[Freeipa-users] With only krb5-workstation and oddjob-mkhomedir

Axel Berlin acke.89 at gmail.com
Mon Apr 29 11:55:29 UTC 2013


Hello.

I'm trying to enrol a Red Hat Enterprise Linux 6.1 host as a client of an IPA server by hand (without ipa-client-install).

What I have done:

On the Ipaserver

#ipa host-add --force --ip-address=192.168.237.1 seadv-.d1.gameop.net
(the hostname here looks truncated; every later command uses seadv-237-1.d1.gameop.net, and the host entry, the keytab principal and the client's own hostname must all use the same FQDN)

#kinit admin

#ipa host-add-managedby --hosts=ipaserver.d1.gameop.net
seadv-237-1.d1.gameop.net


#ipa-getkeytab -s ipaserver.d1.gameop.net -p
host/seadv-237-1.d1.gameop.net -k /tmp/seadv-.keytab

#scp client1.keytab seadv-237-1.d1.gameop.net:/tmp

(Note: the keytab is written to /tmp/seadv-.keytab above, but the scp copies a file called client1.keytab. The file that reaches the client must be the one holding host/seadv-237-1.d1.gameop.net, and ipa-getkeytab generates a fresh key for that principal each time it is run, so any earlier keytab for the host is invalidated.)

On the RHEL 6.1 client

#yum install krb5-workstation oddjob-mkhomedir
#mv /tmp/client1.keytab /etc/krb5.keytab

(The keytab holds the host's long-term Kerberos key: /etc/krb5.keytab should be owned by root with mode 0600, and no copy should be left behind in /tmp. Also, sssd is not in the yum line above even though /etc/sssd/sssd.conf is edited below; the sssd package has to be installed as well.)

#vim /etc/krb5.conf

# /etc/krb5.conf as written on the client.  DNS discovery is switched off for
# both the realm and the KDC, so libkrb5 only ever talks to the kdc /
# admin_server named below; the _kerberos TXT/SRV records in the external
# zone later in this mail are never consulted by this file (sssd.conf's
# ipa_server = _srv_ is a separate lookup done by sssd).
[libdefaults]
  default_realm = D1.GAMEOP.NET
  dns_lookup_realm = false
  dns_lookup_kdc = false
  # Do not use reverse DNS when canonicalising host names for service
  # principals.
  rdns = false
  ticket_lifetime = 24h
  # Every TGT is forwardable by default, i.e. it can be delegated to hosts the
  # user logs in to.  NOTE(review): keep only if credential delegation is
  # actually wanted on these clients.
  forwardable = yes

[realms]
  D1.GAMEOP.NET = {
    # A single hard-coded KDC.  ipareplica (see the DNS records below) is
    # never used for Kerberos by this client because dns_lookup_kdc is false
    # and it is not listed here; add a second kdc line if it runs a KDC.
    kdc = ipaserver.d1.gameop.net:88
    admin_server = ipaserver.d1.gameop.net:749
    default_domain = d1.gameop.net
    # IPA CA certificate, also referenced by ldap_tls_cacert in sssd.conf.
    # None of the steps above copies /etc/ipa/ca.crt to the client; it has to
    # be fetched from the server or sssd cannot verify the LDAP TLS session.
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .d1.gameop.net = D1.GAMEOP.NET
  d1.gameop.net = D1.GAMEOP.NET


#cd /etc/pam.d/

#vim fingerprint-auth

# /etc/pam.d/fingerprint-auth: authentication through this stack is
# fingerprint-only (pam_fprintd); neither pam_unix nor pam_sss is in the auth
# stack, and password changes are always refused.  The account and session
# stacks are the same as in the other files below.
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
# uid < 500 (local/system accounts) never reaches pam_sss.  IPA users do, and
# because sssd.conf sets access_provider = ipa this is where IPA HBAC rules
# are enforced; user_unknown=ignore means a user sssd does not know does not
# fail the stack at this point.
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
# Creates the home directory on first login by asking oddjobd over D-Bus; the
# oddjobd service must be enabled and running, which these steps do not show.
# NOTE(review): consider umask=0077 so new home directories are private.
session     optional      pam_oddjob_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond
quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

#vim password-auth

# /etc/pam.d/password-auth: the stack used by sshd and other network logins.
auth        required      pam_env.so
# nullok lets a local account whose shadow password field is empty log in
# without any password.  Drop it unless that is intended.
auth        sufficient    pam_unix.so nullok try_first_pass
# Only uid >= 500 is passed on to sssd; system accounts never reach IPA.
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
# uid < 500 skips pam_sss.  IPA users go through pam_sss, which enforces IPA
# HBAC because sssd.conf sets access_provider = ipa.
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
# md5 selects MD5-crypt for newly set *local* passwords (sha512 is the
# stronger choice authconfig would normally write here); nullok again allows
# an empty password to be set.
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass
use_authtok
# IPA users change their password through sssd (chpass_provider = ipa).
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
# Home directory creation via oddjobd (service must be running, not shown).
session     optional      pam_oddjob_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond
quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

#vim smartcard-auth

# /etc/pam.d/smartcard-auth: smart-card only.  card_only means a certificate
# from the card is the sole accepted authenticator; success=done short-circuits
# the stack, anything else dies.  pam_pkcs11 needs its own configuration and a
# trust anchor for the card certificates, neither of which is shown here.
auth        required      pam_env.so
auth        [success=done ignore=ignore default=die] pam_pkcs11.so
wait_for_card card_only
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
# uid < 500 skips pam_sss; IPA users are subject to IPA HBAC here
# (access_provider = ipa in sssd.conf).
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    required      pam_pkcs11.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
# Home directory creation via oddjobd (service must be running, not shown).
session     optional      pam_oddjob_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond
quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

#vim system-auth

# /etc/pam.d/system-auth: same as password-auth plus fingerprint, i.e. a
# matching fingerprint alone is sufficient for console logins.
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
# nullok lets a local account with an empty shadow password field log in
# without a password.  Drop it unless that is intended.
auth        sufficient    pam_unix.so nullok try_first_pass
# Only uid >= 500 is passed on to sssd; system accounts never reach IPA.
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
# uid < 500 skips pam_sss; IPA users go through pam_sss, which enforces IPA
# HBAC because sssd.conf sets access_provider = ipa.
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
# md5 selects MD5-crypt for newly set local passwords (sha512 is the stronger
# choice authconfig would normally write here); nullok allows an empty one.
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass
use_authtok
# IPA users change their password through sssd (chpass_provider = ipa).
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
# Home directory creation via oddjobd (service must be running, not shown).
# NOTE(review): consider umask=0077 so new home directories are private.
session     optional      pam_oddjob_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond
quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so


#vim /etc/sssd/sssd.conf

# /etc/sssd/sssd.conf.  Must be root-owned with mode 0600 (the chmod below);
# sssd checks this at start-up.
[domain/d1.gameop.net]

# Offline logins: cached credentials allow login while the IPA server is
# unreachable.
cache_credentials = True
# While offline, sssd keeps the user's password (in the kernel keyring, per
# sssd.conf(5)) to request a TGT once the server is back.  That leaves a
# plaintext secret on the host; set to False if that is not acceptable.
krb5_store_password_if_offline = True
ipa_domain = d1.gameop.net
id_provider = ipa
auth_provider = ipa
# IPA HBAC rules are enforced through pam_sss's account stage.
access_provider = ipa
chpass_provider = ipa
# Server discovery: DNS SRV (_ldap._tcp.d1.gameop.net) first, then the fixed
# name.  This is the only place in this setup that looks at the SRV records,
# so the external zone shown later in the mail matters here, not in krb5.conf.
ipa_server = _srv_, ipaserver.d1.gameop.net
# Must exist on the client; nothing in the steps above copies it over.
# Without it sssd presumably cannot verify the LDAP TLS session and the
# provider goes offline.
ldap_tls_cacert = /etc/ipa/ca.crt

[sssd]
config_file_version = 2

reconnection_retries = 3

sbus_timeout = 30
services = nss, pam

domains = d1.gameop.net

[nss]
# root is never resolved through IPA, so root logins do not depend on it.
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3

#chmod 0600 /etc/sssd/sssd.conf
(use the absolute path: the earlier `cd /etc/pam.d/` is still the working directory, so a relative `sssd.conf` would not refer to the file just edited)

#vim /etc/nsswitch.conf

# /etc/nsswitch.conf: local files first, then sssd.  root is filtered out of
# sssd (filter_users / filter_groups in sssd.conf), so it never hits IPA.
passwd:     files sss
shadow:     files sss
group:      files sss

# The resolver is what sssd's ipa_server = _srv_ lookup depends on; with
# /etc/resolv.conf pointing at the external DNS, the records listed below
# are what sssd sees.
hosts:      files dns

# The nisplus entries are stock RHEL defaults; NIS+ is not used in this setup.
bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files

netgroup:   files sss

publickey:  nisplus

automount:  files
aliases:    files nisplus


Now I can do
#kinit admin
#klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@D1.GAMEOP.NET

Valid starting     Expires            Service principal
04/29/13 13:41:37  04/30/13 13:41:35  krbtgt/D1.GAMEOP.NET@D1.GAMEOP.NET

but when I run `id acke` or `ssh acke@seadv-237-1.d1.gameop.net`

I get nothing (the user is not resolved and the login fails).

These are the records in the (non-IPA) DNS server I want to use:

; Records in the external (non-IPA) zone, as listed in the mail.
ipaserver.d1.gameop.net         A      192.168.232.41
ipareplica.d1.gameop.net        A       192.168.235.181
; NOTE(review): no A record is shown for the client itself
; (seadv-237-1.d1.gameop.net, 192.168.237.1 in the host-add above);
; `ipa host-add --ip-address` presumably only created one in IPA's own DNS.

; SRV RDATA is "priority weight port target", but only three values appear
; on each line.  If that is not a transcription slip the records do not say
; what is intended (IPA's own zone writes e.g. "SRV 0 100 389 ipaserver").
_ldap._tcp.d1.gameop.net       SRV 100 389 ipaserver
_ldap._tcp.d1.gameop.net       SRV 100 389 ipareplica

; The _kerberos TXT record should carry the realm name, D1.GAMEOP.NET (realm
; names are case-sensitive).  Note that this client's krb5.conf has both
; dns_lookup_realm and dns_lookup_kdc = false, so libkrb5 on it ignores every
; Kerberos record below; only sssd's _srv_ lookup for _ldap._tcp is used.
_kerberos                               TXT  d1.gameop.net
; ipareplica is advertised for LDAP above but not for Kerberos; add it here
; as well if it runs a KDC.
_kerberos._tcp.d1.gameop.net  SRV 100 88 ipaserver
_kerberos._udp.d1.gameop.net SRV 100 88 ipaserver
_kerberos-master._tcp.d1.gameop.net SRV 100 88 ipaserver
_kerberos-master._udp.d1.gameop.net SRV 100 88 ipaserver
; kpasswd listens on port 464, not 88.
_kpasswd._tcp.d1.gameop.net   SRV 100 88 ipaserver
_kpasswd._udp.d1.gameop.net  SRV 100 88 ipaserver

This setup does not work with the DNS server I want to use. But if I change /etc/resolv.conf to

nameserver 192.168.232.41

then `id` and `ssh` work.

So have I missed something with the DNS?

I have also tried keeping only the _ldap._tcp and _kerberos._tcp SRV records,
but that does not work either.


Thanks

PS

This is my first mailing-list post; sorry if I do not follow the usual conventions.

