[Freeipa-users] Re: Need Information regarding "ipa host-del" command

Thanks Alexander! Do you have any pointers on why it may be failing ? and how to proceed to solve the problem? I am happy to provide any information that is needed.

On Thu, Oct 27, 2022 at 9:49 PM Alexander Bokovoy <abokovoy(a)redhat.com <mailto:abokovoy@redhat.com>> wrote: On to, 27 loka 2022, Abhishek Dasgupta via FreeIPA-users wrote: >Hi Rob, >Thanks for answering my doubts! The admin in my case has these privileges = >{"Service Administrator", "Host Administrator"}. Is some other >privilege needed to delete a host ? 'Host Administrators' privilege should cover 'Remove Sosts' permission:          'System: Remove Hosts': {              'ipapermright': {'delete'},              'replaces': [                  '(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,$SUFFIX";)',              ],              'default_privileges': {'Host Administrators'},          }, Accordingly, 'Service Administrators' privilege should cover 'Remove Services' permission:          'System: Remove Services': {              'ipapermright': {'delete'},              'replaces': [                  '(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,$SUFFIX";)',              ],              'default_privileges': {'Service Administrators'},          }, These are the definitions of the actual permissions in IPA code. > >On Wed, Oct 26, 2022 at 10:35 PM Rob Crittenden <rcritten(a)redhat.com <mailto:rcritten@redhat.com>> wrote: > >> Abhishek Dasgupta via FreeIPA-users wrote: >> > Hello, If you can provide some pointers, it would be great! . Thanks >> > >> > Best, >> > Abhishek >> > >> > On Fri, Oct 21, 2022 at 6:17 PM Abhishek Dasgupta >> > <abhishekdasgupta005(a)gmail.com <mailto:abhishekdasgupta005@gmail.com> <mailto:abhishekdasgupta005@gmail.com <mailto:abhishekdasgupta005@gmail.com>>> >> > wrote: >> > >> >     Newbie here. I have a use-case where I need to delete host >> >     principals only when no service principals exist on the host. Does >> >     "ipa host-del" perform this check? If No, then when I run this >> >     command  would it delete the host principal and along with it delete >> >     all the service principals associated ? >> >> A service can't exist without an accompanying host. If you use host-del >> it will delete the host and all services, no questions asked. >> >> >     I tried to run the command on a host but got the following error: >> > >> >     ipa: ERROR: Insufficient access: Insufficient 'delete' privilege to >> >     delete the entry >> > >> > >> >     What privileges are needed to run this command ? I was already kinit >> >     as an admin. >> >> In a stock install admin should have sufficient privileges to remove any >> host that is not also an IPA server. >> >> It will delete: >> >> - the host >> - all services >> - revoke all certificates issued to the host/service >> - all DNS records for the host/service >> >> rob >> >> -- / Alexander Bokovoy Sr. Principal Software Engineer Security / Identity Management Engineering Red Hat Limited, Finland _______________________________________________ FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue