[Freeipa-users] Re: Need Information regarding "ipa host-del" command
> As I mentioned it will also try to remove any DNS entries for the host
> and revoke any certificates issued to the host and services. You'll need
> to add those permissions as well.

The role which the admin is a member of has the following privileges: "Service Administrators" and "Host Administrators" (ipa role-add-privilege $role_name --privileges="Service Administrators" --privileges="Host Administrators")?
If you can direct me to what those exact permissions/privileges are, and how to add them? Will they be the same as adding another privilege option flag?

It'd be really helpful if anyone can answer it or provide some pointers/references. Thank you!

Regards,
Abhishek

On Fri, Oct 28, 2022, 23:14 Rob Crittenden wrote:

> Abhishek Dasgupta via FreeIPA-users wrote:
> > Thanks Alexander! Do you have any pointers on why it may be failing?
> > And how to proceed to solve the problem? I am happy to provide any
> > information that is needed.
>
> As I mentioned it will also try to remove any DNS entries for the host
> and revoke any certificates issued to the host and services. You'll need
> to add those permissions as well.
>
> rob
>
> > On Thu, Oct 27, 2022 at 9:49 PM Alexander Bokovoy <aboko...@redhat.com> wrote:
> >
> >     On Thu, 27 Oct 2022, Abhishek Dasgupta via FreeIPA-users wrote:
> >     >Hi Rob,
> >     >Thanks for answering my doubts! The admin in my case has these privileges =
> >     >{"Service Administrator", "Host Administrator"}. Is some other
> >     >privilege needed to delete a host?
> >
> >     'Host Administrators' privilege should cover 'Remove Hosts' permission:
> >
> >         'System: Remove Hosts': {
> >             'ipapermright': {'delete'},
> >             'replaces': [
> >                 '(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,$SUFFIX";)',
> >             ],
> >             'default_privileges': {'Host Administrators'},
> >         },
> >
> >     Accordingly, 'Service Administrators' privilege should cover 'Remove
> >     Services' permission:
> >
> >         'System: Remove Services': {
> >             'ipapermright': {'delete'},
> >             'replaces': [
> >                 '(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,$SUFFIX";)',
> >             ],
> >             'default_privileges': {'Service Administrators'},
> >         },
> >
> >     These are the definitions of the actual permissions in IPA code.
> >
> >     >On Wed, Oct 26, 2022 at 10:35 PM Rob Crittenden <rcrit...@redhat.com> wrote:
> >     >
> >     >> Abhishek Dasgupta via FreeIPA-users wrote:
> >     >> > Hello, If you can provide some pointers, it would be great! Thanks
> >     >> >
> >     >> > Best,
> >     >> > Abhishek
> >     >> >
> >     >> > On Fri, Oct 21, 2022 at 6:17 PM Abhishek Dasgupta <abhishekdasgupta...@gmail.com> wrote:
> >     >> >
> >     >> >     Newbie here. I have a use-case where I need to delete host
> >     >> >     principals only when no service principals exist on the host. Does
> >     >> >     "ipa host-del" perform this check? If No, then when I run this
> >     >> >     command would it delete the host principal and along with it delete
> >     >> >     all the service principals associated?
> >     >>
> >     >> A service can't exist without an accompanying host. If you use host-del
> >     >> it will delete the host and all services, no questions asked.
> >     >>
> >     >> > I tried to run the command on a host but got the following error:
> >     >> >
[Freeipa-users] Re: Need Information regarding "ipa host-del" command
Thanks Alexander! Do you have any pointers on why it may be failing? And how to proceed to solve the problem? I am happy to provide any information that is needed.

Best,
Abhishek

On Thu, Oct 27, 2022 at 9:49 PM Alexander Bokovoy wrote:

> On Thu, 27 Oct 2022, Abhishek Dasgupta via FreeIPA-users wrote:
> >Hi Rob,
> >Thanks for answering my doubts! The admin in my case has these privileges =
> >{"Service Administrator", "Host Administrator"}. Is some other
> >privilege needed to delete a host?
>
> 'Host Administrators' privilege should cover 'Remove Hosts' permission:
>
>     'System: Remove Hosts': {
>         'ipapermright': {'delete'},
>         'replaces': [
>             '(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,$SUFFIX";)',
>         ],
>         'default_privileges': {'Host Administrators'},
>     },
>
> Accordingly, 'Service Administrators' privilege should cover 'Remove
> Services' permission:
>
>     'System: Remove Services': {
>         'ipapermright': {'delete'},
>         'replaces': [
>             '(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,$SUFFIX";)',
>         ],
>         'default_privileges': {'Service Administrators'},
>     },
>
> These are the definitions of the actual permissions in IPA code.
>
> >On Wed, Oct 26, 2022 at 10:35 PM Rob Crittenden wrote:
> >
> >> Abhishek Dasgupta via FreeIPA-users wrote:
> >> > Hello, If you can provide some pointers, it would be great! Thanks
> >> >
> >> > Best,
> >> > Abhishek
> >> >
> >> > On Fri, Oct 21, 2022 at 6:17 PM Abhishek Dasgupta <abhishekdasgupta...@gmail.com> wrote:
> >> >
> >> >     Newbie here. I have a use-case where I need to delete host
> >> >     principals only when no service principals exist on the host. Does
> >> >     "ipa host-del" perform this check? If No, then when I run this
> >> >     command would it delete the host principal and along with it delete
> >> >     all the service principals associated?
> >>
> >> A service can't exist without an accompanying host. If you use host-del
> >> it will delete the host and all services, no questions asked.
> >>
> >> > I tried to run the command on a host but got the following error:
> >> >
> >> >     ipa: ERROR: Insufficient access: Insufficient 'delete' privilege to delete the entry
> >> >
> >> > What privileges are needed to run this command? I was already kinit
> >> > as an admin.
> >>
> >> In a stock install admin should have sufficient privileges to remove any
> >> host that is not also an IPA server.
> >>
> >> It will delete:
> >>
> >> - the host
> >> - all services
> >> - revoke all certificates issued to the host/service
> >> - all DNS records for the host/service
> >>
> >> rob
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland

___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
[Freeipa-users] Re: Need Information regarding "ipa host-del" command
Hi Rob,

Thanks for answering my doubts! The admin in my case has these privileges = {"Service Administrator", "Host Administrator"}. Is some other privilege needed to delete a host?

On Wed, Oct 26, 2022 at 10:35 PM Rob Crittenden wrote:

> Abhishek Dasgupta via FreeIPA-users wrote:
> > Hello, If you can provide some pointers, it would be great! Thanks
> >
> > Best,
> > Abhishek
> >
> > On Fri, Oct 21, 2022 at 6:17 PM Abhishek Dasgupta <abhishekdasgupta...@gmail.com> wrote:
> >
> >     Newbie here. I have a use-case where I need to delete host
> >     principals only when no service principals exist on the host. Does
> >     "ipa host-del" perform this check? If No, then when I run this
> >     command would it delete the host principal and along with it delete
> >     all the service principals associated?
>
> A service can't exist without an accompanying host. If you use host-del
> it will delete the host and all services, no questions asked.
>
> > I tried to run the command on a host but got the following error:
> >
> >     ipa: ERROR: Insufficient access: Insufficient 'delete' privilege to delete the entry
> >
> > What privileges are needed to run this command? I was already kinit
> > as an admin.
>
> In a stock install admin should have sufficient privileges to remove any
> host that is not also an IPA server.
>
> It will delete:
>
> - the host
> - all services
> - revoke all certificates issued to the host/service
> - all DNS records for the host/service
>
> rob
[Freeipa-users] Re: Need Information regarding "ipa host-del" command
Hello, If you can provide some pointers, it would be great! Thanks

Best,
Abhishek

On Fri, Oct 21, 2022 at 6:17 PM Abhishek Dasgupta <abhishekdasgupta...@gmail.com> wrote:

> Newbie here. I have a use-case where I need to delete host principals only
> when no service principals exist on the host. Does "ipa host-del" perform
> this check? If No, then when I run this command would it delete the host
> principal and along with it delete all the service principals associated?
>
> I tried to run the command on a host but got the following error:
>
>     ipa: ERROR: Insufficient access: Insufficient 'delete' privilege to delete the entry
>
> What privileges are needed to run this command? I was already kinit as an
> admin.
[Freeipa-users] Need Information regarding "ipa host-del" command
Newbie here. I have a use-case where I need to delete host principals only when no service principals exist on the host. Does "ipa host-del" perform this check? If No, then when I run this command would it delete the host principal and along with it delete all the service principals associated?

I tried to run the command on a host but got the following error:

    ipa: ERROR: Insufficient access: Insufficient 'delete' privilege to delete the entry

What privileges are needed to run this command? I was already kinit as an admin.
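
Added example, not part of the thread and not FreeIPA's own code: because host-del removes the host and all of its services without asking, the check the original post wants has to be made by the caller before the delete. This sketch assumes the ipa CLI is on the path, a Kerberos ticket is held, and that `ipa service-find` prints one principal per labelled line and reports an empty search as "0 services matched" with exit status 1; the function names and the sample output are constructed for illustration.

```python
import re
import subprocess

# Any "<label>: service/host@REALM" line in `ipa service-find` output.
PRINCIPAL_RE = re.compile(r":\s*(\S+/\S+@\S+)\s*$", re.MULTILINE)

# Constructed sample output for a search on "web01.example.test".
SAMPLE_OUTPUT = """\
  Principal name: HTTP/web01.example.test@EXAMPLE.TEST
  Principal name: nfs/web01.example.test@EXAMPLE.TEST
  Principal name: HTTP/myweb01.example.test@EXAMPLE.TEST
"""

def parse_principals(text):
    """Extract service principals from CLI output, de-duplicated, in order."""
    return list(dict.fromkeys(PRINCIPAL_RE.findall(text)))

def services_on_host(principals, fqdn):
    """Keep principals whose host part is exactly fqdn (the search is a
    substring match, so myweb01... comes back for web01...)."""
    want = fqdn.rstrip(".").lower()
    hits = []
    for principal in principals:
        service, _, host = principal.split("@", 1)[0].partition("/")
        if service.lower() != "host" and host.rstrip(".").lower() == want:
            hits.append(principal)
    return hits

def list_service_principals(fqdn, run=subprocess.run):
    """Assumes the ipa CLI is installed and a Kerberos ticket is held."""
    proc = run(["ipa", "service-find", fqdn, "--pkey-only", "--sizelimit=0"],
               capture_output=True, text=True)
    # Assumption: an empty search exits 1 and prints "0 services matched".
    # Anything else non-zero is an error; fail closed instead of deleting.
    empty = proc.returncode == 1 and "0 services matched" in proc.stdout
    if proc.returncode != 0 and not empty:
        raise RuntimeError(proc.stderr.strip() or "ipa service-find failed")
    return parse_principals(proc.stdout)

def guarded_host_del(fqdn, lister=list_service_principals, run=subprocess.run):
    """Run `ipa host-del` only if no service principal exists on the host.
    Returns (deleted, blocking). Not atomic: a service added between the
    check and the delete is still removed by host-del."""
    blocking = services_on_host(lister(fqdn), fqdn)
    if blocking:
        return False, blocking
    run(["ipa", "host-del", fqdn], check=True)
    return True, []
```
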