[Freeipa-users] Re: Enrollment Administrator role

Jeff Goddard via FreeIPA-users wrote: > Hello again, > > We're using salt for automation and have created a salt service account > for the express permissions of joining machines to our domain. This user > has been assigned the "Enrollment Administrator" roll but when > attempting to join clients the log output is as follows: > > Client hostname: ubuntu.domain.com <http://ubuntu.domain.com> > Realm: DOMAIN.COM <http://DOMAIN.COM> > DNS Domain: domain.com <http://domain.com> > IPA Server: server1.domain.com <http://server1.domain.com> > BaseDN: dc=domain,dc=com > > Continue to configure the system with these values? [no]: yes > Synchronizing time > Configuration of chrony was changed by installer. > Attempting to sync time with chronyc. > Time synchronization was successful. > User authorized to enroll computers: test-join > Password for test(a)DOMAIN.COM <mailto:test@DOMAIN.COM>: > Successfully retrieved CA cert > Subject: CN=Certificate Authority,O=DOMAIN.COMIPA environment is 4.4 > Issuer: CN=Certificate Authority,O=DOMAIN.COM < http://DOMAIN.COM> > Valid From: 2017-01-26 18:47:36 > Valid Until: 2037-01-26 18:47:36 > > Joining realm failed: No permission to join this host to the IPA domain. > > > The FreeIPA version is 4.6.5 and its running on Centos 7.7. Can someone > assist me in troubleshooting? Is there another pre-defined role or > permission that I need to assign? Does the host already exist in IPA? The Enrollment Administrator role allows for enrollment, not host creation. You can add the host add capability it just ships with the minimum required. rob