<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 09/23/2014 03:55 PM, Walid wrote:<br>
</div>
<blockquote
cite="mid:CAN4dctq==i8-t9D__TNJQR7GeBs8L5HRUBZM4Z6Rn4+j+PRgww@mail.gmail.com"
type="cite">
<div dir="ltr">Yes Dmitri, these two hints would definitely help;
the servers are not 4.x yet though.</div>
</blockquote>
<br>
The first one is available in FreeIPA 3.3, which ships with RHEL7.<br>
<br>
<blockquote
cite="mid:CAN4dctq==i8-t9D__TNJQR7GeBs8L5HRUBZM4Z6Rn4+j+PRgww@mail.gmail.com"
type="cite">
<div class="gmail_extra"><br>
<div class="gmail_quote">On 19 September 2014 23:14, Dmitri Pal
<span dir="ltr"><<a moz-do-not-send="true"
href="mailto:dpal@redhat.com" target="_blank">dpal@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"><span class="">
<div>On 09/19/2014 04:03 PM, Walid wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Thank you all, I will investigate the
requirements of host keytabs, and whether there is a way
around them by having the keytab shared but secure for our
context.</div>
</blockquote>
<br>
</span> A couple of hints.<br>
<br>
1. If you have a keytab stashed and the system was rebuilt,
you can now rerun ipa-client-install using this keytab to
get a new one and configure the client system. It can run
and then die, but if you store the keytab after running
ipa-client-install you would be able to revive it next
time.<br>
2. In 4.1 you will be able to retrieve the same keytab using
the ipa-getkeytab command. It is implemented to allow clusters
that have to share the same key, but it might be applicable
to your use case too.<br>
<br>
Thanks<span class="HOEnZb"><font color="#888888"><br>
Dmitri</font></span>
<div>
<div class="h5"><br>
<br>
<blockquote type="cite">
<div class="gmail_extra"><br>
<div class="gmail_quote">On 18 September 2014
23:04, Dmitri Pal <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:dpal@redhat.com"
target="_blank">dpal@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0
0 0 .8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>
<div>
<div>On 09/18/2014 10:12 AM, Walid A.
Shaari wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Hi,
<div><br>
</div>
<div>We are going to have a use case
of diskless HPC clients that will
use IPA for lookups. I was
wondering if I can get rid of the
statefulness of the client
configuration as much as possible,
as it is more of a cattle than
pets use case. That is, I do not
need to know that the client is
part of the domain, and there is no need to
enroll a node with a certificate.
Services will be mostly HPC MPI
and SSH, not required to have
an SSL certificate for secure
communication. Is it possible to
get rid of the client certificate
and the requirement for clients
to enroll? Or are there other uses
for the certificate that I am not
aware of?</div>
<div><br>
</div>
<div>regards</div>
<div><br>
</div>
<div>Walid</div>
</div>
<br>
<fieldset></fieldset>
<br>
</blockquote>
</div>
</div>
I think the main problem is making sure that
the client can connect to the IPA server.<br>
You can elect not to use ipa-client and just
copy configuration files. The problem is
that SSSD requires some type of
authentication to get to IPA as a host to do
the lookups.<br>
So this connection must be authenticated.
Since you want it to be stateless and do not
want to manage keys or certs, the only option
(which I really do not like) is to use a bind
password in a file for the LDAP connection. You
would probably use the same unprivileged
account for this bind. However, when we get
to 4.x you would need to adjust permissions
on the server side to make sure that proper
read permissions are granted. Having a
password in a file is a security risk, so
make sure it is not leaked.<span><font
color="#888888"><br>
<br>
<pre cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
</font></span></div>
<br>
--<br>
Manage your subscription for the Freeipa-users
mailing list:<br>
<a moz-do-not-send="true"
href="https://www.redhat.com/mailman/listinfo/freeipa-users"
target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
Go To <a moz-do-not-send="true"
href="http://freeipa.org" target="_blank">http://freeipa.org</a>
for more info on the project<br>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
<br>
<pre cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
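<br>
The boot-time flow behind Dmitri's first hint (stash the host keytab after ipa-client-install, then re-run it with that keytab after the diskless node is rebuilt), written out as an added example that is not code from this thread or from the FreeIPA project. It assumes ipa-client-install's --keytab option as shipped from FreeIPA 3.3, and STASH_DIR is a hypothetical persistent path chosen for the example; the permission checks are there because a leaked keytab is the risk this approach carries.<br>

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA: boot-time revival of a
# diskless IPA client from a host keytab stashed on persistent storage (hint 1 above).
# Assumptions: ipa-client-install accepts --keytab (FreeIPA 3.3+); STASH_DIR is a
# hypothetical persistent path chosen for this example.
set -u

STASH_DIR="${STASH_DIR:-/var/lib/ipa-stash}"
STASH="$STASH_DIR/krb5.keytab"
LIVE="${LIVE_KEYTAB:-/etc/krb5.keytab}"

# The keytab is the host's long-term key, so refuse to use one anyone else can read.
# Returns 0 only when the file exists, is mode 0600 and is owned by the calling user.
keytab_is_private() {
    [ -f "$1" ] || return 1
    [ "$(stat -c '%a %U' "$1")" = "600 $(id -un)" ]
}

# Print the enrollment command when the stashed keytab is usable; otherwise return 1,
# meaning a first-time credential (OTP or admin password) is still needed.
enroll_command() {
    keytab_is_private "$1" || return 1
    printf 'ipa-client-install --unattended --keytab %s\n' "$1"
}

# After a successful enrollment, copy the live keytab to persistent storage with
# restrictive permissions and verify the copy, so the next boot can revive the host.
stash_keytab() {
    src="$1"; dst="$2"
    keytab_is_private "$src" || return 1
    mkdir -p "$(dirname "$dst")" && chmod 700 "$(dirname "$dst")" || return 1
    cp "$src" "$dst" && chmod 600 "$dst" && cmp -s "$src" "$dst"
}

main() {
    if cmd=$(enroll_command "$STASH"); then
        $cmd && stash_keytab "$LIVE" "$STASH"
    else
        echo "no usable stashed keytab at $STASH; enroll once with a credential, then stash" >&2
        return 1
    fi
}

# Invoke as: sh ipa-revive.sh run   (functions stay sourceable without side effects)
case "${1:-}" in run) main ;; esac
```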
</body>
</html>