Stephen Ingram wrote:
Looking at section 3.1 of the documentation I see the process for what
happens during a client setup. In cases where there is no ipa-client
support, this is likely the best option. Is there any more specific
documentation that details the exact procedure (i.e. how to import the
CA certificate, obtain services principals) of what happens during the
ipa-join process? I seem to remember this from version 1 and even
earlier versions of 2.x, but I can't find it anywhere now.

Retrieve the CA certificate for the FreeIPA CA.

# wget -O /etc/ipa/ca.crt

Create a separate Kerberos configuration to test the provided credentials. This enables a Kerberos connection to the FreeIPA XML-RPC server, necessary to join the FreeIPA client to the FreeIPA domain. This Kerberos configuration is ultimately discarded.

- Basically just copy a working krb5.conf to /etc/krb5.conf and set up sssd or nss_ldap as documented.

# kinit admin
# ipa-join -s -b dc=example,dc=com

Or if using a one-time password you can skip the kinit and do

# ipa-join -s -b dc=example,dc=com -w Secret123

ipa-join lets IPA know a host is enrolled, retrieves a host principal and stores it in /etc/krb5.keytab.

Enable certmonger, retrieve an SSL server certificate, and install the certificate in /etc/pki/nssdb.

# service messagebus start
# service certmonger start
# certutil -A -d /etc/pki/nssdb -n 'IPA CA' -t CT,C,C -a -i /etc/ipa/ca.crt
# ipa-getcert request -d /etc/pki/nssdb -n 'IPA Machine Certificate -' -N ',O=EXAMPLE.COM; -K host/

Disable the nscd daemon.

# service nscd stop
# chkconfig nscd off


Freeipa-users mailing list