5:41 p.m.
Hola,
So in doing a system analysis, I noted that some of our hosts have
ipa-client and some don't.
All of the hosts are using SSSD to connect to the FreeIPA server.
Once a client system has joined the domain successfully and users can
login, is ipa-client still necessary?
(ie, the real question is: in order to get uniformity, do I install
ipa-client on all hosts or remove ipa-client from all hosts)
cheers
L.
------
"Mission Statement: To provide hope and inspiration for collective action,
to build collective power, to achieve collective transformation, rooted in
grief and rage but pointed towards vision and dreams."
- Patrisse Cullors, *Black Lives Matter founder*
8:27 a.m.
New subject: ipa-client package - is it necessary after install?
On Fri, Jun 09, 2017 at 08:41:18AM +1000, Lachlan Musicman via FreeIPA-users wrote:
Hola,
So in doing a system analysis, I noted that some of our hosts have
ipa-client and some don't.
All of the hosts are using SSSD to connect to the FreeIPA server.
Once a client system has joined the domain successfully and users can
login, is ipa-client still necessary?
(ie, the real question is: in order to get uniformity, do I install
ipa-client on all hosts or remove ipa-client from all hosts)
cheers
L.
------
"Mission Statement: To provide hope and inspiration for collective action,
to build collective power, to achieve collective transformation, rooted in
grief and rage but pointed towards vision and dreams."
- Patrisse Cullors, *Black Lives Matter founder*
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Hi Lachlan,
it depends on the nature of the clients. If you just need them to authenticate
against the IPA domain using SSSD and for nothing else, then you can safely
remove ipa-client package (but keep in mind that it has sssd as a dependency so
you may end up removing that one as well).
If, however, you plan on using IPA CLI/Python API from clients, you require
ipa-client to be present on the machine as it provides this functionality by
pulling in "ipa" CLI utility, among others.
You also would have trouble requesting new host keys for the clients in a rare
case they get compromised somehow, since "ipa-getkeytab" utility is provided by
the package that facilitates this.
From my POV, unless you are somehow constrained on resources I would recommend
installing and keeping ipa-client package on all enrolled hosts.
--
Martin Babinsky
2506
days inactive
2507
days old
freeipa-users@lists.fedorahosted.org
1 comments
2 participants
participants (2)
-
Lachlan Musicman -
Martin Babinsky