Marat Vyshegorodtsev wrote:
> Tried that.
>
> Originally I had just a normal user of a role "Build Administrator".
> It worked perfectly.
>
> Service account doesn't seem to recognize its privileges either way
> (explicit membership assignment or through roles).
>
> Originally it was like this (working perfectly):
> http://pastebin.com/baqcthy5
>
> However, I don't like hostadmin hanging among regular users.
>
> So I moved this account away to its own ldif:
> dn: uid=hostadmin,cn=sysaccounts,cn=etc,dc=contoso,dc=com
> changetype: add
> objectclass: account
> objectclass: simplesecurityobject
> objectclass: inetuser
> objectclass: krbprincipalaux
> objectclass: krbticketpolicyaux
> krbPrincipalName: hostadmin@<%= @realm %>
> memberOf: cn=Build Administrator,cn=roles,cn=accounts,dc=contoso,dc=com
> userPassword: <%= @hostadmin_pwd %>
> passwordExpirationTime: <%= @pwd_expiration %>
> krbpasswordexpiration: <%= @pwd_expiration %>
> nsIdleTimeout: 0
>
> This didn't work (same error: not enough privileges), so I started
> experimenting with explicit privileges assignment by basically copying
> them from default "admin" user. Didn't work either.
>
> I wonder what I am doing wrong.

I already told you: don't add an explicit memberOf. You need a separate
modify to add this user as a member of (NOT memberOf) the role:

dn: cn=Build Administrator,cn=roles,cn=accounts,dc=contoso,dc=com
changetype: modify
add: member
member: uid=hostadmin,cn=sysaccounts,cn=etc,dc=contoso,dc=com

rob

>
> On Thu, Jan 28, 2016 at 1:03 AM, Rob Crittenden <rcrit...@redhat.com> wrote:
>> Marat Vyshegorodtsev wrote:
>>> Hi!
>>>
>>> I'm trying to build an auto-enrollment script that would leverage a
>>> service account to enroll hosts.
>>>
>>> Here is the LDIF for this service account:
>>> https://gist.github.com/touzoku/2b03a47d3f0bcfbdf30a
>>>
>>> This service account is created successfully, but when I try to:
>>> 1) kinit hostadmin
>>> 2) ipa host-add foobar.contoso.com
>>>
>>> The following error appears:
>>> ipa: ERROR: Insufficient access: Insufficient 'add' privilege to add
>>> the entry
>>> 'fqdn=foobar.contoso.com,cn=computers,cn=accounts,dc=contoso,dc=com'.
>>>
>>> Which privilege am I missing? A normal (posix) user, with the same set
>>> of privileges worked fine; the problem started to happen when I moved
>>> the user from normal users to cn=sysaccounts,cn=etc.
>>>
>>> Also, is my set of privileges minimal? Which privileges do I need to
>>> just add host entries?
>>>
>>
>> You should not directly add memberOf values. You should add the user as
>> a member of the respective roles and the rest should follow naturally.
>> So you'll need to add this entry then do a modify to add it as a member
>> of one or more roles.
>>
>> rob
>>
>>

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
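The following is an added example, not code from this thread or from FreeIPA, that mechanises the fix Rob describes: it parses a service-account LDIF like the one posted, flags any `memberOf` written directly into the entry (memberOf is derived by the server's memberOf plugin from the forward `member` attribute on the role, so hand-writing it grants nothing), and emits the plain add plus a separate `changetype: modify` that adds the entry to each role's `member` attribute. The sample entry is constructed from the thread's DNs; the realm and password are placeholders, and all function names are this example's own.

```python
"""Turn a service-account LDIF with a hand-written memberOf into the two
operations the server actually honours: the plain add, and a separate
modify that adds the entry to each role's member attribute.

On 389-ds/FreeIPA, memberOf is maintained by the memberOf plugin from the
forward 'member' links; writing it directly does not make the entry a
role member, which is why host-add still fails with insufficient access.
"""

# Constructed sample modelled on the LDIF in the thread. The realm and
# password are placeholders, not values from the thread.
SAMPLE_LDIF = """\
dn: uid=hostadmin,cn=sysaccounts,cn=etc,dc=contoso,dc=com
changetype: add
objectclass: account
objectclass: simplesecurityobject
objectclass: inetuser
objectclass: krbprincipalaux
objectclass: krbticketpolicyaux
krbPrincipalName: hostadmin@PLACEHOLDER.REALM
memberOf: cn=Build Administrator,cn=roles,cn=accounts,dc=contoso,dc=com
userPassword: PLACEHOLDER_PASSWORD
nsIdleTimeout: 0
"""


def parse_ldif_entry(text):
    """Parse one LDIF add entry into (dn, [(attribute, value), ...]).

    Handles comment lines and RFC 2849 line folding (a continuation line
    starts with a single space). Base64 values ('attr:: ...') are kept
    verbatim, not decoded.
    """
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]  # unfold continuation line
        else:
            logical.append(raw)

    dn = None
    attrs = []
    for line in logical:
        name, _, value = line.partition(":")
        name, value = name.strip(), value.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs.append((name, value))
    return dn, attrs


def explicit_memberof(attrs):
    """Return the role DNs written directly into memberOf (the mistake)."""
    return [v for a, v in attrs if a.lower() == "memberof"]


def add_without_memberof(dn, attrs):
    """Rebuild the add operation with the memberOf lines dropped."""
    body = "".join(f"{a}: {v}\n" for a, v in attrs if a.lower() != "memberof")
    return f"dn: {dn}\n{body}"


def role_member_modify(entry_dn, role_dns):
    """Emit one modify per role that adds entry_dn to the role's member
    attribute; this is the forward link the memberOf plugin derives from."""
    blocks = [
        f"dn: {role}\nchangetype: modify\nadd: member\nmember: {entry_dn}\n"
        for role in role_dns
    ]
    return "\n".join(blocks)


def fix_service_account_ldif(text):
    """Return (add_ldif, modify_ldif, roles) for a posted entry."""
    dn, attrs = parse_ldif_entry(text)
    roles = explicit_memberof(attrs)
    return add_without_memberof(dn, attrs), role_member_modify(dn, roles), roles


if __name__ == "__main__":
    add_ldif, mod_ldif, roles = fix_service_account_ldif(SAMPLE_LDIF)
    print("# roles that were set via memberOf:", roles)
    print(add_ldif)
    print(mod_ldif)
```

Feed the two outputs to `ldapadd` and then `ldapmodify` as a directory administrator; after the modify, the server populates `memberOf` on the hostadmin entry itself, and the role's privileges apply to the service account's bind.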