[Freeipa-users] Found new problem after 3.3 - 4.1 update
Rob Crittenden
rcritten at redhat.com
Mon Apr 20 14:41:00 UTC 2015
Alexander Frolushkin wrote:
> Very strange. If this user acts as a member of admins group - it can enroll host. If not - it can't.
> Only difference this group brings in permissions - a number of replication agreement permissions...
admins can do nearly anything so that's not surprising.
For host enrollment these permissions are quite broad IMHO, particularly
the replication bits.
Run ipa-client-install with the debug flag and you should get more
information out of ipa-join. /var/log/ipaclient-install.log will log all
of this so you shouldn't need to try capturing stdout.
At the same time see if /var/log/httpd/error_log on the IPA master
provides any information on why the request was rejected, or at least
which operation failed.
At a glance these permissions look sufficient, and then some.
rob