[Freeipa-users] Discussion: What would be the best way to create service principles via provisioning

Dmitri Pal dpal at redhat.com
Mon Mar 11 14:30:25 UTC 2013


On 03/11/2013 07:43 AM, Dale Macartney wrote:
>
>
> On 03/11/2013 11:39 AM, Christian Horn wrote:
>
>
>
> > Dale Macartney wrote:
> >>
> >> On 03/11/2013 11:04 AM, Christian Horn wrote:
> >>>
> >>> How about having service-add/ipa-getkeytab done on the server,
> >>> and having the keytab deployed onto the client system using scp from
> >>> the server, or via config management?
> >> That definitely gets around security concerns, however still requires
> >> some manual intervention... the keytab could be pushed using config
> >> management, but generating it in the first place still requires work as
> >> a trusted user.
>
> > Yes, but this could be automated.
> > If you deploy i.e. with cobbler there were IIRC hooks so one can do
> > serverside tasks, as soon as a system gets added. So the secret could
> > be embedded in a script there.
> In my current lab, I just use my own script which pushes api calls to
> rhev to deploy machines. I know there is a way to use a user keytab to
> auth to IPA. I could do that and have my provisioning script push the
> necessary admin commands and leave the client to pull to the client
> during %post...
>
> I guess it depends on the provisioning model within the organisation.


For the things to work right the provisioning service MUST have some
behind the scenes interaction with IPA. This is what we always had in mind.
Let us say that the provisioning system is called P.

Setup:
1) Create a principal for P
2) Provision keytab for P
3) Make P use IPA interfaces authenticating as P principal using keytab
4) Make sure P has the right permissions to manage other hosts
5) Make P store IPA public cert

Provisioning sequence:
1) User/script requests provisioning of a system
2) P connects to IPA and creates a host entry in IPA, an OTP is returned
back
3) P provides IPA public cert for the new machine
4) P inserts OTP into the kickstart for the system to join IPA
5) If provision of the identity fails P should disable host in IPA to
make sure that the OTP has not been stolen and used to provision some
other fake system.

This is how things "should work" in a perfect world.


>
>
>
> > Christian
>
> > _______________________________________________
> > Freeipa-users mailing list
> > Freeipa-users at redhat.com
> > https://www.redhat.com/mailman/listinfo/freeipa-users

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
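Steps 2, 4 and 5 of the provisioning sequence above, as an added example that is not code from the thread or from the FreeIPA project. It assumes P already holds a Kerberos ticket from its own keytab (so the `ipa` CLI works non-interactively), assumes the "Random password:" line of `ipa host-add --random` output carries the OTP, and takes the "did the host enrol?" signal as a caller-supplied callback, since how P learns that depends on the provisioning tooling; the `CliIpaClient` and `provision` names are mine.

```python
import shlex
import subprocess

# Constructed kickstart fragment: the OTP from host-add goes straight into
# %post so the new system can enrol without any admin credential on it.
KICKSTART_POST = """%post --log=/root/ipa-join.log
ipa-client-install --unattended --hostname={fqdn} --password={otp}
%end
"""


class CliIpaClient:
    """Thin wrapper (hypothetical name) around the real `ipa` CLI run as P."""

    def host_add_random(self, fqdn):
        # Step 2: create the host entry and let IPA generate the OTP.
        out = subprocess.run(["ipa", "host-add", fqdn, "--random"],
                             check=True, capture_output=True, text=True).stdout
        for line in out.splitlines():
            if line.strip().startswith("Random password:"):
                return line.split(":", 1)[1].strip()
        raise RuntimeError("no OTP found in host-add output for %s" % fqdn)

    def host_disable(self, fqdn):
        # Step 5: disabling the host invalidates the unused OTP.
        subprocess.run(["ipa", "host-disable", fqdn], check=True)


def render_kickstart_post(fqdn, otp):
    # Step 4: shlex.quote keeps an OTP with shell metacharacters intact.
    return KICKSTART_POST.format(fqdn=shlex.quote(fqdn), otp=shlex.quote(otp))


def provision(client, fqdn, install_and_join):
    """install_and_join(kickstart_post) drives the build and returns True once
    the host has enrolled. If it returns False or raises, the host entry is
    disabled so a leaked OTP cannot be used to enrol some other machine."""
    otp = client.host_add_random(fqdn)
    joined = False
    try:
        joined = bool(install_and_join(render_kickstart_post(fqdn, otp)))
    finally:
        if not joined:
            client.host_disable(fqdn)
    return joined
```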


