[Freeipa-devel] Thoughts on client configuration

Dmitri Pal dpal at redhat.com
Mon Nov 9 16:35:30 UTC 2009


Rob Crittenden wrote:
> I've got all the pieces together to create a host principal and keytab
> when a machine joins an IPA realm and am thinking about how I'm going
> to tie it all together.
>
> My plan revolves around enhancing ipa-client-install to call ipa-join
> and ipa-rmkeytab (for uninstall). The question then becomes, is the
> client configuration dependent upon successful machine join?
>
> We have a bit of a chicken and egg problem right now with join in
> terms of validating argument inputs. Joining a machine can happen one
> of two ways, using Kerberos credentials (an admin) or using a one-time
> password (OTP).
>
> The OTP method is easy enough, we can call that really early in the
> client configuration process. If it fails (wrong password, host not
> created, whatever) we can simply quit and not configure the client at
> all.
>
> With the admin method we have to first configure the machine, then get
> the credentials, then try to do the join. It could easily fail here
> for a number of reasons. Do we roll back the configuration upon failure?

Why do you need to first configure the machine? Why is the sequence of
operations different in the OTP vs admin case?
Can we have the same sequence? Then the difference is the authenticated
entity and its permissions only.
>
> I'm thinking the answer should be yes, otherwise some machines will
> have host service principals and some won't, making a support
> nightmare. But should we have a --force option to let the client be
> configured anyway, in sort of a degraded mode? Or a --no-keytab option
> to be more explicit? Or both?
>
> I'm all for flexibility, just not sure what the implications of this
> are other than support headaches like "I can log into machine A but
> not machine B, why not?" Well, you're missing the host keytab for some
> reason...
>
> rob


-- 
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.

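The thread above asks whether the OTP and admin join paths can share one sequence of steps, with only the authenticating entity differing, and whether a failed join should roll the client configuration back or be tolerated under a --force style flag. The following is an added illustration of that design, not code from FreeIPA or from either author: the realm, host entries, credential checks and the config file path are invented stand-ins, and the "join" step only simulates obtaining a host keytab.

```python
# Constructed simulation of a client enrollment that runs the same ordered
# steps for both authentication methods and rolls back on failure.
# Added example; it does not model the real ipa-client-install/ipa-join
# code. The realm contents and file paths below are invented.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


class JoinError(Exception):
    """The join step could not obtain a host principal and keytab."""


def make_realm() -> Dict:
    # Invented stand-in for the server's view of hosts and admin principals.
    return {
        "hosts": {"client1.example.test": {"otp": "s3cret-otp", "enrolled": False}},
        "admins": {"admin@EXAMPLE.TEST"},
    }


def otp_auth(secret: str) -> Callable[[Dict], None]:
    """Authenticator for the one-time-password path: the host entry must pre-exist."""
    def check(state: Dict) -> None:
        host = state["realm"]["hosts"].get(state["hostname"])
        if host is None or host["otp"] is None or host["otp"] != secret:
            raise JoinError("OTP rejected or host entry not created")
        host["otp"] = None  # one-time: consumed on first successful use
    return check


def kerberos_auth(principal: str) -> Callable[[Dict], None]:
    """Authenticator for the admin path: the principal must be allowed to join hosts."""
    def check(state: Dict) -> None:
        if principal not in state["realm"]["admins"]:
            raise JoinError(f"{principal} is not permitted to join hosts")
        hosts = state["realm"]["hosts"]
        hosts.setdefault(state["hostname"], {"otp": None, "enrolled": False})
    return check


@dataclass
class Step:
    name: str
    do: Callable[[Dict], None]
    undo: Callable[[Dict], None]


def write_config(state: Dict) -> None:
    state["files"].append("/etc/krb5.conf")  # constructed path, not the real file set


def remove_config(state: Dict) -> None:
    state["files"].clear()


def do_join(state: Dict) -> None:
    state["auth"](state)  # same step; only the authenticator differs
    state["realm"]["hosts"][state["hostname"]]["enrolled"] = True
    state["keytab"] = True  # stands in for the host keytab being written


def undo_join(state: Dict) -> None:
    state["keytab"] = False  # analogous to removing the host keytab on uninstall


def enroll(hostname: str, auth: Callable[[Dict], None], realm: Dict,
           force: bool = False, state: Optional[Dict] = None) -> Dict:
    """Run configure -> join; on failure undo completed steps in reverse order.

    With force=True a failed join leaves the client configured in a
    degraded state (no host keytab) and records why, instead of rolling back.
    """
    if state is None:
        state = {}
    state.update({"hostname": hostname, "auth": auth, "realm": realm,
                  "files": [], "keytab": False, "degraded": None})
    steps = [Step("configure", write_config, remove_config),
             Step("join", do_join, undo_join)]
    completed: List[Step] = []
    for step in steps:
        try:
            step.do(state)
            completed.append(step)
        except JoinError as err:
            if force and step.name == "join":
                state["degraded"] = str(err)
                continue
            for done in reversed(completed):
                done.undo(state)
            raise
    return state


if __name__ == "__main__":
    realm = make_realm()
    print(enroll("client1.example.test", otp_auth("s3cret-otp"), realm)["keytab"])
    print(enroll("client2.example.test", kerberos_auth("bob@EXAMPLE.TEST"),
                 realm, force=True)["degraded"])
```

Because both paths call the same `do_join` step, the OTP and admin cases differ only in the authenticator closure passed in; a failed join either undoes the configuration step or, with `force=True`, leaves a recorded "degraded" reason that a support engineer could later find on a host that has no keytab.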
