[Freeipa-devel] Thoughts on client configuration

Simo Sorce ssorce at redhat.com
Mon Nov 9 16:35:52 UTC 2009 

On Mon, 2009-11-09 at 11:27 -0500, Rob Crittenden wrote:
> I've got all the pieces together to create a host principal and keytab 
> when a machine joins an IPA realm and am thinking about how I'm going to 
> tie it altogether.
> 
> My plan revolves around enhancing ipa-client-install to call ipa-join 
> and ipa-rmkeytab (for uninstall). The question then becomes, is the 
> client configuration dependent upon successful machine join?
> 
> We have a bit of a chicken and egg problem right now with join in terms 
> of validating argument inputs. Joining a machine can happen one of two 
> ways, using kerberos credentials (an admin) or using a one-time password 
> (OTP).
> 
> The OTP method is easy enough, we can call that really early in the 
> client configuration process. If it fails (wrong password, host not 
> created, whatever) we can simply quit and not configure the client at all.
> 
> With the admin method we have to first configure the machine, then get 
> the credentials, then try to do the join. It could easily fail here for 
> a number of reasons. Do we roll back the configuration upon failure?

Uhmm you can do admin stuff w/o necessarily configuring the machine
first, for the kerberos part we can set temporary environment variables
and get the admin password through a prompt. If all is successful we
save the configuration in the real krb5.conf and all.

I actually would really prefer to do it this way so that we do not touch
permanent configuration files until the join procedure is successful.

> I'm thinking the answer should be yes, otherwise some machines will have 
> host service principals and some won't making a support nightmare. But 
> should we have a --force option to let the client be configured anyway, 
> in sort of a degraded mode? Or a --no-keytab option to be more explicit? 
> Or both?

Good question, in what case would it make sense to run
ipa-client-install and not get the machine enrolled in ?

> I'm all for flexibility, just not sure what the implications of this are 
> other than support headaches like "I can log into machine A but not 
> machine B, why not?" Well, you're missing the host keytab for some reason...

Yeah, I think we should avoid half configured machines. If someone has
special needs he can script his own installation procedure the way he
wants, IMO.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

More information about the Freeipa-devel mailing list