Hello.

Im trying to set up a redhat 6.1 to ipaserver.

What i have done.....

On the Ipaserver

#ipa host-add --force --ip-address=192.168.237.1 seadv-.d1.gameop.net

#kinit admin

#ipa host-add-managedby --hosts=ipaserver.d1.gameop.net
seadv-237-1.d1.gameop.net


#ipa-getkeytab -s ipaserver.d1.gameop.net -p
host/seadv-237-1.d1.gameop.net-k /tmp/seadv-.keytab

#scp client1.keytab seadv-237-1.d1.gameop.net:/tmp

On Client 6.1

#yum install krb5-workstation oddjob-mkhomedir
#mv /tmp/client1.keytab /etc/krb5.keytab

#vim /etc/krb5.conf

[libdefaults]
  default_realm = D1.GAMEOP.NET
  dns_lookup_realm = false
  dns_lookup_kdc = false
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  D1.GAMEOP.NET = {
    kdc = ipaserver.d1.gameop.net:88
    admin_server = ipaserver.d1.gameop.net:749
    default_domain = d1.gameop.net
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .d1.gameop.net = D1.GAMEOP.NET
  d1.gameop.net = D1.GAMEOP.NET


#cd /etc/pam.d/

#vim fingerprint-auth

auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_oddjob_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond
quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

#vim password-auth

auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass
use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_oddjob_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond
quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

#vim smartcard-auth

auth        required      pam_env.so
auth        [success=done ignore=ignore default=die] pam_pkcs11.so
wait_for_card card_only
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    required      pam_pkcs11.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_oddjob_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond
quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

#vim system-auth

auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass
use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_oddjob_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond
quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so


#vim /etc/sssd/sssd.conf

[domain/d1.gameop.net]

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = d1.gameop.net
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
ipa_server = _srv_, ipaserver.d1.gameop.net
ldap_tls_cacert = /etc/ipa/ca.crt

[sssd]
config_file_version = 2

reconnection_retries = 3

sbus_timeout = 30
services = nss, pam

domains = d1.gameop.net

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3

#chmod 0600 sssd.conf

#vim /etc/nsswitch.conf

passwd:     files sss
shadow:     files sss
group:      files sss

hosts:      files dns

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files

netgroup:   files sss

publickey:  nisplus

automount:  files
aliases:    files nisplus


Now I can do
#kinit admin
#klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ad...@d1.gameop.net

Valid starting     Expires            Service principal
04/29/13 13:41:37  04/30/13 13:41:35  krbtgt/d1.gameop....@d1.gameop.net

and when i try to do ID acke or ssh a...@seadv-237-1.d1.gameop.net.

I get nothing...

My dns records for my dns that i want to use.

ipaserver.d1.gameop.net         A      192.168.232.41
ipareplica.d1.gameop.net        A       192.168.235.181

_ldap._tcp.d1.gameop.net       SRV 100 389 ipaserver
_ldap._tcp.d1.gameop.net       SRV 100 389 ipareplica

_kerberos                               TXT  d1.gameop.net
_kerberos._tcp.d1.gameop.net  SRV 100 88 ipaserver
_kerberos._udp.d1.gameop.net SRV 100 88 ipaserver
_kerberos-master._tcp.d1.gameop.net SRV 100 88 ipaserver
_kerberos-master._udp.d1.gameop.net SRV 100 88 ipaserver
_kpasswd._tcp.d1.gameop.net   SRV 100 88 ipaserver
_kpasswd._udp.d1.gameop.net  SRV 100 88 ipaserver

This setup do not work whit my dns i want. But if i change my resolve.conf
to

nameserver 192.168.232.41

I can id and ssh...

So have i missed somthing whit the dns?

I have tried to have the SRV records to only _ldap._tcp and _kerberos._tcp
but that dont work either.


Thanks

PS

My first mailinglist sorry if I dont follow some kind of standard
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to