Sorry for quick continuation...

Certificate added to nss DB in /etc/pki:

certutil -A -d /etc/pki/ -n "IPA CA" -t CT,C,C -a -i pki/ca.crt

sssd configured according to
http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/linux-manual.html

How do I test now, before changing PAM options, that the pieces fit together?

(Sorry for being a bit too tired...)

M.

On Fri, Aug 30, 2013 at 1:49 AM, Michał Dwużnik <[email protected]> wrote:

> Ok, going step by step I did the following on squeeze:
>
> set up ntp, time synced with ipa server
>
> test setup is done on
> ipa.localdomain (server)
> client.localdomain
> (client on Scientific Linux 6.4, looks ok after ipa-client-install, ssh
> works for test users tester and tester2)
>
> client2.localdomain is the Debian Squeeze client
>
> added host client2.localdomain on IPA server, added 'managedby', got the
> keytab and put the 'client2.keytab' in /etc/krb5.keytab on client2
>
> most important part of /etc/krb5.conf:
>
> [realms]
> LOCALDOMAIN = {
> kdc = ipa.localdomain
> admin_server = ipa.localdomain
> }
>
> [domain_realm]
> .localdomain = LOCALDOMAIN
> localdomain = LOCALDOMAIN
> default_domain = localdomain
>
> [libdefaults]
> default_realm = LOCALDOMAIN
>
>
> The following lets me think the KRB5 part of the setup is done correctly:
>
> root@client2:/etc# kinit admin
> Password for admin@LOCALDOMAIN:
> root@client2:/etc# kdestroy
> root@client2:/etc# kinit tester
> Password for tester@LOCALDOMAIN:
> root@client2:/etc# klis
> -su: klis: command not found
> root@client2:/etc# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: tester@LOCALDOMAIN
>
> Valid starting       Expires              Service principal
> 08/30/13 00:35:50    08/31/13 00:35:47    krbtgt/LOCALDOMAIN@LOCALDOMAIN
>
>
> root@client2:/etc# kpasswd tester
> Password for tester@LOCALDOMAIN:
> Enter new password:
> Enter it again:
> Password changed.
>
>
> I guess that's the point of snapshotting 'KRB done' state (can I be wrong?)
>
> DNS for all the hosts involved is similar to:
> root@client2:/etc# nslookup ipa
> Server:         192.168.137.29
> Address:        192.168.137.29#53
>
> Name:   ipa.localdomain
> Address: 192.168.137.13
>
> root@client2:/etc# nslookup 192.168.137.13
> Server:         192.168.137.29
> Address:        192.168.137.29#53
>
> 13.137.168.192.in-addr.arpa     name = ipa.localdomain.
>
> Now I guess it's time for certificates, where I do have some doubts...
>
> I've added the SSH host keys via web interface, now the cert part:
>
> having generated the CSR after creating the new database:
>
> certutil -R -d . -a -g 2048 -s 'CN=client2.localdomain,O=LOCALDOMAIN'
> (in the /etc/pki dir) I paste the CSR and Issue the certificate for host
>
> (/etc/pki contains newly created cert8.db key3.db secmod.db )
>
> Which of those should be used to add the cert to?
>
> (like certutil -A -d /etc/pki/nssdb -n "IPA CA" -t CT,C,C -a -i /path/to/ca.crt)
>
> All of the tries result in:
> root@client2:/etc/pki# certutil -A -d /etc/pki/cert8.db -n "IPA CA" -t CT,C,C -a -i ./ca.crt
> certutil: function failed: security library: bad database.
> root@client2:/etc/pki# certutil -A -d /etc/pki/secmod.db -n "IPA CA" -t CT,C,C -a -i ./ca.crt
> certutil: function failed: security library: bad database.
> root@client2:/etc/pki# certutil -A -d /etc/pki/key3.db -n "IPA CA" -t CT,C,C -a -i ./ca.crt
> certutil: function failed: security library: bad database.
>
> Could someone show me my mistake?
>
> Regards
> Michal
>
>
> On Thu, Aug 29, 2013 at 9:00 PM, Michał Dwużnik <[email protected]> wrote:
>
>> As for now I have set up a 'known good' client on RH based distro, to get
>> the feeling how the config files
>> look like when configured correctly.
>>
>> Thanks for the nice reference
>>
>> M.
>>
>>
>> On Thu, Aug 29, 2013 at 7:56 PM, Rob Crittenden <[email protected]> wrote:
>>
>>> Michał Dwużnik wrote:
>>>
>>>> Hi folks,
>>>>
>>>> did anyone succeed in connecting such an old thing recently to freeipa
>>>> server?
>>>>
>>>> Is there a document (or an archive post) about connecting a 'non ipa
>>>> aware' client step by step?
>>>> I got as far as working Kerberos with no issues, hit a wall with ldap
>>>> part..
>>>>
>>>
>>> You might try this:
>>> http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/linux-manual.html
>>>
>>> rob
>>>
>>
>>
>> --
>> Michal Dwuznik
>>
>
>
> --
> Michal Dwuznik
>

--
Michal Dwuznik
_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
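Two things the thread leaves open, shown as an added example that is not the poster's or FreeIPA's own code: what path certutil -d actually expects (the "bad database" errors above come from pointing it at cert8.db/key3.db/secmod.db instead of the directory that holds them), and how to exercise the Kerberos, LDAP and sssd pieces before PAM is changed. Realm LOCALDOMAIN, server ipa.localdomain, CA nickname "IPA CA", user tester and DB directory /etc/pki are taken from the thread; the LDAP suffix dc=localdomain is assumed from the domain name.

```shell
#!/bin/sh
# Added example for this thread (not the poster's or FreeIPA's own code).
# Assumptions: realm LOCALDOMAIN, server ipa.localdomain, suffix
# dc=localdomain (assumed), CA nickname "IPA CA", user "tester", DB dir /etc/pki.

# certutil -d wants the DIRECTORY holding cert8.db/key3.db/secmod.db (legacy
# "dbm" format) or cert9.db/key4.db (newer "sql" format). Passing one of the
# files themselves, as in the thread, is what yields
# "security library: bad database". Prints the -d argument to use.
nssdb_dir_arg() {
    p=$1
    # A db file path is forgiven: use the directory it lives in.
    case "$(basename "$p")" in
        cert8.db|key3.db|secmod.db|cert9.db|key4.db|pkcs11.txt)
            p=$(dirname "$p") ;;
    esac
    [ -d "$p" ] || { echo "not a directory: $p" >&2; return 1; }
    if [ -f "$p/cert8.db" ] && [ -f "$p/key3.db" ] && [ -f "$p/secmod.db" ]; then
        echo "$p"                      # legacy dbm DB: plain path, as in the thread
    elif [ -f "$p/cert9.db" ] && [ -f "$p/key4.db" ]; then
        echo "sql:$p"                  # sql DB needs the sql: prefix
    else
        echo "no NSS database files in $p" >&2; return 1
    fi
}

# Checks that run without touching PAM; each one must pass on its own.
ipa_preflight() {
    dbdir=$(nssdb_dir_arg "${1:-/etc/pki}") || return 1
    host=$(hostname -f)
    # 1. the IPA CA really landed in the NSS DB under the expected nickname
    certutil -L -d "$dbdir" -n "IPA CA" >/dev/null || { echo "IPA CA missing in $dbdir" >&2; return 1; }
    # 2. the host keytab holds this host's principal and still decrypts
    klist -k /etc/krb5.keytab | grep -q "host/$host@LOCALDOMAIN" || { echo "no host principal in keytab" >&2; return 1; }
    kinit -k "host/$host@LOCALDOMAIN" || return 1
    # 3. LDAP over GSSAPI against the IPA tree (the same path sssd will use)
    ldapsearch -Y GSSAPI -H ldap://ipa.localdomain -b 'cn=accounts,dc=localdomain' \
        '(uid=tester)' uid >/dev/null || { echo "GSSAPI LDAP search failed" >&2; return 1; }
    # 4. identity lookup through nsswitch/sssd, independent of PAM
    getent passwd tester >/dev/null || { echo "getent via sssd failed" >&2; return 1; }
    kdestroy
    echo "preflight OK"
}

# Run the checks only when invoked with a DB directory argument.
if [ $# -gt 0 ]; then ipa_preflight "$1"; fi
```

Once all four steps pass, the remaining risk is confined to the PAM stack, so that change can be made (and snapshotted) on its own.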
