[Freeipa-users] ipa client install

Rob Crittenden rcritten at redhat.com
Thu Mar 24 00:43:24 UTC 2011


Uzor Ide wrote:
> I have manually enrolled and configured the client. I am able to log
> into the client and access nfs4 shares. What I am wondering is if there
> is anything that the client would miss by joining this way. The client
> authenticates to the ipa-server through sssd. I would like to know if
> HBAC and centrally managed SUDO and other policy enforcements will fail
> to work because of the manual enrolment.  Note that the host certificate was
> not generated because of the manual joining.

I guess it depends on how you manually joined, but based on what you can do 
I think you covered the major details.

If you have a host service principal in /etc/krb5.keytab and a correctly 
configured sssd then you are fine for HBAC and nss (users, groups, etc).

SUDO works through nss_ldap so you should be fine there as well.

ipa-client-install doesn't do anything too special; it just makes sure 
the environment is sane and then sets up sssd.conf, krb5.conf, fetches a 
host service principal and uses certmonger to get an SSL server cert. 
This last step is done as a convenience; it otherwise isn't used by IPA. 
But if you wanted to set up an HTTP server that uses the same PKI as IPA 
you'd have a certificate and key available.

cheers

rob

>
> Thanks
>
>
> On Tue, Mar 22, 2011 at 12:25 PM, Dmitri Pal <dpal at redhat.com
> <mailto:dpal at redhat.com>> wrote:
>
>     On 03/22/2011 10:34 AM, ide4you at gmail.com <mailto:ide4you at gmail.com>
>     wrote:
>      > Thanks Rob,
>      >
>      > However the client is a fedora 13 box.
>      > There is no client rpm for fedora 13
>
>     We do not build F13 any more as the packages and functionality they
>     provide deviated so far between F14-F15 and F13.
>
>      > ------Original Message------
>      > From: Rob Crittenden
>      > To: Uzor Ide
>      > Cc: freeipa-users at redhat.com <mailto:freeipa-users at redhat.com>
>      > Subject: Re: [Freeipa-users] ipa client install
>      > Sent: Mar 22, 2011 9:44 AM
>      >
>      > Uzor Ide wrote:
>      >> Hi
>      >>
>      >> Is there a requirement for the same version of client as the server?
>      >> I've just installed freeipa server version 2.0 rc3. While on the
>     client
>      >> side, I have a previously installed client version 2.0 beta1. It
>     would
>      >> not join the realm. I had run the client install script to
>     remove the
>      >> client from another 2.0 beta1 server.
>      >> But when I try to run against the new server, to join the server
>     version
>      >> 2.0 rc3 realm, the discovery goes on smoothly after which I get the
>      >> following
>      >>
>      >>
>      >> Continue to configure the system with these values? [no]: yes
>      >>
>      >> Joining realm failed: Operation failed! unsupported extended
>     operation
>      >> child exited with 9
>      >> Certificate subject base is: o=uzdomainco
>      >>
>      >> The client's kerberos keytab is not updated and none of the config
>     files
>      >> are updated.
>      >> However when you use the command ipa host-find on the server the
>     host is
>      >> listed.
>      >>
>      >> Any ideas what the issue would be?
>      >>
>      >> thanks
>      >>
>      >> ide
>      > A change was made in 2.0rc2 in the release that made pre rc2 clients
>      > unable to join rc2 and beyond servers. We changed the LDAP extended
>      > operation OID used for doing online enrollment and retrieving keytabs
>      > which is why the older clients now fail (we had inadvertently
>     used them
>      > in more than one place).
>      >
>      > You should be able to just upgrade the client rpm and enrollment
>     will work.
>      >
>      > rob
>      >
>      > Sent on the TELUS Mobility network with BlackBerry
>      >
>      > _______________________________________________
>      > Freeipa-users mailing list
>      > Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
>      > https://www.redhat.com/mailman/listinfo/freeipa-users
>      >
>      >
>
>
>     --
>     Thank you,
>     Dmitri Pal
>
>     Sr. Engineering Manager IPA project,
>     Red Hat Inc.
>
>
>
>
>
>
>
>
>
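The two things Rob's reply hinges on for a hand-enrolled client are a host principal in /etc/krb5.keytab and an sssd.conf that is "correctly configured". The script below is an added example (not from the thread, not FreeIPA's own tooling) that checks both against sample data constructed inline so it runs offline; on a real client you would feed it the output of `klist -kt /etc/krb5.keytab` (MIT Kerberos output format assumed) and the contents of /etc/sssd/sssd.conf. It goes one step past the thread on the HBAC point: sssd only evaluates IPA HBAC rules when the domain section uses `access_provider = ipa`, so the sample sssd.conf deliberately carries `access_provider = permit` to show the check flagging a client that authenticates fine but enforces no HBAC. The hostname, realm and server names are made up.

```shell
#!/bin/sh
# Added example: sanity checks for a manually enrolled FreeIPA client.
# Sample inputs are constructed; on a real host use
#   KEYTAB_LISTING=$(klist -kt /etc/krb5.keytab)
#   SSSD_CONF=$(cat /etc/sssd/sssd.conf)

# Constructed sample: what `klist -kt /etc/krb5.keytab` prints for a host keytab
SAMPLE_KEYTAB_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 03/23/2011 10:11:12 host/client.example.test@EXAMPLE.TEST
   1 03/23/2011 10:11:12 host/client.example.test@EXAMPLE.TEST'

# Constructed sample sssd.conf for a client that was set up by hand.
# access_provider = permit means every user passes PAM access control,
# i.e. HBAC rules from the IPA server are never consulted.
SAMPLE_SSSD_CONF='[sssd]
domains = example.test
services = nss, pam

[domain/example.test]
id_provider = ipa
auth_provider = ipa
chpass_provider = ipa
access_provider = permit
ipa_server = ipa.example.test
ipa_domain = example.test
ipa_hostname = client.example.test
krb5_realm = EXAMPLE.TEST'

# has_host_principal LISTING FQDN REALM
# Returns 0 if host/FQDN@REALM appears in the keytab listing.
has_host_principal() {
    printf '%s\n' "$1" | grep -q "[[:space:]]host/$2@$3\$"
}

# sssd_option CONF SECTION KEY
# Prints the value of KEY inside [SECTION]; returns 1 if absent.
sssd_option() {
    printf '%s\n' "$1" | awk -v sect="[$2]" -v key="$3" '
        $0 == sect { in_sect = 1; next }
        /^\[/      { in_sect = 0 }
        in_sect && $1 == key && $2 == "=" { print $3; found = 1; exit }
        END { exit !found }'
}

# hbac_enforced CONF DOMAIN
# Returns 0 only if sssd will evaluate IPA HBAC rules for this domain.
hbac_enforced() {
    [ "$(sssd_option "$1" "domain/$2" access_provider)" = ipa ]
}

# check_client LISTING CONF FQDN DOMAIN REALM
# Prints one PASS/FAIL line per check; returns 1 if any check failed.
check_client() {
    rc=0
    if has_host_principal "$1" "$3" "$5"; then
        echo "PASS host principal host/$3@$5 present in keytab"
    else
        echo "FAIL no host/$3@$5 in keytab (manual ipa-getkeytab needed)"; rc=1
    fi
    if [ "$(sssd_option "$2" "domain/$4" id_provider)" = ipa ]; then
        echo "PASS sssd id_provider = ipa (nss users/groups via IPA)"
    else
        echo "FAIL sssd id_provider is not ipa"; rc=1
    fi
    if hbac_enforced "$2" "$4"; then
        echo "PASS sssd access_provider = ipa (HBAC rules enforced)"
    else
        echo "FAIL sssd access_provider is not ipa: HBAC rules are NOT enforced"; rc=1
    fi
    return $rc
}

# Run against the constructed samples (exits non-zero because of the permit provider)
check_client "$SAMPLE_KEYTAB_LISTING" "$SAMPLE_SSSD_CONF" \
    client.example.test example.test EXAMPLE.TEST
```

The keytab check passing while the HBAC check fails is exactly the situation a manual enrolment can leave you in: Kerberos and nss work, so the host looks healthy, yet PAM access control is wide open until `access_provider = permit` is changed to `ipa` and sssd is restarted.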
