As I mentioned it will also try to remove any DNS entries for the host
and revoke any certificates issued to the host and services. You'll need
to add those permissions as well.

The role which the admin is a member of has the following privileges: "Service Administrators" and "Host Administrators" (ipa role-add-privilege $role_name --privileges="Service Administrators" --privileges="Host Administrators"). Can you direct me to what those exact permissions/privileges are, and how to add them? Will they be the same as adding another privilege option flag?
It'd be really helpful if anyone can answer it or provide some pointers/references. Thank you!

Regards,
Abhishek

On Fri, Oct 28, 2022, 23:14 Rob Crittenden <rcritten@redhat.com> wrote:
Abhishek Dasgupta via FreeIPA-users wrote:
> Thanks Alexander! Do you have any pointers on why it may be failing ?
> and how to proceed to solve the problem? I am happy to provide any
> information that is needed.

As I mentioned it will also try to remove any DNS entries for the host
and revoke any certificates issued to the host and services. You'll need
to add those permissions as well.

rob

>
> On Thu, Oct 27, 2022 at 9:49 PM Alexander Bokovoy <abokovoy@redhat.com> wrote:
>
>     On Thu, 27 Oct 2022, Abhishek Dasgupta via FreeIPA-users wrote:
>     >Hi Rob,
>     >Thanks for answering my doubts! The admin in my case has these privileges =
>     >{"Service Administrator", "Host Administrator"}. Is some other
>     >privilege needed to delete a host?
>
>     'Host Administrators' privilege should cover 'Remove Hosts' permission:
>
>              'System: Remove Hosts': {
>                  'ipapermright': {'delete'},
>                  'replaces': [
>                      '(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,$SUFFIX";)',
>                  ],
>                  'default_privileges': {'Host Administrators'},
>              },
>
>     Accordingly, 'Service Administrators' privilege should cover 'Remove
>     Services' permission:
>
>              'System: Remove Services': {
>                  'ipapermright': {'delete'},
>                  'replaces': [
>                      '(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Remove Services";allow (delete) groupdn = "ldap:///cn=Remove Services,cn=permissions,cn=pbac,$SUFFIX";)',
>                  ],
>                  'default_privileges': {'Service Administrators'},
>              },
>
>     These are the definitions of the actual permissions in IPA code.
>
>     >
>     >On Wed, Oct 26, 2022 at 10:35 PM Rob Crittenden <rcritten@redhat.com> wrote:
>     >
>     >> Abhishek Dasgupta via FreeIPA-users wrote:
>     >> > Hello, if you can provide some pointers, it would be great! Thanks
>     >> >
>     >> > Best,
>     >> > Abhishek
>     >> >
>     >> > On Fri, Oct 21, 2022 at 6:17 PM Abhishek Dasgupta
>     >> > <abhishekdasgupta005@gmail.com> wrote:
>     >> >
>     >> >     Newbie here. I have a use-case where I need to delete host
>     >> >     principals only when no service principals exist on the host. Does
>     >> >     "ipa host-del" perform this check? If not, then when I run this
>     >> >     command, would it delete the host principal and along with it delete
>     >> >     all the associated service principals?
>     >>
>     >> A service can't exist without an accompanying host. If you use host-del
>     >> it will delete the host and all services, no questions asked.
>     >>
>     >> >     I tried to run the command on a host but got the following error:
>     >> >
>     >> >     ipa: ERROR: Insufficient access: Insufficient 'delete' privilege to delete the entry
>     >> >
>     >> >
>     >> >     What privileges are needed to run this command? I was already kinit
>     >> >     as an admin.
>     >>
>     >> In a stock install admin should have sufficient privileges to remove any
>     >> host that is not also an IPA server.
>     >>
>     >> It will delete:
>     >>
>     >> - the host
>     >> - all services
>     >> - revoke all certificates issued to the host/service
>     >> - all DNS records for the host/service
>     >>
>     >> rob
>     >>
>     >>
>
>
>
>
>     --
>     / Alexander Bokovoy
>     Sr. Principal Software Engineer
>     Security / Identity Management Engineering
>     Red Hat Limited, Finland
>
>
>
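
How the two ACIs quoted above turn into access decisions, as an added Python example that is not part of the thread or of FreeIPA's own code: it parses the ACI strings and reports which of them allows deleting a given entry. The suffix, the sample DNs (including the DNS record layout) and the function names are constructed for illustration, and wildcard matching is simplified to fnmatch.

```python
import re
from fnmatch import fnmatchcase

SUFFIX = "dc=example,dc=test"  # constructed value standing in for $SUFFIX

# ACI strings as quoted in the two permission definitions in the thread.
ACIS = [
    '(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl '
    '"permission:Remove Hosts";allow (delete) groupdn = '
    '"ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,$SUFFIX";)',
    '(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl '
    '"permission:Remove Services";allow (delete) groupdn = '
    '"ldap:///cn=Remove Services,cn=permissions,cn=pbac,$SUFFIX";)',
]

# Covers only the shape used above: one target, one allow rule, one groupdn.
ACI_RE = re.compile(
    r'\(target\s*=\s*"ldap:///(?P<target>[^"]+)"\)'
    r'\(version 3\.0;\s*acl\s+"(?P<name>[^"]+)";\s*'
    r'allow\s+\((?P<rights>[^)]+)\)\s+groupdn\s*=\s*"ldap:///(?P<group>[^"]+)";\)'
)

def parse_aci(text, suffix=SUFFIX):
    """Split one ACI string into name, target pattern, rights and bind group."""
    m = ACI_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError("unsupported ACI shape")
    expand = lambda dn: dn.replace("$SUFFIX", suffix).lower()
    return {"name": m["name"], "target": expand(m["target"]),
            "rights": {r.strip() for r in m["rights"].split(",")},
            "group": expand(m["group"])}

def granting_acis(acis, bind_groups, right, entry_dn):
    """Names of ACIs that give a member of bind_groups `right` on entry_dn."""
    groups = {g.lower() for g in bind_groups}
    return [a["name"] for a in acis
            if right in a["rights"] and a["group"] in groups
            and fnmatchcase(entry_dn.lower(), a["target"])]

# Constructed entries: a host, one of its services, and a DNS record for it.
HOST_DN = "fqdn=web1.example.test,cn=computers,cn=accounts," + SUFFIX
SERVICE_DN = ("krbprincipalname=HTTP/web1.example.test@EXAMPLE.TEST,"
              "cn=services,cn=accounts," + SUFFIX)
DNS_DN = "idnsname=web1,idnsname=example.test.,cn=dns," + SUFFIX
# Permission groups a member of both quoted privileges ends up in.
GROUPS = ["cn=Remove Hosts,cn=permissions,cn=pbac," + SUFFIX,
          "cn=Remove Services,cn=permissions,cn=pbac," + SUFFIX]

if __name__ == "__main__":
    parsed = [parse_aci(a) for a in ACIS]
    for dn in (HOST_DN, SERVICE_DN, DNS_DN):
        print(dn, "->", granting_acis(parsed, GROUPS, "delete", dn) or "no matching ACI")
```

Neither quoted ACI targets the DNS subtree, so the DNS record comes back with no matching ACI even for a member of both permission groups.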