[Freeipa-users] FreeIPA 4.2 on CentOS 7.2 restricts access to krb* attributes

Alexander Bokovoy abokovoy at redhat.com
Tue Jun 7 14:08:53 UTC 2016


On Tue, 07 Jun 2016, Konstantin M. Khankin wrote:
>Hi Alexander!
>
>Here's the config (mostly auto-generated by ipa-client-install):
>-------------------------------------------------------------------------------------------------------------------------------------
>[domain/gsk.loc]
>cache_credentials = True
>krb5_store_password_if_offline = True
>ipa_domain = gsk.loc
>id_provider = ipa
>auth_provider = ipa
>access_provider = ipa
>ipa_hostname = garage.gsk.loc
>chpass_provider = ipa
>ipa_server = _srv_, drone.gsk.loc
>ldap_tls_cacert = /etc/ipa/ca.crt
>#ldap_search_base = cn=accounts,dc=gsk,dc=loc
>ldap_user_extra_attrs = uid, krbLastSuccessfulAuth, krbLastFailedAuth
>
>[sssd]
>services = nss, sudo, pam, ssh, ifp
>config_file_version = 2
>
>domains = gsk.loc
>[nss]
>homedir_substring = /home
>
>[pam]
>
>[sudo]
>
>[autofs]
>
>[ssh]
>
>[pac]
>
>[ifp]
>allowed_uids = apache, root
>user_attributes = +uid, +krbLastSuccessfulAuth, +krbLastFailedAuth
>-------------------------------------------------------------------------------------------------------------------------------------
Ok, for these there is a separate permission, 'System: Read User Kerberos Login Attributes'.

ipa permission-show 'System: Read User Kerberos Login Attributes'

It is by default assigned to the 'User Administrators' role. You can use
'ipa role-add-member' to add others, like hosts:

ipa role-add-member 'User Administrator' --hosts=garage.gsk.loc

-- 
/ Alexander Bokovoy
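Added example, not part of the thread above and not FreeIPA project code: a small POSIX shell script that grants a single enrolled host read access to the Kerberos login attributes through a dedicated privilege and role, instead of adding the host to 'User Administrator'. That role also carries write privileges over user accounts, so a host added to it could create and modify users with nothing more than its own keytab; a role holding only 'System: Read User Kerberos Login Attributes' is the least-privilege grant for the [ifp] consumer in the posted sssd.conf. The privilege name, role name, description strings and the verify_from_client helper are assumptions chosen for this example; the permission name and the ipa subcommands are the real ones. Run it with an admin ticket (kinit admin); setting IPA_CMD=echo prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example (not from the original thread). Grant ONE host read access to
# krbLastSuccessfulAuth / krbLastFailedAuth on users via a role that carries
# only that permission, rather than the much broader 'User Administrator' role.

# Real default permission on FreeIPA 4.x.
PERMISSION='System: Read User Kerberos Login Attributes'
# Assumed names for this example; pick whatever fits your naming scheme.
PRIVILEGE="${PRIVILEGE:-Read User Kerberos Login Attributes}"
ROLE="${ROLE:-Kerberos Login Attribute Readers}"
# IPA_CMD=echo gives a dry run that only prints the ipa invocations.
IPA_CMD="${IPA_CMD:-ipa}"

ipa_run() {
    # shellcheck disable=SC2086
    $IPA_CMD "$@"
}

# grant_krb_login_read FQDN
# Creates privilege and role if missing, then adds the host as a role member.
grant_krb_login_read() {
    host="$1"
    if [ -z "$host" ]; then
        echo "usage: grant_krb_login_read FQDN" >&2
        return 2
    fi

    # 1. Fail early if the permission is not there (it ships with 4.x).
    ipa_run permission-show "$PERMISSION" || return 1

    # 2. A privilege that carries exactly this one permission.
    ipa_run privilege-show "$PRIVILEGE" >/dev/null 2>&1 ||
        ipa_run privilege-add "$PRIVILEGE" \
            --desc='Read krbLast*Auth attributes on users' || return 1
    ipa_run privilege-add-permission "$PRIVILEGE" \
        --permissions="$PERMISSION" || return 1

    # 3. A role holding only that privilege, with the host as its member.
    ipa_run role-show "$ROLE" >/dev/null 2>&1 ||
        ipa_run role-add "$ROLE" \
            --desc='Hosts allowed to read Kerberos login attributes' || return 1
    ipa_run role-add-privilege "$ROLE" --privileges="$PRIVILEGE" || return 1
    ipa_run role-add-member "$ROLE" --hosts="$host" || return 1
}

# verify_from_client USERNAME  (run as root on the client, e.g. garage.gsk.loc)
# Flushes the SSSD cache so the entry is re-read under the new ACI, then asks
# the InfoPipe for the attributes the same way the [ifp] consumer would.
verify_from_client() {
    user="$1"
    sss_cache -E
    dbus-send --system --print-reply \
        --dest=org.freedesktop.sssd.infopipe \
        /org/freedesktop/sssd/infopipe \
        org.freedesktop.sssd.infopipe.GetUserAttr \
        string:"$user" array:string:krbLastSuccessfulAuth,krbLastFailedAuth
}

# Invoked as a script: ./grant_krb_login_read.sh garage.gsk.loc
if [ -n "${1:-}" ]; then
    grant_krb_login_read "$1"
fi
```

Note that the client's sssd.conf must list the attributes in ldap_user_extra_attrs under [domain/...] (as in the posted config) or the [ifp] user_attributes entries have nothing to expose, whatever the server-side ACI allows.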