Stephen Ingram wrote:
Looking at section 3.1 of the documentation I see the process for what
happens during a client setup. In cases where there is no ipa-client
support, this is likely the best option. Is there any more specific
documentation that details the exact procedure (i.e. how to import the
CA certificate, obtain services principals) of what happens during the
ipa-join process? I seem to remember this from version 1 and even
earlier versions of 2.x, but I can't find anywhere now.
Retrieve the CA certificate for the FreeIPA CA.
# wget -O /etc/ipa/ca.crt http://ipa.example.com/ipa/config/ca.crt
Create a separate Kerberos configuration to test the provided
credentials. This enables a Kerberos connection to the FreeIPA XML-RPC
server, necessary to join the FreeIPA client to the FreeIPA domain. This
Kerberos configuration is ultimately discarded.
- Basically just copy a working krb5.conf to /etc/krb5.conf and set up
sssd or nss_ldap as documented.
# kinit admin
# ipa-join -s ipa.example.com -b dc=example,dc=com
Or if using a one-time password you can skip the kinit and do
# ipa-join -s ipa.example.com -b dc=example,dc=com -w Secret123
ipa-join lets IPA know a host is enrolled and retrieves a host principal
and stores it into /etc/krb5.keytab.
Enable certmonger, retrieve an SSL server certificate, and install the
certificate in /etc/pki/nssdb.
# service messagebus start
# service certmonger start
# certutil -A -d /etc/pki/nssdb -n 'IPA CA' -t CT,C,C -a -i /etc/ipa/ca.crt
# ipa-getcert request -d /etc/pki/nssdb -n 'IPA Machine Certificate -
client.example.com' -N 'cn=client.example.com,O=EXAMPLE.COM; -K
Disable the nscd daemon.
# service nscd stop
# chkconfig nscd off
Freeipa-users mailing list