On Mon, 2009-11-09 at 11:27 -0500, Rob Crittenden wrote:
> I've got all the pieces together to create a host principal and keytab
> when a machine joins an IPA realm and am thinking about how I'm going to
> tie it all together.
>
> My plan revolves around enhancing ipa-client-install to call ipa-join
> and ipa-rmkeytab (for uninstall). The question then becomes, is the
> client configuration dependent upon successful machine join?
>
> We have a bit of a chicken and egg problem right now with join in terms
> of validating argument inputs. Joining a machine can happen one of two
> ways, using Kerberos credentials (an admin) or using a one-time password
> (OTP).
>
> The OTP method is easy enough, we can call that really early in the
> client configuration process. If it fails (wrong password, host not
> created, whatever) we can simply quit and not configure the client at all.
>
> With the admin method we have to first configure the machine, then get
> the credentials, then try to do the join. It could easily fail here for
> a number of reasons. Do we roll back the configuration upon failure?
Uhmm, you can do admin stuff w/o necessarily configuring the machine first; for the Kerberos part we can set temporary environment variables and get the admin password through a prompt. If all is successful we save the configuration in the real krb5.conf and all.

I actually would really prefer to do it this way so that we do not touch permanent configuration files until the join procedure is successful.

> I'm thinking the answer should be yes, otherwise some machines will have
> host service principals and some won't making a support nightmare. But
> should we have a --force option to let the client be configured anyway,
> in sort of a degraded mode? Or a --no-keytab option to be more explicit?
> Or both?

Good question, in what case would it make sense to run ipa-client-install and not get the machine enrolled in?

> I'm all for flexibility, just not sure what the implications of this are
> other than support headaches like "I can log into machine A but not
> machine B, why not?" Well, you're missing the host keytab for some reason...

Yeah, I think we should avoid half-configured machines. If someone has special needs he can script his own installation procedure the way he wants, IMO.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
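The "stage first, commit only on success" approach Simo describes, as an added example that is not FreeIPA's own code: libkrb5 reads `KRB5_CONFIG` and `KRB5CCNAME` from the environment, so the admin kinit and the join can run against a throwaway krb5.conf and ticket cache, and the permanent file is written only if the join exits 0. The function names, the realm and KDC values and the `ipa-join -s` invocation in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not FreeIPA code. The join step runs with KRB5_CONFIG and
# KRB5CCNAME pointed into a temporary directory; the real krb5.conf is only
# installed after the join command succeeds. Names and values are assumptions.

# write_staged_krb5_conf STAGE_DIR REALM KDC_HOST
write_staged_krb5_conf() {
    cat > "$1/krb5.conf" <<EOF
[libdefaults]
  default_realm = $2
[realms]
  $2 = {
    kdc = $3
  }
EOF
}

# enroll_with_staged_config TARGET_CONF REALM KDC_HOST JOIN_CMD [ARGS...]
# Runs JOIN_CMD in a subshell whose KRB5_CONFIG/KRB5CCNAME live in a
# temporary directory. On success the staged krb5.conf is installed at
# TARGET_CONF; on failure TARGET_CONF is left exactly as it was. Returns
# JOIN_CMD's exit status (or 1 if staging itself failed).
enroll_with_staged_config() {
    target=$1; realm=$2; kdc=$3; shift 3
    stage=$(mktemp -d) || return 1
    write_staged_krb5_conf "$stage" "$realm" "$kdc"
    if ( export KRB5_CONFIG="$stage/krb5.conf" KRB5CCNAME="FILE:$stage/ccache"
         "$@" ); then
        # Commit: write beside the target, then rename, so no reader ever
        # sees a partially written krb5.conf.
        cp "$stage/krb5.conf" "$target.tmp" && mv "$target.tmp" "$target"
        rc=$?
    else
        rc=$?   # join failed: nothing permanent was touched
    fi
    # The temporary admin ticket cache disappears with the staging directory.
    rm -rf "$stage"
    return "$rc"
}

# Usage for the admin-credential path (kinit prompts for the password;
# the ipa-join arguments are assumed):
#   admin_join() { kinit admin && ipa-join -s ipa.example.test; }
#   enroll_with_staged_config /etc/krb5.conf EXAMPLE.TEST ipa.example.test admin_join
```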