[Freeipa-users] Adding permissions to a service account.
Rob Crittenden
rcritten at redhat.com
Tue Aug 12 17:51:24 UTC 2014
William wrote:
> Hi,
>
> I am trying to allow a radius service account the ability to read
> ipaNTHash. I carried out the following steps:
>
>
>
> ipa permission-add 'ipaNTHash service read' --attrs=ipaNTHash
> --type=user --permissions=read
> -----------------------------------------
> Added permission "ipaNTHash service read"
> -----------------------------------------
> Permission name: ipaNTHash service read
> Permissions: read
> Attributes: ipanthash
> Type: user
>
> ipa privilege-add 'Radius services' --desc='Privileges needed to allow
> radiusd servers to operate'
>
> ipa privilege-add-permission 'Radius services' --permissions='ipaNTHash
> service read'
> Privilege name: Radius services
> Description: Privileges needed to allow radiusd servers to operate
> Permissions: ipaNTHash service read
> -----------------------------
> Number of permissions added 1
> -----------------------------
>
>
> ipa role-add 'Radius server' --desc="Radius server role"
> --------------------------
> Added role "Radius server"
> --------------------------
> Role name: Radius server
> Description: Radius server role
>
>
> ipa service-add 'radius/lorna.dev.blackhats.net.au'
> ----------------------------------------------------------------------
> Added service "radius/lorna.dev.blackhats.net.au at DEV.BLACKHATS.NET.AU"
> ----------------------------------------------------------------------
> Principal: radius/lorna.dev.blackhats.net.au at DEV.BLACKHATS.NET.AU
> Managed by: lorna.dev.blackhats.net.au
>
>
> ipa role-add-member 'Radius server' --hosts='lorna.dev.blackhats.net.au'
> Role name: Radius server
> Description: Radius server role
> Member hosts: lorna.dev.blackhats.net.au
> Privileges: Radius services
> -------------------------
> Number of members added 1
> -------------------------
>
> ipa-getkeytab -p 'radius/lorna.dev.blackhats.net.au' -s
> lorna.dev.blackhats.net.au -k /root/radiusd.keytab
> kinit -t /root/radiusd.keytab -k radius/lorna.dev.blackhats.net.au
>
>
> After these steps I did an ldapwhoami and attempted to get the ipaNTHash
> from an account: it didn't work. I believe this is because the whoami
> shows the account binds as a different DN than the host account, thus
> the permission isn't applied. But there is no way in the UI or CLI to
> add permissions to a service account. How should I proceed?
>
You can't delegate permissions to a service. See
https://fedorahosted.org/freeipa/ticket/3644
rob
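As an added illustration of Rob's point (example code, not from the thread or the FreeIPA project): the check below models why an ACI granted through the 'Radius server' role matches the host's own bind but not a bind made with the service keytab, since the service is a separate entry that is not a role member. The DN layouts are assumptions modelled on FreeIPA's account tree, and the ldapwhoami output and role member list are constructed sample data.

```python
BASE = "dc=dev,dc=blackhats,dc=net,dc=au"  # assumed suffix for the realm

# Constructed `ldapwhoami -Y GSSAPI` output for the two identities involved
WHOAMI_SERVICE = ("dn: krbprincipalname=radius/lorna.dev.blackhats.net.au"
                  "@DEV.BLACKHATS.NET.AU,cn=services,cn=accounts," + BASE)
WHOAMI_HOST = "dn: fqdn=lorna.dev.blackhats.net.au,cn=computers,cn=accounts," + BASE
# Constructed member list of the 'Radius server' role (hosts only)
ROLE_MEMBERS = ["fqdn=lorna.dev.blackhats.net.au,cn=computers,cn=accounts," + BASE]
CONTAINERS = {"cn=services,cn=accounts": "service",
              "cn=computers,cn=accounts": "host",
              "cn=users,cn=accounts": "user"}

def split_dn(dn):
    """Split a DN into RDNs on unescaped commas (a backslash escapes)."""
    rdns, cur, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur += dn[i:i + 2]
            i += 2
        elif dn[i] == ",":
            rdns.append(cur.strip())
            cur, i = "", i + 1
        else:
            cur += dn[i]
            i += 1
    rdns.append(cur.strip())
    return rdns

def normalize(dn):
    """Case- and whitespace-insensitive DN form for membership comparison."""
    return ",".join(r.lower() for r in split_dn(dn))

def entry_type(dn):
    """Classify an account entry by the container that holds it."""
    return CONTAINERS.get(",".join(split_dn(dn)[1:3]).lower(), "other")

def permission_applies(whoami_line, role_members):
    """Role ACIs match only role members: a service bound with its own
    keytab is a separate entry from the host that holds the role."""
    bound_dn = whoami_line.split(":", 1)[1].strip()
    members = {normalize(m) for m in role_members}
    return {"bound_as": entry_type(bound_dn),
            "aci_applies": normalize(bound_dn) in members}

if __name__ == "__main__":
    for line in (WHOAMI_SERVICE, WHOAMI_HOST):
        print(permission_applies(line, ROLE_MEMBERS))
```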