Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1248524
Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.
Description of problem:
User can't find any hosts using "ipa host-find $HOSTNAME"

When trying to execute "ipa host-find $HOSTNAME" using the non-admin user, it doesn't return any information. If I execute "ipa host-find --hostname=$HOSTNAME" I'll get a successful result. Whereas ipa host-find shows no. of hosts added in system.

Version-Release number of selected component (if applicable):
ipa-server-4.1.0-18.el7_1.3.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Setup IPA server
2. Add some hosts
3. Get a ticket using non-admin user & try to search hosts.

Actual results:

# ipa host-find ipaserver.example.com
---------------
0 hosts matched
---------------
----------------------------
Number of entries returned 0
----------------------------

[root@ipaserver ~]# ipa host-find --host ipaserver.example.com
--------------
1 host matched
--------------
  Host name: ipaserver.example.com
  Principal name: host/ipaserver.example.com@EXAMPLE.COM
  Password: False
  Keytab: True
  Managed by: ipaserver.example.com
----------------------------
Number of entries returned 1
---------------------------

Additional info:
When a general TERM search is issued, all possible host fields are searched, so it is likely there will be at least one that is not searchable.

Results of both commands should be the same.

When searched like this.

# ipa host-find ipaserver.example.com
---------------
0 hosts matched
---------------
----------------------------
Number of entries returned 0
----------------------------

It created a search request like this.

[01/Jul/2015:12:57:34 +051800] conn=25 op=4 SRCH base="cn=computers,cn=accounts,dc=example,dc=com" scope=1 filter="(&(|(description=*ipaserver.example.com*)(nsHardwarePlatform=*ipaserver.example.com*)(ipaAllowedToPerform=*ipaserver.example.com*)(l=*ipaserver.example.com*)(nsOsVersion=*ipaserver.example.com*)(fqdn=*ipaserver.example.com*)(managedBy=*ipaserver.example.com*)(krbPrincipalName=*ipaserver.example.com*)(nsHostLocation=*ipaserver.example.com*))(&(objectClass=ipaobject)(objectClass=nshost)(objectClass=ipahost)(objectClass=pkiuser)(objectClass=ipaservice)))" attrs="macAddress memberOf description nsHardwarePlatform ipaAllowedToPerform l nsOsVersion fqdn managedBy ipaAssignedIDView userCertificate krbPrincipalName nsHostLocation userClass"
[01/Jul/2015:12:57:34 +051800] conn=25 op=4 RESULT err=0 tag=101 nentries=0 etime=0 notes=U

It never returns.

# ldapsearch -LLL -Y GSSAPI -b "cn=computers,cn=accounts,dc=example,dc=com" '(&(|(description=*ipaserver.example.com*)(nsHardwarePlatform=*ipaserver.example.com*)(ipaAllowedToPerform=*ipaserver.example.com*)(l=*ipaserver.example.com*)(nsOsVersion=*ipaserver.example.com*)(fqdn=*ipaserver.example.com*)(managedBy=*ipaserver.example.com*)(krbPrincipalName=*ipaserver.example.com*)(nsHostLocation=*ipaserver.example.com*))(&(objectClass=ipaobject)(objectClass=nshost)(objectClass=ipahost)(objectClass=pkiuser)(objectClass=ipaservice)))'
SASL/GSSAPI authentication started
SASL username: tuser123@EXAMPLE.COM
SASL SSF: 56
SASL data security layer installed.

But when searched like

[root@ipaserver ~]# ipa host-find --host ipaserver.example.com
--------------
1 host matched
--------------
  Host name: ipaserver.example.com
  Principal name: host/ipaserver.example.com@EXAMPLE.COM
  Password: False
  Keytab: True
  Managed by: ipaserver.example.com
  SSH public key fingerprint: AA:0A:2E:30:F6:FC:8F:6E:57:9D:63:8B:43:CC:95:BD (ssh-rsa), 93:F6:88:B4:4D:FE:0A:AC:CE:CD:81:34:B0:CE:3E:35 (ecdsa-sha2-nistp256), AF:6B:72:81:D2:93:63:0C:5D:C1:0F:45:63:3A:EE:04 (ssh-ed25519)
----------------------------
Number of entries returned 1
----------------------------

The first search is created like.

[01/Jul/2015:12:57:51 +051800] conn=26 op=4 SRCH base="cn=computers,cn=accounts,dc=example,dc=com" scope=1 filter="(&(&(objectClass=ipaobject)(objectClass=nshost)(objectClass=ipahost)(objectClass=pkiuser)(objectClass=ipaservice))(fqdn=ipaserver.example.com))" attrs="macAddress memberOf description nsHardwarePlatform ipaAllowedToPerform l nsOsVersion fqdn managedBy ipaAssignedIDView userCertificate krbPrincipalName nsHostLocation userClass"
[01/Jul/2015:12:57:51 +051800] conn=26 op=4 RESULT err=0 tag=101 nentries=1 etime=0

Which is returned.

# ldapsearch -LLL -Y GSSAPI -b "cn=computers,cn=accounts,dc=example,dc=com" '(&(&(objectClass=ipaobject)(objectClass=nshost)(objectClass=ipahost)(objectClass=pkiuser)(objectClass=ipaservice))(fqdn=ipaserver.example.com))'
SASL/GSSAPI authentication started
SASL username: tuser123@EXAMPLE.COM
SASL SSF: 56
SASL data security layer installed.
dn: fqdn=ipaserver.example.com,cn=computers,cn=accounts,dc=example,dc=com
cn: ipaserver.example.com
objectClass: ipaobject
objectClass: krbprincipal
objectClass: nshost
objectClass: top
objectClass: ipaservice
objectClass: pkiuser
objectClass: ipahost
objectClass: krbticketpolicyaux
objectClass: krbprincipalaux
objectClass: ipasshhost
objectClass: ipaSshGroupOfPubKeys
krbLastPwdChange: 20150630054454Z
fqdn: ipaserver.example.com
managedBy: fqdn=ipaserver.example.com,cn=computers,cn=accounts,dc=example,dc=c
 om
krbPrincipalName: host/ipaserver.example.com@EXAMPLE.COM
serverHostName: ipaserver
ipaUniqueID: 21f94072-1eeb-11e5-9756-00163e740a9e
Caused by ipaallowedtoperform in default_attributes. Same issue in services.
See also #5168
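Added example, not part of the ticket or of FreeIPA's code: a small access-log triage script that pairs each SRCH line with its RESULT by conn/op and lists the attributes that appear only in filters of zero-result searches, which is how the two searches quoted in the description differ. The sample lines are constructed by shortening the ticket's log (fewer OR terms and attrs); the function names are hypothetical.

```python
import re

# Constructed sample: the ticket's two SRCH/RESULT pairs with the OR list,
# objectClass list and attrs shortened.
SAMPLE_LOG = """\
[01/Jul/2015:12:57:34 +051800] conn=25 op=4 SRCH base="cn=computers,cn=accounts,dc=example,dc=com" scope=1 filter="(&(|(description=*ipaserver.example.com*)(ipaAllowedToPerform=*ipaserver.example.com*)(fqdn=*ipaserver.example.com*)(managedBy=*ipaserver.example.com*))(&(objectClass=ipaobject)(objectClass=ipahost)))" attrs="fqdn"
[01/Jul/2015:12:57:34 +051800] conn=25 op=4 RESULT err=0 tag=101 nentries=0 etime=0 notes=U
[01/Jul/2015:12:57:51 +051800] conn=26 op=4 SRCH base="cn=computers,cn=accounts,dc=example,dc=com" scope=1 filter="(&(&(objectClass=ipaobject)(objectClass=ipahost))(fqdn=ipaserver.example.com))" attrs="fqdn"
[01/Jul/2015:12:57:51 +051800] conn=26 op=4 RESULT err=0 tag=101 nentries=1 etime=0
"""

LINE = re.compile(r'conn=(\d+) op=(\d+) (SRCH|RESULT) (.*)')
FILTER = re.compile(r'filter="([^"]*)"')
# An attribute name follows "(" and precedes a match operator (=, ~=, >=, <=).
ATTR = re.compile(r'\(([A-Za-z][A-Za-z0-9;.-]*)\s*[~<>]?=')
NENTRIES = re.compile(r'nentries=(\d+)')


def searches(log_text):
    """Pair each SRCH with its RESULT by (conn, op); return a list of dicts."""
    pending, done = {}, []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        key = (int(m.group(1)), int(m.group(2)))
        if m.group(3) == "SRCH":
            f = FILTER.search(m.group(4))
            attrs = {a.lower() for a in ATTR.findall(f.group(1))} if f else set()
            pending[key] = {"conn": key[0], "op": key[1], "attrs": attrs}
        elif key in pending:
            n = NENTRIES.search(m.group(4))
            rec = pending.pop(key)
            rec["nentries"] = int(n.group(1)) if n else None
            done.append(rec)
    return done


def suspect_attrs(log_text):
    """Attributes used only by zero-result searches, never by one that matched."""
    recs = searches(log_text)
    empty = set().union(*(r["attrs"] for r in recs if r["nentries"] == 0))
    hit = set().union(*(r["attrs"] for r in recs if r["nentries"]))
    return sorted(empty - hit)


if __name__ == "__main__":
    print(suspect_attrs(SAMPLE_LOG))
```

The result is a candidate list only; of the attributes it reports for the sample, the ticket names ipaallowedtoperform as the cause.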
master:
ipa-4-2:
Metadata Update from @pvoborni: - Issue assigned to pvoborni - Issue set to the milestone: FreeIPA 4.2.1