This may also be a bug. Host Enrollment privilege should be enough to join FreeIPA. We did many access control related fixes in FreeIPA 4.0 (like https://fedorahosted.org/freeipa/ticket/4252), it may have been fixed there.

If "Host Enrollment" permission is still failing for you in 4.0+, we would be interested to see the actual error so that we can fix it.

Martin

On 08/15/2014 11:27 AM, Michael Lasevich wrote:
> Thanks, that was actually very helpful.
>
> "Host Enrollment" privilege does not actually allow you to enroll hosts,
> not sure what that is about. But "Host Administrators" worked just fine.
>
> -M
>
>
> On Fri, Aug 15, 2014 at 1:18 AM, Martin Kosek <mko...@redhat.com> wrote:
>
>> On 08/14/2014 10:23 PM, Michael Lasevich wrote:
>>> Is there somewhere a documented minimum set of permissions required to
>>> create a special role/account/principal to auto-join machines to the
>>> domain?
>>>
>>> I am not all too comfortable to run this as admin user and not quite
>>> ready to set up the orchestration needed to pre-join the host.
>>>
>>> Thanks,
>>>
>>> -M
>>
>> You can simply create a system user or a joiner service and assign it a
>> "Host Administrators" privilege:
>>
>> # ipa privilege-show "Host Administrators"
>>   Privilege name: Host Administrators
>>   Description: Host Administrators
>>   Permissions: add hosts, remove hosts, modify hosts, manage host ssh public keys,
>>                manage host keytab, enroll a host, retrieve certificates from the ca,
>>                revoke certificate, add krbprincipalname to a host
>>   Granting privilege to roles: IT Specialist
>>
>> HTH,
>> Martin
>>

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
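The thread turns on which permissions a join account actually holds, so a quick way to audit that is to parse the `ipa privilege-show` output quoted above and diff it against the permissions you expect a joiner to need. The script below is an added example, not code from the thread or from FreeIPA itself. The sample input is a constructed copy of the quoted output, including the line wrapping the archive introduced, so the parser has to re-join continuation lines; the `JOIN_REQUIRED` set is an assumption for the check, not a documented FreeIPA minimum.

```python
"""Parse `ipa privilege-show` output and check a privilege against a required
permission set (added example for the thread above; not FreeIPA's own code)."""
import re

# Constructed sample: the output quoted in the thread, with the line wrapping
# the mailing-list archive introduced (continuation lines must be re-joined).
SAMPLE_OUTPUT = """\
  Privilege name: Host Administrators
  Description: Host Administrators
  Permissions: add hosts, remove hosts, modify hosts, manage host ssh
  public keys,
  manage host keytab, enroll a host, retrieve certificates
  from
  the ca,
  revoke certificate, add krbprincipalname to a host
  Granting privilege to roles: IT Specialist
"""

# Permissions a join account is assumed to need, taken from the names that
# appear in the thread. This is an assumption for the check, not a documented
# FreeIPA minimum.
JOIN_REQUIRED = frozenset({"enroll a host", "manage host keytab", "add hosts"})

# A field line looks like "  Permissions: add hosts, ..."; continuation lines
# produced by wrapping start with a lowercase word and carry no "Key:" prefix.
_FIELD = re.compile(r"^\s*([A-Z][A-Za-z ]*):\s?(.*)$")


def parse_privilege_show(text):
    """Return {field: value} from privilege-show output, joining wrapped lines."""
    fields = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = _FIELD.match(line)
        if m:
            current = m.group(1)
            fields[current] = m.group(2).strip()
        elif current is not None:
            # Continuation line: glue it onto the previous field's value.
            fields[current] = (fields[current] + " " + line.strip()).strip()
    return fields


def permissions(fields):
    """Split the comma-separated Permissions field into a normalized set."""
    raw = fields.get("Permissions", "")
    return {p.strip().lower() for p in raw.split(",") if p.strip()}


def missing_permissions(fields, required=JOIN_REQUIRED):
    """Required permissions the privilege does not grant."""
    return set(required) - permissions(fields)


def excess_permissions(fields, required=JOIN_REQUIRED):
    """Permissions granted beyond the required set (least-privilege review aid)."""
    return permissions(fields) - set(required)


if __name__ == "__main__":
    f = parse_privilege_show(SAMPLE_OUTPUT)
    print("privilege:", f["Privilege name"])
    print("missing  :", sorted(missing_permissions(f)))
    print("excess   :", sorted(excess_permissions(f)))
```

Run it against the real output of `ipa privilege-show` for whichever privilege you assign to the joiner account; an empty `missing` set means the account can enroll, and a long `excess` set (revoke certificate, remove hosts, and so on for "Host Administrators") is the list of rights you are handing out beyond what enrollment needs.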