Hi Guys I'm trying to disable admin user in Freeipa 4.10.2 and I get this:
user admin cannot be deleted/modified: privileged user
I did create new user with admin privileges add to group admins. But I can't disable admin user. This worked up to version FreeIPA 4.10.1 but not anymore. anyone know why is that or how can I disable admin user in 4.10.2.
thanks Ales
Ales Rozmarin via FreeIPA-users wrote:
Hi Guys I'm trying to disable admin user in Freeipa 4.10.2 and I get this:
user admin cannot be deleted/modified: privileged user
I did create new user with admin privileges add to group admins. But I can't disable admin user. This worked up to version FreeIPA 4.10.1 but not anymore. anyone know why is that or how can I disable admin user in 4.10.2.
It looks like an unexpected side-effect of the change in https://pagure.io/freeipa/issue/8878 which made the admin user undeletable.
The original check ensured that the last member of the admins group wasn't deleted or disabled. That check now prevents protected users, but it was only intended to affect delete and not disable.
I filed https://pagure.io/freeipa/issue/9489 to track this.
rob
Hi Rob,
Any update on this. I just tested latest FreeIPA, version: 4.11.0 on RockyLinux 9.4 and I can't disable or remove admin user. I can remove it form admins and trust admins group. But I would prefer if I could move him to persevered users.
Ales
On Аўт, 22 кас 2024, Ales Rozmarin via FreeIPA-users wrote:
Hi Rob,
Any update on this. I just tested latest FreeIPA, version: 4.11.0 on RockyLinux 9.4 and I can't disable or remove admin user. I can remove it form admins and trust admins group. But I would prefer if I could move him to persevered users.
Deleting or moving admin user or admins group is not supported. See warnings in the following sections:
https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html-sin...
https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html-sin...
We are working on enabling FreeIPA deployments where an admin user can have no passwords at all, using only passwordless authentication methods. This is not complete yet.
However, even when that work is completed, removing/moving admin user and group will not be supported.
On Аўт, 22 кас 2024, Alexander Bokovoy via FreeIPA-users wrote:
On Аўт, 22 кас 2024, Ales Rozmarin via FreeIPA-users wrote:
Hi Rob,
Any update on this. I just tested latest FreeIPA, version: 4.11.0 on RockyLinux 9.4 and I can't disable or remove admin user. I can remove it form admins and trust admins group. But I would prefer if I could move him to persevered users.
Deleting or moving admin user or admins group is not supported. See warnings in the following sections:
https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html-sin...
https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html-sin...
We are working on enabling FreeIPA deployments where an admin user can have no passwords at all, using only passwordless authentication methods. This is not complete yet.
However, even when that work is completed, removing/moving admin user and group will not be supported.
Forgot to add: I'll look into the 'disable' ticket soon.
On Аўт, 22 кас 2024, Alexander Bokovoy via FreeIPA-users wrote:
On Аўт, 22 кас 2024, Alexander Bokovoy via FreeIPA-users wrote:
On Аўт, 22 кас 2024, Ales Rozmarin via FreeIPA-users wrote:
Hi Rob,
Any update on this. I just tested latest FreeIPA, version: 4.11.0 on RockyLinux 9.4 and I can't disable or remove admin user. I can remove it form admins and trust admins group. But I would prefer if I could move him to persevered users.
Deleting or moving admin user or admins group is not supported. See warnings in the following sections:
https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html-sin...
https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html-sin...
We are working on enabling FreeIPA deployments where an admin user can have no passwords at all, using only passwordless authentication methods. This is not complete yet.
However, even when that work is completed, removing/moving admin user and group will not be supported.
Forgot to add: I'll look into the 'disable' ticket soon.
Judging by https://issues.redhat.com/browse/RHEL-34757, referenced in the upstream ticket, it is going to be in RHEL 9.5, in 4.12.0-1.el9 or later.
As RHEL 9.5 is not yet released, CentOS 9 Stream can be used to judge the fix availability: 4.12.2-1.el9 is there: https://mirror.stream.centos.org/9-stream/AppStream/source/tree/Packages/ipa...
freeipa-users@lists.fedorahosted.org
-
Ales Rozmarin -
Alexander Bokovoy -
Rob Crittenden