Bug 1519723

Summary: admins group does not include all permissions of Role "User Administrator"
Product: Red Hat Enterprise Linux 7
Reporter: German Parente <gparente>
Component: ipa
Assignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA
QA Contact: ipa-qe <ipa-qe>
Severity: unspecified
Priority: unspecified
Version: 7.4
CC: amarecek, amore, frenaud, ndehadra, pasik, pvoborni, rcritten, sumenon, tdudlak, tscherf
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: ipa-4.6.4-1.el7
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2018-10-30 10:57:12 UTC
Type: Bug
Regression: ---

Description German Parente 2017-12-01 10:16:14 UTC
Description of problem:

I don't know if this was done on purpose as a feature or if it could be considered a bug. Customers are confused about this.

For them, adding a user to the group "cn=admins" is enough to make a user have the same rights as the "admin" user.

But there is at least one Permission missing, the one that allows this:

aci: (targetattr = "krblastpwdchange || krbpasswordexpiration || krbprincipalkey || userpassword")(target = "ldap:///uid=*,cn=deleted users,cn=accounts,cn=provisioning,dc=cgparente,dc=local")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Reset Preserved User password";allow (read,search,write) groupdn = "ldap:///cn=System: Reset Preserved User password,cn=permissions,cn=pbac,dc=cgparente,dc=local";)

Example:

user "example" is a member of the admins group:

ipa group-show admins
  Group name: admins
  Description: Account administrators group
  GID: 142600000
  Member users: admin, example
  Member of groups: ad_users


kinit example
Password for example: 

ipa user-del test --preserve
ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'krbLastPwdChange' attribute of entry 'uid=test,cn=deleted users,cn=accounts,cn=provisioning,dc=cgparente,dc=local'

ipa role-add-member "User Administrator" --user=example

kinit example
ipa user-del test --preserve

Works.

Comment 2 Florence Blanc-Renaud 2017-12-04 08:12:20 UTC
The behavior described by German is reproduced. Will check with the team if it is expected or if the role was mistakenly forgotten for the admins group.

Comment 3 Florence Blanc-Renaud 2017-12-21 18:39:27 UTC
The file install/updates/30-provisioning.update defines the following ACIs that are specific to the admin user, but should rather be granted to the admins group:

dn: cn=staged users,cn=accounts,cn=provisioning,$SUFFIX
aci: (targetattr="userPassword || krbPrincipalKey")(version 3.0; acl "Search existence of password and kerberos keys"; allow(read, search) userdn = "ldap:///uid=admin,cn=users,cn=accounts,$SUFFIX";)


dn: cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX
aci: (targetattr="userPassword || krbPrincipalKey || krbPasswordExpiration || krbLastPwdChange")(version 3.0; acl "Admins allowed to reset password and kerberos keys"; allow(read, search, write) userdn = "ldap:///uid=admin,cn=users,cn=accounts,$SUFFIX";)

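The following is an added example, not code from this bug report or from FreeIPA. It is a small parser for the ACI attributes found in update files such as install/updates/30-provisioning.update, and it flags every ACI whose bind rule names uid=admin directly instead of a group or permission entry, which is exactly the class of entry Comment 3 lists and the reason the Description's member of cn=admins lacked the right. The sample update text is constructed here: the first two ACIs are the ones quoted in Comment 3, the third (bound to cn=admins, and folded across two lines to exercise LDIF continuation handling) is invented for contrast. The class and function names are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample in the layout of an IPA update file. The first two ACIs
# are the ones quoted in Comment 3; the third is invented to show an ACI that
# is already bound to the admins group (folded with a leading space, as LDIF allows).
SAMPLE_UPDATE = """\
dn: cn=staged users,cn=accounts,cn=provisioning,$SUFFIX
aci: (targetattr="userPassword || krbPrincipalKey")(version 3.0; acl "Search existence of password and kerberos keys"; allow(read, search) userdn = "ldap:///uid=admin,cn=users,cn=accounts,$SUFFIX";)

dn: cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX
aci: (targetattr="userPassword || krbPrincipalKey || krbPasswordExpiration || krbLastPwdChange")(version 3.0; acl "Admins allowed to reset password and kerberos keys"; allow(read, search, write) userdn = "ldap:///uid=admin,cn=users,cn=accounts,$SUFFIX";)
aci: (targetattr="userPassword")(version 3.0; acl "Example group-bound aci"; allow(read) groupdn
 = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
"""

ACL_NAME = re.compile(r'acl\s+"([^"]*)"')
RIGHTS = re.compile(r'(allow|deny)\s*\(([^)]*)\)')
BIND = re.compile(r'(userdn|groupdn|userattr)\s*=\s*"([^"]*)"')
TARGETATTR = re.compile(r'targetattr\s*=\s*"([^"]*)"')


@dataclass
class Aci:
    dn: str            # entry the aci attribute lives on
    name: str          # the acl "..." label
    rights: tuple      # e.g. ("read", "search", "write")
    bind_type: str     # userdn / groupdn / userattr (first bind rule only)
    bind_value: str    # the ldap:/// URL of that bind rule
    targetattrs: tuple # attributes named in targetattr


def unfold_ldif(text):
    """Join LDIF continuation lines: a line starting with one space continues the previous one."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_acis(text):
    """Return every aci: attribute in an LDIF-style update file as an Aci record."""
    acis = []
    dn = None
    for line in unfold_ldif(text):
        lowered = line.lower()
        if lowered.startswith("dn:"):
            dn = line[3:].strip()
        elif lowered.startswith("aci:"):
            body = line[4:].strip()
            name = ACL_NAME.search(body)
            rights = RIGHTS.search(body)
            bind = BIND.search(body)   # only the first bind rule is inspected
            ta = TARGETATTR.search(body)
            acis.append(Aci(
                dn=dn or "",
                name=name.group(1) if name else "",
                rights=tuple(r.strip() for r in rights.group(2).split(",")) if rights else (),
                bind_type=bind.group(1) if bind else "",
                bind_value=bind.group(2) if bind else "",
                targetattrs=tuple(a.strip() for a in ta.group(1).split("||")) if ta else (),
            ))
    return acis


def is_admin_user_only(aci):
    """True when the ACI grants to uid=admin itself rather than to a group or permission entry."""
    return aci.bind_type == "userdn" and aci.bind_value.lower().startswith("ldap:///uid=admin,")


def find_admin_user_only(text):
    """ACIs that members of cn=admins would not inherit because they are bound to the single admin user."""
    return [a for a in parse_acis(text) if is_admin_user_only(a)]


if __name__ == "__main__":
    for aci in find_admin_user_only(SAMPLE_UPDATE):
        print(f"{aci.dn}: '{aci.name}' grants {','.join(aci.rights)} "
              f"on {','.join(aci.targetattrs)} to {aci.bind_value} only")
```

Run against a real update file by reading it into `parse_acis`; anything reported by `find_admin_user_only` is a right that membership in cn=admins does not confer, and `ipa permission-find` will not show it either, since it is a raw ACI rather than a managed permission.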
Comment 4 Florence Blanc-Renaud 2018-01-02 15:23:39 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/7342

Comment 5 Tibor Dudlák 2018-02-19 14:53:06 UTC
Fixed upstream
master:
https://pagure.io/freeipa/c/d647072642bdf01d0bfee31a7b5615b145583da5

Comment 6 Florence Blanc-Renaud 2018-03-28 09:20:17 UTC
Fixed upstream
ipa-4-6:
https://pagure.io/freeipa/c/35f6a1a11baadf0f69c3d3ec7cc9933c87dd4abf

Comment 10 Sudhir Menon 2018-08-24 05:02:58 UTC
Tested on Red Hat Enterprise Linux Server release 7.6 Beta (Maipo)

[root@master ~]# rpm -q ipa-server sssd samba krb5-server pki-server selinux-policy 389-ds-base
ipa-server-4.6.4-6.el7.x86_64
sssd-1.16.2-12.el7.x86_64
samba-4.8.3-4.el7.x86_64
krb5-server-1.15.1-34.el7.x86_64
pki-server-10.5.9-6.el7.noarch
selinux-policy-3.13.1-219.el7.noarch
389-ds-base-1.3.8.4-11.el7.x86_64

[root@master ~]# ipa group-add-member --users=ipauser1 admins
  Group name: admins
  Description: Account administrators group
  GID: 28600000
  Member users: admin, ipauser1
-------------------------
Number of members added 1
-------------------------

[root@master ~]# ipa group-show admins
  Group name: admins
  Description: Account administrators group
  GID: 28600000
  Member users: admin, ipauser1

[root@master ~]# kinit ipauser1
Password for ipauser1: 

[root@master ~]# klist -l
Principal name                 Cache name
--------------                 ----------
ipauser1           KEYRING:persistent:0:krb_ccache_xZgOMrU


[root@master ~]# ipa user-del test2 --preserve
--------------------
Deleted user "test2"
--------------------

[root@master ~]# ipa user-show test1
  User login: test1
  First name: test1
  Last name: s
  Home directory: /home/test1
  Login shell: /bin/sh
  Principal name: test1
  Principal alias: test1
  Email address: test1
  UID: 28600007
  GID: 28600007
  Account disabled: True
  Preserved user: True
  Password: False
  Kerberos keys available: False

[root@master ~]# ipa user-find
---------------
2 users matched
---------------
  User login: admin
  Last name: Administrator
  Home directory: /home/admin
  Login shell: /bin/bash
  Principal alias: admin
  UID: 28600000
  GID: 28600000
  Account disabled: False

Comment 12 errata-xmlrpc 2018-10-30 10:57:12 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3187