On Tue, 26 Jul 2016, Alexander Bokovoy wrote:
On Tue, 26 Jul 2016, Martin Babinsky wrote:
> Fix for https://fedorahosted.org/freeipa/ticket/6097
>
> Since this issue was found during investigation of other ticket[1], you
> can test it by performing steps to reproduce #6041, but instead of
> internal error you should see the MidairCollision raised as public error
> with the right error message.
>
> [1] https://fedorahosted.org/freeipa/ticket/6041
I have a preliminary patch for slapi-nis to fix 6041 (attached).
Tested the slapi-nis patch:

# kinit administra...@ad.test
Password for administra...@ad.test:
# ipa idoverrideuser-find 'default trust view' administra...@ad.test --raw --all
1 User ID override matched
Trust View,cn=views,cn=accounts,dc=ipa,dc=ad,dc=test
 ipaanchoruuid: :SID:S-1-5-21-2275361654-3393353068-3720134936-500
 loginshell: /bin/bash
 ipaoriginaluid: administra...@ad.test
 objectclass: ipaOverrideAnchor
 objectclass: top
 objectclass: ipaUserOverride
 objectclass: ipasshuser
 objectclass: ipaSshGroupOfPubKeys
Number of entries returned 1
# ipa idoverrideuser-mod 'default trust view' administra...@ad.test 
ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 
'objectClass' attribute of entry
trust view,cn=views,cn=accounts,dc=ipa,dc=ad,dc=test'.
# klist -A
Ticket cache: KEYRING:persistent:0:0
Default principal: administra...@ad.test

Valid starting       Expires              Service principal
07/26/2016 18:45:46  07/27/2016 04:45:30
        renew until 07/27/2016 18:45:27
07/26/2016 18:45:46  07/27/2016 04:45:30  krbtgt/ipa.ad.t...@ad.test
        renew until 07/27/2016 18:45:27
07/26/2016 18:45:30  07/27/2016 04:45:30  krbtgt/ad.t...@ad.test
        renew until 07/27/2016 18:45:27
# ipa idoverrideuser-mod 'default trust view' administra...@ad.test 
--desc='Administrator of a trusted domain'
Modified an User ID override "administra...@ad.test"
 Anchor to override: administra...@ad.test
 Description: Administrator of a trusted domain
 Login shell: /bin/bash

So no MidairCollision anymore and editing ID override as the AD user
associated with the override works for those attributes that are

/ Alexander Bokovoy
