On Mon, 13 Nov 2017, Harald Dunkel wrote:
> Hi Alex,
> On Fri, 10 Nov 2017 16:59:07 +0200
> Alexander Bokovoy via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org> wrote:
> > On Fri, 10 Nov 2017, Harald Dunkel via FreeIPA-users wrote:
> > >
> > >ipa-getkeytab failed with
> > >
> > > Failed to parse result: PrincipalName not found.
> > >
> > >I would have expected it to create the principal on the fly.
> > ipa-getkeytab does not create principal. It creates key for an existing
> > principal.
> >
> Do you think a one-shot solution could be implemented? I mean, the
> whole ipa-client-install can be run remotely, using just a single
> command line. That's great. It would be pretty cool if a service
> principal and the appropriate keytab file entry could be created
> within one step as well.
You can implement that yourself since IPA CLI is always part of the
rpms/debs where ipa-client-install is located. However, we would
probably avoid adding this by default because we try to keep actions
separated: adding an object to IPA and enrolling an existing object are
two distinct actions from a security point of view and we'd like to keep
it this way.
There is a ticket for a future release to allow users to have a quota on
objects they could create themselves (say, up to 10 hosts). We aren't
there yet.
--
/ Alexander Bokovoy
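
A wrapper along the lines suggested in the reply above, as an added example that is not part of the original thread and not FreeIPA's own code. It keeps the two actions as separate functions (add the service object, then request a key for it); the function names, host names and keytab path are hypothetical, and it assumes an enrolled client, a principal given without a realm suffix, and a ticket for a user allowed to add services.

```shell
#!/bin/sh
# Added example: one command line that still performs two distinct IPA actions.

# Accept only "service/fqdn" built from safe characters (no realm suffix).
valid_principal() {
    case "$1" in
        ''|/*|*/|*/*/*|*[!A-Za-z0-9._/-]*) return 1 ;;
        */*.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Action 1: add the service object to IPA only if it does not exist yet.
ensure_service() {
    ipa service-show "$1" >/dev/null 2>&1 || ipa service-add "$1"
}

# Action 2: request a key for the (now existing) principal.
# Arguments: principal, IPA server, keytab path. umask keeps the file private.
fetch_keytab() {
    ( umask 077; ipa-getkeytab -s "$2" -p "$1" -k "$3" )
}

# Run both actions in order; distinct return codes show which step failed.
provision() {
    valid_principal "$1" || { echo "bad principal: $1" >&2; return 2; }
    klist -s || { echo "no Kerberos ticket; run kinit first" >&2; return 3; }
    ensure_service "$1" || return 4
    fetch_keytab "$1" "$2" "$3" || return 5
}

# Runs only when called with three arguments, for example (constructed names):
#   ./add-service-keytab.sh HTTP/web1.example.test ipa.example.test /etc/httpd/http.keytab
if [ "$#" -eq 3 ]; then provision "$@"; fi
```

By default ipa-getkeytab generates a new key, so any keytab previously issued for the same principal stops working; run the wrapper once per service rather than on every deployment.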