Matt . wrote:
> The issue you get here is that the IPA client is not enrolled anymore
> when you did an uninstall of the client before the IPA install on that
> "previous" client which needs to be client again after the IPA install
> on it.
>
> This sounds messy but could be ideal for some situations of user access
> on systems.

Installing an IPA master configures it as a client for that master, there is no way around it. You can't (or shouldn't) mix and match discrete IPA installations.

Eventually there will be intra-IPA trust which will do what I think you are looking for.

rob

>
> 2017-04-07 23:24 GMT+02:00 Rob Crittenden <[email protected]>:
>> Matt . wrote:
>>> Nope, I provision my servers and they are added to my FreeIPA
>>> environment which auths my system admins. But on a server I provisioned
>>> I need to install FreeIPA as well, but without dns and ca, so it's
>>> doing ldap only actually.
>>>
>>> When I want to install FreeIPA server on this IPA client it tells me
>>> (which is logical):
>>>
>>> ipa.ipapython.install.cli.install_tool(Server): ERROR IPA client is
>>> already configured on this system.
>>> Please uninstall it before configuring the IPA server, using
>>> 'ipa-client-install --uninstall'
>>>
>>> So what I want to do is install FreeIPA server on it but using local
>>> system accounts to be auth against the former IPA server the client
>>> was assigned to.
>>>
>>> So:
>>>
>>> IPA01 gets a host which is LDAP01 but LDAP01 needs to be installed
>>> with FreeIPA (no dns and CA) as well but I want to have local
>>> sysaccounts that login to cli and such auth against IPA01 after it's
>>> installed with FreeIPA and the client config for sssd is not there
>>> anymore because of the 'ipa-client-install --uninstall'
>>
>> Still very confusing. LDAP has nothing to do with this. IPA is always at
>> least LDAP + Kerberos + Apache + a few other minor services. So it's
>> better to just say no DNS and no CA, though that isn't really relevant
>> since those are always optional.
>>
>> It sounds like what you want to do is, on the same box, install IPA
>> server and configure the local machine to point to a DIFFERENT IPA
>> server for user/group lookups?
>>
>> You might be able to do it via sssd but it would be an unsupportable
>> nightmare.
>>
>> rob
>>
>>>
>>> 2017-04-07 23:11 GMT+02:00 Rob Crittenden <[email protected]>:
>>>> Matt . wrote:
>>>>> When I have a full ipa setup and I want to add a host to it that is
>>>>> installed or needs to be installed as IPA LDAP server only, is that
>>>>> possible?
>>>>
>>>> If you're asking if only 389-ds can be configured on an IPA server, no,
>>>> not using any IPA tools in any case.
>>>>
>>>>> Of course the ipa-server-install complains that the agent is already
>>>>> configured on the host but there might be a way? Or just copy the
>>>>> config back faster the IPA LDAP only server is installed?
>>>>
>>>> I don't understand. Seeing the error message and commands might help.
>>>>
>>>> rob
>>>>
>>

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
