[Freeipa-users] headless ipa client join using kerberos ticket
Troels Hansen
th at casalogic.dk
Thu Aug 11 08:18:30 UTC 2016
I can see this has been discussed a lot here, but I still can't seem to find the correct answer, so bear with me if I'm asking a question already answered.
I'm trying to create a user that can be used for (headless) joining our RHEL clients to IPA.
Here is what has been done:
/etc/krb5.conf and /etc/ipa/ca.crt copied to the client.
A user created on IPA:
# ipa user-show joinipa
User login: joinipa
First name: Host
Last name: Adder
Home directory: /home/joinipa
Login shell: /bin/sh
Email address: joinipa@linux.dr.dk
UID: 10006
GID: 10006
Account disabled: False
Password: False
Member of groups: ipausers
Roles: joinipa
Kerberos keys available: True
has role joinipa
# ipa role-show "joinipa"
Role name: joinipa
Member users: joinipa
Privileges: Host Enrollment
The Host Enrollment privilege also has the 'System: Add Hosts' permission:
# ipa privilege-show "Host Enrollment"
Privilege name: Host Enrollment
Description: Host Enrollment
Permissions: System: Add Hosts, System: Add krbPrincipalName to a Host, System: Enroll a Host, System: Manage Host Certificates,
System: Manage Host Enrollment Password, System: Manage Host Keytab
Granting privilege to roles: joinipa
Get the keytab from IPA server (run on IPA server):
# ipa-getkeytab -s `hostname` -p joinipa@LINUX.DR.DK -k /tmp/joinipa.keytab
Keytab copied to IPA client:
kinit keytab:
# kinit joinipa@LINUX.DR.DK -kt joinipa.keytab
# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: joinipa@LINUX.DR.DK
Valid starting Expires Service principal
08/11/2016 10:12:33 08/12/2016 10:12:33 krbtgt/LINUX.DR.DK@LINUX.DR.DK
Try to join IPA server:
# ipa-join --server ipa01tst.linux.dr.dk
Failed to parse result: Insufficient access rights
Retrying with pre-4.0 keytab retrieval method...
Keytab successfully retrieved and stored in: /etc/krb5.keytab
Certificate subject base is: O=LINUX.DR.DK
Host gets created on IPA server, but what makes it fail?
If I try to join again I also get told it's already joined:
# ipa-join --server ipa01tst.linux.dr.dk
Host is already joined.
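The procedure described in the post above (a least-privilege join principal on the server, a keytab-only kinit on the client, then ipa-join), written out as one script. This is an added example, not code from the post or from the FreeIPA project. The server name, realm and user name are taken from the post; the keytab location /root/joinipa.keytab, the client hostname and the DRY_RUN switch are assumptions for illustration. The client side keeps the join ticket in its own credential cache, destroys it whether or not ipa-join succeeds, and then proves the enrolment by kinit-ing with the host principal from /etc/krb5.keytab.

```shell
#!/bin/sh
# headless-ipa-join.sh: enrol a RHEL client in FreeIPA with a dedicated
# join principal's keytab instead of an admin password.
# Added example, not from the original post. Server, realm and user come
# from the post; file paths, hostname and DRY_RUN are assumptions.
set -eu

IPA_SERVER="${IPA_SERVER:-ipa01tst.linux.dr.dk}"
REALM="${REALM:-LINUX.DR.DK}"
JOIN_USER="${JOIN_USER:-joinipa}"
JOIN_PRINC="${JOIN_USER}@${REALM}"
JOIN_KEYTAB="${JOIN_KEYTAB:-/root/joinipa.keytab}"   # assumed client-side path
KRB5_CONF="${KRB5_CONF:-/etc/krb5.conf}"
IPA_CA="${IPA_CA:-/etc/ipa/ca.crt}"
HOST_KEYTAB="${HOST_KEYTAB:-/etc/krb5.keytab}"
HOST_FQDN="${HOST_FQDN:-$(hostname -f 2>/dev/null || hostname 2>/dev/null || echo unknown-host)}"
DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1 prints each command instead of running it

run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Run on the IPA server as admin: a user whose only rights are the
# Host Enrollment privilege, exported to a keytab for the clients.
server_side_setup() {
  run ipa user-add "$JOIN_USER" --first Host --last Adder
  run ipa role-add "$JOIN_USER"
  run ipa role-add-privilege "$JOIN_USER" --privileges="Host Enrollment"
  run ipa role-add-member "$JOIN_USER" --users="$JOIN_USER"
  # ipa-getkeytab generates new keys for the principal: any password or
  # older keytab for this user stops working from this point.
  run ipa-getkeytab -s "$IPA_SERVER" -p "$JOIN_PRINC" -k "$JOIN_KEYTAB"
}

# Refuse to start unless everything ipa-join needs is in place and the
# join keytab (a credential) is not readable by other local users.
check_prereqs() {
  for f in "$KRB5_CONF" "$IPA_CA" "$JOIN_KEYTAB"; do
    [ -r "$f" ] || { echo "missing: $f" >&2; return 1; }
  done
  mode=$(stat -c %a "$JOIN_KEYTAB" 2>/dev/null \
         || stat -f %Lp "$JOIN_KEYTAB" 2>/dev/null || echo unknown)
  case "$mode" in
    600|400) return 0 ;;
    *) echo "refusing: $JOIN_KEYTAB has mode $mode, want 600" >&2; return 1 ;;
  esac
}

# Run on the client as root. The join ticket goes into its own cache so it
# never lands in the KEYRING collection and is destroyed whether or not
# ipa-join succeeds; the host keytab is then checked with a real kinit.
headless_join() {
  check_prereqs || return 1
  KRB5CCNAME="FILE:/tmp/krb5cc_join.$$"; export KRB5CCNAME
  run kinit -kt "$JOIN_KEYTAB" "$JOIN_PRINC"
  if run ipa-join --server "$IPA_SERVER" --hostname "$HOST_FQDN"; then
    rc=0
  else
    rc=$?
  fi
  run kdestroy
  [ "$rc" -eq 0 ] || return "$rc"
  # Prove the enrolment: the host principal in /etc/krb5.keytab must kinit.
  run kinit -kt "$HOST_KEYTAB" "host/${HOST_FQDN}@${REALM}"
  run kdestroy
}

case "${1:-}" in
  server) server_side_setup ;;
  client) headless_join ;;
esac
```

Usage: `./headless-ipa-join.sh server` once on the IPA server (as admin), copy the resulting keytab to each client with mode 600 alongside krb5.conf and ca.crt, then `./headless-ipa-join.sh client` on the client. `DRY_RUN=1 ./headless-ipa-join.sh client` shows the exact commands without touching the realm.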