[Freeipa-users] Internal FreeIPA Administrators cannot search DNS records

nathan at nathanpeters.com
Mon Jun 8 18:59:55 UTC 2015


I am trying my best to figure out why any FreeIPA internal
'administrators' that I create cannot search DNS entries.

The builtin admin user can search and get results for DNS entries just
fine, but we would rather not share this account with every sysadmin in
our staff.

I have created a new role called "Super Admin".  On the privileges tab for
this role, I have added every single privilege in the 'Add' menu.  This
role now has all 29 privileges defined on the system.  However, even after
assigning a user to this role, and logging out and back in again, he
cannot search DNS entries.  He can see every DNS entry if he manually
pages through them one at a time (we have several thousand so this is not
workable as you would have to scroll through hundreds of pages).  The
problem is any search always returns zero entries.

I thought maybe something was missing so I created a new privilege called
"All privileges".  I then tried to add each individual permission to this
privilege.  I could only add 76 permissions.  All other permissions would
give the following error when I try to add them: "invalid 'permission':
cannot add permission "System: Read Automount Configuration" with bindtype
"anonymous" to a privilege"

I can see if I go to the permissions menu that there are actually 174
possible permissions so to only be able to add 76 of them seems really
strange.

So my questions are:
1) Why can a user with 'all' privileges not search DNS entries?
2) Why am I only able to add 76 out of the 174 permissions to a privilege?
3) Is there anything that can be done to allow a user that is not the
builtin 'admin' user to search DNS entries or actually be allotted all
permissions on the system?
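As an added illustration (not code from this thread or from FreeIPA itself), a small Python model of FreeIPA's user -> role -> privilege -> permission chain and of the bind rule type behind the quoted error: only permissions whose bindtype is "permission" can be members of a privilege, while "all" and "anonymous" permissions already apply to every authenticated (or every) bind and so cannot be delegated through a privilege. Apart from the permission named in the post, the permission names, bindtypes, user and role names below are constructed sample data.

```python
# Added example, not FreeIPA's own code: a toy model of the role/privilege/
# permission chain and of the bindtype rule enforced by privilege-add-permission.

class PrivilegeError(ValueError):
    """Mirrors the "invalid 'permission'" error quoted in the post."""

# ipapermbindruletype decides whom a permission's ACI applies to:
#   "permission": members of privileges that contain it (delegatable)
#   "all":        every authenticated user
#   "anonymous":  everyone, including unauthenticated binds
# Only bindtype "permission" entries can be members of a privilege.
PERMISSIONS = {
    "System: Read Automount Configuration": "anonymous",  # as quoted in the post
    "Sample: Read DNS Entries": "all",                    # constructed sample
    "Sample: Add DNS Entries": "permission",              # constructed sample
    "Sample: Remove DNS Entries": "permission",           # constructed sample
}

def add_permission_to_privilege(privileges, privilege, permission, perms=PERMISSIONS):
    """Add a permission to a privilege, refusing non-delegatable bindtypes."""
    bindtype = perms[permission]
    if bindtype != "permission":
        raise PrivilegeError(
            f"invalid 'permission': cannot add permission \"{permission}\" "
            f"with bindtype \"{bindtype}\" to a privilege")
    privileges.setdefault(privilege, set()).add(permission)

def addable_permissions(perms=PERMISSIONS):
    """The subset of permissions a privilege can actually contain."""
    return {name for name, bt in perms.items() if bt == "permission"}

def effective_permissions(user, user_roles, role_privileges, privileges,
                          perms=PERMISSIONS):
    """Everything a user ends up holding: global bindtypes plus role delegation."""
    granted = {name for name, bt in perms.items() if bt in ("all", "anonymous")}
    for role in user_roles.get(user, ()):
        for privilege in role_privileges.get(role, ()):
            granted |= privileges.get(privilege, set())
    return granted
```

The permissions that cannot be added are therefore not missing from the user; they are already in effect for everybody, which is why a privilege built from every addable permission still ends up with fewer members than the permission list shows.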
