[Freeipa-users] Re: Need Information regarding "ipa host-del" command

2022-10-29 Thread Abhishek Dasgupta via FreeIPA-users
>
> As I mentioned it will also try to remove any DNS entries for the host
> and revoke any certificates issued to the host and services. You'll need
> to add those permissions as well.


The role which the admin is a member of has the following privileges:
"Service Administrators" and "Host Administrators" (ipa role-add-privilege
$role_name --privileges="Service Administrators"
--privileges="Host Administrators")? If you can direct me to what those
exact permissions/privileges are, and how to add them? Will they be the
same as adding another privilege option flag?
It'd be really helpful if anyone can answer it or provide some
pointers/references. Thank you!

Regards,
Abhishek

On Fri, Oct 28, 2022, 23:14 Rob Crittenden wrote:

> Abhishek Dasgupta via FreeIPA-users wrote:
> > Thanks Alexander! Do you have any pointers on why it may be failing ?
> > and how to proceed to solve the problem? I am happy to provide any
> > information that is needed.
>
> As I mentioned it will also try to remove any DNS entries for the host
> and revoke any certificates issued to the host and services. You'll need
> to add those permissions as well.
>
> rob
>
> >
> > On Thu, Oct 27, 2022 at 9:49 PM Alexander Bokovoy <aboko...@redhat.com> wrote:
> >
> > On Thu, 27 Oct 2022, Abhishek Dasgupta via FreeIPA-users wrote:
> > >Hi Rob,
> > >Thanks for answering my doubts! The admin in my case has these privileges =
> > >{"Service Administrator", "Host Administrator"}. Is some other
> > >privilege needed to delete a host ?
> >
> > 'Host Administrators' privilege should cover 'Remove Hosts' permission:
> >
> >     'System: Remove Hosts': {
> >         'ipapermright': {'delete'},
> >         'replaces': [
> >             '(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,$SUFFIX";)',
> >         ],
> >         'default_privileges': {'Host Administrators'},
> >     },
> >
> > Accordingly, 'Service Administrators' privilege should cover 'Remove
> > Services' permission:
> >
> >     'System: Remove Services': {
> >         'ipapermright': {'delete'},
> >         'replaces': [
> >             '(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,$SUFFIX";)',
> >         ],
> >         'default_privileges': {'Service Administrators'},
> >     },
> >
> > These are the definitions of the actual permissions in IPA code.
> >
> > >
> > >On Wed, Oct 26, 2022 at 10:35 PM Rob Crittenden <rcrit...@redhat.com> wrote:
> > >
> > >> Abhishek Dasgupta via FreeIPA-users wrote:
> > >> > Hello, If you can provide some pointers, it would be great! . Thanks
> > >> >
> > >> > Best,
> > >> > Abhishek
> > >> >
> > >> > On Fri, Oct 21, 2022 at 6:17 PM Abhishek Dasgupta
> > >> > <abhishekdasgupta...@gmail.com> wrote:
> > >> >
> > >> > Newbie here. I have a use-case where I need to delete host
> > >> > principals only when no service principals exist on the host. Does
> > >> > "ipa host-del" perform this check? If No, then when I run this
> > >> > command  would it delete the host principal and along with it delete
> > >> > all the service principals associated ?
> > >>
> > >> A service can't exist without an accompanying host. If you use host-del
> > >> it will delete the host and all services, no questions asked.
> > >>
> > >> > I tried to run the command on a host but got the following error:
> > >> >
> > >> >

[Freeipa-users] Re: Need Information regarding "ipa host-del" command

2022-10-27 Thread Abhishek Dasgupta via FreeIPA-users
Thanks Alexander! Do you have any pointers on why it may be failing ? and
how to proceed to solve the problem? I am happy to provide any information
that is needed.

Best,
Abhishek

On Thu, Oct 27, 2022 at 9:49 PM Alexander Bokovoy wrote:

> On Thu, 27 Oct 2022, Abhishek Dasgupta via FreeIPA-users wrote:
> >Hi Rob,
> >Thanks for answering my doubts! The admin in my case has these privileges =
> >{"Service Administrator", "Host Administrator"}. Is some other
> >privilege needed to delete a host ?
>
> 'Host Administrators' privilege should cover 'Remove Hosts' permission:
>
>     'System: Remove Hosts': {
>         'ipapermright': {'delete'},
>         'replaces': [
>             '(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,$SUFFIX";)',
>         ],
>         'default_privileges': {'Host Administrators'},
>     },
>
> Accordingly, 'Service Administrators' privilege should cover 'Remove
> Services' permission:
>
>     'System: Remove Services': {
>         'ipapermright': {'delete'},
>         'replaces': [
>             '(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,$SUFFIX";)',
>         ],
>         'default_privileges': {'Service Administrators'},
>     },
>
> These are the definitions of the actual permissions in IPA code.
>
> >
> >On Wed, Oct 26, 2022 at 10:35 PM Rob Crittenden wrote:
> >
> >> Abhishek Dasgupta via FreeIPA-users wrote:
> >> > Hello, If you can provide some pointers, it would be great! . Thanks
> >> >
> >> > Best,
> >> > Abhishek
> >> >
> >> > On Fri, Oct 21, 2022 at 6:17 PM Abhishek Dasgupta
> >> > <abhishekdasgupta...@gmail.com> wrote:
> >> >
> >> > Newbie here. I have a use-case where I need to delete host
> >> > principals only when no service principals exist on the host. Does
> >> > "ipa host-del" perform this check? If No, then when I run this
> >> > command  would it delete the host principal and along with it delete
> >> > all the service principals associated ?
> >>
> >> A service can't exist without an accompanying host. If you use host-del
> >> it will delete the host and all services, no questions asked.
> >>
> >> > I tried to run the command on a host but got the following error:
> >> >
> >> > ipa: ERROR: Insufficient access: Insufficient 'delete' privilege to
> >> > delete the entry
> >> >
> >> >
> >> > What privileges are needed to run this command ? I was already kinit
> >> > as an admin.
> >>
> >> In a stock install admin should have sufficient privileges to remove any
> >> host that is not also an IPA server.
> >>
> >> It will delete:
> >>
> >> - the host
> >> - all services
> >> - revoke all certificates issued to the host/service
> >> - all DNS records for the host/service
> >>
> >> rob
> >>
> >>
>
>
>
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
>
>
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue


[Freeipa-users] Re: Need Information regarding "ipa host-del" command

2022-10-27 Thread Abhishek Dasgupta via FreeIPA-users
Hi Rob,
Thanks for answering my doubts! The admin in my case has these privileges =
{"Service Administrator", "Host Administrator"}. Is some other
privilege needed to delete a host ?

On Wed, Oct 26, 2022 at 10:35 PM Rob Crittenden wrote:

> Abhishek Dasgupta via FreeIPA-users wrote:
> > Hello, If you can provide some pointers, it would be great! . Thanks
> >
> > Best,
> > Abhishek
> >
> > On Fri, Oct 21, 2022 at 6:17 PM Abhishek Dasgupta
> > <abhishekdasgupta...@gmail.com> wrote:
> >
> > Newbie here. I have a use-case where I need to delete host
> > principals only when no service principals exist on the host. Does
> > "ipa host-del" perform this check? If No, then when I run this
> > command  would it delete the host principal and along with it delete
> > all the service principals associated ?
>
> A service can't exist without an accompanying host. If you use host-del
> it will delete the host and all services, no questions asked.
>
> > I tried to run the command on a host but got the following error:
> >
> > ipa: ERROR: Insufficient access: Insufficient 'delete' privilege to
> > delete the entry
> >
> >
> > What privileges are needed to run this command ? I was already kinit
> > as an admin.
>
> In a stock install admin should have sufficient privileges to remove any
> host that is not also an IPA server.
>
> It will delete:
>
> - the host
> - all services
> - revoke all certificates issued to the host/service
> - all DNS records for the host/service
>
> rob
>
>


[Freeipa-users] Re: Need Information regarding "ipa host-del" command

2022-10-25 Thread Abhishek Dasgupta via FreeIPA-users
Hello, If you can provide some pointers, it would be great! . Thanks

Best,
Abhishek

On Fri, Oct 21, 2022 at 6:17 PM Abhishek Dasgupta <
abhishekdasgupta...@gmail.com> wrote:

> Newbie here. I have a use-case where I need to delete host principals only
> when no service principals exist on the host. Does "ipa host-del" perform
> this check? If No, then when I run this command  would it delete the host
> principal and along with it delete all the service principals associated ?
>
> I tried to run the command on a host but got the following error:
>
> ipa: ERROR: Insufficient access: Insufficient 'delete' privilege to delete
> the entry
>
>
> What privileges are needed to run this command ? I was already kinit as an
> admin.
>


[Freeipa-users] Need Information regarding "ipa host-del" command

2022-10-21 Thread Abhishek Dasgupta via FreeIPA-users
Newbie here. I have a use-case where I need to delete host principals only
when no service principals exist on the host. Does "ipa host-del" perform
this check? If No, then when I run this command  would it delete the host
principal and along with it delete all the service principals associated ?

I tried to run the command on a host but got the following error:

ipa: ERROR: Insufficient access: Insufficient 'delete' privilege to delete
the entry


What privileges are needed to run this command ? I was already kinit as an
admin.
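
Rob Crittenden's reply in this thread says `ipa host-del` removes the host and all of its services without asking, so the check from the original question has to run before the call. The wrapper below is an added example, not code from the thread or from FreeIPA: the function names are hypothetical, and it assumes `ipa service-find` prints each principal as `service/host@REALM`.

```bash
#!/bin/bash
# Added example: refuse `ipa host-del` while service principals still exist
# on the host. Function names are hypothetical, not part of FreeIPA.

# Read `ipa service-find` output on stdin and print the principals whose host
# part equals FQDN exactly. service-find matches substrings, so a search for
# web1.example.com can also return HTTP/myweb1.example.com.
services_on_host() {
    local fqdn
    fqdn=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    grep -oE '[A-Za-z0-9_.-]+/[A-Za-z0-9.-]+(@[A-Za-z0-9.-]+)?' |
    awk -v want="$fqdn" '{
        host = substr($0, index($0, "/") + 1)   # drop "service/"
        at = index(host, "@")
        if (at) host = substr(host, 1, at - 1)  # drop "@REALM"
        if (tolower(host) == want) print
    }' | sort -u
}

# Delete the host only when no service principal is registered on it.
guarded_host_del() {
    local fqdn=$1 found
    # Without a valid ticket the search returns nothing, which would look
    # like "no services"; stop before that can happen.
    klist -s || { echo 'no valid Kerberos ticket, run kinit first' >&2; return 2; }
    # service-find exits non-zero when nothing matches; only its output matters.
    found=$(ipa service-find "$fqdn" --pkey-only --sizelimit=0 |
            services_on_host "$fqdn") || true
    if [ -n "$found" ]; then
        printf 'Not deleting %s, services still registered:\n%s\n' \
            "$fqdn" "$found" >&2
        return 1
    fi
    ipa host-del "$fqdn"
}
```

The check and the delete are two separate calls, so a service added between them is still removed by `host-del`.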