[Freeipa-users] Using DHCPD with IPA

~Stack~ i.am.stack at gmail.com
Wed Jan 25 02:11:07 UTC 2012


On 01/24/2012 07:46 PM, Simo Sorce wrote:
> On Tue, 2012-01-24 at 19:30 -0600, ~Stack~ wrote:
[snip]
>> 2) How do I get dhcpd to update DNS?
> 
> The first question is: why do you need DHCP to do that, why don't you
> let clients securely do it?
> We do register a client in the DNS in ipa-client-install.

I have nodes being PXE-booted, and the MAC address that distinguishes them
from other nodes is in the dhcpd.conf, which means they have to be
defined in the dhcpd.conf file. However, if the reverse DNS entry is not
enabled when the PXE boot client launches, it doesn't get a hostname and
it stalls out long before the ipa-client-install even runs to put an
entry into the IPA DNS.

[snip]

>> 3) The very first time when I PXEBoot/tftp/kickstart a machine and it
>> auto installs, everything works great. The ipa-client-install runs with
>> all my parameters and it just works. However, the second time the node
>> boots and installs, I get complaints that the system is already registered.
> 
> Install is a one time thing, it creates a record in IPA and gives the
> machine a keytab. This is data that needs to be preserved across
> reboots.

Crud. This looks like it could be difficult. I don't preserve anything
on those machines. At least not right now...

>> (fresh install)
>> # ipa-client-install --mkhomedir
>> ...[snip]...
>> Joining realm failed: Host is already joined.
>> Installation failed. Rolling back changes.
>> IPA client is not configured on this system.
>>
>> If I try to -f force it, I get errors and nothing seems to work.
>> # ipa-client-install --mkhomedir -f
>> ...[snip]...
>> Joining realm failed: Host is already joined.
>> Use ipa-getkeytab to obtain a host principal for this server.
>> ...[snip]...
>> Unable to find 'admin' user with 'getent passwd admin'!
> 
> I would say this is expected.
> 
>> For PXEboot nodes that may/will end up with a fresh install, how do I
>> best configure them in IPA? Automatically would be best.
> 
> You have to keep some configuration, ipa-client-install is not
> compatible with a machine that loses all state at each reboot.
> 
> You can manage to have machines still fetch data from IPA, but they
> can't be full fledged clients if you can't preserve the keytab and some
> other configuration.

As long as I can have a user log into the box and run a process, I don't
really care if they are a full client or not. These systems are never
logged into directly, but through an ssh connection, so if the users can
still authenticate into them I might be good on this. How do I configure
this?

> Note: You could reset the machine account from the IPA interface before
> a reboot, but requiring admin credentials at each reboot to re-enroll
> machines is not something I can recommend.

I agree. I may have to rethink this.

Thank you for your response!

~Stack~
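One way to handle question 2 (the nodes needing DNS before they ever boot) without letting dhcpd write to the IPA zone is to pre-register them from the same static host blocks dhcpd.conf already carries. The script below is an added example written for this thread, not code from the thread or from FreeIPA. It assumes host blocks of the form `host NAME { hardware ethernet MAC; fixed-address IP; }`, a DNS domain of example.com, an IPA reverse zone that already exists for the subnet (`ipa host-add --ip-address` creates the A and PTR records, and fails without the reverse zone), an admin Kerberos ticket in the shell that runs it, and an `ipa host-add` that accepts `--macaddress` (newer than the 2012-era server in the thread; drop that flag if yours does not). The one-time password it sets per host is what lets the kickstart run `ipa-client-install -w` later without any admin credential reaching the node.

```shell
#!/bin/sh
# Added example (not from the thread or FreeIPA): pre-register PXE nodes in IPA
# from the static "host" blocks in dhcpd.conf, so forward and reverse DNS exist
# before first boot and dhcpd never needs rights to update the IPA zone.
# Assumed: domain example.com, existing reverse zone, admin ticket, --macaddress.

DOMAIN=${DOMAIN:-example.com}            # assumed DNS / IPA domain
IPA=${IPA:-ipa}                          # IPA CLI; IPA=echo prints the commands instead
OTP_FILE=${OTP_FILE:-/root/pxe-otps.txt} # assumed place to keep the per-host OTPs

# parse_hosts FILE: print "name mac ip" for every host block with a fixed-address.
# Each "}"-terminated chunk is one awk record, so a block's directives may sit on
# one line or several. Comments are stripped so "# host ..." notes are ignored.
parse_hosts() {
    awk 'BEGIN { RS = "}" }
    {
        gsub(/#[^\n]*/, "")
        if (!match($0, /(^|[[:space:]])host[[:space:]]+[^[:space:]{]+/)) next
        name = substr($0, RSTART, RLENGTH); sub(/^[[:space:]]*host[[:space:]]+/, "", name)
        if (!match($0, /fixed-address[[:space:]]+[^;[:space:]]+/)) next
        ip = substr($0, RSTART, RLENGTH); sub(/^fixed-address[[:space:]]+/, "", ip)
        mac = "-"
        if (match($0, /hardware[[:space:]]+ethernet[[:space:]]+[^;[:space:]]+/)) {
            mac = substr($0, RSTART, RLENGTH); sub(/^hardware[[:space:]]+ethernet[[:space:]]+/, "", mac)
        }
        print name, tolower(mac), ip
    }' "$1"
}

# new_otp: 128 random bits, hex-encoded, good for exactly one enrolment
new_otp() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# register_hosts FILE: create each host in IPA with A+PTR records (--ip-address
# does both) and a one-time enrolment password. OTPs go to $OTP_FILE as
# "fqdn otp" lines, mode 0600; they are secrets until the node has used them.
register_hosts() {
    umask 077
    : > "$OTP_FILE"
    parse_hosts "$1" | while read -r name mac ip; do
        fqdn="$name.$DOMAIN"
        otp=$(new_otp)
        set -- "$fqdn" --ip-address="$ip" --password="$otp"
        if [ "$mac" != "-" ]; then set -- "$@" --macaddress="$mac"; fi
        "$IPA" host-add "$@" || return 1
        printf '%s %s\n' "$fqdn" "$otp" >> "$OTP_FILE"
    done
}

# sample_dhcpd_conf: constructed dhcpd.conf fragment for a dry run, not real data
sample_dhcpd_conf() {
    cat <<'EOF'
# PXE nodes; names match the IPA DNS zone
subnet 10.0.0.0 netmask 255.255.255.0 {
    range 10.0.0.100 10.0.0.200;
    option domain-name "example.com";
}
host node01 { hardware ethernet 00:11:22:33:44:55; fixed-address 10.0.0.11; }
host node02 {
    hardware ethernet 00:11:22:33:44:66;
    fixed-address 10.0.0.12;
    filename "pxelinux.0";
}
EOF
}

# Dry run:  sample_dhcpd_conf > /tmp/dhcpd.conf; IPA=echo register_hosts /tmp/dhcpd.conf
```

Treat the OTP file with the same care as the kickstart that consumes it: if the kickstart is served over plain TFTP or HTTP to the PXE network, anyone on that segment can read the OTP and enrol their own machine under that host name, so either serve the OTP per node over an authenticated channel or accept that the first enrolment is only as trustworthy as the PXE network.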

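For question 3 (the re-install failing with "Host is already joined"), the point Simo makes is that the host keytab from the first enrolment has to survive the reinstall. The kickstart %post logic below is an added example written for this thread, not the thread's own commands or FreeIPA code. It assumes a root-only NFS export mounted at $STORE for the keytab backup, that the admin pre-set a one-time password for the host (`ipa host-add ... --password`) and the kickstart dropped it in $OTP_FILE, and that the installed `ipa-client-install` supports `--keytab` (FreeIPA 4.x; the 2012-era client in the thread has no such option, which is why Simo describes re-enrolment as needing an admin reset). The paths, `hostname -f`, and the dry-run variable are illustrative assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or FreeIPA): kickstart %post logic for a
# diskless PXE node. First boot enrols with a one-time password and backs up the
# host keytab; every later reinstall hands that keytab back to the installer
# instead of joining again, so no admin credential is ever needed on the node.
# Assumed: root-only persistent mount at $STORE, OTP in $OTP_FILE, --keytab support.

STORE=${STORE:-/mnt/persist}                    # assumed persistent, root-only mount
OTP_FILE=${OTP_FILE:-/root/ipa-otp}             # assumed location of the OTP
KEYTAB=${KEYTAB:-/etc/krb5.keytab}              # where enrolment writes the host keytab
IPA_CLIENT_INSTALL=${IPA_CLIENT_INSTALL:-ipa-client-install}  # set to "echo" for a dry run

# enroll_mode FQDN: "reuse" if a backed-up keytab exists for this host, else "first"
enroll_mode() {
    if [ -s "$STORE/$1/krb5.keytab" ]; then echo reuse; else echo first; fi
}

# enroll FQDN: run the right ipa-client-install for this boot
enroll() {
    fqdn=$1
    case $(enroll_mode "$fqdn") in
    reuse)
        # Host entry and principal already exist in IPA: give the installer the
        # old keytab instead of joining, which is what fails once the host exists.
        "$IPA_CLIENT_INSTALL" --unattended --mkhomedir --hostname="$fqdn" \
            --keytab="$STORE/$fqdn/krb5.keytab"
        ;;
    first)
        # First enrolment: the OTP authorises exactly one join. It is passed on
        # the command line (visible in ps), acceptable here because nothing else
        # runs on the node during %post.
        [ -s "$OTP_FILE" ] || { echo "no OTP for $fqdn" >&2; return 1; }
        "$IPA_CLIENT_INSTALL" --unattended --mkhomedir --hostname="$fqdn" \
            --password="$(cat "$OTP_FILE")"
        rm -f "$OTP_FILE"          # the OTP is spent; do not leave it on the node
        # Back up the keytab for the next reinstall. It is the host's long-term
        # credential: whoever can read it is this host as far as IPA is concerned,
        # hence 0700/0600 and a root-only export.
        umask 077
        mkdir -p "$STORE/$fqdn"
        cp "$KEYTAB" "$STORE/$fqdn/krb5.keytab"
        ;;
    esac
}

# In %post:  enroll "$(hostname -f)"
```

If the keytab cannot be preserved at all, the fallback Simo alludes to is a node that only reads from IPA: sssd with an LDAP identity provider and Kerberos authentication still lets users ssh in with their IPA passwords, but without a host key sssd cannot validate the TGT it obtains (no `krb5_validate`), so a spoofed KDC on the PXE network could accept any password. Preserving the keytab avoids that.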