On 04/26/2012 07:10 PM, David Copperfield wrote:
> IPA Replica installation fails on IPv4 Linux box. The
> exception/messages on screen are:
>
> ...
> error: [Errno 97] Address family not supported by protocol
> ...
>
> After looking into the Python code, it is found out that the IPA
> program tried to test both IPv4 and IPv6 address families, and it
> failed there when IPv6 is turned off.
>
> So I turn on IPv6 again, try ipa-conncheck again and it works this time.
>
This rings a bell; I think we already have a ticket for that.

> --David
>
> ------------------------------------------------------------------------
> *From:* hshhs caca <[email protected]>
> *To:* "[email protected]" <[email protected]>
> *Sent:* Thursday, April 26, 2012 1:51 PM
> *Subject:* [Freeipa-users] What are the main purposes of Dogtag
> certificate system inside IPA
>
> Hi folks,
>
> When evaluating migration from existing separate LDAP/Kerberos
> solution to integrated IPA, I got confused about the purposes of Dogtag
> Certificate system inside IPA. What are the main purposes of it? Or
> what value does it bring to IPA?
>
> I can see the points of KDC and 389 Directory server parts, even NTP
> and DNS, but not for Dogtag. Frankly, I am not sure where I should put
> it. Say, for Kerberos authentication, I need only /etc/krb5.conf and
> /etc/krb5.keytab locally on client and then krb5 tools/libs will do
> their work happily. Then why should I authenticate a machine with
> certificate, or certificate+keytab -- either way the certificate part
> is a MUST -- see document
> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/hosts.html
> (at the very bottom).
>
> A close question is: what are the main points/benefits of machine
> authentication? Because with traditional keytab-based Kerberos
> setup, the users, machines and services can authenticate no problem,
> then why do we need an extra authentication with machine certificate as a
> must?
>
> Please help me clarify the question of why the statement
> 'pkinit_anchors = FILE:/etc/ipa/ca.crt' is put inside krb5.conf after
> running ipa-client-install script? What is its purpose?
>
> Last problem is: after following the steps at
> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/linux-manual.html
> to set up my Linux client manually, I still cannot run the 'ipa user-find'
> command on the client, while another Linux client of the same type installed
> with 'ipa-client-install' has no problem running it. Is there any
> difference between manual and automatic installations?
>
> Sorry I got too many questions and probably more, as I read through the
> Red Hat IPA document several times, and every time more questions pop
> up. :)
>
> Thanks a lot.
>
> --Robinson
>
> _______________________________________________
> Freeipa-users mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/freeipa-users

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
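
An added example, not part of the thread and not FreeIPA's own code: one way a connectivity check can probe both address families while treating the `[Errno 97]` (EAFNOSUPPORT) reported above as "family unavailable" instead of a fatal error. The names `open_listeners`, `FAMILIES` and the `factory` parameter are assumptions made for illustration.

```python
import errno
import socket

# Address families to probe, each with its wildcard listen address.
FAMILIES = (
    (socket.AF_INET, "0.0.0.0"),
    (socket.AF_INET6, "::"),
)


def open_listeners(port, factory=socket.socket):
    """Open one TCP listener per address family the kernel supports.

    Returns (listeners, skipped). A family rejected with EAFNOSUPPORT
    (errno 97 on Linux) is recorded in `skipped`; any other error is
    re-raised so real problems (port in use, permissions) stay visible.
    `factory` is a hypothetical hook so the socket constructor can be faked.
    """
    listeners, skipped = [], []
    for family, wildcard in FAMILIES:
        try:
            sock = factory(family, socket.SOCK_STREAM)
        except OSError as exc:
            if exc.errno == errno.EAFNOSUPPORT:
                skipped.append(family.name)
                continue
            raise
        try:
            if family == socket.AF_INET6:
                # v6-only, so the "::" listener does not clash with the v4 one.
                sock.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 1)
            sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            sock.bind((wildcard, port))
            sock.listen(1)
        except OSError:
            sock.close()
            raise
        listeners.append(sock)
    if not listeners:
        # Nothing usable at all is still an error worth reporting.
        raise OSError(errno.EAFNOSUPPORT, "no usable address family")
    return listeners, skipped


if __name__ == "__main__":
    socks, skipped = open_listeners(0)  # port 0: the kernel picks a free port
    for s in socks:
        print(s.family.name, s.getsockname()[:2])
        s.close()
    print("skipped:", skipped)
```

On a host with IPv6 turned off this returns the IPv4 listener and reports `AF_INET6` as skipped, so the check can warn about the missing family and carry on.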
