On Thu, 27 Oct 2022, Abhishek Dasgupta via FreeIPA-users wrote:
Hi Rob,
Thanks for answering my doubts! The admin in my case has these privileges =
{"Service Administrator", "Host Administrator"}. Is some other
privilege needed to delete a host ?

'Host Administrators' privilege should cover 'Remove Hosts' permission:

        'System: Remove Hosts': {
            'ipapermright': {'delete'},
            'replaces': [
                '(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX";)(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,$SUFFIX";)',
            ],
            'default_privileges': {'Host Administrators'},
        },

Accordingly, 'Service Administrators' privilege should cover 'Remove
Services' permission:

        'System: Remove Services': {
            'ipapermright': {'delete'},
            'replaces': [
                '(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX";)(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,$SUFFIX";)',
            ],
            'default_privileges': {'Service Administrators'},
        },

These are the definitions of the actual permissions in IPA code.


On Wed, Oct 26, 2022 at 10:35 PM Rob Crittenden <[email protected]> wrote:

Abhishek Dasgupta via FreeIPA-users wrote:
> Hello, if you can provide some pointers, it would be great! Thanks
>
> Best,
> Abhishek
>
> On Fri, Oct 21, 2022 at 6:17 PM Abhishek Dasgupta
> <[email protected]> wrote:
>
>     Newbie here. I have a use-case where I need to delete host
>     principals only when no service principals exist on the host. Does
>     "ipa host-del" perform this check? If No, then when I run this
>     command would it delete the host principal and along with it delete
>     all the service principals associated ?

A service can't exist without an accompanying host. If you use host-del
it will delete the host and all services, no questions asked.

>     I tried to run the command on a host but got the following error:
>
>     ipa: ERROR: Insufficient access: Insufficient 'delete' privilege to
>     delete the entry
>
>
>     What privileges are needed to run this command ? I was already kinit
>     as an admin.

In a stock install admin should have sufficient privileges to remove any
host that is not also an IPA server.

It will delete:

- the host
- all services
- revoke all certificates issued to the host/service
- all DNS records for the host/service

rob

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
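To make the two quoted permission definitions concrete, here is an added example (not code from the thread or from FreeIPA itself) that extracts the target DN glob from each ACI string, matches it against the entries host-del would remove (the host entry plus every service on it, as Rob describes), and reports which default privileges the caller still lacks. The DN matching, the example suffix/realm and the helper names are my own assumptions, not FreeIPA's real ACL evaluation, and the certificate and DNS steps of host-del are not modelled.

```python
import fnmatch
import re

# Managed permission definitions as quoted in the thread (ACI strings rejoined).
MANAGED_PERMISSIONS = {
    'System: Remove Hosts': {
        'ipapermright': {'delete'},
        'replaces': ['(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX";)(version 3.0;'
                     'acl "permission:Remove Hosts";allow (delete) groupdn = '
                     '"ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,$SUFFIX";)'],
        'default_privileges': {'Host Administrators'},
    },
    'System: Remove Services': {
        'ipapermright': {'delete'},
        'replaces': ['(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX";)'
                     '(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = '
                     '"ldap:///cn=Remove Services,cn=permissions,cn=pbac,$SUFFIX";)'],
        'default_privileges': {'Service Administrators'},
    },
}

def aci_target(aci, suffix):
    """Extract the target DN glob from a v3 ACI string and expand $SUFFIX."""
    m = re.search(r'\(target\s*=\s*"ldap:///([^"]+)"', aci)
    if not m:
        raise ValueError("ACI has no target clause")
    return m.group(1).replace("$SUFFIX", suffix).lower()

def permissions_for(entry_dn, right, suffix, perms=MANAGED_PERMISSIONS):
    """Managed permissions whose target glob matches entry_dn and which grant `right`."""
    dn = entry_dn.lower()
    return [name for name, p in perms.items() if right in p['ipapermright']
            and any(fnmatch.fnmatchcase(dn, aci_target(a, suffix)) for a in p['replaces'])]

def missing_privileges(entry_dns, privileges, suffix, perms=MANAGED_PERMISSIONS):
    """Default privileges the caller still lacks to delete every DN in entry_dns.
    Names are compared exactly, so 'Host Administrator' != 'Host Administrators'."""
    held, missing = set(privileges), set()
    for dn in entry_dns:
        needed = permissions_for(dn, 'delete', suffix, perms)
        if not needed:
            missing.add(f"<no managed delete permission covers {dn}>")
        elif not any(perms[n]['default_privileges'] & held for n in needed):
            missing |= set().union(*(perms[n]['default_privileges'] for n in needed)) - held
    return missing

def host_del_check(fqdn, services, privileges, suffix="dc=example,dc=test", realm="EXAMPLE.TEST"):
    """Model the scope of host-del from the thread: the host entry plus every service
    principal on it. suffix and realm are constructed sample values (assumption)."""
    dns = [f"fqdn={fqdn},cn=computers,cn=accounts,{suffix}"]
    dns += [f"krbprincipalname={s}/{fqdn}@{realm},cn=services,cn=accounts,{suffix}" for s in services]
    return missing_privileges(dns, privileges, suffix)
```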
_______________________________________________
FreeIPA-users mailing list -- [email protected]