[Freeipa-users] ipa-getkeytab during %post

Dale Macartney dale at themacartneyclan.com
Wed Feb 8 16:06:25 UTC 2012



Thanks for the confirmation earlier Rob, that does make a lot of sense.

Am I right in assuming that running the following would not work with a
host principal? Presumably I'd need admin privileges to create a
service principal for a host.

ipa service-add HTTP/$(hostname)

I will be giving this a go for testing's sake tonight.

Dale




On 02/08/2012 04:00 PM, Rob Crittenden wrote:
> Dale Macartney wrote:
>>
> Hi JR
>
> I agree with your statement of acceptable risk.. this is my main reason
> for questioning..
>
> The ideal situation would be to run this as a satellite kickstart
> snippet for provisioning with kickstart profiles... That way I can
> utilize the existing provisioning platform for everything.
>
> At the moment everything is in dev using scripted kickstarts for testing.
>
> A host should be able to get keytabs for its own services so you
> should be able to kinit to the host service principal in /etc/keytab and
> use ipa-getkeytab.
>
> rob
>
>
> Dale
>
>
>
> On 02/08/2012 03:33 PM, JR Aquino wrote:
> >>> If you are really trying to go the route of using the password, the
> best way to accomplish that is to procedurally ADD the host ahead of
> time with the -random flag to generate a one-time-pass. Then insert that
> 1 time password dynamically into the kickstart script.
> >>>
> >>> If you want to approach the problem from a technical side and not
> procedural... I don't suppose you have Puppet ?
> >>>
> >>> You can utilize puppet to deploy a 'host provisioning' keytab that you
> then kinit -kt before issuing the other commands that require
> authentication. When it is finished, delete the keytab.
> >>>
> >>> The problem with authentication and complete hands off automation is
> that you always have to whittle it down to an area of acceptable risk
> with lots of compensating controls and logging.
> >>>
> >>>
> >>> On Feb 8, 2012, at 6:44 AM, Dale Macartney wrote:
> >>>
> >>> >
> >>> Hi Simo
> >>>
> >>> ipa-client-install is provided by the ipa-client rpm. Details below
> >>>
> >>> Name : ipa-client
> >>> Arch : x86_64
> >>> Version : 2.1.3
> >>> Release : 9.el6
> >>> Size : 222 k
> >>> Repo : installed
> >>>
> >>>
> >>> What I am trying to achieve is these two commands in a post...
> >>>
> >>> ipa service-add HTTP/$(hostname)
> >>> This definitely requires an authenticated user to add, I'm sure.
> >>>
> >>>
> >>> ipa-getkeytab -s ds01.example.com -p HTTP/$(hostname) -k /etc/squid/krb5.keytab
> >>> This one I suspect might be able to be retrieved using the host/
> >>> principal from the system after running ipa-client-install.
> >>>
> >>>
> >>> Does this help paint a picture?
> >>>
> >>>
> >>> Dale
> >>>
> >>>
> >>> On 02/08/2012 01:49 PM, Simo Sorce wrote:
> >>> >>> On Wed, 2012-02-08 at 11:13 +0000, Dale Macartney wrote:
> >>> >>>>
> >>> >>>> Morning all...
> >>> >>>>
> >>> >>>> I'm dabbling with automated provisioning of IPA client servers, and I'm
> >>> >>>> a little perplexed on how to add a keytab to a system during the %post
> >>> >>>> section of a kickstart...
> >>> >>>>
> >>> >>>> I've run ipa-client-install -U -p admin -w redhat123 which works
> >>> >>>> perfectly, but in order to run ipa-getkeytab I need a TGT, which doesn't
> >>> >>>> appear to be generated during the ipa-client-install.
> >>> >>>>
> >>> >>>> Any suggestions on doing this during a post?
> >>> >>>
> >>> >>> What version of ipa-client-install are you using ?
> >>> >>>
> >>> >>> Newer versions (2.x) should fetch a keytab for your system (needs
> >>> >>> credentials or OTP password).
> >>> >>>
> >>> >>> Simo.
> >>> >>>
> >>> >
> >>> >
> >>> > _______________________________________________
> >>> > Freeipa-users mailing list
> >>> > Freeipa-users at redhat.com
> >>> > https://www.redhat.com/mailman/listinfo/freeipa-users
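The %post sequence the thread converges on (kinit with the host keytab, then ipa-getkeytab for the HTTP service), as an added example that is not code from the thread or from FreeIPA, with the checks a practitioner would want around it: it verifies the host keytab before using it, fetches the service keytab with the host's own credentials, verifies the result and drops the ticket. The server name, service and squid keytab path are the ones from the thread; the realm, the squid group and the assumption that HTTP/<fqdn> already exists are mine.

```shell
#!/bin/sh
# Added example, not code from the thread or FreeIPA: the %post sequence the
# thread converges on, with checks. Assumes ipa-client-install already ran and
# left host/<fqdn> in /etc/krb5.keytab, and that HTTP/<fqdn> already exists.
IPA_SERVER="ds01.example.com"                  # server named in the thread
FQDN="$(hostname -f 2>/dev/null || hostname)"
REALM="${REALM:-EXAMPLE.COM}"                  # assumed; read /etc/ipa/default.conf in practice
HOST_KEYTAB="/etc/krb5.keytab"
SVC_KEYTAB="/etc/squid/krb5.keytab"            # path from the thread
HOST_PRINC="host/${FQDN}@${REALM}"
SVC_PRINC="HTTP/${FQDN}@${REALM}"

# Return 0 if the given `klist -kt` output lists the principal (any KVNO).
# Pure text check, so it can be exercised without a KDC.
keytab_has_principal() {
    # $1 = klist -kt output, $2 = full principal name
    printf '%s\n' "$1" | awk -v p="$2" '$NF == p { found = 1 } END { exit (found ? 0 : 1) }'
}

# Fetch the service keytab with the host's own credentials, so no admin
# password has to be embedded in the kickstart.
fetch_service_keytab() {
    out="$(klist -kt "$HOST_KEYTAB" 2>/dev/null)" || return 1
    if ! keytab_has_principal "$out" "$HOST_PRINC"; then
        echo "$HOST_PRINC missing from $HOST_KEYTAB; did ipa-client-install run?" >&2
        return 1
    fi
    kinit -kt "$HOST_KEYTAB" "$HOST_PRINC" || return 1
    # Same flags as in the thread. Note: ipa-getkeytab generates a new key,
    # so any earlier keytab for HTTP/<fqdn> stops working.
    ipa-getkeytab -s "$IPA_SERVER" -p "$SVC_PRINC" -k "$SVC_KEYTAB"
    rc=$?
    kdestroy                                   # drop the host TGT once done
    [ "$rc" -eq 0 ] || return 1
    out="$(klist -kt "$SVC_KEYTAB" 2>/dev/null)" || return 1
    keytab_has_principal "$out" "$SVC_PRINC" || return 1
    # Only root and squid may read the key material (group is an assumption).
    chown root:squid "$SVC_KEYTAB" && chmod 0640 "$SVC_KEYTAB"
}

# In %post: fetch_service_keytab || echo "keytab provisioning failed" >&2
```

Whether the host principal may also run `ipa service-add` is the open question in the thread, so the script does not attempt it.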
