<html><body><div style="color:#000; background-color:#fff; font-family:times new roman, new york, times, serif;font-size:12pt">Hi, Stephen, Thanks for your reply, and it works great, though I still have one question around the host cert -- what are the typical usage senarios of host cert for IPA clients? <blockquote>> > >On 4/26/12 6:01 PM, "Stephen Ingram" <sbingram@gmail.com> wrote: > >On Thu, Apr 26, 2012 at 3:51 PM, hshhs caca <cao2dan@yahoo.com> wrote: >> Hi folks, >> >> I'm pretty new to freeIPA. And here is a freeIPA installation problem >> encountered in my work. For company policies reasons we can not use >> ipa-client-install on Linux clients, instead manual installation method is >> in use and most of the freeIPA client config files are pushed out with >> cfengine. The problem details/steps are listed below: >> >> 1, following the steps at >> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/linux-manual.html, >> we registered all clients in IPA master, created and downloaded into >> subversion the keytab files for all clients, then use 'ipa-client-install' >> on one clients and save the config files into subversion too. >> >> 2, when a new Linux node is newly deployed, we deploy the files below onto >> the nodes: /etc/{krb5.conf, krb5.keytab,nsswitch.conf}, /etc/sssd/sssd.conf, >> /etc/pam.d/{fingerprint-auth-ac, password-auth-ac, system-auth-ac, >> smartcard-auth-ac}, with permissions and ownership setup correctly. >> >> 3, then we tested kerberos commands kinit/kdestroy/klist and they were all >> working; we tested 'getent passwd <ipaAccount>', 'getent group ipausers' and >> they were working too, at last we tried ssh/login and they were working as >> expected as well. >> >> 4, at this step I could claim that IPA authentication and authorization >> worked successfully. Then I continued to try IPA admin command but >> unexpected them failed. >> >> [root@ipaclient04 ~]# ipa >> ipa: ERROR: Client is not configured. Run ipa-client-install. >> [root@ipaclient04 ~]# ipa user-find >> ipa: ERROR: Client is not configured. Run ipa-client-install. >> [root@ipaclient04 ~]# >>>> >> [root@ipaclient04 ~]# ipa user-find >> ipa: ERROR: cert validation failed for >> "CN=ipamaster.pegaclouds.com,O=PEGACLOUDS.COM" ((SEC_ERROR_UNTRUSTED_ISSUER) >> Peer's certificate issuer has been marked as not trusted by the user.) >> ipa: ERROR: cannot connect to u'https://ipamaster.pegaclouds.com/ipa/xml': >> [Errno -8172] (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has >> been marked as not trusted by the user. >> >> 6, So it looks like there are some kinds of new authentication steps I have >> missed somewhere -- could not find any clue on the Redhat IPA document for >> further steps -- I tried several times but results are not fruitful. Could >> anyone please shed a light at here? Thanks a lot. > >David- > >It looks like you didn't import the CA into the host certificate store >in /etc/pki/nssdb. I believe those commands require that you trust >your IPA CA. You can import the CA with: > >certutil -A -d /etc/pki/nssdb -n 'IPA CA' -t CT,C,C -a -i /etc/ipa/ca.crt > That is the magic finger!! and the IPA commands 'ipa user-find', 'ipa host-add', etc works without a glitch. > >Also, make sure and generate a host cert for the machine (also in >/etc/pki/nssdb) and have IPA sign it. > I have to fire up service messagebus, certmonger, and then run 'ipa-getcert request' command to generate a CSR, send it to IPA Master to sign it, save certificate at IPA master, and save the host private key / certificate locally inder /etc/pki/nssdb. So what are the benefits of host certificates? bascically what are the usage senarios to allure users to go though these efforts to register and renew a host certicate? I am new to host certificate (not httpd SSL certificate) and really not sure where they can be helpful. Thanks. --David >> 5, so I copied the files /etc/ca.crt and /etc/default.conf from a client >> installed with 'ipa-client-install' to this manual client, and tried the >> above command again and them stopped whiling and showed help screen as >> expected; but real IPA administration commands failed with the following >> error prompts: </blockquote> </div></body></html>