[Freeipa-users] Re: Insufficient 'delete' privilege

2017-06-23 Thread Sieferlinger, Andreas via FreeIPA-users
Hi,

so finally I managed to fix the issue.
The user used was ‘admin’; the ticket was a fresh one obtained immediately 
before the command.

After digging through many mails on this list I was pretty sure it had 
something to do with ACIs and them maybe not being re-added after an upgrade.
What I did to fix the issue was the following:

I used a slightly modified version of 
https://github.com/freeipa/freeipa/blob/master/install/share/replica-acis.ldif 
(changing the add to a replace) and loaded it onto the master.
Afterwards I was able to delete the replica and add a new one.

Although when running a “list-ruv” I still get some error messages (but also 
output of actual RUVs):

-snip-
ipa-replica-manage list-ruv
Directory Manager password:

unable to decode: {replica 7} 58456abc00040007 58456abc00040007
unable to decode: {replica 9} 578864f600010009 578864f600010009
Replica Update Vectors:
-snap-

So this is a different issue, but I would be glad if I somehow could remove 
these orphaned RUVs.


On 23.06.17, 15:36, "Rob Crittenden" wrote:

Sieferlinger, Andreas via FreeIPA-users wrote:
> Hi all,
> 
>  
> 
> after an upgrade from 4.1 to 4.4 (4.4.0-14.el7.centos.7) I have some
> trouble in changing replication agreements.
> 
>  
> 
> #ipa-replica-manage del auth4.example.com
> 
> 'auth9.example.com' has no replication agreement for 'auth4.example.com'
> 
> # ipa-replica-manage del auth4.example.com --force --clean
> 
> Cleaning a master is irreversible.
> 
> This should not normally be require, so use cautiously.
> 
> Continue to clean master? [no]: yes
> 
> Re-run /sbin/ipa-replica-manage with --verbose option to get more
> information
> 
> Unexpected error: Insufficient access: Insufficient 'delete' privilege
> to delete the entry
> 
> 'krbprincipalname=ldap/auth4.example@example.com,cn=services,cn=accounts,dc=example,dc=com'.
> 
>  
> 
> I suspect some missing ACLs that probably got lost during an update,
> although I do not know which and how to read.

What credentials do you currently have? klist will show you.

If you are admin, or a member of the admins group, then the output of
this will show what rights the user has:

$ ipa user-show --all --raw  |grep memberof

rob


___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org


[Freeipa-users] Re: Insufficient 'delete' privilege

2017-06-23 Thread Rob Crittenden via FreeIPA-users
Sieferlinger, Andreas via FreeIPA-users wrote:
> Hi all,
> 
>  
> 
> after an upgrade from 4.1 to 4.4 (4.4.0-14.el7.centos.7) I have some
> trouble in changing replication agreements.
> 
>  
> 
> #ipa-replica-manage del auth4.example.com
> 
> 'auth9.example.com' has no replication agreement for 'auth4.example.com'
> 
> # ipa-replica-manage del auth4.example.com --force --clean
> 
> Cleaning a master is irreversible.
> 
> This should not normally be require, so use cautiously.
> 
> Continue to clean master? [no]: yes
> 
> Re-run /sbin/ipa-replica-manage with --verbose option to get more
> information
> 
> Unexpected error: Insufficient access: Insufficient 'delete' privilege
> to delete the entry
> 'krbprincipalname=ldap/auth4.example@example.com,cn=services,cn=accounts,dc=example,dc=com'.
> 
>  
> 
> I suspect some missing ACLs that probably got lost during an update,
> although I do not know which and how to read.

What credentials do you currently have? klist will show you.

If you are admin, or a member of the admins group, then the output of
this will show what rights the user has:

$ ipa user-show --all --raw  |grep memberof

rob