Re: [Freeipa-users] IPA Bug??: IPA replica installation problem on IPV4-only nodes

2012-04-27 Thread Dmitri Pal
On 04/26/2012 07:10 PM, David Copperfield wrote:
> IPA replica installation fails on an IPv4-only Linux box. The
> exception/messages on screen are:
>
> ...
> error: [Errno 97] Address family not supported by protocol
> ...
>
> After looking into the Python code, I found that the IPA
> program tries to test both the IPv4 and IPv6 address families, and it
> fails there when IPv6 is turned off.
>
> So I turned IPv6 on again, ran ipa-conncheck again, and it worked this time.
>

This rings a bell; I think we already have a ticket for that.

> --David
>
>
>
> 
> *From:* hshhs caca 
> *To:* "freeipa-users@redhat.com" 
> *Sent:* Thursday, April 26, 2012 1:51 PM
> *Subject:* [Freeipa-users] What are the main purposes of Dogtag
> certificate system inside IPA
>
>
> Hi folks,
>
> When evaluating migration from an existing separate LDAP/Kerberos
> solution to integrated IPA, I got confused about the purpose of the Dogtag
> Certificate System inside IPA. What are its main purposes, or
> what value does it bring to IPA?
>
> I can see the point of the KDC and 389 Directory Server parts, even NTP
> and DNS, but not of Dogtag. Frankly, I am not sure where I should put
> it. Say, for Kerberos authentication, I need only /etc/krb5.conf and
> /etc/krb5.keytab locally on the client, and then the krb5 tools/libs will do
> their work happily. Then why should I authenticate a machine with a
> certificate, or certificate+keytab -- either way the certificate part
> is a MUST -- see the document
> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/hosts.html
> (at the very bottom).
>
> A closely related question is: what are the main points/benefits of machine
> authentication? Because with a traditional keytab-based Kerberos
> setup, users, machines and services can authenticate with no problem,
> so why do we need an extra authentication with a machine certificate as a
> must?
>
> Please help me clarify why the statement
> 'pkinit_anchors = FILE:/etc/ipa/ca.crt' is put inside krb5.conf after
> running the ipa-client-install script. What is its purpose?
>
> Last problem: after following the steps at
> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/linux-manual.html
> to set up my Linux client manually, I still cannot run the 'ipa user-find'
> command on the client, while another Linux client of the same type installed
> with 'ipa-client-install' has no problem running it. Are there any
> differences between manual and automatic installations?
>
> Sorry, I have too many questions and probably more to come, as I have read
> through the Red Hat IPA document several times, and every time more questions
> pop up. :)
>
> Thanks a lot.
>
> --Robinson
>
> ___
> Freeipa-users mailing list
> Freeipa-users@redhat.com 
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/




[Freeipa-users] IPA Bug??: IPA replica installation problem on IPV4-only nodes

2012-04-26 Thread David Copperfield
IPA replica installation fails on an IPv4-only Linux box. The exception/messages on
screen are:

...
 error: [Errno 97] Address family not supported by protocol

...

After looking into the Python code, I found that the IPA program tries
to test both the IPv4 and IPv6 address families, and it fails there when IPv6 is
turned off.

So I turned IPv6 on again, ran ipa-conncheck again, and it worked this time.

--David






 From: hshhs caca 
To: "freeipa-users@redhat.com"  
Sent: Thursday, April 26, 2012 1:51 PM
Subject: [Freeipa-users] What are the main purposes of Dogtag certificate 
system inside IPA
 


Hi folks,

 When evaluating migration from an existing separate LDAP/Kerberos solution to
integrated IPA, I got confused about the purpose of the Dogtag Certificate System
inside IPA. What are its main purposes, or what value does it bring to IPA?

 I can see the point of the KDC and 389 Directory Server parts, even NTP and DNS,
but not of Dogtag. Frankly, I am not sure where I should put it. Say, for
Kerberos authentication, I need only /etc/krb5.conf and /etc/krb5.keytab
locally on the client, and then the krb5 tools/libs will do their work happily. Then
why should I authenticate a machine with a certificate, or certificate+keytab --
either way the certificate part is a MUST -- see the document

http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/hosts.html
(at the very bottom).

A closely related question is: what are the main points/benefits of machine
authentication? Because with a traditional keytab-based Kerberos setup, users,
machines and services can authenticate with no problem, so why do we need an
extra authentication with a machine certificate as a must?

 Please help me clarify why the statement 'pkinit_anchors =
FILE:/etc/ipa/ca.crt' is put inside krb5.conf after running the ipa-client-install
script. What is its purpose?

Last problem: after following the steps at
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/linux-manual.html
to set up my Linux client manually, I still cannot run the 'ipa user-find' command
on the client, while another Linux client of the same type installed with
'ipa-client-install' has no problem running it.
Are there any differences between manual and automatic installations?

Sorry, I have too many questions and probably more to come, as I have read through
the Red Hat IPA document several times, and every time more questions pop up. :)

Thanks a lot.

--Robinson

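The failure David reports above is one any connectivity checker should handle on purpose: on a host with IPv6 disabled, socket() for AF_INET6 raises errno 97 (EAFNOSUPPORT), and that should mean "this host has no such address family, skip it", not "abort the whole check". The Python below is an added example written for this page, not code from FreeIPA or its ipa-replica-conncheck tool; the port list (port 0, so the kernel picks free ports and the example runs offline), the family labels and the skip/conflict/fatal classification of socket errors are assumptions made for illustration.

```python
"""Probe which IP address families this host supports, then open a
listener per check port for each family that exists, instead of
failing on the first family the kernel refuses.

Added example for this page; not FreeIPA's conncheck code."""

import errno
import socket

# errno.EAFNOSUPPORT is 97 on Linux: the number in the error message above.
ERRNO_NO_FAMILY = errno.EAFNOSUPPORT

# Labels used in the report for the two families that are probed.
FAMILY_LABEL = {socket.AF_INET: "ipv4", socket.AF_INET6: "ipv6"}

# Constructed port list, NOT the real replica port set. Port 0 lets the
# kernel choose a free port so the example runs without conflicts.
CHECK_PORTS = [("ldap", 0), ("ldaps", 0), ("kerberos", 0)]


def classify_errno(code):
    """Decide what a connectivity check should do with a socket errno."""
    if code == errno.EAFNOSUPPORT:
        return "skip-family"    # no kernel stack for this family (e.g. ipv6.disable=1)
    if code == errno.EADDRNOTAVAIL:
        return "skip-family"    # stack exists but has no usable address
    if code in (errno.EADDRINUSE, errno.EACCES):
        return "port-conflict"  # another service owns the port, or it is privileged
    return "fatal"


def family_available(family):
    """True if the kernel hands out a TCP socket in this family.

    Only the 'skip-family' errors count as unavailable; anything else
    (EMFILE, EPERM, ...) is a real problem and is re-raised."""
    try:
        sock = socket.socket(family, socket.SOCK_STREAM)
    except OSError as exc:
        if classify_errno(exc.errno) == "skip-family":
            return False
        raise
    sock.close()
    return True


def check_listen(ports):
    """Bind a listening socket per port for every available family.

    Returns {(name, "ipv4"|"ipv6"): bound_port} for the listeners that
    could be opened. Missing families are skipped; port conflicts and
    unexpected errors are raised so the operator actually sees them."""
    results = {}
    families = [fam for fam in FAMILY_LABEL if family_available(fam)]
    for name, port in ports:
        for fam in families:
            sock = socket.socket(fam, socket.SOCK_STREAM)
            try:
                sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
                if fam == socket.AF_INET6:
                    # Keep the v6 socket off the v4 port so both can bind
                    # the same port number on a dual-stack host.
                    sock.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 1)
                wildcard = "0.0.0.0" if fam == socket.AF_INET else "::"
                sock.bind((wildcard, port))
                sock.listen(1)
                results[(name, FAMILY_LABEL[fam])] = sock.getsockname()[1]
            except OSError as exc:
                if classify_errno(exc.errno) == "skip-family":
                    continue
                raise
            finally:
                sock.close()
    return results


if __name__ == "__main__":
    for (name, label), port in sorted(check_listen(CHECK_PORTS).items()):
        print(f"{name:9s} {label}: listener on port {port} ok")
```

On the IPv4-only box from the report this lists ipv4 entries only; on a dual-stack host it lists both. The point of classify_errno is that only the "no such family here" errors are swallowed: a port that is already in use is still raised, because finding exactly that is what a connectivity check is for.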