Uzor Ide wrote:
I have manually enrolled and configured the client. I am able to log
into the client and access nfs4 shares. What I am wondering is if there
are anything that the client would miss by joining this way. The client
authenticate to the ipa-server through sssd. I would like to know if
HBAC and centrally managed SUDO and other policy enforcements will fail
to work because the manual enrolment.  Note that host certificate was
not generated because of the manual joining.

I guess it means by how you manually joined but based on what you can do I think you covered the major details.

If you have a host service principal in /etc/krb5.keytab and a correctly configured sssd then you are fine for HBAC and nss (users, groups, etc).

SUDO works through nss_ldap so you should be fine there as well.

ipa-client-install doesn't do anything too special, it just makes sure the environment is sane and then sets up sssd.conf, krb5.conf, fetches a host service principal and uses certmonger to get an SSL server cert. This last step is done as a convenience, it otherwise isn't used by IPA. But if you wanted to setup an HTTP server that uses the same PKI as IPA you'd have a certificate and key available.




On Tue, Mar 22, 2011 at 12:25 PM, Dmitri Pal <
<>> wrote:

    On 03/22/2011 10:34 AM, <>
     > Thanks Rob,
     > However the client is a fedora 13 box.
     > There is no client rpm for fedora 13

    We do not build F13 any more as the packages and functionality they
    provide deviated so far between F14-F15 and F13.

     > ------Original Message------
     > From: Rob Crittenden
     > To: Uzor Ide
     > Cc: <>
     > Subject: Re: [Freeipa-users] ipa client install
     > Sent: Mar 22, 2011 9:44 AM
     > Uzor Ide wrote:
     >> Hi
     >> Is there a requirement for the same version of client as the server.
     >> I've just install freeipa server version 2.0 rc3. While on the
     >> side, I have a previously installed client version 2.0 beta1. It
     >> not join the realm. I had run the client install script to
    remove the
     >> client from the another 2.0 beta1 server.
     >> But when I try to run against the new server, to join the server
     >> 2.0 rc3 realm, the discovery goes on smoothly after which I get the
     >> following
     >> Continue to configure the system with these values? [no]: yes
     >> Joining realm failed: Operation failed! unsupported extended
     >> child exited with 9
     >> Certificate subject base is: o=uzdomainco
     >> The client's kerberos keytab is not update and non of the config
     >> are update.
     >> However when you use the command ipa host-find on the server the
    host is
     >> listed.
     >> Any ideas what the issue would be?
     >> thanks
     >> ide
     > A change was made in 2.0rc2 in the release that made pre rc2 clients
     > unable to join rc2 and beyond servers. We changed the LDAP extended
     > operation OID used for doing online enrollment and retrieving keytabs
     > which is why the older clients now fail (we had inadvertently
    used them
     > in more than one place).
     > You should be able to just upgrade the client rpm and enrollment
    will work.
     > rob
     > Sent on the TELUS Mobility network with BlackBerry
     > _______________________________________________
     > Freeipa-users mailing list
     > <>

    Thank you,
    Dmitri Pal

    Sr. Engineering Manager IPA project,
    Red Hat Inc.

    Looking to carve out IT costs? <>

    Freeipa-users mailing list <>

Freeipa-users mailing list

Freeipa-users mailing list

Reply via email to