[Freeipa-users] Service account to enroll hosts

Marat Vyshegorodtsev marat.vyshegorodtsev at gmail.com
Thu Jan 28 02:36:51 UTC 2016


Wow, that worked! Thanks, you ended my week of torture :-)

For those who are interested, this is my final ldif for the host provisioning user:
dn: uid=hostadmin,cn=sysaccounts,cn=etc,dc=contoso,dc=com
changetype: add
objectclass: account
objectclass: simplesecurityobject
objectclass: inetuser
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
krbPrincipalName: hostadmin@CONTOSO.COM
userPassword: SomePassword123
passwordExpirationTime: 20371231011529Z
krbpasswordexpiration: 20371231011529Z
nsIdleTimeout: 0

dn: cn=Build Administrator,cn=roles,cn=accounts,dc=contoso,dc=com
changetype: modify
add: member
member: uid=hostadmin,cn=sysaccounts,cn=etc,dc=contoso,dc=com

On Thu, Jan 28, 2016 at 11:25 AM, Rob Crittenden <rcritten at redhat.com> wrote:
> Marat Vyshegorodtsev wrote:
>> Tried that.
>>
>> Originally I had just a normal user of a role "Build Administrator".
>> It worked perfectly.
>>
>> Service account doesn't seem to recognize its privileges either way
>> (explicit membership assignment or through roles).
>>
>> Originally it was like this (working perfectly):
>> http://pastebin.com/baqcthy5
>>
>> However, I don't like hostadmin hanging among regular users.
>>
>> So I moved this account away to its own ldif:
>> dn: uid=hostadmin,cn=sysaccounts,cn=etc,dc=contoso,dc=com
>> changetype: add
>> objectclass: account
>> objectclass: simplesecurityobject
>> objectclass: inetuser
>> objectclass: krbprincipalaux
>> objectclass: krbticketpolicyaux
>> krbPrincipalName: hostadmin@<%= @realm %>
>> memberOf: cn=Build Administrator,cn=roles,cn=accounts,dc=contoso,dc=com
>> userPassword: <%= @hostadmin_pwd %>
>> passwordExpirationTime: <%= @pwd_expiration %>
>> krbpasswordexpiration: <%= @pwd_expiration %>
>> nsIdleTimeout: 0
>>
>> This didn't work (same error: not enough privileges), so I started
>> experimenting with explicit privileges assignment by basically copying
>> them from the default "admin" user. Didn't work either.
>>
>> I wonder what I am doing wrong.
>
> I already told you: don't add an explicit memberOf.
>
> You need a separate modify to add this user as a member of (NOT
> memberOf) the role:
>
> dn: cn=Build Administrator,cn=roles,cn=accounts,dc=contoso,dc=com
> changetype: modify
> add: member
> member: uid=hostadmin,cn=sysaccounts,cn=etc,dc=contoso,dc=com
>
> rob
>
>>
>> On Thu, Jan 28, 2016 at 1:03 AM, Rob Crittenden <rcritten at redhat.com> wrote:
>>> Marat Vyshegorodtsev wrote:
>>>> Hi!
>>>>
>>>> I'm trying to build an auto-enrollment script that would leverage a
>>>> service account to enroll hosts.
>>>>
>>>> Here is the LDIF for this service account:
>>>> https://gist.github.com/touzoku/2b03a47d3f0bcfbdf30a
>>>>
>>>> This service account is created successfully, but when I try to:
>>>> 1) kinit hostadmin
>>>> 2) ipa host-add foobar.contoso.com
>>>>
>>>> The following error appears:
>>>> ipa: ERROR: Insufficient access: Insufficient 'add' privilege to add
>>>> the entry 'fqdn=foobar.contoso.com,cn=computers,cn=accounts,dc=contoso,dc=com'.
>>>>
>>>> Which privilege am I missing? A normal (posix) user, with the same set
>>>> of privileges worked fine, the problem started to happen when I moved
>>>> user from normal users to cn=sysaccounts,cn=etc.
>>>>
>>>> Also, is my set of privileges minimal? Which privileges do I need to
>>>> just add host entries?
>>>>
>>>
>>> You should not directly add memberOf values. You should add the user as
>>> a member of the respective roles and the rest should follow naturally.
>>> So you'll need to add this entry then do a modify to add it as a member
>>> of one or more roles.
>>>
>>> rob
>>>
>>>
>

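As an added example (not from the thread and not FreeIPA's own code), a small Python script that generates the two-record LDIF Rob describes for a system account and lints an LDIF for the hand-written memberOf mistake; BASE_DN, REALM and the role name are taken from the thread, the function names and the lint rules are my own.

```python
"""Constructed example: generate and lint the two-record LDIF that a FreeIPA
host-provisioning system account needs. The 'add' goes under
cn=sysaccounts,cn=etc; a separate 'modify' adds it to the role's member
attribute. memberOf is computed by the server and must not be set by hand."""
BASE_DN, REALM = "dc=contoso,dc=com", "CONTOSO.COM"  # from the thread; adjust

def sysaccount_ldif(uid, password, role, expiry="20371231011529Z"):
    """Account 'add' record followed by the role 'modify' record."""
    account_dn = f"uid={uid},cn=sysaccounts,cn=etc,{BASE_DN}"
    role_dn = f"cn={role},cn=roles,cn=accounts,{BASE_DN}"
    account = [f"dn: {account_dn}", "changetype: add",
               "objectClass: account", "objectClass: simplesecurityobject",
               "objectClass: inetuser", "objectClass: krbprincipalaux",
               "objectClass: krbticketpolicyaux",
               f"krbPrincipalName: {uid}@{REALM}", f"userPassword: {password}",
               f"passwordExpirationTime: {expiry}",
               f"krbPasswordExpiration: {expiry}", "nsIdleTimeout: 0"]
    role_mod = [f"dn: {role_dn}", "changetype: modify",
                "add: member", f"member: {account_dn}"]
    return "\n".join(account) + "\n\n" + "\n".join(role_mod) + "\n"

def parse_ldif(text):
    """Minimal reader: one dict per record, attribute names lower-cased (LDAP
    compares them case-insensitively); base64 ('::') values are not handled."""
    records = []
    for block in text.strip().split("\n\n"):
        rec = {}
        for line in block.splitlines():
            if line and not line.startswith("#"):
                name, _, value = line.partition(":")
                rec.setdefault(name.strip().lower(), []).append(value.strip())
        records.append(rec)
    return records

def lint(text):
    """Flag a hand-written memberOf on a sysaccount, and a sysaccount that no
    role 'modify' record lists as a member (the two mistakes in the thread)."""
    records = parse_ldif(text)
    granted = {m.lower() for r in records if r.get("changetype") == ["modify"]
               for m in r.get("member", [])}
    problems = []
    for r in records:
        dn = r["dn"][0]
        if r.get("changetype") == ["add"] and ",cn=sysaccounts," in dn:
            if "memberof" in r:
                problems.append(f"{dn}: memberOf must not be set directly")
            if dn.lower() not in granted:
                problems.append(f"{dn}: no role 'modify' adds it as a member")
    return problems
```

Feed the generated text to `ldapmodify` bound as an administrator; the password is written in clear, so keep the file out of version control.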