[Freeipa-users] ipa-getkeytab during %post

Dale Macartney dale at themacartneyclan.com
Wed Feb 8 15:49:17 UTC 2012


Hi JR

I agree with your statement of acceptable risk... this is my main reason
for questioning...

The ideal situation would be to run this as a satellite kickstart
snippet for provisioning with kickstart profiles... That way I can
utilize the existing provisioning platform for everything.

At the moment everything is in dev using scripted kickstarts for testing.

Dale



On 02/08/2012 03:33 PM, JR Aquino wrote:
> If you are really trying to go the route of using the password, the
> best way to accomplish that is to procedurally ADD the host ahead of
> time with the -random flag to generate a one-time-pass. Then insert that
> 1 time password dynamically into the kickstart script.
>
> If you want to approach the problem from a technical side and not
> procedural... I don't suppose you have Puppet?
>
> You can utilize puppet to deploy a 'host provisioning' keytab that you
> then kinit -kt before issuing the other commands that require
> authentication. When it is finished, delete the keytab.
>
> The problem with authentication and complete hands off automation is
> that you always have to whittle it down to an area of acceptable risk
> with lots of compensating controls and logging.
>
>
> On Feb 8, 2012, at 6:44 AM, Dale Macartney wrote:
>
>>
>> Hi Simo
>>
>> ipa-client-install is provided by the ipa-client rpm. Details below
>>
>> Name : ipa-client
>> Arch : x86_64
>> Version : 2.1.3
>> Release : 9.el6
>> Size : 222 k
>> Repo : installed
>>
>>
>> What I am trying to achieve is these two commands in a post...
>>
>> ipa service-add HTTP/$(hostname)
>> this definitely requires an authenticated user to add, I'm sure
>>
>>
>> ipa-getkeytab -s ds01.example.com -p HTTP/$(hostname) -k
>> /etc/squid/krb5.keytab
>> this one I suspect might be able to be retrieved using the host/
>> principal from the system after running ipa-client-install.
>>
>>
>> Does this help paint a picture?
>>
>>
>> Dale
>>
>>
>> On 02/08/2012 01:49 PM, Simo Sorce wrote:
>>> On Wed, 2012-02-08 at 11:13 +0000, Dale Macartney wrote:
>>>> morning all...
>>>>
>>>> I'm dabbling with automated provisioning of ipa client servers,
>>>> and I'm a little perplexed on how to add a keytab to a system during
>>>> the %post section of a kickstart...
>>>>
>>>> I've run ipa-client-install -U -p admin -w redhat123 which works
>>>> perfectly, but in order to run ipa-getkeytab I need a tgt, which doesn't
>>>> appear to be generated during the ipa-client-install.
>>>>
>>>> any suggestions on doing this during a post?
>>>
>>> What version of ipa-client-install are you using?
>>>
>>> Newer versions (2.x) should fetch a keytab for your system (needs
>>> credentials or OTP password).
>>>
>>> Simo.
>>>
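As an added example (not code from this thread or from FreeIPA itself), a Python helper for the provisioning side of the flow JR describes: pre-add the host as an admin with `ipa host-add --random`, read the one-time password from the `--raw` output, and render a kickstart %post that enrolls with that OTP and then uses a short-lived provisioning keytab for `ipa service-add` and `ipa-getkeytab` before shredding it. The function names, the provisioning principal and keytab path, the sample output and its layout are assumptions.

```python
import subprocess

# Constructed sample of `ipa host-add --random --raw` output (assumed layout:
# one "attribute: value" line per attribute, the OTP under "randompassword").
SAMPLE_HOST_ADD_OUTPUT = """\
  fqdn: web01.example.com
  randompassword: Zq3Xy9pLmWq2
  krbprincipalname: host/web01.example.com@EXAMPLE.COM
"""

def parse_random_password(raw_output):
    """Pull the one-time password out of host-add --raw output."""
    for line in raw_output.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and key.strip().lower() == "randompassword":
            return value.strip()
    raise ValueError("no randompassword attribute in host-add output")

def add_host_with_otp(fqdn):
    """Admin side (needs a valid admin TGT): register the host, return its OTP."""
    proc = subprocess.run(["ipa", "host-add", fqdn, "--random", "--raw"],
                          check=True, capture_output=True, text=True)
    return parse_random_password(proc.stdout)

def render_post_section(fqdn, otp, ipa_server, services,
                        provision_keytab="/root/provision.keytab",
                        provision_principal="provisioner"):
    """Kickstart %post for one host. The OTP is single-use and only enrolls
    this host; service-add/getkeytab need a privileged principal, so a
    provisioning keytab (hypothetical name, assumed to be dropped on the box
    by the config-management step) is used briefly and then shredded."""
    lines = [
        "%post --log=/root/ipa-post.log",
        "set -e",
        "ipa-client-install -U --hostname=%s -w '%s'" % (fqdn, otp),
        "kinit -kt %s %s" % (provision_keytab, provision_principal),
    ]
    for prefix, keytab_path in services:
        principal = "%s/%s" % (prefix, fqdn)
        lines.append("ipa service-add %s" % principal)
        lines.append("ipa-getkeytab -s %s -p %s -k %s"
                     % (ipa_server, principal, keytab_path))
    lines += ["kdestroy", "shred -u %s" % provision_keytab, "%end"]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    otp = parse_random_password(SAMPLE_HOST_ADD_OUTPUT)  # offline demo
    print(render_post_section("web01.example.com", otp, "ds01.example.com",
                              [("HTTP", "/etc/squid/krb5.keytab")]))
```

Because the OTP is consumed by the first enrollment, a leaked copy of the rendered %post is worth little afterwards; the provisioning keytab is the credential to audit and rotate.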
