Chapter 14. Installing an IdM client with Kickstart
A Kickstart enrollment automatically adds a new system to the Identity Management (IdM) domain at the time Red Hat Enterprise Linux is installed.
14.1. Installing a client with Kickstart
Follow this procedure to use a Kickstart file to install an Identity Management (IdM) client.
Prerequisites
-
Do not start the
sshd
service prior to the kickstart enrollment. Startingsshd
before enrolling the client generates the SSH keys automatically, but the Kickstart file in Section 14.2, “Kickstart file for client installation” uses a script for the same purpose, which is the preferred solution.
Procedure
Pre-create the host entry on the IdM server, and set a temporary password for the entry:
$ ipa host-add client.example.com --password=secret
The password is used by Kickstart to authenticate during the client installation and expires after the first authentication attempt. After the client is successfully installed, it authenticates using its keytab.
-
Create a Kickstart file with the contents described in Section 14.2, “Kickstart file for client installation”. Make sure that network is configured properly in the Kickstart file using the
network
command. - Use the Kickstart file to install the IdM client.
14.2. Kickstart file for client installation
You can use a Kickstart file to install an Identity Management (IdM) client. The contents of the Kickstart file must meet certain requirements as outlined here.
- The
ipa-client
package in the list of packages to install Add the
ipa-client
package to the %packages section of the Kickstart file. For example:%packages ...
ipa-client
...- Post-installation instructions for the IdM client
The post-installation instructions must include:
- An instruction for ensuring SSH keys are generated before enrollment
An instruction to run the
ipa-client-install
utility, while specifying:- All the required information to access and configure the IdM domain services
- The password which you set when pre-creating the client host on the IdM server. in Section 14.1, “Installing a client with Kickstart”.
For example, the post-installation instructions for a Kickstart installation that uses a one-time password and retrieves the required options from the command line rather than via DNS can look like this:
%post --log=/root/ks-post.log # Generate SSH keys; ipa-client-install uploads them to the IdM server by default /usr/libexec/openssh/sshd-keygen rsa # Run the client install script /usr/sbin/ipa-client-install --hostname=client.example.com --domain=EXAMPLE.COM --enable-dns-updates --mkhomedir -w secret --realm=EXAMPLE.COM --server=server.example.com
Optionally, you can also include other options in the Kickstart file, such as:
-
For a non-interactive installation, add the
--unattended
option toipa-client-install
. To let the client installation script request a certificate for the machine:
-
Add the
--request-cert
option toipa-client-install
. Set the system bus address to
/dev/null
for both thegetcert
andipa-client-install
utility in the Kickstartchroot
environment. To do this, add these lines to the post-installation instructions in the Kickstart file before theipa-client-install
instruction:# env DBUS_SYSTEM_BUS_ADDRESS=unix:path=/dev/null getcert list # env DBUS_SYSTEM_BUS_ADDRESS=unix:path=/dev/null ipa-client-install
-
Add the
14.3. Testing an IdM client
The command-line interface informs you that the ipa-client-install
was successful, but you can also do your own test.
To test that the Identity Management (IdM) client can obtain information about users defined on the server, check that you are able to resolve a user defined on the server. For example, to check the default admin
user:
[user@client ~]$ id admin
uid=1254400000(admin) gid=1254400000(admins) groups=1254400000(admins)
To test that authentication works correctly, su
to a root user from a non-root user:
[user@client ~]$ su -
Last login: Thu Oct 18 18:39:11 CEST 2018 from 192.168.122.1 on pts/0
[root@client ~]#