On Tue, 07 Jun 2016, Konstantin M. Khankin wrote:
Hi Alexander!

Here's the config (mostly auto-generated by ipa-client-install):
-------------------------------------------------------------------------------------------------------------------------------------
[domain/gsk.loc]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = gsk.loc
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = garage.gsk.loc
chpass_provider = ipa
ipa_server = _srv_, drone.gsk.loc
ldap_tls_cacert = /etc/ipa/ca.crt
#ldap_search_base = cn=accounts,dc=gsk,dc=loc
ldap_user_extra_attrs = uid, krbLastSuccessfulAuth, krbLastFailedAuth

[sssd]
services = nss, sudo, pam, ssh, ifp
config_file_version = 2

domains = gsk.loc
[nss]
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]
allowed_uids = apache, root
user_attributes = +uid, +krbLastSuccessfulAuth, +krbLastFailedAuth
-------------------------------------------------------------------------------------------------------------------------------------
Ok, for these there is a separate permission, 'System: Read User Kerberos Login Attributes'.

ipa permission-show 'System: Read User Kerberos Login Attributes'

It is by default assigned to 'User administrators' role. You can use
'ipa role-add-member' to add others, like hosts:

ipa role-add-member 'User Administrator' --hosts=garage.gsk.loc

--
/ Alexander Bokovoy
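
Added example, not part of the message above: the 'User Administrator' role also carries user-management privileges, so a host that only needs these attributes can instead be put in a dedicated role holding just the permission named in the reply. The privilege and role names are hypothetical, and the commands assume a valid admin Kerberos ticket.

```shell
#!/bin/sh
# Added example (not from the thread): give one host read access to the user
# Kerberos login attributes through a dedicated role, so that it does not have
# to be a member of the broad 'User Administrator' role.
PERM='System: Read User Kerberos Login Attributes'  # permission named in the thread
PRIV='Read Kerberos Login Attributes'               # hypothetical privilege name
ROLE='Kerberos Login Attribute Readers'             # hypothetical role name

grant_login_attr_read() {
    host=$1
    if [ -z "$host" ]; then
        echo "usage: grant_login_attr_read <host-fqdn>" >&2
        return 2
    fi

    # Create the privilege only if it is missing, then attach the permission.
    ipa privilege-show "$PRIV" >/dev/null 2>&1 ||
        ipa privilege-add "$PRIV" \
            --desc='Read-only access to user Kerberos login attributes' || return 1
    ipa privilege-add-permission "$PRIV" --permissions="$PERM" || return 1

    # Create the role only if it is missing, then attach the privilege.
    ipa role-show "$ROLE" >/dev/null 2>&1 ||
        ipa role-add "$ROLE" \
            --desc='Hosts allowed to read user Kerberos login attributes' || return 1
    ipa role-add-privilege "$ROLE" --privileges="$PRIV" || return 1

    # Add the host (for example the SSSD client from the config above).
    ipa role-add-member "$ROLE" --hosts="$host" || return 1

    # Print the resulting role so the membership can be reviewed.
    ipa role-show "$ROLE"
}

# Run directly as: sh script.sh garage.gsk.loc
if [ "$#" -gt 0 ]; then
    grant_login_attr_read "$@"
fi
```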
