[Freeipa-users] IPA Bug??: IPA replica installation problem on IPV4-only nodes

Dmitri Pal dpal at redhat.com
Fri Apr 27 18:37:55 UTC 2012


On 04/26/2012 07:10 PM, David Copperfield wrote:
> IPA Replica installation fails on an IPv4 Linux box. The
> exception/messages on screen are:
>
> ...
> error: [Errno 97] Address family not supported by protocol
> ...
>
> After looking into the Python code, I found that the IPA
> program tried to test both the IPv4 and IPv6 address families, and it
> failed there when IPv6 is turned off.
>
> So I turned on IPv6 again, tried ipa-conncheck again, and it worked this time.
>

This rings a bell; I think we already have a ticket for that.

> --David
>
>
>
> ------------------------------------------------------------------------
> *From:* hshhs caca <cao2dan at yahoo.com>
> *To:* "freeipa-users at redhat.com" <freeipa-users at redhat.com>
> *Sent:* Thursday, April 26, 2012 1:51 PM
> *Subject:* [Freeipa-users] What are the main purposes of Dogtag
> certificate system inside IPA
>
>
> Hi folks,
>
>  When evaluating migration from our existing separate LDAP/Kerberos
> solution to integrated IPA, I got confused about the purpose of the Dogtag
> Certificate System inside IPA. What are its main purposes? Or
> what value does it bring to IPA?
>
>  I can see the point of the KDC and 389 Directory Server parts, even NTP
> and DNS, but not of Dogtag. Frankly, I am not sure where I should put
> it. Say, for Kerberos authentication, I need only /etc/krb5.conf and
> /etc/krb5.keytab locally on the client, and then the krb5 tools/libs will do
> their work happily.  Then why should I authenticate a machine with a
> certificate, or certificate+keytab -- either way the certificate part
> is a MUST -- see the document
> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/hosts.html
> (at the very bottom).
>
> A closely related question is: what are the main points/benefits of machine
> authentication? Because with a traditional keytab-based Kerberos
> setup, the users, machines and services can authenticate with no problem,
> so why do we need an extra authentication with a machine certificate as a
> must?
>
>  Please help me clarify why the statement
> 'pkinit_anchors = FILE:/etc/ipa/ca.crt' is put inside krb5.conf after
> running the ipa-client-install script. What is its purpose?
>
> The last problem is: after following the steps at
> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/linux-manual.html
> to set up my Linux client manually, I still cannot run the 'ipa user-find'
> command on the client, while another Linux client of the same type, installed
> with 'ipa-client-install', has no problem running it. Is there any
> difference between manual and automatic installations?
>
> Sorry, I have too many questions and probably more, as I have read through the
> Red Hat IPA document several times, and every time more questions pop
> up. :)
>
> Thanks a lot.
>
> --Robinson
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
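
The failure discussed in this thread, as an added example that is not part of the original messages and is not FreeIPA's own code: a TCP port check that tries every resolved address family and skips one the kernel rejects with EAFNOSUPPORT (errno 97 on Linux) instead of aborting. The names `port_reachable` and `no_ipv6_socket`, the injectable `resolver` and `socket_factory` parameters, and the demo addresses are assumptions made for illustration.

```python
import errno
import socket


def no_ipv6_socket(family, socktype, proto):
    """Constructed stand-in for a host with IPv6 disabled (hypothetical helper)."""
    if family == socket.AF_INET6:
        raise OSError(errno.EAFNOSUPPORT, "Address family not supported by protocol")
    return socket.socket(family, socktype, proto)


def port_reachable(host, port, timeout=2.0, skip_unsupported=True,
                   resolver=socket.getaddrinfo, socket_factory=socket.socket):
    """Return True if host:port accepts a TCP connection over any address family.

    With skip_unsupported=False, the first family the kernel rejects aborts the
    check with EAFNOSUPPORT, reproducing the error quoted in the thread.
    """
    for family, socktype, proto, _, sockaddr in resolver(
            host, port, socket.AF_UNSPEC, socket.SOCK_STREAM):
        try:
            sock = socket_factory(family, socktype, proto)
        except OSError as exc:
            if skip_unsupported and exc.errno == errno.EAFNOSUPPORT:
                continue  # family disabled on this host: try the next address
            raise
        try:
            sock.settimeout(timeout)
            sock.connect(sockaddr)
            return True
        except OSError:
            pass  # refused or timed out on this address: try the next one
        finally:
            sock.close()
    return False


if __name__ == "__main__":
    # Constructed demo: a local listener, and a resolver that offers ::1 first.
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    addrs = lambda *a: [(socket.AF_INET6, socket.SOCK_STREAM, 6, "", ("::1", port, 0, 0)),
                        (socket.AF_INET, socket.SOCK_STREAM, 6, "", ("127.0.0.1", port))]
    print(port_reachable("localhost", port, resolver=addrs, socket_factory=no_ipv6_socket))
    srv.close()
```
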
