[Freeipa-users] Discussion: What would be the best way to create service principals via provisioning

Dale Macartney dale at themacartneyclan.com
Mon Mar 11 11:34:29 UTC 2013



On 03/11/2013 11:04 AM, Christian Horn wrote:
> Hoi,
>
> Dale Macartney wrote:
>>
>> I'm open to hear some opinions and thoughts on what the best way to
>> auto-provision service principals in an environment with a 100%
>> autonomous build process would be.
>>
>> Let's say, for example, I wanted to provision a mail server and configure
>> dovecot SSO in the same process.
>>
>> Obviously something like this would be terrible in a production
>> environment as having this in the %post of a kickstart gives away the
>> admin password
>>
>> %post
>> echo redhat123 | kinit admin
>> ipa service-add imap/$(hostname)
>> ipa-getkeytab -s ds01.example.com -p imap/$(hostname) -k /etc/dovecot/krb5.keytab
>>
>> Is there a more secure way to perform such a task via kickstart or
>> other provisioning method?
>
> How about having service-add/ipa-getkeytab done on the server,
> and having the keytab deployed onto the client system using scp from
> the server, or via config management?
That definitely gets around the security concerns; however, it still
requires some manual intervention... the keytab could be pushed using
config management, but generating it in the first place still requires
work as a trusted user.

>
>
> Christian
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

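The risk the thread is discussing is a reusable admin secret sitting in a build definition that every provisioned host can read. As an added example (not from the thread or the FreeIPA project), below is a small shell check a build pipeline can run over a kickstart file to refuse any %post section that obtains IPA credentials from a secret embedded in the file, applied to two constructed snippets: the one quoted above, and a variant in which the freshly enrolled host uses its own keytab to fetch the service keytab. The hardened variant assumes, which the thread does not state, that an administrator has already created the service and delegated keytab management to the host with `ipa service-add-host`, and it uses the constructed hostname `mail01.example.com`; the `kinit -k -t` and `ipa-getkeytab` options are the standard ones. The up-front work by a trusted user remains, as the reply above points out; what changes is that the kickstart no longer carries a long-lived admin password.

```shell
#!/bin/sh
# Added example for this thread (not FreeIPA project code): refuse a kickstart
# whose %post section obtains IPA credentials from a secret embedded in the file.

# Read a kickstart on stdin. Print every kinit in the %post..%end section that is
# not keytab-based (-k) and return 1 if any was found; return 0 otherwise.
# A keytab-based kinit uses a credential the host already holds after enrolment,
# so nothing reusable has to be written into the build definition.
scan_post_section() {
    _hits=$(awk '/^%post/ { inpost = 1; next } /^%end/ { inpost = 0 } inpost' \
            | grep 'kinit' \
            | grep -Ev -- '(^|[[:space:]])-k([[:space:]]|$)') || true
    if [ -n "$_hits" ]; then
        printf 'credential embedded in kickstart %%post:\n%s\n' "$_hits" >&2
        return 1
    fi
    return 0
}

# Constructed sample: the snippet quoted in the thread. The admin password is
# readable by anyone who can fetch the kickstart, and it is a long-lived secret.
insecure_kickstart() {
    cat <<'EOF'
%post
echo redhat123 | kinit admin
ipa service-add imap/$(hostname)
ipa-getkeytab -s ds01.example.com -p imap/$(hostname) -k /etc/dovecot/krb5.keytab
%end
EOF
}

# Constructed sample of the alternative. Assumed (not stated in the thread): an
# administrator has already run, outside the build,
#   ipa service-add imap/mail01.example.com
#   ipa service-add-host imap/mail01.example.com --hosts=mail01.example.com
# so the host principal may fetch this service's keytab; the host keytab itself
# is written by ipa-client-install during enrolment. The trusted work moves
# up front, but no admin password lives in the kickstart.
hardened_kickstart() {
    cat <<'EOF'
%post
kinit -k -t /etc/krb5.keytab host/$(hostname -f)
ipa-getkeytab -s ds01.example.com -p imap/$(hostname -f) -k /etc/dovecot/krb5.keytab
kdestroy
%end
EOF
}

# Stand-alone demonstration: the first sample is rejected, the second accepted.
for kind in insecure hardened; do
    if "${kind}_kickstart" | scan_post_section 2>/dev/null; then
        echo "$kind kickstart: accepted"
    else
        echo "$kind kickstart: rejected"
    fi
done
```

The check is deliberately narrow: it only looks at `kinit` calls inside `%post`, and accepts a call only when it authenticates from a keytab. Run as `scan_post_section < host.ks` in the pipeline step that publishes kickstarts, so a build definition with an embedded password never reaches the provisioning server.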
