
Bug #18850

FreeIPA REALM > Insufficient 'add' privilege to the 'userPassword' attribute

Added by Yama Kasi almost 2 years ago. Updated almost 2 years ago.

Status:
Duplicate
Priority:
Normal
Assignee:
-
Category:
Realm
Target version:
-
Difficulty:
Triaged:
No
Bugzilla link:
Pull request:
Team Backlog:
Fixed in Releases:
Found in Releases:

Description

When following the docs I get the following error on adding a host to a realm:

D, [2017-03-08T21:43:59.500605 ] DEBUG -- : freeipa: realm DOMAIN.TLD
D, [2017-03-08T21:43:59.500704 ] DEBUG -- : freeipa: server is https://ipa-01.domain.tld/ipa/xml
D, [2017-03-08T21:43:59.500936 ] DEBUG -- : Requesting credentials for Kerberos principal foreman-realm-proxy/ipa-01.domain.tld@DOMAIN.TLD using keytab /etc/foreman-proxy/foreman-realm-proxy.keytab
D, [2017-03-08T21:43:59.535006 ] DEBUG -- : Kerberos credential cache initialised with principal: foreman-realm-proxy/ipa-01.domain.tld@DOMAIN.TLD
E, [2017-03-08T21:43:59.821596 ] ERROR -- : Insufficient access: Insufficient 'add' privilege to the 'userPassword' attribute
D, [2017-03-08T21:43:59.821708 ] DEBUG -- : Insufficient access: Insufficient 'add' privilege to the 'userPassword' attribute (XMLRPC::FaultException)
/usr/share/ruby/xmlrpc/client.rb:272:in `call'
/usr/share/foreman-proxy/modules/realm/freeipa.rb:160:in `ipa_call'
/usr/share/foreman-proxy/modules/realm/freeipa.rb:109:in `create'
/usr/share/foreman-proxy/modules/realm/realm_api.rb:28:in `block in <class:Api>'
/usr/share/gems/gems/sinatra-1.4.7/lib/sinatra/base.rb:1611:in `call'
/usr/share/gems/gems/sinatra-1.4.7/lib/sinatra/base.rb:1611:in `block in compile!'
/usr/share/gems/gems/sinatra-1.4.7/lib/sinatra/base.rb:975:in `block (3 levels) in route!'
/usr/share/gems/gems/sinatra-1.4.7/lib/sinatra/base.rb:994:in `route_eval'
/usr/share/gems/gems/sinatra-1.4.7/lib/sinatra/base.rb:975:in `block (2 levels) in route!'
/usr/share/gems/gems/sinatra-1.4.7/lib/sinatra/base.rb:1015:in `block in process_route'
/usr/share/gems/gems/sinatra-1.4.7/lib/sinatra/base.rb:1013:in `catch'
/usr/share/gems/gems/sinatra-1.4.7/lib/sinatra/base.rb:1013:in `process_route'
/usr/share/gems/gems/sinatra-1.4.7/lib/sinatra/base.rb:973:in `block in route!'
/usr/share/gems/gems/sinatra-1.4.7/lib/sinatra/base.rb:972:in `each'
/usr/share/gems/gems/sinatra-1.4.7/lib/sinatra/base.rb:972:in `route!'
/usr/share/gems/gems/sinatra-1.4.7/lib/sinatra/base.rb:1085:in `block in dispatch!'
/usr/share/gems/gems/sinatra-1.4.7/lib/sinatra/base.rb:1067:in `block in invoke'
/usr/share/gems/gems/sinatra-1.4.7/lib/sinatra/base.rb:1067:in `catch'
/usr/share/gems/gems/sinatra-1.4.7/lib/sinatra/base.rb:1067:in `invoke'
/usr/share/gems/gems/sinatra-1.4.7/lib/sinatra/base.rb:1082:in `dispatch!'
/usr/share/gems/gems/sinatra-1.4.7/lib/sinatra/base.rb:907:in `block in call!'
/usr/share/gems/gems/sinatra-1.4.7/lib/sinatra/base.rb:1067:in `block in invoke'
/usr/share/gems/gems/sinatra-1.4.7/lib/sinatra/base.rb:1067:in `catch'
/usr/share/gems/gems/sinatra-1.4.7/lib/sinatra/base.rb:1067:in `invoke'
/usr/share/gems/gems/sinatra-1.4.7/lib/sinatra/base.rb:907:in `call!'
/usr/share/gems/gems/sinatra-1.4.7/lib/sinatra/base.rb:895:in `call'
/usr/share/gems/gems/rack-1.6.4/lib/rack/commonlogger.rb:33:in `call'
/usr/share/gems/gems/sinatra-1.4.7/lib/sinatra/base.rb:219:in `call'
/usr/share/foreman-proxy/lib/proxy/log.rb:109:in `call'
/usr/share/foreman-proxy/lib/proxy/request_id_middleware.rb:9:in `call'
/usr/share/gems/gems/rack-protection-1.5.3/lib/rack/protection/xss_header.rb:18:in `call'
/usr/share/gems/gems/rack-protection-1.5.3/lib/rack/protection/path_traversal.rb:16:in `call'
/usr/share/gems/gems/rack-protection-1.5.3/lib/rack/protection/json_csrf.rb:18:in `call'
/usr/share/gems/gems/rack-protection-1.5.3/lib/rack/protection/base.rb:49:in `call'
/usr/share/gems/gems/rack-protection-1.5.3/lib/rack/protection/base.rb:49:in `call'
/usr/share/gems/gems/rack-protection-1.5.3/lib/rack/protection/frame_options.rb:31:in `call'
/usr/share/gems/gems/rack-1.6.4/lib/rack/nulllogger.rb:9:in `call'
/usr/share/gems/gems/rack-1.6.4/lib/rack/head.rb:13:in `call'
/usr/share/gems/gems/sinatra-1.4.7/lib/sinatra/show_exceptions.rb:25:in `call'
/usr/share/gems/gems/sinatra-1.4.7/lib/sinatra/base.rb:182:in `call'
/usr/share/gems/gems/sinatra-1.4.7/lib/sinatra/base.rb:2013:in `call'
/usr/share/gems/gems/sinatra-1.4.7/lib/sinatra/base.rb:1487:in `block in call'
/usr/share/gems/gems/sinatra-1.4.7/lib/sinatra/base.rb:1787:in `synchronize'
/usr/share/gems/gems/sinatra-1.4.7/lib/sinatra/base.rb:1487:in `call'
/usr/share/gems/gems/rack-1.6.4/lib/rack/urlmap.rb:66:in `block in call'
/usr/share/gems/gems/rack-1.6.4/lib/rack/urlmap.rb:50:in `each'
/usr/share/gems/gems/rack-1.6.4/lib/rack/urlmap.rb:50:in `call'
/usr/share/gems/gems/rack-1.6.4/lib/rack/builder.rb:153:in `call'
/usr/share/gems/gems/rack-1.6.4/lib/rack/handler/webrick.rb:88:in `service'
/usr/share/ruby/webrick/httpserver.rb:140:in `service'
/usr/share/ruby/webrick/httpserver.rb:96:in `run'
/usr/share/ruby/webrick/server.rb:296:in `block in start_thread'
I, [2017-03-08T21:43:59.823241 ]  INFO -- : 172.16.3.211 - - [08/Mar/2017:21:43:59 +0100] "POST /realm/DOMAIN.TLD/ HTTP/1.1" 400 81 0.3236

The user has the right group for the userpassword and has the add attribute to it as well.

I have tried another user, same issue.


Related issues

Related to Smart Proxy - Bug #8926: foreman-prepare-realm on EL6 fails to set correct permissions for ipa-server-4 (Resolved, 2015-01-13)

History

#1 Updated by Dmitri Dolguikh almost 2 years ago

  • Tracker changed from Bug to Support

Did you configure freeipa server and smart-proxy as described in documentation (https://theforeman.org/manuals/1.14/index.html#4.3.8Realm)? In particular, did you use foreman-prepare-realm tool?

#2 Updated by Dmitri Dolguikh almost 2 years ago

  • Category set to Realm

#3 Updated by Yama Kasi almost 2 years ago

Dmitri Dolguikh wrote:

Did you configure freeipa server and smart-proxy as described in documentation (https://theforeman.org/manuals/1.14/index.html#4.3.8Realm)? In particular, did you use foreman-prepare-realm tool?

Yes I did all of it. When I create another user it also says all groups are already in place and only creates the user and adds the proper groups to it.

#4 Updated by Dmitri Dolguikh almost 2 years ago

What version of freeipa server are you running?

#5 Updated by Yama Kasi almost 2 years ago

Dmitri Dolguikh wrote:

What version of freeipa server are you running?

# ipa --version
VERSION: 4.4.2, API_VERSION: 2.215

#6 Updated by Dmitri Dolguikh almost 2 years ago

  • Related to Bug #8926: foreman-prepare-realm on EL6 fails to set correct permissions for ipa-server-4 added

#7 Updated by Dmitri Dolguikh almost 2 years ago

From the linked issue: copy foreman-prepare-realm to a server running IPA v4 tools (e.g. the IPA server itself), and run the script from there.

Could you try the above please?

#8 Updated by Dmitri Dolguikh almost 2 years ago

  • Tracker changed from Support to Bug
  • Status changed from New to Duplicate

#9 Updated by Yama Kasi almost 2 years ago

Dmitri Dolguikh wrote:

From the linked issue: copy foreman-prepare-realm to a server running IPA v4 tools (e.g. the IPA server itself), and run the script from there.

Could you try the above please?

The proxy is already on the IPA server; how would that be done otherwise?

#10 Updated by Dmitri Dolguikh almost 2 years ago

Could you check that:
- "Smart Proxy Host Management" privilege (created by foreman-prepare-realm) has permissions defined between lines 56-62 here: https://github.com/theforeman/smart-proxy/blob/develop/sbin/foreman-prepare-realm#L56
- "Smart Proxy Host Manager" role has "Smart Proxy Host Management" privilege
- smart-proxy user account has "Smart Proxy Host Manager" role assigned to it
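One way to script the three checks above, as an added example that is not part of this thread or of the smart-proxy project: it parses the text output of `ipa user-show`, `ipa role-show` and `ipa privilege-show` and reports which link of the user -> role -> privilege -> permissions chain is missing. The sample command outputs and the expected permission list are constructed placeholders; the authoritative permission list is the one in foreman-prepare-realm.

```python
import re
from typing import Dict, List

ROLE = "Smart Proxy Host Manager"          # role foreman-prepare-realm creates
PRIVILEGE = "Smart Proxy Host Management"  # privilege it attaches to that role

# Constructed sample output in the layout 'ipa <obj>-show' prints ("  Field: v1, v2").
USER_SHOW = """\
  User login: realm-proxy
  Roles: Smart Proxy Host Manager
"""
ROLE_SHOW = """\
  Role name: Smart Proxy Host Manager
  Member users: realm-proxy
  Privileges: Smart Proxy Host Management
"""
PRIV_SHOW = """\
  Privilege name: Smart Proxy Host Management
  Permissions: add hosts, modify host password
"""
# Constructed placeholder; the authoritative list is the one in foreman-prepare-realm.
EXPECTED_PERMS = ["add hosts", "modify host password"]

def parse_ipa_show(text: str) -> Dict[str, List[str]]:
    """Map each '  Field: a, b' line to {'Field': ['a', 'b']}; split on the first colon only."""
    fields: Dict[str, List[str]] = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+):\s*(.*)$", line)
        if m:
            fields[m.group(1).strip()] = [v.strip() for v in m.group(2).split(",") if v.strip()]
    return fields

def check_chain(user_show: str, role_show: str, priv_show: str, expected: List[str]) -> List[str]:
    """Return the broken links in user -> role -> privilege -> permissions (empty list = complete)."""
    problems: List[str] = []
    user = parse_ipa_show(user_show)
    login = user.get("User login", ["?"])[0]
    if ROLE not in user.get("Roles", []):
        problems.append(f"user {login!r} lacks role {ROLE!r}")
    if PRIVILEGE not in parse_ipa_show(role_show).get("Privileges", []):
        problems.append(f"role {ROLE!r} lacks privilege {PRIVILEGE!r}")
    have = set(parse_ipa_show(priv_show).get("Permissions", []))
    for perm in sorted(set(expected) - have):
        problems.append(f"privilege {PRIVILEGE!r} lacks permission {perm!r}")
    return problems

if __name__ == "__main__":
    for p in check_chain(USER_SHOW, ROLE_SHOW, PRIV_SHOW, EXPECTED_PERMS) or ["RBAC chain is complete"]:
        print(p)
```

On a real server, feed the script the captured output of the three `ipa ... -show` commands instead of the constructed strings.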

#11 Updated by Yama Kasi almost 2 years ago

Dmitri Dolguikh wrote:

Could you check that:
- "Smart Proxy Host Management" privilege (created by foreman-prepare-realm) has permissions defined between lines 56-62 here: https://github.com/theforeman/smart-proxy/blob/develop/sbin/foreman-prepare-realm#L56
- "Smart Proxy Host Manager" role has "Smart Proxy Host Management" privilege
- smart-proxy user account has "Smart Proxy Host Manager" role assigned to it

All seem to be in the right order.

#12 Updated by Dmitri Dolguikh almost 2 years ago

I couldn't replicate the bug when using freeipa 4.4.3 -- I was able to successfully create and delete a host.

#13 Updated by Yama Kasi almost 2 years ago

Rob Crittenden on the FreeIPA mailing list made something more clear it seems:

https://www.redhat.com/archives/freeipa-users/2017-March/msg00153.html

#14 Updated by Yama Kasi almost 2 years ago

I need to update this bug as it goes wrong when I update a host that didn't have a realm through Foreman but already exists in FreeIPA. So write or add is not good when editing a host; can someone test that?

#15 Updated by Yama Kasi almost 2 years ago

Other update: on a host add it doesn't work either.
