Simo Sorce wrote:
On Mon, 2009-11-09 at 11:27 -0500, Rob Crittenden wrote:
I've got all the pieces together to create a host principal and keytab when a machine joins an IPA realm and am thinking about how I'm going to tie it altogether.

My plan revolves around enhancing ipa-client-install to call ipa-join and ipa-rmkeytab (for uninstall). The question then becomes, is the client configuration dependent upon successful machine join?

We have a bit of a chicken and egg problem right now with join in terms of validating argument inputs. Joining a machine can happen one of two ways, using kerberos credentials (an admin) or using a one-time password (OTP).

The OTP method is easy enough, we can call that really early in the client configuration process. If it fails (wrong password, host not created, whatever) we can simply quit and not configure the client at all.

With the admin method we have to first configure the machine, then get the credentials, then try to do the join. It could easily fail here for a number of reasons. Do we roll back the configuration upon failure?

Uhmm you can do admin stuff w/o necessarily configuring the machine
first, for the kerberos part we can set temporary environment variables
and get the admin password through a prompt. If all is successful we
save the configuration in the real krb5.conf and all.

Wow, fantastic idea.

I actually would really prefer to do it this way so that we do not touch
permanent configuration files until the join procedure is successful.

Right, that's what I was afraid of. Having to fire up install machine only to then back it all out.

I'm thinking the answer should be yes, otherwise some machines will have host service principals and some won't making a support nightmare. But should we have a --force option to let the client be configured anyway, in sort of a degraded mode? Or a --no-keytab option to be more explicit? Or both?

Good question, in what case would it make sense to run
ipa-client-install and not get the machine enrolled in ?

I think that some desktop machines perhaps. Then again it is fairly trivial to manually configure the pam stack to do LDAP/kerberos.

There actually already is a --force option but it applies to the DNS discovery failing.

I'm all for flexibility, just not sure what the implications of this are other than support headaches like "I can log into machine A but not machine B, why not?" Well, you're missing the host keytab for some reason...

Yeah, I think we should avoid half configured machines. If someone has
special needs he can script his own installation procedure the way he
wants, IMO.

That or we need to write a very good FAQ :-)


Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

Freeipa-devel mailing list

Reply via email to