[Freeipa-users] Split enrollment (adding hosts via kickstart)
Ian Levesque
ian at crystal.harvard.edu
Wed May 16 18:42:07 UTC 2012
On May 16, 2012, at 10:02 AM, Rob Crittenden wrote:
> Ian Levesque wrote:
>>
>> On May 15, 2012, at 6:14 PM, Rob Crittenden wrote:
>>
>>> Don't set the principal and it will work, just drop the --principal bit. The principal doesn't exist yet which is why things are failing (or more precisely, the principal with that principal key doesn't exist yet).
>>
>> No luck:
>>
>> Joining realm failed: Incorrect password.
>> Installation failed. Rolling back changes.
>>
>> I thought the point of doing the host-add was to set up a host principal with a one-time password. Without specifying the host principal, isn't the ipa-client-install trying to use the specified password to auth me, and not the host?
>
> Bulk enrollment is done using a one-time password. No Kerberos credentials are created (though it still works if a krbPrincipalName is set in the host entry).
>
> The userPassword attribute is set to the password and the client installer does a simple bind using the dn of the host as the user and the provided password to do the enrollment. The enrollment process removes the userPassword attribute when a successful bind occurs.
>
> I'd suggest resetting the password on the host and trying again.
Hi Rob, et al -
I tried again, and am pasting all the output below. Is there something I'm missing?
Cheers,
Ian
--- server ---
[sbgrid-directory]# ipa host-del ian-ultra24-dmz.in.hwlab
---------------------------------------
Deleted host "ian-ultra24-dmz.in.hwlab"
[sbgrid-directory]# ipa host-find ian-ultra24-dmz.in.hwlab
---------------
0 hosts matched
[sbgrid-directory]# ipa host-add ian-ultra24-dmz.in.hwlab --password=foobar
-------------------------------------
Added host "ian-ultra24-dmz.in.hwlab"
-------------------------------------
Host name: ian-ultra24-dmz.in.hwlab
Keytab: False
Password: True
Managed by: ian-ultra24-dmz.in.hwlab
--- client ---
[ian-ultra24-dmz]# ipa-client-install --hostname=ian-ultra24-dmz.in.hwlab --domain=in.hwlab -w=foobar \
--realm=SBGRID.ORG --server=sbgrid-directory.in.hwlab --unattended
DNS domain 'sbgrid.org' is not configured for automatic KDC address lookup.
KDC address will be set to fixed value.
Discovery was successful!
Hostname: ian-ultra24-dmz.in.hwlab
Realm: SBGRID.ORG
DNS Domain: in.hwlab
IPA Server: sbgrid-directory.in.hwlab
BaseDN: dc=sbgrid,dc=org
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync.
Joining realm failed: Incorrect password.
Installation failed. Rolling back changes.
[ian-ultra24-dmz]# ipa-client-install --hostname=ian-ultra24-dmz.in.hwlab --domain=in.hwlab --realm=SBGRID.ORG --server=sbgrid-directory.in.hwlab
DNS domain 'sbgrid.org' is not configured for automatic KDC address lookup.
KDC address will be set to fixed value.
Discovery was successful!
Hostname: ian-ultra24-dmz.in.hwlab
Realm: SBGRID.ORG
DNS Domain: in.hwlab
IPA Server: sbgrid-directory.in.hwlab
BaseDN: dc=sbgrid,dc=org
Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: ian
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync.
Password for ian at SBGRID.ORG:
Enrolled in IPA realm SBGRID.ORG
Created /etc/ipa/default.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm SBGRID.ORG
SSSD enabled
NTP enabled
Client configuration complete.
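The one-time-password flow Rob describes (the client does a simple bind as the host's DN with the userPassword that host-add set), replayed as an added example that is not from the thread or from FreeIPA itself: it parses the pasted client command line the way an optparse-based installer would (an assumption about ipa-client-install) and derives the bind DN assuming FreeIPA's fqdn=<host>,cn=computers,cn=accounts,<basedn> layout. The `-w=foobar` spelling from the first client run is fed through next to the equivalent forms so the password each one actually yields can be compared.

```python
"""Added diagnostic example (not from the thread): shows which bind DN and
password an OTP enrollment would present, for each spelling of the -w option.
Assumes the client parses options with Python's optparse and that FreeIPA
keeps host entries under cn=computers,cn=accounts,<basedn>."""
from optparse import OptionParser

# Values copied from the pasted session (constructed, no live server involved)
HOSTNAME = "ian-ultra24-dmz.in.hwlab"
BASEDN = "dc=sbgrid,dc=org"


def parse_client_args(argv):
    """Mimic an optparse-based ipa-client-install option table (assumption)."""
    parser = OptionParser()
    parser.add_option("--hostname", dest="hostname")
    parser.add_option("--domain", dest="domain")
    parser.add_option("--realm", dest="realm")
    parser.add_option("--server", dest="server")
    parser.add_option("-w", "--password", dest="password")
    parser.add_option("--unattended", action="store_true", default=False)
    opts, _ = parser.parse_args(argv)
    return opts


def host_bind_dn(hostname, basedn):
    """DN the installer binds as during OTP enrollment (assumed layout)."""
    return "fqdn=%s,cn=computers,cn=accounts,%s" % (hostname, basedn)


def credentials_for(argv):
    """Return (bind_dn, password) the client would use for the simple bind."""
    opts = parse_client_args(argv)
    return host_bind_dn(opts.hostname, BASEDN), opts.password


if __name__ == "__main__":
    # optparse treats everything after a short option as its value, so the
    # three spellings below do not all hand the server the same password.
    for argv in (
        ["--hostname=" + HOSTNAME, "-w=foobar", "--unattended"],
        ["--hostname=" + HOSTNAME, "-w", "foobar", "--unattended"],
        ["--hostname=" + HOSTNAME, "--password=foobar", "--unattended"],
    ):
        dn, pw = credentials_for(argv)
        print("%-50s -> bind as %s with password %r" % (" ".join(argv), dn, pw))
```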