Bug #18850

closed

FreeIPA REALM > Insufficient 'add' privilege to the 'userPassword' attribute

Added by Yama Kasi about 7 years ago. Updated about 7 years ago.

Status: Duplicate
Priority: Normal
Assignee: -
Category: Realm
Target version: -
Difficulty: -
Triaged: -
Fixed in Releases: -
Found in Releases: -

Description

When following the docs I get the following error on adding a host to a realm:

D, [2017-03-08T21:43:59.500605 ] DEBUG -- : freeipa: realm DOMAIN.TLD
D, [2017-03-08T21:43:59.500704 ] DEBUG -- : freeipa: server is https://ipa-01.domain.tld/ipa/xml
D, [2017-03-08T21:43:59.500936 ] DEBUG -- : Requesting credentials for Kerberos principal foreman-realm-proxy/ipa-01.domain.tld@DOMAIN.TLD using keytab /etc/foreman-proxy/foreman-realm-proxy.keytab
D, [2017-03-08T21:43:59.535006 ] DEBUG -- : Kerberos credential cache initialised with principal: foreman-realm-proxy/ipa-01.domain.tld@DOMAIN.TLD
E, [2017-03-08T21:43:59.821596 ] ERROR -- : Insufficient access: Insufficient 'add' privilege to the 'userPassword' attribute
D, [2017-03-08T21:43:59.821708 ] DEBUG -- : Insufficient access: Insufficient 'add' privilege to the 'userPassword' attribute (XMLRPC::FaultException)
/usr/share/ruby/xmlrpc/client.rb:272:in `call'
/usr/share/foreman-proxy/modules/realm/freeipa.rb:160:in `ipa_call'
/usr/share/foreman-proxy/modules/realm/freeipa.rb:109:in `create'
/usr/share/foreman-proxy/modules/realm/realm_api.rb:28:in `block in <class:Api>'
/usr/share/gems/gems/sinatra-1.4.7/lib/sinatra/base.rb:1611:in `call'
/usr/share/gems/gems/sinatra-1.4.7/lib/sinatra/base.rb:1611:in `block in compile!'
/usr/share/gems/gems/sinatra-1.4.7/lib/sinatra/base.rb:975:in `block (3 levels) in route!'
/usr/share/gems/gems/sinatra-1.4.7/lib/sinatra/base.rb:994:in `route_eval'
/usr/share/gems/gems/sinatra-1.4.7/lib/sinatra/base.rb:975:in `block (2 levels) in route!'
/usr/share/gems/gems/sinatra-1.4.7/lib/sinatra/base.rb:1015:in `block in process_route'
/usr/share/gems/gems/sinatra-1.4.7/lib/sinatra/base.rb:1013:in `catch'
/usr/share/gems/gems/sinatra-1.4.7/lib/sinatra/base.rb:1013:in `process_route'
/usr/share/gems/gems/sinatra-1.4.7/lib/sinatra/base.rb:973:in `block in route!'
/usr/share/gems/gems/sinatra-1.4.7/lib/sinatra/base.rb:972:in `each'
/usr/share/gems/gems/sinatra-1.4.7/lib/sinatra/base.rb:972:in `route!'
/usr/share/gems/gems/sinatra-1.4.7/lib/sinatra/base.rb:1085:in `block in dispatch!'
/usr/share/gems/gems/sinatra-1.4.7/lib/sinatra/base.rb:1067:in `block in invoke'
/usr/share/gems/gems/sinatra-1.4.7/lib/sinatra/base.rb:1067:in `catch'
/usr/share/gems/gems/sinatra-1.4.7/lib/sinatra/base.rb:1067:in `invoke'
/usr/share/gems/gems/sinatra-1.4.7/lib/sinatra/base.rb:1082:in `dispatch!'
/usr/share/gems/gems/sinatra-1.4.7/lib/sinatra/base.rb:907:in `block in call!'
/usr/share/gems/gems/sinatra-1.4.7/lib/sinatra/base.rb:1067:in `block in invoke'
/usr/share/gems/gems/sinatra-1.4.7/lib/sinatra/base.rb:1067:in `catch'
/usr/share/gems/gems/sinatra-1.4.7/lib/sinatra/base.rb:1067:in `invoke'
/usr/share/gems/gems/sinatra-1.4.7/lib/sinatra/base.rb:907:in `call!'
/usr/share/gems/gems/sinatra-1.4.7/lib/sinatra/base.rb:895:in `call'
/usr/share/gems/gems/rack-1.6.4/lib/rack/commonlogger.rb:33:in `call'
/usr/share/gems/gems/sinatra-1.4.7/lib/sinatra/base.rb:219:in `call'
/usr/share/foreman-proxy/lib/proxy/log.rb:109:in `call'
/usr/share/foreman-proxy/lib/proxy/request_id_middleware.rb:9:in `call'
/usr/share/gems/gems/rack-protection-1.5.3/lib/rack/protection/xss_header.rb:18:in `call'
/usr/share/gems/gems/rack-protection-1.5.3/lib/rack/protection/path_traversal.rb:16:in `call'
/usr/share/gems/gems/rack-protection-1.5.3/lib/rack/protection/json_csrf.rb:18:in `call'
/usr/share/gems/gems/rack-protection-1.5.3/lib/rack/protection/base.rb:49:in `call'
/usr/share/gems/gems/rack-protection-1.5.3/lib/rack/protection/base.rb:49:in `call'
/usr/share/gems/gems/rack-protection-1.5.3/lib/rack/protection/frame_options.rb:31:in `call'
/usr/share/gems/gems/rack-1.6.4/lib/rack/nulllogger.rb:9:in `call'
/usr/share/gems/gems/rack-1.6.4/lib/rack/head.rb:13:in `call'
/usr/share/gems/gems/sinatra-1.4.7/lib/sinatra/show_exceptions.rb:25:in `call'
/usr/share/gems/gems/sinatra-1.4.7/lib/sinatra/base.rb:182:in `call'
/usr/share/gems/gems/sinatra-1.4.7/lib/sinatra/base.rb:2013:in `call'
/usr/share/gems/gems/sinatra-1.4.7/lib/sinatra/base.rb:1487:in `block in call'
/usr/share/gems/gems/sinatra-1.4.7/lib/sinatra/base.rb:1787:in `synchronize'
/usr/share/gems/gems/sinatra-1.4.7/lib/sinatra/base.rb:1487:in `call'
/usr/share/gems/gems/rack-1.6.4/lib/rack/urlmap.rb:66:in `block in call'
/usr/share/gems/gems/rack-1.6.4/lib/rack/urlmap.rb:50:in `each'
/usr/share/gems/gems/rack-1.6.4/lib/rack/urlmap.rb:50:in `call'
/usr/share/gems/gems/rack-1.6.4/lib/rack/builder.rb:153:in `call'
/usr/share/gems/gems/rack-1.6.4/lib/rack/handler/webrick.rb:88:in `service'
/usr/share/ruby/webrick/httpserver.rb:140:in `service'
/usr/share/ruby/webrick/httpserver.rb:96:in `run'
/usr/share/ruby/webrick/server.rb:296:in `block in start_thread'
I, [2017-03-08T21:43:59.823241 ]  INFO -- : 172.16.3.211 - - [08/Mar/2017:21:43:59 +0100] "POST /realm/DOMAIN.TLD/ HTTP/1.1" 400 81 0.3236

The user is in the right group for userPassword and has the 'add' attribute on it as well.

I have tried another user, same issue.


Related issues (1): 0 open, 1 closed

Related to Smart Proxy - Bug #8926: foreman-prepare-realm on EL6 fails to set correct permissions for ipa-server-4 (Resolved, 01/13/2015)
Actions #1

Updated by Anonymous about 7 years ago

  • Tracker changed from Bug to Support

Did you configure freeipa server and smart-proxy as described in documentation (https://theforeman.org/manuals/1.14/index.html#4.3.8Realm)? In particular, did you use foreman-prepare-realm tool?

Actions #2

Updated by Anonymous about 7 years ago

  • Category set to Realm
Actions #3

Updated by Yama Kasi about 7 years ago

Dmitri Dolguikh wrote:

Did you configure freeipa server and smart-proxy as described in documentation (https://theforeman.org/manuals/1.14/index.html#4.3.8Realm)? In particular, did you use foreman-prepare-realm tool?

Yes, I did all of it. When I create another user it also says all groups are already in place and only creates the user and adds the proper groups to it.

Actions #4

Updated by Anonymous about 7 years ago

What version of freeipa server are you running?

Actions #5

Updated by Yama Kasi about 7 years ago

Dmitri Dolguikh wrote:

What version of freeipa server are you running?

    ipa --version
    VERSION: 4.4.2, API_VERSION: 2.215
Actions #6

Updated by Anonymous about 7 years ago

  • Related to Bug #8926: foreman-prepare-realm on EL6 fails to set correct permissions for ipa-server-4 added
Actions #7

Updated by Anonymous about 7 years ago

From the linked issue: copy foreman-prepare-realm to a server running IPA v4 tools (e.g. the IPA server itself), and run the script from there.

Could you try the above please?

Actions #8

Updated by Anonymous about 7 years ago

  • Tracker changed from Support to Bug
  • Status changed from New to Duplicate
Actions #9

Updated by Yama Kasi about 7 years ago

Dmitri Dolguikh wrote:

From the linked issue: copy foreman-prepare-realm to a server running IPA v4 tools (e.g. the IPA server itself), and run the script from there.

Could you try the above please?

The proxy is already on the IPA server; how would that be done otherwise?

Actions #10

Updated by Anonymous about 7 years ago

Could you check that:
- "Smart Proxy Host Management" privilege (created by foreman-prepare-realm) has permissions defined between lines 56-62 here: https://github.com/theforeman/smart-proxy/blob/develop/sbin/foreman-prepare-realm#L56
- "Smart Proxy Host Manager" role has "Smart Proxy Host Management" privilege
- smart-proxy user account has "Smart Proxy Host Manager" role assigned to it
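
The three checks above can be scripted against the `ipa` CLI. The following is an added example, not code from this issue, from the smart-proxy project or from foreman-prepare-realm. It assumes the permission that foreman-prepare-realm creates for userPassword is named "modify host password" and that `ipa permission-show` prints "Granted rights:" and "Effective attributes:" lines as FreeIPA 4.4.x does; the sample outputs embedded in the script are constructed, not captured from the reporter's server. The parsing function is the part that runs offline; the live check needs a Kerberos ticket that can read the RBAC entries.

```shell
#!/usr/bin/env bash
# Added example (not from the Foreman issue or the smart-proxy project).
# Verifies the FreeIPA RBAC chain: user -> role -> privilege -> permission,
# and checks which rights the userPassword permission actually carries.

# Assumed names (match what foreman-prepare-realm is expected to create).
PRIV="Smart Proxy Host Management"
ROLE="Smart Proxy Host Manager"
PWPERM="modify host password"   # assumption: name of the userPassword permission

# permission_grants RIGHT ATTR
# Reads `ipa permission-show` output on stdin; returns 0 when RIGHT
# (e.g. add, write) is granted on ATTR (e.g. userpassword), else 1.
permission_grants() {
  local want_right="$1" want_attr="$2"
  local rights="" attrs="" line r a
  local ok_r=1 ok_a=1
  while IFS= read -r line; do
    case "$line" in
      *"Granted rights:"*)       rights="${line#*: }" ;;
      *"Effective attributes:"*) attrs="${line#*: }" ;;
      *"Attributes:"*)           attrs="${line#*: }" ;;
    esac
  done
  # Values are comma separated ("write, add"); normalise to space separated.
  rights=$(printf '%s' "$rights" | tr ',' ' ')
  attrs=$(printf '%s' "$attrs" | tr 'A-Z' 'a-z' | tr ',' ' ')
  for r in $rights; do [ "$r" = "$want_right" ] && ok_r=0; done
  for a in $attrs;  do [ "$a" = "$want_attr" ]  && ok_a=0; done
  [ "$ok_r" -eq 0 ] && [ "$ok_a" -eq 0 ]
}

# Constructed sample output in the shape of `ipa permission-show` on 4.4.x.
SAMPLE_WRITE_ONLY='  Permission name: modify host password
  Granted rights: write
  Effective attributes: userpassword
  Bind rule type: permission
  Subtree: cn=computers,cn=accounts,dc=domain,dc=tld
  Type: host
  Granted to Privilege: Smart Proxy Host Management'

SAMPLE_WRITE_ADD='  Permission name: modify host password
  Granted rights: write, add
  Effective attributes: userpassword
  Bind rule type: permission
  Subtree: cn=computers,cn=accounts,dc=domain,dc=tld
  Type: host
  Granted to Privilege: Smart Proxy Host Management'

# check_realm_proxy_rbac PROXY_UID
# Live check against the IPA server (needs a ticket, e.g. after `kinit admin`).
# Not exercised by the offline samples above.
check_realm_proxy_rbac() {
  local proxy_user="$1"
  ipa role-show "$ROLE" | grep -qi "Member users:.*$proxy_user" \
    || { echo "FAIL: $proxy_user is not a member of role '$ROLE'"; return 1; }
  ipa role-show "$ROLE" | grep -qi "Privileges:.*$PRIV" \
    || { echo "FAIL: role '$ROLE' lacks privilege '$PRIV'"; return 1; }
  ipa privilege-show "$PRIV" | grep -qi "Permissions:.*$PWPERM" \
    || { echo "FAIL: privilege '$PRIV' lacks permission '$PWPERM'"; return 1; }
  ipa permission-show "$PWPERM" | permission_grants write userpassword \
    || { echo "FAIL: '$PWPERM' does not grant write on userPassword"; return 1; }
  # The error in this issue names the 'add' right, which is checked separately
  # from 'write' by the directory server's ACI evaluation; report it on its own.
  ipa permission-show "$PWPERM" | permission_grants add userpassword \
    || { echo "FAIL: '$PWPERM' does not grant add on userPassword"; return 1; }
  echo "OK: RBAC chain for $proxy_user is complete"
}

if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_WRITE_ONLY" | permission_grants add userpassword \
    && echo "write-only sample: add granted" || echo "write-only sample: add NOT granted"
  printf '%s\n' "$SAMPLE_WRITE_ADD" | permission_grants add userpassword \
    && echo "write+add sample: add granted" || echo "write+add sample: add NOT granted"
elif [ -n "${1:-}" ]; then
  check_realm_proxy_rbac "$1"
fi
```

Run it as `./check-rbac.sh --demo` to exercise the parser on the constructed samples, or `./check-rbac.sh foreman-realm-proxy` against a live server. The parser is written to match the 'add' right separately from 'write' because that is the distinction the error message in the description draws; whether the permission foreman-prepare-realm created on a given server carries 'add' is exactly what the script reports, it does not assume an answer.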

Actions #11

Updated by Yama Kasi about 7 years ago

Dmitri Dolguikh wrote:

Could you check that:
- "Smart Proxy Host Management" privilege (created by foreman-prepare-realm) has permissions defined between lines 56-62 here: https://github.com/theforeman/smart-proxy/blob/develop/sbin/foreman-prepare-realm#L56
- "Smart Proxy Host Manager" role has "Smart Proxy Host Management" privilege
- smart-proxy user account has "Smart Proxy Host Manager" role assigned to it

All seem to be in the right order.

Actions #12

Updated by Anonymous about 7 years ago

I couldn't replicate the bug when using freeipa 4.4.3 -- I was able to successfully create and delete a host.

Actions #13

Updated by Yama Kasi about 7 years ago

Rob Crittenden on the FreeIPA mailing list made something more clear it seems:

https://www.redhat.com/archives/freeipa-users/2017-March/msg00153.html

Actions #14

Updated by Yama Kasi about 7 years ago

I need to update this bug, as it goes wrong when I update a host that didn't have a realm through Foreman but already exists in FreeIPA. So write or add is not good when editing a host; can someone test that?

Actions #15

Updated by Yama Kasi about 7 years ago

Another update: on a host add it doesn't work either.
