This may also be a bug. Host Enrollment privilege should be enough to join
FreeIPA. We did many access control related fixes in FreeIPA 4.0 (like, it may have gotten fixed there.

If "Host Enrollment" permission is still failing for you in 4.0+, we would be
interested to see the actual error so that we can fix it.


On 08/15/2014 11:27 AM, Michael Lasevich wrote:
> Thanks, that was actually very helpful.
> "Host Enrollment" privilege does not actually allow you to enroll hosts,
> not sure what that is about. But "Host Administrators" worked just fine.
> -M
> On Fri, Aug 15, 2014 at 1:18 AM, Martin Kosek <> wrote:
>> On 08/14/2014 10:23 PM, Michael Lasevich wrote:
>>> Is there somewhere a documented minimum set of permissions required to
>>> create a special role/account/principal to auto-join machines to the
>>> domain?
>>> I am not all too comfortable to run this as admin user and not quite
>>> ready to set up the orchestration needed to pre-join the host.
>>> Thanks,
>>> -M
>> You can simply create a system user or a joiner service and assign it a
>> "Host Administrators" privilege:
>> # ipa privilege-show "Host Administrators"
>>   Privilege name: Host Administrators
>>   Description: Host Administrators
>>   Permissions: add hosts, remove hosts, modify hosts, manage host ssh public keys,
>>                manage host keytab, enroll a host, retrieve certificates from the ca,
>>                revoke certificate, add krbprincipalname to a host
>>   Granting privilege to roles: IT Specialist
>> HTH,
>> Martin
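The following script is an added example, not part of the thread and not FreeIPA project code. It spells out Martin's suggestion as a least-privilege setup: a dedicated role that carries only the "Host Administrators" privilege, a service principal as that role's sole member, and a keytab for that service so no admin password has to sit on the enrolling machine. The role name `joiners`, the service `joiner/ipa.example.com`, the keytab paths, and the assumption that `ipa-client-install` uses an already-present Kerberos credential cache when no principal/password is given are all my choices, not something the thread states. `DRY_RUN=1` prints the commands instead of executing them, which is useful for reviewing the change before it touches the directory.

```shell
#!/bin/sh
# Added example (not from the thread): provision a "joiner" service principal
# holding only the "Host Administrators" privilege, then enroll a client with
# its keytab. Role/service/keytab names are assumptions; adjust to your realm.
# Set DRY_RUN=1 to print the commands instead of running them.
DRY_RUN="${DRY_RUN:-}"

# run: execute a command, or echo it in dry-run mode.
run() {
    if [ -n "$DRY_RUN" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# provision_joiner_role ROLE SERVER KEYTAB: run on the IPA server with admin
# credentials. Creates the role, attaches the "Host Administrators" privilege
# shown in the thread, adds a service principal as the role's only member and
# fetches that service's keytab (which resets the service's Kerberos key).
# Usage: provision_joiner_role joiners ipa.example.com /root/joiner.keytab
provision_joiner_role() {
    role="$1"; server="$2"; keytab="$3"
    svc="joiner/$server"                       # assumed service principal name
    run ipa role-add "$role" --desc="Automated host enrollment"
    run ipa role-add-privilege "$role" --privileges="Host Administrators"
    run ipa service-add "$svc"
    run ipa role-add-member "$role" --services="$svc"
    run ipa-getkeytab -s "$server" -p "$svc" -k "$keytab"
}

# enroll_client SERVER KEYTAB: run on the new client after copying the keytab
# there (mode 0600, root-owned). Obtains a TGT as the joiner service; the
# enrollment then runs with that ticket rather than an admin password
# (assumption: ipa-client-install picks up the existing credential cache).
# Usage: enroll_client ipa.example.com /etc/joiner.keytab
enroll_client() {
    server="$1"; keytab="$2"
    run kinit -kt "$keytab" "joiner/$server"
    run ipa-client-install --unattended --mkhomedir
}
```

To tighten this further on 4.0 and later, as Martin suggests, swap `"Host Administrators"` for `"Host Enrollment"` in `provision_joiner_role`, re-run the join, and confirm with `ipa privilege-show` which permissions the narrower privilege actually grants; if the join then fails, the error output is what the developers asked to see.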

Manage your subscription for the Freeipa-users mailing list: