Hi,

Dale Macartney wrote:
> 
> I'm open to hear some opinions and thoughts on what the best way to
> auto-provision service principals in an environment with a 100%
> autonomous build process.
> 
> Let's say for example, I wanted to provision a mail server and configure
> dovecot SSO in the same process.
> 
> Obviously something like this would be terrible in a production
> environment as having this in the %post of a kickstart gives away the
> admin password
> 
> %post
> echo redhat123 | kinit admin --
> ipa service-add imap/$(hostname)
> ipa-getkeytab -s ds01.example.com -p imap/$(hostname) -k /etc/dovecot/krb5.keytab
> 
> Is there a more secure way to perform such a task via kickstart or
> other provisioning method?

How about having service-add/ipa-getkeytab done on the server,
and having the keytab deployed onto the client system using scp from
the server, or via config management?

Christian

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
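
The server-side approach suggested in the reply above, as an added example that is not part of the thread or of FreeIPA itself. It assumes an admin host that already holds a Kerberos ticket allowed to add services, an existing IPA host entry for the client, and root SSH key access to it; `run`, `valid_fqdn`, `provision_imap_keytab` and `DRY_RUN` are names made up for illustration.

```sh
#!/bin/sh
# Added example: run on an admin/provisioning host, never inside %post,
# so no admin password is written into the kickstart file.
# Assumptions (not from the thread): caller already has a Kerberos ticket
# that may add services, the client's host entry exists in IPA, and root
# SSH key access to the freshly built client is available.

IPA_SERVER="ds01.example.com"            # server name used in the thread
KEYTAB_DEST="/etc/dovecot/krb5.keytab"   # keytab path used in the thread

# run: execute the command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# valid_fqdn: accept only a plain dotted DNS name, so the host argument
# cannot smuggle options or shell syntax into the commands below.
valid_fqdn() {
    case "$1" in
        ""|*[!A-Za-z0-9.-]*|[.-]*|*.|*..*) return 1 ;;
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

# provision_imap_keytab CLIENT_FQDN: create imap/CLIENT, fetch its keytab
# into a private temp dir, copy it to the client, remove the local copy.
# The body runs in a subshell so umask and variables do not leak out.
provision_imap_keytab() (
    client="$1"
    valid_fqdn "$client" || { echo "invalid host name: $client" >&2; exit 2; }
    umask 077                          # temp dir and keytab stay owner-only
    tmpdir="$(mktemp -d)" || exit 1
    principal="imap/${client}"
    # Stops at the first failure, e.g. when the service already exists.
    run ipa service-add "$principal" &&
    run ipa-getkeytab -s "$IPA_SERVER" -p "$principal" -k "$tmpdir/krb5.keytab" &&
    run scp -p "$tmpdir/krb5.keytab" "root@${client}:${KEYTAB_DEST}"
    rc=$?
    rm -rf "$tmpdir"                   # no keytab copy left on the admin host
    exit "$rc"
)
```

Calling `provision_imap_keytab` again for the same principal makes `ipa-getkeytab` generate new keys by default, which invalidates the keytab already deployed on the client.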
