Hello 

Just trying to add Scientific Linux 6 (RHEL 6) to freeipa. Sorry to say that,
but after reading a lot of the documentation I found that most of it is
obsolete or just wrong. For example, in
http://freeipa.org/docs/2.0.0/Client_Setup_Guide/en-US/html/#chap-Client_Configuration_Guide-Configuring_Fedora_as_an_IPA_Client
the command ipa-addservice is nowhere available.


Currently I am trying to get a keytab file for the afs service, made via the web interface,
using:

ipa-getkeytab -s freeipa.[domain] -p afs/afs.[domain]@[REALM] -k /tmp/afs.keytab

All I get is: Operation failed! unsupported extended operation
Note: Replaced the original domain and realm with placeholders.


The client is: ipa-client-2.0-9.el6.i686 
The server is: freeipa-server-2.0.0.rc3-0.fc14.i686 


First, I had to make the kerberos principal key for host and afs-service by
hand on the command line. Why?
Second why can I not get this key out of the web interface to add it to the afs 
service? I can only see the option to delete this key in the section services. 
The ipa-getkeytab also fails (see above) 
Third: The documentation contains no section to add a RHEL6/SL client to free 
ipa. Why? 
Fourth: The default principal set for kadmin is wrong, it's set to
admin/admin@REALM instead of admin@REALM (seems to be wrong on all kerberos
implementations)
Fifth: Running ipa-client-install works only with the
_ldap._tcp.[Domain] SRV 10 10 389 [server]
_kerberos._tcp.[Domain] SRV 0 0 88 [server]
in the dns zone.
The information in http://freeipa.org/page/DNS_Location_Discovery is
completely wrong. The entries for _ldap and _kerberos are not related to
_network, which does not even exist in bind9; they are related to a domain/zone.
Sixth: the ipa-client install doesn't generate a keytab file for the host 
principal and does not extract the ca cert from the ipa server for the ldap 
communication with the server. 


Looks all really confusing to me. 
So what are the correct steps to add a freeipa 2.0 client and a service such as
nfs/afs/smb etc. to a freeipa 2.0 server on Fedora 14?



Regards 


Roland 





------------------------------------------------------------------------------------------------------------------------------
 
Those who give up their freedom in favor of security
will in the end have neither - and do not deserve it either.
(Benjamin Franklin) 
------------------------------------------------------------------------------------------------------------------------------
 
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
