[Freeipa-users] Minimal permissions for "joiner" account?
Martin Kosek
mkosek at redhat.com
Fri Aug 15 08:18:18 UTC 2014
On 08/14/2014 10:23 PM, Michael Lasevich wrote:
> Is there somewhere a documented minimum set of permissions required to
> create a special role/account/principal to auto-join machines to the domain?
>
> I am not all too comfortable to run this as admin user and not quite ready
> to set up the orchestration needed to pre-join the host.
>
> Thanks,
>
> -M

You can simply create a system user or a joiner service and assign it a "Host
Administrators" privilege:

# ipa privilege-show "Host Administrators"
  Privilege name: Host Administrators
  Description: Host Administrators
  Permissions: add hosts, remove hosts, modify hosts, manage host ssh public keys,
               manage host keytab, enroll a host, retrieve certificates from
               the ca,
               revoke certificate, add krbprincipalname to a host
  Granting privilege to roles: IT Specialist

HTH,
Martin
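
The suggestion above as a script, added here as an example and not part of the original thread: it puts "Host Administrators" on a dedicated role for the joiner account, and parses `ipa privilege-show` output so the permissions that come with the privilege (the listing includes remove hosts and revoke certificate) can be compared with a list you have reviewed. The role name "Host Joiners", the login and the reviewed-list file are assumptions, and the account is assumed to exist already as an IPA user.

```shell
#!/bin/sh
# Added example. Assumptions: the account already exists as an IPA user,
# the role name is hypothetical, and an admin Kerberos ticket is held.
IPA="${IPA:-ipa}"   # overridable so the function can be dry-run with a stub

# Create a role that carries only "Host Administrators" and add the account.
grant_joiner() {    # usage: grant_joiner LOGIN [ROLE]
    "$IPA" role-add "${2:-Host Joiners}" --desc="Accounts that enroll hosts" &&
    "$IPA" role-add-privilege "${2:-Host Joiners}" --privileges="Host Administrators" &&
    "$IPA" role-add-member "${2:-Host Joiners}" --users="$1"
}

# Read `ipa privilege-show` output on stdin, print one permission per line.
# The Permissions field wraps, sometimes in the middle of a name, so the
# continuation lines are joined before splitting on commas.
privilege_permissions() {
    awk '
        /^[ \t]*Permissions:/ { sub(/^[ \t]*Permissions:[ \t]*/, ""); buf = $0; inperm = 1; next }
        inperm && /^[ \t]*[^,:]+:[ \t]/ { inperm = 0 }   # next "Field: value" line
        inperm { buf = buf " " $0 }
        END {
            n = split(buf, p, ",")
            for (i = 1; i <= n; i++) {
                gsub(/[ \t]+/, " ", p[i]); gsub(/^ | $/, "", p[i])
                if (p[i] != "") print p[i]
            }
        }'
}

# Print granted permissions that are absent from the reviewed list in
# file $1 (one permission per line), e.g. to spot changes after an upgrade.
unexpected_permissions() {
    privilege_permissions | grep -vxF -f "$1"
}

# Output as shown in the thread, used here as sample input.
SAMPLE='  Privilege name: Host Administrators
  Description: Host Administrators
  Permissions: add hosts, remove hosts, modify hosts, manage host ssh public keys,
               manage host keytab, enroll a host, retrieve certificates from
               the ca,
               revoke certificate, add krbprincipalname to a host
  Granting privilege to roles: IT Specialist'
printf '%s\n' "$SAMPLE" | privilege_permissions
```

On a live server, feed the second function with `ipa privilege-show "Host Administrators" | unexpected_permissions reviewed.txt`; any line it prints is a permission the joiner holds that the reviewed list does not cover.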