On Tue, 2012-01-24 at 20:11 -0600, ~Stack~ wrote:
> > You can manage to have machines still fetch data from IPA, but they
> > can't be full fledged clients if you can't preserve the keytab and some
> > other configuration.
> As long as I can have a user log into the box and run a process, I don't
> really care if they are a full client or not. Theses systems are never
> logged into directly, but through a ssh connection so if the users can
> still authenticate into them I might be good on this. How do I configure
> this?

You can set the clients up as pure LDAP+KRB5 clients in SSSD, but the
catch is that you lose the ability to configure them with HBAC rules.
(You need to do more traditional forms of access-control logic in that

Only fully-enrolled clients will honor HBAC rules at this time.

Attachment: signature.asc
Description: This is a digitally signed message part

Freeipa-users mailing list

Reply via email to