Re: [Freeipa-users] ACI for ipa-getkeytab

2014-09-09 Thread James James
My IPA version is 3.0.0.
Thanks

2014-09-09 1:22 GMT+02:00 Dmitri Pal d...@redhat.com:

  On 09/08/2014 06:52 PM, James James wrote:

   Hi everybody,

  I want a user to be able to do ipa-getkeytab to retrieve the keys from
 any host in the realm.

  How can I do this ?

 Where can I find an ACI example
 (https://www.redhat.com/archives/freeipa-users/2010-July/msg00024.html)
 which can help me?


  Thanks for your help.




  Which version of IPA?
 The reason for the question is that in FreeIPA 4.0 the ACIs were
 significantly reworked.

 --
 Thank you,
 Dmitri Pal

 Sr. Engineering Manager IdM portfolio
 Red Hat, Inc.


 --
 Manage your subscription for the Freeipa-users mailing list:
 https://www.redhat.com/mailman/listinfo/freeipa-users
 Go To http://freeipa.org for more info on the project


Re: [Freeipa-users] ACI for ipa-getkeytab

2014-09-09 Thread Rob Crittenden
James James wrote:
 My IPA version is 3.0.0.
 Thanks

The permission 'Manage host keytab' should do the trick.

rob

 


Re: [Freeipa-users] ACI for ipa-getkeytab

2014-09-09 Thread Rob Crittenden
James James wrote:
 My user realm-proxy is in a group (Smart Proxy Host Management) which
 has the Manage host keytab permission:
 
   Permission name: Manage host keytab
   Permissions: write
   Attributes: krbprincipalkey, krblastpwdchange
   Type: host
   Granted to Privilege: Host Administrators, Host Enrollment, Smart Proxy Host Management
 
 
 When I try to retrieve a keytab from another host when my principal is
 the realm-proxy:
 
 
 [root@client1 ~]# kinit realm-pr...@example.com -k -t /tmp/freeipa.keytab
 
 [root@client1 ~]# klist
 
 Ticket cache: KEYRING:persistent:0:0
 Default principal: realm-pr...@example.com
 
 Valid starting       Expires              Service principal
 09/09/2014 14:35:50  09/10/2014 14:35:50  krbtgt/example@example.com
 
 [root@client1 ~]# ipa-getkeytab --server=ipa.example.com --principal=host/client1.example.com --keytab=/etc/krb5.keytab
 Operation failed! Insufficient access rights
 
 
 I can't retrieve the key...

I'd need to see the smart-proxy user, show --all --raw would be best.

I just tested this on a RHEL-6 instance I had handy and it worked fine:

# ipa user-add --first=test --last=user tuser1 --password
# ipa role-add 'host keytab' --desc 'manage host keytabs'
# ipa privilege-add 'manage host keytab' --desc 'manage host keytabs'
# ipa privilege-add-permission 'manage host keytab' --permissions='manage host keytab'
# ipa role-add-privilege 'host keytab' --privileges='manage host keytab'
# ipa role-add-member --users=tuser1 'host keytab'
# kinit tuser1
# ipa-getkeytab -s `hostname` -k /tmp/test.keytab -p host/test.example.com
Keytab successfully retrieved and stored in: /tmp/test.keytab

rob

 


Re: [Freeipa-users] ACI for ipa-getkeytab

2014-09-09 Thread James James
SOLVED.

realm-proxy has to be an indirect member of:
memberofindirect: cn=manage host keytab,cn=privileges,cn=pbac,dc=example,dc=com

Thanks for your help.

2014-09-09 16:59 GMT+02:00 Rob Crittenden rcrit...@redhat.com:

 James James wrote:
  My user realm-proxy is in a group (Smart Proxy Host Management) which
  has the Manage host keytab permission:
 
Permission name: Manage host keytab
Permissions: write
Attributes: krbprincipalkey, krblastpwdchange
Type: host
    Granted to Privilege: Host Administrators, Host Enrollment, Smart Proxy Host Management
 
 
  When I try to retrieve a keytab from another host when my principal is
  the realm-proxy:
 
 
  [root@client1 ~]# kinit realm-pr...@example.com -k -t /tmp/freeipa.keytab
  
  [root@client1 ~]# klist
  
  Ticket cache: KEYRING:persistent:0:0
  Default principal: realm-pr...@example.com
  
  Valid starting       Expires              Service principal
  09/09/2014 14:35:50  09/10/2014 14:35:50  krbtgt/example@example.com
  
  [root@client1 ~]# ipa-getkeytab --server=ipa.example.com --principal=host/client1.example.com --keytab=/etc/krb5.keytab
  Operation failed! Insufficient access rights
 
 
  I can't retrieve the key...

 I'd need to see the smart-proxy user, show --all --raw would be best.

 I just tested this on a RHEL-6 instance I had handy and it worked fine:

 # ipa user-add --first=test --last=user tuser1 --password
 # ipa role-add 'host keytab' --desc 'manage host keytabs'
 # ipa privilege-add 'manage host keytab' --desc 'manage host keytabs'
 # ipa privilege-add-permission 'manage host keytab' --permissions='manage host keytab'
 # ipa role-add-privilege 'host keytab' --privileges='manage host keytab'
 # ipa role-add-member --users=tuser1 'host keytab'
 # kinit tuser1
 # ipa-getkeytab -s `hostname` -k /tmp/test.keytab -p host/test.example.com
 Keytab successfully retrieved and stored in: /tmp/test.keytab

 rob

 
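The thread's root cause is the difference between being in a user group that merely shares a name with a privilege and being wired into the user -> role -> privilege -> permission chain that FreeIPA's RBAC actually evaluates (the chain the CLI surfaces as memberof / memberofindirect). The following is an added example, not code from FreeIPA or from anyone in this thread: an in-memory model of the relevant entries, constructed to mirror Rob's test (tuser1 in role 'host keytab', which holds privilege 'manage host keytab') and James's broken state (realm-proxy only in the plain group 'Smart Proxy Host Management', which no role contains). It resolves whether a subject is effectively granted a permission and, if so, through which chain; the role name 'smart proxy' used for the fix is hypothetical.

```python
"""Resolve FreeIPA-style RBAC membership: user -> group/role -> privilege -> permission.

Added example, not FreeIPA project code. All directory data below is constructed;
entry names come from the thread, the role 'smart proxy' is a hypothetical name.
"""
from collections import deque

BASE = "dc=example,dc=com"


def pbac(cn, kind):
    """DN of a permission, privilege or role entry under cn=pbac."""
    return f"cn={cn},cn={kind},cn=pbac,{BASE}"


def account(rdn, kind):
    """DN of a user or group entry under cn=accounts."""
    return f"{rdn},cn={kind},cn=accounts,{BASE}"


USER_TUSER1 = account("uid=tuser1", "users")
USER_PROXY = account("uid=realm-proxy", "users")
GROUP_PROXY = account("cn=Smart Proxy Host Management", "groups")
PERM_KEYTAB = pbac("Manage host keytab", "permissions")
PRIV_KEYTAB = pbac("manage host keytab", "privileges")
PRIV_PROXY = pbac("Smart Proxy Host Management", "privileges")
ROLE_KEYTAB = pbac("host keytab", "roles")
ROLE_PROXY = pbac("smart proxy", "roles")  # hypothetical role used by the fix


def constructed_directory():
    """Constructed data: each DN maps to the DNs in its 'member' attribute.

    Users/groups are members of roles, roles are members of privileges and
    privileges are members of permissions, which is how the pbac tree links them.
    """
    return {
        PERM_KEYTAB: [PRIV_KEYTAB, pbac("Host Administrators", "privileges"),
                      pbac("Host Enrollment", "privileges"), PRIV_PROXY],
        PRIV_KEYTAB: [ROLE_KEYTAB],
        PRIV_PROXY: [],              # granted to the permission, but no role holds it
        ROLE_KEYTAB: [USER_TUSER1],
        GROUP_PROXY: [USER_PROXY],   # an ordinary user group, not a role
    }


def _reach(directory, subject):
    """Breadth-first walk up the 'member' links starting from subject.

    Returns {entry: the member it was reached through}. Entries reached in one
    hop are direct memberships; the rest is what the CLI shows as memberofindirect.
    """
    parents = {}
    for entry, members in directory.items():
        for m in members:
            parents.setdefault(m, set()).add(entry)
    prev, queue = {}, deque([subject])
    while queue:
        node = queue.popleft()
        for p in sorted(parents.get(node, ())):
            if p != subject and p not in prev:
                prev[p] = node
                queue.append(p)
    return prev


def memberof(directory, subject):
    """Return (direct memberof, memberofindirect) for subject as sets of DNs."""
    prev = _reach(directory, subject)
    direct = {entry for entry, via in prev.items() if via == subject}
    return direct, set(prev) - direct


def grant_chain(directory, subject, permission):
    """Shortest chain subject -> ... -> permission, or None if not granted."""
    prev = _reach(directory, subject)
    if permission not in prev:
        return None
    chain = [permission]
    while chain[-1] != subject:
        chain.append(prev[chain[-1]])
    return chain[::-1]


def add_member(directory, entry, member):
    """Model what 'ipa role-add-member' / 'ipa role-add-privilege' change in LDAP."""
    members = directory.setdefault(entry, [])
    if member not in members:
        members.append(member)


if __name__ == "__main__":
    d = constructed_directory()
    for user in (USER_TUSER1, USER_PROXY):
        print(user.split(",")[0], "->", grant_chain(d, user, PERM_KEYTAB))
    # The fix from the thread: put the group into a role that holds the privilege.
    add_member(d, ROLE_PROXY, GROUP_PROXY)
    add_member(d, PRIV_PROXY, ROLE_PROXY)
    print("after fix ->", grant_chain(d, USER_PROXY, PERM_KEYTAB))
    print("memberofindirect:", sorted(memberof(d, USER_PROXY)[1]))
```

Run stand-alone, the script shows tuser1 resolving to the permission through role and privilege, realm-proxy resolving to nothing, and, once the group is placed in a role that holds the privilege, realm-proxy gaining the permission with the privilege appearing under memberofindirect, which is exactly the attribute James found on the solved entry. The same walk is what to do against real `--all --raw` output when a keytab fetch fails with "Insufficient access rights": check that the chain reaches a privilege that is a member of 'Manage host keytab', not just that a similarly named group exists.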

Re: [Freeipa-users] ACI for ipa-getkeytab

2014-09-08 Thread Dmitri Pal

On 09/08/2014 06:52 PM, James James wrote:

Hi everybody,

I want a user to be able to do ipa-getkeytab to retrieve the keys from 
any host in the realm.


How can I do this ?

Where can I find an ACI example
(https://www.redhat.com/archives/freeipa-users/2010-July/msg00024.html) which
can help me?



Thanks for your help.





Which version of IPA?
The reason for the question is that in FreeIPA 4.0 the ACIs were
significantly reworked.


--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
