On 01/24/2012 09:11 PM, ~Stack~ wrote:
Crud. This looks like it could be difficult. I don't preserve anything
on those machines. At least not right now...
It is a bootstrap issue. For a shared-nothing boot like you are doing, there needs to be a way for the new machine to securely get its identity.

Ideally, PXE boot would give you the option to somehow store a private key in the BIOS and present a certificate during boot. If it did that, you could then set up a secure way to tell the IPA server "I am still who I claimed I was before" and fetch all of your secure data during the start up process.

Assuming your data center is locked down and a rogue machine cannot PXE boot on your local interface, what you would need is probably a way to push down a one time password to the booting machine so that it could then use that to refetch its keytab from the IPA server. Not something currently supported (only happens during register).

You can unregister and then register the machines when you reboot them. I am pretty sure that you don't really want to do that, though.
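As an added illustration of the one-time-password bootstrap sketched above (this is not code from the FreeIPA project or from anyone on this thread): a hypothetical broker that hands a short-lived, single-use secret to a host, bound to the hostname and MAC it was issued for, which the booting machine would present to refetch its keytab. The class name, the TTL and the sample hosts are all assumptions.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 300  # assumed lifetime of a boot secret, in seconds


class EnrollmentBroker:
    """Hypothetical issuer of single-use boot secrets (not FreeIPA's API).

    Each secret is bound to one hostname and MAC, expires after TOKEN_TTL,
    and is consumed on first successful use, so a captured or replayed
    secret cannot re-enroll a second machine later.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        # hostname -> (sha256 of secret, bound MAC, expiry timestamp)
        self._pending = {}

    def issue(self, hostname, mac):
        # Only the hash is kept server-side, so a leaked table does not
        # reveal secrets that are still outstanding.
        secret = secrets.token_urlsafe(24)
        digest = hashlib.sha256(secret.encode()).hexdigest()
        self._pending[hostname] = (digest, mac.lower(), self._clock() + TOKEN_TTL)
        return secret

    def redeem(self, hostname, mac, secret):
        """True exactly once per issued secret, and only from the bound host."""
        entry = self._pending.get(hostname)
        if entry is None:
            return False
        digest, bound_mac, expiry = entry
        if self._clock() > expiry:
            del self._pending[hostname]  # stale secrets are dropped, not honoured
            return False
        presented = hashlib.sha256(secret.encode()).hexdigest()
        if not hmac.compare_digest(presented, digest) or mac.lower() != bound_mac:
            return False
        del self._pending[hostname]  # single use: consume on success
        return True


if __name__ == "__main__":
    broker = EnrollmentBroker()
    otp = broker.issue("node01.example.test", "00:11:22:33:44:55")
    print("first boot:", broker.redeem("node01.example.test", "00:11:22:33:44:55", otp))
    print("replay:", broker.redeem("node01.example.test", "00:11:22:33:44:55", otp))
```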

Freeipa-users mailing list