[Freeipa-users] Minimal permissions for "joiner" account?

Rob Crittenden rcritten at redhat.com
Mon Aug 18 18:33:14 UTC 2014


Michael Lasevich wrote:
> Thanks, that was actually very helpful.
> 
> "Host Enrollment" privilege does not actually allow you to enroll hosts,
> not sure what that is about. But "Host Administrators" worked just fine.

I'd be curious to know how it was failing. It should be enough to do
just an enrollment (not add a missing host, etc).

Host Administrator also grants a slew of privileges beyond what you need.

rob

> 
> -M
> 
> 
> On Fri, Aug 15, 2014 at 1:18 AM, Martin Kosek <mkosek at redhat.com> wrote:
> 
>     On 08/14/2014 10:23 PM, Michael Lasevich wrote:
>     > Is there somewhere a documented minimum set of permissions required to
>     > create a special role/account/principal to auto-join machines to the domain?
>     >
>     > I am not all too comfortable to run this as admin user and not quite ready
>     > to set up the orchestration needed to pre-join the host.
>     >
>     > Thanks,
>     >
>     > -M
> 
>     You can simply create a system user or a joiner service and assign
>     it a "Host Administrators" privilege:
> 
>     # ipa privilege-show "Host Administrators"
>       Privilege name: Host Administrators
>       Description: Host Administrators
>       Permissions: add hosts, remove hosts, modify hosts, manage host ssh public keys,
>                    manage host keytab, enroll a host, retrieve certificates from the ca,
>                    revoke certificate, add krbprincipalname to a host
>       Granting privilege to roles: IT Specialist
> 
>     HTH,
>     Martin
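
An added example, not part of this thread or of FreeIPA's own tooling, showing one way to set up the account Martin describes while granting only the "Host Enrollment" privilege instead of "Host Administrators". The user name "joiner", the role name "Host Joiner", the JOINER_PASSWORD variable and the DRY_RUN switch are this example's own assumptions; the ipa and ipa-client-install commands are standard ones.

```sh
#!/bin/sh
# Added example, not part of the thread. Creates a least-privilege "joiner"
# account that carries only the "Host Enrollment" privilege and uses it with
# ipa-client-install. Assumed names: user "joiner", role "Host Joiner".
# DRY_RUN=1 prints each command instead of executing it; unset, the commands
# run against your IPA server using the current admin ticket.

JOINER_USER="${JOINER_USER:-joiner}"
JOINER_ROLE="${JOINER_ROLE:-Host Joiner}"

run() {
    if [ -n "$DRY_RUN" ]; then
        echo "$@"
    else
        "$@"
    fi
}

# Server side, as admin: the account plus a role holding just one privilege.
# "Host Enrollment" lets the account enroll an existing host entry; it does
# not include "add hosts", which is part of "Host Administrators".
create_joiner() {
    # --password prompts for the new password on the terminal.
    run ipa user-add "$JOINER_USER" --first=Host --last=Joiner --password
    run ipa role-add "$JOINER_ROLE" --desc="Enroll pre-created hosts only"
    run ipa role-add-privilege "$JOINER_ROLE" --privileges="Host Enrollment"
    run ipa role-add-member "$JOINER_ROLE" --users="$JOINER_USER"
}

# Server side, as admin: because the joiner cannot create host entries, the
# entry for each machine is created before that machine enrolls.
precreate_host() {
    run ipa host-add "$1"
}

# Client side: enroll using the joiner's password. JOINER_PASSWORD is read
# from the environment rather than hard-coded in the script.
enroll_client() {
    [ -n "$JOINER_PASSWORD" ] || { echo "JOINER_PASSWORD not set" >&2; return 1; }
    run ipa-client-install --unattended --hostname="$1" \
        --principal="$JOINER_USER" --password="$JOINER_PASSWORD"
}

# Sanity check after setup: what the role and the privilege actually grant.
show_joiner_rights() {
    run ipa role-show "$JOINER_ROLE"
    run ipa privilege-show "Host Enrollment"
}
```

The pre-creation step is the trade-off Rob's reply points at: "Host Enrollment" covers enrolling a host entry that already exists, so either an admin (or some orchestration) creates the entry first, or the joiner also needs the "add hosts" permission, which is what "Host Administrators" carries along with several other rights a joiner does not need.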