[Freeipa-devel] [PATCH] 134 Improve handling of GIDs when migrating groups

Rob Crittenden rcritten at redhat.com
Wed Oct 12 20:33:11 UTC 2011


Martin Kosek wrote:
> On Thu, 2011-10-06 at 21:31 -0400, Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> On Wed, 2011-10-05 at 13:44 -0400, Rob Crittenden wrote:
>>>> Martin Kosek wrote:
>>>>> Since IPA v2 server already contains predefined groups that may collide
>>>>> with groups in migrated (IPA v1) server (for example admins, ipausers),
>>>>> users having a colliding group as their primary group may happen to belong
>>>>> to an unknown group on new IPA v2 server.
>>>>>
>>>>> Implement --group-overwrite-gid option to overwrite GID of already
>>>>> existing groups to prevent this issue.
>>>>>
>>>>> https://fedorahosted.org/freeipa/ticket/1866
>>>>
>>>> For argument's sake, what is the user going to see the first time they
>>>> run this? I assume they won't think about these duplicate groups and
>>>> just do the migration. This means that the result may be some users
>>>> pointing to non-existent GIDs.
>>>
>>> At first I was thinking about making the GID the default behavior and
>>> just add flag "--dont-overwrite-gid". But I was afraid this could do some
>>> damage and change GIDs where it is not required. However, I made some
>>> improvements in this area, please see below.
>>>
>>>>
>>>> If they re-run the migration with this option will it then fix
>>>> everything up?
>>>
>>> Yep.
>>>
>>>>
>>>> I'm wondering if we need a --test argument so people can run the
>>>> migration w/o writing entries to look for problems like this.
>>>>
>>>> rob
>>>
>>> If we want to do this, we would have to add a lot of LDAP query checks
>>> since we mostly try doing the LDAP write and write failures in case of an
>>> exception.
>>>
>>> However, I updated the patch so that the user is notified about existence of
>>> --group-overwrite-gid option better. If a migration of a group with a
>>> GID number fails because of DuplicateError, a notice about GID is
>>> displayed. This should make him check this situation and either use
>>> group-mod --gidnumber=... or re-run the migration with
>>> --group-overwrite-gid.
>>>
>>> I also updated the Password option not to ask user for LDAP password
>>> twice, because it makes me really mad :-)
>>>
>>> Martin
>>
>> # ipa migrate-ds ldap://panther.greyoak.com
>> --user-container=cn=users,cn=accounts
>> --group-container=cn=groups,cn=accounts
>> --user-ignore-objectclass=radiusprofile
>> Password:
>> ipa: ERROR: an internal error has occurred
>>
>> [Thu Oct 06 21:28:49 2011] [error] ipa: ERROR: non-public: TypeError:
>> _post_migrate_user() got an unexpected keyword argument 'options'
>> [Thu Oct 06 21:28:49 2011] [error] Traceback (most recent call last):
>> [Thu Oct 06 21:28:49 2011] [error]   File
>> "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 223, in
>> wsgi_execute
>> [Thu Oct 06 21:28:49 2011] [error]     result =
>> self.Command[name](*args, **options)
>> [Thu Oct 06 21:28:49 2011] [error]   File
>> "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 432, in __call__
>> [Thu Oct 06 21:28:49 2011] [error]     ret = self.run(*args, **options)
>> [Thu Oct 06 21:28:49 2011] [error]   File
>> "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 738, in run
>> [Thu Oct 06 21:28:49 2011] [error]     return self.execute(*args, **options)
>> [Thu Oct 06 21:28:49 2011] [error]   File
>> "/usr/lib/python2.7/site-packages/ipalib/plugins/migration.py", line
>> 633, in execute
>> [Thu Oct 06 21:28:49 2011] [error]     ldap, config, ds_ldap,
>> ds_base_dn, options
>> [Thu Oct 06 21:28:49 2011] [error]   File
>> "/usr/lib/python2.7/site-packages/ipalib/plugins/migration.py", line
>> 602, in migrate
>> [Thu Oct 06 21:28:49 2011] [error]     options = options,
>> [Thu Oct 06 21:28:49 2011] [error] TypeError: _post_migrate_user() got
>> an unexpected keyword argument 'options'
>>
>> rob
>
> Ouch. This one must have come from some previous tries. And since the
> users were already migrated in my testing, it was left undiscovered. I
> wonder why pylint was quiet.
>
> Sending a fixed version, it should work fine now.
>
> Martin

ack, pushed to master and ipa-2-1
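
A pre-migration check for the GID collision discussed in this thread, in the spirit of the `--test` run suggested above. This is an added example, not FreeIPA code and not part of the patch: the function name, the dict fields and the sample entries are hypothetical and constructed.

```python
# Added illustration; not FreeIPA code. Names and data are hypothetical.
def find_gid_collisions(src_groups, src_users, dst_groups):
    """Report source groups whose cn already exists on the target with a
    different gidNumber, plus the users whose primary GID would no longer
    point at that group if the existing group's GID is not overwritten."""
    dst_by_cn = {g["cn"]: g["gidNumber"] for g in dst_groups}
    # GIDs that resolve on the target after a migration without overwrite:
    # pre-existing groups plus source groups that do not collide by name.
    resolvable = {g["gidNumber"]: g["cn"] for g in dst_groups}
    for g in src_groups:
        if g["cn"] not in dst_by_cn:
            resolvable.setdefault(g["gidNumber"], g["cn"])
    report = []
    for g in src_groups:
        dst_gid = dst_by_cn.get(g["cn"])
        if dst_gid is None or dst_gid == g["gidNumber"]:
            continue  # new group, or same GID on both sides: nothing to fix
        users = sorted(u["uid"] for u in src_users
                       if u["gidNumber"] == g["gidNumber"])
        report.append({
            "cn": g["cn"],
            "source_gid": g["gidNumber"],
            "target_gid": dst_gid,
            "users": users,
            # None: primary GID maps to no group at all on the target.
            # A name: users silently land in a different, unintended group.
            "resolves_to": resolvable.get(g["gidNumber"]),
        })
    return report

# Constructed sample data (IPA v1 source, IPA v2 target).
SRC_GROUPS = [{"cn": "admins", "gidNumber": 1001},
              {"cn": "ipausers", "gidNumber": 1002},
              {"cn": "staff", "gidNumber": 1004}]
SRC_USERS = [{"uid": "alice", "gidNumber": 1001},
             {"uid": "bob", "gidNumber": 1002},
             {"uid": "carol", "gidNumber": 1004},
             {"uid": "dave", "gidNumber": 1001}]
DST_GROUPS = [{"cn": "admins", "gidNumber": 1694000000},
              {"cn": "ipausers", "gidNumber": 1694000001},
              {"cn": "legacy", "gidNumber": 1002}]

if __name__ == "__main__":
    for row in find_gid_collisions(SRC_GROUPS, SRC_USERS, DST_GROUPS):
        print(row)
```

A `resolves_to` value naming another group deserves the closest look, because files and access rules keyed on that GID would then apply to the wrong set of users.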



