<html> <head> <meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type"> </head> <body text="#000000" bgcolor="#FFFFFF"> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 thanks for the confirmation earlier Rob, that does make a lot of sense. am I right in assuming that to run the following, would not work with a host principle? Presumably I'd need admin priviledges to create a service principle for a host. ipa service-add HTTP/$(hostname) I will be giving this a go for testing sake tonight. Dale On 02/08/2012 04:00 PM, Rob Crittenden wrote: > Dale Macartney wrote: >> > Hi JR > > I agree with your statement of acceptable risk.. this is my main reason > for questioning.. > > The ideal situation would be to run this as a satellite kickstart > snippet for provisioning with kickstart profiles... That way I can > utilize the existing provisioning platform for everything. > > At the moment everything is in dev using scripted kickstarts for testing. > > > A host should be able to get keytabs for its own services so you should be able to kinit to the host service principal in /etc/keytab and use ipa-getkeytab. > > > rob > > > Dale > > > > On 02/08/2012 03:33 PM, JR Aquino wrote: > >>> If you are really trying to go the route of using the password, the > best way to accomplish that is to procedurally ADD the host ahead of > time with the -random flag to generate a one-time-pass. Then insert that > 1 time password dynamically into the kickstart script. > >>> > >>> If you want to approach the problem from a technical side and not > procedural... I don't suppose you have Puppet ? > >>> > >>> You can utilize puppet to deploy a 'host provisioning' keytab that you > then kinit -kt before issuing the other commands that require > authentication. When it is finished, delete the keytab. > >>> > >>> The problem with authentication and complete hands off automation is > that you always have to whittle it down to an area of acceptable risk > with lots of compensating controls and logging. > >>> > >>> > >>> On Feb 8, 2012, at 6:44 AM, Dale Macartney wrote: > >>> > >>> > > >>> Hi Simo > >>> > >>> ipa-client-install is provided by the ipa-client rpm. Details below > >>> > >>> Name : ipa-client > >>> Arch : x86_64 > >>> Version : 2.1.3 > >>> Release : 9.el6 > >>> Size : 222 k > >>> Repo : installed > >>> > >>> > >>> What I am trying to achieve is these two commands in a post... > >>> > >>> ipa service-add HTTP/$(hostname) > >>> this definitely requires an authenticated user to add i'm sure > >>> > >>> > >>> ipa-getkeytab -s ds01.example.com -p HTTP/$(hostname) -k > >>> /etc/squid/krb5.keytab > >>> this one I suspect might be able to be retrieved using the host/ > >>> principle from the system after running ipa-client-install. > >>> > >>> > >>> Does this help paint a picture? > >>> > >>> > >>> Dale > >>> > >>> > >>> On 02/08/2012 01:49 PM, Simo Sorce wrote: > >>> >>> On Wed, 2012-02-08 at 11:13 +0000, Dale Macartney wrote: > >>> >>>> -----BEGIN PGP SIGNED MESSAGE----- > >>> >>>> Hash: SHA1 > >>> >>>> > >>> >>>> morning all... > >>> >>>> > >>> >>>> i'm dabbling with automated provisioning of ipa client servers, > and i'm > >>> >>>> a little perplexed on how to add a keytab to a system during the > %post > >>> >>>> section of a kickstart... > >>> >>>> > >>> >>>> i've run ipa-client-install -U -p admin -w redhat123 which works > >>> >>>> perfect, but in order to run ipa-getkeytab i need a tgt, which > doesn't > >>> >>>> appear to be generated during the ipa-client-install. > >>> >>>> > >>> >>>> any suggestions on doing this during a post? > >>> >>> > >>> >>> What version of ipa-client-install are you using ? > >>> >>> > >>> >>> Newer versions (2.x) should fetch a keytab for your system (needs > >>> >>> credentials or OTP password. > >>> >>> > >>> >>> Simo. > >>> >>> > >>> > > >>> > > <0xB5B41FAA.asc><0xB5B41FAA.asc.sig>_______________________________________________ > >>> > Freeipa-users mailing list > >>> > <a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> > >>> > <a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a> > >>> >> >> >> >> _______________________________________________ >> Freeipa-users mailing list >> <a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> >> <a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a> > -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Mozilla - <a class="moz-txt-link-freetext" href="http://enigmail.mozdev.org/">http://enigmail.mozdev.org/</a> iQIcBAEBAgAGBQJPMp15AAoJEAJsWS61tB+qHAAP/0oHXXxjZVBO0phBL5+4usEx pho8Rtmx+WlDxl0IQEQQK4mp3aAdgr2LQRxIu+7Q3pU72dJHAbID2S+gUh6qJbd7 WZNLHfst0WVmWfcEquufwFQDEe9OuPoxtLgiR6wWPcTab8ip4KlIoa5dcy77Rv5s 9cUbrtq3qA/tcHHUKQ2qNoIYCQvZOgRJ1VUahfwuCRoTWxWSjaz1tJCrcKrARzie w1cl/Gs5O7pPET6s+LMf7NWYD5AfMxwANRpi7/WusM1vVMWU64BI1S21dqynALvy HfSBmTYfHJoD5gdgLZNmaaq87ygpPcgVt9fD4+d+UgeJGsVzwtj/JCbQldVUF/G7 SUxrd1EoE0idr81Pe56yYhTZQHwXCVhBeYK/Fd6QFok00phTjhs3hrZ+y38PWCwv 1lXjIrTb0a58pvQl46hDbsJlHZ88guQ3911U7t7gMkNn8BeXIc7CSzbmnKoyjv+Y hmJ+I0e8Zhmby2WUTZuZMm1Fnw0ddrJBpln2/QCpTxhEID0QW6J4S1jYRsSCAP4Q lgpnFYo4MJyShOUl445YsPYzX4ZSVXdjceXT1NZgd2liExVnbbmotVJy9SKnE9QA ufI0pYTHiYHn4X17mBGVSgNOE4Hj/KFHSMLsecZi+f+JKGyo/ys+deTqqKTMuK0t 4IueTfkeM50INgD6L9pr =p5cG -----END PGP SIGNATURE----- </body> </html>