On Tue, 2017-10-24 at 16:23 +1300, Aaron Hicks via FreeIPA-users wrote:
> Hello the FreeIPA List,
>
> We've got a FreeIPA directory set up and running. That's all good.
>
> The difficult part is that we also have a number (many) of SLE 12 SP2 hosts that need to be enrolled.
>
> I can see that the freeipa-client package has not been available to SLE/SUSE since 2015 or so, so the ipa-client-install, ipa-join, and ipa-getkeytab tools are unavailable. They would be nice, we'd just do a check and execute it when the host is redeployed to enroll and configure the host.
>
> We've managed to figure out the static parts of the required configuration (/etc/nsswitch.conf, /etc/sssd/sssd.conf and /etc/krb5.conf) as well as deploying the FreeIPA server's certificate to /etc/ipa/ca.crt. We can also enroll the hosts 'remotely' by scripting over their hostnames and IP addresses from a CSV file, so they exist in the FreeIPA directory and even join them to some hostgroups.
>
> The bit we're a bit stuck at is retrieving the host's Kerberos keytab. There does not seem to be a getkeytab request for the FreeIPA API, and the use of kadmin and ktutil to process the keytab is not recommended.
Use ipa-getkeytab on an admin workstation, then securely transfer the keytab to the servers.
> We need a stepwise process to run on the host being enrolled that gets the keytab from the FreeIPA directory and installs it into the host.
>
> At the moment the method that looks like it's going to work is to write a script that sshes to the FreeIPA server, kinits as a user who can retrieve keytabs, gets the keytab and writes it to a temporary file, scps the keytab back to the host, tidies up temp files, then returns to the host, validates the keytab, installs it, and restarts Kerberos/sshd/sssd.
This may work also.
> This seems less than ideal; alternatively, should we look at compiling the ipa-client into a package?
In the FreeIPA git repo there is, in the spec file, a variable that allows you to compile only the client bits IIRC. You should be able to compile that for SLES.
Simo.
--
Simo Sorce
Sr. Principal Software Engineer
Red Hat, Inc
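The workflow discussed in the thread (fetch the keytab with ipa-getkeytab on an admin workstation, copy it to the host, validate it, install it, restart sssd) hinges on the "validate" step actually checking the file rather than just running klist. The following is an added example and not code from this thread, from FreeIPA or from SUSE: a parser for the MIT version-2 keytab file format (the format ipa-getkeytab writes and krb5/sssd read) that checks the transferred file holds only `host/<fqdn>@REALM` entries, contains no DES/RC4 keys, has at least one AES key and a single kvno, and then installs it with mode 0600 through an atomic rename. The hostnames, realm, timestamp and key bytes are constructed test values, and the ACCEPTED_ENCTYPES/WEAK_ENCTYPES sets are an assumed site policy, not anything the thread states.

```python
import os
import struct
import tempfile

# MIT keytab file format, version 2 (magic 0x0502). Parser/validator are an added
# example for this thread, not FreeIPA's own code.
KEYTAB_MAGIC = b"\x05\x02"

# RFC 3961 enctype numbers. Assumption: this site accepts only the AES types.
ACCEPTED_ENCTYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}
WEAK_ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "arcfour-hmac"}


def _counted_octets(data, off):
    """Read a uint16-length-prefixed byte string; return (bytes, new offset)."""
    (n,) = struct.unpack_from(">H", data, off)
    off += 2
    return data[off:off + n], off + n


def parse_keytab(data):
    """Return one dict per live entry; negative-size slots are deleted holes and are skipped."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 MIT keytab")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                      # hole left by a deleted entry
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted_octets(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _counted_octets(data, off)
            comps.append(c.decode())
        name_type, timestamp = struct.unpack_from(">II", data, off)
        off += 8
        vno8 = data[off]
        off += 1
        enctype, keylen = struct.unpack_from(">HH", data, off)
        off += 4
        key = data[off:off + keylen]
        off += keylen
        kvno = vno8
        if end - off >= 4:                # optional 32-bit kvno; non-zero overrides vno8
            (vno32,) = struct.unpack_from(">I", data, off)
            kvno = vno32 or vno8
        off = end
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno, "enctype": enctype,
                        "timestamp": timestamp, "key": key})
    return entries


def validate_keytab(data, fqdn, realm):
    """Return a list of problems (empty list means the keytab is safe to install)."""
    try:
        entries = parse_keytab(data)
    except ValueError as exc:
        return [str(exc)]
    if not entries:
        return ["keytab contains no entries"]
    expected = f"host/{fqdn}@{realm}"
    problems = []
    for e in entries:
        if e["principal"] != expected:
            problems.append(f"unexpected principal {e['principal']} (want {expected})")
        if e["enctype"] in WEAK_ENCTYPES:
            problems.append(f"weak enctype {WEAK_ENCTYPES[e['enctype']]} present")
    if not any(e["enctype"] in ACCEPTED_ENCTYPES for e in entries):
        problems.append("no accepted AES enctype present")
    if len({e["kvno"] for e in entries}) > 1:
        problems.append("entries disagree on kvno (keytab mixes old and new keys)")
    return problems


def build_keytab(components, realm, kvno, keys):
    """Serialise a keytab with one entry per {enctype: key}. Used here only to
    construct test input; real keys come from ipa-getkeytab, never from code."""
    out = bytearray(KEYTAB_MAGIC)
    for enctype, key in keys.items():
        body = bytearray(struct.pack(">H", len(components)))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in components:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">II", 1, 1508824980)     # NT-PRINCIPAL, constructed timestamp
        body += struct.pack(">B", kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def install_keytab(data, path="/etc/krb5.keytab"):
    """Write the keytab 0600 via a temp file in the same directory plus an atomic
    rename, so no reader ever sees a half-written or world-readable keytab."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".krb5.keytab.")
    try:
        with os.fdopen(fd, "wb") as f:   # mkstemp already created tmp with mode 0600
            f.write(data)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise
    return path
```

On the admin workstation the file itself comes from `ipa-getkeytab -s <ipa-server> -p host/<fqdn> -k <file>` (the -s, -p and -k options are real ipa-getkeytab options; the values are placeholders); after copying it over, run `validate_keytab` on the host, call `install_keytab` only when it returns an empty list, then restart sssd. A non-empty result (wrong principal, RC4/DES keys, mixed kvno) is the signal that the wrong file was fetched or that the host's keys were re-issued while the copy was in flight, which is exactly the case a blind `cp` into /etc/krb5.keytab would silently get wrong.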