Make the IPA server host and its services "real" IPA entries

We use kadmin.local to bootstrap the creation of the Kerberos principals for the IPA server machine: host, HTTP and ldap. This works fine and has the side-effect of protecting the services from modification by an admin (which would likely break the server).

Unfortunately this also means that the services can't be managed by useful utilities such as certmonger. So we have to create them as "real" services instead.

This is a relatively manual process so if the schema for hosts or services changes this may require updates as well.

There remains a minor problem. If you create a replica, during the installation of that replica it will create host and service entries too. But if you retire this replica those entries will remain. The next time you try to install the replica it will fail with duplicate entries. I'll address this in the future as the easy workaround is to run `ipa host-del replica.example.com` and re-install the replica.

rob

Attachment: freeipa-329-services.patch
Description: application/mbox

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel