permission-mod command returned duplicate memberships:
    # ipa permission-show "Manage host keytab"
      Permission name: Manage host keytab
      Permissions: write, add
      Attributes: krbprincipalkey, krblastpwdchange
      Type: host
      Granted to Privilege: Host Administrators, Host Enrollment
      Indirect Member of roles: Build Administrator, IT Specialist
    # ipa permission-mod "Manage host keytab" --permissions=write
    ----------------------------------------
    Modified permission "Manage host keytab"
    ----------------------------------------
      Permission name: Manage host keytab
      Permissions: write
      Attributes: krbprincipalkey, krblastpwdchange
      Type: host
      Granted to Privilege: Host Administrators, Host Enrollment
    >>Indirect Member of roles: Build Administrator, IT Specialist, Build Administrator, IT Specialist<<
    # ipa permission-show "Manage host keytab"
      Permission name: Manage host keytab
      Permissions: write
      Attributes: krbprincipalkey, krblastpwdchange
      Type: host
      Granted to Privilege: Host Administrators, Host Enrollment
      Indirect Member of roles: Build Administrator, IT Specialist
As you see, this only appears to be an issue with MOD display, not storage in LDAP.
Honza, you played with memberships AFAIR, please check if this is more severe than it appears.
Membership processing is OK, the source of this error is somewhere in permission_mod.post_callback.
I get a different error on current master:
    $ ipa permission-mod "Manage host keytab" --permissions=read
    ipa: ERROR: attribute "memberindirect" not allowed
Petr, did you forget to handle memberindirect in the new permission code by any chance?
This is for version 3.3.4, before the new permission code.
It seems there's a different bug in master; I filed it as https://fedorahosted.org/freeipa/ticket/4178. Thanks for finding it!
Right. The problem is in permission-mod post_callback:
    # all common options to permission-mod and show need to be listed here
    common_options = filter_options(options, ['all', 'raw', 'rights'])
    result = self.api.Command.permission_show(cn, **common_options)['result']
    for r in result:
        # only direct 'member_*' attributes are skipped; 'memberindirect_*'
        # names do not match this prefix and are copied back as well
        if not r.startswith('member_'):
            entry_attrs[r] = result[r]
Previously, permission objects did not contain memberindirect_role so this was not a problem.
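An added illustration, not FreeIPA's own code, of the filter gap described in the comment above: the loop skips attribute names starting with `member_`, so a converted indirect-membership attribute such as `memberindirect_role` is copied from the permission-show result too. The ordering modelled here (a later pass appending converted membership names onto the same lists) and the function names are assumptions made for the illustration; the sample entry is constructed from the values shown in the ticket, not captured from a server. The `duplicated_values` helper is the kind of check one would run on mod output versus show output to confirm, as the reporter did, that the duplication is in the display and not in LDAP.

```python
# Added illustration, not FreeIPA's own code. Models the merge loop quoted above
# (copy permission-show output into entry_attrs unless the name starts with
# 'member_') and shows why 'memberindirect_role' slips through that filter.
# ASSUMPTION: a later step appends converted membership names onto the same
# lists; the ticket does not state this ordering, it is modelled here only.


def copy_show_result(entry_attrs, result, skip_prefixes=('member_',)):
    """Copy attributes from a permission-show result into entry_attrs, skipping
    names that start with any of skip_prefixes. Returns the names copied."""
    copied = []
    for name in result:
        if name.startswith(skip_prefixes):   # str.startswith accepts a tuple
            continue
        entry_attrs[name] = list(result[name])
        copied.append(name)
    return copied


def append_converted_members(entry_attrs, converted):
    """Assumed later pass: append converted membership names to the existing
    lists (setdefault + append), as a DN-to-name conversion step would."""
    for name, values in converted.items():
        for value in values:
            entry_attrs.setdefault(name, []).append(value)
    return entry_attrs


def duplicated_values(entry_attrs):
    """Return {attribute: [values listed more than once]} for list-valued
    attributes; an empty dict means the displayed entry has no duplicates."""
    dups = {}
    for name, values in entry_attrs.items():
        if not isinstance(values, list):
            continue
        seen, repeated = set(), []
        for v in values:
            if v in seen and v not in repeated:
                repeated.append(v)
            seen.add(v)
        if repeated:
            dups[name] = repeated
    return dups


# Constructed sample modelled on the ticket's output; not captured from a server.
SHOW_RESULT = {
    'cn': ['Manage host keytab'],
    'permissions': ['write'],
    'attrs': ['krbprincipalkey', 'krblastpwdchange'],
    'type': ['host'],
    'member_privilege': ['Host Administrators', 'Host Enrollment'],
    'memberindirect_role': ['Build Administrator', 'IT Specialist'],
}
CONVERTED_MEMBERS = {
    'member_privilege': ['Host Administrators', 'Host Enrollment'],
    'memberindirect_role': ['Build Administrator', 'IT Specialist'],
}


def model_mod_display(skip_prefixes=('member_',)):
    """Run the modelled mod path and return the entry as it would be displayed."""
    entry_attrs = {}
    copy_show_result(entry_attrs, SHOW_RESULT, skip_prefixes)
    return append_converted_members(entry_attrs, CONVERTED_MEMBERS)


if __name__ == '__main__':
    # 'member_' alone lets memberindirect_role through, so it is listed twice.
    print(duplicated_values(model_mod_display()))
    # Skipping indirect membership attributes as well avoids the duplicate.
    print(duplicated_values(model_mod_display(('member_', 'memberindirect_'))))
```

Running the script prints the duplicated `memberindirect_role` values for the `member_`-only filter and an empty dict once indirect membership attributes are skipped too; `member_privilege` is never duplicated in either run, matching what the ticket's output shows.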
ipa-3-3:
Moving to 3.3.5 milestone as this patch was only for that branch in the end.
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1108195
Metadata Update from @mkosek:
- Issue assigned to amisnyov
- Issue set to the milestone: FreeIPA 3.3.5 (bug fixing)