[Freeipa-users] Re: freeipa server + how to joining opensuse clients
Rob Crittenden
rcritten at redhat.com
Mon Mar 16 14:14:20 UTC 2009
Daniel Qarras wrote:
> Hi!
>
>> If you also want to offer kerberized services (like SSO
>> auth via sshd) then you can use ipa-addservice to add a 'host'
>> service for your machine and ipa-getkeytab to retrieve a keytab
>> for the machine.
>>
>> Details on the single operations are in the docs.
>
> The doc was good, perhaps it should stress for the unenlightened (like me) that this must be done for each and every host?
>
>> This page is to configure windows clients, you want to read
>> this one for linux/unix clients:
>>
>> http://www.freeipa.org/page/ClientConfigurationGuide
>
> Again, nice doc but a bit outdated, Fedora version speaks about testing repos for 7 and 8 and rawhide for F9. In general though, great to see this kind of documentation!
Thanks, I've fixed this.
>
> Few quick questions about the actual content:
>
> - I've been setting up KerberosV5 lately and practically all guides have set these to false:
>
> dns_lookup_realm = true
> dns_lookup_kdc = true
>
> Aren't those unneeded when the servers have already been defined in krb5.conf?
Yes, as I understand it if you go to a realm/domain specified in the
file these will not be used. Doesn't hurt to have them defined I
suppose, I'm not sure what the defaults are. Do you think having these
will cause confusion?
>
> - TLS section lists
>
> TLS_REQCERT allow
>
> Doesn't this mean that if TLS procedures fail a non-TLS connection will be used instead? Perhaps it could be mentioned that using "demand" would force TLS usage (and in lack of it the termination)?
Not really. As I understand it if TLS is not available then it will fall
back to non-TLS. If the TLS is available but fails because of a bad
cert, no trust of the CA, etc. then the connection will fail.
>
> Thanks!
Thanks for the feedback.
rob
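To make the TLS_REQCERT distinction concrete, here is an added example (not from this thread or the FreeIPA project) that lints an ldap.conf fragment for weak certificate checking using the level semantics documented in ldap.conf(5); the sample config text and the CA path /etc/ipa/ca.crt are constructed assumptions.

```python
"""Lint an OpenLDAP-style ldap.conf for weak TLS certificate checking.

Added illustration, not code from the thread or from FreeIPA. TLS_REQCERT
levels follow ldap.conf(5): 'never' and 'allow' let a session proceed on a
bad or missing server certificate, 'try' accepts a missing one, and
'demand'/'hard' terminate the session unless a trusted certificate is shown.
"""
from typing import Dict, List

# Constructed sample mirroring the fragment discussed in the thread.
WEAK_LDAP_CONF = """\
# ldap.conf - client settings (constructed example)
BASE   dc=example,dc=com
URI    ldap://ipa.example.com
TLS_REQCERT allow
"""

# Constructed hardened variant: demand a trusted cert and name the CA file
# (path is an assumption, adjust to where the IPA CA cert is installed).
HARDENED_LDAP_CONF = """\
BASE   dc=example,dc=com
URI    ldaps://ipa.example.com
TLS_CACERT  /etc/ipa/ca.crt
TLS_REQCERT demand
"""

# What each weak TLS_REQCERT level does on a missing or bad server certificate.
_REQCERT_RISK = {
    "never": "certificate never requested: no server authentication",
    "allow": "bad or missing certificate is ignored: impersonation not detected",
    "try": "missing certificate is accepted: server may skip authentication",
}


def parse_ldap_conf(text: str) -> Dict[str, str]:
    """Return keyword -> value; keywords are case-insensitive, so uppercase them."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings[parts[0].upper()] = parts[1].strip()
    return settings


def audit_tls(settings: Dict[str, str]) -> List[str]:
    """List findings; an empty list means certificate checking is enforced."""
    findings: List[str] = []
    level = settings.get("TLS_REQCERT", "demand").lower()  # ldap.conf(5) default
    if level in _REQCERT_RISK:
        findings.append(f"TLS_REQCERT {level}: {_REQCERT_RISK[level]}")
    if "TLS_CACERT" not in settings and "TLS_CACERTDIR" not in settings:
        findings.append("no TLS_CACERT/TLS_CACERTDIR: no trust anchor for the IPA CA")
    return findings
```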