<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<br>
-----BEGIN PGP SIGNED MESSAGE-----<br>
Hash: SHA1<br>
<br>
Thanks for the confirmation earlier, Rob, that does make a lot of
sense.<br>
<br>
Am I right in assuming that running the following would not work
with a host principal? Presumably I'd need admin privileges to
create a service principal for a host.<br>
<br>
ipa service-add HTTP/$(hostname)<br>
<br>
I will be giving this a go for testing's sake tonight.<br>
<br>
Dale<br>
<br>
<br>
<br>
<br>
On 02/08/2012 04:00 PM, Rob Crittenden wrote:<br>
<span style="white-space: pre;">> Dale Macartney wrote:<br>
>><br>
> Hi JR<br>
><br>
> I agree with your statement of acceptable risk.. this is my
main reason<br>
> for questioning..<br>
><br>
> The ideal situation would be to run this as a satellite
kickstart<br>
> snippet for provisioning with kickstart profiles... That way
I can<br>
> utilize the existing provisioning platform for everything.<br>
><br>
> At the moment everything is in dev using scripted kickstarts
for testing.<br>
><br>
> > A host should be able to get keytabs for its own
services so you should be able to kinit to the host service
principal in /etc/keytab and use ipa-getkeytab.<br>
><br>
> > rob<br>
><br>
><br>
> Dale<br>
><br>
><br>
><br>
> On 02/08/2012 03:33 PM, JR Aquino wrote:<br>
> >>> If you are really trying to go the route of
using the password, the<br>
> best way to accomplish that is to procedurally ADD the host
ahead of<br>
> time with the -random flag to generate a one-time-pass. Then
insert that<br>
> 1 time password dynamically into the kickstart script.<br>
> >>><br>
> >>> If you want to approach the problem from a
technical side and not<br>
> procedural... I don't suppose you have Puppet ?<br>
> >>><br>
> >>> You can utilize puppet to deploy a 'host
provisioning' keytab that you<br>
> then kinit -kt before issuing the other commands that require<br>
> authentication. When it is finished, delete the keytab.<br>
> >>><br>
> >>> The problem with authentication and complete
hands off automation is<br>
> that you always have to whittle it down to an area of
acceptable risk<br>
> with lots of compensating controls and logging.<br>
> >>><br>
> >>><br>
> >>> On Feb 8, 2012, at 6:44 AM, Dale Macartney
wrote:<br>
> >>><br>
> >>> ><br>
> >>> Hi Simo<br>
> >>><br>
> >>> ipa-client-install is provided by the ipa-client
rpm. Details below<br>
> >>><br>
> >>> Name : ipa-client<br>
> >>> Arch : x86_64<br>
> >>> Version : 2.1.3<br>
> >>> Release : 9.el6<br>
> >>> Size : 222 k<br>
> >>> Repo : installed<br>
> >>><br>
> >>><br>
> >>> What I am trying to achieve is these two
commands in a post...<br>
> >>><br>
> >>> ipa service-add HTTP/$(hostname)<br>
> >>> this definitely requires an authenticated user
to add i'm sure<br>
> >>><br>
> >>><br>
> >>> ipa-getkeytab -s ds01.example.com -p
HTTP/$(hostname) -k<br>
> >>> /etc/squid/krb5.keytab<br>
> >>> this one I suspect might be able to be retrieved
using the host/<br>
> >>> principal from the system after running
ipa-client-install.<br>
> >>><br>
> >>><br>
> >>> Does this help paint a picture?<br>
> >>><br>
> >>><br>
> >>> Dale<br>
> >>><br>
> >>><br>
> >>> On 02/08/2012 01:49 PM, Simo Sorce wrote:<br>
> >>> >>> On Wed, 2012-02-08 at 11:13 +0000,
Dale Macartney wrote:<br>
> >>> >>>> -----BEGIN PGP SIGNED
MESSAGE-----<br>
> >>> >>>> Hash: SHA1<br>
> >>> >>>><br>
> >>> >>>> morning all...<br>
> >>> >>>><br>
> >>> >>>> i'm dabbling with automated
provisioning of ipa client servers,<br>
> and i'm<br>
> >>> >>>> a little perplexed on how to
add a keytab to a system during the<br>
> %post<br>
> >>> >>>> section of a kickstart...<br>
> >>> >>>><br>
> >>> >>>> i've run ipa-client-install -U
-p admin -w redhat123 which works<br>
> >>> >>>> perfect, but in order to run
ipa-getkeytab i need a tgt, which<br>
> doesn't<br>
> >>> >>>> appear to be generated during
the ipa-client-install.<br>
> >>> >>>><br>
> >>> >>>> any suggestions on doing this
during a post?<br>
> >>> >>><br>
> >>> >>> What version of ipa-client-install
are you using ?<br>
> >>> >>><br>
> >>> >>> Newer versions (2.x) should fetch a
keytab for your system (needs<br>
> >>> >>> credentials or OTP password).<br>
> >>> >>><br>
> >>> >>> Simo.<br>
> >>> >>><br>
> >>> ><br>
> >>> ><br>
> _______________________________________________<br>
> >>> > Freeipa-users mailing list<br>
> >>> > <a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a><br>
> >>> >
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
> >>><br>
></span><br>
-----BEGIN PGP SIGNATURE-----<br>
Version: GnuPG v1.4.11 (GNU/Linux)<br>
Comment: Using GnuPG with Mozilla - <a class="moz-txt-link-freetext" href="http://enigmail.mozdev.org/">http://enigmail.mozdev.org/</a><br>
<br>
-----END PGP SIGNATURE-----<br>
<br>
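An added example, not from the thread or from FreeIPA itself, of the OTP-based flow the replies above sketch: an admin pre-creates the host with <code>ipa host-add --random</code> and its HTTP service, and the kickstart %post enrolls with the one-time password, kinits from the host keytab and fetches the service keytab, so no admin password is baked into the kickstart. It assumes the default host keytab at /etc/krb5.keytab and uses <code>ipa service-add-host</code> to let the host manage its own HTTP service; <code>ipa_cmd</code>, web01.example.com and the sample host-add output are constructed.<br>

```shell
#!/bin/sh
# Added example, not code from the thread: OTP-based enrollment built from the
# suggestions above. ds01.example.com and /etc/squid/krb5.keytab come from the
# thread; web01.example.com, the OTP value and ipa_cmd are constructed.

# Echo IPA commands (to stderr) instead of running them unless IPA_RUN=1, so
# the script can be read and exercised without an IPA server.
ipa_cmd() {
    if [ "${IPA_RUN:-0}" = 1 ]; then "$@"; else echo "+ $*" >&2; fi
}

# Extract the one-time password from 'ipa host-add --random' output, which
# prints a line of the form '  Random password: <otp>'. Empty if absent.
extract_otp() {
    sed -n 's/^[[:space:]]*Random password:[[:space:]]*//p' | head -n 1
}

# Admin side, run once per host with an admin TGT: add the host with a random
# OTP, create its HTTP service, and mark the host as managing that service so
# its own host keytab can fetch the service keytab later (assumed flow).
preprovision_host() {
    fqdn=$1
    otp=$(ipa_cmd ipa host-add "$fqdn" --random | extract_otp)
    ipa_cmd ipa service-add "HTTP/$fqdn"
    ipa_cmd ipa service-add-host "HTTP/$fqdn" --hosts="$fqdn"
    printf '%s\n' "$otp"
}

# Client side, in kickstart %post: join with the OTP (no admin credentials),
# get a TGT from the host keytab written by ipa-client-install, fetch the
# HTTP keytab for squid, then drop the ticket so nothing reusable is left.
post_enroll() {
    otp=$1; fqdn=$2
    ipa_cmd ipa-client-install -U -w "$otp"
    ipa_cmd kinit -k -t /etc/krb5.keytab "host/$fqdn"
    ipa_cmd ipa-getkeytab -s ds01.example.com -p "HTTP/$fqdn" -k /etc/squid/krb5.keytab
    ipa_cmd chown squid:squid /etc/squid/krb5.keytab
    ipa_cmd chmod 0600 /etc/squid/krb5.keytab
    ipa_cmd kdestroy
}

# Constructed sample of 'ipa host-add --random' output for a stand-alone dry run.
SAMPLE_HOST_ADD='Added host "web01.example.com"
  Host name: web01.example.com
  Random password: 3kF9z2pQ
  Principal name: host/web01.example.com@EXAMPLE.COM'
OTP=$(printf '%s\n' "$SAMPLE_HOST_ADD" | extract_otp)
post_enroll "$OTP" web01.example.com
```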
</body>
</html>