On Fri, Jun 09, 2017 at 08:41:18AM +1000, Lachlan Musicman via FreeIPA-users 
>So in doing a system analysis, I noted that some of our hosts have
>ipa-client and some don't.
>All of the hosts are using SSSD to connect to the FreeIPA server.
>Once a client system has joined the domain successfully and users can
>log in, is ipa-client still necessary?
>(i.e., the real question is: in order to get uniformity, do I install
>ipa-client on all hosts or remove ipa-client from all hosts)
>"Mission Statement: To provide hope and inspiration for collective action,
>to build collective power, to achieve collective transformation, rooted in
>grief and rage but pointed towards vision and dreams."
> - Patrisse Cullors, *Black Lives Matter founder*

>FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Hi Lachlan,

It depends on the nature of the clients. If you just need them to authenticate
against the IPA domain using SSSD and for nothing else, then you can safely
remove the ipa-client package (but keep in mind that it has sssd as a dependency,
so you may end up removing that one as well).

If, however, you plan on using the IPA CLI/Python API from clients, you require
ipa-client to be present on the machine, as it provides this functionality by
pulling in the "ipa" CLI utility, among others.

You would also have trouble requesting new host keys for the clients in the rare
case they get compromised somehow, since the "ipa-getkeytab" utility is provided
by the package that facilitates this.

From my POV, unless you are somehow constrained on resources, I would recommend
installing and keeping the ipa-client package on all enrolled hosts.

Martin Babinsky