[Freeipa-users] Re: freeipa server + how to joining opensuse clients

Daniel Qarras dqarras at yahoo.com
Sat Mar 14 15:40:23 UTC 2009


Hi!

> If you also want to offer kerberized services (like SSO
> auth via sshd) then you can use ipa-addservice to add a 'host'
> service for your machine and ipa-getkeytab to retrieve a keytab
> for the machine.
> 
> Details on the single operations are in the docs.

The doc was good, perhaps it should stress for the unenlightened (like me) that this must be done for each and every host?

> This page is to configure windows clients, you want to read
> this one for linux/unix clients:
> 
> http://www.freeipa.org/page/ClientConfigurationGuide

Again, nice doc but a bit outdated, Fedora version speaks about testing repos for 7 and 8 and rawhide for F9. In general though, great to see this kind of documentation!

A few quick questions about the actual content:

- I've been setting up KerberosV5 lately and practically all guides have set these to false:

  dns_lookup_realm = true
  dns_lookup_kdc = true

Aren't those unneeded when the servers have already been defined in krb5.conf?

- TLS section lists

  TLS_REQCERT allow

Doesn't this mean that if TLS procedures fail a non-TLS connection will be used instead? Perhaps it could be mentioned that using "demand" would force TLS usage (and in lack of it the termination)?

Thanks!
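
An added example, not part of the original message or the FreeIPA guide: a check of the TLS_REQCERT level an OpenLDAP client config ends up with, using the level semantics documented in ldap.conf(5). The sample configuration, host name and CA path are constructed; per-user ldaprc files and application-level overrides are not covered.

```python
# Added example: audit the effective TLS_REQCERT level of an OpenLDAP client config.
# Level semantics follow ldap.conf(5); the sample configs below are constructed.

# level -> (session continues with no server cert, session continues with a bad cert)
LEVELS = {
    "never":  (True, True),    # certificate not requested or checked
    "allow":  (True, True),    # requested, but a missing/bad cert is ignored
    "try":    (True, False),   # missing cert tolerated, bad cert terminates
    "demand": (False, False),  # valid cert required (the library default)
    "hard":   (False, False),  # synonym for demand
}

def effective_reqcert(conf_text, env=None):
    """Return the TLS_REQCERT level in effect: LDAPTLS_REQCERT in the
    environment overrides the file; within the file the last setting wins;
    with nothing set the default is 'demand'."""
    level = "demand"
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if parts[0].upper() == "TLS_REQCERT" and len(parts) == 2:
            level = parts[1].strip().lower()
    if env and env.get("LDAPTLS_REQCERT"):
        level = env["LDAPTLS_REQCERT"].strip().lower()
    if level not in LEVELS:
        raise ValueError("unknown TLS_REQCERT level: %r" % level)
    return level

def audit(conf_text, env=None):
    """Return (level, ok, message); ok is True only if a bad or missing
    server certificate terminates the session."""
    level = effective_reqcert(conf_text, env)
    no_cert_ok, bad_cert_ok = LEVELS[level]
    if not no_cert_ok and not bad_cert_ok:
        return level, True, "server certificate is required and verified"
    accepted = "missing or invalid" if bad_cert_ok else "missing"
    return level, False, "session continues with a %s server certificate" % accepted

# Constructed sample: the guide's setting, and the same file with "demand".
GUIDE_CONF = "URI ldap://ipa.example.com\nTLS_CACERT /etc/ipa/ca.crt\nTLS_REQCERT allow\n"
STRICT_CONF = GUIDE_CONF.replace("TLS_REQCERT allow", "TLS_REQCERT demand")

if __name__ == "__main__":
    for name, conf in (("guide", GUIDE_CONF), ("strict", STRICT_CONF)):
        print(name, audit(conf))
```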



      



