[Freeipa-users] basics of openssh and freeipa integration
freeipa-users--- via FreeIPA-users
2017-09-22 20:55:21 UTC
Assume my new freeipa server is on 7.4 centos, and my client freeipa
hosts are on fedora 25. Assume I create a freeipa user "jdoe" with a
NFS4 automounted home dir, to be available on the fedora hosts.

The goal is to ssh remotely into any fedora client host as "jdoe" and
be authenticated by the centos freeipa server. Is or can openssh be
configured to work this way by the initial freeipa server install? If
not, what steps must be done?

Assuming I succeed, may I still ssh to a non-freeipa account (i.e. a
local account in /etc/passwd) on a freeipa server or a fedora
freeipa client? How are "non-freeipa", i.e. local, accounts handled by
openssh on the fedora 25 client freeipa hosts?
--
Thanks for trying to clear up my foggy grasp of freeipa,
Tom
--
Below is some more background, and additional question(s).
--
GOAL: Set up freeipa with kerberos NFS4 file sharing,
and autofs/automounted home directories. A small number of users or hosts.

I have a centos 7.3 Internet host "pez.ipa.uqjau.org", with
bind/bind-chroot installed and working. There is a "ipa.uqjau.org"
delegation NS record and a SOA ipa.uqjau.org record, both mapped to
host "pez.ipa.uqjau.org" both in the "uqjau.org" zone. bind is working
OK on pez with pez bind authoritative for ipa.uqjau.org, but I plan
to uninstall bind-chroot and let 'ipa-server-install' setup bind from
scratch. (I understand I need to uninstall bind-chroot, and plan to
do so.)

I'm new to freeipa, but have read for 7 hours or so, and have spent a
couple of hours reading the list. NFS4 is working now.

For guidance on the install I have been looking at:

<https://mkosek.fedorapeople.org/publican_site/en-US/FreeIPA/3.4/html/FreeIPA_Guide/creating-server.html>

<https://blog.christophersmart.com/articles/freeipa-how-to-fedora/>

How does this look?

ipa-server-install \
  --unattended \
  --realm=IPA.UQJAU.ORG \
  --domain=ipa.uqjau.org \
  --ds-password=SOMESECRET_PASSWD \
  --admin-password=SOMESECRET_PW \
  --mkhomedir \
  --ip-address=45.55.89.85 \
  --idstart=50000 \
  --no_hbac_allow \
  --ssh-trust-dns \
  --setup-dns \
  --no-forwarders \
  --no-reverse \
  --zonemgr=SOME_EMAIL_ADDR_HERE \
  --no-dnssec-validation

The --zonemgr line above is what I think the man page intends,
right?
--
thanks,
Tom
_______________________________________________
FreeIPA-users mailing list -- freeipa-***@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-***@list
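The questions above ask whether openssh is wired up for IPA users and what happens to local /etc/passwd accounts on an enrolled client. The script below is an added example, not part of the post and not FreeIPA project code: it audits the client-side settings that ipa-client-install writes on a Fedora/RHEL host (sssd fetches SSH public keys stored in IPA through AuthorizedKeysCommand, GSSAPI authentication for Kerberos single sign-on, PAM enabled for password logins via sssd, and "passwd: files sss" in nsswitch.conf so that /etc/passwd is consulted before IPA). The sample config excerpts are constructed for a stand-alone run; on a real client you would point the check at /etc/ssh/sshd_config and /etc/nsswitch.conf. The file paths and directive values are the Fedora/RHEL defaults; if your distribution places sss_ssh_authorizedkeys elsewhere, adjust the expected value.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): audit the client-side
# settings that let an IPA user such as "jdoe" log in over SSH while local
# /etc/passwd accounts keep working. Assumes Fedora/RHEL default paths.

# has_directive FILE KEY VALUE -> 0 if an uncommented "KEY VALUE" line exists
has_directive() {
    grep -Eiq "^[[:space:]]*$2[[:space:]]+$3([[:space:]]|$)" "$1"
}

# check_ssh_integration SSHD_CONFIG NSSWITCH_CONF
# Prints one line per missing setting; the return code is the number of
# problems found (0 means the host is ready for IPA and local users).
check_ssh_integration() {
    sshd_conf=$1; nss_conf=$2; problems=0
    # Public keys stored in IPA are served to sshd by sssd:
    has_directive "$sshd_conf" AuthorizedKeysCommand '/usr/bin/sss_ssh_authorizedkeys' \
        || { echo "missing: AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys"; problems=$((problems+1)); }
    has_directive "$sshd_conf" AuthorizedKeysCommandUser nobody \
        || { echo "missing: AuthorizedKeysCommandUser nobody"; problems=$((problems+1)); }
    # Kerberos single sign-on for users who already hold a ticket:
    has_directive "$sshd_conf" GSSAPIAuthentication yes \
        || { echo "missing: GSSAPIAuthentication yes"; problems=$((problems+1)); }
    # Password logins for IPA users are handled by PAM (pam_sss), so PAM must be on:
    has_directive "$sshd_conf" UsePAM yes \
        || { echo "missing: UsePAM yes"; problems=$((problems+1)); }
    # "files sss": /etc/passwd is consulted first, then IPA via sssd, which is
    # what keeps local accounts usable next to IPA accounts.
    grep -Eq '^[[:space:]]*passwd:.*files.*sss' "$nss_conf" \
        || { echo "missing: passwd: files sss in $nss_conf"; problems=$((problems+1)); }
    return "$problems"
}

# Constructed sample files (not copied from any real host); prints the directory.
write_samples() {
    dir=$(mktemp -d)
    cat > "$dir/sshd_config.ok" <<'EOF'
# sshd_config as left by ipa-client-install (constructed excerpt)
UsePAM yes
GSSAPIAuthentication yes
KerberosAuthentication no
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody
EOF
    cat > "$dir/sshd_config.bad" <<'EOF'
# stock sshd_config before enrollment (constructed excerpt)
UsePAM yes
#GSSAPIAuthentication no
#AuthorizedKeysCommand none
EOF
    cat > "$dir/nsswitch.conf" <<'EOF'
passwd:     files sss
shadow:     files sss
group:      files sss
EOF
    echo "$dir"
}

# Stand-alone run over the constructed samples.
demo() {
    dir=$(write_samples)
    for f in sshd_config.ok sshd_config.bad; do
        rc=0
        check_ssh_integration "$dir/$f" "$dir/nsswitch.conf" || rc=$?
        if [ "$rc" -eq 0 ]; then
            echo "$f: ready for IPA users and local users"
        else
            echo "$f: $rc setting(s) missing"
        fi
    done
    rm -rf "$dir"
}
demo
```

Run it as-is to see the two sample results, or call `check_ssh_integration /etc/ssh/sshd_config /etc/nsswitch.conf` on an enrolled Fedora client; a non-zero return code lists exactly which of the expected directives ipa-client-install would normally have set.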