On 09/06/15 12:58, Martin Basti wrote:
On 08/06/15 20:59, nat...@nathanpeters.com wrote:
I am trying my best to figure out why any FreeIPA internal
'administrators' that I create cannot search DNS entries.

The builtin admin user can search and get results for DNS entries just
fine, but we would rather not share this account with every sysadmin in
our staff.

I have created a new role called "Super Admin". On the privileges tab for
this user, I have added every single privilege in the 'Add' menu.  This
role now has all 29 privileges defined on the system. However, even after
assigning a user to have this role, and logging out and back in again, he
cannot search DNS entries.  He can see every dns entry if he manually
pages through them one at a time (we have several thousand so this is not
workable as you would have to scroll through hundreds of pages).  The
problem is any search always returns zero entries.

I thought maybe something was missing so I created a new privilege called
"All privileges". I then tried to add each individual permission to this
privilege. I could only add 76 permissions. All other permissions would
give the following error when I try to add them : "invalid 'permission':
cannot add permission "System: Read Automount Configuration" with bindtype
"anonymous" to a privilege"

I can see if I go to the permissions menu that there are actually 174
possible permissions so to only be able to add 76 of them seems really

So my questions are :
1) Why can a user with 'all' privileges not search DNS entries?
2) Why am I only able to add 76 out of the 174 permissions to a privilege?
3) Is there anything that can be done to allow a user that is not the
builtin 'admin' user to search dns entries or actually be allotted all
permissions on the system?


Which version of IPA do you use?

I was able to find all zones with new user on IPA 4.1.
I just add the 'DNS administrators' privilege for the new user.


I reproduced this issue. IMO it is not related to permissions, but to the search command itself. I will investigate.

Martin Basti

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project
