Rob-

On Wed, Nov 30, 2011 at 12:04 PM, Rob Crittenden <[email protected]> wrote:
> Retrieve the CA certificate for the FreeIPA CA.
>
> # wget -O /etc/ipa/ca.crt http://ipa.example.com/ipa/config/ca.crt
>
> Create a separate Kerberos configuration to test the provided credentials.
> This enables a Kerberos connection to the FreeIPA XML-RPC server, necessary
> to join the FreeIPA client to the FreeIPA domain. This Kerberos
> configuration is ultimately discarded.
>
> - Basically just copy a working krb5.conf to /etc/krb5.conf and set up sssd
> or nss_ldap as documented.
>
> # kinit admin
> # ipa-join -s ipa.example.com -b dc=example,dc=com
>
> Or if using a one-time password you can skip the kinit and do
>
> # ipa-join -s ipa.example.com -b dc=example,dc=com -w Secret123
>
> ipa-join lets IPA know a host is enrolled and retrieves a host principal and
> stores it into /etc/krb5.keytab.
>
> Enable certmonger, retrieve an SSL server certificate, and install the
> certificate in /etc/pki/nssdb.
>
> # service messagebus start
> # service certmonger start
> # certutil -A -d /etc/pki/nssdb -n 'IPA CA' -t CT,C,C -a -i /etc/ipa/ca.crt
> # ipa-getcert request -d /etc/pki/nssdb -n 'IPA Machine Certificate -
> client.example.com' -N 'cn=client.example.com,O=EXAMPLE.COM' -K
> host/[email protected]
>
> Disable the nscd daemon.
>
> # service nscd stop
> # chkconfig nscd off
Thanks, but aren't some of these steps assuming that ipa-client has been installed on the system? For instance, instead of "# ipa-join -s ipa.example.com -b dc=example,dc=com -w Secret123", can't I instead use kadmin to retrieve the keytab and then securely copy it over to the client system? And, in the case of the ca.crt, if IPA itself is not installed, the CA would not go to /etc/ipa/ca.crt, no?

I realize that I will lose functionality by not having ipa-client, but I'm just trying to build a case for supporting legacy systems that I would never want to take the time to adapt ipa-client for.

Steve

_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
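Rob's first step fetches ca.crt over plain http, so before the `certutil -A` import a practitioner would compare the downloaded file's SHA-256 fingerprint against one obtained out of band (for example from the IPA server itself). The following is an added example, not code from the thread or from FreeIPA, that performs that check in Python with the standard library; the sample PEM body is constructed bytes rather than a real certificate, and the accepted fingerprint formats mirror what `openssl x509 -noout -fingerprint -sha256` prints.

```python
import base64
import hashlib
import hmac
import re

# Constructed stand-in for /etc/ipa/ca.crt. The body is arbitrary bytes, not a
# real X.509 certificate; the fingerprint check only depends on the DER bytes
# between the PEM markers, so the example runs offline.
SAMPLE_DER = b"constructed example bytes, not a real certificate"
SAMPLE_CA_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode()
    + "-----END CERTIFICATE-----\n"
)

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem_text):
    """Return the DER bytes of the first CERTIFICATE block in a PEM file."""
    match = PEM_RE.search(pem_text)
    if not match:
        raise ValueError("no CERTIFICATE block found in PEM input")
    body = "".join(match.group(1).split())  # strip line breaks and spaces
    return base64.b64decode(body, validate=True)


def sha256_fingerprint(der):
    """Colon-separated upper-case SHA-256 fingerprint, as openssl prints it."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(fp):
    """Accept 'AB:CD:..', 'abcd..' or 'sha256 Fingerprint=AB:CD..'; return bare hex."""
    fp = fp.split("=", 1)[-1]
    return re.sub(r"[^0-9A-Fa-f]", "", fp).upper()


def ca_matches_pin(pem_text, expected_fp):
    """True only if the PEM's SHA-256 fingerprint equals the out-of-band pin."""
    want = normalize_fingerprint(expected_fp)
    if len(want) != 64:
        raise ValueError("expected a SHA-256 fingerprint (64 hex digits)")
    got = normalize_fingerprint(sha256_fingerprint(pem_to_der(pem_text)))
    return hmac.compare_digest(got, want)
```

Run `ca_matches_pin(open("/etc/ipa/ca.crt").read(), pin)` after the wget step and only proceed to the `certutil -A` import when it returns True.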
