ipa-replica-install: fails to update schema


Environment

RHEL7.4
IPA4.5

Issue

Where a root user is defined, an IPA replica may fail to install due to the following error:

  [29/40]: updating schema
ipa         : CRITICAL Failed to load schema-update.ldif: Command '/usr/bin/ldapmodify -v -f /usr/share/ipa/schema-update.ldif -H ldapi://%2Fvar%2Frun%2Fslapd-LINUX-TESTREALM-LOCAL.socket -Y EXTERNAL' returned non-zero exit status 50
  [error] CalledProcessError: Command '/usr/bin/ldapmodify -v -f /usr/share/ipa/schema-update.ldif -H ldapi://%2Fvar%2Frun%2Fslapd-LINUX-TESTREALM-LOCAL.socket -Y EXTERNAL' returned non-zero exit status 50

Resolution

Change the uidnumber and gidnumber of the root user (e.g. "uid=root,cn=users,cn=accounts,dc=linux,dc=testrealm,dc=local") to values within the defined idrange. For example:

# ldapmodify -D "cn=directory manager" -W
dn: uid=root,cn=users,cn=accounts,dc=linux,dc=testrealm,dc=local
changetype: modify
replace: uidnumber
uidnumber: 1308800023
-
replace: gidnumber
gidnumber: 1308800023

Root Cause

The uidnumber and gidnumber of the root user, e.g. "uid=root,cn=users,cn=accounts,dc=linux,dc=testrealm,dc=local", are set to zero:

# ipa user-find root --raw --all
--------------
1 user matched
--------------
  dn: uid=root,cn=users,cn=accounts,dc=linux,dc=testrealm,dc=local
  uid: root
  ...
  uidnumber: 0
  gidnumber: 0

Chapter 14.5, "Manual ID Range Extension and Assigning a New ID Range", clearly states:

Do not set ID ranges that include UID values of 1000 and lower; these values are reserved for system use. Also, DO NOT set an ID range that would include the 0 value; the SSSD service does not handle the 0 ID value. 
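The following is an added audit script, not part of this solution, that flags user entries whose uidnumber or gidnumber is a reserved system ID (0 or 1000 and lower, the case that lets ldapi autobind map local root to a user entry instead of Directory Manager) or lies outside the configured idrange. It parses text in the shape of `ipa user-find --raw --all`; the sample output and the ID range (taken as the ipabaseid/ipaidrangesize pair that `ipa idrange-find` reports) are constructed for this example.

```python
import re

# Constructed sample in the shape of `ipa user-find --raw --all`: one healthy
# user plus the root entry from this article (uidnumber and gidnumber both 0).
USER_FIND_OUTPUT = """\
--------------
2 users matched
--------------
  dn: uid=admin,cn=users,cn=accounts,dc=linux,dc=testrealm,dc=local
  uid: admin
  uidnumber: 1308800000
  gidnumber: 1308800000

  dn: uid=root,cn=users,cn=accounts,dc=linux,dc=testrealm,dc=local
  uid: root
  uidnumber: 0
  gidnumber: 0
"""

# Constructed local ID range as (first, last), from an assumed ipabaseid of
# 1308800000 and ipaidrangesize of 200000 (the article's fix value 1308800023 lies in it).
ID_RANGES = [(1308800000, 1308800000 + 200000 - 1)]


def parse_entries(text):
    """Split --raw output into one dict per entry (attribute names lower-cased)."""
    entries, current = [], {}
    for line in text.splitlines():
        m = re.match(r"\s+(\S+): (.*)$", line)   # attribute lines are indented
        if m:
            current[m.group(1).lower()] = m.group(2).strip()
        elif current:                            # blank line ends an entry
            entries.append(current)
            current = {}
    if current:
        entries.append(current)
    return entries


def audit_users(user_text, ranges=ID_RANGES):
    """Return (uid, attribute, value, reason) for every ID that must be changed."""
    findings = []
    for e in parse_entries(user_text):
        for attr in ("uidnumber", "gidnumber"):
            val = int(e[attr])
            if val <= 1000:   # 0 also makes ldapi autobind map local root to this entry
                findings.append((e["uid"], attr, val, "reserved system ID (<= 1000)"))
            elif not any(lo <= val <= hi for lo, hi in ranges):
                findings.append((e["uid"], attr, val, "outside every configured idrange"))
    return findings
```

Run it against the real `ipa user-find --raw --all` output before installing a replica; an empty result means no entry can shadow Directory Manager on the ldapi autobind.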

Diagnostic Steps

The IPA replica installation log (/var/log/ipareplica-install.log) shows:

modifying entry "cn=schema"

2018-02-22T09:13:54Z DEBUG stderr=ldap_initialize( ldapi://%2Fvar%2Frun%2Fslapd-LINUX-TESTREALM-LOCAL.socket/??base )
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
ldap_modify: Insufficient access (50)   <<<<<<<<<<<<
        additional info: Insufficient 'write' privilege to the 'objectClasses' attribute of entry 'cn=schema'.

The corresponding Directory Server access log shows:

[22/Feb/2018:09:13:54.312987217 +0000] conn=7 fd=64 slot=64 connection from local to /var/run/slapd-LINUX-TESTREALM-LOCAL.socket
[22/Feb/2018:09:13:54.316552634 +0000] conn=7 AUTOBIND dn="uid=root,cn=users,cn=accounts,dc=linux,dc=testrealm,dc=local"
[22/Feb/2018:09:13:54.316558927 +0000] conn=7 op=0 BIND dn="uid=root,cn=users,cn=accounts,dc=linux,dc=testrealm,dc=local" method=sasl version=3 mech=EXTERNAL
[22/Feb/2018:09:13:54.317179855 +0000] conn=7 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=root,cn=users,cn=accounts,dc=linux,dc=testrealm,dc=local"
[22/Feb/2018:09:13:54.329355921 +0000] conn=7 op=1 MOD dn="cn=schema"
[22/Feb/2018:09:13:54.496026920 +0000] conn=7 op=1 RESULT err=50 tag=103 nentries=0 etime=0  <<<<<<<<<<<<<<<<
[22/Feb/2018:09:13:54.496572349 +0000] conn=7 op=2 UNBIND
[22/Feb/2018:09:13:54.496586146 +0000] conn=7 op=2 fd=64 closed - U1

Notice that the AUTOBIND is "uid=root,cn=users,cn=accounts,dc=linux,dc=testrealm,dc=local" rather than "cn=Directory Manager". The "uid=root,cn=users,cn=accounts,dc=linux,dc=testrealm,dc=local" user does not have the necessary rights to update the "cn=schema" tree, so any attempt to update it results in err=50, i.e. Insufficient access.

Component: ipa
