[Freeipa-users] Fwd: manual client join

Rob Crittenden rcritten at redhat.com
Mon Dec 5 20:49:39 UTC 2011


Stephen Ingram wrote:
> On Wed, Nov 30, 2011 at 12:59 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>>
>> The only part assuming that is ipa-join itself. IPA does not support the
>> direct use of kadmin or kadmin.local. On a supported platform you'd run:
>>
>> # ipa-getkeytab -s ipa.example.com -k /tmp/remote.keytab -p
>> host/remote.example.com
>>
>> Then ship /tmp/remote.keytab to the machine and either use ktutil to combine
>> it with /etc/krb5.keytab or replace krb5.keytab with it (and fix owner and
>> permissions, and potentially SELinux context).
>
> OK, got it. I can use the FreeIPA system itself to grab these for host
> and services and then the new remote machine will have all the principals it
> requires to work within the FreeIPA realm.

Yup.

>
>> certmonger gets its IPA configuration from /etc/ipa/default.conf. If you
>> don't want or have certmonger then you can skip the CA bit altogether.
>> Otherwise you'll need to copy in a working config.
>
> OK, this requires certmonger. If I still want FreeIPA-signed cert (say
> I need to talk SSL to FreeIPA directory for mail server config
> purposes e.g. check existence of email address) without certmonger, I
> can use certmonger on FreeIPA server or UI to sign csr generated using
> nss on remote system and then transport cert to remote system and
> manually install for apache, ldap client, etc., right?

You don't need certmonger to have SSL certs, it just makes it easier to 
request and manage them (because of the auto-renewal features).

To do it manually just do something like this to get a cert for a web 
server. IPA server here is really any machine with admintools package 
installed.

remote system:
generate CSR using openssl or certutil, save as PEM file, ship to IPA host.

With NSS I do:

certutil -R -s "CN=remote.example.com,O=EXAMPLE.COM" -d /path/to/database/dir -a > example.csr

Be sure that the CN value is the FQDN of your server.

IPA server:
# ipa cert-request --principal HTTP/remote.example.com /path/to/csr.pem
# ipa service-show --out=/tmp/service.crt HTTP/remote.example.com

Your cert will be in /tmp/service.crt and PEM formatted for easy use. 
The output of cert-request is just a base64 blob.

> I'm not trying to supplant FreeIPA here. Obviously the best (and
> almost effortless) solution is to have freeipa-client and certmonger
> on system, however, if I'm stuck with an older version of Redhat or
> some other OS that just doesn't conveniently support FreeIPA, I just
> want to be able to get a cert and necessary principals to be able to
> easily work within FreeIPA realm. I also sort of like to know how
> everything works in more detail just in case something breaks and I
> have to make manual adjustments.

This may be handy to augment the IPA documentation too if you want to 
donate back your findings :-)

cheers

rob
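The manual, certmonger-free join Rob walks through above, as an added shell example that is not from the post or from the FreeIPA project; FQDN, REALM and IPA_SERVER are assumed values, and the remote side uses openssl in place of certutil.

```shell
#!/bin/sh
# Added example, not code from the list post: the manual, certmonger-free
# join Rob describes, as remote-side and IPA-side shell functions. Assumed
# values: FQDN, REALM, IPA_SERVER; ipa/ipa-getkeytab run where admintools is.
set -eu
FQDN="remote.example.com"      # assumed hostname of the machine being joined
REALM="EXAMPLE.COM"            # assumed IPA realm
IPA_SERVER="ipa.example.com"   # assumed IPA server
# CSR subject; the CN must be the FQDN of the server.
csr_subject() { printf 'CN=%s,O=%s' "$1" "$2"; }
# Sanity check before asking the CA: a short name or stray dot in the CN
# gets the request rejected or yields a cert nothing will trust.
is_fqdn() {
    case "$1" in
        ""|.*|*.|*..*) return 1 ;;
        *.*)           return 0 ;;
        *)             return 1 ;;
    esac
}
# remote system: key + PEM CSR with OpenSSL (same role as the certutil -R step)
make_csr() {   # $1 = fqdn, $2 = realm, $3 = output dir
    is_fqdn "$1" || { echo "CN must be a FQDN, got '$1'" >&2; return 1; }
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1/O=$2" \
        -keyout "$3/$1.key" -out "$3/$1.csr"
    chmod 600 "$3/$1.key"
}
# IPA side: sign the CSR, then fetch the PEM cert (cert-request itself only
# prints a base64 blob, hence service-show --out).
request_cert() {   # $1 = fqdn, $2 = csr path, $3 = output cert path
    ipa cert-request --principal "HTTP/$1" "$2" >/dev/null
    ipa service-show --out="$3" "HTTP/$1" >/dev/null
}
# IPA side: host and HTTP keys into one keytab (ipa-getkeytab appends).
# Caveat: each call generates a NEW key, so any keytab previously issued
# for that principal stops working as soon as this runs.
fetch_keytabs() {   # $1 = fqdn, $2 = keytab path
    ipa-getkeytab -s "$IPA_SERVER" -k "$2" -p "host/$1"
    ipa-getkeytab -s "$IPA_SERVER" -k "$2" -p "HTTP/$1"
}
# remote system: install the shipped keytab with owner, mode and SELinux label
install_keytab() {   # $1 = shipped keytab
    install -o root -g root -m 600 "$1" /etc/krb5.keytab
    if command -v restorecon >/dev/null 2>&1; then restorecon /etc/krb5.keytab; fi
}
# remote system: confirm the returned cert really belongs to the key we made
cert_matches_key() {   # $1 = cert PEM, $2 = key PEM
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}
```

Run make_csr on the remote host, request_cert and fetch_keytabs on the machine with the admintools package, then ship the cert and keytab back and finish with install_keytab and cert_matches_key.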
