[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [Freeipa-users] Connecting Ubuntu to IPA - one last important step!



Sorry, forgot one last, very important thing. Use ipa-getkeytab on a IPA server to retrieve the keytab for the host, and copy this to /etc/krb5.keytab on the Ubuntu client.

[root ipa1 ~]# ipa-getkeytab -s ipa1.ix.test.com -p host/ubuntu-client.ix.test.com -k /tmp/buntuclient_krb5.keytab

If you prefer you can use something like CFengine to automate the whole process.


Rgds,
Siggi.

On 06/09/2011 07:21 PM, Sigbjorn Lie wrote:
Hi,

I've connected and used IPA successfully with Ubuntu 10.04, 10.10, and 11.04. NFS4+KRB successfully in 10.10 and 11.04.

Install the packages below, substitute libpam-ldap for libpam-ldapd if you prefer PADL's ldap liberary which can use groups within groups for user accounts. ldapld can't, however it offers a daemon which connect to a LDAP server, and workaround for such as issues with Thunderbird crashing, etc. I have not been able to get the sssd that comes with Ubuntu to work.

Copy /etc/ipa/ca.crt from the IPA host to /etc/ipa/ca.crt on the Ubuntu host.

Replace /etc/krb5.conf, /etc/ntp.conf, /etc/ldap.conf (make /etc/ldap/ldap.conf a symlink to /etc/ldap.conf), /etc/idmapd.conf (nfs4), /etc/nslcd.conf, /etc/default/autofs, /etc/nsswitch.conf, /etc/default/nfs-common. See attached files for examples.

Add the following to /etc/ssh/sshd_config:
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

And the following to /etc/ssh/ssh_config:
Host *
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

Run this command to make sure ldap+krb has been configured in PAM after the packages has been installed: $ /usr/sbin/pam-auth-update --package --force

This gives you a Ubuntu system configured for IPA with autofs and nfs4+krb5, and ssh krb ticket forwarding. Looking forward to when SSSD comes in version 1.5.x in Ubuntu! :)

I've set the ldap timeouts very low so you might need tweaking for this to work over a WAN/slow link, but it makes the client much more responsive if your first listed IPA/LDAP server becomes unavailable.


Packages:
        autofs5                 action=""
        autofs5-ldap            action=""
        krb5-user               action=""
        krb5-clients            action=""
        nfs-client              action=""
        nfs4-acl-tools          action=""
        ldap-auth-config        action=""
        ldap-utils              action=""
        #libpam-ldap            action=""
        libpam-ldapd            action=""
        libpam-krb5             action=""
        libpam-ccreds           action=""
        libpam-foreground       action=""
        libnss-ldap             action=""
        nscd                    action=""
        ntp                     action=""



Rgds,
Siggi



On 06/09/2011 02:43 AM, Steven Jones wrote:
Hi,

I am still tryig to figure getting ubuntu connected....

So to get a non-rhel client computer into freeipa the first thing I have to do is make a client computer instance in freepia first? or doesnt it matter? ie can a non rhel client only do authentication or can it be acted upon fully as per a rhel client?

Are there certificates for ssl or something that have to be copied over to the client(s)?

I dont have it working yet beyond I can do a kinit and admin and give a password and then do klist etc....

:/

Its proving very painful....

regards

Steven


8><----

Maybe this article could be a good jumping-off point?
http://www.aput.net/~jheiss/krbldap/howto.html

It's pretty old, but seems to bring together many things and overview them well, with enough static examples to give you a feel for what you're getting into.

8><---

thanks, its helping.

_______________________________________________
Freeipa-users mailing list
Freeipa-users redhat com
https://www.redhat.com/mailman/listinfo/freeipa-users

_______________________________________________ Freeipa-users mailing list Freeipa-users redhat com https://www.redhat.com/mailman/listinfo/freeipa-users


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]