Hello the list,
Here's an updated manual process for SUSE/SLE 12 SP2:
For the many nodes we had, we found that full registration was not required as
users were not meant to be able to log in, so we only implemented name and group
resolution with nss and LDAP. This did not require the generation and retrieval
of a keytab.
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Wednesday, 25 October 2017 10:11 AM
To: FreeIPA users list <email@example.com>
Cc: Aaron Hicks <aaron.hi...@nesi.org.nz>
Subject: Re: [Freeipa-users] Re: Enrolling SLE 12 SP2 hosts with FreeIPA
Aaron Hicks via FreeIPA-users wrote:
> Hi Simo,
>> Use ipa-getkeytab on an admin workstation, then securely transfer the keytab
>> to the servers.
> We have _many_ hosts in a cluster, so this is not practical on a per-host
> basis. A single-line command we could bulk execute on each of them to
> retrieve the key would be preferred.
Your best bet is to get ipa-client built for SLE.
> -----Original Message-----
> From: Simo Sorce [mailto:s...@redhat.com]
> Sent: Wednesday, 25 October 2017 2:26 AM
> To: FreeIPA users list <firstname.lastname@example.org>
> Cc: Aaron Hicks <aaron.hi...@nesi.org.nz>
> Subject: Re: [Freeipa-users] Enrolling SLE 12 SP2 hosts with FreeIPA
> On Tue, 2017-10-24 at 16:23 +1300, Aaron Hicks via FreeIPA-users wrote:
>> Hello the FreeIPA List,
>> We've got a FreeIPA directory set up and running. That's all good.
>> The difficult part is that we also have a number (many) of SLE 12 SP2
>> hosts that need to be enrolled.
>> I can see that the freeipa-client package has not been available to
>> SLE/SUSE since 2015 or so, so the ipa-client-install, ipa-join, and
>> ipa-getkeytab tools are unavailable. They would be nice; we'd just
>> do a check and execute it when a host is redeployed to enroll and
>> configure the host.
>> We've managed to figure out the static parts of the required
>> configuration (/etc/nsswitch.conf, /etc/sssd/sssd.conf and
>> /etc/krb5.conf) as well as deploying the FreeIPA server's certificate
>> to /etc/ipa/ca.crt. We can also enroll the hosts 'remotely' by
>> scripting over their hostnames and IP addresses from a CSV file, so
>> they exist in the FreeIPA directory and even join them to some
>> The bit we're a bit stuck at is retrieving the host's Kerberos keytab.
>> There does not seem to be a getkeytab request for the FreeIPA API,
>> and the use of kadmin and ktutil to process the keytab is not recommended.
> Use ipa-getkeytab on an admin workstation, then securely transfer the keytab
> to the servers.
>> We need a stepwise process to run on the host being enrolled that
>> gets the keytab from the FreeIPA directory and installs it into the host.
>> At the moment the method that looks like it's going to work is to
>> write a script that ssh to the FreeIPA server, kinit as a user who
>> can retrieve keytabs, get the keytab and write to a temporary file,
>> scp the keytab back to the host, tidy up temp files, then return to
>> the host, validate the keytab, install it, and restart Kerberos/sshd/sssd.
> This may work also.
>> This seems less than ideal; alternatively, should we look at compiling
>> the ipa-client into a package?
> In the freeIPA git repo there is, in the spec file, a variable that allows
> you to compile only the client bits IIRC. You should be able to compile that
> for SLES.
> Simo Sorce
> Sr. Principal Software Engineer
> Red Hat, Inc
> FreeIPA-users mailing list -- email@example.com
> To unsubscribe send an email to
FreeIPA-users mailing list -- firstname.lastname@example.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org