By default ipa-client-install configures SSSD to connect to an IPA server for authentication and authorization. Optionally one can instead configure PAM and NSS (Name Service Switch) to work with an IPA server over Kerberos and LDAP.

An authorized user is required to join a client machine to IPA. This can take the form of a Kerberos principal or a one-time password associated with the machine.

This same tool is used to unconfigure IPA and attempts to return the machine to its previous state. Part of this process is to unenroll the host from the IPA server. Unenrollment consists of disabling the principal key on the IPA server so that it may be re-enrolled. The machine principal in /etc/krb5.keytab is used to authenticate to the IPA server to unenroll itself. If this principal does not exist then unenrollment will fail and an administrator will need to disable the host principal (ipa host-disable ).

The ipa-client-install script assumes that the machine has already generated SSH keys. It will not generate SSH keys of its own accord. If SSH keys are not present (e.g. when running ipa-client-install in a kickstart, before ever running sshd), they will not be uploaded to the client host entry on the server.

The client must use a static hostname.
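A pre-flight check for the assumptions described above (SSH host keys already generated, a static hostname, and the host principal present in the keytab before unenrollment), as an added example that is not part of the original page or of FreeIPA. The function names, the default paths, the use of /etc/hostname as the static hostname source, and the fully qualified name check are assumptions.

```shell
#!/bin/sh
# Added example: checks to run before ipa-client-install, e.g. in kickstart %post.
# Function names and default paths are assumptions, not part of FreeIPA.

# True if at least one non-empty SSH host public key exists in $1 (default /etc/ssh).
have_ssh_host_keys() {
    for f in "${1:-/etc/ssh}"/ssh_host_*_key.pub; do
        [ -s "$f" ] && return 0
    done
    return 1
}

# True if $1 (default /etc/hostname) holds a fully qualified, non-localhost name.
static_hostname_ok() {
    [ -r "${1:-/etc/hostname}" ] || return 1
    # read fails on a file without a trailing newline but still sets $name
    read -r name < "${1:-/etc/hostname}" || [ -n "$name" ] || return 1
    case $name in
        ""|localhost|localhost.*) return 1 ;;
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

# True if `klist -k` output on stdin lists the host principal for FQDN $1.
# Usage: klist -k /etc/krb5.keytab | keytab_has_host_principal "$(hostname -f)"
keytab_has_host_principal() {
    grep -Fq " host/$1@"
}

# Run both install-time checks, report every failure, return non-zero if any fail.
# $1 = SSH key directory, $2 = static hostname file (both optional).
ipa_install_preflight() {
    rc=0
    have_ssh_host_keys "$1" || {
        echo "no SSH host keys: generate them (ssh-keygen -A) before enrolling" >&2
        rc=1
    }
    static_hostname_ok "$2" || {
        echo "hostname is not static and fully qualified" >&2
        rc=1
    }
    return $rc
}
```

In a kickstart, call `ipa_install_preflight` before ipa-client-install so that a host without keys is not enrolled with an empty SSH key entry; run the keytab check before unconfiguring, so a missing principal is caught before unenrollment fails.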