Red Hat Bugzilla – Bug 1108195
MOD command returns duplicate memberships
Last modified: 2015-03-05 05:11:11 EST
This bug is created as a clone of upstream ticket: https://fedorahosted.org/freeipa/ticket/4175

permission-mod command returned duplicate memberships:

{{{
# ipa permission-show "Manage host keytab"
  Permission name: Manage host keytab
  Permissions: write, add
  Attributes: krbprincipalkey, krblastpwdchange
  Type: host
  Granted to Privilege: Host Administrators, Host Enrollment
  Indirect Member of roles: Build Administrator, IT Specialist

# ipa permission-mod "Manage host keytab" --permissions=write
----------------------------------------
Modified permission "Manage host keytab"
----------------------------------------
  Permission name: Manage host keytab
  Permissions: write
  Attributes: krbprincipalkey, krblastpwdchange
  Type: host
  Granted to Privilege: Host Administrators, Host Enrollment
>>Indirect Member of roles: Build Administrator, IT Specialist, Build Administrator, IT Specialist<<

# ipa permission-show "Manage host keytab"
  Permission name: Manage host keytab
  Permissions: write
  Attributes: krbprincipalkey, krblastpwdchange
  Type: host
  Granted to Privilege: Host Administrators, Host Enrollment
  Indirect Member of roles: Build Administrator, IT Specialist
}}}

As you see, this only appears to be an issue with MOD display, not storage in LDAP.
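The report above shows the role list printed by permission-mod with every entry repeated while permission-show prints it once. As an added example (not code from the FreeIPA project or from this bug report), the script below parses the "Key: value" block that ipa commands print, flags list-valued attributes that contain repeated entries, and compares the membership shown after a modify against what a subsequent show reports. The sample outputs are constructed from the report; the attribute names treated as lists are an assumption for this check, and the subtree DN is deliberately not split on commas.

```python
"""Detect duplicated memberships in ipa permission-show / permission-mod output."""
from collections import Counter

# Attributes FreeIPA prints as comma-separated lists of names (assumed set for
# this check). Other attributes, e.g. Subtree, which is a DN containing commas,
# are kept as a single string.
LIST_ATTRS = {
    "Permissions", "Attributes", "Granted to Privilege",
    "Member of roles", "Indirect Member of roles",
}

# Constructed sample outputs, modelled on the report above.
SHOW_BEFORE = """\
# ipa permission-show "Manage host keytab"
  Permission name: Manage host keytab
  Permissions: write, add
  Attributes: krbprincipalkey, krblastpwdchange
  Type: host
  Granted to Privilege: Host Administrators, Host Enrollment
  Indirect Member of roles: Build Administrator, IT Specialist
"""

MOD_OUTPUT = """\
# ipa permission-mod "Manage host keytab" --permissions=write
----------------------------------------
Modified permission "Manage host keytab"
----------------------------------------
  Permission name: Manage host keytab
  Permissions: write
  Attributes: krbprincipalkey, krblastpwdchange
  Type: host
  Granted to Privilege: Host Administrators, Host Enrollment
  Indirect Member of roles: Build Administrator, IT Specialist, Build Administrator, IT Specialist
"""

SHOW_AFTER = """\
# ipa permission-show "Manage host keytab"
  Permission name: Manage host keytab
  Permissions: write
  Attributes: krbprincipalkey, krblastpwdchange
  Type: host
  Granted to Privilege: Host Administrators, Host Enrollment
  Indirect Member of roles: Build Administrator, IT Specialist
"""


def parse_ipa_output(text):
    """Turn the 'Key: value' lines of an ipa command's output into a dict.

    Command echo lines ('# ipa ...'), banner lines and dashes carry no ': '
    separator and are skipped. List attributes become Python lists.
    """
    parsed = {}
    for raw in text.splitlines():
        line = raw.strip()
        key, sep, value = line.partition(": ")
        if not sep or line.startswith("#"):
            continue
        if key in LIST_ATTRS:
            parsed[key] = [v.strip() for v in value.split(",") if v.strip()]
        else:
            parsed[key] = value
    return parsed


def find_duplicate_memberships(parsed):
    """Return {attribute: sorted list of values that appear more than once}."""
    duplicates = {}
    for key, values in parsed.items():
        if isinstance(values, list):
            repeated = sorted(v for v, n in Counter(values).items() if n > 1)
            if repeated:
                duplicates[key] = repeated
    return duplicates


def membership_matches(mod_parsed, show_parsed, attr="Indirect Member of roles"):
    """True when the membership printed by permission-mod, viewed as a set,
    equals what permission-show reports; a display-only bug passes this even
    though find_duplicate_memberships() flags it."""
    return set(mod_parsed.get(attr, [])) == set(show_parsed.get(attr, []))


if __name__ == "__main__":
    mod = parse_ipa_output(MOD_OUTPUT)
    after = parse_ipa_output(SHOW_AFTER)
    print("duplicates in permission-mod output:", find_duplicate_memberships(mod))
    print("duplicates in permission-show output:", find_duplicate_memberships(after))
    print("stored membership matches displayed set:", membership_matches(mod, after))
```

Run against real output by piping the command's stdout into parse_ipa_output(); a non-empty result from find_duplicate_memberships() together with a true membership_matches() is exactly the display-only symptom this report describes.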
This request is already fixed in upstream FreeIPA project. Please refer to the linked ticket for additional details and related commits.
Please add steps to verify this issue.

# ipa permission-show "Manage host keytab"
ipa: ERROR: Manage host keytab: permission not found
Verified using ipa-server-4.1.0-16.el7.x86_64

# ipa permission-show "System: Manage Host Keytab"
  Permission name: System: Manage Host Keytab
  Granted rights: write
  Effective attributes: krblastpwdchange, krbprincipalkey
  Default attributes: krbprincipalkey, krblastpwdchange
  Bind rule type: permission
  Subtree: cn=computers,cn=accounts,dc=testrelm,dc=test
  Type: host
  Granted to Privilege: Host Administrators, Host Enrollment
  Indirect Member of roles: IT Specialist

# ipa permission-mod "System: Manage Host Keytab" --attrs=
------------------------------------------------
Modified permission "System: Manage Host Keytab"
------------------------------------------------
  Permission name: System: Manage Host Keytab
  Granted rights: write
  Excluded attributes: krbprincipalkey, krblastpwdchange
  Default attributes: krbprincipalkey, krblastpwdchange
  Bind rule type: permission
  Subtree: cn=computers,cn=accounts,dc=testrelm,dc=test
  Type: host
  Granted to Privilege: Host Administrators, Host Enrollment
  Indirect Member of roles: IT Specialist

# ipa permission-mod "System: Manage Host Keytab" --attrs=objectclass
------------------------------------------------
Modified permission "System: Manage Host Keytab"
------------------------------------------------
  Permission name: System: Manage Host Keytab
  Granted rights: write
  Effective attributes: objectclass
  Included attributes: objectclass
  Excluded attributes: krbprincipalkey, krblastpwdchange
  Default attributes: krbprincipalkey, krblastpwdchange
  Bind rule type: permission
  Subtree: cn=computers,cn=accounts,dc=testrelm,dc=test
  Type: host
  Granted to Privilege: Host Administrators, Host Enrollment
  Indirect Member of roles: IT Specialist

Duplicate memberships not seen when modifying.
Thanks Namita, this is correct.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2015-0442.html