Hide Forgot
Description of problem: Version-Release number of selected component (if applicable): ipa-server-2.2.0-7.el6.x86_64 How reproducible: Steps to Reproduce: 1. Create hostgroup 2. Add more than 2000 members to this hostgroup 3. Try removing a member. Actual results: See the following error message every other time while removing a member. "ipa: ERROR: hostgroup772150: host group not found" Expected results: Member should be removed successfully. Additional info: [root@primenova ~]# ipa -d hostgroup-remove-member hostgroup772150 --hosts=host816.lab.eng.pnq.redhat.com ... ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer ipa: DEBUG: cert valid True for "CN=primenova.lab.eng.pnq.redhat.com,O=LAB.ENG.PNQ.REDHAT.COM" ipa: DEBUG: handshake complete, peer = 10.65.201.100:443 ipa: DEBUG: Created connection context.xmlclient ipa: DEBUG: raw: hostgroup_remove_member(u'hostgroup772150', all=False, raw=False, version=u'2.32', host=(u'host816.lab.eng.pnq.redhat.com',)) ipa: DEBUG: hostgroup_remove_member(u'hostgroup772150', all=False, raw=False, version=u'2.32', host=(u'host816.lab.eng.pnq.redhat.com',)) ipa: INFO: Forwarding 'hostgroup_remove_member' to server u'http://primenova.lab.eng.pnq.redhat.com/ipa/xml' ipa: DEBUG: NSSConnection init primenova.lab.eng.pnq.redhat.com ipa: DEBUG: connect_socket_family: host=primenova.lab.eng.pnq.redhat.com port=443 family=PR_AF_INET ipa: DEBUG: connecting: 10.65.201.100:443 ipa: DEBUG: handshake complete, peer = 10.65.201.100:443 ipa: DEBUG: Caught fault 4001 from server http://primenova.lab.eng.pnq.redhat.com/ipa/xml: hostgroup772150: host group not found ipa: DEBUG: Destroyed connection context.xmlclient ipa: ERROR: hostgroup772150: host group not found [root@primenova ~]# Script used to populate data: #!/bin/bash domain="lab.eng.pnq.redhat.com" ipa sudocmd-add "/bin/ls" ipa sudocmd-add "/bin/rm" ipa hostgroup-add hostgroup772150 --desc="hostgroup772150" for j in {1..253}; do for i in {1..253}; do echo Secret123 | kinit admin ipa dnsrecord-add $domain host$j$i --a-rec=1.1.$j.$i ipa user-add user$j$i --first=user$j$i --last=user$j$i ipa host-add host$j$i.$domain ipa hostgroup-add hostgrp$j$i --desc="hostgrp$j$i" ipa hostgroup-add-member hostgrp$j$i --hosts=host$j$i.$domain ipa hostgroup-add-member hostgroup772150 --hosts=host$j$i.$domain ipa hbacrule-add hbacrulehost$j$i ipa hbacrule-add-user hbacrulehost$j$i --users=user$j$i ipa hbacrule-add-service hbacrulehost$j$i --hbacsvcs=sshd ipa hbacrule-add-sourcehost hbacrulehost$j$i --hostgroups=hostgrp$j$i ipa hbacrule-add-host hbacrulehost$j$i --hostgroups=hostgrp$j$i ipa sudorule-add sudorulehost$j$i --desc="sudorulehost$j$i" ipa sudorule-add-user sudorulehost$j$i --users=user$j$i ipa sudorule-add-host sudorulehost$j$i --hosts=host$j$i.$domain ipa sudorule-add-host sudorulehost$j$i --hostgroups=hostgrp$j$i ipa sudorule-add-allow-command sudorulehost$j$i --sudocmds="/bin/ls" ipa sudorule-add-deny-command sudorulehost$j$i --sudocmds="/bin/rm" done done
Upstream ticket: https://fedorahosted.org/freeipa/ticket/2606
Fixed upstream. Detect when the results have been truncated when trying to retrieve a single entry and raise a Limits error instead of Not Found. master: a663e83cb2717ac4cf831261c93c1582f562a07f ipa-2-2: 4a48efe636c0036334d4d3afadc933b0408de0f0
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. New Contents: No documentation needed.
results :: ipa hostgroup-find --hosts=host18108.testrelm.com | grep hostgroup772150 Host-group: hostgroup772150 Description: hostgroup772150 # ipa hostgroup-remove-member --hosts=host18108.testrelm.com hostgroup772150 ipa: ERROR: limits exceeded for this query however the host is removed from the hostgroup # ipa hostgroup-find --hosts=host18108.testrelm.com | grep hostgroup772150 # expected success on removing the member an not an ipa ERROR
This is a perfectly legitimate error. The operation took too long which is why it failed. If this happens the user will need to either specify --timelimit=XX or increase the default searchtimelimit in the configuration.
(In reply to comment #11) > This is a perfectly legitimate error. The operation took too long which is > why it failed. If this happens the user will need to either specify > --timelimit=XX or increase the default searchtimelimit in the configuration. ahhh okay .. marking bug verified :) version : ipa-2.2.0-14.el6
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2012-0819.html