On Mon, 23 Sep 2019, Vinícius Ferrão via FreeIPA-users wrote:
Florence and Angus, thanks for the replies.

xCAT definitely can run scripts at boot time. And the kickstart method seems to 
be the way to go. But I still have some questions:

The nodes are stateless, so in a reboot all the configuration is lost and comes 
back from the image. FreeIPA configuration will be lost and then restarted. 
Which appears to be ok. But there are two issues:

* The password for “joining” the FreeIPA domain, which expires after the first use
* The necessity of the hostname on the ipa-client-install command: 
hostname=client.example.com

With these two things I think we are unable to move forward, so the first 
question is:

1. Do I really need this password? Or better, the password can be
permanent? It’s a “closed” system, so in terms of security I think
there’s no problem.
Please check ipa-client-install manual page. It has all explanations for
methods of enrollment. You can create a special user that has privileges
to create machines and enroll them and record the user's credentials in
the kickstart file.


2. Can't ipa-client-install use the hostname of the node automatically?
Do I really need to fill in the hostname? Because this kills the idea of
a generic image.
This is also covered in the man page. In short, there is no need to
supply the hostname explicitly, it will be discovered.


Thank you all guys.


On 23 Sep 2019, at 04:04, Florence Blanc-Renaud <f...@redhat.com> wrote:

On 9/23/19 1:10 AM, Vinícius Ferrão via FreeIPA-users wrote:
Hello, the subject of the message may sound a little bit strange, but let me 
explain what I’m trying to do.
I have a machine with a provisioner (xCAT) that is able to boot and control 
different types of computer nodes. A stateless node is just a machine that 
boots over the network from a shared image on the server.
What am I trying to do?
Join those stateless nodes to FreeIPA Server.
To do this, I’m aware that I can’t just run freeipa-client-install on the image 
chroot, since it will not behave as expected.
At this point xCAT (the provisioner) can create the DNS records of the 
stateless nodes on FreeIPA integrated DNS (using TSIG keys). But I need to 
properly join the nodes to the server.
Is there a way to manually register the nodes on the server?
And about the users? How to enable them? Just configure SSSD on the image and 
it should be fine?
The certificates, client certificates and things like this? Is there something 
that I need to do?
Automount?
Any help is really appreciated.
Thanks,
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org

Hi,
xCAT probably offers you the possibility to run a custom script at the end of the 
installation. If that's the case, you can use a workflow similar to what is described in 
"Setting up an IdM Client Through Kickstart" [1]. You need to create a client 
host entry first, and the custom script on the client will call ipa-client-install.

HTH,
flo

[1] 
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/client-kickstart



--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
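Putting the two answers above together (a dedicated enrollment user recorded in the provisioning data, no explicit hostname), here is an added example of what the custom script could look like; it is not code from the thread or from the FreeIPA project. The user name "enroll-bot", the credential file path, the IPA_ENROLL_RUN flag and GNU stat(1) are assumptions; the check on the credential file's mode is the one a practitioner would want before shipping a secret inside a shared image.

```shell
#!/bin/sh
# Hypothetical xCAT postscript / kickstart %post fragment for a stateless node.
# Added example, not code from the thread or the FreeIPA project. Assumptions:
# a dedicated enrollment user (here "enroll-bot"), its credentials in a
# root-only file baked into the image, and GNU stat(1). No --hostname is
# passed: ipa-client-install discovers it, so one image serves every node.

CRED_FILE="${CRED_FILE:-/etc/ipa-enroll.cred}"   # one line: user:password

# The image is shared by every node, so a credential file readable by group
# or others is readable by every user on every node. Require mode ?00.
cred_file_is_private() {
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1") || return 1
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Enrol this node. IPA_INSTALLER exists only so the argument list can be
# inspected without a server (e.g. IPA_INSTALLER=echo); leave it unset in
# production.
enroll_node() {
    if ! cred_file_is_private "$CRED_FILE"; then
        echo "refusing to enroll: $CRED_FILE missing or not mode ?00" >&2
        return 1
    fi
    IFS=: read -r user pass < "$CRED_FILE"
    # --unattended: nobody is at the console of a netbooted node.
    # --force-join: the server still holds this host's entry from the last
    # boot, because the node forgets its own enrollment on every reboot.
    # set -- keeps a password containing spaces as a single argument.
    set -- --unattended --force-join --mkhomedir \
        "--principal=$user" "--password=$pass"
    "${IPA_INSTALLER:-ipa-client-install}" "$@"
}

# Only act when the provisioner asks for it (assumed flag); sourcing the
# file for inspection or testing must not enroll anything.
if [ "${IPA_ENROLL_RUN:-0}" = 1 ]; then
    enroll_node
fi
```

The ipa-client-install man page the reply points to also covers a per-host one-time password (generated server-side with `ipa host-add --random`), which keeps any long-lived secret out of the image entirely and matches the "expires after the first use" behaviour the question describes.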