Alexander Frolushkin wrote:
> Very strange. If this user acts as a member of admins group - it can enroll 
> host. If not - it can't.
> Only difference this group brings in permissions - a number of replication 
> agreement permissions...

admins can do nearly anything so that's not surprising.

For host enrollment these permissions are quite broad IMHO, particularly
the replication bits.

Run ipa-client-install with the debug flag and you should get more
information out of ipa-join. /var/log/ipaclient-install.log will log all
of this so you shouldn't need to try capturing stdout.

At the same time see if /var/log/httpd/error_log on the IPA master
provides any information on why the request was rejected, or at least
which operation failed.

At a glance these permissions look sufficient, and then some.

rob

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project