Hi, Stephen,

  Thanks for your reply, and it works great, though I still have one question
around the host cert -- what are the typical usage scenarios of host certs for
IPA clients?

>>On 4/26/12 6:01 PM, "Stephen Ingram" <sbing...@gmail.com> wrote:
>>On Thu, Apr 26, 2012 at 3:51 PM, hshhs caca <cao2...@yahoo.com> wrote:
>>> Hi folks,
>>>  I'm pretty new to freeIPA. And here is a freeIPA installation problem
>>> encountered in my work. For company policies reasons we can not use 
>>> ipa-client-install on Linux clients, instead manual installation method is
>>> in use and most of the freeIPA client config files are pushed out with
>>> cfengine. The problem details/steps are listed below:
>>> 1, following the steps at
>>> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/linux-manual.html,
>>> we registered all clients in IPA master, created and downloaded into
>>> subversion the keytab files for all clients, then use 'ipa-client-install'
>>> on one clients and save the config files into subversion too.
>>> 2, when a new Linux node is newly deployed, we deploy the files below onto
>>> the nodes: /etc/{krb5.conf, krb5.keytab,nsswitch.conf}, /etc/sssd/sssd.conf,
>>> /etc/pam.d/{fingerprint-auth-ac, password-auth-ac, system-auth-ac,
>>> smartcard-auth-ac}, with permissions and ownership setup correctly.
>>> 3, then we tested kerberos commands kinit/kdestroy/klist and they were all 
>>> working; we tested 'getent passwd <ipaAccount>', 'getent group ipausers' 
>>> and 
>>> they were working too, at last we tried ssh/login and they were working as
>>> expected as well.
>>> 4, at this step I could claim that IPA authentication and authorization
>>> worked successfully. Then I continued to try IPA admin commands but
>>> unexpectedly they failed.
>>> [root@ipaclient04 ~]# ipa 
>>> ipa: ERROR: Client is not configured. Run ipa-client-install.
>>> [root@ipaclient04 ~]# ipa user-find
>>> ipa: ERROR: Client is not configured. Run ipa-client-install.
>>> [root@ipaclient04 ~]# 
>>> 5, so I copied the files /etc/ca.crt and /etc/default.conf from a client
>>> installed with 'ipa-client-install' to this manual client, and tried the
>>> above command again and they stopped whining and showed the help screen as
>>> expected; but real IPA administration commands failed with the following
>>> error prompts:
>>> [root@ipaclient04 ~]# ipa user-find
>>> ipa: ERROR: cert validation failed for
>>> "CN=ipamaster.pegaclouds.com,O=PEGACLOUDS.COM" ((SEC_ERROR_UNTRUSTED_ISSUER)
>>> Peer's certificate issuer has been marked as not trusted by the user.)
>>> ipa: ERROR: cannot connect to u'https://ipamaster.pegaclouds.com/ipa/xml':
>>> [Errno -8172] (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has
>>> been marked as not trusted by the user.
>>> 6, So it looks like there are some kinds of new authentication steps I have
>>> missed somewhere -- could not find any clue in the Red Hat IPA document for
>>> further steps -- I tried several times but the results were not fruitful. Could
>>> anyone please shed some light here? Thanks a lot.
>>It looks like you didn't import the CA into the host certificate store
>>in /etc/pki/nssdb. I believe those commands require that you trust
>>your IPA CA. You can import the CA with:
>>certutil -A -d /etc/pki/nssdb -n 'IPA CA' -t CT,C,C -a -i /etc/ipa/ca.crt
>That is the magic finger!! and the IPA commands 'ipa user-find', 'ipa
>host-add', etc.
>work without a glitch.
>>Also, make sure and generate a host cert for the machine (also in
>>/etc/pki/nssdb) and have IPA sign it.
>I have to fire up service messagebus, certmonger, and then run the 'ipa-getcert'
>command to generate a CSR, send it to IPA Master to sign it, save the certificate
>at IPA master,
>and save the host private key / certificate locally under /etc/pki/nssdb.
>So what are the benefits of host certificates? Basically what are the usage
>scenarios to allure
>users to go through these efforts to register and renew a host certificate? I am
>new to host certificates
>(not httpd SSL certificates) and really not sure where they can be helpful.
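A check that fits the cfengine-pushed client setup in the thread, added here as an example and not taken from the thread or from FreeIPA: it parses `certutil -L` output for the 'IPA CA' nickname and only runs Stephen's import command when the SSL trust flag is missing, so the SEC_ERROR_UNTRUSTED_ISSUER failure above can be caught before the `ipa` CLI is used. The listing text is constructed sample output, and the variable names and the `--apply` switch are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeIPA: verify that the IPA CA is
# trusted in the client's NSS database and import it only when it is missing.
# Variable names and the --apply switch are assumptions of this example.

NSSDB="${NSSDB:-/etc/pki/nssdb}"
CA_NICK="${CA_NICK:-IPA CA}"
CA_FILE="${CA_FILE:-/etc/ipa/ca.crt}"

# Constructed sample of `certutil -L -d /etc/pki/nssdb` output: two header lines,
# a blank line, then "<nickname> <SSL>,<S/MIME>,<JAR/XPI>" trust flags per cert.
SAMPLE_LISTING='Certificate Nickname                        Trust Attributes
                                            SSL,S/MIME,JAR/XPI

IPA CA                                      CT,C,C
ipaclient04.example.test                    u,u,u'

# Print the trust-flags field for one nickname in a certutil -L listing.
# Nicknames may contain spaces, so strip the last field instead of using $1.
ipa_ca_trust_flags() {
    printf '%s\n' "$1" | awk -v nick="$2" '
        NR > 2 && NF >= 2 {
            flags = $NF
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", $0)
            if ($0 == nick) { print flags; found = 1; exit }
        }
        END { if (!found) exit 1 }'
}

# Succeed only if the SSL trust field carries C (trusted CA for server certs);
# without it NSS reports SEC_ERROR_UNTRUSTED_ISSUER for the IPA server cert.
ipa_ca_trusted() {
    flags="$(ipa_ca_trust_flags "$1" "$2")" || return 1
    case "${flags%%,*}" in *C*) return 0 ;; *) return 1 ;; esac
}

# Idempotent: import with the same flags as the fix in the thread, but only
# when the check fails. Needs certutil and write access to the database.
ensure_ipa_ca_trusted() {
    listing="$(certutil -L -d "$NSSDB" 2>/dev/null)" || listing=""
    if ipa_ca_trusted "$listing" "$CA_NICK"; then
        echo "'$CA_NICK' already trusted in $NSSDB"
        return 0
    fi
    certutil -A -d "$NSSDB" -n "$CA_NICK" -t CT,C,C -a -i "$CA_FILE"
}

if [ "${1:-}" = "--apply" ]; then
    ensure_ipa_ca_trusted
fi
```

Run it with `--apply` as root on the client to touch the real database; without the switch it only defines the functions, which is what the pushed config check would call.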
Freeipa-users mailing list
