On 17/01/2013 2:40 PM, Rob Crittenden wrote:
Qing Chang wrote:

On 17/01/2013 1:42 PM, Rob Crittenden wrote:
Qing Chang wrote:
I assigned an IPA user account the "HostEnrol" role and ran
when it got to this "User authorized to enroll computers:", I used that
then got the following:
Joining realm failed: No permission to join this host to the IPA domain.
Installation failed. Rolling back changes.
IPA client is not configured on this system.

Am I missing something here?

What privileges are in the HostEnrol role?

it's all default, I did not make any changes.
Or can you show the output of this, where tuser1 is the user you're
trying to enroll with?

% ipa user-show tuser1 --all --raw |grep -i member

[root@ipa1 ~]# ipa user-show testipa --all --raw |grep -i member
   memberof: cn=ipausers,cn=groups,cn=accounts,dc=sri,dc=utoronto,dc=ca
   memberof: cn=hostenrol,cn=roles,cn=accounts,dc=sri,dc=utoronto,dc=ca

   memberofindirect: cn=host
   memberofindirect: cn=manage host
   memberofindirect: cn=enroll a
   memberofindirect: cn=add krbprincipalname to a

Ok, this is enough to do an enrollment (HostEnrol is not a default role). What it lacks is the ability to add a new host entry.

You can add this ability by adding the 'Add Hosts' privilege to the 'Host 
Enrollment' privilege.

On the command line like this:

$ ipa privilege-add-permission 'Host Enrollment' --permissions='Add Hosts'

Note that this is expected. We delegate as few permissions by default as possible. The expectation is that a higher-level administrator pre-creates the hosts that should be allowed to be enrolled and this delegated role can enroll them.

agreed. Maybe this sort of thing can be put into a FAQ?
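As an added example (not from this thread or from the FreeIPA project), here is a small check that reads the output of `ipa user-show <user> --all --raw`, collects the permissions the user reaches through role and privilege membership, and says whether enrollment will work for a pre-created host, for a host that does not exist yet, or not at all. The sample output is constructed; the full permission names 'Enroll a host', 'Manage host keytab' and 'Add Hosts' and the `cn=permissions,cn=pbac` / `cn=privileges,cn=pbac` containers are assumed from FreeIPA's default schema, since the thread shows them only truncated.

```python
"""Check whether an IPA user's effective permissions allow host enrollment.

Parses `ipa user-show <user> --all --raw` output, extracts the permission
names reachable via memberof/memberofindirect, and reports whether the user
can enroll a pre-created host and whether it may also create the host entry.
"""
import re
from typing import Dict, List, Set

# Assumed FreeIPA default permission names (raw output shows cn values lowercased).
ENROLL_PERMISSION = "enroll a host"
ADD_HOSTS_PERMISSION = "add hosts"

# Constructed sample, shaped like `ipa user-show testipa --all --raw | grep -i member`
# for a user in a custom role carrying the default 'Host Enrollment' privilege.
SAMPLE_RAW = """\
  memberof: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=test
  memberof: cn=hostenrol,cn=roles,cn=accounts,dc=example,dc=test
  memberofindirect: cn=host enrollment,cn=privileges,cn=pbac,dc=example,dc=test
  memberofindirect: cn=manage host keytab,cn=permissions,cn=pbac,dc=example,dc=test
  memberofindirect: cn=enroll a host,cn=permissions,cn=pbac,dc=example,dc=test
"""


def parse_raw(text: str) -> Dict[str, List[str]]:
    """Turn `attr: value` lines into a mapping attr -> [values] (attr lowercased)."""
    entry: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        attr, value = line.split(":", 1)
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def first_rdn_value(dn: str) -> str:
    """Return the value of the leading RDN of a DN ('cn=x,cn=y,...' -> 'x')."""
    m = re.match(r"\s*[^=,]+=([^,]*)", dn)
    return m.group(1).strip().lower() if m else ""


def effective_permissions(entry: Dict[str, List[str]]) -> Set[str]:
    """Collect permission names the user reaches directly or via roles/privileges."""
    names: Set[str] = set()
    for dn in entry.get("memberofindirect", []) + entry.get("memberof", []):
        if ",cn=permissions," in dn.lower():
            names.add(first_rdn_value(dn))
    return names


def enrollment_check(raw_text: str, host_precreated: bool) -> Dict[str, object]:
    """Decide whether ipa-client-install run as this user should succeed."""
    perms = effective_permissions(parse_raw(raw_text))
    can_enroll = ENROLL_PERMISSION in perms
    can_add = ADD_HOSTS_PERMISSION in perms
    # The host entry must already exist, or the user must be allowed to create it.
    ok = can_enroll and (host_precreated or can_add)
    if ok:
        advice = "enrollment should succeed"
    elif not can_enroll:
        advice = ("user lacks 'Enroll a host'; assign a role that carries the "
                  "'Host Enrollment' privilege")
    else:
        advice = ("host entry missing and user cannot create it: pre-create it with "
                  "'ipa host-add' as an admin, or run "
                  "ipa privilege-add-permission 'Host Enrollment' --permissions='Add Hosts'")
    return {"can_enroll": can_enroll, "can_add_hosts": can_add, "ok": ok, "advice": advice}


if __name__ == "__main__":
    for pre in (False, True):
        print(f"host pre-created={pre}: {enrollment_check(SAMPLE_RAW, pre)}")
```

The check mirrors the two outcomes described above: with only the 'Host Enrollment' privilege the user can join a host an administrator has already created, and the "No permission to join" failure appears when the host entry is missing and 'Add Hosts' has not been delegated.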



Freeipa-users mailing list