Re: [Freeipa-users] ACI for ipa-getkeytab

2014-09-09 Thread James James
SOLVED. realm-proxy has to be indirect member of :

memberofindirect: cn=manage host keytab,cn=privileges,cn=pbac,dc=example,dc=com

Thanks for your help.

2014-09-09 16:59 GMT+02:00 Rob Crittenden:
> James James wrote:
> > My user : realm-proxy is in a group (Smart Proxy Host Management) which
>

Re: [Freeipa-users] ACI for ipa-getkeytab

2014-09-09 Thread Rob Crittenden
James James wrote:
> My user : realm-proxy is in a group (Smart Proxy Host Management) which
> has the Manager host keytab permission :
>
> Permission name: Manage host keytab
> Permissions: write
> Attributes: krbprincipalkey, krblastpwdchange
> Type: host
> Granted to Privilege: Host

Re: [Freeipa-users] ACI for ipa-getkeytab

2014-09-09 Thread Rob Crittenden
James James wrote:
> My IPA version is 3.0.0 .
> Thanks

The permission 'Manage host keytab' should do the trick.

rob

>
> 2014-09-09 1:22 GMT+02:00 Dmitri Pal:
>
> On 09/08/2014 06:52 PM, James James wrote:
>> Hi everybody,
>>
>> I want a user to be able t

Re: [Freeipa-users] ACI for ipa-getkeytab

2014-09-09 Thread James James
My IPA version is 3.0.0 .

Thanks

2014-09-09 1:22 GMT+02:00 Dmitri Pal:
> On 09/08/2014 06:52 PM, James James wrote:
>
> Hi everybody,
>
> I want a user to be able to do ipa-getkeytab to retrieve the keys from
> any host in the realm.
>
> How can I do this ?
>
> Where I can find an ACI examp

Re: [Freeipa-users] ACI for ipa-getkeytab

2014-09-08 Thread Dmitri Pal
On 09/08/2014 06:52 PM, James James wrote:

Hi everybody,

I want a user to be able to do ipa-getkeytab to retrieve the keys from any host in the realm.

How can I do this ?

Where I can find an ACI example (https://www.redhat.com/archives/freeipa-users/2010-July/msg00024.html) which can help