Hi Rob,

As you say I figured out the same indeed and tested to see what happens, no way around it (also cert stuff and so on). It would have been a workaround for... I'm looking forward to some intra-IPA trust in the future, would be awesome!
Thanks!

2017-04-09 4:09 GMT+02:00 Rob Crittenden <rcrit...@redhat.com>:
> Matt . wrote:
>> The issue you get here is that the IPA client is not enrolled anymore
>> when you did an uninstall of the client before the IPA install on that
>> "previous" client which needs to be client again after the IPA install
>> on it.
>>
>> This sounds messy but could be ideal for some situations of user access
>> on systems.
>
> Installing an IPA master configures it as a client for that master,
> there is no way around it.
>
> You can't (or shouldn't) mix and match discrete IPA installations.
> Eventually there will be intra-IPA trust which will do what I think
> you are looking for.
>
> rob
>
>>
>> 2017-04-07 23:24 GMT+02:00 Rob Crittenden <rcrit...@redhat.com>:
>>> Matt . wrote:
>>>> Nope, I provision my servers and they are added to my FreeIPA
>>>> environment which auths my sysadmins. But on a server I provisioned
>>>> I need to install FreeIPA as well, but without dns and ca, so it's
>>>> doing ldap only actually.
>>>>
>>>> When I want to install FreeIPA server on this IPA client it tells me
>>>> (which is logical):
>>>>
>>>> ipa.ipapython.install.cli.install_tool(Server): ERROR IPA client is
>>>> already configured on this system.
>>>> Please uninstall it before configuring the IPA server, using
>>>> 'ipa-client-install --uninstall'
>>>>
>>>> So what I want to do is install FreeIPA server on it but using local
>>>> system accounts to be auth against the former IPA server the client
>>>> was assigned to.
>>>>
>>>> So:
>>>>
>>>> IPA01 gets a host which is LDAP01 but LDAP01 needs to be installed
>>>> with FreeIPA (no dns and CA) as well but I want to have local
>>>> sysaccounts that login to cli and such auth against IPA01 after it's
>>>> installed with FreeIPA and the clientconfig for sssd is not there
>>>> anymore because of the 'ipa-client-install --uninstall'
>>>
>>> Still very confusing. LDAP has nothing to do with this. IPA is always at
>>> least LDAP + Kerberos + Apache + a few other minor services. So it's
>>> better to just say no DNS and no CA, though that isn't really relevant
>>> since those are always optional.
>>>
>>> It sounds like what you want to do is, on the same box, install IPA
>>> server and configure the local machine to point to a DIFFERENT IPA
>>> server for user/group lookups?
>>>
>>> You might be able to do it via sssd but it would be an unsupportable
>>> nightmare.
>>>
>>> rob
>>>
>>>>
>>>> 2017-04-07 23:11 GMT+02:00 Rob Crittenden <rcrit...@redhat.com>:
>>>>> Matt . wrote:
>>>>>> When I have a full ipa setup and I want to add a host to it that is
>>>>>> installed or needs to be installed as IPA LDAP server only, is that
>>>>>> possible?
>>>>>
>>>>> If you're asking if only 389-ds can be configured on an IPA server, no,
>>>>> not using any IPA tools in any case.
>>>>>
>>>>>> Of course the ipa-server-install complains that the agent is already
>>>>>> configured on the host but there might be a way? Or just copy the
>>>>>> config back faster the IPA LDAP only server is installed?
>>>>>
>>>>> I don't understand. Seeing the error message and commands might help.
>>>>>
>>>>> rob