[Freeipa-users] ipa-getkeytab automation

Rob Crittenden rcritten at redhat.com
Wed Jul 14 13:42:37 UTC 2010


Doug Chapman wrote:
> Can anyone give me some tips or document links on client deployment 
> automation (I'm using puppet) to update the /etc/krb5.keytab file?
> 
> I'm using IPA 1.2.2 on Centos5 and it seems the direct approach is 
> to script the creation of the service principals (ipa-addservice) and 
> extract all of the keytabs into puppet deployed files.  Is there 
> anything I'm missing?
> 
> The ipa-addservice would require a human to login with a valid ticket in 
> order to work; is there any way I could create a service account with 
> limited permissions to allow an application to populate the Directory 
> with new hosts from an external source (eg: cobbler, or a database of 
> hosts) ?
> 

As Dmitri said, we're addressing this in v2. It requires a fair bit of 
work to get this done, mostly in the area of writing 389-ds ACIs.

Off the top of my head I guess the way I'd approach it is to create a 
service principal used for creating other principals. You need an ACI 
granting add access to this principal so it can create other principals. 
And you'd need an ACI granting write privileges to the krb* attributes so 
you can use ipa-getkeytab to generate and retrieve a keytab.

But you're probably better off giving v2 a look-see.

rob
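The sketch above, written out as a script: this is an added example, not code from the thread or from the FreeIPA project. It emits the two 389-ds ACIs Rob describes (add rights on the service container, write rights on the key attributes) as LDIF for the provisioning principal, and wraps the ipa-getkeytab call so a tool such as puppet or cobbler can run it from the provisioning principal's own keytab instead of a human's ticket. The suffix dc=example,dc=com, the IPA 1.x container cn=services,cn=accounts, the principal name provision/ipa.example.com, the keytab path /etc/provision.keytab and the exact attribute list krbPrincipalKey, krbLastPwdChange are all assumptions; adjust them to your directory.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeIPA project).
# Assumed layout: IPA 1.x DIT, service principals under
# cn=services,cn=accounts,$SUFFIX; the provisioning principal's own entry
# lives there too and holds its own keytab at /etc/provision.keytab.

SUFFIX="${SUFFIX:-dc=example,dc=com}"
IPA_SERVER="${IPA_SERVER:-ipa.example.com}"
REALM="${REALM:-EXAMPLE.COM}"
PROVISIONER="provision/ipa.example.com@$REALM"
PROVISIONER_DN="krbprincipalname=$PROVISIONER,cn=services,cn=accounts,$SUFFIX"
PROVISIONER_KEYTAB="${PROVISIONER_KEYTAB:-/etc/provision.keytab}"

# Emit the two ACIs as an LDIF modify of the service container.
#   1. allow (add): the provisioner may create entries under cn=services,
#      i.e. new service principals, and nothing else there.
#   2. allow (write) on the key attributes only: enough for ipa-getkeytab's
#      server-side key generation, without handing out write on the
#      whole entry. (Which krb* attributes suffice is an assumption here.)
# Argument: DN of the provisioning principal.
aci_ldif() {
  provisioner_dn="$1"
  cat <<EOF
dn: cn=services,cn=accounts,$SUFFIX
changetype: modify
add: aci
aci: (target="ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0; acl "provisioner may add service principals"; allow (add) userdn="ldap:///$provisioner_dn";)
-
add: aci
aci: (target="ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(targetattr="krbPrincipalKey || krbLastPwdChange")(version 3.0; acl "provisioner may set keys via ipa-getkeytab"; allow (write) userdn="ldap:///$provisioner_dn";)
EOF
}

# Count how many grant clauses an LDIF body carries for a given right
# (e.g. "add" or "write"); used to sanity-check the generated ACIs.
count_grants() {
  right="$1"
  grep -c "allow ($right)"
}

# Create a service principal and pull its keytab, authenticating as the
# provisioning principal from its keytab so no interactive login is needed.
# Arguments: $1 = service principal, $2 = output keytab path.
# Assumption: ipa-addservice and ipa-getkeytab both honour the ticket in
# KRB5CCNAME, so the ACIs above are what decides whether they succeed.
fetch_keytab() {
  service="$1"
  out="$2"
  export KRB5CCNAME="/tmp/provision.$$.cc"
  kinit -k -t "$PROVISIONER_KEYTAB" "$PROVISIONER"
  ipa-addservice "$service"
  # Each ipa-getkeytab run generates new keys; existing copies of the
  # keytab elsewhere become stale, so run this once per principal.
  ipa-getkeytab -s "$IPA_SERVER" -p "$service" -k "$out"
  chmod 0600 "$out"
  kdestroy
}

# Usage:
#   sh provision.sh apply                       # as Directory Manager, once
#   sh provision.sh keytab HTTP/web1.example.com@EXAMPLE.COM /etc/httpd/web1.keytab
case "${1:-}" in
  apply)  aci_ldif "$PROVISIONER_DN" | ldapmodify -x -h "$IPA_SERVER" -D "cn=Directory Manager" -W ;;
  keytab) fetch_keytab "$2" "$3" ;;
esac
```

The provisioning keytab can mint a fresh key for every service principal under cn=services, so treat it as a credential of the same weight as the keytabs it produces: keep it off the puppet master's file-served tree, and have puppet ship the generated keytabs with mode 0600 owned by the service user. The add ACI is scoped to the service container rather than the whole suffix so a compromised provisioner cannot create users or hosts.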
