From goetz.reinicke at filmakademie.de Mon Dec 1 15:06:32 2008
From: goetz.reinicke at filmakademie.de (Götz Reinicke)
Date: Mon, 01 Dec 2008 16:06:32 +0100
Subject: [Freeipa-users] Some questions - using LDAP and mac os x version
In-Reply-To: <492D6709.8080508@redhat.com>
References: <492D5A8B.3040901@filmakademie.de> <492D6709.8080508@redhat.com>
Message-ID: <4933FD78.3030604@filmakademie.de>

Dmitri Pal wrote:
> Götz Reinicke wrote:
>> Hi,
>>
>> recently I started to investigate freeIPA as we do have a lot of windows
>> and mac os x clients and mostly RH EL 5.x Servers.
>>
>> I set up a test server and installed and followed the instructions from
>> the FreeIPA documentation homepage.
>>
>> At most I'm interested in authenticating mac os x clients so I started
>> to test the client installation. As for the moment I have only 10.5
>> Clients; the doc refers to 10.4.
>>
>> After some steps I saw, that some parameters and options are different,
>> so I stopped :).
>>
>> My questions:
>>
>> Is freeIPA usable with 10.5? If so, what has to be changed?
>>
> Probably yes but we do not know for sure.
>
>> May I help by providing my experience?
>>
> Yes. Please. If you can share your experience about configuring 10.5
> would be really great.

O.K. as soon as I have time, I'll document the different steps. I'm
sure that I then need some help.

>> Can I use freeIPA also as a LDAP directory for e.g. E-Mail-Clients like
>> thunderbird to look up addresses?
>>
> Yes. IPA is a directory. When configuring lookups please keep in mind
> that IPA has a flat tree of user accounts.
> http://www.freeipa.org/page/Image:IPA-DIT.png

Could you give me a hint, what I have to configure and how? That would
be great!

Regards

Götz

--
Götz Reinicke
IT Coordinator

Tel. +49 7141 969 420
Fax +49 7141 969 55 420
E-Mail goetz.reinicke at filmakademie.de

Filmakademie Baden-Württemberg GmbH
Mathildenstr. 20
71638 Ludwigsburg
www.filmakademie.de

Registered at Amtsgericht Stuttgart, HRB 205016
Chairwoman of the Supervisory Board: Prof. Dr. Claudia Hübner,
State Councillor for Demographic Change and for Senior Citizens in the State Ministry
Managing Director: Prof. Thomas Schadt


From rcritten at redhat.com Mon Dec 1 20:09:03 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 01 Dec 2008 15:09:03 -0500
Subject: [Freeipa-users] Some questions - using LDAP and mac os x version
In-Reply-To: <4933FD78.3030604@filmakademie.de>
References: <492D5A8B.3040901@filmakademie.de> <492D6709.8080508@redhat.com> <4933FD78.3030604@filmakademie.de>
Message-ID: <4934445F.9040704@redhat.com>

Götz Reinicke wrote:
> Dmitri Pal wrote:
>> Götz Reinicke wrote:
>>> Can I use freeIPA also as a LDAP directory for e.g. E-Mail-Clients like
>>> thunderbird to look up addresses?
>>>
>> Yes. IPA is a directory. When configuring lookups please keep in mind
>> that IPA has a flat tree of user accounts.
>> http://www.freeipa.org/page/Image:IPA-DIT.png
>
> Could you give me a hint, what I have to configure and how? That would
> be great!
>

Sure, from Thunderbird bring up the address book (Tools->Address Book).

Define a new LDAP server with File->New->LDAP Directory...

Enter a useful name and the hostname of the IPA server.

For the Base DN use something like: cn=users,cn=accounts,dc=freeipa,dc=org

You don't need to provide a Bind DN and you can optionally enable SSL.
It should work either way.

rob


From goetz.reinicke at filmakademie.de Tue Dec 2 09:05:27 2008
From: goetz.reinicke at filmakademie.de (Götz Reinicke)
Date: Tue, 02 Dec 2008 10:05:27 +0100
Subject: [Freeipa-users] Some questions - using LDAP and mac os x version
In-Reply-To: <4934445F.9040704@redhat.com>
References: <492D5A8B.3040901@filmakademie.de> <492D6709.8080508@redhat.com> <4933FD78.3030604@filmakademie.de> <4934445F.9040704@redhat.com>
Message-ID: <4934FA57.30503@filmakademie.de>

Rob Crittenden wrote:
> Sure, from Thunderbird bring up the address book (Tools->Address Book).
>
> Define a new LDAP server with File->New->LDAP Directory...
>
> Enter a useful name and the hostname of the IPA server.
>
> For the Base DN use something like: cn=users,cn=accounts,dc=freeipa,dc=org
>
> You don't need to provide a Bind DN and you can optionally enable SSL.
> It should work either way.

Thanks, that worked!

/Götz


From goetz.reinicke at filmakademie.de Wed Dec 3 08:34:52 2008
From: goetz.reinicke at filmakademie.de (Götz Reinicke)
Date: Wed, 03 Dec 2008 09:34:52 +0100
Subject: [Freeipa-users] How to mass import users and groups
Message-ID: <493644AC.8030807@filmakademie.de>

Hi,

for now I'm playing with freeipa. Firstly I'd like to use the directory
for lookups, therefore I'm looking for an easy way to import user data.
(name, e-mail, phone, location, ...)

At the moment, I have the data in a database, so I can export the data
as csv, custom script or whatever input type is needed.

But, which (freeipa) tool may I use? What may be the syntax?
Thanks for some more hints or links to webpages/mails.

Best regards

Götz


From dpal at redhat.com Wed Dec 3 15:09:06 2008
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 03 Dec 2008 10:09:06 -0500
Subject: [Freeipa-users] How to mass import users and groups
In-Reply-To: <493644AC.8030807@filmakademie.de>
References: <493644AC.8030807@filmakademie.de>
Message-ID: <4936A112.8080306@redhat.com>

Götz Reinicke wrote:
> Hi,
>
> for now I'm playing with freeipa. Firstly I'd like to use the directory
> for lookups, therefore I'm looking for an easy way to import user data.
> (name, e-mail, phone, location, ...)
>

You can create a script that will use ipa-adduser command or use
ldapmodify command and follow the standard syntax.
If you are going to migrate passwords you can pass the user password
attribute in LDIF in clear text and the DS plugins will do the right
thing (freeIPA 1.2 or later).

> At the moment, I have the data in a database, so I can export the data
> as csv, custom script or whatever input type is needed.
>

You need to create a script that will use the data you exported as the
input to ipa-adduser (and other ipa-* commands) or as input to ldapmodify
command.

> But, which (freeipa) tool may I use? What may be the syntax?
>
> Thanks for some more hints or links to webpages/mails.
>
> Best regards
>
> Götz


From ssorce at redhat.com Wed Dec 3 20:39:48 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 03 Dec 2008 15:39:48 -0500
Subject: [Freeipa-users] [Freeipa-devel] FreeIPA 1.2.1 Released
Message-ID: <1228336788.2188.21.camel@localhost.localdomain>

The FreeIPA Project (http://freeipa.org) is proud to present FreeIPA
version 1.2.1.

FreeIPA is an integrated security information management solution
combining Linux (Fedora), Fedora Directory Server, MIT Kerberos and NTP.
FreeIPA binds together a number of technologies and adds a web interface
and command-line administration tools. Currently it supports identity
management with plans to support policy and auditing management.

This is primarily a bugfix release and contains the following minor fixes:

* fixed an interface bug that caused problems editing groups through the
  web UI.
* fixed some rare crash bugs and memory leaks in the password plugin.
* fixed some CA Certificate handling regressions that affected replica
  installation in some scenarios.
* added a tool to enable or disable the schema compatibility plugin
  (requires the latest slapi-nis packages).

The complete source code is available for download here:
http://www.freeipa.org/page/Downloads

FreeIPA 1.2.1 binaries will be shortly available in Fedora 9 and Fedora 10.

Have Fun!

The FreeIPA Project Team.
--
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


From goetz.reinicke at filmakademie.de Thu Dec 4 10:40:38 2008
From: goetz.reinicke at filmakademie.de (Götz Reinicke)
Date: Thu, 04 Dec 2008 11:40:38 +0100
Subject: [Freeipa-users] How to mass import users and groups
In-Reply-To: <4936A112.8080306@redhat.com>
References: <493644AC.8030807@filmakademie.de> <4936A112.8080306@redhat.com>
Message-ID: <4937B3A6.10206@filmakademie.de>

Dmitri Pal wrote:
> Götz Reinicke wrote:
>> Hi,
>>
>> for now I'm playing with freeipa. Firstly I'd like to use the directory
>> for lookups, therefore I'm looking for an easy way to import user data.
>> (name, e-mail, phone, location, ...)
>>
> You can create a script that will use ipa-adduser command or use
> ldapmodify command and follow the standard syntax.
> If you are going to migrate passwords you can pass the user password
> attribute in LDIF in clear text and the DS plugins will do the right
> thing (freeIPA 1.2 or later).

O.K. and thank you.

Adding the basic information works; could you give me a hint, how to add
more attributes?

ipa-adduser -f Götz -l Reinicke -p TestPassword -M goetz.reinicke@filmakademie.de -c Götz Reinicke

works

ipa-adduser -f Götz -l Reinicke -p TestPassword -M goetz.reinicke@filmakademie.de --addattr=organization=Filmakademie --addattr=username=greinick -c Götz Reinicke

fails

A database error occurred: Object class violation: attribute "username" not allowed

Thanks and best regards

Götz


From john at mintra.com Sat Dec 6 17:18:22 2008
From: john at mintra.com (John B. Adams)
Date: Sat, 6 Dec 2008 17:18:22 +0000 (GMT)
Subject: [Freeipa-users] Kerberos Authentication Failed when following setup instructions
Message-ID: <24606625.31228583902885.JavaMail.root@zimtos.mintra.net>

Hi

I am keen to try out Free IPA as it would solve a lot of problems for me, I have set up a Fedora 10 machine
and installed with yum.

I have followed the install instructions, and the (kinit - klist - ipa-finduser) looks OK
then I go to configure your browser, and put the test domain in

network.negotiate-auth.trusted-uris .mintra.net
network.negotiate-auth.delegation-uris .mintra.net
network.negotiate-auth.using-native-gsslib true

Then I do IPA Certificate Authority bit. And configure firefox the refresh

But it still comes up with Kerberos Authentication failed.

my server is called ipa.mintra.net on a private subnet, I have got the /etc/hosts set up right, and I have set the system up as a DNS server looking at itself with ipa.mintra.net with an A record pointing to itself.

I would welcome some help here as I am dead keen to see the interface.

John


From dpal at redhat.com Sun Dec 7 19:02:18 2008
From: dpal at redhat.com (Dmitri Pal)
Date: Sun, 07 Dec 2008 14:02:18 -0500
Subject: [Freeipa-users] Kerberos Authentication Failed when following setup instructions
In-Reply-To: <24606625.31228583902885.JavaMail.root@zimtos.mintra.net>
References: <24606625.31228583902885.JavaMail.root@zimtos.mintra.net>
Message-ID: <493C1DBA.9050201@redhat.com>

John B. Adams wrote:
> Hi
>
> I am keen to try out Free IPA as it would solve a lot of problems for me, I have set up a Fedora 10 machine
> and installed with yum.
>
> I have followed the install instructions, and the (kinit - klist - ipa-finduser) looks OK
> then I go to configure your browser, and put the test domain in
>
> network.negotiate-auth.trusted-uris .mintra.net
> network.negotiate-auth.delegation-uris .mintra.net
> network.negotiate-auth.using-native-gsslib true
>

Make sure that the shell from which you start FF points to the right
kerberos configuration file. If needed use KRB5_CONFIG env variable to
point to the krb5.conf.
If it does but you still have a problem then the kerberos log would be
helpful. If you do not see anything in the log it would indicate that the
request does not hit the server. That would mean that the FF is not
getting the right kerberos configuration.

> Then I do IPA Certificate Authority bit. And configure firefox the refresh
>
> But it still comes up with Kerberos Authentication failed.
>
> my server is called ipa.mintra.net on a private subnet, I have got the /etc/hosts set up right, and I have set the system up as a DNS server looking at itself with ipa.mintra.net with an A record pointing to itself.
>
> I would welcome some help here as I am dead keen to see the interface.
>
> John
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>


From fraginhell at gmail.com Thu Dec 11 03:15:32 2008
From: fraginhell at gmail.com (Fraginhell)
Date: Thu, 11 Dec 2008 14:15:32 +1100
Subject: [Freeipa-users] Kerberos Authentication (again)
Message-ID: <9584ef450812101915m1d84a669y651fd470a8f5b4c1@mail.gmail.com>

Hi,

Sorry to bring the subject up again, but I can't see for looking where
I might have gone wrong. I have set up a lab with Fedora 9. I have an
ipaserver.labs.example.com.au and ipaclient.labs.example.com.au.
DNS and reverse is working correctly.
IPA server installed without problems and so did the client. On the
server I can kinit admin and then ipa-finduser admin and ldapsearch
-Y GSSAPI -h ipaserver.labs.example.com.au -b
"dc=labs,dc=example,dc=com,dc=au" uid=admin without problem.
My client is configured using the krb5.conf from the docs

[libdefaults]
 default_realm = LABS.EXAMPLE.COM.AU
 dns_lookup_realm = true
 dns_lookup_kdc = true
 #forwardable = yes
 ticket_lifetime = 24h

[realms]
 LABS.EXAMPLE.COM.AU = {
  kdc = ipaserver.labs.example.com.au:88
  admin_server = ipaserver.labs.example.com.au:749
  default_domain = labs.example.com.au
 }

[domain_realm]
 .labs.example.com.au = LABS.EXAMPLE.COM.AU
 labs.example.com.au = LABS.EXAMPLE.COM.AU

on the client I can kinit admin

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@LABS.EXAMPLE.COM.AU

Valid starting     Expires            Service principal
12/11/08 14:03:18  12/12/08 14:03:16  krbtgt/LABS.EXAMPLE.COM.AU@LABS.EXAMPLE.COM.AU

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

on the ipaserver I can see the authentication complete

Dec 11 14:03:16 ipaserver.labs.example.com.au krb5kdc[2005](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.212.50.31: NEEDED_PREAUTH: admin@LABS.EXAMPLE.COM.AU for krbtgt/LABS.EXAMPLE.COM.AU@LABS.EXAMPLE.COM.AU, Additional pre-authentication required

Dec 11 14:03:18 ipaserver.labs.example.com.au krb5kdc[2005](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.212.50.31: ISSUE: authtime 1228964598, etypes {rep=18 tkt=18 ses=18}, admin@LABS.EXAMPLE.COM.AU for krbtgt/LABS.EXAMPLE.COM.AU@LABS.EXAMPLE.COM.AU

now when I add the host service

ipa-addservice host/ipaclient.labs.example.com.au
Could not initialize GSSAPI: Unspecified GSS failure.
Minor code may provide more information/Server not found in Kerberos database

On the server I see

Dec 11 14:07:25 ipaserver.labs.example.com.au krb5kdc[2005](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.212.50.31: UNKNOWN_SERVER: authtime 1228964598, admin@LABS.EXAMPLE.COM.AU for HTTP/ipasever.labs.example.com.au@LABS.EXAMPLE.COM.AU, Server not found in Kerberos database

According to troubleshooting, this is a dns problem:
on the server

nslookup ipaclient
Server:         127.0.0.1
Address:        127.0.0.1#53

Name:   ipaclient.labs.example.com.au
Address: 10.212.50.31

nslookup 10.212.50.31
Server:         127.0.0.1
Address:        127.0.0.1#53

31.50.212.10.in-addr.arpa       name = ipaclient.labs.example.com.au.

The other mention in the troubleshooting guide is:
You may have multiple entries for the same host created by different KDCs.
Not sure what this means? or where to go from here.

Thanks

Keith.


From dpal at redhat.com Thu Dec 11 03:37:25 2008
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 10 Dec 2008 22:37:25 -0500
Subject: [Freeipa-users] Kerberos Authentication (again)
In-Reply-To: <9584ef450812101915m1d84a669y651fd470a8f5b4c1@mail.gmail.com>
References: <9584ef450812101915m1d84a669y651fd470a8f5b4c1@mail.gmail.com>
Message-ID: <49408AF5.1030702@redhat.com>

Fraginhell wrote:
> now when I add the host service
> ipa-addservice host/ipaclient.labs.example.com.au
> Could not initialize GSSAPI: Unspecified GSS failure. Minor code may
> provide more information/Server not found in Kerberos database
> On the server I see
>
> Dec 11 14:07:25 ipaserver.labs.example.com.au krb5kdc[2005](info):
> TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.212.50.31: UNKNOWN_SERVER:
> authtime 1228964598, admin@LABS.EXAMPLE.COM.AU for
> HTTP/ipasever.labs.example.com.au@LABS.EXAMPLE.COM.AU, Server not
> found in Kerberos database
>

Did you do ipa-getkeytab on the client where the service is going to run?
See http://www.freeipa.org/page/ConfiguringFedoraClients and steps to
retrieve keytab before using service.
The operation will initialize kerberos attributes inside the service entry.
Without it the service is just an empty container not yet known to KDC.

Thanks
Dmitri
From fraginhell at gmail.com Thu Dec 11 04:05:32 2008
From: fraginhell at gmail.com (Fraginhell)
Date: Thu, 11 Dec 2008 15:05:32 +1100
Subject: [Freeipa-users] Kerberos Authentication (again)
In-Reply-To: <49408AF5.1030702@redhat.com>
References: <9584ef450812101915m1d84a669y651fd470a8f5b4c1@mail.gmail.com> <49408AF5.1030702@redhat.com>
Message-ID: <9584ef450812102005y64cb3515od408aa77f1b46c83@mail.gmail.com>

Dmitri,

wow thanks for such a quick reply,

ipa-getkeytab -s ipaserver.labs.example.com.au -p host/ipaclient.labs.example.com.au -k /etc/krb5.keytab
SASL Bind failed!

on the server I see

# Dec 11 14:59:41 ipaserver.labs.example.com.au krb5kdc[2005](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.212.50.31: UNKNOWN_SERVER: authtime 1228964598, admin@LABS.EXAMPLE.COM.AU for ldap/ipasever.labs.example.com.au@LABS.EXAMPLE.COM.AU, Server not found in Kerberos database

Dec 11 14:59:41 ipaserver.labs.example.com.au krb5kdc[2005](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.212.50.31: UNKNOWN_SERVER: authtime 1228964598, admin@LABS.INFOPLEX.COM.AU for ldap/ipasever.labs.example.com.au@LABS.EXAMPLE.COM.AU, Server not found in Kerberos database

The guide says to add the host principal first on the server. If I do a
ipa-findservice I can see lots of entries for the server but none for the
client.

Keith.

2008/12/11 Dmitri Pal :
> Did you do ipa-getkeytab on the client where the service is going to run?
> See http://www.freeipa.org/page/ConfiguringFedoraClients and steps to
> retrieve keytab before using service.
> The operation will initialize kerberos attributes inside the service entry.
> Without it the service is just an empty container not yet known to KDC.
>
> Thanks
> Dmitri
From dpal at redhat.com Thu Dec 11 04:34:55 2008
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 10 Dec 2008 23:34:55 -0500
Subject: [Freeipa-users] Kerberos Authentication (again)
In-Reply-To: <9584ef450812102005y64cb3515od408aa77f1b46c83@mail.gmail.com>
References: <9584ef450812101915m1d84a669y651fd470a8f5b4c1@mail.gmail.com> <49408AF5.1030702@redhat.com> <9584ef450812102005y64cb3515od408aa77f1b46c83@mail.gmail.com>
Message-ID: <4940986F.8010807@redhat.com>

Fraginhell wrote:
> Dmitri,
>
> wow thanks for such a quick reply,
>

Hm, I might have misread the error in your original post.
I thought that you managed to create the service record. It looks like it
failed first.
Are you saying it fails to create the service itself?

Then this is really on the edge of what I understand (learning product
myself).
Can it be that the host is already enrolled with some other kerberos server
and has a keytab from it?

Sorry if there will be more confusion than help.

Dmitri

> ipa-getkeytab -s ipaserver.labs.example.com.au -p
> host/ipaclient.labs.example.com.au -k /etc/krb5.keytab
> SASL Bind failed!
>
> on the server I see
> # Dec 11 14:59:41 ipaserver.labs.example.com.au krb5kdc[2005](info):
> TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.212.50.31: UNKNOWN_SERVER:
> authtime 1228964598, admin@LABS.EXAMPLE.COM.AU for
> ldap/ipasever.labs.example.com.au@LABS.EXAMPLE.COM.AU, Server not
> found in Kerberos database
>
> Dec 11 14:59:41 ipaserver.labs.example.com.au krb5kdc[2005](info):
> TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.212.50.31: UNKNOWN_SERVER:
> authtime 1228964598, admin@LABS.INFOPLEX.COM.AU for
> ldap/ipasever.labs.example.com.au@LABS.EXAMPLE.COM.AU, Server not
> found in Kerberos database
>
> The guide says to add the host principal first on the server. If I do a
> ipa-findservice I can see lots of entries for the server but none for the
> client.
>
> Keith.
>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>

From fraginhell at gmail.com Thu Dec 11 04:49:17 2008
From: fraginhell at gmail.com (Fraginhell)
Date: Thu, 11 Dec 2008 15:49:17 +1100
Subject: [Freeipa-users] Kerberos Authentication (again)
In-Reply-To: <4940986F.8010807@redhat.com>
References: <9584ef450812101915m1d84a669y651fd470a8f5b4c1@mail.gmail.com> <49408AF5.1030702@redhat.com> <9584ef450812102005y64cb3515od408aa77f1b46c83@mail.gmail.com> <4940986F.8010807@redhat.com>
Message-ID: <9584ef450812102049u54dd8978l953a19056fb0319a@mail.gmail.com>

Yes, I cannot create the service. It works on the IPA server, I can
create it there (and delete it again); maybe that's the problem.
I'm sure it's not on the IPA server anymore as

ipa-findservice host/ipaclient.labs.example.com.au
No entries found for host/ipaclient.labs.example.com.au

I just checked the client's /etc/krb5.keytab file and it does not exist.
What bothers me is on the server (/var/log/krb5kdc.log) the log says
UNKNOWN_SERVER. I'm not sure how much of the problem this is.

Dec 11 14:59:41 ipaserver.labs.example.com.au krb5kdc[2005](info):
TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.212.50.31: UNKNOWN_SERVER:
authtime 1228964598, admin at LABS.EXAMPLE.COM.AU for
ldap/ipasever.labs.example.com.au at LABS.EXAMPLE.COM.AU, Server not
found in Kerberos database

2008/12/11 Dmitri Pal :
> Fraginhell wrote:
>>
>> Dmitri,
>>
>> wow thanks for such a quick reply,
>>
>
> Hm, I might have misread the error in your original post.
> I thought that you managed to create the service record. It looks like it
> failed first.
> Are you saying it fails to create the service itself?
>
> Then this is really on the edge of what I understand (learning product
> myself).
> Can it be that the host is already enrolled with some other kerberos server
> and has a keytab from it?
>
> Sorry if there will be more confusion than help.
> Dmitri
>
>> ipa-getkeytab -s ipaserver.labs.example.com.au -p
>> host/ipaclient.labs.example.com.au -k /etc/krb5.keytab
>> SASL Bind failed!
>>
>> on the server I see
>> # Dec 11 14:59:41 ipaserver.labs.example.com.au krb5kdc[2005](info):
>> TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.212.50.31: UNKNOWN_SERVER:
>> authtime 1228964598, admin at LABS.EXAMPLE.COM.AU for
>> ldap/ipasever.labs.example.com.au at LABS.EXAMPLE.COM.AU, Server not
>> found in Kerberos database
>>
>> Dec 11 14:59:41 ipaserver.labs.example.com.au krb5kdc[2005](info):
>> TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.212.50.31: UNKNOWN_SERVER:
>> authtime 1228964598, admin at LABS.EXAMPLE.COM.AU for
>> ldap/ipasever.labs.example.com.au at LABS.EXAMPLE.COM.AU, Server not
>> found in Kerberos database
>>
>> The guide says to add the host principal first on the server. If I do an
>> ipa-findservice I can see lots of entries for the server but none for the
>> client.
>>
>> Keith.
>>
>> 2008/12/11 Dmitri Pal :
>>
>>> Fraginhell wrote:
>>>
>>>> Hi,
>>>>
>>>> Sorry to bring the subject up again, but I can't see for looking where
>>>> I might have gone wrong. I have set up a lab with Fedora 9. I have an
>>>> ipaserver.labs.example.com.au and ipaclient.labs.example.com.au.
>>>> DNS and reverse DNS are working correctly.
>>>> IPA server installed without problems and so did the client. On the
>>>> server I can kinit admin and then ipa-finduser admin and ldapsearch
>>>> -Y GSSAPI -h ipaserver.labs.example.com.au -b
>>>> "dc=labs,dc=example,dc=com,dc=au" uid=admin without problem.
>>>>
>>>> _______________________________________________
>>>> Freeipa-users mailing list
>>>> Freeipa-users at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>

From dpal at redhat.com Thu Dec 11 05:02:44 2008
From: dpal at redhat.com (Dmitri Pal)
Date: Thu, 11 Dec 2008 00:02:44 -0500
Subject: [Freeipa-users] Kerberos Authentication (again)
In-Reply-To: <9584ef450812102049u54dd8978l953a19056fb0319a@mail.gmail.com>
References: <9584ef450812101915m1d84a669y651fd470a8f5b4c1@mail.gmail.com> <49408AF5.1030702@redhat.com> <9584ef450812102005y64cb3515od408aa77f1b46c83@mail.gmail.com> <4940986F.8010807@redhat.com> <9584ef450812102049u54dd8978l953a19056fb0319a@mail.gmail.com>
Message-ID: <49409EF4.8080602@redhat.com>

Fraginhell wrote:
> Yes, I cannot create the service. It works on the IPA server, I can
> create it there (and delete it again); maybe that's the problem.
> I'm sure it's not on the IPA server anymore as
>

So on the IPA server you run:

ipa-addservice host/ipaclient.labs.example.com.au

and it works.

Then you delete it on the server, go to the client and try it there and it
fails. Right?
On the client you did the ipa-client-install and followed the instructions.
And you did "kinit admin" on the client and it worked. I see the ticket below.

Hm...
Does the client nslookup also work and return the same result as the one you
have on the server?

Dmitri

> ipa-findservice host/ipaclient.labs.example.com.au
> No entries found for host/ipaclient.labs.example.com.au
>
> I just checked the client's /etc/krb5.keytab file and it does not exist.
> What bothers me is on the server (/var/log/krb5kdc.log) the log says
> UNKNOWN_SERVER. I'm not sure how much of the problem this is.
>>>>>
>>>>> _______________________________________________
>>>>> Freeipa-users mailing list
>>>>> Freeipa-users at redhat.com
>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>

From fraginhell at gmail.com Thu Dec 11 05:10:38 2008
From: fraginhell at gmail.com (Fraginhell)
Date: Thu, 11 Dec 2008 16:10:38 +1100
Subject: [Freeipa-users] Kerberos Authentication (again)
In-Reply-To: <49409EF4.8080602@redhat.com>
References: <9584ef450812101915m1d84a669y651fd470a8f5b4c1@mail.gmail.com> <49408AF5.1030702@redhat.com> <9584ef450812102005y64cb3515od408aa77f1b46c83@mail.gmail.com> <4940986F.8010807@redhat.com> <9584ef450812102049u54dd8978l953a19056fb0319a@mail.gmail.com> <49409EF4.8080602@redhat.com>
Message-ID: <9584ef450812102110s764d52ebvde295c1f59bcb343@mail.gmail.com>

Spot on, just double checked the nslookup on both client and server
and I get the same result.
Followed the client install, Configuring Kerberos, and then
Configuring Client SSH Access, as I don't need NFS or TLS in this lab.
I also checked the server times, which look correct too; since they
are both VMs they get the time from the host.
I did notice a slight difference between the /etc/krb5.conf file that
IPA client install creates and the one from the docs. I copied the one
from the docs; might try the original file from the install to see if
that makes a difference.

2008/12/11 Dmitri Pal :
> Fraginhell wrote:
>>
>> Yes, I cannot create the service. It works on the IPA server, I can
>> create it there (and delete it again); maybe that's the problem.
>> I'm sure it's not on the IPA server anymore as
>>
>
> So on the IPA server you run:
>
> ipa-addservice host/ipaclient.labs.example.com.au
>
> and it works.
>
> Then you delete it on the server, go to the client and try it there and it
> fails. Right?
> On the client you did the ipa-client-install and followed the instructions.
> And you did "kinit admin" on the client and it worked. I see the ticket below.
>
> Hm...
>>>>>>
>>>>>> _______________________________________________
>>>>>> Freeipa-users mailing list
>>>>>> Freeipa-users at redhat.com
>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>>

From dpal at redhat.com Thu Dec 11 05:43:36 2008
From: dpal at redhat.com (Dmitri Pal)
Date: Thu, 11 Dec 2008 00:43:36 -0500
Subject: [Freeipa-users] Kerberos Authentication (again)
In-Reply-To: <9584ef450812102110s764d52ebvde295c1f59bcb343@mail.gmail.com>
References: <9584ef450812101915m1d84a669y651fd470a8f5b4c1@mail.gmail.com> <49408AF5.1030702@redhat.com> <9584ef450812102005y64cb3515od408aa77f1b46c83@mail.gmail.com> <4940986F.8010807@redhat.com> <9584ef450812102049u54dd8978l953a19056fb0319a@mail.gmail.com> <49409EF4.8080602@redhat.com> <9584ef450812102110s764d52ebvde295c1f59bcb343@mail.gmail.com>
Message-ID: <4940A888.3050507@redhat.com>

Fraginhell wrote:
> Spot on, just double checked the nslookup on both client and server
> and I get the same result.
> Followed the client install, Configuring Kerberos, and then
> Configuring Client SSH Access, as I don't need NFS or TLS in this lab.
> I also checked the server times, which look correct too; since they
> are both VMs they get the time from the host.
> I did notice a slight difference between the /etc/krb5.conf file that
> IPA client install creates and the one from the docs. I copied the one
> from the docs; might try the original file from the install to see if
> that makes a difference.
>

Well then I need to give way to real gurus.
I hope they will be able to help you in the morning.
Sorry that I was not of much help.

Dmitri

From ssorce at redhat.com Thu Dec 11 13:42:41 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 11 Dec 2008 08:42:41 -0500
Subject: [Freeipa-users] Kerberos Authentication (again)
In-Reply-To: <9584ef450812102005y64cb3515od408aa77f1b46c83@mail.gmail.com>
References: <9584ef450812101915m1d84a669y651fd470a8f5b4c1@mail.gmail.com> <49408AF5.1030702@redhat.com> <9584ef450812102005y64cb3515od408aa77f1b46c83@mail.gmail.com>
Message-ID: <1229002961.10907.4.camel@localhost.localdomain>

On Thu, 2008-12-11 at 15:05 +1100, Fraginhell wrote:
>
> The guide says to add the host principal first on the server. If I do an
> ipa-findservice I can see lots of entries for the server but none for the
> client.

Have you interpreted this passage as an incitement to do something like:

ipa-addservice HTTP/ipaserver.labs.example.com.au

I.e., have you added services with the name of the server?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com Thu Dec 11 14:17:00 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 11 Dec 2008 09:17:00 -0500
Subject: [Freeipa-users] Kerberos Authentication (again)
In-Reply-To: <9584ef450812102049u54dd8978l953a19056fb0319a@mail.gmail.com>
References: <9584ef450812101915m1d84a669y651fd470a8f5b4c1@mail.gmail.com> <49408AF5.1030702@redhat.com> <9584ef450812102005y64cb3515od408aa77f1b46c83@mail.gmail.com> <4940986F.8010807@redhat.com> <9584ef450812102049u54dd8978l953a19056fb0319a@mail.gmail.com>
Message-ID: <494120DC.1040605@redhat.com>

Fraginhell wrote:
> Yes, I cannot create the service. It works on the IPA server, I can
> create it there (and delete it again); maybe that's the problem.
> I'm sure it's not on the IPA server anymore as
>
> ipa-findservice host/ipaclient.labs.example.com.au
> No entries found for host/ipaclient.labs.example.com.au
>
> I just checked the client's /etc/krb5.keytab file and it does not exist.
> What bothers me is on the server (/var/log/krb5kdc.log) the log says
> UNKNOWN_SERVER. I'm not sure how much of the problem this is.
>
> Dec 11 14:59:41 ipaserver.labs.example.com.au krb5kdc[2005](info):
> TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.212.50.31: UNKNOWN_SERVER:
> authtime 1228964598, admin at LABS.EXAMPLE.COM.AU for
> ldap/ipasever.labs.example.com.au at LABS.EXAMPLE.COM.AU, Server not
> found in Kerberos database

Note the server it is trying to get a ticket for: ipasever.labs.example.com.au
(misspelled).

Can you check /etc/ipa/ipa.conf to see if that contains the misspelled server name?

rob

From fraginhell at gmail.com Sun Dec 14 22:25:40 2008
From: fraginhell at gmail.com (Fraginhell)
Date: Mon, 15 Dec 2008 09:25:40 +1100
Subject: [Freeipa-users] Kerberos Authentication (again)
In-Reply-To: <494120DC.1040605@redhat.com>
References: <9584ef450812101915m1d84a669y651fd470a8f5b4c1@mail.gmail.com> <49408AF5.1030702@redhat.com> <9584ef450812102005y64cb3515od408aa77f1b46c83@mail.gmail.com> <4940986F.8010807@redhat.com> <9584ef450812102049u54dd8978l953a19056fb0319a@mail.gmail.com> <494120DC.1040605@redhat.com>
Message-ID: <9584ef450812141425o217b4e83nb516654d227162f1@mail.gmail.com>

Hi,
I checked /etc/ipa/ipa.conf and /etc/hosts and DNS, no luck; here's the
ipa.conf file.

[defaults]
server=ipaserver.labs.example.com.au
realm=LABS.EXMAPLE.COM.AU
domain=labs.example.com.au

I also tried Simo's suggestion of adding the service, but got the following

A database error occurred: Constraint violation: Another entry with
the same attribute value already exists

From fraginhell at gmail.com Mon Dec 15 04:10:16 2008
From: fraginhell at gmail.com (Fraginhell)
Date: Mon, 15 Dec 2008 15:10:16 +1100
Subject: [Freeipa-users] Kerberos Authentication (again)
In-Reply-To: <9584ef450812141425o217b4e83nb516654d227162f1@mail.gmail.com>
References: <9584ef450812101915m1d84a669y651fd470a8f5b4c1@mail.gmail.com> <49408AF5.1030702@redhat.com> <9584ef450812102005y64cb3515od408aa77f1b46c83@mail.gmail.com> <4940986F.8010807@redhat.com> <9584ef450812102049u54dd8978l953a19056fb0319a@mail.gmail.com> <494120DC.1040605@redhat.com> <9584ef450812141425o217b4e83nb516654d227162f1@mail.gmail.com>
Message-ID: <9584ef450812142010n84719e8j843652d2311bc2a9@mail.gmail.com>

Thought I would report that I found the problem, doh! The reverse DNS
record had the typo, but nscd had it cached; a total reboot and nscd
shutdown fixed the issue.

Thanks for all the help, I've learnt a lot.

2008/12/15 Fraginhell :
> Hi,
> I checked /etc/ipa/ipa.conf and /etc/hosts and DNS, no luck; here's the
> ipa.conf file.
>
> [defaults]
> server=ipaserver.labs.example.com.au
> realm=LABS.EXMAPLE.COM.AU
> domain=labs.example.com.au
>
> I also tried Simo's suggestion of adding the service, but got the following
>
> A database error occurred: Constraint violation: Another entry with
> the same attribute value already exists
>

From ssorce at redhat.com Mon Dec 15 13:27:10 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 15 Dec 2008 08:27:10 -0500
Subject: [Freeipa-users] Kerberos Authentication (again)
In-Reply-To: <9584ef450812141425o217b4e83nb516654d227162f1@mail.gmail.com>
References: <9584ef450812101915m1d84a669y651fd470a8f5b4c1@mail.gmail.com> <49408AF5.1030702@redhat.com> <9584ef450812102005y64cb3515od408aa77f1b46c83@mail.gmail.com> <4940986F.8010807@redhat.com> <9584ef450812102049u54dd8978l953a19056fb0319a@mail.gmail.com> <494120DC.1040605@redhat.com> <9584ef450812141425o217b4e83nb516654d227162f1@mail.gmail.com>
Message-ID: <1229347631.3687.66.camel@localhost.localdomain>

On Mon, 2008-12-15 at 09:25 +1100, Fraginhell wrote:
> Hi,
> I checked /etc/ipa/ipa.conf and /etc/hosts and DNS, no luck; here's the
> ipa.conf file.
>
> [defaults]
> server=ipaserver.labs.example.com.au
> realm=LABS.EXMAPLE.COM.AU

a typo here too ^^^^^^ :)

> domain=labs.example.com.au
>
> I also tried Simo's suggestion of adding the service, but got the following

My request was to make sure you actually did *not* do that.
We used to allow it in older versions and it would have seriously
crippled your IPA server.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From t.sailer at alumni.ethz.ch Mon Dec 15 14:33:44 2008
From: t.sailer at alumni.ethz.ch (Thomas Sailer)
Date: Mon, 15 Dec 2008 15:33:44 +0100
Subject: [Freeipa-users] ipa-server-install problem
Message-ID: <1229351624.13313.58.camel@localhost.localdomain>

Hi,

I'm trying to install ipa-server using the ipa-server-install script on
a freshly installed and up-to-date Fedora 10 x86_64 machine (on bare
metal).
The script terminates with the following error:

The following operations may take some minutes to complete.
Please wait until the prompt is returned.
Configuring ntpd
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
done configuring ntpd.
Configuring directory server:
  [1/17]: creating directory server user
  [2/17]: creating directory server instance
  [3/17]: adding default schema
  [4/17]: enabling memberof plugin
  [5/17]: enabling referential integrity plugin
  [6/17]: enabling distributed numeric assignment plugin
  [7/17]: enabling winsync plugin
  [8/17]: configuring uniqueness plugin
  [9/17]: creating indices
  [10/17]: configuring ssl for ds instance
  [11/17]: configuring certmap.conf
  [12/17]: restarting directory server
  [13/17]: adding default layout
  [14/17]: configuring Posix uid/gid generation as first master
  [15/17]: adding master entry as first master
  [16/17]: initializing group membership
  [17/17]: configuring directory to start on boot
done configuring dirsrv.
Configuring Kerberos KDC
  [1/13]: setting KDC account password
  [2/13]: adding sasl mappings to the directory
root        : CRITICAL failed to add Full Principal Sasl mapping
Unexpected error - see ipaserver-install.log for details:
local variable 'e' referenced before assignment

I also tried to upgrade to ipa 1.2.1-0 available in updates-testing, but I get the same error.

DNS works. What's wrong?

ipa-python-1.2.1-0.fc10.x86_64
fedora-ds-base-1.1.3-6.fc10.x86_64
ipa-admintools-1.2.1-0.fc10.x86_64
ipa-server-selinux-1.2.1-0.fc10.x86_64
ipa-server-1.2.1-0.fc10.x86_64
ipa-client-1.2.1-0.fc10.x86_64

Thanks,
Tom

-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipaserver-install.log
Type: text/x-log
Size: 20091 bytes
Desc: not available
URL: 

From rcritten at redhat.com Mon Dec 15 16:39:06 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 15 Dec 2008 11:39:06 -0500
Subject: [Freeipa-users] ipa-server-install problem
In-Reply-To: <1229351624.13313.58.camel@localhost.localdomain>
References: <1229351624.13313.58.camel@localhost.localdomain>
Message-ID: <4946882A.2070102@redhat.com>

Thomas Sailer wrote:
> Hi,
>
> I'm trying to install ipa-server using the ipa-server-install script on
> a freshly installed and uptodate Fedora 10 x86_64 machine (on bare
> metal). The script terminates with the following error:
>
> The following operations may take some minutes to complete.
> Please wait until the prompt is returned.
> Configuring ntpd
>   [1/4]: stopping ntpd
>   [2/4]: writing configuration
>   [3/4]: configuring ntpd to start on boot
>   [4/4]: starting ntpd
> done configuring ntpd.
> Configuring directory server:
>   [1/17]: creating directory server user
>   [2/17]: creating directory server instance
>   [3/17]: adding default schema
>   [4/17]: enabling memberof plugin
>   [5/17]: enabling referential integrity plugin
>   [6/17]: enabling distributed numeric assignment plugin
>   [7/17]: enabling winsync plugin
>   [8/17]: configuring uniqueness plugin
>   [9/17]: creating indices
>   [10/17]: configuring ssl for ds instance
>   [11/17]: configuring certmap.conf
>   [12/17]: restarting directory server
>   [13/17]: adding default layout
>   [14/17]: configuring Posix uid/gid generation as first master
>   [15/17]: adding master entry as first master
>   [16/17]: initializing group membership
>   [17/17]: configuring directory to start on boot
> done configuring dirsrv.
> Configuring Kerberos KDC
>   [1/13]: setting KDC account password
>   [2/13]: adding sasl mappings to the directory
> root        : CRITICAL failed to add Full Principal Sasl mapping
> Unexpected error - see ipaserver-install.log for details:
> local variable 'e' referenced before assignment

The root problem is the inability to add the SASL mapping because it already exists. The local variable is a bug in the exception handling.

We are trying to add this entry:

cn=Full Principal,cn=mapping,cn=sasl,cn=config
objectclass: top
objectclass: nsSaslMapping
cn: Full Principal
nsSaslMapRegexString: \(.*\)@\(.*\)
nsSaslMapBaseDNTemplate: SUFFIX
nsSaslMapFilterTemplate: (krbPrincipalName=\1@\2)

Can you see if this entry already exists in your DS? I'm not sure how it could.

% ldapsearch -x -D "cn=directory manager" -W -b "cn=Full Principal,cn=mapping,cn=sasl,cn=config"

thanks

rob

> I also tried to upgrade to ipa 1.2.1-0 available in updates-testing, but
> I get the same error.
>
> DNS works. What's wrong?
>
> ipa-python-1.2.1-0.fc10.x86_64
> fedora-ds-base-1.1.3-6.fc10.x86_64
> ipa-admintools-1.2.1-0.fc10.x86_64
> ipa-server-selinux-1.2.1-0.fc10.x86_64
> ipa-server-1.2.1-0.fc10.x86_64
> ipa-client-1.2.1-0.fc10.x86_64
>
> Thanks,
> Tom
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

From t.sailer at alumni.ethz.ch Mon Dec 15 17:39:04 2008
From: t.sailer at alumni.ethz.ch (Thomas Sailer)
Date: Mon, 15 Dec 2008 18:39:04 +0100
Subject: [Freeipa-users] ipa-server-install problem
In-Reply-To: <4946882A.2070102@redhat.com>
References: <1229351624.13313.58.camel@localhost.localdomain> <4946882A.2070102@redhat.com>
Message-ID: <1229362744.13313.104.camel@localhost.localdomain>

On Mon, 2008-12-15 at 11:39 -0500, Rob Crittenden wrote:
> Can you see if this entry already exists in your DS?
> I'm not sure how it could.
>
> % ldapsearch -x -D "cn=directory manager" -W -b "cn=Full
> Principal,cn=mapping,cn=sasl,cn=config"

Yep it does.

# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1

But I now found the problems:

1) /etc/hosts was wrong (maybe ipa-server-install could check whether hosts is consistent with dns?)

2) I had a URI pointing to another dirsrv in /etc/ldap.conf

I fixed both, it works now...

Thanks,
Tom

From rcritten at redhat.com Mon Dec 15 18:30:53 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 15 Dec 2008 13:30:53 -0500
Subject: [Freeipa-users] ipa-server-install problem
In-Reply-To: <1229362744.13313.104.camel@localhost.localdomain>
References: <1229351624.13313.58.camel@localhost.localdomain> <4946882A.2070102@redhat.com> <1229362744.13313.104.camel@localhost.localdomain>
Message-ID: <4946A25D.9060306@redhat.com>

Thomas Sailer wrote:
> On Mon, 2008-12-15 at 11:39 -0500, Rob Crittenden wrote:
>
>> Can you see if this entry already exists in your DS? I'm not sure how it
>> could.
>>
>> % ldapsearch -x -D "cn=directory manager" -W -b "cn=Full
>> Principal,cn=mapping,cn=sasl,cn=config"
>
> Yep it does.
>
> # extended LDIF
> #
> # LDAPv3
> # base with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 1
>
> But I now found the problems:
>
> 1) /etc/hosts was wrong (maybe ipa-server-install could check whether
> hosts is consistent with dns?)

We do some amount of verification now.

> 2) I had an uri pointing to another dirsrv in /etc/ldap.conf

I wonder if a tool was contacting the wrong server.

> I fixed both, it works now...

Would it be possible to test these one at a time to see which one actually fixed it?

rob

From t.sailer at alumni.ethz.ch Tue Dec 16 10:44:27 2008
From: t.sailer at alumni.ethz.ch (Thomas Sailer)
Date: Tue, 16 Dec 2008 11:44:27 +0100
Subject: [Freeipa-users] ipa-server-install problem
In-Reply-To: <4946A25D.9060306@redhat.com>
References: <1229351624.13313.58.camel@localhost.localdomain> <4946882A.2070102@redhat.com> <1229362744.13313.104.camel@localhost.localdomain> <4946A25D.9060306@redhat.com>
Message-ID: <1229424267.13313.119.camel@localhost.localdomain>

On Mon, 2008-12-15 at 13:30 -0500, Rob Crittenden wrote:
> Would it be possible to test these one at a time to see which one
> actually fixed it?
It's the entry in /etc/hosts; the URI in /etc/ldap.conf does not matter.

Tom

From t.sailer at alumni.ethz.ch Tue Dec 16 16:29:41 2008
From: t.sailer at alumni.ethz.ch (Thomas Sailer)
Date: Tue, 16 Dec 2008 17:29:41 +0100
Subject: [Freeipa-users] ipa-*: Did not receive Kerberos credentials.
Message-ID: <1229444981.13313.127.camel@localhost.localdomain>

Now the final problem I seem to be having is the command line tools.

The gui works fine.

When I invoke an ipa-* command line tool, I get the following:

# ipa-finduser admin
Did not receive Kerberos credentials.

# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@XXXX.COM

Valid starting     Expires            Service principal
12/16/08 17:01:28  12/17/08 17:01:25  krbtgt/XXXX.COM@XXXX.COM
12/16/08 17:02:05  12/17/08 17:01:25  HTTP/server.xxxx.com@XXXX.COM


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

The httpd debug log doesn't show any error, and setting PythonDebug and IPADebug to on does not help either. The httpd forensic log shows that both firefox and ipa-finduser send an Authorization: negotiate header, but the latter sends different and less coded binary data.

Does anyone have an idea what could be wrong?

Thanks,
Tom

From ssorce at redhat.com Tue Dec 16 16:34:13 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 16 Dec 2008 11:34:13 -0500
Subject: [Freeipa-users] ipa-*: Did not receive Kerberos credentials.
In-Reply-To: <1229444981.13313.127.camel@localhost.localdomain>
References: <1229444981.13313.127.camel@localhost.localdomain>
Message-ID: <1229445253.3687.87.camel@localhost.localdomain>

On Tue, 2008-12-16 at 17:29 +0100, Thomas Sailer wrote:
> Now the final problem I seem to be having is the command line tools.
>
> The gui works fine.
>
> When I invoke an ipa-* command line tool, I get the following:
> # ipa-finduser admin
> Did not receive Kerberos credentials.
>
> # klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: admin@XXXX.COM
>
> Valid starting     Expires            Service principal
> 12/16/08 17:01:28  12/17/08 17:01:25  krbtgt/XXXX.COM@XXXX.COM
> 12/16/08 17:02:05  12/17/08 17:01:25  HTTP/server.xxxx.com@XXXX.COM
>
>
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
>
> The httpd debug log doesn't show any error, and setting PythonDebug and
> IPADebug to on does not help either. The httpd forensic log shows that
> both firefox and ipa-finduser send an Authorization:negotiate header,
> but the latter sends different and less coded binary data.
>
> Does anyone have an idea what could be wrong?

It's the said effect of an unfortunate package update in Fedora.
Make sure you have the python-kerberos-1.1-3 and ipa-server-1.2.1-1 packages.

The patch that fixes this, but for PyKerberos 1.1, is not yet in the master branch; I will add it soon.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From t.sailer at alumni.ethz.ch Tue Dec 16 17:23:43 2008
From: t.sailer at alumni.ethz.ch (Thomas Sailer)
Date: Tue, 16 Dec 2008 18:23:43 +0100
Subject: [Freeipa-users] ipa-*: Did not receive Kerberos credentials.
In-Reply-To: <1229445253.3687.87.camel@localhost.localdomain>
References: <1229444981.13313.127.camel@localhost.localdomain> <1229445253.3687.87.camel@localhost.localdomain>
Message-ID: <1229448223.13313.128.camel@localhost.localdomain>

On Tue, 2008-12-16 at 11:34 -0500, Simo Sorce wrote:
> It's the said effect of an unfortunate package update in Fedora.
> Make sure you have python-kerberos-1.1-3 and ipa-server-1.2.1-1 packages

Thanks, that fixes it.
Tom

From rcritten at redhat.com Tue Dec 16 20:05:34 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 16 Dec 2008 15:05:34 -0500
Subject: [Freeipa-users] ipa-server-install problem
In-Reply-To: <1229424267.13313.119.camel@localhost.localdomain>
References: <1229351624.13313.58.camel@localhost.localdomain> <4946882A.2070102@redhat.com> <1229362744.13313.104.camel@localhost.localdomain> <4946A25D.9060306@redhat.com> <1229424267.13313.119.camel@localhost.localdomain>
Message-ID: <49480A0E.6080908@redhat.com>

Thomas Sailer wrote:
> On Mon, 2008-12-15 at 13:30 -0500, Rob Crittenden wrote:
>
>> Would it be possible to test these one at a time to see which one
>> actually fixed it?
>
> It's the entry in /etc/hosts, the uri in /etc/ldap.conf does not matter.
>
> Tom

Thanks for checking. I've filed a bug to track this: https://bugzilla.redhat.com/show_bug.cgi?id=476731

At a minimum we should improve the error messages to tell you what host it is trying to connect to.

rob

From freeipa at olo.org.pl Wed Dec 17 11:33:28 2008
From: freeipa at olo.org.pl (Aleksander Adamowski)
Date: Wed, 17 Dec 2008 12:33:28 +0100
Subject: [Freeipa-users] [PATCH] A script to register Fedora Directory Admin Server with a FreeIPA-created Directory Server instance
Message-ID: <1c690d740812170333o2ebd2725v5d2ba431856cd48b@mail.gmail.com>

Hi!

I've played around with the latest FreeIPA server (1.2.1) and wanted a comfortable method for customising the Directory Server schema, ACIs, et cetera.

The ideal tool for this is the fedora-idm-console. However, it requires a working administration server instance and that the directory server instance is registered with it.

There seem to be no existing tools for this task, so I took the setup-ds-admin.pl script, trimmed it down so that only the bits related to admin server instance creation are there (turned out quite short) and supplied my own setup .INF file to configure its invocation. It worked fine and now I can use fedora-idm-console with FreeIPA's directory server instance.

So I figured I could post back this trimmed-down script and .INF file in case someone wants to do a similar thing.

The procedure is as follows:

1) Download the setup-register-admin.inf.txt, rename it to setup-register-admin.inf and customise it to your installation

2) Download setup-admin.pl and run it, specifying the inf file on the command line: "..../setup-admin.pl --file=setup-register-admin.inf"

3) It should ask the usual setup questions. If all goes well, try accessing the admin server with fedora-idm-console (the administration URL will be http://YOUR_HOSTNAME:9830).

4) There might be no directory server instance visible in the servers tree (I don't remember whether setup-admin.pl registers the FDS instance in the configuration DS). If that's the case, run register-ds-admin.pl to register your directory server instance in the configuration DS. The directory server should then appear in fedora-idm-console's server group tree.

-- 
Best Regards,
Aleksander Adamowski
http://olo.org.pl

-------------- next part --------------
A non-text attachment was scrubbed...
Name: setup-admin.pl
Type: application/octet-stream
Size: 4211 bytes
Desc: not available
URL: 
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: setup-register-admin.inf.txt
URL: 

From kozlov at spbcas.ru Mon Dec 22 11:22:14 2008
From: kozlov at spbcas.ru (Konstantin Kozlov)
Date: Mon, 22 Dec 2008 14:22:14 +0300
Subject: [Freeipa-users] samba4 and freeipa
Message-ID: <494F7866.1070609@spbcas.ru>

Hello,

Did anybody try to integrate samba4 and freeipa?

Does samba4 work with the directory server and kerberos from a freeipa installation? Or is ipa-winsync a better solution?

Is there any code, maybe in alpha stage, for such integration?
Best regards,

-- 
Konstantin Kozlov
Department of Computational Biology,
Center for Advanced Studies,
SPb State Polytechnical University,
195251, Polytechnicheskaya ul., 29,
bld 4, office 204,
St.Petersburg, Russia.

Tel./fax: +7 812 596 2831

From mackoel at gmail.com Mon Dec 22 17:05:56 2008
From: mackoel at gmail.com (Kozlov)
Date: Mon, 22 Dec 2008 20:05:56 +0300
Subject: [Freeipa-users] samba4 and freeipa
In-Reply-To: <494FB162.5040501@redhat.com>
References: <494F7866.1070609@spbcas.ru> <494FB162.5040501@redhat.com>
Message-ID: <494FC8F4.1040708@spbcas.ru>

Dmitri Pal wrote:
> Konstantin Kozlov wrote:
>> Hello,
>>
>> Did anybody try to integrate samba4 and freeipa?
>>
>> Does samba4 work with directory server and kerberos from freeipa
>> installation? Or ipa-winsync is a better solution?
>>
>> Is there any code maybe in alpha stage for such integration?
>>
>> Best regards,
>>
> This is something we plan to do down the road but in distant future.
> We are investigating possible architectures. One of them is having IPA
> and Samba share the same DS and Kerberos.
> There are several obstacles on this path. Samba 4 and IPA tree
> structures are very different.
> Samba follows the AD tree structure. So there should be some kind of
> remapping. We are thinking that Penrose can be the answer but we did not
> have time to try it yet.
> The second part is Kerberos. Samba 4 uses Heimdal implementation while
> we use MIT.
> Heimdal is a bit more advanced in features at the moment and Samba 4
> takes advantage of it but MIT is building the same set of features so
> they should become feature aligned soon.
> Once we start talking about alternatives that do not share the same
> data store some sort of sync would be required.
> ipa-winsync is the answer for now. But there might be others.
>
> So to summarize the AD/Samba/IPA integration is a complex issue.
> ipa-winsync is what we have so far but we are working in this direction.
> Solution is not anticipated in IPA v2, at best v3, so some time late
> 2010 early 2011, may be even later.
>

Thank you very much for the information!

So for now the best way will be to set up a separate samba4 with another realm and sync the realms with ipa-winsync. Is the latter known to work in this combination?

Best regards,

Konstantin

> Thanks
> Dmitri

From dpal at redhat.com Mon Dec 22 17:28:15 2008
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 22 Dec 2008 12:28:15 -0500
Subject: [Freeipa-users] samba4 and freeipa
In-Reply-To: <494FC8F4.1040708@spbcas.ru>
References: <494F7866.1070609@spbcas.ru> <494FB162.5040501@redhat.com> <494FC8F4.1040708@spbcas.ru>
Message-ID: <494FCE2F.8080803@redhat.com>

Kozlov wrote:
> Dmitri Pal wrote:
>> Konstantin Kozlov wrote:
>>> Hello,
>>>
>>> Did anybody try to integrate samba4 and freeipa?
>>>
>>> Does samba4 work with directory server and kerberos from freeipa
>>> installation? Or ipa-winsync is a better solution?
>>>
>>> Is there any code maybe in alpha stage for such integration?
>>>
>>> Best regards,
>>>
>> This is something we plan to do down the road but in distant future.
>> We are investigating possible architectures. One of them is having
>> IPA and Samba share the same DS and Kerberos.
>> There are several obstacles on this path. Samba 4 and IPA tree
>> structures are very different.
>> Samba follows the AD tree structure. So there should be some kind of
>> remapping. We are thinking that Penrose can be the answer but we did
>> not have time to try it yet.
>> The second part is Kerberos. Samba 4 uses Heimdal implementation
>> while we use MIT.
>> Heimdal is a bit more advanced in features at the moment and Samba 4
>> takes advantage of it but MIT is building the same set of features so
>> they should become feature aligned soon.
>> Once we start talking about alternatives that do not share the same
>> data store some sort of sync would be required.
>> ipa-winsync is the answer for now. But there might be others.
>>
>> So to summarize the AD/Samba/IPA integration is a complex issue.
>> ipa-winsync is what we have so far but we are working in this direction.
>> Solution is not anticipated in IPA v2, at best v3, so some time late
>> 2010 early 2011, may be even later.
>>
>
> Thank you very much for information!
>
> So for now the best way will be to setup a separate samba4 with
> another realm and sync realm with ipa-winsync. Is the latter known to
> work in this combination?

I am not sure anyone tried it so far.

>
> Best regards,
>
> Konstantin
>
>> Thanks
>> Dmitri

From vijivijayakumar at gmail.com Sat Dec 27 12:48:52 2008
From: vijivijayakumar at gmail.com (Viji V Nair)
Date: Sat, 27 Dec 2008 18:18:52 +0530
Subject: [Freeipa-users] Windows Client Problem
Message-ID: <84c89ac10812270448j24d6ff44m5c31d5a0e938256b@mail.gmail.com>

Hi,

I am a new user of free-ipa, I have installed the free-ipa packages shipped with fedora 10. I have more than 100 windows clients to authenticate. Here is my problem,

All the clients are XP SP2, I have installed MIT Kerberos for Windows 3.2.2. Always the native windows login prompt appears first, and when I log in to windows the kerberos client is asking for authentication.

I want to replace this windows authentication with kerberos.

Any help on the same will be greatly appreciated.

Thanks
Viji

-------------- next part --------------
An HTML attachment was scrubbed...
URL: 

From kozlov at spbcas.ru Mon Dec 29 13:05:34 2008
From: kozlov at spbcas.ru (Konstantin Kozlov)
Date: Mon, 29 Dec 2008 16:05:34 +0300
Subject: [Freeipa-users] Windows Client Problem
In-Reply-To: <84c89ac10812270448j24d6ff44m5c31d5a0e938256b@mail.gmail.com>
References: <84c89ac10812270448j24d6ff44m5c31d5a0e938256b@mail.gmail.com>
Message-ID: <4958CB1E.1050005@spbcas.ru>

Hi,

You can search the list for a similar thread, and here are the steps I've followed with success:

Add a host principal for the winxp machine with the encoding des-cbc-crc and a password (-P option for ipa-getkeytab). Do not store this keytab in /etc/krb5.keytab but rather in some other file.

Install MS Support Tools on WinXP, and run

ksetup /setdomain ...
ksetup /addkdc ...
ksetup /setcomputerpassword ...
ksetup /mapuser *

The WinXP machine asks to log in to the Kerberos realm at the login screen.

I failed to map one ipa-user to one win-user. But maybe because I didn't have enough time. If you succeed - leave a note here please.

Best regards,

Kostya

Viji V Nair wrote:
> Hi,
>
> I am a new user of free-ipa, I have installed the free-ipa packages
> shipped with fedora 10. I have more that 100 windows clients to
> authenticate. Here is my problem,
>
> All the clients are XP SP2, I have installed MIT Kerberos for Windows
> 3.2.2. Always the native windows login prompt appears first, when i
> login to windows the kerberos client is asking for authentication.
>
> I want to replace this windows authentication with kerberos
>
> Any help on the same will be greatly appreciated.
>
> Thanks
> Viji
>

-- 
Konstantin Kozlov
Department of Computational Biology,
Center for Advanced Studies,
SPb State Polytechnical University,
195251, Polytechnicheskaya ul., 29,
bld 4, office 204,
St.Petersburg, Russia.

Tel./fax: +7 812 596 2831

From vijivijayakumar at gmail.com Tue Dec 30 17:15:47 2008
From: vijivijayakumar at gmail.com (Viji V Nair)
Date: Tue, 30 Dec 2008 22:45:47 +0530
Subject: [Freeipa-users] Windows Client Problem
In-Reply-To: <4958CB1E.1050005@spbcas.ru>
References: <84c89ac10812270448j24d6ff44m5c31d5a0e938256b@mail.gmail.com> <4958CB1E.1050005@spbcas.ru>
Message-ID: <84c89ac10812300915l5950aa26xf09a8949a0b1c272@mail.gmail.com>

Hi,

Thank you for the information. I have tried all these steps, but no success.

1. On the IPA Server I have created a host principal using the following command.

# kadmin -q "ank host/bmdata01.testing.com"

2. On the windows xp client

C:> ksetup /setrealm TESTING.COM
C:> ksetup /addkdc TESTING.COM viji.bigmaps.com
C:> ksetup /setmachpassword
C:> ksetup /mapuser admin@TESTING.COM guest
C:> ksetup /mapuser * *

After the above setup windows is showing TESTING.COM as a Kerberos Realm on the login screen, but when I try to log in using the user name "admin" it is throwing the following error.

"The system could not log you on. Make sure your user name and domain are correct, and then type your password again. Letters in passwords must be typed using the correct case."
But the IPA (kerberos) server is issuing the tickets, the log shows:

Dec 30 22:36:03 viji.testing.com krb5kdc[5179](info): AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 172.16.33.112: NEEDED_PREAUTH: admin@TESTING.COM for krbtgt/TESTING.COM@TESTING.COM, Additional pre-authentication required
Dec 30 22:36:03 viji.testing.com krb5kdc[5179](info): AS_REQ (3 etypes {23 3 1}) 172.16.33.112: ISSUE: authtime 1230656763, etypes {rep=23 tkt=18 ses=23}, admin@TESTING.COM for krbtgt/TESTING.COM@TESTING.COM
Dec 30 22:36:03 viji.testing.com krb5kdc[5179](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 172.16.33.112: ISSUE: authtime 1230656763, etypes {rep=23 tkt=18 ses=23}, admin@TESTING.COM for host/bmdata01.testing.com@TESTING.COM

I found an article on the Microsoft website saying this is a bug and to apply the latest service pack (SP3); I even tried that, but no success.

http://support.microsoft.com/kb/825081

Similar Thread:
http://mailman.mit.edu/pipermail/kerberos/2006-May/009890.html

Thanks & Regards

Viji

On Mon, Dec 29, 2008 at 6:35 PM, Konstantin Kozlov wrote:
> Hi,
>
> You can search the list for a similar thread and here are the steps I've
> followed with success:
>
> Add host principal for winxp machine with the encoding des-cbc-crc and
> passowrd (-P ioption for ipa-getkeytab). Do not store this keytab in
> /etc/krb5.keytab but rather in some other file.
>
> Install MS Support Tools on WinXP, and run
>
> ksetup /setdomain ...
> ksetup /addkdc ...
> ksetup /setcomputerpassword ...
> ksetup /mapuser *
>
> WinXP machine asks to login to Kerberos realm at login screen.
>
> I failed to map one ipa-user to one win-user. But may be because I didn't
> have enough time. If you will succeed - leave a note here please.
>
> Best regards,
>
> Kostya
>
> Viji V Nair wrote:
>
>> Hi,
>>
>> I am a new user of free-ipa, I have installed the free-ipa packages
>> shipped with fedora 10. I have more that 100 windows clients to
>> authenticate. Here is my problem,
>>
>> All the clients are XP SP2, I have installed MIT Kerberos for Windows
>> 3.2.2. Always the native windows login prompt appears first, when i login to
>> windows the kerberos client is asking for authentication.
>>
>> I want to replace this windows authentication with kerberos
>>
>> Any help on the same will be greatly appreciated.
>>
>> Thanks
>> Viji
>>
>
> --
> Konstantin Kozlov
> Department of Computational Biology,
> Center for Advanced Studies,
> SPb State Polytechnical University,
> 195251, Polytechnicheskaya ul., 29,
> bld 4, office 204,
> St.Petersburg, Russia.
>
> Tel./fax: +7 812 596 2831
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: 

From mackoel at gmail.com Tue Dec 30 18:16:13 2008
From: mackoel at gmail.com (Kozlov)
Date: Tue, 30 Dec 2008 21:16:13 +0300
Subject: [Freeipa-users] Windows Client Problem
In-Reply-To: <84c89ac10812300915l5950aa26xf09a8949a0b1c272@mail.gmail.com>
References: <84c89ac10812270448j24d6ff44m5c31d5a0e938256b@mail.gmail.com> <4958CB1E.1050005@spbcas.ru> <84c89ac10812300915l5950aa26xf09a8949a0b1c272@mail.gmail.com>
Message-ID: <495A656D.7000400@spbcas.ru>

Hi,

The minor comment is that kadmin is supposed to be substituted with ipa-addservice.

The major comment is that you've missed ipa-getkeytab on the ipaserver, which actually SETS the password that you then install on winxp.

And try to map all users to one: for example, "* Administrator".
Best regards, Kostya Viji V Nair ?????: > Hi, > > Thank you for the information, I have tried all these steps, but no success > > 1. On the IPA Server I have created a host principal using the following > command. > > # kadmin -q "ank host/bmdata01.testing.com " > > 2. On the windows xp client > > C:> ksetup /setrealm TESTING.COM > C:> ksetup /addkdc TESTING.COM viji.bigmaps.com > > C:> ksetup /setmachpassword > C:> ksetup /mapuser admin at TESTING.COM guest > C:> ksetup /mapuser * * > > After the above setup windows is showing TESTING.COM > as a Kerberos Realm on the login screen, but when I > try to login using the user name "admin" it is throwing the following error. > > "The system could not log you on. Make sure your user name and domain > are correct, and then type your password again. Letters in passwords > must be typed using the correct case." > > But the IPA (kerberos) server is issuing the tickets, the log shows: > > Dec 30 22:36:03 viji.testing.com > krb5kdc[5179](info): AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) > 172.16.33.112 : NEEDED_PREAUTH: admin at TESTING.COM > for krbtgt/TESTING.COM > @TESTING.COM , Additional > pre-authentication required > Dec 30 22:36:03 viji.testing.com > krb5kdc[5179](info): AS_REQ (3 etypes {23 3 1}) 172.16.33.112 > : ISSUE: authtime 1230656763, etypes {rep=23 > tkt=18 ses=23}, admin at TESTING.COM for > krbtgt/TESTING.COM @TESTING.COM > Dec 30 22:36:03 viji.testing.com > krb5kdc[5179](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) > 172.16.33.112 : ISSUE: authtime 1230656763, etypes > {rep=23 tkt=18 ses=23}, admin at TESTING.COM for > host/bmdata01.testing.com @TESTING.COM > > > I have found some article on Microsoft website, saying this is a bug and > apply the latest service pack (SP3), I even tried that, but no success. 
> > http://support.microsoft.com/kb/825081 > > Similar Thread: > http://mailman.mit.edu/pipermail/kerberos/2006-May/009890.html > > Thanks & Regards > > Viji > > > On Mon, Dec 29, 2008 at 6:35 PM, Konstantin Kozlov > wrote: > > Hi, > > You can search the list for a similar thread and here are the steps > I've followed with success: > > Add host principal for winxp machine with the encoding des-cbc-crc > and passowrd (-P ioption for ipa-getkeytab). Do not store this > keytab in /etc/krb5.keytab but rather in some other file. > > Install MS Support Tools on WinXP, and run > > ksetup /setdomain ... > ksetup /addkdc ... > ksetup /setcomputerpassword ... > ksetup /mapuser * > > WinXP machine asks to login to Kerberos realm at login screen. > > I failed to map one ipa-user to one win-user. But may be because I > didn't have enough time. If you will succeed - leave a note here please. > > Best regards, > > Kostya > > Viji V Nair wrote: > > Hi, > > I am a new user of free-ipa, I have installed the free-ipa > packages shipped with fedora 10. I have more that 100 windows > clients to authenticate. Here is my problem, > > All the clients are XP SP2, I have installed MIT Kerberos for > Windows 3.2.2. Always the native windows login prompt appears > first, when i login to windows the kerberos client is asking for > authentication. > > I want to replace this windows authentication with kerberos > > Any help on the same will be greatly appreciated. > > Thanks > Viji > > > ------------------------------------------------------------------------ > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > > > > -- > Konstantin Kozlov > Department of Computational Biology, > Center for Advanced Studies, > SPb State Polytechnical University, > 195251, Polytechnicheskaya ul., 29, > bld 4, office 204, > St.Petersburg, Russia. 
>>
>> Tel./fax: +7 812 596 2831
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>

From vijivijayakumar at gmail.com  Wed Dec 31 08:46:03 2008
From: vijivijayakumar at gmail.com (Viji V Nair)
Date: Wed, 31 Dec 2008 14:16:03 +0530
Subject: [Freeipa-users] Windows Client Problem
In-Reply-To: <495A656D.7000400@spbcas.ru>
References: <84c89ac10812270448j24d6ff44m5c31d5a0e938256b@mail.gmail.com>
	<4958CB1E.1050005@spbcas.ru>
	<84c89ac10812300915l5950aa26xf09a8949a0b1c272@mail.gmail.com>
	<495A656D.7000400@spbcas.ru>
Message-ID: <84c89ac10812310046ie1fee75r8b636494c440ecc5@mail.gmail.com>

Hi,

I have done the modifications as suggested, but no luck, getting the
same error.

# kinit admin
# ipa-addservice host/bmdata01.testing.com
# ipa-getkeytab -s viji.testing.com -p host/bmdata01.testing.com -k /etc/krb5.keytab

Could you please elaborate the steps which you have done to get it
working on both the client and server side?

Thanks
Viji

On Tue, Dec 30, 2008 at 11:46 PM, Kozlov wrote:
> Hi,
>
> The minor comment is that kadmin is supposed to be substituted with
> ipa-addservice.
>
> The major comment is that you've missed ipa-getkeytab on ipaserver that
> actually SETS the password that you then install on winxp.
>
> And try to map all users to one: for example,
> "* Administrator".
>
> Best regards,
>
> Kostya
>
> Viji V Nair wrote:
>> Hi,
>>
>> Thank you for the information, I have tried all these steps, but no
>> success.
>>
>> 1. On the IPA server I have created a host principal using the
>> following command.
>>
>> # kadmin -q "ank host/bmdata01.testing.com"
>>
>> 2. On the Windows XP client
>>
>> C:> ksetup /setrealm TESTING.COM
>> C:> ksetup /addkdc TESTING.COM viji.bigmaps.com
>> C:> ksetup /setmachpassword
>> C:> ksetup /mapuser admin@TESTING.COM guest
>> C:> ksetup /mapuser * *
>>
>> After the above setup Windows is showing TESTING.COM as a Kerberos
>> realm on the login screen, but when I try to log in using the user
>> name "admin" it is throwing the following error:
>>
>> "The system could not log you on. Make sure your user name and domain
>> are correct, and then type your password again. Letters in passwords
>> must be typed using the correct case."
>>
>> But the IPA (Kerberos) server is issuing the tickets, the log shows:
>>
>> Dec 30 22:36:03 viji.testing.com krb5kdc[5179](info): AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 172.16.33.112: NEEDED_PREAUTH: admin@TESTING.COM for krbtgt/TESTING.COM@TESTING.COM, Additional pre-authentication required
>> Dec 30 22:36:03 viji.testing.com krb5kdc[5179](info): AS_REQ (3 etypes {23 3 1}) 172.16.33.112: ISSUE: authtime 1230656763, etypes {rep=23 tkt=18 ses=23}, admin@TESTING.COM for krbtgt/TESTING.COM@TESTING.COM
>> Dec 30 22:36:03 viji.testing.com krb5kdc[5179](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 172.16.33.112: ISSUE: authtime 1230656763, etypes {rep=23 tkt=18 ses=23}, admin@TESTING.COM for host/bmdata01.testing.com@TESTING.COM
>>
>> I have found some article on the Microsoft website saying this is a
>> bug and to apply the latest service pack (SP3); I even tried that,
>> but no success.
>>
>> http://support.microsoft.com/kb/825081
>>
>> Similar Thread:
>> http://mailman.mit.edu/pipermail/kerberos/2006-May/009890.html
>>
>> Thanks & Regards
>>
>> Viji
>>
>>
>> On Mon, Dec 29, 2008 at 6:35 PM, Konstantin Kozlov <kozlov at spbcas.ru> wrote:
>>> Hi,
>>>
>>> You can search the list for a similar thread and here are the steps
>>> I've followed with success:
>>>
>>> Add host principal for winxp machine with the encoding des-cbc-crc
>>> and password (-P option for ipa-getkeytab). Do not store this
>>> keytab in /etc/krb5.keytab but rather in some other file.
>>>
>>> Install MS Support Tools on WinXP, and run
>>>
>>> ksetup /setdomain ...
>>> ksetup /addkdc ...
>>> ksetup /setcomputerpassword ...
>>> ksetup /mapuser *
>>>
>>> WinXP machine asks to log in to Kerberos realm at login screen.
>>>
>>> I failed to map one ipa-user to one win-user. But maybe because I
>>> didn't have enough time. If you succeed, leave a note here please.
>>>
>>> Best regards,
>>>
>>> Kostya
>>>
>>> Viji V Nair wrote:
>>>> Hi,
>>>>
>>>> I am a new user of free-ipa, I have installed the free-ipa
>>>> packages shipped with Fedora 10. I have more than 100 Windows
>>>> clients to authenticate. Here is my problem:
>>>>
>>>> All the clients are XP SP2, I have installed MIT Kerberos for
>>>> Windows 3.2.2. Always the native Windows login prompt appears
>>>> first, when I log in to Windows the Kerberos client is asking for
>>>> authentication.
>>>>
>>>> I want to replace this Windows authentication with Kerberos.
>>>>
>>>> Any help on the same will be greatly appreciated.
>>>>
>>>> Thanks
>>>> Viji
>>>>
>>>>
>>>> ------------------------------------------------------------------------
>>>>
>>>> _______________________________________________
>>>> Freeipa-users mailing list
>>>> Freeipa-users at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>
>>>
>>> --
>>> Konstantin Kozlov
>>> Department of Computational Biology,
>>> Center for Advanced Studies,
>>> SPb State Polytechnical University,
>>> 195251, Polytechnicheskaya ul., 29,
>>> bld 4, office 204,
>>> St.Petersburg, Russia.
>>>
>>> Tel./fax: +7 812 596 2831
>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>>
>

From mackoel at gmail.com  Wed Dec 31 15:34:15 2008
From: mackoel at gmail.com (Kozlov)
Date: Wed, 31 Dec 2008 18:34:15 +0300
Subject: [Freeipa-users] Windows Client Problem
In-Reply-To: <84c89ac10812310046ie1fee75r8b636494c440ecc5@mail.gmail.com>
References: <84c89ac10812270448j24d6ff44m5c31d5a0e938256b@mail.gmail.com>
	<4958CB1E.1050005@spbcas.ru>
	<84c89ac10812300915l5950aa26xf09a8949a0b1c272@mail.gmail.com>
	<495A656D.7000400@spbcas.ru>
	<84c89ac10812310046ie1fee75r8b636494c440ecc5@mail.gmail.com>
Message-ID: <495B90F7.2060806@gmail.com>

Hi,

As I mentioned in the first reply to your post the right command is:

ipa-getkeytab -s viji.testing.com -p host/bmdata01.testing.com -e des-cbc-crc -k krb5.keytab.txt -P

in which you set the password that then goes to the winxp host.

Best regards and Happy New Year!

Kostya

Viji V Nair wrote:
> Hi,
>
> I have done the modifications as suggested, but no luck, getting the
> same error.
>
> # kinit admin
> # ipa-addservice host/bmdata01.testing.com
> # ipa-getkeytab -s viji.testing.com -p host/bmdata01.testing.com -k /etc/krb5.keytab
>
> Could you please elaborate the steps which you have done to get it
> working on both the client and server side?
>
> Thanks
> Viji
>
> On Tue, Dec 30, 2008 at 11:46 PM, Kozlov wrote:
>> Hi,
>>
>> The minor comment is that kadmin is supposed to be substituted
>> with ipa-addservice.
>>
>> The major comment is that you've missed ipa-getkeytab on ipaserver
>> that actually SETS the password that you then install on winxp.
>>
>> And try to map all users to one: for example,
>> "* Administrator".
>>
>> Best regards,
>>
>> Kostya
>>
>> Viji V Nair wrote:
>>> Hi,
>>>
>>> Thank you for the information, I have tried all these steps,
>>> but no success.
>>>
>>> 1. On the IPA server I have created a host principal using the
>>> following command.
>>>
>>> # kadmin -q "ank host/bmdata01.testing.com"
>>>
>>> 2. On the Windows XP client
>>>
>>> C:> ksetup /setrealm TESTING.COM
>>> C:> ksetup /addkdc TESTING.COM viji.bigmaps.com
>>> C:> ksetup /setmachpassword
>>> C:> ksetup /mapuser admin@TESTING.COM guest
>>> C:> ksetup /mapuser * *
>>>
>>> After the above setup Windows is showing TESTING.COM as a Kerberos
>>> realm on the login screen, but when I try to log in using the user
>>> name "admin" it is throwing the following error:
>>>
>>> "The system could not log you on. Make sure your user name and
>>> domain are correct, and then type your password again. Letters
>>> in passwords must be typed using the correct case."
>>>
>>> But the IPA (Kerberos) server is issuing the tickets, the log
>>> shows:
>>>
>>> Dec 30 22:36:03 viji.testing.com krb5kdc[5179](info): AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 172.16.33.112: NEEDED_PREAUTH: admin@TESTING.COM for krbtgt/TESTING.COM@TESTING.COM, Additional pre-authentication required
>>> Dec 30 22:36:03 viji.testing.com krb5kdc[5179](info): AS_REQ (3 etypes {23 3 1}) 172.16.33.112: ISSUE: authtime 1230656763, etypes {rep=23 tkt=18 ses=23}, admin@TESTING.COM for krbtgt/TESTING.COM@TESTING.COM
>>> Dec 30 22:36:03 viji.testing.com krb5kdc[5179](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 172.16.33.112: ISSUE: authtime 1230656763, etypes {rep=23 tkt=18 ses=23}, admin@TESTING.COM for host/bmdata01.testing.com@TESTING.COM
>>>
>>> I have found some article on the Microsoft website saying this is
>>> a bug and to apply the latest service pack (SP3); I even tried
>>> that, but no success.
>>>
>>> http://support.microsoft.com/kb/825081
>>>
>>> Similar Thread:
>>> http://mailman.mit.edu/pipermail/kerberos/2006-May/009890.html
>>>
>>> Thanks & Regards
>>>
>>> Viji
>>>
>>>
>>> On Mon, Dec 29, 2008 at 6:35 PM, Konstantin Kozlov <kozlov at spbcas.ru> wrote:
>>>> Hi,
>>>>
>>>> You can search the list for a similar thread and here are
>>>> the steps I've followed with success:
>>>>
>>>> Add host principal for winxp machine with the encoding
>>>> des-cbc-crc and password (-P option for ipa-getkeytab). Do not
>>>> store this keytab in /etc/krb5.keytab but rather in some other file.
>>>>
>>>> Install MS Support Tools on WinXP, and run
>>>>
>>>> ksetup /setdomain ...
>>>> ksetup /addkdc ...
>>>> ksetup /setcomputerpassword ...
>>>> ksetup /mapuser *
>>>>
>>>> WinXP machine asks to log in to Kerberos realm at login screen.
>>>>
>>>> I failed to map one ipa-user to one win-user. But maybe
>>>> because I didn't have enough time. If you succeed, leave a note
>>>> here please.
>>>>
>>>> Best regards,
>>>>
>>>> Kostya
>>>>
>>>> Viji V Nair wrote:
>>>>> Hi,
>>>>>
>>>>> I am a new user of free-ipa, I have installed the free-ipa
>>>>> packages shipped with Fedora 10. I have more than 100
>>>>> Windows clients to authenticate. Here is my problem:
>>>>>
>>>>> All the clients are XP SP2, I have installed MIT
>>>>> Kerberos for Windows 3.2.2. Always the native Windows login
>>>>> prompt appears first, when I log in to Windows the Kerberos
>>>>> client is asking for authentication.
>>>>>
>>>>> I want to replace this Windows authentication with Kerberos.
>>>>>
>>>>> Any help on the same will be greatly appreciated.
>>>>>
>>>>> Thanks
>>>>> Viji
>>>>>
>>>>>
>>>>> ------------------------------------------------------------------------
>>>>>
>>>>> _______________________________________________
>>>>> Freeipa-users mailing list
>>>>> Freeipa-users at redhat.com
>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>
>>>>
>>>> --
>>>> Konstantin Kozlov
>>>> Department of Computational Biology,
>>>> Center for Advanced Studies,
>>>> SPb State Polytechnical University,
>>>> 195251, Polytechnicheskaya ul., 29,
>>>> bld 4, office 204,
>>>> St.Petersburg, Russia.
>>>>
>>>> Tel./fax: +7 812 596 2831
>>>>
>>>> _______________________________________________
>>>> Freeipa-users mailing list
>>>> Freeipa-users at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>
>>>
>>

From mackoel at gmail.com  Wed Dec 31 15:52:16 2008
From: mackoel at gmail.com (Kozlov)
Date: Wed, 31 Dec 2008 18:52:16 +0300
Subject: [Freeipa-users] Windows Client Problem
In-Reply-To: <84c89ac10812310046ie1fee75r8b636494c440ecc5@mail.gmail.com>
References: <84c89ac10812270448j24d6ff44m5c31d5a0e938256b@mail.gmail.com>
	<4958CB1E.1050005@spbcas.ru>
	<84c89ac10812300915l5950aa26xf09a8949a0b1c272@mail.gmail.com>
	<495A656D.7000400@spbcas.ru>
	<84c89ac10812310046ie1fee75r8b636494c440ecc5@mail.gmail.com>
Message-ID: <495B9530.2010703@spbcas.ru>

Hi,

I saw your posts on samba list :)

Is your goal to make an Active Directory substitution? Samba3 + FreeIPA
won't work that way.
Look for explanations on freeipa-users list. You either need Samba4 or
no Kerberos on Windows.

However, samba3 can be used with FreeIPA as a file sharing solution and
will use Single Sign On when you manage to set up winxp for IPA.

Best regards and Happy New Year!

Kostya

Viji V Nair wrote:
> Hi,
>
> I have set up samba as a PDC with Kerberos and LDAP. While adding the
> Windows clients I get the following error message in the logs, and
> Windows says the user name and password is incorrect:
>
> [2008/12/31 19:00:09, 0] lib/util_sock.c:write_data(1059)
> [2008/12/31 19:00:09, 0] lib/util_sock.c:get_peer_addr_internal(1607)
>   getpeername failed. Error was Transport endpoint is not connected
>   write_data: write failure in writing to client 0.0.0.0. Error Connection reset by peer
> [2008/12/31 19:00:09, 0] smbd/process.c:srv_send_smb(74)
>   Error writing 4 bytes to client. -1. (Transport endpoint is not connected)
>
> Any help on the same will be greatly appreciated.
>
> # rpm -qa |grep samba
> samba-client-3.2.5-0.23.fc10.x86_64
> samba-common-3.2.5-0.23.fc10.x86_64
> samba-3.2.5-0.23.fc10.x86_64
> samba-winbind-3.2.5-0.23.fc10.x86_64
>
> # uname -a
> Linux viji.testing.com 2.6.27.7-134.fc10.x86_64 #1 SMP Mon Dec 1 22:21:35 EST 2008 x86_64 x86_64 x86_64 GNU/Linux
>
> # cat /etc/samba/smb.conf
> [global]
>         workgroup = TESTING.COM
>         server string = Samba Server Version %v
>         security = user
>         passdb backend = smbpasswd
>         socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>         os level = 33
>         domain logons = yes
>         domain master = yes
>         local master = yes
>         preferred master = yes
>         wins support = yes
>         template shell = /bin/false
>         realm = TESTING.COM
>         use kerberos keytab = yes
>         load printers = yes
>         cups options = raw
> #       log level = 3 passdb:5 auth:10
> [homes]
>         comment = Home Directories
>         browseable = no
>         writable = yes
> [printers]
>         comment = All Printers
>         path = /var/spool/samba
>         browseable = no
>         guest ok = no
>         writable = no
>         printable = yes
> [share]
>         comment = Share
>         path = /share
>         browseable = yes
>         guest ok = no
>         writable = yes
>         valid users = admin
>
> Thanks
> Viji

Viji V Nair wrote:
> Hi,
>
> I have done the modifications as suggested, but no luck, getting the
> same error.
>
> # kinit admin
> # ipa-addservice host/bmdata01.testing.com
> # ipa-getkeytab -s viji.testing.com -p host/bmdata01.testing.com -k /etc/krb5.keytab
>
> Could you please elaborate the steps which you have done to get it
> working on both the client and server side?
>
> Thanks
> Viji
>
> On Tue, Dec 30, 2008 at 11:46 PM, Kozlov wrote:
>> Hi,
>>
>> The minor comment is that kadmin is supposed to be substituted with
>> ipa-addservice.
>>
>> The major comment is that you've missed ipa-getkeytab on ipaserver
>> that actually SETS the password that you then install on winxp.
>>
>> And try to map all users to one: for example,
>> "* Administrator".
>>
>> Best regards,
>>
>> Kostya
>>
>> Viji V Nair wrote:
>>> Hi,
>>>
>>> Thank you for the information, I have tried all these steps, but
>>> no success.
>>>
>>> 1. On the IPA server I have created a host principal using the
>>> following command.
>>>
>>> # kadmin -q "ank host/bmdata01.testing.com"
>>>
>>> 2. On the Windows XP client
>>>
>>> C:> ksetup /setrealm TESTING.COM
>>> C:> ksetup /addkdc TESTING.COM viji.bigmaps.com
>>> C:> ksetup /setmachpassword
>>> C:> ksetup /mapuser admin@TESTING.COM guest
>>> C:> ksetup /mapuser * *
>>>
>>> After the above setup Windows is showing TESTING.COM as a Kerberos
>>> realm on the login screen, but when I try to log in using the user
>>> name "admin" it is throwing the following error:
>>>
>>> "The system could not log you on. Make sure your user name and
>>> domain are correct, and then type your password again. Letters
>>> in passwords must be typed using the correct case."
>>>
>>> But the IPA (Kerberos) server is issuing the tickets, the log shows:
>>>
>>> Dec 30 22:36:03 viji.testing.com krb5kdc[5179](info): AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 172.16.33.112: NEEDED_PREAUTH: admin@TESTING.COM for krbtgt/TESTING.COM@TESTING.COM, Additional pre-authentication required
>>> Dec 30 22:36:03 viji.testing.com krb5kdc[5179](info): AS_REQ (3 etypes {23 3 1}) 172.16.33.112: ISSUE: authtime 1230656763, etypes {rep=23 tkt=18 ses=23}, admin@TESTING.COM for krbtgt/TESTING.COM@TESTING.COM
>>> Dec 30 22:36:03 viji.testing.com krb5kdc[5179](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 172.16.33.112: ISSUE: authtime 1230656763, etypes {rep=23 tkt=18 ses=23}, admin@TESTING.COM for host/bmdata01.testing.com@TESTING.COM
>>>
>>> I have found some article on the Microsoft website saying this is a
>>> bug and to apply the latest service pack (SP3); I even tried that,
>>> but no success.
>>>
>>> http://support.microsoft.com/kb/825081
>>>
>>> Similar Thread:
>>> http://mailman.mit.edu/pipermail/kerberos/2006-May/009890.html
>>>
>>> Thanks & Regards
>>>
>>> Viji
>>>
>>>
>>> On Mon, Dec 29, 2008 at 6:35 PM, Konstantin Kozlov <kozlov at spbcas.ru> wrote:
>>>> Hi,
>>>>
>>>> You can search the list for a similar thread and here are the
>>>> steps I've followed with success:
>>>>
>>>> Add host principal for winxp machine with the encoding
>>>> des-cbc-crc and password (-P option for ipa-getkeytab). Do not
>>>> store this keytab in /etc/krb5.keytab but rather in some other file.
>>>>
>>>> Install MS Support Tools on WinXP, and run
>>>>
>>>> ksetup /setdomain ...
>>>> ksetup /addkdc ...
>>>> ksetup /setcomputerpassword ...
>>>> ksetup /mapuser *
>>>>
>>>> WinXP machine asks to log in to Kerberos realm at login screen.
>>>>
>>>> I failed to map one ipa-user to one win-user. But maybe
>>>> because I didn't have enough time. If you succeed, leave a note
>>>> here please.
>>>>
>>>> Best regards,
>>>>
>>>> Kostya
>>>>
>>>> Viji V Nair wrote:
>>>>> Hi,
>>>>>
>>>>> I am a new user of free-ipa, I have installed the free-ipa
>>>>> packages shipped with Fedora 10. I have more than 100 Windows
>>>>> clients to authenticate. Here is my problem:
>>>>>
>>>>> All the clients are XP SP2, I have installed MIT Kerberos for
>>>>> Windows 3.2.2. Always the native Windows login prompt appears
>>>>> first, when I log in to Windows the Kerberos client is
>>>>> asking for authentication.
>>>>>
>>>>> I want to replace this Windows authentication with Kerberos.
>>>>>
>>>>> Any help on the same will be greatly appreciated.
>>>>>
>>>>> Thanks
>>>>> Viji
>>>>>
>>>>>
>>>>> ------------------------------------------------------------------------
>>>>>
>>>>> _______________________________________________
>>>>> Freeipa-users mailing list
>>>>> Freeipa-users at redhat.com
>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>
>>>>
>>>> --
>>>> Konstantin Kozlov
>>>> Department of Computational Biology,
>>>> Center for Advanced Studies,
>>>> SPb State Polytechnical University,
>>>> 195251, Polytechnicheskaya ul., 29,
>>>> bld 4, office 204,
>>>> St.Petersburg, Russia.
>>>>
>>>> Tel./fax: +7 812 596 2831
>>>>
>>>> _______________________________________________
>>>> Freeipa-users mailing list
>>>> Freeipa-users at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>
>>>
>>
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
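The krb5kdc lines quoted throughout this thread say more than "tickets are being issued": the etype numbers in each AS_REQ/TGS_REQ record which key protects which part of the exchange. The following Python is an added example for this archive page, not code from the thread, from FreeIPA or from MIT krb5. It parses KDC log lines in exactly the format shown above, names the etypes (23 is rc4-hmac, 1 and 3 are single-DES, 18 is aes256-cts-hmac-sha1-96, the negative numbers are Microsoft-private values the XP client advertises) and reports three things a practitioner would want from such a log: replies, tickets or session keys protected with single-DES or RC4 (both deprecated, RFC 6649 and RFC 8429), clients that offer nothing stronger than DES/RC4, and service tickets whose etype the requesting client never offered. On the three lines from the thread that last check fires for host/bmdata01.testing.com: the KDC issued the service ticket under etype 18 while the XP client only offered RC4 and DES, and since a workstation joined with ksetup holds the host key as its machine password, a ticket under an etype it does not support is consistent both with the logon failure reported and with the advice to generate the host key with -e des-cbc-crc. The sample input is constructed from the three log lines quoted in the thread, with the archive's "at" munging undone; the hostnames, addresses and principals are the ones the thread quotes, and the etype table and RFC references come from the Kerberos registry rather than from this page.

```python
"""Triage MIT krb5kdc log lines for weak Kerberos encryption types.

Added example for this thread; not FreeIPA or MIT krb5 code. Parses the
AS_REQ/TGS_REQ lines in the format the KDC quoted in the thread writes.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Etype numbers from RFC 3961/3962/4757. Negative numbers are
# Microsoft-private values that Windows clients advertise.
ETYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
    16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac", 24: "rc4-hmac-exp",
}
# Single-DES (RFC 6649) and RC4 (RFC 8429) are deprecated.
WEAK_ETYPES = {1, 2, 3, 23, 24}

_LINE_RE = re.compile(
    r"krb5kdc\[\d+\]\(info\): (?P<kind>AS_REQ|TGS_REQ) "
    r"\(\d+ etypes \{(?P<req>[^}]*)\}\) (?P<client>\S+): "
    r"(?P<status>[A-Z_]+): (?P<rest>.*)$"
)
# ISSUE lines carry the negotiated etypes: rep (client key), tkt (service key), ses.
_ISSUE_RE = re.compile(
    r"authtime \d+, etypes \{rep=(?P<rep>-?\d+) tkt=(?P<tkt>-?\d+) "
    r"ses=(?P<ses>-?\d+)\}, (?P<cname>\S+) for (?P<sname>\S+)"
)
_OTHER_RE = re.compile(r"(?P<cname>\S+) for (?P<sname>[^,\s]+)")


@dataclass
class KdcEvent:
    kind: str             # AS_REQ or TGS_REQ
    client_addr: str
    status: str           # ISSUE, NEEDED_PREAUTH, ...
    requested: List[int]  # etypes the client offered, in its order of preference
    cname: Optional[str] = None
    sname: Optional[str] = None
    rep: Optional[int] = None
    tkt: Optional[int] = None
    ses: Optional[int] = None


def etype_name(e: int) -> str:
    if e < 0:
        return f"private({e})"
    return ETYPE_NAMES.get(e, f"unknown({e})")


def parse_kdc_line(line: str) -> Optional[KdcEvent]:
    """Return a KdcEvent for an AS_REQ/TGS_REQ line, None for anything else."""
    m = _LINE_RE.search(line)
    if not m:
        return None
    ev = KdcEvent(kind=m["kind"], client_addr=m["client"], status=m["status"],
                  requested=[int(x) for x in m["req"].split()])
    sub = (_ISSUE_RE if ev.status == "ISSUE" else _OTHER_RE).match(m["rest"])
    if sub:
        ev.cname, ev.sname = sub["cname"], sub["sname"]
        if ev.status == "ISSUE":
            ev.rep, ev.tkt, ev.ses = int(sub["rep"]), int(sub["tkt"]), int(sub["ses"])
    return ev


def findings_for(ev: KdcEvent) -> List[str]:
    """Weak-crypto findings for one event, as human-readable strings."""
    out = []
    offered = [e for e in ev.requested if e > 0]  # skip private etypes
    if offered and all(e in WEAK_ETYPES for e in offered):
        names = ", ".join(etype_name(e) for e in offered)
        out.append(f"{ev.kind} from {ev.client_addr}: client offered only weak etypes ({names})")
    if ev.status != "ISSUE" or ev.sname is None:
        return out
    who = f"{ev.kind} {ev.cname} -> {ev.sname}"
    for label, e in (("reply", ev.rep), ("ticket", ev.tkt), ("session", ev.ses)):
        if e in WEAK_ETYPES:
            out.append(f"{who}: {label} key uses {etype_name(e)}")
    # A workstation logging on via ksetup is itself the host/ service. If the
    # ticket etype is one it never offered, it has no key of that type and cannot
    # decrypt its own service ticket. TGTs are skipped: only the KDC reads them.
    if not ev.sname.startswith("krbtgt/") and ev.tkt not in ev.requested:
        out.append(f"{who}: ticket etype {etype_name(ev.tkt)} "
                   "was not among the client's offered etypes")
    return out


def analyze_kdc_log(text: str) -> dict:
    events = [ev for ev in map(parse_kdc_line, text.splitlines()) if ev]
    return {"events": events,
            "findings": [f for ev in events for f in findings_for(ev)]}


# Constructed sample: the three lines quoted in the thread, with the list
# archive's "at" munging undone and the line wraps removed.
SAMPLE_LOG = """\
Dec 30 22:36:03 viji.testing.com krb5kdc[5179](info): AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 172.16.33.112: NEEDED_PREAUTH: admin@TESTING.COM for krbtgt/TESTING.COM@TESTING.COM, Additional pre-authentication required
Dec 30 22:36:03 viji.testing.com krb5kdc[5179](info): AS_REQ (3 etypes {23 3 1}) 172.16.33.112: ISSUE: authtime 1230656763, etypes {rep=23 tkt=18 ses=23}, admin@TESTING.COM for krbtgt/TESTING.COM@TESTING.COM
Dec 30 22:36:03 viji.testing.com krb5kdc[5179](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 172.16.33.112: ISSUE: authtime 1230656763, etypes {rep=23 tkt=18 ses=23}, admin@TESTING.COM for host/bmdata01.testing.com@TESTING.COM
"""

if __name__ == "__main__":
    result = analyze_kdc_log(SAMPLE_LOG)
    print(f"{len(result['events'])} KDC events parsed")
    for finding in result["findings"]:
        print(" -", finding)
```

Run against a live /var/log/krb5kdc.log the same way (feed the file contents to analyze_kdc_log). The "offered only weak etypes" finding fires on every request from the XP client, which is the point Kozlov's des-cbc-crc advice works around rather than fixes: a client restricted to RC4 and single-DES cannot be given a stronger host key, so the remedy for such a realm is to retire the client, not to keep weak keys in the KDC database.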