[Freeipa-users] Internal FreeIPA Administrators cannot search DNS records

Martin Basti mbasti at redhat.com
Tue Jun 9 10:58:34 UTC 2015


On 08/06/15 20:59, nathan at nathanpeters.com wrote:
> I am trying my best to figure out why any FreeIPA internal
> 'administrators' that I create cannot search DNS entries.
>
> The builtin admin user can search and get results for DNS entries just
> fine, but we would rather not share this account with every sysadmin in
> our staff.
>
> I have created a new role called "Super Admin".  On the privileges tab for
> this user, I have added every single privilege in the 'Add' menu.  This
> role now has all 29 privileges defined on the system.  However, even after
> assigning a user to have this role, and logging out and back in again, he
> cannot search DNS entries.  He can see every DNS entry if he manually
> pages through them one at a time (we have several thousand so this is not
> workable as you would have to scroll through hundreds of pages).  The
> problem is any search always returns zero entries.
>
> I thought maybe something was missing so I created a new privilege called
> "All privileges".  I then tried to add each individual permission to this
> privilege.  I could only add 76 permissions.  All other permissions would
> give the following error when I try to add them: "invalid 'permission':
> cannot add permission "System: Read Automount Configuration" with bindtype
> "anonymous" to a privilege"
>
> I can see if I go to the permissions menu that there are actually 174
> possible permissions so to only be able to add 76 of them seems really
> strange.
>
> So my questions are:
> 1) Why can a user with 'all' privileges not search DNS entries?
> 2) Why am I only able to add 76 out of the 174 permissions to a privilege?
> 3) Is there anything that can be done to allow a user that is not the
> builtin 'admin' user to search DNS entries or actually be allotted all
> permissions on the system?
>
>
Hello,

Which version of IPA do you use?

I was able to find all zones with a new user on IPA 4.1.
I just added the 'DNS administrators' privilege for the new user.

Martin

-- 
Martin Basti



