See https://www.redhat.com/archives/freeipa-users/2012-November/msg00085.html for a full description of the issue. In short, after upgrading an IPA server from 2.2.0 to 2.2.1, the fqdn indices that are created in [changeset:ce11a7c] aren't followed by an index task, so existing hosts aren't retrieved by SSSD, and logins fail.
After creating the following fqdn_index_task.ldif

```ldif
dn: cn=indextask_fqdn, cn=index, cn=tasks, cn=config
# The rest of the entry is missing from the page as captured; the lines below are
# the standard 389-ds index task attributes (backend name taken from the log below).
objectClass: top
objectClass: extensibleObject
cn: indextask_fqdn
nsInstance: userRoot
nsIndexAttribute: fqdn
```

```
ldapadd -vvv -x -D "cn=directory manager" -W -f fqdn_index_task.ldif
```
I see the following in my error log:

```
[12/Nov/2012:10:28:29 -0600] - userRoot: Indexing attribute: fqdn
[12/Nov/2012:10:28:29 -0600] - userRoot: Finished indexing.
```
and login via SSSD resumes immediately.
I can look at it.
This is indeed a bug in the code processing index updates. The index task is supposed to be run automatically for every new or updated index, but it is only processed in the update code path.

To work around the issue, one can run the following to trigger the LDAP upgrade procedure, which will fire the index task this time:

```
# ipa-ldap-updater --upgrade
# grep "Creating task to index" /var/log/ipaupgrade.log
2012-11-13T12:17:23Z INFO Creating task to index attribute: memberuid
2012-11-13T12:17:29Z INFO Creating task to index attribute: memberOf
2012-11-13T12:17:35Z INFO Creating task to index attribute: memberHost
2012-11-13T12:17:41Z INFO Creating task to index attribute: memberUser
2012-11-13T12:17:47Z INFO Creating task to index attribute: fqdn
2012-11-13T12:17:53Z INFO Creating task to index attribute: ntUniqueId
2012-11-13T12:17:59Z INFO Creating task to index attribute: ntUserDomainId
```
When fixing this one, I may also backport the 2ecfe57 from #2866.
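Both the reporter's manual index task and the ipa-ldap-updater workaround above leave the same open question for an administrator: did the rebuild for every attribute actually complete? The helpers below are an added example, not code from this ticket, FreeIPA or 389-ds. They build the one-off index task entry using the standard 389-ds cn=tasks attributes (nsInstance, nsIndexAttribute), list the attributes ipa-ldap-updater reported creating tasks for, and cross-check them against the 389-ds errors log. The log lines embedded here are constructed samples in the same format as the ones quoted in the ticket.

```python
"""Check that a 389-ds index rebuild actually ran for the expected attributes.

Added example for this ticket, not FreeIPA or 389-ds project code. The index
task entry follows the standard 389-ds cn=tasks schema; the sample log lines
are constructed in the same format as the ticket's quoted output.
"""
import re

# Constructed sample of the 389-ds errors log. The memberOf task has started
# but has no matching "Finished indexing." line yet.
SAMPLE_ERRORS_LOG = """\
[12/Nov/2012:10:28:29 -0600] - userRoot: Indexing attribute: fqdn
[12/Nov/2012:10:28:29 -0600] - userRoot: Finished indexing.
[12/Nov/2012:10:30:02 -0600] - userRoot: Indexing attribute: memberOf
"""

# Constructed sample of /var/log/ipaupgrade.log lines.
SAMPLE_UPGRADE_LOG = """\
2012-11-13T12:17:23Z INFO Creating task to index attribute: memberuid
2012-11-13T12:17:47Z INFO Creating task to index attribute: fqdn
2012-11-13T12:17:53Z INFO Creating task to index attribute: ntUniqueId
"""

ERRORS_LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] - (?P<backend>\S+): (?P<msg>.*)$")
UPGRADE_LINE = re.compile(r"INFO Creating task to index attribute: (?P<attr>\S+)\s*$")


def index_task_ldif(attribute, backend="userRoot", task_cn=None):
    """Build the LDIF for a one-off index task, as fed to ldapadd in the ticket."""
    task_cn = task_cn or f"indextask_{attribute}"
    return (
        f"dn: cn={task_cn},cn=index,cn=tasks,cn=config\n"
        "objectClass: top\n"
        "objectClass: extensibleObject\n"
        f"cn: {task_cn}\n"
        f"nsInstance: {backend}\n"
        f"nsIndexAttribute: {attribute}\n"
    )


def requested_indexes(upgrade_log):
    """Attributes for which ipa-ldap-updater reported creating an index task."""
    attrs = []
    for line in upgrade_log.splitlines():
        m = UPGRADE_LINE.search(line)
        if m:
            attrs.append(m.group("attr"))
    return attrs


def indexing_status(errors_log, backend="userRoot"):
    """Map attribute -> 'started' | 'finished' from the 389-ds errors log.

    One task may index several attributes: every "Indexing attribute:" line
    seen since the last "Finished indexing." belongs to the same task.
    """
    status, pending = {}, []
    for line in errors_log.splitlines():
        m = ERRORS_LINE.match(line)
        if not m or m.group("backend") != backend:
            continue
        msg = m.group("msg")
        if msg.startswith("Indexing attribute: "):
            attr = msg[len("Indexing attribute: "):].strip()
            status[attr] = "started"
            pending.append(attr)
        elif msg == "Finished indexing.":
            for attr in pending:
                status[attr] = "finished"
            pending = []
    return status


def unfinished_indexes(expected, errors_log, backend="userRoot"):
    """Attributes in `expected` whose rebuild has not finished in the log."""
    status = indexing_status(errors_log, backend)
    return [a for a in expected if status.get(a) != "finished"]


if __name__ == "__main__":
    print(index_task_ldif("fqdn"))
    wanted = requested_indexes(SAMPLE_UPGRADE_LOG)
    print("requested:", wanted)
    print("not finished:", unfinished_indexes(wanted, SAMPLE_ERRORS_LOG))
```

On a real server, feed `requested_indexes` the contents of /var/log/ipaupgrade.log and `unfinished_indexes` the 389-ds errors log for the instance; any attribute left in the result is one whose index is still unusable, which is exactly the state that made SSSD host lookups fail in this ticket.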
Patch freeipa-mkosek-333-run-index-task-for-new-indexes.patch sent for review
Metadata Update from @amessina:
- Issue assigned to mkosek
- Issue set to the milestone: FreeIPA 2.2 Stabilization