<div dir="ltr">I saw in the upstream foreman-prepare-realm script that the new permission names should include a prefix "System: "<div>That Prefix is not there, what did change was that some permissions where no longer lower case only.</div><div>ie in 3.3.5 the permission is 'write dns configuration' and in 4.1 it becomes 'Write DNS Configuration'</div><div> </div><div>Rob</div></div><div class="gmail_extra"> <div class="gmail_quote">2014-11-05 16:25 GMT+01:00 Petr Spacek <<a href="mailto:pspacek@redhat.com" target="_blank">pspacek@redhat.com</a>>: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On 5.11.2014 16:20, Rob Verduijn wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> Hello, Yes I noticed the name change it took me a while to realise it was a known ruby bug in katello that caused the real problem. I also checked after I updated the 'katello integrated' update from 3.3.5 to 4.1 and the permissions were neatly renamed to their new counterparts. However the internal dns no longer worked :( </blockquote> So the permissions broke after upgrade to 4.1, right? pviktori, can you give us some advice? Thanks! Petr^2 Spacek <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> Rob 2014-11-05 16:17 GMT+01:00 Stephen Benjamin <<a href="mailto:stephen@redhat.com" target="_blank">stephen@redhat.com</a>>: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> On Wed, Nov 05, 2014 at 09:41:59AM -0500, Rob Crittenden wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> Also when I look at the permissions in ipa there are no longer any permissions that have the 'System: ' prefix. </blockquote> AFAIK the foreman proxy is not necessary (and not supported) with IPA 4.x because it was obsoleted by 'native' proxy delivered by Foreman upstream. Am I right, Rob (Crittenden)? :-) </blockquote> I believe he's referring to the native smart proxy here. It includes a script to setup permissions. I guess it hasn't been tested against a 4.x IPA master. </blockquote> The permissions have changed names in FreeIPA 4.0, which means the script won't work. I've tested this one against 4.1 on F21 and it works: <a href="https://raw.githubusercontent.com/stbenjam/smart-proxy/8278/sbin/foreman-prepare-realm" target="_blank">https://raw.githubusercontent.com/stbenjam/smart-proxy/8278/sbin/foreman-prepare-realm</a> There's an open pull request against foreman's Smart Proxy to include that in the next release: <a href="https://github.com/theforeman/smart-proxy/pull/231--" target="_blank">https://github.com/theforeman/smart-proxy/pull/231--</a> </blockquote></blockquote> Petr^2 Spacek -- Petr^2 Spacek -- Petr^2 Spacek -- Petr^2 Spacek -- Petr^2 Spacek -- Petr^2 Spacek -- Petr^2 Spacek -- Petr^2 Spacek -- Petr^2 Spacek -- Petr^2 Spacek -- Petr^2 Spacek -- Petr^2 Spacek -- Petr^2 Spacek -- Petr^2 Spacek -- Petr^2 Spacek -- Petr^2 Spacek -- Petr^2 Spacek -- Petr^2 Spacek -- Petr^2 Spacek -- Petr^2 Spacek -- Petr^2 Spacek -- Petr^2 Spacek -- Petr^2 Spacek -- Petr^2 Spacek -- Petr^2 Spacek -- Petr^2 Spacek -- Petr^2 Spacek -- Petr^2 Spacek -- Petr^2 Spacek -- Petr^2 Spacek -- Petr^2 Spacek -- Petr^2 Spacek -- Petr^2 Spacek -- Petr^2 Spacek -- Petr^2 Spacek -- Petr^2 Spacek -- Petr^2 Spacek -- Petr^2 Spacek </blockquote></div> </div>