freeipa / freeipa-community-portal

[ABANDONED] FreeIPA Community Portal extension
GNU General Public License v3.0

[doc] Portal user setup incomplete #4

Closed tiran closed 8 years ago

tiran commented 8 years ago

The installation guide is incomplete and doesn't explain all necessary steps for the user setup. After create-portal-user is invoked, the user is available but cannot grab a TGT from Kerberos.

```
# kinit portal
kinit: Generic preauthentication failure while getting initial credentials
# ipa user-find portal
--------------
1 user matched
--------------
  User login: portal
  First name: Self
  Last name: Service
  Home directory: /home/portal
  Login shell: /bin/sh
  Email address: portal@ipa.example
  UID: 1507400003
  GID: 1507400003
  Account disabled: False
  Password: False
  Kerberos keys available: False
----------------------------
Number of entries returned 1
----------------------------
```

The create-portal-user script has a commented out section at the end. It shows how to use ipa-getkeytab to acquire a user keytab. This should be added to the docs, too.

```
# ipa-getkeytab -s ipaserver.ipa.example -p portal@IPA.EXAMPLE -k /etc/ipa/portal.keytab
# kinit -kt /etc/ipa/portal.keytab portal
# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_XbhVstw
Default principal: portal@KDCPROXY.DEMO

Valid starting       Expires              Service principal
2015-08-07 12:38:12  2015-08-08 12:38:12  krbtgt/IPA.EXAMPLE@IPA.EXAMPLE

# chown apache:apache /etc/ipa/portal.keytab
# su -s /bin/sh apache -c 'kinit -kt /etc/ipa/portal.keytab portal'
```

tiran commented 8 years ago

The new script from PR #28 now creates a keytab. The case is also covered by updated documentation.
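
A pre-flight check for the setup discussed in this issue, added here as an example; it is not part of the issue or of the project's scripts. The function names are hypothetical and the permission check assumes GNU coreutils `stat`.

```shell
#!/bin/sh
# Added example (not from the freeipa-community-portal project).
# Function names are hypothetical; assumes GNU coreutils `stat`.

# Succeeds only if `ipa user-find` / `ipa user-show` output on stdin reports
# "Kerberos keys available: True". Without keys, kinit cannot obtain a TGT.
has_kerberos_keys() {
    awk -F': *' '
        /^[ \t]*Kerberos keys available:/ { v = $2; gsub(/[ \t\r]+$/, "", v) }
        END { exit (v == "True" ? 0 : 1) }
    '
}

# keytab_is_private PATH OWNER
# A keytab holds the principal's long-term keys, so after the chown it should be
# a regular file owned by the service user with no group/other permission bits.
keytab_is_private() {
    kt=$1
    want_owner=$2
    [ -f "$kt" ] && [ ! -L "$kt" ] || return 1
    owner=$(stat -c '%U' "$kt") || return 1
    mode=$(stat -c '%a' "$kt") || return 1
    [ "$owner" = "$want_owner" ] || return 1
    case $mode in
        [0-7]00) return 0 ;;
        *) return 1 ;;
    esac
}

# preflight KEYTAB OWNER  (ipa output on stdin); prints the first failed check.
preflight() {
    has_kerberos_keys || { echo "no Kerberos keys: run ipa-getkeytab first"; return 1; }
    keytab_is_private "$1" "$2" || { echo "keytab missing or not private to $2"; return 1; }
    echo "ok"
}

# Constructed sample: lines taken from the `ipa user-find portal` output above.
sample_no_keys='  User login: portal
  Password: False
  Kerberos keys available: False'

printf '%s\n' "$sample_no_keys" | preflight /etc/ipa/portal.keytab apache || true
```

On a real host, pipe `ipa user-show portal` into `preflight /etc/ipa/portal.keytab apache` after running the steps above.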