On 09/03/2016 22:14, Rob Crittenden wrote:
> Bob Hinton wrote:
>> Hi,
>>
>> I've been trying to add a password policy for an existing user group
>> called "services" in IPA version 4.2.0.
>>
>> ipa pwpolicy-add services
>> ipa: ERROR: entry with name "services" already exists
>>
>> ipa pwpolicy-show services
>> ipa: ERROR: services: password policy not found
>>
>> ipa pwpolicy-del services
>> ipa: ERROR: services: password policy not found
>>
>> ipa pwpolicy-mod services
>> ipa: ERROR: services: password policy not found
>>
>> ipa pwpolicy-find
>> doesn't list it.
>>
>> As an experiment I've tried to add additional pwpolicy entries. If these
>> fail due to insufficient privileges then I get the same symptoms, so
>> it's possible that this is what happened with the services pwpolicy.
>>
>> How do I correct this situation?
>>
>> Many thanks
> I'd use ldapsearch to narrow things down. A group-based password policy
> consists of two entries so I'd look in both:
>
> $ kinit admin
> $ ldapsearch -Y GSSAPI -b cn=costemplates,cn=accounts,dc=example,dc=com
> $ ldapsearch -Y GSSAPI -b cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com '(objectclass=krbPwdPolicy)'
>
> There could, for example, be a replication conflict entry.
>
> rob
Hi Rob,

The culprit turned out to be a "cn=costemplates,cn=accounts,..." record.
Attempting to create a pwpolicy that failed with a permissions error
created a costemplates record, but not the corresponding
"cn=DOMAIN,cn=kerberos,..." record.

After removing the offending record with ldapdelete I could create the
pwpolicy entry.

Many thanks

Bob Hinton
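
The check described in this thread, as an added example that is not part of the original messages: it compares the output of the two ldapsearch queries and reports costemplates entries with no matching Kerberos policy entry, plus replication conflict entries. It assumes the two entries are linked through the costemplates entry's krbPwdPolicyReference attribute and that 389 Directory Server conflict entries carry an nsuniqueid= component in their DN; all sample LDIF is constructed.

```python
# Added example, not from the thread. Input is LDIF text as printed by
# `ldapsearch -o ldif-wrap=no` (no folded lines). Sample data is constructed.
SUFFIX = "dc=example,dc=com"
KRB = "cn=EXAMPLE.COM,cn=kerberos," + SUFFIX
COS = "cn=costemplates,cn=accounts," + SUFFIX

COS_LDIF = f"""\
dn: cn="cn=admins,{KRB}",{COS}
objectClass: cosTemplate
krbPwdPolicyReference: cn=admins,{KRB}

dn: cn="cn=services,{KRB}",{COS}
objectClass: cosTemplate
krbPwdPolicyReference: cn=services,{KRB}
"""
KRB_LDIF = f"""\
dn: cn=admins,{KRB}
objectClass: krbPwdPolicy

dn: nsuniqueid=0a1b2c3d-11111111-22222222-33333333+cn=legacy,{KRB}
objectClass: krbPwdPolicy
"""

def parse_ldif(text):
    """Split LDIF into entries: dict of lowercased attribute -> list of values."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, sep, value = line.partition(": ")
            if sep and not line.startswith("#"):
                entry.setdefault(attr.lower(), []).append(value.strip())
        if "dn" in entry:  # skips ldapsearch comment-only blocks
            entries.append(entry)
    return entries

def norm(dn):
    """Case- and whitespace-insensitive DN comparison key."""
    return ",".join(part.strip() for part in dn.lower().split(","))

def find_problems(cos_ldif, krb_ldif):
    """Return (orphaned cosTemplate DNs, replication-conflict DNs)."""
    cos, krb = parse_ldif(cos_ldif), parse_ldif(krb_ldif)
    policies = {norm(e["dn"][0]) for e in krb}
    orphans = [e["dn"][0] for e in cos
               for ref in e.get("krbpwdpolicyreference", [])
               if norm(ref) not in policies]
    conflicts = [e["dn"][0] for e in cos + krb
                 if "nsuniqueid=" in e["dn"][0].lower()]
    return orphans, conflicts

if __name__ == "__main__":
    print(find_problems(COS_LDIF, KRB_LDIF))
```

An orphan reported here corresponds to the situation Bob describes: the costemplates half exists, so pwpolicy-add reports a duplicate, while the Kerberos half is missing, so show, mod and del find nothing.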
