Re: [Freeipa-devel] [PATCH 0154] man: sshd should be run at least once before client
On Mon, Feb 24, 2014 at 02:58:13PM +0100, Tomas Babej wrote: Hi, If SSH keys have not been generated prior to enrolling the client to the IPA server, they will not be uploaded to the server, since they're not present. Clarify this issue in the man pages. https://fedorahosted.org/freeipa/ticket/4055 [...] +.SS Assumptions +The ipa\-client\-install script assumes that the machine has already generated SSH keys. It will not generate SSH keys on its own accord. I'm not native speaker but I believe it should be either on its own or of its own accord. If SSH keys are not present (e.g when running the ipa-client-install in Is it correct that there are no backslashes in this occurence of ipa-client-install? a kickstart, before ever running sshd), they will not be uploaded to the client host entry on the server. + -- Jan Pazdziora Principal Software Engineer, Identity Management Engineering, Red Hat ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0154] man: sshd should be run at least once before client
Thanks Jan, both fixed. Tomas On 03/05/2014 10:53 AM, Jan Pazdziora wrote: On Mon, Feb 24, 2014 at 02:58:13PM +0100, Tomas Babej wrote: Hi, If SSH keys have not been generated prior to enrolling the client to the IPA server, they will not be uploaded to the server, since they're not present. Clarify this issue in the man pages. https://fedorahosted.org/freeipa/ticket/4055 [...] +.SS Assumptions +The ipa\-client\-install script assumes that the machine has already generated SSH keys. It will not generate SSH keys on its own accord. I'm not native speaker but I believe it should be either on its own or of its own accord. If SSH keys are not present (e.g when running the ipa-client-install in Is it correct that there are no backslashes in this occurence of ipa-client-install? a kickstart, before ever running sshd), they will not be uploaded to the client host entry on the server. + -- Tomas Babej Associate Software Engeneer | Red Hat | Identity Management RHCE | Brno Site | IRC: tbabej | freeipa.org From 0da460699594565f341f7f17ee53ce1fb1b6ea44 Mon Sep 17 00:00:00 2001 From: Tomas Babej tba...@redhat.com Date: Wed, 27 Nov 2013 09:49:32 +0100 Subject: [PATCH] man: sshd should be run at least once before client enrollment If SSH keys have not been generated prior to enrolling the client to the IPA server, they will not be uploaded to the server, since they're not present. Clarify this issue in the man pages. https://fedorahosted.org/freeipa/ticket/4055 --- ipa-client/man/ipa-client-install.1 | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ipa-client/man/ipa-client-install.1 b/ipa-client/man/ipa-client-install.1 index 51a276202ac28b630d928e70dd658fad929b8d2b..3d72b0c9f5f5c5dec6314adf9eb02f873918bfda 100644 --- a/ipa-client/man/ipa-client-install.1 +++ b/ipa-client/man/ipa-client-install.1 @@ -30,6 +30,9 @@ An authorized user is required to join a client machine to IPA. This can take th This same tool is used to unconfigure IPA and attempts to return the machine to its previous state. Part of this process is to unenroll the host from the IPA server. Unenrollment consists of disabling the prinicipal key on the IPA server so that it may be re\-enrolled. The machine principal in /etc/krb5.keytab (host/fqdn@REALM) is used to authenticate to the IPA server to unenroll itself. If this principal does not exist then unenrollment will fail and an administrator will need to disable the host principal (ipa host\-disable fqdn). +.SS Assumptions +The ipa\-client\-install script assumes that the machine has already generated SSH keys. It will not generate SSH keys of its own accord. If SSH keys are not present (e.g when running the ipa\-client\-install in a kickstart, before ever running sshd), they will not be uploaded to the client host entry on the server. + .SS Hostname Requirements Client must use a \fBstatic hostname\fR. If the machine hostname changes for example due to a dynamic hostname assignment by a DHCP server, client enrollment to IPA server breaks and user then would not be able to perform Kerberos authentication. -- 1.8.5.3 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0154] man: sshd should be run at least once before client
On Wed, Mar 05, 2014 at 12:33:01PM +0100, Tomas Babej wrote: Thanks Jan, both fixed. Ack. -- Jan Pazdziora Principal Software Engineer, Identity Management Engineering, Red Hat ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0154] man: sshd should be run at least once before client
On 03/05/2014 12:37 PM, Jan Pazdziora wrote: On Wed, Mar 05, 2014 at 12:33:01PM +0100, Tomas Babej wrote: Thanks Jan, both fixed. Ack. Pushed to master: 6b94f959a4d41b62ca6c2b273633880bbfab8b49 Thanks, Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH 0154] man: sshd should be run at least once before client
Hi, If SSH keys have not been generated prior to enrolling the client to the IPA server, they will not be uploaded to the server, since they're not present. Clarify this issue in the man pages. https://fedorahosted.org/freeipa/ticket/4055 -- Tomas Babej Associate Software Engeneer | Red Hat | Identity Management RHCE | Brno Site | IRC: tbabej | freeipa.org From 62f3e481845c4cef40f5c53136d91982977db791 Mon Sep 17 00:00:00 2001 From: Tomas Babej tba...@redhat.com Date: Wed, 27 Nov 2013 09:49:32 +0100 Subject: [PATCH] man: sshd should be run at least once before client enrollment If SSH keys have not been generated prior to enrolling the client to the IPA server, they will not be uploaded to the server, since they're not present. Clarify this issue in the man pages. https://fedorahosted.org/freeipa/ticket/4055 --- ipa-client/man/ipa-client-install.1 | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ipa-client/man/ipa-client-install.1 b/ipa-client/man/ipa-client-install.1 index 51a276202ac28b630d928e70dd658fad929b8d2b..44c4a5fe1c654a7ede45bc5042d6990cf715d1d7 100644 --- a/ipa-client/man/ipa-client-install.1 +++ b/ipa-client/man/ipa-client-install.1 @@ -30,6 +30,9 @@ An authorized user is required to join a client machine to IPA. This can take th This same tool is used to unconfigure IPA and attempts to return the machine to its previous state. Part of this process is to unenroll the host from the IPA server. Unenrollment consists of disabling the prinicipal key on the IPA server so that it may be re\-enrolled. The machine principal in /etc/krb5.keytab (host/fqdn@REALM) is used to authenticate to the IPA server to unenroll itself. If this principal does not exist then unenrollment will fail and an administrator will need to disable the host principal (ipa host\-disable fqdn). +.SS Assumptions +The ipa\-client\-install script assumes that the machine has already generated SSH keys. It will not generate SSH keys on its own accord. If SSH keys are not present (e.g when running the ipa-client-install in a kickstart, before ever running sshd), they will not be uploaded to the client host entry on the server. + .SS Hostname Requirements Client must use a \fBstatic hostname\fR. If the machine hostname changes for example due to a dynamic hostname assignment by a DHCP server, client enrollment to IPA server breaks and user then would not be able to perform Kerberos authentication. -- 1.8.5.3 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
