Thanks Alexander! Do you have any pointers on why it may be failing, and how to proceed to solve the problem? I am happy to provide any information that is needed.

Best,
Abhishek

On Thu, Oct 27, 2022 at 9:49 PM Alexander Bokovoy <abokovoy@redhat.com> wrote:
On Thu, 27 Oct 2022, Abhishek Dasgupta via FreeIPA-users wrote:
>Hi Rob,
>Thanks for answering my doubts! The admin in my case has these privileges
>{"Service Administrator", "Host Administrator"}. Is some other
>privilege needed to delete a host?

'Host Administrators' privilege should cover 'Remove Hosts' permission:

         'System: Remove Hosts': {
             'ipapermright': {'delete'},
             'replaces': [
                 '(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,$SUFFIX";)',
             ],
             'default_privileges': {'Host Administrators'},
         },

Accordingly, 'Service Administrators' privilege should cover 'Remove
Services' permission:

         'System: Remove Services': {
             'ipapermright': {'delete'},
             'replaces': [
                 '(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,$SUFFIX";)',
             ],
             'default_privileges': {'Service Administrators'},
         },

These are the definitions of the actual permissions in IPA code.

>
>On Wed, Oct 26, 2022 at 10:35 PM Rob Crittenden <rcritten@redhat.com> wrote:
>
>> Abhishek Dasgupta via FreeIPA-users wrote:
>> > Hello, If you can provide some pointers, it would be great! Thanks
>> >
>> > Best,
>> > Abhishek
>> >
>> > On Fri, Oct 21, 2022 at 6:17 PM Abhishek Dasgupta
>> > <abhishekdasgupta005@gmail.com>
>> > wrote:
>> >
>> >     Newbie here. I have a use-case where I need to delete host
>> >     principals only when no service principals exist on the host. Does
>> >     "ipa host-del" perform this check? If no, then when I run this
>> >     command, would it delete the host principal and along with it delete
>> >     all the service principals associated?
>>
>> A service can't exist without an accompanying host. If you use host-del
>> it will delete the host and all services, no questions asked.
>>
>> >     I tried to run the command on a host but got the following error:
>> >
>> >     ipa: ERROR: Insufficient access: Insufficient 'delete' privilege to
>> >     delete the entry
>> >
>> >
>> >     What privileges are needed to run this command? I had already run kinit
>> >     as an admin.
>>
>> In a stock install admin should have sufficient privileges to remove any
>> host that is not also an IPA server.
>>
>> It will delete:
>>
>> - the host
>> - all services
>> - revoke all certificates issued to the host/service
>> - all DNS records for the host/service
>>
>> rob
>>
>>

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
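Rob's point that `ipa host-del` cascades over the host, its services, their certificates and DNS records with no check, and Abhishek's requirement to delete a host only when no service principals remain on it, can be combined in a small pre-flight wrapper. The script below is an added example written for this thread; it is not code from the thread or from the FreeIPA project. It assumes that `ipa service-find CRITERIA` substring-matches principal names and prints `Principal name: SVC/fqdn@REALM` lines in its default output, and it filters those lines by exact host component, because a substring search for web1.example.test would also return a principal on db-web1.example.test. The `IPA_CMD` variable, the exit codes and the sample principals and realm are this example's own choices.

```shell
#!/bin/sh
# Added example (not from this thread or the FreeIPA project): refuse `ipa host-del`
# while service principals still exist on the host.
# Assumptions: `ipa service-find CRITERIA` substring-matches principal names and its
# default output carries "  Principal name: SVC/fqdn@REALM" lines; IPA_CMD is this
# example's own hook for substituting a stub command when testing.

IPA_CMD="${IPA_CMD:-ipa}"

# Read `ipa service-find` output on stdin and print only the principals whose
# host component is exactly $1. The substring search would also return
# db-web1.example.test for web1.example.test, so compare the split field, not the text.
services_on_host() {
    fqdn="$1"
    sed -n 's/^[[:space:]]*Principal name:[[:space:]]*//p' |
        awk -v host="$fqdn" '{
            split($0, p, "[/@]")      # p[1]=service, p[2]=host, p[3]=realm
            if (p[2] == host) print $0
        }'
}

# safe_host_del FQDN
# Exit status: 0 host deleted, 1 service lookup failed (nothing deleted),
#              2 service principals remain (nothing deleted).
safe_host_del() {
    fqdn="$1"

    # Assumption of this example: `ipa *-find` exits non-zero for zero matches as
    # well as for real errors, so the status alone cannot tell "no services" from
    # "lookup failed". Require the "N services matched" summary line instead and
    # fail closed on anything else (for example an "Insufficient access" error).
    out=$("$IPA_CMD" service-find "$fqdn" 2>&1) || true
    case "$out" in
        *" service"*"matched"*) ;;
        *)
            printf 'service lookup for %s failed:\n%s\n' "$fqdn" "$out" >&2
            return 1 ;;
    esac

    remaining=$(printf '%s\n' "$out" | services_on_host "$fqdn")
    if [ -n "$remaining" ]; then
        printf 'refusing to delete %s, service principals still exist:\n%s\n' \
            "$fqdn" "$remaining" >&2
        return 2
    fi

    # Only reached when no service principal carries this host component.
    # host-del then removes the host entry and everything that hangs off it.
    "$IPA_CMD" host-del "$fqdn"
}
```

Usage is `safe_host_del web1.example.test` after `kinit` as an identity that holds both the Host Administrators and Service Administrators privileges. The lookup fails closed: output without a "matched" summary line counts as a failed check and no `host-del` is issued. The check and the delete are two separate calls, so a service principal created between them would still be swept away by the cascade; the wrapper narrows that window, it does not close it.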