Hi all,
after an upgrade from 4.1 to 4.4 (4.4.0-14.el7.centos.7) I have some trouble in changing replication agreements.

#ipa-replica-manage del auth4.example.com
'auth9.example.com' has no replication agreement for 'auth4.example.com'
# ipa-replica-manage del auth4.example.com --force --clean
Cleaning a master is irreversible.
This should not normally be require, so use cautiously.
Continue to clean master? [no]: yes
Re-run /sbin/ipa-replica-manage with --verbose option to get more information
Unexpected error: Insufficient access: Insufficient 'delete' privilege to delete the entry 'krbprincipalname=ldap/auth4.example.com@example.com,cn=services,cn=accounts,dc=example,dc=com'.

I suspect some missing ACLs that probably got lost during an update, although I do not know which ones, or how to read them.
Any help would be appreciated.
Andreas Sieferlinger Site Reliability Engineer
glomex GmbH A Company of ProSiebenSat.1 Media SE
Sieferlinger, Andreas via FreeIPA-users wrote:
> Hi all,
>
> after an upgrade from 4.1 to 4.4 (4.4.0-14.el7.centos.7) I have some trouble in changing replication agreements.
>
> #ipa-replica-manage del auth4.example.com
> 'auth9.example.com' has no replication agreement for 'auth4.example.com'
> # ipa-replica-manage del auth4.example.com --force --clean
> Cleaning a master is irreversible.
> This should not normally be require, so use cautiously.
> Continue to clean master? [no]: yes
> Re-run /sbin/ipa-replica-manage with --verbose option to get more information
> Unexpected error: Insufficient access: Insufficient 'delete' privilege to delete the entry 'krbprincipalname=ldap/auth4.example.com@example.com,cn=services,cn=accounts,dc=example,dc=com'.
>
> I suspect some missing ACLs that probably got lost during an update, although I do not know which ones, or how to read them.
What credentials do you currently have? klist will show you.
If you are admin, or a member of the admins group, then the output of this will show what rights the user has:
$ ipa user-show --all --raw <your user> |grep memberof
rob
Hi,
so finally I managed to fix the issue. The user used was 'admin'; the ticket was a fresh one obtained immediately before running the command.

After digging through many mails on this list I was pretty sure it had something to do with ACIs and them maybe not being re-added after an upgrade. What I did to fix the issue was the following:

I used a slightly modified version of https://github.com/freeipa/freeipa/blob/master/install/share/replica-acis.ld... (changing the add to a replace) and loaded it onto the master. Afterwards I was able to delete the replica and add a new one.

Although when running a "list-ruv" I still get some error messages (but also output of actual RUVs):

-snip-
ipa-replica-manage list-ruv
Directory Manager password:
unable to decode: {replica 7} 58456abc000400070000 58456abc000400070000
unable to decode: {replica 9} 578864f6000100090000 578864f6000100090000
Replica Update Vectors:
-snap-

So this is a different issue, but I would be glad if I could somehow remove these orphaned RUVs.
On 23.06.17, 15:36, "Rob Crittenden" rcritten@redhat.com wrote:

> Sieferlinger, Andreas via FreeIPA-users wrote:
> > Hi all,
> >
> > after an upgrade from 4.1 to 4.4 (4.4.0-14.el7.centos.7) I have some
> > trouble in changing replication agreements.
> >
> > #ipa-replica-manage del auth4.example.com
> > 'auth9.example.com' has no replication agreement for 'auth4.example.com'
> > # ipa-replica-manage del auth4.example.com --force --clean
> > Cleaning a master is irreversible.
> > This should not normally be require, so use cautiously.
> > Continue to clean master? [no]: yes
> > Re-run /sbin/ipa-replica-manage with --verbose option to get more
> > information
> > Unexpected error: Insufficient access: Insufficient 'delete' privilege
> > to delete the entry
> > 'krbprincipalname=ldap/auth4.example.com@example.com,cn=services,cn=accounts,dc=example,dc=com'.
> >
> > I suspect some missing ACLs that probably got lost during an update,
> > although I do not know which ones, or how to read them.
>
> What credentials do you currently have? klist will show you.
>
> If you are admin, or a member of the admins group, then the output of this will show what rights the user has:
>
> $ ipa user-show --all --raw <your user> |grep memberof
>
> rob
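Added here as a worked illustration, not code from the thread or from FreeIPA itself: the "unable to decode" lines in the list-ruv output above carry 389-ds CSNs, whose 20 hex digits encode a timestamp (8), a sequence number (4), the originating replica ID (4) and a sub-sequence (4). Parsing them shows which replica IDs the orphaned RUV elements belong to and when they last changed, and cross-checks the ID printed in "{replica N}" against the one inside the CSN. The sample input is constructed from the two lines quoted in the thread; the parsing helpers are hypothetical names of my own.

```python
"""Decode the CSNs in `ipa-replica-manage list-ruv` output to map orphaned
RUV elements back to their replica IDs and last-seen times."""
import re
from datetime import datetime, timezone

# Constructed sample, copied from the list-ruv output quoted in the thread.
SAMPLE_OUTPUT = """\
unable to decode: {replica 7} 58456abc000400070000 58456abc000400070000
unable to decode: {replica 9} 578864f6000100090000 578864f6000100090000
Replica Update Vectors:
"""

CSN_RE = re.compile(r"^[0-9a-f]{20}$")
UNDECODED_RE = re.compile(r"^unable to decode: \{replica (\d+)\} (\S+) (\S+)$")


def decode_csn(csn):
    """Split a 389-ds CSN into its fields: 8 hex chars of Unix timestamp,
    4 hex sequence, 4 hex replica id, 4 hex sub-sequence."""
    csn = csn.lower()
    if not CSN_RE.match(csn):
        raise ValueError(f"not a CSN: {csn!r}")
    return {
        "time": datetime.fromtimestamp(int(csn[0:8], 16), tz=timezone.utc),
        "seq": int(csn[8:12], 16),
        "replica_id": int(csn[12:16], 16),
        "subseq": int(csn[16:20], 16),
    }


def orphaned_ruvs(output):
    """Return one record per 'unable to decode' line.  The replica id printed
    by list-ruv is compared with the id embedded in the max CSN, so a mismatch
    (a corrupt or hand-edited RUV) is visible before any cleanup decision."""
    found = []
    for line in output.splitlines():
        m = UNDECODED_RE.match(line.strip())
        if not m:
            continue
        rid, _min_csn, max_csn = int(m.group(1)), m.group(2), m.group(3)
        hi = decode_csn(max_csn)
        found.append({
            "replica_id": rid,
            "csn_replica_id": hi["replica_id"],
            "consistent": hi["replica_id"] == rid,
            "last_change": hi["time"],
        })
    return found


if __name__ == "__main__":
    for r in orphaned_ruvs(SAMPLE_OUTPUT):
        print(f"replica {r['replica_id']}: last change {r['last_change']:%Y-%m-%d}"
              f" (CSN replica id {r['csn_replica_id']}, consistent={r['consistent']})")
```

For the sample this reports replica 7 last changed in December 2016 and replica 9 in July 2016; those replica IDs are the argument that ipa-replica-manage's clean-ruv subcommand takes, which is worth confirming against the current list of masters before removing anything.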