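# Runbook: join a RHEL6 box to an IPA domain.  These are notes, not a turnkey
# script -- several steps are interactive (vi, kinit, enrollment prompts).
# Two routes are shown: the supported ipa-client-install route, and a manual
# Kerberos + LDAP hookup through pam_krb5/nslcd/nscd with sssd removed.
# Hostnames, the nameserver IP and the test user "chorn" are lab-specific.

# ===== ipa rhel6 client =====
yum -y install ipa-client ipa-admintools

# Point DNS at the IPA server so ipa-client-install can discover it through
# the _ldap._tcp/_kerberos._tcp SRV records.  This clobbers resolv.conf (and
# NetworkManager/dhclient may rewrite it later).  Whoever controls this
# resolver controls which KDC/LDAP the client discovers, so only do this on a
# network you trust.
echo 'nameserver 192.168.4.23' >/etc/resolv.conf

# Discover the server and enroll.  --enable-dns-updates lets the client update
# its own DNS record in IPA when its address changes.  Prompts for enrollment
# credentials.
ipa-client-install --enable-dns-updates

# Verify that NSS now resolves a directory user.
getent passwd chorn

# ===== manual kerberos/ldap hookup per nscd/nslcd =====
# Alternative to ipa-client-install: Kerberos via pam_krb5, NSS via nslcd.
vi /etc/hosts              # ensure the participating boxes are listed
vi /etc/sysconfig/network  # ensure HOSTNAME is fully qualified (host principals
                           # are host/FQDN@REALM); RHEL6 keeps HOSTNAME here,
                           # the original note said /etc/security/network

# sssd is the default NSS/PAM backend on RHEL6; remove it so it does not
# compete with nslcd/pam_krb5 (authconfig below disables it as well).
rpm -e sssd
yum -y install krb5-workstation openldap-clients pam_ldap nss-pam-ldapd pam_krb5

# Reuse the server's Kerberos config (realm, KDC, domain_realm mappings).
scp rhel6u1a:/etc/krb5.conf /etc
# CAUTION: an IPA server that runs its own DNS typically has
# "nameserver 127.0.0.1" in resolv.conf, which is wrong on a client -- check
# the copied file, or keep the nameserver line written in the section above.
scp rhel6u1a:/etc/resolv.conf /etc

# Sanity checks: can we obtain a TGT, and is the user visible in the directory?
kinit chorn
# -x is an anonymous simple bind over plain ldap://.  Add -ZZ to force StartTLS
# if you also want to verify the TLS path that the nslcd config below relies on.
ldapsearch -x -b dc=fluxcoil,dc=net -h rhel6u1a.fluxcoil.net cn=chorn

# CA hash links for tls_cacertdir.  OpenSSL looks CAs up in a hash directory as
# <subject-hash>.0, so the link name needs the ".0" suffix -- the original loop
# omitted it, which makes tls_cacertdir silently fail to find the CA.  Quoting
# added so odd filenames do not break the loop.  `c_rehash /etc/openldap/cacerts`
# does the same thing if openssl-perl is installed.
# cd /etc/openldap/cacerts
# for i in *; do ln -s "$i" "$(openssl x509 -noout -hash -in "$i").0"; done

# LDAP for NSS and PAM (pam_ldap simple-binds with the user's password, so TLS
# is mandatory on the auth path), sssd off, local authorization, auto-homedir.
authconfig --enableldap --enableldapauth --ldapserver=rhel6u1a.fluxcoil.net --ldapbasedn="dc=fluxcoil,dc=net" \
  --enableldaptls --disablesssd --disablesssdauth --enablelocauthorize --enablemkhomedir --updateall

# /etc/nslcd.conf, cleartext variant -- DEBUGGING ONLY.  Every lookup and every
# pam_ldap bind (i.e. user passwords) crosses the wire unencrypted.  Never leave
# this in place once the TLS variant below works.
#   uid nslcd
#   gid ldap
#   uri ldap://rhel6b.fluxcoil.net/
#   base dc=fluxcoil,dc=net
#   tls_cacertdir /etc/openldap/cacerts

# /etc/nslcd.conf, encrypted variant (use this one).  StartTLS on port 389 with
# the IPA CA pinned.  "tls_reqcert demand" is set explicitly so the server
# certificate is actually verified against that CA instead of relying on the
# LDAP library's default; without verification StartTLS gives no MITM protection.
# NOTE: this points at rhel6b while authconfig/ldapsearch above use rhel6u1a --
# confirm which host is the LDAP server and use the same name everywhere (the
# name must also match the server certificate's subject/SAN).
#   uid nslcd
#   gid ldap
#   uri ldap://rhel6b.fluxcoil.net/
#   base dc=fluxcoil,dc=net
#   ssl start_tls
#   tls_reqcert demand
#   tls_cacertfile /etc/openldap/cacerts/cacert.pem

service nslcd restart
service nscd restart   # optional, for caching
chkconfig nslcd on
chkconfig nscd on      # optional, for caching

vi /etc/pam_ldap.conf
# Kerberos for authentication.  Keep pam_unix ahead of these lines so local
# accounts (root) still work when the KDC is unreachable; put the auth line
# before pam_deny, and the password line after pam_cracklib so use_authtok
# has an already-checked new password to hand to the KDC.
vi /etc/pam.d/password-auth
#   auth     sufficient pam_krb5.so use_first_pass
#   password sufficient pam_krb5.so use_authtok

# Login should work now (sshd uses password-auth on RHEL6).
ssh chorn@127.0.0.1

# To be able to do Kerberos password changes: passwd(1) goes through
# system-auth rather than password-auth, so it needs the same two lines.
vi /etc/pam.d/system-auth
#   auth     sufficient pam_krb5.so use_first_pass
#   password sufficient pam_krb5.so use_authtok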