Bug 817915 - Helpdesk admin unable to change a user's lastname
Keywords:
Status: CLOSED WORKSFORME
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.3
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Rob Crittenden
QA Contact: IDM QE LIST
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2012-05-01 19:14 UTC by Namita Soman
Modified: 2013-08-19 15:53 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-05-07 14:23:59 UTC
Target Upstream Version:
Embargoed:



Description Namita Soman 2012-05-01 19:14:16 UTC
Description of problem:
Add a user, assign it to have the helpdesk role. Kinit as this user. Change another user's lastname. This fails in ipa-server.x86_64 0:2.2.0-12.el6 with error:

ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'sn' attribute of entry 'uid=test,cn=users,cn=accounts,dc=testrelm,dc=com'.

But it used to work as expected, that is, it updated another user's lastname successfully in ipa-server.x86_64 0:2.2.0-11.el6


Version-Release number of selected component (if applicable):
ipa-server.x86_64 0:2.2.0-12.el6

How reproducible:
always

Steps to Reproduce:
1. Add 2 users, say helpdeskadmin, and test and assign passwd
2. Assign role helpdesk to helpdeskadmin
3. kinit as helpdeskadmin
4. change test's last name as:
ipa user-mod --last="testtest" test

  
Actual results:
ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'sn' attribute of entry 'uid=test,cn=users,cn=accounts,dc=testrelm,dc=com'.

Expected results:
be able to update test's last name

Additional info:
added user nk with helpdesk role:
# ipa user-show nk
  User login: nk
  First name: nk
  Last name: nk
  Home directory: /home/nk
  Login shell: /bin/sh
  UID: 1111600018
  GID: 1111600018
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Roles: helpdesk
  Kerberos keys available: True

kinit'd as nk
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: nk

Valid starting     Expires            Service principal
05/01/12 14:53:09  05/02/12 14:53:09  krbtgt/TESTRELM.COM
05/01/12 14:53:38  05/02/12 14:53:09  HTTP/sgi-xe320-01.testrelm.com

modified user one's last name:
# ipa user-mod --last=oneone one
ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'sn' attribute of entry 'uid=one,cn=users,cn=accounts,dc=testrelm,dc=com'.

Comment 2 Rob Crittenden 2012-05-01 22:07:20 UTC
Are you sure the permissions are unchanged? I wasn't able to reproduce this on a new install:

$ kinit admin
Password for admin: 
$ ipa user-add --first=tim --last=user tuser1
-------------------
Added user "tuser1"
-------------------
  User login: tuser1
  First name: tim
  Last name: user
  Full name: tim user
  Display name: tim user
  Initials: tu
  Home directory: /home/tuser1
  GECOS field: tim user
  Login shell: /bin/sh
  Kerberos principal: tuser1
  UID: 1314400011
  GID: 1314400011
  Password: False
  Kerberos keys available: False
$ ipa role-add-member --users=tuser1 helpdesk
ipa passwd   Role name: helpdesk
  Description: Helpdesk
  Member users: tuser1
  Privileges: modify users and reset passwords, modify group membership
-------------------------
Number of members added 1
-------------------------
$ ipa passwd tuser1
New Password: 
Enter New Password again to verify: 
-----------------------------------------
Changed password for "tuser1"
-----------------------------------------
$ ipa user-add --first=jane --last=user juser1
-------------------
Added user "juser1"
-------------------
  User login: juser1
  First name: jane
  Last name: user
  Full name: jane user
  Display name: jane user
  Initials: ju
  Home directory: /home/juser1
  GECOS field: jane user
  Login shell: /bin/sh
  Kerberos principal: juser1
  UID: 1314400011
  GID: 1314400011
  Password: False
  Kerberos keys available: False
$ kinit tuser1
Password for tuser1: 
Password expired.  You must change it now.
Enter new password: 
Enter it again: 
$ ipa user-mod --last=new juser1
----------------------
Modified user "juser1"
----------------------
  User login: juser1
  First name: jane
  Last name: new
  Home directory: /home/juser1
  Login shell: /bin/sh
  UID: 1314400011
  GID: 1314400011
  Account disabled: False
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False

Comment 3 Namita Soman 2012-05-07 14:23:59 UTC
Tried on ipa-server-2.2.0-12.el6.x86_64
and it is working. I suspect my automation tests that run before this might be causing this failure. And trying manually on that machine - I repeatedly see the error. But re-tested on a separate machine, and confirmed it is working.
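
One way to check the question raised in comment 2 (whether the helpdesk role is unchanged on the failing machine) is to compare captured `ipa role-show helpdesk` output from a clean host and from the suspect host. This is an added example, not part of the bug report or of the ipa code base; the function names are hypothetical, the "clean" text follows the output shown in comment 2, and the "drifted" text is a constructed sample.

```python
import re

# Text in the "  Key: value" layout the ipa CLI prints in comment 2.
CLEAN = """\
  Role name: helpdesk
  Description: Helpdesk
  Member users: tuser1
  Privileges: modify users and reset passwords, modify group membership
"""

# Constructed sample: a host where earlier test runs altered the role.
DRIFTED = """\
  Role name: helpdesk
  Description: Helpdesk
  Member users: tuser1
  Privileges: modify group membership
"""

# Fields whose value is a comma-separated list in the CLI output.
LIST_FIELDS = {"Member users", "Privileges"}


def parse_role(text):
    """Parse indented 'Key: value' lines; skip separators and prompts."""
    role = {}
    for line in text.splitlines():
        m = re.match(r"^\s+([^:]+):\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key in LIST_FIELDS:
            role[key] = {v.strip().lower() for v in value.split(",") if v.strip()}
        else:
            role[key] = value
    return role


def role_drift(baseline, current, fields=("Privileges",)):
    """Return list-field entries missing from, or extra in, `current`."""
    base, cur = parse_role(baseline), parse_role(current)
    drift = {}
    for field in fields:
        # An empty list field is omitted from the output entirely.
        b, c = base.get(field, set()), cur.get(field, set())
        if b != c:
            drift[field] = {"missing": sorted(b - c), "extra": sorted(c - b)}
    return drift
```

An empty result means the role carries the same privileges on both hosts, so the difference has to be looked for elsewhere, for example in the permissions behind those privileges.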

