From Steven.Jones at vuw.ac.nz Thu Sep 1 01:10:31 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 1 Sep 2011 01:10:31 +0000
Subject: [Freeipa-users] libcurl problem
Message-ID: <833D8E48405E064EBC54C84EC6B36E403C5A3F51@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

Has this been fixed in RHEL5.x and RHEL 6.x yet?

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ

From rcritten at redhat.com Thu Sep 1 12:05:36 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 01 Sep 2011 08:05:36 -0400
Subject: [Freeipa-users] libcurl problem
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E403C5A3F51@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E403C5A3F51@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4E5F7510.3010907@redhat.com>

Steven Jones wrote:
> Hi,
>
> Has this been fixed in RHEL5.x and RHEL 6.x yet?

No. Still waiting for xmlrpc-c to be updated in RHEL-6 and ipa-client has been updated in neither.

rob

From caluml at gmail.com Thu Sep 1 09:55:48 2011
From: caluml at gmail.com (Calum)
Date: Thu, 1 Sep 2011 10:55:48 +0100
Subject: [Freeipa-users] Compilation error
Message-ID:

Hello all,

I am trying to install FreeIPA on Redhat 5.7, and I'm having some troubles.
I believe I'm not missing any dependencies.

Can anyone tell me what is causing the problem below? (Yes, I'm
running make as root - it's not a problem in this instance)

# make
if [ ! -e RELEASE ]; then echo 0 > RELEASE; fi
sed -e s/__VERSION__/2.1.0/ -e s/__RELEASE__/0/ \
    freeipa.spec.in > freeipa.spec
sed -e s/__VERSION__/2.1.0/ version.m4.in \
    > version.m4
sed -e s/__VERSION__/2.1.0/ ipapython/setup.py.in \
    > ipapython/setup.py
sed -e s/__VERSION__/2.1.0/ ipapython/version.py.in \
    > ipapython/version.py
perl -pi -e "s:__NUM_VERSION__:210:" ipapython/version.py
perl -pi -e "s:__API_VERSION__:2.11:" ipapython/version.py
sed -e s/__VERSION__/2.1.0/ daemons/ipa-version.h.in \
    > daemons/ipa-version.h
perl -pi -e "s:__NUM_VERSION__:210:" daemons/ipa-version.h
perl -pi -e "s:__DATA_VERSION__:20100614120000:" daemons/ipa-version.h
sed -e s/__VERSION__/2.1.0/ -e s/__RELEASE__/0/ \
    ipa-client/ipa-client.spec.in > ipa-client/ipa-client.spec
sed -e s/__VERSION__/2.1.0/ ipa-client/version.m4.in \
    > ipa-client/version.m4
if [ "" != "yes" ]; then \
    ./makeapi --validate; \
fi
Traceback (most recent call last):
  File "./makeapi", line 280, in ?
    sys.exit(main())
  File "./makeapi", line 258, in main
    api.finalize()
  File "/root/freeipa-2.1.0/ipalib/plugable.py", line 578, in finalize
    self.__do_if_not_done('load_plugins')
  File "/root/freeipa-2.1.0/ipalib/plugable.py", line 388, in __do_if_not_done
    getattr(self, name)()
  File "/root/freeipa-2.1.0/ipalib/plugable.py", line 530, in load_plugins
    self.import_plugins('ipalib')
  File "/root/freeipa-2.1.0/ipalib/plugable.py", line 568, in import_plugins
    raise e
  File "/root/freeipa-2.1.0/ipalib/dn.py", line 1069
    rdn = RDN(*avas, first_key_match=self.first_key_match)
                                   ^
SyntaxError: invalid syntax
make: *** [version-update] Error 1

Many thanks,

Calum

From rcritten at redhat.com Thu Sep 1 15:07:23 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 01 Sep 2011 11:07:23 -0400
Subject: [Freeipa-users] Compilation error
In-Reply-To:
References:
Message-ID: <4E5F9FAB.4000601@redhat.com>

Calum wrote:
> Hello all,
>
> I am trying to install FreeIPA on Redhat 5.7, and I'm having some troubles.
> I believe I'm not missing any dependencies.
>
> Can anyone tell me what is causing the problem below? (Yes, I'm
> running make as root - it's not a problem in this instance)
>
> # make
> if [ ! -e RELEASE ]; then echo 0 > RELEASE; fi
> sed -e s/__VERSION__/2.1.0/ -e s/__RELEASE__/0/ \
>     freeipa.spec.in > freeipa.spec
> sed -e s/__VERSION__/2.1.0/ version.m4.in \
>     > version.m4
> sed -e s/__VERSION__/2.1.0/ ipapython/setup.py.in \
>     > ipapython/setup.py
> sed -e s/__VERSION__/2.1.0/ ipapython/version.py.in \
>     > ipapython/version.py
> perl -pi -e "s:__NUM_VERSION__:210:" ipapython/version.py
> perl -pi -e "s:__API_VERSION__:2.11:" ipapython/version.py
> sed -e s/__VERSION__/2.1.0/ daemons/ipa-version.h.in \
>     > daemons/ipa-version.h
> perl -pi -e "s:__NUM_VERSION__:210:" daemons/ipa-version.h
> perl -pi -e "s:__DATA_VERSION__:20100614120000:" daemons/ipa-version.h
> sed -e s/__VERSION__/2.1.0/ -e s/__RELEASE__/0/ \
>     ipa-client/ipa-client.spec.in > ipa-client/ipa-client.spec
> sed -e s/__VERSION__/2.1.0/ ipa-client/version.m4.in \
>     > ipa-client/version.m4
> if [ "" != "yes" ]; then \
>     ./makeapi --validate; \
> fi
> Traceback (most recent call last):
>   File "./makeapi", line 280, in ?
>     sys.exit(main())
>   File "./makeapi", line 258, in main
>     api.finalize()
>   File "/root/freeipa-2.1.0/ipalib/plugable.py", line 578, in finalize
>     self.__do_if_not_done('load_plugins')
>   File "/root/freeipa-2.1.0/ipalib/plugable.py", line 388, in __do_if_not_done
>     getattr(self, name)()
>   File "/root/freeipa-2.1.0/ipalib/plugable.py", line 530, in load_plugins
>     self.import_plugins('ipalib')
>   File "/root/freeipa-2.1.0/ipalib/plugable.py", line 568, in import_plugins
>     raise e
>   File "/root/freeipa-2.1.0/ipalib/dn.py", line 1069
>     rdn = RDN(*avas, first_key_match=self.first_key_match)
>                                    ^
> SyntaxError: invalid syntax
> make: *** [version-update] Error 1
>
> Many thanks,
>
> Calum

You will have some serious difficulties getting the server to build in 5.x due to the version of python. We don't support the server in RHEL 5.

rob

From caluml at gmail.com Thu Sep 1 15:56:45 2011
From: caluml at gmail.com (Calum)
Date: Thu, 1 Sep 2011 16:56:45 +0100
Subject: [Freeipa-users] Compilation error
In-Reply-To: <4E5F9FAB.4000601@redhat.com>
References: <4E5F9FAB.4000601@redhat.com>
Message-ID:

On 1 September 2011 16:07, Rob Crittenden wrote:
>
> You will have some serious difficulties getting the server to build in 5.x
> due to the version of python. We don't support the server in RHEL 5.
>
> rob

Hello,

I couldn't find this mentioned anywhere on the site - maybe it's worthwhile adding to your FAQ, or have a Prerequisites/Requirements page?

Anyway, I'll get a RHEL 6 box, and see if it goes a little more smoothly :)

Calum

From Steven.Jones at vuw.ac.nz Sun Sep 4 22:08:28 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Sun, 4 Sep 2011 22:08:28 +0000
Subject: [Freeipa-users] Test scenario
Message-ID: <833D8E48405E064EBC54C84EC6B36E403C5B748A@STAWINCOX10MBX4.staff.vuw.ac.nz>

Hi,

For evaluation purposes I am looking to write test cases to evaluate authentication products, so here is one I am thinking of.

From what I can see of IPA it would be fairly easy to implement centrally?

Let's say I have four Linux users who are in AD...all on the same server/workstation.

How would I (or is it possible to) set them up so user A can ssh to certain remote servers (group A), but user B cannot get to the group A servers. At the same time user B can get to Group B servers but A cannot...In addition to that User C is an admin and he can get to both groups A and B...User D in the meantime cannot get to A or B groups...but can ssh out to the Internet...as can A, B and C.

Does anyone have any others that are real world situations that I can use as test cases?
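The four-user scenario above, modelled in Python as an added example (it is not code from FreeIPA, SSSD or anyone in this thread). It implements the HBAC evaluation semantics that the replies below rely on: a login is allowed when at least one enabled rule matches the user (directly or through a user group), the target host (directly or through a host group) and the PAM service; there are no deny rules, so an unmatched login is denied. The user names, group names, host names and rule names are assumptions. The `allow_all` rule mirrors the one ipa-server-install creates by default; it has to be disabled before group-scoped rules mean anything, which the example shows. The outbound ssh to the Internet in the scenario is not modelled, because HBAC only governs logins to hosts that are themselves enrolled, as Simo notes further down the thread.

```python
"""Model of FreeIPA host-based access control (HBAC) evaluation.

Added example, not FreeIPA or SSSD code. Semantics modelled: a login is allowed
when at least one enabled rule matches user, host and service; membership may
be direct, through a user group or host group, or through the rule's "all"
category; there are no deny rules, so no match means deny.
All names below are constructed for the scenario in the question.
"""
from dataclasses import dataclass, field


@dataclass
class HbacRule:
    name: str
    users: set = field(default_factory=set)
    usergroups: set = field(default_factory=set)
    hosts: set = field(default_factory=set)
    hostgroups: set = field(default_factory=set)
    services: set = field(default_factory=set)
    user_category_all: bool = False     # --usercat=all
    host_category_all: bool = False     # --hostcat=all
    service_category_all: bool = False  # --servicecat=all
    enabled: bool = True


@dataclass
class Directory:
    usergroup_members: dict   # group name -> set of user names
    hostgroup_members: dict   # host group name -> set of host FQDNs
    rules: list

    def _user_matches(self, rule, user):
        return (rule.user_category_all or user in rule.users
                or any(user in self.usergroup_members.get(g, ()) for g in rule.usergroups))

    def _host_matches(self, rule, host):
        return (rule.host_category_all or host in rule.hosts
                or any(host in self.hostgroup_members.get(g, ()) for g in rule.hostgroups))

    @staticmethod
    def _service_matches(rule, service):
        return rule.service_category_all or service in rule.services

    def matching_rules(self, user, host, service):
        """Names of enabled rules that allow user -> host via service."""
        return [r.name for r in self.rules
                if r.enabled and self._user_matches(r, user)
                and self._host_matches(r, host) and self._service_matches(r, service)]

    def allowed(self, user, host, service="sshd"):
        """Default deny: access only if some rule matched."""
        return bool(self.matching_rules(user, host, service))


def build_scenario(allow_all_enabled=False):
    """Users A-D from the question. Group, host group and rule names are assumptions.

    allow_all mirrors the rule ipa-server-install creates by default; leaving it
    enabled makes every other rule irrelevant, so the model disables it unless asked.
    """
    rules = [
        HbacRule("allow_all", user_category_all=True, host_category_all=True,
                 service_category_all=True, enabled=allow_all_enabled),
        HbacRule("team-a-ssh", usergroups={"team-a"}, hostgroups={"servers-a"}, services={"sshd"}),
        HbacRule("team-b-ssh", usergroups={"team-b"}, hostgroups={"servers-b"}, services={"sshd"}),
        HbacRule("admins-ssh", usergroups={"admins"},
                 hostgroups={"servers-a", "servers-b"}, services={"sshd"}),
    ]
    return Directory(
        usergroup_members={"team-a": {"usera"}, "team-b": {"userb"}, "admins": {"userc"}},
        hostgroup_members={"servers-a": {"a1.example.test", "a2.example.test"},
                           "servers-b": {"b1.example.test"}},
        rules=rules,
    )


def access_matrix(directory, users=("usera", "userb", "userc", "userd"),
                  hosts=("a1.example.test", "b1.example.test"), service="sshd"):
    """user -> host -> allowed?"""
    return {u: {h: directory.allowed(u, h, service) for h in hosts} for u in users}


if __name__ == "__main__":
    for user, row in access_matrix(build_scenario()).items():
        print(user, {h: ("allow" if ok else "deny") for h, ok in row.items()})
```

On a real server the same structure is expressed with `ipa hostgroup-add`, `ipa group-add`, `ipa hbacrule-add`, `ipa hbacrule-add-user --groups=...`, `ipa hbacrule-add-host --hostgroups=...` and `ipa hbacrule-add-service --hbacsvcs=sshd`, and the default rule is switched off with `ipa hbacrule-disable allow_all`; the model's `matching_rules` is the check you would otherwise do by hand with `ipa hbacrule-find` before trusting a rule set.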
regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ

From sigbjorn at nixtra.com Mon Sep 5 09:29:08 2011
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Mon, 5 Sep 2011 11:29:08 +0200 (CEST)
Subject: [Freeipa-users] Test scenario
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E403C5B748A@STAWINCOX10MBX4.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E403C5B748A@STAWINCOX10MBX4.staff.vuw.ac.nz>
Message-ID: <34438.213.225.75.97.1315214948.squirrel@www.nixtra.com>

On Mon, September 5, 2011 00:08, Steven Jones wrote:
> Hi,
>
> For evaluation purposes I am looking to write test cases to evaluate authentication products,
> so here is one I am thinking of.
>
> From what I can see of IPA it would be fairly easy to implement centrally?
>
> Let's say I have four Linux users who are in AD...all on the same server/workstation.
>
> How would I (or is it possible to) set them up so user A can ssh to certain remote servers (group
> A), but user B cannot get to the group A servers. At the same time user B can get to Group B
> servers but A cannot...In addition to that User C is an admin and he can get to both groups A
> and B...User D in the meantime cannot get to A or B groups...but can ssh out to the
> Internet...as can A, B and C.
>
> Does anyone have any others that are real world situations that I can use as test cases?

I presume you're referring to your AD users after they've been synced to an IPA instance...?

Use Host Based Group Access if the servers are running SSSD, or use old fashioned netgroups if your servers do not run SSSD.

http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/configuring-host-access.html

Regards,
Siggi

From Steven.Jones at vuw.ac.nz Mon Sep 5 21:15:30 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Mon, 5 Sep 2011 21:15:30 +0000
Subject: [Freeipa-users] Test scenario
In-Reply-To: <34438.213.225.75.97.1315214948.squirrel@www.nixtra.com>
References: <833D8E48405E064EBC54C84EC6B36E403C5B748A@STAWINCOX10MBX4.staff.vuw.ac.nz>, <34438.213.225.75.97.1315214948.squirrel@www.nixtra.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E403C5BAF35@STAWINCOX10MBX4.staff.vuw.ac.nz>

No, I'm looking at this in a fairly agnostic way...what I am looking for are real world scenarios that I can test potential LDAP type solutions against to determine the best for our needs...but you are right, the sssd link in is a killer...

BUT

I have to prove to my management which solution is the best...I have an uphill struggle as they want to use AD but they also want all the bells and whistles, except they don't know what that means...so I need to construct test cases where I can say here are (say) 5 cases, I want to get them to sign off on as what they want...

So I need to use logic against their gut feel...or I'll end up managing a pile of crap...

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________________
From: Sigbjorn Lie [sigbjorn at nixtra.com]
Sent: Monday, 5 September 2011 9:29 p.m.
To: Steven Jones
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Test scenario

On Mon, September 5, 2011 00:08, Steven Jones wrote:
> Hi,
>
> For evaluation purposes I am looking to write test cases to evaluate authentication products,
> so here is one I am thinking of.
>
> From what I can see of IPA it would be fairly easy to implement centrally?
>
> Let's say I have four Linux users who are in AD...all on the same server/workstation.
>
> How would I (or is it possible to) set them up so user A can ssh to certain remote servers (group
> A), but user B cannot get to the group A servers. At the same time user B can get to Group B
> servers but A cannot...In addition to that User C is an admin and he can get to both groups A
> and B...User D in the meantime cannot get to A or B groups...but can ssh out to the
> Internet...as can A, B and C.
>
> Does anyone have any others that are real world situations that I can use as test cases?

I presume you're referring to your AD users after they've been synced to an IPA instance...?

Use Host Based Group Access if the servers are running SSSD, or use old fashioned netgroups if your servers do not run SSSD.

http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/configuring-host-access.html

Regards,
Siggi

From simo at redhat.com Tue Sep 6 12:03:15 2011
From: simo at redhat.com (Simo Sorce)
Date: Tue, 06 Sep 2011 08:03:15 -0400
Subject: [Freeipa-users] Test scenario
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E403C5BAF35@STAWINCOX10MBX4.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E403C5B748A@STAWINCOX10MBX4.staff.vuw.ac.nz>, <34438.213.225.75.97.1315214948.squirrel@www.nixtra.com> <833D8E48405E064EBC54C84EC6B36E403C5BAF35@STAWINCOX10MBX4.staff.vuw.ac.nz>
Message-ID: <1315310595.20296.411.camel@willson.li.ssimo.org>

On Mon, 2011-09-05 at 21:15 +0000, Steven Jones wrote:
> No, I'm looking at this in a fairly agnostic way...what I am looking
> for are real world scenarios that I can test potential LDAP type
> solutions against to determine the best for our needs...but you are
> right, the sssd link in is a killer...
>
> BUT
>
> I have to prove to my management which solution is the best...I have
> an uphill struggle as they want to use AD but they also want all the
> bells and whistles, except they don't know what that means...so I
> need to construct test cases where I can say here are (say) 5 cases, I
> want to get them to sign off on as what they want...
>
> So I need to use logic against their gut feel...or I'll end up
> managing a pile of crap...

In v3 we are planning on having "external groups" where you can put users from trusted domains. So you can reference these groups locally and are free to determine memberships. That will allow you to use HBAC.

That said, you can only control HBAC stuff on freeipa-enabled servers.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ranger at opennms.org Tue Sep 6 15:56:27 2011
From: ranger at opennms.org (Benjamin Reed)
Date: Tue, 06 Sep 2011 11:56:27 -0400
Subject: [Freeipa-users] Installing Using Existing Certificate
Message-ID: <4E6642AB.7010306@opennms.org>

I've gotten a GeoTrust certificate for the host I'm attempting to put FreeIPA onto (connect.opennms.com) and I'm now trying to set up an IPA server on RHEL 6 and I'm running into an error. I have a feeling I'm missing something obvious and/or fundamental. =)

First, I made a .pfx (PKCS12) file by taking my private key, the 2 CA certificates from GeoTrust, and the certificate and putting them into a .pem, then using openssl to generate a PKCS12 version of it.

Then, I ran:

ipa-server-install --http_pkcs12=/etc/pki/tls/certs/connect.pfx \
    --dirsrv_pkcs12=/etc/pki/tls/certs/connect.pfx \
    --dirsrv_pin=XXX --http_pin=XXX

I accept all of the defaults:

---(snip!)---
==============================================================================
This program will set up the FreeIPA Server.

This includes:
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)

To accept the default shown in brackets, press the Enter key.

Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master.example.com.

Server host name [connect.opennms.com]:

The domain name has been calculated based on the host name.

Please confirm the domain name [opennms.com]:

The IPA Master Server will be configured with
Hostname:    connect.opennms.com
IP address:  66.135.60.215
Domain name: opennms.com

The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.

Please provide a realm name [OPENNMS.COM]:
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long.

...
  [13/32]: enabling entryUSN plugin
  [14/32]: configuring lockout plugin
  [15/32]: creating indices
  [16/32]: configuring ssl for ds instance
Unexpected error - see ipaserver-install.log for details:
Could not find a CA cert in /etc/pki/tls/certs/connect.pfx
---(snip!)---

...is the issue that I really need a *.opennms.com certificate, or that I need to make my domain/realm "connect.opennms.com"?

--
Benjamin Reed
The OpenNMS Group
http://www.opennms.org/

From ranger at opennms.org Tue Sep 6 16:21:51 2011
From: ranger at opennms.org (Benjamin Reed)
Date: Tue, 06 Sep 2011 12:21:51 -0400
Subject: [Freeipa-users] Installing Using Existing Certificate
In-Reply-To: <4E6642AB.7010306@opennms.org>
References: <4E6642AB.7010306@opennms.org>
Message-ID: <4E66489F.5030900@opennms.org>

On 9/6/11 11:56 AM, Benjamin Reed wrote:
> ...is the issue that I really need a *.opennms.com certificate, or that
> I need to make my domain/realm "connect.opennms.com"?

Actually, I just tried this (making the hostname *and* the domain "connect.opennms.com") and it still bombs with the same error. I must be missing something else.

--
Benjamin Reed
The OpenNMS Group
http://www.opennms.org/

From ranger at opennms.org Tue Sep 6 16:35:58 2011
From: ranger at opennms.org (Benjamin Reed)
Date: Tue, 06 Sep 2011 12:35:58 -0400
Subject: [Freeipa-users] Installing Using Existing Certificate
In-Reply-To: <4E66489F.5030900@opennms.org>
References: <4E6642AB.7010306@opennms.org> <4E66489F.5030900@opennms.org>
Message-ID: <4E664BEE.4070307@opennms.org>

On 9/6/11 12:21 PM, Benjamin Reed wrote:
> On 9/6/11 11:56 AM, Benjamin Reed wrote:
>> ...is the issue that I really need a *.opennms.com certificate, or that
>> I need to make my domain/realm "connect.opennms.com"?
>
> Actually, I just tried this (making the hostname *and* the domain
> "connect.opennms.com") and it still bombs with the same error. I must
> be missing something else.
>

OK, I think I see what I could do differently. It seems I really need to use the --external-ca method of setting up the server, except I've already created a csr and received a certificate back from geotrust.

How do I short-circuit the first-half (--external-ca) part of the install so I can pass in my certificate and ca chain for the second half? (--external_cert_file and --external_ca_file)

Sorry for the newbie questions, it appears my real issue is I got the certificate before seeing that FreeIPA sets things up by generating its own CSR.

--
Benjamin Reed
The OpenNMS Group
http://www.opennms.org/

From sigbjorn at nixtra.com Tue Sep 6 18:04:28 2011
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Tue, 06 Sep 2011 20:04:28 +0200
Subject: [Freeipa-users] Error message when denied by HBAC
Message-ID: <4E6660AC.1030008@nixtra.com>

Hi,

I attempt a login with a user account that's being denied access to the host via HBAC, I receive the following generic error message.

Sep 6 20:02:03 ipa01 sshd[11592]: pam_sss(sshd:account): Access denied for user username: 4 (System error)

Would it be an idea to change this to advise that the user login was denied due to HBAC rules? I see this is a bit confusing.

Regards,
Siggi

From sgallagh at redhat.com Tue Sep 6 18:37:07 2011
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Tue, 06 Sep 2011 14:37:07 -0400
Subject: [Freeipa-users] Error message when denied by HBAC
In-Reply-To: <4E6660AC.1030008@nixtra.com>
References: <4E6660AC.1030008@nixtra.com>
Message-ID: <1315334228.2410.25.camel@sgallagh520.bos.redhat.com>

On Tue, 2011-09-06 at 20:04 +0200, Sigbjorn Lie wrote:
> Hi,
>
> I attempt a login with a user account that's being denied access to the
> host via HBAC, I receive the following generic error message.
>
> Sep 6 20:02:03 ipa01 sshd[11592]: pam_sss(sshd:account): Access denied
> for user username: 4 (System error)
>
>
> Would it be an idea to change this to advise that the user login was
> denied due to HBAC rules? I see this is a bit confusing.

"System error" means that something went wrong with processing. It defaults to DENY (to be safe), but it's actually an error.

What version of SSSD are you running on the client? We fixed a fair number of HBAC bugs in the 1.5.13 release (which is currently in the updates-testing repos for F14, F15 and F16).
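A small triage script, added here as an example (it is not SSSD code), that applies Stephen's distinction to pam_sss log lines: it pulls the numeric PAM result out of each "Access denied" message and separates code 6 (PAM_PERM_DENIED, a genuine policy decision such as no HBAC rule matching) from code 4 (PAM_SYSTEM_ERR, evaluation failed and SSSD denied by default), which is the one that calls for an SSSD investigation rather than a rule change. Only the first sample line is the one quoted in the thread; the other log lines are constructed.

```python
"""Triage pam_sss account denials by PAM result code.

Added example, not SSSD code. The log line format is the one quoted in the
thread: "... for user NAME: CODE (TEXT)". Sample lines below are constructed.
"""
import re
from collections import Counter

# Linux-PAM return codes as pam_sss logs them (from <security/_pam_types.h>)
PAM_SYSTEM_ERR = 4    # evaluation failed; SSSD denies by default -> investigate
PAM_PERM_DENIED = 6   # a real policy decision, e.g. no HBAC rule matched
PAM_AUTH_ERR = 7      # bad credentials

# Matches "pam_sss(sshd:account): Access denied for user alice: 4 (System error)";
# later SSSD releases bracket the user name, so "[alice]" is accepted too.
LINE_RE = re.compile(
    r"pam_sss\((?P<service>[^:()]+):(?P<stack>\w+)\): "
    r"(?P<msg>[^:]+?) for user \[?(?P<user>[^\]\s:]+)\]?: "
    r"(?P<code>\d+) \((?P<text>[^)]*)\)"
)


def classify(code):
    """Map a PAM result code to an operator-facing category."""
    if code == PAM_PERM_DENIED:
        return "policy-deny"
    if code == PAM_SYSTEM_ERR:
        return "system-error"
    if code == PAM_AUTH_ERR:
        return "auth-failure"
    return "other"


def parse_line(line):
    """Return the parsed fields of a pam_sss result line, or None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["code"] = int(rec["code"])
    rec["category"] = classify(rec["code"])
    return rec


def triage(lines):
    """Count lines per category; lines that carry no PAM result code count as 'unparsed'."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        counts[rec["category"] if rec else "unparsed"] += 1
    return counts


def system_error_users(lines):
    """Users whose denial was a system error (log order, duplicates removed)."""
    seen = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["category"] == "system-error" and rec["user"] not in seen:
            seen.append(rec["user"])
    return seen


# Constructed sample log; only the first line is the one quoted in the thread.
SAMPLE_LOG = """\
Sep  6 20:02:03 ipa01 sshd[11592]: pam_sss(sshd:account): Access denied for user username: 4 (System error)
Sep  6 20:05:11 ipa01 sshd[11640]: pam_sss(sshd:account): Access denied for user userd: 6 (Permission denied)
Sep  6 20:05:40 ipa01 sshd[11655]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.9 user=usera
Sep  6 20:06:02 ipa01 sshd[11660]: pam_sss(sshd:account): Access denied for user usera: 4 (System error)
"""

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print(dict(triage(lines)))
    print("system errors to investigate:", system_error_users(lines))
```

Feed it `journalctl`/`/var/log/secure` output and alert on the "system-error" bucket: a burst of code 4 denials is an SSSD or server-side problem (such as the group-handling bugs discussed in this thread), whereas code 6 denials are the rule set doing its job and belong in the access audit trail.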
-------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 198 bytes Desc: This is a digitally signed message part URL: From ranger at opennms.org Tue Sep 6 18:52:54 2011 From: ranger at opennms.org (Benjamin Reed) Date: Tue, 06 Sep 2011 14:52:54 -0400 Subject: [Freeipa-users] Installing Using Existing Certificate In-Reply-To: <4E6642AB.7010306@opennms.org> References: <4E6642AB.7010306@opennms.org> Message-ID: <4E666C06.8070103@opennms.org> On 9/6/11 11:56 AM, Benjamin Reed wrote: > I've gotten a GeoTrust certificate for the host I'm attempting to put > FreeIPA onto (connect.opennms.com) and I'm now trying to set up an IPA > server on RHEL 6 and I'm running into an error. I have a feeling I'm > missing something obvious and/or fundamental. =) I was, in fact, missing something both obvious and fundamental. So if you have a certificate from a CA that you wish to use for the "public-facing" portions of your server, you don't in fact need to embed it into the bowels of FreeIPA, you only need to use it for LDAP and HTTPS. Here are the steps I took to get it working (thanks MUCH for the help from simo and richm on IRC): First, Set up FreeIPA as you normally would, in my case: ipa-server-install --selfsign Then, get your keys in the right format, as per this page: http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP When attempting to restart the directory server, it failed, because it didn't have a trust setting for the chained CA certificates: certutil -d /etc/dirsrv/slapd-YOUR-DOMAIN -L GeoTrust DV SSL CA - GeoTrust Inc. ,, GeoTrust Global CA - GeoTrust Inc. ,, They should be "CT,," not ",," for things to start up correctly. I fixed it by telling certutil to trust them: certutil -d /etc/dirsrv/slapd-YOUR-DOMAIN -M -n "GeoTrust DV SSL CA - GeoTrust Inc." -t CT,, certutil -d /etc/dirsrv/slapd-YOUR-DOMAIN -M -n "GeoTrust Global CA - GeoTrust Inc." 
-t CT,, Now everything's up and appears to be running. -- Benjamin Reed The OpenNMS Group http://www.opennms.org/ From sigbjorn at nixtra.com Tue Sep 6 18:58:49 2011 From: sigbjorn at nixtra.com (Sigbjorn Lie) Date: Tue, 06 Sep 2011 20:58:49 +0200 Subject: [Freeipa-users] Error message when denied by HBAC In-Reply-To: <1315334228.2410.25.camel@sgallagh520.bos.redhat.com> References: <4E6660AC.1030008@nixtra.com> <1315334228.2410.25.camel@sgallagh520.bos.redhat.com> Message-ID: <4E666D69.7040806@nixtra.com> On 09/06/2011 08:37 PM, Stephen Gallagher wrote: > On Tue, 2011-09-06 at 20:04 +0200, Sigbjorn Lie wrote: >> Hi, >> >> I attempt a login with a user account that's being denied access to the >> host via HBAC, I receive the following generic error message. >> >> Sep 6 20:02:03 ipa01 sshd[11592]: pam_sss(sshd:account): Access denied >> for user username: 4 (System error) >> >> >> Would it be an idea to change this to advise that the user login was >> denied due to HBAC rules? I see this is a bit confusing. > > "System error" means that something went wrong with processing. It > defaults to DENY (to be safe), but it's actually an error. > > What version of SSSD are you running on the client? We fixed a fair > number of HBAC bugs in the 1.5.13 release (which is currently in the > updates-testing repos for F14, F15 and F16). sssd-1.5.12-1.fc15.x86_64 sssd-client-1.5.12-1.fc15.x86_64 I see there's some problems. :) I cannot log in if no exactly the user is mentioned and exactly the host mentioned in the rule. If I attempt to use user groups and host groups in a hbac rule, I receive the error above. Was there a related bug fixed in 1.5.13? 
Rgds, Siggi From sgallagh at redhat.com Tue Sep 6 19:08:13 2011 From: sgallagh at redhat.com (Stephen Gallagher) Date: Tue, 06 Sep 2011 15:08:13 -0400 Subject: [Freeipa-users] Error message when denied by HBAC In-Reply-To: <4E666D69.7040806@nixtra.com> References: <4E6660AC.1030008@nixtra.com> <1315334228.2410.25.camel@sgallagh520.bos.redhat.com> <4E666D69.7040806@nixtra.com> Message-ID: <1315336094.2410.29.camel@sgallagh520.bos.redhat.com> On Tue, 2011-09-06 at 20:58 +0200, Sigbjorn Lie wrote: > On 09/06/2011 08:37 PM, Stephen Gallagher wrote: > > On Tue, 2011-09-06 at 20:04 +0200, Sigbjorn Lie wrote: > >> Hi, > >> > >> I attempt a login with a user account that's being denied access to the > >> host via HBAC, I receive the following generic error message. > >> > >> Sep 6 20:02:03 ipa01 sshd[11592]: pam_sss(sshd:account): Access denied > >> for user username: 4 (System error) > >> > >> > >> Would it be an idea to change this to advise that the user login was > >> denied due to HBAC rules? I see this is a bit confusing. > > > > "System error" means that something went wrong with processing. It > > defaults to DENY (to be safe), but it's actually an error. > > > > What version of SSSD are you running on the client? We fixed a fair > > number of HBAC bugs in the 1.5.13 release (which is currently in the > > updates-testing repos for F14, F15 and F16). > > sssd-1.5.12-1.fc15.x86_64 > sssd-client-1.5.12-1.fc15.x86_64 > > I see there's some problems. :) > > I cannot log in if no exactly the user is mentioned and exactly the host > mentioned in the rule. If I attempt to use user groups and host groups > in a hbac rule, I receive the error above. Was there a related bug fixed > in 1.5.13? https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.13 Yes, there were three HBAC bugs fixed. User groups and host groups now work properly. (The other bug was related to groups with no mumbers). 
Please try sssd-1.5.13-1.fc15.2 from updates-testing (actually, it looks like it hasn't hit the mirrors yet, so wait a day or so). -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 198 bytes Desc: This is a digitally signed message part URL: From sigbjorn at nixtra.com Tue Sep 6 19:31:25 2011 From: sigbjorn at nixtra.com (Sigbjorn Lie) Date: Tue, 06 Sep 2011 21:31:25 +0200 Subject: [Freeipa-users] Error message when denied by HBAC In-Reply-To: <1315336094.2410.29.camel@sgallagh520.bos.redhat.com> References: <4E6660AC.1030008@nixtra.com> <1315334228.2410.25.camel@sgallagh520.bos.redhat.com> <4E666D69.7040806@nixtra.com> <1315336094.2410.29.camel@sgallagh520.bos.redhat.com> Message-ID: <4E66750D.2030008@nixtra.com> On 09/06/2011 09:08 PM, Stephen Gallagher wrote: > On Tue, 2011-09-06 at 20:58 +0200, Sigbjorn Lie wrote: >> On 09/06/2011 08:37 PM, Stephen Gallagher wrote: >>> On Tue, 2011-09-06 at 20:04 +0200, Sigbjorn Lie wrote: >>>> Hi, >>>> >>>> I attempt a login with a user account that's being denied access to the >>>> host via HBAC, I receive the following generic error message. >>>> >>>> Sep 6 20:02:03 ipa01 sshd[11592]: pam_sss(sshd:account): Access denied >>>> for user username: 4 (System error) >>>> >>>> >>>> Would it be an idea to change this to advise that the user login was >>>> denied due to HBAC rules? I see this is a bit confusing. >>> "System error" means that something went wrong with processing. It >>> defaults to DENY (to be safe), but it's actually an error. >>> >>> What version of SSSD are you running on the client? We fixed a fair >>> number of HBAC bugs in the 1.5.13 release (which is currently in the >>> updates-testing repos for F14, F15 and F16). >> sssd-1.5.12-1.fc15.x86_64 >> sssd-client-1.5.12-1.fc15.x86_64 >> >> I see there's some problems. :) >> >> I cannot log in if no exactly the user is mentioned and exactly the host >> mentioned in the rule. 
If I attempt to use user groups and host groups >> in a hbac rule, I receive the error above. Was there a related bug fixed >> in 1.5.13? > https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.13 > > Yes, there were three HBAC bugs fixed. User groups and host groups now > work properly. (The other bug was related to groups with no mumbers). > > Please try sssd-1.5.13-1.fc15.2 from updates-testing (actually, it looks > like it hasn't hit the mirrors yet, so wait a day or so). Ok, thank you. :) Rgds, Siggi From danieljamesscott at gmail.com Wed Sep 7 18:45:59 2011 From: danieljamesscott at gmail.com (Dan Scott) Date: Wed, 7 Sep 2011 14:45:59 -0400 Subject: [Freeipa-users] Migration to FreeIPA 2 - password update via LDAP Message-ID: Hi, I have a FreeIPA 1 system which is being migrated to FreeIPA 2. After migration, the script says: "Passwords have been migrated in pre-hashed format. IPA is unable to generate Kerberos keys unless provided with clear text passwords. All migrated users need to login at https://your.domain/ipa/migration/ before they can use their Kerberos accounts." I have some users who are authenticated via LDAP. Also I have a Java application which allows them to change their password using LDAP. Will existing passwords continue to work when using LDAP authentication/password changes? It is only Kerberos authentication which requires users to re-login on this special page? Thanks, Dan From dpal at redhat.com Wed Sep 7 18:59:11 2011 From: dpal at redhat.com (Dmitri Pal) Date: Wed, 07 Sep 2011 14:59:11 -0400 Subject: [Freeipa-users] Migration to FreeIPA 2 - password update via LDAP In-Reply-To: References: Message-ID: <4E67BEFF.50000@redhat.com> On 09/07/2011 02:45 PM, Dan Scott wrote: > Hi, > > I have a FreeIPA 1 system which is being migrated to FreeIPA 2. After > migration, the script says: > > "Passwords have been migrated in pre-hashed format. > IPA is unable to generate Kerberos keys unless provided > with clear text passwords. 
All migrated users need to > login at https://your.domain/ipa/migration/ before they > can use their Kerberos accounts." > > I have some users who are authenticated via LDAP. Also I have a Java > application which allows them to change their password using LDAP. > Will existing passwords continue to work when using LDAP > authentication/password changes? It is only Kerberos authentication > which requires users to re-login on this special page? > If you update the password via LDAP using bind over SSL so that server has the password in clear the new Kerberos hashes will be generated automatically and kerberos will become usable for these users once again. Also SSSD has a nice feature to migrate user passwords. Read more about it in the SSSD docs. > Thanks, > > Dan > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From sbingram at gmail.com Wed Sep 7 19:04:47 2011 From: sbingram at gmail.com (Stephen Ingram) Date: Wed, 7 Sep 2011 12:04:47 -0700 Subject: [Freeipa-users] fresh install on F15 Message-ID: I've been testing for some time now while still using my old rickety 2.0 release candidate. I'm now ready to setup a fresh install on F15. I've read several posts that lead me to believe that I should be using the testing repository instead of the release one. I notice, however, that you can't install from the testing repository because of too many dependency issues. Should I just use the release repository and then upgrade using testing, or is there another recommended way to get to a properly functioning 2.1? 
Steve From simo at redhat.com Wed Sep 7 19:12:22 2011 From: simo at redhat.com (Simo Sorce) Date: Wed, 07 Sep 2011 15:12:22 -0400 Subject: [Freeipa-users] fresh install on F15 In-Reply-To: References: Message-ID: <1315422742.2684.2.camel@willson.li.ssimo.org> On Wed, 2011-09-07 at 12:04 -0700, Stephen Ingram wrote: > I've been testing for some time now while still using my old rickety > 2.0 release candidate. I'm now ready to setup a fresh install on F15. > I've read several posts that lead me to believe that I should be using > the testing repository instead of the release one. I notice, however, > that you can't install from the testing repository because of too many > dependency issues. Should I just use the release repository and then > upgrade using testing, or is there another recommended way to get to a > properly functioning 2.1? I upgraded my f15 using updates-testing If you have dep issues you can try to use --skip-broken Simo. -- Simo Sorce * Red Hat, Inc * New York From rcritten at redhat.com Wed Sep 7 19:12:48 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 07 Sep 2011 15:12:48 -0400 Subject: [Freeipa-users] Migration to FreeIPA 2 - password update via LDAP In-Reply-To: References: Message-ID: <4E67C230.4070805@redhat.com> Dan Scott wrote: > Hi, > > I have a FreeIPA 1 system which is being migrated to FreeIPA 2. After > migration, the script says: > > "Passwords have been migrated in pre-hashed format. > IPA is unable to generate Kerberos keys unless provided > with clear text passwords. All migrated users need to > login at https://your.domain/ipa/migration/ before they > can use their Kerberos accounts." > > I have some users who are authenticated via LDAP. Also I have a Java > application which allows them to change their password using LDAP. > Will existing passwords continue to work when using LDAP > authentication/password changes? It is only Kerberos authentication > which requires users to re-login on this special page? 
>
> Thanks,
>
> Dan

That is correct. When the user authenticates to this special page (sssd can also handle this) then Kerberos credentials are generated for the user.

rob

From rcritten at redhat.com Wed Sep 7 19:15:00 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 07 Sep 2011 15:15:00 -0400
Subject: [Freeipa-users] fresh install on F15
In-Reply-To:
References:
Message-ID: <4E67C2B4.3060909@redhat.com>

Stephen Ingram wrote:
> I've been testing for some time now while still using my old rickety
> 2.0 release candidate. I'm now ready to setup a fresh install on F15.
> I've read several posts that lead me to believe that I should be using
> the testing repository instead of the release one. I notice, however,
> that you can't install from the testing repository because of too many
> dependency issues. Should I just use the release repository and then
> upgrade using testing, or is there another recommended way to get to a
> properly functioning 2.1?
>
> Steve

Do you mean the test repositories on freeipa.org? You should not need to enable these, Fedora 15 should have everything you need. You probably need to enable updates-testing though.

rob

From pedro.nova33 at gmail.com Thu Sep 8 09:11:31 2011
From: pedro.nova33 at gmail.com (Pedro Nova)
Date: Thu, 8 Sep 2011 11:11:31 +0200
Subject: [Freeipa-users] Failed to remove SELinux rule for port 7390 when uninstalling server (S.O.Fedora 15)
Message-ID:

Error thrown when uninstalling FreeIPA Server on Fedora 15

When I try to uninstall IPA server using command:

ipa-server-install --uninstall -d

or

/usr/sbin/ipa-server-install --uninstall

This is a NON REVERSIBLE operation and will delete all data and configuration!

Are you sure you want to continue with the uninstall procedure?
[no]: yes
Shutting down all IPA services
Removing IPA client configuration
Unconfiguring ntpd
Unconfiguring CA directory server
root        : CRITICAL Failed to remove SELinux rule for port 7390
Unconfiguring CA
Unconfiguring named
Unconfiguring directory server

Regards,
Pedro Nova

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From pedro.nova33 at gmail.com Thu Sep 8 10:20:20 2011
From: pedro.nova33 at gmail.com (Pedro Nova)
Date: Thu, 8 Sep 2011 12:20:20 +0200
Subject: [Freeipa-users] Creation of replica failed: Failed to start replication on Fedora 15
Message-ID:

Hi All,

When I'm installing ipa-server-replica on Fedora release 15 it failed:

[20/27]: setting up initial replication
Starting replication, please wait until this has completed.
[vmnxipatest02.freeipa.gsnet.corp] reports: Update failed! Status: [-2 - System error]
creation of replica failed: Failed to start replication

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Then I ran ipa-server-install --uninstall without issue. The server settings are OK. Any ideas or support?

Thanks,
Pedro Nova

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From simo at redhat.com Thu Sep 8 12:20:13 2011
From: simo at redhat.com (Simo Sorce)
Date: Thu, 08 Sep 2011 08:20:13 -0400
Subject: [Freeipa-users] [Freeipa-devel] Creation of replica failed: Failed to start replication on Fedora 15
In-Reply-To:
References:
Message-ID: <1315484413.2684.15.camel@willson.li.ssimo.org>

On Thu, 2011-09-08 at 12:20 +0200, Pedro Nova wrote:
> Hi All,
>
> When Im installing ipa-server-replica on Fedora release 15 failed:
>
> [20/27]: setting up initial replication
> Starting replication, please wait until this has completed.
> [vmnxipatest02.freeipa.gsnet.corp] reports: Update failed! Status: [-2
> - System error]
> creation of replica failed: Failed to start replication
>
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> Then I run ipa-server-install --uninstall without issue. The server
> settings is Ok. Any ideas or support?

Please provide version numbers and the errors you have in /var/log/ipareplica-install.log

(Also please subscribe to freeipa-users).

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com Thu Sep 8 14:34:54 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 08 Sep 2011 10:34:54 -0400
Subject: [Freeipa-users] [Freeipa-interest] Announcing FreeIPA 2.1.1
Message-ID: <4E68D28E.9090204@redhat.com>

The FreeIPA Project is proud to announce the latest release of FreeIPA. As always, the latest tarball can be found at http://freeipa.org/

FreeIPA 2.1.1 is available in Fedora 15. It is currently in the updates-testing repository along with a number of its dependencies. Fedora 16 and rawhide builds will be coming soon.

== Highlights ==

* Reduced number of ports needed to punch through firewall by proxying dogtag through port 443
* New plugin, automember, that can automatically add users and hosts to groups and hostgroups based on regular expressions.
* Indicator in the UI and CLI when a host has a one-time password set
* DNS improvements - loading new zones via regular polling or LDAP persistent search

== Upgrading ==

=== Server ===

To upgrade a 2.0.0, 2.0.1 or 2.1.0 server do the following:

# yum update freeipa-server --enablerepo=updates-testing

This will pull in updated freeIPA, 389-ds, dogtag, libcurl and xmlrpc-c packages (and perhaps some others). A script will be executed in the rpm postinstall phase to update the IPA LDAP server with any required changes.

There is a bug reported against 389-ds, https://bugzilla.redhat.com/show_bug.cgi?id=730387, related to read-write locks. The NSPR RW lock implementation does not safely allow re-entrant use of reader locks. This is a timing issue so it is difficult to predict.
During testing one user experienced this and the upgrade hung. To break the hang kill the ns-slapd process for your realm, wait for the yum transaction to complete, then restart 389-ds and manually run the update process:

# service dirsrv start
# ipa-ldap-updater

=== Client ===

The ipa-client-install tool in the ipa-client package is just a configuration tool. There should be no need to re-run this on every client already enrolled.

== Detailed Changelog ==

Adam Young (1):
* enable proxy for dogtag

Alexander Bokovoy (1):
* Propagate environment when it is required.

Endi S. Dewata (19):
* Fixed browser configuration pages
* Hide activation/deactivation link from regular users.
* Fixed problem selecting value from combobox
* Fixed inconsistent layout for password reset dialog.
* Removed 'Hide already enrolled' checkbox.
* Replaced page dirty dialog title.
* Updated add and delete association dialog titles.
* Removed unnecessary HBAC/sudo rule category modification.
* Fixed command partial failure handling.
* Fixed default map type in automount map adder dialog.
* Fixed host OTP status.
* Fixed host keytab status after setting OTP.
* Fixed host adder dialog to show default DNS zone.
* Fixed hard-coded UI messages.
* Fixed problem adding hostgroup into netgroup.
* Fixed problem with combobox.
* Fixed hard-coded UI message in entity.js.
* Fixed missing permission filter field.
* Fixed problem with combobox using Sahi

Jan Cholasta (6):
* Make sure messagebus is running prior to starting certmonger.
* Verify that passwords specified through command line options of ipa-server-install meet the length requirement.
* Add option to install without the automatic redirect to the Web UI.
* Search for users in all the naming contexts present on the directory server.
* Add subscription-manager dependency for RHEL.
* Verify that the external CA certificate files are correct.
John Dennis (11):
* ticket 1568 - DN objects should support the insert method
* ticket 1569 - Test DN object non-latin Unicode support
* ticket 1600 - convert unittests to use DN objects
* ticket 1659 - invalid i18n string in dns.py
* ticket 1660 - update LINGUAS file, add missing po files
* ticket 1661 - Update all po files
* ticket 1650 - compute accurate translation statistics
* ticket 1707 - add documentation validation to makeapi tool
* ticket 1705 - internationalize help topics
* ticket 1706 - internationalize cli help framework
* ticket 1669 - improve i18n docstring extraction

Jr Aquino (2):
* Improve sudorule documentation
* Create FreeIPA CLI Plugin for the 389 Auto Membership plugin

Martin Kosek (6):
* Add missing attribute labels for sudorule
* Fix automountkey-mod
* Fix automountlocation-import conflicts
* ipa-client-install breaks network configuration
* Fix sudo help and summaries
* Let Bind track data changes

Petr Vobornik (8):
* error dialog for batch command
* Uncheck checkboxes in association after deletion
* Show error in adding associations
* Validation of details facet before update
* Modify serial associator to use batch
* Modifying sudo options refreshes the whole page
* Enable update and reset button only if dirty
* Attributes table not scrollable

Rob Crittenden (24):
* Add information on setting api.env.host in the ipactl.8 man page
* Log each command in a batch separately.
* Do batch logging on successful commands too, not just failures.
* Fix wording in examples of delegation plugin.
* Suppress 389-ds debug output when starting services
* Fix thread deadlock by using pthreads library instead of NSPR.
* Change the way has_keytab is determined, also check for password.
* Add additional pam ftp services to HBAC, and a ftp HBAC service group
* Add label for HBAC services to show as members
* Add option to only prompt once for passwords, use in entitle_register
* Retrieve password/keytab state when modifying a host.
* Disable reverse lookups in ipa-join and ipa-getkeytab
* Remove more 389-ds files/directories on uninstallation.
* Remove 389-ds upgrade state during uninstall
* Set min nvr of pki-ca to 9.0.12 for fix in BZ 700505
* Add common is_installed() fn, better uninstall logging, check for errors.
* Add external source hosts to HBAC.
* Roll back changes if client installation fails.
* Add netgroup as possible memberOf for hostgroups
* Sort lists so order is predictable and tests pass as expected.
* Suppress managed netgroups from showing as memberof hostgroups.
* Use the IPA server cert profile in the installer.
* Set min nvr of 389-ds-base to 1.2.9.7-1 for BZ 728605
* Become IPA 2.1.1

Simo Sorce (1):
* conncheck: Fix List of ports to check

From smma0901 at stcloudstate.edu Thu Sep 8 17:48:37 2011
From: smma0901 at stcloudstate.edu (Smith, Martin R. [smma0901@stcloudstate.edu])
Date: Thu, 8 Sep 2011 17:48:37 +0000
Subject: [Freeipa-users] krb5kdc process at 100%
Message-ID: <77D806E3863A2E4DADE1335809383D6109D8458C@SCSU84A.campus.stcloudstate.edu>

Hello all,

I'm running a fairly new install of Freeipa-server and we are running into a problem that is preventing users from logging in. We have two SSH servers that authenticate to our freeipa-server and after 15 min to 4 hrs of runtime the process Krb5kdc will consume 100% of the processor and the freeipa-server will no longer respond to ldap requests from the other machines.

Here are some specs:

The freeipa-server is running as a virtual machine on a Xen 5.6 box
Fedora 15 with all current updates
The /home directory is an NFS mount to a different server, also running freeipa-client

I updated the freeipa-server package to the "testing" repo today, the problem still exists. The only additional components I've installed are fail2ban, and rsyslog.
Some of the error messages include:

(krb5kdc.log)

Sep 08 12:10:23 client1.fake.com krb5kdc[1867](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 199.17.59.5: NEEDED_PREAUTH: host/client1.fake.com at fake.com for krbtgt/fake.com at fake.com, Additional pre-authentication required

(pki-ca-system-log)

Attached. This log is from the freeipa-server, it appears to be complaining that it can't connect to itself.

I can provide more logs to a personal email if needed.

Thanks for your help in resolving this issue.

-Martin Smith

-------------- next part --------------
An HTML attachment was scrubbed...
URL:
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: pki-ca-system.txt
URL:

From smma0901 at stcloudstate.edu Thu Sep 8 17:56:39 2011
From: smma0901 at stcloudstate.edu (Smith, Martin R. [smma0901@stcloudstate.edu])
Date: Thu, 8 Sep 2011 17:56:39 +0000
Subject: [Freeipa-users] krb5kdc process at 100%
In-Reply-To: <77D806E3863A2E4DADE1335809383D6109D8458C@SCSU84A.campus.stcloudstate.edu>
References: <77D806E3863A2E4DADE1335809383D6109D8458C@SCSU84A.campus.stcloudstate.edu>
Message-ID: <77D806E3863A2E4DADE1335809383D6109D845DC@SCSU84A.campus.stcloudstate.edu>

Update: It appears to lock up immediately after a user with an expired password attempts to login. This happens when a user attempts to login at the freeipa-server itself or one of the clients.

From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Smith, Martin R. [smma0901 at stcloudstate.edu]
Sent: Thursday, September 08, 2011 12:49 PM
To: freeipa-users at redhat.com
Subject: [Freeipa-users] krb5kdc process at 100%

Hello all,

I'm running a fairly new install of Freeipa-server and we are running into a problem that is preventing users from logging in.
We have two SSH servers that authenticate to our freeipa-server and after 15 min to 4 hrs of runtime the process Krb5kdc will consume 100% of the processor and the freeipa-server will no longer respond to ldap requests from the other machines.

Here are some specs:

The freeipa-server is running as a virtual machine on a Xen 5.6 box
Fedora 15 with all current updates
The /home directory is an NFS mount to a different server, also running freeipa-client

I updated the freeipa-server package to the "testing" repo today, the problem still exists. The only additional components I've installed are fail2ban, and rsyslog.

Some of the error messages include:

(krb5kdc.log)

Sep 08 12:10:23 client1.fake.com krb5kdc[1867](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 199.17.59.5: NEEDED_PREAUTH: host/client1.fake.com at fake.com for krbtgt/fake.com at fake.com, Additional pre-authentication required

(pki-ca-system-log)

Attached. This log is from the freeipa-server, it appears to be complaining that it can't connect to itself.

I can provide more logs to a personal email if needed.

Thanks for your help in resolving this issue.

-Martin Smith

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From simo at redhat.com Thu Sep 8 18:04:57 2011
From: simo at redhat.com (Simo Sorce)
Date: Thu, 08 Sep 2011 14:04:57 -0400
Subject: [Freeipa-users] krb5kdc process at 100%
In-Reply-To: <77D806E3863A2E4DADE1335809383D6109D845DC@SCSU84A.campus.stcloudstate.edu>
References: <77D806E3863A2E4DADE1335809383D6109D8458C@SCSU84A.campus.stcloudstate.edu> <77D806E3863A2E4DADE1335809383D6109D845DC@SCSU84A.campus.stcloudstate.edu>
Message-ID: <1315505097.2684.42.camel@willson.li.ssimo.org>

Is the ns-slapd instance for the ipa domain running when this happens ?

Simo.

On Thu, 2011-09-08 at 17:56 +0000, Smith, Martin R. [smma0901 at stcloudstate.edu] wrote:
> Update: It appears to lockup immediately after a user with an expired
> password attempts to login.
>
> -Martin Smith
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

--
Simo Sorce * Red Hat, Inc * New York

From simo at redhat.com Thu Sep 8 18:24:51 2011
From: simo at redhat.com (Simo Sorce)
Date: Thu, 08 Sep 2011 14:24:51 -0400
Subject: [Freeipa-users] krb5kdc process at 100%
In-Reply-To: <1315505097.2684.42.camel@willson.li.ssimo.org>
References: <77D806E3863A2E4DADE1335809383D6109D8458C@SCSU84A.campus.stcloudstate.edu> <77D806E3863A2E4DADE1335809383D6109D845DC@SCSU84A.campus.stcloudstate.edu> <1315505097.2684.42.camel@willson.li.ssimo.org>
Message-ID: <1315506291.2684.43.camel@willson.li.ssimo.org>

Also any chance you can attach gdb to the krb5kdc process and take a backtrace ? Hopefully we will find out where it is hanging.

Simo.

On Thu, 2011-09-08 at 14:04 -0400, Simo Sorce wrote:
> Is the ns-slapd instance for the ipa domain running when this happens ?
>
> Simo.
>
> On Thu, 2011-09-08 at 17:56 +0000, Smith, Martin R.
> [smma0901 at stcloudstate.edu] wrote:
> > Update: It appears to lockup immediately after a user with an expired
> > password attempts to login. This happens when a user attempts to login
> > at the freeipa-server itself or one of the clients.
> >
> > From: freeipa-users-bounces at redhat.com
> > [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Smith, Martin
> > R. [smma0901 at stcloudstate.edu]
> > Sent: Thursday, September 08, 2011 12:49 PM
> > To: freeipa-users at redhat.com
> > Subject: [Freeipa-users] krb5kdc process at 100%
> >
> > Hello all,
> >
> > I'm running a fairly new install of Freeipa-server and we are running
> > into a problem that is preventing users from logging in.
> >
> > -Martin Smith
> >
> > _______________________________________________
> > Freeipa-users mailing list
> > Freeipa-users at redhat.com
> > https://www.redhat.com/mailman/listinfo/freeipa-users
>
> --
> Simo Sorce * Red Hat, Inc * New York
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

--
Simo Sorce * Red Hat, Inc * New York

From danieljamesscott at gmail.com Thu Sep 8 21:29:24 2011
From: danieljamesscott at gmail.com (Dan Scott)
Date: Thu, 8 Sep 2011 17:29:24 -0400
Subject: [Freeipa-users] Migration to FreeIPA 2 - password update via LDAP
In-Reply-To: <4E67BEFF.50000@redhat.com>
References: <4E67BEFF.50000@redhat.com>
Message-ID:

Hi,

On Wed, Sep 7, 2011 at 14:59, Dmitri Pal wrote:
> On 09/07/2011 02:45 PM, Dan Scott wrote:
>> I have a FreeIPA 1 system which is being migrated to FreeIPA 2. After
>> migration, the script says:
>>
>> "Passwords have been migrated in pre-hashed format.
>> IPA is unable to generate Kerberos keys unless provided
>> with clear text passwords. All migrated users need to
>> login at https://your.domain/ipa/migration/ before they
>> can use their Kerberos accounts."
>>
>> I have some users who are authenticated via LDAP. Also I have a Java
>> application which allows them to change their password using LDAP.
>> Will existing passwords continue to work when using LDAP
>> authentication/password changes? It is only Kerberos authentication
>> which requires users to re-login on this special page?
>>
>
> If you update the password via LDAP using bind over SSL so that server
> has the password in clear the new Kerberos hashes will be generated
> automatically and kerberos will become usable for these users once again.
>
> Also SSSD has a nice feature to migrate user passwords. Read more about
> it in the SSSD docs.

Excellent, thanks for the response. The LDAP bind must be over SSL, correct?
When not using SSL, I get:

"javax.security.auth.login.LoginException: javax.security.auth.login.LoginException: LDAP bind failed for uid=djscott,cn=users,cn=compat,dc=..."

When using LDAPS, I get:

"Exception in LdapRealm when trying to authenticate user. javax.security.auth.login.LoginException: javax.naming.CommunicationException: anonymous bind failed: kelvin.example.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]"

So I guess I need to add a FreeIPA certificate into my Glassfish keystore. Does this sound right? Should I create a certificate for my service?:

https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/managing-services.html#request-service-service

Or should I be adding the CA of my FreeIPA installation?

Thanks,

Dan

>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IPA project,
> Red Hat Inc.
>
>
> -------------------------------
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>

From simo at redhat.com Fri Sep 9 01:20:32 2011
From: simo at redhat.com (Simo Sorce)
Date: Thu, 08 Sep 2011 21:20:32 -0400
Subject: [Freeipa-users] Migration to FreeIPA 2 - password update via LDAP
In-Reply-To:
References: <4E67BEFF.50000@redhat.com>
Message-ID: <1315531232.2684.53.camel@willson.li.ssimo.org>

On Thu, 2011-09-08 at 17:29 -0400, Dan Scott wrote:
> Hi,
>
> On Wed, Sep 7, 2011 at 14:59, Dmitri Pal wrote:
> > On 09/07/2011 02:45 PM, Dan Scott wrote:
> >> I have a FreeIPA 1 system which is being migrated to FreeIPA 2. After
> >> migration, the script says:
> >>
> >> "Passwords have been migrated in pre-hashed format.
> >> IPA is unable to generate Kerberos keys unless provided
> >> with clear text passwords. All migrated users need to
> >> login at https://your.domain/ipa/migration/ before they
> >> can use their Kerberos accounts."
> >>
> >> I have some users who are authenticated via LDAP. Also I have a Java
> >> application which allows them to change their password using LDAP.
> >> Will existing passwords continue to work when using LDAP
> >> authentication/password changes? It is only Kerberos authentication
> >> which requires users to re-login on this special page?
> >>
> >
> > If you update the password via LDAP using bind over SSL so that server
> > has the password in clear the new Kerberos hashes will be generated
> > automatically and kerberos will become usable for these users once again.
> >
> > Also SSSD has a nice feature to migrate user passwords. Read more about
> > it in the SSSD docs.
>
> Excellent, thanks for the response. The LDAP bind must be over SSL,
> correct?
> When not using SSL, I get:
>
> "javax.security.auth.login.LoginException:
> javax.security.auth.login.LoginException: LDAP bind failed for
> uid=djscott,cn=users,cn=compat,dc=..."
>
> When using LDAPS, I get:
>
> "Exception in LdapRealm when trying to authenticate user.
> javax.security.auth.login.LoginException:
> javax.naming.CommunicationException: anonymous bind failed:
> kelvin.example.com:636 [Root exception is
> javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to
> find valid certification path to requested target]"
>
> So I guess I need to add a FreeIPA certificate into my Glassfish
> keystore. Does this sound right? Should I create a certificate for my
> service?:
>
> https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/managing-services.html#request-service-service
>
> Or should I be adding the CA of my FreeIPA installation?

You need to add and trust the FreeIPA CA certificate to your glassfish CA cert store.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From smma0901 at stcloudstate.edu Fri Sep 9 05:09:26 2011
From: smma0901 at stcloudstate.edu (Smith, Martin R. [smma0901@stcloudstate.edu])
Date: Fri, 9 Sep 2011 05:09:26 +0000
Subject: [Freeipa-users] krb5kdc process at 100%
In-Reply-To: <1315506291.2684.43.camel@willson.li.ssimo.org>
References: <77D806E3863A2E4DADE1335809383D6109D8458C@SCSU84A.campus.stcloudstate.edu> <77D806E3863A2E4DADE1335809383D6109D845DC@SCSU84A.campus.stcloudstate.edu> <1315505097.2684.42.camel@willson.li.ssimo.org> <1315506291.2684.43.camel@willson.li.ssimo.org>
Message-ID: <915F55D6-213E-45C8-9987-69DE25DB38A5@stcloudstate.du>

When I attach gdb to the process, I have tried the main process and the four child processes, it provides no output.

Here are the steps I'm taking:

1. On freeipa-server run htop and find the pid (or ps aux)
   * Shows one parent PID and four child processes
     * 934 root 20 0 46784 2656 388 S 0.0 0.1 0:00.00 `- /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid -w 4
     * 1939 root 20 0 78664 4460 2056 S 0.0 0.1 0:00.26 | `- /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid -w 4
     * 1938 root 20 0 78664 4460 2056 S 0.0 0.1 0:00.26 | `- /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid -w 4
     * 1936 root 20 0 78664 4460 2056 S 0.0 0.1 0:00.26 | `- /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid -w 4
     * 1935 root 20 0 78664 4212 1808 S 0.0 0.1 0:00.26 | `- /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid -w 4
   * run sudo gdb
     * attach 934
     * press "c"
     * Wait for output?
2. Attempt to login with user that has an expired password.
3. Now the krb5kdc process 934 starts running at 100% and the user is unable to login.
4. Only way to get the process back to normal is to type "service ipa restart"

I've never debugged a program before so if I'm missing a step please let me know.

-Martin

On Sep 8, 2011, at 1:24 PM, Simo Sorce wrote:

Also any chance you can attach gdb to the krb5kdc process and take a backtrace ? Hopefully we will find out where it is hanging.

Simo.

On Thu, 2011-09-08 at 14:04 -0400, Simo Sorce wrote:

Is the ns-slapd instance for the ipa domain running when this happens ?

Simo.

On Thu, 2011-09-08 at 17:56 +0000, Smith, Martin R. [smma0901 at stcloudstate.edu] wrote:

Update: It appears to lockup immediately after a user with an expired password attempts to login. This happens when a user attempts to login at the freeipa-server itself or one of the clients.

From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Smith, Martin R. [smma0901 at stcloudstate.edu]
Sent: Thursday, September 08, 2011 12:49 PM
To: freeipa-users at redhat.com
Subject: [Freeipa-users] krb5kdc process at 100%

Hello all,

I'm running a fairly new install of Freeipa-server and we are running into a problem that is preventing users from logging in.
URL:

From simo at redhat.com Fri Sep 9 13:55:50 2011
From: simo at redhat.com (Simo Sorce)
Date: Fri, 09 Sep 2011 09:55:50 -0400
Subject: [Freeipa-users] krb5kdc process at 100%
In-Reply-To: <915F55D6-213E-45C8-9987-69DE25DB38A5@stcloudstate.du>
References: <77D806E3863A2E4DADE1335809383D6109D8458C@SCSU84A.campus.stcloudstate.edu> <77D806E3863A2E4DADE1335809383D6109D845DC@SCSU84A.campus.stcloudstate.edu> <1315505097.2684.42.camel@willson.li.ssimo.org> <1315506291.2684.43.camel@willson.li.ssimo.org> <915F55D6-213E-45C8-9987-69DE25DB38A5@stcloudstate.du>
Message-ID: <1315576550.2684.87.camel@willson.li.ssimo.org>

On Fri, 2011-09-09 at 05:09 +0000, Smith, Martin R. [smma0901 at stcloudstate.edu] wrote:
> When I attach gdb to the process, I have tried the main process and
> the four child processes, it provides no output.
> Here are the steps I'm taking:
> 1. On freeipa-server run htop and find the pid (or ps aux)
>    1. Shows one parent PID and four child processes
>       1. 934 root 20 0 46784 2656 388 S 0.0 0.1 0:00.00 `- /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid -w 4
>       2. 1939 root 20 0 78664 4460 2056 S 0.0 0.1 0:00.26 | `- /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid -w 4
>       3. 1938 root 20 0 78664 4460 2056 S 0.0 0.1 0:00.26 | `- /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid -w 4
>       4. 1936 root 20 0 78664 4460 2056 S 0.0 0.1 0:00.26 | `- /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid -w 4
>       5. 1935 root 20 0 78664 4212 1808 S 0.0 0.1 0:00.26 | `- /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid -w 4
>    2. run sudo gdb
>       1. attach 934
>       2. press "c"
>       3. Wait for output?
> 2. Attempt to login with user that has an expired password.
> 3. Now the krb5kdc process 934 starts running at 100% and the
> user is unable to login.
> 4. Only way to get the process back to normal is to type "service
> ipa restart"
>
> I've never debugged a program before so if I'm missing a step please
> let me know.

Ok, let's simplify the problem first.
apperently you have a quadcore cpu so by default we configured krb5kdc to spawn 4 worker processes. Let's bring it down to not spawning any worker process so we can simplify debugging. Go to /etc/sysconfig/krb5kdc and remove the "-w 4" argument from it. Then simply do a service krb5kdc restart (no need to restart the whole ipa service for this). If krb5kdc locks up again, gdb the process like you have done before but do not press c, type 'bt' instead and copy the log then you can exit gdb. Simo. -- Simo Sorce * Red Hat, Inc * New York From g17jimmy at gmail.com Fri Sep 9 15:38:36 2011 From: g17jimmy at gmail.com (Jimmy) Date: Fri, 9 Sep 2011 11:38:36 -0400 Subject: [Freeipa-users] installation fails Message-ID: I am installing FreeIPA on a new installation of Fedora 15. During installation it gets to this point and fails: ============================================================ ============================================================ The following operations may take some minutes to complete. Please wait until the prompt is returned. Configuring ntpd [1/4]: stopping ntpd [2/4]: writing configuration [3/4]: configuring ntpd to start on boot [4/4]: starting ntpd done configuring ntpd. Configuring directory server for the CA: Estimated time 30 seconds [1/3]: creating directory server user [2/3]: creating directory server instance root : CRITICAL failed to restart ds instance Command '/usr/sbin/setup-ds.pl--silent --logfile - -f /tmp/tmpkwsFQk' returned non-zero exit status 1 [3/3]: restarting directory server root : CRITICAL Failed to restart the directory server. See the installation log for details. 
[root at csp-idm log]# ^C
[root at csp-idm log]# more /tmp/tmpkwsFQk
/tmp/tmpkwsFQk: No such file or directory
[root at csp-idm log]# /usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmpkwsFQk
Error: could not open inf file /tmp/tmpkwsFQk: No such file or directory
Error: could not determine the current group ID: at /usr/lib64/dirsrv/perl/DSUtil.pm line 141
        DSUtil::getGroup(undef) called at /usr/lib64/dirsrv/perl/DSCreate.pm line 807
        DSCreate::setDefaults('Inf=HASH(0x1340668)') called at /usr/lib64/dirsrv/perl/DSCreate.pm line 1068
        DSCreate::createDSInstance('Inf=HASH(0x1340668)') called at /usr/sbin/setup-ds.pl line 83
============================================================
============================================================

Here is the output in the install log when the error occurs (I can email the entire log to anyone if it's needed):

============================================================
============================================================
2011-09-09 15:33:14,901 DEBUG calling setup-ds.pl
2011-09-09 15:43:21,083 DEBUG args=/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmpkwsFQk
2011-09-09 15:43:21,084 DEBUG stdout=Server failed to start !!! Please check errors log for problems
[11/09/09:15:43:21] - [Setup] Info Could not start the directory server using command '/usr/lib64/dirsrv/slapd-PKI-IPA/start-slapd'. The last line from the error log was '[09/Sep/2011:15:33:21 +0000] - Shutting down due to possible conflicts with other slapd processes
'. Error: Unknown error 256
Could not start the directory server using command '/usr/lib64/dirsrv/slapd-PKI-IPA/start-slapd'. The last line from the error log was '[09/Sep/2011:15:33:21 +0000] - Shutting down due to possible conflicts with other slapd processes
'. Error: Unknown error 256
[11/09/09:15:43:21] - [Setup] Fatal Error: Could not create directory server instance 'PKI-IPA'.
Error: Could not create directory server instance 'PKI-IPA'.
[11/09/09:15:43:21] - [Setup] Fatal Exiting . . .
Log file is '-'

Exiting . . .
Log file is '-'

2011-09-09 15:43:21,084 DEBUG stderr=Server failed to start !!! Please check errors log for problems

2011-09-09 15:43:21,085 CRITICAL failed to restart ds instance Command '/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmpkwsFQk' returned non-zero exit status 1
2011-09-09 15:43:21,090 DEBUG duration: 606 seconds
2011-09-09 15:43:21,090 DEBUG   [3/3]: restarting directory server
2011-09-09 15:43:22,387 DEBUG args=/sbin/service dirsrv restart PKI-IPA
2011-09-09 15:43:22,388 DEBUG stdout=Shutting down dirsrv:
    PKI-IPA... server already stopped[FAILED]
 *** Error: 1 instance(s) unsuccessfully stopped[FAILED]
Starting dirsrv:
    PKI-IPA...[FAILED]
 *** Warning: 1 instance(s) failed to start

2011-09-09 15:43:22,388 DEBUG stderr=
2011-09-09 15:43:22,476 DEBUG args=/sbin/service dirsrv status
2011-09-09 15:43:22,477 DEBUG stdout=dirsrv PKI-IPA is stopped

2011-09-09 15:43:22,477 DEBUG stderr=
2011-09-09 15:43:22,478 CRITICAL Failed to restart the directory server. See the installation log for details.

From smma0901 at stcloudstate.edu Fri Sep 9 16:27:38 2011
From: smma0901 at stcloudstate.edu (Smith, Martin R. [smma0901@stcloudstate.edu])
Date: Fri, 9 Sep 2011 16:27:38 +0000
Subject: [Freeipa-users] krb5kdc process at 100%
In-Reply-To: <1315576550.2684.87.camel@willson.li.ssimo.org>
References: <77D806E3863A2E4DADE1335809383D6109D8458C@SCSU84A.campus.stcloudstate.edu> <77D806E3863A2E4DADE1335809383D6109D845DC@SCSU84A.campus.stcloudstate.edu> <1315505097.2684.42.camel@willson.li.ssimo.org> <1315506291.2684.43.camel@willson.li.ssimo.org> <915F55D6-213E-45C8-9987-69DE25DB38A5@stcloudstate.du> <1315576550.2684.87.camel@willson.li.ssimo.org>
Message-ID: <77D806E3863A2E4DADE1335809383D6109D8511A@SCSU84A.campus.stcloudstate.edu>

I removed the -w 4 from the config file. Here is what happens now.
When a user with expired password logs in the krb5kdc process now crashes, instead of running at 100%.
If I attach gdb to the process before it crashes and attempt to login the process doesn't crash. Here are the results of "bt"
---------
#0  0x00007fe84e0ea1d3 in __select_nocancel () at ../sysdeps/unix/syscall-template.S:82
#1  0x00007fe84f2a8047 in krb5int_cm_call_select (in=, out=0x7fe8501d8780, sret=0x7fff421862b4) at sendto_kdc.c:564
#2  0x00007fe84ffd05ee in listen_and_process (handle=0x0, prog=0x7fff42187f52 "krb5kdc", reset=0x7fe84ffc6e10 ) at net-server.c:1835
#3  0x00007fe84ffbcf68 in main (argc=3, argv=) at main.c:1069
--------

I have also attached the /var/log/krb5kdc

-Martin

-----Original Message-----
From: Simo Sorce [mailto:simo at redhat.com]
Sent: Friday, September 09, 2011 8:56 AM
To: Smith, Martin R. [smma0901 at stcloudstate.edu]
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] krb5kdc process at 100%

On Fri, 2011-09-09 at 05:09 +0000, Smith, Martin R. [smma0901 at stcloudstate.edu] wrote:
> When I attach gdb to the process, I have tried the main process and
> the four child processes, it provides no output.
> Here are the steps I'm taking:
> 1. On freeipa-server run htop and find the pid (or ps aux)
>    1. Shows one parent PID and four child processes
>       1. 934 root 20 0 46784 2656 388 S 0.0 0.1 0:00.00 `- /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid -w 4
>       2. 1939 root 20 0 78664 4460 2056 S 0.0 0.1 0:00.26 | `- /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid -w 4
>       3. 1938 root 20 0 78664 4460 2056 S 0.0 0.1 0:00.26 | `- /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid -w 4
>       4. 1936 root 20 0 78664 4460 2056 S 0.0 0.1 0:00.26 | `- /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid -w 4
>       5. 1935 root 20 0 78664 4212 1808 S 0.0 0.1 0:00.26 | `- /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid -w 4
>    2. run sudo gdb
>       1. attach 934
>       2. press "c"
>       3. Wait for output?
> 2. Attempt to login with user that has an expired password.
> 3. Now the krb5kdc process 934 starts running at 100% and the user is unable to login.
> 4. Only way to get the process back to normal is to type "service ipa restart"
>
> I've never debugged a program before so if I'm missing a step please let me know.

Ok, let's simplify the problem first.

Apparently you have a quadcore cpu so by default we configured krb5kdc to spawn 4 worker processes. Let's bring it down to not spawning any worker process so we can simplify debugging.

Go to /etc/sysconfig/krb5kdc and remove the "-w 4" argument from it.

Then simply do a service krb5kdc restart (no need to restart the whole ipa service for this).

If krb5kdc locks up again, gdb the process like you have done before but do not press c, type 'bt' instead and copy the log then you can exit gdb.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: krb5kdc.txt

From dpal at redhat.com Fri Sep 9 17:09:38 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 09 Sep 2011 13:09:38 -0400
Subject: [Freeipa-users] installation fails
Message-ID: <4E6A4852.20703@redhat.com>

On 09/09/2011 11:38 AM, Jimmy wrote:
> I am installing FreeIPA on a new installation of Fedora 15. During
> installation it gets to this point and fails:
>
> ============================================================
> ============================================================
> The following operations may take some minutes to complete.
> Please wait until the prompt is returned.
>
> Configuring ntpd
>   [1/4]: stopping ntpd
>   [2/4]: writing configuration
>   [3/4]: configuring ntpd to start on boot
>   [4/4]: starting ntpd
> done configuring ntpd.
> Configuring directory server for the CA: Estimated time 30 seconds
>   [1/3]: creating directory server user
>   [2/3]: creating directory server instance
> root        : CRITICAL failed to restart ds instance Command '/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmpkwsFQk' returned non-zero exit status 1
>   [3/3]: restarting directory server
> root        : CRITICAL Failed to restart the directory server. See the installation log for details.
> [root at csp-idm log]# ^C
> [root at csp-idm log]# more /tmp/tmpkwsFQk
> /tmp/tmpkwsFQk: No such file or directory
> [root at csp-idm log]# /usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmpkwsFQk
> Error: could not open inf file /tmp/tmpkwsFQk: No such file or directory
> Error: could not determine the current group ID: at /usr/lib64/dirsrv/perl/DSUtil.pm line 141
>         DSUtil::getGroup(undef) called at /usr/lib64/dirsrv/perl/DSCreate.pm line 807
>         DSCreate::setDefaults('Inf=HASH(0x1340668)') called at /usr/lib64/dirsrv/perl/DSCreate.pm line 1068
>         DSCreate::createDSInstance('Inf=HASH(0x1340668)') called at /usr/sbin/setup-ds.pl line 83
> ============================================================
> ============================================================
>
> Here is the output in the install log when the error occurs (I can
> email the entire log to anyone if it's needed):
>
> ============================================================
> ============================================================
> 2011-09-09 15:33:14,901 DEBUG calling setup-ds.pl
> 2011-09-09 15:43:21,083 DEBUG args=/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmpkwsFQk
> 2011-09-09 15:43:21,084 DEBUG stdout=Server failed to start !!! Please check errors log for problems
> [11/09/09:15:43:21] - [Setup] Info Could not start the directory server using command '/usr/lib64/dirsrv/slapd-PKI-IPA/start-slapd'. The last line from the error log was '[09/Sep/2011:15:33:21 +0000] - Shutting down due to possible conflicts with other slapd processes
> '. Error: Unknown error 256
> Could not start the directory server using command '/usr/lib64/dirsrv/slapd-PKI-IPA/start-slapd'. The last line from the error log was '[09/Sep/2011:15:33:21 +0000] - Shutting down due to possible conflicts with other slapd processes
> '. Error: Unknown error 256
> [11/09/09:15:43:21] - [Setup] Fatal Error: Could not create directory server instance 'PKI-IPA'.
> Error: Could not create directory server instance 'PKI-IPA'.
> [11/09/09:15:43:21] - [Setup] Fatal Exiting . . .
> Log file is '-'
>
> Exiting . . .
> Log file is '-'
>
> 2011-09-09 15:43:21,084 DEBUG stderr=Server failed to start !!! Please check errors log for problems
>
> 2011-09-09 15:43:21,085 CRITICAL failed to restart ds instance Command '/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmpkwsFQk' returned non-zero exit status 1
> 2011-09-09 15:43:21,090 DEBUG duration: 606 seconds
> 2011-09-09 15:43:21,090 DEBUG   [3/3]: restarting directory server
> 2011-09-09 15:43:22,387 DEBUG args=/sbin/service dirsrv restart PKI-IPA
> 2011-09-09 15:43:22,388 DEBUG stdout=Shutting down dirsrv:
>     PKI-IPA... server already stopped[FAILED]
>  *** Error: 1 instance(s) unsuccessfully stopped[FAILED]
> Starting dirsrv:
>     PKI-IPA...[FAILED]
>  *** Warning: 1 instance(s) failed to start
>
> 2011-09-09 15:43:22,388 DEBUG stderr=
> 2011-09-09 15:43:22,476 DEBUG args=/sbin/service dirsrv status
> 2011-09-09 15:43:22,477 DEBUG stdout=dirsrv PKI-IPA is stopped
>
> 2011-09-09 15:43:22,477 DEBUG stderr=
> 2011-09-09 15:43:22,478 CRITICAL Failed to restart the directory server. See the installation log for details.
>

What is the package version of pki-core, 389 and ipa packages?
Also are there any leftovers of the DS instances from the past?
There have been problems that earlier installs failed leaving things around and the later install stumbles on those.
Also what is the SELinux setting? There might be some SELinux issue due to incorrect labeling in the past.
I suggest you make sure the machine is cleaned from any DS instances and try again.
For that do ipa-server-install --uninstall several times (3) as each time it might detect and clean different leftovers. We have tickets to make this cleanup better in the future.
After that check if there are any other DS instances still around. They will be in /etc/dirsrv/slapd-*
If there are you can remove them manually or use remove-ds.pl.

But before you do that please tar and send all the logs for ipa, CS, DS so that we can see what the cause of the problem actually was.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From g17jimmy at gmail.com Fri Sep 9 17:31:25 2011
From: g17jimmy at gmail.com (Jimmy)
Date: Fri, 9 Sep 2011 13:31:25 -0400
Subject: [Freeipa-users] installation fails
In-Reply-To: <4E6A4852.20703@redhat.com>
References: <4E6A4852.20703@redhat.com>

I temporarily disabled SElinux (echo 0 >/selinux/enforce) and the install completed. Did I miss something in the documentation? I didn't see anything about SElinux in the install doc.
Jimmy

On Fri, Sep 9, 2011 at 1:09 PM, Dmitri Pal wrote:
>
> What is the package version of pki-core, 389 and ipa packages?
> Also are there any leftovers of the DS instances from the past?
> There have been problems that earlier installs failed leaving things around
> and the later install stumbles on those.
> Also what is the SELinux setting? There might be some SELinux issue due to
> incorrect labeling in the past.
> I suggest you make sure the machine is cleaned from any DS instances and
> try again.
> For that do ipa-server-install --uninstall several times (3) as each time
> it might detect and clean different leftovers. We have tickets to make this
> cleanup better in the future.
> After that check if there are any other DS instances still around. They
> will be in /etc/dirsrv/slapd-*
> If there are you can remove them manually or use remove-ds.pl.
>
>
> But before you do that please tar and send all the logs for ipa, CS, DS so
> that we can see what the cause of the problem actually was.
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IPA project,
> Red Hat Inc.
>
>
> -------------------------------
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
>

From rcritten at redhat.com Fri Sep 9 17:35:55 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 09 Sep 2011 13:35:55 -0400
Subject: [Freeipa-users] installation fails
References: <4E6A4852.20703@redhat.com>
Message-ID: <4E6A4E7B.3060007@redhat.com>

Jimmy wrote:
> I temporarily disabled SElinux (echo 0 >/selinux/enforce) and the install
> completed. Did I miss something in the documentation? I didn't see
> anything about SElinux in the install doc.

It should work in enforcing mode.

Can you provide the output of this:

ausearch -m avc -ts recent

This will show us the SELinux denials over the last 10 minutes (recent).

rob

> Jimmy
>
> On Fri, Sep 9, 2011 at 1:09 PM, Dmitri Pal wrote:
>
>     What is the package version of pki-core, 389 and ipa packages?
>     Also are there any leftovers of the DS instances from the past?
>     There have been problems that earlier installs failed leaving things
>     around and the later install stumbles on those.
>     Also what is the SELinux setting? There might be some SELinux issue
>     due to incorrect labeling in the past.
>     I suggest you make sure the machine is cleaned from any DS instances
>     and try again.
>     For that do ipa-server-install --uninstall several times (3) as each
>     time it might detect and clean different leftovers. We have tickets
>     to make this cleanup better in the future.
>     After that check if there are any other DS instances still around.
>     They will be in /etc/dirsrv/slapd-*
>     If there are you can remove them manually or use remove-ds.pl.
>
>
>     But before you do that please tar and send all the logs for ipa, CS,
>     DS so that we can see what the cause of the problem actually was.
>
>     --
>     Thank you,
>     Dmitri Pal
>
>     Sr. Engineering Manager IPA project,
>     Red Hat Inc.
>
>
>     -------------------------------
>     Looking to carve out IT costs?
>     www.redhat.com/carveoutcosts/
>
>

From simo at redhat.com Fri Sep 9 17:37:45 2011
From: simo at redhat.com (Simo Sorce)
Date: Fri, 09 Sep 2011 13:37:45 -0400
Subject: [Freeipa-users] krb5kdc process at 100%
In-Reply-To: <77D806E3863A2E4DADE1335809383D6109D8511A@SCSU84A.campus.stcloudstate.edu>
References: <77D806E3863A2E4DADE1335809383D6109D8458C@SCSU84A.campus.stcloudstate.edu> <77D806E3863A2E4DADE1335809383D6109D845DC@SCSU84A.campus.stcloudstate.edu> <1315505097.2684.42.camel@willson.li.ssimo.org> <1315506291.2684.43.camel@willson.li.ssimo.org> <915F55D6-213E-45C8-9987-69DE25DB38A5@stcloudstate.du> <1315576550.2684.87.camel@willson.li.ssimo.org> <77D806E3863A2E4DADE1335809383D6109D8511A@SCSU84A.campus.stcloudstate.edu>
Message-ID: <1315589865.2684.99.camel@willson.li.ssimo.org>

If it crashes it is a bug in the KDC. Can you please get us the core dump when it crashes? If you have abrt installed it should be somewhere in /var/cache/abrt (check /var/log/messages) to see where.

Alternatively you can run service krb5kdc stop then as root in a shell run ulimit -c unlimited and manually start /usr/sbin/krb5kdc wait for the crash then take the core file generated.

Please also tell what is the exact version of the krb5-server package and the related ldap driver package.

Simo.

On Fri, 2011-09-09 at 16:27 +0000, Smith, Martin R. [smma0901 at stcloudstate.edu] wrote:
> I removed the -w 4 from the config file. Here is what happens now.
>
> When a user with expired password logs in the krb5kdc process now crashes, instead of running at 100%.
> If I attach gdb to the process before it crashes and attempt to login the process doesn't crash.
> Here are the results of "bt"
> ---------
> #0  0x00007fe84e0ea1d3 in __select_nocancel ()
>     at ../sysdeps/unix/syscall-template.S:82
> #1  0x00007fe84f2a8047 in krb5int_cm_call_select (in=,
>     out=0x7fe8501d8780, sret=0x7fff421862b4) at sendto_kdc.c:564
> #2  0x00007fe84ffd05ee in listen_and_process (handle=0x0,
>     prog=0x7fff42187f52 "krb5kdc", reset=0x7fe84ffc6e10 )
>     at net-server.c:1835
> #3  0x00007fe84ffbcf68 in main (argc=3, argv=) at main.c:1069
> --------
>
> I have also attached the /var/log/krb5kdc
>
> -Martin
>
> -----Original Message-----
> From: Simo Sorce [mailto:simo at redhat.com]
> Sent: Friday, September 09, 2011 8:56 AM
> To: Smith, Martin R. [smma0901 at stcloudstate.edu]
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] krb5kdc process at 100%
>
> On Fri, 2011-09-09 at 05:09 +0000, Smith, Martin R.
> [smma0901 at stcloudstate.edu] wrote:
> > When I attach gdb to the process, I have tried the main process and
> > the four child processes, it provides no output.
> > Here are the steps I'm taking:
> > 1. On freeipa-server run htop and find the pid (or ps aux)
> >    1. Shows one parent PID and four child processes
> >       1. 934 root 20 0 46784 2656 388 S 0.0 0.1 0:00.00 `- /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid -w 4
> >       2. 1939 root 20 0 78664 4460 2056 S 0.0 0.1 0:00.26 | `- /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid -w 4
> >       3. 1938 root 20 0 78664 4460 2056 S 0.0 0.1 0:00.26 | `- /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid -w 4
> >       4. 1936 root 20 0 78664 4460 2056 S 0.0 0.1 0:00.26 | `- /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid -w 4
> >       5. 1935 root 20 0 78664 4212 1808 S 0.0 0.1 0:00.26 | `- /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid -w 4
> >    2. run sudo gdb
> >       1. attach 934
> >       2. press "c"
> >       3. Wait for output?
> > 2. Attempt to login with user that has an expired password.
> > 3. Now the krb5kdc process 934 starts running at 100% and the
> > user is unable to login.
> > 4. Only way to get the process back to normal is to type "service
> > ipa restart"
> >
> >
> > I've never debugged a program before so if I'm missing a step please
> > let me know.
>
> Ok, let's simplify the problem first.
>
> Apparently you have a quadcore cpu so by default we configured krb5kdc to spawn 4 worker processes. Let's bring it down to not spawning any worker process so we can simplify debugging.
>
> Go to /etc/sysconfig/krb5kdc and remove the "-w 4" argument from it.
>
> Then simply do a service krb5kdc restart (no need to restart the whole ipa service for this).
>
>
> If krb5kdc locks up again, gdb the process like you have done before but do not press c, type 'bt' instead and copy the log then you can exit gdb.
>
> Simo.
>

--
Simo Sorce * Red Hat, Inc * New York

From g17jimmy at gmail.com Fri Sep 9 17:44:13 2011
From: g17jimmy at gmail.com (Jimmy)
Date: Fri, 9 Sep 2011 13:44:13 -0400
Subject: [Freeipa-users] installation fails
In-Reply-To: <4E6A4E7B.3060007@redhat.com>
References: <4E6A4852.20703@redhat.com> <4E6A4E7B.3060007@redhat.com>

It's been about 20 mins since I ran the install and did so with SELinux disabled. I ran the command you suggested, but with 'today' as the argument instead of 'recent'.
This is the output:

ausearch -m avc -ts today
----
time->Fri Sep 9 14:24:12 2011
type=SYSCALL msg=audit(1315578252.415:214): arch=c000003e syscall=2 success=no exit=-13 a0=7fffbee29a70 a1=c2 a2=1a4 a3=0 items=0 ppid=1 pid=5578 auid=0 uid=498 gid=494 euid=498 suid=498 fsuid=498 egid=494 sgid=494 fsgid=494 tty=(none) ses=1 comm="ns-slapd" exe="/usr/sbin/ns-slapd" subj=unconfined_u:system_r:dirsrv_t:s0 key=(null)
type=AVC msg=audit(1315578252.415:214): avc: denied { read } for pid=5578 comm="ns-slapd" name="lock" dev=sda2 ino=1710 scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=lnk_file
----
time->Fri Sep 9 14:34:12 2011
type=SYSCALL msg=audit(1315578852.159:215): arch=c000003e syscall=2 success=no exit=-13 a0=7fffb8d9bb40 a1=c2 a2=1a4 a3=0 items=0 ppid=1 pid=5627 auid=0 uid=498 gid=494 euid=498 suid=498 fsuid=498 egid=494 sgid=494 fsgid=494 tty=(none) ses=1 comm="ns-slapd" exe="/usr/sbin/ns-slapd" subj=unconfined_u:system_r:dirsrv_t:s0 key=(null)
type=AVC msg=audit(1315578852.159:215): avc: denied { read } for pid=5627 comm="ns-slapd" name="lock" dev=sda2 ino=1710 scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=lnk_file
----
time->Fri Sep 9 15:15:11 2011
type=SYSCALL msg=audit(1315581311.764:223): arch=c000003e syscall=2 success=no exit=-13 a0=7fff2c58be30 a1=c2 a2=1a4 a3=0 items=0 ppid=1 pid=5727 auid=0 uid=498 gid=494 euid=498 suid=498 fsuid=498 egid=494 sgid=494 fsgid=494 tty=(none) ses=1 comm="ns-slapd" exe="/usr/sbin/ns-slapd" subj=unconfined_u:system_r:dirsrv_t:s0 key=(null)
type=AVC msg=audit(1315581311.764:223): avc: denied { read } for pid=5727 comm="ns-slapd" name="lock" dev=sda2 ino=1710 scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=lnk_file
----
time->Fri Sep 9 15:33:21 2011
type=SYSCALL msg=audit(1315582401.640:238): arch=c000003e syscall=2 success=no exit=-13 a0=7fff74555140 a1=c2 a2=1a4 a3=0 items=0 ppid=1 pid=6092 auid=0 uid=498 gid=494 euid=498 suid=498 fsuid=498 egid=494 sgid=494 fsgid=494 tty=(none) ses=1 comm="ns-slapd" exe="/usr/sbin/ns-slapd" subj=unconfined_u:system_r:dirsrv_t:s0 key=(null)
type=AVC msg=audit(1315582401.640:238): avc: denied { read } for pid=6092 comm="ns-slapd" name="lock" dev=sda2 ino=1710 scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=lnk_file
----
time->Fri Sep 9 15:43:21 2011
type=SYSCALL msg=audit(1315583001.304:239): arch=c000003e syscall=2 success=no exit=-13 a0=7fffdf7f3ba0 a1=c2 a2=1a4 a3=0 items=0 ppid=1 pid=6141 auid=0 uid=498 gid=494 euid=498 suid=498 fsuid=498 egid=494 sgid=494 fsgid=494 tty=(none) ses=1 comm="ns-slapd" exe="/usr/sbin/ns-slapd" subj=unconfined_u:system_r:dirsrv_t:s0 key=(null)
type=AVC msg=audit(1315583001.304:239): avc: denied { read } for pid=6141 comm="ns-slapd" name="lock" dev=sda2 ino=1710 scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=lnk_file
----
time->Fri Sep 9 18:18:54 2011
type=SYSCALL msg=audit(1315592334.382:269): arch=c000003e syscall=2 success=yes exit=9 a0=7fffe3872cc0 a1=c2 a2=1a4 a3=0 items=0 ppid=1 pid=6292 auid=0 uid=498 gid=494 euid=498 suid=498 fsuid=498 egid=494 sgid=494 fsgid=494 tty=(none) ses=1 comm="ns-slapd" exe="/usr/sbin/ns-slapd" subj=unconfined_u:system_r:dirsrv_t:s0 key=(null)
type=AVC msg=audit(1315592334.382:269): avc: denied { read } for pid=6292 comm="ns-slapd" name="lock" dev=sda2 ino=1710 scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=lnk_file
----
time->Fri Sep 9 18:20:26 2011
type=SYSCALL msg=audit(1315592426.491:284): arch=c000003e syscall=2 success=yes exit=9 a0=7fffb5102c20 a1=c2 a2=1a4 a3=0 items=0 ppid=1 pid=6709 auid=0 uid=498 gid=494 euid=498 suid=498 fsuid=498 egid=494 sgid=494 fsgid=494 tty=(none) ses=1 comm="ns-slapd" exe="/usr/sbin/ns-slapd" subj=unconfined_u:system_r:dirsrv_t:s0 key=(null)
type=AVC msg=audit(1315592426.491:284): avc: denied { read } for pid=6709 comm="ns-slapd" name="lock" dev=sda2 ino=1710 scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=lnk_file
----
time->Fri Sep 9 18:22:47 2011
type=SYSCALL msg=audit(1315592567.255:301): arch=c000003e syscall=2 success=yes exit=9 a0=7fffe8125540 a1=c2 a2=1a4 a3=0 items=0 ppid=1 pid=7779 auid=0 uid=496 gid=494 euid=496 suid=496 fsuid=496 egid=494 sgid=494 fsgid=494 tty=(none) ses=1 comm="ns-slapd" exe="/usr/sbin/ns-slapd" subj=unconfined_u:system_r:dirsrv_t:s0 key=(null)
type=AVC msg=audit(1315592567.255:301): avc: denied { read } for pid=7779 comm="ns-slapd" name="lock" dev=sda2 ino=1710 scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=lnk_file
----
time->Fri Sep 9 18:23:07 2011
type=SYSCALL msg=audit(1315592587.857:305): arch=c000003e syscall=2 success=yes exit=6 a0=7fffd14031b0 a1=c2 a2=1a4 a3=0 items=0 ppid=1 pid=7882 auid=0 uid=496 gid=494 euid=496 suid=496 fsuid=496 egid=494 sgid=494 fsgid=494 tty=(none) ses=1 comm="ns-slapd" exe="/usr/sbin/ns-slapd" subj=unconfined_u:system_r:dirsrv_t:s0 key=(null)
type=AVC msg=audit(1315592587.857:305): avc: denied { read } for pid=7882 comm="ns-slapd" name="lock" dev=sda2 ino=1710 scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=lnk_file
----
time->Fri Sep 9 18:25:29 2011
type=SYSCALL msg=audit(1315592729.758:316): arch=c000003e syscall=2 success=yes exit=6 a0=7fffffd7c220 a1=c2 a2=1a4 a3=0 items=0 ppid=1 pid=8262 auid=0 uid=496 gid=494 euid=496 suid=496 fsuid=496 egid=494 sgid=494 fsgid=494 tty=(none) ses=1 comm="ns-slapd" exe="/usr/sbin/ns-slapd" subj=unconfined_u:system_r:dirsrv_t:s0 key=(null)
type=AVC msg=audit(1315592729.758:316): avc: denied { read } for pid=8262 comm="ns-slapd" name="lock" dev=sda2 ino=1710 scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=lnk_file

On Fri, Sep 9, 2011 at 1:35 PM, Rob Crittenden wrote:
> Jimmy wrote:
>
>> I temporarily disabled SElinux (echo 0 >/selinux/enforce) and the install
>> completed. Did I miss something in the documentation? I didn't see
>> anything about SElinux in the install doc.
>>
>
> It should work in enforcing mode.
>
> Can you provide the output of this:
>
> ausearch -m avc -ts recent
>
> This will show us the SELinux denials over the last 10 minutes (recent).
>
> rob
>

From simo at redhat.com Fri Sep 9 17:50:59 2011
From: simo at redhat.com (Simo Sorce)
Date: Fri, 09 Sep 2011 13:50:59 -0400
Subject: [Freeipa-users] installation fails
References: <4E6A4852.20703@redhat.com> <4E6A4E7B.3060007@redhat.com>
Message-ID: <1315590659.2684.101.camel@willson.li.ssimo.org>

On Fri, 2011-09-09 at 13:44 -0400, Jimmy wrote:
> It's been about 20 mins since I ran the install and did so with
> SELinux disabled.

For future reference, please do not disable selinux, just put it in permissive mode, so the AVCs will still be produced they will simply not be applied against the process.

(also it will avoid you trouble if you want to re-enable selinux as you won't need a full relabeling).

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From g17jimmy at gmail.com Fri Sep 9 17:55:03 2011
From: g17jimmy at gmail.com (Jimmy)
Date: Fri, 9 Sep 2011 13:55:03 -0400
Subject: [Freeipa-users] installation fails
In-Reply-To: <1315590659.2684.101.camel@willson.li.ssimo.org>
References: <4E6A4852.20703@redhat.com> <4E6A4E7B.3060007@redhat.com> <1315590659.2684.101.camel@willson.li.ssimo.org>

I'll go back to a clean system and re-install freeipa with SELinux in permissive so we can see what's going on.

Jimmy

On Fri, Sep 9, 2011 at 1:50 PM, Simo Sorce wrote:
> On Fri, 2011-09-09 at 13:44 -0400, Jimmy wrote:
> > It's been about 20 mins since I ran the install and did so with
> > SELinux disabled.
>
> For future reference, please do not disable selinux, just put it in
> permissive mode, so the AVCs will still be produced they will simply not
> be applied against the process.
>
> (also it will avoid you trouble if you want to re-enable selinux as you
> won't need a full relabeling).
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>

From rcritten at redhat.com Fri Sep 9 18:10:46 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 09 Sep 2011 14:10:46 -0400
Subject: [Freeipa-users] installation fails
In-Reply-To:
References: <4E6A4852.20703@redhat.com> <4E6A4E7B.3060007@redhat.com>
Message-ID: <4E6A56A6.8080207@redhat.com>

Jimmy wrote:
> It's been about 20 mins since I ran the install and did so with SELinux
> disabled. I ran the command you suggested, but with 'today' as the
> argument instead of 'recent'. This is the output:
>
> ausearch -m avc -ts today
> ----
> time->Fri Sep 9 14:24:12 2011
> type=SYSCALL msg=audit(1315578252.415:214): arch=c000003e syscall=2
> success=no exit=-13 a0=7fffbee29a70 a1=c2 a2=1a4 a3=0 items=0 ppid=1
> pid=5578 auid=0 uid=498 gid=494 euid=498 suid=498 fsuid=498 egid=494
> sgid=494 fsgid=494 tty=(none) ses=1 comm="ns-slapd"
> exe="/usr/sbin/ns-slapd" subj=unconfined_u:system_r:dirsrv_t:s0 key=(null)
> type=AVC msg=audit(1315578252.415:214): avc: denied { read } for
> pid=5578 comm="ns-slapd" name="lock" dev=sda2 ino=1710
> scontext=unconfined_u:system_r:dirsrv_t:s0
> tcontext=system_u:object_r:var_t:s0 tclass=lnk_file
> ----
> time->Fri Sep 9 14:34:12 2011
> type=SYSCALL msg=audit(1315578852.159:215): arch=c000003e syscall=2
> success=no exit=-13 a0=7fffb8d9bb40 a1=c2 a2=1a4 a3=0 items=0 ppid=1
> pid=5627 auid=0 uid=498 gid=494 euid=498 suid=498 fsuid=498 egid=494
> sgid=494 fsgid=494 tty=(none) ses=1 comm="ns-slapd"
> exe="/usr/sbin/ns-slapd" subj=unconfined_u:system_r:dirsrv_t:s0 key=(null)
> type=AVC msg=audit(1315578852.159:215): avc: denied { read } for
> pid=5627 comm="ns-slapd" name="lock" dev=sda2 ino=1710
> scontext=unconfined_u:system_r:dirsrv_t:s0
> tcontext=system_u:object_r:var_t:s0 tclass=lnk_file
> ----
> time->Fri Sep 9 15:15:11 2011
> type=SYSCALL msg=audit(1315581311.764:223): arch=c000003e syscall=2
> success=no exit=-13 a0=7fff2c58be30 a1=c2 a2=1a4 a3=0 items=0 ppid=1
> pid=5727 auid=0 uid=498 gid=494 euid=498 suid=498 fsuid=498 egid=494
> sgid=494 fsgid=494 tty=(none) ses=1 comm="ns-slapd"
> exe="/usr/sbin/ns-slapd" subj=unconfined_u:system_r:dirsrv_t:s0 key=(null)
> type=AVC msg=audit(1315581311.764:223): avc: denied { read } for
> pid=5727 comm="ns-slapd" name="lock" dev=sda2 ino=1710
> scontext=unconfined_u:system_r:dirsrv_t:s0
> tcontext=system_u:object_r:var_t:s0 tclass=lnk_file
> ----
> time->Fri Sep 9 15:33:21 2011
> type=SYSCALL msg=audit(1315582401.640:238): arch=c000003e syscall=2
> success=no exit=-13 a0=7fff74555140 a1=c2 a2=1a4 a3=0 items=0 ppid=1
> pid=6092 auid=0 uid=498 gid=494 euid=498 suid=498 fsuid=498 egid=494
> sgid=494 fsgid=494 tty=(none) ses=1 comm="ns-slapd"
> exe="/usr/sbin/ns-slapd" subj=unconfined_u:system_r:dirsrv_t:s0 key=(null)
> type=AVC msg=audit(1315582401.640:238): avc: denied { read } for
> pid=6092 comm="ns-slapd" name="lock" dev=sda2 ino=1710
> scontext=unconfined_u:system_r:dirsrv_t:s0
> tcontext=system_u:object_r:var_t:s0 tclass=lnk_file
> ----
> time->Fri Sep 9 15:43:21 2011
> type=SYSCALL msg=audit(1315583001.304:239): arch=c000003e syscall=2
> success=no exit=-13 a0=7fffdf7f3ba0 a1=c2 a2=1a4 a3=0 items=0 ppid=1
> pid=6141 auid=0 uid=498 gid=494 euid=498 suid=498 fsuid=498 egid=494
> sgid=494 fsgid=494 tty=(none) ses=1 comm="ns-slapd"
> exe="/usr/sbin/ns-slapd" subj=unconfined_u:system_r:dirsrv_t:s0 key=(null)
> type=AVC msg=audit(1315583001.304:239): avc: denied { read } for
> pid=6141 comm="ns-slapd" name="lock" dev=sda2 ino=1710
> scontext=unconfined_u:system_r:dirsrv_t:s0
> tcontext=system_u:object_r:var_t:s0 tclass=lnk_file
> ----
> time->Fri Sep 9 18:18:54 2011
> type=SYSCALL msg=audit(1315592334.382:269): arch=c000003e syscall=2
> success=yes exit=9 a0=7fffe3872cc0 a1=c2 a2=1a4 a3=0 items=0 ppid=1
> pid=6292 auid=0 uid=498 gid=494 euid=498 suid=498 fsuid=498 egid=494
> sgid=494 fsgid=494 tty=(none) ses=1 comm="ns-slapd"
> exe="/usr/sbin/ns-slapd" subj=unconfined_u:system_r:dirsrv_t:s0 key=(null)
> type=AVC msg=audit(1315592334.382:269): avc: denied { read } for
> pid=6292 comm="ns-slapd" name="lock" dev=sda2 ino=1710
> scontext=unconfined_u:system_r:dirsrv_t:s0
> tcontext=system_u:object_r:var_t:s0 tclass=lnk_file
> ----
> time->Fri Sep 9 18:20:26 2011
> type=SYSCALL msg=audit(1315592426.491:284): arch=c000003e syscall=2
> success=yes exit=9 a0=7fffb5102c20 a1=c2 a2=1a4 a3=0 items=0 ppid=1
> pid=6709 auid=0 uid=498 gid=494 euid=498 suid=498 fsuid=498 egid=494
> sgid=494 fsgid=494 tty=(none) ses=1 comm="ns-slapd"
> exe="/usr/sbin/ns-slapd" subj=unconfined_u:system_r:dirsrv_t:s0 key=(null)
> type=AVC msg=audit(1315592426.491:284): avc: denied { read } for
> pid=6709 comm="ns-slapd" name="lock" dev=sda2 ino=1710
> scontext=unconfined_u:system_r:dirsrv_t:s0
> tcontext=system_u:object_r:var_t:s0 tclass=lnk_file
> ----
> time->Fri Sep 9 18:22:47 2011
> type=SYSCALL msg=audit(1315592567.255:301): arch=c000003e syscall=2
> success=yes exit=9 a0=7fffe8125540 a1=c2 a2=1a4 a3=0 items=0 ppid=1
> pid=7779 auid=0 uid=496 gid=494 euid=496 suid=496 fsuid=496 egid=494
> sgid=494 fsgid=494 tty=(none) ses=1 comm="ns-slapd"
> exe="/usr/sbin/ns-slapd" subj=unconfined_u:system_r:dirsrv_t:s0 key=(null)
> type=AVC msg=audit(1315592567.255:301): avc: denied { read } for
> pid=7779 comm="ns-slapd" name="lock" dev=sda2 ino=1710
> scontext=unconfined_u:system_r:dirsrv_t:s0
> tcontext=system_u:object_r:var_t:s0 tclass=lnk_file
> ----
> time->Fri Sep 9 18:23:07 2011
> type=SYSCALL msg=audit(1315592587.857:305): arch=c000003e syscall=2
> success=yes exit=6 a0=7fffd14031b0 a1=c2 a2=1a4 a3=0 items=0 ppid=1
> pid=7882 auid=0 uid=496 gid=494 euid=496 suid=496 fsuid=496 egid=494
> sgid=494 fsgid=494 tty=(none) ses=1 comm="ns-slapd"
> exe="/usr/sbin/ns-slapd" subj=unconfined_u:system_r:dirsrv_t:s0 key=(null)
> type=AVC msg=audit(1315592587.857:305): avc: denied { read } for
> pid=7882 comm="ns-slapd" name="lock" dev=sda2 ino=1710
> scontext=unconfined_u:system_r:dirsrv_t:s0
> tcontext=system_u:object_r:var_t:s0 tclass=lnk_file
> ----
> time->Fri Sep 9 18:25:29 2011
> type=SYSCALL msg=audit(1315592729.758:316): arch=c000003e syscall=2
> success=yes exit=6 a0=7fffffd7c220 a1=c2 a2=1a4 a3=0 items=0 ppid=1
> pid=8262 auid=0 uid=496 gid=494 euid=496 suid=496 fsuid=496 egid=494
> sgid=494 fsgid=494 tty=(none) ses=1 comm="ns-slapd"
> exe="/usr/sbin/ns-slapd" subj=unconfined_u:system_r:dirsrv_t:s0 key=(null)
> type=AVC msg=audit(1315592729.758:316): avc: denied { read } for
> pid=8262 comm="ns-slapd" name="lock" dev=sda2 ino=1710
> scontext=unconfined_u:system_r:dirsrv_t:s0
> tcontext=system_u:object_r:var_t:s0 tclass=lnk_file
>
>
> On Fri, Sep 9, 2011 at 1:35 PM, Rob Crittenden wrote:
>
>     Jimmy wrote:
>
>         I temporarily disabled SElinux(echo 0 >/selinux/enforce) and the
>         install completed. Did I miss something in the documentation?
>         I didn't see anything about SElinux in the install doc.
>
>
>     It should work in enforcing mode.
>
>     Can you provide the output of this:
>
>     ausearch -m avc -ts recent
>
>     This will show us the SELinux denials over the last 10 minutes (recent).
>
>     rob
>

What version of selinux-policy do you have installed?
(rpm -q selinux-policy)

thanks

rob

From g17jimmy at gmail.com Fri Sep 9 18:19:18 2011
From: g17jimmy at gmail.com (Jimmy)
Date: Fri, 9 Sep 2011 14:19:18 -0400
Subject: [Freeipa-users] installation fails
In-Reply-To: <4E6A56A6.8080207@redhat.com>
References: <4E6A4852.20703@redhat.com> <4E6A4E7B.3060007@redhat.com> <4E6A56A6.8080207@redhat.com>
Message-ID:

To answer Rob's question: selinux-policy-3.9.16-23.fc15.noarch

And to correct myself from earlier, `echo 0 >/selinux/enforce` does set
SELinux to permissive, does not disable it. So the AVC's I sent are
correct.

On Fri, Sep 9, 2011 at 2:10 PM, Rob Crittenden wrote:
> Jimmy wrote:
>
>> It's been about 20 mins since I ran the install and did so with SELinux
>> disabled. I ran the command you suggested, but with 'today' as the
>> argument instead of 'recent'. This is the output:
>>
>> ausearch -m avc -ts today
>> [...]
>>
> What version of selinux-policy do you have installed? (rpm -q
> selinux-policy)
>
> thanks
>
> rob
>
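The ausearch output quoted in this thread can be read mechanically. The following is an added example (not code from the thread or from FreeIPA): it pairs each AVC record with its SYSCALL record by audit serial and uses the SYSCALL success/exit fields to tell an enforced denial (success=no, exit=-13, i.e. EACCES) from one that was only logged in permissive mode (success=yes), which is the difference between the 14:24 and 18:18 entries above and what Jimmy's correction about `echo 0 >/selinux/enforce` implies. The two sample records are copied from the quoted output.

```python
import re
from collections import defaultdict

# Constructed sample: two records copied from the ausearch output posted in the
# thread. The first is from the enforcing period (open() failed; exit=-13 is
# EACCES). The second is after 'echo 0 >/selinux/enforce': the same denial is
# logged, but the syscall succeeded and returned file descriptor 9.
SAMPLE_AUDIT = """\
time->Fri Sep 9 14:24:12 2011
type=SYSCALL msg=audit(1315578252.415:214): arch=c000003e syscall=2 success=no exit=-13 a0=7fffbee29a70 a1=c2 a2=1a4 a3=0 items=0 ppid=1 pid=5578 auid=0 uid=498 gid=494 euid=498 suid=498 fsuid=498 egid=494 sgid=494 fsgid=494 tty=(none) ses=1 comm="ns-slapd" exe="/usr/sbin/ns-slapd" subj=unconfined_u:system_r:dirsrv_t:s0 key=(null)
type=AVC msg=audit(1315578252.415:214): avc: denied { read } for pid=5578 comm="ns-slapd" name="lock" dev=sda2 ino=1710 scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=lnk_file
----
time->Fri Sep 9 18:18:54 2011
type=SYSCALL msg=audit(1315592334.382:269): arch=c000003e syscall=2 success=yes exit=9 a0=7fffe3872cc0 a1=c2 a2=1a4 a3=0 items=0 ppid=1 pid=6292 auid=0 uid=498 gid=494 euid=498 suid=498 fsuid=498 egid=494 sgid=494 fsgid=494 tty=(none) ses=1 comm="ns-slapd" exe="/usr/sbin/ns-slapd" subj=unconfined_u:system_r:dirsrv_t:s0 key=(null)
type=AVC msg=audit(1315592334.382:269): avc: denied { read } for pid=6292 comm="ns-slapd" name="lock" dev=sda2 ino=1710 scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=lnk_file
"""

AUDIT_ID = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")   # (timestamp, serial)
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')                   # key=value tokens
PERMS = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")        # { read write ... }


def selinux_type(context):
    """Return the type field of a user:role:type:level context string."""
    return context.split(":")[2]


def parse_fields(line):
    """Split one audit record into a dict of key=value pairs (quotes stripped)."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


def parse_ausearch(text):
    """Pair SYSCALL and AVC records by audit serial; return one event per AVC.

    Each event says who was denied what, and whether the kernel actually
    blocked the access (SYSCALL success=no) or only logged it (permissive).
    """
    syscalls = {}
    avcs = []
    for line in text.splitlines():
        m = AUDIT_ID.search(line)
        if not m:
            continue  # 'time->' headers and '----' separators carry no fields
        serial = int(m.group(2))
        fields = parse_fields(line)
        if fields.get("type") == "SYSCALL":
            syscalls[serial] = fields
        elif fields.get("type") == "AVC":
            p = PERMS.search(line)
            avcs.append((serial, fields, p.group(1).split() if p else []))

    events = []
    for serial, fields, perms in avcs:
        sc = syscalls.get(serial, {})
        events.append({
            "serial": serial,
            "comm": fields.get("comm"),
            "perms": perms,
            "source_type": selinux_type(fields["scontext"]),
            "target_type": selinux_type(fields["tcontext"]),
            "tclass": fields.get("tclass"),
            "name": fields.get("name"),
            # success=no: the access really was refused (enforcing).
            # success=yes together with an AVC: denial logged only (permissive).
            "enforced": sc.get("success") == "no",
            "exit": int(sc["exit"]) if "exit" in sc else None,
        })
    return events


def summarize(events):
    """Group by (source type, target type, class, perms); count enforced vs logged."""
    summary = defaultdict(lambda: {"enforced": 0, "permissive": 0})
    for e in events:
        key = (e["source_type"], e["target_type"], e["tclass"], " ".join(e["perms"]))
        summary[key]["enforced" if e["enforced"] else "permissive"] += 1
    return dict(summary)


if __name__ == "__main__":
    evs = parse_ausearch(SAMPLE_AUDIT)
    for e in evs:
        mode = "BLOCKED" if e["enforced"] else "logged only (permissive)"
        print(f"#{e['serial']}: {e['comm']} ({e['source_type']}) denied {e['perms']} "
              f"on {e['tclass']} '{e['name']}' ({e['target_type']}) - {mode}")
    for key, counts in summarize(evs).items():
        print(key, counts)
```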
URL: From sbingram at gmail.com Fri Sep 9 19:01:57 2011 From: sbingram at gmail.com (Stephen Ingram) Date: Fri, 9 Sep 2011 12:01:57 -0700 Subject: [Freeipa-users] fresh install on F15 In-Reply-To: <4E67C2B4.3060909@redhat.com> References: <4E67C2B4.3060909@redhat.com> Message-ID: On Wed, Sep 7, 2011 at 12:15 PM, Rob Crittenden wrote: > Do you mean the test repositories on freeipa.org? You should not need to > enable these, Fedora 15 should have everything you need. You probably need > to enable updates-testing though. OK, this is working now. I was using a private repository that wasn't quite right, but for some reason wasn't reporting a yum error. I tried with both release and updates-testing (both from Fedora not FreeIPA) and it works both ways. I also upgraded to 2.1.1 this morning and it worked also. I'm off to try some experimental setups now. Thank you for the help. Steve From smma0901 at stcloudstate.edu Fri Sep 9 19:14:44 2011 From: smma0901 at stcloudstate.edu (Smith, Martin R. [smma0901@stcloudstate.edu]) Date: Fri, 9 Sep 2011 19:14:44 +0000 Subject: [Freeipa-users] krb5kdc process at 100% In-Reply-To: <1315589865.2684.99.camel@willson.li.ssimo.org> References: <77D806E3863A2E4DADE1335809383D6109D8458C@SCSU84A.campus.stcloudstate.edu> <77D806E3863A2E4DADE1335809383D6109D845DC@SCSU84A.campus.stcloudstate.edu> <1315505097.2684.42.camel@willson.li.ssimo.org> <1315506291.2684.43.camel@willson.li.ssimo.org> <915F55D6-213E-45C8-9987-69DE25DB38A5@stcloudstate.du> <1315576550.2684.87.camel@willson.li.ssimo.org> <77D806E3863A2E4DADE1335809383D6109D8511A@SCSU84A.campus.stcloudstate.edu> <1315589865.2684.99.camel@willson.li.ssimo.org> Message-ID: <77D806E3863A2E4DADE1335809383D6109D852AD@SCSU84A.campus.stcloudstate.edu> I have linked a zip the whole directory from abrt. 
After typing "abrt-cli -l" it outputted: ----- Directory: /var/spool/abrt/ccpp-2011-09-09-13:41:51-972 count: 1 executable: /usr/sbin/krb5kdc package: krb5-server-1.9.1-5.fc15 time: Fri 09 Sep 2011 01:41:51 PM CDT uid: 0 ----- Link to crash.zip This appears to be my current ldap "openldap-2.4.24-3.fc15.x86_64". -Martin -----Original Message----- From: Simo Sorce [mailto:simo at redhat.com] Sent: Friday, September 09, 2011 12:38 PM To: Smith, Martin R. [smma0901 at stcloudstate.edu] Cc: freeipa-users at redhat.com Subject: Re: [Freeipa-users] krb5kdc process at 100% If it crashes it is a bug in the KDC. Can you please get us the core dump when it crashes ? If you have abtrd installed it should be somewhere in /var/cache/abrt (check /var/log/messages) to see where. Alternatively you can run service krb5kdc stop then as root in a shell run ulimit -c unlimited and manually start /usr/sbin/krb5kdc wait for the crash then take the core file generated. Please also tell what is the exact version of the krb5-server package and the related ldap driver package. Simo. On Fri, 2011-09-09 at 16:27 +0000, Smith, Martin R. [smma0901 at stcloudstate.edu] wrote: > I removed the -w 4 from the config file. Here is what happens now. > > When a user with expired password logs in the krb5kdc process now crashes, instead of running at 100%. > If I attach gdb to the process before it crashes and attempt to login the process doesn't crash. 
Here are the results of "bt" > --------- > #0 0x00007fe84e0ea1d3 in __select_nocancel () > at ../sysdeps/unix/syscall-template.S:82 > #1 0x00007fe84f2a8047 in krb5int_cm_call_select (in=, > out=0x7fe8501d8780, sret=0x7fff421862b4) at sendto_kdc.c:564 > #2 0x00007fe84ffd05ee in listen_and_process (handle=0x0, > prog=0x7fff42187f52 "krb5kdc", reset=0x7fe84ffc6e10 ) > at net-server.c:1835 > #3 0x00007fe84ffbcf68 in main (argc=3, argv=) at > main.c:1069 > -------- > > I have also attached the /var/log/krb5kdc > > -Martin > > -----Original Message----- > From: Simo Sorce [mailto:simo at redhat.com] > Sent: Friday, September 09, 2011 8:56 AM > To: Smith, Martin R. [smma0901 at stcloudstate.edu] > Cc: freeipa-users at redhat.com > Subject: Re: [Freeipa-users] krb5kdc process at 100% > > On Fri, 2011-09-09 at 05:09 +0000, Smith, Martin R. > [smma0901 at stcloudstate.edu] wrote: > > When I attach gdb to the process, I have tried the main process and > > the four child processes, it provides no output. > > Here are the steps I'm taking: > > 1. On freeipa-server run htop and find the pid (or ps aux) > > 1. Shows one parent PID and four child processes > > 1. 934 root 20 0 46784 2656 388 S 0.0 0.1 > > 0:00.00 `- /usr/sbin/krb5kdc > > -P /var/run/krb5kdc.pid -w 4 > > 2. 1939 root 20 0 78664 4460 2056 S 0.0 > > 0.1 0:00.26 | `- /usr/sbin/krb5kdc > > -P /var/run/krb5kdc.pid -w 4 > > 3. 1938 root 20 0 78664 4460 2056 S 0.0 > > 0.1 0:00.26 | `- /usr/sbin/krb5kdc > > -P /var/run/krb5kdc.pid -w 4 > > 4. 1936 root 20 0 78664 4460 2056 S 0.0 > > 0.1 0:00.26 | `- /usr/sbin/krb5kdc > > -P /var/run/krb5kdc.pid -w 4 > > 5. 1935 root 20 0 78664 4212 1808 S 0.0 > > 0.1 0:00.26 | `- /usr/sbin/krb5kdc > > -P /var/run/krb5kdc.pid -w 4 > > 2. run sudo gdb > > 1. attach 934 > > 2. press "c" > > 3. Wait for output? > > 2. Attempt to login with user that has an expired password. > > 3. Now the krb5kdc process 934 starts running at 100% and the > > user is unable to login. > > 4. 
Only way to get the process back to normal is to type "service > > ipa restart" > > > > > I've never debugged a program before so if I'm missing a step please > > let me know. > > Ok, let's simplify the problem first. > > apperently you have a quadcore cpu so by default we configured krb5kdc to spawn 4 worker processes. Let's bring it down to not spawning any worker process so we can simplify debugging. > > Go to /etc/sysconfig/krb5kdc and remove the "-w 4" argument from it. > > Then simply do a service krb5kdc restart (no need to restart the whole ipa service for this). > > > If krb5kdc locks up again, gdb the process like you have done before but do not press c, type 'bt' instead and copy the log then you can exit gdb. > > Simo. > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- An HTML attachment was scrubbed... URL: From danieljamesscott at gmail.com Fri Sep 9 21:20:11 2011 From: danieljamesscott at gmail.com (Dan Scott) Date: Fri, 9 Sep 2011 17:20:11 -0400 Subject: [Freeipa-users] Migration to FreeIPA 2 - password update via LDAP In-Reply-To: <1315531232.2684.53.camel@willson.li.ssimo.org> References: <4E67BEFF.50000@redhat.com> <1315531232.2684.53.camel@willson.li.ssimo.org> Message-ID: Hi, On Thu, Sep 8, 2011 at 21:20, Simo Sorce wrote: > On Thu, 2011-09-08 at 17:29 -0400, Dan Scott wrote: >> Hi, >> >> On Wed, Sep 7, 2011 at 14:59, Dmitri Pal wrote: >> > On 09/07/2011 02:45 PM, Dan Scott wrote: >> >> I have a FreeIPA 1 system which is being migrated to FreeIPA 2. After >> >> migration, the script says: >> >> >> >> "Passwords have been migrated in pre-hashed format. >> >> IPA is unable to generate Kerberos keys unless provided >> >> with clear text passwords. 
All migrated users need to >> >> login at https://your.domain/ipa/migration/ before they >> >> can use their Kerberos accounts." >> >> >> >> I have some users who are authenticated via LDAP. Also I have a Java >> >> application which allows them to change their password using LDAP. >> >> Will existing passwords continue to work when using LDAP >> >> authentication/password changes? It is only Kerberos authentication >> >> which requires users to re-login on this special page? >> >> >> > >> > If you update the password via LDAP using bind over SSL so that server >> > has the password in clear the new Kerberos hashes will be generated >> > automatically and kerberos will become usable for these users once again. >> > >> > Also SSSD has a nice feature to migrate user passwords. Read more about >> > it in the SSSD docs. >> >> Excellent, thanks for the repsponse. The LDAP bind must be over SSL, >> correct? When not using SSL, I get: >> >> "javax.security.auth.login.LoginException: >> javax.security.auth.login.LoginException: LDAP bind failed for >> uid=djscott,cn=users,cn=compat,dc=..." >> >> When using LDAPS, I get: >> >> "Exception in LdapRealm when trying to authenticate user. >> javax.security.auth.login.LoginException: >> javax.naming.CommunicationException: anonymous bind failed: >> kelvin.example.com:636 [Root exception is >> javax.net.ssl.SSLHandshakeException: >> sun.security.validator.ValidatorException: PKIX path building failed: >> sun.security.provider.certpath.SunCertPathBuilderException: unable to >> find valid certification path to requested target]" >> >> So I guess I need to add a FreeIPA certificate into my Glassfish >> keystore. Does this sound right? Should I create a certificate for my >> service?: >> >> https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/managing-services.html#request-service-service >> >> Or should I be adding the CA of my FreeIPA installation? 
> > You need to add and trust the FreeIPA CA certificate to your glassfish > CA cert store. Thanks, I'm getting closer. I now receive the "LDAP bind failed for" message when attempting LDAPS authentication. Is there a way I can test LDAPS authentication from the command line? Dan From dpal at redhat.com Fri Sep 9 23:28:51 2011 From: dpal at redhat.com (Dmitri Pal) Date: Fri, 09 Sep 2011 19:28:51 -0400 Subject: [Freeipa-users] krb5kdc process at 100% In-Reply-To: <77D806E3863A2E4DADE1335809383D6109D852AD@SCSU84A.campus.stcloudstate.edu> References: <77D806E3863A2E4DADE1335809383D6109D8458C@SCSU84A.campus.stcloudstate.edu> <77D806E3863A2E4DADE1335809383D6109D845DC@SCSU84A.campus.stcloudstate.edu> <1315505097.2684.42.camel@willson.li.ssimo.org> <1315506291.2684.43.camel@willson.li.ssimo.org> <915F55D6-213E-45C8-9987-69DE25DB38A5@stcloudstate.du> <1315576550.2684.87.camel@willson.li.ssimo.org> <77D806E3863A2E4DADE1335809383D6109D8511A@SCSU84A.campus.stcloudstate.edu> <1315589865.2684.99.camel@willson.li.ssimo.org> <77D806E3863A2E4DADE1335809383D6109D852AD@SCSU84A.campus.stcloudstate.edu> Message-ID: <4E6AA133.6060300@redhat.com> On 09/09/2011 03:14 PM, Smith, Martin R. [smma0901 at stcloudstate.edu] wrote: > I have linked a zip the whole directory from abrt. After typing > "abrt-cli -l" it outputted: > ----- > Directory: /var/spool/abrt/ccpp-2011-09-09-13:41:51-972 > count: 1 > executable: /usr/sbin/krb5kdc > package: krb5-server-1.9.1-5.fc15 > time: Fri 09 Sep 2011 01:41:51 PM CDT > uid: 0 > ----- > > Link to _crash.zip_ > > > This appears to be my current ldap "openldap-2.4.24-3.fc15.x86_64". > Can you please file a BZ? https://bugzilla.redhat.com I assume it is on Fedora 15 right? > > -Martin > > > -----Original Message----- > From: Simo Sorce _[mailto:simo at redhat.com]_ > > Sent: Friday, September 09, 2011 12:38 PM > To: Smith, Martin R. 
[smma0901 at stcloudstate.edu] > Cc: _freeipa-users at redhat.com_ > Subject: Re: [Freeipa-users] krb5kdc process at 100% > > If it crashes it is a bug in the KDC. > Can you please get us the core dump when it crashes ? > > If you have abtrd installed it should be somewhere in /var/cache/abrt > (check /var/log/messages) to see where. > > Alternatively you can run service krb5kdc stop then as root in a shell > run ulimit -c unlimited and manually start /usr/sbin/krb5kdc wait for > the crash then take the core file generated. > > Please also tell what is the exact version of the krb5-server package > and the related ldap driver package. > > Simo. > > On Fri, 2011-09-09 at 16:27 +0000, Smith, Martin R. > [smma0901 at stcloudstate.edu] wrote: > > I removed the -w 4 from the config file. Here is what happens now. > > > > When a user with expired password logs in the krb5kdc process now > crashes, instead of running at 100%. > > If I attach gdb to the process before it crashes and attempt to login > the process doesn't crash. Here are the results of "bt" > > --------- > > #0 0x00007fe84e0ea1d3 in __select_nocancel () > > at ../sysdeps/unix/syscall-template.S:82 > > #1 0x00007fe84f2a8047 in krb5int_cm_call_select (in=, > > out=0x7fe8501d8780, sret=0x7fff421862b4) at sendto_kdc.c:564 > > #2 0x00007fe84ffd05ee in listen_and_process (handle=0x0, > > prog=0x7fff42187f52 "krb5kdc", reset=0x7fe84ffc6e10 > ) > > at net-server.c:1835 > > #3 0x00007fe84ffbcf68 in main (argc=3, argv=) at > > main.c:1069 > > -------- > > > > I have also attached the /var/log/krb5kdc > > > > -Martin > > > > -----Original Message----- > > From: Simo Sorce _[mailto:simo at redhat.com]_ > > > Sent: Friday, September 09, 2011 8:56 AM > > To: Smith, Martin R. [smma0901 at stcloudstate.edu] > > Cc: _freeipa-users at redhat.com_ > > Subject: Re: [Freeipa-users] krb5kdc process at 100% > > > > On Fri, 2011-09-09 at 05:09 +0000, Smith, Martin R. 
> > [smma0901 at stcloudstate.edu] wrote: > > > When I attach gdb to the process, I have tried the main process and > > > the four child processes, it provides no output. > > > Here are the steps I'm taking: > > > 1. On freeipa-server run htop and find the pid (or ps aux) > > > 1. Shows one parent PID and four child processes > > > 1. 934 root 20 0 46784 2656 388 S 0.0 0.1 > > > 0:00.00 `- /usr/sbin/krb5kdc > > > -P /var/run/krb5kdc.pid -w 4 > > > 2. 1939 root 20 0 78664 4460 2056 S 0.0 > > > 0.1 0:00.26 | `- /usr/sbin/krb5kdc > > > -P /var/run/krb5kdc.pid -w 4 > > > 3. 1938 root 20 0 78664 4460 2056 S 0.0 > > > 0.1 0:00.26 | `- /usr/sbin/krb5kdc > > > -P /var/run/krb5kdc.pid -w 4 > > > 4. 1936 root 20 0 78664 4460 2056 S 0.0 > > > 0.1 0:00.26 | `- /usr/sbin/krb5kdc > > > -P /var/run/krb5kdc.pid -w 4 > > > 5. 1935 root 20 0 78664 4212 1808 S 0.0 > > > 0.1 0:00.26 | `- /usr/sbin/krb5kdc > > > -P /var/run/krb5kdc.pid -w 4 > > > 2. run sudo gdb > > > 1. attach 934 > > > 2. press "c" > > > 3. Wait for output? > > > 2. Attempt to login with user that has an expired password. > > > 3. Now the krb5kdc process 934 starts running at 100% and the > > > user is unable to login. > > > 4. Only way to get the process back to normal is to type "service > > > ipa restart" > > > > > > > > I've never debugged a program before so if I'm missing a step please > > > let me know. > > > > Ok, let's simplify the problem first. > > > > apperently you have a quadcore cpu so by default we configured > krb5kdc to spawn 4 worker processes. Let's bring it down to not > spawning any worker process so we can simplify debugging. > > > > Go to /etc/sysconfig/krb5kdc and remove the "-w 4" argument from it. > > > > Then simply do a service krb5kdc restart (no need to restart the > whole ipa service for this). > > > > > > If krb5kdc locks up again, gdb the process like you have done before > but do not press c, type 'bt' instead and copy the log then you can > exit gdb. > > > > Simo. 
> > > > > > _______________________________________________ > > Freeipa-users mailing list > > _Freeipa-users at redhat.com_ > > _https://www.redhat.com/mailman/listinfo/freeipa-users_ > > -- > Simo Sorce * Red Hat, Inc * New York > > > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -------------- next part -------------- An HTML attachment was scrubbed... URL: From dpal at redhat.com Sat Sep 10 01:38:41 2011 From: dpal at redhat.com (Dmitri Pal) Date: Fri, 09 Sep 2011 21:38:41 -0400 Subject: [Freeipa-users] krb5kdc process at 100% In-Reply-To: <4E6AA133.6060300@redhat.com> References: <77D806E3863A2E4DADE1335809383D6109D8458C@SCSU84A.campus.stcloudstate.edu> <77D806E3863A2E4DADE1335809383D6109D845DC@SCSU84A.campus.stcloudstate.edu> <1315505097.2684.42.camel@willson.li.ssimo.org> <1315506291.2684.43.camel@willson.li.ssimo.org> <915F55D6-213E-45C8-9987-69DE25DB38A5@stcloudstate.du> <1315576550.2684.87.camel@willson.li.ssimo.org> <77D806E3863A2E4DADE1335809383D6109D8511A@SCSU84A.campus.stcloudstate.edu> <1315589865.2684.99.camel@willson.li.ssimo.org> <77D806E3863A2E4DADE1335809383D6109D852AD@SCSU84A.campus.stcloudstate.edu> <4E6AA133.6060300@redhat.com> Message-ID: <4E6ABFA1.60304@redhat.com> On 09/09/2011 07:28 PM, Dmitri Pal wrote: > On 09/09/2011 03:14 PM, Smith, Martin R. [smma0901 at stcloudstate.edu] > wrote: >> I have linked a zip the whole directory from abrt. 
>> After typing "abrt-cli -l" it outputted:
>> -----
>> Directory: /var/spool/abrt/ccpp-2011-09-09-13:41:51-972
>> count: 1
>> executable: /usr/sbin/krb5kdc
>> package: krb5-server-1.9.1-5.fc15
>> time: Fri 09 Sep 2011 01:41:51 PM CDT
>> uid: 0
>> -----
>>
>> Link to crash.zip
>>
>> This appears to be my current ldap "openldap-2.4.24-3.fc15.x86_64".
>>
>
> Can you please file a BZ? https://bugzilla.redhat.com
> I assume it is on Fedora 15 right?

End of day... Did not notice that the package name has fc15.
I opened it myself: https://bugzilla.redhat.com/show_bug.cgi?id=737224
Feel free to add.

>>
>> -Martin
>>
>> -----Original Message-----
>> From: Simo Sorce [mailto:simo at redhat.com]
>> Sent: Friday, September 09, 2011 12:38 PM
>> To: Smith, Martin R. [smma0901 at stcloudstate.edu]
>> Cc: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] krb5kdc process at 100%
>>
>> If it crashes it is a bug in the KDC.
>> Can you please get us the core dump when it crashes?
>>
>> If you have abrtd installed it should be somewhere in /var/cache/abrt
>> (check /var/log/messages) to see where.
>>
>> Alternatively you can run service krb5kdc stop then as root in a
>> shell run ulimit -c unlimited and manually start /usr/sbin/krb5kdc,
>> wait for the crash then take the core file generated.
>>
>> Please also tell what is the exact version of the krb5-server package
>> and the related ldap driver package.
>>
>> Simo.
>>
>> On Fri, 2011-09-09 at 16:27 +0000, Smith, Martin R. [smma0901 at stcloudstate.edu] wrote:
>> > I removed the -w 4 from the config file. Here is what happens now.
>> >
>> > When a user with expired password logs in the krb5kdc process now
>> > crashes, instead of running at 100%.
>> > If I attach gdb to the process before it crashes and attempt to
>> > login the process doesn't crash.
>> > Here are the results of "bt"
>> > ---------
>> > #0 0x00007fe84e0ea1d3 in __select_nocancel ()
>> >     at ../sysdeps/unix/syscall-template.S:82
>> > #1 0x00007fe84f2a8047 in krb5int_cm_call_select (in=,
>> >     out=0x7fe8501d8780, sret=0x7fff421862b4) at sendto_kdc.c:564
>> > #2 0x00007fe84ffd05ee in listen_and_process (handle=0x0,
>> >     prog=0x7fff42187f52 "krb5kdc", reset=0x7fe84ffc6e10 )
>> >     at net-server.c:1835
>> > #3 0x00007fe84ffbcf68 in main (argc=3, argv=) at main.c:1069
>> > --------
>> >
>> > I have also attached the /var/log/krb5kdc
>> >
>> > -Martin
>> >
>> > -----Original Message-----
>> > From: Simo Sorce [mailto:simo at redhat.com]
>> > Sent: Friday, September 09, 2011 8:56 AM
>> > To: Smith, Martin R. [smma0901 at stcloudstate.edu]
>> > Cc: freeipa-users at redhat.com
>> > Subject: Re: [Freeipa-users] krb5kdc process at 100%
>> >
>> > On Fri, 2011-09-09 at 05:09 +0000, Smith, Martin R. [smma0901 at stcloudstate.edu] wrote:
>> > > When I attach gdb to the process, I have tried the main process and
>> > > the four child processes, it provides no output.
>> > > Here are the steps I'm taking:
>> > > 1. On freeipa-server run htop and find the pid (or ps aux)
>> > >    1. Shows one parent PID and four child processes
>> > >       1. 934 root 20 0 46784 2656 388 S 0.0 0.1 0:00.00 `- /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid -w 4
>> > >       2. 1939 root 20 0 78664 4460 2056 S 0.0 0.1 0:00.26 | `- /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid -w 4
>> > >       3. 1938 root 20 0 78664 4460 2056 S 0.0 0.1 0:00.26 | `- /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid -w 4
>> > >       4. 1936 root 20 0 78664 4460 2056 S 0.0 0.1 0:00.26 | `- /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid -w 4
>> > >       5. 1935 root 20 0 78664 4212 1808 S 0.0 0.1 0:00.26 | `- /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid -w 4
>> > > 2. run sudo gdb
>> > >    1. attach 934
>> > >    2. press "c"
>> > >    3. Wait for output?
>> > > 2. Attempt to login with user that has an expired password.
>> > > 3. Now the krb5kdc process 934 starts running at 100% and the
>> > >    user is unable to login.
>> > > 4. Only way to get the process back to normal is to type "service
>> > >    ipa restart"
>> > >
>> > > I've never debugged a program before so if I'm missing a step please
>> > > let me know.
>> >
>> > Ok, let's simplify the problem first.
>> >
>> > Apparently you have a quadcore cpu so by default we configured
>> > krb5kdc to spawn 4 worker processes. Let's bring it down to not
>> > spawning any worker process so we can simplify debugging.
>> >
>> > Go to /etc/sysconfig/krb5kdc and remove the "-w 4" argument from it.
>> >
>> > Then simply do a service krb5kdc restart (no need to restart the
>> > whole ipa service for this).
>> >
>> > If krb5kdc locks up again, gdb the process like you have done before
>> > but do not press c, type 'bt' instead and copy the log then you can
>> > exit gdb.
>> >
>> > Simo.
>> >
>> > _______________________________________________
>> > Freeipa-users mailing list
>> > Freeipa-users at redhat.com
>> > https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>> --
>> Simo Sorce * Red Hat, Inc * New York
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IPA project,
> Red Hat Inc.
>
> -------------------------------
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From simo at redhat.com Sat Sep 10 15:47:37 2011
From: simo at redhat.com (Simo Sorce)
Date: Sat, 10 Sep 2011 11:47:37 -0400
Subject: [Freeipa-users] krb5kdc process at 100%
In-Reply-To: <4E6AA133.6060300@redhat.com>
References: <77D806E3863A2E4DADE1335809383D6109D8458C@SCSU84A.campus.stcloudstate.edu> <77D806E3863A2E4DADE1335809383D6109D845DC@SCSU84A.campus.stcloudstate.edu> <1315505097.2684.42.camel@willson.li.ssimo.org> <1315506291.2684.43.camel@willson.li.ssimo.org> <915F55D6-213E-45C8-9987-69DE25DB38A5@stcloudstate.du> <1315576550.2684.87.camel@willson.li.ssimo.org> <77D806E3863A2E4DADE1335809383D6109D8511A@SCSU84A.campus.stcloudstate.edu> <1315589865.2684.99.camel@willson.li.ssimo.org> <77D806E3863A2E4DADE1335809383D6109D852AD@SCSU84A.campus.stcloudstate.edu> <4E6AA133.6060300@redhat.com>
Message-ID: <1315669657.2684.141.camel@willson.li.ssimo.org>

On Fri, 2011-09-09 at 19:28 -0400, Dmitri Pal wrote:
> On 09/09/2011 03:14 PM, Smith, Martin R. [smma0901 at stcloudstate.edu] wrote:
> > I have linked a zip of the whole directory from abrt. After typing
> > "abrt-cli -l" it outputted:
> > -----
> > Directory: /var/spool/abrt/ccpp-2011-09-09-13:41:51-972
> > count: 1
> > executable: /usr/sbin/krb5kdc
> > package: krb5-server-1.9.1-5.fc15
> > time: Fri 09 Sep 2011 01:41:51 PM CDT
> > uid: 0
> > -----
> >
> > Link to crash.zip
> >
> > This appears to be my current ldap "openldap-2.4.24-3.fc15.x86_64".
> >
>
> Can you please file a BZ? https://bugzilla.redhat.com
> I assume it is on Fedora 15 right?

FWIW I think I reproduced this yesterday evening.
I will take a deeper look at it next week if it reproduces again.
It seems to happen only when multiple worker processes are in use and one of them segfaults.

Simo.
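The core-collection steps Simo gives in the quoted thread (raise the core-file limit, run the daemon in the foreground, wait for the crash, find the core, which abrtd may have captured instead) can be wrapped so the crash and the core location are reported automatically. The script below is an added example written for this page; it is not code from the thread or from FreeIPA or krb5. The command it is tested with, sh -c 'kill -11 $$', is a constructed stand-in for a crashing krb5kdc; nothing in it is KDC-specific.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): wrapper around the
# "ulimit -c unlimited; run the daemon; collect the core" procedure.

# Report where this host delivers core dumps. A core_pattern beginning with
# "|" means the kernel pipes the core to a helper (abrtd's hook, systemd-
# coredump, ...), so no file appears in the working directory; anything else
# is a file name pattern relative to the crashing process's cwd.
describe_core_handler() {
    pattern=$(cat /proc/sys/kernel/core_pattern 2>/dev/null) || pattern=""
    case "$pattern" in
        "")  echo "unknown: /proc/sys/kernel/core_pattern not readable" ;;
        \|*) echo "piped to helper: ${pattern#|}" ;;
        *)   echo "written to file: $pattern" ;;
    esac
}

# Run a command with an unlimited core-file limit inside a scratch directory.
# Returns 0 when the command exits normally and 1 when it is killed by a
# signal (the crash case a core is wanted for). RUN_STATUS keeps the raw
# exit status (128 + signal number for a signal death) for callers.
run_with_core() {
    scratch=$(mktemp -d "${TMPDIR:-/tmp}/core-run.XXXXXX") || return 2
    # Running the command inside an "if" keeps a caller's "set -e" from
    # aborting the script on the crash we are deliberately waiting for.
    if (
        cd "$scratch" || exit 2
        ulimit -c unlimited 2>/dev/null || true   # may be capped by a hard limit
        "$@"
    ); then
        RUN_STATUS=0
    else
        RUN_STATUS=$?
    fi
    if [ "$RUN_STATUS" -gt 128 ]; then
        echo "command died with signal $((RUN_STATUS - 128))"
        # With a file-based core_pattern the dump is in the scratch directory;
        # with a piped pattern, look where describe_core_handler points.
        for core in "$scratch"/core*; do
            [ -f "$core" ] && echo "core file: $core"
        done
        describe_core_handler
        return 1
    fi
    echo "command exited with status $RUN_STATUS"
    rm -rf "$scratch"
    return 0
}

# Signal number that ended the last run_with_core command, or 0 if it exited.
last_signal() {
    if [ "${RUN_STATUS:-0}" -gt 128 ]; then
        echo $((RUN_STATUS - 128))
    else
        echo 0
    fi
}
```

For the case in the thread the call would be run_with_core /usr/sbin/krb5kdc -n (after stopping the service), with -n keeping the KDC in the foreground; whether a core file lands in the scratch directory or in abrt's spool depends on what describe_core_handler prints.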
--
Simo Sorce * Red Hat, Inc * New York

From sbingram at gmail.com Mon Sep 12 17:57:36 2011
From: sbingram at gmail.com (Stephen Ingram)
Date: Mon, 12 Sep 2011 10:57:36 -0700
Subject: [Freeipa-users] backup and upgrade/transition to new versions
Message-ID:

I've seen mentioned on this list before that it is better to just image the entire system as a backup rather than actually try to figure out where the specific files are that relate to the various components of IPA. What I'm wondering is what if you want to upgrade the distribution, say from Fedora 15 to 16. How would this work as related to a production IPA install? I also know that some of our installations that begin on Fedora would end up on Redhat so that customers could take advantage of support. Is there any mechanism by which these upgrades could work?

Steve

From simo at redhat.com Mon Sep 12 18:17:51 2011
From: simo at redhat.com (Simo Sorce)
Date: Mon, 12 Sep 2011 14:17:51 -0400
Subject: [Freeipa-users] backup and upgrade/transition to new versions
In-Reply-To:
References:
Message-ID: <1315851471.2684.211.camel@willson.li.ssimo.org>

On Mon, 2011-09-12 at 10:57 -0700, Stephen Ingram wrote:
> I've seen mentioned on this list before that it is better to just
> image the entire system as a backup rather than actually try to figure
> out where the specific files are that relate to the various components
> of IPA. What I'm wondering is what if you want to upgrade the
> distribution, say from Fedora 15 to 16. How would this work as related
> to a production IPA install? I also know that some of our
> installations that begin on Fedora would end up on Redhat so that
> customers could take advantage of support. Is there any mechanism by
> which these upgrades could work?

I would suggest that the best way to deal with changing radically the underlying OS is to make a replica on a new machine and then get rid of the old one if possible.
If multiple replicas are already available I would just wipe out the machine, re-install, then replicate again. Just pay attention to backup things that may be only on the first master (for example the CA if you used selfsign).

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From g17jimmy at gmail.com Tue Sep 13 18:47:49 2011
From: g17jimmy at gmail.com (Jimmy)
Date: Tue, 13 Sep 2011 14:47:49 -0400
Subject: [Freeipa-users] Windows client logon
Message-ID:

I'm setting up a WinXP system to authenticate to FreeIPA. I followed the directions listed here:
http://freeipa.org/page/Implementing_FreeIPA_in_a_mixed_Environment_%28Windows/Linux%29_-_Step_by_step

I created the host account in FreeIPA, and the user, and I do get prompted to change the initial password (and it seems to work), but as soon as the password is changed (or on subsequent login attempts) I get the login message:
"the system cannot log you on now because the domain is not available"

Thanks.

From rcritten at redhat.com Tue Sep 13 20:08:48 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 13 Sep 2011 16:08:48 -0400
Subject: [Freeipa-users] Windows client logon
In-Reply-To:
References:
Message-ID: <4E6FB850.1080704@redhat.com>

Jimmy wrote:
> I'm setting up a WinXP system to authenticate to FreeIPA. I followed the
> directions listed here:
> http://freeipa.org/page/Implementing_FreeIPA_in_a_mixed_Environment_%28Windows/Linux%29_-_Step_by_step
>
> I created the host account in FreeIPA, and the user, and I do get
> prompted to change the initial password (and it seems to work), but as
> soon as the password is changed (or on subsequent login attempts) I get the
> login message:
> "the system cannot log you on now because the domain is not available"
>

The guide says this happens when you don't log in using the principal name, are you using that?
rob

From fedora at romal.de Wed Sep 14 04:54:29 2011
From: fedora at romal.de (Robert M. Albrecht)
Date: Wed, 14 Sep 2011 06:54:29 +0200
Subject: [Freeipa-users] DNS discovery failed to determine your DNS domain
Message-ID: <4E703385.1080501@romal.de>

Hi,

this happens while ipa-client-install.

If I enter the domain manually, I get "unable to find the IPA server".

After this the installer complains about resolv.conf.

Mine looks like

domain example.com
search example.com
nameserver 192.168.0.230

The ip is my ipa-server.

What should it look like?

cu romal

From rcritten at redhat.com Wed Sep 14 12:34:18 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 14 Sep 2011 08:34:18 -0400
Subject: [Freeipa-users] DNS discovery failed to determine your DNS domain
In-Reply-To: <4E703385.1080501@romal.de>
References: <4E703385.1080501@romal.de>
Message-ID: <4E709F4A.3040608@redhat.com>

Robert M. Albrecht wrote:
> Hi,
>
> this happens while ipa-client-install.
>
> If I enter the domain manually, I get "unable to find the IPA server".
>
> After this the installer complains about resolv.conf.
>
> Mine looks like
>
> domain example.com
> search example.com
> nameserver 192.168.0.230
>
> The ip is my ipa-server.
>
> What should it look like?
>
> cu romal

We need some more details. What version of ipa-client? Can you include the exact errors you are getting? Do you have an AD server for the same domain/realm?

rob

From g17jimmy at gmail.com Wed Sep 14 13:06:59 2011
From: g17jimmy at gmail.com (Jimmy)
Date: Wed, 14 Sep 2011 09:06:59 -0400
Subject: [Freeipa-users] Windows client logon
In-Reply-To: <4E6FB850.1080704@redhat.com>
References: <4E6FB850.1080704@redhat.com>
Message-ID:

Just curious about this, the guide that we both refer to provides instructions for a windows client authentication but this page indicates that FreeIPA doesn't support windows clients:

http://elladeon.fedorapeople.org/ipa/guide/Using_Microsoft_Windows.html

Which is correct?
On Tue, Sep 13, 2011 at 4:08 PM, Rob Crittenden wrote:
> Jimmy wrote:
>
>> I'm setting up a WinXP system to authenticate to FreeIPA. I followed the
>> directions listed here:
>>
>> http://freeipa.org/page/Implementing_FreeIPA_in_a_mixed_Environment_%28Windows/Linux%29_-_Step_by_step
>>
>> I created the host account in FreeIPA, and the user, and I do get
>> prompted to change the initial password (and it seems to work), but as
>> soon as the password is changed (or on subsequent login attempts) I get the
>> login message:
>> "the system cannot log you on now because the domain is not available"
>>
> The guide says this happens when you don't log in using the principal name,
> are you using that?
>
> rob

From rcritten at redhat.com Wed Sep 14 14:07:56 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 14 Sep 2011 10:07:56 -0400
Subject: [Freeipa-users] Windows client logon
In-Reply-To:
References: <4E6FB850.1080704@redhat.com>
Message-ID: <4E70B53C.8020002@redhat.com>

Jimmy wrote:
> Just curious about this, the guide that we both refer to provides
> instructions for a windows client authentication but this page indicates
> that FreeIPA doesn't support windows clients:
>
> http://elladeon.fedorapeople.org/ipa/guide/Using_Microsoft_Windows.html
>
> Which is correct?

The guide you referred to was contributed by another FreeIPA user showing one way to get Windows login working. It does this by mapping all IPA users to a single windows user (ipauser).

This is not practical for most installations so we don't recommend it.

The roadmap for the next major release of FreeIPA adds AD trust so the IPA realm can be trusted as part of an AD forest.

rob

> On Tue, Sep 13, 2011 at 4:08 PM, Rob Crittenden wrote:
>
> > Jimmy wrote:
> >
> > > I'm setting up a WinXP system to authenticate to FreeIPA. I followed the
> > > directions listed here:
> > > http://freeipa.org/page/Implementing_FreeIPA_in_a_mixed_Environment_%28Windows/Linux%29_-_Step_by_step
> > >
> > > I created the host account in FreeIPA, and the user, and I do get
> > > prompted to change the initial password (and it seems to work), but as
> > > soon as the password is changed (or on subsequent login attempts) I get the
> > > login message:
> > > "the system cannot log you on now because the domain is not available"
> >
> > The guide says this happens when you don't log in using the
> > principal name, are you using that?
> >
> > rob
>

From dpal at redhat.com Wed Sep 14 15:36:02 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 14 Sep 2011 11:36:02 -0400
Subject: [Freeipa-users] Multi-tennancy and Freeipa
Message-ID: <4E70C9E2.6090101@redhat.com>

Can Freeipa accommodate a multi-tenant environment? i.e. I work for a managed service provider that currently uses LDAP for authentication for both our users and our customer's users. But Customer A cannot see Customer B's data due to access control on our directory. Each customer has at least one LDAP service account in their container in the tree that can only view that customer's container and my company container.

Would we have to do something like create realms for each customer? Then configure trusts from customer realm to ours?

EXAMPLE.COM - our realm
CUSTOMERA.EXAMPLE.COM - customer a realm
... so on

What about data within the directory? Currently our DIT is like:

o=MyCompany,dc=example,dc=com
o=CustomerA,dc=excample,dc=com

Would separating by realms automatically divide that up? What about would Customer A be able to see any Customer B users using multiple realms alone or would we have to take additional precautions?

Regards,
-Alan

============================
Posted on behalf of Alan

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From g17jimmy at gmail.com Wed Sep 14 18:49:02 2011
From: g17jimmy at gmail.com (Jimmy)
Date: Wed, 14 Sep 2011 14:49:02 -0400
Subject: [Freeipa-users] Windows client logon
In-Reply-To: <4E70B53C.8020002@redhat.com>
References: <4E6FB850.1080704@redhat.com> <4E70B53C.8020002@redhat.com>
Message-ID:

One thing that doesn't quite make sense about the windows config instructions, we make a keytab, but there is no indication as to where the keytab goes. I wouldn't think the IPA server would need the keytab as the password is stored in the IPA server already.

On Wed, Sep 14, 2011 at 10:07 AM, Rob Crittenden wrote:
> Jimmy wrote:
>
>> Just curious about this, the guide that we both refer to provides
>> instructions for a windows client authentication but this page indicates
>> that FreeIPA doesn't support windows clients:
>>
>> http://elladeon.fedorapeople.org/ipa/guide/Using_Microsoft_Windows.html
>>
>> Which is correct?
>>
>
> The guide you referred to was contributed by another FreeIPA user showing
> one way to get Windows login working. It does this by mapping all IPA users
> to a single windows user (ipauser).
>
> This is not practical for most installations so we don't recommend it.
>
> The roadmap for the next major release of FreeIPA adds AD trust so the IPA
> realm can be trusted as part of an AD forest.
>
> rob
>
>
>> On Tue, Sep 13, 2011 at 4:08 PM, Rob Crittenden wrote:
>>
>> > Jimmy wrote:
>> >
>> > > I'm setting up a WinXP system to authenticate to FreeIPA. I followed the
>> > > directions listed here:
>> > >
>> > > http://freeipa.org/page/Implementing_FreeIPA_in_a_mixed_Environment_%28Windows/Linux%29_-_Step_by_step
>> > >
>> > > I created the host account in FreeIPA, and the user, and I do get
>> > > prompted to change the initial password (and it seems to work), but as
>> > > soon as the password is changed (or on subsequent login attempts) I get the
>> > > login message:
>> > > "the system cannot log you on now because the domain is not available"
>> >
>> > The guide says this happens when you don't log in using the
>> > principal name, are you using that?
>> >
>> > rob
>>
>

From danieljamesscott at gmail.com Wed Sep 14 18:59:04 2011
From: danieljamesscott at gmail.com (Dan Scott)
Date: Wed, 14 Sep 2011 14:59:04 -0400
Subject: [Freeipa-users] FreeIPA 2.1 - Authenticated LDAP search
Message-ID:

Hi,

I'm trying to perform an authenticated LDAP search against a FreeIPA server (Fedora 15, freeipa-server-2.1.0-1.fc15.x86_64).

When I run:

[root at kelvin ~]# ldapsearch -D "uid=guser,cn=users,cn=accounts,dc=example,dc=com" -w 'guserpassword' -b "cn=accounts,dc=example,dc=com" -h kelvin.example.com -v "uid=guser" -ZZ -c -d1

I receive the following error:

ldap_start_tls: Connect error (-11)
	additional info: TLS error -8172:Unknown code ___f 20

Full details shown in attachment.

Can anyone help me figure out what I'm doing wrong?
Thanks,

Dan Scott
http://danieljamesscott.org

-------------- next part --------------
[root at kelvin ~]# ldapsearch -D "uid=guser,cn=users,cn=accounts,dc=example,dc=com" -w 'guserpassword' -b "cn=accounts,dc=example,dc=com" -h kelvin.example.com -v "uid=guser" -ZZ -c -d1
ldap_initialize( ldap://kelvin.example.com )
ldap_create
ldap_url_parse_ext(ldap://kelvin.example.com)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP kelvin.example.com:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 192.168.100.32:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 31 bytes to sd 3
ldap_result ld 0xb0d280 msgid 1
wait4msg ld 0xb0d280 msgid 1 (infinite timeout)
wait4msg continue ld 0xb0d280 msgid 1 all 1
** ld 0xb0d280 Connections:
* host: kelvin.example.com  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Wed Sep 14 14:52:28 2011

** ld 0xb0d280 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0xb0d280 request count 1 (abandoned 0)
** ld 0xb0d280 Response Queue:
   Empty
  ld 0xb0d280 response count 0
ldap_chkResponseList ld 0xb0d280 msgid 1 all 1
ldap_chkResponseList returns ld 0xb0d280 NULL
ldap_int_select
read1msg: ld 0xb0d280 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 95 contents:
read1msg: ld 0xb0d280 msgid 1 message type extended-result
ber_scanf fmt ({eAA) ber:
read1msg: ld 0xb0d280 0 new referrals
read1msg:  mark request completed, ld 0xb0d280 msgid 1
request done: ld 0xb0d280 msgid 1
res_errno: 0, res_error: , res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_extended_result
ber_scanf fmt ({eAA) ber:
ber_scanf fmt (a) ber:
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (x) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
TLS: certificate [CN=Certificate Authority,O=EXAMPLE.COM] is not valid - error -8172:Unknown code ___f 20.
TLS: error: connect - force handshake failure: errno 21 - moznss error -8172
TLS: can't connect: TLS error -8172:Unknown code ___f 20.
ldap_err2string
ldap_start_tls: Connect error (-11)
	additional info: TLS error -8172:Unknown code ___f 20

From simo at redhat.com Wed Sep 14 19:08:22 2011
From: simo at redhat.com (Simo Sorce)
Date: Wed, 14 Sep 2011 15:08:22 -0400
Subject: [Freeipa-users] Multi-tennancy and Freeipa
In-Reply-To: <4E70C9E2.6090101@redhat.com>
References: <4E70C9E2.6090101@redhat.com>
Message-ID: <1316027302.2684.305.camel@willson.li.ssimo.org>

On Wed, 2011-09-14 at 11:36 -0400, Dmitri Pal wrote:
> Can Freeipa accommodate a multi-tenant environment? i.e. I work for
> a managed service provider that currently uses LDAP for authentication
> for both our users and our customer's users. But Customer A cannot
> see Customer B's data due to access control on our directory. Each
> customer has at least one LDAP service account in their container in
> the tree that can only view that customer's container and my company
> container.

At the moment we do not have the ability to move accounts into sub containers. It is a feature we may want to implement in future, but we kept the tree intentionally flat to avoid misuse we've seen as quite common in products like AD.

> Would we have to do something like create realms for each customer?
> Then configure trusts from customer realm to ours?
>
> EXAMPLE.COM - our realm
> CUSTOMERA.EXAMPLE.COM - customer a realm
> ... so on

This may work once ipa v3 is out. Building multiple realms (in multiple servers/VMs) is possible but trust relationship management is not fully baked in yet.

> What about data within the directory? Currently our DIT is like:
>
> o=MyCompany,dc=example,dc=com
> o=CustomerA,dc=excample,dc=com

If you create multiple realms you'll have to do it with multiple servers with current IPA.
> Would separating by realms automatically divide that up? What about
> would Customer A be able to see any Customer B users using multiple
> realms alone or would we have to take additional precautions?

In general ACIs can be used to limit who sees what.
It may be possible to use the current flat view on the server and constrain access to specific users/groups using a bit of custom schema in order to "label" entries, and custom ACIs.
Of course you would want to turn off anonymous access to the directory and encrypt all traffic with SSL or GSSAPI at that point.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com Wed Sep 14 19:08:27 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 14 Sep 2011 15:08:27 -0400
Subject: [Freeipa-users] FreeIPA 2.1 - Authenticated LDAP search
In-Reply-To:
References:
Message-ID: <4E70FBAB.7000801@redhat.com>

Dan Scott wrote:
> Hi,
>
> I'm trying to perform an authenticated LDAP search against a FreeIPA
> server (Fedora 15, freeipa-server-2.1.0-1.fc15.x86_64).
>
> When I run:
>
> [root at kelvin ~]# ldapsearch -D
> "uid=guser,cn=users,cn=accounts,dc=example,dc=com" -w 'guserpassword'
> -b "cn=accounts,dc=example,dc=com" -h kelvin.example.com -v
> "uid=guser" -ZZ -c -d1
>
> I receive the following error:
>
> ldap_start_tls: Connect error (-11)
> 	additional info: TLS error -8172:Unknown code ___f 20
>
> Full details shown in attachment.
>
> Can anyone help me figure out what I'm doing wrong?

The IPA CA cert isn't in the default CA bundle so you need to either set this in /etc/openldap/ldap.conf or pass it on the command line:

LDAPTLS_CACERT=/etc/ipa/ca.crt ldapsearch ...

The error is less than desirable, for sure. -8172 is an NSS error message meaning the Certificate is signed by an untrusted issuer.
rob

From simo at redhat.com Wed Sep 14 19:17:17 2011
From: simo at redhat.com (Simo Sorce)
Date: Wed, 14 Sep 2011 15:17:17 -0400
Subject: [Freeipa-users] Multi-tennancy and Freeipa
In-Reply-To: <1316027302.2684.305.camel@willson.li.ssimo.org>
References: <4E70C9E2.6090101@redhat.com> <1316027302.2684.305.camel@willson.li.ssimo.org>
Message-ID: <1316027837.2684.311.camel@willson.li.ssimo.org>

On Wed, 2011-09-14 at 15:08 -0400, Simo Sorce wrote:
> On Wed, 2011-09-14 at 11:36 -0400, Dmitri Pal wrote:
> > Can Freeipa accommodate a multi-tenant environment? i.e. I work for
> > a managed service provider that currently uses LDAP for authentication
> > for both our users and our customer's users. But Customer A cannot
> > see Customer B's data due to access control on our directory. Each
> > customer has at least one LDAP service account in their container in
> > the tree that can only view that customer's container and my company
> > container.
>
> At the moment we do not have the ability to move accounts into sub
> containers. It is a feature we may want to implement in future, but we
> kept the tree intentionally flat to avoid misuse we've seen as quite
> common in products like AD.
>
> > Would we have to do something like create realms for each customer?
> > Then configure trusts from customer realm to ours?
> >
> > EXAMPLE.COM - our realm
> > CUSTOMERA.EXAMPLE.COM - customer a realm
> > ... so on
>
> This may work once ipa v3 is out. Building multiple realms (in multiple
> servers/VMs) is possible but trust relationship management is not fully
> baked in yet.
>
> > What about data within the directory? Currently our DIT is like:
> >
> > o=MyCompany,dc=example,dc=com
> > o=CustomerA,dc=excample,dc=com
>
> If you create multiple realms you'll have to do it with multiple servers
> with current IPA.
>
> > Would separating by realms automatically divide that up? What about
> > would Customer A be able to see any Customer B users using multiple
> > realms alone or would we have to take additional precautions?
>
> In general ACIs can be used to limit who sees what.
> It may be possible to use the current flat view on the server and
> constrain access to specific users/groups using a bit of custom schema
> in order to "label" entries, and custom ACIs.
> Of course you would want to turn off anonymous access to the directory
> and encrypt all traffic with SSL or GSSAPI at that point.

Replying to myself, custom schema may not be necessary. It may be possible to use just ACIs and non-posix groups together w/o adding additional schema, that would make the problem simpler, although ACIs need to be built carefully not to cripple the admins view.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com Wed Sep 14 19:19:51 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 14 Sep 2011 15:19:51 -0400
Subject: [Freeipa-users] Multi-tennancy and Freeipa
In-Reply-To: <1316027837.2684.311.camel@willson.li.ssimo.org>
References: <4E70C9E2.6090101@redhat.com> <1316027302.2684.305.camel@willson.li.ssimo.org> <1316027837.2684.311.camel@willson.li.ssimo.org>
Message-ID: <4E70FE57.2010705@redhat.com>

Simo Sorce wrote:
> On Wed, 2011-09-14 at 15:08 -0400, Simo Sorce wrote:
>> On Wed, 2011-09-14 at 11:36 -0400, Dmitri Pal wrote:
>>> Can Freeipa accommodate a multi-tenant environment? i.e. I work for
>>> a managed service provider that currently uses LDAP for authentication
>>> for both our users and our customer's users. But Customer A cannot
>>> see Customer B's data due to access control on our directory. Each
>>> customer has at least one LDAP service account in their container in
>>> the tree that can only view that customer's container and my company
>>> container.
>>
>> At the moment we do not have the ability to move accounts into sub
>> containers. It is a feature we may want to implement in future, but we
>> kept the tree intentionally flat to avoid misuse we've seen as quite
>> common in products like AD.
>>
>>> Would we have to do something like create realms for each customer?
>>> Then configure trusts from customer realm to ours?
>>>
>>> EXAMPLE.COM - our realm
>>> CUSTOMERA.EXAMPLE.COM - customer a realm
>>> ... so on
>>
>> This may work once ipa v3 is out. Building multiple realms (in multiple
>> servers/VMs) is possible but trust relationship management is not fully
>> baked in yet.
>>
>>> What about data within the directory? Currently our DIT is like:
>>>
>>> o=MyCompany,dc=example,dc=com
>>> o=CustomerA,dc=excample,dc=com
>>
>> If you create multiple realms you'll have to do it with multiple servers
>> with current IPA.
>>
>>> Would separating by realms automatically divide that up? What about
>>> would Customer A be able to see any Customer B users using multiple
>>> realms alone or would we have to take additional precautions?
>>
>> In general ACIs can be used to limit who sees what.
>> It may be possible to use the current flat view on the server and
>> constrain access to specific users/groups using a bit of custom schema
>> in order to "label" entries, and custom ACIs.
>> Of course you would want to turn off anonymous access to the directory
>> and encrypt all traffic with SSL or GSSAPI at that point.
>
> Replying to myself, custom schema may not be necessary. It may be
> possible to use just ACIs and non-posix groups together w/o adding
> additional schema, that would make the problem simpler, although ACIs
> need to be built carefully not to cripple the admins view.
>
> Simo.
>

The management framework only supports a single realm as well, even if you could manage to insert the data.
rob

From simo at redhat.com Wed Sep 14 19:22:41 2011
From: simo at redhat.com (Simo Sorce)
Date: Wed, 14 Sep 2011 15:22:41 -0400
Subject: [Freeipa-users] Multi-tennancy and Freeipa
In-Reply-To: <4E70FE57.2010705@redhat.com>
References: <4E70C9E2.6090101@redhat.com> <1316027302.2684.305.camel@willson.li.ssimo.org> <1316027837.2684.311.camel@willson.li.ssimo.org> <4E70FE57.2010705@redhat.com>
Message-ID: <1316028161.2684.317.camel@willson.li.ssimo.org>

On Wed, 2011-09-14 at 15:19 -0400, Rob Crittenden wrote:
> Simo Sorce wrote:
> > On Wed, 2011-09-14 at 15:08 -0400, Simo Sorce wrote:
> >> On Wed, 2011-09-14 at 11:36 -0400, Dmitri Pal wrote:
> >>> Can Freeipa accommodate a multi-tenant environment? i.e. I work for
> >>> a managed service provider that currently uses LDAP for authentication
> >>> for both our users and our customer's users. But Customer A cannot
> >>> see Customer B's data due to access control on our directory. Each
> >>> customer has at least one LDAP service account in their container in
> >>> the tree that can only view that customer's container and my company
> >>> container.
> >>
> >> At the moment we do not have the ability to move accounts into sub
> >> containers. It is a feature we may want to implement in future, but we
> >> kept the tree intentionally flat to avoid misuse we've seen as quite
> >> common in products like AD.
> >>
> >>> Would we have to do something like create realms for each customer?
> >>> Then configure trusts from customer realm to ours?
> >>>
> >>> EXAMPLE.COM - our realm
> >>> CUSTOMERA.EXAMPLE.COM - customer a realm
> >>> ... so on
> >>
> >> This may work once ipa v3 is out. Building multiple realms (in multiple
> >> servers/VMs) is possible but trust relationship management is not fully
> >> baked in yet.
> >>
> >>> What about data within the directory? Currently our DIT is like:
> >>>
> >>> o=MyCompany,dc=example,dc=com
> >>> o=CustomerA,dc=excample,dc=com
> >>
> >> If you create multiple realms you'll have to do it with multiple servers
> >> with current IPA.
> >>
> >>> Would separating by realms automatically divide that up? What about
> >>> would Customer A be able to see any Customer B users using multiple
> >>> realms alone or would we have to take additional precautions?
> >>
> >> In general ACIs can be used to limit who sees what.
> >> It may be possible to use the current flat view on the server and
> >> constrain access to specific users/groups using a bit of custom schema
> >> in order to "label" entries, and custom ACIs.
> >> Of course you would want to turn off anonymous access to the directory
> >> and encrypt all traffic with SSL or GSSAPI at that point.
> >
> > Replying to myself, custom schema may not be necessary. It may be
> > possible to use just ACIs and non-posix groups together w/o adding
> > additional schema, that would make the problem simpler, although ACIs
> > need to be built carefully not to cripple the admins view.
> >
> > Simo.
> >
>
> The management framework only supports a single realm as well, even if
> you could manage to insert the data.

The ACIs solution would work with a single-realm model ... except that it also means each customer needs to do very careful access control when using kerberos for now, as we do not have a way to constrain which users can get tickets for which services in the same REALM. This is something we want to introduce in v3.0 anyways for various reasons. So going forward, segmentation of users should become simpler.

Simo.
-- Simo Sorce * Red Hat, Inc * New York From alanwevans at gmail.com Wed Sep 14 19:26:00 2011 From: alanwevans at gmail.com (Alan Evans) Date: Wed, 14 Sep 2011 15:26:00 -0400 Subject: [Freeipa-users] Multi-tennancy and Freeipa In-Reply-To: <1316028161.2684.317.camel@willson.li.ssimo.org> References: <4E70C9E2.6090101@redhat.com> <1316027302.2684.305.camel@willson.li.ssimo.org> <1316027837.2684.311.camel@willson.li.ssimo.org> <4E70FE57.2010705@redhat.com> <1316028161.2684.317.camel@willson.li.ssimo.org> Message-ID: Thanks all for your quick replies. My case is a bit of a corner case anyway so I was not expecting to have a perfect solution. Having tested out freeipa a few times in the last couple years it is certainly impressive the progress that has been made. I think for now I am going to continue using LDAP as we are and re-evaluate adding Kerberos later or at most selectively enable it for our admin users in the short term. :) Regards, -Alan On Wed, Sep 14, 2011 at 3:22 PM, Simo Sorce wrote: > On Wed, 2011-09-14 at 15:19 -0400, Rob Crittenden wrote: >> Simo Sorce wrote: >> > On Wed, 2011-09-14 at 15:08 -0400, Simo Sorce wrote: >> >> On Wed, 2011-09-14 at 11:36 -0400, Dmitri Pal wrote: >> >>> Can Freeipa accommodate a mufti-tennant environment? ?i.e. I work for >> >>> a managed service provider that currently uses LDAP for authentication >> >>> for both our users and our customer's users. ?But Customer A cannot >> >>> see Customer B's data due to access control on our directory. ?Each >> >>> customer has at least one LDAP service account in their container in >> >>> the tree that can only view that customer's container and my company >> >>> container. >> >> >> >> At the moment we do not have the ability to move accounts into sub >> >> containers. It is a feature we may want to implement in future, but we >> >> kept the tree intentionally flat to avoid misuse we've seen as quite >> >> common in products like AD. 
>> >>
>> >>> Would we have to do something like create realms for each customer?
>> >>> Then configure trusts from customer realm to ours?
>> >>>
>> >>> EXAMPLE.COM - our realm
>> >>> CUSTOMERA.EXAMPLE.COM - customer a realm
>> >>> ... so on
>> >>
>> >> This may work once ipa v3 is out. Building multiple realms (in multiple
>> >> servers/VMs) is possible but trust relationship management is not fully
>> >> backed in yet.
>> >>
>> >>> What about data within the directory? Currently our DIT is like:
>> >>>
>> >>> o=MyCompany,dc=example,dc=com
>> >>> o=CustomerA,dc=example,dc=com
>> >>
>> >> If you create multiple realms you'll have to do it with multiple servers
>> >> with current IPA.
>> >>
>> >>> Would separating by realms automatically divide that up? What about
>> >>> would Customer A be able to see any Customer B users using multiple
>> >>> realms alone or would we have to take additional precautions?
>> >>
>> >> In general ACIs can be used to limit who sees what.
>> >> It may be possible to use the current flat view on the server and
>> >> constrain access to specific users/groups using a bit of custom schema
>> >> in order to "label" entries, and custom ACIs.
>> >> Of course you would want to turn off anonymous access to the directory
>> >> and encrypt all traffic with SSL or GSSAPI at that point.
>> >
>> > Replying to myself, custom schema may not be necessary. It may be
>> > possible to use just ACIs and non-posix groups together w/o adding
>> > additional schema, that would make the problem simpler, although ACIs
>> > need to be built carefully not to cripple the admins view.
>> >
>> > Simo.
>> >
>>
>> The management framework only supports a single realm as well, even if
>> you could manage to insert the data.
>
> The ACIs solution would work with a single-realm model ...
> except that
> it also means each customer needs to do very careful access control when
> using kerberos for now, as we do not have a way to constrain which users
> can get tickets for which services in the same REALM. This is something
> we want to introduce in v3.0 anyways for various reasons. So going
> forward, segmentation of users should become simpler.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>
>

From ondrejv at s3group.cz Thu Sep 15 07:28:18 2011
From: ondrejv at s3group.cz (Ondrej Valousek)
Date: Thu, 15 Sep 2011 09:28:18 +0200
Subject: [Freeipa-users] FreeIPA 2.1 - Authenticated LDAP search
In-Reply-To:
References:
Message-ID: <4E71A912.9010102@s3group.cz>

I would recommend using Kerberos for authentication, i.e. parameter "-Y GSSAPI".
That always worked for me...

On 09/14/2011 08:59 PM, Dan Scott wrote:
> Hi,
>
> I'm trying to perform an authenticated LDAP search against a FreeIPA
> server (Fedora 15, freeipa-server-2.1.0-1.fc15.x86_64).
>
> When I run:
>
> [root at kelvin ~]# ldapsearch -D
> "uid=guser,cn=users,cn=accounts,dc=example,dc=com" -w 'guserpassword'
> -b "cn=accounts,dc=example,dc=com" -h kelvin.example.com -v
> "uid=guser" -ZZ -c -d1
>
> I receive the following error:
>
> ldap_start_tls: Connect error (-11)
> additional info: TLS error -8172:Unknown code ___f 20
>
> Full details shown in attachment.
>
> Can anyone help me figure out what I'm doing wrong?
>
> Thanks,
>
> Dan Scott
> http://danieljamesscott.org
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

The information contained in this e-mail and in any attachments is confidential and is designated solely for the attention of the intended recipient(s). If you are not an intended recipient, you must not use, disclose, copy, distribute or retain this e-mail or any part thereof.
If you have received this e-mail in error, please notify the sender by return e-mail and delete all copies of this e-mail from your computer system(s). Please direct any additional queries to: communications at s3group.com. Thank You. Silicon and Software Systems Limited (S3 Group). Registered in Ireland no. 378073. Registered Office: South County Business Park, Leopardstown, Dublin 18

From sigbjorn at nixtra.com Thu Sep 15 09:58:01 2011
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Thu, 15 Sep 2011 11:58:01 +0200 (CEST)
Subject: [Freeipa-users] [Fwd: RHN Errata Alert: ipa-client bug fix update]
Message-ID: <54994.62.148.39.180.1316080681.squirrel@www.nixtra.com>

I have received this errata for RHEL5, but not RHEL6. Has the issue been fixed in RHEL 6 as well?

Rgds,
Siggi

-----Original Message-----
From: Red Hat Network Alert [mailto:dev-null at rhn.redhat.com]
Sent: 15. september 2011 09:58
To: Sigbjørn Lie
Subject: RHN Errata Alert: ipa-client bug fix update

Red Hat Network has determined that the following advisory is applicable to
one or more of the systems you have registered:

Complete information about this errata can be found at the following location:
https://rhn.redhat.com/rhn/errata/details/Details.do?eid=12202

Bug Fix Advisory - RHBA-2011:1290-1
------------------------------------------------------------------------------
Summary:
ipa-client bug fix update

An updated ipa-client package that fixes one bug is now available for Red Hat
Enterprise Linux 5.

Description:
IPA (Identity, Policy, Audit) is an integrated solution to provide centrally
managed identity, that is, machine, user, virtual machines, groups, and
authentication credentials. The ipa-client package provides a tool to enroll a
machine to an IPA version 2 server.

This update fixes the following bug:

* Prior to this update, GSSAPI credential delegation was disabled in the curl
utility due to a security issue.
As a result, applications that rely on delegation did not work properly. This
update utilizes a new constructor argument in the xmlrpc-c client API to set the
new CURLOPT_GSSAPI_DELEGATION curl option. This option enables the credential
delegation, thus fixing this bug. (BZ#736658)

Users of ipa-client are advised to upgrade to this updated package, which fixes
this bug.

From danieljamesscott at gmail.com Thu Sep 15 11:08:50 2011
From: danieljamesscott at gmail.com (Dan Scott)
Date: Thu, 15 Sep 2011 07:08:50 -0400
Subject: [Freeipa-users] FreeIPA 2.1 - Authenticated LDAP search
In-Reply-To: <4E71A912.9010102@s3group.cz>
References: <4E71A912.9010102@s3group.cz>
Message-ID:

Yes, I'd rather do that, but I'm trying to authenticate a Java web
application using the Glassfish application server. Glassfish has LDAP
authentication built in, I'd have to write a Kerberos login module
myself.

Dan

On Thu, Sep 15, 2011 at 03:28, Ondrej Valousek wrote:
> I would recommend using Kerberos for authentication, i.e. parameter "-Y
> GSSAPI". That always worked for me...
>
>
> On 09/14/2011 08:59 PM, Dan Scott wrote:
>
> Hi,
>
> I'm trying to perform an authenticated LDAP search against a FreeIPA
> server (Fedora 15, freeipa-server-2.1.0-1.fc15.x86_64).
>
> When I run:
>
> [root at kelvin ~]# ldapsearch -D
> "uid=guser,cn=users,cn=accounts,dc=example,dc=com" -w 'guserpassword'
> -b "cn=accounts,dc=example,dc=com" -h kelvin.example.com -v
> "uid=guser" -ZZ -c -d1
>
> I receive the following error:
>
> ldap_start_tls: Connect error (-11)
> additional info: TLS error -8172:Unknown code ___f 20
>
> Full details shown in attachment.
>
> Can anyone help me figure out what I'm doing wrong?
>
> Thanks,
>
> Dan Scott
> http://danieljamesscott.org
>

From rcritten at redhat.com Thu Sep 15 13:03:02 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 15 Sep 2011 09:03:02 -0400
Subject: [Freeipa-users] [Fwd: RHN Errata Alert: ipa-client bug fix update]
In-Reply-To: <54994.62.148.39.180.1316080681.squirrel@www.nixtra.com>
References: <54994.62.148.39.180.1316080681.squirrel@www.nixtra.com>
Message-ID: <4E71F786.5010503@redhat.com>

Sigbjorn Lie wrote:
> I have received this errata for RHEL5, but not RHEL6. Has the issue been fixed in RHEL 6 as well?

It is going through testing now, I can't provide an ETA.

rob

>
>
>
>
> Rgds,
> Siggi
>
>
> -----Original Message-----
> From: Red Hat Network Alert [mailto:dev-null at rhn.redhat.com]
> Sent: 15.
> september 2011 09:58
> To: Sigbjørn Lie
> Subject: RHN Errata Alert: ipa-client bug fix update
>
> Red Hat Network has determined that the following advisory is applicable to
> one or more of the systems you have registered:
>
> Complete information about this errata can be found at the following location:
> https://rhn.redhat.com/rhn/errata/details/Details.do?eid=12202
>
> Bug Fix Advisory - RHBA-2011:1290-1
> ------------------------------------------------------------------------------
> Summary:
> ipa-client bug fix update
>
> An updated ipa-client package that fixes one bug is now available for Red Hat
> Enterprise Linux 5.
>
>
> Description:
> IPA (Identity, Policy, Audit) is an integrated solution to provide centrally
> managed identity, that is, machine, user, virtual machines, groups, and
> authentication credentials. The ipa-client package provides a tool to enroll a
> machine to an IPA version 2 server.
>
> This update fixes the following bug:
>
> * Prior to this update, GSSAPI credential delegation was disabled in the curl
> utility due to a security issue. As a result, applications that rely on
> delegation did not work properly. This update utilizes a new constructor
> argument in the xmlrpc-c client API to set the new CURLOPT_GSSAPI_DELEGATION
> curl option. This option enables the credential delegation, thus fixing this
> bug. (BZ#736658)
>
> Users of ipa-client are advised to upgrade to this updated package, which fixes
> this bug.
>
>
>

From jgalipea at redhat.com Thu Sep 15 14:40:45 2011
From: jgalipea at redhat.com (Jenny Galipeau)
Date: Thu, 15 Sep 2011 10:40:45 -0400 (EDT)
Subject: [Freeipa-users] [Fwd: RHN Errata Alert: ipa-client bug fix update]
In-Reply-To: <4E71F786.5010503@redhat.com>
Message-ID: <1707095473.693353.1316097645962.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>

----- Original Message -----
> Sigbjorn Lie wrote:
> > I have received this errata for RHEL5, but not RHEL6. Has the issue
> > been fixed in RHEL 6 as well?
>
> It is going through testing now, I can't provide an ETA.

It has finished testing and has been pushed live. It should be available soon!

Thanks
Jenny

>
> rob
>
> >
> >
> >
> >
> > Rgds,
> > Siggi
> >
> >
> > -----Original Message-----
> > From: Red Hat Network Alert [mailto:dev-null at rhn.redhat.com]
> > Sent: 15. september 2011 09:58
> > To: Sigbjørn Lie
> > Subject: RHN Errata Alert: ipa-client bug fix update
> >
> > Red Hat Network has determined that the following advisory is
> > applicable to
> > one or more of the systems you have registered:
> >
> > Complete information about this errata can be found at the following
> > location:
> > https://rhn.redhat.com/rhn/errata/details/Details.do?eid=12202
> >
> > Bug Fix Advisory - RHBA-2011:1290-1
> > ------------------------------------------------------------------------------
> > Summary:
> > ipa-client bug fix update
> >
> > An updated ipa-client package that fixes one bug is now available
> > for Red Hat
> > Enterprise Linux 5.
> >
> >
> > Description:
> > IPA (Identity, Policy, Audit) is an integrated solution to provide
> > centrally
> > managed identity, that is, machine, user, virtual machines, groups,
> > and
> > authentication credentials.
> > The ipa-client package provides a tool
> > to enroll a
> > machine to an IPA version 2 server.
> >
> > This update fixes the following bug:
> >
> > * Prior to this update, GSSAPI credential delegation was disabled in
> > the curl
> > utility due to a security issue. As a result, applications that rely
> > on
> > delegation did not work properly. This update utilizes a new
> > constructor
> > argument in the xmlrpc-c client API to set the new
> > CURLOPT_GSSAPI_DELEGATION
> > curl option. This option enables the credential delegation, thus
> > fixing this
> > bug. (BZ#736658)
> >
> > Users of ipa-client are advised to upgrade to this updated package,
> > which fixes
> > this bug.
> >
> >
> >

--
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

Jenny Galipeau
Principal Software QA Engineer
Red Hat, Inc. Security Engineering

From jgalipea at redhat.com Thu Sep 15 14:50:48 2011
From: jgalipea at redhat.com (Jenny Galipeau)
Date: Thu, 15 Sep 2011 10:50:48 -0400 (EDT)
Subject: [Freeipa-users] [Fwd: RHN Errata Alert: ipa-client bug fix update]
In-Reply-To: <1707095473.693353.1316097645962.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>
Message-ID: <1171850977.693538.1316098248532.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>

----- Original Message -----
> ----- Original Message -----
> > Sigbjorn Lie wrote:
> > > I have received this errata for RHEL5, but not RHEL6. Has the
> > > issue
> > > been fixed in RHEL 6 as well?
> >
> > It is going through testing now, I can't provide an ETA.
>
> It has finished testing and has been pushed live. It should be
> available soon!
Sorry was mistaken it is still being tested but we are hoping to push the fix today. So stay tuned.

> Thanks
> Jenny
>
> >
> > rob
> >
> > >
> > >
> > >
> > >
> > > Rgds,
> > > Siggi
> > >
> > >
> > > -----Original Message-----
> > > From: Red Hat Network Alert [mailto:dev-null at rhn.redhat.com]
> > > Sent: 15. september 2011 09:58
> > > To: Sigbjørn Lie
> > > Subject: RHN Errata Alert: ipa-client bug fix update
> > >
> > > Red Hat Network has determined that the following advisory is
> > > applicable to
> > > one or more of the systems you have registered:
> > >
> > > Complete information about this errata can be found at the
> > > following
> > > location:
> > > https://rhn.redhat.com/rhn/errata/details/Details.do?eid=12202
> > >
> > > Bug Fix Advisory - RHBA-2011:1290-1
> > > ------------------------------------------------------------------------------
> > > Summary:
> > > ipa-client bug fix update
> > >
> > > An updated ipa-client package that fixes one bug is now available
> > > for Red Hat
> > > Enterprise Linux 5.
> > >
> > >
> > > Description:
> > > IPA (Identity, Policy, Audit) is an integrated solution to provide
> > > centrally
> > > managed identity, that is, machine, user, virtual machines,
> > > groups,
> > > and
> > > authentication credentials. The ipa-client package provides a tool
> > > to enroll a
> > > machine to an IPA version 2 server.
> > >
> > > This update fixes the following bug:
> > >
> > > * Prior to this update, GSSAPI credential delegation was disabled
> > > in
> > > the curl
> > > utility due to a security issue. As a result, applications that
> > > rely
> > > on
> > > delegation did not work properly. This update utilizes a new
> > > constructor
> > > argument in the xmlrpc-c client API to set the new
> > > CURLOPT_GSSAPI_DELEGATION
> > > curl option. This option enables the credential delegation, thus
> > > fixing this
> > > bug.
> > > (BZ#736658)
> > >
> > > Users of ipa-client are advised to upgrade to this updated
> > > package,
> > > which fixes
> > > this bug.
> > >
> > >
> > >
> >
>
> --
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
>
> Jenny Galipeau
> Principal Software QA Engineer
> Red Hat, Inc. Security Engineering
>

--
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

Jenny Galipeau
Principal Software QA Engineer
Red Hat, Inc. Security Engineering

From sigbjorn at nixtra.com Thu Sep 15 19:45:08 2011
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Thu, 15 Sep 2011 21:45:08 +0200
Subject: [Freeipa-users] Add user -> custom script
Message-ID: <4E7255C4.2030406@nixtra.com>

Hi,

Is there a custom script hook for when a user account is added using
either the cli, webui, or the winsync module?

I have a custom script I run when creating a user account, and having
this run automatically by IPA would make my life a lot easier.

Regards,
Siggi

From dpal at redhat.com Thu Sep 15 19:59:56 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Thu, 15 Sep 2011 15:59:56 -0400
Subject: [Freeipa-users] Add user -> custom script
In-Reply-To: <4E7255C4.2030406@nixtra.com>
References: <4E7255C4.2030406@nixtra.com>
Message-ID: <4E72593C.4030600@redhat.com>

On 09/15/2011 03:45 PM, Sigbjorn Lie wrote:
> Hi,
>
> Is there a custom script hook for when a user account is added using
> either the cli, webui, or the winsync module?
>
> I have a custom script I run when creating a user account, and having
> this run automatically by IPA would make my life a lot easier.
>
>
Can you describe what kind of operations you need to do?
Have you looked at the automembership plugin?

> Regards,
> Siggi
>

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From matthew at familycampground.org Thu Sep 15 20:02:32 2011
From: matthew at familycampground.org (Matthew Davis)
Date: Thu, 15 Sep 2011 16:02:32 -0400
Subject: [Freeipa-users] Installation failed at configuring CA
Message-ID:

So here's the steps I took to reproduce this (which I've done a few
times now to make sure I didn't botch something up)

- fresh install of F15
- fully updated from the main repos
- install freeipa-server using the updates-testing repo
- set SELinux to permissive (due to previous conversations about
selinux stopping the ldap server from restarting)
- ran ipa-server-install

It dies at this stage:

Configuring certificate server: Estimated time 3 minutes 30 seconds
  [1/17]: creating certificate server user
  [2/17]: creating pki-ca instance
  [3/17]: configuring certificate server instance
root        : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname ipa.domain.com -cs_port 9445 -client_certdb_dir /tmp/tmp-1oSAYI -client_certdb_pwd 'XXXXXXXX' -preop_pin JBpIwvNsi8efrsbebjVK -domain_name IPA -admin_user admin -admin_email root at localhost -admin_password 'XXXXXXXX' -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject "CN=ipa-ca-agent,O=DOMAIN.COM" -ldap_host ipa.domain.com -ldap_port 7389 -bind_dn "cn=Directory Manager" -bind_password 'XXXXXXXX' -base_dn o=ipaca -db_name
ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd 'XXXXXXXX' -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name "CN=CA Subsystem,O=DOMAIN.COM" -ca_ocsp_cert_subject_name "CN=OCSP Subsystem,O=DOMAIN.COM" -ca_server_cert_subject_name "CN=ipa.domain.com,O=DOMAIN.COM" -ca_audit_signing_cert_subject_name "CN=CA Audit,O=DOMAIN.COM" -ca_sign_cert_subject_name "CN=Certificate Authority,O=DOMAIN.COM" -external false -clone false' returned non-zero exit status 255

Unexpected error - see ipaserver-install.log for details:
Configuration of CA failed

Attached is the last bit of the install log.

--
Matthew Davis

-------------- next part --------------
RESPONSE STATUS:  HTTP/1.1 200 OK
RESPONSE HEADER:  Server: Apache-Coyote/1.1
RESPONSE HEADER:  Content-Type: application/xml;charset=UTF-8
RESPONSE HEADER:  Date: Thu, 15 Sep 2011 19:55:08 GMT
RESPONSE HEADER:  Connection: close
ERROR: unable to parse xml
ERROR XML = ame>Key PairssubjectnameSubject NamescertrequestRequests and CertificatesbackupkeysExport Keys and Certificatessavepk12Save Keys and CertificatesimportcachainImport CA's Certificate ChainadminAdministratorimportadmincertImport Administrator's CertificatedoneDone

17

CA Setup WizardtrueMIIHMwYJKoZIhvcNAQcCoIIHJDCCByACAQExADAPBgkqhkiG9w0BBwGgAgQAoIIHBDCCA3EwggJZoAMCAQICAQYwDQYJKoZIhvcNAQELBQAwNjEUMBIGA1UEChMLSU5NWVZBQy5DT00xHjAcBgNVBAMTFUNlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xMTA5MTUxOTU1MDlaFw0xMzA5MDQxOTU1MDlaMC0xFDASBgNVBAoTC0lOTVlWQUMuQ09NMRUwEwYDVQQDEwxpcGEtY2EtYWdlbnQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCt6S6FDiTJ/o32dXnrmidRS/aSC/FYTjY+hvMfhADO9Fr/vn3hid6ndV3oaDZYrPZi9vgocRCp4N16+wb1Vb3c4l37eTe8f0nwUfi/kwNkoFS9VxiJXxVeTLNbfIm3IVzy1lc0LmsqEV53Gi/G0RBTQlkN59FFsyJfyd5zez31Mf7BhpV9C4Vn/o8sKL+m2N7Ni7ZGU8csfXC8pVoDR4UhxgMdoLYP96G2yjVNvTA+F0xk5iGvr/5zB2zlRm8UL2DHSnX65OOWvSE44n9jOvfb9x03CuHTl1XFcJI5T2Y/WUobky5Rvmv/7uAbs+Ur0Zd3Xkc4w3dQbb614fNcW87xAgMBAAGjgZIwgY8wHwYDVR0jBBgwFoAUslPrdQpbOsMeeG17miuOzjbXn7cwPQYIKwYBBQUHAQEEMTAvMC0GCCsGAQUFBzABhiFodHRwOi8vaXBhLmlubXl2YWMuY29tOjgwL2NhL29jc3AwDgYDVR0PAQH/BAQDAgTwMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDBDANBgkqhkiG9w0BAQsFAAOCAQEAB+xT1uJ6k9OixhjYn6zQD1aJBLQ2/RR2zWssMdrmkP7DT0+GAUF7Y0G9pdEYpXS34raNz/lAqSGW0NnWKZxyLRVR47QZqW9MiRCe+0L64tGzRtj2sjsE/a09cf8MhwliIeWn0nHb/bSDHifdWY44qnYJydtm54XYR2Vom33pvN2FnofZRjz2i9cre/UuPyzcaCSR9SjEg4P1JdYAG8iHZ7/5SvLy67e7AR233m4wcT91wrAruDg3/JqYcpRtgxa3rm7bxObDHrCYUxHj3Z/k81F1uv5xl3b0jCrip5Vcc48c7df6gS1rt5YaBYjkcRAS3kXlLgnvCCwzPd3ggydndzCCA4swggJzoAMCAQICAQEwDQYJKoZIhvcNAQELBQAwNjEUMBIGA1UEChMLSU5NWVZBQy5DT00xHjAcBgNVBAMTFUNlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xMTA5MTUxOTU1MDRaFw0xOTA5MTUxOTU1MDRaMDYxFDASBgNVBAoTC0lOTVlWQUMuQ09NMR4wHAYDVQQDExVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC0m53R30h9YexZHG+z1yZpmM50qafPRyU73LP+EBJjDxOcDrBZUbSPXdCYyYU7b4n2bz4uDDfGjqP9rPwJZ96VJjqxHXnklWvrUU0fjrF0L5H5hBlk8zaMx//jLKDNfGTHeL510r2JUUaVp/Gqg8arzPkMWRqJOJ2rQnES9K5hSec3SNdnZ3NhyN8gZpjkkJb+bZGQyknb9tl5C7q/iCCDHyUF/hrVeo+4qO7PbV/lp4ZugujBU6K43+a94cspLm2aiEZXqKQonFjJw+dywMYcQgZRcmYtGQHos3jyNtHs60C1yxZ/KWB5UQyl4pbwicGArfSIUaQ96a5gmnGG6H53AgMBAAGjgaMwgaAwHwYDVR0jBBgwFoAUslPrdQpbOsMeeG17miuOzjbXn7cwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAcYwHQYDVR0OBBYEF
LJT63UKWzrDHnhte5orjs4215+3MD0GCCsGAQUFBwEBBDEwLzAtBggrBgEFBQcwAYYhaHR0cDovL2lwYS5pbm15dmFjLmNvbTo4MC9jYS9vY3NwMA0GCSqGSIb3DQEBCwUAA4IBAQCqzTYygHnGR5jZj0q7za69cCobCucJIYyIksuYQ+9YMOxegTE1Ie9MS9poJAHFrAuNor/cNl+GAbvtKtxgApkB8oM+2edITaY6Hci5XgleyD/+CQfmRSfB+X9SZGO32gHNYpE2CthJZzYDI6K6VNAmp7LkT/ksbdMwkKb3uovI2S5sUDOHCC/s2YyoE4dv/LuGDBxQf5DZpSM4oosxbw6K28fZ91g7C9IFa1F0p4QpwBGvs/WoX6yglOBznWucg6PgBeG7Rn72FgR3F/gqs2KnIALOA3/WctJB8AaYS3dBwMMfqZzHAZjqq2FeiNFUX1yJI7rKprLyFY8238taMqNzMQA=importadmincert
ERROR: Tag=updateStatushas no values
Error in AdminCertReqPanel(): updateStatus value is null
ERROR: ConfigureCA: AdminCertReqPanel() failure
ERROR: unable to create CA
#######################################################################

2011-09-15 15:55:09,542 DEBUG stderr=[Fatal Error] :20:136: The entity name must immediately follow the '&' in the entity reference.
org.xml.sax.SAXParseException; lineNumber: 20; columnNumber: 136; The entity name must immediately follow the '&' in the entity reference.
	at org.apache.xerces.parsers.DOMParser.parse(Unknown Source)
	at org.apache.xerces.jaxp.DocumentBuilderImpl.parse(Unknown Source)
	at javax.xml.parsers.DocumentBuilder.parse(DocumentBuilder.java:121)
	at ParseXML.parse(ParseXML.java:43)
	at ConfigureCA.getStatus(ConfigureCA.java:205)
	at ConfigureCA.checkStatus(ConfigureCA.java:221)
	at ConfigureCA.checkStatus(ConfigureCA.java:216)
	at ConfigureCA.AdminCertReqPanel(ConfigureCA.java:1029)
	at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1309)
	at ConfigureCA.main(ConfigureCA.java:1672)

2011-09-15 15:55:09,542 CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname ipa.domain.com -cs_port 9445 -client_certdb_dir /tmp/tmp-1oSAYI -client_certdb_pwd 'XXXXXXXX' -preop_pin JBpIwvNsi8efrsbebjVK -domain_name IPA -admin_user admin -admin_email root at localhost -admin_password 'XXXXXXXX' -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject "CN=ipa-ca-agent,O=DOMAIN.COM" -ldap_host ipa.domain.com -ldap_port 7389 -bind_dn "cn=Directory Manager" -bind_password 'XXXXXXXX' -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd 'XXXXXXXX' -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name "CN=CA Subsystem,O=DOMAIN.COM" -ca_ocsp_cert_subject_name "CN=OCSP Subsystem,O=DOMAIN.COM" -ca_server_cert_subject_name "CN=ipa.domain.com,O=DOMAIN.COM" -ca_audit_signing_cert_subject_name "CN=CA Audit,O=DOMAIN.COM" -ca_sign_cert_subject_name "CN=Certificate Authority,O=DOMAIN.COM" -external false -clone false' returned non-zero exit status 255
2011-09-15 15:55:09,559 DEBUG Configuration of CA failed
  File "/usr/sbin/ipa-server-install", line 1081, in <module>
    sys.exit(main())
  File "/usr/sbin/ipa-server-install", line 883, in main
    subject_base=options.subject)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 544, in configure_instance
    self.start_creation("Configuring certificate server", 210)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 276, in start_creation
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 684, in __configure_instance
    raise RuntimeError('Configuration of CA failed')

From rcritten at redhat.com Thu Sep 15 20:10:55 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 15 Sep 2011 16:10:55 -0400
Subject: [Freeipa-users] Installation failed at configuring CA
In-Reply-To:
References:
Message-ID: <4E725BCF.4040605@redhat.com>

Matthew Davis wrote:
> So here's the steps I took to reproduce this (which I've done a few
> times now to make sure I didn't botch something up)
>
> - fresh install of F15
> - fully updated from the main repos
> - install freeipa-server using the updates-testing repo
> - set SELinux to permissive (due to previous conversations about
> selinux stopping the ldap server from restarting)
> - ran ipa-server-install
>
> It dies at this stage:
>
> Configuring certificate server: Estimated time 3 minutes 30 seconds
> [1/17]: creating certificate server user
> [2/17]: creating pki-ca instance
> [3/17]: configuring certificate server instance
> root : CRITICAL failed to configure ca instance Command
> '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname
> ipa.domain.com -cs_port 9445 -client_certdb_dir /tmp/tmp-1oSAYI
> -client_certdb_pwd 'XXXXXXXX' -preop_pin JBpIwvNsi8efrsbebjVK
> -domain_name IPA -admin_user admin -admin_email root at localhost
> -admin_password 'XXXXXXXX' -agent_name ipa-ca-agent -agent_key_size
> 2048 -agent_key_type rsa -agent_cert_subject
> "CN=ipa-ca-agent,O=DOMAIN.COM" -ldap_host ipa.domain.com -ldap_port
> 7389 -bind_dn "cn=Directory Manager" -bind_password 'XXXXXXXX'
> -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa
> -key_algorithm SHA256withRSA -save_p12 true -backup_pwd 'XXXXXXXX'
> -subsystem_name pki-cad -token_name internal
> -ca_subsystem_cert_subject_name "CN=CA Subsystem,O=DOMAIN.COM"
> -ca_ocsp_cert_subject_name "CN=OCSP Subsystem,O=DOMAIN.COM"
> -ca_server_cert_subject_name "CN=ipa.domain.com,O=DOMAIN.COM"
> -ca_audit_signing_cert_subject_name "CN=CA Audit,O=DOMAIN.COM"
> -ca_sign_cert_subject_name "CN=Certificate Authority,O=DOMAIN.COM"
> -external false -clone false' returned non-zero exit status 255
>
> Unexpected error - see ipaserver-install.log for details:
> Configuration of CA failed
>
> Attached is the last bit of the install log.

Are you using a Directory Manager password with special characters in
it? The password ends up getting passed through the shell and some
things that require escaping aren't escaped by either us, dogtag or
both. We're investigating that now.

rob

From sigbjorn at nixtra.com Thu Sep 15 20:14:40 2011
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Thu, 15 Sep 2011 22:14:40 +0200
Subject: [Freeipa-users] Add user -> custom script
In-Reply-To: <4E72593C.4030600@redhat.com>
References: <4E7255C4.2030406@nixtra.com> <4E72593C.4030600@redhat.com>
Message-ID: <4E725CB0.7080807@nixtra.com>

On 09/15/2011 09:59 PM, Dmitri Pal wrote:
> On 09/15/2011 03:45 PM, Sigbjorn Lie wrote:
>> Hi,
>>
>> Is there a custom script hook for when a user account is added using
>> either the cli, webui, or the winsync module?
>>
>> I have a custom script I run when creating a user account, and having
>> this run automatically by IPA would make my life a lot easier.
>>
>>
> Can you describe what kind of operations you need to do?
> Have you looked at the automembership plugin?
>

I'm doing a SSH login on to a filer, creating a home folder ZFS dataset
for the new user, setting quota and ACL on the newly created dataset,
and adding files from a skeleton folder into the home folder.

From matthew at familycampground.org Thu Sep 15 20:47:59 2011
From: matthew at familycampground.org (Matthew Davis)
Date: Thu, 15 Sep 2011 16:47:59 -0400
Subject: [Freeipa-users] Installation failed at configuring CA
In-Reply-To: <4E725BCF.4040605@redhat.com>
References: <4E725BCF.4040605@redhat.com>
Message-ID:

On Thu, Sep 15, 2011 at 4:10 PM, Rob Crittenden wrote:
> Are you using a Directory Manager password with special characters in it?
> The password ends up getting passed through the shell and some things that
> require escaping aren't escaped by either us, dogtag or both. We're
> investigating that now.

Ah, yes, there is a & in there and a few other special chars. Thanks.
I'll test again w/o them.

--
Matthew Davis

From matthew at familycampground.org Thu Sep 15 20:58:16 2011
From: matthew at familycampground.org (Matthew Davis)
Date: Thu, 15 Sep 2011 16:58:16 -0400
Subject: [Freeipa-users] Installation failed at configuring CA
In-Reply-To:
References: <4E725BCF.4040605@redhat.com>
Message-ID:

On Thu, Sep 15, 2011 at 4:47 PM, Matthew Davis wrote:
> On Thu, Sep 15, 2011 at 4:10 PM, Rob Crittenden wrote:
>> Are you using a Directory Manager password with special characters in it?
>> The password ends up getting passed through the shell and some things that
>> require escaping aren't escaped by either us, dogtag or both. We're
>> investigating that now.
>
> Ah, yes, there is a & in there and a few other special chars. Thanks.
> I'll test again w/o them.

Thanks Rob, that did it.

Need me to file a bug so this doesn't get lost?

--
Matthew Davis
http://familycampground.org/matthew/

From rcritten at redhat.com Thu Sep 15 21:10:55 2011
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 15 Sep 2011 17:10:55 -0400 Subject: [Freeipa-users] Installation failed at configuring CA In-Reply-To: References: <4E725BCF.4040605@redhat.com> Message-ID: <4E7269DF.6060405@redhat.com> Matthew Davis wrote: > On Thu, Sep 15, 2011 at 4:47 PM, Matthew Davis > wrote: >> On Thu, Sep 15, 2011 at 4:10 PM, Rob Crittenden wrote: >>> Are you using a Directory Manager password with special characters in it? >>> The password ends up getting passed through the shell and some things that >>> require escaping aren't escaped by either us, dogtag or both. We're >>> investigating that now. >> >> Ah, yes, there is a & in there and a few other special chars. Thanks. >> I'll test again w/o them. > > Thanks Rob, that did it. > > Need me to file a bug so this doesn't get lost? > We have an upstream ticket opened on it if you want to add any details (like what characters were blowing up), https://fedorahosted.org/freeipa/ticket/1636 rob From g17jimmy at gmail.com Thu Sep 15 21:51:23 2011
From: g17jimmy at gmail.com (Jimmy) Date: Thu, 15 Sep 2011 17:51:23 -0400 Subject: [Freeipa-users] Windows client logon In-Reply-To: References: <4E6FB850.1080704@redhat.com> <4E70B53C.8020002@redhat.com> Message-ID: I'm still working on this... I was reading this post in the archives: http://www.mail-archive.com/freeipa-users at redhat.com/msg02049.html Dmitri's statement "There might be some MIT documentation about how to join a Windows machine to MIT KDC. If this can be done I am sure the same can be done with IPA." should be true, but for the windows system to use authentication I have to be able to set the host password in Kerberos. There doesn't seem to be a way to do that in the FreeIPA interface. I would normally do that in kadmin if working directly in kerberos, but that's not possible either. *IS* there a way to set the host password so that machines can provide user authentication for a windows client? From simo at redhat.com Fri Sep 16 03:49:40 2011
From: simo at redhat.com (Simo Sorce) Date: Thu, 15 Sep 2011 23:49:40 -0400 Subject: [Freeipa-users] Windows client logon In-Reply-To: References: <4E6FB850.1080704@redhat.com> <4E70B53C.8020002@redhat.com> Message-ID: <1316144980.2684.421.camel@willson.li.ssimo.org> On Thu, 2011-09-15 at 17:51 -0400, Jimmy wrote: > I'm still working on this... I was reading this post in the archives: > http://www.mail-archive.com/freeipa-users at redhat.com/msg02049.html > Dmitri's statement "There might be some MIT documentation about how to > join a Windows machine to MIT KDC. If this can be done I am sure the > same can be done with IPA." should be true, but for the windows system > to use authentication I have to be able to set the host password in > Kerberos. There doesn't seem to be a way to do that in the FreeIPA > interface. I would normally do that in kadmin if working directly in > kerberos, but that's not possible either. > > > *IS* there a way to set the host password so that machines can provide > user authentication for a windows client? > Use ipa-getkeytab with the -P option to specify a 'password' to use to generate the keys instead of letting it generate a random password. Simo. -- Simo Sorce * Red Hat, Inc * New York From dpal at redhat.com Fri Sep 16 05:35:06 2011 
From: dpal at redhat.com (Dmitri Pal) Date: Fri, 16 Sep 2011 01:35:06 -0400 Subject: [Freeipa-users] Add user -> custom script In-Reply-To: <4E725CB0.7080807@nixtra.com> References: <4E7255C4.2030406@nixtra.com> <4E72593C.4030600@redhat.com> <4E725CB0.7080807@nixtra.com> Message-ID: <4E72E00A.4060007@redhat.com> On 09/15/2011 04:14 PM, Sigbjorn Lie wrote: > On 09/15/2011 09:59 PM, Dmitri Pal wrote: >> On 09/15/2011 03:45 PM, Sigbjorn Lie wrote: >>> Hi, >>> >>> Is there a custom script hook for when a user account is added using >>> either the cli, webui, or the winsync module? >>> >>> I have a custom script I run when creating a user account, and having >>> this run automatically by IPA would make my life a lot easier. >>> >>> >> Can you describe what kind of operations you need to do? >> Have you looked at the automembership plugin? >> > > I'm doing a SSH login on to a filer, creating a home folder ZFS > dataset for the new user, setting quota and ACL on the newly created > dataset, and adding files from a skeleton folder into the home folder. > It might be a stupid question but... you seem to do all the operation described above on the filer. I am not quite clear what part of it, if any, needs to be run on the server side, I mean on the IPA. Or you actually want to be able to create an account on the server side and make it trapped and send the event to the filer and run a script there? We can't do it now. AFAIR there was a ticket about something like this in the deferred bucket... Could not find it... But I remember a discussion. We might need to file a ticket to track this but sound like something that will take a lot of time to accomplish. -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. From abokovoy at redhat.com Fri Sep 16 08:29:05 2011
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Fri, 16 Sep 2011 11:29:05 +0300 Subject: [Freeipa-users] Add user -> custom script In-Reply-To: <4E72E00A.4060007@redhat.com> References: <4E7255C4.2030406@nixtra.com> <4E72593C.4030600@redhat.com> <4E725CB0.7080807@nixtra.com> <4E72E00A.4060007@redhat.com> Message-ID: <20110916082905.GB31677@redhat.com> On Fri, 16 Sep 2011, Dmitri Pal wrote: > On 09/15/2011 04:14 PM, Sigbjorn Lie wrote: > > On 09/15/2011 09:59 PM, Dmitri Pal wrote: > >> On 09/15/2011 03:45 PM, Sigbjorn Lie wrote: > >>> Hi, > >>> > >>> Is there a custom script hook for when a user account is added using > >>> either the cli, webui, or the winsync module? > >>> > >>> I have a custom script I run when creating a user account, and having > >>> this run automatically by IPA would make my life a lot easier. > >>> > >>> > >> Can you describe what kind of operations you need to do? > >> Have you looked at the automembership plugin? > >> > > > > I'm doing a SSH login on to a filer, creating a home folder ZFS > > dataset for the new user, setting quota and ACL on the newly created > > dataset, and adding files from a skeleton folder into the home folder. > > > > It might be a stupid question but... you seem to do all the operation > described above on the filer. I am not quite clear what part of it, if > any, needs to be run on the server side, I mean on the IPA. Or you > actually want to be able to create an account on the server side and > make it trapped and send the event to the filer and run a script there? > > We can't do it now. AFAIR there was a ticket about something like this > in the deferred bucket... Could not find it... But I remember a discussion. > We might need to file a ticket to track this but sound like something > that will take a lot of time to accomplish. Attached untested patch is a proof of concept. 
If /etc/ipa/server.conf has following setting: ipa_user_script=/path/to/script then during add/delete/modify of an user, it will be called with add/del/mod as first parameter and user's dn as second. Result of the call is ignored but return from IPA server is blocked by the execution so be quick in ipa_user_script! -- / Alexander Bokovoy -------------- next part -------------- diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py index 92a026d..b8631e3 100644 --- a/ipalib/plugins/user.py +++ b/ipalib/plugins/user.py @@ -25,6 +25,7 @@ from ipalib.request import context from time import gmtime, strftime import copy from ipalib import _, ngettext +from ipapython import ipautil __doc__ = _(""" Users @@ -413,6 +414,12 @@ class user_add(LDAPCreate): entry_from_entry(entry_attrs, newentry) self.obj.get_password_attributes(ldap, dn, entry_attrs) + # If there is a ipa_user_script set in configuration, call it out + if 'ipa_user_script' in self.api.env: + try: + ipautil.run(self.api.env.ipa_user_script,["add", dn]) + except: + pass return dn api.register(user_add) @@ -424,6 +431,12 @@ class user_del(LDAPDelete): msg_summary = _('Deleted user "%(value)s"') def post_callback(self, ldap, dn, *keys, **options): + # If there is a ipa_user_script set in configuration, call it out + if 'ipa_user_script' in self.api.env: + try: + ipautil.run(self.api.env.ipa_user_script,["del", dn]) + except: + pass return True api.register(user_del) @@ -446,6 +459,12 @@ class user_mod(LDAPUpdate): convert_nsaccountlock(entry_attrs) self.obj._convert_manager(entry_attrs, **options) self.obj.get_password_attributes(ldap, dn, entry_attrs) + # If there is a ipa_user_script set in configuration, call it out + if 'ipa_user_script' in self.api.env: + try: + ipautil.run(self.api.env.ipa_user_script,["mod", dn]) + except: + pass return dn api.register(user_mod) From simo at redhat.com Fri Sep 16 11:53:56 2011 
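Review bot: in the user_add hunk the bare `except: pass` around `ipautil.run(self.api.env.ipa_user_script,["add", dn])` swallows every failure of the hook, including a missing or non-executable script, so an administrator who relies on the script to provision the account elsewhere gets no signal that it never ran; catch `Exception` only and log it through the plugin's logger instead of discarding it. Because `ipautil.run` is synchronous, the user-add API call is also blocked for as long as the script runs, so a timeout (or handing the work to a queue) is worth considering before this goes beyond a proof of concept.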
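Review bot: the user_del hunk calls the script from `post_callback`, i.e. after the entry has already been removed from LDAP, so the script receives a `dn` it can no longer resolve and any attributes it needs (uid, home directory) must be captured in `pre_callback` and passed explicitly; combined with the same silent `except: pass`, a failed "del" run leaves whatever the script manages on the remote side orphaned, with nothing logged on the IPA side.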
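Review bot: the user_mod hunk is the third verbatim copy of the same six-line block; factor the `'ipa_user_script' in self.api.env` check and the `ipautil.run` call into one helper so the three commands cannot drift apart. Note also that "mod" fires on every modification with no indication of which attributes changed, so the script will be invoked for each password or description update; passing the changed attribute names, or only calling out when the attributes the script cares about appear in `entry_attrs`, would avoid that. Reading the script path from the per-server /etc/ipa/server.conf also means every master must carry the same setting, which nothing in this patch enforces.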
From: simo at redhat.com (Simo Sorce) Date: Fri, 16 Sep 2011 07:53:56 -0400 Subject: [Freeipa-users] Add user -> custom script In-Reply-To: <20110916082905.GB31677@redhat.com> References: <4E7255C4.2030406@nixtra.com> <4E72593C.4030600@redhat.com> <4E725CB0.7080807@nixtra.com> <4E72E00A.4060007@redhat.com> <20110916082905.GB31677@redhat.com> Message-ID: <1316174036.2684.427.camel@willson.li.ssimo.org> On Fri, 2011-09-16 at 11:29 +0300, Alexander Bokovoy wrote: > On Fri, 16 Sep 2011, Dmitri Pal wrote: > > On 09/15/2011 04:14 PM, Sigbjorn Lie wrote: > > > On 09/15/2011 09:59 PM, Dmitri Pal wrote: > > >> On 09/15/2011 03:45 PM, Sigbjorn Lie wrote: > > >>> Hi, > > >>> > > >>> Is there a custom script hook for when a user account is added using > > >>> either the cli, webui, or the winsync module? > > >>> > > >>> I have a custom script I run when creating a user account, and having > > >>> this run automatically by IPA would make my life a lot easier. > > >>> > > >>> > > >> Can you describe what kind of operations you need to do? > > >> Have you looked at the automembership plugin? > > >> > > > > > > I'm doing a SSH login on to a filer, creating a home folder ZFS > > > dataset for the new user, setting quota and ACL on the newly created > > > dataset, and adding files from a skeleton folder into the home folder. > > > > > > > It might be a stupid question but... you seem to do all the operation > > described above on the filer. I am not quite clear what part of it, if > > any, needs to be run on the server side, I mean on the IPA. Or you > > actually want to be able to create an account on the server side and > > make it trapped and send the event to the filer and run a script there? > > > > We can't do it now. AFAIR there was a ticket about something like this > > in the deferred bucket... Could not find it... But I remember a discussion. > > We might need to file a ticket to track this but sound like something > > that will take a lot of time to accomplish. 
> Attached untested patch is a proof of concept. If /etc/ipa/server.conf > has following setting: > > ipa_user_script=/path/to/script > > then during add/delete/modify of an user, it will be called with > add/del/mod as first parameter and user's dn as second. Result of > the call is ignored but return from IPA server is blocked by the > execution so be quick in ipa_user_script! As a proof of concept sounds nice, but as is this would be bad, as changes to /etc/ipa/server.conf are not replicated through all masters. So a change on one server would require manual synchronization to all others or users create from one server will trigger something while users create through another will trigger something else. Also the issue is that this script is run as the apache user so you'd have to give that user access as root (passwordless private ssh key ? brrr). For things like this I think we should provide a more sophisticated mechanism in many ways, maybe we should discuss on freeipa-devel Simo. -- Simo Sorce * Red Hat, Inc * New York From abokovoy at redhat.com Fri Sep 16 12:17:45 2011 
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Fri, 16 Sep 2011 15:17:45 +0300 Subject: [Freeipa-users] Add user -> custom script In-Reply-To: <1316174036.2684.427.camel@willson.li.ssimo.org> References: <4E7255C4.2030406@nixtra.com> <4E72593C.4030600@redhat.com> <4E725CB0.7080807@nixtra.com> <4E72E00A.4060007@redhat.com> <20110916082905.GB31677@redhat.com> <1316174036.2684.427.camel@willson.li.ssimo.org> Message-ID: <20110916121744.GE31677@redhat.com> On Fri, 16 Sep 2011, Simo Sorce wrote: > As a proof of concept sounds nice, but as is this would be bad, as > changes to /etc/ipa/server.conf are not replicated through all masters. > So a change on one server would require manual synchronization to all > others or users create from one server will trigger something while > users create through another will trigger something else. > > Also the issue is that this script is run as the apache user so you'd > have to give that user access as root (passwordless private ssh key ? > brrr). > For things like this I think we should provide a more sophisticated > mechanism in many ways, maybe we should discuss on freeipa-devel Sure. I only wanted to show how large is amount of work to hook something in. You can treat my POC as means to provoke discussion. :) -- / Alexander Bokovoy From rcritten at redhat.com Fri Sep 16 12:45:11 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 16 Sep 2011 08:45:11 -0400 Subject: [Freeipa-users] Add user -> custom script In-Reply-To: <20110916121744.GE31677@redhat.com> References: <4E7255C4.2030406@nixtra.com> <4E72593C.4030600@redhat.com> <4E725CB0.7080807@nixtra.com> <4E72E00A.4060007@redhat.com> <20110916082905.GB31677@redhat.com> <1316174036.2684.427.camel@willson.li.ssimo.org> <20110916121744.GE31677@redhat.com> Message-ID: <4E7344D7.9060008@redhat.com> Alexander Bokovoy wrote: > On Fri, 16 Sep 2011, Simo Sorce wrote: >> As a proof of concept sounds nice, but as is this would be bad, as >> changes to /etc/ipa/server.conf are not replicated through all masters. >> So a change on one server would require manual synchronization to all >> others or users create from one server will trigger something while >> users create through another will trigger something else. >> >> Also the issue is that this script is run as the apache user so you'd >> have to give that user access as root (passwordless private ssh key ? >> brrr). >> For things like this I think we should provide a more sophisticated >> mechanism in many ways, maybe we should discuss on freeipa-devel > Sure. I only wanted to show how large is amount of work to hook > something in. You can treat my POC as means to provoke discussion. :) Well, ideally we'd integrate this into the baseclasses so any plugin could use it. I'd probably either read the script name out of LDAP or we would require a plugin extension to do it. LDAP is probably lower-hanging fruit. At one point Nalin suggested using oddjob to do the privilege escalation but I never really followed up. rob From g17jimmy at gmail.com Fri Sep 16 13:31:30 2011 
From: g17jimmy at gmail.com (Jimmy) Date: Fri, 16 Sep 2011 09:31:30 -0400 Subject: [Freeipa-users] Windows client logon In-Reply-To: <1316144980.2684.421.camel@willson.li.ssimo.org> References: <4E6FB850.1080704@redhat.com> <4E70B53C.8020002@redhat.com> <1316144980.2684.421.camel@willson.li.ssimo.org> Message-ID: I tried that but still cannot successfully log in as a IPA user. The same system can be configured as a Kerberos client(non-IPA) defined in MIT Kerberos, and authenticate against MIT Kerberos. The system uses AES when authenticating to MIT Kerberos so those are the only encryption types I defined manually. In the network trace for this transaction I see the error KRB_AP_ERR_BAD_INTEGRITY (31) Commands used(different iterations): ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -k krb5.keytab -P [entering into the main keytab /etc/krb5.keytab] ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -k krb5.keytab.sys1 -P [entering into a new keytab krb5.keytab.sys1] ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e aes256-cts-hmac-sha1-96 -k krb5.keytab -P ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e aes128-cts-hmac-sha1-96 -k krb5.keytab -P ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e aes256-cts-hmac-sha1-96 -k krb5.keytab.sys1 -P ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e aes128-cts-hmac-sha1-96 -k krb5.keytab.sys1 -P Log entries: Sep 15 21:21:04 csp-idm.pdh.csp krb5kdc[1227](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.201.9: NEEDED_PREAUTH: oper at PDH.CSP for krbtgt/PDH.CSP at PDH.CSP, Additional pre-authentication required Sep 15 21:21:04 csp-idm.pdh.csp krb5kdc[1227](info): preauth (timestamp) verify failure: Decrypt integrity check failed Sep 15 21:21:04 csp-idm.pdh.csp krb5kdc[1227](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.201.9: PREAUTH_FAILED: oper at PDH.CSP for krbtgt/PDH.CSP at PDH.CSP, Decrypt integrity check failed Sep 15 
21:21:04 csp-idm.pdh.csp krb5kdc[1227](info): preauth (timestamp) verify failure: Decrypt integrity check failed Sep 15 21:21:04 csp-idm.pdh.csp krb5kdc[1227](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.201.9: PREAUTH_FAILED: oper at PDH.CSP for krbtgt/PDH.CSP at PDH.CSP, Decrypt integrity check failed From simo at redhat.com Fri Sep 16 13:35:37 2011 From: simo at redhat.com (Simo Sorce) Date: Fri, 16 Sep 2011 09:35:37 -0400 Subject: [Freeipa-users] Windows client logon In-Reply-To: References: <4E6FB850.1080704@redhat.com> <4E70B53C.8020002@redhat.com> <1316144980.2684.421.camel@willson.li.ssimo.org> Message-ID: <1316180137.2684.443.camel@willson.li.ssimo.org> On Fri, 2011-09-16 at 09:31 -0400, Jimmy wrote: > ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -k > krb5.keytab > -P [entering into the main keytab /etc/krb5.keytab] > ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -k > krb5.keytab.sys1 -P [entering into a new keytab krb5.keytab.sys1] > ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e > aes256-cts-hmac-sha1-96 -k krb5.keytab -P > ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e > aes128-cts-hmac-sha1-96 -k krb5.keytab -P > ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e > aes256-cts-hmac-sha1-96 -k krb5.keytab.sys1 -P > ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e > aes128-cts-hmac-sha1-96 -k krb5.keytab.sys1 -P > This is not how it works. You must define all types in one single go. Every time you invoke ipa-getkeytab for a principal you are discarding any previous key in the KDC, and only the last one is available. Simo. -- Simo Sorce * Red Hat, Inc * New York From g17jimmy at gmail.com Fri Sep 16 13:44:38 2011
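A defender-side check for the failure mode Simo describes, added here as an example that is not part of the thread or of FreeIPA: each ipa-getkeytab run replaces the principal's keys in the KDC and bumps the KVNO, so entries from earlier runs are dead and a keytab fetched with a single -e type leaves other enctypes missing. The script parses `klist -kte` output (a constructed listing modelled on Jimmy's, with the archive's " at " restored to "@"; the nfs principal and its hostname are placeholders) and reports stale KVNOs and missing required enctypes per principal.

```python
"""Audit a `klist -kte` listing for (a) entries whose KVNO is older than the
principal's newest KVNO, which the KDC no longer honours after a later
ipa-getkeytab run, and (b) required encryption types missing from the
newest key set, which makes clients negotiating that type fail with
"Decrypt integrity check failed".  Added example, not FreeIPA code."""
import re
from collections import defaultdict

# One entry line of `klist -kte`:  KVNO  date time  principal (enctype)
# klist prints the enctype with or without a space before the paren.
_ENTRY = re.compile(
    r"^\s*(?P<kvno>\d+)\s+(?P<ts>\S+\s+\S+)\s+(?P<princ>\S+?)\s*\((?P<etype>[^)]+)\)\s*$"
)

# Constructed sample: kvno 4 and 5 are leftovers from single -e runs, kvno 6
# is the final run without -e (all four types); the nfs principal was only
# ever fetched with -e aes256 and is missing aes128.
SAMPLE_KLIST = """\
Keytab name: WRFILE:krb5.keytab.sys1
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   4 09/16/11 13:21:10 host/ews1-cybsec.pdh.csp@PDH.CSP (aes256-cts-hmac-sha1-96)
   5 09/16/11 13:25:44 host/ews1-cybsec.pdh.csp@PDH.CSP (aes128-cts-hmac-sha1-96)
   6 09/16/11 13:40:03 host/ews1-cybsec.pdh.csp@PDH.CSP(aes256-cts-hmac-sha1-96)
   6 09/16/11 13:40:03 host/ews1-cybsec.pdh.csp@PDH.CSP(aes128-cts-hmac-sha1-96)
   6 09/16/11 13:40:04 host/ews1-cybsec.pdh.csp@PDH.CSP (des3-cbc-sha1)
   6 09/16/11 13:40:04 host/ews1-cybsec.pdh.csp@PDH.CSP (arcfour-hmac)
   2 09/16/11 13:41:00 nfs/filer.example.test@PDH.CSP (aes256-cts-hmac-sha1-96)
"""

# The AES types Jimmy's Windows client actually negotiates.
REQUIRED_ETYPES = ["aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96"]


def parse_klist(text):
    """Return a list of (kvno, principal, enctype) tuples from klist -kte output;
    header and separator lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = _ENTRY.match(line)
        if m:
            entries.append((int(m.group("kvno")), m.group("princ"), m.group("etype")))
    return entries


def audit_keytab(text, required_etypes):
    """Group keytab entries per principal and return, for each principal:
    the newest kvno, the enctypes present at that kvno ("live"), the
    (kvno, enctype) pairs left over from earlier runs ("stale") and the
    required enctypes absent from the live set ("missing")."""
    by_princ = defaultdict(list)
    for kvno, princ, etype in parse_klist(text):
        by_princ[princ].append((kvno, etype))
    report = {}
    for princ, keys in by_princ.items():
        newest = max(k for k, _ in keys)
        live = {e for k, e in keys if k == newest}
        stale = sorted((k, e) for k, e in keys if k != newest)
        missing = [e for e in required_etypes if e not in live]
        report[princ] = {"kvno": newest, "live": sorted(live),
                         "stale": stale, "missing": missing}
    return report


def findings(report):
    """Flatten the report into human-readable warning lines (empty if clean)."""
    lines = []
    for princ, r in sorted(report.items()):
        for kvno, etype in r["stale"]:
            lines.append("%s: stale kvno %d entry (%s), current kvno is %d"
                         % (princ, kvno, etype, r["kvno"]))
        for etype in r["missing"]:
            lines.append("%s: required enctype %s missing at kvno %d"
                         % (princ, etype, r["kvno"]))
    return lines


if __name__ == "__main__":
    for line in findings(audit_keytab(SAMPLE_KLIST, REQUIRED_ETYPES)):
        print(line)
```

Run it against `klist -kte /etc/krb5.keytab` output on a real client; stale entries can be purged with `ktutil` or by regenerating the keytab once with every needed -e type in the same ipa-getkeytab call.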
From: g17jimmy at gmail.com (Jimmy) Date: Fri, 16 Sep 2011 09:44:38 -0400 Subject: [Freeipa-users] Windows client logon In-Reply-To: <1316180137.2684.443.camel@willson.li.ssimo.org> References: <4E6FB850.1080704@redhat.com> <4E70B53C.8020002@redhat.com> <1316144980.2684.421.camel@willson.li.ssimo.org> <1316180137.2684.443.camel@willson.li.ssimo.org> Message-ID: When I do not specify the encryption type it does put them all in in a single go. I just was attempting to eliminate the other types in case that was creating a problem. The system defaults to type x18 (aes256-cts-hmac-sha1-96). Thanks for your help on this. [root at csp-idm etc]# klist -kte krb5.keytab.sys1 Keytab name: WRFILE:krb5.keytab.sys1 KVNO Timestamp Principal ---- ----------------- -------------------------------------------------------- 6 09/16/11 13:40:03 host/ews1-cybsec.pdh.csp at PDH.CSP(aes256-cts-hmac-sha1-96) 6 09/16/11 13:40:03 host/ews1-cybsec.pdh.csp at PDH.CSP(aes128-cts-hmac-sha1-96) 6 09/16/11 13:40:04 host/ews1-cybsec.pdh.csp at PDH.CSP (des3-cbc-sha1) 6 09/16/11 13:40:04 host/ews1-cybsec.pdh.csp at PDH.CSP (arcfour-hmac) On Fri, Sep 16, 2011 at 9:35 AM, Simo Sorce wrote: > On Fri, 2011-09-16 at 09:31 -0400, Jimmy wrote: > > ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -k > > krb5.keytab > > -P [entering into the main keytab /etc/krb5.keytab] > > ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -k > > krb5.keytab.sys1 -P [entering into a new keytab krb5.keytab.sys1] > > ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e > > aes256-cts-hmac-sha1-96 -k krb5.keytab -P > > ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e > > aes128-cts-hmac-sha1-96 -k krb5.keytab -P > > ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e > > aes256-cts-hmac-sha1-96 -k krb5.keytab.sys1 -P > > ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e > > aes128-cts-hmac-sha1-96 -k krb5.keytab.sys1 -P > > > > This is not how it works. 
> You must define all types in one single go. > Every time you invoke ipa-getkeytab for a principal you are discarding > any previous key in the KDC, and only the last one is available. > > Simo. > > -- > Simo Sorce * Red Hat, Inc * New York > > From Johan.Sunnerstig at auriga.se Fri Sep 16 15:19:43 2011 From: Johan.Sunnerstig at auriga.se (Johan Sunnerstig) Date: Fri, 16 Sep 2011 15:19:43 +0000 Subject: [Freeipa-users] Debian clients? Message-ID: <47CE7527FAFAD348AEA328EB66E545A114E8EDEF@exchappvp1.adauriga.auriganet.net> Hello. I'm wondering if anyone has used FreeIPA with Debian clients, and if so, what client software you opted to use? Right now I have nss-pam-ldapd (http://arthurdejong.org/nss-pam-ldapd/) and the MIT-based krb software that's included in Debian 6 working decently. By that I mean I can use it to allow logins as expected, but so far I haven't worked out allowing or disallowing login based on group membership. Obviously the best solution would be a "real" IPA client, but has anyone attempted this? I mucked around a bit with the SSSD included in the Debian repos (1.2.1) but didn't get it to work. Though in all fairness I didn't try THAT hard since it seems like SSSD has evolved quite a bit since 1.2.1. Is the SSSD route worthwhile? I really just need group based logins, sudo controls I can handle based on groups with Puppet, but again, if the real client route isn't too much work that's of course preferable. I hope this makes sense, late Friday and I have a horrible headache, so if it doesn't I apologize in advance. :) Regards Johan From sigbjorn at nixtra.com Fri Sep 16 15:34:55 2011
From: sigbjorn at nixtra.com (Sigbjorn Lie) Date: Fri, 16 Sep 2011 17:34:55 +0200 Subject: [Freeipa-users] Add user -> custom script In-Reply-To: <4E72E00A.4060007@redhat.com> References: <4E7255C4.2030406@nixtra.com> <4E72593C.4030600@redhat.com> <4E725CB0.7080807@nixtra.com> <4E72E00A.4060007@redhat.com> Message-ID: <4E736C9F.1080609@nixtra.com> On 09/16/2011 07:35 AM, Dmitri Pal wrote: > On 09/15/2011 04:14 PM, Sigbjorn Lie wrote: >> On 09/15/2011 09:59 PM, Dmitri Pal wrote: >>> On 09/15/2011 03:45 PM, Sigbjorn Lie wrote: >>>> Hi, >>>> >>>> Is there a custom script hook for when a user account is added using >>>> either the cli, webui, or the winsync module? >>>> >>>> I have a custom script I run when creating a user account, and having >>>> this run automatically by IPA would make my life a lot easier. >>>> >>>> >>> Can you describe what kind of operations you need to do? >>> Have you looked at the automembership plugin? >>> >> I'm doing a SSH login on to a filer, creating a home folder ZFS >> dataset for the new user, setting quota and ACL on the newly created >> dataset, and adding files from a skeleton folder into the home folder. >> > It might be a stupid question but... you seem to do all the operation > described above on the filer. I am not quite clear what part of it, if > any, needs to be run on the server side, I mean on the IPA. Or you > actually want to be able to create an account on the server side and > make it trapped and send the event to the filer and run a script there? > > We can't do it now. AFAIR there was a ticket about something like this > in the deferred bucket... Could not find it... But I remember a discussion. > We might need to file a ticket to track this but sound like something > that will take a lot of time to accomplish. > The filer get it's user account data from the IPA server. 
The commands I'm running on the filer is to create a personal dataset (filesystem) for the newly created user account, as well as setting the correct ACL for the filesystem. The filer is a ZFS based filer, and the command being used is "zfs create ...". There is no remote API for this command. However I feel like you have misinterpreted the request. It does not matter to IPA what I'm trying to accomplish with my script. I require a script to be run after a user account has been created (or deleted, or perhaps deleted). There are plenty of environments where custom scripts is required to run after a new user account is created. In a typical Microsoft AD environments this is often accomplished with additional expensive-to-buy-and-complicated-to-set-up Identify Management suites, so after a user account is created, additional accounts is created in systems such as SAP, Incident Management tool, or any other company specific databases or applications. In the UNIX/Linux environments I've seen, any post-user-creation tasks is accomplished with a script, run by the user management tool after the account has been created. Hence my request for the option to run a post-user-creation script. :) Regards, Siggi From sigbjorn at nixtra.com Fri Sep 16 15:35:28 2011 
From: sigbjorn at nixtra.com (Sigbjorn Lie) Date: Fri, 16 Sep 2011 17:35:28 +0200 Subject: [Freeipa-users] Add user -> custom script In-Reply-To: <20110916082905.GB31677@redhat.com> References: <4E7255C4.2030406@nixtra.com> <4E72593C.4030600@redhat.com> <4E725CB0.7080807@nixtra.com> <4E72E00A.4060007@redhat.com> <20110916082905.GB31677@redhat.com> Message-ID: <4E736CC0.2070100@nixtra.com> On 09/16/2011 10:29 AM, Alexander Bokovoy wrote: > On Fri, 16 Sep 2011, Dmitri Pal wrote: >> On 09/15/2011 04:14 PM, Sigbjorn Lie wrote: >>> On 09/15/2011 09:59 PM, Dmitri Pal wrote: >>>> On 09/15/2011 03:45 PM, Sigbjorn Lie wrote: >>>>> Hi, >>>>> >>>>> Is there a custom script hook for when a user account is added using >>>>> either the cli, webui, or the winsync module? >>>>> >>>>> I have a custom script I run when creating a user account, and having >>>>> this run automatically by IPA would make my life a lot easier. >>>>> >>>>> >>>> Can you describe what kind of operations you need to do? >>>> Have you looked at the automembership plugin? >>>> >>> I'm doing a SSH login on to a filer, creating a home folder ZFS >>> dataset for the new user, setting quota and ACL on the newly created >>> dataset, and adding files from a skeleton folder into the home folder. >>> >> It might be a stupid question but... you seem to do all the operation >> described above on the filer. I am not quite clear what part of it, if >> any, needs to be run on the server side, I mean on the IPA. Or you >> actually want to be able to create an account on the server side and >> make it trapped and send the event to the filer and run a script there? >> >> We can't do it now. AFAIR there was a ticket about something like this >> in the deferred bucket... Could not find it... But I remember a discussion. >> We might need to file a ticket to track this but sound like something >> that will take a lot of time to accomplish. > Attached untested patch is a proof of concept. 
If /etc/ipa/server.conf > has following setting: > > ipa_user_script=/path/to/script > > then during add/delete/modify of an user, it will be called with > add/del/mod as first parameter and user's dn as second. Result of > the call is ignored but return from IPA server is blocked by the > execution so be quick in ipa_user_script! Excellent, thank you! I will try this!! From abokovoy at redhat.com Fri Sep 16 15:43:25 2011 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Fri, 16 Sep 2011 18:43:25 +0300 Subject: [Freeipa-users] Add user -> custom script In-Reply-To: <4E736CC0.2070100@nixtra.com> References: <4E7255C4.2030406@nixtra.com> <4E72593C.4030600@redhat.com> <4E725CB0.7080807@nixtra.com> <4E72E00A.4060007@redhat.com> <20110916082905.GB31677@redhat.com> <4E736CC0.2070100@nixtra.com> Message-ID: <20110916154324.GA14233@redhat.com> On Fri, 16 Sep 2011, Sigbjorn Lie wrote: > >>We can't do it now. AFAIR there was a ticket about something like this > >>in the deferred bucket... Could not find it... But I remember a discussion. > >>We might need to file a ticket to track this but sound like something > >>that will take a lot of time to accomplish. > >Attached untested patch is a proof of concept. If /etc/ipa/server.conf > >has following setting: > > > >ipa_user_script=/path/to/script > > > >then during add/delete/modify of an user, it will be called with > >add/del/mod as first parameter and user's dn as second. Result of > >the call is ignored but return from IPA server is blocked by the > >execution so be quick in ipa_user_script! > > Excellent, thank you! I will try this!! Make sure you read what Simo wrote about deficiencies of this solution and in part that it runs under apache privileges. As you need to trigger action on a different host, it might be enough but still poses possible privilege escalation in your environment. -- / Alexander Bokovoy From sigbjorn at nixtra.com Fri Sep 16 15:43:21 2011 
From: sigbjorn at nixtra.com (Sigbjorn Lie) Date: Fri, 16 Sep 2011 17:43:21 +0200 Subject: [Freeipa-users] Add user -> custom script In-Reply-To: <1316174036.2684.427.camel@willson.li.ssimo.org> References: <4E7255C4.2030406@nixtra.com> <4E72593C.4030600@redhat.com> <4E725CB0.7080807@nixtra.com> <4E72E00A.4060007@redhat.com> <20110916082905.GB31677@redhat.com> <1316174036.2684.427.camel@willson.li.ssimo.org> Message-ID: <4E736E99.9000909@nixtra.com> On 09/16/2011 01:53 PM, Simo Sorce wrote: > On Fri, 2011-09-16 at 11:29 +0300, Alexander Bokovoy wrote: >> On Fri, 16 Sep 2011, Dmitri Pal wrote: >>> On 09/15/2011 04:14 PM, Sigbjorn Lie wrote: >>>> On 09/15/2011 09:59 PM, Dmitri Pal wrote: >>>>> On 09/15/2011 03:45 PM, Sigbjorn Lie wrote: >>>>>> Hi, >>>>>> >>>>>> Is there a custom script hook for when a user account is added using >>>>>> either the cli, webui, or the winsync module? >>>>>> >>>>>> I have a custom script I run when creating a user account, and having >>>>>> this run automatically by IPA would make my life a lot easier. >>>>>> >>>>>> >>>>> Can you describe what kind of operations you need to do? >>>>> Have you looked at the automembership plugin? >>>>> >>>> I'm doing a SSH login on to a filer, creating a home folder ZFS >>>> dataset for the new user, setting quota and ACL on the newly created >>>> dataset, and adding files from a skeleton folder into the home folder. >>>> >>> It might be a stupid question but... you seem to do all the operation >>> described above on the filer. I am not quite clear what part of it, if >>> any, needs to be run on the server side, I mean on the IPA. Or you >>> actually want to be able to create an account on the server side and >>> make it trapped and send the event to the filer and run a script there? >>> >>> We can't do it now. AFAIR there was a ticket about something like this >>> in the deferred bucket... Could not find it... But I remember a discussion. 
>>> We might need to file a ticket to track this but sound like something >>> that will take a lot of time to accomplish. >> Attached untested patch is a proof of concept. If /etc/ipa/server.conf >> has following setting: >> >> ipa_user_script=/path/to/script >> >> then during add/delete/modify of an user, it will be called with >> add/del/mod as first parameter and user's dn as second. Result of >> the call is ignored but return from IPA server is blocked by the >> execution so be quick in ipa_user_script! > As a proof of concept sounds nice, but as is this would be bad, as > changes to /etc/ipa/server.conf are not replicated through all masters. > So a change on one server would require manual synchronization to all > others or users create from one server will trigger something while > users create through another will trigger something else. > > Also the issue is that this script is run as the apache user so you'd > have to give that user access as root (passwordless private ssh key ? > brrr). > > For things like this I think we should provide a more sophisticated > mechanism in many ways, maybe we should discuss on freeipa-devel I manage my environment with CFengine, so distributing a few patches and files does not bother me. :) Actually, in my specific case the script does not have to do more than write the username(s) to a file, and CFengine can pick up the file and do the rest of the job for me. No root access required for the apache server. :) Rgds, Siggi From sigbjorn at nixtra.com Fri Sep 16 15:50:45 2011 
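A hook script in the spirit of Siggi's plan, added here as an example that is neither his script nor FreeIPA code: called with the arguments the proof-of-concept patch passes (add|del|mod and the user's dn), it only appends the event to a spool file for a separate, privileged agent (CFengine in his case) to act on, so the web server user needs write access to one spool file and no ssh key or root. The DN layout uid=<name>,cn=users,cn=accounts,<suffix> is IPA's; the spool path in main() is a constructed placeholder.

```python
"""Minimal ipa_user_script: validate the two arguments the patched user
plugin passes, then append one JSON line to a spool file under a lock.
Added example, not part of the thread or of FreeIPA."""
import fcntl
import json
import os
import re
import sys
import time

ACTIONS = ("add", "del", "mod")

# IPA user entries live under cn=users,cn=accounts,<suffix>.  The uid
# pattern approximates the characters IPA allows in user names, so a dn
# for a group, host or anything else is rejected before it reaches the
# spool and a downstream agent never acts on an unexpected name.
USER_DN = re.compile(
    r"^uid=([a-z0-9_.][a-z0-9_.-]*\$?),cn=users,cn=accounts,(.+)$", re.I)


def parse_user_dn(dn):
    """Return the uid from an IPA user dn, or None if dn is not a user entry."""
    m = USER_DN.match(dn.strip())
    return m.group(1) if m else None


def make_record(action, dn, now=None):
    """Validate the hook arguments and build the spool record.
    Raises ValueError on an unknown action or a non-user dn."""
    if action not in ACTIONS:
        raise ValueError("unknown action %r" % (action,))
    uid = parse_user_dn(dn)
    if uid is None:
        raise ValueError("not an IPA user dn: %r" % (dn,))
    ts = int(now if now is not None else time.time())
    return {"ts": ts, "action": action, "uid": uid, "dn": dn.strip()}


def spool_event(action, dn, spool_path):
    """Append the record for (action, dn) to spool_path and return it.
    O_APPEND plus an exclusive flock keeps concurrent hooks (parallel API
    calls on the same master) from interleaving partial lines."""
    rec = make_record(action, dn)
    line = json.dumps(rec, sort_keys=True) + "\n"
    fd = os.open(spool_path, os.O_WRONLY | os.O_APPEND | os.O_CREAT, 0o600)
    try:
        fcntl.flock(fd, fcntl.LOCK_EX)
        os.write(fd, line.encode("utf-8"))
    finally:
        os.close(fd)  # closing the descriptor releases the lock
    return rec


def read_spool(spool_path):
    """Return the records in spool_path as a list of dicts (what the
    privileged agent would consume)."""
    with open(spool_path, "r") as f:
        return [json.loads(l) for l in f if l.strip()]


def main(argv):
    # Exit status is ignored by the proof-of-concept patch, but stderr
    # still lands in the web server's error log, which is the only place
    # a bad invocation would otherwise be visible.
    if len(argv) != 3:
        sys.stderr.write("usage: ipa_user_script add|del|mod <user dn>\n")
        return 2
    try:
        spool_event(argv[1], argv[2], "/var/spool/ipa-user-events")  # placeholder
    except (ValueError, OSError) as e:
        sys.stderr.write("ipa_user_script: %s\n" % e)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The spool file should be owned by the web server user with mode 0600, and the consuming agent runs with its own credentials; nothing here grants the web server any privilege on the filer.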
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Fri, 16 Sep 2011 17:50:45 +0200
Subject: [Freeipa-users] Add user -> custom script
In-Reply-To: <4E7344D7.9060008@redhat.com>
References: <4E7255C4.2030406@nixtra.com> <4E72593C.4030600@redhat.com> <4E725CB0.7080807@nixtra.com> <4E72E00A.4060007@redhat.com> <20110916082905.GB31677@redhat.com> <1316174036.2684.427.camel@willson.li.ssimo.org> <20110916121744.GE31677@redhat.com> <4E7344D7.9060008@redhat.com>
Message-ID: <4E737055.80303@nixtra.com>

On 09/16/2011 02:45 PM, Rob Crittenden wrote:
> Alexander Bokovoy wrote:
>> On Fri, 16 Sep 2011, Simo Sorce wrote:
>>> As a proof of concept sounds nice, but as is this would be bad, as
>>> changes to /etc/ipa/server.conf are not replicated through all masters.
>>> So a change on one server would require manual synchronization to all
>>> others or users create from one server will trigger something while
>>> users create through another will trigger something else.
>>>
>>> Also the issue is that this script is run as the apache user so you'd
>>> have to give that user access as root (passwordless private ssh key ?
>>> brrr).
>>> For things like this I think we should provide a more sophisticated
>>> mechanism in many ways, maybe we should discuss on freeipa-devel
>> Sure. I only wanted to show how large is amount of work to hook
>> something in. You can treat my POC as means to provoke discussion. :)
>
> Well, ideally we'd integrate this into the baseclasses so any plugin
> could use it. I'd probably either read the script name out of LDAP or
> we would require a plugin extension to do it. LDAP is probably
> lower-hanging fruit.
>
> At one point Nalin suggested using oddjob to do the privilege
> escalation but I never really followed up.

Having the variable for what script to run in the LDAP would sure be
nice. Just modify Alex's script to read from LDAP instead. Job done. :)

Rgds,
Siggi

From dpal at redhat.com Fri Sep 16 15:59:15 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 16 Sep 2011 11:59:15 -0400
Subject: [Freeipa-users] Add user -> custom script
In-Reply-To: <4E736C9F.1080609@nixtra.com>
References: <4E7255C4.2030406@nixtra.com> <4E72593C.4030600@redhat.com> <4E725CB0.7080807@nixtra.com> <4E72E00A.4060007@redhat.com> <4E736C9F.1080609@nixtra.com>
Message-ID: <4E737253.2020807@redhat.com>

On 09/16/2011 11:34 AM, Sigbjorn Lie wrote:
> On 09/16/2011 07:35 AM, Dmitri Pal wrote:
>> On 09/15/2011 04:14 PM, Sigbjorn Lie wrote:
>>> On 09/15/2011 09:59 PM, Dmitri Pal wrote:
>>>> On 09/15/2011 03:45 PM, Sigbjorn Lie wrote:
>>>>> Hi,
>>>>>
>>>>> Is there a custom script hook for when a user account is added using
>>>>> either the cli, webui, or the winsync module?
>>>>>
>>>>> I have a custom script I run when creating a user account, and having
>>>>> this run automatically by IPA would make my life a lot easier.
>>>>>
>>>> Can you describe what kind of operations you need to do?
>>>> Have you looked at the automembership plugin?
>>>>
>>> I'm doing a SSH login on to a filer, creating a home folder ZFS
>>> dataset for the new user, setting quota and ACL on the newly created
>>> dataset, and adding files from a skeleton folder into the home folder.
>>>
>> It might be a stupid question but... you seem to do all the operation
>> described above on the filer. I am not quite clear what part of it, if
>> any, needs to be run on the server side, I mean on the IPA. Or you
>> actually want to be able to create an account on the server side and
>> make it trapped and send the event to the filer and run a script there?
>>
>> We can't do it now. AFAIR there was a ticket about something like this
>> in the deferred bucket... Could not find it... But I remember a
>> discussion.
>> We might need to file a ticket to track this but sound like something
>> that will take a lot of time to accomplish.
>>
>
> The filer gets its user account data from the IPA server. The commands
> I'm running on the filer is to create a personal dataset (filesystem)
> for the newly created user account, as well as setting the correct ACL
> for the filesystem. The filer is a ZFS based filer, and the command
> being used is "zfs create ...". There is no remote API for this command.
>
> However I feel like you have misinterpreted the request. It does not
> matter to IPA what I'm trying to accomplish with my script. I require
> a script to be run after a user account has been created (or deleted,
> or perhaps deleted).
>
> There are plenty of environments where custom scripts are required to
> run after a new user account is created. In a typical Microsoft AD
> environment this is often accomplished with additional
> expensive-to-buy-and-complicated-to-set-up Identity Management suites,
> so after a user account is created, additional accounts are created in
> systems such as SAP, Incident Management tool, or any other company
> specific databases or applications.
>
> In the UNIX/Linux environments I've seen, any post-user-creation tasks
> are accomplished with a script, run by the user management tool after
> the account has been created.
>
> Hence my request for the option to run a post-user-creation script. :)
>
> Regards,
> Siggi

What we need to do is to have a way from the DS plugin to send
notification messages about record operations and then let services
subscribe and consume notifications and do whatever they need in an
async way. It might make sense to have an optional QPID broker for that.
I will talk to qpid guys.

> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From sigbjorn at nixtra.com Fri Sep 16 16:12:08 2011
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Fri, 16 Sep 2011 18:12:08 +0200
Subject: [Freeipa-users] Add user -> custom script
In-Reply-To: <20110916154324.GA14233@redhat.com>
References: <4E7255C4.2030406@nixtra.com> <4E72593C.4030600@redhat.com> <4E725CB0.7080807@nixtra.com> <4E72E00A.4060007@redhat.com> <20110916082905.GB31677@redhat.com> <4E736CC0.2070100@nixtra.com> <20110916154324.GA14233@redhat.com>
Message-ID: <4E737558.6030105@nixtra.com>

On 09/16/2011 05:43 PM, Alexander Bokovoy wrote:
> On Fri, 16 Sep 2011, Sigbjorn Lie wrote:
>>>> We can't do it now. AFAIR there was a ticket about something like this
>>>> in the deferred bucket... Could not find it... But I remember a discussion.
>>>> We might need to file a ticket to track this but sound like something
>>>> that will take a lot of time to accomplish.
>>> Attached untested patch is a proof of concept. If /etc/ipa/server.conf
>>> has following setting:
>>>
>>> ipa_user_script=/path/to/script
>>>
>>> then during add/delete/modify of an user, it will be called with
>>> add/del/mod as first parameter and user's dn as second. Result of
>>> the call is ignored but return from IPA server is blocked by the
>>> execution so be quick in ipa_user_script!
>> Excellent, thank you! I will try this!!
> Make sure you read what Simo wrote about deficiencies of this solution
> and in part that it runs under apache privileges. As you need to
> trigger action on a different host, it might be enough but still poses
> possible privilege escalation in your environment.

I sure do agree to that. :)

From sigbjorn at nixtra.com Fri Sep 16 16:20:18 2011
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Fri, 16 Sep 2011 18:20:18 +0200
Subject: [Freeipa-users] Add user -> custom script
In-Reply-To: <4E737253.2020807@redhat.com>
References: <4E7255C4.2030406@nixtra.com> <4E72593C.4030600@redhat.com> <4E725CB0.7080807@nixtra.com> <4E72E00A.4060007@redhat.com> <4E736C9F.1080609@nixtra.com> <4E737253.2020807@redhat.com>
Message-ID: <4E737742.3000505@nixtra.com>

On 09/16/2011 05:59 PM, Dmitri Pal wrote:
> On 09/16/2011 11:34 AM, Sigbjorn Lie wrote:
>> On 09/16/2011 07:35 AM, Dmitri Pal wrote:
>>> On 09/15/2011 04:14 PM, Sigbjorn Lie wrote:
>>>> On 09/15/2011 09:59 PM, Dmitri Pal wrote:
>>>>> On 09/15/2011 03:45 PM, Sigbjorn Lie wrote:
>>>>>> Hi,
>>>>>>
>>>>>> Is there a custom script hook for when a user account is added using
>>>>>> either the cli, webui, or the winsync module?
>>>>>>
>>>>>> I have a custom script I run when creating a user account, and having
>>>>>> this run automatically by IPA would make my life a lot easier.
>>>>>>
>>>>> Can you describe what kind of operations you need to do?
>>>>> Have you looked at the automembership plugin?
>>>>>
>>>> I'm doing a SSH login on to a filer, creating a home folder ZFS
>>>> dataset for the new user, setting quota and ACL on the newly created
>>>> dataset, and adding files from a skeleton folder into the home folder.
>>>>
>>> It might be a stupid question but... you seem to do all the operation
>>> described above on the filer. I am not quite clear what part of it, if
>>> any, needs to be run on the server side, I mean on the IPA. Or you
>>> actually want to be able to create an account on the server side and
>>> make it trapped and send the event to the filer and run a script there?
>>>
>>> We can't do it now. AFAIR there was a ticket about something like this
>>> in the deferred bucket... Could not find it... But I remember a
>>> discussion.
>>> We might need to file a ticket to track this but sound like something
>>> that will take a lot of time to accomplish.
>>>
>>
>> The filer gets its user account data from the IPA server. The commands
>> I'm running on the filer is to create a personal dataset (filesystem)
>> for the newly created user account, as well as setting the correct ACL
>> for the filesystem. The filer is a ZFS based filer, and the command
>> being used is "zfs create ...". There is no remote API for this command.
>>
>> However I feel like you have misinterpreted the request. It does not
>> matter to IPA what I'm trying to accomplish with my script. I require
>> a script to be run after a user account has been created (or deleted,
>> or perhaps deleted).
>>
>> There are plenty of environments where custom scripts are required to
>> run after a new user account is created. In a typical Microsoft AD
>> environment this is often accomplished with additional
>> expensive-to-buy-and-complicated-to-set-up Identity Management suites,
>> so after a user account is created, additional accounts are created in
>> systems such as SAP, Incident Management tool, or any other company
>> specific databases or applications.
>>
>> In the UNIX/Linux environments I've seen, any post-user-creation tasks
>> are accomplished with a script, run by the user management tool after
>> the account has been created.
>>
>> Hence my request for the option to run a post-user-creation script. :)
>>
>> Regards,
>> Siggi
>>
>
> What we need to do is to have a way from the DS plugin to send
> notification messages about record operations and then let services
> subscribe and consume notifications and do whatever they need in an
> async way. It might make sense to have an optional QPID broker for that. I
> will talk to qpid guys.
>

Sounds even better! Much more secure! Thanks! :)

From simo at redhat.com Fri Sep 16 18:01:32 2011
From: simo at redhat.com (Simo Sorce)
Date: Fri, 16 Sep 2011 14:01:32 -0400
Subject: [Freeipa-users] Debian clients?
In-Reply-To: <47CE7527FAFAD348AEA328EB66E545A114E8EDEF@exchappvp1.adauriga.auriganet.net>
References: <47CE7527FAFAD348AEA328EB66E545A114E8EDEF@exchappvp1.adauriga.auriganet.net>
Message-ID: <1316196092.2684.450.camel@willson.li.ssimo.org>

On Fri, 2011-09-16 at 15:19 +0000, Johan Sunnerstig wrote:
> Hello.
> I'm wondering if anyone has used FreeIPA with Debian clients, and if
> so, what client software you opted to use?
> Right now I have nss-pam-ldapd
> (http://arthurdejong.org/nss-pam-ldapd/) and the MIT-based krb
> software that's included in Debian 6 working decently. By that I mean
> I can use it to allow logins as expected, but so far I haven't worked
> out allowing or disallowing login based on group membership.
>
> Obviously the best solution would be a "real" IPA client, but has
> anyone attempted this? I mucked around a bit with the SSSD included in
> the Debian repos(1.2.1) but didn't get it to work. Though in all
> fairness I didn't try THAT hard since it seems like SSSD has evolved
> quite a bit since 1.2.1.
> Is the SSSD route worthwhile?

SSSD is certainly the preferred client as it has many, many useful
features others lack including simplified configuration in a ipa-specific
backend. But 1.2.1 is too old.

> I really just need group based logins, sudo controls I can handle
> based on groups with Puppet, but again, if the real client route isn't
> too much work that's of course preferable.
>
> I hope this makes sense, late friday and I have a horrible headache,
> so if it doesn't I apologize in advance. :)

There is some work being done to make ipa-client-install more cross
platform, and we also have some contrib scripts, but we do not have a
complete ipa-client-install script for debian based distributions yet.
So you'll have to manually (or script) configure all components for now.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From sigbjorn at nixtra.com Fri Sep 16 18:21:43 2011
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Fri, 16 Sep 2011 20:21:43 +0200
Subject: [Freeipa-users] Debian clients?
In-Reply-To: <47CE7527FAFAD348AEA328EB66E545A114E8EDEF@exchappvp1.adauriga.auriganet.net>
References: <47CE7527FAFAD348AEA328EB66E545A114E8EDEF@exchappvp1.adauriga.auriganet.net>
Message-ID: <4E7393B7.5080508@nixtra.com>

On 09/16/2011 05:19 PM, Johan Sunnerstig wrote:
> Hello.
> I'm wondering if anyone has used FreeIPA with Debian clients, and if
> so, what client software you opted to use?
> Right now I have nss-pam-ldapd
> (http://arthurdejong.org/nss-pam-ldapd/) and the MIT-based krb
> software that's included in Debian 6 working decently. By that I mean
> I can use it to allow logins as expected, but so far I haven't worked
> out allowing or disallowing login based on group membership.
>
> Obviously the best solution would be a "real" IPA client, but has
> anyone attempted this? I mucked around a bit with the SSSD included in
> the Debian repos(1.2.1) but didn't get it to work. Though in all
> fairness I didn't try THAT hard since it seems like SSSD has evolved
> quite a bit since 1.2.1.
> Is the SSSD route worthwhile?
>
> I really just need group based logins, sudo controls I can handle
> based on groups with Puppet, but again, if the real client route isn't
> too much work that's of course preferable.
>
> I hope this makes sense, late friday and I have a horrible headache,
> so if it doesn't I apologize in advance. :)

Hi Johan,

I'm using Ubuntu with FreeIPA. I'm not using the ldapd as I've found it
unreliable. I'm using the libnss-ldap and manually configured kerberos.
ldapd does not support nested groups last I checked, that's a downside
too.

It's not perfect, sssd would have been better, but it works just fine.
If you lower the bind_timelimit and timelimit quite low (a few seconds)
it's not too bad when a ipa server is unavailable. nscd is required to
overcome some issues with the libnss-ldap. (Such as Thunderbird
segfaulting...)

I've used cfengine to make an IPA config script for clients not
supporting sssd and ipa-client-install. I'm sure you could do the same
with puppet.

To get group based login, I've used the AllowGroups property in sshd.

Hope this makes sense. :)

Regards,
Siggi

From g17jimmy at gmail.com Fri Sep 16 18:26:52 2011
From: g17jimmy at gmail.com (Jimmy)
Date: Fri, 16 Sep 2011 14:26:52 -0400
Subject: [Freeipa-users] Windows client logon
In-Reply-To: 
References: <4E6FB850.1080704@redhat.com> <4E70B53C.8020002@redhat.com> <1316144980.2684.421.camel@willson.li.ssimo.org> <1316180137.2684.443.camel@willson.li.ssimo.org>
Message-ID: 

I can create a keytab using ipa-getkeytab for any entity, say for
instance a user, and store a password in the keytab but as soon as the
user attempts to kinit with the set password it expires and must be
changed. Is this happening with the host(workstation) entities?

On Fri, Sep 16, 2011 at 9:44 AM, Jimmy wrote:
> When I do not specify the encryption type it does put them all in in a
> single go. I just was attempting to eliminate the other types in case that
> was creating a problem. The system defaults to type x18
> (aes256-cts-hmac-sha1-96). Thanks for your help on this.
>
> [root at csp-idm etc]# klist -kte krb5.keytab.sys1
> Keytab name: WRFILE:krb5.keytab.sys1
> KVNO Timestamp         Principal
> ---- ----------------- --------------------------------------------------------
>    6 09/16/11 13:40:03 host/ews1-cybsec.pdh.csp at PDH.CSP (aes256-cts-hmac-sha1-96)
>    6 09/16/11 13:40:03 host/ews1-cybsec.pdh.csp at PDH.CSP (aes128-cts-hmac-sha1-96)
>    6 09/16/11 13:40:04 host/ews1-cybsec.pdh.csp at PDH.CSP (des3-cbc-sha1)
>    6 09/16/11 13:40:04 host/ews1-cybsec.pdh.csp at PDH.CSP (arcfour-hmac)
>
>
> On Fri, Sep 16, 2011 at 9:35 AM, Simo Sorce wrote:
>
>> On Fri, 2011-09-16 at 09:31 -0400, Jimmy wrote:
>> > ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -k
>> > krb5.keytab
>> > -P [entering into the main keytab /etc/krb5.keytab]
>> > ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -k
>> > krb5.keytab.sys1 -P [entering into a new keytab krb5.keytab.sys1]
>> > ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e
>> > aes256-cts-hmac-sha1-96 -k krb5.keytab -P
>> > ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e
>> > aes128-cts-hmac-sha1-96 -k krb5.keytab -P
>> > ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e
>> > aes256-cts-hmac-sha1-96 -k krb5.keytab.sys1 -P
>> > ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e
>> > aes128-cts-hmac-sha1-96 -k krb5.keytab.sys1 -P
>> >
>>
>> This is not how it works.
>> You must define all types in one single go.
>> Every time you invoke ipa-getkeytab for a principal you are discarding
>> any previous key in the KDC, and only the last one is available.
>>
>> Simo.
>>
>> --
>> Simo Sorce * Red Hat, Inc * New York
>>
>>
>

From sgallagh at redhat.com Fri Sep 16 19:22:21 2011
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Fri, 16 Sep 2011 15:22:21 -0400
Subject: [Freeipa-users] Debian clients?
In-Reply-To: <1316196092.2684.450.camel@willson.li.ssimo.org>
References: <47CE7527FAFAD348AEA328EB66E545A114E8EDEF@exchappvp1.adauriga.auriganet.net> <1316196092.2684.450.camel@willson.li.ssimo.org>
Message-ID: <1316200943.26796.17.camel@sgallagh520.bos.redhat.com>

On Fri, 2011-09-16 at 14:01 -0400, Simo Sorce wrote:
> There is some work being done to make ipa-client -install more cross
> platforms, and we also have some contrib scripts, but we do not have a
> complete ipa-client-install script for debian based distributions yet.
> So you'll have to manually (or script) configure all components for now.

I've opened https://fedorahosted.org/freeipa/ticket/1809 (Document
manual steps to configure SSSD as an IPA client).

From abokovoy at redhat.com Fri Sep 16 19:39:55 2011
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Fri, 16 Sep 2011 22:39:55 +0300
Subject: [Freeipa-users] Debian clients?
In-Reply-To: <47CE7527FAFAD348AEA328EB66E545A114E8EDEF@exchappvp1.adauriga.auriganet.net>
References: <47CE7527FAFAD348AEA328EB66E545A114E8EDEF@exchappvp1.adauriga.auriganet.net>
Message-ID: <20110916193954.GB22600@redhat.com>

Hi,

On Fri, 16 Sep 2011, Johan Sunnerstig wrote:
> Hello. I'm wondering if anyone has used FreeIPA with Debian clients,
> and if so, what client software you opted to use? Right now I have
> nss-pam-ldapd (http://arthurdejong.org/nss-pam-ldapd/) and the
> MIT-based krb software that's included in Debian 6 working decently.
> By that I mean I can use it to allow logins as expected, but so far
> I haven't worked out allowing or disallowing login based on group
> membership.
>
> Obviously the best solution would be a "real" IPA client, but has
> anyone attempted this? I mucked around a bit with the SSSD included
> in the Debian repos(1.2.1) but didn't get it to work. Though in all
> fairness I didn't try THAT hard since it seems like SSSD has evolved
> quite a bit since 1.2.1. Is the SSSD route worthwhile?

I have made the first step into allowing support of other platforms in
FreeIPA. FreeIPA 2.1.2 will have an infrastructure to add new "platform
backends" that implement details of platform-specific interaction with
services. This does not affect configuration files per se but rather
services' start/stop and check for service availability.

I'm working on systemd support right now for Fedora 16 and, of course,
any help on GNU/Debian-based systems is welcomed -- we are probably too
far from making server bits distribution-independent but for client side
we are quite close. We 'just' miss a full featured replacement for
Fedora's authconfig utility on the Debian side (parts of which should be
imported into FreeIPA in my humble opinion).

If you are willing to help or have someone else with spare hands, look at
ipapython/platform/* in freeipa's upstream and check
http://fedorapeople.org/gitweb?p=abbra/public_git/freeipa.git;a=shortlog;h=refs/heads/systemd-ipa-2-1
as an example on how to extend it -- it is work in progress too but it
shows what you can achieve.

> I really just need group based logins, sudo controls I can handle
> based on groups with Puppet, but again, if the real client route
> isn't too much work that's of course preferable.
>
> I hope this makes sense, late friday and I have a horrible headache,
> so if it doesn't I apologize in advance. :)

Friday night is a nice time to talk about serious stuff :)

-- 
/ Alexander Bokovoy

From dpal at redhat.com Fri Sep 16 20:42:11 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 16 Sep 2011 16:42:11 -0400
Subject: [Freeipa-users] Debian clients?
In-Reply-To: <47CE7527FAFAD348AEA328EB66E545A114E8EDEF@exchappvp1.adauriga.auriganet.net>
References: <47CE7527FAFAD348AEA328EB66E545A114E8EDEF@exchappvp1.adauriga.auriganet.net>
Message-ID: <4E73B4A3.7010406@redhat.com>

On 09/16/2011 11:19 AM, Johan Sunnerstig wrote:
> Hello.
> I'm wondering if anyone has used FreeIPA with Debian clients, and if
> so, what client software you opted to use?
> Right now I have nss-pam-ldapd
> (http://arthurdejong.org/nss-pam-ldapd/) and the MIT-based krb
> software that's included in Debian 6 working decently. By that I mean
> I can use it to allow logins as expected, but so far I haven't worked
> out allowing or disallowing login based on group membership.
>
> Obviously the best solution would be a "real" IPA client, but has
> anyone attempted this? I mucked around a bit with the SSSD included in
> the Debian repos(1.2.1) but didn't get it to work. Though in all
> fairness I didn't try THAT hard since it seems like SSSD has evolved
> quite a bit since 1.2.1.
> Is the SSSD route worthwhile?

If you can get SSSD 1.5.x (latest) working that would be the best avenue
as it natively supports IPA host based access control features. If you
manage to do so we will help you to set it up manually. If you as a
result of this would be able to share your experience and create a wiki
page with the steps needed to do all this manually, that would be
awesome.

An alternative would be to try and port ipa-client to Debian.

>
> I really just need group based logins, sudo controls I can handle
> based on groups with Puppet, but again, if the real client route isn't
> too much work that's of course preferable.

If you want something simple there might be some options in the nss ldap
but you need to dig it from man pages or from Nalin...

>
> I hope this makes sense, late friday and I have a horrible headache,
> so if it doesn't I apologize in advance. :)
>
> Regards
> Johan

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From dpal at redhat.com Fri Sep 16 20:45:35 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 16 Sep 2011 16:45:35 -0400
Subject: [Freeipa-users] Windows client logon
In-Reply-To: 
References: <4E6FB850.1080704@redhat.com> <4E70B53C.8020002@redhat.com> <1316144980.2684.421.camel@willson.li.ssimo.org> <1316180137.2684.443.camel@willson.li.ssimo.org>
Message-ID: <4E73B56F.9040603@redhat.com>

On 09/16/2011 02:26 PM, Jimmy wrote:
> I can create a keytab using ipa-getkeytab for any entity, say for
> instance a user, and store a password in the keytab but as soon as the
> user attempts to kinit with the set password it expires and must be
> changed. Is this happening with the host(workstation) entities?

Are you using the latest hand built IPA from the master? There is a bug
about passwords being expired. A more stable version is available from
Fedora if you are using Fedora or from the 2.1 branch.

>
> On Fri, Sep 16, 2011 at 9:44 AM, Jimmy wrote:
>
>     When I do not specify the encryption type it does put them all in
>     in a single go. I just was attempting to eliminate the other types
>     in case that was creating a problem. The system defaults to type
>     x18 (aes256-cts-hmac-sha1-96). Thanks for your help on this.
>
>     [root at csp-idm etc]# klist -kte krb5.keytab.sys1
>     Keytab name: WRFILE:krb5.keytab.sys1
>     KVNO Timestamp         Principal
>     ---- ----------------- --------------------------------------------------------
>        6 09/16/11 13:40:03 host/ews1-cybsec.pdh.csp at PDH.CSP (aes256-cts-hmac-sha1-96)
>        6 09/16/11 13:40:03 host/ews1-cybsec.pdh.csp at PDH.CSP (aes128-cts-hmac-sha1-96)
>        6 09/16/11 13:40:04 host/ews1-cybsec.pdh.csp at PDH.CSP (des3-cbc-sha1)
>        6 09/16/11 13:40:04 host/ews1-cybsec.pdh.csp at PDH.CSP (arcfour-hmac)
>
>
>     On Fri, Sep 16, 2011 at 9:35 AM, Simo Sorce wrote:
>
>         On Fri, 2011-09-16 at 09:31 -0400, Jimmy wrote:
>         > ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -k
>         > krb5.keytab
>         > -P [entering into the main keytab /etc/krb5.keytab]
>         > ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -k
>         > krb5.keytab.sys1 -P [entering into a new keytab krb5.keytab.sys1]
>         > ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e
>         > aes256-cts-hmac-sha1-96 -k krb5.keytab -P
>         > ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e
>         > aes128-cts-hmac-sha1-96 -k krb5.keytab -P
>         > ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e
>         > aes256-cts-hmac-sha1-96 -k krb5.keytab.sys1 -P
>         > ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e
>         > aes128-cts-hmac-sha1-96 -k krb5.keytab.sys1 -P
>         >
>
>         This is not how it works.
>         You must define all types in one single go.
>         Every time you invoke ipa-getkeytab for a principal you are
>         discarding any previous key in the KDC, and only the last one
>         is available.
>
>         Simo.
>
>         --
>         Simo Sorce * Red Hat, Inc * New York
>

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From sigbjorn at nixtra.com Fri Sep 16 20:58:21 2011
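Simo's point above (each ipa-getkeytab run replaces the principal's keys in the KDC, so only the newest KVNO is usable) can be checked from the client side. The following is an added example, not code from the thread or from FreeIPA: it parses `klist -kte` output and flags every entry whose KVNO is lower than the newest one seen for the same principal. The two listings are constructed from the thread (the first one is assumed to be what an earlier run left in krb5.keytab), with the real "@" in place of the archive's "at".

```python
"""Find keytab entries the KDC will no longer accept after repeated
ipa-getkeytab runs. Added example; nothing here is FreeIPA code."""
import re
from collections import defaultdict

# One `klist -kte` entry: KVNO, timestamp, principal, enctype in parentheses.
ENTRY_RE = re.compile(
    r"^\s*(?P<kvno>\d+)\s+\d\d/\d\d/\d{2,4} \d\d:\d\d:\d\d\s+"
    r"(?P<principal>\S+)\s*\((?P<etype>[^)]+)\)\s*$")

# Constructed: what /etc/krb5.keytab could hold after an earlier run (KVNO 5).
KEYTAB_MAIN = """\
Keytab name: WRFILE:krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   5 09/16/11 13:31:10 host/ews1-cybsec.pdh.csp@PDH.CSP (aes256-cts-hmac-sha1-96)
   5 09/16/11 13:31:10 host/ews1-cybsec.pdh.csp@PDH.CSP (aes128-cts-hmac-sha1-96)
   5 09/16/11 13:31:11 host/ews1-cybsec.pdh.csp@PDH.CSP (des3-cbc-sha1)
   5 09/16/11 13:31:11 host/ews1-cybsec.pdh.csp@PDH.CSP (arcfour-hmac)
"""

# The listing Jimmy posted for krb5.keytab.sys1 (KVNO 6, the latest run).
KEYTAB_SYS1 = """\
Keytab name: WRFILE:krb5.keytab.sys1
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   6 09/16/11 13:40:03 host/ews1-cybsec.pdh.csp@PDH.CSP (aes256-cts-hmac-sha1-96)
   6 09/16/11 13:40:03 host/ews1-cybsec.pdh.csp@PDH.CSP (aes128-cts-hmac-sha1-96)
   6 09/16/11 13:40:04 host/ews1-cybsec.pdh.csp@PDH.CSP (des3-cbc-sha1)
   6 09/16/11 13:40:04 host/ews1-cybsec.pdh.csp@PDH.CSP (arcfour-hmac)
"""


def parse_klist(text):
    """Return (keytab name, [(kvno, principal, enctype), ...])."""
    name, entries = None, []
    for line in text.splitlines():
        if line.startswith("Keytab name:"):
            name = line.split(":", 1)[1].strip()
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group("kvno")), m.group("principal"),
                            m.group("etype")))
    return name, entries


def find_stale_entries(listings):
    """listings: iterable of `klist -kte` outputs. Returns a dict mapping
    principal -> {"live_kvno": n, "stale": [(keytab, kvno, enctype), ...]}.
    The highest KVNO seen anywhere is taken as the one the KDC now holds;
    every entry below it belongs to a key the KDC has already discarded."""
    parsed = [parse_klist(text) for text in listings]
    newest = defaultdict(int)
    for _, entries in parsed:
        for kvno, principal, _ in entries:
            newest[principal] = max(newest[principal], kvno)
    report = {}
    for keytab, entries in parsed:
        for kvno, principal, etype in entries:
            rec = report.setdefault(
                principal, {"live_kvno": newest[principal], "stale": []})
            if kvno < newest[principal]:
                rec["stale"].append((keytab, kvno, etype))
    return report


if __name__ == "__main__":
    for principal, rec in find_stale_entries([KEYTAB_MAIN, KEYTAB_SYS1]).items():
        print(principal, "live KVNO", rec["live_kvno"])
        for keytab, kvno, etype in rec["stale"]:
            print("  stale:", keytab, "kvno", kvno, etype)
```

A principal that shows up with several KVNOs within one keytab is reported the same way, which is what successive `-e` runs appending to the same file produce.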
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Fri, 16 Sep 2011 22:58:21 +0200
Subject: [Freeipa-users] Add user -> custom script
In-Reply-To: <20110916082905.GB31677@redhat.com>
References: <4E7255C4.2030406@nixtra.com> <4E72593C.4030600@redhat.com> <4E725CB0.7080807@nixtra.com> <4E72E00A.4060007@redhat.com> <20110916082905.GB31677@redhat.com>
Message-ID: <4E73B86D.5020800@nixtra.com>

On 09/16/2011 10:29 AM, Alexander Bokovoy wrote:
> On Fri, 16 Sep 2011, Dmitri Pal wrote:
>> On 09/15/2011 04:14 PM, Sigbjorn Lie wrote:
>>> On 09/15/2011 09:59 PM, Dmitri Pal wrote:
>>>> On 09/15/2011 03:45 PM, Sigbjorn Lie wrote:
>>>>> Hi,
>>>>>
>>>>> Is there a custom script hook for when a user account is added using
>>>>> either the cli, webui, or the winsync module?
>>>>>
>>>>> I have a custom script I run when creating a user account, and having
>>>>> this run automatically by IPA would make my life a lot easier.
>>>>>
>>>> Can you describe what kind of operations you need to do?
>>>> Have you looked at the automembership plugin?
>>>>
>>> I'm doing a SSH login on to a filer, creating a home folder ZFS
>>> dataset for the new user, setting quota and ACL on the newly created
>>> dataset, and adding files from a skeleton folder into the home folder.
>>>
>> It might be a stupid question but... you seem to do all the operation
>> described above on the filer. I am not quite clear what part of it, if
>> any, needs to be run on the server side, I mean on the IPA. Or you
>> actually want to be able to create an account on the server side and
>> make it trapped and send the event to the filer and run a script there?
>>
>> We can't do it now. AFAIR there was a ticket about something like this
>> in the deferred bucket... Could not find it... But I remember a discussion.
>> We might need to file a ticket to track this but sound like something
>> that will take a lot of time to accomplish.
> Attached untested patch is a proof of concept. If /etc/ipa/server.conf
> has following setting:
>
> ipa_user_script=/path/to/script
>
> then during add/delete/modify of an user, it will be called with
> add/del/mod as first parameter and user's dn as second. Result of
> the call is ignored but return from IPA server is blocked by the
> execution so be quick in ipa_user_script!
>

I got the patch installed OK, env variable set, and the script is being
run when I do user modifications. Great! :) But the action (add/del/mod)
and the dn are not being supplied as arguments.

For testing's sake I've made a very simple script just to capture the
env variables.

Do you have any suggestion as to why the arguments are not getting
supplied to the script?


#!/bin/bash

echo "a:$1 u:$2" >> /tmp/ipa_custom_$$
env >> /tmp/ipa_custom_$$

From rcritten at redhat.com Fri Sep 16 21:18:00 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 16 Sep 2011 17:18:00 -0400
Subject: [Freeipa-users] Add user -> custom script
In-Reply-To: <4E73B86D.5020800@nixtra.com>
References: <4E7255C4.2030406@nixtra.com> <4E72593C.4030600@redhat.com> <4E725CB0.7080807@nixtra.com> <4E72E00A.4060007@redhat.com> <20110916082905.GB31677@redhat.com> <4E73B86D.5020800@nixtra.com>
Message-ID: <4E73BD08.3010308@redhat.com>

Sigbjorn Lie wrote:
> On 09/16/2011 10:29 AM, Alexander Bokovoy wrote:
>> On Fri, 16 Sep 2011, Dmitri Pal wrote:
>>> On 09/15/2011 04:14 PM, Sigbjorn Lie wrote:
>>>> On 09/15/2011 09:59 PM, Dmitri Pal wrote:
>>>>> On 09/15/2011 03:45 PM, Sigbjorn Lie wrote:
>>>>>> Hi,
>>>>>>
>>>>>> Is there a custom script hook for when a user account is added using
>>>>>> either the cli, webui, or the winsync module?
>>>>>>
>>>>>> I have a custom script I run when creating a user account, and having
>>>>>> this run automatically by IPA would make my life a lot easier.
>>>>>>
>>>>>>
>>>>> Can you describe what kind of operations you need to do?
>>>>> Have you looked at the automembership plugin?
>>>>>
>>>> I'm doing a SSH login on to a filer, creating a home folder ZFS
>>>> dataset for the new user, setting quota and ACL on the newly created
>>>> dataset, and adding files from a skeleton folder into the home folder.
>>>>
>>> It might be a stupid question but... you seem to do all the operation
>>> described above on the filer. I am not quite clear what part of it, if
>>> any, needs to be run on the server side, I mean on the IPA. Or you
>>> actually want to be able to create an account on the server side and
>>> make it trapped and send the event to the filer and run a script there?
>>>
>>> We can't do it now. AFAIR there was a ticket about something like this
>>> in the deferred bucket... Could not find it... But I remember a
>>> discussion.
>>> We might need to file a ticket to track this but sound like something
>>> that will take a lot of time to accomplish.
>> Attached untested patch is a proof of concept. If /etc/ipa/server.conf
>> has following setting:
>>
>> ipa_user_script=/path/to/script
>>
>> then during add/delete/modify of an user, it will be called with
>> add/del/mod as first parameter and user's dn as second. Result of
>> the call is ignored but return from IPA server is blocked by the
>> execution so be quick in ipa_user_script!
>>
>
> I got the patch installed OK, env variable set, and the script is being
> run when do user modifications. Great! :) But the action (add/del/mod)
> and the dn is not being supplied as arguments.
>
> For testing's sake I've made a very simple script just to capture the
> env variables.
>
> Do you have any suggestion to why the arguments is not getting supplied
> to the script?
>
>
> #!/bin/bash
>
> echo "a:$1 u:$2" >> /tmp/ipa_custom_$$
> env >> /tmp/ipa_custom_$$

The ipautil.run invocation should be:

ipautil.run([self.api.env.ipa_user_script,"add", dn])

In other words, the whole thing needs to be in the list.

Note that a cleaner way of adding this without having to modify ipa-provided files would be to write an extension plugin that does this (untested):

from ipalib.plugins.user import user_add
# ipautil provides run(); the plugin needs this import as well
from ipapython import ipautil

def script_post_add_callback(inst, ldap, dn, attrs_list, *keys, **options):
    inst.log.info('User added')
    if 'ipa_user_script' in inst.api.env:
        try:
            ipautil.run([inst.api.env.ipa_user_script,"add", dn])
        except:
            pass

    return dn

user_add.register_post_callback(script_post_add_callback)

Stick that into a file and drop it into the directory with the other plugins and restart Apache and that should do it.

rob

From g17jimmy at gmail.com Fri Sep 16 21:24:48 2011
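An added example (my own, not Rob's plugin and not FreeIPA code) of the subprocess handling a post_callback like the one above should do before handing off to a site script: the argument vector is passed as a list, so a dn containing spaces or shell characters reaches the script as exactly one argument; there is a timeout, because the IPA request is blocked while the script runs; and failures are logged instead of being swallowed by a bare except. run_user_hook() and make_echo_script() are hypothetical names, the echo script is a constructed test double, and the DNs are made up.

```python
"""Added example: hardened subprocess handling for the "run a site script on
user add/del/mod" hook discussed in this thread.  It is not FreeIPA code and
not Rob's or Alexander's patch; run_user_hook() and make_echo_script() are
hypothetical names, and the DNs in the demo are made up."""
import logging
import os
import subprocess
import sys
import tempfile

log = logging.getLogger("ipa_user_script")

# The only actions the hook may be asked for; anything else is a caller bug.
ALLOWED_ACTIONS = ("add", "del", "mod")


def run_user_hook(script, action, dn, timeout=5.0):
    """Run `script action dn` and return (returncode, stdout).

    Returns None when the script cannot be started or does not finish within
    `timeout` seconds.  Every failure is logged; nothing is swallowed by a
    bare `except: pass`, so a misconfigured hook shows up in the server log.
    """
    if action not in ALLOWED_ACTIONS:
        raise ValueError("unknown user action %r" % (action,))
    # `script` is normally the configured path; a list (interpreter + path)
    # is also accepted so the constructed test double below needs no exec bit.
    argv = [script] if isinstance(script, str) else list(script)
    # Argument vector, never a shell string: a DN may contain spaces, commas,
    # quotes or '$', and it must reach the script as exactly one argv entry.
    argv += [action, str(dn)]
    try:
        proc = subprocess.run(argv, capture_output=True, text=True,
                              timeout=timeout, check=False)
    except OSError as exc:
        # Missing or non-executable script: make the misconfiguration visible.
        log.error("cannot start %s: %s", argv[0], exc)
        return None
    except subprocess.TimeoutExpired:
        # The IPA request is blocked while the hook runs, so a slow script is
        # an availability problem; subprocess.run kills the child for us.
        log.error("%s %s timed out after %.1fs", argv[0], action, timeout)
        return None
    if proc.returncode != 0:
        log.warning("%s %s %s exited %d: %s", argv[0], action, dn,
                    proc.returncode, proc.stderr.strip())
    return proc.returncode, proc.stdout


def make_echo_script(delay=0.0):
    """Constructed test double: a tiny script that sleeps `delay` seconds and
    prints each argument on its own line, so a caller can check exactly what
    argv it received.  Returns the [interpreter, path] form run_user_hook
    accepts."""
    code = ("import sys, time\n"
            "time.sleep(%r)\n"
            "print('\\n'.join(sys.argv[1:]))\n" % delay)
    fd, path = tempfile.mkstemp(prefix="ipa_user_script_", suffix=".py")
    with os.fdopen(fd, "w") as fh:
        fh.write(code)
    return [sys.executable, path]


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    hook = make_echo_script()
    for action in ALLOWED_ACTIONS:
        # Made-up DN with a space, the case a shell-string call would break.
        print(run_user_hook(hook, action,
                            "uid=o brien,cn=users,cn=accounts,dc=example,dc=com"))
    print(run_user_hook(make_echo_script(delay=3.0), "mod", "uid=x", timeout=0.3))
```

In a real plugin the logger would be inst.log and the script path would come from inst.api.env.ipa_user_script; the point of the list form and the timeout is the same either way.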
From: g17jimmy at gmail.com (Jimmy)
Date: Fri, 16 Sep 2011 17:24:48 -0400
Subject: [Freeipa-users] Windows client logon
In-Reply-To: <4E73B56F.9040603@redhat.com>
References: <4E6FB850.1080704@redhat.com> <4E70B53C.8020002@redhat.com> <1316144980.2684.421.camel@willson.li.ssimo.org> <1316180137.2684.443.camel@willson.li.ssimo.org> <4E73B56F.9040603@redhat.com>
Message-ID:

This was installed using yum. I need to be able to authenticate users against Kerberos from a Windows client machine and it fails at login saying the username/password is incorrect. The krb5kdc.log shows:

Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.201.9: NEEDED_PREAUTH: oper at PDH.CSP for krbtgt/PDH.CSP at PDH.CSP, Additional pre-authentication required
Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): preauth (timestamp) verify failure: Decrypt integrity check failed
Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.201.9: PREAUTH_FAILED: oper at PDH.CSP for krbtgt/PDH.CSP at PDH.CSP, Decrypt integrity check failed
Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): preauth (timestamp) verify failure: Decrypt integrity check failed
Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.201.9: PREAUTH_FAILED: oper at PDH.CSP for krbtgt/PDH.CSP at PDH.CSP, Decrypt integrity check failed

I know the user's password I'm using is correct because I can kinit with that username/password on the IPA server. I used the ipa-getkeytab to set the machine password, but I'm not sure that it's doing what I would normally do in a stand alone MIT Kerberos server using kadmin. Using ksetup on the windows7 client I can reconfigure for a couple different realms and authentication works just fine, but I'm missing something on the IPA config that would allow the same authentication.

Thanks,
Jimmy

On Fri, Sep 16, 2011 at 4:45 PM, Dmitri Pal wrote:
> On 09/16/2011 02:26 PM, Jimmy wrote:
>
> I can create a keytab using ipa-getkeytab for any entity, say for instance
> a user, and store a password in the keytab but as soon as the user attempts
> to kinit with the set password it expires and must be changed. Is this
> happening with the host(workstation) entities?
>
>
> Are you using latest hand built IPA from the master?
> There is a bug about passwords being expired.
> A more stable version is available from Fedora if you are using Fedora or
> from 2.1 branch.
>
>
> On Fri, Sep 16, 2011 at 9:44 AM, Jimmy wrote:
>
>> When I do not specify the encryption type it does put them all in in a
>> single go. I just was attempting to eliminate the other types in case that
>> was creating a problem. The system defaults to type x18
>> (aes256-cts-hmac-sha1-96). Thanks for your help on this.
>>
>> [root at csp-idm etc]# klist -kte krb5.keytab.sys1
>> Keytab name: WRFILE:krb5.keytab.sys1
>> KVNO Timestamp         Principal
>> ---- ----------------- --------------------------------------------------------
>>    6 09/16/11 13:40:03 host/ews1-cybsec.pdh.csp at PDH.CSP (aes256-cts-hmac-sha1-96)
>>    6 09/16/11 13:40:03 host/ews1-cybsec.pdh.csp at PDH.CSP (aes128-cts-hmac-sha1-96)
>>    6 09/16/11 13:40:04 host/ews1-cybsec.pdh.csp at PDH.CSP (des3-cbc-sha1)
>>    6 09/16/11 13:40:04 host/ews1-cybsec.pdh.csp at PDH.CSP (arcfour-hmac)
>>
>>
>> On Fri, Sep 16, 2011 at 9:35 AM, Simo Sorce wrote:
>>
>>> On Fri, 2011-09-16 at 09:31 -0400, Jimmy wrote:
>>> > ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -k
>>> > krb5.keytab
>>> > -P [entering into the main keytab /etc/krb5.keytab]
>>> > ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -k
>>> > krb5.keytab.sys1 -P [entering into a new keytab krb5.keytab.sys1]
>>> > ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e
>>> > aes256-cts-hmac-sha1-96 -k krb5.keytab -P
>>> > ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e
>>> > aes128-cts-hmac-sha1-96 -k krb5.keytab -P
>>> > ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e
>>> > aes256-cts-hmac-sha1-96 -k krb5.keytab.sys1 -P
>>> > ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e
>>> > aes128-cts-hmac-sha1-96 -k krb5.keytab.sys1 -P
>>> >
>>>
>>> This is not how it works.
>>> You must define all types in one single go.
>>> Every time you invoke ipa-getkeytab for a principal you are discarding
>>> any previous key in the KDC, and only the last one is available.
>>>
>>> Simo.
>>>
>>> --
>>> Simo Sorce * Red Hat, Inc * New York
>>>
>>>
>>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IPA project,
> Red Hat Inc.
>
>
> -------------------------------
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>

From abokovoy at redhat.com Fri Sep 16 21:31:14 2011
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Sat, 17 Sep 2011 00:31:14 +0300
Subject: [Freeipa-users] Add user -> custom script
In-Reply-To: <4E73BD08.3010308@redhat.com>
References: <4E7255C4.2030406@nixtra.com> <4E72593C.4030600@redhat.com> <4E725CB0.7080807@nixtra.com> <4E72E00A.4060007@redhat.com> <20110916082905.GB31677@redhat.com> <4E73B86D.5020800@nixtra.com> <4E73BD08.3010308@redhat.com>
Message-ID: <20110916213114.GC22600@redhat.com>

On Fri, 16 Sep 2011, Rob Crittenden wrote:
> >>Attached untested patch is a proof of concept. If /etc/ipa/server.conf
> >>has following setting:
> >>
> >>ipa_user_script=/path/to/script
> >>
> >>then during add/delete/modify of an user, it will be called with
> >>add/del/mod as first parameter and user's dn as second. Result of
> >>the call is ignored but return from IPA server is blocked by the
> >>execution so be quick in ipa_user_script!
> >>
> >
> >I got the patch installed OK, env variable set, and the script is being
> >run when do user modifications. Great! :) But the action (add/del/mod)
> >and the dn is not being supplied as arguments.
As I said, it is untested and I indeed made wrong arguments passing.

> The ipautil.run invocation should be:
>
> ipautil.run([self.api.env.ipa_user_script,"add", dn])
Exactly. Fixed patch attached.

> In other words, the whole thing needs to be in the list.
>
> Note that a cleaner way of adding this without having to modify
> ipa-provided files would be to write an extension plugin that does
> this (untested):
>
> from ipalib.plugins.user import user_add
>
> def script_post_add_callback(inst, ldap, dn, attrs_list, *keys, **options):
>     inst.log.info('User added')
>     if 'ipa_user_script' in inst.api.env:
>         try:
>             ipautil.run([inst.api.env.ipa_user_script,"add", dn])
>         except:
>             pass
>
>     return dn
>
> user_add.register_post_callback(script_post_add_callback)
>
> Stick that into a file and drop it into the directory with the other
> plugins and restart Apache and that should do it.
That would be even better as it is clearly separated from stock FreeIPA install. -- / Alexander Bokovoy -------------- next part -------------- diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py index 92a026d..b8631e3 100644 --- a/ipalib/plugins/user.py +++ b/ipalib/plugins/user.py @@ -25,6 +25,7 @@ from ipalib.request import context from time import gmtime, strftime import copy from ipalib import _, ngettext +from ipapython import ipautil __doc__ = _(""" Users @@ -413,6 +414,12 @@ class user_add(LDAPCreate): entry_from_entry(entry_attrs, newentry) self.obj.get_password_attributes(ldap, dn, entry_attrs) + # If there is a ipa_user_script set in configuration, call it out + if 'ipa_user_script' in self.api.env: + try: + ipautil.run([self.api.env.ipa_user_script, "add", dn]) + except: + pass return dn api.register(user_add) @@ -424,6 +431,12 @@ class user_del(LDAPDelete): msg_summary = _('Deleted user "%(value)s"') def post_callback(self, ldap, dn, *keys, **options): + # If there is a ipa_user_script set in configuration, call it out + if 'ipa_user_script' in self.api.env: + try: + ipautil.run([self.api.env.ipa_user_script, "del", dn]) + except: + pass return True api.register(user_del) @@ -446,6 +459,12 @@ class user_mod(LDAPUpdate): convert_nsaccountlock(entry_attrs) self.obj._convert_manager(entry_attrs, **options) self.obj.get_password_attributes(ldap, dn, entry_attrs) + # If there is a ipa_user_script set in configuration, call it out + if 'ipa_user_script' in self.api.env: + try: + ipautil.run([self.api.env.ipa_user_script, "mod", dn]) + except: + pass return dn api.register(user_mod) From simo at redhat.com Fri Sep 16 21:55:45 2011 
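Review bot: in the user_add hunk the bare `except: pass` around `ipautil.run([self.api.env.ipa_user_script, "add", dn])` discards every failure, so a script path that does not exist, is not executable, or exits non-zero leaves no trace in the server log and an operator cannot tell the hook never ran. Catch the specific errors ipautil.run raises on a failed exec or a non-zero exit and log them with `self.log.error(...)` before continuing; the entry is already created at this point, so logging rather than failing the request is the right outcome, but ignoring it silently is not. The call is also synchronous, so the request blocks for as long as the script takes; the mail says to keep the script quick, but a comment in the code and a timeout (or handing the work to a background job) would keep a slow filer from stalling the server's request handlers.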
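Review bot: the user_del hunk repeats the user_add block line for line with only the action string changed, and user_mod does the same, so any later fix to the error handling has to be made three times. Move the check-and-run into one helper on the user object, for example `self.obj.run_user_script("del", dn)`, and call it from each post_callback. Worth a comment here as well: user_del's post_callback runs after the LDAP entry is gone, so the script receives only the dn and cannot read the deleted account's attributes; a site script that needs them (uid, home directory) has to derive them from the dn or keep its own record.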
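Review bot: the diff reads a new configuration key, ipa_user_script, in all three hunks but nothing in it documents the key, declares a default, or checks what the value is. Since the value comes from /etc/ipa/server.conf and is executed by the server process with its privileges, it should be documented next to the other server.conf options and rejected unless it is an absolute path to a file owned by root and not writable by others; a docstring line in the user_mod hunk, the last of the three, would at least tell readers of user.py that the hook exists.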
From: simo at redhat.com (Simo Sorce)
Date: Fri, 16 Sep 2011 17:55:45 -0400
Subject: [Freeipa-users] Windows client logon
In-Reply-To:
References: <4E6FB850.1080704@redhat.com> <4E70B53C.8020002@redhat.com> <1316144980.2684.421.camel@willson.li.ssimo.org> <1316180137.2684.443.camel@willson.li.ssimo.org> <4E73B56F.9040603@redhat.com>
Message-ID: <1316210145.2684.462.camel@willson.li.ssimo.org>

On Fri, 2011-09-16 at 17:24 -0400, Jimmy wrote:
> This was installed using yum. I need to be able to authenticate users
> against Kerberos from a Windows client machine and it fails at login
> saying the username/password is incorrect. The krb5kdc.log shows:
>
>
>
> Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): AS_REQ (7 etypes
> {18 17 23 3 1 24 -135}) 192.168.201.9: NEEDED_PREAUTH: oper at PDH.CSP
> for krbtgt/PDH.CSP at PDH.CSP, Additional pre-authentication required
> Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): preauth
> (timestamp) verify failure: Decrypt integrity check failed
> Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): AS_REQ (7 etypes
> {18 17 23 3 1 24 -135}) 192.168.201.9: PREAUTH_FAILED: oper at PDH.CSP
> for krbtgt/PDH.CSP at PDH.CSP, Decrypt integrity check failed
> Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): preauth
> (timestamp) verify failure: Decrypt integrity check failed
> Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): AS_REQ (7 etypes
> {18 17 23 3 1 24 -135}) 192.168.201.9: PREAUTH_FAILED: oper at PDH.CSP
> for krbtgt/PDH.CSP at PDH.CSP, Decrypt integrity check failed

These logs say that either the password is wrong, or the clock on your
windows client is way off (more than 5 min. skew) wrt the ipa server.

>
> I know the user's password I'm using is correct because I can kinit
> with that username/password on the IPA server. I used the
> ipa-getkeytab to set the machine password, but I'm not sure that it's
> doing what I would normally do in a stand alone MIT Kerberos server
> using kadmin. Using ksetup on the windows7 client I can reconfigure
> for a couple different realms and authentication works just fine, but
> I'm missing something on the IPA config that would allow the same
> authentication.

The reason to have a "password" (windows) or a keytab (unix) for the
machine is to be able to validate the account against a possible rogue
KDC+attacker at login prompt pair.

But you are not even getting to the validation step as you are failing
to get a TGT for the user in the first place.

If the user password is right and your Freeipa REALM name is indeed
PDH.CSP then it is probably clock skew.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From sigbjorn at nixtra.com Fri Sep 16 22:10:10 2011
From: sigbjorn at nixtra.com (Sigbjorn Lie) Date: Sat, 17 Sep 2011 00:10:10 +0200 (CEST) Subject: [Freeipa-users] Add user -> custom script In-Reply-To: <4E73BD08.3010308@redhat.com> References: <4E7255C4.2030406@nixtra.com> <4E72593C.4030600@redhat.com> <4E725CB0.7080807@nixtra.com> <4E72E00A.4060007@redhat.com> <20110916082905.GB31677@redhat.com> <4E73B86D.5020800@nixtra.com> <4E73BD08.3010308@redhat.com> Message-ID: <60215.192.168.211.60.1316211010.squirrel@www.nixtra.com> On Fri, September 16, 2011 23:18, Rob Crittenden wrote: > Sigbjorn Lie wrote: > >> On 09/16/2011 10:29 AM, Alexander Bokovoy wrote: >> >>> On Fri, 16 Sep 2011, Dmitri Pal wrote: >>> >>>> On 09/15/2011 04:14 PM, Sigbjorn Lie wrote: >>>> >>>>> On 09/15/2011 09:59 PM, Dmitri Pal wrote: >>>>> >>>>>> On 09/15/2011 03:45 PM, Sigbjorn Lie wrote: >>>>>> >>>>>>> Hi, >>>>>>> >>>>>>> >>>>>>> Is there a custom script hook for when a user account is added using >>>>>>> either the cli, webui, or the winsync module? >>>>>>> >>>>>>> I have a custom script I run when creating a user account, and having >>>>>>> this run automatically by IPA would make my life a lot easier. >>>>>>> >>>>>>> >>>>>> Can you describe what kind of operations you need to do? >>>>>> Have you looked at the automembership plugin? >>>>>> >>>>>> >>>>> I'm doing a SSH login on to a filer, creating a home folder ZFS >>>>> dataset for the new user, setting quota and ACL on the newly created dataset, and adding >>>>> files from a skeleton folder into the home folder. >>>>> >>>> It might be a stupid question but... you seem to do all the operation >>>> described above on the filer. I am not quite clear what part of it, if any, needs to be run >>>> on the server side, I mean on the IPA. Or you actually want to be able to create an account >>>> on the server side and make it trapped and send the event to the filer and run a script >>>> there? >>>> >>>> We can't do it now. 
AFAIR there was a ticket about something like this >>>> in the deferred bucket... Could not find it... But I remember a discussion. We might need to >>>> file a ticket to track this but sound like something that will take a lot of time to >>>> accomplish. >>> Attached untested patch is a proof of concept. If /etc/ipa/server.conf >>> has following setting: >>> >>> ipa_user_script=/path/to/script >>> >>> then during add/delete/modify of an user, it will be called with add/del/mod as first >>> parameter and user's dn as second. Result of the call is ignored but return from IPA server is >>> blocked by the execution so be quick in ipa_user_script! >>> >> >> I got the patch installed OK, env variable set, and the script is being >> run when do user modifications. Great! :) But the action (add/del/mod) and the dn is not being >> supplied as arguments. >> >> For testing's sake I've made a very simple script just to capture the >> env variables. >> >> Do you have any suggestion to why the arguments is not getting supplied >> to the script? >> >> >> #!/bin/bash >> >> >> echo "a:$1 u:$2" >> /tmp/ipa_custom_$$ env >> /tmp/ipa_custom_$$ > > The ipautil.run invocation should be: > > > ipautil.run([self.api.env.ipa_user_script,"add", dn]) > > In other words, the whole thing needs to be in the list. > > > Note that a cleaner way of adding this without having to modify > ipa-provided files would be to write an extension plugin that does this (untested): > > > from ipalib.plugins.user import user_add > > def script_post_add_callback(inst, ldap, dn, attrs_list, *keys, **options): inst.log.info('User > added') if 'ipa_user_script' in inst.api.env: try: > ipautil.run([inst.api.env.ipa_user_script,"add", dn]) except: > pass > > return dn > > user_add.register_post_callback(script_post_add_callback) > > Stick that into a file and drop it into the directory with the other > plugins and restart Apache and that should do it. 
>
> rob
>

I reverted the patched user.py file back to the unpatched user.py file.

I called the script you provided custom.py, and I've tried copying it to /usr/lib/python2.7/site-packages/ipalib/plugins and /usr/lib/python2.7/site-packages/ipaserver/plugins. Then I restarted httpd and tomcat6. Now the script is not called anymore.

Should the script be put anywhere else? Anything I didn't do?

From nalin at redhat.com Fri Sep 16 22:31:29 2011
From: nalin at redhat.com (Nalin Dahyabhai)
Date: Fri, 16 Sep 2011 18:31:29 -0400
Subject: [Freeipa-users] Debian clients?
In-Reply-To: <4E73B4A3.7010406@redhat.com>
References: <47CE7527FAFAD348AEA328EB66E545A114E8EDEF@exchappvp1.adauriga.auriganet.net> <4E73B4A3.7010406@redhat.com>
Message-ID: <20110916223129.GA13128@redhat.com>

On Fri, Sep 16, 2011 at 04:42:11PM -0400, Dmitri Pal wrote:
> On 09/16/2011 11:19 AM, Johan Sunnerstig wrote:
> Right now I have nss-pam-ldapd
> ([1]http://arthurdejong.org/nss-pam-ldapd/) and the MIT-based krb
> software that's included in Debian 6 working decently. By that I mean I
> can use it to allow logins as expected, but so far I haven't worked out
> allowing or disallowing login based on group membership.

[snip]

> I really just need group based logins, sudo controls I can handle based
> on groups with Puppet, but again, if the real client route isn't too
> much work that's of course preferable.

Well, it may not be the most elegant option, but if you turn on the
compat plugin (with ipa-compat-manage), the plugin will "flatten" the
groups and show the results under cn=groups,cn=compat,$SUFFIX so that
the client doesn't need to do the recursive resolution itself. You'd
then be able to point the LDAP client at the compat area for group
information, you'd be able to use anything that knew about POSIX groups
to actually enforce the group membership requirement.

I'd use pam_succeed_if for this (once to allow UIDs that are low enough
to be local, a second time to allow members of the group), but there are
almost certainly other ways.

HTH,

Nalin

From Johan.Sunnerstig at auriga.se Mon Sep 19 04:53:38 2011
From: Johan.Sunnerstig at auriga.se (Johan Sunnerstig) Date: Mon, 19 Sep 2011 04:53:38 +0000 Subject: [Freeipa-users] Debian clients? In-Reply-To: <4E73B4A3.7010406@redhat.com> References: <47CE7527FAFAD348AEA328EB66E545A114E8EDEF@exchappvp1.adauriga.auriganet.net>, <4E73B4A3.7010406@redhat.com> Message-ID: <47CE7527FAFAD348AEA328EB66E545A114E93028@exchappvp1.adauriga.auriganet.net> Hi. Thanks for all the feedback, I think I'll start with this route and see if I can get a more recent SSSD working. And yes, I do all my documentation in Zim, and my boss is quite supportive of sharing the work I/we do, so if I do get this working in a nice manner I will certainly be more than happy to share the documentation. As for contributing code, I'm more than a little rusty when it comes to coding Python(not that I was particularly good to begin with), but maybe if I get some spare time I could have a go at it. :) Thanks again for all the feedback everyone. Regards Johan ________________________________ 
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Dmitri Pal [dpal at redhat.com] Sent: 16 September 2011 22:42 To: freeipa-users at redhat.com; Nalin Dahyabhai Subject: Re: [Freeipa-users] Debian clients? On 09/16/2011 11:19 AM, Johan Sunnerstig wrote: Hello. I'm wondering if anyone has used FreeIPA with Debian clients, and if so, what client software you opted to use? Right now I have nss-pam-ldapd (http://arthurdejong.org/nss-pam-ldapd/) and the MIT-based krb software that's included in Debian 6 working decently. By that I mean I can use it to allow logins as expected, but so far I haven't worked out allowing or disallowing login based on group membership. Obviously the best solution would be a "real" IPA client, but has anyone attempted this? I mucked around a bit with the SSSD included in the Debian repos(1.2.1) but didn't get it to work. Though in all fairness I didn't try THAT hard since it seems like SSSD has evolved quite a bit since 1.2.1. Is the SSSD route worthwhile? If you can get SSSD 1.5.x (latest) working that would be best avenue as it supports natively IPA host based access control features. If you manage to do so we will help you to setup it manually. If you as a result of this would be able to share youer experience and create a wiki page with the steps need to do all this manually would be awesome. An alternative would be to try and port ipa-client to Debian. I really just need group based logins, sudo controls I can handle based on groups with Puppet, but again, if the real client route isn't too much work that's of course preferable. If you want something simple there might be some options in the nss ldap but you need to dig it from man pages or from Nalin... I hope this makes sense, late friday and I have a horrible headache, so if it doesn't I apologize in advance. 
:) Regards Johan _______________________________________________ Freeipa-users mailing list Freeipa-users at redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -------------- next part -------------- An HTML attachment was scrubbed... URL: From rcritten at redhat.com Mon Sep 19 13:42:39 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 19 Sep 2011 09:42:39 -0400 Subject: [Freeipa-users] Add user -> custom script In-Reply-To: <60215.192.168.211.60.1316211010.squirrel@www.nixtra.com> References: <4E7255C4.2030406@nixtra.com> <4E72593C.4030600@redhat.com> <4E725CB0.7080807@nixtra.com> <4E72E00A.4060007@redhat.com> <20110916082905.GB31677@redhat.com> <4E73B86D.5020800@nixtra.com> <4E73BD08.3010308@redhat.com> <60215.192.168.211.60.1316211010.squirrel@www.nixtra.com> Message-ID: <4E7746CF.70903@redhat.com> Sigbjorn Lie wrote: > > > On Fri, September 16, 2011 23:18, Rob Crittenden wrote: >> Sigbjorn Lie wrote: >> >>> On 09/16/2011 10:29 AM, Alexander Bokovoy wrote: >>> >>>> On Fri, 16 Sep 2011, Dmitri Pal wrote: >>>> >>>>> On 09/15/2011 04:14 PM, Sigbjorn Lie wrote: >>>>> >>>>>> On 09/15/2011 09:59 PM, Dmitri Pal wrote: >>>>>> >>>>>>> On 09/15/2011 03:45 PM, Sigbjorn Lie wrote: >>>>>>> >>>>>>>> Hi, >>>>>>>> >>>>>>>> >>>>>>>> Is there a custom script hook for when a user account is added using >>>>>>>> either the cli, webui, or the winsync module? >>>>>>>> >>>>>>>> I have a custom script I run when creating a user account, and having >>>>>>>> this run automatically by IPA would make my life a lot easier. >>>>>>>> >>>>>>>> >>>>>>> Can you describe what kind of operations you need to do? >>>>>>> Have you looked at the automembership plugin? >>>>>>> >>>>>>> >>>>>> I'm doing a SSH login on to a filer, creating a home folder ZFS >>>>>> dataset for the new user, setting quota and ACL on the newly created dataset, and adding >>>>>> files from a skeleton folder into the home folder. >>>>>> >>>>> It might be a stupid question but... you seem to do all the operation >>>>> described above on the filer. I am not quite clear what part of it, if any, needs to be run >>>>> on the server side, I mean on the IPA. 
Or you actually want to be able to create an account >>>>> on the server side and make it trapped and send the event to the filer and run a script >>>>> there? >>>>> >>>>> We can't do it now. AFAIR there was a ticket about something like this >>>>> in the deferred bucket... Could not find it... But I remember a discussion. We might need to >>>>> file a ticket to track this but sound like something that will take a lot of time to >>>>> accomplish. >>>> Attached untested patch is a proof of concept. If /etc/ipa/server.conf >>>> has following setting: >>>> >>>> ipa_user_script=/path/to/script >>>> >>>> then during add/delete/modify of an user, it will be called with add/del/mod as first >>>> parameter and user's dn as second. Result of the call is ignored but return from IPA server is >>>> blocked by the execution so be quick in ipa_user_script! >>>> >>> >>> I got the patch installed OK, env variable set, and the script is being >>> run when do user modifications. Great! :) But the action (add/del/mod) and the dn is not being >>> supplied as arguments. >>> >>> For testing's sake I've made a very simple script just to capture the >>> env variables. >>> >>> Do you have any suggestion to why the arguments is not getting supplied >>> to the script? >>> >>> >>> #!/bin/bash >>> >>> >>> echo "a:$1 u:$2">> /tmp/ipa_custom_$$ env>> /tmp/ipa_custom_$$ >> >> The ipautil.run invocation should be: >> >> >> ipautil.run([self.api.env.ipa_user_script,"add", dn]) >> >> In other words, the whole thing needs to be in the list. 
>>
>>
>> Note that a cleaner way of adding this without having to modify
>> ipa-provided files would be to write an extension plugin that does this (untested):
>>
>>
>> from ipalib.plugins.user import user_add
>>
>> def script_post_add_callback(inst, ldap, dn, attrs_list, *keys, **options):
>>     inst.log.info('User added')
>>     if 'ipa_user_script' in inst.api.env:
>>         try:
>>             ipautil.run([inst.api.env.ipa_user_script,"add", dn])
>>         except:
>>             pass
>>
>>     return dn
>>
>> user_add.register_post_callback(script_post_add_callback)
>>
>> Stick that into a file and drop it into the directory with the other
>> plugins and restart Apache and that should do it.
>>
>> rob
>>
>
> I reverted the patched user.py file back to tbe unpatched user.py file.
>
> I called the script you provided custom.py, and I've tried copying it to
> /usr/lib/python2.7/site-packages/ipalib/plugins and
> /usr/lib/python2.7/site-packages/ipaserver/plugins. Then I restarted httpd and tomcat6. Now the
> script is not called anymore.
>
> Should the script be put anywhere else? Anything I didnt do?
>
>

It needs to be in ipalib/plugins. Add:

from ipapython import ipautil

rob

From g17jimmy at gmail.com Mon Sep 19 14:10:02 2011
From: g17jimmy at gmail.com (Jimmy)
Date: Mon, 19 Sep 2011 10:10:02 -0400
Subject: [Freeipa-users] Windows client logon
In-Reply-To: <1316210145.2684.462.camel@willson.li.ssimo.org>
References: <4E6FB850.1080704@redhat.com> <4E70B53C.8020002@redhat.com> <1316144980.2684.421.camel@willson.li.ssimo.org> <1316180137.2684.443.camel@willson.li.ssimo.org> <4E73B56F.9040603@redhat.com> <1316210145.2684.462.camel@willson.li.ssimo.org>
Message-ID:

I have verified that the password set for the workstation in the kerberos host principal(using ipa-getkeytab) and the password on the host (using ksetup) are the same. I'm still getting the " Decrypt integrity check failed" errors. I have also verified that the system clock is accurate on both the KDC and the workstation. What else could be causing this? As I have said, this system authenticates flawlessly against other KDC's I have set up.

Jimmy

On Fri, Sep 16, 2011 at 5:55 PM, Simo Sorce wrote:
> On Fri, 2011-09-16 at 17:24 -0400, Jimmy wrote:
> > This was installed using yum. I need to be able to authenticate users
> > against Kerberos from a Windows client machine and it fails at login
> > saying the username/password is incorrect.
The krb5kdc.log shows: > > > > > > > > Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): AS_REQ (7 etypes > > {18 17 23 3 1 24 -135}) 192.168.201.9: NEEDED_PREAUTH: oper at PDH.CSP > > for krbtgt/PDH.CSP at PDH.CSP, Additional pre-authentication required > > Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): preauth > > (timestamp) verify failure: Decrypt integrity check failed > > Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): AS_REQ (7 etypes > > {18 17 23 3 1 24 -135}) 192.168.201.9: PREAUTH_FAILED: oper at PDH.CSP > > for krbtgt/PDH.CSP at PDH.CSP, Decrypt integrity check failed > > Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): preauth > > (timestamp) verify failure: Decrypt integrity check failed > > Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): AS_REQ (7 etypes > > {18 17 23 3 1 24 -135}) 192.168.201.9: PREAUTH_FAILED: oper at PDH.CSP > > for krbtgt/PDH.CSP at PDH.CSP, Decrypt integrity check failed > > > These logs say that either the password is wrong, or the clock on your > windows client is way off (more than 5 min. skew) wrt the ipa server. > > > > I know the user's password I'm using is correct because I can kinit > > with that username/password on the IPA server. I used the > > ipa-getkeytab to set the machine password, but I'm not sure that it's > > doing what I would normally do in a stand alone MIT Kerberos server > > using kadmin. Using ksetup on the windows7 client I can reconfigure > > for a couple different realms and authentication works just fine, but > > I'm missing something on the IPA config that would allow the same > > authentication. > > The reason to have a "password" (windows) or a keytab (unix) for the > machine is to be able to validate the account against a possible rouge > KDC+attacker at login prompt pair. > > But you are not even getting to the validation step as you are failing > to get a TGT for the user in the first place. 
>
> If the user password is right and your Freeipa REALM name is indeed
> PDH.CSP then it is probably clock skew.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>
>

From simo at redhat.com Mon Sep 19 14:31:46 2011
From: simo at redhat.com (Simo Sorce)
Date: Mon, 19 Sep 2011 10:31:46 -0400
Subject: [Freeipa-users] Windows client logon
In-Reply-To:
References: <4E6FB850.1080704@redhat.com> <4E70B53C.8020002@redhat.com> <1316144980.2684.421.camel@willson.li.ssimo.org> <1316180137.2684.443.camel@willson.li.ssimo.org> <4E73B56F.9040603@redhat.com> <1316210145.2684.462.camel@willson.li.ssimo.org>
Message-ID: <1316442706.2684.473.camel@willson.li.ssimo.org>

On Mon, 2011-09-19 at 10:10 -0400, Jimmy wrote:
> I have verified that the password set for the workstation in the
> kerberos host principal(using ipa-getkeytab) and the password on the
> host (using ksetup) are the same. I'm still getting the " Decrypt
> integrity check failed" errors. I have also verified that the system
> clock is accurate on both the KDC and the workstation. What else could
> be causing this? As I have said, this system authenticates flawlessly
> against other KDC's I have set up.

The thing that is failing is your user password does not check with what
the KDC thinks is the user's secret. You are not yet to the stage where
the machine password is tried.

Simo.

>

--
Simo Sorce * Red Hat, Inc * New York

From g17jimmy at gmail.com Mon Sep 19 14:58:51 2011
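An added example, not code from this thread, for the point Simo makes twice above: "Decrypt integrity check failed" on the timestamp preauth means the KDC could not decrypt the client's preauth data with the key it holds for the user, so the user's password (or the client clock) is wrong and the host keytab has not been consulted yet. The helper below parses krb5kdc.log lines of the kind posted in this thread, counts AS_REQ outcomes per client principal and source IP, attaches that diagnosis, and lists the encryption types the client offered. The sample lines are constructed from the thread's excerpts, with the list archive's " at " restored to "@"; parse_kdc_line() and triage() are my own names.

```python
"""Added example, not code from this thread: a triage helper for the
krb5kdc.log lines posted above.  It counts AS_REQ outcomes per client
principal and source IP, turns the 'preauth (timestamp) verify failure:
Decrypt integrity check failed' pattern into the two causes Simo names
(wrong user password, or client clock skew beyond the 5 minute default),
and lists the encryption types the client offered.  Sample lines are
constructed from the thread's excerpts with the archive's ' at ' restored
to '@'; parse_kdc_line() and triage() are my own names."""
import re
from collections import defaultdict

# Well-known etype numbers; anything else is reported by number.
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5",
               17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
               23: "arcfour-hmac", 24: "arcfour-hmac-exp"}
WEAK_ETYPES = {1, 3, 23, 24}  # single DES and RC4, worth flagging if offered

REQ_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) krb5kdc\[\d+\]\(\w+\): "
    r"(?P<kind>AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<etypes>[^}]*)\}\) "
    r"(?P<client_ip>\S+): (?P<status>\w+): (?P<rest>.*)$")
PREAUTH_RE = re.compile(
    r"krb5kdc\[\d+\]\(\w+\): preauth \((?P<method>\w+)\) verify failure: "
    r"(?P<reason>.*)$")
PRINC_RE = re.compile(r"(?P<client>\S+@\S+) for (?P<server>\S+@\S+)")
ISSUE_RE = re.compile(r"etypes \{rep=(\d+) tkt=(\d+) ses=(\d+)\}")


def etype_names(etypes):
    """Map etype numbers to names, keeping unknown numbers visible."""
    return [ETYPE_NAMES.get(e, "etype(%d)" % e) for e in etypes]


def parse_kdc_line(line):
    """Parse one krb5kdc.log line into a dict; None if it is neither a
    request outcome nor a preauth verify failure."""
    m = REQ_RE.match(line)
    if m:
        rec = m.groupdict()
        rec["etypes"] = [int(e) for e in rec["etypes"].split()]
        p = PRINC_RE.search(rec["rest"])
        if p:
            rec["client"] = p.group("client")
            rec["server"] = p.group("server").rstrip(",")
        i = ISSUE_RE.search(rec["rest"])
        if i:  # ISSUE lines carry the reply, ticket and session key etypes
            rec["tkt_etype"], rec["session_etype"] = int(i.group(2)), int(i.group(3))
        return rec
    m = PREAUTH_RE.search(line)
    if m:
        return {"kind": "PREAUTH", "status": "VERIFY_FAILURE",
                "method": m.group("method"), "reason": m.group("reason")}
    return None


def triage(lines):
    """Summarise the AS exchange per (client principal, client IP).  Only
    AS_REQ outcomes are counted: that is where the user's password (not the
    host keytab) is checked, which is the point Simo makes above."""
    summary = defaultdict(lambda: {"needed_preauth": 0, "preauth_failed": 0,
                                   "issued": 0, "offered_etypes": set()})
    for line in lines:
        rec = parse_kdc_line(line)
        if not rec or rec["kind"] != "AS_REQ" or "client" not in rec:
            continue
        s = summary[(rec["client"], rec["client_ip"])]
        s["offered_etypes"].update(rec["etypes"])
        if rec["status"] == "NEEDED_PREAUTH":
            s["needed_preauth"] += 1
        elif rec["status"] == "PREAUTH_FAILED":
            s["preauth_failed"] += 1
        elif rec["status"] == "ISSUE":
            s["issued"] += 1
            s["ticket_etype"] = ETYPE_NAMES.get(rec.get("tkt_etype"))
    for s in summary.values():
        offered = sorted(s["offered_etypes"])
        s["offered_etypes"] = offered
        s["weak_etypes_offered"] = etype_names([e for e in offered if e in WEAK_ETYPES])
        if s["issued"]:
            s["diagnosis"] = "TGT issued: the user's password was accepted"
        elif s["preauth_failed"]:
            s["diagnosis"] = ("timestamp preauth rejected: wrong user password or "
                              "client clock skew beyond 5 minutes; the host "
                              "keytab is not consulted at this step")
        else:
            s["diagnosis"] = "no completed AS exchange"
    return dict(summary)


# Constructed from the thread's log excerpts (' at ' restored to '@').
_AS = "csp-idm.pdh.csp krb5kdc[1227](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.201.9: "
_PA = "csp-idm.pdh.csp krb5kdc[1227](info): preauth (timestamp) verify failure: Decrypt integrity check failed"
FAILED_LOGIN = [
    "Sep 16 20:53:32 " + _AS + "NEEDED_PREAUTH: oper@PDH.CSP for krbtgt/PDH.CSP@PDH.CSP, Additional pre-authentication required",
    "Sep 16 20:53:32 " + _PA,
    "Sep 16 20:53:32 " + _AS + "PREAUTH_FAILED: oper@PDH.CSP for krbtgt/PDH.CSP@PDH.CSP, Decrypt integrity check failed",
    "Sep 16 20:53:32 " + _PA,
    "Sep 16 20:53:32 " + _AS + "PREAUTH_FAILED: oper@PDH.CSP for krbtgt/PDH.CSP@PDH.CSP, Decrypt integrity check failed",
]
SUCCESSFUL_LOGIN = [
    "Sep 19 15:27:03 " + _AS + "NEEDED_PREAUTH: admin@PDH.CSP for krbtgt/PDH.CSP@PDH.CSP, Additional pre-authentication required",
    "Sep 19 15:27:03 " + _AS + "ISSUE: authtime 1316446023, etypes {rep=18 tkt=18 ses=18}, admin@PDH.CSP for krbtgt/PDH.CSP@PDH.CSP",
    "Sep 19 15:27:03 " + _AS.replace("AS_REQ", "TGS_REQ") + "ISSUE: authtime 1316446023, etypes {rep=18 tkt=18 ses=18}, admin@PDH.CSP for host/ews1.pdh.csp@PDH.CSP",
]

if __name__ == "__main__":
    for name, lines in (("failed", FAILED_LOGIN), ("successful", SUCCESSFUL_LOGIN)):
        print(name, triage(lines))
```

Run against a real log the same way (one line per list entry); the weak_etypes_offered field is there because a client that still offers DES and RC4 in its AS_REQ is something to fix on the client side, independent of the login failure.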
From: g17jimmy at gmail.com (Jimmy)
Date: Mon, 19 Sep 2011 10:58:51 -0400
Subject: [Freeipa-users] Windows client logon
In-Reply-To: <1316442706.2684.473.camel@willson.li.ssimo.org>
References: <4E6FB850.1080704@redhat.com> <4E70B53C.8020002@redhat.com> <1316144980.2684.421.camel@willson.li.ssimo.org> <1316180137.2684.443.camel@willson.li.ssimo.org> <4E73B56F.9040603@redhat.com> <1316210145.2684.462.camel@willson.li.ssimo.org> <1316442706.2684.473.camel@willson.li.ssimo.org>
Message-ID:

I think you're on to something here. I just reset the user's password on IPA and get the "password expired" message but I get that regardless of what I enter for the user's password. I'm confused as to why I can make the user auth work with a normal KDC but I'm having so much trouble with IPA-KDC. Going to wipe the Win7 config and start fresh on that system.

On Mon, Sep 19, 2011 at 10:31 AM, Simo Sorce wrote:
> On Mon, 2011-09-19 at 10:10 -0400, Jimmy wrote:
> > I have verified that the password set for the workstation in the
> > kerberos host principal(using ipa-getkeytab) and the password on the
> > host (using ksetup) are the same. I'm still getting the " Decrypt
> > integrity check failed" errors. I have also verified that the system
> > clock is accurate on both the KDC and the workstation. What else could
> > be causing this? As I have said, this system authenticates flawlessly
> > against other KDC's I have set up.
>
> The thing that is failing is your user password does not check with what
> the KDC thinks is the user's secret. You are not yet to the stage where
> the machine password is tried.
>
> Simo.
>
>
>
> --
> Simo Sorce * Red Hat, Inc * New York
>
>

From simo at redhat.com Mon Sep 19 15:13:03 2011
From: simo at redhat.com (Simo Sorce) Date: Mon, 19 Sep 2011 11:13:03 -0400 Subject: [Freeipa-users] Windows client logon In-Reply-To: References: <4E6FB850.1080704@redhat.com> <4E70B53C.8020002@redhat.com> <1316144980.2684.421.camel@willson.li.ssimo.org> <1316180137.2684.443.camel@willson.li.ssimo.org> <4E73B56F.9040603@redhat.com> <1316210145.2684.462.camel@willson.li.ssimo.org> <1316442706.2684.473.camel@willson.li.ssimo.org> Message-ID: <1316445183.2684.477.camel@willson.li.ssimo.org> On Mon, 2011-09-19 at 10:58 -0400, Jimmy wrote: > I think you're on to something here. I just reset the user's password > on IPA and get the "password expired" message but I get that > regardless of what I enter for the user's password. I'm confused as to > why I can make the user auth work with a normal KDC but I'm having so > much trouble with IPA-KDC. Going to wipe the Win7 config and start > fresh on that system. Not sure why you are having trouble, the KDC component of IPA is a stock MIT KDC with LDAP backend. > Simo. -- Simo Sorce * Red Hat, Inc * New York From g17jimmy at gmail.com Mon Sep 19 15:33:31 2011 
From: g17jimmy at gmail.com (Jimmy) Date: Mon, 19 Sep 2011 11:33:31 -0400 Subject: [Freeipa-users] Windows client logon In-Reply-To: <1316445183.2684.477.camel@willson.li.ssimo.org> References: <4E6FB850.1080704@redhat.com> <4E70B53C.8020002@redhat.com> <1316144980.2684.421.camel@willson.li.ssimo.org> <1316180137.2684.443.camel@willson.li.ssimo.org> <4E73B56F.9040603@redhat.com> <1316210145.2684.462.camel@willson.li.ssimo.org> <1316442706.2684.473.camel@willson.li.ssimo.org> <1316445183.2684.477.camel@willson.li.ssimo.org> Message-ID: I just found that the FreeIPA user 'admin' can log in with no issues on the Windows system, with no changes from the config that I was attempting to use with a newly created IPA user. So authentication from the workstation works if the user has a known, non-expired password. It seems the kpasswd function is not working. I will test more and post results. Here are logs from a successful login for admin: Sep 19 15:27:03 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.201.9: NEEDED_PREAUTH: admin at PDH.CSP for krbtgt/PDH.CSP at PDH.CSP, Additional pre-authentication required Sep 19 15:27:03 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.201.9: ISSUE: authtime 1316446023, etypes {rep=18 tkt=18 ses=18}, admin at PDH.CSP for krbtgt/PDH.CSP at PDH.CSP Sep 19 15:27:03 csp-idm.pdh.csp krb5kdc[1246](info): TGS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.201.9: ISSUE: authtime 1316446023, etypes {rep=18 tkt=18 ses=18}, admin at PDH.CSP for host/ews1.pdh.csp at PDH.CSP On Mon, Sep 19, 2011 at 11:13 AM, Simo Sorce wrote: > On Mon, 2011-09-19 at 10:58 -0400, Jimmy wrote: > > I think you're on to something here. I just reset the user's password > > on IPA and get the "password expired" message but I get that > > regardless of what I enter for the user's password. 
I'm confused as to > > why I can make the user auth work with a normal KDC but I'm having so > > much trouble with IPA-KDC. Going to wipe the Win7 config and start > > fresh on that system. > > Not sure why you are having trouble, the KDC component of IPA is a stock > MIT KDC with LDAP backend. > > > Simo. > > -- > Simo Sorce * Red Hat, Inc * New York From simo at redhat.com Mon Sep 19 15:40:53 2011 From: simo at redhat.com (Simo Sorce) Date: Mon, 19 Sep 2011 11:40:53 -0400 Subject: [Freeipa-users] Windows client logon In-Reply-To: References: <4E6FB850.1080704@redhat.com> <4E70B53C.8020002@redhat.com> <1316144980.2684.421.camel@willson.li.ssimo.org> <1316180137.2684.443.camel@willson.li.ssimo.org> <4E73B56F.9040603@redhat.com> <1316210145.2684.462.camel@willson.li.ssimo.org> <1316442706.2684.473.camel@willson.li.ssimo.org> <1316445183.2684.477.camel@willson.li.ssimo.org> Message-ID: <1316446853.2684.479.camel@willson.li.ssimo.org> On Mon, 2011-09-19 at 11:33 -0400, Jimmy wrote: > I just found that the FreeIPA user 'admin' can log in with no issues > on the Windows system, with no changes from the config that I was > attempting to use with a newly created IPA user. So authentication > from the workstation works if the user has a known, non-expired > password. It seems the kpasswd function is not working. Verify that the ipa_kpasswd daemon is working. However you can workaround the issue for now by performing a kinit on the ipa server as soon as you give it a password, and changing it to something you are ok with. This way the user will have a valid not-expired password. Simo. -- Simo Sorce * Red Hat, Inc * New York From g17jimmy at gmail.com Mon Sep 19 18:51:34 2011 
From: g17jimmy at gmail.com (Jimmy) Date: Mon, 19 Sep 2011 14:51:34 -0400 Subject: [Freeipa-users] Windows client logon In-Reply-To: <1316453562.2684.494.camel@willson.li.ssimo.org> References: <4E6FB850.1080704@redhat.com> <4E70B53C.8020002@redhat.com> <1316144980.2684.421.camel@willson.li.ssimo.org> <1316180137.2684.443.camel@willson.li.ssimo.org> <4E73B56F.9040603@redhat.com> <1316210145.2684.462.camel@willson.li.ssimo.org> <1316442706.2684.473.camel@willson.li.ssimo.org> <1316445183.2684.477.camel@willson.li.ssimo.org> <1316446853.2684.479.camel@willson.li.ssimo.org> <1316450267.2684.489.camel@willson.li.ssimo.org> <1316453562.2684.494.camel@willson.li.ssimo.org> Message-ID: It's weird that the 'admin' IPA user worked until I changed the password. I'm working on getting a WinXP system to test with now. On Mon, Sep 19, 2011 at 1:32 PM, Simo Sorce wrote: > On Mon, 2011-09-19 at 13:05 -0400, Jimmy wrote: > > Once I changed the password for 'admin' I now get this error on the > > windows system: > > > > > > > > Insufficient system resources exist to complete the requested service > > > > > > and get this in the log no matter if I use the correct(changed) > > password or if I use a known bad password: > > Sep 19 17:01:19 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (7 etypes > > {18 17 23 3 1 24 -135}) 192.168.201.9: NEEDED_PREAUTH: admin at PDH.CSP > > for krbtgt/PDH.CSP at PDH.CSP, Additional pre-authentication required > > > > > > I even deleted the user and all associated profile information on the > > windows system and still it won't work any more. > > > > > Ok somehow we generate a key the windows client doesn't like or know how > to work with. While MIT's clients are just fine with. > The way we generate keys is by setting a special random seed that is > handed back to the client when the preauth error is generated, perhaps > Windows is not liking what it sees ? > > Any chance you can try with an older client, I wonder if it is a > regression in win7 ? 
> > Simo. > > -- > Simo Sorce * Red Hat, Inc * New York From g17jimmy at gmail.com Mon Sep 19 19:53:57 2011 
From: g17jimmy at gmail.com (Jimmy) Date: Mon, 19 Sep 2011 15:53:57 -0400 Subject: [Freeipa-users] Windows client logon In-Reply-To: <1316453562.2684.494.camel@willson.li.ssimo.org> References: <4E6FB850.1080704@redhat.com> <4E70B53C.8020002@redhat.com> <1316144980.2684.421.camel@willson.li.ssimo.org> <1316180137.2684.443.camel@willson.li.ssimo.org> <4E73B56F.9040603@redhat.com> <1316210145.2684.462.camel@willson.li.ssimo.org> <1316442706.2684.473.camel@willson.li.ssimo.org> <1316445183.2684.477.camel@willson.li.ssimo.org> <1316446853.2684.479.camel@willson.li.ssimo.org> <1316450267.2684.489.camel@willson.li.ssimo.org> <1316453562.2684.494.camel@willson.li.ssimo.org> Message-ID: I have a WinXP client configured to authenticate now but it looks like FreeIPA is sending the ticket encrypted with AES and XP does not support AES. The user is getting authenticated, just not able to decrypt the ticket. Sep 19 19:50:36 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 192.168.201.150: NEEDED_PREAUTH: oper at PDH.CSP for krbtgt/PDH.CSP at PDH.CSP, Additional pre-authentication required Sep 19 19:50:36 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (1 etypes {23}) 192.168.201.150: ISSUE: authtime 1316461836, etypes {rep=23 tkt=18 ses=23}, oper at PDH.CSP for krbtgt/PDH.CSP at PDH.CSP Sep 19 19:50:37 csp-idm.pdh.csp krb5kdc[1246](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 192.168.201.150: ISSUE: authtime 1316461836, etypes {rep=23 tkt=18 ses=23}, oper at PDH.CSP for host/crm1.pdh.csp at PDH.CSP On Mon, Sep 19, 2011 at 1:32 PM, Simo Sorce wrote: > On Mon, 2011-09-19 at 13:05 -0400, Jimmy wrote: > > Once I changed the password for 'admin' I now get this error on the > > windows system: > > > > > > > > Insufficient system resources exist to complete the requested service > > > > > > and get this in the log no matter if I use the correct(changed) > > password or if I use a known bad password: > > Sep 19 17:01:19 csp-idm.pdh.csp 
krb5kdc[1246](info): AS_REQ (7 etypes > > {18 17 23 3 1 24 -135}) 192.168.201.9: NEEDED_PREAUTH: admin at PDH.CSP > > for krbtgt/PDH.CSP at PDH.CSP, Additional pre-authentication required > > > > > > I even deleted the user and all associated profile information on the > > windows system and still it won't work any more. > > > > > Ok somehow we generate a key the windows client doesn't like or know how > to work with. While MIT's clients are just fine with. > The way we generate keys is by setting a special random seed that is > handed back to the client when the preauth error is generated, perhaps > Windows is not liking what it sees ? > > Any chance you can try with an older client, I wonder if it is a > regression in win7 ? > > Simo. > > -- > Simo Sorce * Red Hat, Inc * New York From simo at redhat.com Mon Sep 19 20:03:06 2011 
From: simo at redhat.com (Simo Sorce) Date: Mon, 19 Sep 2011 16:03:06 -0400 Subject: [Freeipa-users] Windows client logon In-Reply-To: References: <4E6FB850.1080704@redhat.com> <4E70B53C.8020002@redhat.com> <1316144980.2684.421.camel@willson.li.ssimo.org> <1316180137.2684.443.camel@willson.li.ssimo.org> <4E73B56F.9040603@redhat.com> <1316210145.2684.462.camel@willson.li.ssimo.org> <1316442706.2684.473.camel@willson.li.ssimo.org> <1316445183.2684.477.camel@willson.li.ssimo.org> <1316446853.2684.479.camel@willson.li.ssimo.org> <1316450267.2684.489.camel@willson.li.ssimo.org> <1316453562.2684.494.camel@willson.li.ssimo.org> Message-ID: <1316462586.2684.496.camel@willson.li.ssimo.org> On Mon, 2011-09-19 at 15:53 -0400, Jimmy wrote: > I have a WinXP client configured to authenticate now but it looks like > FreeIPA is sending the ticket encrypted with AES and XP does not > support AES. The user is getting authenticated, just not able to > decrypt the ticket. > > > > Sep 19 19:50:36 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (7 etypes > {23 -133 -128 3 1 24 -135}) 192.168.201.150: NEEDED_PREAUTH: > oper at PDH.CSP for krbtgt/PDH.CSP at PDH.CSP, Additional pre-authentication > required > Sep 19 19:50:36 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (1 etypes > {23}) 192.168.201.150: ISSUE: authtime 1316461836, etypes {rep=23 > tkt=18 ses=23}, oper at PDH.CSP for krbtgt/PDH.CSP at PDH.CSP > Sep 19 19:50:37 csp-idm.pdh.csp krb5kdc[1246](info): TGS_REQ (7 etypes > {23 -133 -128 3 1 24 -135}) 192.168.201.150: ISSUE: authtime > 1316461836, etypes {rep=23 tkt=18 ses=23}, oper at PDH.CSP for > host/crm1.pdh.csp at PDH.CSP > Yes, this looks weird, as the client clearly does not list etype 18 ... Sounds like an MIT bug. But also confirms something funny is going on with Windows 7 and AES. I will see what we can do about that with upstream. Simo. 
> > On Mon, Sep 19, 2011 at 1:32 PM, Simo Sorce wrote: > On Mon, 2011-09-19 at 13:05 -0400, Jimmy wrote: > > Once I changed the password for 'admin' I now get this error > on the > > windows system: > > > > > > > > Insufficient system resources exist to complete the > requested service > > > > > > and get this in the log no matter if I use the > correct(changed) > > password or if I use a known bad password: > > Sep 19 17:01:19 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ > (7 etypes > > {18 17 23 3 1 24 -135}) 192.168.201.9: NEEDED_PREAUTH: > admin at PDH.CSP > > for krbtgt/PDH.CSP at PDH.CSP, Additional pre-authentication > required > > > > > > I even deleted the user and all associated profile > information on the > > windows system and still it won't work any more. > > > > > > Ok somehow we generate a key the windows client doesn't like > or know how > to work with. While MIT's clients are just fine with. > The way we generate keys is by setting a special random seed > that is > handed back to the client when the preauth error is generated, > perhaps > Windows is not liking what it sees ? > > Any chance you can try with an older client, I wonder if it is > a > regression in win7 ? > > Simo. > > -- > Simo Sorce * Red Hat, Inc * New York > > > -- Simo Sorce * Red Hat, Inc * New York From simo at redhat.com Mon Sep 19 20:05:23 2011 
From: simo at redhat.com (Simo Sorce) Date: Mon, 19 Sep 2011 16:05:23 -0400 Subject: [Freeipa-users] Windows client logon In-Reply-To: References: <4E6FB850.1080704@redhat.com> <4E70B53C.8020002@redhat.com> <1316144980.2684.421.camel@willson.li.ssimo.org> <1316180137.2684.443.camel@willson.li.ssimo.org> <4E73B56F.9040603@redhat.com> <1316210145.2684.462.camel@willson.li.ssimo.org> <1316442706.2684.473.camel@willson.li.ssimo.org> <1316445183.2684.477.camel@willson.li.ssimo.org> <1316446853.2684.479.camel@willson.li.ssimo.org> <1316450267.2684.489.camel@willson.li.ssimo.org> <1316453562.2684.494.camel@willson.li.ssimo.org> Message-ID: <1316462723.2684.497.camel@willson.li.ssimo.org> I wonder if changing the defaults to exclude the use of AES would help in your case. Not ideal, but apparently something funny is going on there. Simo. On Mon, 2011-09-19 at 15:53 -0400, Jimmy wrote: > I have a WinXP client configured to authenticate now but it looks like > FreeIPA is sending the ticket encrypted with AES and XP does not > support AES. The user is getting authenticated, just not able to > decrypt the ticket. 
> > > > Sep 19 19:50:36 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (7 etypes > {23 -133 -128 3 1 24 -135}) 192.168.201.150: NEEDED_PREAUTH: > oper at PDH.CSP for krbtgt/PDH.CSP at PDH.CSP, Additional pre-authentication > required > Sep 19 19:50:36 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (1 etypes > {23}) 192.168.201.150: ISSUE: authtime 1316461836, etypes {rep=23 > tkt=18 ses=23}, oper at PDH.CSP for krbtgt/PDH.CSP at PDH.CSP > Sep 19 19:50:37 csp-idm.pdh.csp krb5kdc[1246](info): TGS_REQ (7 etypes > {23 -133 -128 3 1 24 -135}) 192.168.201.150: ISSUE: authtime > 1316461836, etypes {rep=23 tkt=18 ses=23}, oper at PDH.CSP for > host/crm1.pdh.csp at PDH.CSP > > > > On Mon, Sep 19, 2011 at 1:32 PM, Simo Sorce wrote: > On Mon, 2011-09-19 at 13:05 -0400, Jimmy wrote: > > Once I changed the password for 'admin' I now get this error > on the > > windows system: > > > > > > > > Insufficient system resources exist to complete the > requested service > > > > > > and get this in the log no matter if I use the > correct(changed) > > password or if I use a known bad password: > > Sep 19 17:01:19 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ > (7 etypes > > {18 17 23 3 1 24 -135}) 192.168.201.9: NEEDED_PREAUTH: > admin at PDH.CSP > > for krbtgt/PDH.CSP at PDH.CSP, Additional pre-authentication > required > > > > > > I even deleted the user and all associated profile > information on the > > windows system and still it won't work any more. > > > > > > Ok somehow we generate a key the windows client doesn't like > or know how > to work with. While MIT's clients are just fine with. > The way we generate keys is by setting a special random seed > that is > handed back to the client when the preauth error is generated, > perhaps > Windows is not liking what it sees ? > > Any chance you can try with an older client, I wonder if it is > a > regression in win7 ? > > Simo. 
> > -- > Simo Sorce * Red Hat, Inc * New York > > > -- Simo Sorce * Red Hat, Inc * New York From simo at redhat.com Mon Sep 19 20:14:32 2011 
From: simo at redhat.com (Simo Sorce) Date: Mon, 19 Sep 2011 16:14:32 -0400 Subject: [Freeipa-users] Windows client logon In-Reply-To: References: <4E6FB850.1080704@redhat.com> <4E70B53C.8020002@redhat.com> <1316144980.2684.421.camel@willson.li.ssimo.org> <1316180137.2684.443.camel@willson.li.ssimo.org> <4E73B56F.9040603@redhat.com> <1316210145.2684.462.camel@willson.li.ssimo.org> <1316442706.2684.473.camel@willson.li.ssimo.org> <1316445183.2684.477.camel@willson.li.ssimo.org> <1316446853.2684.479.camel@willson.li.ssimo.org> <1316450267.2684.489.camel@willson.li.ssimo.org> <1316453562.2684.494.camel@willson.li.ssimo.org> Message-ID: <1316463272.2684.499.camel@willson.li.ssimo.org> What error exactly do you get on the client side ? Simo. On Mon, 2011-09-19 at 15:53 -0400, Jimmy wrote: > I have a WinXP client configured to authenticate now but it looks like > FreeIPA is sending the ticket encrypted with AES and XP does not > support AES. The user is getting authenticated, just not able to > decrypt the ticket. 
> > > > Sep 19 19:50:36 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (7 etypes > {23 -133 -128 3 1 24 -135}) 192.168.201.150: NEEDED_PREAUTH: > oper at PDH.CSP for krbtgt/PDH.CSP at PDH.CSP, Additional pre-authentication > required > Sep 19 19:50:36 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (1 etypes > {23}) 192.168.201.150: ISSUE: authtime 1316461836, etypes {rep=23 > tkt=18 ses=23}, oper at PDH.CSP for krbtgt/PDH.CSP at PDH.CSP > Sep 19 19:50:37 csp-idm.pdh.csp krb5kdc[1246](info): TGS_REQ (7 etypes > {23 -133 -128 3 1 24 -135}) 192.168.201.150: ISSUE: authtime > 1316461836, etypes {rep=23 tkt=18 ses=23}, oper at PDH.CSP for > host/crm1.pdh.csp at PDH.CSP > > > > On Mon, Sep 19, 2011 at 1:32 PM, Simo Sorce wrote: > On Mon, 2011-09-19 at 13:05 -0400, Jimmy wrote: > > Once I changed the password for 'admin' I now get this error > on the > > windows system: > > > > > > > > Insufficient system resources exist to complete the > requested service > > > > > > and get this in the log no matter if I use the > correct(changed) > > password or if I use a known bad password: > > Sep 19 17:01:19 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ > (7 etypes > > {18 17 23 3 1 24 -135}) 192.168.201.9: NEEDED_PREAUTH: > admin at PDH.CSP > > for krbtgt/PDH.CSP at PDH.CSP, Additional pre-authentication > required > > > > > > I even deleted the user and all associated profile > information on the > > windows system and still it won't work any more. > > > > > > Ok somehow we generate a key the windows client doesn't like > or know how > to work with. While MIT's clients are just fine with. > The way we generate keys is by setting a special random seed > that is > handed back to the client when the preauth error is generated, > perhaps > Windows is not liking what it sees ? > > Any chance you can try with an older client, I wonder if it is > a > regression in win7 ? > > Simo. 
> > -- > Simo Sorce * Red Hat, Inc * New York > > > -- Simo Sorce * Red Hat, Inc * New York From g17jimmy at gmail.com Mon Sep 19 20:17:07 2011 
From: g17jimmy at gmail.com (Jimmy) Date: Mon, 19 Sep 2011 16:17:07 -0400 Subject: [Freeipa-users] Windows client logon In-Reply-To: <1316462723.2684.497.camel@willson.li.ssimo.org> References: <4E6FB850.1080704@redhat.com> <4E70B53C.8020002@redhat.com> <1316144980.2684.421.camel@willson.li.ssimo.org> <1316180137.2684.443.camel@willson.li.ssimo.org> <4E73B56F.9040603@redhat.com> <1316210145.2684.462.camel@willson.li.ssimo.org> <1316442706.2684.473.camel@willson.li.ssimo.org> <1316445183.2684.477.camel@willson.li.ssimo.org> <1316446853.2684.479.camel@willson.li.ssimo.org> <1316450267.2684.489.camel@willson.li.ssimo.org> <1316453562.2684.494.camel@willson.li.ssimo.org> <1316462723.2684.497.camel@willson.li.ssimo.org> Message-ID: According to this: http://mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-admin/Supported-Encryption-Types.html there are a ton of encryption options that XP does support, but I always get this error if I define anything specific in the keytab: Sep 19 20:09:30 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 192.168.201.150: NEEDED_PREAUTH: oper at PDH.CSP for krbtgt/PDH.CSP at PDH.CSP, Additional pre-authentication required Sep 19 20:09:30 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (1 etypes {23}) 192.168.201.150: ISSUE: authtime 1316462970, etypes {rep=23 tkt=18 ses=23}, oper at PDH.CSP for krbtgt/PDH.CSP at PDH.CSP Sep 19 20:09:31 csp-idm.pdh.csp krb5kdc[1246](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 192.168.201.150: BAD_ENCRYPTION_TYPE: authtime 0, oper at PDH.CSP for host/crm1.pdh.csp at PDH.CSP, KDC has no support for encryption type There is a fix for Win7. I have a technet article I will post the link as soon as I can. I had the Win7 system working with the freeipa 'admin' user before I changed the admin user password, now it's broken. The MIT KFW client can authenticate and get a ticket, but I need to get the native windows authentication working. 
Thanks From simo at redhat.com Mon Sep 19 20:17:36 2011 
From: simo at redhat.com (Simo Sorce) Date: Mon, 19 Sep 2011 16:17:36 -0400 Subject: [Freeipa-users] Windows client logon In-Reply-To: References: <4E6FB850.1080704@redhat.com> <4E70B53C.8020002@redhat.com> <1316144980.2684.421.camel@willson.li.ssimo.org> <1316180137.2684.443.camel@willson.li.ssimo.org> <4E73B56F.9040603@redhat.com> <1316210145.2684.462.camel@willson.li.ssimo.org> <1316442706.2684.473.camel@willson.li.ssimo.org> <1316445183.2684.477.camel@willson.li.ssimo.org> <1316446853.2684.479.camel@willson.li.ssimo.org> <1316450267.2684.489.camel@willson.li.ssimo.org> <1316453562.2684.494.camel@willson.li.ssimo.org> Message-ID: <1316463456.2684.501.camel@willson.li.ssimo.org> Ah, stupid me. When using Windows XP you must generate a keytab that does not use the AES enctype. If you include the AES enctype when generating keys for the host, you are telling the KDC that the host knows how to use AES. You should probably just use arcfour only for WinXP as that client only understands RC4 and DES, and DES is not worth using. Simo. On Mon, 2011-09-19 at 15:53 -0400, Jimmy wrote: > I have a WinXP client configured to authenticate now but it looks like > FreeIPA is sending the ticket encrypted with AES and XP does not > support AES. The user is getting authenticated, just not able to > decrypt the ticket. 
> > > > Sep 19 19:50:36 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (7 etypes > {23 -133 -128 3 1 24 -135}) 192.168.201.150: NEEDED_PREAUTH: > oper at PDH.CSP for krbtgt/PDH.CSP at PDH.CSP, Additional pre-authentication > required > Sep 19 19:50:36 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (1 etypes > {23}) 192.168.201.150: ISSUE: authtime 1316461836, etypes {rep=23 > tkt=18 ses=23}, oper at PDH.CSP for krbtgt/PDH.CSP at PDH.CSP > Sep 19 19:50:37 csp-idm.pdh.csp krb5kdc[1246](info): TGS_REQ (7 etypes > {23 -133 -128 3 1 24 -135}) 192.168.201.150: ISSUE: authtime > 1316461836, etypes {rep=23 tkt=18 ses=23}, oper at PDH.CSP for > host/crm1.pdh.csp at PDH.CSP > > > > On Mon, Sep 19, 2011 at 1:32 PM, Simo Sorce wrote: > On Mon, 2011-09-19 at 13:05 -0400, Jimmy wrote: > > Once I changed the password for 'admin' I now get this error > on the > > windows system: > > > > > > > > Insufficient system resources exist to complete the > requested service > > > > > > and get this in the log no matter if I use the > correct(changed) > > password or if I use a known bad password: > > Sep 19 17:01:19 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ > (7 etypes > > {18 17 23 3 1 24 -135}) 192.168.201.9: NEEDED_PREAUTH: > admin at PDH.CSP > > for krbtgt/PDH.CSP at PDH.CSP, Additional pre-authentication > required > > > > > > I even deleted the user and all associated profile > information on the > > windows system and still it won't work any more. > > > > > > Ok somehow we generate a key the windows client doesn't like > or know how > to work with. While MIT's clients are just fine with. > The way we generate keys is by setting a special random seed > that is > handed back to the client when the preauth error is generated, > perhaps > Windows is not liking what it sees ? > > Any chance you can try with an older client, I wonder if it is > a > regression in win7 ? > > Simo. 
> > -- > Simo Sorce * Red Hat, Inc * New York > > > -- Simo Sorce * Red Hat, Inc * New York From simo at redhat.com Mon Sep 19 20:36:00 2011 
From: simo at redhat.com (Simo Sorce) Date: Mon, 19 Sep 2011 16:36:00 -0400 Subject: [Freeipa-users] Windows client logon In-Reply-To: References: <4E6FB850.1080704@redhat.com> <4E70B53C.8020002@redhat.com> <1316144980.2684.421.camel@willson.li.ssimo.org> <1316180137.2684.443.camel@willson.li.ssimo.org> <4E73B56F.9040603@redhat.com> <1316210145.2684.462.camel@willson.li.ssimo.org> <1316442706.2684.473.camel@willson.li.ssimo.org> <1316445183.2684.477.camel@willson.li.ssimo.org> <1316446853.2684.479.camel@willson.li.ssimo.org> <1316450267.2684.489.camel@willson.li.ssimo.org> <1316453562.2684.494.camel@willson.li.ssimo.org> <1316462723.2684.497.camel@willson.li.ssimo.org> Message-ID: <1316464560.2684.504.camel@willson.li.ssimo.org> On Mon, 2011-09-19 at 16:17 -0400, Jimmy wrote: > According to this: > http://mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-admin/Supported-Encryption-Types.html there are a ton of encryption options that XP does support, but I always get this error if I define anything specific in the keytab: I know for a fact that stock WinXP supports only RC4 and DES, no 3DES nor AES support there. If you create the host keytab with only RC4 you should be able to make WinXP happy. > Sep 19 20:09:30 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (7 etypes > {23 -133 -128 3 1 24 -135}) 192.168.201.150: NEEDED_PREAUTH: > oper at PDH.CSP for krbtgt/PDH.CSP at PDH.CSP, Additional pre-authentication > required > Sep 19 20:09:30 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (1 etypes > {23}) 192.168.201.150: ISSUE: authtime 1316462970, etypes {rep=23 > tkt=18 ses=23}, oper at PDH.CSP for krbtgt/PDH.CSP at PDH.CSP > Sep 19 20:09:31 csp-idm.pdh.csp krb5kdc[1246](info): TGS_REQ (7 etypes > {23 -133 -128 3 1 24 -135}) 192.168.201.150: BAD_ENCRYPTION_TYPE: > authtime 0, oper at PDH.CSP for host/crm1.pdh.csp at PDH.CSP, KDC has no > support for encryption type > > There is a fix for Win7. I have a technet article I will post the link > as soon as I can. 
Yes please let me know the link, I will try to investigate any Win7/W2K8 issues with AES and random salts asap, but not this week probably. > I had the Win7 system working with the freeipa 'admin' user before I > changed the admin user password, now it's broken. The MIT KFW client > can authenticate and get a ticket, but I need to get the native > windows authentication working. Understood. If AES is the issue, you could reconfigure FreeIPA to not allow AES, not ideal, but it would be the fastest solution. Although it will probably require also to change all passwords. Simo. -- Simo Sorce * Red Hat, Inc * New York From g17jimmy at gmail.com Mon Sep 19 20:44:57 2011 From: g17jimmy at gmail.com (Jimmy) Date: Mon, 19 Sep 2011 16:44:57 -0400 Subject: [Freeipa-users] Windows client logon In-Reply-To: <1316464560.2684.504.camel@willson.li.ssimo.org> References: <4E6FB850.1080704@redhat.com> <4E70B53C.8020002@redhat.com> <1316144980.2684.421.camel@willson.li.ssimo.org> <1316180137.2684.443.camel@willson.li.ssimo.org> <4E73B56F.9040603@redhat.com> <1316210145.2684.462.camel@willson.li.ssimo.org> <1316442706.2684.473.camel@willson.li.ssimo.org> <1316445183.2684.477.camel@willson.li.ssimo.org> <1316446853.2684.479.camel@willson.li.ssimo.org> <1316450267.2684.489.camel@willson.li.ssimo.org> <1316453562.2684.494.camel@willson.li.ssimo.org> <1316462723.2684.497.camel@willson.li.ssimo.org> <1316464560.2684.504.camel@willson.li.ssimo.org> Message-ID: You are correct. As soon as I set the WinXP machine to arcfour-hmac it's working to authenticate all users against the FreeIPA realm. I just went into gpedit.msc on the Win7 system and set it to only do rc4-hmac-md5 and maybe that will fix it, too. From g17jimmy at gmail.com Mon Sep 19 20:52:52 2011 
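The enctype triage that Simo and Jimmy did by eye on the krb5kdc lines above, written out as an added example (my code, not code from the thread or from FreeIPA). It parses AS_REQ/TGS_REQ log lines, flags BAD_ENCRYPTION_TYPE (no key for the service in any enctype the client offered), flags a service ticket sealed with an enctype the requesting workstation never offered (the WinXP case above, where host/crm1 had an AES key it could not use), and lists clients that never offer AES at all. The etype numbers are the standard RFC 3961/3962/8009 assignments; treating the negative numbers Windows sends as legacy Microsoft private enctypes is an assumption, and the sample lines are re-typed from the thread with "at" restored to "@".

```python
"""Triage krb5kdc log lines for enctype negotiation problems (added example).

The KDC logs the enctypes each client offers and the rep/tkt/ses enctypes it
issues; comparing them shows why a Windows XP box (RC4/DES only) chokes on a
host keytab that carries an AES key, and which clients never offer AES at all.
"""
import re

# RFC 3961/3962/8009 enctype numbers.  Negative values are Microsoft private
# enctypes sent by Windows clients; this example assumes they are legacy
# RC4/DES variants and never counts them as strong.
ETYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    19: "aes128-cts-hmac-sha256-128", 20: "aes256-cts-hmac-sha384-192",
    23: "rc4-hmac", 24: "rc4-hmac-exp",
}
STRONG = {17, 18, 19, 20}  # AES family; everything else is treated as legacy

LINE_RE = re.compile(
    r"krb5kdc\[\d+\]\(info\): (?P<req>AS_REQ|TGS_REQ) "
    r"\(\d+ etypes \{(?P<offered>[-\d ]*)\}\) (?P<ip>\S+): "
    r"(?P<status>[A-Z_]+): (?P<rest>.*)$"
)
ISSUE_RE = re.compile(r"etypes \{rep=(?P<rep>-?\d+) tkt=(?P<tkt>-?\d+) ses=(?P<ses>-?\d+)\}")
PRINC_RE = re.compile(r"(?P<client>[^\s,]+) for (?P<server>[^\s,]+)")


def etype_name(etype):
    if etype in ETYPE_NAMES:
        return ETYPE_NAMES[etype]
    return "ms-private-legacy" if etype < 0 else f"etype-{etype}"


def parse_line(line):
    """Return a dict for an AS_REQ/TGS_REQ log line, or None for anything else."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["offered"] = [int(x) for x in rec["offered"].split()]
    p = PRINC_RE.search(rec["rest"])
    rec["client"], rec["server"] = (p.group("client"), p.group("server")) if p else (None, None)
    i = ISSUE_RE.search(rec["rest"])
    rec["issued"] = {k: int(v) for k, v in i.groupdict().items()} if i else None
    return rec


def analyze(lines):
    """Emit findings: no key in a client-supported enctype, a service ticket the
    workstation itself cannot decrypt, and clients that never offer AES."""
    findings, legacy_seen = [], set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        offered = set(rec["offered"])
        base = {"ip": rec["ip"], "client": rec["client"], "server": rec["server"]}
        if rec["status"] == "BAD_ENCRYPTION_TYPE":
            findings.append({**base, "category": "no_common_etype", "detail":
                f"{rec['server']} has no key in any enctype the client offered "
                f"({', '.join(etype_name(e) for e in rec['offered'])}); regenerate its "
                "keytab (ipa-getkeytab -e ...) with an enctype this client supports"})
        if not offered & STRONG and rec["ip"] not in legacy_seen:
            legacy_seen.add(rec["ip"])
            findings.append({**base, "category": "legacy_only_client", "detail":
                "client never offers AES; it is RC4/DES only (old OS or AES disabled by policy)"})
        # The ticket is sealed with the service's key.  For workstation logon the
        # requesting machine *is* the service (host/<itself>), so a tkt enctype the
        # client did not offer means it cannot decrypt its own service ticket.
        if rec["req"] == "TGS_REQ" and rec["issued"] and rec["issued"]["tkt"] not in offered:
            findings.append({**base, "category": "tkt_etype_not_offered", "detail":
                f"service ticket for {rec['server']} issued with "
                f"{etype_name(rec['issued']['tkt'])}, which the client did not offer"})
    return findings


# Sample lines re-typed from the thread ("at" restored to "@"); not a live log.
SAMPLE_LOG = [
    "Sep 19 15:27:03 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.201.9: NEEDED_PREAUTH: admin@PDH.CSP for krbtgt/PDH.CSP@PDH.CSP, Additional pre-authentication required",
    "Sep 19 15:27:03 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.201.9: ISSUE: authtime 1316446023, etypes {rep=18 tkt=18 ses=18}, admin@PDH.CSP for krbtgt/PDH.CSP@PDH.CSP",
    "Sep 19 19:50:36 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (1 etypes {23}) 192.168.201.150: ISSUE: authtime 1316461836, etypes {rep=23 tkt=18 ses=23}, oper@PDH.CSP for krbtgt/PDH.CSP@PDH.CSP",
    "Sep 19 19:50:37 csp-idm.pdh.csp krb5kdc[1246](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 192.168.201.150: ISSUE: authtime 1316461836, etypes {rep=23 tkt=18 ses=23}, oper@PDH.CSP for host/crm1.pdh.csp@PDH.CSP",
    "Sep 19 20:09:31 csp-idm.pdh.csp krb5kdc[1246](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 192.168.201.150: BAD_ENCRYPTION_TYPE: authtime 0, oper@PDH.CSP for host/crm1.pdh.csp@PDH.CSP, KDC has no support for encryption type",
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['category']:24} {f['ip']:16} {f['client']}: {f['detail']}")
```

Run it against `/var/log/krb5kdc.log` and the three findings it raises for 192.168.201.150 are exactly the sequence in the thread: the XP client is RC4-only, its host/crm1 ticket was sealed with aes256 it never offered, and once the keytab was regenerated with a mismatched enctype the KDC answered BAD_ENCRYPTION_TYPE. The tkt check is only meaningful for workstation-logon style requests where the requester is also the service; for a user fetching a ticket to some other server, a tkt enctype outside the client's list is normal.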
From: g17jimmy at gmail.com (Jimmy) Date: Mon, 19 Sep 2011 16:52:52 -0400 Subject: [Freeipa-users] Windows client logon In-Reply-To: References: <4E6FB850.1080704@redhat.com> <4E70B53C.8020002@redhat.com> <1316144980.2684.421.camel@willson.li.ssimo.org> <1316180137.2684.443.camel@willson.li.ssimo.org> <4E73B56F.9040603@redhat.com> <1316210145.2684.462.camel@willson.li.ssimo.org> <1316442706.2684.473.camel@willson.li.ssimo.org> <1316445183.2684.477.camel@willson.li.ssimo.org> <1316446853.2684.479.camel@willson.li.ssimo.org> <1316450267.2684.489.camel@willson.li.ssimo.org> <1316453562.2684.494.camel@willson.li.ssimo.org> <1316462723.2684.497.camel@willson.li.ssimo.org> <1316464560.2684.504.camel@willson.li.ssimo.org> Message-ID: That fixed Win7. Now I'm going to enable AES on Win7 to see if it breaks again. On Mon, Sep 19, 2011 at 4:44 PM, Jimmy wrote: > You are correct. As soon as I set the WinXP machine to arcfour-hmac it's > working to authenticate all users against the FreeIPA realm. I just went > into gpedit.msc on the Win7 system and set it to only do rc4-hmac-md5 and > maybe that will fix it, too. From g17jimmy at gmail.com Mon Sep 19 21:31:21 2011 
From: g17jimmy at gmail.com (Jimmy) Date: Mon, 19 Sep 2011 17:31:21 -0400 Subject: [Freeipa-users] Windows client logon In-Reply-To: References: <4E6FB850.1080704@redhat.com> <4E70B53C.8020002@redhat.com> <1316144980.2684.421.camel@willson.li.ssimo.org> <1316180137.2684.443.camel@willson.li.ssimo.org> <4E73B56F.9040603@redhat.com> <1316210145.2684.462.camel@willson.li.ssimo.org> <1316442706.2684.473.camel@willson.li.ssimo.org> <1316445183.2684.477.camel@willson.li.ssimo.org> <1316446853.2684.479.camel@willson.li.ssimo.org> <1316450267.2684.489.camel@willson.li.ssimo.org> <1316453562.2684.494.camel@willson.li.ssimo.org> <1316462723.2684.497.camel@willson.li.ssimo.org> <1316464560.2684.504.camel@willson.li.ssimo.org> Message-ID: I can't find the technet article right now, but here's what I did that makes Win7 work. Run gpedit.msc. Under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options open the key called "Network Security: Configure encryption types allowed for Kerberos", unselect everything except RC4_HMAC_MD5 and reboot. Step by step instructions below. AES worked at first for me but that was only for the IPA user `admin` and even that broke after I changed the `admin` password using the windows change password dialog. I will be submitting that tracefile and log to MS to see what might be happening.

On FreeIPA:
i. create the host principal in the web interface
ii. create IPA users to correspond to windows users
iii. reset the user's IPA password to a known password using the web interface, the user will be prompted to change at first log in. (is there a default password or is this random? sorry if that's somewhere else in docs and I missed it)
iv. on the IPA server run `ipa-getkeytab -s [kdc DNS name] -p host/[machine-name] -e arcfour-hmac -k krb5.keytab.[machine-name] -P`

Configure windows ksetup:
i. ksetup /setdomain [REALM NAME]
ii. ksetup /addkdc [REALM NAME] [kdc DNS name]
iii. ksetup /addkpassword [REALM NAME] [kdc DNS name]
iv. ksetup /setcomputerpassword [PASSWORD]
v. ksetup /mapuser * *
vi. Run gpedit.msc. Under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options open the key called "Network Security: Configure encryption types allowed for Kerberos", unselect everything except RC4_HMAC_MD5
vii. *** REBOOT ***
viii. log in as [user]@[REALM] with the initial password, you will be prompted to change the password then logged in.

From janfrode at tanso.net Tue Sep 20 13:18:01 2011 From: janfrode at tanso.net (Jan-Frode Myklebust) Date: Tue, 20 Sep 2011 15:18:01 +0200 Subject: [Freeipa-users] password migration Message-ID: <20110920131801.GA17428@oc1046828364.ibm.com> We have an existing user database managed by Sun Identity Manager, which populates a centos-directory-server. The users in the directory server have all passwords hashed with SSHA, and "ipa migrate-ds" told me that the passwords have been migrated in pre-hashed format. Luckily Sun Identity Manager has the plain text passwords hidden away somewhere, and should let me change hash algorithm. For the selection of password hash algorithm, it says: Password Hash Algorithm ------------------------- Indicates the algorithm that the system should use to hash the password. Currently supported values are SSHA, SHA, SMD5, and MD5. A value of NONE or no value indicates that the system will not hash passwords. This will cause cleartext passwords to be stored in LDAP unless the LDAP server performs the hash (Netscape Directory Server and iPlanet Directory Server do). Will the ipa-migration handle any of these formats? Which would be the preferred? -jf From dpal at redhat.com Tue Sep 20 13:59:16 2011 
From: dpal at redhat.com (Dmitri Pal) Date: Tue, 20 Sep 2011 09:59:16 -0400 Subject: [Freeipa-users] password migration In-Reply-To: <20110920131801.GA17428@oc1046828364.ibm.com> References: <20110920131801.GA17428@oc1046828364.ibm.com> Message-ID: <4E789C34.5040800@redhat.com> On 09/20/2011 09:18 AM, Jan-Frode Myklebust wrote: > We have an existing user database managed by Sun Identity Manager, > which populates a centos-directory-server. The users in the directory > server have all passwords hassed with SSHA, and "ipa migrate-ds" told me > that the passwords has been migrated in pre-hashed format. > > Luckily Sun Identity Manager has the plain text passwords hidden away > somewhere, and should let me change hash algorithm. For the selection > of password hash algorithm, it says: > > Password Hash Algorithm > ------------------------- > Indicates the algorithm that the system should use to hash the password. > Currently supported values are SSHA, SHA, SMD5, and MD5. A value of NONE > or no value indicates that the system will not hash passwords. This will > cause cleartext passwords to be stored in LDAP unless the LDAP server > performs the hash (Netscape Directory Server and iPlanet Directory > Server do). > > Will the ipa-migration handle any of these formats ? Which would be the > preferred ? > I am not sure it keeps it in clear internally anywhere. Password is always hashed unless you explicitly set it to be cleartext in the setting above. The problem is not with password hash but with Kerberos password. While your LDAP hashes most likely will be migrated and supported you will still be missing kerberos hashes. To create these hashes in IPA one has three options: 1) Reset passwords in IPA and let users set them. 2) After importing users turn on the password set screen and point users to this web page to pass authentication. IPA will capture password, make sure it matches ldap hash and will generate the Kerberos hash. 
3) After importing users use SSSD in migration mode (special setting in SSSD config). In this case for any user without kerberos hash who would log via SSSD the SSSD would connect IPA in a special way and trigger the Kerberos hash generation. > -jf > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From sgallagh at redhat.com Tue Sep 20 14:18:13 2011 
From: sgallagh at redhat.com (Stephen Gallagher) Date: Tue, 20 Sep 2011 10:18:13 -0400 Subject: [Freeipa-users] password migration In-Reply-To: <4E789C34.5040800@redhat.com> References: <20110920131801.GA17428@oc1046828364.ibm.com> <4E789C34.5040800@redhat.com> Message-ID: <1316528294.2425.12.camel@sgallagh520.bos.redhat.com> On Tue, 2011-09-20 at 09:59 -0400, Dmitri Pal wrote: > 3) After importing users use SSSD in migration mode (special setting in > SSSD config). In this case for any user without kerberos hash who would > log via SSSD the SSSD would connect IPA in a special way and trigger the > Kerberos hash generation. Migration mode in SSSD is not a client-side configuration. We ask the FreeIPA server whether migration is active. Specifically, the way SSSD behaves is as follows: 1) Try to authenticate with Kerberos. If Kerberos responds that there's no hash for this user, 2) Ask FreeIPA if migration mode is enabled, if it is, 3) Try to bind to FreeIPA LDAP using the same password. If this succeeds, we know that the password is valid 4) Initiate a kerberos password-change to set the kerberos password equal to the LDAP password. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 198 bytes Desc: This is a digitally signed message part URL: From sigbjorn at nixtra.com Wed Sep 21 18:30:03 2011 
From: sigbjorn at nixtra.com (Sigbjorn Lie) Date: Wed, 21 Sep 2011 20:30:03 +0200 Subject: [Freeipa-users] Add user -> custom script In-Reply-To: <4E7746CF.70903@redhat.com> References: <4E7255C4.2030406@nixtra.com> <4E72593C.4030600@redhat.com> <4E725CB0.7080807@nixtra.com> <4E72E00A.4060007@redhat.com> <20110916082905.GB31677@redhat.com> <4E73B86D.5020800@nixtra.com> <4E73BD08.3010308@redhat.com> <60215.192.168.211.60.1316211010.squirrel@www.nixtra.com> <4E7746CF.70903@redhat.com> Message-ID: <4E7A2D2B.10701@nixtra.com>

On 09/19/2011 03:42 PM, Rob Crittenden wrote:
> Sigbjorn Lie wrote:
>>
>> On Fri, September 16, 2011 23:18, Rob Crittenden wrote:
>>> Sigbjorn Lie wrote:
>>>
>>>> On 09/16/2011 10:29 AM, Alexander Bokovoy wrote:
>>>>
>>>>> On Fri, 16 Sep 2011, Dmitri Pal wrote:
>>>>>
>>>>>> On 09/15/2011 04:14 PM, Sigbjorn Lie wrote:
>>>>>>
>>>>>>> On 09/15/2011 09:59 PM, Dmitri Pal wrote:
>>>>>>>
>>>>>>>> On 09/15/2011 03:45 PM, Sigbjorn Lie wrote:
>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> Is there a custom script hook for when a user account is added using
>>>>>>>>> either the cli, webui, or the winsync module?
>>>>>>>>>
>>>>>>>>> I have a custom script I run when creating a user account, and having
>>>>>>>>> this run automatically by IPA would make my life a lot easier.
>>>>>>>>>
>>>>>>>> Can you describe what kind of operations you need to do?
>>>>>>>> Have you looked at the automembership plugin?
>>>>>>>>
>>>>>>> I'm doing a SSH login on to a filer, creating a home folder ZFS
>>>>>>> dataset for the new user, setting quota and ACL on the newly
>>>>>>> created dataset, and adding files from a skeleton folder into the home folder.
>>>>>>>
>>>>>> It might be a stupid question but... you seem to do all the operation
>>>>>> described above on the filer. I am not quite clear what part of
>>>>>> it, if any, needs to be run on the server side, I mean on the IPA. Or you actually want to be
>>>>>> able to create an account on the server side and make it trapped and send the event to the
>>>>>> filer and run a script there?
>>>>>>
>>>>>> We can't do it now. AFAIR there was a ticket about something like this
>>>>>> in the deferred bucket... Could not find it... But I remember a
>>>>>> discussion. We might need to file a ticket to track this but sounds like something that will
>>>>>> take a lot of time to accomplish.
>>>>> Attached untested patch is a proof of concept. If /etc/ipa/server.conf
>>>>> has following setting:
>>>>>
>>>>> ipa_user_script=/path/to/script
>>>>>
>>>>> then during add/delete/modify of an user, it will be called with add/del/mod as first
>>>>> parameter and user's dn as second. Result of the call is ignored but return from IPA server is
>>>>> blocked by the execution so be quick in ipa_user_script!
>>>>>
>>>>
>>>> I got the patch installed OK, env variable set, and the script is being
>>>> run when I do user modifications. Great! :) But the action (add/del/mod) and the dn are not being
>>>> supplied as arguments.
>>>>
>>>> For testing's sake I've made a very simple script just to capture the
>>>> env variables.
>>>>
>>>> Do you have any suggestion to why the arguments are not getting supplied
>>>> to the script?
>>>>
>>>> #!/bin/bash
>>>>
>>>> echo "a:$1 u:$2" >> /tmp/ipa_custom_$$
>>>> env >> /tmp/ipa_custom_$$
>>>
>>> The ipautil.run invocation should be:
>>>
>>> ipautil.run([self.api.env.ipa_user_script,"add", dn])
>>>
>>> In other words, the whole thing needs to be in the list.
>>>
>>> Note that a cleaner way of adding this without having to modify
>>> ipa-provided files would be to write an extension plugin that does
>>> this (untested):
>>>
>>> from ipalib.plugins.user import user_add
>>>
>>> def script_post_add_callback(inst, ldap, dn, attrs_list, *keys, **options):
>>>     inst.log.info('User added')
>>>     if 'ipa_user_script' in inst.api.env:
>>>         try:
>>>             ipautil.run([inst.api.env.ipa_user_script, "add", dn])
>>>         except:
>>>             pass
>>>     return dn
>>>
>>> user_add.register_post_callback(script_post_add_callback)
>>>
>>> Stick that into a file and drop it into the directory with the other
>>> plugins and restart Apache and that should do it.
>>>
>>> rob
>>>
>>
>> I reverted the patched user.py file back to the unpatched user.py file.
>>
>> I called the script you provided custom.py, and I've tried copying it to
>> /usr/lib/python2.7/site-packages/ipalib/plugins and
>> /usr/lib/python2.7/site-packages/ipaserver/plugins. Then I restarted
>> httpd and tomcat6. Now the script is not called anymore.
>>
>> Should the script be put anywhere else? Anything I didn't do?
>>
> It needs to be in ipalib/plugins.
>
> Add:
>
> from ipapython import ipautil

Works perfectly! Thanks! :)

From ijstokes at hkl.hms.harvard.edu Wed Sep 21 19:58:21 2011
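To make the point of this thread concrete, here is an added example of a hook runner (written for this page; it is not FreeIPA's ipautil.run nor the plugin quoted above). It passes the action and the DN as separate argv elements, as Rob insisted, and in addition bounds the run time, since Alexander noted that the IPA request is blocked until the script returns. run_user_hook and demo are names chosen here; demo writes the throwaway test script from the thread to a temporary file and runs it through /bin/sh.

```python
"""Run a site-local user hook with (action, dn) as separate arguments.
Added example for this page; not FreeIPA's ipautil.run."""
import logging
import os
import subprocess
import tempfile

log = logging.getLogger("ipa_user_hook")
ACTIONS = ("add", "del", "mod")


def run_user_hook(script, action, dn, timeout=10):
    """Invoke `script action dn` and return (returncode, stdout).

    script may be a path or an argv prefix such as ["/bin/sh", "/path/hook.sh"].
    Returns (None, "") when the hook cannot run or exceeds `timeout` seconds,
    so the caller (the user-add request) is never blocked indefinitely.
    """
    if action not in ACTIONS:
        raise ValueError("unknown action %r" % (action,))
    prefix = list(script) if isinstance(script, (list, tuple)) else [script]
    argv = prefix + [action, dn]   # one element per argument: no shell ever parses dn
    try:
        proc = subprocess.run(argv, capture_output=True, text=True,
                              timeout=timeout, check=False)
    except (OSError, subprocess.TimeoutExpired) as exc:
        log.error("user hook %s failed: %s", prefix, exc)
        return None, ""
    if proc.returncode != 0:
        log.warning("user hook %s exited %d: %s", prefix, proc.returncode,
                    proc.stderr.strip())
    return proc.returncode, proc.stdout.strip()


def demo(dn="uid=jdoe,cn=users,cn=accounts,dc=example,dc=com",
         body='echo "a:$1 u:$2"', timeout=1):
    """Write a throwaway hook (the thread's test script by default) and run it."""
    fd, path = tempfile.mkstemp(suffix=".sh")
    with os.fdopen(fd, "w") as f:
        f.write("#!/bin/sh\n" + body + "\n")
    try:
        return run_user_hook(["/bin/sh", path], "add", dn, timeout=timeout)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

A DN can contain spaces, commas and quotes; with the list form the script receives it unchanged as a single `$2`, which is what the thread's `echo "a:$1 u:$2"` test relies on. A hook that hangs, or a path that does not exist, yields `(None, "")` and a log line rather than a stuck `ipa user-add`.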
From: ijstokes at hkl.hms.harvard.edu (Ian Stokes-Rees) Date: Wed, 21 Sep 2011 15:58:21 -0400 Subject: [Freeipa-users] Host redirection problems Message-ID: <4E7A41DD.8070003@hkl.hms.harvard.edu> It appears that FreeIPA v2 includes the hostname in web-based URLs and redirects. This isn't good if the server is sitting behind a proxy server or if a user is trying to use port forwarding (as I am now) to access the system. Is there some way to configure this behavior to avoid it happening? If so, shouldn't that be the default? Thanks, Ian -- Ian Stokes-Rees, PhD W: http://portal.nebiogrid.org ijstokes at hkl.hms.harvard.edu T: +1.617.432.5608 x75 NEBioGrid, Harvard Medical School C: +1.617.331.5993 -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: ijstokes.vcf Type: text/x-vcard Size: 380 bytes Desc: not available URL: From rcritten at redhat.com Wed Sep 21 20:10:58 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 21 Sep 2011 16:10:58 -0400 Subject: [Freeipa-users] Host redirection problems In-Reply-To: <4E7A41DD.8070003@hkl.hms.harvard.edu> References: <4E7A41DD.8070003@hkl.hms.harvard.edu> Message-ID: <4E7A44D2.6050104@redhat.com> Ian Stokes-Rees wrote: > It appears that FreeIPA v2 includes the hostname in web-based URLs and > redirects. This isn't good if the server is sitting behind a proxy > server or if a user is trying to use port forwarding (as I am now) to > access the system. > > Is there some way to configure this behavior to avoid it happening? If > so, shouldn't that be the default? > Kerberos and SSL are very specific about what host they want to talk to so we have some mod_redirect rules to make sure we are talking to the right FQDN over SSL. You can disable these in /etc/httpd/conf.d/ipa-rewrite.conf if you'd like. rob From danieljamesscott at gmail.com Wed Sep 21 20:10:25 2011 
From: danieljamesscott at gmail.com (Dan Scott) Date: Wed, 21 Sep 2011 16:10:25 -0400 Subject: [Freeipa-users] Upgrade from FreeIPA 1.2 to 2.1 - getting tickets from upgraded server Message-ID:

Hi,

I have a FreeIPA 1.2 realm running.

I've installed a new server running 2.1 and migrated the user accounts across. I've installed a client and am trying to authenticate against the new server. I get the following errors:

djscott at pc35:~$ kinit
Password for djscott at EXAMPLE.COM:
kinit: Preauthentication failed while getting initial credentials
djscott at pc35:~$

The server krb5kdc log contains the following:

Sep 21 16:02:00 fileserver1.example.com krb5kdc[17795](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.1.35: NEEDED_PREAUTH: djscott at EXAMPLE.COM for krbtgt/EXAMPLE.COM at EXAMPLE.COM, Additional pre-authentication required
Sep 21 16:02:03 fileserver1.example.com krb5kdc[17795](info): preauth (timestamp) verify failure: No matching key in entry
Sep 21 16:02:03 fileserver1.example.com krb5kdc[17795](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.1.35: PREAUTH_FAILED: djscott at EXAMPLE.COM for krbtgtEXAMPLE.COM at EXAMPLE.COM, Preauthentication failed

I've been to the page:

https://fileserver1.example.com/ipa/migration/

And tried to migrate my password, but I receive:

"There was a problem with your request. Please, try again later. If the problem persists, contact your administrator."

The same error occurs when I try to authenticate as myself on the server, although 'id djscott' returns the correct list of groups, so it appears that LDAP is working, but Kerberos is not. I guess it's something to do with the password migration?

Anyone know how I can figure out what's going wrong?

Thanks,

Dan Scott

From rcritten at redhat.com Wed Sep 21 20:28:39 2011
From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 21 Sep 2011 16:28:39 -0400 Subject: [Freeipa-users] Upgrade from FreeIPA 1.2 to 2.1 - getting tickets from upgraded server In-Reply-To: References: Message-ID: <4E7A48F7.2040509@redhat.com> Dan Scott wrote: > Hi, > > I have a FreeIPA 1.2 realm running. > > I've installed a new server running 2.1 and migrated the user accounts > across. I've installed a client and am trying to authenticate against > the new server. I get the following errors: > > djscott at pc35:~$ kinit > Password for djscott at EXAMPLE.COM: > kinit: Preauthentication failed while getting initial credentials > djscott at pc35:~$ > > The server krb5kdc log contains the following: > > Sep 21 16:02:00 fileserver1.example.com krb5kdc[17795](info): AS_REQ > (4 etypes {18 17 16 23}) 192.168.1.35: NEEDED_PREAUTH: > djscott at EXAMPLE.COM for krbtgt/EXAMPLE.COM at EXAMPLE.COM, Additional > pre-authentication required > Sep 21 16:02:03 fileserver1.example.com krb5kdc[17795](info): preauth > (timestamp) verify failure: No matching key in entry > Sep 21 16:02:03 fileserver1.example.com krb5kdc[17795](info): AS_REQ > (4 etypes {18 17 16 23}) 192.168.1.35: PREAUTH_FAILED: > djscott at EXAMPLE.COM for krbtgtEXAMPLE.COM at EXAMPLE.COM, > Preauthentication failed > > I've been to the page: > > https://fileserver1.example.com/ipa/migration/ > > And tried to migrate my password, but I receive: > > "There was a problem with your request. Please, try again later. If > the problem persists, contact your administrator." > > The same error occurs when I try to authenticate as myself on the > server, although 'id djscott' returns the correct list of groups, so > it appears that LDAP is working, but Kerberos is not. I guess it's > something to do with the password migration? > > Anyone know how I can figure out what's going wrong? 
>
> Thanks,
>
> Dan Scott

It looks like the Apache error log is probably not going to have a ton of information for you, but wouldn't hurt to check.

I'd start with the 389-ds access log when doing a migration. You should see the following sequence:

- anonymous bind to search for the naming contexts. It looks like we use the first one there which is bad (ticket https://fedorahosted.org/freeipa/ticket/1834)
- it attempts a bind with dn uid=,cn=users,cn=accounts,

For some reason we convert the LDAP errors into IOErrors, not entirely sure why but we should have beefed up logging in any case (ticket https://fedorahosted.org/freeipa/ticket/1835)

See what either or both of them is returning and that may provide the clues we need to figure it out.

If you still have migration mode enabled you can generate your credentials with sssd by logging into the client normally. If migration mode is on then sssd will initiate a kerberos password change for you.

rob

From simo at redhat.com Wed Sep 21 20:36:49 2011
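Rob's advice is to read the logs, and the krb5kdc lines Dan posted already separate his case from a plain wrong password: the "preauth (timestamp) verify failure" line carries the reason, and "No matching key in entry" means the principal has no Kerberos keys at all (a migrated user whose password has not been re-entered yet), not that a wrong password was typed. As an added example, written for this page and not FreeIPA or MIT krb5 code, here is a small parser that pairs each verify-failure line with the PREAUTH_FAILED record that follows it and classifies the outcome. The sample log is constructed from the format in Dan's message; the second client and user are invented, and "Decrypt integrity check failed" is the reason MIT krb5 logs for a wrong password with timestamp preauthentication.

```python
"""Classify krb5kdc AS_REQ preauth failures: missing key (needs password
migration) vs. wrong password (possible guessing). Added example; not
FreeIPA or MIT krb5 code."""
import re
from collections import defaultdict

# Constructed sample, following the log format quoted in the thread.
SAMPLE_LOG = """\
Sep 21 16:02:00 fileserver1.example.com krb5kdc[17795](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.1.35: NEEDED_PREAUTH: djscott@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Sep 21 16:02:03 fileserver1.example.com krb5kdc[17795](info): preauth (timestamp) verify failure: No matching key in entry
Sep 21 16:02:03 fileserver1.example.com krb5kdc[17795](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.1.35: PREAUTH_FAILED: djscott@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Preauthentication failed
Sep 21 16:05:10 fileserver1.example.com krb5kdc[17795](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.1.40: NEEDED_PREAUTH: alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Sep 21 16:05:11 fileserver1.example.com krb5kdc[17795](info): preauth (timestamp) verify failure: Decrypt integrity check failed
Sep 21 16:05:11 fileserver1.example.com krb5kdc[17795](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.1.40: PREAUTH_FAILED: alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Preauthentication failed
"""

AS_REQ_RE = re.compile(
    r"AS_REQ \(\d+ etypes \{[^}]*\}\) (?P<client>\S+): (?P<status>[A-Z_]+): "
    r"(?P<client_princ>\S+) for (?P<server_princ>\S+?),"
)
VERIFY_RE = re.compile(r"preauth \((?P<method>\w+)\) verify failure: (?P<reason>.+)$")

# Reason text -> category. Anything else is reported as "other".
REASON_CATEGORIES = {
    "No matching key in entry": "missing_key",        # principal has no Kerberos keys yet
    "Decrypt integrity check failed": "bad_password", # key exists, password did not match
}


def classify_preauth_failures(log_text):
    """Return one event per PREAUTH_FAILED line, with the reason logged just before it."""
    events = []
    pending_reason = None
    for line in log_text.splitlines():
        m = VERIFY_RE.search(line)
        if m:
            pending_reason = m.group("reason").strip()   # remember for the next AS_REQ line
            continue
        m = AS_REQ_RE.search(line)
        if not m or m.group("status") != "PREAUTH_FAILED":
            continue
        reason = pending_reason or "unknown"
        pending_reason = None
        events.append({
            "client": m.group("client"),
            "principal": m.group("client_princ"),
            "reason": reason,
            "category": REASON_CATEGORIES.get(reason, "other"),
        })
    return events


def summarize(events):
    """Principals still needing migration, and wrong-password counts per client IP."""
    needs_migration = sorted({e["principal"] for e in events if e["category"] == "missing_key"})
    by_client = defaultdict(int)
    for e in events:
        if e["category"] == "bad_password":
            by_client[e["client"]] += 1
    return {"needs_migration": needs_migration, "bad_password_by_client": dict(by_client)}


if __name__ == "__main__":
    for e in classify_preauth_failures(SAMPLE_LOG):
        print(e)
    print(summarize(SAMPLE_LOG and classify_preauth_failures(SAMPLE_LOG)))
```

The "missing_key" list is the set of users who still have to go through migration (the /ipa/migration/ page or an SSSD login with migration mode on), while a growing "bad_password" count for a single client address is the thing worth alerting on; the two look identical if only the PREAUTH_FAILED line is read.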
From: simo at redhat.com (Simo Sorce) Date: Wed, 21 Sep 2011 16:36:49 -0400 Subject: [Freeipa-users] Host redirection problems In-Reply-To: <4E7A44D2.6050104@redhat.com> References: <4E7A41DD.8070003@hkl.hms.harvard.edu> <4E7A44D2.6050104@redhat.com> Message-ID: <1316637409.2684.567.camel@willson.li.ssimo.org> On Wed, 2011-09-21 at 16:10 -0400, Rob Crittenden wrote: > Ian Stokes-Rees wrote: > > It appears that FreeIPA v2 includes the hostname in web-based URLs and > > redirects. This isn't good if the server is sitting behind a proxy > > server or if a user is trying to use port forwarding (as I am now) to > > access the system. It is a problem only if you are using port forwarding which is a configuration we do not support. Proxy servers are completely transparent wrt that, proxies do not rewrite URLs. You should use the SOCKS option of SSH if you need to port forward and configure your browser to use the port you set up as a SOCKS proxy. This should make your situation work w/o changes to the apache configuration. > > Is there some way to configure this behavior to avoid it happening? If > > so, shouldn't that be the default? > > > > Kerberos and SSL are very specific about what host they want to talk to > so we have some mod_redirect rules to make sure we are talking to the > right FQDN over SSL. > > You can disable these in /etc/httpd/conf.d/ipa-rewrite.conf if you'd like. Note that if you disable that, Kerberos auth will fail and you'll probably end up enabling basic auth which is bad, (heavy weight on the KDC and also stores your kerberos password in the browser). Simo. -- Simo Sorce * Red Hat, Inc * New York From danieljamesscott at gmail.com Thu Sep 22 18:34:19 2011 
From: danieljamesscott at gmail.com (Dan Scott) Date: Thu, 22 Sep 2011 14:34:19 -0400 Subject: [Freeipa-users] Upgrade from FreeIPA 1.2 to 2.1 - getting tickets from upgraded server In-Reply-To: <4E7A48F7.2040509@redhat.com> References: <4E7A48F7.2040509@redhat.com> Message-ID: Hi, On Wed, Sep 21, 2011 at 16:28, Rob Crittenden wrote: > Dan Scott wrote: >> >> Hi, >> >> I have a FreeIPA 1.2 realm running. >> >> I've installed a new server running 2.1 and migrated the user accounts >> across. I've installed a client and am trying to authenticate against >> the new server. I get the following errors: >> >> djscott at pc35:~$ kinit >> Password for djscott at EXAMPLE.COM: >> kinit: Preauthentication failed while getting initial credentials >> djscott at pc35:~$ >> >> The server krb5kdc log contains the following: >> >> Sep 21 16:02:00 fileserver1.example.com krb5kdc[17795](info): AS_REQ >> (4 etypes {18 17 16 23}) 192.168.1.35: NEEDED_PREAUTH: >> djscott at EXAMPLE.COM for krbtgt/EXAMPLE.COM at EXAMPLE.COM, Additional >> pre-authentication required >> Sep 21 16:02:03 fileserver1.example.com krb5kdc[17795](info): preauth >> (timestamp) verify failure: No matching key in entry >> Sep 21 16:02:03 fileserver1.example.com krb5kdc[17795](info): AS_REQ >> (4 etypes {18 17 16 23}) 192.168.1.35: PREAUTH_FAILED: >> djscott at EXAMPLE.COM for krbtgtEXAMPLE.COM at EXAMPLE.COM, >> Preauthentication failed >> >> I've been to the page: >> >> https://fileserver1.example.com/ipa/migration/ >> >> And tried to migrate my password, but I receive: >> >> "There was a problem with your request. Please, try again later. If >> the problem persists, contact your administrator." >> >> The same error occurs when I try to authenticate as myself on the >> server, although 'id djscott' returns the correct list of groups, so >> it appears that LDAP is working, but Kerberos is not. I guess it's >> something to do with the password migration? >> >> Anyone know how I can figure out what's going wrong? 
>> >> Thanks, >> >> Dan Scott > > It looks like the Apache error log is probably not going to have a ton of > information for you, but wouldn't hurt to check. > > I'd start with the 389-ds access log when doing a migration. You should see > the following sequence: > > - anonymous bind to search for the naming contexts. It looks like we use the > first one there which is bad (ticket > https://fedorahosted.org/freeipa/ticket/1834) > - it attempts a bind with dn uid=,cn=users,cn=accounts, context> > > For some reason we convert the LDAP errors into IOErrors, not entirely sure > why but we should have beefed up logging in any case (ticket > https://fedorahosted.org/freeipa/ticket/1835) > > See what either or both of them is returning and that may provide the clues > we need to figure it out. > > If you still have migration mode enabled you can generate your credentials > with sssd by logging into the client normally. If migration mode is on then > sssd will initiate a kerberos password change for you. Well, I'm not entirely sure what the problem was, but SSHing to another server appears to have migrated the password successfully. It's working fine now. So I need to leave migration mode enabled until all users have migrated their passwords, correct? Is this all that migration mode does? Re-generate the Kerberos hashes? Thanks, Dan From rcritten at redhat.com Thu Sep 22 18:56:40 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 22 Sep 2011 14:56:40 -0400 Subject: [Freeipa-users] Upgrade from FreeIPA 1.2 to 2.1 - getting tickets from upgraded server In-Reply-To: References: <4E7A48F7.2040509@redhat.com> Message-ID: <4E7B84E8.6040704@redhat.com> Dan Scott wrote: > Hi, > > On Wed, Sep 21, 2011 at 16:28, Rob Crittenden wrote: >> Dan Scott wrote: >>> >>> Hi, >>> >>> I have a FreeIPA 1.2 realm running. >>> >>> I've installed a new server running 2.1 and migrated the user accounts >>> across. I've installed a client and am trying to authenticate against >>> the new server. I get the following errors: >>> >>> djscott at pc35:~$ kinit >>> Password for djscott at EXAMPLE.COM: >>> kinit: Preauthentication failed while getting initial credentials >>> djscott at pc35:~$ >>> >>> The server krb5kdc log contains the following: >>> >>> Sep 21 16:02:00 fileserver1.example.com krb5kdc[17795](info): AS_REQ >>> (4 etypes {18 17 16 23}) 192.168.1.35: NEEDED_PREAUTH: >>> djscott at EXAMPLE.COM for krbtgt/EXAMPLE.COM at EXAMPLE.COM, Additional >>> pre-authentication required >>> Sep 21 16:02:03 fileserver1.example.com krb5kdc[17795](info): preauth >>> (timestamp) verify failure: No matching key in entry >>> Sep 21 16:02:03 fileserver1.example.com krb5kdc[17795](info): AS_REQ >>> (4 etypes {18 17 16 23}) 192.168.1.35: PREAUTH_FAILED: >>> djscott at EXAMPLE.COM for krbtgtEXAMPLE.COM at EXAMPLE.COM, >>> Preauthentication failed >>> >>> I've been to the page: >>> >>> https://fileserver1.example.com/ipa/migration/ >>> >>> And tried to migrate my password, but I receive: >>> >>> "There was a problem with your request. Please, try again later. If >>> the problem persists, contact your administrator." >>> >>> The same error occurs when I try to authenticate as myself on the >>> server, although 'id djscott' returns the correct list of groups, so >>> it appears that LDAP is working, but Kerberos is not. I guess it's >>> something to do with the password migration? 
>>> >>> Anyone know how I can figure out what's going wrong? >>> >>> Thanks, >>> >>> Dan Scott >> >> It looks like the Apache error log is probably not going to have a ton of >> information for you, but wouldn't hurt to check. >> >> I'd start with the 389-ds access log when doing a migration. You should see >> the following sequence: >> >> - anonymous bind to search for the naming contexts. It looks like we use the >> first one there which is bad (ticket >> https://fedorahosted.org/freeipa/ticket/1834) >> - it attempts a bind with dn uid=,cn=users,cn=accounts,> context> >> >> For some reason we convert the LDAP errors into IOErrors, not entirely sure >> why but we should have beefed up logging in any case (ticket >> https://fedorahosted.org/freeipa/ticket/1835) >> >> See what either or both of them is returning and that may provide the clues >> we need to figure it out. >> >> If you still have migration mode enabled you can generate your credentials >> with sssd by logging into the client normally. If migration mode is on then >> sssd will initiate a kerberos password change for you. > > Well, I'm not entirely sure what the problem was, but SSHing to > another server appears to have migrated the password successfully. > It's working fine now. > > So I need to leave migration mode enabled until all users have > migrated their passwords, correct? Is this all that migration mode > does? Re-generate the Kerberos hashes? > > Thanks, > > Dan Yes, migration mode enables you to authenticate with a stored LDAP password to generate missing Kerberos principal keys. I assume that the other server has sssd configured so it performed the password migration. rob From janfrode at tanso.net Fri Sep 23 08:08:09 2011 
From: janfrode at tanso.net (Jan-Frode Myklebust) Date: Fri, 23 Sep 2011 10:08:09 +0200 Subject: [Freeipa-users] password migration In-Reply-To: <4E789C34.5040800@redhat.com> References: <20110920131801.GA17428@oc1046828364.ibm.com> <4E789C34.5040800@redhat.com> Message-ID: <20110923080808.GA7809@oc1046828364.ibm.com> On Tue, Sep 20, 2011 at 09:59:16AM -0400, Dmitri Pal wrote: > > > > Password Hash Algorithm > > ------------------------- > > Indicates the algorithm that the system should use to hash the password. > > Currently supported values are SSHA, SHA, SMD5, and MD5. A value of NONE > > or no value indicates that the system will not hash passwords. This will > > cause cleartext passwords to be stored in LDAP unless the LDAP server > > performs the hash (Netscape Directory Server and iPlanet Directory > > Server do). > > > > Will the ipa-migration handle any of these formats ? Which would be the > > preferred ? > > > I am not sure it keeps it in clear internally anywhere. Password is > always hashed unless you explicitly set it to be cleartext in the > setting above. Are you stating that based on knowledge of Sun Identity Manager? As far as I understand SIM, I should be able to add new managed "resources" (directories, databases, servers, etc) at a later point and push my userdatabase to. For that to work, SIM will have to either hash to all supported hashing methods (including cleartext??) or just keep a cleartext version hidden somewhere. -jf From janfrode at tanso.net Fri Sep 23 08:20:36 2011 
From: janfrode at tanso.net (Jan-Frode Myklebust) Date: Fri, 23 Sep 2011 10:20:36 +0200 Subject: [Freeipa-users] password migration In-Reply-To: <1316528294.2425.12.camel@sgallagh520.bos.redhat.com> References: <20110920131801.GA17428@oc1046828364.ibm.com> <4E789C34.5040800@redhat.com> <1316528294.2425.12.camel@sgallagh520.bos.redhat.com> Message-ID: <20110923082036.GA8238@oc1046828364.ibm.com> On Tue, Sep 20, 2011 at 10:18:13AM -0400, Stephen Gallagher wrote: > > Specifically, the way SSSD behaves is as follows: > 1) Try to authenticate with Kerberos. If Kerberos responds that there's > no hash for this user, > 2) Ask FreeIPA if migration mode is enabled, if it is, > 3) Try to bind to FreeIPA LDAP using the same password. If this > succeeds, we know that the password is valid > 4) Initiate a kerberos password-change to set the kerberos password > equal to the LDAP password. Is it supported to run a mixed ldap bind / kerberos environment? I'm thinking of letting all old RHEL4 and RHEL5 systems keep running ldap bind authentication, and only enable kerberos/sssd on RHEL6 initially. After 3 months, or so, all users should have been forced to change their passwords through the password expiry policy. Will then the RHEL4/5 clients also update kerberos password when they're forced to change their LDAP password? -jf From simo at redhat.com Fri Sep 23 13:19:22 2011 
From: simo at redhat.com (Simo Sorce) Date: Fri, 23 Sep 2011 09:19:22 -0400 Subject: [Freeipa-users] password migration In-Reply-To: <20110923082036.GA8238@oc1046828364.ibm.com> References: <20110920131801.GA17428@oc1046828364.ibm.com> <4E789C34.5040800@redhat.com> <1316528294.2425.12.camel@sgallagh520.bos.redhat.com> <20110923082036.GA8238@oc1046828364.ibm.com> Message-ID: <1316783962.2684.626.camel@willson.li.ssimo.org> On Fri, 2011-09-23 at 10:20 +0200, Jan-Frode Myklebust wrote: > On Tue, Sep 20, 2011 at 10:18:13AM -0400, Stephen Gallagher wrote: > > > > Specifically, the way SSSD behaves is as follows: > > 1) Try to authenticate with Kerberos. If Kerberos responds that there's > > no hash for this user, > > 2) Ask FreeIPA if migration mode is enabled, if it is, > > 3) Try to bind to FreeIPA LDAP using the same password. If this > > succeeds, we know that the password is valid > > 4) Initiate a kerberos password-change to set the kerberos password > > equal to the LDAP password. > > Is it supported to run a mixed ldap bind / kerberos environment? I'm > thinking of letting all old RHEL4 and RHEL5 systems keep running ldap > bind authentication, and only enable kerberos/sssd on RHEL6 initially. Yes, that's ok, ldap auth is there explicitly to support clients that can't do kerb auth for whatever reason. > After 3 months, or so, all users should have been forced to change their > passwords through the password expiry policy. Will then the RHEL4/5 > clients also update kerberos password when they're forced to change their > LDAP password? They should. Simo. -- Simo Sorce * Red Hat, Inc * New York From rcritten at redhat.com Fri Sep 23 13:30:10 2011 
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 23 Sep 2011 09:30:10 -0400 Subject: [Freeipa-users] password migration In-Reply-To: <20110923080808.GA7809@oc1046828364.ibm.com> References: <20110920131801.GA17428@oc1046828364.ibm.com> <4E789C34.5040800@redhat.com> <20110923080808.GA7809@oc1046828364.ibm.com> Message-ID: <4E7C89E2.1020200@redhat.com> Jan-Frode Myklebust wrote: > On Tue, Sep 20, 2011 at 09:59:16AM -0400, Dmitri Pal wrote: >>> >>> Password Hash Algorithm >>> ------------------------- >>> Indicates the algorithm that the system should use to hash the password. >>> Currently supported values are SSHA, SHA, SMD5, and MD5. A value of NONE >>> or no value indicates that the system will not hash passwords. This will >>> cause cleartext passwords to be stored in LDAP unless the LDAP server >>> performs the hash (Netscape Directory Server and iPlanet Directory >>> Server do). >>> >>> Will the ipa-migration handle any of these formats ? Which would be the >>> preferred ? >>> >> I am not sure it keeps it in clear internally anywhere. Password is >> always hashed unless you explicitly set it to be cleartext in the >> setting above. > > Are you stating that based on knowledge of Sun Identity Manager? As far > as I understand SIM, I should be able to add new managed "resources" > (directories, databases, servers, etc) at a later point and push my > userdatabase to. For that to work, SIM will have to either hash to all > supported hashing methods (including cleartext??) or just keep a > cleartext version hidden somewhere. I think he was referring to 389-ds. IPA migration grabs the raw userPassword attribute from the remote LDAP server to create the entry in 389-ds. 
For the hash types that 389-ds supports look for passwordStorageScheme in http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/User_Account_Management.html#Configuring_a_Global_Password_Policy_Using_the_Command_Line-Password_Policy_Attributes rob From danieljamesscott at gmail.com Fri Sep 23 17:38:26 2011 
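The migration-mode flow Stephen Gallagher laid out earlier in this thread (try Kerberos; if the KDC has no key for the principal, check whether migration mode is on; bind to LDAP with the same password; only then set the Kerberos password), together with the {SSHA}/{SHA} userPassword formats Jan-Frode asked about and Rob points to in the 389-ds docs, as an added simulation. This is illustrative code written for this page, not SSSD or FreeIPA source: KDC, ldap_bind, derive_key and the in-memory stores are stand-ins constructed here. The {SSHA} and {SHA} encodings follow the standard 389-ds layout (base64 of the SHA-1 digest, followed by the salt for SSHA).

```python
"""Simulation of SSSD's migration-mode login against toy in-memory KDC and
LDAP stores. Added example for this page, not SSSD or FreeIPA code."""
import base64
import hashlib
import os


# --- toy 389-ds side: userPassword stored with a {SCHEME} prefix ---------
def ssha_hash(password, salt=None):
    """Encode like 389-ds: {SSHA} + base64(sha1(password + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def sha_hash(password):
    """Unsalted variant: {SHA} + base64(sha1(password))."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


def ldap_bind(directory, uid, password):
    """Simple bind: verify the password against the stored userPassword value."""
    stored = directory.get(uid)
    if stored is None:
        return False
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]          # SHA-1 digests are 20 bytes
        return hashlib.sha1(password.encode() + salt).digest() == digest
    if stored.startswith("{SHA}"):
        raw = base64.b64decode(stored[len("{SHA}"):])
        return hashlib.sha1(password.encode()).digest() == raw
    return False  # cleartext or an unknown scheme: refuse rather than guess


# --- toy KDC side ---------------------------------------------------------
def derive_key(password):
    """Stand-in for the KDC's string-to-key; the real one yields per-etype keys."""
    return hashlib.sha256(b"toy-string2key:" + password.encode()).hexdigest()


class KDC:
    NO_KEY = "no matching key in entry"   # the condition Dan's krb5kdc log showed

    def __init__(self, migration_enabled=False):
        self.keys = {}                    # principal -> key derived from its password
        self.migration_enabled = migration_enabled

    def kinit(self, principal, password):
        if principal not in self.keys:
            return self.NO_KEY
        return "ok" if self.keys[principal] == derive_key(password) else "preauth failed"

    def change_password(self, principal, password):
        self.keys[principal] = derive_key(password)


def sssd_authenticate(kdc, directory, uid, realm, password):
    """Steps 1-4 from Stephen's message, in order."""
    principal = "%s@%s" % (uid, realm)
    result = kdc.kinit(principal, password)               # 1: try Kerberos first
    if result != KDC.NO_KEY:
        return result                                     # keyed user: Kerberos decides
    if not kdc.migration_enabled:                         # 2: server-side switch
        return "no key and migration disabled"
    if not ldap_bind(directory, uid, password):           # 3: prove the password via LDAP
        return "ldap bind failed"
    kdc.change_password(principal, password)              # 4: only now create the key
    return "migrated: " + kdc.kinit(principal, password)
```

The property worth noticing is that step 3 guards step 4: migration mode lets a principal be keyed only by someone who already holds the password behind the LDAP hash, and once the key exists the first branch takes over and the LDAP hash is no longer consulted by this path. Hashes stored in a scheme the server cannot verify (cleartext, or a scheme outside what 389-ds supports) never reach step 4.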
From: danieljamesscott at gmail.com (Dan Scott) Date: Fri, 23 Sep 2011 13:38:26 -0400 Subject: [Freeipa-users] Cannot login to GDM Message-ID: Hi, I've recently upgraded from FreeIPA 1.2 to 2.1. Most things are working OK, but I have a few problems: 1. I'm unable to login to a new client machine via GDM with my existing credentials. i.e. I can login on the command line and my home directory is created correctly, but GDM logins hang, with the fields greyed out until I press escape, when it returns to the login screen. The /var/log/gdm files contain: Window manager warning: Buggy client sent a _NET_ACTIVE_WINDOW message with a timestamp of 0 for 0x1400007 (Login Wind) Window manager warning: meta_window_activate called by a pager with a 0 timestamp; the pager needs to be fixed. Window manager warning: Buggy client sent a _NET_ACTIVE_WINDOW message with a timestamp of 0 for 0x1400007 (Login Wind) Window manager warning: meta_window_activate called by a pager with a 0 timestamp; the pager needs to be fixed. ==> /var/log/gdm/:0-slave.log <== pam: gdm-password[2484]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=djscott pam: gdm-password[2484]: pam_sss(gdm-password:auth): authentication success; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=djscott ==> /var/log/gdm/:0-greeter.log <== Window manager warning: Buggy client sent a _NET_ACTIVE_WINDOW message with a timestamp of 0 for 0x1400007 (Login Wind) Window manager warning: meta_window_activate called by a pager with a 0 timestamp; the pager needs to be fixed. Window manager warning: Buggy client sent a _NET_ACTIVE_WINDOW message with a timestamp of 0 for 0x1400007 (Login Wind) Window manager warning: meta_window_activate called by a pager with a 0 timestamp; the pager needs to be fixed. 
Window manager warning: Buggy client sent a _NET_ACTIVE_WINDOW message with a timestamp of 0 for 0x1400007 (Login Wind)
Window manager warning: meta_window_activate called by a pager with a 0 timestamp; the pager needs to be fixed.

Any idea what's going on here?

2. I'm having trouble migrating the user passwords. The /ipa/migration/ webpage doesn't work:

"There was a problem with your request. Please, try again later."

The only way I have been able to migrate user passwords is by getting them to ssh into one of the FreeIPA masters. I've read through manpages for sssd, sssd.conf, sssd-ldap, sssd-krb5 and pam_sss, and the FreeIPA and SSSD websites, but I can't find the documentation for getting SSSD to migrate passwords. Can someone point me in the correct direction?

3. The migration appears to have created a group for each user, i.e. there is a group called 'djscott' along with my user, visible via an LDAP browser. Should they exist? Is there an easy way to remove them - they don't show up in the web interface or command line, just the LDAP browser.

4. The old ipausers group had ID 1002, which now does not exist, resulting in an annoying "id: cannot find name for group ID 1002" whenever I ssh to another system. Is there a simple way to change the GID for all users who have the old ID to have the new ID? I've created a temporary ipausers-legacy group with ID 1002 to eliminate the error temporarily.

I think that's it for now.... :)

Thanks,

Dan Scott
http://danieljamesscott.org/

From sgallagh at redhat.com Fri Sep 23 17:57:55 2011
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Fri, 23 Sep 2011 13:57:55 -0400
Subject: [Freeipa-users] Cannot login to GDM
In-Reply-To:
References:
Message-ID: <1316800676.2395.25.camel@sgallagh520.bos.redhat.com>

On Fri, 2011-09-23 at 13:38 -0400, Dan Scott wrote:
> Hi,
>
> I've recently upgraded from FreeIPA 1.2 to 2.1. Most things are
> working OK, but I have a few problems:
>
> 1. I'm unable to login to a new client machine via GDM with my
> existing credentials. i.e. I can login on the command line and my home
> directory is created correctly, but GDM logins hang, with the fields
> greyed out until I press escape, when it returns to the login screen.
> The /var/log/gdm files contain:
>
> Window manager warning: Buggy client sent a _NET_ACTIVE_WINDOW message
> with a timestamp of 0 for 0x1400007 (Login Wind)
> Window manager warning: meta_window_activate called by a pager with a
> 0 timestamp; the pager needs to be fixed.
> Window manager warning: Buggy client sent a _NET_ACTIVE_WINDOW message
> with a timestamp of 0 for 0x1400007 (Login Wind)
> Window manager warning: meta_window_activate called by a pager with a
> 0 timestamp; the pager needs to be fixed.
>
> ==> /var/log/gdm/:0-slave.log <==
> pam: gdm-password[2484]: pam_unix(gdm-password:auth): authentication
> failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=djscott
> pam: gdm-password[2484]: pam_sss(gdm-password:auth): authentication
> success; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=djscott
>
> ==> /var/log/gdm/:0-greeter.log <==
> Window manager warning: Buggy client sent a _NET_ACTIVE_WINDOW message
> with a timestamp of 0 for 0x1400007 (Login Wind)
> Window manager warning: meta_window_activate called by a pager with a
> 0 timestamp; the pager needs to be fixed.
> Window manager warning: Buggy client sent a _NET_ACTIVE_WINDOW message
> with a timestamp of 0 for 0x1400007 (Login Wind)
> Window manager warning: meta_window_activate called by a pager with a
> 0 timestamp; the pager needs to be fixed.
> Window manager warning: Buggy client sent a _NET_ACTIVE_WINDOW message
> with a timestamp of 0 for 0x1400007 (Login Wind)
> Window manager warning: meta_window_activate called by a pager with a
> 0 timestamp; the pager needs to be fixed.
>
> Any idea what's going on here?

Could you check /var/log/secure?

Also, what version of the sssd and gdm packages are installed on the system?

>
> 2. I'm having trouble migrating the user passwords. The
> /ipa/migration/ webpage doesn't work:
>
> "There was a problem with your request. Please, try again later."
>
> The only way I have been able to migrate user passwords is by getting
> them to ssh into one of the FreeIPA masters. I've read through
> manpages for sssd, sssd.conf, sssd-ldap, sssd-krb5 and pam_sss, and
> the FreeIPA and SSSD websites, but I can't find the documentation for
> getting SSSD to migrate passwords. Can someone point me in the correct
> direction?
>

There's no special configuration required for getting SSSD to migrate passwords. As long as password migration mode is configured on the FreeIPA server (and SSSD has been set up with ipa-client-install), we will detect whether migration mode is active and behave appropriately. This is exactly why migration by connecting to the FreeIPA masters by SSH works; it's authenticating through the SSSD client on the master and performing the migration quietly behind the scenes.

If this isn't working when SSHing into FreeIPA clients other than the server, then there's probably something wrong with your SSHD config.

Otherwise, whatever's causing the failure in step 1) is probably causing the migration to not work (since authentication isn't completing).

> 3. The migration appears to have created a group for each user, i.e.
> there is a group called 'djscott' along with my user, visible via an
> LDAP browser. Should they exist? Is there an easy way to remove them -
> they don't show up in the web interface or command line, just the LDAP
> browser.

These are private groups and they are a security feature. The idea is that each user is by default a member only of a special group consisting only of themselves. This way, when a user creates a file with default permissions, it isn't vulnerable to leaking to other members of the user's primary group.

> 4. The old ipausers group had ID 1002, which now does not exist,
> resulting in an annoying "id: cannot find name for group ID 1002"
> whenever I ssh to another system. Is there a simple way to change the
> GID for all users who have the old ID to have the new ID? I've created
> a temporary ipausers-legacy group with ID 1002 to eliminate the error
> temporarily.

I'll leave this for the core FreeIPA team to discuss, but the removal of ipausers was intentional, in favor of using private groups as I described above.

>
> I think that's it for now.... :)
>
> Thanks,
>
> Dan Scott
> http://danieljamesscott.org/
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

From rcritten at redhat.com Fri Sep 23 18:09:26 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 23 Sep 2011 14:09:26 -0400
Subject: [Freeipa-users] Cannot login to GDM
In-Reply-To: <1316800676.2395.25.camel@sgallagh520.bos.redhat.com>
References: <1316800676.2395.25.camel@sgallagh520.bos.redhat.com>
Message-ID: <4E7CCB56.4080100@redhat.com>

Stephen Gallagher wrote:
> On Fri, 2011-09-23 at 13:38 -0400, Dan Scott wrote:
>> Hi,
>>
>> I've recently upgraded from FreeIPA 1.2 to 2.1. Most things are
>> working OK, but I have a few problems:
>>
>> 1. I'm unable to login to a new client machine via GDM with my
>> existing credentials. i.e. I can login on the command line and my home
>> directory is created correctly, but GDM logins hang, with the fields
>> greyed out until I press escape, when it returns to the login screen.
>> The /var/log/gdm files contain:
>>
>> Window manager warning: Buggy client sent a _NET_ACTIVE_WINDOW message
>> with a timestamp of 0 for 0x1400007 (Login Wind)
>> Window manager warning: meta_window_activate called by a pager with a
>> 0 timestamp; the pager needs to be fixed.
>> Window manager warning: Buggy client sent a _NET_ACTIVE_WINDOW message
>> with a timestamp of 0 for 0x1400007 (Login Wind)
>> Window manager warning: meta_window_activate called by a pager with a
>> 0 timestamp; the pager needs to be fixed.
>>
>> ==> /var/log/gdm/:0-slave.log<==
>> pam: gdm-password[2484]: pam_unix(gdm-password:auth): authentication
>> failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=djscott
>> pam: gdm-password[2484]: pam_sss(gdm-password:auth): authentication
>> success; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=djscott
>>
>> ==> /var/log/gdm/:0-greeter.log<==
>> Window manager warning: Buggy client sent a _NET_ACTIVE_WINDOW message
>> with a timestamp of 0 for 0x1400007 (Login Wind)
>> Window manager warning: meta_window_activate called by a pager with a
>> 0 timestamp; the pager needs to be fixed.
>> Window manager warning: Buggy client sent a _NET_ACTIVE_WINDOW message
>> with a timestamp of 0 for 0x1400007 (Login Wind)
>> Window manager warning: meta_window_activate called by a pager with a
>> 0 timestamp; the pager needs to be fixed.
>> Window manager warning: Buggy client sent a _NET_ACTIVE_WINDOW message
>> with a timestamp of 0 for 0x1400007 (Login Wind)
>> Window manager warning: meta_window_activate called by a pager with a
>> 0 timestamp; the pager needs to be fixed.
>>
>> Any idea what's going on here?
>
> Could you check /var/log/secure?
>
> Also, what version of the sssd and gdm packages are installed on the
> system?
>
>>
>> 2. I'm having trouble migrating the user passwords. The
>> /ipa/migration/ webpage doesn't work:
>>
>> "There was a problem with your request. Please, try again later."
>>
>> The only way I have been able to migrate user passwords is by getting
>> them to ssh into one of the FreeIPA masters. I've read through
>> manpages for sssd, sssd.conf, sssd-ldap, sssd-krb5 and pam_sss, and
>> the FreeIPA and SSSD websites, but I can't find the documentation for
>> getting SSSD to migrate passwords. Can someone point me in the correct
>> direction?
>>
>
> There's no special configuration required for getting SSSD to migrate
> passwords. As long as password migration mode is configured on the
> FreeIPA server (and SSSD has been set up with ipa-client-install), we
> will detect whether migration mode is active and behave appropriately.
> This is exactly why migration by connecting to the FreeIPA masters by
> SSH works; it's authenticating through the SSSD client on the master and
> performing the migration quietly behind the scenes.
>
> If this isn't working when SSHing into FreeIPA clients other than the
> server, then there's probably something wrong with your SSHD config.
>
> Otherwise, whatever's causing the failure in step 1) is probably causing
> the migration to not work (since authentication isn't completing).
>
>> 3.
>> The migration appears to have created a group for each user, i.e.
>> there is a group called 'djscott' along with my user, visible via an
>> LDAP browser. Should they exist? Is there an easy way to remove them -
>> they don't show up in the web interface or command line, just the LDAP
>> browser.
>
> These are private groups and they are a security feature. The idea is
> that each user is by default a member only of a special group consisting
> only of themselves. This way, when a user creates a file with default
> permissions, it isn't vulnerable to leaking to other members of the
> user's primary group.
>
>> 4. The old ipausers group had ID 1002, which now does not exist,
>> resulting in an annoying "id: cannot find name for group ID 1002"
>> whenever I ssh to another system. Is there a simple way to change the
>> GID for all users who have the old ID to have the new ID? I've created
>> a temporary ipausers-legacy group with ID 1002 to eliminate the error
>> temporarily.
>
> I'll leave this for the core FreeIPA team to discuss, but the removal of
> ipausers was intentional, in favor of using private groups as I
> described above.

There still is an ipausers group, but since it already existed during the migration it wasn't migrated, essentially orphaning the old GID. I'll open a ticket to consider this.

rob

From danieljamesscott at gmail.com Fri Sep 23 18:11:28 2011
From: danieljamesscott at gmail.com (Dan Scott)
Date: Fri, 23 Sep 2011 14:11:28 -0400
Subject: [Freeipa-users] Cannot login to GDM
In-Reply-To: <1316800676.2395.25.camel@sgallagh520.bos.redhat.com>
References: <1316800676.2395.25.camel@sgallagh520.bos.redhat.com>
Message-ID:

Hi,

On Fri, Sep 23, 2011 at 13:57, Stephen Gallagher wrote:
> On Fri, 2011-09-23 at 13:38 -0400, Dan Scott wrote:
>> Hi,
>>
>> I've recently upgraded from FreeIPA 1.2 to 2.1. Most things are
>> working OK, but I have a few problems:
>>
>> 1. I'm unable to login to a new client machine via GDM with my
>> existing credentials. i.e. I can login on the command line and my home
>> directory is created correctly, but GDM logins hang, with the fields
>> greyed out until I press escape, when it returns to the login screen.
>> The /var/log/gdm files contain:
>>
>> Window manager warning: Buggy client sent a _NET_ACTIVE_WINDOW message
>> with a timestamp of 0 for 0x1400007 (Login Wind)
>> Window manager warning: meta_window_activate called by a pager with a
>> 0 timestamp; the pager needs to be fixed.
>> Window manager warning: Buggy client sent a _NET_ACTIVE_WINDOW message
>> with a timestamp of 0 for 0x1400007 (Login Wind)
>> Window manager warning: meta_window_activate called by a pager with a
>> 0 timestamp; the pager needs to be fixed.
>>
>> ==> /var/log/gdm/:0-slave.log <==
>> pam: gdm-password[2484]: pam_unix(gdm-password:auth): authentication
>> failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=djscott
>> pam: gdm-password[2484]: pam_sss(gdm-password:auth): authentication
>> success; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=djscott
>>
>> ==> /var/log/gdm/:0-greeter.log <==
>> Window manager warning: Buggy client sent a _NET_ACTIVE_WINDOW message
>> with a timestamp of 0 for 0x1400007 (Login Wind)
>> Window manager warning: meta_window_activate called by a pager with a
>> 0 timestamp; the pager needs to be fixed.
>> Window manager warning: Buggy client sent a _NET_ACTIVE_WINDOW message
>> with a timestamp of 0 for 0x1400007 (Login Wind)
>> Window manager warning: meta_window_activate called by a pager with a
>> 0 timestamp; the pager needs to be fixed.
>> Window manager warning: Buggy client sent a _NET_ACTIVE_WINDOW message
>> with a timestamp of 0 for 0x1400007 (Login Wind)
>> Window manager warning: meta_window_activate called by a pager with a
>> 0 timestamp; the pager needs to be fixed.
>>
>> Any idea what's going on here?
>
> Could you check /var/log/secure?

Sorry, I should have included this originally, but I checked it already and I don't think it contains anything useful:

Sep 23 12:35:38 pc37 pam: gdm-password[2484]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=djscott
Sep 23 12:35:40 pc37 pam: gdm-password[2484]: pam_sss(gdm-password:auth): authentication success; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=djscott

> Also, what version of the sssd and gdm packages are installed on the
> system?

[root at pc37 ~]# rpm -qa|grep sssd
sssd-1.5.13-1.fc15.2.x86_64
sssd-client-1.5.13-1.fc15.2.x86_64
[root at pc37 ~]# rpm -qa|grep gdm
gdm-3.0.4-1.fc15.x86_64
gdm-plugin-fingerprint-3.0.4-1.fc15.x86_64
pulseaudio-gdm-hooks-0.9.22-5.fc15.x86_64
[root at pc37 ~]#

>> 2. I'm having trouble migrating the user passwords. The
>> /ipa/migration/ webpage doesn't work:
>>
>> "There was a problem with your request. Please, try again later."
>>
>> The only way I have been able to migrate user passwords is by getting
>> them to ssh into one of the FreeIPA masters. I've read through
>> manpages for sssd, sssd.conf, sssd-ldap, sssd-krb5 and pam_sss, and
>> the FreeIPA and SSSD websites, but I can't find the documentation for
>> getting SSSD to migrate passwords. Can someone point me in the correct
>> direction?
>>
>
> There's no special configuration required for getting SSSD to migrate
> passwords.
> As long as password migration mode is configured on the
> FreeIPA server (and SSSD has been set up with ipa-client-install), we
> will detect whether migration mode is active and behave appropriately.
> This is exactly why migration by connecting to the FreeIPA masters by
> SSH works; it's authenticating through the SSSD client on the master and
> performing the migration quietly behind the scenes.
>
> If this isn't working when SSHing into FreeIPA clients other than the
> server, then there's probably something wrong with your SSHD config.

Ahh, OK. Is there anything particular I need to check for? Logins to non-server machines give:

Sep 23 13:04:23 fw sshd[31652]: pam_krb5[31652]: authentication fails for 'qiaoli' (qiaoli at EXAMPLE.COM): Authentication failure (Preauthentication failed)
Sep 23 13:04:25 fw sshd[31652]: Failed password for qiaoli from IP_ADDR_REMOVED port 35238 ssh2

in /var/log/secure. Having just looked at this, I see that it's not using sssd by the look of things. Strange, I enabled it and started it running. I can probably fix this by getting the config sorted properly.

> Otherwise, whatever's causing the failure in step 1) is probably causing
> the migration to not work (since authentication isn't completing).
>
>> 3. The migration appears to have created a group for each user, i.e.
>> there is a group called 'djscott' along with my user, visible via an
>> LDAP browser. Should they exist? Is there an easy way to remove them -
>> they don't show up in the web interface or command line, just the LDAP
>> browser.
>
> These are private groups and they are a security feature. The idea is
> that each user is by default a member only of a special group consisting
> only of themselves. This way, when a user creates a file with default
> permissions, it isn't vulnerable to leaking to other members of the
> user's primary group.

Ahh, OK, that's fine then. Thanks.

>> 4.
>> The old ipausers group had ID 1002, which now does not exist,
>> resulting in an annoying "id: cannot find name for group ID 1002"
>> whenever I ssh to another system. Is there a simple way to change the
>> GID for all users who have the old ID to have the new ID? I've created
>> a temporary ipausers-legacy group with ID 1002 to eliminate the error
>> temporarily.
>
> I'll leave this for the core FreeIPA team to discuss, but the removal of
> ipausers was intentional, in favor of using private groups as I
> described above.

So I should change each user's GID to the GID which is the same as their username? Is there a script to do this, to save having to do it manually?

Thanks,

Dan

From g17jimmy at gmail.com Fri Sep 23 19:17:52 2011
From: g17jimmy at gmail.com (Jimmy)
Date: Fri, 23 Sep 2011 15:17:52 -0400
Subject: [Freeipa-users] Using FreeIPA web interface from a windows client(IE)
Message-ID:

I have been using the interface from a Linux client on Firefox just fine, but now I need to configure a windows client to access the web interface. I have the win7 client logged in using a FreeIPA user, authenticated against the realm, and when I browse to the web page I still get another log in box but no matter what I do not get access, or the browser cannot access the ticket the system has. I enabled the "Enable Integrated Windows Authentication" option in IE. After that wasn't working I even installed the MIT KFW to make sure I was really getting a ticket(not really expecting that it would fix the problem.)

I am searching for this fix actively, but figured I'd ask here in case someone had the answer at hand.

From rcritten at redhat.com Fri Sep 23 19:31:42 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 23 Sep 2011 15:31:42 -0400
Subject: [Freeipa-users] Using FreeIPA web interface from a windows client(IE)
In-Reply-To:
References:
Message-ID: <4E7CDE9E.6080707@redhat.com>

Jimmy wrote:
> I have been using the interface from a Linux client on Firefox just
> fine, but now I need to configure a windows client to access the web
> interface. I have the win7 client logged in using a FreeIPA user,
> authenticated against the realm, and when I browse to the web page I
> still get another log in box but no matter what I do not get access, or
> the browser cannot access the ticket the system has. I enabled the
> "Enable Integrated Windows Authentication" option in IE. After that
> wasn't working I even installed the MIT KFW to make sure I was really
> getting a ticket(not really expecting that it would fix the problem.)
>
> I am searching for this fix actively, but figured I'd ask here in case
> someone had the answer at hand.

Firefox in Windows will work with the MIT client but not IE. For IE to work you need to enable fake basic auth fallback, http://freeipa.org/page/UIPasswordAuth . This isn't really ideal but the only workaround we know of.

rob

From ayoung at redhat.com Fri Sep 23 19:37:13 2011
From: ayoung at redhat.com (Adam Young)
Date: Fri, 23 Sep 2011 15:37:13 -0400
Subject: [Freeipa-users] Using FreeIPA web interface from a windows client(IE)
In-Reply-To: <4E7CDE9E.6080707@redhat.com>
References: <4E7CDE9E.6080707@redhat.com>
Message-ID: <4E7CDFE9.2050602@redhat.com>

On 09/23/2011 03:31 PM, Rob Crittenden wrote:
> Jimmy wrote:
>> I have been using the interface from a Linux client on Firefox just
>> fine, but now I need to configure a windows client to access the web
>> interface. I have the win7 client logged in using a FreeIPA user,
>> authenticated against the realm, and when I browse to the web page I
>> still get another log in box but no matter what I do not get access, or
>> the browser cannot access the ticket the system has. I enabled the
>> "Enable Integrated Windows Authentication" option in IE. After that
>> wasn't working I even installed the MIT KFW to make sure I was really
>> getting a ticket(not really expecting that it would fix the problem.)
>>
>> I am searching for this fix actively, but figured I'd ask here in case
>> someone had the answer at hand.
>
> Firefox in Windows will work with the MIT client but not IE. For IE to
> work you need to enable fake basic auth fallback,
> http://freeipa.org/page/UIPasswordAuth . This isn't really ideal but
> the only workaround we know of.
>
> rob

Chrome will work as well, just not IE.

From dpal at redhat.com Fri Sep 23 21:47:35 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 23 Sep 2011 17:47:35 -0400
Subject: [Freeipa-users] Cannot login to GDM
In-Reply-To:
References: <1316800676.2395.25.camel@sgallagh520.bos.redhat.com>
Message-ID: <4E7CFE77.70607@redhat.com>

On 09/23/2011 02:11 PM, Dan Scott wrote:
>> I'll leave this for the core FreeIPA team to discuss, but the removal of
>> > ipausers was intentional, in favor of using private groups as I
>> > described above.
> So I should change each user's GID to the GID which is the same as
> their username? Is there a script to do this, to save having to do it
> manually?

It is unclear how it can be automated. The biggest challenge is determining the criteria to identify the files that need to be updated. This is kind of specific to your environment. Other than that it is a couple of lines of shell script.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From ranger at opennms.org Sat Sep 24 16:45:05 2011
From: ranger at opennms.org (Benjamin Reed)
Date: Sat, 24 Sep 2011 12:45:05 -0400
Subject: [Freeipa-users] ipa-client-install with anonymous bind disabled?
Message-ID: <4E7E0911.8030006@opennms.org>

We have disabled anonymous bind since we are at times accessing our LDAP(s) server over the public internet. How do I specify the right credentials to ipa-client-install so that it doesn't give me this error when trying to set up a CentOS 5 client?

> # ipa-client-install
> root : ERROR LDAP Error: Inappropriate authentication: Anonymous access is not allowed
> Failed to verify that connect.opennms.com is an IPA Server.
> This may mean that the remote server is not up or is not reachable
> due to network or firewall settings.

--
Benjamin Reed
The OpenNMS Group
http://www.opennms.org/

From simo at redhat.com Sat Sep 24 17:13:55 2011
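An added shell example for the orphaned ipausers GID raised in Dan's item 4 and Dmitri's reply above (not code from the thread or from FreeIPA): it lists the accounts whose primary GID is still 1002 and prints, as a dry run, the ipa user-mod and find/chgrp commands that would move each one onto its private group. It assumes the private group is named after the user, as the thread describes, and that `ipa user-mod --gidnumber` is the way to change the primary GID; the passwd and group data are constructed.

```shell
#!/bin/sh
# Added example for the orphaned ipausers GID discussed in the thread
# above; not code from the thread or from FreeIPA.
# Assumptions: the private group is named after the user (as the thread
# says), and `ipa user-mod --gidnumber` changes the primary GID.
# Nothing here touches the system: it only prints the commands to run.

# users_on_gid OLD_GID PASSWD_FILE
# Prints "name:uid" for every account in PASSWD_FILE (passwd(5) format,
# e.g. the output of `getent passwd`) whose primary GID equals OLD_GID.
users_on_gid() {
    awk -F: -v gid="$1" '$4 == gid { print $1 ":" $3 }' "$2"
}

# private_gid NAME GROUP_FILE
# Prints the GID of the group called NAME from GROUP_FILE (group(5)
# format, e.g. the output of `getent group`); prints nothing if absent.
private_gid() {
    awk -F: -v name="$1" '$1 == name { print $3; exit }' "$2"
}

# plan_regroup OLD_GID PASSWD_FILE GROUP_FILE
# For each account still on OLD_GID, emit the ipa user-mod call that moves
# it onto its private group and the find/chgrp call that re-owns files in
# its home directory. Accounts without a private group are reported on
# stderr and skipped rather than guessed at.
plan_regroup() {
    users_on_gid "$1" "$2" | while IFS=: read -r name uid; do
        new_gid=$(private_gid "$name" "$3")
        if [ -z "$new_gid" ]; then
            echo "skip $name: no private group named $name" >&2
            continue
        fi
        printf 'ipa user-mod %s --gidnumber=%s\n' "$name" "$new_gid"
        # -xdev keeps find on one filesystem; -user/-gid limit the change
        # to the user's own files that still carry the old group.
        printf 'find /home/%s -xdev -user %s -gid %s -exec chgrp -h %s {} +\n' \
            "$name" "$uid" "$1" "$new_gid"
    done
}

# Constructed sample data standing in for `getent passwd` and `getent group`
# on a migrated client: djscott and bob are still on GID 1002; djscott has
# a private group, bob does not.
make_samples() {
    SAMPLE_PASSWD=$(mktemp)
    SAMPLE_GROUP=$(mktemp)
    cat >"$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
djscott:x:1001:1002:Dan Scott:/home/djscott:/bin/bash
bob:x:1003:1002:Bob:/home/bob:/bin/bash
svc:x:1500:1500:Service:/home/svc:/sbin/nologin
EOF
    cat >"$SAMPLE_GROUP" <<'EOF'
root:x:0:
ipausers-legacy:x:1002:
djscott:x:1001:
svc:x:1500:
EOF
}

# Dry run against the sample data; to plan a real migration, feed the
# output of `getent passwd` and `getent group` instead.
make_samples
plan_regroup 1002 "$SAMPLE_PASSWD" "$SAMPLE_GROUP"
rm -f "$SAMPLE_PASSWD" "$SAMPLE_GROUP"
```

Review the printed plan before running any of it, and expect files outside /home (mail spools, shared directories) to need the environment-specific criteria Dmitri mentions.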
From: simo at redhat.com (Simo Sorce)
Date: Sat, 24 Sep 2011 13:13:55 -0400
Subject: [Freeipa-users] ipa-client-install with anonymous bind disabled?
In-Reply-To: <4E7E0911.8030006@opennms.org>
References: <4E7E0911.8030006@opennms.org>
Message-ID: <1316884435.2684.671.camel@willson.li.ssimo.org>

On Sat, 2011-09-24 at 12:45 -0400, Benjamin Reed wrote:
> We have disabled anonymous bind since we are at times accessing our
> LDAP(s) server over the public internet. How do I specify the right
> credentials to ipa-client-install so that it doesn't give me this error
> when trying to set up a CentOS 5 client?
>
> > # ipa-client-install
> > root : ERROR LDAP Error: Inappropriate authentication:
> Anonymous access is not allowed
> > Failed to verify that connect.opennms.com is an IPA Server.
> > This may mean that the remote server is not up or is not reachable
> > due to network or firewall settings.

Can you please specify what version you are using exactly; this might be a bug we need to file and fix.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ranger at opennms.org Sat Sep 24 17:31:34 2011
From: ranger at opennms.org (Benjamin Reed)
Date: Sat, 24 Sep 2011 13:31:34 -0400
Subject: [Freeipa-users] ipa-client-install with anonymous bind disabled?
In-Reply-To: <1316884435.2684.671.camel@willson.li.ssimo.org>
References: <4E7E0911.8030006@opennms.org> <1316884435.2684.671.camel@willson.li.ssimo.org>
Message-ID: <4E7E13F6.8060406@opennms.org>

On 9/24/11 1:13 PM, Simo Sorce wrote:
> Can you please specify what version you are using exactly; this might be
> a bug we need to file and fix.

IPA server is RHEL6:

# rpm -qa | grep -i ipa
ipa-pki-common-theme-9.0.3-6.el6.noarch
ipa-server-2.0.0-23.el6_1.2.x86_64
ipa-client-2.0.0-23.el6_1.2.x86_64
python-iniparse-0.3.1-2.1.el6.noarch
ipa-admintools-2.0.0-23.el6_1.2.x86_64
ipa-pki-ca-theme-9.0.3-6.el6.noarch
ipa-server-selinux-2.0.0-23.el6_1.2.x86_64
ipa-python-2.0.0-23.el6_1.2.x86_64

Client is RHEL5:

ipa-client-2.0-14.el5_7.1

--
Benjamin Reed
The OpenNMS Group
http://www.opennms.org/

From simo at redhat.com Sat Sep 24 17:40:17 2011
From: simo at redhat.com (Simo Sorce)
Date: Sat, 24 Sep 2011 13:40:17 -0400
Subject: [Freeipa-users] ipa-client-install with anonymous bind disabled?
In-Reply-To: <4E7E13F6.8060406@opennms.org>
References: <4E7E0911.8030006@opennms.org> <1316884435.2684.671.camel@willson.li.ssimo.org> <4E7E13F6.8060406@opennms.org>
Message-ID: <1316886017.2684.672.camel@willson.li.ssimo.org>

On Sat, 2011-09-24 at 13:31 -0400, Benjamin Reed wrote:
> On 9/24/11 1:13 PM, Simo Sorce wrote:
> > Can you please specify what version you are using exactly; this might be
> > a bug we need to file and fix.
>
> IPA server is RHEL6:
>
> # rpm -qa | grep -i ipa
> ipa-pki-common-theme-9.0.3-6.el6.noarch
> ipa-server-2.0.0-23.el6_1.2.x86_64
> ipa-client-2.0.0-23.el6_1.2.x86_64
> python-iniparse-0.3.1-2.1.el6.noarch
> ipa-admintools-2.0.0-23.el6_1.2.x86_64
> ipa-pki-ca-theme-9.0.3-6.el6.noarch
> ipa-server-selinux-2.0.0-23.el6_1.2.x86_64
> ipa-python-2.0.0-23.el6_1.2.x86_64
>
> Client is RHEL5:
>
> ipa-client-2.0-14.el5_7.1
>

Confirmed to be a bug in the tool after discussion on IRC. Bugzilla to follow and we'll handle it next week.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From sigbjorn at nixtra.com Sun Sep 25 09:14:49 2011
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Sun, 25 Sep 2011 11:14:49 +0200
Subject: [Freeipa-users] Client re-installation
Message-ID: <4E7EF109.4050408@nixtra.com>

Hi,

When a client is re-installed and the ipa-client-install script is run, the kerberos host keytab /etc/krb5.keytab is not retrieved and placed on the client. Why?

If I unprovision the host before reinstalling the client and running ipa-client-install, a new keytab is placed on the client.

The keytab should be retrieved and installed on the client, regardless of whether the host has been provisioned before...?

Regards,
Siggi

From sigbjorn at nixtra.com Sun Sep 25 21:49:26 2011
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Sun, 25 Sep 2011 23:49:26 +0200
Subject: [Freeipa-users] Certificate error when modifying/deleting a host
Message-ID: <4E7FA1E6.6050409@nixtra.com>

Hi,

I have a host that refuses to be modified or deleted. I get the same error from the webui and the cli. I am using F15, FreeIPA 2.1.1 + all updates from the updates repository. I cannot find any error in any log. I have tried to reboot my ipa servers. All services seem to be running and have no issues.

The error message I receive is:

* Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)

I have looked in the Dogtag Certificate Manager, and I can see the certificate. It's still valid, and holds the same serial number as what is displayed using ipa host-show .

Any suggestions?

Rgds,
Siggi

From sigbjorn at nixtra.com Sun Sep 25 22:01:40 2011
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Mon, 26 Sep 2011 00:01:40 +0200
Subject: [Freeipa-users] Certificate error when modifying/deleting a host
In-Reply-To: <4E7FA1E6.6050409@nixtra.com>
References: <4E7FA1E6.6050409@nixtra.com>
Message-ID: <4E7FA4C4.6030909@nixtra.com>

On 09/25/2011 11:49 PM, Sigbjorn Lie wrote:
>
> Hi,
>
> I have a host that refuses to be modified or deleted. I get the same
> error from the webui and the cli. I am using F15, FreeIPA 2.1.1 + all
> updates from the updates repository. I cannot find any error in any
> log. I have tried to reboot my ipa servers. All services seem to be
> running and have no issues.
>
> The error message I receive is:
>
> * Certificate operation cannot be completed: Unable to communicate
> with CMS (Not Found)
>
>
> I have looked in the Dogtag Certificate Manager, and I can see the
> certificate. It's still valid, and holds the same serial number as
> what is displayed using ipa host-show .
>
> Any suggestions?
>

There was more than one host. I notice that the hosts with an issue are the Fedora 15 joined hosts. These were joined using the ipa-client-install command. Accessing any of these hosts in the gui yields the same error message. However I do not receive any error when looking at the host entry for my ipa servers, which are also Fedora 15.

Any Red Hat 5 or Red Hat 6 joined hosts do not seem to have a certificate in the dogtag, and the error is not displayed when accessing these in the webui.

Rgds,
Siggi

From Steven.Jones at vuw.ac.nz Mon Sep 26 03:10:50 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Mon, 26 Sep 2011 03:10:50 +0000
Subject: [Freeipa-users] libcurl fix
Message-ID: <833D8E48405E064EBC54C84EC6B36E403EB9CDBF@STAWINCOX10MBX1.staff.vuw.ac.nz>

Is there an ETA yet?

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ

From sigbjorn at nixtra.com Mon Sep 26 10:14:12 2011
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Mon, 26 Sep 2011 12:14:12 +0200 (CEST)
Subject: [Freeipa-users] libcurl fix
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E403EB9CDBF@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E403EB9CDBF@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <32524.213.225.75.97.1317032052.squirrel@www.nixtra.com>

My systems are updated (RHEL5/6 and Fedora 15) to the latest available version from the respective repositories. And I have no issues with libcurl.

I noticed updates from RHN a few weeks back. My current RHEL6 pkg: libcurl-7.19.7-26.el6_1.2.x86_64.

Rgds,
Siggi

On Mon, September 26, 2011 05:10, Steven Jones wrote:
> Is there an ETA yet?
>
> regards
>
> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ

From jhrozek at redhat.com Mon Sep 26 11:18:37 2011
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Mon, 26 Sep 2011 13:18:37 +0200
Subject: [Freeipa-users] libcurl fix
In-Reply-To: <32524.213.225.75.97.1317032052.squirrel@www.nixtra.com>
References: <833D8E48405E064EBC54C84EC6B36E403EB9CDBF@STAWINCOX10MBX1.staff.vuw.ac.nz> <32524.213.225.75.97.1317032052.squirrel@www.nixtra.com>
Message-ID: <20110926111837.GE16451@zeppelin.brq.redhat.com>

On Mon, Sep 26, 2011 at 12:14:12PM +0200, Sigbjorn Lie wrote:
> My systems are updated (RHEL5/6 and Fedora 15) to latest available version from the respective
> repositories. And I have no issues with libcurl.
>
> I noticed updates from RHN a few weeks back. My current RHEL6 pkg: libcurl-7.19.7-26.el6_1.2.x86_64.
>

That's the one according to the changelog:

* Wed Aug 03 2011 Kamil Dudka 7.19.7-26.el6_1.2
- add a new option CURLOPT_GSSAPI_DELEGATION (#727882)

From g17jimmy at gmail.com Mon Sep 26 17:51:33 2011
From: g17jimmy at gmail.com (Jimmy)
Date: Mon, 26 Sep 2011 13:51:33 -0400
Subject: [Freeipa-users] Using FreeIPA web interface from a windows client(IE)
In-Reply-To: <4E7CDE9E.6080707@redhat.com>
References: <4E7CDE9E.6080707@redhat.com>
Message-ID:

I'm testing with firefox now and have set the network.negotiate-auth.trusted-uris but the FreeIPA web interface says my "kerberos ticket is no longer valid" even though the MIT KFW has a current, valid ticket. I only see that as a configuration setting for Firefox for this functionality. Anything else I'm missing?

On Fri, Sep 23, 2011 at 3:31 PM, Rob Crittenden wrote:
> Jimmy wrote:
>
>> I have been using the interface from a Linux client on Firefox just
>> fine, but now I need to configure a windows client to access the web
>> interface. I have the win7 client logged in using a FreeIPA user,
>> authenticated against the realm, and when I browse to the web page I
>> still get another log in box but no matter what I do not get access, or
>> the browser cannot access the ticket the system has. I enabled the
>> "Enable Integrated Windows Authentication" option in IE. After that
>> wasn't working I even installed the MIT KFW to make sure I was really
>> getting a ticket(not really expecting that it would fix the problem.)
>>
>> I am searching for this fix actively, but figured I'd ask here in case
>> someone had the answer at hand.
>>
>
> Firefox in Windows will work with the MIT client but not IE. For IE to work
> you need to enable fake basic auth fallback,
> http://freeipa.org/page/UIPasswordAuth . This isn't really ideal but the
> only workaround we know of.
>
> rob
>

From g17jimmy at gmail.com Mon Sep 26 18:07:36 2011
From: g17jimmy at gmail.com (Jimmy)
Date: Mon, 26 Sep 2011 14:07:36 -0400
Subject: [Freeipa-users] Using FreeIPA web interface from a windows client(IE)
In-Reply-To:
References: <4E7CDE9E.6080707@redhat.com>
Message-ID:

Correction, the error I'm getting is "IPA Error 1101 - did not receive Kerberos credentials" and I do not see anything in the server logs.

On Mon, Sep 26, 2011 at 1:51 PM, Jimmy wrote:
> I'm testing with firefox now and have set the
> network.negotiate-auth.trusted-uris but the FreeIPA web interface says my
> "kerberos ticket is no longer valid" even though the MIT KFW has a current,
> valid ticket. I only see that as a configuration setting for Firefox for
> this functionality. Anything else I'm missing?
>
>
> On Fri, Sep 23, 2011 at 3:31 PM, Rob Crittenden wrote:
>
>> Jimmy wrote:
>>
>>> I have been using the interface from a Linux client on Firefox just
>>> fine, but now I need to configure a windows client to access the web
>>> interface. I have the win7 client logged in using a FreeIPA user,
>>> authenticated against the realm, and when I browse to the web page I
>>> still get another log in box but no matter what I do not get access, or
>>> the browser cannot access the ticket the system has. I enabled the
>>> "Enable Integrated Windows Authentication" option in IE. After that
>>> wasn't working I even installed the MIT KFW to make sure I was really
>>> getting a ticket(not really expecting that it would fix the problem.)
>>>
>>> I am searching for this fix actively, but figured I'd ask here in case
>>> someone had the answer at hand.
>>>
>>
>> Firefox in Windows will work with the MIT client but not IE. For IE to
>> work you need to enable fake basic auth fallback,
>> http://freeipa.org/page/UIPasswordAuth . This isn't really ideal but the
>> only workaround we know of.
>>
>> rob
>>
>

From simo at redhat.com Mon Sep 26 18:32:34 2011
From: simo at redhat.com (Simo Sorce)
Date: Mon, 26 Sep 2011 14:32:34 -0400
Subject: [Freeipa-users] Using FreeIPA web interface from a windows client(IE)
In-Reply-To:
References: <4E7CDE9E.6080707@redhat.com>
Message-ID: <1317061954.15918.2.camel@willson.li.ssimo.org>

On Mon, 2011-09-26 at 14:07 -0400, Jimmy wrote:
> Correction, the error I'm getting is "IPA Error 1101 - did not receive
> Kerberos credentials" and I do not see anything in the server logs.

You need to enable forwarding of credentials too.

Simo.

> On Mon, Sep 26, 2011 at 1:51 PM, Jimmy wrote:
> I'm testing with firefox now and have set the
> network.negotiate-auth.trusted-uris but the FreeIPA web
> interface says my "kerberos ticket is no longer valid" even
> though the MIT KFW has a current, valid ticket. I only see
> that as a configuration setting for Firefox for this
> functionality. Anything else I'm missing?
>
> On Fri, Sep 23, 2011 at 3:31 PM, Rob Crittenden wrote:
> Jimmy wrote:
> I have been using the interface from a Linux client on Firefox just
> fine, but now I need to configure a windows client to access the web
> interface. I have the win7 client logged in using a FreeIPA user,
> authenticated against the realm, and when I browse to the web page I
> still get another log in box but no matter what I do not get access, or
> the browser cannot access the ticket the system has. I enabled the
> "Enable Integrated Windows Authentication" option in IE. After that
> wasn't working I even installed the MIT KFW to make sure I was really
> getting a ticket(not really expecting that it would fix the problem.)
>
> I am searching for this fix actively, but figured I'd ask here in case
> someone had the answer at hand.
>
> Firefox in Windows will work with the MIT client but not IE. For IE to
> work you need to enable fake basic auth fallback,
> http://freeipa.org/page/UIPasswordAuth . This isn't really ideal but the
> only workaround we know of.
>
> rob

-- 
Simo Sorce * Red Hat, Inc * New York

From sigbjorn at nixtra.com Mon Sep 26 21:22:07 2011
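Simo's answer is that setting network.negotiate-auth.trusted-uris only lets Firefox present a Kerberos ticket; the IPA web UI additionally needs the ticket forwarded, which in Firefox is the separate preference network.negotiate-auth.delegation-uris (a standard Firefox setting, not named anywhere in this thread). The checker below is an added example, not code from FreeIPA or from anyone in this thread: it parses user_pref() lines as they appear in a Firefox prefs.js or user.js, reports whether a given IPA host is covered by both preferences, and flags delegation entries so broad that a forwardable TGT would be handed to unrelated sites. The prefs strings are constructed for the example; the host name ipasrv01.ix.test.com is the one that appears later in this archive, and the suffix-matching rule approximates how Firefox matches these lists.

```python
"""Check Firefox SPNEGO preferences for a FreeIPA web UI host (added example)."""
import re

# user_pref("name", "value");  -- the form used in prefs.js / user.js
PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*"((?:[^"\\]|\\.)*)"\);')

TRUSTED = 'network.negotiate-auth.trusted-uris'      # may send a Kerberos ticket
DELEGATION = 'network.negotiate-auth.delegation-uris'  # may also forward the TGT


def parse_prefs(text):
    """Return {pref_name: value} for the string preferences found in text."""
    return {m.group(1): m.group(2) for m in PREF_RE.finditer(text)}


def _normalize(entry):
    """Lower-case one list entry, drop an optional scheme and a leading dot."""
    entry = re.sub(r'^[a-z]+://', '', entry.strip().lower())
    return entry[1:] if entry.startswith('.') else entry


def _matches(entry, host):
    """Approximation of Firefox's rule: an entry covers a host when the host
    equals it or is a sub-domain of it ('ix.test.com' covers 'ipasrv01.ix.test.com')."""
    entry = _normalize(entry)
    host = host.lower()
    return bool(entry) and (host == entry or host.endswith('.' + entry))


def covers(pref_value, host):
    """True if any comma-separated entry of a negotiate-auth list covers host."""
    return any(_matches(e, host) for e in pref_value.split(','))


def too_broad(pref_value):
    """An entry with no dot left after normalisation (e.g. '.com' or 'com')
    would match every host under a whole TLD."""
    for e in pref_value.split(','):
        n = _normalize(e)
        if n and '.' not in n:
            return True
    return False


def check_ipa_host(prefs, host):
    """The three findings a practitioner cares about, as a dict of booleans."""
    return {
        'ticket_sent': covers(prefs.get(TRUSTED, ''), host),
        'ticket_forwarded': covers(prefs.get(DELEGATION, ''), host),
        'delegation_too_broad': too_broad(prefs.get(DELEGATION, '')),
    }


def diagnose(prefs_text, host):
    """One-line verdict for a prefs file and an IPA server host name."""
    r = check_ipa_host(parse_prefs(prefs_text), host)
    if not r['ticket_sent']:
        return 'no-negotiate: host not in ' + TRUSTED
    if not r['ticket_forwarded']:
        return 'no-delegation: host not in ' + DELEGATION
    if r['delegation_too_broad']:
        return 'ok-but-broad: ' + DELEGATION + ' would forward the TGT to unrelated sites'
    return 'ok'


# Constructed sample prefs (not from any real profile).
SAMPLE_PREFS = '''\
user_pref("network.negotiate-auth.trusted-uris", "ipasrv01.ix.test.com");
user_pref("network.negotiate-auth.delegation-uris", "");
'''
FIXED_PREFS = '''\
user_pref("network.negotiate-auth.trusted-uris", "ipasrv01.ix.test.com");
user_pref("network.negotiate-auth.delegation-uris", "ipasrv01.ix.test.com");
'''
BROAD_PREFS = '''\
user_pref("network.negotiate-auth.trusted-uris", ".test.com");
user_pref("network.negotiate-auth.delegation-uris", ".com");
'''

if __name__ == '__main__':
    for name, text in (('sample', SAMPLE_PREFS), ('fixed', FIXED_PREFS), ('broad', BROAD_PREFS)):
        print(name, '->', diagnose(text, 'ipasrv01.ix.test.com'))
```

Scope both lists to the IPA server (or its DNS domain) rather than a TLD or a bare dot: the delegation list decides which web servers receive a copy of the user's TGT, so it deserves the same scrutiny as any other credential-sharing setting.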
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Mon, 26 Sep 2011 23:22:07 +0200
Subject: [Freeipa-users] Certificate error when modifying/deleting a host
In-Reply-To: <4E7FA4C4.6030909@nixtra.com>
References: <4E7FA1E6.6050409@nixtra.com> <4E7FA4C4.6030909@nixtra.com>
Message-ID: <4E80ECFF.7000409@nixtra.com>

On 09/26/2011 12:01 AM, Sigbjorn Lie wrote:
> On 09/25/2011 11:49 PM, Sigbjorn Lie wrote:
>>
>> Hi,
>>
>> I have a host that refuses to be modified or deleted. I get the same
>> error from the webui and the cli. I am using F15, FreeIPA 2.1.1 + all
>> updates from the updates repository. I cannot find any error in any
>> log. I have tried to reboot my ipa servers. All services seem to be
>> running and have no issues.
>>
>> The error message I receive is:
>>
>> * Certificate operation cannot be completed: Unable to
>> communicate with CMS (Not Found)
>>
>>
>> I have looked in the Dogtag Certificate Manager, and I can see the
>> certificate. It's still valid, and holds the same serial number as
>> what is displayed using ipa host-show .
>>
>> Any suggestions?
>>
>
> There was more than one host. I notice that the hosts with an issue
> are the Fedora 15 joined hosts. These were joined using the
> ipa-client-install command. Accessing any of these hosts in the gui
> yields the same error message.
>
> However I do not receive any error when looking at the host entry for my
> ipa servers, which are also Fedora 15.
>
> Any Red Hat 5 or Red Hat 6 joined hosts do not seem to have a
> certificate in the dogtag, and the error is not displayed when
> accessing these in the webui.

Ticket opened: https://bugzilla.redhat.com/show_bug.cgi?id=741458

From dpal at redhat.com Mon Sep 26 22:34:17 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 26 Sep 2011 18:34:17 -0400
Subject: [Freeipa-users] Certificate error when modifying/deleting a host
In-Reply-To: <4E7FA1E6.6050409@nixtra.com>
References: <4E7FA1E6.6050409@nixtra.com>
Message-ID: <4E80FDE9.2010504@redhat.com>

On 09/25/2011 05:49 PM, Sigbjorn Lie wrote:
>
> Hi,
>
> I have a host that refuses to be modified or deleted. I get the same
> error from the webui and the cli. I am using F15, FreeIPA 2.1.1 + all
> updates from the updates repository. I cannot find any error in any
> log. I have tried to reboot my ipa servers. All services seem to be
> running and have no issues.
>
> The error message I receive is:
>
> * Certificate operation cannot be completed: Unable to communicate
> with CMS (Not Found)
>
>
> I have looked in the Dogtag Certificate Manager, and I can see the
> certificate. It's still valid, and holds the same serial number as
> what is displayed using ipa host-show .
>
> Any suggestions?
>

Can you please send the sanitized apache logs?

> Rgds,
> Siggi
>

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From dpal at redhat.com Mon Sep 26 22:36:24 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 26 Sep 2011 18:36:24 -0400
Subject: [Freeipa-users] Client re-installation
In-Reply-To: <4E7EF109.4050408@nixtra.com>
References: <4E7EF109.4050408@nixtra.com>
Message-ID: <4E80FE68.7010802@redhat.com>

On 09/25/2011 05:14 AM, Sigbjorn Lie wrote:
> Hi,
>
> When a client is re-installed and the ipa-client-install script is
> run, the kerberos host keytab /etc/krb5.keytab is not retrieved and
> placed on the client. Why?
>
> If I unprovision the host before reinstalling the client and running
> ipa-client-install, a new keytab is placed on the client.
>
> The keytab should be retrieved and installed on the client, despite if
> the host has been provisioned before...?
>
>
> Regards,
> Siggi
>

Is this with the latest? I remember there was some fixing of the keytab regeneration logic recently. But it was not released with 2.1.2 yet.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From raal.goff at zettaserve.com Tue Sep 27 07:24:24 2011
From: raal.goff at zettaserve.com (Goff, Raal)
Date: Tue, 27 Sep 2011 15:24:24 +0800
Subject: [Freeipa-users] Change Password problems (Unsupported Version)
Message-ID:

Hi,

My IPA 2.0 master-slave setup has been working fine up until this week when users started getting problems updating their password due to expiry. Users get the following error when using kpasswd to update their passwords:

kinit: krb5_get_init_creds: Unable to reach any changepw server in realm EXAMPLE.COM

The only error I seem to find in the logs is unhelpful:

Sep 27 15:16:12 ipa1 kpasswd[2689]: Unsupported version
Sep 27 15:16:43 ipa1 kpasswd[2692]: Unsupported version

Additionally, it seems some users can reset their passwords, but the error still appears in the logs, and on the client software:

Sep 27 15:08:52 ipa1 kpasswd[2630]: Unsupported version
Sep 27 15:09:23 ipa1 kpasswd[2633]: Unsupported version
Sep 27 15:09:54 ipa1 kpasswd[2637]: Password change succeeded

It looks like 'Unsupported version' is a reference to 'krb5_kdb_bad_version: Unsupported version in database entry' in the kerberos software, but I can't find any more information regarding it.

Has anyone come across this before? Is there any way to recover from it?

Regards,

-R

ZettaServe Disclaimer: This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately if you have received this email by mistake and delete this email from your system. Computer viruses can be transmitted via email. The recipient should check this email and any attachments for the presence of viruses. ZettaServe Pty Ltd accepts no liability for any damage caused by any virus transmitted by this email.

From dpal at redhat.com Tue Sep 27 14:49:29 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Tue, 27 Sep 2011 10:49:29 -0400
Subject: [Freeipa-users] Change Password problems (Unsupported Version)
In-Reply-To:
References:
Message-ID: <4E81E279.9060301@redhat.com>

On 09/27/2011 03:24 AM, Goff, Raal wrote:
> Hi,
>
> My IPA 2.0 master-slave setup has been working fine up until this week when users started getting problems updating their password due to expiry. Users get the following error when using kpasswd to update their passwords:
>
> kinit: krb5_get_init_creds: Unable to reach any changepw server in realm EXAMPLE.COM
>
> The only error I seem to find in the logs is unhelpful:
>
> Sep 27 15:16:12 ipa1 kpasswd[2689]: Unsupported version
> Sep 27 15:16:43 ipa1 kpasswd[2692]: Unsupported version
>
> Additionally, it seems some users can reset their passwords, but the error still appears in the logs, and on the client software:
>
> Sep 27 15:08:52 ipa1 kpasswd[2630]: Unsupported version
> Sep 27 15:09:23 ipa1 kpasswd[2633]: Unsupported version
> Sep 27 15:09:54 ipa1 kpasswd[2637]: Password change succeeded
>
> It looks like 'Unsupported version' is a reference to 'krb5_kdb_bad_version: Unsupported version in database entry' in the kerberos software, but I can't find any more information regarding it.
>
> Has anyone come across this before? Is there any way to recover from it?
>

Is there anything related to KRB4 around? Can it be that your client is KRB4?

> Regards,
>
> -R
>

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From nalin at redhat.com Tue Sep 27 16:27:42 2011
From: nalin at redhat.com (Nalin Dahyabhai)
Date: Tue, 27 Sep 2011 12:27:42 -0400
Subject: [Freeipa-users] Change Password problems (Unsupported Version)
In-Reply-To:
References:
Message-ID: <20110927162742.GC6970@redhat.com>

On Tue, Sep 27, 2011 at 03:24:24PM +0800, Goff, Raal wrote:
> My IPA 2.0 master-slave setup has been working fine up until this week when users started getting problems updating their password due to expiry. Users get the following error when using kpasswd to update their passwords:
>
> kinit: krb5_get_init_creds: Unable to reach any changepw server in realm EXAMPLE.COM
>
> The only error I seem to find in the logs is unhelpful:
>
> Sep 27 15:16:12 ipa1 kpasswd[2689]: Unsupported version
> Sep 27 15:16:43 ipa1 kpasswd[2692]: Unsupported version

Those correlate - the ipa_kpasswd daemon logs these messages when it sees a password-change request with an internal version number that doesn't match the version of the protocol that it handles. The client gets no reply, and because it's connectionless, it assumes that it was not able to contact a server.

> Additionally, it seems some users can reset their passwords, but the error still appears in the logs, and on the client software:
>
> Sep 27 15:08:52 ipa1 kpasswd[2630]: Unsupported version
> Sep 27 15:09:23 ipa1 kpasswd[2633]: Unsupported version
> Sep 27 15:09:54 ipa1 kpasswd[2637]: Password change succeeded

Are the users who can change their passwords using different client software (specifically, versions of Kerberos, which supplies the kpasswd command) compared to the users who can't? If you can get a packet capture of a client request, we can examine the first few bytes to check what's triggering the failure.

HTH,

Nalin

From sigbjorn at nixtra.com Tue Sep 27 19:54:33 2011
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Tue, 27 Sep 2011 21:54:33 +0200
Subject: [Freeipa-users] Certificate error when modifying/deleting a host
In-Reply-To: <4E80FDE9.2010504@redhat.com>
References: <4E7FA1E6.6050409@nixtra.com> <4E80FDE9.2010504@redhat.com>
Message-ID: <4E8229F9.3050400@nixtra.com>

On 09/27/2011 12:34 AM, Dmitri Pal wrote:
> On 09/25/2011 05:49 PM, Sigbjorn Lie wrote:
>>
>> Hi,
>>
>> I have a host that refuses to be modified or deleted. I get the same
>> error from the webui and the cli. I am using F15, FreeIPA 2.1.1 + all
>> updates from the updates repository. I cannot find any error in any
>> log. I have tried to reboot my ipa servers. All services seem to be
>> running and have no issues.
>>
>> The error message I receive is:
>>
>> * Certificate operation cannot be completed: Unable to
>> communicate with CMS (Not Found)
>>
>>
>> I have looked in the Dogtag Certificate Manager, and I can see the
>> certificate. It's still valid, and holds the same serial number as
>> what is displayed using ipa host-show .
>>
>> Any suggestions?
>>
>>
>
> Can you please send the sanitized apache logs?
>

These are the apache log lines that correspond to # ipa host-disable . I have no config files in my /etc/httpd/conf.d/ directory that contain any reference to the /ca directory. Also /var/www/html/ca does not exist.

I notice that the freeipa-server-2.1.1-1.fc15.x86_64 rpm lists a file /etc/httpd/conf.d/ipa-pki-proxy.conf. However this file does not exist on any of my 3 IPA servers.

Should that file contain an alias and proxy rules for /ca/ ?

error_log:
[Tue Sep 27 21:44:01 2011] [error] ipa: INFO: admin@IX.TEST.COM: ping(): SUCCESS
[Tue Sep 27 21:44:02 2011] [error] ipa: INFO: sslget 'https://ipasrv01.ix.TEST.com:443/ca/agent/ca/displayBySerial'
[Tue Sep 27 21:44:02 2011] [error] [client 192.168.210.20] File does not exist: /var/www/html/ca
[Tue Sep 27 21:44:02 2011] [error] ipa: INFO: admin@IX.TEST.COM: host_disable(u'bck01.ix.TEST.com'): CertificateOperationError
[Tue Sep 27 21:44:08 2011] [error] ipa: INFO: admin@IX.TEST.COM: ping(): SUCCESS
[Tue Sep 27 21:44:09 2011] [error] ipa: INFO: sslget 'https://ipasrv01.ix.TEST.com:443/ca/agent/ca/displayBySerial'
[Tue Sep 27 21:44:09 2011] [error] [client 192.168.210.20] File does not exist: /var/www/html/ca
[Tue Sep 27 21:44:09 2011] [error] ipa: INFO: admin@IX.TEST.COM: cert_show(u'268369923'): CertificateOperationError

access_log:
192.168.210.20 - admin@IX.TEST.COM [27/Sep/2011:21:44:00 +0200] "POST /ipa/xml HTTP/1.1" 200 259
192.168.210.20 - - [27/Sep/2011:21:44:02 +0200] "POST /ca/agent/ca/displayBySerial HTTP/1.1" 404 314
192.168.210.20 - admin@IX.TEST.COM [27/Sep/2011:21:44:01 +0200] "POST /ipa/xml HTTP/1.1" 200 360
192.168.210.20 - admin@IX.TEST.COM [27/Sep/2011:21:44:07 +0200] "POST /ipa/xml HTTP/1.1" 200 259
192.168.210.20 - - [27/Sep/2011:21:44:09 +0200] "POST /ca/agent/ca/displayBySerial HTTP/1.1" 404 314
192.168.210.20 - admin@IX.TEST.COM [27/Sep/2011:21:44:08 +0200] "POST /ipa/xml HTTP/1.1" 200 360

From sigbjorn at nixtra.com Tue Sep 27 20:22:10 2011
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Tue, 27 Sep 2011 22:22:10 +0200
Subject: [Freeipa-users] Certificate error when modifying/deleting a host
In-Reply-To: <4E8229F9.3050400@nixtra.com>
References: <4E7FA1E6.6050409@nixtra.com> <4E80FDE9.2010504@redhat.com> <4E8229F9.3050400@nixtra.com>
Message-ID: <4E823072.1010808@nixtra.com>

On 09/27/2011 09:54 PM, Sigbjorn Lie wrote:
> On 09/27/2011 12:34 AM, Dmitri Pal wrote:
>> On 09/25/2011 05:49 PM, Sigbjorn Lie wrote:
>>>
>>> Hi,
>>>
>>> I have a host that refuses to be modified or deleted. I get the same
>>> error from the webui and the cli. I am using F15, FreeIPA 2.1.1 +
>>> all updates from the updates repository. I cannot find any error in
>>> any log. I have tried to reboot my ipa servers. All services seem to
>>> be running and have no issues.
>>>
>>> The error message I receive is:
>>>
>>> * Certificate operation cannot be completed: Unable to
>>> communicate with CMS (Not Found)
>>>
>>>
>>> I have looked in the Dogtag Certificate Manager, and I can see the
>>> certificate. It's still valid, and holds the same serial number as
>>> what is displayed using ipa host-show .
>>>
>>> Any suggestions?
>>>
>>>
>>
>> Can you please send the sanitized apache logs?
>>
>
>
> These are the apache log lines that correspond to # ipa host-disable
> . I have no config files in
> my /etc/httpd/conf.d/ directory that contain any reference to the /ca
> directory. Also /var/www/html/ca does not exist.
>
> I notice that the freeipa-server-2.1.1-1.fc15.x86_64 rpm lists a file
> /etc/httpd/conf.d/ipa-pki-proxy.conf. However this file does not exist
> on any of my 3 IPA servers.
>
> Should that file contain an alias and proxy rules for /ca/ ?
>
>
> error_log:
> [Tue Sep 27 21:44:01 2011] [error] ipa: INFO: admin@IX.TEST.COM: ping(): SUCCESS
> [Tue Sep 27 21:44:02 2011] [error] ipa: INFO: sslget 'https://ipasrv01.ix.TEST.com:443/ca/agent/ca/displayBySerial'
> [Tue Sep 27 21:44:02 2011] [error] [client 192.168.210.20] File does not exist: /var/www/html/ca
> [Tue Sep 27 21:44:02 2011] [error] ipa: INFO: admin@IX.TEST.COM: host_disable(u'bck01.ix.TEST.com'): CertificateOperationError
> [Tue Sep 27 21:44:08 2011] [error] ipa: INFO: admin@IX.TEST.COM: ping(): SUCCESS
> [Tue Sep 27 21:44:09 2011] [error] ipa: INFO: sslget 'https://ipasrv01.ix.TEST.com:443/ca/agent/ca/displayBySerial'
> [Tue Sep 27 21:44:09 2011] [error] [client 192.168.210.20] File does not exist: /var/www/html/ca
> [Tue Sep 27 21:44:09 2011] [error] ipa: INFO: admin@IX.TEST.COM: cert_show(u'268369923'): CertificateOperationError
>
> access_log:
> 192.168.210.20 - admin@IX.TEST.COM [27/Sep/2011:21:44:00 +0200] "POST /ipa/xml HTTP/1.1" 200 259
> 192.168.210.20 - - [27/Sep/2011:21:44:02 +0200] "POST /ca/agent/ca/displayBySerial HTTP/1.1" 404 314
> 192.168.210.20 - admin@IX.TEST.COM [27/Sep/2011:21:44:01 +0200] "POST /ipa/xml HTTP/1.1" 200 360
> 192.168.210.20 - admin@IX.TEST.COM [27/Sep/2011:21:44:07 +0200] "POST /ipa/xml HTTP/1.1" 200 259
> 192.168.210.20 - - [27/Sep/2011:21:44:09 +0200] "POST /ca/agent/ca/displayBySerial HTTP/1.1" 404 314
> 192.168.210.20 - admin@IX.TEST.COM [27/Sep/2011:21:44:08 +0200] "POST /ipa/xml HTTP/1.1" 200 360
>
>

I found the missing file in /usr/share/ipa/ipa-pki-proxy.conf. I copied this file into /etc/httpd/conf.d/ipa-pki-proxy.conf. The port numbers seemed incorrect. They were pointing at ajp://localhost:9447/, which is a port that's not responding to anything. "netstat -nat" agrees...nothing there.

"/etc/init.d/pki-cad status" seems to indicate that the correct port is 9443? I changed the port number to 9443 in the ipa-pki-proxy.conf file, and restarted httpd. And attempted to disable the host:

# ipa host-disable bck01.ix.test.com
ipa: ERROR: Certificate format error: [Errno -8192] (SEC_ERROR_IO) An I/O error occurred during security authorization.

Using Firefox to access https://ipasrv01.ix.test.com:9443/ca/agent/ca yields:

Secure Connection Failed
An error occurred during a connection to ipasrv01.ix.test.com:9443.
SSL peer cannot verify your certificate.
(Error code: ssl_error_bad_cert_alert)

Am I heading in the incorrect direction here? Or does the pki-cad service have some cert issues?

From simo at redhat.com Tue Sep 27 20:46:00 2011
From: simo at redhat.com (Simo Sorce)
Date: Tue, 27 Sep 2011 16:46:00 -0400
Subject: [Freeipa-users] Certificate error when modifying/deleting a host
In-Reply-To: <4E823072.1010808@nixtra.com>
References: <4E7FA1E6.6050409@nixtra.com> <4E80FDE9.2010504@redhat.com> <4E8229F9.3050400@nixtra.com> <4E823072.1010808@nixtra.com>
Message-ID: <1317156360.15918.12.camel@willson.li.ssimo.org>

On Tue, 2011-09-27 at 22:22 +0200, Sigbjorn Lie wrote:
> On 09/27/2011 09:54 PM, Sigbjorn Lie wrote:
> > On 09/27/2011 12:34 AM, Dmitri Pal wrote:
> > > On 09/25/2011 05:49 PM, Sigbjorn Lie wrote:
> > > > Hi,
> > > >
> > > > I have a host that refuses to be modified or deleted. I get the
> > > > same error from the webui and the cli. I am using F15, FreeIPA
> > > > 2.1.1 + all updates from the updates repository. I cannot find
> > > > any error in any log. I have tried to reboot my ipa servers. All
> > > > services seem to be running and have no issues.
> > > >
> > > > The error message I receive is:
> > > > * Certificate operation cannot be completed: Unable to
> > > > communicate with CMS (Not Found)
> > > >
> > > > I have looked in the Dogtag Certificate Manager, and I can see
> > > > the certificate. It's still valid, and holds the same serial
> > > > number as what is displayed using ipa host-show .
> > > >
> > > > Any suggestions?
> > > >
> > >
> > > Can you please send the sanitized apache logs?
> > >
> >
> > These are the apache log lines that correspond to # ipa host-disable
> > . I have no config files in
> > my /etc/httpd/conf.d/ directory that contain any reference to
> > the /ca directory. Also /var/www/html/ca does not exist.
> >
> > I notice that the freeipa-server-2.1.1-1.fc15.x86_64 rpm lists a
> > file /etc/httpd/conf.d/ipa-pki-proxy.conf. However this file does
> > not exist on any of my 3 IPA servers.
> >
> > Should that file contain an alias and proxy rules for /ca/ ?
> >
> > error_log:
> > [Tue Sep 27 21:44:01 2011] [error] ipa: INFO: admin@IX.TEST.COM: ping(): SUCCESS
> > [Tue Sep 27 21:44:02 2011] [error] ipa: INFO: sslget 'https://ipasrv01.ix.TEST.com:443/ca/agent/ca/displayBySerial'
> > [Tue Sep 27 21:44:02 2011] [error] [client 192.168.210.20] File does not exist: /var/www/html/ca
> > [Tue Sep 27 21:44:02 2011] [error] ipa: INFO: admin@IX.TEST.COM: host_disable(u'bck01.ix.TEST.com'): CertificateOperationError
> > [Tue Sep 27 21:44:08 2011] [error] ipa: INFO: admin@IX.TEST.COM: ping(): SUCCESS
> > [Tue Sep 27 21:44:09 2011] [error] ipa: INFO: sslget 'https://ipasrv01.ix.TEST.com:443/ca/agent/ca/displayBySerial'
> > [Tue Sep 27 21:44:09 2011] [error] [client 192.168.210.20] File does not exist: /var/www/html/ca
> > [Tue Sep 27 21:44:09 2011] [error] ipa: INFO: admin@IX.TEST.COM: cert_show(u'268369923'): CertificateOperationError
> >
> > access_log:
> > 192.168.210.20 - admin@IX.TEST.COM [27/Sep/2011:21:44:00 +0200] "POST /ipa/xml HTTP/1.1" 200 259
> > 192.168.210.20 - - [27/Sep/2011:21:44:02 +0200] "POST /ca/agent/ca/displayBySerial HTTP/1.1" 404 314
> > 192.168.210.20 - admin@IX.TEST.COM [27/Sep/2011:21:44:01 +0200] "POST /ipa/xml HTTP/1.1" 200 360
> > 192.168.210.20 - admin@IX.TEST.COM [27/Sep/2011:21:44:07 +0200] "POST /ipa/xml HTTP/1.1" 200 259
> > 192.168.210.20 - - [27/Sep/2011:21:44:09 +0200] "POST /ca/agent/ca/displayBySerial HTTP/1.1" 404 314
> > 192.168.210.20 - admin@IX.TEST.COM [27/Sep/2011:21:44:08 +0200] "POST /ipa/xml HTTP/1.1" 200 360
> >
>
> I found the missing file in /usr/share/ipa/ipa-pki-proxy.conf. I
> copied this file into /etc/httpd/conf.d/ipa-pki-proxy.conf. The port
> numbers seemed incorrect. They were pointing at
> ajp://localhost:9447/, which is a port that's not responding to
> anything. "netstat -nat" agrees...nothing there.
>
> "/etc/init.d/pki-cad status" seems to indicate that the correct port is
> 9443? I changed the port number to 9443 in the ipa-pki-proxy.conf file,
> and restarted httpd. And attempted to disable the host:
>
> # ipa host-disable bck01.ix.test.com
> ipa: ERROR: Certificate format error: [Errno -8192] (SEC_ERROR_IO) An
> I/O error occurred during security authorization.
>
> Using Firefox to access https://ipasrv01.ix.test.com:9443/ca/agent/ca
> yields:
>
> Secure Connection Failed
> An error occurred during a connection to ipasrv01.ix.test.com:9443.
> SSL peer cannot verify your certificate.
> (Error code: ssl_error_bad_cert_alert)
>
>
> Am I heading in the incorrect direction here? Or does the pki-cad
> service have some cert issues?

In order for the proxy conf to work you need to have a version of dogtag that properly supports it.

What version of dogtag are you running ?

(pki-* packages)

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From sigbjorn at nixtra.com Tue Sep 27 20:54:42 2011
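The debugging in this thread turns on two questions about /etc/httpd/conf.d/ipa-pki-proxy.conf: whether a directive in it claims the /ca/ path at all (the 404 "File does not exist: /var/www/html/ca" in the error_log says nothing did), and whether the back end a ProxyPassMatch names is actually listening (the ajp://localhost:9447 target that "netstat -nat" found nothing on). The checker below is an added example, not part of FreeIPA or Dogtag: it parses ProxyPass and ProxyPassMatch directives from an httpd configuration fragment, tells whether a request path such as /ca/agent/ca/displayBySerial would be proxied, and compares the localhost ports the directives target against a LISTEN table in the format netstat -nat prints. The configuration fragment and socket table are constructed for the example, in the style of what the thread describes, and are not the real ipa-pki-proxy.conf; which port the CA's AJP connector really uses depends on the installed Dogtag version, as Simo's reply notes, and this check only reports the mismatch, it does not say which side to change.

```python
"""Check Apache proxy directives against listening sockets (added example)."""
import re
from urllib.parse import urlsplit

# ProxyPass <path> <target>  /  ProxyPassMatch <regex> <target>; '!' excludes a path
PROXY_RE = re.compile(r'^\s*ProxyPass(Match)?\s+(\S+)\s+(\S+)', re.M)
# netstat -nat style rows: proto recv-q send-q local-addr:port foreign-addr state
LISTEN_RE = re.compile(r'^\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN', re.M)


def proxy_targets(conf_text):
    """Return [(path, scheme, host, port)] for directives with a URL target."""
    out = []
    for _is_match, path, target in PROXY_RE.findall(conf_text):
        u = urlsplit(target)
        if u.scheme and u.port:          # skips '!' and targets without a port
            out.append((path, u.scheme, u.hostname, u.port))
    return out


def proxied(conf_text, request_path):
    """True if the first matching directive sends request_path to a back end.

    Apache evaluates these in configuration order: ProxyPass is a prefix
    match, ProxyPassMatch a regex, and a '!' target stops proxying.
    """
    for is_match, path, target in PROXY_RE.findall(conf_text):
        hit = re.search(path, request_path) if is_match else request_path.startswith(path)
        if hit:
            return target != '!'
    return False


def listening_ports(netstat_text):
    """Set of local TCP ports in LISTEN state from netstat -nat output."""
    return {int(port) for _addr, port in LISTEN_RE.findall(netstat_text)}


def unreachable_backends(conf_text, netstat_text):
    """Directives whose localhost back end has no listener; a request under
    such a path fails at the proxy before the CA ever sees it."""
    listening = listening_ports(netstat_text)
    bad = []
    for path, scheme, host, port in proxy_targets(conf_text):
        if host in ('localhost', '127.0.0.1', '::1') and port not in listening:
            bad.append((path, '%s://%s:%d' % (scheme, host, port)))
    return bad


# Constructed fragment in the style of the proxy rules the thread discusses;
# not the real ipa-pki-proxy.conf.
SAMPLE_CONF = """\
ProxyRequests Off
ProxyPassMatch ^/ca/ee/(.*) ajp://localhost:9447/ca/ee/$1
ProxyPassMatch ^/ca/agent/(.*) ajp://localhost:9447/ca/agent/$1
ProxyPass /ipa/ !
"""

# Constructed netstat -nat excerpt: httpd on 443, LDAP on 389, something on
# 9443, and nothing at all on 9447.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 0.0.0.0:443                 0.0.0.0:*                   LISTEN
tcp        0      0 127.0.0.1:9443              0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:389                 0.0.0.0:*                   LISTEN
tcp        0      0 192.168.210.20:443          192.168.210.20:51230        ESTABLISHED
"""

if __name__ == '__main__':
    print('/ca/agent/ca/displayBySerial proxied:', proxied(SAMPLE_CONF, '/ca/agent/ca/displayBySerial'))
    print('/ca/agent/ca/displayBySerial proxied with no conf:', proxied('', '/ca/agent/ca/displayBySerial'))
    for path, target in unreachable_backends(SAMPLE_CONF, SAMPLE_NETSTAT):
        print('no listener for', target, 'behind', path)
```

Run against the real files, the first question reproduces Siggi's initial finding (no directive claims /ca/, so httpd serves it from DocumentRoot and returns 404) and the second his netstat observation; a back end that is listening but speaks HTTPS rather than AJP on the configured port is not something a socket table can reveal, which is the situation the SEC_ERROR_IO and ssl_error_bad_cert_alert messages point at.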
From: sigbjorn at nixtra.com (Sigbjorn Lie) Date: Tue, 27 Sep 2011 22:54:42 +0200 Subject: [Freeipa-users] Certificate error when modifying/deleting a host In-Reply-To: <1317156360.15918.12.camel@willson.li.ssimo.org> References: <4E7FA1E6.6050409@nixtra.com> <4E80FDE9.2010504@redhat.com> <4E8229F9.3050400@nixtra.com> <4E823072.1010808@nixtra.com> <1317156360.15918.12.camel@willson.li.ssimo.org> Message-ID: <4E823812.9050705@nixtra.com> On 09/27/2011 10:46 PM, Simo Sorce wrote: > On Tue, 2011-09-27 at 22:22 +0200, Sigbjorn Lie wrote: >> On 09/27/2011 09:54 PM, Sigbjorn Lie wrote: >>> On 09/27/2011 12:34 AM, Dmitri Pal wrote: >>>> On 09/25/2011 05:49 PM, Sigbjorn Lie wrote: >>>>> Hi, >>>>> >>>>> >>>>> I have a host that refuses to be modified or deleted. I get the >>>>> same error from the webui and the cli. I am using F15, FreeIPA >>>>> 2.1.1 + all updates from the updates repository. I cannot find >>>>> any error in any log. I have tried to reboot my ipa servers. All >>>>> services seem to be running and have no issues. >>>>> >>>>> >>>>> The error message I receive is: >>>>> * Certificate operation cannot be completed: Unable to >>>>> communicate with CMS (Not Found) >>>>> >>>>> I have looked in the Dogtag Certificate Manager, and I can see >>>>> the certificate. It's still valid, and holds the same serial >>>>> number as what is displayed using ipa host-show. >>>>> >>>>> Any suggestions? >>>>> >>>>> >>>>> >>>> Can you please send the sanitized apache logs? >>>> >>> >>> These are the apache log lines that correspond to # ipa host-disable >>> . I have no config files in >>> my /etc/httpd/conf.d/ directory that contains any reference to >>> the /ca directory. Also /var/www/html/ca does not exist. >>> >>> I notice that the freeipa-server-2.1.1-1.fc15.x86_64 rpm lists a >>> file /etc/httpd/conf.d/ipa-pki-proxy.conf. However this file does >>> not exist on any of my 3 IPA servers. >>> >>> Should that file contain an alias and proxy rules for /ca/ ? 
>>>
>>>
>>> error_log:
>>> [Tue Sep 27 21:44:01 2011] [error] ipa: INFO: admin at IX.TEST.COM:
>>> ping(): SUCCESS
>>> [Tue Sep 27 21:44:02 2011] [error] ipa: INFO: sslget
>>> 'https://ipasrv01.ix.TEST.com:443/ca/agent/ca/displayBySerial'
>>> [Tue Sep 27 21:44:02 2011] [error] [client 192.168.210.20] File does
>>> not exist: /var/www/html/ca
>>> [Tue Sep 27 21:44:02 2011] [error] ipa: INFO: admin at IX.TEST.COM:
>>> host_disable(u'bck01.ix.TEST.com'): CertificateOperationError
>>> [Tue Sep 27 21:44:08 2011] [error] ipa: INFO: admin at IX.TEST.COM:
>>> ping(): SUCCESS
>>> [Tue Sep 27 21:44:09 2011] [error] ipa: INFO: sslget
>>> 'https://ipasrv01.ix.TEST.com:443/ca/agent/ca/displayBySerial'
>>> [Tue Sep 27 21:44:09 2011] [error] [client 192.168.210.20] File does
>>> not exist: /var/www/html/ca
>>> [Tue Sep 27 21:44:09 2011] [error] ipa: INFO: admin at IX.TEST.COM:
>>> cert_show(u'268369923'): CertificateOperationError
>>>
>>> access_log:
>>> 192.168.210.20 - admin at IX.TEST.COM [27/Sep/2011:21:44:00 +0200]
>>> "POST /ipa/xml HTTP/1.1" 200 259
>>> 192.168.210.20 - - [27/Sep/2011:21:44:02 +0200]
>>> "POST /ca/agent/ca/displayBySerial HTTP/1.1" 404 314
>>> 192.168.210.20 - admin at IX.TEST.COM [27/Sep/2011:21:44:01 +0200]
>>> "POST /ipa/xml HTTP/1.1" 200 360
>>> 192.168.210.20 - admin at IX.TEST.COM [27/Sep/2011:21:44:07 +0200]
>>> "POST /ipa/xml HTTP/1.1" 200 259
>>> 192.168.210.20 - - [27/Sep/2011:21:44:09 +0200]
>>> "POST /ca/agent/ca/displayBySerial HTTP/1.1" 404 314
>>> 192.168.210.20 - admin at IX.TEST.COM [27/Sep/2011:21:44:08 +0200]
>>> "POST /ipa/xml HTTP/1.1" 200 360
>>>
>>>
>>>
>> I found the missing file in /usr/share/ipa/ipa-pki-proxy.conf. I
>> copied this file into /etc/httpd/conf.d/ipa-pki-proxy.conf. The port
>> numbers seemed incorrect. They were pointing at
>> ajp://localhost:9447/, which is a port that's not responding to
>> anything. "netstat -nat" agrees...nothing there.
>>
>> "/etc/init.d/pki-cad status" seem to indicate that the correct port is
>> 9443? I changed to port number 9443 in the ipa-pki-proxy.conf file,
>> and restarted httpd. And attempted to disable the host:
>>
>> # ipa host-disable bck01.ix.test.com
>> ipa: ERROR: Certificate format error: [Errno -8192] (SEC_ERROR_IO) An
>> I/O error occurred during security authorization.
>>
>> Using Firefox to access https://ipasrv01.ix.test.com:9443/ca/agent/ca
>> yields:
>>
>> Secure Connection Failed
>> An error occurred during a connection to ipasrv01.ix.test.com:9443.
>> SSL peer cannot verify your certificate.
>> (Error code: ssl_error_bad_cert_alert)
>>
>>
>> Am I heading in the incorrect direction here? Or does the pki-cad
>> service have some cert issues?
> In order for the proxy conf to work you need to have a version of dogtag
> that properly supports it.
>
> What version of dogtag are you running ?
>
> (pki-* packages)
>
> Simo.
>

pki-setup-9.0.12-1.fc15.noarch
pki-util-9.0.12-1.fc15.noarch
pki-silent-9.0.12-1.fc15.noarch
pki-symkey-9.0.12-1.fc15.x86_64
pki-selinux-9.0.12-1.fc15.noarch
pki-java-tools-9.0.12-1.fc15.noarch
pki-ca-9.0.12-1.fc15.noarch
pki-native-tools-9.0.12-1.fc15.x86_64
pki-common-9.0.12-1.fc15.noarch

From ayoung at redhat.com Tue Sep 27 21:11:41 2011
From: ayoung at redhat.com (Adam Young)
Date: Tue, 27 Sep 2011 17:11:41 -0400
Subject: [Freeipa-users] Certificate error when modifying/deleting a host
In-Reply-To: <4E823072.1010808@nixtra.com>
References: <4E7FA1E6.6050409@nixtra.com> <4E80FDE9.2010504@redhat.com> <4E8229F9.3050400@nixtra.com> <4E823072.1010808@nixtra.com>
Message-ID: <4E823C0D.9050806@redhat.com>

On 09/27/2011 04:22 PM, Sigbjorn Lie wrote:
> On 09/27/2011 09:54 PM, Sigbjorn Lie wrote:
>> On 09/27/2011 12:34 AM, Dmitri Pal wrote:
>>> On 09/25/2011 05:49 PM, Sigbjorn Lie wrote:
>>>>
>>>> Hi,
>>>>
>>>> I have a host that refuses to be modified or deleted. I get the
>>>> same error from the webui and the cli. I am using F15, FreeIPA
>>>> 2.1.1 + all updates from the updates repository. I cannot find any
>>>> error in any log. I have tried to reboot my ipa servers. All
>>>> services seem to be running and have no issues.
>>>>
>>>> The error message I receive is:
>>>>
>>>> * Certificate operation cannot be completed: Unable to
>>>> communicate with CMS (Not Found)
>>>>
>>>>
>>>> I have looked in the Dogtag Certificate Manager, and I can see the
>>>> certificate. It's still valid, and holds the same serial number as
>>>> what is displayed using ipa host-show .
>>>>
>>>> Any suggestions?
>>>>
>>>>
>>>
>>> Can you please send the sanitized apache logs?
>>>
>>
>>
>> These are the apache log lines that correspond to # ipa host-disable
>> . I have no config files in
>> my /etc/httpd/conf.d/ directory that contains any reference to the
>> /ca directory. Also /var/www/html/ca does not exist.
>>
>> I notice that the freeipa-server-2.1.1-1.fc15.x86_64 rpm lists a file
>> /etc/httpd/conf.d/ipa-pki-proxy.conf. However this file does not
>> exist on any of my 3 IPA servers.
>>
>> Should that file contain an alias and proxy rules for /ca/ ?
>>
>>
>> error_log:
>> [Tue Sep 27 21:44:01 2011] [error] ipa: INFO: admin at IX.TEST.COM:
>> ping(): SUCCESS
>> [Tue Sep 27 21:44:02 2011] [error] ipa: INFO: sslget
>> 'https://ipasrv01.ix.TEST.com:443/ca/agent/ca/displayBySerial'
>> [Tue Sep 27 21:44:02 2011] [error] [client 192.168.210.20] File does
>> not exist: /var/www/html/ca
>> [Tue Sep 27 21:44:02 2011] [error] ipa: INFO: admin at IX.TEST.COM:
>> host_disable(u'bck01.ix.TEST.com'): CertificateOperationError
>> [Tue Sep 27 21:44:08 2011] [error] ipa: INFO: admin at IX.TEST.COM:
>> ping(): SUCCESS
>> [Tue Sep 27 21:44:09 2011] [error] ipa: INFO: sslget
>> 'https://ipasrv01.ix.TEST.com:443/ca/agent/ca/displayBySerial'
>> [Tue Sep 27 21:44:09 2011] [error] [client 192.168.210.20] File does
>> not exist: /var/www/html/ca
>> [Tue Sep 27 21:44:09 2011] [error] ipa: INFO: admin at IX.TEST.COM:
>> cert_show(u'268369923'): CertificateOperationError
>>
>> access_log:
>> 192.168.210.20 - admin at IX.TEST.COM [27/Sep/2011:21:44:00 +0200] "POST
>> /ipa/xml HTTP/1.1" 200 259
>> 192.168.210.20 - - [27/Sep/2011:21:44:02 +0200] "POST
>> /ca/agent/ca/displayBySerial HTTP/1.1" 404 314
>> 192.168.210.20 - admin at IX.TEST.COM [27/Sep/2011:21:44:01 +0200] "POST
>> /ipa/xml HTTP/1.1" 200 360
>> 192.168.210.20 - admin at IX.TEST.COM [27/Sep/2011:21:44:07 +0200] "POST
>> /ipa/xml HTTP/1.1" 200 259
>> 192.168.210.20 - - [27/Sep/2011:21:44:09 +0200] "POST
>> /ca/agent/ca/displayBySerial HTTP/1.1" 404 314
>> 192.168.210.20 - admin at IX.TEST.COM [27/Sep/2011:21:44:08 +0200] "POST
>> /ipa/xml HTTP/1.1" 200 360
>>
>>
>>
>
> I found the missing file in /usr/share/ipa/ipa-pki-proxy.conf. I
> copied this file into /etc/httpd/conf.d/ipa-pki-proxy.conf. The port
> numbers seemed incorrect. They were pointing at
> ajp://localhost:9447/, which is a port that's not responding to
> anything. "netstat -nat" agrees...nothing there.
>
> "/etc/init.d/pki-cad status" seem to indicate that the correct port is
> 9443?
> I changed to port number 9443 in the ipa-pki-proxy.conf file,
> and restarted httpd. And attempted to disable the host:
>
> # ipa host-disable bck01.ix.test.com
> ipa: ERROR: Certificate format error: [Errno -8192] (SEC_ERROR_IO) An
> I/O error occurred during security authorization.
>
> Using Firefox to access https://ipasrv01.ix.test.com:9443/ca/agent/ca
> yields:
>
> Secure Connection Failed
> An error occurred during a connection to ipasrv01.ix.test.com:9443.
> SSL peer cannot verify your certificate.
> (Error code: ssl_error_bad_cert_alert)
>
>
> Am I heading in the incorrect direction here? Or does the pki-cad
> service have some cert issues?

9447 was likely the right value. I think the problem is with the Proxy
configuration. We are working on a script to upgrade a non-proxied PKI
(Dogtag) to a proxied version, but the ports set in the config file need
to match the ports that the pki-ca web app is using. I'm assuming from
what you said above that you can talk to Dogtag directly on port 9443,
but that the proxy is not set correctly for the HTTPD to AJP
communication.

Have your server.xml and web.xml files in the PKI configuration been
modified to listen to AJP? It should be something like:

In the server.xml file.

The AJP port has to match what the file in /etc/httpd/conf.d/proxy.conf
file says. 9443 is, I think, the HTTPS port in your case, not the AJP
port. AJP should be 9447.

>
>
>
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

We (Ade Lee) is working in a script to upgrade an existing Dogtag instance to use

From ayoung at redhat.com Tue Sep 27 23:55:30 2011
From: ayoung at redhat.com (Adam Young)
Date: Tue, 27 Sep 2011 19:55:30 -0400
Subject: [Freeipa-users] Certificate error when modifying/deleting a host
In-Reply-To: <4E823812.9050705@nixtra.com>
References: <4E7FA1E6.6050409@nixtra.com> <4E80FDE9.2010504@redhat.com> <4E8229F9.3050400@nixtra.com> <4E823072.1010808@nixtra.com> <1317156360.15918.12.camel@willson.li.ssimo.org> <4E823812.9050705@nixtra.com>
Message-ID: <4E826272.7050100@redhat.com>

Siggi,

This is my comment in the ticket:
https://fedorahosted.org/freeipa/ticket/1889

We are working on a tool in the PKI project that will perform these
steps in an automated fashion.

There are three files that need to be addressed.

On the tomcat side, the files are in the Tomcat instance managed by
IPA in /var/lib/pki-ca. The first is

/var/lib/pki-ca/conf/server.xml

It needs the addition:

+

You can place it around line 281, above the comment for the line

Second is: /var/lib/pki-ca/webapps/ca/WEB-INF/web.xml

For each of the filter entries it needs the code addition below:

proxy_port
443

+ + proxy_port +
443 +

active true

The third change is creating a symlink to /etc/pki-ca/proxy.conf in
the directory /etc/httpd/conf.d

From ayoung at redhat.com Wed Sep 28 01:33:11 2011
From: ayoung at redhat.com (Adam Young)
Date: Tue, 27 Sep 2011 21:33:11 -0400
Subject: [Freeipa-users] Certificate error when modifying/deleting a host
In-Reply-To: <4E826272.7050100@redhat.com>
References: <4E7FA1E6.6050409@nixtra.com> <4E80FDE9.2010504@redhat.com> <4E8229F9.3050400@nixtra.com> <4E823072.1010808@nixtra.com> <1317156360.15918.12.camel@willson.li.ssimo.org> <4E823812.9050705@nixtra.com> <4E826272.7050100@redhat.com>
Message-ID: <4E827957.4080606@redhat.com>

After talking with the PKI developer that is fixing this, I found out
that one other file needs to be modified:

/var/lib/pki-ca/conf/CS.cfg

http.port=8080
https.port=8443

On 09/27/2011 07:55 PM, Adam Young wrote:
>
> Siggi,
>
> This is my comment in the ticket:
> https://fedorahosted.org/freeipa/ticket/1889
>
> We are working on a tool in the PKI project that will perform these
> steps in an automated fashion.
>
>
> There are three files that need to be addressed.
>
> On the tomcat side, the files are in the Tomcat instance managed by
> IPA in /var/lib/pki-ca. The first is
>
> /var/lib/pki-ca/conf/server.xml
>
> It needs the addition:
>
> +
>
> You can place it around line 281, above the comment for the line
>
>
> Second is: /var/lib/pki-ca/webapps/ca/WEB-INF/web.xml
>
> For each of the filter entries it needs the code addition below:
>
>
>
> proxy_port
> 443
>
>
>
> + + proxy_port +
> 443 +
>
>
>
> active true
>
>
>
>
>
> The third change is creating a symlink to /etc/pki-ca/proxy.conf in
> the directory /etc/httpd/conf.d
>

From raal.goff at zettaserve.com Wed Sep 28 06:49:02 2011
From: raal.goff at zettaserve.com (Goff, Raal)
Date: Wed, 28 Sep 2011 14:49:02 +0800
Subject: [Freeipa-users] Change Password problems (Unsupported Version)
In-Reply-To: <20110927162742.GC6970@redhat.com>
References: <20110927162742.GC6970@redhat.com>
Message-ID: <7C9297D3-DCD3-476C-BCAD-305C60A390D2@zettaserve.com>

On 28/09/2011, at 12:27 AM, Nalin Dahyabhai wrote:
>
>> Additionally, it seems some users can reset their passwords, but the error still appears in the logs, and on the client software:
>>
>> Sep 27 15:08:52 ipa1 kpasswd[2630]: Unsupported version
>> Sep 27 15:09:23 ipa1 kpasswd[2633]: Unsupported version
>> Sep 27 15:09:54 ipa1 kpasswd[2637]: Password change succeeded
>
> Are the users who can change their passwords using different client
> software (specifically, versions of Kerberos, which supplies the kpasswd
> command) compared to the users who can't?

The only difference I know about is that the users who CAN change their passwords have not got an expired password (so they can login and use kpasswd from the shell), whereas those who CANNOT change their password need to reset it before logging in (i.e., they get the 'your password has expired, reset it now etc etc). I updated the kerberos libraries/tools on the CentOS 6.0 box using the Continuous Release repository, and then edited the ldap configuration to get around https://bugzilla.redhat.com/show_bug.cgi?format=multiple&id=713525 and users can now reset their passwords on that box during login and on the shell (kpasswd). I'm not sure which of these actually fixed the problem (if any).

I'll continue to keep an eye on it for now. It may be as you say, a version difference, although I'm unaware of any large differences in versions between the machines. Is kerberos very sensitive to version changes?

>
> If you can get a packet capture of a client request, we can examine the
> first few bytes to check what's triggering the failure.
>

tcpdump says it's a V5 packet.
I have captured the entire login/reset failure and can email it to you directly if you wish.

Thanks,

Raal

ZettaServe Disclaimer: This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately if you have received this email by mistake and delete this email from your system. Computer viruses can be transmitted via email. The recipient should check this email and any attachments for the presence of viruses. ZettaServe Pty Ltd accepts no liability for any damage caused by any virus transmitted by this email.

From dpal at redhat.com Wed Sep 28 12:34:45 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 28 Sep 2011 08:34:45 -0400
Subject: [Freeipa-users] Change Password problems (Unsupported Version)
In-Reply-To: <7C9297D3-DCD3-476C-BCAD-305C60A390D2@zettaserve.com>
References: <20110927162742.GC6970@redhat.com> <7C9297D3-DCD3-476C-BCAD-305C60A390D2@zettaserve.com>
Message-ID: <4E831465.8000708@redhat.com>

On 09/28/2011 02:49 AM, Goff, Raal wrote:
> On 28/09/2011, at 12:27 AM, Nalin Dahyabhai wrote:
>
>>> Additionally, it seems some users can reset their passwords, but the error still appears in the logs, and on the client software:
>>>
>>> Sep 27 15:08:52 ipa1 kpasswd[2630]: Unsupported version
>>> Sep 27 15:09:23 ipa1 kpasswd[2633]: Unsupported version
>>> Sep 27 15:09:54 ipa1 kpasswd[2637]: Password change succeeded
>> Are the users who can change their passwords using different client
>> software (specifically, versions of Kerberos, which supplies the kpasswd
>> command) compared to the users who can't?
> The only difference I know about is that the users who CAN change their passwords have not got an expired password (so they can login and use kpasswd from the shell), whereas those who CANNOT change their password need to reset it before logging in (i.e., they get the 'your password has expired, reset it now etc etc). I updated the kerberos libraries/tools on the CentOS 6.0 box using the Continuous Release repository, and then edited the ldap configuration to get around https://bugzilla.redhat.com/show_bug.cgi?format=multiple&id=713525 and users can now reset their passwords on that box during login and on the shell (kpasswd). I'm not sure which of these actually fixed the problem (if any).
>
> I'll continue to keep an eye on it for now. It may be as you say, a version difference, although I'm unaware of any large differences in versions between the machines, is kerberos very sensitive to version changes?
>

No. The biggest change was dropping support for the v4 protocol a couple of years ago.
That in some cases required regeneration of the keytabs. Other than that it is extremely stable.

>> If you can get a packet capture of a client request, we can examine the
>> first few bytes to check what's triggering the failure.
>>
> tcpdump says its a V5 packet. I have captured the entire login/reset failure and can email it to you directly if you wish.

Yes please send them to Nalin. It is worth taking a look.

> Thanks,
>
> Raal
>

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From sbingram at gmail.com Wed Sep 28 17:13:43 2011
From: sbingram at gmail.com (Stephen Ingram)
Date: Wed, 28 Sep 2011 10:13:43 -0700
Subject: [Freeipa-users] user login exposes all users in UI
Message-ID:

When logging into the FreeIPA UI as a user, most everything is removed
with the exception of the Identity tab and the Users list. Although
I'm guessing that LDAP needs to expose the users list to all users
just as anyone can view the passwd file on any one system, is there a
technical need to expose all of the users to any user logging into the
UI?

Steve

From nalin at redhat.com Wed Sep 28 17:59:36 2011
From: nalin at redhat.com (Nalin Dahyabhai)
Date: Wed, 28 Sep 2011 13:59:36 -0400
Subject: [Freeipa-users] Change Password problems (Unsupported Version)
In-Reply-To: <7C9297D3-DCD3-476C-BCAD-305C60A390D2@zettaserve.com>
References: <20110927162742.GC6970@redhat.com> <7C9297D3-DCD3-476C-BCAD-305C60A390D2@zettaserve.com>
Message-ID: <20110928175936.GA18814@redhat.com>

On Wed, Sep 28, 2011 at 02:49:02PM +0800, Goff, Raal wrote:
> The only difference I know about is that the users who CAN change their passwords have not got an expired password (so they can login and use kpasswd from the shell), whereas those who CANNOT change their password need to reset it before logging in (i.e., they get the 'your password has expired, reset it now etc etc). I updated the kerberos libraries/tools on the CentOS 6.0 box using the Continuous Release repository, and then edited the ldap configuration to get around https://bugzilla.redhat.com/show_bug.cgi?format=multiple&id=713525 and users can now reset their passwords on that box during login and on the shell (kpasswd). I'm not sure which of these actually fixed the problem (if any).

Ah, somehow I'd missed that you were running 6.0. If your client
systems are using pam_krb5 instead of SSSD, then you're likely hitting
https://bugzilla.redhat.com/show_bug.cgi?id=690583, which was fixed in
6.1.

> I'll continue to keep an eye on it for now. It may be as you say, a version difference, although I'm unaware of any large differences in versions between the machines, is kerberos very sensitive to version changes?

It's not supposed to be, and usually isn't. Barring bugs, of course.

> > If you can get a packet capture of a client request, we can examine the
> > first few bytes to check what's triggering the failure.
>
> tcpdump says its a V5 packet. I have captured the entire login/reset failure and can email it to you directly if you wish.

Sure.
The first four bytes encode the message length (the first two bytes) and
the protocol version number (the next two), so just that part should
actually be enough to verify.

HTH,

Nalin

From jhrozek at redhat.com Wed Sep 28 19:38:33 2011
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Wed, 28 Sep 2011 21:38:33 +0200
Subject: [Freeipa-users] Change Password problems (Unsupported Version)
In-Reply-To: <20110928175936.GA18814@redhat.com>
References: <20110927162742.GC6970@redhat.com> <7C9297D3-DCD3-476C-BCAD-305C60A390D2@zettaserve.com> <20110928175936.GA18814@redhat.com>
Message-ID: <20110928193833.GA14046@hendrix.redhat.com>

On Wed, Sep 28, 2011 at 01:59:36PM -0400, Nalin Dahyabhai wrote:
> On Wed, Sep 28, 2011 at 02:49:02PM +0800, Goff, Raal wrote:
> > The only difference I know about is that the users who CAN change their passwords have not got an expired password (so they can login and use kpasswd from the shell), whereas those who CANNOT change their password need to reset it before logging in (i.e., they get the 'your password has expired, reset it now etc etc). I updated the kerberos libraries/tools on the CentOS 6.0 box using the Continuous Release repository, and then edited the ldap configuration to get around https://bugzilla.redhat.com/show_bug.cgi?format=multiple&id=713525 and users can now reset their passwords on that box during login and on the shell (kpasswd). I'm not sure which of these actually fixed the problem (if any).
>
> Ah, somehow I'd missed that you were running 6.0. If your client
> systems are using pam_krb5 instead of SSSD, then you're likely hitting
> https://bugzilla.redhat.com/show_bug.cgi?id=690583, which was fixed in
> 6.1.
>

He said he was updating the passwords with kpasswd, which should bypass
the pam stack and talk to the kpasswd daemon directly, right?

From nalin at redhat.com Wed Sep 28 19:53:39 2011
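The header layout Nalin describes, as an added example (not code from this thread, FreeIPA or MIT krb5): it decodes the length and version fields of a kpasswd request as RFC 3244 lays them out, with constructed sample packets in place of a real capture. The TCP length prefix is handled as well, because reading a TCP capture as if it were UDP is the easiest way to misread the version field.

```python
"""Decode the 4-byte kpasswd header Nalin describes (RFC 3244 layout).
Added example, not code from the thread, FreeIPA or MIT krb5. The sample
packets are constructed; bytes after the header are filler standing in for
the AP-REQ length, AP-REQ and KRB-PRIV that a real request carries."""
import struct

# Protocol version numbers defined by RFC 3244. Which of them a particular
# kpasswd daemon accepts is an implementation matter; any other value is
# what a server reports as an unsupported version.
VERSIONS = {0x0001: "change-password", 0xFF80: "set-password"}

def kpasswd_message(packet, tcp=False):
    """Return the kpasswd message carried in a captured packet payload.

    Over UDP the datagram is the message. Over TCP, RFC 3244 prefixes it
    with a 4-byte big-endian length that is not part of the message's own
    length field, so it must be stripped before reading the header.
    """
    if not tcp:
        return packet
    if len(packet) < 4:
        raise ValueError("TCP payload shorter than its 4-byte length prefix")
    (frame_len,) = struct.unpack("!I", packet[:4])
    return packet[4:4 + frame_len]

def parse_kpasswd_header(message):
    """Return (message_length, version) from the first four bytes."""
    if len(message) < 4:
        raise ValueError("message shorter than the 4-byte kpasswd header")
    return struct.unpack("!HH", message[:4])

def diagnose(packet, tcp=False):
    """Classify a request the way a kpasswd server would on first look."""
    try:
        message = kpasswd_message(packet, tcp)
        msg_len, version = parse_kpasswd_header(message)
    except ValueError as exc:
        return {"verdict": "malformed", "reason": str(exc)}
    result = {"message_length": msg_len, "version": version,
              "version_name": VERSIONS.get(version, "unknown")}
    if version not in VERSIONS:
        result["verdict"] = "unsupported version"
    elif msg_len != len(message):
        # The length field counts the whole message, header included.
        result["verdict"] = "length mismatch"
    else:
        result["verdict"] = "ok"
    return result

def build_sample(version, body=b"\x00" * 6):
    """Constructed request: correct length field, given version, filler body."""
    return struct.pack("!HH", 4 + len(body), version) + body

# Constructed samples, not real captures.
GOOD_CHANGE = build_sample(0x0001)
GOOD_SET = build_sample(0xFF80)
BAD_VERSION = build_sample(0x0000)
TRUNCATED = GOOD_CHANGE[:2]
# A TCP capture read as if it were UDP puts the length prefix where the
# header should be and looks like a bogus version, so pass tcp=True.
TCP_FRAMED = struct.pack("!I", len(GOOD_SET)) + GOOD_SET

if __name__ == "__main__":
    for label, pkt in [("change", GOOD_CHANGE), ("set", GOOD_SET),
                       ("bad version", BAD_VERSION), ("truncated", TRUNCATED)]:
        print(label, diagnose(pkt))
    print("tcp framed", diagnose(TCP_FRAMED, tcp=True))
```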
From: nalin at redhat.com (Nalin Dahyabhai)
Date: Wed, 28 Sep 2011 15:53:39 -0400
Subject: [Freeipa-users] Change Password problems (Unsupported Version)
In-Reply-To: <20110928193833.GA14046@hendrix.redhat.com>
References: <20110927162742.GC6970@redhat.com> <7C9297D3-DCD3-476C-BCAD-305C60A390D2@zettaserve.com> <20110928175936.GA18814@redhat.com> <20110928193833.GA14046@hendrix.redhat.com>
Message-ID: <20110928195339.GB18814@redhat.com>

On Wed, Sep 28, 2011 at 09:38:33PM +0200, Jakub Hrozek wrote:
> He said he was updating the passwords with kpasswd, which should bypass
> the pam stack and talk to the kpasswd deamon directly, right?

The users who can change their passwords can log in and do so with
kpasswd, but the ones who can't change their passwords can't log in to
run kpasswd because the login-time password change (which goes through
PAM) is failing. I expect that users who attempt to change their
passwords with the "passwd" command are also triggering the same bug.

Nalin

From Steven.Jones at vuw.ac.nz Wed Sep 28 20:02:29 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Wed, 28 Sep 2011 20:02:29 +0000
Subject: [Freeipa-users] Documentation & Interface
Message-ID: <833D8E48405E064EBC54C84EC6B36E404460CE28@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

Just going through the latest F15 documentation and there are pretty pictures! :D

This is a great improvement as it gives ppl who are unsure of where they are in the gui, confidence they are in the right place and are doing the right thing!......when you have a written description but looking at a gui its quite hard.........So I often end up [re-]writing our own documentation because "manuals" are just useless for ppl who have never seen the interface(s) before or use it infrequently.

I have also been away from IPA for 2 or 3 months and coming back to it, the Interface also seems a bit more intuitive/polished.... :D

Now to get my managers to let me loose with it.

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ

From sigbjorn at nixtra.com Wed Sep 28 21:03:07 2011
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Wed, 28 Sep 2011 23:03:07 +0200
Subject: [Freeipa-users] Certificate error when modifying/deleting a host
In-Reply-To: <4E827957.4080606@redhat.com>
References: <4E7FA1E6.6050409@nixtra.com> <4E80FDE9.2010504@redhat.com> <4E8229F9.3050400@nixtra.com> <4E823072.1010808@nixtra.com> <1317156360.15918.12.camel@willson.li.ssimo.org> <4E823812.9050705@nixtra.com> <4E826272.7050100@redhat.com> <4E827957.4080606@redhat.com>
Message-ID: <4E838B8B.4020601@nixtra.com>

On 09/28/2011 03:33 AM, Adam Young wrote:
> After talking with the PKI developer that is fixing this, I found out
> that one other file needs to be modified:
>
>
> /var/lib/pki-ca/conf/CS.cfg
>
> http.port=8080
> https.port=8443
>
>
>
>
>
> On 09/27/2011 07:55 PM, Adam Young wrote:
>>
>> Siggi,
>>
>> This is my comment in the ticket:
>> https://fedorahosted.org/freeipa/ticket/1889
>>
>> We are working on a tool in the PKI project that will perform these
>> steps in an automated fashion.
>>
>>
>> There are three files that need to be addressed.
>>
>> On the tomcat side, the files are in the Tomcat instance managed by
>> IPA in /var/lib/pki-ca. The first is
>>
>> /var/lib/pki-ca/conf/server.xml
>>
>> It needs the addition:
>>
>> +
>>
>> You can place it around line 281, above the comment for the line
>>
>>
>> Second is: /var/lib/pki-ca/webapps/ca/WEB-INF/web.xml
>>
>> For each of the filter entries it needs the code addition below:
>>
>>
>>
>> proxy_port
>> 443
>>
>>
>>
>> + + proxy_port +
>> 443 +
>>
>>
>>
>> active true
>>
>>
>>
>>
>>
>> The third change is creating a symlink to /etc/pki-ca/proxy.conf in
>> the directory /etc/httpd/conf.d
>>
>>

Sorry for the late reply.

I have performed the modifications you've suggested to
/var/lib/pki-ca/conf/server.xml, and
/var/lib/pki-ca/webapps/ca/WEB-INF/web.xml.

In the file /var/lib/pki-ca/conf/CS.cfg, the settings were already
http.port=8080 and https.port=8443.

I could not find the file /etc/pki-ca/proxy.conf.
I did find /usr/share/pki/ca/conf/proxy.conf, I copied this into
/etc/httpd/conf.d and replaced [PKI_MACHINE_NAME]:[PKI_AJP_PORT] with
localhost:9447.

Then I restarted ipa: $ ipactl restart

I get a different error now, same error msg both in webui and cli:
ipa: ERROR: Certificate format error: [Errno -8192] (SEC_ERROR_IO) An
I/O error occurred during security authorization.

What do you suggest doing next? :)

From ayoung at redhat.com Wed Sep 28 21:35:29 2011
From: ayoung at redhat.com (Adam Young)
Date: Wed, 28 Sep 2011 17:35:29 -0400
Subject: [Freeipa-users] Certificate error when modifying/deleting a host
In-Reply-To: <4E838B8B.4020601@nixtra.com>
References: <4E7FA1E6.6050409@nixtra.com> <4E80FDE9.2010504@redhat.com> <4E8229F9.3050400@nixtra.com> <4E823072.1010808@nixtra.com> <1317156360.15918.12.camel@willson.li.ssimo.org> <4E823812.9050705@nixtra.com> <4E826272.7050100@redhat.com> <4E827957.4080606@redhat.com> <4E838B8B.4020601@nixtra.com>
Message-ID: <4E839321.9020101@redhat.com>

On 09/28/2011 05:03 PM, Sigbjorn Lie wrote:
> On 09/28/2011 03:33 AM, Adam Young wrote:
>> After talking with the PKI developer that is fixing this, I found out
>> that one other file needs to be modified:
>>
>>
>> /var/lib/pki-ca/conf/CS.cfg
>>
>> http.port=8080
>> https.port=8443
>>
>>
>>
>>
>>
>> On 09/27/2011 07:55 PM, Adam Young wrote:
>>>
>>> Siggi,
>>>
>>> This is my comment in the ticket:
>>> https://fedorahosted.org/freeipa/ticket/1889
>>>
>>> We are working on a tool in the PKI project that will perform these
>>> steps in an automated fashion.
>>>
>>>
>>> There are three files that need to be addressed.
>>>
>>> On the tomcat side, the files are in the Tomcat instance managed by
>>> IPA in /var/lib/pki-ca. The first is
>>>
>>> /var/lib/pki-ca/conf/server.xml
>>>
>>> It needs the addition:
>>>
>>> +
>>>
>>> You can place it around line 281, above the comment for the line
>>>
>>>
>>> Second is: /var/lib/pki-ca/webapps/ca/WEB-INF/web.xml
>>>
>>> For each of the filter entries it needs the code addition below:
>>>
>>>
>>>
>>> proxy_port
>>> 443
>>>
>>>
>>>
>>> + + proxy_port +
>>> 443 +
>>>
>>>
>>>
>>> active true
>>>
>>>
>>>
>>>
>>>
>>> The third change is creating a symlink to /etc/pki-ca/proxy.conf in
>>> the directory /etc/httpd/conf.d
>>>
>>>
>>>
>
> Sorry for the late reply.
>
> I have performed the modifications you've suggested to
> /var/lib/pki-ca/conf/server.xml, and
> /var/lib/pki-ca/webapps/ca/WEB-INF/web.xml.
>
> In the file /var/lib/pki-ca/conf/CS.cfg, the settings were already
> http.port=8080 and https.port=8443.
>
> I could not find the file /etc/pki-ca/proxy.conf. I did find
> /usr/share/pki/ca/conf/proxy.conf, I copied this into
> /etc/httpd/conf.d and replaced [PKI_MACHINE_NAME]:[PKI_AJP_PORT] with
> localhost:9447.
>
> Then I restarted ipa: $ ipactl restart
>
> I get a different error now, same error msg both in webui and cli:
> ipa: ERROR: Certificate format error: [Errno -8192] (SEC_ERROR_IO) An
> I/O error occurred during security authorization.
>
> What do you suggest doing next? :)

/etc/httpd/conf.d/nss.conf:

oot at vm-077 conf.d]# diff nss.conf.orig nss.conf
74c74
< NSSRenegotiation off
---
> NSSRenegotiation on
78c78
< NSSRequireSafeNegotiation off
---
> NSSRequireSafeNegotiation on

As I said, we are scripting this. I should have had you hold out for
the script.

From alee at redhat.com Wed Sep 28 21:36:17 2011
From: alee at redhat.com (Ade Lee)
Date: Wed, 28 Sep 2011 17:36:17 -0400
Subject: [Freeipa-users] [Fwd: [Freeipa-devel] script to proxy-ize a dogtag instance]
Message-ID: <1317245777.28092.94.camel@localhost.localdomain>

Cross-posting to freeipa-users.

In addition, Adam determined that the following directives need to be
enabled in /etc/httpd/conf.d/nss.conf :

NSSRenegotiation on
NSSRequireSafeNegotiation on

Ade

-------------- next part --------------
An embedded message was scrubbed...
From: Ade Lee
Subject: [Freeipa-devel] script to proxy-ize a dogtag instance
Date: Wed, 28 Sep 2011 11:11:24 -0400
Size: 20835
URL:

From sigbjorn at nixtra.com Wed Sep 28 21:59:40 2011
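Review bot: the 74c74 hunk (NSSRenegotiation off -> on) should not be applied on its own: with NSSRequireSafeNegotiation still off, re-enabling renegotiation also accepts the legacy, non-RFC 5746 renegotiation from clients, and it is the 78c78 hunk that restricts it to safe renegotiation. Since this is being scripted, have the script set both directives in one step and leave a comment beside them in nss.conf saying why they were turned on, so that a later hardening pass does not flip them back and reintroduce the SEC_ERROR_IO failure reported in this thread.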
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Wed, 28 Sep 2011 23:59:40 +0200
Subject: [Freeipa-users] Certificate error when modifying/deleting a host
In-Reply-To: <4E839321.9020101@redhat.com>
References: <4E7FA1E6.6050409@nixtra.com> <4E80FDE9.2010504@redhat.com> <4E8229F9.3050400@nixtra.com> <4E823072.1010808@nixtra.com> <1317156360.15918.12.camel@willson.li.ssimo.org> <4E823812.9050705@nixtra.com> <4E826272.7050100@redhat.com> <4E827957.4080606@redhat.com> <4E838B8B.4020601@nixtra.com> <4E839321.9020101@redhat.com>
Message-ID: <4E8398CC.4070704@nixtra.com>

On 09/28/2011 11:35 PM, Adam Young wrote:
> On 09/28/2011 05:03 PM, Sigbjorn Lie wrote:
>> On 09/28/2011 03:33 AM, Adam Young wrote:
>>> After talking with the PKI developer that is fixing this, I found
>>> out that one other file needs to be modified:
>>>
>>>
>>> /var/lib/pki-ca/conf/CS.cfg
>>>
>>> http.port=8080
>>> https.port=8443
>>>
>>>
>>>
>>>
>>>
>>> On 09/27/2011 07:55 PM, Adam Young wrote:
>>>>
>>>> Siggi,
>>>>
>>>> This is my comment in the ticket:
>>>> https://fedorahosted.org/freeipa/ticket/1889
>>>>
>>>> We are working on a tool in the PKI project that will perform these
>>>> steps in an automated fashion.
>>>>
>>>>
>>>> There are three files that need to be addressed.
>>>>
>>>> On the tomcat side, the files are in the Tomcat instance managed by
>>>> IPA in /var/lib/pki-ca. The first is
>>>>
>>>> /var/lib/pki-ca/conf/server.xml
>>>>
>>>> It needs the addition:
>>>>
>>>> +
>>>>
>>>> You can place it around line 281, above the comment for the line
>>>>
>>>>
>>>> Second is: /var/lib/pki-ca/webapps/ca/WEB-INF/web.xml
>>>>
>>>> For each of the filter entries it needs the code addition below:
>>>>
>>>>
>>>>
>>>> proxy_port
>>>> 443
>>>>
>>>>
>>>>
>>>> + + proxy_port +
>>>> 443 +
>>>>
>>>>
>>>>
>>>> active
>>>> true
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> The third change is creating a symlink to /etc/pki-ca/proxy.conf in
>>>> the directory /etc/httpd/conf.d
>>>>
>>>>
>>>>
>>
>> Sorry for the late reply.
>> I have performed the modifications you've suggested to
>> /var/lib/pki-ca/conf/server.xml, and
>> /var/lib/pki-ca/webapps/ca/WEB-INF/web.xml.
>>
>> In the file /var/lib/pki-ca/conf/CS.cfg, the settings were already
>> http.port=8080 and https.port=8443.
>>
>> I could not find the file /etc/pki-ca/proxy.conf. I did find
>> /usr/share/pki/ca/conf/proxy.conf, I copied this into
>> /etc/httpd/conf.d and replaced [PKI_MACHINE_NAME]:[PKI_AJP_PORT] with
>> localhost:9447.
>>
>> Then I restarted ipa: $ ipactl restart
>>
>> I get a different error now, same error msg both in webui and cli:
>> ipa: ERROR: Certificate format error: [Errno -8192] (SEC_ERROR_IO) An
>> I/O error occurred during security authorization.
>>
>> What do you suggest doing next? :)
>
> /etc/httpd/conf.d/nss.conf:
>
> [root at vm-077 conf.d]# diff nss.conf.orig nss.conf
> 74c74
> < NSSRenegotiation off
> ---
> > NSSRenegotiation on
> 78c78
> < NSSRequireSafeNegotiation off
> ---
> > NSSRequireSafeNegotiation on
>
> As I said, we are scripting this. I should have had you hold out for
> the script.

:)

I see Ade Lee has posted the script now. I'll have a go at the script tomorrow.

Rgds,
Siggi

From ayoung at redhat.com Thu Sep 29 00:54:12 2011
From: ayoung at redhat.com (Adam Young)
Date: Wed, 28 Sep 2011 20:54:12 -0400
Subject: [Freeipa-users] Certificate error when modifying/deleting a host
In-Reply-To: <4E8398CC.4070704@nixtra.com>
References: <4E7FA1E6.6050409@nixtra.com> <4E80FDE9.2010504@redhat.com> <4E8229F9.3050400@nixtra.com> <4E823072.1010808@nixtra.com> <1317156360.15918.12.camel@willson.li.ssimo.org> <4E823812.9050705@nixtra.com> <4E826272.7050100@redhat.com> <4E827957.4080606@redhat.com> <4E838B8B.4020601@nixtra.com> <4E839321.9020101@redhat.com> <4E8398CC.4070704@nixtra.com>
Message-ID: <4E83C1B4.9010005@redhat.com>

On 09/28/2011 05:59 PM, Sigbjorn Lie wrote:
> On 09/28/2011 11:35 PM, Adam Young wrote:
>> On 09/28/2011 05:03 PM, Sigbjorn Lie wrote:
>>> On 09/28/2011 03:33 AM, Adam Young wrote:
>>>> After talking with the PKI developer that is fixing this, I found
>>>> out that one other file needs to be modified:
>>>>
>>>> /var/lib/pki-ca/conf/CS.cfg
>>>>
>>>> http.port=8080
>>>> https.port=8443
>>>>
>>>> On 09/27/2011 07:55 PM, Adam Young wrote:
>>>>>
>>>>> Siggi,
>>>>>
>>>>> This is my comment in the ticket:
>>>>> https://fedorahosted.org/freeipa/ticket/1889
>>>>>
>>>>> We are working on a tool in the PKI project that will perform
>>>>> these steps in an automated fashion.
>>>>>
>>>>> There are three files that need to be addressed.
>>>>>
>>>>> On the tomcat side, the files are in the Tomcat instance managed
>>>>> by IPA in /var/lib/pki-ca. The first is
>>>>>
>>>>> /var/lib/pki-ca/conf/server.xml
>>>>>
>>>>> It needs the addition:
>>>>>
>>>>> +
>>>>>
>>>>> You can place it around line 281, above the comment for the line
>>>>>
>>>>> Second is: /var/lib/pki-ca/webapps/ca/WEB-INF/web.xml
>>>>>
>>>>> For each of the filter entries it needs the code addition below:
>>>>>
>>>>> proxy_port
>>>>> 443
>>>>>
>>>>> + + proxy_port +
>>>>> 443 +
>>>>>
>>>>> active
>>>>> true
>>>>>
>>>>> The third change is creating a symlink to /etc/pki-ca/proxy.conf
>>>>> in the directory /etc/httpd/conf.d
>>>>>
>>>
>>> Sorry for the late reply.
>>>
>>> I have performed the modifications you've suggested to
>>> /var/lib/pki-ca/conf/server.xml, and
>>> /var/lib/pki-ca/webapps/ca/WEB-INF/web.xml.
>>>
>>> In the file /var/lib/pki-ca/conf/CS.cfg, the settings were already
>>> http.port=8080 and https.port=8443.
>>>
>>> I could not find the file /etc/pki-ca/proxy.conf. I did find
>>> /usr/share/pki/ca/conf/proxy.conf, I copied this into
>>> /etc/httpd/conf.d and replaced [PKI_MACHINE_NAME]:[PKI_AJP_PORT]
>>> with localhost:9447.
>>>
>>> Then I restarted ipa: $ ipactl restart
>>>
>>> I get a different error now, same error msg both in webui and cli:
>>> ipa: ERROR: Certificate format error: [Errno -8192] (SEC_ERROR_IO)
>>> An I/O error occurred during security authorization.
>>>
>>> What do you suggest doing next? :)
>>
>> /etc/httpd/conf.d/nss.conf:
>>
>> [root at vm-077 conf.d]# diff nss.conf.orig nss.conf
>> 74c74
>> < NSSRenegotiation off
>> ---
>> > NSSRenegotiation on
>> 78c78
>> < NSSRequireSafeNegotiation off
>> ---
>> > NSSRequireSafeNegotiation on
>>
>> As I said, we are scripting this. I should have had you hold out for
>> the script.
>
> :)
>
> I see Ade Lee has posted the script now. I'll have a go at the script
> tomorrow.
>
> Rgds,
> Siggi

Well, that script assumes the machine is in a certain state. I am not sure if your machine now qualifies.

You should only need the nss.conf change, as that seems to match the error you are seeing.

Before you make any changes, try pointing a browser at

https://hostname/ca/ee/ca/getCertChain

And you should get a valid response: XML with a tag

This shows that Dogtag is being proxied correctly. The error you are seeing is due to the need to "renegotiate" the SSL handshake for the authed sections of the PKI-CA.

From ayoung at redhat.com Thu Sep 29 00:58:16 2011
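The two manual steps in this thread that are easy to get half-right are the nss.conf directives from Adam's diff and the placeholder substitution in the shipped proxy.conf. The following is an added example, not code from the thread, from FreeIPA or from the Dogtag proxy script Ade posted: it checks a mod_nss config for the two directives and fills in the proxy.conf placeholders, refusing to emit a file that still contains one. The sample file contents are constructed for the example; the real /usr/share/pki/ca/conf/proxy.conf differs from the stand-in below except for the placeholder names quoted in the thread.

```python
"""Added example (not part of the thread or of the FreeIPA/Dogtag tooling):
check the two mod_nss directives Adam Young's diff turned on, and fill in the
placeholders in the proxy.conf template the way Sigbjorn did by hand."""
from typing import Dict, List

# The two directives from the nss.conf diff in the thread and the values
# they must have before the authenticated (renegotiating) CA paths work.
REQUIRED_NSS_DIRECTIVES = {
    "NSSRenegotiation": "on",
    "NSSRequireSafeNegotiation": "on",
}

# Placeholder names as given in the thread; the ProxyPass lines around them
# are a constructed stand-in for the real /usr/share/pki/ca/conf/proxy.conf.
PROXY_CONF_TEMPLATE = """# constructed sample, not the shipped proxy.conf
ProxyRequests Off
ProxyPass /ca/ee/ca ajp://[PKI_MACHINE_NAME]:[PKI_AJP_PORT]/ca/ee/ca
ProxyPass /ca/agent/ca ajp://[PKI_MACHINE_NAME]:[PKI_AJP_PORT]/ca/agent/ca
"""

# Constructed samples of the lines the diff changed (lines 74 and 78).
NSS_CONF_BEFORE = """# constructed sample, not a complete nss.conf
Listen 443
NSSRenegotiation off
NSSRequireSafeNegotiation off
"""
NSS_CONF_AFTER = NSS_CONF_BEFORE.replace(" off", " on")


def parse_directives(conf_text: str) -> Dict[str, str]:
    """Collect top-level 'Directive value' pairs from an Apache-style config.
    Comments, blank lines and section tags (<VirtualHost ...>) are skipped;
    when a directive appears twice the last occurrence wins, as in httpd."""
    found: Dict[str, str] = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            found[parts[0]] = parts[1].strip()
    return found


def check_nss_conf(conf_text: str) -> List[str]:
    """Return one message per directive that is missing or not 'on';
    an empty list means the file matches the post-diff state."""
    directives = parse_directives(conf_text)
    problems: List[str] = []
    for name, wanted in REQUIRED_NSS_DIRECTIVES.items():
        actual = directives.get(name)
        if actual is None:
            problems.append(f"{name} is not set (expected {wanted})")
        elif actual.lower() != wanted:
            problems.append(f"{name} is {actual} (expected {wanted})")
    return problems


def fill_proxy_conf(template: str, pki_host: str, ajp_port: int) -> str:
    """Substitute both placeholders and refuse to return a file that still
    contains one, so a half-edited proxy.conf never reaches httpd."""
    filled = (template.replace("[PKI_MACHINE_NAME]", pki_host)
                      .replace("[PKI_AJP_PORT]", str(ajp_port)))
    if "[PKI_" in filled:
        raise ValueError("unreplaced placeholder left in proxy.conf")
    return filled


if __name__ == "__main__":
    print("before:", check_nss_conf(NSS_CONF_BEFORE))  # two problems
    print("after: ", check_nss_conf(NSS_CONF_AFTER))   # []
    print(fill_proxy_conf(PROXY_CONF_TEMPLATE, "localhost", 9447))
```

To run the check against a live host, read /etc/httpd/conf.d/nss.conf into `check_nss_conf` and the shipped template into `fill_proxy_conf` with the host and AJP port from the thread (localhost, 9447); a non-empty problem list is the condition that produces the SEC_ERROR_IO error Sigbjorn saw.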
From: ayoung at redhat.com (Adam Young)
Date: Wed, 28 Sep 2011 20:58:16 -0400
Subject: [Freeipa-users] user login exposes all users in UI
In-Reply-To:
References:
Message-ID: <4E83C2A8.10504@redhat.com>

On 09/28/2011 01:13 PM, Stephen Ingram wrote:
> When logging into the FreeIPA UI as a user, most everything is removed
> with the exception of the Identity tab and the Users list. Although
> I'm guessing that LDAP needs to expose the users list to all users
> just as anyone can view the passwd file on any one system, is there a
> technical need to expose all of the users to any user logging into the
> UI?
>
> Steve

The UI does not remove any privs. That same user can run the command line ipa user-find and get the same results. Additionally, the user has the ability to query the LDAP server directly. Thus, we decided to leave the ability to enumerate all users, but not to advertise it.

We did remove tabs for other things that the user can do, mainly because some of them pointed at operations that the user was not allowed to see (Roles, for example, and Sudo commands for another). We had to draw the line somewhere, and that is where we decided. It has the added benefit of letting IPA work as a company directory.

From Steven.Jones at vuw.ac.nz Thu Sep 29 20:35:59 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 29 Sep 2011 20:35:59 +0000
Subject: [Freeipa-users] Question on AD to freeipa sync
Message-ID: <833D8E48405E064EBC54C84EC6B36E404461A1B8@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

In the documentation it says that new accounts in AD are synced over to freeIPA, so IPA sets the UID as it "arrives"?

What happens if the user is an existing one and has a UID they want to retain, does that transfer over and get used?

Also how do you set permissions and groups? does the new user just go into a default group and then you login to freeIPA and set them up? or can you put the GIDs into AD and they get transferred and the user put into the "right" groups automagically?

Looks like I can set this sort of thing "how I want" in the sync agreement?

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From rmeggins at redhat.com Thu Sep 29 20:49:04 2011
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 29 Sep 2011 14:49:04 -0600
Subject: [Freeipa-users] Question on AD to freeipa sync
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404461A1B8@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404461A1B8@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4E84D9C0.2010804@redhat.com>

On 09/29/2011 02:35 PM, Steven Jones wrote:
> Hi,
>
> In the documentation it says that new accounts in AD are synced over to freeIPA, so IPA sets the UID as it "arrives"?

Yes. It uses the DNA plugin to assign an auto-incremented uidNumber value.

> What happens if the user is an existing one and has a UID they want to retain, does that transfer over and get used?

uidNumber from AD, or is this a case where the user already exists in both AD and IPA?

> Also how do you set permissions

What permissions? ACIs?

> and groups?

Posix groups?

> does the new user just go into a default group

In the ipa-winsync plugin config you tell it how to find the entry that has the default group gidNumber to use. This should be documented somewhere.

> and then you login to freeIPA and set them up? or can you put the GIDs into AD and they get transferred and the user put into the "right" groups automagically?

It cannot copy the gidNumber from AD.

> Looks like I can set this sort of thing "how I want" in the sync agreement?

This sort of thing should be documented in the ipa winsync documentation.

> regards
>
> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
> 0064 4 463 6272

From Steven.Jones at vuw.ac.nz Thu Sep 29 20:55:35 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 29 Sep 2011 20:55:35 +0000
Subject: [Freeipa-users] backing up and restoring the backend
Message-ID: <833D8E48405E064EBC54C84EC6B36E404461A1D5@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

Backing up

I can't find anything in the documentation discussing backing up and recovering IPA/ldap?....in the past I seem to recall the FDS/389 suggested exporting the data which was then backed up.....I think there was a gui to do that....

So even if it's a case of now it's easy, just backup /var/lib/dirsrv and nothing more is needed, it should say so IMHO.

Restoring

Is there a restore process? so with FDS/389 you would import the exported file.

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From Steven.Jones at vuw.ac.nz Thu Sep 29 21:02:05 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 29 Sep 2011 21:02:05 +0000
Subject: [Freeipa-users] Load balancing
Message-ID: <833D8E48405E064EBC54C84EC6B36E404461A1C8@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

I'm a bit unclear on a few aspects of the IPA design....

In the beginning of the fedora 15 user document there is comment on load balancing yet when you join a client it's stating a specific server, so how does that work?

So is the load balancing manual-matic? ie if you have several replicas you have to point the client at one or other when you join? If so how does the client survive while one replica is off line?

For an architecture design for our site I'm thinking of having a "Master" Master that does the gui and the AD sync but then 2 replicas that I point the clients at? keeping the master isolated with a firewall so clients don't normally connect. Does this make sense?

Possibly some visio (oops wash my mouth out) diagrams in the doc on architectural options would be useful....I know I'd find them useful.

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From dlackey at redhat.com Thu Sep 29 21:20:41 2011
From: dlackey at redhat.com (Deon Lackey)
Date: Thu, 29 Sep 2011 17:20:41 -0400 (EDT)
Subject: [Freeipa-users] backing up and restoring the backend
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404461A1D5@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID:

First off, I have opened a ticket to make it clear in the FreeIPA docs what you should do:

https://fedorahosted.org/freeipa-guide/ticket/25

Okay, until I get that done, here is the info on what to do for backing up and restoring the DS in general:

http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Populating_Directory_Databases-Backing_Up_and_Restoring_Data.html

There are a couple of different options and scripts you can use, aside from just importing and exporting data.

Hope that helps!

Deon

----- Original Message -----
From: "Steven Jones"
To: freeipa-users at redhat.com
Sent: Thursday, September 29, 2011 3:55:35 PM
Subject: [Freeipa-users] backing up and restoring the backend

From jhrozek at redhat.com Thu Sep 29 21:33:37 2011
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Thu, 29 Sep 2011 23:33:37 +0200
Subject: [Freeipa-users] Load balancing
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404461A1C8@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404461A1C8@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <20110929213337.GC12370@zeppelin.brq.redhat.com>

On Thu, Sep 29, 2011 at 09:02:05PM +0000, Steven Jones wrote:
> Hi,
>
> I'm a bit unclear on a few aspects of the IPA design....
>
> In the beginning of the fedora 15 user document there is comment on load balancing yet when you join a client it's stating a specific server, so how does that work?
>

Clients should use SRV DNS records for load balancing and IIRC they are configured to do so automatically.

> So is the load balancing manual-matic? ie if you have several replicas you have to point the client at one or other when you join?
>

No, it's automatic. This is how it works in detail:

There are two important parts of an SRV record - priority and weight. Priority specifies the order in which the servers should be contacted. The client first attempts to contact the server with the lowest priority; if it doesn't respond, then try the second lowest etc. Weight specifies the relative load for entries with the same priority.

All replicas are assigned the same priority by default. Check out "ipa help dns" for some srv examples if you need to change the priority.

> If so how does the client survive while one replica is off line?

The client includes a pretty sophisticated fail over mechanism that seamlessly reconnects to another configured server if the current one does not respond

From jhrozek at redhat.com Thu Sep 29 21:34:46 2011
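Jakub's description of priority and weight is the RFC 2782 server-selection rule that SSSD's fail-over code follows. The block below is an added illustration, not SSSD or FreeIPA code and not part of the thread: it orders a constructed set of SRV records (lowest priority first, weight-proportional choice within a priority) and walks them the way a client does when the preferred replica does not answer. The record set and the `is_up` callback are constructed stand-ins for a DNS lookup and a connection attempt.

```python
"""Added example (not from the thread, not SSSD/FreeIPA code): RFC 2782
SRV ordering plus the fail-over walk a client makes over that order."""
import random
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class SrvRecord:
    priority: int   # lower is tried first
    weight: int     # relative share among records of equal priority
    port: int
    target: str


# Constructed records, roughly what _ldap._tcp.example.test might return:
# two replicas share the load 2:1, a third is used only when both are down.
RECORDS = [
    SrvRecord(0, 100, 389, "ipa1.example.test"),
    SrvRecord(0, 50, 389, "ipa2.example.test"),
    SrvRecord(10, 0, 389, "ipa3.example.test"),
]


def _order_with_rng(records: List[SrvRecord], rng: random.Random) -> List[SrvRecord]:
    ordered: List[SrvRecord] = []
    for priority in sorted({r.priority for r in records}):
        pool = [r for r in records if r.priority == priority]
        while pool:
            total = sum(r.weight for r in pool)
            if total == 0:
                chosen = rng.choice(pool)       # all zero: any order is fine
            else:
                # Weighted draw: a record's chance is weight / total, so a
                # zero-weight record is taken only after the rest are used.
                pick = rng.randint(1, total)
                running = 0
                for r in pool:
                    running += r.weight
                    if running >= pick:
                        chosen = r
                        break
            ordered.append(chosen)
            pool.remove(chosen)
    return ordered


def order_srv_targets(records: List[SrvRecord], seed: Optional[int] = None) -> List[SrvRecord]:
    """Return the records in the order a client should try them."""
    return _order_with_rng(records, random.Random(seed))


def choose_server(records: List[SrvRecord], is_up: Callable[[str], bool],
                  seed: Optional[int] = None) -> Optional[SrvRecord]:
    """Fail-over walk: the first reachable target in SRV order, or None
    when no replica answers (the case the client must report, not mask)."""
    for rec in order_srv_targets(records, seed):
        if is_up(rec.target):
            return rec
    return None


def first_choice_share(records: List[SrvRecord], draws: int, seed: int = 1) -> Dict[str, int]:
    """How often each target comes out first over many lookups; with the
    constructed records ipa1 should be first about twice as often as ipa2."""
    rng = random.Random(seed)
    return dict(Counter(_order_with_rng(records, rng)[0].target for _ in range(draws)))


if __name__ == "__main__":
    print([r.target for r in order_srv_targets(RECORDS)])
    print(first_choice_share(RECORDS, 3000))
    # Simulate both priority-0 replicas being down: the walk falls through
    # to the priority-10 record.
    print(choose_server(RECORDS, lambda t: t == "ipa3.example.test"))
```

The point of `first_choice_share` is to make the load-sharing claim checkable: if the replicas you intended to share load show up first in very unequal proportions, their weights (or a priority you did not mean to set) are what to look at in `ipa dnsrecord-show`, not the client.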
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Thu, 29 Sep 2011 23:34:46 +0200
Subject: [Freeipa-users] backing up and restoring the backend
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404461A1D5@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404461A1D5@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <20110929213446.GD12370@zeppelin.brq.redhat.com>

On Thu, Sep 29, 2011 at 08:55:35PM +0000, Steven Jones wrote:
> Hi,
>
> Backing up
>
> I can't find anything in the documentation discussing backing up and recovering IPA/ldap?....in the past I seem to recall the FDS/389 suggested exporting the data which was then backed up.....I think there was a gui to do that....
>
> So even if it's a case of now it's easy, just backup /var/lib/dirsrv and nothing more is needed, it should say so IMHO.
>
> Restoring
>
> Is there a restore process? so with FDS/389 you would import the exported file.
>
> regards
>

Why not just create a replica? Saves you the restore part at least..

From Steven.Jones at vuw.ac.nz Thu Sep 29 21:35:04 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 29 Sep 2011 21:35:04 +0000
Subject: [Freeipa-users] backing up and restoring the backend
In-Reply-To:
References: <833D8E48405E064EBC54C84EC6B36E404461A1D5@STAWINCOX10MBX1.staff.vuw.ac.nz>,
Message-ID: <833D8E48405E064EBC54C84EC6B36E404461A219@STAWINCOX10MBX1.staff.vuw.ac.nz>

4.3.1.2. Backing up All Databases from the Command Line

"To avoid shutting down the server when running a backup, use the db2bak.pl Perl script instead of the bd2bak tool. These are both located in the /usr/lib[64]/dirsrv/slapd-example directory."

This script doesn't seem to be available/present (I did a find on /usr and a yum provides) can it be made available/official?

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________
From: Deon Lackey [dlackey at redhat.com]
Sent: Friday, 30 September 2011 10:20 a.m.
To: Steven Jones
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] backing up and restoring the backend

From sigbjorn at nixtra.com Thu Sep 29 21:36:17 2011
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Thu, 29 Sep 2011 23:36:17 +0200
Subject: [Freeipa-users] [Fwd: [Freeipa-devel] script to proxy-ize a dogtag instance]
In-Reply-To: <1317245777.28092.94.camel@localhost.localdomain>
References: <1317245777.28092.94.camel@localhost.localdomain>
Message-ID: <4E84E4D1.9090103@nixtra.com>

On 09/28/2011 11:36 PM, Ade Lee wrote:
> Cross-posting to freeipa-users.
>
> In addition, Adam determined that the following directives need to be
> enabled in /etc/httpd/conf.d/nss.conf :
>
> NSSRenegotiation on
> NSSRequireSafeNegotiation on
>
> Ade
>

I have manually verified the files from reading your script, while cross referencing with the replies from Adam Young. I am still receiving an error both in the webui and the cli: "ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (Bad Request)".

Have you verified this script as working in another environment? ... Meaning there would be something wrong with the changes I've done manually along the way...

I have done these changes on one IPA server only so far for testing, I don't see any traffic going to the other IPA servers while I'm doing ipa cert-show or ipa host-disable. Does it need to be done on all the IPA servers to work successfully?

Rgds,
Siggi

From rmeggins at redhat.com Thu Sep 29 21:40:32 2011
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 29 Sep 2011 15:40:32 -0600
Subject: [Freeipa-users] backing up and restoring the backend
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404461A219@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404461A1D5@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E404461A219@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4E84E5D0.3050303@redhat.com>

On 09/29/2011 03:35 PM, Steven Jones wrote:
> 4.3.1.2. Backing up All Databases from the Command Line
> "To avoid shutting down the server when running a backup, use the db2bak.pl Perl script instead of the bd2bak tool. These are both located in the /usr/lib[64]/dirsrv/slapd-example directory."
>
> This script doesn't seem to be available/present (I did a find on /usr and a yum provides) can it be made available/official?

ipa has moved it to under /var/lib/dirsrv

> regards
>
> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
> 0064 4 463 6272
>
> ________________________________
From Steven.Jones at vuw.ac.nz Thu Sep 29 21:43:22 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 29 Sep 2011 21:43:22 +0000
Subject: [Freeipa-users] backing up and restoring the backend
In-Reply-To: <20110929213446.GD12370@zeppelin.brq.redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E404461A1D5@STAWINCOX10MBX1.staff.vuw.ac.nz>, <20110929213446.GD12370@zeppelin.brq.redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404461A233@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

A replica does not survive an internal corruption....surely you would just duplicate the corruption?......unless you are telling me there is a way to avoid that with replication alone?

So for me it's like Raiding disks.....a tape backup survives a data corruption and isn't really there for a hardware failure....call me paranoid but a tape (OK, I now have a virtual tape library) has saved my ass often enough that I want them.

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Jakub Hrozek [jhrozek at redhat.com]
Sent: Friday, 30 September 2011 10:34 a.m.
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] backing up and restoring the backend

On Thu, Sep 29, 2011 at 08:55:35PM +0000, Steven Jones wrote:
> Is there a restore process? so with FDS/389 you would import the exported file.
>

Why not just create a replica? Saves you the restore part at least..

From Steven.Jones at vuw.ac.nz Thu Sep 29 21:45:15 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 29 Sep 2011 21:45:15 +0000
Subject: [Freeipa-users] backing up and restoring the backend
In-Reply-To: <4E84E5D0.3050303@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E404461A1D5@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E404461A219@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4E84E5D0.3050303@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404461A24E@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

Thanks, yum provides didn't return anything......I must have made a typo...

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________________
From: Rich Megginson [rmeggins at redhat.com]
Sent: Friday, 30 September 2011 10:40 a.m.
To: Steven Jones
Cc: Deon Lackey; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] backing up and restoring the backend

On 09/29/2011 03:35 PM, Steven Jones wrote:
> This script doesn't seem to be available/present (I did a find on /usr and a yum provides) can it be made available/official?

ipa has moved it to under /var/lib/dirsrv
From rmeggins at redhat.com Thu Sep 29 21:47:40 2011
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 29 Sep 2011 15:47:40 -0600
Subject: [Freeipa-users] backing up and restoring the backend
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404461A24E@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404461A1D5@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E404461A219@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4E84E5D0.3050303@redhat.com> <833D8E48405E064EBC54C84EC6B36E404461A24E@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4E84E77C.7070406@redhat.com>

On 09/29/2011 03:45 PM, Steven Jones wrote:
> Hi,
>
> Thanks, yum provides didn't return anything......I must have made a typo...

No, yum is correct. These files are not provided by yum (i.e. in the package); they are instead created when you set up your instances, by ipa eventually calling setup-ds.pl. The reason ipa moved them from /usr to /var is that they felt it was not proper to dynamically create files under /usr since many deployments want /usr to be mounted read-only.

> regards
>
> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
> 0064 4 463 6272
>
> ________________________________________
From Steven.Jones at vuw.ac.nz Thu Sep 29 21:51:13 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 29 Sep 2011 21:51:13 +0000
Subject: [Freeipa-users] backing up and restoring the backend
In-Reply-To: <4E84E77C.7070406@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E404461A1D5@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E404461A219@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4E84E5D0.3050303@redhat.com> <833D8E48405E064EBC54C84EC6B36E404461A24E@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4E84E77C.7070406@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404461A26A@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

I have no problem with /var/ being used, it's "variable" after all.....makes the most sense....consistency is good.

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________________
From: Rich Megginson [rmeggins at redhat.com]
Sent: Friday, 30 September 2011 10:47 a.m.
To: Steven Jones
Cc: Deon Lackey; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] backing up and restoring the backend

On 09/29/2011 03:45 PM, Steven Jones wrote:
> Hi,
>
> Thanks, yum provides didn't return anything......I must have made a typo...

No, yum is correct. These files are not provided by yum (i.e. in the package); they are instead created when you set up your instances, by ipa eventually calling setup-ds.pl. The reason ipa moved them from /usr to /var is that they felt it was not proper to dynamically create files under /usr, since many deployments want /usr to be mounted read-only.

> regards
>
> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
> 0064 4 463 6272
>
> ________________________________________
From simo at redhat.com Thu Sep 29 22:04:15 2011
From: simo at redhat.com (Simo Sorce)
Date: Thu, 29 Sep 2011 18:04:15 -0400
Subject: [Freeipa-users] backing up and restoring the backend
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404461A1D5@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404461A1D5@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <1317333855.15918.250.camel@willson.li.ssimo.org>

On Thu, 2011-09-29 at 20:55 +0000, Steven Jones wrote:
> Hi,
>
> Backing up
>
> I can't find anything in the documentation discussing backing up and recovering IPA/ldap?....in the past I seem to recall the FDS/389 suggested exporting the data which was then backed up.....I think there was a gui to do that....
>
> So even if its a case of now its easy just backup /var/lib/dirsrv and nothing more is needed, it should say so IMHO.
>
> Restoring
>
> Is there a restore process? so with FDS/389 you would import the exported file.

I would do a full system backup and recovery if necessary. IPA uses multiple components and just backing up DS data is not sufficient for a full restore. There are configuration files, certificate stores and keytabs in the filesystem too.

One way to do disaster recovery is also to have a VM join as a replica and then regularly take full snapshots of the VM. From there disaster recovery is as simple as reviving the VM from the last good snapshot and then reinstalling and making replicas from it.

Note that if you use the selfsign CA you must backup the CA cert/store from the first master; a replica does not have that info. If you instead use the full CA with dogtag, make sure you also configure the snapshotted VM to be a CA replica too.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From dpal at redhat.com Thu Sep 29 22:10:30 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Thu, 29 Sep 2011 18:10:30 -0400
Subject: [Freeipa-users] backing up and restoring the backend
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404461A233@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404461A1D5@STAWINCOX10MBX1.staff.vuw.ac.nz>, <20110929213446.GD12370@zeppelin.brq.redhat.com> <833D8E48405E064EBC54C84EC6B36E404461A233@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4E84ECD6.1020900@redhat.com>

On 09/29/2011 05:43 PM, Steven Jones wrote:
> Hi,
>
> A replica does not survive an internal corruption....surely you would just duplicate the corruption?......unless you are telling me there is a way to avoid that with replication alone?
>
> So for me its like Raiding disks.....a tape backup survives a data corruption and isn't really there for a hardware failure....call me paranoid but a tape (OK, I now have a virtual tape library) has saved my ass often enough that I want them.
>
> regards
>
> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
> 0064 4 463 6272
>
> ________________________________________
> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Jakub Hrozek [jhrozek at redhat.com]
> Sent: Friday, 30 September 2011 10:34 a.m.
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] backing up and restoring the backend
>
> On Thu, Sep 29, 2011 at 08:55:35PM +0000, Steven Jones wrote:
>> Hi,
>>
>> Backing up
>>
>> I can't find anything in the documentation discussing backing up and recovering IPA/ldap?....in the past I seem to recall the FDS/389 suggested exporting the data which was then backed up.....I think there was a gui to do that....
>>
>> So even if its a case of now its easy just backup /var/lib/dirsrv and nothing more is needed, it should say so IMHO.
>>
>> Restoring
>>
>> Is there a restore process? so with FDS/389 you would import the exported file.
>>
>> regards
>>
> Why not just create a replica? Saves you the restore part at least..

We have discussed backup strategies in the past several times. Replicas are definitely viable. If there is a data corruption there are ways to deal with it, though it is an extremely rare situation. The problem is that saving just the database is not enough. There are certs, keys, config files, NSS database etc. that need to be backed up too. As IPA is trying to hide all this complexity on one side and is changing as we develop new functionality on the other, we thought that for cases like yours it might make sense to save a snapshot of the machine image rather than only back up the content of the LDAP.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From Steven.Jones at vuw.ac.nz Thu Sep 29 22:58:16 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 29 Sep 2011 22:58:16 +0000
Subject: [Freeipa-users] backing up and restoring the backend
In-Reply-To: <4E84ECD6.1020900@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E404461A1D5@STAWINCOX10MBX1.staff.vuw.ac.nz>, <20110929213446.GD12370@zeppelin.brq.redhat.com> <833D8E48405E064EBC54C84EC6B36E404461A233@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4E84ECD6.1020900@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404461A2B5@STAWINCOX10MBX1.staff.vuw.ac.nz>

VM?

VMWare snapshot?

VMWare snapshots are best described as spawn of the devil, they should have a life of 2 or 3 days max....

One of my next Qs was what else needs backing up....however I assumed that everything else outside the database is simple to back up.....its just "files" or is this not the case?

Yes I will have replicas.....at least one in DR.....maybe a second elsewhere.....I need to do a design document that lays this out.

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

8><----
>> Backing up
>>
>> I can't find anything in the documentation discussing backing up and recovering IPA/ldap?....in the past I seem to recall the FDS/389 suggested exporting the data which was then backed up.....I think there was a gui to do that....
>>
>> So even if its a case of now its easy just backup /var/lib/dirsrv and nothing more is needed, it should say so IMHO.
>>
>> Restoring
>>
>> Is there a restore process? so with FDS/389 you would import the exported file.
>>
>> regards
>>
> Why not just create a replica? Saves you the restore part at least..

We have discussed backup strategies in the past several times. Replicas are definitely viable. If there is a data corruption there are ways to deal with it, though it is an extremely rare situation. The problem is that saving just the database is not enough. There are certs, keys, config files, NSS database etc. that need to be backed up too.

As IPA is trying to hide all this complexity on one side and is changing as we develop new functionality on the other, we thought that for cases like yours it might make sense to save a snapshot of the machine image rather than only back up the content of the LDAP.

8><----------

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

From simo at redhat.com Fri Sep 30 13:28:01 2011
From: simo at redhat.com (Simo Sorce)
Date: Fri, 30 Sep 2011 09:28:01 -0400
Subject: [Freeipa-users] backing up and restoring the backend
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404461A2B5@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404461A1D5@STAWINCOX10MBX1.staff.vuw.ac.nz> , <20110929213446.GD12370@zeppelin.brq.redhat.com> <833D8E48405E064EBC54C84EC6B36E404461A233@STAWINCOX10MBX1.staff.vuw.ac.nz> , <4E84ECD6.1020900@redhat.com> <833D8E48405E064EBC54C84EC6B36E404461A2B5@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <1317389281.15918.255.camel@willson.li.ssimo.org>

On Thu, 2011-09-29 at 22:58 +0000, Steven Jones wrote:
> VM?
>
> VMWare snapshot?
>
> VMWare snapshots are best described as spawn of the devil, they should
> have a life of 2 or 3 days max....

I use KVM so I can't tell how good/bad VMWare fares in this regard, but I didn't mean VM snapshot, sorry if I was unclear.

I literally meant you turn off the VM and save a copy of the disk image.

It may not be the most efficient way of course, and you can also simply use normal backup software with disaster recovery functionality. As long as it is able to properly deal with the dirsrv database it should be fine.

> One of my next Qs was what else needs backing up....however I assumed
> that everything else outside the database is simple to back up.....its
> just "files"
>
> or is this not the case?

Everything but dirsrv databases is just files, that is correct.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From dpal at redhat.com Fri Sep 30 16:40:23 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 30 Sep 2011 12:40:23 -0400
Subject: [Freeipa-users] backing up and restoring the backend
In-Reply-To: <1317389281.15918.255.camel@willson.li.ssimo.org>
References: <833D8E48405E064EBC54C84EC6B36E404461A1D5@STAWINCOX10MBX1.staff.vuw.ac.nz> , <20110929213446.GD12370@zeppelin.brq.redhat.com> <833D8E48405E064EBC54C84EC6B36E404461A233@STAWINCOX10MBX1.staff.vuw.ac.nz> , <4E84ECD6.1020900@redhat.com> <833D8E48405E064EBC54C84EC6B36E404461A2B5@STAWINCOX10MBX1.staff.vuw.ac.nz> <1317389281.15918.255.camel@willson.li.ssimo.org>
Message-ID: <4E85F0F7.4000103@redhat.com>

On 09/30/2011 09:28 AM, Simo Sorce wrote:
> On Thu, 2011-09-29 at 22:58 +0000, Steven Jones wrote:
>> VM?
>>
>> VMWare snapshot?
>>
>> VMWare snapshots are best described as spawn of the devil, they should
>> have a life of 2 or 3 days max....
> I use KVM so I can't tell how good/bad VMWare fares in this regard, but
> I didn't mean VM snapshot, sorry if I was unclear.
>
> I literally meant you turn off the VM and save a copy of the disk image.
>
> It may not be the most efficient way of course, and you can also simply
> use normal backup software with disaster recovery functionality.
> As long as it is able to properly deal with the dirsrv database it should be
> fine.
>
>> One of my next Qs was what else needs backing up....however I assumed
>> that everything else outside the database is simple to back up.....its
>> just "files"
>>
>> or is this not the case?
> Everything but dirsrv databases is just files, that is correct.

Well... there are two DS instances. One for main and one for PKI. And as we move forward and integrate other components, other storage elements might be introduced. This is why doing a full backup is probably much better than dealing with individual elements.

> Simo.
>

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From mark.cinense at gmail.com Fri Sep 30 17:10:09 2011
From: mark.cinense at gmail.com (Mark A Cinense)
Date: Fri, 30 Sep 2011 12:10:09 -0500
Subject: [Freeipa-users] Install problem with --setup-dns
Message-ID:

Hi, new to the list. I have been pounding away at this for the past month or so, and I am stumped as to why when installing IPA, it keeps wanting to setup DNS with a domain name of ipaserver.test.mark.cinense.org. During the interaction part of the install, I defined the domain as mark.cinense.org.

The message I get is:

Do you want to configure the reverse zone? [yes]:
Configuring named:
  [1/9]: adding DNS container
  [2/9]: setting up our zone
Unexpected error - see ipaserver-install.log for details:
test.mark.cinense.org: DNS zone not found

Here is how I answer the interactive questions:

Server host name [ipaserver.test.mark.cinense.org]:

Warning: skipping DNS resolution of host ipaserver.test.mark.cinense.org
The domain name has been calculated based on the host name.

Please confirm the domain name [test.mark.cinense.org]: mark.cinense.org

The IPA Master Server will be configured with
Hostname:    ipaserver.test.mark.cinense.org
IP address:  156.119.45.254
Domain name: mark.cinense.org

When I do a hostname I get:

[root at ipaserver log]# hostname
ipaserver.test.mark.cinense.org

Any ideas? Is there something I am missing?

--
Mark Cinense CNA A+ MCP CVE RHCSA 6
MACDAV Productions a Cinense Consulting Service Company

From ayoung at redhat.com Fri Sep 30 18:00:30 2011
From: ayoung at redhat.com (Adam Young)
Date: Fri, 30 Sep 2011 14:00:30 -0400
Subject: [Freeipa-users] Install problem with --setup-dns
In-Reply-To:
References:
Message-ID: <4E8603BE.2000700@redhat.com>

On 09/30/2011 01:10 PM, Mark A Cinense wrote:
> Hi, new to the list. I have been pounding away at this for the past
> month or so, and I am stumped as to why when installing IPA, it keeps
> wanting to setup DNS with a domain name of
> ipaserver.test.mark.cinense.org. During the interaction part
> of the install, I defined the domain as mark.cinense.org.
>
> The message I get is:
>
> Do you want to configure the reverse zone? [yes]:
> Configuring named:
>   [1/9]: adding DNS container
>   [2/9]: setting up our zone
> Unexpected error - see ipaserver-install.log for details:
> test.mark.cinense.org: DNS zone not found
>
> Here is how I answer the interactive questions:
>
> Server host name [ipaserver.test.mark.cinense.org]:

I think the problem is that you are adding to an invalid zone here. I am guessing something is silently failing. You are stating that your domain is mark.cinense.org but I think you want it to be test.mark.cinense.org. And then your server ipaserver.test.mark.cinense.org makes sense. The zone is the zone you are going to control by default, not the zone you are joining....if that makes sense

>
> Warning: skipping DNS resolution of host ipaserver.test.mark.cinense.org
> The domain name has been calculated based on the host name.
>
> Please confirm the domain name [test.mark.cinense.org]: mark.cinense.org
>
> The IPA Master Server will be configured with
> Hostname:    ipaserver.test.mark.cinense.org
> IP address:  156.119.45.254
> Domain name: mark.cinense.org
>
> When I do a hostname I get:
>
> [root at ipaserver log]# hostname
> ipaserver.test.mark.cinense.org
>
> Any ideas? Is there something I am missing?
>
> --
> Mark Cinense CNA A+ MCP CVE RHCSA 6
> MACDAV Productions a Cinense Consulting Service Company
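The host name / domain mismatch Adam describes, as an added check written for this archive page (it is not code from the thread or from the FreeIPA installer): given the server host name and the domain typed at the prompt, derive the domain the installer would calculate from the host name, test containment label by label rather than by string suffix, and report the case from Mark's transcript, a host sitting in a subdomain of the zone IPA is asked to manage, which is where the "DNS zone not found" comes from. The function names, messages and the "host.ample.org" counter-example are this example's own assumptions.

```python
"""Consistency check for the host name and domain answers given to ipa-server-install.

Added example for this thread; not code from the FreeIPA installer. It models what
the thread describes: the installer calculates the domain from the host name
(everything after the first label) and, with --setup-dns, creates and manages the
zone you confirm at the prompt. The server's own host record has to go into the
zone named by the host's parent domain, so that zone must be the managed one
(or already exist); otherwise the install stops with "<parent>: DNS zone not found".
"""
from typing import List, Tuple


def _labels(name: str) -> List[str]:
    """Split a DNS name into lowercase labels, ignoring a trailing dot."""
    return [label for label in name.lower().rstrip(".").split(".") if label]


def derived_domain(hostname: str) -> str:
    """Domain the installer calculates from the host name: drop the first label."""
    labels = _labels(hostname)
    if len(labels) < 2:
        raise ValueError(f"{hostname!r} is not a fully qualified host name")
    return ".".join(labels[1:])


def in_domain(name: str, domain: str) -> bool:
    """Label-aware containment: host.example.org is inside example.org, but
    host.ample.org is not, which a plain str.endswith() check would get wrong."""
    n, d = _labels(name), _labels(domain)
    return len(n) > len(d) and n[-len(d):] == d


def check_install_domain(hostname: str, domain: str) -> Tuple[bool, str]:
    """Return (ok, explanation) for the host name / domain pair typed at the prompts."""
    host_zone = derived_domain(hostname)
    managed = ".".join(_labels(domain))
    if host_zone == managed:
        return True, f"{hostname}: host record goes into the managed zone {managed}"
    if in_domain(hostname, managed):
        # Mark's case: the host sits in a subdomain of the zone IPA will manage,
        # so the installer looks for zone host_zone, which nobody has created.
        return False, (
            f"{hostname} is in {host_zone}, a subdomain of the managed zone {managed}; "
            f"expect '{host_zone}: DNS zone not found'. Either confirm {host_zone} as the "
            f"domain or name the server <host>.{managed}"
        )
    return False, f"{hostname} is not inside {managed} at all; check the host name"


if __name__ == "__main__":
    for host, dom in [
        ("ipaserver.test.mark.cinense.org", "mark.cinense.org"),       # the thread's input
        ("ipaserver.test.mark.cinense.org", "test.mark.cinense.org"),  # Adam's suggestion
        ("ipaserver.mark.cinense.org", "mark.cinense.org"),            # renamed host instead
    ]:
        ok, why = check_install_domain(host, dom)
        print("OK  " if ok else "FAIL", why)
```

Run it before the real install: the first pair fails with the same zone name the installer reports, the second is Adam's fix (confirm the calculated domain), and the third is the alternative of renaming the host so its parent domain is the zone you actually want IPA to control.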