[Freeipa-users] Manually installed IPA clients fail to run 'ipa user-find', 'ipa host-find', etc.

hshhs caca cao2dan at yahoo.com
Thu Apr 26 22:51:56 UTC 2012


Hi folks,

I'm pretty new to FreeIPA, and here is a FreeIPA installation problem I encountered in my work. For company policy reasons we cannot use ipa-client-install on Linux clients; instead the manual installation method is in use and most of the FreeIPA client config files are pushed out with cfengine. The problem details/steps are listed below:

1, following the steps at http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/linux-manual.html, we registered all clients in the IPA master, created the keytab files for all clients and downloaded them into subversion, then used 'ipa-client-install' on one client and saved its config files into subversion too.

2, when a new Linux node is deployed, we deploy the files below onto the node: /etc/{krb5.conf,krb5.keytab,nsswitch.conf}, /etc/sssd/sssd.conf, /etc/pam.d/{fingerprint-auth-ac,password-auth-ac,system-auth-ac,smartcard-auth-ac}, with permissions and ownership set up correctly.

3, then we tested the Kerberos commands kinit/kdestroy/klist and they were all working; we tested 'getent passwd <ipaAccount>' and 'getent group ipausers' and they were working too; at last we tried ssh/login and they worked as expected as well.

4, at this step I could claim that IPA authentication and authorization worked successfully. Then I continued to try the IPA admin commands, but unexpectedly they failed.


[root at ipaclient04 ~]# ipa
ipa: ERROR: Client is not configured. Run ipa-client-install.
[root at ipaclient04 ~]# ipa user-find
ipa: ERROR: Client is not configured. Run ipa-client-install.
[root at ipaclient04 ~]#
5, so I copied the files /etc/ca.crt and /etc/default.conf from a client installed with 'ipa-client-install' to this manual client and tried the above commands again; they stopped whining and showed the help screen as expected, but the real IPA administration commands failed with the following error messages:


[root at ipaclient04 ~]# ipa user-find
ipa: ERROR: cert validation failed for "CN=ipamaster.pegaclouds.com,O=PEGACLOUDS.COM" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.)
ipa: ERROR: cannot connect to u'https://ipamaster.pegaclouds.com/ipa/xml': [Errno -8172] (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.
6, so it looks like there is some kind of additional authentication step I have missed somewhere -- I could not find any clue in the Red Hat IPA documentation for further steps -- I tried several times but the results were not fruitful. Could anyone please shed some light on this? Thanks a lot.

-- David
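Added example, not part of David's message and not FreeIPA's own tooling: a small diagnostic for the SEC_ERROR_UNTRUSTED_ISSUER failure shown in step 5. It rests on an assumption that the post does not state: on a RHEL 6 era client the ipa command validates the server's TLS certificate against the NSS database in /etc/pki/nssdb, and it is ipa-client-install that imports the IPA CA into that database with certutil, so a hand-built client that only received ca.crt and default.conf never gets that entry. The database and CA file paths, the "IPA CA" nickname and the certutil listings embedded below are assumptions or constructed data, not output captured from the poster's hosts.

```shell
#!/bin/bash
# Added example (not from the original post or from FreeIPA). Assumed: the ipa
# CLI trusts the server cert only if the NSS database at $NSSDB holds a CA
# entry with a C flag in the SSL trust column, which ipa-client-install
# normally creates. Override the paths via the environment if they differ.
NSSDB="${NSSDB:-/etc/pki/nssdb}"        # assumed location of the client NSS db
CA_FILE="${CA_FILE:-/etc/ipa/ca.crt}"   # assumed location of the IPA CA PEM

# nss_has_trusted_ca LISTING
# Parse a `certutil -L` listing (two header lines, blank line, then one
# "nickname   SSL,S/MIME,JAR/XPI" row per cert). Return 0 if any row carries
# C (trusted CA) in the SSL column, otherwise 1. Lowercase c, P or u do not
# count: they mark a valid-but-untrusted CA, a trusted peer, or a user cert.
nss_has_trusted_ca() {
  printf '%s\n' "$1" | awk '
    NR > 2 && NF > 1 {          # skip the two header lines and blank lines
      split($NF, f, ",")        # trust attributes are the last field
      if (f[1] ~ /C/) found = 1
    }
    END { if (found) exit 0; exit 1 }'
}

# check_nssdb DIR: run certutil against the live database.
# Returns 0 = trusted CA present, 1 = none present, 2 = database unreadable.
check_nssdb() {
  listing=$(certutil -L -d "$1" 2>/dev/null) || return 2
  nss_has_trusted_ca "$listing"
}

# import_ipa_ca DIR CAFILE: the import ipa-client-install is assumed to do.
import_ipa_ca() {
  certutil -A -d "$1" -n "IPA CA" -t CT,C,C -a -i "$2"
}

# Constructed listings for offline demonstration (not real output).
SAMPLE_AFTER_INSTALL='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

IPA CA                                                       CT,C,C'

SAMPLE_MANUAL_CLIENT='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
'

main() {
  if nss_has_trusted_ca "$SAMPLE_AFTER_INSTALL"; then
    echo "sample after ipa-client-install: IPA CA trusted, ipa user-find can connect"
  fi
  if ! nss_has_trusted_ca "$SAMPLE_MANUAL_CLIENT"; then
    echo "sample manual client: no trusted CA, ipa reports SEC_ERROR_UNTRUSTED_ISSUER"
  fi
  # Only touch the real database when asked, so the script also runs
  # on a machine without certutil.
  if [ "${1:-}" = "--live" ]; then
    check_nssdb "$NSSDB"
    case $? in
      0) echo "$NSSDB: trusted CA present" ;;
      1) echo "$NSSDB: no trusted CA; fix with: certutil -A -d $NSSDB -n 'IPA CA' -t CT,C,C -a -i $CA_FILE" ;;
      *) echo "$NSSDB: cannot read database (certutil missing or db absent)" ;;
    esac
  fi
}
main "$@"
```

Run it with `--live` as root on the manual client to inspect the real database; without arguments it only evaluates the constructed listings. The check deliberately looks at the trust flags rather than the nickname, because a CA that is merely present (flags `c,,` or `,,`) still produces the same NSS error as a missing one.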