With recent improvements in MIT KRB5 and the planned move from NSS to OpenSSL on the client side, it became feasible to remove the need for /etc/krb5.conf and /etc/ipa/nssdb. It should even be possible to remove all IPA-related configuration completely in order to make unenrolled clients truly zero config (sans CA).
default_realm
kinit user
_kerberos.ipa.example
kinit user@IPA.EXAMPLE
libdefaults
ipaclient.ipadiscovery.IPADiscovery can auto-discover server, KDC, LDAP etc. The KDC auto-discovery feature uses the old SRV lookup on _kerberos._udp 88, though. It needs to be enhanced to perform URI lookup.
api.confdir
api.conf_default
API
/etc/ipa/ca.crt
from ipalib import api
api.bootstrap(autodiscover=True)
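The URI lookup mentioned above uses MIT krb5's `krb5srv:flags:transport:residual` record format, published on `_kerberos.REALM`. The following is an added example, not FreeIPA code: it parses already-resolved URI answers and orders the usable KDC endpoints. The function names, the HTTPS-only rule for `kkdcp`, the weight tie-break and the sample records are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple
from urllib.parse import urlsplit

DEFAULT_KDC_PORT = 88

@dataclass(frozen=True)
class KdcEndpoint:
    priority: int
    weight: int
    master: bool      # "m" flag set in the record
    transport: str    # "udp", "tcp" or "kkdcp"
    target: str       # "host:port" for udp/tcp, HTTPS URL for kkdcp

def parse_krb5srv(priority: int, weight: int, value: str) -> Optional[KdcEndpoint]:
    """Parse one URI target; return None for anything malformed or unsafe."""
    parts = value.split(":", 3)
    if len(parts) != 4 or parts[0].lower() != "krb5srv":
        return None
    _, flags, transport, residual = parts
    transport = transport.lower()
    if transport == "kkdcp":
        # Assumption of this example: only accept a TLS-protected KDC proxy.
        url = urlsplit(residual)
        if url.scheme != "https" or not url.hostname:
            return None
        target = residual
    elif transport in ("udp", "tcp"):
        # host[:port]; bare IPv6 literals are not handled here and are rejected.
        host, sep, port = residual.partition(":")
        if not host or (sep and not (port.isdecimal() and 0 < int(port) < 65536)):
            return None
        target = f"{host}:{int(port) if sep else DEFAULT_KDC_PORT}"
    else:
        return None
    return KdcEndpoint(priority, weight, "m" in flags.lower(), transport, target)

def usable_kdcs(records: Iterable[Tuple[int, int, str]]) -> List[KdcEndpoint]:
    """Lowest priority first; weight is used as a simple tie-break here."""
    parsed = (parse_krb5srv(*rec) for rec in records)
    return sorted((e for e in parsed if e), key=lambda e: (e.priority, -e.weight))

# Constructed sample answers (priority, weight, target) for _kerberos.ipa.example
SAMPLE = [
    (10, 1, "krb5srv:m:tcp:ipa1.ipa.example"),
    (20, 1, "krb5srv::udp:ipa2.ipa.example:89"),
    (30, 1, "krb5srv::kkdcp:https://ipa1.ipa.example/KdcProxy"),
    (5, 1, "krb5srv::kkdcp:http://ipa1.ipa.example/KdcProxy"),  # plaintext proxy
    (1, 1, "ldap://ipa1.ipa.example"),                          # not a krb5srv URI
]
```

Because these records arrive over DNS, a zero-config client still needs the CA certificate to authenticate whatever endpoint it selects.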
topic for 4.6
Metadata Update from @cheimes: - Issue assigned to someone - Issue set to the milestone: Future Releases
Metadata Update from @cheimes: - Custom field affects_doc reset - Custom field component reset - Custom field rhbz reset - Custom field type reset - Issue close_status updated to: None - Issue set to the milestone: None (was: Future Releases) - Issue tagged with: integration
Metadata Update from @pvoborni: - Custom field affects_doc reset - Custom field tester adjusted to wanted - Issue set to the milestone: FreeIPA 4.7
Metadata Update from @rcritten: - Issue set to the milestone: FreeIPA 4.7.1 (was: FreeIPA 4.7)
FreeIPA 4.7 has been released, moving to FreeIPA 4.7.1 milestone
Closed https://pagure.io/freeipa/issue/6389 as duplicate of this.