Aaron Hicks via FreeIPA-users wrote:
> Hi Simo,
>
>> Use ipa-getkeytab on an admin workstation, then securely transfer the keytab
>> to the servers.
>
> We have _many_ hosts in a cluster, so this is not practical on a per host
> basis. A single line command we could bulk execute on each of them to
> retrieve the key would be preferred.

Your best bet is to get ipa-client built for SLE.

rob

> Regards,
>
> Aaron
>
> -----Original Message-----
> From: Simo Sorce [mailto:[email protected]]
> Sent: Wednesday, 25 October 2017 2:26 AM
> To: FreeIPA users list <[email protected]>
> Cc: Aaron Hicks <[email protected]>
> Subject: Re: [Freeipa-users] Enrolling SLE 12 SP2 hosts with FreeIPA
>
> On Tue, 2017-10-24 at 16:23 +1300, Aaron Hicks via FreeIPA-users wrote:
>> Hello the FreeIPA List,
>>
>> We've got a FreeIPA directory set up and running. That's all good.
>>
>> The difficult part is that we also have a number (many) of SLE 12 SP2
>> hosts that need to be enrolled.
>>
>> I can see that the freeipa-client package has not been available to
>> SLE/SUSE since 2015 or so, so the ipa-client-install, ipa-join, and
>> ipa-getkeytab tools are unavailable. They would be nice, we'd just do
>> a check and execute it when the host is redeployed to enroll and configure
>> the host.
>>
>> We've managed to figure out the static parts of the required
>> configuration (/etc/nsswitch.conf /etc/sssd/sssd.conf and
>> /etc/krb5.conf) as well as deploying the FreeIPA server's certificate
>> to /etc/ipa/ca.crt. We can also enroll the hosts 'remotely' by
>> scripting over their hostnames and IP addresses from a CSV file, so
>> they exist in the FreeIPA directory and even join them to some
>> hostgroups.
>>
>> The bit we're a bit stuck at is retrieving the host's Kerberos keytab.
>> There does not seem to be a getkeytab request for the FreeIPA API, and
>> the use of kadmin and ktutil to process the keytab is not recommended.
>
> Use ipa-getkeytab on an admin workstation, then securely transfer the keytab
> to the servers.
>
>> We need a stepwise process to run on the host being enrolled that gets
>> the keytab from the FreeIPA directory and installs it into the host.
>>
>> At the moment the method that looks like it's going to work is to
>> write a script that ssh to the FreeIPA server, kinit as a user who can
>> retrieve keytabs, get the keytab and write to a temporary file, scp
>> the keytab back to the host, tidy up temp files, then return to the
>> host, validate the keytab, install it, and restart Kerberos/sshd/sssd.
>
> This may work also.
>
>> This seems less than ideal, alternatively should we look at compiling
>> the ipa-client into a package?
>
> In the freeIPA git repo there is, in the spec file, a variable that allows
> you to compile only the client bits IIRC. You should be able to compile that
> for SLES.
>
> Simo.
>
> --
> Simo Sorce
> Sr. Principal Software Engineer
> Red Hat, Inc
>
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
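The ssh-based retrieval Aaron sketches above, written out as a script for the host being enrolled. This is an added example, not code from the thread or from the FreeIPA project; the server name, the `enroll` account, its keytab location on the server, and the ssh/scp access are all assumptions.

```shell
#!/bin/sh
# Added example: fetch this host's keytab from the IPA server over ssh,
# validate it, install it, restart sssd. Assumed (hypothetical) setup:
# ENROLL_USER is an IPA user allowed to retrieve host keytabs, can ssh to
# the IPA server, and keeps its own keytab there as ~/<user>.keytab so the
# remote kinit needs no password.
set -eu

IPA_SERVER="${IPA_SERVER:-ipa.example.com}"      # assumed server name
ENROLL_USER="${ENROLL_USER:-enroll}"             # assumed privileged account
HOST_FQDN="${HOST_FQDN:-$(hostname -f 2>/dev/null || hostname 2>/dev/null || echo localhost)}"
KEYTAB="/etc/krb5.keytab"

# Command run on the IPA server: private temp file, kinit from the enroll
# keytab, ipa-getkeytab into the temp file, print the path back to us.
# Caveat: ipa-getkeytab generates a new key, so any keytab previously
# issued for this host stops working once this runs.
remote_fetch_cmd() {
    fqdn="$1"; server="$2"; user="$3"
    printf 'umask 077 && t=$(mktemp) && kinit -kt "$HOME/%s.keytab" %s && ipa-getkeytab -s %s -p host/%s -k "$t" >/dev/null && echo "$t"' \
        "$user" "$user" "$server" "$fqdn"
}

# True when a `klist -kt` listing contains the host principal for this FQDN.
keytab_has_host_principal() {
    printf '%s\n' "$1" | grep -qF "host/$2@"
}

install_host_keytab() {
    remote_tmp=$(ssh "$ENROLL_USER@$IPA_SERVER" \
        "$(remote_fetch_cmd "$HOST_FQDN" "$IPA_SERVER" "$ENROLL_USER")")
    local_tmp=$(mktemp)
    scp -q "$ENROLL_USER@$IPA_SERVER:$remote_tmp" "$local_tmp"
    ssh "$ENROLL_USER@$IPA_SERVER" "shred -u '$remote_tmp'"   # leave no copy on the server
    if ! keytab_has_host_principal "$(klist -kt "$local_tmp")" "$HOST_FQDN"; then
        rm -f "$local_tmp"
        echo "keytab does not contain host/$HOST_FQDN" >&2
        return 1
    fi
    kinit -kt "$local_tmp" "host/$HOST_FQDN" && kdestroy   # key must work against the KDC
    install -m 0600 -o root -g root "$local_tmp" "$KEYTAB"
    rm -f "$local_tmp"
    systemctl restart sssd
}

if [ "${1:-}" = "run" ]; then install_host_keytab; fi
```

Run as root with `sh enroll-keytab.sh run` once nsswitch.conf, sssd.conf and krb5.conf are in place; the kinit check fails loudly if the retrieved key does not match what the KDC holds.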
