On Tue, 26 Jul 2016, Alexander Bokovoy wrote:
On Tue, 26 Jul 2016, Martin Babinsky wrote:
> Fix for https://fedorahosted.org/freeipa/ticket/6097
>
> Since this issue was found during investigation of other ticket[1], you
> can test it by performing steps to reproduce #6041, but instead of
> internal error you should see the MidairCollision raised as public error
> with the right error message.
>
> [1] https://fedorahosted.org/freeipa/ticket/6041
I have a preliminary patch for slapi-nis to fix 6041 (attached).
Tested the slapi-nis patch:

# kinit administra...@ad.test
Password for administra...@ad.test:
# ipa idoverrideuser-find 'default trust view' administra...@ad.test --raw --all
--------------------------
1 User ID override matched
--------------------------
 dn: ipaanchoruuid=:SID:S-1-5-21-2275361654-3393353068-3720134936-500,cn=Default Trust View,cn=views,cn=accounts,dc=ipa,dc=ad,dc=test
 ipaanchoruuid: :SID:S-1-5-21-2275361654-3393353068-3720134936-500
 loginshell: /bin/bash
 ipaoriginaluid: administra...@ad.test
 objectclass: ipaOverrideAnchor
 objectclass: top
 objectclass: ipaUserOverride
 objectclass: ipasshuser
 objectclass: ipaSshGroupOfPubKeys
----------------------------
Number of entries returned 1
----------------------------
# ipa idoverrideuser-mod 'default trust view' administra...@ad.test --addattr='objectclass=nestedGroup'
ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'objectClass' attribute of entry 'ipaanchoruuid=:sid:s-1-5-21-2275361654-3393353068-3720134936-500,cn=default trust view,cn=views,cn=accounts,dc=ipa,dc=ad,dc=test'.
# klist -A
Ticket cache: KEYRING:persistent:0:0
Default principal: administra...@ad.test

Valid starting       Expires              Service principal
07/26/2016 18:45:46  07/27/2016 04:45:30  HTTP/f24-master.ipa.ad.t...@ipa.ad.test
        renew until 07/27/2016 18:45:27
07/26/2016 18:45:46  07/27/2016 04:45:30  krbtgt/ipa.ad.t...@ad.test
        renew until 07/27/2016 18:45:27
07/26/2016 18:45:30  07/27/2016 04:45:30  krbtgt/ad.t...@ad.test
        renew until 07/27/2016 18:45:27
# ipa idoverrideuser-mod 'default trust view' administra...@ad.test --desc='Administrator of a trusted domain'
----------------------------------------------------
Modified an User ID override "administra...@ad.test"
----------------------------------------------------
 Anchor to override: administra...@ad.test
 Description: Administrator of a trusted domain
 Login shell: /bin/bash

So no MidairCollision anymore and editing ID override as the AD user
associated with the override works for those attributes that are
allowed.

--
/ Alexander Bokovoy
