5.6. Performing a Two-Administrator Enrollment
Enrolling machines as clients in the IdM domain is a two-part process. A host entry is created for the client (and stored in the 389 Directory Server instance), and then a keytab is created to provision the client.
Both parts are performed automatically by the
ipa-client-installcommand. It is also possible to perform those steps separately; this allows for administrators to prepare machines and the IdM server configuration in advance of actually configuring the clients. This allows more flexible setup scenarios, including bulk deployments.
When performing a manual enrollment, the host entry is created separately, and then enrollment is completed when the client script is run, which creates the requisite keytab.
There are two ways to set the password. You can either supply your own or have IdM generate a random one.
There may be a situation where an administrator in one group is prohibited from creating a host entry and, therefore, from simply running the
ipa-client-installcommand and allowing it to create the host. However, that administrator may have the right to run the command after a host entry exists. In that case, one administrator can create the host entry manually, then the second administrator can complete the enrollment by running the
- An administrator creates the host entry, as described in Section 5.4.2, “Other Examples of Adding a Host Entry”.
- The second administrator installs the IdM client packages on the machine, as in Section 5.3, “Configuring a Linux System as an IdM Client”.
- When the second administrator runs the setup script, he must pass his Kerberos password and username (principal) with the
ipa-client-installcommand. For example:
$ ipa-client-install -w secret -p admin2
- The keytab is generated on the server and provisioned to the client machine, so that the client machine is not able to connect to the IdM domain. The keytab is saved with
root:rootownership and 0600 permissions.