On 03/13/2012 05:16 PM, Stephen Ingram wrote:
> On Sat, Dec 3, 2011 at 10:56 AM, Dmitri Pal <d...@redhat.com> wrote:
>> On 11/30/2011 03:59 PM, Rob Crittenden wrote:
>>> Stephen Ingram wrote:
>>>> Rob-
>>>> On Wed, Nov 30, 2011 at 12:04 PM, Rob
>>>> Crittenden<rcrit...@redhat.com>  wrote:
>>>>> Retrieve the CA certificate for the FreeIPA CA.
>>>>> # wget -O /etc/ipa/ca.crt http://ipa.example.com/ipa/config/ca.crt
>>>>> Create a separate Kerberos configuration to test the provided
>>>>> credentials.
>>>>> This enables a Kerberos connection to the FreeIPA XML-RPC server,
>>>>> necessary
>>>>> to join the FreeIPA client to the FreeIPA domain. This Kerberos
>>>>> configuration is ultimately discarded.
>>>>> - Basically just copy a working krb5.conf to /etc/krb5.conf and set
>>>>> up sssd
>>>>> or nss_ldap as documented.
>>>>> # kinit admin
>>>>> # ipa-join -s ipa.example.com -b dc=example,dc=com
>>>>> Or if using a one-time password you can skip the kinit and do
>>>>> # ipa-join -s ipa.example.com -b dc=example,dc=com -w Secret123
>>>>> ipa-join lets IPA know a host is enrolled and retrieves a host
>>>>> principal and
>>>>> stores it into /etc/krb5.keytab.
>>>>> Enable certmonger, retrieve an SSL server certificate, and install the
>>>>> certificate in /etc/pki/nssdb.
>>>>> # service messagebus start
>>>>> # service certmonger start
>>>>> # certutil -A -d /etc/pki/nssdb -n 'IPA CA' -t CT,C,C -a -i
>>>>> /etc/ipa/ca.crt
>>>>> # ipa-getcert request -d /etc/pki/nssdb -n 'IPA Machine Certificate -
>>>>> client.example.com' -N 'cn=client.example.com,O=EXAMPLE.COM; -K
>>>>> host/client.example....@example.com
>>>>> Disable the nscd daemon.
>>>>> # service nscd stop
>>>>> # chkconfig nscd off
>>>> Thanks, but aren't some of these steps assuming that ipa-client has
>>>> been installed on the system? For instance, instead of "# ipa-join -s
>>>> ipa.example.com -b dc=example,dc=com -w Secret123", can't I instead
>>>> use kadmin to retrieve the keytab and then securely copy it over to
>>>> the client system? And, in the case of the ca.crt, if there if IPA
>>>> itself is not installed, the ca would not go to /etc/ipa/ca.crt, no? I
>>>> realize that I will lose functionality by not having ipa-client, but
>>>> just trying to build a case for supporting legacy systems that I would
>>>> never want to take the time to adapt ipa-client for.
>>>> Steve
>>> The only part assuming that is ipa-join itself. IPA does not support
>>> the direct use of kadmin or kadmin.local. On a supported platform
>>> you'd run:
>>> # ipa-getkeytab -s ipa.example.com -k /tmp/remote.keytab -p
>>> host/remote.example.com
>>> Then ship /tmp/remote.keytab to the machine and either use ktutil to
>>> combine it with /etc/krb5.keytab or replace krb5.keytab with it (and
>>> fix owner and permissions, and potentially SELinux context).
>>> certmonger gets its IPA configuration from /etc/ipa/default.conf. If
>>> you don't want or have certmonger then you can skip the CA bit
>>> altogether. Otherwise you'll need to copy in a working config.
>> Should any part of this be documented?
> This might be beyond what you are thinking, however, to me, one of the
> best things about FreeIPA is that because of how flexible you've made
> it, I can use as much or as little as I want. These sorts of "small
> steps" might also make it easier to integrate into non-Redhat/Fedora
> or non-Linux systems. I have compiled and tested the suggestions
> offered to me by Rob and put them into an attached text document that
> roughly corresponds to the current section 3.4 of the FreeIPA
> documentation. It's probably a little rough, but should make a nice
> template to help supplement the existing documentation.
> Steve
Thank you! We will take a look.

Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

Looking to carve out IT costs?

Freeipa-users mailing list

Reply via email to