Today hosts can write to values in only its managed services but it cannot create those services. This is due to missing aci capabilities, mostly because a host and service are not in a hierarchical parent/child relationship.
This will need to limit the krbprincipalname of the service to match the fqdn of the host entry, ideally also confirming that managedby contains the host fqdn.
One use case for this is certmonger, requesting a certificate for a non-existent service on the host. Certmonger today always includes the --add option to attempt service creation if it does not already exists. It fails today with an error about not being in the serviceadmin role (because a host can't add services by default).
There is an RFE against 389-ds to add a new ACI type to achieve this: https://fedorahosted.org/389/ticket/47904
The certmonger use case is described also in already triaged ticket: https://fedorahosted.org/freeipa/ticket/4540#comment:2
Rob should have some cycles to help with this one.
Another certmonger related ticket that would benefit from this RFE - #4918.
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1204504
I should mention that this requires 389-ds-base 1.3.4.0 which contains an ACI wildcard fix, https://fedorahosted.org/389/ticket/48141
master:
Metadata Update from @rcritten: - Issue assigned to rcritten - Issue set to the milestone: FreeIPA 4.2
Login to comment on this ticket.