Hi,

On Sat, Oct 29, 2022 at 4:19 PM Abhishek Dasgupta via FreeIPA-users <
[email protected]> wrote:

>> As I mentioned it will also try to remove any DNS entries for the host
>> and revoke any certificates issued to the host and services. You'll need
>> to add those permissions as well.
>
>
> The role which the admin is a member of has the following privileges:
> "Service Administrators" and "Host Administrators" (ipa role-add-privilege
> $role_name --privileges="Service Administrators"
> --privileges="Host Administrators")? If you can direct me to what those
> exact permissions/privileges are? And how to add them? Will they be the
> same as adding another privilege option flag?
> It'd be really helpful if anyone can answer it or provide some
> pointers/references. Thank you!
>

Are you using the "admin" user or an alternate user? If this user is a
member of the "admins" group he should inherit all the required privileges,
no need to assign individual roles.
flo

>
> Regards,
> Abhishek
>
> On Fri, Oct 28, 2022, 23:14 Rob Crittenden <[email protected]> wrote:
>
>> Abhishek Dasgupta via FreeIPA-users wrote:
>> > Thanks Alexander! Do you have any pointers on why it may be failing ?
>> > and how to proceed to solve the problem? I am happy to provide any
>> > information that is needed.
>>
>> As I mentioned it will also try to remove any DNS entries for the host
>> and revoke any certificates issued to the host and services. You'll need
>> to add those permissions as well.
>>
>> rob
>>
>> >
>> > On Thu, Oct 27, 2022 at 9:49 PM Alexander Bokovoy <[email protected]> wrote:
>> >
>> >     On Thu, 27 Oct 2022, Abhishek Dasgupta via FreeIPA-users wrote:
>> >     >Hi Rob,
>> >     >Thanks for answering my doubts! The admin in my case has these
>> >     >privileges = {"Service Administrator", "Host Administrator"}. Is some
>> >     >other privilege needed to delete a host?
>> >
>> >     'Host Administrators' privilege should cover 'Remove Hosts' permission:
>> >
>> >              'System: Remove Hosts': {
>> >                  'ipapermright': {'delete'},
>> >                  'replaces': [
>> >                      '(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX";)(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,$SUFFIX";)',
>> >                  ],
>> >                  'default_privileges': {'Host Administrators'},
>> >              },
>> >
>> >     Accordingly, 'Service Administrators' privilege should cover 'Remove
>> >     Services' permission:
>> >
>> >              'System: Remove Services': {
>> >                  'ipapermright': {'delete'},
>> >                  'replaces': [
>> >                      '(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX";)(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,$SUFFIX";)',
>> >                  ],
>> >                  'default_privileges': {'Service Administrators'},
>> >              },
>> >
>> >     These are the definitions of the actual permissions in IPA code.
>> >
>> >     >
>> >     >On Wed, Oct 26, 2022 at 10:35 PM Rob Crittenden
>> >     ><[email protected]> wrote:
>> >     >
>> >     >> Abhishek Dasgupta via FreeIPA-users wrote:
>> >     >> > Hello, if you can provide some pointers, it would be great! Thanks
>> >     >> >
>> >     >> > Best,
>> >     >> > Abhishek
>> >     >> >
>> >     >> > On Fri, Oct 21, 2022 at 6:17 PM Abhishek Dasgupta
>> >     >> > <[email protected]> wrote:
>> >     >> >
>> >     >> >     Newbie here. I have a use-case where I need to delete host
>> >     >> >     principals only when no service principals exist on the host.
>> >     >> >     Does "ipa host-del" perform this check? If no, then when I run
>> >     >> >     this command, would it delete the host principal and along with
>> >     >> >     it delete all the service principals associated?
>> >     >>
>> >     >> A service can't exist without an accompanying host. If you use
>> >     >> host-del it will delete the host and all services, no questions asked.
>> >     >>
>> >     >> >     I tried to run the command on a host but got the following error:
>> >     >> >
>> >     >> >     ipa: ERROR: Insufficient access: Insufficient 'delete' privilege to delete the entry
>> >     >> >
>> >     >> >
>> >     >> >     What privileges are needed to run this command? I was already
>> >     >> >     kinit as an admin.
>> >     >>
>> >     >> In a stock install admin should have sufficient privileges to remove
>> >     >> any host that is not also an IPA server.
>> >     >>
>> >     >> It will delete:
>> >     >>
>> >     >> - the host
>> >     >> - all services
>> >     >> - revoke all certificates issued to the host/service
>> >     >> - all DNS records for the host/service
>> >     >>
>> >     >> rob
>> >     >>
>> >     >>
>> >
>> >
>> >
>> >
>> >     --
>> >     / Alexander Bokovoy
>> >     Sr. Principal Software Engineer
>> >     Security / Identity Management Engineering
>> >     Red Hat Limited, Finland
>> >
>> >
>> > _______________________________________________
>> > FreeIPA-users mailing list -- [email protected]
>> > To unsubscribe send an email to
>> [email protected]
>> > Fedora Code of Conduct:
>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> > List Archives:
>> https://lists.fedorahosted.org/archives/list/[email protected]
>> > Do not reply to spam, report it:
>> https://pagure.io/fedora-infrastructure/new_issue
>> >
>>
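Added example (not part of the thread and not FreeIPA code): a simplified check of which entries the two ACI strings quoted above cover for `delete`, showing why the host's DNS records need a permission beyond 'Remove Hosts' and 'Remove Services'. The suffix, host name and entry DNs are constructed, the DNS entry layout under cn=dns is an assumption, certificate revocation is not modeled, and only target and rights are compared, not the caller's group membership.

```python
import fnmatch
import re

SUFFIX = "dc=example,dc=test"  # constructed suffix standing in for $SUFFIX

# The two ACI strings quoted in the thread ($SUFFIX is filled in by parse_aci).
ACIS_TEXT = [
    '(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX";)'
    '(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = '
    '"ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,$SUFFIX";)',
    '(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX";)'
    '(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = '
    '"ldap:///cn=Remove Services,cn=permissions,cn=pbac,$SUFFIX";)',
]

ACI_RE = re.compile(
    r'\(target\s*=\s*"ldap:///(?P<target>[^"]+)";\)'
    r'\(version 3\.0;\s*acl\s*"permission:(?P<name>[^"]+)";\s*'
    r'allow\s*\((?P<rights>[^)]+)\)\s*groupdn\s*=\s*"ldap:///(?P<groupdn>[^"]+)";\)'
)

def parse_aci(text):
    """Split one ACI of the form shown above into target, name, rights, groupdn."""
    m = ACI_RE.fullmatch(text.replace("$SUFFIX", SUFFIX))
    if m is None:
        raise ValueError("unsupported ACI syntax: " + text)
    aci = m.groupdict()
    aci["rights"] = {r.strip() for r in aci["rights"].split(",")}
    return aci

def covering_permission(dn, right, acis):
    """Name of the first ACI that allows `right` on `dn`, or None.
    Simplified: compares target and rights only, not group membership."""
    for aci in acis:
        if right in aci["rights"] and fnmatch.fnmatchcase(dn.lower(), aci["target"].lower()):
            return aci["name"]
    return None

# Constructed entries of the kinds host-del removes (DNS layout is an assumption).
ENTRIES = [
    "fqdn=web1.example.test,cn=computers,cn=accounts," + SUFFIX,
    "krbprincipalname=HTTP/web1.example.test@EXAMPLE.TEST,cn=services,cn=accounts," + SUFFIX,
    "idnsname=web1,idnsname=example.test.,cn=dns," + SUFFIX,
]

def audit(entries=ENTRIES):
    """Map each entry DN to the permission that covers deleting it, or None."""
    acis = [parse_aci(t) for t in ACIS_TEXT]
    return {dn: covering_permission(dn, "delete", acis) for dn in entries}

if __name__ == "__main__":
    for dn, perm in audit().items():
        print(perm or "NOT COVERED", "<-", dn)
```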