On 08/13/2014 02:27 AM, William wrote:
> On Tue, 2014-08-12 at 13:51 -0400, Rob Crittenden wrote:
>> William wrote:
>>> Hi,
>>>
>>> I am trying to allow a radius service account the ability to read
>>> ipaNTHash. I carried out the following steps:
>>>
>>
>> You can't delegate permissions to a service. See
>> https://fedorahosted.org/freeipa/ticket/3644
>>
>> rob
>
>
> For now, should I just add the service DN as a member of the role to
> enable this?
Rob used the wrong ticket; this is the one:
https://fedorahosted.org/freeipa/ticket/3164

It is currently planned for FreeIPA 4.1. If you are interested in
contributing a patch, please feel free to do so, this would be a simple
one :-)

Anyway, to fix your permission delegation problem, check this:

# ipa service-show foo/`hostname` --all --raw | grep "dn:"
dn: krbprincipalname=foo/ipa.mkosek-fedora20.t...@mkosek-fedora20.test,cn=services,cn=accounts,dc=mkosek-fedora20,dc=test

# ipa role-show test_role --all --raw | grep "dn:"
dn: cn=test_role,cn=roles,cn=accounts,dc=mkosek-fedora20,dc=test

# kinit admin
Password for ad...@mkosek-fedora20.test:

# ldapmodify -Y GSSAPI
SASL/GSSAPI authentication started
SASL username: ad...@mkosek-fedora20.test
SASL SSF: 56
SASL data security layer installed.
dn: cn=test_role,cn=roles,cn=accounts,dc=mkosek-fedora20,dc=test
changetype: modify
add: member
member: krbprincipalname=foo/ipa.mkosek-fedora20.t...@mkosek-fedora20.test,cn=services,cn=accounts,dc=mkosek-fedora20,dc=test

modifying entry "cn=test_role,cn=roles,cn=accounts,dc=mkosek-fedora20,dc=test"

# ipa role-show test_role --all --raw
...
member: krbprincipalname=foo/ipa.mkosek-fedora20.t...@mkosek-fedora20.test,cn=services,cn=accounts,dc=mkosek-fedora20,dc=test
...

Then, the role and assigned privileges/permissions should work for this
service.

Martin

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
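The role-membership change Martin walks through above, as an added example that is not part of the thread and not FreeIPA project code: a small POSIX shell script that builds the service and role DNs in the same shape the `ipa ... --raw` output shows them, checks the raw `ipa role-show` output for an existing `member:` line so the change can be re-run safely, and emits the LDIF that `ldapmodify` expects. The base DN `dc=example,dc=test`, the role-show output, and the `radius/...` principal are constructed sample values; the real `ipa` and `ldapmodify` invocations appear only in comments so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the thread): build the ldapmodify LDIF that adds an
# IPA service principal to an RBAC role, after checking whether it is already
# a member. All DNs, names and the role-show output below are constructed.

# Constructed stand-in for `ipa role-show test_role --all --raw` output.
SAMPLE_ROLE_SHOW='dn: cn=test_role,cn=roles,cn=accounts,dc=example,dc=test
cn: test_role
description: constructed sample role
member: uid=alice,cn=users,cn=accounts,dc=example,dc=test
objectclass: groupofnames
objectclass: nestedgroup
objectclass: top'

# service_dn PRINCIPAL BASE_DN
# DN of a service entry under cn=services,cn=accounts, in the shape that
# `ipa service-show --raw` prints it.
service_dn() {
    printf 'krbprincipalname=%s,cn=services,cn=accounts,%s\n' "$1" "$2"
}

# role_dn ROLE BASE_DN
# DN of a role entry under cn=roles,cn=accounts.
role_dn() {
    printf 'cn=%s,cn=roles,cn=accounts,%s\n' "$1" "$2"
}

# role_has_member RAW_ROLE_SHOW DN
# Succeeds when the raw role-show output already lists DN as a member.
# Fixed-string, whole-line, case-insensitive match so DN case differences
# do not produce a duplicate add.
role_has_member() {
    printf '%s\n' "$1" | grep -qiFx "member: $2"
}

# member_add_ldif ROLE PRINCIPAL BASE_DN
# Emits the same modify operation that was typed into ldapmodify by hand.
member_add_ldif() {
    printf 'dn: %s\nchangetype: modify\nadd: member\nmember: %s\n' \
        "$(role_dn "$1" "$3")" "$(service_dn "$2" "$3")"
}

# ensure_member RAW_ROLE_SHOW ROLE PRINCIPAL BASE_DN
# Prints "present" when no change is needed, otherwise the LDIF to apply.
ensure_member() {
    if role_has_member "$1" "$(service_dn "$3" "$4")"; then
        echo present
    else
        member_add_ldif "$2" "$3" "$4"
    fi
}

# Demonstration on the constructed sample. Against a real server you would
# feed `ipa role-show "$ROLE" --all --raw` in place of SAMPLE_ROLE_SHOW and
# pipe any emitted LDIF into `ldapmodify -Y GSSAPI` after `kinit admin`.
ROLE=test_role
SVC='radius/ipa.example.test@EXAMPLE.TEST'
BASE='dc=example,dc=test'
ensure_member "$SAMPLE_ROLE_SHOW" "$ROLE" "$SVC" "$BASE"
```

Membership grants the service every permission behind the role's privileges, not just the one attribute read, so after applying the LDIF it is worth re-reading `ipa role-show ROLE --all` and confirming the privilege list is as narrow as intended.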