Re: [Freeipa-users] IPA Client join

2011-04-08 Thread Roland Kaeser
Hello Rob

Thanks for the srpm. Sorry but I just had time now to compile and test it. 
While installing and testing ipa-client-install, I found a small installation 
dependency problem in the spec.

To install the rpm the package nss-tools should be required. This provides 
/usr/bin/certutil which is executed by the ipa-client-install while joining the 
realm and getting the certificate. You eventually can add this additional 
installation dependency to the spec file.


Thanks

Roland



- Original Message -
From: "Rob Crittenden" 
To: "Roland Käser" 
CC: freeipa-users@redhat.com
Sent: Friday, 1 April 2011 16:54:24
Subject: Re: [Freeipa-users] IPA Client join

Roland Kaeser wrote:
> Hello
>
>> The next update will be in 6.1. I can probably cobble together a srpm
>> that would work on 6.0 until 6.1 is released if you'd like.
>
> Is there a definitive release date for 6.1? I would like to have srpm for 
> 6.0, if possible, to start building up my pilot.
> Thanks

Attached is a srpm that updates the OIDs. I did a very brief smoke-test 
and was able to join a 6.0 client to a F-15 server. The tarball is still 
alpha 3.

rob

>
> Roland
>
>
> - Original Message -
> From: "Rob Crittenden"
> To: "Roland Käser"
> CC: freeipa-users@redhat.com
> Sent: Thursday, 31 March 2011 20:46:27
> Subject: Re: [Freeipa-users] IPA Client join
>
> Roland Kaeser wrote:
>> Hello
>>
>>> Will there be an update to the ipa-client package in RHEL 6.0, or do we 
>>> have to wait for RHEL 6.1?
>
> The next update will be in 6.1. I can probably cobble together a srpm
> that would work on 6.0 until 6.1 is released if you'd like.
>
>>
>> So which is the software stack to use for my pilot and the later production 
>> environment?
>> I wouldn't like to use Fedora in company production environments. I would
>> really prefer to use RHEL6/6.1
>> I also checked the latest available Fedora 15 version. I only can find an
>> alpha version iso from February 28.
>>
>> I would really like to have a software stack which works with freeipa 
>> (client/server) and afs-server.
>
> Yeah, this is a bit of a grey area right now. IPA does a lot of cat
> herding and keeping all the various versions of the packages we require
> in sync is very tedious.
>
> For a pilot I think you'd be fine using Fedora 14 though I would
> recommend doing some amount of re-testing in F-15 once it is released.
> We've done 80% of our development in F-14 and it works very well. The
> dogtag project built F-14 packages for us as a favor. They don't want to
> support deployments of it because they've done zero testing of their own
> on F-14. You'd need to build the packages yourself though, we haven't
> pushed this to F-14 because of the dogtag issue. mock should be able to
> build it fairly painlessly.
>
> What I've done for my F-15 installations is to install F-14 and then
> upgrade to Fedora-15 from there. It has been fairly painless. The GA IPA
> release is in the stable repo of F-15 now.
>
> regards
>
> rob
>
>>
>>
>> - Original Message -
>> From: "Sigbjorn Lie"
>> To: "Rob Crittenden"
>> CC: "Roland Käser", freeipa-users@redhat.com
>> Sent: Thursday, 31 March 2011 16:14:34
>> Subject: Re: [Freeipa-users] IPA Client join
>>
>>>
>>> In rc2 we had to make a change to the OID used for some operations
>>> because they were duplicated. The OID for the ipa-getkeytab operation was 
>>> one of them, so older
>>> clients don't work with newer servers. IIRC the EL6 ipa-client was based on 
>>> the alpha 3 release.
>>>
>>> I attached a patch that gives the general idea of what needs to change.
>>> It was originally for the EL 5 branch but it may work with few changes
>>> in EL6.
>>>
>>
>> Will there be an update to the ipa-client package in RHEL 6.0, or do we have 
>> to wait for RHEL 6.1?
>>
>>
>> Rgds,
>> Siggi
>>
>>
>>
>
>


-- 

InterSoft Networks 
Roland Käser, Systems Engineer OpenSource 
Fulachstr. 197, 8200 Schaffhausen 
Tel: +41 77 415 79 11 
--
 
Those who give up their freedom for the sake of security 
will in the end have neither - and do not deserve it either. 
(Benjamin Franklin) 
--
 

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] IPA Client join

2011-04-01 Thread Dmitri Pal
On 04/01/2011 03:05 AM, Roland Kaeser wrote:
> Hello
>
>> The next update will be in 6.1. I can probably cobble together a srpm 
>> that would work on 6.0 until 6.1 is released if you'd like.
> Is there a definitive release date for 6.1? I would like to have srpm for 
> 6.0, if possible, to start building up my pilot.
> Thanks
>
> Roland
>
>
> - Original Message -
> From: "Rob Crittenden" 
> To: "Roland Käser" 
> CC: freeipa-users@redhat.com
> Sent: Thursday, 31 March 2011 20:46:27
> Subject: Re: [Freeipa-users] IPA Client join
>
> Roland Kaeser wrote:
>> Hello
>>
>>> Will there be an update to the ipa-client package in RHEL 6.0, or do we 
>>> have to wait for RHEL 6.1?
> The next update will be in 6.1. I can probably cobble together a srpm 
> that would work on 6.0 until 6.1 is released if you'd like.
>
>> So which is the software stack to use for my pilot and the later production 
>> environment?
>> I wouldn't like to use Fedora in company production environments. I would
>> really prefer to use RHEL6/6.1
>> I also checked the latest available Fedora 15 version. I only can find an
>> alpha version iso from February 28.
>>
>> I would really like to have a software stack which works with freeipa 
>> (client/server) and afs-server.
> Yeah, this is a bit of a grey area right now. IPA does a lot of cat 
> herding and keeping all the various versions of the packages we require 
> in sync is very tedious.
>
> For a pilot I think you'd be fine using Fedora 14 though I would 
> recommend doing some amount of re-testing in F-15 once it is released. 
> We've done 80% of our development in F-14 and it works very well. The 
> dogtag project built F-14 packages for us as a favor. They don't want to 
> support deployments of it because they've done zero testing of their own 
> on F-14. You'd need to build the packages yourself though, we haven't 
> pushed this to F-14 because of the dogtag issue. mock should be able to 
> build it fairly painlessly.
>
> What I've done for my F-15 installations is to install F-14 and then 
> upgrade to Fedora-15 from there. It has been fairly painless. The GA IPA 
> release is in the stable repo of F-15 now.
>
> regards
>
> rob
>
>>
>> - Original Message -
>> From: "Sigbjorn Lie"
>> To: "Rob Crittenden"
>> CC: "Roland Käser", freeipa-users@redhat.com
>> Sent: Thursday, 31 March 2011 16:14:34
>> Subject: Re: [Freeipa-users] IPA Client join
>>
>>> In rc2 we had to make a change to the OID used for some operations
>>> because they were duplicated. The OID for the ipa-getkeytab operation was 
>>> one of them, so older
>>> clients don't work with newer servers. IIRC the EL6 ipa-client was based on 
>>> the alpha 3 release.
>>>
>>> I attached a patch that gives the general idea of what needs to change.
>>> It was originally for the EL 5 branch but it may work with few changes
>>> in EL6.
>>>
>> Will there be an update to the ipa-client package in RHEL 6.0, or do we have 
>> to wait for RHEL 6.1?

RHEL update releases are coming at about every 6-7 months. The 6.0
release was in November. 6.1 beta is out. You can do your math.
Keep in mind that IPA in RHEL 6.1 will be in tech preview. This means
that it will work but it is not in the state when we are confident that
it meets all usual RHEL related quality expectations of our customers.
So we will be stabilizing it in upcoming months so that we can declare
full support in 6.2 later this year.


>>
>> Rgds,
>> Siggi
>>
>>
>>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.



Re: [Freeipa-users] IPA Client join

2011-04-01 Thread Roland Kaeser
Hello

>The next update will be in 6.1. I can probably cobble together a srpm 
>that would work on 6.0 until 6.1 is released if you'd like.

Is there a definitive release date for 6.1? I would like to have srpm for 6.0, 
if possible, to start building up my pilot.
Thanks

Roland


- Original Message -
From: "Rob Crittenden" 
To: "Roland Käser" 
CC: freeipa-users@redhat.com
Sent: Thursday, 31 March 2011 20:46:27
Subject: Re: [Freeipa-users] IPA Client join

Roland Kaeser wrote:
> Hello
>
>> Will there be an update to the ipa-client package in RHEL 6.0, or do we have 
>> to wait for RHEL 6.1?

The next update will be in 6.1. I can probably cobble together a srpm 
that would work on 6.0 until 6.1 is released if you'd like.

>
> So which is the software stack to use for my pilot and the later production 
> environment?
> I wouldn't like to use Fedora in company production environments. I would
> really prefer to use RHEL6/6.1
> I also checked the latest available Fedora 15 version. I only can find an
> alpha version iso from February 28.
>
> I would really like to have a software stack which works with freeipa 
> (client/server) and afs-server.

Yeah, this is a bit of a grey area right now. IPA does a lot of cat 
herding and keeping all the various versions of the packages we require 
in sync is very tedious.

For a pilot I think you'd be fine using Fedora 14 though I would 
recommend doing some amount of re-testing in F-15 once it is released. 
We've done 80% of our development in F-14 and it works very well. The 
dogtag project built F-14 packages for us as a favor. They don't want to 
support deployments of it because they've done zero testing of their own 
on F-14. You'd need to build the packages yourself though, we haven't 
pushed this to F-14 because of the dogtag issue. mock should be able to 
build it fairly painlessly.

What I've done for my F-15 installations is to install F-14 and then 
upgrade to Fedora-15 from there. It has been fairly painless. The GA IPA 
release is in the stable repo of F-15 now.

regards

rob

>
>
> - Original Message -
> From: "Sigbjorn Lie"
> To: "Rob Crittenden"
> CC: "Roland Käser", freeipa-users@redhat.com
> Sent: Thursday, 31 March 2011 16:14:34
> Subject: Re: [Freeipa-users] IPA Client join
>
>>
>> In rc2 we had to make a change to the OID used for some operations
>> because they were duplicated. The OID for the ipa-getkeytab operation was 
>> one of them, so older
>> clients don't work with newer servers. IIRC the EL6 ipa-client was based on 
>> the alpha 3 release.
>>
>> I attached a patch that gives the general idea of what needs to change.
>> It was originally for the EL 5 branch but it may work with few changes
>> in EL6.
>>
>
> Will there be an update to the ipa-client package in RHEL 6.0, or do we have 
> to wait for RHEL 6.1?
>
>
> Rgds,
> Siggi
>
>
>


-- 

InterSoft Networks 
Roland Käser, Systems Engineer OpenSource 
Fulachstr. 197, 8200 Schaffhausen 
Tel: +41 77 415 79 11 
--
 
Those who give up their freedom for the sake of security 
will in the end have neither - and do not deserve it either. 
(Benjamin Franklin) 
--
 


Re: [Freeipa-users] IPA Client join [OT]

2011-04-01 Thread Natxo Asenjo
On Fri, Apr 1, 2011 at 1:21 AM, Steven Jones  wrote:
> Hi,
>
> Just a note... on compatibility... yes I know IPA isn't fit yet but...
>
> If your POC environment is VMware based F14 isn't supported for vmtools and
> you can't install vmware tools either it barfs at kernel detection, not good.

I feel your pain but that's what tools like cfengine or puppet are for.
Just compile the vmware tools in one vm and distribute them to the
rest. Or just make a clone of that vm with the self compiled tools if
you feel having a configuration management tool is too much overhead
(IMO when having more than 10 hosts to manage, you will be glad you
have decided to use some config management).

We have waited so long for v2 of the freeipa project to come that we
no longer can wait for the long term support in rhel, it seems :-). It
really fills in a gap.

--
natxo



Re: [Freeipa-users] IPA Client join

2011-03-31 Thread Steven Jones
Hi,

Just a note... on compatibility... yes I know IPA isn't fit yet but...

If your POC environment is VMware based F14 isn't supported for vmtools and you 
can't install vmware tools either it barfs at kernel detection, not good. 

So, if I want to do freeIPA I have to run F14 on RHEL6.0 as KVMs and connect to 
VMWare ESXi with ethernet cables... then I have to have RHEL6 on real hardware 
as well running virtual box so I can run a virtualised copy of my Sun 7410 
array (NB you can't run virtual box on rhel6 with kvm at the same time) and 
there is no vmware or kvm image for the sun array software and I have to make 
this all work... it's goddam painful... you should see my desk... a spider 
would feel happy

:/

It will be really nice when there are some binary IPA rpms for RHEL 6.x, trying 
to / accidentally restricting stuff just hurts.  

:(

regards

Steven

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Rob Crittenden [rcrit...@redhat.com]
Sent: Friday, 1 April 2011 7:46 a.m.
To: Roland Käser
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] IPA Client join

Roland Kaeser wrote:
> Hello
>
>> Will there be an update to the ipa-client package in RHEL 6.0, or do we have 
>> to wait for RHEL 6.1?

The next update will be in 6.1. I can probably cobble together a srpm
that would work on 6.0 until 6.1 is released if you'd like.

>
> So which is the software stack to use for my pilot and the later production 
> environment?
> I wouldn't like to use Fedora in company production environments. I would
> really prefer to use RHEL6/6.1
> I also checked the latest available Fedora 15 version. I only can find an
> alpha version iso from February 28.
>
> I would really like to have a software stack which works with freeipa 
> (client/server) and afs-server.

Yeah, this is a bit of a grey area right now. IPA does a lot of cat
herding and keeping all the various versions of the packages we require
in sync is very tedious.

For a pilot I think you'd be fine using Fedora 14 though I would
recommend doing some amount of re-testing in F-15 once it is released.
We've done 80% of our development in F-14 and it works very well. The
dogtag project built F-14 packages for us as a favor. They don't want to
support deployments of it because they've done zero testing of their own
on F-14. You'd need to build the packages yourself though, we haven't
pushed this to F-14 because of the dogtag issue. mock should be able to
build it fairly painlessly.

What I've done for my F-15 installations is to install F-14 and then
upgrade to Fedora-15 from there. It has been fairly painless. The GA IPA
release is in the stable repo of F-15 now.

regards

rob

>
>
> - Original Message -
> From: "Sigbjorn Lie"
> To: "Rob Crittenden"
> CC: "Roland Käser", freeipa-users@redhat.com
> Sent: Thursday, 31 March 2011 16:14:34
> Subject: Re: [Freeipa-users] IPA Client join
>
>>
>> In rc2 we had to make a change to the OID used for some operations
>> because they were duplicated. The OID for the ipa-getkeytab operation was 
>> one of them, so older
>> clients don't work with newer servers. IIRC the EL6 ipa-client was based on 
>> the alpha 3 release.
>>
>> I attached a patch that gives the general idea of what needs to change.
>> It was originally for the EL 5 branch but it may work with few changes
>> in EL6.
>>
>
> Will there be an update to the ipa-client package in RHEL 6.0, or do we have 
> to wait for RHEL 6.1?
>
>
> Rgds,
> Siggi
>
>
>



Re: [Freeipa-users] IPA Client join

2011-03-31 Thread Rob Crittenden

Roland Kaeser wrote:
> Hello
>
>> Will there be an update to the ipa-client package in RHEL 6.0, or do we have
>> to wait for RHEL 6.1?

The next update will be in 6.1. I can probably cobble together a srpm 
that would work on 6.0 until 6.1 is released if you'd like.

>
> So which is the software stack to use for my pilot and the later production
> environment?
> I wouldn't like to use Fedora in company production environments. I would
> really prefer to use RHEL6/6.1
> I also checked the latest available Fedora 15 version. I only can find an
> alpha version iso from February 28.
>
> I would really like to have a software stack which works with freeipa
> (client/server) and afs-server.

Yeah, this is a bit of a grey area right now. IPA does a lot of cat 
herding and keeping all the various versions of the packages we require 
in sync is very tedious.

For a pilot I think you'd be fine using Fedora 14 though I would 
recommend doing some amount of re-testing in F-15 once it is released. 
We've done 80% of our development in F-14 and it works very well. The 
dogtag project built F-14 packages for us as a favor. They don't want to 
support deployments of it because they've done zero testing of their own 
on F-14. You'd need to build the packages yourself though, we haven't 
pushed this to F-14 because of the dogtag issue. mock should be able to 
build it fairly painlessly.

What I've done for my F-15 installations is to install F-14 and then 
upgrade to Fedora-15 from there. It has been fairly painless. The GA IPA 
release is in the stable repo of F-15 now.

regards

rob

>
>
> - Original Message -
> From: "Sigbjorn Lie"
> To: "Rob Crittenden"
> CC: "Roland Käser", freeipa-users@redhat.com
> Sent: Thursday, 31 March 2011 16:14:34
> Subject: Re: [Freeipa-users] IPA Client join
>
>>
>> In rc2 we had to make a change to the OID used for some operations
>> because they were duplicated. The OID for the ipa-getkeytab operation was
>> one of them, so older
>> clients don't work with newer servers. IIRC the EL6 ipa-client was based on
>> the alpha 3 release.
>>
>> I attached a patch that gives the general idea of what needs to change.
>> It was originally for the EL 5 branch but it may work with few changes
>> in EL6.
>>
>
> Will there be an update to the ipa-client package in RHEL 6.0, or do we have
> to wait for RHEL 6.1?
>
>
> Rgds,
> Siggi
>


Re: [Freeipa-users] IPA Client join

2011-03-31 Thread Roland Kaeser
Hello

>Will there be an update to the ipa-client package in RHEL 6.0, or do we have 
>to wait for RHEL 6.1?

So which is the software stack to use for my pilot and the later production 
environment? 
I wouldn't like to use Fedora in company production environments. I would 
really prefer to use RHEL6/6.1
I also checked the latest available Fedora 15 version. I only can find an alpha 
version iso from February 28. 

I would really like to have a software stack which works with freeipa 
(client/server) and afs-server.

Regards

Roland


- Original Message -
From: "Sigbjorn Lie" 
To: "Rob Crittenden" 
CC: "Roland Käser", freeipa-users@redhat.com
Sent: Thursday, 31 March 2011 16:14:34
Subject: Re: [Freeipa-users] IPA Client join

>
> In rc2 we had to make a change to the OID used for some operations
> because they were duplicated. The OID for the ipa-getkeytab operation was one 
> of them, so older
> clients don't work with newer servers. IIRC the EL6 ipa-client was based on 
> the alpha 3 release.
>
> I attached a patch that gives the general idea of what needs to change.
> It was originally for the EL 5 branch but it may work with few changes
> in EL6.
>

Will there be an update to the ipa-client package in RHEL 6.0, or do we have to 
wait for RHEL 6.1?


Rgds,
Siggi



-- 

InterSoft Networks 
Roland Käser, Systems Engineer OpenSource 
Fulachstr. 197, 8200 Schaffhausen 
Tel: +41 77 415 79 11 
--
 
Those who give up their freedom for the sake of security 
will in the end have neither - and do not deserve it either. 
(Benjamin Franklin) 
--
 


Re: [Freeipa-users] IPA Client join

2011-03-31 Thread Sigbjorn Lie
>
> In rc2 we had to make a change to the OID used for some operations
> because they were duplicated. The OID for the ipa-getkeytab operation was one 
> of them, so older
> clients don't work with newer servers. IIRC the EL6 ipa-client was based on 
> the alpha 3 release.
>
> I attached a patch that gives the general idea of what needs to change.
> It was originally for the EL 5 branch but it may work with few changes
> in EL6.
>

Will there be an update to the ipa-client package in RHEL 6.0, or do we have to 
wait for RHEL 6.1?


Rgds,
Siggi




Re: [Freeipa-users] IPA Client join

2011-03-31 Thread Rob Crittenden

Roland Kaeser wrote:
> Hello
>
> Just try to add Scientific Linux 6 (RHEL 6) into the freeipa. Sorry to
> say that but after reading a lot of the documentation I found that the
> most of it is obsolete or just wrong. For example:
> in
> http://freeipa.org/docs/2.0.0/Client_Setup_Guide/en-US/html/#chap-Client_Configuration_Guide-Configuring_Fedora_as_an_IPA_Client
>
> the command: ipa-addservice is nowhere available.

You want to use this guide:
http://obriend.fedorapeople.org/freeIPA2.0/Identity_and_Policy_Management_Guide/html-single/

I've removed references to the older documentation.

The command you want is ipa service-add afs/...

> Currently I try to get a keytab file for the afs service made via web
> interface using:
>
> ipa-getkeytab -s freeipa.[domain] -p afs/afs.[domain]@[REALM] -k /tmp/afs.keytab
> all I get is: Operation failed! unsupported extended operation
> Note: Replaced the original domain and realm with placeholders.
>
> The client is: ipa-client-2.0-9.el6.i686
> The server is: freeipa-server-2.0.0.rc3-0.fc14.i686

In rc2 we had to make a change to the OID used for some operations 
because they were duplicated. The OID for the ipa-getkeytab operation 
was one of them, so older clients don't work with newer servers. IIRC 
the EL6 ipa-client was based on the alpha 3 release.

I attached a patch that gives the general idea of what needs to change. 
It was originally for the EL 5 branch but it may work with few changes 
in EL6.

> First, I had to make the kerberos principal key for host and afs-service
> by hand on command line. Why?

I'm not sure what you mean given the next question.

> Second why can I not get this key out of the web interface to add it to
> the afs service? I can only see the option to delete this key in the
> section services. The ipa-getkeytab also fails (see above)

The only way to retrieve a keytab currently is with the ipa-getkeytab 
command.

> Third: The documentation contains no section to add a RHEL6/SL client to
> free ipa. Why?

Old documentation.

> Fourth: The default principal set to kadmin is wrong, it's set to
> admin/admin@REALM instead of admin@REALM (seems to be wrong on all
> kerberos implementations)

admin is a user we create.

> Fifth: Running ipa-client-install works only with the
> _ldap._tcp.[Domain] SRV 10 10 389 [server]
> _kerberos._tcp.[Domain] SRV 0 0 88 [server]
> in the dns zone.

You should be able to provide the server name to the ipa-client-install 
script.

> The information in: http://freeipa.org/page/DNS_Location_Discovery
> is completely wrong.
> The entries for _ldap and _kerberos are not related to _network which
> does not even exist in bind9 they are related to a domain/zone.

This is just a draft design document.

> Sixth: the ipa-client install doesn't generate a keytab file for the
> host principal and does not extract the ca cert from the ipa server for
> the ldap communication with the server.

Did the installation complete successfully? From everything you've said 
up to now it sounds like ipa-client-install has been failing in one way 
or another. If it succeeds you'll end up with a host service principal 
in /etc/krb5.keytab.

> Looks all really confusing to me.
> So what are the correct steps to add a freeipa 2.0 client and a service
> such as nfs/afs/smb etc. to a freeipa 2.0 server on Fedora 14?

(you need the freeipa-python, freeipa-admintools and freeipa-client pkgs 
for this)

# ipa-client-install
# kinit admin
# ipa service-add afs/client.example.com
# ipa-getkeytab -s ipa.example.com -k /etc/krb5.keytab -p afs/client.example@example.com

Also note that the 2.0 GA release is not available on Fedora 14. It 
lacks certified dogtag 9 packages. They are available from our 
development repo but you'd be unlikely to get support on those. We 
realize that Fedora 15 isn't quite ready yet but it was always our 
release target for IPA v2.

regards

rob


ipa-client-oid.patch
Description: application/mbox
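
Added example (not part of the original thread and not FreeIPA project code): a shell preflight for the failure points raised in the message above, namely the extended-operation OID mismatch behind "unsupported extended operation", the SRV records used for discovery, and the certutil dependency reported later in the thread. It works on captured command output so it runs offline; the OIDs are placeholders from the 2.999 example arc because the thread does not give the real values, and the host names and function names are assumptions.

```sh
#!/bin/sh
# Offline preflight for an IPA client join. All sample data is constructed.
# The OIDs are placeholders; substitute the values from your client and server.

OLD_OID="2.999.3.1"    # placeholder: OID an alpha-3 based client would send
NEW_OID="2.999.3.10"   # placeholder: OID a post-rc2 server accepts

# Constructed root DSE, in the LDIF form printed by:
#   ldapsearch -x -H ldap://ipa.example.com -s base -b "" supportedExtension
SAMPLE_ROOTDSE='dn:
supportedExtension: 1.3.6.1.4.1.1466.20037
supportedExtension: 2.999.3.10'

# Constructed answers, in the form printed by:
#   dig +short SRV _ldap._tcp.example.com
#   dig +short SRV _kerberos._tcp.example.com
SAMPLE_LDAP_SRV='10 10 389 ipa.example.com.'
SAMPLE_KRB_SRV='0 0 88 ipa.example.com.'

# extop_advertised LDIF OID
# Succeeds only if OID is listed as a supportedExtension value. The comparison
# is an exact string match: a grep for 2.999.3.1 would also hit 2.999.3.10.
extop_advertised() {
    printf '%s\n' "$1" | awk -v oid="$2" '
        tolower($1) == "supportedextension:" && ($2 "") == (oid "") { found = 1 }
        END { exit !found }'
}

# srv_target DIG_OUTPUT PORT
# Prints the target with the lowest priority value that serves PORT, or nothing.
srv_target() {
    printf '%s\n' "$1" | awk -v port="$2" '
        NF == 4 && $3 == port && (best == "" || $1 + 0 < prio) {
            prio = $1 + 0; best = $4
        }
        END { if (best != "") print best }'
}

# preflight ROOTDSE CLIENT_OID LDAP_SRV KRB_SRV
# Returns 1 when the client's OID is not advertised by the server; the SRV and
# certutil findings are warnings because the thread gives a way around both.
preflight() {
    rc=0
    if ! extop_advertised "$1" "$2"; then
        echo "FAIL: server does not advertise $2;" \
             "ipa-getkeytab would get 'unsupported extended operation'"
        rc=1
    fi
    if [ -z "$(srv_target "$3" 389)" ] || [ -z "$(srv_target "$4" 88)" ]; then
        echo "WARN: SRV discovery incomplete; give ipa-client-install the server name"
    fi
    # nss-tools ships certutil, which ipa-client-install runs during the join.
    command -v certutil >/dev/null 2>&1 ||
        echo "WARN: certutil not found; install nss-tools before joining"
    return "$rc"
}

preflight "$SAMPLE_ROOTDSE" "$NEW_OID" "$SAMPLE_LDAP_SRV" "$SAMPLE_KRB_SRV" &&
    echo "updated client: ok"
preflight "$SAMPLE_ROOTDSE" "$OLD_OID" "$SAMPLE_LDAP_SRV" "$SAMPLE_KRB_SRV" ||
    echo "old client: blocked"
```
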

[Freeipa-users] IPA Client join

2011-03-31 Thread Roland Kaeser
Hello 


Just try to add Scientific Linux 6 (RHEL 6) into the freeipa. Sorry to say that 
but after reading a lot of the documentation I found that the most of it is 
obsolete or just wrong. For example: 
in 
http://freeipa.org/docs/2.0.0/Client_Setup_Guide/en-US/html/#chap-Client_Configuration_Guide-Configuring_Fedora_as_an_IPA_Client
 
the command: ipa-addservice is nowhere available. 


Currently I try to get a keytab file for the afs service made via web interface 
using: 


ipa-getkeytab -s freeipa.[domain] -p afs/afs.[domain]@[REALM] -k /tmp/afs.keytab 
all I get is: Operation failed! unsupported extended operation 
Note: Replaced the original domain and realm with placeholders. 


The client is: ipa-client-2.0-9.el6.i686 
The server is: freeipa-server-2.0.0.rc3-0.fc14.i686 


First, I had to make the kerberos principal key for host and afs-service by 
hand on command line. Why? 
Second why can I not get this key out of the web interface to add it to the afs 
service? I can only see the option to delete this key in the section services. 
The ipa-getkeytab also fails (see above) 
Third: The documentation contains no section to add a RHEL6/SL client to free 
ipa. Why? 
Fourth: The default principal set to kadmin is wrong, it's set to 
admin/admin@REALM instead of admin@REALM (seems to be wrong on all kerberos 
implementations) 
Fifth: Running ipa-client-install works only with the 
_ldap._tcp.[Domain] SRV 10 10 389 [server] 
_kerberos._tcp.[Domain] SRV 0 0 88 [server] 
in the dns zone. 
The information in: http://freeipa.org/page/DNS_Location_Discovery is 
completely wrong. The entries for _ldap and _kerberos are not related to 
_network which does not even exist in bind9 they are related to a domain/zone. 
Sixth: the ipa-client install doesn't generate a keytab file for the host 
principal and does not extract the ca cert from the ipa server for the ldap 
communication with the server. 


Looks all really confusing to me. 
So what are the correct steps to add a freeipa 2.0 client and a service such as 
nfs/afs/smb etc. to a freeipa 2.0 server on Fedora 14? 



Regards 


Roland 





--
 
Those who give up their freedom for the sake of security 
will in the end have neither - and do not deserve it either. 
(Benjamin Franklin) 
--
 