IPA version: git master: 76ec938 + patches:
fc69f05 webui: display messages contained in API responses
54a29d6 webui: new navigation structure
791db77 Non IDNA zonename should be normalized to lowercase
69d0979 Restore privileges after forward zones update
b9f8d4b ipa-ldap-updater: make possible to use LDAPI with autobind in case of hardened LDAP configuration
Reproducer:
# ipa dnszone-add TEST --name-server=ns
Administrator e-mail address [hostmaster.test.]:
Nameserver IP address: 192.0.2.1
ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'associatedDomain' attribute of entry 'cn=realm domains,cn=ipa,cn=etc,dc=ipa,dc=example'.

# ipa user-show dnsadmin --all --raw
dn: uid=dnsadmin,cn=users,cn=accounts,dc=ipa,dc=example
uid: dnsadmin
givenname: d
sn: d
cn: d d
initials: dd
homedirectory: /home/dnsadmin
gecos: d d
loginshell: /bin/sh
mail: dnsadmin@ipa.example
uidnumber: 370600003
gidnumber: 370600003
nsaccountlock: FALSE
has_password: TRUE
has_keytab: TRUE
displayName: d d
ipaUniqueID: 6225027a-01ec-11e4-8226-001a4a22219d
krbExtraData: AAIuCbRTa2FkbWluZEBJUEEuRVhBTVBMRQA=
krbLastFailedAuth: 20140702132913Z
krbLastPwdChange: 20140702132918Z
krbLastSuccessfulAuth: 20140703193113Z
krbLoginFailedCount: 0
krbPasswordExpiration: 20140930132918Z
krbPrincipalName: dnsadmin@IPA.EXAMPLE
krbTicketFlags: 128
memberof: cn=DNS majster,cn=roles,cn=accounts,dc=ipa,dc=example
memberof: cn=ipausers,cn=groups,cn=accounts,dc=ipa,dc=example
memberofindirect: cn=system: add dns entries,cn=permissions,cn=pbac,dc=ipa,dc=example
memberofindirect: cn=system: update dns entries,cn=permissions,cn=pbac,dc=ipa,dc=example
memberofindirect: cn=dns administrators,cn=privileges,cn=pbac,dc=ipa,dc=example
memberofindirect: cn=system: read dns entries,cn=permissions,cn=pbac,dc=ipa,dc=example
memberofindirect: cn=system: read dns configuration,cn=permissions,cn=pbac,dc=ipa,dc=example
memberofindirect: cn=system: remove dns entries,cn=permissions,cn=pbac,dc=ipa,dc=example
memberofindirect: cn=system: write dns configuration,cn=permissions,cn=pbac,dc=ipa,dc=example
mepManagedEntry: cn=dnsadmin,cn=groups,cn=accounts,dc=ipa,dc=example
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: inetuser
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: ipasshuser
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry

# ipa role-show "DNS majster" --all --raw
dn: cn=DNS majster,cn=roles,cn=accounts,dc=ipa,dc=example
cn: DNS majster
description: .
member: uid=dnsadmin,cn=users,cn=accounts,dc=ipa,dc=example
memberof: cn=DNS Administrators,cn=privileges,cn=pbac,dc=ipa,dc=example
memberofindirect: cn=system: add dns entries,cn=permissions,cn=pbac,dc=ipa,dc=example
memberofindirect: cn=system: update dns entries,cn=permissions,cn=pbac,dc=ipa,dc=example
memberofindirect: cn=system: read dns configuration,cn=permissions,cn=pbac,dc=ipa,dc=example
memberofindirect: cn=system: write dns configuration,cn=permissions,cn=pbac,dc=ipa,dc=example
memberofindirect: cn=system: remove dns entries,cn=permissions,cn=pbac,dc=ipa,dc=example
memberofindirect: cn=system: read dns entries,cn=permissions,cn=pbac,dc=ipa,dc=example
objectClass: groupofnames
objectClass: nestedgroup
objectClass: top

# ipa privilege-show "DNS Administrators" --all --raw
dn: cn=DNS Administrators,cn=privileges,cn=pbac,dc=ipa,dc=example
cn: DNS Administrators
description: DNS Administrators
member: cn=DNS majster,cn=roles,cn=accounts,dc=ipa,dc=example
memberof: cn=system: read dns configuration,cn=permissions,cn=pbac,dc=ipa,dc=example
memberof: cn=system: write dns configuration,cn=permissions,cn=pbac,dc=ipa,dc=example
memberof: cn=system: add dns entries,cn=permissions,cn=pbac,dc=ipa,dc=example
memberof: cn=system: read dns entries,cn=permissions,cn=pbac,dc=ipa,dc=example
memberof: cn=system: remove dns entries,cn=permissions,cn=pbac,dc=ipa,dc=example
memberof: cn=system: update dns entries,cn=permissions,cn=pbac,dc=ipa,dc=example
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
Surprisingly, the DNS was created:
# ipa dnszone-show --all --raw TEST
dn: idnsname=test.,cn=dns,dc=ipa,dc=example
idnsname: test.
idnszoneactive: TRUE
idnssoamname: ns
idnssoarname: hostmaster.test.
idnssoaserial: 1404415874
idnssoarefresh: 3600
idnssoaretry: 900
idnssoaexpire: 1209600
idnssoaminimum: 3600
idnsallowquery: any;
idnsallowtransfer: none;
idnsAllowDynUpdate: FALSE
idnsUpdatePolicy: grant IPA.EXAMPLE krb5-self * A; grant IPA.EXAMPLE krb5-self * AAAA; grant IPA.EXAMPLE krb5-self * SSHFP;
nsrecord: ns
objectClass: idnszone
objectClass: top
objectClass: idnsrecord
This is an easy fix, we should do it before GA.
attachment freeipa-mkosek-477-add-modify-realm-domains-permission.patch
Patch freeipa-mkosek-477-add-modify-realm-domains-permission.patch sent for review
master:
Metadata Update from @pspacek:
- Issue assigned to mkosek
- Issue set to the milestone: FreeIPA 4.0 GA