Purpose:
It should also help to understand the "container use-case": which part of the installation is necessary for which component.
Here is a part of related mail communication:
I'm not a FreeIPA developer but I'll try to describe what ipa-client-install does.

- time synchronisation && configure ntp (can be disabled with --no-ntp). In my opinion ntp/chrony should run in a separate container
- download keytab for host /etc/krb5.keytab
- generate krb5 /etc/krb5.conf
- download certificate from IPA server
- configure ipa defaults (/etc/ipa/default)
- generate sssd.conf (/etc/sssd.conf)
- configure certmonger
- configure pam stack
- create openldap configuration (/etc/openldap/ldap.conf)

ipa-client-install also touches some other configuration files. Here is a list of arguments for disabling such features (copy & paste):

- --no-nisdomain  do not configure NIS domain name
- --no-ssh  do not configure OpenSSH client
- --no-sshd  do not configure OpenSSH server
- --no-sudo  do not configure SSSD as data source for sudo
- --no-dns-sshfp  do not automatically create DNS SHFP records

After this description I realized you might want to share krb5.conf and krb5.keytab between the sssd-container and the host. You can prepare an image with ipa-client installed and run ipa-client in a container created from this image. "docker diff" should show you all changed/created files.
It should be mentioned that setting "nisdomainname" is necessary for sudo and not for sssd.
RHEL documentation can be useful for a start as well.
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/linux-manual.html
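The "docker diff" suggestion from the quoted mail, as an added example that is not part of the original ticket or of FreeIPA's own tooling: it groups changed files by the ipa-client-install step that likely produced them. The sample diff is constructed, and paths marked "(assumed)" are common default locations that the mail does not name.

```shell
#!/bin/sh
# Added example (not FreeIPA code): group `docker diff` output by the
# ipa-client-install step that most likely produced each change.

# Map one path to a component. "(mail)" = path named in the quoted mail,
# "(assumed)" = common default location, verify on your distribution.
classify_path() {
  case "$1" in
    /etc/krb5.keytab|/etc/krb5.conf) echo kerberos ;;    # (mail)
    /etc/ipa/*)                      echo ipa ;;         # (mail) ipa defaults
    /etc/sssd.conf|/etc/sssd/*)      echo sssd ;;        # (mail) + (assumed) dir
    /etc/openldap/*)                 echo openldap ;;    # (mail)
    /etc/pam.d/*)                    echo pam ;;         # (assumed)
    /var/lib/certmonger/*)           echo certmonger ;;  # (assumed)
    /etc/ssh/*)                      echo ssh ;;         # (assumed) --no-ssh, --no-sshd
    *)                               echo other ;;
  esac
}

# Read `docker diff` lines ("A|C|D <path>") on stdin and print
# "component<TAB>change<TAB>path", sorted by component.
group_diff() {
  while read -r change path; do
    [ -n "$path" ] || continue
    printf '%s\t%s\t%s\n' "$(classify_path "$path")" "$change" "$path"
  done | LC_ALL=C sort
}

# List added/changed files of one component, e.g. the candidates for a
# volume shared between the host and an sssd container.
paths_for() {
  group_diff | awk -F '\t' -v c="$1" '$1 == c && $2 != "D" { print $3 }'
}

# Constructed sample; in practice: docker diff <container> | group_diff
SAMPLE_DIFF='C /etc
A /etc/krb5.keytab
C /etc/krb5.conf
A /etc/ipa/default.conf
A /etc/sssd/sssd.conf
C /etc/openldap/ldap.conf
C /etc/pam.d/system-auth
A /var/lib/certmonger/requests/sample-request
C /etc/ssh/ssh_config'

printf '%s\n' "$SAMPLE_DIFF" | group_diff
```

/etc/krb5.keytab holds the host's long-term Kerberos keys, so anything listed under kerberos should be shared read-only and only with the container that needs it.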
Processing leftovers from 4.2 backlog - this ticket was found as suitable for consideration in next big feature release - 4.4.
Metadata Update from @lslebodn: - Issue assigned to someone - Issue set to the milestone: FreeIPA 4.5 backlog
Metadata Update from @rcritten: - Issue close_status updated to: None - Issue tagged with: documentation