[Freeipa-users] ipa-getkeytab during %post

Dmitri Pal dpal at redhat.com
Thu Feb 9 20:40:50 UTC 2012


On 02/08/2012 11:06 AM, Dale Macartney wrote:
>
> thanks for the confirmation earlier Rob, that does make a lot of sense.
>
> am I right in assuming that running the following would not work with
> a host principal? Presumably I'd need admin privileges to create a
> service principal for a host.

Someone has to have privilege. You can make the host capable of
provisioning keytabs for services that run on the same host. AFAIR this is
allowed by default. I am not sure you can allow a host principal to create
new services out of the box. I think you would have to play with
permissions to allow it. Rob, am I correct?

>
> ipa service-add HTTP/$(hostname)
>
> I will be giving this a go for testing sake tonight.
>
> Dale
>
> On 02/08/2012 04:00 PM, Rob Crittenden wrote:
> > Dale Macartney wrote:
> > > Hi JR
> > >
> > > I agree with your statement of acceptable risk.. this is my main reason
> > > for questioning..
> > >
> > > The ideal situation would be to run this as a satellite kickstart
> > > snippet for provisioning with kickstart profiles... That way I can
> > > utilize the existing provisioning platform for everything.
> > >
> > > At the moment everything is in dev using scripted kickstarts for testing.
> >
> > A host should be able to get keytabs for its own services so you should
> > be able to kinit to the host service principal in /etc/keytab and use
> > ipa-getkeytab.
> >
> > rob
> >
> > > Dale
> > >
> > > On 02/08/2012 03:33 PM, JR Aquino wrote:
> > > > If you are really trying to go the route of using the password, the
> > > > best way to accomplish that is to procedurally ADD the host ahead of
> > > > time with the -random flag to generate a one-time-pass. Then insert
> > > > that 1 time password dynamically into the kickstart script.
> > > >
> > > > If you want to approach the problem from a technical side and not
> > > > procedural... I don't suppose you have Puppet ?
> > > >
> > > > You can utilize puppet to deploy a 'host provisioning' keytab that
> > > > you then kinit -kt before issuing the other commands that require
> > > > authentication. When it is finished, delete the keytab.
> > > >
> > > > The problem with authentication and complete hands off automation is
> > > > that you always have to whittle it down to an area of acceptable risk
> > > > with lots of compensating controls and logging.
> > > >
> > > > On Feb 8, 2012, at 6:44 AM, Dale Macartney wrote:
> > > >
> > > > > Hi Simo
> > > > >
> > > > > ipa-client-install is provided by the ipa-client rpm. Details below
> > > > >
> > > > > Name : ipa-client
> > > > > Arch : x86_64
> > > > > Version : 2.1.3
> > > > > Release : 9.el6
> > > > > Size : 222 k
> > > > > Repo : installed
> > > > >
> > > > > What I am trying to achieve is these two commands in a post...
> > > > >
> > > > > ipa service-add HTTP/$(hostname)
> > > > > this definitely requires an authenticated user to add i'm sure
> > > > >
> > > > > ipa-getkeytab -s ds01.example.com -p HTTP/$(hostname) -k /etc/squid/krb5.keytab
> > > > > this one I suspect might be able to be retrieved using the host/
> > > > > principal from the system after running ipa-client-install.
> > > > >
> > > > > Does this help paint a picture?
> > > > >
> > > > > Dale
> > > > >
> > > > > On 02/08/2012 01:49 PM, Simo Sorce wrote:
> > > > > > On Wed, 2012-02-08 at 11:13 +0000, Dale Macartney wrote:
> > > > > > > morning all...
> > > > > > >
> > > > > > > i'm dabbling with automated provisioning of ipa client servers,
> > > > > > > and i'm a little perplexed on how to add a keytab to a system
> > > > > > > during the %post section of a kickstart...
> > > > > > >
> > > > > > > i've run ipa-client-install -U -p admin -w redhat123 which works
> > > > > > > perfect, but in order to run ipa-getkeytab i need a tgt, which
> > > > > > > doesn't appear to be generated during the ipa-client-install.
> > > > > > >
> > > > > > > any suggestions on doing this during a post?
> > > > > >
> > > > > > What version of ipa-client-install are you using ?
> > > > > >
> > > > > > Newer versions (2.x) should fetch a keytab for your system (needs
> > > > > > credentials or OTP password.
> > > > > >
> > > > > > Simo.
>

_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
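As an added example (not code from anyone in the thread), here is a %post snippet that does what Rob and JR describe: authenticate with the host's own key, fetch the service keytab, then drop the ticket. It assumes the IPA server name and keytab path from Dale's commands and that an admin has already created the HTTP service ahead of time, since Dmitri notes the host principal cannot add services by default; DRY_RUN and PROVISION_NOW are knobs introduced here, not IPA options.

```shell
#!/bin/sh
# Kickstart %post snippet (added example). Assumptions: ipa-client-install
# has already stored host/<fqdn> in /etc/krb5.keytab, the IPA server is
# ds01.example.com (from Dale's command), and an admin has created HTTP/<fqdn>
# beforehand, because the host principal cannot run 'ipa service-add' by default.
set -eu

IPA_SERVER=${IPA_SERVER:-ds01.example.com}
HOST_KEYTAB=/etc/krb5.keytab

# run: execute a command, or only print it when DRY_RUN is set, so the
# sequence can be reviewed on a machine that is not enrolled in a realm.
run() {
    if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi
}

# service_principal HTTP web01.example.com -> HTTP/web01.example.com
service_principal() {
    printf '%s/%s\n' "$1" "$2"
}

# fetch_service_keytab <service> <fqdn> <keytab path> <owner user>
fetch_service_keytab() {
    princ=$(service_principal "$1" "$2")
    # Private credential cache: the host TGT never lands in the default
    # cache where a later %post step or a login could reuse it.
    KRB5CCNAME="FILE:/tmp/krb5cc_post.$$"; export KRB5CCNAME
    # Authenticate as the host itself; no admin password in the kickstart.
    run kinit -k -t "$HOST_KEYTAB" "host/$2"
    # A host may fetch keytabs for services running on itself.
    run ipa-getkeytab -s "$IPA_SERVER" -p "$princ" -k "$3"
    # Drop the ticket as soon as it is no longer needed.
    run kdestroy
    # Only the daemon that uses the key should be able to read it.
    run chown "$4:$4" "$3"
    run chmod 0600 "$3"
}

# In the real %post set PROVISION_NOW=1; left unset, the file only defines
# the functions so they can be dry-run or sourced.
if [ -n "${PROVISION_NOW:-}" ]; then
    fetch_service_keytab HTTP "$(hostname -f)" /etc/squid/krb5.keytab squid
fi
```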

