> On 03/11/2013 11:04 AM, Christian Horn wrote:
> > How about having service-add/ipa-getkeytab done on the server,
> > and having the keytab deployed onto the client system using scp from
> > the server, or via config management?
> That definitely gets around security concerns, however still requires
> some manual intervention... the keytab could be pushed using config
> management, but generating it in the first place still requires work as
> a trusted user.
Yes, but this could be automated.
If you deploy, i.e. with Cobbler, there were IIRC hooks so one can do
server-side tasks as soon as a system gets added. So the secret could
be embedded in a script there.
Freeipa-users mailing list