If you are really trying to go the route of using the password, the best way to 
accomplish that is to procedurally ADD the host ahead of time with the -random 
flag to generate a one-time-pass.  Then insert that 1 time password dynamically 
into the kickstart script.

If you want to approach the problem from a technical side and not procedural... 
I don't suppose you have Puppet?

You can utilize Puppet to deploy a 'host provisioning' keytab that you then 
kinit -kt before issuing the other commands that require authentication. When 
it is finished, delete the keytab.

The problem with authentication and complete hands off automation is that you 
always have to whittle it down to an area of acceptable risk with lots of 
compensating controls and logging.


On Feb 8, 2012, at 6:44 AM, Dale Macartney wrote:

> 
> Hi Simo
> 
> ipa-client-install is provided by the ipa-client rpm. Details below
> 
> Name        : ipa-client
> Arch        : x86_64
> Version     : 2.1.3
> Release     : 9.el6
> Size        : 222 k
> Repo        : installed
> 
> 
> What I am trying to achieve is these two commands in a post...
> 
> ipa service-add HTTP/$(hostname)
> This definitely requires an authenticated user to add, I'm sure.
> 
> 
> ipa-getkeytab -s ds01.example.com -p HTTP/$(hostname) -k /etc/squid/krb5.keytab
> This one I suspect might be able to be retrieved using the host/
> principal from the system after running ipa-client-install.
> 
> 
> Does this help paint a picture?
> 
> 
> Dale
> 
> 
> On 02/08/2012 01:49 PM, Simo Sorce wrote:
>> On Wed, 2012-02-08 at 11:13 +0000, Dale Macartney wrote:
>>> Morning all...
>>> 
>>> I'm dabbling with automated provisioning of ipa client servers, and I'm
>>> a little perplexed on how to add a keytab to a system during the %post
>>> section of a kickstart...
>>> 
>>> I've run ipa-client-install -U -p admin -w redhat123 which works
>>> perfect, but in order to run ipa-getkeytab I need a tgt, which doesn't
>>> appear to be generated during the ipa-client-install.
>>> 
>>> any suggestions on doing this during a post?
>> 
>> What version of ipa-client-install are you using?
>> 
>> Newer versions (2.x) should fetch a keytab for your system (needs
>> credentials or OTP password).
>> 
>> Simo.
>> 
> 
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
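
The keytab approach from the reply at the top of this thread, as an added example that is not part of the original messages: a %post helper that authenticates from a provisioning keytab into a private ticket cache, runs the two commands Dale quoted, and removes the ticket and the keytab even when a step fails. The principal name, the provisioning keytab path, the command log and the DRY_RUN switch are assumptions; the server name and squid keytab path are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Hypothetical names: PROV_PRINC,
# PROV_KEYTAB, CMD_LOG, DRY_RUN. Server and squid keytab path are the
# ones quoted in the thread.
PROV_PRINC="${PROV_PRINC:-svc-provision@EXAMPLE.COM}"
PROV_KEYTAB="${PROV_KEYTAB:-/root/provision.keytab}"   # deployed by Puppet
IPA_SERVER="${IPA_SERVER:-ds01.example.com}"
SVC_KEYTAB="${SVC_KEYTAB:-/etc/squid/krb5.keytab}"
CMD_LOG="${CMD_LOG:-/root/provision-cmd.log}"

# Record each command for later review; skip execution when DRY_RUN=1.
run() {
    printf '%s\n' "$*" >> "$CMD_LOG"
    [ "${DRY_RUN:-0}" = 1 ] || "$@"
}

# Drop the TGT and the provisioning keytab, whatever happened before.
cleanup() {
    run kdestroy -c "$KRB5CCNAME" || true
    rm -f "$cc_file"
    shred -u "$PROV_KEYTAB" 2>/dev/null || rm -f "$PROV_KEYTAB"
}

# Authenticate from the keytab, create HTTP/<host>, fetch its keytab.
provision_http_service() {
    host="$1"
    [ -r "$PROV_KEYTAB" ] || { echo "no keytab at $PROV_KEYTAB" >&2; return 1; }
    # Private ccache so the TGT never lands in root's default cache.
    cc_file="$(mktemp /tmp/krb5cc_prov.XXXXXX)" || return 1
    KRB5CCNAME="FILE:$cc_file"; export KRB5CCNAME
    rc=0
    run kinit -kt "$PROV_KEYTAB" "$PROV_PRINC" &&
        run ipa service-add "HTTP/$host" &&
        run ipa-getkeytab -s "$IPA_SERVER" -p "HTTP/$host" -k "$SVC_KEYTAB" ||
        rc=$?
    cleanup
    return "$rc"
}

# In %post: sh this-script --run
if [ "${1:-}" = "--run" ]; then
    provision_http_service "$(hostname)"
fi
```

The command log gives the audit trail the reply asks for; the provisioning principal should hold only the rights needed to add services.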

