On Thu, Apr 26, 2012 at 3:51 PM, hshhs caca <cao2...@yahoo.com> wrote:
> Hi folks,
>  I'm pretty new to freeIPA. And here is a freeIPA installation problem
> encountered in my work. For company policies reasons we can not use
> ipa-client-install on Linux clients, instead manual installation method is
> in use and most of the freeIPA client config files are pushed out with
> cfengine. The problem details/steps are listed below:
> 1, following the steps at
> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/linux-manual.html,
> we registered all clients in IPA master, created and downloaded into
> subversion the keytab files for all clients, then use 'ipa-client-install'
> on one clients and save the config files into subversion too.
> 2, when a new Linux node is newly deployed, we deploy the files below onto
> the nodes: /etc/{krb5.conf, krb5.keytab,nsswitch.conf}, /etc/sssd/sssd.conf,
> /etc/pam.d/{fingerprint-auth-ac, password-auth-ac, system-auth-ac,
> smartcard-auth-ac}, with permissions and ownership setup correctly.
> 3, then we tested kerberos commands kinit/kdestroy/klist and they were all
> working; we tested 'getent passwd <ipaAccount>', 'getent group ipausers' and
> they were working too, at last we tried ssh/login and they were working as
> expected as well.
> 4, at this step I could claim that IPA authentication and authorization
> worked successfully. Then I continued to try IPA admin command but
> unexpected them failed.
> [root@ipaclient04 ~]# ipa
> ipa: ERROR: Client is not configured. Run ipa-client-install.
> [root@ipaclient04 ~]# ipa user-find
> ipa: ERROR: Client is not configured. Run ipa-client-install.
> [root@ipaclient04 ~]#
> 5, so I copied the files /etc/ca.crt and /etc/default.conf from a client
> installed with 'ipa-client-install' to this manual client, and tried the
> above command again and them stopped whiling and showed help screen as
> expected; but real IPA administration commands failed with the following
> error prompts:
> [root@ipaclient04 ~]# ipa user-find
> ipa: ERROR: cert validation failed for
> "CN=ipamaster.pegaclouds.com,O=PEGACLOUDS.COM" ((SEC_ERROR_UNTRUSTED_ISSUER)
> Peer's certificate issuer has been marked as not trusted by the user.)
> ipa: ERROR: cannot connect to u'https://ipamaster.pegaclouds.com/ipa/xml':
> [Errno -8172] (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has
> been marked as not trusted by the user.
> 6, So it looks like there are some kinds of new authentication steps I have
> missed somewhere -- could not find any clue on the Redhat IPA document for
> further steps --  I tried several times but results are not fruitful. Could
> anyone please shed a light at here? Thanks a lot.


It looks like you didn't import the CA into the host certificate store
in /etc/pki/nssdb. I believe those commands require that you trust
your IPA CA. You can import the CA with:

certutil -A -d /etc/pki/nssdb -n 'IPA CA' -t CT,C,C -a -i /etc/ipa/ca.crt

Also, make sure and generate a host cert for the machine (also in
/etc/pki/nssdb) and have IPA sign it.


Freeipa-users mailing list

Reply via email to