Alexander Bokovoy via FreeIPA-users wrote:
> On Wed, 26 Mar 2025, Andrew Nelson via FreeIPA-users wrote:
>> How would one go about scripting the updating of host attributes in IPA
>> such as MAC address from the host itself. Ideally I would love to use the
>> host kerberos key and never need a user credential, but I'm unsure of how
>> to start this.
>>
>> Can the IPA command line utility use the host kerberos key to perform
>> host-mod activities? Likewise, can the python libraries leverage the host
>> kerberos key? If so, how does one start?
>
> # kinit -k
> # ipa host-show `hostname` --rights --all | grep attributelevelrights
> ...
>
> Look at the 'attributelevelrights' line; each element in that dictionary
> describes what rights your Kerberos principal (in this case the machine
> account) has for each attribute. If you do not see an attribute, you
> don't have write rights for sure.
>
> # ipa host-mod `hostname` --macaddress=....
>
> This will fail because the machine's account has no rights to write to the
> macaddress attribute:
>
> # kinit -k
> # ipa host-mod `hostname` --macaddress=AA:BB:CC:DD:EE:FF
> ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the
> 'macAddress' attribute of entry
> 'fqdn=m1.ipa1demo.test,cn=computers,cn=accounts,dc=ipa1demo,dc=test'.
>
> There is a system permission 'System: Modify Hosts' that allows write to
> macaddress and other attributes, but it is not assigned by default
> because it gives more rights than required. In particular, it gives the
> right to write to the 'objectClass' attribute, which is the core of the LDAP
> object system. The macAddress attribute is only allowed if the LDAP object
> includes an object class that permits the attribute. The FreeIPA API knows
> which objectclass needs to be added and attempts to add it automatically,
> and it will fail if no permission to write to the 'objectclass' attribute is
> granted. However, allowing applications to write to 'objectclass' means
> they can transform that entry into something else. It is not something
> you'd want, at least for hosts.
>
> So you need to create a special permission that handles this case.
> I am unable to create one on the fly, my brain is not working today...
The root of the problem is that the macaddress attribute is not available by
default in a host, but if it is set then the ieee802device objectclass is added
at the same time. I strongly agree with Alexander and wouldn't recommend hosts
be able to modify their own set of objectclasses.

A workaround is to add the missing objectclass in advance:

$ kinit admin
$ ipa host-mod --addattr objectclass=ieee802device client.example.test

Then you can add a new permission:

$ ipa permission-add "Hosts can modify their own MAC address" --right write --type host --bindtype self --attrs macaddress

Then you can do as Alexander suggested:

# kinit -k
# ipa host-mod $(hostname) --macaddress 00:11:22:33:44:55

There is no way to change the default objectclasses for hosts in configuration
like there is with users and groups. You'd need to write a short plugin to
inject it into a host as the host is created. For existing hosts you'd need to
do them one at a time.

rob
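The two replies above together describe a procedure a host can follow with only its own keytab: authenticate with `kinit -k`, read the `attributelevelrights` line from `ipa host-show --rights --all`, and only attempt `ipa host-mod --macaddress` when the machine principal actually holds write on `macaddress` (which, as Rob notes, requires the `ieee802device` objectclass and a self-bind permission to have been granted by an admin beforehand). The script below is an added example and is not code from the thread or from the FreeIPA project. It assumes the `ipa` client and the host keytab are present, that `attributelevelrights` is printed in the Python-dict style (`'attr': 'rscwo'`) that the `ipa` CLI uses, and the two sample rights lines are constructed for illustration, not real output.

```shell
#!/bin/sh
# Added example (not from the thread): let a host update its own MAC
# address in FreeIPA using only its machine account, failing fast with a
# clear message when the principal lacks write rights on macaddress.

# attr_writable RIGHTS_LINE ATTR
# Returns 0 if ATTR appears in the attributelevelrights dictionary with a
# rights string containing 'w' (write). An absent attribute means no write
# right, exactly as Alexander described.
attr_writable() {
    line=$1
    attr=$2
    # Assumed format: attributelevelrights: {'macaddress': 'rscwo', ...}
    rights=$(printf '%s\n' "$line" | sed -n "s/.*'$attr': '\([a-z]*\)'.*/\1/p")
    case $rights in
        *w*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Constructed sample lines (not captured from a real server) showing the two
# situations: the default host entry, and one where the admin has added the
# ieee802device objectclass plus a self-bind write permission on macaddress.
SAMPLE_NO_WRITE="attributelevelrights: {'description': 'rsc', 'macaddress': 'rsc', 'objectclass': 'rsc'}"
SAMPLE_WRITE="attributelevelrights: {'description': 'rsc', 'macaddress': 'rscwo', 'objectclass': 'rsc'}"

# update_mac MAC
# Authenticates with the host keytab, checks rights, then runs host-mod.
# Exit codes: 1 = kinit/host-show failed, 2 = no write right on macaddress.
update_mac() {
    mac=$1
    kinit -k || { echo "kinit -k with the host keytab failed" >&2; return 1; }
    host=$(hostname)
    line=$(ipa host-show "$host" --rights --all | grep attributelevelrights) \
        || { echo "could not read attributelevelrights for $host" >&2; return 1; }
    if attr_writable "$line" macaddress; then
        ipa host-mod "$host" --macaddress="$mac"
    else
        echo "machine principal has no write right on macaddress for $host;" \
             "an admin must add objectclass=ieee802device and a self-bind" \
             "permission on macaddress first" >&2
        return 2
    fi
}

# Only touch the real IPA server when explicitly asked, so the script can be
# sourced or tested without an IPA client installed.
if [ "${1:-}" = "--run" ] && [ -n "${2:-}" ]; then
    update_mac "$2"
fi
```

Run it on the host as `sh update-mac.sh --run 00:11:22:33:44:55`; sourcing the file without arguments only defines the functions, which is what makes the rights check testable offline against the constructed sample lines.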
