Which privileges are needed for ipa-client-install? I created a user and gave it host enrollment privileges. But that does not seem to be enough...
ipa-client-install needs to be run as root or with sudo. Or do you mean which user you can use when it asks for the admin username?
On 06/04/2017 11:27 AM, Ronald Wimmer via FreeIPA-users wrote:
Which privileges are needed for ipa-client-install? I created a user and gave it host enrollment privileges. But that does not seem to be enough...
If you meant what privileges on the IPA server a user enrolling new hosts needs to have, I believe it is Host Enrollment and Host Administrators. Enrollment gives access to enroll hosts, but to create the host object, you need to be in Host Administrators.
On 06/04/2017 11:39 AM, Striker Leggette via FreeIPA-users wrote:
ipa-client-install needs to be run as root or with sudo. Or do you mean which user you can use when it asks for the admin username?
On 2017-06-04 17:41, Striker Leggette wrote:
If you meant what privileges on the IPA server a user enrolling new hosts needs to have, I believe it is Host Enrollment and Host Administrators. Enrollment gives access to enroll hosts, but to create the host object, you need to be in Host Administrators.
Perfect. Thanks a lot. This was the information I was looking for.
So "Host Enrollment" only makes sense if the host object already exists?
Yes. The idea behind this split is that whoever is able to create hosts holds greater power over the DNS of your environment. When a host is created it is added to a DNS zone, so this privilege could be used to disrupt your operations.
Enrolling the host is only setting the data on an existing object in LDAP.
----- Ronald Wimmer via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
Perfect. Thanks a lot. This was the information I was looking for.
So "Host Enrollment" only makes sense if the host object already exists?
We augmented our Host enrollment role with permissions to create host objects. This is because we've encapsulated the function in our configuration management to enroll existing systems into IPA.
For more modern orchestration one could use OTP enrollment and teach the orchestrator to create a host object with a different account.
The Host administrator role has far more permissions, including deleting hosts.
I can look up the exact permissions for you if you want.
Sent from my Samsung device
-------- Original message -------- From: Alexander Bokovoy via FreeIPA-users freeipa-users@lists.fedorahosted.org Date: 04-06-17 17:55 (GMT+01:00) To: FreeIPA users list freeipa-users@lists.fedorahosted.org Cc: Ronald Wimmer ronaldw@ronzo.at, Alexander Bokovoy abokovoy@redhat.com Subject: [Freeipa-users] Re: Privileges needed for ipa-client-install
Yes. The idea behind this split is that whoever is able to create hosts holds greater power over the DNS of your environment. When a host is created it is added to a DNS zone, so this privilege could be used to disrupt your operations.
Enrolling the host is only setting the data on an existing object in LDAP.
--
Alexander Bokovoy
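The split Alexander describes between creating the host object and enrolling it, combined with the OTP-based orchestration suggested in the last reply, worked through as an added example (not code from the thread or from the FreeIPA project). The role, privilege and user names are made up, and the "System: Add Hosts" permission name is from memory of FreeIPA's managed permissions, so check it with `ipa permission-find` before relying on it.

```shell
#!/bin/sh
# Added example, not code from the thread or from the FreeIPA project.
# Assumptions: the role, privilege and user names are made up; the managed
# permission name "System: Add Hosts" is the FreeIPA permission as I recall it.
# Set DRY_RUN=1 to print each command instead of running it.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Step 1, once, by an IPA admin: a role that can create host objects and set
# their enrollment OTP, but cannot delete or otherwise administer hosts.
setup_provisioner_role() {
  role=$1 user=$2
  run ipa privilege-add "Host Creation" --desc="Create host objects only"
  run ipa privilege-add-permission "Host Creation" --permissions="System: Add Hosts"
  run ipa role-add "$role" --desc="Create host objects and set enrollment OTP"
  run ipa role-add-privilege "$role" --privileges="Host Enrollment,Host Creation"
  run ipa role-add-member "$role" --users="$user"
}

# Parse the one-time password out of "ipa host-add --random" output (stdin);
# handles both the labelled and the --raw attribute form.
otp_from_host_add() {
  sed -n -e 's/^ *Random password: //p' -e 's/^ *randompassword: //p'
}

# Step 2, by the orchestrator holding a ticket for the provisioner user:
# create the host object and print its OTP for the client to use.
create_host_with_otp() {
  run ipa host-add "$1" --random | otp_from_host_add
}

# Step 3, on the new host as root: enroll with the OTP, no admin password.
enroll_client() {
  fqdn=$1 otp=$2 domain=$3 realm=$4 server=$5
  if [ "${DRY_RUN:-0}" != 1 ] && [ "$(id -u)" -ne 0 ]; then
    echo "ipa-client-install must run as root" >&2; return 1
  fi
  run ipa-client-install --unattended --hostname="$fqdn" --domain="$domain" \
      --realm="$realm" --server="$server" --password="$otp"
}

# Check what the built-in privilege actually grants before relying on it.
show_enrollment_privilege() { run ipa privilege-show "Host Enrollment"; }
```

Run steps 1 and 2 from a workstation with a Kerberos ticket for the respective account; only step 3 runs on the client itself.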