<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Sorry, forgot one last, very important thing. Use ipa-getkeytab on an
IPA server to retrieve the keytab for the host, and copy this to
/etc/krb5.keytab on the Ubuntu client.<br>
<br>
[root@ipa1 ~]# ipa-getkeytab -s ipa1.ix.test.com -p
host/ubuntu-client.ix.test.com -k /tmp/buntuclient_krb5.keytab<br>
<br>
If you prefer you can use something like CFengine to automate the
whole process. <br>
<br>
<br>
Rgds,<br>
Siggi.<br>
<br>
On 06/09/2011 07:21 PM, Sigbjorn Lie wrote:
<blockquote cite="mid:4DF10125.5020406@nixtra.com" type="cite">Hi,
<br>
<br>
I've connected and used IPA successfully with Ubuntu 10.04, 10.10,
and 11.04. NFS4+KRB successfully in 10.10 and 11.04.
<br>
<br>
Install the packages below; substitute libpam-ldap for
libpam-ldapd if you prefer PADL's LDAP library, which can use
groups within groups for user accounts. ldapd can't; however, it
offers a daemon which connects to an LDAP server, and a workaround for
issues such as Thunderbird crashing, etc. I have not been
able to get the sssd that comes with Ubuntu to work.
<br>
<br>
Copy /etc/ipa/ca.crt from the IPA host to /etc/ipa/ca.crt on the
Ubuntu host.
<br>
<br>
Replace /etc/krb5.conf, /etc/ntp.conf, /etc/ldap.conf (make
/etc/ldap/ldap.conf a symlink to /etc/ldap.conf), /etc/idmapd.conf
(nfs4), /etc/nslcd.conf, /etc/default/autofs, /etc/nsswitch.conf,
/etc/default/nfs-common. See attached files for examples.
<br>
<br>
Add the following to /etc/ssh/sshd_config:
<br>
GSSAPIAuthentication yes
<br>
GSSAPICleanupCredentials yes
<br>
<br>
And the following to /etc/ssh/ssh_config:
<br>
Host *
<br>
GSSAPIAuthentication yes
<br>
GSSAPIDelegateCredentials yes
<br>
<br>
Run this command to make sure ldap+krb has been configured in PAM
after the packages have been installed: $ /usr/sbin/pam-auth-update
--package --force
<br>
<br>
This gives you an Ubuntu system configured for IPA with autofs and
nfs4+krb5, and ssh krb ticket forwarding. Looking forward to when
SSSD comes in version 1.5.x in Ubuntu! :)
<br>
<br>
I've set the ldap timeouts very low so you might need tweaking for
this to work over a WAN/slow link, but it makes the client much
more responsive if your first listed IPA/LDAP server becomes
unavailable.
<br>
<br>
<br>
Packages:
<br>
autofs5 action=install
<br>
autofs5-ldap action=install
<br>
krb5-user action=install
<br>
krb5-clients action=install
<br>
nfs-client action=install
<br>
nfs4-acl-tools action=install
<br>
ldap-auth-config action=install
<br>
ldap-utils action=install
<br>
#libpam-ldap action=install
<br>
libpam-ldapd action=install
<br>
libpam-krb5 action=install
<br>
libpam-ccreds action=install
<br>
libpam-foreground action=install
<br>
libnss-ldap action=install
<br>
nscd action=install
<br>
ntp action=install
<br>
<br>
<br>
<br>
Rgds,
<br>
Siggi
<br>
<br>
<br>
<br>
On 06/09/2011 02:43 AM, Steven Jones wrote:
<br>
<blockquote type="cite">Hi,
<br>
<br>
I am still trying to figure out getting ubuntu connected....
<br>
<br>
So to get a non-RHEL client computer into FreeIPA the first
thing I have to do is make a client computer instance in FreeIPA
first? Or doesn't it matter? I.e. can a non-RHEL client only do
authentication or can it be acted upon fully as per a RHEL
client?
<br>
<br>
Are there certificates for ssl or something that have to be
copied over to the client(s)?
<br>
<br>
I don't have it working yet beyond I can do a kinit as admin and
give a password and then do klist etc....
<br>
<br>
:/
<br>
<br>
It's proving very painful....
<br>
<br>
regards
<br>
<br>
Steven
<br>
<br>
<br>
8><----
<br>
<br>
Maybe this article could be a good jumping-off point?
<br>
<a class="moz-txt-link-freetext" href="http://www.aput.net/~jheiss/krbldap/howto.html">http://www.aput.net/~jheiss/krbldap/howto.html</a>
<br>
<br>
It's pretty old, but seems to bring together many things and
overview them well, with enough static examples to give you a
feel for what you're getting into.
<br>
<br>
8><---
<br>
<br>
thanks, it's helping.
<br>
<br>
_______________________________________________
<br>
Freeipa-users mailing list
<br>
<a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>
<br>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a>
<br>
</blockquote>
<br>
</blockquote>
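The steps above (fetching the host keytab, installing it as /etc/krb5.keytab, the GSSAPI lines for sshd_config and ssh_config, the package list, and the pam-auth-update run) are easy to get subtly wrong by hand, in particular the keytab ending up readable by non-root users. The shell script below is an added example written for this page, not code from Siggi's posts or from the FreeIPA project: it wraps the same settings in idempotent helpers that take file paths as parameters, so they can be checked against copies before being run as root against the real files. The function names, the 0600 keytab mode check, and the use of GNU/BusyBox <code>stat -c</code> are assumptions of the example; the package names, config keys and the pam-auth-update invocation are the ones from the thread.<br>
<br>
```shell
#!/bin/sh
# Added example (not from the thread): idempotent helpers for the Ubuntu
# client steps Siggi lists. Paths default to the thread's files but are
# parameters so the helpers can be exercised on copies first.
set -eu

# set_kv FILE KEY VALUE: make "KEY VALUE" the active setting in FILE.
# A commented-out or differing line for KEY is rewritten in place so the
# directive appears exactly once; otherwise the line is appended.
set_kv() {
    file=$1; key=$2; value=$3
    [ -f "$file" ] || : > "$file"
    if grep -Eq "^[#[:space:]]*$key[[:space:]]" "$file"; then
        tmp=$(mktemp)
        awk -v k="$key" -v v="$value" '
            !done && $0 ~ ("^[# \t]*" k "[ \t]") { print k " " v; done = 1; next }
            { print }' "$file" > "$tmp"
        cat "$tmp" > "$file"   # cat, not mv, so FILE keeps its owner and mode
        rm -f "$tmp"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# has_kv FILE KEY VALUE: succeed if FILE has an active "KEY VALUE" line.
has_kv() {
    grep -Eq "^[[:space:]]*$2[[:space:]]+$3[[:space:]]*$" "$1"
}

# Server side (sshd_config): GSSAPI login plus credential cleanup on logout.
configure_sshd_gssapi() {
    f=${1:-/etc/ssh/sshd_config}
    set_kv "$f" GSSAPIAuthentication yes
    set_kv "$f" GSSAPICleanupCredentials yes
}

# Client side (ssh_config): ssh uses the first value it sees for a keyword,
# so the "Host *" block is appended only when delegation is not already on
# and any earlier per-host setting still wins. Delegation hands the remote
# host a forwardable copy of the user's TGT, so limit it to trusted hosts.
configure_ssh_client_gssapi() {
    f=${1:-/etc/ssh/ssh_config}
    [ -f "$f" ] || : > "$f"
    if ! has_kv "$f" GSSAPIDelegateCredentials yes; then
        printf 'Host *\n    GSSAPIAuthentication yes\n    GSSAPIDelegateCredentials yes\n' >> "$f"
    fi
}

# install_keytab SRC [DST]: put the keytab fetched with ipa-getkeytab in
# place with mode 0600. The keytab is equivalent to the host's password and
# must never be group- or world-readable. Run as root it ends up root-owned;
# -o/-g are left out so the helper also works unprivileged on a test copy.
install_keytab() {
    install -m 0600 "$1" "${2:-/etc/krb5.keytab}"
}

# check_keytab_mode FILE: succeed only if FILE is readable by its owner alone.
# Assumes GNU or BusyBox stat (the -c format option).
check_keytab_mode() {
    mode=$(stat -c '%a' "$1")
    [ "$mode" = "600" ] || [ "$mode" = "400" ]
}

# check_keytab_principal FILE [FQDN]: confirm the keytab really holds a host/
# principal for this machine (klist comes from krb5-user). Needs a real keytab.
check_keytab_principal() {
    klist -kt "$1" | grep -q "host/${2:-$(hostname -f)}@"
}

# Whole sequence from the thread, run as root on the client once the keytab
# from the IPA server and the attached config files are already in place.
ipa_client_setup() {
    keytab_src=$1   # e.g. the /tmp/buntuclient_krb5.keytab copied over
    apt-get install -y autofs5 autofs5-ldap krb5-user krb5-clients nfs-client \
        nfs4-acl-tools ldap-auth-config ldap-utils libpam-ldapd libpam-krb5 \
        libpam-ccreds libpam-foreground libnss-ldap nscd ntp
    ln -sf /etc/ldap.conf /etc/ldap/ldap.conf
    install_keytab "$keytab_src" /etc/krb5.keytab
    configure_sshd_gssapi
    configure_ssh_client_gssapi
    /usr/sbin/pam-auth-update --package --force
    check_keytab_mode /etc/krb5.keytab && check_keytab_principal /etc/krb5.keytab
}
```
<br>
Source the file and call the helpers individually to dry-run them on copies (for example <code>configure_sshd_gssapi /tmp/sshd_config.test</code>), then <code>ipa_client_setup /tmp/buntuclient_krb5.keytab</code> for the full sequence. Running it twice leaves the config files unchanged, which is what makes it suitable for the CFengine-style automation mentioned above.<br>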
<br>
</body>
</html>