Re: [Freeipa-users] ipa-getkeytab during %post

2012-02-09 Thread Dmitri Pal
On 02/08/2012 11:06 AM, Dale Macartney wrote:
>
> thanks for the confirmation earlier Rob, that does make a lot of sense.
>
> am I right in assuming that running the following would not work with
> a host principal? Presumably I'd need admin privileges to create a
> service principal for a host.

Someone has to have privilege. You can make the host capable of
provisioning keytabs for services that run on the same host. AFAIR this is
allowed by default. I am not sure you can allow a host principal to create
new services out of the box. I think you would have to play with
permissions to allow it. Rob, am I correct?

>
> ipa service-add HTTP/$(hostname)
>
> I will be giving this a go for testing sake tonight.
>
> Dale

Re: [Freeipa-users] ipa-getkeytab during %post

2012-02-08 Thread Dale Macartney

thanks for the confirmation earlier Rob, that does make a lot of sense.

am I right in assuming that running the following would not work with a
host principal? Presumably I'd need admin privileges to create a
service principal for a host.

ipa service-add HTTP/$(hostname)

I will be giving this a go for testing sake tonight.

Dale




On 02/08/2012 04:00 PM, Rob Crittenden wrote:
> A host should be able to get keytabs for its own services so you
> should be able to kinit to the host service principal in /etc/keytab and
> use ipa-getkeytab.
>
> rob

Re: [Freeipa-users] ipa-getkeytab during %post

2012-02-08 Thread Rob Crittenden

Dale Macartney wrote:
> Hi JR
>
> I agree with your statement of acceptable risk.. this is my main reason
> for questioning..
>
> The ideal situation would be to run this as a satellite kickstart
> snippet for provisioning with kickstart profiles... That way I can
> utilize the existing provisioning platform for everything.
>
> At the moment everything is in dev using scripted kickstarts for testing.


A host should be able to get keytabs for its own services so you should
be able to kinit to the host service principal in /etc/keytab and use
ipa-getkeytab.


rob

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] ipa-getkeytab during %post

2012-02-08 Thread Dale Macartney

Hi JR

I agree with your statement of acceptable risk.. this is my main reason
for questioning..

The ideal situation would be to run this as a satellite kickstart
snippet for provisioning with kickstart profiles... That way I can
utilize the existing provisioning platform for everything.

At the moment everything is in dev using scripted kickstarts for testing.

Dale



On 02/08/2012 03:33 PM, JR Aquino wrote:
> If you are really trying to go the route of using the password, the
> best way to accomplish that is to procedurally ADD the host ahead of
> time with the -random flag to generate a one-time-pass. Then insert that
> 1 time password dynamically into the kickstart script.
>
> If you want to approach the problem from a technical side and not
> procedural... I don't suppose you have Puppet ?
>
> You can utilize puppet to deploy a 'host provisioning' keytab that you
> then kinit -kt before issuing the other commands that require
> authentication. When it is finished, delete the keytab.
>
> The problem with authentication and complete hands off automation is
> that you always have to whittle it down to an area of acceptable risk
> with lots of compensating controls and logging.

Re: [Freeipa-users] ipa-getkeytab during %post

2012-02-08 Thread JR Aquino
If you are really trying to go the route of using the password, the best way to
accomplish that is to procedurally ADD the host ahead of time with the -random
flag to generate a one-time-pass.  Then insert that 1 time password dynamically
into the kickstart script.

If you want to approach the problem from a technical side and not procedural...
I don't suppose you have Puppet ?

You can utilize puppet to deploy a 'host provisioning' keytab that you then
kinit -kt before issuing the other commands that require authentication. When
it is finished, delete the keytab.

The problem with authentication and complete hands off automation is that you
always have to whittle it down to an area of acceptable risk with lots of
compensating controls and logging.


On Feb 8, 2012, at 6:44 AM, Dale Macartney wrote:

> Hi Simo
> 
> ipa-client-install is provided by the ipa-client rpm. Details below
> 
> Name: ipa-client
> Arch: x86_64
> Version : 2.1.3
> Release : 9.el6
> Size: 222 k
> Repo: installed
> 
> 
> What I am trying to achieve is these two commands in a post...
> 
> ipa service-add HTTP/$(hostname)
> this definitely requires an authenticated user to add i'm sure
> 
> 
> ipa-getkeytab -s ds01.example.com -p HTTP/$(hostname) -k
> /etc/squid/krb5.keytab
> this one I suspect might be able to be retrieved using the host/
> principal from the system after running ipa-client-install.
> 
> 
> Does this help paint a picture?
> 
> 
> Dale
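
The %post flow JR describes above (host pre-created with a random one-time password, OTP templated into the kickstart), combined with Rob's step of kinit-ing as the host principal before ipa-getkeytab, as an added example that is not code from any poster or from FreeIPA. IPA_SERVER, IPA_OTP, the SERVICE_* values and the command-name variables are assumptions, and the service principal is assumed to have been created by the admin together with the host, since the host principal cannot create it.

```bash
#!/bin/sh
# Kickstart %post fragment: added example, not code from the posters above or
# from FreeIPA. The admin pre-creates the host with `ipa host-add --random`
# and the service with `ipa service-add`, and templates the one-time password
# into the kickstart as IPA_OTP. In %post the client enrolls with that OTP,
# gets a TGT as its own host principal from /etc/krb5.keytab (the keytab
# ipa-client-install writes), fetches the service keytab with that TGT and
# then discards the TGT. No admin password exists in the kickstart.
# Assumptions: IPA_SERVER, IPA_OTP, SERVICE_* are placeholders; realm
# discovery via DNS works (else add --domain/--realm). Command names are
# variables only so the flow can be exercised with stand-ins offline.
set -u

: "${IPA_SERVER:=ds01.example.com}"             # server name from the thread
: "${IPA_OTP:=}"                                # templated in by provisioning
: "${SERVICE_PRINC:=HTTP/$(hostname -f 2>/dev/null || hostname)}"
: "${SERVICE_KEYTAB:=/etc/squid/krb5.keytab}"
: "${SERVICE_OWNER:=squid}"
: "${HOST_KEYTAB:=/etc/krb5.keytab}"
: "${IPA_CLIENT_INSTALL:=ipa-client-install}"
: "${KINIT:=kinit}"
: "${KDESTROY:=kdestroy}"
: "${IPA_GETKEYTAB:=ipa-getkeytab}"
: "${CHOWN:=chown}"

host_fqdn() { hostname -f 2>/dev/null || hostname; }

# Step 1: enroll with the one-time password. Fail closed when none was
# supplied rather than fall back to a stored admin credential. The OTP is
# single-use, so its brief exposure on the command line is the accepted risk.
enroll_host() {
    if [ -z "$IPA_OTP" ]; then
        echo "enroll_host: no one-time password (IPA_OTP) supplied" >&2
        return 2
    fi
    "$IPA_CLIENT_INSTALL" -U --server="$IPA_SERVER" -w "$IPA_OTP"
}

# Step 2: get a TGT as host/<fqdn> from the host keytab; this is what
# ipa-getkeytab authenticates with in step 3.
host_kinit() {
    if [ ! -r "$HOST_KEYTAB" ]; then
        echo "host_kinit: $HOST_KEYTAB missing, enrollment did not complete" >&2
        return 1
    fi
    "$KINIT" -kt "$HOST_KEYTAB" "host/$(host_fqdn)"
}

# Step 3: fetch the service keytab. ipa-getkeytab generates a fresh key for
# the principal, so any keytab issued for it earlier stops working, and the
# service principal must already exist: creating it needs privileges the
# host principal does not have.
fetch_service_keytab() {
    princ=$1; out=$2; owner=$3
    umask 077                                   # keytab is created mode 0600
    mkdir -p "$(dirname "$out")" || return 1
    "$IPA_GETKEYTAB" -s "$IPA_SERVER" -p "$princ" -k "$out" || return 1
    if [ ! -s "$out" ]; then
        echo "fetch_service_keytab: $out was not written" >&2
        return 1
    fi
    "$CHOWN" "$owner" "$out" && chmod 0600 "$out"
}

# Step 4: drop the host TGT once the keytab is in place; nothing later in
# %post needs it. Anaconda copies the kickstart to /root/anaconda-ks.cfg, so
# the consumed OTP ends up on disk there as well.
provision() {
    enroll_host || return $?
    host_kinit || return $?
    fetch_service_keytab "$SERVICE_PRINC" "$SERVICE_KEYTAB" "$SERVICE_OWNER"
    rc=$?
    "$KDESTROY"
    unset IPA_OTP
    return $rc
}

# In %post the OTP is always templated in; with none present do nothing
# rather than run a partial provisioning.
if [ -n "$IPA_OTP" ]; then
    provision
fi
```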


Re: [Freeipa-users] ipa-getkeytab during %post

2012-02-08 Thread Dale Macartney

Hi Simo

ipa-client-install is provided by the ipa-client rpm. Details below

Name: ipa-client
Arch: x86_64
Version : 2.1.3
Release : 9.el6
Size: 222 k
Repo: installed


What I am trying to achieve is these two commands in a post...

ipa service-add HTTP/$(hostname)
this definitely requires an authenticated user to add i'm sure


ipa-getkeytab -s ds01.example.com -p HTTP/$(hostname) -k
/etc/squid/krb5.keytab
this one I suspect might be able to be retrieved using the host/
principal from the system after running ipa-client-install.


Does this help paint a picture?


Dale


On 02/08/2012 01:49 PM, Simo Sorce wrote:
> What version of ipa-client-install are you using ?
>
> Newer versions (2.x) should fetch a keytab for your system (needs
> credentials or OTP password).
>
> Simo.
>

Re: [Freeipa-users] ipa-getkeytab during %post

2012-02-08 Thread Simo Sorce
On Wed, 2012-02-08 at 11:13 +, Dale Macartney wrote:
> morning all...
> 
> I'm dabbling with automated provisioning of ipa client servers, and I'm
> a little perplexed on how to add a keytab to a system during the %post
> section of a kickstart...
> 
> I've run ipa-client-install -U -p admin -w redhat123 which works
> perfect, but in order to run ipa-getkeytab I need a tgt, which doesn't
> appear to be generated during the ipa-client-install.
> 
> any suggestions on doing this during a post?

What version of ipa-client-install are you using ?

Newer versions (2.x) should fetch a keytab for your system (needs
credentials or OTP password).

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] ipa-getkeytab during %post

2012-02-08 Thread Dale Macartney

Thanks Christian

I was thinking the same to be honest..

the issue with having a password in a kickstart is obviously that
someone can read it in clear text. Here I would see the need to use a
specific role account with limited ability, but the issue remains the
same... it's a clear text password and has the ability to read ipa data.

I was pondering the idea of fetching a keytab file, however as the
system has not yet registered itself into ipa, there is no host data
available to be exported to a key..

has anyone performed this kind of task in an environment of their own so
far?

Dale



On 02/08/2012 09:28 AM, Christian Horn wrote:
> The password does not look nice here though..
>
> echo 'redhat123' | kinit admin --
>
> One might also be able to fetch the ticket as a file and deploy
> it on the system for usage.
>
> Christian

Re: [Freeipa-users] ipa-getkeytab during %post

2012-02-08 Thread Christian Horn
On Wed, Feb 08, 2012 at 11:13:36AM +, Dale Macartney wrote:
> 
> I'm dabbling with automated provisioning of ipa client servers, and I'm
> a little perplexed on how to add a keytab to a system during the %post
> section of a kickstart...
> 
> I've run ipa-client-install -U -p admin -w redhat123 which works
> perfect, but in order to run ipa-getkeytab I need a tgt, which doesn't
> appear to be generated during the ipa-client-install.
> 
> any suggestions on doing this during a post?

The password does not look nice here though..

echo 'redhat123' | kinit admin --

One might also be able to fetch the ticket as a file and deploy
it on the system for usage.

Christian



[Freeipa-users] ipa-getkeytab during %post

2012-02-08 Thread Dale Macartney

morning all...

I'm dabbling with automated provisioning of ipa client servers, and I'm
a little perplexed on how to add a keytab to a system during the %post
section of a kickstart...

I've run ipa-client-install -U -p admin -w redhat123 which works
perfect, but in order to run ipa-getkeytab I need a tgt, which doesn't
appear to be generated during the ipa-client-install.

any suggestions on doing this during a post?


Dale
