Re: [Freeipa-users] Cannot add password policy SOLVED
On 09/03/2016 22:14, Rob Crittenden wrote:
> Bob Hinton wrote:
>> Hi,
>>
>> I've been trying to add a password policy for an existing user group
>> called "services" in IPA version 4.2.0.
>>
>> ipa pwpolicy-add services
>> ipa: ERROR: entry with name "services" already exists
>>
>> ipa pwpolicy-show services
>> ipa: ERROR: services: password policy not found
>>
>> ipa pwpolicy-del services
>> ipa: ERROR: services: password policy not found
>>
>> ipa pwpolicy-mod services
>> ipa: ERROR: services: password policy not found
>>
>> ipa pwpolicy-find
>> doesn't list it.
>>
>> As an experiment I've tried to add additional pwpolicy entries. If these
>> fail due to insufficient privileges then I get the same symptoms, so
>> it's possible that this is what happened with the services pwpolicy.
>>
>> How do I correct this situation?
>>
>> Many thanks
> I'd use ldapsearch to narrow things down. A group-based password policy
> consists of two entries so I'd look in both:
>
> $ kinit admin
> $ ldapsearch -Y GSSAPI -b cn=costemplates,cn=accounts,dc=example,dc=com
> $ ldapsearch -Y GSSAPI -b cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com
> '(objectclass=krbPwdPolicy)'
>
> There could, for example, be a replication conflict entry.
>
> rob
> .
>

Hi Rob,

The culprit turned out to be a "cn=costemplates,cn=accounts,..." record.
Attempting to create a pwpolicy that failed with a permissions error
created a costemplates record, but not the corresponding
"cn=DOMAIN,cn=kerberos,..." record. After removing the offending record
with ldapdelete I could create the pwpolicy entry.

Many thanks

Bob Hinton

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
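
The mismatch diagnosed in the message above, a costemplates record with no corresponding krbPwdPolicy record, can be checked mechanically from the output of the two ldapsearch commands. The script below is an added example, not part of the thread and not FreeIPA code. It assumes each costemplates entry carries a krbPwdPolicyReference attribute naming its policy entry; the function names are hypothetical and the sample LDIF is constructed.

```shell
#!/bin/sh
# Added example: list costemplates entries whose krbPwdPolicyReference
# names no existing krbPwdPolicy entry (DNs compared case-insensitively).
# Assumption: the reference attribute is krbPwdPolicyReference.
# Base64-encoded (attr::) values are not decoded.

# Join LDIF continuation lines (a line starting with one space).
unfold_ldif() {
    awk '/^ / { buf = buf substr($0, 2); next }
         NR > 1 { print buf }
         { buf = $0 }
         END { if (NR) print buf }' "$1"
}

# $1 = LDIF from the costemplates search, $2 = LDIF from the krbPwdPolicy search.
find_orphan_costemplates() {
    { unfold_ldif "$2"; echo '#--costemplates--'; unfold_ldif "$1"; } | awk '
        /^#--costemplates--$/ { in_cos = 1; next }
        { key = tolower($0); sub(/:.*$/, "", key)
          val = $0;          sub(/^[^:]*:[ ]*/, "", val)
          lval = tolower(val) }
        !in_cos && key == "dn" { policy[lval] = 1; next }
        in_cos && key == "dn" { dn = val; next }
        in_cos && key == "krbpwdpolicyreference" && !(lval in policy) { print dn }'
}

# Constructed sample data; entry names are simplified and hypothetical.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/cos.ldif" <<'EOF'
dn: cn=services-cos,cn=costemplates,cn=accounts,dc=example,dc=com
krbPwdPolicyReference: cn=services,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com

dn: cn=admins-cos,cn=costemplates,cn=accounts,dc=example,dc=com
krbPwdPolicyReference: cn=admins,cn=EXAMPLE.COM,cn=kerberos,
 dc=example,dc=com
EOF
cat > "$SAMPLE_DIR/policy.ldif" <<'EOF'
dn: cn=admins,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com
objectClass: krbPwdPolicy
EOF

# Prints the DN of the costemplates entry that has no policy entry.
find_orphan_costemplates "$SAMPLE_DIR/cos.ldif" "$SAMPLE_DIR/policy.ldif"
```

To use it on a live server, redirect the output of each of the two ldapsearch commands to a file and pass the costemplates file first.
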
Re: [Freeipa-users] Cannot add password policy
Bob Hinton wrote:
> Hi,
>
> I've been trying to add a password policy for an existing user group
> called "services" in IPA version 4.2.0.
>
> ipa pwpolicy-add services
> ipa: ERROR: entry with name "services" already exists
>
> ipa pwpolicy-show services
> ipa: ERROR: services: password policy not found
>
> ipa pwpolicy-del services
> ipa: ERROR: services: password policy not found
>
> ipa pwpolicy-mod services
> ipa: ERROR: services: password policy not found
>
> ipa pwpolicy-find
> doesn't list it.
>
> As an experiment I've tried to add additional pwpolicy entries. If these
> fail due to insufficient privileges then I get the same symptoms, so
> it's possible that this is what happened with the services pwpolicy.
>
> How do I correct this situation?
>
> Many thanks

I'd use ldapsearch to narrow things down. A group-based password policy
consists of two entries so I'd look in both:

$ kinit admin
$ ldapsearch -Y GSSAPI -b cn=costemplates,cn=accounts,dc=example,dc=com
$ ldapsearch -Y GSSAPI -b cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com '(objectclass=krbPwdPolicy)'

There could, for example, be a replication conflict entry.

rob
[Freeipa-users] Cannot add password policy
Hi,

I've been trying to add a password policy for an existing user group
called "services" in IPA version 4.2.0.

ipa pwpolicy-add services
ipa: ERROR: entry with name "services" already exists

ipa pwpolicy-show services
ipa: ERROR: services: password policy not found

ipa pwpolicy-del services
ipa: ERROR: services: password policy not found

ipa pwpolicy-mod services
ipa: ERROR: services: password policy not found

ipa pwpolicy-find
doesn't list it.

As an experiment I've tried to add additional pwpolicy entries. If these
fail due to insufficient privileges then I get the same symptoms, so
it's possible that this is what happened with the services pwpolicy.

How do I correct this situation?

Many thanks

Bob Hinton