Re: [Freeipa-users] ACI for ipa-getkeytab

2014-09-09 Thread James James
My IPA version is 3.0.0. Thanks

2014-09-09 1:22 GMT+02:00 Dmitri Pal d...@redhat.com:
> On 09/08/2014 06:52 PM, James James wrote:
>> Hi everybody, I want a user to be able to do ipa-getkeytab to retrieve the keys from any host in the realm. How can I do this? Where I can find an ACI

Re: [Freeipa-users] ACI for ipa-getkeytab

2014-09-09 Thread Rob Crittenden
James James wrote:
> My IPA version is 3.0.0. Thanks

The permission 'Manage host keytab' should do the trick.

rob

> 2014-09-09 1:22 GMT+02:00 Dmitri Pal d...@redhat.com:
>> On 09/08/2014 06:52 PM, James James wrote:
>>> Hi everybody, I want a user to be able

Re: [Freeipa-users] ACI for ipa-getkeytab

2014-09-09 Thread Rob Crittenden
James James wrote:
> My user: realm-proxy is in a group (Smart Proxy Host Management) which has the Manager host keytab permission:
>
>   Permission name: Manage host keytab
>   Permissions: write
>   Attributes: krbprincipalkey, krblastpwdchange
>   Type: host
>   Granted to Privilege: Host

Re: [Freeipa-users] ACI for ipa-getkeytab

2014-09-09 Thread James James
SOLVED. realm-proxy has to be indirect member of:

  memberofindirect: cn=manage host keytab,cn=privileges,cn=pbac,dc=example,dc=com

Thanks for your help.

2014-09-09 16:59 GMT+02:00 Rob Crittenden rcrit...@redhat.com:
> James James wrote:
>> My user: realm-proxy is in a group (Smart Proxy Host

Re: [Freeipa-users] ACI for ipa-getkeytab

2014-09-08 Thread Dmitri Pal
On 09/08/2014 06:52 PM, James James wrote:
> Hi everybody, I want a user to be able to do ipa-getkeytab to retrieve the keys from any host in the realm. How can I do this? Where I can find an ACI example (https://www.redhat.com/archives/freeipa-users/2010-July/msg00024.html) which can