Discussion:
[Freeipa-users] Centos7/IPA4.2 : disable/enable hosts
Johan Vermeulen
2017-04-10 14:14:13 UTC
Hello All,

just getting started with FreeIPA and one of the first features I'm trying
is adding hosts, something I can't do in our current
ldap-setup. So I'm looking forward to being able to do this.
But after adding a host, the only way I see to disable it is unprovision
it. And after doing that, I can't find a way to re-provision the host.

Can anybody point me in the right direction regarding this?

Many thanks, J.
Rob Crittenden
2017-04-10 19:37:47 UTC
Post by Johan Vermeulen
Hello All,
just getting started with FreeIPA and one of the first features I'm
trying is adding hosts, something I can't do in our current
ldap-setup. So I'm looking forward to being able to do this.
But after adding a host, the only way I see to disable it is unprovision
it. And after doing that, I can't find a way to re-provision the host.
Can anybody point me in the right direction regarding this?
I'm not sure I follow what you're doing and don't want to guess and send
you on a wild goose chase :-)

Can you elaborate on your workflow and the output you're seeing when you
try to re-provision?

rob
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Johan Vermeulen
2017-04-11 08:02:46 UTC
Rob,

thanks for helping me out.
I support some 80 laptop users at the moment, all running Centos7.
The users are now in ldap, the laptops (hosts) are not. I'm testing the
ability to add the laptops as hosts.

Under "identity - hosts", when selecting a host, I go to "actions". The
only way I see to disable (block) a host, what I would do when
a laptop is stolen for instance, is unprovision.
I then tried to re-provision it, I see no "provision" option. I tried to
"rebuild auto membership" and "new certificate" but that doesn't seem to
work.
I hope I'm making sense.

Greetings, J.
Rob Crittenden
2017-04-11 14:54:16 UTC
Post by Johan Vermeulen
Rob,
thanks for helping me out.
I support some 80 laptop users at the moment, all running Centos7.
The users are now in ldap, the laptops (hosts) are not. I'm testing the
ability to add the laptops as hosts.
Under "identity - hosts", when selecting a host, I go to "actions". The
only way I see to disable (block) a host, what I would do when
a laptop is stolen for instance, is unprovision.
I then tried to re-provision it, I see no "provision" option. I tried to
"rebuild auto membership" and "new certificate" but that doesn't seem
to work.
I hope I'm making sense.
In the case of a lost or stolen laptop then disabling the host seems
like a good mechanism. It will revoke any certificates issued for the
host and invalidate its keytab.

Provisioning happens when ipa-client-install is run on the host [1].
There is no facility for remote provisioning.

rob

[1] technically a host is provisioned when it has a keytab but this
doesn't configure that host to actually use it and you potentially need
to safely transfer this keytab to the host.
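
An added example, not part of the original thread: a small audit that checks whether hosts reported lost or stolen still hold a keytab, based on the "Keytab:" line of `ipa host-show`. The host names and the two sample outputs are constructed, and `show_host` is a hypothetical wrapper introduced here so the parser can be exercised without an IPA server.

```shell
#!/bin/sh
# Constructed samples of `ipa host-show <fqdn>` output (not from the thread).
SAMPLE_ENROLLED='  Host name: laptop01.example.test
  Principal name: host/laptop01.example.test@EXAMPLE.TEST
  Password: False
  Keytab: True
  Managed by: laptop01.example.test'

SAMPLE_DISABLED='  Host name: stolen01.example.test
  Principal name: host/stolen01.example.test@EXAMPLE.TEST
  Password: False
  Keytab: False
  Managed by: stolen01.example.test'

# keytab_state: read `ipa host-show` text on stdin; print True, False or unknown.
# "unknown" covers a failed lookup, so the audit below fails closed.
keytab_state() {
    awk -F': *' '
        /^[ \t]*Keytab:/ { print $2; found = 1; exit }
        END { if (!found) print "unknown" }
    '
}

# show_host: hypothetical wrapper around the real CLI (needs a Kerberos ticket).
show_host() {
    ipa host-show "$1" 2>/dev/null
}

# audit_lost_hosts FQDN...: report every listed host that is not confirmed
# disabled. Returns 1 if any host still has, or may still have, a keytab.
audit_lost_hosts() {
    audit_rc=0
    for audit_fqdn in "$@"; do
        audit_state=$(show_host "$audit_fqdn" | keytab_state)
        if [ "$audit_state" != "False" ]; then
            echo "$audit_fqdn: keytab state '$audit_state'; run: ipa host-disable $audit_fqdn"
            audit_rc=1
        fi
    done
    return $audit_rc
}

# Usage on a machine with admin credentials:
#   audit_lost_hosts stolen01.example.test stolen02.example.test
# A recovered laptop is re-provisioned by running ipa-client-install on it.
```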
Johan Vermeulen
2017-04-12 12:26:48 UTC
Hello Rob,

doing it this way indeed works.
Thanks for helping me out.

Greetings, J.
Lachlan Musicman
2017-04-10 22:51:55 UTC
Post by Johan Vermeulen
Hello All,
just getting started with FreeIPA and one of the first features I'm trying
is adding hosts, something I can't do in our current
ldap-setup. So I'm looking forward to being able to do this.
But after adding a host, the only way I see to disable it is unprovision
it. And after doing that, I can't find a way to re-provision the host.
Can anybody point me in the right direction regarding this?
Many thanks, J.
Rob is right - it depends on what you are doing.

But, in the meantime, here are a couple of pointers:

How to enable/disable hosts
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/host-disable.html


If what you are after is having it in the domain but restricting access,
then you are looking for "Host Based Access Control"

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/configuring-host-access.html


Cheers
L.



------
The most dangerous phrase in the language is, "We've always done it this
way."

- Grace Hopper
Johan Vermeulen
2017-04-11 08:07:34 UTC
Hello,

thanks for the advice.
I will try this asap.

Greetings, J.