Re: [Freeipa-users] Adding permissions to a service account.
On 08/13/2014 02:27 AM, William wrote:
> On Tue, 2014-08-12 at 13:51 -0400, Rob Crittenden wrote:
>> William wrote:
>>> Hi, I am trying to allow a radius service account the ability to read ipaNTHash. I carried out the following steps:
>>
>> You can't delegate permissions to a service. See https://fedorahosted.org/freeipa/ticket/3644
>>
>> rob
>
> For now, should I just add the service DN as a member of the role to enable this?

Rob used a wrong ticket, this is the one:
https://fedorahosted.org/freeipa/ticket/3164

It is currently planned for FreeIPA 4.1. If you are interested in contributing a patch, please feel free to do so, this would be a simple one :-)

Anyway, to fix your permission delegation problem, check this:

# ipa service-show foo/`hostname` --all --raw | grep dn:
dn: krbprincipalname=foo/ipa.mkosek-fedora20.t...@mkosek-fedora20.test,cn=services,cn=accounts,dc=mkosek-fedora20,dc=test
# ipa role-show test_role --all --raw | grep dn:
dn: cn=test_role,cn=roles,cn=accounts,dc=mkosek-fedora20,dc=test
# kinit admin
Password for ad...@mkosek-fedora20.test:
# ldapmodify -Y GSSAPI
SASL/GSSAPI authentication started
SASL username: ad...@mkosek-fedora20.test
SASL SSF: 56
SASL data security layer installed.
dn: cn=test_role,cn=roles,cn=accounts,dc=mkosek-fedora20,dc=test
changetype: modify
add: member
member: krbprincipalname=foo/ipa.mkosek-fedora20.t...@mkosek-fedora20.test,cn=services,cn=accounts,dc=mkosek-fedora20,dc=test

modifying entry cn=test_role,cn=roles,cn=accounts,dc=mkosek-fedora20,dc=test

# ipa role-show test_role --all --raw
...
member: krbprincipalname=foo/ipa.mkosek-fedora20.t...@mkosek-fedora20.test,cn=services,cn=accounts,dc=mkosek-fedora20,dc=test
...

Then, the role and assigned privileges/permissions should work for this service.

Martin

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
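The procedure in William's original post and Martin's ldapmodify workaround above, put together as an added example (this is not code from the thread or from FreeIPA): it extracts the service and role DNs from `ipa ... --raw` output, builds the `add: member` LDIF, and then re-reads the role to confirm the service DN is listed. The realm EXAMPLE.TEST, the host radius.example.test and the sample CLI dumps are constructed stand-ins; the live commands run only when the script is invoked with `--apply` on a box that has the IPA client tools and an admin ticket.

```sh
#!/bin/sh
# Added example, not code from the thread or from FreeIPA itself: add a
# service principal as a direct member of an IPA role over LDAP (the
# workaround Martin describes) and verify the membership afterwards.
# EXAMPLE.TEST, radius.example.test and the role name are assumptions.
set -eu

# Pull the entry DN out of `ipa <obj>-show ... --all --raw` output on stdin.
raw_dn() {
  sed -n 's/^ *dn: //p' | head -n 1
}

# Emit the LDIF that adds SERVICE_DN ($2) to ROLE_DN's ($1) multi-valued
# member attribute. `add:` rather than `replace:` keeps the existing
# user/group/host members of the role intact.
role_member_ldif() {
  printf 'dn: %s\nchangetype: modify\nadd: member\nmember: %s\n' "$1" "$2"
}

# Exit 0 when an `ipa role-show ... --all --raw` dump on stdin lists
# MEMBER_DN ($1) verbatim; used to confirm the modify actually took effect.
role_has_member() {
  sed 's/^ *//' | grep -qxF "member: $1"
}

# Constructed sample dumps standing in for what the ipa CLI prints.
SAMPLE_SERVICE_SHOW='dn: krbprincipalname=radius/radius.example.test@EXAMPLE.TEST,cn=services,cn=accounts,dc=example,dc=test
krbprincipalname: radius/radius.example.test@EXAMPLE.TEST'
SAMPLE_ROLE_SHOW='dn: cn=Radius server,cn=roles,cn=accounts,dc=example,dc=test
cn: Radius server
member: fqdn=radius.example.test,cn=computers,cn=accounts,dc=example,dc=test'

if command -v ipa >/dev/null 2>&1 && [ "${1:-}" = "--apply" ]; then
  # Live run: needs a valid admin Kerberos ticket (kinit admin) beforehand.
  service_dn=$(ipa service-show "radius/$(hostname)" --all --raw | raw_dn)
  role_dn=$(ipa role-show 'Radius server' --all --raw | raw_dn)
  role_member_ldif "$role_dn" "$service_dn" | ldapmodify -Y GSSAPI
  if ipa role-show 'Radius server' --all --raw | role_has_member "$service_dn"; then
    echo "service principal is now a member of the role"
  else
    echo "membership not visible after modify" >&2
    exit 1
  fi
else
  # Offline: just show the LDIF that would be fed to ldapmodify.
  role_member_ldif "$(printf '%s\n' "$SAMPLE_ROLE_SHOW" | raw_dn)" \
                   "$(printf '%s\n' "$SAMPLE_SERVICE_SHOW" | raw_dn)"
fi
```

Two caveats worth keeping in mind before applying this in production: Rob's point below stands, in that the IPA framework of that era did not expect a service DN in a role's member attribute, so `ipa role-show` and friends may misbehave on the entry; and the permission William creates (`--type=user --attrs=ipaNTHash`) exposes the NT hash of every user, which is password-equivalent for NTLM authentication, so scope the bind target and the permission as narrowly as the RADIUS deployment allows.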
Re: [Freeipa-users] Adding permissions to a service account.
William wrote:
> On Tue, 2014-08-12 at 13:51 -0400, Rob Crittenden wrote:
>> William wrote:
>>> Hi, I am trying to allow a radius service account the ability to read ipaNTHash. I carried out the following steps:
>>
>> You can't delegate permissions to a service. See https://fedorahosted.org/freeipa/ticket/3644
>>
>> rob
>
> For now, should I just add the service DN as a member of the role to enable this?

Theoretically, if you add the service as a member in the role using ldapmodify, then yes, it should work functionally. What the IPA framework would do with this is another matter. Worst case it would blow up whenever trying to retrieve this role/privilege/permission/service (or a combination).

rob
Re: [Freeipa-users] Adding permissions to a service account.
William wrote:
> Hi, I am trying to allow a radius service account the ability to read ipaNTHash. I carried out the following steps:
>
> ipa permission-add 'ipaNTHash service read' --attrs=ipaNTHash --type=user --permissions=read
> ------------------------------------------
> Added permission ipaNTHash service read
> ------------------------------------------
>   Permission name: ipaNTHash service read
>   Permissions: read
>   Attributes: ipanthash
>   Type: user
>
> ipa privilege-add 'Radius services' --desc='Privileges needed to allow radiusd servers to operate'
> ipa privilege-add-permission 'Radius services' --permissions='ipaNTHash service read'
>   Privilege name: Radius services
>   Description: Privileges needed to allow radiusd servers to operate
>   Permissions: ipaNTHash service read
> -------------------------------
> Number of permissions added 1
> -------------------------------
>
> ipa role-add 'Radius server' --desc=Radius server role
> --------------------------
> Added role Radius server
> --------------------------
>   Role name: Radius server
>   Description: Radius server role
>
> ipa service-add 'radius/lorna.dev.blackhats.net.au'
> ----------------------------------------------------------------
> Added service radius/lorna.dev.blackhats.net...@dev.blackhats.net.au
> ----------------------------------------------------------------
>   Principal: radius/lorna.dev.blackhats.net...@dev.blackhats.net.au
>   Managed by: lorna.dev.blackhats.net.au
>
> ipa role-add-member 'Radius server' --hosts='lorna.dev.blackhats.net.au'
>   Role name: Radius server
>   Description: Radius server role
>   Member hosts: lorna.dev.blackhats.net.au
>   Privileges: Radius services
> ---------------------------
> Number of members added 1
> ---------------------------
>
> ipa-getkeytab -p 'radius/lorna.dev.blackhats.net.au' -s lorna.dev.blackhats.net.au -k /root/radiusd.keytab
> kinit -t /root/radiusd.keytab -k radius/lorna.dev.blackhats.net.au
>
> After these steps I did an ldapwhoami and attempted to get the ipaNTHash from an account: it didn't work.
>
> I believe this is because the whoami shows the account binds as a different DN than the host account, thus the permission isn't applied. But there is no way in the UI or CLI to add permissions to a service account.
>
> How should I proceed?

You can't delegate permissions to a service.

See https://fedorahosted.org/freeipa/ticket/3644

rob
Re: [Freeipa-users] Adding permissions to a service account.
On Tue, 2014-08-12 at 13:51 -0400, Rob Crittenden wrote:
> William wrote:
>> Hi, I am trying to allow a radius service account the ability to read ipaNTHash. I carried out the following steps:
>
> You can't delegate permissions to a service. See https://fedorahosted.org/freeipa/ticket/3644
>
> rob

For now, should I just add the service DN as a member of the role to enable this?

--
William
will...@firstyear.id.au