[Freeipa-users] Manually installed IPA clients failes to run 'ipa user-find', 'ipa host-find', etc.

Fri Apr 27 06:15:49 UTC 2012

On Thu, Apr 26, 2012 at 7:08 PM, David Copperfield <cao2dan at yahoo.com> wrote:
> Hi, Stephen,
>
>   Thanks for your reply, and it works great, though I still have one
> question around the host cert -- what are the typical usage senarios of host
> cert for IPA clients?
>
>>
>>
>>On 4/26/12 6:01 PM, "Stephen Ingram" <sbingram at gmail.com> wrote:
>>
>>On Thu, Apr 26, 2012 at 3:51 PM, hshhs caca <cao2dan at yahoo.com> wrote:
>>> Hi folks,
>>>
>>>  I'm pretty new to freeIPA. And here is a freeIPA installation problem
>>> encountered in my work. For company policies reasons we can not use
>>> ipa-client-install on Linux clients, instead manual installation method
>>> is
>>> in use and most of the freeIPA client config files are pushed out with
>>> cfengine. The problem details/steps are listed below:
>>>
>>> 1, following the steps at
>>>
>>> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/linux-manual.html,
>>> we registered all clients in IPA master, created and downloaded into
>>> subversion the keytab files for all clients, then use
>>> 'ipa-client-install'
>>> on one clients and save the config files into subversion too.
>>>
>>> 2, when a new Linux node is newly deployed, we deploy the files below
>>> onto
>>> the nodes: /etc/{krb5.conf, krb5.keytab,nsswitch.conf},
>>> /etc/sssd/sssd.conf,
>>> /etc/pam.d/{fingerprint-auth-ac, password-auth-ac, system-auth-ac,
>>> smartcard-auth-ac}, with permissions and ownership setup correctly.
>>>
>>> 3, then we tested kerberos commands kinit/kdestroy/klist and they were
>>> all
>>> working; we tested 'getent passwd <ipaAccount>', 'getent group ipausers'
>>> and
>>> they were working too, at last we tried ssh/login and they were working
>>> as
>>> expected as well.
>>>
>>> 4, at this step I could claim that IPA authentication and authorization
>>> worked successfully. Then I continued to try IPA admin command but
>>> unexpected them failed.
>>>
>>> [root at ipaclient04 ~]# ipa
>>> ipa: ERROR: Client is not configured. Run ipa-client-install.
>>> [root at ipaclient04 ~]# ipa user-find
>>> ipa: ERROR: Client is not configured. Run ipa-client-install.
>>> [root at ipaclient04 ~]#
>>>>>
>>> [root at ipaclient04 ~]# ipa user-find
>>> ipa: ERROR: cert validation failed for
>>> "CN=ipamaster.pegaclouds.com,O=PEGACLOUDS.COM"
>>> ((SEC_ERROR_UNTRUSTED_ISSUER)
>>> Peer's certificate issuer has been marked as not trusted by the user.)
>>> ipa: ERROR: cannot connect to
>>> u'https://ipamaster.pegaclouds.com/ipa/xml':
>>> [Errno -8172] (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has
>>> been marked as not trusted by the user.
>>>
>>> 6, So it looks like there are some kinds of new authentication steps I
>>> have
>>> missed somewhere -- could not find any clue on the Redhat IPA document
>>> for
>>> further steps --  I tried several times but results are not fruitful.
>>> Could
>>> anyone please shed a light at here? Thanks a lot.
>>
>>David-
>>
>>It looks like you didn't import the CA into the host certificate store
>>in /etc/pki/nssdb. I believe those commands require that you trust
>>your IPA CA. You can import the CA with:
>>
>>certutil -A -d /etc/pki/nssdb -n 'IPA CA' -t CT,C,C -a -i /etc/ipa/ca.crt
>>
>
> That is the magic finger!! and the IPA commands 'ipa user-find', 'ipa
> host-add', etc
> works without a glitch.

Excellent! I really enjoy the fact that all of this can be done
manually as well as automatically by ipa-client-install. I think it
speaks well of the design of IPA instead of working with some closed
up box, where, if it breaks, you really have no idea of how to fix it.

>>Also, make sure and generate a host cert for the machine (also in
>>/etc/pki/nssdb) and have IPA sign it.
>>
>
> I have to fire up service messagebus, certmonger, and then run 'ipa-getcert
> request'
> command to generate a CSR, send it to IPA Master to sign it, save
> certificate at IPA master,
> and save the host private key / certificate locally inder /etc/pki/nssdb.
>
> So what are the benefits of host certificates? bascically what are the usage
> senarios to allure
> users to go though these efforts to register and renew a host certicate? I
> am new to host certificate
> (not httpd SSL certificate) and really not sure where they can be helpful.
>
> Thanks.
>
> --David

The host and CA certificates are used in IPA to provide some soft of
assurance that you are talking to whom you think you are talking to
such that you won't be sending IPA commands to just anyone. Also, it's
nice for IPA to have some assurance of who the machine is making the
requests.

Steve