DESCRIPTION
ncm-freeipa provides support for FreeIPA configuration for
- server: add users, groups, services
- client: retrieve keytabs and certificates
- initialisation: get started n an already deployed host
- AII: add initialisation in kickstart and support removal
Server
On the server, create a keytab for the quattor-server user kinit admin
uidadmin=`ipa user-show admin |grep UID: |sed "s/UID://;s/ //g;"`
gidadmin=`ipa user-show admin |grep GID: |sed "s/GID://;s/ //g;"`
# keep random password; it's already expired
ipa user-add quattor-server --first=server --last=quattor --random --uid=$(($uidadmin+1)) --gidnumber=$(($gidadmin+1))
kdestroy
# use expired random password; and pick new random password (new password is not relevant)
kinit quattor-server
kdestroy
kinit admin
ipa role-add "Quattor server"
for priv in "Host Administrators" "DNS Administrators" "Group Administrators" "Service Administrators" "User Administrators"; do
ipa role-add-privilege "Quattor server" --privileges="$priv"
done
ipa role-add-member --users=quattor-server "Quattor server"
# use -r option to retrieve existing keytab (e.g. from another ipa server)
ipa-getkeytab -p quattor-server -k `/etc/quattor`-server.keytab -s ipaserver.example.com
Use these with ncm-freeipa on the server.
prefix "/software/components/freeipa/principals/server";
"principal" = "quattor-server";
"keytab" = "/etc/quattor-server.keytab";
(Do not retrieve a keytab for the admin user; it resets the admin password).
AII
The AII hooks act on behalf of the host it is going to setup, so any of those principals cannot be used. Instead we use a fixed AII principal and keytab.
First we need to add a user with appropriate privileges kinit admin
uidadmin=`ipa user-show admin |grep UID: |sed "s/UID://;s/ //g;"`
gidadmin=`ipa user-show admin |grep GID: |sed "s/GID://;s/ //g;"`
# keep random password; it's already expired
ipa user-add quattor-aii --first=aii --last=quattor --random --uid=$(($uidadmin+2)) --gidnumber=$(($gidadmin+2))
kdestroy
# use expired random password; and pick new random password (new password is not relevant)
kinit quattor-aii
kdestroy
kinit admin
ipa role-add "Quattor AII"
ipa role-add-privilege "Quattor AII" --privileges="Host Administrators"
ipa role-add-member --users=quattor-aii "Quattor AII"
On the AII host (assuming the host is already added to IPA)
kinit admin
# use -r option to retrieve existing keytab (e.g. from another AII server)
ipa-getkeytab -p quattor-aii -k /etc/quattor
-aii.keytab -s ipaserver.example.com
kdestroy
(If you have granted the host principal the rights to retrieve the quattor-aii keytab, you can add in the template of the AII host prefix "/software/components/freeipa/principals/aii"; "principal" = "quattor-aii"; "keytab" = "/etc/quattor-aii.keytab"; )
Missing
- role / privileges
- retrieve use keytabs
- AII principal/keytab via config file
Methods
server
Configure server settings
server
Configure server settings