Abhishek Dasgupta via FreeIPA-users wrote:
> Thanks Alexander! Do you have any pointers on why it may be failing ?
> and how to proceed to solve the problem? I am happy to provide any
> information that is needed.

As I mentioned it will also try to remove any DNS entries for the host
and revoke any certificates issued to the host and services. You'll need
to add those permissions as well.

rob

>
> On Thu, Oct 27, 2022 at 9:49 PM Alexander Bokovoy <[email protected]> wrote:
>
> On Thu, 27 Oct 2022, Abhishek Dasgupta via FreeIPA-users wrote:
> >Hi Rob,
> >Thanks for answering my doubts! The admin in my case has these privileges =
> >{"Service Administrator", "Host Administrator"}. Is some other
> >privilege needed to delete a host ?
>
> 'Host Administrators' privilege should cover 'Remove Hosts' permission:
>
>     'System: Remove Hosts': {
>         'ipapermright': {'delete'},
>         'replaces': [
>             '(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,$SUFFIX";)',
>         ],
>         'default_privileges': {'Host Administrators'},
>     },
>
> Accordingly, 'Service Administrators' privilege should cover 'Remove
> Services' permission:
>
>     'System: Remove Services': {
>         'ipapermright': {'delete'},
>         'replaces': [
>             '(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,$SUFFIX";)',
>         ],
>         'default_privileges': {'Service Administrators'},
>     },
>
> These are the definitions of the actual permissions in IPA code.
>
> >On Wed, Oct 26, 2022 at 10:35 PM Rob Crittenden <[email protected]> wrote:
> >
> >> Abhishek Dasgupta via FreeIPA-users wrote:
> >> > Hello, If you can provide some pointers, it would be great! Thanks
> >> >
> >> > Best,
> >> > Abhishek
> >> >
> >> > On Fri, Oct 21, 2022 at 6:17 PM Abhishek Dasgupta
> >> > <[email protected]> wrote:
> >> >
> >> > Newbie here. I have a use-case where I need to delete host
> >> > principals only when no service principals exist on the host. Does
> >> > "ipa host-del" perform this check? If No, then when I run this
> >> > command would it delete the host principal and along with it delete
> >> > all the service principals associated ?
> >>
> >> A service can't exist without an accompanying host. If you use host-del
> >> it will delete the host and all services, no questions asked.
> >>
> >> > I tried to run the command on a host but got the following error:
> >> >
> >> > ipa: ERROR: Insufficient access: Insufficient 'delete' privilege to delete the entry
> >> >
> >> > What privileges are needed to run this command ? I was already kinit
> >> > as an admin.
> >>
> >> In a stock install admin should have sufficient privileges to remove any
> >> host that is not also an IPA server.
> >>
> >> It will delete:
> >>
> >> - the host
> >> - all services
> >> - revoke all certificates issued to the host/service
> >> - all DNS records for the host/service
> >>
> >> rob
> >>
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
>
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
