Talk:HOWTO: Attach a system to auth.sshchicago.org

Revision as of 15:59, 30 March 2014 by Cswingler (talk | contribs)

Raspbian Notes

Manual setup notes are at https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/linux-manual.html

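For systems where the freeipa-client package is not available (in particular, Raspbian), you can set things up manually. Here's my history transcript from an attempt. It is an unedited record, so it includes typos and commands that failed before the corrected version was run. Note that the CA certificate is downloaded over plain HTTP in this transcript, so check its fingerprint against the IPA server before trusting it: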

  # Raw shell history from one manual enrolment attempt. It is a record, not a
  # script: typos and failed commands are kept, each followed by the corrected one.
  17  apt-cache search sssd
  # Typo in the second package name (ssd-tools); corrected on the next line.
  18  apt-get install sssd ssd-tools
  19  apt-get install sssd sssd-tools
  20  hostname -fqdn
  21  hostname --fqdn
  22  /sbin/ifconfig 
  23  /sbin/ifconfig 
  24  cd /etc/
  25  ls
  # Install the host keytab as /etc/krb5.keytab (relative to the cd above) and
  # restrict it to root with mode 0600. The cp leaves the original under
  # /home/user; the transcript does not show it being removed -- TODO confirm
  # that copy was cleaned up.
  26  cp /home/user/debian6fipatest.chrisswingler.com.keytab krb5.keytab
  27  chown root:root /etc/krb5.keytab 
  28  chmod 0600 /etc/krb5.keytab 
  # SELinux labelling step. NOTE(review): presumably has no effect unless
  # SELinux is enabled on this host -- confirm.
  29  chcon 
  30  chcon system_u:object_r:krb5_keytab_t:s0 /etc/krb5.keytab
  # NOTE: the file name is missing an s here (ssd.conf); it is renamed to
  # sssd.conf at history 146.
  31  vi /etc/sssd/ssd.conf
  32  vim /etc/sssd/ssd.conf
  33  apt-cache search vim
  34  apt-cache install vim
  35  apt-get install vim
  36  vim /etc/sssd/ssd.conf
  37  vim /etc/nsswitch.conf 
  38  vim /etc/krb5.conf
  39  cd /etc/pam.d/
  40  ls
  41  apt-cache search system | grep pam
  42  ls
  43  vim passwd 
  44  locate sss
  45  apt-cache search sss
  46  apt-get install libpam-sss
  47  ls
  48  less passwd 
  49  vim common-password 
  50  grep auth *
  51  vim common-auth 
  52  pam-auth-update 
  53  pam-auth-update 
  # The first download runs before /etc/ipa exists (mkdir at 55), so it is
  # repeated at 56.
  # NOTE(review): the CA certificate is fetched over plain HTTP and is then
  # added as a trusted CA below; nothing in the transcript verifies it. Compare
  # its fingerprint with the IPA server out of band before trusting it.
  54  wget -O /etc/ipa/ca.cert http://dir.chrisswingler.com/ipa/config/ca.crt
  55  mkdir -p /etc/ipa
  56  wget -O /etc/ipa/ca.cert http://dir.chrisswingler.com/ipa/config/ca.crt
  # Adds the downloaded certificate to the NSS database with CA trust flags
  # (-t CT,C,C). The input path says ca.crt while the file was saved as
  # ca.cert; the mv at 62 reconciles the two names.
  57  certutil -A -d /etc/pki/nssdb -n "IPA CA" -t CT,C,C -a -i /etc/ipa/ca.crt
  58  apt-cache search certutil
  59  apt-get install libnss3-tools
  60  certutil -A -d /etc/pki/nssdb -n "IPA CA" -t CT,C,C -a -i /etc/ipa/ca.crt
  61  cat /etc/ipa/ca.cert 
  62  mv /etc/ipa/ca.cert /etc/ipa/ca.crt
  63  certutil -A -d /etc/pki/nssdb -n "IPA CA" -t CT,C,C -a -i /etc/ipa/ca.crt
  64  certutil -A -d /etc/pki/nssdb -n "IPA CA" -t CT,C,C -a -i /etc/ipa/ca.crt
  65  apt-cache search ca-certificates
  66  apt-cache install ca-certificates
  67  apt-get install ca-certificates
  68  cd /etc/ca-certificates/
  69  ls
  70  updatedb
  71  locate nssdb
  72  apt-cache search nss
  73  apt-cache search nssd
  74  apt-cache install certmonger
  75  apt-get install certmonger
  76  updatedb
  77  locate nssdb
  78  certutil -A -d /etc/pki/nssdb -n "IPA CA" -t CT,C,C -a -i /etc/ipa/ca.crt
  79  cd /etc/
  80  ls
  81  vim certmonger/certmonger.conf 
  82  cd /etc/default/
  83  ls
  84  cat cacerts 
  85  cd /etc/ss
  86  cd /etc/ssl/
  87  ls
  88  cd certs/
  89  ls
  90  history | grep wget
  # Same plain-HTTP download, this time into /etc/ssl/certs; the verification
  # caveat at history 54 applies here as well.
  91  wget -O /etc/ssl/certs/dir.chrisswingler.com.crt http://dir.chrisswingler.com/ipa/config/ca.crt
  92  ls
  93  file *
  94  /etc/init.d/certmonger status
  95  /etc/init.d/certmonger restart
  # Requests a certificate nicknamed Server-Cert into the NSS database at
  # /etc/pki/nssdb for the HOST principal of this machine. The first attempt
  # precedes the creation of /etc/pki (mkdir at 97) and is repeated at 98.
  96  ipa-getcert request -d /etc/pki/nssdb -n Server-Cert -K HOST/$(hostname --fqdn) -N 'CN=debian6fipatest.chrisswingler.com,O=CHRISSWINGLER.COM'
  97  mkdir /etc/pki
  98  ipa-getcert request -d /etc/pki/nssdb -n Server-Cert -K HOST/$(hostname --fqdn) -N 'CN=debian6fipatest.chrisswingler.com,O=CHRISSWINGLER.COM'
  99  apt-get install libnss-ldapd libnss-ldap
 100  history | grep certutil
 101  mkdir -p /etc/pki
  # Several attempts at creating the NSS database follow (certutil -N), the
  # first with a typo in the command name.
  # NOTE(review): some attempts use the sql: prefix and some do not, while the
  # -A calls never use it; depending on the NSS version these may refer to
  # different database formats -- confirm which database holds the IPA CA.
 102  crtutil -N -d sql:/etc/pki/nssdb
 103  certutil -N -d sql:/etc/pki/nssdb
 104  man certutil
 105  certutil --help
 106  certutil --help | less
 107  certutil --help | less
 108  certutil --help | less
 109  certutil --help 2>&1 | less
 110  certutil -N -d /etc/pki/
 111  certutil -A -d /etc/pki/nssdb -n "IPA CA" -t CT,C,C -a -i /etc/ipa/ca.crt
 112  certutil -N -d sql:/etc/pki/nssdb
 113  certutil -N  -d /etc/pki/nssdb
 114  certutil -N -d /etc/pki/nssdb
 115  file /etc/pki/nssdb
 116  certutil -d/etc/pki/nssdb -N
 117  mkdir -p /etc/pki/nssdb
 118  certutil -N -d sql:/etc/pki/nssdb
  # Removes the files directly under /etc/pki (no -r, so directories stay);
  # presumably the database files left by the -d /etc/pki/ call at 110 -- confirm.
 119  rm /etc/pki/*
 120  certutil -A -d /etc/pki/nssdb -n "IPA CA" -t CT,C,C -a -i /etc/ipa/ca.crt
 121  history | grep getcert
 122  ipa-getcert request -d /etc/pki/nssdb -n Server-Cert -K HOST/$(hostname --fqdn) -N 'CN=debian6fipatest.chrisswingler.com,O=CHRISSWINGLER.COM'
  # Checks whether directory users resolve through NSS (getent, id).
 123  getent plug1
 124  getent passwd
 125  getent 
 126  id plug2
 127  cd /etc/pam.d/
 128  ls
  # grep without a file argument reads stdin, so it is retried with a glob on
  # the next line.
 129  grep sss &
 130  grep sss *&
 131  tail /var/log/messages 
 132  grep cswingler /var/log/messages 
 133  cd /var/log/
 134  ls
 135  grep cswingler *
 136  cd sssd/
 137  ls
 138  ls -l
 139  cd ..
 140  ls
 141  /etc/init.d/sssd status
  # sssd is started here while the config file still has the wrong name; the
  # rename (146) and chmod 600 (148, owner-only access) follow, and the service
  # is started again at 149.
 142  /etc/init.d/sssd start
 143  tail /var/log/messages 
 144  tail /var/log/daemon.log 
 145  cd /etc/sssd/
 146  mv ssd.conf sssd.conf
 147  stat sssd.conf 
 148  chmod 600 sssd.conf 
 149  /etc/init.d/sssd start
 150  /etc/init.d/sssd status

This almost works, with the following caveats:

  • For some reason, automatic password changes via GDM don't work (I first thought this was related to the next issue, but no: it breaks even with manual creation)
  • Auto-creation of home directories does not work