People rebuild IPA client systems all the time and need to easily re-enroll the clients after rebuilding them, especially if they are virtual machines. This calls for a new provisioning method using a keytab.
Scenario:
Currently the OTP method does not work for re-enrolment because it requires two asynchronous operations: one to get a new OTP from IPA and another to call the install with the new OTP. Using the other provisioning schemes we support (the admin-based ones) means sticking the admin password into the kickstart files, which is not a good security practice.
The proposal is to allow backing up a keytab and then using that keytab to acquire a ticket and install the client.
Prerequisites:
1. System has already been enrolled
2. Host entry exists
3. Keytab was backed up
4. New authentication method/parameter is added to ipa-client-install
Proposed sequence:
1. Keytab is restored in a predefined place
2. ipa-client-install is called with the new argument --keytab=<path to keytab>
3. Client install does kinit using the keytab and then continues the enrolment, re-provisioning a new keytab, certs and ssh keys. The restored keytab is destroyed or overwritten.
Note: The system can be de-provisioned with or without calling ipa-client-install --uninstall, so the contents of the host entry might be different. The logic should work regardless of how the client was de-provisioned. Effectively, running ipa-client-install with the --keytab option should reinit/repair the client configuration if the keytab is correct, regardless of the current state of the client.
For more details about the discussion that led to the creation of this RFE see the mail thread: https://www.redhat.com/archives/freeipa-users/2013-January/msg00091.html
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=910901
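The backup / restore / re-enroll flow proposed above, written out as a shell script. This is an added example for this ticket, not FreeIPA project code. It uses the real `ipa-client-install --keytab` and `--unattended` options, but the installer binary is taken from the hypothetical `$IPA_CLIENT_INSTALL` variable so the script can be exercised without an IPA server (that variable is an assumption for testing, not an installer feature). The two points a practitioner cares about are that the backed-up keytab is the host's long-term key and must never be group/world readable, and that the restored copy must be destroyed once the installer has provisioned a fresh key.

```shell
#!/bin/sh
# Added example (not FreeIPA code): backup, restore and re-enroll with a keytab.
# $IPA_CLIENT_INSTALL is an assumption used to stub the installer in tests.
set -u

# Copy the host keytab (normally /etc/krb5.keytab) to a backup location,
# never letting the copy be readable by anyone but root.
# $1 = source keytab, $2 = backup destination
backup_keytab() {
    src=$1; dest=$2
    [ -r "$src" ] || { echo "backup_keytab: cannot read $src" >&2; return 1; }
    # umask 077 so the file is private from the moment it is created
    (umask 077 && cp "$src" "$dest") || return 1
    chmod 0600 "$dest"
}

# A keytab is equivalent to the host password: refuse one that is readable
# by group or others. Accepts 0600 or 0400 only. (GNU and BSD stat forms.)
keytab_is_private() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1" 2>/dev/null) || return 1
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Re-enroll the host with the restored keytab. On success the restored copy is
# destroyed: the installer has issued a new /etc/krb5.keytab, so the old key
# must not linger on disk. On failure it is kept, since it is still the only
# credential available for a retry.
# $1 = path to the restored keytab
reenroll_with_keytab() {
    kt=$1
    [ -f "$kt" ] || { echo "reenroll: $kt missing" >&2; return 1; }
    keytab_is_private "$kt" || { echo "reenroll: $kt has loose permissions, refusing" >&2; return 1; }
    # --keytab is the option this RFE asks for; --unattended suits kickstart %post
    "${IPA_CLIENT_INSTALL:-ipa-client-install}" --unattended --keytab "$kt" || return 1
    # shred where available, plain rm otherwise
    shred -u "$kt" 2>/dev/null || rm -f "$kt"
}

# Usage when run directly, e.g. from a kickstart %post section:
#   ./reenroll.sh --run /root/krb5.keytab.restored
if [ "${1:-}" = "--run" ]; then
    reenroll_with_keytab "${2:?path to restored keytab}"
fi
```

Run `backup_keytab /etc/krb5.keytab /some/private/store/krb5.keytab` on the enrolled host before rebuilding it, copy the file back into the rebuilt image, and call `reenroll_with_keytab` on it. The permission check deliberately runs before the installer so a keytab that was left world-readable by a careless copy is never used.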
From my investigation I would conclude that we cannot support client install using backed-up keytab when the host has been unenrolled (e.g. after running ipa-client-install --uninstall). When unenrolling, we disable the host entry in LDAP and therefore effectively disable the Kerberos key, SSL certificate and all services of a host.
We should only support reenrollment for clients that have not been unenrolled, and therefore still have a valid Kerberos key.
Move all uncompleted tickets to next month's bucket.
master: a38d93f
Metadata Update from @dpal: - Issue assigned to tbabej - Issue set to the milestone: FreeIPA 3.2 - 2013/03