Matt . wrote:
> The issue you get here is that the IPA client is not enrolled anymore
> when you did an uninstall of the client before the IPA install on that
> "previous" client which needs to be client again after the IPA install
> on it.
> This sounds messy but could be ideal for some situations of user access
> on systems.

Installing an IPA master configures it as a client for that master,
there is no way around it.

You can't (or shouldn't) mix and match discrete IPA installations.
Eventually there will be intra-IPA trust which will do what I think
you are looking for.


> 2017-04-07 23:24 GMT+02:00 Rob Crittenden <>:
>> Matt . wrote:
>>> Nope, I provision my servers and they are added to my FreeIPA
>>> environment which auths my sysadmins. But on a server I provisioned
>>> I need to install FreeIPA as well, but without dns and ca, so it's
>>> doing ldap only actually.
>>> When I want to install FreeIPA server on this IPA client it tells me
>>> (which is logical):
>>> ipa.ipapython.install.cli.install_tool(Server): ERROR    IPA client is
>>> already configured on this system.
>>> Please uninstall it before configuring the IPA server, using
>>> 'ipa-client-install --uninstall'
>>> So what I want to do is install FreeIPA server on it but using local
>>> system accounts to be auth against the former IPA server the client
>>> was assigned to.
>>> So:
>>> IPA01 gets a host which is LDAP01 but LDAP01 needs to be installed
>>> with FreeIPA (no dns and CA) as well but I want to have local
>>> sysaccounts that login to cli and such auth against IPA01 after it's
>>> installed with FreeIPA and the clientconfig for sssd is not there
>>> anymore because of the 'ipa-client-install --uninstall'
>> Still very confusing. LDAP has nothing to do with this. IPA is always at
>> least LDAP + Kerberos + Apache + a few other minor services. So it's
>> better to just say no DNS and no CA, though that isn't really relevant
>> since those are always optional.
>> It sounds like what you want to do is, on the same box, install IPA
>> server and configure the local machine to point to a DIFFERENT IPA
>> server for user/group lookups?
>> You might be able to do it via sssd but it would be an unsupportable
>> nightmare.
>> rob
>>> 2017-04-07 23:11 GMT+02:00 Rob Crittenden <>:
>>>> Matt . wrote:
>>>>> When I have a full ipa setup and I want to add a host to it that is
>>>>> installed or needs to be installed as IPA LDAP server only, is that
>>>>> possible?
>>>> If you're asking if only 389-ds can be configured on an IPA server, no,
>>>> not using any IPA tools in any case.
>>>>> Of course the ipa-server-install complains that the agent is already
>>>>> configured on the host but there might be a way? Or just copy the
>>>>> config back faster the IPA LDAP only server is installed ?
>>>> I don't understand. Seeing the error message and commands might help.
>>>> rob
