Bug 1821181 - Delete operation protection for admin user
Summary: Delete operation protection for admin user
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: ipa
Version: ---
Hardware: All
OS: All
medium
medium
Target Milestone: rc
: ---
Assignee: Florence Blanc-Renaud
QA Contact: Ganna Kaihorodova
URL:
Whiteboard:
Duplicates: 2003877
Depends On:
Blocks: 2229712
Reported: 2020-04-06 09:08 UTC by Daniele
Modified: 2023-12-01 11:43 UTC

Fixed In Version: ipa-4.9.12-6.module+el8.9.0+19634+c162f948
Doc Type: Bug Fix
Doc Text:
Deleting the IdM `admin` user is now no longer permitted

Previously, nothing prevented you from deleting the Identity Management (IdM) `admin` user if you were a member of the `admins` group. The absence of the `admin` user causes the trust between IdM and Active Directory (AD) to stop functioning correctly. With this update, you can no longer delete the `admin` user. As a result, the IdM-AD trust works correctly.
Clone Of:
: 2229712
Environment:
Last Closed: 2023-11-14 15:32:50 UTC
Type: Bug
Target Upstream Version:
Embargoed:



Links
| System | ID | Private | Priority | Status | Summary | Last Updated |
|---|---|---|---|---|---|---|
| Fedora Pagure | freeipa issue 8878 | 0 | None | None | None | 2023-08-01 11:54:16 UTC |
| Red Hat Bugzilla | 2003877 | 1 | unspecified | CLOSED | ipa default admin can be deleted from another admin user. | 2021-09-14 15:33:03 UTC |
| Red Hat Issue Tracker | FREEIPA-7831 | 0 | None | None | None | 2022-02-10 13:35:55 UTC |
| Red Hat Product Errata | RHBA-2023:6977 | 0 | None | None | None | 2023-11-14 15:33:36 UTC |

Description Daniele 2020-04-06 09:08:53 UTC
1. Proposed title of this feature request
[RFE] Delete operation protection for admin user
2. Who is the customer behind the request?
Account: 5584962 - Sberbank Rossii OAO
TAM customer: yes
CSM customer: no
Strategic: yes

3. What is the nature and description of the request?
A user belonging to the admin group can delete the admin user, even though this is not a supported operation.
Such an operation can be performed by mistake and recovering requires manual steps.

4. Why does the customer need this? (List the business requirements here)
While we do rely on common sense, human mistakes can happen, especially in a large organization. Having a way to avoid getting in this situation can potentially save a lot of time.

5. How would the customer like to achieve this? (List the functional requirements here)
Being able to prevent the admin user from being deleted.

6. For each functional requirement listed, specify how Red Hat and the customer can test to confirm the requirement is successfully implemented.
Try to delete admin user from a user in the admin group.

7. Is there already an existing RFE upstream or in Red Hat Bugzilla?

8. Does the customer have any specific timeline dependencies and which release would they like to target (i.e. RHEL5, RHEL6)?
As soon as possible

9. Is the sales team involved in this request and do they have any additional input?
This is one of the requests that Sberbank raised as part of a large escalation around their overall dissatisfaction about IPA's stability and reliability.

10. List any affected packages or components.

11. Would the customer be able to assist in testing this functionality if implemented?
Yes

Comment 3 Florence Blanc-Renaud 2020-04-06 09:27:25 UTC
Thank you for taking your time and submitting this request for Red Hat Enterprise Linux 7. Unfortunately, this RFE cannot be kept even as a stretch goal and is moved to RHEL8 for proper evaluation.

Comment 8 Florence Blanc-Renaud 2020-05-15 12:40:18 UTC
RHEL 7.9 is already near the end of a development phase and this bug cannot be kept for 7.9, hence it is moved to RHEL 8 for proper evaluation and planning.

Comment 10 Theodoros Apazoglou 2021-09-14 15:32:44 UTC
*** Bug 2003877 has been marked as a duplicate of this bug. ***

Comment 15 Florence Blanc-Renaud 2023-08-01 11:54:15 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/8878

Comment 16 Florence Blanc-Renaud 2023-08-01 11:56:44 UTC
Fixed upstream
master:
https://pagure.io/freeipa/c/dea35922cd086883c0699646ec39fdef8f0ba579

Comment 19 Florence Blanc-Renaud 2023-08-08 10:54:53 UTC
Additional fix for the webui test:
master:
https://pagure.io/freeipa/c/e49ec1048db85f514e2db5960f773e5d56fa0cec

Comment 20 Florence Blanc-Renaud 2023-08-08 14:51:44 UTC
Additional fix for the webui test:
ipa-4-10:
https://pagure.io/freeipa/c/13d5e88eb4ebb7a0132cbb050a9d230304ecbcff

ipa-4-9:
https://pagure.io/freeipa/c/7d62d84bdd3c2acd2f4bf70bb5fabf14c72e8ee7

Comment 21 Michal Polovka 2023-08-11 08:53:24 UTC
Pre-verified using automation from test_webui/test_user.py with ipa-server-4.9.12-6.module+el8.9.0+19634+c162f948.x86_64

Failed 	test_webui/test_user.py::test_user::()::test_certificate_serial 		
Passed 	test_webui/test_user.py::test_user::()::test_crud 		
Passed 	test_webui/test_user.py::test_user::()::test_associations 	 	
Passed 	test_webui/test_user.py::test_user::()::test_indirect_associations 	
Passed 	test_webui/test_user.py::test_user::()::test_actions  	
Passed 	test_webui/test_user.py::test_user::()::test_certificates 	 	
Passed 	test_webui/test_user.py::test_user::()::test_password_expiration_notification 	 	
Passed 	test_webui/test_user.py::test_user::()::test_grace_login_limit 	
Passed 	test_webui/test_user.py::test_user::()::test_login_without_username 	
Passed 	test_webui/test_user.py::test_user::()::test_disable_delete_admin 	 	
Passed 	test_webui/test_user.py::test_user::()::test_add_user_special 	 	
Passed 	test_webui/test_user.py::test_user::()::test_add_delete_undo_reset_multivalue 	
Passed 	test_webui/test_user.py::test_user::()::test_user_misc 	
Passed 	test_webui/test_user.py::test_user::()::test_menu_click_minimized_window 	
Passed 	test_webui/test_user.py::test_user::()::test_enabled_by_default 	
Passed 	test_webui/test_user.py::test_user_no_private_group::()::test_noprivate_nonposix 	 	
Passed 	test_webui/test_user.py::test_user_no_private_group::()::test_noprivate_posix 	
Passed 	test_webui/test_user.py::test_user_no_private_group::()::test_noprivate_gidnumber 	
Passed 	test_webui/test_user.py::TestLifeCycles::()::test_life_cycles 	
Passed 	test_webui/test_user.py::TestSSHkeys::()::test_ssh_keys 	

The failure in test_certificate_serial is a known issue. Marking as pre-verified - tested.

Comment 26 errata-xmlrpc 2023-11-14 15:32:50 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (idm:client and idm:DL1 bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:6977

