Bug 791077

Summary: Clarify some things in ipa documentation in section 9.3.1
Product: Red Hat Enterprise Linux 6
Reporter: Rob Crittenden <rcritten>
Component: doc-Identity_Management_Guide
Assignee: Deon Ballard <dlackey>
Status: CLOSED CURRENTRELEASE
QA Contact: ecs-bugs
Severity: unspecified
Priority: unspecified
Version: 6.2
CC: jskeoch
Target Milestone: rc
Keywords: Documentation
Target Release: 6.3
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2012-06-21 23:15:13 UTC

Description Rob Crittenden 2012-02-16 04:38:53 UTC
Description of problem:

Some suggestions from freeipa-users mailing list (and my response).

> Sort of minor but I find the following a bit inconsistent,
> 
> I am looking at section 9.3.1, item no 3
> 
> I think it should say,
> 
> 3. Generate the nfs service keytab, there are two methods,
> 
> i) On the NFS server, with this command "etc etc"
> 
> ii) On a different machine do a)....b)...c)...d)

The distinction is really "whether the machine has ipa-getkeytab or not." The NFS server could be a Solaris machine in which case you'd have to do all this elsewhere.

I think this is trying to say "if your NFS server is a Linux machine you can directly update /etc/krb5.keytab with these keys and be done with it."

Perhaps a little more language about this distinction would help.

> 
> For your b) you say "Copy over to the NFS host machine" where earlier you said NFS server, and you repeat this in d). For consistency it should be "server"; it certainly slows my understanding down when I see such things being mixed up....

Yup, I agree.

> 
> I also see under 6.5.1 point 6 that there is an ipa-getkeytab command, but as per NFS is that run on the server that is providing the service, or on the IPA server? I find it unclear....... Thinking about it, it's on the target server offering the service I think you are saying, but by then I've lost my train of thought....

ipa-getkeytab can be run anywhere for any service. It is just more convenient to run it on the target machine because then you don't have to move around keytabs (and do the nasty work in 9.3.1.3 d).

We also should probably mention that you need a Kerberos ticket to run ipa-getkeytab. It may get a bit cumbersome to mention it EVERY single time though, not sure what the best route is.
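
The distinction discussed above, as an added shell example that is not part of the bug report or of the Identity Management Guide: it checks whether ipa-getkeytab is available and whether a Kerberos ticket exists before requesting the nfs service keys. The hostnames and the function names are assumptions.

```shell
#!/bin/sh
# Added example. IPA_SERVER and NFS_HOST are placeholder hostnames (assumptions).
IPA_SERVER="${IPA_SERVER:-ipaserver.example.com}"
NFS_HOST="${NFS_HOST:-nfs.example.com}"

# "direct": this machine has ipa-getkeytab, so the keys can go straight
# into the target keytab (e.g. /etc/krb5.keytab on a Linux NFS server).
# "elsewhere": no ipa-getkeytab here (e.g. a Solaris NFS server); generate
# the keytab on another machine and copy it over to the NFS server.
keytab_method() {
    if command -v ipa-getkeytab >/dev/null 2>&1; then
        echo direct
    else
        echo elsewhere
    fi
}

# klist -s is silent and exits non-zero when there is no credential
# cache or the tickets in it have expired.
have_ticket() {
    klist -s >/dev/null 2>&1
}

# get_nfs_keytab <keytab-file>
# Returns 3 if ipa-getkeytab is missing, 2 if there is no Kerberos ticket,
# otherwise the exit status of ipa-getkeytab.
get_nfs_keytab() {
    keytab="$1"
    if [ "$(keytab_method)" != direct ]; then
        echo "ipa-getkeytab not found: run this on a machine that has it" >&2
        return 3
    fi
    if ! have_ticket; then
        echo "no valid Kerberos ticket: run kinit first" >&2
        return 2
    fi
    # Subshell so the restrictive umask does not leak into the caller;
    # a newly created keytab is then readable by its owner only.
    ( umask 077
      ipa-getkeytab -s "$IPA_SERVER" -p "nfs/$NFS_HOST" -k "$keytab" )
}

# Usage: sh script.sh run [keytab-file]
if [ "${1:-}" = run ]; then
    get_nfs_keytab "${2:-/etc/krb5.keytab}"
fi
```

When the keytab is generated on a different machine, treat the resulting file as a secret while it is moved to the NFS server.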

Comment 4 Deon Ballard 2012-04-17 16:49:50 UTC
Link:
http://documentation-stage.bne.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/kerb-nfs.html#krb-nfs-server

As for kinit'ing before running every command -- I've been trying to update CLI procedures as I touch them. I haven't made it a super high priority, but I'm trying to do it incrementally, at least by adding kinit admin or whatever to the example. And I added this section to the tools usage chapter:
http://documentation-stage.bne.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/basic-usage.html#cmd-usage-kinit

Comment 6 Deon Ballard 2012-06-21 23:15:13 UTC
Closing.