Thanks, that was actually very helpful. "Host Enrollment" privilege does not actually allow you to enroll hosts, not sure what that is about. But "Host Administrators" worked just fine.
-M

On Fri, Aug 15, 2014 at 1:18 AM, Martin Kosek <mko...@redhat.com> wrote:
> On 08/14/2014 10:23 PM, Michael Lasevich wrote:
> > Is there somewhere a documented minimum set of permissions required to
> > create a special role/account/principal to auto-join machines to the domain?
> >
> > I am not all too comfortable to run this as admin user and not quite ready
> > to set up the orchestration needed to pre-join the host.
> >
> > Thanks,
> >
> > -M
>
> You can simply create a system user or a joiner service and assign it a "Host
> Administrators" privilege:
>
> # ipa privilege-show "Host Administrators"
>   Privilege name: Host Administrators
>   Description: Host Administrators
>   Permissions: add hosts, remove hosts, modify hosts, manage host ssh public keys,
>                manage host keytab, enroll a host, retrieve certificates from the ca,
>                revoke certificate, add krbprincipalname to a host
>   Granting privilege to roles: IT Specialist
>
> HTH,
> Martin
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
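The setup Martin describes, written out as a script. This is an added example and not code from the thread or from the FreeIPA project; the role name "Host Enrollment Service" and the user name "joiner" are assumed, and the ipa subcommands used (role-add, role-add-privilege, user-add, role-add-member, user-show, privilege-show) and the ipa-client-install flags (--principal, --password, --domain, --unattended) are the standard ones. Setting IPA=echo and CLIENT_INSTALL=echo in the environment prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: give host enrollment
# its own account that carries only the "Host Administrators" privilege,
# so ipa-client-install never needs the admin password.
# JOINER_ROLE and JOINER_USER are illustrative names chosen here.
set -eu

IPA="${IPA:-ipa}"                                        # IPA=echo for a dry run
CLIENT_INSTALL="${CLIENT_INSTALL:-ipa-client-install}"
JOINER_ROLE="${JOINER_ROLE:-Host Enrollment Service}"    # assumed name
JOINER_USER="${JOINER_USER:-joiner}"                     # assumed name

# One-time setup on the IPA server, run with an admin ticket (kinit admin).
# Privileges attach to roles and users are made members of roles, so the
# joiner account gets its rights through a dedicated role.
setup_joiner() {
    "$IPA" role-add "$JOINER_ROLE" --desc="Enrolls hosts, nothing else"
    "$IPA" role-add-privilege "$JOINER_ROLE" --privileges="Host Administrators"
    "$IPA" user-add "$JOINER_USER" --first=Host --last=Joiner
    "$IPA" role-add-member "$JOINER_ROLE" --users="$JOINER_USER"
    # Set the password afterwards with: ipa passwd "$JOINER_USER"
    # An admin-set password is expired at first use: kinit as the joiner
    # once and change it before handing the account to automation.
}

# Check what the account can do: its role should carry the permissions
# listed by 'ipa privilege-show "Host Administrators"' and nothing from
# the admin role.
show_joiner_rights() {
    "$IPA" user-show "$JOINER_USER" --all
    "$IPA" privilege-show "Host Administrators"
}

# On a new machine: enroll with the joiner principal instead of admin.
# $1 = IPA domain, $2 = joiner password (feed it from a secret store,
# not from an interactive shell, so it does not land in history).
enroll_client() {
    "$CLIENT_INSTALL" --unattended \
        --domain="$1" \
        --principal="$JOINER_USER" \
        --password="$2"
}

# Usage: ./joiner.sh setup | rights | enroll DOMAIN PASSWORD
case "${1:-}" in
    setup)  setup_joiner ;;
    rights) show_joiner_rights ;;
    enroll) enroll_client "$2" "$3" ;;
esac
```

The joiner still holds real power over the host tree (remove hosts, revoke certificates, manage keytabs are part of the privilege), so treat its password like any other infrastructure secret and keep the account out of every other role.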