Thanks Alexander! Do you have any pointers on why it may be failing
and how to proceed to solve the problem? I am happy to provide any
information that is needed.
As I mentioned it will also try to remove any DNS entries for the host
and revoke any certificates issued to the host and services. You'll need
to add those permissions as well.
rob
On Thu, Oct 27, 2022 at 9:49 PM Alexander Bokovoy <abokovoy(a)redhat.com> wrote:
On Thu, 27 Oct 2022, Abhishek Dasgupta via FreeIPA-users wrote:
>Hi Rob,
>Thanks for answering my doubts! The admin in my case has these privileges =
>{"Service Administrator", "Host Administrator"}. Is some other
>privilege needed to delete a host ?
'Host Administrators' privilege should cover 'Remove Hosts'
permission:
    'System: Remove Hosts': {
        'ipapermright': {'delete'},
        'replaces': [
            '(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,$SUFFIX";)',
        ],
        'default_privileges': {'Host Administrators'},
    },
Accordingly, 'Service Administrators' privilege should cover 'Remove
Services' permission:
    'System: Remove Services': {
        'ipapermright': {'delete'},
        'replaces': [
            '(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,$SUFFIX";)',
        ],
        'default_privileges': {'Service Administrators'},
    },
These are the definitions of the actual permissions in IPA code.
>
>On Wed, Oct 26, 2022 at 10:35 PM Rob Crittenden <rcritten(a)redhat.com> wrote:
>
>> Abhishek Dasgupta via FreeIPA-users wrote:
>> > Hello, If you can provide some pointers, it would be great! Thanks
>> >
>> > Best,
>> > Abhishek
>> >
>> > On Fri, Oct 21, 2022 at 6:17 PM Abhishek Dasgupta
>> > <abhishekdasgupta005(a)gmail.com>
>> > wrote:
>> >
>> > Newbie here. I have a use-case where I need to delete host
>> > principals only when no service principals exist on the host. Does
>> > "ipa host-del" perform this check? If No, then when I run this
>> > command would it delete the host principal and along with it delete
>> > all the service principals associated ?
>>
>> A service can't exist without an accompanying host. If you use host-del
>> it will delete the host and all services, no questions asked.
>>
>> > I tried to run the command on a host but got the following error:
>> >
>> > ipa: ERROR: Insufficient access: Insufficient 'delete' privilege to delete the entry
>> >
>> >
>> > What privileges are needed to run this command ? I was already kinit
>> > as an admin.
>>
>> In a stock install admin should have sufficient privileges to remove any
>> host that is not also an IPA server.
>>
>> It will delete:
>>
>> - the host
>> - all services
>> - revoke all certificates issued to the host/service
>> - all DNS records for the host/service
>>
>> rob
>>
>>
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org