[Freeipa-devel] Notes on server to server sasl
Rich Megginson
rmeggins at redhat.com
Fri Oct 17 23:15:13 UTC 2008
I'm using the current HEAD code. My master is F9 x86_64 and my replica
is F8 i386. For the most part, the setup documented here
http://freeipa.org/page/InstallAndDeploy works pretty well.
Setup
1) I'm not using DNS, just testing with VMs, so I had to make sure my
VMs were assigned a consistent IP address via dhcp - and edit /etc/hosts
to use the fqdn
2) I did not assign a hostname at install time, so I had to edit
/etc/sysconfig/network to assign the hostname and reboot - probably
could have done that with dhcp too (anyone know how?)
3) I had to edit the firewall settings to allow 389 and 636 tcp (and udp
for good measure) on both the master and replica
4) I added the --no-host-dns option to ipa-server-install, but I'll need
to add that to several other ipa- cmd line tools as well - I just hacked
them instead to pass in verify_fqdn(name, True)
Notes
1) ipa-replica-install did not add a replication agreement from the
replica to the master, but it configured the replica as a master (for
MMR) - is this expected?
2) There was no principal for ldap/fqdn.of.replica@REALM - do I have to
add this manually? I did anyway and it made Kerberos happier (but not
working) with replication, but it seemed to break lots of stuff on the
replica (could no longer ldapsearch -Y GSSAPI on the replica, could not
ipa-finduser on the replica)
* Server to Server SASL/GSSAPI
I modified Fedora DS to do SASL/GSSAPI bind for replication from the
master to the replica. I then had to modify /etc/sysconfig/dirsrv to do
the following:
kinit -k -t /etc/dirsrv/ds.keytab ldap/fqdn.of.master@REALM
parse klist to get the tgt filename
export KRB5CCNAME=tgtfilename
chown dirsrv:dirsrv $KRB5CCNAME
I then had to add the ldap host principal for ldap/fqdn.of.replica@REALM
(not sure why it wasn't there?). After startup, the master attempts to
do a SASL/GSSAPI bind to the replica, and gets this error in the krb5kdc log
on the master:
NO PREAUTH: authtime xxxx, ldap/fqdn.of.master@REALM for ldap/fqdn.of.replica@REALM, Generic error (see e-text)
Is what I'm trying to do possible within the IPA kerberos framework?
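The four-step procedure the post describes for /etc/sysconfig/dirsrv (kinit from the service keytab, parse klist for the ticket cache, export KRB5CCNAME, chown the cache to the directory server user) is shown below as an added example; it is not code from the post or from FreeIPA/Fedora DS. The keytab path, principal and dirsrv user are taken from the post; the klist output is a constructed sample used only so the parsing step can be exercised without a KDC, and the parsing assumes the MIT klist layout ("Ticket cache: FILE:/path", "Default principal: name").

```shell
#!/bin/sh
# Added example: set up a Kerberos credential cache for the directory server
# as described in the post. Not FreeIPA's own code.

# Assumptions carried over from the post (override via the environment).
KEYTAB=${KEYTAB:-/etc/dirsrv/ds.keytab}
PRINC=${PRINC:-ldap/fqdn.of.master@REALM}
DS_USER=${DS_USER:-dirsrv}

# Read klist output on stdin and print the ticket cache path.
# MIT klist prints "Ticket cache: FILE:/tmp/krb5cc_0"; drop the label and
# the "FILE:" type prefix so the result is a plain path usable with chown.
ccache_from_klist() {
    sed -n 's/^Ticket cache: *//p' | sed 's/^FILE://' | head -n 1
}

# Read klist output on stdin and print the default principal, so the caller
# can check the cache really belongs to the expected service principal.
principal_from_klist() {
    sed -n 's/^Default principal: *//p' | head -n 1
}

# Constructed sample of klist output (not captured from a real system).
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ldap/fqdn.of.master@REALM

Valid starting     Expires            Service principal
10/17/08 16:00:00  10/18/08 16:00:00  krbtgt/REALM@REALM'

# The actual procedure: obtain a TGT with the keytab, locate the cache,
# export it for the server process and hand the file to the dirsrv user.
# Requires kinit/klist and root privileges; not run automatically.
setup_ccache() {
    kinit -k -t "$KEYTAB" "$PRINC" || return 1
    out=$(klist) || return 1
    cc=$(printf '%s\n' "$out" | ccache_from_klist)
    [ -n "$cc" ] || { echo "no ticket cache found in klist output" >&2; return 1; }
    got=$(printf '%s\n' "$out" | principal_from_klist)
    [ "$got" = "$PRINC" ] || { echo "cache belongs to $got, expected $PRINC" >&2; return 1; }
    KRB5CCNAME="FILE:$cc"
    export KRB5CCNAME
    chown "$DS_USER:$DS_USER" "$cc" && chmod 0600 "$cc"
}

# Invoke as "sh thisscript.sh run" to perform the real setup.
if [ "${1:-}" = run ]; then
    setup_ccache
fi
```

Two caveats worth keeping in mind with this approach: the TGT obtained by kinit expires (24 hours in the sample above), so whatever wraps the server start must also renew or re-kinit before expiry, or the replication bind will start failing silently at that point; and the cache file ends up owned by the dirsrv user, so it should be mode 0600 and not left in a world-writable /tmp where another local user could substitute a cache of their own.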