Hello, first of all thanks to everyone helping out. Answers inline.

> On 24 Sep 2019, at 20:48, Rob Crittenden <rcrit...@redhat.com> wrote:
>
> Vinícius Ferrão via FreeIPA-users wrote:
>> Hello all,
>>
>>> On 23 Sep 2019, at 12:59, Alexander Bokovoy <aboko...@redhat.com> wrote:
>>>
>>>> On Mon, 23 Sep 2019, Vinícius Ferrão via FreeIPA-users wrote:
>>>> Florence and Angus, thanks for the replies.
>>>>
>>>> xCAT definitely can run scripts at boot time. And the kickstart method seems to be the way to go. But I still have some questions:
>>>>
>>>> The nodes are stateless, so in a reboot all the configuration is lost and comes back from the image. FreeIPA configuration will be lost and then restarted. Which appears to be ok. But there are two issues:
>>>>
>>>> * The password for “joining” the FreeIPA domain that expires after the first use
>>>> * The necessity of the hostname on the ipa-client-install command: hostname=client.example.com
>>>>
>>>> With these two things I think we are unable to move forward, so the first question is:
>>>>
>>>> 1. Do I really need this password? Or better, can the password be permanent? It’s a “closed” system, so in terms of security I think there’s no problem.
>>>
>>> Please check the ipa-client-install manual page. It has all explanations for methods of enrollment. You can create a special user that has privileges to create machines and enroll them and record the user's credentials in the kickstart file.
>>
>> I was worried about the RTM but I really can’t find the exact answer. That’s why I came to the list.
>>
>> Searching a little bit further, I came across the Forced Re-enrollment page and I think you’re mentioning this one, right?
>> https://www.freeipa.org/page/V3/Forced_client_re-enrollment
>>
>> But this page talks about using the OTP to initially join the FreeIPA domain, but I can’t use another OTP to do the re-enrollment. Is this expected?
>
> Did you get an error about unenrolling?
>
> You probably need to call host-disable to mark it as unenrolled, then you can set a new OTP and enroll. If, when you decommission the machine, you call ipa-client-install --uninstall the host-disable should happen automatically IIRC

So, the problem is the unenrolling part. I don’t have any automatic mechanism (none that I’m aware of) to unenroll the compute nodes (the stateless machines).

At this moment the configuration is working with something being run at boot time, every time it boots:

ipa-client-install --domain=cluster.example.com -p admin -w adminpassword --force-join -U

Even for new hosts (never registered ones) it works correctly. The only thing that bugs me is the plaintext password of the admin account in the script. What I’m trying to achieve is to avoid this password.

What do I have? During node registration I can register it manually on FreeIPA if needed. At this moment FreeIPA DNS is handled by xCAT with its makedns command, which basically does a TSIG update on FreeIPA DNS. So this is the only thing done by the server inside FreeIPA. For this process there’s no need to kinit anything. Which is good. That’s it.

>> The only way to successfully re-enroll a machine is passing the Keytab or passing admin username and password. With this in mind:
>>
>> * Can I recover the Keytab directly from the server and try to send it to the newly booted machine to avoid passing a user/pass combination?
>> * If not, is it possible to have a service account to do this?
>
> I don't think you can recover the keytab per se but I guess there is no reason you couldn't run ipa-getkeytab to get a new one and use that to enroll.

I was able to recover the host Keytab directly from the server. I’ve done this:

ipa-getkeytab -p host/hpclab01.cluster.iq.ufrj...@cluster.iq.ufrj.br -k /tmp/host.keytab

The problem here is that I need to kinit as admin… If I had a Service Principal to do that it would be good, because I can try to work around the re-enroll process with this. But I wasn’t able to, and I don’t know if FreeIPA supports this.

>> About the service accounts, it’s a little confusing in the documentation too. There’s something in this link, but I can’t be sure if it’s the same thing:
>> https://www.freeipa.org/page/HowTo/LDAP
>
> Service account to do what?

The service account would be a last resort if everything else fails, to at least hide the admin account in the script to re-enroll the stateless nodes.

Thanks!!!!!!!

> rob
>
>>>> 2. Ipa-client-install can’t use the hostname of the node automatically? Do I really need to fill in the hostname? Because this kills the idea of a generic image.
>>>
>>> This is also covered in the man page. In short, there is no need to supply hostname explicitly, it will be discovered.
>>
>> Thanks, this one I completely missed:
>>
>> --hostname
>>     The hostname of this machine (FQDN). If specified, the hostname will be set and the system configuration will be updated to persist over reboot. By default a nodename result from uname(2) is used.
>>
>> Thank you all guys.
>>
>>>>> On 23 Sep 2019, at 04:04, Florence Blanc-Renaud <f...@redhat.com> wrote:
>>>>>
>>>>> On 9/23/19 1:10 AM, Vinícius Ferrão via FreeIPA-users wrote:
>>>>>> Hello, the subject of the message may sound a little bit strange, but let me explain what I’m trying to do.
>>>>>>
>>>>>> I have a machine with a provisioner (xCAT) that is able to boot and control different types of computer nodes. A stateless node is just a machine that boots over the network from a shared image on the server.
>>>>>>
>>>>>> What I’m trying to do? Join those stateless nodes to the FreeIPA Server.
>>>>>>
>>>>>> To do this, I’m aware that I can’t just run freeipa-client-install on the image chroot, since it will not behave as expected.
>>>>>>
>>>>>> At this point xCAT (the provisioner) can create the DNS registers of the stateless nodes on the FreeIPA integrated DNS (using TSIG keys). But I need to properly join the nodes to the server.
>>>>>>
>>>>>> Is there a way to manually register the nodes on the server? And about the users? How to enable them? Just configure SSSD on the image and it should be fine? The certificates, client certificates and things like this? Is there something that I need to do? Automount?
>>>>>>
>>>>>> Any help is really appreciated.
>>>>>>
>>>>>> Thanks,
>>>>>> _______________________________________________
>>>>>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>>>>>> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
>>>>>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>>>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>>>>> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
>>>>>
>>>>> Hi,
>>>>>
>>>>> xCAT probably offers you the possibility to run a custom script at the end of the installation. If it's the case, you can use a workflow similar to what is described in "Setting up an IdM Client Through Kickstart" [1]. You need to create a client host entry first, and the custom script on the client will call ipa-client-install.
>>>>>
>>>>> HTH,
>>>>> flo
>>>>>
>>>>> [1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/client-kickstart
>>>
>>> --
>>> / Alexander Bokovoy
>>> Sr. Principal Software Engineer
>>> Security / Identity Management Engineering
>>> Red Hat Limited, Finland
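The thread ends with two pieces of advice: Alexander's suggestion to enroll with a dedicated user that only has enrollment privileges instead of admin, and Rob's suggestion to fetch a host keytab with ipa-getkeytab and enroll with it. The script below is an added example, not code from the thread or from the FreeIPA project, showing how a boot-time script for a stateless node can combine the two: it prefers a per-node host keytab delivered outside the shared image (so no password exists anywhere), and otherwise uses the original --force-join command with a low-privilege enrollment account read from a root-only file rather than the admin password baked into the script. The domain, realm, the "hostenroll" account and the /run/ipa paths are constructed placeholders; "Enrollment Administrator" is a default FreeIPA role, but whether it is sufficient for --force-join of a host that is already enrolled should be confirmed in a test domain before relying on it.

```shell
#!/bin/sh
# Added example, not from the thread. Boot-time enrollment of a stateless
# node without the admin password: prefer a per-node host keytab delivered
# outside the shared image, otherwise fall back to a dedicated, low-privilege
# enrollment account. All names below are constructed placeholders.
#
# One-time setup on the IPA server, run once by an admin (NOT at node boot):
#   ipa user-add hostenroll --first=Host --last=Enrollment --password
#   ipa role-add-member "Enrollment Administrator" --users=hostenroll
#   # optional, per host, so that account can fetch the existing key with
#   # "ipa-getkeytab -r" instead of re-keying the host (plain ipa-getkeytab
#   # generates a new key and invalidates any keytab the host already has):
#   ipa host-allow-retrieve-keytab node01.cluster.example.com --users=hostenroll
# "Enrollment Administrator" is a default FreeIPA role; whether it suffices
# for --force-join of an already-enrolled host must be confirmed in a test domain.

IPA_DOMAIN="${IPA_DOMAIN:-cluster.example.com}"              # placeholder
IPA_REALM="${IPA_REALM:-CLUSTER.EXAMPLE.COM}"                # placeholder
ENROLL_USER="${ENROLL_USER:-hostenroll}"                     # assumed account name
ENROLL_PW_FILE="${ENROLL_PW_FILE:-/run/ipa/enroll.secret}"   # root-only file injected at boot
HOST_KEYTAB="${HOST_KEYTAB:-/run/ipa/host.keytab}"           # per-node keytab injected at boot

# Choose the enrollment method and print the ipa-client-install arguments.
# Order of preference: keytab (no password anywhere), then the enrollment
# account with --force-join (the thread's command, minus the admin account).
# Returns 1 when neither credential is available so the caller stops.
enroll_args() {
    keytab="$1"
    pw_file="$2"
    if [ -s "$keytab" ]; then
        printf '%s\n' "--domain=$IPA_DOMAIN --realm=$IPA_REALM --keytab=$keytab -U"
    elif [ -s "$pw_file" ]; then
        printf '%s\n' "--domain=$IPA_DOMAIN --realm=$IPA_REALM --principal=$ENROLL_USER --force-join -U"
    else
        echo "enroll: no host keytab and no enrollment credentials" >&2
        return 1
    fi
}

# Refuse to use a secret file that anyone other than root can read.
# (stat -c is GNU coreutils syntax, which is what the nodes run here.)
secret_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    [ "$mode" = "600" ] || [ "$mode" = "400" ]
}

# Run the enrollment. Only executed when ENROLL_RUN=1 so the file can be
# sourced or tested without touching the system.
enroll_node() {
    args=$(enroll_args "$HOST_KEYTAB" "$ENROLL_PW_FILE") || return 1
    if [ -s "$HOST_KEYTAB" ]; then
        # shellcheck disable=SC2086  (word splitting of $args is intended)
        ipa-client-install $args
    else
        secret_mode_ok "$ENROLL_PW_FILE" || {
            echo "enroll: $ENROLL_PW_FILE must be mode 0600 or 0400" >&2
            return 1
        }
        # The password comes from the protected file, never from the image script.
        ipa-client-install $args --password="$(cat "$ENROLL_PW_FILE")"
    fi
    rc=$?
    # Boot-time secrets are no longer needed once enrollment has run.
    rm -f "$ENROLL_PW_FILE"
    return $rc
}

if [ "${ENROLL_RUN:-0}" = "1" ]; then
    enroll_node
fi
```

The keytab path only works if each node receives its own keytab at boot (a host principal is bound to one FQDN), so it has to be delivered per node by the provisioner rather than stored in the image every node shares; a tmpfs location such as /run keeps it off the image and gone after a reboot. The fallback still re-keys the host on every boot through --force-join, which is what the original command did, but with an account whose blast radius is limited to enrollment instead of the admin account.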