[Freeipa-users] ipa-getkeytab during %post

JR Aquino JR.Aquino at citrix.com
Wed Feb 8 15:33:36 UTC 2012


If you are really trying to go the route of using the password, the best way to accomplish that is to procedurally ADD the host ahead of time with the -random flag to generate a one-time-pass.  Then insert that 1 time password dynamically into the kickstart script.

If you want to approach the problem from a technical side and not procedural... I don't suppose you have Puppet?

You can utilize puppet to deploy a 'host provisioning' keytab that you then kinit -kt before issuing the other commands that require authentication. When it is finished, delete the keytab.

The problem with authentication and complete hands off automation is that you always have to whittle it down to an area of acceptable risk with lots of compensating controls and logging.


On Feb 8, 2012, at 6:44 AM, Dale Macartney wrote:

> 
> 
> Hi Simo
> 
> ipa-client-install is provided by the ipa-client rpm. Details below
> 
> Name        : ipa-client
> Arch        : x86_64
> Version     : 2.1.3
> Release     : 9.el6
> Size        : 222 k
> Repo        : installed
> 
> 
> What I am trying to achieve is these two commands in a post...
> 
> ipa service-add HTTP/$(hostname)
> this definitely requires an authenticated user to add i'm sure
> 
> 
> ipa-getkeytab -s ds01.example.com -p HTTP/$(hostname) -k
> /etc/squid/krb5.keytab
> this one I suspect might be able to be retrieved using the host/
> principal from the system after running ipa-client-install.
> 
> 
> Does this help paint a picture?
> 
> 
> Dale
> 
> 
> On 02/08/2012 01:49 PM, Simo Sorce wrote:
>> On Wed, 2012-02-08 at 11:13 +0000, Dale Macartney wrote:
>>> 
>>> morning all...
>>> 
>>> i'm dabbling with automated provisioning of ipa client servers, and i'm
>>> a little perplexed on how to add a keytab to a system during the %post
>>> section of a kickstart...
>>> 
>>> i've run ipa-client-install -U -p admin -w redhat123 which works
>>> perfect, but in order to run ipa-getkeytab i need a tgt, which doesn't
>>> appear to be generated during the ipa-client-install.
>>> 
>>> any suggestions on doing this during a post?
>> 
>> What version of ipa-client-install are you using ?
>> 
>> Newer versions (2.x) should fetch a keytab for your system (needs
>> credentials or OTP password).
>> 
>> Simo.
>> 
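As an added example (not code from the thread or from FreeIPA itself), here is the procedural route JR describes in shell: the admin side pre-adds the host with `--random`, and, going one step beyond the thread, also pre-creates the HTTP service with the host as its manager so that `%post` only needs the host principal that `ipa-client-install` leaves in `/etc/krb5.keytab`; the one-time password is then templated into the `%post` fragment. Assumed: the host name client01.example.com and domain example.com; ds01.example.com and /etc/squid/krb5.keytab are taken from Dale's mail.

```shell
#!/bin/bash
# Added example, not code from the thread or from FreeIPA: the "pre-add the
# host with --random, then template the one-time password into the kickstart"
# route. Assumed names: client01.example.com (enrolling host), ds01.example.com
# (IPA server, from the thread) and /etc/squid/krb5.keytab (from the thread).
set -eu

# Admin side, run with an admin TGT before the kickstart is served: create the
# host with a one-time password and pre-create the HTTP service with the host
# as its manager, so the host principal alone can fetch the service keytab later.
# Emitted as text so this file can be reviewed and run without an IPA server.
admin_commands() {
    local fqdn="$1"
    printf '%s\n' \
        "ipa host-add $fqdn --random" \
        "ipa service-add HTTP/$fqdn" \
        "ipa service-add-host HTTP/$fqdn --hosts=$fqdn"
}

# Pull the OTP out of `ipa host-add --random` output ("  Random password: ...").
extract_otp() {
    sed -n 's/^[[:space:]]*Random password:[[:space:]]*//p' | head -n 1
}

# Render the %post fragment. No admin password lands on the client: the OTP is
# consumed by enrollment, and everything after that runs as the host principal
# from the keytab ipa-client-install writes to /etc/krb5.keytab.
render_post() {
    local fqdn="$1" server="$2" otp="$3" keytab="$4"
    cat <<EOF
%post --log=/root/ipa-post.log
ipa-client-install -U --hostname=$fqdn --server=$server --domain=${server#*.} --password='$otp'
kinit -kt /etc/krb5.keytab host/$fqdn
ipa-getkeytab -s $server -p HTTP/$fqdn -k $keytab
chmod 0600 $keytab
kdestroy
%end
EOF
}

# Constructed sample of what `ipa host-add --random` prints (not captured output).
SAMPLE_HOST_ADD='  Host name: client01.example.com
  Random password: 1gPVbm=fP3Mt'

if [ "${1:-}" = "--demo" ]; then
    admin_commands client01.example.com
    otp=$(printf '%s\n' "$SAMPLE_HOST_ADD" | extract_otp)
    render_post client01.example.com ds01.example.com "$otp" /etc/squid/krb5.keytab
fi
```

The rendered kickstart still carries the OTP in clear text, so restrict who can fetch it from the provisioning server; the OTP is single-use and bound to that one host entry, which is what keeps the exposure bounded.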