#4680 Upgrade failure cn=ADTrust Agents,cn=privileges
Closed: Fixed None Opened 9 years ago by mbasti.

Upgrade ipa 3.3.5 -> 4.1.0

2014-11-04T02:07:54Z INFO New entry: cn=ADTrust Agents,cn=privileges,cn=pbac,dc=example,dc=com
2014-11-04T02:07:54Z DEBUG ---------------------------------------------
2014-11-04T02:07:54Z DEBUG Initial value
2014-11-04T02:07:54Z DEBUG dn: cn=ADTrust Agents,cn=privileges,cn=pbac,dc=example,dc=com
2014-11-04T02:07:54Z DEBUG objectClass:
2014-11-04T02:07:54Z DEBUG      top
2014-11-04T02:07:54Z DEBUG      groupofnames
2014-11-04T02:07:54Z DEBUG      nestedgroup
2014-11-04T02:07:54Z DEBUG member:
2014-11-04T02:07:54Z DEBUG      cn=adtrust agents,cn=sysaccounts,cn=etc,dc=example,dc=com
2014-11-04T02:07:54Z DEBUG cn:
2014-11-04T02:07:54Z DEBUG      ADTrust Agents
2014-11-04T02:07:54Z DEBUG description:
2014-11-04T02:07:54Z DEBUG      System accounts able to access trust information
2014-11-04T02:07:54Z DEBUG ---------------------------------------------
2014-11-04T02:07:54Z DEBUG Final value after applying updates
2014-11-04T02:07:54Z DEBUG dn: cn=ADTrust Agents,cn=privileges,cn=pbac,dc=example,dc=com
2014-11-04T02:07:54Z DEBUG objectClass:
2014-11-04T02:07:54Z DEBUG      top
2014-11-04T02:07:54Z DEBUG      groupofnames
2014-11-04T02:07:54Z DEBUG      nestedgroup
2014-11-04T02:07:54Z DEBUG member:
2014-11-04T02:07:54Z DEBUG      cn=adtrust agents,cn=sysaccounts,cn=etc,dc=example,dc=com
2014-11-04T02:07:54Z DEBUG cn:
2014-11-04T02:07:54Z DEBUG      ADTrust Agents
2014-11-04T02:07:54Z DEBUG description:
2014-11-04T02:07:54Z DEBUG      System accounts able to access trust information
2014-11-04T02:07:54Z ERROR Add failure

dirsrv access log

[03/Nov/2014:21:07:54 -0500] conn=11 op=233 SRCH base="cn=ADTrust Agents,cn=privileges,cn=pbac,dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs="aci * attributeTypes objectClasses"
[03/Nov/2014:21:07:54 -0500] conn=11 op=233 RESULT err=32 tag=101 nentries=0 etime=0
[03/Nov/2014:21:07:54 -0500] conn=11 op=234 ADD dn="cn=ADTrust Agents,cn=privileges,cn=pbac,dc=example,dc=com"

dirsrv error log

[03/Nov/2014:21:07:54 -0500] - Entry "cn=adtrust agents,cn=sysaccounts,cn=etc,dc=example,dc=com" -- attribute "memberOf" not allowed
[03/Nov/2014:21:07:54 -0500] memberof-plugin - memberof_postop_add: failed to add dn(cn=ADTrust Agents,cn=privileges,cn=pbac,dc=example,dc=com), error (65)

Error 65 = Objectclass violation


To reproduce, it is required to have applied the patch fixing #4670

I accidentally copy/pasted the access log without the last line

[03/Nov/2014:21:07:54 -0500] conn=11 op=233 SRCH base="cn=ADTrust Agents,cn=privileges,cn=pbac,dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs="aci * attributeTypes objectClasses"
[03/Nov/2014:21:07:54 -0500] conn=11 op=233 RESULT err=32 tag=101 nentries=0 etime=0
[03/Nov/2014:21:07:54 -0500] conn=11 op=234 ADD dn="cn=ADTrust Agents,cn=privileges,cn=pbac,dc=example,dc=com"
[03/Nov/2014:21:07:54 -0500] conn=11 op=234 RESULT err=65 tag=105 nentries=0 etime=0

This bug could be caused by #4622

My guess is that

dn: cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX
add: objectClass: nestedgroup
default: objectClass: GroupOfNames
default: objectClass: top
default: cn: adtrust agents

is done after

dn: cn=ADTrust Agents,cn=privileges,cn=pbac,$SUFFIX
default: objectClass: top
default: objectClass: groupofnames
default: objectClass: nestedgroup
default: cn: ADTrust Agents
default: description: System accounts able to access trust information
default: member: cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX

and the nestedgroup objectclass is missing. You need to make sure the

dn: cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX
add: objectClass: nestedgroup

is done first.
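
An added example, not part of the ticket or of FreeIPA's updater: a small checker for the ordering problem described in the comment above, run over the two stanzas it quotes. It assumes the update-file syntax shown in the ticket and that a group entry needs objectClass nestedgroup before memberOf can be written to it; `normalize`, `parse` and `ordering_violations` are hypothetical helper names.

```python
# Added example (not FreeIPA code): flag update stanzas that reference a
# group as "member" before that group has been given objectClass nestedgroup.

# Constructed input: the two stanzas quoted in the ticket, in the failing order.
FAILING_ORDER = """\
dn: cn=ADTrust Agents,cn=privileges,cn=pbac,$SUFFIX
default: objectClass: top
default: objectClass: groupofnames
default: objectClass: nestedgroup
default: cn: ADTrust Agents
default: description: System accounts able to access trust information
default: member: cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX

dn: cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX
add: objectClass: nestedgroup
default: objectClass: GroupOfNames
default: objectClass: top
default: cn: adtrust agents
"""

def normalize(dn):
    # Simplified DN comparison: case-insensitive, no escaped commas expected.
    return ",".join(part.strip() for part in dn.split(",")).lower()

def parse(text):
    """Return [(dn, [(action, attr, value), ...]), ...] in file order."""
    stanzas = []
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(":", 2)]
        if parts[0].lower() == "dn":
            stanzas.append((normalize(line.split(":", 1)[1]), []))
        elif stanzas and len(parts) == 3:
            stanzas[-1][1].append((parts[0].lower(), parts[1].lower(), parts[2]))
    return stanzas

def ordering_violations(text, already_nested=()):
    """List (group_dn, member_dn) pairs where member_dn is not yet a nestedgroup."""
    nested = {normalize(dn) for dn in already_nested}
    problems = []
    for dn, mods in parse(text):
        for action, attr, value in mods:
            # Assumption: both add: and default: take effect (directory state unknown).
            if action in ("add", "default") and attr == "objectclass" and value.lower() == "nestedgroup":
                nested.add(dn)
        for action, attr, value in mods:
            if action in ("add", "default") and attr == "member" and normalize(value) not in nested:
                problems.append((dn, normalize(value)))
    return problems

if __name__ == "__main__":
    for group, member in ordering_violations(FAILING_ORDER):
        print(f"{group}: member {member} lacks nestedgroup at this point")
```

Pass DNs that already carry nestedgroup in the directory through `already_nested`; the check only covers group members, since user entries get memberOf from other object classes.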

All 4.1 upgrade issues need to be fixed.

Bug is also in 4.0.x.

master:

  • 2712b60 Upgrade: fix trusts objectclass violation

ipa-4-1:

  • 60ff57b Upgrade: fix trusts objectclass violation

ipa-4-0:

  • ae9e684 Upgrade: fix trusts objectclass violation

Metadata Update from @mbasti:
- Issue assigned to mbasti
- Issue set to the milestone: FreeIPA 4.0.4

7 years ago
