[Freeipa-users] Re: freeipa server + how to joining opensuse clients

Rob Crittenden rcritten at redhat.com
Mon Mar 16 14:14:20 UTC 2009


Daniel Qarras wrote:
> Hi!
> 
>> If you also want to offer kerberized services (like SSO
>> auth via sshd) then you can use ipa-addservice to add a 'host'
>> service for your machine and ipa-getkeytab to retrieve a keytab
>> for the machine.
>>
>> Details on the single operations are in the docs.
> 
> The doc was good, perhaps it should stress for the unenlightened (like me) that this must be done for each and every host?
> 
>> This page is to configure windows clients, you want to read
>> this one for linux/unix clients:
>>
>> http://www.freeipa.org/page/ClientConfigurationGuide
> 
> Again, nice doc but a bit outdated, Fedora version speaks about testing repos for 7 and 8 and rawhide for F9. In general though, great to see this kind of documentation!

Thanks, I've fixed this.

> 
> A few quick questions about the actual content:
> 
> - I've been setting up KerberosV5 lately and practically all guides have set these to false:
> 
>   dns_lookup_realm = true
>   dns_lookup_kdc = true
> 
> Aren't those unneeded when the servers have been already defined in krb5.conf?

Yes, as I understand it if you go to a realm/domain specified in the 
file these will not be used. Doesn't hurt to have them defined I 
suppose, I'm not sure what the defaults are. Do you think having these 
will cause confusion?

> 
> - TLS section lists
> 
>   TLS_REQCERT allow
> 
> Doesn't this mean that if TLS procedures fail a non-TLS connection will be used instead? Perhaps it could be mentioned that using "demand" would force TLS usage (and in lack of it the termination)?

Not really. As I understand it if TLS is not available then it will fall 
back to non-TLS. If the TLS is available but fails because of a bad 
cert, no trust of the CA, etc. then the connection will fail.

> 
> Thanks!

Thanks for the feedback.

rob
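As an added example, not part of the thread: a small POSIX shell audit of the TLS_REQCERT setting discussed above. ldap.conf(5) defines `allow` as requesting the server certificate but continuing the session if none is presented or it fails to verify, while `demand` (alias `hard`) terminates the session on either condition; the URI, path and sample files below are constructed.

```shell
#!/bin/sh
# Audit an OpenLDAP client ldap.conf for TLS_REQCERT (added example, not
# from the thread). Per ldap.conf(5): "allow" ignores a missing or bad
# server certificate, "demand"/"hard" aborts the session; demand is the
# documented default when the directive is absent.

tls_reqcert_value() {
    # Print the effective value, lower-cased (last occurrence wins);
    # prints nothing if the file never sets it. '#' comments are skipped
    # because their first field is not the bare keyword.
    awk 'toupper($1) == "TLS_REQCERT" { v = tolower($2) } END { print v }' "$1"
}

check_tls_reqcert() {
    # Exit 0 when certificate verification failures are fatal, 1 otherwise.
    val=$(tls_reqcert_value "$1")
    case "$val" in
        demand|hard) echo "$1: TLS_REQCERT=$val (strict)"; return 0 ;;
        "")          echo "$1: TLS_REQCERT unset (library default: demand)"; return 0 ;;
        *)           echo "$1: TLS_REQCERT=$val (cert errors are NOT fatal)"; return 1 ;;
    esac
}

demo() {
    # Constructed sample configs: the thread's "allow" beside the strict form.
    weak=$(mktemp); strict=$(mktemp)
    printf 'URI ldaps://ipa.example.com\nTLS_CACERT /path/to/ca.crt\nTLS_REQCERT allow\n' > "$weak"
    printf 'URI ldaps://ipa.example.com\nTLS_CACERT /path/to/ca.crt\nTLS_REQCERT demand\n' > "$strict"
    if check_tls_reqcert "$weak"; then w=0; else w=1; fi
    if check_tls_reqcert "$strict"; then s=0; else s=1; fi
    rm -f "$weak" "$strict"
    [ "$w" -eq 1 ] && [ "$s" -eq 0 ]
}
```

Run `demo` to see both verdicts, or point `check_tls_reqcert` at the client's real ldap.conf.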