On Wed, Nov 30, 2011 at 12:59 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
>
> The only part assuming that is ipa-join itself. IPA does not support the
> direct use of kadmin or kadmin.local. On a supported platform you'd run:
>
> # ipa-getkeytab -s ipa.example.com -k /tmp/remote.keytab -p host/remote.example.com
>
> Then ship /tmp/remote.keytab to the machine and either use ktutil to combine
> it with /etc/krb5.keytab or replace krb5.keytab with it (and fix owner and
> permissions, and potentially SELinux context).
OK, got it. I can use the FreeIPA system itself to grab these for the host and services, and then the new remote machine will have all the principals it requires to work within the FreeIPA realm.

> certmonger gets its IPA configuration from /etc/ipa/default.conf. If you
> don't want or have certmonger then you can skip the CA bit altogether.
> Otherwise you'll need to copy in a working config.

OK, this requires certmonger. If I still want a FreeIPA-signed cert (say I need to talk SSL to the FreeIPA directory for mail server config purposes, e.g. to check the existence of an email address) without certmonger, I can use certmonger on the FreeIPA server or the UI to sign a CSR generated using NSS on the remote system, then transport the cert to the remote system and manually install it for Apache, the LDAP client, etc., right?

I'm not trying to supplant FreeIPA here. Obviously the best (and almost effortless) solution is to have freeipa-client and certmonger on the system; however, if I'm stuck with an older version of Red Hat or some other OS that just doesn't conveniently support FreeIPA, I just want to be able to get a cert and the necessary principals to be able to easily work within the FreeIPA realm. I also sort of like to know how everything works in more detail, just in case something breaks and I have to make manual adjustments.

Steve

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
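The manual keytab step Rob describes (fetch with ipa-getkeytab on the IPA server, ship the file, merge it into /etc/krb5.keytab with ktutil, then fix owner, permissions and SELinux context) as a small POSIX shell helper. This is an added example, not FreeIPA's own tooling or anything posted in the thread; the function names `merge_keytab`, `harden_keytab`, `keytab_is_hardened` and `has_principal` are hypothetical, and it assumes MIT Kerberos `ktutil`/`klist` on the target host.

```shell
#!/bin/sh
# Hypothetical helper (not part of FreeIPA): install a keytab that was
# generated on the IPA server with ipa-getkeytab and copied to this host.
set -eu

# Merge $1 (e.g. /tmp/remote.keytab) into $2 (default /etc/krb5.keytab).
# If the target keytab is empty or absent, the shipped file simply replaces it.
merge_keytab() {
    src=$1
    dst=${2:-/etc/krb5.keytab}
    if [ -s "$dst" ]; then
        # ktutil reads both keytabs into memory and writes their union.
        # wkt appends to an existing file, so make sure the temp file is fresh.
        rm -f "$dst.new"
        printf 'rkt %s\nrkt %s\nwkt %s.new\nquit\n' "$dst" "$src" "$dst" | ktutil
        mv -f "$dst.new" "$dst"
    else
        cp "$src" "$dst"
    fi
    harden_keytab "$dst"
}

# A keytab holds long-term keys for the host: root-only access, correct
# SELinux label. chown is skipped when not running as root so the function
# is still usable for a dry run on a scratch file.
harden_keytab() {
    f=$1
    if [ "$(id -u)" -eq 0 ]; then
        chown root:root "$f"
    fi
    chmod 600 "$f"
    if command -v restorecon >/dev/null 2>&1; then
        restorecon "$f"
    fi
}

# Returns 0 when the file is non-empty and exactly mode 0600.
keytab_is_hardened() {
    [ -s "$1" ] && [ -n "$(find "$1" -perm 600 -print)" ]
}

# Post-merge check: does the keytab contain the expected principal?
# Usage: has_principal /etc/krb5.keytab host/remote.example.com
has_principal() {
    klist -kt "$1" | grep -q "$2"
}
```

Typical use on the target host: `merge_keytab /tmp/remote.keytab` followed by `has_principal /etc/krb5.keytab host/remote.example.com` and then `kinit -k` as a final test that the host can obtain a ticket; remember to shred the /tmp copy afterwards, since it contains the same keys as the installed keytab.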