[Freeipa-users] Howto re-deploy an IPA-client using kickstart

Dmitri Pal dpal at redhat.com
Fri Jan 18 17:09:29 UTC 2013


On 01/18/2013 06:52 AM, Fred van Zwieten wrote:
> Hi Dmitri,
>
> Sorry for the late reply. I basically want to do the same as Charlie
> Derwent in another thread on this mailing list: To fully automate the
> re-installation of a server using Satellite/Spacewalk using kickstart.
> As the server is an IPA client, it must first get to be un-enrolled,
> before an ipa-client-install --unattended -w secret etc. can be done in
> a %post snippet of the kickstart file. It is the automation of the
> unenrollment process that we are not able to set up.
>
> What I can do on any ipa-client to unenroll on the command line is:
>
> ipa --disable-host <server> and ipa host-mod --password=secret --ssh=
>
> This unprovisions the client, sets an OTP and removes the host ssh keys.
>
> However, this can only be done on an IPA client, and during a
> kickstart install the server is no longer an IPA client, because it is
> freshly being set up.
>
> It's a typical chicken-and-egg issue. You must first be an ipa client to
> be able to execute ipa commands, but you cannot become an ipa client
> before unprovisioning yourself using those same ipa commands.
>
> Another approach would be to unprovision the client just before the
> reboot to be kickstarted, however, I have no idea how to set that up.
> It would mean the server has to know somehow it is being rebooted
> because of a re-install, but afaik, there is no way for
> satellite/spacewalk to tell the server this.
>
> Regards,
>
> Fred

IMO the right approach would be for the Satellite server to perform "ipa
--disable-host <server> and ipa host-mod --password=secret --ssh=" as a
part of the re-installation.
Satellite should be given an IPA identity and call into IPA when it
performs reinstall before rebooting the system.

Tough... I will see what I can do.

>
>
>
>
> On Sat, Jan 12, 2013 at 10:06 PM, Dmitri Pal <dpal at redhat.com
> <mailto:dpal at redhat.com>> wrote:
>
>     On 01/12/2013 03:28 AM, Fred van Zwieten wrote:
>>     Hi there,
>>
>>     We are in the process of implementing Satellite and want to
>>     automate server installations 100% using kickstart, cobbler,
>>     satellite.
>>
>>     IPA clients can be scripted enrolled using kickstart. Plenty of
>>     documentation about that.
>>
>>     However, how to "re"-enroll IPA clients?
>>
>>     Satellite gives me the option to re-install a server. In this
>>     case, there are still host and possibly service records for this
>>     host present in IPA and DNS.
>>
>>     One way to think about this is, that it's actually OK to keep
>>     those records there, because it is a "re"-installation, so why
>>     remove and re-enroll? However, there is the krb5.keytab in /etc.
>>     I could save that file during redeployment, but I'm not sure if
>>     that will work. And are there any other gotchas?
>>
>>     So, the question is, how to re-install an IPA client using
>>     kickstart (silent re-install)?
>
>     The question is how/do you remove the client?
>     Based on what you say above you use the same system so there are
>     some leftovers. If you can run ipa-client-install --uninstall it
>     should clean things like keytab and certs (there have been bugs
>     fixed in freeIPA 3.0). If the client has access to the server it
>     will clean (not remove) the host entry too. Then you can re-run
>     the install. If you use OTP you would need to reset OTP first.
>
>>
>>     Regards,
>>
>>     Fred
>>
>>
>
>
>     -- 
>     Thank you,
>     Dmitri Pal
>
>     Sr. Engineering Manager for IdM portfolio
>     Red Hat Inc.
>
>
>
>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
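
The sequence discussed in this thread (the provisioning server, under its own IPA identity, resets the host entry before the client reboots into kickstart), as an added example that is not code from the thread or from FreeIPA/Satellite. The principal, keytab path, `DRY_RUN` switch and function names are assumptions; the commands are written in their full spellings `ipa host-disable` and `--sshpubkey=`, and a random per-host OTP replaces the fixed `secret`.

```shell
#!/usr/bin/env bash
# Added example: run on the provisioning host before it reboots a client into kickstart.
# PROV_PRINCIPAL, PROV_KEYTAB and DRY_RUN are assumed names, not from the thread.
PROV_PRINCIPAL="${PROV_PRINCIPAL:-svc-provision@EXAMPLE.TEST}"
PROV_KEYTAB="${PROV_KEYTAB:-/etc/provision.keytab}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands instead of running them

# Accept only a lower-case FQDN, so an inventory value can never be parsed as an option.
valid_fqdn() {
    printf '%s\n' "$1" |
        grep -Eq '^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$'
}

# 24 random alphanumeric characters: a per-host one-time password, not a shared secret.
new_otp() {
    head -c 48 /dev/urandom | base64 | tr -dc 'A-Za-z0-9' | head -c 24
}

# Run a command, or in dry-run mode print it with the OTP value masked.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*" | sed -E 's/(--password=)[^ ]+/\1<otp>/'
    else
        "$@"
    fi
}

# Disable the host's Kerberos key, certificate and services, clear its SSH keys
# and set a fresh OTP. The OTP is left in the global REENROLL_OTP.
reset_host() {
    _host="$1"
    valid_fqdn "$_host" || { echo "refusing host name: $_host" >&2; return 2; }
    REENROLL_OTP="$(new_otp)"
    run kinit -kt "$PROV_KEYTAB" "$PROV_PRINCIPAL" || return 1
    # host-disable reports an error if the host is already disabled; carry on.
    run ipa host-disable "$_host" || true
    run ipa host-mod "$_host" --password="$REENROLL_OTP" --sshpubkey= || return 1
}

# Line to template into the kickstart %post section of this one host.
ks_post_line() {
    printf 'ipa-client-install --unattended --password=%s\n' "$1"
}
```

With `DRY_RUN=0` the account behind the keytab needs only the rights to disable and modify host entries, and the generated kickstart file should be readable only by the host it was rendered for.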




