[Freeipa-users] headless ipa client join using kerberos ticket

Troels Hansen th at casalogic.dk
Thu Aug 11 08:18:30 UTC 2016 

I can see this have been discussed a lot here, but I still can't seem to find the correct answer, so bare with me if i'm asking a question already answered. 

I'm trying to create a user that can be used for (headless) joining out RHEL clients to IPA 

Here is what have been done: 
/etc/krb5.conf and /etc/ipa/ca.crt copied to the client. 

a user created on IPA: 

# ipa user-show joinipa 
User login: joinipa 
First name: Host 
Last name: Adder 
Home directory: /home/joinipa 
Login shell: /bin/sh 
Email address: joinipa at linux.dr.dk 
UID: 10006 
GID: 10006 
Account disabled: False 
Password: False 
Member of groups: ipausers 
Roles: joinipa 
Kerberos keys available: True 

has role joinipa 

# ipa role-show "joinipa" 
Role name: joinipa 
Member users: joinipa 
Privileges: Host Enrollment 

Host Enrollemnt provilege also has the 'System: Add Hosts' permission: 

# ipa privilege-show "Host Enrollment" 
Privilege name: Host Enrollment 
Description: Host Enrollment 
Permissions: System: Add Hosts, System: Add krbPrincipalName to a Host, System: Enroll a Host, System: Manage Host Certificates, 
System: Manage Host Enrollment Password, System: Manage Host Keytab 
Granting privilege to roles: joinipa 

Get the keytab from IPA server (run on IPA server): 
# ipa-getkeytab -s `hostname` -p joinipa at LINUX.DR.DK -k /tmp/joinipa.keytab 

Keytab copied to IPA client: 

kinit keytab: 
# kinit joinipa at LINUX.DR.DK -kt joinipa.keytab 

# klist 
Ticket cache: KEYRING:persistent:0:0 
Default principal: joinipa at LINUX.DR.DK 

Valid starting Expires Service principal 
08/11/2016 10:12:33 08/12/2016 10:12:33 krbtgt/LINUX.DR.DK at LINUX.DR.DK 

Try to join IPA server: 
# ipa-join --server ipa01tst.linux.dr.dk 
Failed to parse result: Insufficient access rights 

Retrying with pre-4.0 keytab retrieval method... 
Keytab successfully retrieved and stored in: /etc/krb5.keytab 
Certificate subject base is: O=LINUX.DR.DK 

Host gets created on IPA server, but what makes it fail? 

If I try to join again I also get told its already joined: 

# ipa-join --server ipa01tst.linux.dr.dk 
Host is already joined. 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20160811/98e82e84/attachment.htm>

More information about the Freeipa-users mailing list