[Freeipa-users] Service account to enroll hosts

Marat Vyshegorodtsev marat.vyshegorodtsev at gmail.com
Thu Jan 28 02:18:12 UTC 2016


Tried that.

Originally I had just a normal user of a role "Build Administrator".
It worked perfectly.

Service account doesn't seem to recognize its privileges either way
(explicit membership assignment or through roles).

Originally it was like this (working perfectly):
http://pastebin.com/baqcthy5

However, I don't like hostadmin hanging among regular users.

So I moved this account away to its own ldif:
dn: uid=hostadmin,cn=sysaccounts,cn=etc,dc=contoso,dc=com
changetype: add
objectclass: account
objectclass: simplesecurityobject
objectclass: inetuser
objectclass: krbprincipalaux
objectclass: krbticketpolicyaux
krbPrincipalName: hostadmin@<%= @realm %>
memberOf: cn=Build Administrator,cn=roles,cn=accounts,dc=contoso,dc=com
userPassword: <%= @hostadmin_pwd %>
passwordExpirationTime: <%= @pwd_expiration %>
krbpasswordexpiration: <%= @pwd_expiration %>
nsIdleTimeout: 0

This didn't work (same error: not enough privileges), so I started
experimenting with explicit privilege assignment by basically copying
them from the default "admin" user. That didn't work either.

I wonder what I am doing wrong.

On Thu, Jan 28, 2016 at 1:03 AM, Rob Crittenden <rcritten at redhat.com> wrote:
> Marat Vyshegorodtsev wrote:
>> Hi!
>>
>> I'm trying to build an auto-enrollment script that would leverage a
>> service account to enroll hosts.
>>
>> Here is the LDIF for this service account:
>> https://gist.github.com/touzoku/2b03a47d3f0bcfbdf30a
>>
>> This service account is created successfully, but when I try to:
>> 1) kinit hostadmin
>> 2) ipa host-add foobar.contoso.com
>>
>> The following error appears:
>> ipa: ERROR: Insufficient access: Insufficient 'add' privilege to add
>> the entry 'fqdn=foobar.contoso.com,cn=computers,cn=accounts,dc=contoso,dc=com'.
>>
>> Which privilege am I missing? A normal (posix) user, with the same set
>> of privileges worked fine, the problem started to happen when I moved
>> user from normal users to cn=sysaccounts,cn=etc.
>>
>> Also, is my set of privileges minimal? Which privileges do I need to
>> just add host entries?
>>
>
> You should not directly add memberOf values. You should add the user as
> a member of the respective roles and the rest should follow naturally.
> So you'll need to add this entry then do a modify to add it as a member
> of one or more roles.
>
> rob
>
>
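The following is an added example, not code from the thread: it applies Rob's advice by creating the sysaccount entry without any memberOf line and then modifying the role so that the account appears on its member attribute (memberOf on the account is maintained by the directory's memberOf plugin from that member value, and the ACIs behind IPA permissions are evaluated against role/privilege/permission group membership, so it is the member side that grants the privilege). The base DN, account DN, role name and objectclasses come from the LDIF in the thread; the realm, LDAP URI and bind DN are assumptions. ldapmodify is used for the role rather than the ipa CLI because the CLI resolves --users against cn=users, which a cn=sysaccounts entry is not in.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): create an IPA service
# account under cn=sysaccounts and grant it a role by adding it as a member
# of the role, instead of writing memberOf on the account itself.
# Base DN, account name and role name come from the thread; the realm,
# server URI and bind DN are assumed values.
set -eu

BASE_DN="dc=contoso,dc=com"
ACCOUNT_DN="uid=hostadmin,cn=sysaccounts,cn=etc,${BASE_DN}"
ROLE_DN="cn=Build Administrator,cn=roles,cn=accounts,${BASE_DN}"
REALM="CONTOSO.COM"                                 # assumed realm
LDAP_URI="${LDAP_URI:-ldap://ipa.contoso.com}"      # assumed server
ADMIN_DN="${ADMIN_DN:-cn=Directory Manager}"        # assumed bind DN

# LDIF for the account: same objectclasses as the original entry, but no
# memberOf line, because that attribute is managed by the memberOf plugin.
# $1 is the password to set.
account_ldif() {
  cat <<EOF
dn: ${ACCOUNT_DN}
changetype: add
objectclass: account
objectclass: simplesecurityobject
objectclass: inetuser
objectclass: krbprincipalaux
objectclass: krbticketpolicyaux
krbPrincipalName: hostadmin@${REALM}
userPassword: $1
nsIdleTimeout: 0
EOF
}

# LDIF that adds the account to the role's member attribute. This is the
# side the permission ACIs are evaluated against; memberOf follows from it.
role_member_ldif() {
  cat <<EOF
dn: ${ROLE_DN}
changetype: modify
add: member
member: ${ACCOUNT_DN}
EOF
}

# Sanity check on the generated LDIF: the account entry must carry no
# memberOf, and the role modification must add exactly this account.
check_ldif() {
  account_ldif "x" | grep -qi '^memberOf:' && return 1
  role_member_ldif | grep -q "^member: ${ACCOUNT_DN}\$" || return 1
  return 0
}

# Only talk to a live server when explicitly asked (APPLY=1). Afterwards,
# read back the account's memberOf to confirm the plugin populated it.
if [ "${APPLY:-0}" = "1" ]; then
  check_ldif
  printf 'hostadmin password: '
  stty -echo; read -r PW; stty echo; echo
  account_ldif "$PW" | ldapadd    -H "$LDAP_URI" -D "$ADMIN_DN" -W
  role_member_ldif   | ldapmodify -H "$LDAP_URI" -D "$ADMIN_DN" -W
  ldapsearch -H "$LDAP_URI" -D "$ADMIN_DN" -W -b "$ACCOUNT_DN" -s base memberOf
fi
```

After the two writes, the ldapsearch at the end should show memberOf for the role on the account without it ever having been written directly; if it does not, the memberOf plugin has not fixed up the entry and the role membership is the place to look, not the account.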
