Stephen Ingram wrote:

On Wed, Nov 30, 2011 at 12:04 PM, Rob Crittenden<>  wrote:
Retrieve the CA certificate for the FreeIPA CA.

# wget -O /etc/ipa/ca.crt

Create a separate Kerberos configuration to test the provided credentials.
This enables a Kerberos connection to the FreeIPA XML-RPC server, necessary
to join the FreeIPA client to the FreeIPA domain. This Kerberos
configuration is ultimately discarded.

- Basically just copy a working krb5.conf to /etc/krb5.conf and set up sssd
or nss_ldap as documented.

# kinit admin
# ipa-join -s -b dc=example,dc=com

Or if using a one-time password you can skip the kinit and do

# ipa-join -s -b dc=example,dc=com -w Secret123

ipa-join lets IPA know a host is enrolled and retrieves a host principal and
stores it into /etc/krb5.keytab.

Enable certmonger, retrieve an SSL server certificate, and install the
certificate in /etc/pki/nssdb.

# service messagebus start
# service certmonger start
# certutil -A -d /etc/pki/nssdb -n 'IPA CA' -t CT,C,C -a -i /etc/ipa/ca.crt
# ipa-getcert request -d /etc/pki/nssdb -n 'IPA Machine Certificate -' -N ',O=EXAMPLE.COM; -K

Disable the nscd daemon.

# service nscd stop
# chkconfig nscd off

Thanks, but aren't some of these steps assuming that ipa-client has
been installed on the system? For instance, instead of "# ipa-join -s -b dc=example,dc=com -w Secret123", can't I instead
use kadmin to retrieve the keytab and then securely copy it over to
the client system? And, in the case of the ca.crt, if there if IPA
itself is not installed, the ca would not go to /etc/ipa/ca.crt, no? I
realize that I will lose functionality by not having ipa-client, but
just trying to build a case for supporting legacy systems that I would
never want to take the time to adapt ipa-client for.


The only part assuming that is ipa-join itself. IPA does not support the direct use of kadmin or kadmin.local. On a supported platform you'd run:

# ipa-getkeytab -s -k /tmp/remote.keytab -p host/

Then ship /tmp/remote.keytab to the machine and either use ktutil to combine it with /etc/krb5.keytab or replace krb5.keytab with it (and fix owner and permissions, and potentially SELinux context).

certmonger gets its IPA configuration from /etc/ipa/default.conf. If you don't want or have certmonger then you can skip the CA bit altogether. Otherwise you'll need to copy in a working config.


Freeipa-users mailing list

Reply via email to