Tried that.

Originally I had just a normal user of a role "Build Administrator".
It worked perfectly.

Service account doesn't seem to recognize its privileges either way
(explicit membership assignment or through roles).

Originally it was like this (working perfectly):

However, I don't like hostadmin hanging amount regular users.

So I moved this account away to its own ldif:
dn: uid=hostadmin,cn=sysaccounts,cn=etc,dc=contoso,dc=com
changetype: add
objectclass: account
objectclass: simplesecurityobject
objectclass: inetuser
objectclass: krbprincipalaux
objectclass: krbticketpolicyaux
krbPrincipalName: hostadmin@<%= @realm %>
memberOf: cn=Build Administrator,cn=roles,cn=accounts,dc=contoso,dc=com
userPassword: <%= @hostadmin_pwd %>
passwordExpirationTime: <%= @pwd_expiration %>
krbpasswordexpiration: <%= @pwd_expiration %>
nsIdleTimeout: 0

This didn't work (same error: not enough privileges), so I started
experimenting with explicit privileges assignment by basically copying
them from default "admin" user. Didn't work too.

I wonder what am I doing wrong.

On Thu, Jan 28, 2016 at 1:03 AM, Rob Crittenden <> wrote:
> Marat Vyshegorodtsev wrote:
>> Hi!
>> I'm trying to build an auto-enrollment script that would leverage a
>> service account to enroll hosts.
>> Here is the LDIF for this service account:
>> This service account is created successfully, but when I try to:
>> 1) kinit hostadmin
>> 2) ipa host-add
>> The following error appears:
>> ipa: ERROR: Insufficient access: Insufficient 'add' privilege to add
>> the entry 
>> ',cn=computers,cn=accounts,dc=contoso,dc=com'.
>> Which privilege am I missing? A normal (posix) user, with the same set
>> of privileges worked fine, the problem started to happen when I moved
>> user from normal users to cn=sysaccounts,cn=etc.
>> Also, is my set of privileges minimal? Which privileges do I need to
>> just add host entries?
> You should not directly add memberOf values. You should add the user as
> a member of the respective roles and the rest should follow naturally.
> So you'll need to add this entry then do a modify to add it as a member
> of one or more roles.
> rob

Manage your subscription for the Freeipa-users mailing list:
Go to for more info on the project

Reply via email to