We want to be able to destroy/recreate IPA enrolled hosts without using admin credentials.
ipa-client-install with a keytab seems like a good option, except it generates a new keytab. And there is no non-hacky way of passing this new keytab back to Terraform. Can we tell it not to generate a new keytab on re-enrollment?

Alternatively, we could create a user that has just enough permissions to enroll host X but nothing else. What is the minimum set of permissions for this? Or is there a better way?

Cheers,
Yuriy
