On Tue, 2012-01-24 at 20:11 -0600, ~Stack~ wrote: > > You can manage to have machines still fetch data from IPA, but they > > can't be full fledged clients if you can't preserve the keytab and some > > other configuration. > > As long as I can have a user log into the box and run a process, I don't > really care if they are a full client or not. Theses systems are never > logged into directly, but through a ssh connection so if the users can > still authenticate into them I might be good on this. How do I configure > this?
You can set the clients up as pure LDAP+KRB5 clients in SSSD, but the catch is that you lose the ability to configure them with HBAC rules. (You need to do more traditional forms of access-control logic in that case). Only fully-enrolled clients will honor HBAC rules at this time.
Description: This is a digitally signed message part
_______________________________________________ Freeipa-users mailing list Freeipafirstname.lastname@example.org https://www.redhat.com/mailman/listinfo/freeipa-users