On Thu, Apr 26, 2012 at 3:51 PM, hshhs caca <[email protected]> wrote:
> Hi folks,
>
> I'm pretty new to freeIPA. And here is a freeIPA installation problem
> encountered in my work. For company policy reasons we cannot use
> ipa-client-install on Linux clients; instead a manual installation method is
> in use and most of the freeIPA client config files are pushed out with
> cfengine. The problem details/steps are listed below:
>
> 1. Following the steps at
> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/linux-manual.html,
> we registered all clients in the IPA master, created and downloaded into
> subversion the keytab files for all clients, then used 'ipa-client-install'
> on one client and saved the config files into subversion too.
>
> 2. When a new Linux node is deployed, we deploy the files below onto
> the node: /etc/{krb5.conf, krb5.keytab, nsswitch.conf}, /etc/sssd/sssd.conf,
> /etc/pam.d/{fingerprint-auth-ac, password-auth-ac, system-auth-ac,
> smartcard-auth-ac}, with permissions and ownership set up correctly.
>
> 3. Then we tested the kerberos commands kinit/kdestroy/klist and they were all
> working; we tested 'getent passwd <ipaAccount>' and 'getent group ipausers' and
> they were working too; at last we tried ssh/login and they were working as
> expected as well.
>
> 4. At this step I could claim that IPA authentication and authorization
> worked successfully. Then I continued to try the IPA admin commands, but
> unexpectedly they failed.
>
> [root@ipaclient04 ~]# ipa
> ipa: ERROR: Client is not configured. Run ipa-client-install.
> [root@ipaclient04 ~]# ipa user-find
> ipa: ERROR: Client is not configured. Run ipa-client-install.
> [root@ipaclient04 ~]#
>
> 5. So I copied the files /etc/ca.crt and /etc/default.conf from a client
> installed with 'ipa-client-install' to this manual client, and tried the
> above commands again; they stopped whining and showed the help screen as
> expected, but real IPA administration commands failed with the following
> error prompts:
>
> [root@ipaclient04 ~]# ipa user-find
> ipa: ERROR: cert validation failed for
> "CN=ipamaster.pegaclouds.com,O=PEGACLOUDS.COM" ((SEC_ERROR_UNTRUSTED_ISSUER)
> Peer's certificate issuer has been marked as not trusted by the user.)
> ipa: ERROR: cannot connect to u'https://ipamaster.pegaclouds.com/ipa/xml':
> [Errno -8172] (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has
> been marked as not trusted by the user.
>
> 6. So it looks like there is some kind of new authentication step I have
> missed somewhere -- I could not find any clue in the Red Hat IPA document for
> further steps -- I tried several times but the results were not fruitful. Could
> anyone please shed some light here? Thanks a lot.
David-

It looks like you didn't import the CA into the host certificate store in
/etc/pki/nssdb. I believe those commands require that you trust your IPA CA.
You can import the CA with:

    certutil -A -d /etc/pki/nssdb -n 'IPA CA' -t CT,C,C -a -i /etc/ipa/ca.crt

Also, make sure to generate a host cert for the machine (also in
/etc/pki/nssdb) and have IPA sign it.

Steve

_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
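A way to check a manually enrolled client for the trust entry Steve describes, as an added example that is not part of the thread: it parses `certutil -L` output for the 'IPA CA' nickname and verifies the SSL trust flags, printing the import command from the reply when they are wrong. The NSSDB, CA_NICK and CA_FILE defaults are taken from the reply; the sample listing is constructed.

```shell
# Added example, not from the thread: audit a `certutil -L` listing of the
# client NSS database for the IPA CA entry the 'ipa' CLI needs, using the
# nickname, path and trust flags from Steve's reply.
NSSDB=${NSSDB:-/etc/pki/nssdb}
CA_NICK=${CA_NICK:-IPA CA}
CA_FILE=${CA_FILE:-/etc/ipa/ca.crt}
# Print the trust flags recorded for nickname $1, reading a certutil -L
# listing on stdin; print nothing if the nickname is absent.
ca_trust_flags() {
    awk -v nick="$1" '
        # Entries end in flags such as "CT,C,C", "u,u,u" or ",,"; headers do not.
        $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
            flags = $NF
            match($0, /[[:space:]]+[^[:space:]]+[[:space:]]*$/)
            if (substr($0, 1, RSTART - 1) == nick) { print flags; exit }
        }'
}
# Succeed only if the SSL field (before the first comma) marks a trusted CA:
# both "C" (valid CA) and "T" (trusted to issue server certs) are set.
flags_trust_ssl_ca() {
    case "${1%%,*}" in
        *C*T*|*T*C*) return 0 ;;
        *)           return 1 ;;
    esac
}
# Audit a listing on stdin; print the import command from the reply when the
# CA is missing or lacks SSL CA trust. Returns 0 only when trust is correct.
audit_ca_trust() {
    flags=$(ca_trust_flags "$CA_NICK")
    if [ -z "$flags" ]; then
        echo "'$CA_NICK' not found in $NSSDB; import it with:"
    elif flags_trust_ssl_ca "$flags"; then
        echo "'$CA_NICK' present with trust flags $flags: OK"
        return 0
    else
        echo "'$CA_NICK' has trust flags $flags (no SSL CA trust); fix with:"
    fi
    echo "  certutil -A -d $NSSDB -n '$CA_NICK' -t CT,C,C -a -i $CA_FILE"
    return 1
}

# Constructed listing in certutil -L format (header real, entries made up);
# on a real client use: certutil -L -d "$NSSDB" | audit_ca_trust
SAMPLE_LISTING='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

IPA CA                                                       CT,C,C
host cert (constructed)                                      u,u,u'
printf '%s\n' "$SAMPLE_LISTING" | audit_ca_trust
```

The same check with flags like `u,u,u` or `c,,` on the CA entry reports it as untrusted, which is the condition behind the SEC_ERROR_UNTRUSTED_ISSUER error in the original post.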
