[Freeipa-users] IPA Client join

Rob Crittenden rcritten at redhat.com
Thu Mar 31 13:14:48 UTC 2011


Roland Kaeser wrote:
> Hello
>
> Just trying to add Scientific Linux 6 (RHEL 6) into the freeipa. Sorry to
> say that but after reading a lot of the documentation I found that
> most of it is obsolete or just wrong. For example, in
> http://freeipa.org/docs/2.0.0/Client_Setup_Guide/en-US/html/#chap-Client_Configuration_Guide-Configuring_Fedora_as_an_IPA_Client
> the command ipa-addservice is nowhere available.

You want to use this guide:
http://obriend.fedorapeople.org/freeIPA2.0/Identity_and_Policy_Management_Guide/html-single/

I've removed references to the older documentation.

The command you want is ipa service-add afs/...

>
> Currently I try to get a keytab file for the afs service made via web
> interface using:
>
> ipa-getkeytab -s freeipa.[domain] -p afs/afs.[domain]@[REALM] -k /tmp/afs.keytab
> all I get is: Operation failed! unsupported extended operation
> Note: Replaced the original domain and realm with placeholders.
>
> The client is: ipa-client-2.0-9.el6.i686
> The server is: freeipa-server-2.0.0.rc3-0.fc14.i686

In rc2 we had to make a change to the OID used for some operations 
because they were duplicated. The OID for the ipa-getkeytab operation 
was one of them, so older clients don't work with newer servers. IIRC 
the EL6 ipa-client was based on the alpha 3 release.

I attached a patch that gives the general idea of what needs to change. 
It was originally for the EL 5 branch but it may work with few changes 
in EL6.

> First, I had to make the kerberos principal key for host and afs-service
> by hand on the command line. Why?

I'm not sure what you mean given the next question.

> Second why can I not get this key out of the web interface to add it to
> the afs service? I can only see the option to delete this key in the
> section services. The ipa-getkeytab also fails (see above)

The only way to retrieve a keytab currently is with the ipa-getkeytab 
command.

> Third: The documentation contains no section to add a RHEL6/SL client to
> free ipa. Why?

Old documentation.

> Fourth: The default principal set to kadmin is wrong, it's set to
> admin/admin@REALM instead of admin@REALM (seems to be wrong on all
> kerberos implementations)

admin is a user we create.

> Fifth: Running ipa-client-install works only with the
> _ldap._tcp.[Domain] SRV 10 10 389 [server]
> _kerberos._tcp.[Domain] SRV 0 0 88 [server]
> in the dns zone.

You should be able to provide the server name to the ipa-client-install 
script.

> The information in: http://freeipa.org/page/DNS_Location_Discovery
> is completely wrong.
> The entries for _ldap and _kerberos are not related to _network, which
> does not even exist in bind9; they are related to a domain/zone.

This is just a draft design document.

> Sixth: the ipa-client install doesn't generate a keytab file for the
> host principal and does not extract the ca cert from the ipa server for
> the ldap communication with the server.

Did the installation complete successfully? From everything you've said 
up to now it sounds like ipa-client-install has been failing in one way 
or another. If it succeeds you'll end up with a host service principal 
in /etc/krb5.keytab.

> Looks all really confusing to me.
> So what's the correct steps to add a freeipa 2.0 client and a service
> such as nfs/afs/smb etc. to a freeipa 2.0 server on Fedora 14?

(you need the freeipa-python, freeipa-admintools and freeipa-client pkgs 
for this)

# ipa-client-install
# kinit admin
# ipa service-add afs/client.example.com
# ipa-getkeytab -s ipa.example.com -k /etc/krb5.keytab -p afs/client.example.com@EXAMPLE.COM

Also note that the 2.0 GA release is not available on Fedora 14. It 
lacks certified dogtag 9 packages. They are available from our 
development repo but you'd be unlikely to get support on those. We 
realize that Fedora 15 isn't quite ready yet but it was always our 
release target for IPA v2.

regards

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipa-client-oid.patch
Type: application/mbox
Size: 1138 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20110331/9963aee0/attachment.mbox>
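An added example, not code from this thread or from the FreeIPA project, wrapping the four-step join sequence Rob gives with the two checks that the thread shows are worth making: that the SRV records ipa-client-install discovers the server through actually resolve (Roland's fifth point), and that the host or service principal really ends up in /etc/krb5.keytab after ipa-getkeytab (Rob's answer to the sixth point). The server ipa.example.com, domain example.com, realm EXAMPLE.COM and client client.example.com are assumed names; the dig and klist outputs in the block are constructed so the checks run offline.

```shell
#!/bin/sh
# Added example, not code from the thread or the FreeIPA project: helpers
# around the client-join sequence in Rob's reply, plus the two checks a
# practitioner wants around it: that the SRV records ipa-client-install
# relies on resolve to a server, and that the expected principal really
# landed in /etc/krb5.keytab afterwards.
# Assumed names: server ipa.example.com, domain example.com, realm EXAMPLE.COM.

# Derive the Kerberos realm from the DNS domain (the IPA convention is the
# domain in upper case).
realm_from_domain() {
    printf '%s' "$1" | tr '[:lower:]' '[:upper:]'
}

# Build a service principal: service_principal afs client.example.com example.com
# -> afs/client.example.com@EXAMPLE.COM
service_principal() {
    printf '%s/%s@%s' "$1" "$2" "$(realm_from_domain "$3")"
}

# Pick the lowest-priority target from `dig +short SRV _ldap._tcp.<domain>`
# output (lines of "priority weight port target."); print "target port",
# return 1 when no record was found, which is the situation Roland hit.
srv_best_target() {
    printf '%s\n' "$1" | awk '
        NF == 4 {
            sub(/\.$/, "", $4)
            if (best == "" || $1 + 0 < bestprio + 0) { bestprio = $1; best = $4 " " $3 }
        }
        END { if (best == "") exit 1; print best }'
}

# Return 0 when `klist -kt <keytab>` output lists the given principal
# (the principal is the last field of each entry line).
keytab_has_principal() {
    printf '%s\n' "$2" | awk -v p="$1" '$NF == p { found = 1 } END { exit found ? 0 : 1 }'
}

# The join sequence from the reply, with the server given explicitly so the
# SRV lookup is not the only option. Only meaningful on a host with the
# ipa-client and ipa-admintools packages installed.
join_and_fetch_keytab() {
    server=$1; domain=$2; client=$3; svc=$4
    princ=$(service_principal "$svc" "$client" "$domain")
    ipa-client-install --server "$server" --domain "$domain" || return 1
    kinit admin || return 1
    ipa service-add "$princ" || return 1
    ipa-getkeytab -s "$server" -p "$princ" -k /etc/krb5.keytab || return 1
    keytab_has_principal "$princ" "$(klist -kt /etc/krb5.keytab)"
}

# Constructed sample outputs, so the checks can be exercised offline.
SAMPLE_SRV='10 10 389 ipa.example.com.
0 0 389 ipa2.example.com.'
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 03/31/11 13:14:48 host/client.example.com@EXAMPLE.COM'

if [ "$1" = "--join" ]; then
    join_and_fetch_keytab ipa.example.com example.com client.example.com afs
else
    srv_best_target "$SAMPLE_SRV"
    keytab_has_principal "$(service_principal host client.example.com example.com)" "$SAMPLE_KLIST" \
        && echo "host principal present in keytab"
fi
```

Run it with no arguments to exercise the checks against the constructed samples; pass `--join` on an actual client host to run the real sequence. In practice, `srv_best_target "$(dig +short SRV _ldap._tcp.example.com)"` before the install tells you whether the zone has the records Roland was missing, and `keytab_has_principal` over `klist -kt /etc/krb5.keytab` afterwards confirms the install got as far as Rob describes.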

