The attached patch should improve handling of client re-enrollment
related options of ipa-client-install.


+ if options.keytab and options.principal:
+        root_logger.error("Options 'principal' and 'keytab' cannot be used "
+                          "together.")
+        return CLIENT_INSTALL_ERROR
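Review bot: The error text logged in the `if options.keytab and options.principal:` branch tells the user the combination is rejected but not why or what to use instead. Consider naming the options as they are typed on the command line (--principal, --keytab) and adding a short hint that a keytab is used on its own, without a principal, so that someone scripting re-enrollment can correct the invocation from the log line alone. A code comment above the check explaining the restriction would also help the next reader of this function.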
I know that this check only explains what happens later in the code
but isn't using custom principal _plus_ a keytab for that principal
a valid combination? Right now, it's either principal + password, or
keytab and from that keytab a specific host/* principal. Can't it be
principal + keytab?

Currently only the host keytab is supported. This is described
in the man pages / or shows up with --help option, so there should
be no confusion.

See http://www.freeipa.org/page/V3/Forced_client_re-enrollment

The use case was to have a way to automatically re-enroll
a host that would not need sticking admin's password in the script.


