Re: [Freeipa-users] setting up a client on Debian squeeze
On Thu, Aug 29, 2013 at 10:04:43PM -0400, Rob Crittenden wrote:
> Michał Dwużnik wrote:
>> Sorry for quick continuation...
>>
>> Certificate added to nss DB in /etc/pki:
>>
>>     certutil -A -d /etc/pki/ -n "IPA CA" -t CT,C,C -a -i pki/ca.crt
>>
>> sssd configured according to
>> http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/linux-manual.html
>>
>> How do I test now, before changing PAM options, that the pieces fit together?
>
> Perhaps exercise nss with:
>
>     % id admin
>     % getent passwd admin
>     % getent group admin
>
> You can substitute admin for any IPA user or group.
>
> And really you can skip the cert step if you want. Unless you have something that will use it, we put a cert on the system as a convenience right now. There isn't currently anything using it by default.
>
> rob

On the client, one piece of functionality where you need the cert is password migration from LDAP to IPA. I don't think that's your case, though.

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
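Rob's three commands exercise the NSS side only. The script below is an added example (not from the thread and not FreeIPA's own code) that runs the same `getent`/`id` checks together with the Kerberos-side checks that usually fail first on a hand-built client, and stops before anything touches PAM. It assumes the host principal is in /etc/krb5.keytab, that sssd is already running, and that the user to resolve is `admin` (override with IPA_USER=...). The parsing helpers read command output from stdin or arguments, so they can also be run against saved `klist -k` or `getent` output.

```shell
#!/bin/sh
# ipa-client-smoke.sh: check that keytab, Kerberos and SSSD/NSS fit together
# on a hand-configured FreeIPA client BEFORE enabling pam_sss.
# Added example; not a script from the thread or from FreeIPA.
# Assumptions: host principal in /etc/krb5.keytab (KEYTAB), sssd started,
# and an IPA user to resolve (IPA_USER, default admin).
# Run as root with:   sh ipa-client-smoke.sh run
set -u

KEYTAB=${KEYTAB:-/etc/krb5.keytab}
IPA_USER=${IPA_USER:-admin}

# keytab_has_host_principal FQDN REALM   (reads 'klist -k' output on stdin)
# Succeeds only if the keytab lists host/FQDN@REALM. Pure text check.
keytab_has_host_principal() {
    awk -v want="host/$1@$2" '$2 == want { found = 1 } END { if (found) exit 0; exit 1 }'
}

# passwd_entry_sane LINE
# Validates one getent(1) passwd line: 7 fields, numeric uid/gid, absolute
# home directory and shell. An entry that resolves but has an empty shell or
# home usually means the sssd id_provider settings are wrong, and turning on
# pam_sss on top of that only produces confusing login failures.
passwd_entry_sane() {
    printf '%s\n' "$1" | awk -F: '
        NF != 7          { exit 1 }
        $3 !~ /^[0-9]+$/ { exit 1 }
        $4 !~ /^[0-9]+$/ { exit 1 }
        $6 !~ /^\//      { exit 1 }
        $7 !~ /^\//      { exit 1 }
        { exit 0 }'
}

# realm_from_krb5_conf FILE: print default_realm from the [libdefaults] section
realm_from_krb5_conf() {
    awk -F= '/^\[/ { sect = $0 }
             sect == "[libdefaults]" && $1 ~ /^[ \t]*default_realm[ \t]*$/ {
                 gsub(/[ \t]/, "", $2); print $2; exit }' "$1"
}

run_smoke_test() {
    fqdn=$(hostname -f)
    realm=$(realm_from_krb5_conf /etc/krb5.conf)
    [ -n "$realm" ] || { echo "FAIL: no default_realm in /etc/krb5.conf"; return 1; }

    echo "== 1. keytab lists host/$fqdn@$realm"
    klist -k "$KEYTAB" | keytab_has_host_principal "$fqdn" "$realm" \
        || { echo "FAIL: host/$fqdn@$realm not in $KEYTAB (hostname -f vs. IPA host entry?)"; return 1; }

    echo "== 2. host authenticates with its keytab (no password prompt)"
    kinit -k -t "$KEYTAB" "host/$fqdn@$realm" \
        || { echo "FAIL: kinit -k; check clock skew against the KDC and the keytab kvno"; return 1; }
    kdestroy

    echo "== 3. NSS resolves an IPA user and group through sssd"
    entry=$(getent passwd "$IPA_USER") \
        || { echo "FAIL: getent passwd $IPA_USER (is 'sss' in /etc/nsswitch.conf and sssd running?)"; return 1; }
    passwd_entry_sane "$entry" \
        || { echo "FAIL: malformed passwd entry: $entry"; return 1; }
    getent group "$IPA_USER" >/dev/null \
        || { echo "FAIL: getent group $IPA_USER"; return 1; }
    id "$IPA_USER"
    echo "PASS: Kerberos and NSS pieces fit; safe to move on to the PAM stack"
}

case "${1:-}" in
    run) run_smoke_test ;;
esac
```

Step 2 is the one Rob's list does not cover: `kinit -k` with the host principal proves the keytab copied to the client actually matches what the KDC has, which is also what sssd's GSSAPI binds depend on; a wrong kvno or clock skew shows up here long before it shows up as an opaque PAM failure.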
Re: [Freeipa-users] setting up a client on Debian squeeze
Ok, I somehow assumed certs are very much needed for ldaps...

In the meantime, I set up a debian wheezy machine to try the freeipa-client from debs. I managed to get a working ipa-client (with a few quirks... the default nss database needed to be created) with packages from

    deb http://apt.numeezy.fr wheezy main
    deb-src http://apt.numeezy.fr wheezy main

So now I have a ready set of debian-like configs for wheezy; making it work with squeeze seems easier now (it comes with learning, too...)

I must admit the ipa-client debug option is lovely as a step-by-step guide for trying by hand :)

Going back to thinking whether to try getting ipa on squeeze or getting the legacy software working with squeeze... (some of the scientists seem to be the happiest if the system is totally unchanged for some 20 years...).

Regards
Michal

PS: I do see hope for rooting out the last instance of NIS on the campus :)
Re: [Freeipa-users] setting up a client on Debian squeeze
On Fri, Aug 30, 2013 at 03:54:54PM +0200, Michał Dwużnik wrote:
> Ok, I somehow assumed certs are very much needed for ldaps...

Well, for most operations the SSSD uses GSSAPI authentication. Only when passwords are migrated do we do an LDAP bind with StartTLS.

> In the meantime, I set up a debian wheezy machine to try the freeipa-client from debs. I managed to get a working ipa-client (with a few quirks... the default nss database needed to be created) with packages from
>
>     deb http://apt.numeezy.fr wheezy main
>     deb-src http://apt.numeezy.fr wheezy main
>
> So now I have a ready set of debian-like configs for wheezy; making it work with squeeze seems easier now (it comes with learning, too...)
>
> I must admit the ipa-client debug option is lovely as a step-by-step guide for trying by hand :)
>
> Going back to thinking whether to try getting ipa on squeeze or getting the legacy software working with squeeze... (some of the scientists seem to be the happiest if the system is totally unchanged for some 20 years...).
>
> Regards
> Michal
>
> PS: I do see hope for rooting out the last instance of NIS on the campus :)

Terminate it with extreme prejudice :-)
Re: [Freeipa-users] setting up a client on Debian squeeze
Michał Dwużnik wrote:
> Hi folks,
> did anyone succeed in connecting such an old thing recently to a freeipa server?
> Is there a document (or an archive post) about connecting a 'non ipa aware' client step by step?
> I got as far as working Kerberos with no issues, hit a wall with the ldap part..

You might try this:
http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/linux-manual.html

rob
Re: [Freeipa-users] setting up a client on Debian squeeze
As for now I have set up a 'known good' client on a RH based distro, to get the feeling how the config files look when configured correctly.
Thanks for the nice reference
M.

On Thu, Aug 29, 2013 at 7:56 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
> Michał Dwużnik wrote:
>> Hi folks,
>> did anyone succeed in connecting such an old thing recently to a freeipa server?
>> Is there a document (or an archive post) about connecting a 'non ipa aware' client step by step?
>> I got as far as working Kerberos with no issues, hit a wall with the ldap part..
>
> You might try this:
> http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/linux-manual.html
>
> rob

--
Michal Dwuznik
Re: [Freeipa-users] setting up a client on Debian squeeze
Ok, going step by step I did the following on squeeze:

- set up ntp, time synced with ipa server
- test setup is done on ipa.localdomain (server); client.localdomain (client on Scientific Linux 6.4, looks ok after ipa-client-install, ssh works for test users tester and tester2); client2.localdomain is the Debian Squeeze client
- added host client2.localdomain on IPA server, added 'managedby', got the keytab and put the 'client2.keytab' in /etc/krb5.keytab on client2
- most important part of /etc/krb5.conf:

    [realms]
    LOCALDOMAIN = {
      kdc = ipa.localdomain
      admin_server = ipa.localdomain
    }
    [domain_realm]
    .localdomain = LOCALDOMAIN
    localdomain = LOCALDOMAIN
    default_domain = localdomain
    [libdefaults]
    default_realm = LOCALDOMAIN

The following lets me think the KRB5 part of the setup is done correctly:

    root@client2:/etc# kinit admin
    Password for admin@LOCALDOMAIN:
    root@client2:/etc# kdestroy
    root@client2:/etc# kinit tester
    Password for tester@LOCALDOMAIN:
    root@client2:/etc# klis
    -su: klis: command not found
    root@client2:/etc# klist
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: tester@LOCALDOMAIN

    Valid starting     Expires            Service principal
    08/30/13 00:35:50  08/31/13 00:35:47  krbtgt/LOCALDOMAIN@LOCALDOMAIN
    root@client2:/etc# kpasswd tester
    Password for tester@LOCALDOMAIN:
    Enter new password:
    Enter it again:
    Password changed.

I guess that's the point of snapshotting the 'KRB done' state (can I be wrong?)

DNS for all the hosts involved is similar to:

    root@client2:/etc# nslookup ipa
    Server:   192.168.137.29
    Address:  192.168.137.29#53

    Name:     ipa.localdomain
    Address:  192.168.137.13

    root@client2:/etc# nslookup 192.168.137.13
    Server:   192.168.137.29
    Address:  192.168.137.29#53

    13.137.168.192.in-addr.arpa  name = ipa.localdomain.

Now I guess it's time for certificates, where I do have some doubts...
I've added the SSH host keys via the web interface, now the cert part: having generated the CSR after creating the new database:

    certutil -R -d . -a -g 2048 -s 'CN=client2.localdomain,O=LOCALDOMAIN'

(in the /etc/pki dir) I paste the CSR and issue the certificate for the host (/etc/pki contains the newly created cert8.db key3.db secmod.db).

Which of those should be used to add the cert to? (like certutil -A -d /etc/pki/nssdb -n "IPA CA" -t CT,C,C -a -i /path/to/ca.crt)

All of the tries result in:

    root@client2:/etc/pki# certutil -A -d /etc/pki/cert8.db -n "IPA CA" -t CT,C,C -a -i ./ca.crt
    certutil: function failed: security library: bad database.
    root@client2:/etc/pki# certutil -A -d /etc/pki/secmod.db -n "IPA CA" -t CT,C,C -a -i ./ca.crt
    certutil: function failed: security library: bad database.
    root@client2:/etc/pki# certutil -A -d /etc/pki/key3.db -n "IPA CA" -t CT,C,C -a -i ./ca.crt
    certutil: function failed: security library: bad database.

Could someone show me my mistake?

Regards
Michal

On Thu, Aug 29, 2013 at 9:00 PM, Michał Dwużnik <michal.dwuz...@gmail.com> wrote:
> As for now I have set up a 'known good' client on a RH based distro, to get the feeling how the config files look when configured correctly.
> Thanks for the nice reference
> M.
>
> On Thu, Aug 29, 2013 at 7:56 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
>> Michał Dwużnik wrote:
>>> Hi folks,
>>> did anyone succeed in connecting such an old thing recently to a freeipa server?
>>> Is there a document (or an archive post) about connecting a 'non ipa aware' client step by step?
>>> I got as far as working Kerberos with no issues, hit a wall with the ldap part..
>>
>> You might try this:
>> http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/linux-manual.html
>>
>> rob
>
> --
> Michal Dwuznik

--
Michal Dwuznik
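The "bad database" errors above all come from the same thing: `certutil -d` takes the directory that contains the database files, not one of the files. The script below is an added example (not from the thread and not FreeIPA's own code) that refuses to call certutil unless `-d` really points at an NSS database directory, picks the matching `dbm:`/`sql:` prefix, imports the CA with the trust flags used in the thread, and verifies the import by listing the nickname afterwards. The default paths /etc/pki/nssdb and /etc/ipa/ca.crt are assumptions; the thread itself works in /etc/pki with ./ca.crt.

```shell
#!/bin/sh
# nssdb-import-ca.sh: put the IPA CA certificate into a client NSS database
# the way certutil expects, and refuse to run against the wrong target.
# Added example; not code from the thread or from FreeIPA.
# Assumptions (not from the thread): the CA cert has been copied to
# /etc/ipa/ca.crt and the database directory is /etc/pki/nssdb.
# Run as root with:   sh nssdb-import-ca.sh import [DBDIR] [CA.crt]
set -u

# nssdb_dir_ok DIR
# certutil -d takes the DIRECTORY holding the database files, never a file:
#   dbm (legacy) format: cert8.db key3.db secmod.db
#   sql format:          cert9.db key4.db pkcs11.txt
# Passing one of those files as -d is exactly what yields
# "certutil: function failed: security library: bad database."
nssdb_dir_ok() {
    [ -d "$1" ] || return 1
    if [ -f "$1/cert8.db" ] && [ -f "$1/key3.db" ]; then return 0; fi
    if [ -f "$1/cert9.db" ] && [ -f "$1/key4.db" ]; then return 0; fi
    return 1
}

# nssdb_flavour DIR: print "sql" or "dbm" so the -d argument can carry an
# explicit prefix (certutil -d sql:/dir or -d dbm:/dir) instead of relying on
# whatever default the installed NSS build has.
nssdb_flavour() {
    if [ -f "$1/cert9.db" ]; then echo sql; else echo dbm; fi
}

# import_ca DBDIR CAFILE [NICK]
# Imports CAFILE as a trusted CA and verifies it is listed afterwards.
import_ca() {
    db=$1; ca=$2; nick=${3:-"IPA CA"}
    if ! nssdb_dir_ok "$db"; then
        echo "no NSS database in '$db' (expected cert8.db/key3.db or cert9.db/key4.db)" >&2
        echo "create one first:   certutil -N -d $db" >&2
        return 1
    fi
    [ -r "$ca" ] || { echo "cannot read CA file '$ca'" >&2; return 1; }
    target="$(nssdb_flavour "$db"):$db"
    # CT,C,C: SSL = valid CA (C) + trusted to issue client certs (T);
    #         S/MIME = CA; object signing = CA
    certutil -A -d "$target" -n "$nick" -t CT,C,C -a -i "$ca" || return 1
    certutil -L -d "$target" -n "$nick" >/dev/null || return 1
    echo "imported '$nick' into $target"
}

case "${1:-}" in
    import) import_ca "${2:-/etc/pki/nssdb}" "${3:-/etc/ipa/ca.crt}" ;;
esac
```

On an IPA server the CA certificate is also served at http://ipa.localdomain/ipa/config/ca.crt, which is the usual way to get it onto a client that was not enrolled with ipa-client-install. The nickname contains a space, so it has to be quoted on the command line; `-n IPA CA` would make certutil treat `CA` as a stray argument.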
Re: [Freeipa-users] setting up a client on Debian squeeze
Sorry for quick continuation...

Certificate added to nss DB in /etc/pki:

    certutil -A -d /etc/pki/ -n "IPA CA" -t CT,C,C -a -i pki/ca.crt

sssd configured according to
http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/linux-manual.html

How do I test now, before changing PAM options, that the pieces fit together?
(Sorry for being a bit too tired...)

M.

On Fri, Aug 30, 2013 at 1:49 AM, Michał Dwużnik <michal.dwuz...@gmail.com> wrote:
> Ok, going step by step I did the following on squeeze:
> [...]
> Could someone show me my mistake?
>
> Regards
> Michal

--
Michal Dwuznik