[Freeipa-users] ipa-getkeytab automation

Dmitri Pal dpal at redhat.com
Tue Jul 13 23:33:42 UTC 2010


Doug Chapman wrote:
> Can anyone give me some tips or document links on client deployment
> automation (I'm using puppet) to update the /etc/krb5.keytab file?
>
> I'm using IPA 1.2.2 on Centos5 and it seems the direct approach is
> to script the creation of the service principals (ipa-addservice) and
> extract all of the keytabs into puppet deployed files.  Is there
> anything I'm missing?
>
> The ipa-addservice would require a human to login with a valid ticket
> in order to work; is there any way I could create a service account
> with limited permissions to allow an application to populate the
> Directory with new hosts from an external source (eg: cobbler, or a
> database of hosts) ?
>

In v2 there is also an option for automatic provisioning.
* You create a host entry in IPA and give it an OTP password.
* You pass the same OTP password to the kickstart or some other client
software.
* Client software invokes ipa-join and passes in the password. This
completes the enrollment of the host. This host will have a keytab and
will be able to work with IPA.
* The host will have permission to retrieve a keytab for a service
running on the host.
* Add a service to the IPA server.
* Run ipa-getkeytab on the client under the host identity. This will
provision a key for the service running on the host.

You can try one of the v2 alphas.

Thanks
Dmitri


> tia
> --
> DougC
> ------------------------------------------------------------------------
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users


-- 
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.
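The OTP enrollment flow Dmitri describes, written out as a script a provisioning system could run. This is an added example, not code from the original thread or from the FreeIPA project. The command names and options are the FreeIPA 2.x CLI (ipa host-add --password, ipa-join -w, ipa-getkeytab -s/-p/-k); the server name ipa.example.com, the realm EXAMPLE.COM, the host web1.example.com and the keytab paths are assumptions, and the statement that ipa service-add records the creating host as the service's manager (which is what lets the host fetch the service keytab) describes later 2.x releases and is an assumption for the alphas. DRY_RUN=1 prints each privileged command instead of running it, which is also how the example is exercised offline.

```shell
#!/bin/sh
# Added example (not from the original post or the FreeIPA project).
# Server-side functions run wherever the provisioning system holds a
# ticket that may add hosts and services; client-side functions run on
# the host being enrolled. main() chains both halves for a walk-through.
# Names below (IPA server, realm, host, keytab paths) are assumptions.

IPA_SERVER="${IPA_SERVER:-ipa.example.com}"   # assumed IPA server
REALM="${REALM:-EXAMPLE.COM}"                 # assumed Kerberos realm
KEYTAB="${KEYTAB:-/etc/krb5.keytab}"          # host keytab written by ipa-join

# Execute a command, or print it when DRY_RUN=1. Dry-run output contains
# the OTP, so do not capture it into a log.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    echo "$*"
  else
    "$@"
  fi
}

# 128 bits from the kernel RNG, base64 minus characters that are awkward
# on a kernel command line or in a kickstart file.
make_otp() {
  head -c 16 /dev/urandom | base64 | tr -d '/+=\n'
}

# Server side: create the host entry with a one-time password. The OTP is
# consumed by the first successful ipa-join, so it is useless afterwards.
server_add_host() {
  fqdn="$1"; otp="$2"
  run ipa host-add "$fqdn" --password="$otp"
}

# Server side: register the service principal the host will later fetch a
# key for. Assumption: as in later 2.x releases, the host named in the
# principal is recorded as the service's manager, which is the permission
# the host needs for ipa-getkeytab.
server_add_service() {
  svc="$1"; fqdn="$2"
  run ipa service-add "$svc/$fqdn@$REALM"
}

# Client side: enroll with the OTP; ipa-join writes the host keytab.
client_join() {
  fqdn="$1"; otp="$2"
  run ipa-join -s "$IPA_SERVER" -h "$fqdn" -w "$otp" -k "$KEYTAB"
  run chmod 0600 "$KEYTAB"
}

# True when the keytab already holds the given principal.
keytab_has_principal() {
  klist -k -t "$1" 2>/dev/null | grep -qF "$2"
}

# Client side: authenticate as the host principal and fetch a key for the
# service. ipa-getkeytab generates a NEW key every time it runs, so any
# other copy of this service's keytab stops working; the guard keeps a
# repeated configuration-management run from rotating the key by accident.
client_get_service_keytab() {
  svc="$1"; fqdn="$2"; svc_keytab="$3"
  if keytab_has_principal "$svc_keytab" "$svc/$fqdn@$REALM"; then
    return 0
  fi
  run kinit -k -t "$KEYTAB" "host/$fqdn@$REALM"
  run ipa-getkeytab -s "$IPA_SERVER" -p "$svc/$fqdn@$REALM" -k "$svc_keytab"
  run chmod 0600 "$svc_keytab"
}

# Whole flow for one host: usage  DRY_RUN=1 sh enroll.sh web1.example.com HTTP
main() {
  fqdn="$1"; svc="${2:-HTTP}"
  otp=$(make_otp)
  server_add_host "$fqdn" "$otp"
  server_add_service "$svc" "$fqdn"
  client_join "$fqdn" "$otp"
  client_get_service_keytab "$svc" "$fqdn" "/etc/$svc.keytab"
}

case "${1:-}" in
  "") ;;            # no arguments: only define the functions
  *) main "$@" ;;
esac
```

The OTP replaces the human ticket Doug asks about: the provisioning system needs rights to add hosts and services, but the host itself never sees anything more than its own single-use password, and once joined it uses its own host principal to fetch service keys. The guard in client_get_service_keytab matters for puppet: because ipa-getkeytab issues a fresh key on every call, re-running it on each agent run would invalidate the previous keytab.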

