Hello,
I've encountered a minor annoyance when using the 'enrollment administrator' role.
I created a user for ipa-client enrolment and made the user a member of the 'enrollment administrator' role.
I've tested it and it was capable of enrolling clients.
After this I disabled the allow_all policy.
Cleared the sssd cache on the ipa server and tried again.
Now the user gets a 'No permission to join this host to the IPA domain.'
It works for ipa admin accounts.
I guess I need to allow a service for the 'enrollment administrator' role.
But I don't know which one.
What service do I need to allow for the 'enrollment administrator' role to function properly?
Rob Verduijn