[Freeipa-users] Found new problem after 3.3 - 4.1 update

Tue Apr 21 04:05:48 UTC 2015

Alexander Frolushkin wrote:
> Thank You, I'm stupid enough to forgot about debug mode.
> Here the problem:
> Insufficient access: Insufficient 'write' privilege to the 'krbLastPwdChange' attribute of entry 'fqdn=sib-rhel07.unix.ad.com,cn=computers,cn=accounts,dc=unix,dc=ad,dc=com'.
> 
> This host is not new, it was removed from domain to test the privileges...

Try adding 'Manage host keytab' to your privilege.

I'd use the privilege 'Host Enrollment' as a model of the minimum of
what you need. This covers only the enrollment bit. Add creating hosts
and others as needed.

rob

> 
> WBR,
> Alexander Frolushkin
> 
> -----Original Message-----
> From: Rob Crittenden [mailto:rcritten at redhat.com]
> Sent: Monday, April 20, 2015 8:41 PM
> To: Alexander Frolushkin (SIB); freeipa-users at redhat.com; 'David Kupka'
> Subject: Re: [Freeipa-users] Found new problem after 3.3 - 4.1 update
> 
> Alexander Frolushkin wrote:
>> Very strange. If this user acts as a member of admins group - it can enroll host. If not - it can't.
>> Only difference this group brings in permissions - a number of replication agreement permissions...
> 
> admins can do nearly anything so that's not surprising.
> 
> For host enrollment these permissions are quite broad IMHO, particularly the replication bits.
> 
> Run ipa-client-install with the debug flag and you should get more information out of ipa-join. /var/log/ipaclient-install.log will log all fo this so you shouldn't need to try capturing stdout.
> 
> At the same time see if /var/log/httpd/error_log on the IPA master provides any information on why the request was rejected, or at least which operation failed.
> 
> At a glance these permissions look sufficient, and then some.
> 
> rob
> 
> 
> ________________________________
> 
> Ð˜Ð½Ñ„Ð¾Ñ€Ð¼Ð°Ñ†Ð¸Ñ Ð² ÑÑ‚Ð¾Ð¼ ÑÐ¾Ð¾Ð±Ñ‰ÐµÐ½Ð¸Ð¸ Ð¿Ñ€ÐµÐ´Ð½Ð°Ð·Ð½Ð°Ñ‡ÐµÐ½Ð° Ð¸ÑÐºÐ»ÑŽÑ‡Ð¸Ñ‚ÐµÐ»ÑŒÐ½Ð¾ Ð´Ð»Ñ ÐºÐ¾Ð½ÐºÑ€ÐµÑ‚Ð½Ñ‹Ñ… Ð»Ð¸Ñ†, ÐºÐ¾Ñ‚Ð¾Ñ€Ñ‹Ð¼ Ð¾Ð½Ð° Ð°Ð´Ñ€ÐµÑÐ¾Ð²Ð°Ð½Ð°. Ð’ ÑÐ¾Ð¾Ð±Ñ‰ÐµÐ½Ð¸Ð¸ Ð¼Ð¾Ð¶ÐµÑ‚ ÑÐ¾Ð´ÐµÑ€Ð¶Ð°Ñ‚ÑŒÑÑ ÐºÐ¾Ð½Ñ„Ð¸Ð´ÐµÐ½Ñ†Ð¸Ð°Ð»ÑŒÐ½Ð°Ñ Ð¸Ð½Ñ„Ð¾Ñ€Ð¼Ð°Ñ†Ð¸Ñ, ÐºÐ¾Ñ‚Ð¾Ñ€Ð°Ñ Ð½Ðµ Ð¼Ð¾Ð¶ÐµÑ‚ Ð±Ñ‹Ñ‚ÑŒ Ñ€Ð°ÑÐºÑ€Ñ‹Ñ‚Ð° Ð¸Ð»Ð¸ Ð¸ÑÐ¿Ð¾Ð»ÑŒÐ·Ð¾Ð²Ð°Ð½Ð° ÐºÐµÐ¼-Ð»Ð¸Ð±Ð¾, ÐºÑ€Ð¾Ð¼Ðµ Ð°Ð´Ñ€ÐµÑÐ°Ñ‚Ð¾Ð². Ð•ÑÐ»Ð¸ Ð²Ñ‹ Ð½Ðµ Ð°Ð´Ñ€ÐµÑÐ°Ñ‚ ÑÑ‚Ð¾Ð³Ð¾ ÑÐ¾Ð¾Ð±Ñ‰ÐµÐ½Ð¸Ñ, Ñ‚Ð¾ Ð¸ÑÐ¿Ð¾Ð»ÑŒÐ·Ð¾Ð²Ð°Ð½Ð¸Ðµ, Ð¿ÐµÑ€ÐµÐ°Ð´Ñ€ÐµÑÐ°Ñ†Ð¸Ñ, ÐºÐ¾Ð¿Ð¸Ñ€Ð¾Ð²Ð°Ð½Ð¸Ðµ Ð¸Ð»Ð¸ Ñ€Ð°ÑÐ¿Ñ€Ð¾ÑÑ‚Ñ€Ð°Ð½ÐµÐ½Ð¸Ðµ ÑÐ¾Ð´ÐµÑ€Ð¶Ð°Ð½Ð¸Ñ ÑÐ¾Ð¾Ð±Ñ‰ÐµÐ½Ð¸Ñ Ð¸Ð»Ð¸ ÐµÐ³Ð¾ Ñ‡Ð°ÑÑ‚Ð¸ Ð½ÐµÐ·Ð°ÐºÐ¾Ð½Ð½Ð¾ Ð¸ Ð·Ð°Ð¿Ñ€ÐµÑ‰ÐµÐ½Ð¾. Ð•ÑÐ»Ð¸ Ð’Ñ‹ Ð¿Ð¾Ð»ÑƒÑ‡Ð¸Ð»Ð¸ ÑÑ‚Ð¾ ÑÐ¾Ð¾Ð±Ñ‰ÐµÐ½Ð¸Ðµ Ð¾ÑˆÐ¸Ð±Ð¾Ñ‡Ð½Ð¾, Ð¿Ð¾Ð¶Ð°Ð»ÑƒÐ¹ÑÑ‚Ð°, Ð½ÐµÐ·Ð°Ð¼ÐµÐ´Ð»Ð¸Ñ‚ÐµÐ»ÑŒÐ½Ð¾ ÑÐ¾Ð¾Ð±Ñ‰Ð¸Ñ‚Ðµ Ð¾Ñ‚Ð¿Ñ€Ð°Ð²Ð¸Ñ‚ÐµÐ»ÑŽ Ð¾Ð± ÑÑ‚Ð¾Ð¼ Ð¸ ÑƒÐ´Ð°Ð»Ð¸Ñ‚Ðµ ÑÐ¾ Ð²ÑÐµÐ¼ ÑÐ¾Ð´ÐµÑ€Ð¶Ð¸Ð¼Ñ‹Ð¼ ÑÐ°Ð¼Ð¾ ÑÐ¾Ð¾Ð±Ñ‰ÐµÐ½Ð!
 ¸Ðµ Ð¸ Ð»Ñ
ŽÐ±Ñ‹Ðµ Ð²Ð¾Ð·Ð¼Ð¾Ð¶Ð½Ñ‹Ðµ ÐµÐ³Ð¾ ÐºÐ¾Ð¿Ð¸Ð¸ Ð¸ Ð¿Ñ€Ð¸Ð»Ð¾Ð¶ÐµÐ½Ð¸Ñ.
> 
> The information contained in this communication is intended solely for the use of the individual or entity to whom it is addressed and others authorized to receive it. It may contain confidential or legally privileged information. The contents may not be disclosed or used by anyone other than the addressee. If you are not the intended recipient(s), any use, disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it is prohibited and may be unlawful. If you have received this communication in error please notify us immediately by responding to this email and then delete the e-mail and all attachments and any copies thereof.
> 
> (c)20mf50
> 