<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <head> <meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type"> </head> <body bgcolor="#ffffff" text="#000000"> On 02/08/2012 11:06 AM, Dale Macartney wrote: > <blockquote type="cite">thanks for the confirmation earlier Rob, that does make a lot of sense. am I right in assuming that to run the following, would not work with a host principle? Presumably I'd need admin priviledges to create a service principle for a host. </blockquote> Someone has to have privilege. You can make the host capable to provision keytabs for services that run on the same host. AFAIR this is allowed by default. I am not sure you can allow host principal to create new services out of the box. I think you would have to play with permission to allow it. Rob, am I correct? <blockquote type="cite"> ipa service-add HTTP/$(hostname) I will be giving this a go for testing sake tonight. Dale On 02/08/2012 04:00 PM, Rob Crittenden wrote: > Dale Macartney wrote: >> > Hi JR > I agree with your statement of acceptable risk.. this is my main reason > for questioning.. > The ideal situation would be to run this as a satellite kickstart > snippet for provisioning with kickstart profiles... That way I can > utilize the existing provisioning platform for everything. > At the moment everything is in dev using scripted kickstarts for testing. > > A host should be able to get keytabs for its own services so you should be able to kinit to the host service principal in /etc/keytab and use ipa-getkeytab. > > rob > Dale > On 02/08/2012 03:33 PM, JR Aquino wrote: > >>> If you are really trying to go the route of using the password, the > best way to accomplish that is to procedurally ADD the host ahead of > time with the -random flag to generate a one-time-pass. Then insert that > 1 time password dynamically into the kickstart script. > >>> > >>> If you want to approach the problem from a technical side and not > procedural... I don't suppose you have Puppet ? > >>> > >>> You can utilize puppet to deploy a 'host provisioning' keytab that you > then kinit -kt before issuing the other commands that require > authentication. When it is finished, delete the keytab. > >>> > >>> The problem with authentication and complete hands off automation is > that you always have to whittle it down to an area of acceptable risk > with lots of compensating controls and logging. > >>> > >>> > >>> On Feb 8, 2012, at 6:44 AM, Dale Macartney wrote: > >>> > >>> > > >>> Hi Simo > >>> > >>> ipa-client-install is provided by the ipa-client rpm. Details below > >>> > >>> Name : ipa-client > >>> Arch : x86_64 > >>> Version : 2.1.3 > >>> Release : 9.el6 > >>> Size : 222 k > >>> Repo : installed > >>> > >>> > >>> What I am trying to achieve is these two commands in a post... > >>> > >>> ipa service-add HTTP/$(hostname) > >>> this definitely requires an authenticated user to add i'm sure > >>> > >>> > >>> ipa-getkeytab -s ds01.example.com -p HTTP/$(hostname) -k > >>> /etc/squid/krb5.keytab > >>> this one I suspect might be able to be retrieved using the host/ > >>> principle from the system after running ipa-client-install. > >>> > >>> > >>> Does this help paint a picture? > >>> > >>> > >>> Dale > >>> > >>> > >>> On 02/08/2012 01:49 PM, Simo Sorce wrote: > >>> >>> On Wed, 2012-02-08 at 11:13 +0000, Dale Macartney wrote: > >>> >>>> -----BEGIN PGP SIGNED MESSAGE----- > >>> >>>> Hash: SHA1 > >>> >>>> > >>> >>>> morning all... > >>> >>>> > >>> >>>> i'm dabbling with automated provisioning of ipa client servers, > and i'm > >>> >>>> a little perplexed on how to add a keytab to a system during the > %post > >>> >>>> section of a kickstart... > >>> >>>> > >>> >>>> i've run ipa-client-install -U -p admin -w redhat123 which works > >>> >>>> perfect, but in order to run ipa-getkeytab i need a tgt, which > doesn't > >>> >>>> appear to be generated during the ipa-client-install. > >>> >>>> > >>> >>>> any suggestions on doing this during a post? > >>> >>> > >>> >>> What version of ipa-client-install are you using ? > >>> >>> > >>> >>> Newer versions (2.x) should fetch a keytab for your system (needs > >>> >>> credentials or OTP password. > >>> >>> > >>> >>> Simo. > >>> >>> > >>> > > >>> > <0xB5B41FAA.asc><0xB5B41FAA.asc.sig>_______________________________________________ > >>> > Freeipa-users mailing list > >>> > <a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> > >>> > <a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a> > >>> >> >> >> >> _______________________________________________ >> Freeipa-users mailing list >> <a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> >> <a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a> </blockquote> _______________________________________________ Freeipa-users mailing list <a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> <a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a> -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? <a class="moz-txt-link-abbreviated" href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a> </body> </html>