On 10.11.2016 12:08, lejeczek wrote:
>
> On 10/11/16 10:44, Petr Spacek wrote:
>> This is a non-standard situation so it asks for non-standard commands.
>>
>> I would try:
>> $ ipa privilege-mod 'DNS Servers'
>> --addattr=member=krbprincipalname=DNS/[email protected],cn=services,cn=xxcounts,dc=,dc=xx,dc=xx,dc=,dc=xx,dc=xx,dc=x'
>>
>> $ ipa privilege-mod 'DNS Servers'
>> --addattr=member=krbprincipalname=ipa-dnskeysyncd/[email protected],cn=services,cn=xxcounts,dc=,dc=xx,dc=xx,dc=,dc=xx,dc=xx,dc=x'
>>
>> Be very careful when constructing these DNs, --addattr does not validate the
>> input!
>
> well, I realize these can be trivial trifles, but man, you saved the... week!
> And to finish (hopefully) - maybe even more of a puzzle: how did it happen?
> This box member was fine, suddenly (I was recovering/reconnecting replication
> agreements), maybe not suddenly, but when I noticed at some point, it did
> that. It lost those LDAP bits?

Good question! I really do not know. You may dig into /var/log/dirsrv/* and
look for modifications in the privilege LDAP entry but that is the only advice
I have.

Please let us know if you find out how it happened.

-- 
Petr^2 Spacek
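Added example (not part of the original message and not FreeIPA project code): one way to follow the advice about /var/log/dirsrv/*, by listing write operations against the privilege entry together with the identity bound on that connection. It assumes the 389-ds access log layout and that the privilege lives at cn=DNS Servers,cn=privileges,cn=pbac under your suffix; the sample log lines, the dc=example,dc=test suffix and the name find_writes are constructed for illustration.

```python
import re

# Assumption: the privilege sits under cn=privileges,cn=pbac; the suffix is a placeholder.
TARGET_DN = "cn=DNS Servers,cn=privileges,cn=pbac,dc=example,dc=test"

# Constructed sample in the 389-ds access-log layout (not taken from the thread).
SAMPLE_LOG = """\
[10/Nov/2016:09:01:12 +0000] conn=41 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[10/Nov/2016:09:01:12 +0000] conn=41 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[10/Nov/2016:09:01:13 +0000] conn=41 op=1 MOD dn="cn=DNS Servers,cn=privileges,cn=pbac,dc=example,dc=test"
[10/Nov/2016:09:01:13 +0000] conn=41 op=1 RESULT err=0 tag=103 nentries=0 etime=0
[10/Nov/2016:09:02:40 +0000] conn=57 op=0 BIND dn="uid=admin,cn=users,cn=accounts,dc=example,dc=test" method=128 version=3
[10/Nov/2016:09:02:41 +0000] conn=57 op=2 MOD dn="cn=Other,cn=privileges,cn=pbac,dc=example,dc=test"
[10/Nov/2016:09:02:41 +0000] conn=57 op=2 RESULT err=0 tag=103 nentries=0 etime=0
[10/Nov/2016:09:02:45 +0000] conn=57 op=3 MOD dn="cn=dns servers,cn=privileges,cn=pbac,dc=example,dc=test"
[10/Nov/2016:09:02:45 +0000] conn=57 op=3 RESULT err=50 tag=103 nentries=0 etime=0
"""

LINE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) (?P<rest>.*)$')
BIND = re.compile(r'^BIND dn="(?P<dn>[^"]*)"')
WRITE = re.compile(r'^(?P<kind>ADD|MOD|MODRDN|DEL) dn="(?P<dn>[^"]*)"')
RESULT = re.compile(r'^RESULT err=(?P<err>\d+) tag=(?P<tag>\d+)(?:.* dn="(?P<dn>[^"]*)")?')

def find_writes(lines, target_dn=TARGET_DN):
    """Return write operations against target_dn with the bound identity and result code."""
    binds, pending, hits = {}, {}, []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        conn, key, rest = m["conn"], (m["conn"], m["op"]), m["rest"]
        if b := BIND.match(rest):
            binds[conn] = b["dn"] or "(anonymous or SASL)"
        # Simplification: DNs are compared case-insensitively, without full DN normalisation.
        elif (w := WRITE.match(rest)) and w["dn"].lower() == target_dn.lower():
            pending[key] = {"time": m["ts"], "op": w["kind"], "by": binds.get(conn, "(unknown)")}
        elif r := RESULT.match(rest):
            if r["tag"] == "97" and r["dn"]:  # bind response carries the resolved DN
                binds[conn] = r["dn"]
            elif key in pending:  # result of a write we are tracking
                hits.append({**pending.pop(key), "err": int(r["err"])})
    return hits

if __name__ == "__main__":
    for hit in find_writes(SAMPLE_LOG.splitlines()):
        print(hit)
```

The access log shows which entry was written, when, and by which bound identity, not which attribute values changed.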
