On Fri, Mar 28, 2008 at 12:40:59AM -0400, Perry N. Myers wrote:
> Right now the host-keyadd daemon and some of the python utility scripts
> use kadmin.local to do things like create host principals for the ovirt
> managed hosts. This makes it so the ipa and ovirt servers need to be on
> the same box.
>
> I was thinking that it would make more sense to generate a keytab for the
> ovirt mgmt host and grant that principal privileges to kadmin running on
> the ipa server. Then the ovirt daemons can use kadmin instead of
> kadmin.local.
>
> The developer install would just need to have a few more things scripted
> to create the principal and keytab. And we'd have to provide instructions
> for doing this for the production install.
>
> Is this the right path to go down, or should we be doing something else?
> If people think this is reasonable, I'll make the changes.
>
FWIW the IPA guys say using kadmin kills kittens and we should be
using their ipa-* scripts instead... that doesn't necessarily change
the general outline of what you're doing, but the implementation is
going to be a little different...
--H