Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1543182
Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.
Description of problem:

After migrating IPA from version 3.0 to version 4.0, "ipa privilege-show" does not have any permissions that were existing before migration.

After migration to IPA v4.0
----------------------------
~~~
$ ipa privilege-show 'IPA Access Admins'
Privilege name: IPA Access Admins
Description: Access Control Unit
Permissions: add users, add user to default group, remove users, modify users, manage user ssh public keys, add groups, remove groups, modify groups, modify group membership, add hostgroups, remove hostgroups, modify hostgroups, modify hostgroup membership, add netgroups, remove netgroups, modify netgroups, modify netgroup membership
Granting privilege to roles: IPA Access Admins
~~~

Version-Release number of selected component (if applicable):

After migration to IPA v4.0
----------------------------
~~~
$ ipa privilege-show 'IPA Access Admins'
Privilege name: IPA Access Admins
Description: Access Control Unit
Granting privilege to roles: IPA Access Admins
~~~

How reproducible:

Steps to Reproduce:

1- Setup RHEL6.9 IdM server

2- Setup a sample custom role/privilege:
~~~
# ipa privilege-add dns-admin --desc="My custom admin privliges"
# ipa role-add dns-admin --desc="My custom admin role"
# ipa privilege-add-permission "dns-admin" --permission="add dns entries,Read DNS Entries,remove dns entries,update dns entries"
# ipa role-add-privilege dns-admin --privileges=dns-admin
~~~

3- Follow RHEL7 migration guide [1]

4- The permissions will disappear from the custom privilege, of course on both sides

[1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/migrate-6-to-7

Actual results: No permissions exist after the migration.

Expected results: Permissions stay intact on "privilege" after the migration.

Additional info:

* Is that a known issue?
* Any way to export/import custom roles/privileges as part of migration to RHEL7?
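A way to check for the symptom reported above is to compare `ipa privilege-show` output captured before and after the migration. The script below is an added example, not part of the ticket or of FreeIPA; the function names are hypothetical and the sample text is the output quoted in the description.

```python
# Added example (not from the ticket): diff the "Permissions" attribute of
# `ipa privilege-show` output captured before and after a migration.
# Function names are hypothetical; BEFORE/AFTER are the ticket's two outputs.

LIST_KEYS = ("Permissions", "Granting privilege to roles")

def parse_privilege(text):
    """Parse 'Key: value' lines into a dict; comma-separated attributes
    (LIST_KEYS) become lists of stripped names."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if not sep:
            continue  # blank line, separator or the echoed command
        key, value = key.strip(), value.strip()
        if key in LIST_KEYS:
            record[key] = [v.strip() for v in value.split(",") if v.strip()]
        else:
            record[key] = value
    return record

def lost_permissions(before_text, after_text):
    """Permissions present before but missing afterwards, in original order.
    Names are compared case-insensitively (a choice made for this example)."""
    before = parse_privilege(before_text).get("Permissions", [])
    after = {p.lower() for p in parse_privilege(after_text).get("Permissions", [])}
    return [p for p in before if p.lower() not in after]

BEFORE = """\
Privilege name: IPA Access Admins
Description: Access Control Unit
Permissions: add users, add user to default group, remove users, modify users, manage user ssh public keys, add groups, remove groups, modify groups, modify group membership, add hostgroups, remove hostgroups, modify hostgroups, modify hostgroup membership, add netgroups, remove netgroups, modify netgroups, modify netgroup membership
Granting privilege to roles: IPA Access Admins
"""

AFTER = """\
Privilege name: IPA Access Admins
Description: Access Control Unit
Granting privilege to roles: IPA Access Admins
"""

if __name__ == "__main__":
    missing = lost_permissions(BEFORE, AFTER)
    name = parse_privilege(BEFORE).get("Privilege name", "?")
    print(f"{name}: {len(missing)} permission(s) lost")
    for perm in missing:
        print(f"  - {perm}")
    raise SystemExit(1 if missing else 0)
```

Saving the output for each custom privilege on the old master before migrating gives the baseline to compare against; a non-zero exit status means at least one permission is gone.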
Metadata Update from @rcritten: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1543182
The migration from a 3.0 master to an IPA 4.x replica as described in "Migrating Identity Management from Red Hat Enterprise Linux 6 to Version 7" requires domain-level 0 in order to prepare a replica file.
FreeIPA upstream has deprecated domain-level 0 and will no longer support this use case. As a consequence, this ticket will be closed as Won't fix.
[1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/migrate-6-to-7
Metadata Update from @frenaud: - Issue close_status updated to: wontfix - Issue status updated to: Closed (was: Open)