[Freeipa-users] Discussion: What would be the best way to create service principles via provisioning
Dale Macartney
dale at themacartneyclan.com
Mon Mar 11 11:43:27 UTC 2013
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 03/11/2013 11:39 AM, Christian Horn wrote:
>
>
>
> Dale Macartneyさんが書きました:
>>
>> On 03/11/2013 11:04 AM, Christian Horn wrote:
>>>
>>> How about having service-add/ipa-getkeytab done on the server,
>>> and having the keytab deployed onto the clientsystem using scp from
>>> the server, or via configmanagement?
>> That definitely gets around security concerns, however still requires
>> some manual intervention... the keytab could be pushed using config
>> management, but generating it in the first place still requires work as
>> a trusted user.
>
> Yes, but this could be automated.
> If you deploy i.e. with cobbler there were IIRC hooks so one can do
> serverside tasks, as soon as a system gets added. So the secret could
> be embedded in a script there.
In my current lab, I just use my own script which pushes api calls to
rhev to deploy machines. I know there is a way to use a user keytab to
auth to IPA. I could do that and have my provisioning script push the
necessary admin commands and leave the client to pull to the client
during %post...
I guess it depends on the provisioning model within the organisation.
>
>
> Christian
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iQIcBAEBAgAGBQJRPcNdAAoJEAJsWS61tB+qjuUQAK34npb0p8M0U64499r/Y/ZP
RswnOiTLgylGv/Lwt3Tb5aNQvA75Qu2i45BBB3q5NuqN6/m7c2Re7HkMQpfzdEhz
l72Iytz1m9WG802Ibd77MmTGNX1rapYv9JKb1K9QhQVoPCZHwWye6pXGuGAbacab
LXmm0hR3ajZhJwYBh7/6oqaZwXv01qI8Xv/vYmD+ZtDevxmHWeaTGiwUq7gUDCeo
B/McDGd6SiT0juPuAzr694eqryRN1qMDsQu9rv8FsBmFaTtW0WQ0JUMrJKdvYNCm
O6zCdqJKRI536JNUxm49Zot1K8PnlTgkE0jBHkQJn9XeCt63nr2NUuVRgWjEuoXK
FfYsDSEM7SZ3b69WuOnmhKuk697Yn8lMolvWKOFQR/RNa8wa+gNo3uaAXyTnulBv
ba0S2Iehd6pBknuyDN8c1xmGcTSaDIgFeXUnKCVYw5rTo4pfLO/g/zTQwK4wvlJB
ODhOy/n2BiLh/zDu5qadYdPUTbbKZyrYV/ulrhSiMBqFzc7plsFyMQ1uEnvrRFyE
9VgX92u5h2Vw6+mURWZLdFYp3jTMgOsKe+IX6g85hcNyg7JkuP732FCNPkEjoX4O
OSLvx3i2dtSkrKOXKnnf2pHoiRKnzRZ/NVFmOvYHy8Js2WO8TPBXyTkL6bf/Y8QH
z/tB69rCpBy80wyTWAKn
=B5hc
-----END PGP SIGNATURE-----
More information about the Freeipa-users
mailing list