Hi Alexander,

This doc is really great.

I have added the delegation target but we still get an err=50 when running our "add_user" script on the webserver. On the IPA server we see a keytab file configured in the php.ini and on the webserver we don't. Configs are quite the same here actually. Something simple must be wrong I guess.

Thanks so far for the effort!

Cheers,

Matt

2013/7/29 Alexander Bokovoy <aboko...@redhat.com>

> Hi!
>
> On Mon, 29 Jul 2013, Matt . wrote:
>
>> Hi Alexander,
>>
>> That is great!
>>
>> I hope that someone can find this topic and use it as reference as it took
>> us some time to find the other one :)
>>
> You can find my blog post here:
> http://vda.li/en/posts/2013/07/29/Setting-up-S4U2Proxy-with-FreeIPA/index.html
>
> Hope it helps. I've tested the scenario on Fedora 19.
>
>> Thanks!
>>
>> Cheers,
>>
>> Matt
>>
>> 2013/7/29 Alexander Bokovoy <aboko...@redhat.com>
>>
>>> Hi Matt,
>>>
>>> On Mon, 29 Jul 2013, Matt . wrote:
>>>
>>>> Hi all,
>>>>
>>>> Referring to this topic:
>>>> https://www.redhat.com/archives/freeipa-users/2013-July/msg00318.html
>>>>
>>>> We are now able to do a show_user from a webserver on an IPA server, but
>>>> user_add gives a problem in rights.
>>>>
>>>> On the IPA server there is added to the services:
>>>> HTTP/test-webserver.dev.domain.local@DEV.DOMAIN.LOCAL
>>>> <https://test-zip.dev.msp.cullie.local/ipa/ui/#HTTP/test-zip-2.dev.msp.cullie.lo...@dev.msp.CULLIE.LOCAL>
>>>>
>>>> We installed mod_auth_kerb on the webserver and the IPA-server and created
>>>> a keytab also on both servers.
>>>> <https://test-zip.dev.msp.cullie.local/ipa/ui/#HTTP/test-zip-2.dev.msp.cullie.lo...@dev.msp.CULLIE.LOCAL>
>>>>
>>>> With our script we still get the following error because of the rights that
>>>> the user has:
>>>>
>>>> ipa: ERROR: Insufficient access: Insufficient 'add' privilege to the
>>>> 'userPassword' attribute
>>>>
>>>> When we add a user "apache" to the IPA server and give it admin rights and
>>>> set it to the "User Administrator" Role we still don't have the right
>>>> privileges to do so.
>>>>
>>>> We need to setup a S4U2Proxy where we thought of that we did by installing
>>>> the mod_auth_kerb on the webserver, but this seems to be on the IPA
>>>> servers.
>>>>
>>>> The same question for the keytab, where do we use it when we use a simple
>>>> webserver form to add a user ? It's the same as in the topic here where
>>>> there is spoken about the "User privileges":
>>>> http://comments.gmane.org/gmane.linux.redhat.freeipa.user/8244
>>>>
>>>> What do we have to do on which server ? We have put a lot of time into the
>>>> user_show part and that works, now we still need the user_add (and so
>>>> on).
>>>>
>>>> Has anyone some sort of sample/howto for this ?
>>>>
>>> As I said on IRC, I'm working on the article which explains all that.
>>> Stay tuned.
>>>
>>> --
>>> / Alexander Bokovoy
>>>
>
> --
> / Alexander Bokovoy
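The err=50 Matt reports is LDAP result code 50, insufficientAccessRights, returned by the IPA directory server (389-ds) when the identity that bound to LDAP lacks an ACI for the operation. When S4U2Proxy delegation works, the web server binds to the IPA LDAP server with a ticket obtained on behalf of the authenticated web user, so the bound dn on the server side should be that user, not the web server's own service identity. The quickest way to tell which case you are in is to read the 389-ds access log and pair each err=50 RESULT with the dn that actually authenticated on that connection. The script below is an added example written for this thread, not code from the list or from FreeIPA; the log lines it parses are constructed to follow the 389-ds access-log layout, and all DNs, addresses and connection numbers in them are placeholders.

```python
"""Pair err=50 (insufficientAccessRights) results in a 389-ds access log with
the identity that bound on the same connection.

Added example for triaging the err=50 seen in the thread; not part of the
thread or of FreeIPA. SAMPLE_LOG below is constructed, with placeholder DNs.
"""
import re

# Every access-log line starts with a timestamp and conn=<n>.
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$')
# Operation lines carry op=<n> and an uppercase verb (BIND, ADD, MOD, RESULT...).
OP_RE = re.compile(r'^op=(?P<op>\d+) (?P<kind>[A-Z]+)(?P<detail>.*)$')
# The object an operation acts on: dn="..." for most ops, base="..." for SRCH.
DN_RE = re.compile(r'(?:dn|base)="(?P<dn>[^"]*)"')
ERR_RE = re.compile(r'err=(?P<err>\d+)')

LDAP_INSUFFICIENT_ACCESS = 50  # RFC 4511 resultCode insufficientAccessRights

# Constructed sample: conn=1234 binds via GSSAPI as the web server's own
# "apache" account and is denied an ADD; conn=1235 binds as admin and succeeds.
SAMPLE_LOG = """\
[29/Jul/2013:10:15:02 +0200] conn=1234 fd=64 slot=64 connection from 192.0.2.10 to 192.0.2.5
[29/Jul/2013:10:15:02 +0200] conn=1234 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[29/Jul/2013:10:15:02 +0200] conn=1234 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=apache,cn=users,cn=accounts,dc=dev,dc=domain,dc=local"
[29/Jul/2013:10:15:03 +0200] conn=1234 op=1 ADD dn="uid=newuser,cn=users,cn=accounts,dc=dev,dc=domain,dc=local"
[29/Jul/2013:10:15:03 +0200] conn=1234 op=1 RESULT err=50 tag=105 nentries=0 etime=0
[29/Jul/2013:10:16:10 +0200] conn=1235 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[29/Jul/2013:10:16:10 +0200] conn=1235 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=admin,cn=users,cn=accounts,dc=dev,dc=domain,dc=local"
[29/Jul/2013:10:16:11 +0200] conn=1235 op=1 ADD dn="uid=newuser,cn=users,cn=accounts,dc=dev,dc=domain,dc=local"
[29/Jul/2013:10:16:11 +0200] conn=1235 op=1 RESULT err=0 tag=105 nentries=0 etime=0
"""


def find_access_denials(log_text):
    """Return one dict per err=50 RESULT: when, which conn/op, what kind of
    operation, its target dn, and the dn that authenticated on that conn."""
    bound_dn = {}   # conn -> dn the directory actually authenticated
    pending = {}    # (conn, op) -> (kind, target dn) waiting for its RESULT
    denials = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        conn, rest = m['conn'], m['rest']
        om = OP_RE.match(rest)
        if not om:
            continue  # connection open/close lines carry no op
        op, kind, detail = om['op'], om['kind'], om['detail']
        if kind != 'RESULT':
            dm = DN_RE.search(detail)
            pending[(conn, op)] = (kind, dm['dn'] if dm else '')
            continue
        em = ERR_RE.search(detail)
        started = pending.pop((conn, op), None)
        if em is None or started is None:
            continue
        err = int(em['err'])
        req_kind, target = started
        if req_kind == 'BIND' and err == 0:
            # Simple binds name the dn on the BIND line; SASL/GSSAPI binds
            # only reveal the mapped identity on the RESULT line.
            dm = DN_RE.search(detail)
            bound_dn[conn] = dm['dn'] if dm else target
        elif err == LDAP_INSUFFICIENT_ACCESS:
            denials.append({
                'ts': m['ts'], 'conn': conn, 'op': op,
                'kind': req_kind, 'target': target,
                'bound_as': bound_dn.get(conn, '(anonymous or unknown)'),
            })
    return denials


def summarize(denials):
    """Human-readable one-liners for each denial."""
    return ['%s conn=%s op=%s %s %s denied for %s'
            % (d['ts'], d['conn'], d['op'], d['kind'], d['target'], d['bound_as'])
            for d in denials]


if __name__ == '__main__':
    for line in summarize(find_access_denials(SAMPLE_LOG)):
        print(line)
```

Run it against the real log (/var/log/dirsrv/slapd-*/access on the IPA server) by reading the file into `find_access_denials` instead of SAMPLE_LOG. If the dn in `bound_as` is the web server's service or "apache" account rather than the end user who logged in to the form, the delegation step never happened and the keytab or delegation rule on the web server side is what to look at; if it is the end user, the remaining problem is the user's own privileges, as in the 'userPassword' ACI error quoted in the thread.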
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users