Bug 817915

Summary: Helpdesk admin unable to change a user's lastname
Product: Red Hat Enterprise Linux 6
Reporter: Namita Soman <nsoman>
Component: ipa
Assignee: Rob Crittenden <rcritten>
Status: CLOSED WORKSFORME
QA Contact: IDM QE LIST <seceng-idm-qe-list>
Severity: unspecified
Priority: unspecified
Version: 6.3
CC: dpal, jgalipea, mkosek
Target Milestone: rc
Keywords: Regression
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2012-05-07 14:23:59 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Namita Soman 2012-05-01 19:14:16 UTC
Description of problem:
Add a user and assign it the helpdesk role. Kinit as this user. Change another user's lastname. This fails in ipa-server.x86_64 0:2.2.0-12.el6 with the error:

ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'sn' attribute of entry 'uid=test,cn=users,cn=accounts,dc=testrelm,dc=com'.

But this used to work as expected, that is, updating another user's lastname succeeded in ipa-server.x86_64 0:2.2.0-11.el6.


Version-Release number of selected component (if applicable):
ipa-server.x86_64 0:2.2.0-12.el6

How reproducible:
always

Steps to Reproduce:
1. Add 2 users, say helpdeskadmin and test, and assign passwords
2. Assign the role helpdesk to helpdeskadmin
3. kinit as helpdeskadmin
4. Change test's last name:
ipa user-mod --last="testtest" test

  
Actual results:
ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'sn' attribute of entry 'uid=test,cn=users,cn=accounts,dc=testrelm,dc=com'.

Expected results:
be able to update test's last name

Additional info:
Added user nk with the helpdesk role:
# ipa user-show nk
  User login: nk
  First name: nk
  Last name: nk
  Home directory: /home/nk
  Login shell: /bin/sh
  UID: 1111600018
  GID: 1111600018
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Roles: helpdesk
  Kerberos keys available: True

kinit'd as nk:
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: nk

Valid starting     Expires            Service principal
05/01/12 14:53:09  05/02/12 14:53:09  krbtgt/TESTRELM.COM
05/01/12 14:53:38  05/02/12 14:53:09  HTTP/sgi-xe320-01.testrelm.com

Modified user one's last name:
# ipa user-mod --last=oneone one
ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'sn' attribute of entry 'uid=one,cn=users,cn=accounts,dc=testrelm,dc=com'.

Comment 2 Rob Crittenden 2012-05-01 22:07:20 UTC
Are you sure the permissions are unchanged? I wasn't able to reproduce this on a new install:

$ kinit admin
Password for admin: 
$ ipa user-add --first=tim --last=user tuser1
-------------------
Added user "tuser1"
-------------------
  User login: tuser1
  First name: tim
  Last name: user
  Full name: tim user
  Display name: tim user
  Initials: tu
  Home directory: /home/tuser1
  GECOS field: tim user
  Login shell: /bin/sh
  Kerberos principal: tuser1
  UID: 1314400011
  GID: 1314400011
  Password: False
  Kerberos keys available: False
$ ipa role-add-member --users=tuser1 helpdesk
  Role name: helpdesk
  Description: Helpdesk
  Member users: tuser1
  Privileges: modify users and reset passwords, modify group membership
-------------------------
Number of members added 1
-------------------------
$ ipa passwd tuser1
New Password: 
Enter New Password again to verify: 
-----------------------------------------
Changed password for "tuser1"
-----------------------------------------
$ ipa user-add --first=jane --last=user juser1
-------------------
Added user "juser1"
-------------------
  User login: juser1
  First name: jane
  Last name: user
  Full name: jane user
  Display name: jane user
  Initials: ju
  Home directory: /home/juser1
  GECOS field: jane user
  Login shell: /bin/sh
  Kerberos principal: juser1
  UID: 1314400011
  GID: 1314400011
  Password: False
  Kerberos keys available: False
$ kinit tuser1
Password for tuser1: 
Password expired.  You must change it now.
Enter new password: 
Enter it again: 
$ ipa user-mod --last=new juser1
----------------------
Modified user "juser1"
----------------------
  User login: juser1
  First name: jane
  Last name: new
  Home directory: /home/juser1
  Login shell: /bin/sh
  UID: 1314400011
  GID: 1314400011
  Account disabled: False
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False

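The first thing to verify on the failing host is the question raised in comment 2: whether the permissions behind the helpdesk role still cover the attribute named in the error. In IPA 2.x a permission is backed by a 389-ds ACI whose targetattr list decides which attributes the permission's group may write, so the check is to pull the aci values with ldapsearch and see which permission, if any, grants write on sn. The script below is an added example, not part of this bug report or of the IPA code base. It parses ACI values of the form IPA uses for its permission entries and reports which permission grants write on a given attribute; the LDIF sample is constructed for illustration, and the attribute list shown in the "Modify Users" ACI is not copied from a real server.

```python
"""Which IPA permission grants write on a given attribute?

Added example, not IPA project code.  Parses 389-ds ACI strings of the
shape IPA 2.x uses for its permission entries and answers the question
"is 'sn' writable via the Modify Users permission?".  All sample data
below is constructed.
"""
import re
from typing import Dict, List

# Constructed LDIF sample, shaped like `ldapsearch ... aci` output.  The
# first value is folded across lines the way LDIF wraps long values
# (continuation lines start with a single space).  The attribute list is
# illustrative, not a dump from a real server.
SAMPLE_LDIF = """\
dn: cn=users,cn=accounts,dc=testrelm,dc=com
aci: (targetattr = "givenname || sn || cn || displayname || title || initials
  || loginshell || gecos || telephonenumber || street || l || st || postalcode
  || manager || description")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=testrelm,dc=com")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,dc=testrelm,dc=com";)
aci: (targetattr = "userpassword || krbprincipalkey || passwordhistory")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=testrelm,dc=com")(version 3.0;acl "permission:Reset Passwords";allow (write) groupdn = "ldap:///cn=Reset Passwords,cn=permissions,cn=pbac,dc=testrelm,dc=com";)
"""


def acis_from_ldif(text: str) -> List[str]:
    """Unfold LDIF continuation lines and return every 'aci:' value."""
    unfolded: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]  # LDIF folding: drop exactly one leading space
        else:
            unfolded.append(line)
    return [l[len("aci:"):].strip() for l in unfolded if l.lower().startswith("aci:")]


def parse_aci(aci: str) -> Dict:
    """Extract the parts of an ACI that decide attribute-level write access."""
    m_attr = re.search(r'\(targetattr\s*(!?=)\s*"([^"]*)"\s*\)', aci, re.I)
    m_name = re.search(r'\bacl\s*"([^"]*)"', aci, re.I)
    m_rule = re.search(r'\b(allow|deny)\s*\(([^)]*)\)', aci, re.I)
    m_group = re.search(r'\bgroupdn\s*=\s*"([^"]*)"', aci, re.I)
    if not (m_attr and m_name and m_rule):
        raise ValueError("unrecognised ACI: " + aci[:60])
    return {
        "name": m_name.group(1),
        "negated": m_attr.group(1) == "!=",  # targetattr != "a || b" means all BUT a, b
        "attrs": {a.strip().lower() for a in m_attr.group(2).split("||")},
        "effect": m_rule.group(1).lower(),
        "rights": {r.strip().lower() for r in m_rule.group(2).split(",")},
        "groupdn": m_group.group(1) if m_group else None,
    }


def grants_write(parsed: Dict, attr: str) -> bool:
    """True if this ACI allows 'write' (or 'all') on attr."""
    if parsed["effect"] != "allow":
        return False
    if not ({"write", "all"} & parsed["rights"]):
        return False
    listed = attr.lower() in parsed["attrs"] or "*" in parsed["attrs"]
    return (not listed) if parsed["negated"] else listed


def permission_name(parsed: Dict) -> str:
    """IPA names a permission's ACI 'permission:<Permission name>'."""
    name = parsed["name"]
    return name[len("permission:"):] if name.startswith("permission:") else name


def write_granted_by(acis: List[str], attr: str) -> List[str]:
    """Names of the permissions whose ACI grants write on attr."""
    return sorted(permission_name(p) for p in map(parse_aci, acis) if grants_write(p, attr))


def writable_attrs(acis: List[str], permission: str):
    """Attributes a named permission may write; None if it is an exclusion list."""
    for p in map(parse_aci, acis):
        if permission_name(p) == permission and p["effect"] == "allow":
            return None if p["negated"] else sorted(p["attrs"])
    return []


if __name__ == "__main__":
    acis = acis_from_ldif(SAMPLE_LDIF)
    for attr in ("sn", "userpassword", "uidnumber"):
        print(attr, "->", write_granted_by(acis, attr) or "nobody")
    print("Modify Users may write:", writable_attrs(acis, "Modify Users"))
```

On the failing host, replace SAMPLE_LDIF with real output obtained with an admin ticket, for example `ldapsearch -Y GSSAPI -b dc=testrelm,dc=com '(objectclass=*)' aci` (IPA 2.x normally stores permission ACIs on the suffix entry with a target clause, so a base-scope search there is usually enough). If no permission grants write on sn, the ACI on that machine has been altered and the role membership in `ipa role-show helpdesk` is not the place to look; diffing the aci values against a working host, as was effectively done in comment 3, then pinpoints the change.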
Comment 3 Namita Soman 2012-05-07 14:23:59 UTC
Tried on ipa-server-2.2.0-12.el6.x86_64 and it is working. I suspect my automation tests that run before this might be causing this failure. Trying manually on that machine, I repeatedly see the error. But I re-tested on a separate machine and confirmed it is working.