[Freeipa-devel] [PATCH 0037] Add support for re-enrolling hosts using keytab
Tomas Babej
tbabej at redhat.com
Mon Mar 4 17:27:22 UTC 2013
Hi,
A host that has been previously unenrolled and does not have its
host entry disabled or removed, can be re-enrolled using
a previously backed up keytab file.
A new option --keytab has been added to ipa-client-install. This
can be used to specify path to the keytab and can be used instead
of -p or -w options.
A new option -f has been added to ipa-join. It forces client to
join even if the host entry already exits. A new certificate,
ssh keys are generated, ipaUniqueID stays the same.
https://fedorahosted.org/freeipa/ticket/3374
Attaching a comparison between host entry states
(enrolled using principal and reenrolled using keytab).
Tomas
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-tbabej-0037-Add-support-for-re-enrolling-hosts-using-keytab.patch
Type: text/x-patch
Size: 7449 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20130304/66a0cbc6/attachment.bin>
-------------- next part --------------
dn: fqdn=vm-078.example.com,cn=computers,cn=accounts,dc=idm,dc=lab,dc=eng,dc=br dn: fqdn=vm-078.example.com,cn=computers,cn=accounts,dc=idm,dc=lab,dc=eng,dc=br
fqdn: vm-078.example.com fqdn: vm-078.example.com
ipasshpubkey: ssh-dss AAAAB3NzaC1kc3MAAACBAOTFZwfVABE3UNjNgnSYRAMcfFPm7T/NiZ5z4VbyzrP+NJzjUdd+ | ipasshpubkey: ssh-dss AAAAB3NzaC1kc3MAAACBAOz9Jp42qxv3QvV3QoYOeLECuPpsVM1vrL4rS4MbKuSOPa6Nlu2Q
ipasshpubkey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC/Li43jjUraASij+4jHM9peFF0a0vXBH7252vQELhc | ipasshpubkey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDRG7ifJNlX3upFCzd6Yqmug9wVIswIj7epZyXconay
has_password: False has_password: False
has_keytab: True has_keytab: True
subject: CN=vm-078.example.com,O=EXAMPLE.COM subject: CN=vm-078.example.com,O=EXAMPLE.COM
serial_number: 15 | serial_number: 16
serial_number_hex: 0xF | serial_number_hex: 0x10
issuer: CN=Certificate Authority,O=EXAMPLE.COM issuer: CN=Certificate Authority,O=EXAMPLE.COM
valid_not_before: Mon Mar 04 11:11:12 2013 UTC | valid_not_before: Mon Mar 04 11:51:11 2013 UTC
valid_not_after: Thu Mar 05 11:11:12 2015 UTC | valid_not_after: Thu Mar 05 11:51:11 2015 UTC
md5_fingerprint: 27:7e:df:49:1c:8a:9f:d9:ce:86:4a:eb:2b:d9:e3:63 | md5_fingerprint: d7:87:8d:7c:4f:ee:2d:27:c5:91:e5:f3:ab:4e:8c:de
sha1_fingerprint: 4f:d9:45:d6:75:8b:53:1c:da:df:5c:d7:de:a5:6b:c4:70:14:92:20 | sha1_fingerprint: 15:d2:9a:81:78:b2:d7:92:91:45:70:4d:b8:ff:be:95:58:24:db:fe
sshpubkeyfp: 18:0A:83:16:75:F9:79:3F:AF:F3:01:71:7D:C2:84:0B (ssh-dss) | sshpubkeyfp: 92:31:BD:3E:BF:B2:27:2A:CB:08:16:4F:BB:B8:F7:8A (ssh-dss)
sshpubkeyfp: 9E:03:F0:A7:D2:B9:11:C6:44:25:40:93:3B:B1:42:33 (ssh-rsa) | sshpubkeyfp: 96:A7:2E:A3:B5:13:76:00:93:0B:0C:3A:72:59:F3:6B (ssh-rsa)
cn: vm-078.example.com cn: vm-078.example.com
enrolledBy: uid=admin,cn=users,cn=accounts,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com enrolledBy: uid=admin,cn=users,cn=accounts,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
ipaUniqueID: 37183b78-84bc-11e2-9fb3-001a4a22046a ipaUniqueID: 37183b78-84bc-11e2-9fb3-001a4a22046a
krbExtraData: AAJMgTRRaG9zdC92bS0wNzguaWRtLmxhYi5lbmcuYnJxLnJlZGhhdC5jb21ASURNLkxBQi5FTkcuQlJR | krbExtraData: AAKrijRRaG9zdC92bS0wNzguaWRtLmxhYi5lbmcuYnJxLnJlZGhhdC5jb21ASURNLkxBQi5FTkcuQlJR
krbLastPwdChange: 20130304111108Z | krbLastPwdChange: 20130304115107Z
krbLastSuccessfulAuth: 20130304111115Z | krbLastSuccessfulAuth: 20130304115114Z
krbPrincipalName: host/vm-078.example.com at EXAMPLE.COM krbPrincipalName: host/vm-078.example.com at EXAMPLE.COM
managedBy: fqdn=vm-078.example.com,cn=computers,cn=accounts,dc=idm,dc=lab,dc=en managedBy: fqdn=vm-078.example.com,cn=computers,cn=accounts,dc=idm,dc=lab,dc=en
managing: fqdn=vm-078.example.com,cn=computers,cn=accounts,dc=idm,dc=lab,dc=eng managing: fqdn=vm-078.example.com,cn=computers,cn=accounts,dc=idm,dc=lab,dc=eng
objectClass: ipaobject objectClass: ipaobject
objectClass: nshost objectClass: nshost
objectClass: ipahost objectClass: ipahost
objectClass: pkiuser objectClass: pkiuser
objectClass: ipaservice objectClass: ipaservice
objectClass: krbprincipalaux objectClass: krbprincipalaux
objectClass: krbprincipal objectClass: krbprincipal
objectClass: ieee802device objectClass: ieee802device
objectClass: ipasshhost objectClass: ipasshhost
objectClass: top objectClass: top
objectClass: ipaSshGroupOfPubKeys objectClass: ipaSshGroupOfPubKeys
serverHostName: vm-078 serverHostName: vm-078
userCertificate: MIIFHTCCBAWgAwIBAgIBDzANBgkqhkiG9w0BAQsFADBFMSMwIQYDVQQKExpJRE0uTEFCLkVORy5CU | userCertificate: MIIFHTCCBAWgAwIBAgIBEDANBgkqhkiG9w0BAQsFADBFMSMwIQYDVQQKExpJRE0uTEFCLkVORy5CU
More information about the Freeipa-devel
mailing list