#3960 [RFE] ipa-client command cannot be run on machine that is not enrolled
Closed: wontfix 5 years ago Opened 10 years ago by admiyo.

If an IPA server is managing a remote deployment, a user with a machine that is not enrolled as an IPA client cannot execute command line operations. Even if the user has a valid TGT and the CA cert, and they have modified the /etc/ipa/default.conf file, the CLI still states that the machine is not an ipa-client. Ideally, a user would be able to run the IPA client commands with nothing but a valid TGT and environment variables for all the other options.


Why? What is the use case? If you can run all other things, why can't you just enrol the system?

Have you tried creating a host entry for this host?

Cloud use case: I have multiple clouds, and each has their own IPA instance. The VM belongs to the cloud, but my identity does not. For example, as an IT guy, I am responsible for finding the best deal for service when deploying a new VM. I have contracts with: Amazon, Rackspace, Dream Host, Verizon, and I have a couple private cloud deployments as well. Assuming each remote cloud has an IPA instance, I want to do: kinit ayoung@<CLOUDPROVIDER> and then ipa host-create to that cloud provider. My laptop is not controlled by the cloud provider, it is enrolled in the IT domain for my company.

You would have to be an admin in each cloud.

The workaround is to do it from within any of your cloud machines. So it is really a convenience optimization, right?

Adam, can you please comment on this one?

Starting to shape next release

This would be possible by adding a new flag to ipa-client-install that would not configure SSSD or certmonger and would not get a keytab for the system, and then the check for the keytab needs to be removed.

FreeIPA 4.2 was already shaped (see [[milestone:FreeIPA 4.2]] milestone), this does not fit. Pushing out.

If anyone is willing to help and contribute to this one, please let us know!

Metadata Update from @admiyo:
- Issue assigned to someone
- Issue set to the milestone: Future Releases

7 years ago

It's now possible to use the IPA command without enrolling a host. You need to set IPA_CONFDIR to a directory with default.conf and ca.crt for your server, as well as KRB5_CONFIG to a krb5.conf for the realm.

Note: document the feature before closing the bug.

Metadata Update from @cheimes:
- Issue close_status updated to: None

5 years ago
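The setup described in the comment above, as an added example that is not code from the ticket or from FreeIPA itself: two shell functions that build an IPA_CONFDIR (default.conf plus ca.crt) and a single-realm KRB5_CONFIG so the ipa CLI can be pointed at a remote server from an un-enrolled machine. The server name, domain and realm are assumed placeholder values, and the CA certificate must already have been obtained from the server.

```shell
#!/bin/sh
# Added example, not code from the ticket or from FreeIPA: build the config
# directory and krb5.conf that IPA_CONFDIR / KRB5_CONFIG point at.
# Host, domain and realm names used here are assumed placeholders.
set -eu

# make_ipa_confdir DIR SERVER DOMAIN REALM CA_CERT
# Writes DIR/default.conf and copies the server's CA cert to DIR/ca.crt.
# Refuses to build a confdir without the CA cert, since the TLS connection
# to the server would otherwise go unverified.
make_ipa_confdir() {
    dir=$1; server=$2; domain=$3; realm=$4; ca=$5
    [ -r "$ca" ] || { echo "CA certificate not readable: $ca" >&2; return 1; }
    mkdir -p "$dir"
    cp "$ca" "$dir/ca.crt"
    # basedn follows the domain: cloud.example.test -> dc=cloud,dc=example,dc=test
    basedn=$(printf '%s\n' "$domain" | sed -e 's/^/dc=/' -e 's/\./,dc=/g')
    cat > "$dir/default.conf" <<EOF
[global]
basedn = $basedn
realm = $realm
domain = $domain
server = $server
xmlrpc_uri = https://$server/ipa/xml
EOF
}

# make_krb5_conf FILE REALM KDC_HOST
# Minimal krb5.conf for one realm, with the KDC pinned rather than DNS-located.
make_krb5_conf() {
    file=$1; realm=$2; kdc=$3
    domain=$(printf '%s\n' "$realm" | tr '[:upper:]' '[:lower:]')
    cat > "$file" <<EOF
[libdefaults]
  default_realm = $realm
  dns_lookup_kdc = false
[realms]
  $realm = {
    kdc = $kdc:88
    admin_server = $kdc:749
  }
[domain_realm]
  .$domain = $realm
  $domain = $realm
EOF
}

# Usage, with the cloud's CA certificate already downloaded to ./ca.crt:
#   make_ipa_confdir "$HOME/.ipa/cloud" ipa.cloud.example.test cloud.example.test CLOUD.EXAMPLE.TEST ./ca.crt
#   make_krb5_conf "$HOME/.ipa/cloud/krb5.conf" CLOUD.EXAMPLE.TEST ipa.cloud.example.test
#   export IPA_CONFDIR="$HOME/.ipa/cloud" KRB5_CONFIG="$HOME/.ipa/cloud/krb5.conf"
#   kinit ayoung@CLOUD.EXAMPLE.TEST && ipa host-find
```

Keeping one such directory per cloud and switching the two environment variables is what lets one laptop identity talk to several independent IPA realms without enrolling in any of them.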

Thank you for taking the time to submit this request for FreeIPA. Unfortunately this bug was not given priority and the team lacks the capacity to work on it at this time.

Given that we are unable to fulfil this request I am closing the issue as wontfix. To request reconsideration of this decision please reopen this issue and provide additional technical details about its importance to you.

Metadata Update from @rcritten:
- Issue close_status updated to: wontfix
- Issue status updated to: Closed (was: Open)

5 years ago
