Roland Kaeser wrote:
HelloJust try to add Scientific Linux 6 (RHEL 6) into the freeipa. Sorry to say that but after reading a lot of the documentation I found that the most of it is obselete or just wrong. For Sample: in http://freeipa.org/docs/2.0.0/Client_Setup_Guide/en-US/html/#chap-Client_Configurat ion_Guide-Configuring_Fedora_as_an_IPA_Client <http://freeipa.org/docs/2.0.0/Client_Setup_Guide/en-US/html/#chap-Client_Configuration_Guide-Configuring_Fedora_as_an_IPA_Client> the command: ipa-addservice is nowhere avialable.
You want to use this guide: http://obriend.fedorapeople.org/freeIPA2.0/Identity_and_Policy_Management_Guide/html-single/ I've removed references to the older documentation. The command you want is ipa service-add afs/...
Currently I try to get a keytab file for the afs service made via web interface using: ipa-getkeytab -s freeipa.[domain] -p afs/afs.[domain]@[REALM] -k /tmp/afs.keytab all I get is: Operation failed! unsupported extended operation Note: Replaced the original domain and realm with placeholders. The client is: ipa-client-2.0-9.el6.i686 The server is: freeipa-server-2.0.0.rc3-0.fc14.i686
In rc2 we had to make a change to the OID used for some operations because they were duplicated. The OID for the ipa-getkeytab operation was one of them, so older clients don't work with newer servers. IIRC the EL6 ipa-client was based on the alpha 3 release.
I attached a patch that gives the general idea of what needs to change. It was originally for the EL 5 branch but it may work with few changes in EL6.
First, I had to made the kerberos principal key for host and afs-service by hand on command line. Why?
I'm not sure what you mean given the next question.
Second why can I not get this key out of the web interface to add it to the afs service? I can only see the option to delete this key in the section services. The ipa-getkeytab also fails (see above)
The only way to retrieve a keytab currently is with the ipa-getkeytab command.
Third: The documentation contains no section to add a RHEL6/SL client to free ipa. Why?
Fourth: The default principal set to kadmin is wrong, its set to admin/admin@REALM instead of admin@REALM (seems to be wrong on all kerberos implementations)
admin is a user we create.
Fifth: Running ipa-client-install works only with the _ldap._tcp.[Domain] SRV 10 10 389 [server] _kerberos._tcp.[Domain] SRV 0 0 88 [server] in the dns zone.
You should be able to provide the server name to the ipa-client-install script.
The informations in: http://freeipa.org/page/DNS_Location_Discovery <http: //freeipa.org/page/DNS_Location_Discovery> are completely wrong. The entries for _ldap and _kerberos are not related to _network which not even exist in bind9 they are related to a domain/zone.
This is just a draft design document.
Sixth: the ipa-client install doesn't generate a keytab file for the host principal and does not extract the ca cert from the ipa server for the ldap communication with the server.
Did the installation complete successfully? From everything you've said up to now it sounds like ipa-client-install has been failing in one way or another. If it succeeds you'll end up with a host service principal in /etc/krb5.keytab.
Looks all really confusing to me. So whats the correct steps to add a freeipa 2.0 client and a service such as nfs/afs/smb etc. to a freeipa 2.0 server on Fedora 14?
(you need the freeipa-python, freeipa-admintools and freeipa-client pkgs for this)
# ipa-client-install # kinit admin # ipa service-add afs/client.example.com# ipa-getkeytab -s ipa.example.com -k /etc/krb5.keytab -p afs/client.example....@example.com
Also note that the 2.0 GA release is not available on Fedora 14. It lacks certified dogtag 9 packages. They are available from our development repo but you'd be unlikely to get support on those. We realize that Fedora 15 isn't quite ready yet but it was always our release target for IPA v2.
_______________________________________________ Freeipa-users mailing list Freeipaemail@example.com https://www.redhat.com/mailman/listinfo/freeipa-users