On Tue, 2017-10-24 at 16:23 +1300, Aaron Hicks via FreeIPA-users wrote: > Hello the FreeIPA List, > > > > We've got a FreeIPA directory set up and running. That's all good. > > > > The difficult part is that we also have a number (many) of SLE 12 SP2 > hosts > that need to be enrolled. > > > > I can see that the freeipa-client package has not been available to > SLE/SUSE > since 2015 or so, so the ipa-client-install, ipa-join, and ipa- > getkeytab > tools are unavailable. They would be nice, we'd just do a check and > execute > it when host is redeployed to enroll and configure the host. > > > > We've manage to figure out the static parts of the required > configuration > (/etc/nsswitch.conf /etc/sssd/sssd.conf and /etc/krb5.conf) as well > as > deploying the FreeIPA server's certificate to /etc/ipa/ca.crt. We can > also > enroll the hosts 'remotely' by scripting over their hostnames and IP > addresses from a CSV file, so the exist in the FreeIPA directory and > even > join them to some hostgroups. > > > > The bit we're a bit stuck at is retrieving the host's Kerberos > keytab. There > does not seem to be a getkeytab request for the FreeIPA API, and the > use of > kadmin and ktutil to process the keytab is not recommended.
Use ipa-getkeytab on an admin workstation, then securely transfer the keytab to the servers. > We need a stepwise process to run on the host being enrolled that > gets the > keytab from the FreeIPA directory and installs it into the host. > > > > At the moment the method that looks like it's going to work is to > write a > script that ssh to the FreeIPA server, kinit as a user who can > retrieve > keytabs, get the keytab and write to a temporary file, scp the keytab > back > to the host, tidy up temp files, then return to the host, validate > the > keytab, install it, and restart Kerberos/sshd/sssd. This may work also. > > > This seems less than ideal, alternatively should we look a compiling > the ipa-client into a package? In the freeIPA git repo there is, in the spec file, a variable that allows you to compile only the client bits IIRC. You should be able to compile that for SLES. Simo. -- Simo Sorce Sr. Principal Software Engineer Red Hat, Inc _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
