[Freeipa-users] setting up a client on Debian squeeze
Michał Dwużnik
michal.dwuznik at gmail.com
Thu Aug 29 23:49:37 UTC 2013
Ok, going step by step I did the following on squeeze:
set up ntp, time synced with ipa server
test setup is done on
ipa.localdomain (server)
client.localdomain
(client on Scientific Linux 6.4, looks ok after ipa-client-install, ssh
works for test users tester and tester2)
client2.localdomain is the Debian Squeeze client
added host client2.localdomain on IPA server, added 'managedby', got the
keytab and put the 'client2.keytab' in /etc/krb5.keytab on client2
most important part of /etc/krb5.conf:
[realms]
    LOCALDOMAIN = {
        kdc = ipa.localdomain
        admin_server = ipa.localdomain
    }
[domain_realm]
    .localdomain = LOCALDOMAIN
    localdomain = LOCALDOMAIN
    default_domain = localdomain
[libdefaults]
    default_realm = LOCALDOMAIN
The following lets me think the KRB5 part of the setup is done correctly:
root at client2:/etc# kinit admin
Password for admin at LOCALDOMAIN:
root at client2:/etc# kdestroy
root at client2:/etc# kinit tester
Password for tester at LOCALDOMAIN:
root at client2:/etc# klis
-su: klis: command not found
root at client2:/etc# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: tester at LOCALDOMAIN
Valid starting Expires Service principal
08/30/13 00:35:50 08/31/13 00:35:47 krbtgt/LOCALDOMAIN at LOCALDOMAIN
root at client2:/etc# kpasswd tester
Password for tester at LOCALDOMAIN:
Enter new password:
Enter it again:
Password changed.
I guess that's the point of snapshotting 'KRB done' state (can I be wrong?)
DNS for all the hosts involved is similar to:
root at client2:/etc# nslookup ipa
Server: 192.168.137.29
Address: 192.168.137.29#53
Name: ipa.localdomain
Address: 192.168.137.13
root at client2:/etc# nslookup 192.168.137.13
Server: 192.168.137.29
Address: 192.168.137.29#53
13.137.168.192.in-addr.arpa name = ipa.localdomain.
Now I guess it's time for certificates, where I do have some doubts...
I've added the SSH host keys via web interface, now the cert part:
having generated the CSR after creating the new database:
certutil -R -d . -a -g 2048 -s 'CN=client2.localdomain,O=LOCALDOMAIN'
(in the /etc/pki dir) I paste the CSR and issue the certificate for the host
(/etc/pki contains the newly created cert8.db, key3.db and secmod.db)
Which of those should be used to add the cert to?
(like certutil -A -d /etc/pki/nssdb -n "IPA CA" -t CT,C,C -a -i /path/to/ca.crt)
All of the tries result in:
root at client2:/etc/pki# certutil -A -d /etc/pki/cert8.db -n "IPA CA" -t CT,C,C -a -i ./ca.crt
certutil: function failed: security library: bad database.
root at client2:/etc/pki# certutil -A -d /etc/pki/secmod.db -n "IPA CA" -t CT,C,C -a -i ./ca.crt
certutil: function failed: security library: bad database.
root at client2:/etc/pki# certutil -A -d /etc/pki/key3.db -n "IPA CA" -t CT,C,C -a -i ./ca.crt
certutil: function failed: security library: bad database.
Could someone show me my mistake?
Regards
Michal
On Thu, Aug 29, 2013 at 9:00 PM, Michał Dwużnik <michal.dwuznik at gmail.com> wrote:
> As for now I have set up a 'known good' client on RH based distro, to get
> the feeling how the config files
> look like when configured correctly.
>
> Thanks for the nice reference
>
> M.
>
>
> On Thu, Aug 29, 2013 at 7:56 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>
>> Michał Dwużnik wrote:
>>
>>> Hi folks,
>>>
>>> did anyone succeed in connecting such an old thing recently to freeipa
>>> server?
>>>
>>> Is there a document (or an archive post) about connecting a 'non ipa
>>> aware' client step by step?
>>> I got as far as working Kerberos with no issues, hit a wall with the ldap
>>> part..
>>>
>>
>> You might try this: http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/linux-manual.html
>>
>> rob
>>
>>
>
>
> --
> Michal Dwuznik
>
--
Michal Dwuznik
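Editor's note on the certutil failures above: the -d option of certutil names the directory that holds the NSS database files (cert8.db, key3.db and secmod.db for the legacy dbm format; cert9.db, key4.db and pkcs11.txt for the sqlite format), never one of those files, which is why every attempt against /etc/pki/cert8.db, /etc/pki/key3.db or /etc/pki/secmod.db reports "bad database". The following script is an added example written for this page; it is not code from the post or from the FreeIPA project. The helper names, the scratch directory and the use of an empty database password in the demo are assumptions for illustration. It corrects a file path to its directory, checks that the directory really contains a complete database before running certutil, and imports the IPA CA certificate with the CT,C,C trust flags the post was trying to set.

```shell
#!/bin/sh
# Added example (editor's, not from the post or FreeIPA). certutil's -d option
# takes the DIRECTORY holding the NSS database files, not one of the files:
# legacy (dbm) databases are cert8.db/key3.db/secmod.db, sqlite ones are
# cert9.db/key4.db/pkcs11.txt. Helper names and paths are assumptions.

# nssdb_dir PATH: print the directory to pass to -d. If PATH is one of the
# database files, strip the file name; if it already is a directory, keep it.
nssdb_dir() {
    case "$1" in
        */cert8.db|*/key3.db|*/secmod.db|*/cert9.db|*/key4.db|*/pkcs11.txt)
            dirname "$1" ;;
        *)
            printf '%s\n' "$1" ;;
    esac
}

# nssdb_ok DIR: succeed only if DIR holds a complete legacy or sqlite database.
nssdb_ok() {
    [ -d "$1" ] || return 1
    if [ -f "$1/cert8.db" ] && [ -f "$1/key3.db" ] && [ -f "$1/secmod.db" ]; then
        return 0
    fi
    [ -f "$1/cert9.db" ] && [ -f "$1/key4.db" ] && [ -f "$1/pkcs11.txt" ]
}

# import_ipa_ca DBPATH CAFILE: import CAFILE (PEM) as "IPA CA" with the
# CT,C,C trust flags into the corrected directory, then read it back.
import_ipa_ca() {
    dir=$(nssdb_dir "$1")
    if ! nssdb_ok "$dir"; then
        echo "import_ipa_ca: $dir is not an NSS database directory" >&2
        return 1
    fi
    certutil -A -d "$dir" -n "IPA CA" -t CT,C,C -a -i "$2" || return 1
    certutil -L -d "$dir" -n "IPA CA" >/dev/null
}

# demo CAFILE: create a fresh database in a scratch directory and import
# CAFILE into it, so the commands can be tried without touching /etc/pki.
# Needs certutil; the empty database password is for the demo only.
demo() {
    tmp=$(mktemp -d) || return 1
    certutil -N -d "$tmp" --empty-password || return 1
    # A file path is passed on purpose; nssdb_dir reduces it to the directory.
    import_ipa_ca "$tmp/cert8.db" "$1" || return 1
    certutil -L -d "$tmp"
}

# Run as: sh nssdb.sh demo /etc/ipa/ca.crt
[ "${1:-}" = demo ] && demo "$2"
```

Once the CA is in the database, certutil -L -d DIR lists it with the trust column reading CT,C,C; a client-side cert for client2.localdomain issued from the CSR would then be imported into the same directory with certutil -A and the nickname of your choice, again passing the directory, not cert8.db, to -d.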