Hello list,

A question from users led me to read about host-add-managedby. While doing so
I found the procedure listed at
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/#host-setup-proc
and I wonder whether it is correct or not. I think it needs an update.

- In step 3 "create a host entry for the client" I would omit the --force option,
as this option should not be promoted at all.

- More interestingly, step 4 "set the client host to be managed by the server"
seems totally weird.
Why should managedby from the client point to a server? I do not think it is
necessary at all. Remove the step completely?

- Steps 5 & 7: sssd.conf and krb5.conf should not point to one IPA
server but rather use server auto-discovery.

- AFAIK step 11 "set up a host certificate for the host in IdM" is obsolete, as
we do not do this by default anymore. I would remove the step.

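To illustrate the point about steps 5 & 7, here is an added example (not from the post or the linked guide) contrasting a client pinned to a single server with one that uses DNS SRV auto-discovery; EXAMPLE.COM, example.com and ipa1.example.com are placeholder names.

```ini
# --- krb5.conf, pinned to one server (what the guide's steps produce) ---
[libdefaults]
  default_realm = EXAMPLE.COM
  dns_lookup_realm = false
  dns_lookup_kdc = false            # discovery disabled: only the KDCs listed below are used

[realms]
  EXAMPLE.COM = {
    kdc = ipa1.example.com:88        # single point of failure: if ipa1 is down, no tickets
    admin_server = ipa1.example.com:749
  }

# --- krb5.conf, using auto-discovery (preferred) ---
[libdefaults]
  default_realm = EXAMPLE.COM
  dns_lookup_realm = false
  dns_lookup_kdc = true             # KDCs are found via _kerberos._udp/_tcp.example.com SRV records
  rdns = false                      # do not let reverse DNS rewrite the service principal

[realms]
  EXAMPLE.COM = {
    # no kdc/admin_server lines: any replica advertised in DNS can be used
  }

# --- sssd.conf, pinned to one server ---
[domain/example.com]
  id_provider = ipa
  auth_provider = ipa
  ipa_domain = example.com
  ipa_server = ipa1.example.com     # pinned: replicas are never considered

# --- sssd.conf, using auto-discovery (preferred) ---
[domain/example.com]
  id_provider = ipa
  auth_provider = ipa
  ipa_domain = example.com
  ipa_server = _srv_, ipa1.example.com   # _srv_ = SRV lookup first; ipa1 is only a fallback
```

With the discovery variants, adding or retiring a replica only requires updating the `_kerberos` and `_ldap` SRV records in DNS, not touching every client.
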
Any opinions?
As a side note, the help text for host-add-managedby is totally insufficient
because it does not explain the purpose of the command:
> # ipa help host-add-managedby
> Usage: ipa [global-options] host-add-managedby HOSTNAME [options]
> 
> Add hosts that can manage this host.
> Options:
>   --hosts=STR   hosts to add

The docs at
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/#Delegating_Host_Management
are a little bit more verbose but contain an invalid example. The delegation
was done to client2, but the keytab used in the example was for the server...

I would fix the example and add some explanation to the help command. With this
I need help from someone, because I'm not even sure what the correct
semantics are.

Should the 'manager' be able to retrieve the keytab for host/ only? Or for any
service running on that host? What about certificates?

All this should be clarified somewhere in the help text.

Thank you for your attention :-)

-- 
Petr^2 Spacek

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code