[Freeipa-users] Internal FreeIPA Administrators cannot search DNS records

Martin Basti mbasti at redhat.com
Tue Jun 9 11:05:30 UTC 2015


On 09/06/15 12:58, Martin Basti wrote:
> On 08/06/15 20:59, nathan at nathanpeters.com wrote:
>> I am trying my best to figure out why any FreeIPA internal
>> 'administrators' that I create cannot search DNS entries.
>>
>> The builtin admin user can search and get results for DNS entries just
>> fine, but we would rather not share this account with every sysadmin on
>> our staff.
>>
>> I have created a new role called "Super Admin". On the privileges tab for
>> this user, I have added every single privilege in the 'Add' menu. This
>> role now has all 29 privileges defined on the system. However, even after
>> assigning a user to this role, and logging out and back in again, he
>> cannot search DNS entries. He can see every DNS entry if he manually
>> pages through them one at a time (we have several thousand, so this is not
>> workable as you would have to scroll through hundreds of pages). The
>> problem is that any search always returns zero entries.
>>
>> I thought maybe something was missing, so I created a new privilege called
>> "All privileges". I then tried to add each individual permission to this
>> privilege. I could only add 76 permissions. All other permissions would
>> give the following error when I tried to add them: "invalid 'permission':
>> cannot add permission "System: Read Automount Configuration" with bindtype
>> "anonymous" to a privilege"
>>
>> I can see if I go to the permissions menu that there are actually 174
>> possible permissions, so to only be able to add 76 of them seems really
>> strange.
>>
>> So my questions are:
>> 1) Why can a user with 'all' privileges not search DNS entries?
>> 2) Why am I only able to add 76 out of the 174 permissions to a
>> privilege?
>> 3) Is there anything that can be done to allow a user that is not the
>> builtin 'admin' user to search DNS entries or actually be allotted all
>> permissions on the system?
>>
>>
> Hello,
>
> Which version of IPA do you use?
>
> I was able to find all zones with a new user on IPA 4.1.
> I just added the 'DNS administrators' privilege for the new user.
>
> Martin
>

I reproduced this issue. IMO it is not related to permissions but to the
search command itself; I will investigate.

-- 
Martin Basti