Today we did not manage to enroll new hosts with our enrollment user. The only thing we changed is that we added the Permission "System: Remove hosts" to the "Host Enrollment" role. The error we get is:
Joining realm failed: Failed to parse result: Insufficient access rights
Retrying with pre-4.0 keytab retrieval method...
Failed to parse result: Insufficient access rights
Failed to get keytab!
Failed to get keytab
child exited with 9
When I try to add the same host with my admin user it works without any problems.
Cheers, Ronald
On 19.10.20 11:38, Ronald Wimmer via FreeIPA-users wrote:
> Today we did not manage to enroll new hosts with our enrollment user. The only thing we changed is that we added the Permission "System: Remove hosts" to the "Host Enrollment" role. The error we get is:
> Joining realm failed: Failed to parse result: Insufficient access rights
> Retrying with pre-4.0 keytab retrieval method...
> Failed to parse result: Insufficient access rights
> Failed to get keytab!
> Failed to get keytab
> child exited with 9
Can somebody state precisely which permissions/roles are needed in order to enroll a new host by issuing the ipa-client-install command?
Cheers, Ronald
On 2/17/21 12:56 PM, Ronald Wimmer via FreeIPA-users wrote:
> Can somebody state precisely which permissions/roles are needed in order to enroll a new host by issuing the ipa-client-install command?
If the client is enrolled in one step (host entry creation + join done through ipa-client-install), I remember needing 2 privileges:
- Host Enrollment
- Host Administrators
"Host Enrollment" privilege can be obtained via the role "Enrollment Administrator" and "Host Administrators" privilege can be obtained via the role "IT Specialist".
flo
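One way to check the point made in the reply above, as an added example that is not part of the original thread: the function reads the text output of `ipa role-show` for every role the enrollment account holds and prints whichever of the two privileges named by flo is missing. The sample outputs are constructed, and the layout of the "Privileges:" line is an assumption about the CLI output.

```shell
#!/bin/sh
# Added example (not from the thread). Live use, run for each role of the account:
#   ipa role-show "Enrollment Administrator" | missing_enroll_privs
# Assumption: each role block has a comma-separated "Privileges:" line.

# The two privileges named in the reply above.
REQUIRED_PRIVS="Host Enrollment
Host Administrators"

# Constructed sample output, not captured from a real server.
SAMPLE_ENROLL_ONLY='  Role name: Enrollment Administrator
  Member users: enroll
  Privileges: Host Enrollment'
SAMPLE_IT='  Role name: IT Specialist
  Member users: enroll
  Privileges: Host Administrators, Host Group Administrators, Service Administrators'

# Reads one or more role-show blocks on stdin.
# Prints each required privilege that no role grants; returns 1 if any is missing.
missing_enroll_privs() {
    # Union of all privileges across the role blocks, one per line, trimmed.
    mep_have=$(sed -n 's/^[[:space:]]*Privileges:[[:space:]]*//p' \
        | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    mep_missing=0
    while IFS= read -r mep_priv; do
        # -F fixed string, -x whole line: "Host Group Administrators"
        # must not satisfy "Host Administrators".
        if ! printf '%s\n' "$mep_have" | grep -Fxq -- "$mep_priv"; then
            printf '%s\n' "$mep_priv"
            mep_missing=1
        fi
    done <<EOF
$REQUIRED_PRIVS
EOF
    return "$mep_missing"
}

# Demo on the constructed samples: an account holding only the first role.
echo "Missing with Enrollment Administrator only:"
printf '%s\n' "$SAMPLE_ENROLL_ONLY" | missing_enroll_privs || true
```
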