[Freeipa-devel] Thoughts on client configuration
Simo Sorce
ssorce at redhat.com
Mon Nov 9 16:35:52 UTC 2009
On Mon, 2009-11-09 at 11:27 -0500, Rob Crittenden wrote:
> I've got all the pieces together to create a host principal and keytab
> when a machine joins an IPA realm and am thinking about how I'm going to
> tie it altogether.
>
> My plan revolves around enhancing ipa-client-install to call ipa-join
> and ipa-rmkeytab (for uninstall). The question then becomes, is the
> client configuration dependent upon successful machine join?
>
> We have a bit of a chicken and egg problem right now with join in terms
> of validating argument inputs. Joining a machine can happen one of two
> ways, using kerberos credentials (an admin) or using a one-time password
> (OTP).
>
> The OTP method is easy enough, we can call that really early in the
> client configuration process. If it fails (wrong password, host not
> created, whatever) we can simply quit and not configure the client at all.
>
> With the admin method we have to first configure the machine, then get
> the credentials, then try to do the join. It could easily fail here for
> a number of reasons. Do we roll back the configuration upon failure?
Uhmm you can do admin stuff w/o necessarily configuring the machine
first, for the kerberos part we can set temporary environment variables
and get the admin password through a prompt. If all is successful we
save the configuration in the real krb5.conf and all.
I actually would really prefer to do it this way so that we do not touch
permanent configuration files until the join procedure is successful.
> I'm thinking the answer should be yes, otherwise some machines will have
> host service principals and some won't making a support nightmare. But
> should we have a --force option to let the client be configured anyway,
> in sort of a degraded mode? Or a --no-keytab option to be more explicit?
> Or both?
Good question, in what case would it make sense to run
ipa-client-install and not get the machine enrolled in ?
> I'm all for flexibility, just not sure what the implications of this are
> other than support headaches like "I can log into machine A but not
> machine B, why not?" Well, you're missing the host keytab for some reason...
Yeah, I think we should avoid half configured machines. If someone has
special needs he can script his own installation procedure the way he
wants, IMO.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
More information about the Freeipa-devel
mailing list