[Freeipa-devel] [PATCH 0037] Add support for re-enrolling hosts using keytab

Tomas Babej tbabej at redhat.com
Mon Mar 4 17:27:22 UTC 2013


Hi,

A host that has been previously unenrolled, and whose host entry has
not been disabled or removed, can be re-enrolled using a previously
backed-up keytab file.

A new option, --keytab, has been added to ipa-client-install. It can
be used to specify the path to the keytab and can be used instead of
the -p or -w options.

A new option, -f, has been added to ipa-join. It forces the client to
join even if the host entry already exists. A new certificate and SSH
keys are generated; the ipaUniqueID stays the same.

https://fedorahosted.org/freeipa/ticket/3374

Attaching a comparison between host entry states
(enrolled using principal and re-enrolled using keytab).

Tomas

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-tbabej-0037-Add-support-for-re-enrolling-hosts-using-keytab.patch
Type: text/x-patch
Size: 7449 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20130304/66a0cbc6/attachment.bin>
-------------- next part --------------
Host entry comparison between the two states: enrolled using principal
vs. re-enrolled using keytab. Attributes identical in both states are
listed once; attributes that differ show their "principal" and "keytab"
values. Long values are truncated as in the original side-by-side output.

  dn: fqdn=vm-078.example.com,cn=computers,cn=accounts,dc=idm,dc=lab,dc=eng,dc=br
  fqdn: vm-078.example.com
  ipasshpubkey:
    principal: ssh-dss AAAAB3NzaC1kc3MAAACBAOTFZwfVABE3UNjNgnSYRAMcfFPm7T/NiZ5z4VbyzrP+NJzjUdd+
    keytab:    ssh-dss AAAAB3NzaC1kc3MAAACBAOz9Jp42qxv3QvV3QoYOeLECuPpsVM1vrL4rS4MbKuSOPa6Nlu2Q
  ipasshpubkey:
    principal: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC/Li43jjUraASij+4jHM9peFF0a0vXBH7252vQELhc
    keytab:    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDRG7ifJNlX3upFCzd6Yqmug9wVIswIj7epZyXconay
  has_password: False
  has_keytab: True
  subject: CN=vm-078.example.com,O=EXAMPLE.COM
  serial_number:
    principal: 15
    keytab:    16
  serial_number_hex:
    principal: 0xF
    keytab:    0x10
  issuer: CN=Certificate Authority,O=EXAMPLE.COM
  valid_not_before:
    principal: Mon Mar 04 11:11:12 2013 UTC
    keytab:    Mon Mar 04 11:51:11 2013 UTC
  valid_not_after:
    principal: Thu Mar 05 11:11:12 2015 UTC
    keytab:    Thu Mar 05 11:51:11 2015 UTC
  md5_fingerprint:
    principal: 27:7e:df:49:1c:8a:9f:d9:ce:86:4a:eb:2b:d9:e3:63
    keytab:    d7:87:8d:7c:4f:ee:2d:27:c5:91:e5:f3:ab:4e:8c:de
  sha1_fingerprint:
    principal: 4f:d9:45:d6:75:8b:53:1c:da:df:5c:d7:de:a5:6b:c4:70:14:92:20
    keytab:    15:d2:9a:81:78:b2:d7:92:91:45:70:4d:b8:ff:be:95:58:24:db:fe
  sshpubkeyfp (ssh-dss):
    principal: 18:0A:83:16:75:F9:79:3F:AF:F3:01:71:7D:C2:84:0B
    keytab:    92:31:BD:3E:BF:B2:27:2A:CB:08:16:4F:BB:B8:F7:8A
  sshpubkeyfp (ssh-rsa):
    principal: 9E:03:F0:A7:D2:B9:11:C6:44:25:40:93:3B:B1:42:33
    keytab:    96:A7:2E:A3:B5:13:76:00:93:0B:0C:3A:72:59:F3:6B
  cn: vm-078.example.com
  enrolledBy: uid=admin,cn=users,cn=accounts,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
  ipaUniqueID: 37183b78-84bc-11e2-9fb3-001a4a22046a
  krbExtraData:
    principal: AAJMgTRRaG9zdC92bS0wNzguaWRtLmxhYi5lbmcuYnJxLnJlZGhhdC5jb21ASURNLkxBQi5FTkcuQlJR
    keytab:    AAKrijRRaG9zdC92bS0wNzguaWRtLmxhYi5lbmcuYnJxLnJlZGhhdC5jb21ASURNLkxBQi5FTkcuQlJR
  krbLastPwdChange:
    principal: 20130304111108Z
    keytab:    20130304115107Z
  krbLastSuccessfulAuth:
    principal: 20130304111115Z
    keytab:    20130304115114Z
  krbPrincipalName: host/vm-078.example.com@EXAMPLE.COM
  managedBy: fqdn=vm-078.example.com,cn=computers,cn=accounts,dc=idm,dc=lab,dc=en
  managing: fqdn=vm-078.example.com,cn=computers,cn=accounts,dc=idm,dc=lab,dc=eng
  objectClass: ipaobject
  objectClass: nshost
  objectClass: ipahost
  objectClass: pkiuser
  objectClass: ipaservice
  objectClass: krbprincipalaux
  objectClass: krbprincipal
  objectClass: ieee802device
  objectClass: ipasshhost
  objectClass: top
  objectClass: ipaSshGroupOfPubKeys
  serverHostName: vm-078
  userCertificate:
    principal: MIIFHTCCBAWgAwIBAgIBDzANBgkqhkiG9w0BAQsFADBFMSMwIQYDVQQKExpJRE0uTEFCLkVORy5CU
    keytab:    MIIFHTCCBAWgAwIBAgIBEDANBgkqhkiG9w0BAQsFADBFMSMwIQYDVQQKExpJRE0uTEFCLkVORy5CU
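The attached comparison shows what a keytab re-enrollment is expected to change (certificate, SSH keys, Kerberos key timestamps) and what it must leave alone (ipaUniqueID, principal, fqdn, enrolledBy). The script below is an added example, not code from this post or from FreeIPA: it parses two "attribute: value" listings of the same host entry, lists the attributes that differ, and checks that invariant, so a stale entry (credentials not rotated) or a deleted-and-recreated entry (new ipaUniqueID) is reported. The IDENTITY_ATTRS and ROTATED_ATTRS sets, the dc=example,dc=com base DN and the sample entries are constructed for the example, with values abbreviated from the comparison above.

```python
# Added example; not code from the original post or from FreeIPA. Given two
# "attribute: value" listings of one host entry (before and after a keytab
# re-enrollment), report which attributes changed and check that the host kept
# its identity while its credentials were rotated.
from collections import defaultdict

# Attributes that must be identical before and after a re-enrollment (assumed set).
IDENTITY_ATTRS = ("dn", "fqdn", "ipaUniqueID", "krbPrincipalName", "enrolledBy")
# Attributes that must differ: fresh certificate, fresh SSH keys, fresh Kerberos key (assumed set).
ROTATED_ATTRS = ("userCertificate", "serial_number", "ipasshpubkey", "krbLastPwdChange")

# Constructed sample: entry as enrolled with an admin principal (values abbreviated).
BEFORE = """\
dn: fqdn=vm-078.example.com,cn=computers,cn=accounts,dc=example,dc=com
fqdn: vm-078.example.com
ipasshpubkey: ssh-dss AAAAB3NzaC1kc3MAAACBAOTFZwfVABE3UNjNgnSYRAMcfFPm7T/NiZ5z4VbyzrP+NJzjUdd+
ipasshpubkey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC/Li43jjUraASij+4jHM9peFF0a0vXBH7252vQELhc
serial_number: 15
enrolledBy: uid=admin,cn=users,cn=accounts,dc=example,dc=com
ipaUniqueID: 37183b78-84bc-11e2-9fb3-001a4a22046a
krbLastPwdChange: 20130304111108Z
krbPrincipalName: host/vm-078.example.com@EXAMPLE.COM
objectClass: ipahost
objectClass: top
userCertificate: MIIFHTCCBAWgAwIBAgIBDzANBgkqhkiG9w0BAQsFADBFMSMwIQYDVQQKExpJRE0uTEFCLkVORy5CU
"""

# Constructed sample: the same entry after re-enrolling with the backed-up keytab.
AFTER = """\
dn: fqdn=vm-078.example.com,cn=computers,cn=accounts,dc=example,dc=com
fqdn: vm-078.example.com
ipasshpubkey: ssh-dss AAAAB3NzaC1kc3MAAACBAOz9Jp42qxv3QvV3QoYOeLECuPpsVM1vrL4rS4MbKuSOPa6Nlu2Q
ipasshpubkey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDRG7ifJNlX3upFCzd6Yqmug9wVIswIj7epZyXconay
serial_number: 16
enrolledBy: uid=admin,cn=users,cn=accounts,dc=example,dc=com
ipaUniqueID: 37183b78-84bc-11e2-9fb3-001a4a22046a
krbLastPwdChange: 20130304115107Z
krbPrincipalName: host/vm-078.example.com@EXAMPLE.COM
objectClass: ipahost
objectClass: top
userCertificate: MIIFHTCCBAWgAwIBAgIBEDANBgkqhkiG9w0BAQsFADBFMSMwIQYDVQQKExpJRE0uTEFCLkVORy5CU
"""

# Constructed failure case: the entry was removed and recreated, so it carries a new ipaUniqueID.
RECREATED = AFTER.replace("37183b78-84bc-11e2-9fb3-001a4a22046a",
                          "00000000-0000-0000-0000-000000000001")  # constructed id


def parse_entry(text):
    """Parse 'attr: value' lines into {attr: [values]}; attributes may be multi-valued."""
    entry = defaultdict(list)
    for line in text.splitlines():
        if ":" not in line:
            continue  # blank or malformed line
        attr, value = line.split(":", 1)
        entry[attr.strip()].append(value.strip())
    return dict(entry)


def diff_entries(before, after):
    """Return {attr: (before_values, after_values)} for every attribute whose value set differs."""
    changed = {}
    for attr in sorted(set(before) | set(after)):
        old, new = before.get(attr, []), after.get(attr, [])
        if sorted(old) != sorted(new):
            changed[attr] = (old, new)
    return changed


def check_reenrollment(before, after):
    """Return (ok, problems): ok only if every identity attribute is unchanged
    and every credential attribute was rotated."""
    changed = diff_entries(before, after)
    problems = []
    for attr in IDENTITY_ATTRS:
        if attr not in before or attr not in after:
            problems.append(f"identity attribute missing: {attr}")
        elif attr in changed:
            problems.append(f"identity attribute changed: {attr}")
    for attr in ROTATED_ATTRS:
        if attr not in changed:
            problems.append(f"credential not rotated: {attr}")
    return (not problems, problems)


if __name__ == "__main__":
    before, after = parse_entry(BEFORE), parse_entry(AFTER)
    for attr, (old, new) in diff_entries(before, after).items():
        print(f"{attr}: {old} -> {new}")
    print(check_reenrollment(before, after))                    # (True, [])
    print(check_reenrollment(before, parse_entry(RECREATED)))   # ipaUniqueID changed
```

To use it on a real host, capture the entry's attribute listing before unenrolling and again after re-enrolling with the keytab, and feed the two captures to parse_entry in place of the constructed samples; a non-empty problems list is the signal to look at the entry by hand.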

