Re: [Freeipa-users] Adding permissions to a service account.
William wrote:
> On Tue, 2014-08-12 at 13:51 -0400, Rob Crittenden wrote:
>> William wrote:
>>> Hi,
>>>
>>> I am trying to allow a radius service account the ability to read
>>> ipaNTHash. I carried out the following steps:
>>>
>>
>> You can't delegate permissions to a service. See
>> https://fedorahosted.org/freeipa/ticket/3644
>>
>> rob
>
> For now, should I just add the service DN as a member of the role to
> enable this?

Theoretically, if you add the service as a member in the role using
ldapmodify then yes, it should work functionally. What the IPA framework
would do with this is another matter. Worst case it would blow up whenever
trying to retrieve this role/privilege/permission/service (or a
combination).

rob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] Adding permissions to a service account.
On 08/13/2014 02:27 AM, William wrote:
> On Tue, 2014-08-12 at 13:51 -0400, Rob Crittenden wrote:
>> William wrote:
>>> Hi,
>>>
>>> I am trying to allow a radius service account the ability to read
>>> ipaNTHash. I carried out the following steps:
>>>
>>
>> You can't delegate permissions to a service. See
>> https://fedorahosted.org/freeipa/ticket/3644
>>
>> rob
>
> For now, should I just add the service DN as a member of the role to
> enable this?

Rob used a wrong ticket, this is the one:
https://fedorahosted.org/freeipa/ticket/3164

It is currently planned for FreeIPA 4.1. If you are interested in
contributing a patch, please feel free to do so, this would be a simple
one :-)

Anyway, to fix your permission delegation problem, check this:

# ipa service-show foo/`hostname` --all --raw | grep "dn:"
dn: krbprincipalname=foo/ipa.mkosek-fedora20.t...@mkosek-fedora20.test,cn=services,cn=accounts,dc=mkosek-fedora20,dc=test

# ipa role-show test_role --all --raw | grep "dn:"
dn: cn=test_role,cn=roles,cn=accounts,dc=mkosek-fedora20,dc=test

# kinit admin
Password for ad...@mkosek-fedora20.test:

# ldapmodify -Y GSSAPI
SASL/GSSAPI authentication started
SASL username: ad...@mkosek-fedora20.test
SASL SSF: 56
SASL data security layer installed.
dn: cn=test_role,cn=roles,cn=accounts,dc=mkosek-fedora20,dc=test
changetype: modify
add: member
member: krbprincipalname=foo/ipa.mkosek-fedora20.t...@mkosek-fedora20.test,cn=services,cn=accounts,dc=mkosek-fedora20,dc=test

modifying entry "cn=test_role,cn=roles,cn=accounts,dc=mkosek-fedora20,dc=test"

# ipa role-show test_role --all --raw
...
member: krbprincipalname=foo/ipa.mkosek-fedora20.t...@mkosek-fedora20.test,cn=services,cn=accounts,dc=mkosek-fedora20,dc=test
...

Then, the role and assigned privileges/permissions should work for this
service.

Martin
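The point both replies turn on is that a FreeIPA permission is evaluated against the DN the client actually binds as. A Kerberos service binds as its own entry under cn=services (the krbprincipalname=... DN that `ipa service-show --raw` and `ldapwhoami` print), not as the host entry under cn=computers that `ipa role-add-member --hosts` added, so the host's role membership grants the service nothing until the service DN itself is a member. The Python below is an added example written for this page; it is not code from the thread, from FreeIPA or from 389-ds. It parses `--raw`/ldapwhoami-style output into an entry, compares DNs after a simple normalisation (LDAP DN matching is case-insensitive and ignores whitespace around separators, so a naive string compare would give false negatives), shows the membership check failing for the host-only role, builds the same kind of LDIF Martin feeds to `ldapmodify -Y GSSAPI`, and re-runs the check against an offline stand-in for the modify. All hostnames, the realm and every DN are constructed sample values.

```python
"""Offline check: is a FreeIPA service's bind DN a member of a role?

Added example for the Freeipa-users thread above; not FreeIPA code.
All sample data is constructed and uses placeholder names.
"""
import re

# Constructed `ipa service-show radius/... --all --raw` output. The `dn:`
# line is what the service binds as; `ldapwhoami` prints the same DN.
SERVICE_SHOW_RAW = """\
dn: krbprincipalname=radius/radius.example.test@EXAMPLE.TEST,cn=services,cn=accounts,dc=example,dc=test
krbprincipalname: radius/radius.example.test@EXAMPLE.TEST
managedby: fqdn=radius.example.test,cn=computers,cn=accounts,dc=example,dc=test
objectclass: ipaobject
objectclass: ipaservice
"""

# Constructed role as it looks after `ipa role-add-member --hosts=...`:
# the *host* entry is a member, the service principal is not.
ROLE_SHOW_RAW_BEFORE = """\
dn: cn=Radius server,cn=roles,cn=accounts,dc=example,dc=test
cn: Radius server
description: Radius server role
member: fqdn=radius.example.test,cn=computers,cn=accounts,dc=example,dc=test
memberof: cn=Radius services,cn=privileges,cn=pbac,dc=example,dc=test
"""


def parse_raw(text):
    """Parse `ipa ... --raw`, ldapwhoami or LDIF text into {attr: [values]}.

    Attribute names are lower-cased; LDIF continuation lines (leading
    space) are folded back onto the previous line.
    """
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        elif line.strip():
            lines.append(line)
    entry = {}
    for line in lines:
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def normalize_dn(dn):
    """Normalise a DN for comparison: lower-case types and values, drop
    whitespace around '=' and ','. Sufficient for ASCII DNs like the ones
    here; full RFC 4514 canonicalisation (escapes, multi-valued RDNs) is
    deliberately out of scope."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, _, value = part.partition("=")
        rdns.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(rdns)


def bind_dn_for_service(service_raw):
    """The DN the service authenticates as (first `dn:` of the raw output)."""
    return parse_raw(service_raw)["dn"][0]


def is_member(role_raw, dn):
    """True if `dn` appears among the role's `member` values."""
    members = {normalize_dn(m) for m in parse_raw(role_raw).get("member", [])}
    return normalize_dn(dn) in members


def add_member_ldif(role_raw, dn):
    """LDIF adding `dn` to the role's `member` attribute, the same change
    the thread applies with `ldapmodify -Y GSSAPI`."""
    role_dn = parse_raw(role_raw)["dn"][0]
    return f"dn: {role_dn}\nchangetype: modify\nadd: member\nmember: {dn}\n"


def apply_ldif_locally(role_raw, ldif):
    """Offline stand-in for ldapmodify: apply an 'add: member' change to the
    raw role text so the membership check can be re-run without a server."""
    change = parse_raw(ldif)
    if change.get("changetype") != ["modify"] or change.get("add") != ["member"]:
        raise ValueError("only 'changetype: modify' with 'add: member' is simulated")
    if normalize_dn(change["dn"][0]) != normalize_dn(parse_raw(role_raw)["dn"][0]):
        raise ValueError("LDIF targets a different entry than the role")
    return role_raw + "".join(f"member: {m}\n" for m in change["member"])


if __name__ == "__main__":
    svc_dn = bind_dn_for_service(SERVICE_SHOW_RAW)
    print("service binds as:", svc_dn)
    print("member of role before:", is_member(ROLE_SHOW_RAW_BEFORE, svc_dn))
    ldif = add_member_ldif(ROLE_SHOW_RAW_BEFORE, svc_dn)
    print("LDIF to feed ldapmodify:\n" + ldif)
    role_after = apply_ldif_locally(ROLE_SHOW_RAW_BEFORE, ldif)
    print("member of role after:", is_member(role_after, svc_dn))
```

Against a live server you would paste the real `ipa service-show --raw` and `ipa role-show --raw` output in place of the constructed strings, and the LDIF the script prints is what goes to `ldapmodify -Y GSSAPI` as in Martin's transcript; the `is_member` check is the test to run after the change, and again after any IPA upgrade, since Rob's caveat that the framework may not expect a service in a role still stands.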
Re: [Freeipa-users] Adding permissions to a service account.
On Tue, 2014-08-12 at 13:51 -0400, Rob Crittenden wrote:
> William wrote:
> > Hi,
> >
> > I am trying to allow a radius service account the ability to read
> > ipaNTHash. I carried out the following steps:
> >
>
> You can't delegate permissions to a service. See
> https://fedorahosted.org/freeipa/ticket/3644
>
> rob

For now, should I just add the service DN as a member of the role to
enable this?

--
William
Re: [Freeipa-users] Adding permissions to a service account.
William wrote:
> Hi,
>
> I am trying to allow a radius service account the ability to read
> ipaNTHash. I carried out the following steps:
>
> ipa permission-add 'ipaNTHash service read' --attrs=ipaNTHash --type=user --permissions=read
> -----------------------------------------
> Added permission "ipaNTHash service read"
> -----------------------------------------
>   Permission name: ipaNTHash service read
>   Permissions: read
>   Attributes: ipanthash
>   Type: user
>
> ipa privilege-add 'Radius services' --desc='Privileges needed to allow radiusd servers to operate'
>
> ipa privilege-add-permission 'Radius services' --permissions='ipaNTHash service read'
>   Privilege name: Radius services
>   Description: Privileges needed to allow radiusd servers to operate
>   Permissions: ipaNTHash service read
> -----------------------------
> Number of permissions added 1
> -----------------------------
>
> ipa role-add 'Radius server' --desc="Radius server role"
> --------------------------
> Added role "Radius server"
> --------------------------
>   Role name: Radius server
>   Description: Radius server role
>
> ipa service-add 'radius/lorna.dev.blackhats.net.au'
> ----------------------------------------------------------------
> Added service "radius/lorna.dev.blackhats.net...@dev.blackhats.net.au"
> ----------------------------------------------------------------
>   Principal: radius/lorna.dev.blackhats.net...@dev.blackhats.net.au
>   Managed by: lorna.dev.blackhats.net.au
>
> ipa role-add-member 'Radius server' --hosts='lorna.dev.blackhats.net.au'
>   Role name: Radius server
>   Description: Radius server role
>   Member hosts: lorna.dev.blackhats.net.au
>   Privileges: Radius services
> -------------------------
> Number of members added 1
> -------------------------
>
> ipa-getkeytab -p 'radius/lorna.dev.blackhats.net.au' -s lorna.dev.blackhats.net.au -k /root/radiusd.keytab
> kinit -t /root/radiusd.keytab -k radius/lorna.dev.blackhats.net.au
>
> After these steps I did an ldapwhoami and attempted to get the ipaNTHash
> from an account: it didn't work. I believe this is because the whoami
> shows the account binds as a different DN than the host account, thus
> the permission isn't applied. But there is no way in the UI or CLI to
> add permissions to a service account. How should I proceed?

You can't delegate permissions to a service. See
https://fedorahosted.org/freeipa/ticket/3644

rob
[Freeipa-users] Adding permissions to a service account.
Hi,

I am trying to allow a radius service account the ability to read
ipaNTHash. I carried out the following steps:

ipa permission-add 'ipaNTHash service read' --attrs=ipaNTHash --type=user --permissions=read
-----------------------------------------
Added permission "ipaNTHash service read"
-----------------------------------------
  Permission name: ipaNTHash service read
  Permissions: read
  Attributes: ipanthash
  Type: user

ipa privilege-add 'Radius services' --desc='Privileges needed to allow radiusd servers to operate'

ipa privilege-add-permission 'Radius services' --permissions='ipaNTHash service read'
  Privilege name: Radius services
  Description: Privileges needed to allow radiusd servers to operate
  Permissions: ipaNTHash service read
-----------------------------
Number of permissions added 1
-----------------------------

ipa role-add 'Radius server' --desc="Radius server role"
--------------------------
Added role "Radius server"
--------------------------
  Role name: Radius server
  Description: Radius server role

ipa service-add 'radius/lorna.dev.blackhats.net.au'
----------------------------------------------------------------
Added service "radius/lorna.dev.blackhats.net...@dev.blackhats.net.au"
----------------------------------------------------------------
  Principal: radius/lorna.dev.blackhats.net...@dev.blackhats.net.au
  Managed by: lorna.dev.blackhats.net.au

ipa role-add-member 'Radius server' --hosts='lorna.dev.blackhats.net.au'
  Role name: Radius server
  Description: Radius server role
  Member hosts: lorna.dev.blackhats.net.au
  Privileges: Radius services
-------------------------
Number of members added 1
-------------------------

ipa-getkeytab -p 'radius/lorna.dev.blackhats.net.au' -s lorna.dev.blackhats.net.au -k /root/radiusd.keytab
kinit -t /root/radiusd.keytab -k radius/lorna.dev.blackhats.net.au

After these steps I did an ldapwhoami and attempted to get the ipaNTHash
from an account: it didn't work. I believe this is because the whoami
shows the account binds as a different DN than the host account, thus
the permission isn't applied. But there is no way in the UI or CLI to
add permissions to a service account. How should I proceed?