Bug 1441262 - ipa group-del gives ipa: ERROR: Insufficient access: but still deletes group
Summary: ipa group-del gives ipa: ERROR: Insufficient access: but still deletes group
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: IPA Maintainers
QA Contact: ipa-qe
URL:
Whiteboard:
Duplicates: 1474283
Depends On:
Blocks:
 
Reported: 2017-04-11 13:57 UTC by Jens Timmerman
Modified: 2021-12-10 15:17 UTC
CC List: 12 users

Fixed In Version: ipa-4.6.4-1.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-10-30 10:56:00 UTC
Target Upstream Version:
Embargoed:




Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Issue Tracker | FREEIPA-7522 | 0 | None | None | None | 2021-12-10 15:17:58 UTC
Red Hat Product Errata | RHBA-2018:3187 | 0 | None | None | None | 2018-10-30 10:56:48 UTC

Description Jens Timmerman 2017-04-11 13:57:21 UTC
Description of problem:
When a user with sufficient permissions creates a group using ipa group-add and then deletes it again with group-del, ipa gives an Insufficient access error but still deletes the group.

Version-Release number of selected component (if applicable):
Name        : ipa-server
Arch        : x86_64
Version     : 4.4.0
Release     : 14.el7.centos.6

How reproducible:
Every time

Steps to Reproduce:
1. create a user with Indirect Member of role: User Administrator
2. kinit user_admin
3. ipa group-add gtest
-------------------
Added group "gtest"
-------------------
  Group name: gtest
  GID: 1850000008
4. ipa group-del gtest

Actual results:
ipa: ERROR: Insufficient access:
ipa group-show gtest
ipa: ERROR: gtest: group not found


Expected results:
---------------------
Deleted group "gtest"
---------------------

Additional info:
works ok with user admin

Comment 2 Jens Timmerman 2017-04-11 13:59:23 UTC
using -vvv gives
ipa: INFO: Response: {
    "error": {
        "code": 2100,
        "data": {
            "info": ""
        },
        "message": "Insufficient access: ",
        "name": "ACIError"
    },
    "id": 0,
    "principal": "user_admin@MYREALM",
    "result": null,
    "version": "4.4.0"
}
ipa: ERROR: Insufficient access:

Comment 3 Martin Bašti 2017-04-11 14:30:09 UTC
Hello, can you please provide "sufficient permissions", preferably as a list of permissions assigned to the user?

Comment 4 Jens Timmerman 2017-04-11 14:34:22 UTC
Hi Martin,

The user was created with
ipa user-add user_admin --first=first --last=last --random 
ipa role-add-member --users=user_admin "User Administrator"

Comment 5 Martin Bašti 2017-04-11 14:45:11 UTC
Thank you for reporting the error and the reproducer.


This is a bug in IPA; however, it happened in post_callback (after the group was already removed) and is caused by the 'pwpolicy_del' call.

Log from dirsrv:
[11/Apr/2017:16:38:09.975909624 +0200] conn=647 op=10 DEL dn="cn=testgrp,cn=groups,cn=accounts,dc=dom-126,dc=example,dc=com"
[11/Apr/2017:16:38:09.995712795 +0200] conn=647 op=10 RESULT err=0 tag=107 nentries=0 etime=0
[11/Apr/2017:16:38:09.997009946 +0200] conn=647 op=11 DEL dn="cn=testgrp,cn=DOM-126.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=example,dc=com"
[11/Apr/2017:16:38:09.997609505 +0200] conn=647 op=11 RESULT err=50 tag=107 nentries=0 etime=0


Server traceback:
ipa: DEBUG: WSGI wsgi_execute PublicError: Traceback (most recent call last):
   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 367, in wsgi_execute
     result = command(*args, **options)
   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 447, in __call__
     return self.__do_call(*args, **options)
   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 475, in __do_call
     ret = self.run(*args, **options)
   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 797, in run
     return self.execute(*args, **options)
   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/baseldap.py", line 1579, in execute
     delete_entry(pkey)
   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/baseldap.py", line 1564, in delete_entry
     result = callback(self, ldap, dn, *nkeys, **options)
   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/group.py", line 369, in post_callback
     api.Command['pwpolicy_del'](keys[-1])
   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 447, in __call__
     return self.__do_call(*args, **options)
   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 475, in __do_call
     ret = self.run(*args, **options)
   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 797, in run
     return self.execute(*args, **options)
   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/baseldap.py", line 1579, in execute
     delete_entry(pkey)
   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/baseldap.py", line 1554, in delete_entry
     self._exc_wrapper(nkeys, options, ldap.delete_entry)(dn)
   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/baseldap.py", line 1098, in wrapped
     return func(*call_args, **call_kwargs)
   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1565, in delete_entry
     self.conn.delete_s(str(dn))
   File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
     self.gen.throw(type, value, traceback)
   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 977, in error_handler
     raise errors.ACIError(info=info)
 ACIError: Insufficient access:

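The dirsrv access log above is the directory-side evidence for the ordering Martin describes: op=10 deletes the group entry and returns err=0, then op=11 on the same connection tries to delete the policy entry under cn=kerberos and is refused with err=50 (LDAP insufficientAccessRights). The following is an added example, not FreeIPA or 389-ds code, that correlates DEL/RESULT pairs per connection in a 389-ds access log and flags a successful delete followed on the same connection by a denied one. The sample lines are copies of the two operations quoted in Comment 5; the function names are my own.

```python
"""Correlate 389-ds access-log DEL operations per connection and report a
main-entry delete that succeeded while the follow-up delete on the same
connection failed with err=50 (LDAP insufficientAccessRights).

Added example, not code from FreeIPA or 389-ds."""
import re

# Sample input: copies of the two DEL operations quoted in Comment 5.
SAMPLE_LOG = """\
[11/Apr/2017:16:38:09.975909624 +0200] conn=647 op=10 DEL dn="cn=testgrp,cn=groups,cn=accounts,dc=dom-126,dc=example,dc=com"
[11/Apr/2017:16:38:09.995712795 +0200] conn=647 op=10 RESULT err=0 tag=107 nentries=0 etime=0
[11/Apr/2017:16:38:09.997009946 +0200] conn=647 op=11 DEL dn="cn=testgrp,cn=DOM-126.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM,cn=kerberos,dc=example,dc=com"
[11/Apr/2017:16:38:09.997609505 +0200] conn=647 op=11 RESULT err=50 tag=107 nentries=0 etime=0
"""

OP_RE = re.compile(r'conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<kind>DEL|RESULT)(?P<rest>.*)')
DN_RE = re.compile(r'dn="(?P<dn>[^"]*)"')
ERR_RE = re.compile(r'err=(?P<err>\d+)')

LDAP_INSUFFICIENT_ACCESS = 50


def parse_deletes(log_text):
    """Return (conn, op, dn, err) for every DEL op that has a matching RESULT line."""
    pending = {}      # (conn, op) -> dn of the DEL request still awaiting its RESULT
    completed = []
    for line in log_text.splitlines():
        m = OP_RE.search(line)
        if not m:
            continue
        key = (int(m['conn']), int(m['op']))
        if m['kind'] == 'DEL':
            dn = DN_RE.search(m['rest'])
            if dn:
                pending[key] = dn['dn']
        elif key in pending:   # RESULT for a DEL we have seen
            err = ERR_RE.search(m['rest'])
            completed.append((key[0], key[1], pending.pop(key),
                              int(err['err']) if err else None))
    return completed


def find_partial_deletes(log_text):
    """Pair each DEL with the next DEL on the same connection (by op number).
    A pair where the first returned err=0 and the second err=50 is the
    shape of this bug: the client was told "Insufficient access" although
    the first entry is already gone."""
    by_conn = {}
    for conn, op, dn, err in parse_deletes(log_text):
        by_conn.setdefault(conn, []).append((op, dn, err))
    findings = []
    for conn, ops in by_conn.items():
        ops.sort()
        for (_, dn1, err1), (_, dn2, err2) in zip(ops, ops[1:]):
            if err1 == 0 and err2 == LDAP_INSUFFICIENT_ACCESS:
                findings.append({'conn': conn, 'deleted': dn1, 'denied': dn2})
    return findings


if __name__ == '__main__':
    for f in find_partial_deletes(SAMPLE_LOG):
        print(f"conn={f['conn']}: deleted {f['deleted']!r}, then denied on {f['denied']!r}")
```

Run it against a real access log (`/var/log/dirsrv/slapd-INSTANCE/access`) to separate "the operation really was refused" from "a follow-up clean-up was refused after the main change had already been committed"; only the latter explains an error message paired with a missing entry.
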
Comment 6 Petr Vobornik 2017-04-20 16:23:53 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/6884

Comment 11 Petr Vobornik 2017-08-04 22:10:28 UTC
*** Bug 1474283 has been marked as a duplicate of this bug. ***

Comment 12 kludhwan 2018-04-25 11:02:08 UTC
I have opened a similar bug for RHEL-6

https://bugzilla.redhat.com/show_bug.cgi?id=1571749

Comment 13 Alexander Bokovoy 2018-04-30 12:44:31 UTC
I submitted a fix as https://github.com/freeipa/freeipa/pull/1886

Comment 14 Christian Heimes 2018-05-03 14:46:01 UTC
Fixed upstream
master:
https://pagure.io/freeipa/c/1adc941d1f1caeffa8cf490783b7819298e828ce

Comment 15 Rob Crittenden 2018-05-11 14:11:05 UTC
Needs to be backported to ipa-4-6 branch.

Comment 16 Rob Crittenden 2018-05-30 14:35:42 UTC
ipa-4-6:

    164d907 group-del: add a warning to logs when password policy could not be removed

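The commit message above describes the behaviour change: when the password policy cannot be removed, log a warning instead of failing the command after the group entry is already gone. The following is an added example, not FreeIPA's own code, that models that flow with an in-memory directory: delete the group, then attempt the policy delete in the post-callback position, and show the reported behaviour (ACIError propagating after the group is deleted) next to the warn-and-succeed behaviour. The Directory class, the per-principal ACI table, the DNs and the function names are assumptions made for illustration, not FreeIPA internals.

```python
"""Model of the ipa group-del flow in this bug: the group entry is removed
first, then the group's password-policy entry under cn=kerberos is removed.
A User Administrator may delete under cn=groups but not under cn=kerberos,
so the second delete is refused after the first has already happened.

Added example, not FreeIPA code; directory, ACIs and names are assumptions."""
import logging

logger = logging.getLogger('group_del_example')


class ACIError(Exception):
    """Stand-in for ipalib.errors.ACIError (LDAP err=50)."""


class NotFound(Exception):
    """Stand-in for ipalib.errors.NotFound."""


class Directory:
    """Tiny LDAP stand-in: a set of DNs, deletes gated by per-subtree ACIs."""

    def __init__(self, entries, delete_acis):
        self.entries = set(entries)
        self.delete_acis = delete_acis   # principal -> subtree suffixes it may delete under

    def delete_entry(self, principal, dn):
        # ACI check first: a caller without delete rights is refused whether or
        # not the entry exists, so existence is not revealed (as in Comment 5,
        # where the policy entry was refused with err=50).
        if not any(dn.endswith(s) for s in self.delete_acis.get(principal, ())):
            raise ACIError('Insufficient access: ')
        if dn not in self.entries:
            raise NotFound(dn)
        self.entries.remove(dn)


GROUPS = 'cn=groups,cn=accounts,dc=example,dc=com'            # assumed base DNs
POLICIES = 'cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com'


def group_dn(name):
    return f'cn={name},{GROUPS}'


def pwpolicy_dn(name):
    return f'cn={name},{POLICIES}'


def group_del(directory, principal, name, warn_on_policy_aci=True):
    """Delete the group, then clean up its password policy.
    warn_on_policy_aci=False reproduces the report: the policy delete's
    ACIError propagates although the group is already gone.
    warn_on_policy_aci=True is the behaviour the ipa-4-6 commit describes:
    the refusal is logged and the command reports success."""
    directory.delete_entry(principal, group_dn(name))   # group is gone from here on
    policy_warning = False
    try:
        directory.delete_entry(principal, pwpolicy_dn(name))
    except NotFound:
        pass   # most groups have no per-group policy; nothing to clean up
    except ACIError as e:
        if not warn_on_policy_aci:
            raise
        policy_warning = True
        logger.warning('Could not remove password policy for group %s: %s', name, e)
    return {'deleted': name, 'policy_warning': policy_warning}


def make_directory():
    # admin may delete anywhere; the User Administrator role only under cn=groups
    acis = {'admin': {'dc=example,dc=com'}, 'user_admin': {GROUPS}}
    return Directory({group_dn('gtest')}, acis)


def reproduce_bug():
    """Reported behaviour: returns (raised exception name, group still present)."""
    d = make_directory()
    try:
        group_del(d, 'user_admin', 'gtest', warn_on_policy_aci=False)
    except ACIError as e:
        return type(e).__name__, group_dn('gtest') in d.entries
    return None, group_dn('gtest') in d.entries


def fixed_flow(principal):
    """Warn-and-succeed behaviour: returns (command result, group still present)."""
    d = make_directory()
    return group_del(d, principal, 'gtest'), group_dn('gtest') in d.entries


if __name__ == '__main__':
    logging.basicConfig(level=logging.WARNING)
    print(reproduce_bug())           # ('ACIError', False): error raised, group gone
    print(fixed_flow('user_admin'))  # ({'deleted': 'gtest', 'policy_warning': True}, False)
    print(fixed_flow('admin'))       # ({'deleted': 'gtest', 'policy_warning': False}, False)
```

The security-relevant point the model makes is that the ACI refusal is not a spurious error: the non-admin caller genuinely has no rights under cn=kerberos, so a per-group policy, if one exists, is left behind when such a user deletes the group. The fix turns that refusal into a logged warning rather than granting the extra permission, which is why the server log, not the client output, is where an operator should look for orphaned policy entries.
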
Comment 19 Sudhir Menon 2018-08-07 08:59:36 UTC
Fix is seen. 
Verified on Red Hat Enterprise Linux Server release 7.6 Beta (Maipo)  using

ipa-server-4.6.4-3.el7.x86_64
sssd-1.16.2-11.el7.x86_64
389-ds-base-1.3.8.4-9.el7.x86_64
krb5-server-1.15.1-34.el7.x86_64
pki-server-10.5.9-4.el7.noarch
selinux-policy-3.13.1-211.el7.noarch


[root@master yubico]# ipa user-add user_admin --first=first --last=last --random 
-----------------------
Added user "user_admin"
-----------------------
  User login: user_admin
  First name: first
  Last name: last
  Full name: first last
  Display name: first last
  Initials: fl
  Home directory: /home/user_admin
  GECOS: first last
  Login shell: /bin/sh
  Principal name: user_admin
  Principal alias: user_admin
  User password expiration: 20180807085610Z
  Email address: user_admin
  Random password: 7Tz^cu29z925s9}Am*}s^4
  UID: 477400003
  GID: 477400003
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

[root@master yubico]# ipa role-add-member --users=user_admin "User Administrator"
  Role name: User Administrator
  Description: Responsible for creating Users and Groups
  Member users: user_admin
  Privileges: User Administrators, Group Administrators, Stage User Administrators
-------------------------
Number of members added 1
-------------------------

[root@master yubico]# kdestroy -A

[root@master yubico]# kinit user_admin
Password for user_admin: 
Password expired.  You must change it now.
Enter new password: 
Enter it again: 

[root@master yubico]# klist l
klist: No credentials cache found (filename: l)
[root@master yubico]# klist -l
Principal name                 Cache name
--------------                 ----------
user_admin      KEYRING:persistent:0:0

[root@master yubico]# ipa group-add gtest
-------------------
Added group "gtest"
-------------------
  Group name: gtest
  GID: 477400004

[root@master yubico]# ipa group-del gtest
---------------------
Deleted group "gtest"
---------------------

Comment 21 errata-xmlrpc 2018-10-30 10:56:00 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3187

Comment 22 Florence Blanc-Renaud 2020-05-20 07:26:51 UTC
Test case added upstream in test_integration/test_user_permissions.py::TestUserPermissions::test_delete_group_by_user_administrator

master:
https://pagure.io/freeipa/c/3dd5053cdd55adf6888ef38bfc927fc255bd7019

