Hi folks,
I'm pretty new to freeIPA, and here is a freeIPA installation problem
encountered in my work. For company policy reasons we cannot use
ipa-client-install on Linux clients; instead a manual installation method is in
use and most of the freeIPA client config files are pushed out with cfengine.
The problem details/steps are listed below:
1. Following the steps at
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/linux-manual.html,
we registered all clients in the IPA master, created and downloaded into
subversion the keytab files for all clients, then used 'ipa-client-install' on
one client and saved the config files into subversion too.
2. When a new Linux node is deployed, we deploy the files below onto the
node: /etc/{krb5.conf, krb5.keytab, nsswitch.conf}, /etc/sssd/sssd.conf,
/etc/pam.d/{fingerprint-auth-ac, password-auth-ac, system-auth-ac,
smartcard-auth-ac}, with permissions and ownership set up correctly.
3. Then we tested the kerberos commands kinit/kdestroy/klist and they were all
working; we tested 'getent passwd <ipaAccount>' and 'getent group ipausers' and
they were working too; at last we tried ssh/login and they worked as
expected as well.
4. At this step I could claim that IPA authentication and authorization worked
successfully. Then I continued to try the IPA admin commands, but unexpectedly
they failed.
[root@ipaclient04 ~]# ipa
ipa: ERROR: Client is not configured. Run ipa-client-install.
[root@ipaclient04 ~]# ipa user-find
ipa: ERROR: Client is not configured. Run ipa-client-install.
[root@ipaclient04 ~]#
5. So I copied the files /etc/ca.crt and /etc/default.conf from a client
installed with 'ipa-client-install' to this manual client, and tried the above
commands again; they stopped whining and showed the help screen as expected, but
real IPA administration commands failed with the following error prompts:
[root@ipaclient04 ~]# ipa user-find
ipa: ERROR: cert validation failed for "CN=ipamaster.pegaclouds.com,O=PEGACLOUDS.COM" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.)
ipa: ERROR: cannot connect to u'https://ipamaster.pegaclouds.com/ipa/xml': [Errno -8172] (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.
6. So it looks like there is some kind of additional authentication step I have
missed somewhere -- I could not find any clue in the Redhat IPA document about
further steps -- I tried several times but the results were not fruitful. Could
anyone please shed some light here? Thanks a lot.
-- David
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
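The second error in the post is the client refusing the server's TLS certificate because its issuer is not trusted by the client. The check below, an added example that is not from the post or from the FreeIPA project, reads the server and XML-RPC URL out of a default.conf and then verifies the server's certificate chain against the CA file alone, the same verification the CLI performs, so a manually built client can be validated before the `ipa` command is tried. The sample default.conf is constructed from the hostname and realm in the post; the paths /etc/ipa/default.conf and /etc/ipa/ca.crt are the ones ipa-client-install writes.

```python
"""Pre-flight check for a manually configured IPA client."""
import configparser
import socket
import ssl
import sys
from urllib.parse import urlparse

# Constructed sample of /etc/ipa/default.conf using the values from the post.
SAMPLE_DEFAULT_CONF = """\
[global]
basedn = dc=pegaclouds,dc=com
realm = PEGACLOUDS.COM
domain = pegaclouds.com
server = ipamaster.pegaclouds.com
xmlrpc_uri = https://ipamaster.pegaclouds.com/ipa/xml
"""


def parse_default_conf(text):
    """Return the realm, server and XML-RPC endpoint the ipa CLI would use."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    g = cp["global"]
    uri = g["xmlrpc_uri"]
    return {"realm": g["realm"], "server": g["server"],
            "xmlrpc_uri": uri, "host": urlparse(uri).hostname}


def check_server_trust(host, ca_file, port=443, timeout=5):
    """TLS-connect to the IPA server and verify its chain using ca_file only
    (no system trust store). Returns (ok, detail)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check
    ctx.load_verify_locations(cafile=ca_file)      # trust exactly what the client was given
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return True, tls.getpeercert()["subject"]
    except ssl.SSLCertVerificationError as e:
        # Same failure class as SEC_ERROR_UNTRUSTED_ISSUER in the post: the
        # issuer of the server cert is not in the trust material handed over.
        return False, e.verify_message
    except (OSError, ssl.SSLError) as e:
        return False, str(e)


if __name__ == "__main__":
    with open("/etc/ipa/default.conf") as f:
        conf = parse_default_conf(f.read())
    ok, detail = check_server_trust(conf["host"], "/etc/ipa/ca.crt")
    print("trusted" if ok else "NOT trusted", conf["xmlrpc_uri"], detail)
    sys.exit(0 if ok else 1)
```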