I don't know if this is expected or not. It could be intentional:
```
# kinit dnsadmin
...
# ipa dnszone-add-permission 128/25.0.168.192.in-arpa
ipa: ERROR: Insufficient access: Insufficient 'add' privilege to add the entry 'cn=Manage DNS zone 128/25.0.168.192.in-arpa.,cn=permissions,cn=pbac,dc=ipa,dc=example'.
# ipa user-show dnsadmin
  User login: dnsadmin
  First name: d
  Last name: d
  Home directory: /home/dnsadmin
  Login shell: /bin/sh
  Email address: dnsadmin@ipa.example
  UID: 370600003
  GID: 370600003
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Indirect Member of role: dns majster
  Kerberos keys available: True
# ipa role-show "DNS majster"
  Role name: DNS majster
  Description: .
  Member users: dnsadmin
  Privileges: DNS Administrators
```
DNS per-zone permissions need some love. For example it's impossible to add "*" in a permission name; special zones might need that.
This is not a priority for the next release, pushing it out. Help welcome!

Metadata Update from @pspacek:
- Issue assigned to someone
- Issue set to the milestone: Future Releases
Thank you for taking the time to submit this request for FreeIPA. Unfortunately this bug was not given priority and the team lacks the capacity to work on it at this time.

Given that we are unable to fulfil this request I am closing the issue as wontfix. To request reconsideration of this decision please reopen this issue and provide additional technical details about its importance to you.

Metadata Update from @rcritten:
- Issue close_status updated to: wontfix
- Issue status updated to: Closed (was: Open)