[Freeipa-users] ipa-getkeytab during %post
Rob Crittenden
rcritten at redhat.com
Wed Feb 8 16:00:59 UTC 2012
Dale Macartney wrote:
>
> Hi JR
>
> I agree with your statement of acceptable risk. This is my main reason
> for questioning.
>
> The ideal situation would be to run this as a satellite kickstart
> snippet for provisioning with kickstart profiles... That way I can
> utilize the existing provisioning platform for everything.
>
> At the moment everything is in dev using scripted kickstarts for testing.
A host should be able to get keytabs for its own services so you should
be able to kinit to the host service principal in /etc/keytab and use
ipa-getkeytab.
rob
>
> Dale
>
>
>
> On 02/08/2012 03:33 PM, JR Aquino wrote:
>> If you are really trying to go the route of using the password, the
>> best way to accomplish that is to procedurally ADD the host ahead of
>> time with the -random flag to generate a one-time-pass. Then insert that
>> 1 time password dynamically into the kickstart script.
>>
>> If you want to approach the problem from a technical side and not
>> procedural... I don't suppose you have Puppet ?
>>
>> You can utilize puppet to deploy a 'host provisioning' keytab that you
>> then kinit -kt before issuing the other commands that require
>> authentication. When it is finished, delete the keytab.
>>
>> The problem with authentication and complete hands off automation is
>> that you always have to whittle it down to an area of acceptable risk
>> with lots of compensating controls and logging.
>>
>>
>> On Feb 8, 2012, at 6:44 AM, Dale Macartney wrote:
>>
>> >
>> Hi Simo
>>
>> ipa-client-install is provided by the ipa-client rpm. Details below
>>
>> Name : ipa-client
>> Arch : x86_64
>> Version : 2.1.3
>> Release : 9.el6
>> Size : 222 k
>> Repo : installed
>>
>>
>> What I am trying to achieve is these two commands in a post...
>>
>> ipa service-add HTTP/$(hostname)
>> this definitely requires an authenticated user to add, I'm sure
>>
>>
>> ipa-getkeytab -s ds01.example.com -p HTTP/$(hostname) -k
>> /etc/squid/krb5.keytab
>> this one I suspect might be able to be retrieved using the host/
>> principal from the system after running ipa-client-install.
>>
>>
>> Does this help paint a picture?
>>
>>
>> Dale
>>
>>
>> On 02/08/2012 01:49 PM, Simo Sorce wrote:
>> >>> On Wed, 2012-02-08 at 11:13 +0000, Dale Macartney wrote:
>> >>>>
>> >>>> morning all...
>> >>>>
>> >>>> I'm dabbling with automated provisioning of ipa client servers,
>> >>>> and I'm a little perplexed on how to add a keytab to a system
>> >>>> during the %post section of a kickstart...
>> >>>>
>> >>>> I've run ipa-client-install -U -p admin -w redhat123 which works
>> >>>> perfect, but in order to run ipa-getkeytab I need a tgt, which
>> >>>> doesn't appear to be generated during the ipa-client-install.
>> >>>>
>> >>>> any suggestions on doing this during a post?
>> >>>
>> >>> What version of ipa-client-install are you using ?
>> >>>
>> >>> Newer versions (2.x) should fetch a keytab for your system (needs
>> >>> credentials or OTP password).
>> >>>
>> >>> Simo.
>> >>>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
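As an added example (not code from the thread or from the FreeIPA project), the following %post fragment does what Rob describes: it authenticates with the host's own keytab that ipa-client-install already wrote, makes sure the HTTP service entry exists, and fetches the service keytab with ipa-getkeytab. It assumes the host is enrolled, reads the realm from /etc/krb5.conf instead of hard-coding it, and takes ds01.example.com and /etc/squid/krb5.keytab from Dale's message; the RUN_POST_PROVISION guard, the squid file ownership and the private credential cache are assumptions. Creating the service entry with host credentials only works if the host has been granted that permission; otherwise pre-create the service with admin credentials before provisioning, which is what JR's procedural approach implies.

```shell
#!/bin/sh
# Added example for a kickstart %post: fetch an HTTP service keytab using the
# host's own credentials. Not from the original thread. Assumes
# ipa-client-install has already enrolled the host and written
# /etc/krb5.keytab and /etc/krb5.conf.
set -eu

IPA_SERVER="${IPA_SERVER:-ds01.example.com}"                 # from the thread
SERVICE_KEYTAB="${SERVICE_KEYTAB:-/etc/squid/krb5.keytab}"   # from the thread
HOST_KEYTAB="${HOST_KEYTAB:-/etc/krb5.keytab}"               # written by ipa-client-install
KRB5_CONF="${KRB5_CONF:-/etc/krb5.conf}"                     # written by ipa-client-install

# Read default_realm from krb5.conf so the realm is not hard-coded in the kickstart.
default_realm() {  # $1=path to krb5.conf
    sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# Build the fully qualified principal name: SERVICE/fqdn@REALM
service_principal() {  # $1=service (host, HTTP), $2=fqdn, $3=realm
    printf '%s/%s@%s\n' "$1" "$2" "$3"
}

# Returns 0 if the keytab already holds keys for the principal. ipa-getkeytab
# generates fresh keys on the server, which would invalidate any existing copy
# of the keytab, so an existing entry is treated as "already provisioned".
keytab_has_principal() {  # $1=keytab path, $2=principal
    [ -r "$1" ] && klist -kt "$1" 2>/dev/null | grep -q -F " $2"
}

provision_http_keytab() {
    fqdn=$(hostname -f)
    realm=$(default_realm "$KRB5_CONF")
    host_princ=$(service_principal host "$fqdn" "$realm")
    http_princ=$(service_principal HTTP "$fqdn" "$realm")

    if keytab_has_principal "$SERVICE_KEYTAB" "$http_princ"; then
        echo "$SERVICE_KEYTAB already contains $http_princ; not regenerating keys" >&2
        return 0
    fi

    # Private credential cache for this run only (assumed path); destroyed on exit.
    KRB5CCNAME="FILE:/tmp/krb5cc_post.$$"
    export KRB5CCNAME
    trap 'kdestroy -q 2>/dev/null || true' EXIT

    # Authenticate as the host principal using the keytab ipa-client-install left behind.
    kinit -kt "$HOST_KEYTAB" "$host_princ"

    # The service entry must exist before a keytab can be fetched for it.
    ipa service-show "$http_princ" >/dev/null 2>&1 || ipa service-add "$http_princ"

    # Fetch the service keytab, as in Dale's message, then lock it down for squid
    # (owner assumed; adjust for the service that reads it).
    ipa-getkeytab -s "$IPA_SERVER" -p "$http_princ" -k "$SERVICE_KEYTAB"
    chown squid:squid "$SERVICE_KEYTAB"
    chmod 0600 "$SERVICE_KEYTAB"

    # Show what was written so the kickstart log records the result.
    klist -kt "$SERVICE_KEYTAB"
}

# Only run when invoked for real from %post (RUN_POST_PROVISION=1, an assumed
# guard); sourcing the file just defines the functions.
if [ "${RUN_POST_PROVISION:-0}" = 1 ]; then
    provision_http_keytab
fi
```

The host-credential path avoids putting an admin password such as the one in the original ipa-client-install command into the kickstart at all: the only secret on the box is the host keytab the enrollment already created, and the credential cache is destroyed when %post finishes.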