[Freeipa-users] HostEnrol role does not seem to work

Rob Crittenden rcritten at redhat.com
Thu Jan 17 19:40:19 UTC 2013 

Qing Chang wrote:
>
> On 17/01/2013 1:42 PM, Rob Crittenden wrote:
>> Qing Chang wrote:
>>> I assigned an IPA user account the "HostEnrol" role and run
>>> "ipa-client-install",
>>> when it got to this "User authorized to enroll computers:", I used that
>>> account,
>>> then got following:
>>> Joining realm failed: No permission to join this host to the IPA domain.
>>> Installation failed. Rolling back changes.
>>> IPA client is not configured on this system.
>>>
>>> Am I missing something here?
>>
>> What privileges are in the HostEnrol role?
>>
> it's all default, I did not make any changes.
>> Or can you show the output of this, where tuser1 is the user you're
>> trying to enroll with?
>>
>> % ipa user-show tuser1 --all --raw |grep -i member
>>
> [root at ipa1 ~]# ipa user-show testipa --all --raw |grep -i member
>    memberof: cn=ipausers,cn=groups,cn=accounts,dc=sri,dc=utoronto,dc=ca
>    memberof: cn=hostenrol,cn=roles,cn=accounts,dc=sri,dc=utoronto,dc=ca
>    memberof:
> ipauniqueid=d7f28bde-492f-11e2-b297-005056af688c,cn=sudorules,cn=sudo,dc=sri,dc=utoronto,dc=ca
>
>    memberofindirect: cn=host
> enrollment,cn=privileges,cn=pbac,dc=sri,dc=utoronto,dc=ca
>    memberofindirect: cn=manage host
> keytab,cn=permissions,cn=pbac,dc=sri,dc=utoronto,dc=ca
>    memberofindirect: cn=enroll a
> host,cn=permissions,cn=pbac,dc=sri,dc=utoronto,dc=ca
>    memberofindirect: cn=add krbprincipalname to a
> host,cn=permissions,cn=pbac,dc=sri,dc=utoronto,dc=ca
>

Ok, this is enough do do an enrollment (HostEnrol is not a default 
role). What it lacks is the ability to add a new host entry.

You can add this ability by adding the 'Add Hosts' privilege to the 
'Host Enrollment' privilege.

On the command line like this:

$ ipa privilege-add-permission 'Host Enrollment' --permissions='Add Hosts'

Note that this is expected. We delegate as few permissions by default as 
possible. The expectation is that a higher-level administrator 
pre-creates the hosts that should be allowed to be enrolled and this 
delegated role can enroll them.

rob

More information about the Freeipa-users mailing list