[debian-lan-devel] on sending a kerberos keytab to the client machine
Thomas Neumann
blacky+fai at fluffbunny.de
Mon Sep 3 21:05:55 UTC 2012
Hello Andreas
"Andreas B. Mundt" <andi.mundt at web.de> wrote:
> I would like to present and 'ask for comments' on a way I figured out
> last week. Perhaps it is well known, but I did not hear/read something
> like that before. I have implemented it in the Debian-LAN setup [2]
> now, and so far it works fine.
I settled on something completely different to distribute a configuration
to 'unknown' clients. Cornerstone of this approach is replacing the
fai-config (especially softupdates) with puppet. During the client's
installation I create a unique id which is based on the machine-id provided
through BIOS/dmidecode and the current date. fai configures puppet to use
this id as this client's nodename and points puppet to the correct server.
I can then validate/sanity-check any new id on the puppetserver and either
acknowledge or deny them.
I rejected MAC-Addresses as identification because there's the question on
how do you pick 'the correct one' in case of multiple interfaces? ('eth0'
might change during reinstall). The date was added mostly to guarantee a
re-installed client does not receive a previous configuration. Depending
on your configuration this may or may not be a good thing. (classroom
environment with constantly recurring reinstalls versus static (production?)
environment where a re-install typically means the machine has been
repurposed.)
I'm not sure how that fits into your scenario. Maybe it totally replaces
Kerberos, maybe puppet can be used to distribute the keytab (and other
configuration items).
bye
thomas
More information about the debian-lan-devel
mailing list