<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
On 02/08/2012 11:06 AM, Dale Macartney wrote:<br>
<blockquote type="cite">thanks for the confirmation earlier Rob,
that does make a lot of sense.<br>
<br>
am I right in assuming that to run the following, would not work
with a host principal? Presumably I'd need admin privileges to
create a service principal for a host.<br>
</blockquote>
<br>
Someone has to have privilege. You can make the host capable of
provisioning keytabs for services that run on the same host. AFAIR this
is allowed by default. I am not sure you can allow a host principal to
create new services out of the box. I think you would have to play
with permissions to allow it. Rob, am I correct? <br>
<br>
<blockquote type="cite"><br>
ipa service-add HTTP/$(hostname)<br>
<br>
I will be giving this a go for testing sake tonight.<br>
<br>
Dale<br>
<br>
On 02/08/2012 04:00 PM, Rob Crittenden wrote:<br>
> Dale Macartney wrote:<br>
>><br>
> Hi JR<br>
<br>
> I agree with your statement of acceptable risk.. this is my main reason for questioning..<br>
<br>
> The ideal situation would be to run this as a satellite kickstart snippet for provisioning with kickstart profiles... That way I can utilize the existing provisioning platform for everything.<br>
<br>
> At the moment everything is in dev using scripted kickstarts for testing.<br>
<br>
> > A host should be able to get keytabs for its own services so you should be able to kinit to the host service principal in /etc/keytab and use ipa-getkeytab.<br>
<br>
> > rob<br>
<br>
> Dale<br>
<br>
> On 02/08/2012 03:33 PM, JR Aquino wrote:<br>
> >>> If you are really trying to go the route of using the password, the best way to accomplish that is to procedurally ADD the host ahead of time with the -random flag to generate a one-time-pass. Then insert that 1 time password dynamically into the kickstart script.<br>
> >>><br>
> >>> If you want to approach the problem from a technical side and not procedural... I don't suppose you have Puppet ?<br>
> >>><br>
> >>> You can utilize puppet to deploy a 'host provisioning' keytab that you then kinit -kt before issuing the other commands that require authentication. When it is finished, delete the keytab.<br>
> >>><br>
> >>> The problem with authentication and complete hands off automation is that you always have to whittle it down to an area of acceptable risk with lots of compensating controls and logging.<br>
> >>><br>
> >>> On Feb 8, 2012, at 6:44 AM, Dale Macartney wrote:<br>
> >>><br>
> >>> Hi Simo<br>
> >>><br>
> >>> ipa-client-install is provided by the ipa-client rpm. Details below<br>
> >>><br>
> >>> Name : ipa-client<br>
> >>> Arch : x86_64<br>
> >>> Version : 2.1.3<br>
> >>> Release : 9.el6<br>
> >>> Size : 222 k<br>
> >>> Repo : installed<br>
> >>><br>
> >>> What I am trying to achieve is these two commands in a post...<br>
> >>><br>
> >>> ipa service-add HTTP/$(hostname)<br>
> >>> this definitely requires an authenticated user to add i'm sure<br>
> >>><br>
> >>> ipa-getkeytab -s ds01.example.com -p HTTP/$(hostname) -k /etc/squid/krb5.keytab<br>
> >>> this one I suspect might be able to be retrieved using the host/ principal from the system after running ipa-client-install.<br>
> >>><br>
> >>> Does this help paint a picture?<br>
> >>><br>
> >>> Dale<br>
> >>><br>
> >>> On 02/08/2012 01:49 PM, Simo Sorce wrote:<br>
> >>> >>> On Wed, 2012-02-08 at 11:13 +0000, Dale Macartney wrote:<br>
> >>> >>>> morning all...<br>
> >>> >>>><br>
> >>> >>>> i'm dabbling with automated provisioning of ipa client servers, and i'm a little perplexed on how to add a keytab to a system during the %post section of a kickstart...<br>
> >>> >>>><br>
> >>> >>>> i've run ipa-client-install -U -p admin -w redhat123 which works perfect, but in order to run ipa-getkeytab i need a tgt, which doesn't appear to be generated during the ipa-client-install.<br>
> >>> >>>><br>
> >>> >>>> any suggestions on doing this during a post?<br>
> >>> >>><br>
> >>> >>> What version of ipa-client-install are you using ?<br>
> >>> >>><br>
> >>> >>> Newer versions (2.x) should fetch a keytab for your system (needs credentials or OTP password).<br>
> >>> >>><br>
> >>> >>> Simo.<br>
<br>
</blockquote>
<br>
_______________________________________________<br>
Freeipa-users mailing list<br>
<a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a><br>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
<br>
<br>
-- <br>
Thank you,<br>
Dmitri Pal<br>
<br>
Sr. Engineering Manager IPA project,<br>
Red Hat Inc.<br>
<br>
<br>
-------------------------------<br>
Looking to carve out IT costs?<br>
<a class="moz-txt-link-abbreviated" href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a><br>
<br>
<br>
<br>
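An added example, not code from anyone in this thread, of the %post sequence JR and Rob describe: enrol with a per-host one-time password instead of the admin password, kinit from the host keytab that enrollment writes to /etc/krb5.keytab, then create and fetch the HTTP service keytab. The server ds01.example.com, the realm EXAMPLE.COM and the IPA_OTP variable are placeholders; as Dmitri notes, the service-add step only succeeds if the host principal has been granted permission to add services.<br>

```shell
#!/bin/sh
# Added example, not code from the thread. Kickstart %post sequence that avoids
# embedding the admin password: the host is pre-created by an administrator with
# "ipa host-add --random" and the resulting one-time password is passed in as
# IPA_OTP. Placeholders: ds01.example.com (IPA server), EXAMPLE.COM (realm).

# run_cmd: execute the command, or only print it when DRY_RUN=1 so the plan
# can be reviewed before anything touches the realm.
run_cmd() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# provision_http_keytab FQDN IPA_SERVER REALM KEYTAB_PATH
provision_http_keytab() {
    fqdn=$1; server=$2; realm=$3; keytab=$4
    [ -n "$IPA_OTP" ] || { echo "IPA_OTP is not set" >&2; return 1; }
    # 1. Enrol with the one-time password. This writes the host keytab to
    #    /etc/krb5.keytab; the OTP is consumed, so a leaked copy is useless.
    run_cmd ipa-client-install -U --server "$server" --domain "${fqdn#*.}" \
        --realm "$realm" -w "$IPA_OTP" || return 1
    # 2. Get a TGT for the host principal from that keytab (no user password).
    run_cmd kinit -kt /etc/krb5.keytab "host/$fqdn@$realm" || return 1
    # 3. Create the service. Needs permission to add services for host
    #    principals, which the thread says is not granted by default.
    run_cmd ipa service-add "HTTP/$fqdn" || return 1
    # 4. A host may fetch keytabs for its own services; lock the file down.
    run_cmd ipa-getkeytab -s "$server" -p "HTTP/$fqdn" -k "$keytab" || return 1
    run_cmd chmod 600 "$keytab" || return 1
    # 5. Discard the host TGT so later %post steps cannot reuse it.
    run_cmd kdestroy
}

# Usage: IPA_OTP=... [DRY_RUN=1] sh provision.sh web01.example.com \
#        ds01.example.com EXAMPLE.COM /etc/squid/krb5.keytab
if [ $# -eq 4 ]; then
    provision_http_keytab "$@"
fi
```

Run it once with DRY_RUN=1 to check the printed command list before putting it in a kickstart profile.<br>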
</body>
</html>