[Freeipa-users] Using DHCPD with IPA

Adam Young ayoung at redhat.com
Thu Jan 26 14:54:23 UTC 2012


On 01/24/2012 09:11 PM, ~Stack~ wrote:
> Crud. This looks like it could be difficult. I don't preserve anything
> on those machines. At least not right now...
It is a bootstrap issue.  For a shared-nothing boot like you are 
doing, there needs to be a way for the new machine to securely get its 
identity.

Ideally, PXE boot would give you the option to somehow store a private 
key in the BIOS and present a certificate during boot.  If it did that, 
you could then set up a secure way to tell the IPA server "I am still 
who I claimed I was before" and fetch all of your secure data during the 
start up process.

Assuming your data center is locked down and a rogue machine cannot PXE 
boot on your local interface, what you would need is probably a way to 
push down a one-time password to the booting machine so that it could 
then use that to refetch its keytab from the IPA server.  Not something 
currently supported (only happens during register).

You can unregister and then register the machines when you reboot them.  
I am pretty sure that you don't really want to do that, though.
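The following is an added example, not code from the thread or from the FreeIPA project. It sketches the "push a one-time password to the booting machine" approach that the reply describes for a diskless PXE host: the admin sets a fresh enrollment OTP on the host entry before the reboot (the assumed admin-side commands are ipa host-disable followed by ipa host-mod --random, or the unregister/register pair the reply mentions), places it in the PXE configuration as a kernel parameter, and a boot hook on the client reads it from /proc/cmdline and runs ipa-client-install with it. The parameter name ipa_otp, the hook's --boot switch, and the server and domain defaults are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): boot-time re-enrollment of
# a shared-nothing PXE host using a one-time password pushed by the admin.
#
# Assumed admin-side preparation before the reboot (assumption, not from the
# thread):
#   ipa host-disable node1.example.com          # drop old keytab/cert
#   ipa host-mod node1.example.com --random     # prints a new OTP
# and the PXE config then carries:  ... ipa_otp=<that value> ...
set -eu

# Assumed site values; override from the environment if needed.
IPA_SERVER="${IPA_SERVER:-ipa.example.com}"
IPA_DOMAIN="${IPA_DOMAIN:-example.com}"

# Print the value of the ipa_otp=<value> token from a kernel command line.
# Returns 1 and prints nothing when the token is absent or empty, so the
# caller can tell "no OTP was pushed" apart from a bad one.
otp_from_cmdline() {
    cmdline="$1"
    for tok in $cmdline; do            # intentional word splitting
        case "$tok" in
            ipa_otp=?*)
                printf '%s\n' "${tok#ipa_otp=}"
                return 0
                ;;
        esac
    done
    return 1
}

# Enroll this host non-interactively with the supplied OTP.  IPA consumes
# the OTP on the first successful enrollment, so a later reboot needs a
# freshly pushed value; a replayed one will be rejected.
enroll_with_otp() {
    otp="$1"
    ipa-client-install --unattended \
        --server="$IPA_SERVER" \
        --domain="$IPA_DOMAIN" \
        --hostname="$(hostname -f)" \
        --password="$otp"
}

# Only act when invoked explicitly from the boot hook, e.g. from a systemd
# unit or rc.local as:  /usr/local/sbin/ipa-boot-enroll --boot
if [ "${1:-}" = "--boot" ]; then
    if otp=$(otp_from_cmdline "$(cat /proc/cmdline)"); then
        enroll_with_otp "$otp"
    else
        echo "no ipa_otp on the kernel command line; skipping enrollment" >&2
    fi
fi
```

Two caveats a practitioner should weigh before using this. First, the OTP travels in the clear with the PXE boot files and stays readable in /proc/cmdline and the kernel log for the life of the boot, which is why the reply's assumption that no rogue machine can PXE boot on that segment matters: anyone who can read the boot configuration before the legitimate host uses the OTP can enroll as that host. Second, because the OTP is single-use, the admin-side step has to run before every reboot, which is exactly the unregister/register churn the reply says you probably do not want.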
