Hello,

I've encountered a minor annoyance when using the 'Enrollment Administrator' role.

I created a user for ipa-client enrolment and made the user a member of the 'Enrollment Administrator' role.

I've tested it and it was capable of enrolling clients.

After this I disabled the allow_all policy, cleared the sssd cache on the ipa server and tried again.

Now the user gets a 'No permission to join this host to the IPA domain.'
It works for ipa admin accounts.

I guess I need to allow a service for the 'Enrollment Administrator' role.
But I don't know which one.

What service do I need to allow for the 'Enrollment Administrator' role to function properly?

Rob Verduijn