2229712 – Delete operation protection for admin user

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 2229712 - Delete operation protection for admin user

Summary: Delete operation protection for admin user

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 9
Classification:	Red Hat
Component:	ipa
Sub Component:
Version:	9.3
Hardware:	All
OS:	All
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Florence Blanc-Renaud
QA Contact:	Ganna Kaihorodova
Docs Contact:
URL:
Whiteboard:
Depends On:	1821181
Blocks:
TreeView+	depends on / blocked

Reported:	2023-08-07 12:26 UTC by Florence Blanc-Renaud
Modified:	2023-12-01 11:44 UTC (History)
CC List:	11 users (show)
Fixed In Version:	ipa-4.10.2-3.el9
Doc Type:	Bug Fix
Doc Text:	.Deleting the IdM `admin` user is now no longer permitted Previously, nothing prevented you from deleting the Identity Management (IdM) `admin` user if you were a member of the `admins` group. The absence of the `admin` user causes the trust between IdM and Active Directory (AD) to stop functioning correctly. With this update, you can no longer delete the `admin` user. As a result, the IdM-AD trust works correctly.
Clone Of:	1821181
Environment:
Last Closed:	2023-11-07 08:34:14 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	FREEIPA-10224	None	None	None	2023-08-07 12:29:14 UTC
Red Hat Issue Tracker	RHELPLAN-164731	None	None	None	2023-08-07 12:29:22 UTC
Red Hat Product Errata	RHBA-2023:6477	None	None	None	2023-11-07 08:35:00 UTC

Comment 1 Florence Blanc-Renaud 2023-08-07 12:30:56 UTC

Fixed upstream
master:
https://pagure.io/freeipa/c/dea35922cd086883c0699646ec39fdef8f0ba579

Fixed upstream
ipa-4-10:
https://pagure.io/freeipa/c/4b02322fc786ee9caaa0380659507a2cec0d4101

Fixed upstream
ipa-4-9:
https://pagure.io/freeipa/c/f215d3f45396fa29bdd69f56096b50842df14908

Comment 3 Florence Blanc-Renaud 2023-08-08 10:54:50 UTC

Additional fix for the webui test:
master:
https://pagure.io/freeipa/c/e49ec1048db85f514e2db5960f773e5d56fa0cec

Comment 4 Florence Blanc-Renaud 2023-08-08 14:52:02 UTC

Additional fix for the webui test:
ipa-4-10:
https://pagure.io/freeipa/c/13d5e88eb4ebb7a0132cbb050a9d230304ecbcff

ipa-4-9:
https://pagure.io/freeipa/c/7d62d84bdd3c2acd2f4bf70bb5fabf14c72e8ee7

Comment 5 Michal Polovka 2023-08-14 13:33:27 UTC

Pre-verified using automation from webui/test_user.py with ipa-server-4.10.2-3.el9.x86_64

Error message thrown: 'user admin cannot be deleted/modified: privileged user'. (see the attached screenshot)
Therefore marking as pre-verified - tested.

Comment 11 errata-xmlrpc 2023-11-07 08:34:14 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (ipa bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:6477

Note You need to log in before you can comment on or make changes to this bug.