https://bugzilla.redhat.com/show_bug.cgi?id=740830
Description of problem:
Occasionally we hit this issue while creating a hbacrule. Error message displaying "search criteria was not specific" while adding a hbacrule. Not sure what triggered this, logging as a bug to have covered.

Version-Release number of selected component (if applicable):
ipa-server-2.1.1-4.el6.x86_64

How reproducible:
intermittently

Steps to Reproduce:
1. [root@kungfupanda ~]# ipa hbacrule-add kaleem
ipa: ERROR: The search criteria was not specific enough. Expected 1 and found 2.
2. Again, executing the same command shows:
[root@kungfupanda ~]# ipa hbacrule-add kaleem
ipa: ERROR: HBAC rule with name "kaleem" already exists

Actual results:
ipa: ERROR: The search criteria was not specific enough. Expected 1 and found 2.

Expected results:
rule should be added successfully if it doesn't exist.

Additional info:
[root@kungfupanda ~]# ipa -d hbacrule-add kaleem
ipa: DEBUG: importing all plugin modules in '/usr/lib/python2.6/site-packages/ipalib/plugins'...
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/aci.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/automember.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/automount.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/batch.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/cert.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/config.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/delegation.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/dns.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/group.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvc.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvcgroup.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbactest.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/host.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hostgroup.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/internal.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/kerberos.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/krbtpolicy.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/migration.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/misc.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/netgroup.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/passwd.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/permission.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/ping.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/privilege.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/pwpolicy.py'
ipa: DEBUG: args=klist -V
ipa: DEBUG: stdout=Kerberos 5 version 1.9
ipa: DEBUG: stderr=
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/role.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/selfservice.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/service.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmd.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmdgroup.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/user.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/virtual.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/xmlclient.py'
ipa: INFO: trying https://kungfupanda.lab.eng.pnq.redhat.com/ipa/xml
ipa: DEBUG: Created connection context.xmlclient
ipa: DEBUG: raw: hbacrule_add(u'kaleem', accessruletype=u'allow', all=False, raw=False, version=u'2.11')
ipa: DEBUG: hbacrule_add(u'kaleem', accessruletype=u'allow', all=False, raw=False, version=u'2.11')
ipa: INFO: Forwarding 'hbacrule_add' to server u'https://kungfupanda.lab.eng.pnq.redhat.com/ipa/xml'
ipa: DEBUG: NSSConnection init kungfupanda.lab.eng.pnq.redhat.com
ipa: DEBUG: connect_socket_family: host=kungfupanda.lab.eng.pnq.redhat.com port=443 family=PR_AF_INET
ipa: DEBUG: connecting: 10.65.201.78:443
ipa: DEBUG: auth_certificate_callback: check_sig=True is_server=False
Data:
    Version: 3 (0x2)
    Serial Number: 10 (0xa)
    Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
    Issuer: CN=Certificate Authority,O=LAB.ENG.PNQ.REDHAT.COM
    Validity:
        Not Before: Thu Sep 22 05:17:03 2011 UTC
        Not After : Sun Sep 22 05:17:03 2013 UTC
    Subject: CN=kungfupanda.lab.eng.pnq.redhat.com,O=LAB.ENG.PNQ.REDHAT.COM
    Subject Public Key Info:
        Public Key Algorithm: PKCS #1 RSA Encryption
        RSA Public Key:
            Exponent: 65537 (0x10001)
    Signed Extensions: (4)
        Name: Certificate Authority Key Identifier
        Critical: False
        Key ID:
            1e:52:7b:d3:e5:e7:94:03:df:68:6c:90:3e:10:cc:a1:
            86:07:9c:3e
        Serial Number: None
        General Names: [0 total]
        Name: Authority Information Access
        Critical: False
        Name: Certificate Key Usage
        Critical: True
        Usages:
            Digital Signature
            Non-Repudiation
            Key Encipherment
            Data Encipherment
        Name: Extended Key Usage
        Critical: False
        Usages:
            TLS Web Server Authentication Certificate
            TLS Web Client Authentication Certificate
    Fingerprint (MD5):
        65:e6:70:dd:74:6a:80:34:7a:7d:2f:20:78:64:f7:e8
    Fingerprint (SHA1):
        13:ee:5b:e7:8c:7a:45:8e:d7:0e:ed:5f:26:89:80:41:
        66:a8:9d:ab
    Signature:
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer
ipa: DEBUG: cert valid True for "CN=kungfupanda.lab.eng.pnq.redhat.com,O=LAB.ENG.PNQ.REDHAT.COM"
ipa: DEBUG: handshake complete, peer = 10.65.201.78:443
ipa: DEBUG: Caught fault 4027 from server https://kungfupanda.lab.eng.pnq.redhat.com/ipa/xml: The search criteria was not specific enough. Expected 1 and found 2.
ipa: DEBUG: Destroyed connection context.xmlclient
ipa: ERROR: The search criteria was not specific enough. Expected 1 and found 2.
Putting into 2.1.2 now for more investigation.
This error occurs when we search by attribute. Right now we only expect one result back (usually the search is for principal). Perhaps this needs to be expanded.
The only place we would throw this is in get_effective_rights() as far as I can tell, and that would happen AFTER the record is added which matches up with what he is seeing.
This means that there are multiple users with the same principal though.
master: 759ae9e
ipa-2-1: 7c884f1
I also pushed a fix for HBAC test suite:
master: 79e9feb
ipa-2-1: f9e277b
Metadata Update from @rcritten:
- Issue assigned to mkosek
- Issue set to the milestone: FreeIPA 2.1.2 (bug fixing)