Re: [Freeipa-users] Client Certificate

2014-09-23 Thread Walid
Yes Dmitri these two hints would definitely help, the servers are not 4.x yet though. On 19 September 2014 23:14, Dmitri Pal d...@redhat.com wrote: On 09/19/2014 04:03 PM, Walid wrote: Thank you all, will investigate the requirements of host keytabs, and if there is a way around it by

Re: [Freeipa-users] Client Certificate

2014-09-19 Thread Dmitri Pal
On 09/19/2014 04:03 PM, Walid wrote: Thank you all, will investigate the requirements of host keytabs, and if there is a way around it by having it shared but secure for our context. Couple hints. 1. If you have a keytab stashed and the system was rebuilt you can now rerun

Re: [Freeipa-users] Client Certificate

2014-09-19 Thread Walid
Thank you all, will investigate the requirements of host keytabs, and if there is a way around it by having it shared but secure for our context. On 18 September 2014 23:04, Dmitri Pal d...@redhat.com wrote: On 09/18/2014 10:12 AM, Walid A. Shaari wrote: Hi, we are going to have a use

[Freeipa-users] Client Certificate

2014-09-18 Thread Walid A. Shaari
Hi, we are going to have a use case of diskless HPC clients that will use the IPA for lookups, I was wondering if I can get rid of the statefulness of the client configuration as much as possible as it is more of a cattle than pets use case. That is, I do not need to know that the client is part

Re: [Freeipa-users] Client Certificate

2014-09-18 Thread Rob Crittenden
Walid A. Shaari wrote: Hi, we are going to have a use case of diskless HPC clients that will use the IPA for lookups, I was wondering if I can get rid of the statefulness of the client configuration as much as possible as it is more of a cattle than pets use case. That is, I do not need to

Re: [Freeipa-users] Client Certificate

2014-09-18 Thread Walid A. Shaari
Great Rob, would that be still doable with RHEL5 and RHEL6 ipa 2, and 3 clients? On 18 September 2014 17:43, Rob Crittenden rcrit...@redhat.com wrote: Walid A. Shaari wrote: Hi, we are going to have a use case of diskless HPC clients that will use the IPA for lookups, I was wondering if

Re: [Freeipa-users] Client Certificate

2014-09-18 Thread Simo Sorce
On Thu, 18 Sep 2014 18:49:44 +0300 Walid A. Shaari walid.sha...@linux.com wrote: Great Rob, would that be still doable with RHEL5 and RHEL6 ipa 2, and 3 clients? The X509 certificate has always been provided as a commodity but never required. Keytabs are the only thing we require. Simo. --

Re: [Freeipa-users] Client Certificate

2014-09-18 Thread Rob Crittenden
Walid A. Shaari wrote: Great Rob, would that be still doable with RHEL5 and RHEL6 ipa 2, and 3 clients? Sure, the cert isn't used anyway but it isn't optional to have certmonger try to get one. If you really care you can run a command to tell certmonger to stop tracking the cert though: #

Re: [Freeipa-users] Client Certificate

2014-09-18 Thread Natxo Asenjo
hi, On Thu, Sep 18, 2014 at 4:43 PM, Rob Crittenden rcrit...@redhat.com wrote: Yes, you don't need to obtain a machine certificate. In fact we have stopped doing this upstream. Do you mean ipa will not have a CA in the future? Or will it be optional? Or am I misunderstanding this :-) ? I

Re: [Freeipa-users] Client Certificate

2014-09-18 Thread Alexander Bokovoy
On Thu, 18 Sep 2014, Natxo Asenjo wrote: hi, On Thu, Sep 18, 2014 at 4:43 PM, Rob Crittenden rcrit...@redhat.com wrote: Yes, you don't need to obtain a machine certificate. In fact we have stopped doing this upstream. Do you mean ipa will not have a CA in the future? Or will it be

Re: [Freeipa-users] Client Certificate

2014-09-18 Thread Rob Crittenden
Natxo Asenjo wrote: hi, On Thu, Sep 18, 2014 at 4:43 PM, Rob Crittenden rcrit...@redhat.com wrote: Yes, you don't need to obtain a machine certificate. In fact we have stopped doing this upstream. Do you mean ipa will not have a CA in the future?

Re: [Freeipa-users] Client Certificate

2014-09-18 Thread Dmitri Pal
On 09/18/2014 10:12 AM, Walid A. Shaari wrote: Hi, we are going to have a use case of diskless HPC clients that will use the IPA for lookups, I was wondering if I can get rid of the statefulness of the client configuration as much as possible as it is more of a cattle than pets use case.

Re: [Freeipa-users] Client Certificate

2014-09-18 Thread Natxo Asenjo
hi, On Thu, Sep 18, 2014 at 9:05 PM, Rob Crittenden rcrit...@redhat.com wrote: Natxo Asenjo wrote: hi, On Thu, Sep 18, 2014 at 4:43 PM, Rob Crittenden rcrit...@redhat.com wrote: Yes, you don't need to obtain a machine certificate. In fact we have

Re: [Freeipa-users] Client Certificate

2014-09-18 Thread Rob Crittenden
Natxo Asenjo wrote: hi, On Thu, Sep 18, 2014 at 9:05 PM, Rob Crittenden rcrit...@redhat.com wrote: Natxo Asenjo wrote: hi, On Thu, Sep 18, 2014 at 4:43 PM, Rob Crittenden rcrit...@redhat.com

Re: [Freeipa-users] Client Certificate

2014-09-18 Thread Natxo Asenjo
On Thu, Sep 18, 2014 at 10:51 PM, Rob Crittenden rcrit...@redhat.com wrote: Natxo Asenjo wrote: ok. I was thinking of starting a pilot with dot1.x and host certificates are usually used for this, so it would be nice to have a cli switch during enrollment. Ok, do you have a preference