[Freeipa-users] Fwd: manual client join

Stephen Ingram sbingram at gmail.com
Mon Dec 5 20:24:05 UTC 2011


On Wed, Nov 30, 2011 at 12:59 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>
> The only part assuming that is ipa-join itself. IPA does not support the
> direct use of kadmin or kadmin.local. On a supported platform you'd run:
>
> # ipa-getkeytab -s ipa.example.com -k /tmp/remote.keytab -p host/remote.example.com
>
> Then ship /tmp/remote.keytab to the machine and either use ktutil to combine
> it with /etc/krb5.keytab or replace krb5.keytab with it (and fix owner and
> permissions, and potentially SELinux context).

OK, got it. I can use the FreeIPA system itself to grab these for the host
and services, and then the new remote machine will have all the principals it
requires to work within the FreeIPA realm.

> certmonger gets its IPA configuration from /etc/ipa/default.conf. If you
> don't want or have certmonger then you can skip the CA bit altogether.
> Otherwise you'll need to copy in a working config.

OK, this requires certmonger. If I still want a FreeIPA-signed cert (say
I need to talk SSL to the FreeIPA directory for mail server config
purposes, e.g. to check the existence of an email address) without certmonger, I
can use certmonger on the FreeIPA server or the UI to sign a CSR generated using
NSS on the remote system, then transport the cert to the remote system and
manually install it for Apache, the LDAP client, etc., right?

I'm not trying to supplant FreeIPA here. Obviously the best (and
almost effortless) solution is to have freeipa-client and certmonger
on the system; however, if I'm stuck with an older version of Red Hat or
some other OS that just doesn't conveniently support FreeIPA, I just
want to be able to get a cert and the necessary principals to be able to
easily work within the FreeIPA realm. I also sort of like to know how
everything works in more detail, just in case something breaks and I
have to make manual adjustments.

Steve
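The "ship the keytab, merge it with ktutil, fix owner/permissions/SELinux context" step quoted above, as an added example that is not from the thread or from the FreeIPA project. It assumes MIT ktutil on the client and the /tmp/remote.keytab and /etc/krb5.keytab paths from Rob's message:

```shell
#!/bin/sh
# Added example (not from the thread): merge a keytab fetched on the IPA
# server with ipa-getkeytab into the client's /etc/krb5.keytab using MIT
# ktutil, then set owner/mode, restore the SELinux label and list the
# principals. Paths are assumptions; run install_keytab as root.

# Emit the ktutil command script that reads each source keytab and writes
# the combined keylist to DEST, a fresh file, so no entry is duplicated.
ktutil_script() {
    dest=$1; shift
    for kt in "$@"; do
        printf 'read_kt %s\n' "$kt"
    done
    printf 'write_kt %s\nquit\n' "$dest"
}

# True when the keytab is readable and writable by its owner only (0600).
keytab_mode_ok() {
    [ -n "$(find "$1" -perm 600 2>/dev/null)" ]
}

# Merge the existing keytab (if any) with the shipped one into a new file,
# install it as root:root 0600, relabel it for SELinux and show the result.
install_keytab() {
    shipped=$1
    dest=${2:-/etc/krb5.keytab}
    tmp="$dest.new.$$"
    rm -f "$tmp"
    # ktutil creates the merged file; a restrictive umask keeps it private.
    if [ -f "$dest" ]; then
        ktutil_script "$tmp" "$dest" "$shipped" | (umask 077; ktutil)
    else
        ktutil_script "$tmp" "$shipped" | (umask 077; ktutil)
    fi
    [ -s "$tmp" ] || { echo "ktutil produced no keytab" >&2; return 1; }
    install -o root -g root -m 600 "$tmp" "$dest" && rm -f "$tmp"
    command -v restorecon >/dev/null 2>&1 && restorecon "$dest"
    keytab_mode_ok "$dest" || { echo "bad mode on $dest" >&2; return 1; }
    klist -kt "$dest"
}

# Usage on the client after copying the file from the IPA server:
#   install_keytab /tmp/remote.keytab
```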
