[Freeipa-users] Howto re-deploy an IPA-client using kickstart

Fred van Zwieten fvzwieten at vxcompany.com
Fri Jan 18 11:52:55 UTC 2013


Hi Dmitri,

Sorry for the late reply. I basically want to do the same as Charlie
Derwent in another thread on this mailing list: To fully automate the
re-installation of a server using Satellite/Spacewalk using kickstart. As
the server is an IPA client, it must first get to be un-enrolled, before an
ipa-client-install --unattended -w secret etc. can be done in a %post
snippet of the kickstart file. It is the automation of the unenrollment
process that we are not able to set up.

What I can do on any ipa-client to unenroll on the command line is:

ipa --disable-host <server> and ipa host-mod --password=secret --ssh=

This unprovisions the client, sets an OTP and removes the host ssh keys.

However, this can only be done on an IPA client, and during a kickstart
install the server is no longer an IPA client, because it is freshly being
set up.

It's a typical chicken-and-egg issue. You must first be an ipa client to be
able to execute ipa commands, but you cannot become an ipa client before
unprovisioning yourself using those same ipa commands.

Another approach would be to unprovision the client just before the reboot
to be kickstarted, however, I have no idea how to set that up. It would
mean the server has to know somehow it is being rebooted because of a
re-install, but afaik, there is no way for satellite/spacewalk to tell the
server this.

Regards,

Fred




On Sat, Jan 12, 2013 at 10:06 PM, Dmitri Pal <dpal at redhat.com> wrote:

>  On 01/12/2013 03:28 AM, Fred van Zwieten wrote:
>
> Hi there,
>
>  We are in the process of implementing Satellite and want to automate
> server installations 100% using kickstart, cobbler, satellite.
>
>  IPA clients can be scripted enrolled using kickstart. Plenty of
> documentation about that.
>
>  However, how to "re"-enroll IPA clients?
>
>  Satellite gives me the option to re-install a server. In this case,
> there are still host and possibly service records for this host present in
> IPA and DNS.
>
>  One way to think about this is, that it's actually OK to keep those
> records there, because it is a "re"-installation, so why remove and
> re-enroll? However, there is the krb5.keytab in /etc. I could save that
> file during redeployment, but I'm not sure if that will work. And are
> there any other gotchas?
>
>  So, the question is, how to re-install an IPA client using kickstart
> (silent re-install)?
>
>
> The question is how/do you remove the client?
> Based on what you say above you use the same system so there are some
> leftovers. If you can run ipa-client-install --uninstall it should clean
> things like keytab and certs (there have been bugs fixed in freeIPA 3.0).
> If the client has access to the server it will clean (not remove) the host
> entry too. Then you can re-run the install. If you use OTP you would need
> to reset OTP first.
>
>
> Regards,
>
>  Fred
>
>
>
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>
>
>
>
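Added example, not part of the original message or of FreeIPA itself: the unprovision, OTP, re-enroll sequence described above, driven from a machine that is already an IPA client instead of from the host being rebuilt. Assumptions: the function names, the DRY_RUN switch and web01.example.com are hypothetical, and --sshpubkey= is written out as the full host-mod option for clearing SSH keys.

```shell
#!/bin/sh
# Added example, not from the thread. Run on a machine that is already an IPA
# client (assumption: the provisioning host) with an admin Kerberos ticket.
# DRY_RUN=1 (default) prints the ipa commands instead of running them.
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# 32 hex characters from the kernel CSPRNG, used once as enrollment password.
gen_otp() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# reset_host FQDN OTP: unprovision the host entry, then arm it with an OTP.
reset_host() {
    host="$1"; otp="$2"
    case "$host" in
        ''|*[!A-Za-z0-9.-]*) echo "invalid host name: $host" >&2; return 2 ;;
    esac
    [ -n "$otp" ] || { echo "empty OTP" >&2; return 2; }
    # Order matters: IPA refuses to set a password on an enrolled host,
    # so the old keytab and certificate are disabled first.
    run ipa host-disable "$host" || return 1
    # Set the OTP and clear the stored SSH public keys of the old install.
    run ipa host-mod "$host" "--password=$otp" --sshpubkey= || return 1
}

# kickstart_post OTP: print the %post fragment for the re-install.
# Site-specific options (the "etc." in the mail) are left out.
kickstart_post() {
    printf '%%post\nipa-client-install --unattended -w %s\n%%end\n' "$1"
}

# Stand-alone use: ./reset-host.sh web01.example.com
if [ "$#" -ge 1 ]; then
    otp=$(gen_otp)
    reset_host "$1" "$otp" && kickstart_post "$otp"
fi
```

The OTP is written into the kickstart file in clear text, so generate a fresh one per rebuild and limit who can fetch that file; IPA discards the password once the host has enrolled with it.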

