Re: [Freeipa-users] Centos7/IPA4.2 : disable/enable hosts
Hello Rob,

doing it this way indeed works. Thanks for helping me out.

Greetings, J.

2017-04-11 16:54 GMT+02:00 Rob Crittenden:

> Johan Vermeulen wrote:
> > Rob,
> >
> > thanks for helping me out.
> > I support some 80 laptop users at the moment, all running Centos7.
> > The users are now in ldap, the laptops (hosts) are not. I'm testing the
> > ability to add the laptops as hosts.
> >
> > Under "identity - hosts", when selecting a host, I go to "actions". The
> > only way I see to disable (block) a host, what I would do when
> > a laptop is stolen for instance, is unprovision.
> > I then tried to re-provision it, I see no "provision" option. I tried to
> > "rebuild auto membership" and "new certificate" but that doesn't seem
> > to work.
> > I hope I'm making sense.
>
> In the case of a lost or stolen laptop then disabling the host seems
> like a good mechanism. It will revoke any certificates issued for the
> host and invalidate its keytab.
>
> Provisioning happens when ipa-client-install is run on the host [1].
> There is no facility for remote provisioning.
>
> rob
>
> [1] technically a host is provisioned when it has a keytab but this
> doesn't configure that host to actually use it and you potentially need
> to safely transfer this keytab to the host.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Centos7/IPA4.2 : disable/enable hosts
Johan Vermeulen wrote:
> Rob,
>
> thanks for helping me out.
> I support some 80 laptop users at the moment, all running Centos7.
> The users are now in ldap, the laptops (hosts) are not. I'm testing the
> ability to add the laptops as hosts.
>
> Under "identity - hosts", when selecting a host, I go to "actions". The
> only way I see to disable (block) a host, what I would do when
> a laptop is stolen for instance, is unprovision.
> I then tried to re-provision it, I see no "provision" option. I tried to
> "rebuild auto membership" and "new certificate" but that doesn't seem
> to work.
> I hope I'm making sense.

In the case of a lost or stolen laptop then disabling the host seems
like a good mechanism. It will revoke any certificates issued for the
host and invalidate its keytab.

Provisioning happens when ipa-client-install is run on the host [1].
There is no facility for remote provisioning.

rob

[1] technically a host is provisioned when it has a keytab but this
doesn't configure that host to actually use it and you potentially need
to safely transfer this keytab to the host.
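The lost-laptop step described in the reply above, as an added shell example that is not part of the original thread: it disables the host with `ipa host-disable` and then confirms through `ipa host-show` that no keytab remains. The function names, the `IPA` override variable and the `Keytab: True/False` line format matched in the `host-show` output are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): respond to a lost or stolen laptop
# from an admin workstation that already holds an admin Kerberos ticket.

# Command used to talk to IPA; overridable so the logic can be dry-run
# against a stub (assumption of this example).
IPA="${IPA:-ipa}"

# host_has_keytab FQDN
# Succeeds while IPA still lists a keytab for the host.
# Assumes host-show prints a "Keytab: True" / "Keytab: False" line.
host_has_keytab() {
    "$IPA" host-show "$1" | grep -Eq '^[[:space:]]*Keytab:[[:space:]]*True'
}

# disable_lost_host FQDN
# Disables the host entry, then verifies that the keytab is really gone.
# Returns 1 if the disable call fails, 2 if a keytab is still present.
disable_lost_host() {
    fqdn="$1"
    "$IPA" host-disable "$fqdn" || return 1
    if host_has_keytab "$fqdn"; then
        echo "ERROR: $fqdn still has a keytab after host-disable" >&2
        return 2
    fi
    echo "$fqdn disabled: keytab invalidated"
}

# Re-provisioning cannot be done from here: as the reply says, it happens
# when ipa-client-install is run on the laptop itself. A machine that was
# enrolled before needs "ipa-client-install --uninstall" first.

# Run only when a hostname is given, e.g.: ./lost-host.sh laptop01.example.test
if [ "$#" -gt 0 ]; then
    disable_lost_host "$1"
fi
```
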
Re: [Freeipa-users] Centos7/IPA4.2 : disable/enable hosts
Hello,

thanks for the advice. I will try this asap.

Greetings, J.

2017-04-11 0:51 GMT+02:00 Lachlan Musicman:

> On 11 April 2017 at 00:14, Johan Vermeulen wrote:
>
>> Hello All,
>>
>> just getting started with FreeIPA and one of the first features I'm
>> trying is adding hosts, something I can't do in our current
>> ldap-setup. So I'm looking forward to being able to do this.
>> But after adding a host, the only way I see to disable it is unprovision
>> it. And after doing that, I can't find a way to re-provision the host.
>>
>> Can anybody point me in the right direction regarding this?
>>
>> Many thanks, J.
>
> Rob is right - it depends on what you are doing.
>
> But, in the meantime, here are a couple of pointers:
>
> How to enable/disable hosts
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/host-disable.html
>
> If what you are after is having it in the domain but restricting access,
> then you are looking for "Host Based Access Control"
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/configuring-host-access.html
>
> Cheers
> L.
>
> --
> The most dangerous phrase in the language is, "We've always done it this
> way."
>
> - Grace Hopper
Re: [Freeipa-users] Centos7/IPA4.2 : disable/enable hosts
Rob,

thanks for helping me out.
I support some 80 laptop users at the moment, all running Centos7.
The users are now in ldap, the laptops (hosts) are not. I'm testing the
ability to add the laptops as hosts.

Under "identity - hosts", when selecting a host, I go to "actions". The
only way I see to disable (block) a host, what I would do when
a laptop is stolen for instance, is unprovision.
I then tried to re-provision it, I see no "provision" option. I tried to
"rebuild auto membership" and "new certificate" but that doesn't seem
to work.
I hope I'm making sense.

Greetings, J.

2017-04-10 21:37 GMT+02:00 Rob Crittenden:

> Johan Vermeulen wrote:
> > Hello All,
> >
> > just getting started with FreeIPA and one of the first features I'm
> > trying is adding hosts, something I can't do in our current
> > ldap-setup. So I'm looking forward to being able to do this.
> > But after adding a host, the only way I see to disable it is unprovision
> > it. And after doing that, I can't find a way to re-provision the host.
> >
> > Can anybody point me in the right direction regarding this?
>
> I'm not sure I follow what you're doing and don't want to guess and send
> you on a wild goose chase :-)
>
> Can you elaborate on your workflow and the output you're seeing when you
> try to re-provision?
>
> rob
Re: [Freeipa-users] Centos7/IPA4.2 : disable/enable hosts
On 11 April 2017 at 00:14, Johan Vermeulen wrote:

> Hello All,
>
> just getting started with FreeIPA and one of the first features I'm trying
> is adding hosts, something I can't do in our current
> ldap-setup. So I'm looking forward to being able to do this.
> But after adding a host, the only way I see to disable it is unprovision
> it. And after doing that, I can't find a way to re-provision the host.
>
> Can anybody point me in the right direction regarding this?
>
> Many thanks, J.

Rob is right - it depends on what you are doing.

But, in the meantime, here are a couple of pointers:

How to enable/disable hosts
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/host-disable.html

If what you are after is having it in the domain but restricting access,
then you are looking for "Host Based Access Control"

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/configuring-host-access.html

Cheers
L.

--
The most dangerous phrase in the language is, "We've always done it this way."

- Grace Hopper
Re: [Freeipa-users] Centos7/IPA4.2 : disable/enable hosts
Johan Vermeulen wrote:
> Hello All,
>
> just getting started with FreeIPA and one of the first features I'm
> trying is adding hosts, something I can't do in our current
> ldap-setup. So I'm looking forward to being able to do this.
> But after adding a host, the only way I see to disable it is unprovision
> it. And after doing that, I can't find a way to re-provision the host.
>
> Can anybody point me in the right direction regarding this?

I'm not sure I follow what you're doing and don't want to guess and send
you on a wild goose chase :-)

Can you elaborate on your workflow and the output you're seeing when you
try to re-provision?

rob
[Freeipa-users] Centos7/IPA4.2 : disable/enable hosts
Hello All,

just getting started with FreeIPA and one of the first features I'm
trying is adding hosts, something I can't do in our current
ldap-setup. So I'm looking forward to being able to do this.
But after adding a host, the only way I see to disable it is unprovision
it. And after doing that, I can't find a way to re-provision the host.

Can anybody point me in the right direction regarding this?

Many thanks, J.