[Freeipa-users] Specific rights needed to enroll a new host

Martin Kosek mkosek at redhat.com
Fri Jun 12 07:18:34 UTC 2015


On 06/12/2015 01:30 AM, Christopher Young wrote:
> I'm trying to develop a process in Ansible to enroll new hosts (as well as
> check beforehand to see if the host is already enrolled).  I was wondering a
> couple of things:
>
> #1. Has anyone else worked out a process for doing this using a non 'admin'
> account?
>
> #2. Is there a simple mechanism (preferably something that could be automated
> and thus not require any interactivity), that could be used to check as to
> whether a system is enrolled?  I would hope that some type of simple LDAP
> search or simple command that could be run to check with easy return codes.
>
> In particular, I'm trying to avoid using the 'admin' user to enroll hosts
> because I'd like to minimize the rights to just the enrollment of new hosts as
> well as checking for an existing enrollment.

You can do the same check that "ipa host-show" does - see if the host has a 
keytab generated or not. AFAIK, all authenticated users can do this check (not 
retrieve the key itself, but check if it is there).

See my test as non-authenticated user/host:

# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_nXWwGw1
Default principal: host/ipa.f22@F22

Valid starting       Expires              Service principal
06/12/2015 03:15:01  06/13/2015 03:15:01  krbtgt/F22@F22


1. See all hosts


[root@ipa freeipa]# ldapsearch -h `hostname` -Y GSSAPI -b "cn=computers,cn=accounts,dc=f22" fqdn
SASL/GSSAPI authentication started
SASL username: host/ipa.f22@F22
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <cn=computers,cn=accounts,dc=f22> with scope subtree
# filter: (objectclass=*)
# requesting: fqdn
#

# computers, accounts, f22
dn: cn=computers,cn=accounts,dc=f22

# ipa.f22, computers, accounts, f22
dn: fqdn=ipa.f22,cn=computers,cn=accounts,dc=f22
fqdn: ipa.f22

# is.not.enrolled, computers, accounts, f22
dn: fqdn=is.not.enrolled,cn=computers,cn=accounts,dc=f22
fqdn: is.not.enrolled

# search result
search: 4
result: 0 Success

# numResponses: 4
# numEntries: 3


2. See just the unenrolled hosts

[root@ipa freeipa]# ldapsearch -h `hostname` -Y GSSAPI -b "cn=computers,cn=accounts,dc=f22" "(!(krbprincipalkey=*))" fqdn
SASL/GSSAPI authentication started
SASL username: host/ipa.f22@F22
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <cn=computers,cn=accounts,dc=f22> with scope subtree
# filter: (!(krbprincipalkey=*))
# requesting: fqdn
#

# computers, accounts, f22
dn: cn=computers,cn=accounts,dc=f22

# is.not.enrolled, computers, accounts, f22
dn: fqdn=is.not.enrolled,cn=computers,cn=accounts,dc=f22
fqdn: is.not.enrolled

# search result
search: 4
result: 0 Success

# numResponses: 3
# numEntries: 2


HTH.

>
> Any thoughts or feedback that could point me in the best direction would be
> greatly appreciated!
>
> Thanks,
>
> Chris
>
>
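One way to turn the check from the reply into a single per-host command with the "easy return codes" the question asks for, as an added example that is not from the thread or from the FreeIPA project. It assumes ldapsearch and a valid Kerberos ticket on the caller, the domain-to-suffix mapping the thread shows (f22 becomes dc=f22), and that the ACI permits a presence test on krbprincipalkey for the bound principal, as the reply demonstrates; the function and constant names are my own.

```python
#!/usr/bin/env python3
"""Enrollment check with Ansible-friendly exit codes (constructed example, not from the thread).
Runs the two ldapsearch queries from the reply for one host: exit 0 = enrolled,
1 = host entry exists but has no keytab yet, 2 = no host entry at all."""
import subprocess
import sys

ENROLLED, UNENROLLED, ABSENT = 0, 1, 2

def base_dn(domain):
    """'example.com' -> 'cn=computers,cn=accounts,dc=example,dc=com' (the thread used dc=f22)."""
    return "cn=computers,cn=accounts," + ",".join("dc=%s" % label for label in domain.split("."))

def host_filter(fqdn, require_keytab):
    """Presence test on krbprincipalkey, as in the reply; the key value itself is never read."""
    return "(&(fqdn=%s)(krbprincipalkey=*))" % fqdn if require_keytab else "(fqdn=%s)" % fqdn

def fqdns_in_ldif(text):
    """Collect fqdn values from ldapsearch LDIF output; '#' comments and the cn=computers
    container entry (no fqdn attribute, yet counted in numEntries) fall through."""
    return {line[len("fqdn: "):].strip() for line in text.splitlines() if line.startswith("fqdn: ")}

def classify(fqdn, all_hosts_ldif, enrolled_ldif):
    """Combine the plain and the keytab-filtered search results into one status."""
    if fqdn in fqdns_in_ldif(enrolled_ldif):
        return ENROLLED
    if fqdn in fqdns_in_ldif(all_hosts_ldif):
        return UNENROLLED
    return ABSENT

def ldapsearch(server, domain, ldap_filter):
    """GSSAPI bind from the current ticket cache, like the reply; -s one skips the container."""
    cmd = ["ldapsearch", "-LLL", "-h", server, "-Y", "GSSAPI", "-s", "one",
           "-b", base_dn(domain), ldap_filter, "fqdn"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout

def main(argv):
    if len(argv) != 4:
        sys.exit("usage: %s SERVER DOMAIN FQDN" % argv[0])
    server, domain, fqdn = argv[1:]
    status = classify(fqdn, ldapsearch(server, domain, host_filter(fqdn, False)),
                      ldapsearch(server, domain, host_filter(fqdn, True)))
    print(["enrolled", "not enrolled", "no host entry"][status])
    return status

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The container entry and the search-result comments are why the reply's numEntries is one higher than the number of hosts; scoping the search to one level and matching only `fqdn:` lines avoids counting it.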
