Hello the FreeIPA List,


We've got a FreeIPA directory set up and running. That's all good.


The difficult part is that we also have a number (many) of SLE 12 SP2 hosts
that need to be enrolled.


I can see that the freeipa-client package has not been available to SLE/SUSE
since 2015 or so, so the ipa-client-install, ipa-join, and ipa-getkeytab
tools are unavailable. They would be nice, we'd just do a check and execute
it when host is redeployed to enroll and configure the host.


We've manage to figure out the static parts of the required configuration
(/etc/nsswitch.conf /etc/sssd/sssd.conf and /etc/krb5.conf) as well as
deploying the FreeIPA server's certificate to /etc/ipa/ca.crt. We can also
enroll the hosts 'remotely' by scripting over their hostnames and IP
addresses from a CSV file, so the exist in the FreeIPA directory and even
join them to some hostgroups.


The bit we're a bit stuck at is retrieving the host's Kerberos keytab. There
does not seem to be a getkeytab request for the FreeIPA API, and the use of
kadmin and ktutil to process the keytab is not recommended.


We need a stepwise process to run on the host being enrolled that gets the
keytab from the FreeIPA directory and installs it into the host.


At the moment the method that looks like it's going to work is to write a
script that ssh to the FreeIPA server, kinit as a user who can retrieve
keytabs, get the keytab and write to a temporary file, scp the keytab back
to the host, tidy up temp files, then return to the host, validate the
keytab, install it, and restart Kerberos/sshd/sssd.


This seems less than ideal, alternatively should we look a compiling the
ipa-client into a package?




Aaron Hicks

FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to