[Freeipa-devel] Thoughts on client configuration

Rob Crittenden rcritten at redhat.com
Mon Nov 9 16:27:07 UTC 2009


I've got all the pieces together to create a host principal and keytab 
when a machine joins an IPA realm and am thinking about how I'm going to 
tie it all together.

My plan revolves around enhancing ipa-client-install to call ipa-join 
and ipa-rmkeytab (for uninstall). The question then becomes, is the 
client configuration dependent upon successful machine join?

We have a bit of a chicken and egg problem right now with join in terms 
of validating argument inputs. Joining a machine can happen one of two 
ways, using Kerberos credentials (an admin) or using a one-time password 
(OTP).

The OTP method is easy enough, we can call that really early in the 
client configuration process. If it fails (wrong password, host not 
created, whatever) we can simply quit and not configure the client at all.

With the admin method we have to first configure the machine, then get 
the credentials, then try to do the join. It could easily fail here for 
a number of reasons. Do we roll back the configuration upon failure?

I'm thinking the answer should be yes, otherwise some machines will have 
host service principals and some won't, making a support nightmare. But 
should we have a --force option to let the client be configured anyway, 
in sort of a degraded mode? Or a --no-keytab option to be more explicit? 
Or both?

I'm all for flexibility, just not sure what the implications of this are 
other than support headaches like "I can log into machine A but not 
machine B, why not?" Well, you're missing the host keytab for some reason...

rob
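As an added example that is not part of the original post or of FreeIPA's own code, here is a small Python model of the admin-credential enrollment sequence discussed above (configure the machine, obtain credentials, attempt the join), with completed steps undone in reverse order when a later step fails, and with the proposed --force and --no-keytab options as two distinct ways of ending up without a host keytab. The step names, the state dictionary and the simulated join failure are constructed for illustration; the comments naming ipa-join and ipa-rmkeytab only indicate which real command each phase stands in for. It goes slightly beyond the text by recording a degraded flag in the outcome, so that a machine configured without a keytab is distinguishable from one whose join succeeded.

```python
# Added example, not FreeIPA code: a model of configure -> get credentials -> join
# with rollback on failure and the proposed --force / --no-keytab behaviours.
# Step names, the `state` dict and the simulated failure are constructed here.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


class StepFailed(Exception):
    """Raised by a step that could not complete (e.g. the server refused the join)."""


@dataclass
class Step:
    name: str
    apply: Callable[[Dict[str, bool]], None]
    undo: Callable[[Dict[str, bool]], None]
    # Only the join step may be tolerated under --force; the others are required.
    tolerable: bool = False


@dataclass
class Outcome:
    ok: bool
    degraded: bool               # configured, but without a host keytab
    state: Dict[str, bool]
    error: Optional[str] = None


def enroll(steps: List[Step], state: Dict[str, bool],
           force: bool = False, no_keytab: bool = False) -> Outcome:
    """Apply steps in order. On failure, undo the completed steps newest-first,
    unless --force allows a tolerable step to be skipped (degraded mode)."""
    done: List[Step] = []
    degraded = False
    for step in steps:
        if no_keytab and step.name == "join":
            degraded = True          # explicit opt-out: no host keytab, by request
            continue
        try:
            step.apply(state)
            done.append(step)
        except StepFailed as exc:
            if force and step.tolerable:
                degraded = True      # carry on, but record why the keytab is absent
                continue
            for finished in reversed(done):   # roll back in reverse order
                finished.undo(state)
            return Outcome(ok=False, degraded=False, state=state,
                           error=f"{step.name}: {exc}")
    return Outcome(ok=True, degraded=degraded, state=state)


def build_steps(join_fails: bool) -> List[Step]:
    """The three phases of the admin-credential path. `join_fails` simulates
    the server rejecting the join (constructed for this example)."""
    def configure(st): st["configured"] = True      # write krb5/ldap client config
    def unconfigure(st): st["configured"] = False   # restore the original files

    def get_creds(st): st["ccache"] = True          # kinit as the admin
    def drop_creds(st): st["ccache"] = False        # kdestroy

    def join(st):                                   # stands in for ipa-join
        if not st.get("ccache"):
            raise StepFailed("no Kerberos credentials")
        if join_fails:
            raise StepFailed("server rejected join")
        st["keytab"] = True                         # host keytab written
    def rmkeytab(st): st["keytab"] = False          # stands in for ipa-rmkeytab

    return [
        Step("configure", configure, unconfigure),
        Step("get_creds", get_creds, drop_creds),
        Step("join", join, rmkeytab, tolerable=True),
    ]


def run(join_fails: bool, force: bool = False, no_keytab: bool = False) -> Outcome:
    """Run one enrollment scenario from a clean machine and return its outcome."""
    state = {"configured": False, "ccache": False, "keytab": False}
    return enroll(build_steps(join_fails), state, force=force, no_keytab=no_keytab)


if __name__ == "__main__":
    scenarios = {"join ok": run(False), "join fails": run(True),
                 "join fails, --force": run(True, force=True),
                 "--no-keytab": run(False, no_keytab=True)}
    for label, out in scenarios.items():
        print(f"{label:22} ok={out.ok} degraded={out.degraded} "
              f"state={out.state} error={out.error}")
```

The default path answers the "roll back?" question with yes: a failed join leaves the machine exactly as it was found. With --force the join failure is tolerated but flagged, and with --no-keytab the join is never attempted, so the "can log into A but not B" case is visible in the outcome rather than something support has to rediscover.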