<div dir="ltr">Yes Dmitri these two hints would definitely help, the servers are not 4.x yet though.</div><div class="gmail_extra"><br><div class="gmail_quote">On 19 September 2014 23:14, Dmitri Pal <span dir="ltr"><<a href="mailto:dpal@redhat.com" target="_blank">dpal@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"><span class="">
<div>On 09/19/2014 04:03 PM, Walid wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Thank you all, will investigate the requirements of
host keytabs, and if there is a way around it by having it
shared but secure for our context.</div>
</blockquote>
<br></span>
Couple hints.<br>
<br>
1. If you have a keytab stashed and the system was rebuilt you can
now rerun ipa-client-install using this keytab to get a new one and
configure the client system. It can run and then die but if you
store the keytab after running ipa-client-install you would be able
to revive it next time<br>
2. In 4.1 you will be able to retrieve same keytab using
ipa-getkeytab command. It is implemented to allow clusters that have
to share the same key but it might be applicable to your use case
too.<br>
<br>
Thanks<span class="HOEnZb"><font color="#888888"><br>
Dmitri</font></span><div><div class="h5"><br>
<br>
<blockquote type="cite">
<div class="gmail_extra"><br>
<div class="gmail_quote">On 18 September 2014 23:04, Dmitri Pal
<span dir="ltr"><<a href="mailto:dpal@redhat.com" target="_blank">dpal@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>
<div>
<div>On 09/18/2014 10:12 AM, Walid A. Shaari wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Hi,
<div><br>
</div>
<div>we are going to have a use case of diskless
HPC clients that will use the IPA for lookups, I
was wondering if i can get rid of the
state-fulness of the client configuration as
much as possible as it is more of a cattle than
pets use case. that is i do not need to know
that the client is part of the domain, no need
to enroll a node with a certificate. and
services will be mostly hpc mpi and ssh, not
required to have an SSL certificate for secure
communication. is it possible to get rid of the
client certificate and the requirements for
clients to enroll? or there are other uses for
the certificate that i am not aware of ?</div>
<div><br>
</div>
<div>regards</div>
<div><br>
</div>
<div>Walid</div>
</div>
<br>
<fieldset></fieldset>
<br>
</blockquote>
</div>
</div>
I think the main problem is making sure that the client
can connect to IPA server.<br>
You can elect to not use ipa-client and just copy
configuration files. The problem is that SSSD requires
some type of the authentication to get to IPA as a host to
do the lookups.<br>
So this connection must be authenticated. Since you want
it to be stateless you do not want to manage keys or certs
the only option (which I really do not like) is to use
bind password in a file for LDAP connection. You would
probably use the same unprivileged account for this bind.
However when we get to 4.x you would need to adjust
permissions on the server side to make sure that proper
read permissions are granted. Having a password in a file
is a security risk so make sure it is not leaked.<span><font color="#888888"><br>
<br>
<pre cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
</font></span></div>
<br>
--<br>
Manage your subscription for the Freeipa-users mailing list:<br>
<a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
Go To <a href="http://freeipa.org" target="_blank">http://freeipa.org</a> for more info on
the project<br>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
<br>
<pre cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
</div></div></div>
</blockquote></div><br></div>