[Freeipa-users] Connecting Ubuntu to IPA

Sigbjorn Lie sigbjorn at nixtra.com
Thu Jun 9 17:21:41 UTC 2011


Hi,

I've connected and used IPA successfully with Ubuntu 10.04, 10.10, and 
11.04. NFS4+KRB successfully in 10.10 and 11.04.

Install the packages below; substitute libpam-ldap for libpam-ldapd if 
you prefer PADL's ldap library, which can use groups within groups for 
user accounts. ldapd can't, however it offers a daemon which connects to 
an LDAP server, and a workaround for issues such as Thunderbird 
crashing, etc. I have not been able to get the sssd that comes with 
Ubuntu to work.

Copy /etc/ipa/ca.crt from the IPA host to /etc/ipa/ca.crt on the Ubuntu 
host.

Replace /etc/krb5.conf, /etc/ntp.conf, /etc/ldap.conf (make 
/etc/ldap/ldap.conf a symlink to /etc/ldap.conf), /etc/idmapd.conf 
(nfs4), /etc/nslcd.conf, /etc/default/autofs, /etc/nsswitch.conf, 
/etc/default/nfs-common. See attached files for examples.

Add the following to /etc/ssh/sshd_config:
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

And the following to /etc/ssh/ssh_config:
Host *
     GSSAPIAuthentication yes
     GSSAPIDelegateCredentials yes

Run this command to make sure ldap+krb has been configured in PAM after 
the packages have been installed:

$ /usr/sbin/pam-auth-update --package --force

This gives you an Ubuntu system configured for IPA with autofs and 
nfs4+krb5, and ssh krb ticket forwarding. Looking forward to when SSSD 
comes in version 1.5.x in Ubuntu! :)

I've set the ldap timeouts very low, so you might need to tweak them for 
this to work over a WAN/slow link, but it makes the client much more 
responsive if your first listed IPA/LDAP server becomes unavailable.


Packages:
         autofs5                 action=install
         autofs5-ldap            action=install
         krb5-user               action=install
         krb5-clients            action=install
         nfs-client              action=install
         nfs4-acl-tools          action=install
         ldap-auth-config        action=install
         ldap-utils              action=install
         #libpam-ldap            action=install
         libpam-ldapd            action=install
         libpam-krb5             action=install
         libpam-ccreds           action=install
         libpam-foreground       action=install
         libnss-ldap             action=install
         nscd                    action=install
         ntp                     action=install



Rgds,
Siggi



On 06/09/2011 02:43 AM, Steven Jones wrote:
> Hi,
>
> I am still trying to figure getting ubuntu connected....
>
> So to get a non-rhel client computer into freeipa the first thing I have to do is make a client computer instance in freeipa first? or doesn't it matter? i.e. can a non rhel client only do authentication or can it be acted upon fully as per a rhel client?
>
> Are there certificates for ssl or something that have to be copied over to the client(s)?
>
> I don't have it working yet beyond I can do a kinit and admin and give a password and then do klist etc....
>
> :/
>
> It's proving very painful....
>
> regards
>
> Steven
>
>
> 8><----
>
> Maybe this article could be a good jumping-off point?
> http://www.aput.net/~jheiss/krbldap/howto.html
>
> It's pretty old, but seems to bring together many things and overview them well, with enough static examples to give you a feel for what you're getting into.
>
> 8><---
>
> thanks, it's helping.
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: autofs
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20110609/891f05f0/attachment.ksh>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: idmapd.conf
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20110609/891f05f0/attachment.conf>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: krb5.conf
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20110609/891f05f0/attachment-0001.conf>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: ldap.conf
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20110609/891f05f0/attachment-0002.conf>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: nslcd.conf
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20110609/891f05f0/attachment-0003.conf>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: nsswitch.conf
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20110609/891f05f0/attachment-0004.conf>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: ntp.conf
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20110609/891f05f0/attachment-0005.conf>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: nfs-common
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20110609/891f05f0/attachment-0001.ksh>
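As an added example (not part of Siggi's mail or of FreeIPA), a POSIX shell script that checks the sshd_config and ssh_config settings from the mail and the copied /etc/ipa/ca.crt; because OpenSSH uses the first value found for a keyword, it reports the setting actually in effect rather than just whether a line is present. The paths under --run are the ones from the mail; the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the mail): verify the sshd_config / ssh_config
# settings and the CA certificate the procedure above puts in place.
# sshd_config(5) and ssh_config(5) use the FIRST value found for a keyword,
# so appending "GSSAPIAuthentication yes" below an earlier "no" changes
# nothing; these checks report the value actually in effect.

# Print the effective value of KEYWORD in FILE: first match wins, keyword is
# case-insensitive, "key value" and "key=value" both accepted. For a client
# ssh_config only lines outside any Host/Match block or inside "Host *"
# count, i.e. the value that applies to every host; Match blocks are skipped.
effective_value() {  # FILE KEYWORD
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        BEGIN { inscope = 1 }
        /^[ \t]*#/ || /^[ \t]*$/ { next }            # comments and blank lines
        { k = tolower($1); sub(/=.*/, "", k) }       # keyword, "key=value" too
        k == "host" || k == "match" { inscope = ($2 == "*"); next }
        k == key && inscope {
            v = $0
            sub(/^[ \t]*[^ \t=]+[ \t=]+/, "", v)     # strip keyword + separator
            sub(/[ \t]+$/, "", v)
            print tolower(v); exit
        }' "$1"
}

# 0 when FILE enables both server-side settings from the mail, 1 otherwise.
check_sshd_gssapi() {  # FILE
    [ "$(effective_value "$1" GSSAPIAuthentication)" = yes ] &&
    [ "$(effective_value "$1" GSSAPICleanupCredentials)" = yes ]
}

# 0 when FILE enables both client-side settings for every host, 1 otherwise.
check_ssh_gssapi() {  # FILE
    [ "$(effective_value "$1" GSSAPIAuthentication)" = yes ] &&
    [ "$(effective_value "$1" GSSAPIDelegateCredentials)" = yes ]
}

# 0 when CERT is readable and looks like a PEM certificate (the copied
# /etc/ipa/ca.crt), 1 otherwise; deeper validation is left to openssl x509.
check_ca_cert() {  # CERT
    [ -r "$1" ] && grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Check the real files when invoked as: sh this-script.sh --run
if [ "${1:-}" = --run ]; then
    check_sshd_gssapi /etc/ssh/sshd_config || echo "sshd_config: GSSAPI settings not in effect"
    check_ssh_gssapi  /etc/ssh/ssh_config  || echo "ssh_config: GSSAPI settings not in effect"
    check_ca_cert     /etc/ipa/ca.crt      || echo "/etc/ipa/ca.crt: missing or not PEM"
fi
```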

