On 11/14/2012 09:49 AM, Petr Viktorin wrote:
> On 11/13/2012 06:20 PM, Martin Kosek wrote:
>> On 11/13/2012 06:05 PM, Simo Sorce wrote:
>>> On Tue, 2012-11-13 at 17:46 +0100, Martin Kosek wrote:
>>>> Index task needs to be run for both index updates and new indexes,
>>>> otherwise some current values may not be indexed and could cause
>>>> issues when searching LDAP (like fqdn did).
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/3253
>>>>
>>>> ---
>>>>
>>>> This patch should be the only patch in the upcoming FreeIPA 2.2.2 bug fix
>>>> release (unless we want to backport more patches to 2.2 line). It should
>>>> fix a severe issue when SSSD was no longer able to authenticate users
>>>> against the updated 2.2.1 FreeIPA server.
>>>>
>>>> I specifically updated all index updates (even when the index definition is
>>>> already in LDAP) to make sure we fix any index where the upgrade failed
>>>> previously due to this bug. FreeIPA 3.0+ packages already contain a patch
>>>> (2ecfe571faf9291eab7ffacea2a1e94d5be0d689) to run index task for really
>>>> new/updated indexes only, but I would not backport that patch due to messed
>>>> fqdn index in 2.2.1.
>>>>
>>>> After the patch, 2.2.0 (2.2.1) -> 2.2.2 upgrade procedure should create all
>>>> required indexes, including fqdn index:
>>>>
>>>> # rpm -Uvh --force ~/freeipa-2-2-0/dist/rpms/freeipa-*
>>>> Preparing...                ########################################### [100%]
>>>>    1:freeipa-python         ########################################### [ 17%]
>>>>    2:freeipa-client         ########################################### [ 33%]
>>>>    3:freeipa-admintools     ########################################### [ 50%]
>>>>    4:freeipa-server         ########################################### [ 67%]
>>>> ipa: INFO: /usr/share/ipa/html/krb.js exists, skipping install of Firefox extension
>>>>    5:freeipa-server-selinux ########################################### [ 83%]
>>>>    6:freeipa-debuginfo      ########################################### [100%]
>>>>
>>>> # grep "Creating task to index" /var/log/ipaupgrade.log
>>>> 2012-11-13T16:06:35Z INFO Creating task to index attribute: memberuid
>>>> 2012-11-13T16:06:41Z INFO Creating task to index attribute: memberOf
>>>> 2012-11-13T16:06:47Z INFO Creating task to index attribute: memberHost
>>>> 2012-11-13T16:06:53Z INFO Creating task to index attribute: memberUser
>>>> 2012-11-13T16:06:59Z INFO Creating task to index attribute: fqdn <<<<<<
>>>> 2012-11-13T16:07:05Z INFO Creating task to index attribute: ntUniqueId
>>>> 2012-11-13T16:07:11Z INFO Creating task to index attribute: ntUserDomainId
>>>>
>>>
>>> Martin, does this mean we run these tasks for every rpm upgrade
>>> regardless? Or do we mark indexes as regenerated and do not repeat on
>>> the following rpm upgrade?
>>>
>>> Simo.
>>>
>>
>> In FreeIPA 2.* we run these tasks for every RPM upgrade - regardless of the
>> update status. I fixed that behavior in FreeIPA 3.0 where we now only run the
>> index task when the index is really updated or added (there is more reasoning
>> above, but I am open to suggestions).
>>
>> Martin
>
> Does this mean that if someone upgrades from 2.2.1 straight to 3.x, the
> indexes will be broken?
>

Correct. Although I doubt there would be people running 2.2.1-1 without
fixing the indexes at least with the workaround I provided and described on
freeipa-users and freeipa.org as sssd does not work in that case.

I have been already thinking about this issue previously, we may either add a
note to FreeIPA 3.x upgrade procedure for 2.2.1-1 users or make sure that
https://fedorahosted.org/freeipa/ticket/3255 is implemented before Fedora 18 GA.

Martin