Saw something very weird today but my setup was also a bit odd so it may not be worthy of a ticket. Need a second opinion.
Ok, so I wanted to test Jan's CA patches. They don't apply to current master due to the churn pre-4.0, so I just rewound the world to July 3 and applied them on the master branch. I don't believe the issues I'm seeing are related to his patches in any way.

My environment is two masters, F-20, reasonably updated.

Ok, so I started with them with 3.3.5 installs as I wanted to test upgrades. As a goof I ran the ipatests on one of them to simulate a bunch of work. There were some failures but I didn't pay close attention because testing in a replicated environment is a bit of an unknown (there are some timing issues IIRC).

Anyway, so then I updated one of the masters to this pre-4.0 CA-patches build. Then I re-ran the tests. These I took more notice of as about half of them failed. Most of them related to adding users and this is due to the user objectclasses test we have. It can't revert a change:

On the 4.0-ish master:

# ipa config-mod --delattr ipauserobjectclasses=ipahost
ipa: ERROR: change collided with another change

Ouch. With ipahost in there nothing really adds correctly:

# ipa user-add --first=tim --last=user testuser2
ipa: ERROR: missing attribute "fqdn" required by object class "ipaHost"

On the 3.3.5 server I get a different, ACI-related error:

# ipa user-add --first=tim --last=user testuser
ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'member' attribute of entry 'cn=ipausers,cn=groups,cn=accounts,dc=greyoak,dc=com'.

The user is actually added, just not to the ipausers group. And how, might you ask, did it get added at all?
The config entry is out-of-sync between the masters:

3.3.5:

Default user objectclasses: top, person, organizationalperson, inetorgperson, inetuser, posixaccount, krbprincipalaux, krbticketpolicyaux, ipaobject, ipasshuser

4.0.0:

Default user objectclasses: ipahost, ipaobject, person, top, ipasshuser, inetorgperson, organizationalperson, krbticketpolicyaux, krbprincipalaux, inetuser, posixaccount

So yeah, I've got a bit of a Frankenstein install going on here, but has anyone else seen anything remotely similar?

rob
