Red Hat Bugzilla – Bug 1435718
As an ID user I cannot call a command with --rights option
Last modified: 2017-08-01 05:46:16 EDT
Cloned from upstream: https://pagure.io/freeipa/issue/6797

Description:
As an ID user I try to call a command, i.e. (ipa config-show --rights or ipa idoverrideuser-show "id view" user@DOM-AD.EXAMPLE), and I get "ipa: ERROR: no matching entry found". So getting effective rights does not work for AD users. The problem is in the CLI and also when performing API calls.

Steps to reproduce:
1. Install FreeIPA and AD server
2. Establish trust between those two machines
3. kinit as AD user or Administrator (# kinit Administrator@DOM-AD.EXAMPLE)
4. Try to run any command with the --rights option ($ ipa config-show --rights --all)
5. "ipa: ERROR: no matching entry found" is shown

Expected result:
Get entry with effective rights.

The following traceback is taken from /var/log/httpd/error_log, with "debug = True" set in /etc/ipa/default.conf and performing:

$ ipa idoverrideuser-show "Default Trust View" Administrator@DOM-AD.EXAMPLE --rights

```console
0x7fde76f0ae18>
[Wed Mar 22 10:27:51.943448 2017] [wsgi:error] [pid 36695] ipa: DEBUG: WSGI wsgi_execute PublicError: Traceback (most recent call last):
[Wed Mar 22 10:27:51.943480 2017] [wsgi:error] [pid 36695]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 367, in wsgi_execute
[Wed Mar 22 10:27:51.943485 2017] [wsgi:error] [pid 36695]     result = command(*args, **options)
[Wed Mar 22 10:27:51.943489 2017] [wsgi:error] [pid 36695]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 447, in __call__
[Wed Mar 22 10:27:51.943493 2017] [wsgi:error] [pid 36695]     return self.__do_call(*args, **options)
[Wed Mar 22 10:27:51.943504 2017] [wsgi:error] [pid 36695]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 475, in __do_call
[Wed Mar 22 10:27:51.943508 2017] [wsgi:error] [pid 36695]     ret = self.run(*args, **options)
[Wed Mar 22 10:27:51.943511 2017] [wsgi:error] [pid 36695]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 797, in run
[Wed Mar 22 10:27:51.943515 2017] [wsgi:error] [pid 36695]     return self.execute(*args, **options)
[Wed Mar 22 10:27:51.943519 2017] [wsgi:error] [pid 36695]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/baseldap.py", line 1327, in execute
[Wed Mar 22 10:27:51.943522 2017] [wsgi:error] [pid 36695]     ldap, entry_attrs.dn)
[Wed Mar 22 10:27:51.943526 2017] [wsgi:error] [pid 36695]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/baseldap.py", line 212, in get_effective_rights
[Wed Mar 22 10:27:51.943530 2017] [wsgi:error] [pid 36695]     rights = ldap.get_effective_rights(dn, attrs)
[Wed Mar 22 10:27:51.943533 2017] [wsgi:error] [pid 36695]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line 291, in get_effective_rights
[Wed Mar 22 10:27:51.943537 2017] [wsgi:error] [pid 36695]     "krbPrincipalAux", base_dn=self.api.env.basedn)
[Wed Mar 22 10:27:51.943540 2017] [wsgi:error] [pid 36695]   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1469, in find_entry_by_attr
[Wed Mar 22 10:27:51.943544 2017] [wsgi:error] [pid 36695]     base_dn, filter=filter, attrs_list=attrs_list)
[Wed Mar 22 10:27:51.943547 2017] [wsgi:error] [pid 36695]   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1317, in get_entries
[Wed Mar 22 10:27:51.943551 2017] [wsgi:error] [pid 36695]     **kwargs)
[Wed Mar 22 10:27:51.943555 2017] [wsgi:error] [pid 36695]   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1448, in find_entries
[Wed Mar 22 10:27:51.943558 2017] [wsgi:error] [pid 36695]     raise errors.EmptyResult(reason='no matching entry found')
[Wed Mar 22 10:27:51.943562 2017] [wsgi:error] [pid 36695] EmptyResult: no matching entry found
[Wed Mar 22 10:27:51.943565 2017] [wsgi:error] [pid 36695]
```
Upstream ticket: https://pagure.io/freeipa/issue/6797
This is a prerequisite for self-service Web UI for AD users work.
ipa-4-5: 7d48fb841a23e9f036f3d449d80623d1225c820a ldap2: use LDAP whoami operation to retrieve bind DN for current connection
master: 7324451834ec03786fda947679f750fe2a72f29c ldap2: use LDAP whoami operation to retrieve bind DN for current connection
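To make the failure mode and the fix concrete, here is an added Python sketch (written for this page, not FreeIPA's own code) contrasting the two ways of finding the bind DN that the effective-rights lookup needs: the pre-fix search for a krbPrincipalAux entry under the base DN by krbPrincipalName, which has nothing to match for a trusted-domain principal, and the post-fix LDAP "Who am I?" extended operation (RFC 4532), which returns the authzId of whatever identity the connection is bound as. The directory entries, the mapped DN of the AD user, the Connection class and the "dn: <DN>" control-value format are constructed assumptions for the example.

```python
# Added illustration, not FreeIPA's code: why resolving the bind DN by
# krbPrincipalName fails for trusted-domain users, and why the LDAP
# "Who am I?" operation (RFC 4532) does not. Entries and DNs are constructed.


class EmptyResult(Exception):
    """Stand-in for the ipalib errors.EmptyResult seen in the traceback."""


BASEDN = "dc=testrelm,dc=test"

# Constructed mini-directory. The IPA user carries krbPrincipalAux and a
# krbPrincipalName; the trusted-domain user's mapped identity (placeholder
# DN, the real mapping is not shown on this page) carries neither.
DIRECTORY = {
    "uid=admin,cn=users,cn=accounts," + BASEDN: {
        "objectclass": {"top", "person", "posixaccount", "krbprincipalaux"},
        "krbprincipalname": {"admin@TESTRELM.TEST"},
    },
    "uid=aduser2@pne.qe,cn=users,cn=compat," + BASEDN: {  # placeholder DN
        "objectclass": {"top", "posixaccount"},
        "uid": {"aduser2@pne.qe"},
    },
}


def find_entry_by_attr(attr, value, object_class, base_dn):
    """Mimic ipaldap.find_entry_by_attr: subtree search for
    (&(attr=value)(objectclass=object_class)) under base_dn."""
    matches = [
        dn for dn, entry in DIRECTORY.items()
        if dn.lower().endswith(base_dn.lower())
        and object_class.lower() in entry.get("objectclass", set())
        and value in entry.get(attr.lower(), set())
    ]
    if not matches:
        raise EmptyResult("no matching entry found")
    return matches[0]


def bind_dn_by_principal(principal):
    """Pre-fix strategy: derive the bind DN from the Kerberos principal."""
    return find_entry_by_attr("krbPrincipalName", principal,
                              "krbPrincipalAux", BASEDN)


class Connection:
    """Minimal stand-in for a bound LDAP connection supporting the
    "Who am I?" extended operation (python-ldap exposes it as whoami_s)."""

    def __init__(self, authz_id):
        self._authz_id = authz_id

    def whoami_s(self):
        # RFC 4532: an authzId of the form "dn:<DN>" or "u:<userid>";
        # the empty string means the connection is anonymous.
        return self._authz_id


def bind_dn_by_whoami(conn):
    """Post-fix strategy: ask the server which identity this connection
    is bound as, and accept only the DN form of the answer."""
    authz_id = conn.whoami_s()
    if not authz_id:
        raise EmptyResult("anonymous connection has no bind DN")
    if not authz_id.startswith("dn:"):
        raise ValueError("unexpected authzId form: %r" % authz_id)
    return authz_id[len("dn:"):]


def effective_rights_authz_id(conn, principal, use_whoami):
    """Build the 'dn: <DN>' value (assumed format) that the Get Effective
    Rights control carries, using either lookup strategy; raises
    EmptyResult when the bind DN cannot be found."""
    if use_whoami:
        bind_dn = bind_dn_by_whoami(conn)
    else:
        bind_dn = bind_dn_by_principal(principal)
    return "dn: " + bind_dn


def lookup_fails(principal):
    """True when the pre-fix lookup raises EmptyResult for this principal."""
    try:
        bind_dn_by_principal(principal)
    except EmptyResult:
        return True
    return False


if __name__ == "__main__":
    ad_conn = Connection("dn:uid=aduser2@pne.qe,cn=users,cn=compat," + BASEDN)
    print(lookup_fails("aduser2@PNE.QE"))                            # True
    print(effective_rights_authz_id(ad_conn, "aduser2@PNE.QE", True))
```

The design point is that the server already knows the bound identity, so asking it (whoami) works for any mapping 389-ds applied at bind time, whereas reconstructing the DN client-side from the principal only works for entries that actually live in the IPA tree with a krbPrincipalName.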
Tested on RHEL7.4
ipa-server-4.5.0-13.el7.x86_64
krb5-server-1.15.1-8.el7.x86_64
pki-server-10.4.1-6.el7.noarch
389-ds-base-1.3.6.1-15.el7.x86_64
sssd-1.15.2-35.el7.x86_64
selinux-policy-3.13.1-152.el7.noarch

1. Establish trust with AD

2. Add override for trusted aduser to default trust view.
   #ipa iduseroverride-add "default trust view" aduser2@pne.qe

3.
```console
[root@autohv01 ~]# echo **** | kinit aduser2@PNE.QE
Password for aduser2@PNE.QE:
[root@autohv01 ~]# klist -l
Principal name                 Cache name
--------------                 ----------
aduser2@PNE.QE                 KEYRING:persistent:0:krb_ccache_9Fc3Eqa
```

4.
```console
[root@autohv01 ~]# ipa config-show --rights --all
  dn: cn=ipaConfig,cn=etc,dc=testrelm,dc=test
  Maximum username length: 32
  Home directory base: /home
  Default shell: /bin/sh
  Default users group: ipausers
  Default e-mail domain: testrelm.test
  Search time limit: 2
  Search size limit: 100
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: FALSE
  Certificate Subject base: O=TESTRELM.TEST
  Default group objectclasses: top, groupofnames, nestedgroup, ipausergroup, ipaobject
  Default user objectclasses: top, person, organizationalperson, inetorgperson, inetuser, posixaccount, krbprincipalaux, krbticketpolicyaux, ipaobject, ipasshuser
  Password Expiration Notification (days): 4
  Password plugin features: AllowNThash, KDC:Disable Last Success
  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
  Default SELinux user: unconfined_u:s0-s0:c0.c1023
  Default PAC types: MS-PAC, nfs:NONE
  IPA masters:
  IPA CA servers:
  IPA NTP servers:
  attributelevelrights: {u'cn': u'rsc', u'ipauserauthtype': u'rsc', u'ipadefaultprimarygroup': u'rsc', u'ipapwdexpadvnotify': u'rsc', u'ipasearchtimelimit': u'rsc', u'ipacustomfields': u'rsc', u'ipasearchrecordslimit': u'rsc', u'nsaccountlock': u'', u'ipausersearchfields': u'rsc', u'ipadefaultloginshell': u'rsc', u'ipacertificatesubjectbase': u'rsc', u'ipadomainresolutionorder': u'rsc', u'ipaconfigstring': u'rsc', u'ipakrbauthzdata': u'rsc', u'ipauserobjectclasses': u'rsc', u'ipagroupsearchfields': u'rsc', u'ipadefaultemaildomain': u'rsc', u'ipagroupobjectclasses': u'rsc', u'ipamaxusernamelength': u'rsc', u'ipaselinuxusermapdefault': u'rsc', u'objectclass': u'rsc', u'aci': u'', u'ipahomesrootdir': u'rsc', u'ipamigrationenabled': u'rsc', u'ipaselinuxusermaporder': u'rsc'}
  cn: ipaConfig
  objectclass: nsContainer, top, ipaGuiConfig, ipaConfigObject, ipaUserAuthTypeClass, ipaNameResolutionData
[root@autohv01 ~]# ipa trust-find --all
---------------
1 trust matched
---------------
  dn: cn=pne.qe,cn=ad,cn=trusts,dc=testrelm,dc=test
  Realm name: pne.qe
  Domain NetBIOS name: PNE
  Domain Security Identifier: S-1-5-21-2202318585-426110948-4011710778
  SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  UPN suffixes: test.qa, pune.in
  ipantsecurityidentifier: S-1-5-21-1074789812-2998660393-2210475529-1003
  ipanttrustdirection: 1
  ipanttrustpartner: pne.qe
  objectclass: ipaNTTrustedDomain, ipaIDobject, top
----------------------------
Number of entries returned 1
----------------------------
```
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:2304