Re: [Freeipa-users] Centos7/IPA4.2 : disable/enable hosts

2017-04-12 Thread Johan Vermeulen
Hello Rob,

doing it this way indeed works.
Thanks for helping me out.

Greetings, J.

2017-04-11 16:54 GMT+02:00 Rob Crittenden :

> Johan Vermeulen wrote:
> > Rob,
> >
> > thanks for helping me out.
> > I support some 80 laptop users at the moment, all running Centos7.
> > The users are now in ldap, the laptops (hosts) are not. I'm testing the
> > ability to add the laptops as hosts.
> >
> > Under "identity - hosts", when selecting a host, I go to "actions". The
> > only way I see to disable (block) a host, what I would do when
> > a laptop is stolen for instance, is unprovision.
> > I then tried to re-provision it, I see no "provision" option. I tried to
> > "rebuild auto membership" and "new certificate" but that doesn't seem
> > to work.
> > I hope I'm making sense.
>
> In the case of a lost or stolen laptop then disabling the host seems
> like a good mechanism. It will revoke any certificates issued for the
> host and invalidate its keytab.
>
> Provisioning happens when ipa-client-install is run on the host [1].
> There is no facility for remote provisioning.
>
> rob
>
> [1] technically a host is provisioned when it has a keytab but this
> doesn't configure that host to actually use it and you potentially need
> to safely transfer this keytab to the host.
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Centos7/IPA4.2 : disable/enable hosts

2017-04-11 Thread Rob Crittenden
Johan Vermeulen wrote:
> Rob,
> 
> thanks for helping me out.
> I support some 80 laptop users at the moment, all running Centos7.
> The users are now in ldap, the laptops (hosts) are not. I'm testing the
> ability to add the laptops as hosts.
> 
> Under "identity - hosts", when selecting a host, I go to "actions". The
> only way I see to disable (block) a host, what I would do when
> a laptop is stolen for instance, is unprovision.
> I then tried to re-provision it, I see no "provision" option. I tried to
> "rebuild auto membership" and "new certificate" but that doesn't seem
> to work.
> I hope I'm making sense.

In the case of a lost or stolen laptop then disabling the host seems
like a good mechanism. It will revoke any certificates issued for the
host and invalidate its keytab.

Provisioning happens when ipa-client-install is run on the host [1].
There is no facility for remote provisioning.

rob

[1] technically a host is provisioned when it has a keytab but this
doesn't configure that host to actually use it and you potentially need
to safely transfer this keytab to the host.
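
The lost-laptop step described in the message above, as an added example that is not part of the original thread: disable the host with the `ipa` CLI and check from `ipa host-show` that the keytab is gone. The host names, the sample output and the `IPA_CMD` override are constructed for illustration; an admin Kerberos ticket is assumed.

```shell
#!/bin/sh
# Added example: lost/stolen laptop response, run where the ipa CLI is
# available with an admin ticket (kinit admin). Host names are placeholders.

# Constructed sample of `ipa host-show` output for an enrolled host.
SAMPLE_ENROLLED='  Host name: laptop01.example.test
  Principal name: host/laptop01.example.test@EXAMPLE.TEST
  Password: False
  Keytab: True'

# Reads `ipa host-show` output on stdin; succeeds if the host still has a keytab.
host_has_keytab() {
    awk -F': *' '/^[[:space:]]*Keytab:/ { k = ($2 ~ /^True/) } END { exit !k }'
}

# Disable a host, then confirm the keytab is really gone.
# IPA_CMD is a hypothetical override so the function can be dry-run or tested.
disable_lost_host() {
    fqdn=$1
    ${IPA_CMD:-ipa} host-disable "$fqdn" || return 1
    if ${IPA_CMD:-ipa} host-show "$fqdn" | host_has_keytab; then
        echo "WARNING: $fqdn still has a keytab" >&2
        return 2
    fi
    echo "$fqdn disabled"
}

# Usage on the IPA side:
#   disable_lost_host laptop01.example.test
# If the laptop is recovered, re-enroll from the laptop itself:
#   ipa-client-install --uninstall
#   ipa-client-install
```
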



Re: [Freeipa-users] Centos7/IPA4.2 : disable/enable hosts

2017-04-11 Thread Johan Vermeulen
Hello,

thanks for the advice.
I will try this asap.

Greetings, J.

2017-04-11 0:51 GMT+02:00 Lachlan Musicman :

> On 11 April 2017 at 00:14, Johan Vermeulen  wrote:
>
>> Hello All,
>>
>> just getting started with FreeIPA and one of the first features I'm
>> trying is adding hosts, something I can't do in our current
>> ldap-setup. So I'm looking forward to being able to do this.
>> But after adding a host, the only way I see to disable it is unprovision
>> it. And after doing that, I can't find a way to re-provision the host.
>>
>> Can anybody point me in the right direction regarding this?
>>
>> Many thanks, J.
>>
>>
>
> Rob is right - it depends on what you are doing.
>
> But, in the meantime, here are a couple of pointers:
>
> How to enable/disable hosts
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/host-disable.html
>
>
> If what you are after is having it in the domain but restricting access,
> then you are looking for "Host Based Access Control"
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/configuring-host-access.html
>
>
> Cheers
> L.
>
>
>
> --
> The most dangerous phrase in the language is, "We've always done it this
> way."
>
> - Grace Hopper
>
>

Re: [Freeipa-users] Centos7/IPA4.2 : disable/enable hosts

2017-04-11 Thread Johan Vermeulen
Rob,

thanks for helping me out.
I support some 80 laptop users at the moment, all running Centos7.
The users are now in ldap, the laptops (hosts) are not. I'm testing the
ability to add the laptops as hosts.

Under "identity - hosts", when selecting a host, I go to "actions". The
only way I see to disable (block) a host, what I would do when
a laptop is stolen for instance, is unprovision.
I then tried to re-provision it, I see no "provision" option. I tried to
"rebuild auto membership" and "new certificate" but that doesn't seem to
work.
I hope I'm making sense.

Greetings, J.

2017-04-10 21:37 GMT+02:00 Rob Crittenden :

> Johan Vermeulen wrote:
> > Hello All,
> >
> > just getting started with FreeIPA and one of the first features I'm
> > trying is adding hosts, something I can't do in our current
> > ldap-setup. So I'm looking forward to being able to do this.
> > But after adding a host, the only way I see to disable it is unprovision
> > it. And after doing that, I can't find a way to re-provision the host.
> >
> > Can anybody point me in the right direction regarding this?
>
> I'm not sure I follow what you're doing and don't want to guess and send
> you on a wild goose chase :-)
>
> Can you elaborate on your workflow and the output you're seeing when you
> try to re-provision?
>
> rob
>
>

Re: [Freeipa-users] Centos7/IPA4.2 : disable/enable hosts

2017-04-10 Thread Lachlan Musicman
On 11 April 2017 at 00:14, Johan Vermeulen  wrote:

> Hello All,
>
> just getting started with FreeIPA and one of the first features I'm trying
> is adding hosts, something I can't do in our current
> ldap-setup. So I'm looking forward to being able to do this.
> But after adding a host, the only way I see to disable it is unprovision
> it. And after doing that, I can't find a way to re-provision the host.
>
> Can anybody point me in the right direction regarding this?
>
> Many thanks, J.
>
>

Rob is right - it depends on what you are doing.

But, in the meantime, here are a couple of pointers:

How to enable/disable hosts
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/host-disable.html


If what you are after is having it in the domain but restricting access,
then you are looking for "Host Based Access Control"

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/configuring-host-access.html


Cheers
L.



--
The most dangerous phrase in the language is, "We've always done it this
way."

- Grace Hopper

Re: [Freeipa-users] Centos7/IPA4.2 : disable/enable hosts

2017-04-10 Thread Rob Crittenden
Johan Vermeulen wrote:
> Hello All,
> 
> just getting started with FreeIPA and one of the first features I'm
> trying is adding hosts, something I can't do in our current
> ldap-setup. So I'm looking forward to being able to do this.
> But after adding a host, the only way I see to disable it is unprovision
> it. And after doing that, I can't find a way to re-provision the host.
> 
> Can anybody point me in the right direction regarding this?

I'm not sure I follow what you're doing and don't want to guess and send
you on a wild goose chase :-)

Can you elaborate on your workflow and the output you're seeing when you
try to re-provision?

rob



[Freeipa-users] Centos7/IPA4.2 : disable/enable hosts

2017-04-10 Thread Johan Vermeulen
Hello All,

just getting started with FreeIPA and one of the first features I'm trying
is adding hosts, something I can't do in our current
ldap-setup. So I'm looking forward to being able to do this.
But after adding a host, the only way I see to disable it is unprovision
it. And after doing that, I can't find a way to re-provision the host.

Can anybody point me in the right direction regarding this?

Many thanks, J.