Hi all,

I have been exploring using a service account with restricted permissions
to add and enrol hosts, rather than using an administrative user. I based
the account details on an earlier posting to this list (
but ran into a couple of things that I found odd:

1. The service account needs to be explicitly granted permission to read

When a host was previously enrolled with FreeIPA and has run
`ipa-client-install --uninstall`, a fresh `ipa-client-install` using a
service user fails unless the host is manually deleted with `ipa host-del`,
or the service user is explicitly granted permission to read itself.

Without either of the above, `ipa-client-install` fails with an error
"Joining realm failed: RPC failed at server.  host with name
"my.hostname.domain" already exists". On the server side, for some reason
the service user tries to look itself up to check if it's got permissions
to modify the host (which it does). It does not seem to have permissions to
look itself up by default in the cn=sysaccounts,cn=etc tree, so the
permission check fails, and throws the error above.

I'm granting the service account the following permission to work around
this, but I'm a little confused as to why it's required:
ipa permission-add 'Read Host Join User'
--right=read --right=search --right=compare --attrs='*'

Is that permission going to cause the service account to be able to do
anything it shouldn't, or does it look okay?

2. The service account's password expiry must be set in a separate
ldapmodify call

I tried to create the service account with a password that does not expire
by setting "krbPasswordExpiration: 20380119031407Z" on the account when it
is created, but it seems to be immediately overwritten. If I create the
account in one ldapmodify call, and set the password expiration in a
separate call, the expiration seems to stick. Is that expected, or am I
setting the expiration incorrectly?

I've included the full set of commands I'm using the setup my service
account for host enrolment, in case something I'm doing wrong is causing
the above strangeness. I'm running FreeIPA 4.2.0 on CentOS 7.

I'd be keen for some feedback on this approach, and whether it's normal to
have to use the workarounds above.


## Configure the account used by hosts to join the domain

# Authenticate so the ipa commands can run
kinit admin

# (System account needs special permissions to read itself)
ipa permission-add 'Read Host Join User'
--right=read --right=search --right=compare --attrs='*'
ipa privilege-add 'Read Host Join User'
ipa privilege-add-permission --permissions='Read Host Join User' 'Read Host
Join User'
ipa privilege-add 'Add Hosts'
ipa privilege-add-permission --permissions='System: Add Hosts' 'Add Hosts'

# Role to assign to the system account, with permissions to enrol hosts,
add hosts, and read itself
ipa role-add --desc="Host Joining" 'Host Joining'
ipa role-add-privilege --privileges='Host Enrollment' 'Host Joining'
ipa role-add-privilege --privileges='Add Hosts' 'Host Joining'
ipa role-add-privilege --privileges='Read Host Join User' 'Host Joining'

# Drop admin permissions

# Create the system account in LDAP and add it to the new role
cat <<LDIF_END | ldapmodify -x -D 'cn=Directory Manager' -W
dn: uid=my-join-user,cn=sysaccounts,cn=etc,dc=example,dc=com
changetype: add
objectclass: account
objectclass: simplesecurityobject
objectclass: inetUser
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
uid: my-join-user
krbPrincipalName: my-join-u...@example.com
userPassword: averysecurepassword
passwordExpirationTime: 20380119031407Z
nsIdleTimeout: 0

dn: cn=Host Joining,cn=roles,cn=accounts,dc=example,dc=com
changetype: modify
add: member
member: uid=my-join-user,cn=sysaccounts,cn=etc,dc=example,dc=com

# Ensure the join user's password does not expire. This must be set in a
separate ldapmodify call or it gets overwritten
cat <<LDIF_END | ldapmodify -x -D 'cn=Directory Manager' -W
dn: uid=my-join-user,cn=sysaccounts,cn=etc,dc=example,dc=com
changetype: modify
replace: krbPasswordExpiration
krbPasswordExpiration: 20380119031407Z

# NB: the trailing empty line after each entry is required in the above
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to