Stephen Ingram wrote:
Rob-
On Wed, Nov 30, 2011 at 12:04 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
Retrieve the CA certificate for the FreeIPA CA.
# wget -O /etc/ipa/ca.crt http://ipa.example.com/ipa/config/ca.crt
Create a separate Kerberos configuration to test the provided credentials.
This enables a Kerberos connection to the FreeIPA XML-RPC server, necessary
to join the FreeIPA client to the FreeIPA domain. This Kerberos
configuration is ultimately discarded.
- Basically just copy a working krb5.conf to /etc/krb5.conf and set up sssd
or nss_ldap as documented.
# kinit admin
# ipa-join -s ipa.example.com -b dc=example,dc=com
Or if using a one-time password you can skip the kinit and do
# ipa-join -s ipa.example.com -b dc=example,dc=com -w Secret123
ipa-join lets IPA know a host is enrolled and retrieves a host principal and
stores it into /etc/krb5.keytab.
Enable certmonger, retrieve an SSL server certificate, and install the
certificate in /etc/pki/nssdb.
# service messagebus start
# service certmonger start
# certutil -A -d /etc/pki/nssdb -n 'IPA CA' -t CT,C,C -a -i /etc/ipa/ca.crt
# ipa-getcert request -d /etc/pki/nssdb -n 'IPA Machine Certificate - client.example.com' \
    -N 'cn=client.example.com,O=EXAMPLE.COM' -K host/client.example....@example.com
Disable the nscd daemon.
# service nscd stop
# chkconfig nscd off
Thanks, but aren't some of these steps assuming that ipa-client has
been installed on the system? For instance, instead of "# ipa-join -s
ipa.example.com -b dc=example,dc=com -w Secret123", can't I instead
use kadmin to retrieve the keytab and then securely copy it over to
the client system? And, in the case of the ca.crt, if IPA itself is not
installed, the ca would not go to /etc/ipa/ca.crt, no? I
realize that I will lose functionality by not having ipa-client, but
just trying to build a case for supporting legacy systems that I would
never want to take the time to adapt ipa-client for.
Steve
The only part assuming that is ipa-join itself. IPA does not support the
direct use of kadmin or kadmin.local. On a supported platform you'd run:
# ipa-getkeytab -s ipa.example.com -k /tmp/remote.keytab -p host/remote.example.com
Then ship /tmp/remote.keytab to the machine and either use ktutil to
combine it with /etc/krb5.keytab or replace krb5.keytab with it (and fix
owner and permissions, and potentially SELinux context).
certmonger gets its IPA configuration from /etc/ipa/default.conf. If you
don't want or have certmonger then you can skip the CA bit altogether.
Otherwise you'll need to copy in a working config.
rob
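The keytab hand-off Rob describes (ship /tmp/remote.keytab, merge it into /etc/krb5.keytab with ktutil or replace the file, then fix owner, permissions and SELinux context) as a script for the legacy client. This is an added example, not code from the thread or from the FreeIPA project. It assumes MIT Kerberos's ktutil and klist, that the keytab was copied to /tmp/remote.keytab as in the ipa-getkeytab command above, and that restorecon is present on hosts running SELinux; the script name install-keytab.sh is hypothetical.

```shell
#!/bin/sh
# Added example: install a keytab produced elsewhere with ipa-getkeytab on a
# legacy client that has no ipa-client. Not from the thread or from FreeIPA.
# Assumptions: MIT Kerberos ktutil/klist; the keytab was copied to $SHIPPED
# (default /tmp/remote.keytab, as in the ipa-getkeytab command in the thread);
# restorecon exists where SELinux is in use.

SHIPPED="${1:-/tmp/remote.keytab}"   # copied over from the IPA-supported host
KEYTAB="${2:-/etc/krb5.keytab}"      # the client's system keytab

# Print the octal mode of a file (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 if the keytab is unreadable by anyone but its owner (0600 or 0400).
keytab_mode_ok() {
    case "$(file_mode "$1")" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Return 0 if the keytab is owned by uid 0.
keytab_owner_ok() {
    owner=$(stat -c '%u' "$1" 2>/dev/null || stat -f '%u' "$1")
    [ "$owner" = "0" ]
}

# Append the entries of $1 to the keytab $2. MIT ktutil's write_kt appends to
# an existing file, so only the shipped keytab is read in; reading $2 as well
# would duplicate its entries.
merge_keytab() {
    ktutil <<EOF
read_kt $1
write_kt $2
quit
EOF
}

main() {
    [ -r "$SHIPPED" ] || { echo "cannot read $SHIPPED" >&2; return 1; }

    if [ -f "$KEYTAB" ]; then
        merge_keytab "$SHIPPED" "$KEYTAB"
    else
        # No existing keytab: the shipped file becomes /etc/krb5.keytab.
        install -o root -g root -m 0600 "$SHIPPED" "$KEYTAB"
    fi

    # Fix owner, permissions and (where applicable) SELinux label, then verify.
    chown root:root "$KEYTAB"
    chmod 0600 "$KEYTAB"
    if command -v restorecon >/dev/null 2>&1; then
        restorecon -v "$KEYTAB"
    fi
    keytab_owner_ok "$KEYTAB" || { echo "$KEYTAB not owned by root" >&2; return 1; }
    keytab_mode_ok "$KEYTAB"  || { echo "$KEYTAB is group/world readable" >&2; return 1; }

    # The shipped copy holds the same long-term key; do not leave it in /tmp.
    shred -u "$SHIPPED" 2>/dev/null || rm -f "$SHIPPED"

    # Show what the client now has (principal names and key timestamps).
    klist -kt "$KEYTAB"
}

# Run only when executed directly as install-keytab.sh, so the functions can
# also be sourced and checked without touching the system keytab.
case "$0" in
    *install-keytab.sh) main "$@" ;;
esac
```

Run it as root on the client with `sh install-keytab.sh /tmp/remote.keytab`. The merge path reads only the shipped file and lets ktutil append to the existing keytab, because MIT ktutil's write_kt adds entries rather than rewriting the file; the permission checks at the end are what catch a keytab left group- or world-readable after a manual copy.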
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users