[Freeipa-users] how to allow a remote realm user to be an IPA admin?
Brian Cook
bcook at redhat.com
Mon Dec 10 06:39:14 UTC 2012

How do you let a remote user be an admin for IPA?

I followed the Fedora group example:

External group: ad_admins_external
POSIX group: ad_admins

Then I made ad_admins a group member of IPA group 'admins' - theoretically now MSAD\Administrator is an IPA admin? I get the following. How does this work?

Thanks,
Brian

sh-4.1$ kinit administrator@MSAD.TEST
Password for administrator@MSAD.TEST:
sh-4.1$ klist
Ticket cache: FILE:/tmp/krb5cc_1653800500
Default principal: administrator@MSAD.TEST

Valid starting     Expires            Service principal
12/09/12 22:34:43  12/10/12 08:35:09  krbtgt/MSAD.TEST@MSAD.TEST
        renew until 12/10/12 22:34:43
sh-4.1$
sh-4.1$ kinit administrator@MSAD.TEST^C
sh-4.1$
sh-4.1$ ipa user-add
ipa: ERROR: Could not create log_dir u'/home/msad.test/administrator/.ipa/log'
First name: joe
Last name: blo
User login [jblo]:
ipa: ERROR: Insufficient access: SASL(-14): authorization failure: Invalid credentials
sh-4.1$ klist
Ticket cache: FILE:/tmp/krb5cc_1653800500
Default principal: administrator@MSAD.TEST

Valid starting     Expires            Service principal
12/09/12 22:34:43  12/10/12 08:35:09  krbtgt/MSAD.TEST@MSAD.TEST
        renew until 12/10/12 22:34:43
12/09/12 22:35:31  12/10/12 08:35:09  krbtgt/IPA.TEST@MSAD.TEST
        renew until 12/10/12 22:34:43
12/09/12 22:35:09  12/10/12 08:35:09  HTTP/ipa1.ipa.test@IPA.TEST
        renew until 12/10/12 22:34:43
sh-4.1$