[Freeipa-users] Found new problem after 3.3 - 4.1 update

Alexander Frolushkin Alexander.Frolushkin at megafon.ru
Mon Apr 20 11:21:02 UTC 2015


Very strange. If this user is a member of the admins group, it can enroll a host. If not, it can't.
The only difference this group brings in permissions is a number of replication agreement permissions...


-----Original Message-----
From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Alexander Frolushkin
Sent: Monday, April 20, 2015 5:06 PM
To: 'David Kupka'; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Found new problem after 3.3 - 4.1 update

>Hello!
>This thread seems to solve a similar issue:
>https://www.redhat.com/archives/freeipa-users/2013-January/msg00153.html

Thank You, but...
On 3.3 I used this thread to make it work.
But on 4.1:

User, able to enroll:
  memberofindirect: cn=System: Read Replication Agreements,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
  memberofindirect: cn=System: Modify Hosts,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
  memberofindirect: cn=Modify DNA Range,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
  memberofindirect: cn=Add Configuration Sub-Entries,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
  memberofindirect: cn=Modify PassSync Managers Configuration,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
  memberofindirect: cn=Read LDBM Database Configuration,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
  memberofindirect: cn=Read PassSync Managers Configuration,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
  memberofindirect: cn=Remove Replication Agreements,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
  memberofindirect: cn=Modify Replication Agreements,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
  memberofindirect: cn=Read DNA Range,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
  memberofindirect: cn=Replication Administrators,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru
  memberofindirect: cn=System: Add Hosts,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
  memberofindirect: cn=System: Manage Host Enrollment Password,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
  memberofindirect: cn=System: Manage Host Certificates,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
  memberofindirect: cn=Add Replication Agreements,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
  memberofindirect: cn=System: Enroll a Host,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
  memberofindirect: cn=Host Enrollment,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru
  memberofindirect: cn=System: Add krbPrincipalName to a Host,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru

User, not able to enroll:
  memberofindirect: cn=Read PassSync Managers Configuration,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
  memberofindirect: cn=System: Modify Hosts,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
  memberofindirect: cn=Modify DNA Range,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
  memberofindirect: cn=Add Configuration Sub-Entries,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
  memberofindirect: cn=Read LDBM Database Configuration,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
  memberofindirect: cn=Read DNA Range,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
  memberofindirect: cn=System: Add Hosts,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
  memberofindirect: cn=System: Manage Host Enrollment Password,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
  memberofindirect: cn=System: Manage Host Certificates,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
  memberofindirect: ipaUniqueID=05b0d3f4-d2e1-11e4-b40b-00505698162f,cn=sudorules,cn=sudo,dc=unix,dc=megafon,dc=ru
  memberofindirect: cn=System: Enroll a Host,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
  memberofindirect: cn=Host Enrollment,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru
  memberofindirect: cn=System: Add krbPrincipalName to a Host,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru

I tried to make them look as close as possible in terms of permissions (replication agreements do not look like a required permission). But the first one works (enrolls a new host to IPA), the second one does not.

--
David Kupka
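The comparison above is done by eye. As an added example (not code from the thread or from FreeIPA itself), the script below parses the two `memberofindirect:` listings exactly as pasted, splits each DN into the entry name and the container it lives in (permissions, privileges, sudorules), and reports what one user has that the other lacks. The two sample listings are the ones quoted in the thread; the labels "working" and "broken" are the example's own.

```python
"""Diff the effective (indirect) memberships of two FreeIPA users.

Added example, not from the original thread. It takes the memberofindirect:
lines as printed for a user entry, splits each DN into the entry name (first
RDN value) and its container (second RDN value: permissions, privileges,
sudorules, ...), and reports the entries only one of the two users has.
"""
import re
from collections import defaultdict

# Sample input: the two listings quoted in the thread.
WORKING_USER = """
memberofindirect: cn=System: Read Replication Agreements,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
memberofindirect: cn=System: Modify Hosts,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
memberofindirect: cn=Modify DNA Range,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
memberofindirect: cn=Add Configuration Sub-Entries,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
memberofindirect: cn=Modify PassSync Managers Configuration,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
memberofindirect: cn=Read LDBM Database Configuration,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
memberofindirect: cn=Read PassSync Managers Configuration,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
memberofindirect: cn=Remove Replication Agreements,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
memberofindirect: cn=Modify Replication Agreements,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
memberofindirect: cn=Read DNA Range,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
memberofindirect: cn=Replication Administrators,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru
memberofindirect: cn=System: Add Hosts,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
memberofindirect: cn=System: Manage Host Enrollment Password,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
memberofindirect: cn=System: Manage Host Certificates,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
memberofindirect: cn=Add Replication Agreements,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
memberofindirect: cn=System: Enroll a Host,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
memberofindirect: cn=Host Enrollment,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru
memberofindirect: cn=System: Add krbPrincipalName to a Host,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
"""

BROKEN_USER = """
memberofindirect: cn=Read PassSync Managers Configuration,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
memberofindirect: cn=System: Modify Hosts,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
memberofindirect: cn=Modify DNA Range,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
memberofindirect: cn=Add Configuration Sub-Entries,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
memberofindirect: cn=Read LDBM Database Configuration,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
memberofindirect: cn=Read DNA Range,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
memberofindirect: cn=System: Add Hosts,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
memberofindirect: cn=System: Manage Host Enrollment Password,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
memberofindirect: cn=System: Manage Host Certificates,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
memberofindirect: ipaUniqueID=05b0d3f4-d2e1-11e4-b40b-00505698162f,cn=sudorules,cn=sudo,dc=unix,dc=megafon,dc=ru
memberofindirect: cn=System: Enroll a Host,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
memberofindirect: cn=Host Enrollment,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru
memberofindirect: cn=System: Add krbPrincipalName to a Host,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
"""


def split_dn(dn):
    """Split a DN into its RDNs, leaving backslash-escaped commas alone."""
    return [rdn.strip() for rdn in re.split(r"(?<!\\),", dn)]


def parse_memberof(text):
    """Return {container: set(entry names)} from memberof/memberofindirect lines."""
    groups = defaultdict(set)
    for line in text.splitlines():
        m = re.match(r"\s*memberof(?:indirect)?:\s*(.+?)\s*$", line)
        if not m:
            continue
        rdns = split_dn(m.group(1))
        if len(rdns) < 2:
            continue
        name = rdns[0].split("=", 1)[1]       # e.g. "System: Enroll a Host"
        container = rdns[1].split("=", 1)[1]  # e.g. "permissions"
        groups[container].add(name)
    return groups


def diff_memberships(text_a, text_b):
    """Return (only_in_a, only_in_b), each {container: sorted list of names}."""
    ga, gb = parse_memberof(text_a), parse_memberof(text_b)
    only_a, only_b = {}, {}
    for container in set(ga) | set(gb):
        extra_a = sorted(ga[container] - gb[container])
        extra_b = sorted(gb[container] - ga[container])
        if extra_a:
            only_a[container] = extra_a
        if extra_b:
            only_b[container] = extra_b
    return only_a, only_b


def report(label_a, text_a, label_b, text_b):
    """Render the diff as one line per entry, suitable for pasting into a ticket."""
    only_a, only_b = diff_memberships(text_a, text_b)
    lines = []
    for label, extra in ((label_a, only_a), (label_b, only_b)):
        for container, names in sorted(extra.items()):
            lines.extend(f"only {label}: {container}: {n}" for n in names)
    return lines


if __name__ == "__main__":
    print("\n".join(report("working", WORKING_USER, "broken", BROKEN_USER)))
```

Run on the two listings it reports the five replication-agreement permissions and the Replication Administrators privilege as present only for the working user, and one sudo rule as present only for the failing one; whether any of those is actually required for enrollment is a separate question the diff cannot answer, but it turns the "as close as possible" comparison into an exact list to hand to whoever is debugging the 3.3 to 4.1 permission changes.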


________________________________

The information contained in this communication is intended solely for the use of the individual or entity to whom it is addressed and others authorized to receive it. It may contain confidential or legally privileged information. The contents may not be disclosed or used by anyone other than the addressee. If you are not the intended recipient(s), any use, disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it is prohibited and may be unlawful. If you have received this communication in error please notify us immediately by responding to this email and then delete the e-mail and all attachments and any copies thereof.
