On Mon, 2009-12-07 at 23:21 -0500, Rob Crittenden wrote:
> Make the IPA server host and its services "real" IPA entries
> We use kadmin.local to bootstrap the creation of the kerberos principals
> for the IPA server machine: host, HTTP and ldap. This works fine and has
> the side-effect of protecting the services from modification by an admin
> (which would likely break the server).
> Unfortunately this also means that the services can't be managed by
> useful utilities such as certmonger. So we have to create them as "real"
> services instead.
> This is a relatively manual process so if the schema for hosts or
> services changes this may require updates as well.
> There remains a minor problem. If you create a replica, during the
> installation of that replica it will create host and service entries
> too. But if you retire this replica those entries will remain. The next
> time you try to install the replica it will fail with duplicate entries.
> I'll address this in the future as the easy workaround is to run `ipa
> host-del replica.example.com` and re-install the replica.
ack. pushed to master.
Freeipa-devel mailing list