1519723 – admins group is not including all permissions of Role "User Administrator"

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1519723 - admins group is not including all permissions of Role "User Administrator"

Summary: admins group is not including all permissions of Role "User Administrator"

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	ipa
Sub Component:
Version:	7.4
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	IPA Maintainers
QA Contact:	ipa-qe
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2017-12-01 10:16 UTC by German Parente
Modified:	2021-12-10 15:29 UTC (History)
CC List:	10 users (show)
Fixed In Version:	ipa-4.6.4-1.el7
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2018-10-30 10:57:12 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	FREEIPA-7526	0	None	None	None	2021-12-10 15:29:48 UTC
Red Hat Product Errata	RHBA-2018:3187	0	None	None	None	2018-10-30 10:58:18 UTC

Description German Parente 2017-12-01 10:16:14 UTC

Description of problem:

I don't know if this has been on purpose as a feature or if it could be considered as a bug. Customers are confused about this.

For them, adding a user to the group "cn=admins" is enough to make a user have the same rights of "admin" user.

But there's at least a Permission missing, that is to be able to do this:

aci: (targetattr = "krblastpwdchange || krbpasswordexpiration || krbprincipalk
 ey || userpassword")(target = "ldap:///uid=*,cn=deleted users,cn=accounts,cn=
 provisioning,dc=cgparente,dc=local")(targetfilter = "(objectclass=posixaccoun
 t)")(version 3.0;acl "permission:System: Reset Preserved User password";allow
  (read,search,write) groupdn = "ldap:///cn=System: Reset Preserved User passw
 ord,cn=permissions,cn=pbac,dc=cgparente,dc=local";)

Example:

user "example" is member of admin groups:

ipa group-show admins
  Group name: admins
  Description: Account administrators group
  GID: 142600000
  Member users: admin, example
  Member of groups: ad_users


kinit example
Password for example: 

ipa user-del test --preserve
ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'krbLastPwdChange' attribute of entry 'uid=test,cn=deleted users,cn=accounts,cn=provisioning,dc=cgparente,dc=local'

ipa role-add-member "User Administrator" --user=example

kinit example
ipa user-del test --preserve

Works.

Comment 2 Florence Blanc-Renaud 2017-12-04 08:12:20 UTC

The behavior described by German is reproduced. Will check with the team if it is expected or if the role was mistakenly forgotten for the admins group.

Comment 3 Florence Blanc-Renaud 2017-12-21 18:39:27 UTC

The file install/updates/30-provisioning.update defines the following acis that are specific to the admin user, but should be rather granted to the admins group:

dn: cn=staged users,cn=accounts,cn=provisioning,$SUFFIX
aci: (targetattr="userPassword || krbPrincipalKey")(version 3.0; acl "Search existence of password and kerberos keys"; allow(read, search) userdn = "ldap:///uid=admin,cn=users,cn=accounts,$SUFFIX";)


dn: cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX
aci: (targetattr="userPassword || krbPrincipalKey || krbPasswordExpiration || krbLastPwdChange")(version 3.0; acl "Admins allowed to reset password and kerberos keys"; allow(read, search, write) userdn = "ldap:///uid=admin,cn=users,cn=accounts,$SUFFIX";)

Comment 4 Florence Blanc-Renaud 2018-01-02 15:23:39 UTC

Upstream ticket:
https://pagure.io/freeipa/issue/7342

Comment 5 Tibor Dudlák 2018-02-19 14:53:06 UTC

Fixed upstream
master:
https://pagure.io/freeipa/c/d647072642bdf01d0bfee31a7b5615b145583da5

Comment 6 Florence Blanc-Renaud 2018-03-28 09:20:17 UTC

Fixed upstream
ipa-4-6:
https://pagure.io/freeipa/c/35f6a1a11baadf0f69c3d3ec7cc9933c87dd4abf

Comment 10 Sudhir Menon 2018-08-24 05:02:58 UTC

Tested on Red Hat Enterprise Linux Server release 7.6 Beta (Maipo)

[root@master ~]# rpm -q ipa-server sssd samba krb5-server pki-server selinux-policy 389-ds-base
ipa-server-4.6.4-6.el7.x86_64
sssd-1.16.2-12.el7.x86_64
samba-4.8.3-4.el7.x86_64
krb5-server-1.15.1-34.el7.x86_64
pki-server-10.5.9-6.el7.noarch
selinux-policy-3.13.1-219.el7.noarch
389-ds-base-1.3.8.4-11.el7.x86_64

[root@master ~]# ipa group-add-member --users=ipauser1 admins
  Group name: admins
  Description: Account administrators group
  GID: 28600000
  Member users: admin, ipauser1
-------------------------
Number of members added 1
-------------------------

[root@master ~]# ipa group-show admins
  Group name: admins
  Description: Account administrators group
  GID: 28600000
  Member users: admin, ipauser1

[root@master ~]# kinit ipauser1
Password for ipauser1: 

[root@master ~]# klist -l
Principal name                 Cache name
--------------                 ----------
ipauser1           KEYRING:persistent:0:krb_ccache_xZgOMrU


[root@master ~]# ipa user-del test2 --preserve
--------------------
Deleted user "test2"
--------------------

[root@master ~]# ipa user-show test1
  User login: test1
  First name: test1
  Last name: s
  Home directory: /home/test1
  Login shell: /bin/sh
  Principal name: test1
  Principal alias: test1
  Email address: test1
  UID: 28600007
  GID: 28600007
  Account disabled: True
  Preserved user: True
  Password: False
  Kerberos keys available: False

[root@master ~]# ipa user-find
---------------
2 users matched
---------------
  User login: admin
  Last name: Administrator
  Home directory: /home/admin
  Login shell: /bin/bash
  Principal alias: admin
  UID: 28600000
  GID: 28600000
  Account disabled: False

Comment 12 errata-xmlrpc 2018-10-30 10:57:12 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3187

Note You need to log in before you can comment on or make changes to this bug.