Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 950014

Summary: Enrolling a host into IdM/IPA always takes two attempts
Product: Red Hat Enterprise Linux 6 Reporter: Dmitri Pal <dpal>
Component: ipaAssignee: Rob Crittenden <rcritten>
Status: CLOSED ERRATA QA Contact: Namita Soman <nsoman>
Severity: unspecified Docs Contact:
Priority: medium    
Version: 6.4CC: arubin, atolani, dpal, ldelouw, mdavis, mkosek, parsonsa, rmeggins, tscherf, xdong
Target Milestone: rcKeywords: Reopened
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-3.0.0-31.el6 Doc Type: Bug Fix
Doc Text:
rolCause: Identity Management installation and upgrade process did not update user and user role membership information in correct order in some cases. Consequence: User roles may not correctly apply in some situations and for user may fail to proceed with privileged actions even though they are authorized for them (e.g. Identity Management client enrollment). Fix: Membership information is not applied in correct order. Result: Users' privileged actions no longer fails because of incomplete membership information.
 Story Points: ---
Clone Of: 903343 Environment:
Last Closed: 2013-11-21 20:53:03 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 903343, 1065971, 1072098, 1073530    
Bug Blocks: 960054    

Comment 1 Martin Kosek 2013-04-22 08:46:35 UTC 
Fixed upstream:

master: 8377f4e92f6c927d6303a4be9d22e71a90af9ab0

The problem is that the task to rebuild memberof is executed before some of the members are added which can sometimes leave things in a bad state. This patch commits to LDAP the updates in blocks of 10 so that members are added in LDAP before memberOf rebuild is executed.
Comment 5 Xiyang Dong 2013-09-25 16:59:11 UTC 
Verified.

Version : ipa-server-3.0.0-34.el6.x86_64


Test Results :
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ipa-rbac-1023 -bz950014 Enrolling a host into IdM/IPA always takes two attempts
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

kdestroy: No credentials cache found while destroying cache
spawn /usr/bin/kinit -V admin
Using default cache: /tmp/krb5cc_0
Using principal: admin
Password for admin: 
Authenticated to Kerberos v5
Default principal: admin
:: [ 12:45:10 ] ::  kinit as admin with password Secret123 was successful.
:: [ 12:45:10 ] ::  create ipa user: [bzuser950014], firstname: [bzuser950014], lastname: [bzuser950014]  password: [Secret123]
:: [ 12:45:12 ] ::  create ipa user: [bzuser950014], password: [Secret123]
-------------------------
Added user "bzuser950014"
-------------------------
  User login: bzuser950014
  First name: bzuser950014
  Last name: bzuser950014
  Full name: bzuser950014 bzuser950014
  Display name: bzuser950014 bzuser950014
  Initials: bb
  Home directory: /home/bzuser950014
  GECOS field: bzuser950014 bzuser950014
  Login shell: /bin/sh
  Kerberos principal: bzuser950014
  Email address: bzuser950014
  UID: 593800023
  GID: 593800023
  Password: True
  Kerberos keys available: True
:: [   PASS   ] :: add test user account (Expected 0, got 0)
spawn /usr/bin/kinit -V bzuser950014
Using default cache: /tmp/krb5cc_0
Using principal: bzuser950014
Password for bzuser950014: 
Password expired.  You must change it now.
Enter new password: 
Enter it again: 
Authenticated to Kerberos v5
Default principal: bzuser950014
:: [ 12:45:21 ] ::  kinit as bzuser950014 with new password Secret123 was successful.
bzuser950014
:: [   PASS   ] :: Running 'create_ipauser bzuser950014 bzuser950014 bzuser950014 Secret123 dummy123' (Expected 0, got 0)
kdestroy: No credentials cache found while destroying cache
spawn /usr/bin/kinit -V admin
Using default cache: /tmp/krb5cc_0
Using principal: admin
Password for admin: 
Authenticated to Kerberos v5
Default principal: admin
:: [ 12:45:23 ] ::  kinit as admin with password Secret123 was successful.
--------------------------------
Added role "build administrator"
--------------------------------
  Role name: build administrator
  Description: build administrator
:: [   PASS   ] :: add role build administrator (Expected 0, got 0)
  Role name: build administrator
  Description: build administrator
  Privileges: Host Administrators
----------------------------
Number of privileges added 1
----------------------------
:: [   PASS   ] :: add priviledge host administrators to role build administrator (Expected 0, got 0)
  Role name: build administrator
  Description: build administrator
  Member users: bzuser950014
  Privileges: Host Administrators
-------------------------
Number of members added 1
-------------------------
:: [   PASS   ] :: add member user bzuser950014 to role build administrator (Expected 0, got 0)
--------------------------------------
Added host "bzhost950014.testrelm.com"
--------------------------------------
  Host name: bzhost950014.testrelm.com
  Principal name: host/bzhost950014.testrelm.com
  Password: False
  Keytab: False
  Managed by: bzhost950014.testrelm.com
:: [ 12:45:28 ] ::  Adding new host bzhost950014.testrelm.com successful with force option.
:: [   PASS   ] :: add host bzhost950014.testrelm.com to enroll (Expected 0, got 0)
Keytab successfully retrieved and stored in: /etc/krb5.keytab
Certificate subject base is: O=TESTRELM.COM
:: [   PASS   ] :: first attempt to enroll a host to ipa succeeded (Expected 0, got 0)
spawn /usr/bin/kinit -V admin
Using default cache: /tmp/krb5cc_0
Using principal: admin
Password for admin: 
Authenticated to Kerberos v5
Default principal: admin
:: [ 12:45:31 ] ::  kinit as admin with password Secret123 was successful.
----------------------------------
Deleted role "build administrator"
----------------------------------
:: [   PASS   ] :: delete role build administrator (Expected 0, got 0)
----------------------------------------
Deleted host "bzhost950014.testrelm.com"
----------------------------------------
:: [ 12:45:33 ] ::  Host bzhost950014.testrelm.com deleted successfully.
:: [   PASS   ] :: delete test host bzhost950014.testrelm.com (Expected 0, got 0)
---------------------------
Deleted user "bzuser950014"
---------------------------
:: [   PASS   ] :: delete account [bzuser950014] (Expected 0, got 0)
:: [   PASS   ] :: delete test user bzuser950014 (Expected 0, got 0)
Comment 7 errata-xmlrpc 2013-11-21 20:53:03 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1651.html