On Tue, 2017-10-24 at 16:23 +1300, Aaron Hicks via FreeIPA-users wrote:
> Hello the FreeIPA List,
> We've got a FreeIPA directory set up and running. That's all good.
> The difficult part is that we also have a number (many) of SLE 12 SP2
> that need to be enrolled.
> I can see that the freeipa-client package has not been available to
> since 2015 or so, so the ipa-client-install, ipa-join, and ipa-
> tools are unavailable. They would be nice, we'd just do a check and
> it when host is redeployed to enroll and configure the host.
> We've manage to figure out the static parts of the required
> (/etc/nsswitch.conf /etc/sssd/sssd.conf and /etc/krb5.conf) as well
> deploying the FreeIPA server's certificate to /etc/ipa/ca.crt. We can
> enroll the hosts 'remotely' by scripting over their hostnames and IP
> addresses from a CSV file, so the exist in the FreeIPA directory and
> join them to some hostgroups.
> The bit we're a bit stuck at is retrieving the host's Kerberos
> keytab. There
> does not seem to be a getkeytab request for the FreeIPA API, and the
> use of
> kadmin and ktutil to process the keytab is not recommended.
Use ipa-getkeytab on an admin workstation, then securely transfer the
keytab to the servers.
> We need a stepwise process to run on the host being enrolled that
> gets the
> keytab from the FreeIPA directory and installs it into the host.
> At the moment the method that looks like it's going to work is to
> write a
> script that ssh to the FreeIPA server, kinit as a user who can
> keytabs, get the keytab and write to a temporary file, scp the keytab
> to the host, tidy up temp files, then return to the host, validate
> keytab, install it, and restart Kerberos/sshd/sssd.
This may work also.
> This seems less than ideal, alternatively should we look a compiling
> the ipa-client into a package?
In the freeIPA git repo there is, in the spec file, a variable that
allows you to compile only the client bits IIRC. You should be able to
compile that for SLES.
Sr. Principal Software Engineer
Red Hat, Inc
FreeIPA-users mailing list -- email@example.com
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org