On 01/18/2013 06:52 AM, Fred van Zwieten wrote:
> Hi Dmitri,
>
> Sorry for the late reply. I basically want to do the same as Charlie
> Derwent in another thread on this mailing list: To fully automate the
> re-installation of a server using Satellite/Spacewalk using kickstart.
> As the server is an IPA client, it must first get to be un-enrolled,
> before an ipa-client-install --unattended -w secret etc. can be done in
> a %post snippet of the kickstart file. It is the automation of the
> unenrollment process that we are not able to set up.
>
> What I can do on any ipa-client to unenroll on the command line is:
>
> ipa --disable-host <server> and ipa host-mod --password=secret --ssh=
>
> This unprovisions the client, sets an OTP and removes the host ssh keys.
>
> However, this can only be done on an IPA client, and during a
> kickstart install the server is no longer an IPA client, because it is
> freshly being set up.
>
> It's a typical chicken-and-egg issue. You must first be ipa client to
> be able to execute ipa commands, but you cannot become an ipa client
> before unprovisioning yourself using those same ipa commands.
>
> Another approach would be to unprovision the client just before the
> reboot to be kickstarted, however, I have no idea how to set that up.
> It would mean the server has to know somehow it is being rebooted
> because of a re-install, but afaik, there is no way for
> satellite/spacewalk to tell the server this..
>
> Regards,
>
> Fred

IMO the right approach would be for the Satellite server to perform
"ipa --disable-host <server> and ipa host-mod --password=secret --ssh="
as a part of the re-installation. Satellite should be given an IPA
identity and call into IPA when it performs reinstall before rebooting
the system.
Tough... I will see what I can do.

> On Sat, Jan 12, 2013 at 10:06 PM, Dmitri Pal <d...@redhat.com> wrote:
>
> On 01/12/2013 03:28 AM, Fred van Zwieten wrote:
>> Hi there,
>>
>> We are in the process of implementing Satellite and want to
>> automate server installations 100% using kickstart, cobbler,
>> satellite.
>>
>> IPA clients can be scripted enrolled using kickstart. Plenty of
>> documentation about that.
>>
>> However, how to "re"-enroll IPA clients?
>>
>> Satellite gives me the option to re-install a server. In this
>> case, there are still host and possibly service records for this
>> host present in IPA and DNS.
>>
>> One way to think about this is, that it's actually OK to keep
>> those records there, because it is a "re"-installation, so why
>> remove and re-enroll? However, there is the krb5.keytab in /etc.
>> I could save that file during redeployment, but I'm not sure if
>> that will work. And are there any other gotchas?
>>
>> So, the question is, how to re-install an IPA client using
>> kickstart (silent re-install)?
>
> The question is how/do you remove the client?
> Based on what you say above you use the same system so there are
> some leftovers. If you can run ipa-client-install --uninstall it
> should clean things like keytab and certs (there have been bugs
> fixed in freeIPA 3.0). If the client has access to the server it
> will clean (not remove) the host entry too. Then you can re-run
> the install. If you use OTP you would need to reset OTP first.
>
>> Regards,
>>
>> Fred
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users@redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>
> -------------------------------
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
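One way the server-side step suggested in the reply above could look, as an added example that is not code from this thread or from the FreeIPA or Satellite projects. It uses the `ipa host-disable` and `ipa host-mod` subcommands; the keytab path, the principal name, the `IPA_CMD`/`KINIT_CMD` overrides and the `Random password:` output line being parsed are assumptions.

```shell
#!/bin/sh
# Added example. Runs on the provisioning server before it reboots the client.
# Assumptions (not from the thread): the keytab path, the principal name and the
# IPA_CMD/KINIT_CMD overrides are hypothetical; the principal is assumed to be a
# dedicated IPA identity that is allowed to manage host entries and nothing else.
IPA_CMD=${IPA_CMD:-ipa}
KINIT_CMD=${KINIT_CMD:-kinit}
PROV_KEYTAB=${PROV_KEYTAB:-/etc/provisioner.keytab}
PROV_PRINCIPAL=${PROV_PRINCIPAL:-provisioner}

# Accept only plain DNS names: no leading '-' (would be parsed as an option),
# no empty labels, no shell or whitespace characters.
valid_fqdn() {
  case "$1" in
    ''|-*|.*|*.|*..*|*[!A-Za-z0-9.-]*) return 1 ;;
    *.*) return 0 ;;
    *) return 1 ;;
  esac
}

# Un-enroll $1 and print a fresh one-time password on stdout.
# Runs in a subshell so the ticket cache and the trap do not leak to the caller.
reset_host_enrollment() (
  host=$1
  valid_fqdn "$host" || { echo "refusing host name: $host" >&2; exit 2; }

  # Private credential cache, removed on exit, so the ticket is not shared.
  KRB5CCNAME=$(mktemp) || exit 3
  export KRB5CCNAME
  trap 'rm -f "$KRB5CCNAME"' EXIT
  "$KINIT_CMD" -k -t "$PROV_KEYTAB" "$PROV_PRINCIPAL" || exit 3

  # Invalidate the keytab the old installation left behind.
  "$IPA_CMD" host-disable "$host" >/dev/null || exit 4

  # Clear the stored SSH keys and let the server generate the OTP (--random),
  # so no password appears on this command line.
  otp=$("$IPA_CMD" host-mod "$host" --random --sshpubkey= |
        sed -n 's/^ *Random password: *//p')
  [ -n "$otp" ] || { echo "no OTP returned for $host" >&2; exit 5; }
  printf '%s\n' "$otp"
)

# Stand-alone use: ./reset-host.sh client.example.com
[ "$#" -eq 0 ] || reset_host_enrollment "$1"
```

The printed OTP is what the kickstart `%post` snippet would pass to `ipa-client-install --unattended -w`; how the provisioning tool hands it to the kickstart profile is outside this example.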