Host enrollment command
Description
When we create a new host and want it to accept logins with normal (LDAP/Kerberos) credentials, we need to:
- Create a new LDAP entry, so the host can see things in LDAP
- Create a new kerberos principal, like host/office.internal.tardisproject.uk
- Create a key for the kerberos principal, and put this on the host
- Configure sssd on the host, with the LDAP creds and kerberos keytab.
This is a lot of effort, so it would be good to automate it as much as possible. At least the keytab generation and config generation could probably be added to sonic-screwdriver's CLI, which would already be good.
Optionally, it could have some extra flags for things like 'only admins can log into this', or 'only users with this group can login to this'.
Resources
- Kerberos adapter used for the web interface, which uses kadmin.local. Since kadmin.local only works on the KDC itself, there will need to be a new adapter designed to run on a machine other than the kerberos domain controller.
- Ldap adapter. Note that the User::System enum variant is meant for services, not hosts.
- Example of an SSSD config:
[sssd]
domains = tardisproject.uk
[domain/tardisproject.uk]
id_provider = ldap
sudo_provider = ldap
auth_provider = krb5
chpass_provider = krb5
krb5_realm = TARDISPROJECT.UK
krb5_server = kdc.internal.tardisproject.uk
krb5_kpasswd = kadm.internal.tardisproject.uk
ldap_uri = ldap://ldap.internal.tardisproject.uk
ldap_search_base = dc=tardisproject,dc=uk
ldap_user_search_base = ou=people,ou=users,dc=tardisproject,dc=uk
ldap_default_bind_dn = uid=office,ou=hosts,dc=tardisproject,dc=uk
ldap_default_authtok_type = password
ldap_default_authtok = ...
override_shell = /usr/bin/bash
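As an added sketch (not sonic-screwdriver's own code) of what an enrollment command could generate from the steps and the config above: the host principal, the kadmin steps that produce the keytab, and an sssd.conf that also carries the optional "only these groups can log in" restriction. The HostEnrollment type, its allow_groups field, and the use of SSSD's simple access provider for that flag are assumptions, not anything the project has decided on.

```rust
/// Per-host enrollment parameters (hypothetical type, not sonic-screwdriver's own API).
pub struct HostEnrollment {
    /// Short host name, e.g. "office"; FQDN is <short>.internal.tardisproject.uk.
    pub short_name: String,
    /// POSIX groups allowed to log in; empty means any LDAP user may log in.
    pub allow_groups: Vec<String>,
}
/// Static part of the sssd.conf from the issue; per-host lines are appended below.
const SSSD_BASE: &str = "[sssd]
domains = tardisproject.uk
[domain/tardisproject.uk]
id_provider = ldap
sudo_provider = ldap
auth_provider = krb5
chpass_provider = krb5
krb5_realm = TARDISPROJECT.UK
krb5_server = kdc.internal.tardisproject.uk
krb5_kpasswd = kadm.internal.tardisproject.uk
ldap_uri = ldap://ldap.internal.tardisproject.uk
ldap_search_base = dc=tardisproject,dc=uk
ldap_user_search_base = ou=people,ou=users,dc=tardisproject,dc=uk
";
impl HostEnrollment {
    pub fn principal(&self) -> String {
        format!("host/{}.internal.tardisproject.uk", self.short_name)
    }
    /// kadmin subcommands: random key for the principal, then export it into the
    /// keytab that gets copied to the host (run by an adapter with kadmin rights).
    pub fn kadmin_commands(&self, keytab: &str) -> Vec<String> {
        vec![
            format!("addprinc -randkey {}", self.principal()),
            format!("ktadd -k {} {}", keytab, self.principal()),
        ]
    }
    /// Render sssd.conf; `authtok` is the host's LDAP bind password. Hosts bind
    /// from ou=hosts, unlike users, who live under ou=people,ou=users.
    pub fn sssd_conf(&self, authtok: &str) -> String {
        let mut conf = format!(
            "{SSSD_BASE}ldap_default_bind_dn = uid={},ou=hosts,dc=tardisproject,dc=uk\n\
             ldap_default_authtok_type = password\nldap_default_authtok = {authtok}\n\
             override_shell = /usr/bin/bash\n",
            self.short_name
        );
        if !self.allow_groups.is_empty() {
            // Optional restriction flag: SSSD's simple access provider (assumed choice).
            conf.push_str("access_provider = simple\n");
            conf.push_str(&format!("simple_allow_groups = {}\n", self.allow_groups.join(", ")));
        }
        conf
    }
}
```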
Edited by Aria Shrimpton