I'm pretty sure y'all are tired of my stupid questions, but I've got
that new Geek smell with regards to IPA, and definitely with manual
configuration. This should be easy to answer. I've got all the
necessaries manually set up and I'm at the step to get the certificate
from the IPA server. TFM states this is the correct syntax to do so:

    [root@ipaclient ~]# ipa-getcert request -d /etc/pki/nssdb -n Server-Cert \
        -K HOST/ipaclient.example.com -N 'CN=ipaclient.example.com,O=EXAMPLE.COM'

The problem I'm having is with the HOST/ and CN options, the reason
being that the host I'm enrolling doesn't have the same domain name as
the IPA server I'm using. The client is 'rad.astacalska.net' and the
IPA server domain (and realm) is neonova.net. In IPA the client
principal alias is host/rad.astacalaska....@neonova.net. I tried this:

    ipa-getcert request -d /etc/pki/nssdb -n Server-Cert \
        -K HOST/rad.astacalaska.net -N 'CN=rad.astacalaska.net,O=NEONOVA.NET'

But after this completes (without an error, I might add) and I try to su
into my IPA account on the server I get 'unknown user'. I'm almost
certain I've got things configured correctly except for this last bit.
This box is on a /very slow/ link and the getcert was almost
instantaneous, which makes me wonder if the command is wrong. I can
post logs if need be, but getting them is time consuming so this might
be a long troubleshooting process. So, is the command above correct?
Or should it be changed?
Network Engineer at NeoNova
919-460-3330 option 1