On 08/14/2014 10:23 PM, Michael Lasevich wrote:
> Is there somewhere a documented minimum set of permissions required to
> create a special role/account/principal to auto-join machines to the domain?
>
> I am not all too comfortable to run this as admin user and not quite ready
> to set up the orchestration needed to pre-join the host.
>
> Thanks,
>
> -M
>
>
>
You can simply create a system user or a joiner service and assign it a "Host
Administrators" privilege:

    # ipa privilege-show "Host Administrators"
      Privilege name: Host Administrators
      Description: Host Administrators
      Permissions: add hosts, remove hosts, modify hosts, manage host ssh public keys,
                   manage host keytab, enroll a host, retrieve certificates from the ca,
                   revoke certificate, add krbprincipalname to a host
      Granting privilege to roles: IT Specialist

HTH,
Martin
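
One way to set up the joiner account described in the reply above, as an added example that is not part of the original message. The role name "Host Enrollers" and the login "hostjoiner" are assumptions; the script prints the commands by default and only runs them when APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not from the thread. ROLE and JOINER are assumed names.
ROLE="${ROLE:-Host Enrollers}"
JOINER="${JOINER:-hostjoiner}"
PRIVILEGE="Host Administrators"   # the privilege named in the reply

# Dry run by default: print each command. APPLY=1 executes it instead
# (needs a Kerberos ticket for an IPA administrator, e.g. from kinit).
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

setup_joiner() {
    # Refuse unexpected login names rather than pass them on to ipa.
    case "$JOINER" in
        ''|*[!a-z0-9_.-]*) echo "invalid login: $JOINER" >&2; return 2 ;;
    esac

    # 1. A role that exists only to carry the enrollment privilege.
    run ipa role-add "$ROLE" --desc="Accounts allowed to enroll hosts" || return 1
    # 2. Attach the privilege to that role.
    run ipa role-add-privilege "$ROLE" --privileges="$PRIVILEGE" || return 1
    # 3. The dedicated account; set its password separately (ipa passwd).
    run ipa user-add "$JOINER" --first=Host --last=Joiner || return 1
    # 4. Make the account a member of the role.
    run ipa role-add-member "$ROLE" --users="$JOINER" || return 1
    # 5. Show the result so the membership and privilege can be reviewed.
    run ipa role-show "$ROLE" || return 1
}

setup_joiner
```

The account holds only the one role, so the admin password no longer has to be present on machines being joined.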