#8455 ipaNTAdditionalSuffixes attribute is not writable for admin / cifs principals
Opened 3 years ago by abbra. Modified 3 years ago

Found in https://github.com/freeipa/ansible-freeipa/issues/340

[Mon Aug 10 10:29:53.474320 2020] [wsgi:error] [pid 19575:tid 140123149063936] [remote 10.2.0.89:57760] ipa: ERROR: Helper fetch_domains was called for forest corp.redacted-domain.com, return code is 1
[Mon Aug 10 10:29:53.474498 2020] [wsgi:error] [pid 19575:tid 140123149063936] [remote 10.2.0.89:57760] ipa: ERROR: Standard output from the helper:
[Mon Aug 10 10:29:53.474515 2020] [wsgi:error] [pid 19575:tid 140123149063936] [remote 10.2.0.89:57760] ---
[Mon Aug 10 10:29:53.474523 2020] [wsgi:error] [pid 19575:tid 140123149063936] [remote 10.2.0.89:57760] 
[Mon Aug 10 10:29:53.474627 2020] [wsgi:error] [pid 19575:tid 140123149063936] [remote 10.2.0.89:57760] ipa: ERROR: Error output from the helper:
[Mon Aug 10 10:29:53.474663 2020] [wsgi:error] [pid 19575:tid 140123149063936] [remote 10.2.0.89:57760] Traceback (most recent call last):
[Mon Aug 10 10:29:53.474672 2020] [wsgi:error] [pid 19575:tid 140123149063936] [remote 10.2.0.89:57760]   File "/usr/lib/python3.7/site-packages/ipapython/ipaldap.py", line 1076, in error_handler
[Mon Aug 10 10:29:53.474680 2020] [wsgi:error] [pid 19575:tid 140123149063936] [remote 10.2.0.89:57760]     yield
[Mon Aug 10 10:29:53.474706 2020] [wsgi:error] [pid 19575:tid 140123149063936] [remote 10.2.0.89:57760]   File "/usr/lib/python3.7/site-packages/ipapython/ipaldap.py", line 1697, in update_entry
[Mon Aug 10 10:29:53.474723 2020] [wsgi:error] [pid 19575:tid 140123149063936] [remote 10.2.0.89:57760]     self.conn.modify_s(str(entry.dn), modlist)
[Mon Aug 10 10:29:53.474730 2020] [wsgi:error] [pid 19575:tid 140123149063936] [remote 10.2.0.89:57760]   File "/usr/lib64/python3.7/site-packages/ldap/ldapobject.py", line 629, in modify_s
[Mon Aug 10 10:29:53.474738 2020] [wsgi:error] [pid 19575:tid 140123149063936] [remote 10.2.0.89:57760]     return self.modify_ext_s(dn,modlist,None,None)
[Mon Aug 10 10:29:53.474746 2020] [wsgi:error] [pid 19575:tid 140123149063936] [remote 10.2.0.89:57760]   File "/usr/lib64/python3.7/site-packages/ldap/ldapobject.py", line 602, in modify_ext_s
[Mon Aug 10 10:29:53.474753 2020] [wsgi:error] [pid 19575:tid 140123149063936] [remote 10.2.0.89:57760]     resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all=1,timeout=self.timeout)
[Mon Aug 10 10:29:53.474761 2020] [wsgi:error] [pid 19575:tid 140123149063936] [remote 10.2.0.89:57760]   File "/usr/lib64/python3.7/site-packages/ldap/ldapobject.py", line 749, in result3
[Mon Aug 10 10:29:53.474768 2020] [wsgi:error] [pid 19575:tid 140123149063936] [remote 10.2.0.89:57760]     resp_ctrl_classes=resp_ctrl_classes
[Mon Aug 10 10:29:53.474776 2020] [wsgi:error] [pid 19575:tid 140123149063936] [remote 10.2.0.89:57760]   File "/usr/lib64/python3.7/site-packages/ldap/ldapobject.py", line 756, in result4
[Mon Aug 10 10:29:53.474788 2020] [wsgi:error] [pid 19575:tid 140123149063936] [remote 10.2.0.89:57760]     ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
[Mon Aug 10 10:29:53.474804 2020] [wsgi:error] [pid 19575:tid 140123149063936] [remote 10.2.0.89:57760]   File "/usr/lib64/python3.7/site-packages/ldap/ldapobject.py", line 329, in _ldap_call
[Mon Aug 10 10:29:53.474818 2020] [wsgi:error] [pid 19575:tid 140123149063936] [remote 10.2.0.89:57760]     reraise(exc_type, exc_value, exc_traceback)
[Mon Aug 10 10:29:53.474831 2020] [wsgi:error] [pid 19575:tid 140123149063936] [remote 10.2.0.89:57760]   File "/usr/lib64/python3.7/site-packages/ldap/compat.py", line 44, in reraise
[Mon Aug 10 10:29:53.474846 2020] [wsgi:error] [pid 19575:tid 140123149063936] [remote 10.2.0.89:57760]     raise exc_value
[Mon Aug 10 10:29:53.474856 2020] [wsgi:error] [pid 19575:tid 140123149063936] [remote 10.2.0.89:57760]   File "/usr/lib64/python3.7/site-packages/ldap/ldapobject.py", line 313, in _ldap_call
[Mon Aug 10 10:29:53.474863 2020] [wsgi:error] [pid 19575:tid 140123149063936] [remote 10.2.0.89:57760]     result = func(*args,**kwargs)
[Mon Aug 10 10:29:53.474871 2020] [wsgi:error] [pid 19575:tid 140123149063936] [remote 10.2.0.89:57760] ldap.INSUFFICIENT_ACCESS: {'desc': 'Insufficient access', 'info': "Insufficient 'write' privilege to the 'ipaNTAdditionalSuffixes' attribute of entry 'cn=corp.redacted-domain.com,cn=ad,cn=trusts,dc=lx,dc=corp,dc=redacted-domain,dc=com'.\\n"}
[Mon Aug 10 10:29:53.474880 2020] [wsgi:error] [pid 19575:tid 140123149063936] [remote 10.2.0.89:57760] 
[Mon Aug 10 10:29:53.474887 2020] [wsgi:error] [pid 19575:tid 140123149063936] [remote 10.2.0.89:57760] During handling of the above exception, another exception occurred:
[Mon Aug 10 10:29:53.474895 2020] [wsgi:error] [pid 19575:tid 140123149063936] [remote 10.2.0.89:57760] 
[Mon Aug 10 10:29:53.474902 2020] [wsgi:error] [pid 19575:tid 140123149063936] [remote 10.2.0.89:57760] Traceback (most recent call last):
[Mon Aug 10 10:29:53.474915 2020] [wsgi:error] [pid 19575:tid 140123149063936] [remote 10.2.0.89:57760]   File "/usr/libexec/ipa/oddjob/com.redhat.idm.trust-fetch-domains", line 329, in <module>
[Mon Aug 10 10:29:53.474923 2020] [wsgi:error] [pid 19575:tid 140123149063936] [remote 10.2.0.89:57760]     trust.add_new_domains_from_trust(api, None, trust_domain_object, domains)
[Mon Aug 10 10:29:53.474931 2020] [wsgi:error] [pid 19575:tid 140123149063936] [remote 10.2.0.89:57760]   File "/usr/lib/python3.7/site-packages/ipaserver/plugins/trust.py", line 1747, in add_new_domains_from_trust
[Mon Aug 10 10:29:53.474939 2020] [wsgi:error] [pid 19575:tid 140123149063936] [remote 10.2.0.89:57760]     ldap.update_entry(entry)
[Mon Aug 10 10:29:53.474946 2020] [wsgi:error] [pid 19575:tid 140123149063936] [remote 10.2.0.89:57760]   File "/usr/lib/python3.7/site-packages/ipapython/ipaldap.py", line 1697, in update_entry
[Mon Aug 10 10:29:53.474954 2020] [wsgi:error] [pid 19575:tid 140123149063936] [remote 10.2.0.89:57760]     self.conn.modify_s(str(entry.dn), modlist)
[Mon Aug 10 10:29:53.474962 2020] [wsgi:error] [pid 19575:tid 140123149063936] [remote 10.2.0.89:57760]   File "/usr/lib64/python3.7/contextlib.py", line 130, in __exit__
[Mon Aug 10 10:29:53.474969 2020] [wsgi:error] [pid 19575:tid 140123149063936] [remote 10.2.0.89:57760]     self.gen.throw(type, value, traceback)
[Mon Aug 10 10:29:53.474977 2020] [wsgi:error] [pid 19575:tid 140123149063936] [remote 10.2.0.89:57760]   File "/usr/lib/python3.7/site-packages/ipapython/ipaldap.py", line 1102, in error_handler
[Mon Aug 10 10:29:53.474985 2020] [wsgi:error] [pid 19575:tid 140123149063936] [remote 10.2.0.89:57760]     raise errors.ACIError(info=info)
[Mon Aug 10 10:29:53.475023 2020] [wsgi:error] [pid 19575:tid 140123149063936] [remote 10.2.0.89:57760] ipalib.errors.ACIError: Insufficient access: Insufficient 'write' privilege to the 'ipaNTAdditionalSuffixes' attribute of entry 'cn=corp.redacted-domain.com,cn=ad,cn=trusts,dc=lx,dc=corp,dc=redacted-domain,dc=com'.
[Mon Aug 10 10:29:53.475032 2020] [wsgi:error] [pid 19575:tid 140123149063936] [remote 10.2.0.89:57760] --
[Mon Aug 10 10:29:53.475039 2020] [wsgi:error] [pid 19575:tid 140123149063936] [remote 10.2.0.89:57760] 
[Mon Aug 10 10:29:53.475335 2020] [wsgi:error] [pid 19575:tid 140123149063936] [remote 10.2.0.89:57760] ipa: INFO: [jsonserver_session] admin@LX.CORP.REDACTED-DOMAIN.COM: trust_fetch_domains('corp.redacted-domain.com', version='2.236'): ServerCommandError
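
An added example, not part of the ticket or of FreeIPA's code: a triage parser for the httpd error log format above that extracts each `ACIError` denial (right, attribute, entry DN) and pairs it with the API audit line naming the principal and command. The names `aci_denials` and `SAMPLE` are hypothetical, the sample lines are constructed from the log above, and the pairing assumes the audit line follows the traceback on the same pid/tid/remote, as it does here.

```python
import re

# Constructed sample: three lines taken from the log format shown in this ticket.
SAMPLE = """\
[Mon Aug 10 10:29:53.474985 2020] [wsgi:error] [pid 19575:tid 140123149063936] [remote 10.2.0.89:57760]     raise errors.ACIError(info=info)
[Mon Aug 10 10:29:53.475023 2020] [wsgi:error] [pid 19575:tid 140123149063936] [remote 10.2.0.89:57760] ipalib.errors.ACIError: Insufficient access: Insufficient 'write' privilege to the 'ipaNTAdditionalSuffixes' attribute of entry 'cn=corp.redacted-domain.com,cn=ad,cn=trusts,dc=lx,dc=corp,dc=redacted-domain,dc=com'.
[Mon Aug 10 10:29:53.475335 2020] [wsgi:error] [pid 19575:tid 140123149063936] [remote 10.2.0.89:57760] ipa: INFO: [jsonserver_session] admin@LX.CORP.REDACTED-DOMAIN.COM: trust_fetch_domains('corp.redacted-domain.com', version='2.236'): ServerCommandError
"""

# Log prefix: [timestamp] [wsgi:error] [pid N:tid N] [remote host:port] message
PREFIX = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[wsgi:error\] \[pid (?P<pid>\d+):tid (?P<tid>\d+)\] "
    r"\[remote (?P<remote>[^\]]+)\] ?(?P<msg>.*)$")
# Only the final ipalib ACIError line is matched, so the earlier raw
# ldap.INSUFFICIENT_ACCESS line for the same failure is not double-counted.
DENIAL = re.compile(
    r"ACIError: Insufficient access: Insufficient '(?P<right>\w+)' privilege "
    r"to the '(?P<attr>[^']+)' attribute of entry '(?P<dn>[^']+)'")
# Audit line: ipa: INFO: [interface] principal: command(args): result
CALL = re.compile(
    r"ipa: INFO: \[(?P<iface>\w+)\] (?P<principal>\S+): "
    r"(?P<command>\w+)\(.*\): (?P<result>\w+)$")


def aci_denials(log_text):
    """Return one dict per ACIError, joined to the next audit line of the same worker/client."""
    pending, events = {}, []
    for line in log_text.splitlines():
        m = PREFIX.match(line)
        if not m:
            continue  # not a wsgi error line
        key = (m["pid"], m["tid"], m["remote"])
        denial = DENIAL.search(m["msg"])
        if denial:
            pending.setdefault(key, []).append({"ts": m["ts"], **denial.groupdict()})
            continue
        call = CALL.match(m["msg"])
        if call:
            # Attribute every denial seen on this thread to the call that just finished.
            events.extend({**ev, **call.groupdict()} for ev in pending.pop(key, []))
    # Denials with no audit line (truncated log) are still reported, without a principal.
    events.extend(ev for evs in pending.values() for ev in evs)
    return events


if __name__ == "__main__":
    for event in aci_denials(SAMPLE):
        print(event)
```
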

Metadata Update from @abbra:
- Issue assigned to abbra
- Issue priority set to: critical
- Issue set to the milestone: FreeIPA 4.8.9

3 years ago
