Originally I had just a normal user of a role "Build Administrator".
It worked perfectly.
Service account doesn't seem to recognize its privileges either way
(explicit membership assignment or through roles).
Originally it was like this (working perfectly):
However, I don't like hostadmin hanging amount regular users.
So I moved this account away to its own ldif:
krbPrincipalName: hostadmin@<%= @realm %>
memberOf: cn=Build Administrator,cn=roles,cn=accounts,dc=contoso,dc=com
userPassword: <%= @hostadmin_pwd %>
passwordExpirationTime: <%= @pwd_expiration %>
krbpasswordexpiration: <%= @pwd_expiration %>
This didn't work (same error: not enough privileges), so I started
experimenting with explicit privileges assignment by basically copying
them from default "admin" user. Didn't work too.
I wonder what am I doing wrong.
On Thu, Jan 28, 2016 at 1:03 AM, Rob Crittenden <rcrit...@redhat.com> wrote:
> Marat Vyshegorodtsev wrote:
>> I'm trying to build an auto-enrollment script that would leverage a
>> service account to enroll hosts.
>> Here is the LDIF for this service account:
>> This service account is created successfully, but when I try to:
>> 1) kinit hostadmin
>> 2) ipa host-add foobar.contoso.com
>> The following error appears:
>> ipa: ERROR: Insufficient access: Insufficient 'add' privilege to add
>> the entry
>> Which privilege am I missing? A normal (posix) user, with the same set
>> of privileges worked fine, the problem started to happen when I moved
>> user from normal users to cn=sysaccounts,cn=etc.
>> Also, is my set of privileges minimal? Which privileges do I need to
>> just add host entries?
> You should not directly add memberOf values. You should add the user as
> a member of the respective roles and the rest should follow naturally.
> So you'll need to add this entry then do a modify to add it as a member
> of one or more roles.
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project