Bug 1373541 - Default "Host Enrollement" privilege fails to join new servers
Summary: Default "Host Enrollement" privilege fails to join new servers
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.2
Hardware: Unspecified
OS: Linux
unspecified
low
Target Milestone: rc
: ---
Assignee: IPA Maintainers
QA Contact: Kaleem
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-09-06 14:41 UTC by David Sanz
Modified: 2016-09-13 15:46 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-09-13 15:46:32 UTC
Target Upstream Version:

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description David Sanz 2016-09-06 14:41:07 UTC 
Description of problem:

Default "Host Enrollement" privilege fails when is used to join a new server

Version-Release number of selected component (if applicable):

ipa-admintools-4.2.0-15.el7_2.19.x86_64
libipa_hbac-1.13.0-40.el7_2.12.x86_64
ipa-python-4.2.0-15.el7_2.19.x86_64
sssd-ipa-1.13.0-40.el7_2.12.x86_64
ipa-client-4.2.0-15.el7_2.19.x86_64
ipa-server-4.2.0-15.el7_2.19.x86_64
redhat-access-plugin-ipa-0.9.1-2.el7.noarch
python-libipa_hbac-1.13.0-40.el7_2.12.x86_64

How reproducible:

Trying to register a new server using a user with the privilege "Host Enrollement" results on:

"Joining realm failed: No permission to join this host to the IPA domain."

Adding permission "System:Add Hosts" to the role makes host to be correctly joined o the realm.

Actual results:

Host are not being joined using the default "Host Enrollement" privilege

Expected results:

Host to be joined

Additional info:
Comment 2 Rob Crittenden 2016-09-07 13:17:56 UTC 
This is by design to handle the case where you don't want to delegate the creation of host entries.
Comment 3 Petr Vobornik 2016-09-13 15:46:32 UTC 
per triage on Tue Sep 13, this is expected as Rob wrote in comment 2.
Note You need to log in before you can comment on or make changes to this bug.