<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<br>
-----BEGIN PGP SIGNED MESSAGE-----<br>
Hash: SHA1<br>
<br>
Hi JR<br>
<br>
I agree with your statement of acceptable risk.. this is my main
reason for questioning..<br>
<br>
The ideal situation would be to run this as a satellite kickstart
snippet for provisioning with kickstart profiles... That way I can
utilize the existing provisioning platform for everything.<br>
<br>
At the moment everything is in dev using scripted kickstarts for
testing.<br>
<br>
Dale<br>
<br>
<br>
<br>
On 02/08/2012 03:33 PM, JR Aquino wrote:<br>
<span style="white-space: pre;">> If you are really trying to go
the route of using the password, the best way to accomplish that
is to procedurally ADD the host ahead of time with the -random
flag to generate a one-time-pass. Then insert that 1 time password
dynamically into the kickstart script.<br>
><br>
> If you want to approach the problem from a technical side and
not procedural... I don't suppose you have Puppet ?<br>
><br>
> You can utilize puppet to deploy a 'host provisioning' keytab
that you then kinit -kt before issuing the other commands that
require authentication. When it is finished, delete the keytab.<br>
><br>
> The problem with authentication and complete hands off
automation is that you always have to whittle it down to an area
of acceptable risk with lots of compensating controls and logging.<br>
><br>
><br>
> On Feb 8, 2012, at 6:44 AM, Dale Macartney wrote:<br>
><br>
>><br>
> Hi Simo<br>
><br>
> ipa-client-install is provided by the ipa-client rpm. Details
below<br>
><br>
> Name : ipa-client<br>
> Arch : x86_64<br>
> Version : 2.1.3<br>
> Release : 9.el6<br>
> Size : 222 k<br>
> Repo : installed<br>
><br>
><br>
> What I am trying to achieve is these two commands in a
post...<br>
><br>
> ipa service-add HTTP/$(hostname)<br>
> this definitely requires an authenticated user to add, I'm
sure<br>
><br>
><br>
> ipa-getkeytab -s ds01.example.com -p HTTP/$(hostname) -k<br>
> /etc/squid/krb5.keytab<br>
> this one I suspect might be able to be retrieved using the
host/<br>
> principal from the system after running ipa-client-install.<br>
><br>
><br>
> Does this help paint a picture?<br>
><br>
><br>
> Dale<br>
><br>
><br>
> On 02/08/2012 01:49 PM, Simo Sorce wrote:<br>
> >>> On Wed, 2012-02-08 at 11:13 +0000, Dale
Macartney wrote:<br>
> >>>> -----BEGIN PGP SIGNED MESSAGE-----<br>
> >>>> Hash: SHA1<br>
> >>>><br>
> >>>> morning all...<br>
> >>>><br>
> >>>> I'm dabbling with automated provisioning of
ipa client servers, and I'm<br>
> >>>> a little perplexed on how to add a keytab to
a system during the %post<br>
> >>>> section of a kickstart...<br>
> >>>><br>
> >>>> I've run ipa-client-install -U -p admin -w
redhat123 which works<br>
> >>>> perfectly, but in order to run ipa-getkeytab I
need a TGT, which doesn't<br>
> >>>> appear to be generated during the
ipa-client-install.<br>
> >>>><br>
> >>>> any suggestions on doing this during a post?<br>
> >>><br>
> >>> What version of ipa-client-install are you using
?<br>
> >>><br>
> >>> Newer versions (2.x) should fetch a keytab for
your system (needs<br>
> >>> credentials or OTP password.<br>
> >>><br>
> >>> Simo.<br>
> >>><br>
>><br>
></span><br>
<br>
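The procedure JR describes, written out as an added example (not code from the thread or from the FreeIPA project): a kickstart %post fragment that joins with a one-time password generated up front by <tt>ipa host-add --random</tt>, authenticates as the host principal from the keytab the client install wrote, adds the HTTP service and fetches its keytab, then drops the ticket. ds01.example.com and /etc/squid/krb5.keytab come from the thread; the @@IPA_OTP@@ placeholder, the helper names, the squid user and the assumption that the host principal may add service entries are mine.<br>

```shell
#!/bin/bash
# Kickstart %post fragment (added example, not from the thread). Assumes the
# provisioning platform already ran `ipa host-add <fqdn> --random` and replaced
# the @@IPA_OTP@@ placeholder below with the resulting one-time password.
set -eu

IPA_SERVER="ds01.example.com"        # server named in the thread
OTP="@@IPA_OTP@@"                    # substituted by the provisioning system
SQUID_KEYTAB="/etc/squid/krb5.keytab"

# The placeholder must really have been replaced: a bare template must never be
# installed, and an empty -w would not be an OTP join at all.
otp_is_substituted() {
    case "$1" in
        ""|@@*@@) return 1 ;;
        *)        return 0 ;;
    esac
}

# Build a principal such as HTTP/client01.example.com. The thread uses
# $(hostname), which may return a short name; IPA needs the FQDN, so refuse
# anything without a dot.
service_principal() {
    case "$2" in
        *.*) printf '%s/%s\n' "$1" "$2" ;;
        *)   echo "service_principal: '$2' is not an FQDN" >&2; return 1 ;;
    esac
}

enroll_and_fetch_keytab() {
    otp_is_substituted "$OTP" || { echo "OTP not substituted" >&2; return 1; }
    fqdn="$(hostname -f)"
    http_princ="$(service_principal HTTP "$fqdn")"

    # OTP join: no admin password in the kickstart; the OTP is consumed here.
    ipa-client-install -U -w "$OTP"
    unset OTP

    # Authenticate as the host principal from the keytab the client install wrote.
    kinit -kt /etc/krb5.keytab "host/$fqdn"
    # Assumes this host may add service entries; otherwise pre-create the
    # service alongside the host and allow it via `ipa service-add-host`.
    ipa service-add "$http_princ"
    ipa-getkeytab -s "$IPA_SERVER" -p "$http_princ" -k "$SQUID_KEYTAB"
    chmod 600 "$SQUID_KEYTAB"; chown squid:squid "$SQUID_KEYTAB"  # assumes squid user
    kdestroy   # drop the host TGT once the keytab is in place
}

# Only act inside a real %post; elsewhere just define the functions.
if command -v ipa-client-install >/dev/null 2>&1; then
    enroll_and_fetch_keytab
fi
```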
</body>
</html>