[Freeipa-devel] [PATCHES] 22-24 Add initial support for ID ranges

Martin Kosek mkosek at redhat.com
Mon Jul 2 10:34:00 UTC 2012


On 07/02/2012 12:16 PM, Klaus Eckel wrote:
> hi all,
> when I tried to install FreeIPA 2.99.0 on Fedora 17 I got the following error:
> 
> [root at linux yum.repos.d]# cat ipa-devel.repo
> [ipa-devel]
> name=IPA development $releasever - $basearch
> baseurl=http://jdennis.fedorapeople.org/ipa-devel/fedora/$releasever/$basearch/os/
> 
> enabled=1
> gpgcheck=0
> 
> new yum update ..
> 
> [root at linux yum.repos.d]# uname -a
> Linux linux.fritz.box 3.4.4-3.fc17.x86_64 #1 SMP Tue Jun 26 20:54:56 UTC 2012
> x86_64 x86_64 x86_64 GNU/Linux
> 
> freeipa-server-2.99.0-0.20120630T2358Zgit50ebd1a.fc17.x86_64..
> 
> ipa-server-install  -a ###t --hostname=linux.fritz.box -r fritz.box -p ######
> -n fritz.box  -U
> 
>   [21/36]: adding default layout
> Unexpected error - see /var/log/ipaserver-install.log for details:
> KeyError: 'REALM_id_range'
> 
> log ..
> 
> 2012-07-02T10:07:32Z DEBUG   [21/36]: adding default layout
> 2012-07-02T10:07:32Z INFO   File
> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 696,
> in run_script
>     return_value = main_function()
> 
>   File "/sbin/ipa-server-install", line 958, in main
>     hbac_allow=not options.hbac_allow)
> 
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line
> 249, in create_instance
>     self.start_creation("Configuring directory server", 60)
> 
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line
> 259, in start_creation
>     method()
> 
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line
> 569, in __add_default_layout
>     self._ldap_mod("bootstrap-template.ldif", self.sub_dict)
> 
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line
> 98, in _ldap_mod
>     txt = ipautil.template_file(path, sub_dict)
> 
>   File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 218, in
> template_file
>     return template_str(txt, vars)
> 
>   File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 206, in
> template_str
>     val = string.Template(txt).substitute(vars)
> 
>   File "/usr/lib64/python2.7/string.py", line 172, in substitute
>     return self.pattern.sub(convert, self.template)
> 
>   File "/usr/lib64/python2.7/string.py", line 162, in convert
>     val = mapping[named]
> 
> 2012-07-02T10:07:32Z INFO The ipa-server-install command failed, exception:
> KeyError: 'REALM_id_range'
> 
> thx klaus
> 
> Best Regards,
> Klaus Eckel
> <http://w3.ibm.com/bluepages/simpleSearch.wss?searchBy=name&searchFor=Eckel,
> Klaus>, UNIX
> Consultant HPC (AIX,Linux) GPFS, BIA, SAP
> ITS/STG (SSIS)
> Server, Storage & Data Infrastructure Services 	IBM Deutschland GmbH
> <http://www.ibm.com/de/>
> Laatzener str, 1
> 30539 Hannover
> Germany 	Email: keckel at de.ibm.com <mailto:keckel at de.ibm.com>
> Phone: +49-(0)52319489906
> Mobile: +49 (0)170 6323416
> 
> 
> 
> freeipa-devel-bounces at redhat.com wrote on 07/02/2012 09:55:36 AM:
> 
>> From:
>>
>> Martin Kosek <mkosek at redhat.com>
>>
>> To:
>>
>> Rob Crittenden <rcritten at redhat.com>,
>>
>> Cc:
>>
>> freeipa-devel at redhat.com
>>
>> Date:
>>
>> 07/02/2012 09:57 AM
>>
>> Subject:
>>
>> Re: [Freeipa-devel] [PATCHES] 22-24 Add initial support for ID ranges
>>
>> Sent by:
>>
>> freeipa-devel-bounces at redhat.com
>>
>> On 06/30/2012 12:01 AM, Rob Crittenden wrote:
>> > Rob Crittenden wrote:
>> >> Rob Crittenden wrote:
>> >>> Alexander Bokovoy wrote:
>> >>>> On Fri, 29 Jun 2012, Sumit Bose wrote:
>> >>>>> On Wed, Jun 27, 2012 at 09:19:36PM +0200, Sumit Bose wrote:
>> >>>>>> On Tue, Jun 26, 2012 at 12:30:14PM +0200, Sumit Bose wrote:
>> >>>>>> > On Sun, Jun 17, 2012 at 09:47:20PM +0200, Sumit Bose wrote:
>> >>>>>> > > On Thu, Jun 14, 2012 at 02:25:01PM +0200, Sumit Bose wrote:
>> >>>>>> > > > On Thu, Jun 14, 2012 at 07:54:40AM -0400, Simo Sorce wrote:
>> >>>>>> > > > > On Thu, 2012-06-14 at 12:35 +0200, Sumit Bose wrote:
>> >>>>>> > > > > > On Wed, Jun 13, 2012 at 08:38:23PM -0400, Simo Sorce wrote:
>> >>>>>> > > > > > > On Wed, 2012-06-13 at 21:17 +0200, Sumit Bose wrote:
>> >>>>>> > > > > > > >
>> >>>>>> > > > > > > > to keep track of the different ranges we use for
>> >>>>>> UIDs/GIDs for local
>> >>>>>> > > > > > > > users/groups and users from trusted domains new range
>> >>>>>> objects are
>> >>>>>> > > > > > > > introduced which are stored below
>> >>>>>> cn=range,cn=etc,$SUFFIX.
>> >>>>>> > > > > > > >
>> >>>>>> > > > > > > > 0022: LDAP schema update
>> >>>>>> > > > > > >
>> >>>>>> > > > > > > ack
>> >>>>>> > > > > > >
>> >>>>>> > > > > > > > 0023: Create a range object during installation for the
>> >>>>>> local ID range
>> >>>>>> > > > > > >
>> >>>>>> > > > > > > nack, I think we need to find a way to handle adding at
>> >>>>>> least the base
>> >>>>>> > > > > > > range on update. Otherwise an updated server won't be
>> >>>>>> able to have IDs
>> >>>>>> > > > > > > for most of its users.
>> >>>>>> > > > > >
>> >>>>>> > > > > > I fully agree, but since we said that we concentrate on
>> >>>>>> update issues in
>> >>>>>> > > > > > beta2 I wanted to send the version for the fresh install
>> >>>>>> first to allow
>> >>>>>> > > > > > testing.
>> >>>>>> > > > >
>> >>>>>> > > > > The reason I'd like updates is that this patchset can be
>> >>>>>> installed on
>> >>>>>> > > > > top of existing servers for testing w/o having to reinstall
>> >>>>>> from scratch
>> >>>>>> > > > > or manually creating the ipaDomainIDRange object :):)
>> >>>>>> > > >
>> >>>>>> > > > ok, will do.
>> >>>>>> > > >
>> >>>>>> > > > Do you otherwise agree with the patches or is there something I
>> >>>>>> should
>> >>>>>> > > > change while adding the updates?
>> >>>>>> > > >
>> >>>>>> > > > bye,
>> >>>>>> > > > Sumit
>> >>>>>> > > >
>> >>>>>> > > > >
>> >>>>>> > > > > > >
>> >>>>>> > > > > > > > 0024: add primary and secondary RID base to the local
>> >>>>>> range object
>> >>>>>> > > > > > > >       during ipa-adtrust-install
>> >>>>>> > > > > > >
>> >>>>>> > > > > > > Not sure if setting the range belongs in the previous
>> >>>>>> patch or this one.
>> >>>>>> > > > > >
>> >>>>>> > > > > > I think it is right here, because a plain IPA server does
>> >>>>>> not need the
>> >>>>>> > > > > > RID related attributes.
>> >>>>>> > > > > >
>> >>>>>> > > > > > > We might decide to ask questions during
>> >>>>>> ipa-adtrust-install if the range
>> >>>>>> > > > > > > is not available, maybe presenting a set of pre-canned
>> >>>>>> choices if we can
>> >>>>>> > > > > > > detect them.
>> >>>>>> > > > > >
>> >>>>>> > > > > > I agree here, too. But as above I would like to handle
>> >>>>>> update issues
>> >>>>>> > > > > > in a second round.
>> >>>>>> > > > > >
>> >>>>>> > > > > > >
>> >>>>>> > > > > > > Finally I think we need to do a search with uid/gidNumber
>> >>>>>> < base and
>> >>>>>> > > > > > > uid/gidNumber > max and prompt/warn the user if we detect
>> >>>>>> any ID that
>> >>>>>> > > > > > > falls outside the configured range (either because we
>> >>>>>> failed to detect
>> >>>>>> > > > > > > ranges on upgrade and the user botched the question or
>> >>>>>> because the admin
>> >>>>>> > > > > > > added arbitrary IDs).
>> >>>>>> > > > > > > If a warning we should warn that missing a range that
>> >>>>>> suitably covers
>> >>>>>> > > > > > > these IDs, those users/groups will not be available for
>> >>>>>> the trust.
>> >>>>>> > > > > > >
>> >>>>>> > > > > > > Maybe we should also have a simple ipa command that can
>> >>>>>> list all
>> >>>>>> > > > > > > users/groups that fall outside the ranges as well.
>> >>>>>> > > > > >
>> >>>>>> > > > > > I'm working on the ranges cli plugin to allow 'ipa
>> >>>>>> range-add', 'ipa
>> >>>>>> > > > > > range-find' etc. I can add it there.
>> >>>>>> > > > > >
>> >>>>>> > >
>> >>>>>> > > Hi,
>> >>>>>> > >
>> >>>>>> > > this new series of patches adds the cli plugin to create the ID
>> >>>>>> ranges
>> >>>>>> > > manually. I'm still working on a detection of the locally used id
>> >>>>>> range
>> >>>>>> > > of an upgrade domain in ipa-adtrust-install and a plugin which
>> >>>>>> rejects
>> >>>>>> > > new ranges which overlap with existing ones.
>> >>>>>> > >
>> >>>>>> > > bye,
>> >>>>>> > > Sumit
>> >>>>>> >
>> >>>>>> > the attached patch adds a preop plugin which checks for overlaps
>> >>>>>> with
>> >>>>>> > existing ranges.
>> >>>>>> >
>> >>>>>> > bye,
>> >>>>>> > Sumit
>> >>>>>>
>> >>>>>> Finally I added a method to guess and create the initial ID range,
>> >>>>>> if none
>> >>>>>> is present, e.g. when updating from an older version of freeIPA. A
>> >>>>>> full series of patches is attached.
>> >>>>>>
>> >>>>>> bye,
>> >>>>>> Sumit
>> >>>>>
>> >>>>> This version of patches fixes review comments by Alexander and also
>> >>>>> adds
>> >>>>> some test for the range CLI plugin which were kindly provided by
>> >>>>> Alexander.
>> >>>> ACK
>> >>>>
>> >>>
>> >>> These patches aren't applying for me.
>> >>>
>> >>> rob
>> >>
>> >> Hmm. Pulled a fresh tree and they imported fine.
>> >>
>> >> pushed to master
>> >>
>> >> rob
>> >
>> > I had only pushed 22-24 before, pushed 25 and 29 as well.
>> >
>> > rob
>> >
>>
>> I examined the latest changes and found several rather serious issues which
>> will break this functionality on upgraded servers:
>>
>> https://fedorahosted.org/freeipa/ticket/2891
>>
>> Martin
>>

Hello Klaus,

Thanks for reporting this. We already know about this issue and it will be
fixed soon in the scope of ticket 2891, which I filed and am working on right now.

Martin
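As an added example (not part of the thread and not FreeIPA's own code), the two checks the thread discusses modelled in Python: the preop-style rejection of a new range that overlaps an existing one, and Simo's search for uidNumber/gidNumber values that fall outside every configured range. Range entries are constructed dicts whose keys `base` and `size` are assumed names, not FreeIPA's real LDAP attributes.

```python
from typing import Dict, Iterable, List, Optional

# Constructed stand-ins for the ipaDomainIDRange entries stored below
# cn=range,cn=etc,$SUFFIX. The keys 'base' and 'size' are assumptions for
# this example, not the actual attribute names used by FreeIPA.
EXISTING_RANGES: List[Dict] = [
    {"cn": "EXAMPLE.TEST_id_range", "base": 1_000_000, "size": 200_000},
]


def range_end(r: Dict) -> int:
    """Last ID covered by a range (inclusive)."""
    return r["base"] + r["size"] - 1


def overlaps(a: Dict, b: Dict) -> bool:
    """True when the two ranges share at least one ID."""
    return a["base"] <= range_end(b) and b["base"] <= range_end(a)


def find_overlap(new_range: Dict, existing: Iterable[Dict]) -> Optional[str]:
    """Return the cn of the first existing range that overlaps new_range,
    or None if the new range can be added. This is the decision a preop
    plugin would make before letting the add proceed."""
    if new_range["size"] <= 0:
        raise ValueError("range size must be positive")
    for r in existing:
        if overlaps(new_range, r):
            return r["cn"]
    return None


def ids_outside_ranges(ids: Iterable[int], ranges: List[Dict]) -> List[int]:
    """uidNumber/gidNumber values not covered by any configured range.
    Users/groups with such IDs cannot be mapped for the trust, which is
    why the thread suggests warning the admin about them."""
    return sorted(i for i in ids
                  if not any(r["base"] <= i <= range_end(r) for r in ranges))


if __name__ == "__main__":
    # Constructed sample: a range starting right after the existing one is fine,
    # one that reuses its last ID is rejected.
    print(find_overlap({"cn": "new", "base": 1_200_000, "size": 100_000}, EXISTING_RANGES))
    print(find_overlap({"cn": "bad", "base": 1_199_999, "size": 1}, EXISTING_RANGES))
    print(ids_outside_ranges([500, 1_000_000, 1_150_000, 1_200_000], EXISTING_RANGES))
```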
