3:41 p.m.
Kerberos has kadmin.local, and I'm looking for a similar way to execute admin commands
as the local root user. Looks like I could create a keytab, and use kinit on it, but
ipa-getkey doesn't seem to work for the admin principal. So I could create a new
service account instead, but I can't seem to find a role that grabs everything like
the special admin group does. Any tips?
10:20 p.m.
On to, 26 heinä 2018, Ryan Slominski via FreeIPA-users wrote:
Kerberos has kadmin.local, and I'm looking for a similar way to
execute
admin commands as the local root user. Looks like I could create a
keytab, and use kinit on it, but ipa-getkey doesn't seem to work for
the admin principal. So I could create a new service account instead,
but I can't seem to find a role that grabs everything like the special
admin group does. Any tips?
Anything that is a member of admins group would
suffice.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
1 p.m.
Hi Alexander,
I'm actually looking for a way to execute a command as local root without being
prompted for a password. My understanding is adding an account for root to IPA is not a
good idea as it would then be a domain account. I don't see how I can add root to
"admins" group then. Also, I don't see how to add a service principal to a
user group. What are my options?
Thanks,
Ryan
2:23 p.m.
New subject: How can local root execute admin IPA commands?
On pe, 27 heinä 2018, Ryan Slominski via FreeIPA-users wrote:
Hi Alexander,
I'm actually looking for a way to execute a command as local root
without being prompted for a password. My understanding is adding
an account for root to IPA is not a good idea as it would then be a
domain account. I don't see how I can add root to "admins" group
then. Also, I don't see how to add a service principal to a user
group. What are my options?
Can you show examples of what you'd like to
achieve. "Execute a command
as local root" sounds unrelated to IPA commands.
Can you demonstrate what you'd like to achieve without IPA in use?
Do you simply want 'sudo /some/path/to/command' without password asked?
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
2:51 p.m.
I would like to be able to use the ipa command line interface, which generally requires a
Kerberos ticket. For example to add a user to a group - I want to allow root to do
anything the admin user can do. Perhaps I’m overlooking something but simply using “su
admin” won’t work because it doesn’t kinit ticket.
On Jul 27, 2018, at 3:23 PM, Alexander Bokovoy
<abokovoy(a)redhat.com> wrote:
> On pe, 27 heinä 2018, Ryan Slominski via FreeIPA-users wrote:
> Hi Alexander,
> I'm actually looking for a way to execute a command as local root
> without being prompted for a password. My understanding is adding
> an account for root to IPA is not a good idea as it would then be a
> domain account. I don't see how I can add root to "admins" group
> then. Also, I don't see how to add a service principal to a user
> group. What are my options?
Can you show examples of what you'd like to achieve. "Execute a command
as local root" sounds unrelated to IPA commands.
Can you demonstrate what you'd like to achieve without IPA in use?
Do you simply want 'sudo /some/path/to/command' without password asked?
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
3:14 p.m.
New subject: How can local root execute admin IPA commands?
Ryan Slominski via FreeIPA-users wrote:
I would like to be able to use the ipa command line interface, which
generally requires a Kerberos ticket. For example to add a user to a group - I want to
allow root to do anything the admin user can do. Perhaps I’m overlooking something but
simply using “su admin” won’t work because it doesn’t kinit ticket.
You can create a user, add it to the admins group then use ipa-getkeytab
to get a keytab for that user.
# kinit -kt /path/to/keytab username
profit
rob
> On Jul 27, 2018, at 3:23 PM, Alexander Bokovoy <abokovoy(a)redhat.com> wrote:
>
>> On pe, 27 heinä 2018, Ryan Slominski via FreeIPA-users wrote:
>> Hi Alexander,
>> I'm actually looking for a way to execute a command as local root
>> without being prompted for a password. My understanding is adding
>> an account for root to IPA is not a good idea as it would then be a
>> domain account. I don't see how I can add root to "admins" group
>> then. Also, I don't see how to add a service principal to a user
>> group. What are my options?
> Can you show examples of what you'd like to achieve. "Execute a command
> as local root" sounds unrelated to IPA commands.
>
> Can you demonstrate what you'd like to achieve without IPA in use?
> Do you simply want 'sudo /some/path/to/command' without password asked?
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorah...
6:51 a.m.
Creating a new user, adding them to the admins group, obtaining a keytab for the new user,
then having root use kinit -kt on the keytab does work. Thanks.
2091
days inactive
2095
days old
freeipa-users@lists.fedorahosted.org
6 comments
3 participants
participants (3)
-
Alexander Bokovoy -
Rob Crittenden -
Ryan Slominski