I'm trying to create a set of limited users who have the ability to unlock all other user accounts and change their passwords. I've got the password portion figured out; however, when a user with the limited permissions tries to run the `unlock` operation they get the following message:
Insufficient access: Insufficient 'write' privilege to the 'krbLoginFailedCount' attribute of entry...
I have attempted to create a permission granting this access, but it does not appear to work.
I'll attach an image of the existing permission, not sure how the list will handle the image.
--Russ
Russell Long via FreeIPA-users wrote:
I'm trying to create a set of limited users who have the ability to unlock all other user accounts and change their passwords. I've got the password portion figured out; however, when a user with the limited permissions tries to run the `unlock` operation they get the following message:
Insufficient access: Insufficient 'write' privilege to the 'krbLoginFailedCount' attribute of entry...
I have attempted to create a permission granting this access, but it does not appear to work.
I'll attach an image of the existing permission, not sure how the list will handle the image.
What isn't clear is whether you added the permission to a privilege and a role.
This sequence worked for me.
Create a user with limited rights and reset the p/w
# echo password | ipa user-add --first limited --last user limited --password
# ipa passwd limited
# kinit limited
Add a new permission to unlock users
# kinit admin
# ipa permission-add unlock --type user --right write --right read --attrs={krbloginfailedcount,krblastadminunlock}
# ipa privilege-add unlock
# ipa privilege-add-permission --permission unlock unlock
# ipa role-add unlock
# ipa role-add-privilege --privilege=unlock unlock
# ipa role-add-member --users limited unlock
Create a user which we'll lock and reset the p/w
# echo password | ipa user-add lockme --first tim --last user --password
# kinit lockme
kinit with the wrong password until the account is locked
# ipa user-unlock lockme
Test the now unlocked user
# kinit lockme
Profit!
Note that the rights add and delete are entry-level rights. They don't apply to individual attributes.
rob
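An added check for the role, privilege and permission chain that the sequence above builds and that both failure modes in this thread break (a missing attribute in the permission, a privilege dropped from the role). This is example code written for this thread, not from the posts or from FreeIPA; it parses the indented "Label: value" lines printed by `ipa role-show`, `ipa privilege-show` and `ipa permission-show` (the labels used are assumed) and runs here on constructed sample output, so it works without a server.

```shell
# Print the comma-separated value of the "Label: a, b" line in $1 (label $2),
# one lowercased word per line, or nothing if the label is absent.
field() {
  printf '%s\n' "$1" | sed -n "s/^ *$2: *//p" | tr ',' '\n' | tr -d ' ' \
    | tr 'A-Z' 'a-z' | grep -v '^$'
}

# 0 if word $1 is one of the lines of $2.
has_word() { printf '%s\n' "$2" | grep -qx "$1"; }

# check_unlock_chain ROLE_OUT PRIV_NAME PRIV_OUT PERM_NAME PERM_OUT
# Returns 0 when the role grants the privilege, the privilege grants the
# permission, and the permission grants write on both attributes that
# `ipa user-unlock` modifies; prints the first broken link otherwise.
check_unlock_chain() {
  has_word "$2" "$(field "$1" 'Privileges')"  || { echo "role lacks privilege $2"; return 1; }
  has_word "$4" "$(field "$3" 'Permissions')" || { echo "privilege lacks permission $4"; return 1; }
  has_word write "$(field "$5" 'Granted rights')" || { echo "permission lacks write right"; return 1; }
  attrs=$(field "$5" 'Effective attributes')
  for need in krbloginfailedcount krblastadminunlock; do
    has_word "$need" "$attrs" || { echo "permission lacks attribute $need"; return 1; }
  done
  return 0
}

# Constructed sample output in the assumed ipa *-show layout (not captured from a real server).
ROLE_OK='  Role name: unlock
  Member users: limited
  Privileges: unlock'
PRIV_OK='  Privilege name: unlock
  Permissions: unlock'
PERM_OK='  Permission name: unlock
  Granted rights: write, read
  Effective attributes: krbloginfailedcount, krblastadminunlock
  Type: user'
# The two broken states from the thread: attribute missing, privilege gone from the role.
PERM_BAD='  Permission name: unlock
  Granted rights: write, read
  Effective attributes: krbloginfailedcount
  Type: user'
ROLE_BAD='  Role name: unlock
  Member users: limited'

check_unlock_chain "$ROLE_OK" unlock "$PRIV_OK" unlock "$PERM_OK" && echo "unlock chain ok"
check_unlock_chain "$ROLE_OK" unlock "$PRIV_OK" unlock "$PERM_BAD" || echo "(expected failure above)"
check_unlock_chain "$ROLE_BAD" unlock "$PRIV_OK" unlock "$PERM_OK" || echo "(expected failure above)"
```

Against a live server, feed it the real output, e.g. `check_unlock_chain "$(ipa role-show unlock)" unlock "$(ipa privilege-show unlock)" unlock "$(ipa permission-show unlock)"`.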
Rob,
Thanks, as usual your info was correct. The issue on my end was twofold: I did not have the `krblastadminunlock`, and somehow the privilege had gotten removed from the role in my testing. After fixing that, all is working.
--Russ
freeipa-users@lists.fedorahosted.org