Alexander Frolushkin wrote:
> Thank You, I'm stupid enough to forget about debug mode.
> Here the problem:
> Insufficient access: Insufficient 'write' privilege to the 'krbLastPwdChange'
> attribute of entry
> 'fqdn=sib-rhel07.unix.ad.com,cn=computers,cn=accounts,dc=unix,dc=ad,dc=com'.
>
> This host is not new, it was removed from domain to test the privileges...
Try adding 'Manage host keytab' to your privilege. I'd use the privilege 'Host Enrollment' as a model of the minimum of what you need. This covers only the enrollment bit. Add creating hosts and others as needed.

rob

> WBR,
> Alexander Frolushkin
>
> -----Original Message-----
> From: Rob Crittenden [mailto:[email protected]]
> Sent: Monday, April 20, 2015 8:41 PM
> To: Alexander Frolushkin (SIB); [email protected]; 'David Kupka'
> Subject: Re: [Freeipa-users] Found new problem after 3.3 - 4.1 update
>
> Alexander Frolushkin wrote:
>> Very strange. If this user acts as a member of admins group - it can enroll
>> host. If not - it can't.
>> Only difference this group brings in permissions - a number of replication
>> agreement permissions...
>
> admins can do nearly anything so that's not surprising.
>
> For host enrollment these permissions are quite broad IMHO, particularly the
> replication bits.
>
> Run ipa-client-install with the debug flag and you should get more
> information out of ipa-join. /var/log/ipaclient-install.log will log all of
> this so you shouldn't need to try capturing stdout.
>
> At the same time see if /var/log/httpd/error_log on the IPA master provides
> any information on why the request was rejected, or at least which operation
> failed.
>
> At a glance these permissions look sufficient, and then some.
>
> rob
>
> ________________________________
>
> The information contained in this communication is intended solely for the
> use of the individual or entity to whom it is addressed and others authorized
> to receive it. It may contain confidential or legally privileged information.
> The contents may not be disclosed or used by anyone other than the addressee.
> If you are not the intended recipient(s), any use, disclosure, copying,
> distribution or any action taken or omitted to be taken in reliance on it is
> prohibited and may be unlawful. If you have received this communication in
> error please notify us immediately by responding to this email and then
> delete the e-mail and all attachments and any copies thereof.
>
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
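The loop Rob describes above (run ipa-client-install with --debug, read the access denial out of /var/log/ipaclient-install.log, then add the missing permission to the enrolling privilege) as an added shell example; it is not code from the thread or from FreeIPA, and the privilege name plus the attribute-to-permission entries other than krbLastPwdChange are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA itself. It reads the
# "Insufficient access" line that ipa-join leaves in ipaclient-install.log when
# ipa-client-install runs with --debug, maps the denied attribute to the IPA
# permission to grant, and adds that permission to the enrolling privilege.
# Constructed sample, shaped like the denial quoted in the thread:
SAMPLE_DENIAL="Insufficient access: Insufficient 'write' privilege to the 'krbLastPwdChange' attribute of entry 'fqdn=sib-rhel07.unix.ad.com,cn=computers,cn=accounts,dc=unix,dc=ad,dc=com'."

# Print "<op> <attribute> <entry DN>" for a denial line; print nothing otherwise.
denied_attribute() {
    printf '%s\n' "$1" |
        sed -n "s/.*Insufficient '\([a-z]*\)' privilege to the '\([^']*\)' attribute of entry '\([^']*\)'.*/\1 \2 \3/p"
}

# Map an attribute to the IPA 4.x managed permission that writes it. The
# krbLastPwdChange entry follows Rob's advice in the thread; the others are
# assumptions from the stock permission set (confirm with `ipa permission-find`).
permission_for_attr() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        krblastpwdchange|krbprincipalkey) echo "System: Manage Host Keytab" ;;
        usercertificate)                  echo "System: Manage Host Certificates" ;;
        userpassword)                     echo "System: Manage Host Enrollment Password" ;;
        *) return 1 ;;
    esac
}

# Add the permission to a privilege and show the result. Needs an admin
# Kerberos ticket on an enrolled machine; the privilege name is your own.
grant_permission() {
    ipa privilege-add-permission "$1" --permissions="$2" &&
        ipa privilege-show "$1"
}

# Usage: sh fix-enroll-perm.sh apply "My Enrollment Privilege" [logfile]
# Without "apply" the script only defines the functions above.
if [ "${1-}" = apply ]; then
    priv="$2"; log="${3:-/var/log/ipaclient-install.log}"
    line=$(grep "privilege to the '" "$log" | tail -n 1)
    set -- $(denied_attribute "$line")          # now $1=op $2=attr $3=dn
    [ -n "${2-}" ] || { echo "no access denial found in $log" >&2; exit 1; }
    perm=$(permission_for_attr "$2") || { echo "no known permission for $2" >&2; exit 2; }
    echo "entry $3: '$1' on $2 denied; granting '$perm' to privilege '$priv'"
    grant_permission "$priv" "$perm"
fi
```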
