Sieferlinger, Andreas via FreeIPA-users wrote:
Hi all,
After an upgrade from 4.1 to 4.4 (4.4.0-14.el7.centos.7) I have some trouble changing replication agreements.
# ipa-replica-manage del auth4.example.com
'auth9.example.com' has no replication agreement for 'auth4.example.com'
# ipa-replica-manage del auth4.example.com --force --clean
Cleaning a master is irreversible.
This should not normally be require, so use cautiously.
Continue to clean master? [no]: yes
Re-run /sbin/ipa-replica-manage with --verbose option to get more information
Unexpected error: Insufficient access: Insufficient 'delete' privilege to delete the entry 'krbprincipalname=ldap/auth4.example.com@example.com,cn=services,cn=accounts,dc=example,dc=com'.
I suspect some missing ACLs that probably got lost during an update, although I do not know which ones or how to read them.

What credentials do you currently have? klist will show you.
If you are admin, or a member of the admins group, then the output of this will show what rights the user has:
$ ipa user-show --all --raw <your user> |grep memberof
rob