On 17/01/2013 1:42 PM, Rob Crittenden wrote:
Qing Chang wrote:
I assigned an IPA user account the "HostEnrol" role and ran
"ipa-client-install". When it got to this "User authorized to enroll
computers:", I used that account, then got the following:
Joining realm failed: No permission to join this host to the IPA domain.
Installation failed. Rolling back changes.
IPA client is not configured on this system.

Am I missing something here?

What privileges are in the HostEnrol role?

It's all default, I did not make any changes.
Or can you show the output of this, where tuser1 is the user you're trying to enroll with?

% ipa user-show tuser1 --all --raw |grep -i member

[root@ipa1 ~]# ipa user-show testipa --all --raw |grep -i member
  memberof: cn=ipausers,cn=groups,cn=accounts,dc=sri,dc=utoronto,dc=ca
  memberof: cn=hostenrol,cn=roles,cn=accounts,dc=sri,dc=utoronto,dc=ca
  memberof: ipauniqueid=d7f28bde-492f-11e2-b297-005056af688c,cn=sudorules,cn=sudo,dc=sri,dc=utoronto,dc=ca
  memberofindirect: cn=host enrollment,cn=privileges,cn=pbac,dc=sri,dc=utoronto,dc=ca
  memberofindirect: cn=manage host keytab,cn=permissions,cn=pbac,dc=sri,dc=utoronto,dc=ca
  memberofindirect: cn=enroll a host,cn=permissions,cn=pbac,dc=sri,dc=utoronto,dc=ca
  memberofindirect: cn=add krbprincipalname to a host,cn=permissions,cn=pbac,dc=sri,dc=utoronto,dc=ca

rob
