Questo contenuto non è disponibile nella lingua selezionata.
Chapter 15. Installing an IdM client with Kickstart
A Kickstart enrollment automatically adds a new system to the Identity Management (IdM) domain at the time Red Hat Enterprise Linux is installed.
15.1. Installing a client with Kickstart
Follow this procedure to use a Kickstart file to install an Identity Management (IdM) client.
Prerequisites
-
Do not start the
sshdservice prior to the kickstart enrollment. Startingsshdbefore enrolling the client generates the SSH keys automatically, but the Kickstart file in Section 15.2, “Kickstart file for client installation” uses a script for the same purpose, which is the preferred solution.
Procedure
Pre-create the host entry on the IdM server, and set a temporary password for the entry:
$ ipa host-add client.example.com --password=secretThe password is used by Kickstart to authenticate during the client installation and expires after the first authentication attempt. After the client is successfully installed, it authenticates using its keytab.
-
Create a Kickstart file with the contents described in Section 15.2, “Kickstart file for client installation”. Make sure that network is configured properly in the Kickstart file using the
networkcommand. - Use the Kickstart file to install the IdM client.
15.2. Kickstart file for client installation
You can use a Kickstart file to install an Identity Management (IdM) client. The contents of the Kickstart file must meet certain requirements as outlined here.
- The
ipa-clientpackage in the list of packages to install Add the
ipa-clientpackage to the %packages section of the Kickstart file. For example:%packages ...
ipa-client...- Post-installation instructions for the IdM client
The post-installation instructions must include:
- An instruction for ensuring SSH keys are generated before enrollment
An instruction to run the
ipa-client-installutility, while specifying:- All the required information to access and configure the IdM domain services
- The password which you set when pre-creating the client host on the IdM server. in Section 15.1, “Installing a client with Kickstart”.
For example, the post-installation instructions for a Kickstart installation that uses a one-time password and retrieves the required options from the command line rather than via DNS can look like this:
%post --log=/root/ks-post.log # Generate SSH keys; ipa-client-install uploads them to the IdM server by default /usr/libexec/openssh/sshd-keygen rsa # Run the client install script /usr/sbin/ipa-client-install --hostname=client.example.com --domain=EXAMPLE.COM --enable-dns-updates --mkhomedir -w secret --realm=EXAMPLE.COM --server=server.example.com
Optionally, you can also include other options in the Kickstart file, such as:
-
For a non-interactive installation, add the
--unattendedoption toipa-client-install. To let the client installation script request a certificate for the machine:
-
Add the
--request-certoption toipa-client-install. Set the system bus address to
/dev/nullfor both thegetcertandipa-client-installutility in the Kickstartchrootenvironment. To do this, add these lines to the post-installation instructions in the Kickstart file before theipa-client-installinstruction:# env DBUS_SYSTEM_BUS_ADDRESS=unix:path=/dev/null getcert list # env DBUS_SYSTEM_BUS_ADDRESS=unix:path=/dev/null ipa-client-install
-
Add the
15.3. Testing an IdM client
The command-line interface informs you that the ipa-client-install was successful, but you can also do your own test.
To test that the Identity Management (IdM) client can obtain information about users defined on the server, check that you are able to resolve a user defined on the server. For example, to check the default admin user:
[user@client ~]$ id admin
uid=1254400000(admin) gid=1254400000(admins) groups=1254400000(admins)
To test that authentication works correctly, su to a root user from a non-root user:
[user@client ~]$ su -
Last login: Thu Oct 18 18:39:11 CEST 2018 from 192.168.122.1 on pts/0
[root@client ~]#