From tomasz.napierala at allegro.pl Thu Oct 1 12:06:03 2009
From: tomasz.napierala at allegro.pl (Tomasz Z. Napierala)
Date: Thu, 1 Oct 2009 14:06:03 +0200
Subject: [Freeipa-users] Using FreeIPA as password backend for Samba
In-Reply-To: <1253731597.3617.443.camel@arepa.pzo.lgs.com.ve>
References: <1253695578.18011.7.camel@alledrag> <1253719193.3126.32.camel@localhost.localdomain> <1253728250.8314.2.camel@alledrag> <1253731597.3617.443.camel@arepa.pzo.lgs.com.ve>
Message-ID: <1254398763.4810.4.camel@alledrag>

On Wed, 2009-09-23 at 20:46 +0200, Loris Santamaria wrote:
> We integrate freeipa and samba 3 having freeipa generating automatically
> the sambaSID for users and groups.
>
> First step, you need to modify cn=ipaconfig to have freeipa add the
> appropriate objectclasses:
>
> ldapmodify <<EOF
> dn: cn=ipaconfig,cn=etc,dc=yourdomain
> changetype: modify
> add: ipaUserObjectClasses
> ipaUserObjectClasses: sambaSAMAccount
> -
> add: ipaGroupObjectClasses
> ipaGroupObjectClasses: sambaGroupMapping
> EOF

That's pretty straightforward and clear.

> Second you may configure the ipa-dna (or dna) plugin to generate
> sambasids for users and groups. Something like (using 389's dna plugin):

[cut]

> NOTE 1, you have to change the dnaprefix attribute to match the sambaSID
> of your domain, which you can get with the command "net rpc getlocalsid"

Does it mean that I can only have one Samba server in the Kerberos realm?
This is quite important, because we have about 10 development servers,
and each of them is running its own Samba server. I'd like to sync
passwords on all servers; would it be possible?

P.S. Loris, sorry for the off-list message :/

Regards,
--
Tomasz Napierała
Systems Architecture Engineer, IT Infrastructure Department
Allegro Team
http://www.allegro.pl/

QXL Poland sp. z o.o.
ul. Marcelińska 90, 60-324 Poznań
NIP 779-21-25-257; District Court Poznań - Nowe Miasto i Wilda in Poznań, 8th Commercial Division, KRS no. 0000104322
Share capital: 1,046,000 PLN.
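An added example, not code from the thread and not the 389 DNA plugin's own code: the sambaSID values the dna plugin hands out are the domain SID reported by "net rpc getlocalsid" with a RID appended, so an identity administrator can audit an export of user entries for two things that break Samba access control, a sambaSID whose prefix is some other server's local SID and two accounts that share one SID. The domain SID, the uid-to-sambaSID table and the starting RID of 1000 below are all constructed for the demo.

```python
import re

# Domain SID as "net rpc getlocalsid" would print it on the domain controller
# (constructed value, not a real domain).
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"

# Constructed uid -> sambaSID pairs standing in for an ldapsearch result.
SAMPLE_ENTRIES = {
    "alice": DOMAIN_SID + "-1000",
    "bob":   DOMAIN_SID + "-1001",
    # prefix from some other server's local SID, e.g. a dev box that was
    # never joined to the domain and generated its own SID
    "carol": "S-1-5-21-9999999999-8888888888-7777777777-1002",
    "dave":  DOMAIN_SID + "-1001",          # collides with bob
    "erin":  "S-1-5-21-not-a-sid",          # malformed
}

# Domain SIDs look like S-1-5-21-<a>-<b>-<c>; a user or group SID adds one RID.
_SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def split_sid(sid):
    """Return (domain_prefix, rid); raise ValueError for anything malformed."""
    m = _SID_RE.match(sid)
    if not m:
        raise ValueError(f"malformed sambaSID: {sid!r}")
    return m.group(1), int(m.group(2))


def audit_samba_sids(entries, domain_sid):
    """Classify entries: 'foreign' (prefix is not the domain SID), 'malformed',
    and 'duplicates' (RID -> uids that share it). All three should be empty."""
    foreign, malformed, rid_owners = [], [], {}
    for uid, sid in entries.items():
        try:
            prefix, rid = split_sid(sid)
        except ValueError:
            malformed.append(uid)
            continue
        if prefix != domain_sid:
            foreign.append(uid)
            continue
        rid_owners.setdefault(rid, []).append(uid)
    duplicates = {rid: uids for rid, uids in rid_owners.items() if len(uids) > 1}
    return {"foreign": sorted(foreign), "malformed": sorted(malformed),
            "duplicates": duplicates}


def next_rid(entries, domain_sid, first_rid=1000):
    """Lowest RID >= first_rid not yet used in this domain, i.e. what a
    DNA-style allocator would assign next (foreign/malformed SIDs are ignored)."""
    used = set()
    for sid in entries.values():
        try:
            prefix, rid = split_sid(sid)
        except ValueError:
            continue
        if prefix == domain_sid:
            used.add(rid)
    rid = first_rid
    while rid in used:
        rid += 1
    return rid


if __name__ == "__main__":
    report = audit_samba_sids(SAMPLE_ENTRIES, DOMAIN_SID)
    for kind, found in report.items():
        print(f"{kind}: {found}")
    print("next RID:", next_rid(SAMPLE_ENTRIES, DOMAIN_SID))
```

Run against a real export, every "foreign" hit is a server that generated SIDs from its own local SID instead of the domain's, which is exactly the situation the thread's NOTE 1 warns about; a duplicate RID means two directory accounts that Samba will treat as the same security principal.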
From vic_1980 at bk.ru Thu Oct 1 10:35:39 2009
From: vic_1980 at bk.ru (Виктор Сергеевич)
Date: Thu, 01 Oct 2009 14:35:39 +0400
Subject: [Freeipa-users] about replication FreeIPA
Message-ID: <1254393339.2685.30.camel@n51v.kbtm-spb.ru>

Hello!

I try to create a replication server

On a primary-server it is established fedora10, on secondary a server fedora 11. I use function multimaster replication and process with pgp file on secondary server with help ipa-replica-install passes normally (on secondary a server all services start, but in a webinterface permission denied, but the given situation is specified in MAN freeIPA - only console management of a remark), however by search of the user on secondary I receive the message:

ipa-finduser admin
"Did not receive Kerberos credentials"

It seems is not present krb-authorisation? I try to be authorised:

kinit admin
... cannot contact any KDC for realm 'REALM_NAME'

That is it is impossible to find KDC?

Distinctions between files krb5.conf on primary and secondary servers:

In krb5.conf on the secondary server:

[realm]
kdc=secondary.domain.zone
admin_server=secondary.domain.zone
default_domain=kbtm-spb.ru

[dbmodules]
...
ldap_servers=ldap://127.0.0.1/

In krb5.conf on the primary server:

[realm]
kdc=primary.domain.zone
admin_server=primary.domain.zone
default_domain=kbtm-spb.ru

[dbmodules]
...
ldap_servers=ldap://192.168.0.1/

If I change parameters of the pach [realm] secondary>primary? then I can use kinit, but ... it's a bad idea.

What do I have to do?

From jgalipea at redhat.com Thu Oct 1 18:14:35 2009
From: jgalipea at redhat.com (Jenny Galipeau)
Date: Thu, 01 Oct 2009 14:14:35 -0400
Subject: [Freeipa-users] about replication FreeIPA
In-Reply-To: <1254393339.2685.30.camel@n51v.kbtm-spb.ru>
References: <1254393339.2685.30.camel@n51v.kbtm-spb.ru>
Message-ID: <4AC4F18B.8080401@redhat.com>

Виктор Сергеевич wrote:
> Hello!
>
> I try to create a replication server
>
> On a primary-server it is established fedora10, on secondary a server
> fedora 11. I use function multimaster replication and process with pgp
> file on secondary server with help ipa-replica-install passes normally
> (on secondary a server all services start, but in a webinterface
> permission denied, but the given situation is specified in MAN freeIPA
> - only console management of a remark), however by search of the user on
> secondary I receive the message:
>
> ipa-finduser admin
> "Did not receive Kerberos credentials"
>
> It seems is not present krb-authorisation? I try to be authorised:
>
> kinit admin
> ... cannot contact any KDC for realm 'REALM_NAME'
>
> That is it is impossible to find KDC?
>
Hi ..

Just to clarify - the first server - primary is all okay, right? Then let's start by ruling out the easy stuff. Make sure DNS is configured properly and the machines are forward and reverse resolvable. And could you post the entire contents of both servers' /etc/krb5.conf files.

Thanks
Jenny

> Distinctions between files krb5.conf on primary and secondary servers:
>
> In krb5.conf on the secondary server:
>
> [realm]
> kdc=secondary.domain.zone
> admin_server=secondary.domain.zone
> default_domain=kbtm-spb.ru
>
> [dbmodules]
> ...
> ldap_servers=ldap://127.0.0.1/
>
>
>
> In krb5.conf on the primary server:
>
> [realm]
> kdc=primary.domain.zone
> admin_server=primary.domain.zone
> default_domain=kbtm-spb.ru
>
> [dbmodules]
> ...
> ldap_servers=ldap://192.168.0.1/
>
>
> If I change parameters of the pach [realm] secondary>primary? then I can
> use kinit, but ... it's a bad idea.
>
>
> What do I have to do?
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>

--
Jenny Galipeau
Principal Software QA Engineer
Red Hat, Inc.
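An added example illustrating the check Jenny asks for; it is not code from the thread or from FreeIPA. It parses the realm stanza of a krb5.conf (the section krb5.conf itself names [realms]; the excerpt above labels it [realm]) and verifies that every kdc and admin_server host has a forward record and that the address resolves back to the same name, which is the usual way a replica ends up with a KDC it cannot contact. The sample krb5.conf text, the realm name EXAMPLE.TEST and the address table are constructed; resolution is passed in as two callables so the demo runs offline, and live_resolvers() builds the real ones from the socket module for use on a host.

```python
import re
import socket

# Constructed krb5.conf modelled on the secondary server's excerpt in the thread.
SAMPLE_KRB5_CONF = """\
[libdefaults]
 default_realm = EXAMPLE.TEST

[realms]
 EXAMPLE.TEST = {
  kdc = secondary.domain.zone:88
  admin_server = secondary.domain.zone:749
  default_domain = kbtm-spb.ru
 }

[domain_realm]
 .kbtm-spb.ru = EXAMPLE.TEST
"""


def parse_realms(text):
    """Return {realm: {key: [values]}} from the [realms] section of krb5.conf.
    Only the brace-delimited realm blocks are read; other sections are skipped."""
    realms, section, current = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and indentation
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, current = line[1:-1].lower(), None
            continue
        if section != "realms":
            continue
        if line.endswith("{"):                    # "REALM = {" opens a block
            current = line[:-1].rstrip(" =").strip()
            realms[current] = {}
        elif line == "}":
            current = None
        elif current is not None and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            realms[current].setdefault(key.lower(), []).append(value)
    return realms


def host_of(value):
    """Strip an optional :port from a kdc/admin_server value, normalise case."""
    host = value.rsplit(":", 1)[0] if re.search(r":\d+$", value) else value
    return host.lower().rstrip(".")


def check_resolution(realms, forward, reverse):
    """forward(name) -> ip or None; reverse(ip) -> name or None.
    Returns [(realm, key, host, problem)]; an empty list means all hosts are
    forward and reverse resolvable to the same name."""
    problems = []
    for realm, keys in realms.items():
        for key in ("kdc", "admin_server"):
            for value in keys.get(key, []):
                host = host_of(value)
                ip = forward(host)
                if ip is None:
                    problems.append((realm, key, host, "no forward (A) record"))
                    continue
                back = reverse(ip)
                if back is None:
                    problems.append((realm, key, host, f"no PTR for {ip}"))
                elif host_of(back) != host:
                    problems.append((realm, key, host,
                                     f"PTR for {ip} is {back}, not {host}"))
    return problems


# Constructed address table standing in for DNS in the offline demo: the
# secondary's PTR still points at an old name, a classic replica-build mistake.
FAKE_A = {"secondary.domain.zone": "192.168.0.2", "primary.domain.zone": "192.168.0.1"}
FAKE_PTR = {"192.168.0.1": "primary.domain.zone", "192.168.0.2": "secondary-old.domain.zone"}


def demo():
    return check_resolution(parse_realms(SAMPLE_KRB5_CONF), FAKE_A.get, FAKE_PTR.get)


def live_resolvers():
    """Real forward/reverse lookups for running this on an actual server."""
    def fwd(name):
        try:
            return socket.gethostbyname(name)
        except socket.gaierror:
            return None

    def rev(ip):
        try:
            return socket.gethostbyaddr(ip)[0]
        except (socket.herror, socket.gaierror):
            return None
    return fwd, rev


if __name__ == "__main__":
    for problem in demo():
        print(*problem)
```

On a live system, read /etc/krb5.conf into parse_realms() and pass the pair from live_resolvers() to check_resolution(); Kerberos service principals are built from the canonical hostname, so a PTR that disagrees with the A record is worth fixing before looking anywhere else.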
Security Engineering From james.roman at ssaihq.com Thu Oct 1 18:44:47 2009 From: james.roman at ssaihq.com (James Roman) Date: Thu, 01 Oct 2009 14:44:47 -0400 Subject: [Freeipa-users] ipa-replica install failing In-Reply-To: <4AC3ACFF.9070006@viveli.com> References: <4AC3ACFF.9070006@viveli.com> Message-ID: <4AC4F89F.5070204@ssaihq.com> David Christensen wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > When I installed my first ipa server I used the self signed ssl cert and > soon followed up with a replica. Shortly after installing the replica I > attempted to import a wild card CA signed cert and ran into an issue. > This is a bit unclear. Did you try to import a 3rd party CA signed wildcard certificate? If so, depending on who your signing CA is, you may need to import a certificate chain for your signing CA to get to a CA that NSS trusts. Most 3rd party CAs will tell you this (or at least will let you know in their support knowledge-base). OR did you issue a wildcard certificate from your IPA CA certificate? > > Now I am trying to create a 3rd replica and have run into what I think > is a similar issue. I can export the replica package from the "master" > ipa server using the pk12 options however the replica install fails. 
> > I ran the debug on the replica install and this is where the install fails: > > root : INFO > creation of replica failed: Could not find a CA cert in > /tmp/tmplO4Bp3ipa/realm_info/dscert.p12 > root : DEBUG Could not find a CA cert in > /tmp/tmplO4Bp3ipa/realm_info/dscert.p12 > File "/usr/sbin/ipa-replica-install", line 294, in > main() > > File "/usr/sbin/ipa-replica-install", line 244, in main > ds = install_ds(config) > > File "/usr/sbin/ipa-replica-install", line 115, in install_ds > ds.create_instance(config.ds_user, config.realm_name, > config.host_name, config.domain_name, config.dirman_password, pkcs12_info) > > File "/usr/lib/python2.5/site-packages/ipaserver/dsinstance.py", line > 193, in create_instance > self.start_creation("Configuring directory server:") > > File "/usr/lib/python2.5/site-packages/ipaserver/service.py", line > 139, in start_creation > method() > > File "/usr/lib/python2.5/site-packages/ipaserver/dsinstance.py", line > 345, in __enable_ssl > ca.create_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1]) > > File "/usr/lib/python2.5/site-packages/ipaserver/certs.py", line 472, > in create_from_pkcs12 > raise RuntimeError("Could not find a CA cert in %s" % pkcs12_fname) > > > If you changed the initial CA certs, you will most likely need to provide a PKCS12 file for both the directory server and httpd server. ipa-replica-prepare --dirsrv_pkcs12=/path/to/pkcs12/file --http_pkcs12=/path/to/pkcs12/file \ --dirsrv_pin=PasswordUsedToGeneratePKCS12File --http_pin=PasswordUsedToGeneratePKCS12File Are you providing a certificate or trying to have the script generate one using the default? If you did generate a pkcs12 file to include in the ipa-replica-prepare script, run pk12util -l /path/to/pkcs12/file and verify that the entire certificate chain up to an NSS trusted CA is included. (Start from the end and look at the "Subject:" and "Issuer:" lines. 
Scroll up and see if the next subject line is the previous issuer; repeat as needed until you get an issuer CA certificate that NSS (or Firefox) includes in its default trusted CAs.)

> Your system may be partly configured.
>
> Is this issue similar to what I experienced with the ssl cert import or
> is it something entirely different?
>
> David
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
>
> iEYEARECAAYFAkrDrP8ACgkQ5B+8XEnAvqtBCgCgnO75V05RxkDtpxTzK0gdk1Cg
> pRQAniFkA0G4JHjChzeyZ7bP/oTHTurz
> =F7r+
> -----END PGP SIGNATURE-----
>

From loris at lgs.com.ve Fri Oct 2 13:56:09 2009
From: loris at lgs.com.ve (Loris Santamaria)
Date: Fri, 02 Oct 2009 09:26:09 -0430
Subject: [Freeipa-users] Using FreeIPA as password backend for Samba
In-Reply-To: <1254398763.4810.4.camel@alledrag>
References: <1253695578.18011.7.camel@alledrag> <1253719193.3126.32.camel@localhost.localdomain> <1253728250.8314.2.camel@alledrag> <1253731597.3617.443.camel@arepa.pzo.lgs.com.ve> <1254398763.4810.4.camel@alledrag>
Message-ID: <1254491769.4105.31.camel@arepa.pzo.lgs.com.ve>

On Thu, 01-10-2009 at 14:06 +0200, Tomasz Z. Napierala wrote:
> On Wed, 2009-09-23 at 20:46 +0200, Loris Santamaria wrote:
>
> > Second you may configure the ipa-dna (or dna) plugin to generate
> > sambasids for users and groups. Something like (using 389's dna plugin):
>
> [cut]
>
> > NOTE 1, you have to change the dnaprefix attribute to match the sambaSID
> > of your domain, which you can get with the command "net rpc getlocalsid"
>
> Does it mean that I can only have one Samba server in the Kerberos realm?
> This is quite important, because we have about 10 development servers,
> and each of them is running its own Samba server.
> I'd like to sync
> passwords on all servers, would it be possible?

Every samba server in a _domain_ shares the same prefix for the sid. If
you execute "net rpc getlocalsid" on the domain controller you should get
the sid for the entire domain.

If you don't have your servers arranged in a domain, you really should.
It wouldn't make sense to use freeipa as a backend otherwise.

Regards
--
Loris Santamaria linux user #70506 xmpp:loris at lgs.com.ve
Links Global Services, C.A. http://www.lgs.com.ve
Tel: 0286 952.06.87 Cel: 0414 095.00.10 sip:103 at lgs.com.ve
------------------------------------------------------------
-O9 -omg-optimize -fomit-instructions

From garyv at gmoneylove.com Tue Oct 6 17:36:44 2009
From: garyv at gmoneylove.com (garyv)
Date: Tue, 06 Oct 2009 10:36:44 -0700
Subject: [Freeipa-users] slapi-nis installation help
Message-ID: <4ACB802C.2080205@gmoneylove.com>

Hi,

I've installed freeIPA (ipa-server-1.2.2-1.fc11.i586) and have the base functionality working and I'm quite pleased.

The problem I'm experiencing is with getting slapi-nis to function properly.

Reading other posts in the list I was able to get FreeIPA to serve NIS maps, and clients to bind to the NIS dom, but no passwords/auth work for users.

Any tips on setup/troubleshooting this?
Thanks

Gary

on the Client:
root at fell:~$ ypcat -k passwd
ttest ttest:*:1102:1002:Tim Test:/home/ttest:/bin/bash

root at fell:~$ ypwhich -m
passwd.byuid fcds.edited
passwd.byname fcds.edited
netid.byname fcds.edited
group.upg fcds.nes.edited
group.byname fcds.edited
group.bygid fcds.edited

From yzhang at redhat.com Tue Oct 6 18:16:28 2009
From: yzhang at redhat.com (yi zhang)
Date: Tue, 06 Oct 2009 11:16:28 -0700
Subject: [Freeipa-users] slapi-nis installation help
In-Reply-To: <4ACB802C.2080205@gmoneylove.com>
References: <4ACB802C.2080205@gmoneylove.com>
Message-ID: <4ACB897C.3020607@redhat.com>

On 10/06/2009 10:36 AM, garyv wrote:
> Hi,
>
> I've installed freeIPA (ipa-server-1.2.2-1.fc11.i586) and have the
> base functionality working and I'm quite pleased.
>
> The problem I'm experiencing is with getting slapi-nis to function
> properly.
>
> Reading other posts in the list I was able to get FreeIPA to serve NIS
> maps, and clients to bind to the NIS dom, but no passwords/auth work
> for users.
>
> Any tips on setup/troubleshooting this?

I haven't done any ipa-nis configuration for a while; here are my old notes, they might still work.

* NIS client host set up in general

This is what RHEL linux should follow.

1. Append the following line in the /etc/sysconfig/network file:
   * NISDOMAIN=mynisdomain
2. Append the following line in /etc/yp.conf :
   * domain mynisdomain server 192.168.0.1 (replace the IP with the IPA server IP)
3. Make sure the following lines contain 'nis' as an option in the file /etc/nsswitch.conf
   * passwd: files nis
   * shadow: files nis
   * group: files nis
   * hosts: files nis dns
   * networks: files nis
   * protocols: files nis
   * publickey: nisplus
   * automount: files nis
   * netgroup: files nis
   * aliases: files nisplus
4.
restart ypbind and portmap
   * /etc/rc.d/init.d/ypbind restart
   * /etc/rc.d/init.d/portmap restart

>
> Thanks
>
> Gary
>
> on the Client:
> root at fell:~$ ypcat -k passwd
> ttest ttest:*:1102:1002:Tim Test:/home/ttest:/bin/bash
>
> root at fell:~$ ypwhich -m
> passwd.byuid fcds.edited
> passwd.byname fcds.edited
> netid.byname fcds.edited
> group.upg fcds.nes.edited
> group.byname fcds.edited
> group.bygid fcds.edited
>

From gverhulp at checkpoint.com Tue Oct 6 18:33:02 2009
From: gverhulp at checkpoint.com (Gary Verhulp)
Date: Tue, 6 Oct 2009 11:33:02 -0700
Subject: [Freeipa-users] slapi-nis installation help
In-Reply-To: <4ACB897C.3020607@redhat.com>
References: <4ACB802C.2080205@gmoneylove.com> <4ACB897C.3020607@redhat.com>
Message-ID: <4ACB8D5E.6060404@checkpoint.com>

Thanks for the response.
I have the NIS config on the client set up correctly, I believe.
This client was moved from my current NIS domain and works fine.

It's not that the client does not bind to the new FreeIPA NIS domain, but rather there is no passwd hash in the output of ypcat -k passwd so it has no way to auth.

garyv at fell:/var/log$ ypcat -k passwd
ttest ttest:*:1102:1002:Tim Test:/home/ttest:/bin/bash

br,
Gary

yi zhang wrote:
> On 10/06/2009 10:36 AM, garyv wrote:
>> Hi,
>>
>> I've installed freeIPA (ipa-server-1.2.2-1.fc11.i586) and have the
>> base functionality working and I'm quite pleased.
>>
>> The problem I'm experiencing is with getting slapi-nis to function
>> properly.
>>
>> Reading other posts in the list I was able to get FreeIPA to serve
>> NIS maps, and clients to bind to the NIS dom, but no passwords/auth
>> work for users.
>>
>> Any tips on setup/troubleshooting this?
> I haven't done any ipa-nis configuration for a while; here are my old
> notes, they might still work
>
> * NIS client host set up in general
>
> This is what RHEL linux should follow.
>
> 1. Append the following line in the /etc/sysconfig/network file:
>    * NISDOMAIN=mynisdomain
> 2. Append the following line in /etc/yp.conf :
>    * domain mynisdomain server 192.168.0.1 (replace the IP with the
>      IPA server IP)
> 3. Make sure the following lines contain 'nis' as an option in the
>    file /etc/nsswitch.conf
>    * passwd: files nis
>    * shadow: files nis
>    * group: files nis
>    * hosts: files nis dns
>    * networks: files nis
>    * protocols: files nis
>    * publickey: nisplus
>    * automount: files nis
>    * netgroup: files nis
>    * aliases: files nisplus
> 4. restart ypbind and portmap
>    * /etc/rc.d/init.d/ypbind restart
>    * /etc/rc.d/init.d/portmap restart
>
>
>>
>> Thanks
>>
>> Gary
>>
>> on the Client:
>> root at fell:~$ ypcat -k passwd
>> ttest ttest:*:1102:1002:Tim Test:/home/ttest:/bin/bash
>>
>> root at fell:~$ ypwhich -m
>> passwd.byuid fcds.edited
>> passwd.byname fcds.edited
>> netid.byname fcds.edited
>> group.upg fcds.nes.edited
>> group.byname fcds.edited
>> group.bygid fcds.edited
>>
>

From yzhang at redhat.com Tue Oct 6 18:47:37 2009
From: yzhang at redhat.com (yi zhang)
Date: Tue, 06 Oct 2009 11:47:37 -0700
Subject: [Freeipa-users] slapi-nis installation help
In-Reply-To: <4ACB8D5E.6060404@checkpoint.com>
References: <4ACB802C.2080205@gmoneylove.com> <4ACB897C.3020607@redhat.com> <4ACB8D5E.6060404@checkpoint.com>
Message-ID: <4ACB90C9.7050800@redhat.com>

On 10/06/2009 11:33 AM, Gary Verhulp wrote:
> Thanks for the response.
> I have the NIS config on the client set up correctly, I believe.
> This client was moved from my current NIS domain and works fine.
>
> It's not that the client does not bind to the new FreeIPA NIS domain,
> but rather there is no passwd hash in the output of ypcat -k passwd so
> it has no way to auth.
>
> garyv at fell:/var/log$ ypcat -k passwd
> ttest ttest:*:1102:1002:Tim Test:/home/ttest:/bin/bash
>
>
have you enabled the IPA nis plug-in? By default, this plug-in is disabled. To enable it, do the following on the ipa server:

1. kinit admin
2. ipa-compat-manage enable -y
3. ipa-nis-manage enable -y
4. service dirsrv restart

where the password file contains the plain text password of "admin" and dirsrv is the backend DB for ipa

Yi

> br,
> Gary
>
>
> yi zhang wrote:
>
>> On 10/06/2009 10:36 AM, garyv wrote:
>>
>>> Hi,
>>>
>>> I've installed freeIPA (ipa-server-1.2.2-1.fc11.i586) and have the
>>> base functionality working and I'm quite pleased.
>>>
>>> The problem I'm experiencing is with getting slapi-nis to function
>>> properly.
>>>
>>> Reading other posts in the list I was able to get FreeIPA to serve
>>> NIS maps, and clients to bind to the NIS dom, but no passwords/auth
>>> work for users.
>>>
>>> Any tips on setup/troubleshooting this?
>>>
>> I haven't done any ipa-nis configuration for a while; here are my old
>> notes, they might still work
>>
>> * NIS client host set up in general
>>
>> This is what RHEL linux should follow.
>>
>> 1. Append the following line in the /etc/sysconfig/network file:
>>    * NISDOMAIN=mynisdomain
>> 2. Append the following line in /etc/yp.conf :
>>    * domain mynisdomain server 192.168.0.1 (replace the IP with the
>>      IPA server IP)
>> 3. Make sure the following lines contain 'nis' as an option in the
>>    file /etc/nsswitch.conf
>>    * passwd: files nis
>>    * shadow: files nis
>>    * group: files nis
>>    * hosts: files nis dns
>>    * networks: files nis
>>    * protocols: files nis
>>    * publickey: nisplus
>>    * automount: files nis
>>    * netgroup: files nis
>>    * aliases: files nisplus
>> 4.
>> restart ypbind and portmap
>>    * /etc/rc.d/init.d/ypbind restart
>>    * /etc/rc.d/init.d/portmap restart
>>
>>
>>
>>> Thanks
>>>
>>> Gary
>>>
>>> on the Client:
>>> root at fell:~$ ypcat -k passwd
>>> ttest ttest:*:1102:1002:Tim Test:/home/ttest:/bin/bash
>>>
>>> root at fell:~$ ypwhich -m
>>> passwd.byuid fcds.edited
>>> passwd.byname fcds.edited
>>> netid.byname fcds.edited
>>> group.upg fcds.nes.edited
>>> group.byname fcds.edited
>>> group.bygid fcds.edited
>>>
>>
>

From gverhulp at checkpoint.com Tue Oct 6 19:12:11 2009
From: gverhulp at checkpoint.com (Gary Verhulp)
Date: Tue, 6 Oct 2009 12:12:11 -0700
Subject: [Freeipa-users] slapi-nis installation help
In-Reply-To: <4ACB90C9.7050800@redhat.com>
References: <4ACB802C.2080205@gmoneylove.com> <4ACB897C.3020607@redhat.com> <4ACB8D5E.6060404@checkpoint.com>,<4ACB90C9.7050800@redhat.com>
Message-ID: <98A78DC20B9DD949B2521D8FC483C3F336AFEAFA62@US-EX01.ad.checkpoint.com>

I have not done those steps. I did not see any of those in the doc anywhere!?
I do not seem to have the "ipa-nis-manage" command on this machine.
Seems like I'm missing a basic step somewhere.
I know I'm serving NIS with this server as I'm able to bind a client and:

[root at fcds tmp]# rpcinfo -p
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  44690  status
    100024    1   tcp  45670  status
    100004    2   tcp    671  ypserv
    100004    2   udp    671  ypserv

________________________________________
From: yi zhang [yzhang at redhat.com]
Sent: Tuesday, October 06, 2009 11:47 AM
To: Gary Verhulp
Cc: Freeipa-users at redhat.com
Subject: Re: [Freeipa-users] slapi-nis installation help

On 10/06/2009 11:33 AM, Gary Verhulp wrote:
> Thanks for the response.
> I have the NIS config on the client set up correctly, I believe.
> This client was moved from my current NIS domain and works fine.
>
> It's not that the client does not bind to the new FreeIPA NIS domain,
> but rather there is no passwd hash in the output of ypcat -k passwd so
> it has no way to auth.
>
> garyv at fell:/var/log$ ypcat -k passwd
> ttest ttest:*:1102:1002:Tim Test:/home/ttest:/bin/bash
>
>
have you enabled the IPA nis plug-in? By default, this plug-in is disabled. To enable it, do the following on the ipa server:

1. kinit admin
2. ipa-compat-manage enable -y
3. ipa-nis-manage enable -y
4. service dirsrv restart

where the password file contains the plain text password of "admin" and dirsrv is the backend DB for ipa

Yi

> br,
> Gary
>
>
> yi zhang wrote:
>
>> On 10/06/2009 10:36 AM, garyv wrote:
>>
>>> Hi,
>>>
>>> I've installed freeIPA (ipa-server-1.2.2-1.fc11.i586) and have the
>>> base functionality working and I'm quite pleased.
>>>
>>> The problem I'm experiencing is with getting slapi-nis to function
>>> properly.
>>>
>>> Reading other posts in the list I was able to get FreeIPA to serve
>>> NIS maps, and clients to bind to the NIS dom, but no passwords/auth
>>> work for users.
>>>
>>> Any tips on setup/troubleshooting this?
>>>
>> I haven't done any ipa-nis configuration for a while; here are my old
>> notes, they might still work
>>
>> * NIS client host set up in general
>>
>> This is what RHEL linux should follow.
>>
>> 1. Append the following line in the /etc/sysconfig/network file:
>>    * NISDOMAIN=mynisdomain
>> 2. Append the following line in /etc/yp.conf :
>>    * domain mynisdomain server 192.168.0.1 (replace the IP with the
>>      IPA server IP)
>> 3. Make sure the following lines contain 'nis' as an option in the
>>    file /etc/nsswitch.conf
>>    * passwd: files nis
>>    * shadow: files nis
>>    * group: files nis
>>    * hosts: files nis dns
>>    * networks: files nis
>>    * protocols: files nis
>>    * publickey: nisplus
>>    * automount: files nis
>>    * netgroup: files nis
>>    * aliases: files nisplus
>> 4. restart ypbind and portmap
>>    * /etc/rc.d/init.d/ypbind restart
>>    * /etc/rc.d/init.d/portmap restart
>>
>>
>>
>>> Thanks
>>>
>>> Gary
>>>
>>> on the Client:
>>> root at fell:~$ ypcat -k passwd
>>> ttest ttest:*:1102:1002:Tim Test:/home/ttest:/bin/bash
>>>
>>> root at fell:~$ ypwhich -m
>>> passwd.byuid fcds.edited
>>> passwd.byname fcds.edited
>>> netid.byname fcds.edited
>>> group.upg fcds.nes.edited
>>> group.byname fcds.edited
>>> group.bygid fcds.edited
>>>
>>
>
From nalin at redhat.com Tue Oct 6 19:45:14 2009 From: nalin at redhat.com (Nalin Dahyabhai) Date: Tue, 6 Oct 2009 15:45:14 -0400 Subject: [Freeipa-users] slapi-nis installation help In-Reply-To: <4ACB8D5E.6060404@checkpoint.com> References: <4ACB802C.2080205@gmoneylove.com> <4ACB897C.3020607@redhat.com> <4ACB8D5E.6060404@checkpoint.com> Message-ID: <20091006194514.GA6695@redhat.com> On Tue, Oct 06, 2009 at 11:33:02AM -0700, Gary Verhulp wrote: > Thanks for the response. > I have the NIS config on the client setup correctly I believe. > This client was moved from my current NIS domain and works fine. > > It's not that the client does not bind to the new FreeIPA NIS domain, > but rather there is no passwd hash in the output of ypcat -k passwd so > it has no way to auth. > > garyv at fell:/var/log$ ypcat -k passwd > ttest ttest:*:1102:1002:Tim Test:/home/ttest:/bin/bash The plugin's default configuration has it search for a "crypt" style value in the userPassword attribute for that entry, which is what a client would understand. (Specifically, it looks for an entry that begins with the magic value "{CRYPT}", strips that off of the front, and puts the rest into that field. Failing that, it uses "*".) If you use ldapsearch to search for ttest's entry as the directory administrator, do you see values of the form "{CRYPT}xxxxxxxxxxxxx" for the entry's "userPassword" attribute? If they're base64-encoded (marked by two ':' characters instead of one between the attribute name and value in the LDIF output), you may need to pipe the value through "openssl base64 -d" or something similar. 
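An added example, not code from the thread and not slapi-nis itself: it reproduces the rule Nalin describes so the "*" in Gary's ypcat output can be explained from the directory data alone. It parses one LDIF entry as ldapsearch prints it (folded continuation lines joined, a "::" value base64-decoded), uses the userPassword value only when it carries the {CRYPT} prefix, falls back to "*" otherwise, and builds the passwd.byname value in the uid:pw:uidNumber:gidNumber:gecos:homeDirectory:loginShell layout. The two sample entries, the dc=example,dc=test base and both hash strings are constructed placeholders.

```python
import base64

_CRYPT_PREFIX = "{CRYPT}"


def parse_ldif_entry(text):
    """Parse a single LDIF entry into {attribute_lowercase: [values]}.
    Folded lines (leading space) are joined to the previous line and an
    'attr:: value' line is base64-decoded, as in ldapsearch output."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:        # continuation of previous line
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):                  # "::" marks a base64 value
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        entry.setdefault(attr.strip().lower(), []).append(value)
    return entry


def nis_password_field(entry):
    """Field 2 of the NIS passwd map: the crypt hash if a userPassword value
    starts with {CRYPT}, otherwise '*' (what Gary sees for ttest)."""
    for value in entry.get("userpassword", []):
        if value.upper().startswith(_CRYPT_PREFIX):
            return value[len(_CRYPT_PREFIX):]
    return "*"


def passwd_map_line(entry):
    """Build the passwd.byname value: uid:pw:uidNumber:gidNumber:gecos:home:shell."""
    def first(attr):
        return entry.get(attr, [""])[0]
    return ":".join([first("uid"), nis_password_field(entry), first("uidnumber"),
                     first("gidnumber"), first("gecos"), first("homedirectory"),
                     first("loginshell")])


# --- constructed sample entries (not real accounts, not real hashes) ---
_COMMON = """dn: uid=ttest,cn=users,cn=accounts,dc=example,dc=test
uid: ttest
uidNumber: 1102
gidNumber: 1002
gecos: Tim Test
homeDirectory: /home/ttest
loginShell: /bin/bash
"""

# Base64 userPassword holding an {SSHA} hash, folded across two lines the way
# ldapsearch prints long values. A NIS client cannot use {SSHA}, so the plugin
# publishes "*" for this entry.
_ssha_b64 = base64.b64encode(b"{SSHA}constructedNotARealHash==").decode()
SAMPLE_SSHA = _COMMON + "userPassword:: " + _ssha_b64[:24] + "\n " + _ssha_b64[24:] + "\n"

# Plain {CRYPT} value (placeholder text, not a real crypt(3) hash).
SAMPLE_CRYPT = _COMMON + "userPassword: {CRYPT}$6$constructedsalt$constructedhash\n"


if __name__ == "__main__":
    for sample in (SAMPLE_SSHA, SAMPLE_CRYPT):
        print(passwd_map_line(parse_ldif_entry(sample)))
```

Whatever lands in that second field is readable by every host that can bind to the NIS domain, so an entry stored with a {CRYPT} hash is an entry whose hash is published to the network; the "*" the plugin emits for other hash types is the safe default, and switching users to {CRYPT} for NIS compatibility should be a deliberate decision.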
Nalin

From garyv at gmoneylove.com Tue Oct 6 19:58:32 2009
From: garyv at gmoneylove.com (garyv)
Date: Tue, 06 Oct 2009 12:58:32 -0700
Subject: [Freeipa-users] slapi-nis installation help
In-Reply-To: <20091006194514.GA6695@redhat.com>
References: <4ACB802C.2080205@gmoneylove.com> <4ACB897C.3020607@redhat.com> <4ACB8D5E.6060404@checkpoint.com> <20091006194514.GA6695@redhat.com>
Message-ID: <4ACBA168.1080008@gmoneylove.com>

Again, I appreciate your help.

Seemingly my ldif perhaps was not loaded correctly.
I see no userPassword attribute.

ldapsearch -x -b dc=nes,dc=edited,dc=com

# ttest, users, accounts, nes.edited.com
dn: uid=ttest,cn=users,cn=accounts,dc=nes,dc=edited,dc=com
displayName: Tim Test
cn: Tim Test
title: test User
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: inetUser
objectClass: posixAccount
objectClass: krbPrincipalAux
objectClass: radiusprofile
loginShell: /bin/bash
gidNumber: 1002
gecos: Tim Test
sn: Test
homeDirectory: /home/ttest
uid: ttest
mail: tim.test at nes.edited.com
krbPrincipalName: ttest at EDITED
initials: TT
uidNumber: 1102
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=nes,dc=edited,dc=com
krbLastPwdChange: 20091006002554Z
krbPasswordExpiration: 20091006002554Z
givenName: Tim

This is the .ldif file I added, but I do not see a "userPassword" attribute in it. Am I using a correct .ldif file?
dn: cn=NIS Server, cn=plugins, cn=config add: objectclass: top add: objectclass: nsSlapdPlugin add: objectclass: extensibleObject add: cn: NIS Server add: nsslapd-pluginpath: /usr/lib/dirsrv/plugins/nisserver-plugin.so add: nsslapd-plugininitfunc: nis_plugin_init add: nsslapd-plugintype: object add: nsslapd-pluginenabled: on add: nsslapd-pluginid: nis-server add: nsslapd-pluginversion: 0.15 add: nsslapd-pluginvendor: redhat.com add: nsslapd-plugindescription: NIS Server Plugin add: nis-tcp-wrappers-name: nis-server dn: nis-domain=rwceng+nis-map=passwd.byname, cn=NIS Server, cn=plugins, cn=config add: objectclass: top add: objectclass: extensibleObject add: nis-domain: rwceng add: nis-map: passwd.byname add: nis-base: cn=Users, dc=nes, dc=edited, dc=com add: nis-secure: no dn: nis-domain=rwceng+nis-map=passwd.byuid, cn=NIS Server, cn=plugins, cn=config add: objectclass: top add: objectclass: extensibleObject add: nis-domain: rwceng add: nis-map: passwd.byuid add: nis-base: cn=Users, dc=nes, dc=edited, dc=com add: nis-secure: no dn: nis-domain=rwceng+nis-map=group.byname, cn=NIS Server, cn=plugins, cn=config add: objectclass: top add: objectclass: extensibleObject add: nis-domain: rwceng add: nis-map: group.byname add: nis-base: cn=Groups, dc=nes, dc=edited, dc=com add: nis-secure: no dn: nis-domain=rwceng+nis-map=group.bygid, cn=NIS Server, cn=plugins, cn=config add: objectclass: top add: objectclass: extensibleObject add: nis-domain: rwceng add: nis-map: group.bygid add: nis-base: cn=Groups, dc=nes, dc=edited, dc=com add: nis-secure: no dn: nis-domain=rwceng+nis-map=group.upg, cn=NIS Server, cn=plugins, cn=config add: objectclass: top add: objectclass: extensibleObject add: nis-domain: rwceng add: nis-map: group.upg add: nis-base: cn=Users, dc=nes, dc=edited, dc=com add: nis-filter: (objectclass=posixAccount) add: nis-key-format: %{uid} add: nis-value-format: %{uid}:*:%{gidNumber}:%{uid} add: nis-secure: no add: nis-disallowed-chars: :, dn: 
nis-domain=rwceng+nis-map=netid.byname, cn=NIS Server, cn=plugins, cn=config add: objectclass: top add: objectclass: extensibleObject add: nis-domain: rwceng add: nis-map: netid.byname add: nis-base: cn=Users, dc=nes, dc=edited, dc=com add: nis-secure: no Nalin Dahyabhai wrote: > On Tue, Oct 06, 2009 at 11:33:02AM -0700, Gary Verhulp wrote: >> Thanks for the response. >> I have the NIS config on the client setup correctly I believe. >> This client was moved from my current NIS domain and works fine. >> >> It's not that the client does not bind to the new FreeIPA NIS domain, >> but rather there is no passwd hash in the output of ypcat -k passwd so >> it has no way to auth. >> >> garyv at fell:/var/log$ ypcat -k passwd >> ttest ttest:*:1102:1002:Tim Test:/home/ttest:/bin/bash > > The plugin's default configuration has it search for a "crypt" style > value in the userPassword attribute for that entry, which is what a > client would understand. (Specifically, it looks for an entry that > begins with the magic value "{CRYPT}", strips that off of the front, and > puts the rest into that field. Failing that, it uses "*".) > > If you use ldapsearch to search for ttest's entry as the directory > administrator, do you see values of the form "{CRYPT}xxxxxxxxxxxxx" for > the entry's "userPassword" attribute? > > If they're base64-encoded (marked by two ':' characters instead of one > between the attribute name and value in the LDIF output), you may need > to pipe the value through "openssl base64 -d" or something similar. 
>
> Nalin
>

From rcritten at redhat.com Tue Oct 6 20:06:22 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 06 Oct 2009 16:06:22 -0400
Subject: [Freeipa-users] slapi-nis installation help
In-Reply-To: <4ACBA168.1080008@gmoneylove.com>
References: <4ACB802C.2080205@gmoneylove.com> <4ACB897C.3020607@redhat.com> <4ACB8D5E.6060404@checkpoint.com> <20091006194514.GA6695@redhat.com> <4ACBA168.1080008@gmoneylove.com>
Message-ID: <4ACBA33E.4070401@redhat.com>

garyv wrote:
> Again, I appreciate your help.
>
>
> Seemingly my ldif perhaps was not loaded correctly.
> I see no userPassword attribute.

You need to bind as Directory Manager to show the userPassword attribute for everyone.

ldapsearch -x -D "cn=directory manager" -W -b "dc=nes,dc=edited,dc=com" "* userPassword"

rob

From gverhulp at checkpoint.com Tue Oct 6 21:06:33 2009
From: gverhulp at checkpoint.com (Gary Verhulp)
Date: Tue, 6 Oct 2009 14:06:33 -0700
Subject: [Freeipa-users] slapi-nis installation help
In-Reply-To: <4ACBA33E.4070401@redhat.com>
References: <4ACB802C.2080205@gmoneylove.com> <4ACB897C.3020607@redhat.com> <4ACB8D5E.6060404@checkpoint.com> <20091006194514.GA6695@redhat.com> <4ACBA168.1080008@gmoneylove.com> <4ACBA33E.4070401@redhat.com>
Message-ID: <4ACBB159.7040004@checkpoint.com>

This is what I ended up with.
# ttest, users, accounts, nes.checkpoint.com
dn: uid=ttest,cn=users,cn=accounts,dc=nes,dc=edited,dc=com
displayName: Tim Test
cn: Tim Test
title: test User
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: inetUser
objectClass: posixAccount
objectClass: krbPrincipalAux
objectClass: radiusprofile
loginShell: /bin/bash
gidNumber: 1002
gecos: Tim Test
sn: Test
homeDirectory: /home/ttest
uid: ttest
mail: tim.test at nes.edited.com
krbPrincipalName: ttest at NES.EDITED.COM
initials: TT
uidNumber: 1102
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=nes,dc=edited,dc=com
krbPrincipalKey:: [base64 key blob removed]
krbLastPwdChange: 20091006002554Z
krbPasswordExpiration: 20091006002554Z
userPassword:: e1NTSEF9NmdQbGR5VWsxMmpuV3lraFYvZEEzdURQSEc3YUN0UkpBam9YVnc9PQ==
givenName: Tim

Rob Crittenden wrote:
> garyv wrote:
>> Again, I appreciate your help.
>>
>> seemingly my ldif perhaps was not loaded correctly.
>> I see no userPassword attribute.
>
> You need to bind as Directory Manager to show the userPassword attribute
> for everyone.
>
> ldapsearch -x -D "cn=directory manager" -W -b "dc=nes,dc=edited,dc=com"
> "* userPassword"
>
> rob
>

From rmeggins at redhat.com Tue Oct 6 21:20:07 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 06 Oct 2009 15:20:07 -0600
Subject: [Freeipa-users] slapi-nis installation help
In-Reply-To: <4ACBB159.7040004@checkpoint.com>
References: <4ACB802C.2080205@gmoneylove.com> <4ACB897C.3020607@redhat.com> <4ACB8D5E.6060404@checkpoint.com> <20091006194514.GA6695@redhat.com> <4ACBA168.1080008@gmoneylove.com> <4ACBA33E.4070401@redhat.com> <4ACBB159.7040004@checkpoint.com>
Message-ID: <4ACBB487.6050900@redhat.com>

Gary Verhulp wrote:
> This is what I ended up with.
>
> # ttest, users, accounts, nes.checkpoint.com
> dn: uid=ttest,cn=users,cn=accounts,dc=nes,dc=edited,dc=com
> [...]
> krbPrincipalKey:: [base64 key blob removed]
> krbLastPwdChange: 20091006002554Z
> krbPasswordExpiration: 20091006002554Z
> userPassword:: e1NTSEF9NmdQbGR5VWsxMmpuV3lraFYvZEEzdURQSEc3YUN0UkpBam9YVnc9PQ==
> userPassword: {SSHA}6gPldyUk12jnWykhV/dA3uDPHG7aCtRJAjoXVw==
> givenName: Tim
>
> Rob Crittenden wrote:
>> garyv wrote:
>>> Again, I appreciate your help.
>>>
>>> seemingly my ldif perhaps was not loaded correctly.
>>> I see no userPassword attribute.
>>>
>> You need to bind as Directory Manager to show the userPassword attribute
>> for everyone.
>>
>> ldapsearch -x -D "cn=directory manager" -W -b "dc=nes,dc=edited,dc=com"
>> "* userPassword"
>>
>> rob
>

From garyv at gmoneylove.com Tue Oct 6 21:43:47 2009
From: garyv at gmoneylove.com (garyv)
Date: Tue, 06 Oct 2009 14:43:47 -0700
Subject: [Freeipa-users] slapi-nis installation help
In-Reply-To: <4ACBB487.6050900@redhat.com>
References: <4ACB802C.2080205@gmoneylove.com> <4ACB897C.3020607@redhat.com> <4ACB8D5E.6060404@checkpoint.com> <20091006194514.GA6695@redhat.com> <4ACBA168.1080008@gmoneylove.com> <4ACBA33E.4070401@redhat.com> <4ACBB159.7040004@checkpoint.com> <4ACBB487.6050900@redhat.com>
Message-ID: <4ACBBA13.6020903@gmoneylove.com>

So my client needs to understand SSHA encryption?
Did I understand that correct?

I have some really old clients that will only do DES.
(don't laugh)

Is there a way to change which encryption algorithm it uses?

Gary

Rich Megginson wrote:
> Gary Verhulp wrote:
>> This is what I ended up with.
>>
>> # ttest, users, accounts, nes.edited.com
>> dn: uid=ttest,cn=users,cn=accounts,dc=nes,dc=edited,dc=com
>> [...]
>> krbPrincipalKey:: [base64 key blob removed]
>> krbLastPwdChange: 20091006002554Z
>> krbPasswordExpiration: 20091006002554Z
>> userPassword:: e1NTSEF9NmdQbGR5VWsxMmpuV3lraFYvZEEzdURQSEc3YUN0UkpBam9YVnc9PQ==
> userPassword: {SSHA}6gPldyUk12jnWykhV/dA3uDPHG7aCtRJAjoXVw==
>> givenName: Tim
>>
>> Rob Crittenden wrote:
>>> garyv wrote:
>>>> Again, I appreciate your help.
>>>>
>>>> seemingly my ldif perhaps was not loaded correctly.
>>>> I see no userPassword attribute.
>>>>
>>> You need to bind as Directory Manager to show the userPassword attribute
>>> for everyone.
>>>
>>> ldapsearch -x -D "cn=directory manager" -W -b "dc=nes,dc=edited,dc=com"
>>> "* userPassword"
>>>
>>> rob
>

From rcritten at redhat.com Wed Oct 7 15:46:45 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 07 Oct 2009 11:46:45 -0400
Subject: [Freeipa-users] slapi-nis installation help
In-Reply-To: <98A78DC20B9DD949B2521D8FC483C3F336AFEAFA62@US-EX01.ad.checkpoint.com>
References: <4ACB802C.2080205@gmoneylove.com> <4ACB897C.3020607@redhat.com> <4ACB8D5E.6060404@checkpoint.com>, <4ACB90C9.7050800@redhat.com> <98A78DC20B9DD949B2521D8FC483C3F336AFEAFA62@US-EX01.ad.checkpoint.com>
Message-ID: <4ACCB7E5.6080903@redhat.com>

Gary Verhulp wrote:
> I have not done those steps. I did not see any of those in the doc anywhere!?
>
> I do not seem to have "ipa-nis-manage" command on this machine.

Don't panic, ipa-nis-manage is part of the next IPA release, V2.

> Seems like I'm missing a basic step somewhere.

I think you have things basically working. It looks like the problem is the password storage scheme being used, SSHA vs CRYPT.
rob

>
> I know I'm serving NIS with this server as I'm able to bind a client and:
>
> [root at fcds tmp]# rpcinfo -p
>    program vers proto   port  service
>     100000    4   tcp    111  portmapper
>     100000    3   tcp    111  portmapper
>     100000    2   tcp    111  portmapper
>     100000    4   udp    111  portmapper
>     100000    3   udp    111  portmapper
>     100000    2   udp    111  portmapper
>     100024    1   udp  44690  status
>     100024    1   tcp  45670  status
>     100004    2   tcp    671  ypserv
>     100004    2   udp    671  ypserv
>
> ___________________ _____________________
> From: yi zhang [yzhang at redhat.com]
> Sent: Tuesday, October 06, 2009 11:47 AM
> To: Gary Verhulp
> Cc: Freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] slapi-nis installation help
>
> On 10/06/2009 11:33 AM, Gary Verhulp wrote:
>> Thanks for the response.
>> I have the NIS config on the client setup correctly I believe.
>> This client was moved from my current NIS domain and works fine.
>>
>> It's not that the client does not bind to the new FreeIPA NIS domain,
>> but rather there is no passwd hash in the output of ypcat -k passwd so
>> it has no way to auth.
>>
>> garyv at fell:/var/log$ ypcat -k passwd
>> ttest ttest:*:1102:1002:Tim Test:/home/ttest:/bin/bash
>>
> have you enabled the IPA nis plug in? By default, this plug-in is
> disabled. To enable it, do the following on the ipa server
> 1. kinit admin
> 2. ipa-compat-manage enable -y
> 3. ipa-nis-manage enable -y
> 4. service dirsrv restart
> where the password file contains the plain text password of "admin"
> and dirsrv is the backend DB for ipa
> Yi
>> br,
>> Gary
>>
>> yi zhang wrote:
>>> On 10/06/2009 10:36 AM, garyv wrote:
>>>> Hi,
>>>>
>>>> I've installed freeIPA (ipa-server-1.2.2-1.fc11.i586) and have the
>>>> base functionality working and I'm quite pleased.
>>>>
>>>> The problem I'm experiencing is with getting slapi-nis to function
>>>> properly.
>>>>
>>>> Reading other posts in the list I was able to get FreeIPA to serve
>>>> NIS maps, and clients to bind to the NIS dom, but no passwords/auth
>>>> work for users.
>>>>
>>>> Any tips on setup/troubleshooting this?
>>>>
>>> I haven't done any ipa-nis configuration for a while, here are my old
>>> notes, they might still work
>>>
>>> * NIS client host set up in general
>>>
>>> This is what RHEL linux should follow.
>>>
>>> 1. Append the following line in the */etc/sysconfig/network* file:
>>>    * NISDOMAIN=mynisdomain
>>> 2. Append the following line in */etc/yp.conf* :
>>>    * domain mynisdomain server 192.168.0.1 (replace the ip with the
>>>      IPA server IP)
>>> 3. Make sure the following lines contain 'nis' as an option in the
>>>    file */etc/nsswitch.conf*
>>>    * passwd: files nis
>>>    * shadow: files nis
>>>    * group: files nis
>>>    * hosts: files nis dns
>>>    * networks: files nis
>>>    * protocols: files nis
>>>    * publickey: nisplus
>>>    * automount: files nis
>>>    * netgroup: files nis
>>>    * aliases: files nisplus
>>> 4. restart ypbind and portmap
>>>    * */etc/rc.d/init.d/ypbind restart*
>>>    * */etc/rc.d/init.d/portmap restart*
>>>
>>>> Thanks
>>>>
>>>> Gary
>>>>
>>>> on the Client:
>>>> root at fell:~$ ypcat -k passwd
>>>> ttest ttest:*:1102:1002:Tim Test:/home/ttest:/bin/bash
>>>>
>>>> root at fell:~$ ypwhich -m
>>>> passwd.byuid fcds.edited
>>>> passwd.byname fcds.edited
>>>> netid.byname fcds.edited
>>>> group.upg fcds.nes.edited
>>>> group.byname fcds.edited
>>>> group.bygid fcds.edited
>>>>
>

From garyv at gmoneylove.com Wed Oct 7 19:44:40 2009
From: garyv at gmoneylove.com (garyv)
Date: Wed, 07 Oct 2009 12:44:40 -0700
Subject: [Freeipa-users] slapi-nis installation help
In-Reply-To: <4ACCB7E5.6080903@redhat.com>
References: <4ACB802C.2080205@gmoneylove.com> <4ACB897C.3020607@redhat.com> <4ACB8D5E.6060404@checkpoint.com>, <4ACB90C9.7050800@redhat.com> <98A78DC20B9DD949B2521D8FC483C3F336AFEAFA62@US-EX01.ad.checkpoint.com> <4ACCB7E5.6080903@redhat.com>
Message-ID: <4ACCEFA8.9010704@gmoneylove.com>

Is there a way to get the NIS plugin to hand out DES passwords.
I have some freebsd 3.51 and old solaris machines that will not play nice except for DES.
I know it's not ideal but such is my lot.

I looked at the dse.ldif

dn: cn=Password Storage Schemes

Any suggestions on how to serve DES passwds from the NIS plugin??

Thanks
Gary

Rob Crittenden wrote:
> Gary Verhulp wrote:
>> I have not done those steps. I did not see any of those in the doc
>> anywhere!?
>>
>> I do not seem to have "ipa-nis-manage" command on this machine.
>
> Don't panic, ipa-nis-manage is part of the next IPA release, V2.
>
>> Seems like I'm missing a basic step somewhere.
>
> I think you have things basically working. It looks like the problem is
> the password storage scheme being used, SSHA vs CRYPT.
>
> rob
>
>> [...]
>

From ssorce at redhat.com Thu Oct 8 14:34:55 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 08 Oct 2009 10:34:55 -0400
Subject: [Freeipa-users] slapi-nis installation help
In-Reply-To: <4ACBBA13.6020903@gmoneylove.com>
References: <4ACB802C.2080205@gmoneylove.com> <4ACB897C.3020607@redhat.com> <4ACB8D5E.6060404@checkpoint.com> <20091006194514.GA6695@redhat.com> <4ACBA168.1080008@gmoneylove.com> <4ACBA33E.4070401@redhat.com> <4ACBB159.7040004@checkpoint.com> <4ACBB487.6050900@redhat.com> <4ACBBA13.6020903@gmoneylove.com>
Message-ID: <1255012495.2985.8.camel@localhost.localdomain>

On Tue, 2009-10-06 at 14:43 -0700, garyv wrote:
> So my client needs to understand SSHA encryption?
> Did I understand that correct?
>
> I have some really old clients that will only do DES.
> (don't laugh)
>
> Is there a way to change which encryption algorithm it uses?

No and exposing passwords over the network is a particularly bad idea anyways. Can't you use a pam module on your client to perform kerberos authentication instead of compromising all your network accounts for a stupid client ?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From james.roman at ssaihq.com Mon Oct 12 15:28:31 2009
From: james.roman at ssaihq.com (James Roman)
Date: Mon, 12 Oct 2009 11:28:31 -0400
Subject: [Freeipa-users] Customization risks with freeipa
Message-ID: <4AD34B1F.80905@ssaihq.com>

I am planning two customizations to our directory and wanted to find out if they pose any risks with future migrations.
First we have a subtree in our directory cn=applications,cn=accounts,dc=REALM,dc=com that contains application based accounts. I plan to enforce a separate password policy for entries in this container providing for a longer password age.

Second, we have been asked to modify the visibility of some of the default IPA account attributes when viewed by other authenticated users. Specifically, the cell phone, home phone and jpegPhoto attributes. I plan on applying a customized set of ACIs to the cn=People container that specify the visibility.

Do either of these customizations pose any risks?

From garyv at gmoneylove.com Mon Oct 12 17:04:23 2009
From: garyv at gmoneylove.com (garyv)
Date: Mon, 12 Oct 2009 10:04:23 -0700
Subject: [Freeipa-users] slapi-nis installation help
In-Reply-To: <1255012495.2985.8.camel@localhost.localdomain>
References: <4ACB802C.2080205@gmoneylove.com> <4ACB897C.3020607@redhat.com> <4ACB8D5E.6060404@checkpoint.com> <20091006194514.GA6695@redhat.com> <4ACBA168.1080008@gmoneylove.com> <4ACBA33E.4070401@redhat.com> <4ACBB159.7040004@checkpoint.com> <4ACBB487.6050900@redhat.com> <4ACBBA13.6020903@gmoneylove.com> <1255012495.2985.8.camel@localhost.localdomain>
Message-ID: <4AD36197.5000906@gmoneylove.com>

Finally getting back to you.

The Bad news: You are of course right, but I have ~40 old build machines to support and alas am not able to walk away from them.

The Good News: FreeIPA and the NIS-plugin works with these (FreeBSD 3.51)
My initial test client had issues and I moved on to another test client and it works!

Next I need to figure out how to serve AMD and autofs maps with the nis-plugin

Thanks for your help.

Gary

Simo Sorce wrote:
> On Tue, 2009-10-06 at 14:43 -0700, garyv wrote:
>> So my client needs to understand SSHA encryption?
>> Did I understand that correct?
>>
>> I have some really old clients that will only do DES.
>> (don't laugh)
>>
>> Is there a way to change which encryption algorithm it uses?
>
> No and exposing passwords over the network is a particularly bad idea
> anyways. Can't you use a pam module on your client to perform kerberos
> authentication instead of compromising all your network accounts for a
> stupid client ?
>
> Simo.
>

From rcritten at redhat.com Mon Oct 12 17:38:03 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 12 Oct 2009 13:38:03 -0400
Subject: [Freeipa-users] Customization risks with freeipa
In-Reply-To: <4AD34B1F.80905@ssaihq.com>
References: <4AD34B1F.80905@ssaihq.com>
Message-ID: <4AD3697B.8050508@redhat.com>

James Roman wrote:
> I am planning two customizations to our directory and wanted to find out
> if they pose any risks with future migrations.
>
> First we have a subtree in our directory
> cn=applications,cn=accounts,dc=REALM,dc=com that contains application
> based accounts. I plan to enforce a separate password policy for entries
> in this container providing for a longer password age.

You'll probably need to migrate this manually yourself at some point and cn=applications is an awfully generic name, no promises that we won't use that at some point for something else. But you're safe for now anyway.

> Second, we have been asked to modify the visibility of some of the
> default IPA account attributes when viewed by other authenticated users.
> Specifically, the cell phone, home phone and jpegPhoto attributes. I
> plan on applying a customized set of ACIs to the cn=People container
> that specify the visibility.

Again, you'd probably be on the hook to migrate this yourself but it shouldn't be a big deal depending on the actual ACI(s).

I assume you mean cn=users, right?

rob
From ssorce at redhat.com Mon Oct 12 18:16:54 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 12 Oct 2009 14:16:54 -0400
Subject: [Freeipa-users] slapi-nis installation help
In-Reply-To: <4AD36197.5000906@gmoneylove.com>
References: <4ACB802C.2080205@gmoneylove.com> <4ACB897C.3020607@redhat.com> <4ACB8D5E.6060404@checkpoint.com> <20091006194514.GA6695@redhat.com> <4ACBA168.1080008@gmoneylove.com> <4ACBA33E.4070401@redhat.com> <4ACBB159.7040004@checkpoint.com> <4ACBB487.6050900@redhat.com> <4ACBBA13.6020903@gmoneylove.com> <1255012495.2985.8.camel@localhost.localdomain> <4AD36197.5000906@gmoneylove.com>
Message-ID: <1255371414.12301.14.camel@localhost.localdomain>

On Mon, 2009-10-12 at 10:04 -0700, garyv wrote:
> Finally getting back to you.
>
> The Bad news: You are of course right, but I have ~40 old build
> machines to support and alas am not able to walk
> away from them.
>
> The Good News: FreeIPA and the NIS-plugin works with these (FreeBSD
> 3.51)
> My initial test client had issues and I moved on to
> another test client and it works!

I am glad it worked for you in the end, if there is anything missing in our documentation that you want to point out, it would be nice to know.
(You could even write a small howto on the freeipa.org wiki should you feel particularly generous :-)

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From mnagy at redhat.com Wed Oct 14 06:13:46 2009
From: mnagy at redhat.com (Martin Nagy)
Date: Wed, 14 Oct 2009 08:13:46 +0200
Subject: [Freeipa-users] Re: [Freeipa-interest] Can freeIPA enter into trust relationship with AD?
In-Reply-To: <5fa6c12e0910130919o1cdd06b4v7c65494982f9b742@mail.gmail.com>
References: <5fa6c12e0910130425t59be67c8q3187f31155bea3c0@mail.gmail.com> <4AD4A746.4030203@pet.ubc.ca> <5fa6c12e0910130919o1cdd06b4v7c65494982f9b742@mail.gmail.com>
Message-ID: <1255500826.29221.2887.camel@wolverine.englab.brq.redhat.com>

On Tue, 2009-10-13 at 18:19 +0200, Martin wrote:
> I was even surprised that -interest isn't a read only newsletter like
> list when I saw the original message (*hint*)

I agree with Martin. Can someone make the -interest list moderated please?

Martin

From wxiluo at gmail.com Tue Oct 20 07:30:02 2009
From: wxiluo at gmail.com (Michael Kang)
Date: Tue, 20 Oct 2009 15:30:02 +0800
Subject: [Freeipa-users] Import LDIF file to FreeIPA
Message-ID: <97725cf0910200030qb84022fk7ea0dcdf7434f2f4@mail.gmail.com>

Dear all,

I got a LDIF file which is exported from Fedora 389 Directory Server. I want to import those user info into FreeIPA. What should I do? I just need the group, username and passwd information which is exported from another Fedora 389 Directory Server.

As far as I considered, I need to write a shell script to read user name from LDIF file and use *ipa-useradd* command to achieve my goal.

FreeIPA also uses 389 ds. Can I use *389-console* java platform to manage FreeIPA?

Thanks,
Michael Kang

-- 
Michael Kang
There is a giant asleep within every man. When the giant awakens, miracles happen.
Personal blog: http://ufusion.org - United Fusion
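An added example, not code from this thread or from the FreeIPA project: a small Python reader for the kind of 389-ds LDIF export Michael asks about, which also works through the two points raised in the slapi-nis thread above (decoding `::` base64 values and folded lines, and why a {SSHA} userPassword ends up as `*` in the NIS passwd map while only {CRYPT} is passed through). The IPA-side checks (required objectclasses, krbPrincipalName as uid@REALM, password reset because imported hashes give no usable Kerberos keys) follow Rob Crittenden's reply that comes next in the thread; the report layout, the exact-case `{CRYPT}` match and the sample entries are this example's own assumptions.

```python
import base64

# Constructed sample, not real directory data. Entry 1 mirrors the ttest
# entry quoted in the slapi-nis thread: an {SSHA} hash, base64-encoded
# ('::') and folded onto a continuation line the way ldapsearch prints it.
# Entry 2 is a hypothetical account from an older server using {CRYPT}.
SAMPLE_LDIF = """\
# ttest, users, accounts, nes.edited.com
dn: uid=ttest,cn=users,cn=accounts,dc=nes,dc=edited,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: inetUser
objectClass: posixAccount
objectClass: krbPrincipalAux
uid: ttest
uidNumber: 1102
gidNumber: 1002
gecos: Tim Test
homeDirectory: /home/ttest
loginShell: /bin/bash
userPassword:: e1NTSEF9NmdQbGR5VWsxMmpuV3lraFYvZEEzdURQSEc3YUN0UkpBam9YVnc9P
 Q==

dn: uid=legacy,ou=People,dc=old,dc=example
objectClass: top
objectClass: person
objectClass: posixAccount
uid: legacy
uidNumber: 1103
gidNumber: 1002
gecos: Legacy User
homeDirectory: /home/legacy
loginShell: /bin/sh
userPassword: {CRYPT}xxxxxxxxxxxxx
"""

# Objectclasses Rob lists for a user entry in the IPA DIT.
IPA_USER_OBJECTCLASSES = ("top", "organizationalperson", "inetorgperson",
                          "inetuser", "posixaccount", "krbprincipalaux")

def parse_ldif(text):
    """Return one dict per LDIF record (attribute name, lower-cased -> list
    of values). Joins folded lines (leading space), skips '#' comments and
    decodes 'attr:: <base64>' values."""
    entries, record = [], []
    for raw in text.splitlines() + [""]:      # trailing "" flushes the last record
        if raw.startswith(" ") and record:
            record[-1] += raw[1:]             # LDIF line folding
        elif raw == "":
            if record:
                entries.append(_to_entry(record))
                record = []
        elif not raw.startswith("#"):
            record.append(raw)
    return entries

def _to_entry(lines):
    entry = {}
    for line in lines:
        name, _, value = line.partition(":")
        if value.startswith(":"):             # '::' marks a base64 value
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        entry.setdefault(name.strip().lower(), []).append(value)
    return entry

def nis_passwd_field(entry):
    """The rule Nalin describes for slapi-nis: a userPassword beginning with
    {CRYPT} is exported with the tag stripped; anything else (including the
    {SSHA} that 389-ds stores by default) becomes '*', so NIS clients cannot
    authenticate. Exact-case tag matching is this example's assumption."""
    for pw in entry.get("userpassword", []):
        if pw.startswith("{CRYPT}"):
            return pw[len("{CRYPT}"):]
    return "*"

def nis_passwd_line(entry):
    """passwd map value in the form 'ypcat -k passwd' shows it."""
    first = lambda attr: entry.get(attr, [""])[0]
    return ":".join([first("uid"), nis_passwd_field(entry), first("uidnumber"),
                     first("gidnumber"), first("gecos"), first("homedirectory"),
                     first("loginshell")])

def ipa_import_report(entry, realm):
    """What a user exported from another 389-ds still needs before it fits
    the IPA DIT (report layout is this example's own, not an IPA API)."""
    have = {oc.lower() for oc in entry.get("objectclass", [])}
    uid = entry.get("uid", [""])[0]
    passwords = entry.get("userpassword", [])
    # A pre-hashed userPassword ({SSHA}, {CRYPT}, ...) cannot be turned into
    # Kerberos keys, so such accounts need a password set after import.
    hashed_only = all(pw.startswith("{") for pw in passwords)
    return {
        "uid": uid,
        "missing_objectclasses": sorted(set(IPA_USER_OBJECTCLASSES) - have),
        "krbprincipalname": f"{uid}@{realm}",
        "needs_new_password": not passwords or hashed_only,
    }
```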
From rcritten at redhat.com Tue Oct 20 13:49:48 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 20 Oct 2009 09:49:48 -0400
Subject: [Freeipa-users] Import LDIF file to FreeIPA
In-Reply-To: <97725cf0910200030qb84022fk7ea0dcdf7434f2f4@mail.gmail.com>
References: <97725cf0910200030qb84022fk7ea0dcdf7434f2f4@mail.gmail.com>
Message-ID: <4ADDBFFC.1050101@redhat.com>

Michael Kang wrote:
> Dear all,
>
> I got a LDIF file which is exported from Fedora 389 Directory Server. I
> want to import those user info into FreeIPA. What should I do? I just
> need the group, username and passwd information which is exported from
> another Fedora 389 Directory Server.

You won't be able to import it without some changes. You'll need to match the IPA DIT (http://freeipa.org/page/UsingRhdsWithIpa) to begin with. You'll probably want to update the objectclasses in each user entry as well to include: top, organizationalperson, inetorgperson, inetuser, posixaccount and krbprincipalaux.

You'll need to set krbprincipalname to uid at REALM in each user entry.

The existing userPassword entry can be imported but you won't have usable kerberos credentials (it will probably generate keys but it will use the pre-hashed password so the keys will be unusable).

As you can see, directly importing the LDIF would be quite a bit of work.

> As far as I considered, I need to write a shell script to read user name
> from LDIF file and use */ipa-useradd/* command to achieve my goal.

This is probably a better way, you'll just need to set a password on each user. The first time the user logs in they will need to reset the password (so only they know it)

> FreeIPA also uses 389 ds. Can I use */389-console/* java platform to
> manage FreeIPA?

This is not recommended. Someone figured out how to do this at one point and posted instructions to either freeipa-devel or freeipa-users, I can't recall at this point.

It isn't recommended because you can easily create users outside of the IPA DIT, create non-posix users, etc. It will probably end up causing more problems in the long-run. We recommend using the IPA tools.

rob

From dpal at redhat.com Tue Oct 20 15:55:34 2009
From: dpal at redhat.com (Dmitri Pal)
Date: Tue, 20 Oct 2009 11:55:34 -0400
Subject: [Freeipa-users] Import LDIF file to FreeIPA
In-Reply-To: <4ADDBFFC.1050101@redhat.com>
References: <97725cf0910200030qb84022fk7ea0dcdf7434f2f4@mail.gmail.com> <4ADDBFFC.1050101@redhat.com>
Message-ID: <4ADDDD76.8080807@redhat.com>

Rob Crittenden wrote:
> Michael Kang wrote:
>> Dear all,
>>
>> I got a LDIF file which is exported from Fedora 389 Directory Server.
>> I want to import those user info into FreeIPA. What should I do? I
>> just need the group, username and passwd information which is exported
>> from another Fedora 389 Directory Server.
>
> You won't be able to import it without some changes. You'll need to
> match the IPA DIT (http://freeipa.org/page/UsingRhdsWithIpa) to begin
> with. You'll probably want to update the objectclasses in each user
> entry as well to include: top, organizationalperson, inetorgperson,
> inetuser, posixaccount and krbprincipalaux.
>
> You'll need to set krbprincipalname to uid at REALM in each user entry.
>
> The existing userPassword entry can be imported but you won't have
> usable kerberos credentials (it will probably generate keys but it
> will use the pre-hashed password so the keys will be unusable).
>
> As you can see, directly importing the LDIF would be quite a bit of work.
>
>> As far as I considered, I need to write a shell script to read user
>> name from LDIF file and use */ipa-useradd/* command to achieve my goal.
>
> This is probably a better way, you'll just need to set a password on
> each user. The first time the user logs in they will need to reset the
> password (so only they know it)
>

If you can create a script that invokes IPA CLI like ipa-adduser would be the best. In this case you do not need to worry about any schema differences.

>> FreeIPA also uses 389 ds. Can I use */389-console/* java platform to
>> manage FreeIPA?
>
> This is not recommended. Someone figured out how to do this at one
> point and posted instructions to either freeipa-devel or
> freeipa-users, I can't recall at this point.
>
> It isn't recommended because you can easily create users outside of
> the IPA DIT, create non-posix users, etc. It will probably end up
> causing more problems in the long-run. We recommend using the IPA tools.
>
> rob
>

-- 
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From Andy.Singleton at tipp24os.co.uk Thu Oct 22 15:22:41 2009
From: Andy.Singleton at tipp24os.co.uk (Andy Singleton)
Date: Thu, 22 Oct 2009 16:22:41 +0100
Subject: [Freeipa-users] FreeIPA "crashes" after many mystery connections
Message-ID: <1CD40A4DEEA320479C98D8A93A5C690601D9061B@waterloo.t24uk.tipp24.net>

Hello,

I am trying to solve a mystery. We have 2 replicated FreeIPA servers.
Today they both stopped receiving requests because the Directory Server had begun to refuse connections.
The relevant message is "Not listening for new connections - too many fds open"

That's all well and good: I can increase the file descriptor allowance.
However, the reason the fds limit was reached was a massive number of connections from the servers themselves.
Can someone provide me with an idea for what this might be?

We received 1024 connections in under 1 second. Here is an example dirsrv access log entry:

[22/Oct/2009:12:29:53 +0200] conn=679021 fd=464 slot=464 connection from 127.0.0.1 to 127.0.0.1
[22/Oct/2009:12:29:53 +0200] conn=679021 op=0 BIND dn="uid=kdc,cn=sysaccounts,cn=etc,dc=live,dc=tipp24,dc=net" method=128 version=3
[22/Oct/2009:12:29:53 +0200] conn=679021 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=kdc,cn=sysaccounts,cn=etc,dc=live,dc=tipp24,dc=net"

Some final notes:
Both servers stopped one after the other. First server A, then 1 second afterwards, server B.

I'm pretty stuck as to what might have caused this.

Cheers
Andy

From ssorce at redhat.com Thu Oct 22 16:02:18 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 22 Oct 2009 12:02:18 -0400
Subject: [Freeipa-users] FreeIPA "crashes" after many mystery connections
In-Reply-To: <1CD40A4DEEA320479C98D8A93A5C690601D9061B@waterloo.t24uk.tipp24.net>
References: <1CD40A4DEEA320479C98D8A93A5C690601D9061B@waterloo.t24uk.tipp24.net>
Message-ID: <1256227338.2914.10.camel@localhost.localdomain>

On Thu, 2009-10-22 at 16:22 +0100, Andy Singleton wrote:
> Hello,
>
> I am trying to solve a mystery. We have 2 replicated FreeIPA servers.
> Today they both stopped receiving requests because the Directory Server had begun to refuse connections.
> The relevant message is "Not listening for new connections - too many fds open"
>
> That's all well and good: I can increase the file descriptor allowance.
> However, the reason the fds limit was reached was a massive number of connections from the servers themselves.
>
> Can someone provide me with an idea for what this might be?
>
> We received 1024 connections in under 1 second: Here is an example dirsrv access log entry:
>
> [22/Oct/2009:12:29:53 +0200] conn=679021 fd=464 slot=464 connection from 127.0.0.1 to 127.0.0.1
> [22/Oct/2009:12:29:53 +0200] conn=679021 op=0 BIND dn="uid=kdc,cn=sysaccounts,cn=etc,dc=live,dc=tipp24,dc=net" method=128 version=3
> [22/Oct/2009:12:29:53 +0200] conn=679021 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=kdc,cn=sysaccounts,cn=etc,dc=live,dc=tipp24,dc=net"
>
> Some final notes:
> Both servers stopped one after the other. First server A, then 1 second afterwards, server B.
>
> I'm pretty stuck as to what might have caused this.

Can you check the krb5kdc logs ?
dn="uid=kdc,cn=sysaccounts,cn=etc,dc=live,dc=tipp24,dc=net" is the account used by the kdc (in v1).
So it looks like the KDC went crazy trying to connect to the ldap server.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From sbrady at gtfservices.com Fri Oct 23 01:13:37 2009
From: sbrady at gtfservices.com (Sean Brady)
Date: Thu, 22 Oct 2009 18:13:37 -0700
Subject: [Freeipa-users] As a non-developer, how can I contribute??
Message-ID: <7743B3216F93CA4E83EF6F0EC4081C9B5F6AB009D0@EXVMBX017-10.exch017.msoutlookonline.net>

Please forgive me if this question is redundant, I can't seem to find the answer to this anywhere...

I am a network admin of a heterogeneous small network (Windows and CentOS), and a non-developer. How can I help move this project forward? If there is anything that I can do to assist with this project, whether it be documentation editing, testing, financial (to a limited degree), or anything else, please let me know.

I have been looking at FreeIPA for a little while now, and I am completely convinced that this is what the Linux community needs to really move forward in the enterprise.
I am becoming increasingly convinced that we need to reduce or eliminate our reliance on proprietary identity management solutions, and for Linux on the desktop to be truly successful we need a comprehensive, open source identity and security management platform.

Also, has the group looked at some of the things that Likewise is doing (http://www.likewise.com/products/likewise_enterprise/)? Perhaps they would be interested in contributing some technical resources? I believe that it could be a good strategic move for Redhat, FreeIPA and Likewise. I was particularly interested in the GNOME group policies (http://www.likewise.com/products/likewise_enterprise/gnome_group_policy.php). That is something that would really add tremendous value to the network admin deploying Linux to the desktop.

Thanks all.

Sean Brady
GTF Services LLC

From ssorce at redhat.com Fri Oct 23 12:50:13 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 23 Oct 2009 12:50:13 +0000
Subject: [Freeipa-users] As a non-developer, how can I contribute??
In-Reply-To: <7743B3216F93CA4E83EF6F0EC4081C9B5F6AB009D0@EXVMBX017-10.exch017.msoutlookonline.net>
References: <7743B3216F93CA4E83EF6F0EC4081C9B5F6AB009D0@EXVMBX017-10.exch017.msoutlookonline.net>
Message-ID: <1256302213.2914.21.camel@localhost.localdomain>

On Thu, 2009-10-22 at 18:13 -0700, Sean Brady wrote:
> If there is anything that I can do to assist with this project, whether it be documentation editing, testing, financial (to a limited degree), or anything else, please let me know.

Hi Sean,
there are a lot of things you can do.
Testing code (both freeipa and sssd + ipa provider) and reporting bugs for example.
Also helping out with keeping freeipa.org up to date would be very useful.
If you like writing documentation, that is very welcome too. There are many areas that are borderline and yet important for admins where howtos would be really appreciated and so on.
You don't need to be a developer to help, just look at the project and identify a weak area where you think you can contribute and let us know what you plan to do.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Fri Oct 23 12:50:50 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 23 Oct 2009 08:50:50 -0400
Subject: [Freeipa-users] FreeIPA "crashes" after many mystery connections
In-Reply-To: <1CD40A4DEEA320479C98D8A93A5C6906020629C7@waterloo.t24uk.tipp24.net>
References: <1CD40A4DEEA320479C98D8A93A5C690601D9061B@waterloo.t24uk.tipp24.net> <1256227338.2914.10.camel@localhost.localdomain> <1CD40A4DEEA320479C98D8A93A5C6906020629C7@waterloo.t24uk.tipp24.net>
Message-ID: <1256302250.2914.22.camel@localhost.localdomain>

On Fri, 2009-10-23 at 09:59 +0100, Andy Singleton wrote:
> There isn't much in the krb5kdc.logs.
> Server A has a few entries about a minute before the incident. Then nothing until we had to reboot the box.

Very strange ...
Do you still have the DS error log ? Anything in there ?

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From Andy.Singleton at tipp24os.co.uk Fri Oct 23 08:59:50 2009
From: Andy.Singleton at tipp24os.co.uk (Andy Singleton)
Date: Fri, 23 Oct 2009 09:59:50 +0100
Subject: [Freeipa-users] FreeIPA "crashes" after many mystery connections
References: <1CD40A4DEEA320479C98D8A93A5C690601D9061B@waterloo.t24uk.tipp24.net> <1256227338.2914.10.camel@localhost.localdomain>
Message-ID: <1CD40A4DEEA320479C98D8A93A5C6906020629C7@waterloo.t24uk.tipp24.net>

There isn't much in the krb5kdc.logs.
Server A has a few entries about a minute before the incident. Then nothing until we had to reboot the box.
Oct 22 12:27:53 a.office.tipp24.de krb5kdc[2114](info): TGS_REQ (1 etypes {18}) 192.168.0.11: ISSUE: authtime 1255946532, etypes {rep=18 tkt=18 ses=18}, user1 at LIVE.TIPP24.NET for krbtgt/LIVE.TIPP24.NET at LIVE.TIPP24.NET
Oct 22 12:28:08 a.office.tipp24.de krb5kdc[2114](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.0.12: CLIENT_NOT_FOUND: root at LIVE.TIPP24.NET for krbtgt/LIVE.TIPP24.NET at LIVE.TIPP24.NET, Client not found in Kerberos database
Oct 22 12:28:13 a.office.tipp24.de krb5kdc[2114](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.0.12: NEEDED_PREAUTH: user1 at LIVE.TIPP24.NET for krbtgt/LIVE.TIPP24.NET at LIVE.TIPP24.NET, Additional pre-authentication required
Oct 22 12:28:13 a.office.tipp24.de krb5kdc[2114](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.0.12: ISSUE: authtime 1256207293, etypes {rep=18 tkt=18 ses=18}, user1 at LIVE.TIPP24.NET for krbtgt/LIVE.TIPP24.NET at LIVE.TIPP24.NET
Oct 22 13:21:40 a.office.tipp24.de krb5kdc[2080](info): setting up network...

Server B has even less: No entries for an hour before it gets the same problem.

Oct 22 11:32:34 b.office.tipp24.de krb5kdc[11838](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.0.10: NEEDED_PREAUTH: user2 at LIVE.TIPP24.NET for krbtgt/LIVE.TIPP24.NET at LIVE.TIPP24.NET, Additional pre-authentication required
Oct 22 11:32:34 b.office.tipp24.de krb5kdc[11838](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.0.10: ISSUE: authtime 1256203954, etypes {rep=18 tkt=18 ses=18}, user2 at LIVE.TIPP24.NET for krbtgt/LIVE.TIPP24.NET at LIVE.TIPP24.NET

All hostnames and users have been changed to protect the innocent.

Andy

-----Original Message-----
From: Simo Sorce [mailto:ssorce at redhat.com]
Sent: 22 October 2009 18:02
To: Andy Singleton
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] FreeIPA "crashes" after many mystery connections

On Thu, 2009-10-22 at 16:22 +0100, Andy Singleton wrote:
> Hello,
>
> I am trying to solve a mystery.
> We have 2 replicated FreeIPA servers.
> Today they both stopped receiving requests because the Directory Server had begun to refuse connections.
> The relevant message is "Not listening for new connections - too many fds open"
>
> That's all well and good: I can increase the file descriptor allowance.
> However, the reason the fds limit was reached was a massive number of connections from the servers themselves.
>
> Can someone provide me with an idea for what this might be?
>
> We received 1024 connections in under 1 second: Here is an example dirsrv access log entry:
>
> [22/Oct/2009:12:29:53 +0200] conn=679021 fd=464 slot=464 connection from 127.0.0.1 to 127.0.0.1
> [22/Oct/2009:12:29:53 +0200] conn=679021 op=0 BIND dn="uid=kdc,cn=sysaccounts,cn=etc,dc=live,dc=tipp24,dc=net" method=128 version=3
> [22/Oct/2009:12:29:53 +0200] conn=679021 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=kdc,cn=sysaccounts,cn=etc,dc=live,dc=tipp24,dc=net"
>
> Some final notes:
> Both servers stopped one after the other. First server A, then 1 second afterwards, server B.
>
> I'm pretty stuck as to what might have caused this.

Can you check the krb5kdc logs ?
dn="uid=kdc,cn=sysaccounts,cn=etc,dc=live,dc=tipp24,dc=net" is the account used by the kdc (in v1).
So it looks like the KDC went crazy trying to connect to the ldap server.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From chorn at fluxcoil.net Fri Oct 23 20:26:05 2009
From: chorn at fluxcoil.net (Christian Horn)
Date: Fri, 23 Oct 2009 22:26:05 +0200
Subject: [Freeipa-users] As a non-developer, how can I contribute??
In-Reply-To: <1256302213.2914.21.camel@localhost.localdomain>
References: <7743B3216F93CA4E83EF6F0EC4081C9B5F6AB009D0@EXVMBX017-10.exch017.msoutlookonline.net> <1256302213.2914.21.camel@localhost.localdomain>
Message-ID: <20091023202605.GA25245@fluxcoil.net>

Hi,

On Fri, Oct 23, 2009 at 12:50:13PM +0000, Simo Sorce wrote:
> On Thu, 2009-10-22 at 18:13 -0700, Sean Brady wrote:
> > If there is anything that I can do to assist with this project, whether it be documentation editing, testing, financial (to a limited degree), or anything else, please let me know.
>
> If you like writing documentation, that is very welcome too. There are many areas that are borderline and yet important for admins where howtos would be really appreciated and so on.

I am more a user/sysadmin/engineer of authentication/authorization environments, so this is what also first came to my mind: howtos of typical setups. Maybe including cross-realm setups with Microsoft AD and discussing who supports what parts of such setups in detail, since it's an important point for big corporations.

Christian

From sbrady at gtfservices.com Sat Oct 24 01:22:29 2009
From: sbrady at gtfservices.com (Sean Brady)
Date: Fri, 23 Oct 2009 18:22:29 -0700
Subject: [Freeipa-users] As a non-developer, how can I contribute??
In-Reply-To: <20091023202605.GA25245@fluxcoil.net>
References: <7743B3216F93CA4E83EF6F0EC4081C9B5F6AB009D0@EXVMBX017-10.exch017.msoutlookonline.net> <1256302213.2914.21.camel@localhost.localdomain> <20091023202605.GA25245@fluxcoil.net>
Message-ID: <7743B3216F93CA4E83EF6F0EC4081C9B5F6AB00D0C@EXVMBX017-10.exch017.msoutlookonline.net>

Sounds like documentation is the main thing here. I'll start getting a test lab set up and documenting what I am doing.

Are there any other docs that are in the planning/alpha/beta stages that you can share? I can possibly edit and proof those as well.

Any thoughts on the Likewise stuff, specifically the GNOME group policies?
Sean Brady
GTF Services LLC
sbrady at gtfservices.com
303.800.9350 x2404

-----Original Message-----
From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Christian Horn
Sent: Friday, October 23, 2009 2:26 PM
To: Simo Sorce
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] As a non-developer, how can I contribute??

Hi,

On Fri, Oct 23, 2009 at 12:50:13PM +0000, Simo Sorce wrote:
> On Thu, 2009-10-22 at 18:13 -0700, Sean Brady wrote:
> > If there is anything that I can do to assist with this project, whether it be documentation editing, testing, financial (to a limited degree), or anything else, please let me know.
>
> If you like writing documentation, that is very welcome too. There are many areas that are borderline and yet important for admins where howtos would be really appreciated and so on.

I am more a user/sysadmin/engineer of authentication/authorization environments, so this is what also first came to my mind: howtos of typical setups. Maybe including cross-realm setups with Microsoft AD and discussing who supports what parts of such setups in detail, since it's an important point for big corporations.

Christian

From davido at redhat.com Sun Oct 25 21:47:33 2009
From: davido at redhat.com (David O'Brien)
Date: Mon, 26 Oct 2009 07:47:33 +1000
Subject: [Freeipa-users] As a non-developer, how can I contribute??
In-Reply-To: <7743B3216F93CA4E83EF6F0EC4081C9B5F6AB00D0C@EXVMBX017-10.exch017.msoutlookonline.net>
References: <7743B3216F93CA4E83EF6F0EC4081C9B5F6AB009D0@EXVMBX017-10.exch017.msoutlookonline.net> <1256302213.2914.21.camel@localhost.localdomain> <20091023202605.GA25245@fluxcoil.net> <7743B3216F93CA4E83EF6F0EC4081C9B5F6AB00D0C@EXVMBX017-10.exch017.msoutlookonline.net>
Message-ID: <4AE4C775.5090008@redhat.com>

Sean Brady wrote:
> Sounds like documentation is the main thing here. I'll start getting a test lab set up and documenting what I am doing.

Contributions to documentation are always most welcome, be they additions to cover configurations for different platforms, or reviews, tests, etc., of existing documentation.

> Are there any other docs that are in the planning/alpha/beta stages that you can share? I can possibly edit and proof those as well.

The only doc being developed at the moment is for the next version of freeIPA, which is not due out for some time. You can see all available documentation at http://freeipa.org/page/DocumentationPortal

best regards,

--
David O'Brien
IPA Content Author
Red Hat Asia Pacific
+61 7 3514 8189
http://freeipa.org/page/DocumentationPortal
http://git.fedorahosted.org/git/ipadocs.git

"The most valuable of all talents is that of never using two words when one will do."
Thomas Jefferson

> Any thoughts on the Likewise stuff, specifically the GNOME group policies?
>
> Sean Brady
> GTF Services LLC
> sbrady at gtfservices.com
> 303.800.9350 x2404
>
> -----Original Message-----
> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Christian Horn
> Sent: Friday, October 23, 2009 2:26 PM
> To: Simo Sorce
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] As a non-developer, how can I contribute??
>
> Hi,
>
> On Fri, Oct 23, 2009 at 12:50:13PM +0000, Simo Sorce wrote:
>> On Thu, 2009-10-22 at 18:13 -0700, Sean Brady wrote:
>>> If there is anything that I can do to assist with this project, whether it be documentation editing, testing, financial (to a limited degree), or anything else, please let me know.
>>
>> If you like writing documentation, that is very welcome too. There are many areas that are borderline and yet important for admins where howtos would be really appreciated and so on.
>
> I am more a user/sysadmin/engineer of authentication/authorization environments, so this is what also first came to my mind: howtos of typical setups. Maybe including cross-realm setups with Microsoft AD and discussing who supports what parts of such setups in detail, since it's an important point for big corporations.
>
> Christian
>

From dpal at redhat.com Mon Oct 26 03:36:33 2009
From: dpal at redhat.com (Dmitri Pal)
Date: Sun, 25 Oct 2009 23:36:33 -0400
Subject: [Freeipa-users] As a non-developer, how can I contribute??
In-Reply-To: <4AE4C775.5090008@redhat.com>
References: <7743B3216F93CA4E83EF6F0EC4081C9B5F6AB009D0@EXVMBX017-10.exch017.msoutlookonline.net> <1256302213.2914.21.camel@localhost.localdomain> <20091023202605.GA25245@fluxcoil.net> <7743B3216F93CA4E83EF6F0EC4081C9B5F6AB00D0C@EXVMBX017-10.exch017.msoutlookonline.net> <4AE4C775.5090008@redhat.com>
Message-ID: <4AE51941.1020102@redhat.com>

David O'Brien wrote:
> Sean Brady wrote:
>> Sounds like documentation is the main thing here. I'll start getting a test lab set up and documenting what I am doing.
>
> Contributions to documentation are always most welcome, be they additions to cover configurations for different platforms, or reviews, tests, etc., of existing documentation.
>
>> Are there any other docs that are in the planning/alpha/beta stages that you can share? I can possibly edit and proof those as well.
>
> The only doc being developed at the moment is for the next version of freeIPA, which is not due out for some time. You can see all available documentation at http://freeipa.org/page/DocumentationPortal
>
> best regards,
>

We are planning to post some of the new pages about how different features actually work. Hopefully we will be able to do it this week. Stay tuned.

--
Thank you,
Dmitri Pal
Engineering Manager IPA project, Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From Andy.Singleton at tipp24os.co.uk Mon Oct 26 08:46:08 2009
From: Andy.Singleton at tipp24os.co.uk (Andy Singleton)
Date: Mon, 26 Oct 2009 08:46:08 -0000
Subject: [Freeipa-users] FreeIPA "crashes" after many mystery connections
References: <1CD40A4DEEA320479C98D8A93A5C690601D9061B@waterloo.t24uk.tipp24.net> <1256227338.2914.10.camel@localhost.localdomain> <1CD40A4DEEA320479C98D8A93A5C6906020629C7@waterloo.t24uk.tipp24.net> <1256302250.2914.22.camel@localhost.localdomain>
Message-ID: <1CD40A4DEEA320479C98D8A93A5C690602062A87@waterloo.t24uk.tipp24.net>

The DS log entries look like this:

[22/Oct/2009:12:29:51 +0200] - Not listening for new connections - too many fds open
[22/Oct/2009:12:30:12 +0200] - Listening for new connections again
[22/Oct/2009:12:30:12 +0200] - Not listening for new connections - too many fds open
[22/Oct/2009:13:19:50 +0200] - Listening for new connections again
...repeated x 170...
[22/Oct/2009:13:20:08 +0200] - Not listening for new connections - too many fds open
[22/Oct/2009:13:20:08 +0200] - Listening for new connections again
[22/Oct/2009:13:20:13 +0200] - slapd shutting down - signaling operation threads
[22/Oct/2009:13:20:13 +0200] - slapd shutting down - closing down internal subsystems and plugins
[22/Oct/2009:13:20:16 +0200] - Waiting for 4 database threads to stop
[22/Oct/2009:13:20:16 +0200] - All database threads now stopped
[22/Oct/2009:13:20:16 +0200] - slapd stopped.
As far as I can see, whatever was trying to connect kept trying, and filling up new slots as they became available until I rebooted.

Thanks
Andy

-----Original Message-----
From: Simo Sorce [mailto:ssorce at redhat.com]
Sent: 23 October 2009 13:51
To: Andy Singleton
Cc: freeipa-users at redhat.com
Subject: RE: [Freeipa-users] FreeIPA "crashes" after many mystery connections

On Fri, 2009-10-23 at 09:59 +0100, Andy Singleton wrote:
> There isn't much in the krb5kdc.logs.
> Server A has a few entries about a minute before the incident. Then nothing until we had to reboot the box.

Very strange ...
Do you still have the DS error log ? Anything in there ?

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Mon Oct 26 12:29:37 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 26 Oct 2009 08:29:37 -0400
Subject: [Freeipa-users] FreeIPA "crashes" after many mystery connections
In-Reply-To: <1CD40A4DEEA320479C98D8A93A5C690602062A87@waterloo.t24uk.tipp24.net>
References: <1CD40A4DEEA320479C98D8A93A5C690601D9061B@waterloo.t24uk.tipp24.net> <1256227338.2914.10.camel@localhost.localdomain> <1CD40A4DEEA320479C98D8A93A5C6906020629C7@waterloo.t24uk.tipp24.net> <1256302250.2914.22.camel@localhost.localdomain> <1CD40A4DEEA320479C98D8A93A5C690602062A87@waterloo.t24uk.tipp24.net>
Message-ID: <1256560177.2808.6.camel@willson>

On Mon, 2009-10-26 at 08:46 +0000, Andy Singleton wrote:
> As far as I can see, whatever was trying to connect kept trying, and filling up new slots as they became available until I rebooted.

How many clients do you have ?

Simo.
--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Mon Oct 26 14:17:51 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 26 Oct 2009 10:17:51 -0400
Subject: [Freeipa-users] FreeIPA "crashes" after many mystery connections
In-Reply-To: <1CD40A4DEEA320479C98D8A93A5C690602062B4B@waterloo.t24uk.tipp24.net>
References: <1CD40A4DEEA320479C98D8A93A5C690601D9061B@waterloo.t24uk.tipp24.net> <1256227338.2914.10.camel@localhost.localdomain> <1CD40A4DEEA320479C98D8A93A5C6906020629C7@waterloo.t24uk.tipp24.net> <1256302250.2914.22.camel@localhost.localdomain> <1CD40A4DEEA320479C98D8A93A5C690602062A87@waterloo.t24uk.tipp24.net> <1256560177.2808.6.camel@willson> <1CD40A4DEEA320479C98D8A93A5C690602062B4B@waterloo.t24uk.tipp24.net>
Message-ID: <1256566671.2808.10.camel@willson>

On Mon, 2009-10-26 at 14:13 +0000, Andy Singleton wrote:
> There are 26 IPA clients, 28 users, and 4 FreeIPA servers (of which only 2 are used by clients for authentication at present).

They are not many so even the default of ~1000 available FDs shouldn't be a problem.
I guess I can't help you further unless we can find what caused so many connections.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From Andy.Singleton at tipp24os.co.uk Mon Oct 26 14:13:13 2009
From: Andy.Singleton at tipp24os.co.uk (Andy Singleton)
Date: Mon, 26 Oct 2009 14:13:13 -0000
Subject: [Freeipa-users] FreeIPA "crashes" after many mystery connections
References: <1CD40A4DEEA320479C98D8A93A5C690601D9061B@waterloo.t24uk.tipp24.net> <1256227338.2914.10.camel@localhost.localdomain> <1CD40A4DEEA320479C98D8A93A5C6906020629C7@waterloo.t24uk.tipp24.net> <1256302250.2914.22.camel@localhost.localdomain> <1CD40A4DEEA320479C98D8A93A5C690602062A87@waterloo.t24uk.tipp24.net> <1256560177.2808.6.camel@willson>
Message-ID: <1CD40A4DEEA320479C98D8A93A5C690602062B4B@waterloo.t24uk.tipp24.net>

There are 26 IPA clients, 28 users, and 4 FreeIPA servers (of which only 2 are used by clients for authentication at present).
Andy

-----Original Message-----
From: Simo Sorce [mailto:ssorce at redhat.com]
Sent: 26 October 2009 12:30
To: Andy Singleton
Cc: freeipa-users at redhat.com
Subject: RE: [Freeipa-users] FreeIPA "crashes" after many mystery connections

On Mon, 2009-10-26 at 08:46 +0000, Andy Singleton wrote:
> As far as I can see, whatever was trying to connect kept trying, and filling up new slots as they became available until I rebooted.

How many clients do you have ?

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From dpal at redhat.com Wed Oct 28 14:58:19 2009
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 28 Oct 2009 10:58:19 -0400
Subject: [Freeipa-users] Announcing FreeIPA v2 Server Alpha 1 Release
Message-ID: <4AE85C0B.80501@redhat.com>

To all freeipa-interest, freeipa-users and freeipa-devel list members,

The FreeIPA project team is pleased to announce the availability of the Alpha 1 release of the long-awaited freeIPA 2.0 server [1].

This version of the server includes:
* Optionally installable DNS server
* Optionally installable Certificate Authority to manage server certificates
* NIS compatibility plug-in

The freeIPA 2.0 server is capable of:
* Managing host identities
* Defining host-based access control rules that will be enforced on the client side by the IPA back end for SSSD (not provided yet)
* Serving netgroups based on user and host objects stored in IPA
* Serving sets of automount maps to different clients
* Finer-grained management delegation
* Group-based password policies

The freeIPA 2.0 release provides:
* Pluggable and extensible framework for UI/CLI
* Rich CLI
* Certificate provisioning capabilities

The current version of the server does not include a web based user interface.

FreeIPA 2.0 clients can be configured in the same way as freeIPA 1.2 clients, using ipa-client-install. For richer functionality freeIPA can be used with SSSD (System Security Services Daemon).
The special freeIPA back end for SSSD developed by the SSSD project is not ready yet; however, the freeIPA 2.0 server can still be configured as a generic LDAP + Kerberos back end for SSSD.

For more information about features delivered in this release, see the documentation [2] on the freeIPA web site.
For information on how to configure client systems to use freeIPA without SSSD, see the freeIPA 1.2 documentation [3].
For information on how freeIPA can be used in conjunction with SSSD, see the SSSD documentation [4].
For all other freeIPA-related documentation [5], see the freeIPA web site.

[1] http://www.freeipa.org/page/Downloads/
[2] http://www.freeipa.org/page/IPAv2_development_status#Documentation
[3] http://freeipa.org/docs/1.2/Client_Setup_Guide/en-US/html/
[4] https://fedorahosted.org/sssd/
[5] http://www.freeipa.org/page/DocumentationPortal

--
Thank you,
Dmitri Pal
Engineering Manager IPA project, Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From dpal at redhat.com Wed Oct 28 15:11:17 2009
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 28 Oct 2009 11:11:17 -0400
Subject: [Freeipa-users] Re: [Freeipa-devel] Announcing FreeIPA v2 Server Alpha 1 Release
In-Reply-To: <4AE85C0B.80501@redhat.com>
References: <4AE85C0B.80501@redhat.com>
Message-ID: <4AE85F15.6010504@redhat.com>

Dmitri Pal wrote:
> To all freeipa-interest, freeipa-users and freeipa-devel list members,
>
> The FreeIPA project team is pleased to announce the availability of the Alpha 1 release of the long-awaited freeIPA 2.0 server [1].
>
> This version of the server includes:
> * Optionally installable DNS server
> * Optionally installable Certificate Authority to manage server certificates
> * NIS compatibility plug-in
>
> The freeIPA 2.0 server is capable of:
> * Managing host identities
> * Defining host-based access control rules that will be enforced on the client side by the IPA back end for SSSD (not provided yet)
> * Serving netgroups based on user and host objects stored in IPA
> * Serving sets of automount maps to different clients
> * Finer-grained management delegation
> * Group-based password policies
>
> The freeIPA 2.0 release provides:
> * Pluggable and extensible framework for UI/CLI
> * Rich CLI
> * Certificate provisioning capabilities
>
> The current version of the server does not include a web based user interface.
>
> FreeIPA 2.0 clients can be configured in the same way as freeIPA 1.2 clients, using ipa-client-install. For richer functionality freeIPA can be used with SSSD (System Security Services Daemon).
> The special freeIPA back end for SSSD developed by the SSSD project is not ready yet; however, the freeIPA 2.0 server can still be configured as a generic LDAP + Kerberos back end for SSSD.
>
> For more information about features delivered in this release, see the documentation [2] on the freeIPA web site.
> For information on how to configure client systems to use freeIPA without SSSD, see the freeIPA 1.2 documentation [3].
> For information on how freeIPA can be used in conjunction with SSSD, see the SSSD documentation [4].
> For all other freeIPA-related documentation [5], see the freeIPA web site.
>
> [1] http://www.freeipa.org/page/Downloads/
>

A quick correction to the link:

[1] http://www.freeipa.org/page/Downloads

Sorry for the confusion.
> [2] http://www.freeipa.org/page/IPAv2_development_status#Documentation
> [3] http://freeipa.org/docs/1.2/Client_Setup_Guide/en-US/html/
> [4] https://fedorahosted.org/sssd/
> [5] http://www.freeipa.org/page/DocumentationPortal
>

--
Thank you,
Dmitri Pal
Engineering Manager IPA project, Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From natxo.asenjo at gmail.com Thu Oct 29 20:01:37 2009
From: natxo.asenjo at gmail.com (Natxo Asenjo)
Date: Thu, 29 Oct 2009 21:01:37 +0100
Subject: [Freeipa-users] Announcing FreeIPA v2 Server Alpha 1 Release
In-Reply-To: <4AE99E72.3090007@redhat.com>
References: <4AE85C0B.80501@redhat.com> <90f6e8270910290333p28eeb252y1874f75e9bb21d57@mail.gmail.com> <4AE99E72.3090007@redhat.com>
Message-ID: <90f6e8270910291301x71e5aaafide78b10e762cc68b@mail.gmail.com>

My apologies, Dmitri, for mailing you directly. Now on list.

On Thu, Oct 29, 2009 at 2:53 PM, Dmitri Pal wrote:
> Natxo Asenjo wrote:
>> On Wed, Oct 28, 2009 at 3:58 PM, Dmitri Pal wrote:
>>> To all freeipa-interest, freeipa-users and freeipa-devel list members,
>>>
>>> The FreeIPA project team is pleased to announce the availability of the Alpha 1 release of the long-awaited freeIPA 2.0 server [1].
>>
>> great news!!!
>>
>> I will try this shortly. Thanks for this project, this is going to make my job as a linux admin easier ;-)
>>
>> one question: will there be packages for other distributions/unix variants in the future?
>>
>> --
>> natxo
>
> Server side - no, unless someone comes in and ports it.
> We will be focusing on supporting Fedora and adding more features.
> But we will welcome any effort to port it to any other distribution.
> However it will be a really huge effort since it would require porting things like DS and CS.
> Not impossible but a really big chunk of work.
>

I really meant the client side, sorry for not being specific.
I am perfectly fine with a redhat authentication solution in the data center.

Would it otherwise be enough (client side) to specify the right realm in krb5.conf for the authentication and properly configure the pam ldap library for the user attributes? Or am I thinking too simply?

--
natxo

From dpal at redhat.com Thu Oct 29 20:31:07 2009
From: dpal at redhat.com (Dmitri Pal)
Date: Thu, 29 Oct 2009 16:31:07 -0400
Subject: [Freeipa-users] Announcing FreeIPA v2 Server Alpha 1 Release
In-Reply-To: <90f6e8270910291301x71e5aaafide78b10e762cc68b@mail.gmail.com>
References: <4AE85C0B.80501@redhat.com> <90f6e8270910290333p28eeb252y1874f75e9bb21d57@mail.gmail.com> <4AE99E72.3090007@redhat.com> <90f6e8270910291301x71e5aaafide78b10e762cc68b@mail.gmail.com>
Message-ID: <4AE9FB8B.3090303@redhat.com>

>
> I really meant the client side, sorry for not being specific. I am perfectly fine with a redhat authentication solution in the data center.
>
> Would it otherwise be enough (client side) to specify the right realm in krb5.conf for the authentication and properly configure the pam ldap library for the user attributes? Or am I thinking too simply?
>

Hi,

This is a simple approach and will give you the functionality already provided by the existing client machines. Just configure pam and nss and you are pretty much done. This was the approach for clients we described in our freeIPA v1 documentation: http://freeipa.org/docs/1.2/Client_Setup_Guide/en-US/html/

This approach, however, has some limitations. This is where SSSD comes into play. The SSSD project provides several important features that a simple combination of pam+nss does not have. Things like offline authentication, identity caching, support of multiple different identity sources at the same time and more...

SSSD is a pluggable framework supporting multiple back ends. It will come with a set of back ends out of the box.
You would be able to use IPA with SSSD as authentication and identity provider via ldap+ldap or krb+ldap or krb+ldap + host based access control provided by IPA. In all these cases you will also be able to take advantage of offline authentication and multiple identity domains.

https://fedorahosted.org/sssd/

SSSD is a part of Fedora, Suse, Ubuntu etc. We are planning to look into other platforms like HP, AIX and Solaris later on.

Hope this helps,
Dmitri

From danieljamesscott at gmail.com Thu Oct 29 21:56:33 2009
From: danieljamesscott at gmail.com (Dan Scott)
Date: Thu, 29 Oct 2009 17:56:33 -0400
Subject: [Freeipa-users] Library to change expired password
Message-ID: <6835906b0910291456h455cea3axae38727060ce9532@mail.gmail.com>

Hi,

I'm trying to integrate FreeIPA with a Java webapp using JAAS. I have the login module configured properly and it is working fine.

However, I have a problem with the initial user setup. New accounts are created with expired passwords for good reason. However, I would like a way for a user to change their expired kerberos password which does not use the command line, e.g. an SSL web form.

On searching the web, there does not appear to be a (free) java library which implements the same functionality as ipa-passwd, kinit or ssh for changing expired passwords. Does anyone know if such a thing exists? The IPA documentation indicates that ssh has an option 'challenge-response' for changing expired passwords. I would like the same functionality on a web page.

Assuming that this is true (which I find very hard to believe), then I can think of 3 possible solutions:

1. Attempt to execute the system commands from within Java (Yuck - quite apart from the difficulties of escaping the arguments, the password will be displayed in the system process list while the command is being executed).
2. Use XMLRPC. Although this introduces another whole layer into the system, this might be the best way to go.
3. Update the user's password expiry in the LDAP directory to (say) 1 day in the future so that they can login.

I am currently looking at the XMLRPC route. However, no matter what request I send to the server, I receive 'XmlRpcException:HTTP server returned unexpected status: Authorization Required'. Do I need to store the details of the failed login so that I can authorize my RPC?

Is there any documentation on the FreeIPA XMLRPC which I can read? I have the API, but no more. I had to dig into the apache configuration to find the domain path context (/xml/ipa).

Thanks,

Dan Scott
http://danieljamesscott.org

From jderose at redhat.com Fri Oct 30 04:54:01 2009
From: jderose at redhat.com (Jason Gerard DeRose)
Date: Thu, 29 Oct 2009 22:54:01 -0600
Subject: [Freeipa-users] Library to change expired password
In-Reply-To: <6835906b0910291456h455cea3axae38727060ce9532@mail.gmail.com>
References: <6835906b0910291456h455cea3axae38727060ce9532@mail.gmail.com>
Message-ID: <1256878441.16193.20.camel@jgd-dsk>

On Thu, 2009-10-29 at 17:56 -0400, Dan Scott wrote:
> Hi,
>
> I'm trying to integrate FreeIPA with a Java webapp using JAAS. I have
> the login module configured properly and it is working fine.
>
> However, I have a problem with the initial user setup. New accounts
> are created with expired passwords for good reason. However, I would
> like a way for a user to change their expired kerberos password
> which does not use the command line. e.g. an SSL web form.
>
> On searching the web, there does not appear to be a (free) java
> library which implements the same functionality as ipa-passwd, kinit
> or ssh for changing expired passwords. Does anyone know if such a
> thing exists? The IPA documentation indicates that ssh has an option
> 'challenge-response' for changing expired passwords. I would like the
> same functionality on a web page.

Yes, you raise a good point and we obviously need a way to do this via the web UI.
Rob, if a user's password is expired, how does the password change work? Does the user still do a Kerberos auth with the old password, or do we need a non-Kerberos protected web page through which to update the password?

Either way, this will be a simple thing to add to the UI.

> Assuming that this is true (which I find very hard to believe), then I
> can think of 3 possible solutions:
>
> 1. Attempt to execute the system commands from within Java (Yuck -
> quite apart from the difficulties of escaping the arguments, the
> password will be displayed in the system process list while the
> command is being executed).
> 2. Use XMLRPC. Although this introduces another whole layer into the
> system, this might be the best way to go.
> 3. Update the user's password expiry in the LDAP directory to (say) 1
> day in the future so that they can login.
>
> I am currently looking at the XMLRPC route. However, no matter what
> request I send to the server, I receive 'XmlRpcException:HTTP server
> returned unexpected status: Authorization Required'. Do I need to
> store the details of the failed login so that I can authorize my RPC?

Ah, you've raised an important question that we currently don't have documented, AFAIK. Your XML-RPC client will have to set the 'Authorization' header for the Kerberos negotiation. But as some clients might not allow you to set the HTTP headers, we obviously need other mechanisms, including using just a username/password.

For what it's worth, this is the Python code Rob wrote for doing this (line 318 in ipalib/rpc.py):

    # Excerpt from ipalib/rpc.py: the module's imports (kerberos, ipautil,
    # errors, SSLTransport) and the KRB5_* error constants are defined
    # earlier in that file and are not repeated here.
    class KerbTransport(SSLTransport):
        """
        Handles Kerberos Negotiation authentication to an XML-RPC server.
        """

        def _handle_exception(self, e, service=None):
            # Map the GSSAPI minor status code to a specific ipalib error.
            (major, minor) = ipautil.get_gsserror(e)
            if minor[1] == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN:
                raise errors.ServiceError(service=service)
            elif minor[1] == KRB5_FCC_NOFILE:
                raise errors.NoCCacheError()
            elif minor[1] == KRB5KRB_AP_ERR_TKT_EXPIRED:
                raise errors.TicketExpired()
            elif minor[1] == KRB5_FCC_PERM:
                raise errors.BadCCachePerms()
            elif minor[1] == KRB5_CC_FORMAT:
                raise errors.BadCCacheFormat()
            elif minor[1] == KRB5_REALM_CANT_RESOLVE:
                raise errors.CannotResolveKDC()
            else:
                raise errors.KerberosError(major=major, minor=minor)

        def get_host_info(self, host):
            (host, extra_headers, x509) = SSLTransport.get_host_info(self, host)

            # Set the remote host principal
            service = "HTTP@" + host.split(':')[0]

            # Start a GSSAPI context for HTTP/<host>, asking for credential
            # delegation (the forwarded ticket the server uses for LDAP),
            # mutual authentication and sequence checking.
            try:
                (rc, vc) = kerberos.authGSSClientInit(service,
                    kerberos.GSS_C_DELEG_FLAG |
                    kerberos.GSS_C_MUTUAL_FLAG |
                    kerberos.GSS_C_SEQUENCE_FLAG)
            except kerberos.GSSError as e:
                self._handle_exception(e)

            try:
                kerberos.authGSSClientStep(vc, "")
            except kerberos.GSSError as e:
                self._handle_exception(e, service=service)

            # The initial SPNEGO token goes out in the Authorization header.
            extra_headers = [
                ('Authorization', 'negotiate %s' % kerberos.authGSSClientResponse(vc))
            ]

            return (host, extra_headers, x509)

> Is there any documentation on the FreeIPA XMLRPC which I can read? I
> have the API, but no more. I had to dig into the apache configuration
> to find the domain path context (/xml/ipa).

Right now the documentation is scarce, but we're currently working on solidifying and formalizing the XML-RPC API and plan to document it in detail once this is done.

Thanks for your interest in FreeIPA and we appreciate your feedback!
> Thanks, > > Dan Scott > http://danieljamesscott.org > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users From sbose at redhat.com Fri Oct 30 07:47:57 2009 From: sbose at redhat.com (Sumit Bose) Date: Fri, 30 Oct 2009 08:47:57 +0100 Subject: [Freeipa-users] Library to change expired password In-Reply-To: <1256878441.16193.20.camel@jgd-dsk> References: <6835906b0910291456h455cea3axae38727060ce9532@mail.gmail.com> <1256878441.16193.20.camel@jgd-dsk> Message-ID: <20091030074757.GH3017@localhost.localdomain> On Thu, Oct 29, 2009 at 10:54:01PM -0600, Jason Gerard DeRose wrote: > On Thu, 2009-10-29 at 17:56 -0400, Dan Scott wrote: > > Hi, > > > > I'm trying to integrate FreeIPA with a Java webapp using JAAS. I have > > the login module configured properly and it is working fine. > > > > However, I have a problem with the initial user setup. New accounts > > are created with expired passwords for good reason. However, I would > > like a way to for a user to change their expired kerberos password > > which does not use the command line. e.g. an SSL web form. > > > > On searching the web, there does not appear to be a (free) java > > library which implements the same functionality as ipa-passwd, kinit > > or ssh for changing expired passwords. Does anyone know if such a > > thing exists? The IPA documentation indicates that ssh has an option > > 'challenge-response' for changing expired passwords. I would like the > > same functionality on a web page. > > Yes, you raise a good point and we obviously need a way to do this via > the web UI. > > Rob, if a user's password is expired, how does the password change work? > Does the user still do a Kerberos auth with the old password, or do we > need a non-Kerberos protected web page through which to update the > password? > > Either way, this will be a simple thing to add to the UI. 
>
If the password is expired you get KRB5KDC_ERR_KEY_EXP when requesting a TGT. Please note that you will always get this response no matter if the password matches the old password or not. You can then request a password change ticket, principal: kadmin/changepw, with the old password and run the password change with this ticket.

I would expect that you cannot use a kerberos protected page, because you do not have a TGT and cannot request a service ticket for the web server.

bye,
Sumit

From rcritten at redhat.com Fri Oct 30 13:29:49 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 30 Oct 2009 09:29:49 -0400
Subject: [Freeipa-users] Library to change expired password
In-Reply-To: <1256878441.16193.20.camel@jgd-dsk>
References: <6835906b0910291456h455cea3axae38727060ce9532@mail.gmail.com> <1256878441.16193.20.camel@jgd-dsk>
Message-ID: <4AEAEA4D.1020609@redhat.com>

Jason Gerard DeRose wrote:
> On Thu, 2009-10-29 at 17:56 -0400, Dan Scott wrote:
>> Hi,
>>
>> I'm trying to integrate FreeIPA with a Java webapp using JAAS. I have
>> the login module configured properly and it is working fine.
>>
>> However, I have a problem with the initial user setup. New accounts
>> are created with expired passwords for good reason. However, I would
>> like a way for a user to change their expired kerberos password
>> which does not use the command line. e.g. an SSL web form.
>>
>> On searching the web, there does not appear to be a (free) java
>> library which implements the same functionality as ipa-passwd, kinit
>> or ssh for changing expired passwords. Does anyone know if such a
>> thing exists? The IPA documentation indicates that ssh has an option
>> 'challenge-response' for changing expired passwords. I would like the
>> same functionality on a web page.
>
> Yes, you raise a good point and we obviously need a way to do this via
> the web UI.
>
> Rob, if a user's password is expired, how does the password change work?
> Does the user still do a Kerberos auth with the old password, or do we
> need a non-Kerberos protected web page through which to update the
> password?
>
> Either way, this will be a simple thing to add to the UI.

As Sumit said, the self-service page currently requires kerberos so you'd have to get a TGT first which means you need a valid password.

This may not be too difficult to do in a web form (SSL protected, of course). You should be able to create a non-kerberos auth page that prompts for username, old and new password and a submit button. You could pass this onto a simple backend that does an LDAP bind as the user with the old password then use ldap_passwd() to set the new password.

>> Assuming that this is true (which I find very hard to believe), then I
>> can think of 3 possible solutions:
>>
>> 1. Attempt to execute the system commands from within Java (Yuck -
>> quite apart from the difficulties of escaping the arguments, the
>> password will be displayed in the system process list while the
>> command is being executed).
>> 2. Use XMLRPC. Although this introduces another whole layer into the
>> system, this might be the best way to go.
>> 3. Update the user's password expiry in the LDAP directory to (say) 1
>> day in the future so that they can login.
>>
>> I am currently looking at the XMLRPC route. However, no matter what
>> request I send to the server, I receive 'XmlRpcException:HTTP server
>> returned unexpected status: Authorization Required'. Do I need to
>> store the details of the failed login so that I can authorize my RPC?
>
> Ah, you've raised an important question that we currently don't have
> documented, AFAIK. Your XML-RPC client will have to set the
> 'Authorization' header for the Kerberos negotiation. But as some
> clients might not allow you to set the HTTP headers, we obviously need
> other mechanisms, including using just a username/password.
One can set KrbMethodK5Passwd to on in /etc/httpd/conf.d/ipa.conf to allow it to fall back to username/password authentication. Still requires a non-expired password though. >> Is there any documentation on the FreeIPA XMLRPC which I can read? I >> have the API, but no more. I had to dig into the apache configuration >> to find the domain path context (/xml/ipa). Yes, just the API is documented, there aren't any programming examples other than the code itself AFAIK. One thing you can do is add the -v option to the ipa command-line tools to see the XML-RPC request/response. That might help. > Right now the documentation is scarce, but we're currently working on > solidifying and formalizing the XML-RPC API and plan to document it in > detail once this is done. Yeah, we'll have to see if we can get some sample requests into the v2 API docs. > > Thanks for your interest in FreeIPA and we appreciate your feedback! > >> Thanks, >> >> Dan Scott >> http://danieljamesscott.org rob -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From dpal at redhat.com Fri Oct 30 14:05:16 2009 From: dpal at redhat.com (Dmitri Pal) Date: Fri, 30 Oct 2009 10:05:16 -0400 Subject: [Freeipa-users] Library to change expired password In-Reply-To: <4AEAEA4D.1020609@redhat.com> References: <6835906b0910291456h455cea3axae38727060ce9532@mail.gmail.com> <1256878441.16193.20.camel@jgd-dsk> <4AEAEA4D.1020609@redhat.com> Message-ID: <4AEAF29C.80201@redhat.com> > > As Sumit said, the self-service page currently requires kerberos so > you'd have to get a TGT first which means you need a valid password. > > This may not be too difficult to do in a web form (SSL protected, of > course). You should be able to create a non-kerberos auth page that > prompts for username, old and new password and a submit button. 
You > could pass this onto a a simple backend that does an LDAP bind as the > user with the old password then use ldap_passwd() to set the new > password. Is there anything we can leverage from what Pavel has done with non kerberos migration page? I know this is a completely different case under the hood but for end user they seem pretty similar so may be there is a way to take advantage of what Pavel already implemented. -- Thank you, Dmitri Pal Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From rcritten at redhat.com Fri Oct 30 14:43:44 2009 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 30 Oct 2009 10:43:44 -0400 Subject: [Freeipa-users] Library to change expired password In-Reply-To: <4AEAF29C.80201@redhat.com> References: <6835906b0910291456h455cea3axae38727060ce9532@mail.gmail.com> <1256878441.16193.20.camel@jgd-dsk> <4AEAEA4D.1020609@redhat.com> <4AEAF29C.80201@redhat.com> Message-ID: <4AEAFBA0.1000207@redhat.com> Dmitri Pal wrote: >> As Sumit said, the self-service page currently requires kerberos so >> you'd have to get a TGT first which means you need a valid password. >> >> This may not be too difficult to do in a web form (SSL protected, of >> course). You should be able to create a non-kerberos auth page that >> prompts for username, old and new password and a submit button. You >> could pass this onto a a simple backend that does an LDAP bind as the >> user with the old password then use ldap_passwd() to set the new >> password. > > Is there anything we can leverage from what Pavel has done with non > kerberos migration page? > I know this is a completely different case under the hood but for end > user they seem pretty similar > so may be there is a way to take advantage of what Pavel already > implemented. > > It is certainly similar in principal. I need to review Pavel's work a bit more to determine how much could be leveraged. 
rob -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From danieljamesscott at gmail.com Fri Oct 30 21:26:52 2009 From: danieljamesscott at gmail.com (Dan Scott) Date: Fri, 30 Oct 2009 17:26:52 -0400 Subject: [Freeipa-users] Library to change expired password In-Reply-To: <4AEAEA4D.1020609@redhat.com> References: <6835906b0910291456h455cea3axae38727060ce9532@mail.gmail.com> <1256878441.16193.20.camel@jgd-dsk> <4AEAEA4D.1020609@redhat.com> Message-ID: <6835906b0910301426y632ed652x7172d65515bbf93a@mail.gmail.com> Hi, Thanks for your replies. On Fri, Oct 30, 2009 at 09:29, Rob Crittenden wrote: > Jason Gerard DeRose wrote: >> >> On Thu, 2009-10-29 at 17:56 -0400, Dan Scott wrote: >>> >>> Hi, >>> >>> I'm trying to integrate FreeIPA with a Java webapp using JAAS. I have >>> the login module configured properly and it is working fine. >>> >>> However, I have a problem with the initial user setup. New accounts >>> are created with expired passwords for good reason. However, I would >>> like a way to for a user to change their expired kerberos password >>> which does not use the command line. e.g. an SSL web form. >>> >>> On searching the web, there does not appear to be a (free) java >>> library which implements the same functionality as ipa-passwd, kinit >>> or ssh for changing expired passwords. Does anyone know if such a >>> thing exists? The IPA documentation indicates that ssh has an option >>> 'challenge-response' for changing expired passwords. I would like the >>> same functionality on a web page. >> >> Yes, you raise a good point and we obviously need a way to do this via >> the web UI. >> >> Rob, if a user's password is expired, how does the password change work? >> Does the user still do a Kerberos auth with the old password, or do we >> need a non-Kerberos protected web page through which to update the >> password? 
>> >> Either way, this will be a simple thing to add to the UI. > > As Sumit said, the self-service page currently requires kerberos so you'd > have to get a TGT first which means you need a valid password. > > This may not be too difficult to do in a web form (SSL protected, of > course). You should be able to create a non-kerberos auth page that prompts > for username, old and new password and a submit button. You could pass this > onto a a simple backend that does an LDAP bind as the user with the old > password then use ldap_passwd() to set the new password. Thanks. Do you have a particular language in mind for the ldap_passwd() command? This sounds like a good way to go about it. I've been looking at the ldappasswd command to figure out the correct arguments, but this seems to require an SSL connection (Which is not currently configured on my ipa server). This is strange, as ipa-passwd and/or kpasswd don't appear to require SSL (maybe I'm wrong about this). Anyway, is there a way to do this without using SSL? I might be making this all far too complicated. I have considered using JNI to wrap a c kerberos library. Does this sound like a reasonable idea? >>> Is there any documentation on the FreeIPA XMLRPC which I can read? I >>> have the API, but no more. I had to dig into the apache configuration >>> to find the domain path context (/xml/ipa). > > Yes, just the API is documented, there aren't any programming examples other > than the code itself AFAIK. > > One thing you can do is add the -v option to the ipa command-line tools to > see the XML-RPC request/response. That might help. Thanks for that tip. It's useful to see the RPCs. Just to confirm, there's no way to perform the 'un-authenticated' XML RPC to change a password, even if the expired password is supplied in the call? 
Thanks, Dan Scott http://danieljamesscott.org From rcritten at redhat.com Fri Oct 30 21:42:45 2009 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 30 Oct 2009 17:42:45 -0400 Subject: [Freeipa-users] Library to change expired password In-Reply-To: <6835906b0910301426y632ed652x7172d65515bbf93a@mail.gmail.com> References: <6835906b0910291456h455cea3axae38727060ce9532@mail.gmail.com> <1256878441.16193.20.camel@jgd-dsk> <4AEAEA4D.1020609@redhat.com> <6835906b0910301426y632ed652x7172d65515bbf93a@mail.gmail.com> Message-ID: <4AEB5DD5.9000105@redhat.com> Dan Scott wrote: >> This may not be too difficult to do in a web form (SSL protected, of >> course). You should be able to create a non-kerberos auth page that prompts >> for username, old and new password and a submit button. You could pass this >> onto a a simple backend that does an LDAP bind as the user with the old >> password then use ldap_passwd() to set the new password. > > Thanks. Do you have a particular language in mind for the > ldap_passwd() command? This sounds like a good way to go about it. > I've been looking at the ldappasswd command to figure out the correct > arguments, but this seems to require an SSL connection (Which is not > currently configured on my ipa server). This is strange, as ipa-passwd > and/or kpasswd don't appear to require SSL (maybe I'm wrong about > this). Anyway, is there a way to do this without using SSL? I'll respond in reverse. I don't believe the LDAP server will accept password changes over an unencrypted channel, so you either need to bind using GSSAPI or use SSL. We use forwarded tickets in XML-RPC so our LDAP connections don't use SSL, we do a GSSAPI bind which brings its own encryption. You will have to do a simple bind since you'll just have a username/password. We configure SSL for the LDAP server so as long as you trust the IPA CA you can do an SSL connection. You can do it in whatever language you feel most comfortable with. 
You can write it as a CGI using perl, use mod_python, PHP, etc. All of these have some amount of LDAP support. > > I might be making this all far too complicated. I have considered > using JNI to wrap a c kerberos library. Does this sound like a > reasonable idea? I'm pretty sure Java supports kerberos natively. It can also speak LDAP natively. >>>> Is there any documentation on the FreeIPA XMLRPC which I can read? I >>>> have the API, but no more. I had to dig into the apache configuration >>>> to find the domain path context (/xml/ipa). >> Yes, just the API is documented, there aren't any programming examples other >> than the code itself AFAIK. >> >> One thing you can do is add the -v option to the ipa command-line tools to >> see the XML-RPC request/response. That might help. > > Thanks for that tip. It's useful to see the RPCs. Just to confirm, > there's no way to perform the 'un-authenticated' XML RPC to change a > password, even if the expired password is supplied in the call? Right, no unauthenticated access. We let Apache's mod_auth_kerb module handle authentication for us and expect a ticket in the entry point. Even if you configured it to not require a ticket things would very likely blow up. That said, you can probably look at ipaldap.py for inspiration on how to do the password change in python (if you choose to go that route). > > Thanks, > > Dan Scott > http://danieljamesscott.org rob -------------- next part -------------- A non-text attachment was scrubbed... 
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From danieljamesscott at gmail.com Fri Oct 30 22:16:52 2009 From: danieljamesscott at gmail.com (Dan Scott) Date: Fri, 30 Oct 2009 18:16:52 -0400 Subject: Fwd: [Freeipa-users] Library to change expired password In-Reply-To: <6835906b0910301515x7f7801c8wf7e919b942a2643d@mail.gmail.com> References: <6835906b0910291456h455cea3axae38727060ce9532@mail.gmail.com> <1256878441.16193.20.camel@jgd-dsk> <4AEAEA4D.1020609@redhat.com> <6835906b0910301426y632ed652x7172d65515bbf93a@mail.gmail.com> <4AEB5DD5.9000105@redhat.com> <6835906b0910301515x7f7801c8wf7e919b942a2643d@mail.gmail.com> Message-ID: <6835906b0910301516g781c2325q487bddefcfa1723d@mail.gmail.com> Sorry, forgot to copy everyone else in. Dan ---------- Forwarded message ---------- From: Dan Scott Date: Fri, Oct 30, 2009 at 18:15 Subject: Re: [Freeipa-users] Library to change expired password To: Rob Crittenden Hi, On Fri, Oct 30, 2009 at 17:42, Rob Crittenden wrote: > Dan Scott wrote: >>> >>> This may not be too difficult to do in a web form (SSL protected, of >>> course). You should be able to create a non-kerberos auth page that >>> prompts >>> for username, old and new password and a submit button. You could pass >>> this >>> onto a a simple backend that does an LDAP bind as the user with the old >>> password then use ldap_passwd() to set the new password. >> >> Thanks. Do you have a particular language in mind for the >> ldap_passwd() command? This sounds like a good way to go about it. >> I've been looking at the ldappasswd command to figure out the correct >> arguments, but this seems to require an SSL connection (Which is not >> currently configured on my ipa server). This is strange, as ipa-passwd >> and/or kpasswd don't appear to require SSL (maybe I'm wrong about >> this). Anyway, is there a way to do this without using SSL? > > I'll respond in reverse. 
> > I don't believe the LDAP server will accept password changes over an > unencrypted channel, so you either need to bind using GSSAPI or use SSL. > > We use forwarded tickets in XML-RPC so our LDAP connections don't use SSL, > we do a GSSAPI bind which brings its own encryption. You will have to do a > simple bind since you'll just have a username/password. OK, that makes sense, thanks. But there's still one thing I don't really understand. How do the ipa tools obtain a ticket for the RPC when the password has expired? This is the fundamental problem that I have. I can't obtain a ticket because the password has expired and I can't change the password because I don't have a ticket! :) > You can do it in whatever language you feel most comfortable with. You can > write it as a CGI using perl, use mod_python, PHP, etc. All of these have > some amount of LDAP support. OK, thanks. The reason I'm asking is because I've looked through most/all of these technologies and I can't find much/anything related to changing expired passwords. Admittedly, when I was looking for this, I was attempting to use Kerberos, not LDAP. But the problem appears the same for LDAP password changing support. Python seems to be the exception where there is a good kerberos library (and I have played around with this, but my Python knowledge is very poor.:) ). There doesn't appear to be a php-kerberos library (Well, there is one for kadm, but not MIT kerberos). Java has Kerberos support for the Login protocol via JAAS, but no support for changing passwords. There's no java LDAP change password functionality, only direct directory manipulation. I'm not sure whether I'm trying to do something wrong, but it doesn't seem like anyone else has had this problem before me. It seems very strange that none of these technologies have good password change support. Am I going about this the wrong way? :) >> I might be making this all far too complicated. 
I have considered >> using JNI to wrap a c kerberos library. Does this sound like a >> reasonable idea? > > I'm pretty sure Java supports kerberos natively. It can also speak LDAP > natively. Sure, it does, primarily for login functionality. But support for password changes does not appear to exist without client side hashing and direct directory manipulation. Thanks for your responses, they're very useful. Dan From ssorce at redhat.com Sat Oct 31 17:50:40 2009 From: ssorce at redhat.com (Simo Sorce) Date: Sat, 31 Oct 2009 13:50:40 -0400 Subject: Fwd: [Freeipa-users] Library to change expired password In-Reply-To: <6835906b0910301516g781c2325q487bddefcfa1723d@mail.gmail.com> References: <6835906b0910291456h455cea3axae38727060ce9532@mail.gmail.com> <1256878441.16193.20.camel@jgd-dsk> <4AEAEA4D.1020609@redhat.com> <6835906b0910301426y632ed652x7172d65515bbf93a@mail.gmail.com> <4AEB5DD5.9000105@redhat.com> <6835906b0910301515x7f7801c8wf7e919b942a2643d@mail.gmail.com> <6835906b0910301516g781c2325q487bddefcfa1723d@mail.gmail.com> Message-ID: <1257011440.3553.1.camel@willson.li.ssimo.org> On Fri, 2009-10-30 at 18:16 -0400, Dan Scott wrote: > OK, that makes sense, thanks. But there's still one thing I don't > really understand. How do the ipa tools obtain a ticket for the RPC > when the password has expired? They don't, password change is done via kpasswd (or direct connection to ldap and ldappasswd operation). Simo. -- Simo Sorce * Red Hat, Inc * New York
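As an added example, not code from this thread or from FreeIPA: the LDAP Password Modify extended operation (RFC 3062) that Rob's ldap_passwd() and Simo's "ldappasswd operation" refer to, encoded and decoded by hand so the exchange a self-service backend would have with the directory can be inspected without a server. The DN, passwords and diagnostic text are constructed sample values; confidentialityRequired (13) is the standard LDAP result code for an operation refused on a clear-text session, the refusal Rob describes.

```python
"""Added example (not FreeIPA or thread code): LDAP Password Modify
(RFC 3062) request/response encoding with the standard library only.
All DNs, passwords and diagnostic strings are constructed samples."""

PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"

# LDAP result codes (RFC 4511, section 4.1.9) a backend should distinguish:
# success, wrong old password, and "not over clear text".
LDAP_SUCCESS = 0
LDAP_CONFIDENTIALITY_REQUIRED = 13
LDAP_INVALID_CREDENTIALS = 49


def ber_length(n):
    """Definite-form BER length: one byte below 128, else 0x80|count + bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag, content):
    """One BER element: tag byte, encoded length, content."""
    return bytes([tag]) + ber_length(len(content)) + content


def ber_integer(value):
    """INTEGER (tag 0x02), minimal two's-complement form, value >= 0."""
    body = value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True)
    return ber_tlv(0x02, body)


def passwd_modify_request_value(user_identity=None, old_password=None,
                                new_password=None):
    """PasswdModifyRequestValue ::= SEQUENCE { userIdentity [0], oldPasswd [1],
    newPasswd [2] }, each an OPTIONAL context-specific OCTET STRING
    (tag bytes 0x80, 0x81, 0x82)."""
    parts = b""
    for tag, field in ((0x80, user_identity), (0x81, old_password),
                       (0x82, new_password)):
        if field is not None:
            parts += ber_tlv(tag, field.encode("utf-8"))
    return ber_tlv(0x30, parts)


def extended_request(oid, value=None):
    """ExtendedRequest ::= [APPLICATION 23] SEQUENCE { requestName [0] LDAPOID,
    requestValue [1] OCTET STRING OPTIONAL }; tag byte 0x60 | 23 = 0x77."""
    body = ber_tlv(0x80, oid.encode("ascii"))
    if value is not None:
        body += ber_tlv(0x81, value)
    return ber_tlv(0x77, body)


def ldap_message(message_id, protocol_op):
    """LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp CHOICE {...} }"""
    return ber_tlv(0x30, ber_integer(message_id) + protocol_op)


def build_password_change(message_id, user_dn, old_password, new_password):
    """The PDU a backend sends after a simple bind as user_dn. The old password
    rides along in clear inside the PDU so the directory re-verifies it, which
    is why this belongs on an LDAPS/StartTLS session only."""
    value = passwd_modify_request_value(user_dn, old_password, new_password)
    return ldap_message(message_id, extended_request(PASSWD_MODIFY_OID, value))


def ber_read(buf, pos=0):
    """Read one TLV at pos; return (tag, content, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                       # long-form length
        count = first & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def parse_extended_response(message):
    """Decode LDAPMessage { messageID, ExtendedResponse [APPLICATION 24] (0x78)
    { resultCode ENUMERATED, matchedDN, diagnosticMessage, ... } } and return
    (message_id, result_code, diagnostic_message)."""
    tag, body, _ = ber_read(message)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, raw_id, pos = ber_read(body)
    tag, op, _ = ber_read(body, pos)
    if tag != 0x78:
        raise ValueError("not an ExtendedResponse")
    _, code, pos = ber_read(op)            # ENUMERATED, tag 0x0A
    _, _matched, pos = ber_read(op, pos)   # matchedDN, usually empty
    _, diag, _ = ber_read(op, pos)         # diagnosticMessage
    return (int.from_bytes(raw_id, "big", signed=True),
            int.from_bytes(code, "big"), diag.decode("utf-8"))


def sample_extended_response(message_id, result_code, diagnostic):
    """Constructed sample response (not captured from 389-ds) for the parser."""
    op = (ber_tlv(0x0A, bytes([result_code])) + ber_tlv(0x04, b"")
          + ber_tlv(0x04, diagnostic.encode("utf-8")))
    return ldap_message(message_id, ber_tlv(0x78, op))


if __name__ == "__main__":
    req = build_password_change(1, "uid=dan,cn=users,cn=accounts,dc=example,dc=com",
                                "old-secret", "new-secret")
    print(req.hex())
    refusal = sample_extended_response(1, LDAP_CONFIDENTIALITY_REQUIRED,
                                       "Operation requires a secure connection")
    print(parse_extended_response(refusal))
```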