Host Administrators could not write to service keytab attribute and
thus they could not run the host-disable command.

https://fedorahosted.org/freeipa/ticket/4284

-- 
Martin Kosek <mko...@redhat.com>
Supervisor, Software Engineering - Identity Management Team
Red Hat Inc.
From deea78acc09fe3da9885c0cda49b0bb39e62b26e Mon Sep 17 00:00:00 2001
From: Martin Kosek <mko...@redhat.com>
Date: Fri, 27 Jun 2014 16:14:56 +0200
Subject: [PATCH] Let Host Administrators use host-disable command

Host Administrators could not write to service keytab attribute and
thus they could not run the host-disable command.

https://fedorahosted.org/freeipa/ticket/4284
---
 ipalib/plugins/service.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipalib/plugins/service.py b/ipalib/plugins/service.py
index 8d6a147115673796beea901b9f69d188d983402a..9f3791aab6cb1f52e370f08a2375c4cdb3e1469d 100644
--- a/ipalib/plugins/service.py
+++ b/ipalib/plugins/service.py
@@ -343,7 +343,7 @@ class service(LDAPObject):
             'replaces': [
                 '(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX";)(version 3.0;acl "permission:Manage service keytab";allow (write) groupdn = "ldap:///cn=Manage service keytab,cn=permissions,cn=pbac,$SUFFIX";)',
             ],
-            'default_privileges': {'Service Administrators'},
+            'default_privileges': {'Service Administrators', 'Host Administrators'},
         },
         'System: Modify Services': {
             'ipapermright': {'write'},
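Review bot: Adding 'Host Administrators' to 'default_privileges' on this permission grants more than host-disable needs. Judging by the ACI listed under 'replaces', the permission allows write on krbprincipalkey and krblastpwdchange for every entry matching krbprincipalname=*,cn=services,cn=accounts,$SUFFIX, so members of Host Administrators would be able to change or clear the keys of any service principal, not only the services of the host being disabled. If that wider grant is intended, the commit message should say so explicitly; otherwise consider a narrower permission scoped to what host-disable actually modifies. A test that runs host-disable as a member of Host Administrators would also keep this from regressing.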
-- 
1.9.3

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
