Please, I need help with the "ipa permission-add" command.

I am implementing a file server connected to FreeIPA and the following problem showed up:

I am using a bind user, which reads end-user attributes, but sambaNTPassword is protected from reading.

I tried the "ipa permission-add" command; the permission was added, but it does not work. I am not sure where I am making a mistake.

Here is the entire command: ipa permission-add "Read sambaNTPassword" --permissions=read --type=user --attr=sambaNTPassword

Of course I added the permission to a privilege, the privilege to a role, and finally assigned the user to the role.

Thanks for your time and kindness,
Jan Svenha