+++ This bug was initially created as a clone of Bug #770952 +++

Description of problem:
When you create an NIS netgroup named +(hostgroup), 389 crashes and then crashes on startup (last log item is a note about database recovery).

Version-Release number of selected component (if applicable):
2.1.4-3.fc16.x86_64 (from updates-testing as of 2011-12-29)

How reproducible:
Haven't tried on a test setup, consistently crashed, however.

Steps to Reproduce:
1. Create a hostgroup "buildserv"
2. Add a server to it
3. Create a sudo command-group "software-install" that mirrors the standard SOFTWARE cmnd_alias.
4. Create a sudo rule "developers_buildserv" which allows members of the "developers" group to run software on the host named "+buildserv"
5. Create an NIS netgroup "+buildserv"

Actual results:
389 crashes, crashes again when restarting.

Expected results:
The server refuses to create +buildserv, lets you know you're doing something dumb.

Additional info:
The corrective action was:
1. Use db2ldif to dump the database to LDIF
2. Manually edit the dump to rename the "buildserv" netgroup
3. Re-import with ldif2db
4. Delete the host group
5. Delete the netgroup
6. Re-add the host group.
Upstream ticket: https://fedorahosted.org/freeipa/ticket/2221
Allowed characters are a-z, 0-9, -, _ and .
Also restricting hostgroup names with same list.

Fixed upstream
master: 7d7322de2eb0de61ea917d03662452d3efa4c834
ipa-2-2: 85462d063453f8614b63eddbba568fed034b0037
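An added example, not FreeIPA's code and not part of the original report: a pre-upgrade audit that scans a db2ldif dump for netgroup or hostgroup entries whose name falls outside the character set listed above, so they can be renamed before the NIS plugin processes them. The object class names, the acceptance of upper-case letters and the sample records are assumptions made for this sketch.

```python
import base64
import re

# Character set from the comment above: a-z, 0-9, '-', '_' and '.'.
# Assumption: upper-case letters also pass (the CLI error says "letters").
NAME_RE = re.compile(r"[A-Za-z0-9_.-]+")
# Assumption: object classes that mark netgroup and hostgroup entries.
GROUP_CLASSES = {"ipanisnetgroup", "ipahostgroup"}

def valid_name(name):
    return NAME_RE.fullmatch(name) is not None  # empty names fail too

def parse_ldif(text):
    """Yield one {attr: [values]} dict per LDIF record."""
    unfolded = re.sub(r"\n ", "", text)  # undo LDIF line folding
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            attr, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: " marks a base64 value
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            entry.setdefault(attr.lower(), []).append(value.strip())
        yield entry

def audit(text):
    """Return (dn, cn) pairs for group entries whose cn breaks the rule."""
    bad = []
    for entry in parse_ldif(text):
        classes = {c.lower() for c in entry.get("objectclass", [])}
        if classes & GROUP_CLASSES:
            dn = entry.get("dn", ["?"])[0]
            bad += [(dn, cn) for cn in entry.get("cn", []) if not valid_name(cn)]
    return bad

# Constructed sample dump, not taken from the bug report.
SAMPLE = """\
dn: cn=buildserv,cn=hostgroups,cn=accounts,dc=example,dc=com
objectClass: ipahostgroup
cn: buildserv

dn: ipaUniqueID=0001,cn=ng,cn=alt,dc=example,dc=com
objectClass: ipanisnetgroup
cn: +buildserv

dn: ipaUniqueID=0002,cn=ng,cn=alt,dc=example,dc=com
objectClass: ipaNISNetgroup
cn:: K2VuY29kZWQ=
"""
```

The third record carries its name base64-encoded, which a plain text search for "cn: +" over the dump would miss.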
Verified.

Version :: ipa-server-2.2.0-4.el6.x86_64

Automated Test Results ::

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: netgroup_bz_772043: Adding a netgroup with a + in the name that overlaps hostgroup causes crash
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [ PASS ] :: Running 'ipa netgroup-add +badtestnetgroup --desc=netgroup_with_plus_kills_dirsrv > /netgroup_bz_772043.29569.out 2>&1'
:: [ PASS ] :: BZ 772043 not found...fix is in place for ipa command
:: [ PASS ] :: Running 'ipactl status > /netgroup_bz_772043.29569.out 2>&1'
:: [ LOG ] :: Duration: 5s
:: [ LOG ] :: Assertions: 3 good, 0 bad
:: [ PASS ] :: RESULT: netgroup_bz_772043: Adding a netgroup with a + in the name that overlaps hostgroup causes crash

Manual Test Results ::

[root@hp-xw6600-01 ipa-netgroup-cli]# ipa-compat-manage status
Directory Manager password:

Plugin Enabled
[root@hp-xw6600-01 ipa-netgroup-cli]# ipa netgroup-add +badtestnetgroup --desc=netgroup_with_plus_kills_dirsrv
ipa: ERROR: invalid 'name': may only include letters, numbers, _, -, and .
[root@hp-xw6600-01 ipa-netgroup-cli]# ipactl status
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
DNS Service: RUNNING
MEMCACHE Service: RUNNING
HTTP Service: RUNNING
CA Service: RUNNING
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Cause: IPA netgroup plugin does not validate netgroup names.
Consequence: A netgroup with invalid name can be stored in LDAP server which may then crash when the invalid value is processed by NIS plugin.
Fix: IPA netgroup plugin enforces stricter validation for netgroup names.
Result: User cannot accidentally enter invalid netgroup and thus cause an LDAP server to crash because of NIS plugin processing.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2012-0819.html