Michael Lasevich wrote:
> Thanks, that was actually very helpful.
>
> "Host Enrollment" privilege does not actually allow you to enroll hosts,
> not sure what that is about. But "Host Administrators" worked just fine.

I'd be curious to know how it was failing. It should be enough to do just an enrollment (not add a missing host, etc). Host Administrator also grants a slew of privileges beyond what you need.

rob

> -M
>
> On Fri, Aug 15, 2014 at 1:18 AM, Martin Kosek <mko...@redhat.com> wrote:
>
>     On 08/14/2014 10:23 PM, Michael Lasevich wrote:
>     > Is there somewhere a documented minimum set of permissions required to
>     > create a special role/account/principal to auto-join machines to the domain?
>     >
>     > I am not all too comfortable to run this as admin user and not quite ready
>     > to set up the orchestration needed to pre-join the host.
>     >
>     > Thanks,
>     >
>     > -M
>
>     You can simply create a system user or a joiner service and assign it a "Host
>     Administrators" privilege:
>
>     # ipa privilege-show "Host Administrators"
>       Privilege name: Host Administrators
>       Description: Host Administrators
>       Permissions: add hosts, remove hosts, modify hosts, manage host ssh public keys,
>                    manage host keytab, enroll a host, retrieve certificates from the ca,
>                    revoke certificate, add krbprincipalname to a host
>       Granting privilege to roles: IT Specialist
>
>     HTH,
>     Martin

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
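As an added example (not code from the thread or from the FreeIPA project): a small Python audit that parses the `ipa privilege-show` output quoted above and lists what "Host Administrators" grants beyond an enrollment-only set, which is the excess Rob points out. The enrollment-only set is an assumption drawn from his remark that a plain enrollment should suffice; verify it against your IPA version.

```python
import re

# Sample `ipa privilege-show "Host Administrators"` output, reconstructed from the
# thread above (constructed sample, not captured from a live server).
PRIVILEGE_SHOW_OUTPUT = """\
  Privilege name: Host Administrators
  Description: Host Administrators
  Permissions: add hosts, remove hosts, modify hosts, manage host ssh public keys,
               manage host keytab, enroll a host, retrieve certificates from the ca,
               revoke certificate, add krbprincipalname to a host
  Granting privilege to roles: IT Specialist
"""

# Assumed minimal set for a join-only account (follows Rob's remark that an
# enrollment alone should be enough); confirm against your own IPA version.
ENROLL_ONLY = {"enroll a host"}


def parse_privilege_show(text):
    """Parse the key/value block printed by `ipa privilege-show`.

    The CLI wraps long multi-valued fields onto indented continuation lines,
    so a line without a 'Key: value' shape is appended to the previous field.
    """
    fields = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"^([A-Za-z][A-Za-z ]*?): ?(.*)$", line)
        if m:
            current = m.group(1)
            fields[current] = m.group(2)
        elif current is not None:
            fields[current] += " " + line
    return fields


def permissions_of(text):
    """Return the set of permission names the privilege grants."""
    raw = parse_privilege_show(text).get("Permissions", "")
    return {p.strip() for p in raw.split(",") if p.strip()}


def excess_permissions(text, needed=ENROLL_ONLY):
    """Permissions granted beyond what a join-only account needs, sorted."""
    return sorted(permissions_of(text) - set(needed))


if __name__ == "__main__":
    for perm in excess_permissions(PRIVILEGE_SHOW_OUTPUT):
        print("excess:", perm)
```

Run it against a live `ipa privilege-show` capture (or a custom privilege you built for the joiner account) to confirm the account carries only what enrollment needs.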