Bug 1441262
| Summary: | ipa group-del gives ipa: ERROR: Insufficient access: but still deletes group | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Jens Timmerman <bugzilla> |
| Component: | ipa | Assignee: | IPA Maintainers <ipa-maint> |
| Status: | CLOSED ERRATA | QA Contact: | ipa-qe <ipa-qe> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 7.3 | CC: | abokovoy, bugzilla, cheimes, frenaud, gparente, kludhwan, ndehadra, pasik, pvoborni, rcritten, sumenon, tscherf |
| Target Milestone: | rc | Keywords: | TestCaseProvided |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | ipa-4.6.4-1.el7 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2018-10-30 10:56:00 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Jens Timmerman
2017-04-11 13:57:21 UTC
using -vvv gives
ipa: INFO: Response: {
    "error": {
        "code": 2100,
        "data": {
            "info": ""
        },
        "message": "Insufficient access: ",
        "name": "ACIError"
    },
    "id": 0,
    "principal": "user_admin@MYREALM",
    "result": null,
    "version": "4.4.0"
}
ipa: ERROR: Insufficient access:
Hello, can you please provide "sufficient permissions", preferably as a list of the permissions assigned to the user?

Hi Martin,

The user was created with:
ipa user-add user_admin --first=first --last=last --random
ipa role-add-member --users=user_admin "User Administrator"

Thank you for reporting the error and the reproducer.

This is a bug in IPA; however, it happened in post_callback (after the group was already removed). It is caused by the 'pwpolicy_del' call.
Log from dirsrv:
[11/Apr/2017:16:38:09.975909624 +0200] conn=647 op=10 DEL dn="cn=testgrp,cn=groups,cn=accounts,dc=dom-126,dc=example,dc=com"
[11/Apr/2017:16:38:09.995712795 +0200] conn=647 op=10 RESULT err=0 tag=107 nentries=0 etime=0
[11/Apr/2017:16:38:09.997009946 +0200] conn=647 op=11 DEL dn="cn=testgrp,cn=DOM-126.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=example,dc=com"
[11/Apr/2017:16:38:09.997609505 +0200] conn=647 op=11 RESULT err=50 tag=107 nentries=0 etime=0
Server traceback:
ipa: DEBUG: WSGI wsgi_execute PublicError: Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 367, in wsgi_execute
    result = command(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 447, in __call__
    return self.__do_call(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 475, in __do_call
    ret = self.run(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 797, in run
    return self.execute(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipaserver/plugins/baseldap.py", line 1579, in execute
    delete_entry(pkey)
  File "/usr/lib/python2.7/site-packages/ipaserver/plugins/baseldap.py", line 1564, in delete_entry
    result = callback(self, ldap, dn, *nkeys, **options)
  File "/usr/lib/python2.7/site-packages/ipaserver/plugins/group.py", line 369, in post_callback
    api.Command['pwpolicy_del'](keys[-1])
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 447, in __call__
    return self.__do_call(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 475, in __do_call
    ret = self.run(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 797, in run
    return self.execute(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipaserver/plugins/baseldap.py", line 1579, in execute
    delete_entry(pkey)
  File "/usr/lib/python2.7/site-packages/ipaserver/plugins/baseldap.py", line 1554, in delete_entry
    self._exc_wrapper(nkeys, options, ldap.delete_entry)(dn)
  File "/usr/lib/python2.7/site-packages/ipaserver/plugins/baseldap.py", line 1098, in wrapped
    return func(*call_args, **call_kwargs)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1565, in delete_entry
    self.conn.delete_s(str(dn))
  File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
    self.gen.throw(type, value, traceback)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 977, in error_handler
    raise errors.ACIError(info=info)
ACIError: Insufficient access:
Upstream ticket: https://pagure.io/freeipa/issue/6884

*** Bug 1474283 has been marked as a duplicate of this bug. ***

I have opened a similar bug for RHEL-6: https://bugzilla.redhat.com/show_bug.cgi?id=1571749

I submitted a fix as https://github.com/freeipa/freeipa/pull/1886

Fixed upstream master: https://pagure.io/freeipa/c/1adc941d1f1caeffa8cf490783b7819298e828ce
Needs to be backported to the ipa-4-6 branch.

ipa-4-6:
164d907 group-del: add a warning to logs when password policy could not be removed
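To make the failure mode discussed in the comments concrete, here is an added, constructed Python model of the group-del flow (not FreeIPA's own code): a fake directory with a per-principal list of deletable subtrees stands in for 389-ds ACIs, the pre-fix post_callback lets the ACIError from pwpolicy_del escape after the group entry is already gone, and the fixed variant logs a warning instead. FakeLDAP, make_directory and run_scenario are names assumed for this example, and the sample DNs and ACL are constructed.

```python
import logging
from typing import Dict, List, Tuple

class ACIError(Exception):
    """Stand-in for ipalib.errors.ACIError (LDAP err=50, 'Insufficient access')."""

class FakeLDAP:
    """Constructed stand-in for 389-ds: DNs plus per-principal deletable subtrees."""
    def __init__(self, entries: List[str], acl: Dict[str, List[str]]):
        self.entries, self.acl = set(entries), acl

    def delete_entry(self, principal: str, dn: str) -> None:
        # Access is checked before existence, so a denied DEL gives err=50 regardless.
        if not any(dn.endswith(s) for s in self.acl.get(principal, [])):
            raise ACIError("Insufficient access: ")
        self.entries.discard(dn)

def group_dn(cn: str) -> str:
    return f"cn={cn},cn=groups,cn=accounts,dc=example,dc=com"

def pwpolicy_dn(cn: str) -> str:
    return f"cn={cn},cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com"

def group_del(ldap: FakeLDAP, principal: str, cn: str, fixed: bool) -> str:
    """Models LDAPDelete.execute(): delete the group, then the post_callback calls
    pwpolicy_del. With fixed=False its ACIError escapes after the group is gone."""
    ldap.delete_entry(principal, group_dn(cn))
    try:
        ldap.delete_entry(principal, pwpolicy_dn(cn))  # pwpolicy_del
    except ACIError:
        if not fixed:
            raise  # client prints "ipa: ERROR: Insufficient access:"
        logging.warning("Password policy for group %s could not be removed", cn)
    return f'Deleted group "{cn}"'

def make_directory() -> FakeLDAP:
    """Constructed sample: User Administrator may delete under cn=groups only."""
    return FakeLDAP([group_dn("gtest"), pwpolicy_dn("gtest")],
                    {"user_admin": ["cn=groups,cn=accounts,dc=example,dc=com"],
                     "admin": ["dc=example,dc=com"]})

def run_scenario(fixed: bool, principal: str = "user_admin") -> Tuple[str, bool, bool]:
    """Returns (client-visible outcome, group still exists, pwpolicy still exists)."""
    ldap = make_directory()
    try:
        outcome = group_del(ldap, principal, "gtest", fixed)
    except ACIError as exc:
        outcome = f"ERROR: {exc}"
    return outcome, group_dn("gtest") in ldap.entries, pwpolicy_dn("gtest") in ldap.entries
```

Running run_scenario(False) shows the pre-fix state the reporter saw: the client gets an error while the group is already gone, which misleads both operators and automation that keys on the exit status; with fixed=True the command reports success and leaves the policy entry for an administrator to clean up, as the fix's log warning indicates.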
Fix is seen. Verified on Red Hat Enterprise Linux Server release 7.6 Beta (Maipo) using
ipa-server-4.6.4-3.el7.x86_64
sssd-1.16.2-11.el7.x86_64
389-ds-base-1.3.8.4-9.el7.x86_64
krb5-server-1.15.1-34.el7.x86_64
pki-server-10.5.9-4.el7.noarch
selinux-policy-3.13.1-211.el7.noarch

[root@master yubico]# ipa user-add user_admin --first=first --last=last --random
-----------------------
Added user "user_admin"
-----------------------
  User login: user_admin
  First name: first
  Last name: last
  Full name: first last
  Display name: first last
  Initials: fl
  Home directory: /home/user_admin
  GECOS: first last
  Login shell: /bin/sh
  Principal name: user_admin
  Principal alias: user_admin
  User password expiration: 20180807085610Z
  Email address: user_admin
  Random password: 7Tz^cu29z925s9}Am*}s^4
  UID: 477400003
  GID: 477400003
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
[root@master yubico]# ipa role-add-member --users=user_admin "User Administrator"
  Role name: User Administrator
  Description: Responsible for creating Users and Groups
  Member users: user_admin
  Privileges: User Administrators, Group Administrators, Stage User Administrators
-------------------------
Number of members added 1
-------------------------
[root@master yubico]# kdestroy -A
[root@master yubico]# kinit user_admin
Password for user_admin:
Password expired. You must change it now.
Enter new password:
Enter it again:
[root@master yubico]# klist l
klist: No credentials cache found (filename: l)
[root@master yubico]# klist -l
Principal name    Cache name
--------------    ----------
user_admin        KEYRING:persistent:0:0
[root@master yubico]# ipa group-add gtest
-------------------
Added group "gtest"
-------------------
  Group name: gtest
  GID: 477400004
[root@master yubico]# ipa group-del gtest
---------------------
Deleted group "gtest"
---------------------

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3187

Test case added upstream in test_integration/test_user_permissions.py::TestUserPermissions::test_delete_group_by_user_administrator
master: https://pagure.io/freeipa/c/3dd5053cdd55adf6888ef38bfc927fc255bd7019

Test added upstream:
ipa-4-6: https://pagure.io/freeipa/c/b5ac930f3ccca32d6d4536aebb46cfd9af7ade59
ipa-4-8: https://pagure.io/freeipa/c/a457b79d1e5af3c1bd1d9517db07c5a85154c932