I'm pretty sure ya'll are tired of my stupid questions, but I've got that new Geek smell with regards to IPA, and definitely with manual configuration.  This should be easy to answer.  I've got all the necessaries manually setup and I'm at the step to get the certificate from the IPA server.  TFM states this is the correct syntax to do so:

[root@ipaclient ~]# ipa-getcert request -d /etc/pki/nssdb -n Server-Cert -K HOST/ipaclient.example.com -N 'CN=ipaclient.example.com,O=EXAMPLE.COM'

The problem I'm having is with the HOST/ and CN options, the reason being that the host I'm enrolling doesn't have the same domain name as the IPA server I'm using.  The client is 'rad.astacalska.net' and the IPA server domain (and realm) is neonova.net.  In IPA the client principal alias is host/rad.astacalaska....@neonova.net.  I tried this:

ipa-getcert  request -d /etc/pki/nssdb -n Server-Cert -K HOST/rad.astacalaska.net -N 'CN=rad.astacalaska.net,O=NEONOVA.NET'

But after this completes (without an error I might add) and I try to su into my IPA account on the server I get 'unknown user'.  I'm almost certain I've got things configured correctly except for this last bit.  This box is on a /very slow/ link and the getcert was almost instantaneous, which makes me wonder if the command is wrong.  I can post logs if need be, but getting them is time consuming so this might be a long troubleshooting process.  So, is the command above correct?  Or should it be changed?

Mark Haney
Network Engineer at NeoNova
919-460-3330 option 1
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to