On 06/06/2013 03:45 PM, Jan Pazdziora wrote:
On Wed, Jun 05, 2013 at 04:14:36PM +0200, Ana Krivokapic wrote:
Hello,

The attached patch should improve handling of client re-enrollment
related options of ipa-client-install.

https://fedorahosted.org/freeipa/ticket/3686
[...]

+ if options.keytab and options.principal:
+        root_logger.error("Options 'principal' and 'keytab' cannot be used "
+                          "together.")
+        return CLIENT_INSTALL_ERROR
+
I know that this check only explains what happens later in the code
but isn't using custom principal _plus_ a keytab for that principal
a valid combination? Right now, it's either principal + password, or
keytab and from that keytab a specific host/* principal. Can't it be
ptincipal + keytab?

Currently only the host keytab is supported. This is described
in the man pages / or shows up with --help option, so there should
be no confusion.

See http://www.freeipa.org/page/V3/Forced_client_re-enrollment

The use case was to have a way how to automatically re-enroll
a host that would not need sticking admin's password in the script.

Tomas

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to