Hello again,

We're using salt for automation and have created a salt service account for
the express permissions of joining machines to our domain. This user has
been assigned the "Enrollment Administrator" role, but when attempting to
join clients the log output is as follows:
Client hostname: ubuntu.domain.com
Realm: DOMAIN.COM
DNS Domain: domain.com
IPA Server: server1.domain.com
BaseDN: dc=domain,dc=com
Continue to configure the system with these values? [no]: yes
Synchronizing time
Configuration of chrony was changed by installer.
Attempting to sync time with chronyc.
Time synchronization was successful.
User authorized to enroll computers: test-join
Password for test(a)DOMAIN.COM:
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=DOMAIN.COMIPA environment is 4.4
Issuer: CN=Certificate Authority,O=DOMAIN.COM
Valid From: 2017-01-26 18:47:36
Valid Until: 2037-01-26 18:47:36
Joining realm failed: No permission to join this host to the IPA domain.
The FreeIPA version is 4.6.5 and it's running on CentOS 7.7. Can someone
assist me in troubleshooting? Is there another pre-defined role or
permission that I need to assign?
Thanks,
Jeff