Roland Kaeser wrote:
Hello

I am just trying to add Scientific Linux 6 (RHEL 6) into FreeIPA. Sorry to
say that, but after reading a lot of the documentation I found that
most of it is obsolete or just wrong. For example, in
http://freeipa.org/docs/2.0.0/Client_Setup_Guide/en-US/html/#chap-Client_Configuration_Guide-Configuring_Fedora_as_an_IPA_Client
the command ipa-addservice is nowhere available.

You want to use this guide:
http://obriend.fedorapeople.org/freeIPA2.0/Identity_and_Policy_Management_Guide/html-single/

I've removed references to the older documentation.

The command you want is ipa service-add afs/...


Currently I try to get a keytab file for the afs service made via web
interface using:

ipa-getkeytab -s freeipa.[domain] -p afs/afs.[domain]@[REALM] -k /tmp/afs.keytab

All I get is: Operation failed! unsupported extended operation
Note: Replaced the original domain and realm with placeholders.

The client is: ipa-client-2.0-9.el6.i686
The server is: freeipa-server-2.0.0.rc3-0.fc14.i686

In rc2 we had to make a change to the OID used for some operations because they were duplicated. The OID for the ipa-getkeytab operation was one of them, so older clients don't work with newer servers. IIRC the EL6 ipa-client was based on the alpha 3 release.

I attached a patch that gives the general idea of what needs to change. It was originally for the EL 5 branch but it may work with few changes in EL6.

First, I had to make the Kerberos principal key for the host and the afs
service by hand on the command line. Why?

I'm not sure what you mean given the next question.

Second, why can I not get this key out of the web interface to add it to
the afs service? I can only see the option to delete this key in the
Services section. ipa-getkeytab also fails (see above).

The only way to retrieve a keytab currently is with the ipa-getkeytab command.

Third: The documentation contains no section on adding a RHEL6/SL client to
FreeIPA. Why?

Old documentation.

Fourth: The default principal set for kadmin is wrong; it's set to
admin/admin@REALM instead of admin@REALM (this seems to be wrong on all
Kerberos implementations).

admin is a user we create.

Fifth: Running ipa-client-install works only with the
_ldap._tcp.[Domain] SRV 10 10 389 [server]
_kerberos._tcp.[Domain] SRV 0 0 88 [server]
in the dns zone.

You should be able to provide the server name to the ipa-client-install script.

The information at http://freeipa.org/page/DNS_Location_Discovery
is completely wrong. The entries for _ldap and _kerberos are not related
to _network, which does not even exist in bind9; they are related to a
domain/zone.

This is just a draft design document.

Sixth: ipa-client-install doesn't generate a keytab file for the host
principal and does not extract the CA cert from the IPA server for the
LDAP communication with the server.

Did the installation complete successfully? From everything you've said up to now it sounds like ipa-client-install has been failing in one way or another. If it succeeds you'll end up with a host service principal in /etc/krb5.keytab.

It all looks really confusing to me.
So what are the correct steps to add a FreeIPA 2.0 client and a service
such as nfs/afs/smb etc. to a FreeIPA 2.0 server on Fedora 14?

(you need the freeipa-python, freeipa-admintools and freeipa-client pkgs for this)

# ipa-client-install
# kinit admin
# ipa service-add afs/client.example.com
# ipa-getkeytab -s ipa.example.com -k /etc/krb5.keytab -p afs/client.example....@example.com

Also note that the 2.0 GA release is not available on Fedora 14. It lacks certified dogtag 9 packages. They are available from our development repo but you'd be unlikely to get support on those. We realize that Fedora 15 isn't quite ready yet but it was always our release target for IPA v2.

regards

rob

Attachment: ipa-client-oid.patch
Description: application/mbox
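The four-step procedure in Rob's reply (ipa-client-install, kinit admin, ipa service-add, ipa-getkeytab), as an added example that is not part of the thread and not FreeIPA's own tooling: a small POSIX sh wrapper around the same commands with the checks a practitioner would want before running them on a real host. It validates the principal name, verifies the resulting keytab with klist instead of trusting ipa-getkeytab's exit status, and refuses to re-run against a keytab that already holds the principal, because ipa-getkeytab generates a fresh key for the principal and thereby invalidates every keytab previously issued for it. The hostnames, the realm, the separate /etc/afs.keytab path and the --server/--domain/--realm flags passed to ipa-client-install are assumptions made for illustration (Rob's reply writes the service key into /etc/krb5.keytab instead; either works).

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA: the client enrolment
# and service-keytab procedure wrapped in functions with sanity checks.
# All names, paths and flags below are placeholders constructed for this example.

# build_principal SERVICE FQDN REALM
# Prints "SERVICE/FQDN@REALM"; rejects input that would create the wrong
# principal (a bare short hostname, a realm pasted as the lower-case DNS domain,
# a service string that already carries a '/' or '@').
build_principal() {
    svc=$1 host=$2 realm=$3
    case $svc in
        ''|*/*|*@*) echo "build_principal: bad service name '$svc'" >&2; return 1 ;;
    esac
    case $host in
        *.*) ;;
        *) echo "build_principal: host must be fully qualified: '$host'" >&2; return 1 ;;
    esac
    # Kerberos realms are upper-case by convention; a lower-case realm here
    # almost always means the DNS domain was pasted by mistake.
    if [ "$realm" != "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ]; then
        echo "build_principal: realm should be upper-case: '$realm'" >&2
        return 1
    fi
    printf '%s/%s@%s\n' "$svc" "$host" "$realm"
}

# keytab_has_principal KEYTAB PRINCIPAL
# Returns 0 if klist lists the principal in the keytab (exact match on the
# last column of 'klist -kt' output). Fails cleanly if klist or the file is absent.
keytab_has_principal() {
    klist -kt "$1" 2>/dev/null | awk -v p="$2" '$NF == p { found = 1 } END { exit !found }'
}

# fetch_service_keytab SERVER PRINCIPAL KEYTAB
# Registers the service (if missing) and pulls its key into KEYTAB.
# CAVEAT: ipa-getkeytab creates a NEW key for the principal, so every keytab
# issued earlier for it stops working. Guard against rekeying a live service.
fetch_service_keytab() {
    server=$1 princ=$2 keytab=$3
    if keytab_has_principal "$keytab" "$princ"; then
        echo "refusing to rekey $princ: $keytab already contains it" >&2
        return 1
    fi
    # Safe to re-run after a failed retrieval: only add the service if unknown.
    ipa service-show "$princ" >/dev/null 2>&1 || ipa service-add "$princ" || return 1
    ipa-getkeytab -s "$server" -p "$princ" -k "$keytab" || return 1
    # Do not trust the exit status alone; confirm the key actually landed.
    keytab_has_principal "$keytab" "$princ"
}

# enrol_afs_client SERVER REALM [KEYTAB]
# Full run as typed on the client; needs freeipa-client, freeipa-python and
# freeipa-admintools. The ipa-client-install flags are assumed (see lead-in).
enrol_afs_client() {
    server=$1 realm=$2 keytab=${3:-/etc/afs.keytab}
    princ=$(build_principal afs "$(hostname -f)" "$realm") || return 1
    ipa-client-install --server "$server" --domain "${server#*.}" --realm "$realm" || return 1
    kinit admin || return 1
    fetch_service_keytab "$server" "$princ" "$keytab"
}

# Example invocation (placeholders):
#   enrol_afs_client ipa.example.com EXAMPLE.COM /etc/afs.keytab
```

The enrolment and keytab steps only make sense on a host that can reach an IPA server, so they are kept in separate functions; build_principal and keytab_has_principal can be exercised anywhere. Writing the afs key to its own file rather than /etc/krb5.keytab is a choice, not a requirement: it keeps the host key and the service key separable when one of them has to be rotated.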

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
