[Freeipa-devel] [PATCH] 749 use hostname consistently in ipa-client-install
Rob Crittenden
rcritten at redhat.com
Fri Mar 4 22:59:26 UTC 2011
If a hostname was provided it wasn't used to configure either certmonger
or sssd. This resulted in a non-working configuration.

Additionally on un-enrollment the wrong hostname was unenrolled, it used
the value of gethostname() rather than the one that was passed into the
installer.

We have to modify the CA configuration of certmonger to make it use the
right principal when requesting certificates. The filename is
unpredictable but it will be in /var/lib/certmonger/cas. We need to hunt
for ipa_submit and add -k <principal> to it, then undo that on
uninstall. These files are created the first time the certmonger service
starts, so start and stop it before messing with them.

ticket 1029

To test do something like:

# ipa-client-install --hostname some_other_host.example.com
# ipa-getcert list
# id admin

If id admin works it means sssd is set up properly, you can confirm by
looking at ipa_hostname in /etc/sssd/sssd.conf.

The certificate in ipa-getcert should be MONITORING.

Now on the IPA server look at the host entry for
some_other_host.example.com and it should have Keytab: True

Now run: ipa-client-install --uninstall

The host entry on the server should have Keytab: False

ipa-getcert list should return nothing (you'll need to start the
certmonger service to see it)

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-749-hostname.patch
Type: application/mbox
Size: 9849 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20110304/68d7c996/attachment.mbox>
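
The consistency the message asks testers to confirm by hand can be checked with a short script. This is an added example, not code from the attached patch or from FreeIPA. It assumes the certmonger CA files carry the helper on a ca_external_helper= line, that the principal has the form host/<hostname>@<REALM>, and that the helper lives at /usr/libexec/certmonger/ipa-submit; the function names and sample files are constructed for illustration.

```python
import configparser, os, re, shlex

def helper_principals(cas_dir):
    """Return {CA file name: principal passed with -k, or None} for ipa-submit helpers."""
    found = {}
    for name in sorted(os.listdir(cas_dir)):
        with open(os.path.join(cas_dir, name)) as fh:
            for line in fh:
                key, _, value = line.partition("=")
                # Assumed file format: ca_external_helper=<path to helper> [args]
                if key.strip() == "ca_external_helper" and re.search(r"ipa[-_]submit", value):
                    args = shlex.split(value)
                    found[name] = args[args.index("-k") + 1] if "-k" in args[:-1] else None
    return found

def sssd_hostnames(sssd_conf):
    """Return {section: ipa_hostname} for every sssd.conf section that sets it."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read(sssd_conf)
    return {s: cp[s]["ipa_hostname"] for s in cp.sections() if "ipa_hostname" in cp[s]}

def check(cas_dir, sssd_conf, hostname, realm):
    """List every place where the hostname given to the installer was not applied."""
    expected = "host/%s@%s" % (hostname, realm)  # assumed principal form
    problems = []
    principals = helper_principals(cas_dir)
    if not principals:
        problems.append("no ipa-submit helper found; start certmonger once to create the CA files")
    for name, princ in principals.items():
        if princ != expected:
            problems.append("%s: helper uses principal %s, expected %s" % (name, princ, expected))
    hosts = sssd_hostnames(sssd_conf)
    if not hosts:
        problems.append("sssd.conf sets no ipa_hostname")
    for section, host in hosts.items():
        if host != hostname:
            problems.append("[%s] ipa_hostname is %s, expected %s" % (section, host, hostname))
    return problems

def write_sample(root, helper_args, ipa_hostname):
    """Write constructed sample files (not real system state); return (cas_dir, sssd_conf)."""
    cas, conf = os.path.join(root, "cas"), os.path.join(root, "sssd.conf")
    os.makedirs(cas, exist_ok=True)
    with open(os.path.join(cas, "20110304225926"), "w") as fh:
        fh.write("id=IPA\nca_external_helper=/usr/libexec/certmonger/ipa-submit%s\n" % helper_args)
    with open(conf, "w") as fh:
        fh.write("[domain/example.com]\nipa_hostname = %s\n" % ipa_hostname)
    return cas, conf
```

On an enrolled client, check("/var/lib/certmonger/cas", "/etc/sssd/sssd.conf", hostname, realm) returns an empty list when both certmonger and sssd use the hostname given to the installer.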