We created an administrator and deleted admin. After that, ipa-server-upgrade failed.
```
2021-11-20T21:55:30Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2021-11-20T21:55:30Z DEBUG   File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 180, in execute
    return_value = self.run()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/ipa_server_upgrade.py", line 54, in run
    server.upgrade()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 1961, in upgrade
    upgrade_configuration()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 1836, in upgrade_configuration
    add_admin_root_alias()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 1375, in add_admin_root_alias
    api.Command.user_add_principal("admin", rootprinc)
  File "/usr/lib/python3.6/site-packages/ipalib/frontend.py", line 471, in __call__
    return self.__do_call(*args, **options)
  File "/usr/lib/python3.6/site-packages/ipalib/frontend.py", line 499, in __do_call
    ret = self.run(*args, **options)
  File "/usr/lib/python3.6/site-packages/ipalib/frontend.py", line 821, in run
    return self.execute(*args, **options)
  File "/usr/lib/python3.6/site-packages/ipaserver/plugins/baseldap.py", line 2465, in execute
    *keys, **options)
  File "/usr/lib/python3.6/site-packages/ipaserver/plugins/baseuser.py", line 777, in pre_callback
    ensure_krbcanonicalname_set(ldap, entry_attrs)
  File "/usr/lib/python3.6/site-packages/ipalib/util.py", line 1194, in ensure_krbcanonicalname_set
    ['krbcanonicalname', 'krbprincipalname', 'objectclass'])
  File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 1941, in get_entry
    dn, attrs_list, time_limit, size_limit, get_effective_rights
  File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 1644, in get_entry
    size_limit=size_limit, get_effective_rights=get_effective_rights,
  File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 1456, in get_entries
    **kwargs)
  File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 1594, in find_entries
    break
  File "/usr/lib64/python3.6/contextlib.py", line 99, in __exit__
    self.gen.throw(type, value, traceback)
  File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 1097, in error_handler
    raise errors.NotFound(reason=arg_desc or 'no such entry')
```
```python
# Upgrade step from ipaserver/install/server/upgrade.py (the frame at line 1375
# of the traceback). The imports and logger setup are what the function relies on.
import logging

import ipalib.errors
from ipalib import api

logger = logging.getLogger(__name__)


def add_admin_root_alias():
    """Make root principal an alias of admin

    Fix for CVE-2020-10747
    """
    rootprinc = "root@{}".format(api.env.realm)
    logger.info("[Add %s alias to admin account]", rootprinc)
    try:
        # Fails with NotFound when the 'admin' entry itself is missing
        api.Command.user_add_principal("admin", rootprinc)
    except ipalib.errors.DuplicateEntry:
        # root@REALM is already held by some other user: warn, do not move it
        results = api.Command.user_find(krbprincipalname=rootprinc)
        uid = results["result"][0]["uid"][0]
        logger.warning(
            "WARN: '%s' alias is assigned to user '%s'!", rootprinc, uid
        )
    except ipalib.errors.AlreadyContainsValueError:
        logger.info("Alias already exists")
    else:
        logger.info("Added '%s' alias to admin account", rootprinc)
```
When we commented out the following line of code, the upgrade works:

```python
api.Command.user_add_principal("admin", rootprinc)
```
FreeIPA does not support removing 'admin' user or 'admins' group.
Metadata Update from @abbra:
- Issue close_status updated to: invalid
- Issue status updated to: Closed (was: Open)
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_and_managing_identity_management/managing-user-accounts-using-the-idm-web-ui_configuring-and-managing-idm
WARNING Do not delete the admin user. As admin is a pre-defined user required by IdM, this operation causes problems with certain commands. If you want to define and use an alternative admin user, disable the pre-defined admin user with ipa user-disable admin after you granted admin permissions to at least one different user.
How can I add the admin user? Like other administrators?
I think FreeIPA should disable the function to delete the user admin.
It is a bit complicated. Attached is an update file that needs to be modified before applying it.
Please run on the initial master:

```
# ipa idrange-show EXAMPLE.COM_id_range
```

where EXAMPLE.COM is replaced by your realm name.

It should display an ID range assigned to this master. Something like

```
  Range name: EXAMPLE.COM_id_range
  First Posix ID of the range: 1536000000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range
```
Take the value from 'First Posix ID of the range' and replace the string VALUE in the attached file with it. E.g., replace

```
default: uidNumber: VALUE
```

with

```
default: uidNumber: 1536000000
```

and the same for gidNumber.
After that, change the domain SID value to the one that you have in the output of `ipa trustconfig-show`, prepended with `-500`, like in the attached file.
If you do not have that one, you should remove the `ipaNTSecurityIdentifier` and `ipaNTUserAttrs` lines from the file before using it.
After that, apply the update file:

```
# ipa-ldap-updater ./80-admin-user.update
```
This should create an admin user with the correct uidNumber and SID.
After that, you need to add the 'admin' user to the admins group with

```
# ipa group-add-member admins --users=admin
```
If you had a SID for your domain, re-run ipa-adtrust-install:

```
# ipa-adtrust-install --add-sids
```
Then verify that admins group has a SID ending with -512, like before.
Attachment: 80-admin-user.update (/freeipa/issue/raw/files/f5fb0cb6ef09fe784485ba7166f8be0e51b2591de901a935b94a23281c372233-80-admin-user.update)
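As an added example of the substitution steps in the comment above (not code from the ticket, and not part of FreeIPA itself), the POSIX shell snippet below pulls the "First Posix ID of the range" out of `ipa idrange-show` output, pulls the domain SID out of `ipa trustconfig-show` output, and fills in the placeholders of an update-file template: VALUE becomes the Posix ID, the SID becomes `<domain SID>-500`, and when there is no SID the `ipaNTSecurityIdentifier` and `ipaNTUserAttrs` lines are dropped. Everything it reads is constructed inline: the two command outputs are samples, the template is a stand-in for the attached 80-admin-user.update (whose real content is not on this page), and the "Security Identifier" field label matched in trustconfig-show output is an assumption.

```shell
#!/bin/sh
# Added example, not from the FreeIPA ticket or project: mechanise the
# placeholder edits for the ipa-ldap-updater file described in the thread.

# Constructed sample of `ipa idrange-show EXAMPLE.COM_id_range` output.
IDRANGE_OUT='  Range name: EXAMPLE.COM_id_range
  First Posix ID of the range: 1536000000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range'

# Constructed sample of `ipa trustconfig-show` output; the field label is an
# assumption about its format and the SID value is made up.
TRUSTCONFIG_OUT='  Domain name: example.com
  Domain NetBIOS name: EXAMPLE
  Domain Security Identifier: S-1-5-21-111-222-333'

# Constructed stand-in for the attached 80-admin-user.update (not its real
# content). VALUE and the SID line are the placeholders the thread says to edit.
TEMPLATE='dn: uid=admin,cn=users,cn=accounts,$SUFFIX
default: uidNumber: VALUE
default: gidNumber: VALUE
default: objectClass: ipaNTUserAttrs
default: ipaNTSecurityIdentifier: S-1-5-21-PLACEHOLDER-500'

# Print the "First Posix ID of the range" value from idrange-show output.
first_posix_id() {
    printf '%s\n' "$1" \
        | sed -n 's/.*First Posix ID of the range: *\([0-9][0-9]*\).*/\1/p' \
        | head -n 1
}

# Print the domain SID from trustconfig-show output; prints nothing when the
# server has no SID yet (ipa-adtrust-install never run).
domain_sid() {
    printf '%s\n' "$1" \
        | sed -n 's/.*Security Identifier: *\(S-[0-9][-0-9]*\).*/\1/p' \
        | head -n 1
}

# Render the update file: $1 template, $2 Posix ID, $3 domain SID (may be empty).
# With a SID, admin gets <SID>-500 (RID 500 is the well-known Administrator RID);
# without one, the ipaNTSecurityIdentifier and ipaNTUserAttrs lines are dropped.
render_update() {
    template="$1"; posix_id="$2"; sid="$3"
    if [ -n "$sid" ]; then
        printf '%s\n' "$template" \
            | sed -e "s/VALUE/$posix_id/g" \
                  -e "s/^\(default: ipaNTSecurityIdentifier: \).*/\1$sid-500/"
    else
        printf '%s\n' "$template" \
            | sed -e "s/VALUE/$posix_id/g" \
                  -e '/ipaNTSecurityIdentifier/d' \
                  -e '/ipaNTUserAttrs/d'
    fi
}

# Demo on the constructed samples. On a real master feed the functions
# "$(ipa idrange-show EXAMPLE.COM_id_range)" and "$(ipa trustconfig-show)"
# and redirect the result to 80-admin-user.update before running ipa-ldap-updater.
render_update "$TEMPLATE" "$(first_posix_id "$IDRANGE_OUT")" "$(domain_sid "$TRUSTCONFIG_OUT")"
```

The rendered file is only the input to `ipa-ldap-updater`; the group membership (`ipa group-add-member admins --users=admin`) and the `ipa-adtrust-install --add-sids` re-run from the comment still follow, and the final check that the admins group keeps its `-512` SID is worth doing by hand.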