Alexander Frolushkin wrote:
> Thank you, I'm stupid enough to have forgotten about debug mode.
> Here is the problem:
> Insufficient access: Insufficient 'write' privilege to the 'krbLastPwdChange' 
> attribute of entry 
> ',cn=computers,cn=accounts,dc=unix,dc=ad,dc=com'.
> This host is not new, it was removed from domain to test the privileges...

Try adding 'Manage host keytab' to your privilege.

I'd use the privilege 'Host Enrollment' as a model of the minimum of
what you need. This covers only the enrollment bit. Add creating hosts
and others as needed.


> WBR,
> Alexander Frolushkin
> -----Original Message-----
> From: Rob Crittenden []
> Sent: Monday, April 20, 2015 8:41 PM
> To: Alexander Frolushkin (SIB); 'David Kupka'
> Subject: Re: [Freeipa-users] Found new problem after 3.3 - 4.1 update
> Alexander Frolushkin wrote:
>> Very strange. If this user acts as a member of admins group - it can enroll 
>> host. If not - it can't.
>> Only difference this group brings in permissions - a number of replication 
>> agreement permissions...
> admins can do nearly anything so that's not surprising.
> For host enrollment these permissions are quite broad IMHO, particularly the 
> replication bits.
> Run ipa-client-install with the debug flag and you should get more 
> information out of ipa-join. /var/log/ipaclient-install.log will log all of 
> this so you shouldn't need to try capturing stdout.
> At the same time see if /var/log/httpd/error_log on the IPA master provides 
> any information on why the request was rejected, or at least which operation 
> failed.
> At a glance these permissions look sufficient, and then some.
> rob
> ________________________________
> The information contained in this communication is intended solely for the 
> use of the individual or entity to whom it is addressed and others authorized 
> to receive it. It may contain confidential or legally privileged information. 
> The contents may not be disclosed or used by anyone other than the addressee. 
> If you are not the intended recipient(s), any use, disclosure, copying, 
> distribution or any action taken or omitted to be taken in reliance on it is 
> prohibited and may be unlawful. If you have received this communication in 
> error please notify us immediately by responding to this email and then 
> delete the e-mail and all attachments and any copies thereof.

Manage your subscription for the Freeipa-users mailing list:
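The triage Rob describes above (run ipa-client-install with the debug flag, read the ipa-join refusal out of /var/log/ipaclient-install.log, then extend the custom privilege with the permission it lacks, using the built-in 'Host Enrollment' privilege as the model), written out as an added example. This is not code from the thread or from FreeIPA: the log lines are constructed (the stderr line mirrors the message quoted above), the attribute-to-permission mapping is an assumption based on the permissions that make up 'Host Enrollment' on a 4.x server (it uses the 4.x "System: ..." managed-permission names; 3.x used the short form 'Manage host keytab' that Rob quotes), and 'Unix Enrollment' is a placeholder name for the custom privilege. Nothing here talks to an IPA server; the ipa commands are printed for an admin to run, not executed.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeIPA): turn an ipa-join
# "Insufficient access" refusal into the permission a custom enrollment
# privilege is missing. Assumptions: the mapping below follows the
# permissions of the 4.x 'Host Enrollment' privilege (verify with
# `ipa privilege-show "Host Enrollment"`); 'Unix Enrollment' is a placeholder.

# Constructed sample of ipaclient-install.log after ipa-client-install --debug.
sample_log() {
cat <<'EOF'
2015-04-21T06:12:33Z DEBUG args=/usr/sbin/ipa-join -s ipa.unix.ad.com -b dc=unix,dc=ad,dc=com -h host1.unix.ad.com
2015-04-21T06:12:34Z DEBUG stderr=Insufficient access: Insufficient 'write' privilege to the 'krbLastPwdChange' attribute of entry 'fqdn=host1.unix.ad.com,cn=computers,cn=accounts,dc=unix,dc=ad,dc=com'.
2015-04-21T06:12:34Z ERROR Joining realm failed because of failing to create host entry
EOF
}

# Print the attribute named in the first
# "Insufficient '<right>' privilege to the '<attr>' attribute" line on stdin.
refused_attr() {
    sed -n "s/.*Insufficient '[a-z]*' privilege to the '\([A-Za-z0-9]*\)' attribute.*/\1/p" | head -n 1
}

# Map the refused attribute (compared case-insensitively, as LDAP does) to the
# managed permission that grants write on it. Assumed mapping, see header.
permission_for() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        krblastpwdchange|krbprincipalkey) echo "System: Manage Host Keytab" ;;
        userpassword)                     echo "System: Manage Host Enrollment Password" ;;
        enrolledby|objectclass)           echo "System: Enroll a Host" ;;
        krbprincipalname)                 echo "System: Add krbPrincipalName to a Host" ;;
        usercertificate)                  echo "System: Manage Host Certificates" ;;
        *) echo "no managed permission known for attribute '$1'" >&2; return 1 ;;
    esac
}

# Emit, for the log on stdin, the commands an IPA admin runs: look at the model
# privilege, add the missing permission to the custom one, confirm the result.
fix_commands() {
    privilege="$1"
    attr=$(refused_attr)
    [ -n "$attr" ] || { echo "no 'Insufficient ... privilege' line found" >&2; return 1; }
    perm=$(permission_for "$attr") || return 1
    printf 'ipa privilege-show "Host Enrollment"\n'
    printf 'ipa privilege-add-permission "%s" --permissions="%s"\n' "$privilege" "$perm"
    printf 'ipa privilege-show "%s"\n' "$privilege"
}

# Stand-alone run over the constructed log.
sample_log | fix_commands "Unix Enrollment"
```

On a real host, replace `sample_log` with `cat /var/log/ipaclient-install.log`; if the attribute is one the mapping does not know, check `ipa permission-find --attrs=<attribute>` on the master rather than guessing, and keep the privilege to the permissions 'Host Enrollment' already carries plus whatever host creation needs.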