William wrote:
> Hi,
>
> I am trying to allow a radius service account the ability to read
> ipaNTHash. I carried out the following steps:
>
> ipa permission-add 'ipaNTHash service read' --attrs=ipaNTHash --type=user --permissions=read
> -----------------------------------------
> Added permission "ipaNTHash service read"
> -----------------------------------------
> Permission name: ipaNTHash service read
> Permissions: read
> Attributes: ipanthash
> Type: user
>
> ipa privilege-add 'Radius services' --desc='Privileges needed to allow radiusd servers to operate'
>
> ipa privilege-add-permission 'Radius services' --permissions='ipaNTHash service read'
> Privilege name: Radius services
> Description: Privileges needed to allow radiusd servers to operate
> Permissions: ipaNTHash service read
> -----------------------------
> Number of permissions added 1
> -----------------------------
>
> ipa role-add 'Radius server' --desc="Radius server role"
> --------------------------
> Added role "Radius server"
> --------------------------
> Role name: Radius server
> Description: Radius server role
>
> ipa service-add 'radius/lorna.dev.blackhats.net.au'
> ----------------------------------------------------------------------
> Added service "radius/lorna.dev.blackhats.net...@dev.blackhats.net.au"
> ----------------------------------------------------------------------
> Principal: radius/lorna.dev.blackhats.net...@dev.blackhats.net.au
> Managed by: lorna.dev.blackhats.net.au
>
> ipa role-add-member 'Radius server' --hosts='lorna.dev.blackhats.net.au'
> Role name: Radius server
> Description: Radius server role
> Member hosts: lorna.dev.blackhats.net.au
> Privileges: Radius services
> -------------------------
> Number of members added 1
> -------------------------
>
> ipa-getkeytab -p 'radius/lorna.dev.blackhats.net.au' -s lorna.dev.blackhats.net.au -k /root/radiusd.keytab
> kinit -t /root/radiusd.keytab -k radius/lorna.dev.blackhats.net.au
>
> After these steps I did an ldapwhoami and attempted to get the ipaNTHash
> from an account: it didn't work. I believe this is because the whoami
> shows the account binds as a different DN than the host account, thus
> the permission isn't applied. But there is no way in the UI or CLI to
> add permissions to a service account. How should I proceed?
You can't delegate permissions to a service. See https://fedorahosted.org/freeipa/ticket/3644

rob
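As an added illustration (not code from the thread or from FreeIPA): William's own diagnosis is that the keytab binds as a different DN than the host entry that was made a role member. The script below assumes FreeIPA's standard `cn=accounts` tree layout and derives the realm from the base DN; it maps each principal to the entry it binds as and shows why a role granted to the host never covers a bind made with the service keytab.

```python
import re

def realm_from_base_dn(base_dn: str) -> str:
    """Derive the Kerberos realm FreeIPA uses from the base DN (dc=a,dc=b -> A.B)."""
    parts = re.findall(r"dc=([^,]+)", base_dn, flags=re.IGNORECASE)
    return ".".join(p.upper() for p in parts)

def principal_to_dn(principal: str, base_dn: str) -> str:
    """Entry a principal authenticates as, under FreeIPA's standard cn=accounts layout."""
    name, _, realm = principal.partition("@")
    realm = realm or realm_from_base_dn(base_dn)
    if "/" not in name:                        # plain user principal
        return f"uid={name},cn=users,cn=accounts,{base_dn}"
    svc, host = name.split("/", 1)
    if svc == "host":                          # host principal -> computer entry
        return f"fqdn={host},cn=computers,cn=accounts,{base_dn}"
    # every other service principal is its own entry under cn=services
    return f"krbprincipalname={name}@{realm},cn=services,cn=accounts,{base_dn}"

def role_covers_bind(role_member_dns, bind_dn: str) -> bool:
    """A role's privileges reach a bind only if the bound entry itself is a role member."""
    return bind_dn.lower() in {d.lower() for d in role_member_dns}

def diagnose(keytab_principal: str, role_host: str, base_dn: str) -> dict:
    """Compare the DN the keytab binds as with the DN the role was actually granted to."""
    bind_dn = principal_to_dn(keytab_principal, base_dn)
    member_dn = principal_to_dn(f"host/{role_host}", base_dn)
    return {"bind_dn": bind_dn,
            "role_member_dn": member_dn,
            "covered": role_covers_bind([member_dn], bind_dn)}

if __name__ == "__main__":
    # Constructed input mirroring the thread: role granted to the host, keytab for the service.
    BASE = "dc=dev,dc=blackhats,dc=net,dc=au"
    result = diagnose("radius/lorna.dev.blackhats.net.au", "lorna.dev.blackhats.net.au", BASE)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Compare `bind_dn` with what `ldapwhoami -Y GSSAPI` reports after the `kinit`; when it lands under `cn=services` while the role member sits under `cn=computers`, the permission was never attached to the identity doing the read.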