Bug 907917
| Field | Value |
|---|---|
| Summary | Internal error when user triggers trusted domain communication |
| Product | Red Hat Enterprise Linux 7 |
| Reporter | Ann Marie Rubin <arubin> |
| Component | ipa |
| Assignee | Rob Crittenden <rcritten> |
| Status | CLOSED CURRENTRELEASE |
| QA Contact | IDM QE LIST <seceng-idm-qe-list> |
| Severity | unspecified |
| Docs Contact | |
| Priority | medium |
| Version | 7.0 |
| CC | mkosek, mvarun, nsoman |
| Target Milestone | rc |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Unspecified |
| Whiteboard | |
| Fixed In Version | ipa-3.2.1-1.el7 |
| Doc Type | Bug Fix |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2014-06-13 09:18:58 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
Description
Ann Marie Rubin
2013-02-05 14:21:31 UTC

Fixed upstream.
master: a41e10f0ebdd0be543d36b3bbe795d92974b0a2e
ipa-3-1: b238fc13ef98afb0bae4c479be1fc2c7fa94468d

These are the steps I followed. Let me know if I am missing anything.

-----------------------------------------

```
[root@rhel7ad ~]# ipa user-show fbar
  User login: fbar
  First name: Foo
  Last name: Bar
  Home directory: /home/fbar
  Login shell: /bin/sh
  Email address: fbar
  UID: 1875600045
  GID: 1875600045
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Roles: helpdesk
  Kerberos keys available: True
[root@rhel7ad ~]# kinit fbar
Password for fbar:
[root@rhel7ad ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_Y7YH42Q
Default principal: fbar

Valid starting       Expires              Service principal
01/31/2014 00:22:29  02/01/2014 00:22:29  krbtgt/TESTRELM.COM
[root@rhel7ad ~]# ipa group-add-member ext_all_admins --external "IPAQE1\Administrator"
[member user]:
[member group]:
ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'ipaExternalMember' attribute of entry 'cn=ext_all_admins,cn=groups,cn=accounts,dc=testrelm,dc=com'.
```

/var/log/httpd/error_log:

```
[Fri Jan 31 00:23:13.974923 2014] [:error] [pid 13506] ipa: INFO: fbar: group_add_member(u'ext_all_admins', ipaexternalmember=(u'IPAQE1\\\\Administrator',), all=False, raw=False, version=u'2.65', no_members=False): ACIError
[Fri Jan 31 00:23:13.974994 2014] [:error] [pid 13506] ipa: DEBUG: response: ACIError: Insufficient access: Insufficient 'write' privilege to the 'ipaExternalMember' attribute of entry 'cn=ext_all_admins,cn=groups,cn=accounts,dc=testrelm,dc=com'.
[Fri Jan 31 00:23:13.975645 2014] [:error] [pid 13506] ipa: DEBUG: no session id in request, generating empty session data with id=b3ef224f9bc21c11e2d694d217c86e89
[Fri Jan 31 00:23:13.975818 2014] [:error] [pid 13506] ipa: DEBUG: store session: session_id=b3ef224f9bc21c11e2d694d217c86e89 start_timestamp=2014-01-31T00:23:13 access_timestamp=2014-01-31T00:23:13 expiration_timestamp=1970-01-01T05:30:00
```

Yes, it should be enough.

But it would also be interesting to assign the role "User Administrator" to the user "fbar" so that it has the actual write permission to the membership attribute:

```
$ kinit admin
$ ipa role-add-member "User Administrator" --users "fbar"
$ kinit fbar
$ ipa group-add-member ext_all_admins --external "IPAQE1\Administrator"
```

Verified in ipa-server-3.3.3-17.el7.x86_64:

```
[root@rhel7ad ~]# kinit admin
Password for admin:
[root@rhel7ad ~]# ipa role-add-member "User Administrator" --users "fbar"
  Role name: User Administrator
  Description: Responsible for creating Users and Groups
  Member users: fbar
  Privileges: User Administrators, Group Administrators
-------------------------
Number of members added 1
-------------------------
[root@rhel7ad ~]# kinit fbar
Password for fbar:
[root@rhel7ad ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_zDiWSuc
Default principal: fbar

Valid starting       Expires              Service principal
02/26/2014 17:47:22  02/27/2014 17:47:22  krbtgt/TESTRELM.COM
[root@rhel7ad ~]# ipa group-add-member ext_all_admins --external "IPAQE1\Administrator"
[member user]:
[member group]:
ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'ipaExternalMember' attribute of entry 'cn=ext_all_admins,cn=groups,cn=accounts,dc=testrelm,dc=com'.
```

This request was resolved in Red Hat Enterprise Linux 7.0. Contact your manager or support representative in case you have further questions about the request.
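The verification run above ends in a clean `ACIError` rather than the internal error this bug is about, and the one server-side record that distinguishes the two is the `ipa: INFO: principal: command(args): Result` audit line in `/var/log/httpd/error_log` (the `DEBUG: response:` line only appears with debugging enabled). The following Python is an added example, not part of the bug report or of FreeIPA: it parses those audit lines and flags any request whose result is `InternalError` (an exception that escaped the command) as opposed to `SUCCESS` or an expected `ACIError` denial. The first two sample lines are copied from the log quoted above; the `admin`/`SUCCESS` and `InternalError` lines are constructed for the example and assume the same line shape, which is an assumption, not something the page shows.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample input. Lines 1-2 are from the error_log excerpt in the bug
# report; lines 3-4 are made up for this example and ASSUME the same
# "principal: command(args): Result" shape, with SUCCESS for a completed call
# and InternalError for an unhandled server-side exception.
SAMPLE_LOG = r"""
[Fri Jan 31 00:23:13.974923 2014] [:error] [pid 13506] ipa: INFO: fbar: group_add_member(u'ext_all_admins', ipaexternalmember=(u'IPAQE1\\\\Administrator',), all=False, raw=False, version=u'2.65', no_members=False): ACIError
[Fri Jan 31 00:23:13.974994 2014] [:error] [pid 13506] ipa: DEBUG: response: ACIError: Insufficient access: Insufficient 'write' privilege to the 'ipaExternalMember' attribute of entry 'cn=ext_all_admins,cn=groups,cn=accounts,dc=testrelm,dc=com'.
[Fri Jan 31 00:30:41.118205 2014] [:error] [pid 13506] ipa: INFO: admin: group_add_member(u'ext_all_admins', ipaexternalmember=(u'IPAQE1\\\\Administrator',), all=False, raw=False, version=u'2.65', no_members=False): SUCCESS
[Thu Jan 30 22:10:07.551900 2014] [:error] [pid 13411] ipa: INFO: fbar: group_add_member(u'ext_all_admins', ipaexternalmember=(u'IPAQE1\\\\Administrator',), all=False, raw=False, version=u'2.65', no_members=False): InternalError
"""

# httpd 2.4 prefix ([timestamp] [module:level] [pid N]) followed by the IPA
# audit record. The result is the exception class name or SUCCESS.
AUDIT_LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[[^\]]*\] \[pid (?P<pid>\d+)\] "
    r"ipa: INFO: (?P<principal>[^:]+): (?P<command>\w+)\((?P<args>.*)\): (?P<result>\w+)$"
)


@dataclass
class AuditEvent:
    timestamp: str
    pid: int
    principal: str
    command: str
    args: str
    result: str

    @property
    def outcome(self) -> str:
        """Coarse classification of the server's result.

        'ok'     - the command completed.
        'denied' - the directory ACI rejected the write; expected for a
                   principal that lacks the privilege (the post-fix behaviour).
        'bug'    - InternalError: an exception escaped the command and the
                   client only saw a generic failure (the pre-fix behaviour).
        'client' - any other public error (validation, not found, ...).
        """
        if self.result == "SUCCESS":
            return "ok"
        if self.result == "InternalError":
            return "bug"
        if self.result == "ACIError":
            return "denied"
        return "client"


def parse_audit_lines(text: str) -> List[AuditEvent]:
    """Return one AuditEvent per INFO audit line; other lines are ignored."""
    events: List[AuditEvent] = []
    for line in text.splitlines():
        m = AUDIT_LINE.match(line)
        if not m:  # DEBUG/response lines, tracebacks, blank lines
            continue
        events.append(AuditEvent(m["ts"], int(m["pid"]), m["principal"],
                                 m["command"], m["args"], m["result"]))
    return events


def find_internal_errors(events: List[AuditEvent]) -> List[AuditEvent]:
    """The events a verifier of this bug cares about: leaked server exceptions."""
    return [e for e in events if e.outcome == "bug"]


def summarize(events: List[AuditEvent]) -> Dict[Tuple[str, str, str], int]:
    """Count results per (principal, command, outcome)."""
    counts: Dict[Tuple[str, str, str], int] = {}
    for e in events:
        key = (e.principal, e.command, e.outcome)
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    evs = parse_audit_lines(SAMPLE_LOG)
    for e in evs:
        print(f"{e.timestamp}  {e.principal:<6} {e.command}  {e.result:<14} -> {e.outcome}")
    for e in find_internal_errors(evs):
        print(f"INTERNAL ERROR for {e.principal}: {e.command}({e.args})")
```

Run it against a real `error_log` by replacing `SAMPLE_LOG` with the file contents; an `InternalError` for a command that other principals complete or get a clean `ACIError` for is exactly the symptom this bug describes, and the captured `args` tell you which external member or group triggered the trusted-domain lookup.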