Michał Dwużnik wrote:
Sorry for quick continuation...

Certificate added to nss DB in /etc/pki
certutil -A -d /etc/pki/ -n "IPA CA" -t CT,C,C -a -i pki/ca.crt

sssd configured according to
http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/linux-manual.html

How do I test now, before changing PAM options that the pieces fit together?

Perhaps exercise nss with:

% id admin
% getent passwd admin
% getent group admin

You can substitute admin for any IPA user or group.

And really you can skip the cert step if you want. Unless you have something that will use it, we put a cert on the system as a convenience right now. There isn't currently anything using it by default.

rob



(Sorry for being a bit too tired...)

M.


On Fri, Aug 30, 2013 at 1:49 AM, Michał Dwużnik
<michal.dwuz...@gmail.com> wrote:

    Ok, going step by step I did the following on squeeze:

    set up ntp, time synced with ipa server

    test setup is done on
    ipa.localdomain (server)
    client.localdomain
    (client on Scientific Linux 6.4, looks ok after ipa-client-install,
    ssh works for test users tester and tester2)

    client2.localdomain is the Debian Squeeze client

    added host client2.localdomain on IPA server, added 'managedby', got
    the keytab and put the 'client2.keytab' in /etc/krb5.keytab on client2

    most important part of /etc/krb5.conf:

    [realms]
             LOCALDOMAIN = {
                     kdc = ipa.localdomain
                     admin_server = ipa.localdomain
             }

    [domain_realm]
             .localdomain = LOCALDOMAIN
             localdomain = LOCALDOMAIN
             default_domain = localdomain

    [libdefaults]
             default_realm = LOCALDOMAIN


    The following lets me think the KRB5 part of the setup is done
    correctly:

    root@client2:/etc# kinit admin
    Password for admin@LOCALDOMAIN:
    root@client2:/etc# kdestroy
    root@client2:/etc# kinit tester
    Password for tester@LOCALDOMAIN:
    root@client2:/etc# klis
    -su: klis: command not found
    root@client2:/etc# klist
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: tester@LOCALDOMAIN

    Valid starting     Expires            Service principal
    08/30/13 00:35:50  08/31/13 00:35:47  krbtgt/LOCALDOMAIN@LOCALDOMAIN


    root@client2:/etc# kpasswd tester
    Password for tester@LOCALDOMAIN:
    Enter new password:
    Enter it again:
    Password changed.


    I guess that's the point of snapshotting 'KRB done' state (can I be
    wrong?)

    DNS for all the hosts involved is similar to:
    root@client2:/etc# nslookup ipa
    Server:         192.168.137.29
    Address:        192.168.137.29#53

    Name:   ipa.localdomain
    Address: 192.168.137.13

    root@client2:/etc# nslookup 192.168.137.13
    Server:         192.168.137.29
    Address:        192.168.137.29#53

    13.137.168.192.in-addr.arpa     name = ipa.localdomain.

    Now I guess it's time for certificates, where I do have some doubts...

    I've added the SSH host keys via web interface, now the cert part:

    having generated the CSR after creating the new database:

      certutil -R -d . -a -g 2048 -s 'CN=client2.localdomain,O=LOCALDOMAIN'
    (in the /etc/pki dir) I paste the CSR and issue the certificate for the host

    (/etc/pki contains the newly created cert8.db, key3.db and secmod.db)

    Which of those should be used to add the cert to?

    (like certutil -A -d /etc/pki/nssdb -n "IPA CA" -t CT,C,C -a -i
    /path/to/ca.crt)

    All of the tries result in:
    root@client2:/etc/pki# certutil -A -d /etc/pki/cert8.db -n "IPA CA"
    -t CT,C,C -a -i ./ca.crt
    certutil: function failed: security library: bad database.
    root@client2:/etc/pki# certutil -A -d /etc/pki/secmod.db -n "IPA CA"
    -t CT,C,C -a -i ./ca.crt
    certutil: function failed: security library: bad database.
    root@client2:/etc/pki# certutil -A -d /etc/pki/key3.db -n "IPA CA"
    -t CT,C,C -a -i ./ca.crt
    certutil: function failed: security library: bad database.

    Could someone show me my mistake?

    Regards
    Michal



    On Thu, Aug 29, 2013 at 9:00 PM, Michał Dwużnik
    <michal.dwuz...@gmail.com> wrote:

        As for now I have set up a 'known good' client on RH based
        distro, to get the feeling how the config files
        look like when configured correctly.

        Thanks for the nice reference

        M.


        On Thu, Aug 29, 2013 at 7:56 PM, Rob Crittenden
        <rcrit...@redhat.com> wrote:

            Michał Dwużnik wrote:

                Hi folks,

                did anyone succeed in connecting such an old thing
                recently to a freeipa server?

                Is there a document (or an archive post) about
                connecting a 'non ipa aware' client step by step?
                I got as far as working Kerberos with no issues, hit a
                wall with the LDAP part...


            You might try this:
            http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/linux-manual.html

            rob




        --
        Michal Dwuznik




    --
    Michal Dwuznik




--
Michal Dwuznik


_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
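Two checks that follow from this thread, as an added example that is not part of the original posts: the "bad database" errors came from pointing certutil's -d at one of the database files instead of the directory holding them, and Rob's suggested test is to look the user up through NSS with getent. The sample passwd line below is constructed; the nssdb_dir_ok and passwd_entry_ok helper names are my own.

```shell
#!/bin/sh
# certutil -d expects the directory containing the NSS database, not one of
# its files. For the legacy dbm format seen in the thread that directory holds
# cert8.db, key3.db and secmod.db; passing a file gives
# "security library: bad database".
nssdb_dir_ok() {
    dir=$1
    [ -d "$dir" ] || return 1
    for f in cert8.db key3.db secmod.db; do
        [ -f "$dir/$f" ] || return 1
    done
    return 0
}

# Validate one line as returned by `getent passwd <user>`: exactly seven
# colon-separated fields, the expected login name, numeric uid and gid, and a
# non-empty home directory and shell. SSSD-served users normally show '*' in
# the password field, which is fine here.
passwd_entry_ok() {
    line=$1
    user=$2
    n=$(printf '%s\n' "$line" | awk -F: '{ print NF }')
    [ "$n" -eq 7 ] || return 1
    IFS=: read -r name pw uid gid gecos home shell <<EOF
$line
EOF
    [ "$name" = "$user" ] || return 1
    case $uid in '' | *[!0-9]*) return 1 ;; esac
    case $gid in '' | *[!0-9]*) return 1 ;; esac
    [ -n "$home" ] && [ -n "$shell" ] || return 1
    return 0
}

# Exercise NSS for an IPA user the way the reply suggests (id / getent) and
# check the passwd entry is well formed. Needs a working sssd on this host.
check_ipa_user() {
    user=$1
    id "$user" >/dev/null 2>&1 || { echo "id $user failed"; return 1; }
    entry=$(getent passwd "$user") || { echo "getent passwd $user failed"; return 1; }
    passwd_entry_ok "$entry" "$user" || { echo "malformed entry: $entry"; return 1; }
    getent group "$user" >/dev/null 2>&1 || echo "note: no group named $user"
    echo "NSS lookups for $user look fine"
}

# Usage: nssdb_dir_ok /etc/pki && check_ipa_user tester
```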

