Ok, going step by step I did the following on squeeze:

set up ntp, time synced with ipa server

test setup is done on
ipa.localdomain (server)
client.localdomain
(client on Scientific Linux 6.4, looks ok after ipa-client-install, ssh
works for test users tester and tester2)

client2.localdomain is the Debian Squeeze client

added host client2.localdomain on IPA server, added 'managedby', got the
keytab and put the 'client2.keytab' in /etc/krb5.keytab on client2

most important part of /etc/krb5.conf:

[realms]
        LOCALDOMAIN = {
                kdc = ipa.localdomain
                admin_server = ipa.localdomain
        }

[domain_realm]
        .localdomain = LOCALDOMAIN
        localdomain = LOCALDOMAIN
        default_domain = localdomain

[libdefaults]
        default_realm = LOCALDOMAIN


The following lets me think the KRB5 part of the setup is done correctly:

root@client2:/etc# kinit admin
Password for admin@LOCALDOMAIN:
root@client2:/etc# kdestroy
root@client2:/etc# kinit tester
Password for tester@LOCALDOMAIN:
root@client2:/etc# klis
-su: klis: command not found
root@client2:/etc# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: tester@LOCALDOMAIN

Valid starting     Expires            Service principal
08/30/13 00:35:50  08/31/13 00:35:47  krbtgt/LOCALDOMAIN@LOCALDOMAIN


root@client2:/etc# kpasswd tester
Password for tester@LOCALDOMAIN:
Enter new password:
Enter it again:
Password changed.


I guess that's the point of snapshotting 'KRB done' state (can I be wrong?)

DNS for all the hosts involved is similar to:
root@client2:/etc# nslookup ipa
Server:         192.168.137.29
Address:        192.168.137.29#53

Name:   ipa.localdomain
Address: 192.168.137.13

root@client2:/etc# nslookup 192.168.137.13
Server:         192.168.137.29
Address:        192.168.137.29#53

13.137.168.192.in-addr.arpa     name = ipa.localdomain.

Now I guess it's time for certificates, where I do have some doubts...

I've added the SSH host keys via web interface, now the cert part:

having generated the CSR afte creating the new database:

 certutil -R -d . -a -g 2048 -s 'CN=client2.localdomain,O=LOCALDOMAIN'
(in the /etc/pki dir) I paste the CSR and Issue the certificate for host

(/etc/pi contains newly created   cert8.db   key3.db    secmod.db )

Which of those should be used to add the cert to?

(like certutil -A -d /etc/pki/nssdb -n "IPA CA" -t CT,C,C -a -i */path/to/*
ca.crt)

All of the tries result in:
root@client2:/etc/pki# certutil -A -d /etc/pki/cert8.db -n "IPA CA" -t
CT,C,C -a -i ./ca.crt
certutil: function failed: security library: bad database.
root@client2:/etc/pki# certutil -A -d /etc/pki/secmod.db -n "IPA CA" -t
CT,C,C -a -i ./ca.crt
certutil: function failed: security library: bad database.
root@client2:/etc/pki# certutil -A -d /etc/pki/key3.db -n "IPA CA" -t
CT,C,C -a -i ./ca.crt
certutil: function failed: security library: bad database.

Could someone show me my mistake?

Regards
Michal



On Thu, Aug 29, 2013 at 9:00 PM, Michał Dwużnik <michal.dwuz...@gmail.com>wrote:

> As for now I have set up a 'known good' client on RH based distro, to get
> the feeling how the config files
> look like when configured correctly.
>
> Thanks for the nice reference
>
> M.
>
>
> On Thu, Aug 29, 2013 at 7:56 PM, Rob Crittenden <rcrit...@redhat.com>wrote:
>
>> Michał Dwużnik wrote:
>>
>>> Hi folks,
>>>
>>> did anyone succeed in connecting such an old thing recently to freeipa
>>> server?
>>>
>>> Is there a document (or an archive post) about connecting a 'non ipa
>>> aware' client step by step?
>>> I got as far as woing Kerberos with no issues, hit a wall with ldap
>>> part..
>>>
>>
>> You might try this: http://docs.fedoraproject.org/**
>> en-US/Fedora/17/html/FreeIPA_**Guide/linux-manual.html<http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/linux-manual.html>
>>
>> rob
>>
>>
>
>
> --
> Michal Dwuznik
>



-- 
Michal Dwuznik
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to