Re: [Freeipa-users] ACI for ipa-getkeytab

2014-09-09 Thread James James
SOLVED.

realm-proxy has to be indirect member of :
memberofindirect: cn=manage host keytab,cn=privileges,cn=pbac,dc=example,dc=com

Thanks for your help.

2014-09-09 16:59 GMT+02:00 Rob Crittenden :

> James James wrote:
> > My user : realm-proxy is in a group (Smart Proxy Host Management) which
> > has the Manage host keytab permission :
> >
> >   Permission name: Manage host keytab
> >   Permissions: write
> >   Attributes: krbprincipalkey, krblastpwdchange
> >   Type: host
> >   Granted to Privilege: Host Administrators, Host Enrollment, Smart
> > Proxy Host Management
> >
> >
> > When I try to retrieve a keytab from another host when my principal is
> > the realm-proxy :
> >
> >
> > [root@client1 ~]#  kinit realm-pr...@example.com
> >  -k -t /tmp/freeipa.keytab
> >
> > [root@client1 ~]# klist
> >
> > Ticket cache: KEYRING:persistent:0:0
> > Default principal: realm-pr...@example.com
> >
> > Valid starting   Expires  Service principal
> > 09/09/2014 14:35:50  09/10/2014 14:35:50  krbtgt/example@example.com
> > 
> >
> > [root@client1 ~]# ipa-getkeytab  --server=ipa.example.com
> >  --principal=host/client1.example.com
> >  --keytab=/etc/krb5.keytab
> > Operation failed! Insufficient access rights
> >
> >
> > I can't retrieve the key ..
>
> I'd need to see the smart-proxy user, show --all --raw would be best.
>
> I just tested this on a RHEL-6 instance I had handy and it worked fine:
>
> # ipa user-add --first=test --last=user tuser1 --password
> # ipa role-add 'host keytab' --desc 'manage host keytabs'
> # ipa privilege-add 'manage host keytab' --desc 'manage host keytabs'
> # ipa privilege-add-permission 'manage host keytab'
> --permissions='manage host keytab'
> # ipa role-add-privilege 'host keytab' --privileges='manage host keytab'
> # ipa role-add-member --users=tuser1 'host keytab'
> # kinit tuser1
> # ipa-getkeytab -s `hostname` -k /tmp/test.keytab -p host/test.example.com
> Keytab successfully retrieved and stored in: /tmp/test.keytab
>
> rob
>
> >
> > 2014-09-09 16:14 GMT+02:00 Rob Crittenden :
> >
> > James James wrote:
> > > My IPA version is 3.0.0 .
> > > Thanks
> >
> > The permission 'Manage host keytab' should do the trick.
> >
> > rob
> >
> > >
> > > 2014-09-09 1:22 GMT+02:00 Dmitri Pal :
> > >
> > > On 09/08/2014 06:52 PM, James James wrote:
> > >> Hi everybody,
> > >>
> > >> I want a user to be able to do ipa-getkeytab to retrieve the
> keys
> > >> from any host in the realm.
> > >>
> > >> How can I do this ?
> > >>
> > >> Where I can find an ACI example
> > >>
> > >> (https://www.redhat.com/archives/freeipa-users/2010-July/msg00024.html)
> > >> which can help me ?
> > >>
> > >>
> > >> Thanks for your help.
> > >>
> > >>
> > >>
> > >>
> > > Which version of IPA?
> > > The reason for the question is because in FreeIPA 4.0 the ACIs
> > > were significantly reworked.
> > >
> > > --
> > > Thank you,
> > > Dmitri Pal
> > >
> > > Sr. Engineering Manager IdM portfolio
> > > Red Hat, Inc.
> > >
> > >
> > >
> > >
> > >
> > >
> >
> >
>
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
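The thread's fix is that the user must show up as an indirect member of the "manage host keytab" privilege (user -> role -> privilege -> permission), which is what Rob asked to see via `show --all --raw`. The following is an added example, not code from the thread or from FreeIPA: it parses constructed `ipa user-show --all --raw` output and reports whether the privilege is effectively held, so an admin can check the chain before trying `ipa-getkeytab`.

```python
import re

# Constructed sample of `ipa user-show realm-proxy --all --raw` output (not taken
# from the thread). Raw mode prints one attribute per line; multi-valued
# attributes such as memberofindirect are repeated.
RAW_OK = """\
  dn: uid=realm-proxy,cn=users,cn=accounts,dc=example,dc=com
  uid: realm-proxy
  memberof: cn=smart proxy host management,cn=roles,cn=accounts,dc=example,dc=com
  memberofindirect: cn=manage host keytab,cn=privileges,cn=pbac,dc=example,dc=com
  memberofindirect: cn=manage host keytab,cn=permissions,cn=pbac,dc=example,dc=com
"""

# Constructed sample of the failing case: the role membership exists, but the
# role was never linked to the privilege, so no privilege DN is inherited.
RAW_BROKEN = """\
  dn: uid=realm-proxy,cn=users,cn=accounts,dc=example,dc=com
  uid: realm-proxy
  memberof: cn=smart proxy host management,cn=roles,cn=accounts,dc=example,dc=com
"""


def parse_raw(raw):
    """Turn --raw output into {attribute: [values]}; attribute names lower-cased."""
    attrs = {}
    for line in raw.splitlines():
        m = re.match(r"\s*([A-Za-z0-9;_-]+):\s*(.*)$", line)
        if m:
            attrs.setdefault(m.group(1).lower(), []).append(m.group(2).strip())
    return attrs


def effective_privileges(raw):
    """Privilege CNs the user holds directly (memberof) or via a role (memberofindirect)."""
    attrs = parse_raw(raw)
    dns = attrs.get("memberof", []) + attrs.get("memberofindirect", [])
    privs = set()
    for dn in dns:
        # Only entries under cn=privileges,cn=pbac count; permission and role DNs are skipped.
        m = re.match(r"cn=([^,]+),cn=privileges,cn=pbac,", dn, re.IGNORECASE)
        if m:
            privs.add(m.group(1).lower())
    return privs


def can_manage_host_keytab(raw):
    """True when 'Manage host keytab' is in the user's effective privilege set."""
    return "manage host keytab" in effective_privileges(raw)
```

Run it against real output by piping `ipa user-show <user> --all --raw` into `parse_raw`; an empty privilege set with a role present points at a role that has not been given the privilege.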

Re: [Freeipa-users] ACI for ipa-getkeytab

2014-09-09 Thread Rob Crittenden
James James wrote:
> My user : realm-proxy is in a group (Smart Proxy Host Management) which
> has the Manage host keytab permission :
> 
>   Permission name: Manage host keytab
>   Permissions: write
>   Attributes: krbprincipalkey, krblastpwdchange
>   Type: host
>   Granted to Privilege: Host Administrators, Host Enrollment, Smart
> Proxy Host Management
> 
> 
> When I try to retrieve a keytab from another host when my principal is
> the realm-proxy :
> 
> 
> [root@client1 ~]#  kinit realm-pr...@example.com
>  -k -t /tmp/freeipa.keytab
> 
> [root@client1 ~]# klist
> 
> Ticket cache: KEYRING:persistent:0:0
> Default principal: realm-pr...@example.com 
> 
> Valid starting   Expires  Service principal
> 09/09/2014 14:35:50  09/10/2014 14:35:50  krbtgt/example@example.com
> 
> 
> [root@client1 ~]# ipa-getkeytab  --server=ipa.example.com
>  --principal=host/client1.example.com
>  --keytab=/etc/krb5.keytab
> Operation failed! Insufficient access rights
> 
> 
> I can't retrieve the key ..

I'd need to see the smart-proxy user, show --all --raw would be best.

I just tested this on a RHEL-6 instance I had handy and it worked fine:

# ipa user-add --first=test --last=user tuser1 --password
# ipa role-add 'host keytab' --desc 'manage host keytabs'
# ipa privilege-add 'manage host keytab' --desc 'manage host keytabs'
# ipa privilege-add-permission 'manage host keytab'
--permissions='manage host keytab'
# ipa role-add-privilege 'host keytab' --privileges='manage host keytab'
# ipa role-add-member --users=tuser1 'host keytab'
# kinit tuser1
# ipa-getkeytab -s `hostname` -k /tmp/test.keytab -p host/test.example.com
Keytab successfully retrieved and stored in: /tmp/test.keytab

rob

> 
> 2014-09-09 16:14 GMT+02:00 Rob Crittenden :
> 
> James James wrote:
> > My IPA version is 3.0.0 .
> > Thanks
> 
> The permission 'Manage host keytab' should do the trick.
> 
> rob
> 
> >
> > 2014-09-09 1:22 GMT+02:00 Dmitri Pal :
> >
> > On 09/08/2014 06:52 PM, James James wrote:
> >> Hi everybody,
> >>
> >> I want a user to be able to do ipa-getkeytab to retrieve the keys
> >> from any host in the realm.
> >>
> >> How can I do this ?
> >>
> >> Where I can find an ACI example
> >> (https://www.redhat.com/archives/freeipa-users/2010-July/msg00024.html)
> >> which can help me ?
> >>
> >>
> >> Thanks for your help.
> >>
> >>
> >>
> >>
> > Which version of IPA?
> > The reason for the question is because in FreeIPA 4.0 the ACIs
> > were significantly reworked.
> >
> > --
> > Thank you,
> > Dmitri Pal
> >
> > Sr. Engineering Manager IdM portfolio
> > Red Hat, Inc.
> >
> >
> >
> >
> >
> >
> 
> 



Re: [Freeipa-users] ACI for ipa-getkeytab

2014-09-09 Thread Rob Crittenden
James James wrote:
> My IPA version is 3.0.0 .
> Thanks

The permission 'Manage host keytab' should do the trick.

rob

> 
> 2014-09-09 1:22 GMT+02:00 Dmitri Pal :
> 
> On 09/08/2014 06:52 PM, James James wrote:
>> Hi everybody,
>>
>> I want a user to be able to do ipa-getkeytab to retrieve the keys
>> from any host in the realm.
>>
>> How can I do this ?
>>
>> Where I can find an ACI example
>> (https://www.redhat.com/archives/freeipa-users/2010-July/msg00024.html)
>> which can help me ?
>>
>>
>> Thanks for your help.
>>
>>
>>
>>
> Which version of IPA?
> The reason for the question is because in FreeIPA 4.0 the ACIs
> were significantly reworked.
> 
> -- 
> Thank you,
> Dmitri Pal
> 
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
> 
> 
> 
> 
> 
> 



Re: [Freeipa-users] ACI for ipa-getkeytab

2014-09-09 Thread James James
My IPA version is 3.0.0 .
Thanks

2014-09-09 1:22 GMT+02:00 Dmitri Pal :

>  On 09/08/2014 06:52 PM, James James wrote:
>
>   Hi everybody,
>
>  I want a user to be able to do ipa-getkeytab to retrieve the keys from
> any host in the realm.
>
>  How can I do this ?
>
> Where I can find an ACI example (
> https://www.redhat.com/archives/freeipa-users/2010-July/msg00024.html)
> which can help me ?
>
>
>  Thanks for your help.
>
>
>
>
>  Which version of IPA?
> The reason for the question is because in FreeIPA 4.0 the ACIs were
> significantly reworked.
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
>
>
>

Re: [Freeipa-users] ACI for ipa-getkeytab

2014-09-08 Thread Dmitri Pal

On 09/08/2014 06:52 PM, James James wrote:

> Hi everybody,
>
> I want a user to be able to do ipa-getkeytab to retrieve the keys from
> any host in the realm.
>
> How can I do this ?
>
> Where I can find an ACI example
> (https://www.redhat.com/archives/freeipa-users/2010-July/msg00024.html) which
> can help me ?
>
> Thanks for your help.

Which version of IPA?
The reason for the question is because in FreeIPA 4.0 the ACIs were
significantly reworked.


--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.


[Freeipa-users] ACI for ipa-getkeytab

2014-09-08 Thread James James
Hi everybody,

I want a user to be able to do ipa-getkeytab to retrieve the keys from any
host in the realm.

How can I do this ?

Where I can find an ACI example (
https://www.redhat.com/archives/freeipa-users/2010-July/msg00024.html)
which can help me ?


Thanks for your help.