My plan revolves around enhancing ipa-client-install to call ipa-join and ipa-rmkeytab (for uninstall). The question then becomes, is the client configuration dependent upon successful machine join?
We have a bit of a chicken and egg problem right now with join in terms of validating argument inputs. Joining a machine can happen one of two ways, using kerberos credentials (an admin) or using a one-time password (OTP).
The OTP method is easy enough, we can call that really early in the client configuration process. If it fails (wrong password, host not created, whatever) we can simply quit and not configure the client at all.
With the admin method we have to first configure the machine, then get the credentials, then try to do the join. It could easily fail here for a number of reasons. Do we roll back the configuration upon failure?
I'm thinking the answer should be yes, otherwise some machines will have host service principals and some won't making a support nightmare. But should we have a --force option to let the client be configured anyway, in sort of a degraded mode? Or a --no-keytab option to be more explicit? Or both?
I'm all for flexibility, just not sure what the implications of this are other than support headaches like "I can log into machine A but not machine B, why not?" Well, you're missing the host keytab for some reason...
Description: S/MIME Cryptographic Signature
_______________________________________________ Freeipa-devel mailing list Freeipafirstname.lastname@example.org https://www.redhat.com/mailman/listinfo/freeipa-devel