[Freeipa-users] HostEnrol role does not seem to work

Qing Chang qchang at sri.utoronto.ca
Thu Jan 17 22:11:58 UTC 2013


On 17/01/2013 2:40 PM, Rob Crittenden wrote:
> Qing Chang wrote:
>>
>> On 17/01/2013 1:42 PM, Rob Crittenden wrote:
>>> Qing Chang wrote:
>>>> I assigned an IPA user account the "HostEnrol" role and ran
>>>> "ipa-client-install",
>>>> when it got to this "User authorized to enroll computers:", I used that
>>>> account,
>>>> then got the following:
>>>> Joining realm failed: No permission to join this host to the IPA domain.
>>>> Installation failed. Rolling back changes.
>>>> IPA client is not configured on this system.
>>>>
>>>> Am I missing something here?
>>>
>>> What privileges are in the HostEnrol role?
>>>
>> It's all default, I did not make any changes.
>>> Or can you show the output of this, where tuser1 is the user you're
>>> trying to enroll with?
>>>
>>> % ipa user-show tuser1 --all --raw |grep -i member
>>>
>> [root@ipa1 ~]# ipa user-show testipa --all --raw |grep -i member
>>    memberof: cn=ipausers,cn=groups,cn=accounts,dc=sri,dc=utoronto,dc=ca
>>    memberof: cn=hostenrol,cn=roles,cn=accounts,dc=sri,dc=utoronto,dc=ca
>>    memberof: ipauniqueid=d7f28bde-492f-11e2-b297-005056af688c,cn=sudorules,cn=sudo,dc=sri,dc=utoronto,dc=ca
>>    memberofindirect: cn=host enrollment,cn=privileges,cn=pbac,dc=sri,dc=utoronto,dc=ca
>>    memberofindirect: cn=manage host keytab,cn=permissions,cn=pbac,dc=sri,dc=utoronto,dc=ca
>>    memberofindirect: cn=enroll a host,cn=permissions,cn=pbac,dc=sri,dc=utoronto,dc=ca
>>    memberofindirect: cn=add krbprincipalname to a host,cn=permissions,cn=pbac,dc=sri,dc=utoronto,dc=ca
>>
>
> Ok, this is enough to do an enrollment (HostEnrol is not a default role). What it lacks is the
> ability to add a new host entry.
>
> You can add this ability by adding the 'Add Hosts' privilege to the 'Host Enrollment' privilege.
>
> On the command line like this:
>
> $ ipa privilege-add-permission 'Host Enrollment' --permissions='Add Hosts'
>
> Note that this is expected. We delegate as few permissions by default as possible. The expectation 
> is that a higher-level administrator pre-creates the hosts that should be allowed to be enrolled 
> and this delegated role can enroll them.
>
Agreed. Maybe this sort of thing can be put into a FAQ?

Appreciated!

Qing
> rob
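The check Rob walks through above (look at the user's effective permissions, decide whether the role can only enroll pre-created hosts or can also create host entries) can be scripted against the `--raw` output. The following is an added example, not code from the thread or from the FreeIPA project. It assumes the output has the `memberof:` / `memberofindirect:` line shape shown in the thread, with each DN on one line; the `dc=example,dc=test` suffix and the `ipauniqueid` value in the constructed sample are placeholders. The permission names come from the thread; the reported command is the one Rob gives.

```python
import re

# Constructed sample in the shape of `ipa user-show <user> --all --raw | grep -i member`
# output as shown in the thread. DNs are unwrapped onto single lines; the suffix
# dc=example,dc=test and the ipauniqueid value are placeholders, not real values.
SAMPLE_OUTPUT = """\
  memberof: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=test
  memberof: cn=hostenrol,cn=roles,cn=accounts,dc=example,dc=test
  memberof: ipauniqueid=00000000-0000-0000-0000-000000000000,cn=sudorules,cn=sudo,dc=example,dc=test
  memberofindirect: cn=host enrollment,cn=privileges,cn=pbac,dc=example,dc=test
  memberofindirect: cn=manage host keytab,cn=permissions,cn=pbac,dc=example,dc=test
  memberofindirect: cn=enroll a host,cn=permissions,cn=pbac,dc=example,dc=test
  memberofindirect: cn=add krbprincipalname to a host,cn=permissions,cn=pbac,dc=example,dc=test
"""

# Permissions the thread shows as enough to enroll a host whose entry already exists.
ENROLL_EXISTING = frozenset({
    "enroll a host",
    "manage host keytab",
    "add krbprincipalname to a host",
})
# The permission Rob names as the one needed to create a new host entry.
ADD_HOSTS = "add hosts"

# The cn=... container a DN sits in tells us what kind of object it names.
CONTAINERS = {
    "cn=groups": "groups",
    "cn=roles": "roles",
    "cn=privileges": "privileges",
    "cn=permissions": "permissions",
}

_MEMBER_LINE = re.compile(r"^\s*memberof(?:indirect)?:\s*(.+?)\s*$")


def parse_memberships(text):
    """Split raw memberof/memberofindirect lines into groups, roles, privileges
    and permissions, keyed by the container the DN lives in. Names are lowercased
    because the IPA CLI treats them case-insensitively."""
    found = {kind: set() for kind in CONTAINERS.values()}
    for line in text.splitlines():
        m = _MEMBER_LINE.match(line)
        if not m:
            continue
        rdns = [r.strip() for r in m.group(1).split(",")]
        if len(rdns) < 2 or not rdns[0].lower().startswith("cn="):
            continue  # e.g. sudo rules keyed by ipauniqueid: not a name we classify
        kind = CONTAINERS.get(rdns[1].lower())
        if kind:
            found[kind].add(rdns[0][len("cn="):].lower())
    return found


def enrollment_check(text):
    """Report what the user can do with the effective permissions in `text`."""
    perms = parse_memberships(text)["permissions"]
    missing = sorted(ENROLL_EXISTING - perms)
    return {
        "can_enroll_precreated": not missing,
        "missing_for_enrollment": missing,
        "can_create_host_entry": ADD_HOSTS in perms,
    }


def remediation(report, privilege="Host Enrollment"):
    """Return the command from the thread that grants host creation, or None if
    the role already has it. Granting it widens the delegation, so it is a
    deliberate choice between pre-creating hosts and letting the role add them."""
    if report["can_create_host_entry"]:
        return None
    return f"ipa privilege-add-permission '{privilege}' --permissions='Add Hosts'"


if __name__ == "__main__":
    report = enrollment_check(SAMPLE_OUTPUT)
    print(report)
    print(remediation(report))
```

Run it with real output piped in place of the sample and it answers the question asked in the thread directly: a role with the three enrollment permissions but without 'Add Hosts' produces exactly the "No permission to join this host" failure for a host that was never pre-created, and the script names the one permission that separates the two cases.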