[Freeipa-users] manual client join

Rob Crittenden rcritten at redhat.com
Wed Nov 30 20:59:35 UTC 2011


Stephen Ingram wrote:
> Rob-
>
> On Wed, Nov 30, 2011 at 12:04 PM, Rob Crittenden<rcritten at redhat.com>  wrote:
>> Retrieve the CA certificate for the FreeIPA CA.
>>
>> # wget -O /etc/ipa/ca.crt http://ipa.example.com/ipa/config/ca.crt
>>
>> Create a separate Kerberos configuration to test the provided credentials.
>> This enables a Kerberos connection to the FreeIPA XML-RPC server, necessary
>> to join the FreeIPA client to the FreeIPA domain. This Kerberos
>> configuration is ultimately discarded.
>>
>> - Basically just copy a working krb5.conf to /etc/krb5.conf and set up sssd
>> or nss_ldap as documented.
>>
>> # kinit admin
>> # ipa-join -s ipa.example.com -b dc=example,dc=com
>>
>> Or if using a one-time password you can skip the kinit and do
>>
>> # ipa-join -s ipa.example.com -b dc=example,dc=com -w Secret123
>>
>> ipa-join lets IPA know a host is enrolled and retrieves a host principal and
>> stores it into /etc/krb5.keytab.
>>
>> Enable certmonger, retrieve an SSL server certificate, and install the
>> certificate in /etc/pki/nssdb.
>>
>> # service messagebus start
>> # service certmonger start
>> # certutil -A -d /etc/pki/nssdb -n 'IPA CA' -t CT,C,C -a -i /etc/ipa/ca.crt
>> # ipa-getcert request -d /etc/pki/nssdb -n 'IPA Machine Certificate - client.example.com' -N 'cn=client.example.com,O=EXAMPLE.COM' -K host/client.example.com@EXAMPLE.COM
>>
>> Disable the nscd daemon.
>>
>> # service nscd stop
>> # chkconfig nscd off
>
> Thanks, but aren't some of these steps assuming that ipa-client has
> been installed on the system? For instance, instead of "# ipa-join -s
> ipa.example.com -b dc=example,dc=com -w Secret123", can't I instead
> use kadmin to retrieve the keytab and then securely copy it over to
> the client system? And, in the case of the ca.crt, if IPA
> itself is not installed, the ca would not go to /etc/ipa/ca.crt, no? I
> realize that I will lose functionality by not having ipa-client, but
> just trying to build a case for supporting legacy systems that I would
> never want to take the time to adapt ipa-client for.
>
> Steve

The only part assuming that is ipa-join itself. IPA does not support the 
direct use of kadmin or kadmin.local. On a supported platform you'd run:

# ipa-getkeytab -s ipa.example.com -k /tmp/remote.keytab -p host/remote.example.com

Then ship /tmp/remote.keytab to the machine and either use ktutil to 
combine it with /etc/krb5.keytab or replace krb5.keytab with it (and fix 
owner and permissions, and potentially SELinux context).

certmonger gets its IPA configuration from /etc/ipa/default.conf. If you 
don't want or have certmonger then you can skip the CA bit altogether. 
Otherwise you'll need to copy in a working config.

rob
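Before a shipped keytab replaces /etc/krb5.keytab on the legacy client, it is worth confirming that the file actually carries the expected host principal and has the owner and mode the reply above asks for. The following is an added example, not code from this thread or from FreeIPA: it reads the MIT keytab binary format (version 0x0502) directly, so it runs on a box that has neither klist nor ipa-client, and then audits the file's permissions. The sample keytab bytes, the zero-filled dummy keys, the deleted slot, and the helper names are constructed for this example; the principal name is the one from the reply.

```python
import os
import stat
import struct
import tempfile

# MIT keytab file format, version 2 (magic 0x0502). All integers are big-endian.
KEYTAB_MAGIC = b"\x05\x02"
KRB5_NT_PRINCIPAL = 1
AES256, AES128 = 18, 17          # enctype numbers for aes256-cts / aes128-cts
PRINCIPAL = "host/remote.example.com@EXAMPLE.COM"   # principal used in the thread


def _counted(buf, off):
    """Read a counted_octet_string (uint16 length followed by bytes) at buf[off]."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n], off + n


def parse_keytab(data):
    """Return [(principal, kvno, enctype), ...] for every live entry in a keytab."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version 0x0502 keytab")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:              # negative size marks a deleted slot: skip the hole
            off += -size
            continue
        if size == 0:             # defensive: nothing left to read
            break
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp.decode())
        off += 4 + 4              # name_type, timestamp: not needed for the audit
        kvno = data[off]          # 8-bit key version
        off += 1
        (enctype,) = struct.unpack_from(">H", data, off)
        off += 2
        _key, off = _counted(data, off)   # key material is read past, never printed
        if end - off >= 4:        # optional 32-bit kvno overrides the 8-bit one when set
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                kvno = vno32
        off = end
        entries.append(("/".join(comps) + "@" + realm.decode(), kvno, enctype))
    return entries


def _counted_bytes(b):
    return struct.pack(">H", len(b)) + b


def build_entry(principal, kvno, enctype, key, timestamp=0):
    """Serialize one keytab entry; used here only to construct sample data."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _counted_bytes(realm.encode())
    for comp in comps:
        body += _counted_bytes(comp.encode())
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF)
    body += struct.pack(">H", enctype) + _counted_bytes(key)
    body += struct.pack(">I", kvno)   # 32-bit kvno
    return struct.pack(">i", len(body)) + body


# Constructed sample keytab: two live entries with all-zero dummy keys, separated
# by a deleted slot of the kind ktutil leaves behind after a "delent".
SAMPLE_KEYTAB = (
    KEYTAB_MAGIC
    + build_entry(PRINCIPAL, 3, AES256, bytes(32))
    + struct.pack(">i", -12) + bytes(12)
    + build_entry(PRINCIPAL, 3, AES128, bytes(16))
)


def audit_keytab(path, expected_principal, expected_uid=0):
    """Return a list of problems; an empty list means the keytab is ready to install."""
    problems = []
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:
        problems.append("mode %04o grants group/other access; expected 0600" % mode)
    if st.st_uid != expected_uid:
        problems.append("owner uid %d, expected %d" % (st.st_uid, expected_uid))
    with open(path, "rb") as f:
        found = sorted({p for p, _, _ in parse_keytab(f.read())})
    if expected_principal not in found:
        problems.append("principal %s missing; found %s" % (expected_principal, found))
    return problems


def demo():
    """Audit a correctly installed copy and a badly installed copy of the sample."""
    results = []
    for mode, principal in ((0o600, PRINCIPAL), (0o644, "host/other.example.com@EXAMPLE.COM")):
        fd, path = tempfile.mkstemp(suffix=".keytab")
        try:
            os.write(fd, SAMPLE_KEYTAB)
            os.close(fd)
            os.chmod(path, mode)
            # expected_uid=os.getuid() lets the demo run unprivileged; on a real client use 0
            results.append(audit_keytab(path, principal, expected_uid=os.getuid()))
        finally:
            os.unlink(path)
    return results


if __name__ == "__main__":
    for principal, kvno, enctype in parse_keytab(SAMPLE_KEYTAB):
        print("%s kvno=%d enctype=%d" % (principal, kvno, enctype))
    for problems in demo():
        print(problems or "OK")
```

On the real client, run `audit_keytab("/etc/krb5.keytab", "host/remote.example.com@EXAMPLE.COM")` after the ktutil merge or copy; the SELinux context the reply mentions is not something this script checks, so `restorecon` on the file remains a separate step.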
