[Freeipa-users] Adding permissions to a service account.
William
william at firstyear.id.au
Mon Aug 11 23:55:17 UTC 2014
Hi,
I am trying to allow a radius service account the ability to read
ipaNTHash. I carried out the following steps:
ipa permission-add 'ipaNTHash service read' --attrs=ipaNTHash --type=user --permissions=read
-----------------------------------------
Added permission "ipaNTHash service read"
-----------------------------------------
Permission name: ipaNTHash service read
Permissions: read
Attributes: ipanthash
Type: user
ipa privilege-add 'Radius services' --desc='Privileges needed to allow radiusd servers to operate'
ipa privilege-add-permission 'Radius services' --permissions='ipaNTHash service read'
Privilege name: Radius services
Description: Privileges needed to allow radiusd servers to operate
Permissions: ipaNTHash service read
-----------------------------
Number of permissions added 1
-----------------------------
ipa role-add 'Radius server' --desc="Radius server role"
--------------------------
Added role "Radius server"
--------------------------
Role name: Radius server
Description: Radius server role
ipa service-add 'radius/lorna.dev.blackhats.net.au'
----------------------------------------------------------------------
Added service "radius/lorna.dev.blackhats.net.au at DEV.BLACKHATS.NET.AU"
----------------------------------------------------------------------
Principal: radius/lorna.dev.blackhats.net.au at DEV.BLACKHATS.NET.AU
Managed by: lorna.dev.blackhats.net.au
ipa role-add-member 'Radius server' --hosts='lorna.dev.blackhats.net.au'
Role name: Radius server
Description: Radius server role
Member hosts: lorna.dev.blackhats.net.au
Privileges: Radius services
-------------------------
Number of members added 1
-------------------------
ipa-getkeytab -p 'radius/lorna.dev.blackhats.net.au' -s lorna.dev.blackhats.net.au -k /root/radiusd.keytab
kinit -t /root/radiusd.keytab -k radius/lorna.dev.blackhats.net.au
After these steps I did an ldapwhoami and attempted to get the ipaNTHash
from an account; it didn't work. I believe this is because the whoami
shows the account binds as a different DN than the host account, thus
the permission isn't applied. But there is no way in the UI or CLI to
add permissions to a service account. How should I proceed?
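As an added example (not part of the original post, and not FreeIPA's own tooling), the check below makes the diagnosis above concrete: it takes the DN that `ldapwhoami -Y GSSAPI` reports after the `kinit` with the service keytab and tells you which FreeIPA container that entry lives in, then compares it with the host entry that `ipa role-add-member --hosts=` actually granted the role to. The sample `ldapwhoami` line is constructed, and the base DN `dc=dev,dc=blackhats,dc=net,dc=au` is assumed from the realm name.

```shell
#!/bin/sh
# Added example, not from the original post. Works out which directory entry a
# GSSAPI bind authenticated as, so you can see why a role granted to the host
# entry does not apply to a bind made with the service keytab.
#
# FreeIPA's standard account containers (the base DN is an assumption here):
#   host:    fqdn=<host>,cn=computers,cn=accounts,<basedn>
#   service: krbprincipalname=<svc>/<host>@<REALM>,cn=services,cn=accounts,<basedn>
#   user:    uid=<name>,cn=users,cn=accounts,<basedn>

# Strip the leading "dn: " that ldapwhoami prints.
strip_dn_prefix() {
    printf '%s' "$1" | sed 's/^dn: *//'
}

# Classify a bind DN by the FreeIPA container it sits in.
classify_bind_dn() {
    dn=$(strip_dn_prefix "$1")
    case "$dn" in
        *,cn=computers,cn=accounts,*) echo host ;;
        *,cn=services,cn=accounts,*)  echo service ;;
        *,cn=users,cn=accounts,*)     echo user ;;
        *)                            echo unknown ;;
    esac
}

# DN of the host entry that "ipa role-add-member ROLE --hosts=FQDN" added.
host_dn() {
    printf 'fqdn=%s,cn=computers,cn=accounts,%s\n' "$1" "$2"
}

# DN of the service entry that "ipa service-add svc/FQDN" created.
service_dn() {
    printf 'krbprincipalname=%s@%s,cn=services,cn=accounts,%s\n' "$1" "$2" "$3"
}

# Exit 0 when the bind DN is the host entry named in the role, 1 otherwise.
bind_matches_host() {
    [ "$(strip_dn_prefix "$1")" = "$(host_dn "$2" "$3")" ]
}

# Constructed sample of what `ldapwhoami -Y GSSAPI` prints after
# `kinit -t /root/radiusd.keytab -k radius/lorna.dev.blackhats.net.au`.
# On a live system replace SAMPLE with: SAMPLE=$(ldapwhoami -Y GSSAPI -Q)
BASEDN='dc=dev,dc=blackhats,dc=net,dc=au'   # assumed from the realm
SAMPLE='dn: krbprincipalname=radius/lorna.dev.blackhats.net.au@DEV.BLACKHATS.NET.AU,cn=services,cn=accounts,dc=dev,dc=blackhats,dc=net,dc=au'

printf 'bound as a %s entry\n' "$(classify_bind_dn "$SAMPLE")"
printf 'role was granted to: %s\n' "$(host_dn lorna.dev.blackhats.net.au "$BASEDN")"
if bind_matches_host "$SAMPLE" lorna.dev.blackhats.net.au "$BASEDN"; then
    echo 'bind DN is the host entry: the host-scoped role applies'
else
    echo 'bind DN is a different entry: a role granted to the host does not cover this bind'
fi
```

When the output reports a `service` entry, the role membership has to name that service entry rather than the host; `ipa role-add-member` takes a `--services=` option for that in versions that support service members (assumed, not verified against the version in the post).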