On 08/18/2014 09:35 PM, Michael Lasevich wrote:
I wanted to use the python ipalib directly, but like you mentioned, I found
very little documentation and what I found indicated I was going to just
pass cli arguments to it, it seemed to be not much better than calling the
wrapper directly :-(
Michael Lasevich wrote:
Thanks, that was actually very helpful.
Host Enrollment privilege does not actually allow you to enroll hosts,
not sure what that is about. But Host Administrators worked just fine.
I'd be curious to know how it was failing. It should be enough to do
just an
I wanted to use the python ipalib directly, but like you mentioned, I found
very little documentation and what I found indicated I was going to just
pass cli arguments to it, it seemed to be not much better than calling the
wrapper directly :-(
I will clean up my salt reactor of things specific
On 08/14/2014 10:23 PM, Michael Lasevich wrote:
Is there somewhere a documented minimum set of permissions required to
create a special role/account/principal to auto-join machines to the domain?
I am not all too comfortable to run this as admin user and not quite ready
to set up the
Sorry, I did not intend to belittle your efforts - just misread the code
(saw you pass in $admin and $password and made wrong assumption that $admin
was admin username) as well as trying to avoid puppet as I find Salt much
quicker and much simpler (and already established in my setup)
I sat down
Thanks, that was actually very helpful.
Host Enrollment privilege does not actually allow you to enroll hosts,
not sure what that is about. But Host Administrators worked just fine.
-M
On Fri, Aug 15, 2014 at 1:18 AM, Martin Kosek mko...@redhat.com wrote:
On 08/14/2014 10:23 PM, Michael
This may also be a bug. Host Enrollment privilege should be enough to join
FreeIPA. We did many access control related fixes in FreeIPA 4.0 (like
https://fedorahosted.org/freeipa/ticket/4252), it may have been fixed there.
If Host Enrollment permission is still failing for you in 4.0+, we would be
On 08/15/2014 11:25 AM, Michael Lasevich wrote:
...
The only thing that bugs me is that I am calling IPA python code from my
salt reactor python code via subprocess - there has got to be a better,
more direct way - but I found documentation too confusing to follow at 1
am - will be a project
On 15.8.2014 12:51, Martin Kosek wrote:
On 08/15/2014 11:25 AM, Michael Lasevich wrote:
...
The only thing that bugs me is that I am calling IPA python code from my
salt reactor python code via subprocess - there has got to be a better,
more direct way - but I found documentation too confusing
On Fri, Aug 15, 2014 at 5:25 AM, Michael Lasevich
mlasev...@lasevich.net wrote:
Sorry, I did not intend to belittle your efforts - just misread the code
Didn't take it that way, no worries :)
(saw you pass in $admin and $password and made wrong assumption that $admin
was admin username) as
On 08/15/2014 06:02 PM, James wrote:
On Fri, Aug 15, 2014 at 5:25 AM, Michael Lasevich
mlasev...@lasevich.net wrote:
Sorry, I did not intend to belittle your efforts - just misread the code
Didn't take it that way, no worries :)
(saw you pass in $admin and $password and made wrong assumption
Is there somewhere a documented minimum set of permissions required to
create a special role/account/principal to auto-join machines to the domain?
I am not all too comfortable to run this as admin user and not quite ready
to set up the orchestration needed to pre-join the host.
Thanks,
-M
--
Not that much. For one, I am using Salt instead of Puppet, but more
importantly, if I am reading this correctly it seems to be just using full
admin account. I can already do that. By orchestration I meant setting up
the OTP for client join on the server, then passing that OTP to the client
to
On Thu, Aug 14, 2014 at 7:29 PM, Michael Lasevich
mlasev...@lasevich.net wrote:
Not that much. For one, I am using Salt instead of Puppet, but more
importantly, if I am reading this correctly it seems to be just using full
admin account. I can already do that. By orchestration I meant setting
I appreciate it. Maybe I did not read it close enough, but it seemed to
send the admin password to every client, which is what I am trying to
avoid.
I will take a closer look, maybe I can bite the bullet and implement the
few lines of code that are required to make this work in Salt (it would
On Thu, Aug 14, 2014 at 8:29 PM, Michael Lasevich
mlasev...@lasevich.net wrote:
I appreciate it. Maybe I did not read it close enough, but it seemed to send
the admin password to every client, which is what I am trying to avoid.
Oh no!! Definitely not :) I went to great pains to specifically