Re: [Freeipa-devel] [PATCH 0399] Upgrade: fix upgrading of NIS Server configuration
On 11.01.2016 08:34, Alexander Bokovoy wrote:
> On Fri, 08 Jan 2016, Martin Basti wrote:
>> On 08.01.2016 16:22, Martin Basti wrote:
>>> On 08.01.2016 16:19, Petr Vobornik wrote:
>>>> On 01/08/2016 02:54 PM, Alexander Bokovoy wrote:
>>>>> On Wed, 06 Jan 2016, Martin Basti wrote:
>>>>>> https://fedorahosted.org/freeipa/ticket/5507
>>>>>>
>>>>>> Patch attached.
>>>>>>
>>>>>> Is proposed workaround in ticket enough or should I also prepare a update that will fix missing maps?
>>>>>
>>>>> The update you have is good but we need to recover missing maps. Given that we know which maps exist in the broken setup (those from 50-nis.update), it would make sense to check if only those CNs exist and then remove them and fire recovery.
>>>>
>>>> Could there be a situation where such state would be desired and the update would actually break user's setup?
>>>
>>> Only if user removed all these maps:
>>> "nis-domain={domain}+nis-map=passwd.byname,{suffix}",
>>> "nis-domain={domain}+nis-map=passwd.byuid,{suffix}",
>>> "nis-domain={domain}+nis-map=group.byname,{suffix}",
>>> "nis-domain={domain}+nis-map=group.bygid,{suffix}",
>>> "nis-domain={domain}+nis-map=netid.byname,{suffix}",
>>> "nis-domain={domain}+nis-map=netgroup,{suffix}",
>>
>> Updated patch attached.
>
> ACK: I did upgrade of an install where NIS was enabled last December and it had broken records as can be seen by CreateTimestamp. During upgrade new entries were added, restoring the proper configuration:
>
> # ldapsearch -LLL -H ldapi://%2fvar%2frun%2fslapd-RH-VDA-LI.socket -b cn=config '(nis-domain=*)' dn CreateTimestamp ModifyTimestamp
> SASL/EXTERNAL authentication started
> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> SASL SSF: 0
> dn: nis-domain=rh.vda.li+nis-map=ethers.byaddr,cn=NIS Server,cn=plugins,cn=config
> CreateTimestamp: 20151202162357Z
> ModifyTimestamp: 20151202162357Z
>
> dn: nis-domain=rh.vda.li+nis-map=ethers.byname,cn=NIS Server,cn=plugins,cn=config
> CreateTimestamp: 20151202162357Z
> ModifyTimestamp: 20151202162357Z
>
> dn: nis-domain=rh.vda.li+nis-map=group.bygid,cn=NIS Server,cn=plugins,cn=config
> CreateTimestamp: 20160111071241Z
> ModifyTimestamp: 20160111071241Z
>
> dn: nis-domain=rh.vda.li+nis-map=group.byname,cn=NIS Server,cn=plugins,cn=config
> CreateTimestamp: 20160111071241Z
> ModifyTimestamp: 20160111071241Z
>
> dn: nis-domain=rh.vda.li+nis-map=netgroup,cn=NIS Server,cn=plugins,cn=config
> CreateTimestamp: 20160111071242Z
> ModifyTimestamp: 20160111071242Z
>
> dn: nis-domain=rh.vda.li+nis-map=netid.byname,cn=NIS Server,cn=plugins,cn=config
> CreateTimestamp: 20160111071242Z
> ModifyTimestamp: 20160111071242Z
>
> dn: nis-domain=rh.vda.li+nis-map=passwd.byname,cn=NIS Server,cn=plugins,cn=config
> CreateTimestamp: 20160111071240Z
> ModifyTimestamp: 20160111071240Z
>
> dn: nis-domain=rh.vda.li+nis-map=passwd.byuid,cn=NIS Server,cn=plugins,cn=config
> CreateTimestamp: 20160111071240Z
> ModifyTimestamp: 20160111071240Z

Pushed to:
master: 1d56665fd2ed7025131793bb4b0cda35b12bba9f
ipa-4-3: aeafae40084798725b7ea99c86497c13567e10e8
ipa-4-2: 98a86d0efb5e3ecdc38eb51bf0e64dda52365a6d

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0399] Upgrade: fix upgrading of NIS Server configuration
On Fri, 08 Jan 2016, Martin Basti wrote:
> On 08.01.2016 16:22, Martin Basti wrote:
>> On 08.01.2016 16:19, Petr Vobornik wrote:
>>> On 01/08/2016 02:54 PM, Alexander Bokovoy wrote:
>>>> On Wed, 06 Jan 2016, Martin Basti wrote:
>>>>> https://fedorahosted.org/freeipa/ticket/5507
>>>>>
>>>>> Patch attached.
>>>>>
>>>>> Is proposed workaround in ticket enough or should I also prepare a update that will fix missing maps?
>>>>
>>>> The update you have is good but we need to recover missing maps. Given that we know which maps exist in the broken setup (those from 50-nis.update), it would make sense to check if only those CNs exist and then remove them and fire recovery.
>>>
>>> Could there be a situation where such state would be desired and the update would actually break user's setup?
>>
>> Only if user removed all these maps:
>> "nis-domain={domain}+nis-map=passwd.byname,{suffix}",
>> "nis-domain={domain}+nis-map=passwd.byuid,{suffix}",
>> "nis-domain={domain}+nis-map=group.byname,{suffix}",
>> "nis-domain={domain}+nis-map=group.bygid,{suffix}",
>> "nis-domain={domain}+nis-map=netid.byname,{suffix}",
>> "nis-domain={domain}+nis-map=netgroup,{suffix}",
>
> Updated patch attached.

ACK: I did upgrade of an install where NIS was enabled last December and it had broken records as can be seen by CreateTimestamp. During upgrade new entries were added, restoring the proper configuration:

# ldapsearch -LLL -H ldapi://%2fvar%2frun%2fslapd-RH-VDA-LI.socket -b cn=config '(nis-domain=*)' dn CreateTimestamp ModifyTimestamp
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: nis-domain=rh.vda.li+nis-map=ethers.byaddr,cn=NIS Server,cn=plugins,cn=config
CreateTimestamp: 20151202162357Z
ModifyTimestamp: 20151202162357Z

dn: nis-domain=rh.vda.li+nis-map=ethers.byname,cn=NIS Server,cn=plugins,cn=config
CreateTimestamp: 20151202162357Z
ModifyTimestamp: 20151202162357Z

dn: nis-domain=rh.vda.li+nis-map=group.bygid,cn=NIS Server,cn=plugins,cn=config
CreateTimestamp: 20160111071241Z
ModifyTimestamp: 20160111071241Z

dn: nis-domain=rh.vda.li+nis-map=group.byname,cn=NIS Server,cn=plugins,cn=config
CreateTimestamp: 20160111071241Z
ModifyTimestamp: 20160111071241Z

dn: nis-domain=rh.vda.li+nis-map=netgroup,cn=NIS Server,cn=plugins,cn=config
CreateTimestamp: 20160111071242Z
ModifyTimestamp: 20160111071242Z

dn: nis-domain=rh.vda.li+nis-map=netid.byname,cn=NIS Server,cn=plugins,cn=config
CreateTimestamp: 20160111071242Z
ModifyTimestamp: 20160111071242Z

dn: nis-domain=rh.vda.li+nis-map=passwd.byname,cn=NIS Server,cn=plugins,cn=config
CreateTimestamp: 20160111071240Z
ModifyTimestamp: 20160111071240Z

dn: nis-domain=rh.vda.li+nis-map=passwd.byuid,cn=NIS Server,cn=plugins,cn=config
CreateTimestamp: 20160111071240Z
ModifyTimestamp: 20160111071240Z

--
/ Alexander Bokovoy
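The check proposed in this thread (do only the maps left by the old 50-nis.update exist?) and the CreateTimestamp comparison used in the message above can be scripted over `ldapsearch -LLL` output. This is an added example, not part of any message or of the FreeIPA patch; the function names, state labels and the `example.test` sample entries are constructed for illustration.

```python
# Added example, not FreeIPA code. Map names are the ones listed in the thread.
MANAGED_MAPS = frozenset({"passwd.byname", "passwd.byuid", "group.byname",
                          "group.bygid", "netid.byname", "netgroup"})
# Maps present in the broken setup shown in the thread's ldapsearch listing.
UPDATE_ONLY_MAPS = frozenset({"ethers.byaddr", "ethers.byname"})

def parse_maps(ldif_text):
    """Return {map name: CreateTimestamp or None} from `ldapsearch -LLL` output."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold an LDIF continuation line
        else:
            lines.append(raw)
    maps, current = {}, None
    for line in lines:
        # Blank lines and SASL banner lines yield keys that match nothing below.
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "dn":
            current = None
            # Assumes map names contain no escaped ',' or '+'.
            for ava in value.split(",", 1)[0].split("+"):
                attr, _, val = ava.partition("=")
                if attr.strip().lower() == "nis-map":
                    current = val.strip()
                    maps[current] = None
        elif key == "createtimestamp" and current is not None:
            maps[current] = value
    return maps

def classify(maps):
    """Return (state, missing managed maps) for one server's NIS map set."""
    present = set(maps)
    missing = sorted(MANAGED_MAPS - present)
    if not present:
        return "no-maps", missing
    if present <= UPDATE_ONLY_MAPS:
        return "broken", missing          # only the update-file maps exist
    return ("partial" if missing else "ok"), missing

def added_later(maps):
    """Maps whose CreateTimestamp is newer than the oldest entry's."""
    stamps = [s for s in maps.values() if s]
    oldest = min(stamps) if stamps else None
    return sorted(m for m, s in maps.items() if s and s > oldest)

# Constructed sample of the broken state; the first dn is folded as LDIF allows.
BROKEN = """\
dn: nis-domain=example.test+nis-map=ethers.byaddr,cn=NIS Server,cn=plugins,c
 n=config
CreateTimestamp: 20151202162357Z

dn: nis-domain=example.test+nis-map=ethers.byname,cn=NIS Server,cn=plugins,cn=config
CreateTimestamp: 20151202162357Z
"""
# Constructed sample of the state after upgrade: managed maps added later.
UPGRADED = BROKEN + "".join(
    f"\ndn: nis-domain=example.test+nis-map={m},cn=NIS Server,cn=plugins,cn=config"
    f"\nCreateTimestamp: 20160111071240Z\n" for m in sorted(MANAGED_MAPS))
```

`classify(parse_maps(text))` reports `broken` for a server that has only the ethers maps, and `added_later` lists the entries that an upgrade created after the original ones.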
Re: [Freeipa-devel] [PATCH 0399] Upgrade: fix upgrading of NIS Server configuration
On 08.01.2016 16:22, Martin Basti wrote:
> On 08.01.2016 16:19, Petr Vobornik wrote:
>> On 01/08/2016 02:54 PM, Alexander Bokovoy wrote:
>>> On Wed, 06 Jan 2016, Martin Basti wrote:
>>>> https://fedorahosted.org/freeipa/ticket/5507
>>>>
>>>> Patch attached.
>>>>
>>>> Is proposed workaround in ticket enough or should I also prepare a update that will fix missing maps?
>>>
>>> The update you have is good but we need to recover missing maps. Given that we know which maps exist in the broken setup (those from 50-nis.update), it would make sense to check if only those CNs exist and then remove them and fire recovery.
>>
>> Could there be a situation where such state would be desired and the update would actually break user's setup?
>
> Only if user removed all these maps:
> "nis-domain={domain}+nis-map=passwd.byname,{suffix}",
> "nis-domain={domain}+nis-map=passwd.byuid,{suffix}",
> "nis-domain={domain}+nis-map=group.byname,{suffix}",
> "nis-domain={domain}+nis-map=group.bygid,{suffix}",
> "nis-domain={domain}+nis-map=netid.byname,{suffix}",
> "nis-domain={domain}+nis-map=netgroup,{suffix}",

Updated patch attached.

From 81744590c2570da1e1477b464d3614052cf6d8b1 Mon Sep 17 00:00:00 2001
From: Martin Basti
Date: Wed, 6 Jan 2016 19:47:22 +0100
Subject: [PATCH] Upgrade: Fix upgrade of NIS Server configuration

Former upgrade file always created the NIS Server container, that caused the ipa-nis-manage did not set all required NIS maps. Default creation of container has been removed. Updating of NIS Server configuration and NIS maps is done only if the NIS Server container exists.

https://fedorahosted.org/freeipa/ticket/5507
---
 install/share/Makefile.am | 1 +
 .../50-nis.update => share/nis-update.uldif} | 19 +
 install/updates/50-nis.update | 58 +--
 ipaplatform/base/paths.py | 1 +
 ipaserver/install/plugins/update_nis.py| 86 ++
 5 files changed, 92 insertions(+), 73 deletions(-)
 copy install/{updates/50-nis.update => share/nis-update.uldif} (91%)
 create mode 100644 ipaserver/install/plugins/update_nis.py
diff --git a/install/share/Makefile.am b/install/share/Makefile.am index 42f3972e1061fda5bfd23b2fa8f63d675f92f5ba..b4cb8312471a68d8cd855f542478afe10d200c39 100644 --- a/install/share/Makefile.am +++ b/install/share/Makefile.am @@ -61,6 +61,7 @@ app_DATA =\ memberof-task.ldif \ memberof-conf.ldif \ nis.uldif \ + nis-update.uldif \ opendnssec_conf.template \ opendnssec_kasp.template \ unique-attributes.ldif \ diff --git a/install/updates/50-nis.update b/install/share/nis-update.uldif similarity index 91% copy from install/updates/50-nis.update copy to install/share/nis-update.uldif index 149889ec7bdb38073eb6df88628792526cfe58e6..e602c1de061fbcece349b2d86970c4db5051473b 100644 --- a/install/updates/50-nis.update +++ b/install/share/nis-update.uldif @@ -1,20 +1,4 @@ -# NIS Server plugin must be disabled by default -# command 'ipa-nis-manage enable' enables NIS server -dn: cn=NIS Server,cn=plugins,cn=config -default:objectclass: top -default:objectclass: nsSlapdPlugin -default:objectclass: extensibleObject -default:cn: NIS Server -default:nsslapd-pluginpath: /usr/lib$LIBARCH/dirsrv/plugins/nisserver-plugin.so -default:nsslapd-plugininitfunc: nis_plugin_init -default:nsslapd-plugintype: object -default:nsslapd-pluginbetxn: on -default:nsslapd-pluginenabled: off -default:nsslapd-pluginid: nis-server -default:nsslapd-pluginversion: 0.10 -default:nsslapd-pluginvendor: redhat.com -default:nsslapd-plugindescription: NIS Server Plugin -default:nis-tcp-wrappers-name: nis-server +# Updates for NIS # Correct syntax error that caused users to not appear dn: nis-domain=$DOMAIN+nis-map=netgroup, cn=NIS Server, cn=plugins, cn=config 
@@ -52,4 +36,3 @@ default:nis-filter: (&(macAddress=*)(fqdn=*)(objectClass=ipaHost)) default:nis-keys-format: %mregsub("%{macAddress} %{fqdn}","(..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..) (.*)","%7") default:nis-values-format: %mregsub("%{macAddress} %{fqdn}","(..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..) (.*)","%1:%2:%3:%4:%5:%6 %7") default:nis-secure: no - diff --git a/install/updates/50-nis.update b/install/updates/50-nis.update index 149889ec7bdb38073eb6df88628792526cfe58e6..05a166f003aefc50fc25f10f01f7364d752425bc 100644 --- a/install/updates/50-nis.update +++ b/install/updates/50-nis.update @@ -1,55 +1,3 @@ -# NIS Server plugin must be disabled by default -# command 'ipa-nis-manage enable' enables NIS server -dn: cn=NIS Server,cn=plugins,cn=config -default:objectclass: top -default:objectclass: nsSlapdPlugin -default:objectclass: extensibleObject -default:cn: NIS Server -default:nsslapd-pluginpath: /usr/lib$LIBARCH/dirsrv/plugins/nisserver-plugin.so -default:nsslapd-plugininitfunc: nis_plugin_init -default:nsslapd-plugintype: object -default:nsslapd-pluginbetxn: on -default:nsslapd-pluginenabled: off -default:nsslapd-pluginid: nis-server
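Review bot: In install/share/nis-update.uldif (hunk @@ -1,20 +1,4 @@) the only header left is "# Updates for NIS", so the file no longer says that every entry in it sits under cn=NIS Server,cn=plugins,cn=config and that it is meant to be applied only when that container already exists. The removed lines carried the intent of the old file ("NIS Server plugin must be disabled by default", "command 'ipa-nis-manage enable' enables NIS server"); a replacement comment stating the precondition from the commit message would keep this file from being wired back into an unconditional update path later. The same precondition is worth a short comment in the three lines that remain in install/updates/50-nis.update.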
Re: [Freeipa-devel] [PATCH 0399] Upgrade: fix upgrading of NIS Server configuration
On Fri, 08 Jan 2016, Petr Vobornik wrote:
> On 01/08/2016 02:54 PM, Alexander Bokovoy wrote:
>> On Wed, 06 Jan 2016, Martin Basti wrote:
>>> https://fedorahosted.org/freeipa/ticket/5507
>>>
>>> Patch attached.
>>>
>>> Is proposed workaround in ticket enough or should I also prepare a update that will fix missing maps?
>>
>> The update you have is good but we need to recover missing maps. Given that we know which maps exist in the broken setup (those from 50-nis.update), it would make sense to check if only those CNs exist and then remove them and fire recovery.
>
> Could there be a situation where such state would be desired and the update would actually break user's setup?

It is highly unlikely someone would want to remove all maps but ethers.byaddr and ethers.byname. That's our bug right now.

--
/ Alexander Bokovoy
Re: [Freeipa-devel] [PATCH 0399] Upgrade: fix upgrading of NIS Server configuration
On 08.01.2016 16:19, Petr Vobornik wrote:
> On 01/08/2016 02:54 PM, Alexander Bokovoy wrote:
>> On Wed, 06 Jan 2016, Martin Basti wrote:
>>> https://fedorahosted.org/freeipa/ticket/5507
>>>
>>> Patch attached.
>>>
>>> Is proposed workaround in ticket enough or should I also prepare a update that will fix missing maps?
>>
>> The update you have is good but we need to recover missing maps. Given that we know which maps exist in the broken setup (those from 50-nis.update), it would make sense to check if only those CNs exist and then remove them and fire recovery.
>
> Could there be a situation where such state would be desired and the update would actually break user's setup?

Only if user removed all these maps:
"nis-domain={domain}+nis-map=passwd.byname,{suffix}",
"nis-domain={domain}+nis-map=passwd.byuid,{suffix}",
"nis-domain={domain}+nis-map=group.byname,{suffix}",
"nis-domain={domain}+nis-map=group.bygid,{suffix}",
"nis-domain={domain}+nis-map=netid.byname,{suffix}",
"nis-domain={domain}+nis-map=netgroup,{suffix}",
Re: [Freeipa-devel] [PATCH 0399] Upgrade: fix upgrading of NIS Server configuration
On 01/08/2016 02:54 PM, Alexander Bokovoy wrote:
> On Wed, 06 Jan 2016, Martin Basti wrote:
>> https://fedorahosted.org/freeipa/ticket/5507
>>
>> Patch attached.
>>
>> Is proposed workaround in ticket enough or should I also prepare a update that will fix missing maps?
>
> The update you have is good but we need to recover missing maps. Given that we know which maps exist in the broken setup (those from 50-nis.update), it would make sense to check if only those CNs exist and then remove them and fire recovery.

Could there be a situation where such state would be desired and the update would actually break user's setup?

--
Petr Vobornik
Re: [Freeipa-devel] [PATCH 0399] Upgrade: fix upgrading of NIS Server configuration
On Wed, 06 Jan 2016, Martin Basti wrote:
> https://fedorahosted.org/freeipa/ticket/5507
>
> Patch attached.
>
> Is proposed workaround in ticket enough or should I also prepare a update that will fix missing maps?

The update you have is good but we need to recover missing maps. Given that we know which maps exist in the broken setup (those from 50-nis.update), it would make sense to check if only those CNs exist and then remove them and fire recovery.

--
/ Alexander Bokovoy
[Freeipa-devel] [PATCH 0399] Upgrade: fix upgrading of NIS Server configuration
https://fedorahosted.org/freeipa/ticket/5507 Patch attached. Is proposed workaround in ticket enough or should I also prepare a update that will fix missing maps? From 39e1124314a66578022f7d7810fd6252af96fd80 Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Wed, 6 Jan 2016 19:47:22 +0100 Subject: [PATCH] Upgrade: Fix upgrade of NIS Server configuration Former upgrade file always created the NIS Server container, that caused the ipa-nis-manage did not set all required NIS maps. Default creation of container has been removed. Updating of NIS Server configuration and NIS maps is done only if the NIS Server container exists. https://fedorahosted.org/freeipa/ticket/5507 --- install/share/Makefile.am | 1 + .../50-nis.update => share/nis-update.uldif} | 19 +-- install/updates/50-nis.update | 58 ++ ipaplatform/base/paths.py | 1 + ipaserver/install/plugins/update_nis.py| 36 ++ 5 files changed, 42 insertions(+), 73 deletions(-) copy install/{updates/50-nis.update => share/nis-update.uldif} (91%) create mode 100644 ipaserver/install/plugins/update_nis.py diff --git a/install/share/Makefile.am b/install/share/Makefile.am index 42f3972e1061fda5bfd23b2fa8f63d675f92f5ba..b4cb8312471a68d8cd855f542478afe10d200c39 100644 --- a/install/share/Makefile.am +++ b/install/share/Makefile.am @@ -61,6 +61,7 @@ app_DATA =\ memberof-task.ldif \ memberof-conf.ldif \ nis.uldif \ + nis-update.uldif \ opendnssec_conf.template \ opendnssec_kasp.template \ unique-attributes.ldif \ diff --git a/install/updates/50-nis.update b/install/share/nis-update.uldif similarity index 91% copy from install/updates/50-nis.update copy to install/share/nis-update.uldif index 149889ec7bdb38073eb6df88628792526cfe58e6..e602c1de061fbcece349b2d86970c4db5051473b 100644 --- a/install/updates/50-nis.update +++ b/install/share/nis-update.uldif 
@@ -1,20 +1,4 @@ -# NIS Server plugin must be disabled by default -# command 'ipa-nis-manage enable' enables NIS server -dn: cn=NIS Server,cn=plugins,cn=config -default:objectclass: top -default:objectclass: nsSlapdPlugin -default:objectclass: extensibleObject -default:cn: NIS Server -default:nsslapd-pluginpath: /usr/lib$LIBARCH/dirsrv/plugins/nisserver-plugin.so -default:nsslapd-plugininitfunc: nis_plugin_init -default:nsslapd-plugintype: object -default:nsslapd-pluginbetxn: on -default:nsslapd-pluginenabled: off -default:nsslapd-pluginid: nis-server -default:nsslapd-pluginversion: 0.10 -default:nsslapd-pluginvendor: redhat.com -default:nsslapd-plugindescription: NIS Server Plugin -default:nis-tcp-wrappers-name: nis-server +# Updates for NIS # Correct syntax error that caused users to not appear dn: nis-domain=$DOMAIN+nis-map=netgroup, cn=NIS Server, cn=plugins, cn=config @@ -52,4 +36,3 @@ default:nis-filter: (&(macAddress=*)(fqdn=*)(objectClass=ipaHost)) default:nis-keys-format: %mregsub("%{macAddress} %{fqdn}","(..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..) (.*)","%7") default:nis-values-format: %mregsub("%{macAddress} %{fqdn}","(..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..) (.*)","%1:%2:%3:%4:%5:%6 %7") default:nis-secure: no - diff --git a/install/updates/50-nis.update b/install/updates/50-nis.update index 149889ec7bdb38073eb6df88628792526cfe58e6..05a166f003aefc50fc25f10f01f7364d752425bc 100644 --- a/install/updates/50-nis.update +++ b/install/updates/50-nis.update 
@@ -1,55 +1,3 @@ -# NIS Server plugin must be disabled by default -# command 'ipa-nis-manage enable' enables NIS server -dn: cn=NIS Server,cn=plugins,cn=config -default:objectclass: top -default:objectclass: nsSlapdPlugin -default:objectclass: extensibleObject -default:cn: NIS Server -default:nsslapd-pluginpath: /usr/lib$LIBARCH/dirsrv/plugins/nisserver-plugin.so -default:nsslapd-plugininitfunc: nis_plugin_init -default:nsslapd-plugintype: object -default:nsslapd-pluginbetxn: on -default:nsslapd-pluginenabled: off -default:nsslapd-pluginid: nis-server -default:nsslapd-pluginversion: 0.10 -default:nsslapd-pluginvendor: redhat.com -default:nsslapd-plugindescription: NIS Server Plugin -default:nis-tcp-wrappers-name: nis-server - -# Correct syntax error that caused users to not appear -dn: nis-domain=$DOMAIN+nis-map=netgroup, cn=NIS Server, cn=plugins, cn=config -replace:nis-value-format: %merge(" ","%{memberNisNetgroup}","(%link(\"%ifeq(\\\"hostCategory\\\",\\\"all\\\",\\\"\\\",\\\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\"memberHost\\\",\\\"fqdn\\\")\\\",\\\"%deref_r(\\\"member\\\",\\\"fqdn\\\")\\\",\\\"%deref_r(\\\"memberHost\\\",\\\"member\\\",\\\"fqdn\\\")\\\")\\\")\",\"-\",\",\",\"%ifeq(\\\"userCategory\\\",\\\"all\\\",\\\"\\\",\\\"%collect(\\\"%der
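Review bot: The install/updates/50-nis.update hunk (@@ -1,55 +1,3 @@) stops future upgrades from creating cn=NIS Server,cn=plugins,cn=config, but it does nothing for servers where the old update file has already created that container. Per the commit message the remaining updates run whenever the container exists, so on those servers the check passes while the maps that ipa-nis-manage would have added are still missing. The upgrade plugin should also cover the case where the container is present but those maps are not, and the commit message should say how that state is recovered.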