Tried that. Originally I had just a normal user of a role "Build Administrator". It worked perfectly.
Service account doesn't seem to recognize its privileges either way (explicit membership assignment or through roles).

Originally it was like this (working perfectly): http://pastebin.com/baqcthy5

However, I don't like hostadmin hanging among regular users. So I moved this account away to its own ldif:

dn: uid=hostadmin,cn=sysaccounts,cn=etc,dc=contoso,dc=com
changetype: add
objectclass: account
objectclass: simplesecurityobject
objectclass: inetuser
objectclass: krbprincipalaux
objectclass: krbticketpolicyaux
krbPrincipalName: hostadmin@<%= @realm %>
memberOf: cn=Build Administrator,cn=roles,cn=accounts,dc=contoso,dc=com
userPassword: <%= @hostadmin_pwd %>
passwordExpirationTime: <%= @pwd_expiration %>
krbpasswordexpiration: <%= @pwd_expiration %>
nsIdleTimeout: 0

This didn't work (same error: not enough privileges), so I started experimenting with explicit privilege assignment by basically copying them from the default "admin" user. Didn't work either. I wonder what I am doing wrong.

On Thu, Jan 28, 2016 at 1:03 AM, Rob Crittenden <rcrit...@redhat.com> wrote:
> Marat Vyshegorodtsev wrote:
>> Hi!
>>
>> I'm trying to build an auto-enrollment script that would leverage a
>> service account to enroll hosts.
>>
>> Here is the LDIF for this service account:
>> https://gist.github.com/touzoku/2b03a47d3f0bcfbdf30a
>>
>> This service account is created successfully, but when I try to:
>> 1) kinit hostadmin
>> 2) ipa host-add foobar.contoso.com
>>
>> The following error appears:
>> ipa: ERROR: Insufficient access: Insufficient 'add' privilege to add
>> the entry
>> 'fqdn=foobar.contoso.com,cn=computers,cn=accounts,dc=contoso,dc=com'.
>>
>> Which privilege am I missing? A normal (posix) user, with the same set
>> of privileges worked fine, the problem started to happen when I moved
>> user from normal users to cn=sysaccounts,cn=etc.
>>
>> Also, is my set of privileges minimal? Which privileges do I need to
>> just add host entries?
>>
>
> You should not directly add memberOf values. You should add the user as
> a member of the respective roles and the rest should follow naturally.
> So you'll need to add this entry then do a modify to add it as a member
> of one or more roles.
>
> rob
>
> --

Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
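One way to follow Rob's advice, as an added example that is not part of the thread: create the sysaccount entry without any memberOf value, then do a separate modify on the role entry so the memberOf plugin maintains the backlink itself. The DNs are the ones from the thread; the ERB placeholders are assumed to be filled in by the poster's template as in their own LDIF, and the explicit uid attribute is an assumption added so the entry carries its own naming attribute.

```ldif
# Added example (not from the thread). Step 1: add the service account
# with no memberOf attribute; memberOf is a plugin-maintained backlink
# and is not meant to be written by hand.
dn: uid=hostadmin,cn=sysaccounts,cn=etc,dc=contoso,dc=com
changetype: add
objectclass: account
objectclass: simplesecurityobject
objectclass: inetuser
objectclass: krbprincipalaux
objectclass: krbticketpolicyaux
uid: hostadmin
krbPrincipalName: hostadmin@<%= @realm %>
userPassword: <%= @hostadmin_pwd %>
passwordExpirationTime: <%= @pwd_expiration %>
krbpasswordexpiration: <%= @pwd_expiration %>
nsIdleTimeout: 0

# Step 2: a separate modify on the role entry (DN from the thread).
# Membership lives as "member" on the role; the account's memberOf is
# then derived by the server, which is what the ACIs evaluate.
dn: cn=Build Administrator,cn=roles,cn=accounts,dc=contoso,dc=com
changetype: modify
add: member
member: uid=hostadmin,cn=sysaccounts,cn=etc,dc=contoso,dc=com
```

Apply both records in one run, e.g. `ldapmodify -x -D "cn=Directory Manager" -W -f hostadmin.ldif` (filename assumed), then read the account back with ldapsearch and confirm a server-generated memberOf for the role appears before retrying kinit and host-add.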