Bug #8926

foreman-prepare-realm on EL6 fails to set correct permissions for ipa-server-4

Added by Josh Baird over 4 years ago. Updated almost 2 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
-
Category:
Realm
Target version:
-
Triaged:
No

Description

When running the 'foreman-prepare-realm' script on an EL6 host against a FreeIPA/IdM 4 server, the script will set the incorrect permissions and cause the 'Add Host Enrollment' action to fail:

[Tue Jan 13 08:09:36.467528 2015] [:error] [pid 8158] ipa: INFO: [xmlserver] : host_add(u'imqa-d1-cl01.corp.follett.com', random=1, setattr=(u'userclass=role-corp-base',), force=1, version=u'2.51'): ACIError


Related issues

Related to Smart Proxy - Bug #18850: FreeIPA REALM > Insufficient 'add' privilege to the 'userPassword' attribute (Duplicate, 2017-03-08)

History

#1 Updated by Dominic Cleal over 4 years ago

  • Project changed from Foreman to Smart Proxy
  • Category changed from Realm to Realm

#2 Updated by Josh Baird over 4 years ago

Actual error in ipa log:

[Tue Jan 13 08:09:36.467641 2015] [:error] [pid 8158] ipa: DEBUG: response: ACIError: Insufficient access: Insufficient 'add' privilege to the 'userPassword' attribute

#3 Updated by Stephen Benjamin over 4 years ago

Thanks! Looks like I need to figure out the IPA server version based on 'ipa ping' instead of 'ipa --version'.

If anyone else comes here looking for a solution, for now copy foreman-prepare-realm to a server running IPA v4 tools (e.g. the IPA server itself), and run the script from there.
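The version check suggested in comment #3, sketched as an added example (not part of the thread and not code from foreman-prepare-realm): take the major version from `ipa ping`, which reports the server, rather than from `ipa --version`, which reports the local client tools. The function names and the sample outputs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: pick the IPA major version from the *server*, not the client tools.
# Function names are hypothetical; sample outputs below are constructed.

# Major version reported by the server in `ipa ping` output.
ipa_server_major() {
    printf '%s\n' "$1" |
        sed -n 's/^IPA server version \([0-9][0-9]*\)\..*/\1/p' | head -n 1
}

# Major version of the locally installed client tools (`ipa --version`).
ipa_client_major() {
    printf '%s\n' "$1" |
        sed -n 's/^VERSION: \([0-9][0-9]*\)\..*/\1/p' | head -n 1
}

# Print the major version to configure permissions for.
# Fails closed when the server version is unknown instead of trusting the client.
realm_target_major() {
    server=$(ipa_server_major "$1")
    client=$(ipa_client_major "$2")
    if [ -z "$server" ]; then
        echo "cannot determine IPA server version from 'ipa ping'" >&2
        return 1
    fi
    if [ -n "$client" ] && [ "$client" != "$server" ]; then
        echo "warning: client tools v$client, server v$server; using server" >&2
    fi
    printf '%s\n' "$server"
}

# Constructed sample: EL6 client tools (v3) talking to a v4 server.
SAMPLE_PING='-------------------------------------------
IPA server version 4.1.0. API version 2.112
-------------------------------------------'
SAMPLE_CLIENT='VERSION: 3.0.0, API_VERSION: 2.49'

# Prints the server major version; the mismatch warning goes to stderr.
realm_target_major "$SAMPLE_PING" "$SAMPLE_CLIENT"
```

On a real host the two arguments would be `"$(ipa ping)"` and `"$(ipa --version)"`, run with a valid Kerberos ticket.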

#4 Updated by Dmitri Dolguikh about 2 years ago

  • Related to Bug #18850: FreeIPA REALM > Insufficient 'add' privilege to the 'userPassword' attribute added

#5 Updated by Yama Kasi about 2 years ago

Stephen Benjamin wrote:

Thanks! Looks like I need to figure out the IPA server version based on 'ipa ping' instead of 'ipa --version'.

If anyone else comes here looking for a solution, for now copy foreman-prepare-realm to a server running IPA v4 tools (e.g. the IPA server itself), and run the script from there.

As this is my setup it didn't fix it. Any other solution for now?

#6 Updated by Dmitri Dolguikh about 2 years ago

You copied the script to the ipa server and executed it there, and it didn't fix the issue?

#7 Updated by Yama Kasi about 2 years ago

Dmitri Dolguikh wrote:

You copied the script to the ipa server and executed it there, and it didn't fix the issue?

The proxy is installed on the IPA server so it's run there.

#8 Updated by Michael Moll about 2 years ago

What's the status here?

#9 Updated by Michael Moll almost 2 years ago

  • Status changed from New to Resolved

no reaction, closing
