Host Administrators could not write to service keytab attribute and thus they could not run the host-disable command.
https://fedorahosted.org/freeipa/ticket/4284 -- Martin Kosek <mko...@redhat.com> Supervisor, Software Engineering - Identity Management Team Red Hat Inc.
From deea78acc09fe3da9885c0cda49b0bb39e62b26e Mon Sep 17 00:00:00 2001
From: Martin Kosek <mko...@redhat.com>
Date: Fri, 27 Jun 2014 16:14:56 +0200
Subject: [PATCH] Let Host Administrators use host-disable command

Host Administrators could not write to service keytab attribute and thus they could not run the host-disable command.
https://fedorahosted.org/freeipa/ticket/4284
---
 ipalib/plugins/service.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipalib/plugins/service.py b/ipalib/plugins/service.py
index 8d6a147115673796beea901b9f69d188d983402a..9f3791aab6cb1f52e370f08a2375c4cdb3e1469d 100644
--- a/ipalib/plugins/service.py
+++ b/ipalib/plugins/service.py
@@ -343,7 +343,7 @@ class service(LDAPObject):
 'replaces': [
 '(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service keytab,cn=permissions,cn=pbac,$SUFFIX";)',
 ],
- 'default_privileges': {'Service Administrators'},
+ 'default_privileges': {'Service Administrators', 'Host Administrators'},
 },
 'System: Modify Services': {
 'ipapermright': {'write'},
-- 
1.9.3
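Review bot: Adding 'Host Administrators' to `default_privileges` grants more than host-disable appears to need. Judging from the legacy ACI in `replaces`, this permission allows write on `krbprincipalkey` and `krblastpwdchange` for every entry matching `krbprincipalname=*` under `cn=services,cn=accounts`, not only the services of the host being disabled. The permission's own target and attribute list begin above the hunk, so this should be confirmed against the full entry. If the wider grant is intended, record the reason next to it, e.g. `# Host Administrators: host-disable must clear the keytabs of the host's services (ticket 4284)`, so a later least-privilege review does not have to rediscover it. The patch touches only service.py, so a test that a Host Administrators member can run host-disable, and a check of how this default reaches already-deployed servers, would need to come separately.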