Bug 817915 - Helpdesk admin unable to change a user's lastname
Status: CLOSED WORKSFORME
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.3
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Assigned To: Rob Crittenden
QA Contact: IDM QE LIST
Keywords: Regression
Reported: 2012-05-01 15:14 EDT by Namita Soman
Modified: 2013-08-19 11:53 EDT

Doc Type: Bug Fix
Last Closed: 2012-05-07 10:23:59 EDT
Type: Bug
Description Namita Soman 2012-05-01 15:14:16 EDT
Description of problem:
Add a user, assign it to have the helpdesk role. Kinit as this user. Change another user's lastname. This fails in ipa-server.x86_64 0:2.2.0-12.el6 with error:

ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'sn' attribute of entry 'uid=test,cn=users,cn=accounts,dc=testrelm,dc=com'.

But it used to work as expected, that is, it updated another user's lastname successfully in ipa-server.x86_64 0:2.2.0-11.el6


Version-Release number of selected component (if applicable):
ipa-server.x86_64 0:2.2.0-12.el6

How reproducible:
always

Steps to Reproduce:
1. Add 2 users, say helpdeskadmin and test, and assign passwd
2. Assign role helpdesk to helpdeskadmin
3. kinit as helpdeskadmin
4. Change test's last name as:
ipa user-mod --last="testtest" test

  
Actual results:
ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'sn' attribute of entry 'uid=test,cn=users,cn=accounts,dc=testrelm,dc=com'.

Expected results:
be able to update test's last name

Additional info:
added user nk with helpdesk role:
# ipa user-show nk
  User login: nk
  First name: nk
  Last name: nk
  Home directory: /home/nk
  Login shell: /bin/sh
  UID: 1111600018
  GID: 1111600018
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Roles: helpdesk
  Kerberos keys available: True

kinit'd as nk
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: nk@TESTRELM.COM

Valid starting     Expires            Service principal
05/01/12 14:53:09  05/02/12 14:53:09  krbtgt/TESTRELM.COM@TESTRELM.COM
05/01/12 14:53:38  05/02/12 14:53:09  HTTP/sgi-xe320-01.testrelm.com@TESTRELM.COM

modified user one's last name:
# ipa user-mod --last=oneone one
ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'sn' attribute of entry 'uid=one,cn=users,cn=accounts,dc=testrelm,dc=com'.
Comment 2 Rob Crittenden 2012-05-01 18:07:20 EDT
Are you sure the permissions are unchanged? I wasn't able to reproduce this on a new install:

$ kinit admin
Password for admin@GREYOAK.COM: 
$ ipa user-add --first=tim --last=user tuser1
-------------------
Added user "tuser1"
-------------------
  User login: tuser1
  First name: tim
  Last name: user
  Full name: tim user
  Display name: tim user
  Initials: tu
  Home directory: /home/tuser1
  GECOS field: tim user
  Login shell: /bin/sh
  Kerberos principal: tuser1@GREYOAK.COM
  UID: 1314400011
  GID: 1314400011
  Password: False
  Kerberos keys available: False
$ ipa role-add-member --users=tuser1 helpdesk
  Role name: helpdesk
  Description: Helpdesk
  Member users: tuser1
  Privileges: modify users and reset passwords, modify group membership
-------------------------
Number of members added 1
-------------------------
$ ipa passwd tuser1
New Password: 
Enter New Password again to verify: 
-----------------------------------------
Changed password for "tuser1@GREYOAK.COM"
-----------------------------------------
$ ipa user-add --first=jane --last=user juser1
-------------------
Added user "juser1"
-------------------
  User login: juser1
  First name: jane
  Last name: user
  Full name: jane user
  Display name: jane user
  Initials: ju
  Home directory: /home/juser1
  GECOS field: jane user
  Login shell: /bin/sh
  Kerberos principal: juser1@GREYOAK.COM
  UID: 1314400011
  GID: 1314400011
  Password: False
  Kerberos keys available: False
$ kinit tuser1
Password for tuser1@GREYOAK.COM: 
Password expired.  You must change it now.
Enter new password: 
Enter it again: 
$ ipa user-mod --last=new juser1
----------------------
Modified user "juser1"
----------------------
  User login: juser1
  First name: jane
  Last name: new
  Home directory: /home/juser1
  Login shell: /bin/sh
  UID: 1314400011
  GID: 1314400011
  Account disabled: False
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False
Comment 3 Namita Soman 2012-05-07 10:23:59 EDT
Tried on ipa-server-2.2.0-12.el6.x86_64
and it is working. I suspect my automation tests that run before this might be causing this failure. And trying manually on that machine, I repeatedly see the error. But I re-tested on a separate machine, and confirmed it is working.
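
A diagnostic sketch for the "are the permissions unchanged?" question raised in this thread. It is an added example, not code from this bug report or from the FreeIPA project: it parses the error text shown above and reports which directory ACIs would cover that write. The two ACI strings (including the "Modify Users" label) are constructed samples in 389 Directory Server ACI syntax, and the check is a simplification that ignores deny rules, targetfilter and the bind rule.

```python
import re
from fnmatch import fnmatchcase

# Error text format as it appears in this bug report.
ERR_RE = re.compile(
    r"Insufficient '(?P<right>\w+)' privilege to the '(?P<attr>[\w;-]+)' "
    r"attribute of entry '(?P<dn>[^']+)'")

def parse_denial(line):
    """Return (right, attribute, entry DN) from an 'Insufficient access' error."""
    m = ERR_RE.search(line)
    if not m:
        raise ValueError("not an attribute-level 'Insufficient access' error")
    return m["right"].lower(), m["attr"].lower(), m["dn"].lower()

def parse_aci(aci):
    """Extract name, target pattern, attribute list and allowed rights from an ACI."""
    name = re.search(r'acl\s+"([^"]+)"', aci)
    target = re.search(r'\(\s*target\s*=\s*"ldap:///([^"]+)"', aci)
    attrs = re.search(r'\(\s*targetattr\s*=\s*"([^"]+)"', aci)
    allow = re.search(r'allow\s*\(([^)]+)\)', aci)
    return {
        "name": name.group(1) if name else "",
        # Simplification: an ACI without a target is treated as matching any entry.
        "target": target.group(1).lower() if target else "*",
        # No targetattr (or a "!=" form, not handled here) grants no attribute here.
        "attrs": {a.strip().lower() for a in attrs.group(1).split("||")} if attrs else set(),
        "rights": {r.strip().lower() for r in allow.group(1).split(",")} if allow else set(),
    }

def acis_granting(error_line, acis):
    """Names of ACIs whose target, attribute list and rights cover the denied write."""
    right, attr, dn = parse_denial(error_line)
    hits = []
    for p in map(parse_aci, acis):
        right_ok = right in p["rights"] or "all" in p["rights"]
        attr_ok = attr in p["attrs"] or "*" in p["attrs"]
        if right_ok and attr_ok and fnmatchcase(dn, p["target"]):
            hits.append(p["name"])
    return hits

SUFFIX = "dc=testrelm,dc=com"
ERROR = ("ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'sn' "
         "attribute of entry 'uid=test,cn=users,cn=accounts,dc=testrelm,dc=com'.")
# Constructed sample ACIs: GOOD lists sn, DRIFTED is the same rule with sn removed.
ACI_FMT = ('(target = "ldap:///uid=*,cn=users,cn=accounts,{s}")(targetattr = "{a}")'
           '(version 3.0;acl "permission:Modify Users";allow (write) '
           'groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,{s}";)')
GOOD = ACI_FMT.format(s=SUFFIX, a="givenname || sn || cn || displayname")
DRIFTED = ACI_FMT.format(s=SUFFIX, a="givenname || cn || displayname")

if __name__ == "__main__":
    print("fresh install :", acis_granting(ERROR, [GOOD]))
    print("after drift   :", acis_granting(ERROR, [DRIFTED]))
```

An empty result on one machine and a named ACI on another points at changed directory state rather than a package regression.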
