See https://www.redhat.com/archives/freeipa-users/2012-November/msg00085.html for a full description of the issue. In short, after upgrading an IPA server from 2.2.0 to 2.2.1, the fqdn indices that are created in [changeset:ce11a7c] aren't followed by an index task, so existing hosts aren't retrieved by SSSD, and logins fail.
After creating the following fqdn_index_task.ldif
dn: cn=indextask_fqdn, cn=index, cn=tasks, cn=config
objectclass: top
objectclass: extensibleObject
cn: indextask_fqdn
nsInstance: userRoot
nsIndexAttribute: fqdn
and issuing
ldapadd -vvv -x -D "cn=directory manager" -W -f fqdn_index_task.ldif
I see the following in my error log
[12/Nov/2012:10:28:29 -0600] - userRoot: Indexing attribute: fqdn
[12/Nov/2012:10:28:29 -0600] - userRoot: Finished indexing.
and login via SSSD resumes immediately.
I can look at it.
This is indeed a bug in the code processing index updates. The index task is supposed to be run automatically for every new or updated index, but it is only processed in the update code path.
To work around the issue, one can run the following script to trigger the LDAP upgrade procedure, which will fire the index task this time:
# ipa-ldap-updater --upgrade
# grep "Creating task to index" /var/log/ipaupgrade.log
2012-11-13T12:17:23Z INFO Creating task to index attribute: memberuid
2012-11-13T12:17:29Z INFO Creating task to index attribute: memberOf
2012-11-13T12:17:35Z INFO Creating task to index attribute: memberHost
2012-11-13T12:17:41Z INFO Creating task to index attribute: memberUser
2012-11-13T12:17:47Z INFO Creating task to index attribute: fqdn
2012-11-13T12:17:53Z INFO Creating task to index attribute: ntUniqueId
2012-11-13T12:17:59Z INFO Creating task to index attribute: ntUserDomainId
When fixing this one, I may also backport the 2ecfe57 from #2866.
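A post-upgrade check built on the two log formats quoted in this ticket, as an added example that is not part of the ticket or of FreeIPA's own code: it reports which expected attributes never got an index task in the upgrade log, and whether the directory server error log shows an index run completing for a given attribute. The function names and the sample log files are constructed for illustration; reading "Finished indexing." after "Indexing attribute:" as completion is an assumption taken from the log excerpt above.

```shell
#!/bin/sh
# Added example (hypothetical helper names); sample logs below are constructed
# in the formats quoted in this ticket.

sample_upgrade_log() {   # constructed: ntUniqueId deliberately absent
cat <<'EOF'
2012-11-13T12:17:23Z INFO Creating task to index attribute: memberuid
2012-11-13T12:17:47Z INFO Creating task to index attribute: fqdn
EOF
}

sample_errors_log() {    # constructed from the error-log lines in the report
cat <<'EOF'
[12/Nov/2012:10:28:29 -0600] - userRoot: Indexing attribute: fqdn
[12/Nov/2012:10:28:29 -0600] - userRoot: Finished indexing.
EOF
}

# missing_index_tasks UPGRADE_LOG ATTR...
# Prints every ATTR that has no "Creating task to index attribute" entry.
# Attribute names are compared case-insensitively, as LDAP treats them.
missing_index_tasks() {
    log=$1; shift
    for attr in "$@"; do
        awk -v a="$attr" '
            index($0, "Creating task to index attribute:") &&
            tolower($NF) == tolower(a) { found = 1 }
            END { exit !found }' "$log" || echo "$attr"
    done
}

# index_finished ERRORS_LOG ATTR BACKEND
# Succeeds only if BACKEND logged "Indexing attribute: ATTR" and, after it,
# "Finished indexing." for the same backend.
index_finished() {
    awk -v a="$2" -v be="$3" '
        index($0, be ": Indexing attribute:") &&
        tolower($NF) == tolower(a) { started = 1; fin = 0 }
        started && index($0, be ": Finished indexing.") { fin = 1 }
        END { exit !fin }' "$1"
}

# Demo on the constructed samples.
tmp=$(mktemp -d)
sample_upgrade_log > "$tmp/ipaupgrade.log"
sample_errors_log > "$tmp/errors"
echo "no index task logged for: $(missing_index_tasks "$tmp/ipaupgrade.log" memberuid fqdn ntUniqueId)"
index_finished "$tmp/errors" fqdn userRoot && echo "fqdn: index run finished in userRoot"
rm -rf "$tmp"
```

Against a real server, pass /var/log/ipaupgrade.log and the instance's error log in place of the sample files.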
attachment freeipa-mkosek-333-run-index-task-for-new-indexes.patch
Patch freeipa-mkosek-333-run-index-task-for-new-indexes.patch sent for review
ipa-2-2: 1addbc9
Metadata Update from @amessina: - Issue assigned to mkosek - Issue set to the milestone: FreeIPA 2.2 Stabilization