From n.gresham at manchester.ac.uk Thu May 7 11:50:02 2009
From: n.gresham at manchester.ac.uk (Nick Gresham)
Date: Thu, 07 May 2009 12:50:02 +0100
Subject: [Freeipa-users] ipa command line tools failure
In-Reply-To: <49F1C3C6.7040608@redhat.com>
References: <49F1A8EB.8020800@manchester.ac.uk> <49F1C3C6.7040608@redhat.com>
Message-ID: <4A02CAEA.6040207@manchester.ac.uk>

Rob Crittenden wrote:
| Nick Gresham wrote:
|> Hi
|>
|> We've been using freeipa on Centos 5 successfully at our medium-scale
|> research site for several months now.
|>
|> We're currently running freeipa-1.2.1, installed via RPMs built from
|> source.
|>
|> However, after the recent upgrade Centos 5.2 ---> Centos 5.3 the ipa
|> command line utilities are broken, e.g.
|>
|> $ ipa-finduser -v testuser
|> Connecting to IPA server: https://xxx.yyy.ac.uk/ipa/xml
|> Did not receive Kerberos credentials.
|>
|> The web-interface is fine.
|>
|> Has anyone else had this problem? Is there a fix or workaround?
|>
|> Thanks in advance
|>
|> [NG]
|
| See if you have a forwardable ticket:
|
| % klist -f
|
| The flags for your TGT should include F.
|
| Another option is to look in the Apache error log
| (/var/log/httpd/error_log). You may have to set LogLevel debug in
| /etc/httpd/conf/httpd.conf to get more details.
|
| rob

Sorry about the delay in responding, unfortunately the problem persists:

$ klist -f
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin at XXX.YYY.AC.UK

Valid starting     Expires            Service principal
05/07/09 12:11:04  05/08/09 12:11:00  krbtgt/XXX.YYY.AC.UK at XXX.YYY.AC.UK
        Flags: FIA
05/07/09 12:11:08  05/08/09 12:11:00  HTTP/ZZZ.XXX.YYY.ac.uk at XXX.YYY.AC.UK
        Flags: FAT

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

Meanwhile turning up the apache LogLevel to debug and issuing

$ ipa-finduser -v testuser

produces a single entry in the error_log like:

nn.mm.rr.ss - admin at XX.YY.AC.UK [07/May/2009:12:11:16 +0100] "POST /ipa/xml HTTP/1.0" 200 292 -

--and that's all. It's the same story on our Centos 5.3 replica machine.

On the other hand on a Fedora-9 replica machine the same query succeeds and provokes many more entries in the httpd error_log in addition to some TGS_REQs in krb5kdc.log.

I'm still guessing that the problem is due to a careless update on my part, but any pointers to debugging would be very welcome.

Many thanks again in advance,

[NG]

-- 
N.J. Gresham
FLS/IS AIO Systems Administration and Support
University of Manchester
Faculty of Life Sciences
int: 7759349
ext: 0790-989-3684

From djscott at mit.edu Thu May 7 18:59:09 2009
From: djscott at mit.edu (Daniel Scott)
Date: Thu, 7 May 2009 14:59:09 -0400
Subject: [Freeipa-users] Permit non-admin users to add user accounts
Message-ID: <6835906b0905071159p71ccd334n1d7e558698f51cb3@mail.gmail.com>

Hi,

I would like to have the following permission system:

Group: managers (Full admin of users group)
Group: users (Group for general users)

The managers group should have essentially full control of the users group.
I've enabled most functionality through a delegation, but there doesn't appear to be a facility to allow non-admins to add user accounts. I would like the managers group to be able to add users to the system, without the managers being in the admins group. Managers would then be able to add those users to the users group.

Is this possible? I have found no documentation on this. The existing documentation implies that users adding other users are admins, but I cannot give managers admin access. Looking through the documentation that I have found, it seems like I may have to wait until version 2 - can anyone comment on this?

Thanks,

Dan Scott

From rcritten at redhat.com Thu May 7 19:28:55 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 07 May 2009 15:28:55 -0400
Subject: [Freeipa-users] Permit non-admin users to add user accounts
In-Reply-To: <6835906b0905071159p71ccd334n1d7e558698f51cb3@mail.gmail.com>
References: <6835906b0905071159p71ccd334n1d7e558698f51cb3@mail.gmail.com>
Message-ID: <4A033677.40106@redhat.com>

Daniel Scott wrote:
> Hi,
>
> I would like to have the following permission system:
>
> Group: managers (Full admin of users group)
> Group: users (Group for general users)
>
> The managers group should have essentially full control of the users
> group. I've enabled most functionality through a delegation, but there
> doesn't appear to be a facility to allow non-admins to add user
> accounts. I would like the managers group to be able to add users to
> the system, without the managers being in the admins group. Managers
> would then be able to add those users to the users group.
>
> Is this possible? I have found no documentation on this. The existing
> documentation implies that users adding other users are admins, but I
> cannot give managers admin access. Looking through the documentation
> that I have found, it seems like I may have to wait until version 2 -
> can anyone comment on this?
Yes, by default this is not possible to do in v1 and is planned for v2.

It would be pretty hairy to manually do this in v1 but it would be possible. It would involve creating a couple of DS ACIs and creating a group to grant the access to.

Something like this ACI would grant creating IPA users (where $SUFFIX is something like dc=mit,dc=edu):

aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "Add Users";allow (add) groupdn = "ldap:///cn=addusers,cn=groups,cn=accounts,$SUFFIX";)

Then create an addusers group and you can add users/groups to that.

Of course once you open this can of worms things get interesting because then you'll want to delete and modify users, and then groups, and... Well, you can see how it gets hairy fast.

You'll find that this ACI alone isn't enough to actually work with the IPA tools because you also need modify write access on the member attribute of groups and write access on the password attributes of users because of the way we add users. We do it in 3 steps:

1. Create the user entry
2. Add the user to the default IPA users group
3. Set the password

And so it goes.

To get an idea of what we're planning for v2 you can look at
http://git.fedorahosted.org/git/freeipa.git/?p=freeipa.git;a=blob_plain;f=install/updates/40-delegation.update;hb=HEAD

The idea is to create ACIs which grant some permission to a task. This task is in the form of an LDAP group (so we call it a taskgroup). A taskgroup generally but not always maps 1-1 to an ACI. A taskgroup should represent a single operation.

On top of this we have rolegroups. A rolegroup will be something like "Helpdesk". You might assign the task "change password" to the helpdesk rolegroup. Or you could have a "user admin" rolegroup. You might assign the add and update user tasks to that rolegroup (for the sake of argument we don't trust them with deleting users). Rolegroups can be members of other rolegroups and be a member of multiple taskgroups.
As it stands today we probably aren't going to provide any tools to create tasks. You'll be able to create rolegroups to determine who can do what but if we don't provide some specific task you need you'll be back to writing ACIs by hand. The reason being that doing so requires a fairly detailed knowledge of the DIT and the relationships between objects.

rob

From djscott at mit.edu Fri May 8 14:38:36 2009
From: djscott at mit.edu (Daniel Scott)
Date: Fri, 8 May 2009 10:38:36 -0400
Subject: [Freeipa-users] Permit non-admin users to add user accounts
In-Reply-To: <4A033677.40106@redhat.com>
References: <6835906b0905071159p71ccd334n1d7e558698f51cb3@mail.gmail.com> <4A033677.40106@redhat.com>
Message-ID: <6835906b0905080738w58ea2e2bj541a5a9b233f9e0@mail.gmail.com>

Hi,

Wow, that was an amazingly detailed and fast reply, thanks.

2009/5/7 Rob Crittenden :
> Yes, by default this is not possible to do in v1 and is planned for v2.
>
> It would be pretty hairy to manually do this in v1 but it would be possible.
> It would involve creating a couple of DS ACIs and creating a group to grant
> the access to.
>
> Something like this ACI would grant creating IPA users (where $SUFFIX is
> something like dc=mit,dc=edu):
>
> aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version
> 3.0;acl "Add Users";allow (add) groupdn =
> "ldap:///cn=addusers,cn=groups,cn=accounts,$SUFFIX";)
>
> Then create an addusers group and you can add users/groups to that.

I'll look into ACIs a little more - it looks like the one you provided will do fine. If I'm understanding it correctly, that would permit members of the 'addusers' group to add general users? They wouldn't be forced into a particular group?
I guess I would need a rule similar to that which adds all users into the 'ipausers' group to automatically put them into my chosen group.

> Of course once you open this can of worms things get interesting because
> then you'll want to delete and modify users, and then groups, and...

Sure. Thankfully, we don't imagine that deletions will happen very often, so we can get a full admin to do that. I've used the 'delegation' part of the freeipa control panel to create a group which can modify users in another group. This seems to work fine. Are there any problems with this that you know of?

Thanks for the other information related to version 2, very interesting. And thanks again for the detailed reply.

Initially, we think this will be pretty low volume, so full admins can handle a lot of stuff. We just want to be prepared in case the volume increases.

Thanks,

Dan

From rcritten at redhat.com Mon May 11 13:58:13 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 11 May 2009 09:58:13 -0400
Subject: [Freeipa-users] Permit non-admin users to add user accounts
In-Reply-To: <6835906b0905080738w58ea2e2bj541a5a9b233f9e0@mail.gmail.com>
References: <6835906b0905071159p71ccd334n1d7e558698f51cb3@mail.gmail.com> <4A033677.40106@redhat.com> <6835906b0905080738w58ea2e2bj541a5a9b233f9e0@mail.gmail.com>
Message-ID: <4A082EF5.3040808@redhat.com>

Daniel Scott wrote:
> Hi,
>
> Wow, that was an amazingly detailed and fast reply, thanks.
>
> 2009/5/7 Rob Crittenden :
>> Yes, by default this is not possible to do in v1 and is planned for v2.
>>
>> It would be pretty hairy to manually do this in v1 but it would be possible.
>> It would involve creating a couple of DS ACIs and creating a group to grant
>> the access to.
>>
>> Something like this ACI would grant creating IPA users (where $SUFFIX is
>> something like dc=mit,dc=edu):
>>
>> aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version
>> 3.0;acl "Add Users";allow (add) groupdn =
>> "ldap:///cn=addusers,cn=groups,cn=accounts,$SUFFIX";)
>>
>> Then create an addusers group and you can add users/groups to that.
>
> I'll look into ACIs a little more - it looks like the one you provided
> will do fine. If I'm understanding it correctly, that would permit
> members of the 'addusers' group to add general users? They wouldn't be
> forced into a particular group? I guess I would need a rule similar to
> that which adds all users into the 'ipausers' group to automatically
> put them into my chosen group.

Right, members of addusers can create new users. The users they create would be standalone, essentially. The addusers group only grants access to write the user entry, not anything else.

For adding a user to a group automatically you wouldn't do this with an ACI. IPA defines a "default group for users." There is currently only one group though. You'd have to manually add users to other groups now if you want to automatically add some new users to group A and others to group B.

In order to be able to add a user to a group you need to grant write access on the member attribute of the group.

>
>> Of course once you open this can of worms things get interesting because
>> then you'll want to delete and modify users, and then groups, and...
>
> Sure. Thankfully, we don't imagine that deletions will happen very
> often, so we can get a full admin to do that. I've used the
> 'delegation' part of the freeipa control panel to create a group which
> can modify users in another group. This seems to work fine. Are there
> any problems with this that you know of?
>
> Thanks for the other information related to version 2, very
> interesting. And thanks again for the detailed reply.
>
> Initially, we think this will be pretty low volume, so full admins can
> handle a lot of stuff. We just want to be prepared in case the volume
> increases.
>
> Thanks,
>
> Dan

Glad this helped.

rob

From djscott at mit.edu Tue May 12 16:07:50 2009
From: djscott at mit.edu (Daniel Scott)
Date: Tue, 12 May 2009 12:07:50 -0400
Subject: [Freeipa-users] User keytab file
Message-ID: <6835906b0905120907t55aed0edw5307be23a62c8ed5@mail.gmail.com>

Hi,

I have a FreeIPA server configured and working. I'm now trying to automate a few processes and have a question regarding user keytabs. I'm looking to enable passwordless authentication/login for a particular user.

I have followed the instructions found here:
http://kb.iu.edu/data/aumh.html

From the above page, it appears that I can do this using a user keytab. I have created a user named 'backup' and given it a good, long password. I then created a user keytab file using the following command:

# ktutil
ktutil: addent -password -p backup -k 1 -e des-cbc-crc
ktutil: addent -password -p backup -k 2 -e des3-cbc-sha1
ktutil: wkt /etc/backup.keytab

I can display the contents of this keytab and it appears to have been created successfully. Then, I should be able to authenticate using the following command, correct?

# kinit backup -k -t /etc/backup.keytab
kinit(v5): Key table entry not found while getting initial credentials

The server logs show the following:

May 12 11:54:34 example.com krb5kdc[12175](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.50: NEEDED_PREAUTH: backup at EXAMPLE.COM for krbtgt/EXAMPLE.COM at EXAMPLE.COM, Additional pre-authentication required

I have tried numerous combinations of the username in the kinit command, but I cannot obtain a ticket. Does anyone have any suggestions? Am I approaching this in the wrong way?
Am I using the wrong hashing algorithm?

A little more background information:
1. The backup.keytab has permissions 600 and is owned by backup.
2. I have also tried this as root.

Thanks,

Dan Scott

From davido at redhat.com Wed May 13 01:54:49 2009
From: davido at redhat.com (David O'Brien)
Date: Wed, 13 May 2009 11:54:49 +1000
Subject: [Freeipa-users] User keytab file
In-Reply-To: <6835906b0905120907t55aed0edw5307be23a62c8ed5@mail.gmail.com>
References: <6835906b0905120907t55aed0edw5307be23a62c8ed5@mail.gmail.com>
Message-ID: <4A0A2869.2090807@redhat.com>

Daniel Scott wrote:
> Hi,
>
> I have a FreeIPA server configured and working. I'm now trying to
> automate a few processes and have a question regarding user keytabs.
> I'm looking to enable passwordless authentication/login for a
> particular user.
>
> I have followed the instructions found here:
> http://kb.iu.edu/data/aumh.html
>
> From the above page, it appears that I can do this using a user
> keytab. I have created a user named 'backup' and given it a good, long
> password. I then created a user keytab file using the following
> command:
>
> # ktutil
> ktutil: addent -password -p backup -k 1 -e des-cbc-crc
> ktutil: addent -password -p backup -k 2 -e des3-cbc-sha1
> ktutil: wkt /etc/backup.keytab
>
> I can display the contents of this keytab and it appears to have been
> created successfully. Then, I should be able to authenticate using the
> following command, correct?
>
> # kinit backup -k -t /etc/backup.keytab
> kinit(v5): Key table entry not found while getting initial credentials
>
> The server logs show the following:
>
> May 12 11:54:34 example.com krb5kdc[12175](info): AS_REQ (7 etypes {18
> 17 16 23 1 3 2}) 192.168.1.50: NEEDED_PREAUTH: backup at EXAMPLE.COM for
> krbtgt/EXAMPLE.COM at EXAMPLE.COM, Additional pre-authentication required
>
> I have tried numerous combinations of the username in the kinit
> command, but I cannot obtain a ticket. Does anyone have any
> suggestions?
> Am I approaching this in the wrong way? Am I using the
> wrong hashing algorithm?
>
> A little more background information:
> 1. The backup.keytab has permissions 600 and is owned by backup.
> 2. I have also tried this as root.
>
> Thanks,
>
> Dan Scott
>

You don't mention what OSes you're using, so I can only make a suggestion here:

It looks like you're using Kerberos' native tools, which are not supported in IPA. Have a look at (in particular) section 1.2 in the Administration Reference on the freeipa.org site.
http://freeipa.org/docs/1.2/Administrators_Reference/en-US/html/index.html

Are you actually using EXAMPLE.COM as your realm name? That's what the Kerberos config file (/etc/krb5.conf) uses by default, so you'll need to change it to whatever your real realm name is.

hth
David

-- 
David O'Brien
IPA Content Author
Red Hat Asia Pacific
+61 7 3514 8189

"The most valuable of all talents is that of never using two words when one will do."
Thomas Jefferson

From davido at redhat.com Wed May 13 03:35:30 2009
From: davido at redhat.com (David O'Brien)
Date: Wed, 13 May 2009 13:35:30 +1000
Subject: [Freeipa-users] User keytab file
In-Reply-To: <6835906b0905122003p3db8f94bmc99a8f2d4b74ffd0@mail.gmail.com>
References: <6835906b0905120907t55aed0edw5307be23a62c8ed5@mail.gmail.com> <4A0A2869.2090807@redhat.com> <6835906b0905122003p3db8f94bmc99a8f2d4b74ffd0@mail.gmail.com>
Message-ID: <4A0A4002.4090705@redhat.com>

Daniel Scott wrote:
> Hi,
>
> Thanks for the comments.
>
> 2009/5/12 David O'Brien :
>
>> You don't mention what OSes you're using, so I can only make a suggestion
>> here:
>>
>
> Sorry for not mentioning the OS, both client and server are Fedora 10.
>
>
>> It looks like you're using Kerberos' native tools, which are not supported
>> in IPA.
>> Have a look at (in particular) section 1.2 in the Administration
>> Reference on the freeipa.org site.
>> http://freeipa.org/docs/1.2/Administrators_Reference/en-US/html/index.html
>>
>
> The native kerberos tools are not supported? The manual states that I
> should use kinit and klist here:
>
> http://freeipa.org/docs/1.2/Installation_Deployment_Guide/en-US/html/sect-Installation_and_Deployment_Guide-Setting_up_the_IPA_Server-Configuring_the_IPA_Server.html#sect-Installation_and_Deployment_Guide-Configuring_the_IPA_Server-Testing_the_Configuration
>
> Are there some undocumented ipa* tools for obtaining and listing
> kerberos tickets? I see the manual makes no mention of ktutil - is it
> just this tool which is unsupported? In any case, surely it doesn't
> really matter how I obtain the ticket?
>
> Thanks for the link, I have read through it. I should confirm that I
> have the service principals working correctly. host/ services for
> passwordless SSH and HTTP/ services for apache authentication.
>
> The problem is that I'm trying to add a 'service' principal for a user
> (which I understand is a 'user principal'. Maybe my terminology is
> wrong, please correct me if so), to enable passwordless
> authentication. Maybe I'm not being clear. I'm trying to obtain a
> service principal (which, if I understand correctly, permits a server
> to authenticate without a password, like an SSH keypair?) but for a
> particular user, rather than a service.
>
> The situation that I'm trying to solve: I have NFS shares
> authenticated through kerberos. I want to backup some of these files
> using a user 'backup' which is performed through a cronjob. When the
> cronjob is executed, there is no guarantee that the backup user will
> have a valid ticket and so I need a way to obtain a ticket without a
> password. Which I believe I can do through user principals.
>
> If I run, for example:
>
> # ipa-addservice backup at EXAMPLE.COM
> The requested service principal is not of the form:
> service/fully-qualified host name
>
> So it appears that the ipa-addservice tool does not support the
> addition of user principals. The manpage implies this as it states
> that a FQDN must be given. I could force this to enable creation of a
> user principal service, but I'm not sure that is correct.
>
>
>> Are you actually using EXAMPLE.COM as your realm name? That's what the
>> Kerberos config file (/etc/krb5.conf) uses by default, so you'll need to
>> change it to whatever your real realm name is.
>>
>
> Nope :). I replaced my real realm name with example.com for anonymity.
> The realm is configured properly and working correctly.
>
> Thanks,
>
> Dan
>

CC'ing the list for better coverage.

Using kinit and klist is not a problem. I just wanted to make sure you weren't using kadmin.local, etc. I'm no whizz at this, which is why I'm only offering suggestions. Expect some more useful answers once the USA hits daylight :)

wrt the use of ktutil, have a look at the Client Configuration Guide, and especially Configuring NFS v4 with Kerberos, which talks about adding services, getting the keytab onto the client, etc. There's a whole section devoted to Fedora (written for f9 but should be fine for f10).

cheers
David

-- 
David O'Brien
IPA Content Author
Red Hat Asia Pacific
+61 7 3514 8189

"The most valuable of all talents is that of never using two words when one will do."
Thomas Jefferson

From ssorce at redhat.com Wed May 13 04:16:04 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 13 May 2009 00:16:04 -0400 (EDT)
Subject: [Freeipa-users] User keytab file
In-Reply-To: <6835906b0905120907t55aed0edw5307be23a62c8ed5@mail.gmail.com>
Message-ID: <1780619740.69041242188164606.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>

----- "Daniel Scott" wrote:

> Hi,
>
> I have a FreeIPA server configured and working.
> I'm now trying to
> automate a few processes and have a question regarding user keytabs.
> I'm looking to enable passwordless authentication/login for a
> particular user.
>
> I have followed the instructions found here:
> http://kb.iu.edu/data/aumh.html
>
> From the above page, it appears that I can do this using a user
> keytab. I have created a user named 'backup' and given it a good,
> long
> password. I then created a user keytab file using the following
> command:
>
> # ktutil
> ktutil: addent -password -p backup -k 1 -e des-cbc-crc
> ktutil: addent -password -p backup -k 2 -e des3-cbc-sha1
> ktutil: wkt /etc/backup.keytab
>
> I can display the contents of this keytab and it appears to have been
> created successfully. Then, I should be able to authenticate using
> the
> following command, correct?
>
> # kinit backup -k -t /etc/backup.keytab
> kinit(v5): Key table entry not found while getting initial
> credentials
>
> The server logs show the following:
>
> May 12 11:54:34 example.com krb5kdc[12175](info): AS_REQ (7 etypes
> {18
> 17 16 23 1 3 2}) 192.168.1.50: NEEDED_PREAUTH: backup at EXAMPLE.COM for
> krbtgt/EXAMPLE.COM at EXAMPLE.COM, Additional pre-authentication
> required

This is fine, I need the next line in the log to see what's the problem. If you don't have a next line, then something is definitely "Wrong"

> I have tried numerous combinations of the username in the kinit
> command, but I cannot obtain a ticket. Does anyone have any
> suggestions? Am I approaching this in the wrong way? Am I using the
> wrong hashing algorithm?
>
> A little more background information:
> 1. The backup.keytab has permissions 600 and is owned by backup.
> 2. I have also tried this as root.

I don't have enough information to be sure (logs) but one of your problems may be that you came up with arbitrary (as in made up) kvno numbers. (the -k option to addent in ktutil).

Simo.
P.s: You may also want to use better encryption algorithms (like arcfour or aes, rather than des).

From djscott at mit.edu Wed May 13 13:37:35 2009
From: djscott at mit.edu (Daniel Scott)
Date: Wed, 13 May 2009 09:37:35 -0400
Subject: [Freeipa-users] User keytab file
In-Reply-To: <4A0A4002.4090705@redhat.com>
References: <6835906b0905120907t55aed0edw5307be23a62c8ed5@mail.gmail.com> <4A0A2869.2090807@redhat.com> <6835906b0905122003p3db8f94bmc99a8f2d4b74ffd0@mail.gmail.com> <4A0A4002.4090705@redhat.com>
Message-ID: <6835906b0905130637jba7a3ddx80267e664d278a8d@mail.gmail.com>

Hi,

2009/5/12 David O'Brien :
> Using kinit and klist is not a problem. I just wanted to make sure you
> weren't using kadmin.local, etc. I'm no whizz at this, which is why I'm only
> offering suggestions. Expect some more useful answers once the USA hits
> daylight :)

Nope, not touched kadmin.local. Thanks for the help so far.

> wrt the use of ktutil, have a look at the Client Configuration Guide, and
> especially Configuring NFS v4 with Kerberos, which talks about adding
> services, getting the keytab onto the client, etc. There's a whole section
> devoted to Fedora (written for f9 but should be fine for f10).

Thanks for the pointer - I'd already read that when I configured NFS - that part's all working. Authentication from a 'manual' session is no problem. I can just type in the password for the backup user. The problem is with automated authentication, I need to get a ticket without a password. The Kerberos equivalent of an SSH keypair.

Thanks,

Dan

From mr.vandeley at gmail.com Wed May 13 19:53:05 2009
From: mr.vandeley at gmail.com (Mr Vandeley)
Date: Wed, 13 May 2009 16:53:05 -0300
Subject: [Freeipa-users] How to access to the FDS console?
Message-ID: <87fa72960905131253l79105f44u44c9e7925c2d6b2f@mail.gmail.com>

Hi,
I'm trying to access the fedora-idm-console so I can play around the directory schema a bit.
I am following these instructions [1] but all I get is:

[root at ipa ~]# /root/setup-admin.pl --file=setup-register-admin.inf
: No such file or directory

How can I debug this?
Is there any other way to access the directory server console?

Best regards,

[1] http://markmail.org/message/53jife2vp5sc4hdv

From rcritten at redhat.com Wed May 13 19:57:43 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 13 May 2009 15:57:43 -0400
Subject: [Freeipa-users] How to access to the FDS console?
In-Reply-To: <87fa72960905131253l79105f44u44c9e7925c2d6b2f@mail.gmail.com>
References: <87fa72960905131253l79105f44u44c9e7925c2d6b2f@mail.gmail.com>
Message-ID: <4A0B2637.3010807@redhat.com>

Mr Vandeley wrote:
> Hi,
> I'm trying to access the fedora-idm-console so I can play around
> the directory schema a bit.
> I am following these instructions [1] but all I get is:
>
> [root at ipa ~]# /root/setup-admin.pl --file=setup-register-admin.inf
> : No such file or directory
>
> How can I debug this?
> Is there any other way to access the directory server console?
>
> Best regards,
>
> [1] http://markmail.org/message/53jife2vp5sc4hdv

Did you create setup-register-admin.inf as directed? If it isn't in the cwd you'll probably need to include a full path to the file.

rob

From mr.vandeley at gmail.com Thu May 14 14:57:16 2009
From: mr.vandeley at gmail.com (Mr Vandeley)
Date: Thu, 14 May 2009 11:57:16 -0300
Subject: [Freeipa-users] How to access to the FDS console?
In-Reply-To: <4A0B2637.3010807@redhat.com>
References: <87fa72960905131253l79105f44u44c9e7925c2d6b2f@mail.gmail.com> <4A0B2637.3010807@redhat.com>
Message-ID: <87fa72960905140757t85433bfk1ebc5789bb8e31a1@mail.gmail.com>

On Wed, May 13, 2009 at 4:57 PM, Rob Crittenden wrote:
> Mr Vandeley wrote:
>>
>> Hi,
>> I'm trying to access the fedora-idm-console so I can play around
>> the directory schema a bit.
>> I am following these instructions [1] but all I get is:
>>
>> [root at ipa ~]# /root/setup-admin.pl --file=setup-register-admin.inf
>> : No such file or directory
>>
>> How can I debug this?
>> Is there any other way to access the directory server console?
>>
>> Best regards,
>>
>> [1] http://markmail.org/message/53jife2vp5sc4hdv
>
> Did you create setup-register-admin.inf as directed? If it isn't in the cwd
> you'll probably need to include a full path to the file.
>
> rob
>

Thanks Rob, and yes, I've created that file and tried with the full path:

[root at ipa ~]# ls setup-*
setup-admin.pl  setup-register-admin.inf
[root at ipa ~]# /root/setup-admin.pl --file=/root/setup-register-admin.inf

Also I tried running setup-ds-admin.pl. But I get an error:

[root at ipa ~]# setup-ds-admin.pl --file=/root/setup-register-admin.inf
[...]
Would you like to continue with set up? [yes]:
[...]
Do you agree to the license terms? [no]: y
[...]
Choose a setup type [2]:
[...]
Computer name [ipa.sic.net]:
[...]
System User [dirsrv]:
System Group [dirsrv]:
[...]
Do you want to register this software with an existing
configuration directory server? [no]: y
[...]
Configuration directory server URL [ldap://ipa.sic.net:389/o=NetscapeRoot]:
Configuration directory server admin ID [admin]:
Configuration directory server admin password:
Configuration directory server admin domain [sic.net]:
Could not find the user 'admin' in the server 'ldap://ipa.sic.net:389/o=NetscapeRoot'.
Error: No such object
Please try again, in case you mis-typed something.
[...]

Are there any errors in my setup?
From randall.h.wood at alexandriasoftware.com Sat May 16 17:44:06 2009
From: randall.h.wood at alexandriasoftware.com (Randall Wood)
Date: Sat, 16 May 2009 13:44:06 -0400
Subject: [Freeipa-users] Username too long error
Message-ID: <2F63E0EE-E945-49D3-BB29-70BC1A941740@alexandriasoftware.com>

I need to be able to use firstname.lastname style usernames, and know that FDS/389 can handle them, but ipa-useradd is throwing username too long errors. How can I fix this?

From randall.h.wood at alexandriasoftware.com Sun May 17 10:43:18 2009
From: randall.h.wood at alexandriasoftware.com (Randall Wood)
Date: Sun, 17 May 2009 06:43:18 -0400
Subject: [Freeipa-users] Re: Username too long error
References: <6EE2A8ED-4130-4B71-9200-1C7A27DBDE1A@mac.com>
Message-ID: <1C24A964-3899-47E4-922C-286E53A6263F@alexandriasoftware.com>

I figured out once I started a web browser as root...

I'm still surprised at the default setting of 8 character user names (I thought we were long past the days of Solaris 8/NIS dictating username settings).

On 16 May 2009, at 13:44, Randall Wood wrote:

> I need to be able to use firstname.lastname style usernames, and
> know that FDS/389 can handle them, but ipa-useradd is throwing
> username too long errors. How can I fix this?
>

From rcritten at redhat.com Mon May 18 14:05:44 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 18 May 2009 10:05:44 -0400
Subject: [Freeipa-users] Re: Username too long error
In-Reply-To: <1C24A964-3899-47E4-922C-286E53A6263F@alexandriasoftware.com>
References: <6EE2A8ED-4130-4B71-9200-1C7A27DBDE1A@mac.com> <1C24A964-3899-47E4-922C-286E53A6263F@alexandriasoftware.com>
Message-ID: <4A116B38.9040706@redhat.com>

Randall Wood wrote:
> I figured out once I started a web browser as root...

Not sure how that helped...

> I'm still surprised at the default setting of 8 character user names (I
> thought we were long past the days of Solaris 8/NIS dictating username
> settings).
Yes, we start with the lowest-common-denominator because we wanted to support clients as far back as Solaris 6.

There is one setting to increase this, though there is still a cap of 32 (though the UI won't tell you this, a bug is already filed).

rob

>
> On 16 May 2009, at 13:44, Randall Wood wrote:
>
>> I need to be able to use firstname.lastname style usernames, and know
>> that FDS/389 can handle them, but ipa-useradd is throwing username too
>> long errors. How can I fix this?
>>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

From davido at redhat.com Mon May 18 22:16:11 2009
From: davido at redhat.com (David O'Brien)
Date: Tue, 19 May 2009 08:16:11 +1000
Subject: [Freeipa-users] freeIPA documentation now available as PDF files
Message-ID: <4A11DE2B.6030305@redhat.com>

All of the freeIPA v1.2.1 documentation is now available as PDF files. The PDF and HTML versions can be found on the freeIPA Documentation Portal at the following address:

http://freeipa.org/page/Documentation

Comments and suggestions are always welcome.

cheers,
David

--
David O'Brien
IPA Content Author
Red Hat Asia Pacific
+61 7 3514 8189
"The most valuable of all talents is that of never using two words when one will do."
Thomas Jefferson

From randall.h.wood at alexandriasoftware.com Wed May 20 08:39:36 2009
From: randall.h.wood at alexandriasoftware.com (Randall Wood)
Date: Wed, 20 May 2009 04:39:36 -0400
Subject: [Freeipa-users] Re: Username too long error
In-Reply-To: <4A116B38.9040706@redhat.com>
References: <6EE2A8ED-4130-4B71-9200-1C7A27DBDE1A@mac.com> <1C24A964-3899-47E4-922C-286E53A6263F@alexandriasoftware.com> <4A116B38.9040706@redhat.com>
Message-ID:

On Mon, May 18, 2009 at 10:05 AM, Rob Crittenden wrote:
> Randall Wood wrote:
>>
>> I figured out once I started a web browser as root...
>
> Not sure how that helped...

It helped merely because while installing/configuring IPA as root, I had run "kinit admin" which got the Kerberos ticket for Firefox into the root account....

>
>> I'm still surprised at the default setting of 8 character user names (I
>> thought we were long past the days of Solaris 8/NIS dictating username
>> settings).
>
> Yes, we start with the lowest-common-denominator because we wanted to
> support clients as far back as Solaris 6.
>
> There is one setting to increase this, though there is still a cap of 32
> (though the UI won't tell you this, a bug is already filed).
>
> rob
>
>>
>> On 16 May 2009, at 13:44, Randall Wood wrote:
>>
>>> I need to be able to use firstname.lastname style usernames, and know
>>> that FDS/389 can handle them, but ipa-useradd is throwing username too long
>>> errors. How can I fix this?
>>>
>>
>

--
Randall Wood
randall.h.wood at alexandriasoftware.com
"The rules are simple: The ball is round. The game lasts 90 minutes. All the rest is just philosophy."
From franklin.manzano at ltu.etecsa.cu Wed May 20 15:04:09 2009
From: franklin.manzano at ltu.etecsa.cu (Franklin Manzano Rodriguez)
Date: Wed, 20 May 2009 10:04:09 -0500
Subject: [Freeipa-users] freeipa install error
Message-ID:

I need some help to install freeipa, this is the ipaserver-install.log

Configuring directory server:
  [1/17]: creating directory server user
  [2/17]: creating directory server instance
  [3/17]: adding default schema
  [4/17]: enabling memberof plugin
Unexpected error - see ipaserver-install.log for details:
[Errno 2] No such file or directory

[root at ipa-server tempo]# tail /var/log/ipaserver-install.log
  File "/usr/lib/python2.4/site-packages/ipa/ipautil.py", line 90, in run
    p = subprocess.Popen(args, stdout=subprocess.PIPE, stderr=subprocess.PIPE, close_fds=True)
  File "/usr/lib/python2.4/subprocess.py", line 542, in __init__
    errread, errwrite)
  File "/usr/lib/python2.4/subprocess.py", line 975, in _execute_child
    raise child_exception

From dqarras at yahoo.com Thu May 21 09:02:03 2009
From: dqarras at yahoo.com (Daniel Qarras)
Date: Thu, 21 May 2009 02:02:03 -0700 (PDT)
Subject: [Freeipa-users] FreeIPA with OpenLDAP
Message-ID: <349097.85918.qm@web36805.mail.mud.yahoo.com>

Hi!

Mostly just academic interest: is it possible to use OpenLDAP instead of FedoraDS with FreeIPA? If so, are there any changes/limitations with IPA in that case? Or if not, are there any plans to make IPA independent of LDAP server implementation? Would it require a major surgery or just some tweaking to do that?

Thanks!

From rcritten at redhat.com Tue May 26 12:49:04 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 26 May 2009 08:49:04 -0400
Subject: [Freeipa-users] FreeIPA with OpenLDAP
In-Reply-To: <349097.85918.qm@web36805.mail.mud.yahoo.com>
References: <349097.85918.qm@web36805.mail.mud.yahoo.com>
Message-ID: <4A1BE540.4060301@redhat.com>

Daniel Qarras wrote:
> Hi!
>
> Mostly just academic interest: is it possible to use OpenLDAP instead of FedoraDS with FreeIPA? If so, are there any changes/limitations with IPA in that case? Or if not, are there any plans to make IPA independent of LDAP server implementation? Would it require a major surgery or just some tweaking to do that?
>
> Thanks!

It wouldn't be easy to do. A number of plugins would need to be ported including the Distributed Numeric Assignment (DNA) plugin, ensure that memberof works the same way, the IPA password plugin. Perhaps more, and that is just to get one server running. Replication would need to be reconfigured as well.

We have no plans to port to OpenLDAP.

rob

From ssorce at redhat.com Tue May 26 15:32:14 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 26 May 2009 11:32:14 -0400
Subject: [Freeipa-users] freeipa install error
In-Reply-To:
References:
Message-ID: <1243351934.7279.12.camel@localhost.localdomain>

On Wed, 2009-05-20 at 10:04 -0500, Franklin Manzano Rodriguez wrote:
> I need some help to install freeipa, this is a ipaserver-install.log
>
> Configuring directory server:
> [1/17]: creating directory server user
> [2/17]: creating directory server instance
> [3/17]: adding default schema
> [4/17]: enabling memberof plugin
> Unexpected error - see ipaserver-install.log for details:
> [Errno 2] No such file or directory
> [root at ipa-server tempo]# tail /var/log/ipaserver-install.log
>
> File "/usr/lib/python2.4/site-packages/ipa/ipautil.py", line 90, in
> run
> p = subprocess.Popen(args, stdout=subprocess.PIPE,
> stderr=subprocess.PIPE, close_fds=True)
>
> File "/usr/lib/python2.4/subprocess.py", line 542, in __init__
> errread, errwrite)
>
> File "/usr/lib/python2.4/subprocess.py", line 975, in _execute_child
> raise child_exception

Can you provide the
full log ?

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From dqarras at yahoo.com Tue May 26 20:07:02 2009
From: dqarras at yahoo.com (Daniel Qarras)
Date: Tue, 26 May 2009 13:07:02 -0700 (PDT)
Subject: [Freeipa-users] FreeIPA with OpenLDAP
Message-ID: <96064.96468.qm@web36806.mail.mud.yahoo.com>

Hi!

> > Mostly just academic interest: is it possible to use
> > OpenLDAP instead of FedoraDS with FreeIPA?
>
> It wouldn't be easy to do. A number of plugins would need
> to be ported including the Distributed Numeric Assignment
> (DNA) plugin, ensure that memberof works the same way, the
> IPA password plugin. Perhaps more, and that is just to get
> one server running. Replication would need to be
> reconfigured as well.
>
> We have no plans to port to OpenLDAP.

Ok, thanks for the info! As said, basically just academic interest, but on the other hand it is good to know that if one wants to start toying with an LDAP server, this might be a hint towards Fedora DS..

Cheers!

From ssorce at redhat.com Wed May 27 12:08:57 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 27 May 2009 08:08:57 -0400
Subject: [Freeipa-users] freeipa install error
In-Reply-To:
References: <1243351934.7279.12.camel@localhost.localdomain>
Message-ID: <1243426137.7279.44.camel@localhost.localdomain>

What version of Directory Server do you have ?
On Wed, 2009-05-27 at 07:57 -0500, Franklin Manzano Rodriguez wrote:
> This is a full log
>
> ----- Original Message -----
> From: "Simo Sorce"
> To: "Franklin Manzano Rodriguez"
> Cc:
> Sent: Tuesday, May 26, 2009 10:32 AM
> Subject: [SPAM] - Re: [Freeipa-users] freeipa install error - Bayesian
> Filter detected spam
>
>
> > On Wed, 2009-05-20 at 10:04 -0500, Franklin Manzano Rodriguez wrote:
> >> I need some help to install freeipa, this is a ipaserver-install.log
> >>
> >> Configuring directory server:
> >> [1/17]: creating directory server user
> >> [2/17]: creating directory server instance
> >> [3/17]: adding default schema
> >> [4/17]: enabling memberof plugin
> >> Unexpected error - see ipaserver-install.log for details:
> >> [Errno 2] No such file or directory
> >> [root at ipa-server tempo]# tail /var/log/ipaserver-install.log
> >>
> >> File "/usr/lib/python2.4/site-packages/ipa/ipautil.py", line 90, in
> >> run
> >> p = subprocess.Popen(args, stdout=subprocess.PIPE,
> >> stderr=subprocess.PIPE, close_fds=True)
> >>
> >> File "/usr/lib/python2.4/subprocess.py", line 542, in __init__
> >> errread, errwrite)
> >>
> >> File "/usr/lib/python2.4/subprocess.py", line 975, in _execute_child
> >> raise child_exception
> >
> > Can you provide the full log ?
> >
> > Simo.
> >
> > --
> > Simo Sorce * Red Hat, Inc * New York
> >
>
>

--
Simo Sorce * Red Hat, Inc * New York

From djscott at mit.edu Wed May 27 16:55:39 2009
From: djscott at mit.edu (Daniel Scott)
Date: Wed, 27 May 2009 12:55:39 -0400
Subject: [Freeipa-users] User keytab file
In-Reply-To: <1780619740.69041242188164606.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>
References: <6835906b0905120907t55aed0edw5307be23a62c8ed5@mail.gmail.com> <1780619740.69041242188164606.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>
Message-ID: <6835906b0905270955s4371afc2u5c642cbc4793d386@mail.gmail.com>

Hi,

2009/5/13 Simo Sorce :
>> I have a FreeIPA server configured and working. I'm now trying to
>> automate a few processes and have a question regarding user keytabs.
>> I'm looking to enable passwordless authentication/login for a
>> particular user.
>>
>> I have followed the instructions found here:
>> http://kb.iu.edu/data/aumh.html
>>
>> From the above page, it appears that I can do this using a user
>> keytab. I have created a user named 'backup' and given it a good, long
>> password. I then created a user keytab file using the following
>> command:
>>
>> # ktutil
>> ktutil: addent -password -p backup -k 1 -e des-cbc-crc
>> ktutil: addent -password -p backup -k 2 -e des3-cbc-sha1
>> ktutil: wkt /etc/backup.keytab
>>
>> I can display the contents of this keytab and it appears to have been
>> created successfully. Then, I should be able to authenticate using the
>> following command, correct?
>>
>> # kinit backup -k -t /etc/backup.keytab
>> kinit(v5): Key table entry not found while getting initial credentials
>>
>> The server logs show the following:
>>
>> May 12 11:54:34 example.com krb5kdc[12175](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.50: NEEDED_PREAUTH: backup at EXAMPLE.COM for krbtgt/EXAMPLE.COM at EXAMPLE.COM, Additional pre-authentication required
>
> This is fine, I need the next line in the log to see what's the problem.
> If you don't have a next line, then something is definitely "Wrong"
>
>> I have tried numerous combinations of the username in the kinit
>> command, but I cannot obtain a ticket. Does anyone have any
>> suggestions? Am I approaching this in the wrong way? Am I using the
>> wrong hashing algorithm?
>>
>> A little more background information:
>> 1. The backup.keytab has permissions 600 and is owned by backup.
>> 2. I have also tried this as root.
>
> I don't have enough information to be sure (logs) but one of your problems
> may be that you came up with arbitrary (as in made up) kvno numbers.
> (the -k option to addent in ktutil).

Does anyone have any more suggestions for this? I've tried explicitly stating the kvno, but no luck. It just seems like the keytab file is not being recognised correctly. I still get the log message above, but the error message on the command line looks like the kinit command isn't even hitting the server - the error seems to be with the keytab file.

Am I even approaching this in the correct way? All my searching on the web seems to find information related to service principals rather than user principals. There are another couple of sites which mention principals such as username/admin at EXAMPLE.COM which I'm unsure about.

It's very strange that I can extract the keytab entry for a principal, but then am told that the entry does not exist. Has anyone seen this before?
Thanks,

Dan Scott
-------------------------------
http://danieljamesscott.org

From serejka at gmail.com Sun May 31 16:23:18 2009
From: serejka at gmail.com (Sergei V. Kovylov)
Date: Sun, 31 May 2009 20:23:18 +0400
Subject: [Freeipa-users] Freeipa v2.
Message-ID: <7870594c0905310923x384462a7kf30afda959a50168@mail.gmail.com>

Hello guys.

Glad to see that the project is under heavy development. I have several questions:

1. Is it still planned to produce some release/RC in May?
2. Is there an SCM repo anywhere? Because both the fedorapeople and fedorahosted gits seem not to be current.
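For the user keytab thread above (Dan Scott's "Key table entry not found" and Simo's remark about made-up kvno numbers), here is an added example, not code from the list or from FreeIPA, that decodes a MIT keytab file as ktutil's wkt writes it (format version 0x0502) and checks whether the exact principal, kvno and enctype the KDC will select are present. The sample keytab is constructed inline with placeholder key bytes; encode_entry exists only to build it.

```python
import struct
from typing import List, NamedTuple

KeytabEntry = NamedTuple("KeytabEntry", [("principal", str), ("kvno", int), ("enctype", int)])

def _counted(buf: bytes, pos: int):
    (n,) = struct.unpack_from(">H", buf, pos)   # uint16 length-prefixed octet string
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Decode every live entry of a MIT version 0x0502 keytab (what ktutil wkt writes)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 MIT keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                   # negative size marks a deleted slot
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):         # the realm is not counted in ncomp
            comp, pos = _counted(data, pos)
            comps.append(comp.decode())
        # name_type(4) timestamp(4) vno8(1) enctype(2) keylen(2), then the key bytes
        _, _, vno8, enctype, keylen = struct.unpack_from(">IIBHH", data, pos)
        pos += 13 + keylen
        kvno = vno8
        if end - pos >= 4:             # optional 32-bit kvno overrides vno8 when nonzero
            kvno = struct.unpack_from(">I", data, pos)[0] or vno8
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(), kvno, enctype))
    return entries

def has_entry(entries: List[KeytabEntry], principal: str, kvno: int, enctype: int) -> bool:
    """True iff the keytab holds the exact (principal, kvno, enctype) key the KDC will select."""
    return KeytabEntry(principal, kvno, enctype) in entries

def encode_entry(principal: str, kvno: int, enctype: int, key: bytes) -> bytes:
    """Encode one keytab entry; used here only to construct the sample keytab below."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, enctype, len(key)) + key
    body += struct.pack(">I", kvno)    # trailing 32-bit kvno field
    return struct.pack(">i", len(body)) + body

# Constructed sample mirroring the thread's ktutil session: kvno 1 / enctype 1 (des-cbc-crc) and
# kvno 2 / enctype 16 (des3-cbc-sha1) for "backup"; the key bytes are placeholders, not real keys.
SAMPLE_KEYTAB = (b"\x05\x02" + encode_entry("backup@EXAMPLE.COM", 1, 1, b"\x01" * 8)
                 + encode_entry("backup@EXAMPLE.COM", 2, 16, b"\x02" * 24))
```

Compare the kvno and enctype pairs it lists against what the KDC actually holds for the principal (MIT's kvno utility reports the current key version); an entry written with an invented kvno can never match, which is the failure mode Simo points to.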