On 01/24/2012 09:11 PM, ~Stack~ wrote:
It is a bootstrap issue. For a shared nothing boot like you are
doing, there needs to be a way for the new machine to securely get its
Crud. This looks like it could be difficult. I don't preserve anything
on those machines. At least not right now...
Ideally, PXE boot would give you the option to somehow store a private
key in the BIOS and present a certificate during boot. If it did that,
you could then set up a secure way to tell the IPA server "I am still
who I claimed I was before" and fetch all of your secure data during the
startup process.
Assuming your data center is locked down and a rogue machine cannot PXE
boot on your local interface, what you would need is probably a way to
push down a one-time password to the booting machine so that it could
then use that to refetch its keytab from the IPA server. Not something
currently supported (only happens during register).
You can unregister and then register the machines when you reboot them.
I am pretty sure that you don't really want to do that, though.
Freeipa-users mailing list
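The one-time-password re-fetch sketched above is, as the message says, not something the IPA server supports, so the following is an added illustration of the mechanism in general terms and not FreeIPA code. It assumes a provisioning server that issues a short-lived, single-use token bound to one hostname and stores only the token's hash, a booting host that presents that token once, and a constructed keytab blob standing in for the real credential; the 300-second lifetime, the hostnames and the `ProvisioningServer`/`boot_client` names are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

# Added example: a generic single-use bootstrap token exchange, not FreeIPA's own code.
TOKEN_TTL = 300  # seconds a provisioning token stays valid (assumed value)


@dataclass
class PendingToken:
    token_hash: bytes   # only the SHA-256 of the token is kept server-side
    hostname: str       # the identity this token may redeem
    expires_at: float
    consumed: bool = False


class ProvisioningServer:
    """Stand-in for the identity server: issues one-time tokens, hands out keytabs once."""

    def __init__(self) -> None:
        self._pending: Dict[str, PendingToken] = {}
        self._keytabs: Dict[str, bytes] = {}   # hostname -> keytab bytes (constructed)

    def register_host(self, hostname: str, keytab: bytes) -> None:
        """Initial registration: the only point at which a keytab is created."""
        self._keytabs[hostname] = keytab

    def issue_token(self, hostname: str, now: float) -> str:
        """Mint a token for an already-registered host; the plaintext goes to the
        booting machine (e.g. via the PXE/config channel), the hash stays here."""
        if hostname not in self._keytabs:
            raise KeyError(f"unknown host {hostname}")
        token = secrets.token_urlsafe(32)
        self._pending[hostname] = PendingToken(
            token_hash=hashlib.sha256(token.encode()).digest(),
            hostname=hostname,
            expires_at=now + TOKEN_TTL,
        )
        return token

    def redeem(self, hostname: str, token: str, now: float) -> Optional[bytes]:
        """Return the keytab exactly once if the token is bound to this host,
        unexpired and unused; otherwise return None without leaking why."""
        pending = self._pending.get(hostname)
        if pending is None or pending.consumed or now > pending.expires_at:
            return None
        presented = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(presented, pending.token_hash):
            return None
        pending.consumed = True      # single use: a replayed token is rejected
        return self._keytabs[hostname]


def boot_client(server: ProvisioningServer, hostname: str, token: str,
                now: Optional[float] = None) -> bytes:
    """What the shared-nothing host does at startup: present its token, get its keytab."""
    keytab = server.redeem(hostname, token, time.time() if now is None else now)
    if keytab is None:
        raise PermissionError("bootstrap token rejected")
    return keytab


if __name__ == "__main__":
    srv = ProvisioningServer()
    srv.register_host("node1.example.test", b"KEYTAB-BYTES-node1")   # constructed
    tok = srv.issue_token("node1.example.test", now=1000.0)
    print(boot_client(srv, "node1.example.test", tok, now=1001.0))
    print(srv.redeem("node1.example.test", tok, now=1002.0))          # None: already used
```

The server never stores the token in usable form, compares in constant time, and marks it consumed on first success, so a token captured after the fact or presented for a different hostname cannot be used to pull a keytab. The delivery of the plaintext token to the booting host is the part the thread leaves open: it is only as safe as the channel (here, the assumption that nothing untrusted can PXE boot on that interface).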