Matt . wrote:
> Hi Rob,
>
> Thanks, but what do you mean here ? The Foreman has a script which
> should be OK for it:
>
> https://github.com/theforeman/smart-proxy/blob/develop/sbin/foreman-prepare-realm
>
> Can you check this maybe ?

Like I said, it's wrong. add grants the ability to add new entries, not
updating existing ones. The right needs to be "write".

rob

>
> Thanks,
>
> Matt
>
> 2017-03-10 17:21 GMT+01:00 Rob Crittenden <rcrit...@redhat.com>:
>> Matt . wrote:
>>> I'm trying to add a host using Foreman to the FreeIPA realm but this
>>> doesn't work, all things seem to be fine and some other tests from
>>> people are working:
>>>
>>> The issue is reported here: http://projects.theforeman.org/issues/18850
>>>
>>>
>>> My settings are like this:
>>>
>>>
>>> [root@ipa-01 ~]# ipa role-find
>>> ---------------
>>> 6 roles matched
>>> ---------------
>>> Role name: helpdesk
>>> Description: Helpdesk
>>>
>>> Role name: IT Security Specialist
>>> Description: IT Security Specialist
>>>
>>> Role name: IT Specialist
>>> Description: IT Specialist
>>>
>>> Role name: Security Architect
>>> Description: Security Architect
>>>
>>> Role name: Smart Proxy Host Manager
>>> Description: Smart Proxy management
>>>
>>> Role name: User Administrator
>>> Description: Responsible for creating Users and Groups
>>> ----------------------------
>>> Number of entries returned 6
>>> ----------------------------
>>> [root@ipa-01 ~]# ipa role-show "Smart Proxy Host Manager"
>>> Role name: Smart Proxy Host Manager
>>> Description: Smart Proxy management
>>> Member users: foreman-proxy, foreman-realm-proxy
>>> Privileges: Smart Proxy Host Management
>>> [root@ipa-01 ~]# ipa privilege-show "Smart Proxy Host Management"
>>> Privilege name: Smart Proxy Host Management
>>> Description: Smart Proxy Host Management
>>> Permissions: Retrieve Certificates from the CA, System: Add DNS
>>> Entries, System: Read DNS Entries, System: Remove DNS Entries, System:
>>> Update DNS
>>> Entries, System: Manage Host Certificates, System:
>>> Manage Host Enrollment Password, System: Manage Host Keytab, System:
>>> Modify Hosts,
>>> System: Remove Hosts, System: Manage Service Keytab,
>>> System: Modify Services, Add Host Enrollment Password
>>> Granting privilege to roles: Smart Proxy Host Manager
>>> [root@ipa-01 ~]#
>>> [root@ipa-01 ~]# ipa permission-find "Add Host"
>>> ---------------------
>>> 3 permissions matched
>>> ---------------------
>>> Permission name: Add Host Enrollment Password
>>> Granted rights: add
>>> Effective attributes: userpassword
>>> Bind rule type: permission
>>> Subtree: cn=computers,cn=accounts,dc=office,dc=ipa,dc=domain,dc=tld
>>> Type: host
>>> Permission flags: V2, SYSTEM
>>>
>>> Permission name: System: Add Hostgroups
>>> Granted rights: add
>>> Bind rule type: permission
>>> Subtree: cn=hostgroups,cn=accounts,dc=office,dc=ipa,dc=domain,dc=tld
>>> Type: hostgroup
>>> Permission flags: V2, MANAGED, SYSTEM
>>>
>>> Permission name: System: Add Hosts
>>> Granted rights: add
>>> Bind rule type: permission
>>> Subtree: cn=computers,cn=accounts,dc=office,dc=ipa,dc=domain,dc=tld
>>> Type: host
>>> Permission flags: V2, MANAGED, SYSTEM
>>> ----------------------------
>>> Number of entries returned 3
>>> ----------------------------
>>>
>>>
>>> Can anyone help me out as I'm unsure where this goes wrong.
>>>
>>
>> For 'Add Host Enrollment Password' the granted rights should be write
>> not add.
>>
>> add is for adding entries, not writing attributes.
>>
>> rob
>

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
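
An added example, not part of the thread and not FreeIPA or Foreman code: a small audit of `ipa permission-find` style output that flags the mismatch Rob describes, a permission that names attributes but grants only entry-level rights. The sample text is constructed to resemble the listing above, and the function names and the `ENTRY_LEVEL` set are assumptions made for this illustration.

```python
# Constructed sample shaped like the `ipa permission-find` listing in the thread.
SAMPLE = """\
---------------------
3 permissions matched
---------------------
  Permission name: Add Host Enrollment Password
  Granted rights: add
  Effective attributes: userpassword
  Type: host

  Permission name: System: Add Hosts
  Granted rights: add
  Type: host

  Permission name: System: Manage Host Enrollment Password
  Granted rights: write
  Effective attributes: userpassword
  Type: host
"""

# Assumption for this example: rights that act on whole entries, not attributes.
ENTRY_LEVEL = {"add", "delete"}

def parse_permissions(text):
    """Split the listing into one dict per permission, keyed by field label."""
    perms, current = [], None
    for line in text.splitlines():
        # Split on the first ": " only, so names like "System: Add Hosts" survive.
        key, sep, value = line.strip().partition(": ")
        if not sep:  # blank lines, dashed rules, "3 permissions matched"
            continue
        if key == "Permission name":
            current = {}
            perms.append(current)
        if current is not None:
            current[key] = value.strip()
    return perms

def entry_rights_on_attributes(perms):
    """Names of permissions that list attributes but grant only add/delete."""
    flagged = []
    for p in perms:
        rights = {r.strip() for r in p.get("Granted rights", "").split(",")}
        if p.get("Effective attributes") and rights <= ENTRY_LEVEL:
            flagged.append(p["Permission name"])
    return flagged

if __name__ == "__main__":
    for name in entry_rights_on_attributes(parse_permissions(SAMPLE)):
        print(f"{name}: lists attributes but grants no attribute-level right")
```
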