[Freeipa-users] Re: Manually join machines in stateless environment

2019-09-25 Thread Angus Clarke via FreeIPA-users
Hmm, yes I see the problem: when a previously registered node reboots, all the 
local configuration is lost; however, it still has entries in the IPA server.

I've not tried running ipa-client-install on such a node but it sounds like you 
have and the --force option is achieving what you desire.

Alternatively, you could identify all the configuration files that the 
ipa-client-install command updates locally and move them to some stateful 
filesystem (NFS for example) and sym-link back (I'm just thinking out loud - 
I've successfully done such things on other topics before now!) From memory, 
you would need at least:

/etc/krb5.conf
/etc/krb5.keytab
/etc/ipa/default.conf
/etc/sssd/sssd.conf

I'm keeping in mind that the DNS is still correct as per the original names 
initially registered in IPA ...



You can create a separate account for registering/adding hosts to IPA with 
restricted privileges to do just that.

Regards
Angus


From: Vinícius Ferrão via FreeIPA-users 
Sent: 26 September 2019 01:20
To: Rob Crittenden 
Cc: FreeIPA users list; Alexander Bokovoy; Florence Blanc-Renaud; 
Vinícius Ferrão
Subject: [Freeipa-users] Re: Manually join machines in stateless environment



On 25 Sep 2019, at 17:41, Rob Crittenden wrote:

Vinícius Ferrão wrote:
Hello,

First of all thanks for everyone helping out. Answers inline.

On 24 Sep 2019, at 20:48, Rob Crittenden wrote:

Vinícius Ferrão via FreeIPA-users wrote:
Hello all,

On 23 Sep 2019, at 12:59, Alexander Bokovoy wrote:

On Mon, 23 Sep 2019, Vinícius Ferrão via FreeIPA-users wrote:
Florence and Angus, thanks for the replies.

xCAT definitely can run scripts at boot time. And the kickstart
method seems to be the way to go. But I still have some questions:

The nodes are stateless, so in a reboot all the configuration is lost
and get back from the image. FreeIPA configuration will be lost and
then restarted. Which appears to be ok. But there are two issues:

* The password for “joining” the FreeIPA domain that expires after
the first use
* The necessity of the hostname on the ipa-client-install command:
hostname=client.example.com

With these two things I think we are unable to move forward, so the
first question is:

1. Do I really need this password? Or better, the password can be
permanent? It’s a “closed” system, so in terms of security I think
there’s no problem.
Please check ipa-client-install manual page. It has all explanations for
methods of enrollment. You can create a special user that has privileges
to create machines and enroll them and record the user's credentials in
the kickstart file.

I was worried about the RTM but I really can’t find the exact answer.
That’s why I came to the list. Searching a little but further, I came
across the Forced Re-enrollment page and I think you’re mentioning this
one, right? 
https://www.freeipa.org/page/V3/Forced_client_re-enrollment
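Angus's suggestion above (keep the files ipa-client-install writes on stateful storage and symlink them back at boot) as an added shell example; this is not code from the thread or from the FreeIPA project. The file list is the one from Angus's mail; everything else is an assumption: STATE_DIR is a per-host directory on persistent storage such as NFS, ROOT is a prefix used only to exercise the functions against a scratch tree, and ENROLL_CMD names the command or function that performs the one-time enrolment (the default runs ipa-client-install with a host one-time password taken from the OTP variable, so no admin password lives in the image).

```shell
#!/bin/sh
# Added example, not code from the list thread: restore FreeIPA client state on
# a stateless node from a persistent directory, or enrol once and save it.
# Assumptions (not from the thread): STATE_DIR is per-host persistent storage;
# ROOT is a scratch prefix for testing; ENROLL_CMD performs the enrolment.
set -eu

# Files ipa-client-install writes that must survive a reboot (list from Angus's mail).
IPA_STATE_FILES="/etc/krb5.conf /etc/krb5.keytab /etc/ipa/default.conf /etc/sssd/sssd.conf"
ROOT="${ROOT:-}"

# Default enrolment step: OTP-based, so no admin credentials live in the image.
enroll_with_otp() {
    ipa-client-install --unattended --password "${OTP:?set OTP to the host one-time password}"
}

# Succeeds only when every state file already has a saved copy.
state_complete() {
    state_dir="$1"
    for f in $IPA_STATE_FILES; do
        [ -f "$state_dir$f" ] || return 1
    done
    return 0
}

# Replace each local file with a symlink to its persistent copy.
link_state() {
    state_dir="$1"
    for f in $IPA_STATE_FILES; do
        mkdir -p "$(dirname "$ROOT$f")"
        rm -f "$ROOT$f"
        ln -s "$state_dir$f" "$ROOT$f"
    done
}

# After a fresh enrolment: copy the written files to persistent storage, lock
# down the two that hold secrets (host keytab, sssd.conf), then link as above.
save_state() {
    state_dir="$1"
    for f in $IPA_STATE_FILES; do
        mkdir -p "$(dirname "$state_dir$f")"
        cp -p "$ROOT$f" "$state_dir$f"
    done
    chmod 600 "$state_dir/etc/krb5.keytab" "$state_dir/etc/sssd/sssd.conf"
    link_state "$state_dir"
}

# Entry point: prints "restored" when saved state was reused, "enrolled" when a
# new enrolment was needed and its result was saved for the next boot.
restore_or_enroll() {
    state_dir="$1"
    if state_complete "$state_dir"; then
        link_state "$state_dir"
        echo restored
    else
        "${ENROLL_CMD:-enroll_with_otp}"
        save_state "$state_dir"
        echo enrolled
    fi
}

# Boot-time use (for example from an xCAT postscript):
#   STATE_DIR=/srv/ipa-state/$(hostname -f) OTP=... sh this-script.sh
# restore_or_enroll "$STATE_DIR"
```

Two caveats for the persistent store: sssd refuses an sssd.conf that is not root-owned with mode 0600, and krb5.keytab is the host's Kerberos credential, so the export must preserve root ownership (no root squashing) and be readable by that node only; the enrolment command is only ever run once per node this way, so the one-time password problem from the thread disappears after the first boot.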

[Freeipa-users] Re: Manually join machines in stateless environment

2019-09-25 Thread Vinícius Ferrão via FreeIPA-users


On 25 Sep 2019, at 17:41, Rob Crittenden wrote:

Vinícius Ferrão wrote:
Hello,

First of all thanks for everyone helping out. Answers inline.

On 24 Sep 2019, at 20:48, Rob Crittenden wrote:

Vinícius Ferrão via FreeIPA-users wrote:
Hello all,

On 23 Sep 2019, at 12:59, Alexander Bokovoy wrote:

On Mon, 23 Sep 2019, Vinícius Ferrão via FreeIPA-users wrote:
Florence and Angus, thanks for the replies.

xCAT definitely can run scripts at boot time. And the kickstart
method seems to be the way to go. But I still have some questions:

The nodes are stateless, so in a reboot all the configuration is lost
and get back from the image. FreeIPA configuration will be lost and
then restarted. Which appears to be ok. But there are two issues:

* The password for “joining” the FreeIPA domain that expires after
the first use
* The necessity of the hostname on the ipa-client-install command:
hostname=client.example.com


With these two things I think we are unable to move forward, so the
first question is:

1. Do I really need this password? Or better, the password can be
permanent? It’s a “closed” system, so in terms of security I think
there’s no problem.
Please check ipa-client-install manual page. It has all explanations for
methods of enrollment. You can create a special user that has privileges
to create machines and enroll them and record the user's credentials in
the kickstart file.

I was worried about the RTM but I really can’t find the exact answer.
That’s why I came to the list. Searching a little but further, I came
across the Forced Re-enrollment page and I think you’re mentioning this
one, right? https://www.freeipa.org/page/V3/Forced_client_re-enrollment

But in this page it says about the OTP to primary join the FreeIPA
domain, but I can’t use another OTP to do the re-enrollment. Is this
expected?

Did you get an error about unenrolling? You probably need to call
host-disable to mark it as unenrolled, then you can set a new OTP and
enroll. If, when you decommission the machine, you call
ipa-client-install --uninstall the host-disable should happen
automatically IIRC

So, the problem is the unenrolling part. I don’t have any automatic
mechanism (none that I’m aware of) to unenroll the compute nodes (the
stateless machines).

Ok, I'm not at all familiar with xCAT so don't know how it does its
provisioning. You mentioned makedns, so perhaps there is a way to inject
commands prior to instantiating the node?

Typically for this type of provisioning (Foreman, OpenStack novajoin)
there is an outside controller that is privileged and can manage IPA
entries. These generally do:

- host-add (if needed), or host-disable if the node was enrolled
- set OTP

The OTP is then passed into the provisioned system (kickstart in
Foreman, cloud-init in novajoin).

The newly provisioned machine then calls ipa-client-install using the
provided OTP.

Hi Rob,

During the node initial configuration I must inform xCAT things like MAC 
address, hostname, IP, etc. So this is made with some xCAT commands. One of 
them builds the DNS with this data, it’s the makedns command.

So yes, I can run commands on the headnode to manually host-add and set the 
OTP. This is good.

The problem is later on. The node boots and everything is OK, but in the case 
of a reboot of the stateless node it will lose the configuration and since the 
machine is already configured there’s no way back to detect this and do a 
host-add again or something similar.

That’s why I’ve done that atrocious force-join with the admin password, it 
works in both cases. New nodes and already enrolled nodes.


At this moment the configuration is working with something being run at
boot time, every time it boots:
ipa-client-install --domain=cluster.example.com -p admin -w adminpassword --force-join -U

Even for new hosts (never registered ones) it works correctly.

The only thing that bugs me is the plaintext password of the admin
account in the script. What I’m trying to achieve is avoid this password.
Worst case you can create a separate user and delegate them the ability
to provision hosts and pass in that password.

So what I was talking about as a service account is actually a normal user account 
with some privileges. Sorry for the mess.

There’s a way to make this a principal instead? I can put some generic things 
in the stateless image so it can be sufficient to at least re-enroll itself 
during boot without any password.

To do this I just need to clarify how it works and if it’s viable, or even if 
this makes sense.

ipa service-add-principal can create service principal for xCAT, but I was not 
able t

[Freeipa-users] Re: Manually join machines in stateless environment

2019-09-25 Thread Rob Crittenden via FreeIPA-users
Vinícius Ferrão wrote:
> Hello,
> 
> First of all thanks for everyone helping out. Answers inline.
> 
>> On 24 Sep 2019, at 20:48, Rob Crittenden wrote:
>>
>> Vinícius Ferrão via FreeIPA-users wrote:
>>> Hello all,
>>>
 On 23 Sep 2019, at 12:59, Alexander Bokovoy wrote:

 On Mon, 23 Sep 2019, Vinícius Ferrão via FreeIPA-users wrote:
> Florence and Angus, thanks for the replies.
>
> xCAT definitely can run scripts at boot time. And the kickstart
> method seems to be the way to go. But I still have some questions:
>
> The nodes are stateless, so in a reboot all the configuration is lost
> and get back from the image. FreeIPA configuration will be lost and
> then restarted. Which appears to be ok. But there are two issues:
>
> * The password for “joining” the FreeIPA domain that expires after
> the first use
> * The necessity of the hostname on the ipa-client-install command:
> hostname=client.example.com
> 
>
> With these two things I think we are unable to move forward, so the
> first question is:
>
> 1. Do I really need this password? Or better, the password can be
> permanent? It’s a “closed” system, so in terms of security I think
> there’s no problem.
 Please check ipa-client-install manual page. It has all explanations for
 methods of enrollment. You can create a special user that has privileges
 to create machines and enroll them and record the user's credentials in
 the kickstart file.
>>>
>>> I was worried about the RTM but I really can’t find the exact answer.
>>> That’s why I came to the list. Searching a little but further, I came
>>> across the Forced Re-enrollment page and I think you’re mentioning this
>>> one, right? https://www.freeipa.org/page/V3/Forced_client_re-enrollment
>>>
>>> But in this page it says about the OTP to primary join the FreeIPA
>>> domain, but I can’t use another OTP to do the re-enrollment. Is this
>>> expected?
>>
>> Did you get an error about unenrolling? You probably need to call
>> host-disable to mark it as unenrolled, then you can set a new OTP and
>> enroll. If, when you decommission the machine, you call
>> ipa-client-install --uninstall the host-disable should happen
>> automatically IIRC
> 
> So, the problem is the unenrolling part. I don’t have any automatic
> mechanism (none that I’m aware of) to unenroll the compute nodes (the
> stateless machines).

Ok, I'm not at all familiar with xCAT so don't know how it does its
provisioning. You mentioned makedns, so perhaps there is a way to inject
commands prior to instantiating the node?

Typically for this type of provisioning (Foreman, OpenStack novajoin)
there is an outside controller that is privileged and can manage IPA
entries. These generally do:

- host-add (if needed), or host-disable if the node was enrolled
- set OTP

The OTP is then passed into the provisioned system (kickstart in
Foreman, cloud-init in novajoin).

The newly provisioned machine then calls ipa-client-install using the
provided OTP.

> At this moment the configuration is working with something being run at
> boot time, every time it boots:
> ipa-client-install --domain=cluster.example.com -p admin -w adminpassword --force-join -U
> 
> Even for new hosts (never registered ones) it works correctly.
> 
> The only thing that bugs me is the plaintext password of the admin
> account in the script. What I’m trying to achieve is avoid this password.
Worst case you can create a separate user and delegate them the ability
to provision hosts and pass in that password.

> What I have?
> 
> During node registration I can register it manually on FreeIPA if
> needed. At this moment FreeIPA DNS is handled by xCAT with its makedns
> command, that basically do a TSIG update on FreeIPA DNS. So this is the
> only thing done by the server inside FreeIPA. For this process there’s
> no need to kinit anything. Which is good.
> 
> That’s it.
> 
> 
>>> The only way to successfully re-enroll a machine is passing the Keytab
>>> or passing admin username and password.
>>>
>>> With this in mind:
>>> * Can I recover the Keytab directly from the server and try to send it
>>> to the new booted machine to avoid passing user/pass combination?
>>> * If not is it possible to have a service account to do this?
>>
>> I don't think you can recover the keytab per se but I guess there is no
>> reason you couldn't run ipa-getkeytab to get a new one and use that to
>> enroll.
> 
> I was able to recover the host Keytab directly from the server. I’ve
> done this:
> 
> ipa-getkeytab -p host/hpclab01.cluster.iq.ufrj...@cluster.iq.ufrj.br -k /tmp/host.keytab
> 
> 
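Rob's outside-controller flow (host-add if needed or host-disable if the node was enrolled, then set an OTP, then let the node enrol with that OTP) as an added shell example; this is not code from the thread or from the FreeIPA project. It assumes the `ipa` CLI and a Kerberos ticket for a delegated account on the controller (the xCAT head node in this thread), that the printed OTP is delivered to the node by the site's provisioning mechanism, and that `ipa host-show --raw` reports enrolment state as a `has_keytab:` line, which is how I know the CLI's raw output to look. The "Enrollment Administrator" role is the role FreeIPA ships for exactly this delegation; its name comes from my own knowledge, not from the thread. The closing comment shows the OTP form of ipa-client-install that replaces the admin-password `--force-join` call quoted above.

```shell
#!/bin/sh
# Added example, not code from the list thread or the FreeIPA project:
# controller-side provisioning of one node, as Rob describes for Foreman/novajoin.
# Assumptions (not from the thread): `ipa` on PATH with a ticket for a delegated
# account; the caller passes the OTP to the node out of band (xCAT postscript).
set -eu

IPA="${IPA:-ipa}"   # overridable so the functions can be exercised without a server

# One-time admin step: give a dedicated account only the enrolment privilege,
# instead of putting the admin password in the boot script.
delegate_enrollment() {
    account="$1"
    $IPA role-add-member "Enrollment Administrator" --users="$account"
}

# Make sure the host entry exists and will accept an enrolment:
# new node -> host-add; node that still holds a keytab -> host-disable
# (unenrol but keep the entry, which is what a rebooted stateless node needs).
prepare_host() {
    fqdn="$1"
    if info=$($IPA host-show "$fqdn" --raw 2>/dev/null); then
        if echo "$info" | grep -qi '^ *has_keytab: *true'; then
            $IPA host-disable "$fqdn" >/dev/null
        fi
    else
        $IPA host-add "$fqdn" >/dev/null
    fi
}

# Set a fresh one-time password on the entry and print it (raw output has a
# "randompassword: <value>" line).
set_otp() {
    fqdn="$1"
    $IPA host-mod "$fqdn" --random --raw | awk '$1 == "randompassword:" { print $2 }'
}

# Whole flow for one node: prints the OTP the node must use, fails if none came back.
provision_otp() {
    fqdn="$1"
    prepare_host "$fqdn"
    otp=$(set_otp "$fqdn")
    [ -n "$otp" ] || { echo "no OTP returned for $fqdn" >&2; return 1; }
    echo "$otp"
}

# Node side, run at boot with the delivered OTP and no admin credentials:
#   ipa-client-install --unattended --domain=cluster.example.com --password="$OTP"
```

Because `host-disable` is only issued when the entry actually holds a keytab, the same function works for a brand-new node, a node that was added but never enrolled, and a rebooted node that lost its local state; each boot gets a single-use password and the delegated account can do nothing beyond enrolment.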

[Freeipa-users] Re: Manually join machines in stateless environment

2019-09-25 Thread Vinícius Ferrão via FreeIPA-users
Hello,

First of all thanks for everyone helping out. Answers inline.

On 24 Sep 2019, at 20:48, Rob Crittenden wrote:

Vinícius Ferrão via FreeIPA-users wrote:
Hello all,

On 23 Sep 2019, at 12:59, Alexander Bokovoy wrote:

On Mon, 23 Sep 2019, Vinícius Ferrão via FreeIPA-users wrote:
Florence and Angus, thanks for the replies.

xCAT definitely can run scripts at boot time. And the kickstart
method seems to be the way to go. But I still have some questions:

The nodes are stateless, so in a reboot all the configuration is lost
and get back from the image. FreeIPA configuration will be lost and
then restarted. Which appears to be ok. But there are two issues:

* The password for “joining” the FreeIPA domain that expires after
the first use
* The necessity of the hostname on the ipa-client-install command:
hostname=client.example.com 


With these two things I think we are unable to move forward, so the
first question is:

1. Do I really need this password? Or better, the password can be
permanent? It’s a “closed” system, so in terms of security I think
there’s no problem.
Please check ipa-client-install manual page. It has all explanations for
methods of enrollment. You can create a special user that has privileges
to create machines and enroll them and record the user's credentials in
the kickstart file.

I was worried about the RTM but I really can’t find the exact answer.
That’s why I came to the list. Searching a little but further, I came
across the Forced Re-enrollment page and I think you’re mentioning this
one, right? https://www.freeipa.org/page/V3/Forced_client_re-enrollment

But in this page it says about the OTP to primary join the FreeIPA
domain, but I can’t use another OTP to do the re-enrollment. Is this
expected?

Did you get an error about unenrolling? You probably need to call
host-disable to mark it as unenrolled, then you can set a new OTP and
enroll. If, when you decommission the machine, you call
ipa-client-install --uninstall the host-disable should happen
automatically IIRC

So, the problem is the unenrolling part. I don’t have any automatic mechanism 
(none that I’m aware of) to unenroll the compute nodes (the stateless machines).

At this moment the configuration is working with something being run at boot 
time, every time it boots:
ipa-client-install --domain=cluster.example.com -p admin -w adminpassword --force-join -U

Even for new hosts (never registered ones) it works correctly.

The only thing that bugs me is the plaintext password of the admin account in 
the script. What I’m trying to achieve is avoid this password.

What I have?

During node registration I can register it manually on FreeIPA if needed. At 
this moment FreeIPA DNS is handled by xCAT with its makedns command, that 
basically do a TSIG update on FreeIPA DNS. So this is the only thing done by 
the server inside FreeIPA. For this process there’s no need to kinit anything. 
Which is good.

That’s it.


The only way to successfully re-enroll a machine is passing the Keytab
or passing admin username and password.

With this in mind:
* Can I recover the Keytab directly from the server and try to send it
to the new booted machine to avoid passing user/pass combination?
* If not is it possible to have a service account to do this?

I don't think you can recover the keytab per se but I guess there is no
reason you couldn't run ipa-getkeytab to get a new one and use that to
enroll.

I was able to recover the host Keytab directly from the server. I’ve done this:

ipa-getkeytab -p host/hpclab01.cluster.iq.ufrj...@cluster.iq.ufrj.br -k /tmp/host.keytab

The problem here is that I need to kinit as admin…

If I had a Service Principal to do that would be good, because I can try 
workaround the re-enroll process with this. But I wasn’t able to, and I don’t 
know if FreeIPA supports this.


About the service accounts, it’s little confusing in the documentation
either. There’s something in this link, but I can’t be sure if it’s the
same thing: https://www.freeipa.org/page/HowTo/LDAP

Service account to do what?

The service account would be a last resort if everything else fails to at least 
hide the admin account on the script to re-enroll the stateless nodes.

Thanks!!!


rob




2. Ipa-client-install can’t use the hostname of the node automatically?
Do I really need to fill the hostname? Because this kills the idea of
a generic image.
This is also covered in the man page. In short, there is no need to
supply hostname explicitly, it will be discovered.

Thanks, this one I completely missed:

--hostname
The hostname of this machine (FQDN). If specified, the hostname will be
set and the system configuration will be updated to persist ov

[Freeipa-users] Re: Manually join machines in stateless environment

2019-09-24 Thread Rob Crittenden via FreeIPA-users
Vinícius Ferrão via FreeIPA-users wrote:
> Hello all,
> 
>> On 23 Sep 2019, at 12:59, Alexander Bokovoy > > wrote:
>>
>> On Mon, 23 Sep 2019, Vinícius Ferrão via FreeIPA-users wrote:
>>> Florence and Angus, thanks for the replies.
>>>
>>> xCAT definitely can run scripts at boot time. And the kickstart
>>> method seems to be the way to go. But I still have some questions:
>>>
>>> The nodes are stateless, so in a reboot all the configuration is lost
>>> and get back from the image. FreeIPA configuration will be lost and
>>> then restarted. Which appears to be ok. But there are two issues:
>>>
>>> * The password for “joining” the FreeIPA domain that expires after
>>> the first use
>>> * The necessity of the hostname on the ipa-client-install command:
>>> hostname=client.example.com 
>>> 
>>>
>>> With these two things I think we are unable to move forward, so the
>>> first question is:
>>>
>>> 1. Do I really need this password? Or better, the password can be
>>> permanent? It’s a “closed” system, so in terms of security I think
>>> there’s no problem.
>> Please check ipa-client-install manual page. It has all explanations for
>> methods of enrollment. You can create a special user that has privileges
>> to create machines and enroll them and record the user's credentials in
>> the kickstart file.
> 
> I was worried about the RTM but I really can’t find the exact answer.
> That’s why I came to the list. Searching a little but further, I came
> across the Forced Re-enrollment page and I think you’re mentioning this
> one, right? https://www.freeipa.org/page/V3/Forced_client_re-enrollment
> 
> But in this page it says about the OTP to primary join the FreeIPA
> domain, but I can’t use another OTP to do the re-enrollment. Is this
> expected?

Did you get an error about unenrolling? You probably need to call
host-disable to mark it as unenrolled, then you can set a new OTP and
enroll. If, when you decommission the machine, you call
ipa-client-install --uninstall the host-disable should happen
automatically IIRC

> The only way to successfully re-enroll a machine is passing the Keytab
> or passing admin username and password.
> 
> With this in mind:
> * Can I recover the Keytab directly from the server and try to send it
> to the new booted machine to avoid passing user/pass combination?
> * If not is it possible to have a service account to do this?

I don't think you can recover the keytab per se but I guess there is no
reason you couldn't run ipa-getkeytab to get a new one and use that to
enroll.

> 
> About the service accounts, it’s little confusing in the documentation
> either. There’s something in this link, but I can’t be sure if it’s the
> same thing: https://www.freeipa.org/page/HowTo/LDAP

Service account to do what?

rob

> 
>>
>>>
>>> 2. Ipa-client-install can’t use the hostname of the node automatically?
>>> Do I really need to fill the hostname? Because this kills the idea of
>>> a generic image.
>> This is also covered in the man page. In short, there is no need to
>> supply hostname explicitly, it will be discovered.
> 
> Thanks, this one I completely missed:
> 
> --hostname
> The hostname of this machine (FQDN). If specified, the hostname will be
> set and the system configuration will be updated to persist over reboot.
> By default a nodename result from uname(2) is used.
> 
> 
> 
>>
>>>
>>> Thank you all guys.
>>>
>>>
 On 23 Sep 2019, at 04:04, Florence Blanc-Renaud wrote:

 On 9/23/19 1:10 AM, Vinícius Ferrão via FreeIPA-users wrote:
> Hello, the subject of the message may sound a little bit strange,
> but let me explain what I’m trying to do.
> I have a machine with a provisioner (xCAT) that is able to boot
> and control different types of computer nodes. A stateless node is
> just a machine that boots over the network from a shared image on
> the server.
> What I’m trying to do?
> Join those stateless nodes to FreeIPA Server.
> To do this, I’m aware that I can’t just run freeipa-client-install
> on the image chroot, since it will not behave as expected.
> At this point xCAT (the provisioner) can create the DNS registers
> of the stateless nodes on FreeIPA integrated DNS (using TSIG keys).
> But I need to properly join the nodes to the server.
> There’s a way to manually register the nodes on the server?
> And about the users? How to enable them? Just Configure SSSD on the
> image and it should be fine?
> The certificates, client certificates and things like this? There’s
> something that I need to do?
> Automount?
> Any help is really appreciated.
> Thanks,
> ___
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> 
> To unsubscribe send an email to
> freeipa-use

[Freeipa-users] Re: Manually join machines in stateless environment

2019-09-24 Thread Vinícius Ferrão via FreeIPA-users
Hello all,

On 23 Sep 2019, at 12:59, Alexander Bokovoy wrote:

On Mon, 23 Sep 2019, Vinícius Ferrão via FreeIPA-users wrote:
Florence and Angus, thanks for the replies.

xCAT definitely can run scripts at boot time. And the kickstart method seems to 
be the way to go. But I still have some questions:

The nodes are stateless, so in a reboot all the configuration is lost and get 
back from the image. FreeIPA configuration will be lost and then restarted. 
Which appears to be ok. But there are two issues:

* The password for “joining” the FreeIPA domain that expires after the first use
* The necessity of the hostname on the ipa-client-install command: 
hostname=client.example.com 


With these two things I think we are unable to move forward, so the first 
question is:

1. Do I really need this password? Or better, the password can be
permanent? It’s a “closed” system, so in terms of security I think
there’s no problem.
Please check ipa-client-install manual page. It has all explanations for
methods of enrollment. You can create a special user that has privileges
to create machines and enroll them and record the user's credentials in
the kickstart file.

I was worried about the RTM but I really can’t find the exact answer. That’s 
why I came to the list. Searching a little but further, I came across the 
Forced Re-enrollment page and I think you’re mentioning this one, right? 
https://www.freeipa.org/page/V3/Forced_client_re-enrollment

But in this page it says about the OTP to primary join the FreeIPA domain, but 
I can’t use another OTP to do the re-enrollment. Is this expected?

The only way to successfully re-enroll a machine is passing the Keytab or 
passing admin username and password.

With this in mind:
* Can I recover the Keytab directly from the server and try to send it to the 
new booted machine to avoid passing user/pass combination?
* If not is it possible to have a service account to do this?

About the service accounts, it’s little confusing in the documentation either. 
There’s something in this link, but I can’t be sure if it’s the same thing: 
https://www.freeipa.org/page/HowTo/LDAP



2. Ipa-client-install can’t use the hostname of the node automatically?
Do I really need to fill the hostname? Because this kills the idea of
a generic image.
This is also covered in the man page. In short, there is no need to
supply hostname explicitly, it will be discovered.

Thanks, this one I completely missed:

--hostname
The hostname of this machine (FQDN). If specified, the hostname will be set and 
the system configuration will be updated to persist over reboot. By default a 
nodename result from uname(2) is used.





Thank you all guys.


On 23 Sep 2019, at 04:04, Florence Blanc-Renaud wrote:

On 9/23/19 1:10 AM, Vinícius Ferrão via FreeIPA-users wrote:
Hello, the subject of the message may sound a little bit strange, but let me 
explain what I’m trying to do.
I have a machine with a provisioner (xCAT) that is able to boot and control 
different types of computer nodes. A stateless node is just a machine that 
boots over the network from a shared image on the server.
What I’m trying to do?
Join those stateless nodes to FreeIPA Server.
To do this, I’m aware that I can’t just run freeipa-client-install on the image 
chroot, since it will not behave as expected.
At this point xCAT (the provisioner) can create the DNS registers of the 
stateless nodes on FreeIPA integrated DNS (using TSIG keys). But I need to 
properly join the nodes to the server.
There’s a way to manually register the nodes on the server?
And about the users? How to enable them? Just Configure SSSD on the image and 
it should be fine?
The certificates, client certificates and things like this? There’s something 
that I need to do?
Automount?
Any help is really appreciated.
Thanks,

Hi,
xCAT probably offers you the possibility to run a custom script at the end of 
the installation. If it's the case, you can use a workflow similar to what is 
described in "Setting up an IdM Client Through Kickstart" [1]. You need to 
create a client host entry first, and the custom script on the client will call 
ipa-client-install.

HTH,
flo

[1] 
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/client-kickstart



--
/ Alexa

[Freeipa-users] Re: Manually join machines in stateless environment

2019-09-23 Thread Alexander Bokovoy via FreeIPA-users

On Mon, 23 Sep 2019, Vinícius Ferrão via FreeIPA-users wrote:

Florence and Angus, thanks for the replies.

xCAT definitely can run scripts at boot time. And the kickstart method seems to 
be the way to go. But I still have some questions:

The nodes are stateless, so in a reboot all the configuration is lost and get 
back from the image. FreeIPA configuration will be lost and then restarted. 
Which appears to be ok. But there are two issues:

* The password for “joining” the FreeIPA domain that expires after the first use
* The necessity of the hostname on the ipa-client-install command: 
hostname=client.example.com 

With these two things I think we are unable to move forward, so the first 
question is:

1. Do I really need this password? Or better, the password can be
permanent? It’s a “closed” system, so in terms of security I think
there’s no problem.

Please check ipa-client-install manual page. It has all explanations for
methods of enrollment. You can create a special user that has privileges
to create machines and enroll them and record the user's credentials in
the kickstart file.



2. Ipa-client-install can’t use the hostname of the node automatically?
Do I really need to fill the hostname? Because this kills the idea of
a generic image.

This is also covered in the man page. In short, there is no need to
supply hostname explicitly, it will be discovered.



Thank you all guys.



On 23 Sep 2019, at 04:04, Florence Blanc-Renaud wrote:

On 9/23/19 1:10 AM, Vinícius Ferrão via FreeIPA-users wrote:

Hello, the subject of the message may sound a little bit strange, but let me 
explain what I’m trying to do.
I have a machine with a provisioner (xCAT) that is able to boot and control 
different types of computer nodes. A stateless node is just a machine that 
boots over the network from a shared image on the server.
What I’m trying to do?
Join those stateless nodes to FreeIPA Server.
To do this, I’m aware that I can’t just run freeipa-client-install on the image 
chroot, since it will not behave as expected.
At this point xCAT (the provisioner) can create the DNS registers of the 
stateless nodes on FreeIPA integrated DNS (using TSIG keys). But I need to 
properly join the nodes to the server.
There’s a way to manually register the nodes on the server?
And about the users? How to enable them? Just Configure SSSD on the image and 
it should be fine?
The certificates, client certificates and things like this? There’s something 
that I need to do?
Automount?
Any help is really appreciated.
Thanks,


Hi,
xCAT probably offers you the possibility to run a custom script at the end of the 
installation. If it's the case, you can use a workflow similar to what is described in 
"Setting up an IdM Client Through Kickstart" [1]. You need to create a client 
host entry first, and the custom script on the client will call ipa-client-install.

HTH,
flo

[1] 
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/client-kickstart





--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: Manually join machines in stateless environment

2019-09-23 Thread Vinícius Ferrão via FreeIPA-users
Florence and Angus, thanks for the replies.

xCAT definitely can run scripts at boot time. And the kickstart method seems to 
be the way to go. But I still have some questions:

The nodes are stateless, so on a reboot all the configuration is lost and comes 
back from the image. FreeIPA configuration will be lost and then restarted. 
Which appears to be ok. But there are two issues:

* The password for “joining” the FreeIPA domain that expires after the first use
* The necessity of the hostname on the ipa-client-install command: 
hostname=client.example.com 

With these two things I think we are unable to move forward, so the first 
question is:

1. Do I really need this password? Or better, can the password be permanent? 
It’s a “closed” system, so in terms of security I think there’s no problem.

2. Can’t ipa-client-install use the hostname of the node automatically? Do I 
really need to fill in the hostname? Because this kills the idea of a generic 
image.

Thank you all guys.


> On 23 Sep 2019, at 04:04, Florence Blanc-Renaud  wrote:
> 
> On 9/23/19 1:10 AM, Vinícius Ferrão via FreeIPA-users wrote:
>> Hello, the subject of the message may sound a little bit strange, but let me 
>> explain what I’m trying to do.
>> I have a machine with a provisioner (xCAT) that is able to boot and control 
>> different types of computer nodes. A stateless node is just a machine that 
>> boots over the network from a shared image on the server.
>> What am I trying to do?
>> Join those stateless nodes to FreeIPA Server.
>> To do this, I’m aware that I can’t just run freeipa-client-install on the 
>> image chroot, since it will not behave as expected.
>> At this point xCAT (the provisioner) can create the DNS records of the 
>> stateless nodes on FreeIPA integrated DNS (using TSIG keys). But I need to 
>> properly join the nodes to the server.
>> Is there a way to manually register the nodes on the server?
>> And about the users? How to enable them? Just configure SSSD on the image 
>> and it should be fine?
>> The certificates, client certificates and things like this? Is there 
>> something that I need to do?
>> Automount?
>> Any help is really appreciated.
>> Thanks,
> 
> Hi,
> xCAT probably offers you the possibility to run a custom script at the end of 
> the installation. If it's the case, you can use a workflow similar to what is 
> described in "Setting up an IdM Client Through Kickstart" [1]. You need to 
> create a client host entry first, and the custom script on the client will 
> call ipa-client-install.
> 
> HTH,
> flo
> 
> [1] 
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/client-kickstart





[Freeipa-users] Re: Manually join machines in stateless environment

2019-09-23 Thread Florence Blanc-Renaud via FreeIPA-users

On 9/23/19 1:10 AM, Vinícius Ferrão via FreeIPA-users wrote:

Hello, the subject of the message may sound a little bit strange, but let me 
explain what I’m trying to do.

I have a machine with a provisioner (xCAT) that is able to boot and control 
different types of computer nodes. A stateless node is just a machine that 
boots over the network from a shared image on the server.

What am I trying to do?

Join those stateless nodes to FreeIPA Server.

To do this, I’m aware that I can’t just run freeipa-client-install on the image 
chroot, since it will not behave as expected.

At this point xCAT (the provisioner) can create the DNS records of the 
stateless nodes on FreeIPA integrated DNS (using TSIG keys). But I need to 
properly join the nodes to the server.

Is there a way to manually register the nodes on the server?
And about the users? How to enable them? Just configure SSSD on the image and 
it should be fine?
The certificates, client certificates and things like this? Is there something 
that I need to do?
Automount?

Any help is really appreciated.

Thanks,






Hi,
xCAT probably offers you the possibility to run a custom script at the 
end of the installation. If it's the case, you can use a workflow 
similar to what is described in "Setting up an IdM Client Through 
Kickstart" [1]. You need to create a client host entry first, and the 
custom script on the client will call ipa-client-install.


HTH,
flo

[1] 
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/client-kickstart



[Freeipa-users] Re: Manually join machines in stateless environment

2019-09-22 Thread Angus Clarke via FreeIPA-users
Hi

Perhaps some boot script to run the ipa-client-install command when a new 
instance boots up? I'm not sure how the system would behave if you run the 
ipa-client-install command multiple times, should the same machine name boot 
more than once.

For HBAC rules you can use "auto-member" to automatically put new hosts into 
particular host groups for which you would have existing HBAC rules.

Regards
Angus




From: Vinícius Ferrão via FreeIPA-users 
Sent: 23 September 2019 01:10
To: freeipa-users@lists.fedorahosted.org 
Cc: Vinícius Ferrão 
Subject: [Freeipa-users] Manually join machines in stateless environment

Hello, the subject of the message may sound a little bit strange, but let me 
explain what I’m trying to do.

I have a machine with a provisioner (xCAT) that is able to boot and control 
different types of computer nodes. A stateless node is just a machine that 
boots over the network from a shared image on the server.

What am I trying to do?

Join those stateless nodes to FreeIPA Server.

To do this, I’m aware that I can’t just run freeipa-client-install on the image 
chroot, since it will not behave as expected.

At this point xCAT (the provisioner) can create the DNS records of the 
stateless nodes on FreeIPA integrated DNS (using TSIG keys). But I need to 
properly join the nodes to the server.

Is there a way to manually register the nodes on the server?
And about the users? How to enable them? Just configure SSSD on the image and 
it should be fine?
The certificates, client certificates and things like this? Is there something 
that I need to do?
Automount?

Any help is really appreciated.

Thanks,

