Re: [Freeipa-devel] [PATCH 0399] Upgrade: fix upgrading of NIS Server configuration

2016-01-11 Thread Martin Basti



On 11.01.2016 08:34, Alexander Bokovoy wrote:

On Fri, 08 Jan 2016, Martin Basti wrote:



On 08.01.2016 16:22, Martin Basti wrote:



On 08.01.2016 16:19, Petr Vobornik wrote:

On 01/08/2016 02:54 PM, Alexander Bokovoy wrote:

On Wed, 06 Jan 2016, Martin Basti wrote:

https://fedorahosted.org/freeipa/ticket/5507

Patch attached.

Is the proposed workaround in the ticket enough, or should I also prepare an
update that will fix missing maps?

The update you have is good but we need to recover missing maps.
Given that we know which maps exist in the broken setup (those from
50-nis.update), it would make sense to check if only those CNs exist and
then remove them and fire recovery.



Could there be a situation where such state would be desired and 
the update would actually break user's setup?

Only if user removed all these maps:

"nis-domain={domain}+nis-map=passwd.byname,{suffix}",
"nis-domain={domain}+nis-map=passwd.byuid,{suffix}",
"nis-domain={domain}+nis-map=group.byname,{suffix}",
"nis-domain={domain}+nis-map=group.bygid,{suffix}",
"nis-domain={domain}+nis-map=netid.byname,{suffix}",
"nis-domain={domain}+nis-map=netgroup,{suffix}",




Updated patch attached.

ACK: I did upgrade of an install where NIS was enabled last December and
it had broken records as can be seen by CreateTimestamp. During upgrade
new entries were added, restoring the proper configuration:

# ldapsearch  -LLL -H ldapi://%2fvar%2frun%2fslapd-RH-VDA-LI.socket -b cn=config '(nis-domain=*)' dn CreateTimestamp ModifyTimestamp
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: nis-domain=rh.vda.li+nis-map=ethers.byaddr,cn=NIS Server,cn=plugins,cn=config
CreateTimestamp: 20151202162357Z
ModifyTimestamp: 20151202162357Z

dn: nis-domain=rh.vda.li+nis-map=ethers.byname,cn=NIS Server,cn=plugins,cn=config
CreateTimestamp: 20151202162357Z
ModifyTimestamp: 20151202162357Z

dn: nis-domain=rh.vda.li+nis-map=group.bygid,cn=NIS Server,cn=plugins,cn=config
CreateTimestamp: 20160111071241Z
ModifyTimestamp: 20160111071241Z

dn: nis-domain=rh.vda.li+nis-map=group.byname,cn=NIS Server,cn=plugins,cn=config
CreateTimestamp: 20160111071241Z
ModifyTimestamp: 20160111071241Z

dn: nis-domain=rh.vda.li+nis-map=netgroup,cn=NIS Server,cn=plugins,cn=config
CreateTimestamp: 20160111071242Z
ModifyTimestamp: 20160111071242Z

dn: nis-domain=rh.vda.li+nis-map=netid.byname,cn=NIS Server,cn=plugins,cn=config
CreateTimestamp: 20160111071242Z
ModifyTimestamp: 20160111071242Z

dn: nis-domain=rh.vda.li+nis-map=passwd.byname,cn=NIS Server,cn=plugins,cn=config
CreateTimestamp: 20160111071240Z
ModifyTimestamp: 20160111071240Z

dn: nis-domain=rh.vda.li+nis-map=passwd.byuid,cn=NIS Server,cn=plugins,cn=config
CreateTimestamp: 20160111071240Z
ModifyTimestamp: 20160111071240Z




Pushed to:
master: 1d56665fd2ed7025131793bb4b0cda35b12bba9f
ipa-4-3: aeafae40084798725b7ea99c86497c13567e10e8
ipa-4-2: 98a86d0efb5e3ecdc38eb51bf0e64dda52365a6d

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
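
The check discussed in this thread (only the maps left by 50-nis.update present, the six listed maps missing) can be run against saved `ldapsearch -LLL` output. This is an added example, not part of the original messages and not the code in update_nis.py; the function names, the state labels and the example.test domain are assumptions made for illustration.

```python
# Added example: classify NIS Server map entries from `ldapsearch -LLL` output.
import re

REQUIRED_MAPS = {"passwd.byname", "passwd.byuid", "group.byname",
                 "group.bygid", "netid.byname", "netgroup"}  # listed in the thread
LEFTOVER_MAPS = {"ethers.byaddr", "ethers.byname"}  # all the broken setup had
# nis-map value inside the first (multi-valued) RDN; escaped commas not handled.
NIS_MAP_RDN = re.compile(r"[^,]*?nis-map=([^,+]+)", re.I)

# Constructed sample; DNs are folded as ldapsearch wraps them (leading space).
BROKEN_SAMPLE = """\
SASL/EXTERNAL authentication started
dn: nis-domain=example.test+nis-map=ethers.byaddr,cn=NIS Server,cn=plugins,cn
 =config
CreateTimestamp: 20151202162357Z

dn: nis-domain=example.test+nis-map=ethers.byname,cn=NIS Server,cn=plugins,cn
 =config
CreateTimestamp: 20151202162357Z
"""

def unfold(text):
    """Join LDIF continuation lines (a physical line starting with one space)."""
    out = []
    for raw in text.splitlines():
        if raw.startswith(" ") and out:
            out[-1] += raw[1:]
        else:
            out.append(raw)
    return out

def parse_maps(text):
    """Return {nis-map name: {attribute: value}} for each map entry."""
    maps, cur = {}, None
    for line in unfold(text):
        attr, sep, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn" or not sep:  # new entry, or a blank/noise line ends one
            m = NIS_MAP_RDN.match(value)
            cur = maps.setdefault(m.group(1), {"dn": value}) if m else None
        elif cur is not None:
            cur[attr] = value
    return maps

def classify(text):
    """Return (state, missing required maps); only 'broken' calls for recovery."""
    present = set(parse_maps(text))
    missing = sorted(REQUIRED_MAPS - present)
    if not present:
        state = "not-configured"
    elif not missing:
        state = "complete"
    else:  # leftovers only -> recover; any other subset was edited by an admin
        state = "broken" if present <= LEFTOVER_MAPS else "customized"
    return state, missing

def created_since(text, cutoff):
    """Maps whose CreateTimestamp is at or after cutoff (YYYYmmddHHMMSSZ)."""
    return sorted(name for name, attrs in parse_maps(text).items()
                  if attrs.get("createtimestamp", "") >= cutoff)
```

`created_since` reproduces the comparison made by eye in the ACK above: entries stamped at upgrade time are the restored ones.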


Re: [Freeipa-devel] [PATCH 0399] Upgrade: fix upgrading of NIS Server configuration

2016-01-10 Thread Alexander Bokovoy

On Fri, 08 Jan 2016, Martin Basti wrote:



On 08.01.2016 16:22, Martin Basti wrote:



On 08.01.2016 16:19, Petr Vobornik wrote:

On 01/08/2016 02:54 PM, Alexander Bokovoy wrote:

On Wed, 06 Jan 2016, Martin Basti wrote:

https://fedorahosted.org/freeipa/ticket/5507

Patch attached.

Is the proposed workaround in the ticket enough, or should I also prepare an
update that will fix missing maps?

The update you have is good but we need to recover missing maps.
Given that we know which maps exist in the broken setup (those from
50-nis.update), it would make sense to check if only those CNs exist and
then remove them and fire recovery.



Could there be a situation where such state would be desired and the 
update would actually break user's setup?

Only if user removed all these maps:

"nis-domain={domain}+nis-map=passwd.byname,{suffix}",
"nis-domain={domain}+nis-map=passwd.byuid,{suffix}",
"nis-domain={domain}+nis-map=group.byname,{suffix}",
"nis-domain={domain}+nis-map=group.bygid,{suffix}",
"nis-domain={domain}+nis-map=netid.byname,{suffix}",
"nis-domain={domain}+nis-map=netgroup,{suffix}",




Updated patch attached.

ACK: I did upgrade of an install where NIS was enabled last December and
it had broken records as can be seen by CreateTimestamp. During upgrade
new entries were added, restoring the proper configuration:

# ldapsearch  -LLL -H ldapi://%2fvar%2frun%2fslapd-RH-VDA-LI.socket -b cn=config '(nis-domain=*)' dn CreateTimestamp ModifyTimestamp
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: nis-domain=rh.vda.li+nis-map=ethers.byaddr,cn=NIS Server,cn=plugins,cn=config
CreateTimestamp: 20151202162357Z
ModifyTimestamp: 20151202162357Z

dn: nis-domain=rh.vda.li+nis-map=ethers.byname,cn=NIS Server,cn=plugins,cn=config
CreateTimestamp: 20151202162357Z
ModifyTimestamp: 20151202162357Z

dn: nis-domain=rh.vda.li+nis-map=group.bygid,cn=NIS Server,cn=plugins,cn=config
CreateTimestamp: 20160111071241Z
ModifyTimestamp: 20160111071241Z

dn: nis-domain=rh.vda.li+nis-map=group.byname,cn=NIS Server,cn=plugins,cn=config
CreateTimestamp: 20160111071241Z
ModifyTimestamp: 20160111071241Z

dn: nis-domain=rh.vda.li+nis-map=netgroup,cn=NIS Server,cn=plugins,cn=config
CreateTimestamp: 20160111071242Z
ModifyTimestamp: 20160111071242Z

dn: nis-domain=rh.vda.li+nis-map=netid.byname,cn=NIS Server,cn=plugins,cn=config
CreateTimestamp: 20160111071242Z
ModifyTimestamp: 20160111071242Z

dn: nis-domain=rh.vda.li+nis-map=passwd.byname,cn=NIS Server,cn=plugins,cn=config
CreateTimestamp: 20160111071240Z
ModifyTimestamp: 20160111071240Z

dn: nis-domain=rh.vda.li+nis-map=passwd.byuid,cn=NIS Server,cn=plugins,cn=config
CreateTimestamp: 20160111071240Z
ModifyTimestamp: 20160111071240Z



--
/ Alexander Bokovoy



Re: [Freeipa-devel] [PATCH 0399] Upgrade: fix upgrading of NIS Server configuration

2016-01-08 Thread Martin Basti



On 08.01.2016 16:22, Martin Basti wrote:



On 08.01.2016 16:19, Petr Vobornik wrote:

On 01/08/2016 02:54 PM, Alexander Bokovoy wrote:

On Wed, 06 Jan 2016, Martin Basti wrote:

https://fedorahosted.org/freeipa/ticket/5507

Patch attached.

Is the proposed workaround in the ticket enough, or should I also prepare an
update that will fix missing maps?

The update you have is good but we need to recover missing maps.
Given that we know which maps exist in the broken setup (those from
50-nis.update), it would make sense to check if only those CNs exist and
then remove them and fire recovery.



Could there be a situation where such state would be desired and the 
update would actually break user's setup?

Only if user removed all these maps:

"nis-domain={domain}+nis-map=passwd.byname,{suffix}",
"nis-domain={domain}+nis-map=passwd.byuid,{suffix}",
"nis-domain={domain}+nis-map=group.byname,{suffix}",
"nis-domain={domain}+nis-map=group.bygid,{suffix}",
"nis-domain={domain}+nis-map=netid.byname,{suffix}",
"nis-domain={domain}+nis-map=netgroup,{suffix}",




Updated patch attached.
From 81744590c2570da1e1477b464d3614052cf6d8b1 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Wed, 6 Jan 2016 19:47:22 +0100
Subject: [PATCH] Upgrade: Fix upgrade of NIS Server configuration

The former upgrade file always created the NIS Server container, which caused
ipa-nis-manage not to set all required NIS maps. Default creation
of the container has been removed.

Updating of NIS Server configuration and
NIS maps is done only if the NIS Server container exists.

https://fedorahosted.org/freeipa/ticket/5507
---
 install/share/Makefile.am  |  1 +
 .../50-nis.update => share/nis-update.uldif}   | 19 +
 install/updates/50-nis.update  | 58 +--
 ipaplatform/base/paths.py  |  1 +
 ipaserver/install/plugins/update_nis.py| 86 ++
 5 files changed, 92 insertions(+), 73 deletions(-)
 copy install/{updates/50-nis.update => share/nis-update.uldif} (91%)
 create mode 100644 ipaserver/install/plugins/update_nis.py

diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index 42f3972e1061fda5bfd23b2fa8f63d675f92f5ba..b4cb8312471a68d8cd855f542478afe10d200c39 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -61,6 +61,7 @@ app_DATA =\
 	memberof-task.ldif		\
 	memberof-conf.ldif		\
 	nis.uldif			\
+	nis-update.uldif			\
 	opendnssec_conf.template	\
 	opendnssec_kasp.template	\
 	unique-attributes.ldif		\
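Review bot: The added `nis-update.uldif` line carries three tabs before the continuation backslash, the same as the much shorter `nis.uldif` entry above it, so with 8-column tabs its backslash lands one tab stop to the right of the rest of the `app_DATA` list. Use two tabs, as on the `memberof-task.ldif` line, to keep the column aligned.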
diff --git a/install/updates/50-nis.update b/install/share/nis-update.uldif
similarity index 91%
copy from install/updates/50-nis.update
copy to install/share/nis-update.uldif
index 149889ec7bdb38073eb6df88628792526cfe58e6..e602c1de061fbcece349b2d86970c4db5051473b 100644
--- a/install/updates/50-nis.update
+++ b/install/share/nis-update.uldif
@@ -1,20 +1,4 @@
-# NIS Server plugin must be disabled by default
-# command 'ipa-nis-manage enable' enables NIS server
-dn: cn=NIS Server,cn=plugins,cn=config
-default:objectclass: top
-default:objectclass: nsSlapdPlugin
-default:objectclass: extensibleObject
-default:cn: NIS Server
-default:nsslapd-pluginpath: /usr/lib$LIBARCH/dirsrv/plugins/nisserver-plugin.so
-default:nsslapd-plugininitfunc: nis_plugin_init
-default:nsslapd-plugintype: object
-default:nsslapd-pluginbetxn: on
-default:nsslapd-pluginenabled: off
-default:nsslapd-pluginid: nis-server
-default:nsslapd-pluginversion: 0.10
-default:nsslapd-pluginvendor: redhat.com
-default:nsslapd-plugindescription: NIS Server Plugin
-default:nis-tcp-wrappers-name: nis-server
+# Updates for NIS
 
 # Correct syntax error that caused users to not appear
 dn: nis-domain=$DOMAIN+nis-map=netgroup, cn=NIS Server, cn=plugins, cn=config
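Review bot: The replacement header `# Updates for NIS` at the top of nis-update.uldif does not say when the file is applied. The commit message states that the NIS Server configuration and maps are updated only if the NIS Server container exists; put that condition in the header comment, together with a note that the file is now installed from install/share rather than install/updates, so a later reader does not move it back or re-add the container entry.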
@@ -52,4 +36,3 @@ default:nis-filter: (&(macAddress=*)(fqdn=*)(objectClass=ipaHost))
 default:nis-keys-format: %mregsub("%{macAddress} %{fqdn}","(..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..) (.*)","%7")
 default:nis-values-format: %mregsub("%{macAddress} %{fqdn}","(..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..) (.*)","%1:%2:%3:%4:%5:%6 %7")
 default:nis-secure: no
-
diff --git a/install/updates/50-nis.update b/install/updates/50-nis.update
index 149889ec7bdb38073eb6df88628792526cfe58e6..05a166f003aefc50fc25f10f01f7364d752425bc 100644
--- a/install/updates/50-nis.update
+++ b/install/updates/50-nis.update
@@ -1,55 +1,3 @@
-# NIS Server plugin must be disabled by default
-# command 'ipa-nis-manage enable' enables NIS server
-dn: cn=NIS Server,cn=plugins,cn=config
-default:objectclass: top
-default:objectclass: nsSlapdPlugin
-default:objectclass: extensibleObject
-default:cn: NIS Server
-default:nsslapd-pluginpath: /usr/lib$LIBARCH/dirsrv/plugins/nisserver-plugin.so
-default:nsslapd-plugininitfunc: nis_plugin_init
-default:nsslapd-plugintype: object
-default:nsslapd-pluginbetxn: on
-default:nsslapd-pluginenabled: off
-default:nsslapd-pluginid: nis-server

Re: [Freeipa-devel] [PATCH 0399] Upgrade: fix upgrading of NIS Server configuration

2016-01-08 Thread Alexander Bokovoy

On Fri, 08 Jan 2016, Petr Vobornik wrote:

On 01/08/2016 02:54 PM, Alexander Bokovoy wrote:

On Wed, 06 Jan 2016, Martin Basti wrote:

https://fedorahosted.org/freeipa/ticket/5507

Patch attached.

Is the proposed workaround in the ticket enough, or should I also prepare an
update that will fix missing maps?

The update you have is good but we need to recover missing maps.
Given that we know which maps exist in the broken setup (those from
50-nis.update), it would make sense to check if only those CNs exist and
then remove them and fire recovery.



Could there be a situation where such state would be desired and the 
update would actually break user's setup?

It is highly unlikely someone would want to remove all maps but
ethers.byaddr and ethers.byname. That's our bug right now.
--
/ Alexander Bokovoy



Re: [Freeipa-devel] [PATCH 0399] Upgrade: fix upgrading of NIS Server configuration

2016-01-08 Thread Martin Basti



On 08.01.2016 16:19, Petr Vobornik wrote:

On 01/08/2016 02:54 PM, Alexander Bokovoy wrote:

On Wed, 06 Jan 2016, Martin Basti wrote:

https://fedorahosted.org/freeipa/ticket/5507

Patch attached.

Is the proposed workaround in the ticket enough, or should I also prepare an
update that will fix missing maps?

The update you have is good but we need to recover missing maps.
Given that we know which maps exist in the broken setup (those from
50-nis.update), it would make sense to check if only those CNs exist and
then remove them and fire recovery.



Could there be a situation where such state would be desired and the 
update would actually break user's setup?

Only if user removed all these maps:

"nis-domain={domain}+nis-map=passwd.byname,{suffix}",
"nis-domain={domain}+nis-map=passwd.byuid,{suffix}",
"nis-domain={domain}+nis-map=group.byname,{suffix}",
"nis-domain={domain}+nis-map=group.bygid,{suffix}",
"nis-domain={domain}+nis-map=netid.byname,{suffix}",
"nis-domain={domain}+nis-map=netgroup,{suffix}",



Re: [Freeipa-devel] [PATCH 0399] Upgrade: fix upgrading of NIS Server configuration

2016-01-08 Thread Petr Vobornik

On 01/08/2016 02:54 PM, Alexander Bokovoy wrote:

On Wed, 06 Jan 2016, Martin Basti wrote:

https://fedorahosted.org/freeipa/ticket/5507

Patch attached.

Is the proposed workaround in the ticket enough, or should I also prepare an
update that will fix missing maps?

The update you have is good but we need to recover missing maps.
Given that we know which maps exist in the broken setup (those from
50-nis.update), it would make sense to check if only those CNs exist and
then remove them and fire recovery.



Could there be a situation where such state would be desired and the 
update would actually break user's setup?

--
Petr Vobornik



Re: [Freeipa-devel] [PATCH 0399] Upgrade: fix upgrading of NIS Server configuration

2016-01-08 Thread Alexander Bokovoy

On Wed, 06 Jan 2016, Martin Basti wrote:

https://fedorahosted.org/freeipa/ticket/5507

Patch attached.

Is the proposed workaround in the ticket enough, or should I also prepare an
update that will fix missing maps?

The update you have is good but we need to recover missing maps.
Given that we know which maps exist in the broken setup (those from
50-nis.update), it would make sense to check if only those CNs exist and
then remove them and fire recovery.

--
/ Alexander Bokovoy



[Freeipa-devel] [PATCH 0399] Upgrade: fix upgrading of NIS Server configuration

2016-01-06 Thread Martin Basti

https://fedorahosted.org/freeipa/ticket/5507

Patch attached.

Is the proposed workaround in the ticket enough, or should I also prepare an
update that will fix missing maps?
From 39e1124314a66578022f7d7810fd6252af96fd80 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Wed, 6 Jan 2016 19:47:22 +0100
Subject: [PATCH] Upgrade: Fix upgrade of NIS Server configuration

The former upgrade file always created the NIS Server container, which caused
ipa-nis-manage not to set all required NIS maps. Default creation
of the container has been removed.

Updating of NIS Server configuration and
NIS maps is done only if the NIS Server container exists.

https://fedorahosted.org/freeipa/ticket/5507
---
 install/share/Makefile.am  |  1 +
 .../50-nis.update => share/nis-update.uldif}   | 19 +--
 install/updates/50-nis.update  | 58 ++
 ipaplatform/base/paths.py  |  1 +
 ipaserver/install/plugins/update_nis.py| 36 ++
 5 files changed, 42 insertions(+), 73 deletions(-)
 copy install/{updates/50-nis.update => share/nis-update.uldif} (91%)
 create mode 100644 ipaserver/install/plugins/update_nis.py

diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index 42f3972e1061fda5bfd23b2fa8f63d675f92f5ba..b4cb8312471a68d8cd855f542478afe10d200c39 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -61,6 +61,7 @@ app_DATA =\
 	memberof-task.ldif		\
 	memberof-conf.ldif		\
 	nis.uldif			\
+	nis-update.uldif			\
 	opendnssec_conf.template	\
 	opendnssec_kasp.template	\
 	unique-attributes.ldif		\
diff --git a/install/updates/50-nis.update b/install/share/nis-update.uldif
similarity index 91%
copy from install/updates/50-nis.update
copy to install/share/nis-update.uldif
index 149889ec7bdb38073eb6df88628792526cfe58e6..e602c1de061fbcece349b2d86970c4db5051473b 100644
--- a/install/updates/50-nis.update
+++ b/install/share/nis-update.uldif
@@ -1,20 +1,4 @@
-# NIS Server plugin must be disabled by default
-# command 'ipa-nis-manage enable' enables NIS server
-dn: cn=NIS Server,cn=plugins,cn=config
-default:objectclass: top
-default:objectclass: nsSlapdPlugin
-default:objectclass: extensibleObject
-default:cn: NIS Server
-default:nsslapd-pluginpath: /usr/lib$LIBARCH/dirsrv/plugins/nisserver-plugin.so
-default:nsslapd-plugininitfunc: nis_plugin_init
-default:nsslapd-plugintype: object
-default:nsslapd-pluginbetxn: on
-default:nsslapd-pluginenabled: off
-default:nsslapd-pluginid: nis-server
-default:nsslapd-pluginversion: 0.10
-default:nsslapd-pluginvendor: redhat.com
-default:nsslapd-plugindescription: NIS Server Plugin
-default:nis-tcp-wrappers-name: nis-server
+# Updates for NIS
 
 # Correct syntax error that caused users to not appear
 dn: nis-domain=$DOMAIN+nis-map=netgroup, cn=NIS Server, cn=plugins, cn=config
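Review bot: The map DN kept as context under the new header is written with a space after every comma (`nis-map=netgroup, cn=NIS Server, cn=plugins, cn=config`), while the container DN removed just above it had none (`cn=NIS Server,cn=plugins,cn=config`). Normalise the spelling while the file is being copied, and make sure any existence check on these entries compares parsed DNs rather than raw strings.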
@@ -52,4 +36,3 @@ default:nis-filter: (&(macAddress=*)(fqdn=*)(objectClass=ipaHost))
 default:nis-keys-format: %mregsub("%{macAddress} %{fqdn}","(..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..) (.*)","%7")
 default:nis-values-format: %mregsub("%{macAddress} %{fqdn}","(..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..) (.*)","%1:%2:%3:%4:%5:%6 %7")
 default:nis-secure: no
-
diff --git a/install/updates/50-nis.update b/install/updates/50-nis.update
index 149889ec7bdb38073eb6df88628792526cfe58e6..05a166f003aefc50fc25f10f01f7364d752425bc 100644
--- a/install/updates/50-nis.update
+++ b/install/updates/50-nis.update
@@ -1,55 +1,3 @@
-# NIS Server plugin must be disabled by default
-# command 'ipa-nis-manage enable' enables NIS server
-dn: cn=NIS Server,cn=plugins,cn=config
-default:objectclass: top
-default:objectclass: nsSlapdPlugin
-default:objectclass: extensibleObject
-default:cn: NIS Server
-default:nsslapd-pluginpath: /usr/lib$LIBARCH/dirsrv/plugins/nisserver-plugin.so
-default:nsslapd-plugininitfunc: nis_plugin_init
-default:nsslapd-plugintype: object
-default:nsslapd-pluginbetxn: on
-default:nsslapd-pluginenabled: off
-default:nsslapd-pluginid: nis-server
-default:nsslapd-pluginversion: 0.10
-default:nsslapd-pluginvendor: redhat.com
-default:nsslapd-plugindescription: NIS Server Plugin
-default:nis-tcp-wrappers-name: nis-server
-
-# Correct syntax error that caused users to not appear
-dn: nis-domain=$DOMAIN+nis-map=netgroup, cn=NIS Server, cn=plugins, cn=config
-replace:nis-value-format: %merge(" ","%{memberNisNetgroup}","(%link(\"%ifeq(\\\"hostCategory\\\",\\\"all\\\",\\\"\\\",\\\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\"memberHost\\\",\\\"fqdn\\\")\\\",\\\"%deref_r(\\\"member\\\",\\\"fqdn\\\")\\\",\\\"%deref_r(\\\"memberHost\\\",\\\"member\\\",\\\"fqdn\\\")\\\")\\\")\",\"-\",\",\",\"%ifeq(\\\"userCategory\\\",\\\"all\\\",\\\"\\\",\\\"%collect(\\\"%der