#5167 User can't find any hosts using "ipa host-find $HOSTNAME"
Closed: Fixed None Opened 3 years ago by pvoborni.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1248524

Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.

Description of problem:
User can't find any hosts using "ipa host-find $HOSTNAME"

When trying to execute "ipa host-find $HOSTNAME" using the non-admin user, it
doesn't return any information.

If I execute "ipa host-find --hostname=$HOSTNAME" I'll get a successful
result.

Whereas ipa host-find shows the number of hosts added in the system.

Version-Release number of selected component (if applicable):
ipa-server-4.1.0-18.el7_1.3.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Setup IPA server
2. Add some hosts
3. Get a ticket using non-admin user & try to search hosts.

Actual results:
# ipa host-find ipaserver.example.com
---------------
0 hosts matched
---------------
----------------------------
Number of entries returned 0
----------------------------

[root@ipaserver ~]# ipa host-find --host ipaserver.example.com
--------------
1 host matched
--------------
  Host name: ipaserver.example.com
  Principal name: host/ipaserver.example.com@EXAMPLE.COM
  Password: False
  Keytab: True
  Managed by: ipaserver.example.com
----------------------------
Number of entries returned 1
---------------------------


Additional info:

When a general TERM search is issued, all possible host fields are searched, so
it is likely there will be at least one that is not searchable.

Results of both commands should be the same.

When searched like this.

# ipa host-find ipaserver.example.com
---------------
0 hosts matched
---------------
----------------------------
Number of entries returned 0
----------------------------

It created a search request like this.

[01/Jul/2015:12:57:34 +051800] conn=25 op=4 SRCH base="cn=computers,cn=accounts,dc=example,dc=com" scope=1 filter="(&(|(description=*ipaserver.example.com*)(nsHardwarePlatform=*ipaserver.example.com*)(ipaAllowedToPerform=*ipaserver.example.com*)(l=*ipaserver.example.com*)(nsOsVersion=*ipaserver.example.com*)(fqdn=*ipaserver.example.com*)(managedBy=*ipaserver.example.com*)(krbPrincipalName=*ipaserver.example.com*)(nsHostLocation=*ipaserver.example.com*))(&(objectClass=ipaobject)(objectClass=nshost)(objectClass=ipahost)(objectClass=pkiuser)(objectClass=ipaservice)))" attrs="macAddress memberOf description nsHardwarePlatform ipaAllowedToPerform l nsOsVersion fqdn managedBy ipaAssignedIDView userCertificate krbPrincipalName nsHostLocation userClass"
[01/Jul/2015:12:57:34 +051800] conn=25 op=4 RESULT err=0 tag=101 nentries=0 etime=0 notes=U

It never returns.

# ldapsearch -LLL -Y GSSAPI -b "cn=computers,cn=accounts,dc=example,dc=com" '(&(|(description=*ipaserver.example.com*)(nsHardwarePlatform=*ipaserver.example.com*)(ipaAllowedToPerform=*ipaserver.example.com*)(l=*ipaserver.example.com*)(nsOsVersion=*ipaserver.example.com*)(fqdn=*ipaserver.example.com*)(managedBy=*ipaserver.example.com*)(krbPrincipalName=*ipaserver.example.com*)(nsHostLocation=*ipaserver.example.com*))(&(objectClass=ipaobject)(objectClass=nshost)(objectClass=ipahost)(objectClass=pkiuser)(objectClass=ipaservice)))'
SASL/GSSAPI authentication started
SASL username: tuser123@EXAMPLE.COM
SASL SSF: 56
SASL data security layer installed.


But when searched like

[root@ipaserver ~]# ipa host-find --host ipaserver.example.com
--------------
1 host matched
--------------
  Host name: ipaserver.example.com
  Principal name: host/ipaserver.example.com@EXAMPLE.COM
  Password: False
  Keytab: True
  Managed by: ipaserver.example.com
  SSH public key fingerprint: AA:0A:2E:30:F6:FC:8F:6E:57:9D:63:8B:43:CC:95:BD
(ssh-rsa), 93:F6:88:B4:4D:FE:0A:AC:CE:CD:81:34:B0:CE:3E:35
(ecdsa-sha2-nistp256), AF:6B:72:81:D2:93:63:0C:5D:C1:0F:45:63:3A:EE:04
(ssh-ed25519)
----------------------------
Number of entries returned 1
----------------------------


The first search is created like.

[01/Jul/2015:12:57:51 +051800] conn=26 op=4 SRCH base="cn=computers,cn=accounts,dc=example,dc=com" scope=1 filter="(&(&(objectClass=ipaobject)(objectClass=nshost)(objectClass=ipahost)(objectClass=pkiuser)(objectClass=ipaservice))(fqdn=ipaserver.example.com))" attrs="macAddress memberOf description nsHardwarePlatform ipaAllowedToPerform l nsOsVersion fqdn managedBy ipaAssignedIDView userCertificate krbPrincipalName nsHostLocation userClass"
[01/Jul/2015:12:57:51 +051800] conn=26 op=4 RESULT err=0 tag=101 nentries=1 etime=0


Which is returned.

# ldapsearch -LLL -Y GSSAPI -b "cn=computers,cn=accounts,dc=example,dc=com" '(&(&(objectClass=ipaobject)(objectClass=nshost)(objectClass=ipahost)(objectClass=pkiuser)(objectClass=ipaservice))(fqdn=ipaserver.example.com))'
SASL/GSSAPI authentication started
SASL username: tuser123@EXAMPLE.COM
SASL SSF: 56
SASL data security layer installed.
dn: fqdn=ipaserver.example.com,cn=computers,cn=accounts,dc=example,dc=com
cn: ipaserver.example.com
objectClass: ipaobject
objectClass: krbprincipal
objectClass: nshost
objectClass: top
objectClass: ipaservice
objectClass: pkiuser
objectClass: ipahost
objectClass: krbticketpolicyaux
objectClass: krbprincipalaux
objectClass: ipasshhost
objectClass: ipaSshGroupOfPubKeys
krbLastPwdChange: 20150630054454Z
fqdn: ipaserver.example.com
managedBy: fqdn=ipaserver.example.com,cn=computers,cn=accounts,dc=example,dc=c
 om
krbPrincipalName: host/ipaserver.example.com@EXAMPLE.COM
serverHostName: ipaserver
ipaUniqueID: 21f94072-1eeb-11e5-9756-00163e740a9e

Caused by ipaallowedtoperform in default_attributes. Same issue in services.

See also #5168

master:

  • 196ef09 adjust search so that it works for non-admin users

ipa-4-2:

  • e37821a adjust search so that it works for non-admin users

Metadata Update from @pvoborni:
- Issue assigned to pvoborni
- Issue set to the milestone: FreeIPA 4.2.1

2 years ago
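
One way to narrow down which filter attribute to check against the host ACIs, using the two access-log searches quoted in the ticket. This is an added example, not part of the original ticket or of FreeIPA; the log sample is the ticket's lines unwrapped with the attrs list trimmed, and the function names are illustrative.

```python
import re

# Sample input: the ticket's two SRCH/RESULT pairs, unwrapped, attrs="..." trimmed.
LOG = """\
[01/Jul/2015:12:57:34 +051800] conn=25 op=4 SRCH base="cn=computers,cn=accounts,dc=example,dc=com" scope=1 filter="(&(|(description=*ipaserver.example.com*)(nsHardwarePlatform=*ipaserver.example.com*)(ipaAllowedToPerform=*ipaserver.example.com*)(l=*ipaserver.example.com*)(nsOsVersion=*ipaserver.example.com*)(fqdn=*ipaserver.example.com*)(managedBy=*ipaserver.example.com*)(krbPrincipalName=*ipaserver.example.com*)(nsHostLocation=*ipaserver.example.com*))(&(objectClass=ipaobject)(objectClass=nshost)(objectClass=ipahost)(objectClass=pkiuser)(objectClass=ipaservice)))"
[01/Jul/2015:12:57:34 +051800] conn=25 op=4 RESULT err=0 tag=101 nentries=0 etime=0 notes=U
[01/Jul/2015:12:57:51 +051800] conn=26 op=4 SRCH base="cn=computers,cn=accounts,dc=example,dc=com" scope=1 filter="(&(&(objectClass=ipaobject)(objectClass=nshost)(objectClass=ipahost)(objectClass=pkiuser)(objectClass=ipaservice))(fqdn=ipaserver.example.com))"
[01/Jul/2015:12:57:51 +051800] conn=26 op=4 RESULT err=0 tag=101 nentries=1 etime=0
"""

SRCH = re.compile(r'conn=(\d+) op=(\d+) SRCH .*? filter="([^"]*)"')
RESULT = re.compile(r'conn=(\d+) op=(\d+) RESULT .*?nentries=(\d+)')
# An attribute name is what follows "(" up to a match operator (=, ~=, >=, <=).
ATTR = re.compile(r'\(([A-Za-z][A-Za-z0-9;.-]*)(?:=|~=|>=|<=)')


def filter_attrs(ldap_filter):
    """Attribute types asserted in an LDAP filter, objectClass excluded."""
    return {a.lower() for a in ATTR.findall(ldap_filter)} - {"objectclass"}


def searches(log_text):
    """Pair each SRCH with its RESULT by (conn, op): {key: (attrs, nentries)}."""
    pending, out = {}, {}
    for line in log_text.splitlines():
        m = SRCH.search(line)
        if m:
            pending[(m[1], m[2])] = filter_attrs(m[3])
            continue
        m = RESULT.search(line)
        if m and (m[1], m[2]) in pending:
            out[(m[1], m[2])] = (pending.pop((m[1], m[2])), int(m[3]))
    return out


def suspects(log_text):
    """Attributes asserted only by zero-result searches; review their ACIs first."""
    found = list(searches(log_text).values())
    empty = set().union(*(attrs for attrs, n in found if n == 0))
    matched = set().union(*(attrs for attrs, n in found if n > 0))
    return sorted(empty - matched)


if __name__ == "__main__":
    print(suspects(LOG))
```

On the ticket's log this leaves eight candidate attributes, among them ipaallowedtoperform, the one the ticket names as the cause.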
