After the permission V2 refactoring, DNS permissions are created before the DNS service and privileges are installed. This means the memberOf plugin cannot create the memberOf links, and the ACIs then do not work correctly.
This only affects DNS configuration via ipa-dns-install (and not via --setup-dns), as the LDAP updater that runs as part of server installation fixes the memberOf links.
After I run

    # ipa-ldap-updater /usr/share/ipa/updates/55-pbacmemberof.update
    Directory Manager password:
    Parsing update file '/usr/share/ipa/updates/55-pbacmemberof.update'
    New entry: cn=Update Role memberOf 1413471919,cn=memberof task,cn=tasks,cn=config
    New entry: cn=Update PBAC memberOf 1413471919,cn=memberof task,cn=tasks,cn=config
    The ipa-ldap-updater command was successful

the memberOf links in the DNS Server privilege correctly appeared.
The solution is either to run the fixup task as part of ipa-dns-install or to create the privileges in the default installation.
This is a regression caused by the managed permissions; we need to fix it in 4.0.x.
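As an added example (not FreeIPA code and not part of the ticket), the following Python script performs offline the consistency check behind this bug: it reads a dump of pbac entries, computes the memberOf back-links that the 389 DS memberOf plugin should have written by following member links transitively (nested groups), and reports which ones are missing, which is exactly what a memberOf fixup task would add. The sample LDIF, the permission and privilege names, the user uid=dnsadmin and the base dc=example,dc=test are all constructed for the example; the privilege entry in it was created after the permission that already lists it as a member, so it has no memberOf back-link, as in the ticket.

```python
"""Offline memberOf consistency check for a FreeIPA-style pbac subtree.

Added example, not FreeIPA code. Reads an LDIF dump, computes the memberOf
values the 389 DS memberOf plugin should have written (transitive over
'member' links, as nested groups are), and reports the difference, i.e.
what a memberOf fixup task would repair.
"""
import re
from collections import defaultdict

# Constructed sample, not a real server dump. The privilege was created after
# the permission that already listed it as a member, so no memberOf back-link
# was ever written on the privilege (and none propagated below it).
SAMPLE_LDIF = """\
dn: cn=System: Read DNS Configuration,cn=permissions,cn=pbac,dc=example,dc=test
objectClass: ipapermission
objectClass: groupofnames
member: cn=DNS Servers,cn=privileges,cn=pbac,dc=example,dc=test

dn: cn=DNS Servers,cn=privileges,cn=pbac,dc=example,dc=test
objectClass: nestedgroup
objectClass: groupofnames
member: cn=DNS Administrator,cn=roles,cn=pbac,dc=example,dc=test

dn: cn=DNS Administrator,cn=roles,cn=pbac,dc=example,dc=test
objectClass: nestedgroup
objectClass: groupofnames
memberOf: cn=DNS Servers,cn=privileges,cn=pbac,dc=example,dc=test
member: uid=dnsadmin,cn=users,cn=accounts,dc=example,dc=test

dn: uid=dnsadmin,cn=users,cn=accounts,dc=example,dc=test
objectClass: person
memberOf: cn=DNS Administrator,cn=roles,cn=pbac,dc=example,dc=test
memberOf: cn=DNS Servers,cn=privileges,cn=pbac,dc=example,dc=test
"""


def norm_dn(dn):
    """Case-fold a DN and strip whitespace around RDN separators so that
    'CN=X, DC=Y' and 'cn=x,dc=y' compare equal (escaped commas not handled)."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_ldif(text):
    """Parse a minimal LDIF dump into {normalized dn: {attr: [values]}}.
    Attribute names are lower-cased, continuation lines (leading space) are
    folded; base64 ('::') values are not supported."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = []
        for line in block.splitlines():
            if line.startswith(" ") and lines:
                lines[-1] += line[1:]
            elif line and not line.startswith("#"):
                lines.append(line)
        attrs = defaultdict(list)
        for line in lines:
            name, _, value = line.partition(": ")
            attrs[name.lower()].append(value.strip())
        entries[norm_dn(attrs.pop("dn")[0])] = dict(attrs)
    return entries


def expected_memberof(entries):
    """Each entry should carry memberOf for every group from which it is
    reachable via one or more 'member' links (memberOf nesting)."""
    children = {dn: [norm_dn(m) for m in attrs.get("member", [])]
                for dn, attrs in entries.items()}
    expected = defaultdict(set)
    for group in children:
        stack, seen = list(children[group]), set()
        while stack:
            dn = stack.pop()
            if dn in seen:
                continue  # guards against cycles and diamonds
            seen.add(dn)
            expected[dn].add(group)
            stack.extend(children.get(dn, []))
    return expected


def check_memberof(entries):
    """Return {'missing': {dn: [groups]}, 'stale': {dn: [groups]}} listing
    only the entries whose stored memberOf differs from the expected set."""
    expected = expected_memberof(entries)
    missing, stale = {}, {}
    for dn, attrs in entries.items():
        actual = {norm_dn(v) for v in attrs.get("memberof", [])}
        if expected[dn] - actual:
            missing[dn] = sorted(expected[dn] - actual)
        if actual - expected[dn]:
            stale[dn] = sorted(actual - expected[dn])
    return {"missing": missing, "stale": stale}


def apply_fixup(entries):
    """Rewrite memberOf to the expected set, as the server-side memberOf fixup
    task does. Returns the number of entries changed."""
    expected = expected_memberof(entries)
    changed = 0
    for dn, attrs in entries.items():
        want = sorted(expected[dn])
        if {norm_dn(v) for v in attrs.get("memberof", [])} != set(want):
            attrs["memberof"] = want
            changed += 1
    return changed


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    for dn, groups in check_memberof(entries)["missing"].items():
        print("missing memberOf on", dn)
        for group in groups:
            print("    ", group)
    print("fixup would change", apply_fixup(entries), "entries")
```

Run against a real export (for example the output of an ldapsearch over cn=pbac,$SUFFIX with member and memberOf requested), the "missing" map is the list of links the fixup task would add; a non-empty "stale" map means a memberOf value points at a group that no longer lists the entry, which the same task also corrects.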
Metadata Update from @mkosek:
- Issue assigned to pvoborni
- Issue set to the milestone: FreeIPA 4.0.4