SOLVED. realm-proxy has to be an indirect member of:

memberofindirect: cn=manage host keytab,cn=privileges,cn=pbac,dc=example,dc=com
Thanks for your help.

2014-09-09 16:59 GMT+02:00 Rob Crittenden <rcrit...@redhat.com>:
> James James wrote:
> > My user : realm-proxy is in a group (Smart Proxy Host Management) which
> > has the Manage host keytab permission :
> >
> > Permission name: Manage host keytab
> > Permissions: write
> > Attributes: krbprincipalkey, krblastpwdchange
> > Type: host
> > Granted to Privilege: Host Administrators, Host Enrollment, Smart
> > Proxy Host Management
> >
> > When I try to retrieve a keytab from another host when my principal is
> > the realm-proxy :
> >
> > [root@client1 ~]# kinit realm-pr...@example.com -k -t /tmp/freeipa.keytab
> >
> > [root@client1 ~]# klist
> >
> > Ticket cache: KEYRING:persistent:0:0
> > Default principal: realm-pr...@example.com
> >
> > Valid starting       Expires              Service principal
> > 09/09/2014 14:35:50  09/10/2014 14:35:50  krbtgt/example....@example.com
> >
> > [root@client1 ~]# ipa-getkeytab --server=ipa.example.com --principal=host/client1.example.com --keytab=/etc/krb5.keytab
> > Operation failed! Insufficient access rights
> >
> > I can't retrieve the key ..
>
> I'd need to see the smart-proxy user, show --all --raw would be best.
>
> I just tested this on a RHEL-6 instance I had handy and it worked fine:
>
> # ipa user-add --first=test --last=user tuser1 --password
> # ipa role-add 'host keytab' --desc 'manage host keytabs'
> # ipa privilege-add 'manage host keytab' --desc 'manage host keytabs'
> # ipa privilege-add-permission 'manage host keytab' --permissions='manage host keytab'
> # ipa role-add-privilege 'host keytab' --privileges='manage host keytab'
> # ipa role-add-member --users=tuser1 'host keytab'
> # kinit tuser1
> # ipa-getkeytab -s `hostname` -k /tmp/test.keytab -p host/test.example.com
> Keytab successfully retrieved and stored in: /tmp/test.keytab
>
> rob
>
> >
> > 2014-09-09 16:14 GMT+02:00 Rob Crittenden <rcrit...@redhat.com>:
> >
> > James James wrote:
> > > My IPA version is 3.0.0 .
> > > Thanks
> >
> > The permission 'Manage host keytab' should do the trick.
> >
> > rob
> >
> > >
> > > 2014-09-09 1:22 GMT+02:00 Dmitri Pal <d...@redhat.com>:
> > >
> > > On 09/08/2014 06:52 PM, James James wrote:
> > >> Hi everybody,
> > >>
> > >> I want a user to be able to do ipa-getkeytab to retrieve the keys
> > >> from any host in the realm.
> > >>
> > >> How can I do this ?
> > >>
> > >> Where I can find an ACI example
> > >> (https://www.redhat.com/archives/freeipa-users/2010-July/msg00024.html)
> > >> which can help me ?
> > >>
> > >> Thanks for your help.
> > >
> > > Which version of IPA?
> > > The reason for the question is because in FreeIPA 4.0 the ACIs
> > > were significantly reworked.
> > >
> > > --
> > > Thank you,
> > > Dmitri Pal
> > >
> > > Sr. Engineering Manager IdM portfolio
> > > Red Hat, Inc.
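An added illustration of what the "memberofindirect" fix above means, not code from the thread or from the FreeIPA project: a small Python model of the membership chain that Rob's commands build (user or group, then role, then privilege, then permission). A FreeIPA user gets the permission only when the permission entry is reachable through that chain, which is what the memberOf plugin exposes as memberof (direct) and memberofindirect (transitive) on the user entry. The DNs, the group and role names, and the "before" and "after" directory contents are constructed assumptions modelled on the names in this thread, not data read from a real server.

```python
from collections import deque

# Constructed model of the FreeIPA RBAC chain:
# user -> (group) -> role -> privilege -> permission.
# Each container entry lists its members in 'member'; the memberOf plugin
# derives memberof (direct) and memberofindirect (transitive) from that.
# The DNs follow the cn=accounts / cn=pbac layout but are assumptions here.
BASE = "dc=example,dc=com"
USER = f"uid=realm-proxy,cn=users,cn=accounts,{BASE}"
GROUP = f"cn=smart proxy host management,cn=groups,cn=accounts,{BASE}"
ROLE = f"cn=host keytab,cn=roles,cn=accounts,{BASE}"
PRIVILEGE = f"cn=manage host keytab,cn=privileges,cn=pbac,{BASE}"
PERMISSION = f"cn=manage host keytab,cn=permissions,cn=pbac,{BASE}"

# Constructed "before": the user sits in a group and the permission is
# granted to the privilege, but no role ties the group to the privilege.
BROKEN = {
    GROUP: {USER},
    PRIVILEGE: set(),
    PERMISSION: {PRIVILEGE},
}

# Constructed "after": a role holds the group and is itself a member of the
# privilege, so the user now reaches the permission transitively.
FIXED = {
    GROUP: {USER},
    ROLE: {GROUP},
    PRIVILEGE: {ROLE},
    PERMISSION: {PRIVILEGE},
}


def containers_of(directory, dn):
    """Entries whose 'member' attribute lists dn (the user's memberof values)."""
    return {c for c, members in directory.items() if dn in members}


def memberships(directory, dn):
    """Split dn's memberships into (direct, indirect), mirroring the
    memberof / memberofindirect attributes on a FreeIPA entry."""
    direct = containers_of(directory, dn)
    seen = set(direct)
    queue = deque(direct)
    while queue:
        for parent in containers_of(directory, queue.popleft()):
            if parent not in seen:
                seen.add(parent)
                queue.append(parent)
    return direct, seen - direct


def can_use_permission(directory, user_dn, permission_dn):
    """True when the permission appears in the user's memberof or
    memberofindirect, i.e. the RBAC chain is complete."""
    direct, indirect = memberships(directory, user_dn)
    return permission_dn in direct or permission_dn in indirect


def membership_path(directory, user_dn, target_dn):
    """Shortest user -> ... -> target chain as a list of DNs, or None when
    no chain exists (a role or privilege link is missing somewhere)."""
    parents = {user_dn: None}
    queue = deque([user_dn])
    while queue:
        cur = queue.popleft()
        if cur == target_dn:
            path = []
            while cur is not None:
                path.append(cur)
                cur = parents[cur]
            return path[::-1]
        for parent in containers_of(directory, cur):
            if parent not in parents:
                parents[parent] = cur
                queue.append(parent)
    return None


if __name__ == "__main__":
    for label, directory in (("broken", BROKEN), ("fixed", FIXED)):
        ok = can_use_permission(directory, USER, PERMISSION)
        print(f"{label}: realm-proxy reaches 'Manage host keytab' -> {ok}")
        print("  chain:", membership_path(directory, USER, PERMISSION))
        _, indirect = memberships(directory, USER)
        print("  memberofindirect:", sorted(indirect))
```

Running it shows the broken layout stopping at the group, with an empty memberofindirect, and the fixed layout listing the role, the privilege and the permission as indirect memberships, which is the state the "SOLVED" message describes.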
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project