Hi Alexander,

the main reason for us was that AD users can export keytab files for
their managed services. With current FreeIPA it's not possible, so the
admin team will do the job.

Thx for linking to documentation for RedHat 8, this is what we want (in
the future).

Greetings,

Micha


On 26.11.18 at 09:58, Alexander Bokovoy wrote:
> On Mon, 26 Nov 2018, Michael Gusek via FreeIPA-users wrote:
>> Thx a lot. So we will export keytabs for our AD users.
> Sorry, how would this help? Your real issue is that you cannot assign
> group membership in LDAP to AD users, this is where access rights are
> checked.
>
> You can read a basic explanation at
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8-beta/html/installing_identity_management_and_access_control/enabling-ad-user-to-administer-idm-fin-fin
>
>
> or more details at https://github.com/abbra/freeipa-adusers-admins
>
>>
>> Micha
>>
>>
>> On 23.11.18 at 16:25, Alexander Bokovoy via FreeIPA-users wrote:
>>> Not possible in CentOS 7.
>>>
>>> Possible in RHEL8 beta.
>>>
>>> (Sorry for being short, I'm on the phone)
>>>
>>> ----- Michael Gusek via FreeIPA-users
>>> <freeipa-users@lists.fedorahosted.org> wrote:
>>>> Hi,
>>>>
>>>> we are running FreeIPA 4.5.4 on CentOS 7 with a one-way trust to an
>>>> Active Directory. We want to allow AD users to retrieve service keytab
>>>> on FreeIPA managed hosts. AD users are linked to an external group, and
>>>> this group to a FreeIPA group.  We've created a service and allowed
>>>> FreeIPA group (for testing external group too) to retrieve keytab. Now
>>>> we logged in with AD credentials to a FreeIPA managed host, got a
>>>> ticket with kinit user@AD-domain and tried to retrieve keytab for
>>>> service, which runs into an error "Failed to parse result: Insufficient
>>>> access rights". With a FreeIPA user, added to FreeIPA group above, it
>>>> works.
>>>>
>>>> So what are we missing here? Is it possible to retrieve service
>>>> keytabs
>>>> as a trusted AD user?
>>>>
>>>> Thanks.
>>>>
>>>>
>>>> _______________________________________________
>>>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>>>> To unsubscribe send an email to
>>>> freeipa-users-le...@lists.fedorahosted.org
>>>> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
>>>> List Guidelines:
>>>> https://fedoraproject.org/wiki/Mailing_list_guidelines
>>>> List Archives:
>>>> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
>> -- 
>>
>> ________________________________________________
>>
>>
>> *Michael Gusek* | System Administrator | Webtrekk GmbH |
>> *t* +49 30 755 415 302 | *f* +49 30 755 415 100 | *w* www.webtrekk.com
>> <https://www.webtrekk.com/?wt_mc=signature.-.-.-.homepageURL>
>> Amtsgericht/Local Court Berlin, HRB 93435 B | Geschäftsführer/CEO
>> Christian Sauer und Norman Wahnschaff
>>
>>
>
>
>
-- 

________________________________________________


*Michael Gusek* | System Administrator | Webtrekk GmbH |
*t* +49 30 755 415 302 | *f* +49 30 755 415 100 | *w* www.webtrekk.com
<https://www.webtrekk.com/?wt_mc=signature.-.-.-.homepageURL>
Amtsgericht/Local Court Berlin, HRB 93435 B | Geschäftsführer/CEO
Christian Sauer und Norman Wahnschaff

