Hi, I am trying to allow a radius service account the ability to read ipaNTHash. I carried out the following steps:
ipa permission-add 'ipaNTHash service read' --attrs=ipaNTHash --type=user --permissions=read
-----------------------------------------
Added permission "ipaNTHash service read"
-----------------------------------------
  Permission name: ipaNTHash service read
  Permissions: read
  Attributes: ipanthash
  Type: user

ipa privilege-add 'Radius services' --desc='Privileges needed to allow radiusd servers to operate'

ipa privilege-add-permission 'Radius services' --permissions='ipaNTHash service read'
  Privilege name: Radius services
  Description: Privileges needed to allow radiusd servers to operate
  Permissions: ipaNTHash service read
-----------------------------
Number of permissions added 1
-----------------------------

ipa role-add 'Radius server' --desc="Radius server role"
--------------------------
Added role "Radius server"
--------------------------
  Role name: Radius server
  Description: Radius server role

ipa service-add 'radius/lorna.dev.blackhats.net.au'
----------------------------------------------------------------------
Added service "radius/lorna.dev.blackhats.net...@dev.blackhats.net.au"
----------------------------------------------------------------------
  Principal: radius/lorna.dev.blackhats.net...@dev.blackhats.net.au
  Managed by: lorna.dev.blackhats.net.au

ipa role-add-member 'Radius server' --hosts='lorna.dev.blackhats.net.au'
  Role name: Radius server
  Description: Radius server role
  Member hosts: lorna.dev.blackhats.net.au
  Privileges: Radius services
-------------------------
Number of members added 1
-------------------------

ipa-getkeytab -p 'radius/lorna.dev.blackhats.net.au' -s lorna.dev.blackhats.net.au -k /root/radiusd.keytab

kinit -t /root/radiusd.keytab -k radius/lorna.dev.blackhats.net.au

After these steps I ran ldapwhoami and attempted to read ipaNTHash from an account. It didn't work. I believe this is because whoami shows the account binding as a different DN than the host account, so the permission isn't applied.
But there is no way in the UI or CLI to add permissions to a service account. How should I proceed?

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
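The diagnostic the poster describes (kinit with the service keytab, then compare the DN that ldapwhoami reports against the kind of entry the role was granted to) can be made explicit in a small script. This is an added example, not code from the post or from FreeIPA. The classifier relies only on the standard FreeIPA container layout (cn=services / cn=computers / cn=users under cn=accounts); the realm EXAMPLE.TEST, the suffix dc=example,dc=test, the LDAP URI and the sample whoami lines are constructed for offline use and are not taken from the post.

```shell
#!/bin/sh
# Added example: tell which kind of IPA entry a GSSAPI bind actually used.
# Not from the original post. Container names are the standard FreeIPA ones;
# realm, suffix, URI and sample DNs below are constructed placeholders.

# classify_bind_dn WHOAMI_LINE -> prints service | host | user | other
# ldapwhoami prints "dn:<DN>" (no space); tolerate one if present.
classify_bind_dn() {
  dn=$1
  dn=${dn#dn:}
  dn=${dn# }
  case $dn in
    *",cn=services,cn=accounts,"*)  echo service ;;
    *",cn=computers,cn=accounts,"*) echo host ;;
    *",cn=users,cn=accounts,"*)     echo user ;;
    *)                              echo other ;;
  esac
}

# bind_matches_role_member WHOAMI_LINE MEMBER_KIND -> exit 0 only if the
# bound entry is of the kind that was added to the role (the post used
# --hosts, so MEMBER_KIND is "host"; a service-principal bind will not match).
bind_matches_role_member() {
  [ "$(classify_bind_dn "$1")" = "$2" ]
}

# Live check, to run on a host that has the keytab and OpenLDAP client tools
# (not executed here; URI and principal are placeholders):
#   kinit -k -t /root/radiusd.keytab radius/ipa-client.example.test
#   whoami=$(ldapwhoami -Q -Y GSSAPI -H ldap://ipa.example.test)
#   echo "bound as: $whoami -> $(classify_bind_dn "$whoami")"
#   if bind_matches_role_member "$whoami" host; then
#     echo "bind DN is the host entry the role member was added for"
#   else
#     echo "bind DN is not the role member; the permission will not apply"
#   fi
#   ldapsearch -Q -Y GSSAPI -H ldap://ipa.example.test \
#     -b cn=users,cn=accounts,dc=example,dc=test '(uid=testuser)' ipaNTHash
```

Run the live part after the kinit in the post; if the classifier prints "service" while the role member was added with --hosts, the bind is being evaluated as the service entry and the host-based role grant is not what the ACI sees.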