Description of problem:
With the IPA NIS Listener enabled, I cannot see nested netgroups by running the ypcat command.

Nested/member netgroups appear to be stored in the member attribute:

    # test, ng, alt, example.com
    dn: cn=test,cn=ng,cn=alt,dc=example,dc=com
    objectClass: ipaobject
    objectClass: ipaassociation
    objectClass: ipanisnetgroup
    cn: test
    description: test
    nisDomainName: example.com
    ipaUniqueID: 7a5b95f4-51ca-11e1-8dcf-5254008ea76d
    member: cn=test1,cn=ng,cn=alt,dc=example,dc=com

    # test1, ng, alt, example.com
    dn: cn=test1,cn=ng,cn=alt,dc=example,dc=com
    objectClass: ipaobject
    objectClass: ipaassociation
    objectClass: ipanisnetgroup
    cn: test1
    description: test1
    nisDomainName: example.com
    ipaUniqueID: 7ce62078-51ca-11e1-b7f9-5254008ea76d
    memberUser: uid=admin,cn=users,cn=accounts,dc=example,dc=com
    memberOf: cn=test,cn=ng,cn=alt,dc=example,dc=com

Version-Release number of selected component (if applicable):
ipa-admintools-2.2.0-101.20120206T0930zgitc080c65.el6.x86_64
ipa-server-2.2.0-101.20120206T0930zgitc080c65.el6.x86_64
389-ds-base-1.2.9.16-1.el6.x86_64
389-ds-base-libs-1.2.9.16-1.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. <setup IPA server>
2. kinit admin
3. ipa netgroup-add test1 --desc=test1
4. ipa netgroup-add-member test1 --users=admin
5. ipa netgroup-add test --desc=test
6. ipa netgroup-add-member test1 --netgroups=test1
7. ipa-compat-manage enable
8. ipa-nis-manage enable
9. service rpcbind restart
10. service dirsrv restart
11. yum install yp-tools
12. ypcat -d <DOMAIN> -h localhost -k netgroup

Actual results:
You see test as an empty netgroup:

    # ypcat -d $DOMAIN -h localhost -k netgroup
    test
    test1 (-,admin,example.com)

Expected results:
I'd expect to see the netgroup test1 listed as a member of test like this:

    # ypcat -d $DOMAIN -h localhost -k netgroup
    test test1
    test1 (-,admin,example.com)

Additional info:
> From Nalin:
> Try stopping the server, locating the entry in its dse.ldif for
> "nis-domain=testrelm.com+nis-map=netgroup,cn=NIS Server,cn=plugins,cn=config",
> and replacing this part of it:
> "%{memberNisNetgroup}"
> with:
> "%deref_f(\"member\",\"(objectclass=ipanisNetgroup)\",\"cn\")"
>
> That should correctly pull the names of the member netgroups from their
> entries.

Yep, that did the trick:

    # ypcat -k -d $DOMAIN -h localhost netgroup
    test1 (-,admin,testrelm.com)
    test test1

So workaround seems to be:

    service dirsrv stop
    edit /etc/dirsrv/slapd-<REALM>/dse.ldif

Change:

<snip>
dn: nis-domain=testrelm.com+nis-map=netgroup,cn=NIS Server,cn=plugins,cn=confi
 g
objectClass: top
objectClass: extensibleObject
nis-value-format: %merge(" ","%{memberNisNetgroup}",
</snip>

To:

<snip>
dn: nis-domain=testrelm.com+nis-map=netgroup,cn=NIS Server,cn=plugins,cn=confi
 g
objectClass: top
objectClass: extensibleObject
nis-value-format: %merge(" ","%deref_f(\"member\",\"(objectclass=ipanisNetgrou
 p)\",\"cn\")",
</snip>

Then run:

    service dirsrv start
    ypcat -d $DOMAIN -h localhost -k netgroup

And you should now see nested netgroups:

    # ypcat -k -d $DOMAIN -h localhost netgroup
    test1 (-,admin,testrelm.com)
    test test1

Thanks.
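As an added example (not code from this bug or from FreeIPA/slapi-nis): a POSIX sh script that applies the dse.ldif edit above with LDIF line folding taken into account, keeps a backup, and checks the ypcat output for the nested member. The function names are mine; REALM, DOMAIN and the netgroup names are placeholders the caller supplies.

```shell
#!/bin/sh
# Added example, not code from the bug report or FreeIPA/slapi-nis: apply the
# dse.ldif edit quoted above and check the result via ypcat. The awk step unfolds
# LDIF continuation lines (leading space), which 389-ds writes for long lines.

# $1 = dse.ldif to read, $2 = file to write (unfolded, still valid LDIF).
fix_netgroup_format() {
    awk '/^ / { buf = buf substr($0, 2); next }
         { if (NR > 1) print buf; buf = $0 }
         END { print buf }' "$1" |
    sed 's/%{memberNisNetgroup}/%deref_f(\\"member\\",\\"(objectclass=ipanisNetgroup)\\",\\"cn\\")/' > "$2"
}

# Reads ypcat netgroup output on stdin; succeeds only if netgroup $1 lists $2
# (a nested netgroup name or a (host,user,domain) triple) as a member.
netgroup_lists_member() {
    awk -v ng="$1" -v want="$2" '
        $1 == ng { for (i = 2; i <= NF; i++) if ($i == want) found = 1 }
        END { if (!found) exit 1 }'
}

# Constructed sample of the entry quoted in the report, folded across the
# token on purpose to show why unfolding is needed. $1 = output path.
make_sample_dse() {
    printf '%s\n' \
      'dn: nis-domain=testrelm.com+nis-map=netgroup,cn=NIS Server,cn=plugins,cn=confi' \
      ' g' \
      'objectClass: top' \
      'objectClass: extensibleObject' \
      'nis-value-format: %merge(" ","%{memberNisNet' \
      ' group}",' > "$1"
}

# The procedure from the comment above, for the IPA server itself (not run here).
# $1 = REALM placeholder, $2 = NIS domain, $3 = outer netgroup, $4 = nested one.
apply_workaround() {
    dse="/etc/dirsrv/slapd-$1/dse.ldif"
    bak="$dse.bak.$(date +%Y%m%d%H%M%S)"
    service dirsrv stop
    cp -p "$dse" "$bak" || return 1          # keep a copy to roll back to
    fix_netgroup_format "$bak" "$dse"
    service dirsrv start
    ypcat -d "$2" -h localhost -k netgroup | netgroup_lists_member "$3" "$4"
}

# Offline demonstration on the constructed sample.
tmp=$(mktemp -d)
make_sample_dse "$tmp/dse.ldif"
fix_netgroup_format "$tmp/dse.ldif" "$tmp/dse.fixed.ldif"
grep -F 'nis-value-format' "$tmp/dse.fixed.ldif"
```

On the server, `apply_workaround TESTRELM.COM testrelm.com test test1` performs the stop/edit/start sequence and exits non-zero if test still shows no test1 member.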
Upstream ticket: https://fedorahosted.org/freeipa/ticket/2359
Step 6 in the reproduction steps should read:

    ipa netgroup-add-member test --netgroups=test1

You'll want to test a fresh installation and an upgrade.
Fixed upstream:

master: https://fedorahosted.org/freeipa/changeset/c48d34fa433e9472d196b0258cac16934a1dae48
ipa-2-2: https://fedorahosted.org/freeipa/changeset/f23d5c6475b81782816cc1196751f8842969bc78
Verified.

Version :: ipa-server-2.2.0-4.el6.x86_64

Automated Test Results ::

    ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    :: [ LOG ] :: netgroup_bz_788625: IPA nested netgroups not seen from ypcat
    ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    :: [ PASS ] :: Running 'ipa netgroup-add netgroup_bz_788625_test1 --desc=netgroup_bz_788625_test1'
    :: [ PASS ] :: Running 'ipa netgroup-add-member netgroup_bz_788625_test1 --users=admin'
    :: [ PASS ] :: Running 'ipa netgroup-add netgroup_bz_788625_test --desc=netgroup_bz_788625_test'
    :: [ PASS ] :: Running 'ipa netgroup-add-member netgroup_bz_788625_test --netgroups=netgroup_bz_788625_test1'
    :: [ PASS ] :: Running 'echo ******** | ipa-compat-manage enable'
    :: [ PASS ] :: Running 'echo ******** | ipa-nis-manage enable'
    :: [ PASS ] :: Running 'service rpcbind restart'
    :: [ PASS ] :: Running 'service dirsrv restart'
    :: [ PASS ] :: Running 'yum -y install yp-tools'
    :: [ PASS ] :: BZ 788625 not found
    :: [ PASS ] :: Running 'ipa netgroup-del netgroup_bz_788625_test1'
    :: [ PASS ] :: Running 'ipa netgroup-del netgroup_bz_788625_test'
    :: [ LOG ] :: Duration: 46s
    :: [ LOG ] :: Assertions: 12 good, 0 bad
    :: [ PASS ] :: RESULT: netgroup_bz_788625: IPA nested netgroups not seen from ypcat

Manual Test Results ::

    # ipa netgroup-add ng788625 --desc=test
    -------------------------
    Added netgroup "ng788625"
    -------------------------
      Netgroup name: ng788625
      Description: test
      NIS domain name: testrelm.com
      IPA unique ID: 4df6b4a2-7368-11e1-a6cd-0019bbea4c2b
    # ipa netgroup-add-member ng788625 --users=admin
      Netgroup name: ng788625
      Description: test
      NIS domain name: testrelm.com
      Member User: admin
    -------------------------
    Number of members added 1
    -------------------------
    # ipa netgroup-add ng788625_container --desc=container
    -----------------------------------
    Added netgroup "ng788625_container"
    -----------------------------------
      Netgroup name: ng788625_container
      Description: container
      NIS domain name: testrelm.com
      IPA unique ID: 8d19d650-7368-11e1-9ce1-0019bbea4c2b
    # ipa netgroup-add-member ng788625_container --netgroups=ng788625
      Netgroup name: ng788625_container
      Description: container
      NIS domain name: testrelm.com
      Member netgroups: ng788625
    -------------------------
    Number of members added 1
    -------------------------
    # echo ******** | ipa-compat-manage enable
    Plugin already Enabled
    # echo ******** | ipa-nis-manage enable
    Enabling plugin
    This setting will not take effect until you restart Directory Server.
    The rpcbind service may need to be started.
    # service rpcbind restart
    Stopping rpcbind: [ OK ]
    Starting rpcbind: [ OK ]
    # service dirsrv restart
    Shutting down dirsrv:
        PKI-IPA... [ OK ]
        TESTRELM-COM... [ OK ]
    Starting dirsrv:
        PKI-IPA... [ OK ]
        TESTRELM-COM... [ OK ]
    # ypcat -d $DOMAIN -h localhost -k netgroup | grep ^ng788625
    ng788625_container ng788625
    ng788625 (-,admin,testrelm.com)
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. New Contents: No documentation needed.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2012-0819.html