Hola,
So in doing a system analysis, I noted that some of our hosts have ipa-client and some don't.
All of the hosts are using SSSD to connect to the FreeIPA server.
Once a client system has joined the domain successfully and users can log in, is ipa-client still necessary?
(i.e., the real question is: in order to get uniformity, do I install ipa-client on all hosts or remove ipa-client from all hosts?)
cheers L.
------ "Mission Statement: To provide hope and inspiration for collective action, to build collective power, to achieve collective transformation, rooted in grief and rage but pointed towards vision and dreams."
- Patrisse Cullors, *Black Lives Matter founder*
On Fri, Jun 09, 2017 at 08:41:18AM +1000, Lachlan Musicman via FreeIPA-users wrote:
> Hola,
> So in doing a system analysis, I noted that some of our hosts have ipa-client and some don't.
> All of the hosts are using SSSD to connect to the FreeIPA server.
> Once a client system has joined the domain successfully and users can log in, is ipa-client still necessary?
> (i.e., the real question is: in order to get uniformity, do I install ipa-client on all hosts or remove ipa-client from all hosts?)
> cheers L.
Hi Lachlan,
It depends on the nature of the clients. If you just need them to authenticate against the IPA domain using SSSD and for nothing else, then you can safely remove the ipa-client package (but keep in mind that it has sssd as a dependency, so you may end up removing that one as well).
If, however, you plan on using the IPA CLI/Python API from clients, you require ipa-client to be present on the machine, as it provides this functionality by pulling in the "ipa" CLI utility, among others.
You would also have trouble requesting new host keys for the clients in the rare case they get compromised somehow, since the "ipa-getkeytab" utility that facilitates this is provided by the package.
From my POV, unless you are somehow constrained on resources, I would recommend installing and keeping the ipa-client package on all enrolled hosts.
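For the uniformity audit raised in this thread, a per-host check can report whether the host is SSSD-only or also has the "ipa" and "ipa-getkeytab" tools needed for CLI use and host re-keying. This is an added example, not code from the thread or the FreeIPA project; the paths /etc/sssd/sssd.conf and /etc/krb5.keytab are assumed defaults, and the function names, the ROOT argument and the `--run` switch are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread: report which IPA client pieces a host has.
# Assumed paths: /etc/sssd/sssd.conf and /etc/krb5.keytab (the usual defaults).
# ROOT (hypothetical parameter) prefixes those paths so a mounted image or a
# constructed test tree can be checked instead of the live system.

have_tool() {
    # True when $1 resolves to a command on the current PATH.
    command -v "$1" >/dev/null 2>&1
}

audit_ipa_client() {
    root="${1:-}"
    # Without SSSD config and a non-empty host keytab the host is not
    # usefully enrolled, whatever packages are installed.
    if [ ! -f "$root/etc/sssd/sssd.conf" ] || [ ! -s "$root/etc/krb5.keytab" ]; then
        echo "unenrolled"
        return 0
    fi
    missing=""
    for tool in ipa ipa-getkeytab; do
        have_tool "$tool" || missing="$missing $tool"
    done
    case "$missing" in
        "")                    echo "full" ;;
        " ipa ipa-getkeytab")  echo "sssd-only" ;;
        *)                     echo "partial: missing$missing" ;;
    esac
}

# Run directly on a host: prints "<hostname>: <status>".
if [ "${1:-}" = "--run" ]; then
    echo "$(hostname): $(audit_ipa_client "${2:-}")"
fi
```

Hosts reporting `sssd-only` still authenticate but cannot request a fresh host keytab locally; `partial` usually points to an incomplete or manually trimmed install.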