On Wed, 26 Mar 2025, Andrew Nelson via FreeIPA-users wrote:
> How would one go about scripting the updating of host attributes in IPA
> such as MAC address from the host itself. Ideally I would love to use the
> host kerberos key and never need a user credential, but I'm unsure of how
> to start this.
> Can the IPA command line utility use the host kerberos key to perform
> host-mod activities? Likewise, can the python libraries leverage the host
> kerberos key? If so, how does one start?
# kinit -k
# ipa host-show `hostname` --rights --all | grep attributelevelrights
...
Look at the 'attributelevelrights' line; each element in that dictionary
describes what rights your Kerberos principal (in this case the machine
account) has for each attribute. If you do not see an attribute, you
don't have write rights for sure.
# ipa host-mod `hostname` --macaddress=....
This will fail because the machine's account has no rights to write to the
macaddress attribute:
# kinit -k
# ipa host-mod `hostname` --macaddress=AA:BB:CC:DD:EE:FF
ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the
'macAddress' attribute of entry
'fqdn=m1.ipa1demo.test,cn=computers,cn=accounts,dc=ipa1demo,dc=test'.
There is a system permission 'System: Modify Hosts' that allows writes to
macaddress and other attributes, but it is not assigned by default
because it gives more rights than required. In particular, it gives the
right to write to the 'objectClass' attribute, which is the core of the LDAP
object system. The macAddress attribute is only allowed if the LDAP object
includes an object class that permits the attribute. The FreeIPA API knows
which objectclass needs to be added and attempts to add it automatically,
and it will fail if no permission to write to the 'objectclass' attribute is
granted. However, allowing applications to write to 'objectclass' means
they can transform that entry into something else. It is not something
you'd want, at least for hosts.
So you need to create a special permission that handles this case.
I am unable to create one on the fly, my brain is not working today...
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
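The following script is an added example; it is not code from this thread or from the FreeIPA project. It turns the reply's procedure into something a host can run from cron: authenticate with the host keytab, read its own attribute-level rights from `ipa host-show --rights`, and only call `host-mod` when the principal can write `macaddress` without FreeIPA also needing to write `objectClass` (either because the principal has write on `objectclass`, or because the entry already carries a `macaddress` value and so already has the object class that permits it). It also carries the admin-side commands for a permission limited to write on the `macaddress` attribute of host entries, instead of the broad 'System: Modify Hosts'. Assumptions: an enrolled client with `/etc/krb5.keytab` and the `ipa` CLI on PATH, that `ipa host-show --raw --rights --all` prints an `attributelevelrights: {...}` dictionary and a `macaddress:` line, and the permission, privilege and role names, which are made up for this example.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA itself.
# Assumed: enrolled client with /etc/krb5.keytab, 'ipa' CLI on PATH, and
# that 'ipa host-show --raw --rights --all' prints lines of the form
#   attributelevelrights: {'fqdn': 'rscwo', 'macaddress': 'rsc', ...}
#   macaddress: AA:BB:CC:DD:EE:FF
set -eu

# Print the rights string (e.g. "rscwo") for attribute $1 from the
# host-show output passed as $2. Prints nothing when the attribute is
# absent from attributelevelrights, which means no write right.
attr_rights() {
    printf '%s\n' "$2" |
        sed -n 's/^ *attributelevelrights: //p' |
        tr ',' '\n' |
        sed -n "s/.*'$1': '\([a-z]*\)'.*/\1/p" |
        head -n 1
}

# Succeed only if attribute $1 carries the 'w' (write) right in output $2.
has_write() {
    case "$(attr_rights "$1" "$2")" in
        *w*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Succeed if the calling principal can set macaddress on this entry without
# FreeIPA also having to write objectClass: it needs 'w' on macaddress, and
# either 'w' on objectclass or a macaddress value already present on the
# entry (so the object class permitting the attribute is already there).
can_update_macaddress() {
    has_write macaddress "$1" || return 1
    if has_write objectclass "$1"; then
        return 0
    fi
    printf '%s\n' "$1" | grep -q '^ *macaddress: '
}

# Host side: authenticate with the host keytab, check rights, then update.
update_own_macaddress() {
    mac="$1"
    host="$(hostname)"
    kinit -k
    out="$(ipa host-show "$host" --rights --all --raw)"
    if can_update_macaddress "$out"; then
        ipa host-mod "$host" --macaddress="$mac"
    else
        echo "$host: host principal cannot write macaddress" \
             "(macaddress rights: '$(attr_rights macaddress "$out")'," \
             "objectclass rights: '$(attr_rights objectclass "$out")');" \
             "an admin must grant a permission or set the first value" >&2
        return 1
    fi
}

# Admin side, run once with admin credentials: a permission limited to
# write on macaddress for host entries, wrapped in a privilege and a role,
# and granted to one host. All three names are made up for this example.
grant_macaddress_write() {
    host_fqdn="$1"
    ipa permission-add "Hosts: Write MAC address" \
        --right=write --type=host --attrs=macaddress
    ipa privilege-add "Host MAC address self-update"
    ipa privilege-add-permission "Host MAC address self-update" \
        --permissions="Hosts: Write MAC address"
    ipa role-add "Host MAC address updaters"
    ipa role-add-privilege "Host MAC address updaters" \
        --privileges="Host MAC address self-update"
    ipa role-add-member "Host MAC address updaters" --hosts="$host_fqdn"
}

# Usage on the host:  ./update-mac.sh --update AA:BB:CC:DD:EE:FF
if [ "${1:-}" = "--update" ] && [ $# -eq 2 ]; then
    update_own_macaddress "$2"
fi
```

Because the permission above grants only `macaddress`, a host whose entry has never carried a MAC address still hits the `objectClass` error the reply shows; an admin sets the first value (or grants write on `objectclass`, which the reply argues against), after which the host can keep it current on its own.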
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue