On Mon, 2009-12-07 at 23:21 -0500, Rob Crittenden wrote:
> Make the IPA server host and its services "real" IPA entries
> We use kadmin.local to bootstrap the creation of the kerberos principals 
> for the IPA server machine: host, HTTP and ldap. This works fine and has 
> the side-effect of protecting the services from modification by an admin 
> (which would likely break the server).
> Unfortunately this also means that the services can't be managed by 
> useful utilities such as certmonger. So we have to create them as "real" 
> services instead.
> This is a relatively manual process so if the schema for hosts or 
> services changes this may require updates as well.
> There remains a minor problem. If you create a replica, during the 
> installation of that replica it will create host and service entries 
> too. But if you retire this replica those entries will remain. The next 
> time you try to install the replica it will fail with dupliate entries. 
> I'll address this in the future as the easy workaround is to run `ipa 
> host-del replica.example.com` and re-install the replica.
> rob

ack.  pushed to master.

Freeipa-devel mailing list

Reply via email to