Alexander Frolushkin wrote:
> Very strange. If this user acts as a member of admins group - it can enroll
> host. If not - it can't.
> Only difference this group brings in permissions - a number of replication
> agreement permissions...

admins can do nearly anything so that's not surprising. For host enrollment these permissions are quite broad IMHO, particularly the replication bits.

Run ipa-client-install with the debug flag and you should get more information out of ipa-join. /var/log/ipaclient-install.log will log all of this so you shouldn't need to try capturing stdout.

At the same time see if /var/log/httpd/error_log on the IPA master provides any information on why the request was rejected, or at least which operation failed.

At a glance these permissions look sufficient, and then some.

rob

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
