On Wed, Nov 30, 2011 at 12:04 PM, Rob Crittenden <> wrote:
> Retrieve the CA certificate for the FreeIPA CA.
> # wget -O /etc/ipa/ca.crt
> Create a separate Kerberos configuration to test the provided credentials.
> This enables a Kerberos connection to the FreeIPA XML-RPC server, necessary
> to join the FreeIPA client to the FreeIPA domain. This Kerberos
> configuration is ultimately discarded.
> - Basically just copy a working krb5.conf to /etc/krb5.conf and set up sssd
> or nss_ldap as documented.
> # kinit admin
> # ipa-join -s -b dc=example,dc=com
> Or if using a one-time password you can skip the kinit and do
> # ipa-join -s -b dc=example,dc=com -w Secret123
> ipa-join lets IPA know a host is enrolled and retrieves a host principal and
> stores it into /etc/krb5.keytab.
> Enable certmonger, retrieve an SSL server certificate, and install the
> certificate in /etc/pki/nssdb.
> # service messagebus start
> # service certmonger start
> # certutil -A -d /etc/pki/nssdb -n 'IPA CA' -t CT,C,C -a -i /etc/ipa/ca.crt
> # ipa-getcert request -d /etc/pki/nssdb -n 'IPA Machine Certificate -
> host/
> Disable the nscd daemon.
> # service nscd stop
> # chkconfig nscd off

Thanks, but aren't some of these steps assuming that ipa-client has
been installed on the system? For instance, instead of "# ipa-join -s -b dc=example,dc=com -w Secret123", can't I instead
use kadmin to retrieve the keytab and then securely copy it over to
the client system? And, in the case of the ca.crt, if there if IPA
itself is not installed, the ca would not go to /etc/ipa/ca.crt, no? I
realize that I will lose functionality by not having ipa-client, but
just trying to build a case for supporting legacy systems that I would
never want to take the time to adapt ipa-client for.


Freeipa-users mailing list

Reply via email to