Super that worked a treat thanks, however I see that the host can run the
automember rebuild on any other host which might not be desirable.
I'll have a loot at Alexander's previous suggestion too with regards to
creating a host entry with particular attributes set prior to running the
ipa-client-install command.
Thanks again
Angus
________________________________
From: Rob Crittenden <rcrit...@redhat.com>
Sent: 25 May 2022 20:24
To: FreeIPA users list <freeipa-users@lists.fedorahosted.org>; Alexander
Bokovoy <aboko...@redhat.com>
Cc: Angus Clarke <an...@charworth.com>
Subject: Re: [Freeipa-users] Re: hostgroup automember rules
This is controlled by the permission 'Add Automember Rebuild Membership
Task'. There is a related privilege, 'Automember Task Administrator'.
To limit what you're allowing to the minimum I'd create a new role like
'Hosts can rebuild automember' and add your host(s) to it.
rob
Angus Clarke via FreeIPA-users wrote:
> Hi Alexander
>
>> There are two ways of setting these fields:
>>
>> - prior to enrollment, by pre-creating a host and setting the
>> attributes at that time.
>>
>> - after the enrollment, right from the host using host keytab
>
> I started looking at the latter as it seems a simpler route, the host
> principal seems to lack the write to rebuild automembership for itself -
> is this something I can change?
>
> [root@blah ~]# kinit -k
> [root@blah ~]# ipa automember-rebuild --hosts=`hostname`
> ipa: ERROR: Insufficient access: Insufficient 'add' privilege to add the
> entry 'cn=automember rebuild membership,cn=tasks,cn=config'.
>
> Thanks a lot
> Angus
>
>
>
> ------------------------------------------------------------------------
> *From:* Alexander Bokovoy <aboko...@redhat.com>
> *Sent:* 20 May 2022 13:39
> *To:* FreeIPA users list <freeipa-users@lists.fedorahosted.org>
> *Cc:* Angus Clarke <an...@charworth.com>
> *Subject:* Re: [Freeipa-users] hostgroup automember rules
>
> Hi Angus,
>
> On pe, 20 touko 2022, Angus Clarke via FreeIPA-users wrote:
>>Hello
>>
>>FreeIPA 4.6.8
>>
>>We are very happy with hostgroup automember rules based on servername
>>attribute however one of our internal customers uses a generic
>>servername template for all of their servers regardless of its
>>function.
>>
>>So I'm wondering what other attributes I might use for hostgroup
>>automember - perhaps some of the attributes can be configured by the
>>ipa-client-install (the host's "description" field perhaps) although I
>>don't see such mention in the man page ... Presumably they could use a
>>different enrollment user ("enrolledby") for each of their hostgroup
>>functions (not ideal.)
>>
>>There are various attribute fields in the WebUI but I don't find much
>>documentation for them. What is the "|" field - perhaps I can exploit
>>this somehow?
>
> Few years ago a customer of mine asked a similar question. Here is what
> I answered:
>
> ----------------------------------------------------------------------
> You can use nsHardwarePlatform attribute (part of nsHost objectclass).
> It is exposed as '--platform' in IPA CLI for 'ipa host-*' commands.
>
> Originally it was supposed to be filled by the IPA client join process
> to 'uname -m' value. ipa-join tools still sends it to the server but the
> value is ignored completely by the join process. As the result,
> nsHardwarePlatform attribute is never set on the host object.
>
> I don't see any code in IPA itself that would rely on the content of
> nsHardwarePlatform attribute. We have web UI tests upstream that modify
> the field to test that you can modify it but that's all.
>
> Alternatively, one can use userClass attribute (--class in IPA CLI for
> host-* commands). This one is also not utilized and is left specifically
> for the customers to define its semantics.
>
> Another alternative is nsHostLocation attribute (--location in IPA CLI
> for host-*
> commands). Again, the semantics is totally left for customers to define.
>
> ----------------------------------------------------------------------
>
> There are two ways of setting these fields:
>
> - prior to enrollment, by pre-creating a host and setting the
> attributes at that time.
>
> - after the enrollment, right from the host using host keytab
>
> The former can be done by a designated user/service account and can be
> tuned with custom permissions to allow such modification. The latter
> relies on the fact that the host principal has some write rights
> already:
>
> # kinit -k
>
> # ipa host-show `hostname` --rights --all
> dn: fqdn=dc.ipa.test,cn=computers,cn=accounts,dc=ipa,dc=test
> Host name: dc.ipa.test
> Principal name: host/dc.ipa.t...@ipa.test
> Principal alias: host/dc.ipa.t...@ipa.test
> SSH public key: [skip]
> SSH public key fingerprint: [skip]
> Requires pre-authentication: True
> Trusted for delegation: False
> Trusted to authenticate as user: False
> Password: False
> Member of host-groups: ipaservers
> Keytab: True
> Managed by: dc.ipa.test
> Managing: dc.ipa.test
> attributelevelrights: {'aci': '', 'cn': 'rscwo', 'description':
> 'rscwo', 'enrolledby': 'rsc', 'fqdn': 'rsc', 'ipaassignedidview': 'rsc',
> 'ipaclientversion': 'rsc', 'ipakrbauthzdata': 'rsc', 'ipasshpubkey':
> 'rscwo', 'ipauniqueid': 'rsc', 'krballowedtodelegateto': '',
> 'krbauthindmaxrenewableage': '', 'krbauthindmaxticketlife': '',
> 'krbcanonicalname': 'rsc', 'krbextradata': '', 'krblastadminunlock': '',
> 'krblastfailedauth': '', 'krblastpwdchange': 'rscwo',
> 'krblastsuccessfulauth': '', 'krbloginfailedcount': '',
> 'krbmaxrenewableage': '', 'krbmaxticketlife': '', 'krbobjectreferences':
> '', 'krbpasswordexpiration': 'rsc', 'krbprincipalaliases': 'rsc',
> 'krbprincipalauthind': 'rsc', 'krbprincipalexpiration': 'rsc',
> 'krbprincipalkey': 'swo', 'krbprincipalname': 'rsc', 'krbprincipaltype':
> '', 'krbpwdhistory': '', 'krbpwdpolicyreference': '', 'krbticketflags':
> '', 'krbticketpolicyreference': '', 'krbupenabled': '', 'l': 'rscwo',
> 'managedby': 'rsc', 'memberof': 'rsc', 'nsaccountlock': '',
> 'nshardwareplatform': 'rscwo', 'nshostlocation': 'rscwo', 'nsosversion':
> 'rscwo', 'objectclass': 'rsc', 'serverhostname': 'rsc',
> 'usercertificate': 'rscwo', 'userclass': 'rsc', 'userpassword': 'swo'}
> cn: dc.ipa.test
> ipauniqueid: b179f1ea-c4b8-11ec-9e86-52540083ff9d
> krblastpwdchange: 20220425165647Z
> objectclass: top, ipaobject, nshost, ipahost, ipaservice, pkiuser,
> krbprincipalaux, krbprincipal, krbticketpolicyaux, ipasshhost,
> ipaSshGroupOfPubKeys
> serverhostname: dc
>
> So, the host/dc.ipa.t...@ipa.test principal can write to:
>
> - nsHardwarePlatform
> - nsHostLocation
> - nsOSVersion
> - l (locality)
> - description
>
> but it cannot write to 'userClass' attribute.
>
> A handy mapping between attributes and command parameters is
> 'show-mappings' command:
>
> # ipa show-mappings host-mod
> Parameter : LDAP attribute
> ========= : ==============
> desc : description?
> locality : l?
> location : nshostlocation?
> platform : nshardwareplatform?
> os : nsosversion?
> password : userpassword?
> random : random?
> certificate : usercertificate*
> krbprincipalname : krbprincipalname*
> macaddress : macaddress*
> sshpubkey : ipasshpubkey*
> class : userclass*
> auth-ind : krbprincipalauthind*
> requires-pre-auth : ipakrbrequirespreauth?
> ok-as-delegate : ipakrbokasdelegate?
> ok-to-auth-as-delegate : ipakrboktoauthasdelegate?
> rights : rights
> updatedns : updatedns?
>
> If you want to change parameters from the host itself, it would be
> possible with
>
> # kinit -k
> # ipa host-mod `hostname` --locality=foo --location=bar
> --platform=some-platform --desc=some-host
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
>
>
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct:
> https://nam12.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.fedoraproject.org%2Fen-US%2Fproject%2Fcode-of-conduct%2F&data=05%7C01%7C%7C120c9397a8344b81d60908da3e7bd444%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637890998808897156%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=ozj1%2F%2F1VqYpIM5N%2FWfW%2FCeHyCTYlwKe%2FSKAw4Q1N3kA%3D&reserved=0
> List Guidelines:
> https://nam12.safelinks.protection.outlook.com/?url=https%3A%2F%2Ffedoraproject.org%2Fwiki%2FMailing_list_guidelines&data=05%7C01%7C%7C120c9397a8344b81d60908da3e7bd444%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637890998808897156%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=D6Ul%2B5RevVjwOM4CIjqk%2FJeL0eGTMikDXuTdF88%2FgGo%3D&reserved=0
> List Archives:
> https://nam12.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.fedorahosted.org%2Farchives%2Flist%2Ffreeipa-users%40lists.fedorahosted.org&data=05%7C01%7C%7C120c9397a8344b81d60908da3e7bd444%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637890998808897156%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=jOY8uymTqHQeQPFNEqsU4XMIJa5xzwcrSp0EjYRsEpA%3D&reserved=0
> Do not reply to spam on the list, report it:
> https://nam12.safelinks.protection.outlook.com/?url=https%3A%2F%2Fpagure.io%2Ffedora-infrastructure&data=05%7C01%7C%7C120c9397a8344b81d60908da3e7bd444%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637890998808897156%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=NwAVCooLqyyI7Ro3bJqs%2BMKmdKLU6YFSanPTDgrSgP4%3D&reserved=0
>
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
