[Freeipa-users] manual client join
Rob Crittenden
rcritten at redhat.com
Wed Nov 30 20:04:26 UTC 2011
Stephen Ingram wrote:
> Looking at section 3.1 of the documentation I see the process for what
> happens during a client setup. In cases where there is no ipa-client
> support, this is likely the best option. Is there any more specific
> documentation that details the exact procedure (i.e. how to import the
> CA certificate, obtain services principals) of what happens during the
> ipa-join process? I seem to remember this from version 1 and even
> earlier versions of 2.x, but I can't find anywhere now.
Retrieve the CA certificate for the FreeIPA CA.
# wget -O /etc/ipa/ca.crt http://ipa.example.com/ipa/config/ca.crt
Create a separate Kerberos configuration to test the provided
credentials. This enables a Kerberos connection to the FreeIPA XML-RPC
server, necessary to join the FreeIPA client to the FreeIPA domain. This
Kerberos configuration is ultimately discarded.
- Basically just copy a working krb5.conf to /etc/krb5.conf and set up
sssd or nss_ldap as documented.
# kinit admin
# ipa-join -s ipa.example.com -b dc=example,dc=com
Or if using a one-time password you can skip the kinit and do
# ipa-join -s ipa.example.com -b dc=example,dc=com -w Secret123
ipa-join lets IPA know a host is enrolled and retrieves a host principal
and stores it into /etc/krb5.keytab.
Enable certmonger, retrieve an SSL server certificate, and install the
certificate in /etc/pki/nssdb.
# service messagebus start
# service certmonger start
# certutil -A -d /etc/pki/nssdb -n 'IPA CA' -t CT,C,C -a -i /etc/ipa/ca.crt
# ipa-getcert request -d /etc/pki/nssdb -n 'IPA Machine Certificate - client.example.com' -N 'cn=client.example.com,O=EXAMPLE.COM' -K host/client.example.com@EXAMPLE.COM
Disable the nscd daemon.
# service nscd stop
# chkconfig nscd off
rob
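Added example, not part of Rob's reply or of FreeIPA's own tooling: a small POSIX sh wrapper around the manual join above that adds two checks the procedure as posted does not have. The CA certificate is fetched over plain HTTP, so the script refuses to load it into the NSS database unless its SHA-256 fingerprint matches a value obtained out of band (for instance on the IPA server with `openssl x509 -in /etc/ipa/ca.crt -noout -fingerprint -sha256`), and after `ipa-join` it confirms that the host principal actually landed in `/etc/krb5.keytab` before you go on to certmonger. It assumes the thread's names (ipa.example.com, client.example.com, realm EXAMPLE.COM), that `hostname -f` returns the client's FQDN, and that awk, base64 and sha256sum from coreutils are available; the fixture used by `selfcheck` is constructed and is not a real certificate.

```shell
#!/bin/sh
# Added example (not from the original post).  Assumes ipa.example.com,
# client.example.com and realm EXAMPLE.COM as in the thread, and that the
# expected SHA-256 fingerprint of the IPA CA was obtained out of band.

# SHA-256 fingerprint of the first certificate in a PEM file: strip the
# armor, base64-decode to DER, hash the DER.  Prints lowercase hex, no
# colons.  Returns 1 if the file contains no certificate body at all.
pem_sha256_fingerprint() {
    body=$(awk '/-----BEGIN CERTIFICATE-----/ { f = 1; next }
                /-----END CERTIFICATE-----/   { exit }
                f' "$1" | tr -d '\r\n')
    [ -n "$body" ] || return 1
    printf '%s' "$body" | base64 -d 2>/dev/null | sha256sum | cut -d' ' -f1
}

# Compare a PEM file against an expected fingerprint.  Accepts the
# colon-separated upper-case form openssl prints as well as bare hex.
verify_ca_fingerprint() {
    expected=$(printf '%s' "$2" | tr -d ':' | tr 'A-F' 'a-f')
    actual=$(pem_sha256_fingerprint "$1") || return 1
    [ "$actual" = "$expected" ]
}

# Read `klist -k` output on stdin; succeed only if some entry's principal
# column is exactly $1.  Entry lines begin with a numeric KVNO, the header
# lines ("Keytab name:", "KVNO Principal", dashes) do not.
keytab_lists_principal() {
    awk -v p="$1" '$1 ~ /^[0-9]+$/ && $2 == p { found = 1 }
                   END { exit found ? 0 : 1 }'
}

# Offline self-check on a constructed fixture: the "certificate" body is the
# base64 of "abc", so the fingerprint must equal SHA-256("abc").  This is
# NOT a real certificate; it only exercises the parsing and hashing.
selfcheck() {
    tmp=$(mktemp) || return 1
    printf -- '-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n' > "$tmp"
    if verify_ca_fingerprint "$tmp" \
        'BA:78:16:BF:8F:01:CF:EA:41:41:40:DE:5D:AE:22:23:B0:03:61:A3:96:17:7A:9C:B4:10:FF:61:F2:00:15:AD'
    then rc=0; else rc=1; fi
    rm -f "$tmp"
    [ "$rc" -eq 0 ] || return 1
    # Constructed klist -k output with the same layout as the real tool.
    printf 'Keytab name: FILE:/etc/krb5.keytab\nKVNO Principal\n---- ----\n   2 host/client.example.com@EXAMPLE.COM\n' \
        | keytab_lists_principal 'host/client.example.com@EXAMPLE.COM'
}

# The join itself: run as root on the client with the expected fingerprint
# as the argument.  Fails closed if the CA cert does not match, and stops
# before certmonger if ipa-join left no host key in the keytab.
manual_join() {
    wget -q -O /etc/ipa/ca.crt http://ipa.example.com/ipa/config/ca.crt || return 1
    if ! verify_ca_fingerprint /etc/ipa/ca.crt "$1"; then
        echo "CA fingerprint mismatch: not trusting /etc/ipa/ca.crt" >&2
        rm -f /etc/ipa/ca.crt
        return 1
    fi
    certutil -A -d /etc/pki/nssdb -n 'IPA CA' -t CT,C,C -a -i /etc/ipa/ca.crt || return 1
    ipa-join -s ipa.example.com -b dc=example,dc=com || return 1
    principal="host/$(hostname -f)@EXAMPLE.COM"   # assumes hostname -f gives the FQDN
    if ! klist -k /etc/krb5.keytab | keytab_lists_principal "$principal"; then
        echo "$principal is not in /etc/krb5.keytab after ipa-join" >&2
        return 1
    fi
}

case "${1:-}" in
    --join) manual_join "$2" ;;
    *)      selfcheck && echo "self-check passed" ;;
esac
```

Run it with no arguments to exercise the parsing on the constructed fixture; run `sh join.sh --join 'BA:78:...'` as root on the client, with the real fingerprint from the server, to perform the guarded join. The one-time-password variant from the thread (`ipa-join ... -w Secret123`) drops in unchanged in place of the `ipa-join` line.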