[Freeipa-users] Adding permissions to a service account.

William william at firstyear.id.au
Mon Aug 11 23:55:17 UTC 2014


Hi,

I am trying to allow a radius service account the ability to read
ipaNTHash. I carried out the following steps:



ipa permission-add 'ipaNTHash service read' --attrs=ipaNTHash --type=user --permissions=read
-----------------------------------------
Added permission "ipaNTHash service read"
-----------------------------------------
  Permission name: ipaNTHash service read
  Permissions: read
  Attributes: ipanthash
  Type: user

ipa privilege-add 'Radius services' --desc='Privileges needed to allow radiusd servers to operate'

ipa privilege-add-permission 'Radius services' --permissions='ipaNTHash service read'
  Privilege name: Radius services
  Description: Privileges needed to allow radiusd servers to operate
  Permissions: ipaNTHash service read
-----------------------------
Number of permissions added 1
-----------------------------


ipa role-add 'Radius server' --desc="Radius server role"
--------------------------
Added role "Radius server"
--------------------------
  Role name: Radius server
  Description: Radius server role


ipa service-add 'radius/lorna.dev.blackhats.net.au'
----------------------------------------------------------------------
Added service "radius/lorna.dev.blackhats.net.au@DEV.BLACKHATS.NET.AU"
----------------------------------------------------------------------
  Principal: radius/lorna.dev.blackhats.net.au@DEV.BLACKHATS.NET.AU
  Managed by: lorna.dev.blackhats.net.au


ipa role-add-member 'Radius server' --hosts='lorna.dev.blackhats.net.au'
  Role name: Radius server
  Description: Radius server role
  Member hosts: lorna.dev.blackhats.net.au
  Privileges: Radius services
-------------------------
Number of members added 1
-------------------------

ipa-getkeytab -p 'radius/lorna.dev.blackhats.net.au' -s lorna.dev.blackhats.net.au -k /root/radiusd.keytab
kinit -t /root/radiusd.keytab -k radius/lorna.dev.blackhats.net.au


After these steps I did an ldapwhoami and attempted to get the ipaNTHash
from an account; it didn't work. I believe this is because the whoami
shows the account binds as a different DN than the host account, thus
the permission isn't applied. But there is no way in the UI or CLI to
add permissions to a service account. How should I proceed?
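As an added example (not part of the post or of FreeIPA's own code), a small Python check of the hypothesis above: parse the ldapwhoami result and test whether the DN the keytab binds as is actually a member of the role that carries the permission. The host and service DN layouts are assumed to follow the standard FreeIPA tree (cn=computers and cn=services under cn=accounts); verify them against your own directory.

```python
"""Does the identity the radius keytab binds as fall inside the role?

Assumed standard FreeIPA tree (verify on your server):
  host:    fqdn=<fqdn>,cn=computers,cn=accounts,<base DN>
  service: krbprincipalname=<svc>/<fqdn>@<REALM>,cn=services,cn=accounts,<base DN>
"""
import re

def base_dn_for_realm(realm):
    """DEV.BLACKHATS.NET.AU -> dc=dev,dc=blackhats,dc=net,dc=au (FreeIPA default)."""
    return ",".join("dc=" + part.lower() for part in realm.split("."))

def host_dn(fqdn, base_dn):
    return f"fqdn={fqdn},cn=computers,cn=accounts,{base_dn}"

def service_dn(service, fqdn, realm, base_dn):
    return f"krbprincipalname={service}/{fqdn}@{realm},cn=services,cn=accounts,{base_dn}"

def normalize_dn(dn):
    """Case-fold and trim whitespace around RDN separators so DNs compare reliably."""
    return ",".join(rdn.strip() for rdn in dn.lower().split(","))

def parse_whoami(output):
    """Extract the DN from ldapwhoami output ('dn: <DN>' after a GSSAPI bind)."""
    match = re.search(r"^dn:\s*(.+?)\s*$", output, re.MULTILINE)
    if not match:
        raise ValueError("no 'dn:' line in ldapwhoami output")
    return match.group(1)

def role_covers(bind_dn, role_member_dns):
    """True only if the bound DN is literally one of the role's member entries."""
    members = {normalize_dn(d) for d in role_member_dns}
    return normalize_dn(bind_dn) in members

# Constructed sample: what ldapwhoami prints after kinit with the radius keytab.
REALM = "DEV.BLACKHATS.NET.AU"
FQDN = "lorna.dev.blackhats.net.au"
BASE = base_dn_for_realm(REALM)
SAMPLE_WHOAMI = "dn: " + service_dn("radius", FQDN, REALM, BASE) + "\n"
# The role in the post has one member: the host entry, not the service entry.
ROLE_MEMBERS = [host_dn(FQDN, BASE)]

def diagnose(whoami_output=SAMPLE_WHOAMI, role_member_dns=ROLE_MEMBERS):
    """Report the bound DN and whether the role's membership reaches it."""
    bind_dn = parse_whoami(whoami_output)
    return {"bind_dn": bind_dn, "covered": role_covers(bind_dn, role_member_dns)}

if __name__ == "__main__":
    print(diagnose())
```

A result of covered=False means the ACI behind the permission will never match this bind, whatever the permission itself grants; the role has to contain the DN the service actually binds as.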