Re: [Freeipa-users] ipa-getkeytab automation

2010-07-14 Thread Rob Crittenden

Doug Chapman wrote:
> Can anyone give me some tips or document links on client deployment
> automation (I'm using puppet) to update the /etc/krb5.keytab file?
>
> I'm using IPA 1.2.2 on Centos5 and it seems the direct approach is
> to script the creation of the service principals (ipa-addservice) and
> extract all of the keytabs into puppet deployed files.  Is there
> anything I'm missing?
>
> The ipa-addservice would require a human to login with a valid ticket in
> order to work; is there any way I could create a service account with
> limited permissions to allow an application to populate the Directory
> with new hosts from an external source (eg: cobbler, or a database of
> hosts) ?

As Dmitri said, we're addressing this in v2. It requires a fair bit of
work to get this done, mostly in the area of writing 389-ds ACIs.

Off the top of my head I guess the way I'd approach it is to create a service
principal used for creating other principals. You need an ACI granting
add access to this principal to create other principals. And you'd need
an ACI granting write privileges to the krb* attributes so you can use
ipa-getkeytab to generate and retrieve a keytab.

But you're probably better off giving v2 a look-see.

rob

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] ipa-getkeytab automation

2010-07-13 Thread Dmitri Pal
Doug Chapman wrote:
> Can anyone give me some tips or document links on client deployment
> automation (I'm using puppet) to update the /etc/krb5.keytab file?
>
> I'm using IPA 1.2.2 on Centos5 and it seems the direct approach is
> to script the creation of the service principals (ipa-addservice) and
> extract all of the keytabs into puppet deployed files.  Is there
> anything I'm missing?
>
> The ipa-addservice would require a human to login with a valid ticket
> in order to work; is there any way I could create a service account
> with limited permissions to allow an application to populate the
> Directory with new hosts from an external source (eg: cobbler, or a
> database of hosts) ?
>

In v2 there is also an option for automatic provisioning.
* You create a host entry in IPA and give it an OTP password.
* You pass the same OTP password to the kickstart or some other client
software.
* The client software invokes ipa-join and passes in the password. This
completes the enrollment of the host. This host will have a keytab and
would be able to work with IPA.
* The host will have permissions to retrieve a keytab for a service
running on the host.
* Add a service to the IPA server.
* Run ipa-getkeytab on the client under the host identity. This will
provision a key for the service running on the host.

You can try one of the v2 alphas.

Thanks
Dmitri


> tia
> --
> DougC
> 


-- 
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.



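The v2 provisioning sequence Dmitri lists above, written out as one shell script. This is an added example, not code from the thread or from the FreeIPA project. It uses the commands the post names (ipa-join, ipa-getkeytab) together with the v2 `ipa host-add --password` and `ipa service-add` CLI forms; the server, realm, client and service names (ipa.example.com, EXAMPLE.COM, web01.example.com, HTTP/...) are assumed placeholders, and the `make_otp` and `principal_host` helpers are my own. The commands that talk to IPA only run when the script is invoked with `--run`, so it needs a reachable v2 server to do anything beyond defining its functions.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeIPA project): the v2-style
# OTP enrollment flow followed by service keytab retrieval under the host
# identity. Server, realm and client names are assumed placeholders.
# Commands that talk to IPA are only invoked when called with --run.
set -eu

IPA_SERVER="${IPA_SERVER:-ipa.example.com}"   # assumed
REALM="${REALM:-EXAMPLE.COM}"                 # assumed

# One-time enrollment password: 32 hex characters from the kernel RNG.
make_otp() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# Extract the host part of SERVICE/fqdn@REALM; rejects anything else so a
# mistyped principal cannot provision a key for some other host's service.
principal_host() {
    princ="$1"
    case "$princ" in
        */*@*) ;;
        *) echo "bad principal: $princ" >&2; return 1 ;;
    esac
    rest="${princ#*/}"
    echo "${rest%@*}"
}

# Admin side (valid admin ticket): create the host entry and attach the OTP.
provision_host() {
    ipa host-add "$1" --password="$2"
}

# Admin side: register the service whose key the host will later fetch.
add_service() {
    ipa service-add "$1"
}

# Client side: enroll with the OTP; this writes the host key to /etc/krb5.keytab.
enroll_host() {
    ipa-join -s "$IPA_SERVER" -w "$1"
}

# Client side: authenticate as the host, fetch the service key into its own
# keytab, and lock the file down to the service account.
fetch_service_keytab() {
    princ="$1"; keytab="$2"; owner="$3"
    host="$(principal_host "$princ")"
    [ "$host" = "$(hostname -f)" ] || { echo "$princ is not a service on this host" >&2; return 1; }
    kinit -k -t /etc/krb5.keytab "host/$host@$REALM"
    ipa-getkeytab -s "$IPA_SERVER" -p "$princ" -k "$keytab"
    chown "$owner" "$keytab"
    chmod 0600 "$keytab"
}

if [ "${1:-}" = "--run" ]; then
    case "${2:-}" in
        provision)   # on an admin workstation: create host + service, emit the OTP
            otp="$(make_otp)"
            provision_host "$3" "$otp"
            add_service "HTTP/$3@$REALM"
            echo "$otp" ;;           # hand this to kickstart / the client
        enroll)      # on the new host, once, e.g. from kickstart %post
            enroll_host "$3" ;;
        keytab)      # on the host, after it is enrolled
            fetch_service_keytab "$3" "$4" "$5" ;;
        *) echo "usage: $0 --run provision FQDN | enroll OTP | keytab PRINCIPAL KEYTAB OWNER" >&2; exit 1 ;;
    esac
fi
```

The `keytab` step is the part that belongs in the puppet run (for example as an exec guarded by the keytab path so it is idempotent): the client fetches its own service key with the host identity, so the service keytabs never have to be stored on the puppet master or shipped as deployed files, and the only secret that crosses the wire is the single-use OTP. The host check in `fetch_service_keytab` is a sanity check on the caller's input, not a substitute for the server-side permission Dmitri describes.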


[Freeipa-users] ipa-getkeytab automation

2010-07-13 Thread Doug Chapman
Can anyone give me some tips or document links on client deployment
automation (I'm using puppet) to update the /etc/krb5.keytab file?

I'm using IPA 1.2.2 on Centos5 and it seems the direct approach is to script
the creation of the service principals (ipa-addservice) and extract all of
the keytabs into puppet deployed files.  Is there anything I'm missing?

The ipa-addservice would require a human to login with a valid ticket in
order to work; is there any way I could create a service account with
limited permissions to allow an application to populate the Directory with
new hosts from an external source (eg: cobbler, or a database of hosts) ?

tia
--
DougC