Abhishek Dasgupta wrote:
> > As I mentioned it will also try to remove any DNS entries for the host
> > and revoke any certificates issued to the host and services. You'll need
> > to add those permissions as well.
>
> The role which the admin is a member of has the following privileges:
> "Service Administrators" and "Host Administrators" (ipa role-add-privilege
> $role_name --privilege="Service Administrators" --privilege="Host
> Administrators") ? If you can direct me to what those exact
> permissions/privileges are ? and how to add them? Will they be the same as
> adding another privilege option flag?
> It'd be really helpful if anyone can answer it or provide some
> pointers/references. Thank you!

I'd recommend you at least skim the IPA documentation at
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9
(or whatever similar version of *nix you have). Find it via the Identity
Management checkbox on the left.

IPA is complex and not always cookie-cutter depending on your needs.
Randomly assigning privileges to a role may not be what you want because
while it may work, it very well could increase risk depending on how much
you trust the users in this role. Only you can answer that.

The privilege for DNS management is "DNS Administrators" and for
certificates is "Certificate Administrators" but again, could be overly
broad.

rob

> Regards,
> Abhishek
>
> On Fri, Oct 28, 2022, 23:14 Rob Crittenden <[email protected]> wrote:
>
> > Abhishek Dasgupta via FreeIPA-users wrote:
> > > Thanks Alexander! Do you have any pointers on why it may be failing ?
> > > and how to proceed to solve the problem? I am happy to provide any
> > > information that is needed.
> >
> > As I mentioned it will also try to remove any DNS entries for the host
> > and revoke any certificates issued to the host and services. You'll need
> > to add those permissions as well.
> >
> > rob
> >
> > > On Thu, Oct 27, 2022 at 9:49 PM Alexander Bokovoy <[email protected]> wrote:
> > >
> > > > On Thu, 27 Oct 2022, Abhishek Dasgupta via FreeIPA-users wrote:
> > > > > Hi Rob,
> > > > > Thanks for answering my doubts! The admin in my case has these
> > > > > privileges = {"Service Administrator", "Host Administrator"}. Is some other
> > > > > privilege needed to delete a host ?
> > > >
> > > > 'Host Administrators' privilege should cover 'Remove Hosts' permission:
> > > >
> > > >     'System: Remove Hosts': {
> > > >         'ipapermright': {'delete'},
> > > >         'replaces': [
> > > >             '(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,$SUFFIX";)',
> > > >         ],
> > > >         'default_privileges': {'Host Administrators'},
> > > >     },
> > > >
> > > > Accordingly, 'Service Administrators' privilege should cover 'Remove
> > > > Services' permission:
> > > >
> > > >     'System: Remove Services': {
> > > >         'ipapermright': {'delete'},
> > > >         'replaces': [
> > > >             '(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,$SUFFIX";)',
> > > >         ],
> > > >         'default_privileges': {'Service Administrators'},
> > > >     },
> > > >
> > > > These are the definitions of the actual permissions in IPA code.
> > > >
> > > > > On Wed, Oct 26, 2022 at 10:35 PM Rob Crittenden <[email protected]> wrote:
> > > > >
> > > > > > Abhishek Dasgupta via FreeIPA-users wrote:
> > > > > > > Hello, If you can provide some pointers, it would be great! Thanks
> > > > > > >
> > > > > > > Best,
> > > > > > > Abhishek
> > > > > > >
> > > > > > > On Fri, Oct 21, 2022 at 6:17 PM Abhishek Dasgupta <[email protected]> wrote:
> > > > > > >
> > > > > > > > Newbie here. I have a use-case where I need to delete host
> > > > > > > > principals only when no service principals exist on the host. Does
> > > > > > > > "ipa host-del" perform this check? If No, then when I run this
> > > > > > > > command would it delete the host principal and along with it delete
> > > > > > > > all the service principals associated ?
> > > > > >
> > > > > > A service can't exist without an accompanying host. If you use host-del
> > > > > > it will delete the host and all services, no questions asked.
> > > > > >
> > > > > > > > I tried to run the command on a host but got the following error:
> > > > > > > >
> > > > > > > > ipa: ERROR: Insufficient access: Insufficient 'delete' privilege to
> > > > > > > > delete the entry
> > > > > > > >
> > > > > > > > What privileges are needed to run this command ? I was already kinit
> > > > > > > > as an admin.
> > > > > >
> > > > > > In a stock install admin should have sufficient privileges to remove any
> > > > > > host that is not also an IPA server.
> > > > > >
> > > > > > It will delete:
> > > > > >
> > > > > > - the host
> > > > > > - all services
> > > > > > - revoke all certificates issued to the host/service
> > > > > > - all DNS records for the host/service
> > > > > >
> > > > > > rob
> > > >
> > > > --
> > > > / Alexander Bokovoy
> > > > Sr. Principal Software Engineer
> > > > Security / Identity Management Engineering
> > > > Red Hat Limited, Finland
> > > >
> > > > _______________________________________________
> > > > FreeIPA-users mailing list -- [email protected]
> > > > To unsubscribe send an email to [email protected]
> > > > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > > > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > > > List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
> > > > Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
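The thread ends with four privileges that a role needs before `ipa host-del` can complete cleanly: "Host Administrators" and "Service Administrators" (covering the Remove Hosts / Remove Services permissions Alexander quoted) plus the "DNS Administrators" and "Certificate Administrators" privileges Rob names for the DNS-record removal and certificate revocation. The script below is an added example, not code from any participant in this thread or from the FreeIPA project. It audits a role's current privileges against that list and prints the `ipa role-add-privilege` commands for whatever is missing, so an administrator can review the grants before applying them, which matters given Rob's point that these privileges may be broader than the role really needs. It assumes that `ipa role-show <role>` prints a `Privileges:` line with a comma-separated list (the sample output is constructed here so the script runs offline), and the role name `hostcleaners` is a placeholder.

```shell
#!/bin/sh
# Added example, not from the thread: audit whether an IPA role carries all
# four privileges the thread names for a clean `ipa host-del`
# (Host/Service Administrators plus DNS/Certificate Administrators), and
# print the `ipa role-add-privilege` commands for the ones that are missing.
# The role name "hostcleaners" is a placeholder.
set -eu

REQUIRED_PRIVILEGES='Host Administrators
Service Administrators
DNS Administrators
Certificate Administrators'

# Read `ipa role-show <role>` output on stdin, pull out the comma-separated
# "Privileges:" line and emit one privilege name per line.
parse_role_privileges() {
    sed -n 's/^[[:space:]]*Privileges:[[:space:]]*//p' \
        | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
        | sed '/^$/d'
}

# Read the role's current privileges on stdin; print each required
# privilege that is not among them (exact, whole-line match).
missing_privileges() {
    have=$(cat)
    printf '%s\n' "$REQUIRED_PRIVILEGES" | while IFS= read -r want; do
        if ! printf '%s\n' "$have" | grep -qxF -- "$want"; then
            printf '%s\n' "$want"
        fi
    done
}

# $1 = captured `ipa role-show` output; prints the missing privileges.
check_role() {
    printf '%s\n' "$1" | parse_role_privileges | missing_privileges
}

# $1 = role name, $2 = captured `ipa role-show` output; prints one
# `ipa role-add-privilege` command per missing privilege. Nothing is
# executed, so the grants can be reviewed before they are applied.
print_fix_commands() {
    check_role "$2" | while IFS= read -r priv; do
        printf "ipa role-add-privilege '%s' --privilege='%s'\n" "$1" "$priv"
    done
}

# Constructed sample of `ipa role-show hostcleaners` output, mirroring the
# thread's situation (only the two privileges the poster already added).
# In real use capture it with: ipa role-show hostcleaners
SAMPLE_ROLE_SHOW='  Role name: hostcleaners
  Description: may remove decommissioned hosts
  Privileges: Host Administrators, Service Administrators
  Member users: abhishek'

print_fix_commands hostcleaners "$SAMPLE_ROLE_SHOW"
```

Run against the constructed sample it prints two commands, one granting "DNS Administrators" and one granting "Certificate Administrators"; against a role that already holds all four it prints nothing. Replacing `SAMPLE_ROLE_SHOW` with the real `ipa role-show` output (after `kinit` as an administrator) makes it a quick pre-flight check before handing the role to users who will run `ipa host-del`.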
