<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
On 01/23/2013 04:09 PM, Fred van Zwieten wrote:
<blockquote
cite="mid:CALVifsax=95kvxjQ-67yGmsdqmOKoddgEq-RQSHDWtS+2deVYQ@mail.gmail.com"
type="cite">
<div dir="ltr">On Wed, Jan 23, 2013 at 10:01 PM, Dmitri Pal <span
dir="ltr"><<a moz-do-not-send="true"
href="mailto:dpal@redhat.com" target="_blank">dpal@redhat.com</a>></span>
wrote:<br>
<div class="gmail_extra">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div class="im"> On 01/23/2013 03:24 PM, Fred van
Zwieten wrote:
<blockquote type="cite">
<div dir="ltr">
<div class="gmail_extra">Dmitri,
<div><span style="font-family:arial,sans-serif"><br>
</span></div>
<div>If I understand correctly, t<span
style="font-family:arial,sans-serif">his
would mean I back up the keytab before
reinstall and restore it after (easily done
with Satellite), then do an
ipa-client-install using the keytab. Does
this mean the host record in IPA will never
change during this process? Sounds good to
me. This makes reinstalling a one-step
process.</span><br>
</div>
<div><font face="arial, sans-serif"><br>
</font></div>
<div><font face="arial, sans-serif">When the ssh
keys are not preserved during reinstall they
must be refreshed in IPA, will
ipa-client-install do that too in this case?
<br>
</font></div>
</div>
</div>
</blockquote>
<br>
</div>
Yes I suspect, but that would be the same as the initial
enroll. I suspect the keytab, cert and ssh keys would be
regenerated. We will just use keytab to acquire ticket
and then start the whole enrollment from clean sheet.
<div>
<div class="h5"><span style="color:rgb(34,34,34)"></span></div>
</div>
</div>
</blockquote>
<div> </div>
<div style="">That would be a perfectly workable solution
for me. <br>
</div>
</div>
</div>
</div>
</blockquote>
<br>
<a class="moz-txt-link-freetext" href="https://fedorahosted.org/freeipa/ticket/3374">https://fedorahosted.org/freeipa/ticket/3374</a><br>
<br>
<blockquote
cite="mid:CALVifsax=95kvxjQ-67yGmsdqmOKoddgEq-RQSHDWtS+2deVYQ@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>
<div class="h5">
<blockquote type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_extra"><br clear="all">
<div>Fred</div>
<div><br>
</div>
<div><br>
</div>
</div>
<div class="gmail_quote">On Wed, Jan 23, 2013
at 8:56 PM, Dmitri Pal <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:dpal@redhat.com"
target="_blank">dpal@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote"
style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div> On 01/23/2013 01:56 PM, Charlie
Derwent wrote:
<blockquote type="cite">
<div dir="ltr">
<div>Hi </div>
<div> </div>
<div>My team and I have been
around this a few times and as
far as we can see the best and
simplest way to make this work
is if we enrol once and back up
all the relevant bits of
information so in the event of a
rebuild we can restore the
necessary components and make it
appear to the IPA server that it
had never left.</div>
<div> </div>
<div>Disabling and
re-enrolling was the preferred
option initially but it seems
there are too many issues to
make this viable going forward.</div>
<ul>
<li>How to allow
developers/administrators/robots
access securely between the
disabling the host and
re-enrolment (to say reboot
the server for PXEboot)</li>
<li>Having to grant users
permission to enrol servers
even when they only need
to re-provision existing
servers.</li>
<li>OTP reuse being disabled
preventing something simple
like the hostname of the
server being used during
re-enrolment</li>
<li>The lack of a reusable OTP
also makes the process
two-step (see Fred's
mail) rather than the single
step we previously had.</li>
</ul>
<div>To that end could someone
please tell us or document all
the steps required to back up
the key ipa-client files so we
can get past these problems and
move onto the more interesting
things that the IPA server
can provide.</div>
<div> </div>
<div>Any effort to simplify the
backup and restore process
within an IPA client (and the
server for that matter) would
also be greatly appreciated.</div>
<div> </div>
</div>
</blockquote>
</div>
I suspect you opened the ticket: <a
moz-do-not-send="true"
href="https://fedorahosted.org/freeipa/ticket/3373"
target="_blank">https://fedorahosted.org/freeipa/ticket/3373</a><br>
Anyways I replied in the ticket and I am
pasting it here:<br>
Making OTP reusable defeats the purpose
of the OTP. It becomes just another
password. If you want this you can
create an account in IPA, limit its
privileges to just host enrollment and
use the password associated with this
account to re-provision systems. Would
that solve the problem for you? <br>
<br>
If the backup seems like a good option I
suggest we open an RFE to allow
re-enrolling a host using keytab.<br>
I can file an RFE for it. What it would
do is: add an argument to
ipa-client-install to use keytab instead
of OTP or password if you saved one. If
the authentication is successful the client
will reconfigure the system once again.
<br>
<br>
Would that solve the problem?<br>
<br>
I do not like the full backup idea as it
is not consistent between the versions.
Say you redeploy but with the updated
version of software that changed
something and config files from the
previous version are not 100% the same.
Things would break.<br>
And depending upon the commands you used
we touch different files as SSSD can now
be integrated with autofs, ssh, sudo.<br>
I am just not sure that backup and
restore is really a sustainable approach
project/product wise.<br>
We can probably craft a list but I am
scared of promoting it as a solution.
<div>
<div><br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div>Regards,</div>
<div>Charlie.</div>
</div>
<div class="gmail_extra"> <br>
<br>
<div class="gmail_quote">On Fri,
Jan 18, 2013 at 8:14 PM, Fred
van Zwieten <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:fvzwieten@vxcompany.com"
target="_blank">fvzwieten@vxcompany.com</a>></span>
wrote:<br>
<blockquote
class="gmail_quote"
style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div dir="ltr">Dmitri,
<div><br>
</div>
<div>Sure I can do this. I
can make a script, and
have this executed from
Satellite (remote
command) and then
perform the server
redeploy from Satellite.
However, that makes it a
two step process, and
that is what I now also
have. However, I would
like to make it fully
automated in a single
step.</div>
<div><br>
</div>
<div>Come to think of
it...there is also an
api for Satellite. Maybe
I can make a script that
will first do the IPA
stuff and then call
Satellite to redeploy
the server.....</div>
<div>....hmmm....will look
into this...and report
my findings</div>
<div class="gmail_extra"><br
clear="all">
<div><br>
Kind regards,<br>
<b><br>
<font
style="color:rgb(51,102,255)"
color="#000099">Fre</font><font
style="color:rgb(51,102,255)" color="#000099">d van Zwieten</font><br
style="color:rgb(51,102,255)">
</b>
<div><font
color="#3333ff"><span
style="color:rgb(0,0,153)"><b style="color:rgb(51,102,255)">Enterprise
Open Source
Services</b><br>
</span></font></div>
<div><b><br>
<span
style="color:rgb(51,102,255)">Consultant</span></b><br>
<font size="1"><i>(not available on Fridays)</i></font></div>
<div><br>
<b><span
style="color:rgb(255,0,0)">VX
Company IT
Services B.V.</span></b><br>
<span
style="color:rgb(0,0,153)"><b><span
style="color:rgb(255,0,0)">T</span></b><span
style="color:rgb(255,255,255)"> <span
style="color:rgb(51,102,255)">(035) 539 09 50 mobile (06) 41 68 28 48</span></span></span><span
style="color:rgb(51,102,255)"></span><br style="color:rgb(0,0,153)">
<span
style="color:rgb(0,0,153)"><b><span
style="color:rgb(255,0,0)">F</span></b> <span
style="color:rgb(51,102,255)">(035)
539 09 08</span></span><br
style="color:rgb(0,0,153)">
<span
style="color:rgb(0,0,153)"><b
style="color:rgb(255,0,0)">E</b><span style="color:rgb(51,102,255)"> </span></span><a
moz-do-not-send="true" style="color:rgb(51,102,255)"
href="mailto:fvzwieten@vxcompany.com"
target="_blank">fvzwieten@vxcompany.com</a><br
style="color:rgb(0,0,153)">
<span
style="color:rgb(0,0,153)"><b
style="color:rgb(255,0,0)">I</b> </span><a moz-do-not-send="true"
style="color:rgb(51,102,255)"
href="http://www.vxcompany.com/" target="_blank">www.vxcompany.com</a></div>
</div>
<div>
<div> <br>
<br>
<div
class="gmail_quote">On
Fri, Jan 18, 2013
at 6:09 PM, Dmitri
Pal <span
dir="ltr"><<a
moz-do-not-send="true" href="mailto:dpal@redhat.com" target="_blank">dpal@redhat.com</a>></span>
wrote:<br>
<blockquote
class="gmail_quote"
style="margin:0px
0px 0px
0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid">
<div
bgcolor="#FFFFFF"
text="#000000">
<div> On
01/18/2013
06:52 AM, Fred
van Zwieten
wrote:
<blockquote
type="cite">
<div dir="ltr">Hi
Dmitri,
<div><br>
</div>
<div>Sorry for
the late
reply. I
basically want
to do the same
as Charlie
Derwent in
another thread
on this
mailing list:
To fully
automate the
re-installation
of a server
using
Satellite/Spacewalk
using
kickstart. As
the server is
an IPA client,
it must first
get to be
un-enrolled,
before an
ipa-client-install
--unattended -w
secret etc.
can be done in
a %post
snippet of the
kickstart
file. It is
the automation
of the
unenrollment
process that we
are not able
to set up.</div>
<div><br>
</div>
<div>What I
can do on any
ipa-client to
unenroll on
the command
line is:</div>
<div><br>
</div>
<div>ipa
--disable-host
<server>
and ipa
host-mod
--password=secret
--ssh=</div>
<div> <br>
</div>
<div>This
unprovisions
the client,
sets an OTP
and removes
the host ssh
keys.</div>
<div><br>
</div>
<div>However,
this can only
be done on an
IPA client,
and during a
kickstart
install the
server is no
longer an IPA
client,
because it is
freshly being
set up.</div>
<div><br>
</div>
<div>It's a
typical
chicken-and-egg
issue. You
must first be
ipa client to
be able to
execute ipa
commands, but
you cannot
become an ipa
client before
unprovisioning
yourself using
those same ipa
commands.</div>
<div><br>
</div>
<div>Another
approach would
be to
unprovision
the client
just before
the reboot to
be
kickstarted,
however, I
have no idea
how to set
that up. It
would mean the
server has to
know somehow
it is being
rebooted
because of a
re-install,
but afaik,
there is no
way for
satellite/spacewalk
to tell the
server this..</div>
<div><br>
</div>
<div
class="gmail_extra">Regards,</div>
<div
class="gmail_extra"><br>
</div>
<div
class="gmail_extra">Fred<br
clear="all">
</div>
</div>
</blockquote>
<br>
</div>
IMO the right
approach would
be for the
Satellite
server to
perform "ipa
--disable-host
<server>
and ipa
host-mod
--password=secret
--ssh=" as a
part of the
re-installation.<br>
Satellite
should be
given an IPA
identity and
call into IPA
when it
performs
reinstall
before
rebooting the
system.<br>
<br>
Tough... I
will see what
I can do.
<div>
<div><br>
<br>
<blockquote
type="cite">
<div dir="ltr">
<div
class="gmail_extra">
<div><br>
<br>
</div>
<br>
<br>
<div
class="gmail_quote">On
Sat, Jan 12,
2013 at 10:06
PM, Dmitri Pal
<span
dir="ltr"><<a
moz-do-not-send="true" href="mailto:dpal@redhat.com" target="_blank">dpal@redhat.com</a>></span>
wrote:<br>
<blockquote
class="gmail_quote"
style="margin:0px
0px 0px
0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid">
<div
bgcolor="#FFFFFF"
text="#000000">
<div>
<div> On
01/12/2013
03:28 AM, Fred
van Zwieten
wrote:
<blockquote
type="cite">
<div dir="ltr">Hi
there,
<div><br>
</div>
<div>We are in
the process of
implementing
Satellite and
want to
automate
server
installations
100% using
kickstart,
cobbler,
satellite.</div>
<div><br>
</div>
<div>IPA
clients can be
enrolled by
script using
kickstart.
There is plenty of
documentation
about that.</div>
<div><br>
</div>
<div>However,
how to
"re"-enroll
IPA clients?</div>
<div><br>
</div>
<div>Satellite
gives me the
option to
re-install a
server. In
this case,
there are
still host and
possibly
service
records for
this host
present in IPA
and DNS.</div>
<div><br>
</div>
<div>One way
to think about
this is, that
it's actually
OK to keep
those records
there, because
it is a
"re"-installation,
so why remove
and re-enroll?
However, there
is the
krb5.keytab in
/etc. I could
save that file
during
redeployment,
but I'm not
sure if that
will work. And
are there any
other
gotchas?</div>
<div><br>
</div>
<div>So, the
question is,
how to
re-install an
IPA client
using
kickstart
(silent
re-install)?</div>
</div>
</blockquote>
<br>
</div>
</div>
The question
is how/do you
remove the
client?<br>
Based on what
you say above
you use the
same system so
there are some
leftovers. If
you can run
ipa-client-install
--uninstall it
should clean
things like
keytab and
certs (there
have been bugs
fixed in
freeIPA 3.0).
If the client
has access to
the server it
will clean
(not remove)
the host entry
too. Then you
can re-run the
install. If
you use OTP
you would need
to reset OTP
first.<br>
<br>
<blockquote
type="cite">
<div dir="ltr">
<div>
<div><br>
Regards,<br>
<div><br>
</div>
</div>
<div>Fred</div>
</div>
</div>
<br>
<fieldset></fieldset>
<br>
<pre>_______________________________________________
Freeipa-users mailing list
<a moz-do-not-send="true" href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a>
<a moz-do-not-send="true" href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
<span><font
color="#888888">
</font></span></blockquote>
<span><font
color="#888888">
<br>
<br>
<pre cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
<a moz-do-not-send="true" href="http://www.redhat.com/carveoutcosts/" target="_blank">www.redhat.com/carveoutcosts/</a>
</pre>
</font></span></div>
</blockquote>
</div>
<br>
</div>
</div>
</blockquote>
<br>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</div>
<br>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</blockquote>
<br>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</blockquote>
<br>
<br>
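<br>
An added example, written for this page and not code from the thread or from the FreeIPA or Satellite projects, of the flow Dmitri describes above: the provisioning host, running under an IPA identity whose privileges are limited to host management, disables the host entry and sets a fresh one-time password before the reboot, then writes the kickstart %post snippet that re-enrols the freshly installed client with that OTP. It assumes the ipa CLI is on PATH with a valid Kerberos ticket for that identity; the IPA_CMD variable, the function names and the host name client1.example.test are assumptions of the example, not from the thread.<br>
<br>
```shell
#!/bin/sh
# Added example, not from the thread or the FreeIPA/Satellite projects.
# Pre-reboot unprovisioning of an IPA host entry from the provisioning
# (Satellite) side, plus generation of the kickstart %post snippet that
# re-enrols the client. Assumptions: 'ipa' is on PATH and a Kerberos
# ticket for a host-management-only identity already exists (for example
# obtained with 'kinit -kt <keytab> <principal>' by the provisioning job).
set -eu

# Command used to talk to IPA. Overridable so the functions can be
# exercised without a live IPA server (IPA_CMD=echo gives a dry run).
IPA_CMD="${IPA_CMD:-ipa}"

# Generate a fresh, random, single-use enrolment password (OTP).
# A predictable value such as the host name would turn the OTP into a
# guessable static password, which is what the thread warns against.
new_otp() {
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -hex 16
    else
        head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n'
    fi
}

# Unprovision the host entry ahead of the reinstall: host-disable revokes
# the current Kerberos key and certificate, host-mod sets the OTP and
# clears the stale SSH host keys so the new keys are accepted on re-enrolment.
prepare_host_for_reinstall() {
    host="$1"
    otp="$2"
    "$IPA_CMD" host-disable "$host"
    "$IPA_CMD" host-mod "$host" --password="$otp" --ssh=
}

# Write the kickstart %post fragment that re-enrols the client. The OTP is
# embedded once; IPA invalidates it on the first successful enrolment.
write_post_snippet() {
    host="$1"
    otp="$2"
    out="$3"
    cat > "$out" <<EOF
%post --log=/root/ipa-enrol.log
/usr/sbin/ipa-client-install --unattended --hostname=$host -w '$otp'
%end
EOF
}

# Drive the whole pre-reinstall step for one host; returns 0 on success.
reinstall_prep() {
    host="$1"
    out="$2"
    otp="$(new_otp)"
    prepare_host_for_reinstall "$host" "$otp"
    write_post_snippet "$host" "$otp" "$out"
}

# Usage (on the provisioning host): sh reinstall-prep.sh <fqdn> <snippet-file>
if [ $# -eq 2 ]; then
    reinstall_prep "$1" "$2"
fi
```
<br>
Run it from the provisioning job immediately before the reboot into kickstart, and feed the generated snippet into the kickstart profile for that host. Because the OTP is generated per reinstall and consumed on the first successful enrolment, the two steps Fred describes become one automated flow without making the OTP reusable; the identity the job runs under only needs the host enrolment and host management permissions, not full admin rights. Setting IPA_CMD=echo lets the script be exercised on a workstation without an IPA server.<br>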
</body>
</html>