[Freeipa-users] Minimal permissions for "joiner" account?

Martin Kosek mkosek at redhat.com
Fri Aug 15 10:26:21 UTC 2014


This may also be a bug. Host Enrollment privilege should be enough to join
FreeIPA. We did many access control related fixes in FreeIPA 4.0 (like
https://fedorahosted.org/freeipa/ticket/4252); it may have gotten fixed there.

If the "Host Enrollment" permission is still failing for you in 4.0+, we would be
interested in seeing the actual error so that we can fix it.

Martin

On 08/15/2014 11:27 AM, Michael Lasevich wrote:
> Thanks, that was actually very helpful.
> 
> "Host Enrollment" privilege does not actually allow you to enroll hosts,
> not sure what that is about. But "Host Administrators" worked just fine.
> 
> -M
> 
> 
> On Fri, Aug 15, 2014 at 1:18 AM, Martin Kosek <mkosek at redhat.com> wrote:
> 
>> On 08/14/2014 10:23 PM, Michael Lasevich wrote:
>>> Is there somewhere a documented minimum set of permissions required to
>>> create a special role/account/principal to auto-join machines to the
>>> domain?
>>>
>>> I am not all too comfortable running this as the admin user and not quite
>>> ready to set up the orchestration needed to pre-join the host.
>>>
>>> Thanks,
>>>
>>> -M
>>>
>>>
>>>
>>
>> You can simply create a system user or a joiner service and assign it a
>> "Host Administrators" privilege:
>>
>> # ipa privilege-show "Host Administrators"
>>   Privilege name: Host Administrators
>>   Description: Host Administrators
>>   Permissions: add hosts, remove hosts, modify hosts, manage host ssh public keys,
>>                manage host keytab, enroll a host, retrieve certificates from the ca,
>>                revoke certificate, add krbprincipalname to a host
>>   Granting privilege to roles: IT Specialist
>>
>> HTH,
>> Martin
>>
> 
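An added example, not code from the thread or from the FreeIPA project: a small bash script that parses `ipa privilege-show` output in the format quoted above, reports which permissions a dedicated join account would still be missing, and wraps the role setup Martin describes so the joiner never needs the admin account. The role and user names ("Host Joiner", "joiner") and the required-permission list are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the thread or FreeIPA). Parses `ipa privilege-show`
# output in the format quoted above to check that a privilege carries what a
# dedicated join account needs, and wraps the role setup the thread suggests.
# Assumed: bash, awk, sed, grep; names "Host Joiner"/"joiner" are made up.

# Sample input: the "Host Administrators" output quoted in the thread.
SAMPLE_OUTPUT='  Privilege name: Host Administrators
  Description: Host Administrators
  Permissions: add hosts, remove hosts, modify hosts, manage host ssh public keys,
               manage host keytab, enroll a host, retrieve certificates from the ca,
               revoke certificate, add krbprincipalname to a host
  Granting privilege to roles: IT Specialist'

# Permissions an unattended ipa-client-install of a not-yet-created host
# needs (assumption drawn from the thread: "enroll a host" alone failed).
REQUIRED_PERMS='add hosts
enroll a host
manage host keytab'

# privilege_perms OUTPUT: print one permission per line.
privilege_perms() {
    printf '%s\n' "$1" | awk '
        /^  Permissions:/ { sub(/^  Permissions: */, ""); inperm = 1; print; next }
        inperm && /^  [A-Za-z]/ { inperm = 0 }   # next top-level field ends the list
        inperm { sub(/^ */, ""); print }         # wrapped continuation line
    ' | tr ',' '\n' | sed 's/^ *//; s/ *$//' | grep -v '^$'
}

# missing_perms OUTPUT: print the required permissions the privilege lacks.
missing_perms() {
    local have
    have=$(privilege_perms "$1" || true)
    printf '%s\n' "$REQUIRED_PERMS" | while IFS= read -r p; do
        printf '%s\n' "$have" | grep -qxF -- "$p" || printf '%s\n' "$p"
    done
}

# The setup from the thread as a function (needs an admin ticket; not run
# here): a role carrying one privilege, far narrower than the admin account.
create_joiner_role() {
    ipa user-add joiner --first=Host --last=Joiner
    ipa role-add "Host Joiner" --desc="Unattended host enrollment"
    ipa role-add-privilege "Host Joiner" --privileges="Host Administrators"
    ipa role-add-member "Host Joiner" --users=joiner
}
```

Against a live server, `missing_perms "$(ipa privilege-show 'Host Administrators')"` prints nothing when the privilege covers the list and names each missing permission otherwise.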