Re: [Freeipa-users] Manually installed IPA clients failes to run 'ipa user-find', 'ipa host-find', etc.
On Thu, Apr 26, 2012 at 7:08 PM, David Copperfield wrote:
> Hi, Stephen,
>
> Thanks for your reply, and it works great, though I still have one
> question around the host cert -- what are the typical usage senarios of host
> cert for IPA clients?
>
>>
>>
>>On 4/26/12 6:01 PM, "Stephen Ingram" wrote:
>>
>>On Thu, Apr 26, 2012 at 3:51 PM, hshhs caca wrote:
>>> Hi folks,
>>>
>>> I'm pretty new to freeIPA. And here is a freeIPA installation problem
>>> encountered in my work. For company policies reasons we can not use
>>> ipa-client-install on Linux clients, instead manual installation method
>>> is
>>> in use and most of the freeIPA client config files are pushed out with
>>> cfengine. The problem details/steps are listed below:
>>>
>>> 1, following the steps at
>>>
>>> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/linux-manual.html,
>>> we registered all clients in IPA master, created and downloaded into
>>> subversion the keytab files for all clients, then use
>>> 'ipa-client-install'
>>> on one clients and save the config files into subversion too.
>>>
>>> 2, when a new Linux node is newly deployed, we deploy the files below
>>> onto
>>> the nodes: /etc/{krb5.conf, krb5.keytab,nsswitch.conf},
>>> /etc/sssd/sssd.conf,
>>> /etc/pam.d/{fingerprint-auth-ac, password-auth-ac, system-auth-ac,
>>> smartcard-auth-ac}, with permissions and ownership setup correctly.
>>>
>>> 3, then we tested kerberos commands kinit/kdestroy/klist and they were
>>> all
>>> working; we tested 'getent passwd ', 'getent group ipausers'
>>> and
>>> they were working too, at last we tried ssh/login and they were working
>>> as
>>> expected as well.
>>>
>>> 4, at this step I could claim that IPA authentication and authorization
>>> worked successfully. Then I continued to try IPA admin command but
>>> unexpected them failed.
>>>
>>> [root@ipaclient04 ~]# ipa
>>> ipa: ERROR: Client is not configured. Run ipa-client-install.
>>> [root@ipaclient04 ~]# ipa user-find
>>> ipa: ERROR: Client is not configured. Run ipa-client-install.
>>> [root@ipaclient04 ~]#
>
>>> [root@ipaclient04 ~]# ipa user-find
>>> ipa: ERROR: cert validation failed for
>>> "CN=ipamaster.pegaclouds.com,O=PEGACLOUDS.COM"
>>> ((SEC_ERROR_UNTRUSTED_ISSUER)
>>> Peer's certificate issuer has been marked as not trusted by the user.)
>>> ipa: ERROR: cannot connect to
>>> u'https://ipamaster.pegaclouds.com/ipa/xml':
>>> [Errno -8172] (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has
>>> been marked as not trusted by the user.
>>>
>>> 6, So it looks like there are some kinds of new authentication steps I
>>> have
>>> missed somewhere -- could not find any clue on the Redhat IPA document
>>> for
>>> further steps -- I tried several times but results are not fruitful.
>>> Could
>>> anyone please shed a light at here? Thanks a lot.
>>
>>David-
>>
>>It looks like you didn't import the CA into the host certificate store
>>in /etc/pki/nssdb. I believe those commands require that you trust
>>your IPA CA. You can import the CA with:
>>
>>certutil -A -d /etc/pki/nssdb -n 'IPA CA' -t CT,C,C -a -i /etc/ipa/ca.crt
>>
>
> That is the magic finger!! and the IPA commands 'ipa user-find', 'ipa
> host-add', etc
> works without a glitch.
Excellent! I really enjoy the fact that all of this can be done
manually as well as automatically by ipa-client-install. I think it
speaks well of the design of IPA instead of working with some closed
up box, where, if it breaks, you really have no idea of how to fix it.
>>Also, make sure and generate a host cert for the machine (also in
>>/etc/pki/nssdb) and have IPA sign it.
>>
>
> I have to fire up service messagebus, certmonger, and then run 'ipa-getcert
> request'
> command to generate a CSR, send it to IPA Master to sign it, save
> certificate at IPA master,
> and save the host private key / certificate locally inder /etc/pki/nssdb.
>
> So what are the benefits of host certificates? bascically what are the usage
> senarios to allure
> users to go though these efforts to register and renew a host certicate? I
> am new to host certificate
> (not httpd SSL certificate) and really not sure where they can be helpful.
>
> Thanks.
>
> --David
The host and CA certificates are used in IPA to provide some soft of
assurance that you are talking to whom you think you are talking to
such that you won't be sending IPA commands to just anyone. Also, it's
nice for IPA to have some assurance of who the machine is making the
requests.
Steve
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Manually installed IPA clients failes to run 'ipa user-find', 'ipa host-find', etc.
Hi, Stephen,
Thanks for your reply, and it works great, though I still have one question
around the host cert -- what are the typical usage senarios of host cert for
IPA clients?
>
>>
>>On 4/26/12 6:01 PM, "Stephen Ingram" wrote:
>>
>>On Thu, Apr 26, 2012 at 3:51 PM, hshhs caca wrote:
>>> Hi folks,
>>>
>>> I'm pretty new to freeIPA. And here is a freeIPA installation problem
>>> encountered in my work. For company policies reasons we can not use
>>> ipa-client-install on Linux clients, instead manual installation method is
>>> in use and most of the freeIPA client config files are pushed out with
>>> cfengine. The problem details/steps are listed below:
>>>
>>> 1, following the steps at
>>> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/linux-manual.html,
>>> we registered all clients in IPA master, created and downloaded into
>>> subversion the keytab files for all clients, then use 'ipa-client-install'
>>> on one clients and save the config files into subversion too.
>>>
>>> 2, when a new Linux node is newly deployed, we deploy the files below onto
>>> the nodes: /etc/{krb5.conf, krb5.keytab,nsswitch.conf}, /etc/sssd/sssd.conf,
>>> /etc/pam.d/{fingerprint-auth-ac, password-auth-ac, system-auth-ac,
>>> smartcard-auth-ac}, with permissions and ownership setup correctly.
>>>
>>> 3, then we tested kerberos commands kinit/kdestroy/klist and they were all
>>> working; we tested 'getent passwd ', 'getent group ipausers'
>>> and
>>> they were working too, at last we tried ssh/login and they were working as
>>> expected as well.
>>>
>>> 4, at this step I could claim that IPA authentication and authorization
>>> worked successfully. Then I continued to try IPA admin command but
>>> unexpected them failed.
>>>
>>> [root@ipaclient04 ~]# ipa
>>> ipa: ERROR: Client is not configured. Run ipa-client-install.
>>> [root@ipaclient04 ~]# ipa user-find
>>> ipa: ERROR: Client is not configured. Run ipa-client-install.
>>> [root@ipaclient04 ~]#
>
>>> [root@ipaclient04 ~]# ipa user-find
>>> ipa: ERROR: cert validation failed for
>>> "CN=ipamaster.pegaclouds.com,O=PEGACLOUDS.COM" ((SEC_ERROR_UNTRUSTED_ISSUER)
>>> Peer's certificate issuer has been marked as not trusted by the user.)
>>> ipa: ERROR: cannot connect to u'https://ipamaster.pegaclouds.com/ipa/xml':
>>> [Errno -8172] (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has
>>> been marked as not trusted by the user.
>>>
>>> 6, So it looks like there are some kinds of new authentication steps I have
>>> missed somewhere -- could not find any clue on the Redhat IPA document for
>>> further steps -- I tried several times but results are not fruitful. Could
>>> anyone please shed a light at here? Thanks a lot.
>>
>>David-
>>
>>It looks like you didn't import the CA into the host certificate store
>>in /etc/pki/nssdb. I believe those commands require that you trust
>>your IPA CA. You can import the CA with:
>>
>>certutil -A -d /etc/pki/nssdb -n 'IPA CA' -t CT,C,C -a -i /etc/ipa/ca.crt
>>
>
>That is the magic finger!! and the IPA commands 'ipa user-find', 'ipa
>host-add', etc
>works without a glitch.
>>
>>Also, make sure and generate a host cert for the machine (also in
>>/etc/pki/nssdb) and have IPA sign it.
>>
>
>I have to fire up service messagebus, certmonger, and then run 'ipa-getcert
>request'
>command to generate a CSR, send it to IPA Master to sign it, save certificate
>at IPA master,
>and save the host private key / certificate locally inder /etc/pki/nssdb.
>
>So what are the benefits of host certificates? bascically what are the usage
>senarios to allure
>users to go though these efforts to register and renew a host certicate? I am
>new to host certificate
>(not httpd SSL certificate) and really not sure where they can be helpful.
>
>Thanks.
>
>--David
>
>>> 5, so I copied the files /etc/ca.crt and /etc/default.conf from a client
>>> installed with 'ipa-client-install' to this manual client, and tried the
>>> above command again and them stopped whiling and showed help screen as
>>> expected; but real IPA administration commands failed with the following
>>> error prompts:
>
>___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Manually installed IPA clients failes to run 'ipa user-find', 'ipa host-find', etc.
On Thu, Apr 26, 2012 at 3:51 PM, hshhs caca wrote:
> Hi folks,
>
> I'm pretty new to freeIPA. And here is a freeIPA installation problem
> encountered in my work. For company policies reasons we can not use
> ipa-client-install on Linux clients, instead manual installation method is
> in use and most of the freeIPA client config files are pushed out with
> cfengine. The problem details/steps are listed below:
>
> 1, following the steps at
> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/linux-manual.html,
> we registered all clients in IPA master, created and downloaded into
> subversion the keytab files for all clients, then use 'ipa-client-install'
> on one clients and save the config files into subversion too.
>
> 2, when a new Linux node is newly deployed, we deploy the files below onto
> the nodes: /etc/{krb5.conf, krb5.keytab,nsswitch.conf}, /etc/sssd/sssd.conf,
> /etc/pam.d/{fingerprint-auth-ac, password-auth-ac, system-auth-ac,
> smartcard-auth-ac}, with permissions and ownership setup correctly.
>
> 3, then we tested kerberos commands kinit/kdestroy/klist and they were all
> working; we tested 'getent passwd ', 'getent group ipausers' and
> they were working too, at last we tried ssh/login and they were working as
> expected as well.
>
> 4, at this step I could claim that IPA authentication and authorization
> worked successfully. Then I continued to try IPA admin command but
> unexpected them failed.
>
> [root@ipaclient04 ~]# ipa
> ipa: ERROR: Client is not configured. Run ipa-client-install.
> [root@ipaclient04 ~]# ipa user-find
> ipa: ERROR: Client is not configured. Run ipa-client-install.
> [root@ipaclient04 ~]#
>
> 5, so I copied the files /etc/ca.crt and /etc/default.conf from a client
> installed with 'ipa-client-install' to this manual client, and tried the
> above command again and them stopped whiling and showed help screen as
> expected; but real IPA administration commands failed with the following
> error prompts:
>
> [root@ipaclient04 ~]# ipa user-find
> ipa: ERROR: cert validation failed for
> "CN=ipamaster.pegaclouds.com,O=PEGACLOUDS.COM" ((SEC_ERROR_UNTRUSTED_ISSUER)
> Peer's certificate issuer has been marked as not trusted by the user.)
> ipa: ERROR: cannot connect to u'https://ipamaster.pegaclouds.com/ipa/xml':
> [Errno -8172] (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has
> been marked as not trusted by the user.
>
> 6, So it looks like there are some kinds of new authentication steps I have
> missed somewhere -- could not find any clue on the Redhat IPA document for
> further steps -- I tried several times but results are not fruitful. Could
> anyone please shed a light at here? Thanks a lot.
David-
It looks like you didn't import the CA into the host certificate store
in /etc/pki/nssdb. I believe those commands require that you trust
your IPA CA. You can import the CA with:
certutil -A -d /etc/pki/nssdb -n 'IPA CA' -t CT,C,C -a -i /etc/ipa/ca.crt
Also, make sure and generate a host cert for the machine (also in
/etc/pki/nssdb) and have IPA sign it.
Steve
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
