[Freeipa-users] setting up a client on Debian squeeze

Michał Dwużnik michal.dwuznik at gmail.com
Fri Aug 30 00:12:01 UTC 2013 

Sorry for quick continuation...

Certificate added to nss DB in /etc/pki
certutil -A -d /etc/pki/ -n "IPA CA" -t CT,C,C -a -i pki/ca.crt

sssd configured according to
http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/linux-manual.html

How do I test now, before changing PAM options that the pieces fit together?


(Sorry for being a bit too tired...)

M.


On Fri, Aug 30, 2013 at 1:49 AM, Michał Dwużnik <michal.dwuznik at gmail.com>wrote:

> Ok, going step by step I did the following on squeeze:
>
> set up ntp, time synced with ipa server
>
> test setup is done on
> ipa.localdomain (server)
> client.localdomain
> (client on Scientific Linux 6.4, looks ok after ipa-client-install, ssh
> works for test users tester and tester2)
>
> client2.localdomain is the Debian Squeeze client
>
> added host client2.localdomain on IPA server, added 'managedby', got the
> keytab and put the 'client2.keytab' in /etc/krb5.keytab on client2
>
> most important part of /etc/krb5.conf:
>
> [realms]
>         LOCALDOMAIN = {
>                 kdc = ipa.localdomain
>                 admin_server = ipa.localdomain
>         }
>
> [domain_realm]
>         .localdomain = LOCALDOMAIN
>         localdomain = LOCALDOMAIN
>         default_domain = localdomain
>
> [libdefaults]
>         default_realm = LOCALDOMAIN
>
>
> The following lets me think the KRB5 part of the setup is done correctly:
>
> root at client2:/etc# kinit admin
> Password for admin at LOCALDOMAIN:
> root at client2:/etc# kdestroy
> root at client2:/etc# kinit tester
> Password for tester at LOCALDOMAIN:
> root at client2:/etc# klis
> -su: klis: command not found
> root at client2:/etc# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: tester at LOCALDOMAIN
>
> Valid starting     Expires            Service principal
> 08/30/13 00:35:50  08/31/13 00:35:47  krbtgt/LOCALDOMAIN at LOCALDOMAIN
>
>
> root at client2:/etc# kpasswd tester
> Password for tester at LOCALDOMAIN:
> Enter new password:
> Enter it again:
> Password changed.
>
>
> I guess that's the point of snapshotting 'KRB done' state (can I be wrong?)
>
> DNS for all the hosts involved is similar to:
> root at client2:/etc# nslookup ipa
> Server:         192.168.137.29
> Address:        192.168.137.29#53
>
> Name:   ipa.localdomain
> Address: 192.168.137.13
>
> root at client2:/etc# nslookup 192.168.137.13
> Server:         192.168.137.29
> Address:        192.168.137.29#53
>
> 13.137.168.192.in-addr.arpa     name = ipa.localdomain.
>
> Now I guess it's time for certificates, where I do have some doubts...
>
> I've added the SSH host keys via web interface, now the cert part:
>
> having generated the CSR afte creating the new database:
>
>  certutil -R -d . -a -g 2048 -s 'CN=client2.localdomain,O=LOCALDOMAIN'
> (in the /etc/pki dir) I paste the CSR and Issue the certificate for host
>
> (/etc/pi contains newly created   cert8.db   key3.db    secmod.db )
>
> Which of those should be used to add the cert to?
>
> (like certutil -A -d /etc/pki/nssdb -n "IPA CA" -t CT,C,C -a -i */path/to/
> *ca.crt)
>
> All of the tries result in:
> root at client2:/etc/pki# certutil -A -d /etc/pki/cert8.db -n "IPA CA" -t
> CT,C,C -a -i ./ca.crt
> certutil: function failed: security library: bad database.
> root at client2:/etc/pki# certutil -A -d /etc/pki/secmod.db -n "IPA CA" -t
> CT,C,C -a -i ./ca.crt
> certutil: function failed: security library: bad database.
> root at client2:/etc/pki# certutil -A -d /etc/pki/key3.db -n "IPA CA" -t
> CT,C,C -a -i ./ca.crt
> certutil: function failed: security library: bad database.
>
> Could someone show me my mistake?
>
> Regards
> Michal
>
>
>
> On Thu, Aug 29, 2013 at 9:00 PM, Michał Dwużnik <michal.dwuznik at gmail.com>wrote:
>
>> As for now I have set up a 'known good' client on RH based distro, to get
>> the feeling how the config files
>> look like when configured correctly.
>>
>> Thanks for the nice reference
>>
>> M.
>>
>>
>> On Thu, Aug 29, 2013 at 7:56 PM, Rob Crittenden <rcritten at redhat.com>wrote:
>>
>>> Michał Dwużnik wrote:
>>>
>>>> Hi folks,
>>>>
>>>> did anyone succeed in connecting such an old thing recently to freeipa
>>>> server?
>>>>
>>>> Is there a document (or an archive post) about connecting a 'non ipa
>>>> aware' client step by step?
>>>> I got as far as woing Kerberos with no issues, hit a wall with ldap
>>>> part..
>>>>
>>>
>>> You might try this: http://docs.fedoraproject.org/**
>>> en-US/Fedora/17/html/FreeIPA_**Guide/linux-manual.html<http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/linux-manual.html>
>>>
>>> rob
>>>
>>>
>>
>>
>> --
>> Michal Dwuznik
>>
>
>
>
> --
> Michal Dwuznik
>



-- 
Michal Dwuznik
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130830/74873cc9/attachment.htm>

More information about the Freeipa-users mailing list