[Freeipa-devel] weird data interaction

Rob Crittenden rcritten at redhat.com
Thu Jul 17 20:31:30 UTC 2014


Saw something very weird today but my setup was also a bit odd so it may
not be worthy of a ticket. Need a second opinion.

Ok, so I wanted to test Jan's CA patches. They don't apply to current
master due to the churn pre-4.0, so I just rewound the world to July 3
and applied them on the master branch. I don't believe the issues I'm
seeing are related to his patches in any way.

My environment is two masters, F-20, reasonably updated.

Ok, so I started with them with 3.3.5 installs as I wanted to test
upgrades. As a goof I ran the ipatests on one of them to simulate a
bunch of work. There were some failures but I didn't pay close attention
because testing in a replicated environment is a bit of an unknown
(there are some timing issues IIRC). Anyway, so then I updated one of
the masters to this pre-4.0 CA-patches build.

Then I re-ran the tests. These I took more notice of as about half of
them failed.

Most of them related to adding users and this is due to the user
objectclasses test we have. It can't revert a change:

On the 4.0-ish master:

# ipa config-mod --delattr ipauserobjectclasses=ipahost
ipa: ERROR: change collided with another change

Ouch. With ipahost in there nothing really adds correctly:

# ipa user-add --first=tim --last=user testuser2
ipa: ERROR: missing attribute "fqdn" required by object class "ipaHost"

On the 3.3.5 server I get a different, ACI-related error:

# ipa user-add --first=tim --last=user testuser
ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the
'member' attribute of entry
'cn=ipausers,cn=groups,cn=accounts,dc=greyoak,dc=com'.

The user is actually added, just not to the ipausers group.

And how, might you ask, did it get added at all? The config entry is
out-of-sync between the masters:

3.3.5: Default user objectclasses: top, person, organizationalperson,
inetorgperson, inetuser, posixaccount, krbprincipalaux,
krbticketpolicyaux, ipaobject, ipasshuser

4.0.0: Default user objectclasses: ipahost, ipaobject, person, top,
ipasshuser, inetorgperson, organizationalperson, krbticketpolicyaux,
krbprincipalaux, inetuser, posixaccount

So yeah, I've got a bit of a Frankenstein install going on here, but has
anyone else seen anything remotely similar?

rob
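
An added example, not part of the original message and not FreeIPA's own code: a Python check that compares the "Default user objectclasses" value reported by two masters and lists what differs, which is the kind of drift described above. The input is constructed from the two values quoted in the message; the function names are hypothetical.

```python
import re

LABEL = "Default user objectclasses"

# Constructed input: the two values exactly as quoted (and line-wrapped) in
# the message above, one per master.
MASTER_335 = """\
Default user objectclasses: top, person, organizationalperson,
inetorgperson, inetuser, posixaccount, krbprincipalaux,
krbticketpolicyaux, ipaobject, ipasshuser
"""
MASTER_400 = """\
Default user objectclasses: ipahost, ipaobject, person, top,
ipasshuser, inetorgperson, organizationalperson, krbticketpolicyaux,
krbprincipalaux, inetuser, posixaccount
"""

# A line that starts a different "Label: value" field ends the wrapped value.
NEXT_LABEL = re.compile(r"^[A-Za-z][\w ]*:(\s|$)")


def parse_objectclasses(text, label=LABEL):
    """Return the object classes listed under `label` as a lower-cased set.

    LDAP object class names are case-insensitive, so they are normalised.
    Wrapped continuation lines are read until a blank line or the next label.
    """
    parts, in_value = [], False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.lower().startswith(label.lower() + ":"):
            parts.append(stripped.split(":", 1)[1])
            in_value = True
        elif in_value:
            if not stripped or NEXT_LABEL.match(stripped):
                break
            parts.append(stripped)
    if not in_value:
        raise ValueError(f"{label!r} not found")
    return {oc.strip().lower() for oc in ",".join(parts).split(",") if oc.strip()}


def drift(a_text, b_text):
    """List object classes present on only one of the two masters."""
    a, b = parse_objectclasses(a_text), parse_objectclasses(b_text)
    return {"only_a": sorted(a - b), "only_b": sorted(b - a)}


if __name__ == "__main__":
    print(drift(MASTER_335, MASTER_400))
```

Run against the quoted values, the only difference is that ipahost appears on the 4.0.0 master alone; the ordering differences between the two lists are not drift.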



