Hi all, I have been exploring using a service account with restricted permissions to add and enrol hosts, rather than using an administrative user. I based the account details on an earlier posting to this list ( https://www.redhat.com/archives/freeipa-users/2016-January/msg00524.html), but ran into a couple of things that I found odd:
1. The service account needs to be explicitly granted permission to read itself. When a host was previously enrolled with FreeIPA and has run `ipa-client-install --uninstall`, a fresh `ipa-client-install` using a service user fails unless the host is manually deleted with `ipa host-del`, or the service user is explicitly granted permission to read itself. Without either of the above, `ipa-client-install` fails with an error "Joining realm failed: RPC failed at server. host with name "my.hostname.domain" already exists". On the server side, for some reason the service user tries to look itself up to check if it's got permissions to modify the host (which it does). It does not seem to have permissions to look itself up by default in the cn=sysaccounts,cn=etc tree, so the permission check fails, and throws the error above. I'm granting the service account the following permission to work around this, but I'm a little confused as to why it's required: ipa permission-add 'Read Host Join User' --target=uid=my-join-user,cn=sysaccounts,cn=etc,dc=example,dc=com --right=read --right=search --right=compare --attrs='*' Is that permission going to cause the service account to be able to do anything it shouldn't, or does it look okay? 2. The service account's password expiry must be set in a separate ldapmodify call I tried to create the service account with a password that does not expire by setting "krbPasswordExpiration: 20380119031407Z" on the account when it is created, but it seems to be immediately overwritten. If I create the account in one ldapmodify call, and set the password expiration in a separate call, the expiration seems to stick. Is that expected, or am I setting the expiration incorrectly? I've included the full set of commands I'm using the setup my service account for host enrolment, in case something I'm doing wrong is causing the above strangeness. I'm running FreeIPA 4.2.0 on CentOS 7. I'd be keen for some feedback on this approach, and whether it's normal to have to use the workarounds above. Thanks, Nicholas. ## Configure the account used by hosts to join the domain # Authenticate so the ipa commands can run kinit admin # (System account needs special permissions to read itself) ipa permission-add 'Read Host Join User' --target=uid=my-join-user,cn=sysaccounts,cn=etc,dc=example,dc=com --right=read --right=search --right=compare --attrs='*' ipa privilege-add 'Read Host Join User' ipa privilege-add-permission --permissions='Read Host Join User' 'Read Host Join User' ipa privilege-add 'Add Hosts' ipa privilege-add-permission --permissions='System: Add Hosts' 'Add Hosts' # Role to assign to the system account, with permissions to enrol hosts, add hosts, and read itself ipa role-add --desc="Host Joining" 'Host Joining' ipa role-add-privilege --privileges='Host Enrollment' 'Host Joining' ipa role-add-privilege --privileges='Add Hosts' 'Host Joining' ipa role-add-privilege --privileges='Read Host Join User' 'Host Joining' # Drop admin permissions kdestroy # Create the system account in LDAP and add it to the new role cat <<LDIF_END | ldapmodify -x -D 'cn=Directory Manager' -W dn: uid=my-join-user,cn=sysaccounts,cn=etc,dc=example,dc=com changetype: add objectclass: account objectclass: simplesecurityobject objectclass: inetUser objectClass: krbprincipalaux objectClass: krbticketpolicyaux uid: my-join-user krbPrincipalName: my-join-u...@example.com userPassword: averysecurepassword passwordExpirationTime: 20380119031407Z nsIdleTimeout: 0 dn: cn=Host Joining,cn=roles,cn=accounts,dc=example,dc=com changetype: modify add: member member: uid=my-join-user,cn=sysaccounts,cn=etc,dc=example,dc=com LDIF_END # Ensure the join user's password does not expire. This must be set in a separate ldapmodify call or it gets overwritten cat <<LDIF_END | ldapmodify -x -D 'cn=Directory Manager' -W dn: uid=my-join-user,cn=sysaccounts,cn=etc,dc=example,dc=com changetype: modify replace: krbPasswordExpiration krbPasswordExpiration: 20380119031407Z LDIF_END # NB: the trailing empty line after each entry is required in the above LDIFs
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
