On 08/14/2014 10:23 PM, Michael Lasevich wrote:
> Is there somewhere a documented minimum set of permissions required to
> create a special role/account/principal to auto-join machines to the domain?
> 
> I am not all too comfortable to run this as admin user and not quite ready
> to set up the orchestration needed to pre-join the host.
> 
> Thanks,
> 
> -M
> 
> 
> 

You can simply create a system user or a joiner service and assign it a "Host
Administrators" privilege:

# ipa privilege-show "Host Administrators"
  Privilege name: Host Administrators
  Description: Host Administrators
  Permissions: add hosts, remove hosts, modify hosts, manage host ssh public keys,
               manage host keytab, enroll a host, retrieve certificates from the ca,
               revoke certificate, add krbprincipalname to a host
  Granting privilege to roles: IT Specialist

HTH,
Martin

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
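
The steps from the reply above as a script, added here as an example that is not part of the original thread. The role name `Host Enroller` and account name `hostjoiner` are assumptions, and `list_permissions` is a hypothetical helper that splits `ipa privilege-show` output like the one quoted above into one permission per line, so the rights the joiner account receives can be reviewed before they are granted.

```shell
#!/bin/sh
# Added example, not from the thread. ROLE and JOINER are hypothetical names.
# "apply" and "audit" assume a valid admin Kerberos ticket (kinit admin).
ROLE="${ROLE:-Host Enroller}"
JOINER="${JOINER:-hostjoiner}"
PRIVILEGE="Host Administrators"

# Execute a command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'dry-run:'; printf ' [%s]' "$@"; printf '\n'
    else
        "$@"
    fi
}

# Create the role, attach the privilege, create the account, bind it to the role.
setup_joiner() {
    run ipa role-add "$ROLE" --desc="Enroll hosts into the domain" &&
    run ipa role-add-privilege "$ROLE" --privileges="$PRIVILEGE" &&
    run ipa user-add "$JOINER" --first=Host --last=Joiner &&
    run ipa role-add-member "$ROLE" --users="$JOINER"
}

# Read `ipa privilege-show` output on stdin, print one permission per line.
# Field labels are indented by exactly two spaces; anything else that follows
# "Permissions:" is treated as a wrapped continuation of that field.
list_permissions() {
    awk '
        /^ *Permissions:/ { sub(/^ *Permissions: */, ""); grab = 1; buf = $0; next }
        grab && /^  [^ ]/ { grab = 0 }
        grab { buf = buf " " $0 }
        END {
            n = split(buf, p, ",")
            for (i = 1; i <= n; i++) {
                gsub(/ +/, " ", p[i]); sub(/^ /, "", p[i]); sub(/ $/, "", p[i])
                if (p[i] != "") print p[i]
            }
        }'
}

case "${1:-}" in
    apply) setup_joiner ;;
    audit) ipa privilege-show "$PRIVILEGE" | list_permissions ;;
esac
```

Running it with `DRY_RUN=1` and the `apply` argument prints the four `ipa` commands without executing them; the account's password or keytab still has to be provisioned according to site policy.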
