[Freeipa-devel] Thoughts on client configuration

Rob Crittenden rcritten at redhat.com
Mon Nov 9 16:54:48 UTC 2009 

Simo Sorce wrote:
> On Mon, 2009-11-09 at 11:27 -0500, Rob Crittenden wrote:
>> I've got all the pieces together to create a host principal and keytab 
>> when a machine joins an IPA realm and am thinking about how I'm going to 
>> tie it altogether.
>>
>> My plan revolves around enhancing ipa-client-install to call ipa-join 
>> and ipa-rmkeytab (for uninstall). The question then becomes, is the 
>> client configuration dependent upon successful machine join?
>>
>> We have a bit of a chicken and egg problem right now with join in terms 
>> of validating argument inputs. Joining a machine can happen one of two 
>> ways, using kerberos credentials (an admin) or using a one-time password 
>> (OTP).
>>
>> The OTP method is easy enough, we can call that really early in the 
>> client configuration process. If it fails (wrong password, host not 
>> created, whatever) we can simply quit and not configure the client at all.
>>
>> With the admin method we have to first configure the machine, then get 
>> the credentials, then try to do the join. It could easily fail here for 
>> a number of reasons. Do we roll back the configuration upon failure?
> 
> Uhmm you can do admin stuff w/o necessarily configuring the machine
> first, for the kerberos part we can set temporary environment variables
> and get the admin password through a prompt. If all is successful we
> save the configuration in the real krb5.conf and all.

Wow, fantastic idea.

> I actually would really prefer to do it this way so that we do not touch
> permanent configuration files until the join procedure is successful.

Right, that's what I was afraid of. Having to fire up install machine 
only to then back it all out.

> 
>> I'm thinking the answer should be yes, otherwise some machines will have 
>> host service principals and some won't making a support nightmare. But 
>> should we have a --force option to let the client be configured anyway, 
>> in sort of a degraded mode? Or a --no-keytab option to be more explicit? 
>> Or both?
> 
> Good question, in what case would it make sense to run
> ipa-client-install and not get the machine enrolled in ?

I think that some desktop machines perhaps. Then again it is fairly 
trivial to manually configure the pam stack to do LDAP/kerberos.

There actually already is a --force option but it applies to the DNS 
discovery failing.

>> I'm all for flexibility, just not sure what the implications of this are 
>> other than support headaches like "I can log into machine A but not 
>> machine B, why not?" Well, you're missing the host keytab for some reason...
> 
> Yeah, I think we should avoid half configured machines. If someone has
> special needs he can script his own installation procedure the way he
> wants, IMO.

That or we need to write a very good FAQ :-)

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20091109/83be4034/attachment.bin>

More information about the Freeipa-devel mailing list