On 11/30/2011 03:59 PM, Rob Crittenden wrote:
> Stephen Ingram wrote:
>> Rob-
>>
>> On Wed, Nov 30, 2011 at 12:04 PM, Rob Crittenden<[email protected]> wrote:
>>> Retrieve the CA certificate for the FreeIPA CA.
>>>
>>> # wget -O /etc/ipa/ca.crt http://ipa.example.com/ipa/config/ca.crt
>>>
>>> Create a separate Kerberos configuration to test the provided
>>> credentials. This enables a Kerberos connection to the FreeIPA XML-RPC
>>> server, necessary to join the FreeIPA client to the FreeIPA domain.
>>> This Kerberos configuration is ultimately discarded.
>>>
>>> - Basically just copy a working krb5.conf to /etc/krb5.conf and set
>>> up sssd or nss_ldap as documented.
>>>
>>> # kinit admin
>>> # ipa-join -s ipa.example.com -b dc=example,dc=com
>>>
>>> Or if using a one-time password you can skip the kinit and do
>>>
>>> # ipa-join -s ipa.example.com -b dc=example,dc=com -w Secret123
>>>
>>> ipa-join lets IPA know a host is enrolled and retrieves a host
>>> principal and stores it into /etc/krb5.keytab.
>>>
>>> Enable certmonger, retrieve an SSL server certificate, and install the
>>> certificate in /etc/pki/nssdb.
>>>
>>> # service messagebus start
>>> # service certmonger start
>>> # certutil -A -d /etc/pki/nssdb -n 'IPA CA' -t CT,C,C -a -i /etc/ipa/ca.crt
>>> # ipa-getcert request -d /etc/pki/nssdb -n 'IPA Machine Certificate - client.example.com' -N 'cn=client.example.com,O=EXAMPLE.COM' -K host/[email protected]
>>>
>>> Disable the nscd daemon.
>>>
>>> # service nscd stop
>>> # chkconfig nscd off
>>
>> Thanks, but aren't some of these steps assuming that ipa-client has
>> been installed on the system? For instance, instead of "# ipa-join -s
>> ipa.example.com -b dc=example,dc=com -w Secret123", can't I instead
>> use kadmin to retrieve the keytab and then securely copy it over to
>> the client system? And, in the case of the ca.crt, if IPA itself is
>> not installed, the ca would not go to /etc/ipa/ca.crt, no? I realize
>> that I will lose functionality by not having ipa-client, but I am just
>> trying to build a case for supporting legacy systems that I would
>> never want to take the time to adapt ipa-client for.
>>
>> Steve
>
> The only part assuming that is ipa-join itself. IPA does not support
> the direct use of kadmin or kadmin.local. On a supported platform
> you'd run:
>
> # ipa-getkeytab -s ipa.example.com -k /tmp/remote.keytab -p host/remote.example.com
>
> Then ship /tmp/remote.keytab to the machine and either use ktutil to
> combine it with /etc/krb5.keytab or replace krb5.keytab with it (and
> fix owner and permissions, and potentially SELinux context).
>
> certmonger gets its IPA configuration from /etc/ipa/default.conf. If
> you don't want or have certmonger then you can skip the CA bit
> altogether. Otherwise you'll need to copy in a working config.
>

Should any part of this be documented?

> rob
>
> _______________________________________________
> Freeipa-users mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/freeipa-users
>

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
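Rob's procedure above ships the file written by ipa-getkeytab and merges it by hand, so it is worth confirming, before the ktutil step, that the file carries exactly the host principal that was requested and nothing else. The following is an added example, not code from this thread or from FreeIPA: it parses the MIT keytab format (assumed to be version 0x0502, which is what ipa-getkeytab and ktutil write) and reports principal, kvno and enctype without ever returning key material; `encode_entry`, the `HOST` principal and the dummy key bytes exist only to build the constructed sample.

```python
import struct

def _counted(buf, off):
    """Keytab counted-octet-string: big-endian uint16 length followed by that many bytes."""
    n = struct.unpack_from(">H", buf, off)[0]
    return buf[off + 2:off + 2 + n], off + 2 + n

def keytab_entries(data):
    """Parse an MIT keytab (format 0x0502) into (principal, kvno, enctype) tuples, like klist -kt."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    off, entries = 2, []
    while off + 4 <= len(data):
        size = struct.unpack_from(">i", data, off)[0]
        off += 4
        if size < 0:                      # negative size = hole left by a deleted entry
            off -= size
            continue
        end = off + size
        ncomp = struct.unpack_from(">H", data, off)[0]
        realm, off = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode())
        off += 8                          # uint32 name_type + uint32 timestamp
        vno, enctype, klen = struct.unpack_from(">BHH", data, off)
        off += 5 + klen                   # step over the key bytes; they are never returned
        if end - off >= 4:                # optional 32-bit kvno overrides the 8-bit one when non-zero
            vno = struct.unpack_from(">I", data, off)[0] or vno
        entries.append(("/".join(comps) + "@" + realm.decode(), vno, enctype))
        off = end
    return entries

def only_principal(data, principal):
    """True if every key in the keytab belongs to `principal`: the check to make before merging it."""
    return {p for p, _, _ in keytab_entries(data)} == {principal}

def encode_entry(principal, vno, enctype, key):
    """Encode one keytab entry; used here only to build the constructed sample below."""
    name, realm = principal.split("@")
    body = struct.pack(">HH", name.count("/") + 1, len(realm)) + realm.encode()
    for c in name.split("/"):
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", 1, 1322690000, vno & 0xFF)   # KRB5_NT_PRINCIPAL, timestamp, vno8
    body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", vno)
    return struct.pack(">i", len(body)) + body

# Constructed sample: the host principal from the thread with aes256 (18) and aes128 (17) dummy keys.
HOST = "host/remote.example.com@EXAMPLE.COM"
SAMPLE_KEYTAB = b"\x05\x02" + encode_entry(HOST, 1, 18, b"\x11" * 32) + encode_entry(HOST, 1, 17, b"\x22" * 16)
```

Run `only_principal(open("/tmp/remote.keytab", "rb").read(), "host/remote.example.com@EXAMPLE.COM")` on the shipped file; the merged /etc/krb5.keytab should then still be owned by root with mode 0600 and, where SELinux is enforcing, get its context restored with restorecon.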
