[Freeipa-devel] Thoughts on client configuration
I've got all the pieces together to create a host principal and keytab when a machine joins an IPA realm and am thinking about how I'm going to tie it altogether. My plan revolves around enhancing ipa-client-install to call ipa-join and ipa-rmkeytab (for uninstall). The question then becomes, is the client configuration dependent upon successful machine join? We have a bit of a chicken and egg problem right now with join in terms of validating argument inputs. Joining a machine can happen one of two ways, using kerberos credentials (an admin) or using a one-time password (OTP). The OTP method is easy enough, we can call that really early in the client configuration process. If it fails (wrong password, host not created, whatever) we can simply quit and not configure the client at all. With the admin method we have to first configure the machine, then get the credentials, then try to do the join. It could easily fail here for a number of reasons. Do we roll back the configuration upon failure? I'm thinking the answer should be yes, otherwise some machines will have host service principals and some won't making a support nightmare. But should we have a --force option to let the client be configured anyway, in sort of a degraded mode? Or a --no-keytab option to be more explicit? Or both? I'm all for flexibility, just not sure what the implications of this are other than support headaches like I can log into machine A but not machine B, why not? Well, you're missing the host keytab for some reason... rob smime.p7s Description: S/MIME Cryptographic Signature ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] Thoughts on client configuration
Rob Crittenden wrote: I've got all the pieces together to create a host principal and keytab when a machine joins an IPA realm and am thinking about how I'm going to tie it altogether. My plan revolves around enhancing ipa-client-install to call ipa-join and ipa-rmkeytab (for uninstall). The question then becomes, is the client configuration dependent upon successful machine join? We have a bit of a chicken and egg problem right now with join in terms of validating argument inputs. Joining a machine can happen one of two ways, using kerberos credentials (an admin) or using a one-time password (OTP). The OTP method is easy enough, we can call that really early in the client configuration process. If it fails (wrong password, host not created, whatever) we can simply quit and not configure the client at all. With the admin method we have to first configure the machine, then get the credentials, then try to do the join. It could easily fail here for a number of reasons. Do we roll back the configuration upon failure? Why do you need first configure the machine? Why the sequence of operations is different in the OTP vs admin case. Can we have the same sequence? Then the difference is the authenticated entity and its permissions only. I'm thinking the answer should be yes, otherwise some machines will have host service principals and some won't making a support nightmare. But should we have a --force option to let the client be configured anyway, in sort of a degraded mode? Or a --no-keytab option to be more explicit? Or both? I'm all for flexibility, just not sure what the implications of this are other than support headaches like I can log into machine A but not machine B, why not? Well, you're missing the host keytab for some reason... rob ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel -- Thank you, Dmitri Pal Engineering Manager IPA project, Red Hat Inc. --- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] Thoughts on client configuration
On Mon, 2009-11-09 at 11:27 -0500, Rob Crittenden wrote: I've got all the pieces together to create a host principal and keytab when a machine joins an IPA realm and am thinking about how I'm going to tie it altogether. My plan revolves around enhancing ipa-client-install to call ipa-join and ipa-rmkeytab (for uninstall). The question then becomes, is the client configuration dependent upon successful machine join? We have a bit of a chicken and egg problem right now with join in terms of validating argument inputs. Joining a machine can happen one of two ways, using kerberos credentials (an admin) or using a one-time password (OTP). The OTP method is easy enough, we can call that really early in the client configuration process. If it fails (wrong password, host not created, whatever) we can simply quit and not configure the client at all. With the admin method we have to first configure the machine, then get the credentials, then try to do the join. It could easily fail here for a number of reasons. Do we roll back the configuration upon failure? Uhmm you can do admin stuff w/o necessarily configuring the machine first, for the kerberos part we can set temporary environment variables and get the admin password through a prompt. If all is successful we save the configuration in the real krb5.conf and all. I actually would really prefer to do it this way so that we do not touch permanent configuration files until the join procedure is successful. I'm thinking the answer should be yes, otherwise some machines will have host service principals and some won't making a support nightmare. But should we have a --force option to let the client be configured anyway, in sort of a degraded mode? Or a --no-keytab option to be more explicit? Or both? Good question, in what case would it make sense to run ipa-client-install and not get the machine enrolled in ? I'm all for flexibility, just not sure what the implications of this are other than support headaches like I can log into machine A but not machine B, why not? Well, you're missing the host keytab for some reason... Yeah, I think we should avoid half configured machines. If someone has special needs he can script his own installation procedure the way he wants, IMO. Simo. -- Simo Sorce * Red Hat, Inc * New York ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] Thoughts on client configuration
Simo Sorce wrote: On Mon, 2009-11-09 at 11:27 -0500, Rob Crittenden wrote: I've got all the pieces together to create a host principal and keytab when a machine joins an IPA realm and am thinking about how I'm going to tie it altogether. My plan revolves around enhancing ipa-client-install to call ipa-join and ipa-rmkeytab (for uninstall). The question then becomes, is the client configuration dependent upon successful machine join? We have a bit of a chicken and egg problem right now with join in terms of validating argument inputs. Joining a machine can happen one of two ways, using kerberos credentials (an admin) or using a one-time password (OTP). The OTP method is easy enough, we can call that really early in the client configuration process. If it fails (wrong password, host not created, whatever) we can simply quit and not configure the client at all. With the admin method we have to first configure the machine, then get the credentials, then try to do the join. It could easily fail here for a number of reasons. Do we roll back the configuration upon failure? Uhmm you can do admin stuff w/o necessarily configuring the machine first, for the kerberos part we can set temporary environment variables and get the admin password through a prompt. If all is successful we save the configuration in the real krb5.conf and all. Wow, fantastic idea. I actually would really prefer to do it this way so that we do not touch permanent configuration files until the join procedure is successful. Right, that's what I was afraid of. Having to fire up install machine only to then back it all out. I'm thinking the answer should be yes, otherwise some machines will have host service principals and some won't making a support nightmare. But should we have a --force option to let the client be configured anyway, in sort of a degraded mode? Or a --no-keytab option to be more explicit? Or both? Good question, in what case would it make sense to run ipa-client-install and not get the machine enrolled in ? I think that some desktop machines perhaps. Then again it is fairly trivial to manually configure the pam stack to do LDAP/kerberos. There actually already is a --force option but it applies to the DNS discovery failing. I'm all for flexibility, just not sure what the implications of this are other than support headaches like I can log into machine A but not machine B, why not? Well, you're missing the host keytab for some reason... Yeah, I think we should avoid half configured machines. If someone has special needs he can script his own installation procedure the way he wants, IMO. That or we need to write a very good FAQ :-) rob smime.p7s Description: S/MIME Cryptographic Signature ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel