<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
On 01/23/2013 01:56 PM, Charlie Derwent wrote:
<blockquote
cite="mid:CA+W6xet6on+ueHnazfcNqcqm_OY3hzYK66EkeO7nLr6JP9GFOw@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>Hi </div>
<div> </div>
<div>My team and I have been around this a few times and as far
as we can see the best and simplest way to make this work is
if we enrol once and back up all the relevant bits of
information so in the event of a rebuild we can restore the
necessary components and make it appear to the IPA server that
it had never left.</div>
<div> </div>
<div>Disabling and re-enrolling was the preferred option
initially but it seems there are too many issues to make this
viable going forward.</div>
<ul>
<li>How to allow developers/administrators/robots access
securely between the disabling the host and re-enrolment (to
say reboot the server for PXEboot)</li>
<li>Having to grant users permission to enrol servers even
when they only need to re-provision existing servers.</li>
<li>OTP reuse being disabled preventing something simple like
the hostname of the server being used during re-enrolment</li>
<li>The lack of a reusable OTP also makes the process two-step
(see Fred's mail) rather than the single step we previously
had.</li>
</ul>
<div>To that end could someone please tell us or document all
the steps required to back up the key ipa-client files so we
can get past these problems and move onto the more interesting
things that the IPA server can provide.</div>
<div> </div>
<div>Any effort to simplify the backup and restore process
within an IPA client (and the server for that matter) would
also be greatly appreciated.</div>
<div> </div>
</div>
</blockquote>
I suspect you opened the ticket:
<a class="moz-txt-link-freetext" href="https://fedorahosted.org/freeipa/ticket/3373">https://fedorahosted.org/freeipa/ticket/3373</a><br>
Anyways I replied in the ticket and I am pasting it here:<br>
Making OTP reusable defeats the purpose of the OTP. It becomes just
another password. If you want this you can create an account in IPA,
limit its privileges to just host enrollment and use the password
associated with this account to re-provision systems. Would that
solve the problem for you?
<br>
<br>
If the backup seems like a good option I suggest we open an RFE to
allow re-enrolling a host using keytab.<br>
I can file an RFE for it. What it would do is: add an argument to
ipa-client-install to use keytab instead of OTP or password if you
saved one. If the authentication is successful the client will
reconfigure the system once again. <br>
<br>
Would that solve the problem?<br>
<br>
I do not like the full backup idea as it is not consistent between
the versions. Say you redeploy but with the updated version of
software that changed something and config files from the previous
version are not 100% the same. Things would break.<br>
And depending upon the commands you used we touch different files as
SSSD can now be integrated with autofs, ssh, sudo.<br>
I am just not sure that backup and restore is really a sustainable
approach project/product wise.<br>
We can probably craft a list but I am scared of promoting it as a
solution.<br>
<br>
<br>
<blockquote
cite="mid:CA+W6xet6on+ueHnazfcNqcqm_OY3hzYK66EkeO7nLr6JP9GFOw@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>Regards,</div>
<div>Charlie.</div>
</div>
<div class="gmail_extra">
<br>
<br>
<div class="gmail_quote">On Fri, Jan 18, 2013 at 8:14 PM, Fred
van Zwieten <span dir="ltr">&lt;<a moz-do-not-send="true"
href="mailto:fvzwieten@vxcompany.com" target="_blank">fvzwieten@vxcompany.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">Dmitri,
<div><br>
</div>
<div>Sure I can do this. I can make a script, and have
this executed from Satellite (remote command) and then
perform the server redeploy from Satellite. However,
that makes it a two step process, and that is what I now
also have. However, I would like to make it fully
automated in a single step.</div>
<div><br>
</div>
<div>Come to think of it...there is also an api for
Satellite. Maybe I can make a script that will first do
the IPA stuff and then call Satellite to redeploy the
server.....</div>
<div>....hmmm....will look into this...and report my
findings</div>
<div class="gmail_extra"><br clear="all">
<div><br>
Met vriendelijke groeten,<br>
<b><br>
<font style="color:rgb(51,102,255)" color="#000099">Fre</font><font
style="color:rgb(51,102,255)" color="#000099">d
van Zwieten</font><br
style="color:rgb(51,102,255)">
</b>
<div><font color="#3333ff"><span
style="color:rgb(0,0,153)"><b
style="color:rgb(51,102,255)">Enterprise Open
Source Services</b><br>
</span></font></div>
<div><b><br>
<span style="color:rgb(51,102,255)">Consultant</span></b><br>
<font size="1"><i>(vrijdags afwezig)</i></font></div>
<div><br>
<b><span style="color:rgb(255,0,0)">VX Company IT
Services B.V.</span></b><br>
<span style="color:rgb(0,0,153)"><b><span
style="color:rgb(255,0,0)">T</span></b><span
style="color:rgb(255,255,255)"> <span
style="color:rgb(51,102,255)">(035) 539 09 50
mobiel (06) 41 68 28 48</span></span></span><span
style="color:rgb(51,102,255)"></span><br
style="color:rgb(0,0,153)">
<span style="color:rgb(0,0,153)"><b><span
style="color:rgb(255,0,0)">F</span></b> <span
style="color:rgb(51,102,255)">(035) 539 09 08</span></span><br
style="color:rgb(0,0,153)">
<span style="color:rgb(0,0,153)"><b
style="color:rgb(255,0,0)">E</b><span
style="color:rgb(51,102,255)"> </span></span><a
moz-do-not-send="true"
style="color:rgb(51,102,255)"
href="mailto:fvzwieten@vxcompany.com"
target="_blank">fvzwieten@vxcompany.com</a><br
style="color:rgb(0,0,153)">
<span style="color:rgb(0,0,153)"><b
style="color:rgb(255,0,0)">I</b> </span><a
moz-do-not-send="true"
style="color:rgb(51,102,255)"
href="http://www.vxcompany.com/" target="_blank">www.vxcompany.com</a></div>
</div>
<div>
<div class="h5">
<br>
<br>
<div class="gmail_quote">On Fri, Jan 18, 2013 at
6:09 PM, Dmitri Pal <span dir="ltr">&lt;<a
moz-do-not-send="true"
href="mailto:dpal@redhat.com" target="_blank">dpal@redhat.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0px
0px 0px
0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid">
<div bgcolor="#FFFFFF" text="#000000">
<div> On 01/18/2013 06:52 AM, Fred van Zwieten
wrote:
<blockquote type="cite">
<div dir="ltr">Hi Dmitri,
<div><br>
</div>
<div>Sorry for the late reply. I
basically want to do the same as
Charlie Derwent in another thread on
this mailing list: To fully automate
the re-installation of a server using
Satellite/Spacewalk using kickstart.
As the server is an IPA client, it
must first get to be un-enrolled,
before an ipa-client-install
--unattended -w secret etc. can be done
in a %post snippet of the kickstart
file. It is the automation of the
unenrollment process that we are not
able to set up.</div>
<div><br>
</div>
<div>What I can do on any ipa-client to
unenroll on the command line is:</div>
<div><br>
</div>
<div>ipa --disable-host &lt;server&gt;
and ipa host-mod --password=secret
--ssh=</div>
<div> <br>
</div>
<div>This unprovisions the client, sets
an OTP and removes the host ssh keys.</div>
<div><br>
</div>
<div>However, this can only be done on
an IPA client, and during a kickstart
install the server is no longer an IPA
client, because it is freshly being
set up.</div>
<div><br>
</div>
<div>It's a typical chicken-and-egg
issue. You must first be ipa client to
be able to execute ipa commands, but
you cannot become an ipa client before
unprovisioning yourself using those
same ipa commands.</div>
<div><br>
</div>
<div>Another approach would be to
unprovision the client just before the
reboot to be kickstarted, however, I
have no idea how to set that up. It
would mean the server has to know
somehow it is being rebooted because
of a re-install, but afaik, there is
no way for satellite/spacewalk to tell
the server this..</div>
<div><br>
</div>
<div class="gmail_extra">Regards,</div>
<div class="gmail_extra"><br>
</div>
<div class="gmail_extra">Fred<br
clear="all">
</div>
</div>
</blockquote>
<br>
</div>
IMO the right approach would be for the
Satellite server to perform "ipa
--disable-host &lt;server&gt; and ipa host-mod
--password=secret --ssh=" as a part of the
re-installation.<br>
Satellite should be given an IPA identity and
call into IPA when it performs reinstall
before rebooting the system.<br>
<br>
Tough... I will see what I can do.
<div>
<div><br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div><br>
<br>
</div>
<br>
<br>
<div class="gmail_quote">On Sat, Jan
12, 2013 at 10:06 PM, Dmitri Pal <span
dir="ltr">&lt;<a
moz-do-not-send="true"
href="mailto:dpal@redhat.com"
target="_blank">dpal@redhat.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote"
style="margin:0px 0px 0px
0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid">
<div bgcolor="#FFFFFF"
text="#000000">
<div>
<div> On 01/12/2013 03:28
AM, Fred van Zwieten
wrote:
<blockquote type="cite">
<div dir="ltr">Hi there,
<div><br>
</div>
<div>We are in the
process of
implementing
Satellite and want
to automate server
installations 100%
using kickstart,
cobbler, satellite.</div>
<div><br>
</div>
<div>IPA clients can
be scripted enrolled
using kickstart.
Plenty of
documentation about
that.</div>
<div><br>
</div>
<div>However, how to
"re"-enroll IPA
clients?</div>
<div><br>
</div>
<div>Satellite gives
me the option to
re-install a server.
In this case, there
are still host and
possibly service
records for this
host present in IPA
and DNS.</div>
<div><br>
</div>
<div>One way to think
about this is, that
it's actually OK to
keep those records
there, because it is
a "re"-installation,
so why remove and
re-enroll? However,
there is the
krb5.keytab in /etc.
I could save that
file during
redeployment, but
I'm not sure if that
will work. And are
there any other
gotchas?</div>
<div><br>
</div>
<div>So, the question
is, how to
re-install an IPA
client using
kickstart (silent
re-install)?</div>
</div>
</blockquote>
<br>
</div>
</div>
The question is how/do you
remove the client?<br>
Based on what you say above
you use the same system so
there are some leftovers. If
you can run ipa-client-install
--uninstall it should clean
things like keytab and certs
(there have been bugs fixed in
freeIPA 3.0). If the client
has access to the server it
will clean (not remove) the
host entry too. Then you can
re-run the install. If you use
OTP you would need to reset
OTP first.<br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div>
<div><br>
Regards,<br>
<div><br>
</div>
</div>
<div>Fred</div>
</div>
</div>
<br>
<fieldset></fieldset>
<br>
<pre>_______________________________________________
Freeipa-users mailing list
<a moz-do-not-send="true" href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a>
<a moz-do-not-send="true" href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
<span><font color="#888888">
</font></span></blockquote>
<span><font color="#888888"> <br>
<br>
<pre cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
<a moz-do-not-send="true" href="http://www.redhat.com/carveoutcosts/" target="_blank">www.redhat.com/carveoutcosts/</a>
</pre>
</font></span></div>
</blockquote>
</div>
<br>
</div>
</div>
</blockquote>
<br>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</div>
<br>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
<br>
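The provisioning-side step Dmitri describes (the Satellite server holding its own IPA identity, disabling the host and setting a fresh OTP before it triggers the reinstall) and the kickstart %post line that consumes that OTP, written out as an added example. This is not code from the thread, from FreeIPA or from Satellite. The ipa CLI spells the disable subcommand <tt>host-disable</tt>; <tt>--sshpubkey=</tt> is assumed to be the long form of the <tt>--ssh=</tt> shown above; the keytab path, principal name, hostnames and domain are placeholders, and setting up the provisioner principal's limited permissions is outside what the thread covers. IPA and KINIT can be overridden (for example with echo) to dry-run the script without an IPA server.<br>

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA/Satellite.
# A provisioning host with its own IPA identity revokes the target host's
# credentials and stores a fresh one-time password on the host entry, then
# emits the kickstart %post line that enrols with that OTP.
# Keytab path, principal, hostnames and domain are placeholders.
set -eu

IPA=${IPA:-ipa}            # set to "echo" for a dry run
KINIT=${KINIT:-kinit}      # set to ":" for a dry run
PROVISIONER_KEYTAB=${PROVISIONER_KEYTAB:-/etc/provisioner.keytab}   # placeholder
PROVISIONER_PRINC=${PROVISIONER_PRINC:-provisioner@EXAMPLE.COM}     # placeholder

# A fresh OTP per reinstall: 12 random bytes from the kernel RNG as 24 hex chars.
# ipa-client-install consumes the OTP on first use, so it is never reused.
make_otp() {
    od -An -N12 -tx1 /dev/urandom | tr -d ' \n'
}

# Authenticate as the provisioner (a dedicated principal whose permissions are
# limited to disabling/modifying hosts; that setup is assumed, not shown),
# revoke the host's current Kerberos key and certificate with host-disable,
# then store the OTP on the still-existing host entry. --sshpubkey= (assumed
# long form of --ssh=) clears the old SSH host keys so the re-enrolled client
# can publish new ones.
prepare_reinstall() {
    host=$1
    otp=$2
    "$KINIT" -kt "$PROVISIONER_KEYTAB" "$PROVISIONER_PRINC"
    "$IPA" host-disable "$host"
    "$IPA" host-mod "$host" --password="$otp" --sshpubkey=
}

# The %post line for the kickstart: enrol with the OTP rather than an admin
# password, so the kickstart file never carries a reusable credential.
kickstart_post_line() {
    host=$1
    otp=$2
    domain=$3
    printf 'ipa-client-install --unattended --hostname=%s --domain=%s --password=%s\n' \
        "$host" "$domain" "$otp"
}
```

Run <tt>prepare_reinstall</tt> for a host immediately before the reinstall is triggered, feed the same OTP into the generated %post line, and discard it; because the OTP is consumed at enrolment, a leaked kickstart file does not give away a working credential, which is the property a reusable OTP would lose.<br>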
</body>
</html>