If a hostname was provided, it wasn't used to configure either certmonger or sssd. This resulted in a non-working configuration.

Additionally, on un-enrollment the wrong hostname was unenrolled; it used the value of gethostname() rather than the one that was passed into the installer.

We have to modify the CA configuration of certmonger to make it use the right principal when requesting certificates. The filename is unpredictable, but it will be in /var/lib/certmonger/cas. We need to hunt for ipa_submit and add -k <principal> to it, then undo that on uninstall. These files are created the first time the certmonger service starts, so start and stop it before messing with them.

ticket 1029

To test do something like:

# ipa-client-install --hostname some_other_host.example.com
# ipa-getcert list
# id admin

If id admin works it means sssd is set up properly, you can confirm by looking at ipa_hostname in /etc/sssd/sssd.conf.

The certificate in ipa-getcert should be MONITORING.

Now on the IPA server look at the host entry for some_other_host.example.com and it should have Keytab: True

Now run: ipa-client-install --uninstall

The host entry on the server should have Keytab: False

ipa-getcert list should return nothing (you'll need to start the certmonger service to see it)

rob

Attachment: freeipa-rcrit-749-hostname.patch
Description: application/mbox
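The CA-file edit the message describes (find the certmonger CA entry whose helper is the IPA submit helper, append "-k <principal>", and strip it again on uninstall), written out as an added shell example. This is not the patch itself and not FreeIPA code; the sample CA file it creates is constructed, and the "ca_external_helper=" key and the "/usr/libexec/certmonger/ipa-submit" helper path are assumptions about the file layout under /var/lib/certmonger/cas.

```shell
#!/bin/sh
# Added example, not part of the patch: manage the "-k <principal>" option on
# certmonger's IPA submit helper line. The CA file layout below is assumed.

CAS_DIR=${CAS_DIR:-/var/lib/certmonger/cas}

# The CA files only exist after certmonger has started once, so cycle the
# service before editing (only meaningful on a real host; never run by the test).
ensure_cas_files() {
    if [ -z "$(ls -A "$CAS_DIR" 2>/dev/null)" ]; then
        service certmonger start && service certmonger stop
    fi
}

# Write a constructed sample CA file into $1 so the functions can be run offline.
make_sample_cas() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/20110101-ipa" <<'EOF'
id=IPA
ca_is_default=0
ca_type=EXTERNAL
ca_external_helper=/usr/libexec/certmonger/ipa-submit
EOF
}

# Append "-k $2" to every IPA submit helper line under $1 that lacks a -k option.
# "ipa.submit" matches both the ipa_submit and ipa-submit spellings.
add_principal_to_cas() {
    dir=$1
    principal=$2
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if grep -q '^ca_external_helper=.*ipa.submit' "$f" &&
           ! grep -q '^ca_external_helper=.*ipa.submit.* -k ' "$f"; then
            sed "s|^\(ca_external_helper=.*ipa.submit.*\)\$|\1 -k $principal|" "$f" > "$f.tmp" &&
                mv "$f.tmp" "$f"
        fi
    done
}

# Uninstall path: drop the "-k <principal>" option again.
remove_principal_from_cas() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if grep -q '^ca_external_helper=.*ipa.submit.* -k ' "$f"; then
            sed 's|^\(ca_external_helper=.*ipa.submit.*\) -k [^ ]*|\1|' "$f" > "$f.tmp" &&
                mv "$f.tmp" "$f"
        fi
    done
}

# Show the helper line(s) so the edit can be checked (compare with "ipa-getcert list").
helper_line() {
    cat "$1"/* | grep '^ca_external_helper='
}

# Stand-alone use: "add host/HOST@REALM" on install, "remove" on uninstall.
case "${1:-}" in
    add)    ensure_cas_files; add_principal_to_cas "$CAS_DIR" "$2" ;;
    remove) remove_principal_from_cas "$CAS_DIR" ;;
esac
```

Running it as "sh script.sh add host/some_other_host.example.com@EXAMPLE.COM" edits the live CA files (requires root); the add step is idempotent, so re-running the installer does not stack several -k options.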

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel