If you don't find an answer for doing it -minus- a ticket, here is what I would 
suggest.

Create a service user whose only role permissions give them the ability to 
delete users.

Then perform a getkeytab for the user:
ipa-getkeytab -s ipa.example.com -p <user name to export>@EXAMPLE.COM -k /path/to/username.keytab

Then associate the following along with your cron.  I would also recommend a 
kdestroy -after- the task is run.
#!/bin/bash

#######
# Auto Kinit
########

/usr/kerberos/bin/klist -s
EXITCODE=$?
if [ $EXITCODE != "0" ] ; then
        /usr/kerberos/bin/kdestroy >> /dev/null 2>&1
        /usr/kerberos/bin/kinit -F usern...@example.com -k -t /path/to/username.keytab
fi


On Mar 6, 2014, at 8:48 AM, KodaK <sako...@gmail.com> wrote:

> Once again, I'm probably missing something that's well documented.  I promise 
> I searched.
> 
> We have a daily termination list that needs to be enforced at 5:00 PM every 
> day.  I can script it up just fine, but sometimes I like to sneak out early.
> 
> I tried to use "at," but since I'm logged out when the job runs there's no 
> ticket and the ipa commands fail.
> 
> ex:
> 
> echo "sh terminate" | at 5:00 PM Friday
> 
> works if I'm logged in with a ticket ("terminate" contains the ipa command to 
> disable / delete users.)
> 
> Is there some way to automate this?  I can leave a terminal open on a VM as a 
> work-around, but I'd like to be cleaner if I can.
> 
> --Jason
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
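
An added example, not part of the original message or of FreeIPA: a wrapper for the cron or at job that combines the suggestions above (keytab login, kdestroy after the task) with a private credential cache and a keytab permission check. The principal name, list file path, login alphabet and `--run` switch are assumptions, and `ipa user-disable` stands in for whatever the `terminate` script runs.

```bash
#!/bin/bash
# Added example; the names below are assumptions, not from the thread.
PRINCIPAL="svc-terminate@EXAMPLE.COM"   # hypothetical service user
KEYTAB="/path/to/username.keytab"       # keytab path used in the message
LIST="/path/to/termination.list"        # hypothetical: one login per line

# A keytab is a password equivalent: accept it only if it is a regular
# file with mode 0400 or 0600 (no access for group or other).
keytab_is_private() {
    [ -f "$1" ] || return 1
    case "$(stat -c '%a' "$1")" in
        400|600) return 0 ;;
        *)       return 1 ;;
    esac
}

# Print the logins in a list file. Blank lines and # comments are skipped;
# entries that start with "-" or contain characters outside the assumed
# login alphabet are rejected so they cannot be read as ipa options.
read_logins() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;
            -*|*[!A-Za-z0-9_.-]*) echo "skipped: $line" >&2; continue ;;
        esac
        printf '%s\n' "$line"
    done < "$1"
}

terminate_all() {
    keytab_is_private "$KEYTAB" || { echo "unsafe keytab: $KEYTAB" >&2; return 1; }
    # Private cache for this job, so no other session's tickets are touched.
    ccdir="$(mktemp -d)" || return 1
    export KRB5CCNAME="FILE:$ccdir/ccache"
    # Destroy the ticket when the job ends, whether it succeeded or failed.
    trap 'kdestroy >/dev/null 2>&1; rm -rf "$ccdir"' EXIT
    kinit -F -k -t "$KEYTAB" "$PRINCIPAL" || return 1
    rc=0
    for login in $(read_logins "$LIST"); do
        ipa user-disable "$login" || rc=1
    done
    return "$rc"
}

# Runs only when asked, e.g. from cron: 0 17 * * * /path/to/terminate.sh --run
if [ "${1:-}" = "--run" ]; then terminate_all; fi
```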
