
[Freeipa-devel] Notes on server to server sasl



I'm using the current HEAD code. My master is F9 x86_64 and my replica is F8 i386. For the most part, the setup documented here http://freeipa.org/page/InstallAndDeploy works pretty well.

Setup
1) I'm not using DNS, just testing with VMs, so I had to make sure my VMs were assigned a consistent IP address via dhcp, and edit /etc/hosts to use the fqdn.
2) I did not assign a hostname at install time, so I had to edit /etc/sysconfig/network to assign the hostname and reboot. Probably could have done that with dhcp too (anyone know how?)
3) I had to edit the firewall settings to allow 389 and 636 tcp (and udp for good measure) on both the master and replica.
4) I added the --no-host-dns option to ipa-server-install, but I'll need to add that to several other ipa- cmd line tools as well. I just hacked them instead to pass in verify_fqdn(name, True).

Notes
1) ipa-replica-install did not add a replication agreement from the replica to the master, but it configured the replica as a master (for MMR). Is this expected?
2) There was no principal for ldap/fqdn of replica REALM. Do I have to add this manually? I did anyway and it made kerberos happier (but not work) with replication, but it seemed to break lots of stuff on the replica (could no longer ldapsearch -Y GSSAPI on the replica, could not ipa-finduser on the replica).

* Server to Server SASL/GSSAPI
I modified Fedora DS to do SASL/GSSAPI bind for replication from the master to the replica. I then had to modify /etc/sysconfig/dirsrv to do the following:
kinit -k -t /etc/dirsrv/ds.keytab ldap/fqdn of master REALM
parse klist to get the tgt filename
export KRB5CCNAME=tgtfilename
chown dirsrv:dirsrv $KRB5CCNAME

I then had to add the ldap host principal for ldap/fqdn of replica REALM (not sure why it wasn't there?). After startup, the master attempts to do a SASL/GSSAPI bind to the replica, and gets this error in the kdc5krb log on the master: NO PREAUTH: authtime xxxx, ldap/fqdn of master REALM for ldap/fqdn of replica REALM, Generic error (see e-text)

Is what I'm trying to do possible within the IPA kerberos framework?

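The credential-cache setup the post describes for /etc/sysconfig/dirsrv (kinit from the DS keytab as the ldap/ service principal, find the ticket cache file, export KRB5CCNAME, chown the cache to the dirsrv user) as an added shell example. This is not code from the original post or from FreeIPA/Fedora DS. It goes one step beyond the post: instead of parsing klist to discover the cache filename after the fact, it tells kinit the cache path up front via KRB5CCNAME, so the file is known and can be chowned and restricted to the dirsrv user. The keytab path, principal name, dirsrv user, cache path and the sample klist output are assumptions constructed for the example; the klist parser is kept for the case where the cache location is not controlled.

```shell
#!/bin/sh
# Added example (not from the original post or the FreeIPA project):
# obtain a TGT for the DS ldap/ service principal into a cache file that
# the dirsrv process can read, the way the post's /etc/sysconfig/dirsrv
# hack does, but with an explicit cache path.
#
# Assumed placeholders (override via environment):
KEYTAB="${KEYTAB:-/etc/dirsrv/ds.keytab}"
PRINC="${PRINC:-ldap/master.example.com@EXAMPLE.COM}"   # assumed fqdn/realm
DS_USER="${DS_USER:-dirsrv}"
DS_CCACHE="${DS_CCACHE:-/var/run/dirsrv/krb5cc_dirsrv}"  # assumed location

# Extract the cache file path from klist output of the form
# "Ticket cache: FILE:/path". Returns an empty string if not found.
ccache_from_klist() {
    printf '%s\n' "$1" | sed -n 's/^Ticket cache: *FILE:\(.*\)$/\1/p' | head -n 1
}

# Extract the default principal from klist output, to verify the cache
# actually holds the service principal we expect before handing it to DS.
principal_from_klist() {
    printf '%s\n' "$1" | sed -n 's/^Default principal: *\(.*\)$/\1/p' | head -n 1
}

# Run kinit from the keytab into an explicit cache file, then make the file
# owned by and readable only by the dirsrv user and export KRB5CCNAME for
# the DS process. Returns nonzero if kinit is missing or fails.
acquire_ds_tgt() {
    command -v kinit >/dev/null 2>&1 || { echo "kinit not found" >&2; return 1; }
    KRB5CCNAME="FILE:$DS_CCACHE" kinit -k -t "$KEYTAB" "$PRINC" || return 1
    chown "$DS_USER:$DS_USER" "$DS_CCACHE" || return 1
    chmod 600 "$DS_CCACHE" || return 1
    export KRB5CCNAME="FILE:$DS_CCACHE"
    # Sanity check: the cache must belong to the principal we asked for.
    got=$(principal_from_klist "$(klist 2>/dev/null)")
    [ "$got" = "$PRINC" ] || { echo "unexpected principal in cache: $got" >&2; return 1; }
}

# Constructed sample klist output, used so the parsing functions can be
# exercised offline without a KDC.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ldap/master.example.com@EXAMPLE.COM

Valid starting     Expires            Service principal
05/01/08 10:00:00  05/02/08 10:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM'

# Offline demonstration of the parsing step from the post.
echo "cache file : $(ccache_from_klist "$SAMPLE_KLIST")"
echo "principal  : $(principal_from_klist "$SAMPLE_KLIST")"

# Only talk to a real KDC when asked explicitly (e.g. from the init script).
if [ "${1:-}" = "--acquire" ]; then
    acquire_ds_tgt || exit 1
fi
```

Calling the script with --acquire from /etc/sysconfig/dirsrv (or a wrapper around the init script) leaves KRB5CCNAME pointing at a cache the dirsrv user owns; without the argument it only runs the parsers against the constructed sample.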

