
Bug 1261586

Summary: ipa config-mod addattr fails for ipauserobjectclasses
Product: Red Hat Enterprise Linux 7
Component: ipa
Version: 7.2
Status: CLOSED ERRATA
Severity: unspecified
Priority: unspecified
Reporter: Scott Poore <spoore>
Assignee: IPA Maintainers <ipa-maint>
QA Contact: Namita Soman <nsoman>
CC: dpal, jcholast, ksiddiqu, lmiksik, rcritten, tlavigne
Keywords: Regression
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Fixed In Version: ipa-4.2.0-11.el7
Doc Type: Bug Fix
Type: Bug
Last Closed: 2015-11-19 12:06:27 UTC

Description Scott Poore 2015-09-09 17:51:31 UTC
Description of problem:

Failing to add attribute for ipaUserObjectClasses.

[root@master ~]# ipa config-mod --addattr="ipauserobjectclasses=sambasamaccount"
ipa: ERROR: invalid 'ipauserobjectclasses': user default attribute usercertificate;binary would not be allowed!

Version-Release number of selected component (if applicable):
It appears from test results that this may have started at 4.2.0-5
Seeing it now at ipa-server-4.2.0-8.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. Set up IPA Master
2. ipa config-mod --addattr="ipauserobjectclasses=sambasamaccount"


Actual results:
error above

Expected results:
no error.

Additional info:
[root@master ~]# ipa config-show --all --raw
  dn: cn=ipaConfig,cn=etc,dc=testrelm,dc=test
  ipamaxusernamelength: 32
  ipahomesrootdir: /home
  ipadefaultloginshell: /bin/sh
  ipadefaultprimarygroup: ipausers
  ipadefaultemaildomain: testrelm.test
  ipasearchtimelimit: 2
  ipasearchrecordslimit: 100
  ipausersearchfields: uid,givenname,sn,telephonenumber,ou,title
  ipagroupsearchfields: cn,description
  ipamigrationenabled: FALSE
  ipacertificatesubjectbase: O=TESTRELM.TEST
  ipapwdexpadvnotify: 4
  ipaconfigstring: AllowNThash
  ipaselinuxusermaporder: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
  ipaselinuxusermapdefault: unconfined_u:s0-s0:c0.c1023
  ipakrbauthzdata: MS-PAC
  ipakrbauthzdata: nfs:NONE
  aci: (targetattr = "cn || createtimestamp || entryusn || ipacertificatesubjectbase || ipaconfigstring || ipacustomfields || ipadefaultemaildomain || ipadefaultloginshell || ipadefaultprimarygroup || ipagroupobjectclasses || ipagroupsearchfields || ipahomesrootdir || ipakrbauthzdata || ipamaxusernamelength || ipamigrationenabled || ipapwdexpadvnotify || ipasearchrecordslimit || ipasearchtimelimit || ipaselinuxusermapdefault || ipaselinuxusermaporder || ipauserauthtype || ipauserobjectclasses || ipausersearchfields || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipaguiconfig)")(version 3.0;acl "permission:System: Read Global Configuration";allow (compare,read,search) userdn = "ldap:///all";)
  cn: ipaConfig
  ipaGroupObjectClasses: top
  ipaGroupObjectClasses: groupofnames
  ipaGroupObjectClasses: nestedgroup
  ipaGroupObjectClasses: ipausergroup
  ipaGroupObjectClasses: ipaobject
  ipaUserObjectClasses: top
  ipaUserObjectClasses: person
  ipaUserObjectClasses: organizationalperson
  ipaUserObjectClasses: inetorgperson
  ipaUserObjectClasses: inetuser
  ipaUserObjectClasses: posixaccount
  ipaUserObjectClasses: krbprincipalaux
  ipaUserObjectClasses: krbticketpolicyaux
  ipaUserObjectClasses: ipaobject
  ipaUserObjectClasses: ipasshuser
  objectClass: nsContainer
  objectClass: top
  objectClass: ipaGuiConfig
  objectClass: ipaConfigObject
  objectClass: ipaUserAuthTypeClass
[root@master ~]#

Comment 3 Petr Vobornik 2015-09-10 12:46:20 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5295

Comment 6 Scott Poore 2015-09-17 20:21:33 UTC
Verified.

Version ::

ipa-server-4.2.0-11.el7.x86_64

Results ::

[root@master ~]# ipa config-mod --addattr="ipauserobjectclasses=sambasamaccount"
  Maximum username length: 32
  Home directory base: /home
  Default shell: /bin/sh
  Default users group: ipausers
  Default e-mail domain: testrelm.test
  Search time limit: 2
  Search size limit: 100
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: FALSE
  Certificate Subject base: O=TESTRELM.TEST
  Default user objectclasses: ipaobject, person, top, ipasshuser, inetorgperson, sambasamaccount,
                              organizationalperson, krbticketpolicyaux, krbprincipalaux, inetuser,
                              posixaccount
  Password Expiration Notification (days): 4
  Password plugin features: AllowNThash
  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
  Default SELinux user: unconfined_u:s0-s0:c0.c1023
  Default PAC types: nfs:NONE, MS-PAC

[root@master ~]# ipa config-show --all --raw|grep -i samba
  ipaUserObjectClasses: sambasamaccount

Comment 7 errata-xmlrpc 2015-11-19 12:06:27 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2362.html