<html> <head> <meta content="text/html; charset=windows-1252" http-equiv="Content-Type"> </head> <body bgcolor="#FFFFFF" text="#000000"> <div class="moz-cite-prefix">On 12/01/2017 10:59, <a class="moz-txt-link-abbreviated" href="mailto:hirofumi.morikawa@accenture.com">hirofumi.morikawa@accenture.com</a> wrote: </div> <blockquote cite="mid:%3Cb6ee03f3411945eda2ff416da6302eca@BY2PR42MB168.048d.mgd.msft.net%3E" type="cite"> Let me further clarify the question that is asked by Niraj below.<o:p></o:p> <o:p> </o:p> Currently, we have 1 master FreeIPA server and 1 client server. Evaluating your product for production deployment<o:p></o:p> Master and client connectivity is established and when creating the user in the web console, it is indeed creating the user in the client machine <o:p></o:p> <o:p> </o:p> However, When we add public key through the web console below, this key is not created(or transfered) to the client machine </blockquote> That's correct: it doesn't copy them anywhere, nor is it supposed to. Instead, the keys sit in the FreeIPA LDAP database. When you install the ipa-client package on a host, it configures sshd so it communicates via sssd to query the authorized keys in LDAP. You will find: # /etc/ssh/sshd_config AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys # /etc/sssd/sssd.conf [sssd] services = nss, pam, ssh, sudo That means you have central control of your authorized_keys with FreeIPA, without copying them onto every hosts' filesystem. You also have central control of your user accounts, group memberships, uid and gid mappings, sudo policy, host access policy (i.e. which users are allowed to login to which hosts), ... All this is done via sssd and LDAP as well. HTH, Brian. </body> </html>