Dale Macartney wrote:
I agree with your statement of acceptable risk. This is my main reason
The ideal situation would be to run this as a satellite kickstart
snippet for provisioning with kickstart profiles... That way I can
utilize the existing provisioning platform for everything.
At the moment everything is in dev using scripted kickstarts for testing.
A host should be able to get keytabs for its own services so you should
be able to kinit to the host service principal in /etc/keytab and use
On 02/08/2012 03:33 PM, JR Aquino wrote:
If you are really trying to go the route of using the password, the
best way to accomplish that is to procedurally ADD the host ahead of
time with the --random flag to generate a one-time password. Then insert that
one-time password dynamically into the kickstart script.
If you want to approach the problem from a technical side and not
procedural... I don't suppose you have Puppet?
You can utilize puppet to deploy a 'host provisioning' keytab that you
then kinit -kt before issuing the other commands that require
authentication. When it is finished, delete the keytab.
The problem with authentication and complete hands off automation is
that you always have to whittle it down to an area of acceptable risk
with lots of compensating controls and logging.
On Feb 8, 2012, at 6:44 AM, Dale Macartney wrote:
ipa-client-install is provided by the ipa-client rpm. Details below
Name : ipa-client
Arch : x86_64
Version : 2.1.3
Release : 9.el6
Size : 222 k
Repo : installed
What I am trying to achieve is these two commands in a post...
ipa service-add HTTP/$(hostname)
This definitely requires an authenticated user to add, I'm sure.
ipa-getkeytab -s ds01.example.com -p HTTP/$(hostname) -k
This one I suspect might be able to be retrieved using the host/
principal from the system after running ipa-client-install.
Does this help paint a picture?
On 02/08/2012 01:49 PM, Simo Sorce wrote:
>>> On Wed, 2012-02-08 at 11:13 +0000, Dale Macartney wrote:
>>>> Morning all...
>>>> I'm dabbling with automated provisioning of IPA client servers,
>>>> a little perplexed on how to add a keytab to a system during the
>>>> section of a kickstart...
>>>> I've run ipa-client-install -U -p admin -w redhat123 which works
>>>> perfectly, but in order to run ipa-getkeytab I need a TGT, which
>>>> appears to be generated during the ipa-client-install.
>>>> any suggestions on doing this during a post?
>>> What version of ipa-client-install are you using?
>>> Newer versions (2.x) should fetch a keytab for your system (needs
>>> credentials or OTP password).
> Freeipa-users mailing list
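The following is an added worked example of the procedure discussed in this thread (pre-stage the host with a one-time password, enroll unattended from the kickstart, then use the host principal's keytab to fetch the HTTP service keytab). It is not code posted by any participant or shipped by FreeIPA. It assumes: the IPA server ds01.example.com and the example.com domain from the thread; a placeholder @@IPA_OTP@@ that whatever renders the kickstart (a Satellite snippet, Cobbler template, or a script) substitutes with the OTP; that FreeIPA 2.x prints the OTP on a "Random password:" line; that `ipa service-add-host` is available in the installed version; and that the apache user exists on the target because httpd is installed in %packages.

```kickstart
# --- Pre-staging, run once per host on an admin workstation with admin credentials ---
# (shown as comments because it is not part of the kickstart itself)
#
#   kinit admin
#   FQDN=web01.example.com
#   # --random creates the host entry with a one-time enrollment password.
#   # Assumption: the OTP is on a "Random password:" line; adjust the awk if not.
#   OTP=$(ipa host-add "$FQDN" --random | awk '/Random password/ {print $NF}')
#   ipa service-add "HTTP/$FQDN"
#   # Let the host manage its own HTTP service so host/ credentials can fetch the keytab.
#   ipa service-add-host "HTTP/$FQDN" --hosts="$FQDN"
#
# The provisioning tool then substitutes $OTP for @@IPA_OTP@@ below. The rendered
# kickstart contains a live (single-use) enrollment secret, so restrict read access
# to the rendered file and keep the rendering step logged.

%post --log=/root/ks-post-ipa.log
set -e

IPA_SERVER=ds01.example.com     # from the thread
IPA_DOMAIN=example.com          # assumption
FQDN=$(hostname)                # must match the name used in 'ipa host-add'
OTP='@@IPA_OTP@@'               # placeholder replaced by the provisioning tool
HTTP_KEYTAB=/etc/httpd/conf/ipa.keytab

# Do not trace this section: the OTP must not end up in the %post log.
set +x

# 1. Enroll with the one-time password instead of an admin password.
#    The OTP is consumed on first use, so a leaked copy cannot re-enroll a host.
ipa-client-install --unattended --server="$IPA_SERVER" --domain="$IPA_DOMAIN" \
    --password="$OTP"

# 2. Get a TGT for the host principal from the keytab ipa-client-install wrote.
kinit -kt /etc/krb5.keytab "host/$FQDN"

# 3. Fetch the HTTP service keytab. This succeeds with host credentials because the
#    host was added as a managing host of HTTP/$FQDN during pre-staging.
ipa-getkeytab -s "$IPA_SERVER" -p "HTTP/$FQDN" -k "$HTTP_KEYTAB"
chown root:apache "$HTTP_KEYTAB"    # assumption: httpd is installed and reads this file
chmod 0640 "$HTTP_KEYTAB"

# 4. Nothing else in %post needs the host TGT; drop it.
kdestroy
%end
```

The only long-lived secrets that land on the host are the two keytabs it is entitled to anyway; the kickstart never carries admin credentials, and if the OTP leaks it is useless once the host has enrolled. Check the %post log after the first build to confirm no command echoed the password.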