RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1435718 - As a ID user I cannot call a command with --rights option
Summary: As a ID user I cannot call a command with --rights option
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.4
Hardware: Unspecified
OS: Unspecified
medium
unspecified
Target Milestone: rc
: ---
Assignee: IPA Maintainers
QA Contact: Sudhir Menon
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-03-24 15:18 UTC by Petr Vobornik
Modified: 2017-08-01 09:46 UTC (History)
5 users (show)

Fixed In Version: ipa-4.5.0-3.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-08-01 09:46:16 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:2304 0 normal SHIPPED_LIVE ipa bug fix and enhancement update 2017-08-01 12:41:35 UTC

Description Petr Vobornik 2017-03-24 15:18:04 UTC 
Cloned from upstream: https://pagure.io/freeipa/issue/6797

Description:
As an ID user I try to call command i.e. (ipa config-show --rights or ipa idoverrideuser-show "id view" user ) and I get "ipa: ERROR: no matching entry found". So getting effective rights does not work for AD users. The problem is in CLI and also during performing API calls. 

Steps to reproduce:
1. Install FreeIPA and AD server
2. Establish trust between those two machines
3. kinit as AD user or Administrator (# kinit Administrator)
4. try to run any command with --rights options ($ ipa config-show --rights --all)
5. "ipa: ERROR: no matching entry found" is shown

Expected result:
Get entry with effective rights.

The following traceback is taken from /var/log/httpd/error_log, with "debug = True" set in /etc/ipa/default.conf and performing:
 $ ipa idoverrideuser-show "Default Trust View" Administrator --rights

```console
0x7fde76f0ae18>
[Wed Mar 22 10:27:51.943448 2017] [wsgi:error] [pid 36695] ipa: DEBUG: WSGI wsgi_execute PublicError: Traceback (most recent call last):
[Wed Mar 22 10:27:51.943480 2017] [wsgi:error] [pid 36695]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 367, in wsgi_execute
[Wed Mar 22 10:27:51.943485 2017] [wsgi:error] [pid 36695]     result = command(*args, **options)
[Wed Mar 22 10:27:51.943489 2017] [wsgi:error] [pid 36695]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 447, in __call__
[Wed Mar 22 10:27:51.943493 2017] [wsgi:error] [pid 36695]     return self.__do_call(*args, **options)
[Wed Mar 22 10:27:51.943504 2017] [wsgi:error] [pid 36695]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 475, in __do_call
[Wed Mar 22 10:27:51.943508 2017] [wsgi:error] [pid 36695]     ret = self.run(*args, **options)
[Wed Mar 22 10:27:51.943511 2017] [wsgi:error] [pid 36695]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 797, in run
[Wed Mar 22 10:27:51.943515 2017] [wsgi:error] [pid 36695]     return self.execute(*args, **options)
[Wed Mar 22 10:27:51.943519 2017] [wsgi:error] [pid 36695]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/baseldap.py", line 1327, in execute
[Wed Mar 22 10:27:51.943522 2017] [wsgi:error] [pid 36695]     ldap, entry_attrs.dn)
[Wed Mar 22 10:27:51.943526 2017] [wsgi:error] [pid 36695]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/baseldap.py", line 212, in get_effective_rights
[Wed Mar 22 10:27:51.943530 2017] [wsgi:error] [pid 36695]     rights = ldap.get_effective_rights(dn, attrs)
[Wed Mar 22 10:27:51.943533 2017] [wsgi:error] [pid 36695]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line 291, in get_effective_rights
[Wed Mar 22 10:27:51.943537 2017] [wsgi:error] [pid 36695]     "krbPrincipalAux", base_dn=self.api.env.basedn)
[Wed Mar 22 10:27:51.943540 2017] [wsgi:error] [pid 36695]   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1469, in find_entry_by_attr
[Wed Mar 22 10:27:51.943544 2017] [wsgi:error] [pid 36695]     base_dn, filter=filter, attrs_list=attrs_list)
[Wed Mar 22 10:27:51.943547 2017] [wsgi:error] [pid 36695]   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1317, in get_entries
[Wed Mar 22 10:27:51.943551 2017] [wsgi:error] [pid 36695]     **kwargs)
[Wed Mar 22 10:27:51.943555 2017] [wsgi:error] [pid 36695]   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1448, in find_entries
[Wed Mar 22 10:27:51.943558 2017] [wsgi:error] [pid 36695]     raise errors.EmptyResult(reason='no matching entry found')
[Wed Mar 22 10:27:51.943562 2017] [wsgi:error] [pid 36695] EmptyResult: no matching entry found
[Wed Mar 22 10:27:51.943565 2017] [wsgi:error] [pid 36695] 
```
Comment 2 Petr Vobornik 2017-03-24 15:18:18 UTC 
Upstream ticket:
https://pagure.io/freeipa/issue/6797
Comment 3 Petr Vobornik 2017-03-24 15:19:24 UTC 
This is a prerequisite for self-service Web UI for AD users work.
Comment 4 Petr Vobornik 2017-03-24 15:37:13 UTC 
ipa-4-5:

    7d48fb841a23e9f036f3d449d80623d1225c820a ldap2: use LDAP whoami operation to retrieve bind DN for current connection
    master:

    7324451834ec03786fda947679f750fe2a72f29c ldap2: use LDAP whoami operation to retrieve bind DN for current connection
Comment 6 Sudhir Menon 2017-05-26 09:38:40 UTC 
Tested on RHEL7.4

ipa-server-4.5.0-13.el7.x86_64
krb5-server-1.15.1-8.el7.x86_64
pki-server-10.4.1-6.el7.noarch
389-ds-base-1.3.6.1-15.el7.x86_64
sssd-1.15.2-35.el7.x86_64
selinux-policy-3.13.1-152.el7.noarch

1. Establish trust with AD
2. Add override for trusted aduser to default trust view.
#ipa iduseroverride-add "default trust view" aduser2
3. [root@autohv01 ~]# echo **** | kinit aduser2
Password for aduser2: 
[root@autohv01 ~]# klist -l
Principal name                 Cache name
--------------                 ----------
aduser2                 KEYRING:persistent:0:krb_ccache_9Fc3Eqa

4. [root@autohv01 ~]# ipa config-show --rights --all
  dn: cn=ipaConfig,cn=etc,dc=testrelm,dc=test
  Maximum username length: 32
  Home directory base: /home
  Default shell: /bin/sh
  Default users group: ipausers
  Default e-mail domain: testrelm.test
  Search time limit: 2
  Search size limit: 100
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: FALSE
  Certificate Subject base: O=TESTRELM.TEST
  Default group objectclasses: top, groupofnames, nestedgroup, ipausergroup, ipaobject
  Default user objectclasses: top, person, organizationalperson, inetorgperson, inetuser, posixaccount, krbprincipalaux, krbticketpolicyaux, ipaobject, ipasshuser
  Password Expiration Notification (days): 4
  Password plugin features: AllowNThash, KDC:Disable Last Success
  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
  Default SELinux user: unconfined_u:s0-s0:c0.c1023
  Default PAC types: MS-PAC, nfs:NONE
  IPA masters: 
  IPA CA servers: 
  IPA NTP servers: 
  attributelevelrights: {u'cn': u'rsc', u'ipauserauthtype': u'rsc', u'ipadefaultprimarygroup': u'rsc', u'ipapwdexpadvnotify': u'rsc', u'ipasearchtimelimit': u'rsc', u'ipacustomfields': u'rsc', u'ipasearchrecordslimit': u'rsc', u'nsaccountlock': u'', u'ipausersearchfields': u'rsc', u'ipadefaultloginshell': u'rsc', u'ipacertificatesubjectbase': u'rsc', u'ipadomainresolutionorder': u'rsc', u'ipaconfigstring': u'rsc', u'ipakrbauthzdata': u'rsc', u'ipauserobjectclasses': u'rsc', u'ipagroupsearchfields': u'rsc', u'ipadefaultemaildomain': u'rsc', u'ipagroupobjectclasses': u'rsc', u'ipamaxusernamelength': u'rsc', u'ipaselinuxusermapdefault': u'rsc', u'objectclass': u'rsc', u'aci': u'', u'ipahomesrootdir': u'rsc', u'ipamigrationenabled': u'rsc', u'ipaselinuxusermaporder': u'rsc'}
  cn: ipaConfig
  objectclass: nsContainer, top, ipaGuiConfig, ipaConfigObject, ipaUserAuthTypeClass, ipaNameResolutionData
[root@autohv01 ~]# ipa trust-find --all
---------------
1 trust matched
---------------
  dn: cn=pne.qe,cn=ad,cn=trusts,dc=testrelm,dc=test
  Realm name: pne.qe
  Domain NetBIOS name: PNE
  Domain Security Identifier: S-1-5-21-2202318585-426110948-4011710778
  SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14,
                          S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14,
                          S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  UPN suffixes: test.qa, pune.in
  ipantsecurityidentifier: S-1-5-21-1074789812-2998660393-2210475529-1003
  ipanttrustdirection: 1
  ipanttrustpartner: pne.qe
  objectclass: ipaNTTrustedDomain, ipaIDobject, top
----------------------------
Number of entries returned 1
----------------------------
Comment 7 errata-xmlrpc 2017-08-01 09:46:16 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304
Note You need to log in before you can comment on or make changes to this bug.