On 02/08/2012 11:06 AM, Dale Macartney wrote:
>
> thanks for the confirmation earlier Rob, that does make a lot of sense.
>
> am I right in assuming that to run the following, would not work with
> a host principal? Presumably I'd need admin privileges to create a
> service principal for a host.

Someone has to have privilege. You can make the host capable of provisioning keytabs for services that run on the same host. AFAIR this is allowed by default. I am not sure you can allow a host principal to create new services out of the box. I think you would have to play with permissions to allow it. Rob, am I correct?

> ipa service-add HTTP/$(hostname)
>
> I will be giving this a go for testing's sake tonight.
>
> Dale
>
> On 02/08/2012 04:00 PM, Rob Crittenden wrote:
> > Dale Macartney wrote:
> > > Hi JR
> > >
> > > I agree with your statement of acceptable risk.. this is my main reason
> > > for questioning..
> > >
> > > The ideal situation would be to run this as a satellite kickstart
> > > snippet for provisioning with kickstart profiles... That way I can
> > > utilize the existing provisioning platform for everything.
> > >
> > > At the moment everything is in dev using scripted kickstarts for testing.
> >
> > A host should be able to get keytabs for its own services so you should
> > be able to kinit to the host service principal in /etc/keytab and use
> > ipa-getkeytab.
> >
> > rob
> >
> > > Dale
> > >
> > > On 02/08/2012 03:33 PM, JR Aquino wrote:
> > > > If you are really trying to go the route of using the password, the
> > > > best way to accomplish that is to procedurally ADD the host ahead of
> > > > time with the -random flag to generate a one-time-pass. Then insert that
> > > > 1 time password dynamically into the kickstart script.
> > > >
> > > > If you want to approach the problem from a technical side and not
> > > > procedural... I don't suppose you have Puppet ?
> > > >
> > > > You can utilize puppet to deploy a 'host provisioning' keytab that you
> > > > then kinit -kt before issuing the other commands that require
> > > > authentication. When it is finished, delete the keytab.
> > > >
> > > > The problem with authentication and complete hands-off automation is
> > > > that you always have to whittle it down to an area of acceptable risk
> > > > with lots of compensating controls and logging.
> > > >
> > > > On Feb 8, 2012, at 6:44 AM, Dale Macartney wrote:
> > > >
> > > > > Hi Simo
> > > > >
> > > > > ipa-client-install is provided by the ipa-client rpm. Details below
> > > > >
> > > > > Name    : ipa-client
> > > > > Arch    : x86_64
> > > > > Version : 2.1.3
> > > > > Release : 9.el6
> > > > > Size    : 222 k
> > > > > Repo    : installed
> > > > >
> > > > > What I am trying to achieve is these two commands in a post...
> > > > >
> > > > > ipa service-add HTTP/$(hostname)
> > > > > this definitely requires an authenticated user to add i'm sure
> > > > >
> > > > > ipa-getkeytab -s ds01.example.com -p HTTP/$(hostname) -k /etc/squid/krb5.keytab
> > > > > this one I suspect might be able to be retrieved using the host/
> > > > > principal from the system after running ipa-client-install.
> > > > >
> > > > > Does this help paint a picture?
> > > > >
> > > > > Dale
> > > > >
> > > > > On 02/08/2012 01:49 PM, Simo Sorce wrote:
> > > > > > On Wed, 2012-02-08 at 11:13 +0000, Dale Macartney wrote:
> > > > > > > morning all...
> > > > > > >
> > > > > > > i'm dabbling with automated provisioning of ipa client servers, and i'm
> > > > > > > a little perplexed on how to add a keytab to a system during the %post
> > > > > > > section of a kickstart...
> > > > > > >
> > > > > > > i've run ipa-client-install -U -p admin -w redhat123 which works
> > > > > > > perfect, but in order to run ipa-getkeytab i need a tgt, which doesn't
> > > > > > > appear to be generated during the ipa-client-install.
> > > > > > >
> > > > > > > any suggestions on doing this during a post?
> > > > > >
> > > > > > What version of ipa-client-install are you using ?
> > > > > >
> > > > > > Newer versions (2.x) should fetch a keytab for your system (needs
> > > > > > credentials or OTP password).
> > > > > >
> > > > > > Simo.
> > > > >
> > > > > _______________________________________________
> > > > > Freeipa-users mailing list
> > > > > Freeipa-users@redhat.com
> > > > > https://www.redhat.com/mailman/listinfo/freeipa-users

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
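One way to put Rob's and JR's suggestions together, as an added example that is not code from any poster on this thread: a kickstart %post fragment that enrols the client with a one-time password created ahead of time (so no admin password is embedded in the kickstart) and then uses the host principal in the keytab that ipa-client-install writes to /etc/krb5.keytab to pull the HTTP service keytab. It assumes an admin has already run `ipa host-add FQDN --random` and `ipa service-add HTTP/FQDN` for the host, since, as Dmitri notes, a host principal cannot create services by default, and that the OTP reaches %post as `$IPA_OTP`. The `squid` owner account, the `DRY_RUN` switch, the `run` wrapper and the `keytab_mode_ok` helper are the example's own; the server name and keytab path are the ones from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): %post enrolment with a one-time password,
# then a service keytab fetched with the host principal. Assumes the host entry
# and HTTP/FQDN service were created by an admin beforehand.
set -eu

IPA_SERVER="${IPA_SERVER:-ds01.example.com}"        # IPA server named in the thread
SVC_KEYTAB="${SVC_KEYTAB:-/etc/squid/krb5.keytab}"  # destination keytab from the thread
SVC_OWNER="${SVC_OWNER:-squid}"                      # assumed account that reads the keytab
DRY_RUN="${DRY_RUN:-}"   # non-empty: print each command instead of running it

# run: execute a command, or print it when DRY_RUN is set, so the sequence can be
# checked on a box with no IPA server.
run() {
  if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# enrol_and_fetch FQDN OTP: the %post sequence. The OTP is consumed by
# ipa-client-install and is useless afterwards, which is what makes it tolerable
# to embed in a kickstart where an admin password would not be.
enrol_and_fetch() {
  fqdn="$1"; otp="$2"
  run ipa-client-install -U --hostname="$fqdn" -w "$otp"
  # From here on the host keytab is the only credential needed.
  run kinit -kt /etc/krb5.keytab "host/$fqdn"
  run ipa-getkeytab -s "$IPA_SERVER" -p "HTTP/$fqdn" -k "$SVC_KEYTAB"
  # Drop the host TGT so nothing that runs later in %post inherits it.
  run kdestroy
  # The service keytab is a long-term key: only the service account may read it.
  run chown "$SVC_OWNER" "$SVC_KEYTAB"
  run chmod 600 "$SVC_KEYTAB"
}

# keytab_mode_ok FILE: 0 when the keytab is readable only by its owner, 1 otherwise.
# Useful as a final check in %post (or a later audit) that the chmod took effect.
keytab_mode_ok() {
  f="$1"
  [ -e "$f" ] || return 1
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
  case "$mode" in
    600|400) return 0 ;;
    *)       return 1 ;;
  esac
}

# Real %post invocation: only runs when the kickstart supplied an OTP.
if [ -n "${IPA_OTP:-}" ]; then
  enrol_and_fetch "$(hostname -f)" "$IPA_OTP"
  keytab_mode_ok "$SVC_KEYTAB" || echo "warning: $SVC_KEYTAB is not mode 600" >&2
fi
```

Run with `DRY_RUN=1` first to see the exact command sequence; the OTP is single-use, so if enrolment fails the host entry has to be reset by an admin before a retry.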