[Freeipa-users] IPA Client join

Roland Kaeser roland.kaeser at intersoft-networks.ch
Thu Mar 31 09:30:23 UTC 2011


Hello 


I am just trying to add Scientific Linux 6 (RHEL 6) to FreeIPA. Sorry to say it, but after reading a lot of the documentation I found that most of it is obsolete or just wrong. For example:
in http://freeipa.org/docs/2.0.0/Client_Setup_Guide/en-US/html/#chap-Client_Configuration_Guide-Configuring_Fedora_as_an_IPA_Client
the command ipa-addservice is nowhere available.


Currently I am trying to get a keytab file for the afs service, made via the web interface, using:


ipa-getkeytab -s freeipa.[domain] -p afs/afs.[domain]@[REALM] -k /tmp/afs.keytab 
all I get is: Operation failed! unsupported extended operation 
Note: Replaced the original domain and realm with placeholders. 


The client is: ipa-client-2.0-9.el6.i686 
The server is: freeipa-server-2.0.0.rc3-0.fc14.i686 


First, I had to make the Kerberos principal key for the host and the afs service by hand on the command line. Why?
Second, why can I not get this key out of the web interface to add it to the afs service? I can only see the option to delete this key in the services section. ipa-getkeytab also fails (see above).
Third: The documentation contains no section on adding a RHEL6/SL client to FreeIPA. Why?
Fourth: The default principal set for kadmin is wrong; it's set to admin/admin@REALM instead of admin@REALM (seems to be wrong on all Kerberos implementations).
Fifth: Running ipa-client-install works only with the 
_ldap._tcp.[Domain] SRV 10 10 389 [server] 

_kerberos._tcp.[Domain] SRV 0 0 88 [server] 
in the DNS zone.
The information in http://freeipa.org/page/DNS_Location_Discovery is completely wrong. The entries for _ldap and _kerberos are not related to _network, which does not even exist in bind9; they are related to a domain/zone.
Sixth: the ipa-client install doesn't generate a keytab file for the host principal and does not extract the CA cert from the IPA server for the LDAP communication with the server.


It all looks really confusing to me.
So what are the correct steps to add a FreeIPA 2.0 client and a service such as nfs/afs/smb etc. to a FreeIPA 2.0 server on Fedora 14?



Regards 


Roland 





------------------------------------------------------------------------------------------------------------------------------ 
Those who give up their freedom in favor of security
will end up having neither, and do not deserve it either.
(Benjamin Franklin)
------------------------------------------------------------------------------------------------------------------------------ 