[Freeipa-users] FreeIPA 4.2 on CentOS 7.2 restricts an access to krb* attributes

Konstantin M. Khankin khankin.konstantin at gmail.com
Tue Jun 7 17:06:14 UTC 2016


Thanks a ton Alexander, this permission fixed everything :)

2016-06-07 17:08 GMT+03:00 Alexander Bokovoy <abokovoy at redhat.com>:

> On Tue, 07 Jun 2016, Konstantin M. Khankin wrote:
>
>> Hi Alexander!
>>
>> Here's the config (mostly auto-generated by ipa-client-install):
>>
>> -------------------------------------------------------------------------------------------------------------------------------------
>> [domain/gsk.loc]
>> cache_credentials = True
>> krb5_store_password_if_offline = True
>> ipa_domain = gsk.loc
>> id_provider = ipa
>> auth_provider = ipa
>> access_provider = ipa
>> ipa_hostname = garage.gsk.loc
>> chpass_provider = ipa
>> ipa_server = _srv_, drone.gsk.loc
>> ldap_tls_cacert = /etc/ipa/ca.crt
>> #ldap_search_base = cn=accounts,dc=gsk,dc=loc
>> ldap_user_extra_attrs = uid, krbLastSuccessfulAuth, krbLastFailedAuth
>>
>> [sssd]
>> services = nss, sudo, pam, ssh, ifp
>> config_file_version = 2
>>
>> domains = gsk.loc
>> [nss]
>> homedir_substring = /home
>>
>> [pam]
>>
>> [sudo]
>>
>> [autofs]
>>
>> [ssh]
>>
>> [pac]
>>
>> [ifp]
>> allowed_uids = apache, root
>> user_attributes = +uid, +krbLastSuccessfulAuth, +krbLastFailedAuth
>>
>> -------------------------------------------------------------------------------------------------------------------------------------
>>
> Ok, for these there is a separate permission, 'System: Read User Kerberos
> Login Attributes'.
>
> ipa permission-show 'System: Read User Kerberos Login Attributes'
>
> It is by default assigned to 'User administrators' role. You can use
> 'ipa role-add-member' to add others, like hosts:
>
> ipa role-add-member 'User Administrator' --hosts=garage.gsk.loc
>
> --
> / Alexander Bokovoy
>



-- 
Ханкин Константин
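The fix above is an IPA-side permission, but the client side of the problem lives in sssd.conf: the `ldap_user_extra_attrs` list decides which LDAP attributes the host's SSSD tries to read, and `[ifp] user_attributes` decides which of them are exposed over D-Bus. The script below is an added example, not code from the thread, from SSSD or from FreeIPA. It parses an sssd.conf (a constructed sample trimmed from the one quoted above), reports which requested attributes are the Kerberos login attributes that the thread says need 'System: Read User Kerberos Login Attributes', and flags names allowed in `[ifp]` that the domain never fetches (those stay empty in InfoPipe even after the permission is granted). The set of covered attributes is taken only from the two named in the thread, and treating an unprefixed `user_attributes` entry as allowed is an assumption.

```python
import configparser

# Kerberos login attributes the thread names as covered by the IPA permission
# 'System: Read User Kerberos Login Attributes'. Compared case-insensitively,
# as LDAP attribute names are. Only the two from the thread are listed.
KRB_LOGIN_ATTRS = {"krblastsuccessfulauth", "krblastfailedauth"}

# Attributes InfoPipe serves without any extra_attrs entry (sssd-ifp defaults).
IFP_CORE_ATTRS = {"name", "uidnumber", "gidnumber", "gecos",
                  "homedirectory", "loginshell"}

# Constructed sample, trimmed from the sssd.conf quoted in the thread.
SAMPLE_SSSD_CONF = """\
[domain/gsk.loc]
id_provider = ipa
ipa_domain = gsk.loc
ipa_hostname = garage.gsk.loc
#ldap_search_base = cn=accounts,dc=gsk,dc=loc
ldap_user_extra_attrs = uid, krbLastSuccessfulAuth, krbLastFailedAuth

[sssd]
services = nss, sudo, pam, ssh, ifp
domains = gsk.loc

[ifp]
allowed_uids = apache, root
user_attributes = +uid, +krbLastSuccessfulAuth, +krbLastFailedAuth
"""


def parse_sssd_conf(text):
    """sssd.conf is INI-like: configparser lowercases keys, values keep case."""
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True)
    cp.read_string(text)
    return cp


def _split_list(value):
    return [item.strip() for item in value.split(",") if item.strip()]


def extra_attrs(cp, domain):
    """Map each ldap_user_extra_attrs entry's SSSD-side name to the LDAP
    attribute it is fetched from. Entries are 'name:ldap_attr' or 'ldap_attr'."""
    section = f"domain/{domain}"
    mapping = {}
    for item in _split_list(cp.get(section, "ldap_user_extra_attrs", fallback="")):
        name, _, ldap_attr = item.partition(":")
        mapping[name] = ldap_attr or name
    return mapping


def ifp_attrs(cp):
    """Return (allowed, denied) names from [ifp] user_attributes: a '+' prefix
    allows exposure over D-Bus, a '-' prefix denies it."""
    allowed, denied = set(), set()
    for item in _split_list(cp.get("ifp", "user_attributes", fallback="")):
        if item.startswith("+"):
            allowed.add(item[1:])
        elif item.startswith("-"):
            denied.add(item[1:])
        else:
            allowed.add(item)  # assumption: an unprefixed entry counts as allowed
    return allowed, denied


def krb_login_attrs_requested(cp, domain):
    """LDAP attributes this host's SSSD will try to read that fall under the
    'System: Read User Kerberos Login Attributes' permission, in config spelling."""
    return sorted(a for a in extra_attrs(cp, domain).values()
                  if a.lower() in KRB_LOGIN_ATTRS)


def ifp_unfetched(cp, domain):
    """Names allowed in [ifp] that neither the core set nor the domain's
    extra_attrs supply; these will be empty over D-Bus regardless of IPA ACLs."""
    fetched = {n.lower() for n in extra_attrs(cp, domain)} | IFP_CORE_ATTRS
    allowed, _ = ifp_attrs(cp)
    return sorted(n for n in allowed if n.lower() not in fetched)


if __name__ == "__main__":
    conf = parse_sssd_conf(SAMPLE_SSSD_CONF)
    print("needs Kerberos login permission:", krb_login_attrs_requested(conf, "gsk.loc"))
    print("allowed in [ifp] but never fetched:", ifp_unfetched(conf, "gsk.loc"))
```

Run it against a real /etc/sssd/sssd.conf by reading the file into `parse_sssd_conf`; the first list tells you which host identities need the permission (granted via the role membership shown in the reply above), the second catches the common misconfiguration where `[ifp]` allows an attribute the domain section never asks for.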