<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
On 03/08/2014 01:32 AM, <a class="moz-txt-link-abbreviated" href="mailto:Rashard.Kelly@sita.aero">Rashard.Kelly@sita.aero</a> wrote:
<blockquote
cite="mid:OF6F1E7DA3.25CF791A-ON85257C95.0022C9B0-85257C95.0023EC2A@sita.aero"
type="cite"><font face="sans-serif" size="2">Hello all!!</font>
<br>
<br>
<font face="sans-serif" size="2">I cannot get a RHEL5.10 client to
install!</font>
<br>
<br>
<font face="sans-serif" size="2">[root@hostname ~]#
ipa-client-install
--hostname=hostname.domain.com --no-ntp
--ca-cert-file=/etc/ipa/ca.crt</font>
<br>
<font face="sans-serif" size="2">DNS domain 'doman.com' is not
configured
for automatic KDC address lookup.</font>
<br>
<font face="sans-serif" size="2">KDC address will be set to fixed
value.</font>
<br>
<br>
<font face="sans-serif" size="2">Discovery was successful!</font>
<br>
<font face="sans-serif" size="2">Hostname:hostname.com</font>
<br>
<font face="sans-serif" size="2">Realm:DOMAIN.COM</font>
<br>
<font face="sans-serif" size="2">DNS Domain: domain.com</font>
<br>
<font face="sans-serif" size="2">IPA Server: ipaserver.com</font>
<br>
<font face="sans-serif" size="2">BaseDN:
dc=ipa,dc=dc,dc=sita,dc=com</font>
<br>
<br>
<font face="sans-serif" size="2">Joining realm failed: SASL Bind
failed
Local error (-2) !</font>
<br>
<font face="sans-serif" size="2">child exited with 9</font>
<br>
<font face="sans-serif" size="2">Installation failed. Rolling back
changes.</font>
<br>
<br>
<br>
<font face="sans-serif" size="2">This is what the krb log had to
say</font>
<br>
<br>
<font face="sans-serif" size="2">Mar 08 06:24:00
<a class="moz-txt-link-abbreviated" href="mailto:ipaserver@domain.com">ipaserver@domain.com</a>
krb5kdc[29358](info): TGS_REQ (1 etypes {18}) 10.226.124.10:
ISSUE: authtime
1394259840, etypes {rep=18 tkt=18 ses=18}, <a class="moz-txt-link-abbreviated" href="mailto:rkelly@DOMAIN.COM">rkelly@DOMAIN.COM</a> for
<a class="moz-txt-link-abbreviated" href="mailto:krbtgt/DOMAIN.COM@DOMAIN.COM">krbtgt/DOMAIN.COM@DOMAIN.COM</a></font>
<br>
<font face="sans-serif" size="2">Mar 08 06:24:00
<a class="moz-txt-link-abbreviated" href="mailto:ipaserver@domain.com">ipaserver@domain.com</a>
krb5kdc[29357](info): TGS_REQ (4 etypes {18 17 16 23})
10.226.20.31: ISSUE:
authtime 1394259840, etypes {rep=18 tkt=18 ses=18},
<a class="moz-txt-link-abbreviated" href="mailto:rkelly@DOMAIN.COM">rkelly@DOMAIN.COM</a> for
<a class="moz-txt-link-abbreviated" href="mailto:ldap/ipaserver.domain.com@DOMAIN.COM">ldap/ipaserver.domain.com@DOMAIN.COM</a></font>
<br>
<font face="sans-serif" size="2">krb5kdc: Cannot determine realm
for
numeric host address - unable to find realm of host</font>
<br>
</blockquote>
<br>
Check your DNS. It seems that the client can't resolve the server.
It should be either in /etc/hosts or resolve.conf should include DNS
server that has records about the server.<br>
<br>
<blockquote
cite="mid:OF6F1E7DA3.25CF791A-ON85257C95.0022C9B0-85257C95.0023EC2A@sita.aero"
type="cite"><font face="sans-serif" size="2">Mar 08 06:24:00
<a class="moz-txt-link-abbreviated" href="mailto:ipaserver@domain.como">ipaserver@domain.como</a>
krb5kdc[29358](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2})
10.22.22.10:
UNKNOWN_SERVER: authtime 0, <a class="moz-txt-link-abbreviated" href="mailto:rkelly@IPA2.DC.SITA.AERO">rkelly@IPA2.DC.SITA.AERO</a> for
<a class="moz-txt-link-abbreviated" href="mailto:ldap/10.226.20.31@DOMAIN.COM">ldap/10.226.20.31@DOMAIN.COM</a>,
Server not found in Kerberos database</font>
<br>
<font face="sans-serif" size="2">Mar 08 06:24:00
<a class="moz-txt-link-abbreviated" href="mailto:ipaserver@domain.com">ipaserver@domain.com</a>
krb5kdc[29357](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2})
10.22.22.10:
UNKNOWN_SERVER: authtime 0, <a class="moz-txt-link-abbreviated" href="mailto:rkelly@IPA2.DC.SITA.AERO">rkelly@IPA2.DC.SITA.AERO</a> for
<a class="moz-txt-link-abbreviated" href="mailto:ldap/10.226.20.31@DOMAIN.COM">ldap/10.226.20.31@DOMAIN.COM</a>,
Server not found in Kerberos database</font>
<br>
<br>
<br>
<font face="Arial" size="3">After reviewing </font><font
color="#2f2f2f" face="Arial" size="3">the
</font><a moz-do-not-send="true"
href="https://access.redhat.com/site/solutions/231543"><font
color="#2f2f2f" face="Arial" size="3">https://access.redhat.com/site/solutions/231543</font></a><font
face="Arial" size="3">
post </font><font color="#2f2f2f" face="Arial" size="3">IPA:
Joining realm
failed: SASL Bind failed Local error (-2) ! child exited with 9.
I checked
all my DNS info via dig and took a working DNS config from
another server.
Everything appears to be setup right. What could I be
overlooking?</font>
<br>
<br>
<font face="sans-serif" size="2">Thank You,</font>
<br>
<font face="sans-serif" size="2"><b>Rashard Kelly</b></font><font
face="sans-serif" size="2"><b><br>
</b></font><font color="#000080" face="sans-serif" size="2"><b>SITA</b></font><font
face="sans-serif" size="2">
</font><font face="sans-serif" size="2"><b> S</b>enior Linux
Specialist</font>
<br>
<br>
<br>
<br>
<font color="#5f5f5f" face="sans-serif" size="1">From:
</font><font face="sans-serif" size="1">Dmitri Pal
<a class="moz-txt-link-rfc2396E" href="mailto:dpal@redhat.com"><dpal@redhat.com></a></font>
<br>
<font color="#5f5f5f" face="sans-serif" size="1">To:
</font><font face="sans-serif" size="1">Trey Dockendorf
<a class="moz-txt-link-rfc2396E" href="mailto:treydock@gmail.com"><treydock@gmail.com></a></font>
<br>
<font color="#5f5f5f" face="sans-serif" size="1">Cc:
</font><font face="sans-serif" size="1"><a class="moz-txt-link-abbreviated" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a></font>
<br>
<font color="#5f5f5f" face="sans-serif" size="1">Date:
</font><font face="sans-serif" size="1">03/07/2014 05:43 PM</font>
<br>
<font color="#5f5f5f" face="sans-serif" size="1">Subject:
</font><font face="sans-serif" size="1">Re: [Freeipa-users]
Using external KDC</font>
<br>
<font color="#5f5f5f" face="sans-serif" size="1">Sent by:
</font><font face="sans-serif" size="1"><a class="moz-txt-link-abbreviated" href="mailto:freeipa-users-bounces@redhat.com">freeipa-users-bounces@redhat.com</a></font>
<br>
<hr noshade="noshade">
<br>
<br>
<br>
<tt><font size="2">On 03/07/2014 05:26 PM, Trey Dockendorf wrote:<br>
> On Thu, Mar 6, 2014 at 7:20 PM, Dmitri
Pal<a class="moz-txt-link-rfc2396E" href="mailto:dpal@redhat.com"><dpal@redhat.com></a>
wrote:<br>
>> On 03/05/2014 06:24 PM, Trey Dockendorf wrote:<br>
>>> Correction from my email, the condition that sets
if a 389DS
user is<br>
>>> proxied to pam_krb5 is the "pamFilter", sorry.<br>
>>><br>
>>> On Wed, Mar 5, 2014 at 5:22 PM, Trey
Dockendorf<a class="moz-txt-link-rfc2396E" href="mailto:treydock@gmail.com"><treydock@gmail.com></a><br>
>>> wrote:<br>
>>>> On Mon, Mar 3, 2014 at 7:29 PM, Dmitri
Pal<a class="moz-txt-link-rfc2396E" href="mailto:dpal@redhat.com"><dpal@redhat.com></a>
wrote:<br>
>>>>> On 03/03/2014 07:47 PM, Simo Sorce wrote:<br>
>>>>>> On Mon, 2014-03-03 at 18:42 -0600,
Trey Dockendorf
wrote:<br>
>>>>>>> Is it possible with FreeIPA to
use an external
KDC or pass some or all<br>
>>>>>>> authentication to an external
KDC? The
KDC at our University may give<br>
>>>>>>> me a one way trust if I describe
my implementation
plan for FreeIPA.<br>
>>>>>>> Currently I use 389DS with PAM
pass through
using untrusted pam_krb5.<br>
>>>>>>> I'd like to fully utilize FreeIPA
without
managing passwords since all<br>
>>>>>>> my users already have University
accounts.
I just want to manage<br>
>>>>>>> authorization for my systems, not
authentication.<br>
>>>>>> You could set up a kerberos trust
manually but
at the moment we do not<br>
>>>>>> support it in the code or the
utilities.<br>
>>>>>><br>
>>>>>> SSSD in particular will have no place
to find
identity information if<br>
>>>>>> all you have is a kerberos trust,
you'd need also
an external identity<br>
>>>>>> store to point to, but there is no
builtin code
in SSSD to link the 2<br>
>>>>>> domain at this point.<br>
>>>>>><br>
>>>>>> We are planning on working on
IPA-to-IPA trust,
and possibly<br>
>>>>>> IPA-to-*other* so any requirements
you can throw
at us will be made<br>
>>>>>> part<br>
>>>>>> of the consideration and planning to
add this
kind of functionality in<br>
>>>>>> the future.<br>
>>>>>><br>
>>>>>> NM B HTH,<br>
>>>>>> Simo.<br>
>>>>>><br>
>>>>> Can you describe your workflows because I
have some
idea in mind?<br>
>>>> Right now the workflow I have with 389ds
using PAM Pass
Through Auth<br>
>>>> is the following:<br>
>>>><br>
>>>> For users with the proper attribute defined
in 'pamIDAttr'<br>
>>>><br>
>>>> client ---> 389DS ---> 389DS
server's
pam_krb5 ---> Campus KDC<br>
>>>><br>
>>>> For users lacking the attribute for
'pamIDAttr'<br>
>>>><br>
>>>> client ---> 389DS<br>
>>>><br>
>>>> The Kerberos setup currently on the 389DS
server is untrusted
(no<br>
>>>> krb5.keytab).<br>
>>>><br>
>>>> The ideal workflow with FreeIPA would be<br>
>>>><br>
>>>> client ----> IPA ---> Campus KDC<br>
>>>><br>
>>>>> Would you be OK if your accounts would be
in IPA but
the authentication<br>
>>>>> would be proxied out?<br>
>>>> This is fine with me. Does the idea you
describe
allow for some<br>
>>>> authentication (ie system accounts or
internal accounts)
to be handled<br>
>>>> by FreeIPA? That's the benefit to us when
using
PAM Pass Through<br>
>>>> Auth, is that we can conditionally proxy out
the authentication.<br>
>>>><br>
>>>>> The idea is that you can use OTP RADIUS
capability
to proxy passwords to<br>
>>>>> your main KDC.<br>
>>>>><br>
>>>>> client ---OTP---> IPA ---> OTP
Proxy ---> RADIUS ---> Your KDC<br>
>>>>><br>
>>>>> Disclaimer: that would defeat the purpose
of Kerberos
and the password<br>
>>>>> will<br>
>>>>> be sent over the wire but it seems that
you are already
in this setup.<br>
>>>>><br>
>>>>> Would you be interested to give it a try?<br>
>>>> Absolutely. Right now I need to contact our
campus
IT group and let<br>
>>>> them know what I require to make our setup
work. I
have been told a<br>
>>>> one way trust is the most I can get. Will
that facilitate
what you<br>
>>>> described?<br>
>><br>
>> You do not need trust for that setup. Any user
account (i am not
sure about<br>
>> special system accounts that are not created in
cn=users) would
be able to<br>
>> go to external RADIUS server.<br>
>><br>
>><br>
>>>>> Would require latest SSSD and kerberos
library on
the client though but<br>
>>>>> would work with LDAP binds too.<br>
>>>> Latest SSSD and Kerberos that's available in
EL6, or latest
upstream?<br>
>><br>
>> Upstream.<br>
>><br>
> Is it possible use these latest versions in EL6, or is
using Fedora<br>
> 19+ the only feasible way to do this? If using EL6 is
not possible,<br>
> is it going to be something possible in EL7?<br>
<br>
<br>
Latest RHEL7 beta snapshots might be a good starting point.<br>
This will not be a part of RHEL6, sorry.<br>
<br>
><br>
>> Please take a look at the design page: </font></tt><a
moz-do-not-send="true" href="http://www.freeipa.org/page/V3/OTP"><tt><font
size="2">http://www.freeipa.org/page/V3/OTP</font></tt></a><tt><font
size="2">
-<br>
>> that will give you an idea about the internals.<br>
>><br>
>> Latest upstream UI should be able to allow to
configure external
RADIUS<br>
>> servers and then change per user policy to proxy via
RADIUS. Then
you can<br>
>> try binding with LDAP to IPA using password from your
main KDC.<br>
>> Then you can use SSSD on the same system to try to
authenticate
using<br>
>> Kerberos. You will create a new user, set him to use
RADIUS server
for<br>
>> authentication and then try to su to this user or ssh
into the
box as that<br>
>> user. It should work and klist should report a TGT
for this user
on the box.<br>
>><br>
> Thanks for the info. I'll see if I can piece together
how to
make this work.<br>
<br>
Let me know if you need any help or guidance with this POC.<br>
<br>
><br>
>>>>> --<br>
>>>>> Thank you,<br>
>>>>> Dmitri Pal<br>
>>>>><br>
>>>>> Sr. Engineering Manager for IdM portfolio<br>
>>>>> Red Hat Inc.<br>
>>>>><br>
>>>>><br>
>>>>> -------------------------------<br>
>>>>> Looking to carve out IT costs?<br>
>>>>> </font></tt><a moz-do-not-send="true"
href="www.redhat.com/carveoutcosts/"><tt><font size="2">www.redhat.com/carveoutcosts/</font></tt></a><tt><font
size="2"><br>
>>>>><br>
>>>>><br>
>>>>><br>
>>>>>
_______________________________________________<br>
>>>>> Freeipa-users mailing list<br>
>>>>> <a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a><br>
>>>>> </font></tt><a moz-do-not-send="true"
href="https://www.redhat.com/mailman/listinfo/freeipa-users"><tt><font
size="2">https://www.redhat.com/mailman/listinfo/freeipa-users</font></tt></a><tt><font
size="2"><br>
>><br>
>><br>
>> --<br>
>> Thank you,<br>
>> Dmitri Pal<br>
>><br>
>> Sr. Engineering Manager for IdM portfolio<br>
>> Red Hat Inc.<br>
>><br>
>><br>
>> -------------------------------<br>
>> Looking to carve out IT costs?<br>
>> </font></tt><a moz-do-not-send="true"
href="www.redhat.com/carveoutcosts/"><tt><font size="2">www.redhat.com/carveoutcosts/</font></tt></a><tt><font
size="2"><br>
>><br>
>><br>
>><br>
>> _______________________________________________<br>
>> Freeipa-users mailing list<br>
>> <a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a><br>
>> </font></tt><a moz-do-not-send="true"
href="https://www.redhat.com/mailman/listinfo/freeipa-users"><tt><font
size="2">https://www.redhat.com/mailman/listinfo/freeipa-users</font></tt></a><tt><font
size="2"><br>
<br>
<br>
-- <br>
Thank you,<br>
Dmitri Pal<br>
<br>
Sr. Engineering Manager for IdM portfolio<br>
Red Hat Inc.<br>
<br>
<br>
-------------------------------<br>
Looking to carve out IT costs?<br>
</font></tt><a moz-do-not-send="true"
href="www.redhat.com/carveoutcosts/"><tt><font size="2">www.redhat.com/carveoutcosts/</font></tt></a><tt><font
size="2"><br>
<br>
<br>
<br>
_______________________________________________<br>
Freeipa-users mailing list<br>
<a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a><br>
</font></tt><a moz-do-not-send="true"
href="https://www.redhat.com/mailman/listinfo/freeipa-users"><tt><font
size="2">https://www.redhat.com/mailman/listinfo/freeipa-users</font></tt></a><tt><font
size="2"><br>
</font></tt>
<br>
<br>
<p>
This document is strictly confidential and intended only for use
by the
addressee unless otherwise stated. If you are not the intended
recipient,
please notify the sender immediately and delete it from your
system.
</p>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Freeipa-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
<a class="moz-txt-link-abbreviated" href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a>
</pre>
</body>
</html>