Hi folks,

 I'm pretty new to freeIPA. And here is a freeIPA installation problem 
encountered in my work. For company policies reasons we can not use 
ipa-client-install on Linux clients, instead manual installation method is in 
use and most of the freeIPA client config files are pushed out with cfengine. 
The problem details/steps are listed below:

1, following the steps at 
 we registered all clients in IPA master, created and downloaded into 
subversion the keytab files for all clients, then use 'ipa-client-install' on 
one clients and save the config files into subversion too. 

2, when a new Linux node is newly deployed, we deploy the files below onto the 
nodes: /etc/{krb5.conf, krb5.keytab,nsswitch.conf}, /etc/sssd/sssd.conf, 
/etc/pam.d/{fingerprint-auth-ac, password-auth-ac, system-auth-ac, 
smartcard-auth-ac}, with permissions and ownership setup correctly.

3, then we tested kerberos commands kinit/kdestroy/klist and they were all 
working; we tested 'getent passwd <ipaAccount>', 'getent group ipausers' and 
they were working too, at last we tried ssh/login and they were working as 
expected as well.

4, at this step I could claim that IPA authentication and authorization worked 
successfully. Then I continued to try IPA admin command but unexpected them 

[root@ipaclient04 ~]# ipa
ipa: ERROR: Client is not
configured. Run ipa-client-install.
[root@ipaclient04 ~]# ipa user-find
ipa: ERROR: Client is not
configured. Run ipa-client-install.
[root@ipaclient04 ~]#
5, so I copied the files /etc/ca.crt and /etc/default.conf from a client 
installed with 'ipa-client-install' to this manual client, and tried the above 
command again and them stopped whiling and showed help screen as expected; but 
real IPA administration commands failed with the following error prompts:

[root@ipaclient04 ~]# ipa user-find
ipa: ERROR: cert validation failed for
((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not
trusted by the user.)
ipa: ERROR: cannot connect to
u'https://ipamaster.pegaclouds.com/ipa/xml': [Errno -8172]
(SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not
trusted by the user.
6, So it looks like there are some kinds of new authentication steps I have 
missed somewhere -- could not find any clue on the Redhat IPA document for 
further steps --  I tried several times but results are not fruitful. Could 
anyone please shed a light at here? Thanks a lot.

-- David
Freeipa-users mailing list

Reply via email to