As an IPA master, I want to be able to see the server roles I have so that use that in ipa-healthcheck.
The host principal of an IPA master is not allowed to read server roles.
KRB5_CLIENT_KTNAME=/etc/krb5.keytab ipa server-show hostname will succeed but will not include enabled_role_servrole.
This is a nice-to-have that would eliminate a direct LDAP search. It is better to not rely on IPA internals in general.
I think a new permission will be required to grant read access. The ipaservers hostgroup could be a default direct member of this, or we can do a role.
to comment on this ticket.