Hi Guys
I need to add a principal alias to a service from the client by which it is managed.
From the client I have the following script:
---
kinit -k -t /etc/krb5.keytab
ipa service-add myservice/myclient.example.com
ipa service-add-principal myservice/myclient.example.com myservice/myalias.example.com
---
On the last command it returns the following error:
---
ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'krbPrincipalName' attribute of entry 'krbprincipalname=myservice/myclient.example.com@example.com,cn=services,cn=accounts,dc=example,dc=com'.
---
I tried creating a role with the 'Service Administrators' privilege and attached it to the principal host: host/myclient.example.com (instead of myservice/myclient.example.com) and it worked.
However I need to set this role (or privilege) globally. On the other hand, any new host enrolled after ipa-client-install has that privilege allowed.
Thank you
freeipa-users@lists.fedorahosted.org