On 07/10/15 12:40, Martin Basti wrote:

On 10/07/2015 01:26 PM, Alex Williams wrote:
On 07/10/15 11:31, Martin Basti wrote:

On 10/07/2015 12:28 PM, Martin Basti wrote:

On 10/07/2015 12:10 PM, Alex Williams wrote:
On 07/10/15 10:57, Martin Basti wrote:

On 10/07/2015 11:23 AM, Alex Williams wrote:
On 07/10/15 09:53, Martin Basti wrote:

On 10/07/2015 09:49 AM, Alex Williams wrote:
Hi guys,

yesterday I finally managed to get our IPA3.0.0 servers in a state that I could upgrade the schema to dogtag 10, using the migration script and launched a new RHEL7.1 IPA4.1 server as a replica. Unfortunately, in both the new RHEL7.1 IPA4.1 server AND the old RHEL6.6 IPA3.0.0 server that I replicated from (Also happens to be our CRL master), I can no longer search for hosts or DNS entries, or host groups, either in the UI, or on the command line.

They're there, they show up when you go to the hosts, dns or user page in a list, but you cannot then refine the search. This is also true of ipa host-find and ipa hostgroup-find on the command line. Is this a bug in IPA4.1? Is it a schema issue? Is it just because we still have an IPA3 server running the show and an IPA4 replica? I can't really justify dropping our production IPA3 servers, if searching for records doesn't work in IPA4.1.

I still appear to be able to search in the UI of one of our other IPA3 servers, despite the fact it has had its schema updated and it has been connected to the new IPA4 server.

Thanks in advance for any help anyone can offer.




can you provide more info please:

* are you kinited as admin user?
* does ipa dnszone-find returns all results?
* does ipa dnszone-find <name of zone> return something?
* does ipa dnszone-show <name of zone> return the zone?

We had issue with access control, where non admin users cannot search for zones, I'm not sure about hosts, and host groups. I do not think that this is a schema upgrade issue nor related to Dogtag 10.


Hi Martin,

thanks for the quick response. So, I have not kinited as the admin user, however as root and as my own username (A member of the admins group in IPA), all of the commands you requested that I test, work fine. As it turns out, I can run all of the following on the command line, as my user, or as root and it all works fine. My colleague who attempted to do so this morning under his username, can do so if he kinits to admin. So I'm assuming the CLI bit, might be an ACL issue? Unfortunately, my user still cannot search for hosts, hostgroups, or DNS entries within the UI.

ipa user-find - returns a list of 100 users
ipa user-find $username - returns the details of that user
ipa host-find returns a list of 100 hosts
ipa host-find $hostname - returns the details of the host
ipa host-find $partial-hostname - returns a list of hosts which have the search string inside their hostname
ipa hostgroup-find - returns a list of hostgroups
ipa hostgroup-find $hostgroupname - returns details of the hostgroup



If I understand correctly, you as admin group user, can search in CLI and cannot search in webUI? That is weird.

For CLI part, IIRC this bug has been fixed in IPA 4.2, ACI in DS disallow some queries from user that are not in admin group.


Hi Martin,

yes, that's exactly right, we seem to be able to search in the CLI, provided we're in the admin group, or kinit to the admin user. For some reason though, searching in the UI brings back nothing at all. It works ok for users, but not for hosts, hostgroups, or DNS entries. All of the entries are there, they are listed in full when you visit the respective page, but even searching for a full hostname doesn't work, let alone part of it. CLI is always an option obviously, but we don't really want everyone who uses this to have to use the CLI, just to search for a hostname or DNS entry.
Please login in webUI as admin and try search, in this case search should work, if not, there is something broken.

I found related tickets:

But I found nothing about hosts and hostsgroup, I will prepare test environment and try.
Nevermind, here is hosts/hostgroup/service/netgroup ticket https://fedorahosted.org/freeipa/ticket/5167

I've also verified that replication of things like hosts and DNS entries is working perfectly well between the IPA4 and IPA3 servers. If I add a new DNS entry in IPA3, it shows up immediately in IPA4 and I can then delete it in IPA4 and it's removed instantly from the IPA3 server.



Hi Martin,

thanks for that, that does in fact seem to be the issue. As per your instructions, logging in as 'admin' to the UI, allows the search feature to work. That does beg the question as to how my user can use its kerberos ticket on the CLI, but not in the UI though? Either way, the fix for the issue looks to be trivial (Replacing a few python files by the looks of things), so I'll give that a go and at worst, I guess we may have to wait until RHEL7.2 becomes a release and we'll upgrade to that.



I see you have RHEL, please contact customer support, they may help you, don't do hotfixing by yourself.
Please share the tickets and information listed in this thread with them.
They may:
* approve hotfix for you
* or do z-stream release which will fix this
* or something else, I do not know

I do not understand what you mean by kerberos and webUI. WebUI uses the same commands as CLI, what does not work in CLI will not work in WebUI and vice versa. Also webUI do not need kerberos, there is also form based authentication (username/password)

Hi Martin,

thanks, I do have a ticket open with RHEL, but in all honesty, I tend to find they just don't answer very quickly at all through the support portal and it's much faster to find answers to these issues by speaking to you guys. The last issue I had, was in creating a replica of my existing IPA3 server, it took support 3 days, just to ask me for clarification on what I meant. Meanwhile, I fixed it by staying up late and talking to the PKI guys on IRC in the USA, who not only told me what my problem was, but created a new freeipa document, to back it up as well and make sure future users with the same issue can refer to it.

I'll point support at this thread and see what they come up with.

Thanks again for your help.

Kind Regards


Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to