<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
On 01/23/2013 03:24 PM, Fred van Zwieten wrote:
<blockquote
cite="mid:CALVifsYWXVzokZRsMK+Za92=bmRweddEmMx632L7Nx_F860pBA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra">Dmitri,
<div><span style="font-family:arial,sans-serif"><br>
</span></div>
<div>If I understand correctly, t<span
style="font-family:arial,sans-serif">his would mean I
back up the keytab before reinstall and restore it after
(easily done with Satellite), then do an ipa-client-install
using the keytab. Does this mean the host record in IPA
will never change during this process? Sounds good to me.
This makes reinstalling a one-step process.</span><br>
</div>
<div><font face="arial, sans-serif"><br>
</font></div>
<div><font face="arial, sans-serif">When the SSH keys are not
preserved during reinstall they must be refreshed in IPA;
will ipa-client-install do that too in this case? <br>
</font></div>
</div>
</div>
</blockquote>
<br>
Yes, I suspect so, but that would be the same as the initial enroll. I
suspect the keytab, cert and SSH keys would be regenerated. We will
just use the keytab to acquire a ticket and then start the whole
enrollment from a clean sheet.<br>
<br>
<blockquote
cite="mid:CALVifsYWXVzokZRsMK+Za92=bmRweddEmMx632L7Nx_F860pBA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_extra"><br clear="all">
<div>Fred</div>
<div><br>
</div>
<div><br>
</div>
</div>
<div class="gmail_quote">On Wed, Jan 23, 2013 at 8:56 PM,
Dmitri Pal <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:dpal@redhat.com" target="_blank">dpal@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div class="im"> On 01/23/2013 01:56 PM, Charlie Derwent
wrote:
<blockquote type="cite">
<div dir="ltr">
<div>Hi </div>
<div> </div>
<div>My team and I have been around this a few
times and as far as we can see the best and
simplest way to make this work is if we enrol
once and back up all the relevant bits of
information so in the event of a rebuild we can
restore the necessary components and make it
appear to the IPA server that it had never left.</div>
<div> </div>
<div>Disabling and re-enrolling was the preferred
option initially but it seems there are too many
issues to make this viable going forward.</div>
<ul>
<li>How to allow
developers/administrators/robots access
securely between disabling the host and
re-enrolment (to, say, reboot the server for
PXE boot)</li>
<li>Having to grant users permission to enrol
servers even when they only need
to re-provision existing servers.</li>
<li>OTP reuse being disabled, preventing
something simple like the hostname of the
server being used during re-enrolment</li>
<li>The lack of a reusable OTP also makes the
process two-step (see Fred's mail) rather than
the single step we previously had.</li>
</ul>
<div>To that end could someone please tell us or
document all the steps required to back up the
key ipa-client files so we can get past these
problems and move on to the more interesting
things that the IPA server can provide.</div>
<div> </div>
<div>Any effort to simplify the backup and restore
process within an IPA client (and the server for
that matter) would also be greatly appreciated.</div>
<div> </div>
</div>
</blockquote>
</div>
I suspect you opened the ticket: <a
moz-do-not-send="true"
href="https://fedorahosted.org/freeipa/ticket/3373"
target="_blank">https://fedorahosted.org/freeipa/ticket/3373</a><br>
Anyway, I replied in the ticket and I am pasting it
here:<br>
Making OTP reusable defeats the purpose of the OTP. It
becomes just another password. If you want this you can
create an account in IPA, limit its privileges to just
host enrollment and use the password associated with
this account to re-provision systems. Would that solve
the problem for you? <br>
<br>
If the backup seems like a good option I suggest we open
an RFE to allow re-enrolling a host using keytab.<br>
I can file an RFE for it. What it would do is: add an
argument to ipa-client-install to use keytab instead of
OTP or password if you saved one. If the authentication
is successful the client will reconfigure the system once
again. <br>
<br>
Would that solve the problem?<br>
<br>
I do not like the full backup idea as it is not
consistent between the versions. Say you redeploy but
with the updated version of software that changed
something and config files from the previous version are
not 100% the same. Things would break.<br>
And depending upon the commands you used we touch
different files as SSSD can now be integrated with
autofs, ssh, sudo.<br>
I am just not sure that backup and restore is really a
sustainable approach project/product wise.<br>
We can probably craft a list but I am scared of promoting
it as a solution.
<div>
<div class="h5"><br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div>Regards,</div>
<div>Charlie.</div>
</div>
<div class="gmail_extra"> <br>
<br>
<div class="gmail_quote">On Fri, Jan 18, 2013 at
8:14 PM, Fred van Zwieten <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:fvzwieten@vxcompany.com"
target="_blank">fvzwieten@vxcompany.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote"
style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div dir="ltr">Dmitri,
<div><br>
</div>
<div>Sure I can do this. I can make a
script, and have this executed from
Satellite (remote command) and then
perform the server redeploy from
Satellite. However, that makes it a two-step
process, and that is what I now
also have. However, I would like to make
it fully automated in a single step.</div>
<div><br>
</div>
<div>Come to think of it...there is also
an api for Satellite. Maybe I can make a
script that will first do the IPA stuff
and then call Satellite to redeploy the
server.....</div>
<div>....hmmm....will look into this...and
report my findings</div>
<div class="gmail_extra"><br clear="all">
<div><br>
Kind regards,<br>
<b><br>
<font style="color:rgb(51,102,255)"
color="#000099">Fre</font><font
style="color:rgb(51,102,255)"
color="#000099">d van Zwieten</font><br
style="color:rgb(51,102,255)">
</b>
<div><font color="#3333ff"><span
style="color:rgb(0,0,153)"><b
style="color:rgb(51,102,255)">Enterprise
Open Source Services</b><br>
</span></font></div>
<div><b><br>
<span
style="color:rgb(51,102,255)">Consultant</span></b><br>
<font size="1"><i>(absent on Fridays)</i></font></div>
<div><br>
<b><span style="color:rgb(255,0,0)">VX
Company IT Services B.V.</span></b><br>
<span style="color:rgb(0,0,153)"><b><span
style="color:rgb(255,0,0)">T</span></b><span
style="color:rgb(255,255,255)"> <span
style="color:rgb(51,102,255)">(035)
539 09 50 mobile (06) 41 68 28
48</span></span></span><span
style="color:rgb(51,102,255)"></span><br
style="color:rgb(0,0,153)">
<span style="color:rgb(0,0,153)"><b><span
style="color:rgb(255,0,0)">F</span></b> <span
style="color:rgb(51,102,255)">(035)
539 09 08</span></span><br
style="color:rgb(0,0,153)">
<span style="color:rgb(0,0,153)"><b
style="color:rgb(255,0,0)">E</b><span
style="color:rgb(51,102,255)"> </span></span><a
moz-do-not-send="true"
style="color:rgb(51,102,255)"
href="mailto:fvzwieten@vxcompany.com"
target="_blank">fvzwieten@vxcompany.com</a><br
style="color:rgb(0,0,153)">
<span style="color:rgb(0,0,153)"><b
style="color:rgb(255,0,0)">I</b> </span><a
moz-do-not-send="true"
style="color:rgb(51,102,255)"
href="http://www.vxcompany.com/"
target="_blank">www.vxcompany.com</a></div>
</div>
<div>
<div> <br>
<br>
<div class="gmail_quote">On Fri, Jan
18, 2013 at 6:09 PM, Dmitri Pal <span
dir="ltr"><<a
moz-do-not-send="true"
href="mailto:dpal@redhat.com"
target="_blank">dpal@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote"
style="margin:0px 0px 0px
0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid">
<div bgcolor="#FFFFFF"
text="#000000">
<div> On 01/18/2013 06:52 AM,
Fred van Zwieten wrote:
<blockquote type="cite">
<div dir="ltr">Hi Dmitri,
<div><br>
</div>
<div>Sorry for the late reply. I basically want to do
the same as Charlie Derwent in another thread on this
mailing list: to fully automate the re-installation of
a server using Satellite/Spacewalk using kickstart. As
the server is an IPA client, it must first get to be
un-enrolled, before an ipa-client-install --unattended
-w secret etc. can be done in a %post snippet of the
kickstart file. It is the automation of the
unenrollment process that we are not able to set up.</div>
<div><br>
</div>
<div>What I can do on
any ipa-client to
unenroll on the
command line is:</div>
<div><br>
</div>
<div>ipa --disable-host
<server> and ipa
host-mod
--password=secret
--ssh=</div>
<div> <br>
</div>
<div>This unprovisions
the client, sets an
OTP and removes the
host ssh keys.</div>
<div><br>
</div>
<div>However, this can
only be done on an IPA
client, and during a
kickstart install the
server is no longer an
IPA client, because it
is freshly being set
up.</div>
<div><br>
</div>
<div>It's a typical
chicken-and-egg issue.
You must first be ipa
client to be able to
execute ipa commands,
but you cannot become
an ipa client before
unprovisioning
yourself using those
same ipa commands.</div>
<div><br>
</div>
<div>Another approach would be to unprovision the
client just before the reboot to be kickstarted,
however, I have no idea how to set that up. It
would mean the server has to know somehow it is
being rebooted because of a re-install, but afaik,
there is no way for satellite/spacewalk to tell
the server this.</div>
<div><br>
</div>
<div class="gmail_extra">Regards,</div>
<div class="gmail_extra"><br>
</div>
<div class="gmail_extra">Fred<br
clear="all">
</div>
</div>
</blockquote>
<br>
</div>
IMO the right approach would
be for the Satellite server to
perform "ipa --disable-host
<server> and ipa
host-mod --password=secret
--ssh=" as a part of the
re-installation.<br>
Satellite should be given an
IPA identity and call into IPA
when it performs reinstall
before rebooting the system.<br>
<br>
Tough... I will see what I can
do.
<div>
<div><br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div
class="gmail_extra">
<div><br>
<br>
</div>
<br>
<br>
<div
class="gmail_quote">On
Sat, Jan 12, 2013
at 10:06 PM,
Dmitri Pal <span
dir="ltr"><<a
moz-do-not-send="true" href="mailto:dpal@redhat.com" target="_blank">dpal@redhat.com</a>></span>
wrote:<br>
<blockquote
class="gmail_quote"
style="margin:0px
0px 0px
0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid">
<div
bgcolor="#FFFFFF"
text="#000000">
<div>
<div> On
01/12/2013
03:28 AM, Fred
van Zwieten
wrote:
<blockquote
type="cite">
<div dir="ltr">Hi
there,
<div><br>
</div>
<div>We are in the process of implementing Satellite and
want to automate server installations 100% using
kickstart, cobbler, satellite.</div>
<div><br>
</div>
<div>IPA clients can be enrolled by script using
kickstart. Plenty of documentation about that.</div>
<div><br>
</div>
<div>However, how to "re"-enroll IPA clients?</div>
<div><br>
</div>
<div>Satellite gives me the option to re-install a
server. In this case, there are still host and
possibly service records for this host present in
IPA and DNS.</div>
<div><br>
</div>
<div>One way to think about this is that it's actually
OK to keep those records there, because it is a
"re"-installation, so why remove and re-enroll?
However, there is the krb5.keytab in /etc. I could
save that file during redeployment, but I'm not sure
if that will work. And are there any other gotchas?</div>
<div><br>
</div>
<div>So, the question is, how to re-install an IPA
client using kickstart (silent re-install)?</div>
</div>
</blockquote>
<br>
</div>
</div>
The question is how/do you remove the client?<br>
Based on what you say above you use the same system so
there are some leftovers. If you can run
ipa-client-install --uninstall it should clean things
like keytab and certs (there have been bugs fixed in
freeIPA 3.0). If the client has access to the server it
will clean (not remove) the host entry too. Then you can
re-run the install. If you use OTP you would need to
reset OTP first.<br>
<br>
<blockquote
type="cite">
<div dir="ltr">
<div>
<div><br>
Regards,<br>
<div><br>
</div>
</div>
<div>Fred</div>
</div>
</div>
<br>
<fieldset></fieldset>
<br>
<pre>_______________________________________________
Freeipa-users mailing list
<a moz-do-not-send="true" href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a>
<a moz-do-not-send="true" href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
<span><font
color="#888888">
</font></span></blockquote>
<span><font
color="#888888">
<br>
<br>
<pre cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
<a moz-do-not-send="true" href="http://www.redhat.com/carveoutcosts/" target="_blank">www.redhat.com/carveoutcosts/</a>
</pre>
</font></span></div>
</blockquote>
</div>
<br>
</div>
</div>
</blockquote>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
<a class="moz-txt-link-abbreviated" href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a>
</pre>
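The approach Dmitri suggests above (Satellite holding its own IPA identity and resetting the host entry just before the reinstall, with the kickstart %post then re-enrolling with the one-time password) as a script; this is an added example, not code from the thread, FreeIPA or Satellite. It assumes a keytab for a dedicated, host-enrollment-only IPA user at the path and principal shown, and uses the current command spellings ipa host-disable and ipa host-mod --sshpubkey= rather than the ones typed in the mails.

```shell
#!/bin/sh
# Added example (not from the thread): pre-reinstall hook for the provisioning
# server. It revokes the host's current key, sets a fresh one-time enrollment
# password and drops the stale SSH host keys, while the host entry, its DNS
# records and group memberships stay in place.
# Assumed (not on the page): keytab path and principal below.
set -eu

IPA_KEYTAB="${IPA_KEYTAB:-/etc/satellite/ipa-provision.keytab}"  # assumed path
IPA_PRINCIPAL="${IPA_PRINCIPAL:-provision@EXAMPLE.COM}"           # assumed name
DRY_RUN="${DRY_RUN:-1}"   # 1: only print the ipa commands; 0: run them

# Accept only a plain lower-case FQDN: the name is interpolated into the
# commands below, so spaces, ';' or a leading '-' are rejected before they
# can become an extra argument or option.
valid_fqdn() {
    printf '%s' "$1" |
        grep -Eq '^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$'
}

# A fresh 32-hex-char OTP for every reinstall, so no OTP is ever reused.
new_otp() { head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n'; }

# The two ipa commands that turn an enrolled host back into a "not yet
# enrolled" entry: disable revokes the current key (the old keytab stops
# working), host-mod sets the OTP and clears the old SSH public keys.
unenroll_commands() {
    printf 'ipa host-disable %s\n' "$1"
    printf 'ipa host-mod %s --password=%s --sshpubkey=\n' "$1" "$2"
}

# What the kickstart %post runs after the reinstall; the OTP is consumed once.
kickstart_post_line() { printf 'ipa-client-install --unattended --password=%s\n' "$1"; }

run_unenroll() {
    fqdn=$1; otp=$2
    valid_fqdn "$fqdn" || { echo "refusing invalid host name: $fqdn" >&2; return 1; }
    if [ "$DRY_RUN" = 1 ]; then
        unenroll_commands "$fqdn" "$otp"
        return 0
    fi
    kinit -k -t "$IPA_KEYTAB" "$IPA_PRINCIPAL"   # Satellite's own IPA identity
    ipa host-disable "$fqdn"
    ipa host-mod "$fqdn" --password="$otp" --sshpubkey=
    kdestroy
}
```

The OTP still has to reach the %post section by a channel you trust (for example a per-host Satellite snippet variable); passing it on a command line, as both the mails and this script do, leaves it visible in process listings for as long as the command runs.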
</body>
</html>