[Freeipa-users] Discussion: What would be the best way to create service principles via provisioning

Christian Horn chorn at fluxcoil.net
Mon Mar 11 11:04:09 UTC 2013


Hoi,

Dale Macartney wrote:
> 
> I'm open to hear some opinions and thoughts on what the best way to
> auto-provision service principals in an environment with a 100%
> autonomous build process.
> 
> Let's say for example, I wanted to provision a mail server and configure
> dovecot SSO in the same process.
> 
> Obviously something like this would be terrible in a production
> environment as having this in the %post of a kickstart gives away the
> admin password
> 
> %post
> echo redhat123 | kinit admin --
> ipa service-add imap/$(hostname)
> ipa-getkeytab -s ds01.example.com -p imap/$(hostname) -k /etc/dovecot/krb5.keytab
> 
> Is there a more secure way to perform such a task via kickstart or
> other provisioning method?

How about having service-add/ipa-getkeytab done on the server,
and having the keytab deployed onto the client system using scp from
the server, or via config management?

Christian
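
The approach suggested in this reply, sketched as an added example (not code from the thread or from the FreeIPA project): the principal and keytab are created on an admin host that already holds a Kerberos ticket, then pushed to the client, so no admin password appears in the kickstart. `IPA_SERVER`, `KEYTAB_DEST`, `DRY_RUN`, the function names and root SSH access from the admin host to the client are assumptions.

```shell
#!/bin/sh
# Added example: run on an admin host where an operator has already run
# `kinit admin` interactively, never from the client's kickstart %post.
# IPA_SERVER, KEYTAB_DEST and DRY_RUN are illustrative names, not from the thread.
IPA_SERVER="${IPA_SERVER:-ds01.example.com}"
KEYTAB_DEST="${KEYTAB_DEST:-/etc/dovecot/krb5.keytab}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands only, anything else = execute

# Accept only a plain lowercase FQDN before it reaches a command line.
valid_host() {
    case "$1" in
        ""|.*|*.|-*|*..*|*[!a-z0-9.-]*) return 1 ;;
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

principal_for() {   # principal_for SERVICE HOST -> SERVICE/HOST
    valid_host "$2" || return 1
    case "$1" in ""|*[!a-zA-Z0-9]*) return 1 ;; esac
    printf '%s/%s\n' "$1" "$2"
}

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

provision_keytab() {   # provision_keytab SERVICE HOST
    princ=$(principal_for "$1" "$2") || { echo "bad service or host" >&2; return 2; }
    if [ "$DRY_RUN" != 1 ]; then
        klist -s || { echo "no valid ticket; run kinit first" >&2; return 3; }
    fi
    umask 077                                   # keytab file is created mode 0600
    tmpdir=$(mktemp -d) || return 4
    status=0
    # ipa-getkeytab issues new keys: older keytabs for this principal stop working.
    run ipa service-add "$princ" &&
    run ipa-getkeytab -s "$IPA_SERVER" -p "$princ" -k "$tmpdir/krb5.keytab" &&
    run scp -p "$tmpdir/krb5.keytab" "root@$2:$KEYTAB_DEST" || status=5
    rm -rf "$tmpdir"                            # leave no key material on the admin host
    return "$status"
}

# Acts only when given arguments: DRY_RUN=0 ./provision.sh imap mail01.example.com
if [ "$#" -eq 2 ]; then provision_keytab "$1" "$2"; fi
```

With the default `DRY_RUN=1` the script only prints the three commands it would run, which makes it easy to review before wiring it into a build pipeline.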



