Alexander Frolushkin wrote:
> Very strange. If this user acts as a member of admins group - it can enroll
> host. If not - it can't.
> Only difference this group brings in permissions - a number of replication
> agreement permissions...
admins can do nearly anything so that's not surprising.
For host enrollment these permissions are quite broad IMHO, particularly
the replication bits.
Run ipa-client-install with the debug flag and you should get more
information out of ipa-join. /var/log/ipaclient-install.log will log all
of this so you shouldn't need to try capturing stdout.
At the same time see if /var/log/httpd/error_log on the IPA master
provides any information on why the request was rejected, or at least
which operation failed.
At a glance these permissions look sufficient, and then some.
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project