[Freeipa-users] Minimal permissions for "joiner" account?

Michael Lasevich mlasevich at lasevich.net
Fri Aug 15 09:27:30 UTC 2014


Thanks, that was actually very helpful.

"Host Enrollment" privilege does not actually allow you to enroll hosts,
not sure what that is about. But "Host Administrators" worked just fine.

-M


On Fri, Aug 15, 2014 at 1:18 AM, Martin Kosek <mkosek at redhat.com> wrote:

> On 08/14/2014 10:23 PM, Michael Lasevich wrote:
> > Is there somewhere a documented minimum set of permissions required to
> > create a special role/account/principal to auto-join machines to the domain?
> >
> > I am not all too comfortable to run this as admin user and not quite ready
> > to set up the orchestration needed to pre-join the host.
> >
> > Thanks,
> >
> > -M
> >
>
> You can simply create a system user or a joiner service and assign it a
> "Host Administrators" privilege:
>
> # ipa privilege-show "Host Administrators"
>   Privilege name: Host Administrators
>   Description: Host Administrators
>   Permissions: add hosts, remove hosts, modify hosts, manage host ssh public keys,
>                manage host keytab, enroll a host, retrieve certificates from the ca,
>                revoke certificate, add krbprincipalname to a host
>   Granting privilege to roles: IT Specialist
>
> HTH,
> Martin
>
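Martin's suggestion turned into a small provisioning script, as an added example that is not part of the thread: it creates a dedicated role carrying only the "Host Administrators" privilege, puts a joiner account in that role, and enrolls a client with that account instead of admin. The role name "Host Joiner", the login "joiner" and the IPA / IPA_CLIENT_INSTALL overrides (set both to `echo` for a dry run) are assumptions, not anything from the list post.

```shell
#!/bin/sh
# Added example, not from the thread. Server-side functions need an admin
# Kerberos ticket (kinit admin); the client-side function runs on the host
# being enrolled. Names below are assumptions, override via environment.
set -eu

IPA="${IPA:-ipa}"                                   # set IPA=echo for a dry run
IPA_CLIENT_INSTALL="${IPA_CLIENT_INSTALL:-ipa-client-install}"
ROLE="${ROLE:-Host Joiner}"                         # assumed role name
JOINER="${JOINER:-joiner}"                          # assumed login name

# Create a role that holds only the "Host Administrators" privilege from
# Martin's privilege-show output, create the joiner user and add it to the
# role. Privileges attach to roles, roles to users, hence the two steps.
create_joiner() {
    "$IPA" role-add "$ROLE" --desc="Automated host enrollment only"
    "$IPA" role-add-privilege "$ROLE" --privileges="Host Administrators"
    # --random prints a generated initial password; store it in your secret store.
    "$IPA" user-add "$JOINER" --first=Host --last=Joiner --random
    "$IPA" role-add-member "$ROLE" --users="$JOINER"
}

# Show the role so the privilege and membership can be eyeballed after the run.
verify_joiner() {
    "$IPA" role-show "$ROLE"
}

# On the new client: enroll with the joiner principal rather than admin.
# The password is visible in the process list while the command runs; on
# an interactive console prefer -W (prompt) over --password.
enroll_host() {
    pw="$1"
    "$IPA_CLIENT_INSTALL" --unattended --principal="$JOINER" --password="$pw"
}
```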