Dale Macartney wrote:
> I'm open to hear some opinions and thoughts on what the best way to
> auto-provision service principals in an environment with a 100%
> autonomous build process.
> Let's say for example, I wanted to provision a mail server and configure
> dovecot SSO in the same process.
> Obviously something like this would be terrible in a production
> environment as having this in the %post of a kickstart gives away the
> admin password
> %post
> echo redhat123 | kinit admin --
> ipa service-add imap/$(hostname)
> ipa-getkeytab -s ds01.example.com -p imap/$(hostname) -k /etc/dovecot/krb5.keytab
> Is there a more secure way to perform such a task via kickstart or
> other provisioning method?

How about having service-add/ipa-getkeytab done on the server,
and having the keytab deployed onto the client system using scp from
the server, or via config management?


Freeipa-users mailing list
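
The server-side approach suggested in the reply could look like the sketch below. It is an added example, not code from either poster or from the FreeIPA project. It assumes an operator on an IPA-enrolled admin host who already holds an admin ticket, a host entry that already exists for the client, and root SSH access to the client; the function name `provision_keytab` and the `RUN` dry-run switch are hypothetical.

```shell
#!/bin/sh
# Added example: create the service principal and keytab on the admin side,
# then push only the keytab to the client. No admin password is ever placed
# in the kickstart %post or on the client.
# Assumption: the operator ran an interactive kinit beforehand.
# usage: provision_keytab mail01.example.com [service] [destination path]

RUN=${RUN:-}                                # RUN=echo prints commands only
IPA_SERVER=${IPA_SERVER:-ds01.example.com}  # server name used in the thread

provision_keytab() {
    client=$1                               # FQDN of the new mail server
    service=${2:-imap}
    dest=${3:-/etc/dovecot/krb5.keytab}
    principal="$service/$client"

    # Refuse anything that is not a plain hostname before it reaches
    # the ipa and scp command lines.
    case $client in
        ''|*[!A-Za-z0-9.-]*) echo "invalid hostname: $client" >&2; return 2 ;;
    esac

    old_umask=$(umask)
    umask 077                               # keytab is created mode 0600
    tmpdir=$(mktemp -d) || { umask "$old_umask"; return 1; }
    keytab="$tmpdir/krb5.keytab"

    # Stop at the first failing step; scp -p keeps the 0600 mode.
    $RUN ipa service-add "$principal" &&
    $RUN ipa-getkeytab -s "$IPA_SERVER" -p "$principal" -k "$keytab" &&
    $RUN scp -p "$keytab" "root@$client:$dest"
    rc=$?

    rm -rf "$tmpdir"                        # keep no copy of the key here
    umask "$old_umask"
    return $rc
}
```

Running it with `RUN=echo` shows the exact commands before anything touches the directory.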
