Doug Chapman wrote:
> Can anyone give me some tips or document links on client deployment
> automation (I'm using puppet) to update the /etc/krb5.keytab file?
>
> I'm using IPA 1.2.2 on Centos5 and it seems the direct approach is
> to script the creation of the service principals (ipa-addservice) and
> extract all of the keytabs into puppet deployed files. Is there
> anything I'm missing?
>
> The ipa-addservice would require a human to login with a valid ticket
> in order to work; is there any way I could create a service account
> with limited permissions to allow an application to populate the
> Directory with new hosts from an external source (eg: cobbler, or a
> database of hosts)?
>

In v2 there is also an option for the automatic provisioning.

* You create a host entry in the IPA and give it an OTP password.
* You pass the same OTP password to the kickstart or some other client software.
* Client software invokes ipa-join and passes in the password. This completes the enrollment of the host. This host will have a keytab and would be able to work with IPA.
* The host will have permissions to retrieve a keytab for a service running on the host.
* Add a service to IPA server.
* Run ipa-getkeytab on the client under host identity. This will provision a key for the service running on the host.

You can try one of the v2 alphas.

Thanks
Dmitri

> tia
> --
> DougC
> ------------------------------------------------------------------------
>
> _______________________________________________
> Freeipa-users mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/freeipa-users

--
Thank you,
Dmitri Pal
Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
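The OTP-based enrollment flow Dmitri outlines above, written out as an added shell example (this is not code from the thread or from the FreeIPA project). It uses the IPA v2 command-line tools named in the reply (`ipa host-add` with its bulk-enrollment `--password`, `ipa-join -w`, `ipa service-add`, `ipa-getkeytab`), splits the steps into the admin side (needs a valid ticket) and the client side (needs only the OTP, then the host keytab), and adds a `DRY_RUN` switch so the generated commands can be inspected without an IPA server. The host name, OTP, service name and keytab path are constructed placeholders.

```shell
#!/bin/sh
# Added example: IPA v2 host enrollment with a one-time password (OTP) and
# service keytab retrieval under the host identity.
# Assumed/constructed values: web01.example.com, ipa.example.com, the OTP,
# the HTTP service and /etc/httpd/conf/ipa.keytab are placeholders.
# Set DRY_RUN=1 to print the commands instead of running them.

DRY_RUN="${DRY_RUN:-0}"

# Execute a command, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Admin side (requires a valid admin ticket): create the host entry and set
# its OTP. The OTP is the only secret that has to travel through kickstart
# or the config-management channel; it is consumed by the first ipa-join.
ipa_host_add() {
    host="$1"; otp="$2"
    run ipa host-add "$host" --password="$otp"
}

# Client side: enroll with the OTP. On success ipa-join writes the
# host/<fqdn> key into /etc/krb5.keytab; no human ticket is needed.
ipa_client_join() {
    otp="$1"
    run ipa-join -w "$otp"
}

# Admin side: create the service principal that will run on the host.
ipa_service_add() {
    host="$1"; svc="$2"
    run ipa service-add "$svc/$host"
}

# Client side: obtain a ticket from the host keytab, then fetch the service
# keytab with ipa-getkeytab. Each ipa-getkeytab call generates a new key,
# so run it once per service, not on every configuration pass.
ipa_service_keytab() {
    server="$1"; host="$2"; svc="$3"; keytab="$4"
    run kinit -k -t /etc/krb5.keytab "host/$host"
    run ipa-getkeytab -s "$server" -p "$svc/$host" -k "$keytab"
}

# Walk-through with the constructed placeholders.
provision_example() {
    ipa_host_add web01.example.com s3cret-otp
    ipa_client_join s3cret-otp
    ipa_service_add web01.example.com HTTP
    ipa_service_keytab ipa.example.com web01.example.com HTTP /etc/httpd/conf/ipa.keytab
}
```

In a puppet manifest the two client-side functions map onto `exec` resources guarded by `creates => '/etc/krb5.keytab'` and `creates => '/etc/httpd/conf/ipa.keytab'` respectively, which keeps the keytab-generating commands from re-running and rotating keys on every agent run.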
