Bug 1435718
| Summary: | As an ID user I cannot call a command with --rights option | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Petr Vobornik <pvoborni> |
| Component: | ipa | Assignee: | IPA Maintainers <ipa-maint> |
| Status: | CLOSED ERRATA | QA Contact: | Sudhir Menon <sumenon> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | medium | | |
| Version: | 7.4 | CC: | nsoman, pvoborni, rcritten, sumenon, tscherf |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | ipa-4.5.0-3.el7 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2017-08-01 09:46:16 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Petr Vobornik
2017-03-24 15:18:04 UTC
Upstream ticket: https://pagure.io/freeipa/issue/6797

This is a prerequisite for self-service Web UI for AD users work.

ipa-4-5: 7d48fb841a23e9f036f3d449d80623d1225c820a ldap2: use LDAP whoami operation to retrieve bind DN for current connection
master: 7324451834ec03786fda947679f750fe2a72f29c ldap2: use LDAP whoami operation to retrieve bind DN for current connection

Tested on RHEL7.4

ipa-server-4.5.0-13.el7.x86_64
krb5-server-1.15.1-8.el7.x86_64
pki-server-10.4.1-6.el7.noarch
389-ds-base-1.3.6.1-15.el7.x86_64
sssd-1.15.2-35.el7.x86_64
selinux-policy-3.13.1-152.el7.noarch

1. Establish trust with AD

2. Add override for trusted aduser to default trust view.

# ipa idoverrideuser-add "default trust view" aduser2

3.

[root@autohv01 ~]# echo **** | kinit aduser2
Password for aduser2:
[root@autohv01 ~]# klist -l
Principal name                 Cache name
--------------                 ----------
aduser2                        KEYRING:persistent:0:krb_ccache_9Fc3Eqa

4.

[root@autohv01 ~]# ipa config-show --rights --all
  dn: cn=ipaConfig,cn=etc,dc=testrelm,dc=test
  Maximum username length: 32
  Home directory base: /home
  Default shell: /bin/sh
  Default users group: ipausers
  Default e-mail domain: testrelm.test
  Search time limit: 2
  Search size limit: 100
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: FALSE
  Certificate Subject base: O=TESTRELM.TEST
  Default group objectclasses: top, groupofnames, nestedgroup, ipausergroup, ipaobject
  Default user objectclasses: top, person, organizationalperson, inetorgperson, inetuser, posixaccount, krbprincipalaux, krbticketpolicyaux, ipaobject, ipasshuser
  Password Expiration Notification (days): 4
  Password plugin features: AllowNThash, KDC:Disable Last Success
  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
  Default SELinux user: unconfined_u:s0-s0:c0.c1023
  Default PAC types: MS-PAC, nfs:NONE
  IPA masters:
  IPA CA servers:
  IPA NTP servers:
  attributelevelrights: {u'cn': u'rsc', u'ipauserauthtype': u'rsc', u'ipadefaultprimarygroup': u'rsc', u'ipapwdexpadvnotify': u'rsc', u'ipasearchtimelimit': u'rsc', u'ipacustomfields': u'rsc', u'ipasearchrecordslimit': u'rsc', u'nsaccountlock': u'', u'ipausersearchfields': u'rsc', u'ipadefaultloginshell': u'rsc', u'ipacertificatesubjectbase': u'rsc', u'ipadomainresolutionorder': u'rsc', u'ipaconfigstring': u'rsc', u'ipakrbauthzdata': u'rsc', u'ipauserobjectclasses': u'rsc', u'ipagroupsearchfields': u'rsc', u'ipadefaultemaildomain': u'rsc', u'ipagroupobjectclasses': u'rsc', u'ipamaxusernamelength': u'rsc', u'ipaselinuxusermapdefault': u'rsc', u'objectclass': u'rsc', u'aci': u'', u'ipahomesrootdir': u'rsc', u'ipamigrationenabled': u'rsc', u'ipaselinuxusermaporder': u'rsc'}
  cn: ipaConfig
  objectclass: nsContainer, top, ipaGuiConfig, ipaConfigObject, ipaUserAuthTypeClass, ipaNameResolutionData

[root@autohv01 ~]# ipa trust-find --all
---------------
1 trust matched
---------------
  dn: cn=pne.qe,cn=ad,cn=trusts,dc=testrelm,dc=test
  Realm name: pne.qe
  Domain NetBIOS name: PNE
  Domain Security Identifier: S-1-5-21-2202318585-426110948-4011710778
  SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  UPN suffixes: test.qa, pune.in
  ipantsecurityidentifier: S-1-5-21-1074789812-2998660393-2210475529-1003
  ipanttrustdirection: 1
  ipanttrustpartner: pne.qe
  objectclass: ipaNTTrustedDomain, ipaIDobject, top
----------------------------
Number of entries returned 1
----------------------------

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304
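The commit message above says only that ldap2 now uses the LDAP "Who am I?" extended operation (RFC 4532) to obtain the bind DN. The Python below is an added example, not FreeIPA's own code, that shows why that matters for --rights. As I understand the pre-fix code, the bind DN was derived by searching the IPA tree for an entry whose krbprincipalname matches the caller's Kerberos principal; a user that lives in a trusted AD domain has no such entry, so the lookup fails and the command cannot build the rights request. Who am I? instead returns whatever DN the directory server mapped the GSSAPI bind to, and that DN becomes the authzId of the Get Effective Rights request control that produces attributelevelrights. The in-memory directory, the DN and RID used for aduser2's mapped entry, the helper names and the simulated rights policy are all constructed for this example; the rights values mirror the config-show output above (rsc on ordinary attributes, nothing on aci and nsaccountlock) but are not computed from real ACIs.

```python
"""Added example (not FreeIPA code): bind-DN discovery for --rights.

Compares the principal-lookup approach, which cannot find an entry for an AD
trust user, with the LDAP "Who am I?" (RFC 4532) approach used by the fix.
The directory model, mapped DN, helper names and rights policy below are
constructed for illustration.
"""
from typing import Dict, List, Optional, Tuple

BASE_DN = "dc=testrelm,dc=test"
GER_OID = "1.3.6.1.4.1.42.2.27.9.5.2"  # 389-ds Get Effective Rights control

# Constructed entries.  ADUSER_MAPPED_DN is a hypothetical DN that the
# directory server maps aduser2's GSSAPI bind to; the RID 1104 is a placeholder.
ADMIN_DN = f"uid=admin,cn=users,cn=accounts,{BASE_DN}"
ADUSER_MAPPED_DN = ("ipaanchoruuid=:SID:S-1-5-21-2202318585-426110948-4011710778-1104,"
                    f"cn=default trust view,cn=views,cn=accounts,{BASE_DN}")

DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    ADMIN_DN: {"objectclass": ["krbprincipalaux", "posixaccount"],
               "krbprincipalname": ["admin@TESTRELM.TEST"]},
    # The AD user has an override entry but no krbprincipalname anywhere.
    ADUSER_MAPPED_DN: {"objectclass": ["ipauseroverride"],
                       "ipaoriginaluid": ["aduser2@pne.qe"]},
}


def bind_dn_from_principal(principal: str,
                           directory: Dict[str, Dict[str, List[str]]] = DIRECTORY
                           ) -> Optional[str]:
    """Pre-fix strategy (as I understand the old ldap2 code): find the entry
    whose krbprincipalname equals the caller's principal.  Trusted AD users
    are not stored as IPA user entries, so this returns None for them."""
    for dn, attrs in directory.items():
        if principal in attrs.get("krbprincipalname", []):
            return dn
    return None


def parse_authzid(authzid: str) -> Tuple[str, Optional[str]]:
    """Parse an RFC 4532 Who am I? result: 'dn:<dn>', 'u:<userid>' or ''
    (anonymous).  389-ds puts a space after 'dn:', hence the strip()."""
    if authzid == "":
        return "anonymous", None
    if authzid.startswith("dn:"):
        return "dn", authzid[3:].strip()
    if authzid.startswith("u:"):
        return "u", authzid[2:].strip()
    raise ValueError(f"unrecognised authzId form: {authzid!r}")


def bind_dn_from_whoami(authzid: str) -> str:
    """Post-fix strategy: trust the server's own answer about who is bound.
    Only a dn: identity can be used in the rights request; anonymous or u:
    forms are rejected rather than silently mapped to some other entry."""
    kind, value = parse_authzid(authzid)
    if kind != "dn" or not value:
        raise PermissionError(f"cannot compute rights for {kind} identity")
    return value


def ger_control_value(bind_dn: str) -> bytes:
    """Control value for the Get Effective Rights request (GER_OID): the raw
    authzId 'dn: <bind DN>', not BER-wrapped, which is what 389-ds expects."""
    return b"dn: " + bind_dn.encode("utf-8")


def simulated_server_rights(control_value: bytes, attrs: List[str]) -> Dict[str, str]:
    """Constructed stand-in for the server's ACI evaluation, shaped after the
    config-show output above: a bound user gets rsc (read/search/compare) on
    ordinary attributes and no rights on aci and nsaccountlock."""
    if not control_value.startswith(b"dn: "):
        raise ValueError("GER control requires a dn: authzId")
    hidden = {"aci", "nsaccountlock"}
    return {a: "" if a in hidden else "rsc" for a in attrs}


def rights_pre_fix(principal: str, attrs: List[str]) -> Dict[str, str]:
    """--rights as implemented before the fix: fails for the AD user."""
    bind_dn = bind_dn_from_principal(principal)
    if bind_dn is None:
        raise LookupError(f"no entry with krbprincipalname={principal}")
    return simulated_server_rights(ger_control_value(bind_dn), attrs)


def rights_post_fix(whoami_result: str, attrs: List[str]) -> Dict[str, str]:
    """--rights after the fix: works for any identity the server can name."""
    bind_dn = bind_dn_from_whoami(whoami_result)
    return simulated_server_rights(ger_control_value(bind_dn), attrs)


if __name__ == "__main__":
    attrs = ["cn", "ipamaxusernamelength", "aci", "nsaccountlock"]
    print(rights_post_fix("dn: " + ADMIN_DN, attrs))
    print(rights_post_fix("dn: " + ADUSER_MAPPED_DN, attrs))
    try:
        rights_pre_fix("aduser2@PNE.QE", attrs)
    except LookupError as e:
        print("pre-fix:", e)
```

Against a live server the two steps are, to my knowledge, `conn.whoami_s()` and a `ldap.controls.simple.GetEffectiveRightsControl(True, "dn: " + bind_dn)` passed as a server control to `search_ext_s` in python-ldap; the example keeps everything in memory so it runs offline. The point worth keeping from the edge-case handling is that an empty (anonymous) or `u:` authzId is refused rather than mapped to some default entry, so a caller can never obtain the rights view of an identity it is not bound as.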