[Freeipa-users] HostEnrol role does not seem to work

Qing Chang qchang at sri.utoronto.ca
Thu Jan 17 19:09:47 UTC 2013


On 17/01/2013 1:42 PM, Rob Crittenden wrote:
> Qing Chang wrote:
>> I assigned an IPA user account the "HostEnrol" role and ran
>> "ipa-client-install".
>> When it got to "User authorized to enroll computers:", I used that
>> account,
>> then got the following:
>> Joining realm failed: No permission to join this host to the IPA domain.
>> Installation failed. Rolling back changes.
>> IPA client is not configured on this system.
>>
>> Am I missing something here?
>
> What privileges are in the HostEnrol role?
>
It's all default; I did not make any changes.
> Or can you show the output of this, where tuser1 is the user you're trying to enroll with?
>
> % ipa user-show tuser1 --all --raw |grep -i member
>
[root@ipa1 ~]# ipa user-show testipa --all --raw |grep -i member
   memberof: cn=ipausers,cn=groups,cn=accounts,dc=sri,dc=utoronto,dc=ca
   memberof: cn=hostenrol,cn=roles,cn=accounts,dc=sri,dc=utoronto,dc=ca
   memberof: ipauniqueid=d7f28bde-492f-11e2-b297-005056af688c,cn=sudorules,cn=sudo,dc=sri,dc=utoronto,dc=ca
   memberofindirect: cn=host enrollment,cn=privileges,cn=pbac,dc=sri,dc=utoronto,dc=ca
   memberofindirect: cn=manage host keytab,cn=permissions,cn=pbac,dc=sri,dc=utoronto,dc=ca
   memberofindirect: cn=enroll a host,cn=permissions,cn=pbac,dc=sri,dc=utoronto,dc=ca
   memberofindirect: cn=add krbprincipalname to a host,cn=permissions,cn=pbac,dc=sri,dc=utoronto,dc=ca

> rob



