[Freeipa-users] Re: IPA API - Fetch keytab
On 04.11.22 17:47, Jochen Kellner wrote:
> Ronald Wimmer via FreeIPA-users writes:
>
>>> Jochen already provided you the required commands. They can be
>>> automated easily.
>>
>> I was still thinking about how to do that from the AIX side. I'm
>> sorry... Obviously I could need more coffee. ;-)
>
> A lot of what can be done depends on what you use as AIX automation. If
> you still use shell scripts - ssh to a linux host is your most likely
> solution. If you use something like ansible, you might want to check
> "delegate_to" in the ansible documentation. In the unlikely event you
> use SALT, have a look at orchestration. For other tools I declare total
> ignorance.

We will go the shell script way as not many AIX hosts look the same and
Ansible might be a problem. The IPA client host will most likely be a K8s
pod - maybe even without persistent storage. I'll have to check with the
IPA developers if ephemeral IPA clients will eat up id ranges or else
over time.

> There are lots and lots of possible solutions.
>
> Just a hint how you might handle authentication for IPA commands:
>
> Add a user to IPA that has the role "Enrollment Administrator". Get a
> keytab for that user and store it at a safe place on your IPA client.
> You should be able to run "ipa" and other commands with and not giving
> name/password on the command line:
>
> env KRB5_CLIENT_KTNAME=/path/to/key.tab ipa ...

Thanks. I am using this already somewhere else.

> (you might need to install urllib-gssapi or python3-urllib-gssapi)
>
> That would still need some experimenting, but I'm sure it will work in
> the end.

The first idea is to ssh to the Linux machine to call a python script
doing all the magic and scp the keytab over to the AIX host.

> Remember that the AIX host and freeipa need to agree what the last kvno
> is - That might be a problem while experimenting.

Thanks! I'll keep that in mind!

Cheers,
Ronald
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
[Freeipa-users] Re: IPA API - Fetch keytab
Ronald Wimmer via FreeIPA-users writes:

>> Jochen already provided you the required commands. They can be
>> automated easily.
>
> I was still thinking about how to do that from the AIX side. I'm
> sorry... Obviously I could need more coffee. ;-)

A lot of what can be done depends on what you use as AIX automation. If
you still use shell scripts - ssh to a linux host is your most likely
solution. If you use something like ansible, you might want to check
"delegate_to" in the ansible documentation. In the unlikely event you use
SALT, have a look at orchestration. For other tools I declare total
ignorance.

There are lots and lots of possible solutions.

Just a hint how you might handle authentication for IPA commands:

Add a user to IPA that has the role "Enrollment Administrator". Get a
keytab for that user and store it at a safe place on your IPA client.
You should be able to run "ipa" and other commands with and not giving
name/password on the command line:

env KRB5_CLIENT_KTNAME=/path/to/key.tab ipa ...

(you might need to install urllib-gssapi or python3-urllib-gssapi)

That would still need some experimenting, but I'm sure it will work in
the end.

Remember that the AIX host and freeipa need to agree what the last kvno
is - That might be a problem while experimenting.

Jochen

-- 
This space is intentionally left blank.
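Added example (not part of the original thread and not FreeIPA code): the kvno agreement mentioned above can be checked before a keytab is copied to the AIX host by reading the kvno stored in the file itself. The code parses the MIT keytab file format version 0x0502; the realm EXAMPLE.ORG, the constructed sample keytab with dummy keys, and the names parse_keytab, kvno_status and build_sample_entry are assumptions made for illustration.

```python
import struct
from typing import List, NamedTuple


class Entry(NamedTuple):
    principal: str
    kvno: int
    enctype: int
    key_len: int  # length only: the key itself is a secret and is not returned


def parse_entry(rec: bytes) -> Entry:
    """Decode one keytab entry (the bytes after its 32-bit length field)."""
    off = 0
    def take(fmt: str) -> int:
        nonlocal off
        val = struct.unpack_from(fmt, rec, off)[0]
        off += struct.calcsize(fmt)
        return val
    def counted() -> bytes:
        nonlocal off
        n = take(">H")
        if off + n > len(rec):
            raise ValueError("counted string runs past the entry")
        off += n
        return rec[off - n:off]
    ncomp = take(">H")
    realm = counted().decode()
    comps = [counted().decode() for _ in range(ncomp)]
    take(">II")                    # skip name type and timestamp
    kvno = take(">B")              # legacy 8-bit kvno
    etype = take(">H")
    key = counted()
    if len(rec) - off >= 4:        # optional 32-bit kvno overrides the 8-bit one
        kvno = take(">I") or kvno  # zero is padding: keep the 8-bit value
    return Entry("/".join(comps) + "@" + realm, kvno, etype, len(key))


def parse_keytab(data: bytes) -> List[Entry]:
    """Return the live entries of a keytab in file format version 0x0502."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        size = struct.unpack_from(">i", data, pos)[0]
        pos += 4
        if size == 0:              # zero length: treat as end of data
            break
        if size < 0:               # hole left by a deleted entry: skip it
            pos += -size
            continue
        if pos + size > len(data):
            raise ValueError("truncated keytab entry")
        entries.append(parse_entry(data[pos:pos + size]))
        pos += size
    return entries


def kvno_status(entries: List[Entry], principal: str, kdc_kvno: int) -> str:
    """Compare the newest kvno held for `principal` with the KDC's current kvno."""
    held = [e.kvno for e in entries if e.principal == principal]
    if not held:
        return "missing"
    if max(held) == kdc_kvno:
        return "ok"
    return "stale" if max(held) < kdc_kvno else "ahead"


def build_sample_entry(realm, comps, kvno, etype, key) -> bytes:
    """Build one constructed entry; only used to make SAMPLE_KEYTAB."""
    cs = lambda b: struct.pack(">H", len(b)) + b
    body = struct.pack(">H", len(comps)) + cs(realm) + b"".join(map(cs, comps))
    body += struct.pack(">IIBH", 1, 0, kvno & 0xFF, etype) + cs(key)
    return struct.pack(">i", len(body) + 4) + body + struct.pack(">I", kvno)


# Constructed sample: all-zero dummy keys, assumed realm EXAMPLE.ORG.
HOST = (b"EXAMPLE.ORG", [b"host", b"aix.example.org"])
SAMPLE_KEYTAB = (
    b"\x05\x02"
    + build_sample_entry(*HOST, 1, 18, bytes(32))  # kvno 1, enctype 18 (aes256)
    + struct.pack(">i", -6) + bytes(6)             # hole, as left by a removed entry
    + build_sample_entry(*HOST, 2, 18, bytes(32))  # kvno 2 after a re-key
)
```

The KDC-side kvno passed to kvno_status is assumed to be obtained on the IPA client, for instance from the MIT `kvno` command. ipa-getkeytab generates new keys on every run unless its retrieve mode (-r) is used, which is how a keytab copied earlier becomes stale.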
[Freeipa-users] Re: IPA API - Fetch keytab
On 04.11.22 09:30, Alexander Bokovoy via FreeIPA-users wrote:
> On Fri, 04 Nov 2022, Ronald Wimmer wrote:
>> On 03.11.22 15:43, Alexander Bokovoy via FreeIPA-users wrote:
>>> On Thu, 03 Nov 2022, Ronald Wimmer via FreeIPA-users wrote:
>>>> On 03.11.22 13:06, Rob Crittenden via FreeIPA-users wrote:
>>>>> Ronald Wimmer wrote:
>>>>>> On 02.11.22 20:44, Jochen Kellner via FreeIPA-users wrote:
>>>>>>> Hello Ronald,
>>>>>>>
>>>>>>> Ronald Wimmer via FreeIPA-users writes:
>>>>>>>> On 02.11.22 18:20, Rob Crittenden via FreeIPA-users wrote:
>>>>>>>>> Ronald Wimmer via FreeIPA-users wrote:
>>>>>>>>>> In order to integrate our AIX clients we do have to take two
>>>>>>>>>> steps manually:
>>>>>>>>>>
>>>>>>>>>> 1) Enrolling the host
>>>>>>>>>> 2) Fetching the keytab file for this particular host
>>>>>>>>>>
>>>>>>>>>> A quick search in the WebGUI's API browser revealed a host_add
>>>>>>>>>> method but I cannot find a method for fetching a keytab file.
>>>>>>>>>> Did I miss something here?
>>>>>>>>> There is no IPA API to retrieve a keytab[1]. You should use
>>>>>>>>> ipa-getkeytab.
>>>>>>>>
>>>>>>>> There is no ipa-getkeytab on AIX. So I need to fetch an IPA
>>>>>>>> client's keytab from LDAP, right?
>>>>>>>
>>>>>>> I'd do the following:
>>>>>>>
>>>>>>> 1. Enroll the host in freeipa:
>>>>>>>    ipa host-add aix.example.org --ip-address=192.168.30.x
>>>>>>> 2. Allow my user to create a keytab:
>>>>>>>    ipa host-allow-create-keytab aix.example.org --users=jochen
>>>>>>> 3. get the keytab:
>>>>>>>    ipa-getkeytab -p host/aix.jochen.org -k aix.keytab
>>>>>>>    Keytab successfully retrieved and stored in: aix.keytab
>>>>>>> 4. Transfer the keytab to the AIX host
>>>>>>
>>>>>> Thanks Jochen! I am trying to automate these steps. AIX colleagues
>>>>>> are a separate team and do not have the possibility to use ipa
>>>>>> commands on a linux machine at the moment.
>>>>>>
>>>>>> What I need is a possibility to enroll a host and fetch its keytab
>>>>>> completely without ipa commands and manual interaction so that the
>>>>>> AIX guys can do that themselves.
>>>>>
>>>>> Jochen outlined the recommended way to handle non-Linux OS's. If you
>>>>> want to do it from AIX then you'll need to build ipa-getkeytab on
>>>>> AIX.
>>>>
>>>> Is the keytab file generated on demand or does it reside somewhere in
>>>> the LDAP tree? Just for my understanding... why is there no API way
>>>> to fetch the keytab file?
>>>
>>> There is an API and it is provided through the ipa-getkeytab tool. It
>>> uses a secure mechanism we developed on top of 389-ds LDAP server
>>> access controls, not the HTTPS server, to reduce the number of parties
>>> who might get hold of the Kerberos keys to be transferred.
>>>
>>> Remember that a keytab is simply a file containing a bunch of Kerberos
>>> keys. Each key can be considered a form of a password, from a usage
>>> point of view. The less hands touch it, the better.
>>
>> Thanks for clarifying this matter! Building ipa-getkeytab on AIX will
>> most likely result in some kind of nightmare.
>>
>> What would you consider as the most feasible way to enroll an AIX host
>> and fetch its keytab in an automated manner? (We could provide our AIX
>> guys with an IPA client machine so that all IPA commands would be
>> available there...)
>
> Jochen already provided you the required commands. They can be
> automated easily.

I was still thinking about how to do that from the AIX side. I'm
sorry... Obviously I could need more coffee. ;-)

We will give them an IPA client machine, automate these two steps there
and let them fetch the keytab from this machine.
[Freeipa-users] Re: IPA API - Fetch keytab
On Fri, 04 Nov 2022, Ronald Wimmer wrote:
> On 03.11.22 15:43, Alexander Bokovoy via FreeIPA-users wrote:
>> On Thu, 03 Nov 2022, Ronald Wimmer via FreeIPA-users wrote:
>>> On 03.11.22 13:06, Rob Crittenden via FreeIPA-users wrote:
>>>> Ronald Wimmer wrote:
>>>>> On 02.11.22 20:44, Jochen Kellner via FreeIPA-users wrote:
>>>>>> Hello Ronald,
>>>>>>
>>>>>> Ronald Wimmer via FreeIPA-users writes:
>>>>>>> On 02.11.22 18:20, Rob Crittenden via FreeIPA-users wrote:
>>>>>>>> Ronald Wimmer via FreeIPA-users wrote:
>>>>>>>>> In order to integrate our AIX clients we do have to take two
>>>>>>>>> steps manually:
>>>>>>>>>
>>>>>>>>> 1) Enrolling the host
>>>>>>>>> 2) Fetching the keytab file for this particular host
>>>>>>>>>
>>>>>>>>> A quick search in the WebGUI's API browser revealed a host_add
>>>>>>>>> method but I cannot find a method for fetching a keytab file.
>>>>>>>>> Did I miss something here?
>>>>>>>> There is no IPA API to retrieve a keytab[1]. You should use
>>>>>>>> ipa-getkeytab.
>>>>>>>
>>>>>>> There is no ipa-getkeytab on AIX. So I need to fetch an IPA
>>>>>>> client's keytab from LDAP, right?
>>>>>>
>>>>>> I'd do the following:
>>>>>>
>>>>>> 1. Enroll the host in freeipa:
>>>>>>    ipa host-add aix.example.org --ip-address=192.168.30.x
>>>>>> 2. Allow my user to create a keytab:
>>>>>>    ipa host-allow-create-keytab aix.example.org --users=jochen
>>>>>> 3. get the keytab:
>>>>>>    ipa-getkeytab -p host/aix.jochen.org -k aix.keytab
>>>>>>    Keytab successfully retrieved and stored in: aix.keytab
>>>>>> 4. Transfer the keytab to the AIX host
>>>>>
>>>>> Thanks Jochen! I am trying to automate these steps. AIX colleagues
>>>>> are a separate team and do not have the possibility to use ipa
>>>>> commands on a linux machine at the moment.
>>>>>
>>>>> What I need is a possibility to enroll a host and fetch its keytab
>>>>> completely without ipa commands and manual interaction so that the
>>>>> AIX guys can do that themselves.
>>>>
>>>> Jochen outlined the recommended way to handle non-Linux OS's. If you
>>>> want to do it from AIX then you'll need to build ipa-getkeytab on
>>>> AIX.
>>>
>>> Is the keytab file generated on demand or does it reside somewhere in
>>> the LDAP tree? Just for my understanding... why is there no API way to
>>> fetch the keytab file?
>>
>> There is an API and it is provided through the ipa-getkeytab tool. It
>> uses a secure mechanism we developed on top of 389-ds LDAP server
>> access controls, not the HTTPS server, to reduce the number of parties
>> who might get hold of the Kerberos keys to be transferred.
>>
>> Remember that a keytab is simply a file containing a bunch of Kerberos
>> keys. Each key can be considered a form of a password, from a usage
>> point of view. The less hands touch it, the better.
>
> Thanks for clarifying this matter! Building ipa-getkeytab on AIX will
> most likely result in some kind of nightmare.
>
> What would you consider as the most feasible way to enroll an AIX host
> and fetch its keytab in an automated manner? (We could provide our AIX
> guys with an IPA client machine so that all IPA commands would be
> available there...)

Jochen already provided you the required commands. They can be
automated easily.

-- 
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
[Freeipa-users] Re: IPA API - Fetch keytab
On 03.11.22 15:43, Alexander Bokovoy via FreeIPA-users wrote:
> On Thu, 03 Nov 2022, Ronald Wimmer via FreeIPA-users wrote:
>> On 03.11.22 13:06, Rob Crittenden via FreeIPA-users wrote:
>>> Ronald Wimmer wrote:
>>>> On 02.11.22 20:44, Jochen Kellner via FreeIPA-users wrote:
>>>>> Hello Ronald,
>>>>>
>>>>> Ronald Wimmer via FreeIPA-users writes:
>>>>>> On 02.11.22 18:20, Rob Crittenden via FreeIPA-users wrote:
>>>>>>> Ronald Wimmer via FreeIPA-users wrote:
>>>>>>>> In order to integrate our AIX clients we do have to take two
>>>>>>>> steps manually:
>>>>>>>>
>>>>>>>> 1) Enrolling the host
>>>>>>>> 2) Fetching the keytab file for this particular host
>>>>>>>>
>>>>>>>> A quick search in the WebGUI's API browser revealed a host_add
>>>>>>>> method but I cannot find a method for fetching a keytab file.
>>>>>>>> Did I miss something here?
>>>>>>> There is no IPA API to retrieve a keytab[1]. You should use
>>>>>>> ipa-getkeytab.
>>>>>>
>>>>>> There is no ipa-getkeytab on AIX. So I need to fetch an IPA
>>>>>> client's keytab from LDAP, right?
>>>>>
>>>>> I'd do the following:
>>>>>
>>>>> 1. Enroll the host in freeipa:
>>>>>    ipa host-add aix.example.org --ip-address=192.168.30.x
>>>>> 2. Allow my user to create a keytab:
>>>>>    ipa host-allow-create-keytab aix.example.org --users=jochen
>>>>> 3. get the keytab:
>>>>>    ipa-getkeytab -p host/aix.jochen.org -k aix.keytab
>>>>>    Keytab successfully retrieved and stored in: aix.keytab
>>>>> 4. Transfer the keytab to the AIX host
>>>>
>>>> Thanks Jochen! I am trying to automate these steps. AIX colleagues
>>>> are a separate team and do not have the possibility to use ipa
>>>> commands on a linux machine at the moment.
>>>>
>>>> What I need is a possibility to enroll a host and fetch its keytab
>>>> completely without ipa commands and manual interaction so that the
>>>> AIX guys can do that themselves.
>>>
>>> Jochen outlined the recommended way to handle non-Linux OS's. If you
>>> want to do it from AIX then you'll need to build ipa-getkeytab on AIX.
>>
>> Is the keytab file generated on demand or does it reside somewhere in
>> the LDAP tree? Just for my understanding... why is there no API way to
>> fetch the keytab file?
>
> There is an API and it is provided through the ipa-getkeytab tool. It
> uses a secure mechanism we developed on top of 389-ds LDAP server
> access controls, not the HTTPS server, to reduce the number of parties
> who might get hold of the Kerberos keys to be transferred.
>
> Remember that a keytab is simply a file containing a bunch of Kerberos
> keys. Each key can be considered a form of a password, from a usage
> point of view. The less hands touch it, the better.

Thanks for clarifying this matter! Building ipa-getkeytab on AIX will
most likely result in some kind of nightmare.

What would you consider as the most feasible way to enroll an AIX host
and fetch its keytab in an automated manner? (We could provide our AIX
guys with an IPA client machine so that all IPA commands would be
available there...)

Cheers,
Ronald
[Freeipa-users] Re: IPA API - Fetch keytab
On Thu, 03 Nov 2022, Ronald Wimmer via FreeIPA-users wrote:
> On 03.11.22 13:06, Rob Crittenden via FreeIPA-users wrote:
>> Ronald Wimmer wrote:
>>> On 02.11.22 20:44, Jochen Kellner via FreeIPA-users wrote:
>>>> Hello Ronald,
>>>>
>>>> Ronald Wimmer via FreeIPA-users writes:
>>>>> On 02.11.22 18:20, Rob Crittenden via FreeIPA-users wrote:
>>>>>> Ronald Wimmer via FreeIPA-users wrote:
>>>>>>> In order to integrate our AIX clients we do have to take two
>>>>>>> steps manually:
>>>>>>>
>>>>>>> 1) Enrolling the host
>>>>>>> 2) Fetching the keytab file for this particular host
>>>>>>>
>>>>>>> A quick search in the WebGUI's API browser revealed a host_add
>>>>>>> method but I cannot find a method for fetching a keytab file.
>>>>>>> Did I miss something here?
>>>>>> There is no IPA API to retrieve a keytab[1]. You should use
>>>>>> ipa-getkeytab.
>>>>>
>>>>> There is no ipa-getkeytab on AIX. So I need to fetch an IPA
>>>>> client's keytab from LDAP, right?
>>>>
>>>> I'd do the following:
>>>>
>>>> 1. Enroll the host in freeipa:
>>>>    ipa host-add aix.example.org --ip-address=192.168.30.x
>>>> 2. Allow my user to create a keytab:
>>>>    ipa host-allow-create-keytab aix.example.org --users=jochen
>>>> 3. get the keytab:
>>>>    ipa-getkeytab -p host/aix.jochen.org -k aix.keytab
>>>>    Keytab successfully retrieved and stored in: aix.keytab
>>>> 4. Transfer the keytab to the AIX host
>>>
>>> Thanks Jochen! I am trying to automate these steps. AIX colleagues are
>>> a separate team and do not have the possibility to use ipa commands on
>>> a linux machine at the moment.
>>>
>>> What I need is a possibility to enroll a host and fetch its keytab
>>> completely without ipa commands and manual interaction so that the AIX
>>> guys can do that themselves.
>>
>> Jochen outlined the recommended way to handle non-Linux OS's. If you
>> want to do it from AIX then you'll need to build ipa-getkeytab on AIX.
>
> Is the keytab file generated on demand or does it reside somewhere in
> the LDAP tree? Just for my understanding... why is there no API way to
> fetch the keytab file?

There is an API and it is provided through the ipa-getkeytab tool. It
uses a secure mechanism we developed on top of 389-ds LDAP server access
controls, not the HTTPS server, to reduce the number of parties who
might get hold of the Kerberos keys to be transferred.

Remember that a keytab is simply a file containing a bunch of Kerberos
keys. Each key can be considered a form of a password, from a usage
point of view. The less hands touch it, the better.

-- 
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
[Freeipa-users] Re: IPA API - Fetch keytab
On 03.11.22 13:06, Rob Crittenden via FreeIPA-users wrote:
> Ronald Wimmer wrote:
>> On 02.11.22 20:44, Jochen Kellner via FreeIPA-users wrote:
>>> Hello Ronald,
>>>
>>> Ronald Wimmer via FreeIPA-users writes:
>>>> On 02.11.22 18:20, Rob Crittenden via FreeIPA-users wrote:
>>>>> Ronald Wimmer via FreeIPA-users wrote:
>>>>>> In order to integrate our AIX clients we do have to take two steps
>>>>>> manually:
>>>>>>
>>>>>> 1) Enrolling the host
>>>>>> 2) Fetching the keytab file for this particular host
>>>>>>
>>>>>> A quick search in the WebGUI's API browser revealed a host_add
>>>>>> method but I cannot find a method for fetching a keytab file. Did
>>>>>> I miss something here?
>>>>> There is no IPA API to retrieve a keytab[1]. You should use
>>>>> ipa-getkeytab.
>>>>
>>>> There is no ipa-getkeytab on AIX. So I need to fetch an IPA client's
>>>> keytab from LDAP, right?
>>>
>>> I'd do the following:
>>>
>>> 1. Enroll the host in freeipa:
>>>    ipa host-add aix.example.org --ip-address=192.168.30.x
>>> 2. Allow my user to create a keytab:
>>>    ipa host-allow-create-keytab aix.example.org --users=jochen
>>> 3. get the keytab:
>>>    ipa-getkeytab -p host/aix.jochen.org -k aix.keytab
>>>    Keytab successfully retrieved and stored in: aix.keytab
>>> 4. Transfer the keytab to the AIX host
>>
>> Thanks Jochen! I am trying to automate these steps. AIX colleagues are
>> a separate team and do not have the possibility to use ipa commands on
>> a linux machine at the moment.
>>
>> What I need is a possibility to enroll a host and fetch its keytab
>> completely without ipa commands and manual interaction so that the AIX
>> guys can do that themselves.
>
> Jochen outlined the recommended way to handle non-Linux OS's. If you
> want to do it from AIX then you'll need to build ipa-getkeytab on AIX.

Is the keytab file generated on demand or does it reside somewhere in
the LDAP tree? Just for my understanding... why is there no API way to
fetch the keytab file?
[Freeipa-users] Re: IPA API - Fetch keytab
Ronald Wimmer wrote:
> On 02.11.22 20:44, Jochen Kellner via FreeIPA-users wrote:
>>
>> Hello Ronald,
>>
>> Ronald Wimmer via FreeIPA-users writes:
>>
>>> On 02.11.22 18:20, Rob Crittenden via FreeIPA-users wrote:
>>>> Ronald Wimmer via FreeIPA-users wrote:
>>>>> In order to integrate our AIX clients we do have to take two steps
>>>>> manually:
>>>>>
>>>>> 1) Enrolling the host
>>>>> 2) Fetching the keytab file for this particular host
>>>>>
>>>>> A quick search in the WebGUI's API browser revealed a host_add
>>>>> method but I cannot find a method for fetching a keytab file. Did I
>>>>> miss something here?
>>>> There is no IPA API to retrieve a keytab[1]. You should use
>>>> ipa-getkeytab.
>>>
>>> There is no ipa-getkeytab on AIX. So I need to fetch an IPA client's
>>> keytab from LDAP, right?
>>
>> I'd do the following:
>>
>> 1. Enroll the host in freeipa:
>>    ipa host-add aix.example.org --ip-address=192.168.30.x
>> 2. Allow my user to create a keytab:
>>    ipa host-allow-create-keytab aix.example.org --users=jochen
>> 3. get the keytab:
>>    ipa-getkeytab -p host/aix.jochen.org -k aix.keytab
>>    Keytab successfully retrieved and stored in: aix.keytab
>> 4. Transfer the keytab to the AIX host
>
> Thanks Jochen! I am trying to automate these steps. AIX colleagues are a
> separate team and do not have the possibility to use ipa commands on a
> linux machine at the moment.
>
> What I need is a possibility to enroll a host and fetch its keytab
> completely without ipa commands and manual interaction so that the AIX
> guys can do that themselves.

Jochen outlined the recommended way to handle non-Linux OS's. If you
want to do it from AIX then you'll need to build ipa-getkeytab on AIX.

rob
[Freeipa-users] Re: IPA API - Fetch keytab
On 02.11.22 20:44, Jochen Kellner via FreeIPA-users wrote:
> Hello Ronald,
>
> Ronald Wimmer via FreeIPA-users writes:
>> On 02.11.22 18:20, Rob Crittenden via FreeIPA-users wrote:
>>> Ronald Wimmer via FreeIPA-users wrote:
>>>> In order to integrate our AIX clients we do have to take two steps
>>>> manually:
>>>>
>>>> 1) Enrolling the host
>>>> 2) Fetching the keytab file for this particular host
>>>>
>>>> A quick search in the WebGUI's API browser revealed a host_add method
>>>> but I cannot find a method for fetching a keytab file. Did I miss
>>>> something here?
>>> There is no IPA API to retrieve a keytab[1]. You should use
>>> ipa-getkeytab.
>>
>> There is no ipa-getkeytab on AIX. So I need to fetch an IPA client's
>> keytab from LDAP, right?
>
> I'd do the following:
>
> 1. Enroll the host in freeipa:
>    ipa host-add aix.example.org --ip-address=192.168.30.x
> 2. Allow my user to create a keytab:
>    ipa host-allow-create-keytab aix.example.org --users=jochen
> 3. get the keytab:
>    ipa-getkeytab -p host/aix.jochen.org -k aix.keytab
>    Keytab successfully retrieved and stored in: aix.keytab
> 4. Transfer the keytab to the AIX host

Thanks Jochen! I am trying to automate these steps. AIX colleagues are a
separate team and do not have the possibility to use ipa commands on a
linux machine at the moment.

What I need is a possibility to enroll a host and fetch its keytab
completely without ipa commands and manual interaction so that the AIX
guys can do that themselves.

Cheers,
Ronald
[Freeipa-users] Re: IPA API - Fetch keytab
Hello Ronald,

Ronald Wimmer via FreeIPA-users writes:

> On 02.11.22 18:20, Rob Crittenden via FreeIPA-users wrote:
>> Ronald Wimmer via FreeIPA-users wrote:
>>> In order to integrate our AIX clients we do have to take two steps
>>> manually:
>>>
>>> 1) Enrolling the host
>>> 2) Fetching the keytab file for this particular host
>>>
>>> A quick search in the WebGUI's API browser revealed a host_add method
>>> but I cannot find a method for fetching a keytab file. Did I miss
>>> something here?
>> There is no IPA API to retrieve a keytab[1]. You should use
>> ipa-getkeytab.
>
> There is no ipa-getkeytab on AIX. So I need to fetch an IPA client's
> keytab from LDAP, right?

I'd do the following:

1. Enroll the host in freeipa:
   ipa host-add aix.example.org --ip-address=192.168.30.x
2. Allow my user to create a keytab:
   ipa host-allow-create-keytab aix.example.org --users=jochen
3. get the keytab:
   ipa-getkeytab -p host/aix.jochen.org -k aix.keytab
   Keytab successfully retrieved and stored in: aix.keytab
4. Transfer the keytab to the AIX host

HTH

Jochen

-- 
This space is intentionally left blank.
[Freeipa-users] Re: IPA API - Fetch keytab
On 02.11.22 18:20, Rob Crittenden via FreeIPA-users wrote:
> Ronald Wimmer via FreeIPA-users wrote:
>> In order to integrate our AIX clients we do have to take two steps
>> manually:
>>
>> 1) Enrolling the host
>> 2) Fetching the keytab file for this particular host
>>
>> A quick search in the WebGUI's API browser revealed a host_add method
>> but I cannot find a method for fetching a keytab file. Did I miss
>> something here?
> There is no IPA API to retrieve a keytab[1]. You should use
> ipa-getkeytab.

There is no ipa-getkeytab on AIX. So I need to fetch an IPA client's
keytab from LDAP, right?

Cheers,
Ronald
[Freeipa-users] Re: IPA API - Fetch keytab
Ronald Wimmer via FreeIPA-users wrote:
> In order to integrate our AIX clients we do have to take two steps
> manually:
>
> 1) Enrolling the host
> 2) Fetching the keytab file for this particular host
>
> A quick search in the WebGUI's API browser revealed a host_add method
> but I cannot find a method for fetching a keytab file. Did I miss
> something here?

There is no IPA API to retrieve a keytab[1]. You should use ipa-getkeytab.

rob

[1] strictly speaking there is an LDAP control but you'd be
re-implementing ipa-getkeytab