On 03/13/2012 05:16 PM, Stephen Ingram wrote:
> On Sat, Dec 3, 2011 at 10:56 AM, Dmitri Pal <[email protected]> wrote:
>> On 11/30/2011 03:59 PM, Rob Crittenden wrote:
>>> Stephen Ingram wrote:
>>>> Rob-
>>>>
>>>> On Wed, Nov 30, 2011 at 12:04 PM, Rob Crittenden <[email protected]> wrote:
>>>>> Retrieve the CA certificate for the FreeIPA CA.
>>>>>
>>>>> # wget -O /etc/ipa/ca.crt http://ipa.example.com/ipa/config/ca.crt
>>>>>
>>>>> Create a separate Kerberos configuration to test the provided credentials.
>>>>> This enables a Kerberos connection to the FreeIPA XML-RPC server, necessary
>>>>> to join the FreeIPA client to the FreeIPA domain. This Kerberos
>>>>> configuration is ultimately discarded.
>>>>>
>>>>> - Basically just copy a working krb5.conf to /etc/krb5.conf and set up sssd
>>>>> or nss_ldap as documented.
>>>>>
>>>>> # kinit admin
>>>>> # ipa-join -s ipa.example.com -b dc=example,dc=com
>>>>>
>>>>> Or if using a one-time password you can skip the kinit and do
>>>>>
>>>>> # ipa-join -s ipa.example.com -b dc=example,dc=com -w Secret123
>>>>>
>>>>> ipa-join lets IPA know a host is enrolled and retrieves a host principal and
>>>>> stores it into /etc/krb5.keytab.
>>>>>
>>>>> Enable certmonger, retrieve an SSL server certificate, and install the
>>>>> certificate in /etc/pki/nssdb.
>>>>>
>>>>> # service messagebus start
>>>>> # service certmonger start
>>>>> # certutil -A -d /etc/pki/nssdb -n 'IPA CA' -t CT,C,C -a -i /etc/ipa/ca.crt
>>>>> # ipa-getcert request -d /etc/pki/nssdb -n 'IPA Machine Certificate - client.example.com' -N 'cn=client.example.com,O=EXAMPLE.COM' -K host/[email protected]
>>>>>
>>>>> Disable the nscd daemon.
>>>>>
>>>>> # service nscd stop
>>>>> # chkconfig nscd off
>>>>
>>>> Thanks, but aren't some of these steps assuming that ipa-client has
>>>> been installed on the system? For instance, instead of
>>>> "# ipa-join -s ipa.example.com -b dc=example,dc=com -w Secret123", can't I
>>>> instead use kadmin to retrieve the keytab and then securely copy it over to
>>>> the client system? And, in the case of the ca.crt, if IPA itself is not
>>>> installed, the ca would not go to /etc/ipa/ca.crt, no? I realize that I
>>>> will lose functionality by not having ipa-client, but just trying to build
>>>> a case for supporting legacy systems that I would never want to take the
>>>> time to adapt ipa-client for.
>>>>
>>>> Steve
>>>
>>> The only part assuming that is ipa-join itself. IPA does not support the
>>> direct use of kadmin or kadmin.local. On a supported platform you'd run:
>>>
>>> # ipa-getkeytab -s ipa.example.com -k /tmp/remote.keytab -p host/remote.example.com
>>>
>>> Then ship /tmp/remote.keytab to the machine and either use ktutil to
>>> combine it with /etc/krb5.keytab or replace krb5.keytab with it (and fix
>>> owner and permissions, and potentially SELinux context).
>>>
>>> certmonger gets its IPA configuration from /etc/ipa/default.conf. If you
>>> don't want or have certmonger then you can skip the CA bit altogether.
>>> Otherwise you'll need to copy in a working config.
>>>
>> Should any part of this be documented?
>
> This might be beyond what you are thinking, however, to me, one of the best
> things about FreeIPA is that because of how flexible you've made it, I can
> use as much or as little as I want. These sorts of "small steps" might also
> make it easier to integrate into non-Redhat/Fedora or non-Linux systems. I
> have compiled and tested the suggestions offered to me by Rob and put them
> into an attached text document that roughly corresponds to the current
> section 3.4 of the FreeIPA documentation. It's probably a little rough, but
> should make a nice template to help supplement the existing documentation.
>
> Steve

Thank you! We will take a look.
-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
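The client-side half of the manual enrollment Rob describes (a working krb5.conf, a keytab produced by ipa-getkeytab on a supported host and shipped over, merged into /etc/krb5.keytab with ktutil, then owner, mode and SELinux context fixed), collected into one script. This is an added example, not FreeIPA project code and not the document Steve attached; it assumes MIT Kerberos ktutil command syntax (rkt/wkt; Heimdal's ktutil differs), a single IPA server acting as KDC and admin server, and a hypothetical argument order of REALM SERVER DNSDOMAIN KEYTAB.

```shell
#!/bin/sh
# Hypothetical helper for enrolling a host that cannot run ipa-client.
# Not FreeIPA code. Run as root on the client after /tmp/remote.keytab
# (made with ipa-getkeytab on a supported host) has been copied over.
set -eu

# Write a minimal krb5.conf pinned to one IPA server.
# Args: REALM SERVER DNSDOMAIN OUTFILE
write_krb5_conf() {
    realm=$1; server=$2; domain=$3; out=$4
    # dns_lookup_* are off: this host is not relying on IPA's SRV records,
    # the KDC is named explicitly instead.
    cat > "$out" <<EOF
[libdefaults]
  default_realm = $realm
  dns_lookup_realm = false
  dns_lookup_kdc = false
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  $realm = {
    kdc = $server:88
    admin_server = $server:749
    default_domain = $domain
  }

[domain_realm]
  .$domain = $realm
  $domain = $realm
EOF
    chmod 0644 "$out"
}

# Octal permission bits of a file (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# Merge two keytabs into a fresh file with MIT ktutil. Args: EXISTING NEW OUT
# ktutil's wkt appends to OUT if it already has entries, so OUT must be new.
merge_keytabs() {
    printf 'rkt %s\nrkt %s\nwkt %s\nquit\n' "$1" "$2" "$3" | ktutil
}

# Install SRC as DST (normally /etc/krb5.keytab): merge into an existing
# keytab, or copy when there is none; then lock down owner, mode and
# SELinux label, and remove the shipped copy.
install_keytab() {
    src=$1; dst=$2
    [ -s "$src" ] || { echo "keytab $src missing or empty" >&2; return 1; }
    if [ -s "$dst" ]; then
        tmp=$(mktemp "$dst.XXXXXX")       # created 0600, same directory as DST
        merge_keytabs "$dst" "$src" "$tmp"
        mv -f "$tmp" "$dst"
    else
        (umask 077 && cp "$src" "$dst")   # never world-readable, even briefly
    fi
    chmod 0600 "$dst"
    if [ "$(id -u)" -eq 0 ]; then         # only root can hand the file to root
        chown root:root "$dst"
    fi
    # A keytab that arrived via scp carries whatever label /tmp gave it;
    # restorecon reapplies the policy's context for its new path.
    if command -v restorecon >/dev/null 2>&1; then
        restorecon "$dst"
    fi
    rm -f "$src"
    [ "$(file_mode "$dst")" = "600" ]
}

# Usage: manual-enroll.sh REALM SERVER DNSDOMAIN /path/to/shipped.keytab
if [ "$#" -eq 4 ]; then
    write_krb5_conf "$1" "$2" "$3" /etc/krb5.conf
    install_keytab "$4" /etc/krb5.keytab
    # Prove the key before touching sssd/nss_ldap: a keytab kinit needs no
    # password and fails loudly if the kvno in the keytab is stale.
    kinit -k "host/$(hostname -f)@$1" && klist
fi
```

Two caveats worth keeping in mind with this flow. ipa-getkeytab generates a new key for the principal each time it is run, so re-running it for the same host invalidates any keytab previously shipped to that host; retrieve it once and distribute that copy. And the ca.crt step in the thread fetches the CA certificate over plain http, so compare its fingerprint against the one on the IPA server out-of-band before adding it to any trust store with certutil.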
