Bug 1373541

Summary: Default "Host Enrollment" privilege fails to join new servers
Product: Red Hat Enterprise Linux 7
Reporter: David Sanz <dsanzmor>
Component: ipa
Assignee: IPA Maintainers <ipa-maint>
Status: CLOSED NOTABUG
QA Contact: Kaleem <ksiddiqu>
Severity: low
Priority: unspecified
Version: 7.2
CC: pvoborni, rcritten
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Linux
Last Closed: 2016-09-13 15:46:32 UTC
Type: Bug

Description David Sanz 2016-09-06 14:41:07 UTC
Description of problem:

The default "Host Enrollment" privilege fails when it is used to join a new server.

Version-Release number of selected component (if applicable):

ipa-admintools-4.2.0-15.el7_2.19.x86_64
libipa_hbac-1.13.0-40.el7_2.12.x86_64
ipa-python-4.2.0-15.el7_2.19.x86_64
sssd-ipa-1.13.0-40.el7_2.12.x86_64
ipa-client-4.2.0-15.el7_2.19.x86_64
ipa-server-4.2.0-15.el7_2.19.x86_64
redhat-access-plugin-ipa-0.9.1-2.el7.noarch
python-libipa_hbac-1.13.0-40.el7_2.12.x86_64

How reproducible:

Trying to register a new server using a user with the "Host Enrollment" privilege results in:

"Joining realm failed: No permission to join this host to the IPA domain."

Adding the permission "System:Add Hosts" to the role makes the host join the realm correctly.

Actual results:

Hosts are not being joined using the default "Host Enrollment" privilege.

Expected results:

Host to be joined

Additional info:

Comment 2 Rob Crittenden 2016-09-07 13:17:56 UTC
This is by design to handle the case where you don't want to delegate the creation of host entries.

Comment 3 Petr Vobornik 2016-09-13 15:46:32 UTC
Per triage on Tue Sep 13, this is expected, as Rob wrote in comment 2.