Bug #8926
closed
foreman-prepare-realm on EL6 fails to set correct permissions for ipa-server-4
Added by Josh Baird about 10 years ago.
Updated almost 8 years ago.
Description
When running the 'foreman-prepare-realm' script on an EL6 host against a FreeIPA/IdM 4 server, the script will set the incorrect permissions and cause the 'Add Host Enrollment' action to fail:
[Tue Jan 13 08:09:36.467528 2015] [:error] [pid 8158] ipa: INFO: [xmlserver] realm-proxy@QA-UNIX.FOLLETT.COM: host_add(u'imqa-d1-cl01.corp.follett.com', random=1, setattr=(u'userclass=role-corp-base',), force=1, version=u'2.51'): ACIError
- Project changed from Foreman to Smart Proxy
- Category changed from Realm to Realm
Actual error in ipa log:
[Tue Jan 13 08:09:36.467641 2015] [:error] [pid 8158] ipa: DEBUG: response: ACIError: Insufficient access: Insufficient 'add' privilege to the 'userPassword' attribute
Thanks! Looks like I need to figure out the IPA server version based on 'ipa ping' instead of 'ipa --version'.
If anyone else comes here looking for a solution, for now copy foreman-prepare-realm to a server running IPA v4 tools (e.g. the IPA server itself), and run the script from there.
- Related to Bug #18850: FreeIPA REALM > Insufficient 'add' privilege to the 'userPassword' attribute added
Stephen Benjamin wrote:
Thanks! Looks like I need to figure out the IPA server version based on 'ipa ping' instead of 'ipa --version'.
If anyone else comes here looking for a solution, for now copy foreman-prepare-realm to a server running IPA v4 tools (e.g. the IPA server itself), and run the script from there.
As this is my setup, it didn't fix it. Any other solution for now?
You copied the script to the ipa server and executed it there, and it didn't fix the issue?
Dmitri Dolguikh wrote:
You copied the script to the ipa server and executed it there, and it didn't fix the issue?
The proxy is installed on the IPA server so it's run there.
- Status changed from New to Resolved
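The version check discussed in the thread above, as an added example that is not part of the ticket or of the foreman-prepare-realm script: `ipa --version` reports the locally installed client tools, while `ipa ping` reports the server, so the server's answer decides which version to configure permissions for. The function names and the sample command output are constructed for illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper names): choose the IPA major version
# from what the server reports, not from the locally installed client tools.

# `ipa ping` reports the server, e.g.
#   "IPA server version 4.1.0. API version 2.112"
server_major() {
    printf '%s\n' "$1" |
        sed -n 's/.*IPA server version \([0-9][0-9]*\)\..*/\1/p' | head -n 1
}

# `ipa --version` reports the client tools, e.g.
#   "VERSION: 3.0.0, API_VERSION: 2.49"
client_major() {
    printf '%s\n' "$1" |
        sed -n 's/^VERSION: \([0-9][0-9]*\)\..*/\1/p' | head -n 1
}

# Print the major version to configure for. The server's answer wins;
# fail instead of guessing when the `ipa ping` output cannot be parsed.
realm_target_major() {
    srv=$(server_major "$1")
    cli=$(client_major "$2")
    if [ -z "$srv" ]; then
        echo "cannot determine IPA server version from 'ipa ping' output" >&2
        return 1
    fi
    if [ -n "$cli" ] && [ "$cli" != "$srv" ]; then
        echo "warning: client tools are v$cli, server is v$srv; using v$srv" >&2
    fi
    printf '%s\n' "$srv"
}

# Constructed sample output (not taken from the ticket): v3 client tools
# talking to a v4 server, the combination described in this bug.
SAMPLE_PING='------------------------------------------
IPA server version 4.1.0. API version 2.112
------------------------------------------'
SAMPLE_CLIENT='VERSION: 3.0.0, API_VERSION: 2.49'

realm_target_major "$SAMPLE_PING" "$SAMPLE_CLIENT"

# On a live host with a valid Kerberos ticket:
#   realm_target_major "$(ipa ping)" "$(ipa --version)"
```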