[Freeipa-users] ipa client install
Rob Crittenden
rcritten at redhat.com
Thu Mar 24 00:43:24 UTC 2011
Uzor Ide wrote:
> I have manually enrolled and configured the client. I am able to log
> into the client and access nfs4 shares. What I am wondering is if there
> is anything that the client would miss by joining this way. The client
> authenticates to the ipa-server through sssd. I would like to know if
> HBAC and centrally managed SUDO and other policy enforcements will fail
> to work because of the manual enrolment. Note that the host certificate was
> not generated because of the manual joining.
I guess it depends on how you manually joined, but based on what you can do
I think you covered the major details.
If you have a host service principal in /etc/krb5.keytab and a correctly
configured sssd then you are fine for HBAC and nss (users, groups, etc).
SUDO works through nss_ldap so you should be fine there as well.
ipa-client-install doesn't do anything too special; it just makes sure
the environment is sane and then sets up sssd.conf and krb5.conf, fetches a
host service principal and uses certmonger to get an SSL server cert.
This last step is done as a convenience; it otherwise isn't used by IPA.
But if you wanted to set up an HTTP server that uses the same PKI as IPA
you'd have a certificate and key available.
cheers
rob
>
> Thanks
>
>
> On Tue, Mar 22, 2011 at 12:25 PM, Dmitri Pal <dpal at redhat.com> wrote:
>
> On 03/22/2011 10:34 AM, ide4you at gmail.com wrote:
> > Thanks Rob,
> >
> > However the client is a fedora 13 box.
> > There is no client rpm for fedora 13
>
> We do not build F13 any more as the packages and functionality they
> provide deviated so far between F14-F15 and F13.
>
> > ------Original Message------
> > From: Rob Crittenden
> > To: Uzor Ide
> > Cc: freeipa-users at redhat.com
> > Subject: Re: [Freeipa-users] ipa client install
> > Sent: Mar 22, 2011 9:44 AM
> >
> > Uzor Ide wrote:
> >> Hi
> >>
> >> Is there a requirement for the same version of client as the server?
> >> I've just installed freeipa server version 2.0 rc3. While on the client
> >> side, I have a previously installed client version 2.0 beta1. It would
> >> not join the realm. I had run the client install script to remove the
> >> client from another 2.0 beta1 server.
> >> But when I try to run against the new server, to join the server version
> >> 2.0 rc3 realm, the discovery goes on smoothly after which I get the
> >> following
> >>
> >>
> >> Continue to configure the system with these values? [no]: yes
> >>
> >> Joining realm failed: Operation failed! unsupported extended operation
> >> child exited with 9
> >> Certificate subject base is: o=uzdomainco
> >>
> >> The client's kerberos keytab is not updated and none of the config files
> >> are updated.
> >> However when you use the command ipa host-find on the server the host is
> >> listed.
> >>
> >> Any ideas what the issue would be?
> >>
> >> thanks
> >>
> >> ide
> > A change was made in 2.0rc2 in the release that made pre rc2 clients
> > unable to join rc2 and beyond servers. We changed the LDAP extended
> > operation OID used for doing online enrollment and retrieving keytabs
> > which is why the older clients now fail (we had inadvertently used them
> > in more than one place).
> >
> > You should be able to just upgrade the client rpm and enrollment will work.
> >
> > rob
> >
> > _______________________________________________
> > Freeipa-users mailing list
> > Freeipa-users at redhat.com
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> >
> >
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IPA project,
> Red Hat Inc.
>
>
>
>
>
>
>
>
>
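As an added example (not code from this thread or from FreeIPA itself), a small POSIX sh checker for the three pieces Rob lists, so a manually enrolled client can be verified against the same checklist: a host/ principal in `klist -kt /etc/krb5.keytab`, an sssd.conf domain with `id_provider = ipa`, and a certmonger request in MONITORING state in `getcert list`. The check functions take tool output as text so they can be run against captured output; the `--live` flag and the check labels are this script's own, and the certificate check is reported as optional because, as Rob says, IPA itself does not use it.

```shell
#!/bin/sh
# Added example, not from the thread: sanity checks for a manually enrolled
# FreeIPA client, covering what Rob lists: a host/ principal in
# /etc/krb5.keytab, an sssd.conf domain with id_provider = ipa, and the
# optional certmonger-tracked host certificate. Each check takes its input as
# text so it can be run against captured output; `--live` runs the real tools.

# has_host_principal KLIST_OUTPUT FQDN: 0 if `klist -kt` lists host/FQDN@REALM.
has_host_principal() {
    printf '%s\n' "$1" | grep -qF "host/$2@"
}

# sssd_uses_ipa SSSD_CONF_TEXT: 0 if some [domain/...] section sets id_provider = ipa.
sssd_uses_ipa() {
    printf '%s\n' "$1" | awk '
        /^\[domain\// { in_dom = 1; next }
        /^\[/         { in_dom = 0 }
        in_dom { line = $0; gsub(/[ \t]/, "", line)
                 if (line == "id_provider=ipa") found = 1 }
        END { exit(found ? 0 : 1) }'
}

# cert_tracked GETCERT_OUTPUT: 0 if `getcert list` shows a request being monitored.
cert_tracked() {
    printf '%s\n' "$1" | grep -q 'status: MONITORING'
}

# report LABEL STATUS MANDATORY(yes/no): print one result line, flag hard failures.
report() {
    if [ "$2" -eq 0 ]; then echo "ok      $1"
    elif [ "$3" = yes ]; then echo "MISSING $1"; fail=1
    else echo "absent  $1 (optional: only matters if another service uses the host cert)"
    fi
}

# run_live: query the local system with the real tools (needs root for the keytab).
run_live() {
    fqdn=$(hostname -f); fail=0
    has_host_principal "$(klist -kt /etc/krb5.keytab 2>/dev/null)" "$fqdn"
    report "host/$fqdn entry in /etc/krb5.keytab" $? yes
    sssd_uses_ipa "$(cat /etc/sssd/sssd.conf 2>/dev/null)"
    report "sssd.conf domain with id_provider = ipa" $? yes
    cert_tracked "$(getcert list 2>/dev/null)"
    report "certmonger tracking a host certificate" $? no
    return $fail
}

case "${1:-}" in --live) run_live ;; esac
```

Run it as `sh check-ipa-client.sh --live` on the client; a non-zero exit means one of the two mandatory pieces (keytab entry or sssd ipa provider) is missing.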