[Freeipa-users] Connecting Ubuntu to IPA - one last important step!

Steven Jones Steven.Jones at vuw.ac.nz
Thu Jun 9 20:46:00 UTC 2011


Hi,

thanks, this should help a lot.

When I sudo to root I can use the ipa password so I'm fairly close...

regards


________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Sigbjorn Lie [sigbjorn at nixtra.com]
Sent: Friday, 10 June 2011 5:38 a.m.
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Connecting Ubuntu to IPA - one last important step!

Sorry, forgot one last, very important thing. Use ipa-getkeytab on an IPA server to retrieve the keytab for the host, and copy this to /etc/krb5.keytab on the Ubuntu client.

[root at ipa1 ~]# ipa-getkeytab -s ipa1.ix.test.com -p host/ubuntu-client.ix.test.com -k /tmp/buntuclient_krb5.keytab

If you prefer you can use something like CFengine to automate the whole process.


Rgds,
Siggi.

On 06/09/2011 07:21 PM, Sigbjorn Lie wrote:
Hi,

I've connected and used IPA successfully with Ubuntu 10.04, 10.10, and 11.04. NFS4+KRB successfully in 10.10 and 11.04.

Install the packages below, substitute libpam-ldap for libpam-ldapd if you prefer PADL's ldap library which can use groups within groups for user accounts. ldapd can't, however it offers a daemon which connects to an LDAP server, and a workaround for issues such as Thunderbird crashing, etc. I have not been able to get the sssd that comes with Ubuntu to work.

Copy /etc/ipa/ca.crt from the IPA host to /etc/ipa/ca.crt on the Ubuntu host.

Replace /etc/krb5.conf, /etc/ntp.conf, /etc/ldap.conf (make /etc/ldap/ldap.conf a symlink to /etc/ldap.conf), /etc/idmapd.conf (nfs4), /etc/nslcd.conf, /etc/default/autofs, /etc/nsswitch.conf, /etc/default/nfs-common. See attached files for examples.

Add the following to /etc/ssh/sshd_config:
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

And the following to /etc/ssh/ssh_config:
Host *
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

Run this command to make sure ldap+krb has been configured in PAM after the packages have been installed: $ /usr/sbin/pam-auth-update --package --force

This gives you an Ubuntu system configured for IPA with autofs and nfs4+krb5, and ssh krb ticket forwarding. Looking forward to when SSSD comes in version 1.5.x in Ubuntu! :)

I've set the ldap timeouts very low so you might need tweaking for this to work over a WAN/slow link, but it makes the client much more responsive if your first listed IPA/LDAP server becomes unavailable.


Packages:
        autofs5                 action=install
        autofs5-ldap            action=install
        krb5-user               action=install
        krb5-clients            action=install
        nfs-client              action=install
        nfs4-acl-tools          action=install
        ldap-auth-config        action=install
        ldap-utils              action=install
        #libpam-ldap            action=install
        libpam-ldapd            action=install
        libpam-krb5             action=install
        libpam-ccreds           action=install
        libpam-foreground       action=install
        libnss-ldap             action=install
        nscd                    action=install
        ntp                     action=install



Rgds,
Siggi
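
An added check script, not from the thread and not IPA's own tooling, that verifies on the client the pieces Siggi lists: the GSSAPI lines in sshd_config and ssh_config read the way ssh reads them (the first occurrence of a keyword wins, so a line appended after an existing "no" changes nothing), and the /etc/krb5.keytab copied from ipa-getkeytab. The sample files it creates are constructed for the demonstration; pass the real paths to run it against a client.

```sh
#!/bin/sh
# Added example, not from the thread: sanity-check an Ubuntu client against
# the settings in Siggi's post. Sample files below are constructed for the demo.

# first_value FILE KEYWORD [HOST]: print the value sshd/ssh will actually use.
# Both read the FIRST occurrence of a keyword (case-insensitive). With HOST
# given, only keywords inside the matching "Host" block count.
first_value() {
    awk -v key="$2" -v want="$3" '
        tolower($1) == "host" { cur = $2; next }
        tolower($1) == tolower(key) && (want == "" || cur == want) { print $2; exit }
    ' "$1"
}

# is_yes VALUE: ssh keyword values are case-insensitive
is_yes() { [ "$(printf %s "$1" | tr 'A-Z' 'a-z')" = "yes" ]; }

# check_gssapi SSHD_CONFIG SSH_CONFIG: 0 only if every directive from the post is in effect
check_gssapi() {
    rc=0
    for kw in GSSAPIAuthentication GSSAPICleanupCredentials; do
        v=$(first_value "$1" "$kw")
        is_yes "$v" || { echo "sshd_config: $kw=${v:-unset}, expected yes"; rc=1; }
    done
    for kw in GSSAPIAuthentication GSSAPIDelegateCredentials; do
        v=$(first_value "$2" "$kw" '*')
        is_yes "$v" || { echo "ssh_config Host *: $kw=${v:-unset}, expected yes"; rc=1; }
    done
    return $rc
}

# check_keytab FILE: the host keytab from ipa-getkeytab must exist, be readable
# by its owner only, and start with the MIT keytab v2 magic (bytes 0x05 0x02).
check_keytab() {
    [ -s "$1" ] || { echo "$1: missing or empty"; return 1; }
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ] || { echo "$1: readable by group/other"; return 1; }
    [ "$(od -An -tx1 -N2 "$1" | tr -d ' \n')" = "0502" ] || { echo "$1: not a v2 keytab"; return 1; }
}

# Constructed demo input (not real configs): sshd_config with the two lines
# from the post, ssh_config with them under "Host *", and a keytab header.
tmp=$(mktemp -d)
printf 'GSSAPIAuthentication yes\nGSSAPICleanupCredentials yes\n' > "$tmp/sshd_config"
printf 'Host *\n    GSSAPIAuthentication yes\n    GSSAPIDelegateCredentials yes\n' > "$tmp/ssh_config"
printf '\005\002' > "$tmp/krb5.keytab"; chmod 600 "$tmp/krb5.keytab"
check_gssapi "$tmp/sshd_config" "$tmp/ssh_config" && check_keytab "$tmp/krb5.keytab" && echo "client checks passed"
```
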



On 06/09/2011 02:43 AM, Steven Jones wrote:
Hi,

I am still trying to figure getting ubuntu connected....

So to get a non-rhel client computer into freeipa the first thing I have to do is make a client computer instance in freeipa first? or doesn't it matter? i.e. can a non rhel client only do authentication or can it be acted upon fully as per a rhel client?

Are there certificates for ssl or something that have to be copied over to the client(s)?

I don't have it working yet beyond I can do a kinit and admin and give a password and then do klist etc....

:/

It's proving very painful....

regards

Steven


8><----

Maybe this article could be a good jumping-off point?
http://www.aput.net/~jheiss/krbldap/howto.html

It's pretty old, but seems to bring together many things and overview them well, with enough static examples to give you a feel for what you're getting into.

8><---

thanks, it's helping.

_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com<mailto:Freeipa-users at redhat.com>
https://www.redhat.com/mailman/listinfo/freeipa-users


