[Freeipa-users] Service account to enroll hosts

Rob Crittenden rcritten at redhat.com
Thu Jan 28 02:25:18 UTC 2016


Marat Vyshegorodtsev wrote:
> Tried that.
> 
> Originally I had just a normal user of a role "Build Administrator".
> It worked perfectly.
> 
> Service account doesn't seem to recognize its privileges either way
> (explicit membership assignment or through roles).
> 
> Originally it was like this (working perfectly):
> http://pastebin.com/baqcthy5
> 
> However, I don't like hostadmin hanging among regular users.
> 
> So I moved this account away to its own ldif:
> dn: uid=hostadmin,cn=sysaccounts,cn=etc,dc=contoso,dc=com
> changetype: add
> objectclass: account
> objectclass: simplesecurityobject
> objectclass: inetuser
> objectclass: krbprincipalaux
> objectclass: krbticketpolicyaux
> krbPrincipalName: hostadmin@<%= @realm %>
> memberOf: cn=Build Administrator,cn=roles,cn=accounts,dc=contoso,dc=com
> userPassword: <%= @hostadmin_pwd %>
> passwordExpirationTime: <%= @pwd_expiration %>
> krbpasswordexpiration: <%= @pwd_expiration %>
> nsIdleTimeout: 0
> 
> This didn't work (same error: not enough privileges), so I started
> experimenting with explicit privileges assignment by basically copying
> them from default "admin" user. Didn't work either.
> 
> I wonder what I am doing wrong.

I already told you: don't add an explicit memberOf.

You need a separate modify to add this user as a member of (NOT
memberOf) the role:

dn: cn=Build Administrator,cn=roles,cn=accounts,dc=contoso,dc=com
changetype: modify
add: member
member: uid=hostadmin,cn=sysaccounts,cn=etc,dc=contoso,dc=com

rob

> 
> On Thu, Jan 28, 2016 at 1:03 AM, Rob Crittenden <rcritten at redhat.com> wrote:
>> Marat Vyshegorodtsev wrote:
>>> Hi!
>>>
>>> I'm trying to build an auto-enrollment script that would leverage a
>>> service account to enroll hosts.
>>>
>>> Here is the LDIF for this service account:
>>> https://gist.github.com/touzoku/2b03a47d3f0bcfbdf30a
>>>
>>> This service account is created successfully, but when I try to:
>>> 1) kinit hostadmin
>>> 2) ipa host-add foobar.contoso.com
>>>
>>> The following error appears:
>>> ipa: ERROR: Insufficient access: Insufficient 'add' privilege to add
>>> the entry 'fqdn=foobar.contoso.com,cn=computers,cn=accounts,dc=contoso,dc=com'.
>>>
>>> Which privilege am I missing? A normal (posix) user, with the same set
>>> of privileges worked fine, the problem started to happen when I moved
>>> user from normal users to cn=sysaccounts,cn=etc.
>>>
>>> Also, is my set of privileges minimal? Which privileges do I need to
>>> just add host entries?
>>>
>>
>> You should not directly add memberOf values. You should add the user as
>> a member of the respective roles and the rest should follow naturally.
>> So you'll need to add this entry then do a modify to add it as a member
>> of one or more roles.
>>
>> rob
>>
>>
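As an added example (not code from the thread or from FreeIPA), a small Python lint that parses LDIF and flags the mistake Rob points out: a memberOf written into the sysaccount entry instead of a separate modify that adds the account as a member of the role. The DNs are the ones from the thread; the sample LDIF, trimmed objectclasses and password placeholder are constructed.

```python
ACCOUNT_DN = "uid=hostadmin,cn=sysaccounts,cn=etc,dc=contoso,dc=com"
ROLE_DN = "cn=Build Administrator,cn=roles,cn=accounts,dc=contoso,dc=com"
# Constructed sample entry (objectclasses trimmed; password is a placeholder).
ACCOUNT_ADD = f"""dn: {ACCOUNT_DN}
changetype: add
objectclass: account
objectclass: simplesecurityobject
userPassword: PLACEHOLDER
"""
# BROKEN as posted (memberOf inside the account); FIXED as advised (separate modify).
BROKEN_LDIF = ACCOUNT_ADD + f"memberOf: {ROLE_DN}\n"
FIXED_LDIF = ACCOUNT_ADD + f"""
dn: {ROLE_DN}
changetype: modify
add: member
member: {ACCOUNT_DN}
"""

def parse_ldif(text):
    """Split LDIF into records of {attr (lower-cased): [values]}; unfolds continuation lines, skips '#' comments."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif not raw.startswith("#"):
            lines.append(raw)
    records, rec = [], {}
    for line in lines + [""]:  # trailing sentinel flushes the last record
        if not line.strip():
            if rec:
                records.append(rec)
            rec = {}
            continue
        attr, _, value = line.partition(":")
        rec.setdefault(attr.strip().lower(), []).append(value.strip())
    return records

def lint(text):
    """Return findings; an empty list means the role is joined via member, not memberOf."""
    findings, member_added = [], False
    for rec in parse_ldif(text):
        dn = rec.get("dn", [""])[0].lower()
        if dn == ACCOUNT_DN.lower() and "memberof" in rec:
            findings.append("account entry sets memberOf directly; remove it")
        if dn == ROLE_DN.lower() and rec.get("changetype") == ["modify"]:
            members = [m.lower() for m in rec.get("member", [])]
            member_added = member_added or ACCOUNT_DN.lower() in members
    if not member_added:
        findings.append("no modify adds the account as a member of the role")
    return findings
```

Run `lint()` over an LDIF before feeding it to ldapmodify; the broken sample yields two findings and the fixed one none.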



