[Freeipa-users] setting up a client on Debian squeeze

Rob Crittenden rcritten at redhat.com
Fri Aug 30 02:04:43 UTC 2013


Michał Dwużnik wrote:
> Sorry for quick continuation...
>
> Certificate added to nss DB in /etc/pki
> certutil -A -d /etc/pki/ -n "IPA CA" -t CT,C,C -a -i pki/ca.crt
>
> sssd configured according to
> http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/linux-manual.html
>
> How do I test now, before changing PAM options that the pieces fit together?

Perhaps exercise nss with:

% id admin
% getent passwd admin
% getent group admin

You can substitute admin for any IPA user or group.

And really you can skip the cert step if you want. Unless you have 
something that will use it we put a cert on the system as a convenience 
right now. There isn't currently anything using it by default.

rob

>
>
> (Sorry for being a bit too tired...)
>
> M.
>
>
> On Fri, Aug 30, 2013 at 1:49 AM, Michał Dwużnik
> <michal.dwuznik at gmail.com> wrote:
>
>     Ok, going step by step I did the following on squeeze:
>
>     set up ntp, time synced with ipa server
>
>     test setup is done on
>     ipa.localdomain (server)
>     client.localdomain
>     (client on Scientific Linux 6.4, looks ok after ipa-client-install,
>     ssh works for test users tester and tester2)
>
>     client2.localdomain is the Debian Squeeze client
>
>     added host client2.localdomain on IPA server, added 'managedby', got
>     the keytab and put the 'client2.keytab' in /etc/krb5.keytab on client2
>
>     most important part of /etc/krb5.conf:
>
>     [realms]
>              LOCALDOMAIN = {
>                      kdc = ipa.localdomain
>                      admin_server = ipa.localdomain
>              }
>
>     [domain_realm]
>              .localdomain = LOCALDOMAIN
>              localdomain = LOCALDOMAIN
>              default_domain = localdomain
>
>     [libdefaults]
>              default_realm = LOCALDOMAIN
>
>
>     The following lets me think the KRB5 part of the setup is done
>     correctly:
>
>     root at client2:/etc# kinit admin
>     Password for admin at LOCALDOMAIN:
>     root at client2:/etc# kdestroy
>     root at client2:/etc# kinit tester
>     Password for tester at LOCALDOMAIN:
>     root at client2:/etc# klis
>     -su: klis: command not found
>     root at client2:/etc# klist
>     Ticket cache: FILE:/tmp/krb5cc_0
>     Default principal: tester at LOCALDOMAIN
>
>     Valid starting     Expires            Service principal
>     08/30/13 00:35:50  08/31/13 00:35:47  krbtgt/LOCALDOMAIN at LOCALDOMAIN
>
>
>     root at client2:/etc# kpasswd tester
>     Password for tester at LOCALDOMAIN:
>     Enter new password:
>     Enter it again:
>     Password changed.
>
>
>     I guess that's the point of snapshotting 'KRB done' state (can I be
>     wrong?)
>
>     DNS for all the hosts involved is similar to:
>     root at client2:/etc# nslookup ipa
>     Server:         192.168.137.29
>     Address:        192.168.137.29#53
>
>     Name:   ipa.localdomain
>     Address: 192.168.137.13
>
>     root at client2:/etc# nslookup 192.168.137.13
>     Server:         192.168.137.29
>     Address:        192.168.137.29#53
>
>     13.137.168.192.in-addr.arpa     name = ipa.localdomain.
>
>     Now I guess it's time for certificates, where I do have some doubts...
>
>     I've added the SSH host keys via web interface, now the cert part:
>
>     having generated the CSR after creating the new database:
>
>       certutil -R -d . -a -g 2048 -s 'CN=client2.localdomain,O=LOCALDOMAIN'
>     (in the /etc/pki dir) I paste the CSR and Issue the certificate for host
>
>     (/etc/pki contains newly created   cert8.db   key3.db    secmod.db )
>
>     Which of those should be used to add the cert to?
>
>     (like certutil -A -d /etc/pki/nssdb -n "IPA CA" -t CT,C,C -a -i
>     /path/to/ca.crt)
>
>     All of the tries result in:
>     root at client2:/etc/pki# certutil -A -d /etc/pki/cert8.db -n "IPA CA"
>     -t CT,C,C -a -i ./ca.crt
>     certutil: function failed: security library: bad database.
>     root at client2:/etc/pki# certutil -A -d /etc/pki/secmod.db -n "IPA CA"
>     -t CT,C,C -a -i ./ca.crt
>     certutil: function failed: security library: bad database.
>     root at client2:/etc/pki# certutil -A -d /etc/pki/key3.db -n "IPA CA"
>     -t CT,C,C -a -i ./ca.crt
>     certutil: function failed: security library: bad database.
>
>     Could someone show me my mistake?
>
>     Regards
>     Michal
>
>
>
>     On Thu, Aug 29, 2013 at 9:00 PM, Michał Dwużnik
>     <michal.dwuznik at gmail.com> wrote:
>
>         As for now I have set up a 'known good' client on RH based
>         distro, to get the feeling how the config files
>         look like when configured correctly.
>
>         Thanks for the nice reference
>
>         M.
>
>
>         On Thu, Aug 29, 2013 at 7:56 PM, Rob Crittenden
>         <rcritten at redhat.com> wrote:
>
>             Michał Dwużnik wrote:
>
>                 Hi folks,
>
>                 did anyone succeed in connecting such an old thing
>                 recently to freeipa
>                 server?
>
>                 Is there a document (or an archive post) about
>                 connecting a 'non ipa
>                 aware' client step by step?
>                 I got as far as working Kerberos with no issues, hit a
>                 wall with the ldap part..
>
>
>             You might try this:
>             http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/linux-manual.html
>
>             rob
>
>
>
>
>         --
>         Michal Dwuznik
>
>
>
>
>     --
>     Michal Dwuznik
>
>
>
>
> --
> Michal Dwuznik
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>

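An added example, not part of this thread or of FreeIPA itself: a small POSIX sh script that exercises the layers discussed above in the order they were built up (DNS, Kerberos with the host keytab, NSS identity lookups through sssd, and the CA certificate in the NSS database). The realm LOCALDOMAIN, server ipa.localdomain, user "tester", database directory /etc/pki/nssdb and nickname "IPA CA" are taken from the thread as assumed defaults; the function and variable names are mine. The two offline helpers address the "bad database" errors above, which come from passing the cert8.db file itself to certutil -d rather than the directory that holds it, and from needing to confirm the trust flags actually landed on the imported CA.

```shell
#!/bin/sh
# Added example (not from the thread): layer-by-layer sanity checks for a
# hand-built FreeIPA client: DNS -> Kerberos -> NSS identity -> CA cert.
# Assumed values, taken from the thread; override via the environment.
REALM=${REALM:-LOCALDOMAIN}
IPA_SERVER=${IPA_SERVER:-ipa.localdomain}
TEST_USER=${TEST_USER:-tester}
NSSDB=${NSSDB:-/etc/pki/nssdb}
CA_NICK=${CA_NICK:-IPA CA}

# certutil -d wants the DIRECTORY that holds the database, not cert8.db
# itself (that is the "bad database" error).  Print the argument certutil
# expects, with the dbm:/sql: prefix matching the files actually present,
# or fail if the path is not an NSS database at all.
nssdb_dir_arg() {
    p=$1
    [ -f "$p" ] && p=$(dirname "$p")   # given a file inside the DB: use its dir
    [ -d "$p" ] || return 1
    if [ -f "$p/cert9.db" ] && [ -f "$p/key4.db" ]; then
        printf 'sql:%s\n' "$p"
    elif [ -f "$p/cert8.db" ] && [ -f "$p/key3.db" ] && [ -f "$p/secmod.db" ]; then
        printf 'dbm:%s\n' "$p"
    else
        return 1
    fi
}

# Read `certutil -L -d <db>` output on stdin; succeed only if the named
# certificate is listed with a "C" in its SSL trust field, i.e. it is
# trusted as a CA (the thread imports it with -t CT,C,C).  Nicknames may
# contain spaces, so the flags column is stripped from the end of the line.
ca_trusted() {
    awk -v nick="$1" '
        NR > 2 && NF >= 2 {
            flags = $NF
            name = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", name)   # drop the flags column
            split(flags, f, ",")
            if (name == nick && index(f[1], "C") > 0) found = 1
        }
        END { if (found) exit 0; exit 1 }'
}

# Live checks (need the real client); each returns its own status.
check_dns() {
    getent hosts "$IPA_SERVER" >/dev/null
}
check_krb() {
    # Authenticate with the host keytab so no password is needed, in a
    # private credential cache that is destroyed afterwards.
    KRB5CCNAME="FILE:/tmp/ipa-check.$$"
    export KRB5CCNAME
    kinit -k -t /etc/krb5.keytab "host/$(hostname -f)@$REALM" && klist -s
    rc=$?
    kdestroy 2>/dev/null
    unset KRB5CCNAME
    return $rc
}
check_nss() {
    getent passwd "$TEST_USER" >/dev/null && id "$TEST_USER" >/dev/null
}
check_cert() {
    d=$(nssdb_dir_arg "$NSSDB") || return 1
    certutil -L -d "$d" | ca_trusted "$CA_NICK"
}

run_checks() {
    rc=0
    for c in check_dns check_krb check_nss check_cert; do
        if "$c"; then echo "PASS $c"; else echo "FAIL $c"; rc=1; fi
    done
    return $rc
}

# Live checks only run when asked for explicitly:  sh ipa-check.sh run
if [ "${1:-}" = run ]; then
    run_checks
fi
```

check_cert only tells you the CA was imported with CA trust; as Rob notes above, nothing on the client consumes that database by default, so a failure there does not affect logins, while a failure in check_nss (which is what the PAM stack will rely on) does.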