Aaron Hicks via FreeIPA-users wrote:
> Hi Simo,
> 
>> Use ipa-getkeytab on an admin workstation, then securely transfer the keytab 
>> to the servers.
> 
> We have _many_ hosts in a cluster, so this is not practical on a per host 
> basis. A single line command we could bulk execute on each of them to 
> retrieve the key would be preferred.

Your best bet is to get ipa-client built for SLE.

rob

> 
> Regards,
> 
> Aaron
> 
> -----Original Message-----
> From: Simo Sorce [mailto:s...@redhat.com] 
> Sent: Wednesday, 25 October 2017 2:26 AM
> To: FreeIPA users list <freeipa-users@lists.fedorahosted.org>
> Cc: Aaron Hicks <aaron.hi...@nesi.org.nz>
> Subject: Re: [Freeipa-users] Enrolling SLE 12 SP2 hosts with FreeIPA
> 
> On Tue, 2017-10-24 at 16:23 +1300, Aaron Hicks via FreeIPA-users wrote:
>> Hello the FreeIPA List,
>>
>> We've got a FreeIPA directory set up and running. That's all good.
>>
>> The difficult part is that we also have a number (many) of SLE 12 SP2 
>> hosts that need to be enrolled.
>>
>> I can see that the freeipa-client package has not been available to 
>> SLE/SUSE since 2015 or so, so the ipa-client-install, ipa-join, and 
>> ipa-getkeytab tools are unavailable. They would be nice, we'd just do 
>> a check and execute it when a host is redeployed to enroll and configure 
>> the host.
>>
>> We've managed to figure out the static parts of the required 
>> configuration (/etc/nsswitch.conf /etc/sssd/sssd.conf and 
>> /etc/krb5.conf) as well as deploying the FreeIPA server's certificate 
>> to /etc/ipa/ca.crt. We can also enroll the hosts 'remotely' by 
>> scripting over their hostnames and IP addresses from a CSV file, so 
>> they exist in the FreeIPA directory and even join them to some 
>> hostgroups.
>>
>> The bit we're a bit stuck at is retrieving the host's Kerberos keytab. 
>> There does not seem to be a getkeytab request for the FreeIPA API, and 
>> the use of kadmin and ktutil to process the keytab is not recommended.
> 
> Use ipa-getkeytab on an admin workstation, then securely transfer the keytab 
> to the servers.
> 
> 
>> We need a stepwise process to run on the host being enrolled that gets 
>> the keytab from the FreeIPA directory and installs it into the host.
>>
>> At the moment the method that looks like it's going to work is to 
>> write a script that ssh to the FreeIPA server, kinit as a user who can 
>> retrieve keytabs, get the keytab and write to a temporary file, scp 
>> the keytab back to the host, tidy up temp files, then return to the 
>> host, validate the keytab, install it, and restart Kerberos/sshd/sssd.
> 
> This may work also.
> 
>>
>> This seems less than ideal, alternatively should we look at compiling 
>> the ipa-client into a package?
> 
> In the freeIPA git repo there is, in the spec file, a variable that allows 
> you to compile only the client bits IIRC. You should be able to compile that 
> for SLES.
> 
> Simo.
> 
> --
> Simo Sorce
> Sr. Principal Software Engineer
> Red Hat, Inc
> 
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> 
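Simo's "ipa-getkeytab on an admin workstation, then securely transfer" approach, scripted over the CSV of hostnames Aaron describes, as an added example that is not part of the original thread. It assumes an admin workstation with the ipa-client tools and a ticket for a user allowed to fetch keytabs, root ssh access to each host, a CSV of "fqdn,ip" lines, and the placeholder server/realm values at the top; the function names are the example's own.

```shell
#!/bin/sh
# Added example: fetch each host's keytab from an admin workstation and push it
# to the host. Assumes ipa-client tools plus a ticket for a user allowed to fetch
# keytabs, root ssh access to every host, and a CSV of "fqdn,ip" lines.
IPA_SERVER="${IPA_SERVER:-ipa.example.com}"   # placeholder, set to your server
REALM="${REALM:-EXAMPLE.COM}"                  # placeholder realm

# Kerberos host principal for an FQDN.
host_principal() {
    printf 'host/%s@%s\n' "$1" "$2"
}

# First column of a "fqdn,ip" line; skips blank, comment and header lines.
csv_fqdn() {
    case "$1" in
        ''|'#'*|fqdn,*|hostname,*) return 1 ;;
    esac
    printf '%s\n' "${1%%,*}"
}

# Retrieve the keytab into a private temp dir, sanity-check it, install remotely.
fetch_and_install() {
    fqdn=$1
    princ=$(host_principal "$fqdn" "$REALM")
    tmp=$(mktemp -d) || return 1
    # Without -r, ipa-getkeytab generates a NEW key, invalidating any keytab the
    # host already has; -r (retrieve) needs the "retrieve keytab" permission.
    ipa-getkeytab -s "$IPA_SERVER" -p "$princ" -k "$tmp/krb5.keytab" || { rm -rf "$tmp"; return 1; }
    klist -kt "$tmp/krb5.keytab" >/dev/null || { rm -rf "$tmp"; return 1; }
    # Stage under /root (not /tmp), install with 0600, verify, then restart sssd.
    if scp -q "$tmp/krb5.keytab" "root@$fqdn:/root/krb5.keytab.new" &&
       ssh "root@$fqdn" 'install -o root -g root -m 0600 /root/krb5.keytab.new /etc/krb5.keytab &&
                         rm -f /root/krb5.keytab.new && klist -kt /etc/krb5.keytab >/dev/null &&
                         systemctl restart sssd'; then rc=0; else rc=1; fi
    rm -rf "$tmp"   # never leave a keytab lying around on the workstation
    return $rc
}

# Loop over the CSV; usage: ./enroll-keytabs.sh hosts.csv
enroll_all() {
    while IFS= read -r line || [ -n "$line" ]; do
        fqdn=$(csv_fqdn "$line") || continue
        if fetch_and_install "$fqdn"; then echo "ok   $fqdn"; else echo "FAIL $fqdn" >&2; fi
    done < "$1"
}

if [ $# -ge 1 ]; then enroll_all "$1"; fi
```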