From rcritten at redhat.com Mon Jun 1 14:30:13 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 01 Jun 2009 10:30:13 -0400
Subject: [Freeipa-users] Freeipa v2.
In-Reply-To: <7870594c0905310923x384462a7kf30afda959a50168@mail.gmail.com>
References: <7870594c0905310923x384462a7kf30afda959a50168@mail.gmail.com>
Message-ID: <4A23E5F5.2010805@redhat.com>

Sergei V. Kovylov wrote:
> Hello guys.
> Glad to see that the project is under heavy development. I have several questions:
> 1. Is it still actual to produce some release/RC in May?

No, it isn't ready yet and won't be for another few months. I've updated
the Roadmap page.

> 2. Is there an SCM repo anywhere? Because both the fedorapeople and
> fedorahosted gits seem not actual.

The sssd and freeipa fedorahosted repos are the official repositories of
IPA. The policy repo is currently experimental.

I updated the repositories listed on
http://freeipa.org/page/IPAv2_development_status

rob

From ssorce at redhat.com Mon Jun 1 14:30:28 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 01 Jun 2009 10:30:28 -0400
Subject: [Freeipa-users] Freeipa v2.
In-Reply-To: <7870594c0905310923x384462a7kf30afda959a50168@mail.gmail.com>
References: <7870594c0905310923x384462a7kf30afda959a50168@mail.gmail.com>
Message-ID: <1243866628.4093.27.camel@localhost.localdomain>

On Sun, 2009-05-31 at 20:23 +0400, Sergei V. Kovylov wrote:
> Hello guys.
> Glad to see that the project is under heavy development. I have several questions:
> 1. Is it still actual to produce some release/RC in May?

Nope, we will update the website as soon as we have new estimates, but
we are clearly slipping at least a few months.

> 2. Is there an SCM repo anywhere? Because both the fedorapeople and
> fedorahosted gits seem not actual.
The fedorahosted repos are actual and recently updated; what makes you
think they are not?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From valent.turkovic at gmail.com Mon Jun 1 15:39:49 2009
From: valent.turkovic at gmail.com (Valent Turkovic)
Date: Mon, 1 Jun 2009 17:39:49 +0200
Subject: [Freeipa-users] Freeipa v2.
In-Reply-To: <1243866628.4093.27.camel@localhost.localdomain>
References: <7870594c0905310923x384462a7kf30afda959a50168@mail.gmail.com>
    <1243866628.4093.27.camel@localhost.localdomain>
Message-ID: <64b14b300906010839m45b8e812hc0596c579e55cf7b@mail.gmail.com>

On Mon, Jun 1, 2009 at 4:30 PM, Simo Sorce wrote:
> On Sun, 2009-05-31 at 20:23 +0400, Sergei V. Kovylov wrote:
>> Hello guys.
>> Glad to see that the project is under heavy development. I have several questions:
>> 1. Is it still actual to produce some release/RC in May?
>
> Nope, we will update the website as soon as we have new estimates, but
> we are clearly slipping at least a few months.

If you don't mind my asking, what is the reason for slipping?

-- 
http://kernelreloaded.blog385.com/
linux, blog, anime, spirituality, windsurf, wireless
registered as user #367004 with the Linux Counter, http://counter.li.org.
ICQ: 2125241, Skype: valent.turkovic

From ssorce at redhat.com Mon Jun 1 15:51:27 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 01 Jun 2009 11:51:27 -0400
Subject: [Freeipa-users] Freeipa v2.
In-Reply-To: <64b14b300906010839m45b8e812hc0596c579e55cf7b@mail.gmail.com>
References: <7870594c0905310923x384462a7kf30afda959a50168@mail.gmail.com>
    <1243866628.4093.27.camel@localhost.localdomain>
    <64b14b300906010839m45b8e812hc0596c579e55cf7b@mail.gmail.com>
Message-ID: <1243871487.5965.0.camel@localhost.localdomain>

On Mon, 2009-06-01 at 17:39 +0200, Valent Turkovic wrote:
> On Mon, Jun 1, 2009 at 4:30 PM, Simo Sorce wrote:
> > On Sun, 2009-05-31 at 20:23 +0400, Sergei V. Kovylov wrote:
> >> Hello guys.
> >> Glad to see that the project is under heavy development.
> >> I have several questions:
> >> 1. Is it still actual to produce some release/RC in May?
> >
> > Nope, we will update the website as soon as we have new estimates, but
> > we are clearly slipping at least a few months.
>
> If you don't mind my asking, what is the reason for slipping?

We have not yet finished all the features and the python framework
rewrite :-)

I think we simply underestimated some tasks initially.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Mon Jun 1 16:34:22 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 01 Jun 2009 12:34:22 -0400
Subject: [Freeipa-users] Freeipa v2.
In-Reply-To: <7870594c0906010903w4cc7a6a2u8c5b16348ab620b8@mail.gmail.com>
References: <7870594c0905310923x384462a7kf30afda959a50168@mail.gmail.com>
    <1243866628.4093.27.camel@localhost.localdomain>
    <7870594c0906010903w4cc7a6a2u8c5b16348ab620b8@mail.gmail.com>
Message-ID: <1243874062.5965.7.camel@localhost.localdomain>

On Mon, 2009-06-01 at 20:03 +0400, Sergei V. Kovylov wrote:
> Simo, I see that the last commit was done 5 days ago, but free-ipa
> devel contains some patches which are not in the main tree.

We use a post and ack development process. Until patches are acked on
the mailing list they are not pushed to the main repo.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From valent.turkovic at gmail.com Mon Jun 1 19:59:58 2009
From: valent.turkovic at gmail.com (Valent Turkovic)
Date: Mon, 1 Jun 2009 21:59:58 +0200
Subject: [Freeipa-users] Freeipa v2.
In-Reply-To: <1243871487.5965.0.camel@localhost.localdomain>
References: <7870594c0905310923x384462a7kf30afda959a50168@mail.gmail.com>
    <1243866628.4093.27.camel@localhost.localdomain>
    <64b14b300906010839m45b8e812hc0596c579e55cf7b@mail.gmail.com>
    <1243871487.5965.0.camel@localhost.localdomain>
Message-ID: <64b14b300906011259h6ff64b6i427aae15792dd7d4@mail.gmail.com>

On Mon, Jun 1, 2009 at 5:51 PM, Simo Sorce wrote:
> On Mon, 2009-06-01 at 17:39 +0200, Valent Turkovic wrote:
>> On Mon, Jun 1, 2009 at 4:30 PM, Simo Sorce wrote:
>> > On Sun, 2009-05-31 at 20:23 +0400, Sergei V. Kovylov wrote:
>> >> Hello guys.
>> >> Glad to see that the project is under heavy development. I have several questions:
>> >> 1. Is it still actual to produce some release/RC in May?
>> >
>> > Nope, we will update the website as soon as we have new estimates, but
>> > we are clearly slipping at least a few months.
>>
>> If you don't mind my asking, what is the reason for slipping?
>
> We have not yet finished all the features and the python framework
> rewrite :-)
>
> I think we simply underestimated some tasks initially.
>
> Simo.

I have just one more quick question...

Will IPAv2 have an implementation of replication of group policy objects?
That is to say, the ability to make a small change to multiple machines
with one setting on the server. An example of this is to lock down proxy
settings for a browser on all machines with one setting on the server, or
to restrict portions of the menu.

Cheers.

-- 
http://kernelreloaded.blog385.com/
linux, blog, anime, spirituality, windsurf, wireless
registered as user #367004 with the Linux Counter, http://counter.li.org.
ICQ: 2125241, Skype: valent.turkovic

From dumboq at yahoo.com Wed Jun 3 20:42:20 2009
From: dumboq at yahoo.com (Dumbo Q)
Date: Wed, 3 Jun 2009 13:42:20 -0700 (PDT)
Subject: [Freeipa-users] Trouble with new installation
Message-ID: <853840.86844.qm@web111913.mail.gq1.yahoo.com>

I am trying to get a feel for redhat ipa, but I am not having much luck.

I am trying to set a password for a new user that I created earlier today,
but ipa-password just hangs. Not sure what is going on, or where to look.

Here is what I did, followed by the only messages that popped up in the
log. I let it hang for 15 minutes.

[root at auth01 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin at MYDOM.COM

Valid starting     Expires            Service principal
06/03/09 16:01:41  06/04/09 16:01:35  krbtgt/MYDOM.COM at MYDOM.COM
06/03/09 16:01:58  06/04/09 16:01:35  HTTP/auth01.mydom.com at MYDOM.COM


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
[root at auth01 ~]# ipa-passwd test
Changing password for test at MYDOM.COM
New Password:
Confirm Password:


Jun 03 16:30:47 auth01.mydom.com krb5kdc[4001](info): TGS_REQ (1 etypes {18}) 10.30.1.53: ISSUE: authtime 1244059301, etypes {rep=18 tkt=18 ses=18}, admin at MYDOM.COM for krbtgt/MYDOM.COM at MYDOM.COM
Jun 03 16:30:47 auth01.mydom.com krb5kdc[4001](info): TGS_REQ (1 etypes {18}) 10.30.1.53: ISSUE: authtime 1244059301, etypes {rep=18 tkt=18 ses=18}, admin at MYDOM.COM for krbtgt/MYDOM.COM at MYDOM.COM
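A small log-triage helper, added here as an example and not part of this thread, for krb5kdc lines like the ones pasted above. It parses each line into fields (request type, etypes, client IP, status, client and service principal) and reports whether the KDC saw any kadmin/changepw request at all and which pre-authentication challenges were never followed by an issued ticket, which is worth knowing before suspecting the KDC itself when a password change hangs. The first two sample lines are the ones quoted above (the list archive prints '@' as ' at ', which the parser undoes); the remaining sample lines are constructed in the same format.

```python
import re
from collections import defaultdict

# The list archive prints '@' in principals as ' at '; restore it before parsing.
_MASKED_AT = re.compile(r"(\S) at (\S)")

# One krb5kdc line: timestamp, host, pid, level, request type, requested etypes,
# client IP, status word, and the remainder (authtime, principals, ...).
KDC_LINE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"krb5kdc\[(?P<pid>\d+)\]\((?P<level>\w+)\): "
    r"(?P<req>AS_REQ|TGS_REQ) \((?P<n_etypes>\d+) etypes \{(?P<etypes>[^}]*)\}\) "
    r"(?P<ip>[\d.]+): (?P<status>[A-Z_]+): (?P<rest>.*)$"
)
PRINCIPALS = re.compile(r"(?P<client>\S+@\S+) for (?P<service>[^\s,]+)")
AUTHTIME = re.compile(r"authtime (\d+)")

# Constructed sample: the two lines from the post above, then lines in the same
# format for a client that asks for kadmin/changepw and one that never answers
# the pre-authentication challenge.
SAMPLE_LINES = [
    "Jun 03 16:30:47 auth01.mydom.com krb5kdc[4001](info): TGS_REQ (1 etypes {18}) 10.30.1.53: "
    "ISSUE: authtime 1244059301, etypes {rep=18 tkt=18 ses=18}, admin at MYDOM.COM for krbtgt/MYDOM.COM at MYDOM.COM",
    "Jun 03 16:30:47 auth01.mydom.com krb5kdc[4001](info): TGS_REQ (1 etypes {18}) 10.30.1.53: "
    "ISSUE: authtime 1244059301, etypes {rep=18 tkt=18 ses=18}, admin at MYDOM.COM for krbtgt/MYDOM.COM at MYDOM.COM",
    "Jun 04 16:05:00 auth01.mydom.com krb5kdc[4001](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 10.30.1.53: "
    "NEEDED_PREAUTH: test@MYDOM.COM for kadmin/changepw@MYDOM.COM, Additional pre-authentication required",
    "Jun 04 16:05:00 auth01.mydom.com krb5kdc[4001](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 10.30.1.53: "
    "ISSUE: authtime 1244145900, etypes {rep=18 tkt=18 ses=18}, test@MYDOM.COM for kadmin/changepw@MYDOM.COM",
    "Jun 04 16:06:12 auth01.mydom.com krb5kdc[4001](info): AS_REQ (1 etypes {18}) 10.30.1.77: "
    "NEEDED_PREAUTH: bob@MYDOM.COM for kadmin/changepw@MYDOM.COM, Additional pre-authentication required",
]


def parse_kdc_line(line):
    """Return a dict of fields for one krb5kdc log line, or None if it is not one."""
    m = KDC_LINE.match(_MASKED_AT.sub(r"\1@\2", line.strip()))
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    rec["etypes"] = [int(e) for e in rec["etypes"].split()]
    p = PRINCIPALS.search(rec["rest"])
    rec["client"] = p.group("client") if p else None
    rec["service"] = p.group("service") if p else None
    a = AUTHTIME.search(rec["rest"])
    rec["authtime"] = int(a.group(1)) if a else None
    del rec["rest"]
    return rec


def _is_changepw(service):
    return service is not None and service.startswith("kadmin/changepw@")


def triage_password_change(lines):
    """Summarise what the KDC saw while a password change was attempted.

    Returns the services issued per client, which clients obtained a
    kadmin/changepw ticket, whether any kadmin/changepw request was seen at
    all, and the (client, service) pairs whose NEEDED_PREAUTH challenge was
    never followed by an ISSUE line.
    """
    records = [r for r in map(parse_kdc_line, lines) if r]
    issued = defaultdict(list)
    pending = set()
    for r in records:
        key = (r["client"], r["service"])
        if r["status"] == "NEEDED_PREAUTH":
            pending.add(key)
        elif r["status"] == "ISSUE":
            issued[r["client"]].append(r["service"])
            pending.discard(key)  # the challenge was answered and a ticket issued
    return {
        "issued": dict(issued),
        "changepw_clients": sorted(c for c, s in issued.items() if any(map(_is_changepw, s))),
        "changepw_seen": any(_is_changepw(r["service"]) for r in records),
        "unfinished_preauth": sorted(pending, key=str),
    }


if __name__ == "__main__":
    first_post = triage_password_change(SAMPLE_LINES[:2])
    print("kadmin/changepw request seen in the first post's excerpt:", first_post["changepw_seen"])
    later = triage_password_change(SAMPLE_LINES)
    print("clients that got a changepw ticket:", later["changepw_clients"])
    print("pre-auth challenges never completed:", later["unfinished_preauth"])
```

On the two lines quoted above the helper reports no kadmin/changepw request at all, only TGT renewals for admin, so the KDC log alone does not show the password change reaching the password service.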
From ssorce at redhat.com Wed Jun 3 22:09:53 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 03 Jun 2009 18:09:53 -0400
Subject: [Freeipa-users] Trouble with new installation
In-Reply-To: <853840.86844.qm@web111913.mail.gq1.yahoo.com>
References: <853840.86844.qm@web111913.mail.gq1.yahoo.com>
Message-ID: <1244066993.3623.26.camel@localhost.localdomain>

On Wed, 2009-06-03 at 13:42 -0700, Dumbo Q wrote:
> I am trying to get a feel for redhat ipa, but I am not having much
> luck.
>
> I am trying to set a password for a new user that I created earlier
> today, but ipa-password just hangs. Not sure what is going on, or
> where to look.
>
> Here is what I did, followed by the only messages that popped up in the
> log. I let it hang for 15 minutes.
>
> [root at auth01 ~]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: admin at MYDOM.COM
>
> Valid starting     Expires            Service principal
> 06/03/09 16:01:41  06/04/09 16:01:35  krbtgt/MYDOM.COM at MYDOM.COM
> 06/03/09 16:01:58  06/04/09 16:01:35  HTTP/auth01.mydom.com at MYDOM.COM
>
>
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
> [root at auth01 ~]# ipa-passwd test
> Changing password for test at MYDOM.COM
> New Password:
> Confirm Password:
>
>
> Jun 03 16:30:47 auth01.mydom.com krb5kdc[4001](info): TGS_REQ (1
> etypes {18}) 10.30.1.53: ISSUE: authtime 1244059301, etypes {rep=18
> tkt=18 ses=18}, admin at MYDOM.COM for krbtgt/MYDOM.COM at MYDOM.COM
> Jun 03 16:30:47 auth01.mydom.com krb5kdc[4001](info): TGS_REQ (1
> etypes {18}) 10.30.1.53: ISSUE: authtime 1244059301, etypes {rep=18
> tkt=18 ses=18}, admin at MYDOM.COM for krbtgt/MYDOM.COM at MYDOM.COM

Can you run any other admin command?
Looks like either a DNS resolution problem or a firewall dropping
packets.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From dpal at redhat.com Thu Jun 4 00:04:36 2009
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 03 Jun 2009 20:04:36 -0400
Subject: [Freeipa-users] Freeipa v2.
In-Reply-To: <64b14b300906011259h6ff64b6i427aae15792dd7d4@mail.gmail.com>
References: <7870594c0905310923x384462a7kf30afda959a50168@mail.gmail.com>
    <1243866628.4093.27.camel@localhost.localdomain>
    <64b14b300906010839m45b8e812hc0596c579e55cf7b@mail.gmail.com>
    <1243871487.5965.0.camel@localhost.localdomain>
    <64b14b300906011259h6ff64b6i427aae15792dd7d4@mail.gmail.com>
Message-ID: <4A270F94.4060307@redhat.com>

Valent Turkovic wrote:
> On Mon, Jun 1, 2009 at 5:51 PM, Simo Sorce wrote:
>
>> On Mon, 2009-06-01 at 17:39 +0200, Valent Turkovic wrote:
>>
>>> On Mon, Jun 1, 2009 at 4:30 PM, Simo Sorce wrote:
>>>
>>>> On Sun, 2009-05-31 at 20:23 +0400, Sergei V. Kovylov wrote:
>>>>
>>>>> Hello guys.
>>>>> Glad to see that the project is under heavy development. I have several questions:
>>>>> 1. Is it still actual to produce some release/RC in May?
>>>>>
>>>> Nope, we will update the website as soon as we have new estimates, but
>>>> we are clearly slipping at least a few months.
>>>>
>>> If you don't mind my asking, what is the reason for slipping?
>>>
>> We have not yet finished all the features and the python framework
>> rewrite :-)
>>
>> I think we simply underestimated some tasks initially.
>>
>> Simo.
>>
>
> I have just one more quick question...
>
> Will IPAv2 have an implementation of replication of group policy objects?
> That is to say, the ability to make a small change to multiple
> machines with one setting on the server. An example of this is to
> lock down proxy settings for a browser on all machines with one
> setting on the server, or to restrict portions of the menu.
>
> Cheers.
>

We are more and more stepping away from the P of IPA as we originally
thought about it.
The P of IPA duplicates a lot of other existing projects in different
ways, so we are currently evaluating our plans about policy management
in IPA.
Rather than building our own solution from scratch it makes sense to
integrate with existing solid configuration management alternatives.
How?
It is the big question and we are seriously looking into it. But it is
something that will take time and a lot of investigation and
coordination.
We are committed to the P of IPA but our assessment showed that what we
planned might not be the right way to tackle the problem.

Audit also seems to be a much bigger undertaking than we originally
thought, but we are committed to it. However, audit is being developed
as an independent component.
This would allow us to deliver it on an independent schedule when it is
ready to do the basics.

For now, it seems that it would make sense to focus on things we
already know how to do and can be completed in a foreseeable future
(by September or so).
Looking at what this might mean I would say that the release would
consist of:

1) SSSD - client identity framework that allows offline authentication
functionality and provides the capability to have different identity
domains including but not limited to IPA (LDAP, NIS, etc.). This would
allow client machines to be a part of the domain and have a secure
channel to the server. This secure channel can/will be used for cert
provisioning and key management.

2) Server with:
a) New extensible and pluggable management framework and richer CLI/UI
b) Integrated DNS
c) Integrated NIS backward compatibility plugin (for systems that do
not understand LDAP for NSS)
d) Integrated CA with the ability to issue certs or auto-renew certs on
the client
e) Some key management features (maybe)
f) Host based access control rules
g) Support of automount maps via LDAP

This is a realistic view of what IPA v2 might end up being.
We will continue on the project.
We are already looking into post IPA v2 features related to Kerberos
and Samba.

-- 
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From dpal at redhat.com Thu Jun 4 00:07:34 2009
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 03 Jun 2009 20:07:34 -0400
Subject: [Freeipa-users] Freeipa v2.
In-Reply-To: <4A270F94.4060307@redhat.com>
References: <7870594c0905310923x384462a7kf30afda959a50168@mail.gmail.com>
    <1243866628.4093.27.camel@localhost.localdomain>
    <64b14b300906010839m45b8e812hc0596c579e55cf7b@mail.gmail.com>
    <1243871487.5965.0.camel@localhost.localdomain>
    <64b14b300906011259h6ff64b6i427aae15792dd7d4@mail.gmail.com>
    <4A270F94.4060307@redhat.com>
Message-ID: <4A271046.9060503@redhat.com>

Dmitri Pal wrote:
> Valent Turkovic wrote:
>> On Mon, Jun 1, 2009 at 5:51 PM, Simo Sorce wrote:
>>
>>> On Mon, 2009-06-01 at 17:39 +0200, Valent Turkovic wrote:
>>>
>>>> On Mon, Jun 1, 2009 at 4:30 PM, Simo Sorce wrote:
>>>>
>>>>> On Sun, 2009-05-31 at 20:23 +0400, Sergei V. Kovylov wrote:
>>>>>
>>>>>> Hello guys.
>>>>>> Glad to see that the project is under heavy development. I have
>>>>>> several questions:
>>>>>> 1. Is it still actual to produce some release/RC in May?
>>>>>>
>>>>> Nope, we will update the website as soon as we have new estimates,
>>>>> but
>>>>> we are clearly slipping at least a few months.
>>>>>
>>>> If you don't mind my asking, what is the reason for slipping?
>>>>
>>> We have not yet finished all the features and the python framework
>>> rewrite :-)
>>>
>>> I think we simply underestimated some tasks initially.
>>>
>>> Simo.
>>>
>>
>> I have just one more quick question...
>>
>> Will IPAv2 have an implementation of replication of group policy objects?
>> That is to say, the ability to make a small change to multiple
>> machines with one setting on the server. An example of this is to
>> lock down proxy settings for a browser on all machines with one
>> setting on the server, or to restrict portions of the menu.
>>
>> Cheers.
>>
>>
>>
> We are more and more stepping away from the P of IPA as we originally
> thought about it.
> The P of IPA duplicates a lot of other existing projects in different
> ways, so we are currently evaluating our plans about policy management
> in IPA.
> Rather than building our own solution from scratch it makes sense to
> integrate with existing solid configuration management alternatives.
> How? It is the big question and we are seriously looking into it. But it
> is something that will take time and a lot of investigation and
> coordination.
> We are committed to the P of IPA but our assessment showed that what we
> planned might not be the right way to tackle the problem.
>
> Audit also seems to be a much bigger undertaking than we originally
> thought, but we are committed to it. However, audit is being developed
> as an independent component.
> This would allow us to deliver it on an independent schedule when it
> is ready to do the basics.
>
> For now, it seems that it would make sense to focus on things we
> already know how to do and can be completed in a foreseeable future
> (by September or so).

I mean being functionally complete :-)

> Looking at what this might mean I would say that the release would
> consist of:
>
> 1) SSSD - client identity framework that allows offline authentication
> functionality and provides the capability to have different identity
> domains including but not limited to IPA (LDAP, NIS, etc.). This
> would allow client machines to be a part of the domain and have a secure
> channel to the server. This secure channel can/will be used for cert
> provisioning and key management.
> 2) Server with:
> a) New extensible and pluggable management framework and richer CLI/UI
> b) Integrated DNS
> c) Integrated NIS backward compatibility plugin (for systems that do
> not understand LDAP for NSS)
> d) Integrated CA with the ability to issue certs or auto-renew certs on
> the client
> e) Some key management features (maybe)
> f) Host based access control rules
> g) Support of automount maps via LDAP
>
> This is a realistic view of what IPA v2 might end up being.
> We will continue on the project.
> We are already looking into post IPA v2 features related to Kerberos
> and Samba.
>

-- 
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From ssorce at redhat.com Thu Jun 4 12:58:26 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 04 Jun 2009 08:58:26 -0400
Subject: [Freeipa-users] Re: FreeIPA beginner
In-Reply-To: <869100480906040546x29cae57ya22ee7ed35423793@mail.gmail.com>
References: <869100480906040546x29cae57ya22ee7ed35423793@mail.gmail.com>
Message-ID: <1244120306.3623.47.camel@localhost.localdomain>

Moved to freeipa-users, Rob please use this list for user help questions.

On Thu, 2009-06-04 at 14:46 +0200, Rob Visser wrote:
> Hello,
>
> Just recently I installed an IPA server and IPA client on two Fedora 10
> computers.
> I managed to get ssh working for the admin user (with single sign on).
> I am confused about the relation between Kerberos and UNIX
> identities.
> A few questions:
> - Is it required to add the UNIX user (in the passwd file) after
> entering the user with FreeIPA? Or perhaps the other way around?

Your client should be configured to use nss_ldap, users are created on
the freeIPA server and seen by all clients.

> - If so, then I assume with the UID/GID that are generated with the
> "add user".
UID/GID are generated on the freeipa server and distributed to all
clients via nss_ldap.

> - The admin user automagically seems to be linked to the (unix) root
> user?

It should really not be, did you create some mapping on the client?

> When I create a new user with FreeIPA, then I can login with GDM with
> the new identity, however, the pam_namespace does not create
> a /home/user and /tmp

pam_mkhomedir is what creates home directories if properly configured.

> When I try to change the Kerberos password, it complains that it
> cannot find any kdc.

Looks like a network or client configuration issue.

> Is there something I missed in reading documents?
>
> Any help is appreciated.

Make sure you follow the user guides thoroughly.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From dumboq at yahoo.com Thu Jun 4 16:36:39 2009
From: dumboq at yahoo.com (Dumbo Q)
Date: Thu, 4 Jun 2009 09:36:39 -0700 (PDT)
Subject: [Freeipa-users] Trouble with new installation
In-Reply-To: <1244066993.3623.26.camel@localhost.localdomain>
References: <853840.86844.qm@web111913.mail.gq1.yahoo.com>
    <1244066993.3623.26.camel@localhost.localdomain>
Message-ID: <947191.60406.qm@web111911.mail.gq1.yahoo.com>

I am somewhat confused here. Can someone explain the technical
relationship between Kerberos and LDAP? I understand the relationship
overview but not so much what is going on behind the scenes.

Why would I have no trouble using the 'admin' account, but then kpasswd
is unable to bind to LDAP when changing a regular user account?

________________________________
From: Simo Sorce
To: Dumbo Q
Cc: freeipa-users at redhat.com
Sent: Wednesday, June 3, 2009 6:09:53 PM
Subject: Re: [Freeipa-users] Trouble with new installation

On Wed, 2009-06-03 at 13:42 -0700, Dumbo Q wrote:
> I am trying to get a feel for redhat ipa, but I am not having much
> luck.
>
> I am trying to set a password for a new user that I created earlier
> today, but ipa-password just hangs. Not sure what is going on, or
> where to look.
>
> Here is what I did, followed by the only messages that popped up in the
> log. I let it hang for 15 minutes.
>
> [root at auth01 ~]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: admin at MYDOM.COM
>
> Valid starting     Expires            Service principal
> 06/03/09 16:01:41  06/04/09 16:01:35  krbtgt/MYDOM.COM at MYDOM.COM
> 06/03/09 16:01:58  06/04/09 16:01:35  HTTP/auth01.mydom.com at MYDOM.COM
>
>
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
> [root at auth01 ~]# ipa-passwd test
> Changing password for test at MYDOM.COM
> New Password:
> Confirm Password:
>
>
> Jun 03 16:30:47 auth01.mydom.com krb5kdc[4001](info): TGS_REQ (1
> etypes {18}) 10.30.1.53: ISSUE: authtime 1244059301, etypes {rep=18
> tkt=18 ses=18}, admin at MYDOM.COM for krbtgt/MYDOM.COM at MYDOM.COM
> Jun 03 16:30:47 auth01.mydom.com krb5kdc[4001](info): TGS_REQ (1
> etypes {18}) 10.30.1.53: ISSUE: authtime 1244059301, etypes {rep=18
> tkt=18 ses=18}, admin at MYDOM.COM for krbtgt/MYDOM.COM at MYDOM.COM

Can you run any other admin command?
Looks like either a DNS resolution problem or a firewall dropping
packets.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From chorn at fluxcoil.net Thu Jun 4 16:49:58 2009
From: chorn at fluxcoil.net (Christian Horn)
Date: Thu, 4 Jun 2009 18:49:58 +0200
Subject: [Freeipa-users] Trouble with new installation
In-Reply-To: <947191.60406.qm@web111911.mail.gq1.yahoo.com>
References: <853840.86844.qm@web111913.mail.gq1.yahoo.com>
    <1244066993.3623.26.camel@localhost.localdomain>
    <947191.60406.qm@web111911.mail.gq1.yahoo.com>
Message-ID: <20090604164958.GA21605@fluxcoil.net>

On Thu, Jun 04, 2009 at 09:36:39AM -0700, Dumbo Q wrote:
> I am somewhat confused here. Can someone explain the technical
> relationship between Kerberos and LDAP? I understand the
> relationship overview but not so much what is going on behind the
> scenes.

You should read up on authorization vs.
authentication, Kerberos and LDAP basics. An introduction is e.g. here:
http://fluxcoil.net/files/a_sysadmins_guide_to_authentication_and_authorization__chhorn__current.pdf

Doesn't hurt to have both LDAP and Kerberos used in separate
environments/separated before using both from IPA. Debugging each by
itself is interesting sometimes ;)

Christian

From dumboq at yahoo.com Thu Jun 4 20:05:49 2009
From: dumboq at yahoo.com (Dumbo Q)
Date: Thu, 4 Jun 2009 13:05:49 -0700 (PDT)
Subject: [Freeipa-users] Trouble with new installation
In-Reply-To: <20090604164958.GA21605@fluxcoil.net>
References: <853840.86844.qm@web111913.mail.gq1.yahoo.com>
    <1244066993.3623.26.camel@localhost.localdomain>
    <947191.60406.qm@web111911.mail.gq1.yahoo.com>
    <20090604164958.GA21605@fluxcoil.net>
Message-ID: <524059.60536.qm@web111910.mail.gq1.yahoo.com>

That had me thinking that maybe the user was not allowed to access the
specific machine. I've gone through the docs a few times, and cannot
find where my problem may be.

As a test I created the following file:

dn: uid=test,cn=users,cn=accounts,dc=mydom,dc=com
changetype: modify
replace: krbPasswordExpiration
krbPasswordExpiration: 20090605194542Z

[root at auth01 ~]# ldapmodify -h localhost -xv -D cn="Directory Manager" -W -f /root/testexpire.ldif
ldap_initialize( ldap://localhost )
Enter LDAP Password:
replace krbPasswordExpiration:
        20090605194542Z
modifying entry "uid=test,cn=users,cn=accounts,dc=mydom,dc=com"
modify complete

The test user was now able to login to the server as I had hoped.
I ran the 'passwd' command, entered my kerb pass, then picked a new pass.
/var/log/messages again said:

Jun 4 15:58:40 auth01 kpasswd[18390]: Unable to bind to ldap server
Jun 4 15:58:40 auth01 kpasswd[18390]: Server Error while performing LDAP password change

What could be going wrong here??
I also tried running kinit, and then changing the passwd with the same results.

- Stumped.
________________________________
From: Christian Horn
To: Dumbo Q
Cc: Simo Sorce; freeipa-users at redhat.com
Sent: Thursday, June 4, 2009 12:49:58 PM
Subject: Re: [Freeipa-users] Trouble with new installation

On Thu, Jun 04, 2009 at 09:36:39AM -0700, Dumbo Q wrote:
> I am somewhat confused here. Can someone explain the technical
> relationship between Kerberos and LDAP? I understand the
> relationship overview but not so much what is going on behind the
> scenes.

You should read up on authorization vs. authentication, Kerberos and LDAP
basics. An introduction is e.g. here:
http://fluxcoil.net/files/a_sysadmins_guide_to_authentication_and_authorization__chhorn__current.pdf

Doesn't hurt to have both LDAP and Kerberos used in separate
environments/separated before using both from IPA. Debugging each by
itself is interesting sometimes ;)

Christian

From ssorce at redhat.com Thu Jun 4 20:15:00 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 04 Jun 2009 16:15:00 -0400
Subject: [Freeipa-users] Trouble with new installation
In-Reply-To: <524059.60536.qm@web111910.mail.gq1.yahoo.com>
References: <853840.86844.qm@web111913.mail.gq1.yahoo.com>
    <1244066993.3623.26.camel@localhost.localdomain>
    <947191.60406.qm@web111911.mail.gq1.yahoo.com>
    <20090604164958.GA21605@fluxcoil.net>
    <524059.60536.qm@web111910.mail.gq1.yahoo.com>
Message-ID: <1244146500.3623.91.camel@localhost.localdomain>

On Thu, 2009-06-04 at 13:05 -0700, Dumbo Q wrote:
> That had me thinking that maybe the user was not allowed to access the
> specific machine. I've gone through the docs a few times, and cannot
> find where my problem may be.
>
> As a test I created the following file
> dn: uid=test,cn=users,cn=accounts,dc=mydom,dc=com
> changetype: modify
> replace: krbPasswordExpiration
> krbPasswordExpiration: 20090605194542Z
>
> [root at auth01 ~]# ldapmodify -h localhost -xv -D cn="Directory Manager"
> -W -f /root/testexpire.ldif
> ldap_initialize( ldap://localhost )
> Enter LDAP Password:
> replace krbPasswordExpiration:
>         20090605194542Z
> modifying entry "uid=test,cn=users,cn=accounts,dc=mydom,dc=com"
> modify complete
>
>
> The test user was now able to login to the server as I had hoped.
> I ran the 'passwd' command, entered my kerb pass, then picked a new
> pass.
> /var/log/messages again said:
> Jun 4 15:58:40 auth01 kpasswd[18390]: Unable to bind to ldap server
> Jun 4 15:58:40 auth01 kpasswd[18390]: Server Error while performing
> LDAP password change
>
> What could be going wrong here??
> I also tried running kinit, and then changing the passwd with the same
> results.

Have you tried to start kadmin by chance?
I think I remember on some older versions the kadmin init script will
happily generate a new kadmin/changepw secret, making the one we stored
in the ipa-kpasswd specific keytab useless.

Can you check if you see errors in krb5kdc.log regarding obtaining a TGT
for kadmin/changepw?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From dumboq at yahoo.com Thu Jun 4 21:02:14 2009
From: dumboq at yahoo.com (Dumbo Q)
Date: Thu, 4 Jun 2009 14:02:14 -0700 (PDT)
Subject: [Freeipa-users] Trouble with new installation
In-Reply-To: <1244146500.3623.91.camel@localhost.localdomain>
References: <853840.86844.qm@web111913.mail.gq1.yahoo.com>
    <1244066993.3623.26.camel@localhost.localdomain>
    <947191.60406.qm@web111911.mail.gq1.yahoo.com>
    <20090604164958.GA21605@fluxcoil.net>
    <524059.60536.qm@web111910.mail.gq1.yahoo.com>
    <1244146500.3623.91.camel@localhost.localdomain>
Message-ID: <736688.93925.qm@web111910.mail.gq1.yahoo.com>

Alright, now I'm starting to get somewhere!
kadmin was not running, and I was getting

Jun 04 16:05:00 auth01.mydom.com krb5kdc[4001](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 10.30.1.53: NEEDED_PREAUTH: test at MYDOM.COM for kadmin/changepw at MYDOM.COM, Additional pre-authentication required
Jun 04 16:05:00 auth01.mydom.com krb5kdc[4001](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 10.30.1.53: ISSUE: authtime 1244145900, etypes {rep=18 tkt=18 ses=18}, test at MYDOM.COM for kadmin/changepw at MYDOM.COM
Jun 04 16:05:08 auth01.mydom.com krb5kdc[4001](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 10.30.1.53: NEEDED_PREAUTH: kadmin/changepw at MYDOM.COM for krbtgt/MYDOM.COM at MYDOM.COM, Additional pre-authentication required
Jun 04 16:05:08 auth01.mydom.com krb5kdc[4001](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 10.30.1.53: ISSUE: authtime 1244145908, etypes {rep=18 tkt=18 ses=18}, kadmin/changepw at MYDOM.COM for krbtgt/MYDOM.COM at MYDOM.COM
Jun 04 16:05:08 auth01.mydom.com krb5kdc[4001](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.30.1.53: ISSUE: authtime 1244145908, etypes {rep=18 tkt=18 ses=18}, kadmin/changepw at MYDOM.COM for ldap/auth01.mydom.com at MYDOM.COM

/sbin/service kadmin start
/sbin/chkconfig kadmin on

Now it hangs for a minute when changing the password, and I see the
following in /var/log/messages.

Jun 4 16:47:02 auth01 kpasswd[19933]: Unable to read request: Key version number for principal in key table is incorrect
Jun 4 16:47:10 auth01 kpasswd[19935]: Unable to read request: Key version number for principal in key table is incorrect
Jun 4 16:47:19 auth01 kpasswd[19951]: Unable to read request: Key version number for principal in key table is incorrect

Note: the above messages were from using the passwd command. (In my
previous posts I usually try passwd, kpasswd, and ipa-passwd).

I tried again with ipa-passwd and it worked right away! Did an ldapsearch
and can see that my expiration is now 200909...
Thanks everyone for your help with this.

Two more questions while on this topic.

1. Is it to be expected that passwords should be changed using
ipa-password and not regular passwd?

2. Is there any documentation that shows the technical layout of how
things are supposed to work, including the services and how they all
integrate together? I found a diagram online but it was very top level
and didn't explain much more than I could have guessed without any LDAP
or Kerberos experience. I would create this myself, but I am clearly not
the one for the task :)

________________________________
From: Simo Sorce
To: Dumbo Q
Cc: Christian Horn; freeipa-users at redhat.com
Sent: Thursday, June 4, 2009 4:15:00 PM
Subject: Re: [Freeipa-users] Trouble with new installation

On Thu, 2009-06-04 at 13:05 -0700, Dumbo Q wrote:
> That had me thinking that maybe the user was not allowed to access the
> specific machine. I've gone through the docs a few times, and cannot
> find where my problem may be.
>
> As a test I created the following file
> dn: uid=test,cn=users,cn=accounts,dc=mydom,dc=com
> changetype: modify
> replace: krbPasswordExpiration
> krbPasswordExpiration: 20090605194542Z
>
> [root at auth01 ~]# ldapmodify -h localhost -xv -D cn="Directory Manager"
> -W -f /root/testexpire.ldif
> ldap_initialize( ldap://localhost )
> Enter LDAP Password:
> replace krbPasswordExpiration:
>         20090605194542Z
> modifying entry "uid=test,cn=users,cn=accounts,dc=mydom,dc=com"
> modify complete
>
>
> The test user was now able to login to the server as I had hoped.
> I ran the 'passwd' command, entered my kerb pass, then picked a new
> pass.
> /var/log/messages again said:
> Jun 4 15:58:40 auth01 kpasswd[18390]: Unable to bind to ldap server
> Jun 4 15:58:40 auth01 kpasswd[18390]: Server Error while performing
> LDAP password change
>
> What could be going wrong here??
> I also tried running kinit, and then changing the passwd with the same
> results.

Have you tried to start kadmin by chance?
I think I remember that on some older versions the kadmin init script will happily generate a new kadmin/changepw secret, making the one we stored in the ipa-kpasswd specific keytab useless.

Can you check if you see errors in krb5kdc.log regarding obtaining a TGT for kadmin/changepw?

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Thu Jun 4 21:20:39 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 04 Jun 2009 17:20:39 -0400
Subject: [Freeipa-users] Trouble with new installation
In-Reply-To: <736688.93925.qm@web111910.mail.gq1.yahoo.com>
References: <853840.86844.qm@web111913.mail.gq1.yahoo.com> <1244066993.3623.26.camel@localhost.localdomain> <947191.60406.qm@web111911.mail.gq1.yahoo.com> <20090604164958.GA21605@fluxcoil.net> <524059.60536.qm@web111910.mail.gq1.yahoo.com> <1244146500.3623.91.camel@localhost.localdomain> <736688.93925.qm@web111910.mail.gq1.yahoo.com>
Message-ID: <1244150439.3623.98.camel@localhost.localdomain>

On Thu, 2009-06-04 at 14:02 -0700, Dumbo Q wrote:
> Alright, now I'm starting to get somewhere!
> kadmin was not running, and I was getting
> Jun 04 16:05:00 auth01.mydom.com krb5kdc[4001](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 10.30.1.53: NEEDED_PREAUTH: test@MYDOM.COM for kadmin/changepw@MYDOM.COM, Additional pre-authentication required
> Jun 04 16:05:00 auth01.mydom.com krb5kdc[4001](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 10.30.1.53: ISSUE: authtime 1244145900, etypes {rep=18 tkt=18 ses=18}, test@MYDOM.COM for kadmin/changepw@MYDOM.COM
> Jun 04 16:05:08 auth01.mydom.com krb5kdc[4001](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 10.30.1.53: NEEDED_PREAUTH: kadmin/changepw@MYDOM.COM for krbtgt/MYDOM.COM@MYDOM.COM, Additional pre-authentication required
> Jun 04 16:05:08 auth01.mydom.com krb5kdc[4001](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 10.30.1.53: ISSUE: authtime 1244145908, etypes {rep=18 tkt=18 ses=18}, kadmin/changepw@MYDOM.COM for krbtgt/MYDOM.COM@MYDOM.COM
> Jun 04 16:05:08 auth01.mydom.com krb5kdc[4001](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.30.1.53: ISSUE: authtime 1244145908, etypes {rep=18 tkt=18 ses=18}, kadmin/changepw@MYDOM.COM for ldap/auth01.mydom.com@MYDOM.COM
>
> /sbin/service kadmin start
> /sbin/chkconfig kadmin on
>
> Now it hangs for a minute when changing the password, and I see the following in /var/log/messages.
> Jun 4 16:47:02 auth01 kpasswd[19933]: Unable to read request: Key version number for principal in key table is incorrect
> Jun 4 16:47:10 auth01 kpasswd[19935]: Unable to read request: Key version number for principal in key table is incorrect
> Jun 4 16:47:19 auth01 kpasswd[19951]: Unable to read request: Key version number for principal in key table is incorrect
>
> Note: the above messages were from using the passwd command. (In my previous posts I usually try passwd, kpasswd, and ipa-passwd.)
>
> I tried again with ipa-passwd and it worked right away! Did an ldapsearch and can see that my expiration is now 200909...
>
> Thanks everyone for your help with this.

Except that I didn't tell you to start kadmin, I was worried you did :-/

Now you have broken your installation. You are supposed to use ipa-kpasswd, not kadmin, as kadmin has other unwanted properties, like the fact that it will not create a hash for simple binds to the ldap server, and will not use the ipa defined password policies.

You will now have to fix the installation so that ipa-kpasswd has the right keytab.

> Two more questions while on this topic.
> 1. Is it to be expected that passwords should be changed using
> ipa-password and not regular passwd?

No, you should use regular passwd or, at most, kpasswd; ipa-passwd is for admin purposes.

> 2. Is there any documentation that shows the technical layout of how
> things are supposed to work, including the services and how they all
> integrate together? I found a diagram online but it was very top
> level and didn't explain much more than I could have guessed without
> any ldap or kerberos experience. I would create this myself, but I am
> clearly not the one for the task :)

All we have is published on freeipa.org, sorry.

Simo.
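Simo's diagnosis above (kadmin regenerated the kadmin/changepw key, so the keytab ipa-kpasswd reads is now behind the KDC) is exactly what the "Key version number for principal in key table is incorrect" lines mean. The script below is an added example written for this archive, not code from the thread or from FreeIPA: it compares the key version numbers in a keytab, as printed by `klist -kt`, with the key version the KDC currently holds, as printed by `kadmin.local -q "getprinc ..."`, and reports whether the keytab is stale. Both sample outputs are constructed for the example; the realm and keytab path follow the thread, and the function names are my own.

```python
"""Added example (not code from the thread or from FreeIPA): detect a stale
kadmin/changepw key in ipa-kpasswd's keytab by comparing key version numbers.

Inputs are the text that `klist -kt <keytab>` and
`kadmin.local -q "getprinc <principal>"` print. The two samples below are
constructed for this example; the realm and the keytab path follow the thread.
"""
import re
import subprocess
from typing import Dict, Set, Tuple

PRINCIPAL = "kadmin/changepw@MYDOM.COM"
KEYTAB = "/var/kerberos/krb5kdc/kpasswd.keytab"

# Constructed sample of `klist -kt /var/kerberos/krb5kdc/kpasswd.keytab`:
# one line per (kvno, enctype) entry, here two enctypes, both at kvno 2.
SAMPLE_KLIST = """\
Keytab name: FILE:/var/kerberos/krb5kdc/kpasswd.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 06/04/09 10:00:00 kadmin/changepw@MYDOM.COM
   2 06/04/09 10:00:00 kadmin/changepw@MYDOM.COM
"""

# Constructed sample of `kadmin.local -q "getprinc kadmin/changepw@MYDOM.COM"`
# after the kadmin init script regenerated the key: the KDC is now at kvno 3.
SAMPLE_GETPRINC = """\
Principal: kadmin/changepw@MYDOM.COM
Expiration date: [never]
Number of keys: 2
Key: vno 3, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 3, DES cbc mode with CRC-32, no salt
Attributes: DISALLOW_TGT_BASED
"""

# klist -kt entry: kvno, date, optional time, principal
_KLIST_ENTRY = re.compile(r"^\s*(\d+)\s+\S+(?:\s+\S+)?\s+(\S+@\S+)\s*$")
_GETPRINC_KEY = re.compile(r"^Key: vno (\d+),")


def keytab_kvnos(klist_output: str) -> Dict[str, Set[int]]:
    """Map each principal in `klist -kt` output to the set of kvnos present for it."""
    found: Dict[str, Set[int]] = {}
    for line in klist_output.splitlines():
        m = _KLIST_ENTRY.match(line)
        if m:
            found.setdefault(m.group(2), set()).add(int(m.group(1)))
    return found


def kdc_kvnos(getprinc_output: str) -> Set[int]:
    """Collect the kvnos the KDC currently holds from `getprinc` output."""
    versions: Set[int] = set()
    for line in getprinc_output.splitlines():
        m = _GETPRINC_KEY.match(line)
        if m:
            versions.add(int(m.group(1)))
    return versions


def check_keytab(principal: str, klist_output: str, getprinc_output: str) -> Tuple[bool, str]:
    """Return (ok, reason); ok is True only if the keytab holds the KDC's current kvno."""
    in_keytab = keytab_kvnos(klist_output).get(principal, set())
    on_kdc = kdc_kvnos(getprinc_output)
    if not on_kdc:
        return False, "no keys found in getprinc output; is the principal name right?"
    current = max(on_kdc)
    if not in_keytab:
        return False, f"{principal} is not in the keytab"
    if current in in_keytab:
        return True, f"keytab kvno {current} matches the KDC"
    return False, (f"keytab holds kvno {sorted(in_keytab)} but the KDC key is at kvno {current}; "
                   "the keytab is stale and must be re-fetched")


def live_check(principal: str = PRINCIPAL, keytab: str = KEYTAB) -> Tuple[bool, str]:
    """Run the real tools; only meaningful as root on the IPA server (the KDC host)."""
    klist_out = subprocess.run(["klist", "-kt", keytab], check=True,
                               capture_output=True, text=True).stdout
    getprinc_out = subprocess.run(["kadmin.local", "-q", f"getprinc {principal}"],
                                  check=True, capture_output=True, text=True).stdout
    return check_keytab(principal, klist_out, getprinc_out)


if __name__ == "__main__":
    ok, reason = check_keytab(PRINCIPAL, SAMPLE_KLIST, SAMPLE_GETPRINC)
    print(("OK" if ok else "STALE") + ": " + reason)
```

When `live_check()` reports a stale keytab on the IPA server, the repair the thread converges on is: stop and disable kadmin (it is not meant to run on an IPA server), fetch a fresh keytab with `ipa-getkeytab -s auth01.mydom.com -p kadmin/changepw@MYDOM.COM -k /var/kerberos/krb5kdc/kpasswd.keytab` using admin credentials, then restart ipa-kpasswd. ipa-getkeytab generates a new key, so the kvno moves up once more; that is fine, because the keytab it writes carries that version.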
--
Simo Sorce * Red Hat, Inc * New York

From dumboq at yahoo.com Thu Jun 4 21:31:52 2009
From: dumboq at yahoo.com (Dumbo Q)
Date: Thu, 4 Jun 2009 14:31:52 -0700 (PDT)
Subject: [Freeipa-users] Trouble with new installation
In-Reply-To: <1244150439.3623.98.camel@localhost.localdomain>
References: <853840.86844.qm@web111913.mail.gq1.yahoo.com> <1244066993.3623.26.camel@localhost.localdomain> <947191.60406.qm@web111911.mail.gq1.yahoo.com> <20090604164958.GA21605@fluxcoil.net> <524059.60536.qm@web111910.mail.gq1.yahoo.com> <1244146500.3623.91.camel@localhost.localdomain> <736688.93925.qm@web111910.mail.gq1.yahoo.com> <1244150439.3623.98.camel@localhost.localdomain>
Message-ID: <385582.9480.qm@web111916.mail.gq1.yahoo.com>

"Except that I didn't tell you to start kadmin, I was worried you did :-/"

Doh! I was so excited I damn near skipped through the hallway. Back to the drawing board :)

So I believe I will need to do something like
ipa-getkeytab -s auth01.mydom.com -p -k ???

I'm just not sure what exactly I broke.

________________________________
From: Simo Sorce
To: Dumbo Q
Cc: Christian Horn; freeipa-users at redhat.com
Sent: Thursday, June 4, 2009 5:20:39 PM
Subject: Re: [Freeipa-users] Trouble with new installation

On Thu, 2009-06-04 at 14:02 -0700, Dumbo Q wrote:
> Alright, now I'm starting to get somewhere!
> kadmin was not running, and I was getting
> Jun 04 16:05:00 auth01.mydom.com krb5kdc[4001](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 10.30.1.53: NEEDED_PREAUTH: test@MYDOM.COM for kadmin/changepw@MYDOM.COM, Additional pre-authentication required
> Jun 04 16:05:00 auth01.mydom.com krb5kdc[4001](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 10.30.1.53: ISSUE: authtime 1244145900, etypes {rep=18 tkt=18 ses=18}, test@MYDOM.COM for kadmin/changepw@MYDOM.COM
> Jun 04 16:05:08 auth01.mydom.com krb5kdc[4001](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 10.30.1.53: NEEDED_PREAUTH: kadmin/changepw@MYDOM.COM for krbtgt/MYDOM.COM@MYDOM.COM, Additional pre-authentication required
> Jun 04 16:05:08 auth01.mydom.com krb5kdc[4001](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 10.30.1.53: ISSUE: authtime 1244145908, etypes {rep=18 tkt=18 ses=18}, kadmin/changepw@MYDOM.COM for krbtgt/MYDOM.COM@MYDOM.COM
> Jun 04 16:05:08 auth01.mydom.com krb5kdc[4001](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.30.1.53: ISSUE: authtime 1244145908, etypes {rep=18 tkt=18 ses=18}, kadmin/changepw@MYDOM.COM for ldap/auth01.mydom.com@MYDOM.COM
>
> /sbin/service kadmin start
> /sbin/chkconfig kadmin on
>
> Now it hangs for a minute when changing the password, and I see the following in /var/log/messages.
> Jun 4 16:47:02 auth01 kpasswd[19933]: Unable to read request: Key version number for principal in key table is incorrect
> Jun 4 16:47:10 auth01 kpasswd[19935]: Unable to read request: Key version number for principal in key table is incorrect
> Jun 4 16:47:19 auth01 kpasswd[19951]: Unable to read request: Key version number for principal in key table is incorrect
>
> Note: the above messages were from using the passwd command. (In my previous posts I usually try passwd, kpasswd, and ipa-passwd.)
>
> I tried again with ipa-passwd and it worked right away! Did an ldapsearch and can see that my expiration is now 200909...
>
> Thanks everyone for your help with this.

Except that I didn't tell you to start kadmin, I was worried you did :-/

Now you have broken your installation. You are supposed to use ipa-kpasswd, not kadmin, as kadmin has other unwanted properties, like the fact that it will not create a hash for simple binds to the ldap server, and will not use the ipa defined password policies.

You will now have to fix the installation so that ipa-kpasswd has the right keytab.

> Two more questions while on this topic.
> 1. Is it to be expected that passwords should be changed using
> ipa-password and not regular passwd?

No, you should use regular passwd or, at most, kpasswd; ipa-passwd is for admin purposes.

> 2. Is there any documentation that shows the technical layout of how
> things are supposed to work, including the services and how they all
> integrate together? I found a diagram online but it was very top
> level and didn't explain much more than I could have guessed without
> any ldap or kerberos experience. I would create this myself, but I am
> clearly not the one for the task :)

All we have is published on freeipa.org, sorry.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ok at softbox.de Fri Jun 5 11:57:19 2009
From: ok at softbox.de (Oliver Kaspar)
Date: Fri, 5 Jun 2009 13:57:19 +0200
Subject: [Freeipa-users] samba share access win xp
Message-ID: <94D941EB-0EC9-4AC2-8C97-E0FC33A74A05@softbox.de>

Hi,

I have problems accessing a samba share using windows xp, both the samba server and the windows client being ipa clients.

UNKNOWN_SERVER: authtime 1244197692 ...cifs/samba.EXAMPLE.LAN@EXAPMPLE.LAN, Server not found in Kerberos database

Accessing the share with linux and mac os works.
Is it a problem that windows is looking for cifs/samba.EXAMPLE.LAN and the principal is cifs/samba.example.lan? I can't add a server principal in capital letters, as it is indicated here: http://sial.org/howto/kerberos/windows/#s4

Thanks,
Oliver

| oliver kaspar, dipl.-ing. univ. | softbox gmbh, balanstr. 73 Gebaeude 9 81541 | muenchen | tel: +49 89 48900069 | fax: +49 89 48900068 | amtsgericht muenchen | hrb 127479 | ustid de 200166144 | gf: thilo weinzierl und oliver kaspar :-) |

From ssorce at redhat.com Fri Jun 5 13:09:44 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 05 Jun 2009 13:09:44 +0000
Subject: [Freeipa-users] samba share access win xp
In-Reply-To: <94D941EB-0EC9-4AC2-8C97-E0FC33A74A05@softbox.de>
References: <94D941EB-0EC9-4AC2-8C97-E0FC33A74A05@softbox.de>
Message-ID: <1244207384.3623.104.camel@localhost.localdomain>

On Fri, 2009-06-05 at 13:57 +0200, Oliver Kaspar wrote:
> Hi,
>
> I have problems accessing a samba share using windows xp, both, the
> samba server and the windows client being ipa clients.
>
> UNKNOWN_SERVER: authtime 1244197692 ...cifs/samba.EXAMPLE.LAN@EXAPMPLE.LAN
> , Server not found in Kerberos database

How do you access the share from windows?

> Accessing the share with linux and mac os works. Is it a problem that
> windows is looking for cifs/samba.EXAMPLE.LAN and the principal is
> cifs/samba.example.lan? I can't add a server principal in capital
> letters, as it is indicated here: http://sial.org/howto/kerberos/windows/#s4

Well, in theory you could try to manually (ldapmodify) set up an alias (krbPrincipalName is multivalued IIRC) and see if that works somehow, but we never tested this; it might not work w/o modifications to the KDC ldap driver.

Simo.
--
Simo Sorce * Red Hat, Inc * New York

From ok at softbox.de Fri Jun 5 13:33:10 2009
From: ok at softbox.de (Oliver Kaspar)
Date: Fri, 5 Jun 2009 15:33:10 +0200
Subject: [Freeipa-users] samba share access win xp
In-Reply-To: <1244207384.3623.104.camel@localhost.localdomain>
References: <94D941EB-0EC9-4AC2-8C97-E0FC33A74A05@softbox.de> <1244207384.3623.104.camel@localhost.localdomain>
Message-ID: <91387AAA-A936-4454-8B05-C8DD2B9D91BE@softbox.de>

Hi Simo,

thanks for your answer,

On 05.06.2009 at 15:09, Simo Sorce wrote:
> On Fri, 2009-06-05 at 13:57 +0200, Oliver Kaspar wrote:
>> Hi,
>>
>> I have problems accessing a samba share using windows xp, both, the
>> samba server and the windows client being ipa clients.
>>
>> UNKNOWN_SERVER: authtime 1244197692 ...cifs/samba.EXAMPLE.LAN@EXAPMPLE.LAN
>> , Server not found in Kerberos database
>
> How do you access the share from windows?

I log on at the kerberos realm (this is working). Then I use the windows explorer. The server is listed in "My Network Places" and I click on it, is this what you mean?

>> Accessing the share with linux and mac os works. Is it a problem
>> that
>> windows is looking for cifs/samba.EXAMPLE.LAN and the principal is
>> cifs/samba.example.lan? I can't add a server principal in capital
>> letters, as it is indicated here: http://sial.org/howto/kerberos/windows/#s4
>
> Well in theory you could try to manually (ldapmodify) set up an alias
> (krbPrincipalName is multivalued IIRC) and see if that works somehow,
> but we never tested this, it might not work w/o modifications to the
> KDC
> ldap driver.

Do you think the capital letters could be the problem?

Many thanks,
Oliver

> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York

| oliver kaspar, dipl.-ing. univ. | softbox gmbh, balanstr.
73 Gebaeude 9 81541 | muenchen | tel: +49 89 48900069 | fax: +49 89 48900068 | amtsgericht muenchen | hrb 127479 | ustid de 200166144 | gf: thilo weinzierl und oliver kaspar :-) |

From ssorce at redhat.com Fri Jun 5 14:08:38 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 05 Jun 2009 14:08:38 +0000
Subject: [Freeipa-users] samba share access win xp
In-Reply-To: <91387AAA-A936-4454-8B05-C8DD2B9D91BE@softbox.de>
References: <94D941EB-0EC9-4AC2-8C97-E0FC33A74A05@softbox.de> <1244207384.3623.104.camel@localhost.localdomain> <91387AAA-A936-4454-8B05-C8DD2B9D91BE@softbox.de>
Message-ID: <1244210918.3623.114.camel@localhost.localdomain>

On Fri, 2009-06-05 at 15:33 +0200, Oliver Kaspar wrote:
> Hi Simo,
>
> thanks for your answer,
>
> On 05.06.2009 at 15:09, Simo Sorce wrote:
>
> > On Fri, 2009-06-05 at 13:57 +0200, Oliver Kaspar wrote:
> >> Hi,
> >>
> >> I have problems accessing a samba share using windows xp, both, the
> >> samba server and the windows client being ipa clients.
> >>
> >> UNKNOWN_SERVER: authtime 1244197692 ...cifs/samba.EXAMPLE.LAN@EXAPMPLE.LAN
> >> , Server not found in Kerberos database
> >
> > How do you access the share from windows?
>
> I log on at the kerberos realm (this is working). Then I use the
> windows explorer. The server is listed in "My Network Places" and I
> click on it, is this what you mean?

Yes, just for testing can you try to access the server using:
\\fully.qualified.domain.name\yourshare ?

Just to see if this makes any difference.

> >> Accessing the share with linux and mac os works. Is it a problem
> >> that
> >> windows is looking for cifs/samba.EXAMPLE.LAN and the principal is
> >> cifs/samba.example.lan?
> >> I can't add a server principal in capital
> >> letters, as it is indicated here: http://sial.org/howto/kerberos/windows/#s4
> >
> > Well in theory you could try to manually (ldapmodify) set up an alias
> > (krbPrincipalName is multivalued IIRC) and see if that works somehow,
> > but we never tested this, it might not work w/o modifications to the
> > KDC
> > ldap driver.
>
> Do you think the capital letters could be the problem?

They probably are.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Fri Jun 5 14:34:45 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 05 Jun 2009 10:34:45 -0400
Subject: [Freeipa-users] samba share access win xp
In-Reply-To: <99DACCEA-02C4-4270-88C9-BF84AD48EFF8@softbox.de>
References: <94D941EB-0EC9-4AC2-8C97-E0FC33A74A05@softbox.de> <1244207384.3623.104.camel@localhost.localdomain> <91387AAA-A936-4454-8B05-C8DD2B9D91BE@softbox.de> <1244210918.3623.114.camel@localhost.localdomain> <99DACCEA-02C4-4270-88C9-BF84AD48EFF8@softbox.de>
Message-ID: <1244212485.3623.129.camel@localhost.localdomain>

On Fri, 2009-06-05 at 16:19 +0200, Oliver Kaspar wrote:
> >>> How do you access the share from windows?
> >>
> >> I log on at the kerberos realm (this is working). Then I use the
> >> windows explorer. The server is listed in "My Network Places" and I
> >> click on it, is this what you mean?
> >
> > Yes, just for testing can you try to access the server using:
> > \\fully.qualified.domain.name\yourshare ?
> >
> > Just to see if this makes any difference.
>
> that's very interesting, using the fqdn is working

Yeah, I suspected that would happen.

What is the default dns suffix in your windows machine?

If you try to do an nslookup with just the host name of the samba server (not the fully qualified name), can you correctly resolve the name?

Simo.
--
Simo Sorce * Red Hat, Inc * New York

From zxvdr.au at gmail.com Fri Jun 5 15:01:27 2009
From: zxvdr.au at gmail.com (David Robinson)
Date: Fri, 5 Jun 2009 16:01:27 +0100
Subject: [Freeipa-users] pam_tally for FreeIPA?
Message-ID:

Hi all,

Is there a pam_tally sort of equivalent for FreeIPA? I'd like to be able to centralize the lockout (i.e. pam_tally) policy, e.g. after X failed login attempts lock the account, optionally automatically unlock after X mins. Locking an account would lock it for the entire realm instead of the local system.

One of the criteria (8.5.13 and 8.5.14) for the payment card industry's data security standards is that an account be locked after 6 incorrect login attempts. I couldn't see anything that addresses the criteria on the requirements doc for FreeIPA v2, and I couldn't find the feature in v1. Is this something that is being considered, or is pam_tally the way to go?

--Dave

From ssorce at redhat.com Fri Jun 5 15:36:27 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 05 Jun 2009 11:36:27 -0400
Subject: [Freeipa-users] pam_tally for FreeIPA?
In-Reply-To:
References:
Message-ID: <1244216187.6068.23.camel@localhost.localdomain>

On Fri, 2009-06-05 at 16:01 +0100, David Robinson wrote:
> Hi all,
>
> Is there a pam_tally sort of equivalent for FreeIPA? I'd like to be
> able to centralize the lockout (i.e. pam_tally) policy, e.g. after X
> failed login attempts lock the account, optionally automatically
> unlock after X mins. Locking an account would lock it for the entire
> realm instead of the local system.
>
> One of the criteria (8.5.13 and 8.5.14) for the payment card
> industry's data security standards is that an account be locked after
> 6 incorrect login attempts. I couldn't see anything that addresses the
> criteria on the requirements doc for FreeIPA v2, and I couldn't find
> the feature in v1. Is this something that is being considered, or is
> pam_tally the way to go?
We can't use a client side mechanism to perform lock, or a single machine could be abused to lock all accounts without even trying a single password change.

We have facilities to set the nsAccountLock flag to block accounts. At the moment our KDC does not enforce automatic locking unfortunately (the KDC fully respects the nsAccountLock flag when set, it just does not set it automatically), but there is code to do that, so we should be able to enable it at some point.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ok at softbox.de Fri Jun 5 15:51:49 2009
From: ok at softbox.de (Oliver Kaspar)
Date: Fri, 5 Jun 2009 17:51:49 +0200
Subject: [Freeipa-users] samba share access win xp
In-Reply-To: <1244212485.3623.129.camel@localhost.localdomain>
References: <94D941EB-0EC9-4AC2-8C97-E0FC33A74A05@softbox.de> <1244207384.3623.104.camel@localhost.localdomain> <91387AAA-A936-4454-8B05-C8DD2B9D91BE@softbox.de> <1244210918.3623.114.camel@localhost.localdomain> <99DACCEA-02C4-4270-88C9-BF84AD48EFF8@softbox.de> <1244212485.3623.129.camel@localhost.localdomain>
Message-ID: <507471AD-98BD-4F4C-B169-57232B33D61B@softbox.de>

Hi Simo,

On 05.06.2009 at 16:34, Simo Sorce wrote:
> On Fri, 2009-06-05 at 16:19 +0200, Oliver Kaspar wrote:
>>>>> How do you access the share from windows?
>>>>
>>>> I log on at the kerberos realm (this is working). Then I use the
>>>> windows explorer. The server is listed in "My Network Places" and I
>>>> click on it, is this what you mean?
>>>
>>> Yes, just for testing can you try to access the server using:
>>> \\fully.qualified.domain.name\yourshare ?
>>>
>>> Just to see if this makes any difference.
>>
>>
>> that's very interesting, using the fqdn is working
>
> Yeah I suspected that would happen.
>

really, you are kidding ;-)

> What is the default dns suffix in your windows machine?

you mean the primary dns suffix?
It's the domain name, it seems to be correct.

>
> if you try to do an nslookup with just the host name of the samba
> server
> (not the fully qualified name), can you correctly resolve the name?

yes, that is working

Thanks a lot,
Oliver

>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>

| oliver kaspar, dipl.-ing. univ. | softbox gmbh, balanstr. 73 Gebaeude 9 81541 | muenchen | tel: +49 89 48900069 | fax: +49 89 48900068 | amtsgericht muenchen | hrb 127479 | ustid de 200166144 | gf: thilo weinzierl und oliver kaspar :-) |

From ok at softbox.de Fri Jun 5 16:22:59 2009
From: ok at softbox.de (Oliver Kaspar)
Date: Fri, 5 Jun 2009 18:22:59 +0200
Subject: [Freeipa-users] samba share access win xp
In-Reply-To: <1244212485.3623.129.camel@localhost.localdomain>
References: <94D941EB-0EC9-4AC2-8C97-E0FC33A74A05@softbox.de> <1244207384.3623.104.camel@localhost.localdomain> <91387AAA-A936-4454-8B05-C8DD2B9D91BE@softbox.de> <1244210918.3623.114.camel@localhost.localdomain> <99DACCEA-02C4-4270-88C9-BF84AD48EFF8@softbox.de> <1244212485.3623.129.camel@localhost.localdomain>
Message-ID:

Hi Simo,

Windows seems to use different notations, the same PC asks for cifs/SAMBA.example.org@EXAMPLE.ORG or samba.EXAMPLE.ORG@EXAMPLE.ORG or Samba@EXAMPLE.ORG@EXAMPLE.ORG, is there no workaround for that problem?

On 05.06.2009 at 16:34, Simo Sorce wrote:
> On Fri, 2009-06-05 at 16:19 +0200, Oliver Kaspar wrote:
>>>>> How do you access the share from windows?
>>>>
>>>> I log on at the kerberos realm (this is working). Then I use the
>>>> windows explorer. The server is listed in "My Network Places" and I
>>>> click on it, is this what you mean?
>>>
>>> Yes, just for testing can you try to access the server using:
>>> \\fully.qualified.domain.name\yourshare ?
>>>
>>> Just to see if this makes any difference.
>>
>>
>> that's very interesting, using the fqdn is working
>

but not in any case :-(

Thanks,
Oliver

>

| oliver kaspar, dipl.-ing. univ. | softbox gmbh, balanstr.
73 Gebaeude 9 81541 | muenchen | tel: +49 89 48900069 | fax: +49 89 48900068 | amtsgericht muenchen | hrb 127479 | ustid de 200166144 | gf: thilo weinzierl und oliver kaspar :-) |

From ssorce at redhat.com Fri Jun 5 17:59:27 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 05 Jun 2009 13:59:27 -0400
Subject: [Freeipa-users] samba share access win xp
In-Reply-To:
References: <94D941EB-0EC9-4AC2-8C97-E0FC33A74A05@softbox.de> <1244207384.3623.104.camel@localhost.localdomain> <91387AAA-A936-4454-8B05-C8DD2B9D91BE@softbox.de> <1244210918.3623.114.camel@localhost.localdomain> <99DACCEA-02C4-4270-88C9-BF84AD48EFF8@softbox.de> <1244212485.3623.129.camel@localhost.localdomain>
Message-ID: <1244224767.6068.50.camel@localhost.localdomain>

On Fri, 2009-06-05 at 18:22 +0200, Oliver Kaspar wrote:
> Hi Simo,
>
> Windows seems to use different notations, the same PC asks for cifs/SAMBA.example.org@EXAMPLE.ORG
> or samba.EXAMPLE.ORG@EXAMPLE.ORG or Samba@EXAMPLE.ORG@EXAMPLE.ORG,
> is there no workaround for that problem?

Well, this is one of the differences between the Windows KDC implementation and a "to specs" KDC implementation. Windows KDCs have a much more lax canonicalisation engine and can recognize many forms as aliases of the same principal.

We are working on implementing some of this in FreeIPA, and MIT 1.7 already allows aliases.

Unfortunately I can't see anything easy that can be done as a workaround right now. We would at the very least have to try to patch the KDC ldap driver to try to be smarter, but I am not sure it will give the desired results in the MIT 1.6.3 code base.

An option could be to allow windows to use NTLM auth against samba when krb auth fails.

Simo.
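The NTLM fallback Simo suggests only works if Samba can find an NT hash for the user; with an ldapsam backend that is the sambaNTPassword attribute of the Samba 3 LDAP schema (sambaSamAccount object class). The block below is an added example, my code rather than anything from the thread, FreeIPA or Samba, showing what that value is: MD4 over the UTF-16LE encoding of the password, with no salt. MD4 is written out in full because current OpenSSL builds ship it disabled in Python's hashlib. The DN and the password are constructed samples, and the LDIF helper is mine.

```python
"""Added example (my code, not the thread's, FreeIPA's or Samba's): what an NT
hash is, and therefore what an ldapsam-backed Samba server verifies NTLM against.

The NT hash is MD4 over the UTF-16LE encoding of the password, unsalted.
MD4 is implemented here because current OpenSSL builds disable it in hashlib.
sambaNTPassword / sambaSamAccount are Samba 3 LDAP schema names; the DN and
the password used below are constructed samples.
"""
import struct
from typing import List

_MASK = 0xFFFFFFFF


def _f(x: int, y: int, z: int) -> int:
    return (x & y) | (~x & z)


def _g(x: int, y: int, z: int) -> int:
    return (x & y) | (x & z) | (y & z)


def _h(x: int, y: int, z: int) -> int:
    return x ^ y ^ z


# RFC 1320 rounds 1-3: (function, additive constant, rotations for a/d/c/b, message-word order)
_ROUNDS = (
    (_f, 0x00000000, (3, 7, 11, 19), list(range(16))),
    (_g, 0x5A827999, (3, 5, 9, 13), [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
    (_h, 0x6ED9EBA1, (3, 9, 11, 15), [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
)


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4; returns the 16-byte digest."""
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)           # bit length, little-endian
    state: List[int] = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        words = struct.unpack("<16I", msg[off:off + 64])
        v = state[:]
        for fn, k, shifts, order in _ROUNDS:
            for i, w in enumerate(order):
                j = (-i) % 4                           # update a, d, c, b in turn
                t = (v[j] + fn(v[(j + 1) % 4], v[(j + 2) % 4], v[(j + 3) % 4]) + words[w] + k) & _MASK
                s = shifts[i % 4]
                v[j] = ((t << s) | (t >> (32 - s))) & _MASK
        state = [(a + b) & _MASK for a, b in zip(state, v)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash in the form Samba stores in sambaNTPassword: 32 upper-case hex digits."""
    return md4(password.encode("utf-16-le")).hex().upper()


def ldif_set_nt_password(dn: str, password: str) -> str:
    """LDIF that writes the value an ldapsam Samba server would check NTLM against.

    This is what a server-side password plugin produces for sambaSamAccount
    entries; note that the directory then holds a password-equivalent secret.
    """
    return (f"dn: {dn}\n"
            "changetype: modify\n"
            "replace: sambaNTPassword\n"
            f"sambaNTPassword: {nt_hash(password)}\n")


if __name__ == "__main__":
    # Constructed sample: a user entry in the thread's DIT layout, with a weak password.
    print(ldif_set_nt_password("uid=test,cn=users,cn=accounts,dc=example,dc=lan", "password"))
```

The security point of the fallback is visible in the code: the hash is unsalted and, for NTLM, password-equivalent, so anyone who can read sambaNTPassword from the directory can authenticate as that user without cracking anything. If the attribute is populated, the directory ACIs have to restrict read access to it to the Samba server's bind identity, and the NTLM path gives up the mutual authentication that the Kerberos path provides.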
--
Simo Sorce * Red Hat, Inc * New York

From ok at softbox.de Fri Jun 5 21:55:25 2009
From: ok at softbox.de (Oliver Kaspar)
Date: Fri, 5 Jun 2009 23:55:25 +0200
Subject: [Freeipa-users] samba share access win xp
In-Reply-To: <1244224767.6068.50.camel@localhost.localdomain>
References: <94D941EB-0EC9-4AC2-8C97-E0FC33A74A05@softbox.de> <1244207384.3623.104.camel@localhost.localdomain> <91387AAA-A936-4454-8B05-C8DD2B9D91BE@softbox.de> <1244210918.3623.114.camel@localhost.localdomain> <99DACCEA-02C4-4270-88C9-BF84AD48EFF8@softbox.de> <1244212485.3623.129.camel@localhost.localdomain> <1244224767.6068.50.camel@localhost.localdomain>
Message-ID: <7E784751-FBBC-42D1-ADF3-E4AB5182BF52@softbox.de>

Hi Simo,

I am not 100% sure, but it seems to work now. I changed the primary domain suffix on the windows box from capital letters to lowercase and now could log on many times to the samba server. There are still the strange error messages in kr5.log, but I can access the share. I will take some more time for testing...

On 05.06.2009 at 19:59, Simo Sorce wrote:
> On Fri, 2009-06-05 at 18:22 +0200, Oliver Kaspar wrote:
>> Hi Simo,
>>
>> Windows seems to use different notations, the same PC asks for cifs/SAMBA.example.org@EXAMPLE.ORG
>> or samba.EXAMPLE.ORG@EXAMPLE.ORG or Samba@EXAMPLE.ORG@EXAMPLE.ORG,
>> is there no workaround for that problem?
>
> Well this is one of the differences between Windows KDC implementation
> and a "to specs" KDC implementation.
> Windows KDCs have a much more lax canonicalisation engine and can
> recognize many forms as aliases of the same principal.
>
> We are working on implementing some of this in FreeIPA and MIT 1.7
> already allows aliases.
>
> Unfortunately I can't see anything easy that can be done as a
> workaround
> right now. We would at the very least have to try to patch the KDC
> ldap
> driver to try to be smarter, but I am not sure it will give the
> desired
> results in the MIT 1.6.3 code base.
>
> An option could be to allow windows to use NTLM auth against samba when
> krb auth fails.
>

This would be a great deal anyway, because it would give the possibility for non-kerberos clients to use samba services. Is there a mechanism to sync the passwords between kerberos and ntlm (as the smbk5pwd overlay for openldap)?

Thanks a lot for your advice and your very fast reaction,

Wish you a nice weekend,
Oliver

> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>

| oliver kaspar, dipl.-ing. univ. | softbox gmbh, balanstr. 73 Gebaeude 9 81541 | muenchen | tel: +49 89 48900069 | fax: +49 89 48900068 | amtsgericht muenchen | hrb 127479 | ustid de 200166144 | gf: thilo weinzierl und oliver kaspar :-) |

From ssorce at redhat.com Sun Jun 7 03:31:25 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Sat, 06 Jun 2009 23:31:25 -0400
Subject: [Freeipa-users] samba share access win xp
In-Reply-To: <7E784751-FBBC-42D1-ADF3-E4AB5182BF52@softbox.de>
References: <94D941EB-0EC9-4AC2-8C97-E0FC33A74A05@softbox.de> <1244207384.3623.104.camel@localhost.localdomain> <91387AAA-A936-4454-8B05-C8DD2B9D91BE@softbox.de> <1244210918.3623.114.camel@localhost.localdomain> <99DACCEA-02C4-4270-88C9-BF84AD48EFF8@softbox.de> <1244212485.3623.129.camel@localhost.localdomain> <1244224767.6068.50.camel@localhost.localdomain> <7E784751-FBBC-42D1-ADF3-E4AB5182BF52@softbox.de>
Message-ID: <1244345485.6068.76.camel@localhost.localdomain>

On Fri, 2009-06-05 at 23:55 +0200, Oliver Kaspar wrote:
> this would be a great deal anyway, because it would give the
> possibility for non kerberos clients to use samba services. Is there
> a
> mechanism to sync the passwords between kerberos and ntlm (as
> smbk5pwd
> overlay for openldap)?
>
>
> Thanks a lot for your advice and your very fast reaction,
>

If you set the sambaAccount objectclass on a freeipa account, NTLM hashes will be automatically generated the next time you change that password.
So if you configure your samba server to use ldapsam and you point it at the freeipa server, you should be able to use these hashes.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ok at softbox.de Sun Jun 7 22:09:47 2009
From: ok at softbox.de (Oliver Kaspar)
Date: Mon, 8 Jun 2009 00:09:47 +0200
Subject: [Freeipa-users] samba share access win xp
In-Reply-To: <1244345485.6068.76.camel@localhost.localdomain>
References: <94D941EB-0EC9-4AC2-8C97-E0FC33A74A05@softbox.de> <1244207384.3623.104.camel@localhost.localdomain> <91387AAA-A936-4454-8B05-C8DD2B9D91BE@softbox.de> <1244210918.3623.114.camel@localhost.localdomain> <99DACCEA-02C4-4270-88C9-BF84AD48EFF8@softbox.de> <1244212485.3623.129.camel@localhost.localdomain> <1244224767.6068.50.camel@localhost.localdomain> <7E784751-FBBC-42D1-ADF3-E4AB5182BF52@softbox.de> <1244345485.6068.76.camel@localhost.localdomain>
Message-ID:

Hi Simo,

thanks for your answer, I'm really impressed by the freeipa project, really great work :-)

Thanks again
Oliver

On 07.06.2009 at 05:31, Simo Sorce wrote:
> On Fri, 2009-06-05 at 23:55 +0200, Oliver Kaspar wrote:
>> this would be a great deal anyway, because it would give the
>> possibility for non kerberos clients to use samba services. Is there
>> a
>> mechanism to sync the passwords between kerberos and ntlm (as
>> smbk5pwd
>> overlay for openldap)?
>>
>>
>> Thanks a lot for your advice and your very fast reaction,
>>
> If you set the sambaAccount objectclass on a freeipa account, NTLM
> hashes
> will be automatically generated the next time you change that
> password.
> So if you configure your samba server to use ldapsam and you point
> it at
> the freeipa server you should be able to use these hashes.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

| oliver kaspar, dipl.-ing. univ. | softbox gmbh, balanstr.
73 Gebaeude 9 81541 | muenchen | tel: +49 89 48900069 | fax: +49 89 48900068 | amtsgericht muenchen | hrb 127479 | ustid de 200166144 | gf: thilo weinzierl und oliver kaspar :-) |

From visser.rob at gmail.com Mon Jun 8 09:08:25 2009
From: visser.rob at gmail.com (Rob Visser)
Date: Mon, 8 Jun 2009 11:08:25 +0200
Subject: [Freeipa-users] Re: FreeIPA beginner
In-Reply-To: <1244120306.3623.47.camel@localhost.localdomain>
References: <869100480906040546x29cae57ya22ee7ed35423793@mail.gmail.com> <1244120306.3623.47.camel@localhost.localdomain>
Message-ID: <869100480906080208t6377247ek48e44622ec5022b9@mail.gmail.com>

Hi Simo,

Thanks for the answer. Some problems are solved, some I am still working on. In particular the following:

You suggested to use pam_makehomedir. However, the installation script resulted in a PAM configuration with pam_namespace. I would prefer the latter for reasons of security. The pam_namespace, however, does not work: a login with gdm simply hangs forever. Any suggestions?

Rob

On Thu, Jun 4, 2009 at 2:58 PM, Simo Sorce wrote:
> Moved to freeipa-users,
> Rob please use this list for user help questions.
>
> On Thu, 2009-06-04 at 14:46 +0200, Rob Visser wrote:
> > Hello,
> >
> > Just recently I installed an IPA server and IPA client on two Fedora 10
> > computers.
> > I managed to get ssh working for the admin user (with single sign on).
> > I am confused about the relation between Kerberos and UNIX
> > identities.
> > A few questions:
> > - Is it required to add the UNIX user (in the passwd file) after
> > entering the user with FreeIPA? Or perhaps the other way around?
>
> your client should be configured to use nss_ldap, users are created on
> the freeIPA server and seen by all clients.
>
> > - If so, then I assume with the UID/GID that are generated with the
> > "add user".
>
> UID/GID are generated on the freeipa server and distributed to all
> clients via nss_ldap
>
> > - The admin user automagically seems to be linked to the (unix) root
> > user?
>
> It should really not be, did you create some mapping on the client?
>
> > When I create a new user with FreeIPA, then I can login with GDM with
> > the new identity, however, the pam_namespace does not create
> > a /home/user and /tmp
>
> pam_mkhomedir is what creates home directories if properly configured.
>
> > When I try to change the Kerberos password, it complains that it
> > cannot find any kdc.
>
> looks like a network or client configuration issue.
>
> > Is there something I missed in reading documents?
> >
> > Any help is appreciated.
>
> Make sure you follow the user guides thoroughly.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>

From ssorce at redhat.com Mon Jun 8 13:05:02 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 08 Jun 2009 09:05:02 -0400
Subject: [Freeipa-users] Trouble with new installation
In-Reply-To: <385582.9480.qm@web111916.mail.gq1.yahoo.com>
References: <853840.86844.qm@web111913.mail.gq1.yahoo.com> <1244066993.3623.26.camel@localhost.localdomain> <947191.60406.qm@web111911.mail.gq1.yahoo.com> <20090604164958.GA21605@fluxcoil.net> <524059.60536.qm@web111910.mail.gq1.yahoo.com> <1244146500.3623.91.camel@localhost.localdomain> <736688.93925.qm@web111910.mail.gq1.yahoo.com> <1244150439.3623.98.camel@localhost.localdomain> <385582.9480.qm@web111916.mail.gq1.yahoo.com>
Message-ID: <1244466302.6068.84.camel@localhost.localdomain>

On Thu, 2009-06-04 at 14:31 -0700, Dumbo Q wrote:
> "Except that I didn't tell you to start kadmin, I was worried you
> did :-/"
>
> Doh! I was so excited I damn near skipped through the hallway. Back to
> the drawing board :)
>
> So I believe I will need to do something like
> ipa-getkeytab -s auth01.mydom.com -p -k ???
the principal is kadmin/changepw at REALM (IIRC :-)

> I'm just sure what exactly i broke.

by changing the secret you made kpasswd.keytab (under /var/kerberos/krb5kdc/) obsolete as it has not been updated. This means that ipa-kpasswd will not be able to perform password changes, as it doesn't have valid credentials to connect to the ldap service.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From dqarras at yahoo.com Mon Jun 8 21:29:32 2009
From: dqarras at yahoo.com (Daniel Qarras)
Date: Mon, 8 Jun 2009 14:29:32 -0700 (PDT)
Subject: [Freeipa-users] SSSD vs NSCD
Message-ID: <725596.73238.qm@web36806.mail.mud.yahoo.com>

Hi,

I googled a bit and got the impression that on IPA clients SSSD should completely replace nscd, is this correct? If so, will it provide ~1:1 functionality, too, or, if not, what are the main differences? Are there cases where one should run both SSSD and nscd or even nscd only?

Unfortunately with nscd it seems that it cannot correctly handle the case where a user roams with a laptop unconnected to a LDAP/AD server [1] forcing adding entries to /etc/passwd for proper NSS info (pam_ccreds seem to handle authentication caching ok [2]). I would love to see this issue addressed with SSSD.

1) http://sources.redhat.com/bugzilla/show_bug.cgi?id=10181
2) https://bugzilla.redhat.com/show_bug.cgi?id=478446

Thanks!

From sgallagh at redhat.com Wed Jun 10 12:13:14 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Wed, 10 Jun 2009 08:13:14 -0400
Subject: [Freeipa-users] SSSD vs NSCD
In-Reply-To: <725596.73238.qm@web36806.mail.mud.yahoo.com>
References: <725596.73238.qm@web36806.mail.mud.yahoo.com>
Message-ID: <4A2FA35A.5050702@redhat.com>

Daniel, one of the goals of the SSSD will be to eliminate the need for running nscd. SSSD itself provides a cache for user information coming in from network services, as well as an offline authentication cache similar to pam_ccreds.
Currently, the name-service caching is not as high-performance as nscd, but that is intended for future optimization. So in deployments where one might expect dozens or hundreds of identical NSS requests at the same time, there may still be some benefit to using nscd. In less intense deployments, SSSD will still provide local caching to significantly reduce latency from contacting the network.

Glossary:

Online: SSSD has a live network connection to its user information and authentication providers (We'll use the LDAP example)

Offline: network cable has been pulled, or other network failure prevents access to the providers.

User information and credential caching works as follows:

NSS:
Check the cache. If the user is present, check whether the cache timeout has expired. If it is still valid, immediately return the user. If the cache timeout has expired, check our online/offline status. If the SSSD is offline, it will return the cache entry anyway (since there's no way to refresh it). If the user was not present, or out of date, the identity provider will be queried. It will update the cache if the user was found, and the new cache entry will be returned, or it will return "No such user".

PAM:
Behaves similarly to NSS, except that we will first check online/offline status. If we are online, we will always query the authentication provider and cache the credentials. The cache will be used only when the SSSD is offline.

On 06/08/2009 05:29 PM, Daniel Qarras wrote:
> Hi,
>
> I googled a bit and got the impression that on IPA clients SSSD should completely replace nscd, is this correct? If so, will it provide ~1:1 functionality, too, or, if not, what are the main differences? Are there cases where one should run both SSSD and nscd or even nscd only?
>
> Unfortunately with nscd it seems that it cannot correctly handle the case where a user roams with a laptop unconnected to a LDAP/AD server [1] forcing adding entries to /etc/passwd for proper NSS info (pam_ccreds seem to handle authentication caching ok [2]). I would love to see this issue addressed with SSSD.
>
> 1) http://sources.redhat.com/bugzilla/show_bug.cgi?id=10181
> 2) https://bugzilla.redhat.com/show_bug.cgi?id=478446
>
> Thanks!
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

--
Stephen Gallagher
RHCE 804006346421761

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From soporte.informatico at enforex.es Wed Jun 10 16:17:47 2009
From: soporte.informatico at enforex.es (Ismael Puerto)
Date: Wed, 10 Jun 2009 18:17:47 +0200
Subject: [Freeipa-users] Error while changing password
Message-ID: <4A2FDCAB.2040702@enforex.es>

Hello

When you change a password, I get this:

isma at linux-qggn:~> kinit ipuerto
Password for ipuerto at IDEAL.SPAIN:
Password expired. You must change it now.
Enter new password:
Enter it again:
kinit(v5): Cannot contact any KDC for requested realm while getting initial credentials

I got this error from the server and client

Best regards

________________________________________________________________________________
PRIVILEGED AND CONFIDENTIAL
This message is intended exclusively for the person to whom it is addressed and contains privileged and confidential information protected from disclosure by law.
If you are not the addressee indicated in this message, you should immediately delete it and any attachments and notify the sender by reply e-mail or by phone (+ 34) 915 943 776. In such case, you are hereby notified that any dissemination, distribution, copying or use of this message or any attachments, for any purpose, is strictly prohibited by law. We hereby inform you, as addressee of this message, that e-mail and Internet do not guarantee the confidentiality, nor the completeness or proper reception of the messages sent and, thus, the sender does not assume any liability for those circumstances. Should you not agree to the use of e-mail or to communications via Internet, you are kindly requested to notify us immediately.
________________________________________________________________________________

From d.Thomas at colostate.edu Wed Jun 10 20:20:22 2009
From: d.Thomas at colostate.edu (Thomas,Dave)
Date: Wed, 10 Jun 2009 14:20:22 -0600
Subject: [Freeipa-users] Can't create replica with promoted master server
Message-ID: <67A4901921307B49AC55A96647DBDBDD10A5EB3A2D@EVS4.ColoState.EDU>

Hi,

I'm having trouble setting up replication after I promoted a replica to be the master. I followed the instructions here: https://bugzilla.redhat.com/show_bug.cgi?id=486950, but to import the certificate had to use the following command inside /etc/dirsrv/slapd-REALM:

# pk12util -i ~/cacert.p12 -k pwdfile.txt -w ~/pwdfile.txt -d .

(~/cacert.p12 and ~/pwdfile.txt are both from the old master server.)

Then I deleted the replication agreement and turned off the old master. The new master seems to be working fine, but when I try to set up a new replica, I get the following message:

  [12/17]: restarting directory server
root        : CRITICAL Failed to restart the directory server. See the installation log for details.
ipareplica-install.log says this:

2009-06-10 14:01:37,212 INFO [10/Jun/2009:14:01:27 -0600] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8179 - Peer's Certificate issuer is not recognized.)
[10/Jun/2009:14:01:27 -0600] - SSL failure: None of the cipher are valid

The new master server is running Fedora 10, and the new replica has Fedora 11. I don't know much about SSL, so at this point, I'm not sure what to do.

Thanks,
Dave

From rcritten at redhat.com Thu Jun 11 13:22:35 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 11 Jun 2009 09:22:35 -0400
Subject: [Freeipa-users] Error while changing password
In-Reply-To: <4A2FDCAB.2040702@enforex.es>
References: <4A2FDCAB.2040702@enforex.es>
Message-ID: <4A31051B.8000006@redhat.com>

Ismael Puerto wrote:
> Hello
>
> When you change a password, I get this:
>
> isma at linux-qggn:~> kinit ipuerto
> Password for ipuerto at IDEAL.SPAIN:
> Password expired. You must change it now.
> Enter new password:
> Enter it again:
> kinit(v5): Cannot contact any KDC for requested realm while getting
> initial credentials
>
> I got this error from the server and client
>

Is the ipa_kpasswd process running on the server?

rob
From soporte.informatico at enforex.es Thu Jun 11 19:42:58 2009
From: soporte.informatico at enforex.es (Ismael Puerto)
Date: Thu, 11 Jun 2009 21:42:58 +0200
Subject: [Freeipa-users] Error while changing password
In-Reply-To: <4A31051B.8000006@redhat.com>
References: <4A31051B.8000006@redhat.com>
Message-ID:

Thanks

Restarted the ipa_kpasswd service and everything runs perfectly

Thank you very much again

Ismael Puerto

On 11/06/2009, at 15:22, Rob Crittenden wrote:

> Ismael Puerto wrote:
>> Hello
>>
>> When you change a password, I get this:
>>
>> isma at linux-qggn:~> kinit ipuerto
>> Password for ipuerto at IDEAL.SPAIN:
>> Password expired. You must change it now.
>> Enter new password:
>> Enter it again:
>> kinit(v5): Cannot contact any KDC for requested realm while getting
>> initial credentials
>>
>> I got this error from the server and client
>>
>
> Is the ipa_kpasswd process running on the server?
>
> rob
>
From dqarras at yahoo.com Fri Jun 12 11:32:09 2009
From: dqarras at yahoo.com (Daniel Qarras)
Date: Fri, 12 Jun 2009 04:32:09 -0700 (PDT)
Subject: [Freeipa-users] SSSD vs NSCD
Message-ID: <855990.5262.qm@web36802.mail.mud.yahoo.com>

Hi!

> Daniel, one of the goals of the SSSD will be to eliminate the need for
> running nscd.
> SSSD itself provides a cache for user information coming
> in from network services, as well as an offline authentication cache
> similar to pam_ccreds.

Ok, this was my impression, good to hear a confirmation :)

> Currently, the name-service caching is not as high-performance as nscd,
> but that is intended for future optimization. So in deployments where
> one might expect dozens or hundreds of identical NSS requests at the
> same time, there may still be some benefit to using nscd. In less
> intense deployments, SSSD will still provide local caching to
> significantly reduce latency from contacting the network.

This doesn't sound like an issue to me at all but again good to know.

> User information and credential caching works as follows:
> NSS:
> Check the cache. If the user is present, check whether the
> cache timeout has expired. If it is still valid, immediately return the
> user. If the cache timeout has expired, check our online/offline status.
> If the SSSD is offline, it will return the cache entry anyway (since
> there's no way to refresh it)

Is there a method to make the cache expire even in offline mode (as it is with nscd)? Probably unnecessary for an ordinary user but who knows if someone needs that kind of a feature.

> PAM:
> Behaves similarly to NSS, except that we will first check
> online/offline status. If we are online, we will always query the
> authentication provider and cache the credentials. The cache will
> be used only when the SSSD is offline.

Makes sense.

Thanks!

From dpal at redhat.com Fri Jun 12 14:49:14 2009
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 12 Jun 2009 10:49:14 -0400
Subject: [Freeipa-users] SSSD vs NSCD
In-Reply-To: <855990.5262.qm@web36802.mail.mud.yahoo.com>
References: <855990.5262.qm@web36802.mail.mud.yahoo.com>
Message-ID: <4A326AEA.3090407@redhat.com>

>> User information and credential caching works as follows:
>> NSS:
>> Check the cache. If the user is present, check whether the
>> cache timeout has expired.
>> If it is still valid, immediately return the
>> user. If the cache timeout has expired, check our online/offline status.
>> If the SSSD is offline, it will return the cache entry anyway (since
>> there's no way to refresh it)
>>
>
> Is there a method to make the cache expire even in offline mode (as it is with nscd)? Probably unnecessary for an ordinary user but who knows if someone needs that kind of a feature.
>

Steve, I do not think there is but it might make sense to have a tool that will flush the cache - sss_cache. Something for future.

Daniel can you please log an ER?
https://fedorahosted.org/sssd/

>> PAM:
>> Behaves similarly to NSS, except that we will first check
>> online/offline status. If we are online, we will always query the
>> authentication provider and cache the credentials. The cache will
>> be used only when the SSSD is offline.
>>
>
> Makes sense.
>
> Thanks!
>

--
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.

From dqarras at yahoo.com Sat Jun 13 16:48:02 2009
From: dqarras at yahoo.com (Daniel Qarras)
Date: Sat, 13 Jun 2009 09:48:02 -0700 (PDT)
Subject: [Freeipa-users] SSSD vs NSCD
Message-ID: <880484.1556.qm@web36805.mail.mud.yahoo.com>

Hi Dmitri,

> > Is there a method to make the cache expire even in offline mode
> > (as it is with nscd)? Probably unnecessary for an ordinary user
> > but who knows if someone needs that kind of a feature.
>
> Steve, I do not think there is but it might make sense to have a tool
> that will flush the cache - sss_cache. Something for future.
>
> Daniel can you please log an ER?
> https://fedorahosted.org/sssd/

I honestly tried but failed spectacularly with Trac (my first and last time trying) so I put it in RH Bugzilla, sorry for the inconvenience:

https://bugzilla.redhat.com/show_bug.cgi?id=505771

Thanks!

From dqarras at yahoo.com Sat Jun 13 19:22:26 2009
From: dqarras at yahoo.com (Daniel Qarras)
Date: Sat, 13 Jun 2009 12:22:26 -0700 (PDT)
Subject: [Freeipa-users] SSSD vs NSCD
Message-ID: <760923.25315.qm@web36807.mail.mud.yahoo.com>

Hi!

Few more quick general comments/questions:

- some users are under the impression (1) that SSSD is tied to IPA and won't work with OpenLDAP/MS AD/etc - is this correct? I thought that SSSD is independent of IPA and works against any Kerberos5/LDAP server, even MS AD? If so, perhaps you could also set the record straight on Bugzilla :)

- even some RH developers seem to think that nss_ldap/nss-ldapd is better suited for some scenarios than SSSD (2) - would it be possible to elaborate a bit on that? I'd hate a situation where due to some corner case two different solutions implementing almost identical functionality would need to be deployed.

1) https://bugzilla.redhat.com/show_bug.cgi?id=186527#c57
2) https://bugzilla.redhat.com/show_bug.cgi?id=491767#c17

Thanks!
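The NSS and PAM caching rules Stephen laid out earlier in this thread (cache first for NSS, stale entries served while offline, provider first for PAM with the credential cache used only offline), plus the cache-flush tool Dmitri suggested, modelled as an added Python example. This is an illustration written for this archive, not SSSD's code: the providers, the 300-second timeout, the PBKDF2 credential hashing and the `flush_cache` name are all assumptions.

```python
"""In-memory model of the SSSD caching policy described in this thread.

Constructed illustration, not SSSD source code: the identity and
authentication providers are plain callables, "online" is a flag, and
the cache timeout is an assumed value, so the decision logic can be
exercised without any network.
"""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

CACHE_TIMEOUT = 300  # seconds an NSS cache entry counts as fresh (assumed)


@dataclass
class UserEntry:
    name: str
    uid: int
    cached_at: float


@dataclass
class CachedCredential:
    salt: bytes
    digest: bytes  # PBKDF2 of the password; the clear password is never stored


@dataclass
class SssdModel:
    identity_provider: Callable[[str], Optional[int]]  # name -> uid, None if unknown
    auth_provider: Callable[[str, str], bool]          # (name, password) -> ok
    online: bool = True
    nss_cache: Dict[str, UserEntry] = field(default_factory=dict)
    cred_cache: Dict[str, CachedCredential] = field(default_factory=dict)

    # NSS path: cache first; an expired entry is refreshed only when online.
    def getpwnam(self, name: str, now: Optional[float] = None) -> Optional[UserEntry]:
        now = time.time() if now is None else now
        entry = self.nss_cache.get(name)
        if entry is not None:
            if now - entry.cached_at < CACHE_TIMEOUT:
                return entry          # still valid: answer from the cache
            if not self.online:
                return entry          # expired but offline: no way to refresh
        if not self.online:
            return None               # never cached and provider unreachable
        uid = self.identity_provider(name)
        if uid is None:
            self.nss_cache.pop(name, None)   # provider says gone: drop stale copy
            return None
        entry = UserEntry(name, uid, now)
        self.nss_cache[name] = entry
        return entry

    # PAM path: when online always ask the provider and cache a successful
    # result; the credential cache is consulted only when offline.
    def authenticate(self, name: str, password: str) -> bool:
        if self.online:
            ok = self.auth_provider(name, password)
            if ok:
                salt = os.urandom(16)
                self.cred_cache[name] = CachedCredential(salt, self._derive(password, salt))
            return ok
        cred = self.cred_cache.get(name)
        if cred is None:
            return False              # offline with nothing cached: deny
        return hmac.compare_digest(self._derive(password, cred.salt), cred.digest)

    # Stand-in for the cache-flush tool (sss_cache) requested in the thread.
    def flush_cache(self) -> None:
        self.nss_cache.clear()
        self.cred_cache.clear()

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def build_demo() -> SssdModel:
    """Model wired to a constructed two-user directory (sample data)."""
    directory = {"alice": 1001, "bob": 1002}
    passwords = {"alice": "correct-horse", "bob": "battery-staple"}
    return SssdModel(identity_provider=directory.get,
                     auth_provider=lambda u, p: passwords.get(u) == p)


if __name__ == "__main__":
    m = build_demo()
    print(m.getpwnam("alice", now=0.0))              # fetched from provider, cached
    m.online = False
    print(m.getpwnam("alice", now=1000.0))           # expired, but offline: served anyway
    print(m.authenticate("alice", "correct-horse"))  # False: no credential cached yet
```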
From ok at softbox.de Sat Jun 13 22:58:02 2009
From: ok at softbox.de (Oliver Kaspar)
Date: Sun, 14 Jun 2009 00:58:02 +0200
Subject: [Freeipa-users] samba share access win xp
In-Reply-To: <1244345485.6068.76.camel@localhost.localdomain>
References: <94D941EB-0EC9-4AC2-8C97-E0FC33A74A05@softbox.de> <1244207384.3623.104.camel@localhost.localdomain> <91387AAA-A936-4454-8B05-C8DD2B9D91BE@softbox.de> <1244210918.3623.114.camel@localhost.localdomain> <99DACCEA-02C4-4270-88C9-BF84AD48EFF8@softbox.de> <1244212485.3623.129.camel@localhost.localdomain> <1244224767.6068.50.camel@localhost.localdomain> <7E784751-FBBC-42D1-ADF3-E4AB5182BF52@softbox.de> <1244345485.6068.76.camel@localhost.localdomain>
Message-ID: <2AC6C37F-C1C3-4DDD-8722-66837A22F318@softbox.de>

Hi Simo,

On 07.06.2009 at 05:31, Simo Sorce wrote:

> On Fri, 2009-06-05 at 23:55 +0200, Oliver Kaspar wrote:
>> this would be a great deal anyway, because it would give the
>> possibility for non kerberos clients to use samba services. Is there
>> a mechanism to sync the passwords between kerberos and ntlm (as
>> smbk5pwd overlay for openldap)?
>>
>> Thanks a lot for your advice and your very fast reaction,
>>
> If you set the sambaAccount objectclass on a freeipa account, NTLM
> hashes will be automatically generated the next time you change that
> password.

I'm sorry, but generating the NTLM hashes doesn't work on my system. It is a plain Fedora 10 System, freeIPA is installed by yum. I added the sambaSam stuff, the users get listed by pdbedit, but they didn't get the NTLM hashes. Do I need to activate something additional or do I need to change the config?

And I have a second question: I found the attribute "ipaCustomFields" and added it for displaying the samba SID: ipaCustomFields: sambaSID. But when I add it, the gui produces an error:

An unexpected error occured
HTTP Error Message:

500 - Internal Server Error

Can't I use this attribute in this way?
Thanks a lot,
Oliver

>
> So if you configure your samba server to use ldapsam and you point
> it at the freeipa server you should be able to use these hashes.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>

| oliver kaspar, dipl.-ing. univ. | softbox gmbh, balanstr. 73 Gebaeude 9 81541 | muenchen | tel: +49 89 48900069 | fax: +49 89 48900068 | amtsgericht muenchen | hrb 127479 | ustid de 200166144 | gf: thilo weinzierl und oliver kaspar :-) |

From ssorce at redhat.com Sun Jun 14 14:28:05 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Sun, 14 Jun 2009 10:28:05 -0400
Subject: [Freeipa-users] SSSD vs NSCD
In-Reply-To: <760923.25315.qm@web36807.mail.mud.yahoo.com>
References: <760923.25315.qm@web36807.mail.mud.yahoo.com>
Message-ID: <1244989685.14254.7.camel@localhost.localdomain>

On Sat, 2009-06-13 at 12:22 -0700, Daniel Qarras wrote:
> Hi!
>
> Few more quick general comments/questions:
>
> - some users are under the impression (1) that SSSD is tied to IPA and
> won't work with OpenLDAP/MS AD/etc - is this correct? I thought that
> SSSD is independent of IPA and works against any Kerberos5/LDAP
> server, even MS AD? If so, perhaps you could also set the record
> straight on Bugzilla :)

SSSD is thought to work with multiple backend types, in fact you can use it right now with an nss module loaded as backend using the proxy backend.

> - even some RH developers seem to think that nss_ldap/nss-ldapd is
> better suited for some scenarios than SSSD (2) - would it be possible
> to elaborate a bit on that? I'd hate a situation where due to some
> corner case two different solutions implementing almost identical
> functionality would need to be deployed.

I think in time we will be able to replace nss_ldap, but not from the get go.

Simo.
--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Sun Jun 14 14:30:33 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Sun, 14 Jun 2009 10:30:33 -0400
Subject: [Freeipa-users] samba share access win xp
In-Reply-To: <2AC6C37F-C1C3-4DDD-8722-66837A22F318@softbox.de>
References: <94D941EB-0EC9-4AC2-8C97-E0FC33A74A05@softbox.de> <1244207384.3623.104.camel@localhost.localdomain> <91387AAA-A936-4454-8B05-C8DD2B9D91BE@softbox.de> <1244210918.3623.114.camel@localhost.localdomain> <99DACCEA-02C4-4270-88C9-BF84AD48EFF8@softbox.de> <1244212485.3623.129.camel@localhost.localdomain> <1244224767.6068.50.camel@localhost.localdomain> <7E784751-FBBC-42D1-ADF3-E4AB5182BF52@softbox.de> <1244345485.6068.76.camel@localhost.localdomain> <2AC6C37F-C1C3-4DDD-8722-66837A22F318@softbox.de>
Message-ID: <1244989833.14254.10.camel@localhost.localdomain>

On Sun, 2009-06-14 at 00:58 +0200, Oliver Kaspar wrote:
> I'm sorry, but generating the NTLM hashes doesn't work on my system.
> It is a plain Fedora 10 System, freeIPA is installed by yum. I added
> the sambaSam stuff, the users get listed by pdbedit, but they didn't
> get the NTLM hashes. Do I need to activate something additional or do
> I need to change the config?

The only thing you should need is to change the user's password (using kpasswd for example). Samba should be configured to not store hashes directly but to perform an ldap password change instead (and IPA will generate them).

> And I have a second question: I found the attribute "ipaCustomFields"
> and added it for displaying the samba SID: ipaCustomFields: sambaSID.
> But when I add it, the gui produces an error:
>
> An unexpected error occured
> HTTP Error Message:
>
> 500 - Internal Server Error
>
> Can't I use this attribute in this way?

You should be able to, but I am not sure if there are limitations wrt the format.
Can you open a bug ?

Simo.
--
Simo Sorce * Red Hat, Inc * New York

From visser.rob at gmail.com Mon Jun 15 08:11:28 2009
From: visser.rob at gmail.com (Rob Visser)
Date: Mon, 15 Jun 2009 10:11:28 +0200
Subject: [Freeipa-users] rdesktop and Kerberos
Message-ID: <869100480906150111x380065d5x6e1d8211d82f217a@mail.gmail.com>

Hello,

In my FreeIPA Kerberos realm I would like to use some WinXP machines (probably virtual ones). The idea is to approach them with rdesktop, preferably with a Kerberos ticket (SSO).

How can this be achieved?

Rob Visser

From rcritten at redhat.com Mon Jun 15 13:16:47 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 15 Jun 2009 09:16:47 -0400
Subject: [Freeipa-users] samba share access win xp
In-Reply-To: <1244989833.14254.10.camel@localhost.localdomain>
References: <94D941EB-0EC9-4AC2-8C97-E0FC33A74A05@softbox.de> <1244207384.3623.104.camel@localhost.localdomain> <91387AAA-A936-4454-8B05-C8DD2B9D91BE@softbox.de> <1244210918.3623.114.camel@localhost.localdomain> <99DACCEA-02C4-4270-88C9-BF84AD48EFF8@softbox.de> <1244212485.3623.129.camel@localhost.localdomain> <1244224767.6068.50.camel@localhost.localdomain> <7E784751-FBBC-42D1-ADF3-E4AB5182BF52@softbox.de> <1244345485.6068.76.camel@localhost.localdomain> <2AC6C37F-C1C3-4DDD-8722-66837A22F318@softbox.de> <1244989833.14254.10.camel@localhost.localdomain>
Message-ID: <4A3649BF.3020308@redhat.com>

Simo Sorce wrote:
> On Sun, 2009-06-14 at 00:58 +0200, Oliver Kaspar wrote:
>
>> I'm sorry, but generating the NTLM hashes doesn't work on my system.
>> It is a plain Fedora 10 System, freeIPA is installed by yum. I added
>> the sambaSam stuff, the users get listed by pdbedit, but they didn't
>> get the NTLM hashes. Do I need to activate something additional or do
>> I need to change the config?
>
> The only thing you should need is to change the user's password (using
> kpasswd for example).
> Samba should be configured to not store hashes
> directly but to perform an ldap password change instead (and IPA will
> generate them).
>
>> And I have a second question: I found the attribute "ipaCustomFields"
>> and added it for displaying the samba SID: ipaCustomFields: sambaSID.
>> But when I add it, the gui produces an error:
>>
>> An unexpected error occured
>> HTTP Error Message:
>>
>> 500 - Internal Server Error
>>
>> Can't I use this attribute in this way?
>
> You should be able to, but I am not sure if there are limitations wrt
> the format.
> Can you open a bug ?
>
> Simo.
>

The format is a comma-delimited string of:

* label: The label displayed to the user
* field: The attribute name
* required: Whether or not the attribute requires a value (true/false)

If there are multiple attributes to display those are delimited with $. An example is:

"See Also,seealso,false$Country,c,false"

You need to be sure that any attribute you add to this list is allowed by the user's objectclasses, otherwise you'll get write failures.

rob

From sgallagh at redhat.com Mon Jun 15 17:33:31 2009
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Mon, 15 Jun 2009 13:33:31 -0400
Subject: [Freeipa-users] [PATCH][SSSD] Install SysV script as executable
Message-ID: <4A3685EB.8040309@redhat.com>

We had the SysV init script in Makefile.am as _DATA rather than _SCRIPTS. There was also a special permission exception made in sssd.spec.in which has now been rolled back.

--
Stephen Gallagher
RHCE 804006346421761

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0001-Make-SysV-script-install-executable.patch
URL:
From m.s.hannessen at drecomm.nl Tue Jun 16 09:08:05 2009
From: m.s.hannessen at drecomm.nl (Mark Hannessen)
Date: Tue, 16 Jun 2009 11:08:05 +0200
Subject: [Freeipa-users] FreeIPA Multi Valued Custom Fields
Message-ID: <200906161108.06173.m.s.hannessen@drecomm.nl>

Hi List,

I am currently deploying a freeipa installation for use within our company. I have successfully added a couple of custom attributes to the fedora directory server and to the webinterface using ipacustomfields in cn=ipaConfig,cn=etc

All attributes however appear in the interface as single valued attributes.

Does anyone know if it is possible (or hackable) to present them as multivalued attributes in the interface? (all my custom attributes happen to be multi valued, so a hack that would make them all appear multi valued would be enough in my case as well)

Thanks!

From rcritten at redhat.com Tue Jun 16 13:16:25 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 16 Jun 2009 09:16:25 -0400
Subject: [Freeipa-users] FreeIPA Multi Valued Custom Fields
In-Reply-To: <200906161108.06173.m.s.hannessen@drecomm.nl>
References: <200906161108.06173.m.s.hannessen@drecomm.nl>
Message-ID: <4A379B29.8080105@redhat.com>

Mark Hannessen wrote:
> Hi List,
>
> I am currently deploying a freeipa installation for use within our
> company.
> I have successfully added a couple of custom attributes to the fedora
> directory server and to the webinterface using ipacustomfields in
> cn=ipaConfig,cn=etc
>
> All attributes however appear in the interface as single valued attributes.
>
> Does anyone know if it is possible (or hackable) to present them as
> multivalued attributes in the interface?
> (all my custom attributes
> happen to be multi valued, so a hack that would make them all appear
> multi valued would be enough in my case as well)

Unfortunately our support for UI customization is very weak right now (which is one reason we started from scratch again). It only supports single-valued custom attributes right now.

To try to add in multi-valued attributes would require a fair bit of work. In order to make the UI act the way we wanted we had to dump the TurboGears template system so it isn't as simple as adding in a new reference to a UI object. A bunch of custom code needs to be added, particularly for multi-valued fields.

It isn't an impossible task but it would require a bit of coding on your end. I can try to point you in the right direction if you want to go that route (you'd just have to be careful about saving your work so an IPA update doesn't wipe it all out).

rob

From dpal at redhat.com Wed Jun 17 13:13:12 2009
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 17 Jun 2009 09:13:12 -0400
Subject: [Freeipa-users] rdesktop and Kerberos
In-Reply-To: <869100480906150111x380065d5x6e1d8211d82f217a@mail.gmail.com>
References: <869100480906150111x380065d5x6e1d8211d82f217a@mail.gmail.com>
Message-ID: <4A38EBE8.2030309@redhat.com>

Rob Visser wrote:
> Hello,
>
> In my FreeIPA Kerberos realm I would like to use some WinXP machines
> (probably virtual ones).
> The idea is to approach them with rdesktop, preferably with a Kerberos
> ticket (SSO).
>

We have not much explored Windows setups. We are planning to allow Windows clients via Samba 4 in IPA v3. We are looking into enhancing Kerberos and better integrating with Samba. There are a lot of challenges on this path.
The following link is the setup that was tried and works http://www.freeipa.org/page/Implementing_FreeIPA_in_a_mixed_Environment_(Windows/Linux)_-_Step_by_step This is the best I can offer for now. Thanks Dmitri > How can this be achieved? > > Rob Visser > > ------------------------------------------------------------------------ > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users -- Thank you, Dmitri Pal Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From dpal at redhat.com Wed Jun 17 14:27:25 2009 From: dpal at redhat.com (Dmitri Pal) Date: Wed, 17 Jun 2009 10:27:25 -0400 Subject: [Freeipa-users] Some clarifications about IPA and SSSD Message-ID: <4A38FD4D.1030606@redhat.com> Hello, It seems that there is a fair bit of confusion about IPA and SSSD. It is to some extent my fault since the freeIPA site is not frequently updated and information is not well organized there. The site does not reflect the state of the project so I am planning a cleanup in August. Meanwhile I wanted to try to make things a bit clearer. Here are some Q & A. What is IPA 2.0 about? Originally we planned a lot [1] but as it usually happens things change and we reduced the scope a bit. It is not because we do not want to deliver the functionality but because it is just too much to chew in one release. Also our view of P and A parts of IPA changed a bit. For P we were originally thinking about a broader set of the system management capabilities. It turned out that there is a big overlap between what we were planning to do and some very flexible configuration management solutions that already exist. We decided not to reinvent the wheel and try to integrate with such solutions. 
To do this effectively it made sense to separate this effort from IPA v2 and do it a bit later, focusing right now on the I of IPA and the A of IPA. In IPA v2 the P will be represented by robust centrally managed host based access control. The A of IPA is the audit server. From the very beginning we realized that it would make sense to build A in such a way that it can be installed independently from the I of IPA. This independence allows different delivery schedules for the audit server than for the I part of IPA, which consists of the KDC, DS and management framework. So IPA can be viewed as a group of related sub projects that might have different schedules. One such sub project is SSSD, which stands for System Security Services Daemon. It is a client side framework that allows caching of identity information for offline use and support of multiple sources of identity information at the same time. There are some misconceptions about SSSD that I will comment on below. So here is the core list of features that the IPA v2 project family will provide: I of IPA * Host Identity, host enrollment, host keytab provisioning * Integration with CA * Issuing certs and tracking certs that need auto renewal * More robust services management * New management framework, more flexible and extensible * Rich UI and CLI interfaces * NIS and DS to IPA migration with NIS support of legacy systems * Integration between IPA users, groups, hosts, host groups and netgroups for NIS * Automount as LDAP map and more... P of IPA * Host based access control A of IPA * Collection of the log files and individual events, delivery of them to the audit server and storage on the server for analysis with third party tools. We plan to build out tools in v3. The functionality that we want to deliver required a client component. But instead of building a specific IPA client we split the client side into a common part that can be used with different identity solutions and a specific IPA part. 
This common component is SSSD. It provides a framework for identity services. It allows multiple back ends. IPA is just one of them. Others would include LDAP, NIS, local files. There is no limitation on what can be an identity provider. There are plans to make Samba winbind a back end in future. Any third party authentication vendors are welcome to build their own identity provider back ends. SSSD solves several important issues. The first one is caching identity data for offline authentication and NSS lookups. Second is the ability to get data from multiple identity sources at the same time. There are other benefits that lay the foundation for a better user login experience in the future and for support of contemporary authentication methods and multi factor authentication policies. Does SSSD require IPA? No. SSSD can have other data providers. IPA is not required. We view SSSD as a core part of an OS. There is already interest from some distributions to port it. We start with Fedora but it is just one of the distros we are targeting. SSSD is written in C. It does not have a lot of dependencies. Most of them have already been ported to different distros so broad support of SSSD is possible and realistic. Does IPA require SSSD? To take advantage of the full IPA v2 functionality SSSD is required. But it is clear that it is not possible to put SSSD everywhere. For the systems that can only support NIS the IPA server will act as a NIS server; for systems that can have pam_krb5 or pam_ldap and nss_ldap IPA can still be an authentication and identity server as it was in v1. What is the relation between NSS_LDAP and SSSD? Nss_ldap is known to have performance and scalability issues. SSSD addresses these issues by creating a robust caching mechanism. However SSSD can't replace NSS_LDAP everywhere right away. It is unrealistic. This is one of the reasons why nss_ldap issues are still being addressed. It might appear that the two hands do not know what the other is doing. 
They actually do and we intentionally clean the old solution - nss_ldap , providing nss_ldapd for better performance and scalability, and build a new one - SSSD that will eventually replace nss_ldap in the long run. Any feedback is welcome! [1] http://www.freeipa.org/page/V2BPRD Thank you, Dmitri Pal From dqarras at yahoo.com Thu Jun 18 07:51:34 2009 From: dqarras at yahoo.com (Daniel Qarras) Date: Thu, 18 Jun 2009 00:51:34 -0700 (PDT) Subject: [Freeipa-users] Some clarifications about IPA and SSSD Message-ID: <259571.56438.qm@web36801.mail.mud.yahoo.com> Hi! Thanks a lot for your clarifications Dmitri, much appreciated! There was one detail in your message which raised my eyebrows and it would be great if you could elaborate a bit more on it. > What is relation between NSS_LDAP and SSSD? > > Nss_ldap is known to have performance and scalability issues. SSSD > addresses these issues by creating a robust caching mechanism. However > SSSD can't replace NSS_LDAP everywhere right away. It is unrealistic. > This is one of the reasons why nss_ldap issues are still being > addressed. It might appear that the two hands do not know what the > other is doing. They actually do and we intentionally clean the > old solution - nss_ldap , providing nss_ldapd for better performance > and scalability, and build a new one - SSSD that will eventually > replace the nss_ldap in a long run. In poetry it is admirable when one can invent a new phrase to mean the same thing that has been discussed earlier, but in technical conversations one usually prefers using the same term over and over and over again :) So when you mention NSS_LDAP, Nss_ldap, nss_ldap, and nss_ldapd I'm wondering, are you speaking only about nss_ldap (1) or do you also refer to nss-ldapd (2)? Especially if the latter, it would be very interesting if you could provide even a hint about the envisioned schedule - what's happening with F11/F12, RHEL5.x, and with RHEL6? 
1) http://www.padl.com/OSS/nss_ldap.html 2) http://arthurdejong.org/nss-ldapd/ Thanks! From nalin at redhat.com Thu Jun 18 17:01:36 2009 From: nalin at redhat.com (Nalin Dahyabhai) Date: Thu, 18 Jun 2009 13:01:36 -0400 Subject: [Freeipa-users] Some clarifications about IPA and SSSD In-Reply-To: <259571.56438.qm@web36801.mail.mud.yahoo.com> References: <259571.56438.qm@web36801.mail.mud.yahoo.com> Message-ID: <20090618170136.GC8135@redhat.com> On Thu, Jun 18, 2009 at 12:51:34AM -0700, Daniel Qarras wrote: > So when you mention NSS_LDAP, Nss_ldap, nss_ldap, and nss_ldapd I'm wondering are you speaking only about nss_ldap (1) or do you also refer to nss-ldapd (2)? Especially if the latter, it would be very interesting if you could provide even a hint about envisioned schedule - what's happening with F11/F12, RHEL5.x, and with RHEL6? > > 1) http://www.padl.com/OSS/nss_ldap.html > 2) http://arthurdejong.org/nss-ldapd/ Personally I lean toward keeping things as they are in existing releases, as nss-ldapd isn't quite a 100% direct replacement for nss_ldap, and switching over to using nss-ldapd in preference over nss_ldap for F12. Though I expect it'll be possible to have both installed at the same time, us not screwing with the sonames means that unless environment variables which affect the run-time linker are in play, applications will always only try to use nss-ldapd if both are installed. Cheers, Nalin From l_epa_m_inonda at hotmail.com Fri Jun 19 19:51:44 2009 From: l_epa_m_inonda at hotmail.com (Tebano epaminonda) Date: Fri, 19 Jun 2009 21:51:44 +0200 Subject: [Freeipa-users] Roadmap updates... Message-ID: Hi all. I'm reading about the roadmap of the new release of FreeIPA and all the interesting features it integrates. Does anyone have updates on the new release date? Thanks to all. Cheers. Tebano. 
-------------- next part -------------- An HTML attachment was scrubbed... URL: From ssorce at redhat.com Mon Jun 22 14:28:35 2009 From: ssorce at redhat.com (Simo Sorce) Date: Mon, 22 Jun 2009 10:28:35 -0400 Subject: [Freeipa-users] Roadmap updates... In-Reply-To: References: Message-ID: <1245680915.28192.6.camel@localhost.localdomain> On Fri, 2009-06-19 at 21:51 +0200, Tebano epaminonda wrote: > Hi all. > I'm reading about the roadmap of the new release of FreeIPA and all the > interesting features it integrates. > Does anyone have updates on the new release date? > Thanks to all. Tebano, I'm sorry we do not have updated release dates. We are obviously late on the schedule and are working head down to complete some fundamental bits before trying to do a release. I can't commit on any date yet, but I think we will almost certainly not see anything before fall. I know it's not much but I hope this helps, Simo. -- Simo Sorce * Red Hat, Inc * New York From robert at marcanoonline.com Tue Jun 23 01:25:20 2009 From: robert at marcanoonline.com (Robert Marcano) Date: Mon, 22 Jun 2009 20:55:20 -0430 Subject: [Freeipa-users] Cannot contact any KDC for requested realm changing password Message-ID: This weekend one of our IPA servers was moved from one subnet to a new one; all IPs, gateways and DNS references (including SRV records and reverse records) were changed. 
Since that change we have had this problem: it is not possible for any user to change their password using kpasswd (or using kinit for an expired password); the error message is "Cannot contact any KDC for requested realm changing password", while everyone can kinit without problems. [root at ipaserver ~]# kpasswd Password for user at MYDOMAIN.COM: Enter new password: Enter it again: kpasswd: Cannot contact any KDC for requested realm changing password /var/log/krb5kdc.log says (values altered to protect the innocent): Jun 22 16:47:31 ipaserver.MYDOMAIN.COM krb5kdc[3551](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.x.y: NEEDED_PREAUTH: user at MYDOMAIN.COM for kadmin/changepw at MYDOMAIN.COM, Additional pre-authentication required Jun 22 16:47:31 ipaserver.MYDOMAIN.COM krb5kdc[3551](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.x.y: NEEDED_PREAUTH: user at MYDOMAIN.COM for kadmin/changepw at MYDOMAIN.COM, Additional pre-authentication required Jun 22 16:47:31 ipaserver.MYDOMAIN.COM krb5kdc[3551](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.x.y: ISSUE: authtime 1245705451, etypes {rep=18 tkt=18 ses=18}, user at MYDOMAIN.COM for kadmin/changepw at MYDOMAIN.COM Jun 22 16:47:31 ipaserver.MYDOMAIN.COM krb5kdc[3551](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.x.y: ISSUE: authtime 1245705451, etypes {rep=18 tkt=18 ses=18}, user at MYDOMAIN.COM for kadmin/changepw at MYDOMAIN.COM In order to rule out a firewall problem, we disabled it and tested kpasswd on the same IPA server. We are running with SELinux permissive to test whether it is SELinux related. DNS SRV records are being resolved on the IPA server. Running FreeIPA 1.2. This problem looks more Kerberos related than a FreeIPA problem, but I am running out of ideas about the probable reason. 
Any help is really appreciated -- Robert Marcano From ntathu at tma.com.vn Tue Jun 23 03:49:20 2009 From: ntathu at tma.com.vn (Thu Nguyen) Date: Tue, 23 Jun 2009 10:49:20 +0700 Subject: [Freeipa-users] Migrate data from OpenLdap to FreeIPA Message-ID: <019a01c9f3b5$9754b170$c5fe1450$@com.vn> Dear all, I have been using OpenLDAP for our system, which is used to authenticate all web services (bugzilla, svn, ...) and the mail service (dovecot). Now I would like to replace it with FreeIPA. Could you please explain (step-by-step if possible) how to migrate all data/structures from OpenLDAP to FreeIPA? Thanks for your help! Regards, Thu NGUYEN. -------------- next part -------------- An HTML attachment was scrubbed... URL: From soporte.informatico at enforex.es Tue Jun 23 05:46:14 2009 From: soporte.informatico at enforex.es (Ismael Puerto) Date: Tue, 23 Jun 2009 07:46:14 +0200 Subject: [Freeipa-users] Cannot contact any KDC for requested realm changing password In-Reply-To: References: Message-ID: Restart the service ipa-kpasswd Ismael Puerto On 23/06/2009, at 03:25, Robert Marcano wrote: > This weekend one of our IPA servers was moved from one subnet to > a new one; all IPs, gateways and DNS references (including SRV records > and reverse records) were changed. 
Since that change we have had this > problem: it is not possible for any user to change their password using > kpasswd (or using kinit for an expired password); the error message is > "Cannot contact any KDC for requested realm changing password", while > everyone can kinit without problems. > > [root at ipaserver ~]# kpasswd > Password for user at MYDOMAIN.COM: > Enter new password: > Enter it again: > kpasswd: Cannot contact any KDC for requested realm changing password > > /var/log/krb5kdc.log says (values altered to protect the innocent): > > Jun 22 16:47:31 ipaserver.MYDOMAIN.COM krb5kdc[3551](info): AS_REQ (7 > etypes {18 17 16 23 1 3 2}) 192.168.x.y: NEEDED_PREAUTH: > user at MYDOMAIN.COM for kadmin/changepw at MYDOMAIN.COM, Additional > pre-authentication required > Jun 22 16:47:31 ipaserver.MYDOMAIN.COM krb5kdc[3551](info): AS_REQ (7 > etypes {18 17 16 23 1 3 2}) 192.168.x.y: NEEDED_PREAUTH: > user at MYDOMAIN.COM for kadmin/changepw at MYDOMAIN.COM, Additional > pre-authentication required > Jun 22 16:47:31 ipaserver.MYDOMAIN.COM krb5kdc[3551](info): AS_REQ (7 > etypes {18 17 16 23 1 3 2}) 192.168.x.y: ISSUE: authtime 1245705451, > etypes {rep=18 tkt=18 ses=18}, user at MYDOMAIN.COM for > kadmin/changepw at MYDOMAIN.COM > Jun 22 16:47:31 ipaserver.MYDOMAIN.COM krb5kdc[3551](info): AS_REQ (7 > etypes {18 17 16 23 1 3 2}) 192.168.x.y: ISSUE: authtime 1245705451, > etypes {rep=18 tkt=18 ses=18}, user at MYDOMAIN.COM for > kadmin/changepw at MYDOMAIN.COM > > In order to rule out a firewall problem, we disabled it and > tested kpasswd on the same IPA server. We are running with SELinux > permissive to test whether it is SELinux related. DNS SRV records > are being resolved on the IPA server. Running FreeIPA 1.2. > > This problem looks more Kerberos related than a FreeIPA problem, but > I am running out of ideas about the probable reason. 
> > Any help is really appreciated > > -- > Robert Marcano > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users ________________________________________________________________________________ PRIVILEGED AND CONFIDENTIAL This message is intended exclusively for the person to whom it is addressed and contains privileged and confidential information protected from disclosure by law. If you are not the addressee indicated in this message, you should immediately delete it and any attachments and notify the sender by reply e-mail or by phone (+ 34) 915 943 776. 
In such case, you are hereby notified that any dissemination, distribution, copying or use of this message or any attachments, for any purpose, is strictly prohibited by law. We hereby inform you, as addressee of this message, that e-mail and Internet do not guarantee the confidentiality, nor the completeness or proper reception of the messages sent and, thus, the sender does not assume any liability for those circumstances. Should you not agree to the use of e-mail or to communications via Internet, you are kindly requested to notify us immediately. From djscott at mit.edu Tue Jun 23 15:49:24 2009 From: djscott at mit.edu (Daniel Scott) Date: Tue, 23 Jun 2009 11:49:24 -0400 Subject: [Freeipa-users] User keytab file In-Reply-To: <6835906b0905270955s4371afc2u5c642cbc4793d386@mail.gmail.com> References: <6835906b0905120907t55aed0edw5307be23a62c8ed5@mail.gmail.com> <1780619740.69041242188164606.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> <6835906b0905270955s4371afc2u5c642cbc4793d386@mail.gmail.com> Message-ID: <6835906b0906230849v156c07f8v8f279e57c323ae6f@mail.gmail.com> 2009/5/27 Daniel Scott > Hi, > > 2009/5/13 Simo Sorce : > >> I have a FreeIPA server configured and working. I'm now trying to > >> automate a few processes and have a question regarding user keytabs. > >> I'm looking to enable passwordless authentication/login for a > >> particular user. > >> > >> I have followed the instructions found here: > >> http://kb.iu.edu/data/aumh.html > >> > >> >From the above page, it appears that I can do this using a user > >> keytab. I have created a user named 'backup' and given it a good, > >> long > >> password. 
I then created a user keytab file using the following > >> command: > >> > >> # ktutil > >> ktutil: addent -password -p backup -k 1 -e des-cbc-crc > >> ktutil: addent -password -p backup -k 2 -e des3-cbc-sha1 > >> ktutil: wkt /etc/backup.keytab > >> > >> I can display the contents of this keytab and it appears to have been > >> created successfully. Then, I should be able to authenticate using > >> the > >> following command, correct? > >> > >> # kinit backup -k -t /etc/backup.keytab > >> kinit(v5): Key table entry not found while getting initial > >> credentials > >> > >> The server logs show the following: > >> > >> May 12 11:54:34 example.com krb5kdc[12175](info): AS_REQ (7 etypes > >> {18 > >> 17 16 23 1 3 2}) 192.168.1.50: NEEDED_PREAUTH: backup at EXAMPLE.COM for > >> krbtgt/EXAMPLE.COM at EXAMPLE.COM, Additional pre-authentication > >> required > > > > This is fine, I need the next line in the log to see what's the problem. > > If you don't have a next line, then something is definitely "Wrong" > > > >> I have tried numerous combinations of the username in the kinit > >> command, but I cannot obtain a ticket. Does anyone have any > >> suggestions? Am I approaching this in the wrong way? Am I using the > >> wrong hashing algorithm? > >> > >> A little more background information: > >> 1. The backup.keytab has permissions 600 and is owned by backup. > >> 2. I have also tried this as root. > > > > I don't have enough information to be sure (logs) but one of your > problems > may be that you came up with arbitrary (as in made up) kvno numbers. > > (the -k option to addent in ktutil). > > Does anyone have any more suggestions for this? I've tried explicitly > stating the kvno, but no luck. It just seems like the keytab file is > not being recognised correctly. I still get the log message above, but > the error message on the command line looks like the kinit command > isn't even hitting the server - the error seems to be with the keytab > file. 
> > Am I even approaching this in the correct way? All my searching on the > web seems to find information related to service principals rather > than user principals. There are another couple of sites which mention > principals such as username/admin at EXAMPLE.COM which I'm unsure about. > > It's very strange that I can extract the keytab entry for a principal, > but then am told that the entry does not exist. Has anyone seen this > before? Hi, This problem still occurs. I've worked around it by using the standard fedora user authorization/authentication, but it's not really the best way to go about it. I'm still not sure if I'm even going about this the right way. Is there actually such a thing as a 'user principal'. There must be a way for an automated process to obtain a kerberos ticket. Maybe I'm going about this the wrong way? Any suggestions would be greatly appreciated. Does anyone have this or something similar working? Thanks, Dan ------------------------------- http://danieljamesscott.org -------------- next part -------------- An HTML attachment was scrubbed... URL: From robert at marcanoonline.com Tue Jun 23 15:58:13 2009 From: robert at marcanoonline.com (Robert Marcano) Date: Tue, 23 Jun 2009 11:28:13 -0430 Subject: [Freeipa-users] Re: Cannot contact any KDC for requested realm changing password In-Reply-To: References: Message-ID: On Mon, Jun 22, 2009 at 8:55 PM, Robert Marcano wrote: > This weekend one of our ipa servers was moved from one subnet to > another new, all IPs, gateways, DNS references (including SRV records > and reverse records) were changed. Since that change We have this > problem, It is not possible for any user to change the password using > kpasswd (or using kinit for an expired password), the error message is > "Cannot contact any KDC for requested realm changing password", > everyone can kinit without problems, > strace tells me that it is contacting the right server (connect API), so it is not name resolving related. 
This problem has the same behavior as fixed bug 446210 https://bugzilla.redhat.com/show_bug.cgi?id=446210#c23 The fix was to build against openldap, but that was for 1.1.x versions; 1.2.x is not built against openldap but against mozldap. It is weird that this problem is triggered after a subnet change while DNS resolution is working fine -- Robert Marcano From pronix.service at gmail.com Thu Jun 25 15:26:31 2009 From: pronix.service at gmail.com (dima vasiletc) Date: Thu, 25 Jun 2009 19:26:31 +0400 Subject: [Freeipa-users] i can't configure browser Message-ID: <4A439727.6020502@gmail.com> Hello, I read the manual about configuring Firefox for FreeIPA. I added the cert and configured about:config, but every time I get "Kerberos Authentication Failed" and a description of how to configure Firefox. How do I find my mistake? From davido at redhat.com Thu Jun 25 21:03:04 2009 From: davido at redhat.com (David O'Brien) Date: Fri, 26 Jun 2009 07:03:04 +1000 Subject: [Freeipa-users] i can't configure browser In-Reply-To: <4A439727.6020502@gmail.com> References: <4A439727.6020502@gmail.com> Message-ID: <4A43E608.3080706@redhat.com> dima vasiletc wrote: > Hello, > I read the manual about configuring Firefox for FreeIPA. > I added the cert and configured about:config, > but every time I get "Kerberos Authentication Failed" and a description > of how to configure Firefox. > > How do I find my mistake? > > Dima, Have you been through the Troubleshooting section in the Installation and Deployment Guide? What operating system are you using? Are you configuring the browser on the IPA server or a client? thanks -- David O'Brien IPA Content Author Red Hat Asia Pacific +61 7 3514 8189 http://freeipa.org/page/DocumentationPortal http://git.fedorahosted.org/page/DocumentationPortal http://git.fedorahosted.org/git/ipadocs.git "The most valuable of all talents is that of never using two words when one will do." 
Thomas Jefferson From rcritten at redhat.com Mon Jun 29 17:58:12 2009 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 29 Jun 2009 13:58:12 -0400 Subject: [Freeipa-users] Migrate data from OpenLdap to FreeIPA In-Reply-To: <019a01c9f3b5$9754b170$c5fe1450$@com.vn> References: <019a01c9f3b5$9754b170$c5fe1450$@com.vn> Message-ID: <4A4900B4.3070005@redhat.com> Thu Nguyen wrote: > Dear all, > > > > I did use OpenLDAP for our system which used to authenticate all web > services (bugzilla, svn,..) and mail service (dovecot) . Now I would > like to replace it by FreeIPA. Would you please instruct (step-by-step > if possible) how to migrate all data/structures from OpenLDAP to FreeIPA? > We don't currently have instructions on how to do this. Basically what you need to do is: - install freeIPA - get an ldif dump of your OpenLDAP server - remove any unneeded structural and configuration options from the ldif - convert this ldif to the IPA DIT - load the ldif You can see the DIT we use at http://freeipa.org/page/UsingRhdsWithIpa When converting to our DIT you'll also need to ensure that the user entries are set up properly. This means having: - the krbprincipalname attribute set to @ - update the objectclass list - set gidnumber to the ipausers group You'll end up with a bunch of users that will work with simple auth but don't have kerberos keys yet so kinit will fail. You'll need to create some mechanism where they authenticate using their user password in order to get kerberos keys. And of course, do this on a test system first to make sure I haven't missed something :-) rob -------------- next part -------------- A non-text attachment was scrubbed... 
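Rob's checklist above, worked through as an added example (this is my code, not IPA code and not a supported migration tool). It takes an OpenLDAP LDIF dump, keeps only the posixAccount entries, strips OpenLDAP's operational attributes (slapcat emits structuralObjectClass, entryCSN and friends, which a fresh server must not be fed), re-homes each user under cn=users,cn=accounts,<base>, adds krbPrincipalName as uid@REALM, merges in the IPA user objectclasses and points gidNumber at the ipausers group. The container DN, the objectclass list, the ipausers gidNumber and the sample LDIF are assumptions or constructed data: take the real objectclass list from your own server (in v1 I believe it is the ipaUserObjectClasses attribute of cn=ipaConfig,cn=etc) and the gidNumber from the ipausers group entry.

```python
"""Convert OpenLDAP posixAccount users to FreeIPA-style entries.

Added example, not FreeIPA code. Assumptions (check against your server):
  - users live under cn=users,cn=accounts,<base dn>
  - IPA_USER_OBJECTCLASSES is the server's user objectclass list
  - the ipausers gidNumber is passed in by the caller
"""
import base64

IPA_USER_OBJECTCLASSES = ["top", "person", "organizationalPerson", "inetOrgPerson",
                          "inetUser", "posixAccount", "krbPrincipalAux"]  # assumption
# OpenLDAP operational attributes that slapcat writes out and must not be loaded.
OPERATIONAL = {"structuralobjectclass", "entryuuid", "entrycsn", "creatorsname",
               "createtimestamp", "modifiersname", "modifytimestamp"}

# Constructed sample dump (not real data); userPassword is base64 as slapcat writes it.
SAMPLE_LDIF = """\
dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
ou: people

dn: uid=alice,ou=people,dc=example,dc=com
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
uid: alice
cn: Alice Liddell
sn: Liddell
uidNumber: 10001
gidNumber: 5000
homeDirectory: /home/alice
loginShell: /bin/bash
userPassword:: e1NTSEF9YWJjZGVm
mail: alice@example.com
structuralObjectClass: inetOrgPerson
entryCSN: 20090623101500.000000Z#000000#000#000000
"""


def parse_ldif(text):
    """Parse LDIF into [(dn, {attr_lowercase: [values]})]: unfolds continuation
    lines and decodes base64 ("::") values (latin-1 keeps the bytes intact)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, dn, attrs = [], None, {}
    for line in lines + [""]:
        if not line.strip():
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        if line.startswith("#"):
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("latin-1")
        else:
            value = rest.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name.lower(), []).append(value)
    return entries


def convert_user(dn, attrs, realm, base_dn, ipausers_gid, user_objectclasses):
    """Rewrite one posixAccount entry into the IPA DIT (attribute names come out
    lowercase; LDAP does not care)."""
    uid = attrs["uid"][0]
    new = {k: list(v) for k, v in attrs.items() if k not in OPERATIONAL}
    present = {oc.lower() for oc in new.get("objectclass", [])}
    new["objectclass"] = new.get("objectclass", []) + [
        oc for oc in user_objectclasses if oc.lower() not in present]
    new["krbprincipalname"] = ["%s@%s" % (uid, realm)]  # no Kerberos keys yet
    new["gidnumber"] = [str(ipausers_gid)]
    return "uid=%s,cn=users,cn=accounts,%s" % (uid, base_dn), new


def migrate(ldif_text, realm, base_dn, ipausers_gid,
            user_objectclasses=IPA_USER_OBJECTCLASSES):
    """Convert every posixAccount in the dump; containers and groups are skipped
    (they need their own mapping)."""
    out = []
    for dn, attrs in parse_ldif(ldif_text):
        ocs = {oc.lower() for oc in attrs.get("objectclass", [])}
        if "posixaccount" in ocs and "uid" in attrs:
            out.append(convert_user(dn, attrs, realm, base_dn, ipausers_gid,
                                    user_objectclasses))
    return out


def to_ldif(entries):
    """Serialise entries back to LDIF, base64-encoding anything not LDIF-safe."""
    lines = []
    for dn, attrs in entries:
        lines.append("dn: " + dn)
        for name, values in attrs.items():
            for v in values:
                safe = v.isascii() and v.isprintable() and not v.startswith((" ", ":", "<"))
                if safe:
                    lines.append("%s: %s" % (name, v))
                else:
                    lines.append("%s:: %s" % (name, base64.b64encode(v.encode("latin-1")).decode()))
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_ldif(migrate(SAMPLE_LDIF, "EXAMPLE.COM", "dc=example,dc=com", 1001)))
```

The output is what you would feed to ldapadd against the IPA directory server. As Rob says, the result is users who can bind with their existing password hash but have no Kerberos keys, so kinit fails until each of them authenticates once through whatever mechanism you build to set the keys; run the whole thing against a test server first.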
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From ssorce at redhat.com Tue Jun 30 13:11:21 2009 From: ssorce at redhat.com (Simo Sorce) Date: Tue, 30 Jun 2009 09:11:21 -0400 Subject: [Freeipa-users] User keytab file In-Reply-To: <6835906b0906230849v156c07f8v8f279e57c323ae6f@mail.gmail.com> References: <6835906b0905120907t55aed0edw5307be23a62c8ed5@mail.gmail.com> <1780619740.69041242188164606.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> <6835906b0905270955s4371afc2u5c642cbc4793d386@mail.gmail.com> <6835906b0906230849v156c07f8v8f279e57c323ae6f@mail.gmail.com> Message-ID: <1246367481.13348.18.camel@localhost.localdomain> On Tue, 2009-06-23 at 11:49 -0400, Daniel Scott wrote: > This problem still occurs. I've worked around it by using the standard > fedora user authorization/authentication, but it's not really the best > way to go about it. I'm still not sure if I'm even going about this > the right way. Is there actually such a thing as a 'user principal'. > There must be a way for an automated process to obtain a kerberos > ticket. Maybe I'm going about this the wrong way? The only way to get a kerberos ticket is to have the shared secret at hand, whether that is a password or a keytab makes really no difference, they are equivalent for all purposes. > Any suggestions would be greatly appreciated. Does anyone have this or > something similar working? I am not sure what doesn't work, the message you see in the logs is perfectly normal, we configure the KDC to require pre-authentication, but by default kinit send the classic request first, and only when it gets the preauth required error, sends a preauth request (if necessary after having asked for a password). In short that message is not an error. Simo. 
-- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Tue Jun 30 13:12:14 2009 From: ssorce at redhat.com (Simo Sorce) Date: Tue, 30 Jun 2009 09:12:14 -0400 Subject: [Freeipa-users] Re: Cannot contact any KDC for requested realm changing password In-Reply-To: References: Message-ID: <1246367534.13348.19.camel@localhost.localdomain> On Tue, 2009-06-23 at 11:28 -0430, Robert Marcano wrote: > On Mon, Jun 22, 2009 at 8:55 PM, Robert Marcano wrote: > > This weekend one of our ipa servers was moved from one subnet to > > another new, all IPs, gateways, DNS references (including SRV records > > and reverse records) were changed. Since that change We have this > > problem, It is not possible for any user to change the password using > > kpasswd (or using kinit for an expired password), the error message is > > "Cannot contact any KDC for requested realm changing password", > > everyone can kinit without problems, > > > > strace tells me that it is contacting the right server (connect API), > so it is not name resolving related. This problem has the same > behavior than fixed bug 446210 > https://bugzilla.redhat.com/show_bug.cgi?id=446210#c23 > > The fix was to build against openldap, but that was for 1.1.x > versions, 1.2.x are not build against openldap, but to mozldap. it is > weird this problem is triggered after a subnet change and DNS > resolution is working fine Have you changed the server name by chance ? Simo. 
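When kpasswd fails like this it helps to know exactly which hosts it will try, because the answer does not come from the kdc line that kinit uses. MIT krb5 looks for the password-change server in this order: kpasswd_server in the realm's krb5.conf stanza, otherwise the DNS SRV record _kpasswd._udp.REALM, otherwise admin_server with the port forced to 464, with the _kerberos-adm._tcp SRV record (port again forced to 464) as a further fallback; the relative order of the last two has varied between MIT releases, so treat this as the common shape rather than a specification. The following is an added example of mine, not MIT or IPA code, that reproduces that lookup so you can compare its answer with the connect() target strace shows. The krb5.conf text and the SRV answers are constructed, and the DNS step is a dict lookup standing in for a real query so the block runs offline.

```python
"""Reproduce kpasswd's server lookup so you can see what it will try.

Added example, not MIT or IPA code. Order modelled:
kpasswd_server -> DNS _kpasswd._udp -> admin_server on 464 -> DNS _kerberos-adm._tcp on 464.
dns_srv is a callable standing in for a real SRV query (a dict lookup below)."""
import re

KPASSWD_PORT = 464


def parse_realms(krb5_conf):
    """Return {REALM: {key_lowercase: [values]}} from the [realms] section."""
    realms, section, realm = {}, None, None
    for raw in krb5_conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:
            section, realm = m.group(1).lower(), None
            continue
        if section != "realms":
            continue
        m = re.match(r"(\S+)\s*=\s*\{$", line)
        if m:
            realm = m.group(1)
            realms[realm] = {}
            continue
        if line == "}":
            realm = None
            continue
        if realm is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            realms[realm].setdefault(key.lower(), []).append(value)
    return realms


def _hostport(value, default_port):
    host, _, port = value.partition(":")
    return host, int(port) if port else default_port


def locate_kpasswd(realm, krb5_conf, dns_srv, dns_lookup_kdc=True):
    """Return [(host, port)] in the order kpasswd would try them."""
    cfg = parse_realms(krb5_conf).get(realm, {})
    if cfg.get("kpasswd_server"):
        return [_hostport(v, KPASSWD_PORT) for v in cfg["kpasswd_server"]]
    if dns_lookup_kdc:
        found = dns_srv("_kpasswd._udp." + realm) or []
        if found:
            return list(found)
    if cfg.get("admin_server"):
        # admin_server is the kadmin host (usually :749); kpasswd talks to it on 464
        return [(_hostport(v, KPASSWD_PORT)[0], KPASSWD_PORT) for v in cfg["admin_server"]]
    if dns_lookup_kdc:
        found = dns_srv("_kerberos-adm._tcp." + realm) or []
        return [(host, KPASSWD_PORT) for host, _port in found]
    return []


# Constructed krb5.conf and DNS answers for the sample run (not a real site).
SAMPLE_KRB5_CONF = """\
[libdefaults]
 default_realm = MYDOMAIN.COM

[realms]
 MYDOMAIN.COM = {
  kdc = ipaserver.mydomain.com:88
  admin_server = ipaserver.mydomain.com:749
 }
"""
SAMPLE_SRV = {"_kpasswd._udp.MYDOMAIN.COM": [("ipaserver.mydomain.com", 464)]}

if __name__ == "__main__":
    print(locate_kpasswd("MYDOMAIN.COM", SAMPLE_KRB5_CONF, SAMPLE_SRV.get))
    print(locate_kpasswd("MYDOMAIN.COM", SAMPLE_KRB5_CONF, lambda name: None))
```

Whatever host and port come out, the next check is on that host: the ipa-kpasswd daemon has to be listening on 464 after the re-addressing, which is what the advice to restart it amounts to.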
-- Simo Sorce * Red Hat, Inc * New York From djscott at mit.edu Tue Jun 30 14:17:21 2009 From: djscott at mit.edu (Daniel Scott) Date: Tue, 30 Jun 2009 10:17:21 -0400 Subject: [Freeipa-users] User keytab file In-Reply-To: <1246367481.13348.18.camel@localhost.localdomain> References: <6835906b0905120907t55aed0edw5307be23a62c8ed5@mail.gmail.com> <1780619740.69041242188164606.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> <6835906b0905270955s4371afc2u5c642cbc4793d386@mail.gmail.com> <6835906b0906230849v156c07f8v8f279e57c323ae6f@mail.gmail.com> <1246367481.13348.18.camel@localhost.localdomain> Message-ID: <6835906b0906300717g2f7cdf69s974e63bf9b3e6d62@mail.gmail.com> Hi, Thanks for the reply. 2009/6/30 Simo Sorce : > On Tue, 2009-06-23 at 11:49 -0400, Daniel Scott wrote: >> Any suggestions would be greatly appreciated. Does anyone have this or >> something similar working? > > I am not sure what doesn't work, the message you see in the logs is > perfectly normal, we configure the KDC to require pre-authentication, > but by default kinit send the classic request first, and only when it > gets the preauth required error, sends a preauth request (if necessary > after having asked for a password). In short that message is not an > error. The problem is that I am getting this error on the client: >> # kinit backup -k -t /etc/backup.keytab >> kinit(v5): Key table entry not found while getting initial >> credentials But no 'error' message in the server logs. Only the "NEEDED_PREAUTH" line which we've established isn't an error. For some reason, I can't obtain a ticket for a user principal. I have service principals working correctly, but I can't authenticate as a user without entering a password, which is no good for automated process such as backups. Thanks, Dan
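What kinit -k does with the keytab from the ktutil session above is ask it for a key whose principal (realm included, so the default realm ktutil appended to "backup" has to be the one the KDC serves) and enctype match one of the enctypes the KDC lists in its pre-authentication hint; "Key table entry not found" is that lookup failing, without pinning a kvno. A kvno that does not match the KDC's copy of the key surfaces later, when the reply cannot be decrypted, which is the made-up kvno problem Simo points at. Note also that the etype list in the krb5kdc.log AS_REQ line is what the client offered, not what the KDC holds for the user. The added example below (mine, not MIT or IPA code) parses the MIT keytab file format so the same check can be done offline: it builds a constructed keytab with the two DES entries the ktutil session would write, reads it back, and asks whether a KDC holding only the assumed enctype set would find anything. klist -kte shows the same fields for a real file.

```python
"""Read an MIT keytab (format 0x0502) and check what kinit -k could find.

Added example, not MIT or FreeIPA code. The sample keytab is constructed
in memory; KDC_ENCTYPES is an assumption standing in for the enctypes the
KDC lists in its pre-authentication hint for the principal."""
import struct
from dataclasses import dataclass

ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
                 23: "arcfour-hmac"}


@dataclass
class KeytabEntry:
    principal: str      # e.g. "backup@EXAMPLE.COM"
    kvno: int
    enctype: int
    key: bytes


def _octets(buf, off):
    """Counted octet string: big-endian uint16 length, then the bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def parse_keytab(data):
    """Parse the 0x0502 layout: per entry an int32 size (negative marks a deleted
    slot), uint16 component count, realm, components, uint32 name type, uint32
    timestamp, uint8 kvno, uint16 enctype, counted key, optional uint32 kvno."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:
            off += -size          # skip deleted slot
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _octets(data, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _octets(data, off)
            comps.append(comp.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        etype, klen = struct.unpack_from(">HH", data, off)
        off += 4
        key = data[off:off + klen]
        off += klen
        kvno = vno8
        if end - off >= 4:        # 32-bit kvno present; it wins when non-zero
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                kvno = vno32
        off = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(), kvno, etype, key))
    return entries


def build_keytab(entries):
    """Serialise entries in the same layout (used here to construct the sample)."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", 1, 0, e.kvno & 0xFF)       # KRB5_NT_PRINCIPAL, timestamp 0
        body += struct.pack(">HH", e.enctype, len(e.key)) + e.key
        body += struct.pack(">I", e.kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def usable_entry(entries, principal, kdc_enctypes):
    """The entry kinit -k would select: exact principal and an enctype the KDC
    offers; highest kvno if several. None means "Key table entry not found"."""
    matches = [e for e in entries if e.principal == principal and e.enctype in kdc_enctypes]
    return max(matches, key=lambda e: e.kvno, default=None)


# Constructed: the two entries the ktutil session would write (key bytes are dummies).
SAMPLE_KEYTAB = build_keytab([
    KeytabEntry("backup@EXAMPLE.COM", 1, 1, b"\x01" * 8),     # des-cbc-crc
    KeytabEntry("backup@EXAMPLE.COM", 2, 16, b"\x02" * 24),   # des3-cbc-sha1
])
KDC_ENCTYPES = {18, 17, 23}   # assumption: what the KDC holds for the user

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(e.kvno, e.principal, ENCTYPE_NAMES.get(e.enctype, e.enctype))
    print(usable_entry(parse_keytab(SAMPLE_KEYTAB), "backup@EXAMPLE.COM", KDC_ENCTYPES))
```

Run against a real /etc/backup.keytab (open it in binary mode and pass the bytes to parse_keytab), the two things to compare are the realm in each entry's principal and whether any enctype overlaps with what the KDC reports; if neither is off, the remaining suspect is the kvno, which this lookup deliberately does not check.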