On Wed, 23 Mar 2011 20:43:24 -0400
Rob Crittenden <rcrit...@redhat.com> wrote:
> Uzor Ide wrote:
> > I have manually enrolled and configured the client. I am able to log
> > into the client and access nfs4 shares. What I am wondering is if
> > there is anything that the client would miss by joining this way.
> > The client authenticates to the ipa-server through sssd. I would
> > like to know if HBAC and centrally managed SUDO and other policy
> > enforcements will fail to work because of the manual enrolment. Note
> > that the host certificate was not generated because of the manual
> > joining.
> I guess it means by how you manually joined but based on what you can
> do I think you covered the major details.
> If you have a host service principal in /etc/krb5.keytab and a
> correctly configured sssd then you are fine for HBAC and nss (users,
> groups, etc).
> SUDO works through nss_ldap so you should be fine there as well.
To avoid confusion (if possible :) sudo uses the nss_ldap config file,
but not the nss_ldap code.
So all you need to do is to read the sudo docs to find which file you
need to touch.
Of course because sudo doesn't go through sssd (yet) it will not work
properly in offline mode, unfortunately.
> ipa-client-install doesn't do anything too special, it just makes
> sure the environment is sane and then sets up sssd.conf, krb5.conf,
> fetches a host service principal and uses certmonger to get an SSL
> server cert. This last step is done as a convenience; it otherwise
> isn't used by IPA. But if you wanted to set up an HTTP server that
> uses the same PKI as IPA you'd have a certificate and key available.
Simo Sorce * Red Hat, Inc * New York
Freeipa-users mailing list
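As an added illustration (not code from the thread or from FreeIPA), the script below checks the three things Rob lists for a hand-enrolled client: a host/ principal in the keytab, sssd with IPA access control, and a sudoers line in nsswitch.conf that includes LDAP. The file paths, the `access_provider = ipa` setting and the `sudoers:` nsswitch line are assumptions based on what ipa-client-install normally writes, and the sample inputs are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: check the three prerequisites Rob
# lists for a manually enrolled IPA client. Each function takes text as
# its argument, so it can be fed live output (`klist -k /etc/krb5.keytab`,
# /etc/sssd/sssd.conf, /etc/nsswitch.conf) or the constructed samples below.

# 1. Host service principal present?  $1 = klist -k output, $2 = client FQDN
has_host_principal() {
  printf '%s\n' "$1" | grep -Fq "host/$2@"
}

# 2. sssd domain configured for IPA access control (HBAC)?  $1 = sssd.conf
#    Assumes access_provider = ipa, which is what ipa-client-install writes.
sssd_hbac_enabled() {
  printf '%s\n' "$1" | grep -Eq '^[[:space:]]*access_provider[[:space:]]*=[[:space:]]*ipa[[:space:]]*$'
}

# 3. sudo configured to look up sudoers in LDAP?  $1 = nsswitch.conf
#    Assumes sudo honours the 'sudoers:' line of nsswitch.conf (sudoers.ldap(5)).
nsswitch_sudoers_ldap() {
  printf '%s\n' "$1" | grep -Eq '^[[:space:]]*sudoers:.*ldap'
}

# Run all checks, print one line each, return the number of failures.
check_client() {
  fails=0
  if has_host_principal "$1" "$4"; then echo "ok   host/$4 in keytab"
  else echo "FAIL host/$4 missing from keytab (HBAC/nss will not work)"; fails=$((fails+1)); fi
  if sssd_hbac_enabled "$2"; then echo "ok   sssd access_provider = ipa"
  else echo "FAIL sssd access_provider is not ipa (HBAC not enforced)"; fails=$((fails+1)); fi
  if nsswitch_sudoers_ldap "$3"; then echo "ok   sudoers looked up in LDAP"
  else echo "FAIL nsswitch sudoers line has no ldap (central sudo rules ignored)"; fails=$((fails+1)); fi
  return "$fails"
}

# Constructed sample inputs (not a real host): keytab and sssd look right,
# but the sudoers line was never touched, so one check fails.
SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------
   2 host/client.example.test@EXAMPLE.TEST'
SAMPLE_SSSD='[domain/example.test]
id_provider = ipa
auth_provider = ipa
access_provider = ipa'
SAMPLE_NSS='passwd:  files sss
sudoers: files'

check_client "$SAMPLE_KEYTAB" "$SAMPLE_SSSD" "$SAMPLE_NSS" client.example.test \
  || echo "client is not fully enrolled ($? check(s) failed)"
```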