[Freeipa-users] HostEnrol role does not seem to work
Rob Crittenden
rcritten at redhat.com
Thu Jan 17 19:40:19 UTC 2013
Qing Chang wrote:
>
> On 17/01/2013 1:42 PM, Rob Crittenden wrote:
>> Qing Chang wrote:
>>> I assigned an IPA user account the "HostEnrol" role and run
>>> "ipa-client-install",
>>> when it got to this "User authorized to enroll computers:", I used that
>>> account,
>>> then got following:
>>> Joining realm failed: No permission to join this host to the IPA domain.
>>> Installation failed. Rolling back changes.
>>> IPA client is not configured on this system.
>>>
>>> Am I missing something here?
>>
>> What privileges are in the HostEnrol role?
>>
> it's all default, I did not make any changes.
>> Or can you show the output of this, where tuser1 is the user you're
>> trying to enroll with?
>>
>> % ipa user-show tuser1 --all --raw |grep -i member
>>
> [root at ipa1 ~]# ipa user-show testipa --all --raw |grep -i member
> memberof: cn=ipausers,cn=groups,cn=accounts,dc=sri,dc=utoronto,dc=ca
> memberof: cn=hostenrol,cn=roles,cn=accounts,dc=sri,dc=utoronto,dc=ca
> memberof: ipauniqueid=d7f28bde-492f-11e2-b297-005056af688c,cn=sudorules,cn=sudo,dc=sri,dc=utoronto,dc=ca
>
> memberofindirect: cn=host enrollment,cn=privileges,cn=pbac,dc=sri,dc=utoronto,dc=ca
> memberofindirect: cn=manage host keytab,cn=permissions,cn=pbac,dc=sri,dc=utoronto,dc=ca
> memberofindirect: cn=enroll a host,cn=permissions,cn=pbac,dc=sri,dc=utoronto,dc=ca
> memberofindirect: cn=add krbprincipalname to a host,cn=permissions,cn=pbac,dc=sri,dc=utoronto,dc=ca
>
Ok, this is enough to do an enrollment (HostEnrol is not a default
role). What it lacks is the ability to add a new host entry.
You can add this ability by adding the 'Add Hosts' privilege to the
'Host Enrollment' privilege.
On the command line like this:
$ ipa privilege-add-permission 'Host Enrollment' --permissions='Add Hosts'
Note that this is expected. We delegate as few permissions by default as
possible. The expectation is that a higher-level administrator
pre-creates the hosts that should be allowed to be enrolled and this
delegated role can enroll them.
rob
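An added example, not part of the thread and not FreeIPA project code: a small POSIX shell script that takes the raw `ipa user-show --all --raw` output for a delegated user and reports which of the permissions needed to enroll a host that does not yet exist are missing. The sample output is constructed to mirror the listing quoted above (with a made-up `dc=example,dc=test` suffix), and the set of required permissions is taken from the reply: the three the `Host Enrollment` privilege already carries, plus `Add Hosts`. Nothing here talks to an IPA server; the `ipa` commands it prints are the two remedies the reply describes.

```shell
#!/bin/sh
# Added example (not from the thread): check whether a user's effective
# permissions are enough to enroll a host that has not been pre-created.

# Permissions required to enroll a *new* host, lowercased as they appear in
# the cn= of the memberofindirect entries. The first three are what the
# default 'Host Enrollment' privilege grants; 'add hosts' is the missing one.
REQUIRED_PERMS="manage host keytab
enroll a host
add krbprincipalname to a host
add hosts"

# Constructed sample mirroring the quoted `ipa user-show testipa --all --raw`
# output. The DN suffix is an assumption, not the real domain.
SAMPLE='memberof: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=test
memberof: cn=hostenrol,cn=roles,cn=accounts,dc=example,dc=test
memberofindirect: cn=host enrollment,cn=privileges,cn=pbac,dc=example,dc=test
memberofindirect: cn=manage host keytab,cn=permissions,cn=pbac,dc=example,dc=test
memberofindirect: cn=enroll a host,cn=permissions,cn=pbac,dc=example,dc=test
memberofindirect: cn=add krbprincipalname to a host,cn=permissions,cn=pbac,dc=example,dc=test'

# The same user after `ipa privilege-add-permission 'Host Enrollment'
# --permissions='Add Hosts'`: one more permission shows up indirectly.
FIXED_SAMPLE="$SAMPLE
memberofindirect: cn=add hosts,cn=permissions,cn=pbac,dc=example,dc=test"

# Read user-show output on stdin and print the name of every permission the
# user holds, one per line, lowercased. Only entries under
# cn=permissions,cn=pbac count; privileges and roles are skipped.
granted_perms() {
    grep -i '^memberofindirect: cn=.*,cn=permissions,cn=pbac,' \
        | sed -e 's/^memberofindirect: cn=//' -e 's/,cn=permissions,cn=pbac,.*$//' \
        | tr '[:upper:]' '[:lower:]'
}

# Print each required permission absent from the user-show output given as $1.
# Exit status 0 when the user can enroll new hosts, 1 when something is missing.
missing_enroll_perms() {
    granted=$(printf '%s\n' "$1" | granted_perms)
    missing=''
    old_ifs=$IFS
    IFS='
'
    for perm in $REQUIRED_PERMS; do
        if ! printf '%s\n' "$granted" | grep -Fqx "$perm"; then
            missing="${missing}${perm}
"
        fi
    done
    IFS=$old_ifs
    printf '%s' "$missing"
    [ -z "$missing" ]
}

# Usage: report the gap and the two ways to close it.
if missing=$(missing_enroll_perms "$SAMPLE"); then
    echo "user can enroll hosts that do not exist yet"
else
    echo "permissions missing for enrolling a new host:"
    printf '%s' "$missing"
    echo "either widen the delegation:"
    echo "  ipa privilege-add-permission 'Host Enrollment' --permissions='Add Hosts'"
    echo "or keep the minimal delegation and pre-create the host as an admin:"
    echo "  ipa host-add client.example.test"
fi
```

Which remedy to pick is the point the reply makes: granting `Add Hosts` lets the delegated account create arbitrary host entries, while pre-creating the host keeps that decision with the administrator and leaves the enrollment account able to join only hosts that already exist.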