[Freeipa-users] ipa-getkeytab automation
Dmitri Pal
dpal at redhat.com
Tue Jul 13 23:33:42 UTC 2010
Doug Chapman wrote:
> Can anyone give me some tips or document links on client deployment
> automation (I'm using puppet) to update the /etc/krb5.keytab file?
>
> I'm using IPA 1.2.2 on Centos5 and it seems the direct approach is
> to script the creation of the service principals (ipa-addservice) and
> extract all of the keytabs into puppet deployed files. Is there
> anything I'm missing?
>
> The ipa-addservice would require a human to login with a valid ticket
> in order to work; is there any way I could create a service account
> with limited permissions to allow an application to populate the
> Directory with new hosts from an external source (eg: cobbler, or a
> database of hosts) ?
>
In v2 there is also an option for automatic provisioning.
* You create a host entry in the IPA and give it an OTP password.
* You pass the same OTP password to the kickstart or some other client
software
* Client software invokes ipa-join and passes in the password. This
completes the enrollment of the host. This host will have a keytab and
would be able to work with IPA.
* The host will have permissions to retrieve a keytab for a service
running on the host.
* Add a service to IPA server
* Run ipa-getkeytab on the client under host identity. This will
provision a key for the service running on the host.
You can try one of the v2 alphas.
Thanks
Dmitri
> tia
> --
> DougC
--
Thank you,
Dmitri Pal
Engineering Manager IPA project,
Red Hat Inc.
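The client-side half of the v2 flow described above (ipa-join with the host OTP, then ipa-getkeytab under the host identity), as an added sh example that is not from the thread or the FreeIPA project. The server name, keytab paths, service principal and the DRY_RUN switch are placeholders of mine; the permission check assumes GNU stat.

```shell
#!/bin/sh
# Client-side provisioning for a kickstart %post or a puppet exec resource.
# Placeholders (not from the thread): IPA_SERVER, SVC_KEYTAB and the
# service principal passed by the caller. The OTP should never be baked
# into a puppet manifest; hand it to each host out of band.
set -eu

IPA_SERVER="${IPA_SERVER:-ipa.example.com}"             # placeholder
KEYTAB="${KEYTAB:-/etc/krb5.keytab}"
SVC_KEYTAB="${SVC_KEYTAB:-/etc/httpd/conf/ipa.keytab}"  # placeholder

# Run a command, or only print it when DRY_RUN=1 (used for testing).
run() { if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Step 1: enrol with the host OTP that the admin set via `ipa host-add
# --password`; no user ticket is needed and the OTP is consumed by this join.
join_host() {               # $1 = host FQDN, $2 = OTP
    run ipa-join -s "$IPA_SERVER" -h "$1" -k "$KEYTAB" -w "$2"
}

# Step 2: act as the host (kinit from its keytab) and pull the key for a
# service that the admin added with `ipa service-add`.
fetch_service_keytab() {    # $1 = host FQDN, $2 = service principal
    run kinit -k -t "$KEYTAB" "host/$1"
    run ipa-getkeytab -s "$IPA_SERVER" -p "$2" -k "$SVC_KEYTAB"
}

# A keytab is a long-term key: anything other than mode 0600 is a finding.
keytab_mode_ok() {          # $1 = path (GNU stat assumed)
    [ "$(stat -c '%a' "$1")" = "600" ]
}

enroll() {                  # $1 = host FQDN, $2 = OTP, $3 = service principal
    join_host "$1" "$2"
    fetch_service_keytab "$1" "$3"
    [ "${DRY_RUN:-0}" = "1" ] && return 0
    chmod 600 "$KEYTAB" "$SVC_KEYTAB"
    keytab_mode_ok "$KEYTAB" && keytab_mode_ok "$SVC_KEYTAB"
    klist -kt "$SVC_KEYTAB"   # confirm the service key is present
}
```

Invoke as `enroll "$(hostname -f)" "$IPA_OTP" "HTTP/$(hostname -f)"` from the post-install step; the host keytab stays on the machine that generated it instead of passing through the configuration-management server.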