On Tuesday, June 11, 2013 6:38:59 PM UTC-7, Trevor Vaughan wrote:
>
> If you're already joining a machine to a Kerberos realm, then you're
> probably either doing it at install time using a first layer authorization
> subsystem (razor type install), or you're hopping on after the fact to
> register the system, or you're using Puppet to do it.
>

Right. The step where a privileged operation adds a machine to the domain is something that already has to happen. By using Kerberos authentication of agents to the puppet master we eliminate a second privileged operation to register the machine to puppet, and also avoid deploying PKI for agents. We still need PKI for puppet masters -- but that infrastructure is already in place.
I hope that makes sense. I think these are important justification points for the armature.
