REALM > Insufficient 'add' privilege to the 'userPassword' attribute

Hi Guys,

Following the docs I tried to setup the IPA Realm part for the proxy
and I get this error:

D, [2017-02-25T00:41:25.038075 #12948] DEBUG – : Kerberos credential
cache initialised with principal:
foreman-proxy/host.domain.tld@DOMAIN.TLD
E, [2017-02-25T00:41:25.526166 #12948] ERROR – : Insufficient access:
Insufficient 'add' privilege to the 'userPassword' attribute
D, [2017-02-25T00:41:25.526568 #12948] DEBUG – : Insufficient access:
Insufficient 'add' privilege to the 'userPassword' attribute
(XMLRPC::FaultException)

I have checked the attribute and the add privilege exists, so what
could be wrong ?

Thanks,

Matt

did you first join the satellite to the freeipa and create the user with
the necessary permissions to execute the modifications on the ipa server?

Normally just need to run
foreman-prepare-realm

as per instructions as i said your Smart Proxy must be registered to the
FreeIPA realm already, and have the ipa-admintools package installed.

··· Am Samstag, 25. Februar 2017 00:48:54 UTC+1 schrieb Matt: > > Hi Guys, > > Following the docs I tried to setup the IPA Realm part for the proxy > and I get this error: > > > D, [2017-02-25T00:41:25.038075 #12948] DEBUG -- : Kerberos credential > cache initialised with principal: > foreman-proxy/host.domain.tld@DOMAIN.TLD > E, [2017-02-25T00:41:25.526166 #12948] ERROR -- : Insufficient access: > Insufficient 'add' privilege to the 'userPassword' attribute > D, [2017-02-25T00:41:25.526568 #12948] DEBUG -- : Insufficient access: > Insufficient 'add' privilege to the 'userPassword' attribute > (XMLRPC::FaultException) > > I have checked the attribute and the add privilege exists, so what > could be wrong ? > > Thanks, > > Matt >

Hi,

(i didn't recieve your reply in my mailbox so that is why I respond later)

Both things you mentioned are done, so I'm kinda lost how to debug futher.

Thanks,

Matt

··· Op zaterdag 25 februari 2017 19:55:20 UTC+1 schreef Mario Gamboa: > > did you first join the satellite to the freeipa and create the user with > the necessary permissions to execute the modifications on the ipa server? > > > Normally just need to run > foreman-prepare-realm > > as per instructions as i said your Smart Proxy must be registered to the > FreeIPA realm already, and have the ipa-admintools package installed. > > Am Samstag, 25. Februar 2017 00:48:54 UTC+1 schrieb Matt: >> >> Hi Guys, >> >> Following the docs I tried to setup the IPA Realm part for the proxy >> and I get this error: >> >> >> D, [2017-02-25T00:41:25.038075 #12948] DEBUG -- : Kerberos credential >> cache initialised with principal: >> foreman-proxy/host.domain.tld@DOMAIN.TLD >> E, [2017-02-25T00:41:25.526166 #12948] ERROR -- : Insufficient access: >> Insufficient 'add' privilege to the 'userPassword' attribute >> D, [2017-02-25T00:41:25.526568 #12948] DEBUG -- : Insufficient access: >> Insufficient 'add' privilege to the 'userPassword' attribute >> (XMLRPC::FaultException) >> >> I have checked the attribute and the add privilege exists, so what >> could be wrong ? >> >> Thanks, >> >> Matt >> >

Have you copied the keytab to the proxy as the manual mentions?

https://www.theforeman.org/manuals/1.14/index.html#4.3.8Realm

Best,

··· On 02/27, Matt wrote: > Hi, > > (i didn't recieve your reply in my mailbox so that is why I respond later) > > Both things you mentioned are done, so I'm kinda lost how to debug futher. > > Thanks, > > Matt > > Op zaterdag 25 februari 2017 19:55:20 UTC+1 schreef Mario Gamboa: > > > > did you first join the satellite to the freeipa and create the user with > > the necessary permissions to execute the modifications on the ipa server? > > > > > > Normally just need to run > > foreman-prepare-realm > > > > as per instructions as i said your Smart Proxy must be registered to the > > FreeIPA realm already, and have the ipa-admintools package installed. > > > > Am Samstag, 25. Februar 2017 00:48:54 UTC+1 schrieb Matt: > >> > >> Hi Guys, > >> > >> Following the docs I tried to setup the IPA Realm part for the proxy > >> and I get this error: > >> > >> > >> D, [2017-02-25T00:41:25.038075 #12948] DEBUG -- : Kerberos credential > >> cache initialised with principal: > >> foreman-proxy/host.domain.tld@DOMAIN.TLD > >> E, [2017-02-25T00:41:25.526166 #12948] ERROR -- : Insufficient access: > >> Insufficient 'add' privilege to the 'userPassword' attribute > >> D, [2017-02-25T00:41:25.526568 #12948] DEBUG -- : Insufficient access: > >> Insufficient 'add' privilege to the 'userPassword' attribute > >> (XMLRPC::FaultException) > >> > >> I have checked the attribute and the add privilege exists, so what > >> could be wrong ? > >> > >> Thanks, > >> > >> Matt > >> > > > > -- > You received this message because you are subscribed to the Google Groups "Foreman users" group. > To unsubscribe from this group and stop receiving emails from it, send an email to foreman-users+unsubscribe@googlegroups.com. > To post to this group, send email to foreman-users@googlegroups.com. > Visit this group at https://groups.google.com/group/foreman-users. > For more options, visit https://groups.google.com/d/optout.


Daniel Lobato Garcia

@dLobatog
blog.daniellobato.me
daniellobato.me

GPG: http://keys.gnupg.net/pks/lookup?op=get&search=0x7A92D6DD38D6DE30
Keybase: https://keybase.io/elobato

Yes I did, the same machine is also doing DHCP fine with it.

··· Op dinsdag 28 februari 2017 12:04:06 UTC+1 schreef Daniel Lobato: > > Have you copied the keytab to the proxy as the manual mentions? > > https://www.theforeman.org/manuals/1.14/index.html#4.3.8Realm > > Best, > > On 02/27, Matt wrote: > > Hi, > > > > (i didn't recieve your reply in my mailbox so that is why I respond > later) > > > > Both things you mentioned are done, so I'm kinda lost how to debug > futher. > > > > Thanks, > > > > Matt > > > > Op zaterdag 25 februari 2017 19:55:20 UTC+1 schreef Mario Gamboa: > > > > > > did you first join the satellite to the freeipa and create the user > with > > > the necessary permissions to execute the modifications on the ipa > server? > > > > > > > > > Normally just need to run > > > foreman-prepare-realm > > > > > > as per instructions as i said your Smart Proxy must be registered to > the > > > FreeIPA realm already, and have the ipa-admintools package installed. > > > > > > Am Samstag, 25. Februar 2017 00:48:54 UTC+1 schrieb Matt: > > >> > > >> Hi Guys, > > >> > > >> Following the docs I tried to setup the IPA Realm part for the proxy > > >> and I get this error: > > >> > > >> > > >> D, [2017-02-25T00:41:25.038075 #12948] DEBUG -- : Kerberos credential > > >> cache initialised with principal: > > >> foreman-proxy/host.domain.tld@DOMAIN.TLD > > >> E, [2017-02-25T00:41:25.526166 #12948] ERROR -- : Insufficient > access: > > >> Insufficient 'add' privilege to the 'userPassword' attribute > > >> D, [2017-02-25T00:41:25.526568 #12948] DEBUG -- : Insufficient > access: > > >> Insufficient 'add' privilege to the 'userPassword' attribute > > >> (XMLRPC::FaultException) > > >> > > >> I have checked the attribute and the add privilege exists, so what > > >> could be wrong ? > > >> > > >> Thanks, > > >> > > >> Matt > > >> > > > > > > > -- > > You received this message because you are subscribed to the Google > Groups "Foreman users" group. > > To unsubscribe from this group and stop receiving emails from it, send > an email to foreman-user...@googlegroups.com . > > To post to this group, send email to forema...@googlegroups.com > . > > Visit this group at https://groups.google.com/group/foreman-users. > > For more options, visit https://groups.google.com/d/optout. > > > -- > Daniel Lobato Garcia > > @dLobatog > blog.daniellobato.me > daniellobato.me > > GPG: http://keys.gnupg.net/pks/lookup?op=get&search=0x7A92D6DD38D6DE30 > Keybase: https://keybase.io/elobato >

Any update on this ?

··· Op dinsdag 28 februari 2017 23:50:31 UTC+1 schreef Matt: > > Yes I did, the same machine is also doing DHCP fine with it. > > Op dinsdag 28 februari 2017 12:04:06 UTC+1 schreef Daniel Lobato: >> >> Have you copied the keytab to the proxy as the manual mentions? >> >> https://www.theforeman.org/manuals/1.14/index.html#4.3.8Realm >> >> Best, >> >> On 02/27, Matt wrote: >> > Hi, >> > >> > (i didn't recieve your reply in my mailbox so that is why I respond >> later) >> > >> > Both things you mentioned are done, so I'm kinda lost how to debug >> futher. >> > >> > Thanks, >> > >> > Matt >> > >> > Op zaterdag 25 februari 2017 19:55:20 UTC+1 schreef Mario Gamboa: >> > > >> > > did you first join the satellite to the freeipa and create the user >> with >> > > the necessary permissions to execute the modifications on the ipa >> server? >> > > >> > > >> > > Normally just need to run >> > > foreman-prepare-realm >> > > >> > > as per instructions as i said your Smart Proxy must be registered to >> the >> > > FreeIPA realm already, and have the ipa-admintools package installed. >> > > >> > > Am Samstag, 25. Februar 2017 00:48:54 UTC+1 schrieb Matt: >> > >> >> > >> Hi Guys, >> > >> >> > >> Following the docs I tried to setup the IPA Realm part for the proxy >> > >> and I get this error: >> > >> >> > >> >> > >> D, [2017-02-25T00:41:25.038075 #12948] DEBUG -- : Kerberos >> credential >> > >> cache initialised with principal: >> > >> foreman-proxy/host.domain.tld@DOMAIN.TLD >> > >> E, [2017-02-25T00:41:25.526166 #12948] ERROR -- : Insufficient >> access: >> > >> Insufficient 'add' privilege to the 'userPassword' attribute >> > >> D, [2017-02-25T00:41:25.526568 #12948] DEBUG -- : Insufficient >> access: >> > >> Insufficient 'add' privilege to the 'userPassword' attribute >> > >> (XMLRPC::FaultException) >> > >> >> > >> I have checked the attribute and the add privilege exists, so what >> > >> could be wrong ? >> > >> >> > >> Thanks, >> > >> >> > >> Matt >> > >> >> > > >> > >> > -- >> > You received this message because you are subscribed to the Google >> Groups "Foreman users" group. >> > To unsubscribe from this group and stop receiving emails from it, send >> an email to foreman-user...@googlegroups.com. >> > To post to this group, send email to forema...@googlegroups.com. >> > Visit this group at https://groups.google.com/group/foreman-users. >> > For more options, visit https://groups.google.com/d/optout. >> >> >> -- >> Daniel Lobato Garcia >> >> @dLobatog >> blog.daniellobato.me >> daniellobato.me >> >> GPG: http://keys.gnupg.net/pks/lookup?op=get&search=0x7A92D6DD38D6DE30 >> Keybase: https://keybase.io/elobato >> >