Hello again,
We're using salt for automation and have created a salt service account for the express permissions of joining machines to our domain. This user has been assigned the "Enrollment Administrator" role but when attempting to join clients the log output is as follows:
Client hostname: ubuntu.domain.com
Realm: DOMAIN.COM
DNS Domain: domain.com
IPA Server: server1.domain.com
BaseDN: dc=domain,dc=com

Continue to configure the system with these values? [no]: yes
Synchronizing time
Configuration of chrony was changed by installer.
Attempting to sync time with chronyc.
Time synchronization was successful.
User authorized to enroll computers: test-join
Password for test@DOMAIN.COM:
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=DOMAIN.COM
IPA environment is 4.4
    Issuer:      CN=Certificate Authority,O=DOMAIN.COM
    Valid From:  2017-01-26 18:47:36
    Valid Until: 2037-01-26 18:47:36

Joining realm failed: No permission to join this host to the IPA domain.
The FreeIPA version is 4.6.5 and it's running on CentOS 7.7. Can someone assist me in troubleshooting? Is there another pre-defined role or permission that I need to assign?
Thanks,
Jeff
Jeff Goddard via FreeIPA-users wrote:
> Hello again,
> We're using salt for automation and have created a salt service account for the express permissions of joining machines to our domain. This user has been assigned the "Enrollment Administrator" role but when attempting to join clients the log output is as follows:
>
> Client hostname: ubuntu.domain.com
> Realm: DOMAIN.COM
> DNS Domain: domain.com
> IPA Server: server1.domain.com
> BaseDN: dc=domain,dc=com
>
> Continue to configure the system with these values? [no]: yes
> Synchronizing time
> Configuration of chrony was changed by installer.
> Attempting to sync time with chronyc.
> Time synchronization was successful.
> User authorized to enroll computers: test-join
> Password for test@DOMAIN.COM:
> Successfully retrieved CA cert
>     Subject:     CN=Certificate Authority,O=DOMAIN.COM
> IPA environment is 4.4
>     Issuer:      CN=Certificate Authority,O=DOMAIN.COM
>     Valid From:  2017-01-26 18:47:36
>     Valid Until: 2037-01-26 18:47:36
>
> Joining realm failed: No permission to join this host to the IPA domain.
>
> The FreeIPA version is 4.6.5 and it's running on CentOS 7.7. Can someone assist me in troubleshooting? Is there another pre-defined role or permission that I need to assign?

Does the host already exist in IPA? The Enrollment Administrator role allows for enrollment, not host creation. You can add the host-add capability; it just ships with the minimum required.
rob
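As an added example (not from the thread or from the FreeIPA project), a bash helper that checks for the host entry before a Salt-driven ipa-client-install runs under an account holding only "Enrollment Administrator", and shows the two fixes Rob describes: pre-create the entry with an admin ticket, or extend the role with a privilege carrying only the "System: Add Hosts" permission. The IPA_CMD variable and the "Add Hosts Only" privilege name are this example's own assumptions.

```bash
#!/usr/bin/env bash
# Added example, not from the thread: an "Enrollment Administrator" can enroll
# a host entry that already exists but cannot create one, so check first.
# IPA_CMD (hypothetical) lets a test substitute a stub for the real `ipa` CLI;
# the "Add Hosts Only" privilege name is this example's own choice.
set -eu
IPA_CMD="${IPA_CMD:-ipa}"
ROLE="Enrollment Administrator"

# 0 if the host entry exists in IPA, non-zero otherwise.
host_exists() {
    "$IPA_CMD" host-show "$1" >/dev/null 2>&1
}

# Prints "ready" when the enrollment account can join the host as-is, and
# "precreate" when the entry is missing, which is the state that produces
# "Joining realm failed: No permission to join this host to the IPA domain."
precheck_host() {
    if host_exists "$1"; then
        echo ready
    else
        echo precreate
    fi
}

# Option A (least privilege): create the entry with an admin ticket so the
# automation account keeps only its enrollment role.
precreate_host() {
    "$IPA_CMD" host-add "$1"
}

# Option B (what the reply suggests): give the role the host-add capability,
# but through a privilege holding only the "System: Add Hosts" permission
# rather than the broader built-in "Host Administrators" privilege.
grant_add_hosts() {
    "$IPA_CMD" privilege-add "Add Hosts Only" --desc="Create host entries only"
    "$IPA_CMD" privilege-add-permission "Add Hosts Only" \
        --permissions="System: Add Hosts"
    "$IPA_CMD" role-add-privilege "$ROLE" --privileges="Add Hosts Only"
}

# Usage: ./precheck.sh ubuntu.domain.com   (no argument: only define functions)
if [ -n "${1:-}" ]; then
    case "$(precheck_host "$1")" in
        ready)     echo "$1: entry exists, the enrollment role is sufficient" ;;
        precreate) echo "$1: entry missing; run precreate_host as admin or grant_add_hosts" ;;
    esac
fi
```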
On Wed, Feb 12, 2020 at 1:10 PM Rob Crittenden rcritten@redhat.com wrote:
> Jeff Goddard via FreeIPA-users wrote:
> > Hello again,
> > We're using salt for automation and have created a salt service account for the express permissions of joining machines to our domain. This user has been assigned the "Enrollment Administrator" role but when attempting to join clients the log output is as follows:
> >
> > Client hostname: ubuntu.domain.com
> > Realm: DOMAIN.COM
> > DNS Domain: domain.com
> > IPA Server: server1.domain.com
> > BaseDN: dc=domain,dc=com
> >
> > Continue to configure the system with these values? [no]: yes
> > Synchronizing time
> > Configuration of chrony was changed by installer.
> > Attempting to sync time with chronyc.
> > Time synchronization was successful.
> > User authorized to enroll computers: test-join
> > Password for test@DOMAIN.COM:
> > Successfully retrieved CA cert
> >     Subject:     CN=Certificate Authority,O=DOMAIN.COM
> > IPA environment is 4.4
> >     Issuer:      CN=Certificate Authority,O=DOMAIN.COM
> >     Valid From:  2017-01-26 18:47:36
> >     Valid Until: 2037-01-26 18:47:36
> >
> > Joining realm failed: No permission to join this host to the IPA domain.
> >
> > The FreeIPA version is 4.6.5 and it's running on CentOS 7.7. Can someone assist me in troubleshooting? Is there another pre-defined role or permission that I need to assign?
>
> Does the host already exist in IPA? The Enrollment Administrator role allows for enrollment, not host creation. You can add the host-add capability; it just ships with the minimum required.
>
> rob
Rob,
Thanks for the prompt reply. That was just the thing.
Cheers,
Jeff
freeipa-users@lists.fedorahosted.org