Re: [Freeipa-users] Fwd: manual client join
On 03/13/2012 05:29 PM, Stephen Ingram wrote:
> On Tue, Mar 13, 2012 at 2:25 PM, Dmitri Pal wrote:
>> Thank you!
>> Just FYI, all tickets go into NEEDS_TRIAGE bucket first so that we do
>> the correct processing and handling when we triage them.
> Got it. Sorry about that. I guess that's why it was the default.
>
> Steve

NP.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Fwd: manual client join
On Tue, Mar 13, 2012 at 2:25 PM, Dmitri Pal wrote:
> Thank you!
> Just FYI, all tickets go into NEEDS_TRIAGE bucket first so that we do
> the correct processing and handling when we triage them.

Got it. Sorry about that. I guess that's why it was the default.

Steve
Re: [Freeipa-users] Fwd: manual client join
On 03/13/2012 04:44 PM, Stephen Ingram wrote:
> On Mon, Dec 19, 2011 at 5:36 AM, John Dennis wrote:
>> Sorry, but currently on the command line the only way to specify a
>> certificate is via its serial number. The serial number is the only
>> identifier guaranteed to be unique. However, I agree it's not convenient.
>> Would you like to open an RFE (Request for Enhancement) on
>> https://fedorahosted.org/freeipa/
> I know it's been some time, but I've opened a ticket. I've never
> submitted an RFE before so I'm not sure I filled in the correct
> selections. I went for less urgent as this really isn't breaking
> anything--it's just more of an inconvenience. It's ticket #2528.
>
> Steve

Thank you!
Just FYI, all tickets go into NEEDS_TRIAGE bucket first so that we do
the correct processing and handling when we triage them.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
Re: [Freeipa-users] Fwd: manual client join
On Mon, Dec 19, 2011 at 5:36 AM, John Dennis wrote:
> Sorry, but currently on the command line the only way to specify a
> certificate is via its serial number. The serial number is the only
> identifier guaranteed to be unique. However, I agree it's not convenient.
> Would you like to open an RFE (Request for Enhancement) on
> https://fedorahosted.org/freeipa/

I know it's been some time, but I've opened a ticket. I've never
submitted an RFE before so I'm not sure I filled in the correct
selections. I went for less urgent as this really isn't breaking
anything--it's just more of an inconvenience. It's ticket #2528.

Steve
Re: [Freeipa-users] Fwd: manual client join
Stephen Ingram wrote:
> On Mon, Dec 5, 2011 at 12:49 PM, Rob Crittenden wrote:
> ...snip...
>> Be sure that the CN value is the FQDN of your server.
>>
>> IPA server:
>> # ipa cert-request --principal HTTP/remote.example.com /path/to/csr.pem
>> # ipa service-show --out=/tmp/service.crt HTTP/remote.example.com
>>
>> Your cert will be in /tmp/service.crt and PEM formatted for easy use. The
>> output of cert-request is just a base64 blob.
> ...snip...
>> This may be handy to augment the IPA documentation too if you want to
>> donate back your findings :-)
>
> OK, I'm going through lots of different scenarios to try to document
> this entire process and ran into one problem so far. Using your
> suggested command above to retrieve the cert via the command line:
>
> ipa service-show --out=/tmp/service.crt HTTP/remote.example.com
>
> This does not work for the host certificate:
>
> e.g. ipa service-show --out=/tmp/service.crt host/remote.example.com
>
> While it is now easy to get the PEM formatted cert from the UI in
> version 2.1.4, I don't see any way to obtain this particular cert from
> the command line other than ipa cert-show {serial number} which is
> obviously not very convenient. Is there another way I'm missing or is
> that it?
>
> Steve

The host service principal is treated differently. It is stored in the
host entry itself so use host-show --out

rob
Re: [Freeipa-users] Fwd: manual client join
On 12/18/2011 09:05 PM, Stephen Ingram wrote:
> On Mon, Dec 5, 2011 at 12:49 PM, Rob Crittenden wrote:
> ...snip...
>> Be sure that the CN value is the FQDN of your server.
>>
>> IPA server:
>> # ipa cert-request --principal HTTP/remote.example.com /path/to/csr.pem
>> # ipa service-show --out=/tmp/service.crt HTTP/remote.example.com
>>
>> Your cert will be in /tmp/service.crt and PEM formatted for easy use. The
>> output of cert-request is just a base64 blob.
> ...snip...
>> This may be handy to augment the IPA documentation too if you want to
>> donate back your findings :-)
>
> OK, I'm going through lots of different scenarios to try to document
> this entire process and ran into one problem so far. Using your
> suggested command above to retrieve the cert via the command line:
>
> ipa service-show --out=/tmp/service.crt HTTP/remote.example.com
>
> This does not work for the host certificate:
>
> e.g. ipa service-show --out=/tmp/service.crt host/remote.example.com
>
> While it is now easy to get the PEM formatted cert from the UI in
> version 2.1.4, I don't see any way to obtain this particular cert from
> the command line other than ipa cert-show {serial number} which is
> obviously not very convenient. Is there another way I'm missing or is
> that it?

Sorry, but currently on the command line the only way to specify a
certificate is via its serial number. The serial number is the only
identifier guaranteed to be unique. However, I agree it's not convenient.
Would you like to open an RFE (Request for Enhancement) on
https://fedorahosted.org/freeipa/

--
John Dennis
Re: [Freeipa-users] Fwd: manual client join
On Mon, Dec 5, 2011 at 12:49 PM, Rob Crittenden wrote:
...snip...
>
> Be sure that the CN value is the FQDN of your server.
>
> IPA server:
> # ipa cert-request --principal HTTP/remote.example.com /path/to/csr.pem
> # ipa service-show --out=/tmp/service.crt HTTP/remote.example.com
>
> Your cert will be in /tmp/service.crt and PEM formatted for easy use. The
> output of cert-request is just a base64 blob.
>
...snip...
>
> This may be handy to augment the IPA documentation too if you want to donate
> back your findings :-)

OK, I'm going through lots of different scenarios to try to document
this entire process and ran into one problem so far. Using your
suggested command above to retrieve the cert via the command line:

ipa service-show --out=/tmp/service.crt HTTP/remote.example.com

This does not work for the host certificate:

e.g. ipa service-show --out=/tmp/service.crt host/remote.example.com

While it is now easy to get the PEM formatted cert from the UI in
version 2.1.4, I don't see any way to obtain this particular cert from
the command line other than ipa cert-show {serial number} which is
obviously not very convenient. Is there another way I'm missing or is
that it?

Steve
Re: [Freeipa-users] Fwd: manual client join
Stephen Ingram wrote:
> On Wed, Nov 30, 2011 at 12:59 PM, Rob Crittenden wrote:
>> The only part assuming that is ipa-join itself. IPA does not support
>> the direct use of kadmin or kadmin.local. On a supported platform
>> you'd run:
>>
>> # ipa-getkeytab -s ipa.example.com -k /tmp/remote.keytab -p host/remote.example.com
>>
>> Then ship /tmp/remote.keytab to the machine and either use ktutil to
>> combine it with /etc/krb5.keytab or replace krb5.keytab with it (and
>> fix owner and permissions, and potentially SELinux context).
>
> OK, got it. I can use the FreeIPA system itself to grab these for host
> and services and then the new remote machine will have all principals
> it requires to work within the FreeIPA realm.

Yup.

>> certmonger gets its IPA configuration from /etc/ipa/default.conf. If
>> you don't want or have certmonger then you can skip the CA bit
>> altogether. Otherwise you'll need to copy in a working config.
>
> OK, this requires certmonger. If I still want a FreeIPA-signed cert
> (say I need to talk SSL to the FreeIPA directory for mail server config
> purposes, e.g. check existence of email address) without certmonger, I
> can use certmonger on the FreeIPA server or the UI to sign a csr
> generated using nss on the remote system and then transport the cert to
> the remote system and manually install for apache, ldap client, etc.,
> right?

You don't need certmonger to have SSL certs, it just makes it easier to
request and manage them (because of the auto-renewal features).

To do it manually just do something like this to get a cert for a web
server. IPA server here is really any machine with the admintools
package installed.

remote system:
generate CSR using openssl or certutil, save as PEM file, ship to IPA
host. With NSS I do:

certutil -R -s "CN=remote.example.com,O=EXAMPLE.COM" -d /path/to/database/dir -a > example.csr

Be sure that the CN value is the FQDN of your server.

IPA server:
# ipa cert-request --principal HTTP/remote.example.com /path/to/csr.pem
# ipa service-show --out=/tmp/service.crt HTTP/remote.example.com

Your cert will be in /tmp/service.crt and PEM formatted for easy use.
The output of cert-request is just a base64 blob.

> I'm not trying to supplant FreeIPA here. Obviously the best (and almost
> effortless) solution is to have freeipa-client and certmonger on the
> system, however, if I'm stuck with an older version of Redhat or some
> other OS that just doesn't conveniently support FreeIPA, I just want to
> be able to get a cert and the necessary principals to be able to easily
> work within the FreeIPA realm. I also sort of like to know how
> everything works in more detail just in case something breaks and I
> have to make manual adjustments.

This may be handy to augment the IPA documentation too if you want to
donate back your findings :-)

cheers

rob
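The thread above spells out a manual enrolment procedure (ipa-getkeytab for each principal, a certutil CSR whose CN is the host FQDN, ipa cert-request, then retrieving the PEM) and, in Rob's later reply, the one trap in it: the host principal's certificate is stored in the host entry, so it comes back with host-show rather than service-show. The following is an added example, not FreeIPA project code or anything posted in the thread. It only assembles the command lines discussed here into an ordered plan and enforces the two checks a practitioner wants (CN equals FQDN; host/ principals go through host-show); it does not run anything. The NSS database path is the placeholder from Rob's message, and the output file names under /tmp are this example's own choice.

```python
"""Plan the manual (no ipa-client, no certmonger) enrolment of one host.

Added example, not FreeIPA project code.  Builds the command lines from the
thread in order; it never executes them.
"""
import shlex
from typing import List, Tuple

CERT_DB_DIR = "/path/to/database/dir"   # placeholder NSS database dir, as in the thread


def parse_principal(principal: str) -> Tuple[str, str]:
    """Split 'SERVICE/fqdn[@REALM]' into (service, fqdn); the realm is dropped."""
    name = principal.split("@", 1)[0]
    if "/" not in name:
        raise ValueError(f"not a service principal: {principal!r}")
    service, fqdn = name.split("/", 1)
    if not service or not fqdn or "." not in fqdn:
        raise ValueError(f"expected SERVICE/fully.qualified.host: {principal!r}")
    return service, fqdn.lower()


def check_csr_subject(subject: str, fqdn: str) -> bool:
    """True when the CN of a 'CN=...,O=...' subject is the host FQDN (Rob's note)."""
    for rdn in subject.split(","):
        attr, _, value = rdn.strip().partition("=")
        if attr.strip().upper() == "CN":
            return value.strip().lower() == fqdn.lower()
    return False   # no CN at all: the CA has nothing to match against the host


def show_command(principal: str, out_path: str) -> str:
    """Command that writes the issued cert as PEM to out_path.

    The host principal's cert lives in the host entry, so it is read with
    host-show on the bare hostname; any other service is read with
    service-show on the principal.  Feeding host/... to service-show is
    exactly the failure reported in the thread.
    """
    service, fqdn = parse_principal(principal)
    if service == "host":
        return f"ipa host-show --out={shlex.quote(out_path)} {fqdn}"
    return f"ipa service-show --out={shlex.quote(out_path)} {service}/{fqdn}"


def plan_manual_join(fqdn: str, ipa_server: str, realm: str,
                     services: List[str]) -> List[str]:
    """Ordered command lines to enrol fqdn by hand from an admin-tools box.

    services: service names (e.g. "HTTP") that need both a keytab and a cert;
    include "host" to also request a host certificate.
    """
    fqdn = fqdn.lower()
    steps: List[str] = []

    # 1. Keytabs: the host principal always, plus one per service, all written
    #    into one file to ship to the remote machine.  ipa-getkeytab generates
    #    a fresh key each time it runs, so any older keytab for that principal
    #    stops working; run it once per principal.
    for svc in ["host"] + [s for s in services if s != "host"]:
        steps.append(f"ipa-getkeytab -s {ipa_server} -k /tmp/{fqdn}.keytab -p {svc}/{fqdn}")

    # 2. Certificates: one CSR per service, CN checked against the FQDN before
    #    it is ever submitted, then request and retrieve.
    subject = f"CN={fqdn},O={realm}"
    if not check_csr_subject(subject, fqdn):
        raise ValueError(f"CSR subject {subject!r} does not name {fqdn}")
    for svc in services:
        csr = f"/tmp/{svc}-{fqdn}.csr"
        steps.append(f'certutil -R -s "{subject}" -d {CERT_DB_DIR} -a > {csr}')
        steps.append(f"ipa cert-request --principal {svc}/{fqdn} {csr}")
        steps.append(show_command(f"{svc}/{fqdn}", f"/tmp/{svc}-{fqdn}.crt"))
    return steps


if __name__ == "__main__":
    # Constructed sample: a web server plus a host cert on the thread's example host.
    for line in plan_manual_join("remote.example.com", "ipa.example.com",
                                 "EXAMPLE.COM", ["HTTP", "host"]):
        print(line)
```

After the commands run on the IPA side, the keytab and the PEM files still have to be shipped to the remote machine and installed with the ownership, permissions and SELinux context Rob mentions; the planner stops at producing them.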