Bug 1261586 - ipa config-mod addattr fails for ipauserobjectclasses
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Assigned To: IPA Maintainers
Namita Soman
: Regression
Reported: 2015-09-09 13:51 EDT by Scott Poore
Modified: 2015-11-19 07:06 EST
Fixed In Version: ipa-4.2.0-11.el7
Doc Type: Bug Fix
Last Closed: 2015-11-19 07:06:27 EST
Type: Bug
Description Scott Poore 2015-09-09 13:51:31 EDT
Description of problem:

Failing to add attribute for ipaUserObjectClasses.

[root@master ~]# ipa config-mod --addattr="ipauserobjectclasses=sambasamaccount"
ipa: ERROR: invalid 'ipauserobjectclasses': user default attribute usercertificate;binary would not be allowed!

Version-Release number of selected component (if applicable):
It appears from test results that this may have started at 4.2.0-5
Seeing it now at ipa-server-4.2.0-8.el7.x86_64

How reproducible:

Steps to Reproduce:
1. Set up IPA Master
2. ipa config-mod --addattr="ipauserobjectclasses=sambasamaccount"

Actual results:
error above

Expected results:
no error.

Additional info:
[root@master ~]# ipa config-show --all --raw
  dn: cn=ipaConfig,cn=etc,dc=testrelm,dc=test
  ipamaxusernamelength: 32
  ipahomesrootdir: /home
  ipadefaultloginshell: /bin/sh
  ipadefaultprimarygroup: ipausers
  ipadefaultemaildomain: testrelm.test
  ipasearchtimelimit: 2
  ipasearchrecordslimit: 100
  ipausersearchfields: uid,givenname,sn,telephonenumber,ou,title
  ipagroupsearchfields: cn,description
  ipamigrationenabled: FALSE
  ipacertificatesubjectbase: O=TESTRELM.TEST
  ipapwdexpadvnotify: 4
  ipaconfigstring: AllowNThash
  ipaselinuxusermaporder: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
  ipaselinuxusermapdefault: unconfined_u:s0-s0:c0.c1023
  ipakrbauthzdata: MS-PAC
  ipakrbauthzdata: nfs:NONE
  aci: (targetattr = "cn || createtimestamp || entryusn || ipacertificatesubjectbase || ipaconfigstring || ipacustomfields || ipadefaultemaildomain || ipadefaultloginshell || ipadefaultprimarygroup || ipagroupobjectclasses || ipagroupsearchfields || ipahomesrootdir || ipakrbauthzdata || ipamaxusernamelength || ipamigrationenabled || ipapwdexpadvnotify || ipasearchrecordslimit || ipasearchtimelimit || ipaselinuxusermapdefault || ipaselinuxusermaporder || ipauserauthtype || ipauserobjectclasses || ipausersearchfields || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipaguiconfig)")(version 3.0;acl "permission:System: Read Global Configuration";allow (compare,read,search) userdn = "ldap:///all";)
  cn: ipaConfig
  ipaGroupObjectClasses: top
  ipaGroupObjectClasses: groupofnames
  ipaGroupObjectClasses: nestedgroup
  ipaGroupObjectClasses: ipausergroup
  ipaGroupObjectClasses: ipaobject
  ipaUserObjectClasses: top
  ipaUserObjectClasses: person
  ipaUserObjectClasses: organizationalperson
  ipaUserObjectClasses: inetorgperson
  ipaUserObjectClasses: inetuser
  ipaUserObjectClasses: posixaccount
  ipaUserObjectClasses: krbprincipalaux
  ipaUserObjectClasses: krbticketpolicyaux
  ipaUserObjectClasses: ipaobject
  ipaUserObjectClasses: ipasshuser
  objectClass: nsContainer
  objectClass: top
  objectClass: ipaGuiConfig
  objectClass: ipaConfigObject
  objectClass: ipaUserAuthTypeClass
[root@master ~]#
Comment 3 Petr Vobornik 2015-09-10 08:46:20 EDT
Upstream ticket:
Comment 6 Scott Poore 2015-09-17 16:21:33 EDT

Version ::


Results ::

[root@master ~]# ipa config-mod --addattr="ipauserobjectclasses=sambasamaccount"
  Maximum username length: 32
  Home directory base: /home
  Default shell: /bin/sh
  Default users group: ipausers
  Default e-mail domain: testrelm.test
  Search time limit: 2
  Search size limit: 100
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: FALSE
  Certificate Subject base: O=TESTRELM.TEST
  Default user objectclasses: ipaobject, person, top, ipasshuser, inetorgperson, sambasamaccount,
                              organizationalperson, krbticketpolicyaux, krbprincipalaux, inetuser,
  Password Expiration Notification (days): 4
  Password plugin features: AllowNThash
  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
  Default SELinux user: unconfined_u:s0-s0:c0.c1023
  Default PAC types: nfs:NONE, MS-PAC

[root@master ~]# ipa config-show --all --raw|grep -i samba
  ipaUserObjectClasses: sambasamaccount
Comment 7 errata-xmlrpc 2015-11-19 07:06:27 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

