Dmitri,

Sure, I can do this. I can make a script, and have this executed from
Satellite (remote command) and then perform the server redeploy from
Satellite. However, that makes it a two-step process, and that is what I
now also have. However, I would like to make it fully automated in a single
step.

Come to think of it... there is also an API for Satellite. Maybe I can make
a script that will first do the IPA stuff and then call Satellite to
redeploy the server...
...hmmm... will look into this... and report my findings.


Kind regards,

Fred van Zwieten
*Enterprise Open Source Services Consultant*
*(absent on Fridays)*

*VX Company IT Services B.V.*
*T* (035) 539 09 50 mobile (06) 41 68 28 48
*F* (035) 539 09 08
*E* fvzwie...@vxcompany.com
*I*  www.vxcompany.com


On Fri, Jan 18, 2013 at 6:09 PM, Dmitri Pal <d...@redhat.com> wrote:

>  On 01/18/2013 06:52 AM, Fred van Zwieten wrote:
>
> Hi Dmitri,
>
>  Sorry for the late reply. I basically want to do the same as Charlie
> Derwent in another thread on this mailing list: To fully automate the
> re-installation of a server using Satellite/Spacewalk using kickstart. As
> the server is an IPA client, it must first get to be un-enrolled, before an
> ipa-client-install --unattended -w secret etc. can be done in a %post
> snippet of the kickstart file. It is the automation of the unenrollment
> process that we are not able to set up.
>
>  What I can do on any ipa-client to unenroll on the command line is:
>
>  ipa --disable-host <server> and ipa host-mod --password=secret --ssh=
>
>  This unprovisions the client, sets an OTP and removes the host ssh keys.
>
>  However, this can only be done on an IPA client, and during a kickstart
> install the server is no longer an IPA client, because it is freshly being
> set up.
>
>  It's a typical chicken-and-egg issue. You must first be ipa client to be
> able to execute ipa commands, but you cannot become an ipa client before
> unprovisioning yourself using those same ipa commands.
>
>  Another approach would be to unprovision the client just before the
> reboot to be kickstarted, however, I have no idea how to set that up. It
> would mean the server has to know somehow it is being rebooted because of a
> re-install, but afaik, there is no way for satellite/spacewalk to tell the
> server this.
>
>  Regards,
>
>  Fred
>
>
> IMO the right approach would be for the Satellite server to perform "ipa
> --disable-host <server> and ipa host-mod --password=secret --ssh=" as a
> part of the re-installation.
> Satellite should be given an IPA identity and call into IPA when it
> performs reinstall before rebooting the system.
>
> Tough... I will see what I can do.
>
>
>
>
>
>
> On Sat, Jan 12, 2013 at 10:06 PM, Dmitri Pal <d...@redhat.com> wrote:
>
>>   On 01/12/2013 03:28 AM, Fred van Zwieten wrote:
>>
>> Hi there,
>>
>>  We are in the process of implementing Satellite and want to automate
>> server installations 100% using kickstart, cobbler, satellite.
>>
>>  IPA clients can be scripted enrolled using kickstart. Plenty of
>> documentation about that.
>>
>>  However, how to "re"-enroll IPA clients?
>>
>>  Satellite gives me the option to re-install a server. In this case,
>> there are still host and possibly service records for this host present in
>> IPA and DNS.
>>
>>  One way to think about this is, that it's actually OK to keep those
>> records there, because it is a "re"-installation, so why remove and
>> re-enroll? However, there is the krb5.keytab in /etc. I could save that
>> file during redeployment, but I'm not sure if that will work. And are
>> there any other gotchas?
>>
>>  So, the question is, how to re-install an IPA client using kickstart
>> (silent re-install)?
>>
>>
>>  The question is how/do you remove the client?
>> Based on what you say above you use the same system so there are some
>> leftovers. If you can run ipa-client-install --uninstall it should clean
>> things like keytab and certs (there have been bugs fixed in freeIPA 3.0).
>> If the client has access to the server it will clean (not remove) the host
>> entry too. Then you can re-run the install. If you use OTP you would need
>> to reset OTP first.
>>
>>
>> Regards,
>>
>>  Fred
>>
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users@redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>>
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager for IdM portfolio
>> Red Hat Inc.
>>
>>
>> -------------------------------
>> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
>>
>>
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>
>
> -------------------------------
> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
>
>
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
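
The single-step flow discussed in this thread (unprovision the host in IPA, set an OTP, clear the SSH keys, then trigger the reinstall) could be scripted as below. This is an added example, not code from the thread or from either project. It assumes the `ipa` CLI and a valid Kerberos ticket for an identity allowed to modify hosts, uses the `ipa host-disable` and `--sshpubkey=` spellings of the FreeIPA CLI, and `REINSTALL_CMD` is a hypothetical site-specific hook for the Satellite call.

```shell
#!/bin/sh
# Added example: unprovision an IPA host, then hand over to a reinstall hook.
# Assumes the ipa CLI and a Kerberos ticket with rights to modify host entries.

# Accept only plain FQDNs so a crafted name cannot be parsed as an option.
valid_fqdn() {
    case $1 in
        ''|-*|.*|*.|*..*|*[!A-Za-z0-9.-]*) return 1 ;;
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

# 24 random alphanumerics: a fresh one-time password per reinstall,
# instead of a fixed shared value baked into the kickstart file.
gen_otp() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 24
}

# With DRY_RUN=1, print each command instead of executing it.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Hypothetical hook: REINSTALL_CMD is a site-specific program that asks
# Satellite to schedule the kickstart. Host name in $1, OTP in IPA_OTP.
trigger_reinstall() {
    [ -n "${REINSTALL_CMD:-}" ] || { echo "REINSTALL_CMD not set" >&2; return 1; }
    IPA_OTP=$2 "$REINSTALL_CMD" "$1"
}

reprovision() {
    host=$1
    valid_fqdn "$host" || { echo "refusing host name: $host" >&2; return 2; }
    # A dry run shows a placeholder so the real OTP never reaches a log.
    if [ "${DRY_RUN:-0}" = 1 ]; then otp='<otp>'; else otp=$(gen_otp); fi
    # Stop at the first failure: do not reinstall while old keys are still valid.
    run ipa host-disable "$host" || return 1
    run ipa host-mod "$host" --password="$otp" --sshpubkey= || return 1
    run trigger_reinstall "$host" "$otp"
}

# Stand-alone use: ./reprovision.sh web01.example.com
if [ $# -gt 0 ]; then reprovision "$1"; fi
```
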
