This may also be a bug. Host Enrollment privilege should be enough to join
FreeIPA. We did many access control related fixes in FreeIPA 4.0 (like
https://fedorahosted.org/freeipa/ticket/4252), it may got fixed there.

If "Host Enrollment" permission is still failing for you in 4.0+, we would be
interested to see the actual error so that we can fix it.

Martin

On 08/15/2014 11:27 AM, Michael Lasevich wrote:
> Thanks, that was actually very helpful.
> 
> "Host Enrollment" privilege does not actually allow you to enroll hosts,
> not sure what that is about. But "Host Administrators" worked just fine.
> 
> -M
> 
> 
> On Fri, Aug 15, 2014 at 1:18 AM, Martin Kosek <mko...@redhat.com> wrote:
> 
>> On 08/14/2014 10:23 PM, Michael Lasevich wrote:
>>> Is there somewhere a documented minimum set of permissions required to
>>> create a special role/account/principal to auto-join machines to the
>> domain?
>>>
>>> I am not all too comfortable to run this as admin user and not quite
>> ready
>>> to set up the orchestration needed to pre-join the host.
>>>
>>> Thanks,
>>>
>>> -M
>>>
>>>
>>>
>>
>> You can simply create a system user or a joiner service and assign it a
>> "Host
>> Administrators" privilege:
>>
>> # ipa privilege-show "Host Administrators"
>>   Privilege name: Host Administrators
>>   Description: Host Administrators
>>   Permissions: add hosts, remove hosts, modify hosts, manage host ssh
>> public keys,
>>                manage host keytab, enroll a host, retrieve certificates
>> from
>> the ca,
>>                revoke certificate, add krbprincipalname to a host
>>   Granting privilege to roles: IT Specialist
>>
>> HTH,
>> Martin
>>
> 

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Reply via email to