[Freeipa-users] Connecting Ubuntu to IPA - one last important step!

Sigbjorn Lie sigbjorn at nixtra.com
Thu Jun 9 17:38:42 UTC 2011


Sorry, forgot one last, very important thing. Use ipa-getkeytab on an IPA 
server to retrieve the keytab for the host, and copy this to 
/etc/krb5.keytab on the Ubuntu client.

[root@ipa1 ~]# ipa-getkeytab -s ipa1.ix.test.com -p host/ubuntu-client.ix.test.com -k /tmp/buntuclient_krb5.keytab

If you prefer you can use something like CFengine to automate the whole 
process.


Rgds,
Siggi.
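The keytab step described above, as an added example that is not part of the thread or of FreeIPA itself: a POSIX sh script that builds the ipa-getkeytab command, installs the fetched file as /etc/krb5.keytab owned by root with mode 0600, and checks the host principal with klist/kinit. The function names, the realm-equals-upper-cased-domain rule and the GNU stat call are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): install a host keytab fetched with
# ipa-getkeytab on the client and sanity-check it before relying on it.
# Assumptions: realm is the DNS domain upper-cased (ix.test.com -> IX.TEST.COM),
# GNU stat is available, klist/kinit come from krb5-user when installed.

# Host principal for a client FQDN, e.g. host/ubuntu-client.ix.test.com@IX.TEST.COM
host_principal() {
    fqdn=$1
    realm=$(printf '%s' "${fqdn#*.}" | tr '[:lower:]' '[:upper:]')
    printf 'host/%s@%s\n' "$fqdn" "$realm"
}

# The command the thread runs on the IPA server. Caveat: ipa-getkeytab
# generates a NEW key for the principal, so any keytab previously issued for
# this host stops working; fetch once and copy the file over scp/ssh only.
getkeytab_cmd() {
    # $1 = IPA server, $2 = client FQDN, $3 = output file
    printf 'ipa-getkeytab -s %s -p host/%s -k %s\n' "$1" "$2" "$3"
}

# A keytab is a long-term secret: it must be owned by root and unreadable by
# anyone else. Returns 0 when $1 has mode 0600 and owner $2 (default root).
check_keytab() {
    path=$1; owner=${2:-root}
    [ -f "$path" ] || return 1
    set -- $(stat -c '%a %U' "$path")
    [ "$1" = "600" ] && [ "$2" = "$owner" ]
}

# Copy the fetched keytab into place with safe permissions, then verify it.
install_keytab() {
    src=$1; dest=${2:-/etc/krb5.keytab}; fqdn=$3
    install -o root -g root -m 0600 "$src" "$dest" || return 1
    check_keytab "$dest" root || return 1
    if command -v klist >/dev/null 2>&1; then
        # the keytab must actually contain this host's principal ...
        klist -k "$dest" | grep -q "$(host_principal "$fqdn")" || return 1
        # ... and the KDC must accept the key (throwaway credential cache)
        KRB5CCNAME=/tmp/ktcheck.$$ kinit -k -t "$dest" "$(host_principal "$fqdn")" || return 1
        KRB5CCNAME=/tmp/ktcheck.$$ kdestroy
    fi
}
```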

On 06/09/2011 07:21 PM, Sigbjorn Lie wrote:
> Hi,
>
> I've connected and used IPA successfully with Ubuntu 10.04, 10.10, and 
> 11.04. NFS4+KRB successfully in 10.10 and 11.04.
>
> Install the packages below, substitute libpam-ldap for libpam-ldapd if 
> you prefer PADL's ldap library which can use groups within groups for 
> user accounts. ldapd can't, however it offers a daemon which connects 
> to an LDAP server, and works around issues such as Thunderbird 
> crashing, etc. I have not been able to get the sssd that comes with 
> Ubuntu to work.
>
> Copy /etc/ipa/ca.crt from the IPA host to /etc/ipa/ca.crt on the 
> Ubuntu host.
>
> Replace /etc/krb5.conf, /etc/ntp.conf, /etc/ldap.conf (make 
> /etc/ldap/ldap.conf a symlink to /etc/ldap.conf), /etc/idmapd.conf 
> (nfs4), /etc/nslcd.conf, /etc/default/autofs, /etc/nsswitch.conf, 
> /etc/default/nfs-common. See attached files for examples.
>
> Add the following to /etc/ssh/sshd_config:
> GSSAPIAuthentication yes
> GSSAPICleanupCredentials yes
>
> And the following to /etc/ssh/ssh_config:
> Host *
>     GSSAPIAuthentication yes
>     GSSAPIDelegateCredentials yes
>
> Run this command to make sure ldap+krb has been configured in PAM 
> after the packages have been installed:
> $ /usr/sbin/pam-auth-update --package --force
>
> This gives you an Ubuntu system configured for IPA with autofs and 
> nfs4+krb5, and ssh krb ticket forwarding. Looking forward to when SSSD 
> comes in version 1.5.x in Ubuntu! :)
>
> I've set the ldap timeouts very low so you might need tweaking for 
> this to work over a WAN/slow link, but it makes the client much more 
> responsive if your first listed IPA/LDAP server becomes unavailable.
>
>
> Packages:
>         autofs5                 action=install
>         autofs5-ldap            action=install
>         krb5-user               action=install
>         krb5-clients            action=install
>         nfs-client              action=install
>         nfs4-acl-tools          action=install
>         ldap-auth-config        action=install
>         ldap-utils              action=install
>         #libpam-ldap            action=install
>         libpam-ldapd            action=install
>         libpam-krb5             action=install
>         libpam-ccreds           action=install
>         libpam-foreground       action=install
>         libnss-ldap             action=install
>         nscd                    action=install
>         ntp                     action=install
>
>
>
> Rgds,
> Siggi
>
>
>
> On 06/09/2011 02:43 AM, Steven Jones wrote:
>> Hi,
>>
>> I am still trying to figure out getting ubuntu connected....
>>
>> So to get a non-rhel client computer into freeipa the first thing I 
>> have to do is make a client computer instance in freeipa first? or 
>> doesn't it matter? i.e. can a non rhel client only do authentication or 
>> can it be acted upon fully as per a rhel client?
>>
>> Are there certificates for ssl or something that have to be copied 
>> over to the client(s)?
>>
>> I don't have it working yet beyond I can do a kinit as admin and give 
>> a password and then do klist etc....
>>
>> :/
>>
>> It's proving very painful....
>>
>> regards
>>
>> Steven
>>
>>
>> 8><----
>>
>> Maybe this article could be a good jumping-off point?
>> http://www.aput.net/~jheiss/krbldap/howto.html
>>
>> It's pretty old, but seems to bring together many things and overview 
>> them well, with enough static examples to give you a feel for what 
>> you're getting into.
>>
>> 8><---
>>
>> thanks, it's helping.
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
