 65537 (0x10001)
    Signed Extensions: (4)
        Name: Certificate Authority Key Identifier
        Critical: False
        Key ID:
            1e:52:7b:d3:e5:e7:94:03:df:68:6c:90:3e:10:cc:a1:
            86:07:9c:3e
        Serial Number: None
        General Names: [0 total]

        Name: Authority Information Access
        Critical: False

        Name: Certificate Key Usage
        Critical: True
        Usages:
            Digital Signature
            Non-Repudiation
            Key Encipherment
            Data Encipherment

        Name: Extended Key Usage
        Critical: False
        Usages:
            TLS Web Server Authentication Certificate
            TLS Web Client Authentication Certificate
    Fingerprint (MD5): 65:e6:70:dd:74:6a:80:34:7a:7d:2f:20:78:64:f7:e8
    Fingerprint (SHA1):
        13:ee:5b:e7:8c:7a:45:8e:d7:0e:ed:5f:26:89:80:41:
        66:a8:9d:ab
Signature:
    Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
    Signature Data:
        1c:52:82:c0:d0:d2:62:42:46:80:96:8d:4c:5e:aa:18:
        25:9a:65:51:1a:44:16:fe:6f:49:d2:41:59:9b:43:8d:
        36:01:60:3e:27:21:a4:d6:65:f4:46:dd:89:fa:ca:e6:
        d5:8b:7c:77:21:6f:11:3f:f9:ba:07:c8:fe:dd:cd:e0:
        44:09:c7:66:51:b0:30:e8:62:c6:95:63:dc:3f:99:03:
        a4:8c:9e:3b:f3:a9:3f:f3:6c:a2:ff:43:dd:41:fa:5e:
        8e:4e:a4:f5:0a:e4:9e:00:62:d0:5c:f7:33:60:8f:68:
        48:5a:63:01:40:5d:b1:bb:2e:15:b0:f0:f2:a2:28:88:
        3b:18:f9:ad:ad:b7:23:c8:69:4c:9e:ec:59:a9:e6:41:
        7b:bd:20:97:1b:3b:14:91:fe:53:79:b2:dc:0f:6e:70:
        aa:64:49:e2:2f:f4:03:67:33:ec:48:4a:b8:98:cf:01:
        28:10:6e:bb:27:7a:b9:4e:11:90:6c:91:77:82:f9:28:
        68:fe:d6:6e:f7:bd:43:02:aa:60:39:35:6e:c4:16:55:
        9f:e8:83:15:1e:27:93:5c:c2:fd:10:fd:5b:55:aa:89:
        f6:e1:ab:9e:8b:ef:72:4d:93:ee:73:15:17:e3:4d:28:
        2c:55:6b:9f:0f:5f:39:07:75:81:61:6c:dd:57:01:1e
ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer
ipa: DEBUG: cert valid True for "CN=kungfupanda.lab.eng.pnq.redhat.com,O=LAB.ENG.PNQ.REDHAT.COM"
ipa: DEBUG: handshake complete, peer = 10.65.201.78:443
ipa: DEBUG: Caught fault 4027 from server https://kungfupanda.lab.eng.pnq.redhat.com/ipa/xml: The search criteria was not specific enough. Expected 1 and found 2.
ipa: DEBUG: Destroyed connection context.xmlclient
ipa: ERROR: The search criteria was not specific enough. Expected 1 and found 2.
Upstream ticket: https://fedorahosted.org/freeipa/ticket/1864
Do you have users/hosts/groups or anything else named kaleem in your database?
or more specifically, you somehow seem to have two entries with the same krbprincipalname. Can you do a search for the principal of the user you were when you ran these (whose ticket you held)?
(In reply to comment #3)
> Do you have users/hosts/groups or anything else named kaleem in your database?

[root@kungfupanda ~]# ipa user-show kaleem
  User login: kaleem
  First name: Kaleemullah
  Last name: Siddiqui
  Home directory: /home/kaleem
  Login shell: /bin/sh
  UID: 19200016
  GID: 19200016
  Account disabled: False
  Keytab: True
  Password: True
  Member of groups: ipausers

[root@kungfupanda ~]# ipa group-show kaleem
  Group name: kaleem
  Description: User private group for kaleem
  GID: 19200016
(In reply to comment #4)
> or more specifically, you somehow seem to have two entries with the same
> krbprincipalname. Can you do a search for the principal of the user you were
> when you ran these (whose ticket you held)?

[root@kungfupanda ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@LAB.ENG.PNQ.REDHAT.COM

Valid starting     Expires            Service principal
09/26/11 05:47:58  09/27/11 05:47:56  krbtgt/LAB.ENG.PNQ.REDHAT.COM@LAB.ENG.PNQ.REDHAT.COM
09/26/11 05:48:00  09/27/11 05:47:56  HTTP/kungfupanda.lab.eng.pnq.redhat.com@LAB.ENG.PNQ.REDHAT.COM

[root@kungfupanda ~]# ipa hbacrule-add kaleem
ipa: ERROR: The search criteria was not specific enough. Expected 1 and found 2.
[root@kungfupanda ~]# ipa hbacrule-add kaleem
ipa: ERROR: HBAC rule with name "kaleem" already exists
[root@kungfupanda ~]# ipa hbacrule-show kaleem
  Rule name: kaleem
  Enabled: TRUE

[root@kungfupanda ~]# kadmin.local
Authenticating as principal admin/admin@LAB.ENG.PNQ.REDHAT.COM with password.
kadmin.local: listprincs
admin@LAB.ENG.PNQ.REDHAT.COM
dogtagldap/kungfupanda.lab.eng.pnq.redhat.com@LAB.ENG.PNQ.REDHAT.COM
K/M@LAB.ENG.PNQ.REDHAT.COM
krbtgt/LAB.ENG.PNQ.REDHAT.COM@LAB.ENG.PNQ.REDHAT.COM
kadmin/admin@LAB.ENG.PNQ.REDHAT.COM
kadmin/changepw@LAB.ENG.PNQ.REDHAT.COM
kadmin/history@LAB.ENG.PNQ.REDHAT.COM
kadmin/kungfupanda.lab.eng.pnq.redhat.com@LAB.ENG.PNQ.REDHAT.COM
ldap/kungfupanda.lab.eng.pnq.redhat.com@LAB.ENG.PNQ.REDHAT.COM
host/kungfupanda.lab.eng.pnq.redhat.com@LAB.ENG.PNQ.REDHAT.COM
HTTP/kungfupanda.lab.eng.pnq.redhat.com@LAB.ENG.PNQ.REDHAT.COM
host/cavenger.lab.eng.pnq.redhat.com@LAB.ENG.PNQ.REDHAT.COM
host/decepticons.lab.eng.pnq.redhat.com@LAB.ENG.PNQ.REDHAT.COM
host/longhaul.lab.eng.pnq.redhat.com@LAB.ENG.PNQ.REDHAT.COM
host/ravage.lab.eng.pnq.redhat.com@LAB.ENG.PNQ.REDHAT.COM
host/scroponok.lab.eng.pnq.redhat.com@LAB.ENG.PNQ.REDHAT.COM
test1@LAB.ENG.PNQ.REDHAT.COM
nirtest1@LAB.ENG.PNQ.REDHAT.COM
nirtest2@LAB.ENG.PNQ.REDHAT.COM
nc@LAB.ENG.PNQ.REDHAT.COM
host/jetfire.lab.eng.pnq.redhat.com@LAB.ENG.PNQ.REDHAT.COM
ipauser1@LAB.ENG.PNQ.REDHAT.COM
jfireuser1@LAB.ENG.PNQ.REDHAT.COM
ipauser2@LAB.ENG.PNQ.REDHAT.COM
peter@LAB.ENG.PNQ.REDHAT.COM
paul@LAB.ENG.PNQ.REDHAT.COM
kaushik@LAB.ENG.PNQ.REDHAT.COM
mary@LAB.ENG.PNQ.REDHAT.COM
kaleem@LAB.ENG.PNQ.REDHAT.COM
sghai@LAB.ENG.PNQ.REDHAT.COM
jon@LAB.ENG.PNQ.REDHAT.COM
sam@LAB.ENG.PNQ.REDHAT.COM
kash@LAB.ENG.PNQ.REDHAT.COM
ramesh@LAB.ENG.PNQ.REDHAT.COM
shanks@LAB.ENG.PNQ.REDHAT.COM
kadmin.local:
Ok, still doesn't quite show what is going on. Can you provide a snippet of the 389-ds access log that shows the queries that were done while creating the rule? I need to see what query is returning two entries when we expect only one.
/var/log/dirsrv/slapd-LAB-ENG-PNQ-REDHAT-COM/access:

[27/Sep/2011:05:31:40 +051800] conn=7 op=884 SRCH base="dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=krbtgt/LAB.ENG.PNQ.REDHAT.COM@LAB.ENG.PNQ.REDHAT.COM))" attrs="krbPrincipalName krbCanonicalName objectClass krbPrincipalKey krbMaxRenewableAge krbMaxTicketLife krbTicketFlags krbPrincipalExpiration krbTicketPolicyReference krbUPEnabled krbPwdPolicyReference krbPasswordExpiration krbLastFailedAuth krbLoginFailedCount krbLastSuccessfulAuth nsAccountLock krbLastPwdChange krbLastAdminUnlock krbExtraData krbObjectReferences krballowedtodelegateto"
[27/Sep/2011:05:31:40 +051800] conn=7 op=884 RESULT err=0 tag=101 nentries=1 etime=0
[27/Sep/2011:05:31:40 +051800] conn=7 op=885 SRCH base="dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=krbtgt/LAB.ENG.PNQ.REDHAT.COM@LAB.ENG.PNQ.REDHAT.COM))" attrs="krbPrincipalName krbCanonicalName objectClass krbPrincipalKey krbMaxRenewableAge krbMaxTicketLife krbTicketFlags krbPrincipalExpiration krbTicketPolicyReference krbUPEnabled krbPwdPolicyReference krbPasswordExpiration krbLastFailedAuth krbLoginFailedCount krbLastSuccessfulAuth nsAccountLock krbLastPwdChange krbLastAdminUnlock krbExtraData krbObjectReferences krballowedtodelegateto"
[27/Sep/2011:05:31:40 +051800] conn=7 op=885 RESULT err=0 tag=101 nentries=1 etime=0
[27/Sep/2011:05:31:40 +051800] conn=7 op=886 SRCH base="dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=admin@LAB.ENG.PNQ.REDHAT.COM))" attrs="krbPrincipalName krbCanonicalName objectClass krbPrincipalKey krbMaxRenewableAge krbMaxTicketLife krbTicketFlags krbPrincipalExpiration krbTicketPolicyReference krbUPEnabled krbPwdPolicyReference krbPasswordExpiration krbLastFailedAuth krbLoginFailedCount krbLastSuccessfulAuth nsAccountLock krbLastPwdChange krbLastAdminUnlock krbExtraData krbObjectReferences krballowedtodelegateto"
[27/Sep/2011:05:31:40 +051800] conn=7 op=886 RESULT err=0 tag=101 nentries=1 etime=0
[27/Sep/2011:05:31:40 +051800] conn=7 op=887 SRCH base="dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=krbtgt/LAB.ENG.PNQ.REDHAT.COM@LAB.ENG.PNQ.REDHAT.COM))" attrs="krbPrincipalName krbCanonicalName objectClass krbPrincipalKey krbMaxRenewableAge krbMaxTicketLife krbTicketFlags krbPrincipalExpiration krbTicketPolicyReference krbUPEnabled krbPwdPolicyReference krbPasswordExpiration krbLastFailedAuth krbLoginFailedCount krbLastSuccessfulAuth nsAccountLock krbLastPwdChange krbLastAdminUnlock krbExtraData krbObjectReferences krballowedtodelegateto"
[27/Sep/2011:05:31:40 +051800] conn=7 op=887 RESULT err=0 tag=101 nentries=1 etime=0
[27/Sep/2011:05:31:40 +051800] conn=7 op=888 SRCH base="dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=krbtgt/LAB.ENG.PNQ.REDHAT.COM@LAB.ENG.PNQ.REDHAT.COM))" attrs="krbPrincipalName krbCanonicalName objectClass krbPrincipalKey krbMaxRenewableAge krbMaxTicketLife krbTicketFlags krbPrincipalExpiration krbTicketPolicyReference krbUPEnabled krbPwdPolicyReference krbPasswordExpiration krbLastFailedAuth krbLoginFailedCount krbLastSuccessfulAuth nsAccountLock krbLastPwdChange krbLastAdminUnlock krbExtraData krbObjectReferences krballowedtodelegateto"
[27/Sep/2011:05:31:40 +051800] conn=7 op=888 RESULT err=0 tag=101 nentries=1 etime=0
[27/Sep/2011:05:31:40 +051800] conn=7 op=889 SRCH base="dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=admin@LAB.ENG.PNQ.REDHAT.COM))" attrs="krbPrincipalName krbCanonicalName objectClass krbPrincipalKey krbMaxRenewableAge krbMaxTicketLife krbTicketFlags krbPrincipalExpiration krbTicketPolicyReference krbUPEnabled krbPwdPolicyReference krbPasswordExpiration krbLastFailedAuth krbLoginFailedCount krbLastSuccessfulAuth nsAccountLock krbLastPwdChange krbLastAdminUnlock krbExtraData krbObjectReferences krballowedtodelegateto"
[27/Sep/2011:05:31:40 +051800] conn=7 op=889 RESULT err=0 tag=101 nentries=1 etime=0
[27/Sep/2011:05:31:40 +051800] conn=7 op=890 SRCH base="dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=krbtgt/LAB.ENG.PNQ.REDHAT.COM@LAB.ENG.PNQ.REDHAT.COM))" attrs="krbPrincipalName krbCanonicalName objectClass krbPrincipalKey krbMaxRenewableAge krbMaxTicketLife krbTicketFlags krbPrincipalExpiration krbTicketPolicyReference krbUPEnabled krbPwdPolicyReference krbPasswordExpiration krbLastFailedAuth krbLoginFailedCount krbLastSuccessfulAuth nsAccountLock krbLastPwdChange krbLastAdminUnlock krbExtraData krbObjectReferences krballowedtodelegateto"
[27/Sep/2011:05:31:40 +051800] conn=7 op=890 RESULT err=0 tag=101 nentries=1 etime=0
[27/Sep/2011:05:31:40 +051800] conn=7 op=891 SRCH base="dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=krbtgt/LAB.ENG.PNQ.REDHAT.COM@LAB.ENG.PNQ.REDHAT.COM))" attrs="krbPrincipalName krbCanonicalName objectClass krbPrincipalKey krbMaxRenewableAge krbMaxTicketLife krbTicketFlags krbPrincipalExpiration krbTicketPolicyReference krbUPEnabled krbPwdPolicyReference krbPasswordExpiration krbLastFailedAuth krbLoginFailedCount krbLastSuccessfulAuth nsAccountLock krbLastPwdChange krbLastAdminUnlock krbExtraData krbObjectReferences krballowedtodelegateto"
[27/Sep/2011:05:31:40 +051800] conn=7 op=891 RESULT err=0 tag=101 nentries=1 etime=0
[27/Sep/2011:05:31:40 +051800] conn=7 op=892 SRCH base="dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=admin@LAB.ENG.PNQ.REDHAT.COM))" attrs="krbPrincipalName krbCanonicalName objectClass krbPrincipalKey krbMaxRenewableAge krbMaxTicketLife krbTicketFlags krbPrincipalExpiration krbTicketPolicyReference krbUPEnabled krbPwdPolicyReference krbPasswordExpiration krbLastFailedAuth krbLoginFailedCount krbLastSuccessfulAuth nsAccountLock krbLastPwdChange krbLastAdminUnlock krbExtraData krbObjectReferences krballowedtodelegateto"
[27/Sep/2011:05:31:40 +051800] conn=7 op=892 RESULT err=0 tag=101 nentries=1 etime=0
[27/Sep/2011:05:31:40 +051800] conn=95 fd=70 slot=70 connection from 10.65.201.78 to 10.65.201.78
[27/Sep/2011:05:31:40 +051800] conn=7 op=893 SRCH base="dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=krbtgt/LAB.ENG.PNQ.REDHAT.COM@LAB.ENG.PNQ.REDHAT.COM))" attrs="krbPrincipalName krbCanonicalName objectClass krbPrincipalKey krbMaxRenewableAge krbMaxTicketLife krbTicketFlags krbPrincipalExpiration krbTicketPolicyReference krbUPEnabled krbPwdPolicyReference krbPasswordExpiration krbLastFailedAuth krbLoginFailedCount krbLastSuccessfulAuth nsAccountLock krbLastPwdChange krbLastAdminUnlock krbExtraData krbObjectReferences krballowedtodelegateto"
[27/Sep/2011:05:31:40 +051800] conn=7 op=893 RESULT err=0 tag=101 nentries=1 etime=0
[27/Sep/2011:05:31:40 +051800] conn=7 op=894 SRCH base="dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=ldap/kungfupanda.lab.eng.pnq.redhat.com@LAB.ENG.PNQ.REDHAT.COM))" attrs="krbPrincipalName krbCanonicalName objectClass krbPrincipalKey krbMaxRenewableAge krbMaxTicketLife krbTicketFlags krbPrincipalExpiration krbTicketPolicyReference krbUPEnabled krbPwdPolicyReference krbPasswordExpiration krbLastFailedAuth krbLoginFailedCount krbLastSuccessfulAuth nsAccountLock krbLastPwdChange krbLastAdminUnlock krbExtraData krbObjectReferences krballowedtodelegateto"
[27/Sep/2011:05:31:40 +051800] conn=7 op=894 RESULT err=0 tag=101 nentries=1 etime=0
[27/Sep/2011:05:31:40 +051800] conn=7 op=895 SRCH base="dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=admin@LAB.ENG.PNQ.REDHAT.COM))" attrs="krbPrincipalName krbCanonicalName objectClass krbPrincipalKey krbMaxRenewableAge krbMaxTicketLife krbTicketFlags krbPrincipalExpiration krbTicketPolicyReference krbUPEnabled krbPwdPolicyReference krbPasswordExpiration krbLastFailedAuth krbLoginFailedCount krbLastSuccessfulAuth nsAccountLock krbLastPwdChange krbLastAdminUnlock krbExtraData krbObjectReferences krballowedtodelegateto"
[27/Sep/2011:05:31:40 +051800] conn=95 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[27/Sep/2011:05:31:40 +051800] conn=7 op=895 RESULT err=0 tag=101 nentries=1 etime=0
[27/Sep/2011:05:31:40 +051800] conn=95 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[27/Sep/2011:05:31:40 +051800] conn=95 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[27/Sep/2011:05:31:40 +051800] conn=95 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[27/Sep/2011:05:31:40 +051800] conn=95 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[27/Sep/2011:05:31:40 +051800] conn=95 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=admin,cn=users,cn=accounts,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com"
[27/Sep/2011:05:31:40 +051800] conn=95 op=3 SRCH base="cn=ipaconfig,cn=etc,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
[27/Sep/2011:05:31:40 +051800] conn=95 op=3 RESULT err=0 tag=101 nentries=1 etime=0
[27/Sep/2011:05:31:40 +051800] conn=95 op=4 SRCH base="cn=hbac,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com" scope=2 filter="(&(&(objectClass=ipaassociation)(objectClass=ipahbacrule))(cn=kaleem))" attrs=""
[27/Sep/2011:05:31:40 +051800] conn=95 op=4 RESULT err=0 tag=101 nentries=1 etime=0
[27/Sep/2011:05:31:40 +051800] conn=95 op=5 SRCH base="ipauniqueid=c2659ad6-e89b-11e0-b3aa-5254006c92b9,cn=hbac,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com" scope=1 filter="(objectClass=*)" attrs=""
[27/Sep/2011:05:31:40 +051800] conn=95 op=5 RESULT err=0 tag=101 nentries=0 etime=0 notes=U
[27/Sep/2011:05:31:40 +051800] conn=95 op=6 DEL dn="ipauniqueid=c2659ad6-e89b-11e0-b3aa-5254006c92b9,cn=hbac,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com"
[27/Sep/2011:05:31:40 +051800] conn=95 op=6 RESULT err=0 tag=107 nentries=0 etime=0 csn=4e8112640000ffff0000
[27/Sep/2011:05:31:40 +051800] conn=95 op=7 UNBIND
[27/Sep/2011:05:31:40 +051800] conn=95 op=7 fd=70 closed - U1
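As an added illustration (not part of this bug report or of FreeIPA), the following script pairs SRCH and RESULT records from a 389-ds access log on (conn, op) and lists the searches whose entry count is not the one a single-object lookup expects, which is what the previous comment asked to see. The first six sample records are copied from the log above; the last two, on conn=96, are constructed to stand in for the ambiguous cn=kaleem lookup this bug turned out to be about and did not appear in the posted log.

```python
import re
from typing import Dict, List

# Record shapes of the two 389-ds access-log lines this script pairs up:
#   [ts] conn=N op=M SRCH base="..." scope=S filter="..." attrs="..."
#   [ts] conn=N op=M RESULT err=E tag=T nentries=K etime=...
SRCH_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) SRCH '
    r'base="(?P<base>[^"]*)" scope=(?P<scope>\d) filter="(?P<filter>[^"]*)"'
)
RESULT_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT '
    r'err=(?P<err>\d+) tag=(?P<tag>\d+) nentries=(?P<nentries>\d+)'
)

# Sample records: the first six are taken from the access log in this bug; the
# last two (conn=96) are CONSTRUCTED to mimic the ambiguous lookup the bug
# describes: a subtree search under cn=hbac for cn=kaleem with no objectClass,
# which hits two entries.
SAMPLE_LOG_LINES = [
    '[27/Sep/2011:05:31:40 +051800] conn=95 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI',
    '[27/Sep/2011:05:31:40 +051800] conn=95 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress',
    '[27/Sep/2011:05:31:40 +051800] conn=95 op=4 SRCH base="cn=hbac,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com" scope=2 filter="(&(&(objectClass=ipaassociation)(objectClass=ipahbacrule))(cn=kaleem))" attrs=""',
    '[27/Sep/2011:05:31:40 +051800] conn=95 op=4 RESULT err=0 tag=101 nentries=1 etime=0',
    '[27/Sep/2011:05:31:40 +051800] conn=95 op=5 SRCH base="ipauniqueid=c2659ad6-e89b-11e0-b3aa-5254006c92b9,cn=hbac,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com" scope=1 filter="(objectClass=*)" attrs=""',
    '[27/Sep/2011:05:31:40 +051800] conn=95 op=5 RESULT err=0 tag=101 nentries=0 etime=0 notes=U',
    # constructed:
    '[27/Sep/2011:05:31:41 +051800] conn=96 op=3 SRCH base="cn=hbac,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com" scope=2 filter="(cn=kaleem)" attrs=""',
    '[27/Sep/2011:05:31:41 +051800] conn=96 op=3 RESULT err=0 tag=101 nentries=2 etime=0',
]


def pair_searches(lines: List[str]) -> List[Dict[str, object]]:
    """Join each SRCH with its RESULT on (conn, op); return one dict per search."""
    pending: Dict[tuple, Dict[str, object]] = {}
    completed: List[Dict[str, object]] = []
    for line in lines:
        m = SRCH_RE.match(line)
        if m:
            pending[(m.group('conn'), m.group('op'))] = {
                'conn': int(m.group('conn')), 'op': int(m.group('op')),
                'base': m.group('base'), 'scope': int(m.group('scope')),
                'filter': m.group('filter'),
            }
            continue
        m = RESULT_RE.match(line)
        if m:
            search = pending.pop((m.group('conn'), m.group('op')), None)
            if search is None:
                continue  # RESULT of a BIND/DEL/etc., not of a search: ignore
            search['err'] = int(m.group('err'))
            search['nentries'] = int(m.group('nentries'))
            completed.append(search)
    return completed


def unexpected_counts(lines: List[str], expected: int = 1) -> List[Dict[str, object]]:
    """Searches whose entry count differs from what the caller expected.

    A lookup that needs exactly one entry fails with 'Expected 1 and found N'
    when N != 1, so these records are the ones to inspect first.
    """
    return [s for s in pair_searches(lines) if s['nentries'] != expected]


if __name__ == '__main__':
    for s in unexpected_counts(SAMPLE_LOG_LINES):
        print(f"conn={s['conn']} op={s['op']} nentries={s['nentries']} "
              f"base={s['base']} scope={s['scope']} filter={s['filter']}")
```

Run against a real access log (one record per line, as restored above), the output narrows a "found 2" report to the exact filter and base that over-matched; in this bug that points at a subtree search from cn=hbac whose filter carries no objectClass.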
The problem here is that there is a "kaleem" hbacsvcgroup on the machine. When the LDAP object is searched in LDAPCreate so that it can be passed to POST_CALLBACK, it matches both hbacrule and hbacsvcgroup and crashes. Since hbacrules are not in their own container I will have to pass objectclass to the find_entry_by_attr call.
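To make the root cause in the previous comment concrete, here is an added, self-contained Python model of the lookup. It is not FreeIPA's code: the functions lookup_rule_ambiguous, lookup_rule_fixed, ldap_filter and the in-memory DIRECTORY are my own. The HBAC rule DN and its objectClasses are taken from the access log above; the service-group entry, its container cn=hbacservicegroups and its objectClasses are assumed for illustration. The pre-fix lookup searches the cn=hbac subtree for cn=<name> alone and so matches both the rule and the service group; the fixed one also requires the objectClass and matches only the rule.

```python
from typing import Dict, List, Optional

Entry = Dict[str, List[str]]

SUFFIX = "dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com"
HBAC_BASE = f"cn=hbac,{SUFFIX}"


class NotFound(Exception):
    """No entry matched the lookup."""


class SingleMatchExpected(Exception):
    """More than one entry matched a lookup that must yield exactly one."""

    def __init__(self, found: int) -> None:
        super().__init__(
            f"The search criteria was not specific enough. Expected 1 and found {found}.")
        self.found = found


# Constructed in-memory directory. The HBAC rule DN and its objectClasses come
# from the access log in this bug; the service-group entry (its container and
# objectClasses) and the second rule are ASSUMED for illustration.
DIRECTORY: Dict[str, Entry] = {
    f"ipauniqueid=c2659ad6-e89b-11e0-b3aa-5254006c92b9,{HBAC_BASE}": {
        "objectclass": ["ipaassociation", "ipahbacrule"],
        "cn": ["kaleem"],
        "accessruletype": ["allow"],
    },
    f"cn=kaleem,cn=hbacservicegroups,{HBAC_BASE}": {  # assumed container/classes
        "objectclass": ["ipahbacservicegroup", "groupofnames"],
        "cn": ["kaleem"],
    },
    f"ipauniqueid=00000000-0000-0000-0000-000000000001,{HBAC_BASE}": {  # constructed
        "objectclass": ["ipaassociation", "ipahbacrule"],
        "cn": ["allow_all"],
    },
}


def in_subtree(dn: str, base: str) -> bool:
    """True if dn is base itself or lies anywhere beneath it (scope=2 semantics)."""
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)


def ldap_filter(attr: str, value: str, object_class: Optional[str]) -> str:
    """The filter the lookup corresponds to, for comparison with the access log."""
    leaf = f"({attr}={value})"
    return f"(&(objectClass={object_class}){leaf})" if object_class else leaf


def find_entry_by_attr(attr: str, value: str, base_dn: str,
                       object_class: Optional[str] = None) -> str:
    """Subtree search for attr=value, optionally restricted to one objectClass.

    Returns the single matching DN; raises NotFound for zero hits and
    SingleMatchExpected for more than one, mirroring the error text in this bug.
    """
    matches: List[str] = []
    for dn, entry in DIRECTORY.items():
        if not in_subtree(dn, base_dn):
            continue
        if value.lower() not in (v.lower() for v in entry.get(attr.lower(), [])):
            continue
        if object_class and object_class.lower() not in (
                oc.lower() for oc in entry.get("objectclass", [])):
            continue
        matches.append(dn)
    if not matches:
        raise NotFound(f"{attr}={value} not found under {base_dn}")
    if len(matches) > 1:
        raise SingleMatchExpected(len(matches))
    return matches[0]


def lookup_rule_ambiguous(name: str) -> str:
    """Pre-fix lookup: attribute only, so any cn=<name> under cn=hbac matches."""
    return find_entry_by_attr("cn", name, HBAC_BASE)


def lookup_rule_fixed(name: str) -> str:
    """Post-fix lookup: the objectClass pins the search to HBAC rules."""
    return find_entry_by_attr("cn", name, HBAC_BASE, object_class="ipahbacrule")


if __name__ == "__main__":
    try:
        lookup_rule_ambiguous("kaleem")
    except SingleMatchExpected as exc:
        print("without objectClass:", exc)
    print("with objectClass:", lookup_rule_fixed("kaleem"))
```

The same model explains why the failure was intermittent: lookup_rule_ambiguous("allow_all") succeeds because only one entry under cn=hbac has that cn, so the error only surfaces for a rule name that some other object type in the same subtree also uses.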
Fixed upstream:
master: https://fedorahosted.org/freeipa/changeset/759ae9e2ef6ce9e4674177cb7892f0cc1c7186cd
ipa-2-1: https://fedorahosted.org/freeipa/changeset/7c884f1205916cca4c683b9ba8dd823d7f934aaa
How to reproduce and test:
1. ipa hbacsvcgroup-add foo --desc=bar
2. ipa hbacrule-add foo --desc=bar

After the fix, the second step should succeed without error.
[root@bumblebee ~]# ipa hbacsvcgroup-add foo --desc=bar
------------------------------
Added HBAC service group "foo"
------------------------------
  Service group name: foo
  Description: bar
[root@bumblebee ~]# ipa hbacrule-add foo --desc=bar
---------------------
Added HBAC rule "foo"
---------------------
  Rule name: foo
  Description: bar
  Enabled: TRUE
[root@bumblebee ~]#

Verified.

[root@bumblebee ~]# rpm -qi ipa-server
Name        : ipa-server                   Relocations: (not relocatable)
Version     : 2.1.2                             Vendor: Red Hat, Inc.
Release     : 2.el6                         Build Date: Fri 07 Oct 2011 05:09:04 PM EDT
Install Date: Sat 08 Oct 2011 07:36:33 AM EDT      Build Host: x86-001.build.bos.redhat.com
Group       : System Environment/Base       Source RPM: ipa-2.1.2-2.el6.src.rpm
Size        : 3363225                          License: GPLv3+
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://www.freeipa.org/
Summary     : The IPA authentication server
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Do not document
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2011-1533.html