From puck at i29.net Tue Oct 7 22:03:00 2008
From: puck at i29.net (puck at i29.net)
Date: Tue, 07 Oct 2008 17:03:00 -0500
Subject: [Freeipa-users] sasl binding failed when running ipa-getkeytab
Message-ID: <48EBDC94.90405@i29.net>

I had this same issue and eventually figured out I'd installed the x86_64 version of ipa_client but the i386 version of cyrus-sasl-gssapi. You can check this by issuing the following command:

    rpm -qa --qf "%{n}-%{v}-%{r}.%{arch}\n" | grep gss

Hopefully that helps!

Jem

Ivan Levchenko wrote:

On Mon, Sep 29, 2008 at 5:55 PM, Rob Crittenden wrote:

Did you have a kerberos ticket before running ipa-getkeytab? You need to do a kinit before running this.

Yes, I did kinit for admin, and klist shows that I have a ticket.

I'm not sure what you mean by "enter them manually" when logging on as an ipa user. i.e. when i ssh to the box, it prompts me for a password and authenticates via pam (which checks against the ipa server), and i get logged in successfully using the user that is defined on the ipa server.

Log into which box? The IPA server or another server? If not the IPA server, does this other server have a host service principal and has sshd been restarted? Using the -v argument with ssh will show you more details on what authentication methods it is trying.

You will want to look on the IPA server in /var/log/krb5kdc.log and/or /var/log/dirsrv/slapd-INSTANCE/error for more information.

I was just tailing those two files while running the ipa-getkeytab command.. nothing.... also checked any other even remotely relevant log files (messages, secure...) - nothing...

I'm not sure how that is possible. The error you reported from ipa-getkeytab is returned if an LDAP GSSAPI bind to the IPA LDAP server fails. You can try a similar operation by doing something like:

    % ldapsearch -Y GSSAPI -h ipa.freeipa.org -b "dc=freeipa,dc=org" uid=admin

rob

-------------- next part --------------
An HTML attachment was scrubbed...
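An added check, not from Jem's message or from the FreeIPA project: the grep above only shows the gss package, but the same multilib mistake can hit any library in the chain between ipa-getkeytab and the GSSAPI SASL plugin. The script below parses `rpm -qa --qf "%{n}-%{v}-%{r}.%{arch}\n"` output and reports every package in that chain that has no build for the arch ipa-client is installed for. The package list is a constructed sample, and the set of packages treated as "the GSSAPI chain" (cyrus-sasl-gssapi, cyrus-sasl-lib, krb5-libs) is an assumption about which shared objects the bind loads.

```python
"""Find multilib mismatches between ipa-client and the SASL/GSSAPI libraries it needs."""
import re
from collections import defaultdict

# Constructed sample of `rpm -qa --qf "%{n}-%{v}-%{r}.%{arch}\n"` output; not from a real host.
SAMPLE_RPM_QA = """\
ipa-client-1.2.0-1.x86_64
krb5-libs-1.6.1-25.el5.x86_64
krb5-libs-1.6.1-25.el5.i386
cyrus-sasl-lib-2.1.22-4.x86_64
cyrus-sasl-lib-2.1.22-4.i386
cyrus-sasl-gssapi-2.1.22-4.i386
glibc-2.5-24.x86_64
glibc-2.5-24.i686
"""

# rpm prints NAME-VERSION-RELEASE.ARCH: the name may contain '-', version and release may not.
_PKG_RE = re.compile(r"^(?P<name>.+)-(?P<ver>[^-]+)-(?P<rel>[^-]+)\.(?P<arch>[^.]+)$")

# Assumption: the libraries that must exist for the consumer's arch for a GSSAPI bind to work.
GSSAPI_STACK = ("cyrus-sasl-gssapi", "cyrus-sasl-lib", "krb5-libs")


def parse_rpm_qa(text):
    """Return {package name: set of installed arches} from rpm -qa --qf output."""
    arches = defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = _PKG_RE.match(line)
        if not m:
            raise ValueError("unparseable rpm line: %r" % line)
        arches[m.group("name")].add(m.group("arch"))
    return dict(arches)


def find_gssapi_mismatches(text, consumer="ipa-client"):
    """Return (consumer arch, [(package, installed arches)]) for stack packages lacking that arch."""
    pkgs = parse_rpm_qa(text)
    if consumer not in pkgs:
        raise KeyError("%s is not installed" % consumer)
    consumer_arches = pkgs[consumer]
    if len(consumer_arches) != 1:
        raise ValueError("%s installed for several arches: %s" % (consumer, sorted(consumer_arches)))
    (arch,) = consumer_arches
    problems = []
    for name in GSSAPI_STACK:
        have = pkgs.get(name, set())
        if arch not in have:
            problems.append((name, sorted(have)))
    return arch, problems


if __name__ == "__main__":
    # On a real host: rpm -qa --qf "%{n}-%{v}-%{r}.%{arch}\n" > pkgs.txt, then feed the file here.
    arch, problems = find_gssapi_mismatches(SAMPLE_RPM_QA)
    print("ipa-client is %s" % arch)
    for name, have in problems:
        print("  %s: no %s build installed (have: %s)" % (name, arch, ", ".join(have) or "none"))
```

With the sample input the only finding is cyrus-sasl-gssapi, present as i386 while ipa-client is x86_64, which is the situation Jem describes.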
URL: From n.gresham at manchester.ac.uk Wed Oct 8 15:26:52 2008 From: n.gresham at manchester.ac.uk (Nick Gresham) Date: Wed, 08 Oct 2008 16:26:52 +0100 Subject: [Freeipa-users] minimum UIDs and GIDs Message-ID: <48ECD13C.3040804@manchester.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, I'm a systems administrator at the University of Manchester currently trialling FreeIPA as an authentication solution for a group of workstations and HPC machines. Generally speaking, I am very impressed, but I was wondering if there would be a way of setting minimum values for UIDs and GIDs of new users and groups respectively, so as to keep IPA-generated values from colliding with pre-existing accounts on machines that we are trying to make into FreeIPA clients? Thanks in advance, [NG] - -- N.J. Gresham FLS/IS AIO Systems Administration and Support University of Manchester Faculty of Life Sciences int: 7759349 ext: 0790-989-3684 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAkjs0SwACgkQoqZzfMI0UdmGrgCfXSM4awCKGUOSsJoW6E6Nzo44 Kc0An1aTabz+gWP5flJqWHEKNebxP5dL =9hAq -----END PGP SIGNATURE----- From ssorce at redhat.com Wed Oct 8 15:50:01 2008 From: ssorce at redhat.com (Simo Sorce) Date: Wed, 08 Oct 2008 11:50:01 -0400 Subject: [Freeipa-users] minimum UIDs and GIDs In-Reply-To: <48ECD13C.3040804@manchester.ac.uk> References: <48ECD13C.3040804@manchester.ac.uk> Message-ID: <1223481001.632.27.camel@hopeson> On Wed, 2008-10-08 at 16:26 +0100, Nick Gresham wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Hi, > > I'm a systems administrator at the University of Manchester currently > trialling FreeIPA as an authentication solution for a group of > workstations and HPC machines. 
>
> Generally speaking, I am very impressed, but I was wondering if there
> would be a way of setting minimum values for UIDs and GIDs of new users
> and groups respectively, so as to keep IPA-generated values from
> colliding with pre-existing accounts on machines that we are trying to
> make into FreeIPA clients?

Yes, currently it requires a change in the dna plugin configuration.

You can change the attribute 'dnaNextValue' in these 2 ldap entries:
cn=Accounts,cn=Posix,cn=ipa-dna,cn=plugins,cn=config
cn=Groups,cn=Posix,cn=ipa-dna,cn=plugins,cn=config

You can do that online using the 'cn=Directory Manager' ldap user.

Simo.

From puck at i29.net Wed Oct 8 16:07:22 2008
From: puck at i29.net (puck at i29.net)
Date: Wed, 08 Oct 2008 11:07:22 -0500
Subject: [Freeipa-users] Help with sshd configuration - ChallengeResponseAuthentication
In-Reply-To: <1223481001.632.27.camel@hopeson>
References: <48ECD13C.3040804@manchester.ac.uk> <1223481001.632.27.camel@hopeson>
Message-ID: <48ECDABA.9080100@i29.net>

I've run into a problem when setting up IPA for ssh logins. I've found that I need to set ChallengeResponseAuthentication to "yes" in my sshd_config to allow users to change their expired passwords on login, otherwise the login process just hangs and eventually times out. However, when I set it to "yes" password-less logins between my servers no longer work. Once I'm logged in, if I run a "kinit (username)" then the password-less login works again so I assume that when ChallengeResponseAuthentication is on, sshd just doesn't set that correctly. Can anyone recommend an sshd configuration that would allow both the password-less logins and allow users to change their passwords at login when they are expired?
Jem Tallon From ssorce at redhat.com Wed Oct 8 16:30:14 2008 From: ssorce at redhat.com (Simo Sorce) Date: Wed, 08 Oct 2008 12:30:14 -0400 Subject: [Freeipa-users] Help with sshd configuration - ChallengeResponseAuthentication In-Reply-To: <48ECDABA.9080100@i29.net> References: <48ECD13C.3040804@manchester.ac.uk> <1223481001.632.27.camel@hopeson> <48ECDABA.9080100@i29.net> Message-ID: <1223483414.632.28.camel@hopeson> On Wed, 2008-10-08 at 11:07 -0500, puck at i29.net wrote: > I've run into a problem when setting up IPA for ssh logins. I've found > that I need to set ChallengeResponseAuthentication to "yes" in my > sshd_config to allow users to change their expired passwords on login, > otherwise the login process just hangs and eventually times out. > However, when I set it to "yes" password-less logins between my servers > no longer work. Once I'm logged in, if I run a "kinit (username)" then > the password-less login works again so I assume that when > ChallengeResponseAuthentication is on, sshd just doesn't set that > correctly. Can anyone recommend an sshd configuration that would allow > both the password-less logins and allow users to change their passwords > at login when they are expired? By "password-less" login you mean a gssapi login or an ssh-key aided login ? Simo. From puck at i29.net Wed Oct 8 16:40:35 2008 From: puck at i29.net (puck at i29.net) Date: Wed, 08 Oct 2008 11:40:35 -0500 Subject: [Freeipa-users] Help with sshd configuration - ChallengeResponseAuthentication In-Reply-To: <1223483414.632.28.camel@hopeson> References: <48ECD13C.3040804@manchester.ac.uk> <1223481001.632.27.camel@hopeson> <48ECDABA.9080100@i29.net> <1223483414.632.28.camel@hopeson> Message-ID: <48ECE283.5020806@i29.net> Sorry. I meant GSSAPI login. Jem Simo Sorce wrote: > On Wed, 2008-10-08 at 11:07 -0500, puck at i29.net wrote: > >> I've run into a problem when setting up IPA for ssh logins. 
I've found >> that I need to set ChallengeResponseAuthentication to "yes" in my >> sshd_config to allow users to change their expired passwords on login, >> otherwise the login process just hangs and eventually times out. >> However, when I set it to "yes" password-less logins between my servers >> no longer work. Once I'm logged in, if I run a "kinit (username)" then >> the password-less login works again so I assume that when >> ChallengeResponseAuthentication is on, sshd just doesn't set that >> correctly. Can anyone recommend an sshd configuration that would allow >> both the password-less logins and allow users to change their passwords >> at login when they are expired? >> > > By "password-less" login you mean a gssapi login or an ssh-key aided > login ? > > Simo. > > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From mythtv at vulturest.com Thu Oct 9 00:19:57 2008 From: mythtv at vulturest.com (Johan Venter) Date: Thu, 09 Oct 2008 10:19:57 +1000 Subject: [Freeipa-users] Windows Kerberos auth to IPA Message-ID: <48ED4E2D.3010308@vulturest.com> Hi all, I would very much like to achieve with Windows what I have achieved on Linux with IPA, namely: - single sign-on - access control To achieve the first, I have been trying to figure out how to use ksetup.exe from the Windows Support Tools installation on Windows Server 2003. As I understand it, the only way to make this work is with a host principal that has a usable password. 
I cannot find any way to add a password to a service principal in IPA and all attempts at the command line were thwarted: - kadmin.local didn't let me do it because admin doesn't have permission outside cn=kerberos and I shouldn't need to use kadmin.local anyway - ldappasswd wouldn't let me do it because service principals by default in IPA do not have the appropriate objectClass (I figured this was posixAccount but wasn't sure), and all attempts to add object classes to a service principal using ldapmodify failed I'm at a bit of a loss. It seems I need a password on the host principal to make this work, but IPA is completely engineered to not allow that. What should I do? Also, if I ever get sign-on working, what can I do about access control? In Linux I can use /etc/security/access.conf and sudoers to provide reasonable access to only specific groups - I wonder how can I map my sysadmins LDAP group to Administrator in Windows and will this will have the same effect? Any help would be greatly appreciated. I'm pulling out my hair on this one. Thanks, Johan From ssorce at redhat.com Thu Oct 9 09:21:27 2008 From: ssorce at redhat.com (Simo Sorce) Date: Thu, 09 Oct 2008 05:21:27 -0400 Subject: [Freeipa-users] Windows Kerberos auth to IPA In-Reply-To: <48ED4E2D.3010308@vulturest.com> References: <48ED4E2D.3010308@vulturest.com> Message-ID: <1223544087.27224.4.camel@hopeson> On Thu, 2008-10-09 at 10:19 +1000, Johan Venter wrote: > Hi all, > > I would very much like to achieve with Windows what I have achieved on > Linux with IPA, namely: > - single sign-on > - access control > > To achieve the first, I have been trying to figure out how to use > ksetup.exe from the Windows Support Tools installation on Windows Server > 2003. > > As I understand it, the only way to make this work is with a host > principal that has a usable password. 
I cannot find any way to add a > password to a service principal in IPA and all attempts at the command > line were thwarted: > - kadmin.local didn't let me do it because admin doesn't have > permission outside cn=kerberos and I shouldn't need to use kadmin.local > anyway > - ldappasswd wouldn't let me do it because service principals by > default in IPA do not have the appropriate objectClass (I figured this > was posixAccount but wasn't sure), and all attempts to add object > classes to a service principal using ldapmodify failed > > I'm at a bit of a loss. It seems I need a password on the host principal > to make this work, but IPA is completely engineered to not allow that. > What should I do? The latest ipa-getkeytab should allow you to specify a password. > Also, if I ever get sign-on working, what can I do about access control? > In Linux I can use /etc/security/access.conf and sudoers to provide > reasonable access to only specific groups - I wonder how can I map my > sysadmins LDAP group to Administrator in Windows and will this will have > the same effect? You need to tweak user privileges, but this would be a per machine option. As all users and groups will be local to the windows machine. Windows do not have any way to get users from a remote server unless it is a Windows Domain Controller. Simo. From ssorce at redhat.com Thu Oct 9 09:22:18 2008 From: ssorce at redhat.com (Simo Sorce) Date: Thu, 09 Oct 2008 05:22:18 -0400 Subject: [Freeipa-users] Help with sshd configuration - ChallengeResponseAuthentication In-Reply-To: <48ECE283.5020806@i29.net> References: <48ECD13C.3040804@manchester.ac.uk> <1223481001.632.27.camel@hopeson> <48ECDABA.9080100@i29.net> <1223483414.632.28.camel@hopeson> <48ECE283.5020806@i29.net> Message-ID: <1223544138.27224.5.camel@hopeson> Can you use ssh -vv and paste what you get there when trying to login ? (feel free to sanitize output if there is data that you do not want to share broadly). Simo. 
On Wed, 2008-10-08 at 11:40 -0500, puck at i29.net wrote: > Sorry. I meant GSSAPI login. > > Jem > > > Simo Sorce wrote: > > On Wed, 2008-10-08 at 11:07 -0500, puck at i29.net wrote: > > > > > I've run into a problem when setting up IPA for ssh logins. I've found > > > that I need to set ChallengeResponseAuthentication to "yes" in my > > > sshd_config to allow users to change their expired passwords on login, > > > otherwise the login process just hangs and eventually times out. > > > However, when I set it to "yes" password-less logins between my servers > > > no longer work. Once I'm logged in, if I run a "kinit (username)" then > > > the password-less login works again so I assume that when > > > ChallengeResponseAuthentication is on, sshd just doesn't set that > > > correctly. Can anyone recommend an sshd configuration that would allow > > > both the password-less logins and allow users to change their passwords > > > at login when they are expired? > > > > > > > By "password-less" login you mean a gssapi login or an ssh-key aided > > login ? > > > > Simo. > > > > > > > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users From puck at i29.net Thu Oct 9 12:55:41 2008 From: puck at i29.net (puck at i29.net) Date: Thu, 09 Oct 2008 07:55:41 -0500 Subject: [Freeipa-users] Help with sshd configuration - ChallengeResponseAuthentication In-Reply-To: <1223544138.27224.5.camel@hopeson> References: <48ECD13C.3040804@manchester.ac.uk> <1223481001.632.27.camel@hopeson> <48ECDABA.9080100@i29.net> <1223483414.632.28.camel@hopeson> <48ECE283.5020806@i29.net> <1223544138.27224.5.camel@hopeson> Message-ID: <48EDFF4D.8090406@i29.net> Thanks for the response, Simo. I left the systems alone overnight and mysteriously this morning both the password changing and the GSS logins work. 
That makes me a little nervous but I'm willing to assume the universe is throwing me a bone on this one ;) If the systems fall back to the old behavior, I'll be sure to send more info once I'm able to reproduce the problem. Jem Simo Sorce wrote: > Can you use ssh -vv and paste what you get there when trying to login ? > (feel free to sanitize output if there is data that you do not want to > share broadly). > > Simo. > > On Wed, 2008-10-08 at 11:40 -0500, puck at i29.net wrote: > >> Sorry. I meant GSSAPI login. >> >> Jem >> >> >> Simo Sorce wrote: >> >>> On Wed, 2008-10-08 at 11:07 -0500, puck at i29.net wrote: >>> >>> >>>> I've run into a problem when setting up IPA for ssh logins. I've found >>>> that I need to set ChallengeResponseAuthentication to "yes" in my >>>> sshd_config to allow users to change their expired passwords on login, >>>> otherwise the login process just hangs and eventually times out. >>>> However, when I set it to "yes" password-less logins between my servers >>>> no longer work. Once I'm logged in, if I run a "kinit (username)" then >>>> the password-less login works again so I assume that when >>>> ChallengeResponseAuthentication is on, sshd just doesn't set that >>>> correctly. Can anyone recommend an sshd configuration that would allow >>>> both the password-less logins and allow users to change their passwords >>>> at login when they are expired? >>>> >>>> >>> By "password-less" login you mean a gssapi login or an ssh-key aided >>> login ? >>> >>> Simo. >>> >>> >>> >>> >>> >> _______________________________________________ >> Freeipa-users mailing list >> Freeipa-users at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-users >> > > > > -------------- next part -------------- An HTML attachment was scrubbed... 
URL:

From n.gresham at manchester.ac.uk Thu Oct 9 19:33:59 2008
From: n.gresham at manchester.ac.uk (Nick Gresham)
Date: Thu, 09 Oct 2008 20:33:59 +0100
Subject: [Freeipa-users] minimum UIDs and GIDs
In-Reply-To: <1223481001.632.27.camel@hopeson>
References: <48ECD13C.3040804@manchester.ac.uk> <1223481001.632.27.camel@hopeson>
Message-ID: <48EE5CA7.9060903@manchester.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Simo Sorce wrote:
> On Wed, 2008-10-08 at 16:26 +0100, Nick Gresham wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Hi,
>>
>> I'm a systems administrator at the University of Manchester currently
>> trialling FreeIPA as an authentication solution for a group of
>> workstations and HPC machines.
>>
>> Generally speaking, I am very impressed, but I was wondering if there
>> would be a way of setting minimum values for UIDs and GIDs of new users
>> and groups respectively, so as to keep IPA-generated values from
>> colliding with pre-existing accounts on machines that we are trying to
>> make into FreeIPA clients?
>
> Yes, currently it requires a change in the dna plugin configuration.
>
> You can change the attribute 'dnaNextValue' in these 2 ldap entries:
> cn=Accounts,cn=Posix,cn=ipa-dna,cn=plugins,cn=config
> cn=Groups,cn=Posix,cn=ipa-dna,cn=plugins,cn=config
>
> You can do that online using the 'cn=Directory Manager' ldap user.
>
> Simo.
>

Many thanks: that worked!

In case anyone gets stumped by the command needed to access and edit the 'plugins' part of the dirsrv tree (as I initially was), for the record, I used:

    ldapvi -D "cn=Directory Manager" -b cn=ipa-dna,cn=plugins,cn=config

I'm assuming that one needs to do this on all replica servers: is that correct?

Regards

[NG]

- --
N.J.
Gresham FLS/IS AIO Systems Administration and Support University of Manchester Faculty of Life Sciences int: 7759349 ext: 0790-989-3684 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAkjuXGsACgkQoqZzfMI0Udl4xACfTZPfaF16j1wvIGK3NVRRDfSk YakAniQAhmk82QK6MrXUQFu0h8jWlFCI =Cl9h -----END PGP SIGNATURE----- From mythtv at vulturest.com Fri Oct 10 00:26:52 2008 From: mythtv at vulturest.com (Johan Venter) Date: Fri, 10 Oct 2008 10:26:52 +1000 Subject: [Freeipa-users] Windows Kerberos auth to IPA In-Reply-To: <1223544087.27224.4.camel@hopeson> References: <48ED4E2D.3010308@vulturest.com> <1223544087.27224.4.camel@hopeson> Message-ID: <48EEA14C.3080301@vulturest.com> Simo Sorce wrote: > On Thu, 2008-10-09 at 10:19 +1000, Johan Venter wrote: >> I'm at a bit of a loss. It seems I need a password on the host principal >> to make this work, but IPA is completely engineered to not allow that. >> What should I do? > > The latest ipa-getkeytab should allow you to specify a password. Ok, that's great, however I'm not sure what I should do. I have configured IPA on a large number of CentOS servers by compiling RPMS from the RedHat SRPMS. How would I go about getting this latest version (can I just update the one executable or do I have to find a way to update the whole of IPA?) onto a server so I can use ipa-getkeytab to give a host principal a password? If there's a manual route I can take, that would be far preferable to updating all of these machines to the latest IPA that is not already in SRPMS - or are there more recent SRPMS I can compile from? I apologise if these seem dumb questions, I'm quite new to IPA (and Kerberos/LDAP in general) and have made plenty of progress to the point where all the CentOS servers are working fine, just need to get over this hump with Windows. >> Also, if I ever get sign-on working, what can I do about access control? 
>> In Linux I can use /etc/security/access.conf and sudoers to provide >> reasonable access to only specific groups - I wonder how can I map my >> sysadmins LDAP group to Administrator in Windows and will this will have >> the same effect? > > You need to tweak user privileges, but this would be a per machine > option. As all users and groups will be local to the windows machine. > Windows do not have any way to get users from a remote server unless it > is a Windows Domain Controller. OK, as I understand ksetup I can map certain Kerberos users to local accounts on the Windows machine - what I would like achieve is some dynamic way to map a whole group to the local Administrator account as that would satisfy my current objective (that is, giving system administrators single sign on to Windows machines with the same username and password they use on the Linux servers) without having to map each user individually (as the members of the sysadmin group could change regularly). I realise that a 'group' is really an LDAP construct and not a Kerberos one, but I'm truly hoping there is a way to do this. Alternatively, am I going about this whole thing wrong? Is there a better way to achieve single sign-on through IPA infrastructure on Windows? Perhaps using Samba as a domain controller and authenticating through it? It seems crazy to me that if I had an AD server I could happily get Windows to log in users that do not exist on the local machine with certain privileges, why can I not seem to achieve the same thing without AD? 
Regards,

Johan

From mythtv at vulturest.com Fri Oct 10 05:33:01 2008
From: mythtv at vulturest.com (Johan Venter)
Date: Fri, 10 Oct 2008 15:33:01 +1000
Subject: [Freeipa-users] Windows Kerberos auth to IPA
In-Reply-To: <48EEA14C.3080301@vulturest.com>
References: <48ED4E2D.3010308@vulturest.com> <1223544087.27224.4.camel@hopeson> <48EEA14C.3080301@vulturest.com>
Message-ID: <48EEE90D.9070605@vulturest.com>

Johan Venter wrote:
> Simo Sorce wrote:
>> The latest ipa-getkeytab should allow you to specify a password.

> How would I go about getting this latest version (can I just update the
> one executable or do I have to find a way to update the whole of IPA?)
> onto a server so I can use ipa-getkeytab to give a host principal a
> password?

Ok, so I got recent source for ipa-getkeytab.c from Trac and incorporated that into my RPM build. I read through the source and didn't see that it required any special dependencies.

I used ipa-getkeytab like this to set the password for the host principal of the Windows machine:

    # ipa-getkeytab -s kdc.example.local -p host/windowshost.example.local -k keys.txt -P

and set the password to 'password'.

On the Windows machine I issued:

    ksetup /setdomain EXAMPLE.LOCAL
    ksetup /addkdc EXAMPLE.LOCAL kdc.example.local
    ksetup /setcomputerpassword password
    ksetup /mapuser * Administrator

Rebooted the Windows machine and tried to login with a Kerberos user.
In the /var/log/krb5kdc.log on the IPA server I see:

    Oct 10 15:18:09 kdc.example.local krb5kdc[26526](info): AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 172.17.16.16: NEEDED_PREAUTH: testuser at EXAMPLE.LOCAL for krbtgt/EXAMPLE.LOCAL at EXAMPLE.LOCAL, Additional pre-authentication required
    Oct 10 15:18:09 kdc.example.local krb5kdc[26526](info): AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 172.17.16.16: NEEDED_PREAUTH: testuser at EXAMPLE.LOCAL for krbtgt/EXAMPLE.LOCAL at EXAMPLE.LOCAL, Additional pre-authentication required
    Oct 10 15:18:09 kdc.example.local krb5kdc[26526](info): AS_REQ (3 etypes {23 3 1}) 172.17.16.16: ISSUE: authtime 1223615889, etypes {rep=23 tkt=18 ses=23}, testuser at EXAMPLE.LOCAL for krbtgt/EXAMPLE.LOCAL at EXAMPLE.LOCAL
    Oct 10 15:18:09 kdc.example.local krb5kdc[26526](info): AS_REQ (3 etypes {23 3 1}) 172.17.16.16: ISSUE: authtime 1223615889, etypes {rep=23 tkt=18 ses=23}, testuser at EXAMPLE.LOCAL for krbtgt/EXAMPLE.LOCAL at EXAMPLE.LOCAL
    Oct 10 15:18:09 kdc.example.local krb5kdc[26526](info): TGS_REQ (5 etypes {23 3 1 24 -135}) 172.17.16.16: ISSUE: authtime 1223615889, etypes {rep=23 tkt=18 ses=23}, testuser at EXAMPLE.LOCAL for host/windowshost.example.local at EXAMPLE.LOCAL
    Oct 10 15:18:09 kdc.example.local krb5kdc[26526](info): TGS_REQ (5 etypes {23 3 1 24 -135}) 172.17.16.16: ISSUE: authtime 1223615889, etypes {rep=23 tkt=18 ses=23}, testuser at EXAMPLE.LOCAL for host/windowshost.example.local at EXAMPLE.LOCAL

Which all looks good to me (obviously I'm not using example.local and EXAMPLE.LOCAL, but I've modified the log output to protect my client), but it refuses to log in. Windows reports "The system could not log you on. Make sure your User name and domain are correct, then type your password again. Letters in passwords must be typed using the correct case."
I have: - checked that forward and reverse DNS is correct for all involved - changed the user password a dozen times - tried various different user mappings with ksetup - ensured the Windows time is correct (NTP'ing to IPA server) Please help me to get this to work, it's driving me nuts - there's no errors anywhere and as far as I can see the Windows host is getting issued the appropriate tickets. Thanks, Johan. From ssorce at redhat.com Fri Oct 10 09:31:59 2008 From: ssorce at redhat.com (Simo Sorce) Date: Fri, 10 Oct 2008 05:31:59 -0400 Subject: [Freeipa-users] minimum UIDs and GIDs In-Reply-To: <48EE5CA7.9060903@manchester.ac.uk> References: <48ECD13C.3040804@manchester.ac.uk> <1223481001.632.27.camel@hopeson> <48EE5CA7.9060903@manchester.ac.uk> Message-ID: <1223631119.27822.40.camel@hopeson> On Thu, 2008-10-09 at 20:33 +0100, Nick Gresham wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Simo Sorce wrote: > > On Wed, 2008-10-08 at 16:26 +0100, Nick Gresham wrote: > >> -----BEGIN PGP SIGNED MESSAGE----- > >> Hash: SHA1 > >> > >> Hi, > >> > >> I'm a systems administrator at the University of Manchester currently > >> trialling FreeIPA as an authentication solution for a group of > >> workstations and HPC machines. > >> > >> Generally speaking, I am very impressed, but I was wondering if there > >> would be a way of setting minimum values for UIDs and GIDs of new users > >> and groups respectively, so as to keep IPA-generated values from > >> colliding with pre-existing accounts on machines that we are trying to > >> make into FreeIPA clients? > > > > Yes, currently it requires a change in the dna plugin configuration. > > > > You can change the attribute 'dnaNextValue' in these 2 ldap entries: > > cn=Accounts,cn=Posix,cn=ipa-dna,cn=plugins,cn=config > > cn=Groups,cn=Posix,cn=ipa-dna,cn=plugins,cn=config > > > > You can do that online using the 'cn=Directory Manager' ldap user. > > > > Simo. > > > > Many thanks: that worked! 
>
> In case anyone gets stumped by the command needed to access and edit the
> 'plugins' part of the dirsrv tree (as I initially was), for the record,
> I used:
>
> ldapvi -D "cn=Directory Manager" -b cn=ipa-dna,cn=plugins,cn=config
>
> I'm assuming that one needs to do this on all replica servers: is that
> correct?

Technically in v1 each replica should be changed so that they have assigned no overlapping ranges, so given 3 masters you should probably change config options to reach something like the following configuration:

A)
dnaNextValue: 100000
dnaMaxValue: 199999

B)
dnaNextValue: 200000
dnaMaxValue: 299999

C)
dnaNextValue: 300000
dnaMaxValue: 399999

This will make 100% sure there is absolutely no chance 2 concurrent* "adduser" operations on 2 different masters will end up creating 2 different users with the same UIDs as each master will use its own pool.

Of course if the same master is always used to create user accounts or manipulate them there is no risk as internally each master guarantees the uniqueness of the ids released.

Simo.
*Can also be caused by a temporary pause in replication From ssorce at redhat.com Fri Oct 10 13:59:00 2008 From: ssorce at redhat.com (Simo Sorce) Date: Fri, 10 Oct 2008 09:59:00 -0400 Subject: [Freeipa-users] Windows Kerberos auth to IPA In-Reply-To: <48EEA14C.3080301@vulturest.com> References: <48ED4E2D.3010308@vulturest.com> <1223544087.27224.4.camel@hopeson> <48EEA14C.3080301@vulturest.com> Message-ID: <1223647140.27822.51.camel@hopeson> On Fri, 2008-10-10 at 10:26 +1000, Johan Venter wrote: > OK, as I understand ksetup I can map certain Kerberos users to local > accounts on the Windows machine - what I would like achieve is some > dynamic way to map a whole group to the local Administrator account as > that would satisfy my current objective (that is, giving system > administrators single sign on to Windows machines with the same username > and password they use on the Linux servers) without having to map each > user individually (as the members of the sysadmin group could change > regularly). > > I realise that a 'group' is really an LDAP construct and not a Kerberos > one, but I'm truly hoping there is a way to do this. Unfortunately Windows LSASS.EXE is able to use external user/group sources only if attached to a windows domain. MS do not provide means to easily plug in any other provider. > Alternatively, am I going about this whole thing wrong? Is there a > better way to achieve single sign-on through IPA infrastructure on > Windows? Perhaps using Samba as a domain controller and authenticating > through it? Samba can be used but samba3 does provide NT4 level domains only which means no kerberos. > It seems crazy to me that if I had an AD server I could happily get > Windows to log in users that do not exist on the local machine with > certain privileges, why can I not seem to achieve the same thing without AD? This is a question only MS can reply in full, although we are making progress with Samba4 in providing an AD like domain controller. Simo. 
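Back to the dnaNextValue/dnaMaxValue discussion in the "minimum UIDs and GIDs" thread, as an added worked example that is not part of Nick's or Simo's posts. Two things have to be decided before touching the DNA entries: a floor that clears every UID and GID already in use on the machines that will become clients (Nick's original concern), and, with several masters, disjoint per-master ranges (Simo's A/B/C layout). The script derives both and emits the LDIF to apply on each master with ldapmodify as cn=Directory Manager. The /etc/passwd and /etc/group excerpts are constructed; the entry DNs and attribute names are those given in Simo's reply; the ldapmodify invocation and the choice to give UIDs and GIDs the same numeric ranges are my assumptions.

```python
"""Pick a DNA floor above existing local IDs and split it into disjoint per-master ranges."""

# Constructed /etc/passwd and /etc/group excerpts from two prospective clients (not real data).
CLIENT_PASSWD = {
    "hpc01": "root:x:0:0:root:/root:/bin/bash\n"
             "alice:x:1001:1001::/home/alice:/bin/bash\n"
             "bob:x:4230:4230::/home/bob:/bin/bash\n",
    "ws07": "root:x:0:0:root:/root:/bin/bash\n"
            "carol:x:500:500::/home/carol:/bin/bash\n"
            "nfsnobody:x:65534:65534::/var/lib/nfs:/sbin/nologin\n",
}
CLIENT_GROUP = {
    "hpc01": "root:x:0:\nusers:x:100:\nresearch:x:5100:alice,bob\n",
    "ws07": "root:x:0:\ncarol:x:500:\nnfsnobody:x:65534:\n",
}

# DNA plugin entries named in Simo's reply.
DNA_ACCOUNTS_DN = "cn=Accounts,cn=Posix,cn=ipa-dna,cn=plugins,cn=config"
DNA_GROUPS_DN = "cn=Groups,cn=Posix,cn=ipa-dna,cn=plugins,cn=config"


def max_id(files, field=2, ignore=(65534,)):
    """Highest numeric ID in column `field` (uid in passwd, gid in group) across all hosts.

    nfsnobody's 65534 is skipped by default so it does not push the floor needlessly high.
    """
    best = 0
    for text in files.values():
        for line in text.splitlines():
            parts = line.split(":")
            if len(parts) <= field or not parts[field].isdigit():
                continue
            value = int(parts[field])
            if value not in ignore:
                best = max(best, value)
    return best


def plan_ranges(n_masters, floor, size):
    """[(dnaNextValue, dnaMaxValue)] per master: contiguous blocks of `size`, all >= floor."""
    if n_masters < 1 or size < 1:
        raise ValueError("need at least one master and a positive range size")
    return [(floor + i * size, floor + (i + 1) * size - 1) for i in range(n_masters)]


def ranges_disjoint(ranges):
    """True when no two (lo, hi) ranges share a value."""
    s = sorted(ranges)
    return all(s[i][1] < s[i + 1][0] for i in range(len(s) - 1))


def dna_ldif(next_value, max_value, dn):
    """LDIF modify for one DNA entry; apply with: ldapmodify -x -D "cn=Directory Manager" -W -f FILE"""
    return (
        f"dn: {dn}\n"
        "changetype: modify\n"
        "replace: dnaNextValue\n"
        f"dnaNextValue: {next_value}\n"
        "-\n"
        "replace: dnaMaxValue\n"
        f"dnaMaxValue: {max_value}\n"
        "\n"
    )


def plan_for_masters(masters, passwd=CLIENT_PASSWD, group=CLIENT_GROUP, size=100000, round_to=100000):
    """Return {master: (dnaNextValue, dnaMaxValue, ldif_text)} with a floor above all local IDs."""
    highest = max(max_id(passwd), max_id(group))
    floor = (highest // round_to + 1) * round_to          # next round boundary above the highest ID
    ranges = plan_ranges(len(masters), floor, size)
    if not ranges_disjoint(ranges):
        raise RuntimeError("range planning produced an overlap")
    plan = {}
    for master, (lo, hi) in zip(masters, ranges):
        ldif = dna_ldif(lo, hi, DNA_ACCOUNTS_DN) + dna_ldif(lo, hi, DNA_GROUPS_DN)
        plan[master] = (lo, hi, ldif)
    return plan


if __name__ == "__main__":
    for master, (lo, hi, ldif) in plan_for_masters(["ipa1", "ipa2", "ipa3"]).items():
        print(f"# {master}: {lo}-{hi}\n{ldif}")
```

With the sample data the highest local ID is 5100, so the floor rounds up to 100000 and three masters get exactly the A/B/C ranges Simo lists. Note that raising dnaNextValue only affects IDs allocated from then on; entries already created below the floor keep their values and still need to be checked against the clients by hand.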
From ssorce at redhat.com Fri Oct 10 14:03:30 2008 From: ssorce at redhat.com (Simo Sorce) Date: Fri, 10 Oct 2008 10:03:30 -0400 Subject: [Freeipa-users] Windows Kerberos auth to IPA In-Reply-To: <48EEE90D.9070605@vulturest.com> References: <48ED4E2D.3010308@vulturest.com> <1223544087.27224.4.camel@hopeson> <48EEA14C.3080301@vulturest.com> <48EEE90D.9070605@vulturest.com> Message-ID: <1223647410.27822.54.camel@hopeson> On Fri, 2008-10-10 at 15:33 +1000, Johan Venter wrote: > Johan Venter wrote: > > Simo Sorce wrote: > >> The latest ipa-getkeytab should allow you to specify a password. > > > How would I go about getting this latest version (can I just update the > > one executable or do I have to find a way to update the whole of IPA?) > > onto a server so I can use ipa-getkeytab to give a host principal a > > password? > > Ok, so I got recent source for ipa-getkeytab.c from Trac and > incorporated that into my RPM build. I read through the source and > didn't see that it required any special dependencies. > > I used ipa-getkeytab like this to set the password for the host > principal of the Windows machine: > > # ipa-getkeytab -s kdc.example.local -p host/windowshost.example.local > -k keys.txt -P > > and set the password to 'password'. > > On the Windows machine I issued: > > ksetup /setdomain EXAMPLE.LOCAL > ksetup /addkdc EXAMPLE.LOCAL kdc.example.local > ksetup /setcomputerpassword password > ksetup /mapuser * Administrator > > Rebooted the Windows machine and tried to login with a Keberos user. 
In > the /var/log/krb5kdc.log on the IPA server I see: > > Oct 10 15:18:09 kdc.example.local krb5kdc[26526](info): AS_REQ (7 etypes > {23 -133 -128 3 1 24 -135}) 172.17.16.16: NEEDED_PREAUTH: > testuser at EXAMPLE.LOCAL for krbtgt/EXAMPLE.LOCAL at EXAMPLE.LOCAL, > Additional pre-authentication required > Oct 10 15:18:09 kdc.example.local krb5kdc[26526](info): AS_REQ (7 etypes > {23 -133 -128 3 1 24 -135}) 172.17.16.16: NEEDED_PREAUTH: > testuser at EXAMPLE.LOCAL for krbtgt/EXAMPLE.LOCAL at EXAMPLE.LOCAL, > Additional pre-authentication required > Oct 10 15:18:09 kdc.example.local krb5kdc[26526](info): AS_REQ (3 etypes > {23 3 1}) 172.17.16.16: ISSUE: authtime 1223615889, etypes {rep=23 > tkt=18 ses=23}, testuser at EXAMPLE.LOCAL for > krbtgt/EXAMPLE.LOCAL at EXAMPLE.LOCAL > Oct 10 15:18:09 kdc.example.local krb5kdc[26526](info): AS_REQ (3 etypes > {23 3 1}) 172.17.16.16: ISSUE: authtime 1223615889, etypes {rep=23 > tkt=18 ses=23}, testuser at EXAMPLE.LOCAL for > krbtgt/EXAMPLE.LOCAL at EXAMPLE.LOCAL > Oct 10 15:18:09 kdc.example.local krb5kdc[26526](info): TGS_REQ (5 > etypes {23 3 1 24 -135}) 172.17.16.16: ISSUE: authtime 1223615889, > etypes {rep=23 tkt=18 ses=23}, testuser at EXAMPLE.LOCAL for > host/windowshost.example.local at EXAMPLE.LOCAL > Oct 10 15:18:09 kdc.example.local krb5kdc[26526](info): TGS_REQ (5 > etypes {23 3 1 24 -135}) 172.17.16.16: ISSUE: authtime 1223615889, > etypes {rep=23 tkt=18 ses=23}, testuser at EXAMPLE.LOCAL for > host/windowshost.example.local at EXAMPLE.LOCAL > > Which all looks good to me (obviously I'm not using example.local and > EXAMPLE.LOCAL, but I've modified the log output to protect my client), > but it refuses to log in. Windows reports "The system could not log you > on. Make sure your User name and domain are correct, then type your > password again. Letters in passwords must be typed using the correct case." 
>
> I have:
> - checked that forward and reverse DNS is correct for all involved
> - changed the user password a dozen times
> - tried various different user mappings with ksetup
> - ensured the Windows time is correct (NTP'ing to IPA server)
>
> Please help me to get this to work, it's driving me nuts - there's no
> errors anywhere and as far as I can see the Windows host is getting
> issued the appropriate tickets.

The krb5kdc output seems indeed all correct.
Have you tested that the ipa-getkeytab binary generated a valid key?
I think I needed to fix a bug in the server to correctly generate a
keytab when a password was specified. If you don't have this fix in the
server you might get back a bogus ticket that cannot be verified.

To test if the machine key is good, just run:

kinit host/windowshost.example.local@EXAMPLE.LOCAL

And provide the password you set. If you get back a ticket, that is
good; otherwise that's the problem.

Simo.

From levchenko.i at gmail.com Mon Oct 13 21:47:16 2008
From: levchenko.i at gmail.com (Ivan Levchenko)
Date: Tue, 14 Oct 2008 00:47:16 +0300
Subject: [Freeipa-users] mod_authz_ldap authentication against ipa
Message-ID:

Hi,

I'm trying to set up apache authentication via mod_authz_ldap, but I'm
having some problems with it.
I've set up apache as per
http://directory.fedoraproject.org/wiki/Howto:Apache, changed the
AuthzLDAPUserBase directive to
cn=users,cn=accounts,dc=example,dc=com, but it's not authenticating...

After reading the docs for mod_authz_ldap, it says:
The password is verified by binding to the directory as the user whose
distinguished name was found in the previous step, with the password
from the login dialog.

I've tried to connect to the ldap server using a regular user created
via the web interface and I was not able to.

Am I doing something wrong, or is it not possible to authenticate
against ldap and I should only use kerberos?

Thanks in advance.
--

Best Regards,

Ivan Levchenko
levchenko.i at gmail.com

From levchenko.i at gmail.com Mon Oct 13 23:44:34 2008
From: levchenko.i at gmail.com (Ivan Levchenko)
Date: Tue, 14 Oct 2008 02:44:34 +0300
Subject: [Freeipa-users] Re: mod_authz_ldap authentication against ipa
In-Reply-To:
References:
Message-ID:

On Tue, Oct 14, 2008 at 12:47 AM, Ivan Levchenko wrote:
> Hi,
>
> I'm trying to set up apache authentication via mod_authz_ldap, but I'm
> having some problems with it.
> I've set up apache as per
> http://directory.fedoraproject.org/wiki/Howto:Apache, changed the
> AuthzLDAPUserBase directive to
> cn=users,cn=accounts,dc=example,dc=com, but it's not authenticating...
>
> After reading the docs for mod_authz_ldap, it says:
> The password is verified by binding to the directory as the user whose
> distinguished name was found in the previous step, with the password
> from the login dialog.
>
> I've tried to connect to the ldap server using a regular user created
> via the web interface and I was not able to.
>
> Am I doing something wrong, or is it not possible to authenticate
> against ldap and I should only use kerberos?
>
> Thanks in advance.
> --
>
> Best Regards,
>
> Ivan Levchenko
> levchenko.i at gmail.com
>

Another thing...

Trying to use authentication when doing a regular ldapsearch:

ldapsearch -v -x -W -h master.example.com -D "uid=ivan,cn=users,cn=accounts,dc=example,dc=com" -b "cn=users,cn=accounts,dc=example,dc=com" uid=ivan
ldap_initialize( ldap://master.example.com )
Enter LDAP Password:
ldap_bind: Invalid credentials (49)

... a bit lost why it isn't authenticating....
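The failed simple bind above is the symptom the rest of this thread traces to a user entry whose userPassword attribute is missing or out of step with the Kerberos key: an account with only a krbPrincipalName can kinit but cannot simple-bind, and every password-based LDAP consumer (mod_authz_ldap included) fails with "Invalid credentials (49)". An administrator can find such accounts in bulk from an LDIF export instead of waiting for users to report it. The script below is an added example, not code from the list or from the FreeIPA project; it parses a constructed LDIF export (a real one would come from a search bound as Directory Manager, because ordinary users cannot read userPassword) and lists the posixAccount entries that carry no userPassword. The DNs reuse the example.com naming from Ivan's ldapsearch; the hash value is a constructed placeholder.

```python
"""Find IPA user entries that have no userPassword attribute (added example)."""
import base64


def _add_attribute(entry, line):
    """Store one unfolded 'attr: value' or 'attr:: base64' line in entry."""
    if not line or line[0] == "#" or line.startswith("version:"):
        return
    name, _, value = line.partition(":")
    if value.startswith(":"):                       # 'attr:: <base64>'
        value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
    else:
        value = value.strip()
    entry.setdefault(name.strip().lower(), []).append(value)


def parse_ldif(text):
    """Minimal LDIF reader: returns a list of {attribute: [values]} dicts.

    Folded lines (a leading space continues the previous line) are joined
    before parsing; records are separated by blank lines.
    """
    entries, entry, folded = [], {}, []
    for raw in text.splitlines() + [""]:            # sentinel flushes the last record
        if raw.startswith(" ") and folded:
            folded.append(raw[1:])
            continue
        if folded:
            _add_attribute(entry, "".join(folded))
            folded = []
        if raw == "":
            if entry:
                entries.append(entry)
                entry = {}
        else:
            folded = [raw]
    return entries


def accounts_without_ldap_password(ldif_text):
    """DNs of posixAccount entries that cannot simple-bind because userPassword is unset."""
    missing = []
    for entry in parse_ldif(ldif_text):
        classes = {c.lower() for c in entry.get("objectclass", [])}
        if "posixaccount" in classes and not entry.get("userpassword"):
            missing.append(entry["dn"][0])
    return missing


# Constructed sample export; in a real deployment this comes from a search
# bound as Directory Manager, since ordinary users cannot read userPassword.
SAMPLE_LDIF = """\
version: 1

dn: uid=ivan,cn=users,cn=accounts,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: krbPrincipalAux
uid: ivan
cn: Ivan Levchenko
krbPrincipalName: ivan@EXAMPLE.COM
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/ivan
description: Test account created via the
  web interface

dn: uid=admin,cn=users,cn=accounts,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: posixAccount
uid: admin
cn: Administrator
userPassword:: e1NTSEF9Y29uc3RydWN0ZWQtc2FtcGxlLWhhc2g=
uidNumber: 999
gidNumber: 999
homeDirectory: /home/admin

dn: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com
objectClass: top
objectClass: posixGroup
cn: ipausers
gidNumber: 1001
"""

if __name__ == "__main__":
    for dn in accounts_without_ldap_password(SAMPLE_LDIF):
        print("no userPassword:", dn)
```

Running it against the constructed export reports only uid=ivan; the group entry is skipped because it is not a posixAccount. In practice the export is the output of the Directory Manager ldapsearch Rob suggests later in the thread, widened to the whole users container and written out as LDIF.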
From mythtv at vulturest.com Mon Oct 13 23:52:18 2008
From: mythtv at vulturest.com (Johan Venter)
Date: Tue, 14 Oct 2008 09:52:18 +1000
Subject: [Freeipa-users] Windows Kerberos auth to IPA
In-Reply-To: <1223647410.27822.54.camel@hopeson>
References: <48ED4E2D.3010308@vulturest.com> <1223544087.27224.4.camel@hopeson> <48EEA14C.3080301@vulturest.com> <48EEE90D.9070605@vulturest.com> <1223647410.27822.54.camel@hopeson>
Message-ID: <48F3DF32.9030305@vulturest.com>

Simo Sorce wrote:
>> Please help me to get this to work, it's driving me nuts - there's no
>> errors anywhere and as far as I can see the Windows host is getting
>> issued the appropriate tickets.
>
> The krb5kdc output seems indeed all correct.
> Have you tested that the ipa-getkeytab binary generated a valid key?
> I think I needed to fix a bug in the server to correctly generate a
> keytab when a password was specified. If you don't have this fix in the
> server you might get back a bogus ticket that cannot be verified.

Ok, I worked it out. By default the ipa-getkeytab is generating the host
principal keys in a bunch of different encryption formats, none of which
Windows supports. So, by adding -e des-cbc-crc (from memory, not sure if
that's exactly right) to the ipa-getkeytab command line I got Windows to
log in immediately to the Kerberos realm.

Obviously, my group mapping requirements won't be solved any time soon,
but /mapuser * Administrator has given me 99% of the single sign on
requirement.

So to recap, if you want Windows to log into an IPA Kerberos realm,
generate keytabs with keys in less secure encryptions (yay, go Windows)
- no AES, no 3DES, Windows (at least Server 2003) does not support them.

Thanks for your help, Simo.

Johan.
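Johan's fix comes down to which encryption types the host principal's keytab holds, and the KDC log he posted already hinted at it: the Windows client offered only RC4 and DES etypes (23, 3, 1) while the host ticket was issued with tkt=18, AES-256. Christian's follow-up below notes that newer Windows versions do support AES, so the right long-term answer is to audit what a keytab contains rather than to default to DES. The parser below is an added example, not code from the list or from the FreeIPA project. It reads the MIT keytab v2 format (magic 0x0502) that ipa-getkeytab and kadmin write, lists the enctypes per principal, and flags single DES, RC4 and 3DES keys, which are deprecated by RFC 6649 and RFC 8429. The keytab it examines is constructed in the block with dummy key bytes; the principal names reuse Johan's example.local names and the build_keytab helper exists only to produce that sample.

```python
"""Audit the encryption types stored in an MIT keytab (added example)."""
import struct
import time

# Kerberos enctype numbers from the IANA registry (RFC 3961/3962/4757).
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
    16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac",
}
# Single DES (RFC 6649) plus RC4 and 3DES (RFC 8429) are deprecated.
WEAK_ENCTYPES = {1, 2, 3, 16, 23}


def _counted(data):
    """Keytab 'counted octet string': 16-bit big-endian length + bytes."""
    return struct.pack(">H", len(data)) + data


def _read_counted(data, pos):
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n


def build_keytab(entries):
    """Serialise (principal, enctype, key, kvno) tuples as a v2 keytab.
    Used here only to construct sample input; real keytabs come from ipa-getkeytab."""
    out = b"\x05\x02"                                  # format version 0x0502
    for principal, enctype, key, kvno in entries:
        name, realm = principal.rsplit("@", 1)
        components = name.split("/")
        body = struct.pack(">H", len(components)) + _counted(realm.encode())
        for component in components:
            body += _counted(component.encode())
        body += struct.pack(">II", 1, int(time.time()))  # NT-PRINCIPAL, timestamp
        body += struct.pack(">B", kvno & 0xFF)            # 8-bit kvno
        body += struct.pack(">H", enctype) + _counted(key)
        body += struct.pack(">I", kvno)                   # 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body
    return out


def parse_keytab(data):
    """Return one dict per key entry in an MIT keytab (version 0x0502)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is handled")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:                                   # deleted slot: skip its bytes
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_counted(data, pos)
        components = []
        for _ in range(ncomp):
            component, pos = _read_counted(data, pos)
            components.append(component.decode())
        pos += 4                                       # name type, not needed here
        timestamp, kvno = struct.unpack_from(">IB", data, pos)
        pos += 5
        (enctype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        key, pos = _read_counted(data, pos)
        if end - pos >= 4:                             # optional 32-bit kvno wins
            (kvno32,) = struct.unpack_from(">I", data, pos)
            if kvno32:
                kvno = kvno32
        pos = end
        entries.append({"principal": "/".join(components) + "@" + realm.decode(),
                        "enctype": enctype, "kvno": kvno,
                        "key_len": len(key), "timestamp": timestamp})
    return entries


def audit_keytab(data):
    """Per principal: enctype names present and the subset that is deprecated."""
    report = {}
    for entry in parse_keytab(data):
        rec = report.setdefault(entry["principal"], {"enctypes": [], "weak": []})
        name = ENCTYPE_NAMES.get(entry["enctype"], "enctype-%d" % entry["enctype"])
        rec["enctypes"].append(name)
        if entry["enctype"] in WEAK_ENCTYPES:
            rec["weak"].append(name)
    return report


# Constructed sample: the key bytes are dummies, not real Kerberos keys.
SAMPLE_ENTRIES = [
    ("host/windowshost.example.local@EXAMPLE.LOCAL", 1, b"\x01" * 8, 2),
    ("host/windowshost.example.local@EXAMPLE.LOCAL", 23, b"\x02" * 16, 2),
    ("host/windowshost.example.local@EXAMPLE.LOCAL", 18, b"\x03" * 32, 2),
    ("host/linuxhost.example.local@EXAMPLE.LOCAL", 18, b"\x04" * 32, 300),
]
SAMPLE_KEYTAB = build_keytab(SAMPLE_ENTRIES)

if __name__ == "__main__":
    for principal, rec in audit_keytab(SAMPLE_KEYTAB).items():
        print(principal, rec)
```

For a single file, klist -ke prints the same enctype list; the parser is useful when many keytabs have to be checked offline, or when the result should feed a monitoring check. The second principal carries kvno 300 to exercise the 32-bit kvno field that the 8-bit one cannot hold, an inconsistency that shows up as the "Key version number for principal in key table is incorrect" class of error when a keytab and the KDC disagree.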
From chorn at fluxcoil.net Tue Oct 14 07:12:54 2008
From: chorn at fluxcoil.net (Christian Horn)
Date: Tue, 14 Oct 2008 09:12:54 +0200
Subject: [Freeipa-users] Windows Kerberos auth to IPA
In-Reply-To: <48F3DF32.9030305@vulturest.com>
References: <48ED4E2D.3010308@vulturest.com> <1223544087.27224.4.camel@hopeson> <48EEA14C.3080301@vulturest.com> <48EEE90D.9070605@vulturest.com> <1223647410.27822.54.camel@hopeson> <48F3DF32.9030305@vulturest.com>
Message-ID: <20081014071254.GB5138@fluxcoil.net>

On Tue, Oct 14, 2008 at 09:52:18AM +1000, Johan Venter wrote:
>
> So to recap, if you want Windows to log into an IPA Kerberos realm,
> generate keytabs with keys in less secure encryptions (yay, go Windows)
> - no AES, no 3DES, Windows (at least Server 2003) does not support them.

Haven't used it but apparently Windows 2008 / Vista supports AES128/256
for domain members (aes128-cts-hmac-sha1-96 / aes256-cts-hmac-sha1-96):
http://technet.microsoft.com/en-us/library/cc771132.aspx

Christian

From ssorce at redhat.com Tue Oct 14 11:08:21 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 14 Oct 2008 07:08:21 -0400
Subject: [Freeipa-users] Re: mod_authz_ldap authentication against ipa
In-Reply-To:
References:
Message-ID: <1223982501.28298.2.camel@hopeson>

On Tue, 2008-10-14 at 02:44 +0300, Ivan Levchenko wrote:
> On Tue, Oct 14, 2008 at 12:47 AM, Ivan Levchenko wrote:
> > Hi,
> >
> > I'm trying to set up apache authentication via mod_authz_ldap, but I'm
> > having some problems with it.
> > I've set up apache as per
> > http://directory.fedoraproject.org/wiki/Howto:Apache, changed the
> > AuthzLDAPUserBase directive to
> > cn=users,cn=accounts,dc=example,dc=com, but it's not authenticating...
> >
> > After reading the docs for mod_authz_ldap, it says:
> > The password is verified by binding to the directory as the user whose
> > distinguished name was found in the previous step, with the password
> > from the login dialog.
> >
> > I've tried to connect to the ldap server using a regular user created
> > via the web interface and I was not able to.
> >
> > Am I doing something wrong, or is it not possible to authenticate
> > against ldap and I should only use kerberos?
> >
> > Thanks in advance.
> > --
> >
> > Best Regards,
> >
> > Ivan Levchenko
> > levchenko.i at gmail.com
> >
>
> Another thing...
>
> Trying to use authentication when doing a regular ldapsearch:
>
> ldapsearch -v -x -W -h master.example.com -D
> "uid=ivan,cn=users,cn=accounts,dc=example,dc=com" -b
> "cn=users,cn=accounts,dc=example,dc=com" uid=ivan
> ldap_initialize( ldap://master.example.com )
> Enter LDAP Password:
> ldap_bind: Invalid credentials (49)
>
> ... a bit lost why it isn't authenticating....

Kerberos auth is the recommended one.
Though simple auth should work too.

Simo.

From rcritten at redhat.com Tue Oct 14 13:34:36 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 14 Oct 2008 09:34:36 -0400
Subject: [Freeipa-users] Re: mod_authz_ldap authentication against ipa
In-Reply-To:
References:
Message-ID: <48F49FEC.7090108@redhat.com>

Ivan Levchenko wrote:
> On Tue, Oct 14, 2008 at 12:47 AM, Ivan Levchenko wrote:
>> Hi,
>>
>> I'm trying to set up apache authentication via mod_authz_ldap, but I'm
>> having some problems with it.
>> I've set up apache as per
>> http://directory.fedoraproject.org/wiki/Howto:Apache, changed the
>> AuthzLDAPUserBase directive to
>> cn=users,cn=accounts,dc=example,dc=com, but it's not authenticating...
>>
>> After reading the docs for mod_authz_ldap, it says:
>> The password is verified by binding to the directory as the user whose
>> distinguished name was found in the previous step, with the password
>> from the login dialog.
>>
>> I've tried to connect to the ldap server using a regular user created
>> via the web interface and I was not able to.
>>
>> Am I doing something wrong, or is it not possible to authenticate
>> against ldap and I should only use kerberos?
>>
>> Thanks in advance.
>> --
>>
>> Best Regards,
>>
>> Ivan Levchenko
>> levchenko.i at gmail.com
>>
>
> Another thing...
>
> Trying to use authentication when doing a regular ldapsearch:
>
> ldapsearch -v -x -W -h master.example.com -D
> "uid=ivan,cn=users,cn=accounts,dc=example,dc=com" -b
> "cn=users,cn=accounts,dc=example,dc=com" uid=ivan
> ldap_initialize( ldap://master.example.com )
> Enter LDAP Password:
> ldap_bind: Invalid credentials (49)
>
> ... a bit lost why it isn't authenticating....

This should work. It appears that your password is wrong (or missing).

Can you verify that you have an LDAP password attribute set on this entry?

ldapsearch -x -W -D "cn=directory manager" -b "dc=example,dc=com" uid=ivan userPassword

You might also try changing your password to see if that helps. We have
a plugin that is supposed to keep the kerberos principal password and
the basic auth password the same.

As Simo mentioned, you can alternatively use mod_auth_kerb for kerberos auth.

rob

From levchenko.i at gmail.com Tue Oct 21 20:52:01 2008
From: levchenko.i at gmail.com (Ivan Levchenko)
Date: Tue, 21 Oct 2008 23:52:01 +0300
Subject: [Freeipa-users] Re: mod_authz_ldap authentication against ipa
In-Reply-To: <48F49FEC.7090108@redhat.com>
References: <48F49FEC.7090108@redhat.com>
Message-ID:

On Tue, Oct 14, 2008 at 4:34 PM, Rob Crittenden wrote:
>
> This should work. It appears that your password is wrong (or missing).
>
> Can you verify that you have an LDAP password attribute set on this entry?
>
> ldapsearch -x -W -D "cn=directory manager" -b "dc=example,dc=com" uid=ivan
> userPassword
>
> You might also try changing your password to see if that helps. We have a
> plugin that is supposed to keep the kerberos principal password and the
> basic auth password the same.
>
> As Simo mentioned, you can alternatively use mod_auth_kerb for kerberos
> auth.
>
> rob
>

That query doesn't return anything. I have already changed the password
for my user twice.. so that doesn't help.. any way to manually make ldap
and kerberos sync passwords?

Thanks in advance.

Ivan

From rcritten at redhat.com Tue Oct 21 21:13:49 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 21 Oct 2008 17:13:49 -0400
Subject: [Freeipa-users] Re: mod_authz_ldap authentication against ipa
In-Reply-To:
References: <48F49FEC.7090108@redhat.com>
Message-ID: <48FE460D.404@redhat.com>

Ivan Levchenko wrote:
> On Tue, Oct 14, 2008 at 4:34 PM, Rob Crittenden wrote:
>> This should work. It appears that your password is wrong (or missing).
>>
>> Can you verify that you have an LDAP password attribute set on this entry?
>>
>> ldapsearch -x -W -D "cn=directory manager" -b "dc=example,dc=com" uid=ivan
>> userPassword
>>
>> You might also try changing your password to see if that helps. We have a
>> plugin that is supposed to keep the kerberos principal password and the
>> basic auth password the same.
>>
>> As Simo mentioned, you can alternatively use mod_auth_kerb for kerberos
>> auth.
>>
>> rob
>>
>
> That query doesn't return anything. I have already changed the
> password for my user twice.. so that doesn't help.. any way to
> manually make ldap and kerberos sync passwords?
>
> Thanks in advance.

If it isn't returning anything then it means that the attribute doesn't
exist which explains why LDAP authentication isn't working.

What I don't understand is how this can be. From my reading of the
password change plugin it should always set the userPassword attribute.

You might try:

% kinit admin@YOUR_REALM
% ldappasswd -S -Y GSSAPI dn_of_user

And see if that adds the userPassword attribute to the entry.

rob

From levchenko.i at gmail.com Tue Oct 21 21:27:44 2008
From: levchenko.i at gmail.com (Ivan Levchenko)
Date: Wed, 22 Oct 2008 00:27:44 +0300
Subject: [Freeipa-users] Re: mod_authz_ldap authentication against ipa
In-Reply-To: <48FE460D.404@redhat.com>
References: <48F49FEC.7090108@redhat.com> <48FE460D.404@redhat.com>
Message-ID:

On Wed, Oct 22, 2008 at 12:13 AM, Rob Crittenden wrote:
>
> If it isn't returning anything then it means that the attribute doesn't
> exist which explains why LDAP authentication isn't working.

Err.. sorry for misinforming you.. I had a typo in the command, that's
why it didn't return anything.
With the correct command, it returns some sort of hash.

>
> What I don't understand is how this can be. From my reading of the password
> change plugin it should always set the userPassword attribute.
>
> You might try:
>
> % kinit admin@YOUR_REALM
> % ldappasswd -S -Y GSSAPI dn_of_user

Now it works! I reset my password with this, and the ldap search now
authenticates and so does apache. So it looks like kerberos and ldap
are out of sync... any more troubleshooting I can do to help identify
the issue? (I promise to double-check before pressing enter!)

>
> And see if that adds the userPassword attribute to the entry.
>
> rob
>

Thanks!

From rcritten at redhat.com Wed Oct 22 13:27:31 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 22 Oct 2008 09:27:31 -0400
Subject: [Freeipa-users] Re: mod_authz_ldap authentication against ipa
In-Reply-To:
References: <48F49FEC.7090108@redhat.com> <48FE460D.404@redhat.com>
Message-ID: <48FF2A43.50608@redhat.com>

Ivan Levchenko wrote:
> On Wed, Oct 22, 2008 at 12:13 AM, Rob Crittenden wrote:
>> If it isn't returning anything then it means that the attribute doesn't
>> exist which explains why LDAP authentication isn't working.
> Err.. sorry for misinforming you.. I had a typo in the command, that's
> why it didn't return anything.
> With the correct command, it returns some sort of hash.
Well, that hash was your old LDAP password.

>> What I don't understand is how this can be. From my reading of the password
>> change plugin it should always set the userPassword attribute.
>>
>> You might try:
>>
>> % kinit admin@YOUR_REALM
>> % ldappasswd -S -Y GSSAPI dn_of_user
> Now it works! I reset my password with this, and the ldap search now
> authenticates and so does apache. So it looks like kerberos and ldap
> are out of sync... any more troubleshooting I can do to help identify
> the issue? (I promise to double-check before pressing enter!)

I'm not sure how this would happen, nor why ldappasswd would fix it. I
think we'll need to try to reproduce it. I'm not even sure what I'd
suggest for debugging other than really complex things.

Let me try to clarify the things you found though:

You found that your user couldn't authenticate via LDAP but could use kinit.
You used the kpasswd tool to reset your kerberos credentials.
You could kinit with the new password but LDAP authentication still failed.
When you use ldappasswd you could authenticate using LDAP and kinit.

Did you use a different password each time you changed or were you
resetting to the same password?

rob

From n.gresham at manchester.ac.uk Thu Oct 23 17:00:29 2008
From: n.gresham at manchester.ac.uk (Nick Gresham)
Date: Thu, 23 Oct 2008 18:00:29 +0100
Subject: [Freeipa-users] pam settings for changing password under FreeIPA
Message-ID: <4900ADAD.1060200@manchester.ac.uk>

Hi,

As I mentioned previously, I've been trialling FreeIPA for the
Bioinformatics Group at Manchester University.

Generally, things are going well: our primary FreeIPA server is a Fedora
9 machine, and we are replicating matters over to a Centos 5.2 box (we
built and installed the RPMs from the freeipa-1.1.1 release on these).
Where we are hitting trouble, however, is in devising the correct pam
and ssh settings to allow users to reset their passwords on client
machines (which could be their desktops or servers that they access
remotely over ssh).

We are even having trouble with the case where the client is a Fedora 9 VM.

Here we have in /etc/pam.d/system-auth:

password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok \
    try_first_pass \ use_authtok
password sufficient pam_krb5.so use_authtok
password required pam_ldap.so try_first_pass use_authtok
password required pam_deny.so

And in /etc/ssh/sshd:

PasswordAuthentication no
ChallengeResponseAuthentication yes
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication no
GSSAPICleanupCredentials yes
UsePAM yes

Now when a user whose password has been reset on one of the freeipa
servers attempts to log in, he or she is informed that the password
expired, and is prompted to change it; the change fails with errors like

Oct 23 17:47:42 c*******h sshd[20920]: pam_unix(sshd:chauthtok): user "m****" does not exist in /etc/passwd
Oct 23 17:48:14 c*******h sshd[20920]: pam_krb5[20920]: password change failed for m****@S***H.MAN.AC.UK: Cannot contact any KDC for requested realm
Oct 23 17:48:14 c*******h sshd[20918]: error: PAM: Authentication token manipulation error for m**** from l***.s***h.man.ac.uk

on the client, and

Oct 23 17:47:59 i*******h kpasswd[27429]: Unable to read request: Key version number for principal in key table is incorrect

on the freeipa server.

In fact the only case where we have this working at present is when the
client is OpenSuSE-11: that is using pam_krb5-2.2.22-35.2.

Could anyone suggest some guidelines for arriving at the winning
combination of settings?

Many thanks in advance,

[NG]
--
N.J. Gresham
FLS/IS AIO Systems Administration and Support
University of Manchester
Faculty of Life Sciences
int: 7759349 ext: 0790-989-3684

From rcritten at redhat.com Thu Oct 23 18:52:18 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 23 Oct 2008 14:52:18 -0400
Subject: [Freeipa-users] pam settings for changing password under FreeIPA
In-Reply-To: <4900ADAD.1060200@manchester.ac.uk>
References: <4900ADAD.1060200@manchester.ac.uk>
Message-ID: <4900C7E2.8020706@redhat.com>

Nick Gresham wrote:
> Hi,
>
> As I mentioned previously, I've been trialling FreeIPA for the
> Bioinformatics Group at Manchester University.
>
> Generally, things are going well: our primary FreeIPA server is a Fedora
> 9 machine, and we are replicating matters over to a Centos 5.2 box (we
> built and installed the RPMs from the freeipa-1.1.1 release on these).
>
> Where we are hitting trouble, however, is in devising the correct pam
> and ssh settings to allow users to reset their passwords on client
> machines (which could be their desktops or servers that they access
> remotely over ssh).
>
> We are even having trouble with the case where the client is a Fedora 9 VM.
>
> Here we have in /etc/pam.d/system-auth:
>
> password requisite pam_cracklib.so try_first_pass retry=3
> password sufficient pam_unix.so md5 shadow nullok \
> try_first_pass \ use_authtok
> password sufficient pam_krb5.so use_authtok
> password required pam_ldap.so try_first_pass use_authtok
> password required pam_deny.so
>
> And in /etc/ssh/sshd:
>
> PasswordAuthentication no
> ChallengeResponseAuthentication yes
> #KerberosAuthentication no
> #KerberosOrLocalPasswd yes
> #KerberosTicketCleanup yes
> #KerberosGetAFSToken no
> # GSSAPI options
> #GSSAPIAuthentication no
> GSSAPIAuthentication no
> GSSAPICleanupCredentials yes
> UsePAM yes
>
> Now when a user whose password has been reset on one of the freeipa
> servers attempts to log in, he or she is informed that the password
> expired, and is prompted to change it, the change fails with errors like
>
> Oct 23 17:47:42 c*******h sshd[20920]: pam_unix(sshd:chauthtok): user
> "m****" does not exist in /etc/passwd
> Oct 23 17:48:14 c*******h sshd[20920]: pam_krb5[20920]: password change
> failed for m****@S***H.MAN.AC.UK: Cannot contact any KDC for requested realm
> Oct 23 17:48:14 c*******h sshd[20918]: error: PAM: Authentication token
> manipulation error for m**** from l***.s***h.man.ac.uk
>
> on the client, and
>
> Oct 23 17:47:59 i*******h kpasswd[27429]: Unable to read request: Key
> version number for principal in key table is incorrect
>
> on the freeipa server.
>
> In fact the only case where we have this working at present is when the
> client is OpenSuSE-11: that is using pam_krb5-2.2.22-35.2.
>
> Could anyone suggest some guidelines for arriving at the winning
> combination of settings?
>

So it works on a SuSE client but not others, even now? You can go to
non-SuSE and it fails and then go to SuSE and it works?
Is there anything in the KDC error log: /var/log/krb5kdc.log

rob

From n.gresham at manchester.ac.uk Fri Oct 24 11:38:07 2008
From: n.gresham at manchester.ac.uk (Nick Gresham)
Date: Fri, 24 Oct 2008 12:38:07 +0100
Subject: [Freeipa-users] pam settings for changing password under FreeIPA
In-Reply-To: <4900C7E2.8020706@redhat.com>
References: <4900ADAD.1060200@manchester.ac.uk> <4900C7E2.8020706@redhat.com>
Message-ID: <4901B39F.5020905@manchester.ac.uk>

>
> So it works on a SuSE client but not others, even now? You can go to
> non-SuSE and it fails and then go to SuSE and it works?
>

That's right: at present the password changing procedure only works with
an OpenSuSE client, e.g.

Password:
Warning: password has expired.
New Password:
Reenter New Password:
LDAP password information changed for m*****
Last login: Wed Oct 22 14:03:04 2008 from l***.s****.man.ac.uk
Have a lot of fun...

The OpenSuSE settings in /etc/pam.d/common-password are as follows:

password requisite pam_pwcheck.so cracklib
password sufficient pam_unix2.so use_authtok
password sufficient pam_krb5.so
password required pam_ldap.so try_first_pass \
    use_authtok

but transplanting these to the Fedora 9 machine referred to above results in

Password:
Warning: password has expired.
Password:

etc...

> Is there anything in the KDC error log: /var/log/krb5kdc.log
>
> rob

The server-side logs look OK, e.g.

10.******: NEEDED_PREAUTH: m****@S****.MAN.AC.UK for kadmin/changepw@SMITH.MAN.AC.UK, Additional pre-authentication required
Oct 24 12:26:02 i*******.s****.man.ac.uk krb5kdc[18404](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.**.**.67: NEEDED_PREAUTH: m*****@SMITH.MAN.AC.UK for kadmin/changepw@SMITH.MAN.AC.UK, Additional pre-authentication required
Oct 24 12:26:53 i**********.s****.man.ac.uk krb5kdc[18404](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 10.*.*.249: CLIENT KEY EXPIRED: m*****@SMITH.MAN.AC.UK for krbtgt/SMITH.MAN.AC.UK@SMITH.MAN.AC.UK, Password has expired
Oct 24 12:26:53 i**********.s****.man.ac.uk krb5kdc[18404](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 10.*.*.249: CLIENT KEY EXPIRED: m*****@SMITH.MAN.AC.UK for krbtgt/SMITH.MAN.AC.UK@SMITH.MAN.AC.UK, Password has expired
Oct 24 12:26:53 i**********.s****.man.ac.uk krb5kdc[18404](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 10.*.*.249: NEEDED_PREAUTH: m*****@SMITH.MAN.AC.UK for kadmin/changepw@SMITH.MAN.AC.UK, Additional pre-authentication required
Oct 24 12:26:53 i**********.s****.man.ac.uk krb5kdc[18404](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 10.*.*.249: NEEDED_PREAUTH: m*****@SMITH.MAN.AC.UK for kadmin/changepw@SMITH.MAN.AC.UK, Additional pre-authentication required
Oct 24 12:26:53 i**********.s****.man.ac.uk krb5kdc[18404](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 10.*.*.249: ISSUE: authtime 1224847613, etypes {rep=18 tkt=18 ses=18}, m*****@SMITH.MAN.AC.UK for kadmin/changepw@SMITH.MAN.AC.UK
Oct 24 12:26:53 i**********.s****.man.ac.uk krb5kdc[18404](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 10.*.*.249: ISSUE: authtime 1224847613, etypes {rep=18 tkt=18 ses=18}, m*****@s****.man.ac.uk for kadmin/changepw@s****.man.ac.uk

I believe it is a question of juggling the different sshd/pam settings
for different distros with their respective versions of pam_krb5. Does
anyone have some working settings for Fedora or RHEL5 that they could
post?

Regards
[NG]

N.J. Gresham
FLS/IS AIO Systems Administration and Support
University of Manchester
Faculty of Life Sciences
int: 7759349 ext: 0790-989-3684

From ssorce at redhat.com Fri Oct 24 12:17:53 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 24 Oct 2008 08:17:53 -0400
Subject: [Freeipa-users] pam settings for changing password under FreeIPA
In-Reply-To: <4901B39F.5020905@manchester.ac.uk>
References: <4900ADAD.1060200@manchester.ac.uk> <4900C7E2.8020706@redhat.com> <4901B39F.5020905@manchester.ac.uk>
Message-ID: <1224850673.9303.142.camel@hopeson>

On Fri, 2008-10-24 at 12:38 +0100, Nick Gresham wrote:
> >
> > So it works on a SuSE client but not others, even now? You can go to
> > non-SuSE and it fails and then go to SuSE and it works?
> >
>
> That's right: at present the password changing procedure only works with
> an OpenSuSE client, e.g.
>
> Password:
> Warning: password has expired.
> New Password:
> Reenter New Password:
> LDAP password information changed for m*****
> Last login: Wed Oct 22 14:03:04 2008 from l***.s****.man.ac.uk
> Have a lot of fun...

This is working because you are doing a password change over ldap and
not using kerberos.

From the other email I have the impression that your ipa_kpasswd daemon
has an invalid keytab and cannot successfully authenticate to ldap to
perform the password change.

Not sure why that happened.

You might try to use kadmin.local in this case to create a new secret
for kpasswd/changepw@REALM and dump it in
/var/kerberos/krb5kdc/kpasswd.keytab (make sure to copy it on all
servers).
You are the second who seems to have stumbled on this problem, so it
would be nice to know if you did any particular operation right before
that password change mechanism stopped working?

Simo.

From n.gresham at manchester.ac.uk Fri Oct 24 13:36:14 2008
From: n.gresham at manchester.ac.uk (Nick Gresham)
Date: Fri, 24 Oct 2008 14:36:14 +0100
Subject: [Freeipa-users] pam settings for changing password under FreeIPA
In-Reply-To: <1224850673.9303.142.camel@hopeson>
References: <4900ADAD.1060200@manchester.ac.uk> <4900C7E2.8020706@redhat.com> <4901B39F.5020905@manchester.ac.uk> <1224850673.9303.142.camel@hopeson>
Message-ID: <4901CF4E.6030900@manchester.ac.uk>

Simo Sorce wrote:
> This is working because you are doing a password change over ldap and
> not using kerberos.
>

Ok, that makes sense: presumably when I have matters working I should
comment out the "password required pam_ldap.so" etc. stuff in
common-password.

> From the other email I have the impression that your ipa_kpasswd daemon
> has an invalid keytab and cannot successfully authenticate to ldap to
> perform the password change.
>
> Not sure why that happened.
>
> You might try to use kadmin.local in this case to create a new secret
> for kpasswd/changepw@REALM and dump it
> in /var/kerberos/krb5kdc/kpasswd.keytab (make sure to copy it on all
> servers).
>

Ok done! After resetting the secret for kpasswd/changepw@REALM and
re-extracting the keytab, the password-changing dialog for an ssh session
to the Fedora-9 client now goes like this:

Password: ********
Warning: Your password will expire in less than one hour.
Warning: password has expired.
Kerberos 5 Password: ********
Warning: Your password will expire in less than one hour.
New UNIX password: ******
Retype new UNIX password: ******
Last login: Fri Oct 24 14:08:51 2008 from l***.s***.man.ac.uk

So this is a big improvement, but I am still concerned that it may be
too confusing for our user base, in that they would have to enter the
'old' (i.e. expired) password twice (once at the initial "Password"
prompt and then again after the warnings at the "Kerberos 5 Password"
prompt) before getting to 'New UNIX password' and the actual password
change. Ideally there would just be the initial prompt and warning and
then 'New UNIX password' etc.

Just to reiterate, the Fedora 9 client now has the following in
/etc/pam.d/system-auth:

password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_krb5.so use_authtok
password required pam_deny.so

and in /etc/ssh/sshd_config it has

PasswordAuthentication no
ChallengeResponseAuthentication yes
GSSAPIAuthentication no
GSSAPICleanupCredentials yes
UsePAM yes

My experience here coincides with that of a previous poster to the list:
password changing will not work at all unless
'ChallengeResponseAuthentication yes' is in effect.

> You are the second who seems to have stumbled on this problem, so it
> would be nice to know if you did any particular operation right before
> that password change mechanism stopped working?
>

Not sure how the keytab could have become invalid: but at one point I
did tear down and reinstall freeipa on both machines, so perhaps
something went astray there.

Many thanks for the advice so far,

Regards
[NG]
--
N.J. Gresham
FLS/IS AIO Systems Administration and Support
University of Manchester
Faculty of Life Sciences
int: 7759349 ext: 0790-989-3684

From ssorce at redhat.com Fri Oct 24 14:00:50 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 24 Oct 2008 10:00:50 -0400
Subject: [Freeipa-users] pam settings for changing password under FreeIPA
In-Reply-To: <4901CF4E.6030900@manchester.ac.uk>
References: <4900ADAD.1060200@manchester.ac.uk> <4900C7E2.8020706@redhat.com> <4901B39F.5020905@manchester.ac.uk> <1224850673.9303.142.camel@hopeson> <4901CF4E.6030900@manchester.ac.uk>
Message-ID: <1224856850.9303.162.camel@hopeson>

On Fri, 2008-10-24 at 14:36 +0100, Nick Gresham wrote:
> So this is a big improvement, but I am still concerned that it may be
> too confusing for our user base, in that they would have to enter the
> 'old' (i.e. expired) password twice (once at the initial "Password"
> prompt and then again after the warnings at the "Kerberos 5 Password"
> prompt) before getting to 'New UNIX password' and the actual password
> change.

This is just a matter of configuration of the pam_stack, you want to
probably always attempt first a kerberos password change and a unix
password change only if it fails, as the default case for you is users
coming from IPA not local users.

Simo.
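Both threads above turned on reading /var/log/krb5kdc.log by eye: Johan's Windows client offered only RC4 and DES etypes yet was issued an AES-256 host ticket it could not use, and Nick's expired-password case shows CLIENT KEY EXPIRED followed by the kadmin/changepw exchange. The parser below is an added example, not code from the list or from the FreeIPA project. It turns the AS_REQ/TGS_REQ lines the KDC writes into structured events, counts outcomes per client principal, and applies one heuristic drawn from Johan's case: a service ticket whose enctype is absent from the requesting client's offered list, which matters when the service is the client's own host principal. The sample log reuses the example.local lines quoted in the thread (with the archive's "at" munging reversed and the wrapped lines rejoined) plus one constructed CLIENT KEY EXPIRED line for a made-up example.com realm.

```python
"""Parse krb5kdc.log request lines and flag suspect service tickets (added example)."""
import re
from collections import Counter

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) (?P<kdc>\S+) krb5kdc\[(?P<pid>\d+)\]\(info\): "
    r"(?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<etypes>[^}]*)\}\) (?P<client_ip>\S+): "
    r"(?P<status>[A-Z_ ]+?): (?P<rest>.*)$"
)
ISSUE_RE = re.compile(
    r"^authtime (?P<authtime>\d+), etypes \{rep=(?P<rep>-?\d+) tkt=(?P<tkt>-?\d+) ses=(?P<ses>-?\d+)\}, "
    r"(?P<client>\S+) for (?P<server>\S+)$"
)
DENY_RE = re.compile(r"^(?P<client>\S+) for (?P<server>[^,\s]+)(?:, (?P<reason>.*))?$")


def parse_kdc_line(line):
    """One krb5kdc.log request line -> event dict, or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = {
        "ts": m["ts"], "kdc": m["kdc"], "req": m["req"], "client_ip": m["client_ip"],
        "status": m["status"], "etypes": [int(x) for x in m["etypes"].split()],
    }
    if event["status"] == "ISSUE":
        d = ISSUE_RE.match(m["rest"])
        if d is None:
            return None
        event.update(client=d["client"], server=d["server"], authtime=int(d["authtime"]),
                     rep=int(d["rep"]), tkt=int(d["tkt"]), ses=int(d["ses"]))
    else:
        d = DENY_RE.match(m["rest"])
        if d is None:
            return None
        event.update(client=d["client"], server=d["server"], reason=d["reason"] or "")
    return event


def parse_kdc_log(text):
    return [ev for ev in (parse_kdc_line(line) for line in text.splitlines()) if ev]


def find_suspect_service_tickets(events):
    """TGS ISSUE events whose ticket enctype the requesting client did not offer.

    The ticket is encrypted with the service's key, so this is a heuristic:
    it is decisive when the service runs on the requesting host itself (a
    workstation fetching a ticket for its own host/ principal).
    """
    suspect = []
    for ev in events:
        if ev["req"] != "TGS_REQ" or ev["status"] != "ISSUE":
            continue
        if ev["server"].startswith("krbtgt/"):
            continue
        if ev["tkt"] not in ev["etypes"]:
            suspect.append(ev)
    return suspect


def status_counts(events):
    """(client principal, status) -> count; expired keys and preauth loops stand out."""
    return Counter((ev["client"], ev["status"]) for ev in events)


# Sample lines: the thread's example.local entries, plus one constructed
# CLIENT KEY EXPIRED line for a made-up example.com realm.
SAMPLE_LOG = """\
Oct 10 15:18:09 kdc.example.local krb5kdc[26526](info): AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 172.17.16.16: NEEDED_PREAUTH: testuser@EXAMPLE.LOCAL for krbtgt/EXAMPLE.LOCAL@EXAMPLE.LOCAL, Additional pre-authentication required
Oct 10 15:18:09 kdc.example.local krb5kdc[26526](info): AS_REQ (3 etypes {23 3 1}) 172.17.16.16: ISSUE: authtime 1223615889, etypes {rep=23 tkt=18 ses=23}, testuser@EXAMPLE.LOCAL for krbtgt/EXAMPLE.LOCAL@EXAMPLE.LOCAL
Oct 10 15:18:09 kdc.example.local krb5kdc[26526](info): TGS_REQ (5 etypes {23 3 1 24 -135}) 172.17.16.16: ISSUE: authtime 1223615889, etypes {rep=23 tkt=18 ses=23}, testuser@EXAMPLE.LOCAL for host/windowshost.example.local@EXAMPLE.LOCAL
Oct 24 12:26:53 ipa.example.com krb5kdc[18404](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 10.0.0.249: CLIENT KEY EXPIRED: someuser@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Password has expired
"""

if __name__ == "__main__":
    events = parse_kdc_log(SAMPLE_LOG)
    for ev in find_suspect_service_tickets(events):
        print("ticket for", ev["server"], "uses enctype", ev["tkt"],
              "but client offered", ev["etypes"])
    for (client, status), n in sorted(status_counts(events).items()):
        print(client, status, n)
```

On the sample the only flagged event is the host/windowshost ticket, issued with tkt=18 to a client that offered {23 3 1 24 -135}; that is the mismatch Johan resolved by restricting the host keytab's enctypes. The negative etype numbers are Microsoft-specific values and are kept as signed integers so the membership test stays exact.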
From n.gresham at manchester.ac.uk Tue Oct 28 11:00:28 2008
From: n.gresham at manchester.ac.uk (Nick Gresham)
Date: Tue, 28 Oct 2008 11:00:28 +0000
Subject: [Freeipa-users] pam settings for changing password under FreeIPA
In-Reply-To: <1224856850.9303.162.camel@hopeson>
References: <4900ADAD.1060200@manchester.ac.uk> <4900C7E2.8020706@redhat.com> <4901B39F.5020905@manchester.ac.uk> <1224850673.9303.142.camel@hopeson> <4901CF4E.6030900@manchester.ac.uk> <1224856850.9303.162.camel@hopeson>
Message-ID: <4906F0CC.7040108@manchester.ac.uk>

Simo Sorce wrote:
> This is just a matter of configuration of the pam_stack, you want to
> probably always attempt first a kerberos password change and a unix
> password change only if it fails, as the default case for you is users
> coming from IPA not local users.
>
> Simo.
>

Just for reference, should anyone be interested, the following settings in /etc/pam.d/system-auth seem to work and to hide the "Kerberos 5 Password" stage:

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok no_initial_prompt
password    required      pam_deny.so

Many thanks for the advice given on this list,

[NG]

-- 
N.J. Gresham
FLS/IS AIO Systems Administration and Support
University of Manchester
Faculty of Life Sciences
int: 7759349 ext: 0790-989-3684

From beres.laszlo at sys-admin.hu Wed Oct 29 10:06:43 2008
From: beres.laszlo at sys-admin.hu (Laszlo BERES)
Date: Wed, 29 Oct 2008 11:06:43 +0100
Subject: [Freeipa-users] FreeIPA and freeradius
Message-ID: <490835B3.3070409@sys-admin.hu>

Hi all,

first of all I would like to thank all of you for the great FreeIPA project. Unfortunately, after installing a base environment I've just met some troubles.

My goal is to build an integrated FreeIPA/freeradius combo using Fedora 9 as easily as I can. I've successfully installed all the necessary components, built the base server and tried to run the ipa-radius-install script. The output was:

[root@freeipa ~]# ipa-radius-install
Traceback (most recent call last):
  File "/usr/sbin/ipa-radius-install", line 26, in
    from ipaserver.plugins import radiusinstance
ImportError: No module named plugins

It seems that some python import doesn't work (from ipaserver.plugins import radiusinstance). I tried exporting /usr/share/ipa/ipaserver/plugins via the PYTHONPATH variable, with no success.

Is that a known bug? Do you have any workaround?

-- 
László BÉRES
RHCE, RHCX senior IT engineer, trainer
Red Hat, Fedora, CentOS, SELinux: http://sys-admin.hu

From jdennis at redhat.com Wed Oct 29 13:22:23 2008
From: jdennis at redhat.com (John Dennis)
Date: Wed, 29 Oct 2008 09:22:23 -0400
Subject: [Freeipa-users] FreeIPA and freeradius
In-Reply-To: <490835B3.3070409@sys-admin.hu>
References: <490835B3.3070409@sys-admin.hu>
Message-ID: <4908638F.4020009@redhat.com>

Laszlo BERES wrote:
> Hi all,
>
> first of all I would like to thank all of you for the great FreeIPA
> project. Unfortunately after installing a base environment I've just met
> some troubles.
>
> My goal is to build an integrated FreeIPA/freeradius combo using Fedora
> 9 as easily as I can. I've successfully installed all the necessary
> components, built the base server and tried to run ipa-radius-install
> script. The output was:
>
> [root@freeipa ~]# ipa-radius-install
> Traceback (most recent call last):
>   File "/usr/sbin/ipa-radius-install", line 26, in
>     from ipaserver.plugins import radiusinstance
> ImportError: No module named plugins
>
> It seems that some python import doesn't work (from ipaserver.plugins
> import radiusinstance). I tried exporting
> /usr/share/ipa/ipaserver/plugins via PYTHONPATH variable, with no success.
>
> Is that a known bug? Do you have any workaround?
>
>

Currently there isn't any actual support for Radius in IPA despite the presence of some Radius related files. If the Radius files are showing up in a released version they should be removed. By any chance were you installing from source?

FWIW, we've pushed Radius support out a bit because of unrealistic schedule constraints. If you're interested in contributing to this area please let us know.

-- 
John Dennis

From beres.laszlo at sys-admin.hu Wed Oct 29 14:02:14 2008
From: beres.laszlo at sys-admin.hu (Laszlo BERES)
Date: Wed, 29 Oct 2008 15:02:14 +0100
Subject: [Freeipa-users] FreeIPA and freeradius
In-Reply-To: <4908638F.4020009@redhat.com>
References: <490835B3.3070409@sys-admin.hu> <4908638F.4020009@redhat.com>
Message-ID: <49086CE6.3060906@sys-admin.hu>

John Dennis wrote:
> Currently there isn't any actual support for Radius in IPA despite the
> presence of some Radius related files. If the Radius files are showing
> up in a released version they should be removed. By any chance were you
> installing from source?

Well, that's sad. I was installing from the standard Fedora 9 repository:

ipa-radius-server-1.1.0-7.fc9
ipa-radius-admintools-1.1.0-7.fc9

Isn't it a little misleading?

> FWIW, we've pushed Radius support out a bit because unrealistic schedule
> constraints. If you're interested in contributing to this area please
> let us know.

Thank you for the answer, John. I am interested and will examine how I could contribute.

-- 
BÉRES László
RHCE, RHCX senior IT engineer, trainer
Red Hat, Fedora, CentOS, SELinux: http://sys-admin.hu

From ryan.skorstad at beatport.com Wed Oct 29 20:43:30 2008
From: ryan.skorstad at beatport.com (Ryan Skorstad)
Date: Wed, 29 Oct 2008 14:43:30 -0600
Subject: [Freeipa-users] FreeIPA and freeradius
In-Reply-To: <49086CE6.3060906@sys-admin.hu>
References: <490835B3.3070409@sys-admin.hu> <4908638F.4020009@redhat.com> <49086CE6.3060906@sys-admin.hu>
Message-ID: <4908CAF2.3050005@beatport.com>

I was able to get the radius server included with IPA operational by:

1. Installing the 'freeradius-ldap' rpm from yum
2. chmod 775 /etc/raddb/certs (so radiusd can write cert files)
3. Changing the 'authorize' and 'authenticate' sections of /etc/raddb/radiusd.conf to:

authorize {
	ldap
}

authenticate {
	Auth-Type LDAP {
		ldap
	}
}

The radius server will now authenticate users against IPA's LDAP directory.
I have not tested this configuration extensively; I have only verified that it returned Access-Accept for a valid user/pass/secret and Access-Reject for a bad user/pass/secret.

Laszlo BERES wrote:
> John Dennis wrote:
>
>> Currently there isn't any actual support for Radius in IPA despite the
>> presence of some Radius related files. If the Radius files are showing
>> up in a released version they should be removed. By any chance were you
>> installing from source?
>
> Well, that's sad. I was installing from the standard Fedora 9 repository:
>
> ipa-radius-server-1.1.0-7.fc9
> ipa-radius-admintools-1.1.0-7.fc9
>
> Isn't it a little misleading?
>
>> FWIW, we've pushed Radius support out a bit because unrealistic schedule
>> constraints. If you're interested in contributing to this area please
>> let us know.
>
> Thank you for the answer, John. I am interested and will examine how
> could I contribute.
>

-- 
++
Ryan Skorstad - Systems Administrator
ryan.skorstad at beatport.com
DIGITAL DOWNLOAD NETWORK(tm)
BEATPORT-BEATSOURCE-TRAKTOR-BEATPORTSYNC-BEATPORTAL
-----------------------------------------------
1037-C Broadway
Denver, Colorado USA 80203
Access the world of club music(tm)

From dpal at redhat.com Fri Oct 31 19:13:15 2008
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 31 Oct 2008 15:13:15 -0400
Subject: [Freeipa-users] New IPA v2 draft designs posted on freeIPA
Message-ID: <490B58CB.8080509@redhat.com>

Hello,

We collected a lot of different design materials that we have written over the last month but have not made public yet. Sorry for being a little bit behind. We are trying to advance the project in a lot of different directions and I really did not anticipate the volume of information I would have to deal with.

So the draft design pages are now published at http://www.freeipa.org/page/DocumentationV2. They are not carved in stone. All these ideas are subject to your review and feedback. Everybody is welcome to suggest alternative approaches or add to the proposed vision. Your opinion is important!

Let us discuss these designs on the different freeIPA lists.

More pages to come soon.

Thank you,
Dmitri Pal
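A small client for the smoke test Ryan describes further up the thread (Access-Accept for a valid user/pass/secret, Access-Reject otherwise), added here as an example; it is not code from the thread, FreeIPA or freeradius. It builds a PAP Access-Request per RFC 2865 and also verifies the Response Authenticator, so a reply forged without the shared secret is not counted as an accept; host, port, secret and credentials are placeholders you supply.

```python
"""RADIUS PAP smoke-test client (RFC 2865). Added example, not from the thread."""
import hashlib, os, socket, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-octet blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out, prev = out + block, block      # next mask is keyed by this ciphertext block
    return out


def attribute(attr_type, value):
    """One Type-Length-Value attribute; Length counts the two header octets."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident, username, password, secret):
    """Return (packet, request_authenticator) for a PAP Access-Request."""
    authenticator = os.urandom(16)  # 16 random octets, also keys the password hiding
    attrs = attribute(ATTR_USER_NAME, username) + attribute(
        ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def response_authenticator(header, request_auth, attrs, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), as the server computes it."""
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def response_is_authentic(reply, request_auth, secret):
    """Reject replies whose authenticator was not made with the shared secret."""
    if len(reply) < 20 or struct.unpack("!H", reply[2:4])[0] != len(reply):
        return False
    return reply[4:20] == response_authenticator(reply[:4], request_auth, reply[20:], secret)


def check_credentials(host, username, password, secret, port=1812, timeout=3.0):
    """Send one Access-Request; report 'accept', 'reject', 'forged', 'other' or 'no-reply'."""
    packet, request_auth = build_access_request(os.urandom(1)[0], username, password, secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (host, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "no-reply"
    if not response_is_authentic(reply, request_auth, secret):
        return "forged"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(reply[0], "other")
```

Calling check_credentials() with a good and then a bad password against the radiusd should give "accept" and "reject" respectively; anything else points at the client entry, shared secret or the ldap module rather than at the user.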