Bug 950014 - Enrolling a host into IdM/IPA always takes two attempts
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.4
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assigned To: Rob Crittenden
QA Contact: Namita Soman
: Reopened
Depends On: 903343 1065971 1072098 1073530
Blocks: 960054
Reported: 2013-04-09 09:11 EDT by Dmitri Pal
Modified: 2014-03-06 10:49 EST (History)

See Also:
Fixed In Version: ipa-3.0.0-31.el6
Doc Type: Bug Fix
Doc Text:
Cause: The Identity Management installation and upgrade process did not, in some cases, update user and user role membership information in the correct order. Consequence: User roles may not apply correctly in some situations, and a user may fail to proceed with privileged actions even though they are authorized for them (e.g. Identity Management client enrollment). Fix: Membership information is now applied in the correct order. Result: Users' privileged actions no longer fail because of incomplete membership information.
Story Points: ---
Clone Of: 903343
Environment:
Last Closed: 2013-11-21 15:53:03 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---


Comment 1 Martin Kosek 2013-04-22 04:46:35 EDT
Fixed upstream:

master: 8377f4e92f6c927d6303a4be9d22e71a90af9ab0

The problem is that the task to rebuild memberof is executed before some of the members are added which can sometimes leave things in a bad state. This patch commits to LDAP the updates in blocks of 10 so that members are added in LDAP before memberOf rebuild is executed.
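To make the ordering problem described in comment 1 concrete, the following simulation is added here (it is not IPA's code): a toy directory with a memberOf rebuild task and an updater that either commits member adds only at the end of the run (the buggy behaviour) or, as the upstream fix does, in blocks of 10 and before each rebuild task. The DNs, class and function names are hypothetical.

```python
from collections import defaultdict

class FakeDirectory:
    """Toy LDAP stand-in: entries have a 'member' set and a derived 'memberOf' set."""
    def __init__(self):
        self.entries = defaultdict(lambda: {"member": set(), "memberOf": set()})

    def add_member(self, group_dn, member_dn):
        self.entries[group_dn]["member"].add(member_dn)

    def rebuild_memberof(self):
        # Stand-in for the memberOf fixup task: recompute memberOf from 'member'
        # (direct membership only; enough to show the ordering problem).
        for entry in self.entries.values():
            entry["memberOf"] = set()
        for group_dn, entry in list(self.entries.items()):
            for member_dn in entry["member"]:
                self.entries[member_dn]["memberOf"].add(group_dn)

    def member_of(self, dn):
        return set(self.entries[dn]["memberOf"])

def apply_updates(directory, updates, batch_size=None):
    # Updates are ('add_member', group, member) or ('rebuild_memberof',).
    # batch_size=None models the buggy updater: adds stay pending until the run
    # ends, so the task indexes an empty role.  batch_size=10 models the fix.
    pending = []
    def flush():
        for _, group_dn, member_dn in pending:
            directory.add_member(group_dn, member_dn)
        pending.clear()

    for count, update in enumerate(updates, start=1):
        if update[0] == "add_member":
            pending.append(update)
        elif update[0] == "rebuild_memberof":
            if batch_size is not None:
                flush()          # commit pending adds before the task runs
            directory.rebuild_memberof()
        if batch_size is not None and count % batch_size == 0:
            flush()              # commit in blocks of batch_size updates
    flush()
    return directory

def role_memberof(batch_size=None):
    # Constructed scenario (hypothetical DNs): add a user to a role, then run the task.
    user_dn, role_dn = "uid=bob,cn=users", "cn=host admins,cn=roles"
    updates = [("add_member", role_dn, user_dn), ("rebuild_memberof",)]
    return apply_updates(FakeDirectory(), updates, batch_size).member_of(user_dn)
```

With the buggy ordering the user's memberOf is empty after the first run even though the member attribute is in place, which is the state in which role-based privileges such as host enrollment do not yet apply.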
Comment 5 Xiyang Dong 2013-09-25 12:59:11 EDT
Verified.

Version : ipa-server-3.0.0-34.el6.x86_64


Test Results :
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ipa-rbac-1023 -bz950014 Enrolling a host into IdM/IPA always takes two attempts
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

kdestroy: No credentials cache found while destroying cache
spawn /usr/bin/kinit -V admin
Using default cache: /tmp/krb5cc_0
Using principal: admin@TESTRELM.COM
Password for admin@TESTRELM.COM: 
Authenticated to Kerberos v5
Default principal: admin@TESTRELM.COM
:: [ 12:45:10 ] ::  kinit as admin with password Secret123 was successful.
:: [ 12:45:10 ] ::  create ipa user: [bzuser950014], firstname: [bzuser950014], lastname: [bzuser950014]  password: [Secret123]
:: [ 12:45:12 ] ::  create ipa user: [bzuser950014], password: [Secret123]
-------------------------
Added user "bzuser950014"
-------------------------
  User login: bzuser950014
  First name: bzuser950014
  Last name: bzuser950014
  Full name: bzuser950014 bzuser950014
  Display name: bzuser950014 bzuser950014
  Initials: bb
  Home directory: /home/bzuser950014
  GECOS field: bzuser950014 bzuser950014
  Login shell: /bin/sh
  Kerberos principal: bzuser950014@TESTRELM.COM
  Email address: bzuser950014@testrelm.com
  UID: 593800023
  GID: 593800023
  Password: True
  Kerberos keys available: True
:: [   PASS   ] :: add test user account (Expected 0, got 0)
spawn /usr/bin/kinit -V bzuser950014
Using default cache: /tmp/krb5cc_0
Using principal: bzuser950014@TESTRELM.COM
Password for bzuser950014@TESTRELM.COM: 
Password expired.  You must change it now.
Enter new password: 
Enter it again: 
Authenticated to Kerberos v5
Default principal: bzuser950014@TESTRELM.COM
:: [ 12:45:21 ] ::  kinit as bzuser950014 with new password Secret123 was successful.
bzuser950014
:: [   PASS   ] :: Running 'create_ipauser bzuser950014 bzuser950014 bzuser950014 Secret123 dummy123' (Expected 0, got 0)
kdestroy: No credentials cache found while destroying cache
spawn /usr/bin/kinit -V admin
Using default cache: /tmp/krb5cc_0
Using principal: admin@TESTRELM.COM
Password for admin@TESTRELM.COM: 
Authenticated to Kerberos v5
Default principal: admin@TESTRELM.COM
:: [ 12:45:23 ] ::  kinit as admin with password Secret123 was successful.
--------------------------------
Added role "build administrator"
--------------------------------
  Role name: build administrator
  Description: build administrator
:: [   PASS   ] :: add role build administrator (Expected 0, got 0)
  Role name: build administrator
  Description: build administrator
  Privileges: Host Administrators
----------------------------
Number of privileges added 1
----------------------------
:: [   PASS   ] :: add priviledge host administrators to role build administrator (Expected 0, got 0)
  Role name: build administrator
  Description: build administrator
  Member users: bzuser950014
  Privileges: Host Administrators
-------------------------
Number of members added 1
-------------------------
:: [   PASS   ] :: add member user bzuser950014 to role build administrator (Expected 0, got 0)
--------------------------------------
Added host "bzhost950014.testrelm.com"
--------------------------------------
  Host name: bzhost950014.testrelm.com
  Principal name: host/bzhost950014.testrelm.com@TESTRELM.COM
  Password: False
  Keytab: False
  Managed by: bzhost950014.testrelm.com
:: [ 12:45:28 ] ::  Adding new host bzhost950014.testrelm.com successful with force option.
:: [   PASS   ] :: add host bzhost950014.testrelm.com to enroll (Expected 0, got 0)
Keytab successfully retrieved and stored in: /etc/krb5.keytab
Certificate subject base is: O=TESTRELM.COM
:: [   PASS   ] :: first attempt to enroll a host to ipa succeeded (Expected 0, got 0)
spawn /usr/bin/kinit -V admin
Using default cache: /tmp/krb5cc_0
Using principal: admin@TESTRELM.COM
Password for admin@TESTRELM.COM: 
Authenticated to Kerberos v5
Default principal: admin@TESTRELM.COM
:: [ 12:45:31 ] ::  kinit as admin with password Secret123 was successful.
----------------------------------
Deleted role "build administrator"
----------------------------------
:: [   PASS   ] :: delete role build administrator (Expected 0, got 0)
----------------------------------------
Deleted host "bzhost950014.testrelm.com"
----------------------------------------
:: [ 12:45:33 ] ::  Host bzhost950014.testrelm.com deleted successfully.
:: [   PASS   ] :: delete test host bzhost950014.testrelm.com (Expected 0, got 0)
---------------------------
Deleted user "bzuser950014"
---------------------------
:: [   PASS   ] :: delete account [bzuser950014] (Expected 0, got 0)
:: [   PASS   ] :: delete test user bzuser950014 (Expected 0, got 0)
Comment 7 errata-xmlrpc 2013-11-21 15:53:03 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1651.html
