[Freeipa-users] Connecting Ubuntu to IPA - one last important step!
Steven Jones
Steven.Jones at vuw.ac.nz
Thu Jun 9 20:46:00 UTC 2011
Hi,
thanks, this should help a lot.
When I sudo to root I can use the ipa password so Im fairly close...
regards
________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Sigbjorn Lie [sigbjorn at nixtra.com]
Sent: Friday, 10 June 2011 5:38 a.m.
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Connecting Ubuntu to IPA - one last important step!
Sorry, forgot one last, very important thing. Use ipa-getkeytab on a IPA server to retrieve the keytab for the host, and copy this to /etc/krb5.keytab on the Ubuntu client.
[root at ipa1 ~]# ipa-getkeytab -s ipa1.ix.test.com -p host/ubuntu-client.ix.test.com -k /tmp/buntuclient_krb5.keytab
If you prefer you can use something like CFengine to automate the whole process.
Rgds,
Siggi.
On 06/09/2011 07:21 PM, Sigbjorn Lie wrote:
Hi,
I've connected and used IPA successfully with Ubuntu 10.04, 10.10, and 11.04. NFS4+KRB successfully in 10.10 and 11.04.
Install the packages below, substitute libpam-ldap for libpam-ldapd if you prefer PADL's ldap liberary which can use groups within groups for user accounts. ldapld can't, however it offers a daemon which connect to a LDAP server, and workaround for such as issues with Thunderbird crashing, etc. I have not been able to get the sssd that comes with Ubuntu to work.
Copy /etc/ipa/ca.crt from the IPA host to /etc/ipa/ca.crt on the Ubuntu host.
Replace /etc/krb5.conf, /etc/ntp.conf, /etc/ldap.conf (make /etc/ldap/ldap.conf a symlink to /etc/ldap.conf), /etc/idmapd.conf (nfs4), /etc/nslcd.conf, /etc/default/autofs, /etc/nsswitch.conf, /etc/default/nfs-common. See attached files for examples.
Add the following to /etc/ssh/sshd_config:
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
And the following to /etc/ssh/ssh_config:
Host *
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
Run this command to make sure ldap+krb has been configured in PAM after the packages has been installed: $ /usr/sbin/pam-auth-update --package --force
This gives you a Ubuntu system configured for IPA with autofs and nfs4+krb5, and ssh krb ticket forwarding. Looking forward to when SSSD comes in version 1.5.x in Ubuntu! :)
I've set the ldap timeouts very low so you might need tweaking for this to work over a WAN/slow link, but it makes the client much more responsive if your first listed IPA/LDAP server becomes unavailable.
Packages:
autofs5 action=install
autofs5-ldap action=install
krb5-user action=install
krb5-clients action=install
nfs-client action=install
nfs4-acl-tools action=install
ldap-auth-config action=install
ldap-utils action=install
#libpam-ldap action=install
libpam-ldapd action=install
libpam-krb5 action=install
libpam-ccreds action=install
libpam-foreground action=install
libnss-ldap action=install
nscd action=install
ntp action=install
Rgds,
Siggi
On 06/09/2011 02:43 AM, Steven Jones wrote:
Hi,
I am still tryig to figure getting ubuntu connected....
So to get a non-rhel client computer into freeipa the first thing I have to do is make a client computer instance in freepia first? or doesnt it matter? ie can a non rhel client only do authentication or can it be acted upon fully as per a rhel client?
Are there certificates for ssl or something that have to be copied over to the client(s)?
I dont have it working yet beyond I can do a kinit and admin and give a password and then do klist etc....
:/
Its proving very painful....
regards
Steven
8><----
Maybe this article could be a good jumping-off point?
http://www.aput.net/~jheiss/krbldap/howto.html
It's pretty old, but seems to bring together many things and overview them well, with enough static examples to give you a feel for what you're getting into.
8><---
thanks, its helping.
_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com<mailto:Freeipa-users at redhat.com>
https://www.redhat.com/mailman/listinfo/freeipa-users
_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com<mailto:Freeipa-users at redhat.com>
https://www.redhat.com/mailman/listinfo/freeipa-users
More information about the Freeipa-users
mailing list