I am trying my best to figure out why any FreeIPA internal 'administrators' that I create cannot search DNS entries.

The builtin admin user can search and get results for DNS entries just fine, but we would rather not share this account with every sysadmin in our staff. I have created a new role called "Super Admin". On the privileges tab for this user, I have added every single privilege in the 'Add' menu. This role now has all 29 privileges defined on the system. However, even after assigning a user to have this role, and logging out and back in again, he cannot search DNS entries. He can see every DNS entry if he manually pages through them one at a time (we have several thousand, so this is not workable as you would have to scroll through hundreds of pages). The problem is any search always returns zero entries.

I thought maybe something was missing, so I created a new privilege called "All privileges". I then tried to add each individual permission to this privilege. I could only add 76 permissions. All other permissions would give the following error when I try to add them:

"invalid 'permission': cannot add permission "System: Read Automount Configuration" with bindtype "anonymous" to a privilege"

I can see if I go to the permissions menu that there are actually 174 possible permissions, so to only be able to add 76 of them seems really strange.

So my questions are:

1) Why can a user with 'all' privileges not search DNS entries?
2) Why am I only able to add 76 out of the 174 permissions to a privilege?
3) Is there anything that can be done to allow a user that is not the builtin 'admin' user to search DNS entries or actually be allotted all permissions on the system?