[Freeipa-users] manual client join

Dmitri Pal dpal at redhat.com
Sat Dec 3 18:56:25 UTC 2011


On 11/30/2011 03:59 PM, Rob Crittenden wrote:
> Stephen Ingram wrote:
>> Rob-
>>
>> On Wed, Nov 30, 2011 at 12:04 PM, Rob
>> Crittenden<rcritten at redhat.com>  wrote:
>>> Retrieve the CA certificate for the FreeIPA CA.
>>>
>>> # wget -O /etc/ipa/ca.crt http://ipa.example.com/ipa/config/ca.crt
>>>
>>> Create a separate Kerberos configuration to test the provided
>>> credentials.
>>> This enables a Kerberos connection to the FreeIPA XML-RPC server,
>>> necessary
>>> to join the FreeIPA client to the FreeIPA domain. This Kerberos
>>> configuration is ultimately discarded.
>>>
>>> - Basically just copy a working krb5.conf to /etc/krb5.conf and set
>>> up sssd
>>> or nss_ldap as documented.
>>>
>>> # kinit admin
>>> # ipa-join -s ipa.example.com -b dc=example,dc=com
>>>
>>> Or if using a one-time password you can skip the kinit and do
>>>
>>> # ipa-join -s ipa.example.com -b dc=example,dc=com -w Secret123
>>>
>>> ipa-join lets IPA know a host is enrolled and retrieves a host
>>> principal and
>>> stores it into /etc/krb5.keytab.
>>>
>>> Enable certmonger, retrieve an SSL server certificate, and install the
>>> certificate in /etc/pki/nssdb.
>>>
>>> # service messagebus start
>>> # service certmonger start
>>> # certutil -A -d /etc/pki/nssdb -n 'IPA CA' -t CT,C,C -a -i
>>> /etc/ipa/ca.crt
>>> # ipa-getcert request -d /etc/pki/nssdb -n 'IPA Machine Certificate -
>>> client.example.com' -N 'cn=client.example.com,O=EXAMPLE.COM' -K
>>> host/client.example.com@EXAMPLE.COM
>>>
>>> Disable the nscd daemon.
>>>
>>> # service nscd stop
>>> # chkconfig nscd off
>>
>> Thanks, but aren't some of these steps assuming that ipa-client has
>> been installed on the system? For instance, instead of "# ipa-join -s
>> ipa.example.com -b dc=example,dc=com -w Secret123", can't I instead
>> use kadmin to retrieve the keytab and then securely copy it over to
>> the client system? And, in the case of the ca.crt, if IPA
>> itself is not installed, the ca would not go to /etc/ipa/ca.crt, no? I
>> realize that I will lose functionality by not having ipa-client, but
>> just trying to build a case for supporting legacy systems that I would
>> never want to take the time to adapt ipa-client for.
>>
>> Steve
>
> The only part assuming that is ipa-join itself. IPA does not support
> the direct use of kadmin or kadmin.local. On a supported platform
> you'd run:
>
> # ipa-getkeytab -s ipa.example.com -k /tmp/remote.keytab -p
> host/remote.example.com
>
> Then ship /tmp/remote.keytab to the machine and either use ktutil to
> combine it with /etc/krb5.keytab or replace krb5.keytab with it (and
> fix owner and permissions, and potentially SELinux context).
>
> certmonger gets its IPA configuration from /etc/ipa/default.conf. If
> you don't want or have certmonger then you can skip the CA bit
> altogether. Otherwise you'll need to copy in a working config.
>

Should any part of this be documented?

> rob


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
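The keytab hand-off Rob describes above (ipa-getkeytab on a supported host, ship /tmp/remote.keytab, then fix owner, permissions and SELinux context on the client) is the step of a manual join that fails silently most often: a keytab with the wrong principal, an old kvno, or group-readable mode still "works" until the first ticket request or the first audit. As an added example, not part of this thread and not FreeIPA's own tooling, here is a Python check an admin can run on the shipped keytab before it replaces or is merged into /etc/krb5.keytab. It parses the MIT keytab format (version 0x0502) to list the principals, kvnos and encryption types it holds, and checks that the file is owned by the expected user, is not group/other readable, and contains the expected host principal with at least one non-deprecated enctype. The principal name, the sample keytab builder and its dummy key bytes are constructed for the demonstration; the SELinux context is left to restorecon and is not checked here.

```python
"""Check a keytab shipped for a manual FreeIPA client join before it
replaces /etc/krb5.keytab: parse the MIT keytab format to list the
principals it holds and verify file ownership and permissions."""
import os
import stat
import struct
import tempfile

# Kerberos encryption type numbers (RFC 3961, RFC 3962, RFC 4757).
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}
WEAK_ENCTYPES = {1, 3, 23}   # single DES and RC4: should not be the only keys


def _counted_string(buf, pos):
    """Read a uint16 length-prefixed byte string from buf at pos."""
    (length,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return buf[pos:pos + length], pos + length


def parse_keytab(data):
    """Parse MIT keytab bytes (format version 0x0502) into entry dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 MIT keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:            # negative size marks a deleted slot
            pos += -size
            continue
        if size == 0:
            break
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _counted_string(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted_string(data, pos)
            comps.append(comp.decode())
        # name type (4), timestamp (4), 8-bit kvno (1)
        _name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, keylen = struct.unpack_from(">HH", data, pos)
        pos += 4 + keylen       # skip the key material itself
        kvno = vno8
        if end - pos >= 4:      # optional 32-bit kvno overrides vno8 when non-zero
            (kvno32,) = struct.unpack_from(">I", data, pos)
            kvno = kvno32 or vno8
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "kvno": kvno, "enctype": enctype,
            "enctype_name": ENCTYPE_NAMES.get(enctype, str(enctype)),
            "timestamp": timestamp, "key_length": keylen,
        })
        pos = end
    return entries


def check_keytab_file(path, expected_principal, expected_uid=0):
    """Return a list of problems with the keytab file; an empty list means OK."""
    problems = []
    st = os.stat(path)
    if st.st_uid != expected_uid:
        problems.append(f"owner uid {st.st_uid}, expected {expected_uid}")
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:
        problems.append(f"mode {oct(mode)} is readable by group/other")
    with open(path, "rb") as fh:
        entries = parse_keytab(fh.read())
    principals = {e["principal"] for e in entries}
    if expected_principal not in principals:
        problems.append(f"{expected_principal} not in keytab ({sorted(principals)})")
    if entries and all(e["enctype"] in WEAK_ENCTYPES for e in entries):
        problems.append("keytab holds only weak encryption types")
    return problems


def check_keytab_bytes(data, expected_principal, mode=0o600):
    """Write keytab bytes to a temp file with the given mode, owned by the
    current user, and run check_keytab_file on it (used by the demo below)."""
    fd, path = tempfile.mkstemp()
    try:
        os.write(fd, data)
        os.close(fd)
        os.chmod(path, mode)
        return check_keytab_file(path, expected_principal, expected_uid=os.getuid())
    finally:
        os.unlink(path)


def build_sample_keytab(principal, kvno, enctype, key):
    """CONSTRUCTED fixture: a one-entry keytab for `principal`. The key bytes
    are dummies; this builds a file layout, not real key material."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    body += struct.pack(">H", len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", 1, 1322936185, kvno & 0xFF)  # NT_PRINCIPAL, time, vno8
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)
    return b"\x05\x02" + struct.pack(">i", len(body)) + body


if __name__ == "__main__":
    sample = build_sample_keytab("host/remote.example.com@EXAMPLE.COM", 2, 18, b"\x00" * 32)
    for e in parse_keytab(sample):
        print(e["principal"], "kvno", e["kvno"], e["enctype_name"])
    print("problems:", check_keytab_bytes(sample, "host/remote.example.com@EXAMPLE.COM", 0o644))
```

On a real client run `check_keytab_file("/tmp/remote.keytab", "host/<client fqdn>@<REALM>")` as root before the ktutil merge; the same principal and kvno should also appear in `klist -kt` output, and a kvno that differs from what the KDC holds (for example after a second ipa-getkeytab on another host, which rotates the key) means the shipped file is already stale.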

