5.6. Performing a Two-Administrator Enrollment
ipa-client-install command. It is also possible to perform those steps separately; this allows for administrators to prepare machines and the IdM server configuration in advance of actually configuring the clients. This allows more flexible setup scenarios, including bulk deployments.
ipa-client-install command and allowing it to create the host. However, that administrator may have the right to run the command after a host entry exists. In that case, one administrator can create the host entry manually, then the second administrator can complete the enrollment by running the
- An administrator creates the host entry, as described in Section 5.4.2, “Other Examples of Adding a Host Entry”.
- The second administrator installs the IdM client packages on the machine, as in Section 5.3, “Configuring a Linux System as an IdM Client”.
- When the second administrator runs the setup script, he must pass his Kerberos password and username (principal) with the ipa-client-install command. For example:
$ ipa-client-install -w secret -p admin2
- The keytab is generated on the server and provisioned to the client machine, so that the client machine is now able to connect to the IdM domain. The keytab is saved with root:root ownership and 0600 permissions.
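After enrollment, the keytab's ownership and permissions stated above can be verified on the client. The following is an added example, not part of the original guide or of IdM itself; the function name check_keytab is hypothetical, the path /etc/krb5.keytab in the usage comment is assumed to be the system keytab location, and GNU stat and od are assumed to be available.

```shell
#!/bin/sh
# Added example: audit a provisioned keytab (GNU stat and od assumed).
# Usage (assumed default path): check_keytab /etc/krb5.keytab
# check_keytab FILE [UID:GID] returns 0 only if every check passes.
check_keytab() {
    kt=$1
    want_owner=${2:-0:0}    # root:root expressed as numeric uid:gid
    rc=0

    # Must be a regular file, not a symlink that could point elsewhere.
    if [ -L "$kt" ] || [ ! -f "$kt" ]; then
        echo "FAIL: $kt is missing or not a regular file"
        return 1
    fi

    owner=$(stat -c '%u:%g' "$kt")
    mode=$(stat -c '%a' "$kt")
    magic=$(od -An -tx1 -N2 "$kt" | tr -d ' \n')

    if [ "$owner" != "$want_owner" ]; then
        echo "FAIL: owner is $owner, expected $want_owner"; rc=1
    fi
    # 0600: readable and writable by the owner only.
    if [ "$mode" != "600" ]; then
        echo "FAIL: mode is $mode, expected 600"; rc=1
    fi
    # MIT keytab files start with 0x05 followed by format version 0x01 or 0x02.
    case $magic in
        0501|0502) ;;
        *) echo "FAIL: not a keytab (header bytes: ${magic:-none})"; rc=1 ;;
    esac

    [ "$rc" -eq 0 ] && echo "OK: $kt"
    return "$rc"
}
```

A keytab that is group- or world-readable lets any local account that can read it authenticate as the host principal, so a failed mode or owner check should be treated as a credential exposure.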