Hi Mark, I had the same question in the past.
At the end of the day we “reverse engineered” what ipa-client-install does to avoid the
force-join and passing the password in plaintext. So it’s basically a bunch of files that
must be configured on the target system, so we configured it directly on the stateless
Some “manual” provisioning must be done, but you can do it through your stateless manager.
For instance we are using xCAT, so when we create a new node on xCAT we automatically do
the ipa-add-host on IPA.
We’ve done this for our HPC cluster software, the code is available here:
Feel free to look at the inner workings of the code; it’s basically an Ansible Playbook.
On 1 Sep 2020, at 11:31, Mark Potter via FreeIPA-users
We boot everything stateless in our environment and are using FreeIPA for authentication.
I started discussing this a while ago but ended up with other things taking priority. The
number of machines we have makes managing keys an untenable solution, so we are using
ipa-client-install -U -q -p <join user> -w <password>
called from rc.local during boot to rejoin machines to the FreeIPA environment (we will be
moving away from --fixed-primary but aren't there yet). While this works, it
potentially exposes a password. I am looking for a better way to handle machines that
need to re-join at every boot.
We have access to ansible as well as a decent, in-house templating system for configuration.
Please forgive my starting this discussion anew and not resurrecting a zombie and thanks
in advance for your help!
Senior Linux Administrator
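As an added example (not code from either message, and not the FreeIPA project's own code), here is the keytab variant of the split the reply describes: the provisioning side creates the host entry once when the node is created (the point where the xCAT hook runs `ipa host-add`), and the node enrols at every boot with `ipa-client-install --keytab` instead of `-w <password>`, so no join password is passed on the command line or stored in the image. The IPA server name `ipa.example.com`, the keytab store `/srv/ipa-keytabs`, the node names and the `DRY_RUN` switch are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from this thread or from the FreeIPA project.
# Enrol a stateless node with a host keytab instead of a join password.
# Hypothetical values: IPA server ipa.example.com and keytab store
# /srv/ipa-keytabs; the provisioning host is assumed to hold a valid
# admin ticket (kinit admin) when provision_host runs.

IPA_SERVER="${IPA_SERVER:-ipa.example.com}"
KEYTAB_STORE="${KEYTAB_STORE:-/srv/ipa-keytabs}"
# DRY_RUN=1 prints each privileged command instead of executing it.
DRY_RUN="${DRY_RUN:-0}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Provisioning side, run ONCE per node when it is created in the node
# manager: create the host entry and pull its keytab into a root-only
# store. ipa-getkeytab issues a fresh host key every time it runs, so
# re-running this step invalidates any keytab handed out earlier.
provision_host() {
    fqdn="$1"
    umask 077
    run mkdir -p "$KEYTAB_STORE"
    run ipa host-add "$fqdn"
    run ipa-getkeytab -s "$IPA_SERVER" -p "host/$fqdn" \
        -k "$KEYTAB_STORE/$fqdn.keytab"
}

# Node side, run at every boot (e.g. from rc.local) after the stateless
# image has copied its keytab from the provisioning host to the keytab
# path. The keytab must be root-only; no secret appears in argv or logs.
enroll_node() {
    fqdn="$1"
    keytab="${2:-/etc/krb5.keytab}"
    if [ ! -s "$keytab" ]; then
        echo "enroll_node: $keytab missing or empty" >&2
        return 1
    fi
    run chmod 600 "$keytab"
    run ipa-client-install --unattended --hostname "$fqdn" --keytab "$keytab"
}

# Example invocations (dry run):
#   DRY_RUN=1 provision_host node01.example.com
#   DRY_RUN=1 enroll_node node01.example.com /etc/krb5.keytab
```

Two caveats a practitioner will want: the keytab is a long-lived host credential, so the channel the stateless manager uses to deliver it to the node must be at least as protected as the image itself (and the store on the provisioning host must stay mode 0700); and if a per-boot one-time password is preferred instead, `ipa host-add --random` issues one that `ipa-client-install -w` consumes on first use, which still shows the OTP in `ps` output for the duration of the install but leaves nothing reusable behind.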
FreeIPA-users mailing list --