Dmitri Pal wrote:
Does ipa-client-install  bring admin utils?
What is its purpose?
It configures the machine to be an IPA client. It configures nss_ldap,
etc. It also creates some configuration files we need such as what IPA
server to talk to and the CA cert for that server.

I though the sequence of operations would be somewhat (do not look at
the names, I do not expect them to be exactly as I put them):
yum install ipa-client-enrollment
ipa-enroll ...

The enroll will also do some configuration as it used to do in v1 but
other than that I expected  the mentioned sequence.
I scanned quickly through the patch but was not able to see whether
things work as I expect or not.
I did this as a separate step. It can be included in the
ipa-client-install sequence though it currently is not.

IMO the logic should be a bit reverse. The enrollment script should
invoke the old IPA client installation script (somewhere at the
beginning of the enrollment process) internally if SSSD is not detected.
If SSSD is detected it should configure IPA back end as a part of the
enrollment and not touch nss_ldap in this case. Optionally we probably
can configure automount or some other maps (but I am not sure that
was/is a requirement at the moment).

This patch covers just host enrollment, no other settings.


Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

Freeipa-devel mailing list

Reply via email to