[Freeipa-users] ipa-getkeytab during %post

Rob Crittenden rcritten at redhat.com
Wed Feb 8 16:00:59 UTC 2012


Dale Macartney wrote:
>
> Hi JR
>
> I agree with your statement of acceptable risk. This is my main reason
> for questioning.
>
> The ideal situation would be to run this as a Satellite kickstart
> snippet for provisioning with kickstart profiles. That way I can
> utilize the existing provisioning platform for everything.
>
> At the moment everything is in dev using scripted kickstarts for testing.

A host should be able to get keytabs for its own services so you should 
be able to kinit to the host service principal in /etc/keytab and use 
ipa-getkeytab.

rob

>
> Dale
>
>
>
> On 02/08/2012 03:33 PM, JR Aquino wrote:
>>  If you are really trying to go the route of using the password, the
>>  best way to accomplish that is to procedurally ADD the host ahead of
>>  time with the --random flag to generate a one-time password. Then insert
>>  that one-time password dynamically into the kickstart script.
>>
>>  If you want to approach the problem from a technical side and not
>>  procedural... I don't suppose you have Puppet?
>>
>>  You can utilize Puppet to deploy a 'host provisioning' keytab that you
>>  then kinit -kt before issuing the other commands that require
>>  authentication. When it is finished, delete the keytab.
>>
>>  The problem with authentication and complete hands-off automation is
>>  that you always have to whittle it down to an area of acceptable risk
>>  with lots of compensating controls and logging.
>>
>>
>>  On Feb 8, 2012, at 6:44 AM, Dale Macartney wrote:
>>
>> >
>>  Hi Simo
>>
>>  ipa-client-install is provided by the ipa-client rpm. Details below
>>
>>  Name : ipa-client
>>  Arch : x86_64
>>  Version : 2.1.3
>>  Release : 9.el6
>>  Size : 222 k
>>  Repo : installed
>>
>>
>>  What I am trying to achieve is these two commands in a post...
>>
>>  ipa service-add HTTP/$(hostname)
>>  This definitely requires an authenticated user to add, I'm sure.
>>
>>
>>  ipa-getkeytab -s ds01.example.com -p HTTP/$(hostname) -k
>>  /etc/squid/krb5.keytab
>>  This one, I suspect, might be retrievable using the host/
>>  principal from the system after running ipa-client-install.
>>
>>
>>  Does this help paint a picture?
>>
>>
>>  Dale
>>
>>
>>  On 02/08/2012 01:49 PM, Simo Sorce wrote:
>>  >>> On Wed, 2012-02-08 at 11:13 +0000, Dale Macartney wrote:
>>  >>>>
>>  >>>> morning all...
>>  >>>>
>>  >>>> I'm dabbling with automated provisioning of IPA client servers,
>>  >>>> and I'm a little perplexed on how to add a keytab to a system
>>  >>>> during the %post section of a kickstart...
>>  >>>>
>>  >>>> I've run ipa-client-install -U -p admin -w redhat123 which works
>>  >>>> perfectly, but in order to run ipa-getkeytab I need a TGT, which
>>  >>>> doesn't appear to be generated during the ipa-client-install.
>>  >>>>
>>  >>>> Any suggestions on doing this during a post?
>>  >>>
>>  >>> What version of ipa-client-install are you using?
>>  >>>
>>  >>> Newer versions (2.x) should fetch a keytab for your system (needs
>>  >>> credentials or an OTP password).
>>  >>>
>>  >>> Simo.
>>  >>>
>>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
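Putting Rob's and JR's suggestions together as a single %post fragment. This is an added example written for this page, not code from the thread or from the FreeIPA project. The server name ds01.example.com, the HTTP service and the squid keytab path come from Dale's message; the domain example.com, the realm EXAMPLE.COM, the host name web01.example.com used when exercising it, and the assumption that an admin created the HTTP/<fqdn> service entry at the same time as pre-adding the host with `ipa host-add --random` are mine. The one-time password from that host-add is the script's only argument. With DRY_RUN=1 the script records the commands it would run instead of executing them, which is how it can be checked on a machine with no IPA server.

```shell
#!/bin/sh
# Kickstart %post fragment: enrol the host with a one-time password, then use
# the host keytab, not an admin TGT, to fetch the keytab for HTTP/<fqdn>.
# Added example for this thread; not FreeIPA project code.
set -eu

IPA_SERVER="${IPA_SERVER:-ds01.example.com}"    # server named in the thread
IPA_DOMAIN="${IPA_DOMAIN:-example.com}"         # assumed DNS domain
IPA_REALM="${IPA_REALM:-EXAMPLE.COM}"           # assumed Kerberos realm
HOST_KEYTAB="${HOST_KEYTAB:-/etc/krb5.keytab}"  # written by ipa-client-install
DRY_RUN="${DRY_RUN:-0}"                         # 1 = record commands, do not run them
RUN_LOG=""

# run CMD ARGS...: execute the command, or in dry-run mode append the command
# line to RUN_LOG. The dry-run log contains any OTP given on a command line,
# so do not ship it to a shared log.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        RUN_LOG="${RUN_LOG}$*
"
    else
        "$@"
    fi
}
logged_cmd()   { printf '%s' "$RUN_LOG" | sed -n "${1}p"; }   # N-th recorded command
logged_count() { printf '%s' "$RUN_LOG" | grep -c ''; }       # number recorded

# Principal names for this realm.
host_principal()    { printf 'host/%s@%s\n' "$1" "$IPA_REALM"; }
service_principal() { printf '%s/%s@%s\n' "$1" "$2" "$IPA_REALM"; }

# enroll_with_otp FQDN OTP: JR's procedural route. An admin ran
# `ipa host-add --random FQDN` beforehand; the resulting one-time password is
# good for a single enrolment, so no reusable admin password sits in %post.
enroll_with_otp() {
    fqdn="$1"; otp="$2"
    run ipa-client-install --unattended --hostname="$fqdn" \
        --server="$IPA_SERVER" --domain="$IPA_DOMAIN" --realm="$IPA_REALM" \
        --password="$otp"
}

# fetch_service_keytab SERVICE FQDN KEYTAB [OWNER]: Rob's route. kinit as the
# host principal from the host keytab, fetch the service keytab, then drop
# the ticket again. The service entry (HTTP/FQDN) is assumed to have been
# created by the admin together with the host, since service-add needs an
# authenticated user; the host only has to retrieve keytabs for its own
# services.
fetch_service_keytab() {
    svc="$1"; fqdn="$2"; keytab="$3"; owner="${4:-root}"
    run kinit -kt "$HOST_KEYTAB" "$(host_principal "$fqdn")"
    # ipa-getkeytab generates a new key on the server, which invalidates any
    # keytab fetched earlier for this principal: run it once per provisioning.
    run ipa-getkeytab -s "$IPA_SERVER" \
        -p "$(service_principal "$svc" "$fqdn")" -k "$keytab"
    run chown "$owner:$owner" "$keytab"
    run chmod 0400 "$keytab"
    run kdestroy
}

# verify_keytab KEYTAB PRINCIPAL: post-install check that the principal is in
# the file. Exits non-zero (and so fails %post under set -e) if it is not.
verify_keytab() {
    klist -kt "$1" | grep -Fq "$2"
}

# Usage in %post:  sh provision.sh <otp>   (the provisioning system fills in
# the OTP). With no argument nothing runs, which keeps the file sourceable.
if [ $# -gt 0 ]; then
    fqdn="$(hostname)"     # the thread uses $(hostname); it must be the FQDN
    enroll_with_otp "$fqdn" "$1"
    fetch_service_keytab HTTP "$fqdn" /etc/squid/krb5.keytab squid
    verify_keytab /etc/squid/krb5.keytab "$(service_principal HTTP "$fqdn")"
fi
```

The kinit is against the host principal in /etc/krb5.keytab, which ipa-client-install writes during enrolment, so neither an admin password nor an admin TGT ever appears in the kickstart. Because ipa-getkeytab resets the principal's key on the server each time it runs, fetch the service keytab exactly once per build and leave it readable only by the service user; a second fetch from another box silently breaks the first.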



