On 07/10/15 12:40, Martin Basti wrote:
On 10/07/2015 01:26 PM, Alex Williams wrote:
On 07/10/15 11:31, Martin Basti wrote:
On 10/07/2015 12:28 PM, Martin Basti wrote:
On 10/07/2015 12:10 PM, Alex Williams wrote:
On 07/10/15 10:57, Martin Basti wrote:
On 10/07/2015 11:23 AM, Alex Williams wrote:
On 07/10/15 09:53, Martin Basti wrote:
On 10/07/2015 09:49 AM, Alex Williams wrote:
Hi guys,
yesterday I finally managed to get our IPA3.0.0 servers in a
state that I could upgrade the schema to dogtag 10, using the
migration script and launched a new RHEL7.1 IPA4.1 server as a
replica. Unfortunately, in both the new RHEL7.1 IPA4.1 server
AND the old RHEL6.6 IPA3.0.0 server that I replicated from
(Also happens to be our CRL master), I can no longer search
for hosts or DNS entries, or host groups, either in the UI, or
on the command line.
They're there, they show up when you go to the hosts, dns or
user page in a list, but you cannot then refine the search.
This is also true of ipa host-find and ipa hostgroup-find on
the command line. Is this a bug in IPA4.1? Is it a schema
issue? Is it just because we still have an IPA3 server running
the show and an IPA4 replica? I can't really justify dropping
our production IPA3 servers, if searching for records doesn't
work in IPA4.1.
I still appear to be able to search in the UI of one of our
other IPA3 servers, despite the fact it has had its schema
updated and it has been connected to the new IPA4 server.
Thanks in advance for any help anyone can offer.
Cheers
Alex
Hello,
can you provide more info please:
* are you kinited as the admin user?
* does ipa dnszone-find return all results?
* does ipa dnszone-find <name of zone> return something?
* does ipa dnszone-show <name of zone> return the zone?
We had an issue with access control, where non-admin users cannot
search for zones, I'm not sure about hosts and host groups.
I do not think that this is a schema upgrade issue nor related
to Dogtag 10.
Martin
Hi Martin,
thanks for the quick response. So, I have not kinited as the
admin user, however as root and as my own username (A member of
the admins group in IPA), all of the commands you requested that
I test, work fine. As it turns out, I can run all of the
following on the command line, as my user, or as root and it all
works fine. My colleague who attempted to do so this morning
under his username, can do so if he kinits to admin. So I'm
assuming the CLI bit, might be an ACL issue? Unfortunately, my
user still cannot search for hosts, hostgroups, or DNS entries
within the UI.
ipa user-find - returns a list of 100 users
ipa user-find $username - returns the details of that user
ipa host-find - returns a list of 100 hosts
ipa host-find $hostname - returns the details of the host
ipa host-find $partial-hostname - returns a list of hosts which have the search string inside their hostname
ipa hostgroup-find - returns a list of hostgroups
ipa hostgroup-find $hostgroupname - returns details of the hostgroup
Regards
Alex
If I understand correctly, you, as an admin group user, can search in
the CLI and cannot search in the webUI? That is weird.
For the CLI part, IIRC this bug has been fixed in IPA 4.2, ACI in DS
disallows some queries from users that are not in the admin group.
Martin
Hi Martin,
yes, that's exactly right, we seem to be able to search in the
CLI, provided we're in the admin group, or kinit to the admin
user. For some reason though, searching in the UI brings back
nothing at all. It works ok for users, but not for hosts,
hostgroups, or DNS entries. All of the entries are there, they are
listed in full when you visit the respective page, but even
searching for a full hostname doesn't work, let alone part of it.
CLI is always an option obviously, but we don't really want
everyone who uses this to have to use the CLI, just to search for
a hostname or DNS entry.
Please log in to the webUI as admin and try a search, in this case search
should work, if not, there is something broken.
I found related tickets:
https://fedorahosted.org/freeipa/ticket/5055
https://fedorahosted.org/freeipa/ticket/5130
But I found nothing about hosts and hostgroups, I will prepare a test
environment and try.
Never mind, here is the hosts/hostgroup/service/netgroup ticket:
https://fedorahosted.org/freeipa/ticket/5167
I've also verified that replication of things like hosts and DNS
entries is working perfectly well between the IPA4 and IPA3
servers. If I add a new DNS entry in IPA3, it shows up immediately
in IPA4 and I can then delete it in IPA4 and it's removed
instantly from the IPA3 server.
Cheers
Alex
Hi Martin,
thanks for that, that does in fact seem to be the issue. As per your
instructions, logging in as 'admin' to the UI, allows the search
feature to work. That does beg the question as to how my user can use
its Kerberos ticket on the CLI, but not in the UI though? Either way,
the fix for the issue looks to be trivial (Replacing a few python
files by the looks of things), so I'll give that a go and at worst, I
guess we may have to wait until RHEL7.2 becomes a release and we'll
upgrade to that.
Cheers
Alex
I see you have RHEL, please contact customer support, they may help
you, don't do hotfixing by yourself.
Please share the tickets and information listed in this thread with them.
They may:
* approve a hotfix for you
* or do a z-stream release which will fix this
* or something else, I do not know
I do not understand what you mean by Kerberos and webUI. WebUI uses
the same commands as the CLI, what does not work in the CLI will not work in
the WebUI and vice versa. Also the webUI does not need Kerberos, there is also
form-based authentication (username/password).
Martin
Hi Martin,
thanks, I do have a ticket open with RHEL, but in all honesty, I tend to
find they just don't answer very quickly at all through the support
portal and it's much faster to find answers to these issues by speaking
to you guys. The last issue I had, was in creating a replica of my
existing IPA3 server, it took support 3 days, just to ask me for
clarification on what I meant. Meanwhile, I fixed it by staying up late
and talking to the PKI guys on IRC in the USA, who not only told me what
my problem was, but created a new freeipa document, to back it up as
well and make sure future users with the same issue can refer to it.
I'll point support at this thread and see what they come up with.
Thanks again for your help.
Kind Regards
Alex
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project