Hi Alexander,

The main reason for us was that AD users can export keytab files for their managed services. With current FreeIPA it's not possible, so the admin team will do the job.

Thx for linking to the documentation for Red Hat 8, this is what we want (in the future).

Greetings,

Micha


On 26.11.18 at 09:58, Alexander Bokovoy wrote:
On Mon, 26 Nov 2018, Michael Gusek via FreeIPA-users wrote:
Thx a lot. So we will export keytabs for our AD users.
Sorry, how would this help? Your real issue is that you cannot assign
group membership in LDAP to AD users, which is where access rights are
checked.

You can read a basic explanation at
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8-beta/html/installing_identity_management_and_access_control/enabling-ad-user-to-administer-idm-fin-fin

or more details at https://github.com/abbra/freeipa-adusers-admins


Micha


On 23.11.18 at 16:25, Alexander Bokovoy via FreeIPA-users wrote:
Not possible in CentOS 7.

Possible in RHEL8 beta.

(Sorry for being short, I'm on the phone)

----- Michael Gusek via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
Hi,

we are running FreeIPA 4.5.4 on CentOS 7 with a one-way trust to an
Active Directory. We want to allow AD users to retrieve service keytabs
on FreeIPA managed hosts. AD users are linked to an external group, and
this group to a FreeIPA group. We've created a service and allowed the
FreeIPA group (for testing, the external group too) to retrieve the keytab. Now
we logged in with AD credentials to a FreeIPA managed host, got a
ticket with kinit user@AD-domain and tried to retrieve the keytab for the
service, which runs into an error "Failed to parse result: Insufficient
access rights". With a FreeIPA user, added to the FreeIPA group above, it
works.

So what are we missing here? Is it possible to retrieve service keytabs
as a trusted AD user?

Thanks.


_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
-- 

________________________________________________

Michael Gusek | System Administrator | Webtrekk GmbH |
t +49 30 755 415 302 | f +49 30 755 415 100 | w www.webtrekk.com
Amtsgericht/Local Court Berlin, HRB 93435 B | Geschäftsführer/CEO Christian Sauer and Norman Wahnschaff


