On 03/11/2013 07:43 AM, Dale Macartney wrote:
> On 03/11/2013 11:39 AM, Christian Horn wrote:
> > Dale Macartney wrote:
> > > On 03/11/2013 11:04 AM, Christian Horn wrote:
> > > > How about having service-add/ipa-getkeytab done on the server,
> > > > and having the keytab deployed onto the client system using scp from
> > > > the server, or via config management?
> > > That definitely gets around security concerns, however it still requires
> > > some manual intervention... the keytab could be pushed using config
> > > management, but generating it in the first place still requires work as
> > > a trusted user.
> > Yes, but this could be automated.
> > If you deploy, e.g., with cobbler there were IIRC hooks so one can do
> > server-side tasks as soon as a system gets added. So the secret could
> > be embedded in a script there.
> In my current lab, I just use my own script which pushes API calls to
> RHEV to deploy machines. I know there is a way to use a user keytab to
> auth to IPA. I could do that and have my provisioning script push the
> necessary admin commands and leave the client to pull to the client
> during %post...
>
> I guess it depends on the provisioning model within the organisation.
For things to work right the provisioning service MUST have some behind-the-scenes interaction with IPA. This is what we always had in mind.

Let us say that the provisioning system is called P.

Setup:
1) Create a principal for P
2) Provision a keytab for P
3) Make P use IPA interfaces, authenticating as P's principal using the keytab
4) Make sure P has the right permissions to manage other hosts
5) Make P store the IPA public cert

Provisioning sequence:
1) User/script requests provisioning of a system
2) P connects to IPA and creates a host entry in IPA; an OTP is returned back
3) P provides the IPA public cert for the new machine
4) P inserts the OTP into the kickstart for the system to join IPA
5) If provisioning of the identity fails, P should disable the host in IPA to make sure that the OTP has not been stolen and used to provision some other fake system.

This is how things "should work" in a perfect world.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
_______________________________________________ Freeipa-users mailing list Freeipafirstname.lastname@example.org https://www.redhat.com/mailman/listinfo/freeipa-users
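A worked version of the setup and provisioning sequence in Dmitri's message, written for this page rather than taken from FreeIPA or from anyone in the thread. It assumes P is a Python script on a box with the ipa and kinit clients installed, a made-up principal and keytab path for P, and a deploy() callback standing in for P's own install machinery (cobbler, the RHEV API, ...). Step 5 is done with ipa host-del rather than host-disable: deleting the entry unambiguously discards an OTP that was never used, while host-disable is aimed at a host's keytab and certificates; swap host-disable back in if the entry has to survive. FakeIpa and the CA cert string are constructed stand-ins so the flow runs offline.

```python
import re
import shlex
import subprocess

# Assumed values for P's own identity; the thread does not fix these.
PROVISIONER_PRINCIPAL = "provisioner/prov01.example.test@EXAMPLE.TEST"
PROVISIONER_KEYTAB = "/etc/provisioner.keytab"
CA_CERT_PLACEHOLDER = "-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----"  # constructed, not a real cert

_OTP_RE = re.compile(r"^\s*Random password:\s*(\S+)\s*$", re.MULTILINE)
_KEYTAB_RE = re.compile(r"^\s*Keytab:\s*(True|False)\s*$", re.MULTILINE)

class IpaError(RuntimeError): pass  # an ipa/kinit command failed or printed something unparsable

def run_cmd(argv):
    proc = subprocess.run(argv, capture_output=True, text=True)  # default runner: real commands
    return proc.returncode, proc.stdout + proc.stderr

def _must(argv, runner):
    rc, out = runner(argv)
    if rc != 0:
        raise IpaError("%s: rc=%d: %s" % (" ".join(argv), rc, out.strip()))
    return out

def kinit_provisioner(runner=run_cmd):
    """Setup step 3: P authenticates with its own keytab, never with a user's password."""
    _must(["kinit", "-kt", PROVISIONER_KEYTAB, PROVISIONER_PRINCIPAL], runner)

def parse_random_password(host_add_output):
    """Pull the OTP out of the 'Random password:' line printed by `ipa host-add --random`."""
    m = _OTP_RE.search(host_add_output)
    if m is None:
        raise IpaError("no 'Random password:' line in host-add output")
    return m.group(1)

def add_host_with_otp(fqdn, runner=run_cmd):
    """Provisioning step 2: create the host entry; IPA hands back a one-time password."""
    return parse_random_password(_must(["ipa", "host-add", fqdn, "--random"], runner))

def host_has_keytab(fqdn, runner=run_cmd):
    """`ipa host-show` reports 'Keytab: True' once the client has actually joined."""
    m = _KEYTAB_RE.search(_must(["ipa", "host-show", fqdn], runner))
    return m is not None and m.group(1) == "True"

def delete_host(fqdn, runner=run_cmd):
    """Provisioning step 5: remove the entry so a never-used OTP cannot enrol some other box."""
    _must(["ipa", "host-del", fqdn], runner)

def render_kickstart_post(fqdn, otp, domain, realm, server, ca_cert_pem):
    """Provisioning steps 3 and 4: stage the IPA CA cert and the OTP into the %post section."""
    install = " ".join(["ipa-client-install", "--unattended", "--hostname=" + fqdn,
                        "--domain=" + domain, "--realm=" + realm, "--server=" + server,
                        "--ca-cert-file=/etc/ipa/ca.crt", "--password=" + shlex.quote(otp)])
    return "\n".join(["%post --log=/root/ipa-enroll.log", "mkdir -p /etc/ipa",
                      "cat > /etc/ipa/ca.crt <<'EOF'", ca_cert_pem.strip(), "EOF",
                      install, "%end", ""])

def provision(fqdn, deploy, domain, realm, server, ca_cert_pem, runner=run_cmd):
    """The whole sequence from the thread. `deploy(kickstart)` stands in for P's own
    install machinery (cobbler, RHEV API, ...) and returns once the install has ended."""
    kinit_provisioner(runner)
    otp = add_host_with_otp(fqdn, runner)
    try:
        deploy(render_kickstart_post(fqdn, otp, domain, realm, server, ca_cert_pem))
        enrolled = host_has_keytab(fqdn, runner)
    except Exception:           # any failure on the install path counts as "not enrolled"
        enrolled = False
    if enrolled:
        return "enrolled"
    delete_host(fqdn, runner)   # step 5: the OTP must not outlive a failed install
    return "cleaned-up"

class FakeIpa:
    """Constructed stand-in for ipa/kinit so the flow runs offline; records every call."""
    def __init__(self, client_enrolls):
        self.client_enrolls, self.calls = client_enrolls, []
    def __call__(self, argv):
        self.calls.append(argv)
        if argv[0] == "kinit":
            return 0, ""
        if argv[1] == "host-add":  # shaped like real `ipa host-add --random` output
            return 0, 'Added host "%s"\n  Host name: %s\n  Random password: xo6c2q3KBUDJ\n' % (argv[2], argv[2])
        if argv[1] == "host-show":
            return 0, "  Host name: %s\n  Keytab: %s\n" % (argv[2], self.client_enrolls)
        if argv[1] == "host-del":
            return 0, 'Deleted host "%s"\n' % argv[2]
        return 1, "ipa: ERROR: unknown command"

def demo(client_enrolls):
    """Drive provision() against FakeIpa; returns (outcome, ipa subcommands used, kickstart)."""
    fake, kickstarts = FakeIpa(client_enrolls), []
    outcome = provision("c1.example.test", kickstarts.append, "example.test", "EXAMPLE.TEST",
                        "ipa1.example.test", CA_CERT_PLACEHOLDER, runner=fake)
    return outcome, [a[0] if a[0] == "kinit" else a[1] for a in fake.calls], kickstarts[0]

if __name__ == "__main__":
    for enrolls in (True, False):
        print(demo(enrolls)[:2])
```

The kickstart carries the OTP in clear, and kickstarts are usually fetched over plain HTTP, so the exposure window runs from host-add until ipa-client-install consumes the password; step 5 closes that window when the install fails. Setup steps 1, 2 and 4 happen outside this script: create P's principal, pull its keytab with ipa-getkeytab, and give it only what host-add, host-show and host-del need (an IPA role carrying the built-in "Host Administrators" privilege, or a narrower custom permission) rather than membership in admins.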