[Freeipa-users] IPA Bug??: IPA replica installation problem on IPV4-only nodes

David Copperfield cao2dan at yahoo.com
Thu Apr 26 23:10:53 UTC 2012


IPA replica installation fails on an IPv4 Linux box. The exception/messages on screen are:

...
 error: [Errno 97] Address family not supported by protocol 

...

After looking into the Python code, it was found that the IPA program tried to test both IPv4 and IPv6 address families, and it failed there when IPv6 is turned off.

So I turned on IPv6 again and tried ipa-conncheck again, and it worked this time.

--David





________________________________
 From: hshhs caca <cao2dan at yahoo.com>
To: "freeipa-users at redhat.com" <freeipa-users at redhat.com> 
Sent: Thursday, April 26, 2012 1:51 PM
Subject: [Freeipa-users] What are the main purposes of Dogtag certificate system inside IPA
 


Hi folks,

When evaluating migration from an existing separate LDAP/Kerberos solution to integrated IPA, I got confused about the purposes of the Dogtag Certificate System inside IPA. What are its main purposes? Or what value does it bring to IPA?

I can see the point of the KDC and 389 Directory Server parts, even NTP and DNS, but not of Dogtag. Frankly, I am not sure where I should put it. Say, for Kerberos authentication, I need only /etc/krb5.conf and /etc/krb5.keytab locally on the client, and then the krb5 tools/libs will do their work happily. Then why should I authenticate a machine with a certificate, or certificate+keytab -- either way the certificate part is a MUST -- see the document
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/hosts.html (at the very bottom).

A closely related question is: what are the main points/benefits of machine authentication? With a traditional keytab-based Kerberos setup, the users, machines and services can authenticate with no problem, so why do we need an extra authentication with a machine certificate as a must?

Please help me clarify the question of why the statement 'pkinit_anchors = FILE:/etc/ipa/ca.crt' is put inside krb5.conf after running the ipa-client-install script. What is its purpose?

The last problem is: after following the steps at http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/linux-manual.html to set up my Linux client manually, I still cannot run the 'ipa user-find' command on the client, while another Linux client of the same type installed with 'ipa-client-install' has no problem running it.
Are there any differences between manual and automatic installations?

Sorry I have so many questions, and probably more, as I read through the Red Hat IPA document several times, and every time more questions pop up. :)

Thanks a lot.

--Robinson
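
The failure described in the reply at the top of this thread, where a connection check aborts with errno 97 once IPv6 is turned off, can be avoided by skipping address families the local kernel cannot open. The following Python sketch is an added example, not code from FreeIPA or from either poster; `check_port`, the fake socket and resolver, and the host name and addresses are constructed for illustration.

```python
import errno
import socket

def check_port(host, port, timeout=2.0,
               resolver=socket.getaddrinfo, socket_factory=socket.socket):
    """Probe host:port over every resolved address family; a family the kernel
    cannot open (EAFNOSUPPORT, errno 97 on Linux) is skipped, not fatal.
    Returns (reachable, skipped_families, errors)."""
    skipped, errors = [], []
    for family, socktype, proto, _name, sockaddr in resolver(
            host, port, socket.AF_UNSPEC, socket.SOCK_STREAM):
        try:
            sock = socket_factory(family, socktype, proto)
        except OSError as exc:
            if exc.errno == errno.EAFNOSUPPORT:
                skipped.append(family)      # e.g. IPv6 disabled on this host
                continue
            raise                           # any other error is a real fault
        try:
            sock.settimeout(timeout)
            sock.connect(sockaddr)
            return True, skipped, errors
        except OSError as exc:
            errors.append((sockaddr, exc.errno))
        finally:
            sock.close()
    return False, skipped, errors

# Constructed simulation of an IPv4-only host; no network traffic is sent.
class FakeSocket:
    def settimeout(self, timeout): pass
    def connect(self, sockaddr): pass       # pretend the port is open
    def close(self): pass

def ipv4_only_factory(family, socktype, proto):
    if family == socket.AF_INET6:
        raise OSError(errno.EAFNOSUPPORT, "Address family not supported by protocol")
    return FakeSocket()

def fake_resolver(host, port, family, socktype):
    # Constructed answers (documentation address ranges): one IPv6, one IPv4.
    return [(socket.AF_INET6, socktype, 6, "", ("2001:db8::10", port, 0, 0)),
            (socket.AF_INET, socktype, 6, "", ("192.0.2.10", port))]

def demo():
    return check_port("replica.example.test", 389,
                      resolver=fake_resolver, socket_factory=ipv4_only_factory)
```

Returning the skipped families alongside the result lets the caller log that IPv6 was unavailable while still reporting the port as reachable over IPv4.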
