Mark Haney via FreeIPA-users wrote:
> I'm pretty sure y'all are tired of my stupid questions, but I've got
> that new Geek smell with regards to IPA, and definitely with manual
> configuration.  This should be easy to answer.  I've got all the
> necessaries manually set up and I'm at the step to get the certificate
> from the IPA server.  TFM states this is the correct syntax to do so:
>
> [root@ipaclient ~]# ipa-getcert request -d /etc/pki/nssdb -n Server-Cert -K HOST/ipaclient.example.com -N 'CN=ipaclient.example.com,O=EXAMPLE.COM'
>
> The problem I'm having is with the HOST/ and CN options, the reason
> being that the host I'm enrolling doesn't have the same domain name as
> the IPA server I'm using.  The client is 'rad.astacalska.net' and the
> IPA server domain (and realm) is neonova.net.  In IPA the client
> principal alias is host/rad.astacalaska....@neonova.net.  I tried this:
>
> ipa-getcert request -d /etc/pki/nssdb -n Server-Cert -K HOST/rad.astacalaska.net -N 'CN=rad.astacalaska.net,O=NEONOVA.NET'

You may want host/... instead of HOST. Case matters for Kerberos principals (but the strings are more or less semi-established "standards"). Strictly speaking the prefix doesn't matter, it provides a "bucket" so IPA knows where to store the cert. If you use host/ it won't conflict with any other host entries and won't require a separate service entry.

Differing hostnames are allowed but the other host name(s) need to have host entries in IPA and it needs to be delegated to the enrolled name (managed by in IPA-speak).


> But after this completes (without an error I might add) and I try to su
> into my IPA account on the server I get 'unknown user'.  I'm almost
> certain I've got things configured correctly except for this last bit.
> This box is on a /very slow/ link and the getcert was almost
> instantaneous, which makes me wonder if the command is wrong.  I can
> post logs if need be, but getting them is time consuming so this might
> be a long troubleshooting process.  So, is the command above correct?
> Or should it be changed?


ipa-getcert is asynchronous so you submit a request and a daemon takes care of the rest. ipa-getcert list will show you the status.

A cert isn't required for basic sssd operation.

I think you just need /etc/ipa/default.conf, /etc/sssd/sssd.conf and a keytab but I haven't done a manual configuration in many moons.

By default sssd does very little logging. You might try bumping up the log level so you can see what is going on with the box, whether it can connect to IPA, etc.

rob
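The pieces Rob lists for a manual client setup, rendered as an added example (not code from the thread or from the FreeIPA project): the ipa-getcert request keyed to a lower-case host/ principal, a /etc/ipa/default.conf and a /etc/sssd/sssd.conf with debug_level raised, for a client whose DNS name (rad.astacalaska.net) is not under the IPA domain (neonova.net / NEONOVA.NET). The IPA server name ipa.neonova.net, the basedn derivation, the keytab path and the debug_level value are assumptions for illustration; nothing is written to /etc, every function only prints its result for review.

```shell
#!/bin/sh
# Added example, not from the thread or the FreeIPA project: render the pieces
# Rob lists for a manually configured client. Host, domain and realm names
# come from the thread; the IPA server name passed in is an assumption.
# Nothing is written to /etc; each function prints its result for review.

# Kerberos principal names are case-sensitive: turn "HOST/fqdn" into
# "host/fqdn", and prepend "host/" when only a hostname was given.
normalize_principal() {
    case $1 in
        */*)
            prefix=$(printf '%s' "${1%%/*}" | tr 'A-Z' 'a-z')
            printf '%s/%s\n' "$prefix" "${1#*/}"
            ;;
        *)
            printf 'host/%s\n' "$1"
            ;;
    esac
}

# Build the ipa-getcert request from the thread, keyed to the client's own
# host principal. certmonger handles it asynchronously; check progress with
# "ipa-getcert list".
getcert_request_cmd() {
    fqdn=$1; realm=$2
    principal=$(normalize_principal "host/$fqdn")
    printf "ipa-getcert request -d /etc/pki/nssdb -n Server-Cert -K %s -N 'CN=%s,O=%s'\n" \
        "$principal" "$fqdn" "$realm"
}

# /etc/ipa/default.conf in the shape ipa-client-install writes; basedn is
# derived from the IPA domain (dc=neonova,dc=net for neonova.net).
render_ipa_default_conf() {
    fqdn=$1; domain=$2; realm=$3; server=$4
    basedn="dc=$(printf '%s' "$domain" | sed 's/\./,dc=/g')"
    cat <<EOF
[global]
basedn = $basedn
realm = $realm
domain = $domain
server = $server
host = $fqdn
xmlrpc_uri = https://$server/ipa/xml
enable_ra = True
EOF
}

# Minimal /etc/sssd/sssd.conf for the ipa provider. ipa_hostname carries the
# client's real FQDN even though it is not under the IPA domain; debug_level
# (0-9 scale, default here is an assumption) is raised as Rob suggests so
# connection problems show up under /var/log/sssd/.
render_sssd_conf() {
    fqdn=$1; domain=$2; realm=$3; server=$4; debug=${5:-6}
    cat <<EOF
[sssd]
config_file_version = 2
services = nss, pam
domains = $domain

[domain/$domain]
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
ipa_domain = $domain
ipa_hostname = $fqdn
krb5_realm = $realm
ipa_server = _srv_, $server
krb5_keytab = /etc/krb5.keytab
cache_credentials = True
debug_level = $debug
EOF
}

# Usage: "sh thisfile.sh --demo" prints everything for review; redirect the
# two config renderings to their real paths yourself once they look right.
if [ "${1:-}" = "--demo" ]; then
    getcert_request_cmd rad.astacalaska.net NEONOVA.NET
    render_ipa_default_conf rad.astacalaska.net neonova.net NEONOVA.NET ipa.neonova.net
    render_sssd_conf rad.astacalaska.net neonova.net NEONOVA.NET ipa.neonova.net 6
fi
```

The keytab referenced by krb5_keytab still has to exist and hold the host/rad.astacalaska.net key (fetched with ipa-getkeytab against the host entry), and the host entry for the client name must exist in IPA as Rob notes; with those in place sssd can resolve users without any certificate, and the debug_level output shows whether it reached the server at all.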
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
