From natxo.asenjo at gmail.com  Sun Dec  2 14:24:42 2012
From: natxo.asenjo at gmail.com (Natxo Asenjo)
Date: Sun, 2 Dec 2012 15:24:42 +0100
Subject: [Freeipa-users] error adding replica
Message-ID:

hi,

I have a 6.3 centos server that has been upgraded since 6.1. According
to the ipaserver-install.log, I installed it on feb 3 2012 so it has
been upgraded at least once.

Now that I have more hardware to run a few more VMs I can test
replicas. But apparently I am running into this problem:

https://bugzilla.redhat.com/show_bug.cgi?id=867640

I have exactly the same error:

2012-10-17T22:07:50Z DEBUG stderr=
2012-10-17T22:07:50Z CRITICAL failed to configure ca instance Command
'/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname
rhel6-2.testrelm.com -cs_port 9445 -client_certdb_dir /tmp/tmp-Q8ad1f
-client_certdb_pwd XXXXXXXX -preop_pin w53uYQUJBSyYNddpO5Xk
-domain_name IPA -admin_user admin -admin_email root at localhost
-admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048
-agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=TESTRELM.COM
-ldap_host rhel6-2.testrelm.com -ldap_port 7389 -bind_dn cn=Directory
Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca
-key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12
true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal
-ca_subsystem_cert_subject_name CN=CA Subsystem,O=TESTRELM.COM
-ca_subsystem_cert_subject_name CN=CA Subsystem,O=TESTRELM.COM
-ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=TESTRELM.COM
-ca_server_cert_subject_name CN=rhel6-2.testrelm.com,O=TESTRELM.COM
-ca_audit_signing_cert_subject_name CN=CA Audit,O=TESTRELM.COM
-ca_sign_cert_subject_name CN=Certificate Authority,O=TESTRELM.COM
-external false -clone true -clone_p12_file ca.p12 -clone_p12_password
XXXXXXXX -sd_hostname rhel6-1.testrelm.com -sd_admin_port 443
-sd_admin_name admin -sd_admin_password XXXXXXXX -clone_start_tls true
-clone_uri https://rhel6-1.testrelm.com:443' returned non-zero exit
status 255

My realm is different, but the rest is the same.

Apparently there is a newer OU, ou=csusers, somewhere (this is what I
understand from the bugzilla), but I am not sure where it must be
created. Is it in the ipa slapd or in the pki slapd? When I log in
as 'Directory Manager' in both slapd dirsrv I do not find a ou=config
anywhere in the directory tree.

Any clues?

-- 
Groeten,
natxo

From Steven.Jones at vuw.ac.nz  Sun Dec  2 20:02:51 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Sun, 2 Dec 2012 20:02:51 +0000
Subject: [Freeipa-users] error adding replica (2)
Message-ID: <833D8E48405E064EBC54C84EC6B36E4054729521@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

Any ideas? I have moved the CA cert off the original ipam001 to ipam002 and built a fresh ipam001; when I try and join it to ipam002 I get the error below.

ipam003 was removed off the old ipam001 and added to ipam002 perfectly.

From Google it was suggested Kerberos might be caching, but I've rebooted all the IPA servers at least once and ipam002 (it holds the CA) 3 times over 8 hours....no joy.

I also did a search for the principal as suggested by Rob, output below.

==============
[root at vuwunicoipam001 ~]# ipa-replica-install --setup-dns --no-reverse --forwarder=130.195.85.25 /root/replica/replica-info-vuwunicoipam001.ods.vuw.ac.nz.gpg --skip-conncheck
Directory Manager (existing master) password:

Configuring ntpd
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
done configuring ntpd.
Configuring directory server: Estimated time 1 minute
  [1/30]: creating directory server user
  [2/30]: creating directory server instance
  [3/30]: adding default schema
  [4/30]: enabling memberof plugin
  [5/30]: enabling referential integrity plugin
  [6/30]: enabling winsync plugin
  [7/30]: configuring replication version plugin
  [8/30]: enabling IPA enrollment plugin
  [9/30]: enabling ldapi
  [10/30]: configuring uniqueness plugin
  [11/30]: configuring uuid plugin
  [12/30]: configuring modrdn plugin
  [13/30]: enabling entryUSN plugin
  [14/30]: configuring lockout plugin
  [15/30]: creating indices
  [16/30]: configuring ssl for ds instance
  [17/30]: configuring certmap.conf
  [18/30]: configure autobind for root
  [19/30]: configure new location for managed entries
  [20/30]: restarting directory server
  [21/30]: setting up initial replication
Starting replication, please wait until this has completed.
[vuwunicoipam002.ods.vuw.ac.nz] reports: Update failed! Status: [-2 - System error]
creation of replica failed: Failed to start replication

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
[root at vuwunicoipam001 ~]#
============

============
  [20/30]: restarting directory server
ipa : DEBUG args=/sbin/service dirsrv restart ODS-VUW-AC-NZ
ipa : DEBUG stdout=Shutting down dirsrv:
    ODS-VUW-AC-NZ... [ OK ]
Starting dirsrv:
    ODS-VUW-AC-NZ... [ OK ]

ipa : DEBUG stderr=
ipa : DEBUG args=/sbin/service dirsrv status ODS-VUW-AC-NZ
ipa : DEBUG stdout=dirsrv ODS-VUW-AC-NZ (pid 10552) is running...

ipa : DEBUG stderr=
ipa : DEBUG duration: 3 seconds
ipa : DEBUG [21/30]: setting up initial replication
  [21/30]: setting up initial replication
ipa : DEBUG args=/sbin/service dirsrv restart ODS-VUW-AC-NZ
ipa : DEBUG stdout=Shutting down dirsrv:
    ODS-VUW-AC-NZ... [ OK ]
Starting dirsrv:
    ODS-VUW-AC-NZ... [ OK ]

ipa : DEBUG stderr=
Starting replication, please wait until this has completed.
[vuwunicoipam002.ods.vuw.ac.nz] reports: Update failed! Status: [-2 - System error]
creation of replica failed: Failed to start replication
ipa : DEBUG Failed to start replication
  File "/usr/sbin/ipa-replica-install", line 496, in
    main()

  File "/usr/sbin/ipa-replica-install", line 432, in main
    ds = install_replica_ds(config)

  File "/usr/sbin/ipa-replica-install", line 147, in install_replica_ds
    pkcs12_info)

  File "/usr/lib/python2.6/site-packages/ipaserver/install/dsinstance.py", line 282, in create_replica
    self.start_creation("Configuring directory server", 60)

  File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", line 257, in start_creation
    method()

  File "/usr/lib/python2.6/site-packages/ipaserver/install/dsinstance.py", line 295, in __setup_replica
    r_bindpw=self.dm_password)

  File "/usr/lib/python2.6/site-packages/ipaserver/install/replication.py", line 748, in setup_replication
    raise RuntimeError("Failed to start replication")

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
[root at vuwunicoipam001 ~]#
============

[root at vuwunicoipam002 ~]# ldapsearch -x -b 'cn=services,cn=accounts,dc=ods,dc=vuw,dc=ac,dc=nz' '(krbprincipalname=*ods-directory*)'
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (krbprincipalname=*ods-directory*)
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1
[root at vuwunicoipam002 ~]#
===========

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From rcritten at redhat.com  Mon Dec  3 15:50:21 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 03 Dec 2012 10:50:21 -0500
Subject: [Freeipa-users] error adding replica
In-Reply-To:
References:
Message-ID: <50BCCA3D.6070807@redhat.com>

Natxo Asenjo wrote:
> hi,
>
> I have a 6.3 centos server that has been upgraded since 6.1. According
> to the ipaserver-install.log, I installed it on feb 3 2012 so it has
> been upgraded at least once.
>
> Now that I have more hardware to run a few more VMs I can test
> replicas. But apparently I am running into this problem:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=867640
>
> I have exactly the same error:
>
> 2012-10-17T22:07:50Z DEBUG stderr=
> 2012-10-17T22:07:50Z CRITICAL failed to configure ca instance Command
> '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname
> rhel6-2.testrelm.com -cs_port 9445 -client_certdb_dir /tmp/tmp-Q8ad1f
> -client_certdb_pwd XXXXXXXX -preop_pin w53uYQUJBSyYNddpO5Xk
> -domain_name IPA -admin_user admin -admin_email root at localhost
> -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048
> -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=TESTRELM.COM
> -ldap_host rhel6-2.testrelm.com -ldap_port 7389 -bind_dn cn=Directory
> Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca
> -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12
> true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal
> -ca_subsystem_cert_subject_name CN=CA Subsystem,O=TESTRELM.COM
> -ca_subsystem_cert_subject_name CN=CA Subsystem,O=TESTRELM.COM
> -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=TESTRELM.COM
> -ca_server_cert_subject_name CN=rhel6-2.testrelm.com,O=TESTRELM.COM
> -ca_audit_signing_cert_subject_name CN=CA Audit,O=TESTRELM.COM
> -ca_sign_cert_subject_name CN=Certificate Authority,O=TESTRELM.COM
> -external false -clone true -clone_p12_file ca.p12 -clone_p12_password
> XXXXXXXX -sd_hostname rhel6-1.testrelm.com -sd_admin_port 443
> -sd_admin_name admin -sd_admin_password XXXXXXXX -clone_start_tls true
> -clone_uri https://rhel6-1.testrelm.com:443' returned non-zero exit
> status 255
>
> My realm is different, but the rest is the same.
>
> Apparently there is a newer OU, ou=csusers, somewhere (this is what I
> understand from the bugzilla), but I am not sure where it must be
> created. Is it in the ipa slapd or in the pki slapd? When I log in
> as 'Directory Manager' in both slapd dirsrv I do not find a ou=config
> anywhere in the directory tree.
>
> Any clues?

It is likely not the same bug. The output from the installer on failures
is rather generic (and granted, awful). You'll need to look at the full
/var/log/ipaserver-install.log for clues. Sometimes we need to examine
/var/log/pki-ca/debug as well.

rob

From rcritten at redhat.com  Mon Dec  3 16:52:26 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 03 Dec 2012 11:52:26 -0500
Subject: [Freeipa-users] error adding replica (2)
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E4054729521@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E4054729521@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <50BCD8CA.60205@redhat.com>

Steven Jones wrote:
> Hi,
>
> Any ideas? I have moved the CA cert off the original ipam001 to ipam002 and built a fresh ipam001; when I try and join it to ipam002 I get the error below.
>
> ipam003 was removed off the old ipam001 and added to ipam002 perfectly.
>
> From Google it was suggested Kerberos might be caching, but I've rebooted all the IPA servers at least once and ipam002 (it holds the CA) 3 times over 8 hours....no joy.
>
> I also did a search for the principal as suggested by Rob, output below.
>
> ==============
> [root at vuwunicoipam001 ~]# ipa-replica-install --setup-dns --no-reverse --forwarder=130.195.85.25 /root/replica/replica-info-vuwunicoipam001.ods.vuw.ac.nz.gpg --skip-conncheck
> Directory Manager (existing master) password:
>
> Configuring ntpd
>   [1/4]: stopping ntpd
>   [2/4]: writing configuration
>   [3/4]: configuring ntpd to start on boot
>   [4/4]: starting ntpd
> done configuring ntpd.
> Configuring directory server: Estimated time 1 minute
>   [1/30]: creating directory server user
>   [2/30]: creating directory server instance
>   [3/30]: adding default schema
>   [4/30]: enabling memberof plugin
>   [5/30]: enabling referential integrity plugin
>   [6/30]: enabling winsync plugin
>   [7/30]: configuring replication version plugin
>   [8/30]: enabling IPA enrollment plugin
>   [9/30]: enabling ldapi
>   [10/30]: configuring uniqueness plugin
>   [11/30]: configuring uuid plugin
>   [12/30]: configuring modrdn plugin
>   [13/30]: enabling entryUSN plugin
>   [14/30]: configuring lockout plugin
>   [15/30]: creating indices
>   [16/30]: configuring ssl for ds instance
>   [17/30]: configuring certmap.conf
>   [18/30]: configure autobind for root
>   [19/30]: configure new location for managed entries
>   [20/30]: restarting directory server
>   [21/30]: setting up initial replication
> Starting replication, please wait until this has completed.
> [vuwunicoipam002.ods.vuw.ac.nz] reports: Update failed! Status: [-2 - System error]
> creation of replica failed: Failed to start replication
>
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
> [root at vuwunicoipam001 ~]#
> ============
>
> ============
>   [20/30]: restarting directory server
> ipa : DEBUG args=/sbin/service dirsrv restart ODS-VUW-AC-NZ
> ipa : DEBUG stdout=Shutting down dirsrv:
>     ODS-VUW-AC-NZ... [ OK ]
> Starting dirsrv:
>     ODS-VUW-AC-NZ... [ OK ]
>
> ipa : DEBUG stderr=
> ipa : DEBUG args=/sbin/service dirsrv status ODS-VUW-AC-NZ
> ipa : DEBUG stdout=dirsrv ODS-VUW-AC-NZ (pid 10552) is running...
>
> ipa : DEBUG stderr=
> ipa : DEBUG duration: 3 seconds
> ipa : DEBUG [21/30]: setting up initial replication
>   [21/30]: setting up initial replication
> ipa : DEBUG args=/sbin/service dirsrv restart ODS-VUW-AC-NZ
> ipa : DEBUG stdout=Shutting down dirsrv:
>     ODS-VUW-AC-NZ... [ OK ]
> Starting dirsrv:
>     ODS-VUW-AC-NZ... [ OK ]
>
> ipa : DEBUG stderr=
> Starting replication, please wait until this has completed.
> [vuwunicoipam002.ods.vuw.ac.nz] reports: Update failed! Status: [-2 - System error]
> creation of replica failed: Failed to start replication
> ipa : DEBUG Failed to start replication
>   File "/usr/sbin/ipa-replica-install", line 496, in
>     main()
>
>   File "/usr/sbin/ipa-replica-install", line 432, in main
>     ds = install_replica_ds(config)
>
>   File "/usr/sbin/ipa-replica-install", line 147, in install_replica_ds
>     pkcs12_info)
>
>   File "/usr/lib/python2.6/site-packages/ipaserver/install/dsinstance.py", line 282, in create_replica
>     self.start_creation("Configuring directory server", 60)
>
>   File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", line 257, in start_creation
>     method()
>
>   File "/usr/lib/python2.6/site-packages/ipaserver/install/dsinstance.py", line 295, in __setup_replica
>     r_bindpw=self.dm_password)
>
>   File "/usr/lib/python2.6/site-packages/ipaserver/install/replication.py", line 748, in setup_replication
>     raise RuntimeError("Failed to start replication")
>
>
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
> [root at vuwunicoipam001 ~]#
>
> ============
>
> [root at vuwunicoipam002 ~]# ldapsearch -x -b 'cn=services,cn=accounts,dc=ods,dc=vuw,dc=ac,dc=nz' '(krbprincipalname=*ods-directory*)'
> # extended LDIF
> #
> # LDAPv3
> # base with scope subtree
> # filter: (krbprincipalname=*ods-directory*)
> # requesting: ALL
> #
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 1
> [root at vuwunicoipam002 ~]#

This is failing during the initial replication which is a bit strange.
Are you seeing anything logged in errors on either directory server?
rob

From natxo.asenjo at gmail.com  Wed Dec  5 13:20:40 2012
From: natxo.asenjo at gmail.com (Natxo Asenjo)
Date: Wed, 5 Dec 2012 14:20:40 +0100
Subject: [Freeipa-users] sssd cache
Message-ID:

hi,

why would I want sssd to cache group/hostgroup/netgroup membership?

Is the performance hit so huge on the ldap servers?

I ask this because Windows admins are used to applying membership of
groups to objects and the changes in a single site domain (or even in
a multisite domain with fast wan links) are replicated very fast, it
is nearly instantaneous. So for those admins, having to wait x minutes
for the sssd cache to expire is, to put it mildly, strange.

What are the consequences of disabling the cache with an entry like this:

entry_cache_timeout = 0

in sssd.conf?

Thanks in advance for your input.

-- 
Groeten,
natxo

From dpal at redhat.com  Wed Dec  5 14:07:37 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 05 Dec 2012 09:07:37 -0500
Subject: [Freeipa-users] sssd cache
In-Reply-To:
References:
Message-ID: <50BF5529.8040503@redhat.com>

On 12/05/2012 08:20 AM, Natxo Asenjo wrote:
> hi,
>
> why would I want sssd to cache group/hostgroup/netgroup membership?

Going to the server for every identity lookup is very expensive and
creates a lot of traffic. Some level of caching is needed to avoid
unnecessary lookups. NSCD has been filling these shoes but SSSD does not
work with NSCD. In 1.9 we added a similar fast cache on top of the SSSD
caching. It is useful for the cases when OS level applications (and many
of them do) do identity related lookups multiple times per second. It is
up to your environment to decide for how long it makes sense to cache.
Several seconds is probably a reasonable balance.

>
> Is the performance hit so huge on the ldap servers?
>
> I ask this because Windows admins are used to applying membership of
> groups to objects and the changes in a single site domain (or even in
> a multisite domain with fast wan links) are replicated very fast, it
> is nearly instantaneous. So for those admins, having to wait x minutes
> for the sssd cache to expire is, to put it mildly, strange.
>
> What are the consequences of disabling the cache with an entry like this:
>
> entry_cache_timeout = 0

I think you would significantly increase the response time and network
traffic but I would leave it to experts to confirm.

>
> in sssd.conf?
>
> Thanks in advance for your input.
>
> --
> Groeten,
> natxo
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From jhrozek at redhat.com  Wed Dec  5 14:11:42 2012
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Wed, 5 Dec 2012 15:11:42 +0100
Subject: [Freeipa-users] sssd cache
In-Reply-To:
References:
Message-ID: <20121205141142.GE2662@hendrix.brq.redhat.com>

On Wed, Dec 05, 2012 at 02:20:40PM +0100, Natxo Asenjo wrote:
> hi,
>
> why would I want sssd to cache group/hostgroup/netgroup membership?
>
> Is the performance hit so huge on the ldap servers?
>
> I ask this because Windows admins are used to applying membership of
> groups to objects and the changes in a single site domain (or even in
> a multisite domain with fast wan links) are replicated very fast, it
> is nearly instantaneous. So for those admins, having to wait x minutes
> for the sssd cache to expire is, to put it mildly, strange.
>
> What are the consequences of disabling the cache with an entry like this:
>
> entry_cache_timeout = 0
>
> in sssd.conf?
>
> Thanks in advance for your input.
Feel free to tune down the cache timeout, it should just work. Speed
benefits depend on your configuration, I guess. With large group
memberships, the speed benefit of caching is quite visible.

However, is it really that necessary to see the group memberships
updated with "id" for instance? One reason is that during login, the SSS
never just consults the cache, but always performs e.g. fetches the
group list for the initgroups operation for the server to make sure that
access control mechanisms have the latest group memberships available.

So while lookups that only go through the Name Service Switch, such as
getent or id might display outdated information for some limited period
of time, authentication should never allow or deny access based on
obsolete cached data.

From natxo.asenjo at gmail.com  Wed Dec  5 14:19:51 2012
From: natxo.asenjo at gmail.com (Natxo Asenjo)
Date: Wed, 5 Dec 2012 15:19:51 +0100
Subject: [Freeipa-users] sssd cache
In-Reply-To: <20121205141142.GE2662@hendrix.brq.redhat.com>
References: <20121205141142.GE2662@hendrix.brq.redhat.com>
Message-ID:

On Wed, Dec 5, 2012 at 3:11 PM, Jakub Hrozek wrote:
> On Wed, Dec 05, 2012 at 02:20:40PM +0100, Natxo Asenjo wrote:
>> hi,
>>
>> why would I want sssd to cache group/hostgroup/netgroup membership?
>>
>> Is the performance hit so huge on the ldap servers?
>>
>> I ask this because Windows admins are used to applying membership of
>> groups to objects and the changes in a single site domain (or even in
>> a multisite domain with fast wan links) are replicated very fast, it
>> is nearly instantaneous. So for those admins, having to wait x minutes
>> for the sssd cache to expire is, to put it mildly, strange.
>>
>> What are the consequences of disabling the cache with an entry like this:
>>
>> entry_cache_timeout = 0
>>
>> in sssd.conf?
>>
>> Thanks in advance for your input.
>
> Feel free to tune down the cache timeout, it should just work. Speed
> benefits depend on your configuration, I guess. With large group
> memberships, the speed benefit of caching is quite visible.
>
> However, is it really that necessary to see the group memberships
> updated with "id" for instance? One reason is that during login, the SSS
> never just consults the cache, but always performs e.g. fetches the
> group list for the initgroups operation for the server to make sure that
> access control mechanisms have the latest group memberships available.

is this the case too for hostgroups? I am bootstrapping an
infrastructure with ipa and cfengine and I am seeing that it caches
the hostgroups/netgroups information, so when I join a host to the ipa
realm, I need to empty the netgroup cache or it will take 90 minutes
to apply configs from cfengine based on netgroup info.

> So while lookups that only go through the Name Service Switch, such as
> getent or id might display outdated information for some limited period
> of time, authentication should never allow or deny access based on
> obsolete cached data.

well, this is apparently the case for me. I use the netgroup database
from nss, so it is caching.

Thanks,
natxo

From jhrozek at redhat.com  Wed Dec  5 14:26:38 2012
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Wed, 5 Dec 2012 15:26:38 +0100
Subject: [Freeipa-users] sssd cache
In-Reply-To:
References: <20121205141142.GE2662@hendrix.brq.redhat.com>
Message-ID: <20121205142638.GF2662@hendrix.brq.redhat.com>

On Wed, Dec 05, 2012 at 03:19:51PM +0100, Natxo Asenjo wrote:
> On Wed, Dec 5, 2012 at 3:11 PM, Jakub Hrozek wrote:
> > On Wed, Dec 05, 2012 at 02:20:40PM +0100, Natxo Asenjo wrote:
> >> hi,
> >>
> >> why would I want sssd to cache group/hostgroup/netgroup membership?
> >>
> >> Is the performance hit so huge on the ldap servers?
> >>
> >> I ask this because Windows admins are used to applying membership of
> >> groups to objects and the changes in a single site domain (or even in
> >> a multisite domain with fast wan links) are replicated very fast, it
> >> is nearly instantaneous. So for those admins, having to wait x minutes
> >> for the sssd cache to expire is, to put it mildly, strange.
> >>
> >> What are the consequences of disabling the cache with an entry like this:
> >>
> >> entry_cache_timeout = 0
> >>
> >> in sssd.conf?
> >>
> >> Thanks in advance for your input.
> >
> > Feel free to tune down the cache timeout, it should just work. Speed
> > benefits depend on your configuration, I guess. With large group
> > memberships, the speed benefit of caching is quite visible.
> >
> > However, is it really that necessary to see the group memberships
> > updated with "id" for instance? One reason is that during login, the SSS
> > never just consults the cache, but always performs e.g. fetches the
> > group list for the initgroups operation for the server to make sure that
> > access control mechanisms have the latest group memberships available.
>
> is this the case too for hostgroups? I am bootstrapping an
> infrastructure with ipa and cfengine and I am seeing that it caches
> the hostgroups/netgroups information, so when I join a host to the ipa
> realm, I need to empty the netgroup cache or it will take 90 minutes
> to apply configs from cfengine based on netgroup info.
>

No, I'm afraid you'd hit the cache here. But in this case, as hostgroups
are translated to netgroups and looked up as netgroups, you can use a
separate timeout for netgroups only. See the parameter
entry_cache_netgroup_timeout in man sssd.conf.

> > So while lookups that only go through the Name Service Switch, such as
> > getent or id might display outdated information for some limited period
> > of time, authentication should never allow or deny access based on
> > obsolete cached data.
>
> well, this is apparently the case for me. I use the netgroup database
> from nss, so it is caching.

Right..
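As an added example (not code from this thread or from the SSSD project), the following Python script reads an sssd.conf and reports which expiry actually applies to each entry type, reproducing the precedence Jakub describes above: a per-type option such as entry_cache_netgroup_timeout overrides entry_cache_timeout, which itself defaults to 5400 seconds, the 90 minutes Natxo observed for netgroups. The two configurations embedded in it are constructed, and every name other than the sssd.conf option names is the example's own.

```python
"""Effective SSSD entry-cache timeouts per entry type, computed from an sssd.conf.

Added example for this thread, not SSSD project code. It models the rule that
Jakub describes: entry_cache_timeout is the general expiry, and a per-type option
such as entry_cache_netgroup_timeout overrides it for that type only, which is
why tuning netgroups (hostgroups are looked up as netgroups) leaves user and
group lookups cached for the full period. The 5400-second default is the one in
sssd.conf(5); both configurations below are constructed for the example.
"""
import configparser
import io

DEFAULT_ENTRY_CACHE_TIMEOUT = 5400  # sssd.conf(5) default: 90 minutes

# Per-type overrides documented in sssd.conf(5). Each falls back to the
# domain's entry_cache_timeout when it is not set.
PER_TYPE_OPTIONS = {
    "user": "entry_cache_user_timeout",
    "group": "entry_cache_group_timeout",
    "netgroup": "entry_cache_netgroup_timeout",  # also governs hostgroups
    "service": "entry_cache_service_timeout",
    "sudo": "entry_cache_sudo_timeout",
    "autofs": "entry_cache_autofs_timeout",
}

# Constructed sample: nothing tuned, so every type inherits the 90-minute default.
DEFAULT_CONF = """\
[sssd]
services = nss, pam
domains = example.test

[domain/example.test]
id_provider = ipa
ipa_server = ipa.example.test
"""

# Constructed sample: only netgroup (and therefore hostgroup) entries expire fast.
TUNED_CONF = """\
[sssd]
services = nss, pam
domains = example.test

[domain/example.test]
id_provider = ipa
ipa_server = ipa.example.test
entry_cache_timeout = 5400
entry_cache_netgroup_timeout = 30
"""


def parse_sssd_conf(text):
    """sssd.conf uses INI syntax; interpolation is off so a '%' in a value is safe."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_file(io.StringIO(text))
    return parser


def effective_timeouts(text):
    """Return {domain: {entry_type: seconds}} for every [domain/...] section.

    Precedence per type: the per-type option, then the domain's
    entry_cache_timeout, then the sssd.conf(5) default.
    """
    parser = parse_sssd_conf(text)
    timeouts = {}
    for section in parser.sections():
        if not section.startswith("domain/"):
            continue
        domain = section[len("domain/"):]
        general = parser.getint(section, "entry_cache_timeout",
                                fallback=DEFAULT_ENTRY_CACHE_TIMEOUT)
        timeouts[domain] = {
            etype: parser.getint(section, option, fallback=general)
            for etype, option in PER_TYPE_OPTIONS.items()
        }
    return timeouts


def review_timeouts(text, floor_seconds=60):
    """Flag values the thread warns about.

    Below floor_seconds every lookup that misses becomes an LDAP round trip
    (more traffic, slower resolution); the thread itself disagrees on what 0
    means, so it is reported for a manual check rather than assumed to
    disable the cache. Returns a sorted list of (domain, type, seconds, reason).
    """
    findings = []
    for domain, per_type in effective_timeouts(text).items():
        for etype, seconds in per_type.items():
            if seconds == 0:
                findings.append((domain, etype, seconds,
                                 "0: meaning disputed in thread, verify before use"))
            elif seconds < floor_seconds:
                findings.append((domain, etype, seconds,
                                 "very short expiry: expect extra LDAP traffic"))
    return sorted(findings)


if __name__ == "__main__":
    for label, conf in (("default", DEFAULT_CONF), ("tuned", TUNED_CONF)):
        print(label, effective_timeouts(conf))
        for finding in review_timeouts(conf):
            print("  ", finding)
```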
From simo at redhat.com  Wed Dec  5 14:29:48 2012
From: simo at redhat.com (Simo Sorce)
Date: Wed, 05 Dec 2012 09:29:48 -0500
Subject: [Freeipa-users] sssd cache
In-Reply-To:
References:
Message-ID: <1354717788.19871.460.camel@willson.li.ssimo.org>

On Wed, 2012-12-05 at 14:20 +0100, Natxo Asenjo wrote:
> hi,
>
> why would I want sssd to cache group/hostgroup/netgroup membership?
>
> Is the performance hit so huge on the ldap servers?

Yes, and not only on servers, on the client too.

> I ask this because Windows admins are used to applying membership of
> groups to objects and the changes in a single site domain (or even in
> a multisite domain with fast wan links) are replicated very fast, it
> is nearly instantaneous. So for those admins, having to wait x minutes
> for the sssd cache to expire is, to put it mildly, strange.

You can shorten the cache expiration time if you really need to, but
going on the wire for each request is what we built SSSD to actually
avoid. It is in fact not possible for SSSD to go straight to the wire.

> What are the consequences of disabling the cache with an entry like this:
>
> entry_cache_timeout = 0

I think this would make the cache never expire actually, the opposite of
what you want to do. However you can set it to a very low value I guess,
the consequence will be that your traffic and the time needed to resolve
each entry will be higher, sometimes much higher.

> in sssd.conf?
>
> Thanks in advance for your input.

As a test to show why the cache is important do this:
1. Create a directory
2. create 100 files in this directory
3. chown each file to a different user and a different group each
4. stop sssd, wipe cache file and restart
5. do an ls -al of the directory
6. wait 10 seconds
7. do a second ls -al of the directory

You should notice a difference in the time needed to run ls.

Now bring the cache time down to 5 seconds and repeat the above
procedure.

Feel free to report your numbers.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From viroos.pl at gmail.com  Thu Dec  6 16:32:13 2012
From: viroos.pl at gmail.com (Maciej Sawicki)
Date: Thu, 6 Dec 2012 17:32:13 +0100
Subject: [Freeipa-users] FreeIpa 3.0.1 installation on Fedora 18
Message-ID:

Hi,
I would like to install FreeIpa server on my fedora machine.
Unfortunately I have an error:

[root at freeipa ~]# ipa-server-install
(...)
Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
  [1/19]: creating certificate server user
  [2/19]: configuring certificate server instance
ipa : CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpAmKZ0f' returned non-zero exit status 1
Configuration of CA failed

I will appreciate any help.

best regards,
Maciek Sawicki

From rcritten at redhat.com  Thu Dec  6 16:46:50 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 06 Dec 2012 11:46:50 -0500
Subject: [Freeipa-users] FreeIpa 3.0.1 installation on Fedora 18
In-Reply-To:
References:
Message-ID: <50C0CBFA.2070606@redhat.com>

Maciej Sawicki wrote:
> Hi,
> I would like to install FreeIpa server on my fedora machine.
> Unfortunately I have an error:
>
> [root at freeipa ~]# ipa-server-install
> (...)
> Configuring certificate server (pki-tomcatd): Estimated time 3 minutes
> 30 seconds
>   [1/19]: creating certificate server user
>   [2/19]: configuring certificate server instance
> ipa : CRITICAL failed to configure ca instance Command
> '/usr/sbin/pkispawn -s CA -f /tmp/tmpAmKZ0f' returned non-zero exit
> status 1
> Configuration of CA failed
>
> I will appreciate any help.

Look in the log /var/log/ipaserver-install.log for more details on why
the installation failed.
rob

From viroos.pl at gmail.com  Thu Dec  6 16:52:47 2012
From: viroos.pl at gmail.com (Maciej Sawicki)
Date: Thu, 6 Dec 2012 17:52:47 +0100
Subject: [Freeipa-users] FreeIpa 3.0.1 installation on Fedora 18
In-Reply-To: <50C0CBFA.2070606@redhat.com>
References: <50C0CBFA.2070606@redhat.com>
Message-ID:

On Thu, Dec 6, 2012 at 5:46 PM, Rob Crittenden wrote:
> Look in the log /var/log/ipaserver-install.log for more details on why the
> installation failed.
>

hi rob,
thank you for the quick answer. sorry for forgetting to post the log.
here it is:

2012-12-06T16:30:29Z DEBUG stderr=Traceback (most recent call last):
  File "/usr/sbin/pkispawn", line 223, in
    main(sys.argv)
  File "/usr/sbin/pkispawn", line 207, in main
    fromlist = [pki_scriptlet[4:]])
  File "/usr/lib/python2.7/site-packages/pki/deployment/initialization.py", line 25, in
    import pkihelper as util
  File "/usr/lib/python2.7/site-packages/pki/deployment/pkihelper.py", line 39, in
    import seobject
  File "/usr/lib64/python2.7/site-packages/seobject.py", line 27, in
    import sepolicy
  File "/usr/lib64/python2.7/site-packages/sepolicy/__init__.py", line 43, in
    policy(policy_file)
  File "/usr/lib64/python2.7/site-packages/sepolicy/__init__.py", line 40, in policy
    _policy.policy(policy_file)
RuntimeError: Cannot allocate memory

2012-12-06T16:30:29Z CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpAmKZ0f' returned non-zero exit status 1
2012-12-06T16:30:29Z INFO   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 614, in run_script
    return_value = main_function()

  File "/sbin/ipa-server-install", line 943, in main
    subject_base=options.subject)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 591, in configure_instance
    self.start_creation(runtime=210)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 358, in start_creation
    method()

  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 695, in __spawn_instance
    raise RuntimeError('Configuration of CA failed')

2012-12-06T16:30:29Z INFO The ipa-server-install command failed, exception: RuntimeError: Configuration of CA failed

I still have no idea what's wrong :(.

best regards,
Maciek

From jdennis at redhat.com  Thu Dec  6 16:57:15 2012
From: jdennis at redhat.com (John Dennis)
Date: Thu, 06 Dec 2012 11:57:15 -0500
Subject: [Freeipa-users] FreeIpa 3.0.1 installation on Fedora 18
In-Reply-To:
References:
Message-ID: <50C0CE6B.6020705@redhat.com>

On 12/06/2012 11:32 AM, Maciej Sawicki wrote:
> Hi,
> I would like to install FreeIpa server on my fedora machine.
> Unfortunately I have an error:
>
> [root at freeipa ~]# ipa-server-install
> (...)
> Configuring certificate server (pki-tomcatd): Estimated time 3 minutes
> 30 seconds
>   [1/19]: creating certificate server user
>   [2/19]: configuring certificate server instance
> ipa : CRITICAL failed to configure ca instance Command
> '/usr/sbin/pkispawn -s CA -f /tmp/tmpAmKZ0f' returned non-zero exit
> status 1
> Configuration of CA failed
>
> I will appreciate any help.

I ran into similar issues.

1) Make sure F18 is fully updated via yum
2) reboot
3) reboot

Yes, that's right, reboot twice! (Apparently that's needed to get
systemd updates installed and working)

-- 
John Dennis

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From viroos.pl at gmail.com  Thu Dec  6 17:44:38 2012
From: viroos.pl at gmail.com (Maciej Sawicki)
Date: Thu, 6 Dec 2012 18:44:38 +0100
Subject: [Freeipa-users] FreeIpa 3.0.1 installation on Fedora 18
In-Reply-To: <50C0CE6B.6020705@redhat.com>
References: <50C0CE6B.6020705@redhat.com>
Message-ID:

On Thu, Dec 6, 2012 at 5:57 PM, John Dennis wrote:
> Yes, that's right, reboot twice! (Apparently that's needed to get systemd
> updates installed and working)
>

unfortunately it didn't help.
the strange thing is that during first try (remove freeipa-server package, reboot, reboot, install free-ipaserver, reboot, reboot, run ipa-server-install) I get one more error:

Configuring directory server for the CA (pkids): Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
ipa         : CRITICAL failed to create ds instance Command '/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmpWS7pd0' returned non-zero exit status 1
  [3/3]: restarting directory server
ipa         : CRITICAL Failed to restart the directory server. See the installation log for details.
Done configuring directory server for the CA (pkids).
Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
  [1/19]: creating certificate server user
  [2/19]: configuring certificate server instance
ipa         : CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpTf7vHu' returned non-zero exit status 1

and log:

###############################################################################
##  'TPS' Data:                                                              ##
##                                                                           ##
##  Values in this section are common to PKI TPS subsystems, and contain     ##
##  required information which MAY be overridden by users as necessary.      ##
###############################################################################
[TPS]
pki_subsystem=TPS
pki_subsystem_name=

2012-12-06T17:40:27Z DEBUG Starting external process
2012-12-06T17:40:27Z DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmpTf7vHu
2012-12-06T17:40:31Z DEBUG Process finished, return code=1
2012-12-06T17:40:31Z DEBUG stdout=
2012-12-06T17:40:31Z DEBUG stderr=Traceback (most recent call last):
  File "/usr/sbin/pkispawn", line 223, in
    main(sys.argv)
  File "/usr/sbin/pkispawn", line 207, in main
    fromlist = [pki_scriptlet[4:]])
  File "/usr/lib/python2.7/site-packages/pki/deployment/initialization.py", line 25, in
    import pkihelper as util
  File "/usr/lib/python2.7/site-packages/pki/deployment/pkihelper.py", line 39, in
    import seobject
  File "/usr/lib64/python2.7/site-packages/seobject.py", line 27, in
    import sepolicy
  File "/usr/lib64/python2.7/site-packages/sepolicy/__init__.py", line 43, in
    policy(policy_file)
  File "/usr/lib64/python2.7/site-packages/sepolicy/__init__.py", line 40, in policy
    _policy.policy(policy_file)
RuntimeError: Cannot allocate memory

2012-12-06T17:40:31Z CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpTf7vHu' returned non-zero exit status 1
2012-12-06T17:40:31Z INFO   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 614, in run_script
    return_value = main_function()

  File "/sbin/ipa-server-install", line 943, in main
    subject_base=options.subject)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 591, in configure_instance
    self.start_creation(runtime=210)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 358, in start_creation
    method()

  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 695, in __spawn_instance
    raise RuntimeError('Configuration of CA failed')

2012-12-06T17:40:31Z INFO The ipa-server-install command failed, exception: RuntimeError: Configuration of CA failed

but after:
ipa-server-install --uninstall, ipa-server-install I get only second error:

  [2/19]: configuring certificate server instance
ipa         : CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpTf7vHu' returned non-zero exit status 1

regards,
Maciek Sawicki

From dpal at redhat.com  Thu Dec  6 23:57:10 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Thu, 06 Dec 2012 18:57:10 -0500
Subject: [Freeipa-users] FreeIpa 3.0.1 installation on Fedora 18
In-Reply-To: 
References: <50C0CE6B.6020705@redhat.com>
Message-ID: <50C130D6.9010104@redhat.com>

On 12/06/2012 12:44 PM, Maciej Sawicki wrote:
> On Thu, Dec 6, 2012 at 5:57 PM, John Dennis wrote:
>> Yes, that's right, reboot twice! (Apparently that's needed to get systemd
>> updates installed and working)
>>
> unfortunately it didn't help.
>
> the strange thing is that during first try (remove freeipa-server
> package, reboot, reboot, install free-ipaserver, reboot, reboot, run
> ipa-server-install) I get one more error:
>
> Configuring directory server for the CA (pkids): Estimated time 30 seconds
>   [1/3]: creating directory server user
>   [2/3]: creating directory server instance
> ipa         : CRITICAL failed to create ds instance Command
> '/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmpWS7pd0'
> returned non-zero exit status 1
>   [3/3]: restarting directory server
> ipa         : CRITICAL Failed to restart the directory server. See the
> installation log for details.
> Done configuring directory server for the CA (pkids).
> Configuring certificate server (pki-tomcatd): Estimated time 3 minutes
> 30 seconds
>   [1/19]: creating certificate server user
>   [2/19]: configuring certificate server instance
> ipa         : CRITICAL failed to configure ca instance Command
> '/usr/sbin/pkispawn -s CA -f /tmp/tmpTf7vHu' returned non-zero exit
> status 1
>
> and log:
>
> ###############################################################################
> ##  'TPS' Data:                                                              ##
> ##                                                                           ##
> ##  Values in this section are common to PKI TPS subsystems, and contain     ##
> ##  required information which MAY be overridden by users as necessary.      ##
> ###############################################################################
> [TPS]
> pki_subsystem=TPS
> pki_subsystem_name=
>
> 2012-12-06T17:40:27Z DEBUG Starting external process
> 2012-12-06T17:40:27Z DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmpTf7vHu
> 2012-12-06T17:40:31Z DEBUG Process finished, return code=1
> 2012-12-06T17:40:31Z DEBUG stdout=
> 2012-12-06T17:40:31Z DEBUG stderr=Traceback (most recent call last):
>   File "/usr/sbin/pkispawn", line 223, in
>     main(sys.argv)
>   File "/usr/sbin/pkispawn", line 207, in main
>     fromlist = [pki_scriptlet[4:]])
>   File "/usr/lib/python2.7/site-packages/pki/deployment/initialization.py",
> line 25, in
>     import pkihelper as util
>   File "/usr/lib/python2.7/site-packages/pki/deployment/pkihelper.py",
> line 39, in
>     import seobject
>   File "/usr/lib64/python2.7/site-packages/seobject.py", line 27, in
>     import sepolicy
>   File "/usr/lib64/python2.7/site-packages/sepolicy/__init__.py", line
> 43, in
>     policy(policy_file)
>   File "/usr/lib64/python2.7/site-packages/sepolicy/__init__.py", line
> 40, in policy
>     _policy.policy(policy_file)
> RuntimeError: Cannot allocate memory
>
> 2012-12-06T17:40:31Z CRITICAL failed to configure ca instance Command
> '/usr/sbin/pkispawn -s CA -f /tmp/tmpTf7vHu' returned non-zero exit
> status 1
> 2012-12-06T17:40:31Z INFO   File
> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
> line 614, in run_script
>     return_value = main_function()
>
>   File "/sbin/ipa-server-install", line 943, in main
>     subject_base=options.subject)
>
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
> line 591, in configure_instance
>     self.start_creation(runtime=210)
>
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
> line 358, in start_creation
>     method()
>
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
> line 695, in __spawn_instance
>     raise RuntimeError('Configuration of CA failed')
>
> 2012-12-06T17:40:31Z INFO The ipa-server-install command failed,
> exception: RuntimeError: Configuration of CA failed
>
> but after: ipa-server-install --uninstall, ipa-server-install I get
> only second error:
>   [2/19]: configuring certificate server instance
> ipa         : CRITICAL failed to configure ca instance Command
> '/usr/sbin/pkispawn -s CA -f /tmp/tmpTf7vHu' returned non-zero exit
> status 1
>
> regards,
> Maciek Sawicki
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

Do you have SELinux enabled?
Any AVCs?

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From biteoag at gmail.com  Fri Dec  7 01:02:50 2012
From: biteoag at gmail.com (Albert Adams)
Date: Thu, 6 Dec 2012 20:02:50 -0500
Subject: [Freeipa-users] select users cannot sudo or login at the console
Message-ID: 

I have a small IPA domain setup on RHEL 6 server with a FreeIPA server, a replica and two clients. There are six users setup in the domain. All users are able to login over SSH to both client systems. I am not using IPA to control sudo access. Sudo privileges are granted by group membership (group memberships are managed by IPA). So here is where it gets weird.
Client Systems

system1 - testuser1 can authenticate over SSH using public key, can login at the console, and CAN sudo (all other users are able to do the same)
system2 - testuser1 can authenticate over SSH using public key and CANNOT login at the console or sudo (two out of six users can login and sudo)

So for example:

system1 - SSH, console and sudo access
testuser1, testuser2, testuser3, testuser4, testuser5, testuser6

system2 - SSH access only
testuser1, testuser2, testuser3, testuser4

system2 - SSH, console and sudo access
testuser5, testuser6

All users have the same group memberships and use SSH keys to authenticate to the system.

Errors when the user tries to sudo
------------------------------------------------------------
/var/log/secure
Dec 6 18:54:39 ipa-client1 sudo: pam_sss(sudo:auth): authentication failure; logname=testuser1 uid=0 euid=0 tty=/dev/pts/1 ruser=testuser1 rhost= user=testuser1
Dec 6 18:54:39 ipa-client1 sudo: pam_sss(sudo:auth): received for user testuser1: 4 (System error)
Dec 6 18:54:47 ipa-client1 sudo: pam_sss(sudo:auth): authentication failure; logname=testuser1 uid=0 euid=0 tty=/dev/pts/1 ruser=testuser1 rhost= user=testuser1
Dec 6 18:54:47 ipa-client1 sudo: pam_sss(sudo:auth): received for user testuser1: 4 (System error)
Dec 6 18:54:51 ipa-client1 sudo: pam_sss(sudo:auth): authentication failure; logname=testuser1 uid=0 euid=0 tty=/dev/pts/1 ruser=testuser1 rhost= user=testuser1
Dec 6 18:54:51 ipa-client1 sudo: pam_sss(sudo:auth): received for user testuser1: 4 (System error)
Dec 6 18:54:52 ipa-client1 sudo: testuser1 : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/testuser1 ; USER=root ; COMMAND=/bin/su -

Errors when the user tries to login at the console
-------------------------------------------------------------
/var/log/secure
Dec 6 19:53:56 ipa-client1 login: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost= user=testuser1
Dec 6 19:53:56 ipa-client1 login: pam_sss(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost= user=testuser1
Dec 6 19:53:56 ipa-client1 login: pam_sss(login:auth): received for user testuser1: 4 (System error)
Dec 6 19:53:58 ipa-client1 login: FAILED LOGIN 1 FROM (null) FOR testuser1, Authentication failure

I found this post and it looks similar but my /var/log/sssd/krb5_child.log is empty.

https://www.redhat.com/archives/freeipa-users/2012-October/msg00004.html

The link to http://www.mail-archive.com/sssd-devel%20lists%20fedorahosted%20org/msg10176.html was dead but I checked the /tmp permissions like the guy in the forum post and they were:

# ll -dZ /tmp/
drwxrwxrwt. root root system_u:object_r:tmp_t:s0 /tmp/

It's really puzzling that sudo works for some users but not others and it's only on one system. I've thought about enrolling additional systems to the IPA domain to determine if this one system is just a problem child but I'd rather get it ironed out before moving over any additional systems.

Thanks in advance,
Albert

From rcritten at redhat.com  Fri Dec  7 04:08:11 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 06 Dec 2012 23:08:11 -0500
Subject: [Freeipa-users] select users cannot sudo or login at the console
In-Reply-To: 
References: 
Message-ID: <50C16BAB.30805@redhat.com>

Albert Adams wrote:
> I have a small IPA domain setup on RHEL 6 server with a FreeIPA server,
> a replica and two clients. There are six users setup in the domain.
> All users are able to login over SSH to both client systems. I am not
> using IPA to control sudo access. Sudo privileges are granted by group
> membership (group memberships are managed by IPA). So here is where it
> gets weird.
>
> Client Systems
>
> system1 - testuser1 can authenticate over SSH using public key, can login
> at the console, and CAN sudo (all other users are able to do the same)
> system2 - testuser1 can authenticate over SSH using public key and
> CANNOT login at the console or sudo (two out of six users can login and
> sudo)
>
> So for example:
>
> system1 - SSH, console and sudo access
> testuser1, testuser2, testuser3, testuser4, testuser5, testuser6
>
> system2 - SSH access only
> testuser1, testuser2, testuser3, testuser4
>
> system2 - SSH, console and sudo access
> testuser5, testuser6
>
> All users have the same group memberships and use SSH keys to
> authenticate to the system.
>
> Errors when the user tries to sudo
> ------------------------------------------------------------
> /var/log/secure
> Dec 6 18:54:39 ipa-client1 sudo: pam_sss(sudo:auth): authentication
> failure; logname=testuser1 uid=0 euid=0 tty=/dev/pts/1 ruser=testuser1
> rhost= user=testuser1
> Dec 6 18:54:39 ipa-client1 sudo: pam_sss(sudo:auth): received for user
> testuser1: 4 (System error)
> Dec 6 18:54:47 ipa-client1 sudo: pam_sss(sudo:auth): authentication
> failure; logname=testuser1 uid=0 euid=0 tty=/dev/pts/1 ruser=testuser1
> rhost= user=testuser1
> Dec 6 18:54:47 ipa-client1 sudo: pam_sss(sudo:auth): received for user
> testuser1: 4 (System error)
> Dec 6 18:54:51 ipa-client1 sudo: pam_sss(sudo:auth): authentication
> failure; logname=testuser1 uid=0 euid=0 tty=/dev/pts/1 ruser=testuser1
> rhost= user=testuser1
> Dec 6 18:54:51 ipa-client1 sudo: pam_sss(sudo:auth): received for user
> testuser1: 4 (System error)
> Dec 6 18:54:52 ipa-client1 sudo: testuser1 : 3 incorrect password
> attempts ; TTY=pts/1 ; PWD=/home/testuser1 ; USER=root ; COMMAND=/bin/su -
>
> Errors when the user tries to login at the console
> -------------------------------------------------------------
> /var/log/secure
> Dec 6 19:53:56 ipa-client1 login: pam_unix(login:auth): authentication
> failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost= user=testuser1
> Dec 6 19:53:56 ipa-client1 login: pam_sss(login:auth): authentication
> failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost= user=testuser1
> Dec 6 19:53:56 ipa-client1 login: pam_sss(login:auth): received for
> user testuser1: 4 (System error)
> Dec 6 19:53:58 ipa-client1 login: FAILED LOGIN 1 FROM (null) FOR
> testuser1, Authentication failure
>
>
> I found this post and it looks similar but my
> /var/log/sssd/krb5_child.log is empty.
>
> https://www.redhat.com/archives/freeipa-users/2012-October/msg00004.html
>
> The link to
> http://www.mail-archive.com/sssd-devel%20lists%20fedorahosted%20org/msg10176.html
> was dead but I checked the /tmp permissions like the guy in the
> forum post and they were:
>
> # ll -dZ /tmp/
> drwxrwxrwt. root root system_u:object_r:tmp_t:s0 /tmp/
>
> It's really puzzling that sudo works for some users but not others and
> it's only on one system. I've thought about enrolling additional
> systems to the IPA domain
> to determine if this one system is just a problem child but I'd rather
> get it ironed out before moving over any additional systems.
>
> Thanks in advance,
> Albert

I would look to see if you have any Host-based access (HBAC) rules defined. This would explain the behavior.

rob

From pspacek at redhat.com  Fri Dec  7 12:02:01 2012
From: pspacek at redhat.com (Petr Spacek)
Date: Fri, 07 Dec 2012 13:02:01 +0100
Subject: [Freeipa-users] NFS v4 integration how to
Message-ID: <50C1DAB9.2050005@redhat.com>

Hello list,

I accidentally found following how-to:
http://wiki.linux-nfs.org/wiki/index.php/NFS_and_FreeIPA

Did somebody try it? Did it work?
-- 
Petr^2 Spacek

From chorn at fluxcoil.net  Fri Dec  7 12:13:42 2012
From: chorn at fluxcoil.net (Christian Horn)
Date: Fri, 7 Dec 2012 13:13:42 +0100
Subject: [Freeipa-users] NFS v4 integration how to
In-Reply-To: <50C1DAB9.2050005@redhat.com>
References: <50C1DAB9.2050005@redhat.com>
Message-ID: <20121207121342.GA11228@fluxcoil.net>

On Fri, Dec 07, 2012 at 01:02:01PM +0100, Petr Spacek wrote:
>
> I accidentally found following how-to:
> http://wiki.linux-nfs.org/wiki/index.php/NFS_and_FreeIPA
> Did somebody try it? Did it work?

Looks good, although I like the 'nfsroot' style of nfsv4.
My notes are at http://fluxcoil.net/doku.php/software/nfs/01_setup_with_ipa .

Christian

From ondrejv at s3group.cz  Fri Dec  7 12:40:20 2012
From: ondrejv at s3group.cz (Ondrej Valousek)
Date: Fri, 07 Dec 2012 13:40:20 +0100
Subject: [Freeipa-users] NFS v4 integration how to
In-Reply-To: <20121207121342.GA11228@fluxcoil.net>
References: <50C1DAB9.2050005@redhat.com> <20121207121342.GA11228@fluxcoil.net>
Message-ID: <50C1E3B4.4050507@s3group.cz>

Three notes:

1.
/export *(rw,sec=krb5,no_subtree_check,no_root_squash)
is better than
/export gss/krb5(rw,no_subtree_check,no_root_squash)

2. Kerberos library is still too picky about reverse DNS records - i.e. if the reverse DNS does not match the principal name in keytab, you are most likely to fail.

3. We should still mention the rpc.idmapd settings I think - people are still used to nfsv3 so this might be confusing to them.

Ondrej

On 12/07/2012 01:13 PM, Christian Horn wrote:
> On Fri, Dec 07, 2012 at 01:02:01PM +0100, Petr Spacek wrote:
>> I accidentally found following how-to:
>> http://wiki.linux-nfs.org/wiki/index.php/NFS_and_FreeIPA
>> Did somebody try it? Did it work?
> Looks good, although I like the 'nfsroot' style of nfsv4.
> My notes are at
> http://fluxcoil.net/doku.php/software/nfs/01_setup_with_ipa .
>
> Christian

From viroos.pl at gmail.com  Fri Dec  7 13:05:58 2012
From: viroos.pl at gmail.com (Maciej Sawicki)
Date: Fri, 7 Dec 2012 14:05:58 +0100
Subject: [Freeipa-users] FreeIpa 3.0.1 installation on Fedora 18
In-Reply-To: <50C130D6.9010104@redhat.com>
References: <50C0CE6B.6020705@redhat.com> <50C130D6.9010104@redhat.com>
Message-ID: 

On Fri, Dec 7, 2012 at 12:57 AM, Dmitri Pal wrote:
> Do you have SELinux enabled?
> Any AVCs?
>

it's disabled

[maciek at freeipa ~]$ sudo sestatus
[sudo] password for maciek:
SELinux status:                 disabled

best regards,
Maciek

From rcritten at redhat.com  Fri Dec  7 14:23:04 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 07 Dec 2012 09:23:04 -0500
Subject: [Freeipa-users] NFS v4 integration how to
In-Reply-To: <50C1E3B4.4050507@s3group.cz>
References: <50C1DAB9.2050005@redhat.com> <20121207121342.GA11228@fluxcoil.net> <50C1E3B4.4050507@s3group.cz>
Message-ID: <50C1FBC8.6030905@redhat.com>

Ondrej Valousek wrote:
> Three notes:
>
> 1.
>
> /export *(rw,sec=krb5,no_subtree_check,no_root_squash)
> is better than
> /export gss/krb5(rw,no_subtree_check,no_root_squash)
>
> 2. Kerberos library is still too picky about reverse DNS records - i.e.
> if the reverse DNS does not match the principal name in keytab, you are
> most likely to fail.
>
> 3. We should still mention the rpc.idmapd settings I think - people are
> still used to nfsv3 so this might be confusing to them.

This is good for F-16 (and probably RHEL 6) but it is dated for Fedora. The ipa-client-automount tool will do all this for a client. It is still an exercise for the user to set up a server.

The mechanism for configuring weak crypto on the server needs work too. We disable DES by default now.
rob

From rcritten at redhat.com  Fri Dec  7 14:33:22 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 07 Dec 2012 09:33:22 -0500
Subject: [Freeipa-users] select users cannot sudo or login at the console
In-Reply-To: 
References: <50C16BAB.30805@redhat.com>
Message-ID: <50C1FE32.30307@redhat.com>

Albert Adams wrote:
> Rob,
> There are no HBAC rules defined other than the default "allow_all" rule
> which has not been customized. It is a vanilla install at this point. I
> have not added anything other than the replica, a few clients, one user
> group and the users to the system.

Ok. I would update the sssd debug level and restart it, then try the login again. On system2 are you able to use nss tools to identify IPA users (id, getent, etc)?

rob

>
> On Thu, Dec 6, 2012 at 11:08 PM, Rob Crittenden wrote:
>
>     Albert Adams wrote:
>
>         I have a small IPA domain setup on RHEL 6 server with a FreeIPA
>         server,
>         a replica and two clients. There are six users setup in the domain.
>         All users are able
>         to login over SSH to both client systems. I am not using IPA to
>         control
>         sudo access. Sudo privileges are granted by group membership (group
>         memberships are managed
>         by IPA). So here is where it gets weird.
>
>         Client Systems
>
>         system1 - testuser1 can authenticate over SSH using public
>         key, can login
>         at the console, and CAN sudo (all other users are able to do the
>         same)
>         system2 - testuser1 can authenticate over SSH using public key and
>         CANNOT login at the console or sudo (two out of six users can
>         login and
>         sudo)
>
>         So for example:
>
>         system1 - SSH, console and sudo access
>         testuser1, testuser2, testuser3, testuser4, testuser5, testuser6
>
>         system2 - SSH access only
>         testuser1, testuser2, testuser3, testuser4
>
>         system2 - SSH, console and sudo access
>         testuser5, testuser6
>
>         All users have the same group memberships and use SSH keys to
>         authenticate to the system.
>
>         Errors when the user tries to sudo
>         ------------------------------------------------------------
>         /var/log/secure
>         Dec 6 18:54:39 ipa-client1 sudo: pam_sss(sudo:auth): authentication
>         failure; logname=testuser1 uid=0 euid=0 tty=/dev/pts/1
>         ruser=testuser1
>         rhost= user=testuser1
>         Dec 6 18:54:39 ipa-client1 sudo: pam_sss(sudo:auth): received
>         for user
>         testuser1: 4 (System error)
>         Dec 6 18:54:47 ipa-client1 sudo: pam_sss(sudo:auth): authentication
>         failure; logname=testuser1 uid=0 euid=0 tty=/dev/pts/1
>         ruser=testuser1
>         rhost= user=testuser1
>         Dec 6 18:54:47 ipa-client1 sudo: pam_sss(sudo:auth): received
>         for user
>         testuser1: 4 (System error)
>         Dec 6 18:54:51 ipa-client1 sudo: pam_sss(sudo:auth): authentication
>         failure; logname=testuser1 uid=0 euid=0 tty=/dev/pts/1
>         ruser=testuser1
>         rhost= user=testuser1
>         Dec 6 18:54:51 ipa-client1 sudo: pam_sss(sudo:auth): received
>         for user
>         testuser1: 4 (System error)
>         Dec 6 18:54:52 ipa-client1 sudo: testuser1 : 3 incorrect password
>         attempts ; TTY=pts/1 ; PWD=/home/testuser1 ; USER=root ;
>         COMMAND=/bin/su -
>
>         Errors when the user tries to login at the console
>         -------------------------------------------------------------
>         /var/log/secure
>         Dec 6 19:53:56 ipa-client1 login: pam_unix(login:auth):
>         authentication
>         failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost=
>         user=testuser1
>         Dec 6 19:53:56 ipa-client1 login: pam_sss(login:auth):
>         authentication
>         failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost=
>         user=testuser1
>         Dec 6 19:53:56 ipa-client1 login: pam_sss(login:auth): received for
>         user testuser1: 4 (System error)
>         Dec 6 19:53:58 ipa-client1 login: FAILED LOGIN 1 FROM (null) FOR
>         testuser1, Authentication failure
>
>
>         I found this post and it looks similar but my
>         /var/log/sssd/krb5_child.log is empty.
>
>         https://www.redhat.com/archives/freeipa-users/2012-October/msg00004.html
>
>         The link to
>         http://www.mail-archive.com/sssd-devel%20lists%20fedorahosted%20org/msg10176.html
>         was dead but I checked the /tmp permissions like the guy in the
>         forum post and they were:
>
>         # ll -dZ /tmp/
>         drwxrwxrwt. root root system_u:object_r:tmp_t:s0 /tmp/
>
>         It's really puzzling that sudo works for some users but not
>         others and
>         it's only on one system. I've thought about enrolling additional
>         systems to the IPA domain
>         to determine if this one system is just a problem child but I'd
>         rather
>         get it ironed out before moving over any additional systems.
>
>         Thanks in advance,
>         Albert
>
>
>     I would look to see if you have any Host-based access (HBAC) rules
>     defined. This would explain the behavior.
>
>     rob
>
>

From simo at redhat.com  Fri Dec  7 14:36:50 2012
From: simo at redhat.com (Simo Sorce)
Date: Fri, 07 Dec 2012 09:36:50 -0500
Subject: [Freeipa-users] NFS v4 integration how to
In-Reply-To: <50C1E3B4.4050507@s3group.cz>
References: <50C1DAB9.2050005@redhat.com> <20121207121342.GA11228@fluxcoil.net> <50C1E3B4.4050507@s3group.cz>
Message-ID: <1354891010.14475.43.camel@willson.li.ssimo.org>

On Fri, 2012-12-07 at 13:40 +0100, Ondrej Valousek wrote:
> Three notes:
>
> 1.
> /export *(rw,sec=krb5,no_subtree_check,no_root_squash)
> is better than
> /export gss/krb5(rw,no_subtree_check,no_root_squash)

It would be even better with root_squash imo :-) (as a default)

> 2. Kerberos library is still too picky about reverse DNS records -
> i.e. if the reverse DNS does not match the principal name in keytab,
> you are most likely to fail.

Can you open bugs about this. We do our best to make it work, unfortunately we have encountered time and again bugs all the way down to glibc (where we still have one to date :-/ ).

> 3. We should still mention the rpc.idmapd settings I think - people
> are still used to nfsv3 so this might be confusing to them.
Yes, we discovered recently that for some reason rpc.idmapd is hell-bent on looking only at its own config file and requires you to set the default kerberos realm there; it doesn't ask libkrb5 for the default realm. So if you do not set it there it fails.

We want to change this in time, but for the time being and on RHEL5/6 and current Fedoras it is what it is.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From jhrozek at redhat.com  Fri Dec  7 15:15:02 2012
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Fri, 7 Dec 2012 16:15:02 +0100
Subject: [Freeipa-users] select users cannot sudo or login at the console
In-Reply-To: <50C1FE32.30307@redhat.com>
References: <50C16BAB.30805@redhat.com> <50C1FE32.30307@redhat.com>
Message-ID: <20121207151502.GK8351@hendrix.brq.redhat.com>

On Fri, Dec 07, 2012 at 09:33:22AM -0500, Rob Crittenden wrote:
> Albert Adams wrote:
> >Rob,
> >There are no HBAC rules defined other than the default "allow_all" rule
> >which has not been customized. It is a vanilla install at this point. I
> >have not added anything other than the replica, a few clients, one user
> >group and the users to the system.
>
> Ok. I would update the sssd debug level and restart it, then try the
> login again. On system2 are you able to use nss tools to identify
> IPA users (id, getent, etc)?
>
> rob
>

Please also check out /var/log/secure. Is pam_sss mentioned at all? What are the messages coming from pam_sss ?

From natxo.asenjo at gmail.com  Fri Dec  7 15:10:22 2012
From: natxo.asenjo at gmail.com (Natxo Asenjo)
Date: Fri, 7 Dec 2012 16:10:22 +0100
Subject: [Freeipa-users] error adding replica
In-Reply-To: <50BCCA3D.6070807@redhat.com>
References: <50BCCA3D.6070807@redhat.com>
Message-ID: 

On Mon, Dec 3, 2012 at 4:50 PM, Rob Crittenden wrote:
> Natxo Asenjo wrote:
>>
>> hi,
>>
>> I have a 6.3 centos server that has been upgraded since 6.1. According
>> to the ipaserver-install.log, I installed it on feb 3 2012 so it has
>> been upgraded at least once.
>>
>> Now that I have more hardware to run a few more vm's I can test
>> replicas. But apparently I am running into this problem:
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=867640
>>
>> I have exactly the same error:
>>
>> 2012-10-17T22:07:50Z DEBUG stderr=
>> 2012-10-17T22:07:50Z CRITICAL failed to configure ca instance Command
>> '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname
>> rhel6-2.testrelm.com -cs_port 9445 -client_certdb_dir /tmp/tmp-Q8ad1f
>> -client_certdb_pwd XXXXXXXX -preop_pin w53uYQUJBSyYNddpO5Xk
>> -domain_name IPA -admin_user admin -admin_email root at localhost
>> -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048
>> -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=TESTRELM.COM
>> -ldap_host rhel6-2.testrelm.com -ldap_port 7389 -bind_dn cn=Directory
>> Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca
>> -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12
>> true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal
>> -ca_subsystem_cert_subject_name CN=CA Subsystem,O=TESTRELM.COM
>> -ca_subsystem_cert_subject_name CN=CA Subsystem,O=TESTRELM.COM
>> -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=TESTRELM.COM
>> -ca_server_cert_subject_name CN=rhel6-2.testrelm.com,O=TESTRELM.COM
>> -ca_audit_signing_cert_subject_name CN=CA Audit,O=TESTRELM.COM
>> -ca_sign_cert_subject_name CN=Certificate Authority,O=TESTRELM.COM
>> -external false -clone true -clone_p12_file ca.p12 -clone_p12_password
>> XXXXXXXX -sd_hostname rhel6-1.testrelm.com -sd_admin_port 443
>> -sd_admin_name admin -sd_admin_password XXXXXXXX -clone_start_tls true
>> -clone_uri https://rhel6-1.testrelm.com:443' returned non-zero exit
>> status 255
>>
>> My realm is different, but the rest is the same.
>>
>> Apparently there is a newer ou ou=csusers somewhere (this is what I
>> understand from the bugzilla), but I am not sure where it must be
>> created. Is it in the ipa slapd or in the pki slapd? When I log in
>> as 'Directory Manager' in both slapd dirsrv I do not find a ou=config
>> anywhere in the directory tree.
>>
>> Any clues?
>
>
> It is likely not the same bug. The output from the installer on failures is
> rather generic (and granted, awful).
>
> You'll need to look at the full /var/log/ipaserver-install.log for clues.
> Sometimes we need to examine /var/log/pki-ca/debug as well.

a bit late, but here is the output of /var/log/ipareplica-install.log and /var/log/pki-ca/debug ; I did not find a /var/log/ipaserver-install.log in the replica server.

TIA,
-- 
groet,
natxo

-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipareplica-install.log
Type: application/octet-stream
Size: 73472 bytes
Desc: not available
-------------- next part --------------
A non-text attachment was scrubbed...
Name: debug
Type: application/octet-stream
Size: 151214 bytes
Desc: not available

From viroos.pl at gmail.com  Fri Dec  7 15:16:48 2012
From: viroos.pl at gmail.com (Maciej Sawicki)
Date: Fri, 7 Dec 2012 16:16:48 +0100
Subject: [Freeipa-users] FreeIpa 3.0.1 installation on Fedora 18
In-Reply-To: 
References: <50C0CE6B.6020705@redhat.com> <50C130D6.9010104@redhat.com>
Message-ID: 

enabling SELinux fixed the problem. thank you for the help!

regards,
Maciek

On Fri, Dec 7, 2012 at 2:05 PM, Maciej Sawicki wrote:
> On Fri, Dec 7, 2012 at 12:57 AM, Dmitri Pal wrote:
>> Do you have SELinux enabled?
>> Any AVCs?
>>
>
> it's disabled
>
> [maciek at freeipa ~]$ sudo sestatus
> [sudo] password for maciek:
> SELinux status:                 disabled
>
> best regards,
> Maciek

From james.hogarth at gmail.com  Fri Dec  7 15:22:39 2012
From: james.hogarth at gmail.com (James Hogarth)
Date: Fri, 7 Dec 2012 15:22:39 +0000
Subject: [Freeipa-users] Certificate serial number not found error
Message-ID: 

Hi,

When trying to view a particular service (or the related host) I'm getting the following error in the UI:

IPA Error 4301
Certificate operation cannot be completed: EXCEPTION (Certificate serial number 0xffe000c not found)

Now I've seen a similar issue in the past when replication has played up and then using ipa-csmanage-replica and forcing syncs (or finding the system the certificate is registered on and deleting it there) has cleared it up... Unfortunately I suspect this was on an old replica which no longer exists given the error occurs on either of the pair I now have for this host and service...

Given there's no 'ignore warning and remove what you can' so far as I can see I suspect I'm going to have to delve into LDAP to unravel the mess but does anyone know the relevant areas in both 389 servers to do this as safely as possible and reduce the risk in doing so as much as possible?

Regards,
James

From biteoag at gmail.com  Fri Dec  7 15:26:21 2012
From: biteoag at gmail.com (Albert Adams)
Date: Fri, 7 Dec 2012 10:26:21 -0500
Subject: [Freeipa-users] select users cannot sudo or login at the console
Message-ID: 

Jakub,
Thanks for the reply. Please see the original post. I included a couple of snippets from /var/log/secure and pam_sss is being used.

Albert

On Fri, Dec 7, 2012 at 10:16 AM, wrote:
> select users cannot sudo or login at the console
>
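Jakub's advice above is to look for pam_sss messages in /var/log/secure; the most telling field in Albert's excerpt is the return code pam_sss logs ("received for user testuser1: 4 (System error)"), because 4 is PAM_SYSTEM_ERR (the SSSD backend itself failed) rather than 7, PAM_AUTH_ERR (a password was rejected). The following script is an added example, not code from the thread or from SSSD: it parses constructed log lines in the same format as Albert's and groups the pam_sss return codes per host and user, so a single host where every user fails with a system error stands out from ordinary wrong-password noise.

```python
"""Triage pam_sss failures in /var/log/secure (added example, not SSSD code)."""
import re
from collections import Counter, defaultdict

# PAM return codes as numbered in <security/_pam_types.h>.
PAM_SYSTEM_ERR = 4    # module/backend failure (SSSD, krb5_child, cache ...)
PAM_PERM_DENIED = 6   # access control refused the login (e.g. an HBAC rule)
PAM_AUTH_ERR = 7      # credentials rejected

# Syslog line: "<Mon> <d> <HH:MM:SS> <host> <prog>[pid]: pam_sss(<svc>:<stack>): ..."
RECEIVED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[\w.-]+)(?:\[\d+\])?: "
    r"pam_sss\((?P<service>[\w.-]+):(?P<stack>\w+)\): "
    r"received for user (?P<user>\S+): (?P<code>\d+) \((?P<text>[^)]*)\)$"
)

# Constructed sample in the same format as the thread's /var/log/secure
# excerpt: testuser1 hits PAM_SYSTEM_ERR on ipa-client1 for both sudo and
# console login, testuser5 simply mistypes a password there, and on
# ipa-client2 the same user only gets an ordinary auth error.
SAMPLE_LOG = """\
Dec  6 18:54:39 ipa-client1 sudo: pam_sss(sudo:auth): authentication failure; logname=testuser1 uid=0 euid=0 tty=/dev/pts/1 ruser=testuser1 rhost=  user=testuser1
Dec  6 18:54:39 ipa-client1 sudo: pam_sss(sudo:auth): received for user testuser1: 4 (System error)
Dec  6 18:54:47 ipa-client1 sudo: pam_sss(sudo:auth): received for user testuser1: 4 (System error)
Dec  6 18:54:51 ipa-client1 sudo: pam_sss(sudo:auth): received for user testuser1: 4 (System error)
Dec  6 18:54:52 ipa-client1 sudo: testuser1 : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/testuser1 ; USER=root ; COMMAND=/bin/su -
Dec  6 19:53:56 ipa-client1 login: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost=  user=testuser1
Dec  6 19:53:56 ipa-client1 login: pam_sss(login:auth): received for user testuser1: 4 (System error)
Dec  6 19:53:58 ipa-client1 login: FAILED LOGIN 1 FROM (null) FOR testuser1, Authentication failure
Dec  6 20:01:10 ipa-client1 sudo: pam_sss(sudo:auth): received for user testuser5: 7 (Authentication failure)
Dec  6 20:02:33 ipa-client1 sshd[2211]: Accepted publickey for testuser1 from 192.0.2.10 port 50122 ssh2
Dec  6 20:05:41 ipa-client2 sudo: pam_sss(sudo:auth): received for user testuser1: 7 (Authentication failure)
"""


def parse_pam_sss(lines):
    """Yield one dict per pam_sss 'received for user' line; other lines are skipped."""
    for line in lines:
        m = RECEIVED_RE.match(line.rstrip("\n"))
        if m:
            event = m.groupdict()
            event["code"] = int(event["code"])
            yield event


def summarize(lines):
    """Map (host, user) -> {'codes': Counter of PAM codes, 'services': PAM services seen}."""
    summary = defaultdict(lambda: {"codes": Counter(), "services": set()})
    for ev in parse_pam_sss(lines):
        entry = summary[(ev["host"], ev["user"])]
        entry["codes"][ev["code"]] += 1
        entry["services"].add(ev["service"])
    return dict(summary)


def classify(codes):
    """Turn a user's PAM code counter into a triage verdict (worst code wins)."""
    if codes[PAM_SYSTEM_ERR]:
        return "system error: SSSD/krb5 backend failed on this host, not a bad password"
    if codes[PAM_PERM_DENIED]:
        return "permission denied: access control (e.g. HBAC) refused the login"
    if codes[PAM_AUTH_ERR]:
        return "auth error: credentials rejected"
    return "no pam_sss failures"


def hosts_with_system_errors(summary):
    """Hosts where at least one user hit PAM_SYSTEM_ERR: raise the SSSD debug level there."""
    return {host for (host, _user), entry in summary.items()
            if entry["codes"][PAM_SYSTEM_ERR]}


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG.splitlines())
    for (host, user), entry in sorted(summary.items()):
        services = ",".join(sorted(entry["services"]))
        print(f"{host:12} {user:10} {services:12} {dict(entry['codes'])} -> "
              f"{classify(entry['codes'])}")
    print("hosts needing SSSD debug:", sorted(hosts_with_system_errors(summary)))
```

Note that the sshd "Accepted publickey" line is deliberately not matched: key-based SSH never runs the PAM auth stack, which is why Albert's users can log in over SSH on a host where sudo and console login fail.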
URL: From rcritten at redhat.com Fri Dec 7 15:28:07 2012 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 07 Dec 2012 10:28:07 -0500 Subject: [Freeipa-users] error adding replica In-Reply-To: References: <50BCCA3D.6070807@redhat.com> Message-ID: <50C20B07.3040805@redhat.com> Natxo Asenjo wrote: > On Mon, Dec 3, 2012 at 4:50 PM, Rob Crittenden wrote: >> Natxo Asenjo wrote: >>> >>> hi, >>> >>> I have a 6.3 centos server that has been upgraded since 6.1. According >>> to the ipaserver-install.log, I installed it on feb 3 2012 so it has >>> been upgraded at least once. >>> >>> Now that I have more hardware to run a few more vm's I can test >>> replicas. But apparently I am running into this problem: >>> >>> https://bugzilla.redhat.com/show_bug.cgi?id=867640 >>> >>> I have exactly the same error: >>> >>> 2012-10-17T22:07:50Z DEBUG stderr= >>> 2012-10-17T22:07:50Z CRITICAL failed to configure ca instance Command >>> '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname >>> rhel6-2.testrelm.com -cs_port 9445 -client_certdb_dir /tmp/tmp-Q8ad1f >>> -client_certdb_pwd XXXXXXXX -preop_pin w53uYQUJBSyYNddpO5Xk >>> -domain_name IPA -admin_user admin -admin_email root at localhost >>> -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 >>> -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=TESTRELM.COM >>> -ldap_host rhel6-2.testrelm.com -ldap_port 7389 -bind_dn cn=Directory >>> Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca >>> -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 >>> true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal >>> -ca_subsystem_cert_subject_name CN=CA Subsystem,O=TESTRELM.COM >>> -ca_subsystem_cert_subject_name CN=CA Subsystem,O=TESTRELM.COM >>> -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=TESTRELM.COM >>> -ca_server_cert_subject_name CN=rhel6-2.testrelm.com,O=TESTRELM.COM >>> -ca_audit_signing_cert_subject_name CN=CA Audit,O=TESTRELM.COM >>> 
>>> -ca_sign_cert_subject_name CN=Certificate Authority,O=TESTRELM.COM
>>> -external false -clone true -clone_p12_file ca.p12 -clone_p12_password
>>> XXXXXXXX -sd_hostname rhel6-1.testrelm.com -sd_admin_port 443
>>> -sd_admin_name admin -sd_admin_password XXXXXXXX -clone_start_tls true
>>> -clone_uri https://rhel6-1.testrelm.com:443' returned non-zero exit
>>> status 255
>>>
>>> My realm is different, but the rest is the same.
>>>
>>> Apparently there is a newer ou ou=csusers somewhere (this is what I
>>> understand from the bugzilla), but I am not sure where it must be
>>> created. Is it in the ipa slapd or in the pki slapd? When I log in
>>> as 'Directory Manager' in both slapd dirsrv I do not find a ou=config
>>> anywhere in the directory tree.
>>>
>>> Any clues?
>>
>>
>> It is likely not the same bug. The output from the installer on failures is
>> rather generic (and granted, awful).
>>
>> You'll need to look at the full /var/log/ipaserver-install.log for clues.
>> Sometimes we need to examine /var/log/pki-ca/debug as well.
>
> a bit late, but here is the output of /var/log/ipareplica-install.log
> and /var/log/pki-ca/debug ; I did not find a
> /var/log/ipaserver-install.log in the replica server.

The dogtag installer is failing with the error "The pkcs12 file is not
correct." I'll need to defer to a dogtag engineer to explain what this
means, and how to fix it.

rob

From natxo.asenjo at gmail.com Fri Dec 7 20:24:50 2012
From: natxo.asenjo at gmail.com (Natxo Asenjo)
Date: Fri, 7 Dec 2012 21:24:50 +0100
Subject: [Freeipa-users] sssd cache
In-Reply-To: <1354717788.19871.460.camel@willson.li.ssimo.org>
References: <1354717788.19871.460.camel@willson.li.ssimo.org>
Message-ID:

On Wed, Dec 5, 2012 at 3:29 PM, Simo Sorce wrote:
> As a test to show why the cache is important do this:
>
> 1. Create a directory
> 2. create 100 files in this directory
> 3. chown each file to a different user and a different group each
> 4. stop sssd, wipe cache file and restart
> 5. do a ls -al of the directory
> 6. wait 10 seconds
> 7. do a second ls -al of the directory
>
> You should notice a difference in the time needed to run ls.

I am convinced ;-)

After deleting the cache it takes 43 secs to ls -la a dir. With cached
info ls -la only takes a fraction of a second.

--
groet,
natxo

From shelltoesuperstar at gmail.com Sat Dec 8 03:15:04 2012
From: shelltoesuperstar at gmail.com (Charlie Derwent)
Date: Sat, 8 Dec 2012 03:15:04 +0000
Subject: [Freeipa-users] Cmd-line Unprovision & OTP setting for a host
In-Reply-To: <5058882A.6010208@redhat.com>
References: <1996182256.1044935.1347936809705.JavaMail.root@redhat.com>
 <1FB7AD4E-C6CC-4B40-A9C9-0A88F991938E@citrixonline.com>
 <56343345B145C043AE990701E3D193952B5644@EXVS2.nrplc.localnet>
 <5058882A.6010208@redhat.com>
Message-ID:

Sorry for the extremely late reply, rebuilds of clients, keytab and
configuration primarily but certs too would be nice.

What we currently do during our provisioning process is disable the host
and reset the password (as previously mentioned) during the kickstart setup
process so the server can successfully enroll (or in the situation I'm
thinking of re-enroll) later on. The problem that causes is when you need
to log onto the server to reboot it but you've just removed your account.
So we have to use a shared local account to log on; limiting the need to do
things like that was the exact reason we installed IPA on our network in
the first place.

So if there was a command like ipa-client-backup or ipa-client-restore that
you could run to generate/restore a gpg file with your client's info we
could safely restore the config after the disk had been wiped. Another
possibly simpler option would be being able to reset the OTP without having
to disable the host first, so the first time the IPA server sees a new
ipa-client-install request with the right OTP it automatically disables the
host server side then enrolls the client that made the request.
(Or even simpler, if there's any documentation on what files you would need
to back up.)

I prefer option 2 :-)

Thanks,
Charlie

On Tue, Sep 18, 2012 at 3:41 PM, Dmitri Pal wrote:
> On 09/18/2012 07:34 AM, Charlie Derwent wrote:
>
> Hi
>
> I've used "ipa host-disable ${HOST}; ipa host-mod --password=${PASS}
> ${HOST}" In the past and that seems to work quite well. The ideal for me
> would be a situation where the IPA information could persist between
> rebuilds.
>
>
> Can you please elaborate more?
> Between rebuilds of what client or server?
> And what information you want to persist: cert, keytab, OTP?
>
> Thanks
> Dmitri
>
>
> Cheers,
> Charlie
>
> On Tue, Sep 18, 2012 at 12:05 PM, Innes, Duncan <
> Duncan.Innes at virginmoney.com> wrote:
>
>> Folks,
>>
>> Juggling a problem here that perhaps doesn't have a perfect solution.
>> I'm looking at systems that get re-provisioned by a
>> Satellite/Spacewalk/Installation method. For full (Free)IPA
>> integration, we normally delete the old entry from IPA, create a new one
>> from scratch and set the OTP to match what we put in our post-install
>> script called by the kickstart file.
>>
>> Just noticed that I can do the same thing by Unprovisioning the system
>> via the WebUI and then setting the OTP.
>>
>> Is there a way to Unprovision a registered host and set a OTP via the
>> command line? I was looking at 'ipa host-mod --setattr' but not getting
>> too far with the Unprovisioning aspect.
>>
>> Duncan Innes | Linux Architect | Virgin Money | +44 1603 215476 | +44
>> 7801 134507 | duncan.innes at virginmoney.com
>>
>> > -----Original Message-----
>> > From: freeipa-users-bounces at redhat.com
>> > [mailto:freeipa-users-bounces at redhat.com] On Behalf Of JR Aquino
>> > Sent: 18 September 2012 03:58
>> > To: Tim Hildred
>> > Cc: freeipa-users
>> > Subject: Re: [Freeipa-users] Password requirements too stringent
>> >
>> > On Sep 17, 2012, at 7:53 PM, Tim Hildred wrote:
>> >
>> > > JR
>> > >
>> > > I had that line. I commented it out. Thank you.
>> > >
>> > > Now, what do I have to restart?
>> >
>> > I believe it should take effect in real time, but you may
>> > need to test to be sure. If it is still happening, you may
>> > need to double check that some other pam cfg doesn't also
>> > have it present: $ cd /etc/pam.d/ && grep pam_cracklib *
>> >
>> > If you have removed it from everything and it is still giving
>> > you the same error, then I would try a reboot... perhaps
>> > getty needs to reinitialize or something. But I'd try those
>> > steps before a reboot!
>> >
>> > ;)
>> >
>> > > Tim Hildred, RHCE
>> > > Content Author II - Engineering Content Services, Red Hat, Inc.
>> > > Brisbane, Australia
>> > > Email: thildred at redhat.com
>> > > Internal: 8588287
>> > > Mobile: +61 4 666 25242
>> > > IRC: thildred
>> > >
>> > > ----- Original Message -----
>> > >> From: "JR Aquino"
>> > >> To: "Tim Hildred"
>> > >> Cc: "freeipa-users"
>> > >> Sent: Tuesday, September 18, 2012 12:37:48 PM
>> > >> Subject: Re: [Freeipa-users] Password requirements too stringent
>> > >>
>> > >> Tim, please check your /etc/pam.d/system-auth with the password
>> > >> block. If you see password requisite pam_cracklib.so, then
>> > >> this is why you are having a problem.
>> > >>
>> > >> $ man pam_cracklib
>> > >>
>> > >> It is a local security library for enforcing strong password
>> > >> practices from the unix cli.
>> > >>
>> > >> ProTip:
>> > >> If you don't need this, you can remove it from pam. If you want to
>> > >> work around this, set your password from the IPA webui or via the
>> > >> cli: "ipa passwd username"
>> > >>
>> > >> Hope this info helps!
>> > >>
>> > >> "Keeping your head in the cloud"
>> > >> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> > >> JR Aquino
>> > >>
>> > >> Senior Information Security Specialist, Technical Operations
>> > >> T: +1 805 690 3478 | F: +1 805 879 3730 | M: +1 805 717 0365
>> > >> GIAC Certified Incident Handler | GIAC Web Application
>> > >> Penetration Tester
>> > >> JR.Aquino at citrix.com
>> > >>
>> > >> Powering mobile workstyles and cloud services
>> > >>
>> > >> On Sep 17, 2012, at 6:25 PM, Tim Hildred wrote:
>> > >>
>> > >> Hey all;
>> > >>
>> > >> I'm running IPA internally to control access to our cloud
>> > >> environment.
>> > >>
>> > >> I must admit, I do not understand the password requirements. I have
>> > >> had them set to the defaults. I read this:
>> > >>
>> > >> https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/user-pwdpolicy.html
>> > >>
>> > >> I have the minimum character classes set to 0. When people use SSH to
>> > >> change their passwords, they get "Based on a dictionary word" for
>> > >> passwords that have nothing to do with dictionary words.
>> > >>
>> > >> I can't find anywhere in the documentation a break down of what makes
>> > >> an unacceptable versus acceptable password.
>> > >>
>> > >> Can anyone help me figure out what to tell my users? I think people
>> > >> would get a lot less frustrated if they knew why "C679V375" was "too
>> > >> simple" when the password policy has 0 required classes.
>> > >>
>> > >> Tim Hildred, RHCE
>> > >> Content Author II - Engineering Content Services, Red Hat, Inc.
>> > >> Brisbane, Australia
>> > >> Email: thildred at redhat.com
>> > >> Internal: 8588287
>> > >> Mobile: +61 4 666 25242
>> > >> IRC: thildred
>> > >>
>> > >> ps: funny exchange with user:
>> > >> Jul 12 14:12:33 i feel like im being punked
>> > >> Jul 12 14:12:40 it is based on a dictionary word
>> > >> Jul 12 14:12:43 it is too short
>> > >> Jul 12 14:12:49 it does not have enough unique letters
>> > >> Jul 12 14:12:51 etc
>> > >>
>> > >> _______________________________________________
>> > >> Freeipa-users mailing list
>> > >> Freeipa-users at redhat.com
>> > >> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>
> -------------------------------
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
>

From bcook at redhat.com Mon Dec 10 01:30:38 2012
From: bcook at redhat.com (Brian Cook)
Date: Sun, 9 Dec 2012 17:30:38 -0800
Subject: [Freeipa-users] cross realm trust - SID doesn't resolve
Message-ID:

I was able to get cross realm trust working with 2k8 R2 DC and RHEL 6.4
beta.

I created an external group in IPA and then added member MSAD\Domain Users

Now in the members of group external-test I have an unresolved SID instead
of the name of the group. How might I go about troubleshooting / fixing
this?
Thanks,
Brian

From abokovoy at redhat.com Mon Dec 10 06:13:29 2012
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Mon, 10 Dec 2012 01:13:29 -0500 (EST)
Subject: [Freeipa-users] cross realm trust - SID doesn't resolve
In-Reply-To:
Message-ID: <1838043011.5731623.1355120009579.JavaMail.root@redhat.com>

----- Original Message -----
> From: "Brian Cook"
> To: freeipa-users at redhat.com
> Sent: Monday, December 10, 2012 3:30:38 AM
> Subject: [Freeipa-users] cross realm trust - SID doesn't resolve
>
> I was able to get cross realm trust working with 2k8 R2 DC and RHEL
> 6.4 beta.
>
> I created an external group in IPA and then added member MSAD\Domain
> Users
>
> Now in the members of group external-test I have an unresolved sid
> instead of the name of the group. How might I go about
> troubleshooting / fixing this?

It should be a SID, not a group/user name; that's by design, so there is
nothing broken in your setup.

Since normal groups in IPA LDAP are using referential membership and all
these trust users/groups do not exist in IPA LDAP as LDAP objects, we
don't reference them by names directly but rather store SIDs only.

The MS-PAC structure in the kerberos ticket uses SIDs, and sssd consults
the IPA LDAP server (and then winbindd on the IPA server) for SID to name
translation when parsing the MS-PAC.

--
/ Alexander Bokovoy

From bcook at redhat.com Mon Dec 10 06:39:14 2012
From: bcook at redhat.com (Brian Cook)
Date: Sun, 9 Dec 2012 22:39:14 -0800
Subject: [Freeipa-users] how to allow a remote realm user to be an IPA admin?
Message-ID:

How do you let a remote user be an admin for IPA?

I followed the fedora group example

external group: ad_admins_external
Posix Group: ad_admins

Then I made ad_admins a group member of ipa group 'admins' - theoretically
now MSAD\Administrator is an IPA admin? I get the following. How does this
work?
Thanks,
Brian

sh-4.1$ kinit administrator at MSAD.TEST
Password for administrator at MSAD.TEST:
sh-4.1$ klist
Ticket cache: FILE:/tmp/krb5cc_1653800500
Default principal: administrator at MSAD.TEST

Valid starting     Expires            Service principal
12/09/12 22:34:43  12/10/12 08:35:09  krbtgt/MSAD.TEST at MSAD.TEST
        renew until 12/10/12 22:34:43
sh-4.1$
sh-4.1$ kinit administrator at MSAD.TEST^C
sh-4.1$
sh-4.1$ ipa user-add
ipa: ERROR: Could not create log_dir u'/home/msad.test/administrator/.ipa/log'
First name: joe
Last name: blo
User login [jblo]:
ipa: ERROR: Insufficient access: SASL(-14): authorization failure: Invalid credentials
sh-4.1$ klist
Ticket cache: FILE:/tmp/krb5cc_1653800500
Default principal: administrator at MSAD.TEST

Valid starting     Expires            Service principal
12/09/12 22:34:43  12/10/12 08:35:09  krbtgt/MSAD.TEST at MSAD.TEST
        renew until 12/10/12 22:34:43
12/09/12 22:35:31  12/10/12 08:35:09  krbtgt/IPA.TEST at MSAD.TEST
        renew until 12/10/12 22:34:43
12/09/12 22:35:09  12/10/12 08:35:09  HTTP/ipa1.ipa.test at IPA.TEST
        renew until 12/10/12 22:34:43
sh-4.1$

From bcook at redhat.com Mon Dec 10 07:04:40 2012
From: bcook at redhat.com (Brian Cook)
Date: Sun, 9 Dec 2012 23:04:40 -0800
Subject: [Freeipa-users] cross realm trust - SID doesn't resolve
In-Reply-To: <1838043011.5731623.1355120009579.JavaMail.root@redhat.com>
References: <1838043011.5731623.1355120009579.JavaMail.root@redhat.com>
Message-ID:

Good to know my setup is working, but for administration purposes
displaying a SID in the GUI is as useless as displaying UIDs with no user
name. SIDs are not meant for human eyes. Is there some issue with resolving
it to the name and displaying the name instead? Should I open an RFE?
Brian

On Dec 9, 2012, at 10:13 PM, Alexander Bokovoy wrote:

> ----- Original Message -----
>> From: "Brian Cook"
>> To: freeipa-users at redhat.com
>> Sent: Monday, December 10, 2012 3:30:38 AM
>> Subject: [Freeipa-users] cross realm trust - SID doesn't resolve
>>
>> I was able to get cross realm trust working with 2k8 R2 DC and RHEL
>> 6.4 beta.
>>
>> I created an external group in IPA and then added member MSAD\Domain
>> Users
>>
>> Now in the members of group external-test I have an unresolved sid
>> instead of the name of the group. How might I go about
>> troubleshooting / fixing this?
> It should be SID, not group/user name, that's by design, so there is
> nothing broken in your setup.
> Since normal groups in IPA LDAP are using referential membership and all
> these trust users/groups do not exist in IPA LDAP as LDAP objects, we
> don't reference them by names directly but rather store SIDs only.
>
> MS-PAC structure in the kerberos ticket uses SIDs, and sssd consults IPA
> LDAP server (and then winbindd on IPA server) for SID to name translation
> when parsing MS-PAC.
> --
> / Alexander Bokovoy

From abokovoy at redhat.com Mon Dec 10 12:12:58 2012
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Mon, 10 Dec 2012 14:12:58 +0200
Subject: [Freeipa-users] cross realm trust - SID doesn't resolve
In-Reply-To:
References: <1838043011.5731623.1355120009579.JavaMail.root@redhat.com>
Message-ID: <20121210121258.GA1779@redhat.com>

On Sun, 09 Dec 2012, Brian Cook wrote:
>Good to know my setup is working, but for administration purposes
>displaying a SID in the GUI is as useless as displaying UID's with no
>user name. SID's are not meant for human eyes. Is there some issue
>with resolving it to the name and displaying the name instead? Should
>I open an RFE?

Since resolving a SID means contacting AD's global catalog, there might be
delays and even failure. I'll see how we can do it in a safe way.

Please add an RFE.
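To make concrete what the reply above describes, the following is an added example (mine, not code from this thread, from FreeIPA or from SSSD): the SIDs that the external group stores and that the MS-PAC carries are binary structures, and a resolver has to split the domain part from the RID before it can ask the owning domain for a name. The constructed SID bytes, the FAKE_DOMAINS table and the WELL_KNOWN table below are stand-ins for the global catalog / winbindd round trip, which is the step that can be slow or fail; when the lookup fails the code falls back to displaying the SID string itself rather than erroring out.

```python
"""SID decode/encode plus a resolve step with fallback to the raw SID.

Added example; not code from the thread, FreeIPA or SSSD. The SID bytes and
the domain/name tables are constructed stand-ins for the AD global catalog
(winbindd) lookup described in the reply above.
"""

import struct


def sid_to_str(raw):
    """Binary SID -> 'S-1-5-21-...'.

    Layout (as carried in the MS-PAC and in AD objectSid): revision (1 byte),
    sub-authority count (1 byte), 48-bit identifier authority (big-endian),
    then count x 32-bit sub-authorities (little-endian).
    """
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if revision != 1 or count > 15 or len(raw) != 8 + 4 * count:
        raise ValueError("malformed SID")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))


def str_to_sid(text):
    """'S-1-5-21-...' -> binary SID; inverse of sid_to_str."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S" or parts[1] != "1":
        raise ValueError("not a SID string")
    authority = int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15:
        raise ValueError("too many sub-authorities")
    return (bytes([1, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def split_domain_rid(sid_str):
    """(domain SID, RID): the domain part says which realm to ask, the RID which account."""
    domain, rid = sid_str.rsplit("-", 1)
    return domain, int(rid)


# Constructed tables standing in for the AD global catalog / winbindd round trip.
FAKE_DOMAINS = {
    "S-1-5-21-1111-2222-3333": ("MSAD", {512: "Domain Admins", 513: "Domain Users"}),
}
WELL_KNOWN = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users"}


def resolve_sid(sid_str, domains=FAKE_DOMAINS):
    """Resolve to 'DOMAIN\\name'; return the SID text itself when the lookup fails."""
    if sid_str in WELL_KNOWN:
        return WELL_KNOWN[sid_str]
    domain_sid, rid = split_domain_rid(sid_str)
    dom = domains.get(domain_sid)
    if dom is not None and rid in dom[1]:
        return "%s\\%s" % (dom[0], dom[1][rid])
    return sid_str


def resolve_pac_sids(raw_sids):
    """Decode a list of binary SIDs (e.g. taken from a PAC) and resolve each one."""
    return [resolve_sid(sid_to_str(raw)) for raw in raw_sids]


if __name__ == "__main__":
    # Constructed sample: Domain Users of the fake MSAD domain, plus an unknown domain.
    sample = [str_to_sid("S-1-5-21-1111-2222-3333-513"),
              str_to_sid("S-1-5-21-9-9-9-500")]
    for name in resolve_pac_sids(sample):
        print(name)
```

The domain table is keyed by the domain SID rather than by name because that is the only key the PAC gives you; in a real deployment the lookup against it is the network call to AD that the reply warns may be slow or fail, which is why the fallback returns the SID string instead of raising.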
--
/ Alexander Bokovoy

From abokovoy at redhat.com Mon Dec 10 12:25:26 2012
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Mon, 10 Dec 2012 14:25:26 +0200
Subject: [Freeipa-users] how to allow a remote realm user to be an IPA admin?
In-Reply-To:
References:
Message-ID: <20121210122526.GB1779@redhat.com>

On Sun, 09 Dec 2012, Brian Cook wrote:
>How do you let a remote user be an admin for IPA?
You cannot do it, at least right now.

>
>I followed the fedora group example
>
>external group:ad_admins_external
>Posix Group: ad_admins
>
>Then I made ad_admins a group member of ipa group 'admins' -
>theoretically now MSAD\Administrator is an IPA admin? I get the
>following. How does this work?

Being able to perform IPA management operations means being able to bind
to IPA LDAP with the identity in question. For Kerberos authentication
the LDAP server maps the user principal to a DN of an object in LDAP.

In the case of trust users there are no LDAP objects that represent them,
since the whole idea of a trust was to avoid replicating objects between
the realms, so while the IPA KDC accepts the AD realm's tickets for the
users, the IPA LDAP server doesn't know what they map to in terms of LDAP
objects.

Thus, trust users cannot be used to bind for LDAP access.

>sh-4.1$ ipa user-add
>ipa: ERROR: Could not create log_dir u'/home/msad.test/administrator/.ipa/log'
>First name: joe
>Last name: blo
>User login [jblo]:
>ipa: ERROR: Insufficient access: SASL(-14): authorization failure: Invalid credentials

At this step the IPA server code you are talking to attempts to bind to
the LDAP server on your (administrator at MSAD.TEST) behalf. The LDAP server
cannot map administrator at MSAD.TEST to an existing DN, thus a failure is
raised.

Since access controls in the 389-ds LDAP server are built around DNs of
existing objects, you need to be able to map these ephemeral users to some
existing objects first to allow them to bind to LDAP.
We haven't done that yet but may at some point in the future consider
adding some sort of ephemeral bind support. It is unclear how to do it
properly, considering all the security implications.

--
/ Alexander Bokovoy

From rcritten at redhat.com Mon Dec 10 13:30:21 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 10 Dec 2012 08:30:21 -0500
Subject: [Freeipa-users] Certificate serial number not found error
In-Reply-To:
References:
Message-ID: <50C5E3ED.80209@redhat.com>

James Hogarth wrote:
> Hi,
>
> When trying to view a particular service (or the related host) I'm
> getting the following error in the UI:
>
> IPA Error 4301
> Certificate operation cannot be completed: EXCEPTION (Certificate serial
> number 0xffe000c not found)
>
> Now I've seen similar issue in the past when replication has played up
> and then using ipa-csmanage-replica and forcing syncs (or finding the
> system the certificate is registered on and deleting it there) has
> cleared it up...
>
> Unfortunately I suspect this was on an old replica which no longer
> exists given the error occurs on either of the pair I now have for this
> host and service...
>
> Given there's no 'ignore warning and remove what you can' so far as I
> can see I suspect I'm going to have to delve into LDAP to unravel the
> mess but does anyone know the relevant areas in both 389 servers to do
> this as safely as possible and reduce the risk in doing so as much as
> possible?

You can use ldapmodify to remove the userCertificate attribute from the
host.

# kinit admin
# ldapmodify -Y GSSAPI
SASL/GSSAPI authentication started
SASL username: admin at EXAMPLE.COM
SASL SSF: 56
SASL data security layer installed.
dn: fqdn=pacer.example.com,cn=computers,cn=accounts,dc=example,dc=com
changetype: modify
delete: usercertificate

modifying entry "fqdn=pacer.example.com,cn=computers,cn=accounts,dc=example,dc=com"

You'll probably want to delete the certificate out of /etc/pki/nssdb on
the host too.
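The ldapmodify above removes the attribute from one host whose DN is already known. When, as in the original question, it is not obvious which host or service entry still carries the certificate with serial 0xffe000c, the entries can be checked by serial first. The following is an added example (mine, not from Rob's reply or from FreeIPA) that parses each DER userCertificate value only as far as the serialNumber and emits the matching LDIF. The entry dictionary and the minimal DER certificates in it are constructed so the script runs offline; in practice the entries would come from an ldapsearch over cn=computers and cn=services under cn=accounts, and the sample DNs follow that tree layout.

```python
"""Find IPA host/service entries whose userCertificate has a given serial.

Added example, not code from the thread or from FreeIPA. The entry
dictionary and its minimal DER certificates are constructed so the script
runs offline; real entries would come from an ldapsearch over cn=computers
and cn=services under cn=accounts.
"""


def _read_tlv(buf, pos):
    """Decode one DER tag/length/value starting at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def cert_serial(der):
    """Return the serialNumber of a DER X.509 certificate as an int.

    Certificate ::= SEQUENCE { tbsCertificate SEQUENCE { [0] version OPTIONAL,
    serialNumber INTEGER, ... }, ... }; only these outer layers are walked.
    """
    tag, cert_body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, tbs, _ = _read_tlv(cert_body, 0)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, value, pos = _read_tlv(tbs, 0)
    if tag == 0xA0:                         # explicit [0] version present: skip it
        tag, value, pos = _read_tlv(tbs, pos)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    return int.from_bytes(value, "big", signed=True)


def entries_with_serial(entries, serial):
    """DNs whose userCertificate values include a certificate with this serial."""
    return [dn for dn, certs in entries.items()
            if any(cert_serial(c) == serial for c in certs)]


def ldif_delete_usercertificate(dn):
    """LDIF removing every userCertificate value from dn, as in the ldapmodify above."""
    return "dn: %s\nchangetype: modify\ndelete: usercertificate\n\n" % dn


def plan_cleanup(error_serial, entries):
    """Take the serial as printed in the IPA error (e.g. '0xffe000c'); return LDIF per hit."""
    serial = int(error_serial, 16)
    return [ldif_delete_usercertificate(dn) for dn in entries_with_serial(entries, serial)]


def _fake_cert(serial, with_version=True):
    """Constructed minimal DER: SEQUENCE { SEQUENCE { [0]{INTEGER 2}?, INTEGER serial } }."""
    ser = serial.to_bytes((serial.bit_length() + 8) // 8, "big", signed=True)
    inner = b"\x02" + bytes([len(ser)]) + ser
    if with_version:
        inner = b"\xa0\x03\x02\x01\x02" + inner
    tbs = b"\x30" + bytes([len(inner)]) + inner
    return b"\x30" + bytes([len(tbs)]) + tbs


BASE = "cn=accounts,dc=example,dc=com"
# Constructed sample entries, keyed by DN, in the layout of the IPA tree.
SAMPLE_ENTRIES = {
    "fqdn=pacer.example.com,cn=computers," + BASE: [_fake_cert(0xFFE000C)],
    "krbprincipalname=HTTP/pacer.example.com@EXAMPLE.COM,cn=services," + BASE:
        [_fake_cert(0xFFE000C, with_version=False)],
    "fqdn=other.example.com,cn=computers," + BASE: [_fake_cert(0x1A)],
}

if __name__ == "__main__":
    print("".join(plan_cleanup("0xffe000c", SAMPLE_ENTRIES)))
```

The generated LDIF can be fed to the same ldapmodify -Y GSSAPI session shown above; the serial comparison is done on the certificate bytes themselves, so it also catches the case where the service entry rather than the host entry is the one still holding the stale certificate.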
rob

From dpal at redhat.com Mon Dec 10 13:57:24 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 10 Dec 2012 08:57:24 -0500
Subject: [Freeipa-users] Cmd-line Unprovision & OTP setting for a host
In-Reply-To:
References: <1996182256.1044935.1347936809705.JavaMail.root@redhat.com>
 <1FB7AD4E-C6CC-4B40-A9C9-0A88F991938E@citrixonline.com>
 <56343345B145C043AE990701E3D193952B5644@EXVS2.nrplc.localnet>
 <5058882A.6010208@redhat.com>
Message-ID: <50C5EA44.40502@redhat.com>

On 12/07/2012 10:15 PM, Charlie Derwent wrote:
> Sorry for the extremely late reply, rebuilds of clients, keytab and
> configuration primarily but certs too would be nice.
>
> What we currently do during our provisioning process is disable the
> host and reset the password (as previously mentioned) during the
> kickstart setup process so the server can successfully enroll (or in
> the situation I'm thinking of re-enroll) later on. The problem that
> causes is when you need to log onto the server to reboot it but you've
> just removed your account. So we have to use a shared local account
> to log on, limiting the need to do things like that was the exact
> reason we installed IPA on our network in the first place.
>
> So if there was a command like ipa-client-backup or ipa-client-restore
> that you could run to generate/restore a gpg file with your clients
> info we could safely restore the config after disk had been wiped.
> Another possibly simpler option would be being able to reset the OTP
> without having to disable the host first, so the first time the IPA
> server sees a new ipa-client-install request with the right OTP it
> automatically disables the host server side then enrolls the client
> that made the request. (Or even simpler if there's any documentation
> on what files you would need to back up)
>
> I prefer option 2 :-)

I am trying to understand the sequence of the operations here.
You have a client that you need to periodically re-install or re-deploy.
Before you re-install you need to set the OTP (because it is OTP) anyway.
This means you need some software to run a command against IPA. OK, so at
that moment you can remove the host and then re-create it again in IPA and
set the OTP there. On the client side you run ipa-client-install providing
the OTP and it creates the host keytab and does all the configuration
steps. After that you can log in with any user account you have into that
client (unless you prohibited this user from logging in via HBAC).

It seems that what you are asking above is the ability to set the OTP
without disabling the host...

Is the problem with sequencing? Are you saying that while the client is
still working you already need to prepare it for the next re-enrollment
without disrupting current operations? I can understand that. But what
prevents you from doing the operations in sequence: uninstall client,
recreate the host and OTP on the server side, re-install the client?

>
> Thanks,
> Charlie
>

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From simo at redhat.com Mon Dec 10 15:50:32 2012
From: simo at redhat.com (Simo Sorce)
Date: Mon, 10 Dec 2012 10:50:32 -0500
Subject: [Freeipa-users] how to allow a remote realm user to be an IPA admin?
In-Reply-To: <20121210122526.GB1779@redhat.com>
References: <20121210122526.GB1779@redhat.com>
Message-ID: <1355154632.5073.26.camel@willson.li.ssimo.org>

On Mon, 2012-12-10 at 14:25 +0200, Alexander Bokovoy wrote:
> On Sun, 09 Dec 2012, Brian Cook wrote:
> >How do you let a remote user be an admin for IPA?
> You cannot do it, at least right now.
>
> >I followed the fedora group example
> >
> >external group:ad_admins_external
> >Posix Group: ad_admins
> >
> >Then I made ad_admins a group member of ipa group 'admins' -
> >theoretically now MSAD\Administrator is an IPA admin? I get the
> >following. How does this work?
>
> Being able to perform IPA management operations means being able to bind
> to IPA LDAP with the identity in question. For Kerberos authentication
> LDAP server maps user principal to a DN of an object in LDAP.
>
> In case of trust users there are no LDAP objects that they represent
> since the whole idea of a trust was to avoid replicating objects between
> the realms, so while IPA KDC accepts AD realm's tickets for the users,
> IPA LDAP server doesn't know what they map to in terms of LDAP objects.
>
> Thus, trust users cannot be used to bind for LDAP access.

Note that this[1] DS ticket needs to be implemented for us to be able, at
some point, to create a fallback mapping so we can map a foreign user to a
'role' object in DS. This way we will be able to properly authorize remote
users to operate on freeipa, even as admins at some point, as long as we
can map them to an object role based on a SASL mapping.

This will take a while though.
For the moment you need a real FreeIPA user to manage freeipa; you can
think of foreign users as 'guests' atm.

Simo.

[1] https://fedorahosted.org/389/ticket/534

--
Simo Sorce * Red Hat, Inc * New York

From bcook at redhat.com Mon Dec 10 17:04:21 2012
From: bcook at redhat.com (Brian Cook)
Date: Mon, 10 Dec 2012 09:04:21 -0800
Subject: [Freeipa-users] cross realm trust - SID doesn't resolve
In-Reply-To: <20121210121258.GA1779@redhat.com>
References: <1838043011.5731623.1355120009579.JavaMail.root@redhat.com> <20121210121258.GA1779@redhat.com>
Message-ID: <2C0244F6-E670-43C4-9CEF-B09F084E2623@redhat.com>

Okay, I'll open an RFE.

Fwiw, when AD can't resolve a SID for any reason, it does display the SID
itself but only as a fallback mechanism. I think this would be acceptable
behavior.

-Brian

On Dec 10, 2012, at 4:12 AM, Alexander Bokovoy wrote:

> On Sun, 09 Dec 2012, Brian Cook wrote:
>> Good to know my setup is working, but for administration purposes
>> displaying a SID in the GUI is as useless as displaying UID's with no
>> user name. SID's are not meant for human eyes. Is there some issue
>> with resolving it to the name and displaying the name instead? Should
>> I open an RFE?
> Since resolving SID means contacting AD's global catalog, there might be
> delays and even failure. I'll see how we can do it in a safe way.
>
> Please add an RFE.
>
> --
> / Alexander Bokovoy

From dpal at redhat.com Mon Dec 10 17:36:12 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 10 Dec 2012 12:36:12 -0500
Subject: [Freeipa-users] cross realm trust - SID doesn't resolve
In-Reply-To: <2C0244F6-E670-43C4-9CEF-B09F084E2623@redhat.com>
References: <1838043011.5731623.1355120009579.JavaMail.root@redhat.com> <20121210121258.GA1779@redhat.com> <2C0244F6-E670-43C4-9CEF-B09F084E2623@redhat.com>
Message-ID: <50C61D8C.4040009@redhat.com>

On 12/10/2012 12:04 PM, Brian Cook wrote:
> Okay, I'll open an RFE.
> Fwiw, when AD can't resolve a SID for any reason, it does display the SID
> itself but only as a fallback mechanism. I think this would be acceptable
> behavior.

Now I think you understand why it is a tech preview. You hit right away a
couple of things that QE was also expecting to work.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From rcritten at redhat.com Mon Dec 10 18:58:18 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 10 Dec 2012 13:58:18 -0500
Subject: [Freeipa-users] Announcing FreeIPA v3.1.0 Release
Message-ID: <50C630CA.7000700@redhat.com>

The FreeIPA team is proud to announce version FreeIPA v3.1.0.

It can be downloaded from http://www.freeipa.org/page/Downloads.

A build will be submitted to updates-testing for Fedora 18 soon.

== Highlights in 3.1.0 ==

* A single 389-ds instance is used both for IPA identity data and for the
dogtag CA server on new installs.
* Support for Windows 2012 Server Trusts.
* Verify that the IPA certificates are not tracked by certmonger after
server uninstallation.
* Enable 389-ds transactions.
* If chronyd is running on a server disable it and replace it with ntpd by
default.
* Add new OCSP and CRL URIs to the IPA certificate profile for a new CNAME
entry, ipa-ca.example.com.
* Fix potential security error in cookie handling in ipa client tool,
CVE-2012-5631.

== Upgrading ==

An IPA server can be upgraded simply by installing updated rpms. The
server does not need to be shut down in advance.

Please note that the referential integrity extension requires an extended
set of indexes to be configured. RPM update for an IPA server with an
excessive number of hosts, SUDO or HBAC entries may require several minutes
to finish.

If you have multiple servers you may upgrade them one at a time. It is
expected that all servers will be upgraded in a relatively short period
(days or weeks, not months). They should be able to co-exist peacefully but
new features will not be available on old servers and enrolling a new
client against an old server will result in the SSH keys not being uploaded.

Downgrading a server once upgraded is not supported.

Upgrading from 2.2.0 is supported. Upgrading from previous versions is not
supported and has not been tested.

Upgrading from a previous version will not consolidate the 389-ds
instances. Only new installations get a unified 389-ds backend. Upgraded
servers will retain both instances.

An enrolled client does not need the new packages installed unless you
want to re-enroll it. SSH keys for already installed clients are not
uploaded; you will have to re-enroll the client or manually upload the keys.
== Feedback ==

Please provide comments, bugs and other feedback via the freeipa-devel
mailing list: http://www.redhat.com/mailman/listinfo/freeipa-devel

== Detailed Changelog since 3.0.1 ==

Ade Lee (1):
* Changes to use a single database for dogtag and IPA

Alexander Bokovoy (8):
* ipa-kdb: Support Windows 2012 Server
* Remove bogus check for smbpasswd
* Warn about DNA plugin configuration when working with local ID ranges
* Resolve external members from trusted domain via Global Catalog
* Clarify trust-add help regarding multiple runs against the same domain
* ipasam: better Kerberos error handling in ipasam
* trusts: replace use of python-crypto by m2crypto
* Propagate kinit errors with trust account

Endi Sukma Dewata (1):
* Configuring CA with ConfigParser.

Jakub Hrozek (5):
* ipa-client-automount: Add the autofs service if it doesn't exist yet
* Make enabling the autofs service more robust
* ipachangeconf: allow specifying non-default delimeter for options
* Specify includedir in krb5.conf on new installs
* Add the includedir to krb5.conf on upgrades

Jan Cholasta (1):
* Reword description of the --passsync option of ipa-replica-manage.
John Dennis (2):
* log dogtag errors
* Compliant client side session cookie behavior

Lubomir Rintel (1):
* Drop unused readline import

Martin Kosek (18):
* Update SELinux policy for dogtag10
* Bump 389-ds-base minimum in our spec file
* Add OCSP and CRL URIs to certificates
* Stop and disable conflicting time&date services
* Create reverse zone in unattended mode
* Add fallback for httpd restarts on sysV platforms
* Report ipa-upgradeconfig errors during RPM upgrade
* Avoid uninstalling dependencies during package lifetime
* Remove servertrls and clientctrls options from rename_s
* Use common encoding in modlist generation
* Process relative nameserver DNS record correctly
* Do not require resolvable nameserver in DNS install
* Disable global forwarding per-zone
* Prepare spec file for Fedora 18
* Filter suffix in replication management tools
* Change network configuration file
* Improve ipa-replica-prepare error message
* Fix sshd feature check

Nikolai Kondrashov (1):
* Add uninstall command hints to ipa-*-instal

Petr Viktorin (12):
* Fix schema replication from old masters
* Use correct Dogtag configuration in get_pin and get_ca_certchain
* Update certmap.conf on IPA upgrades
* Properly stop tracking certificates on uninstall
* Provide 'protocol' argument to IPAdmin
* Make ipa-csreplica-manage work with both merged and non-merged DBs
* Use DN objects for Dogtag configuration
* ipautil.run: Log the command line before running the command
* ipa-replica-install: Use configured IPA DNS servers in forward/reverse resolution check
* Make sure the CA is running when starting services
* Provide explicit user name for Dogtag installation scripts
* Add Lubomir Rintel to Contributors.txt

Petr Vobornik (7):
* Simpler instructions to generate certificate
* Fixed incorrect link to browser config after session expiration
* Web UI: disable global forwarding per zone
* WebUI: Change of default value of type of new group back to POSIX
* Editable sshkey, mac address field after upgrade
* Better licensing information of 3rd party code
* Better error message for login of users from other realms

Rob Crittenden (16):
* Enable transactions by default, make password and modrdn TXN-aware
* Become IPA 3.1.0
* Password change in a transaction, ensure passwords are truly expired
* Don't configure a reverse zone if not desired in interactive installer.
* Fix requesting certificates that contain subject altnames.
* Improve error messages in ipa-replica-manage.
* Close connection after each request, avoid NSS shutdown problem.
* The SECURE_NFS value needs to be lower-case yes on SysV systems.
* After unininstall see if certmonger is still tracking any of our certs.
* Wait for the directory server to come up when updating the agent certificate.
* Set MLS/MCS for user_u context to what will be on remote systems.
* Handle the case where there are no replicas with list-ruv
* Honor the kdb options disabling KDC writes in ipa_lockout plugin
* Only update the list of running services in the installer or ipactl.
* Set min for selinux-policy to 3.11.1-60
* Reorder XML-RPC initialization in ipa-join to avoid segfault.
Simo Sorce (7):
* Add support for using AES for cross-realm TGTs
* Preserve original service_name in services
* Save service name on service startup
* Get list of service from LDAP only at startup
* Revert "Save service name on service startup"
* Save service name on service startup/shutdown
* MS-PAC: Special case NFS services

Sumit Bose (7):
* Fix various issues found by Coverity
* extdom: handle INP_POSIX_UID and INP_POSIX_GID requests
* Restart httpd if ipa-server-trust-ad is installed or updated
* ipa-adtrust-install: allow to reset te NetBIOS domain name
* Lookup the user SID in external group as well
* Restart sssd after authconfig update
* Do not recommend how to configure DNS in error message

Tomas Babej (5):
* Forbid overlapping primary and secondary rid ranges
* Refactoring of default.conf man page
* Make service naming in ipa-server-install consistent
* IPA Server check in ipa-replica-manage
* Add detection for users from trusted/invalid realms

From james.hogarth at gmail.com Tue Dec 11 13:33:06 2012
From: james.hogarth at gmail.com (James Hogarth)
Date: Tue, 11 Dec 2012 13:33:06 +0000
Subject: [Freeipa-users] Managing Sudo through FreeIPA
In-Reply-To: <509CCE08.7070502@redhat.com>
References: <509AF934.8090202@redhat.com> <509CCE08.7070502@redhat.com>
Message-ID:

> Hi, caching capabilities were not optimal in the tech preview, but it was
> fully functional (or at least should be, I don't think anyone really tried
> it in production), unless sssd is configured with multiple domains.

I looked at the 6.3 technical notes for sudo, sssd and ipa but couldn't see
any reference to sudo support in IPA/SSSD natively (as opposed to LDAP
integration) ... the Identity Management guide still refers to the old
nslcd.conf file and not sudo-ldap.conf, never mind native integration...

Do you have any details on how to go about testing this?
From bret.wortman at damascusgrp.com Tue Dec 11 15:53:43 2012
From: bret.wortman at damascusgrp.com (Bret Wortman)
Date: Tue, 11 Dec 2012 10:53:43 -0500
Subject: [Freeipa-users] ipa-replica-install fails
Message-ID:

My replica install fails to create a DS instance:

    :
    [2/30]: creating directory server instance
    ipa : CRITICAL failed to create ds instance Command '/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmpp80GFc' returned non-zero exit status 1
    [3/30]: adding default schema
    :
    :
    [21/30]: setting up initial replication
    Starting replication, please wait until this has completed.
    [ipa.damascusgrp.com] reports: Update failed! Status: [-2 - System error]
    creation of replica failed: Failed to start replication

What could cause the DS setup to fail? And is the second error likely
related as I believe it to be?

--
Bret Wortman
The Damascus Group
Fairfax, VA
http://bretwortman.com/
http://twitter.com/BretWortman

From dpal at redhat.com Tue Dec 11 16:25:20 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Tue, 11 Dec 2012 11:25:20 -0500
Subject: [Freeipa-users] ipa-replica-install fails
In-Reply-To:
References:
Message-ID: <50C75E70.80901@redhat.com>

On 12/11/2012 10:53 AM, Bret Wortman wrote:
> My replica install fails to create a DS instance:
>
> :
> [2/30]: creating directory server instance
> ipa : CRITICAL failed to create ds instance Command
> '/usr/sbin/setup-ds.pl --silent --logfile - -f
> /tmp/tmpp80GFc' returned non-zero exit status 1
> [3/30]: adding default schema
> :
> :
> [21/30]: setting up initial replication
> Starting replication, please wait until this has completed.
> [ipa.damascusgrp.com] reports: Update failed! Status: [-2 - System error]
> creation of replica failed: Failed to start replication
>
> What could cause the DS setup to fail?

SELinux policy for example, disk being out of space, previous install of DS
that has not been properly cleaned, etc...
> And is the second error likely related as I believe it to be?

Yes.
Please look at the install logs, they might have more info about what is
going on and why DS install failed.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From dpal at redhat.com Tue Dec 11 16:25:57 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Tue, 11 Dec 2012 11:25:57 -0500
Subject: [Freeipa-users] Managing Sudo through FreeIPA
In-Reply-To:
References: <509AF934.8090202@redhat.com> <509CCE08.7070502@redhat.com>
Message-ID: <50C75E95.5010000@redhat.com>

On 12/11/2012 08:33 AM, James Hogarth wrote:
>> Hi, caching capabilities were not optimal in the tech preview, but
>> it was fully functional (or at least should be, I don't think
>> anyone really tried it in production), unless sssd is configured
>> with multiple domains.
>
> I looked at the 6.3 technical notes for sudo, sssd and ipa but
> couldn't see any reference to sudo support in IPA/SSSD natively (as
> opposed to LDAP integration) ... the Identity Management guide still
> refers to the old nslcd.conf file and not sudo-ldap.conf, never mind
> native integration...

Yes, this is a known bug in the documentation.

> Do you have any details on how to go about testing this?

The native integration in SSSD was a tech preview in 6.3 and was pretty
much broken. If you are interested in SSSD+SUDO integration please see SSSD
1.9. It seems that the feature is not yet documented in the formal doc set.
You can try sssd man pages.
http://jhrozek.fedorapeople.org/sssd/1.9.3/man/sssd-sudo.5.html

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From jhrozek at redhat.com Tue Dec 11 16:50:06 2012
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Tue, 11 Dec 2012 17:50:06 +0100
Subject: [Freeipa-users] Managing Sudo through FreeIPA
In-Reply-To: <50C75E95.5010000@redhat.com>
References: <509AF934.8090202@redhat.com> <509CCE08.7070502@redhat.com> <50C75E95.5010000@redhat.com>
Message-ID: <20121211165006.GH3112@hendrix.brq.redhat.com>

On Tue, Dec 11, 2012 at 11:25:57AM -0500, Dmitri Pal wrote:
> The native integration in SSSD was a tech preview in 6.3 and was pretty
> much broken.

It wasn't a TP in 6.3 because the sudo 1.8 package wasn't in 6.3 at all. It
was rewritten after F-17, because its cache update mechanism was extremely
inefficient, but I wouldn't call it "broken". The code worked, just slow.

> If you are interested in SSSD+SUDO integration please see SSSD 1.9
> It seems that the feature is not yet documented in the formal doc set.
> You can try sssd man pages.
> http://jhrozek.fedorapeople.org/sssd/1.9.3/man/sssd-sudo.5.html

There are still a couple of known bugs (see
https://fedorahosted.org/sssd/report/3 and search for sudo, for instance),
but in general the feature is working now.
From mkosek at redhat.com Tue Dec 11 17:04:56 2012
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 11 Dec 2012 18:04:56 +0100
Subject: [Freeipa-users] ipa-replica-install fails
In-Reply-To: <50C75E70.80901@redhat.com>
References: <50C75E70.80901@redhat.com>
Message-ID: <50C767B8.8050503@redhat.com>

On 12/11/2012 05:25 PM, Dmitri Pal wrote:
> On 12/11/2012 10:53 AM, Bret Wortman wrote:
>> My replica install fails to create a DS instance:
>>
>> :
>> [2/30]: creating directory server instance
>> ipa : CRITICAL failed to create ds instance Command
>> '/usr/sbin/setup-ds.pl --silent --logfile - -f
>> /tmp/tmpp80GFc' returned non-zero exit status 1
>> [3/30]: adding default schema
>> :
>> :
>> [21/30]: setting up initial replication
>> Starting replication, please wait until this has completed.
>> [ipa.damascusgrp.com] reports: Update failed!
>> Status: [-2 - System error]
>> creation of replica failed: Failed to start replication
>>
>> What could cause the DS setup to fail?
>
> SELinux policy for example, disk being out of space, previous install of DS
> that has not been properly cleaned, etc...
>
>> And is the second error likely related as I believe it to be?
>>
> Yes.
> Please look at the install logs, they might have more info about what is going
> on and why DS install failed.

I am not sure what version of IPA/DS you use, but if you are using Fedora 18,
you may need to update your SELinux version. There was a relevant fix to the
behavior you described. This is the most recent build available:

http://koji.fedoraproject.org/koji/buildinfo?buildID=372172

Martin

From bret.wortman at damascusgrp.com Tue Dec 11 18:04:37 2012
From: bret.wortman at damascusgrp.com (Bret Wortman)
Date: Tue, 11 Dec 2012 13:04:37 -0500
Subject: [Freeipa-users] Announcing FreeIPA v3.1.0 Release
In-Reply-To: <50C630CA.7000700@redhat.com>
References: <50C630CA.7000700@redhat.com>
Message-ID:

This appears to require dirsrv-1.3, which I assume is part of
389-base-devel. I don't see where 1.3 has been made available yet, or am I
missing something?

On Mon, Dec 10, 2012 at 1:58 PM, Rob Crittenden wrote:

> The FreeIPA team is proud to announce version FreeIPA v3.1.0.

--
Bret Wortman
The Damascus Group
Fairfax, VA
http://bretwortman.com/
http://twitter.com/BretWortman

From bret.wortman at damascusgrp.com Tue Dec 11 19:12:09 2012
From: bret.wortman at damascusgrp.com (Bret Wortman)
Date: Tue, 11 Dec 2012 14:12:09 -0500
Subject: [Freeipa-users] ipa-replica-install fails
In-Reply-To: <50C784F9.7020806@redhat.com>
References: <50C75E70.80901@redhat.com> <50C784F9.7020806@redhat.com>
Message-ID:

I'm working through them and may simply abandon the idea of automating the
replica install.
On Tue, Dec 11, 2012 at 2:09 PM, Dmitri Pal wrote:

> On 12/11/2012 12:09 PM, Bret Wortman wrote:
>
> On Tue, Dec 11, 2012 at 11:25 AM, Dmitri Pal wrote:
>
>> On 12/11/2012 10:53 AM, Bret Wortman wrote:
>>
>> My replica install fails to create a DS instance:
>>
>> :
>> [2/30]: creating directory server instance
>> ipa : CRITICAL failed to create ds instance Command '/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmpp80GFc' returned non-zero exit status 1
>> [3/30]: adding default schema
>> :
>> :
>> [21/30]: setting up initial replication
>> Starting replication, please wait until this has completed.
>> [ipa.damascusgrp.com] reports: Update failed! Status: [-2 - System error]
>> creation of replica failed: Failed to start replication
>>
>> What could cause the DS setup to fail?
>>
>> SELinux policy for example, disk being out of space, previous install of
>> DS that has not been properly cleaned, etc...
>
> Please reply to the list.
>
> getenforce returns "Disabled", the root filesystem has 3G free, and
> this was a fresh kickstarted cobbler/puppet install. It is true that it was
> running as an IPA client prior to installation of the IPA server package,
> but I don't think that would have resulted in a piece of DS laying around,
> would it?
>
> It would not.
>
> The system is a virt-manager VM, in case that's related. I'm using
> IPA-2.2.0 on F17, though I'm trying to get 3.1.0 to build.
>
> Have you looked into the logs as I suggested?
>
>> And is the second error likely related as I believe it to be?
>>
>> Yes.
>> Please look at the install logs, they might have more info about what is
>> going on and why DS install failed.
--
Bret Wortman
The Damascus Group
Fairfax, VA
http://bretwortman.com/
http://twitter.com/BretWortman

From nalin at redhat.com Tue Dec 11 19:21:11 2012
From: nalin at redhat.com (Nalin Dahyabhai)
Date: Tue, 11 Dec 2012 14:21:11 -0500
Subject: [Freeipa-users] Announcing FreeIPA v3.1.0 Release
In-Reply-To:
References: <50C630CA.7000700@redhat.com>
Message-ID: <20121211192111.GA10714@redhat.com>

On Tue, Dec 11, 2012 at 01:04:37PM -0500, Bret Wortman wrote:
> This appears to require dirsrv-1.3, which I assume is part of
> 389-base-devel. I don't see where 1.3 has been made available yet, or am I
> missing something?

Hmm. I'm seeing packages for a 1.3.0-0.1.a1 in Fedora 18, and after a
little digging, I find tarballs for it after hitting the Developers page
and following the Source link to
http://directory.fedoraproject.org/wiki/Source

I guess we don't have a final 1.3.0 yet.
HTH, Nalin From rmeggins at redhat.com Tue Dec 11 19:26:29 2012 From: rmeggins at redhat.com (Rich Megginson) Date: Tue, 11 Dec 2012 12:26:29 -0700 Subject: [Freeipa-users] Announcing FreeIPA v3.1.0 Release In-Reply-To: <20121211192111.GA10714@redhat.com> References: <50C630CA.7000700@redhat.com> <20121211192111.GA10714@redhat.com> Message-ID: <50C788E5.6030806@redhat.com> On 12/11/2012 12:21 PM, Nalin Dahyabhai wrote: > On Tue, Dec 11, 2012 at 01:04:37PM -0500, Bret Wortman wrote: >> This appears to require dirsrv-1.3, which I assume is part of >> 389-base-devel. I don't see where 1.3 has been made available yet, or am I >> missing something? > Hmm. I'm seeing packages for a 1.3.0-0.1.a1 in Fedora 18, and after a > little digging, I find tarballs for it after hitting the Developers page > and following the Source link to > http://directory.fedoraproject.org/wiki/Source > > I guess we don't have a final 1.3.0 yet. 1.3.0.a1 has been tested extensively by the freeipa team - I don't think I would recommend using an alpha version in production, but it should be fine for testing/pilot deployments. > > HTH, > > Nalin > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users From Steven.Jones at vuw.ac.nz Tue Dec 11 20:04:34 2012 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Tue, 11 Dec 2012 20:04:34 +0000 Subject: [Freeipa-users] ipa-replica-install fails In-Reply-To: References: <50C75E70.80901@redhat.com> <50C784F9.7020806@redhat.com>, Message-ID: <833D8E48405E064EBC54C84EC6B36E405477D45B@STAWINCOX10MBX4.staff.vuw.ac.nz> Hi, I had this recently and it drove me nuts... you might want to get advice from people more knowledgeable than me on the process below, to make sure it's sane/OK.

8><---
[21/30]: setting up initial replication
Starting replication, please wait until this has completed.
[vuwunicoipam002.ods.vuw.ac.nz] reports: Update failed! Status: [-2 - System error]
creation of replica failed: Failed to start replication
Your system may be partly configured. Run /usr/sbin/ipa-server-install --uninstall to clean up.
[root at vuwunicoipam001 replica]#

The --uninstall seems not to clean up and remove some data in the LDAP, and a new machine fails to re-join. Something to do with tombstone references and I suppose other junk (too deep and techy for me).

So, run ipa-server-install --uninstall twice or thrice.

Then look for ldap data on the problem replica (ipam001) server:

ldapmodify -x -D "cn=directory manager" -W <<EOF
dn: cn=meTovuwunicoipam001.ods.vuw.ac.nz,cn=replica,cn=dc\3Dods\2Cdc\3Dvuw\2Cdc\3Dac\2Cdc\3Dcom,cn=mapping tree,cn=config
changetype: delete
EOF

I then did this and got all this cw*p...

8><-----------
[root at vuwunicoipam002 jonesst1]# ldapsearch -xLLL -D "cn=directory manager" -W -b dc=ods,dc=vuw,dc=ac,dc=nz '(&(nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff)(objectclass=nstombstone))' | grep ipam001
nsds50ruv: {replica 33 ldap://vuwunicoipam001.ods.vuw.ac.nz:389}
nsds50ruv: {replica 32 ldap://vuwunicoipam001.ods.vuw.ac.nz:389}
nsds50ruv: {replica 31 ldap://vuwunicoipam001.ods.vuw.ac.nz:389}
nsds50ruv: {replica 30 ldap://vuwunicoipam001.ods.vuw.ac.nz:389}
nsds50ruv: {replica 29 ldap://vuwunicoipam001.ods.vuw.ac.nz:389}
nsds50ruv: {replica 28 ldap://vuwunicoipam001.ods.vuw.ac.nz:389}
nsds50ruv: {replica 27 ldap://vuwunicoipam001.ods.vuw.ac.nz:389}
nsds50ruv: {replica 26 ldap://vuwunicoipam001.ods.vuw.ac.nz:389}
nsds50ruv: {replica 25 ldap://vuwunicoipam001.ods.vuw.ac.nz:389}
nsds50ruv: {replica 24 ldap://vuwunicoipam001.ods.vuw.ac.nz:389}
etc etc

I then cleaned them out with,

ldapmodify -x -D "cn=directory manager" -W -f 0001-mod.ldif

more 0001-mod.ldif
dn: cn=replica,cn=dc\3Dods\2Cdc\3Dvuw\2Cdc\3Dac\2Cdc\3Dnz,cn=mapping tree,cn=config
changetype: modify
replace: nsds5task
nsds5task: CLEANRUV33

rinse and repeat 32 etc to all.....

At that point I could get the ipa-replica command to work fine.
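The RUV clean-up Steven describes above, done as a script instead of by hand. This is an added example written for this page; it is not Steven's procedure verbatim and not FreeIPA or 389 DS tooling. It assumes the same suffix and host names as his post (dc=ods,dc=vuw,dc=ac,dc=nz, with vuwunicoipam001 as the dead master), a file holding the Directory Manager password, the OpenLDAP ldapsearch/ldapmodify clients, and that IPA names its agreements meTo<host>; the LDIF sample inside it is constructed, not real server output.

```shell
#!/bin/sh
# Added example, not Steven Jones's commands and not part of FreeIPA:
# find the replica IDs a dead master left in the RUV tombstone and build
# the CLEANRUV modifications Steven issued by hand, one per ID.
# Host names, suffix and password file are assumptions for this example.

# Join LDIF continuation lines (a line starting with a space continues the
# previous attribute value), so long nsds50ruv values are matched whole.
ldif_unfold() {
    awk '/^ / { buf = buf substr($0, 2); next }
         { if (buf != "") print buf; buf = $0 }
         END { if (buf != "") print buf }'
}

# Read LDIF on stdin and print the replica IDs that nsds50ruv values carry
# for HOST, highest first, one per line. Other hosts' IDs are ignored.
stale_replica_ids() {
    host_re=$(printf '%s' "$1" | sed 's/\./\\./g')
    ldif_unfold \
      | sed -n "s/^nsds50ruv: {replica \([0-9][0-9]*\) ldap:\/\/${host_re}:[0-9]*}.*/\1/p" \
      | sort -n -r -u
}

# Name the 389 DS mapping-tree entry for a suffix the way the server does:
# dc=a,dc=b  ->  cn=dc\3Da\2Cdc\3Db   ("=" and "," are hex-escaped)
mapping_tree_rdn() {
    printf 'cn=%s' "$(printf '%s' "$1" | sed -e 's/=/\\3D/g' -e 's/,/\\2C/g')"
}

# The LDIF Steven put in 0001-mod.ldif, generated for SUFFIX and RID.
cleanruv_ldif() {
    printf 'dn: cn=replica,%s,cn=mapping tree,cn=config\nchangetype: modify\nreplace: nsds5task\nnsds5task: CLEANRUV%s\n\n' \
        "$(mapping_tree_rdn "$1")" "$2"
}

# Driver: run on a surviving master as Directory Manager, password in PWFILE.
# Deletes the agreement to the dead host first (IPA names them meTo<host>,
# an assumption here), then cleans every replica ID that host still holds.
# Only for a host that is really gone: cleaning the ID of a live replica
# breaks replication with it.
clean_dead_master() {
    suffix="$1"; dead="$2"; pwfile="$3"
    ids=$(ldapsearch -xLLL -D "cn=directory manager" -y "$pwfile" -b "$suffix" \
            '(&(nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff)(objectclass=nstombstone))' \
            nsds50ruv | stale_replica_ids "$dead")
    if [ -z "$ids" ]; then
        echo "no RUV entries for $dead under $suffix" >&2
        return 1
    fi
    printf 'dn: cn=meTo%s,cn=replica,%s,cn=mapping tree,cn=config\nchangetype: delete\n\n' \
        "$dead" "$(mapping_tree_rdn "$suffix")" \
      | ldapmodify -x -D "cn=directory manager" -y "$pwfile" -c
    for rid in $ids; do
        cleanruv_ldif "$suffix" "$rid"
    done | ldapmodify -x -D "cn=directory manager" -y "$pwfile"
}

# Constructed sample of the ldapsearch output (no real server involved);
# the second "replica 32" line is folded the way LDIF wraps long values.
SAMPLE_RUV='dn: nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff,dc=ods,dc=vuw,dc=ac,dc=nz
nsds50ruv: {replicageneration} 50c01234000000040000
nsds50ruv: {replica 4 ldap://vuwunicoipam002.ods.vuw.ac.nz:389} 50c01234000000040000
nsds50ruv: {replica 33 ldap://vuwunicoipam001.ods.vuw.ac.nz:389}
nsds50ruv: {replica 32 ldap://vuwunicoipam001.ods.vuw.ac.nz:389} 50c0123400
 0000200000 50c0123500000020000
nsds50ruv: {replica 32 ldap://vuwunicoipam001.ods.vuw.ac.nz:389}'

# Usage on a real master (not run here):
#   clean_dead_master dc=ods,dc=vuw,dc=ac,dc=nz vuwunicoipam001.ods.vuw.ac.nz /root/dm.pw
```

Run it against a surviving master only once the dead replica is really gone: a CLEANRUV for an ID that a live replica still uses breaks replication with that replica, which is why the script matches IDs to one host name instead of clearing everything it finds. Try ipa-replica-manage del <host> first; on FreeIPA 3.0 and later, ipa-replica-manage list-ruv and ipa-replica-manage clean-ruv <ID> expose the same clean-up through the supported interface, and the script above is only for the case where those paths have already failed.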
regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 ________________________________ From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Bret Wortman [bret.wortman at damascusgrp.com] Sent: Wednesday, 12 December 2012 8:12 a.m. To: freeipa-users at redhat.com Subject: Re: [Freeipa-users] ipa-replica-install fails I'm working through them and may simply abandon the idea of automating the replica install. On Tue, Dec 11, 2012 at 2:09 PM, Dmitri Pal > wrote: On 12/11/2012 12:09 PM, Bret Wortman wrote: On Tue, Dec 11, 2012 at 11:25 AM, Dmitri Pal > wrote: On 12/11/2012 10:53 AM, Bret Wortman wrote: My replica install fails to create a DS instance: : [2/30]: creating directory server instance ipa : CRITICAL failed to create ds instance Command '/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmpp80GFc' returned non-zero exit status 1 [3/30]: adding default schema : : [21/30]: setting up initial replication Starting replication, please wait until this has completed. [ipa.damascusgrp.com] reports: Update failed! Status: [-2 - System error] creation of replica failed: Failed to start replication What could cause the DS setup to fail? SELinux policy for example, disk being out of space, previous install of DS that has not been properly cleaned, etc... Please reply to the list. getenforce returns "Disabled", the root filesystem has 3G free, and this was a fresh kickstarted cobbler/puppet install. It is true that it was running as an IPA client prior to installation of the IPA server package, but I don't think that would have resulted in a piece of DS laying around, would it? It would not. The system is a virt-manager VM, in case that's related. I'm using IPA-2.2.0 on F17, though I'm trying to get 3.1.0 to build. Have you looked into the logs as I suggested? And is the second error likely related as I believe it to be? Yes. 
Please look at the install logs, they might have more info about what is going on and why DS install failed. -- Bret Wortman The Damascus Group Fairfax, VA http://bretwortman.com/ http://twitter.com/BretWortman _______________________________________________ Freeipa-users mailing list Freeipa-users at redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users -- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ _______________________________________________ Freeipa-users mailing list Freeipa-users at redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users -- Bret Wortman The Damascus Group Fairfax, VA http://bretwortman.com/ http://twitter.com/BretWortman -- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -- Bret Wortman The Damascus Group Fairfax, VA http://bretwortman.com/ http://twitter.com/BretWortman -------------- next part -------------- An HTML attachment was scrubbed... URL: From rcritten at redhat.com Tue Dec 11 21:44:26 2012 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 11 Dec 2012 16:44:26 -0500 Subject: [Freeipa-users] Announcing FreeIPA v3.0.2 Release Message-ID: <50C7A93A.3020501@redhat.com> The FreeIPA team is proud to announce version FreeIPA v3.0.2. It can be downloaded from http://www.freeipa.org/page/Downloads. == Highlights in 3.0.2 == * WebUI: Change of default value of type of new group back to POSIX. * Lookup the user SID in external group as well. * Include sssd-managed domain/realm mapping file managed in krb5.conf. * Fix potential security error in cookie handling in ipa client tool, CVE-2012-5631. == Upgrading == An IPA server can be upgraded simply by installing updated rpms. The server does not need to be shut down in advance. 
Please note that the referential integrity extension requires an extended set of indexes to be configured. RPM update for an IPA server with an excessive number of hosts, SUDO or HBAC entries may require several minutes to finish.

If you have multiple servers you may upgrade them one at a time. It is expected that all servers will be upgraded in a relatively short period (days or weeks, not months). They should be able to co-exist peacefully, but new features will not be available on old servers, and enrolling a new client against an old server will result in the SSH keys not being uploaded.

Downgrading a server once upgraded is not supported.

Upgrading from 2.2.0 is supported. Upgrading from previous versions is not supported and has not been tested.

An enrolled client does not need the new packages installed unless you want to re-enroll it. SSH keys for already installed clients are not uploaded; you will have to re-enroll the client or manually upload the keys.

== Feedback ==

Please provide comments, bugs and other feedback via the freeipa-devel mailing list: http://www.redhat.com/mailman/listinfo/freeipa-devel

== Detailed Changelog since 3.0.1 ==

Alexander Bokovoy (3):
* ipasam: better Kerberos error handling in ipasam
* trusts: replace use of python-crypto by m2crypto
* Propagate kinit errors with trust account

Jakub Hrozek (4):
* Make enabling the autofs service more robust
* ipachangeconf: allow specifying non-default delimeter for options
* Specify includedir in krb5.conf on new installs
* Add the includedir to krb5.conf on upgrades

John Dennis (1):
* Compliant client side session cookie behavior

Lubomir Rintel (1):
* Drop unused readline import

Martin Kosek (5):
* Prepare spec file for Fedora 18
* Filter suffix in replication management tools
* Change network configuration file
* Improve ipa-replica-prepare error message
* Fix sshd feature check

Petr Viktorin (2):
* Provide explicit user name for Dogtag installation scripts
* Add Lubomir Rintel to
Contributors.txt

Petr Vobornik (4):
* WebUI: Change of default value of type of new group back to POSIX
* Editable sshkey, mac address field after upgrade
* Better licensing information of 3rd party code
* Better error message for login of users from other realms

Rob Crittenden (5):
* Honor the kdb options disabling KDC writes in ipa_lockout plugin
* Only update the list of running services in the installer or ipactl.
* Set min for selinux-policy to 3.11.1-60
* Reorder XML-RPC initialization in ipa-join to avoid segfault.
* Become IPA 3.0.2

Simo Sorce (1):
* MS-PAC: Special case NFS services

Sumit Bose (3):
* Lookup the user SID in external group as well
* Restart sssd after authconfig update
* Do not recommend how to configure DNS in error message

Tomas Babej (1):
* Add detection for users from trusted/invalid realms

From victor.rebli at gmail.com Wed Dec 12 02:01:15 2012 From: victor.rebli at gmail.com (victor nunes) Date: Wed, 12 Dec 2012 00:01:15 -0200 Subject: [Freeipa-users] Installing freeipa. Message-ID: Hello, I am trying to install FreeIPA with ipa-server-install, but when the question appears and I type the answer, the following error appears.

Enter the fully qualified domain name of the computer which you're setting up on server software. Using the form . Example: master.example.com.
Server host name [localhost]: localhost.tcc.teste.
The host name does not match localhost.tcc.teste the primary host name localhost. Please check /etc/hosts or DNS name resolution

My /etc/hosts:
127.0.0.1 localhost localhost

My /etc/host.conf:
order bind, order

And I have set up a DNS server on the machine as well. See the result of the nslookup command:

nslookup localhost.tcc.teste
Server: 127.0.0.1
Address: 127.0.0.1#53
Name: localhost.tcc.teste
Address: 127.0.0.1

That is, I do not see the reason for the error reported by FreeIPA. Anyone have any tips? -- “Viewed from the standpoint of youth, life seems an indefinitely long future, whereas in old age it seems a very short past.
Thus, at its beginning life presents itself the way things do when we look at them through binoculars held the wrong way round; but at its end it looks like things seen when the binoculars are used the normal way. A man needs to have grown old and lived long to perceive how short life is.” (Poem by Arthur Schopenhauer) -------------- next part -------------- An HTML attachment was scrubbed... URL: From Steven.Jones at vuw.ac.nz Wed Dec 12 02:12:09 2012 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Wed, 12 Dec 2012 02:12:09 +0000 Subject: [Freeipa-users] Installing freeipa. In-Reply-To: References: Message-ID: <833D8E48405E064EBC54C84EC6B36E405477E393@STAWINCOX10MBX4.staff.vuw.ac.nz> Hi,

1) In /etc/sysconfig/network have the fully qualified domain name of the host, and not just its short name.
2) In the hosts file have the IP, then the FQDN, then the short name on a new line.
3) Turn NetworkManager off and network on.
4) Reboot.

regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 ________________________________ From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of victor nunes [victor.rebli at gmail.com] Sent: Wednesday, 12 December 2012 3:01 p.m. To: freeipa-users at redhat.com Subject: [Freeipa-users] Installing freeipa. Hello, I am trying to install FreeIPA with ipa-server-install, but when the question appears and I type the answer, the following error appears. Enter the fully qualified domain name of the computer which you're setting up on server software. Using the form . Example: master.example.com. Server host name [localhost]: localhost.tcc.teste. The host name does not match localhost.tcc.teste the primary host name localhost. Please check /etc/hosts or DNS name resolution My /etc/hosts: 127.0.0.1 localhost localhost My /etc/host.conf: order bind, order And I have set up a DNS server on the machine as well.
See the result of the nslookup command: nslookup localhost.tcc.teste Server: 127.0.0.1 Address: 127.0.0.1#53 Name: localhost.tcc.teste Address: 127.0.0.1 That is, I do not see the reason for the error reported by FreeIPA. Anyone have any tips? -- “Viewed from the standpoint of youth, life seems an indefinitely long future, whereas in old age it seems a very short past. Thus, at its beginning life presents itself the way things do when we look at them through binoculars held the wrong way round; but at its end it looks like things seen when the binoculars are used the normal way. A man needs to have grown old and lived long to perceive how short life is.” (Poem by Arthur Schopenhauer) -------------- next part -------------- An HTML attachment was scrubbed... URL: From rcritten at redhat.com Wed Dec 12 14:50:48 2012 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 12 Dec 2012 09:50:48 -0500 Subject: [Freeipa-users] Announcing FreeIPA v3.0.2 Release In-Reply-To: References: <50C7A93A.3020501@redhat.com> Message-ID: <50C899C8.8020405@redhat.com> Bret Wortman wrote: > Is this (like 3.1.0) also intended for f18? The sss_idmap package > doesn't seem to be available for f17. No, F-18 will have 3.1. 3.0 GA won't be backported to F-17. We did a couple of pre-releases of 3.0 in F-17 because F-18 wasn't easily usable for quite a long time (in our humble opinion). rob > On Tue, Dec 11, 2012 at 4:44 PM, Rob Crittenden > wrote: > > The FreeIPA team is proud to announce version FreeIPA v3.0.2. > > It can be downloaded from http://www.freeipa.org/page/Downloads. > > == Highlights in 3.0.2 == > > * WebUI: Change of default value of type of new group back to POSIX. > * Lookup the user SID in external group as well. > * Include sssd-managed domain/realm mapping file managed in krb5.conf. > * Fix potential security error in cookie handling in ipa client > tool, CVE-2012-5631.
> > == Upgrading == > > An IPA server can be upgraded simply by installing updated rpms. The > server does not need to be shut down in advance. > > Please note, that the referential integrity extension requires an > extended set of indexes to be configured. RPM update for an IPA > server with a excessive number of hosts, SUDO or HBAC entries may > require several minutes to finish. > > If you have multiple servers you may upgrade them one at a time. It > is expected that all servers will be upgraded in a relatively short > period (days or weeks not months). They should be able to co-exist > peacefully but new features will not be available on old servers and > enrolling a new client against an old server will result in the SSH > keys not being uploaded. > > Downgrading a server once upgraded is not supported. > > Upgrading from 2.2.0 is supported. Upgrading from previous versions > is not supported and has not been tested. > > An enrolled client does not need the new packages installed unless > you want to re-enroll it. SSH keys for already installed clients are > not uploaded, you will have to re-enroll the client or manually > upload the keys. 
> > == Feedback == > > Please provide comments, bugs and other feedback via the > freeipa-devel mailing list: > http://www.redhat.com/mailman/__listinfo/freeipa-devel > > > == Detailed Changelog since 3.0.1 == > > Alexander Bokovoy (3): > * ipasam: better Kerberos error handling in ipasam > * trusts: replace use of python-crypto by m2crypto > * Propagate kinit errors with trust account > > Jakub Hrozek (4): > * Make enabling the autofs service more robust > * ipachangeconf: allow specifying non-default delimeter for options > * Specify includedir in krb5.conf on new installs > * Add the includedir to krb5.conf on upgrades > > John Dennis (1): > * Compliant client side session cookie behavior > > Lubomir Rintel (1): > * Drop unused readline import > > Martin Kosek (5): > * Prepare spec file for Fedora 18 > * Filter suffix in replication management tools > * Change network configuration file > * Improve ipa-replica-prepare error message > * Fix sshd feature check > > Petr Viktorin (2): > * Provide explicit user name for Dogtag installation scripts > * Add Lubomir Rintel to Contributors.txt > > Petr Vobornik (4): > * WebUI: Change of default value of type of new group back to POSIX > * Editable sshkey, mac address field after upgrade > * Better licensing information of 3rd party code > * Better error message for login of users from other realms > > Rob Crittenden (5): > * Honor the kdb options disabling KDC writes in ipa_lockout plugin > * Only update the list of running services in the installer or ipactl. > * Set min for selinux-policy to 3.11.1-60 > * Reorder XML-RPC initialization in ipa-join to avoid segfault. 
> * Become IPA 3.0.2 > > Simo Sorce (1): > * MS-PAC: Special case NFS services > > Sumit Bose (3): > * Lookup the user SID in external group as well > * Restart sssd after authconfig update > * Do not recommend how to configure DNS in error message > > Tomas Babej (1): > * Add detection for users from trusted/invalid realms > > _________________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/__mailman/listinfo/freeipa-users > > > > > > -- > Bret Wortman > The Damascus Group > Fairfax, VA > http://bretwortman.com/ > http://twitter.com/BretWortman > From bret.wortman at damascusgrp.com Wed Dec 12 14:46:17 2012 From: bret.wortman at damascusgrp.com (Bret Wortman) Date: Wed, 12 Dec 2012 09:46:17 -0500 Subject: [Freeipa-users] Announcing FreeIPA v3.0.2 Release In-Reply-To: <50C7A93A.3020501@redhat.com> References: <50C7A93A.3020501@redhat.com> Message-ID: Is this (like 3.1.0) also intended for f18? The sss_idmap package doesn't seem to be available for f17. On Tue, Dec 11, 2012 at 4:44 PM, Rob Crittenden wrote: > The FreeIPA team is proud to announce version FreeIPA v3.0.2. > > It can be downloaded from http://www.freeipa.org/page/**Downloads > . > > == Highlights in 3.0.2 == > > * WebUI: Change of default value of type of new group back to POSIX. > * Lookup the user SID in external group as well. > * Include sssd-managed domain/realm mapping file managed in krb5.conf. > * Fix potential security error in cookie handling in ipa client tool, > CVE-2012-5631. > > == Upgrading == > > An IPA server can be upgraded simply by installing updated rpms. The > server does not need to be shut down in advance. > > Please note, that the referential integrity extension requires an extended > set of indexes to be configured. RPM update for an IPA server with a > excessive number of hosts, SUDO or HBAC entries may require several minutes > to finish. > > If you have multiple servers you may upgrade them one at a time. 
It is > expected that all servers will be upgraded in a relatively short period > (days or weeks not months). They should be able to co-exist peacefully but > new features will not be available on old servers and enrolling a new > client against an old server will result in the SSH keys not being uploaded. > > Downgrading a server once upgraded is not supported. > > Upgrading from 2.2.0 is supported. Upgrading from previous versions is not > supported and has not been tested. > > An enrolled client does not need the new packages installed unless you > want to re-enroll it. SSH keys for already installed clients are not > uploaded, you will have to re-enroll the client or manually upload the keys. > > == Feedback == > > Please provide comments, bugs and other feedback via the freeipa-devel > mailing list: http://www.redhat.com/mailman/**listinfo/freeipa-devel > > == Detailed Changelog since 3.0.1 == > > Alexander Bokovoy (3): > * ipasam: better Kerberos error handling in ipasam > * trusts: replace use of python-crypto by m2crypto > * Propagate kinit errors with trust account > > Jakub Hrozek (4): > * Make enabling the autofs service more robust > * ipachangeconf: allow specifying non-default delimeter for options > * Specify includedir in krb5.conf on new installs > * Add the includedir to krb5.conf on upgrades > > John Dennis (1): > * Compliant client side session cookie behavior > > Lubomir Rintel (1): > * Drop unused readline import > > Martin Kosek (5): > * Prepare spec file for Fedora 18 > * Filter suffix in replication management tools > * Change network configuration file > * Improve ipa-replica-prepare error message > * Fix sshd feature check > > Petr Viktorin (2): > * Provide explicit user name for Dogtag installation scripts > * Add Lubomir Rintel to Contributors.txt > > Petr Vobornik (4): > * WebUI: Change of default value of type of new group back to POSIX > * Editable sshkey, mac address field after upgrade > * Better licensing information of 3rd party 
code > * Better error message for login of users from other realms > > Rob Crittenden (5): > * Honor the kdb options disabling KDC writes in ipa_lockout plugin > * Only update the list of running services in the installer or ipactl. > * Set min for selinux-policy to 3.11.1-60 > * Reorder XML-RPC initialization in ipa-join to avoid segfault. > * Become IPA 3.0.2 > > Simo Sorce (1): > * MS-PAC: Special case NFS services > > Sumit Bose (3): > * Lookup the user SID in external group as well > * Restart sssd after authconfig update > * Do not recommend how to configure DNS in error message > > Tomas Babej (1): > * Add detection for users from trusted/invalid realms > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > -- Bret Wortman The Damascus Group Fairfax, VA http://bretwortman.com/ http://twitter.com/BretWortman -------------- next part -------------- An HTML attachment was scrubbed... URL: From Rashard.Kelly at sita.aero Wed Dec 12 17:09:40 2012 From: Rashard.Kelly at sita.aero (Rashard.Kelly at sita.aero) Date: Wed, 12 Dec 2012 12:09:40 -0500 Subject: [Freeipa-users] Disadantages of using external DNS Message-ID: What are the disadvantages of using an external DNS source? My three options are to install DNS services on the IPA server, use the local Active Directory DNS, or connect to a Linux-based DNS appliance. Is it common not to use DNS at all? If so, what are the drawbacks? My goal is consolidating all local administration of users to a centralized place in our environment. I have been reading the documentation and the mailing list archives; forgive me if I have overlooked this answer. Thanks, Rashard This document is strictly confidential and intended only for use by the addressee unless otherwise stated. If you are not the intended recipient, please notify the sender immediately and delete it from your system.
-------------- next part -------------- An HTML attachment was scrubbed... URL: From pspacek at redhat.com Wed Dec 12 17:42:17 2012 From: pspacek at redhat.com (Petr Spacek) Date: Wed, 12 Dec 2012 18:42:17 +0100 Subject: [Freeipa-users] Disadantages of using external DNS In-Reply-To: References: Message-ID: <50C8C1F9.1080900@redhat.com> On 12/12/2012 06:09 PM, Rashard.Kelly at sita.aero wrote: > What are the disadvantages of using an external DNS source? You have to create and update all records by hand. Generally, it will work if you are careful. Also, you will get a quest after adding a new IPA replica, potentially after adding a host to the IPA realm, and so on. > My three options > are install DNS services on the IPA server, That is the best way. It will provide seamless integration for you. All records will be created and updated as necessary. > use the local Active Directory > DNS, or connect to a linux based DNS appliance. Generally, they are external DNS servers. I'm not aware of any big differences (from the IPA point of view). > Is it common not to use DNS at > all if so what are the drawbacks? You can run IPA without any DNS, but it will be a pain. You have to configure each host with the address of the KDC etc. Generally, you have to statically configure /etc/krb5.conf, /etc/sssd* and others. We don't support that (in other ways than recommendations). Also, configuration without DNS will not work with AD trusts. > My goal is consolidating all local administration of users to a centralized > place in our environment. I have been reading the documentation and the > mailing list archives, forgive me If I have overlooked this answer. I would recommend adding a sub-domain for IPA and letting IPA manage this sub-domain. If you are in an AD shop "example.com", then you can create the sub-domain "ipa.example.com" and delegate (via NS+A records) this ipa sub-domain from the AD server to the IPA server with integrated DNS.
Some very basic info can be found in https://fedorahosted.org/freeipa/ticket/3268 specifically https://fedorahosted.org/freeipa/attachment/ticket/3268/3268.v2 Let us know if you need any assistance. > > Thanks, > Rashard > > > > > This document is strictly confidential and intended only for use by the > addressee unless otherwise stated. If you are not the intended recipient, > please notify the sender immediately and delete it from your system. Good joke (on public mailing list) :-D -- Petr^2 Spacek From bret.wortman at damascusgrp.com Wed Dec 12 17:53:33 2012 From: bret.wortman at damascusgrp.com (Bret Wortman) Date: Wed, 12 Dec 2012 12:53:33 -0500 Subject: [Freeipa-users] ipa-replica-install fails In-Reply-To: <833D8E48405E064EBC54C84EC6B36E405477D45B@STAWINCOX10MBX4.staff.vuw.ac.nz> References: <50C75E70.80901@redhat.com> <50C784F9.7020806@redhat.com> <833D8E48405E064EBC54C84EC6B36E405477D45B@STAWINCOX10MBX4.staff.vuw.ac.nz> Message-ID: Thanks! I'll give your approach a try before I surrender. On Tue, Dec 11, 2012 at 3:04 PM, Steven Jones wrote: > Hi, > > I had this recently and it drove me nuts...might want to take more > knowledgeable ppls than me advice on the process below to make sure its > sane/OK. > > 8><--- > [21/30]: setting up initial replication Starting replication, please wait > until this has completed. [vuwunicoipam002.ods.vuw.ac.nz] > > reports: Update failed! Status: [-2 - System error] creation of replica > failed: > Failed to start replication Your system may be partly configured. > Run /usr/sbin/ipa-server-install --uninstall to clean up. > [root at vuwunicoipam001 replica]# > > The --uninstall seems to not clean up and remove some data in the ldap and > a new machine fails to re-join. Something to do with tombstone references > and I suppose other junk (to deep and techy for me). > > So, run the IPA-server-install --uninstall twice or thrice. 
> > Then look for ldap data on the problem replica (ipam001) server:
> >
> > ldapmodify -x -D "cn=directory manager" -W <<EOF
> > dn: cn=meTovuwunicoipam001.ods.vuw.ac.nz,cn=replica,cn=dc\3Dods\2Cdc\3Dvuw\2Cdc\3Dac\2Cdc\3Dcom,cn=mapping tree,cn=config
> > changetype: delete
> > EOF
> >
> > I then did this and got all this cw*p...
> >
> > 8><-----------
> > [root at vuwunicoipam002 jonesst1]# ldapsearch -xLLL -D "cn=directory manager" -W -b dc=ods,dc=vuw,dc=ac,dc=nz '(&(nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff)(objectclass=nstombstone))' | grep ipam001
> > nsds50ruv: {replica 33 ldap://vuwunicoipam001.ods.vuw.ac.nz:389}
> > nsds50ruv: {replica 32 ldap://vuwunicoipam001.ods.vuw.ac.nz:389}
> > nsds50ruv: {replica 31 ldap://vuwunicoipam001.ods.vuw.ac.nz:389}
> > nsds50ruv: {replica 30 ldap://vuwunicoipam001.ods.vuw.ac.nz:389}
> > nsds50ruv: {replica 29 ldap://vuwunicoipam001.ods.vuw.ac.nz:389}
> > nsds50ruv: {replica 28 ldap://vuwunicoipam001.ods.vuw.ac.nz:389}
> > nsds50ruv: {replica 27 ldap://vuwunicoipam001.ods.vuw.ac.nz:389}
> > nsds50ruv: {replica 26 ldap://vuwunicoipam001.ods.vuw.ac.nz:389}
> > nsds50ruv: {replica 25 ldap://vuwunicoipam001.ods.vuw.ac.nz:389}
> > nsds50ruv: {replica 24 ldap://vuwunicoipam001.ods.vuw.ac.nz:389}
> >
> > etc
> >
> > etc
> >
> > I then cleaned them out with,
> >
> > ldapmodify -x -D "cn=directory manager" -W -f 0001-mod.ldif
> >
> > more 0001-mod.ldif
> > dn: cn=replica,cn=dc\3Dods\2Cdc\3Dvuw\2Cdc\3Dac\2Cdc\3Dnz,cn=mapping tree,cn=config
> > changetype: modify
> > replace: nsds5task
> > nsds5task: CLEANRUV33
> >
> > rinse and repeat 32 etc to all.....
> >
> > At that point I could get the ipa-replica command to work fine.
> >
> >
> > regards
> >
> > Steven Jones
> >
> > Technical Specialist - Linux RHCE
> >
> > Victoria University, Wellington, NZ
> >
> > 0064 4 463 6272
> > ------------------------------
> > *From:* freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Bret Wortman [bret.wortman at damascusgrp.com]
> > *Sent:* Wednesday, 12 December 2012 8:12 a.m.
> *To:* freeipa-users at redhat.com > *Subject:* Re: [Freeipa-users] ipa-replica-install fails > > I'm working through them and may simply abandon the idea of automating > the replica install. > > > On Tue, Dec 11, 2012 at 2:09 PM, Dmitri Pal wrote: > >> On 12/11/2012 12:09 PM, Bret Wortman wrote: >> >> >> >> >> On Tue, Dec 11, 2012 at 11:25 AM, Dmitri Pal wrote: >> >>> On 12/11/2012 10:53 AM, Bret Wortman wrote: >>> >>> My replica install fails to create a DS instance: >>> >>> : >>> [2/30]: creating directory server instance >>> ipa : CRITICAL failed to create ds instance Command '/usr/sbin/ >>> setup-ds.pl --silent --logfile - -f /tmp/tmpp80GFc' returned non-zero >>> exit status 1 >>> [3/30]: adding default schema >>> : >>> : >>> [21/30]: setting up initial replication >>> Starting replication, please wait until this has completed. >>> [ipa.damascusgrp.com] reports: Update failed! Status: [-2 - System >>> error] >>> creation of replica failed: Failed to start replication >>> >>> What could cause the DS setup to fail? >>> >>> >>> SELinux policy for example, disk being out of space, previous install >>> of DS that has not been properly cleaned, etc... >>> >> >> >> Please reply to the list. >> >> >> >> getenforce returns "Disabled", the root filesystem has 3G free, and >> this was a fresh kickstarted cobbler/puppet install. It is true that it was >> running as an IPA client prior to installation of the IPA server package, >> but I don't think that would have resulted in a piece of DS laying around, >> would it? >> >> >> It would not. >> >> >> >> The system is a virt-manager VM, in case that's related. I'm using >> IPA-2.2.0 on F17, though I'm trying to get 3.1.0 to build. >> >> >> >> Have you looked into the logs as I suggested? >> >> >>> >>> And is the second error likely related as I believe it to be? >>> >>> Yes. >>> Please look at the install logs, they might have more info about what is >>> going on and why DS install failed. 
>>>
>>> --
>>> Bret Wortman
>>> The Damascus Group
>>> Fairfax, VA
>>> http://bretwortman.com/
>>> http://twitter.com/BretWortman
>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>
>>> --
>>> Thank you,
>>> Dmitri Pal
>>>
>>> Sr. Engineering Manager for IdM portfolio
>>> Red Hat Inc.
>>>
>>> -------------------------------
>>> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
>>>
>> --
>> Bret Wortman
>> The Damascus Group
>> Fairfax, VA
>> http://bretwortman.com/
>> http://twitter.com/BretWortman
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager for IdM portfolio
>> Red Hat Inc.
>>
>> -------------------------------
>> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
>>
>
> --
> Bret Wortman
> The Damascus Group
> Fairfax, VA
> http://bretwortman.com/
> http://twitter.com/BretWortman
>

--
Bret Wortman
The Damascus Group
Fairfax, VA
http://bretwortman.com/
http://twitter.com/BretWortman

From erinn.looneytriggs at gmail.com Wed Dec 12 18:15:26 2012
From: erinn.looneytriggs at gmail.com (Erinn Looney-Triggs)
Date: Wed, 12 Dec 2012 10:15:26 -0800
Subject: [Freeipa-users] Disadvantages of using external DNS
In-Reply-To:
References:
Message-ID: <50C8C9BE.9020703@gmail.com>

On 12/12/12 09:09, Rashard.Kelly at sita.aero wrote:
> What are the disadvantages of using an external DNS source?
> My three options are install DNS services on the IPA server, use the local Active Directory DNS, or connect to a linux based DNS appliance. Is it common not to use DNS at all? If so, what are the drawbacks?
>
> My goal is consolidating all local administration of users to a centralized place in our environment. I have been reading the documentation and the mailing list archives, forgive me if I have overlooked this answer.
>
> Thanks,
> Rashard
>
> This document is strictly confidential and intended only for use by the addressee unless otherwise stated. If you are not the intended recipient, please notify the sender immediately and delete it from your system.
>

You are going to lose out on some of the slicker integration features like putting SSHFP records in place for hosts, as well as automatic population when a host joins/leaves. However, other than that, I don't believe you lose much. I have been managing DNS separately via named from day one. In fact, though I haven't checked on this recently, I don't believe IPA supports DNSSEC, which I am running, so I am obliged to run my DNS separately.

-Erinn

From patrick at vanbelle.com Wed Dec 12 18:45:43 2012
From: patrick at vanbelle.com (Patrick Bakker)
Date: Wed, 12 Dec 2012 10:45:43 -0800
Subject: [Freeipa-users] DNS: sub-domain or new domain
Message-ID:

I just joined this list because I was curious about the recent discussion that Rashard Kelly had started about whether to use FreeIPA's integrated DNS or whether to disable DNS. I'm wondering about a very similar thing.
I have a bunch of Linux servers that I'd like to start managing more centrally but we have Active Directory running the network right now.

I looked at the bug attachment Petr Spacek recommended (https://fedorahosted.org/freeipa/attachment/ticket/3268/3268.v2) but one thing I didn't see there is a discussion of whether to use an entirely different domain. As this is the direction I'm inclined to, I'm curious if there is some good reason not to do it.

Suppose I have a company ACME Widgets which is running *acmewidgets.local* under Active Directory. Does it simplify anything if I were to run all my Linux boxes under FreeIPA under an entirely different domain such as *acme.local*? Since I have completely separate DNS records I shouldn't need to worry about any DNS integration. Will this complicate a future trust between the AD domain *acmewidgets.local* and the FreeIPA domain *acme.local* if I want to do that at some point?

Is the website planned to be updated again soon? Looking through the documentation I only see old versions listed. Also, clicking the roadmaps, future version plans, etc... appear to be updated.

Thanks!
Patrick

From victor.rebli at gmail.com Wed Dec 12 18:48:46 2012
From: victor.rebli at gmail.com (victor nunes)
Date: Wed, 12 Dec 2012 16:48:46 -0200
Subject: [Freeipa-users] Installing freeipa.
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E405477E393@STAWINCOX10MBX4.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E405477E393@STAWINCOX10MBX4.staff.vuw.ac.nz>
Message-ID:

Thanks for the reply.

I guess I do not understand what you meant in item 2.

What should I put in /etc/hosts?

Regards,

2012/12/12 Steven Jones

> Hi,
>
> 1) In /etc/sysconfig/network have the fully qualified domain name of the host, and not just its short name.
>
> 2) In hosts file have the IP, then FQDN then short name on a new line.
>
> 3) Turn NetworkManager off and network on
>
> 4) reboot
>
> regards
>
> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
> 0064 4 463 6272
> ------------------------------
> *From:* freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of victor nunes [victor.rebli at gmail.com]
> *Sent:* Wednesday, 12 December 2012 3:01 p.m.
> *To:* freeipa-users at redhat.com
> *Subject:* [Freeipa-users] Installing freeipa.
>
> Hello, I am trying to install FreeIPA with ipa-server-install, but when the question appears, I type and the following error appears.
>
> Enter the fully qualified domain name of the computer
> Which you're setting up on server software. Using the form
> .
> Example: master.example.com.
>
> Server host name [localhost]: localhost.tcc.teste.
>
> The host name does not match localhost.tcc.teste the primary host name localhost. Please check / etc / hosts or DNS name resolution
>
> my /etc/hosts:
>
> 127.0.0.1 localhost localhost
>
> My /etc/host.conf:
>
> order bind, order
>
> And I setup a dns server on the machine yet.
> see the result of nslookup command:
>
> nslookup localhost.tcc.teste
> Server: 127.0.0.1
> Address: 127.0.0.1#53
>
> Name: localhost.tcc.teste
> Address: 127.0.0.1
>
> That is, I do not see why the error provided by FreeIPA.
>
> Anyone have any tips?
>
> --
> "Seen from the point of view of youth, life seems an indefinitely long future, whereas in old age it seems a very short past. Thus, life at its beginning presents itself the same way things do when we look at them through binoculars held the wrong way round; but at its end, it looks like things seen when the binoculars are used the normal way. A man must have grown old and lived a long time to realize how short life is."
>
> (Poem by Arthur Schopenhauer)
>

--
"Seen from the point of view of youth, life seems an indefinitely long future, whereas in old age it seems a very short past. Thus, life at its beginning presents itself the same way things do when we look at them through binoculars held the wrong way round; but at its end, it looks like things seen when the binoculars are used the normal way. A man must have grown old and lived a long time to realize how short life is."

(Poem by Arthur Schopenhauer)

From simo at redhat.com Wed Dec 12 18:59:50 2012
From: simo at redhat.com (Simo Sorce)
Date: Wed, 12 Dec 2012 13:59:50 -0500
Subject: [Freeipa-users] DNS: sub-domain or new domain
In-Reply-To:
References:
Message-ID: <1355338790.5073.137.camel@willson.li.ssimo.org>

On Wed, 2012-12-12 at 10:45 -0800, Patrick Bakker wrote:
> I just joined this list because I was curious about the recent discussion that Rashard Kelly had started about whether to use FreeIPA's integrated DNS or whether to disable DNS. I'm wondering about a very similar thing. I have a bunch of Linux servers that I'd like to start managing more centrally but we have Active Directory running the network right now.
>
> I looked at the bug attachment Petr Spacek recommended (https://fedorahosted.org/freeipa/attachment/ticket/3268/3268.v2) but one thing I didn't see there is a discussion of whether to use an entirely different domain. As this is the direction I'm inclined to, I'm curious if there is some good reason not to do it.
>
> Suppose I have a company ACME Widgets which is running acmewidgets.local under Active Directory. Does it simplify anything if I were to run all my Linux boxes under FreeIPA under an entirely different domain such as acme.local?
It will avoid the need to do delegation but you will need to set up conditional forwarders if you want to resolve both domains from all machines.

Also do not use .local, that domain name is used by zeroconf style stuff and can cause issues (in a windows domain too), use something like .lan

> Since I have completely separate DNS records I shouldn't need to worry about any DNS integration. Will this complicate a future trust between the AD domain acmewidgets.local and the FreeIPA domain acme.local if I want to do that at some point?

No, trusts are better with completely separate root domains, they certainly can't work if you use the same domain.
However there is at least 1 minor 'integration' step, you need conditional forwarders in both systems so one can forward queries to the other for its clients.

> Is the website planned to be updated again soon? Looking through the documentation I only see old versions listed. Also, clicking the roadmaps, future version plans, etc... appear to be updated.
>

We keep adding documentation as we produce it. Is there anything specific you find missing besides updated manuals?
We should have docs for 3.0/3.1 soon courtesy of Fedora 18.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From natxo.asenjo at gmail.com Wed Dec 12 19:16:18 2012
From: natxo.asenjo at gmail.com (Natxo Asenjo)
Date: Wed, 12 Dec 2012 20:16:18 +0100
Subject: [Freeipa-users] DNS: sub-domain or new domain
In-Reply-To:
References:
Message-ID:

hi,

On Wed, Dec 12, 2012 at 7:45 PM, Patrick Bakker wrote:
> I just joined this list because I was curious about the recent discussion that Rashard Kelly had started about whether to use FreeIPA's integrated DNS or whether to disable DNS. I'm wondering about a very similar thing. I have a bunch of Linux servers that I'd like to start managing more centrally but we have Active Directory running the network right now.
>
> I looked at the bug attachment Petr Spacek recommended (https://fedorahosted.org/freeipa/attachment/ticket/3268/3268.v2) but one thing I didn't see there is a discussion of whether to use an entirely different domain. As this is the direction I'm inclined to, I'm curious if there is some good reason not to do it.
>
> Suppose I have a company ACME Widgets which is running acmewidgets.local under Active Directory. Does it simplify anything if I were to run all my Linux boxes under FreeIPA under an entirely different domain such as acme.local?

we have an acme.local AD domain as well. Our AD domain controllers have integrated dns. The AD dns servers have an acme.tld zone as well (for a split dns view of our internet facing infrastructure).

What we have done is delegate a new subdomain of this acme.tld domain: unix.acme.tld; the new subdomain is for IPA. In your AD dns server you create a delegation of the acme.tld zone and create glue records for the NS servers of the IPA unix.acme.tld. So every time you create a replica of an IPA server you add a glue NS record to the delegation record. This is a recommended best practice by Microsoft (see http://support.microsoft.com/kb/909264, scroll down to section 'Other factors', section 'best practices').

> Since I have completely separate DNS records I shouldn't need to worry about any DNS integration. Will this complicate a future trust between the AD domain acmewidgets.local and the FreeIPA domain acme.local if I want to do that at some point?

I do not think so. In typical unix kerberos trusts, a sub domain implicitly trusts its parent. If you use separate zones you do not have this risk.

--
regards,
natxo

From rcritten at redhat.com Wed Dec 12 19:19:24 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 12 Dec 2012 14:19:24 -0500
Subject: [Freeipa-users] Installing freeipa.
In-Reply-To:
References: <833D8E48405E064EBC54C84EC6B36E405477E393@STAWINCOX10MBX4.staff.vuw.ac.nz>
Message-ID: <50C8D8BC.8030306@redhat.com>

victor nunes wrote:
> Thanks for the reply.
>
> I guess I do not understand what you meant in item 2.
>
> What should I put in /etc/hosts?

If I understand what you're doing, you're trying to configure on localhost, 127.0.0.1? What is the purpose of this, it would be non-networked.

rob

> Regards,
>
> 2012/12/12 Steven Jones
>
> Hi,
>
> 1) In /etc/sysconfig/network have the fully qualified domain name of the host, and not just its short name.
>
> 2) In hosts file have the IP, then FQDN then short name on a new line.
>
> 3) Turn NetworkManager off and network on
>
> 4) reboot
>
> regards
>
> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
> 0064 4 463 6272
>
> ------------------------------------------------------------------------
> *From:* freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of victor nunes [victor.rebli at gmail.com]
> *Sent:* Wednesday, 12 December 2012 3:01 p.m.
> *To:* freeipa-users at redhat.com
> *Subject:* [Freeipa-users] Installing freeipa.
>
> Hello, I am trying to install FreeIPA with ipa-server-install, but when the question appears, I type and the following error appears.
>
> Enter the fully qualified domain name of the computer
> Which you're setting up on server software. Using the form
> .
> Example: master.example.com.
>
> Server host name [localhost]: localhost.tcc.teste.
>
> The host name does not match localhost.tcc.teste the primary host name localhost. Please check / etc / hosts or DNS name resolution
>
> my /etc/hosts:
>
> 127.0.0.1 localhost localhost
>
> My /etc/host.conf:
>
> order bind, order
>
> And I setup a dns server on the machine yet.
> see the result of nslookup command:
>
> nslookup localhost.tcc.teste
> Server: 127.0.0.1
> Address: 127.0.0.1#53
>
> Name: localhost.tcc.teste
> Address: 127.0.0.1
>
> That is, I do not see why the error provided by FreeIPA.
>
> Anyone have any tips?
>
> --
> "Seen from the point of view of youth, life seems an indefinitely long future, whereas in old age it seems a very short past. Thus, life at its beginning presents itself the same way things do when we look at them through binoculars held the wrong way round; but at its end, it looks like things seen when the binoculars are used the normal way. A man must have grown old and lived a long time to realize how short life is."
>
> (Poem by Arthur Schopenhauer)
>
> --
> "Seen from the point of view of youth, life seems an indefinitely long future, whereas in old age it seems a very short past. Thus, life at its beginning presents itself the same way things do when we look at them through binoculars held the wrong way round; but at its end, it looks like things seen when the binoculars are used the normal way. A man must have grown old and lived a long time to realize how short life is."
>
> (Poem by Arthur Schopenhauer)
>

From natxo.asenjo at gmail.com Wed Dec 12 19:29:51 2012
From: natxo.asenjo at gmail.com (Natxo Asenjo)
Date: Wed, 12 Dec 2012 20:29:51 +0100
Subject: [Freeipa-users] error adding replica
In-Reply-To: <50C20B07.3040805@redhat.com>
References: <50BCCA3D.6070807@redhat.com> <50C20B07.3040805@redhat.com>
Message-ID:

hi,

On Fri, Dec 7, 2012 at 4:28 PM, Rob Crittenden wrote:
>> a bit late, but here is the output of /var/log/ipareplica-install.log and /var/log/pki-ca/debug; I did not find a /var/log/ipaserver-install.log in the replica server.
>
> The dogtag installer is failing with the error "The pkcs12 file is not correct." I'll need to defer to a dogtag engineer to explain what this means, and how to fix it.

would you like me to keep a copy of these vm's in this state in order to keep testing this error?

Otherwise I was planning on reinstalling the realm and starting afresh with the latest version. I have seen that creating replicas when starting with 6.3 (so no upgrading from 6.1 to 6.2 and then 6.3) just works (TM), and this was just a test lab anyway.

--
regards,
natxo

From Steven.Jones at vuw.ac.nz Wed Dec 12 20:05:38 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Wed, 12 Dec 2012 20:05:38 +0000
Subject: [Freeipa-users] Installing freeipa.
In-Reply-To:
References: <833D8E48405E064EBC54C84EC6B36E405477E393@STAWINCOX10MBX4.staff.vuw.ac.nz>,
Message-ID: <833D8E48405E064EBC54C84EC6B36E405477E65A@STAWINCOX10MBX4.staff.vuw.ac.nz>

Hi,

something like,

192.168.1.121 mymachine.unix.org.nz mymachine

So IP, fully qualified domain name and hostname in that order...
regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________
From: victor nunes [victor.rebli at gmail.com]
Sent: Thursday, 13 December 2012 7:48 a.m.
To: Steven Jones
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Installing freeipa.

Thanks for the reply.

I guess I do not understand what you meant in item 2.

What should I put in /etc/hosts?

Regards,

2012/12/12 Steven Jones
> Hi,

1) In /etc/sysconfig/network have the fully qualified domain name of the host, and not just its short name.

2) In hosts file have the IP, then FQDN then short name on a new line.

3) Turn NetworkManager off and network on

4) reboot

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of victor nunes [victor.rebli at gmail.com]
Sent: Wednesday, 12 December 2012 3:01 p.m.
To: freeipa-users at redhat.com
Subject: [Freeipa-users] Installing freeipa.

Hello, I am trying to install FreeIPA with ipa-server-install, but when the question appears, I type and the following error appears.

Enter the fully qualified domain name of the computer
Which you're setting up on server software. Using the form
.
Example: master.example.com.

Server host name [localhost]: localhost.tcc.teste.

The host name does not match localhost.tcc.teste the primary host name localhost. Please check / etc / hosts or DNS name resolution

my /etc/hosts:

127.0.0.1 localhost localhost

My /etc/host.conf:

order bind, order

And I setup a dns server on the machine yet.
see the result of nslookup command:

nslookup localhost.tcc.teste
Server: 127.0.0.1
Address: 127.0.0.1#53

Name: localhost.tcc.teste
Address: 127.0.0.1

That is, I do not see why the error provided by FreeIPA.

Anyone have any tips?
--
"Seen from the point of view of youth, life seems an indefinitely long future, whereas in old age it seems a very short past. Thus, life at its beginning presents itself the same way things do when we look at them through binoculars held the wrong way round; but at its end, it looks like things seen when the binoculars are used the normal way. A man must have grown old and lived a long time to realize how short life is."

(Poem by Arthur Schopenhauer)

--
"Seen from the point of view of youth, life seems an indefinitely long future, whereas in old age it seems a very short past. Thus, life at its beginning presents itself the same way things do when we look at them through binoculars held the wrong way round; but at its end, it looks like things seen when the binoculars are used the normal way. A man must have grown old and lived a long time to realize how short life is."

(Poem by Arthur Schopenhauer)

From dpal at redhat.com Thu Dec 13 00:46:10 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 12 Dec 2012 19:46:10 -0500
Subject: [Freeipa-users] error adding replica
In-Reply-To:
References: <50BCCA3D.6070807@redhat.com> <50C20B07.3040805@redhat.com>
Message-ID: <50C92552.3080908@redhat.com>

On 12/12/2012 02:29 PM, Natxo Asenjo wrote:
> hi,
>
> On Fri, Dec 7, 2012 at 4:28 PM, Rob Crittenden wrote:
>
>>> a bit late, but here is the output of /var/log/ipareplica-install.log and /var/log/pki-ca/debug; I did not find a /var/log/ipaserver-install.log in the replica server.
>>
>> The dogtag installer is failing with the error "The pkcs12 file is not correct." I'll need to defer to a dogtag engineer to explain what this means, and how to fix it.
> would you like me to keep a copy of these vm's in this state in order to keep testing this error?
>
> Otherwise I was planning on reinstalling the realm and starting afresh with the latest version. I have seen that creating replicas when starting with 6.3 (so no upgrading from 6.1 to 6.2 and then 6.3) just works (TM), and this was just a test lab anyway.
>

The holidays are coming. It is unlikely that we would be able to look into it till Jan.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From dpal at redhat.com Thu Dec 13 01:05:54 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 12 Dec 2012 20:05:54 -0500
Subject: [Freeipa-users] DNS: sub-domain or new domain
In-Reply-To:
References:
Message-ID: <50C929F2.5090801@redhat.com>

On 12/12/2012 01:45 PM, Patrick Bakker wrote:
>
> Is the website planned to be updated again soon? Looking through the documentation I only see old versions listed. Also, clicking the roadmaps, future version plans, etc... appear to be updated.
>

Patrick,

I would love to make the site more relevant. What do you have in mind?

We use a trac instance for all planning and scheduling and one can see a lot of activity there. It is sort of a dynamic roadmap.

https://fedorahosted.org/freeipa/report/3

Next big bucket is the Pilsner release. We would have to slice it in multiple different chunks but it is the direction. I should probably put this information on the wiki.

Is there anything else that jumps out?

> Thanks!
> Patrick
>

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
From dpal at redhat.com Thu Dec 13 00:53:52 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 12 Dec 2012 19:53:52 -0500
Subject: [Freeipa-users] Disadvantages of using external DNS
In-Reply-To: <50C8C1F9.1080900@redhat.com>
References: <50C8C1F9.1080900@redhat.com>
Message-ID: <50C92720.3070907@redhat.com>

On 12/12/2012 12:42 PM, Petr Spacek wrote:
> On 12/12/2012 06:09 PM, Rashard.Kelly at sita.aero wrote:
>> What are the disadvantages of using an external DNS source?
> You have to create and update all records by hand. Generally, it will work if you are careful. Also, you will get quest after adding a new IPA replica, potentially after adding a host to IPA realm and so on.
>
>> My three options are install DNS services on the IPA server,
> That is the best way. It will provide seamless integration for you. All records will be created and updated as necessary.
>
>> use the local Active Directory DNS, or connect to a linux based DNS appliance.
> Generally, they are external DNS servers. I'm not aware of any big differences (from IPA point of view).
>
>> Is it common not to use DNS at all if so what are the drawbacks?
> You can run IPA without any DNS, but it will be a pain. You have to configure each host with the address of the KDC etc. Generally, you have to statically configure /etc/krb5.conf, /etc/sssd* and others.
>
> We don't support that (in other ways than recommendations). Also, configuration without DNS will not work with AD trusts.

We do support it in SSSD 1.9 and IPA 3.0 for IPA client machines. That was an explicit requirement to allow the use of static host definitions and avoid relying on DNS. It is just a lot of management burden for someone to use, but there are cases when internal company policies prevent doing anything more reasonable.

>
>> My goal is consolidating all local administration of users to a centralized place in our environment.
>> I have been reading the documentation and the mailing list archives, forgive me if I have overlooked this answer.
> I would recommend adding a sub-domain for IPA and letting IPA manage this sub-domain.
>
> If you are in an AD shop "example.com", then you can create sub-domain "ipa.example.com" and delegate (via NS+A records) this ipa sub-domain from AD server to IPA server with integrated DNS.
>
> Some very basic info can be found in
> https://fedorahosted.org/freeipa/ticket/3268
> specifically
> https://fedorahosted.org/freeipa/attachment/ticket/3268/3268.v2
>
> Let us know if you need any assistance.
>
>> Thanks,
>> Rashard
>>
>> This document is strictly confidential and intended only for use by the addressee unless otherwise stated. If you are not the intended recipient, please notify the sender immediately and delete it from your system.
> Good joke (on public mailing list) :-D
>

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From pspacek at redhat.com Thu Dec 13 08:21:50 2012
From: pspacek at redhat.com (Petr Spacek)
Date: Thu, 13 Dec 2012 09:21:50 +0100
Subject: [Freeipa-users] DNS: sub-domain or new domain
In-Reply-To: <1355338790.5073.137.camel@willson.li.ssimo.org>
References: <1355338790.5073.137.camel@willson.li.ssimo.org>
Message-ID: <50C9901E.9000102@redhat.com>

On 12/12/2012 07:59 PM, Simo Sorce wrote:
> On Wed, 2012-12-12 at 10:45 -0800, Patrick Bakker wrote:
>> I just joined this list because I was curious about the recent discussion that Rashard Kelly had started about whether to use FreeIPA's integrated DNS or whether to disable DNS. I'm wondering about a very similar thing. I have a bunch of Linux servers that I'd like to start managing more centrally but we have Active Directory running the network right now.
>>
>> I looked at the bug attachment Petr Spacek recommended (https://fedorahosted.org/freeipa/attachment/ticket/3268/3268.v2) but one thing I didn't see there is a discussion of whether to use an entirely different domain. As this is the direction I'm inclined to, I'm curious if there is some good reason not to do it.

IMHO there is no real difference between scenarios
a) "ad.comp.tld" + "ipa.comp.tld"
vs
b) "comp1.tld" + "comp2.tld"

In both cases they are just different domains. It doesn't make any difference as long as all machines are able to resolve all names (from both domains).

>> Suppose I have a company ACME Widgets which is running acmewidgets.local under Active Directory. Does it simplify anything if I were to run all my Linux boxes under FreeIPA under an entirely different domain such as acme.local?
>
> It will avoid the need to do delegation but you will need to set up conditional forwarders if you want to resolve both domains from all machines.

If it is inevitable, I would recommend establishing a top level domain "local" or "lan" and filling it with the usual delegation records for "acmewidgets" and "acme". Please, avoid usage of forwarders as much as possible.

Please see my next comment and try to avoid private TLDs.

> Also do not use .local, that domain name is used by zeroconf style stuff and can cause issues (in a windows domain too), use something like .lan

You can save some pain by using the real domain "acme.com" instead of "acme.lan". Just configure your DNS servers on the enterprise boundary to return different results to clients inside and outside the boundary.

Background story: DNS is a tree with root in domain "". By using a non-existent top level domain "lan" you cut the root. A client asking root servers for "lan" will get NXDOMAIN for every query. You can see the problem very nicely with command:
dig +trace "some.name.under.lan"

(I don't have much experience with DNSSEC, please correct me if I'm wrong.)
I would expect problems with DNSSEC deployment ... At least you will have to handle the domain signature for "lan" in a special way and configure another root of trust in each DNSSEC validating resolver etc.

>> Since I have completely separate DNS records I shouldn't need to worry about any DNS integration. Will this complicate a future trust between the AD domain acmewidgets.local and the FreeIPA domain acme.local if I want to do that at some point?

Again, I don't see any difference between scenarios
a) "ad.comp.tld" + "ipa.comp.tld"
vs
b) "comp1.tld" + "comp2.tld"

Both domains have to be resolvable. The difference is in the place where NS records or forwarders are set. That should be all.

> No, trusts are better with completely separate root domains, they certainly can't work if you use the same domain.

Simo, can you elaborate on this? I'm not experienced with trusts, but IMHO there should not be any difference between scenarios a) and b).

> However there is at least 1 minor 'integration' step, you need conditional forwarders in both systems so one can forward queries to the other for its clients.

--
Petr^2 Spacek

From natxo.asenjo at gmail.com Thu Dec 13 08:48:51 2012
From: natxo.asenjo at gmail.com (Natxo Asenjo)
Date: Thu, 13 Dec 2012 09:48:51 +0100
Subject: [Freeipa-users] error adding replica
In-Reply-To: <50C92552.3080908@redhat.com>
References: <50BCCA3D.6070807@redhat.com> <50C20B07.3040805@redhat.com> <50C92552.3080908@redhat.com>
Message-ID:

hi,

On Thu, Dec 13, 2012 at 1:46 AM, Dmitri Pal wrote:
>>
> The holidays are coming. It is unlikely that we would be able to look into it till Jan.

that is no problem at all, we have the same issues ;-)

Do you want me to keep the vm's around for troubleshooting the issue when there is time?
--
thanks,
natxo

From simo at redhat.com Thu Dec 13 15:08:56 2012
From: simo at redhat.com (Simo Sorce)
Date: Thu, 13 Dec 2012 10:08:56 -0500
Subject: [Freeipa-users] DNS: sub-domain or new domain
In-Reply-To: <50C9901E.9000102@redhat.com>
References: <1355338790.5073.137.camel@willson.li.ssimo.org> <50C9901E.9000102@redhat.com>
Message-ID: <1355411336.5073.153.camel@willson.li.ssimo.org>

On Thu, 2012-12-13 at 09:21 +0100, Petr Spacek wrote:
> > No, trusts are better with completely separate root domains, they certainly can't work if you use the same domain.
> Simo, can you elaborate on this? I'm not experienced with trusts, but IMHO there should not be any difference between scenarios a) and b).
>

Correct, what I meant is that you can't use the same domain for both AD and FreeIPA (so be careful if you use only the AD DNS server to create a separate DNS domain in AD DNS for freeIPA).

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From dpal at redhat.com Fri Dec 14 00:36:02 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Thu, 13 Dec 2012 19:36:02 -0500
Subject: [Freeipa-users] error adding replica
In-Reply-To:
References: <50BCCA3D.6070807@redhat.com> <50C20B07.3040805@redhat.com> <50C92552.3080908@redhat.com>
Message-ID: <50CA7472.5000706@redhat.com>

On 12/13/2012 03:48 AM, Natxo Asenjo wrote:
> hi,
>
> On Thu, Dec 13, 2012 at 1:46 AM, Dmitri Pal wrote:
>> The holidays are coming. It is unlikely that we would be able to look into it till Jan.
> that is no problem at all, we have the same issues ;-)
>
> Do you want me to keep the vm's around for troubleshooting the issue when there is time?
>

Would be great if you would be able to start this thread over after the holidays to draw our attention. So at that time every detail would be handy.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/ From biteoag at gmail.com Fri Dec 14 16:09:03 2012 From: biteoag at gmail.com (Albert Adams) Date: Fri, 14 Dec 2012 11:09:03 -0500 Subject: [Freeipa-users] Allow IPA users to create SSH tunnel with no shell Message-ID: In our environment we have several systems where users require access to the system to setup an SSH tunnel but should not have a shell on the system. Prior to rolling out IPA we accomplished this with the authorized_keys file as follows: command="/usr/bin/perl -e '$|=1; print \"Tunnel created, use your webbrowser to connect to the tool\n\";while(1) { print localtime(time) . \"\n\"; sleep 60}'",permitopen="localhost:8834",no-agent-forwarding,no-X11-forwarding Is there a way to accomplish this in IPA? Regards, Albert -------------- next part -------------- An HTML attachment was scrubbed... URL: From Rashard.Kelly at sita.aero Fri Dec 14 21:18:57 2012 From: Rashard.Kelly at sita.aero (Rashard.Kelly at sita.aero) Date: Fri, 14 Dec 2012 16:18:57 -0500 Subject: [Freeipa-users] Disadantages of using external DNS In-Reply-To: <50C92720.3070907@redhat.com> References: <50C8C1F9.1080900@redhat.com> <50C92720.3070907@redhat.com> Message-ID: Thank everyone for the ideas. We will be adding the DNS service to the IPA server. This seems like the best solution. Thanks again, Rashard This document is strictly confidential and intended only for use by the addressee unless otherwise stated. If you are not the intended recipient, please notify the sender immediately and delete it from your system. -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From rendhalver at gmail.com Mon Dec 17 02:23:44 2012 From: rendhalver at gmail.com (Peter Brown) Date: Mon, 17 Dec 2012 12:23:44 +1000 Subject: [Freeipa-users] Allow IPA users to create SSH tunnel with no shell In-Reply-To: References: Message-ID: Hi Albert, Have you tried putting that command in the public key for the user in freeipa and setting the user shell to /sbin/nologin or the equivalent? On 15 December 2012 02:09, Albert Adams wrote: > In our environment we have several systems where users require access to > the system to setup an SSH tunnel but should not have a shell on the > system. Prior to rolling out IPA we accomplished this with the > authorized_keys file as follows: > > command="/usr/bin/perl -e '$|=1; print \"Tunnel created, use your > webbrowser to connect to the tool\n\";while(1) { print localtime(time) . > \"\n\"; sleep > 60}'",permitopen="localhost:8834",no-agent-forwarding,no-X11-forwarding > > Is there a way to accomplish this in IPA? > > Regards, > Albert > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > -------------- next part -------------- An HTML attachment was scrubbed... URL: From jcholast at redhat.com Mon Dec 17 09:08:59 2012 From: jcholast at redhat.com (Jan Cholasta) Date: Mon, 17 Dec 2012 10:08:59 +0100 Subject: [Freeipa-users] Allow IPA users to create SSH tunnel with no shell In-Reply-To: References: Message-ID: <50CEE12B.8010000@redhat.com> Hi, this should work and you don't even have to set the shell to /sbin/nologin (depends on whether you want the users to be able to login to the system by other means or not), as the command directive in authorized_keys takes precedence. 
The tricky part is escaping the value correctly (there is shell escaping, IPA CSV quote escaping and authorized_keys quote escaping in effect): $ ipa user-mod user --sshpubkey='"command=""/usr/bin/perl -e '\''$|=1; print \""Tunnel created, use your webbrowser to connect to the tool\n\"";while(1) { print localtime(time) . \""\n\""; sleep 60}'\''"",permitopen=""localhost:8834"",no-agent-forwarding,no-X11-forwarding ssh-rsa ..."' Honza On 17.12.2012 03:23, Peter Brown wrote: > Hi Albert, > > Have you tried putting that command in the public key for the user in > freeipa and setting the user shell to /sbin/nologin or the equivalent? > > > On 15 December 2012 02:09, Albert Adams > wrote: > > In our environment we have several systems where users require > access to the system to setup an SSH tunnel but should not have a > shell on the system. Prior to rolling out IPA we accomplished this > with the authorized_keys file as follows: > > command="/usr/bin/perl -e '$|=1; print \"Tunnel created, use your > webbrowser to connect to the tool\n\";while(1) { print > localtime(time) . \"\n\"; sleep > 60}'",permitopen="localhost:8834",no-agent-forwarding,no-X11-forwarding > > Is there a way to accomplish this in IPA? > > Regards, > Albert > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > > > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > -- Jan Cholasta From biteoag at gmail.com Mon Dec 17 14:07:57 2012 From: biteoag at gmail.com (Albert Adams) Date: Mon, 17 Dec 2012 09:07:57 -0500 Subject: [Freeipa-users] Allow IPA users to create SSH tunnel with no shell In-Reply-To: <50CEE12B.8010000@redhat.com> References: <50CEE12B.8010000@redhat.com> Message-ID: Thank you for the responses. 
I was initially attempting to set this value via the web UI and if I entered anything other than the hash value of the user's public key it would get rejected. After thinking about your response I realize that I really need to determine a method of doing this via an HBAC rule. If I accomplish this with authorized_keys then the user is restricted across the board and would not be able to gain a shell on any system whereas HBAC would allow me to restrict their access as needed. We currently require users to tunnel over SSH to gain access to certain sensitive web apps (like Nessus) but those same users have shell access on a few boxes. Thoughts?? Albert On Mon, Dec 17, 2012 at 4:08 AM, Jan Cholasta wrote: > Hi, > > this should work and you don't even have to set the shell to /sbin/nologin > (depends on whether you want the users to be able to login to the system by > other means or not), as the command directive in authorized_keys takes > precedence. > > The tricky part is escaping the value correctly (there is shell escaping, > IPA CSV quote escaping and authorized_keys quote escaping in effect): > > $ ipa user-mod user --sshpubkey='"command=""/usr/bin/perl -e '\''$|=1; > print \""Tunnel created, use your webbrowser to connect to the > tool\n\"";while(1) { print localtime(time) . \""\n\""; sleep > 60}'\''"",permitopen=""localhost:8834"",no-agent-forwarding,no-X11-forwarding > ssh-rsa ..."' > > Honza > > > On 17.12.2012 03:23, Peter Brown wrote: > >> Hi Albert, >> >> Have you tried putting that command in the public key for the user in >> freeipa and setting the user shell to /sbin/nologin or the equivalent? >> >> >> On 15 December 2012 02:09, Albert Adams > > wrote: >> >> In our environment we have several systems where users require >> access to the system to setup an SSH tunnel but should not have a >> shell on the system.
Prior to rolling out IPA we accomplished this >> with the authorized_keys file as follows: >> >> command="/usr/bin/perl -e '$|=1; print \"Tunnel created, use your >> webbrowser to connect to the tool\n\";while(1) { print >> localtime(time) . \"\n\"; sleep >> 60}'",permitopen="localhost:8834",no-agent-forwarding,no- >> X11-forwarding >> >> Is there a way to accomplish this in IPA? >> >> Regards, >> Albert >> >> _______________________________________________ >> Freeipa-users mailing list >> Freeipa-users at redhat.com >> > >> https://www.redhat.com/mailman/listinfo/freeipa-users >> >> >> >> >> >> _______________________________________________ >> Freeipa-users mailing list >> Freeipa-users at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-users >> >> > > -- > Jan Cholasta > -------------- next part -------------- An HTML attachment was scrubbed... URL: From simo at redhat.com Mon Dec 17 14:36:11 2012 From: simo at redhat.com (Simo Sorce) Date: Mon, 17 Dec 2012 09:36:11 -0500 Subject: [Freeipa-users] Allow IPA users to create SSH tunnel with no shell In-Reply-To: References: <50CEE12B.8010000@redhat.com> Message-ID: <1355754971.5073.307.camel@willson.li.ssimo.org> On Mon, 2012-12-17 at 09:07 -0500, Albert Adams wrote: > Thank you for the responses. I was initially attempting to set this > value via the web UI and if I entered anything other than the hash > value of the user's public key it would get rejected. After thinking > about your response I realize that I really need to determine a method > of doing this via an HBAC rule. If I accomplish this with > authorized_keys then the user is restricted across the board and would > not be able to gain a shell on any system whereas HBAC would allow me > to restrict their access as needed. We currently require users to > tunnel over SSH to gain access to certain sensitive web apps (like > Nessus) but those same users have shell access on a few boxes. > Thoughts??
One thing you could do is to use the override_shell parameter in sssd. However this one would override the shell for all users so just putting /sbin/nologin there would not work if you need some users to be able to log in (if you care only for root logins it would be enough). However you can still manage to use it to point to a script that would test something like whether the user belongs to a group or not, and if so run either /bin/bash or /bin/nologin. This seems like a nice feature request for FreeIPA though, maybe we can extend HBAC to allow a special option to define a shell, maybe creating a special 'shell' service that sssd can properly interpret as a hint to set nologin vs the actual shell. Dmitri, should we open an RFE on this ? Simo. -- Simo Sorce * Red Hat, Inc * New York From sigbjorn at nixtra.com Mon Dec 17 15:04:39 2012 From: sigbjorn at nixtra.com (Sigbjorn Lie) Date: Mon, 17 Dec 2012 16:04:39 +0100 (CET) Subject: [Freeipa-users] User expiration on a certain date Message-ID: <24868.213.225.75.97.1355756679.squirrel@www.nixtra.com> Hi, Is it possible to lock out a user account on a set date? Regards, Siggi From biteoag at gmail.com Mon Dec 17 15:30:21 2012 From: biteoag at gmail.com (Albert Adams) Date: Mon, 17 Dec 2012 10:30:21 -0500 Subject: [Freeipa-users] Allow IPA users to create SSH tunnel with no shell In-Reply-To: <1355754971.5073.307.camel@willson.li.ssimo.org> References: <50CEE12B.8010000@redhat.com> <1355754971.5073.307.camel@willson.li.ssimo.org> Message-ID: An HBAC extension would certainly be appreciated. I'm not sure how other organizations are set up but in our environment we don't give shell access unless absolutely necessary and we use a lot of SSH tunneling with target services bound to localhost. If I can figure out the correct syntax to get the perl command added to the user's public key in IPA (as Honza suggested) then that will provide a workaround for the time being.
Ultimately it would be awesome to have the same level of granularity that the local authorized_keys file allowed while reaping the benefits of centralized management. Albert On Mon, Dec 17, 2012 at 9:36 AM, Simo Sorce wrote: > On Mon, 2012-12-17 at 09:07 -0500, Albert Adams wrote: > > Thank you for the responses. I was initially attempting to set this > > value via the web UI and if I entered anything other than the hash > > value of the user's public key it would get rejected. After thinking > > about your response I realize that I really need to determine a method > > of doing this via a HBAC rule. If I accomplish this with > > authorized_keys then the user is restricted across the board and would > > not be able to gain a shell on any system whereas HBAC would allow me > > to restrict thier access as needed. We currently require users to > > tunnel over SSH to gain access to certain sensitive web apps (like > > Nessus) but those same users have shell access on a few boxes. > > Thoughts?? > > One thing you could do is to use the override_shell parameter in sssd. > However this one would override the shell for all users so just > putting /sbin/nologin there would not work if you need some users to be > able to log in (if you care only for root logins it would be enough). > > However you can still manage to use it to point to a script that would > test something like whether the user belongs to a group or not, and if > so run either /bin/bash or /bin/nologin > > This seem like a nice feature request for FreeIPA though, maybe we can > extend HBAC to allow a special option to define a shell, maybe creating > a special 'shell' service that sssd can properly interpret as a hint to > set nologin vs the actual shell. > > Dmitri, should we open a RFE on this ? > > > Simo. > > -- > Simo Sorce * Red Hat, Inc * New York > > -------------- next part -------------- An HTML attachment was scrubbed... 
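[Editor's note, not part of the thread.] Honza's one-liner above stacks three quoting layers and is easy to get wrong by hand. The script below is an added example, not code from the thread or from FreeIPA: it builds the authorized_keys line with the forced command from Albert's post, applies the IPA CSV quoting that the 2.x/3.x CLI used for multi-valued options, shell-quotes the result, and then peels all three layers back off to prove the value that lands in the directory is byte-for-byte the line Albert used locally. The user name, key blob and comment are constructed placeholders, not a real key. One caveat worth knowing before combining this with Peter's suggestion: sshd runs a forced command through the user's login shell (shell -c command), so a user whose shell is /sbin/nologin never gets the command= program executed at all, and the tunnel never comes up. Later FreeIPA releases (4.x) dropped the CSV layer and take one --sshpubkey option per key, so on a current server only the authorized_keys and shell layers remain; check ipa help user-mod for your version.

```python
import csv
import io
import shlex

# The forced command from the thread: keeps the session open so the tunnel stays
# up and tells the user what to do. Backslash-n is passed literally to perl.
FORCED_COMMAND = (
    "/usr/bin/perl -e '$|=1; print \"Tunnel created, use your webbrowser "
    "to connect to the tool\\n\";while(1) { print localtime(time) . \"\\n\"; sleep 60}'"
)


def ak_option_quote(value):
    """Layer 1, authorized_keys option quoting (sshd(8)): wrap in double quotes and
    write an embedded double quote as backslash-quote. Other backslashes stay as
    they are, which is exactly how sshd's option dequoter treats them."""
    return '"' + value.replace('"', '\\"') + '"'


def authorized_keys_line(command, permitopen, key_type, key_blob, comment=None,
                         flags=("no-agent-forwarding", "no-X11-forwarding")):
    """One authorized_keys line: options, key type, base64 blob, optional comment."""
    options = ["command=" + ak_option_quote(command),
               "permitopen=" + ak_option_quote(permitopen)]
    options.extend(flags)
    fields = [",".join(options), key_type, key_blob]
    if comment:
        fields.append(comment)
    return " ".join(fields)


def ipa_csv_quote(value):
    """Layer 2, the IPA 2.x/3.x CLI CSV rule for multi-valued options: a value that
    contains commas is wrapped in double quotes and embedded quotes are doubled.
    Any authorized_keys line with more than one option contains commas."""
    return '"' + value.replace('"', '""') + '"'


def ipa_user_mod_command(uid, ak_line):
    """Layer 3, shell quoting. shlex.quote closes and reopens the single quotes
    around embedded single quotes ('"'"'), equivalent to the '\\'' form in the post."""
    return "ipa user-mod %s --sshpubkey=%s" % (
        shlex.quote(uid), shlex.quote(ipa_csv_quote(ak_line)))


def parse_authorized_keys_line(line):
    """Undo layer 1 the way sshd reads it: the options field ends at the first space
    outside double quotes, and inside quotes only backslash-quote is an escape."""
    options, i = [], 0
    if not line.split(None, 1)[0].startswith(("ssh-", "ecdsa-", "sk-")):
        cur, in_quotes = [], False
        while i < len(line):
            c = line[i]
            if in_quotes:
                if c == "\\" and line[i + 1:i + 2] == '"':
                    cur.append('"')
                    i += 2
                    continue
                if c == '"':
                    in_quotes = False
                else:
                    cur.append(c)
            elif c == '"':
                in_quotes = True
            elif c == ",":
                options.append("".join(cur))
                cur = []
            elif c == " ":
                break
            else:
                cur.append(c)
            i += 1
        options.append("".join(cur))
    rest = line[i:].split(None, 2)
    return {"options": options, "key_type": rest[0], "key_blob": rest[1],
            "comment": rest[2] if len(rest) > 2 else None}


def roundtrip(cmdline):
    """Strip the three layers off a generated command line and parse the key."""
    argv = shlex.split(cmdline)                          # undo shell quoting
    value = next(a for a in argv if a.startswith("--sshpubkey="))[len("--sshpubkey="):]
    ak_line = next(csv.reader(io.StringIO(value)))[0]    # undo IPA CSV quoting
    return parse_authorized_keys_line(ak_line)


if __name__ == "__main__":
    # Constructed input: "albert" and the blob are placeholders, not a real key.
    line = authorized_keys_line(FORCED_COMMAND, "localhost:8834", "ssh-rsa",
                                "AAAAB3NzaC1yc2EAAAADAQABAAAAgQC0", "albert@example.test")
    cmd = ipa_user_mod_command("albert", line)
    print(cmd)
    assert roundtrip(cmd)["options"][0] == "command=" + FORCED_COMMAND
```

Run it and paste the printed command into a shell on a system with an admin ticket; the round trip is the check that the quoting survived. If you add no-pty to the flags tuple, the user also gets no terminal, which is what you usually want for a tunnel-only key.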
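[Editor's note, not part of the thread.] Simo's override_shell idea needs a small program to dispatch on group membership. The following is an added example written for this page, not code from sssd, FreeIPA or any poster: a login-shell dispatcher that hands members of a permitted group their real shell with the arguments sshd passed in, and gives everybody else a tunnel-only session that keeps the connection open (the same job as the perl loop above) and never executes a command, so "ssh host some-command" yields nothing for them. The group name "shellusers" and the install path /usr/local/sbin/ipa-shell are assumptions. Note that override_shell in the [nss] section of sssd.conf only applies to users resolved through sssd; local /etc/passwd users, root included, keep their own shell.

```python
#!/usr/bin/python3
"""Login-shell dispatcher for sssd's override_shell (constructed example).

Install as /usr/local/sbin/ipa-shell (assumed path) and point sssd at it:

    [nss]
    override_shell = /usr/local/sbin/ipa-shell

Members of SHELL_GROUPS get REAL_SHELL; everybody else gets a tunnel-only
session that never runs a command.
"""
import grp
import os
import pwd
import sys
import time

SHELL_GROUPS = {"shellusers"}   # assumed IPA group whose members may have a shell
REAL_SHELL = "/bin/bash"
TUNNEL_MESSAGE = "Tunnel created, use your webbrowser to connect to the tool"


def choose_shell(user_groups, shell_groups=SHELL_GROUPS):
    """The policy: a real shell for members of a permitted group, None otherwise.
    Kept pure so it can be tested without real accounts."""
    return REAL_SHELL if set(user_groups) & set(shell_groups) else None


def groups_of(username):
    """Primary plus supplementary group names, resolved through NSS (hence sssd)."""
    pw = pwd.getpwnam(username)
    names = []
    for gid in os.getgrouplist(username, pw.pw_gid):
        try:
            names.append(grp.getgrgid(gid).gr_name)
        except KeyError:
            pass                       # a gid with no name: ignore it
    return names


def login_argv(shell, argv):
    """Preserve the login-shell convention: argv[0] starting with '-' marks a
    login shell, and any '-c command' from sshd is passed through unchanged."""
    dash = "-" if argv and argv[0].startswith("-") else ""
    return [dash + os.path.basename(shell)] + list(argv[1:])


def tunnel_only_session():
    """Hold the session open so -L forwards stay up; heartbeat once a minute."""
    sys.stdout.write(TUNNEL_MESSAGE + "\n")
    sys.stdout.flush()
    while True:
        sys.stdout.write(time.ctime() + "\n")
        sys.stdout.flush()
        time.sleep(60)


def main(argv):
    username = pwd.getpwuid(os.getuid()).pw_name
    shell = choose_shell(groups_of(username))
    if shell is None:
        tunnel_only_session()                   # never returns, ignores any -c
    os.execv(shell, login_argv(shell, argv))    # replaces this process


if __name__ == "__main__":
    main(sys.argv)
```

This handles the shell question only. What the tunnel-only users may forward still has to be pinned down on the sshd side, for instance with a Match Group block in sshd_config carrying PermitOpen localhost:8834, AllowAgentForwarding no and X11Forwarding no, or per key with the permitopen option as in Albert's line.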
URL: From simo at redhat.com Mon Dec 17 17:40:10 2012 From: simo at redhat.com (Simo Sorce) Date: Mon, 17 Dec 2012 12:40:10 -0500 Subject: [Freeipa-users] User expiration on a certain date In-Reply-To: <24868.213.225.75.97.1355756679.squirrel@www.nixtra.com> References: <24868.213.225.75.97.1355756679.squirrel@www.nixtra.com> Message-ID: <1355766010.5073.313.camel@willson.li.ssimo.org> On Mon, 2012-12-17 at 16:04 +0100, Sigbjorn Lie wrote: > Hi, > > Is it possible to lock out a user account on a set date? You should be able to set the krbPrincipalExpiration attribute to expire an account on a set date. However note this: https://fedorahosted.org/freeipa/ticket/3305 It means it will work with krb auth but not with ldap binds for now. Simo. -- Simo Sorce * Red Hat, Inc * New York From sigbjorn at nixtra.com Mon Dec 17 18:08:37 2012 From: sigbjorn at nixtra.com (Sigbjorn Lie) Date: Mon, 17 Dec 2012 19:08:37 +0100 (CET) Subject: [Freeipa-users] User expiration on a certain date In-Reply-To: <1355766010.5073.313.camel@willson.li.ssimo.org> References: <24868.213.225.75.97.1355756679.squirrel@www.nixtra.com> <1355766010.5073.313.camel@willson.li.ssimo.org> Message-ID: <20667.213.225.75.97.1355767717.squirrel@www.nixtra.com> On Mon, December 17, 2012 18:40, Simo Sorce wrote: > On Mon, 2012-12-17 at 16:04 +0100, Sigbjorn Lie wrote: > >> Hi, >> >> >> Is it possible to lock out a user account on a set date? >> > > You should be able to set the krbPrincipalExpiration attribute to expire > an account on a set date. > > However note this: https://fedorahosted.org/freeipa/ticket/3305 > > > It means it will work with krb auth but not with ldap binds for now. > > Thanks! That worked like a charm!! Is there any active ticket to have this property exposed for editing in the IPA CLI / WEBUI?
Rgds, Siggi From simo at redhat.com Mon Dec 17 18:32:48 2012 From: simo at redhat.com (Simo Sorce) Date: Mon, 17 Dec 2012 13:32:48 -0500 Subject: [Freeipa-users] User expiration on a certain date In-Reply-To: <20667.213.225.75.97.1355767717.squirrel@www.nixtra.com> References: <24868.213.225.75.97.1355756679.squirrel@www.nixtra.com> <1355766010.5073.313.camel@willson.li.ssimo.org> <20667.213.225.75.97.1355767717.squirrel@www.nixtra.com> Message-ID: <1355769168.5073.314.camel@willson.li.ssimo.org> On Mon, 2012-12-17 at 19:08 +0100, Sigbjorn Lie wrote: > > > On Mon, December 17, 2012 18:40, Simo Sorce wrote: > > On Mon, 2012-12-17 at 16:04 +0100, Sigbjorn Lie wrote: > > > >> Hi, > >> > >> > >> Is it possible to lock out an user account on a set date? > >> > > > > You should be able to set the krbPrincipalExpiration attribute to expire > > an account on a set date. > > > > However note this: https://fedorahosted.org/freeipa/ticket/3305 > > > > > > It means ti will work with krb auth but not with ldap binds for now. > > > > > > Thanks! That worked like a charm!! > > Is there any active ticket to have this property exposed for editing in the IPA CLI / WEBUI? No, an RFE ticket would be welcome though. Simo. 
-- Simo Sorce * Red Hat, Inc * New York From sigbjorn at nixtra.com Mon Dec 17 18:42:24 2012 From: sigbjorn at nixtra.com (Sigbjorn Lie) Date: Mon, 17 Dec 2012 19:42:24 +0100 (CET) Subject: [Freeipa-users] User expiration on a certain date In-Reply-To: <1355769168.5073.314.camel@willson.li.ssimo.org> References: <24868.213.225.75.97.1355756679.squirrel@www.nixtra.com> <1355766010.5073.313.camel@willson.li.ssimo.org> <20667.213.225.75.97.1355767717.squirrel@www.nixtra.com> <1355769168.5073.314.camel@willson.li.ssimo.org> Message-ID: <22727.213.225.75.97.1355769744.squirrel@www.nixtra.com> On Mon, December 17, 2012 19:32, Simo Sorce wrote: > On Mon, 2012-12-17 at 19:08 +0100, Sigbjorn Lie wrote: > >> >> >> On Mon, December 17, 2012 18:40, Simo Sorce wrote: >> >>> On Mon, 2012-12-17 at 16:04 +0100, Sigbjorn Lie wrote: >>> >>> >>>> Hi, >>>> >>>> >>>> >>>> Is it possible to lock out an user account on a set date? >>>> >>>> >>> >>> You should be able to set the krbPrincipalExpiration attribute to expire >>> an account on a set date. >>> >>> However note this: https://fedorahosted.org/freeipa/ticket/3305 >>> >>> >>> >>> It means ti will work with krb auth but not with ldap binds for now. >>> >>> >>> >> >> Thanks! That worked like a charm!! >> >> >> Is there any active ticket to have this property exposed for editing in the IPA CLI / WEBUI? >> > > No, an RFE ticket would be welcome though. 
> Ok, for the record: https://bugzilla.redhat.com/show_bug.cgi?id=887988 Rgds, Siggi From bcook at redhat.com Mon Dec 17 19:00:49 2012 From: bcook at redhat.com (Brian Cook) Date: Mon, 17 Dec 2012 11:00:49 -0800 Subject: [Freeipa-users] User expiration on a certain date In-Reply-To: <22727.213.225.75.97.1355769744.squirrel@www.nixtra.com> References: <24868.213.225.75.97.1355756679.squirrel@www.nixtra.com> <1355766010.5073.313.camel@willson.li.ssimo.org> <20667.213.225.75.97.1355767717.squirrel@www.nixtra.com> <1355769168.5073.314.camel@willson.li.ssimo.org> <22727.213.225.75.97.1355769744.squirrel@www.nixtra.com> Message-ID: <0437159B-DB64-4199-B893-A97B5949F5B1@redhat.com> >>>>> >>>>> Is it possible to lock out an user account on a set date? >>>>> >>>>> >>>> >>>> You should be able to set the krbPrincipalExpiration attribute to expire >>>> an account on a set date. >>>> >>>> However note this: https://fedorahosted.org/freeipa/ticket/3305 >>>> >>>> >>>> >>>> It means ti will work with krb auth but not with ldap binds for now. >>>> >>>> >>>> >>> >>> Thanks! That worked like a charm!! >>> >>> >>> Is there any active ticket to have this property exposed for editing in the IPA CLI / WEBUI? >>> >> >> No, an RFE ticket would be welcome though. >> > > Ok, for the record: > > https://bugzilla.redhat.com/show_bug.cgi?id=887988 > > > Rgds, > Siggi > It would be better though to have a real account expiration setting in the UI that not only set krbPrincipalExpiration but also locked the ldap user account and any other appropriate actions. 
Brian From simo at redhat.com Mon Dec 17 19:04:26 2012 From: simo at redhat.com (Simo Sorce) Date: Mon, 17 Dec 2012 14:04:26 -0500 Subject: [Freeipa-users] User expiration on a certain date In-Reply-To: <0437159B-DB64-4199-B893-A97B5949F5B1@redhat.com> References: <24868.213.225.75.97.1355756679.squirrel@www.nixtra.com> <1355766010.5073.313.camel@willson.li.ssimo.org> <20667.213.225.75.97.1355767717.squirrel@www.nixtra.com> <1355769168.5073.314.camel@willson.li.ssimo.org> <22727.213.225.75.97.1355769744.squirrel@www.nixtra.com> <0437159B-DB64-4199-B893-A97B5949F5B1@redhat.com> Message-ID: <1355771066.5073.315.camel@willson.li.ssimo.org> On Mon, 2012-12-17 at 11:00 -0800, Brian Cook wrote: > >>>>> > >>>>> Is it possible to lock out an user account on a set date? > >>>>> > >>>>> > >>>> > >>>> You should be able to set the krbPrincipalExpiration attribute to expire > >>>> an account on a set date. > >>>> > >>>> However note this: https://fedorahosted.org/freeipa/ticket/3305 > >>>> > >>>> > >>>> > >>>> It means ti will work with krb auth but not with ldap binds for now. > >>>> > >>>> > >>>> > >>> > >>> Thanks! That worked like a charm!! > >>> > >>> > >>> Is there any active ticket to have this property exposed for editing in the IPA CLI / WEBUI? > >>> > >> > >> No, an RFE ticket would be welcome though. > >> > > > > Ok, for the record: > > > > https://bugzilla.redhat.com/show_bug.cgi?id=887988 > > > > > > Rgds, > > Siggi > > > > It would be better though to have a real account expiration setting in the UI that not only set krbPrincipalExpiration but also locked the ldap user account and any other appropriate actions. > > > Brian Brian, that's what #3305 above is for. Simo. 
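[Editor's note, not part of the thread.] Since the CLI and web UI did not expose krbPrincipalExpiration at the time, Siggi's "set the attribute" route means an LDAP modify, and the value has to be an LDAP GeneralizedTime in UTC. The script below is an added example, not code from the thread or from FreeIPA: it produces that value from an ISO 8601 timestamp with an explicit offset, writes the modify LDIF for ldapmodify, and models what each authentication path sees, which is exactly the caveat Simo raises with ticket 3305: the KDC honours krbPrincipalExpiration, a plain LDAP simple bind does not, and only nsAccountLock (what ipa user-disable sets) stops both. The uid, base DN and timestamps are constructed placeholders. Later FreeIPA releases expose the attribute as the --principal-expiration option of ipa user-mod; check ipa help user-mod on your server before scripting against LDAP directly.

```python
from datetime import datetime, timezone

GENERALIZED_TIME = "%Y%m%d%H%M%SZ"   # LDAP GeneralizedTime as 389-ds stores it, UTC only


def generalized_time(when):
    """Render an aware datetime as GeneralizedTime. Naive datetimes are refused
    because the KDC compares expiration against its own clock in UTC and an
    unmarked local time is the classic way to be off by one time zone."""
    if when.tzinfo is None:
        raise ValueError("use an aware datetime with an explicit UTC offset")
    return when.astimezone(timezone.utc).strftime(GENERALIZED_TIME)


def generalized_time_from_iso(iso_text):
    """Same, from an ISO 8601 string such as '2013-01-31T23:59:59+01:00'."""
    return generalized_time(datetime.fromisoformat(iso_text))


def parse_generalized_time(value):
    return datetime.strptime(value, GENERALIZED_TIME).replace(tzinfo=timezone.utc)


def expiration_ldif(uid, base_dn, iso_text):
    """Modify LDIF for ldapmodify. cn=users,cn=accounts,<base> is FreeIPA's user container."""
    return (
        "dn: uid=%s,cn=users,cn=accounts,%s\n"
        "changetype: modify\n"
        "replace: krbPrincipalExpiration\n"
        "krbPrincipalExpiration: %s\n" % (uid, base_dn, generalized_time_from_iso(iso_text))
    )


def account_state(entry, now_generalized):
    """What each path sees for a user entry (a dict of attribute -> value) at a
    given time. Kerberos: the KDC refuses a principal once its expiration has
    passed, and refuses disabled (nsAccountLock) users. LDAP simple bind: the
    directory only checks nsAccountLock, which is the gap ticket 3305 is about."""
    now = parse_generalized_time(now_generalized)
    expiration = entry.get("krbPrincipalExpiration")
    krb_expired = expiration is not None and parse_generalized_time(expiration) < now
    locked = entry.get("nsAccountLock", "FALSE").upper() == "TRUE"
    return {"kerberos_login": not (krb_expired or locked), "ldap_bind": not locked}


if __name__ == "__main__":
    # Constructed example: contractor "siggi" leaves at the end of January 2013 (CET).
    print(expiration_ldif("siggi", "dc=example,dc=test", "2013-01-31T23:59:59+01:00"))
    entry = {"krbPrincipalExpiration": "20130131225959Z"}
    print(account_state(entry, "20130201120000Z"))   # Kerberos closed, LDAP bind still open
```

Feed the printed LDIF to ldapmodify (for example ldapmodify -Y GSSAPI -f expire.ldif with an admin ticket) and confirm with kinit as the user after the date. Until 3305 is resolved, anything that authenticates by LDAP bind (many web applications, RADIUS front ends) will still accept that user's password, so pair the date with a scheduled ipa user-disable if those paths exist in your environment.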
-- Simo Sorce * Red Hat, Inc * New York From Steven at simplycircus.com Mon Dec 17 19:58:12 2012 From: Steven at simplycircus.com (Steven Santos) Date: Mon, 17 Dec 2012 14:58:12 -0500 Subject: [Freeipa-users] FreeIPA and Samba 4 Message-ID: I know this may be a loaded question, but I am asking it anyways. Can anyone tell me what the current status and future plan for IPA / Samba 4 is? --- Steven Santos Director Simply Circus, Inc. 86 Los Angeles Street Newton, MA 02458 P: 617-527-0667 F: 617-934-1870 E: Steven at SimplyCircus.com -------------- next part -------------- An HTML attachment was scrubbed... URL: From natxo.asenjo at gmail.com Mon Dec 17 20:07:41 2012 From: natxo.asenjo at gmail.com (Natxo Asenjo) Date: Mon, 17 Dec 2012 21:07:41 +0100 Subject: [Freeipa-users] FreeIPA and Samba 4 In-Reply-To: References: Message-ID: On Mon, Dec 17, 2012 at 8:58 PM, Steven Santos wrote: > I know this may be a loaded question, but I am asking it anyways. > > Can anyone tell me what the current status and future plan for IPA / Samba 4 > is? probably the same as with AD: cross realm trusts. -- groet, natxo From sakodak at gmail.com Mon Dec 17 20:11:43 2012 From: sakodak at gmail.com (KodaK) Date: Mon, 17 Dec 2012 14:11:43 -0600 Subject: [Freeipa-users] anyone know how to do sssd filters? Message-ID: I'm attempting to install Satellite in my IPA domain. There is a ridiculous requirement that the group "dba" must not already exist prior to installing. Red Hat support wanted me to *remove* the DBA group and then install. Anyway, I'm trying to play around with filter_groups in sssd, and I can't seem to get it to "take." The man page isn't exactly clear, but here's what I've tried: filter_groups = dba filter_groups= dba at fqdn In the [domain], [sssd] and [nss] sections of the config file. What's the right syntax? Do I need it in every section? -- The government is going to read our mail anyway, might as well make it tough for them. 
GPG Public key ID: B6A1A7C6 From sigbjorn at nixtra.com Mon Dec 17 20:19:56 2012 From: sigbjorn at nixtra.com (Sigbjorn Lie) Date: Mon, 17 Dec 2012 21:19:56 +0100 (CET) Subject: [Freeipa-users] netapp filer AD + ipa: possible? In-Reply-To: <504A17BA.4090408@redhat.com> References: <50490822.5030207@nixtra.com> <26583.213.225.75.97.1347005220.squirrel@www.nixtra.com> <5049DB8D.2080304@s3group.cz> <504A17BA.4090408@redhat.com> Message-ID: <20546.213.225.75.97.1355775596.squirrel@www.nixtra.com> On Fri, September 7, 2012 16:50, Dmitri Pal wrote: > On 09/07/2012 07:33 AM, Ondrej Valousek wrote: > >> That is actually the main benefit of the 'ldap.ADdomain' parameter. It >> will allow you to simplify configuration and allows easy load balancing/failover functionality. We >> are paying for NetApp support, too so if anyone is going to bug NetApp about this, I am happy to >> join you. >> >> Ondrej >> >> >> On 09/07/2012 10:07 AM, Sigbjorn Lie wrote: >> >>> Yes it would be great if NetApp would do that. The ldap.ADdomain option is used to configure >>> the NetApp LDAP client from AD SRV DNS records. It would be great (and should be easy for >>> NetApp) to >>> have an option for ldap.IPAdomain. I don't remember exactly why I did not use this for IPA, as >>> far as I remember most things worked, but I stumbeled across some issue. >> >> >> _______________________________________________ >> Freeipa-users mailing list >> Freeipa-users at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-users >> > I will. > > > Siggi I will also send you a private email to give you access to the wiki. > > I don't think I ever posted the wiki link for my details around NetApp configuration in a mixed environment... See below. 
http://www.freeipa.org/page/NetApp_integration_in_a_mixed_environment From simo at redhat.com Mon Dec 17 20:22:42 2012 From: simo at redhat.com (Simo Sorce) Date: Mon, 17 Dec 2012 15:22:42 -0500 Subject: [Freeipa-users] FreeIPA and Samba 4 In-Reply-To: References: Message-ID: <1355775762.5073.317.camel@willson.li.ssimo.org> On Mon, 2012-12-17 at 14:58 -0500, Steven Santos wrote: > I know this may be a loaded question, but I am asking it anyways. > > > Can anyone tell me what the current status and future plan for IPA / > Samba 4 is? We plan to support setting up trusts with Samba4 just like we do with AD when Samba4 will start supporting Cross-forest trusts. It currently doesn't. Simo. -- Simo Sorce * Red Hat, Inc * New York From dpal at redhat.com Mon Dec 17 21:03:03 2012 From: dpal at redhat.com (Dmitri Pal) Date: Mon, 17 Dec 2012 16:03:03 -0500 Subject: [Freeipa-users] anyone know how to do sssd filters? In-Reply-To: References: Message-ID: <50CF8887.9020306@redhat.com> On 12/17/2012 03:11 PM, KodaK wrote: > I'm attempting to install Satellite in my IPA domain. There is a > ridiculous requirement that the group "dba" must not already exist > prior to installing. Red Hat support wanted me to *remove* the DBA > group and then install. > > Anyway, I'm trying to play around with filter_groups in sssd, and I > can't seem to get it to "take." The man page isn't exactly clear, but > here's what I've tried: > > filter_groups = dba > filter_groups= dba at fqdn > > In the [domain], [sssd] and [nss] sections of the config file. > > What's the right syntax? Do I need it in every section? > Is it a local group or a central group? -- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. ------------------------------- Looking to carve out IT costs? 
www.redhat.com/carveoutcosts/ From dpal at redhat.com Mon Dec 17 21:29:00 2012 From: dpal at redhat.com (Dmitri Pal) Date: Mon, 17 Dec 2012 16:29:00 -0500 Subject: [Freeipa-users] Allow IPA users to create SSH tunnel with no shell In-Reply-To: <1355754971.5073.307.camel@willson.li.ssimo.org> References: <50CEE12B.8010000@redhat.com> <1355754971.5073.307.camel@willson.li.ssimo.org> Message-ID: <50CF8E9C.4020508@redhat.com> On 12/17/2012 09:36 AM, Simo Sorce wrote: > On Mon, 2012-12-17 at 09:07 -0500, Albert Adams wrote: >> Thank you for the responses. I was initially attempting to set this >> value via the web UI and if I entered anything other than the hash >> value of the user's public key it would get rejected. After thinking >> about your response I realize that I really need to determine a method >> of doing this via a HBAC rule. If I accomplish this with >> authorized_keys then the user is restricted across the board and would >> not be able to gain a shell on any system whereas HBAC would allow me >> to restrict thier access as needed. We currently require users to >> tunnel over SSH to gain access to certain sensitive web apps (like >> Nessus) but those same users have shell access on a few boxes. >> Thoughts?? > One thing you could do is to use the override_shell parameter in sssd. > However this one would override the shell for all users so just > putting /sbin/nologin there would not work if you need some users to be > able to log in (if you care only for root logins it would be enough). > > However you can still manage to use it to point to a script that would > test something like whether the user belongs to a group or not, and if > so run either /bin/bash or /bin/nologin > > This seem like a nice feature request for FreeIPA though, maybe we can > extend HBAC to allow a special option to define a shell, maybe creating > a special 'shell' service that sssd can properly interpret as a hint to > set nologin vs the actual shell. 
> > Dmitri, should we open a RFE on this ? > > > Simo. > OK , RFE would make sense. -- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From Johan.Petersson at sscspace.com Tue Dec 18 00:15:42 2012 From: Johan.Petersson at sscspace.com (Johan Petersson) Date: Tue, 18 Dec 2012 00:15:42 +0000 Subject: [Freeipa-users] Problem generating Oracle ZFS Storage Appliance host and nfs principals and keys to IPA/Free IPA. Message-ID: <558C15177F5E714F83334217C9A197DF5DB40720@SSC-MBX2.ssc.internal> Hi, When trying to generate a host and nfs principal + keys from the Oracle ZFS 7120/7320 Appliance i get the following error message (note that the information pasted are from a simulator but i get exactly the same error from our real Appliances). I can't generate a key on the IPA server and copy it to the Appliance unfortunately it does not support that since it has a specialised webinterface and CLI. The Appliance wants to generate the principals and keys itself after i add the Kerberos information realm/KDC and admin principal. NTP is synced and DNS is working with reverse, no firewalls and SELinux disabled. I have tested on both Red Hat/CentOS 6.3 and fedora 17 as IPA servers with the same results. Any ideas on what is wrong and if it is possible to get it working? An unanticipated system error occurred: failed to create principal 'host/zfs1.home at HOME': libkadm5clnt error: 43787522 (Operation requires ``add'' privilege) Exception type: coXmlrpcFault Native message: failed to create principal 'host/zfs1.home at HOME': libkadm5clnt error: 43787522 (Operation requires ``add'' privilege) Mapped stack trace: Native file: line ? 
Native stack trace: Message: Wrapped exception: Stack trace: at https://192.168.0.112:215/lib/crazyolait/index.js:370:21 Additional native members: faultCode: 600 faultString: failed to create principal 'host/zfs1.home at HOME': libkadm5clnt error: 43787522 (Operation requires ``add'' privilege) coStack: top.akMulticall(argv: "[object Object]", abort:true, func: "function (ret, err, idx) {\n\t\t\tif (err && err.faultName !== 'EAK_KRB5_NOENT') {\n\t\t\t\takHandleFault(err, { set: widget.aknsn_vs });\n\t\t\t\treturn;\n\t\t\t}\n\t\t\tcommitprop(callback);\n\t\t}") nasServiceNFS.prototype.commit(callback: "function (err) {\n\t\tif (akHandleFault(err, {\n\t\t set: view.aksvc_current_set\n\t\t })) {\n\t\t\tif (callback)\n\t\t\t\tcallback(true);\n\t\t\tview.changed(true);\n\t\t\treturn;\n\t\t}\n\n\t\t/*\n\n\n\t\t */\n\t\tview.changed(false);\n\n\t\tif (enable === false) {\n\t\t\tif (callback)\n\t\t\t\tcallback();\n\t\t\treturn;\n\t\t}\n\n\t\takService.svc.setCompositeState(view.aksvc_id,\n\t\t akSvc.AK_SVC_STATE_ONLINE, function (ret, err) {\n\t\t\tif (akHandleFault(err)) {\n\t\t\t\tif (callback)\n\t\t\t\t\tcallback(true);\n\t\t\t} else {\n\t\t\t\tif (callback)\n\t\t\t\t\tcallback();\n\t\t\t}\n\t\t});\n\t}") akSvcView.prototype.commitToServer(enable:false, callback: "function (error) {\n\t\t\takStopWaiting(function () {\n\t\t\t\tif (view.aksvc_done && !error)\n\t\t\t\t\tview.aksvc_done();\n\t\t\t});\n\t\t}") akSvcView.prototype.commit(callback:null) ( "[object Object]", "[object MouseEvent]") (e: "[object MouseEvent]") [akEventListenerWrap,click,undefined](e: "[object MouseEvent]") faultName: EAK_KADM5 In the kadmind.log on the IPA server i get the following: Dec 17 23:12:05 server.home kadmind[3614](Notice): Request: kadm5_init, admin at HOME, success, client=admin at HOME, service=kadmin/server.home at HOME, addr=192.168.0.112, vers=2, flavor=6 Dec 17 23:12:05 server.home kadmind[3614](Notice): Unauthorized request: kadm5_create_principal, host/zfs1.home at HOME, 
client=admin at HOME, service=kadmin/server.home at HOME, addr=192.168.0.112 And in the krb5kdc.log: Dec 17 23:15:23 server.home krb5kdc[4015](info): AS_REQ (7 etypes {18 17 16 23 24 3 1}) 192.168.0.112: CLIENT_NOT_FOUND: root/zfs1.home at HOME for krbtgt/HOME at HOME, Client not found in Kerberos database Dec 17 23:15:23 server.home krb5kdc[4016](info): AS_REQ (7 etypes {18 17 16 23 24 3 1}) 192.168.0.112: CLIENT_NOT_FOUND: host/zfs1.home at HOME for krbtgt/HOME at HOME, Client not found in Kerberos database If i add the host in IPA i instead get: Dec 17 23:48:18 server.home krb5kdc[4016](info): ... CONSTRAINED-DELEGATION s4u-client=admin at HOME Dec 17 23:48:35 server.home krb5kdc[4016](info): AS_REQ (7 etypes {18 17 16 23 24 3 1}) 192.168.0.112: NEEDED_PREAUTH: admin at HOME for kadmin/server.home at HOME, Additional pre-authentication required Dec 17 23:48:35 server.home krb5kdc[4015](info): AS_REQ (7 etypes {18 17 16 23 24 3 1}) 192.168.0.112: ISSUE: authtime 1355784515, etypes {rep=18 tkt=18 ses=18}, admin at HOME for kadmin/server.home at HOME -------------- next part -------------- An HTML attachment was scrubbed... URL: From dpal at redhat.com Tue Dec 18 00:36:29 2012 From: dpal at redhat.com (Dmitri Pal) Date: Mon, 17 Dec 2012 19:36:29 -0500 Subject: [Freeipa-users] Problem generating Oracle ZFS Storage Appliance host and nfs principals and keys to IPA/Free IPA. In-Reply-To: <558C15177F5E714F83334217C9A197DF5DB40720@SSC-MBX2.ssc.internal> References: <558C15177F5E714F83334217C9A197DF5DB40720@SSC-MBX2.ssc.internal> Message-ID: <50CFBA8D.6070902@redhat.com> On 12/17/2012 07:15 PM, Johan Petersson wrote: > Hi, > > When trying to generate a host and nfs principal + keys from the > Oracle ZFS 7120/7320 Appliance i get the following error message (note > that the information pasted are from a simulator but i get exactly the > same error from our real Appliances). 
> I can't generate a key on the IPA server and copy it to the Appliance;
> unfortunately it does not support that since it has a specialised
> web interface and CLI.
> The Appliance wants to generate the principals and keys itself after I
> add the Kerberos information realm/KDC and admin principal.
>
> NTP is synced and DNS is working with reverse, no firewalls and
> SELinux disabled.
>
> I have tested on both Red Hat/CentOS 6.3 and Fedora 17 as IPA servers
> with the same results.
>
> Any ideas on what is wrong and if it is possible to get it working?
>
>
> An unanticipated system error occurred:
>
> failed to create principal 'host/zfs1.home@HOME': libkadm5clnt error:
> 43787522 (Operation requires ``add'' privilege)

Do you have this principal already precreated?
It seems that the client tries to create a principal using its kadmin library. I am not sure it would work.
The protocol we use in ipa-getkeytab is not a kadmin protocol. As far as I recall it does an LDAP extended operation.

>
> Exception type: coXmlrpcFault
> Native message: failed to create principal 'host/zfs1.home@HOME':
> libkadm5clnt error: 43787522 (Operation requires ``add'' privilege)
> Mapped stack trace:
>
> Native file: line ?
> Native stack trace:
> Message:
> Wrapped exception:
> Stack trace:
>
>
> at https://192.168.0.112:215/lib/crazyolait/index.js:370:21
> Additional native members:
> faultCode: 600
> faultString: failed to create principal 'host/zfs1.home@HOME':
> libkadm5clnt error: 43787522 (Operation requires ``add'' privilege)
> coStack: top.akMulticall(argv: "[object Object]", abort:true, func: "function (ret, err, idx) {\n\t\t\tif (err && err.faultName !== 'EAK_KRB5_NOENT') {\n\t\t\t\takHandleFault(err, { set: widget.aknsn_vs });\n\t\t\t\treturn;\n\t\t\t}\n\t\t\tcommitprop(callback);\n\t\t}")
> nasServiceNFS.prototype.commit(callback: "function (err) {\n\t\tif (akHandleFault(err, {\n\t\t set: view.aksvc_current_set\n\t\t })) {\n\t\t\tif (callback)\n\t\t\t\tcallback(true);\n\t\t\tview.changed(true);\n\t\t\treturn;\n\t\t}\n\n\t\t/*\n\n\n\t\t */\n\t\tview.changed(false);\n\n\t\tif (enable === false) {\n\t\t\tif (callback)\n\t\t\t\tcallback();\n\t\t\treturn;\n\t\t}\n\n\t\takService.svc.setCompositeState(view.aksvc_id,\n\t\t akSvc.AK_SVC_STATE_ONLINE, function (ret, err) {\n\t\t\tif (akHandleFault(err)) {\n\t\t\t\tif (callback)\n\t\t\t\t\tcallback(true);\n\t\t\t} else {\n\t\t\t\tif (callback)\n\t\t\t\t\tcallback();\n\t\t\t}\n\t\t});\n\t}")
> akSvcView.prototype.commitToServer(enable:false, callback: "function (error) {\n\t\t\takStopWaiting(function () {\n\t\t\t\tif (view.aksvc_done && !error)\n\t\t\t\t\tview.aksvc_done();\n\t\t\t});\n\t\t}")
> akSvcView.prototype.commit(callback:null)
> ( "[object Object]", "[object MouseEvent]")
> (e: "[object MouseEvent]")
> [akEventListenerWrap,click,undefined](e: "[object MouseEvent]")
>
> faultName: EAK_KADM5
>
> In the kadmind.log on the IPA server I get the following:
>
> Dec 17 23:12:05 server.home kadmind[3614](Notice): Request: kadm5_init, admin@HOME, success, client=admin@HOME, service=kadmin/server.home@HOME, addr=192.168.0.112, vers=2, flavor=6
> Dec 17 23:12:05 server.home kadmind[3614](Notice): Unauthorized request: kadm5_create_principal, host/zfs1.home@HOME, client=admin@HOME, service=kadmin/server.home@HOME, addr=192.168.0.112
>
> And in the krb5kdc.log:
>
> Dec 17 23:15:23 server.home krb5kdc[4015](info): AS_REQ (7 etypes {18 17 16 23 24 3 1}) 192.168.0.112: CLIENT_NOT_FOUND: root/zfs1.home@HOME for krbtgt/HOME@HOME, Client not found in Kerberos database
> Dec 17 23:15:23 server.home krb5kdc[4016](info): AS_REQ (7 etypes {18 17 16 23 24 3 1}) 192.168.0.112: CLIENT_NOT_FOUND: host/zfs1.home@HOME for krbtgt/HOME@HOME, Client not found in Kerberos database
>
> If I add the host in IPA I instead get:
>
> Dec 17 23:48:18 server.home krb5kdc[4016](info): ... CONSTRAINED-DELEGATION s4u-client=admin@HOME
> Dec 17 23:48:35 server.home krb5kdc[4016](info): AS_REQ (7 etypes {18 17 16 23 24 3 1}) 192.168.0.112: NEEDED_PREAUTH: admin@HOME for kadmin/server.home@HOME, Additional pre-authentication required
> Dec 17 23:48:35 server.home krb5kdc[4015](info): AS_REQ (7 etypes {18 17 16 23 24 3 1}) 192.168.0.112: ISSUE: authtime 1355784515, etypes {rep=18 tkt=18 ses=18}, admin@HOME for kadmin/server.home@HOME
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From simo at redhat.com Tue Dec 18 02:20:59 2012
From: simo at redhat.com (Simo Sorce)
Date: Mon, 17 Dec 2012 21:20:59 -0500
Subject: [Freeipa-users] Problem generating Oracle ZFS Storage Appliance host and nfs principals and keys to IPA/Free IPA.
In-Reply-To: <558C15177F5E714F83334217C9A197DF5DB40720@SSC-MBX2.ssc.internal>
References: <558C15177F5E714F83334217C9A197DF5DB40720@SSC-MBX2.ssc.internal>
Message-ID: <1355797259.5073.444.camel@willson.li.ssimo.org>

On Tue, 2012-12-18 at 00:15 +0000, Johan Petersson wrote:
> Hi,

Hi Johan, see inline.

> When trying to generate a host and nfs principal + keys from the
> Oracle ZFS 7120/7320 Appliance I get the following error message (note
> that the information pasted are from a simulator but I get exactly the
> same error from our real Appliances).
> I can't generate a key on the IPA server and copy it to the Appliance;
> unfortunately it does not support that since it has a specialised
> web interface and CLI.
> The Appliance wants to generate the principals and keys itself after I
> add the Kerberos information realm/KDC and admin principal.
>
>
> NTP is synced and DNS is working with reverse, no firewalls and
> SELinux disabled.
>
>
> I have tested on both Red Hat/CentOS 6.3 and Fedora 17 as IPA servers
> with the same results.
>
>
> Any ideas on what is wrong and if it is possible to get it working?
>
>
>
>
> An unanticipated system error occurred:
>
>
> failed to create principal 'host/zfs1.home@HOME': libkadm5clnt error:
> 43787522 (Operation requires ``add'' privilege)
>

We do not allow tools the permissions to perform add operations via the kadmin interface; this is done by explicitly disallowing certain internal DAL operations in our driver, so it is not configurable. This is because that interface is not rich enough to provide all the information we normally associate to principals in LDAP entries.

Does the appliance work if you pre-create the principal?

It sounds very odd that these 'appliances' really require you to give them credentials that have very high privileges, so high as to be able to actually add principals into a kerberos database. I would consider that a very serious bug and security issue in the appliance.

Note that the kadmin interface can be allowed to change principals, including getting a new keytab. That will require you to manually edit the ACL file that is not normally configured, as we do not need to allow modifications via the kadmin interface in normal IPA domains.

So if this appliance can deal with just modifying a principal to get a keytab, as opposed to trying to create one from scratch, then you may be able to configure FreeIPA's kadmin to do that.

> Exception type: coXmlrpcFault
> Native message: failed to create principal 'host/zfs1.home@HOME':
> libkadm5clnt error: 43787522 (Operation requires ``add'' privilege)
> Mapped stack trace:
>
>
> Native file: line ?
> Native stack trace:
> Message:
> Wrapped exception:
> Stack trace:
>
>
>
> at https://192.168.0.112:215/lib/crazyolait/index.js:370:21
> Additional native members:
> faultCode: 600
> faultString: failed to create principal 'host/zfs1.home@HOME':
> libkadm5clnt error: 43787522 (Operation requires ``add'' privilege)
> coStack: top.akMulticall(argv: "[object Object]", abort:true, func: "function (ret, err, idx) {\n\t\t\tif (err && err.faultName !== 'EAK_KRB5_NOENT') {\n\t\t\t\takHandleFault(err, { set: widget.aknsn_vs });\n\t\t\t\treturn;\n\t\t\t}\n\t\t\tcommitprop(callback);\n\t\t}")
> nasServiceNFS.prototype.commit(callback: "function (err) {\n\t\tif (akHandleFault(err, {\n\t\t set: view.aksvc_current_set\n\t\t })) {\n\t\t\tif (callback)\n\t\t\t\tcallback(true);\n\t\t\tview.changed(true);\n\t\t\treturn;\n\t\t}\n\n\t\t/*\n\n\n\t\t */\n\t\tview.changed(false);\n\n\t\tif (enable === false) {\n\t\t\tif (callback)\n\t\t\t\tcallback();\n\t\t\treturn;\n\t\t}\n\n\t\takService.svc.setCompositeState(view.aksvc_id,\n\t\t akSvc.AK_SVC_STATE_ONLINE, function (ret, err) {\n\t\t\tif (akHandleFault(err)) {\n\t\t\t\tif (callback)\n\t\t\t\t\tcallback(true);\n\t\t\t} else {\n\t\t\t\tif (callback)\n\t\t\t\t\tcallback();\n\t\t\t}\n\t\t});\n\t}")
> akSvcView.prototype.commitToServer(enable:false, callback: "function (error) {\n\t\t\takStopWaiting(function () {\n\t\t\t\tif (view.aksvc_done && !error)\n\t\t\t\t\tview.aksvc_done();\n\t\t\t});\n\t\t}")
> akSvcView.prototype.commit(callback:null)
> ( "[object Object]", "[object MouseEvent]")
> (e: "[object MouseEvent]")
> [akEventListenerWrap,click,undefined](e: "[object MouseEvent]")
>
>
> faultName: EAK_KADM5
>
>
> In the kadmind.log on the IPA server I get the following:
>
>
> Dec 17 23:12:05 server.home kadmind[3614](Notice): Request: kadm5_init, admin@HOME, success, client=admin@HOME, service=kadmin/server.home@HOME, addr=192.168.0.112, vers=2, flavor=6
> Dec 17 23:12:05 server.home kadmind[3614](Notice): Unauthorized request: kadm5_create_principal, host/zfs1.home@HOME, client=admin@HOME, service=kadmin/server.home@HOME, addr=192.168.0.112
>
>
> And in the krb5kdc.log:
>
>
> Dec 17 23:15:23 server.home krb5kdc[4015](info): AS_REQ (7 etypes {18 17 16 23 24 3 1}) 192.168.0.112: CLIENT_NOT_FOUND: root/zfs1.home@HOME for krbtgt/HOME@HOME, Client not found in Kerberos database
> Dec 17 23:15:23 server.home krb5kdc[4016](info): AS_REQ (7 etypes {18 17 16 23 24 3 1}) 192.168.0.112: CLIENT_NOT_FOUND: host/zfs1.home@HOME for krbtgt/HOME@HOME, Client not found in Kerberos database

All this is pretty much expected if this appliance tries to create principals via the kadmin add API.

>
> If I add the host in IPA I instead get:
>
>
> Dec 17 23:48:18 server.home krb5kdc[4016](info): ...
> CONSTRAINED-DELEGATION s4u-client=admin@HOME
> Dec 17 23:48:35 server.home krb5kdc[4016](info): AS_REQ (7 etypes {18 17 16 23 24 3 1}) 192.168.0.112: NEEDED_PREAUTH: admin@HOME for kadmin/server.home@HOME, Additional pre-authentication required
> Dec 17 23:48:35 server.home krb5kdc[4015](info): AS_REQ (7 etypes {18 17 16 23 24 3 1}) 192.168.0.112: ISSUE: authtime 1355784515, etypes {rep=18 tkt=18 ses=18}, admin@HOME for kadmin/server.home@HOME

I see no problem in here, so does the appliance cope with pre-existing principals?

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From william.muriithi at gmail.com Tue Dec 18 03:48:07 2012
From: william.muriithi at gmail.com (William Muriithi)
Date: Mon, 17 Dec 2012 22:48:07 -0500
Subject: [Freeipa-users] FreeIPA and Samba 4
Message-ID:

> > I know this may be a loaded question, but I am asking it anyways.
> >
> >
> >
> > Can anyone tell me what the current status and future plan for IPA /
> > Samba 4 is?
>
> We plan to support setting up trusts with Samba4 just like we do with AD
> when Samba4 will start supporting Cross-forest trusts. It currently
> doesn't.
>
> Simo.
>

Yes, it's amazing samba4 has finally gone GA. Plan to set up an instance as a backup AD to existing AD some day when I get some time. Not well documented though, wish there was a well written book on it. Anyway backup AD would be the best way to set some experience I am assuming.

A related question, would there be any need to have a replica when using trust if the AD is just one instance? What I am asking in another way is, if the AD fails, wouldn't the FreeIPA fail to authenticate users till AD issues are fixed?

Regards,

William

> --
> Simo Sorce * Red Hat, Inc * New York
>
>
>
> ------------------------------
>
> Message: 2
> Date: Mon, 17 Dec 2012 16:03:03 -0500
> From: Dmitri Pal
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] anyone know how to do sssd filters?
> Message-ID: <50CF8887.9020306 at redhat.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> On 12/17/2012 03:11 PM, KodaK wrote:
> > I'm attempting to install Satellite in my IPA domain. There is a
> > ridiculous requirement that the group "dba" must not already exist
> > prior to installing. Red Hat support wanted me to *remove* the DBA
> > group and then install.
> >
> > Anyway, I'm trying to play around with filter_groups in sssd, and I
> > can't seem to get it to "take." The man page isn't exactly clear, but
> > here's what I've tried:
> >
> > filter_groups = dba
> > filter_groups= dba at fqdn
> >
> > In the [domain], [sssd] and [nss] sections of the config file.
> >
> > What's the right syntax? Do I need it in every section?
>
> Is it a local group or a central group?
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>
>
> -------------------------------
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
>
>
>
>
>
> ------------------------------
>
> Message: 3
> Date: Mon, 17 Dec 2012 16:29:00 -0500
> From: Dmitri Pal
> To: Simo Sorce
> Cc: freeipa-users , Albert Adams
>
> Subject: Re: [Freeipa-users] Allow IPA users to create SSH tunnel with
> no shell
> Message-ID: <50CF8E9C.4020508 at redhat.com>
> Content-Type: text/plain; charset=UTF-8
>
> On 12/17/2012 09:36 AM, Simo Sorce wrote:
> > On Mon, 2012-12-17 at 09:07 -0500, Albert Adams wrote:
> >> Thank you for the responses. I was initially attempting to set this
> >> value via the web UI and if I entered anything other than the hash
> >> value of the user's public key it would get rejected. After thinking
> >> about your response I realize that I really need to determine a method
> >> of doing this via a HBAC rule. If I accomplish this with
> >> authorized_keys then the user is restricted across the board and would
> >> not be able to gain a shell on any system whereas HBAC would allow me
> >> to restrict their access as needed. We currently require users to
> >> tunnel over SSH to gain access to certain sensitive web apps (like
> >> Nessus) but those same users have shell access on a few boxes.
> >> Thoughts??
> > One thing you could do is to use the override_shell parameter in sssd.
> > However this one would override the shell for all users so just
> > putting /sbin/nologin there would not work if you need some users to be
> > able to log in (if you care only for root logins it would be enough).
> >
> > However you can still manage to use it to point to a script that would
> > test something like whether the user belongs to a group or not, and if
> > so run either /bin/bash or /bin/nologin
> >
> > This seems like a nice feature request for FreeIPA though, maybe we can
> > extend HBAC to allow a special option to define a shell, maybe creating
> > a special 'shell' service that sssd can properly interpret as a hint to
> > set nologin vs the actual shell.
> >
> > Dmitri, should we open a RFE on this ?
> >
> >
> > Simo.
> >
> OK, RFE would make sense.
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>
>
> -------------------------------
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
>
>
>
>
>
> ------------------------------
>
> Message: 4
> Date: Tue, 18 Dec 2012 00:15:42 +0000
> From: Johan Petersson
> To: "freeipa-users at redhat.com"
> Subject: [Freeipa-users] Problem generating Oracle ZFS Storage
> Appliance host and nfs principals and keys to IPA/Free IPA.
> Message-ID:
> <558C15177F5E714F83334217C9A197DF5DB40720 at SSC-MBX2.ssc.internal>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hi,
>
> When trying to generate a host and nfs principal + keys from the Oracle ZFS 7120/7320 Appliance I get the following error message (note that the information pasted are from a simulator but I get exactly the same error from our real Appliances).
> I can't generate a key on the IPA server and copy it to the Appliance; unfortunately it does not support that since it has a specialised web interface and CLI.
> The Appliance wants to generate the principals and keys itself after I add the Kerberos information realm/KDC and admin principal.
>
> NTP is synced and DNS is working with reverse, no firewalls and SELinux disabled.
>
> I have tested on both Red Hat/CentOS 6.3 and Fedora 17 as IPA servers with the same results.
>
> Any ideas on what is wrong and if it is possible to get it working?
>
>
> An unanticipated system error occurred:
>
> failed to create principal 'host/zfs1.home@HOME': libkadm5clnt error: 43787522 (Operation requires ``add'' privilege)
>
> Exception type: coXmlrpcFault
> Native message: failed to create principal 'host/zfs1.home@HOME': libkadm5clnt error: 43787522 (Operation requires ``add'' privilege)
> Mapped stack trace:
>
> Native file: line ?
> Native stack trace:
> Message:
> Wrapped exception:
> Stack trace:
>
>
> at https://192.168.0.112:215/lib/crazyolait/index.js:370:21
> Additional native members:
> faultCode: 600
> faultString: failed to create principal 'host/zfs1.home@HOME': libkadm5clnt error: 43787522 (Operation requires ``add'' privilege)
> coStack: top.akMulticall(argv: "[object Object]", abort:true, func: "function (ret, err, idx) {\n\t\t\tif (err && err.faultName !== 'EAK_KRB5_NOENT') {\n\t\t\t\takHandleFault(err, { set: widget.aknsn_vs });\n\t\t\t\treturn;\n\t\t\t}\n\t\t\tcommitprop(callback);\n\t\t}")
> nasServiceNFS.prototype.commit(callback: "function (err) {\n\t\tif (akHandleFault(err, {\n\t\t set: view.aksvc_current_set\n\t\t })) {\n\t\t\tif (callback)\n\t\t\t\tcallback(true);\n\t\t\tview.changed(true);\n\t\t\treturn;\n\t\t}\n\n\t\t/*\n\n\n\t\t */\n\t\tview.changed(false);\n\n\t\tif (enable === false) {\n\t\t\tif (callback)\n\t\t\t\tcallback();\n\t\t\treturn;\n\t\t}\n\n\t\takService.svc.setCompositeState(view.aksvc_id,\n\t\t akSvc.AK_SVC_STATE_ONLINE, function (ret, err) {\n\t\t\tif (akHandleFault(err)) {\n\t\t\t\tif (callback)\n\t\t\t\t\tcallback(true);\n\t\t\t} else {\n\t\t\t\tif (callback)\n\t\t\t\t\tcallback();\n\t\t\t}\n\t\t});\n\t}")
> akSvcView.prototype.commitToServer(enable:false, callback: "function (error) {\n\t\t\takStopWaiting(function () {\n\t\t\t\tif (view.aksvc_done && !error)\n\t\t\t\t\tview.aksvc_done();\n\t\t\t});\n\t\t}")
> akSvcView.prototype.commit(callback:null)
> ( "[object Object]", "[object MouseEvent]")
> (e: "[object MouseEvent]")
> [akEventListenerWrap,click,undefined](e: "[object MouseEvent]")
>
> faultName: EAK_KADM5
>
> In the kadmind.log on the IPA server I get the following:
>
> Dec 17 23:12:05 server.home kadmind[3614](Notice): Request: kadm5_init, admin@HOME, success, client=admin@HOME, service=kadmin/server.home@HOME, addr=192.168.0.112, vers=2, flavor=6
> Dec 17 23:12:05 server.home kadmind[3614](Notice): Unauthorized request: kadm5_create_principal, host/zfs1.home@HOME, client=admin@HOME, service=kadmin/server.home@HOME, addr=192.168.0.112
>
> And in the krb5kdc.log:
>
> Dec 17 23:15:23 server.home krb5kdc[4015](info): AS_REQ (7 etypes {18 17 16 23 24 3 1}) 192.168.0.112: CLIENT_NOT_FOUND: root/zfs1.home@HOME for krbtgt/HOME@HOME, Client not found in Kerberos database
> Dec 17 23:15:23 server.home krb5kdc[4016](info): AS_REQ (7 etypes {18 17 16 23 24 3 1}) 192.168.0.112: CLIENT_NOT_FOUND: host/zfs1.home@HOME for krbtgt/HOME@HOME, Client not found in Kerberos database
>
> If I add the host in IPA I instead get:
>
> Dec 17 23:48:18 server.home krb5kdc[4016](info): ... CONSTRAINED-DELEGATION s4u-client=admin@HOME
> Dec 17 23:48:35 server.home krb5kdc[4016](info): AS_REQ (7 etypes {18 17 16 23 24 3 1}) 192.168.0.112: NEEDED_PREAUTH: admin@HOME for kadmin/server.home@HOME, Additional pre-authentication required
> Dec 17 23:48:35 server.home krb5kdc[4015](info): AS_REQ (7 etypes {18 17 16 23 24 3 1}) 192.168.0.112: ISSUE: authtime 1355784515, etypes {rep=18 tkt=18 ses=18}, admin@HOME for kadmin/server.home@HOME
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: < https://www.redhat.com/archives/freeipa-users/attachments/20121218/aa8c09ef/attachment.html >
>
> ------------------------------
>
> Message: 5
> Date: Mon, 17 Dec 2012 19:36:29 -0500
> From: Dmitri Pal
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Problem generating Oracle ZFS Storage
> Appliance host and nfs principals and keys to IPA/Free IPA.
> Message-ID: <50CFBA8D.6070902 at redhat.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> On 12/17/2012 07:15 PM, Johan Petersson wrote:
> > Hi,
> >
> > When trying to generate a host and nfs principal + keys from the
> > Oracle ZFS 7120/7320 Appliance I get the following error message (note
> > that the information pasted are from a simulator but I get exactly the
> > same error from our real Appliances).
> > I can't generate a key on the IPA server and copy it to the Appliance;
> > unfortunately it does not support that since it has a specialised
> > web interface and CLI.
> > The Appliance wants to generate the principals and keys itself after I
> > add the Kerberos information realm/KDC and admin principal.
> >
> > NTP is synced and DNS is working with reverse, no firewalls and
> > SELinux disabled.
> >
> > I have tested on both Red Hat/CentOS 6.3 and Fedora 17 as IPA servers
> > with the same results.
> >
> > Any ideas on what is wrong and if it is possible to get it working?
> >
> >
> > An unanticipated system error occurred:
> >
> > failed to create principal 'host/zfs1.home@HOME': libkadm5clnt error:
> > 43787522 (Operation requires ``add'' privilege)
>
> Do you have this principal already precreated?
> It seems that the client tries to create a principal using its kadmin
> library. I am not sure it would work.
> The protocol we use in ipa-getkeytab is not a kadmin protocol. As far as
> I recall it does an LDAP extended operation.
>
> >
> > Exception type: coXmlrpcFault
> > Native message: failed to create principal 'host/zfs1.home@HOME':
> > libkadm5clnt error: 43787522 (Operation requires ``add'' privilege)
> > Mapped stack trace:
> >
> > Native file: line ?
> > Native stack trace:
> > Message:
> > Wrapped exception:
> > Stack trace:
> >
> >
> > at https://192.168.0.112:215/lib/crazyolait/index.js:370:21
> > Additional native members:
> > faultCode: 600
> > faultString: failed to create principal 'host/zfs1.home@HOME':
> > libkadm5clnt error: 43787522 (Operation requires ``add'' privilege)
> > coStack: top.akMulticall(argv: "[object Object]", abort:true, func: "function (ret, err, idx) {\n\t\t\tif (err && err.faultName !== 'EAK_KRB5_NOENT') {\n\t\t\t\takHandleFault(err, { set: widget.aknsn_vs });\n\t\t\t\treturn;\n\t\t\t}\n\t\t\tcommitprop(callback);\n\t\t}")
> > nasServiceNFS.prototype.commit(callback: "function (err) {\n\t\tif (akHandleFault(err, {\n\t\t set: view.aksvc_current_set\n\t\t })) {\n\t\t\tif (callback)\n\t\t\t\tcallback(true);\n\t\t\tview.changed(true);\n\t\t\treturn;\n\t\t}\n\n\t\t/*\n\n\n\t\t */\n\t\tview.changed(false);\n\n\t\tif (enable === false) {\n\t\t\tif (callback)\n\t\t\t\tcallback();\n\t\t\treturn;\n\t\t}\n\n\t\takService.svc.setCompositeState(view.aksvc_id,\n\t\t akSvc.AK_SVC_STATE_ONLINE, function (ret, err) {\n\t\t\tif (akHandleFault(err)) {\n\t\t\t\tif (callback)\n\t\t\t\t\tcallback(true);\n\t\t\t} else {\n\t\t\t\tif (callback)\n\t\t\t\t\tcallback();\n\t\t\t}\n\t\t});\n\t}")
> > akSvcView.prototype.commitToServer(enable:false, callback: "function (error) {\n\t\t\takStopWaiting(function () {\n\t\t\t\tif (view.aksvc_done && !error)\n\t\t\t\t\tview.aksvc_done();\n\t\t\t});\n\t\t}")
> > akSvcView.prototype.commit(callback:null)
> > ( "[object Object]", "[object MouseEvent]")
> > (e: "[object MouseEvent]")
> > [akEventListenerWrap,click,undefined](e: "[object MouseEvent]")
> >
> > faultName: EAK_KADM5
> >
> > In the kadmind.log on the IPA server I get the following:
> >
> > Dec 17 23:12:05 server.home kadmind[3614](Notice): Request: kadm5_init, admin@HOME, success, client=admin@HOME, service=kadmin/server.home@HOME, addr=192.168.0.112, vers=2, flavor=6
> > Dec 17 23:12:05 server.home kadmind[3614](Notice): Unauthorized request: kadm5_create_principal, host/zfs1.home@HOME, client=admin@HOME, service=kadmin/server.home@HOME, addr=192.168.0.112
> >
> > And in the krb5kdc.log:
> >
> > Dec 17 23:15:23 server.home krb5kdc[4015](info): AS_REQ (7 etypes {18 17 16 23 24 3 1}) 192.168.0.112: CLIENT_NOT_FOUND: root/zfs1.home@HOME for krbtgt/HOME@HOME, Client not found in Kerberos database
> > Dec 17 23:15:23 server.home krb5kdc[4016](info): AS_REQ (7 etypes {18 17 16 23 24 3 1}) 192.168.0.112: CLIENT_NOT_FOUND: host/zfs1.home@HOME for krbtgt/HOME@HOME, Client not found in Kerberos database
> >
> > If I add the host in IPA I instead get:
> >
> > Dec 17 23:48:18 server.home krb5kdc[4016](info): ... CONSTRAINED-DELEGATION s4u-client=admin@HOME
> > Dec 17 23:48:35 server.home krb5kdc[4016](info): AS_REQ (7 etypes {18 17 16 23 24 3 1}) 192.168.0.112: NEEDED_PREAUTH: admin@HOME for kadmin/server.home@HOME, Additional pre-authentication required
> > Dec 17 23:48:35 server.home krb5kdc[4015](info): AS_REQ (7 etypes {18 17 16 23 24 3 1}) 192.168.0.112: ISSUE: authtime 1355784515, etypes {rep=18 tkt=18 ses=18}, admin@HOME for kadmin/server.home@HOME
> >
> >
> > _______________________________________________
> > Freeipa-users mailing list
> > Freeipa-users at redhat.com
> > https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>
>
> -------------------------------
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
>
>
>
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: < https://www.redhat.com/archives/freeipa-users/attachments/20121217/7f262831/attachment.html >
>
> ------------------------------
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
> End of Freeipa-users Digest, Vol 53, Issue 25
> *********************************************

From Johan.Petersson at sscspace.com Tue Dec 18 05:24:08 2012
From: Johan.Petersson at sscspace.com (Johan Petersson)
Date: Tue, 18 Dec 2012 05:24:08 +0000
Subject: [Freeipa-users] Problem generating Oracle ZFS Storage Appliance host and nfs principals and keys to IPA/Free IPA.
In-Reply-To: <1355797259.5073.444.camel@willson.li.ssimo.org>
References: <558C15177F5E714F83334217C9A197DF5DB40720@SSC-MBX2.ssc.internal>, <1355797259.5073.444.camel@willson.li.ssimo.org>
Message-ID: <558C15177F5E714F83334217C9A197DF5DB41749@SSC-MBX2.ssc.internal>

Hi,

Unfortunately I still get the same error from the Appliance even after having added both host and nfs principals in the IPA web interface.

"failed to create principal 'host/zfs1.home@HOME': libkadm5clnt error: 43787522 (Operation requires ``add'' privilege)"

I get the impression that the Appliance does not recognize existing principals since I still get the same create principal error. So it seems that it does not cope with pre-existing principals, at least not from IPA Server.

I will contact Oracle about this issue and see what they say.

Thank you for your help,

Johan.

________________________________________
From: Simo Sorce [simo at redhat.com]
Sent: Tuesday, December 18, 2012 03:20
To: Johan Petersson
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Problem generating Oracle ZFS Storage Appliance host and nfs principals and keys to IPA/Free IPA.

On Tue, 2012-12-18 at 00:15 +0000, Johan Petersson wrote:
> Hi,

Hi Johan, see inline.

> When trying to generate a host and nfs principal + keys from the
> Oracle ZFS 7120/7320 Appliance I get the following error message (note
> that the information pasted are from a simulator but I get exactly the
> same error from our real Appliances).
> I can't generate a key on the IPA server and copy it to the Appliance;
> unfortunately it does not support that since it has a specialised
> web interface and CLI.
> The Appliance wants to generate the principals and keys itself after I
> add the Kerberos information realm/KDC and admin principal.
>
>
> NTP is synced and DNS is working with reverse, no firewalls and
> SELinux disabled.
>
>
> I have tested on both Red Hat/CentOS 6.3 and Fedora 17 as IPA servers
> with the same results.
>
>
> Any ideas on what is wrong and if it is possible to get it working?
>
>
>
>
> An unanticipated system error occurred:
>
>
> failed to create principal 'host/zfs1.home@HOME': libkadm5clnt error:
> 43787522 (Operation requires ``add'' privilege)
>

We do not allow tools the permissions to perform add operations via the kadmin interface; this is done by explicitly disallowing certain internal DAL operations in our driver, so it is not configurable. This is because that interface is not rich enough to provide all the information we normally associate to principals in LDAP entries.

Does the appliance work if you pre-create the principal?

It sounds very odd that these 'appliances' really require you to give them credentials that have very high privileges, so high as to be able to actually add principals into a kerberos database. I would consider that a very serious bug and security issue in the appliance.

Note that the kadmin interface can be allowed to change principals, including getting a new keytab. That will require you to manually edit the ACL file that is not normally configured, as we do not need to allow modifications via the kadmin interface in normal IPA domains.

So if this appliance can deal with just modifying a principal to get a keytab, as opposed to trying to create one from scratch, then you may be able to configure FreeIPA's kadmin to do that.

> Exception type: coXmlrpcFault
> Native message: failed to create principal 'host/zfs1.home@HOME':
> libkadm5clnt error: 43787522 (Operation requires ``add'' privilege)
> Mapped stack trace:
>
>
> Native file: line ?
> Native stack trace:
> Message:
> Wrapped exception:
> Stack trace:
>
>
>
> at https://192.168.0.112:215/lib/crazyolait/index.js:370:21
> Additional native members:
> faultCode: 600
> faultString: failed to create principal 'host/zfs1.home@HOME':
> libkadm5clnt error: 43787522 (Operation requires ``add'' privilege)
> coStack: top.akMulticall(argv: "[object Object]", abort:true, func: "function (ret, err, idx) {\n\t\t\tif (err && err.faultName !== 'EAK_KRB5_NOENT') {\n\t\t\t\takHandleFault(err, { set: widget.aknsn_vs });\n\t\t\t\treturn;\n\t\t\t}\n\t\t\tcommitprop(callback);\n\t\t}")
> nasServiceNFS.prototype.commit(callback: "function (err) {\n\t\tif (akHandleFault(err, {\n\t\t set: view.aksvc_current_set\n\t\t })) {\n\t\t\tif (callback)\n\t\t\t\tcallback(true);\n\t\t\tview.changed(true);\n\t\t\treturn;\n\t\t}\n\n\t\t/*\n\n\n\t\t */\n\t\tview.changed(false);\n\n\t\tif (enable === false) {\n\t\t\tif (callback)\n\t\t\t\tcallback();\n\t\t\treturn;\n\t\t}\n\n\t\takService.svc.setCompositeState(view.aksvc_id,\n\t\t akSvc.AK_SVC_STATE_ONLINE, function (ret, err) {\n\t\t\tif (akHandleFault(err)) {\n\t\t\t\tif (callback)\n\t\t\t\t\tcallback(true);\n\t\t\t} else {\n\t\t\t\tif (callback)\n\t\t\t\t\tcallback();\n\t\t\t}\n\t\t});\n\t}")
> akSvcView.prototype.commitToServer(enable:false, callback: "function (error) {\n\t\t\takStopWaiting(function () {\n\t\t\t\tif (view.aksvc_done && !error)\n\t\t\t\t\tview.aksvc_done();\n\t\t\t});\n\t\t}")
> akSvcView.prototype.commit(callback:null)
> ( "[object Object]", "[object MouseEvent]")
> (e: "[object MouseEvent]")
> [akEventListenerWrap,click,undefined](e: "[object MouseEvent]")
>
>
> faultName: EAK_KADM5
>
>
> In the kadmind.log on the IPA server I get the following:
>
>
> Dec 17 23:12:05 server.home kadmind[3614](Notice): Request: kadm5_init, admin@HOME, success, client=admin@HOME, service=kadmin/server.home@HOME, addr=192.168.0.112, vers=2, flavor=6
> Dec 17 23:12:05 server.home kadmind[3614](Notice): Unauthorized request: kadm5_create_principal, host/zfs1.home@HOME, client=admin@HOME, service=kadmin/server.home@HOME, addr=192.168.0.112
>
>
> And in the krb5kdc.log:
>
>
> Dec 17 23:15:23 server.home krb5kdc[4015](info): AS_REQ (7 etypes {18 17 16 23 24 3 1}) 192.168.0.112: CLIENT_NOT_FOUND: root/zfs1.home@HOME for krbtgt/HOME@HOME, Client not found in Kerberos database
> Dec 17 23:15:23 server.home krb5kdc[4016](info): AS_REQ (7 etypes {18 17 16 23 24 3 1}) 192.168.0.112: CLIENT_NOT_FOUND: host/zfs1.home@HOME for krbtgt/HOME@HOME, Client not found in Kerberos database

All this is pretty much expected if this appliance tries to create principals via the kadmin add API.

>
> If I add the host in IPA I instead get:
>
>
> Dec 17 23:48:18 server.home krb5kdc[4016](info): ... CONSTRAINED-DELEGATION s4u-client=admin@HOME
> Dec 17 23:48:35 server.home krb5kdc[4016](info): AS_REQ (7 etypes {18 17 16 23 24 3 1}) 192.168.0.112: NEEDED_PREAUTH: admin@HOME for kadmin/server.home@HOME, Additional pre-authentication required
> Dec 17 23:48:35 server.home krb5kdc[4015](info): AS_REQ (7 etypes {18 17 16 23 24 3 1}) 192.168.0.112: ISSUE: authtime 1355784515, etypes {rep=18 tkt=18 ses=18}, admin@HOME for kadmin/server.home@HOME

I see no problem in here, so does the appliance cope with pre-existing principals?

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From Johan.Petersson at sscspace.com Tue Dec 18 07:28:31 2012
From: Johan.Petersson at sscspace.com (Johan Petersson)
Date: Tue, 18 Dec 2012 07:28:31 +0000
Subject: [Freeipa-users] Does Solaris 11 work as client to IPA server?
Message-ID: <558C15177F5E714F83334217C9A197DF5DB4175B@SSC-MBX2.ssc.internal>

Hi,

We are implementing IPA Server and are going to need to be able to authenticate properly with a number of Solaris 11 servers.

I have browsed the archives and found a few threads mentioning some problems with Solaris 11 and IPA Server.
Does anyone know if the issue has been solved?

Johan.

From jcholast at redhat.com Tue Dec 18 08:38:09 2012
From: jcholast at redhat.com (Jan Cholasta)
Date: Tue, 18 Dec 2012 09:38:09 +0100
Subject: [Freeipa-users] Allow IPA users to create SSH tunnel with no shell
In-Reply-To:
References: <50CEE12B.8010000@redhat.com> <1355754971.5073.307.camel@willson.li.ssimo.org>
Message-ID: <50D02B71.5070400@redhat.com>

Actually, I wanted to make something like this in SSH user impersonation, . My idea was to allow overriding of authorized_keys options in impersonation rules. In your case, you could have a special user account "tunnel" that would be used to access the tunnel and set up impersonation so that members of group "tunnelusers" could impersonate user "tunnel" with authorized_keys options command, permitopen, no-agent-forwarding and no-x11-forwarding overridden. That way, any user in the "tunnelusers" group would be able to log in with their normal public keys (with no authorized_keys options) as user "tunnel" and have authorized_keys options set to the needed values by the impersonation rule. Of course, that would work only with SSH public key authentication.

BTW, if the tunnel is provided only by a single or a small number of systems, you can configure sshd on these systems to do what you want without using authorized_keys options (see man sshd_config, directives ForceCommand, PermitOpen, AllowAgentForwarding, X11Forwarding and possibly Match).

Honza

On 17.12.2012 16:30, Albert Adams wrote:
> An HBAC extension would certainly be appreciated. I'm not sure how other organizations are setup but in our environment we don't give shell access unless absolutely necessary and we use a lot of SSH tunneling with target services bound to localhost.
> If I can figure out the correct syntax to get the perl command added to the user's public key in IPA (as Honza suggested) then that will provide a workaround for the time being. Ultimately it would be awesome to have the same level of granularity that the local authorized_keys file allowed while reaping the benefits of centralized management.
>
> Albert
>
> On Mon, Dec 17, 2012 at 9:36 AM, Simo Sorce wrote:
>
> > On Mon, 2012-12-17 at 09:07 -0500, Albert Adams wrote:
> > > Thank you for the responses. I was initially attempting to set this value via the web UI and if I entered anything other than the hash value of the user's public key it would get rejected. After thinking about your response I realize that I really need to determine a method of doing this via a HBAC rule. If I accomplish this with authorized_keys then the user is restricted across the board and would not be able to gain a shell on any system whereas HBAC would allow me to restrict their access as needed. We currently require users to tunnel over SSH to gain access to certain sensitive web apps (like Nessus) but those same users have shell access on a few boxes. Thoughts??
> >
> > One thing you could do is to use the override_shell parameter in sssd. However this one would override the shell for all users so just putting /sbin/nologin there would not work if you need some users to be able to log in (if you care only for root logins it would be enough).
> >
> > However you can still manage to use it to point to a script that would test something like whether the user belongs to a group or not, and if so run either /bin/bash or /bin/nologin
> >
> > This seems like a nice feature request for FreeIPA though, maybe we can extend HBAC to allow a special option to define a shell, maybe creating a special 'shell' service that sssd can properly interpret as a hint to set nologin vs the actual shell.
> >
> > Dmitri, should we open a RFE on this ?
> >
> > Simo.
> >
> > --
> > Simo Sorce * Red Hat, Inc * New York
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

--
Jan Cholasta

From sigbjorn at nixtra.com Tue Dec 18 09:06:09 2012
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Tue, 18 Dec 2012 10:06:09 +0100 (CET)
Subject: [Freeipa-users] Does Solaris 11 work as client to IPA server?
In-Reply-To: <558C15177F5E714F83334217C9A197DF5DB4175B@SSC-MBX2.ssc.internal>
References: <558C15177F5E714F83334217C9A197DF5DB4175B@SSC-MBX2.ssc.internal>
Message-ID: <20801.213.225.75.97.1355821569.squirrel@www.nixtra.com>

On Tue, December 18, 2012 08:28, Johan Petersson wrote:
> Hi,
>
> We are implementing IPA Server and are going to need to be able to authenticate properly with a number of Solaris 11 servers. I have browsed the archives and found a few threads mentioning some problems with Solaris 11 and IPA Server. Does anyone know if the issue has been solved?
>

I don't think there are any problems with Solaris 11 except that nobody has yet sat down and figured out how to configure it as an IPA client yet.

I had a go at it a while ago (some of the posts you've probably found), and found that there were enough differences in the LDAP/Kerberos client between Solaris 10 and Solaris 11 for making it work with the setup guide I've created for Solaris 10. And there was a need for further investigation for finding out how to configure Solaris 11 as an IPA client.

I've not looked into this further as we do not use Solaris 11 yet.

I don't know if anyone else has had time to sit down and have a crack at this?

Regards,
Siggi

From jhrozek at redhat.com Tue Dec 18 09:39:56 2012
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Tue, 18 Dec 2012 10:39:56 +0100
Subject: [Freeipa-users] anyone know how to do sssd filters?
In-Reply-To: <50CF8887.9020306@redhat.com>
References: <50CF8887.9020306@redhat.com>
Message-ID: <20121218093956.GE11432@hendrix.redhat.com>

On Mon, Dec 17, 2012 at 04:03:03PM -0500, Dmitri Pal wrote:
> On 12/17/2012 03:11 PM, KodaK wrote:
> > I'm attempting to install Satellite in my IPA domain. There is a ridiculous requirement that the group "dba" must not already exist prior to installing. Red Hat support wanted me to *remove* the DBA group and then install.
> >
> > Anyway, I'm trying to play around with filter_groups in sssd, and I can't seem to get it to "take." The man page isn't exactly clear, but here's what I've tried:
> >
> > filter_groups = dba
> > filter_groups= dba at fqdn
> >
> > In the [domain], [sssd] and [nss] sections of the config file.
> >
> > What's the right syntax? Do I need it in every section?
> >
> Is it a local group or a central group?

Where Dmitri's question is headed is that if dba is a local group (aka stored in /etc/passwd), then the SSSD should be queried at all.

From jhrozek at redhat.com Tue Dec 18 09:51:08 2012
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Tue, 18 Dec 2012 10:51:08 +0100
Subject: [Freeipa-users] anyone know how to do sssd filters?
In-Reply-To: <20121218093956.GE11432@hendrix.redhat.com>
References: <50CF8887.9020306@redhat.com> <20121218093956.GE11432@hendrix.redhat.com>
Message-ID: <20121218095108.GF11432@hendrix.redhat.com>

On Tue, Dec 18, 2012 at 10:39:56AM +0100, Jakub Hrozek wrote:
> On Mon, Dec 17, 2012 at 04:03:03PM -0500, Dmitri Pal wrote:
> > On 12/17/2012 03:11 PM, KodaK wrote:
> > > I'm attempting to install Satellite in my IPA domain. There is a ridiculous requirement that the group "dba" must not already exist prior to installing. Red Hat support wanted me to *remove* the DBA group and then install.
> > >
> > > Anyway, I'm trying to play around with filter_groups in sssd, and I can't seem to get it to "take."
> > > The man page isn't exactly clear, but here's what I've tried:
> > >
> > > filter_groups = dba
> > > filter_groups= dba at fqdn
> > >
> > > In the [domain], [sssd] and [nss] sections of the config file.
> > >
> > > What's the right syntax? Do I need it in every section?
> > >
> > Is it a local group or a central group?
>
> Where Dmitri's question is headed is that if dba is a local group (aka stored in /etc/passwd), then the SSSD should be queried at all.
^^^
/etc/group obviously

From simo at redhat.com Tue Dec 18 12:58:20 2012
From: simo at redhat.com (Simo Sorce)
Date: Tue, 18 Dec 2012 07:58:20 -0500
Subject: [Freeipa-users] FreeIPA and Samba 4
In-Reply-To:
References:
Message-ID: <1355835501.5073.447.camel@willson.li.ssimo.org>

On Mon, 2012-12-17 at 22:48 -0500, William Muriithi wrote:
> > > I know this may be a loaded question, but I am asking it anyways.
> > >
> > > Can anyone tell me what the current status and future plan for IPA / Samba 4 is?
> >
> > We plan to support setting up trusts with Samba4 just like we do with AD when Samba4 will start supporting Cross-forest trusts. It currently doesn't.
> >
> > Simo.
>
> Yes, it's amazing samba4 has finally gone GA. Plan to set up an instance as a backup AD to existing AD some day when I get some time. Not well documented though, wish there was a well written book on it. Anyway backup AD would be the best way to set some experience I am assuming
>
> A related question, would there be any need to have a replica when using trust if the AD is just one instance? What I am asking in another way is, if the AD fails, wouldn't the FreeIPA fail to authenticate users till AD issues are fixed?

It depends on the case. In general the answer would be yes, however.

- if you already have a cross-realm TGT you should still be able to access all IPA services as the AD KDC is not required until a renew is necessary.
- if you do password based logins then sssd may cache offline credentials and still let you in (but you will not have a TGT, so you may not use kerberized services).

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From simo at redhat.com Tue Dec 18 13:07:31 2012
From: simo at redhat.com (Simo Sorce)
Date: Tue, 18 Dec 2012 08:07:31 -0500
Subject: [Freeipa-users] Problem generating Oracle ZFS Storage Appliance host and nfs principals and keys to IPA/Free IPA.
In-Reply-To: <558C15177F5E714F83334217C9A197DF5DB41749@SSC-MBX2.ssc.internal>
References: <558C15177F5E714F83334217C9A197DF5DB40720@SSC-MBX2.ssc.internal> <1355797259.5073.444.camel@willson.li.ssimo.org> <558C15177F5E714F83334217C9A197DF5DB41749@SSC-MBX2.ssc.internal>
Message-ID: <1355836051.5073.450.camel@willson.li.ssimo.org>

On Tue, 2012-12-18 at 05:24 +0000, Johan Petersson wrote:
> Hi,
>
> Unfortunately I still get the same error from the Appliance even after having added both host and nfs principals in the IPA web interface.
>
> "failed to create principal 'host/zfs1.home at HOME': libkadm5clnt error: 43787522 (Operation requires ``add'' privilege)"
>
> I get the impression that the Appliance does not recognize existing principals since I still get the same create principal error.
> So it seems that it does not cope with pre-existing principals, at least not from IPA Server.
> I will contact Oracle about this issue and see what they say.

Is there any support for using this appliance in an Active Directory domain ? It is possible that they have alternative instructions there. IIRC AD also does not allow you to create principals via the kadmin interface. However they may have tied the 'AD option', if any, in knots so that it also doesn't work with anything but a real AD.

It would be nice to hear how Oracle justifies requiring high credentials on an appliance otherwise.

Simo.
--
Simo Sorce * Red Hat, Inc * New York

From sakodak at gmail.com Tue Dec 18 15:07:25 2012
From: sakodak at gmail.com (KodaK)
Date: Tue, 18 Dec 2012 09:07:25 -0600
Subject: [Freeipa-users] anyone know how to do sssd filters?
In-Reply-To: <20121218095108.GF11432@hendrix.redhat.com>
References: <50CF8887.9020306@redhat.com> <20121218093956.GE11432@hendrix.redhat.com> <20121218095108.GF11432@hendrix.redhat.com>
Message-ID:

On Tue, Dec 18, 2012 at 3:51 AM, Jakub Hrozek wrote:
> On Tue, Dec 18, 2012 at 10:39:56AM +0100, Jakub Hrozek wrote:
>> On Mon, Dec 17, 2012 at 04:03:03PM -0500, Dmitri Pal wrote:
>> > On 12/17/2012 03:11 PM, KodaK wrote:
>> > > I'm attempting to install Satellite in my IPA domain. There is a ridiculous requirement that the group "dba" must not already exist prior to installing. Red Hat support wanted me to *remove* the DBA group and then install.
>> > >
>> > > Anyway, I'm trying to play around with filter_groups in sssd, and I can't seem to get it to "take." The man page isn't exactly clear, but here's what I've tried:
>> > >
>> > > filter_groups = dba
>> > > filter_groups= dba at fqdn
>> > >
>> > > In the [domain], [sssd] and [nss] sections of the config file.
>> > >
>> > > What's the right syntax? Do I need it in every section?
>> > >
>> > Is it a local group or a central group?
>>
>> Where Dmitri's question is headed is that if dba is a local group (aka stored in /etc/passwd), then the SSSD should be queried at all.
> ^^^
> /etc/group obviously

I figured. :)

The group "dba" is stored in IPA. Here's a funny thing, though (short rundown):

Installed RHEL 6.3 on Satellite server, joined it to the domain.

Try to install Satellite: get the "Could not install database."

I try to filter out the group in IPA, try to install Satellite, get: "The group 'dba' should exist." This makes me think that the filter is doing every "dba" not just dba on the IPA server.
I removed the Satellite server from IPA (ipa-client-install --uninstall) and I get the same message (dba should exist.)

Fun stuff.

Now I'm re-installing RHEL so I can start from scratch, and I'll attempt to install Satellite without joining it to the domain. I'm not fond of this option -- I don't want to have stand-alone machines that I have to manage separately, that's why I installed IPA in the first place.

From sakodak at gmail.com Tue Dec 18 15:00:29 2012
From: sakodak at gmail.com (KodaK)
Date: Tue, 18 Dec 2012 09:00:29 -0600
Subject: [Freeipa-users] anyone know how to do sssd filters?
In-Reply-To: <50CF8887.9020306@redhat.com>
References: <50CF8887.9020306@redhat.com>
Message-ID:

On Mon, Dec 17, 2012 at 3:03 PM, Dmitri Pal wrote:
> On 12/17/2012 03:11 PM, KodaK wrote:
>> I'm attempting to install Satellite in my IPA domain. There is a ridiculous requirement that the group "dba" must not already exist prior to installing. Red Hat support wanted me to *remove* the DBA group and then install.
>>
>> Anyway, I'm trying to play around with filter_groups in sssd, and I can't seem to get it to "take." The man page isn't exactly clear, but here's what I've tried:
>>
>> filter_groups = dba
>> filter_groups= dba at fqdn
>>
>> In the [domain], [sssd] and [nss] sections of the config file.
>>
>> What's the right syntax? Do I need it in every section?
>>
> Is it a local group or a central group?

Central group, in IPA.

From jhrozek at redhat.com Tue Dec 18 15:17:38 2012
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Tue, 18 Dec 2012 16:17:38 +0100
Subject: [Freeipa-users] anyone know how to do sssd filters?
In-Reply-To:
References: <50CF8887.9020306@redhat.com> <20121218093956.GE11432@hendrix.redhat.com> <20121218095108.GF11432@hendrix.redhat.com>
Message-ID: <20121218151738.GN11432@hendrix.redhat.com>

On Tue, Dec 18, 2012 at 09:07:25AM -0600, KodaK wrote:
> On Tue, Dec 18, 2012 at 3:51 AM, Jakub Hrozek wrote:
> > On Tue, Dec 18, 2012 at 10:39:56AM +0100, Jakub Hrozek wrote:
> >> On Mon, Dec 17, 2012 at 04:03:03PM -0500, Dmitri Pal wrote:
> >> > On 12/17/2012 03:11 PM, KodaK wrote:
> >> > > I'm attempting to install Satellite in my IPA domain. There is a ridiculous requirement that the group "dba" must not already exist prior to installing. Red Hat support wanted me to *remove* the DBA group and then install.
> >> > >
> >> > > Anyway, I'm trying to play around with filter_groups in sssd, and I can't seem to get it to "take." The man page isn't exactly clear, but here's what I've tried:
> >> > >
> >> > > filter_groups = dba
> >> > > filter_groups= dba at fqdn
> >> > >
> >> > > In the [domain], [sssd] and [nss] sections of the config file.
> >> > >
> >> > > What's the right syntax? Do I need it in every section?
> >> > >
> >> > Is it a local group or a central group?
> >>
> >> Where Dmitri's question is headed is that if dba is a local group (aka stored in /etc/passwd), then the SSSD should be queried at all.
> > ^^^
> > /etc/group obviously
>
> I figured. :)
>
> The group "dba" is stored in IPA. Here's a funny thing, though (short rundown):
>
> Installed RHEL 6.3 on Satellite server, joined it to the domain.
>
> Try to install Satellite: get the "Could not install database."
>
> I try to filter out the group in IPA, try to install Satellite, get: "The group 'dba' should exist." This makes me think that the filter is doing every "dba" not just dba on the IPA server.
>
> I removed the Satellite server from IPA (ipa-client-install --uninstall) and I get the same message (dba should exist.)
>
> Fun stuff.
>

Unless you wiped out the machine completely, do you know if:

$ getent group -s sss dba

Returned the group or not?

I wouldn't be surprised if the installer tools checked the files directly..

> Now I'm re-installing RHEL so I can start from scratch, and I'll attempt to install Satellite without joining it to the domain. I'm not fond of this option -- I don't want to have stand-alone machines that I have to manage separately, that's why I installed IPA in the first place.

From sakodak at gmail.com Tue Dec 18 16:38:49 2012
From: sakodak at gmail.com (KodaK)
Date: Tue, 18 Dec 2012 10:38:49 -0600
Subject: [Freeipa-users] anyone know how to do sssd filters?
In-Reply-To: <20121218151738.GN11432@hendrix.redhat.com>
References: <50CF8887.9020306@redhat.com> <20121218093956.GE11432@hendrix.redhat.com> <20121218095108.GF11432@hendrix.redhat.com> <20121218151738.GN11432@hendrix.redhat.com>
Message-ID:

On Tue, Dec 18, 2012 at 9:17 AM, Jakub Hrozek wrote:
> On Tue, Dec 18, 2012 at 09:07:25AM -0600, KodaK wrote:
>> On Tue, Dec 18, 2012 at 3:51 AM, Jakub Hrozek wrote:
>> > On Tue, Dec 18, 2012 at 10:39:56AM +0100, Jakub Hrozek wrote:
>> >> On Mon, Dec 17, 2012 at 04:03:03PM -0500, Dmitri Pal wrote:
>> >> > On 12/17/2012 03:11 PM, KodaK wrote:
>> >> > > I'm attempting to install Satellite in my IPA domain. There is a ridiculous requirement that the group "dba" must not already exist prior to installing. Red Hat support wanted me to *remove* the DBA group and then install.
>> >> > >
>> >> > > Anyway, I'm trying to play around with filter_groups in sssd, and I can't seem to get it to "take." The man page isn't exactly clear, but here's what I've tried:
>> >> > >
>> >> > > filter_groups = dba
>> >> > > filter_groups= dba at fqdn
>> >> > >
>> >> > > In the [domain], [sssd] and [nss] sections of the config file.
>> >> > >
>> >> > > What's the right syntax? Do I need it in every section?
>> >> > >
>> >> > Is it a local group or a central group?
>> >>
>> >> Where Dmitri's question is headed is that if dba is a local group (aka stored in /etc/passwd), then the SSSD should be queried at all.
>> > ^^^
>> > /etc/group obviously
>>
>> I figured. :)
>>
>> The group "dba" is stored in IPA. Here's a funny thing, though (short rundown):
>>
>> Installed RHEL 6.3 on Satellite server, joined it to the domain.
>>
>> Try to install Satellite: get the "Could not install database."
>>
>> I try to filter out the group in IPA, try to install Satellite, get: "The group 'dba' should exist." This makes me think that the filter is doing every "dba" not just dba on the IPA server.
>>
>> I removed the Satellite server from IPA (ipa-client-install --uninstall) and I get the same message (dba should exist.)
>>
>> Fun stuff.
>>
>
> Unless you wiped out the machine completely, do you know if:
>
> $ getent group -s sss dba
>
> Returned the group or not?
>
> I wouldn't be surprised if the installer tools checked the files directly..

I did wipe it out, but I do know that "getent group dba" returned the IPA group *before* I put in the filter, I stupidly didn't check after.

I'm in the middle of re-installing the OS now on the VM, we'll see how it goes. Red Hat says they got it to work in their lab with an IPA controlled Oracle user and dba group.

--
The government is going to read our mail anyway, might as well make it tough for them.
GPG Public key ID: B6A1A7C6

From dpal at redhat.com Tue Dec 18 16:50:27 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Tue, 18 Dec 2012 11:50:27 -0500
Subject: [Freeipa-users] Does Solaris 11 work as client to IPA server?
In-Reply-To: <20801.213.225.75.97.1355821569.squirrel@www.nixtra.com>
References: <558C15177F5E714F83334217C9A197DF5DB4175B@SSC-MBX2.ssc.internal> <20801.213.225.75.97.1355821569.squirrel@www.nixtra.com>
Message-ID: <50D09ED3.3030102@redhat.com>

On 12/18/2012 04:06 AM, Sigbjorn Lie wrote:
> On Tue, December 18, 2012 08:28, Johan Petersson wrote:
>> Hi,
>>
>> We are implementing IPA Server and are going to need to be able to authenticate properly with a number of Solaris 11 servers. I have browsed the archives and found a few threads mentioning some problems with Solaris 11 and IPA Server. Does anyone know if the issue has been solved?
>>
> I don't think there are any problems with Solaris 11 except that nobody has yet sat down and figured out how to configure it as an IPA client yet.
>
> I had a go at it a while ago (some of the posts you've probably found), and found that there were enough differences in the LDAP/Kerberos client between Solaris 10 and Solaris 11 for making it work with the setup guide I've created for Solaris 10. And there was a need for further investigation for finding out how to configure Solaris 11 as an IPA client.
>
> I've not looked into this further as we do not use Solaris 11 yet.
>
> I don't know if anyone else has had time to sit down and have a crack at this?

And we would like to hear about this effort. If it produces instructions we would like to put them on the wiki. If it produces bugs we would investigate them.

>
> Regards,
> Siggi

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From andrerobauru at gmail.com Tue Dec 18 18:26:47 2012
From: andrerobauru at gmail.com (Andre Rodrigues)
Date: Tue, 18 Dec 2012 16:26:47 -0200
Subject: [Freeipa-users] testing AD trust on Fedora 18
Message-ID:

Hi all,

I'm testing AD trust following this how to: http://www.freeipa.org/page/IPAv3_testing_AD_trust

but when I set "ipa dnszone-add" I get this:

[root at m ~] ipa dnszone-add --name-server= --admin-email= --force --forwarder= --forward-policy=only
ipa: ERROR: unable to parse cookie header 'ipa_session=f963e8e4006fdcd79e1a2a5a989b4d01; Domain=; Path=/ipa; Expires=Thu, 18 Dec 2012 13:54:33 GMT; Secure; HttpOnly': unable to parse expires datetime 'Thu, 18 Dec 2012 13:54:33'

and when I set "ipa trust-add" I get the following error:

[root at m ~] ipa trust-add --type=ad --admin Adminstrator --password
Active directory domain administrator's password:
ipa: ERROR: unable to parse cookie header 'ipa_session=7d6aeb2c92ff3197a9d3c04421f6ba15; Domain=; Path=/ipa; Expires=Tue, 18 Dec 2012 18:32:05 GMT; Secure; HttpOnly': unable to parse expires datetime 'Tue, 18 Dec 2012 18:32:05'
ipa: ERROR: Cannot perform join operation without Samba 4 support installed. Make sure you have installed server-trust-ad sub-package of IPA

but I have the server-trust-ad installed:

[root at m ~]# rpm -qa | grep freeipa
freeipa-client-3.1.0-1.fc18.x86_64
freeipa-server-3.1.0-1.fc18.x86_64
freeipa-python-3.1.0-1.fc18.x86_64
freeipa-server-strict-3.1.0-1.fc18.x86_64
>freeipa-server-trust-ad-3.1.0-1.fc18.x86_64
freeipa-admintools-3.1.0-1.fc18.x86_64
freeipa-server-selinux-3.1.0-1.fc18.x86_64

so... any ideas?

From cao2dan at yahoo.com Tue Dec 18 18:39:50 2012
From: cao2dan at yahoo.com (David Copperfield)
Date: Tue, 18 Dec 2012 10:39:50 -0800 (PST)
Subject: [Freeipa-users] Backup and Restore procedures for IPA 2.2.0?
In-Reply-To: <50D09ED3.3030102@redhat.com>
References: <558C15177F5E714F83334217C9A197DF5DB4175B@SSC-MBX2.ssc.internal> <20801.213.225.75.97.1355821569.squirrel@www.nixtra.com> <50D09ED3.3030102@redhat.com>
Message-ID: <1355855990.95445.YahooMailNeo@web122603.mail.ne1.yahoo.com>

Hi all,

Is the backup and restore procedure for IPA available now? It's rumored months back that someone was working on it but not sure what is the progress on it. Please shed a light if you have any ideas.

I'm running the default latest 2.2.0 IPA on Redhat/Centos 6.3.

Thanks.
David

From dpal at redhat.com Tue Dec 18 18:42:18 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Tue, 18 Dec 2012 13:42:18 -0500
Subject: [Freeipa-users] Backup and Restore procedures for IPA 2.2.0?
In-Reply-To: <1355855990.95445.YahooMailNeo@web122603.mail.ne1.yahoo.com>
References: <558C15177F5E714F83334217C9A197DF5DB4175B@SSC-MBX2.ssc.internal> <20801.213.225.75.97.1355821569.squirrel@www.nixtra.com> <50D09ED3.3030102@redhat.com> <1355855990.95445.YahooMailNeo@web122603.mail.ne1.yahoo.com>
Message-ID: <50D0B90A.4070500@redhat.com>

On 12/18/2012 01:39 PM, David Copperfield wrote:
> Hi all,
>
> Is the backup and restore procedure for IPA available now? It's rumored months back that someone was working on it but not sure what is the progress on it. Please shed a light if you have any ideas.
>
> I'm running the default latest 2.2.0 IPA on Redhat/Centos 6.3.

Yes there is a simmering effort. But there are unfortunately no results we can share yet.

>
> Thanks.
> David

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From cao2dan at yahoo.com Tue Dec 18 18:51:36 2012
From: cao2dan at yahoo.com (David Copperfield)
Date: Tue, 18 Dec 2012 10:51:36 -0800 (PST)
Subject: [Freeipa-users] Backup and Restore procedures for IPA 2.2.0?
In-Reply-To: <50D0B90A.4070500@redhat.com>
References: <558C15177F5E714F83334217C9A197DF5DB4175B@SSC-MBX2.ssc.internal> <20801.213.225.75.97.1355821569.squirrel@www.nixtra.com> <50D09ED3.3030102@redhat.com> <1355855990.95445.YahooMailNeo@web122603.mail.ne1.yahoo.com> <50D0B90A.4070500@redhat.com>
Message-ID: <1355856696.35742.YahooMailNeo@web122602.mail.ne1.yahoo.com>

Got it. Are there any IPA resources on the market we can hire for a backup/restoration solution? Our company is in the Bay Area.

Thanks.
--David

________________________________
From: Dmitri Pal
To: freeipa-users at redhat.com
Sent: Tuesday, December 18, 2012 10:42 AM
Subject: Re: [Freeipa-users] Backup and Restore procedures for IPA 2.2.0?

On 12/18/2012 01:39 PM, David Copperfield wrote:
> Hi all,
>
> Is the backup and restore procedure for IPA available now? It's rumored months back that someone was working on it but not sure what is the progress on it. Please shed a light if you have any ideas.
>
> I'm running the default latest 2.2.0 IPA on Redhat/Centos 6.3.
>
Yes there is a simmering effort. But there are unfortunately no results we can share yet.
> Thanks.
> David

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From Steven.Jones at vuw.ac.nz Tue Dec 18 19:45:35 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 18 Dec 2012 19:45:35 +0000
Subject: [Freeipa-users] Backup and Restore procedures for IPA 2.2.0?
In-Reply-To: <1355855990.95445.YahooMailNeo@web122603.mail.ne1.yahoo.com>
References: <558C15177F5E714F83334217C9A197DF5DB4175B@SSC-MBX2.ssc.internal> <20801.213.225.75.97.1355821569.squirrel@www.nixtra.com> <50D09ED3.3030102@redhat.com>, <1355855990.95445.YahooMailNeo@web122603.mail.ne1.yahoo.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E4054799C8B@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

As in a backup software client that can talk to the IPA instance? I'm not aware of one.

What I do is dump a userroot to ldif every so often....before and after I do patching or any significant change....I do so on at least 2 of the 3 IPA masters with,

/var/lib/dirsrv/scripts-ODS-VUW-AC-NZ/db2ldif.pl -D "cn=directory manager" -w - -n userroot -a /var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/bak/userroot.`/bin/date +%Y%m%d%H%M`.ldif

I have recovered using this as well. (oh joy!)

I also have a proven method to swap CA cert function to another server ie promote a replica, I actually did it 3 weeks ago!

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of David Copperfield [cao2dan at yahoo.com]
Sent: Wednesday, 19 December 2012 7:39 a.m.
To: freeipa-users at redhat.com
Subject: [Freeipa-users] Backup and Restore procedures for IPA 2.2.0?

Hi all,

Is the backup and restore procedure for IPA available now?
It's rumored months back that someone was working on it but not sure what is the progress on it. Please shed a light if you have any ideas.

I'm running the default latest 2.2.0 IPA on Redhat/Centos 6.3.

Thanks.
David

From jdennis at redhat.com Tue Dec 18 20:16:47 2012
From: jdennis at redhat.com (John Dennis)
Date: Tue, 18 Dec 2012 15:16:47 -0500
Subject: [Freeipa-users] testing AD trust on Fedora 18
In-Reply-To:
References:
Message-ID: <50D0CF2F.40904@redhat.com>

On 12/18/2012 01:26 PM, Andre Rodrigues wrote:
> Hi all,
> I'm testing AD trust following this how to:
> http://www.freeipa.org/page/IPAv3_testing_AD_trust
> but when I set "ipa dnszone-add" I get this:
> [root at m ~] ipa dnszone-add --name-server=
> --admin-email= --force --forwarder=
> --forward-policy=only
> ipa: ERROR: unable to parse cookie header
> 'ipa_session=f963e8e4006fdcd79e1a2a5a989b4d01; Domain=;
> Path=/ipa; Expires=Thu, 18 Dec 2012 13:54:33 GMT; Secure; HttpOnly':
> unable to parse expires datetime 'Thu, 18 Dec 2012 13:54:33'

This is an error message from something I wrote. I can't explain why it can't parse the expires cookie attribute because using the value cited in the error message it parses just fine. The only thing I can think of is that the time module was not imported in cookie.py, but in my copy of the file it is imported.

However one thing I did immediately notice, the cookie has Domain=, that's not valid, it's supposed to be a FQDN. What is the value of xmlrpc_uri in your /etc/ipa/default.conf?
> and when I set "ipa trust-add" I get the following error:
> [root at m ~] ipa trust-add --type=ad --admin Adminstrator
> --password
> Active directory domain administrator's password:
> ipa: ERROR: unable to parse cookie header
> 'ipa_session=7d6aeb2c92ff3197a9d3c04421f6ba15; Domain=;
> Path=/ipa; Expires=Tue, 18 Dec 2012 18:32:05 GMT; Secure; HttpOnly':
> unable to parse expires datetime 'Tue, 18 Dec 2012 18:32:05'

Sorry, someone else will have to help you with the below:

> ipa: ERROR: Cannot perform join operation without Samba 4 support installed.
> Make sure you have installed
> server-trust-ad sub-package of IPA
>
> but I have the server-trust-ad installed:

--
John Dennis

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From sbose at redhat.com Tue Dec 18 20:30:50 2012
From: sbose at redhat.com (Sumit Bose)
Date: Tue, 18 Dec 2012 21:30:50 +0100
Subject: [Freeipa-users] testing AD trust on Fedora 18
In-Reply-To: <50D0CF2F.40904@redhat.com>
References: <50D0CF2F.40904@redhat.com>
Message-ID: <20121218203050.GN22856@localhost.localdomain>

On Tue, Dec 18, 2012 at 03:16:47PM -0500, John Dennis wrote:
> On 12/18/2012 01:26 PM, Andre Rodrigues wrote:
> >Hi all,
> >I'm testing AD trust following this how to:
> >http://www.freeipa.org/page/IPAv3_testing_AD_trust
> >but when I set "ipa dnszone-add" I get this:
> >[root at m ~] ipa dnszone-add --name-server=
> >--admin-email= --force --forwarder=
> >--forward-policy=only
> >ipa: ERROR: unable to parse cookie header
> >'ipa_session=f963e8e4006fdcd79e1a2a5a989b4d01; Domain=;
> >Path=/ipa; Expires=Thu, 18 Dec 2012 13:54:33 GMT; Secure; HttpOnly':
> >unable to parse expires datetime 'Thu, 18 Dec 2012 13:54:33'
>
> This is an error message from something I wrote. I can't explain why
> it can't parse the expires cookie attribute because using the value
> cited in the error message it parses just fine.
> The only thing I can
> think of is that the time module was not imported in cookie.py, but
> in my copy of the file it is imported.
>
> However one thing I did immediately notice, the cookie has
> Domain=, that's not valid, it's supposed to be a FQDN.
> What is the value of xmlrpc_uri in your /etc/ipa/default.conf?
>
> >and when I set "ipa trust-add" I get the following error:
> >[root at m ~] ipa trust-add --type=ad --admin Adminstrator
> >--password
> >Active directory domain administrator's password:
> >ipa: ERROR: unable to parse cookie header
> >'ipa_session=7d6aeb2c92ff3197a9d3c04421f6ba15; Domain=;
> >Path=/ipa; Expires=Tue, 18 Dec 2012 18:32:05 GMT; Secure; HttpOnly':
> >unable to parse expires datetime 'Tue, 18 Dec 2012 18:32:05'
>
> Sorry, someone else will have to help you with the below:

I guess this error message is just triggered by the cookie error.

bye,
Sumit

> >ipa: ERROR: Cannot perform join operation without Samba 4 support installed.
> > Make sure you have installed
> >server-trust-ad sub-package of IPA
> >
> >but I have the server-trust-ad installed:
>
> --
> John Dennis
>
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/

From sigbjorn at nixtra.com Tue Dec 18 20:48:31 2012
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Tue, 18 Dec 2012 21:48:31 +0100
Subject: [Freeipa-users] Problem generating Oracle ZFS Storage Appliance host and nfs principals and keys to IPA/Free IPA.
In-Reply-To: <558C15177F5E714F83334217C9A197DF5DB41749@SSC-MBX2.ssc.internal>
References: <558C15177F5E714F83334217C9A197DF5DB40720@SSC-MBX2.ssc.internal>, <1355797259.5073.444.camel@willson.li.ssimo.org> <558C15177F5E714F83334217C9A197DF5DB41749@SSC-MBX2.ssc.internal>
Message-ID: <50D0D69F.8090301@nixtra.com>

On 12/18/2012 06:24 AM, Johan Petersson wrote:
> Hi,
>
> Unfortunately I still get the same error from the Appliance even after having added both host and nfs principals in the IPA web interface.
>
> "failed to create principal 'host/zfs1.home at HOME': libkadm5clnt error:
> 43787522 (Operation requires ``add'' privilege)"
>
> I get the impression that the Appliance does not recognize existing principals since I still get the same create principal error.
> So it seems that it does not cope with pre-existing principals, at least not from IPA Server.
> I will contact Oracle about this issue and see what they say.
>
> Thank you for your help,
> Johan.

We have these ZFS Storage Appliances at work too. There is a way to access the root shell of the ZFS Storage Appliance. It's been a long time since I've done it, but a quick googling turned up this:
http://weblogs.java.net/blog/kohsuke/archive/2009/01/under_the_hood.html

Hopefully the "scp" command still exists when you get access to the shell of the Solaris OS, so you can copy the pre-created keytab into /etc/krb5/krb5.keytab.

CAUTION! The /etc/krb5/krb5.keytab is by default shared between the CIFS server and the NFS server. This file will already contain the keytab for the CIFS/SMB service if you have already joined the ZFS Storage Appliance to AD. In which case copy the pre-created keytab from IPA into /etc/krb5/krb5.keytab-IPA, and use ktutil to merge the two files together. I see I've kept the keytab from my AD in the beginning of the file and added the keytab from IPA to the end of the file. I do recall there being some significance to doing it this way.

I've written this howto for NexentaStor a while back.
Perhaps this will be of some assistance to complete the configuration of the ZFS Storage Appliance too?
https://www.redhat.com/archives/freeipa-users/2011-July/msg00033.html

Please let me know how you get on.

Regards,
Siggi

From jdennis at redhat.com Tue Dec 18 20:56:27 2012
From: jdennis at redhat.com (John Dennis)
Date: Tue, 18 Dec 2012 15:56:27 -0500
Subject: [Freeipa-users] testing AD trust on Fedora 18
In-Reply-To: <20121218203050.GN22856@localhost.localdomain>
References: <50D0CF2F.40904@redhat.com> <20121218203050.GN22856@localhost.localdomain>
Message-ID: <50D0D87B.1010500@redhat.com>

On 12/18/2012 03:30 PM, Sumit Bose wrote:
> On Tue, Dec 18, 2012 at 03:16:47PM -0500, John Dennis wrote:
>> On 12/18/2012 01:26 PM, Andre Rodrigues wrote:
>>> Hi all,
>>> I'm testing AD trust following this how to:
>>> http://www.freeipa.org/page/IPAv3_testing_AD_trust
>>> but when I set "ipa dnszone-add" I get this:
>>> [root at m ~] ipa dnszone-add --name-server=
>>> --admin-email= --force --forwarder=
>>> --forward-policy=only
>>> ipa: ERROR: unable to parse cookie header
>>> 'ipa_session=f963e8e4006fdcd79e1a2a5a989b4d01; Domain=;
>>> Path=/ipa; Expires=Thu, 18 Dec 2012 13:54:33 GMT; Secure; HttpOnly':
>>> unable to parse expires datetime 'Thu, 18 Dec 2012 13:54:33'
>>
>> This is an error message from something I wrote. I can't explain why
>> it can't parse the expires cookie attribute because using the value
>> cited in the error message it parses just fine. The only thing I can
>> think of is that the time module was not imported in cookie.py, but
>> in my copy of the file it is imported.
>>
>> However one thing I did immediately notice, the cookie has
>> Domain=, that's not valid, it's supposed to be a FQDN.
>> What is the value of xmlrpc_uri in your /etc/ipa/default.conf?
>>
>>> and when I set "ipa trust-add" I get the following error:
>>> [root at m ~] ipa trust-add --type=ad --admin Adminstrator
>>> --password
>>> Active directory domain administrator's password:
>>> ipa: ERROR: unable to parse cookie header
>>> 'ipa_session=7d6aeb2c92ff3197a9d3c04421f6ba15; Domain=;
>>> Path=/ipa; Expires=Tue, 18 Dec 2012 18:32:05 GMT; Secure; HttpOnly':
>>> unable to parse expires datetime 'Tue, 18 Dec 2012 18:32:05'
>>
>> Sorry, someone else will have to help you with the below:
>
> I guess this error message is just triggered by the cookie error.

In theory no, the inability to process a cookie should do nothing other than log the fact; everything else should proceed as normal (without cookies you just get slower performance, but it should continue to work).

However, the values in the cookie show something is very wrong with the configuration.

Please provide the contents of /etc/ipa/default.conf.

Do you have a .ipa/default.conf file set? If so that overrides the values in /etc/ipa/default.conf. If you have that as well please provide that as well.

Adding verbose debugging information will help. Add the -d option to the ipa command to turn on debug level information and capture the output. Those messages will help us diagnose the problem.

>
> bye,
> Sumit
>
>>
>>> ipa: ERROR: Cannot perform join operation without Samba 4 support installed.
>>> Make sure you have installed
>>> server-trust-ad sub-package of IPA
>>>
>>> but I have the server-trust-ad installed:

--
John Dennis

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From sakodak at gmail.com Tue Dec 18 21:03:43 2012
From: sakodak at gmail.com (KodaK)
Date: Tue, 18 Dec 2012 15:03:43 -0600
Subject: [Freeipa-users] anyone know how to do sssd filters?
In-Reply-To:
References: <50CF8887.9020306@redhat.com> <20121218093956.GE11432@hendrix.redhat.com> <20121218095108.GF11432@hendrix.redhat.com> <20121218151738.GN11432@hendrix.redhat.com>
Message-ID:

On Tue, Dec 18, 2012 at 10:38 AM, KodaK wrote:
> On Tue, Dec 18, 2012 at 9:17 AM, Jakub Hrozek wrote:
>> On Tue, Dec 18, 2012 at 09:07:25AM -0600, KodaK wrote:
>>> On Tue, Dec 18, 2012 at 3:51 AM, Jakub Hrozek wrote:
>>> > On Tue, Dec 18, 2012 at 10:39:56AM +0100, Jakub Hrozek wrote:
>>> >> On Mon, Dec 17, 2012 at 04:03:03PM -0500, Dmitri Pal wrote:
>>> >> > On 12/17/2012 03:11 PM, KodaK wrote:
>>> >> > > I'm attempting to install Satellite in my IPA domain. There is a
>>> >> > > ridiculous requirement that the group "dba" must not already exist
>>> >> > > prior to installing. Red Hat support wanted me to *remove* the DBA
>>> >> > > group and then install.
>>> >> > >
>>> >> > > Anyway, I'm trying to play around with filter_groups in sssd, and I
>>> >> > > can't seem to get it to "take." The man page isn't exactly clear, but
>>> >> > > here's what I've tried:
>>> >> > >
>>> >> > > filter_groups = dba
>>> >> > > filter_groups= dba at fqdn
>>> >> > >
>>> >> > > In the [domain], [sssd] and [nss] sections of the config file.
>>> >> > >
>>> >> > > What's the right syntax? Do I need it in every section?
>>> >> > >
>>> >> > Is it a local group or a central group?
>>> >>
>>> >> Where Dmitri's question is headed is that if dba is a local group (aka
>>> >> stored in /etc/passwd), then the SSSD should be queried at all.
>>> > ^^^
>>> > /etc/group obviously
>>>
>>> I figured. :)
>>>
>>> The group "dba" is stored in IPA. Here's a funny thing, though (short rundown):
>>>
>>> Installed RHEL 6.3 on Satellite server, joined it to the domain.
>>>
>>> Try to install Satellite: get the "Could not install database."
>>>
>>> I try to filter out the group in IPA, try to install Satellite, get:
>>> "The group 'dba' should exist."
>>> This makes me think that the filter
>>> is doing every "dba" not just dba on the IPA server.
>>>
>>> I removed the Satellite server from IPA (ipa-client-install
>>> --uninstall) and I get the same message (dba should exist.)
>>>
>>> Fun stuff.
>>>
>>
>> Unless you wiped out the machine completely, do you know if:
>>
>> $ getent group -s sss dba
>>
>> Returned the group or not?
>>
>> I wouldn't be surprised if the installer tools checked the files directly..
>
> I did wipe it out, but I do know that "getent group dba" returned the
> IPA group *before* I put in the filter, I stupidly didn't check after.
>
> I'm in the middle of re-installing the OS now on the VM, we'll see how
> it goes. Red Hat says they got it to work in their lab with an IPA
> controlled Oracle user and dba group.
>

So, in case anyone else ever runs into this, this is what I had to do to get around the problem:

First, maybe I missed it, but I don't see any recommendation in the documentation that the user oracle and the group dba *must* exist before you start the install. Combine that with the suggestion I got from support that the "dba" group can't exist, and you have the recipe that had me going down the wrong path for quite some time. This had nothing to do with IPA at all, really.

The answer, which like most is incredibly simple, was to create a local oracle user and dba group, overriding the dba group in IPA. After that the install went fine(ish).

--Jason

From Johan.Petersson at sscspace.com Tue Dec 18 21:47:59 2012
From: Johan.Petersson at sscspace.com (Johan Petersson)
Date: Tue, 18 Dec 2012 21:47:59 +0000
Subject: [Freeipa-users] Problem generating Oracle ZFS Storage Appliance host and nfs principals and keys to IPA/Free IPA.
In-Reply-To: <50D0D69F.8090301@nixtra.com>
References: <558C15177F5E714F83334217C9A197DF5DB40720@SSC-MBX2.ssc.internal>, <1355797259.5073.444.camel@willson.li.ssimo.org> <558C15177F5E714F83334217C9A197DF5DB41749@SSC-MBX2.ssc.internal>, <50D0D69F.8090301@nixtra.com>
Message-ID: <558C15177F5E714F83334217C9A197DF5DB7BEBE@SSC-MBX1.ssc.internal>

I pursued that idea myself earlier, but when getting the huge warranty-void message when accessing a shell, plus the fact that the file system was read-only, I gave up. I will definitely look at it again and read the information you provided, thank you for your help.

________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Sigbjorn Lie [sigbjorn at nixtra.com]
Sent: Tuesday, December 18, 2012 21:48
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Problem generating Oracle ZFS Storage Appliance host and nfs principals and keys to IPA/Free IPA.

On 12/18/2012 06:24 AM, Johan Petersson wrote:
Hi,

Unfortunately I still get the same error from the Appliance even after having added both host and nfs principals in the IPA web interface.

"failed to create principal 'host/zfs1.home at HOME': libkadm5clnt error: 43787522 (Operation requires ``add'' privilege)"

I get the impression that the Appliance does not recognize existing principals since I still get the same create principal error. So it seems that it does not cope with pre-existing principals, at least not from IPA Server. I will contact Oracle about this issue and see what they say.

Thank you for your help,
Johan.

We have these ZFS Storage Appliances at work too. There is a way to access the root shell of the ZFS Storage Appliance.
It's been a long time since I've done it, but a quick googling turned up this:
http://weblogs.java.net/blog/kohsuke/archive/2009/01/under_the_hood.html

Hopefully the "scp" command still exists when you get access to the shell of the Solaris OS, so you can copy the pre-created keytab into /etc/krb5/krb5.keytab.

CAUTION! The /etc/krb5/krb5.keytab is by default shared between the CIFS server and the NFS server. This file will already contain the keytab for the CIFS/SMB service if you have already joined the ZFS Storage Appliance to AD. In which case copy the pre-created keytab from IPA into /etc/krb5/krb5.keytab-IPA, and use ktutil to merge the two files together. I see I've kept the keytab from my AD in the beginning of the file and added the keytab from IPA to the end of the file. I do recall there being some significance to doing it this way.

I've written this howto for NexentaStor a while back. Perhaps this will be of some assistance to complete the configuration of the ZFS Storage Appliance too?
https://www.redhat.com/archives/freeipa-users/2011-July/msg00033.html

Please let me know how you get on.

Regards,
Siggi

From pspacek at redhat.com Wed Dec 19 08:13:21 2012
From: pspacek at redhat.com (Petr Spacek)
Date: Wed, 19 Dec 2012 09:13:21 +0100
Subject: [Freeipa-users] testing AD trust on Fedora 18
In-Reply-To: <50D0D87B.1010500@redhat.com>
References: <50D0CF2F.40904@redhat.com> <20121218203050.GN22856@localhost.localdomain> <50D0D87B.1010500@redhat.com>
Message-ID: <50D17721.1070301@redhat.com>

On 12/18/2012 09:56 PM, John Dennis wrote:
>
> ipa: ERROR: unable to parse cookie header
> 'ipa_session=f963e8e4006fdcd79e1a2a5a989b4d01; Domain=;
> Path=/ipa; Expires=Thu, 18 Dec 2012 13:54:33 GMT; Secure; HttpOnly':
> unable to parse expires datetime 'Thu, 18 Dec 2012 13:54:33'

John, could it be related to the LANG environment variable? Is the parser sensitive to LANG/other variables?
Andre, could you post the output from "echo $LANG", please? (Logged in as the user which ran the IPA commands.)

--
Petr^2 Spacek

From Duncan.Innes at virginmoney.com Wed Dec 19 09:25:13 2012
From: Duncan.Innes at virginmoney.com (Innes, Duncan)
Date: Wed, 19 Dec 2012 09:25:13 -0000
Subject: [Freeipa-users] Backup and Restore procedures for IPA 2.2.0?
In-Reply-To: <50D0B90A.4070500@redhat.com>
References: <558C15177F5E714F83334217C9A197DF5DB4175B@SSC-MBX2.ssc.internal> <20801.213.225.75.97.1355821569.squirrel@www.nixtra.com> <50D09ED3.3030102@redhat.com> <1355855990.95445.YahooMailNeo@web122603.mail.ne1.yahoo.com> <50D0B90A.4070500@redhat.com>
Message-ID: <56343345B145C043AE990701E3D19395B9EB35@EXVS2.nrplc.localnet>

Are there any results you can even talk about at this stage?

If not, I'd suggest turning up the heat a notch or two to get it on the boil :-)

I know this is FreeIPA, but RedHat shipping Identity Management as a supported feature without any backup/restore mechanism is a pretty big hole in functionality.

D

Duncan Innes | Linux Architect

________________________________
From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Dmitri Pal
Sent: 18 December 2012 18:42
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Backup and Restore procedures for IPA 2.2.0?

On 12/18/2012 01:39 PM, David Copperfield wrote:
Hi all,

Is the backup and restore procedure for IPA available now? It's rumored months back that someone was working on it but not sure what is the progress on it. Please shed a light if you have any ideas.

I'm running the default latest 2.2.0 IPA on Redhat/Centos 6.3.

Yes there is a simmering effort. But there are unfortunately no results we can share yet.

Thanks.
David

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

This message has been checked for viruses and spam by the Virgin Money email scanning system powered by Messagelabs.

This e-mail is intended to be confidential to the recipient. If you receive a copy in error, please inform the sender and then delete this message.

Virgin Money plc - Registered in England and Wales (Company no. 6952311). Registered office - Jubilee House, Gosforth, Newcastle upon Tyne NE3 4PL. Authorised and regulated by the Financial Services Authority.

The following companies also trade as Virgin Money and are registered in England and Wales and have their registered office at Discovery House, Whiting Road, Norwich NR4 6EJ:

Virgin Money Personal Financial Service Limited (Company no. 3072766) and Virgin Money Unit Trust Managers Limited (Company no. 3000482) are authorised and regulated by the Financial Services Authority.

Virgin Money Cards Limited (Company no. 4232392) is introducer appointed representative only of Virgin Money Personal Financial Service Limited.

For further details of Virgin Money group companies please visit our website at virginmoney.com

From sbose at redhat.com Wed Dec 19 10:50:52 2012
From: sbose at redhat.com (Sumit Bose)
Date: Wed, 19 Dec 2012 11:50:52 +0100
Subject: [Freeipa-users] testing AD trust on Fedora 18
In-Reply-To: <50D17721.1070301@redhat.com>
References: <50D0CF2F.40904@redhat.com> <20121218203050.GN22856@localhost.localdomain> <50D0D87B.1010500@redhat.com> <50D17721.1070301@redhat.com>
Message-ID: <20121219105052.GT22856@localhost.localdomain>

On Wed, Dec 19, 2012 at 09:13:21AM +0100, Petr Spacek wrote:
> On 12/18/2012 09:56 PM, John Dennis wrote:
> >
> >ipa: ERROR: unable to parse cookie header
> >'ipa_session=f963e8e4006fdcd79e1a2a5a989b4d01; Domain=;
> >Path=/ipa; Expires=Thu, 18 Dec 2012 13:54:33 GMT; Secure; HttpOnly':
> >unable to parse expires datetime 'Thu, 18 Dec 2012 13:54:33'
>
> John, could it be related to LANG environment variable? Is the
> parser sensitive to LANG/other variables?
>
> Andre, could you post output from "echo $LANG", please?
> (Logged in as user which ran IPA commands.)

Petr, I think you are right, I can reproduce this issue if httpd and the client session use "incompatible" LANG settings. E.g. I have LANG=C for httpd and LANG=de_DE.UTF-8 in the shell.
# LANG=C date +'%a, %d %b %Y %H:%M:%S'
Wed, 19 Dec 2012 11:49:14
# LANG=de_DE.UTF-8 date +'%a, %d %b %Y %H:%M:%S'
Mi, 19 Dez 2012 11:49:37

HTH

bye,
Sumit

>
> --
> Petr^2 Spacek

From dale at themacartneyclan.com Wed Dec 19 12:27:46 2012
From: dale at themacartneyclan.com (Dale Macartney)
Date: Wed, 19 Dec 2012 12:27:46 +0000
Subject: [Freeipa-users] Backup and Restore procedures for IPA 2.2.0?
In-Reply-To: <56343345B145C043AE990701E3D19395B9EB35@EXVS2.nrplc.localnet>
References: <558C15177F5E714F83334217C9A197DF5DB4175B@SSC-MBX2.ssc.internal> <20801.213.225.75.97.1355821569.squirrel@www.nixtra.com> <50D09ED3.3030102@redhat.com> <1355855990.95445.YahooMailNeo@web122603.mail.ne1.yahoo.com> <50D0B90A.4070500@redhat.com> <56343345B145C043AE990701E3D19395B9EB35@EXVS2.nrplc.localnet>
Message-ID: <50D1B2C2.9040205@themacartneyclan.com>

On 12/19/2012 09:25 AM, Innes, Duncan wrote:
> Are there any results you can even talk about at this stage?

Although not officially supported by Red Hat, here's something I wrote for my own environments. It is just a scripted tool to tar up what I can see are the necessary directories. I've done more backups and restores with this than I'd care to admit, but if you wish to use it, please test it yourself in your own test environment before you use it on production.

https://www.dalemacartney.com/2012/09/08/how-to-backup-restore-freeipa-2-2-0-on-red-hat-enterprise-linux-6/

>
> If not, I'd suggest turning up the heat a notch or two to get it on the boil :-)
>
> I know this is FreeIPA, but RedHat shipping Identity Management as a supported feature without any backup/restore mechanism is a pretty big hole in functionality.

I completely agree with Duncan here.
>
> D
>
> Duncan Innes | Linux Architect
>
> -------------------------
> *From:* freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] *On Behalf Of *Dmitri Pal
> *Sent:* 18 December 2012 18:42
> *To:* freeipa-users at redhat.com
> *Subject:* Re: [Freeipa-users] Backup and Restore procedures for IPA 2.2.0?
>
> On 12/18/2012 01:39 PM, David Copperfield wrote:
>> Hi all,
>>
>> Is the backup and restore procedure for IPA available now? It's rumored months back that someone was working on it but not sure what is the progress on it. Please shed a light if you have any ideas.
>>
>> I'm running the default latest 2.2.0 IPA on Redhat/Centos 6.3.
>
> Yes there is a simmering effort. But there are unfortunately no results we can share yet.
>
>> Thanks.
>> David
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>
> -------------------------------
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
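Steven Jones's db2ldif.pl dump and Dale's tarball script, both offered in this thread as stop-gap backups, are only worth having if the files they produce are actually restorable, and the cheapest check is to parse the dump before filing it away. The script below is an added example for this thread (not Steven's command, Dale's tool or FreeIPA code): it reads an LDIF dump the way db2ldif.pl writes it (RFC 2849: blank-line separated entries, "attr:: base64" values, continuation lines starting with one space) and rejects it unless the expected suffix entry is present and every entry sits under that suffix. The suffix dc=example,dc=test and the embedded sample dump are constructed for the example and are not real directory data.

```python
"""Sanity-check an LDIF dump (as written by db2ldif.pl) before relying on it.
Added example for this thread, not Steven's, Dale's or FreeIPA's own code.
Assumes RFC 2849 LDIF: blank-line separated entries, "attr: value",
"attr:: <base64>" and continuation lines that begin with one space."""
import base64
import sys
from collections import Counter


def parse_ldif(text):
    """Yield {"dn": str, "attrs": {lowercase-name: [values]}} per entry."""
    entry_lines = []
    for raw in text.splitlines() + [""]:      # the sentinel flushes the last entry
        if raw == "":
            if entry_lines:
                yield _entry_from_lines(entry_lines)
                entry_lines = []
        elif raw.startswith("#") or raw.startswith("version:"):
            continue                          # comment or LDIF version header
        elif raw.startswith(" ") and entry_lines:
            entry_lines[-1] += raw[1:]        # folded line: join to the previous one
        else:
            entry_lines.append(raw)


def _entry_from_lines(lines):
    entry = {"dn": None, "attrs": {}}
    for line in lines:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % line)
        if value.startswith(":"):
            # "attr:: <base64>" carries non-ASCII or binary values
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        if name.lower() == "dn":
            entry["dn"] = value
        else:
            entry["attrs"].setdefault(name.lower(), []).append(value)
    if entry["dn"] is None:
        raise ValueError("entry without dn: %r" % lines[:1])
    return entry


def check_dump(text, suffix, min_entries=1):
    """Return a small report; raise ValueError if the dump is not usable."""
    entries = list(parse_ldif(text))
    if len(entries) < min_entries:
        raise ValueError("only %d entries in dump" % len(entries))
    dns = [e["dn"].lower() for e in entries]
    suffix_l = suffix.lower()
    outside = [dn for dn in dns if not dn.endswith(suffix_l)]
    if outside:
        raise ValueError("entries outside %s: %s" % (suffix, outside[:3]))
    if suffix_l not in dns:
        raise ValueError("suffix entry %s missing from dump" % suffix)
    classes = Counter(oc.lower() for e in entries
                      for oc in e["attrs"].get("objectclass", []))
    return {
        "entries": len(entries),
        "users": classes["posixaccount"],
        "groups": classes["posixgroup"],
        "with_password": sum("userpassword" in e["attrs"] for e in entries),
    }


# Constructed sample dump (not real data): the suffix, one user, one group.
SAMPLE_LDIF = """\
version: 1
dn: dc=example,dc=test
objectClass: top
objectClass: domain
dc: example

dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
objectClass: top
objectClass: posixAccount
uid: alice
cn: Alice Example
description:: QWxpY2Ugw5Y=
userPassword:: e1NTSEF9ZmFrZQ==
loginShell: /bin/bas
 h

dn: cn=dba,cn=groups,cn=accounts,dc=example,dc=test
objectClass: top
objectClass: posixGroup
cn: dba
gidNumber: 10001
"""

if __name__ == "__main__":
    # usage: check_ldif.py <dump.ldif> <suffix>; exits non-zero on a bad dump
    with open(sys.argv[1], encoding="utf-8") as fh:
        try:
            print(check_dump(fh.read(), sys.argv[2]))
        except ValueError as err:
            sys.exit("dump rejected: %s" % err)
```

Run it from the same cron job that calls db2ldif.pl, on the file the job just wrote, with the suffix of the backend being dumped; a non-zero exit then tells you the same day that a dump is empty, truncated or from the wrong backend, rather than on the day you need to restore from it.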
From sbose at redhat.com Wed Dec 19 12:30:27 2012
From: sbose at redhat.com (Sumit Bose)
Date: Wed, 19 Dec 2012 13:30:27 +0100
Subject: [Freeipa-users] testing AD trust on Fedora 18
In-Reply-To: <50D0D87B.1010500@redhat.com>
References: <50D0CF2F.40904@redhat.com> <20121218203050.GN22856@localhost.localdomain> <50D0D87B.1010500@redhat.com>
Message-ID: <20121219123026.GU22856@localhost.localdomain>

On Tue, Dec 18, 2012 at 03:56:27PM -0500, John Dennis wrote:
> On 12/18/2012 03:30 PM, Sumit Bose wrote:
> >On Tue, Dec 18, 2012 at 03:16:47PM -0500, John Dennis wrote:
> >>On 12/18/2012 01:26 PM, Andre Rodrigues wrote:
> >>>Hi all,
> >>>I'm testing AD trust following this how to:
> >>>http://www.freeipa.org/page/IPAv3_testing_AD_trust
> >>>but when I set "ipa dnszone-add" I get this:
> >>>[root at m ~] ipa dnszone-add --name-server=
> >>>--admin-email= --force --forwarder=
> >>>--forward-policy=only
> >>>ipa: ERROR: unable to parse cookie header
> >>>'ipa_session=f963e8e4006fdcd79e1a2a5a989b4d01; Domain=;
> >>>Path=/ipa; Expires=Thu, 18 Dec 2012 13:54:33 GMT; Secure; HttpOnly':
> >>>unable to parse expires datetime 'Thu, 18 Dec 2012 13:54:33'
> >>
> >>This is an error message from something I wrote. I can't explain why
> >>it can't parse the expires cookie attribute because using the value
> >>cited in the error message it parses just fine. The only thing I can
> >>think of is that the time module was not imported in cookie.py, but
> >>in my copy of the file it is imported.
> >>
> >>However one thing I did immediately notice, the cookie has
> >>Domain=, that's not valid, it's supposed to be a FQDN.
> >>What is the value of xmlrpc_uri in your /etc/ipa/default.conf?
> >>
> >>>and when I set "ipa trust-add" I get the following error:
> >>>[root at m ~] ipa trust-add --type=ad --admin Adminstrator
> >>>--password
> >>>Active directory domain administrator's password:
> >>>ipa: ERROR: unable to parse cookie header
> >>>'ipa_session=7d6aeb2c92ff3197a9d3c04421f6ba15; Domain=;
> >>>Path=/ipa; Expires=Tue, 18 Dec 2012 18:32:05 GMT; Secure; HttpOnly':
> >>>unable to parse expires datetime 'Tue, 18 Dec 2012 18:32:05'
> >>
> >>Sorry, someone else will have to help you with the below:
> >
> >I guess this error message is just triggered by the cookie error.
>
> In theory no, the inability to process a cookie should do nothing
> other than log the fact, everything else should proceed as normal
> (without cookies you just get slower performance, but it should
> continue to work).

John you are right, there are some issues in the F18 spec file, https://bugzilla.redhat.com/show_bug.cgi?id=888754 and https://bugzilla.redhat.com/show_bug.cgi?id=866969.

Andre, as a workaround until the packages are fixed please call

yum install m2crypto
service httpd restart

HTH

bye,
Sumit

> However, the values in the cookie show something is very wrong with
> the configuration.
>
> Please provide the contents of /etc/ipa/default.conf.
>
> Do you have a .ipa/default.conf file set? If so that overrides the
> values in /etc/ipa/default.conf. If you have that as well please
> provide that as well.
>
> Adding verbose debugging information will help. Add the -d option to
> the ipa command to turn on debug level information and capture the
> output. Those messages will help us diagnose the problem.
>
> >
> >bye,
> >Sumit
> >
> >>
> >>>ipa: ERROR: Cannot perform join operation without Samba 4 support installed.
> >>> Make sure you have installed
> >>>server-trust-ad sub-package of IPA
> >>>
> >>>but I have the server-trust-ad installed:
>
> --
> John Dennis
>
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/

From dale at themacartneyclan.com Wed Dec 19 12:30:23 2012
From: dale at themacartneyclan.com (Dale Macartney)
Date: Wed, 19 Dec 2012 12:30:23 +0000
Subject: [Freeipa-users] Integrating Yubikey tokens into FreeIPA
Message-ID: <50D1B35F.30403@themacartneyclan.com>

Morning all

Here's something I was working on last night with Gavin Spurgeon.

If anyone would like to comment on better ways to achieve this, I'd love to hear it so I can update my own procedures (and the article of course)

https://www.dalemacartney.com/2012/12/19/integrating-yubikey-token-details-within-ldap-with-freeipa-and-red-hat-enterprise-linux-6/

I hope some people find it useful.

Dale
From simo at redhat.com Wed Dec 19 13:20:57 2012
From: simo at redhat.com (Simo Sorce)
Date: Wed, 19 Dec 2012 08:20:57 -0500
Subject: [Freeipa-users] Integrating Yubikey tokens into FreeIPA
In-Reply-To: <50D1B35F.30403@themacartneyclan.com>
References: <50D1B35F.30403@themacartneyclan.com>
Message-ID: <1355923257.2894.24.camel@willson.li.ssimo.org>

On Wed, 2012-12-19 at 12:30 +0000, Dale Macartney wrote:
> Morning all
>
> Here's something I was working on last night with Gavin Spurgeon.
>
> If anyone would like to comment on better ways to achieve this, I'd love
> to hear it so I can update my own procedures (and the article of course)
>
> https://www.dalemacartney.com/2012/12/19/integrating-yubikey-token-details-within-ldap-with-freeipa-and-red-hat-enterprise-linux-6/
>
> I hope some people find it useful.

Hi Dale,
what problem do you have adding new schema ?

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From dale at themacartneyclan.com Wed Dec 19 13:32:12 2012
From: dale at themacartneyclan.com (Dale Macartney)
Date: Wed, 19 Dec 2012 13:32:12 +0000
Subject: [Freeipa-users] Integrating Yubikey tokens into FreeIPA
In-Reply-To: <1355923257.2894.24.camel@willson.li.ssimo.org>
References: <50D1B35F.30403@themacartneyclan.com> <1355923257.2894.24.camel@willson.li.ssimo.org>
Message-ID: <50D1C1DC.7050609@themacartneyclan.com>

On 12/19/2012 01:20 PM, Simo Sorce wrote:
> On Wed, 2012-12-19 at 12:30 +0000, Dale Macartney wrote:
>> Morning all
>>
>> Here's something I was working on last night with Gavin Spurgeon.
>>
>> If anyone would like to comment on better ways to achieve this, I'd love
>> to hear it so I can update my own procedures (and the article of course)
>>
>> https://www.dalemacartney.com/2012/12/19/integrating-yubikey-token-details-within-ldap-with-freeipa-and-red-hat-enterprise-linux-6/
>>
>> I hope some people find it useful.
>
> Hi Dale,
> what problem do you have adding new schema ?

We weren't able to add any objectIdentifier fields... when trying to search for existing schema entries, we received the below output.

[root at ds01 ~]# ldapsearch -LLL -h localhost -D "cn=Directory Manager" -x -w redhat123 -b "cn=schema"
dn: cn=schema
objectClass: top
objectClass: ldapSubentry
objectClass: subschema
cn: schema
[root at ds01 ~]#

We were trying to use this schema, which was created by Michal, however we never managed to get it imported with the objectidentifier values there.

dn: cn=yubikey,cn=config
objectClass: SchemaConfig
cn: yubikey
#
# YubiKey LDAP schema
#
# Author: Michal Ludvig
# Consider a small PayPal donation:
# http://logix.cz/michal/devel/yubikey-ldap/
#
# Common Logix OID structure
# ...<...>
ObjectIdentifier: {0}logixOID 1.3.6.1.4.1.40789
ObjectIdentifier: {1}YubiKeyPrj logixOID:2012.11.1
ObjectIdentifier: {2}YkSNMP YubiKeyPrj:1
ObjectIdentifier: {3}YkLDAP YubiKeyPrj:2
# YubiKey schema sub-tree
ObjectIdentifier: {4}YkAttribute YkLDAP:1
ObjectIdentifier: {5}YkObjectClass YkLDAP:2
AttributeTypes: {0}( YkAttribute:1
NAME 'yubiKeyId'
DESC 'Yubico YubiKey ID'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} )
ObjectClasses: {0}( YkObjectClass:1
NAME 'yubiKeyUser'
DESC 'Yubico YubiKey User'
SUP top
AUXILIARY
MAY ( yubiKeyId ) )

we ended up having to settle for

dn: cn=schema
#
attributeTypes: ( 1.3.6.1.4.1.40789.2012.11.1.2.1 NAME 'yubiKeyId' DESC 'Yubico YubiKey ID' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{1
objectClasses: ( 1.3.6.1.4.1.40789.2012.11.1.2.2 NAME 'yubiKeyUser' DESC 'Yubico YubiKey User' SUP top
AUXILIARY MAY ( yubiKeyId ) )

Are there any security restrictions on the schema, or perhaps something done differently to normal LDAP? Unless of course I'm doing something silly.

thoughts?

>
>
> Simo.
>
From simo at redhat.com Wed Dec 19 14:04:04 2012
From: simo at redhat.com (Simo Sorce)
Date: Wed, 19 Dec 2012 09:04:04 -0500
Subject: [Freeipa-users] Integrating Yubikey tokens into FreeIPA
In-Reply-To: <50D1C1DC.7050609@themacartneyclan.com>
References: <50D1B35F.30403@themacartneyclan.com> <1355923257.2894.24.camel@willson.li.ssimo.org> <50D1C1DC.7050609@themacartneyclan.com>
Message-ID: <1355925844.2894.29.camel@willson.li.ssimo.org>

On Wed, 2012-12-19 at 13:32 +0000, Dale Macartney wrote:
> On 12/19/2012 01:20 PM, Simo Sorce wrote:
> > On Wed, 2012-12-19 at 12:30 +0000, Dale Macartney wrote:
> >> Morning all
> >>
> >> Here's something I was working on last night with Gavin Spurgeon.
> >>
> >> If anyone would like to comment on better ways to achieve this, I'd love
> >> to hear it so I can update my own procedures (and the article of course)
> >>
> >> https://www.dalemacartney.com/2012/12/19/integrating-yubikey-token-details-within-ldap-with-freeipa-and-red-hat-enterprise-linux-6/
> >>
> >> I hope some people find it useful.
> >
> > Hi Dale,
> > what problem do you have adding new schema ?
> we weren't able to add any objectIdentifier fields... when trying to
> search for existing schema entries, we received the below output.
>
> [root at ds01 ~]# ldapsearch -LLL -h localhost -D "cn=Directory Manager" -x
> -w redhat123 -b "cn=schema"
> dn: cn=schema
> objectClass: top
> objectClass: ldapSubentry
> objectClass: subschema
> cn: schema

For some reason the attributes you need to list are not returned by
default and need to be explicitly listed; they are treated as
operational.

The search you need is:
ldapsearch -h localhost -x -b "cn=schema" "attributeTypes,objectClasses"

Note that you do not need any auth to read the schema by default.
> [root at ds01 ~]# > > > We were trying to use this schema which what created by Michal, however > we never managed to get it imported with the objectidentifier values there. > > dn: cn=yubikey,cn=config > objectClass: SchemaConfig > cn: yubikey > # > # YubiKey LDAP schema > # > # Author: Michal Ludvig > # Consider a small PayPal donation: > # http://logix.cz/michal/devel/yubikey-ldap/ > # > # Common Logix OID structure > # ...<...> > ObjectIdentifier: {0}logixOID 1.3.6.1.4.1.40789 > ObjectIdentifier: {1}YubiKeyPrj logixOID:2012.11.1 > ObjectIdentifier: {2}YkSNMP YubiKeyPrj:1 > ObjectIdentifier: {3}YkLDAP YubiKeyPrj:2 > # YubiKey schema sub-tree > ObjectIdentifier: {4}YkAttribute YkLDAP:1 > ObjectIdentifier: {5}YkObjectClass YkLDAP:2 > AttributeTypes: {0}( YkAttribute:1 > NAME 'yubiKeyId' > DESC 'Yubico YubiKey ID' > EQUALITY caseIgnoreIA5Match > SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} ) > ObjectClasses: {0}( YkObjectClass:1 > NAME 'yubiKeyUser' > DESC 'Yubico YubiKey User' > SUP top > AUXILIARY > MAY ( yubiKeyId ) ) > > we ended up having to settle for > > dn: cn=schema > # > attributeTypes: ( 1.3.6.1.4.1.40789.2012.11.1.2.1 NAME 'yubiKeyId' DESC > 'Yubico YubiKey ID' EQUALITY caseIgnoreIA5Match SYNTAX > 1.3.6.1.4.1.1466.115.121.1.26{1 > objectClasses: ( 1.3.6.1.4.1.40789.2012.11.1.2.2 NAME 'yubiKeyUser' DESC > 'Yubico YubiKey User' SUP top AUXILIARY MAY ( yubiKeyId ) ) > > > Is there any security restrictions on the schema or perhaps something > done differently to normal LDAP? Unless of course I'm doing something silly. > > thoughts? Ah no it's just that 389ds does not support the prettified OIDs yet. The schema file you ended up importing is 100% equivalent to the one with the OID prefix substitutions. Simo. 
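The macro-form schema and the hand-converted numeric schema posted earlier in this thread are two spellings of the same definitions, and the cn=schema search discussed here returns them as wrapped LDIF. As an added example (not code from the thread, FreeIPA or 389ds), the Python below expands OpenLDAP-style ObjectIdentifier macros into numeric OIDs and looks a definition up in wrapped ldapsearch output; the sample schema and LDIF are constructed from the listing in this thread.

```python
# Added example, not code from the thread, FreeIPA or 389ds. It expands
# OpenLDAP-style ObjectIdentifier macros into numeric OIDs and looks up
# attributeTypes/objectClasses in the wrapped LDIF that ldapsearch prints.
import re

_NUMERIC_OID = re.compile(r"^\d+(\.\d+)*$")
_ORDER_PREFIX = re.compile(r"^\{\d+\}")          # strips "{n}" ordering tags
_KINDS = {"attributetypes": "attributeTypes", "objectclasses": "objectClasses"}

# Constructed sample: the macro-form YubiKey schema from the thread, with
# each definition folded onto one line.
MACRO_SCHEMA = """\
ObjectIdentifier: {0}logixOID 1.3.6.1.4.1.40789
ObjectIdentifier: {1}YubiKeyPrj logixOID:2012.11.1
ObjectIdentifier: {2}YkSNMP YubiKeyPrj:1
ObjectIdentifier: {3}YkLDAP YubiKeyPrj:2
ObjectIdentifier: {4}YkAttribute YkLDAP:1
ObjectIdentifier: {5}YkObjectClass YkLDAP:2
AttributeTypes: {0}( YkAttribute:1 NAME 'yubiKeyId' DESC 'Yubico YubiKey ID' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} )
ObjectClasses: {0}( YkObjectClass:1 NAME 'yubiKeyUser' DESC 'Yubico YubiKey User' SUP top AUXILIARY MAY ( yubiKeyId ) )
"""

# Constructed sample of what `ldapsearch -b cn=schema ... attributeTypes
# objectClasses` prints: LDIF wraps long values and continues them on lines
# that start with a single space.
SCHEMA_LDIF = """\
dn: cn=schema
objectClass: top
objectClass: ldapSubentry
objectClass: subschema
cn: schema
attributeTypes: ( 1.3.6.1.4.1.40789.2012.11.1.2.1 NAME 'yubiKeyId' DESC 'Yubi
 co YubiKey ID' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1
 .26{128} )
objectClasses: ( 1.3.6.1.4.1.40789.2012.11.1.2.2 NAME 'yubiKeyUser' DESC 'Yub
 ico YubiKey User' SUP top AUXILIARY MAY ( yubiKeyId ) )
"""


def resolve_oid(token, macros):
    """Turn 'name', 'name:suffix' or an already numeric OID into a numeric OID."""
    if _NUMERIC_OID.match(token):
        return token
    name, _, suffix = token.partition(":")
    if name not in macros:
        raise ValueError("undefined ObjectIdentifier macro: %s" % name)
    return macros[name] + ("." + suffix if suffix else "")


def parse_macros(text):
    """Collect ObjectIdentifier lines into {macro name: numeric OID}, in order,
    so later macros can build on earlier ones."""
    macros = {}
    for line in text.splitlines():
        attr, _, value = line.partition(":")
        if attr.strip().lower() != "objectidentifier":
            continue
        name, oid = _ORDER_PREFIX.sub("", value.strip()).split(None, 1)
        macros[name] = resolve_oid(oid.strip(), macros)
    return macros


def expand_schema(text):
    """Rewrite AttributeTypes/ObjectClasses definitions with numeric OIDs, in
    the attribute spelling that loads into cn=schema on 389ds."""
    macros = parse_macros(text)
    out = []
    for line in text.splitlines():
        attr, _, value = line.partition(":")
        kind = _KINDS.get(attr.strip().lower())
        if kind is None:
            continue
        body = _ORDER_PREFIX.sub("", value.strip())
        m = re.match(r"\(\s*(\S+)\s*(.*)$", body, re.S)
        if not m:
            raise ValueError("malformed definition: %s" % body)
        out.append("%s: ( %s %s" % (kind, resolve_oid(m.group(1), macros), m.group(2)))
    return out


def unwrap_ldif(text):
    """Join LDIF continuation lines (leading space) back onto their line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def find_schema_element(ldif_text, kind, name):
    """Return the attributeTypes/objectClasses definition carrying NAME, or None.
    Matches both NAME 'x' and NAME ( 'x' 'alias' ), case-insensitively."""
    quoted = re.escape(name)
    want = re.compile(r"NAME\s+(?:'%s'|\(\s*[^)]*'%s'[^)]*\))" % (quoted, quoted), re.I)
    for line in unwrap_ldif(ldif_text):
        attr, _, value = line.partition(":")
        if attr.strip().lower() == kind.lower() and want.search(value):
            return value.strip()
    return None
```

The expander resolves YkAttribute:1 to 1.3.6.1.4.1.40789.2012.11.1.2.1.1, one arc below the YkAttribute macro itself, whereas the hand-converted file in this thread uses 1.3.6.1.4.1.40789.2012.11.1.2.1; running a macro schema through an expander before loading a hand-converted copy is how to catch that kind of drift.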
From jdennis at redhat.com Wed Dec 19 14:30:02 2012
From: jdennis at redhat.com (John Dennis)
Date: Wed, 19 Dec 2012 09:30:02 -0500
Subject: [Freeipa-users] testing AD trust on Fedora 18
In-Reply-To: <20121219105052.GT22856@localhost.localdomain>
References: <50D0CF2F.40904@redhat.com> <20121218203050.GN22856@localhost.localdomain> <50D0D87B.1010500@redhat.com> <50D17721.1070301@redhat.com> <20121219105052.GT22856@localhost.localdomain>
Message-ID: <50D1CF6A.7040707@redhat.com>

On 12/19/2012 05:50 AM, Sumit Bose wrote:
> On Wed, Dec 19, 2012 at 09:13:21AM +0100, Petr Spacek wrote:
>> On 12/18/2012 09:56 PM, John Dennis wrote:
>>>
>>> ipa: ERROR: unable to parse cookie header
>>> 'ipa_session=f963e8e4006fdcd79e1a2a5a989b4d01; Domain=;
>>> Path=/ipa; Expires=Thu, 18 Dec 2012 13:54:33 GMT; Secure; HttpOnly':
>>> unable to parse expires datetime 'Thu, 18 Dec 2012 13:54:33'
>>
>> John, could it be related to LANG environment variable? Is the
>> parser sensitive to LANG/other variables?
>>
>> Andre, could you post output from "echo $LANG", please?
>> (Logged in as user which ran IPA commands.)
>
> Petr, I think you are right, I can reproduce this issue if httpd and the
> client session use "incompatible" LANG settings. E.g. I have LANG=C for
> httpd and LANG=de_DE.UTF-8 in the shell.

Thank you for confirming this. I too wondered if this might be the case. I recall wondering if the locale would be an issue when using strptime() to parse the date. I'll file a ticket and provide a patch.

--
John Dennis
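As an added example (not FreeIPA's cookie.py), the Python below parses the Set-Cookie value quoted in this thread with a fixed English month table instead of strptime(), so a non-English LANG cannot break it, and then runs the checks John raised (empty Domain=, Secure, HttpOnly, expiry); the server FQDN and the "now" instant it compares against are assumed values for the demonstration.

```python
# Added example, not FreeIPA's cookie.py: parse a Set-Cookie header and its
# Expires attribute without depending on the process locale.
import re
from datetime import datetime, timezone

# RFC 1123 / RFC 6265 dates always carry these English names. time.strptime
# with "%a, %d %b %Y %H:%M:%S GMT" would instead expect the *locale's* names
# (under LANG=de_DE.UTF-8 "Di" and "Dez"), which is the failure in this thread.
_MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}
_EXPIRES = re.compile(
    r"^(?:[A-Za-z]{3},\s*)?"                      # weekday, ignored (RFC 6265)
    r"(?P<day>\d{1,2})\s+(?P<mon>[A-Za-z]{3})\s+(?P<year>\d{4})\s+"
    r"(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2})\s*(?:GMT|UTC)?$")

# The Set-Cookie value quoted in the thread (the session id is the one shown there).
SESSION_COOKIE = ("ipa_session=f963e8e4006fdcd79e1a2a5a989b4d01; Domain=; Path=/ipa; "
                  "Expires=Thu, 18 Dec 2012 13:54:33 GMT; Secure; HttpOnly")


def parse_expires(value):
    """'Thu, 18 Dec 2012 13:54:33 GMT' -> aware UTC datetime, whatever LANG is."""
    m = _EXPIRES.match(value.strip())
    mon = _MONTHS.get(m.group("mon").capitalize()) if m else None
    if mon is None:
        raise ValueError("unable to parse expires datetime '%s'" % value)
    return datetime(int(m.group("year")), mon, int(m.group("day")),
                    int(m.group("h")), int(m.group("m")), int(m.group("s")),
                    tzinfo=timezone.utc)


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, {lower-case attr: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, sep, value = parts[0].partition("=")
    if not sep or not name.strip():
        raise ValueError("missing cookie name=value in '%s'" % header)
    attrs = {}
    for part in parts[1:]:
        if part:
            k, _, v = part.partition("=")
            attrs[k.strip().lower()] = v.strip()
    return name.strip(), value, attrs


def check_session_cookie(header, server_fqdn, now):
    """Return the problems a client should log before using the cookie; an
    empty list means it is usable. As John notes above, a cookie that cannot
    be processed should only be logged, never abort the command."""
    _name, _value, attrs = parse_set_cookie(header)
    problems = []
    if "expires" in attrs:
        try:
            if parse_expires(attrs["expires"]) <= now:
                problems.append("expired")
        except ValueError as exc:
            problems.append(str(exc))
    if "domain" in attrs:                         # absent Domain = host-only cookie
        domain = attrs["domain"].lstrip(".").lower()
        if not domain:
            problems.append("empty Domain attribute")
        elif domain != server_fqdn.lower():
            problems.append("Domain %s is not the server FQDN" % domain)
    for flag in ("secure", "httponly"):
        if flag not in attrs:
            problems.append("missing " + flag)
    return problems
```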
From rmeggins at redhat.com Wed Dec 19 14:29:52 2012
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 19 Dec 2012 07:29:52 -0700
Subject: [Freeipa-users] Integrating Yubikey tokens into FreeIPA
In-Reply-To: <1355925844.2894.29.camel@willson.li.ssimo.org>
References: <50D1B35F.30403@themacartneyclan.com> <1355923257.2894.24.camel@willson.li.ssimo.org> <50D1C1DC.7050609@themacartneyclan.com> <1355925844.2894.29.camel@willson.li.ssimo.org>
Message-ID: <50D1CF60.5070701@redhat.com>

On 12/19/2012 07:04 AM, Simo Sorce wrote:
> On Wed, 2012-12-19 at 13:32 +0000, Dale Macartney wrote:
>> On 12/19/2012 01:20 PM, Simo Sorce wrote:
>>> On Wed, 2012-12-19 at 12:30 +0000, Dale Macartney wrote:
>>>> Morning all
>>>>
>>>> Here's something I was working on last night with Gavin Spurgeon.
>>>>
>>>> If anyone would like to comment on better ways to achieve this, I'd love
>>>> to hear it so I can update my own procedures (and the article of course)
>>>>
>>>> https://www.dalemacartney.com/2012/12/19/integrating-yubikey-token-details-within-ldap-with-freeipa-and-red-hat-enterprise-linux-6/
>>>> I hope some people find it useful.
>>> Hi Dale,
>>> what problem do you have adding new schema ?
>> we weren't able to add any objectIdentifier fields... when trying to
>> search for existing schema entries, we received the below output.
>>
>> [root at ds01 ~]# ldapsearch -LLL -h localhost -D "cn=Directory Manager" -x
>> -w redhat123 -b "cn=schema"
>> dn: cn=schema
>> objectClass: top
>> objectClass: ldapSubentry
>> objectClass: subschema
>> cn: schema
>
> For some reason the attributes you need to list are not returned by
> default and need to be explicitly listed; they are treated as
> operational.

In LDAPv3, operational attributes are not returned by default - they must be explicitly specified.
> > The search you need is: > ldapsearch -h localhost -x -b "cn=schema" "attributeTypes,objectClasses" ldapsearch -h localhost -x -b "cn=schema" "objectclass=*" \* attributeTypes objectClasses Also note that the lines will be wrapped, so if you are trying to grep for something, you will have to unwrap the lines first - see http://richmegginson.livejournal.com/18726.html > > Note that you do not need any auth to read the schema by default. > >> [root at ds01 ~]# >> >> >> We were trying to use this schema which what created by Michal, however >> we never managed to get it imported with the objectidentifier values there. >> >> dn: cn=yubikey,cn=config >> objectClass: SchemaConfig >> cn: yubikey >> # >> # YubiKey LDAP schema >> # >> # Author: Michal Ludvig >> # Consider a small PayPal donation: >> # http://logix.cz/michal/devel/yubikey-ldap/ >> # >> # Common Logix OID structure >> #...<...> >> ObjectIdentifier: {0}logixOID 1.3.6.1.4.1.40789 >> ObjectIdentifier: {1}YubiKeyPrj logixOID:2012.11.1 >> ObjectIdentifier: {2}YkSNMP YubiKeyPrj:1 >> ObjectIdentifier: {3}YkLDAP YubiKeyPrj:2 >> # YubiKey schema sub-tree >> ObjectIdentifier: {4}YkAttribute YkLDAP:1 >> ObjectIdentifier: {5}YkObjectClass YkLDAP:2 >> AttributeTypes: {0}( YkAttribute:1 >> NAME 'yubiKeyId' >> DESC 'Yubico YubiKey ID' >> EQUALITY caseIgnoreIA5Match >> SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} ) >> ObjectClasses: {0}( YkObjectClass:1 >> NAME 'yubiKeyUser' >> DESC 'Yubico YubiKey User' >> SUP top >> AUXILIARY >> MAY ( yubiKeyId ) ) >> >> we ended up having to settle for >> >> dn: cn=schema >> # >> attributeTypes: ( 1.3.6.1.4.1.40789.2012.11.1.2.1 NAME 'yubiKeyId' DESC >> 'Yubico YubiKey ID' EQUALITY caseIgnoreIA5Match SYNTAX >> 1.3.6.1.4.1.1466.115.121.1.26{1 >> objectClasses: ( 1.3.6.1.4.1.40789.2012.11.1.2.2 NAME 'yubiKeyUser' DESC >> 'Yubico YubiKey User' SUP top AUXILIARY MAY ( yubiKeyId ) ) >> >> >> Is there any security restrictions on the schema or perhaps something >> done differently to normal 
LDAP? Unless of course I'm doing something silly. >> >> thoughts? > Ah no it's just that 389ds does not support the prettified OIDs yet. The > schema file you ended up importing is 100% equivalent to the one with > the OID prefix substitutions. > > Simo. > From andrerobauru at gmail.com Wed Dec 19 18:10:14 2012 From: andrerobauru at gmail.com (Andre Rodrigues) Date: Wed, 19 Dec 2012 16:10:14 -0200 Subject: [Freeipa-users] testing AD trust on Fedora 18 Message-ID: Thank you all for the answers.. I noticed that I had installed freeipa with incorrect parameters, so I reinstalled freeipa and I think now default.conf is correct. answering some questions: On 12/18/2012, John Dennis wrote: >Please provide the contents of /etc/ipa/default.conf. [root at mtest ~]# more /etc/ipa/default.conf [global] host=mtest.unicamp.br basedn=dc=ipa,dc=unicamp,dc=br realm=IPA.UNICAMP.BR domain=ipa.unicamp.br xmlrpc_uri=https://mtest.unicamp.br/ipa/xml ldap_uri=ldapi://%2fvar%2frun%2fslapd-IPA-CCUEC-UNICAMP-BR.socket enable_ra=True mode=production >Do you have a .ipa/default.conf file set? If so that overrides the values in /etc/ipa/default.conf. If you have that as well please provide that as well. No On 12/19/2012, Petr Spacek wrote: >John, could it be related to LANG environment variable? Is the parser sensitive to LANG/other variables? >Andre, could you post output from "echo $LANG", please? (Logged in as user which ran IPA commands.) -- Petr^2 Spacek yes it could be... [root at mtest ~]# echo $LANG pt_BR.UTF-8 On 12/19/2012, Sumit Bose wrote: > Andre, as a workaround until the packages are fixed please call > > yum install m2crypto > service httpd restart > > HTH Thanks Sumit! The error with ad-trust package is not returned to me. Now it seems that the problem is with the DNS settings of AD domain: ipa: ERROR: Unable to resolve domain controller for 'adtest.unicamp.br' domain. 
Additional instructions: IPA manages DNS, please verify your DNS configuration and make sure that service records of the 'adtest.unicamp.br' domain can be resolved. Examples how to configure DNS with CLI commands or the Web UI can be found in the documentation. but I think I will solve it quickly. From jdennis at redhat.com Wed Dec 19 18:27:54 2012 From: jdennis at redhat.com (John Dennis) Date: Wed, 19 Dec 2012 13:27:54 -0500 Subject: [Freeipa-users] testing AD trust on Fedora 18 In-Reply-To: References: Message-ID: <50D2072A.70002@redhat.com> On 12/19/2012 01:10 PM, Andre Rodrigues wrote: > Thank you all for the answers.. > I noticed that I had installed freeipa with incorrect parameters, so I > reinstalled freeipa and I think now default.conf is correct. > answering some questions: > > On 12/18/2012, John Dennis wrote: >> Please provide the contents of /etc/ipa/default.conf. > [root at mtest ~]# more /etc/ipa/default.conf > [global] > host=mtest.unicamp.br > basedn=dc=ipa,dc=unicamp,dc=br > realm=IPA.UNICAMP.BR > domain=ipa.unicamp.br > xmlrpc_uri=https://mtest.unicamp.br/ipa/xml > ldap_uri=ldapi://%2fvar%2frun%2fslapd-IPA-CCUEC-UNICAMP-BR.socket > enable_ra=True > mode=production > >> Do you have a .ipa/default.conf file set? If so that overrides the values in /etc/ipa/default.conf. If you have that as well please provide that as well. > No > > On 12/19/2012, Petr Spacek wrote: >> John, could it be related to LANG environment variable? Is the parser sensitive to LANG/other variables? >> Andre, could you post output from "echo $LANG", please? (Logged in as user which ran IPA commands.) -- Petr^2 Spacek > yes it could be... > [root at mtest ~]# echo $LANG > pt_BR.UTF-8 Thank you, this is a bug in the cookie handling that only shows up with non-English locales. We already have a patch for it. 
https://fedorahosted.org/freeipa/ticket/3313

>
> On 12/19/2012, Sumit Bose wrote:
>> Andre, as a workaround until the packages are fixed please call
>>
>> yum install m2crypto
>> service httpd restart
>>
>> HTH
> Thanks Sumit! The error with ad-trust package is not returned to me.
> Now it seems that the problem is with the DNS settings of AD domain:
>
> ipa: ERROR: Unable to resolve domain controller for 'adtest.unicamp.br' domain.
> Additional instructions:
> IPA manages DNS, please verify your DNS configuration and make sure
> that service records of the 'adtest.unicamp.br' domain can be
> resolved. Examples how to configure DNS with CLI commands or the Web
> UI can be found in the documentation.
>
> but I think I will solve it quickly.
>

--
John Dennis

From cao2dan at yahoo.com Wed Dec 19 22:11:34 2012
From: cao2dan at yahoo.com (David Copperfield)
Date: Wed, 19 Dec 2012 14:11:34 -0800 (PST)
Subject: [Freeipa-users] Any way to delegate subordinate account management to managers?
In-Reply-To: <50D1CF60.5070701@redhat.com>
References: <50D1B35F.30403@themacartneyclan.com> <1355923257.2894.24.camel@willson.li.ssimo.org> <50D1C1DC.7050609@themacartneyclan.com> <1355925844.2894.29.camel@willson.li.ssimo.org> <50D1CF60.5070701@redhat.com>
Message-ID: <1355955094.13973.YahooMailNeo@web122601.mail.ne1.yahoo.com>

Hi all,

Just wonder whether there is a way to delegate to managers the authority/permissions to manage his/her subordinate user accounts? Similar to host/services delegation. Please elaborate if there is a way to reach this or similar.

Let's say, we create a user group of subordinate employee accounts, then let the particular manager do the management work for the group, like:

1, reset passwords for the subordinates (main work)
2, change/update some attributes of the subordinates.
3, if possible, remove one or more subordinate accounts.

Thanks.
--Guolin

From cao2dan at yahoo.com Wed Dec 19 22:24:08 2012
From: cao2dan at yahoo.com (David Copperfield)
Date: Wed, 19 Dec 2012 14:24:08 -0800 (PST)
Subject: [Freeipa-users] IPA 2.2.0-16 still needs CLEANRUV and CLEANALLRUV
In-Reply-To: <1355925844.2894.29.camel@willson.li.ssimo.org>
References: <50D1B35F.30403@themacartneyclan.com> <1355923257.2894.24.camel@willson.li.ssimo.org> <50D1C1DC.7050609@themacartneyclan.com> <1355925844.2894.29.camel@willson.li.ssimo.org>
Message-ID: <1355955848.21219.YahooMailNeo@web122603.mail.ne1.yahoo.com>

Hi howdy,

This is trying to confirm whether we still need to perform the steps of cleaning RUV records when a freeIPA master or a replica is removed. Months back it was rumored that some work was being done on the underlying 389 LDAP and the RUV cleaning steps would be obsoleted when IPA master & replica servers were removed, or removed and added back. The RUV stuff can be found at http://directory.fedoraproject.org/wiki/Howto:CLEANRUV.

Someone familiar with this topic please elaborate/confirm. Thanks a lot.

--David

From dpal at redhat.com Wed Dec 19 22:58:25 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 19 Dec 2012 17:58:25 -0500
Subject: [Freeipa-users] Any way to delegate subordinate account management to managers?
In-Reply-To: <1355955094.13973.YahooMailNeo@web122601.mail.ne1.yahoo.com> References: <50D1B35F.30403@themacartneyclan.com> <1355923257.2894.24.camel@willson.li.ssimo.org> <50D1C1DC.7050609@themacartneyclan.com> <1355925844.2894.29.camel@willson.li.ssimo.org> <50D1CF60.5070701@redhat.com> <1355955094.13973.YahooMailNeo@web122601.mail.ne1.yahoo.com> Message-ID: <50D24691.5020606@redhat.com> On 12/19/2012 05:11 PM, David Copperfield wrote: > > Hi all, > > Just wonder whether there is a way to delegate to managers the > authority/permissions to manage his/her subordinate user accounts? > Similar to host/services delegation. Please elaborate if there is a > way to reach this or similar. > > Let's say, we create a user group of subordinate employee accounts, > then let the particular manager to do the management work for the > group, like: > > 1, reset passwords for the subordinates (main work) > 2, change/update some attributes of the subordinates. > 3, if possible, remove one or more subordinate accounts. > > Thanks. > I think you need to look at the Delegated administration capabilities of IPA. https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6-Beta/html-single/Identity_Management_Guide/index.html#delegating-users > --Guolin > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users -- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -------------- next part -------------- An HTML attachment was scrubbed... 
From cao2dan at yahoo.com Wed Dec 19 23:34:05 2012
From: cao2dan at yahoo.com (David Copperfield)
Date: Wed, 19 Dec 2012 15:34:05 -0800 (PST)
Subject: [Freeipa-users] two questions on IPA usage
In-Reply-To: <1355955094.13973.YahooMailNeo@web122601.mail.ne1.yahoo.com>
References: <50D1B35F.30403@themacartneyclan.com> <1355923257.2894.24.camel@willson.li.ssimo.org> <50D1C1DC.7050609@themacartneyclan.com> <1355925844.2894.29.camel@willson.li.ssimo.org> <50D1CF60.5070701@redhat.com> <1355955094.13973.YahooMailNeo@web122601.mail.ne1.yahoo.com>
Message-ID: <1355960045.98502.YahooMailNeo@web122601.mail.ne1.yahoo.com>

Hi Howdy,

Two questions on IPA usage are listed below. Please help.

1, How to reset a normal IPA user's password through the web interface when the password is expired?

When the normal user's password is close to expiration but still not expired, he/she can change it through the web interface https://ipaserver/. Otherwise he/she has to do ssh/kinit to update his/her password. But the problem is: quite some users are non tech-savvy -- managers, marketing, sales -- and they have no idea of Linux or Kerberos; what they can do is access a web interface and fill in HTML forms.

2, When will the freeIPA 3.0 and 3.1 series RPMs be available on Redhat 6? Does IPA version 3.0/3.1 have backup/restore solutions, and merged CA LDAP instance and IPA LDAP instance?

Presently the IPA version on redhat 6.3 is 2.2.0; I can wait if IPA 3.0 or 3.1 will come out soon for redhat 6 and have the cool features.

Thanks a lot.

--Guolin

From cao2dan at yahoo.com Wed Dec 19 23:34:51 2012
From: cao2dan at yahoo.com (David Copperfield)
Date: Wed, 19 Dec 2012 15:34:51 -0800 (PST)
Subject: [Freeipa-users] Any way to delegate subordinate account management to managers?
In-Reply-To: <50D24691.5020606@redhat.com>
References: <50D1B35F.30403@themacartneyclan.com> <1355923257.2894.24.camel@willson.li.ssimo.org> <50D1C1DC.7050609@themacartneyclan.com> <1355925844.2894.29.camel@willson.li.ssimo.org> <50D1CF60.5070701@redhat.com> <1355955094.13973.YahooMailNeo@web122601.mail.ne1.yahoo.com> <50D24691.5020606@redhat.com>
Message-ID: <1355960091.91668.YahooMailNeo@web122603.mail.ne1.yahoo.com>

Thanks a lot, Dmitri. That's exactly what I am looking for.

--David.

________________________________
From: Dmitri Pal
To: freeipa-users at redhat.com
Sent: Wednesday, December 19, 2012 2:58 PM
Subject: Re: [Freeipa-users] Any way to delegate subordinate account management to managers?

On 12/19/2012 05:11 PM, David Copperfield wrote:
>
>Hi all,
>
>Just wonder whether there is a way to delegate to managers the authority/permissions to manage his/her subordinate user accounts? Similar to host/services delegation. Please elaborate if there is a way to reach this or similar.
>
>Let's say, we create a user group of subordinate employee accounts, then let the particular manager do the management work for the group, like:
>
>1, reset passwords for the subordinates (main work)
>2, change/update some attributes of the subordinates.
>3, if possible, remove one or more subordinate accounts.
>
>Thanks.
>
I think you need to look at the Delegated administration capabilities of IPA.

https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6-Beta/html-single/Identity_Management_Guide/index.html#delegating-users

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
From Johan.Petersson at sscspace.com Thu Dec 20 08:40:29 2012
From: Johan.Petersson at sscspace.com (Johan Petersson)
Date: Thu, 20 Dec 2012 08:40:29 +0000
Subject: [Freeipa-users] Does Solaris 11 work as client to IPA server?
In-Reply-To: <50D09ED3.3030102@redhat.com>
References: <558C15177F5E714F83334217C9A197DF5DB4175B@SSC-MBX2.ssc.internal> <20801.213.225.75.97.1355821569.squirrel@www.nixtra.com>, <50D09ED3.3030102@redhat.com>
Message-ID: <558C15177F5E714F83334217C9A197DF5DB82294@SSC-MBX2.ssc.internal>

I have now managed to use a Solaris 11 system as a client to IPA Server.

su - testuser works, ssh works and console login works. I get a delay before getting the prompt through ssh though, and maybe from console too, probably something about autofs. Going to see if I can increase log information (Solaris newbie).

To get it to work I mainly followed Sigbjorn Lie's instructions for Solaris 10 in earlier posts here. I also used the /etc/pam.conf configuration example from the Solaris 10 client guide on Free IPA. I stuck with the default DUAProfile for now and use a NFS4 Kerberos share for home directories with autofs. Going to try the other DUAProfile too from Bug 815515 and hopefully I can get everything working.

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Dmitri Pal [dpal at redhat.com]
Sent: Tuesday, December 18, 2012 17:50
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?
On 12/18/2012 04:06 AM, Sigbjorn Lie wrote:
> On Tue, December 18, 2012 08:28, Johan Petersson wrote:
>> Hi,
>>
>> We are implementing IPA Server and are going to need to be able to authenticate properly with a
>> number of Solaris 11 servers. I have browsed the archives and found a few threads mentioning some
>> problems with Solaris 11 and IPA Server. Does anyone know if the issue has been solved?
>>
> I don't think there are any problems with Solaris 11 except that nobody has yet sat down and figured
> out how to configure it as an IPA client yet.
>
> I had a go at it a while ago (some of the posts you've probably found), and found that there were
> enough differences in the LDAP/Kerberos client between Solaris 10 and Solaris 11 for making it
> work with the setup guide I've created for Solaris 10. And there was a need for further
> investigation for finding out how to configure Solaris 11 as an IPA client.
>
> I've not looked into this further as we do not use Solaris 11 yet.
>
> I don't know if anyone else has had time to sit down and have a crack at this?

And we would like to hear about this effort.
If it produces instructions we would like to put them on the wiki.
If it produces bugs we would investigate them.

>
> Regards,
> Siggi
>

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

From sigbjorn at nixtra.com Thu Dec 20 09:13:56 2012
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Thu, 20 Dec 2012 10:13:56 +0100 (CET)
Subject: [Freeipa-users] Does Solaris 11 work as client to IPA server?
In-Reply-To: <558C15177F5E714F83334217C9A197DF5DB82294@SSC-MBX2.ssc.internal>
References: <558C15177F5E714F83334217C9A197DF5DB4175B@SSC-MBX2.ssc.internal> <20801.213.225.75.97.1355821569.squirrel@www.nixtra.com>, <50D09ED3.3030102@redhat.com> <558C15177F5E714F83334217C9A197DF5DB82294@SSC-MBX2.ssc.internal>
Message-ID: <51748.188.244.64.7.1355994836.squirrel@www.nixtra.com>

Hi,

This is interesting. When I tested Solaris 11, ssh worked, and su - testuser worked. However console login did not work, giving some PAM errors.

Could you please share your entire pam.conf file?

Is this Solaris 11 or Solaris 11.1?

Regards,
Siggi

On Thu, December 20, 2012 09:40, Johan Petersson wrote:
> I have now managed to use a Solaris 11 system as a client to IPA Server.
> su - testuser works, ssh works and console login works. I get a delay before getting the prompt through ssh though, and maybe from console too, probably something about autofs. Going to see if I can increase log information (Solaris newbie). To get it to work I mainly followed Sigbjorn Lie's instructions for Solaris 10 in earlier posts here. I also used the /etc/pam.conf configuration example from the Solaris 10 client guide on FreeIPA. I stuck with the default DUAProfile for now and use a NFS4 Kerberos share for home directories with autofs. Going to try the other DUAProfile too from Bug 815515 and hopefully I can get everything working.
From npmarks at gmail.com Thu Dec 20 11:04:08 2012
From: npmarks at gmail.com (Nate Marks)
Date: Thu, 20 Dec 2012 06:04:08 -0500
Subject: [Freeipa-users] ipa-replica-manage error
Message-ID:

I'm struggling with this output from ipa-replica-manage against an AD machine. Can anyone tell me what the '-11 - System error' means? Thanks!

Added CA certificate /etc/openldap/cacerts/testdc.testdomain.corp_testdomain-TESTDC-CA.crt to certificate database for ipa01.inframax.ncare
ipa: INFO: AD Suffix is: DC=testdomain,DC=corp
The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=inframax,dc=ncare
Windows PassSync entry exists, not resetting password
ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
ipa: INFO: Replication Update in progress: FALSE: status: -11 - System error: start: 0: end: 0
ipa: INFO: Agreement is ready, starting replication . . .
Starting replication, please wait until this has completed.
[ipa01.inframax.ncare] reports: Update failed! Status: [-11 - System error]
Failed to start replication

From Johan.Petersson at sscspace.com Thu Dec 20 12:40:21 2012
From: Johan.Petersson at sscspace.com (Johan Petersson)
Date: Thu, 20 Dec 2012 12:40:21 +0000
Subject: [Freeipa-users] Does Solaris 11 work as client to IPA server?
In-Reply-To: <51748.188.244.64.7.1355994836.squirrel@www.nixtra.com>
References: <558C15177F5E714F83334217C9A197DF5DB4175B@SSC-MBX2.ssc.internal> <20801.213.225.75.97.1355821569.squirrel@www.nixtra.com>, <50D09ED3.3030102@redhat.com> <558C15177F5E714F83334217C9A197DF5DB82294@SSC-MBX2.ssc.internal>, <51748.188.244.64.7.1355994836.squirrel@www.nixtra.com>
Message-ID: <558C15177F5E714F83334217C9A197DF5DB822D5@SSC-MBX2.ssc.internal>

Hi,

Here is my pam.conf cleaned up a bit.

login         auth     requisite   pam_authtok_get.so.1
login         auth     required    pam_dhkeys.so.1
login         auth     sufficient  pam_krb5.so.1 try_first_pass
login         auth     required    pam_unix_cred.so.1
login         auth     required    pam_unix_auth.so.1
login         auth     required    pam_dial_auth.so.1

gdm-autologin auth     required    pam_unix_cred.so.1
gdm-autologin auth     sufficient  pam_allow.so.1

other         auth     requisite   pam_authtok_get.so.1
other         auth     required    pam_dhkeys.so.1
other         auth     required    pam_unix_cred.so.1
other         auth     sufficient  pam_krb5.so.1
other         auth     required    pam_unix_auth.so.1

passwd        auth     required    pam_passwd_auth.so.1

gdm-autologin account  sufficient  pam_allow.so.1

other         account  requisite   pam_roles.so.1
other         account  required    pam_unix_account.so.1
other         account  required    pam_krb5.so.1

other         session  required    pam_unix_session.so.1

other         password required    pam_dhkeys.so.1
other         password requisite   pam_authtok_get.so.1
other         password requisite   pam_authtok_check.so.1 force_check
other         password sufficient  pam_krb5.so.1
other         password required    pam_authtok_store.so.1

I am getting one error and it is for autofs.

/var/adm/messages:
Dec 20 12:56:58 servername automount[1651]: [ID 754625 daemon.error] Object not found

/var/svc/log/system.filesystem-autofs:default.log:
[ Dec 20 12:24:22 Executing start method ("/lib/svc/method/svc-autofs start"). ]
automount: /net mounted
automount: /nfs4 mounted
automount: no unmounts
[ Dec 20 12:24:22 Method "start" exited with status 0.
]

ldapclient list
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= servername
NS_LDAP_SEARCH_BASEDN= dc=home
NS_LDAP_AUTH= none
NS_LDAP_SEARCH_REF= TRUE
NS_LDAP_SEARCH_TIME= 15
NS_LDAP_PROFILE= default
NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=accounts,dc=home
NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=compat,dc=home
NS_LDAP_BIND_TIME= 5
NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=posixAccount

Thinking it has to do with the missing automountmap in the default DUAProfile.
Automount still works though, but takes time during login and everything is nobody:nobody :)

________________________________________
From: Sigbjorn Lie [sigbjorn at nixtra.com]
Sent: Thursday, December 20, 2012 10:13
To: Johan Petersson
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?

Hi,

This is interesting. When I tested Solaris 11, ssh worked, and su - testuser worked. However console login did not work, giving some PAM errors.

Could you please share your entire pam.conf file?

Is this Solaris 11 or Solaris 11.1?

Regards,
Siggi
From sigbjorn at nixtra.com Thu Dec 20 14:20:44 2012
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Thu, 20 Dec 2012 15:20:44 +0100 (CET)
Subject: [Freeipa-users] Does Solaris 11 work as client to IPA server?
In-Reply-To: <558C15177F5E714F83334217C9A197DF5DB822D5@SSC-MBX2.ssc.internal>
References: <558C15177F5E714F83334217C9A197DF5DB4175B@SSC-MBX2.ssc.internal> <20801.213.225.75.97.1355821569.squirrel@www.nixtra.com>, <50D09ED3.3030102@redhat.com> <558C15177F5E714F83334217C9A197DF5DB82294@SSC-MBX2.ssc.internal>, <51748.188.244.64.7.1355994836.squirrel@www.nixtra.com> <558C15177F5E714F83334217C9A197DF5DB822D5@SSC-MBX2.ssc.internal>
Message-ID: <55800.188.244.64.7.1356013244.squirrel@www.nixtra.com>

Thanks.

I'm guessing it's taking such a long time because it's looking through the entire LDAP server for your automount maps. The automountmap rules in the DUA profile will help with that. You'll also run into issues if you attempt to have several automount locations without having specified which one to use with an automountmap rule for auto master.

If you are using NFS4 you should add the _nfsv4idmapdomain DNS TXT record to your DNS, or set NFSMAPID_DOMAIN in /etc/default/nfs to the same value as the domain id used on your NFS server, to get rid of the nobody:nobody default mapping and enable mapping between the NFS server and the client.

Regards,
Siggi

On Thu, December 20, 2012 13:40, Johan Petersson wrote:
> Hi,
>
> Here is my pam.conf cleaned up a bit.
>
> login         auth     requisite   pam_authtok_get.so.1
> login         auth     required    pam_dhkeys.so.1
> login         auth     sufficient  pam_krb5.so.1 try_first_pass
> login         auth     required    pam_unix_cred.so.1
> login         auth     required    pam_unix_auth.so.1
> login         auth     required    pam_dial_auth.so.1
>
> gdm-autologin auth     required    pam_unix_cred.so.1
> gdm-autologin auth     sufficient  pam_allow.so.1
>
> other         auth     requisite   pam_authtok_get.so.1
> other         auth     required    pam_dhkeys.so.1
> other         auth     required    pam_unix_cred.so.1
> other         auth     sufficient  pam_krb5.so.1
> other         auth     required    pam_unix_auth.so.1
>
> passwd        auth     required    pam_passwd_auth.so.1
>
> gdm-autologin account  sufficient  pam_allow.so.1
>
> other         account  requisite   pam_roles.so.1
> other         account  required    pam_unix_account.so.1
> other         account  required    pam_krb5.so.1
>
> other         session  required    pam_unix_session.so.1
>
> other         password required    pam_dhkeys.so.1
> other         password requisite   pam_authtok_get.so.1
> other         password requisite   pam_authtok_check.so.1 force_check
> other         password sufficient  pam_krb5.so.1
> other         password required    pam_authtok_store.so.1
>
> I am getting one error and it is for autofs.
>
> /var/adm/messages:
> Dec 20 12:56:58 servername automount[1651]: [ID 754625 daemon.error] Object not found
>
> /var/svc/log/system.filesystem-autofs:default.log:
> [ Dec 20 12:24:22 Executing start method ("/lib/svc/method/svc-autofs start"). ]
> automount: /net mounted
> automount: /nfs4 mounted
> automount: no unmounts
> [ Dec 20 12:24:22 Method "start" exited with status 0.
> ]
>
> ldapclient list
> NS_LDAP_FILE_VERSION= 2.0
> NS_LDAP_SERVERS= servername
> NS_LDAP_SEARCH_BASEDN= dc=home
> NS_LDAP_AUTH= none
> NS_LDAP_SEARCH_REF= TRUE
> NS_LDAP_SEARCH_TIME= 15
> NS_LDAP_PROFILE= default
> NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=accounts,dc=home
> NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=compat,dc=home
> NS_LDAP_BIND_TIME= 5
> NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=posixAccount
>
> Thinking it has to do with the missing automountmap in the default DUAProfile.
> Automount still works though, but takes time during login and everything is nobody:nobody :)
From rmeggins at redhat.com Thu Dec 20 14:29:03 2012
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 20 Dec 2012 07:29:03 -0700
Subject: [Freeipa-users] ipa-replica-manage error
In-Reply-To:
References:
Message-ID: <50D320AF.6010709@redhat.com>

On 12/20/2012 04:04 AM, Nate Marks wrote:
> I'm struggling with this output from ipa-replica-manage against an AD machine. Can anyone tell me what the '-11 - System error' means? Thanks!
>
> Added CA certificate /etc/openldap/cacerts/testdc.testdomain.corp_testdomain-TESTDC-CA.crt to certificate database for ipa01.inframax.ncare
> ipa: INFO: AD Suffix is: DC=testdomain,DC=corp
> The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=inframax,dc=ncare
> Windows PassSync entry exists, not resetting password
> ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
> ipa: INFO: Replication Update in progress: FALSE: status: -11 - System error: start: 0: end: 0
> ipa: INFO: Agreement is ready, starting replication . . .
> Starting replication, please wait until this has completed.
> [ipa01.inframax.ncare] reports: Update failed! Status: [-11 - System error]
> Failed to start replication

What's in the 389 errors log /var/log/dirsrv/slapd-YOUR-DOMAIN/errors from around this time?
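Going back to the Solaris 11 thread above: the script below audits the pam.conf Johan posted and is an added example, not code from the thread, from FreeIPA or from Solaris. It parses pam.conf entries into per-service stacks, resolves a service to the "other" entries the way Solaris PAM does when the service has no entries of a given type, and applies three checks that are my own assumptions rather than anything stated on the list: pam_allow.so.1 appears only under gdm-autologin, pam_krb5.so.1 takes part in every auth and account stack except the gdm-autologin and passwd services, and in auth the sufficient pam_krb5 entry comes before the required pam_unix_auth entry. Johan's configuration passes all three; the findings list is what to compare when a Solaris 11 client gives PAM errors on console login while ssh and su work.

```python
"""Audit a Solaris pam.conf: per-service stacks plus a few Kerberos-client checks.

Added example, not code from the mailing-list thread, FreeIPA or Solaris.
The expectations encoded in audit() are assumptions of this example.
"""
from collections import defaultdict

# The pam.conf posted in the thread (Solaris 11 client of an IPA server), verbatim.
PAM_CONF = """\
login         auth     requisite   pam_authtok_get.so.1
login         auth     required    pam_dhkeys.so.1
login         auth     sufficient  pam_krb5.so.1 try_first_pass
login         auth     required    pam_unix_cred.so.1
login         auth     required    pam_unix_auth.so.1
login         auth     required    pam_dial_auth.so.1
gdm-autologin auth     required    pam_unix_cred.so.1
gdm-autologin auth     sufficient  pam_allow.so.1
other         auth     requisite   pam_authtok_get.so.1
other         auth     required    pam_dhkeys.so.1
other         auth     required    pam_unix_cred.so.1
other         auth     sufficient  pam_krb5.so.1
other         auth     required    pam_unix_auth.so.1
passwd        auth     required    pam_passwd_auth.so.1
gdm-autologin account  sufficient  pam_allow.so.1
other         account  requisite   pam_roles.so.1
other         account  required    pam_unix_account.so.1
other         account  required    pam_krb5.so.1
other         session  required    pam_unix_session.so.1
other         password required    pam_dhkeys.so.1
other         password requisite   pam_authtok_get.so.1
other         password requisite   pam_authtok_check.so.1 force_check
other         password sufficient  pam_krb5.so.1
other         password required    pam_authtok_store.so.1
"""

# Services whose stacks are deliberately not Kerberos-based (assumption of this
# example): gdm-autologin grants access by design, and the passwd command uses
# pam_passwd_auth to verify the old password before a change.
NO_KRB5_EXPECTED = {"gdm-autologin", "passwd"}


def parse_pam_conf(text):
    """Return {(service, type): [(control, module, options), ...]} in file order.

    A Solaris pam.conf entry is: service type control module_path [options...].
    """
    stacks = defaultdict(list)
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError("line %d: expected at least 4 fields: %r" % (lineno, raw))
        service, mtype, control, module = fields[:4]
        stacks[(service, mtype)].append((control, module, fields[4:]))
    return dict(stacks)


def stack_for(stacks, service, mtype):
    """The stack Solaris PAM applies: the service's own entries, else those of 'other'."""
    return stacks.get((service, mtype)) or stacks.get(("other", mtype), [])


def audit(stacks):
    """Return findings as strings; an empty list means every check passed."""
    findings = []
    for svc in sorted({svc for (svc, _t) in stacks}):
        for mtype in ("auth", "account"):
            modules = [m for (_c, m, _o) in stack_for(stacks, svc, mtype)]
            # pam_allow.so.1 succeeds unconditionally; only autologin should use it.
            if "pam_allow.so.1" in modules and svc != "gdm-autologin":
                findings.append("%s/%s: pam_allow.so.1 present" % (svc, mtype))
            if svc in NO_KRB5_EXPECTED:
                continue
            # Kerberos must take part in both authentication and account checks.
            if "pam_krb5.so.1" not in modules:
                findings.append("%s/%s: pam_krb5.so.1 missing" % (svc, mtype))
            # In auth, a 'sufficient' pam_krb5 must precede the 'required'
            # pam_unix_auth: a required module that already failed (no local
            # password for an IPA user) makes a later sufficient success useless.
            elif (mtype == "auth" and "pam_unix_auth.so.1" in modules and
                  modules.index("pam_unix_auth.so.1") < modules.index("pam_krb5.so.1")):
                findings.append("%s/auth: pam_unix_auth.so.1 precedes pam_krb5.so.1" % svc)
    return findings


if __name__ == "__main__":
    stacks = parse_pam_conf(PAM_CONF)
    for (svc, mtype), entries in sorted(stacks.items()):
        print("%s/%s:" % (svc, mtype))
        for control, module, options in entries:
            print("    %-10s %s %s" % (control, module, " ".join(options)))
    print("findings:", audit(stacks) or "none")
```

To use it on a real client, replace PAM_CONF with the contents of /etc/pam.conf; the per-service listing shows which stack actually applies to login, sshd or su after the fallback to "other", which is usually the first thing to compare between a working and a failing Solaris box.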
From hboetes at gmail.com Thu Dec 20 15:38:40 2012
From: hboetes at gmail.com (Han Boetes)
Date: Thu, 20 Dec 2012 16:38:40 +0100
Subject: [Freeipa-users] login with kerberos on a webserver, just like with the ipa interface.
Message-ID:

Hi,

I followed http://freeipa.org/page/Apache_SNI_With_Kerberos to enable logging in to a webserver with kerberos tickets. I followed everything to the letter and all looks well.

I can log in with a username and password, but when I set the httpd.conf entry to

KrbMethodK5Passwd off

I can't log in. What works great with the ipa admin interface does not work with this recipe.

I even compared it to /etc/httpd/conf.d/ipa.conf and added the KrbAuthRealms setting but to no avail.

Adding KrbConstrainedDelegation on does not work alas. Although I am using centos 6.3

I checked the http logfiles and the /var/log/krb5kdc.log, everything else on that host works fine. I can log in without a password and sudo -s works like it should.

Please help me debugging this issue. What am I missing?

# Han

From hboetes at gmail.com Thu Dec 20 15:43:08 2012
From: hboetes at gmail.com (Han Boetes)
Date: Thu, 20 Dec 2012 16:43:08 +0100
Subject: [Freeipa-users] sudo made a bit easier to configure
Message-ID:

Hi,

I discovered that using this recipe makes setting up sudo-ldap very simple. Even when anonymous binds are disabled.

TLS_CACERT /etc/ipa/ca.crt
TLS_REQCERT demand
SASL_MECH GSSAPI
BASE dc=domain,dc=com
URI ldap://auth-ipa.domain.com
ROOTUSE_SASL on
SUDOERS_BASE ou=SUDOers,dc=domain,dc=com
SUDOERS_DEBUG 2

Of course you can set DEBUG to 0 once everything works.
I'd like to share this since the docs on the freeipa site on how to set up sudo were quite a bit more complicated.

# Han

From simo at redhat.com Thu Dec 20 16:33:06 2012
From: simo at redhat.com (Simo Sorce)
Date: Thu, 20 Dec 2012 11:33:06 -0500
Subject: [Freeipa-users] login with kerberos on a webserver, just like with the ipa interface.
In-Reply-To:
References:
Message-ID: <1356021186.2894.83.camel@willson.li.ssimo.org>

On Thu, 2012-12-20 at 16:38 +0100, Han Boetes wrote:
> Hi,
>
> I followed http://freeipa.org/page/Apache_SNI_With_Kerberos to enable logging in to a webserver with kerberos tickets. I followed everything to the letter and all looks well.
>
> I can log in with a username and password, but when I set the httpd.conf entry to
>
> KrbMethodK5Passwd off
>
> I can't log in. What works great with the ipa admin interface does not work with this recipe.
>
> I even compared it to /etc/httpd/conf.d/ipa.conf and added the KrbAuthRealms setting but to no avail.
>
> Adding KrbConstrainedDelegation on does not work alas. Although I am using centos 6.3
>
> I checked the http logfiles and the /var/log/krb5kdc.log, everything else on that host works fine. I can log in without a password and sudo -s works like it should.
>
> Please help me debugging this issue. What am I missing?

Are you using the same fully qualified name you have a keytab for?
Do you see a ticket for the target server in the user ccache on the client?

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From Johan.Petersson at sscspace.com Thu Dec 20 18:03:21 2012
From: Johan.Petersson at sscspace.com (Johan Petersson)
Date: Thu, 20 Dec 2012 18:03:21 +0000
Subject: [Freeipa-users] Does Solaris 11 work as client to IPA server?
In-Reply-To: <55800.188.244.64.7.1356013244.squirrel@www.nixtra.com>
References: <558C15177F5E714F83334217C9A197DF5DB4175B@SSC-MBX2.ssc.internal> <20801.213.225.75.97.1355821569.squirrel@www.nixtra.com>, <50D09ED3.3030102@redhat.com> <558C15177F5E714F83334217C9A197DF5DB82294@SSC-MBX2.ssc.internal>, <51748.188.244.64.7.1355994836.squirrel@www.nixtra.com> <558C15177F5E714F83334217C9A197DF5DB822D5@SSC-MBX2.ssc.internal>, <55800.188.244.64.7.1356013244.squirrel@www.nixtra.com>
Message-ID: <558C15177F5E714F83334217C9A197DF5DB8231A@SSC-MBX2.ssc.internal>

Hi,

Thank you for the tip about NFSMAPID_DOMAIN. It was not set properly.

sharectl get nfs
nfsmapid_domain=

And by using:

sharectl set -p nfsmapid_domain=servername nfs

It was properly set. I must add that I prefer editing files instead of sharectl, svccfg and so on. :)

I also made an auto.home map in IPA Server to set the home directory automounts right.

And I almost forgot, my Solaris version is 11 11/11.

Regards,
Johan.

________________________________________
From: Sigbjorn Lie [sigbjorn at nixtra.com]
Sent: Thursday, December 20, 2012 15:20
To: Johan Petersson
Cc: freeipa-users at redhat.com
Subject: RE: [Freeipa-users] Does Solaris 11 work as client to IPA server?

Thanks.

I'm guessing it's taking such a long time because it's looking through the entire LDAP server for your automount maps. The automountmap rules in the DUA profile will help with that. You'll also run into issues if you attempt to have several automount locations without having specified which one to use with an automountmap rule for auto master.

If you are using NFS4 you should add the _nfsv4idmapdomain DNS TXT record to your DNS, or set NFSMAPID_DOMAIN in /etc/default/nfs to the same value as the domain id used on your NFS server, to get rid of the nobody:nobody default mapping and enable mapping between the NFS server and the client.

Regards,
Siggi
From Johan.Petersson at sscspace.com Fri Dec 21 00:13:21 2012
From: Johan.Petersson at sscspace.com (Johan Petersson)
Date: Fri, 21 Dec 2012 00:13:21 +0000
Subject: [Freeipa-users] Does Solaris 11 work as client to IPA server?
In-Reply-To: <558C15177F5E714F83334217C9A197DF5DB8231A@SSC-MBX2.ssc.internal>
References: <558C15177F5E714F83334217C9A197DF5DB4175B@SSC-MBX2.ssc.internal> <20801.213.225.75.97.1355821569.squirrel@www.nixtra.com>, <50D09ED3.3030102@redhat.com> <558C15177F5E714F83334217C9A197DF5DB82294@SSC-MBX2.ssc.internal>, <51748.188.244.64.7.1355994836.squirrel@www.nixtra.com> <558C15177F5E714F83334217C9A197DF5DB822D5@SSC-MBX2.ssc.internal>, <55800.188.244.64.7.1356013244.squirrel@www.nixtra.com>, <558C15177F5E714F83334217C9A197DF5DB8231A@SSC-MBX2.ssc.internal>
Message-ID: <558C15177F5E714F83334217C9A197DF5DB8234C@SSC-MBX2.ssc.internal>

Hi,

Was your example of a new DUAProfile ever added to Fedora or RHEL? If so, I can't find any reference to it or a fix of the documentation. If not, is there a way to add it myself for my configuration? There is always the manual way otherwise, I guess.

Are Red Hat going to support RHEL clients only in IPA Server? We will have several Linux flavours, Solaris, Windows 7/8 + Server 2012 and Mac OS X, so the answer to that question is kind of interesting.
:)

Regards,
Johan
________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Johan Petersson [Johan.Petersson at sscspace.com]
Sent: Thursday, December 20, 2012 19:03
To: Sigbjorn Lie
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?

Hi,

Thank you for the tip about NFSMAPID_DOMAIN. It was not set properly:

sharectl get nfs
nfsmapid_domain=

And by using:

sharectl set -p nfsmapid_domain=servername nfs

it was properly set. I must add that I prefer editing files instead of sharectl, svccfg and so on. :)

I also made an auto.home map in IPA Server to set the home directory automounts right.

And I almost forgot: my Solaris version is 11 11/11.

Regards,
Johan.
________________________________________
From: Sigbjorn Lie [sigbjorn at nixtra.com]
Sent: Thursday, December 20, 2012 15:20
To: Johan Petersson
Cc: freeipa-users at redhat.com
Subject: RE: [Freeipa-users] Does Solaris 11 work as client to IPA server?

Thanks.

I'm guessing it's taking such a long time because it's looking through the entire LDAP server for your automount maps. The automountmap rules in the DUA profile will help with that. You'll also run into issues if you attempt to have several automount locations without having specified which one to use with an automountmap rule for auto master.

If you are using NFS4 you should add the _nfsv4idmapdomain DNS TXT record to your DNS or set NFSMAPID_DOMAIN in /etc/default/nfs to the same value as the domain id used on your NFS server to get rid of the nobody:nobody default mapping and enable mapping between the NFS server and the client.

Regards,
Siggi

On Thu, December 20, 2012 13:40, Johan Petersson wrote:
> Hi,
>
> Here is my pam.conf cleaned up a bit.
>
> login         auth requisite          pam_authtok_get.so.1
> login         auth required           pam_dhkeys.so.1
> login         auth sufficient         pam_krb5.so.1 try_first_pass
> login         auth required           pam_unix_cred.so.1
> login         auth required           pam_unix_auth.so.1
> login         auth required           pam_dial_auth.so.1
>
> gdm-autologin auth required           pam_unix_cred.so.1
> gdm-autologin auth sufficient         pam_allow.so.1
>
> other         auth requisite          pam_authtok_get.so.1
> other         auth required           pam_dhkeys.so.1
> other         auth required           pam_unix_cred.so.1
> other         auth sufficient         pam_krb5.so.1
> other         auth required           pam_unix_auth.so.1
>
> passwd        auth required           pam_passwd_auth.so.1
>
> gdm-autologin account sufficient      pam_allow.so.1
>
> other         account requisite       pam_roles.so.1
> other         account required        pam_unix_account.so.1
> other         account required        pam_krb5.so.1
>
> other         session required        pam_unix_session.so.1
>
> other         password required       pam_dhkeys.so.1
> other         password requisite      pam_authtok_get.so.1
> other         password requisite      pam_authtok_check.so.1 force_check
> other         password sufficient     pam_krb5.so.1
> other         password required       pam_authtok_store.so.1
>
> I am getting one error and it is for autofs.
>
> /var/adm/messages:
> Dec 20 12:56:58 servername automount[1651]: [ID 754625 daemon.error] Object not found
>
> /var/svc/log/system.filesystem-autofs:default.log:
> [ Dec 20 12:24:22 Executing start method ("/lib/svc/method/svc-autofs start"). ]
> automount: /net mounted
> automount: /nfs4 mounted
> automount: no unmounts
> [ Dec 20 12:24:22 Method "start" exited with status 0. ]
>
> ldapclient list
> NS_LDAP_FILE_VERSION= 2.0
> NS_LDAP_SERVERS= servername
> NS_LDAP_SEARCH_BASEDN= dc=home
> NS_LDAP_AUTH= none
> NS_LDAP_SEARCH_REF= TRUE
> NS_LDAP_SEARCH_TIME= 15
> NS_LDAP_PROFILE= default
> NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=accounts,dc=home
> NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=compat,dc=home
> NS_LDAP_BIND_TIME= 5
> NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=posixAccount
>
> Thinking it has to do with the missing automountmap in the default DUAProfile.
> Automount still works though, but takes time during login and everything is nobody:nobody :)
>
> ________________________________________
> From: Sigbjorn Lie [sigbjorn at nixtra.com]
> Sent: Thursday, December 20, 2012 10:13
> To: Johan Petersson
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?
>
> Hi,
>
> This is interesting. When I tested Solaris 11, ssh worked, and su - testuser worked. However,
> console login did not work, giving some PAM errors.
>
> Could you please share your entire pam.conf file?
>
> Is this Solaris 11 or Solaris 11.1?
>
> Regards,
> Siggi
>
> On Thu, December 20, 2012 09:40, Johan Petersson wrote:
>> I have now managed to use a Solaris 11 system as a client to IPA Server.
>> su - testuser works, ssh works and console login works. I get a delay before getting the prompt
>> through ssh though, and maybe from console too, probably something about autofs. Going to see if
>> I can increase log information (Solaris newbie). To get it to work I mainly followed Sigbjorn Lie's
>> instructions for Solaris 10 in earlier posts here. I also used the /etc/pam.conf configuration
>> example from the Solaris 10 client guide on FreeIPA. I stuck with the default DUAProfile for
>> now and use an NFS4 Kerberos share for home directories with autofs. Going to try the other
>> DUAProfile too from Bug 815515 and hopefully I can get everything working.
From cao2dan at yahoo.com Fri Dec 21 01:06:28 2012
From: cao2dan at yahoo.com (David Copperfield)
Date: Thu, 20 Dec 2012 17:06:28 -0800 (PST)
Subject: [Freeipa-users] freeIPA 3.1.0 for Redhat Enterprise 6.3?
In-Reply-To: <558C15177F5E714F83334217C9A197DF5DB8231A@SSC-MBX2.ssc.internal>
References: <558C15177F5E714F83334217C9A197DF5DB4175B@SSC-MBX2.ssc.internal> <20801.213.225.75.97.1355821569.squirrel@www.nixtra.com> <50D09ED3.3030102@redhat.com> <558C15177F5E714F83334217C9A197DF5DB82294@SSC-MBX2.ssc.internal> <51748.188.244.64.7.1355994836.squirrel@www.nixtra.com> <558C15177F5E714F83334217C9A197DF5DB822D5@SSC-MBX2.ssc.internal> <55800.188.244.64.7.1356013244.squirrel@www.nixtra.com> <558C15177F5E714F83334217C9A197DF5DB8231A@SSC-MBX2.ssc.internal>
Message-ID: <1356051988.92255.YahooMailNeo@web122605.mail.ne1.yahoo.com>

Hi Rob and all,

Can FreeIPA be compiled and installed on Redhat Enterprise 6.3? Or do I have to upgrade/install some underlying packages first? Thanks.

--David
From james.findley at gmx.com Fri Dec 21 11:30:33 2012
From: james.findley at gmx.com (James Findley)
Date: Fri, 21 Dec 2012 12:30:33 +0100
Subject: [Freeipa-users] AD permissions needed for setting up AD trusts
Message-ID: <20121221113033.41120@gmx.com>

Hi

What permission level is needed for the AD user when creating an AD trust? Can a regular domain user account do it, or is a domain admin needed?

If write access to the AD server is needed, then could someone please tell me what the command will actually change in the AD server? The Windows team at my place of work will want to know exactly what the tool will do before they grant permission.

Thanks

From npmarks at gmail.com Fri Dec 21 11:36:13 2012
From: npmarks at gmail.com (Nate Marks)
Date: Fri, 21 Dec 2012 06:36:13 -0500
Subject: [Freeipa-users] user sync works, passsync eludes me
Message-ID:

Here's what the log says:

LDAP bind error in connect 81: Can't contact LDAP server
Can not connect to ldap server in SyncPasswords

I keep changing the passsync config values by re-running the msi with the modify option. I'm not sure if that's the way to do this, but my current options are:

hostname: IPA server FQDN. It seems to resolve fine
port number: 636
username: (I checked this in LDAP) uid=passsync,cn=sysaccounts,cn=etc,dc=,dc=
password: matches the one set in the ipa-replica-manage connect --passsync option
certtoken: string copied from the IPA server (/etc/dirsrv/slapd-/pwdfile.txt)
search base: same as the win-subtree value

So close, but stuck. Thanks in advance for any help!

nate
From sbose at redhat.com Fri Dec 21 12:19:28 2012
From: sbose at redhat.com (Sumit Bose)
Date: Fri, 21 Dec 2012 13:19:28 +0100
Subject: [Freeipa-users] AD permissions needed for setting up AD trusts
In-Reply-To: <20121221113033.41120@gmx.com>
References: <20121221113033.41120@gmx.com>
Message-ID: <20121221121928.GB22856@localhost.localdomain>

On Fri, Dec 21, 2012 at 12:30:33PM +0100, James Findley wrote:
> Hi
>
> What permission level is needed for the AD user when creating an AD trust? Can a regular domain user account do it, or is a domain admin needed?

The account used here must be a member of the Domain Admins group.

> If write access to the AD server is needed, then could someone please tell me what the command will actually change in the AD server?

'ipa trust-add' will only use LSA calls on the AD server. The most important one is CreateTrustedDomainEx2 (http://msdn.microsoft.com/en-us/library/cc234380.aspx) to create the trust between the two domains. Additionally, QueryTrustedDomainInfoByName (http://msdn.microsoft.com/en-us/library/cc234376.aspx) is used to check if the trust is already added, and SetInformationTrustedDomain (http://msdn.microsoft.com/en-us/library/cc234385.aspx) to tell the AD server that the IPA server can handle AES encryption.

HTH

bye,
Sumit

> The Windows team at my place of work will want to know exactly what the tool will do before they grant permission.
>
> Thanks

From mkosek at redhat.com Fri Dec 21 12:22:16 2012
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 21 Dec 2012 13:22:16 +0100
Subject: [Freeipa-users] sudo made a bit easier to configure
In-Reply-To:
References:
Message-ID: <50D45478.6010906@redhat.com>

On 12/20/2012 04:43 PM, Han Boetes wrote:
> Hi,
>
> I discovered that using this recipe makes setting up sudo-ldap very simple.
> Even when anonymous binds are disabled.
>
> TLS_CACERT /etc/ipa/ca.crt
> TLS_REQCERT demand
> SASL_MECH GSSAPI
> BASE dc=domain,dc=com
> URI ldap://auth-ipa.domain.com
> ROOTUSE_SASL on
> SUDOERS_BASE ou=SUDOers,dc=domain,dc=com
> SUDOERS_DEBUG 2
>
> Of course you can set DEBUG to 0 once everything works.
>
> I'd like to share this since the docs on the freeipa site on how to set up sudo
> were quite a bit more complicated.
>
> # Han

Hello Han,

Thanks! I will forward this example to our doc guys to see if we can make the sudo client configuration example easier to follow.

Martin

From arthur at deus.pro Fri Dec 21 12:07:12 2012
From: arthur at deus.pro (Артур Файзуллин)
Date: Fri, 21 Dec 2012 18:07:12 +0600
Subject: [Freeipa-users] backup create restore
Message-ID: <1356091632.2026.9.camel@arthur.bashnl.ru>

Hi!

What about adding this functionality to IPA-server:

create backup
# ipa backup-create --create --output-file=pathtofile

restore from backup
# ipa-server-install --restore-from-backup=pathtofile

I think this feature will be very useful :)

From mkosek at redhat.com Fri Dec 21 12:31:07 2012
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 21 Dec 2012 13:31:07 +0100
Subject: [Freeipa-users] backup create restore
In-Reply-To: <1356091632.2026.9.camel@arthur.bashnl.ru>
References: <1356091632.2026.9.camel@arthur.bashnl.ru>
Message-ID: <50D4568B.5090104@redhat.com>

On 12/21/2012 01:07 PM, Артур Файзуллин wrote:
> Hi!
> What about adding this functionality to IPA-server:
>
> create backup
> # ipa backup-create --create --output-file=pathtofile
>
> restore from backup
> # ipa-server-install --restore-from-backup=pathtofile
>
> I think this feature will be very useful :)

Hello Артур,

We already have a ticket for this feature (you are right, it would be useful):

https://fedorahosted.org/freeipa/ticket/3128

You can add yourself to the CC list to see the progress and to get an echo when the ticket is finished.
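Han's sudo-ldap recipe and Martin's reply above are about how much the sudo client trusts its LDAP source: a pinned CA, TLS_REQCERT demand, a GSSAPI bind instead of a stored password, and debug output left on only until things work. As an added example (not code from the thread, FreeIPA or sudo), the lint below parses such a file and flags the weak settings; the contrasting weak variant, its bind DN and its password are constructed, and the ROOTUSE_SASL/USE_SASL check follows my reading of sudoers.ldap(5).

```python
"""Lint a sudo-ldap client configuration (sudoers.ldap(5) keywords).

Added example, not code from the thread, FreeIPA or sudo. It checks the
settings in Han's recipe that decide whether sudo's LDAP lookups can be
tampered with: CA pinning, server certificate verification, Kerberos
(GSSAPI) instead of a stored bind password, and the debug level.
"""

# Han's recipe exactly as posted (the domain names are his placeholders).
RECIPE = """
TLS_CACERT /etc/ipa/ca.crt
TLS_REQCERT demand
SASL_MECH GSSAPI
BASE dc=domain,dc=com
URI ldap://auth-ipa.domain.com
ROOTUSE_SASL on
SUDOERS_BASE ou=SUDOers,dc=domain,dc=com
SUDOERS_DEBUG 2
"""

# Constructed weak variant for contrast: no CA pinning, certificate checks
# switched off, a stored password over a plain ldap:// URI, debug left on.
WEAK = """
TLS_REQCERT never
BASE dc=domain,dc=com
URI ldap://auth-ipa.domain.com
BINDDN uid=sudo,cn=sysaccounts,cn=etc,dc=domain,dc=com
BINDPW constructed-secret
SUDOERS_BASE ou=SUDOers,dc=domain,dc=com
SUDOERS_DEBUG 2
"""


def parse_ldap_conf(text):
    """Parse 'KEYWORD value' lines into a dict; keywords are case-insensitive."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def lint_sudo_ldap(conf):
    """Return a list of (code, message) findings, most severe first."""
    findings = []
    reqcert = conf.get("TLS_REQCERT", "").lower()
    if reqcert not in ("demand", "hard"):
        findings.append(("tls-reqcert",
                         f"TLS_REQCERT is {reqcert or 'unset'}; use 'demand' so a "
                         "server presenting a wrong certificate is rejected"))
    if "TLS_CACERT" not in conf:
        findings.append(("tls-cacert",
                         "no TLS_CACERT; pin the IPA CA (/etc/ipa/ca.crt)"))
    uri = conf.get("URI", "").lower()
    encrypted = uri.startswith("ldaps://") or conf.get("SSL", "").lower() in ("on", "start_tls")
    if "BINDPW" in conf and not encrypted:
        findings.append(("cleartext-bind",
                         "BINDPW over a plain ldap:// URI sends the password in clear; "
                         "use SASL_MECH GSSAPI (as in the recipe) or SSL start_tls"))
    sasl_enabled = any(conf.get(k, "").lower() in ("on", "true", "yes")
                       for k in ("ROOTUSE_SASL", "USE_SASL"))
    if conf.get("SASL_MECH", "").upper() == "GSSAPI" and not sasl_enabled:
        findings.append(("rootuse-sasl",
                         "SASL_MECH GSSAPI is set but neither ROOTUSE_SASL nor USE_SASL "
                         "is on, so the SASL bind is never enabled"))
    try:
        debug = int(conf.get("SUDOERS_DEBUG", "0"))
    except ValueError:
        debug = 0
    if debug > 0:
        findings.append(("debug",
                         f"SUDOERS_DEBUG {debug} prints LDAP query details on stderr for "
                         "every sudo invocation; set it to 0 once everything works"))
    return findings


def finding_codes(text):
    """Codes only, for a quick comparison of two configurations."""
    return [code for code, _ in lint_sudo_ldap(parse_ldap_conf(text))]


if __name__ == "__main__":
    for name, text in (("recipe", RECIPE), ("weak", WEAK)):
        for code, message in lint_sudo_ldap(parse_ldap_conf(text)):
            print(f"{name}: [{code}] {message}")
```

Run against the recipe the only finding is the debug level Han already mentions; the constructed weak file trips the certificate and cleartext-bind checks as well.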
Martin

From mkosek at redhat.com Fri Dec 21 13:03:00 2012
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 21 Dec 2012 14:03:00 +0100
Subject: [Freeipa-users] freeIPA 3.1.0 for Redhat Enterprise 6.3?
In-Reply-To: <1356051988.92255.YahooMailNeo@web122605.mail.ne1.yahoo.com>
References: <558C15177F5E714F83334217C9A197DF5DB4175B@SSC-MBX2.ssc.internal> <20801.213.225.75.97.1355821569.squirrel@www.nixtra.com> <50D09ED3.3030102@redhat.com> <558C15177F5E714F83334217C9A197DF5DB82294@SSC-MBX2.ssc.internal> <51748.188.244.64.7.1355994836.squirrel@www.nixtra.com> <558C15177F5E714F83334217C9A197DF5DB822D5@SSC-MBX2.ssc.internal> <55800.188.244.64.7.1356013244.squirrel@www.nixtra.com> <558C15177F5E714F83334217C9A197DF5DB8231A@SSC-MBX2.ssc.internal> <1356051988.92255.YahooMailNeo@web122605.mail.ne1.yahoo.com>
Message-ID: <50D45E04.9040302@redhat.com>

Hello David,

FreeIPA 3.1 requires several major dependencies that are not available in RHEL 6.x versions; the most notable ones are PKI-CA of version 10.0 and 389-ds-base of version 1.3.0, which introduced transaction support. I think the easiest way to get version 3.1 would be to wait for the next major version of Red Hat Enterprise Linux, unless you want to compile and build this dependency chain yourself.

Martin

On 12/21/2012 02:06 AM, David Copperfield wrote:
> Hi Rob and all,
>
> Can FreeIPA be compiled and installed on Redhat Enterprise 6.3? Or do I have to
> upgrade/install some underlying packages first? Thanks.
>
> --David
> >> > >> > >> > >>> > >>> > >>> Regards, > >>> Siggi > >>> > >>> > >>> > >>> > >>> _______________________________________________ > >>> Freeipa-users mailing list > >>> Freeipa-users at redhat.com > >>> > > > >>> https://www.redhat.com/mailman/listinfo/freeipa-users > >>> > >>> > >> > >> > >> -- > >> Thank you, > >> Dmitri Pal > >> > >> > >> > >> Sr. Engineering Manager for IdM portfolio > >> Red Hat Inc. > >> > >> > >> > >> > >> ------------------------------- > >> Looking to carve out IT costs? > >> www.redhat.com/carveoutcosts/ > >> > >> > >> > >> _______________________________________________ > >> Freeipa-users mailing list > >> Freeipa-users at redhat.com > >> https://www.redhat.com/mailman/listinfo/freeipa-users > >> > >> > >> > >> _______________________________________________ > >> Freeipa-users mailing list > >> Freeipa-users at redhat.com > >> https://www.redhat.com/mailman/listinfo/freeipa-users > >> > >> > >> > > > > > > > > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > > > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > From mkosek at redhat.com Fri Dec 21 13:31:48 2012 From: mkosek at redhat.com (Martin Kosek) Date: Fri, 21 Dec 2012 14:31:48 +0100 Subject: [Freeipa-users] two questions on IPA usage In-Reply-To: <1355960045.98502.YahooMailNeo@web122601.mail.ne1.yahoo.com> References: <50D1B35F.30403@themacartneyclan.com> <1355923257.2894.24.camel@willson.li.ssimo.org> <50D1C1DC.7050609@themacartneyclan.com> <1355925844.2894.29.camel@willson.li.ssimo.org> <50D1CF60.5070701@redhat.com> <1355955094.13973.YahooMailNeo@web122601.mail.ne1.yahoo.com> <1355960045.98502.YahooMailNeo@web122601.mail.ne1.yahoo.com> Message-ID: <50D464C4.7040403@redhat.com> On 12/20/2012 12:34 AM, David Copperfield wrote: > Hi Howdy, > > 
> Two questions on IPA usage are listed below. Please help.
>
> 1, How to reset a normal IPA user's password through the web interface when
> the password is expired?
>
> When the normal user's password is close to expiration but still not
> expired, he/she can change it by him/herself through the web interface
> https://ipaserver/. Otherwise he/she has to do ssh/kinit to update his/her
> password. But the problem is: quite some users are non tech-savvy --
> managers, marketing, sales -- and they have no idea of Linux or Kerberos;
> what they can do is access a web interface and fill in HTML forms.

Hello David,

This feature was introduced in FreeIPA 3.0, you can see the relevant ticket:
https://fedorahosted.org/freeipa/ticket/2755

When your IPA server is upgraded to this version (it will be part of the next
RHEL 6 minor version release), Web UI users with an expired password will be
automatically offered a form to reset it.

>
> 2, When will the freeIPA 3.0 and 3.1 series RPMs be available on Redhat 6?
> Does IPA version 3.0/3.1 have backup/restore solutions, and merged CA LDAP
> instance and IPA LDAP instance?

Merged CA/LDAP instance is available in FreeIPA 3.1 which is not available in
RHEL-6. As for the Backup&Restore solution, a FreeIPA provided solution is not
ready yet, but we have a ticket filed and planned already. You can take a look
here:

https://fedorahosted.org/freeipa/ticket/3128

HTH,
Martin

>
> Presently the IPA version on redhat 6.3 is 2.2.0, I can wait if IPA 3.0 or
> 3.1 will come out soon for redhat 6 and have the cool features.
>
> Thanks a lot.
>
> --Guolin
>

From mkosek at redhat.com Fri Dec 21 13:36:38 2012
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 21 Dec 2012 14:36:38 +0100
Subject: [Freeipa-users] IPA 2.2.0-16 still needs CLEANRUV and CLEANALLRUV
In-Reply-To: <1355955848.21219.YahooMailNeo@web122603.mail.ne1.yahoo.com>
References: <50D1B35F.30403@themacartneyclan.com> <1355923257.2894.24.camel@willson.li.ssimo.org> <50D1C1DC.7050609@themacartneyclan.com> <1355925844.2894.29.camel@willson.li.ssimo.org> <1355955848.21219.YahooMailNeo@web122603.mail.ne1.yahoo.com>
Message-ID: <50D465E6.4040607@redhat.com>

On 12/19/2012 11:24 PM, David Copperfield wrote:
> Hi howdy,
>
> This is trying to confirm whether we still need to perform the steps of
> cleaning RUV records, when a freeIPA master, or a replica is removed. Months
> back it was rumored that some work was being done on the underlying 389 LDAP
> and the RUV cleaning steps would be obsoleted when IPA Master&replica servers
> were removed, or removed and added back. The RUV stuff could be found at
> http://directory.fedoraproject.org/wiki/Howto:CLEANRUV.
>
> Someone familiar with this topic please elaborate/confirm. Thanks a lot.
>
> --David
>

Hello David,

automatic clean up of RUV records is available from FreeIPA 3.0. You can see
the relevant ticket:
https://fedorahosted.org/freeipa/ticket/2303

With FreeIPA 3.0, the CLEANALLRUV task is automatically run when a replica is
being deleted. The task will clean all relevant RUV records on all FreeIPA
replicas. In FreeIPA 2.2.x and earlier, a manual RUV clean up procedure is
needed (as described in the 389 DS wiki page) to clean deprecated RUV data.
HTH,
Martin

From hboetes at gmail.com Fri Dec 21 13:44:39 2012
From: hboetes at gmail.com (Han Boetes)
Date: Fri, 21 Dec 2012 14:44:39 +0100
Subject: [Freeipa-users] login with kerberos on a webserver, just like with the ipa interface.
In-Reply-To: <1356021186.2894.83.camel@willson.li.ssimo.org>
References: <1356021186.2894.83.camel@willson.li.ssimo.org>
Message-ID:

Sorry I couldn't reply earlier, somehow I don't receive my own messages.

I had set chrome to --auth-server-whitelist=ipa-server.domain.com, and not
--auth-server-whitelist=*domain.com

On Thu, Dec 20, 2012 at 5:33 PM, Simo Sorce wrote:
> On Thu, 2012-12-20 at 16:38 +0100, Han Boetes wrote:
> > Hi,
> >
> > I followed http://freeipa.org/page/Apache_SNI_With_Kerberos to enable
> > login in to a webserver with kerberos tickets. I followed everything
> > to the letter and all looks well.
> >
> > I can log in with a username and password, but when I set the
> > httpd.conf entry to
> >
> > KrbMethodK5Passwd off
> >
> > I can't log in. What works great with the ipa admin interface does not
> > work with this recipe.
> >
> > I even compared it to /etc/httpd/conf.d/ipa.conf and added the
> > KrbAuthRealms setting but to no avail.
> >
> > Adding KrbConstrainedDelegation on does not work, alas. Although I am
> > using centos 6.3
> >
> > I checked the http logfiles and the /var/log/krb5kdc.log, everything
> > else on that host works fine. I can log in without a password and sudo
> > -s works like it should.
> >
> > Please help me debugging this issue. What am I missing?
>
> Are you using the same fully qualified name you have a keytab for ?
> Do you see a ticket for the target server in the user ccache on the
> client ?
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>

--
# Han
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From npmarks at gmail.com Fri Dec 21 14:41:19 2012
From: npmarks at gmail.com (Nate Marks)
Date: Fri, 21 Dec 2012 09:41:19 -0500
Subject: [Freeipa-users] Fwd: user sync works, passsync eludes me
In-Reply-To:
References:
Message-ID:

Nevermind. I was mucking up the certificate. Got it fixed.

---------- Forwarded message ----------
From: Nate Marks
Date: Fri, Dec 21, 2012 at 6:36 AM
Subject: user sync works, passsync eludes me
To: freeipa-users at redhat.com

Here's what the log says:

LDAP bind error in connect 81: Can't contact LDAP server
Can not connect to ldap server in SyncPasswords

I keep changing the passsync config values by re-running the msi with the
modify option. I'm not sure if that's the way to do this, but my current
options are:

hostname: IPA server FQDN. It seems to resolve fine
port number: 636
username: (I checked this in ldap) uid=passsync,cn=sysaccounts,cn=etc,dc=,dc=
password: matches the one set in the ipa-replica-manage connect --passsync option
certtoken: string copied from the IPA server (/etc/dirsrv/slapd-/pwdfile.txt)
search base: same as the win-subtree value

So close, but stuck. Thanks in advance for any help!

nate

From npmarks at gmail.com Fri Dec 21 14:47:04 2012
From: npmarks at gmail.com (Nate Marks)
Date: Fri, 21 Dec 2012 09:47:04 -0500
Subject: [Freeipa-users] passync LDAP error in queryusername
Message-ID:

32: no such object
deferring password change for newinclude

I'm baffled. I think I made the search base exactly the same as the DN I
found in LDP. Capitalized "OU" and DC. No spaces.

The ad dn for the search base is
'OU=syncinclude,OU=syncroot,DC=testdomain,DC=corp'

It detected the password change for
'CN=newinclude,OU=syncinclude,OU=syncroot,DC=testdomain,DC=corp'

Any tips
From bret.wortman at damascusgrp.com Fri Dec 21 15:35:47 2012
From: bret.wortman at damascusgrp.com (Bret Wortman)
Date: Fri, 21 Dec 2012 10:35:47 -0500
Subject: [Freeipa-users] Kerberos and Cisco
Message-ID:

My network guy wants to use our FreeIPA server to authenticate users on
Cisco devices, but when we tried to import the keytab, it balked on every
one of the keys.

Has anyone done this? Any pointers if so?

Thanks, and happy holidays!

--
Bret Wortman
The Damascus Group
Fairfax, VA
http://bretwortman.com/
http://twitter.com/BretWortman

From npmarks at gmail.com Fri Dec 21 15:54:00 2012
From: npmarks at gmail.com (Nate Marks)
Date: Fri, 21 Dec 2012 10:54:00 -0500
Subject: [Freeipa-users] Fwd: passync LDAP error in queryusername
In-Reply-To:
References:
Message-ID:

I solved this and I'll share my ignorance just in case it helps someone
else: It wasn't clear to me that passsync needed the search base on the IPA
server rather than the search base for the ad server. *facepalm*

---------- Forwarded message ----------
From: Nate Marks
Date: Fri, Dec 21, 2012 at 9:47 AM
Subject: passync LDAP error in queryusername
To: freeipa-users at redhat.com

32: no such object
deferring password change for newinclude

I'm baffled. I think I made the search base exactly the same as the DN I
found in LDP. Capitalized "OU" and DC. No spaces.

The ad dn for the search base is
'OU=syncinclude,OU=syncroot,DC=testdomain,DC=corp'

It detected the password change for
'CN=newinclude,OU=syncinclude,OU=syncroot,DC=testdomain,DC=corp'

Any tips
From qchang at sri.utoronto.ca Fri Dec 21 16:33:56 2012
From: qchang at sri.utoronto.ca (Qing Chang)
Date: Fri, 21 Dec 2012 11:33:56 -0500
Subject: [Freeipa-users] disable user account in batch mode in IPA
In-Reply-To:
References: <509160E6.4070304@redhat.com>
Message-ID: <50D48F74.1090003@sri.utoronto.ca>

I hope google did not skip me when searching for an answer.

I'd like to disable inactive accounts migrated from OpenLDAP; so far I can
only do it per web UI. Because I have hundreds of accounts to disable, I
would really appreciate it if someone can provide a command line for me.

I actually tried to figure out what attribute corresponds to "disabled" but
could not see it in the ldapsearch output, for example:

ldapsearch -LL -x -D 'cn=Directory Manager' -W -b 'dc=sri,dc=utoronto,dc=ca' '(uid=shassan)'

Thank you.
Qing

From natxo.asenjo at gmail.com Fri Dec 21 17:42:40 2012
From: natxo.asenjo at gmail.com (Natxo Asenjo)
Date: Fri, 21 Dec 2012 18:42:40 +0100
Subject: [Freeipa-users] sudo made a bit easier to configure
In-Reply-To:
References:
Message-ID:

On Thu, Dec 20, 2012 at 4:43 PM, Han Boetes wrote:
> Hi,
>
> I discovered that using this recipe makes setting up sudo-ldap very simple.
> Even when anonymous binds are disabled.

Thanks! I have not yet used sudo with IPA, but it sure is in the pipeline
and this comes in handy ;-)

> URI ldap://auth-ipa.domain.com

Can this be a srv record? Cannot test it right now but this would of course
be the most ideal situation.

--
groet,
natxo

From jhrozek at redhat.com Fri Dec 21 18:10:12 2012
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Fri, 21 Dec 2012 19:10:12 +0100
Subject: [Freeipa-users] sudo made a bit easier to configure
In-Reply-To:
References:
Message-ID: <20121221181012.GE8214@hendrix.redhat.com>

On Fri, Dec 21, 2012 at 06:42:40PM +0100, Natxo Asenjo wrote:
> On Thu, Dec 20, 2012 at 4:43 PM, Han Boetes wrote:
> > Hi,
> >
> > I discovered that using this recipe makes setting up sudo-ldap very simple.
> > Even when anonymous binds are disabled.
>
> Thanks! I have not yet used sudo with IPA, but it sure is in the
> pipeline and this comes in handy ;-)
>
> > URI ldap://auth-ipa.domain.com
>
> Can this be a srv record? Cannot test it right now but this would of
> course be the most ideal situation.

I haven't tried this myself, but maybe something like:

URI ldap://dc=example,dc=com

might work. If not, I'm pretty sure SRV records would just work if you
leverage the integration with the SSSD :-)

From simo at redhat.com Fri Dec 21 19:41:47 2012
From: simo at redhat.com (Simo Sorce)
Date: Fri, 21 Dec 2012 14:41:47 -0500
Subject: [Freeipa-users] Kerberos and Cisco
In-Reply-To:
References:
Message-ID: <1356118907.2894.108.camel@willson.li.ssimo.org>

On Fri, 2012-12-21 at 10:35 -0500, Bret Wortman wrote:
> My network guy wants to use our FreeIPA server to authenticate users
> on Cisco devices, but when we tried to import the keytab, it balked on
> every one of the keys.
>
> Has anyone done this? Any pointers if so?
>

Can you provide info on which Cisco device ?
Pointer on their docs, and exact errors you received ?

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From simo at redhat.com Fri Dec 21 19:43:20 2012
From: simo at redhat.com (Simo Sorce)
Date: Fri, 21 Dec 2012 14:43:20 -0500
Subject: [Freeipa-users] disable user account in batch mode in IPA
In-Reply-To: <50D48F74.1090003@sri.utoronto.ca>
References: <509160E6.4070304@redhat.com> <50D48F74.1090003@sri.utoronto.ca>
Message-ID: <1356119000.2894.109.camel@willson.li.ssimo.org>

On Fri, 2012-12-21 at 11:33 -0500, Qing Chang wrote:
> I hope google did not skip me when searching for an answer.
>
> I'd like to disable inactive accounts migrated from OpenLDAP; so far
> I can only do it per web UI. Because I have hundreds of accounts to
> disable, I would really appreciate it if someone can provide a command
> line for me.
ipa user-disable shassan

> I actually tried to figure out what attribute corresponds to "disabled"
> but could not see it in the ldapsearch output, for example:
>
> ldapsearch -LL -x -D 'cn=Directory Manager' -W -b 'dc=sri,dc=utoronto,dc=ca' '(uid=shassan)'

You have to explicitly request the 'nsAccountLock' attribute.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From dpal at redhat.com Fri Dec 21 22:26:45 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 21 Dec 2012 17:26:45 -0500
Subject: [Freeipa-users] two questions on IPA usage
In-Reply-To: <50D464C4.7040403@redhat.com>
References: <50D1B35F.30403@themacartneyclan.com> <1355923257.2894.24.camel@willson.li.ssimo.org> <50D1C1DC.7050609@themacartneyclan.com> <1355925844.2894.29.camel@willson.li.ssimo.org> <50D1CF60.5070701@redhat.com> <1355955094.13973.YahooMailNeo@web122601.mail.ne1.yahoo.com> <1355960045.98502.YahooMailNeo@web122601.mail.ne1.yahoo.com> <50D464C4.7040403@redhat.com>
Message-ID: <50D4E225.3020105@redhat.com>

On 12/21/2012 08:31 AM, Martin Kosek wrote:
> On 12/20/2012 12:34 AM, David Copperfield wrote:
>> Hi Howdy,
>>
>> Two questions on IPA usage are listed below. Please help.
>>
>> 1, How to reset a normal IPA user's password through the web interface
>> when the password is expired?
>>
>> When the normal user's password is close to expiration but still not
>> expired, he/she can change it by him/herself through the web interface
>> https://ipaserver/. Otherwise he/she has to do ssh/kinit to update
>> his/her password. But the problem is: quite some users are non
>> tech-savvy -- managers, marketing, sales -- and they have no idea of
>> Linux or Kerberos; what they can do is access a web interface and fill
>> in HTML forms.
>
> Hello David,
>
> This feature was introduced in FreeIPA 3.0, you can see the relevant
> ticket:
> https://fedorahosted.org/freeipa/ticket/2755
>
> When your IPA server is upgraded to this version (it will be part of the
> next RHEL 6 minor version release), Web UI users with an expired password
> will be automatically offered a form to reset it.
>
>>
>> 2, When will the freeIPA 3.0 and 3.1 series RPMs be available on
>> Redhat 6?
>> Does IPA version 3.0/3.1 have backup/restore solutions, and merged CA
>> LDAP instance and IPA LDAP instance?
>
> Merged CA/LDAP instance is available in FreeIPA 3.1 which is not
> available in RHEL-6. As for the Backup&Restore solution, a FreeIPA
> provided solution is not ready yet, but we have a ticket filed and
> planned already. You can take a look here:
>
> https://fedorahosted.org/freeipa/ticket/3128

To elaborate a bit.

1) backup and restore

This is a loaded topic. There are two major use cases that are confused.
One is business continuity driven and another is data corruption driven.

For the business continuity case here are our current recommendations, and
I do not think there is anything else needed.

a) Run a sufficient number of replicas in different data centers.
b) Back up the whole image of one of the replicas that has all the
   components you use periodically, so that if you have to start over you
   have an image to use and to create other replicas from. In case of
   disaster the procedure would be: boot this image, create other replicas
   from it and install following normal procedures. You are back up and
   running within minutes.
c) For easier snapshotting it might make sense to run a replica in a VM so
   you can easily make a copy of it.

The recommendation above is pretty sufficient for the business continuity
case. It is not, however, for the data corruption case.
The ticket mentioned will be focusing on the data corruption case (when data
is removed or the DB gets corrupted and needs to be restored) and we have
plans to look into this use case in the upcoming year.

2) Merged DB is 3.1 and will be supported in RHEL7

>
> HTH,
> Martin
>
>>
>> Presently the IPA version on redhat 6.3 is 2.2.0, I can wait if
>> IPA 3.0 or 3.1 will come out soon for redhat 6 and have the cool
>> features.
>>
>> Thanks a lot.
>>
>> --Guolin
>>

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From dpal at redhat.com Fri Dec 21 22:31:05 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 21 Dec 2012 17:31:05 -0500
Subject: [Freeipa-users] Fwd: passync LDAP error in queryusername
In-Reply-To:
References:
Message-ID: <50D4E329.70904@redhat.com>

On 12/21/2012 10:54 AM, Nate Marks wrote:
> I solved this and I'll share my ignorance just in case it helps
> someone else: It wasn't clear to me that passsync needed the search
> base on the IPA server rather than the search base for the ad server.
> *facepalm*
>

Maybe we can make the docs clear. Can you point to the place that confused
you?

> ---------- Forwarded message ----------
> From: *Nate Marks*
> Date: Fri, Dec 21, 2012 at 9:47 AM
> Subject: passync LDAP error in queryusername
> To: freeipa-users at redhat.com
>
> 32: no such object
> deferring password change for newinclude
>
> I'm baffled. I think I made the search base exactly the same as the
> DN I found in LDP. Capitalized "OU" and DC. No spaces.
>
> The ad dn for the search base is
> 'OU=syncinclude,OU=syncroot,DC=testdomain,DC=corp'
>
> It detected the password change for
> 'CN=newinclude,OU=syncinclude,OU=syncroot,DC=testdomain,DC=corp'
>
> Any tips
>

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From dpal at redhat.com Fri Dec 21 22:37:13 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 21 Dec 2012 17:37:13 -0500
Subject: [Freeipa-users] Does Solaris 11 work as client to IPA server?
In-Reply-To: <558C15177F5E714F83334217C9A197DF5DB8234C@SSC-MBX2.ssc.internal>
References: <558C15177F5E714F83334217C9A197DF5DB4175B@SSC-MBX2.ssc.internal> <20801.213.225.75.97.1355821569.squirrel@www.nixtra.com>, <50D09ED3.3030102@redhat.com> <558C15177F5E714F83334217C9A197DF5DB82294@SSC-MBX2.ssc.internal>, <51748.188.244.64.7.1355994836.squirrel@www.nixtra.com> <558C15177F5E714F83334217C9A197DF5DB822D5@SSC-MBX2.ssc.internal>, <55800.188.244.64.7.1356013244.squirrel@www.nixtra.com>, <558C15177F5E714F83334217C9A197DF5DB8231A@SSC-MBX2.ssc.internal> <558C15177F5E714F83334217C9A197DF5DB8234C@SSC-MBX2.ssc.internal>
Message-ID: <50D4E499.1060904@redhat.com>

On 12/20/2012 07:13 PM, Johan Petersson wrote:
> Hi,
>
> Was your example of a new DUAProfile ever added to Fedora or RHEL?
> If so I can't find any reference to it or a fix of the documentation. If
> not, is there a way to add it myself for my configuration?
> There is always the manual way otherwise I guess.
> Are Red Hat going to support RHEL clients only in IPA Server?

Red Hat has a clear support statement on the matter.
https://access.redhat.com/knowledge/articles/261973

> We will have several Linux flavours, Solaris, Windows 7/8 + Server 2012 and
> Mac OS X so the answer to that question is kind of interesting. :)
> Regards,
> Johan
> ________________________________________
> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Johan Petersson [Johan.Petersson at sscspace.com]
> Sent: Thursday, December 20, 2012 19:03
> To: Sigbjorn Lie
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?
>
> Hi,
>
> Thank you for the tip about NFSMAPID_DOMAIN
>
> It was not set properly.
> sharectl get nfs
>
> nfsmapid_domain=
>
> And by using:
> sharectl set -p nfsmapid_domain=servername nfs
>
> It was properly set.
> I must add that I prefer editing files instead of sharectl, svccfg and so on. :)
>
> I also made an auto.home map in IPA Server to set the homedirectory
> automounts right.
>
> And I almost forgot, my Solaris version is 11 11/11.
>
> Regards,
> Johan.
> ________________________________________
> From: Sigbjorn Lie [sigbjorn at nixtra.com]
> Sent: Thursday, December 20, 2012 15:20
> To: Johan Petersson
> Cc: freeipa-users at redhat.com
> Subject: RE: [Freeipa-users] Does Solaris 11 work as client to IPA server?
>
> Thanks.
>
> I'm guessing it's taking such a long time because it's looking through the
> entire LDAP server for your automount maps. The automountmap rules in the
> DUA profile will help with that. You'll also run into issues if you attempt
> to have several automount locations without having specified which one to
> use with an automountmap rule for auto master.
>
> If you are using NFS4 you should add the _nfsv4idmapdomain dns TXT record
> to your DNS or set NFSMAPID_DOMAIN in /etc/default/nfs to the same value as
> the domain id used on your NFS server to get rid of the nobody:nobody
> default mapping and enable mapping between the NFS server and the client.
>
> Regards,
> Siggi
>
> On Thu, December 20, 2012 13:40, Johan Petersson wrote:
>> Hi,
>>
>> Here is my pam.conf cleaned up a bit.
>>
>> login auth requisite pam_authtok_get.so.1
>> login auth required pam_dhkeys.so.1
>> login auth sufficient pam_krb5.so.1 try_first_pass
>> login auth required pam_unix_cred.so.1
>> login auth required pam_unix_auth.so.1
>> login auth required pam_dial_auth.so.1
>>
>> gdm-autologin auth required pam_unix_cred.so.1
>> gdm-autologin auth sufficient pam_allow.so.1
>>
>> other auth requisite pam_authtok_get.so.1
>> other auth required pam_dhkeys.so.1
>> other auth required pam_unix_cred.so.1
>> other auth sufficient pam_krb5.so.1
>> other auth required pam_unix_auth.so.1
>>
>> passwd auth required pam_passwd_auth.so.1
>>
>> gdm-autologin account sufficient pam_allow.so.1
>>
>> other account requisite pam_roles.so.1
>> other account required pam_unix_account.so.1
>> other account required pam_krb5.so.1
>>
>> other session required pam_unix_session.so.1
>>
>> other password required pam_dhkeys.so.1
>> other password requisite pam_authtok_get.so.1
>> other password requisite pam_authtok_check.so.1 force_check
>> other password sufficient pam_krb5.so.1
>> other password required pam_authtok_store.so.1
>>
>> I am getting one error and it is for autofs.
>>
>> /var/adm/messages:
>> Dec 20 12:56:58 servername automount[1651]: [ID 754625 daemon.error] Object not found
>>
>> /var/svc/log/system.filesystem-autofs:default.log:
>> [ Dec 20 12:24:22 Executing start method ("/lib/svc/method/svc-autofs start"). ]
>> automount: /net mounted
>> automount: /nfs4 mounted
>> automount: no unmounts
>> [ Dec 20 12:24:22 Method "start" exited with status 0.
>> ]
>>
>> ldapclient list
>> NS_LDAP_FILE_VERSION= 2.0
>> NS_LDAP_SERVERS= servername
>> NS_LDAP_SEARCH_BASEDN= dc=home
>> NS_LDAP_AUTH= none
>> NS_LDAP_SEARCH_REF= TRUE
>> NS_LDAP_SEARCH_TIME= 15
>> NS_LDAP_PROFILE= default
>> NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=accounts,dc=home
>> NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=compat,dc=home
>> NS_LDAP_BIND_TIME= 5
>> NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=posixAccount
>>
>> Thinking it has to do with the missing automountmap in the default
>> DUAProfile. Automount still works though but takes time during login and
>> everything is nobody:nobody :)
>>
>> ________________________________________
>> From: Sigbjorn Lie [sigbjorn at nixtra.com]
>> Sent: Thursday, December 20, 2012 10:13
>> To: Johan Petersson
>> Cc: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?
>>
>> Hi,
>>
>> This is interesting. When I tested Solaris 11, ssh worked, and su - testuser
>> worked. However console login did not work, giving some PAM errors.
>>
>> Could you please share your entire pam.conf file?
>>
>> Is this Solaris 11 or Solaris 11.1?
>>
>> Regards,
>> Siggi
>>
>> On Thu, December 20, 2012 09:40, Johan Petersson wrote:
>>
>>> I have now managed to use a Solaris 11 system as a client to IPA Server.
>>> su - testuser works, ssh works and console login works. I get a delay
>>> before getting the prompt through ssh though and maybe from console too,
>>> probably something about autofs. Going to see if I can increase log
>>> information (Solaris newbie). To get it to work I mainly followed Sigbjorn
>>> Lie's instructions for Solaris 10 in earlier posts here. I also used the
>>> /etc/pam.conf configuration example from the Solaris 10 client guide on
>>> Free IPA. I stuck with the default DUAProfile for now and use a NFS4
>>> Kerberos share for home directories with autofs.
>>> Going to try the other DUAProfile too from Bug 815515 and hopefully I can
>>> get everything working.
>>>
>>> ________________________________________
>>> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Dmitri Pal [dpal at redhat.com]
>>> Sent: Tuesday, December 18, 2012 17:50
>>> To: freeipa-users at redhat.com
>>> Subject: Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?
>>>
>>> On 12/18/2012 04:06 AM, Sigbjorn Lie wrote:
>>>
>>>> On Tue, December 18, 2012 08:28, Johan Petersson wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> We are implementing IPA Server and are going to need to be able to
>>>>> authenticate properly with a number of Solaris 11 servers. I have
>>>>> browsed the archives and found a few threads mentioning some problems
>>>>> with Solaris 11 and IPA Server. Does anyone know if the issue has
>>>>> been solved?
>>>>>
>>>> I don't think there are any problems with Solaris 11 except that nobody
>>>> has yet sat down and figured out how to configure it as an IPA client.
>>>>
>>>> I had a go at it a while ago (some of the posts you've probably found),
>>>> and found that there were enough differences in the LDAP/Kerberos client
>>>> between Solaris 10 and Solaris 11 for making it work with the setup guide
>>>> I've created for Solaris 10. And there was a need for further
>>>> investigation for finding out how to configure Solaris 11 as an IPA
>>>> client.
>>>>
>>>> I've not looked into this further as we do not use Solaris 11 yet.
>>>>
>>>> I don't know if anyone else has had time to sit down and have a crack at this?
>>>>
>>> And we would like to hear about this effort.
>>> If it produces instructions we would like to put them on the wiki.
>>> If it produces bugs we would investigate them.
>>>
>>>> Regards,
>>>> Siggi
>>>>
>>>
>>
>

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From dpal at redhat.com Fri Dec 21 22:39:06 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 21 Dec 2012 17:39:06 -0500
Subject: [Freeipa-users] Does Solaris 11 work as client to IPA server?
In-Reply-To: <558C15177F5E714F83334217C9A197DF5DB8234C@SSC-MBX2.ssc.internal>
References: <558C15177F5E714F83334217C9A197DF5DB4175B@SSC-MBX2.ssc.internal> <20801.213.225.75.97.1355821569.squirrel@www.nixtra.com>, <50D09ED3.3030102@redhat.com> <558C15177F5E714F83334217C9A197DF5DB82294@SSC-MBX2.ssc.internal>, <51748.188.244.64.7.1355994836.squirrel@www.nixtra.com> <558C15177F5E714F83334217C9A197DF5DB822D5@SSC-MBX2.ssc.internal>, <55800.188.244.64.7.1356013244.squirrel@www.nixtra.com>, <558C15177F5E714F83334217C9A197DF5DB8231A@SSC-MBX2.ssc.internal> <558C15177F5E714F83334217C9A197DF5DB8234C@SSC-MBX2.ssc.internal>
Message-ID: <50D4E50A.3060109@redhat.com>

On 12/20/2012 07:13 PM, Johan Petersson wrote:
> Hi,
>
> Was your example of a new DUAProfile ever added to Fedora or RHEL?
> If so I can't find any reference to it or a fix of the documentation. If
> not, is there a way to add it myself for my configuration?
> There is always the manual way otherwise I guess.
> Are Red Hat going to support RHEL clients only in IPA Server?
> We will have several Linux flavours, Solaris, Windows 7/8 + Server 2012 and
> Mac OS X so the answer to that question is kind of interesting. :)
> Regards,
> Johan

Johan,

Would you mind summarizing your Solaris 11 experience in a step-by-step
procedure so that we can add it to the wiki or Fedora docs?

Thanks
Dmitri

> ________________________________________
> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Johan Petersson [Johan.Petersson at sscspace.com]
> Sent: Thursday, December 20, 2012 19:03
> To: Sigbjorn Lie
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?
>
> Hi,
>
> Thank you for the tip about NFSMAPID_DOMAIN
>
> It was not set properly.
> sharectl get nfs
>
> nfsmapid_domain=
>
> And by using:
> sharectl set -p nfsmapid_domain=servername nfs
>
> It was properly set.
> I must add that I prefer editing files instead of sharectl, svccfg and so on. :)
>
> I also made an auto.home map in IPA Server to set the homedirectory
> automounts right.
>
> And I almost forgot, my Solaris version is 11 11/11.
>
> Regards,
> Johan.
> ________________________________________
> From: Sigbjorn Lie [sigbjorn at nixtra.com]
> Sent: Thursday, December 20, 2012 15:20
> To: Johan Petersson
> Cc: freeipa-users at redhat.com
> Subject: RE: [Freeipa-users] Does Solaris 11 work as client to IPA server?
>
> Thanks.
>
> I'm guessing it's taking such a long time because it's looking through the
> entire LDAP server for your automount maps. The automountmap rules in the
> DUA profile will help with that. You'll also run into issues if you attempt
> to have several automount locations without having specified which one to
> use with an automountmap rule for auto master.
>
> If you are using NFS4 you should add the _nfsv4idmapdomain dns TXT record
> to your DNS or set NFSMAPID_DOMAIN in /etc/default/nfs to the same value as
> the domain id used on your NFS server to get rid of the nobody:nobody
> default mapping and enable mapping between the NFS server and the client.
>
> Regards,
> Siggi
>
> On Thu, December 20, 2012 13:40, Johan Petersson wrote:
>> Hi,
>>
>> Here is my pam.conf cleaned up a bit.
>>
>> login auth requisite pam_authtok_get.so.1
>> login auth required pam_dhkeys.so.1
>> login auth sufficient pam_krb5.so.1 try_first_pass
>> login auth required pam_unix_cred.so.1
>> login auth required pam_unix_auth.so.1
>> login auth required pam_dial_auth.so.1
>>
>> gdm-autologin auth required pam_unix_cred.so.1
>> gdm-autologin auth sufficient pam_allow.so.1
>>
>> other auth requisite pam_authtok_get.so.1
>> other auth required pam_dhkeys.so.1
>> other auth required pam_unix_cred.so.1
>> other auth sufficient pam_krb5.so.1
>> other auth required pam_unix_auth.so.1
>>
>> passwd auth required pam_passwd_auth.so.1
>>
>> gdm-autologin account sufficient pam_allow.so.1
>>
>> other account requisite pam_roles.so.1
>> other account required pam_unix_account.so.1
>> other account required pam_krb5.so.1
>>
>> other session required pam_unix_session.so.1
>>
>> other password required pam_dhkeys.so.1
>> other password requisite pam_authtok_get.so.1
>> other password requisite pam_authtok_check.so.1 force_check
>> other password sufficient pam_krb5.so.1
>> other password required pam_authtok_store.so.1
>>
>> I am getting one error and it is for autofs.
>>
>> /var/adm/messages:
>> Dec 20 12:56:58 servername automount[1651]: [ID 754625 daemon.error] Object not found
>>
>> /var/svc/log/system.filesystem-autofs:default.log:
>> [ Dec 20 12:24:22 Executing start method ("/lib/svc/method/svc-autofs start"). ]
>> automount: /net mounted
>> automount: /nfs4 mounted
>> automount: no unmounts
>> [ Dec 20 12:24:22 Method "start" exited with status 0.
>> ]
>>
>> ldapclient list
>> NS_LDAP_FILE_VERSION= 2.0
>> NS_LDAP_SERVERS= servername
>> NS_LDAP_SEARCH_BASEDN= dc=home
>> NS_LDAP_AUTH= none
>> NS_LDAP_SEARCH_REF= TRUE
>> NS_LDAP_SEARCH_TIME= 15
>> NS_LDAP_PROFILE= default
>> NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=accounts,dc=home
>> NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=compat,dc=home
>> NS_LDAP_BIND_TIME= 5
>> NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=posixAccount
>>
>> Thinking it has to do with the missing automountmap in the default DUAProfile.
>> Automount still works though but takes time during login and everything is nobody:nobody :)
>>
>> ________________________________________
>> From: Sigbjorn Lie [sigbjorn at nixtra.com]
>> Sent: Thursday, December 20, 2012 10:13
>> To: Johan Petersson
>> Cc: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?
>>
>> Hi,
>>
>> This is interesting. When I tested Solaris 11 ssh worked, and su - testuser worked. However console login did not work, giving some PAM errors.
>>
>> Could you please share your entire pam.conf file?
>>
>> Is this Solaris 11 or Solaris 11.1?
>>
>> Regards,
>> Siggi
>>
>> On Thu, December 20, 2012 09:40, Johan Petersson wrote:
>>> I have now managed to use a Solaris 11 system as a client to IPA Server.
>>> su - testuser works, ssh works and console login works. I get a delay before getting the prompt through ssh though and maybe from console too, probably something about autofs. Going to see if I can increase log information (Solaris newbie). To get it to work I mainly followed Sigbjorn Lie's instructions for Solaris 10 in earlier posts here. I also used the /etc/pam.conf configuration example from the Solaris 10 client guide on FreeIPA. I stuck with the default DUAProfile for now and use an NFS4 Kerberos share for home directories with autofs.
>>> Going to try the other DUAProfile too from Bug 815515 and hopefully I can get everything working.
>>>
>>> ________________________________________
>>> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Dmitri Pal [dpal at redhat.com]
>>> Sent: Tuesday, December 18, 2012 17:50
>>> To: freeipa-users at redhat.com
>>> Subject: Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?
>>>
>>> On 12/18/2012 04:06 AM, Sigbjorn Lie wrote:
>>>> On Tue, December 18, 2012 08:28, Johan Petersson wrote:
>>>>> Hi,
>>>>>
>>>>> We are implementing IPA Server and are going to need to be able to authenticate properly with a number of Solaris 11 servers. I have browsed the archives and found a few threads mentioning some problems with Solaris 11 and IPA Server. Does anyone know if the issue has been solved?
>>>>>
>>>> I don't think there are any problems with Solaris 11 except that nobody has yet sat down and figured out how to configure it as an IPA client yet.
>>>>
>>>> I had a go at it a while ago (some of the posts you've probably found), and found that there were enough differences in the LDAP/Kerberos client between Solaris 10 and Solaris 11 for making it work with the setup guide I've created for Solaris 10. And there was a need for further investigation for finding out how to configure Solaris 11 as an IPA client.
>>>>
>>>> I've not looked into this further as we do not use Solaris 11 yet.
>>>>
>>>> I don't know if anyone else has had time to sit down and have a crack at this?
>>>>
>>> And we would like to hear about this effort.
>>> If it produces instructions we would like to put them on the wiki.
>>> If it produces bugs we would investigate them.
>>>
>>>> Regards,
>>>> Siggi
>>>>
>>>> _______________________________________________
>>>> Freeipa-users mailing list
>>>> Freeipa-users at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>
>>> --
>>> Thank you,
>>> Dmitri Pal
>>>
>>> Sr. Engineering Manager for IdM portfolio
>>> Red Hat Inc.
>>>
>>> -------------------------------
>>> Looking to carve out IT costs?
>>> www.redhat.com/carveoutcosts/

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From mmercier at gmail.com Fri Dec 21 22:40:33 2012
From: mmercier at gmail.com (Mike Mercier)
Date: Fri, 21 Dec 2012 17:40:33 -0500
Subject: [Freeipa-users] Kerberos and Cisco
In-Reply-To:
References:
Message-ID:

Hi Bret,

I tried this once in the past with no success. If I recall correctly (I can't find the reference anymore), Cisco (at least in IOS 12.4 that I tested) only supports the DES-CBC-CRC enctype. This enctype is disabled by default in FreeIPA.
Thanks,
Mike

On Fri, Dec 21, 2012 at 10:35 AM, Bret Wortman wrote:
> My network guy wants to use our FreeIPA server to authenticate users on Cisco devices, but when we tried to import the keytab, it balked on every one of the keys.
>
> Has anyone done this? Any pointers if so?
>
> Thanks, and happy holidays!
>
> --
> Bret Wortman
> The Damascus Group
> Fairfax, VA
> http://bretwortman.com/
> http://twitter.com/BretWortman

From dpal at redhat.com Fri Dec 21 23:23:12 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 21 Dec 2012 18:23:12 -0500
Subject: [Freeipa-users] Kerberos and Cisco
In-Reply-To:
References:
Message-ID: <50D4EF60.6090409@redhat.com>

On 12/21/2012 05:40 PM, Mike Mercier wrote:
> Hi Bret,
>
> I tried this once in the past with no success. If I recall correctly (I can't find the reference anymore), Cisco (at least in IOS 12.4 that I tested) only supports the DES-CBC-CRC enctype. This enctype is disabled by default in FreeIPA.

allow_weak_crypto = true

in krb5.conf to enable it.
--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From bret.wortman at damascusgrp.com Fri Dec 21 23:31:26 2012
From: bret.wortman at damascusgrp.com (Bret Wortman)
Date: Fri, 21 Dec 2012 18:31:26 -0500
Subject: [Freeipa-users] Kerberos and Cisco
In-Reply-To: <50D4EF60.6090409@redhat.com>
References: <50D4EF60.6090409@redhat.com>
Message-ID: <38E1238B3A1245948A024987CD1374ED@damascusgrp.com>

Thanks, all. I'll report back.

--
Bret Wortman
http://bretwortman.com/
http://twitter.com/bretwortman

On Friday, December 21, 2012 at 6:23 PM, Dmitri Pal wrote:
> allow_weak_crypto = true
>
> in krb5.conf to enable it.
From Johan.Petersson at sscspace.com Sat Dec 22 09:24:54 2012
From: Johan.Petersson at sscspace.com (Johan Petersson)
Date: Sat, 22 Dec 2012 09:24:54 +0000
Subject: [Freeipa-users] Automount problems
Message-ID: <558C15177F5E714F83334217C9A197DF5DB82402@SSC-MBX2.ssc.internal>

I can't get automount to work for some reason on a CentOS 6.3 test server with the NFS and IPA server on the same server.
Was going to set this up for some other configuration testing but am stuck on this instead. :)

Feels like I am missing something basic but can't figure it out.
Followed the guide and tried a variety of automount maps but nothing works.
Had automount working before installing IPA Client with:

auto.master:
/home /etc/auto.home

auto.home:
* servername:/home/&

I can mount /home from the client:

mount -t nfs4 -o sec=krb5 servername:/home /mnt

/etc/sysconfig/autofs:

LDAP_URI="ldap://servername"
SEARCH_BASE="cn=default,cn=automount,dc=home"
MAP_OBJECT_CLASS="automountMap"
ENTRY_OBJECT_CLASS="automount"
MAP_ATTRIBUTE="automountMapName"
ENTRY_ATTRIBUTE="automountKey"
VALUE_ATTRIBUTE="automountInformation"

Getting this from debug level logging on autofs:

Dec 22 09:13:00 client2 automount[4528]: connected to uri ldap://servername
Dec 22 09:13:00 client2 automount[4528]: read_one_map: lookup(ldap): searching for "(objectclass=automount)" under "automountmapname=auto.direct,cn=default,cn=automount,dc=home"
Dec 22 09:13:00 client2 automount[4528]: do_get_entries: lookup(ldap): query succeeded, no matches for (objectclass=automount)
Dec 22 09:13:00 client2 automount[4528]: read_one_map: lookup(ldap): done updating map
Dec 22 09:13:00 client2 automount[4528]: st_ready: st_ready(): state = 0 path /-

So what am I missing here?

Regards,
Johan.

From sigbjorn at nixtra.com Sat Dec 22 10:16:55 2012
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Sat, 22 Dec 2012 11:16:55 +0100
Subject: [Freeipa-users] Automount problems
In-Reply-To: <558C15177F5E714F83334217C9A197DF5DB82402@SSC-MBX2.ssc.internal>
References: <558C15177F5E714F83334217C9A197DF5DB82402@SSC-MBX2.ssc.internal>
Message-ID: <50D58897.7000300@nixtra.com>

On 12/22/2012 10:24 AM, Johan Petersson wrote:
Hi,

In your /etc/auto.master, do you still have the following line as the last line in the file? If not, add it back in.

+auto.master

Do you still have a specific map for auto.home in your /etc/auto.master? If so, add +auto.home to the end of your /etc/auto.home file. (Provided you named the automount map auto.home in IPA too...)

In your /etc/nsswitch.conf file, make sure your automount line looks like this:

automount: files ldap

Let me know how you get on.

Regards,
Siggi

From Johan.Petersson at sscspace.com Sat Dec 22 12:14:01 2012
From: Johan.Petersson at sscspace.com (Johan Petersson)
Date: Sat, 22 Dec 2012 12:14:01 +0000
Subject: [Freeipa-users] Does Solaris 11 work as client to IPA server?
In-Reply-To: <50D4E50A.3060109@redhat.com>
References: <558C15177F5E714F83334217C9A197DF5DB4175B@SSC-MBX2.ssc.internal> <20801.213.225.75.97.1355821569.squirrel@www.nixtra.com>, <50D09ED3.3030102@redhat.com> <558C15177F5E714F83334217C9A197DF5DB82294@SSC-MBX2.ssc.internal>, <51748.188.244.64.7.1355994836.squirrel@www.nixtra.com> <558C15177F5E714F83334217C9A197DF5DB822D5@SSC-MBX2.ssc.internal>, <55800.188.244.64.7.1356013244.squirrel@www.nixtra.com>, <558C15177F5E714F83334217C9A197DF5DB8231A@SSC-MBX2.ssc.internal> <558C15177F5E714F83334217C9A197DF5DB8234C@SSC-MBX2.ssc.internal>, <50D4E50A.3060109@redhat.com>
Message-ID: <558C15177F5E714F83334217C9A197DF5DB8241D@SSC-MBX2.ssc.internal>

Hi,

Yes of course I can document it properly as soon as I have checked everything. I will send it to you so you can review it.

Regards,
Johan.
From npmarks at gmail.com Sat Dec 22 19:19:57 2012
From: npmarks at gmail.com (Nate Marks)
Date: Sat, 22 Dec 2012 14:19:57 -0500
Subject: [Freeipa-users] passsync ssl help?
Message-ID:

I've got a default freeipa installation. Account sync is working great. passsync makes me sad.
Here are the passsync settings:

hostname:
port: 636
username: uid=passsync,cn=sysaccounts,cn=etc,dc=,dc=
password:
cert token: tried it with and without the /etc/dirsrv/slapd-instance/pwdfile.txt contents
search base: cn=users,cn=accounts,dc=inframax,dc=ncare

I checked the passsync account/pass work with ldp (not ssl) and it worked fine.

It looks like I correctly imported the cert from my freeipa server into the db in the program files\389 directory server directory.

I just keep getting:

ldap bind error in connect 81: can't contact ldap server
can not connect to ldap server in syncpassowrds

I'd really appreciate some help. I've also disabled UAC.

From npmarks at gmail.com Sun Dec 23 13:56:50 2012
From: npmarks at gmail.com (Nate Marks)
Date: Sun, 23 Dec 2012 08:56:50 -0500
Subject: [Freeipa-users] Fwd: passsync ssl help?
In-Reply-To:
References:
Message-ID:

I'm pretty sure this is an ssl problem, but the steps for troubleshooting in the 389 server docs don't seem to work well here. I think they use a different version of ldapsearch that seems to allow me to specify the location of my cert db. The ldapsearch I'm using doesn't work that way.

The question then, is how to test ssl for passsync with freeipa. I try to run this on my freeipa server:

openssl s_client -connect :636

and I get:

verify error:num=20:unable to get local issuer certificate

but I don't even know if that's a valid, relevant test for passsync. Do I need that to run error free in both directions? Do I need to add an argument to make sure it's using the same DBs as the passsync process?

---------- Forwarded message ----------
From: Nate Marks
Date: Sat, Dec 22, 2012 at 2:19 PM
Subject: passsync ssl help?
To: freeipa-users at redhat.com
From npmarks at gmail.com Sun Dec 23 17:38:30 2012
From: npmarks at gmail.com (Nate Marks)
Date: Sun, 23 Dec 2012 12:38:30 -0500
Subject: [Freeipa-users] working on an expanded/updated guide for freeipa and passsync
Message-ID:

I apologize if this is just too much text, but I've had some struggles and I'm hoping to make things better for myself and others at the same time. I'd love to have some feedback here. I've gotten passsync to work once in a lab and never in production.

Introduction

This guide starts at the point where your freeipa server is correctly replicating accounts from a windows active directory server. The following steps are intended to help you roll out the passsync software to all of your domain controllers. Detailed descriptions of how the software works are available from people far more competent than myself. I'm just covering some installation tips.

Before you begin

One thing I think is missing is adequate tools for testing SSL on the windows side. It's just as likely that I simply don't know what tools are available. In fact the article below seems to suggest that there's a way to run openssl.exe s_client on a windows machine. Not sure where that executable would come from.
http://directory.fedoraproject.org/wiki/Howto:WindowsSync#Enabling_SSL_with_Active_Directory

The thing I think is really missing is the ability to do ldapsearch with -ZZ using the certificate database in the c:\program files\389 directory password synchronization\ directory. I suspect that would be the best test. I think that's where I fall on my face the most. I hope someone can help me figure that part out a little better.

Getting started:

It's theoretically possible to get passsync to work on the first attempt. I've just never done it. In order for that to work, you have to have exactly the right values ready to go when you run the passsync installer. The installer has input fields for the following items:

hostname:
port: 636
username: uid=passsync,cn=sysaccounts,cn=etc,dc=,dc=
password:
cert token: tried it with and without the /etc/dirsrv/slapd-instance/pwdfile.txt contents
search base: cn=users,cn=accounts,dc=inframax,dc=ncare

Verifying the hostname, username, password and search base values

First I'll talk about verifying the easy stuff (hostname, username, password, search base). Run notepad on the windows server and put in the values you're going to use before running the passsync installer. Then run ldp.exe and use the values from notepad and the steps below to verify the hostname, username, password and search base. This connection is a non-SSL connection but it's a start.

ldp.exe

Connection > Connect
enter the freeipa server hostname in the server field
enter port 389 (non-ssl port) in the port field
uncheck the SSL box
click OK

Connection > Bind
select the 'simple bind' radio button
enter the DN for the passsync account on the freeipa server in the user field. This is "uid=passsync,cn=sysaccounts,cn=etc,dc=,dc=" by default
enter the password for the passsync account in the password field
click OK

Select View > Tree and make sure you can browse the tree in the ipa server.
  browse to the subtree that you're going to use for search base and make sure you see your replicated accounts in that container.

if you can, then the values you used for the hostname, username, password and search base are all correct.

Moving on:

assuming you've verified all four values you stashed in notepad, I'll talk through the remaining values:

1) the first four values are useless by themselves. passsync won't work without SSL and if it did, it probably shouldn't (someone correct this if I'm wrong please)

2) the port for ldaps (ldap over SSL) is 636 by default. unless you have some good reason to change that port, just use it.

3) cert token: I think the only valid value for this field comes from the file on the freeipa server (/etc/dirsrv/slapd-instance/pwdfile.txt). what I don't know is if I can break passsync by entering it when it's not needed. The docs say to leave it empty to begin. I also don't know if I can change that value just by entering it into the registry and restarting the passsync service. Honestly, I'm not even sure how to figure out if I need it. Hopefully someone will enlighten me.

Installing Passsync:

Now we've done a bunch of work to check our values, but we haven't accomplished anything. So go ahead and run the passsync msi installer and enter your values into the appropriate fields. The installer will create files, directories and registry stuff, but we're not nearly done. Step 5 in the link below looks like the correct next step but this is where my confidence starts to collapse. I've gotten passsync to work exactly once and have had at least one case where I appear to have an SSL problem that I just can't figure out.
https://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/pass-sync.html

this other link seems to have more detailed instructions for the same import step, but I can't say they helped me either:
http://directory.fedoraproject.org/wiki/Howto:WindowsSync#Enabling_SSL_with_Active_Directory

One more thing before rebooting, use regedit to change the value of HKLM->Software->PasswordSync "Log Level" from 0 to 1. If everything works and you don't need it, great!

If the stars line up, you've put good values into the passsync installer, imported the freeipa server's certificate into the cert DB that passsync uses and the installer registered a new dll to capture password change events. You need to reboot the server to get the dll registration to take effect. After it restarts, change the password on an account that's being replicated to free ipa. use notepad to open the file c:\program files\389 directory password synchronization\passsync.txt

if the passhook.dll is working correctly, you'll see an entry like:
"1 new entries loaded from data file"

If ssl is working correctly, you'll be able to log into the freeipa server with the test account and newly changed password.

It seems more common that I end up with:
ldp bind error in connect
81: can't contact ldap server
Can not connect to ldap server in Syncpasswords.

This takes me to the point where I'd love more tools to troubleshoot the problem.

Other things I've tried:
1) UAC. I disable it, but I'd love some feedback on whether or not that's required on win 2k8R2.
2) some of my DCs have certificate services installed and some don't. I don't think any of that matters for passsync, but I'd love feedback there too.
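The guide above says the missing tool is an ldapsearch -ZZ style test of the LDAPS side from the PassSync host. The script below is an added example for this thread (it is not PassSync, 389-ds or FreeIPA code): it does what that test would do with only the Python standard library, a TLS handshake that verifies the server chain against the CA file and then a simple bind encoded by hand (RFC 4511). The IPA hostname, bind DN, password and the ca.crt path are placeholders; ca.crt is assumed to be the file fetched from http://<ipa-server>/ipa/config/ca.crt as the guide describes. A certificate problem fails the handshake before any bind is attempted (the same failure PassSync reports as "81: can't contact ldap server"), while a wrong DN or password comes back as LDAP resultCode 49.

```python
"""LDAPS simple-bind check against a FreeIPA server, stdlib only.

Added example; not PassSync, 389-ds or FreeIPA code. Host, DN, password and
the CA file name are placeholders.
"""
import socket
import ssl


def ber_len(n):
    """BER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(payload)) + payload


def bind_request(msg_id, dn, password):
    """LDAPv3 BindRequest with simple authentication (RFC 4511, 4.2).

    The password sits in clear text inside this PDU, which is why PassSync
    is only usable over TLS (port 636).
    """
    bind = (tlv(0x02, bytes([3]))             # version 3
            + tlv(0x04, dn.encode())          # name: the bind DN
            + tlv(0x80, password.encode()))   # [0] simple: the password
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x60, bind))


def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the element starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        pos += 2 + nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(msg):
    """Return (resultCode, diagnosticMessage) from a BindResponse PDU."""
    tag, body, _ = read_tlv(msg)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _msg_id, pos = read_tlv(body)            # messageID
    tag, resp, _ = read_tlv(body, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse (tag 0x%02x)" % tag)
    _, code, pos = read_tlv(resp)               # ENUMERATED resultCode
    _, _matched, pos = read_tlv(resp, pos)      # matchedDN
    _, diag, _ = read_tlv(resp, pos)            # diagnosticMessage
    return int.from_bytes(code, "big"), diag.decode("utf-8", "replace")


def ldaps_bind_check(host, dn, password, cafile, port=636, timeout=10):
    """TLS handshake with chain and hostname verification, then a simple bind.

    ssl.SSLError here means the CA file does not verify the server; a
    resultCode of 49 (invalidCredentials) means the DN or password is wrong.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(bind_request(1, dn, password))
            # A BindResponse is a few dozen bytes; one read is enough here.
            return parse_bind_response(tls.recv(4096))


if __name__ == "__main__":
    # Placeholder values, not values from the thread.
    code, diag = ldaps_bind_check(
        "ipa.example.com",
        "uid=passsync,cn=sysaccounts,cn=etc,dc=example,dc=com",
        "passsync-password", "ca.crt")
    print("bind resultCode=%d %s" % (code, diag or "(success)"))
```

Run it on the Windows host (or anywhere with the same ca.crt) with the values you stashed in notepad; a result of 0 means the certificate import and all four settings are good, and anything else tells you which of the two halves to fix.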
From simo at redhat.com Sun Dec 23 18:31:34 2012
From: simo at redhat.com (Simo Sorce)
Date: Sun, 23 Dec 2012 13:31:34 -0500
Subject: [Freeipa-users] Kerberos and Cisco
In-Reply-To: <50D4EF60.6090409@redhat.com>
References: <50D4EF60.6090409@redhat.com>
Message-ID: <1356287494.2894.154.camel@willson.li.ssimo.org>

On Fri, 2012-12-21 at 18:23 -0500, Dmitri Pal wrote:
> On 12/21/2012 05:40 PM, Mike Mercier wrote:
> > Hi Bret,
> >
> >
> > I tried this once in the past with no success. If I recall
> > correctly (I can't find the reference anymore), Cisco (at least in
> > IOS 12.4 that I tested) only supports the DES-CBC-CRC enctype. This
> > enctype is disabled by default in FreeIPA.
> > allow_weak_crypto = true
> > in krb5.conf to enable it.

These instructions are relevant only for a Linux based client.

Bret, on top of changing the above on the server and restarting it, you need to add DES as an allowed enctype in the IPA server LDAP attribute that controls it (*) as well as explicitly specify you want a DES key when you use ipa-getkeytab to get a keytab for your device.

(*) This attribute is called krbSupportedEncSaltTypes and is stored in cn=,cn=kerberos,cn= in your LDAP server. You probably want to add the value: des-cbc-crc:normal

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From dpal at redhat.com Sun Dec 23 19:02:10 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Sun, 23 Dec 2012 14:02:10 -0500
Subject: [Freeipa-users] Fwd: passsync ssl help?
In-Reply-To:
References:
Message-ID: <50D75532.6060802@redhat.com>

On 12/23/2012 08:56 AM, Nate Marks wrote:
> I'm pretty sure this is an ssl problem, but the steps for
> troubleshooting in the 389 server docs don't seem to work well here.
> I think they use a different version of ldapsearch that seems to allow
> me to specify the location of my cert db. the ldapsearch I'm using
> doesn't work that way.
>
> The question then, is how to test ssl for passsync with freeipa.
> I try to run this on my freeipa server:
> openssl s_client -connect :636
> and I get: verify error:num=20:unable to get local issuer certificate
> but I don't even know if that's a valid, relevant test for passsync.
>
> do I need that to run error free in both directions? do I need to
> add an argument to make sure it's using the same DBs as the passsync
> process?

I am sorry but most likely you would not hear from us till new year. All knowledgeable people in this area are on vacation next week.

Thanks
Dmitri

>
> ---------- Forwarded message ----------
> From: *Nate Marks*
> Date: Sat, Dec 22, 2012 at 2:19 PM
> Subject: passsync ssl help?
> To: freeipa-users at redhat.com
>
> I've got a default freeipa installation. account sync is working
> great. passsync makes me sad.
> here are the passsync settings:
>
> hostname:
> port: 636
> username: uid=passsync,cn=sysaccounts,cn=etc,dc=,dc=
> password:
> cert token : tried it with and without the
> /etc/dirsrv/slapd-instance/pwdfile.txt contents
> search base=cn=users,cn=accounts,dc=inframax,dc=ncare
>
> I checked the passsync account/pass work with ldp (not ssl) and it
> worked fine.
>
> it looks like I correctly imported the cert from my freeipa server
> into the db in program files\389 directory server
>
> I just keep getting :
> ldap bind error in connect
> 81: can't contact ldap server
> can not connect to ldap server in syncpasswords
>
> I'd really appreciate some help.
> I've also disabled UAC.
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
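Simo's reply above describes how to let a DES-only device into the realm (allow_weak_crypto, des-cbc-crc:normal in krbSupportedEncSaltTypes, a DES key from ipa-getkeytab). The flip side for whoever runs the KDC is keeping that exception visible: the krb5kdc.log AS_REQ lines quoted further down in this archive list the enctypes each client offers, so they are a ready-made audit trail. The script below is an added example for this thread, not FreeIPA or MIT krb5 code; it parses AS_REQ lines in MIT krb5kdc.log format and reports every request that offered a single-DES or deprecated enctype. The log lines inside it are constructed samples (the first mirrors the line quoted later in the archive, with the realm's "@" restored), and the weak/deprecated sets follow MIT krb5's allow_weak_crypto list and RFC 8429.

```python
"""Flag AS_REQs in krb5kdc.log whose client offered weak or deprecated enctypes.

Added example for this thread, not FreeIPA or MIT krb5 code. SAMPLE_LOG
lines are constructed.
"""
import re

# Enctype numbers from the IANA Kerberos registry (RFC 3961, 3962, 8009).
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
    16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 19: "aes128-cts-hmac-sha256-128",
    20: "aes256-cts-hmac-sha384-192", 23: "rc4-hmac", 24: "rc4-hmac-exp",
}
# Single DES and export RC4: MIT krb5 rejects these unless allow_weak_crypto.
WEAK = {1, 2, 3, 24}
# Triple DES and RC4-HMAC: deprecated by RFC 8429 but still accepted by
# default in the krb5 releases of this era.
DEPRECATED = {16, 23}

AS_REQ_RE = re.compile(
    r"krb5kdc\[\d+\]\(info\): AS_REQ \(\d+ etypes \{(?P<etypes>[\d ]*)\}\) "
    r"(?P<client>\S+): (?P<status>\w+): (?P<rest>.*)$"
)
# "client@REALM for service@REALM" appears in both ISSUE and error lines.
PRINC_RE = re.compile(r"(\S+@[^\s,]+) for (\S+@[^\s,]+)")


def parse_as_req(line):
    """Return a dict for an AS_REQ log line, or None for any other line."""
    m = AS_REQ_RE.search(line)
    if not m:
        return None
    princ = PRINC_RE.search(m.group("rest"))
    return {
        "client": m.group("client"),
        "status": m.group("status"),
        "principal": princ.group(1) if princ else None,
        "etypes": [int(e) for e in m.group("etypes").split()],
    }


def weak_etype_findings(lines):
    """One finding per AS_REQ whose client offered a weak or deprecated etype."""
    findings = []
    for line in lines:
        rec = parse_as_req(line)
        if rec is None:
            continue
        weak = [ENCTYPE_NAMES.get(e, str(e)) for e in rec["etypes"] if e in WEAK]
        deprecated = [ENCTYPE_NAMES.get(e, str(e)) for e in rec["etypes"] if e in DEPRECATED]
        if weak or deprecated:
            findings.append({
                "client": rec["client"],
                "principal": rec["principal"],
                "status": rec["status"],
                "weak": weak,
                "deprecated": deprecated,
            })
    return findings


# Constructed samples: a Fedora host, a DES-only device (the Cisco case) after
# the KDC was opened up for it, a modern client, and a TGS_REQ to be ignored.
SAMPLE_LOG = [
    "Dec 23 15:28:38 s0 krb5kdc[1208](info): AS_REQ (4 etypes {18 17 16 23}) "
    "2001:db8::1: NEEDED_PREAUTH: host/aloe.ipa.naunetcorp.com@IPA.NAUNETCORP.COM "
    "for krbtgt/IPA.NAUNETCORP.COM@IPA.NAUNETCORP.COM, Additional pre-authentication required",
    "Dec 23 15:29:02 s0 krb5kdc[1208](info): AS_REQ (1 etypes {1}) 192.0.2.7: "
    "ISSUE: authtime 1356294542, etypes {rep=1 tkt=1 ses=1}, "
    "host/router1.example.com@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM",
    "Dec 23 15:29:10 s0 krb5kdc[1208](info): AS_REQ (2 etypes {18 17}) 192.0.2.8: "
    "ISSUE: authtime 1356294550, etypes {rep=18 tkt=18 ses=18}, "
    "admin@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM",
    "Dec 23 15:29:11 s0 krb5kdc[1208](info): TGS_REQ (2 etypes {18 17}) 192.0.2.8: "
    "ISSUE: authtime 1356294550, etypes {rep=18 tkt=18 ses=18}, "
    "admin@EXAMPLE.COM for host/srv.example.com@EXAMPLE.COM",
]

if __name__ == "__main__":
    for f in weak_etype_findings(SAMPLE_LOG):
        print("%s %s weak=%s deprecated=%s"
              % (f["client"], f["principal"], f["weak"], f["deprecated"]))
```

Feed it the real krb5kdc.log instead of SAMPLE_LOG and anything other than the one device you deliberately allowed shows up as a finding; that is the list to revisit once the device can be upgraded and des-cbc-crc removed from krbSupportedEncSaltTypes again.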
From npmarks at gmail.com Sun Dec 23 19:06:53 2012
From: npmarks at gmail.com (Nate Marks)
Date: Sun, 23 Dec 2012 14:06:53 -0500
Subject: [Freeipa-users] Fwd: passsync ssl help?
In-Reply-To: <50D75532.6060802@redhat.com>
References: <50D75532.6060802@redhat.com>
Message-ID:

Of course. No need to apologize at all. I'm grateful for all the support I've already received. Please enjoy the holidays and respond at your leisure.

From mbt at naunetcorp.com Sun Dec 23 20:32:33 2012
From: mbt at naunetcorp.com (Michael B. Trausch)
Date: Sun, 23 Dec 2012 15:32:33 -0500
Subject: [Freeipa-users] Joining Fedora 18 (FreeIPA 3.1.0) to CentOS 6.3 (FreeIPA 2.1.90rc1)
Message-ID:

Whoops. Let's try this again, I failed to post it correctly the first time.

The Reader's Digest version: I set up a FreeIPA server on CentOS 6.3. I then set up a FreeIPA client on another CentOS 6.3 system. So far, so good. Then I attempted to set up a FreeIPA client on an F18 system, which has FreeIPA 3.1.0, but that fails with the error "Failed to obtain host TGT.", and then reverts the changes.
The log file shows everything succeeding up to this point:

--------------------------------------------------------------------------
2012-12-23T19:39:38Z DEBUG args=/usr/sbin/ipa-join -s s0.ipa.naunetcorp.com -b dc=ipa,dc=naunetcorp,dc=com -h aloe.ipa.naunetcorp.com
2012-12-23T19:39:40Z DEBUG Process finished, return code=0
2012-12-23T19:39:40Z DEBUG stdout=
2012-12-23T19:39:40Z DEBUG stderr=Certificate subject base is: O=IPA.NAUNETCORP.COM
2012-12-23T19:39:40Z INFO Enrolled in IPA realm IPA.NAUNETCORP.COM
2012-12-23T19:39:40Z DEBUG Starting external process
2012-12-23T19:39:40Z DEBUG args=kdestroy
2012-12-23T19:39:40Z DEBUG Process finished, return code=0
2012-12-23T19:39:40Z DEBUG stdout=
2012-12-23T19:39:40Z DEBUG stderr=
2012-12-23T19:39:40Z DEBUG Starting external process
2012-12-23T19:39:40Z DEBUG args=/usr/bin/kinit -k -t /etc/krb5.keytab host/aloe.ipa.naunetcorp.com at IPA.NAUNETCORP.COM
2012-12-23T19:39:40Z DEBUG Process finished, return code=1
2012-12-23T19:39:40Z DEBUG stdout=
2012-12-23T19:39:40Z DEBUG stderr=kinit: Generic preauthentication failure while getting initial credentials
2012-12-23T19:39:40Z ERROR Failed to obtain host TGT.
2012-12-23T19:39:40Z ERROR Installation failed. Rolling back changes.
--------------------------------------------------------------------------

Every time I run the client script, the following appears in krb5kdc.log on the server:

--------------------------------------------------------------------------
Dec 23 15:28:38 s0 krb5kdc[1208](info): AS_REQ (4 etypes {18 17 16 23}) 2001:db8::1: NEEDED_PREAUTH: host/aloe.ipa.naunetcorp.com at IPA.NAUNETCORP.COM for krbtgt/IPA.NAUNETCORP.COM at IPA.NAUNETCORP.COM, Additional pre-authentication required
--------------------------------------------------------------------------

(Yes the timestamps are different, because I just thought to check the server log and so I ran the client command again; the clock skew between the two systems is not measurable.)
The problem occurs every time I attempt to join the FreeIPA domain; I have run it about 100 times now, just to see, as I found a verified RH ticket against an older FreeIPA where a user was indicating that they had this same type of trouble intermittently, but that was no use to me.

Anyone have an idea? Someplace else to look? Should I downgrade the client, or upgrade the server? Am I doing something wrong?

Thanks a million!
Mike

From viktor.mendes at lmax.com Mon Dec 24 13:11:20 2012
From: viktor.mendes at lmax.com (Viktor Mendes)
Date: Mon, 24 Dec 2012 13:11:20 +0000 (UTC)
Subject: [Freeipa-users] How to backup / restore the FreeIPA server?
In-Reply-To: <1333024270.3879316.1356354239117.JavaMail.root@co1mail04.co.tradefair>
Message-ID: <645248111.3879839.1356354680776.JavaMail.root@co1mail04.co.tradefair>

Hi guys,

We are going to use FreeIPA v2.2.0 (the latest one available on CentOS 6.3) and would like to know if there is a way to do a complete backup / restore of the server database for disaster recovery purposes?

I have been able to successfully export the userRoot db ldif via db2ldif, make some changes, then import the ldif via ldif2db.

However when I try to build a new server with the same hostname, then import the ldif, that does not work.

The import is successful, however when trying to log in to the IPA web GUI, I get an error that the admin password has expired.
Here is the output when trying to change the password (I have restarted the krb5kdc service at this point, as it was coming up with a different error):

KRB5_TRACE=/dev/stdout kinit admin
[10814] 1356353589.809893: Getting initial credentials for admin at CO.YB.LMAX
[10814] 1356353589.871805: Sending request (176 bytes) to CO.YB.LMAX
[10814] 1356353589.879177: Sending initial UDP request to dgram 10.81.10.234:88
[10814] 1356353589.888809: Received answer from dgram 10.81.10.234:88
[10814] 1356353589.888893: Response was not from master KDC
[10814] 1356353589.888941: Received error from KDC: -1765328361/Password has expired
[10814] 1356353589.888969: Retrying AS request with master KDC
[10814] 1356353589.888976: Getting initial credentials for admin at CO.YB.LMAX
[10814] 1356353589.889033: Sending request (176 bytes) to CO.YB.LMAX (master)
[10814] 1356353589.889087: Principal expired; getting changepw ticket
[10814] 1356353589.889111: Getting initial credentials for admin at CO.YB.LMAX
[10814] 1356353589.889148: Setting initial creds service to
[10814] 1356353589.889208: Sending request (174 bytes) to CO.YB.LMAX
[10814] 1356353589.889516: Sending initial UDP request to dgram 10.81.10.234:88
[10814] 1356353589.901098: Received answer from dgram 10.81.10.234:88
[10814] 1356353589.901326: Response was not from master KDC
[10814] 1356353589.901340: Received error from KDC: -1765328359/Additional pre-authentication required
[10814] 1356353589.901596: Processing preauth types: 2, 136, 19, 133
[10814] 1356353589.901818: Selected etype info: etype aes256-cts, salt "^X"Ed"/E2,L]'Zs)", params ""
[10814] 1356353589.901825: Received cookie: MIT
Password for admin at CO.YB.LMAX:
[10814] 1356353596.402451: AS key obtained for encrypted timestamp: aes256-cts/78C9
[10814] 1356353596.402608: Encrypted timestamp (for 1356353596.402519): plain 301AA011180F32303132313232343132353331365AA1050203062457, encrypted 491EF490A7BFF756A7681BE9271E7925CCA41CC95916282FEFC3375FFBDC0B2A2E18B8501E81E1E14310762BC15351FE549633ABAB0CAB53
[10814] 1356353596.402627: Produced preauth for next request: 133, 2
[10814] 1356353596.402648: Sending request (269 bytes) to CO.YB.LMAX
[10814] 1356353596.404303: Sending initial UDP request to dgram 10.81.10.234:88
[10814] 1356353596.447924: Received answer from dgram 10.81.10.234:88
[10814] 1356353596.448011: Response was not from master KDC
[10814] 1356353596.448077: Processing preauth types: 19
[10814] 1356353596.448094: Selected etype info: etype aes256-cts, salt "^X"Ed"/E2,L]'Zs)", params ""
[10814] 1356353596.448105: Produced preauth for next request: (empty)
[10814] 1356353596.448116: AS key determined by preauth: aes256-cts/78C9
[10814] 1356353596.448295: Decrypted AS reply; session key is: aes256-cts/A68E
[10814] 1356353596.448376: FAST negotiation: available
[10814] 1356353596.448483: Attempting password change; 3 tries remaining
Password expired. You must change it now.
Enter new password:
Enter it again:
[10814] 1356353604.147282: Creating authenticator for admin at CO.YB.LMAX -> kadmin/changepw at CO.YB.LMAX, seqnum 0, subkey aes256-cts/E782, session key aes256-cts/A68E
[10814] 1356353604.148689: Sending initial UDP request to dgram 10.81.10.234:464
[10814] 1356353604.154628: Received answer from dgram 10.81.10.234:464
kinit: Password change failed while getting initial credentials

Thanks in advance for your help

Viktor Mendes
Systems Administrator
viktor.mendes at lmax.com | http://www.LMAX.com
LMAX, Yellow Building, 1a Nicholas Road, London. W11 4AN

FX and CFDs are leveraged products that can result in losses exceeding your deposit. They are not suitable for everyone so please ensure you fully understand the risks involved. The information in this email is not directed at residents of the United States of America or any other jurisdiction where trading in CFDs and/or FX is restricted or prohibited by local laws or regulations.
The information in this email and any attachment is confidential and is intended only for the named recipient(s). The email may not be disclosed or used by any person other than the addressee, nor may it be copied in any way. If you are not the intended recipient please notify the sender immediately and delete any copies of this message. Any unauthorised copying, disclosure or distribution of the material in this e-mail is strictly forbidden.

LMAX operates a multilateral trading facility. Authorised and regulated by the Financial Services Authority (firm registration number 509778) and is registered in England and Wales (number 06505809). Our registered address is Yellow Building, 1A Nicholas Road, London, W11 4AN.

From npmarks at gmail.com Mon Dec 24 13:24:03 2012
From: npmarks at gmail.com (Nate Marks)
Date: Mon, 24 Dec 2012 08:24:03 -0500
Subject: [Freeipa-users] if passsyncservice starts , does that mean SSL is ok?
Message-ID:

This sounds like SSL is correctly configured if the service continues to run, rather than stopping right away. If that's correct, my problem is someplace else (username, hostname, etc.). Is that correct?

http://directory.fedoraproject.org/wiki/Howto:WindowsSync#Configuring_PassSync

excerpt:
*NOTE: PassSync will not work until TLS/SSL is configured.* The passsync.log will contain errors about SSL initialization until SSL is properly configured, and the service will not start.

From dpal at redhat.com Mon Dec 24 14:35:13 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 24 Dec 2012 09:35:13 -0500
Subject: [Freeipa-users] How to backup / restore the FreeIPA server?
In-Reply-To: <645248111.3879839.1356354680776.JavaMail.root@co1mail04.co.tradefair>
References: <645248111.3879839.1356354680776.JavaMail.root@co1mail04.co.tradefair>
Message-ID: <50D86821.3010609@redhat.com>

On 12/24/2012 08:11 AM, Viktor Mendes wrote:
> Hi guys,
>
> We are going to use the FreeIPA v2.2.0 (the latest one available on CentOS 6.3) and would like to know if there is a way to do a complete backup / restore of the server database for disaster recovery purposes?
>

Please see the thread about Backup and Restore earlier this month.
https://www.redhat.com/archives/freeipa-users/2012-December/msg00118.html

>
> I have been able to successfully export the userRoot db ldif via db2ldif, make some changes, then import the ldif via ldif2db.
>
> However when I try to build a new server with the same hostname, then import the ldif, that does not work.
>
> The import is successful, however when trying to log in to IPA web GUI, I get an error that the admin password has expired. Here is an output when trying to change the password (I have restarted krb5kdc service at this point, as it was coming up with a different error):
>
> KRB5_TRACE=/dev/stdout kinit admin

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From npmarks at gmail.com Mon Dec 24 16:13:10 2012
From: npmarks at gmail.com (Nate Marks)
Date: Mon, 24 Dec 2012 11:13:10 -0500
Subject: [Freeipa-users] solved: here are some additional passsync notes
Message-ID:

I'd love some feedback on these. They seemed to work for me. Thanks!

Introduction

This guide starts at the point where your freeipa server is correctly replicating accounts from a windows active directory server. The following steps are intended to help you roll out the passsync software to all of your domain controllers. Detailed descriptions of how the software works are available from people far more competent than myself. I'm just covering some installation tips.

One thing that really screwed me up is that there are great passsync docs for 389 directory server and great passsync docs for freeipa server. They are similar. They are NOT interchangeable. When using freeipa server stick with freeipa docs. I know this seems obvious, but when passsync doesn't work the first time, my instinct is to cast about on google for things that seem to be related. When you find the 389 server docs under those circumstances and try to apply them to freeipa, you find a rathole.

Getting started:

It's theoretically possible to get passsync to work on the first attempt. I've just never done it. In order for that to work, you have to have exactly the right values ready to go when you run the passsync installer.
The installer has input fields for the following items:

hostname:
port: 636
username: uid=passsync,cn=sysaccounts,cn=etc,dc=,dc=
password:
cert token: tried it with and without the /etc/dirsrv/slapd-instance/pwdfile.txt contents
search base=cn=users,cn=accounts,dc=inframax,dc=ncare

Verifying the hostname, username, password and search base values

The best tool I found in windows for checking the passsync installation settings is ldp. First I'll talk about verifying the easy stuff (hostname, username, password, search base). Run notepad on the windows server and put in the values you're going to use before running the passsync installer. Then run ldp.exe and use the values from notepad and the steps below to verify the hostname, username, password and search base.

ldp.exe
  connection > connect
    enter the freeipa server hostname in the server field
    enter port 636 (non-ssl port) in the port field
    check the SSL box
    click OK
  connection > bind
    select the 'simple bind' radio button
    enter the DN for the passsync account on the freeipa server in the user field. this is "uid=passsync,cn=sysaccounts,cn=etc,dc=,dc=" by default
    enter the password for the passsync account in the password field
    click ok
  select view > tree and make sure you can browse the tree in the ipa server.
  browse to the subtree that you're going to use for search base and make sure you see your replicated accounts in that container.

if you can, then the values you used for the hostname, username, password and search base are all correct. It also means that the ca.crt file you imported for ldap account synchronization is working correctly.

NOTE: I left cert token empty. it seems to be used for encrypting the certificate db in c:\program files\389 directory password synchronization. That can be done after you get password synchronization working.

Installing Passsync:

Now we've done a bunch of work to check our values, but we haven't accomplished anything.
So go ahead and run the passsync msi installer and enter your values into the appropriate fields. The installer will create files, directories and registry stuff, but we're not nearly done. Step 5 in the link below seems to have the correct steps. Be sure to import the same certificate that you imported in the account synchronization process. I got mine with wget http:///ipa/config/ca.crt.

https://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/pass-sync.html

One more thing before rebooting, use regedit to change the value of HKLM->Software->PasswordSync "Log Level" from 0 to 1. If everything works and you don't need it, great!

If the stars line up, you've put good values into the passsync installer, imported the freeipa server's certificate into the cert DB that passsync uses and the installer registered a new dll to capture password change events. You need to reboot the server to get the dll registration to take effect. After it restarts, change the password on an account that's being replicated to free ipa. use notepad to open the file c:\program files\389 directory password synchronization\passsync.txt

if the passhook.dll is working correctly, you'll see an entry like:
"1 new entries loaded from data file"

If ssl is working correctly, you'll be able to log into the freeipa server with the test account and newly changed password. If it doesn't work, verify your cert and your values with ldp.exe. I just don't have anything better than that yet.

This takes me to the point where I'd love more tools to troubleshoot the problem.

Other things I've tried:
1) UAC. I disable it, but I'd love some feedback on whether or not that's required on win 2k8R2.
2) some of my DCs have certificate services installed and some don't. I don't think any of that matters for passsync, but I'd love feedback there too.
3) Here are the details on the 389 directory server steps that screwed me up. I found these steps for exporting the cert from linux that apparently apply to 389 and not to freeipa (http://directory.fedoraproject.org/wiki/Howto:WindowsSync) and they really screwed me up with freeipa:

***DO NOT USE THIS METHOD TO GET A PASSSYNC CERT***
cd /usr/lib/dirsrv/slapd-instance_name
certutil -d . -L -n "CA certificate" -a > dsca.crt
# NOTE - it might not be called CA certificate - use certutil -d . -L to list your certs
***DO NOT USE THIS METHOD TO GET A PASSSYNC CERT***

instead, just use the process that worked for the account replication setup. just use the ca.crt from http:///ipa/config/ca.crt . The steps don't throw any errors, but that certificate didn't work for me. It may be a little obvious, but it only worked if I imported the same cert file used in the replication process. I got that file

From Johan.Petersson at sscspace.com Mon Dec 24 22:27:58 2012
From: Johan.Petersson at sscspace.com (Johan Petersson)
Date: Mon, 24 Dec 2012 22:27:58 +0000
Subject: [Freeipa-users] Does Solaris 11 work as client to IPA server?
In-Reply-To: <558C15177F5E714F83334217C9A197DF5DB8241D@SSC-MBX2.ssc.internal> References: <558C15177F5E714F83334217C9A197DF5DB4175B@SSC-MBX2.ssc.internal> <20801.213.225.75.97.1355821569.squirrel@www.nixtra.com>, <50D09ED3.3030102@redhat.com> <558C15177F5E714F83334217C9A197DF5DB82294@SSC-MBX2.ssc.internal>, <51748.188.244.64.7.1355994836.squirrel@www.nixtra.com> <558C15177F5E714F83334217C9A197DF5DB822D5@SSC-MBX2.ssc.internal>, <55800.188.244.64.7.1356013244.squirrel@www.nixtra.com>, <558C15177F5E714F83334217C9A197DF5DB8231A@SSC-MBX2.ssc.internal> <558C15177F5E714F83334217C9A197DF5DB8234C@SSC-MBX2.ssc.internal>, <50D4E50A.3060109@redhat.com>, <558C15177F5E714F83334217C9A197DF5DB8241D@SSC-MBX2.ssc.internal> Message-ID: <558C15177F5E714F83334217C9A197DF5DB82483@SSC-MBX2.ssc.internal>

Here is a step by step instruction for a Solaris 11 machine as client to an IPA server based on the default DUAProfile.
Console login works, su - and ssh.
Home directories automounted have the correct permissions.
The automount does not use wildcards since I had issues of the whole /home being grabbed by autofs and thus making local users' home directories unavailable.
This can probably be solved by someone with more extensive experience of Solaris autofs.
I am working on an instruction based on Sigbjorn Lie's DUAProfile and added security and will post it too shortly.

First make sure that the Solaris 11 machine is using the proper DNS and NTP servers.
On the IPA server or Client run:

ipa host-add --force --ip-address=192.168.0.1 solaris.example.com

ipa-getkeytab -s ipaserver.example.com -p host/solaris.example.com -k /tmp/solaris.keytab

Move the keytab to the Solaris machine /etc/krb5/krb5.keytab

Make sure it has the proper owner and permissions:

chown root:sys /etc/krb5/krb5.keytab
chmod 700 /etc/krb5/krb5.keytab

Edit /etc/nsswitch.ldap, replace "ldap" with "dns" on the "hosts" and "ipnodes" lines:

hosts: files dns
ipnodes: files dns

Edit /etc/krb5/krb5.conf:

[libdefaults]
default_realm = EXAMPLE.COM
verify_ap_req_nofail = false
[realms]
EXAMPLE.COM = {
kdc = ipaserver.example.com
admin_server = ipaserver.example.com
}

[domain_realm]
example.com = EXAMPLE.COM
.example.com = EXAMPLE.COM

Run the ldapclient with the default DUAProfile.
The -a domainName=example.com is needed so that ldapclient does not stop and complain about a missing nisdomain name.

ldapclient -v init -a profilename=default -a domainName=example.com ipaserver.example.com

In Solaris 11.1 the pam configuration has changed but for simplicity I still use the /etc/pam.conf:

login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth sufficient pam_krb5.so.1 try_first_pass
login auth required pam_unix_auth.so.1
login auth required pam_dial_auth.so.1

other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth sufficient pam_krb5.so.1
other auth required pam_unix_auth.so.1

other account requisite pam_roles.so.1
other account required pam_unix_account.so.1
other account required pam_krb5.so.1

other password requisite pam_authtok_check.so.1 force_check
other password sufficient pam_krb5.so.1
other password required pam_authtok_store.so.1

For NFS and automount to work:

In /etc/nfssec.conf enable these:

krb5 390003 kerberos_v5 default - # RPCSEC_GSS
krb5i 390004 kerberos_v5 default integrity # RPCSEC_GSS
krb5p 390005 kerberos_v5 default privacy # RPCSEC_GSS

sharectl set -p nfsmapid_domain=example.com nfs

If autofs is not on:

svcadm enable system/filesystem/autofs:default

In /etc/auto_home:

testuser ipaserver.example.com:/home/testuser

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Johan Petersson [Johan.Petersson at sscspace.com]
Sent: Saturday, December 22, 2012 13:14
To: dpal at redhat.com; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?

Hi, yes of course I can document it properly as soon as I have checked everything.
I will send it to you so you can review it.

Regards,
Johan.

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Dmitri Pal [dpal at redhat.com]
Sent: Friday, December 21, 2012 23:39
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?

On 12/20/2012 07:13 PM, Johan Petersson wrote:
> Hi,
>
> Was your example of a new DUAProfile ever added to Fedora or RHEL?
> If so I can't find any reference to it or a fix of the documentation. If not, is there a way to add it myself for my configuration?
> There is always the manual way otherwise I guess.
> Are Red Hat going to support RHEL clients only in IPA Server?
> We will have several Linux flavours, Solaris, Windows 7/8 + Server 2012 and Mac OS X so the answer to that question is kind of interesting. :)
> Regards,
> Johan

Johan,

Would you mind summarizing your Solaris 11 experience in a step by step procedure so that we can add it to wiki or Fedora docs?
Thanks
Dmitri

> ________________________________________
> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Johan Petersson [Johan.Petersson at sscspace.com]
> Sent: Thursday, December 20, 2012 19:03
> To: Sigbjorn Lie
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?
>
> Hi,
>
> Thank you for the tip about NFSMAPID_DOMAIN
>
> It was not set properly.
> sharectl get nfs
>
> nfsmapid_domain=
>
> And by using:
> sharectl set -p nfsmapid_domain=servername nfs
>
> It was properly set.
> I must add that I prefer editing files instead of sharectl, svccfg and so on. :)
>
> I also made an auto.home map in IPA Server to set the home directory automounts right.
>
> And I almost forgot, my Solaris version is 11 11/11.
>
> Regards,
> Johan.
> ________________________________________
> From: Sigbjorn Lie [sigbjorn at nixtra.com]
> Sent: Thursday, December 20, 2012 15:20
> To: Johan Petersson
> Cc: freeipa-users at redhat.com
> Subject: RE: [Freeipa-users] Does Solaris 11 work as client to IPA server?
>
> Thanks.
>
> I'm guessing it's taking such a long time because it's looking through the entire LDAP server for
> your automount maps. The automountmap rules in the DUA profile will help with that. You'll also
> run into issues if you attempt to have several automount locations without having specified which
> one to use with an automountmap rule for auto master.
>
> If you are using NFS4 you should add the _nfsv4idmapdomain dns TXT record to your DNS or set
> NFSMAPID_DOMAIN in /etc/default/nfs to the same value as the domain id used on your NFS server to
> get rid of the nobody:nobody default mapping and enable mapping between the NFS server and the
> client.
>
> Regards,
> Siggi
>
> On Thu, December 20, 2012 13:40, Johan Petersson wrote:
>> Hi,
>>
>> Here is my pam.conf cleaned up a bit.
>>
>> login auth requisite pam_authtok_get.so.1
>> login auth required pam_dhkeys.so.1
>> login auth sufficient pam_krb5.so.1 try_first_pass
>> login auth required pam_unix_cred.so.1
>> login auth required pam_unix_auth.so.1
>> login auth required pam_dial_auth.so.1
>>
>> gdm-autologin auth required pam_unix_cred.so.1
>> gdm-autologin auth sufficient pam_allow.so.1
>>
>> other auth requisite pam_authtok_get.so.1
>> other auth required pam_dhkeys.so.1
>> other auth required pam_unix_cred.so.1
>> other auth sufficient pam_krb5.so.1
>> other auth required pam_unix_auth.so.1
>>
>> passwd auth required pam_passwd_auth.so.1
>>
>> gdm-autologin account sufficient pam_allow.so.1
>>
>> other account requisite pam_roles.so.1
>> other account required pam_unix_account.so.1
>> other account required pam_krb5.so.1
>>
>> other session required pam_unix_session.so.1
>>
>> other password required pam_dhkeys.so.1
>> other password requisite pam_authtok_get.so.1
>> other password requisite pam_authtok_check.so.1 force_check
>> other password sufficient pam_krb5.so.1
>> other password required pam_authtok_store.so.1
>>
>> I am getting one error and it is for autofs.
>>
>> /var/adm/messages:
>> Dec 20 12:56:58 servername automount[1651]: [ID 754625 daemon.error] Object not found
>>
>> /var/svc/log/system.filesystem-autofs:default.log:
>> [ Dec 20 12:24:22 Executing start method ("/lib/svc/method/svc-autofs start"). ]
>> automount: /net mounted
>> automount: /nfs4 mounted
>> automount: no unmounts
>> [ Dec 20 12:24:22 Method "start" exited with status 0.
]
>>
>> ldapclient list
>> NS_LDAP_FILE_VERSION= 2.0
>> NS_LDAP_SERVERS= servername
>> NS_LDAP_SEARCH_BASEDN= dc=home
>> NS_LDAP_AUTH= none
>> NS_LDAP_SEARCH_REF= TRUE
>> NS_LDAP_SEARCH_TIME= 15
>> NS_LDAP_PROFILE= default
>> NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=accounts,dc=home
>> NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=compat,dc=home
>> NS_LDAP_BIND_TIME= 5
>> NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=posixAccount
>>
>> Thinking it has to do with the missing automountmap in the default DUAProfile.
>> Automount still works though but takes time during login and everything is nobody:nobody :)
>>
>> ________________________________________
>> From: Sigbjorn Lie [sigbjorn at nixtra.com]
>> Sent: Thursday, December 20, 2012 10:13
>> To: Johan Petersson
>> Cc: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?
>>
>> Hi,
>>
>> This is interesting. When I tested Solaris 11 ssh worked, and su - testuser worked. However
>> console login did not work giving some PAM errors.
>>
>> Could you please share your entire pam.conf file?
>>
>> Is this Solaris 11 or Solaris 11.1?
>>
>> Regards,
>> Siggi
>>
>> On Thu, December 20, 2012 09:40, Johan Petersson wrote:
>>
>>> I have now managed to use a Solaris 11 system as a client to IPA Server.
>>> su - testuser works, ssh works and console login works. I get a delay before getting the prompt
>>> through ssh though and maybe from console too, probably something about autofs. Going to see if
>>> I can increase log information (Solaris newbie). To get it to work I mainly followed Sigbjorn Lie's
>>> instructions for Solaris 10 in earlier posts here. I also used the /etc/pam.conf configuration
>>> example from the Solaris 10 client guide on Free IPA. I stuck with the default DUAProfile for
>>> now and use a NFS4 Kerberos share for home directories with autofs.
>>> Going to try the other DUAProfile
>>> too from Bug 815515 and hopefully I can get everything working.
>>>
>>> ________________________________________
>>> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Dmitri Pal [dpal at redhat.com]
>>> Sent: Tuesday, December 18, 2012 17:50
>>> To: freeipa-users at redhat.com
>>> Subject: Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?
>>>
>>> On 12/18/2012 04:06 AM, Sigbjorn Lie wrote:
>>>
>>>> On Tue, December 18, 2012 08:28, Johan Petersson wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> We are implementing IPA Server and are going to need to be able to authenticate properly
>>>>> with a number of Solaris 11 servers. I have browsed the archives and found a few threads
>>>>> mentioning some problems with Solaris 11 and IPA Server. Does anyone know if the issue has
>>>>> been solved?
>>>>>
>>>> I don't think there are any problems with Solaris 11 except that nobody has yet sat down and
>>>> figured out how to configure it as an IPA client yet.
>>>>
>>>> I had a go at it a while ago (some of the posts you've probably found), and found that there
>>>> were enough differences in the LDAP/Kerberos client between Solaris 10 and Solaris 11 for
>>>> making it work with the setup guide I've created for Solaris 10. And there was a need for
>>>> further investigation for finding out how to configure Solaris 11 as an IPA client.
>>>>
>>>> I've not looked into this further as we do not use Solaris 11 yet.
>>>>
>>>> I don't know if anyone else has had time to sit down and have a crack at this?
>>>>
>>> And we would like to hear about this effort.
>>> If it produces instructions we would like to put them on the wiki.
>>> If it produces bugs we would investigate them.
>>>
>>>> Regards,
>>>> Siggi
>>>>
>>>> _______________________________________________
>>>> Freeipa-users mailing list
>>>> Freeipa-users at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>
>>> --
>>> Thank you,
>>> Dmitri Pal
>>>
>>> Sr. Engineering Manager for IdM portfolio
>>> Red Hat Inc.
>>>
>>> -------------------------------
>>> Looking to carve out IT costs?
>>> www.redhat.com/carveoutcosts/
>>>
>>
>

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From mbt at naunetcorp.com Tue Dec 25 02:30:19 2012 From: mbt at naunetcorp.com (Michael B.
Trausch) Date: Mon, 24 Dec 2012 21:30:19 -0500 Subject: [Freeipa-users] Joining Fedora 18 (FreeIPA 3.1.0) to CentOS 6.3 (FreeIPA 2.1.90rc1) In-Reply-To: References: Message-ID:

On 12/23/2012 03:32 PM, Michael B. Trausch wrote:
> Whoops. Let's try this again, I failed to post it correctly the first
> time.

Hrm. It'd seem I overlooked something...

[776940.813555] ipa-getkeytab[28840]: segfault at 0 ip 00007fa38cda61dc sp 00007fffbdf1bce0 error 6 in libgssapiv2.so.2.0.25[7fa38cda3000+7000]

I guess I better get a bug filed if there isn't one already. I assume that the bug should go to Fedora, and not the FreeIPA project, would that be correct?

Thanks and Happy Holidays!

Mike

From dpal at redhat.com Tue Dec 25 14:01:25 2012 From: dpal at redhat.com (Dmitri Pal) Date: Tue, 25 Dec 2012 09:01:25 -0500 Subject: [Freeipa-users] Joining Fedora 18 (FreeIPA 3.1.0) to CentOS 6.3 (FreeIPA 2.1.90rc1) In-Reply-To: References: Message-ID: <50D9B1B5.3020206@redhat.com>

On 12/24/2012 09:30 PM, Michael B. Trausch wrote:
> On 12/23/2012 03:32 PM, Michael B. Trausch wrote:
>> Whoops. Let's try this again, I failed to post it correctly the first
>> time.
> Hrm. It'd seem I overlooked something...
>
> [776940.813555] ipa-getkeytab[28840]: segfault at 0 ip 00007fa38cda61dc
> sp 00007fffbdf1bce0 error 6 in libgssapiv2.so.2.0.25[7fa38cda3000+7000]
>
> I guess I better get a bug filed if there isn't one already. I assume
> that the bug should go to Fedora, and not the FreeIPA project, would
> that be correct?

Either way is OK.
Putting it directly into the project trac will give it a bit more visibility.

> Thanks and Happy Holidays!
>
> Mike

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From dpal at redhat.com Tue Dec 25 15:52:38 2012 From: dpal at redhat.com (Dmitri Pal) Date: Tue, 25 Dec 2012 10:52:38 -0500 Subject: [Freeipa-users] Does Solaris 11 work as client to IPA server? In-Reply-To: <558C15177F5E714F83334217C9A197DF5DB82483@SSC-MBX2.ssc.internal> References: <558C15177F5E714F83334217C9A197DF5DB4175B@SSC-MBX2.ssc.internal> <20801.213.225.75.97.1355821569.squirrel@www.nixtra.com>, <50D09ED3.3030102@redhat.com> <558C15177F5E714F83334217C9A197DF5DB82294@SSC-MBX2.ssc.internal>, <51748.188.244.64.7.1355994836.squirrel@www.nixtra.com> <558C15177F5E714F83334217C9A197DF5DB822D5@SSC-MBX2.ssc.internal>, <55800.188.244.64.7.1356013244.squirrel@www.nixtra.com>, <558C15177F5E714F83334217C9A197DF5DB8231A@SSC-MBX2.ssc.internal> <558C15177F5E714F83334217C9A197DF5DB8234C@SSC-MBX2.ssc.internal>, <50D4E50A.3060109@redhat.com>, <558C15177F5E714F83334217C9A197DF5DB8241D@SSC-MBX2.ssc.internal> <558C15177F5E714F83334217C9A197DF5DB82483@SSC-MBX2.ssc.internal> Message-ID: <50D9CBC6.7080907@redhat.com>

On 12/24/2012 05:27 PM, Johan Petersson wrote:
> Here is a step by step instruction for a Solaris 11 machine as client to an IPA server based on the default DUAProfile.
> Console login works, su - and ssh.
> Home directories automounted have the correct permissions.
> The automount does not use wildcards since I had issues of the whole /home being grabbed by autofs and thus making local users' home directories unavailable.
> This can probably be solved by someone with more extensive experience of Solaris autofs.
> I am working on an instruction based on Sigbjorn Lie's DUAProfile and added security and will post it too shortly.
>
> First make sure that the Solaris 11 machine is using the proper DNS and NTP servers.
>
> On the IPA server or Client run:
>
> ipa host-add --force --ip-address=192.168.0.1 solaris.example.com
>
> ipa-getkeytab -s ipaserver.example.com -p host/solaris.example.com -k /tmp/solaris.keytab
>
> Move the keytab to the Solaris machine /etc/krb5/krb5.keytab
>
> Make sure it has the proper owner and permissions:
>
> chown root:sys /etc/krb5/krb5.keytab
> chmod 700 /etc/krb5/krb5.keytab
>
> Edit /etc/nsswitch.ldap, replace "ldap" with "dns" on the "hosts" and "ipnodes" lines:
>
> hosts: files dns
> ipnodes: files dns
>
> Edit /etc/krb5/krb5.conf:
>
> [libdefaults]
> default_realm = EXAMPLE.COM
> verify_ap_req_nofail = false
> [realms]
> EXAMPLE.COM = {
> kdc = ipaserver.example.com
> admin_server = ipaserver.example.com
> }
>
> [domain_realm]
> example.com = EXAMPLE.COM
> .example.com = EXAMPLE.COM
>
> Run the ldapclient with the default DUAProfile.
> The -a domainName=example.com is needed so that ldapclient does not stop and complain about a missing nisdomain name.
>
> ldapclient -v init -a profilename=default -a domainName=example.com ipaserver.example.com
>
> In Solaris 11.1 the pam configuration has changed but for simplicity I still use the /etc/pam.conf:
>
> login auth requisite pam_authtok_get.so.1
> login auth required pam_dhkeys.so.1
> login auth required pam_unix_cred.so.1
> login auth sufficient pam_krb5.so.1 try_first_pass
> login auth required pam_unix_auth.so.1
> login auth required pam_dial_auth.so.1
>
> other auth requisite pam_authtok_get.so.1
> other auth required pam_dhkeys.so.1
> other auth required pam_unix_cred.so.1
> other auth sufficient pam_krb5.so.1
> other auth required pam_unix_auth.so.1
>
> other account requisite pam_roles.so.1
> other account required pam_unix_account.so.1
> other account required pam_krb5.so.1
>
> other password requisite pam_authtok_check.so.1 force_check
> other password sufficient pam_krb5.so.1
> other password required pam_authtok_store.so.1
>
> For NFS and automount to work:
>
> In /etc/nfssec.conf
> enable these:
>
> krb5 390003 kerberos_v5 default - # RPCSEC_GSS
> krb5i 390004 kerberos_v5 default integrity # RPCSEC_GSS
> krb5p 390005 kerberos_v5 default privacy # RPCSEC_GSS
>
> sharectl set -p nfsmapid_domain=example.com nfs
>
> If autofs is not on:
>
> svcadm enable system/filesystem/autofs:default
>
> In /etc/auto_home:
>
> testuser ipaserver.example.com:/home/testuser

Thank you!
Dmitri

From mbt at naunetcorp.com Tue Dec 25 18:50:25 2012 From: mbt at naunetcorp.com (Michael B. Trausch) Date: Tue, 25 Dec 2012 13:50:25 -0500 Subject: [Freeipa-users] Joining Fedora 18 (FreeIPA 3.1.0) to CentOS 6.3 (FreeIPA 2.1.90rc1) In-Reply-To: <50D9B1B5.3020206@redhat.com> References: <50D9B1B5.3020206@redhat.com> Message-ID:

On 12/25/2012 09:01 AM, Dmitri Pal wrote:
>> Hrm. It'd seem I overlooked something...
>>
>> [776940.813555] ipa-getkeytab[28840]: segfault at 0 ip 00007fa38cda61dc
>> sp 00007fffbdf1bce0 error 6 in libgssapiv2.so.2.0.25[7fa38cda3000+7000]
>>
>> I guess I better get a bug filed if there isn't one already. I assume
>> that the bug should go to Fedora, and not the FreeIPA project, would
>> that be correct?
> Either way is OK.
> Putting it directly into the project trac will give it a bit more
> visibility.

I'm trying to collect information for the bug report, but I'm having trouble; it seems that ipa-join calls ipa-getkeytab, so I can't, for example, get a useful dump of information using "catchsegv".

ABRT keeps popping up that there's a problem detected, but I cannot get it to submit the bug report to save my life.

That means that, at least for right now, the above is literally all I have to go on, and that doesn't make for a useful bug report (unless those numbers have some sort of magic meaning to the FreeIPA developers, but I'd reckon not, since they're specific to the F18 packages).

I just made another package crash, and ABRT worked just fine for it.
Any assistance so that I can provide a real, useful bug report would be very appreciated.

Thanks!

Mike

From mbt at naunetcorp.com Tue Dec 25 19:08:05 2012 From: mbt at naunetcorp.com (Michael B. Trausch) Date: Tue, 25 Dec 2012 14:08:05 -0500 Subject: [Freeipa-users] Joining Fedora 18 (FreeIPA 3.1.0) to CentOS 6.3 (FreeIPA 2.1.90rc1) In-Reply-To: References: <50D9B1B5.3020206@redhat.com> Message-ID:

On 12/25/2012 01:50 PM, Michael B. Trausch wrote:
> I'm trying to collect information for the bug report, but I'm having
> trouble; it seems that ipa-join calls ipa-getkeytab, so I can't, for
> example, get a useful dump of information using "catchsegv".
>
> ABRT keeps popping up that there's a problem detected, but I cannot get
> it to submit the bug report to save my life.
>
> That means that, at least for right now, the above is literally all I
> have to go on, and that doesn't make for a useful bug report (unless
> those numbers have some sort of magic meaning to the FreeIPA developers,
> but I'd reckon not, since they're specific to the F18 packages).
>
> I just made another package crash, and ABRT worked just fine for it.
>
> Any assistance so that I can provide a real, useful bug report would be
> very appreciated.

Sorry to be replying to myself so much here.

I just attempted to install debuginfo packages, but it says that none are available:

[mbt at aloe ipa-client]$ sudo debuginfo-install ipa-client
Loaded plugins: presto, refresh-packagekit
enabling fedora-debuginfo
enabling updates-debuginfo
No debuginfo packages available to install

Trying to manually run the commands the script does doesn't give me anything useful either; I'm not entirely sure why.

So, to summarize, all I really know is that there is an apparent NULL pointer dereferenced somewhere in the GSS library when called from ipa-getkeytab, and I don't have any apparent way to collect a stack trace or otherwise get anything more useful.
:-/

So, in short, I'll definitely need some help to report this usefully.

Thanks a million,

Mike

From mbt at naunetcorp.com Tue Dec 25 23:34:58 2012 From: mbt at naunetcorp.com (Michael B. Trausch) Date: Tue, 25 Dec 2012 18:34:58 -0500 Subject: [Freeipa-users] Joining Fedora 18 (FreeIPA 3.1.0) to CentOS 6.3 (FreeIPA 2.1.90rc1) In-Reply-To: References: <50D9B1B5.3020206@redhat.com> Message-ID:

On 12/25/2012 02:08 PM, Michael B. Trausch wrote:
> So, to summarize, all I really know is that there is an apparent NULL
> pointer dereferenced somewhere in the GSS library when called from
> ipa-getkeytab, and I don't have any apparent way to collect a stack
> trace or otherwise get anything more useful. :-/
>
> So, in short, I'll definitely need some help to report this usefully.

Hah! I got a core file.

This has been reported in the FreeIPA tracker as #3317.

Thanks,

Mike

From simo at redhat.com Wed Dec 26 00:47:45 2012 From: simo at redhat.com (Simo Sorce) Date: Tue, 25 Dec 2012 19:47:45 -0500 Subject: [Freeipa-users] Joining Fedora 18 (FreeIPA 3.1.0) to CentOS 6.3 (FreeIPA 2.1.90rc1) In-Reply-To: References: Message-ID: <1356482865.2894.155.camel@willson.li.ssimo.org>

On Mon, 2012-12-24 at 21:30 -0500, Michael B. Trausch wrote:
> On 12/23/2012 03:32 PM, Michael B. Trausch wrote:
> > Whoops. Let's try this again, I failed to post it correctly the first
> > time.
>
> Hrm. It'd seem I overlooked something...
>
> [776940.813555] ipa-getkeytab[28840]: segfault at 0 ip 00007fa38cda61dc
> sp 00007fffbdf1bce0 error 6 in libgssapiv2.so.2.0.25[7fa38cda3000+7000]
>
> I guess I better get a bug filed if there isn't one already. I assume
> that the bug should go to Fedora, and not the FreeIPA project, would
> that be correct?

Mike, what gssapi library is this?

This does not look like the MIT krb5 provided libgssapi, so you have non-standard gssapi libraries installed on your system?

Simo.
--
Simo Sorce * Red Hat, Inc * New York

From simo at redhat.com Wed Dec 26 00:53:11 2012 From: simo at redhat.com (Simo Sorce) Date: Tue, 25 Dec 2012 19:53:11 -0500 Subject: [Freeipa-users] Joining Fedora 18 (FreeIPA 3.1.0) to CentOS 6.3 (FreeIPA 2.1.90rc1) In-Reply-To: References: <50D9B1B5.3020206@redhat.com> Message-ID: <1356483191.2894.156.camel@willson.li.ssimo.org>

On Tue, 2012-12-25 at 18:34 -0500, Michael B. Trausch wrote:
> On 12/25/2012 02:08 PM, Michael B. Trausch wrote:
> > So, to summarize, all I really know is that there is an apparent NULL
> > pointer dereferenced somewhere in the GSS library when called from
> > ipa-getkeytab, and I don't have any apparent way to collect a stack
> > trace or otherwise get anything more useful. :-/
> >
> > So, in short, I'll definitely need some help to report this usefully.
>
> Hah! I got a core file.
>
> This has been reported in the FreeIPA tracker as #3317.

Ah nvm my previous email, it looks like the gssapi v2 plugin of the sasl library.

Could you install the sasl debuginfo packages and provide a trace with debugging info?

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From mbt at naunetcorp.com Wed Dec 26 00:53:52 2012 From: mbt at naunetcorp.com (Michael B. Trausch) Date: Tue, 25 Dec 2012 19:53:52 -0500 Subject: [Freeipa-users] Joining Fedora 18 (FreeIPA 3.1.0) to CentOS 6.3 (FreeIPA 2.1.90rc1) In-Reply-To: <1356482865.2894.155.camel@willson.li.ssimo.org> References: <1356482865.2894.155.camel@willson.li.ssimo.org> Message-ID: <50DA4AA0.8030704@naunetcorp.com>

On 12/25/2012 07:47 PM, Simo Sorce wrote:
> Mike, what gssapi library is this ?
>
> This does not look like the MIT krb5 provided libgssapi, so you have
> non-standard gssapi libraries installed on your system ?

It is whatever came with the system. I haven't done anything custom at all; in order to pull in the FreeIPA client, I simply did "yum install freeipa-client".
The library is owned by the Cyrus package:

[mbt at aloe ~]$ rpm -qf /usr/lib64/sasl2/libgssapiv2.so.2.0.25
cyrus-sasl-gssapi-2.1.25-2.fc18.x86_64

---
Mike

From mbt at naunetcorp.com Wed Dec 26 00:54:33 2012 From: mbt at naunetcorp.com (Michael B. Trausch) Date: Tue, 25 Dec 2012 19:54:33 -0500 Subject: [Freeipa-users] Joining Fedora 18 (FreeIPA 3.1.0) to CentOS 6.3 (FreeIPA 2.1.90rc1) In-Reply-To: <1356483191.2894.156.camel@willson.li.ssimo.org> References: <50D9B1B5.3020206@redhat.com> <1356483191.2894.156.camel@willson.li.ssimo.org> Message-ID: <50DA4AC9.1070901@naunetcorp.com>

On 12/25/2012 07:53 PM, Simo Sorce wrote:
> Could you install the sasl debuginfo packages and provide a trace with
> debugging info ?

Did I do it wrong on the ticket?

---
Mike

From mbt at naunetcorp.com Wed Dec 26 00:56:54 2012 From: mbt at naunetcorp.com (Michael B. Trausch) Date: Tue, 25 Dec 2012 19:56:54 -0500 Subject: [Freeipa-users] Joining Fedora 18 (FreeIPA 3.1.0) to CentOS 6.3 (FreeIPA 2.1.90rc1) In-Reply-To: <1356483191.2894.156.camel@willson.li.ssimo.org> References: <50D9B1B5.3020206@redhat.com> <1356483191.2894.156.camel@willson.li.ssimo.org> Message-ID:

On 12/25/2012 07:53 PM, Simo Sorce wrote:
> On Tue, 2012-12-25 at 18:34 -0500, Michael B. Trausch wrote:
>> On 12/25/2012 02:08 PM, Michael B. Trausch wrote:
>>> So, to summarize, all I really know is that there is an apparent NULL
>>> pointer dereferenced somewhere in the GSS library when called from
>>> ipa-getkeytab, and I don't have any apparent way to collect a stack
>>> trace or otherwise get anything more useful. :-/
>>>
>>> So, in short, I'll definitely need some help to report this usefully.
>>
>> Hah! I got a core file.
>>
>> This has been reported in the FreeIPA tracker as #3317.
>
> Ah nvm my previous email, it looks like the gssapi v2 plugin of the sasl
> library.
>
> Could you install the sasl debuginfo packages and provide a trace with
> debugging info ?
>
> Simo.
>

It would appear that the answer to your question is no, I cannot:

[root at aloe ~]# debuginfo-install cyrus-sasl-gssapi-2.1.25-2.fc18.x86_64
Loaded plugins: auto-update-debuginfo, presto, refresh-packagekit
enabling fedora-debuginfo
enabling updates-debuginfo
Could not find debuginfo for main pkg: cyrus-sasl-gssapi-2.1.25-2.fc18.x86_64
Could not find debuginfo pkg for dependency package glibc-2.16-28.fc18.x86_64
Could not find debuginfo pkg for dependency package glibc-2.16-28.fc18.x86_64
Could not find debuginfo pkg for dependency package glibc-2.16-28.fc18.x86_64
Could not find debuginfo pkg for dependency package glibc-2.16-28.fc18.x86_64
Could not find debuginfo pkg for dependency package glibc-2.16-28.fc18.x86_64
Could not find debuginfo pkg for dependency package glibc-2.16-28.fc18.x86_64
Package e2fsprogs-debuginfo-1.42.5-1.fc18.x86_64 already installed and latest version
Could not find debuginfo pkg for dependency package glibc-2.16-28.fc18.x86_64
Package krb5-debuginfo-1.10.3-5.fc18.x86_64 already installed and latest version
Package krb5-debuginfo-1.10.3-5.fc18.x86_64 already installed and latest version
Could not find debuginfo pkg for dependency package cyrus-sasl-gssapi-2.1.25-2.fc18.x86_64
Package krb5-debuginfo-1.10.3-5.fc18.x86_64 already installed and latest version
Package krb5-debuginfo-1.10.3-5.fc18.x86_64 already installed and latest version
Package krb5-debuginfo-1.10.3-5.fc18.x86_64 already installed and latest version
Could not find debuginfo pkg for dependency package glibc-2.16-28.fc18.x86_64
No debuginfo packages available to install

Thanks,

Mike

From mbt at naunetcorp.com Wed Dec 26 00:58:15 2012 From: mbt at naunetcorp.com (Michael B. Trausch) Date: Tue, 25 Dec 2012 19:58:15 -0500 Subject: [Freeipa-users] Joining Fedora 18 (FreeIPA 3.1.0) to CentOS 6.3 (FreeIPA 2.1.90rc1) In-Reply-To: References: <50D9B1B5.3020206@redhat.com> <1356483191.2894.156.camel@willson.li.ssimo.org> Message-ID:

On 12/25/2012 07:56 PM, Michael B.
Trausch wrote:
> It would appear that the answer to your question is no, I cannot:

The core dump file is available, though: https://fedorahosted.org/freeipa/ticket/3317

Thanks!

Mike

From Johan.Petersson at sscspace.com Wed Dec 26 12:28:42 2012 From: Johan.Petersson at sscspace.com (Johan Petersson) Date: Wed, 26 Dec 2012 12:28:42 +0000 Subject: [Freeipa-users] Does Solaris 11 work as client to IPA server? In-Reply-To: <55800.188.244.64.7.1356013244.squirrel@www.nixtra.com> References: <558C15177F5E714F83334217C9A197DF5DB4175B@SSC-MBX2.ssc.internal> <20801.213.225.75.97.1355821569.squirrel@www.nixtra.com>, <50D09ED3.3030102@redhat.com> <558C15177F5E714F83334217C9A197DF5DB82294@SSC-MBX2.ssc.internal>, <51748.188.244.64.7.1355994836.squirrel@www.nixtra.com> <558C15177F5E714F83334217C9A197DF5DB822D5@SSC-MBX2.ssc.internal>, <55800.188.244.64.7.1356013244.squirrel@www.nixtra.com> Message-ID: <558C15177F5E714F83334217C9A197DF5DB824EC@SSC-MBX2.ssc.internal>

Got everything except automount to work with Solaris 11 and the more secure DUAProfile.
Verified that I can manually mount with krb5 on Solaris 11; ssh, su and console login work (as well as expected with no home directory) and the automount map works for Red Hat clients.
I have now tried with another directory for users (/nethome) since when trying with /home autofs made local users unavailable.
They are automounted locally to /home/ from /export/home/ on Solaris for some strange reason and autofs then tried finding local users' home directories on the NFS server :)

root at solaris2:~# ldapclient list
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= uid=solaris,cn=sysaccounts,cn=etc,dc=example,dc=org
NS_LDAP_BINDPASSWD= {XXX}XXXXXXXXXXXXXX
NS_LDAP_SERVERS= server.example.org
NS_LDAP_SEARCH_BASEDN= dc=example,dc=org
NS_LDAP_AUTH= tls:simple
NS_LDAP_SEARCH_REF= TRUE
NS_LDAP_SEARCH_SCOPE= one
NS_LDAP_SEARCH_TIME= 10
NS_LDAP_CACHETTL= 6000
NS_LDAP_PROFILE= solaris_authssl1
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=accounts,dc=example,dc=org
NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=compat,dc=example,dc=org
NS_LDAP_SERVICE_SEARCH_DESC= netgroup:cn=ng,cn=compat,dc=example,dc=org
NS_LDAP_SERVICE_SEARCH_DESC= ethers:cn=computers,cn=accounts,dc=example,dc=org
NS_LDAP_SERVICE_SEARCH_DESC= automount:cn=default,cn=automount,dc=example,dc=org
NS_LDAP_SERVICE_SEARCH_DESC= auto_master:automountMapName=auto.master,cn=default,cn=automount,dc=example,dc=org
NS_LDAP_SERVICE_SEARCH_DESC= aliases:ou=aliases,ou=test,dc=example,dc=org
NS_LDAP_SERVICE_SEARCH_DESC= printers:ou=printers,ou=test,dc=example,dc=org
NS_LDAP_BIND_TIME= 5
NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=posixAccount
NS_LDAP_OBJECTCLASSMAP= printers:sunPrinter=printerService

root at solaris2:~# sharectl get autofs
timeout=600
automount_verbose=true
automountd_verbose=true
nobrowse=false
trace=2
environment=

From /var/svc/log/system-filesystem-autofs\:default.log:

t4 LOOKUP REQUEST: Wed Dec 26 12:28:43 2012
t4 name=user02[] map=auto.nethome opts= path=/nethome direct=0
t4 getmapent_ldap called
t4 getmapent_ldap: key=[ user02 ]
t4 ldap_match called
t4 ldap_match: key =[ user02 ]
t4 ldap_match: ldapkey =[ user02 ]
t4 ldap_match: Requesting list for (&(objectClass=automount)(automountKey=user02)) in auto.nethome
t4 ldap_match: __ns_ldap_list FAILED (2)
t4 ldap_match: no entries found
t4 ldap_match called
t4 ldap_match: key =[ \2a ]
t4 ldap_match: ldapkey =[ \2a ]
t4 ldap_match: Requesting list for (&(objectClass=automount)(automountKey=\2a)) in auto.nethome
t4 ldap_match: __ns_ldap_list FAILED (2)
t4 ldap_match: no entries found
t4 getmapent_ldap: exiting ...
t4 do_lookup1: action=2 wildcard=FALSE error=2
t4 LOOKUP REPLY : status=2

The automount map is called auto.nethome
key is: * -rw,soft server.example.org:/nethome/&

Is it that Solaris automount doesn't like an asterisk (*) in an automount key?

Regards,
Johan.
________________________________________
From: Sigbjorn Lie [sigbjorn at nixtra.com]
Sent: Thursday, December 20, 2012 15:20
To: Johan Petersson
Cc: freeipa-users at redhat.com
Subject: RE: [Freeipa-users] Does Solaris 11 work as client to IPA server?

Thanks.

I'm guessing it's taking such a long time because it's looking through the entire LDAP server for your automount maps. The automountmap rules in the DUA profile will help with that. You'll also run into issues if you attempt to have several automount locations without having specified which one to use with an automountmap rule for auto master.

If you are using NFS4 you should add the _nfsv4idmapdomain DNS TXT record to your DNS or set NFSMAPID_DOMAIN in /etc/default/nfs to the same value as the domain id used on your NFS server to get rid of the nobody:nobody default mapping and enable mapping between the NFS server and the client.

Regards,
Siggi

On Thu, December 20, 2012 13:40, Johan Petersson wrote:
> Hi,
>
> Here is my pam.conf cleaned up a bit.
>
> login auth requisite pam_authtok_get.so.1
> login auth required pam_dhkeys.so.1
> login auth sufficient pam_krb5.so.1 try_first_pass
> login auth required pam_unix_cred.so.1
> login auth required pam_unix_auth.so.1
> login auth required pam_dial_auth.so.1
>
> gdm-autologin auth required pam_unix_cred.so.1
> gdm-autologin auth sufficient pam_allow.so.1
>
> other auth requisite pam_authtok_get.so.1
> other auth required pam_dhkeys.so.1
> other auth required pam_unix_cred.so.1
> other auth sufficient pam_krb5.so.1
> other auth required pam_unix_auth.so.1
>
> passwd auth required pam_passwd_auth.so.1
>
> gdm-autologin account sufficient pam_allow.so.1
>
> other account requisite pam_roles.so.1
> other account required pam_unix_account.so.1
> other account required pam_krb5.so.1
>
> other session required pam_unix_session.so.1
>
> other password required pam_dhkeys.so.1
> other password requisite pam_authtok_get.so.1
> other password requisite pam_authtok_check.so.1 force_check
> other password sufficient pam_krb5.so.1
> other password required pam_authtok_store.so.1
>
> I am getting one error and it is for autofs.
>
> /var/adm/messages:
> Dec 20 12:56:58 servername automount[1651]: [ID 754625 daemon.error] Object not found
>
> /var/svc/log/system.filesystem-autofs:default.log:
> [ Dec 20 12:24:22 Executing start method ("/lib/svc/method/svc-autofs start"). ]
> automount: /net mounted
> automount: /nfs4 mounted
> automount: no unmounts
> [ Dec 20 12:24:22 Method "start" exited with status 0. ]
>
> ldapclient list
> NS_LDAP_FILE_VERSION= 2.0
> NS_LDAP_SERVERS= servername
> NS_LDAP_SEARCH_BASEDN= dc=home
> NS_LDAP_AUTH= none
> NS_LDAP_SEARCH_REF= TRUE
> NS_LDAP_SEARCH_TIME= 15
> NS_LDAP_PROFILE= default
> NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=accounts,dc=home
> NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=compat,dc=home
> NS_LDAP_BIND_TIME= 5
> NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=posixAccount
>
> Thinking it has to do with missing automountmap in default DUAProfile.
> Automount still works though but takes time during login and everything is nobody:nobody :)
>
> ________________________________________
> From: Sigbjorn Lie [sigbjorn at nixtra.com]
> Sent: Thursday, December 20, 2012 10:13
> To: Johan Petersson
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?
>
> Hi,
>
> This is interesting. When I tested Solaris 11 ssh worked, and su - testuser worked. However console login did not work, giving some PAM errors.
>
> Could you please share your entire pam.conf file?
>
> Is this Solaris 11 or Solaris 11.1?
>
> Regards,
> Siggi
>
> On Thu, December 20, 2012 09:40, Johan Petersson wrote:
>> I have now managed to use a Solaris 11 system as a client to IPA Server.
>> su - testuser works, ssh works and console login works. I get a delay before getting the prompt through ssh though and maybe from console too, probably something about autofs. Going to see if I can increase log information (Solaris newbie). To get it to work I mainly followed Sigbjorn Lie's instructions for Solaris 10 in earlier posts here. I also used the /etc/pam.conf configuration example from the Solaris 10 client guide on Free IPA. I stuck with the default DUAProfile for now and use a NFS4 Kerberos share for home directories with autofs. Going to try the other DUAProfile too from Bug 815515 and hopefully I can get everything working.
>>
>> ________________________________________
>> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Dmitri Pal [dpal at redhat.com]
>> Sent: Tuesday, December 18, 2012 17:50
>> To: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?
>>
>> On 12/18/2012 04:06 AM, Sigbjorn Lie wrote:
>>> On Tue, December 18, 2012 08:28, Johan Petersson wrote:
>>>> Hi,
>>>>
>>>> We are implementing IPA Server and are going to need to be able to authenticate properly with a number of Solaris 11 servers. I have browsed the archives and found a few threads mentioning some problems with Solaris 11 and IPA Server. Does anyone know if the issue has been solved?
>>>>
>>> I don't think there are any problems with Solaris 11 except that nobody has yet sat down and figured out how to configure it as an IPA client.
>>>
>>> I had a go at it a while ago (some of the posts you've probably found), and found that there were enough differences in the LDAP/Kerberos client between Solaris 10 and Solaris 11 for making it work with the setup guide I've created for Solaris 10. And there was a need for further investigation for finding out how to configure Solaris 11 as an IPA client.
>>>
>>> I've not looked into this further as we do not use Solaris 11 yet.
>>>
>>> I don't know if anyone else has had time to sit down and have a crack at this?
>>>
>> And we would like to hear about this effort.
>> If it produces instructions we would like to put them on the wiki.
>> If it produces bugs we would investigate them.
>>
>>> Regards,
>>> Siggi
>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager for IdM portfolio
>> Red Hat Inc.
>>
>> -------------------------------
>> Looking to carve out IT costs?
>> www.redhat.com/carveoutcosts/

From npmarks at gmail.com Wed Dec 26 14:07:22 2012
From: npmarks at gmail.com (Nate Marks)
Date: Wed, 26 Dec 2012 09:07:22 -0500
Subject: [Freeipa-users] ipa client question

I installed a temporary IPA server and connected a client. After I took my lessons from that, I rebuilt the ipa server with the same domain name. Now, I can't seem to get that client connected to the rebuilt server. kinit works, but sshd doesn't permit me to use freeipa accounts to log in. I've uninstalled and reinstalled a couple of times. When I connect a different machine, sshd uses freeipa to authenticate me just fine, so I don't think there's a problem with the server. I'd rather not rebuild the client machine just because I can't find and clean the cruft from the first client installation (assuming that's the problem). Any tips?

From npmarks at gmail.com Wed Dec 26 15:00:46 2012
From: npmarks at gmail.com (Nate Marks)
Date: Wed, 26 Dec 2012 10:00:46 -0500
Subject: [Freeipa-users] ipa client question

Solved: I just removed the cache files. Apparently that has to happen manually; they don't get cleaned up with the client uninstall or the package uninstalls.

On Wed, Dec 26, 2012 at 9:07 AM, Nate Marks wrote:
> I installed a temporary IPA server and connected a client.
> After I took my lessons from that, I rebuilt the ipa server with the same domain name. Now, I can't seem to get that client connected to the rebuilt server. kinit works, but sshd doesn't permit me to use freeipa accounts to log in. I've uninstalled and reinstalled a couple of times. When I connect a different machine, sshd uses freeipa to authenticate me just fine, so I don't think there's a problem with the server. I'd rather not rebuild the client machine just because I can't find and clean the cruft from the first client installation (assuming that's the problem). Any tips?

From simo at redhat.com Wed Dec 26 15:23:42 2012
From: simo at redhat.com (Simo Sorce)
Date: Wed, 26 Dec 2012 10:23:42 -0500
Subject: [Freeipa-users] Joining Fedora 18 (FreeIPA 3.1.0) to CentOS 6.3 (FreeIPA 2.1.90rc1)
In-Reply-To: <50DA4AC9.1070901@naunetcorp.com>
References: <50D9B1B5.3020206@redhat.com> <1356483191.2894.156.camel@willson.li.ssimo.org> <50DA4AC9.1070901@naunetcorp.com>
Message-ID: <1356535422.2894.160.camel@willson.li.ssimo.org>

On Tue, 2012-12-25 at 19:54 -0500, Michael B. Trausch wrote:
> On 12/25/2012 07:53 PM, Simo Sorce wrote:
>> Could you install the sasl debuginfo packages and provide a trace with debugging info?
>
> Did I do it wrong on the ticket?

It's missing the sasl library's debug info. Could you install cyrus-sasl-debuginfo and regenerate the stack trace from the core file? I do not have a CentOS box handy.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From simo at redhat.com Wed Dec 26 15:25:16 2012
From: simo at redhat.com (Simo Sorce)
Date: Wed, 26 Dec 2012 10:25:16 -0500
Subject: [Freeipa-users] ipa client question
Message-ID: <1356535516.2894.161.camel@willson.li.ssimo.org>

On Wed, 2012-12-26 at 10:00 -0500, Nate Marks wrote:
> Solved: I just removed the cache files. Apparently that has to happen manually; they don't get cleaned up with the client uninstall or the package uninstalls.

If you accepted the ipa ca cert in the browser you may also have to remove the old one to be able to access the webui.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From sigbjorn at nixtra.com Wed Dec 26 16:10:18 2012
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Wed, 26 Dec 2012 17:10:18 +0100
Subject: [Freeipa-users] Does Solaris 11 work as client to IPA server?
In-Reply-To: <558C15177F5E714F83334217C9A197DF5DB824EC@SSC-MBX2.ssc.internal>
References: <558C15177F5E714F83334217C9A197DF5DB4175B@SSC-MBX2.ssc.internal> <20801.213.225.75.97.1355821569.squirrel@www.nixtra.com>, <50D09ED3.3030102@redhat.com> <558C15177F5E714F83334217C9A197DF5DB82294@SSC-MBX2.ssc.internal>, <51748.188.244.64.7.1355994836.squirrel@www.nixtra.com> <558C15177F5E714F83334217C9A197DF5DB822D5@SSC-MBX2.ssc.internal>, <55800.188.244.64.7.1356013244.squirrel@www.nixtra.com> <558C15177F5E714F83334217C9A197DF5DB824EC@SSC-MBX2.ssc.internal>
Message-ID: <05280886-b1cd-43aa-8493-44c83c2a9cb0@email.android.com>

What is the name of the other maps besides auto.master? You should use _ instead of . for any additional maps when you need Solaris autofs compatibility. This also needs to be reflected in the auto.master. The Linux automounter does not care about . or _ as long as the naming is consistent between the additional maps and auto.master.

The default for Linux is auto.master with a . and auto_master for Solaris. Hence the auto.master mapping in the Solaris dua profile.

Rgds
Siggi

Johan Petersson wrote:
> Got everything except automount to work with Solaris 11 and the more secure DUAProfile.
> Verified that I can manually mount with krb5 on Solaris 11; ssh, su and console login work (as well as expected with no home directory) and the automount map works for Red Hat clients.
> I have now tried with another directory for users (/nethome) since when trying with /home autofs made local users unavailable.
> They are automounted locally to /home/ from /export/home/ on Solaris for some strange reason and autofs then tried finding local users' home directories on the NFS server :)
>
> The automount map is called auto.nethome
> key is: * -rw,soft server.example.org:/nethome/&
>
> Is it that Solaris automount doesn't like an asterisk (*) in an automount key?
>
> Regards,
> Johan.

--
Sent from my Android phone with K-9 Mail. Please excuse my brevity.

From Johan.Petersson at sscspace.com Wed Dec 26 17:06:38 2012
From: Johan.Petersson at sscspace.com (Johan Petersson)
Date: Wed, 26 Dec 2012 17:06:38 +0000
Subject: [Freeipa-users] Does Solaris 11 work as client to IPA server?
In-Reply-To: <05280886-b1cd-43aa-8493-44c83c2a9cb0@email.android.com>
References: <558C15177F5E714F83334217C9A197DF5DB4175B@SSC-MBX2.ssc.internal> <20801.213.225.75.97.1355821569.squirrel@www.nixtra.com>, <50D09ED3.3030102@redhat.com> <558C15177F5E714F83334217C9A197DF5DB82294@SSC-MBX2.ssc.internal>, <51748.188.244.64.7.1355994836.squirrel@www.nixtra.com> <558C15177F5E714F83334217C9A197DF5DB822D5@SSC-MBX2.ssc.internal>, <55800.188.244.64.7.1356013244.squirrel@www.nixtra.com> <558C15177F5E714F83334217C9A197DF5DB824EC@SSC-MBX2.ssc.internal>, <05280886-b1cd-43aa-8493-44c83c2a9cb0@email.android.com>
Message-ID: <558C15177F5E714F83334217C9A197DF5DB82517@SSC-MBX2.ssc.internal>

Of course it was a simple thing like replacing auto.nethome with auto_nethome that worked. Thank you for that help! I did not even think that it was that simple. :)

Now everything works for the more secure client configuration on Solaris 11. The only thing left to investigate is why there is a delay now for the IPA users. I get the message "Your Kerberos account/password will expire in 89 days" quickly, but then it waits for about 20 seconds until I get a prompt.

Regards,
Johan.
________________________________
From: Sigbjorn Lie [sigbjorn at nixtra.com]
Sent: Wednesday, December 26, 2012 17:10
To: Johan Petersson
Cc: freeipa-users at redhat.com
Subject: RE: [Freeipa-users] Does Solaris 11 work as client to IPA server?

What is the name of the other maps besides auto.master? You should use _ instead of . for any additional maps when you need Solaris autofs compatibility. This also needs to be reflected in the auto.master. The Linux automounter does not care about . or _ as long as the naming is consistent between the additional maps and auto.master.

The default for Linux is auto.master with a . and auto_master for Solaris. Hence the auto.master mapping in the Solaris dua profile.

Rgds
Siggi

Johan Petersson wrote:

Got everything except automount to work with Solaris 11 and the more secure DUAProfile.
Does anyone know if the issue have been solved? I don't think there is any problems with Solaris 11 except of nobody has yet sat down and figured out how to configure it as an IPA client yet. I had a got at it a while ago (some of the posts you've probably found), and found that there was enough differences in the LDAP/Kerberos client between Solaris 10 and Solaris 11 for making it work with the setup guide I've created for Solaris 10. And there was a need for further investigation for finding out how to configure Solaris 11 as an IPA client. I've not looked into this further as we do not use Solaris 11 yet. I don't know if anyone else has had time to sit down and have a crack at this? And we would like to hear about this effort. If it produces instructions we would like to put them on the wiki. If it produces bugs we would investigate them. Regards, Siggi ________________________________ Freeipa-users mailing list Freeipa-users at redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users -- Thank you, Dmi tri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. ________________________________ Looking to carve out IT costs? www.redhat.com/carveoutcosts/ ________________________________ Freeipa-users mailing list Freeipa-users at redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users ________________________________ Freeipa-users mailing list Freeipa-users at redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users -- Sent from my Android phone with K-9 Mail. Please excuse my brevity. -------------- next part -------------- An HTML attachment was scrubbed... URL: From sigbjorn at nixtra.com Wed Dec 26 17:56:31 2012 From: sigbjorn at nixtra.com (Sigbjorn Lie) Date: Wed, 26 Dec 2012 18:56:31 +0100 Subject: [Freeipa-users] Does Solaris 11 work as client to IPA server? 
In-Reply-To: <558C15177F5E714F83334217C9A197DF5DB82517@SSC-MBX2.ssc.internal>
References: <558C15177F5E714F83334217C9A197DF5DB4175B@SSC-MBX2.ssc.internal> <20801.213.225.75.97.1355821569.squirrel@www.nixtra.com>, <50D09ED3.3030102@redhat.com> <558C15177F5E714F83334217C9A197DF5DB82294@SSC-MBX2.ssc.internal>, <51748.188.244.64.7.1355994836.squirrel@www.nixtra.com> <558C15177F5E714F83334217C9A197DF5DB822D5@SSC-MBX2.ssc.internal>, <55800.188.244.64.7.1356013244.squirrel@www.nixtra.com> <558C15177F5E714F83334217C9A197DF5DB824EC@SSC-MBX2.ssc.internal>, <05280886-b1cd-43aa-8493-44c83c2a9cb0@email.android.com> <558C15177F5E714F83334217C9A197DF5DB82517@SSC-MBX2.ssc.internal>
Message-ID: <2b562757-46f5-47e4-bc47-d75b0991d70a@email.android.com>

Cool. :)

What do you see if you turn on pam debugging by touching /etc/pam_debug and enabling debug logging in the syslog daemon?

Rgds
Siggi

Johan Petersson wrote:
>Of course it was a simple thing like replacing auto.nethome with auto_nethome that worked.
>Thank you for that help!
>I did not even think that it was that simple. :)
>
>Now everything works for the more secure client configuration on Solaris 11.
>The only thing left to investigate is why there is a delay now for the IPA users.
>I get the message: Your Kerberos account/password will expire in 89 days quickly, but then it waits for about 20 seconds until I get a prompt.
>
>Regards,
>Johan.
>________________________________
>From: Sigbjorn Lie [sigbjorn at nixtra.com]
>Sent: Wednesday, December 26, 2012 17:10
>To: Johan Petersson
>Cc: freeipa-users at redhat.com
>Subject: RE: [Freeipa-users] Does Solaris 11 work as client to IPA server?
>
>What is the name of the other maps besides auto.master? You should use _ instead of . for any additional maps when you need Solaris autofs compatibility. This also needs to be reflected in the auto.master.
>
>The Linux automounter does not care about . or _ as long as the naming is consistent between the additional maps and auto.master. The default for Linux is auto.master with a . and auto_master for Solaris. Hence the auto.master mapping in the Solaris dua profile.
>
>Rgds
>Siggi
>
>Johan Petersson wrote:
>
>Got everything except automount to work with Solaris 11 and the more secure DUAProfile.
>Verified that I can manually mount with krb5 on Solaris 11, ssh, su and console login works (as well as expected with no home directory) and automount map works for Red Hat clients.
>I have now tried with another directory for users (/nethome) since when trying with /home autofs made local users unavailable. They are automounted locally to /home/ from /export/home/ on Solaris for some strange reason and autofs then tried finding local users' home directories on the NFS Server :)
>
>root at solaris2:~# ldapclient list
>NS_LDAP_FILE_VERSION= 2.0
>NS_LDAP_BINDDN= uid=solaris,cn=sysaccounts,cn=etc,dc=example,dc=org
>NS_LDAP_BINDPASSWD= {XXX}XXXXXXXXXXXXXX
>NS_LDAP_SERVERS= server.example.org
>NS_LDAP_SEARCH_BASEDN= dc=example,dc=org
>NS_LDAP_AUTH= tls:simple
>NS_LDAP_SEARCH_REF= TRUE
>NS_LDAP_SEARCH_SCOPE= one
>NS_LDAP_SEARCH_TIME= 10
>NS_LDAP_CACHETTL= 6000
>NS_LDAP_PROFILE= solaris_authssl1
>NS_LDAP_CREDENTIAL_LEVEL= proxy
>NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=accounts,dc=example,dc=org
>NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=compat,dc=example,dc=org
>NS_LDAP_SERVICE_SEARCH_DESC= netgroup:cn=ng,cn=compat,dc=example,dc=org
>NS_LDAP_SERVICE_SEARCH_DESC= ethers:cn=computers,cn=accounts,dc=example,dc=org
>NS_LDAP_SERVICE_SEARCH_DESC= automount:cn=default,cn=automount,dc=example,dc=org
>NS_LDAP_SERVICE_SEARCH_DESC= auto_master:automountMapName=auto.master,cn=default,cn=automount,dc=example,dc=org
>NS_LDAP_SERVICE_SEARCH_DESC= aliases:ou=aliases,ou=test,dc=example,dc=org
>NS_LDAP_SERVICE_SEARCH_DESC= printers:ou=printers,ou=test,dc=example,dc=org
>NS_LDAP_BIND_TIME= 5
>NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=posixAccount
>NS_LDAP_OBJECTCLASSMAP= printers:sunPrinter=printerService
>
>root at solaris2:~# sharectl get autofs
>timeout=600
>automount_verbose=true
>automountd_verbose=true
>nobrowse=false
>trace=2
>environment=
>
>From /var/svc/log/system-filesystem-autofs\:default.log:
>
>t4 LOOKUP REQUEST: Wed Dec 26 12:28:43 2012
>t4 name=user02[] map=auto.nethome opts= path=/nethome direct=0
>t4 getmapent_ldap called
>t4 getmapent_ldap: key=[ user02 ]
>t4 ldap_match called
>t4 ldap_match: key =[ user02 ]
>t4 ldap_match: ldapkey =[ user02 ]
>t4 ldap_match: Requesting list for (&(objectClass=automount)(automountKey=user02)) in auto.nethome
>t4 ldap_match: __ns_ldap_list FAILED (2)
>t4 ldap_match: no entries found
>t4 ldap_match called
>t4 ldap_match: key =[ \2a ]
>t4 ldap_match: ldapkey =[ \2a ]
>t4 ldap_match: Requesting list for (&(objectClass=automount)(automountKey=\2a)) in auto.nethome
>t4 ldap_match: __ns_ldap_list FAILED (2)
>t4 ldap_match: no entries found
>t4 getmapent_ldap: exiting ...
>t4 do_lookup1: action=2 wildcard=FALSE error=2
>t4 LOOKUP REPLY : status=2
>The automount map is called auto.nethome
>key is: * -rw,soft server.example.org:/nethome/&
>
>Is it that Solaris automount doesn't like an asterisk (*) in an automount key?
>
>Regards,
>Johan.
>________________________________
>
>From: Sigbjorn Lie [sigbjorn at nixtra.com]
>Sent: Thursday, December 20, 2012 15:20
>To: Johan Petersson
>Cc: freeipa-users at redhat.com
>Subject: RE: [Freeipa-users] Does Solaris 11 work as client to IPA server?
>
>Thanks.
>
>I'm guessing it's taking such a long time because it's looking through the entire LDAP server for your automount maps. The automountmap rules in the DUA profile will help with that. You'll also run into issues if you attempt to have several automount locations without having specified which one to use with an automountmap rule for auto master.
>
>If you are using NFS4 you should add the _nfsv4idmapdomain DNS TXT record to your DNS or set NFSMAPID_DOMAIN in /etc/default/nfs to the same value as the domain id used on your NFS server to get rid of the nobody:nobody default mapping and enable mapping between the NFS server and the client.
>
>Regards,
>Siggi
>
>On Thu, December 20, 2012 13:40, Johan Petersson wrote:
>Hi,
>
>Here is my pam.conf cleaned up a bit.
>
>login auth requisite pam_authtok_get.so.1
>login auth required pam_dhkeys.so.1
>login auth sufficient pam_krb5.so.1 try_first_pass
>login auth required pam_unix_cred.so.1
>login auth required pam_unix_auth.so.1
>login auth required pam_dial_auth.so.1
>
>gdm-autologin auth required pam_unix_cred.so.1
>gdm-autologin auth sufficient pam_allow.so.1
>
>other auth requisite pam_authtok_get.so.1
>other auth required pam_dhkeys.so.1
>other auth required pam_unix_cred.so.1
>other auth sufficient pam_krb5.so.1
>other auth required pam_unix_auth.so.1
>
>passwd auth required pam_passwd_auth.so.1
>
>gdm-autologin account sufficient pam_allow.so.1
>
>other account requisite pam_roles.so.1
>other account required pam_unix_account.so.1
>other account required pam_krb5.so.1
>
>other session required pam_unix_session.so.1
>
>other password required pam_dhkeys.so.1
>other password requisite pam_authtok_get.so.1
>other password requisite pam_authtok_check.so.1 force_check
>other password sufficient pam_krb5.so.1
>other password required pam_authtok_store.so.1
>
>I am getting one error and it is for autofs.
>
>/var/adm/messages:
>Dec 20 12:56:58 servername automount[1651]: [ID 754625 daemon.error] Object not found
>
>/var/svc/log/system.filesystem-autofs:default.log:
>[ Dec 20 12:24:22 Executing start method ("/lib/svc/method/svc-autofs start"). ]
>automount: /net mounted
>automount: /nfs4 mounted
>automount: no unmounts
>[ Dec 20 12:24:22 Method "start" exited with status 0. ]
>
>ldapclient list
>NS_LDAP_FILE_VERSION= 2.0
>NS_LDAP_SERVERS= servername
>NS_LDAP_SEARCH_BASEDN= dc=home
>NS_LDAP_AUTH= none
>NS_LDAP_SEARCH_REF= TRUE
>NS_LDAP_SEARCH_TIME= 15
>NS_LDAP_PROFILE= default
>NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=accounts,dc=home
>NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=compat,dc=home
>NS_LDAP_BIND_TIME= 5
>NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=posixAccount
>
>Thinking it has to do with missing automountmap in default DUAProfile.
>Automount still works though but takes time during login and everything is nobody:nobody :)
>
>________________________________
>
>From: Sigbjorn Lie [sigbjorn at nixtra.com]
>Sent: Thursday, December 20, 2012 10:13
>To: Johan Petersson
>Cc: freeipa-users at redhat.com
>Subject: Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?
>
>Hi,
>
>This is interesting. When I tested Solaris 11 ssh worked, and su - testuser worked. However console login did not work, giving some PAM errors.
>
>Could you please share your entire pam.conf file?
>
>Is this Solaris 11 or Solaris 11.1?
>
>Regards,
>Siggi
>
>On Thu, December 20, 2012 09:40, Johan Petersson wrote:
>
>I have now managed to use a Solaris 11 system as a client to IPA Server.
>su - testuser works, ssh works and console login works. I get a delay before getting the prompt through ssh though and maybe from console too, probably something about autofs. Going to see if I can increase log information (Solaris newbie). To get it to work I mainly followed Sigbjorn Lie's instructions for Solaris 10 in earlier posts here. I also used the /etc/pam.conf configuration example from the Solaris 10 client guide on FreeIPA. I stuck with the default DUAProfile for now and use an NFS4 Kerberos share for home directories with autofs. Going to try the other DUAProfile too from Bug 815515 and hopefully I can get everything working.
>
>________________________________
>
>From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Dmitri Pal [dpal at redhat.com]
>Sent: Tuesday, December 18, 2012 17:50
>To: freeipa-users at redhat.com
>Subject: Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?
>
>On 12/18/2012 04:06 AM, Sigbjorn Lie wrote:
>
>On Tue, December 18, 2012 08:28, Johan Petersson wrote:
>
>Hi,
>
>We are implementing IPA Server and are going to need to be able to authenticate properly with a number of Solaris 11 servers. I have browsed the archives and found a few threads mentioning some problems with Solaris 11 and IPA Server. Does anyone know if the issue has been solved?
>
>I don't think there are any problems with Solaris 11, except that nobody has yet sat down and figured out how to configure it as an IPA client.
>
>I had a go at it a while ago (some of the posts you've probably found), and found that there were enough differences in the LDAP/Kerberos client between Solaris 10 and Solaris 11 that it did not work with the setup guide I've created for Solaris 10. And there was a need for further investigation for finding out how to configure Solaris 11 as an IPA client.
>
>I've not looked into this further as we do not use Solaris 11 yet.
>
>I don't know if anyone else has had time to sit down and have a crack at this?
>
>And we would like to hear about this effort.
>If it produces instructions we would like to put them on the wiki.
>If it produces bugs we would investigate them.
>
>Regards,
>Siggi
>
>________________________________
>
>--
>Thank you,
>Dmitri Pal
>
>Sr. Engineering Manager for IdM portfolio
>Red Hat Inc.
>
>________________________________

--
Sent from my Android phone with K-9 Mail. Please excuse my brevity.

From cao2dan at yahoo.com Wed Dec 26 23:57:13 2012
From: cao2dan at yahoo.com (David Copperfield)
Date: Wed, 26 Dec 2012 15:57:13 -0800 (PST)
Subject: [Freeipa-users] delegation questions: how to reset password for subordinate?
In-Reply-To: <2b562757-46f5-47e4-bc47-d75b0991d70a@email.android.com>
References: <558C15177F5E714F83334217C9A197DF5DB4175B@SSC-MBX2.ssc.internal> <20801.213.225.75.97.1355821569.squirrel@www.nixtra.com>, <50D09ED3.3030102@redhat.com> <558C15177F5E714F83334217C9A197DF5DB82294@SSC-MBX2.ssc.internal>, <51748.188.244.64.7.1355994836.squirrel@www.nixtra.com> <558C15177F5E714F83334217C9A197DF5DB822D5@SSC-MBX2.ssc.internal>, <55800.188.244.64.7.1356013244.squirrel@www.nixtra.com> <558C15177F5E714F83334217C9A197DF5DB824EC@SSC-MBX2.ssc.internal>, <05280886-b1cd-43aa-8493-44c83c2a9cb0@email.android.com> <558C15177F5E714F83334217C9A197DF5DB82517@SSC-MBX2.ssc.internal> <2b562757-46f5-47e4-bc47-d75b0991d70a@email.android.com>
Message-ID: <1356566233.1175.YahooMailNeo@web122603.mail.ne1.yahoo.com>

Hi all,

What are the user attributes that a manager should be granted read&write permissions on to reset passwords for subordinate employees? The typical implementation case: managers need to take care of password reset requests for their subordinate employees.

I selected the 'userpassword' field the first time but it fails, then combined it with a few other krb* fields but those don't help either.

If you have the minimum field combinations to make the 'password changing' delegation work, please feel free to post your results here. Presently I just select ALL fields with read&write permissions to make it work, but that definitely is overkill and potentially hurts privacy.

Thanks.
--David

From ondrejv at s3group.cz Thu Dec 27 07:02:44 2012
From: ondrejv at s3group.cz (Ondrej Valousek)
Date: Thu, 27 Dec 2012 08:02:44 +0100
Subject: [Freeipa-users] Automount problems
In-Reply-To: <50D58897.7000300@nixtra.com>
References: <558C15177F5E714F83334217C9A197DF5DB82402@SSC-MBX2.ssc.internal> <50D58897.7000300@nixtra.com>
Message-ID: <50DBF294.9060102@s3group.cz>

Or better, let sssd serve the maps for the automounter; you save yourself the hassle of configuring the automount ldap backend :-)

Ondrej

On 12/22/2012 11:16 AM, Sigbjorn Lie wrote:
> On 12/22/2012 10:24 AM, Johan Petersson wrote:
>> I can't get automount to work for some reason on a CentOS 6.3 testserver with the NFS and IPA server on the same server.
>> Was going to set this up for some other configuration testing but am stuck on this instead. :)
>>
>> Feels like I am missing something basic but can't figure it out.
>> Followed the guide and tried a variety of automount maps but nothing works.
>> Had automount working before installing IPA Client with:
>> auto.master:
>> /home /etc/auto.home
>> auto.home:
>> * servername:/home/&
>>
>> I can mount /home from the client:
>>
>> mount -t nfs4 -o sec=krb5 servername:/home /mnt
>>
>> /etc/sysconfig/autofs:
>>
>> LDAP_URI="ldap://servername"
>> SEARCH_BASE="cn=default,cn=automount,dc=home"
>>
>> MAP_OBJECT_CLASS="automountMap"
>> ENTRY_OBJECT_CLASS="automount"
>> MAP_ATTRIBUTE="automountMapName"
>> ENTRY_ATTRIBUTE="automountKey"
>> VALUE_ATTRIBUTE="automountInformation"
>>
>> Getting this from debug lvl logging on autofs:
>>
>> Dec 22 09:13:00 client2 automount[4528]: connected to uri ldap://servername
>> Dec 22 09:13:00 client2 automount[4528]: read_one_map: lookup(ldap): searching for "(objectclass=automount)" under "automountmapname=auto.direct,cn=default,cn=automount,dc=home"
>> Dec 22 09:13:00 client2 automount[4528]: do_get_entries: lookup(ldap): query succeeded, no matches for (objectclass=automount)
>> Dec 22 09:13:00 client2 automount[4528]: read_one_map: lookup(ldap): done updating map
>> Dec 22 09:13:00 client2 automount[4528]: st_ready: st_ready(): state = 0 path /-
>>
>> So what am I missing here?
>>
>
> Hi,
>
> In your /etc/auto.master, do you still have the following line as the last line in the file? If not, add it back in.
> +auto.master
>
> Do you still have a specific map for auto.home in your /etc/auto.master? If so, add +auto.home to the end of your /etc/auto.home file.
> (Provided you named the automount map auto.home in IPA too...)
>
> In your /etc/nsswitch.conf file, make sure your automount line looks like this:
> automount: files ldap
>
> Let me know how you get on.
>
> Regards,
> Siggi
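Added example, not code from the thread: a small POSIX sh audit of the three items in Siggi's reply above (the trailing +auto.master line, the +auto.home line at the end of the local file map, and the automount line in nsswitch.conf). It takes a root directory so it can run against constructed sample trees; the function names, the sample file contents and the exit-code convention are assumptions of this example.

```shell
#!/bin/sh
# Added example (not code from the list thread): audit an autofs client
# against the three points in Siggi's reply above. Every path is taken
# relative to a root directory so the same function can be run against
# constructed sample trees; on a real client pass "" as the root.
#
# Checks:
#   1. <root>/etc/auto.master ends with the line "+auto.master", so the
#      maps held in IPA (reached through nsswitch "ldap") are consulted
#      after the local entries.
#   2. Each local file map named in auto.master (e.g. /etc/auto.home)
#      ends with "+<mapname>", so the IPA copy of that map is merged in.
#   3. <root>/etc/nsswitch.conf has an "automount: files ldap" line.
#
# Prints one line per check and returns the number of failed checks
# (0 means the client matches the checklist).
audit_autofs_client() {
    root="$1"
    failures=0
    master="$root/etc/auto.master"
    nss="$root/etc/nsswitch.conf"

    if [ ! -f "$master" ]; then
        echo "MISSING: $master"
        failures=$((failures + 1))
    else
        # The last non-blank line must be "+auto.master".
        last=$(grep -v '^[[:space:]]*$' "$master" | tail -n 1)
        if [ "$last" = "+auto.master" ]; then
            echo "OK: $master ends with '+auto.master'"
        else
            echo "FAIL: $master does not end with '+auto.master' (last line: '$last')"
            failures=$((failures + 1))
        fi

        # "<mountpoint> /etc/auto.<name> [options]" lines name local file
        # maps; skip comments and "+map" include lines.
        for map in $(awk '$1 !~ /^[#+]/ && $2 ~ /^\// { print $2 }' "$master"); do
            mapfile="$root$map"
            mapname=$(basename "$map")
            if [ ! -f "$mapfile" ]; then
                echo "FAIL: $master names $map but $mapfile does not exist"
                failures=$((failures + 1))
                continue
            fi
            last=$(grep -v '^[[:space:]]*$' "$mapfile" | tail -n 1)
            if [ "$last" = "+$mapname" ]; then
                echo "OK: $mapfile ends with '+$mapname'"
            else
                echo "FAIL: $mapfile does not end with '+$mapname' (last line: '$last')"
                failures=$((failures + 1))
            fi
        done
    fi

    if [ ! -f "$nss" ]; then
        echo "MISSING: $nss"
        failures=$((failures + 1))
    elif grep -Eq '^[[:space:]]*automount:[[:space:]]+files[[:space:]]+ldap[[:space:]]*$' "$nss"; then
        echo "OK: $nss has 'automount: files ldap'"
    else
        echo "FAIL: $nss automount line is not 'automount: files ldap'"
        failures=$((failures + 1))
    fi

    return "$failures"
}

# Constructed sample trees (not real client files): "good" follows the
# checklist; "bad" has the gaps from the thread: no +auto.master line,
# a local auto.home without +auto.home, and nsswitch still "files" only.
make_sample_tree() {
    mkdir -p "$1/etc"
    if [ "$2" = "good" ]; then
        printf '/home /etc/auto.home\n+auto.master\n' > "$1/etc/auto.master"
        printf '* servername:/home/&\n+auto.home\n' > "$1/etc/auto.home"
        printf 'passwd: files sss\nautomount: files ldap\n' > "$1/etc/nsswitch.conf"
    else
        printf '/home /etc/auto.home\n' > "$1/etc/auto.master"
        printf '* servername:/home/&\n' > "$1/etc/auto.home"
        printf 'passwd: files sss\nautomount: files\n' > "$1/etc/nsswitch.conf"
    fi
}

# Demonstration on the two sample trees under a temporary directory.
demo_root=$(mktemp -d)
make_sample_tree "$demo_root/good" good
make_sample_tree "$demo_root/bad" bad
echo "== good tree =="
audit_autofs_client "$demo_root/good" || echo "$? check(s) failed"
echo "== bad tree =="
audit_autofs_client "$demo_root/bad" || echo "$? check(s) failed"
rm -rf "$demo_root"
```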
From npmarks at gmail.com Thu Dec 27 13:04:16 2012
From: npmarks at gmail.com (Nate Marks)
Date: Thu, 27 Dec 2012 08:04:16 -0500
Subject: [Freeipa-users] C5 freeipa clients?
Message-ID:

I have a freeipa server and some clients (Centos 6.3) that work great. My experience with CentOS 5 has been less positive. The freeipa-client package in the Centos Base doesn't seem to work with my server (server package versions below). I've tried downloading and building the client rpms from the 2.2.0 and 2.2.1 tarballs. The build scripts fail with python syntax errors (in plugable.py) on C5.7. Anyone recommend a plan for getting an ipa-client installed on c5 that's compatible with the ipa server versions below? TYVM!

server package versions:
ipa-pki-common-theme-9.0.3-7.el6.noarch
ipa-client-2.2.0-16.el6.x86_64
python-iniparse-0.3.1-2.1.el6.noarch
ipa-admintools-2.2.0-16.el6.x86_64
libipa_hbac-1.8.0-32.el6.x86_64
ipa-server-2.2.0-16.el6.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
libipa_hbac-python-1.8.0-32.el6.x86_64
ipa-python-2.2.0-16.el6.x86_64
ipa-server-selinux-2.2.0-16.el6.x86_64

From mbt at naunetcorp.com Thu Dec 27 15:11:24 2012
From: mbt at naunetcorp.com (Michael B. Trausch)
Date: Thu, 27 Dec 2012 10:11:24 -0500
Subject: [Freeipa-users] Joining Fedora 18 (FreeIPA 3.1.0) to CentOS 6.3 (FreeIPA 2.1.90rc1)
In-Reply-To: <1356535422.2894.160.camel@willson.li.ssimo.org>
References: <50D9B1B5.3020206@redhat.com> <1356483191.2894.156.camel@willson.li.ssimo.org> <50DA4AC9.1070901@naunetcorp.com> <1356535422.2894.160.camel@willson.li.ssimo.org>
Message-ID:

On 12/26/2012 10:23 AM, Simo Sorce wrote:
> It's missing the sasl library's debug info.
>
> Could you install cyrus-sasl-debuginfo and regenerate the stack trace
> from the core file ?
>
> I do not have a centos box handy.

Done; updated stack trace is on the ticket now. Thanks!

Mike

From cao2dan at yahoo.com Fri Dec 28 01:00:03 2012
From: cao2dan at yahoo.com (David Copperfield)
Date: Thu, 27 Dec 2012 17:00:03 -0800 (PST)
Subject: [Freeipa-users] getent netgroup doesn't work on centos 6, but works on centos 5
In-Reply-To: <2b562757-46f5-47e4-bc47-d75b0991d70a@email.android.com>
References: <558C15177F5E714F83334217C9A197DF5DB4175B@SSC-MBX2.ssc.internal> <20801.213.225.75.97.1355821569.squirrel@www.nixtra.com>, <50D09ED3.3030102@redhat.com> <558C15177F5E714F83334217C9A197DF5DB82294@SSC-MBX2.ssc.internal>, <51748.188.244.64.7.1355994836.squirrel@www.nixtra.com> <558C15177F5E714F83334217C9A197DF5DB822D5@SSC-MBX2.ssc.internal>, <55800.188.244.64.7.1356013244.squirrel@www.nixtra.com> <558C15177F5E714F83334217C9A197DF5DB824EC@SSC-MBX2.ssc.internal>, <05280886-b1cd-43aa-8493-44c83c2a9cb0@email.android.com> <558C15177F5E714F83334217C9A197DF5DB82517@SSC-MBX2.ssc.internal> <2b562757-46f5-47e4-bc47-d75b0991d70a@email.android.com>
Message-ID: <1356656403.70017.YahooMailNeo@web122602.mail.ne1.yahoo.com>

Hi howdy,

I've migrated some NIS netgroups from my old openLDAP to IPA 2.2.0; it imported all the old data without prompting problems. But now the issues are at the client side:

redhat 5.8 clients can see all host netgroups and user netgroups without problems.
while redhat 6.3 clients can only see all host based netgroups. user netgroups can not be seen.

But when I create new user netgroups directly through the web UI, both types of clients have no problems seeing them.

Anyone know what could be the issue? If my importing/migration script had issues, then both types of clients would report problems at the same time, not 5.8 works while 6.3 fails, right? Has anyone encountered the same issue? Please shed a light here.

Thanks.
--David

From rcritten at redhat.com Fri Dec 28 11:53:58 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 28 Dec 2012 06:53:58 -0500
Subject: [Freeipa-users] C5 freeipa clients?
In-Reply-To:
References:
Message-ID: <50DD8856.90106@redhat.com>

Nate Marks wrote:
> I have a freeipa server and some clients (Centos 6.3) that work great.
> My experience with CentOS 5 has been less positive. The freeipa-client
> package in the Centos Base doesn't seem to work with my server (server
> package versions below). i've tried downloading and building the client
> rpms from the 2.2.0 and 2.2.1 tarballs. The build scripts fail with
> python syntax errors (in plugable.py) on C5.7. Anyone recommend a plan
> for getting an ipa-client installed on c5 that's compatible with the ipa
> server versions below? TYVM!
>
>
> server package versions:
> ipa-pki-common-theme-9.0.3-7.el6.noarch
> ipa-client-2.2.0-16.el6.x86_64
> python-iniparse-0.3.1-2.1.el6.noarch
> ipa-admintools-2.2.0-16.el6.x86_64
> libipa_hbac-1.8.0-32.el6.x86_64
> ipa-server-2.2.0-16.el6.x86_64
> ipa-pki-ca-theme-9.0.3-7.el6.noarch
> libipa_hbac-python-1.8.0-32.el6.x86_64
> ipa-python-2.2.0-16.el6.x86_64
> ipa-server-selinux-2.2.0-16.el6.x86_64

What problems are you having with ipa 2.1.3 on centos 5?

rob

From rcritten at redhat.com Fri Dec 28 11:57:46 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 28 Dec 2012 06:57:46 -0500
Subject: [Freeipa-users] getent netgroup doesn't work on centos 6, but works on centos 5
In-Reply-To: <1356656403.70017.YahooMailNeo@web122602.mail.ne1.yahoo.com>
References: <558C15177F5E714F83334217C9A197DF5DB4175B@SSC-MBX2.ssc.internal> <20801.213.225.75.97.1355821569.squirrel@www.nixtra.com>, <50D09ED3.3030102@redhat.com> <558C15177F5E714F83334217C9A197DF5DB82294@SSC-MBX2.ssc.internal>, <51748.188.244.64.7.1355994836.squirrel@www.nixtra.com> <558C15177F5E714F83334217C9A197DF5DB822D5@SSC-MBX2.ssc.internal>, <55800.188.244.64.7.1356013244.squirrel@www.nixtra.com> <558C15177F5E714F83334217C9A197DF5DB824EC@SSC-MBX2.ssc.internal>, <05280886-b1cd-43aa-8493-44c83c2a9cb0@email.android.com> <558C15177F5E714F83334217C9A197DF5DB82517@SSC-MBX2.ssc.internal> <2b562757-46f5-47e4-bc47-d75b0991d70a@email.android.com> <1356656403.70017.YahooMailNeo@web122602.mail.ne1.yahoo.com>
Message-ID: <50DD893A.3060100@redhat.com>

David Copperfield wrote:
> Hi howdy,
>
> I've migrated some NIS netgroups from my old openLDAP to IPA 2.2.0, it
> imported all the old data without prompting problems. But now the issues
> are at the client side:
>
> redhat 5.8 clients can see all host netgroups and user netgroups
> without problems.
> while redhat 6.3 clients can only see all host based netgroups. user
> netgroups can not be seen.
>
> But when I create new user netgroups directly through web UI, both types
> of clients have no problems to see.
>
> Any one knows what could be the issue? if my importing/migration script
> have issues, then both types of clients will report problems at the same
> time, not 5.8 works while 6.3 fails, right? Any one has encountered same
> issue? Please shed a light here.

Can you expand on how user netgroups can't be seen? You might try amping up the sssd debug level to see if it is having problems seeing things.

rob

From Johan.Petersson at sscspace.com Fri Dec 28 12:40:26 2012
From: Johan.Petersson at sscspace.com (Johan Petersson)
Date: Fri, 28 Dec 2012 12:40:26 +0000
Subject: [Freeipa-users] Does Solaris 11 work as client to IPA server?
In-Reply-To: <2b562757-46f5-47e4-bc47-d75b0991d70a@email.android.com>
References: <558C15177F5E714F83334217C9A197DF5DB4175B@SSC-MBX2.ssc.internal> <20801.213.225.75.97.1355821569.squirrel@www.nixtra.com>, <50D09ED3.3030102@redhat.com> <558C15177F5E714F83334217C9A197DF5DB82294@SSC-MBX2.ssc.internal>, <51748.188.244.64.7.1355994836.squirrel@www.nixtra.com> <558C15177F5E714F83334217C9A197DF5DB822D5@SSC-MBX2.ssc.internal>, <55800.188.244.64.7.1356013244.squirrel@www.nixtra.com> <558C15177F5E714F83334217C9A197DF5DB824EC@SSC-MBX2.ssc.internal>, <05280886-b1cd-43aa-8493-44c83c2a9cb0@email.android.com> <558C15177F5E714F83334217C9A197DF5DB82517@SSC-MBX2.ssc.internal>, <2b562757-46f5-47e4-bc47-d75b0991d70a@email.android.com>
Message-ID: <558C15177F5E714F83334217C9A197DF5DB82562@SSC-MBX2.ssc.internal>

Hi,

I am getting these messages in my log when setting all instances of pam_krb5.so.1 to debug in /etc/pam.d/other and /etc/pam.d/login:

Dec 28 12:59:12 solaris.example.com su: [ID 737709 auth.error] unable to open connection to ADMIN server (t_error 13)
Dec 28 12:59:12 solaris2.example.com su: [ID 436431 auth.error] PAM-KRB5-AUTOMIGRATE (auth): Error while doing kadm5_init_with_skey: Communication failure with server

If I disable the firewall on my IPA Server everything works as fast as it should, so clearly a firewall issue with iptables. However, I have all the ports enabled and Red Hat clients work with the firewall on. Clearly Solaris is using some secret other port(s) that is not mentioned. I have tried with 749 and 750 tcp and udp with no difference.

Regards,
Johan.
________________________________
From: Sigbjorn Lie [sigbjorn at nixtra.com]
Sent: Wednesday, December 26, 2012 18:56
To: Johan Petersson
Cc: freeipa-users at redhat.com
Subject: RE: [Freeipa-users] Does Solaris 11 work as client to IPA server?

Cool. :)

What do you see if you turn on pam debugging by touching /etc/pam_debug and enabling debug logging in the syslog daemon?

Rgds
Siggi

Johan Petersson wrote:
Of course it was a simple thing like replacing auto.nethome with auto_nethome that worked.
Thank you for that help!
I did not even think that it was that simple. :)

Now everything works for the more secure client configuration on Solaris 11.
The only thing left to investigate is why there is a delay now for the IPA users.
I get the message: Your Kerberos account/password will expire in 89 days quickly, but then it waits for about 20 seconds until I get a prompt.

Regards,
Johan.
________________________________
From: Sigbjorn Lie [sigbjorn at nixtra.com]
Sent: Wednesday, December 26, 2012 17:10
To: Johan Petersson
Cc: freeipa-users at redhat.com
Subject: RE: [Freeipa-users] Does Solaris 11 work as client to IPA server?

What is the name of the other maps besides auto.master? You should use _ instead of . for any additional maps when you need Solaris autofs compatibility. This also needs to be reflected in the auto.master.

The Linux automounter does not care about . or _ as long as the naming is consistent between the additional maps and auto.master. The default for Linux is auto.master with a . and auto_master for Solaris. Hence the auto.master mapping in the Solaris dua profile.

Rgds
Siggi

Johan Petersson wrote:
Got everything except automount to work with Solaris 11 and the more secure DUAProfile.
Verified that I can manually mount with krb5 on Solaris 11, ssh, su and console login works (as well as expected with no home directory) and automount map works for Red Hat clients.
I have now tried with another directory for users (/nethome) since when trying with /home autofs made local users unavailable. They are automounted locally to /home/ from /export/home/ on Solaris for some strange reason and autofs then tried finding local users' home directories on the NFS Server :)

root at solaris2:~# ldapclient list
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= uid=solaris,cn=sysaccounts,cn=etc,dc=example,dc=org
NS_LDAP_BINDPASSWD= {XXX}XXXXXXXXXXXXXX
NS_LDAP_SERVERS= server.example.org
NS_LDAP_SEARCH_BASEDN= dc=example,dc=org
NS_LDAP_AUTH= tls:simple
NS_LDAP_SEARCH_REF= TRUE
NS_LDAP_SEARCH_SCOPE= one
NS_LDAP_SEARCH_TIME= 10
NS_LDAP_CACHETTL= 6000
NS_LDAP_PROFILE= solaris_authssl1
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=accounts,dc=example,dc=org
NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=compat,dc=example,dc=org
NS_LDAP_SERVICE_SEARCH_DESC= netgroup:cn=ng,cn=compat,dc=example,dc=org
NS_LDAP_SERVICE_SEARCH_DESC= ethers:cn=computers,cn=accounts,dc=example,dc=org
NS_LDAP_SERVICE_SEARCH_DESC= automount:cn=default,cn=automount,dc=example,dc=org
NS_LDAP_SERVICE_SEARCH_DESC= auto_master:automountMapName=auto.master,cn=default,cn=automount,dc=example,dc=org
NS_LDAP_SERVICE_SEARCH_DESC= aliases:ou=aliases,ou=test,dc=example,dc=org
NS_LDAP_SERVICE_SEARCH_DESC= printers:ou=printers,ou=test,dc=example,dc=org
NS_LDAP_BIND_TIME= 5
NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=posixAccount
NS_LDAP_OBJECTCLASSMAP= printers:sunPrinter=printerService

root at solaris2:~# sharectl get autofs
timeout=600
automount_verbose=true
automountd_verbose=true
nobrowse=false
trace=2
environment=

From /var/svc/log/system-filesystem-autofs\:default.log:

t4 LOOKUP REQUEST: Wed Dec 26 12:28:43 2012
t4 name=user02[] map=auto.nethome opts= path=/nethome direct=0
t4 getmapent_ldap called
t4 getmapent_ldap: key=[ user02 ]
t4 ldap_match called
t4 ldap_match: key =[ user02 ]
t4 ldap_match: ldapkey =[ user02 ]
t4 ldap_match: Requesting list for (&(objectClass=automount)(automountKey=user02)) in auto.nethome
t4 ldap_match: __ns_ldap_list FAILED (2)
t4 ldap_match: no entries found
t4 ldap_match called
t4 ldap_match: key =[ \2a ]
t4 ldap_match: ldapkey =[ \2a ]
t4 ldap_match: Requesting list for (&(objectClass=automount)(automountKey=\2a)) in auto.nethome
t4 ldap_match: __ns_ldap_list FAILED (2)
t4 ldap_match: no entries found
t4 getmapent_ldap: exiting ...
t4 do_lookup1: action=2 wildcard=FALSE error=2
t4 LOOKUP REPLY : status=2

The automount map is called auto.nethome
key is: * -rw,soft server.example.org:/nethome/&

Is it that Solaris automount doesn't like an asterisk (*) in an automount key?

Regards,
Johan.
________________________________
From: Sigbjorn Lie [sigbjorn at nixtra.com]
Sent: Thursday, December 20, 2012 15:20
To: Johan Petersson
Cc: freeipa-users at redhat.com
Subject: RE: [Freeipa-users] Does Solaris 11 work as client to IPA server?

Thanks.

I'm guessing it's taking such a long time because it's looking through the entire LDAP server for your automount maps. The automountmap rules in the DUA profile will help with that. You'll also run into issues if you attempt to have several automount locations without having specified which one to use with an automountmap rule for auto master.

If you are using NFS4 you should add the _nfsv4idmapdomain DNS TXT record to your DNS or set NFSMAPID_DOMAIN in /etc/default/nfs to the same value as the domain id used on your NFS server to get rid of the nobody:nobody default mapping and enable mapping between the NFS server and the client.

Regards,
Siggi

On Thu, December 20, 2012 13:40, Johan Petersson wrote:
Hi,

Here is my pam.conf cleaned up a bit.

login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth sufficient pam_krb5.so.1 try_first_pass
login auth required pam_unix_cred.so.1
login auth required pam_unix_auth.so.1
login auth required pam_dial_auth.so.1

gdm-autologin auth required pam_unix_cred.so.1
gdm-autologin auth sufficient pam_allow.so.1

other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth sufficient pam_krb5.so.1
other auth required pam_unix_auth.so.1

passwd auth required pam_passwd_auth.so.1

gdm-autologin account sufficient pam_allow.so.1

other account requisite pam_roles.so.1
other account required pam_unix_account.so.1
other account required pam_krb5.so.1

other session required pam_unix_session.so.1

other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1 force_check
other password sufficient pam_krb5.so.1
other password required pam_authtok_store.so.1

I am getting one error and it is for autofs.

/var/adm/messages:
Dec 20 12:56:58 servername automount[1651]: [ID 754625 daemon.error] Object not found

/var/svc/log/system.filesystem-autofs:default.log:
[ Dec 20 12:24:22 Executing start method ("/lib/svc/method/svc-autofs start"). ]
automount: /net mounted
automount: /nfs4 mounted
automount: no unmounts
[ Dec 20 12:24:22 Method "start" exited with status 0. ]

ldapclient list
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= servername
NS_LDAP_SEARCH_BASEDN= dc=home
NS_LDAP_AUTH= none
NS_LDAP_SEARCH_REF= TRUE
NS_LDAP_SEARCH_TIME= 15
NS_LDAP_PROFILE= default
NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=accounts,dc=home
NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=compat,dc=home
NS_LDAP_BIND_TIME= 5
NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=posixAccount

Thinking it has to do with missing automountmap in default DUAProfile.
Automount still works though but takes time during login and everything is nobody:nobody :) ________________________________ From: Sigbjorn Lie [sigbjorn at nixtra.com] Sent: Thursday, December 20, 2012 10:13 To: Johan Petersson Cc: freeipa-users at redhat.com Subject: Re: [Freeipa-users] Does Solaris 11 work as client to IPA server? Hi, This is interesting. When I tested Solaris 11 ssh worked, and su - testuser worked. However console login did not work giving some PAM errors. Could you please share your entire pam.conf file? Is this Solaris 11 or Solaris 11.1? Regards, Siggi On Thu, December 20, 2012 09:40, Johan Petersson wrote: I have now managed to use a Solaris 11 system as a client to IPA Server. su - testuser works ssh works and console login works. I get a delay before getting the prompt through ssh though and maybe from console t oo, probably something about autofs Going to see if i can increase loginformation (Solaris newbie). To get it to work i mainly followed Sigbjorn Lie's instructions for Solaris 10 in earlier posts here. I also used the /etc/pam.conf configuration example from the Solaris 10 client guide on Free IPA. I stuck with the default DUAProfile for now and use a NFS4 Kerberos share for home directories with autofs. Going to try the other DUAProfile too from Bug 815515 and hopefully i can get everything working. ________________________________ From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Dmitri Pal [dpal at redhat.com] Sent: Tuesday, December 18, 2012 17:50 To: freeipa-users at redhat.com Subject: Re: [Freeipa-users] Does Solaris 11 work as client to IPA server? On 12/18/2012 04:06 AM, Sigbjorn Lie wrote: On Tue, December 18, 2012 08:28, Johan Petersson wrote: Hi, We are implementing IPA Server and are gong to need to be able to authenticate properly with a number of Solaris 11 servers. I have browsed the archives and found a few threads mentioning some problems with Solaris 11 and IPA Server. 
Does anyone know if the issue have been solved? I don't think there is any problems with Solaris 11 except of nobody has yet sat down and figured out how to configure it as an IPA client yet. I had a got at it a while ago (some of the posts you've probably found), and found that there was enough differences in the LDAP/Kerberos client between Solaris 10 and Solaris 11 for making it work with the setup guide I've created for Solaris 10. And there was a need for further investigation for finding out how to configure Solaris 11 as an IPA client. I've not looked into this further as we do not use Solaris 11 yet. I don't know if anyone else has had time to sit down and have a crack at this? And we would like to hear about this effort. If it produces instructions we would like to put them on the wiki. If it produces bugs we would investigate them. Regards, Siggi ________________________________ Freeipa-users mailing list Freeipa-users at redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users -- Thank y ou, Dmi tri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc.. ________________________________ Looking to carve out IT costs? www.redhat.com/carveoutcosts/ ________________________________ Freeipa-users mailing list Freeipa-users at redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users ________________________________ Freeipa-users mailing list Freeipa-users at redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users -- Sent from my Android phone with K-9 Mail. Please excuse my brevity. -------------- next part -------------- An HTML attachment was scrubbed... URL: From Johan.Petersson at sscspace.com Fri Dec 28 13:29:53 2012 From: Johan.Petersson at sscspace.com (Johan Petersson) Date: Fri, 28 Dec 2012 13:29:53 +0000 Subject: [Freeipa-users] Does Solaris 11 work as client to IPA server? 
In-Reply-To: <558C15177F5E714F83334217C9A197DF5DB82562@SSC-MBX2.ssc.internal>
References: <558C15177F5E714F83334217C9A197DF5DB4175B@SSC-MBX2.ssc.internal> <20801.213.225.75.97.1355821569.squirrel@www.nixtra.com>, <50D09ED3.3030102@redhat.com> <558C15177F5E714F83334217C9A197DF5DB82294@SSC-MBX2.ssc.internal>, <51748.188.244.64.7.1355994836.squirrel@www.nixtra.com> <558C15177F5E714F83334217C9A197DF5DB822D5@SSC-MBX2.ssc.internal>, <55800.188.244.64.7.1356013244.squirrel@www.nixtra.com> <558C15177F5E714F83334217C9A197DF5DB824EC@SSC-MBX2.ssc.internal>, <05280886-b1cd-43aa-8493-44c83c2a9cb0@email.android.com> <558C15177F5E714F83334217C9A197DF5DB82517@SSC-MBX2.ssc.internal>, <2b562757-46f5-47e4-bc47-d75b0991d70a@email.android.com>, <558C15177F5E714F83334217C9A197DF5DB82562@SSC-MBX2.ssc.internal>
Message-ID: <558C15177F5E714F83334217C9A197DF5DB82578@SSC-MBX2.ssc.internal>

Forgot to add the ports opened in my last message. :)

22 TCP
80 TCP
443 TCP
389 TCP
636 TCP
7389 TCP
88 TCP,UDP
464 TCP,UDP
53 TCP,UDP
123 TCP,UDP
111 TCP,UDP
2049 TCP,UDP

Also tried 749,750 and everything kerberos related from Solaris /etc/services.
Solaris.example.com and solaris2.example.com is the same machine, just a typo from me when editing the log for publishing.

Regards,
Johan

________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Johan Petersson [Johan.Petersson at sscspace.com]
Sent: Friday, December 28, 2012 13:40
To: Sigbjorn Lie
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?
Hi,

I am getting these messages in my log when setting all instances of pam_krb5.so.1 debug in /etc/pam.d/other, /etc/pam.d/login:

Dec 28 12:59:12 solaris.example.com su: [ID 737709 auth.error] unable to open connection to ADMIN server (t_error 13)
Dec 28 12:59:12 solaris2.example.com su: [ID 436431 auth.error] PAM-KRB5-AUTOMIGRATE (auth): Error while doing kadm5_init_with_skey: Communication failure with server

If I disable the firewall on my IPA Server everything works as fast as it should, so clearly a firewall issue with iptables.
However, I have all the ports enabled and Red Hat clients work with the firewall on.
Clearly Solaris is using some secret other port(s) that is not mentioned.
I have tried with 749 and 750 tcp and udp with no difference.

Regards,
Johan.
From simo at redhat.com Fri Dec 28 13:51:13 2012
From: simo at redhat.com (Simo Sorce)
Date: Fri, 28 Dec 2012 08:51:13 -0500
Subject: [Freeipa-users] delegation questions: how to reset password for subordinate?
In-Reply-To: <1356566233.1175.YahooMailNeo@web122603.mail.ne1.yahoo.com>
References: <558C15177F5E714F83334217C9A197DF5DB4175B@SSC-MBX2.ssc.internal> <20801.213.225.75.97.1355821569.squirrel@www.nixtra.com>, <50D09ED3.3030102@redhat.com> <558C15177F5E714F83334217C9A197DF5DB82294@SSC-MBX2.ssc.internal>, <51748.188.244.64.7.1355994836.squirrel@www.nixtra.com> <558C15177F5E714F83334217C9A197DF5DB822D5@SSC-MBX2.ssc.internal>, <55800.188.244.64.7.1356013244.squirrel@www.nixtra.com> <558C15177F5E714F83334217C9A197DF5DB824EC@SSC-MBX2.ssc.internal>, <05280886-b1cd-43aa-8493-44c83c2a9cb0@email.android.com> <558C15177F5E714F83334217C9A197DF5DB82517@SSC-MBX2.ssc.internal> <2b562757-46f5-47e4-bc47-d75b0991d70a@email.android.com> <1356566233.1175.YahooMailNeo@web122603.mail.ne1.yahoo.com>
Message-ID: <1356702673.2894.183.camel@willson.li.ssimo.org>

On Wed, 2012-12-26 at 15:57 -0800, David Copperfield wrote:
> Hi all,
>
> What are the user attributes that A manager should be granted with
> read&write permissions to reset passwords for subordinate employees?
> The typical implementation case: managers need to take care of
> password reset requests for their subordinate employees.
>
> I select 'userpassword' field the first time but it fails, then
> combine it with a few other krb* fields but those don't help either.
>
> If you have the minimum field combinations to make the 'password
> changing' delegation work, please feel free to post your results here.
> Presently I just select ALL fields with read&write permissions to make
> it work, but that definitely is overkill and hurts privacy
> potentially.

You need write access to at least userPassword and krbPrincipalKey.

Simo.

P.S. David, please do not start a new thread by replying to old mails.

--
Simo Sorce * Red Hat, Inc * New York

From simo at redhat.com Fri Dec 28 13:56:49 2012
From: simo at redhat.com (Simo Sorce)
Date: Fri, 28 Dec 2012 08:56:49 -0500
Subject: [Freeipa-users] Joining Fedora 18 (FreeIPA 3.1.0) to CentOS 6.3 (FreeIPA 2.1.90rc1)
In-Reply-To:
References: <50D9B1B5.3020206@redhat.com> <1356483191.2894.156.camel@willson.li.ssimo.org> <50DA4AC9.1070901@naunetcorp.com> <1356535422.2894.160.camel@willson.li.ssimo.org>
Message-ID: <1356703009.2894.186.camel@willson.li.ssimo.org>

On Thu, 2012-12-27 at 10:11 -0500, Michael B. Trausch wrote:
> On 12/26/2012 10:23 AM, Simo Sorce wrote:
> > It's missing the sasl library's debug info.
> >
> > Could you install cyrus-sasl-debuginfo and regenerate the stack trace
> > from the core file ?
> >
> > I do not have a centos box handy.
>
> Done; updated stack trace is on the ticket now.

Unfortunately all the interesting info is still missing :-/

However, re-reading the ticket made me wonder. Is this happening on the F18 machine or on the CentOS 6.3 machine?

If you can add to the ticket the exact rpm version of the following packages I can try to use the core file.

freeipa-client/ipa-client
krb5-libs
cyrus-sasl

Simo.
--
Simo Sorce * Red Hat, Inc * New York

From sigbjorn at nixtra.com Fri Dec 28 14:08:10 2012
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Fri, 28 Dec 2012 15:08:10 +0100
Subject: [Freeipa-users] Does Solaris 11 work as client to IPA server?
In-Reply-To: <558C15177F5E714F83334217C9A197DF5DB82578@SSC-MBX2.ssc.internal>
References: <558C15177F5E714F83334217C9A197DF5DB82578@SSC-MBX2.ssc.internal>
Message-ID:

How about enabling the firewall, and use tcpdump on the ipa server or snoop on the Solaris box to see where it stops and waits?

Rgds
Siggi

Johan Petersson wrote:
>Forgot to add the ports opened in my last message. :)
>
>22 TCP
>80 TCP
>443 TCP
>389 TCP
>636 TCP
>7389 TCP
>88 TCP,UDP
>464 TCP,UDP
>53 TCP,UDP
>123 TCP,UDP
>111 TCP,UDP
>2049 TCP,UDP
>
>Also tried 749,750 and everything kerberos related from Solaris
>/etc/services.
>Solaris.example.com and solaris2.example.com is same machine, just typo
>from me when editing the log for publishing.
>
>Regards,
>Johan
>
>________________________________
>From: freeipa-users-bounces at redhat.com
>[freeipa-users-bounces at redhat.com] on behalf of Johan Petersson
>[Johan.Petersson at sscspace.com]
>Sent: Friday, December 28, 2012 13:40
>To: Sigbjorn Lie
>Cc: freeipa-users at redhat.com
>Subject: Re: [Freeipa-users] Does Solaris 11 work as client to IPA
>server?
>
>Hi,
>
>I am getting these messages in my log when setting all instances of
>pam_krb5.so.1 debug in /etc/pam.d/other, /etc/pam.d/login:
>
>Dec 28 12:59:12 solaris.example.com su: [ID 737709 auth.error] unable
>to open connection to ADMIN server (t_error 13)
>Dec 28 12:59:12 solaris2.example.com su: [ID 436431 auth.error]
>PAM-KRB5-AUTOMIGRATE (auth): Error while doing kadm5_init_with_skey:
>Communication failure with server
>
>If i disable the firewall on my IPA Server everything works as fast as
>it should so clearly a firewall issue with iptables.
>However, i have all the ports enabled and Red Hat clients works with
>the firewall on.
>Clearly Solaris is using some secret other port(s) that is not
>mentioned.
>I have tried with 749 and 750 tcp and udp with no difference.
>
>Regards,
>Johan.
>Verified that i can manually mount with krb5 on Solaris 11, ssh, su and >console login works (as well as expected with no home directory) and >automount map works for Red Hat clients. >I have now tried with another directory for users (/nethome) since when >trying with /home autofs made local users unavailable. They are >automounted locally to /home/ from /export/home/ on Solaris for some >strange reason and autofs then tried finding local users home >directories on the NFS Server :) > >root at solaris2:~# ldapclient list >NS_LDAP_FILE_VERSION= 2.0 >NS_LDAP_BINDDN= uid=solaris,cn=sysaccounts,cn=etc,dc=example,dc=org >NS_LDAP_BINDPASSWD= {XXX}XXXXXXXXXXXXXX >NS_LDAP_SERVERS= server.example.org >NS_LDAP_SEARCH_BAS > EDN= >dc=example,dc=org >NS_LDAP_AUTH= tls:simple >NS_LDAP_SEARCH_REF= TRUE >NS_LDAP_SEARCH_SCOPE= one >NS_LDAP_SEARCH_TIME= 10 >NS_LDAP_CACHETTL= 6000 >NS_LDAP_PROFILE= solaris_authssl1 >NS_LDAP_CREDENTIAL_LEVEL= proxy >NS_LDAP_SERVICE_SEARCH_DESC= >passwd:cn=users,cn=accounts,dc=example,dc=org >NS_LDAP_SERVICE_SEARCH_DESC= >group:cn=groups,cn=compat,dc=example,dc=org >NS_LDAP_SERVICE_SEARCH_DESC= netgroup:cn=ng,cn=compat,dc=example,dc=org >NS_LDAP_SERVICE_SEARCH_DESC= >ethers:cn=computers,cn=accounts,dc=example,dc=org >NS_LDAP_SERVICE_SEARCH_DESC= >automount:cn=default,cn=automount,dc=example,dc=org >NS_LDAP_SERVICE_SEARCH_DESC= >auto_master:automountMapName=auto.master,cn=default,cn=automount,dc=example,dc=org >NS_LDAP_SERVICE_SEARCH_DESC= >aliases:ou=aliases,ou=test,dc=example,dc=org >NS_LDAP_SERVICE_SEARCH_DESC= >printers:ou=printers,ou=test,dc=example,dc=org >NS_LDAP_BIND_TIME= 5 >NS_LDAP_OBJECTCLASSMAP= >shadow:shadowAccount=posixAccount >NS_LDAP_OBJECTCLASSMAP= printers:sunPrinter=printerService > >root at solaris2:~# sharectl get autofs >timeout=600 >automount_verbose=true >automountd_verbose=true >nobrowse=false >trace=2 >environment= > >From /var/svc/log/system-filesystem-autofs\:default.log: > >t4 LOOKUP REQUEST: Wed Dec 26 12:28:43 2012 >t4 
name=user02[] map=auto.nethome opts= path=/nethome direct=0 >t4 getmapent_ldap called >t4 getmapent_ldap: key=[ user02 ] >t4 ldap_match called >t4 ldap_match: key =[ user02 ] >t4 ldap_match: ldapkey =[ user02 ] >t4 ldap_match: Requesting list for >(&(objectClass=automount)(automountKey=user02)) in auto.nethome >t4 ldap_match: __ns_ldap_list FAILED (2) >t4 ldap_match: no entries found >t4 ldap_match called >t4 ldap_match: key =[ \2a ] >t4 ldap_match: ldapkey =[ \2a ] >t4 ldap_match: Requesting list for >(&(objectClass=automount)(automountKey=\2a)) in auto.nethome >t4 ldap_match: __ns_ldap_list FAILED (2) >t4 ldap_match: no entries found >t4 getmapent_ldap: exiting ... >t4 do_lookup1: action=2 wildcard=FALSE error=2 >t4 LOOKUP REPLY : status=2 >The automount map is called auto.nethome >key is: * -rw,soft >server.example.org:/nethome/& > >Is it that Solaris automount dont like asterisk(*) in a automount key? > >Regards, >Johan. >________________________________ > >From: Sigbjorn Lie [sigbjorn at nixtra.com] >Sent: Thursday, December 20, 2012 15:20 >To: Johan Petersson >Cc: freeipa-users at redhat.com >Subject: RE: [Freeipa-users] Does Solaris 11 work as client to IPA >server? > >Thanks. > >I'm guessing it's taking such a long time because it's looking trough >the entire LDAP server for >your automount maps. The automountmap rules in the DUA profile will >help w > ith >that. You'll >also >run into issues if you attempt to have several automount locations >without having specified which >one to use with a automountmap rule for auto master. > >If you are using NFS4 you should add the _nfsv4idmapdomain dns TXT >record to your DNS or set >NFSMAPID_DOMAIN in /etc/default/nfs to the same value as the domain id >used on your NFS server to >get rid of the nobody:nobody default mapping and enable mapping between >the NFS server and the >client. > > > >Regards, >Siggi > > > > >On Thu, December 20, 2012 13:40, Johan Petersson wrote: >Hi, > > >Here is my pam.conf cleaned up a bit. 
>
> login auth requisite pam_authtok_get.so.1
> login auth required pam_dhkeys.so.1
> login auth sufficient pam_krb5.so.1 try_first_pass
> login auth required pam_unix_cred.so.1
> login auth required pam_unix_auth.so.1
> login auth required pam_dial_auth.so.1
>
> gdm-autologin auth required pam_unix_cred.so.1
> gdm-autologin auth sufficient pam_allow.so.1
>
> other auth requisite pam_authtok_get.so.1
> other auth required pam_dhkeys.so.1
> other auth required pam_unix_cred.so.1
> other auth sufficient pam_krb5.so.1
> other auth required pam_unix_auth.so.1
>
> passwd auth required pam_passwd_auth.so.1
>
> gdm-autologin account sufficient pam_allow.so.1
>
> other account requisite pam_roles.so.1
> other account required pam_unix_account.so.1
> other account required pam_krb5.so.1
>
> other session required pam_unix_session.so.1
>
> other password required pam_dhkeys.so.1
> other password requisite pam_authtok_get.so.1
> other password requisite pam_authtok_check.so.1 force_check
> other password sufficient pam_krb5.so.1
> other password required pam_authtok_store.so.1
>
> I am getting one error and it is for autofs.
>
> /var/adm/messages:
> Dec 20 12:56:58 servername automount[1651]: [ID 754625 daemon.error] Object not found
>
> /var/svc/log/system.filesystem-autofs:default.log:
> [ Dec 20 12:24:22 Executing start method ("/lib/svc/method/svc-autofs start"). ]
> automount: /net mounted
> automount: /nfs4 mounted
> automount: no unmounts
> [ Dec 20 12:24:22 Method "start" exited with status 0. ]
>
> ldapclient list
> NS_LDAP_FILE_VERSION= 2.0
> NS_LDAP_SERVERS= servername
> NS_LDAP_SEARCH_BASEDN= dc=home
> NS_LDAP_AUTH= none
> NS_LDAP_SEARCH_REF= TRUE
> NS_LDAP_SEARCH_TIME= 15
> NS_LDAP_PROFILE= default
> NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=accounts,dc=home
> NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=compat,dc=home
> NS_LDAP_BIND_TIME= 5
> NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=posixAccount
>
> Thinking it has to do with the missing automountmap in the default DUAProfile.
> Automount still works though but takes time during login and everything is nobody:nobody :)
>
> ________________________________
>
> From: Sigbjorn Lie [sigbjorn at nixtra.com]
> Sent: Thursday, December 20, 2012 10:13
> To: Johan Petersson
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?
>
> Hi,
>
> This is interesting. When I tested Solaris 11 ssh worked, and su - testuser worked. However console login did not work, giving some PAM errors.
>
> Could you please share your entire pam.conf file?
>
> Is this Solaris 11 or Solaris 11.1?
>
> Regards,
> Siggi
>
> On Thu, December 20, 2012 09:40, Johan Petersson wrote:
>
> I have now managed to use a Solaris 11 system as a client to IPA Server. su - testuser works, ssh works and console login works. I get a delay before getting the prompt through ssh though, and maybe from console too, probably something about autofs. Going to see if I can increase log information (Solaris newbie). To get it to work I mainly followed Sigbjorn Lie's instructions for Solaris 10 in earlier posts here. I also used the /etc/pam.conf configuration example from the Solaris 10 client guide on FreeIPA. I stuck with the default DUAProfile for now and use an NFS4 Kerberos share for home directories with autofs. Going to try the other DUAProfile too from Bug 815515 and hopefully I can get everything working.
> ________________________________
>
> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Dmitri Pal [dpal at redhat.com]
> Sent: Tuesday, December 18, 2012 17:50
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?
>
> On 12/18/2012 04:06 AM, Sigbjorn Lie wrote:
>
> On Tue, December 18, 2012 08:28, Johan Petersson wrote:
>
> Hi,
>
> We are implementing IPA Server and are going to need to be able to authenticate properly with a number of Solaris 11 servers. I have browsed the archives and found a few threads mentioning some problems with Solaris 11 and IPA Server. Does anyone know if the issues have been solved?
>
> I don't think there are any problems with Solaris 11 except that nobody has yet sat down and figured out how to configure it as an IPA client.
>
> I had a go at it a while ago (some of the posts you've probably found), and found that there were enough differences in the LDAP/Kerberos client between Solaris 10 and Solaris 11 for making it work with the setup guide I've created for Solaris 10. And there was a need for further investigation for finding out how to configure Solaris 11 as an IPA client.
>
> I've not looked into this further as we do not use Solaris 11 yet.
>
> I don't know if anyone else has had time to sit down and have a crack at this?
>
> And we would like to hear about this effort.
> If it produces instructions we would like to put them on the wiki.
> If it produces bugs we would investigate them.
>
> Regards,
> Siggi
>
> ________________________________
>
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>
> ________________________________
>
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
>
> ________________________________
>
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
> --
> Sent from my Android phone with K-9 Mail. Please excuse my brevity.

--
Sent from my Android phone with K-9 Mail. Please excuse my brevity.

From mbt at naunetcorp.com Fri Dec 28 15:23:29 2012
From: mbt at naunetcorp.com (Michael B. Trausch)
Date: Fri, 28 Dec 2012 10:23:29 -0500
Subject: [Freeipa-users] Joining Fedora 18 (FreeIPA 3.1.0) to CentOS 6.3 (FreeIPA 2.1.90rc1)
In-Reply-To: <1356703009.2894.186.camel@willson.li.ssimo.org>
References: <50D9B1B5.3020206@redhat.com> <1356483191.2894.156.camel@willson.li.ssimo.org> <50DA4AC9.1070901@naunetcorp.com> <1356535422.2894.160.camel@willson.li.ssimo.org> <1356703009.2894.186.camel@willson.li.ssimo.org>
Message-ID:

On 12/28/2012 08:56 AM, Simo Sorce wrote:
> However re-reading the ticket made me wonder. Is this happening on the
> F18 machine or on the Centos 6.3 machine ?

The sigsegv is happening on the Fedora 18 box, the one running FreeIPA 3.1.0.
I am completely unable to install debug symbols for the following libraries:

=======================================================================
Missing separate debuginfos, use: debuginfo-install cyrus-sasl-gssapi-2.1.25-2.fc18.x86_64 cyrus-sasl-lib-2.1.25-2.fc18.x86_64 cyrus-sasl-md5-2.1.25-2.fc18.x86_64 cyrus-sasl-plain-2.1.25-2.fc18.x86_64 glibc-2.16-28.fc18.x86_64 pcre-8.31-3.fc18.x86_64 sssd-client-1.9.3-1.fc18.x86_64
=======================================================================

When I run that command, I get the following message:

=======================================================================
No debuginfo packages available to install
=======================================================================

Which, of course, is unhelpful.

--- Mike

From rmeggins at redhat.com Fri Dec 28 20:40:45 2012
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 28 Dec 2012 13:40:45 -0700
Subject: [Freeipa-users] solved: here are some additional passsync notes
In-Reply-To:
References:
Message-ID: <50DE03CD.4090202@redhat.com>

On 12/24/2012 09:13 AM, Nate Marks wrote:
> I'd love some feedback on these. They seemed to work for me. Thanks!
>
> Introduction
> This guide starts at the point where your freeipa server is correctly replicating accounts from a windows active directory server. The following steps are intended to help you roll out the passsync software to all of your domain controllers. Detailed descriptions of how the software works are available from people far more competent than myself. I'm just covering some installation tips. One thing that really screwed me up is that there are great passsync docs for 389 directory server and great passsync docs for freeipa server. They are similar. They are NOT interchangeable. When using freeipa server stick with freeipa docs. I know this seems obvious, but when passsync doesn't work the first time, my instinct is to cast about on google for things that seem to be related.
> When you find the 389 server docs under those circumstances and try to apply them to freeipa, you find a rathole.

Fixed - see below.

> Getting started:
>
> It's theoretically possible to get the passsync to work on the first attempt. I've just never done it. In order for that to work, you have to have exactly the right values ready to go when you run the passsync installer. The installer has input fields for the following items:
>
> verifying the hostname, username, password and search base values
> hostname:
> port: 636
> username: uid=passsync,cn=sysaccounts,cn=etc,dc=,dc=
> password:
> cert token: tried it with and without the /etc/dirsrv/slapd-instance/pwdfile.txt contents

Right - not needed

> search base=cn=users,cn=accounts,dc=inframax,dc=ncare
>
> The best tool I found in windows for checking the passsync installation settings is ldp.
> First I'll talk about verifying the easy stuff (hostname, username, password, search base). Run notepad on the windows server and put in the values you're going to use before running the passsync installer. Then run ldp.exe and use the values from notepad and the steps below to verify the hostname, username, password and search base.
>
> ldp.exe
> connection
> connect
> enter the freeipa server hostname in the server field
> enter port 636 (non-ssl port) in the port field

636 is the SSL port
Does ldp have an option for StartTLS?

> check the SSL box
> click OK
>
> connection
> bind
> select the 'simple bind' radio button
> enter the DN for the passsync account on the freeipa server in the user field. This is "uid=passsync,cn=sysaccounts,cn=etc,dc=,dc=" by default
> enter the password for the passsync account in the password field
> click ok
>
> select view > tree and make sure you can browse the tree in the ipa server. Browse to the subtree that you're going to use for the search base and make sure you see your replicated accounts in that container.
> If you can, then the values you used for the hostname, username, password and search base are all correct. It also means that the ca.crt file you imported for ldap account synchronization is working correctly.
>
> NOTE: I left cert token empty. It seems to be used for encrypting the certificate db in c:\program files\389 directory password synchronization. That can be done after you get password synchronization working.

Right - it is not needed

> Installing Passsync:
> Now we've done a bunch of work to check our values, but we haven't accomplished anything. So go ahead and run the passsync msi installer and enter your values into the appropriate fields.
>
> The installer will create files, directories and registry stuff, but we're not nearly done.
>
> Step 5 in the link below seems to have the correct steps. Be sure to import the same certificate that you imported in the account synchronization process. I got mine with wget http:///ipa/config/ca.crt.
>
> https://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/pass-sync.html
>
> One more thing before rebooting, use regedit to change the value of HKLM->Software->PasswordSync "Log Level" from 0 to 1. If everything works and you don't need it, great!
>
> If the stars line up, you've put good values into the passsync installer, imported the freeipa server's certificate into the cert DB that passsync uses and the installer registered a new dll to capture password change events. You need to reboot the server to get the dll registration to take effect.
> After it restarts, change the password on an account that's being replicated to free ipa.
> Use notepad to open the file c:\program files\389 directory password synchronization\passsync.txt
> If the passhook.dll is working correctly, you'll see an entry like:
> '1 new entries loaded from data file'
>
> If ssl is working correctly, you'll be able to log into the freeipa server with the test account and newly changed password.
>
> If it doesn't work, verify your cert and your values with ldp.exe. I just don't have anything better than that yet.
>
> This takes me to the point where I'd love more tools to troubleshoot the problem.
>
> Other things I've tried:
> 1) UAC. I disable it, but I'd love some feedback on whether or not that's required on win 2k8R2.
> 2) some of my DCs have certificate services installed and some don't. I don't think any of that matters for passsync, but I'd love feedback there too.

It doesn't matter, as long as the Active Directory is using TLS/SSL somehow, and you have access to the CA cert of the CA that issued the Active Directory Server cert.

> 3) Here are the details on the 389 directory server steps that screwed me up:
>
> I found these steps for exporting the cert from the linux side that apparently apply to 389 and not to freeipa (http://directory.fedoraproject.org/wiki/Howto:WindowsSync) and they really screwed me up with freeipa:
> ***DO NOT USE THIS METHOD TO GET A PASSSYNC CERT***
> cd /usr/lib/dirsrv/slapd-instance_name
> certutil -d . -L -n "CA certificate" -a > dsca.crt
> # NOTE - it might not be called CA certificate - use certutil -d . -L to list your certs
> ***DO NOT USE THIS METHOD TO GET A PASSSYNC CERT***

I think the problem is that it tells you to use /usr/lib/dirsrv/slapd-INST which is bogus - it should be /etc/dirsrv/slapd-INST - I've fixed the wiki page

> Instead, just use the process that worked for the account replication setup.
> Just use the ca.crt from http:///ipa/config/ac.crt .
This is probably simpler and will work from the windows machine as well

> The steps don't throw any errors, but that certificate didn't work for me. It may be a little obvious, but it only worked if I imported the same cert file used in the replication process. I got that file
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

From cao2dan at yahoo.com Sat Dec 29 00:26:05 2012
From: cao2dan at yahoo.com (David Copperfield)
Date: Fri, 28 Dec 2012 16:26:05 -0800 (PST)
Subject: [Freeipa-users] delegation questions: how to reset password for subordinate?
In-Reply-To: <1356702673.2894.183.camel@willson.li.ssimo.org>
References: <558C15177F5E714F83334217C9A197DF5DB4175B@SSC-MBX2.ssc.internal> <20801.213.225.75.97.1355821569.squirrel@www.nixtra.com> <50D09ED3.3030102@redhat.com> <558C15177F5E714F83334217C9A197DF5DB82294@SSC-MBX2.ssc.internal> <51748.188.244.64.7.1355994836.squirrel@www.nixtra.com> <558C15177F5E714F83334217C9A197DF5DB822D5@SSC-MBX2.ssc.internal> <55800.188.244.64.7.1356013244.squirrel@www.nixtra.com> <558C15177F5E714F83334217C9A197DF5DB824EC@SSC-MBX2.ssc.internal> <05280886-b1cd-43aa-8493-44c83c2a9cb0@email.android.com> <558C15177F5E714F83334217C9A197DF5DB82517@SSC-MBX2.ssc.internal> <2b562757-46f5-47e4-bc47-d75b0991d70a@email.android.com> <1356566233.1175.YahooMailNeo@web122603.mail.ne1.yahoo.com> <1356702673.2894.183.camel@willson.li.ssimo.org>
Message-ID: <1356740765.32084.YahooMailNeo@web164906.mail.bf1.yahoo.com>

Hi Simo,

That works perfectly. Thanks a lot.

--David

________________________________
From: Simo Sorce
To: David Copperfield
Cc: "freeipa-users at redhat.com"
Sent: Friday, December 28, 2012 5:51 AM
Subject: Re: [Freeipa-users] delegation questions: how to reset password for subordinate?
On Wed, 2012-12-26 at 15:57 -0800, David Copperfield wrote:
> Hi all,
>
> What are the user attributes that a manager should be granted read&write permissions on to reset passwords for subordinate employees? The typical implementation case: managers need to take care of password reset requests for their subordinate employees.
>
> I selected the 'userpassword' field the first time but it fails, then combined it with a few other krb* fields but those don't help either.
>
> If you have the minimum field combinations to make the 'password changing' delegation work, please feel free to post your results here. Presently I just select ALL fields with read&write permissions to make it work, but that definitely is overkill and potentially hurts privacy.

You need write access to at least userPassword and krbPrincipalKey.

Simo.

P.S. David, please do not start a new thread by replying to old mails.

--
Simo Sorce * Red Hat, Inc * New York

From cao2dan at yahoo.com Sat Dec 29 00:35:09 2012
From: cao2dan at yahoo.com (David Copperfield)
Date: Fri, 28 Dec 2012 16:35:09 -0800 (PST)
Subject: [Freeipa-users] replication procedure and status check?
Message-ID: <1356741309.99804.YahooMailNeo@web164903.mail.bf1.yahoo.com>

Hi howdy,

Is there a nagios check for replication among IPA servers and replicas? If not, is there a way to test the replica status through some files or underlying LDAP command outputs?

I have one test environment with an IPA server on a VMware instance, two IPA replicas created from the server, and a few IPA clients which talk to the replicas.

I shut down the IPA server from time to time for whole machine level backups. After the IPA server boots back up again, sometimes the 'ipa user-find' command fails. I am not sure:

1, how long does it take for the IPA server to replicate/sync the changes made on the IPA replicas during the server's down time?
2, how to check the replication/sync processes?

3, did the IPA commands fail as a protection because the IPA server is still in the replication/sync waiting/doing process?

Thanks.

--David.

From rcritten at redhat.com Sat Dec 29 01:21:44 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 28 Dec 2012 20:21:44 -0500
Subject: [Freeipa-users] replication procedure and status check?
In-Reply-To: <1356741309.99804.YahooMailNeo@web164903.mail.bf1.yahoo.com>
References: <1356741309.99804.YahooMailNeo@web164903.mail.bf1.yahoo.com>
Message-ID: <50DE45A8.5050207@redhat.com>

David Copperfield wrote:
> Hi howdy,
>
> Is there a nagios check for replication among IPA servers and replicas? If not, is there a way to test the replica status through some files or underlying LDAP command outputs?
>
> I have one test environment with an IPA server on a VMware instance, two IPA replicas created from the server, and a few IPA clients which talk to the replicas.
>
> I shut down the IPA server from time to time for whole machine level backups. After the IPA server boots back up again, sometimes the 'ipa user-find' command fails. I am not sure:
>
> 1, how long does it take for the IPA server to replicate/sync the changes made on the IPA replicas during the server's down time?

It depends on the number of changes. 389-ds basically starts this when the connection comes back up.

> 2, how to check the replication/sync processes?

The agreements are in cn=mapping tree,cn=config. You'll need to bind as the directory manager or as a user delegated access to read this. There are some delegation status attributes.

> 3, did the IPA commands fail as a protection because the IPA server is still in the replication/sync waiting/doing process?

I'm not sure what you mean by failed. How did it fail?

rob
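An added example, not code from the thread or from the FreeIPA project: a small Nagios-style check built on Rob's pointer. It parses the LDIF that an ldapsearch of the agreements under cn=mapping tree,cn=config returns (bound as Directory Manager or a delegated user) and flags any agreement whose last update did not succeed, or whose last successful update is older than an hour. The attribute names (nsds5replicaHost, nsds5replicaLastUpdateStatus, nsds5replicaLastUpdateEnd, nsds5replicaUpdateInProgress) are the 389-ds agreement attributes; the status string format has changed across 389-ds releases, so the parser only relies on the leading numeric code ("0 ..." or "Error (0) ..."). The host names, base DN and the embedded sample LDIF are constructed for the example, and the ldapsearch invocation in the docstring is an assumption about the deployment.

```python
"""Nagios-style replication-agreement check for 389-ds / FreeIPA.

Feed it the LDIF produced by something like (hypothetical host and base DN):
  ldapsearch -LLL -x -ZZ -h ipa.example.test -D "cn=Directory Manager" -W \
    -b "cn=mapping tree,cn=config" "(objectClass=nsds5replicationagreement)" \
    nsds5replicaHost nsds5replicaLastUpdateStatus nsds5replicaLastUpdateEnd \
    nsds5replicaUpdateInProgress
"""
import re
import sys
from datetime import datetime, timedelta, timezone

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3

# Constructed sample: one healthy agreement, one that could not acquire its peer.
SAMPLE_LDIF = """\
dn: cn=meToreplica1.example.test,cn=replica,cn=dc\\3Dexample\\2Cdc\\3Dtest,cn=mapping tree,cn=config
nsds5replicaHost: replica1.example.test
nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental update succeeded
nsds5replicaLastUpdateEnd: 20121229010000Z
nsds5replicaUpdateInProgress: FALSE

dn: cn=meToreplica2.example.test,cn=replica,cn=dc\\3Dexample\\2Cdc\\3Dtest,cn=mapping tree,cn=config
nsds5replicaHost: replica2.example.test
nsds5replicaLastUpdateStatus: -1 Unable to acquire replica: permission denied
nsds5replicaLastUpdateEnd: 20121228230000Z
nsds5replicaUpdateInProgress: FALSE
"""


def parse_ldif(text):
    """Minimal LDIF parser: blank-line separated entries, 'attr: value' lines,
    folded continuation lines (leading space) appended to the previous value."""
    entries, current, last_attr = [], {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and last_attr:
            current[last_attr][-1] += raw[1:]
            continue
        if not raw.strip():
            if current:
                entries.append(current)
                current, last_attr = {}, None
            continue
        attr, _, value = raw.partition(":")
        attr = attr.strip().lower()
        current.setdefault(attr, []).append(value.strip())
        last_attr = attr
    if current:
        entries.append(current)
    return entries


# Matches the leading code in both "0 Replica acquired..." and "Error (0) Replica...".
STATUS_CODE = re.compile(r"^(?:Error\s*\()?(-?\d+)\)?")


def status_code(status):
    """Numeric code at the start of nsds5replicaLastUpdateStatus, or None."""
    m = STATUS_CODE.match(status)
    return int(m.group(1)) if m else None


def check_agreements(entries, now, max_age=timedelta(hours=1)):
    """Return (nagios_exit_code, message) for the parsed agreement entries."""
    if not entries:
        return UNKNOWN, "no replication agreements found"
    worst, problems = OK, []
    for e in entries:
        host = e.get("nsds5replicahost", ["?"])[0]
        status = e.get("nsds5replicalastupdatestatus", [""])[0]
        code = status_code(status)
        if code is None:
            worst, problems = max(worst, UNKNOWN), problems + ["%s: no status" % host]
            continue
        if code != 0:
            worst, problems = max(worst, CRITICAL), problems + ["%s: %s" % (host, status)]
            continue
        end = e.get("nsds5replicalastupdateend", [""])[0]
        try:
            ended = datetime.strptime(end, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
        except ValueError:
            ended = None
        # A stale success is only a warning: the peer may have been unreachable since.
        if ended is None or now - ended > max_age:
            worst = max(worst, WARNING)
            problems.append("%s: last update %s" % (host, end or "unknown"))
    return worst, "; ".join(problems) if problems else "all %d agreements OK" % len(entries)


def main():
    text = SAMPLE_LDIF if sys.stdin.isatty() else sys.stdin.read()
    code, msg = check_agreements(parse_ldif(text), datetime.now(timezone.utc))
    print(["OK", "WARNING", "CRITICAL", "UNKNOWN"][code] + ": " + msg)
    sys.exit(code)


if __name__ == "__main__":
    main()
```

Pipe the ldapsearch output into the script from the Nagios plugin wrapper; run without input it evaluates the constructed sample and exits 2 because of the second agreement. Binding as Directory Manager from a monitoring host is a large credential to hand out, so a read-only account delegated just the agreement attributes is the better fit for a permanent check.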
From npmarks at gmail.com Sat Dec 29 13:35:15 2012
From: npmarks at gmail.com (Nate Marks)
Date: Sat, 29 Dec 2012 08:35:15 -0500
Subject: [Freeipa-users] solved: here are some additional passsync notes
In-Reply-To: <50DE03CD.4090202@redhat.com>
References: <50DE03CD.4090202@redhat.com>
Message-ID:

Thanks for the feedback! ldp.exe does support ssl. The comment about 636 being the non-ssl port was cruft from a previous version where I was trying to keep things simple.

On Fri, Dec 28, 2012 at 3:40 PM, Rich Megginson wrote:
> [...]
From dale at themacartneyclan.com Sat Dec 29 16:29:24 2012
From: dale at themacartneyclan.com (Dale Macartney)
Date: Sat, 29 Dec 2012 16:29:24 +0000
Subject: [Freeipa-users] Fedora 18 + FreeIPA 3.1
Message-ID: <50DF1A64.90702@themacartneyclan.com>

Afternoon all

using Fedora 18 Beta and attempting to install FreeIPA 3.1

when running through the install of "ipa-server-install --setup-dns" I end up with a failure with the below output

[root at ds01 ~]# ipa-server-install --setup-dns
.....
.....
Done configuring directory server (dirsrv).
Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
  [1/20]: creating certificate server user
  [2/20]: configuring certificate server instance
  [3/20]: disabling nonces
  [4/20]: creating RA agent certificate database
  [5/20]: importing CA chain to RA certificate database
  [6/20]: fixing RA database permissions
  [7/20]: setting up signing cert profile
  [8/20]: set up CRL publishing
  [9/20]: set certificate subject base
  [10/20]: enabling Subject Key Identifier
  [11/20]: enabling CRL and OCSP extensions for certificates
  [12/20]: setting audit signing renewal to 2 years
  [13/20]: configuring certificate server to start on boot
  [14/20]: restarting certificate server
  [15/20]: requesting RA certificate from CA
  [16/20]: issuing RA agent certificate
Unexpected error - see /var/log/ipaserver-install.log for details:
CalledProcessError: Command '/usr/bin/sslget -v -n ipa-ca-agent -p XXXXXXXX -d /tmp/tmp-kUFAyN -r /ca/agent/ca/profileReview?requestId=7 ds01.domain.com:8443' returned non-zero exit status 6

there is absolutely nothing in any logs at all apart from a few selinux audit logs (system running in permissive mode).

Any thoughts?
Thanks all

Dale

From rcritten at redhat.com Sat Dec 29 18:38:38 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Sat, 29 Dec 2012 13:38:38 -0500
Subject: [Freeipa-users] Fedora 18 + FreeIPA 3.1
In-Reply-To: <50DF1A64.90702@themacartneyclan.com>
References: <50DF1A64.90702@themacartneyclan.com>
Message-ID: <50DF38AE.8040307@redhat.com>

Dale Macartney wrote:
> Afternoon all
>
> using Fedora 18 Beta and attempting to install FreeIPA 3.1
>
> when running through the install of "ipa-server-install --setup-dns" I end up with a failure with the below output
>
> [root at ds01 ~]# ipa-server-install --setup-dns
> .....
> .....
> Done configuring directory server (dirsrv).
> Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
>   [1/20]: creating certificate server user
>   [2/20]: configuring certificate server instance
>   [3/20]: disabling nonces
>   [4/20]: creating RA agent certificate database
>   [5/20]: importing CA chain to RA certificate database
>   [6/20]: fixing RA database permissions
>   [7/20]: setting up signing cert profile
>   [8/20]: set up CRL publishing
>   [9/20]: set certificate subject base
>   [10/20]: enabling Subject Key Identifier
>   [11/20]: enabling CRL and OCSP extensions for certificates
>   [12/20]: setting audit signing renewal to 2 years
>   [13/20]: configuring certificate server to start on boot
>   [14/20]: restarting certificate server
>   [15/20]: requesting RA certificate from CA
>   [16/20]: issuing RA agent certificate
> Unexpected error - see /var/log/ipaserver-install.log for details:
> CalledProcessError: Command '/usr/bin/sslget -v -n ipa-ca-agent -p XXXXXXXX -d /tmp/tmp-kUFAyN -r /ca/agent/ca/profileReview?requestId=7 ds01.domain.com:8443' returned non-zero exit status 6
>
> there is absolutely nothing in any logs at all apart from a few selinux audit logs (system running in permissive mode).
>
> Any thoughts?

This usually means a problem with DNS.

rob
rob

From dale at themacartneyclan.com Sat Dec 29 19:10:20 2012
From: dale at themacartneyclan.com (Dale Macartney)
Date: Sat, 29 Dec 2012 19:10:20 +0000
Subject: [Freeipa-users] Fedora 18 + FreeIPA 3.1
In-Reply-To: <50DF38AE.8040307@redhat.com>
References: <50DF1A64.90702@themacartneyclan.com> <50DF38AE.8040307@redhat.com>
Message-ID: <50DF401C.7020401@themacartneyclan.com>

On 12/29/2012 06:38 PM, Rob Crittenden wrote:
> Dale Macartney wrote:
>>
>> Afternoon all
>>
>> using Fedora 18 Beta and attempting to install FreeIPA 3.1
>>
>> when running through the install of "ipa-server-install --setup-dns" I
>> end up with a failure with the below output
>>
>>
>> [root at ds01 ~]# ipa-server-install --setup-dns
>> .....
>> .....
>> Done configuring directory server (dirsrv).
>> Configuring certificate server (pki-tomcatd): Estimated time 3 minutes
>> 30 seconds
>>   [1/20]: creating certificate server user
>>   [2/20]: configuring certificate server instance
>>   [3/20]: disabling nonces
>>   [4/20]: creating RA agent certificate database
>>   [5/20]: importing CA chain to RA certificate database
>>   [6/20]: fixing RA database permissions
>>   [7/20]: setting up signing cert profile
>>   [8/20]: set up CRL publishing
>>   [9/20]: set certificate subject base
>>   [10/20]: enabling Subject Key Identifier
>>   [11/20]: enabling CRL and OCSP extensions for certificates
>>   [12/20]: setting audit signing renewal to 2 years
>>   [13/20]: configuring certificate server to start on boot
>>   [14/20]: restarting certificate server
>>   [15/20]: requesting RA certificate from CA
>>   [16/20]: issuing RA agent certificate
>> Unexpected error - see /var/log/ipaserver-install.log for details:
>> CalledProcessError: Command '/usr/bin/sslget -v -n ipa-ca-agent -p
>> XXXXXXXX -d /tmp/tmp-kUFAyN -r /ca/agent/ca/profileReview?requestId=7
>> ds01.domain.com:8443' returned non-zero exit status 6
>>
>>
>> there is absolutely nothing in any logs at all apart from a few selinux
>> audit logs (system running in permissive mode).
>>
>> Any thoughts?
>
> This usually means a problem with DNS.

Hmm... normally I set a dns forwarder of 10.0.0.254...
This time I tried it with no forwarder at all...
Same error occurs...

>
> rob
>

From Johan.Petersson at sscspace.com Sun Dec 30 14:37:44 2012
From: Johan.Petersson at sscspace.com (Johan Petersson)
Date: Sun, 30 Dec 2012 14:37:44 +0000
Subject: [Freeipa-users] Does Solaris 11 work as client to IPA server?
In-Reply-To:
References: <558C15177F5E714F83334217C9A197DF5DB82578@SSC-MBX2.ssc.internal>
Message-ID: <558C15177F5E714F83334217C9A197DF5DB825D3@SSC-MBX2.ssc.internal>

Tried that, on a new environment this time.
First on the secured Solaris box, but did not get so much information, most by port 636.

I only have NFS 4 enabled as alternative on both IPA Server and on Solaris with port 2049 open TCP/UDP.
All ports defined for IPA Server opened, both TCP and UDP (and a bunch more for kerberos error checking).

I get the same delay on the Solaris with default DUAProfile as with secure DUAProfile.

I used snoop on the Solaris machine. On the Solaris configured with the default DUAProfile I managed to get this (spam warning):

First with iptables enabled on IPA Server (server.home.hup):

  9   0.00562 solaris1.home.hup -> server.home.hup LDAP C port=45876 Search Request derefAlways
 10   0.00072 server.home.hup -> solaris1.home.hup LDAP R port=45876 Search ResDone Success
 11   0.00069 solaris1.home.hup -> server.home.hup LDAP C port=45876 Search Request derefAlways
 12   0.00060 server.home.hup -> solaris1.home.hup LDAP R port=45876 Search ResDone No Such Object
 13   0.00016 solaris1.home.hup -> server.home.hup LDAP C port=45876 Search Request derefAlways
 14   0.00053 server.home.hup -> solaris1.home.hup LDAP R port=45876 Search ResDone No Such Object
 15   0.00427 solaris1.home.hup -> server.home.hup TCP D=2049 S=1022 Syn Seq=202740719 Len=0 Win=32804 Options=
 16   0.00018 server.home.hup -> solaris1.home.hup TCP D=1022 S=2049 Syn Ack=202740720 Seq=26969365 Len=0 Win=14480 Options=
 17   0.00001 solaris1.home.hup -> server.home.hup TCP D=2049 S=1022 Ack=26969366 Seq=202740720 Len=0 Win=32806 Options=
 18   0.00006 solaris1.home.hup -> server.home.hup NFS C 4 (access ) PUTFH FH=6D78 ACCESS rd,lk,mo,ext,dl GETATTR 10011a b0a23a
 19   0.00023 server.home.hup -> solaris1.home.hup TCP D=1022 S=2049 Ack=202740900 Seq=26969366 Len=0 Win=122 Options=
 20   0.00014 server.home.hup -> solaris1.home.hup NFS R 4 (access ) NFS4_OK PUTFH NFS4_OK ACCESS NFS4_OK Supp=rd,lk,mo,ext,dl Allow=rd,lk,mo,ext,dl GETATTR NFS4_OK
 21   0.00001 solaris1.home.hup -> server.home.hup TCP D=2049 S=1022 Ack=26969618 Seq=202740900 Len=0 Win=32806 Options=
 22   0.00371 solaris1.home.hup -> server.home.hup NFS C 4 (lookup ) PUTFH FH=6D78 SAVEFH LOOKUP .hushlogin GETFH GETATTR 10011a b0a23a RESTOREFH NVERIFY GETATTR 1001...
 23   0.00045 server.home.hup -> solaris1.home.hup NFS R 4 (lookup ) NFS4ERR_NOENT PUTFH NFS4_OK SAVEFH NFS4_OK LOOKUP NFS4ERR_NOENT
 24   0.00001 solaris1.home.hup -> server.home.hup TCP D=2049 S=1022 Ack=26969694 Seq=202741156 Len=0 Win=32806 Options=
 25   0.00863 solaris1.home.hup -> server.home.hup DNS C server.home.hup. Internet AAAA ?
 26   0.00180 server.home.hup -> solaris1.home.hup DNS R
 27   0.00006 solaris1.home.hup -> server.home.hup DNS C server.home.hup.home.hup. Internet AAAA ?
 28   0.00155 server.home.hup -> solaris1.home.hup DNS R Error: 3(Name Error)
 29   0.00006 solaris1.home.hup -> server.home.hup DNS C server.home.hup. Internet Addr ?
 30   0.00038 server.home.hup -> solaris1.home.hup DNS R server.home.hup. Internet Addr 192.168.0.111
 31   0.00045 solaris1.home.hup -> server.home.hup PORTMAP C GETPORT prog=100011 (RQUOTA) vers=1 proto=UDP
 32   0.00041 server.home.hup -> solaris1.home.hup PORTMAP R GETPORT port=875
 33   0.00007 solaris1.home.hup -> server.home.hup RQUOTA C GETACTIVE Uid=27200004 Path=/nethome/user02
 34   0.00026 server.home.hup -> solaris1.home.hup ICMP Destination unreachable (Host administratively prohibited)
 35   0.03349 solaris1.home.hup -> server.home.hup LDAP C port=45876
 69   0.32692 solaris1.home.hup -> server.home.hup RQUOTA C GETACTIVE Uid=27200004 Path=/nethome/user02 (retransmit)
 70   0.00036 server.home.hup -> solaris1.home.hup ICMP Destination unreachable (Host administratively prohibited)
 82   0.06871 server.home.hup -> * ARP C Who is 192.168.0.210, solaris1.home.hup ?
 83   0.00001 solaris1.home.hup -> server.home.hup ARP R 192.168.0.210, solaris1.home.hup is 8:0:27:1c:dc:a8
 85   0.00202 solaris1.home.hup -> server.home.hup NFS C 4 (lookup ) PUTFH FH=6D78 SAVEFH LOOKUP .profile GETFH GETATTR 10011a b0a23a RESTOREFH NVERIFY GETATTR 10011a...
 86   0.00041 server.home.hup -> solaris1.home.hup NFS R 4 (lookup ) NFS4ERR_NOENT PUTFH NFS4_OK SAVEFH NFS4_OK LOOKUP NFS4ERR_NOENT
 87   0.00009 solaris1.home.hup -> server.home.hup NFS C 4 (lookup valid) PUTFH FH=6D78 NVERIFY GETATTR 10011a b0a23a ACCESS rd,lk,mo,ext,dl LOOKUP .profile GETFH GETATTR ...
 88   0.00041 server.home.hup -> solaris1.home.hup NFS R 4 (lookup valid) NFS4ERR_SAME PUTFH NFS4_OK NVERIFY NFS4ERR_SAME
 89   0.00081 solaris1.home.hup -> server.home.hup NFS C 4 (lookup ) PUTFH FH=6D78 SAVEFH LOOKUP .kshrc GETFH GETATTR 10011a b0a23a RESTOREFH NVERIFY GETATTR 10011a b...
 90   0.00032 server.home.hup -> solaris1.home.hup NFS R 4 (lookup ) NFS4ERR_NOENT PUTFH NFS4_OK SAVEFH NFS4_OK LOOKUP NFS4ERR_NOENT
 91   0.00017 solaris1.home.hup -> server.home.hup NFS C 4 (access ) PUTFH FH=6993 ACCESS rd,mo,ext,exc GETATTR 10011a b0a23a
 92   0.00030 server.home.hup -> solaris1.home.hup NFS R 4 (access ) NFS4_OK PUTFH NFS4_OK ACCESS NFS4_OK Supp=rd,mo,ext,exc Allow=rd,mo,ext GETATTR NFS4_OK
 93   0.00008 solaris1.home.hup -> server.home.hup NFS C 4 (open ) PUTFH FH=6D78 OPEN .sh_history OT=NC SQ=4 CT=N AC=RW DN=N OO=0012 GETFH GETATTR 10011a b0a23a
 94   0.00036 server.home.hup -> solaris1.home.hup NFS R 4 (open ) NFS4ERR_EXPIRED PUTFH NFS4_OK OPEN NFS4ERR_EXPIRED
 95   0.00009 solaris1.home.hup -> server.home.hup NFS C 4 (setclientid ) PUTROOTFH GETATTR 400 0 SETCLIENTID Prog=1073741824 ID=tcp Addr=127.0.0.1.204.217 CBID=1073741824
 96   0.00043 server.home.hup -> solaris1.home.hup NFS R 4 (setclientid ) NFS4_OK PUTROOTFH NFS4_OK GETATTR NFS4_OK SETCLIENTID NFS4_OK CL=b05de503f000000 CFV=1948E0503E000000
 97   0.00004 solaris1.home.hup -> server.home.hup NFS C 4 (sclntid_conf) SETCLIENTID_CONFIRM CL=b05de503f000000 CFV=1948E0503E000000
 98   0.00031 server.home.hup -> solaris1.home.hup NFS R 4 (sclntid_conf) NFS4_OK SETCLIENTID_CONFIRM NFS4_OK
 99   0.00592 solaris1.home.hup -> server.home.hup NFS C 4 (open ) PUTFH FH=6D78 OPEN .sh_history OT=NC SQ=5 CT=N AC=RW DN=N OO=0012 GETFH GETATTR 10011a b0a23a
100   0.00040 server.home.hup -> solaris1.home.hup NFS R 4 (open ) NFS4_OK PUTFH NFS4_OK OPEN NFS4_OK ST=110C:0 RF=CF,PL DT=N GETFH NFS4_OK FH=6993 GETATTR NFS4_OK
101   0.00006 solaris1.home.hup -> server.home.hup NFS C 4 (open_confirm) PUTFH FH=6993 OPEN_CONFIRM SQ=6 OST=110C:0
102   0.02607 server.home.hup -> solaris1.home.hup NFS R 4 (open_confirm) NFS4_OK PUTFH NFS4_OK OPEN_CONFIRM NFS4_OK OST=110C:1
103   0.00015 solaris1.home.hup -> server.home.hup NFS C 4 (read ) PUTFH FH=6993 READ ST=110C:1 at 0 for 4096
104   0.00049 server.home.hup -> solaris1.home.hup NFS R 4 (read ) NFS4_OK PUTFH NFS4_OK READ NFS4_OK (388 bytes) EOF

And then without any iptables on the IPA Server:

  9   0.00342 solaris1.home.hup -> server.home.hup LDAP C port=45876 Search Request derefAlways
 10   0.00098 server.home.hup -> solaris1.home.hup LDAP R port=45876 Search ResDone Success
 11   0.00198 solaris1.home.hup -> server.home.hup LDAP C port=45876 Search Request derefAlways
 12   0.00092 server.home.hup -> solaris1.home.hup LDAP R port=45876 Search ResDone Success
 13   0.00028 solaris1.home.hup -> server.home.hup LDAP C port=45876 Search Request derefAlways
 14   0.00049 server.home.hup -> solaris1.home.hup LDAP R port=45876 Search ResDone Success
 15   0.00059 solaris1.home.hup -> server.home.hup LDAP C port=45876 Search Request derefAlways
 16   0.00051 server.home.hup -> solaris1.home.hup LDAP R port=45876 Search ResDone No Such Object
 17   0.00018 solaris1.home.hup -> server.home.hup LDAP C port=45876 Search Request derefAlways
 18   0.00064 server.home.hup -> solaris1.home.hup LDAP R port=45876 Search ResDone Success
 19   0.00023 solaris1.home.hup -> server.home.hup LDAP C port=45876 Search Request derefAlways
 20   0.00046 server.home.hup -> solaris1.home.hup LDAP R port=45876 Search ResDone No Such Object
 21   0.00555 solaris1.home.hup -> server.home.hup LDAP C port=45876 Search Request derefAlways
 22   0.00071 server.home.hup -> solaris1.home.hup LDAP R port=45876 Search ResDone Success
 23   0.00019 solaris1.home.hup -> server.home.hup LDAP C port=45876 Search Request derefAlways
 24   0.00054 server.home.hup -> solaris1.home.hup LDAP R port=45876 Search ResDone Success
 25   0.00988 solaris1.home.hup -> server.home.hup DNS C server.home.hup. Internet Addr ?
 26   0.00151 server.home.hup -> solaris1.home.hup DNS R server.home.hup. Internet Addr 192.168.0.111
 27   0.00041 solaris1.home.hup -> server.home.hup TCP D=2049 S=41914 Syn Seq=115340402 Len=0 Win=64240 Options=
 28   0.00020 server.home.hup -> solaris1.home.hup TCP D=41914 S=2049 Syn Ack=115340403 Seq=1993365625 Len=0 Win=14480 Options=
 29   0.00001 solaris1.home.hup -> server.home.hup TCP D=2049 S=41914 Ack=1993365626 Seq=115340403 Len=0 Win=64436 Options=
 30   0.00012 solaris1.home.hup -> server.home.hup NFS C NULL4
 31   0.00019 server.home.hup -> solaris1.home.hup TCP D=41914 S=2049 Ack=115340447 Seq=1993365626 Len=0 Win=114 Options=
 32   0.00000 server.home.hup -> solaris1.home.hup NFS R NULL4
 33   0.00002 solaris1.home.hup -> server.home.hup TCP D=2049 S=41914 Ack=1993365654 Seq=115340447 Len=0 Win=64436 Options=
 34   0.00013 solaris1.home.hup -> server.home.hup TCP D=2049 S=41914 Fin Ack=1993365654 Seq=115340447 Len=0 Win=64436 Options=
 35   0.00018 server.home.hup -> solaris1.home.hup TCP D=41914 S=2049 Fin Ack=115340448 Seq=1993365654 Len=0 Win=114 Options=
 36   0.00000 solaris1.home.hup -> server.home.hup TCP D=2049 S=41914 Ack=1993365655 Seq=115340448 Len=0 Win=64436 Options=
 37   0.00094 solaris1.home.hup -> server.home.hup TCP D=2049 S=41351 Syn Seq=115473283 Len=0 Win=64240 Options=
 38   0.00026 server.home.hup -> solaris1.home.hup TCP D=41351 S=2049 Syn Ack=115473284 Seq=2502274248 Len=0 Win=14480 Options=
 39   0.00002 solaris1.home.hup -> server.home.hup TCP D=2049 S=41351 Ack=2502274249 Seq=115473284 Len=0 Win=64436 Options=
 40   0.00008 solaris1.home.hup -> server.home.hup NFS C NULL4
 41   0.00024 server.home.hup -> solaris1.home.hup TCP D=41351 S=2049 Ack=115473328 Seq=2502274249 Len=0 Win=114 Options=
 42   0.00000 server.home.hup -> solaris1.home.hup NFS R NULL4
 43   0.00002 solaris1.home.hup -> server.home.hup TCP D=2049 S=41351 Ack=2502274277 Seq=115473328 Len=0 Win=64436 Options=
 44   0.00006 solaris1.home.hup -> server.home.hup TCP D=2049 S=41351 Fin Ack=2502274277 Seq=115473328 Len=0 Win=64436 Options=
 45   0.00019 server.home.hup -> solaris1.home.hup TCP D=41351 S=2049 Fin Ack=115473329 Seq=2502274277 Len=0 Win=114 Options=
 46   0.00000 solaris1.home.hup -> server.home.hup TCP D=2049 S=41351 Ack=2502274278 Seq=115473329 Len=0 Win=64436 Options=
 47   0.03045 solaris1.home.hup -> server.home.hup LDAP C port=45876
 48   0.04452 solaris1.home.hup -> server.home.hup TCP D=2049 S=1023 Syn Seq=115627513 Len=0 Win=32804 Options=
 49   0.00023 server.home.hup -> solaris1.home.hup TCP D=1023 S=2049 Syn Ack=115627514 Seq=609303438 Len=0 Win=14480 Options=
 50   0.00003 solaris1.home.hup -> server.home.hup TCP D=2049 S=1023 Ack=609303439 Seq=115627514 Len=0 Win=32806 Options=
 51   0.00009 solaris1.home.hup -> server.home.hup NFS C 4 (secinfo ) PUTROOTFH LOOKUP nethome SECINFO user02
 52   0.00018 server.home.hup -> solaris1.home.hup TCP D=1023 S=2049 Ack=115627658 Seq=609303439 Len=0 Win=122 Options=
 53   0.00030 server.home.hup -> solaris1.home.hup NFS R 4 (secinfo ) NFS4_OK PUTROOTFH NFS4_OK LOOKUP NFS4_OK SECINFO NFS4_OK AUTH_SYS RPCSEC_GSS RPCSEC_GSS RPCSEC_GSS
 54   0.00001 solaris1.home.hup -> server.home.hup TCP D=2049 S=1023 Ack=609303607 Seq=115627658 Len=0 Win=32806 Options=
 55   0.00057 solaris1.home.hup -> server.home.hup NFS C 4 (mount ) PUTROOTFH GETFH LOOKUP nethome GETFH GETATTR c8000167 0 LOOKUP user02 GETFH GETATTR c8000167 0 OP...
 56   0.00033 server.home.hup -> solaris1.home.hup NFS R 4 (mount ) NFS4ERR_NOTSUPP PUTROOTFH NFS4_OK GETFH NFS4_OK FH=0015 LOOKUP NFS4_OK GETFH NFS4_OK FH=458E GETATTR NFS4_OK LOOK...
 57   0.00001 solaris1.home.hup -> server.home.hup TCP D=2049 S=1023 Ack=609303975 Seq=115627874 Len=0 Win=32806 Options=
 58   0.00734 solaris1.home.hup -> server.home.hup NFS C 4 (setclientid ) PUTROOTFH GETATTR 400 0 SETCLIENTID Prog=1073741824 ID=tcp Addr=127.0.0.1.204.217 CBID=1073741824
 59   0.00041 server.home.hup -> solaris1.home.hup NFS R 4 (setclientid ) NFS4_OK PUTROOTFH NFS4_OK GETATTR NFS4_OK SETCLIENTID NFS4_OK CL=b05de503e000000 CFV=A246E0503D000000
 60   0.00011 solaris1.home.hup -> server.home.hup NFS C 4 (sclntid_conf) SETCLIENTID_CONFIRM CL=b05de503e000000 CFV=A246E0503D000000
 61   0.00028 server.home.hup -> solaris1.home.hup NFS R 4 (sclntid_conf) NFS4_OK SETCLIENTID_CONFIRM NFS4_OK
 62   0.00707 solaris1.home.hup -> server.home.hup NFS C 4 (fsinfo ) PUTFH FH=6D78 GETATTR 20e00000 1c00
 63   0.00037 server.home.hup -> solaris1.home.hup NFS R 4 (fsinfo ) NFS4_OK PUTFH NFS4_OK GETATTR NFS4_OK
 64   0.00870 solaris1.home.hup -> server.home.hup NFS C 4 (getattr ) PUTFH FH=6D78 GETATTR 10011a b0a23a
 65   0.00028 server.home.hup -> solaris1.home.hup NFS R 4 (getattr ) NFS4_OK PUTFH NFS4_OK GETATTR NFS4_OK
 66   0.01016 solaris1.home.hup -> server.home.hup NFS C 4 (access ) PUTFH FH=6D78 ACCESS rd,lk,mo,ext,dl GETATTR 10011a b0a23a
 67   0.00029 server.home.hup -> solaris1.home.hup NFS R 4 (access ) NFS4_OK PUTFH NFS4_OK ACCESS NFS4_OK Supp=rd,lk,mo,ext,dl Allow=rd,lk,mo,ext,dl GETATTR NFS4_OK
 68   0.00353 solaris1.home.hup -> server.home.hup NFS C 4 (lookup ) PUTFH FH=6D78 SAVEFH LOOKUP .hushlogin GETFH GETATTR 10011a b0a23a RESTOREFH NVERIFY GETATTR 1001...
 69   0.00031 server.home.hup -> solaris1.home.hup NFS R 4 (lookup ) NFS4ERR_NOENT PUTFH NFS4_OK SAVEFH NFS4_OK LOOKUP NFS4ERR_NOENT
 70   0.00830 solaris1.home.hup -> server.home.hup PORTMAP C GETPORT prog=100011 (RQUOTA) vers=1 proto=UDP
 71   0.00041 server.home.hup -> solaris1.home.hup PORTMAP R GETPORT port=875
 72   0.00041 solaris1.home.hup -> server.home.hup RQUOTA C GETACTIVE Uid=27200004 Path=/nethome/user02
 73   0.00051 server.home.hup -> solaris1.home.hup RQUOTA R GETACTIVE No quota
 74   0.01358 solaris1.home.hup -> server.home.hup LDAP C port=45876 Search Request derefAlways
 75   0.00058 server.home.hup -> solaris1.home.hup LDAP R port=45876 Search ResDone Success
 76   0.00082 solaris1.home.hup -> server.home.hup LDAP C port=45876 Search Request derefAlways
 78   0.00002 server.home.hup -> solaris1.home.hup LDAP R port=45876 Search ResDone Success
 80   0.00018 solaris1.home.hup -> server.home.hup LDAP C port=45876 Search Request derefAlways
 81   0.00038 server.home.hup -> solaris1.home.hup LDAP R port=45876 Search ResDone Success
 82   0.00149 solaris1.home.hup -> server.home.hup LDAP C port=45876 Search Request derefAlways
 83   0.00017 solaris1.home.hup -> server.home.hup NFS C 4 (lookup ) PUTFH FH=6D78 SAVEFH LOOKUP .profile GETFH GETATTR 10011a b0a23a RESTOREFH NVERIFY GETATTR 10011a...
 84   0.00016 server.home.hup -> solaris1.home.hup LDAP R port=45876 Search ResDone Success
 85   0.00006 server.home.hup -> solaris1.home.hup NFS R 4 (lookup ) NFS4ERR_NOENT PUTFH NFS4_OK SAVEFH NFS4_OK LOOKUP NFS4ERR_NOENT
 86   0.00023 solaris1.home.hup -> server.home.hup NFS C 4 (lookup valid) PUTFH FH=6D78 NVERIFY GETATTR 10011a b0a23a ACCESS rd,lk,mo,ext,dl LOOKUP .profile GETFH GETATTR ...
 87   0.00028 server.home.hup -> solaris1.home.hup NFS R 4 (lookup valid) NFS4ERR_SAME PUTFH NFS4_OK NVERIFY NFS4ERR_SAME
 88   0.13450 solaris1.home.hup -> server.home.hup TCP D=2049 S=1023 Ack=609304987 Seq=115629546 Len=0 Win=32806 Options=
 89   0.00005 solaris1.home.hup -> server.home.hup LDAP C port=45876
 90   0.00391 solaris1.home.hup -> server.home.hup NFS C 4 (lookup ) PUTFH FH=6D78 SAVEFH LOOKUP .kshrc GETFH GETATTR 10011a b0a23a RESTOREFH NVERIFY GETATTR 10011a b...
 91   0.00025 server.home.hup -> solaris1.home.hup NFS R 4 (lookup ) NFS4ERR_NOENT PUTFH NFS4_OK SAVEFH NFS4_OK LOOKUP NFS4ERR_NOENT
 92   0.00071 solaris1.home.hup -> server.home.hup NFS C 4 (lookup ) PUTFH FH=6D78 SAVEFH LOOKUP .sh_history GETFH GETATTR 10011a b0a23a RESTOREFH NVERIFY GETATTR 100...
 94   0.00026 server.home.hup -> solaris1.home.hup NFS R 4 (lookup ) NFS4_OK PUTFH NFS4_OK SAVEFH NFS4_OK LOOKUP NFS4_OK GETFH NFS4_OK FH=6993 GETATTR NFS4_OK RESTOREFH NFS4_...
 95   0.00043 solaris1.home.hup -> server.home.hup LDAP C port=45876 Search Request derefAlways
 96   0.00062 server.home.hup -> solaris1.home.hup LDAP R port=45876 Search ResDone Success
 97   0.00094 solaris1.home.hup -> server.home.hup NFS C 4 (access ) PUTFH FH=6993 ACCESS rd,mo,ext,exc GETATTR 10011a b0a23a
 98   0.00026 server.home.hup -> solaris1.home.hup NFS R 4 (access ) NFS4_OK PUTFH NFS4_OK ACCESS NFS4_OK Supp=rd,mo,ext,exc Allow=rd,mo,ext GETATTR NFS4_OK
 99   0.00005 solaris1.home.hup -> server.home.hup NFS C 4 (open ) PUTFH FH=6D78 OPEN .sh_history OT=NC SQ=1 CT=N AC=RW DN=N OO=0012 GETFH GETATTR 10011a b0a23a
100   0.00037 server.home.hup -> solaris1.home.hup NFS R 4 (open ) NFS4_OK PUTFH NFS4_OK OPEN NFS4_OK ST=1103:0 RF=CF,PL DT=N GETFH NFS4_OK FH=6993 GETATTR NFS4_OK
101   0.00004 solaris1.home.hup -> server.home.hup NFS C 4 (open_confirm) PUTFH FH=6993 OPEN_CONFIRM SQ=2 OST=1103:0
102   0.01161 server.home.hup -> solaris1.home.hup NFS R 4 (open_confirm) NFS4_OK PUTFH NFS4_OK OPEN_CONFIRM NFS4_OK OST=1103:1
103   0.00017 solaris1.home.hup -> server.home.hup NFS C 4 (read ) PUTFH FH=6993 READ ST=1103:1 at 0 for 4096
104   0.00035 server.home.hup -> solaris1.home.hup NFS R 4 (read ) NFS4_OK PUTFH NFS4_OK READ NFS4_OK (382 bytes) EOF
106   0.04916 solaris1.home.hup -> server.home.hup TCP D=2049 S=1023 Ack=609306715 Seq=115630838 Len=0 Win=32806 Options=
107   0.00008 solaris1.home.hup -> server.home.hup LDAP C port=45876

Regards,
Johan.

________________________________
From: Sigbjorn Lie [sigbjorn at nixtra.com]
Sent: Friday, December 28, 2012 15:08
To: Johan Petersson
Cc: freeipa-users at redhat.com
Subject: RE: [Freeipa-users] Does Solaris 11 work as client to IPA server?

How about enabling the firewall, and using tcpdump on the ipa server or snoop on the Solaris box to see where it stops and waits?

Rgds
Siggi

Johan Petersson wrote:

Forgot to add the ports opened in my last message. :)

22 TCP
80 TCP
443 TCP
389 TCP
636 TCP
7389 TCP
88 TCP,UDP
464 TCP,UDP
53 TCP,UDP
123 TCP,UDP
111 TCP,UDP
2049 TCP,UDP

Also tried 749, 750 and everything kerberos related from Solaris /etc/services.

Solaris.example.com and solaris2.example.com are the same machine, just a typo from me when editing the log for publishing.

Regards,
Johan

________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Johan Petersson [Johan.Petersson at sscspace.com]
Sent: Friday, December 28, 2012 13:40
To: Sigbjorn Lie
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?
Hi,

I am getting these messages in my log when setting all instances of pam_krb5.so.1 to debug in /etc/pam.d/other, /etc/pam.d/login:

Dec 28 12:59:12 solaris.example.com su: [ID 737709 auth.error] unable to open connection to ADMIN server (t_error 13)
Dec 28 12:59:12 solaris2.example.com su: [ID 436431 auth.error] PAM-KRB5-AUTOMIGRATE (auth): Error while doing kadm5_init_with_skey: Communication failure with server

If I disable the firewall on my IPA Server everything works as fast as it should, so clearly a firewall issue with iptables. However, I have all the ports enabled and Red Hat clients work with the firewall on. Clearly Solaris is using some secret other port(s) that is not mentioned. I have tried with 749 and 750 tcp and udp with no difference.

Regards,
Johan.

________________________________
From: Sigbjorn Lie [sigbjorn at nixtra.com]
Sent: Wednesday, December 26, 2012 18:56
To: Johan Petersson
Cc: freeipa-users at redhat.com
Subject: RE: [Freeipa-users] Does Solaris 11 work as client to IPA server?

Cool. :)

What do you see if you turn on pam debugging by touching /etc/pam_debug and enabling debug logging in the syslog daemon?

Rgds
Siggi

Johan Petersson wrote:

Of course it was a simple thing like replacing auto.nethome with auto_nethome that worked.
Thank you for that help! I did not even think that it was that simple. :)

Now everything works for the more secure client configuration on Solaris 11. The only thing left to investigate is why there is a delay now for the IPA users.
I get the message "Your Kerberos account/password will expire in 89 days" quickly, but then it waits for about 20 seconds until I get a prompt.

Regards,
Johan.

________________________________
From: Sigbjorn Lie [sigbjorn at nixtra.com]
Sent: Wednesday, December 26, 2012 17:10
To: Johan Petersson
Cc: freeipa-users at redhat.com
Subject: RE: [Freeipa-users] Does Solaris 11 work as client to IPA server?

What is the name of the other maps besides auto.master?
You should use _ instead of . for any additional maps when you need Solaris autofs compatibility. This also needs to be reflected in the auto.master.

The Linux automounter does not care about . or _ as long as the naming is consistent between the additional maps and auto.master. The default for Linux is auto.master with a . and auto_master for Solaris. Hence the auto.master mapping in the Solaris dua profile.

Rgds
Siggi

Johan Petersson wrote:

Got everything except automount to work with Solaris 11 and the more secure DUAProfile.
Verified that I can manually mount with krb5 on Solaris 11; ssh, su and console login work (as well as expected with no home directory) and the automount map works for Red Hat clients.

I have now tried with another directory for users (/nethome) since when trying with /home autofs made local users unavailable. They are automounted locally to /home/ from /export/home/ on Solaris for some strange reason and autofs then tried finding local users' home directories on the NFS Server :)

root at solaris2:~# ldapclient list
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= uid=solaris,cn=sysaccounts,cn=etc,dc=example,dc=org
NS_LDAP_BINDPASSWD= {XXX}XXXXXXXXXXXXXX
NS_LDAP_SERVERS= server.example.org
NS_LDAP_SEARCH_BASEDN= dc=example,dc=org
NS_LDAP_AUTH= tls:simple
NS_LDAP_SEARCH_REF= TRUE
NS_LDAP_SEARCH_SCOPE= one
NS_LDAP_SEARCH_TIME= 10
NS_LDAP_CACHETTL= 6000
NS_LDAP_PROFILE= solaris_authssl1
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=accounts,dc=example,dc=org
NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=compat,dc=example,dc=org
NS_LDAP_SERVICE_SEARCH_DESC= netgroup:cn=ng,cn=compat,dc=example,dc=org
NS_LDAP_SERVICE_SEARCH_DESC= ethers:cn=computers,cn=accounts,dc=example,dc=org
NS_LDAP_SERVICE_SEARCH_DESC= automount:cn=default,cn=automount,dc=example,dc=org
NS_LDAP_SERVICE_SEARCH_DESC= auto_master:automountMapName=auto.master,cn=default,cn=automount,dc=example,dc=org
NS_LDAP_SERVICE_SEARCH_DESC= aliases:ou=aliases,ou=test,dc=example,dc=org
NS_LDAP_SERVICE_SEARCH_DESC= printers:ou=printers,ou=test,dc=example,dc=org
NS_LDAP_BIND_TIME= 5
NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=posixAccount
NS_LDAP_OBJECTCLASSMAP= printers:sunPrinter=printerService

root at solaris2:~# sharectl get autofs
timeout=600
automount_verbose=true
automountd_verbose=true
nobrowse=false
trace=2
environment=

From /var/svc/log/system-filesystem-autofs\:default.log:

t4      LOOKUP REQUEST: Wed Dec 26 12:28:43 2012
t4      name=user02[] map=auto.nethome opts= path=/nethome direct=0
t4      getmapent_ldap called
t4      getmapent_ldap: key=[ user02 ]
t4      ldap_match called
t4      ldap_match: key =[ user02 ]
t4      ldap_match: ldapkey =[ user02 ]
t4      ldap_match: Requesting list for (&(objectClass=automount)(automountKey=user02)) in auto.nethome
t4      ldap_match: __ns_ldap_list FAILED (2)
t4      ldap_match: no entries found
t4      ldap_match called
t4      ldap_match: key =[ \2a ]
t4      ldap_match: ldapkey =[ \2a ]
t4      ldap_match: Requesting list for (&(objectClass=automount)(automountKey=\2a)) in auto.nethome
t4      ldap_match: __ns_ldap_list FAILED (2)
t4      ldap_match: no entries found
t4      getmapent_ldap: exiting ...
t4      do_lookup1: action=2 wildcard=FALSE error=2
t4      LOOKUP REPLY    : status=2

The automount map is called auto.nethome; the key is:

* -rw,soft server.example.org:/nethome/&

Is it that Solaris automount doesn't like an asterisk (*) in an automount key?

Regards,
Johan.

________________________________
From: Sigbjorn Lie [sigbjorn at nixtra.com]
Sent: Thursday, December 20, 2012 15:20
To: Johan Petersson
Cc: freeipa-users at redhat.com
Subject: RE: [Freeipa-users] Does Solaris 11 work as client to IPA server?

Thanks.

I'm guessing it's taking such a long time because it's looking through the entire LDAP server for your automount maps. The automountmap rules in the DUA profile will help with that.
You'll also run into issues if you attempt to have several automount locations without having specified which one to use with an automountmap rule for auto master.

If you are using NFS4 you should add the _nfsv4idmapdomain dns TXT record to your DNS or set NFSMAPID_DOMAIN in /etc/default/nfs to the same value as the domain id used on your NFS server to get rid of the nobody:nobody default mapping and enable mapping between the NFS server and the client.

Regards,
Siggi

On Thu, December 20, 2012 13:40, Johan Petersson wrote:

Hi,

Here is my pamconf cleaned up a bit.

login         auth     requisite   pam_authtok_get.so.1
login         auth     required    pam_dhkeys.so.1
login         auth     sufficient  pam_krb5.so.1 try_first_pass
login         auth     required    pam_unix_cred.so.1
login         auth     required    pam_unix_auth.so.1
login         auth     required    pam_dial_auth.so.1
gdm-autologin auth     required    pam_unix_cred.so.1
gdm-autologin auth     sufficient  pam_allow.so.1
other         auth     requisite   pam_authtok_get.so.1
other         auth     required    pam_dhkeys.so.1
other         auth     required    pam_unix_cred.so.1
other         auth     sufficient  pam_krb5.so.1
other         auth     required    pam_unix_auth.so.1
passwd        auth     required    pam_passwd_auth.so.1
gdm-autologin account  sufficient  pam_allow.so.1
other         account  requisite   pam_roles.so.1
other         account  required    pam_unix_account.so.1
other         account  required    pam_krb5.so.1
other         session  required    pam_unix_session.so.1
other         password required    pam_dhkeys.so.1
other         password requisite   pam_authtok_get.so.1
other         password requisite   pam_authtok_check.so.1 force_check
other         password sufficient  pam_krb5.so.1
other         password required    pam_authtok_store.so.1

I am getting one error and it is for autofs.

/var/adm/messages:
Dec 20 12:56:58 servername automount[1651]: [ID 754625 daemon.error] Object not found

/var/svc/log/system.filesystem-autofs:default.log:
[ Dec 20 12:24:22 Executing start method ("/lib/svc/method/svc-autofs start"). ]
automount: /net mounted
automount: /nfs4 mounted
automount: no unmounts
[ Dec 20 12:24:22 Method "start" exited with status 0. ]

ldapclient list
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= servername
NS_LDAP_SEARCH_BASEDN= dc=home
NS_LDAP_AUTH= none
NS_LDAP_SEARCH_REF= TRUE
NS_LDAP_SEARCH_TIME= 15
NS_LDAP_PROFILE= default
NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=accounts,dc=home
NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=compat,dc=home
NS_LDAP_BIND_TIME= 5
NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=posixAccount

Thinking it has to do with the missing automountmap in the default DUAProfile.
Automount still works though, but takes time during login and everything is nobody:nobody :)

________________________________
From: Sigbjorn Lie [sigbjorn at nixtra.com]
Sent: Thursday, December 20, 2012 10:13
To: Johan Petersson
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?

Hi,

This is interesting. When I tested Solaris 11, ssh worked, and su - testuser worked. However console login did not work, giving some PAM errors.

Could you please share your entire pam.conf file?

Is this Solaris 11 or Solaris 11.1?

Regards,
Siggi

On Thu, December 20, 2012 09:40, Johan Petersson wrote:

I have now managed to use a Solaris 11 system as a client to IPA Server.

su - testuser works
ssh works and console login works.

I get a delay before getting the prompt through ssh though, and maybe from console too, probably something about autofs. Going to see if I can increase log information (Solaris newbie).

To get it to work I mainly followed Sigbjorn Lie's instructions for Solaris 10 in earlier posts here. I also used the /etc/pam.conf configuration example from the Solaris 10 client guide on Free IPA.

I stuck with the default DUAProfile for now and use a NFS4 Kerberos share for home directories with autofs.

Going to try the other DUAProfile too from Bug 815515 and hopefully I can get everything working.
________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Dmitri Pal [dpal at redhat.com]
Sent: Tuesday, December 18, 2012 17:50
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?

On 12/18/2012 04:06 AM, Sigbjorn Lie wrote:

On Tue, December 18, 2012 08:28, Johan Petersson wrote:

Hi,

We are implementing IPA Server and are going to need to be able to authenticate properly with a number of Solaris 11 servers. I have browsed the archives and found a few threads mentioning some problems with Solaris 11 and IPA Server. Does anyone know if the issue has been solved?

I don't think there are any problems with Solaris 11 except that nobody has yet sat down and figured out how to configure it as an IPA client.

I had a go at it a while ago (some of the posts you've probably found), and found that there were enough differences in the LDAP/Kerberos client between Solaris 10 and Solaris 11 for making it work with the setup guide I've created for Solaris 10. And there was a need for further investigation for finding out how to configure Solaris 11 as an IPA client.

I've not looked into this further as we do not use Solaris 11 yet. I don't know if anyone else has had time to sit down and have a crack at this?

And we would like to hear about this effort. If it produces instructions we would like to put them on the wiki. If it produces bugs we would investigate them.

Regards,
Siggi

________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

________________________________
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

--
Sent from my Android phone with K-9 Mail. Please excuse my brevity.
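The NFSv4 ID-mapping point Siggi makes at the top of the thread (client NFSMAPID_DOMAIN must equal the domain the NFS server uses, or else everything shows up as nobody:nobody) can be turned into a quick consistency check. The script below is an added example written for this archive page; it is not code from the thread or from FreeIPA. It parses the two sources Siggi names (the NFSMAPID_DOMAIN line in /etc/default/nfs and the _nfsv4idmapdomain TXT record) from text supplied as strings, so it runs offline; the sample file contents and the DNS answer are constructed, the domain name "home" is only an illustration borrowed from Johan's dc=home base DN, and the nslookup invocation shown in the comments is an assumed form for a live Solaris client.

```shell
#!/bin/sh
# Added example, not from the thread: verify that a Solaris NFSv4 client's
# NFSMAPID_DOMAIN (in /etc/default/nfs) agrees with the _nfsv4idmapdomain
# DNS TXT record. When the two sides of an NFSv4 mount disagree on the
# ID-mapping domain, owners fall back to nobody:nobody, the symptom Johan reports.

# Print the active NFSMAPID_DOMAIN value from /etc/default/nfs text on stdin.
# Commented-out lines (the shipped default) are ignored; prints nothing if unset.
nfs_conf_domain() {
    sed -n 's/^[[:space:]]*NFSMAPID_DOMAIN=[[:space:]]*//p' | tr -d '"' | tail -n 1
}

# Print the domain carried by an _nfsv4idmapdomain TXT answer on stdin, e.g. a
# dig/nslookup-style line: '_nfsv4idmapdomain.home. 3600 IN TXT "home"'.
dns_txt_domain() {
    sed -n 's/.*_nfsv4idmapdomain[^"]*"\([^"]*\)".*/\1/p' | head -n 1
}

# Exit 0 when both values are present and identical, 1 otherwise.
idmap_domains_match() {
    [ -n "$1" ] && [ -n "$2" ] && [ "$1" = "$2" ]
}

# Compare the file text ($1) with the DNS answer ($2) and report; returns match status.
check_idmap() {
    conf_domain=$(printf '%s\n' "$1" | nfs_conf_domain)
    dns_domain=$(printf '%s\n' "$2" | dns_txt_domain)
    if idmap_domains_match "$conf_domain" "$dns_domain"; then
        echo "OK: client NFSMAPID_DOMAIN='$conf_domain' matches DNS TXT '$dns_domain'"
    else
        echo "MISMATCH: client NFSMAPID_DOMAIN='$conf_domain' DNS TXT='$dns_domain' (expect nobody:nobody ownership)"
        return 1
    fi
}

# Constructed sample inputs (no real hosts). The domain "home" is only an
# illustration taken from the dc=home base DN in Johan's ldapclient output.
CONF_OK='# /etc/default/nfs
#NFSMAPID_DOMAIN=domain
NFSMAPID_DOMAIN=home'
CONF_UNSET='# /etc/default/nfs
#NFSMAPID_DOMAIN=domain'
DNS_ANSWER='_nfsv4idmapdomain.home.   3600 IN TXT "home"'

# On a live client the inputs would come from the real file and resolver, e.g.
#   nfs_conf_domain < /etc/default/nfs
#   nslookup -q=TXT _nfsv4idmapdomain.home | dns_txt_domain   (query form assumed)
check_idmap "$CONF_OK" "$DNS_ANSWER"
check_idmap "$CONF_UNSET" "$DNS_ANSWER" || :
```

The second call shows the failure mode from the thread: a client that still has only the commented-out default in /etc/default/nfs has no domain to map with, so the check reports a mismatch rather than a false pass. The comparison is deliberately exact (case included), because the NFSv4 ID-mapping domain is compared as an opaque string by the mapping daemon.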
