[Freeipa-users] Found new problem after 3.3 - 4.1 update
Rob Crittenden
rcritten at redhat.com
Tue Apr 21 04:05:48 UTC 2015
Alexander Frolushkin wrote:
> Thank You, I'm stupid enough to forgot about debug mode.
> Here the problem:
> Insufficient access: Insufficient 'write' privilege to the 'krbLastPwdChange' attribute of entry 'fqdn=sib-rhel07.unix.ad.com,cn=computers,cn=accounts,dc=unix,dc=ad,dc=com'.
>
> This host is not new, it was removed from domain to test the privileges...
Try adding 'Manage host keytab' to your privilege.
I'd use the privilege 'Host Enrollment' as a model of the minimum of
what you need. This covers only the enrollment bit. Add creating hosts
and others as needed.
rob
>
> WBR,
> Alexander Frolushkin
>
> -----Original Message-----
> From: Rob Crittenden [mailto:rcritten at redhat.com]
> Sent: Monday, April 20, 2015 8:41 PM
> To: Alexander Frolushkin (SIB); freeipa-users at redhat.com; 'David Kupka'
> Subject: Re: [Freeipa-users] Found new problem after 3.3 - 4.1 update
>
> Alexander Frolushkin wrote:
>> Very strange. If this user acts as a member of admins group - it can enroll host. If not - it can't.
>> Only difference this group brings in permissions - a number of replication agreement permissions...
>
> admins can do nearly anything so that's not surprising.
>
> For host enrollment these permissions are quite broad IMHO, particularly the replication bits.
>
> Run ipa-client-install with the debug flag and you should get more information out of ipa-join. /var/log/ipaclient-install.log will log all fo this so you shouldn't need to try capturing stdout.
>
> At the same time see if /var/log/httpd/error_log on the IPA master provides any information on why the request was rejected, or at least which operation failed.
>
> At a glance these permissions look sufficient, and then some.
>
> rob
>
>
> ________________________________
>
> ÐнÑоÑмаÑÐ¸Ñ Ð² ÑÑом ÑообÑении пÑедназнаÑена иÑклÑÑиÑелÑно Ð´Ð»Ñ ÐºÐ¾Ð½ÐºÑеÑнÑÑ
лиÑ, коÑоÑÑм она адÑеÑована. Ð ÑообÑении Ð¼Ð¾Ð¶ÐµÑ ÑодеÑжаÑÑÑÑ ÐºÐ¾Ð½ÑиденÑиалÑÐ½Ð°Ñ Ð¸Ð½ÑоÑмаÑиÑ, коÑоÑÐ°Ñ Ð½Ðµ Ð¼Ð¾Ð¶ÐµÑ Ð±ÑÑÑ ÑаÑкÑÑÑа или иÑполÑзована кем-либо, кÑоме адÑеÑаÑов. ÐÑли Ð²Ñ Ð½Ðµ адÑеÑÐ°Ñ ÑÑого ÑообÑениÑ, Ñо иÑполÑзование, пеÑеадÑеÑаÑиÑ, копиÑование или ÑаÑпÑоÑÑÑанение ÑодеÑÐ¶Ð°Ð½Ð¸Ñ ÑообÑÐµÐ½Ð¸Ñ Ð¸Ð»Ð¸ его ÑаÑÑи незаконно и запÑеÑено. ÐÑли ÐÑ Ð¿Ð¾Ð»ÑÑили ÑÑо ÑообÑение оÑибоÑно, пожалÑйÑÑа, незамедлиÑелÑно ÑообÑиÑе оÑпÑавиÑÐµÐ»Ñ Ð¾Ð± ÑÑом и ÑдалиÑе Ñо вÑем ÑодеÑжимÑм Ñамо ÑообÑенÐ!
¸Ðµ и лÑ
бÑе возможнÑе его копии и пÑиложениÑ.
>
> The information contained in this communication is intended solely for the use of the individual or entity to whom it is addressed and others authorized to receive it. It may contain confidential or legally privileged information. The contents may not be disclosed or used by anyone other than the addressee. If you are not the intended recipient(s), any use, disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it is prohibited and may be unlawful. If you have received this communication in error please notify us immediately by responding to this email and then delete the e-mail and all attachments and any copies thereof.
>
> (c)20mf50
>
More information about the Freeipa-users
mailing list