From zxvdr.au at gmail.com Tue Nov 4 00:19:13 2008
From: zxvdr.au at gmail.com (David Robinson)
Date: Tue, 4 Nov 2008 00:19:13 +0000
Subject: [Freeipa-users] scalability
Message-ID:

Hi all,

Fedora Directory Server supports up to 4-way multi-master replication, and afaict freeIPA only uses multi-master replication. Does freeIPA therefore only support 4 freeIPA servers per realm? Is it possible to set up freeIPA to use a combination of multi-master and single-master replication to increase scalability (where updates are forwarded back to a master)? If so, how can this be configured (I assume it's not as simple as just setting up the replication agreements)?

The use-case I'm thinking of is where one has multiple datacentres (say 5). Ideally you would have two centralized masters (for redundancy) and two freeIPA servers per datacentre (one as a backup, but I can't think of a reason they couldn't be active/active). Am I correct in thinking that 4-way multi-master replication is overkill if LDAP is only being used for authentication? Would it really matter if you couldn't change your password from each datacentre?!

Thoughts?

--Dave

From mythtv at vulturest.com Tue Nov 4 01:05:50 2008
From: mythtv at vulturest.com (Johan Venter)
Date: Tue, 04 Nov 2008 11:05:50 +1000
Subject: [Freeipa-users] New project
Message-ID: <490F9FEE.90209@vulturest.com>

Hi all,

After my last foray into IPA and authentication on Windows I have a new project that I would like some ideas on.

Basically my requirements are the normal ones:

- Centralised authentication on:
  * Unix/Linux
  * Windows
- Directory-based users where I can modify/add objectClasses to achieve the property schema required
- Group-based access control on Unix (already achievable through security.conf and sudoers)

Obviously IPA meets all of the above requirements and I'm quite comfortable setting it up.
However, I need to be able to do group-based access control on Windows (i.e. mapping IPA groups to Windows local users instead of * or individuals). I know this may not be an IPA-specific answer, but I am unsure of other communities where a number of domain experts frequent (if you could name some I will take my questions there if needed).

I would like to achieve the above without the use of Active Directory - if Samba 4 was in a usable state it would be perfect for this sort of project, however I cannot wait for it to stabilise to implement what is needed.

Given all the technologies involved: Kerberos (MIT), LDAP (doesn't matter, happy with OpenLDAP, Fedora/RedHat/etc DS), AD (if we have to), can anyone suggest a way to achieve the above with or without IPA, with or without AD?

Thank you for all the assistance I have received on this list in the past, you guys really know your stuff.

Regards,
Johan

From rcritten at redhat.com Tue Nov 4 21:28:49 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 04 Nov 2008 16:28:49 -0500
Subject: [Freeipa-users] scalability
In-Reply-To:
References:
Message-ID: <4910BE91.3080809@redhat.com>

David Robinson wrote:
> Hi all,
>
> Fedora Directory Server supports up to 4-way multi-master replication,
> and afaict freeIPA only uses multi-master replication. Does freeIPA
> therefore only support 4 freeIPA servers per realm? Is it possible to
> set up freeIPA to use a combination of multi-master and single-master
> replication to increase scalability (where updates are forwarded back
> to a master)? If so, how can this be configured (I assume it's not as
> simple as just setting up the replication agreements)?

Not yet. FDS supports read-only replicas but we don't have support for setting this up yet. It is on our list of things to do. The topology can get really ugly if we aren't careful, and we're trying to be careful.
From what I understand FDS can handle more than 4-way MMR, it just isn't tested at all past 4, so you'll be going into uncharted territory if you try :-)

> The use-case I'm thinking of is where one has multiple datacentres
> (say 5). Ideally you would have two centralized masters (for
> redundancy) and two freeIPA servers per datacentre (one as a backup,
> but I can't think of a reason they couldn't be active/active). Am I
> correct in thinking that 4-way multi-master replication is overkill if
> LDAP is only being used for authentication? Would it really matter if
> you couldn't change your password from each datacentre?!

Well, when we handle read-only replicas we'll enable the chain-on-update plugin, which will forward write requests to a writable master, so administration would be possible anywhere.

LDAP is used for a lot more than authentication. Right now it is just used for user/group info and as the KDC backend. In the future it will do a lot more.

rob

From dpal at redhat.com Wed Nov 5 20:49:07 2008
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 05 Nov 2008 15:49:07 -0500
Subject: [Freeipa-users] Need help with Solaris Host Based access control
Message-ID: <491206C3.9070204@redhat.com>

Hello,

As a part of the IPA client configuration in IPA v1.x we allow implementing host based access control. We provide the instructions on how to configure the client (actually PAM and NSS) to allow or deny user access to a host based on the information in the IPA back end. The example of such instructions for Linux is:

You can configure Linux to allow or deny access to IPA resources and services based on the configuration of the host from which access is attempted. This requires modification to the /etc/security/access.conf and /etc/pam.d/system-auth files, as described below.

1. Modify the /etc/security/access.conf file to include the following lines:

   + : root : ALL
   + : ipausers : ALL
   - : ALL : ALL

2. Modify the /etc/pam.d/system-auth file to include the following line:

   account required pam_access.so

This configuration specifies that:

* The root user can log in.
* All members of the ipausers group can log in.
* IPA administrators can not log in (because the admin account is not a member of the ipausers group).

=========

The instructions are based on the ability of the pam_access PAM module to check the access control rules specified in access.conf. The group information can be retrieved from the IPA server via nss_ldap.

We tried to find similar functionality on other OSs. We spotted PAM modules on HP-UX and AIX that are responsible for similar authorization checks.

But we are stuck with Solaris. All our investigations about similar functionality in Solaris bear no fruit. We saw pam_roles and pam_unix_account on Solaris but they do not seem to accomplish what we are trying to do.

We are looking for some help and advice from Solaris experts on this functionality.

Thank you,
Dmitri

From kozlov at spbcas.ru Thu Nov 6 10:29:17 2008
From: kozlov at spbcas.ru (Konstantin Kozlov)
Date: Thu, 06 Nov 2008 13:29:17 +0300
Subject: [Freeipa-users] Windows clients problem
Message-ID: <4912C6FD.805@spbcas.ru>

Hello,

I am trying to set up a mixed Linux/Windows network. I have an IPA server on Fedora 9 and IPA clients on Fedora and CentOS. Now I want ipausers to be able to log in to WinXP machines, or local WinXP users to be able to use samba shares. The Samba server is configured on the same machine as the IPA server, and IPA clients can happily use these shares.

I've followed the steps in the other thread on this list but didn't succeed. I have a cifs principal, the entry for it in krb5.keytab with password, and a host principal for the WinXP machine. I've installed MIT Kerberos and MS Support Tools on WinXP, and ran

ksetup /setdomain ...
ksetup /addkdc ...
ksetup /setcomputerpassword ...
ksetup /mapuser ...
The WinXP machine asks to log in to the Kerberos realm at the login screen, but doesn't let me in. The krb5 log file on the IPA server shows that a ticket was issued. I can get a ticket with MIT Kerberos from the WinXP machine but I can't access the samba share.

Help me please, where can the error be?

Thank you,

--
Konstantin Kozlov
Department of Computational Biology, Center for Advanced Studies, SPb State Polytechnical University, 195251, Polytechnicheskaya ul., 29, bld 4, office 204, St.Petersburg, Russia.
Tel./fax: +7 812 596 2831

From chorn at fluxcoil.net Fri Nov 7 08:13:30 2008
From: chorn at fluxcoil.net (Christian Horn)
Date: Fri, 7 Nov 2008 09:13:30 +0100
Subject: [Freeipa-users] Need help with Solaris Host Based access control
In-Reply-To: <491206C3.9070204@redhat.com>
References: <491206C3.9070204@redhat.com>
Message-ID: <20081107081330.GA13820@fluxcoil.net>

Mornings,

On Wed, Nov 05, 2008 at 03:49:07PM -0500, Dmitri Pal wrote:
>
> The instructions are based on the ability of the pam_access PAM module
> to check the access control rules specified in the access.conf.
> The group information can be retrieved from the IPA server via nss_ldap.
>
> We tried to find similar functionality on other OS's. We spotted PAM
> modules on HP-UX and AIX that are responsible for the similar
> authorization checks.
>
> But we are stuck with Solaris. All our investigations about similar
> functionality in Solaris bear no fruits. We saw pam_roles and
> pam_unix_account on Solaris but they do not seem to accomplish what we
> are trying to do.
>
> We are looking for some help and advice from Solaris experts on this
> functionality.

Checked with the Solaris guys, this is in use for pure LDAP authentication/authorization. Apparently just after hooking up a Solaris box to an LDAP server no user is allowed to log in.

The permissions to log in are handled by this:

a) entries in /etc/passwd, containing names of NIS netgroups whose members are allowed to log in, i.e.
   +@netgroup1::::::

b) entries in /etc/shadow, containing names of NIS netgroups whose members are allowed to log in, i.e.

   +@netgroup1::::::::
   (that's 8 colons vs. 6 on the /etc/passwd entries)

c) entries in /etc/nsswitch.conf for this to work:

   passwd: compat
   passwd_compat: ldap [NOTFOUND=return]

I don't use this myself on Solaris boxen but it should be enough to see the Solaris way to handle those login authorizations.

Christian

From kozlov at spbcas.ru Fri Nov 7 11:32:04 2008
From: kozlov at spbcas.ru (Konstantin Kozlov)
Date: Fri, 07 Nov 2008 14:32:04 +0300
Subject: [Freeipa-users] Windows clients problem
In-Reply-To: <49142300.1080104@vulturest.com>
References: <4912C6FD.805@spbcas.ru> <49142300.1080104@vulturest.com>
Message-ID: <49142734.4000008@spbcas.ru>

Hello,

Johan Venter wrote:
> Konstantin Kozlov wrote:
>> WinXP machine asks to login to Kerberos realm at login screen, but
>> doesn't let me in. The krb5 log file on IPA server shows that ticket
>> was issued. I can get ticket with MIT Kerberos from WinXP machine but
>> I can't access samba share.
>
> I had to add -e des-cbc-crc to the ipa-getkeytab command line I used to
> generate the Windows host principal and set the password before Windows
> login to the Kerberos realm would work.
>
> Windows XP/Server 2003 doesn't support useful encryption mechanisms.
>

I did that also and that didn't work. Do I need to install the keytab on the WinXP machine? If yes, how?

Thank you,

--
Konstantin Kozlov
Department of Computational Biology, Center for Advanced Studies, SPb State Polytechnical University, 195251, Polytechnicheskaya ul., 29, bld 4, office 204, St.Petersburg, Russia.
Tel./fax: +7 812 596 2831

From kozlov at spbcas.ru Fri Nov 7 11:54:34 2008
From: kozlov at spbcas.ru (Konstantin Kozlov)
Date: Fri, 07 Nov 2008 14:54:34 +0300
Subject: [Freeipa-users] Windows clients problem
In-Reply-To: <49142916.5000403@vulturest.com>
References: <4912C6FD.805@spbcas.ru> <49142300.1080104@vulturest.com> <49142734.4000008@spbcas.ru> <49142916.5000403@vulturest.com>
Message-ID: <49142C7A.5010508@spbcas.ru>

Thank you for the help! After another round of googling I've found that XP uses rc4-hmac... I'll try that next day.

Johan Venter wrote:
> Konstantin Kozlov wrote:
>> Hello,
>>
>> Johan Venter wrote:
>>> Konstantin Kozlov wrote:
>>>> WinXP machine asks to login to Kerberos realm at login screen, but
>>>> doesn't let me in. The krb5 log file on IPA server shows that ticket
>>>> was issued. I can get ticket with MIT Kerberos from WinXP machine
>>>> but I can't access samba share.
>>>
>>> I had to add -e des-cbc-crc to the ipa-getkeytab command line I used
>>> to generate the Windows host principal and set the password before
>>> Windows login to the Kerberos realm would work.
>>>
>>> Windows XP/Server 2003 doesn't support useful encryption mechanisms.
>>>
>>
>> I did that also and that didn't work. Do I need to install the keytab
>> on WinXP machine? If yes, how?
>>
>
> Hmm .. I had to use the latest version of ipa-getkeytab (which supported
> the password option - I compiled my own RPMs for CentOS) and between
> that, the -e option and ksetup /setcomputerpassword it finally worked
> on my Windows Server 2003 machines.
>
> Maybe there is something different with XP machines, all I can suggest
> is try the different encryption types and see what works (DES generally,
> no AES or SHA hashes).
>
> Johan
>

--
Konstantin Kozlov
Department of Computational Biology, Center for Advanced Studies, SPb State Polytechnical University, 195251, Polytechnicheskaya ul., 29, bld 4, office 204, St.Petersburg, Russia.
Tel./fax: +7 812 596 2831

From dpal at redhat.com Fri Nov 7 14:27:00 2008
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 07 Nov 2008 09:27:00 -0500
Subject: [Freeipa-devel] Re: [Freeipa-users] Need help with Solaris Host Based access control
In-Reply-To: <20081107081330.GA13820@fluxcoil.net>
References: <491206C3.9070204@redhat.com> <20081107081330.GA13820@fluxcoil.net>
Message-ID: <49145034.8030409@redhat.com>

Thank you Christian!
I will dig more into it.

Dmitri

Christian Horn wrote:
> Mornings,
>
> On Wed, Nov 05, 2008 at 03:49:07PM -0500, Dmitri Pal wrote:
>
>> The instructions are based on the ability of the pam_access PAM module
>> to check the access control rules specified in the access.conf.
>> The group information can be retrieved from the IPA server via nss_ldap.
>>
>> We tried to find similar functionality on other OS's. We spotted PAM
>> modules on HP-UX and AIX that are responsible for the similar
>> authorization checks.
>>
>> But we are stuck with Solaris. All our investigations about similar
>> functionality in Solaris bear no fruits. We saw pam_roles and
>> pam_unix_account on Solaris but they do not seem to accomplish what we
>> are trying to do.
>>
>> We are looking for some help and advice from Solaris experts on this
>> functionality.
>>
>
> Checked with the Solaris guys, this is in use for pure LDAP authentication/
> authorization.
> Apparently just after hooking up a Solaris box to an LDAP server no user
> is allowed to log in.
>
> The permissions to log in are handled by this:
>
> a) entries in /etc/passwd, containing names of NIS netgroups
> whose members are allowed to log in, i.e.
>
> +@netgroup1::::::
>
> b) entries in /etc/shadow, containing names of NIS netgroups
> whose members are allowed to log in, i.e.
>
> +@netgroup1::::::::
> (that's 8 colons vs. 6 on the /etc/passwd entries)
>
> c) entries in /etc/nsswitch.conf for this to work:
>
> passwd: compat
> passwd_compat: ldap [NOTFOUND=return]
>
>
> I don't use this myself on Solaris boxen but it should be enough to see
> the Solaris way to handle those login authorizations.
>
>
> Christian
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
>
>

From luis_lugo74 at yahoo.com Mon Nov 10 02:01:04 2008
From: luis_lugo74 at yahoo.com (luis lugo)
Date: Sun, 9 Nov 2008 18:01:04 -0800 (PST)
Subject: [Freeipa-users] Re: Freeipa-users Digest, Vol 4, Issue 5
In-Reply-To: <20081107170012.05B818E042D@hormel.redhat.com>
Message-ID: <100913.40731.qm@web38601.mail.mud.yahoo.com>

Hi all,

I need help to migrate a NIS server to freeipa. What is the way to import an ldif file into freeipa?

Thanks.

--- On Fri 7-Nov-08, freeipa-users-request at redhat.com wrote:

From: freeipa-users-request at redhat.com
Subject: Freeipa-users Digest, Vol 4, Issue 5
To: freeipa-users at redhat.com
Date: Friday, 7 November, 2008, 5:00 pm
URL: From kozlov at spbcas.ru Mon Nov 10 13:53:08 2008 From: kozlov at spbcas.ru (Konstantin Kozlov) Date: Mon, 10 Nov 2008 16:53:08 +0300 Subject: [Freeipa-users] GSSAPI Failure Message-ID: <49183CC4.6070209@spbcas.ru> Hello, I have the following problem. On the ipaserver after reboot I get the following error: # kinit admin # ipa-finduser admin Connection to database failed: Invalid credentials: SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context However it is possible to login to ipaclient with ipauser. Before reboot it worked. Does anybody have any ideas what is wrong? Thank you in advance, -- Konstantin Kozlov Department of Computational Biology, Center for Advanced Studies, SPb State Polytechnical University, 195251, Polytechnicheskaya ul., 29, bld 4, office 204, St.Petersburg, Russia. Tel./fax: +7 812 596 2831 From luis_lugo74 at yahoo.com Mon Nov 10 17:16:45 2008 From: luis_lugo74 at yahoo.com (luis lugo) Date: Mon, 10 Nov 2008 09:16:45 -0800 (PST) Subject: [Freeipa-users] Migrate NIS to FreeIPA In-Reply-To: <20081110170014.764CB61B18D@hormel.redhat.com> Message-ID: <496701.7185.qm@web38602.mail.mud.yahoo.com> Hi all, I need help to migrate NIS server to freeipa. What is the way to import ldif file to freeipa? Thanks. --- El lun 10-nov-08, freeipa-users-request at redhat.com escribi?: De: freeipa-users-request at redhat.com Asunto: Freeipa-users Digest, Vol 4, Issue 6 A: freeipa-users at redhat.com Fecha: lunes, 10 noviembre, 2008, 5:00 pm Send Freeipa-users mailing list submissions to freeipa-users at redhat.com To subscribe or unsubscribe via the World Wide Web, visit https://www.redhat.com/mailman/listinfo/freeipa-users or, via email, send a message with subject or body 'help' to freeipa-users-request at redhat.com You can reach the person managing the list at freeipa-users-owner at redhat.com When replying, please edit your Subject line so it is more specific than "Re: Contents of Freeipa-users digest..." Today's Topics: 1. 
Re: Freeipa-users Digest, Vol 4, Issue 5 (luis lugo) 2. GSSAPI Failure (Konstantin Kozlov) ---------------------------------------------------------------------- Message: 1 Date: Sun, 9 Nov 2008 18:01:04 -0800 (PST) From: luis lugo Subject: [Freeipa-users] Re: Freeipa-users Digest, Vol 4, Issue 5 To: freeipa-users at redhat.com Message-ID: <100913.40731.qm at web38601.mail.mud.yahoo.com> Content-Type: text/plain; charset="utf-8" Hi all, I need help to migrate NIS server to freeipa. What is the way to import ldif file to freeipa? Thanks. --- El vie 7-nov-08, freeipa-users-request at redhat.com escribi?: De: freeipa-users-request at redhat.com Asunto: Freeipa-users Digest, Vol 4, Issue 5 A: freeipa-users at redhat.com Fecha: viernes, 7 noviembre, 2008, 5:00 pm Send Freeipa-users mailing list submissions to freeipa-users at redhat.com To subscribe or unsubscribe via the World Wide Web, visit https://www.redhat.com/mailman/listinfo/freeipa-users or, via email, send a message with subject or body 'help' to freeipa-users-request at redhat.com You can reach the person managing the list at freeipa-users-owner at redhat.com When replying, please edit your Subject line so it is more specific than "Re: Contents of Freeipa-users digest..." Today's Topics: 1. Re: Need help with Solaris Host Based access control (Christian Horn) 2. Re: Windows clients problem (Konstantin Kozlov) 3. Re: Windows clients problem (Konstantin Kozlov) 4. 
Re: [Freeipa-devel] Re: [Freeipa-users] Need help with Solaris Host Based access control (Dmitri Pal) ---------------------------------------------------------------------- Message: 1 Date: Fri, 7 Nov 2008 09:13:30 +0100 From: Christian Horn Subject: Re: [Freeipa-users] Need help with Solaris Host Based access control To: Dmitri Pal Cc: freeipa-devel , freeipa-users at redhat.com Message-ID: <20081107081330.GA13820 at fluxcoil.net> Content-Type: text/plain; charset=us-ascii Mornings, On Wed, Nov 05, 2008 at 03:49:07PM -0500, Dmitri Pal wrote: > > The instructions are based on the ability of the pam_access PAM module > to check the access control rules specified in the access.conf. > The group information can be retrieved from the IPA server via nss_ldap. > > We tried to find similar functionality on other OS's. We spotted PAM > modules on HP-UX and AIX that are responsible for the similar > authorization checks. > > But we are stuck with Solaris. All our investigations about similar > functionality in Solaris bear no fruits. We saw pam_roles and > pam_unix_account on Solaris but they do not seem to accomplish what we > are trying to do. > > We are looking for some help and advice from Solaris experts on this > functionality. Checked with solaris-guys, this is in use for pure ldap-authentication/ authorization. Apparently just after hooking up a solaris-box to an ldap no user is allowed to login. The permissions to login are handled by this: a) entries in /etc/passwd, containing names of NIS-netgroups whose members are allowed to log in, i.e. + at netgroup1:::::: b) entries in /etc/shadow, containing names of NIS-netgroups whose members are allowed to log in, i.e. + at netgroup1:::::::: (thats 8 colons vs. 6 on the /etcx/passwd-entries) c) entries in /etc/nsswitch.conf for this to work: passwd: compat passwd_compat: ldap [NOTFOUND=return] I dont use this myself on Solaris-boxen but should be enough to see the Solaris-way to handle those login-authorizations. 
Christian ------------------------------ Message: 2 Date: Fri, 07 Nov 2008 14:32:04 +0300 From: Konstantin Kozlov Subject: Re: [Freeipa-users] Windows clients problem To: freeipa-users at redhat.com Message-ID: <49142734.4000008 at spbcas.ru> Content-Type: text/plain; charset=KOI8-R; format=flowed Hello, Johan Venter wrote: > Konstantin Kozlov wrote: >> WinXP machine asks to login to Kerberos realm at login screen, but >> doesn't let me in. The krb5 log file on IPA server shows that ticket >> was issued. I can get ticket with MIT Kerberos from WinXP machine but >> I can't access samba share. > > I had to add -e des-cbc-crc to the ipa-getkeytab command line I used to > generate the Windows host principal and set the password before Windows > login to the Kerberos realm would work. > > Windows XP/Server 2003 doesn't support useful encryption mechanisms. > I did that also and that didn't work. Do I need to install the keytab on WinXP machine? If yes, how? Thank you, -- Konstantin Kozlov Department of Computational Biology, Center for Advanced Studies, SPb State Polytechnical University, 195251, Polytechnicheskaya ul., 29, bld 4, office 204, St.Petersburg, Russia. Tel./fax: +7 812 596 2831 ------------------------------ Message: 3 Date: Fri, 07 Nov 2008 14:54:34 +0300 From: Konstantin Kozlov Subject: Re: [Freeipa-users] Windows clients problem To: freeipa-users at redhat.com Message-ID: <49142C7A.5010508 at spbcas.ru> Content-Type: text/plain; charset=KOI8-R; format=flowed Thank you for the help! After another round of googling I've found that XP uses rc4-hmac...I'll try that next day. Johan Venter wrote: > Konstantin Kozlov wrote: >> Hello, >> >> Johan Venter wrote: >>> Konstantin Kozlov wrote: >>>> WinXP machine asks to login to Kerberos realm at login screen, but >>>> doesn't let me in. The krb5 log file on IPA server shows that ticket >>>> was issued. I can get ticket with MIT Kerberos from WinXP machine >>>> but I can't access samba share. 
>>> >>> I had to add -e des-cbc-crc to the ipa-getkeytab command line I used >>> to generate the Windows host principal and set the password before >>> Windows login to the Kerberos realm would work. >>> >>> Windows XP/Server 2003 doesn't support useful encryption mechanisms. >>> >> >> I did that also and that didn't work. Do I need to install the keytab >> on WinXP machine? If yes, how? >> > > Hmm .. I had to use the latest version of ipa-getkeytab (which supported > the password option - I compiled my own RPMs for CentOS) and between > that, then -e option and ksetup /setcomputerpassword it finally worked > on my Windows Server 2003 machines. > > Maybe there is something different with XP machines, all I can suggest > is try the different encryption types and see what works (DES generally, > no AES or SHA hashes). > > Johan > -- Konstantin Kozlov Department of Computational Biology, Center for Advanced Studies, SPb State Polytechnical University, 195251, Polytechnicheskaya ul., 29, bld 4, office 204, St.Petersburg, Russia. Tel./fax: +7 812 596 2831 ------------------------------ Message: 4 Date: Fri, 07 Nov 2008 09:27:00 -0500 From: Dmitri Pal Subject: Re: [Freeipa-devel] Re: [Freeipa-users] Need help with Solaris Host Based access control To: Christian Horn Cc: freeipa-devel , freeipa-users at redhat.com Message-ID: <49145034.8030409 at redhat.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Thank you Christian! I will dig more into it. Dmitri Christian Horn wrote: > Mornings, > > On Wed, Nov 05, 2008 at 03:49:07PM -0500, Dmitri Pal wrote: > >> The instructions are based on the ability of the pam_access PAM module >> to check the access control rules specified in the access.conf. >> The group information can be retrieved from the IPA server via nss_ldap. >> >> We tried to find similar functionality on other OS's. We spotted PAM >> modules on HP-UX and AIX that are responsible for the similar >> authorization checks. 
>> >> But we are stuck with Solaris. All our investigations about similar >> functionality in Solaris bear no fruits. We saw pam_roles and >> pam_unix_account on Solaris but they do not seem to accomplish what we >> are trying to do. >> >> We are looking for some help and advice from Solaris experts on this >> functionality. >> > > Checked with solaris-guys, this is in use for pure ldap-authentication/ > authorization. > Apparently just after hooking up a solaris-box to an ldap no user > is allowed to login. > > The permissions to login are handled by this: > > a) entries in /etc/passwd, containing names of NIS-netgroups > whose members are allowed to log in, i.e. > > +@netgroup1:::::: > > b) entries in /etc/shadow, containing names of NIS-netgroups > whose members are allowed to log in, i.e. > > +@netgroup1:::::::: > (that's 8 colons vs. 6 on the /etc/passwd-entries) > > c) entries in /etc/nsswitch.conf for this to work: > > passwd: compat > passwd_compat: ldap [NOTFOUND=return] > > > I don't use this myself on Solaris-boxen but should be enough to see > the Solaris-way to handle those login-authorizations. > > > Christian > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel > > > ------------------------------ _______________________________________________ Freeipa-users mailing list Freeipa-users at redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users End of Freeipa-users Digest, Vol 4, Issue 5 *******************************************
------------------------------ Message: 2 Date: Mon, 10 Nov 2008 16:53:08 +0300 From: Konstantin Kozlov Subject: [Freeipa-users] GSSAPI Failure To: freeipa-users at redhat.com Message-ID: <49183CC4.6070209 at spbcas.ru> Content-Type: text/plain; charset=KOI8-R; format=flowed Hello, I have the following problem. On the ipaserver after reboot I get the following error: # kinit admin # ipa-finduser admin Connection to database failed: Invalid credentials: SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context However it is possible to login to ipaclient with ipauser. Before reboot it worked. Does anybody have any ideas what is wrong? Thank you in advance, -- Konstantin Kozlov Department of Computational Biology, Center for Advanced Studies, SPb State Polytechnical University, 195251, Polytechnicheskaya ul., 29, bld 4, office 204, St.Petersburg, Russia. Tel./fax: +7 812 596 2831 ------------------------------ _______________________________________________ Freeipa-users mailing list Freeipa-users at redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users End of Freeipa-users Digest, Vol 4, Issue 6 ******************************************* From dpal at redhat.com Mon Nov 10 17:40:21 2008 From: dpal at redhat.com (Dmitri Pal) Date: Mon, 10 Nov 2008 12:40:21 -0500 Subject: [Freeipa-users] Migrate NIS to FreeIPA In-Reply-To: <496701.7185.qm@web38602.mail.mud.yahoo.com> References: <496701.7185.qm@web38602.mail.mud.yahoo.com> Message-ID: <49187205.5090602@redhat.com> luis lugo wrote: > Hi all, > > > I need help to migrate NIS server to freeipa. 
What is the way to import ldif > file to freeipa? > > > Hi, Luis You can import ldif using the standard LDAP tools since IPA is built on top of the DS. Be aware that the freeIPA's DIT is flattened and the LDIF should thus put entries into the places where IPA expects them. See freeIPA documentation for more details http://www.freeipa.org/page/DocumentationPortal If you need a more gradual NIS migration then Penrose OSS project is something that would help you a lot. See http://penrose.safehaus.org/penrose12/network-information-service.html for more details. Thanks Dmitri From ssorce at redhat.com Tue Nov 11 13:37:37 2008 From: ssorce at redhat.com (Simo Sorce) Date: Tue, 11 Nov 2008 08:37:37 -0500 Subject: [Freeipa-users] GSSAPI Failure In-Reply-To: <49183CC4.6070209@spbcas.ru> References: <49183CC4.6070209@spbcas.ru> Message-ID: <1226410657.10160.499.camel@localhost.localdomain> On Mon, 2008-11-10 at 16:53 +0300, Konstantin Kozlov wrote: > Hello, > > I have the following problem. > > On the ipaserver after reboot I get the following error: > > # kinit admin > # ipa-finduser admin > Connection to database failed: Invalid credentials: SASL(-13): > authentication failure: GSSAPI Failure: gss_accept_sec_context > > However it is possible to login to ipaclient with ipauser. Do you have multiple masters ? > Before reboot it worked. > > Does anybody have any ideas what is wrong? Is krb5kdc up and running ? What do you see in /var/log/krb5kdc.log ? Simo. -- Simo Sorce * Red Hat, Inc * New York From kozlov at spbcas.ru Tue Nov 11 13:50:39 2008 From: kozlov at spbcas.ru (Konstantin Kozlov) Date: Tue, 11 Nov 2008 16:50:39 +0300 Subject: [Freeipa-users] GSSAPI Failure In-Reply-To: <1226410657.10160.499.camel@localhost.localdomain> References: <49183CC4.6070209@spbcas.ru> <1226410657.10160.499.camel@localhost.localdomain> Message-ID: <49198DAF.5010209@spbcas.ru> Well, during the last day I've reinstalled ipaserver (Fedora 9) and ipaclient (CentOS 5). 
It worked for about 15 min :). I've added one user, nfs, cifs and host principals, automounter schema and principal for winxp host with rc4-hmac encryption. Automounter worked, I could login to ipaserver with ipauser and had the home dir automounted. Then "suddenly" I've started to get the same error. I have one master - ipaserver on Fedora 9 and one client on CentOS 5 with recompiled srpms from RHEL. rpm on Fedora are all updated (may be this is bad?) Kerberos works, I can get tickets for admin and ipauser. Do you have any ideas? May be its better to go for git ipa on CentOS? Best regards, Kostya Simo Sorce wrote: > On Mon, 2008-11-10 at 16:53 +0300, Konstantin Kozlov wrote: >> Hello, >> >> I have the following problem. >> >> On the ipaserver after reboot I get the following error: >> >> # kinit admin >> # ipa-finduser admin >> Connection to database failed: Invalid credentials: SASL(-13): >> authentication failure: GSSAPI Failure: gss_accept_sec_context >> >> However it is possible to login to ipaclient with ipauser. > > Do you have multiple masters ? > >> Before reboot it worked. >> >> Does anybody have any ideas what is wrong? > > Is krb5kdc up and runnig ? > What do you see in /var/log/krb5kdc.log ? > > Simo. > -- Konstantin Kozlov Department of Computational Biology, Center for Advanced Studies, SPb State Polytechnical University, 195251, Polytechnicheskaya ul., 29, bld 4, office 204, St.Petersburg, Russia. 
Tel./fax: +7 812 596 2831 From ssorce at redhat.com Tue Nov 11 13:55:30 2008 From: ssorce at redhat.com (Simo Sorce) Date: Tue, 11 Nov 2008 08:55:30 -0500 Subject: [Freeipa-users] GSSAPI Failure In-Reply-To: <49198DAF.5010209@spbcas.ru> References: <49183CC4.6070209@spbcas.ru> <1226410657.10160.499.camel@localhost.localdomain> <49198DAF.5010209@spbcas.ru> Message-ID: <1226411730.10160.501.camel@localhost.localdomain> On Tue, 2008-11-11 at 16:50 +0300, Konstantin Kozlov wrote: > Well, during the last day I've reinstalled ipaserver (Fedora 9) and > ipaclient (CentOS 5). It worked for about 15 min :). I've added one > user, nfs, cifs and host principals, automounter schema and principal > for winxp host with rc4-hmac encryption. Automounter worked, I could > login to ipaserver with ipauser and had the home dir automounted. > Then > "suddenly" I've started to get the same error. > > I have one master - ipaserver on Fedora 9 > and one client on CentOS 5 with recompiled srpms from RHEL. > > rpm on Fedora are all updated (may be this is bad?) > > Kerberos works, I can get tickets for admin and ipauser. > > Do you have any ideas? As I said check krb5kdc.log please. Simo. -- Simo Sorce * Red Hat, Inc * New York From kozlov at spbcas.ru Tue Nov 11 14:10:09 2008 From: kozlov at spbcas.ru (Konstantin Kozlov) Date: Tue, 11 Nov 2008 17:10:09 +0300 Subject: [Freeipa-users] GSSAPI Failure In-Reply-To: <1226411730.10160.501.camel@localhost.localdomain> References: <49183CC4.6070209@spbcas.ru> <1226410657.10160.499.camel@localhost.localdomain> <49198DAF.5010209@spbcas.ru> <1226411730.10160.501.camel@localhost.localdomain> Message-ID: <49199241.3090509@spbcas.ru> Simo Sorce wrote: > On Tue, 2008-11-11 at 16:50 +0300, Konstantin Kozlov wrote: >> Well, during the last day I've reinstalled ipaserver (Fedora 9) and >> ipaclient (CentOS 5). It worked for about 15 min :). 
I've added one >> user, nfs, cifs and host principals, automounter schema and principal >> for winxp host with rc4-hmac encryption. Automounter worked, I could >> login to ipaserver with ipauser and had the home dir automounted. >> Then >> "suddenly" I've started to get the same error. >> >> I have one master - ipaserver on Fedora 9 >> and one client on CentOS 5 with recompiled srpms from RHEL. >> >> rpm on Fedora are all updated (may be this is bad?) >> >> Kerberos works, I can get tickets for admin and ipauser. >> >> Do you have any ideas? > > As I said check krb5kdc.log please. > > Simo. > tail /var/log/krb5kdc.log: Nov 11 16:41:06 ipaserver.example.com krb5kdc[11084](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.10.1.185: ISSUE: authtime 1226410666, etypes {rep=18 tkt=18 ses=18}, kkozlov at example.com for ldap/ipaserver.example.com at example.com Nov 11 16:41:06 ipaserver.example.com krb5kdc[11084](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.10.1.185: ISSUE: authtime 1226410666, etypes {rep=18 tkt=18 ses=18}, kkozlov at example.com for ldap/ipaserver.example.com at example.com Nov 11 16:41:06 ipaserver.example.com krb5kdc[11084](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.10.1.185: ISSUE: authtime 1226410666, etypes {rep=18 tkt=18 ses=18}, kkozlov at example.com for ldap/ipaserver.example.com at example.com Nov 11 16:41:10 ipaserver.example.com krb5kdc[11084](info): TGS_REQ (1 etypes {18}) 10.10.1.185: ISSUE: authtime 1226410666, etypes {rep=18 tkt=18 ses=18}, kkozlov at example.com for krbtgt/example.com at example.com Nov 11 16:41:10 ipaserver.example.com krb5kdc[11084](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.10.1.185: ISSUE: authtime 1226410666, etypes {rep=18 tkt=18 ses=18}, kkozlov at example.com for ldap/ipaserver.example.com at example.com Nov 11 17:03:09 ipaserver.example.com krb5kdc[11084](info): TGS_REQ (1 etypes {18}) 10.10.1.185: ISSUE: authtime 1226407271, etypes {rep=18 tkt=18 ses=18}, admin at example.com for 
krbtgt/example.com at example.com Nov 11 17:03:10 ipaserver.example.com krb5kdc[11084](info): TGS_REQ (1 etypes {18}) 10.10.1.185: ISSUE: authtime 1226407271, etypes {rep=18 tkt=18 ses=18}, admin at example.com for krbtgt/example.com at example.com Nov 11 17:03:10 ipaserver.example.com krb5kdc[11084](info): TGS_REQ (1 etypes {18}) 10.10.1.185: ISSUE: authtime 1226407271, etypes {rep=18 tkt=18 ses=18}, admin at example.com for krbtgt/example.com at example.com Nov 11 17:03:10 ipaserver.example.com krb5kdc[11084](info): TGS_REQ (1 etypes {18}) 10.10.1.185: ISSUE: authtime 1226407271, etypes {rep=18 tkt=18 ses=18}, admin at example.com for krbtgt/example.com at example.com Nov 11 17:03:10 ipaserver.example.com krb5kdc[11084](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.10.1.185: ISSUE: authtime 1226407271, etypes {rep=18 tkt=18 ses=18}, admin at example.com for ldap/ipaserver.example.com at example.com I suspect that the system was unhappy with rc4-hmac in ipa-getkeytab command as it is not listed in supported enctypes. Is it possible? -- Konstantin Kozlov Department of Computational Biology, Center for Advanced Studies, SPb State Polytechnical University, 195251, Polytechnicheskaya ul., 29, bld 4, office 204, St.Petersburg, Russia. Tel./fax: +7 812 596 2831 From ssorce at redhat.com Tue Nov 11 15:40:41 2008 From: ssorce at redhat.com (Simo Sorce) Date: Tue, 11 Nov 2008 10:40:41 -0500 Subject: [Freeipa-users] GSSAPI Failure In-Reply-To: <49199241.3090509@spbcas.ru> References: <49183CC4.6070209@spbcas.ru> <1226410657.10160.499.camel@localhost.localdomain> <49198DAF.5010209@spbcas.ru> <1226411730.10160.501.camel@localhost.localdomain> <49199241.3090509@spbcas.ru> Message-ID: <1226418041.10160.503.camel@localhost.localdomain> On Tue, 2008-11-11 at 17:10 +0300, Konstantin Kozlov wrote: > I suspect that the system was unhappy with rc4-hmac in ipa-getkeytab > command as it is not listed in supported enctypes. Is it possible? Does not seem likely. 
Do you have problems only on the Windows box? Or on any client including the IPA server ? Simo. -- Simo Sorce * Red Hat, Inc * New York From mackoel at gmail.com Tue Nov 11 15:55:41 2008 From: mackoel at gmail.com (Kozlov) Date: Tue, 11 Nov 2008 18:55:41 +0300 Subject: [Freeipa-users] GSSAPI Failure In-Reply-To: <1226418041.10160.503.camel@localhost.localdomain> References: <49183CC4.6070209@spbcas.ru> <1226410657.10160.499.camel@localhost.localdomain> <49198DAF.5010209@spbcas.ru> <1226411730.10160.501.camel@localhost.localdomain> <49199241.3090509@spbcas.ru> <1226418041.10160.503.camel@localhost.localdomain> Message-ID: <4919AAFD.7000403@spbcas.ru> Simo Sorce wrote: > On Tue, 2008-11-11 at 17:10 +0300, Konstantin Kozlov wrote: >> I suspect that the system was unhappy with rc4-hmac in ipa-getkeytab >> command as it is not listed in supported enctypes. Is it possible? > > Does not seem likely. > Do you have problems only on the Windows box? Or on any client including > the IPA server ? > > Simo. > WinXP never worked for me yet. I've got GSSAPI error on ipaserver - Fedora9 and ipaclient CentOS 5. It makes webgui and ipa tools unusable but surprisingly logging in with ipauser and automounting the home dir still work on ipaserver. I've failed to configure automounter on ipaclient. I've tried to change the 127.0.0.1 in krb5.conf to ipaserver.example.com but it didn't help. Kostya From kozlov at spbcas.ru Wed Nov 12 08:15:53 2008 From: kozlov at spbcas.ru (Konstantin Kozlov) Date: Wed, 12 Nov 2008 11:15:53 +0300 Subject: [Freeipa-users] GSSAPI Failure In-Reply-To: <4919AAFD.7000403@spbcas.ru> References: <49183CC4.6070209@spbcas.ru> <1226410657.10160.499.camel@localhost.localdomain> <49198DAF.5010209@spbcas.ru> <1226411730.10160.501.camel@localhost.localdomain> <49199241.3090509@spbcas.ru> <1226418041.10160.503.camel@localhost.localdomain> <4919AAFD.7000403@spbcas.ru> Message-ID: <491A90B9.2070208@spbcas.ru> Hello, So ran out of ideas for where to look for errors. 
I've got the GSSAPI error with ipa tools and ldap tools. [root at ipaserver ~]# ipa-finduser admin Connection to database failed: Invalid credentials: SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context But the ipauser can login to ipaserver and ipaclient and get his home dir automounted. Is it a dead end? Are there any methods to add users/groups to ldap and kerberos consistently without ipa tools? Best regards, Kostya Kozlov wrote: > Simo Sorce wrote: >> On Tue, 2008-11-11 at 17:10 +0300, Konstantin Kozlov wrote: >>> I suspect that the system was unhappy with rc4-hmac in ipa-getkeytab >>> command as it is not listed in supported enctypes. Is it possible? >> >> Does not seem likely. >> Do you have problems only on the Windows box? Or on any client including >> the IPA server ? >> >> Simo. >> > > WinXP never worked for me yet. I've got GSSAPI error on ipaserver - > Fedora9 and ipaclient CentOS 5. It makes webgui and ipa tools unusable > but surprisingly logging in with ipauser and automounting the home dir > still work on ipaserver. I've failed to configure automounter on ipaclient. > > I've tried to change the 127.0.0.1 in krb5.conf to ipaserver.example.com > but it didn't help. > > Kostya > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > -- Konstantin Kozlov Department of Computational Biology, Center for Advanced Studies, SPb State Polytechnical University, 195251, Polytechnicheskaya ul., 29, bld 4, office 204, St.Petersburg, Russia. 
Tel./fax: +7 812 596 2831 From dpal at redhat.com Wed Nov 12 14:45:30 2008 From: dpal at redhat.com (Dmitri Pal) Date: Wed, 12 Nov 2008 09:45:30 -0500 Subject: [Freeipa-users] GSSAPI Failure In-Reply-To: <491A90B9.2070208@spbcas.ru> References: <49183CC4.6070209@spbcas.ru> <1226410657.10160.499.camel@localhost.localdomain> <49198DAF.5010209@spbcas.ru> <1226411730.10160.501.camel@localhost.localdomain> <49199241.3090509@spbcas.ru> <1226418041.10160.503.camel@localhost.localdomain> <4919AAFD.7000403@spbcas.ru> <491A90B9.2070208@spbcas.ru> Message-ID: <491AEC0A.8080502@redhat.com> Konstantin, Would it be a fair assumption to say that kinit and direct authentication works fine but GSSAPI based kerberos auth does not? Is it happening on one machine or all machines? I have seen in another product a similar situation and the cause of the problem was missing or outdated packages for SASL methods. Can it be the case? Thanks Dmitri Konstantin Kozlov wrote: > Hello, > > So ran out of ideas for where to look for errors. I've got the GSSAPI > error with ipa tools and ldap tools. > > [root at ipaserver ~]# ipa-finduser admin > Connection to database failed: Invalid credentials: SASL(-13): > authentication failure: GSSAPI Failure: gss_accept_sec_context > > But the ipauser can login to ipaserver and ipaclient and get his home > dir automounted. > > Is it a dead end? > > Are there any methods to add users/groups to ldap and kerberos > consistently without ipa tools? > > Best regards, > > Kostya > > Kozlov wrote: >> Simo Sorce wrote: >>> On Tue, 2008-11-11 at 17:10 +0300, Konstantin Kozlov wrote: >>>> I suspect that the system was unhappy with rc4-hmac in >>>> ipa-getkeytab command as it is not listed in supported enctypes. Is >>>> it possible? >>> >>> Does not seem likely. >>> Do you have problems only on the Windows box? Or on any client >>> including >>> the IPA server ? >>> >>> Simo. >>> >> >> WinXP never worked for me yet. 
I've got GSSAPI error on ipaserver - >> Fedora9 and ipaclient CentOS 5. It makes webgui and ipa tools >> unusable but surprisingly logging in with ipauser and automounting >> the home dir still work on ipaserver. I've failed to configure >> automounter on ipaclient. >> >> I've tried to change the 127.0.0.1 in krb5.conf to >> ipaserver.example.com but it didn't help. >> >> Kostya >> >> _______________________________________________ >> Freeipa-users mailing list >> Freeipa-users at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-users >> > > From rcritten at redhat.com Wed Nov 12 14:55:41 2008 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 12 Nov 2008 09:55:41 -0500 Subject: [Freeipa-users] GSSAPI Failure In-Reply-To: <491A90B9.2070208@spbcas.ru> References: <49183CC4.6070209@spbcas.ru> <1226410657.10160.499.camel@localhost.localdomain> <49198DAF.5010209@spbcas.ru> <1226411730.10160.501.camel@localhost.localdomain> <49199241.3090509@spbcas.ru> <1226418041.10160.503.camel@localhost.localdomain> <4919AAFD.7000403@spbcas.ru> <491A90B9.2070208@spbcas.ru> Message-ID: <491AEE6D.5020909@redhat.com> Konstantin Kozlov wrote: > Hello, > > So ran out of ideas for where to look for errors. I've got the GSSAPI > error with ipa tools and ldap tools. > > [root at ipaserver ~]# ipa-finduser admin > Connection to database failed: Invalid credentials: SASL(-13): > authentication failure: GSSAPI Failure: gss_accept_sec_context > > But the ipauser can login to ipaserver and ipaclient and get his home > dir automounted. > > Is it a dead end? Ok, this error indicates that the kerberos auth to the XML-RPC server worked but that it can't make a GSSAPI connection to the LDAP server. You can test this directly with: % ldapsearch -Y GSSAPI -b "dc=example,dc=com" uid=admin > > Are there any methods to add users/groups to ldap and kerberos > consistently without ipa tools? 
> > Best regards, > > Kostya > > Kozlov wrote: >> Simo Sorce wrote: >>> On Tue, 2008-11-11 at 17:10 +0300, Konstantin Kozlov wrote: >>>> I suspect that the system was unhappy with rc4-hmac in ipa-getkeytab >>>> command as it is not listed in supported enctypes. Is it possible? >>> >>> Does not seem likely. >>> Do you have problems only on the Windows box? Or on any client including >>> the IPA server ? >>> >>> Simo. >>> >> >> WinXP never worked for me yet. I've got GSSAPI error on ipaserver - >> Fedora9 and ipaclient CentOS 5. It makes webgui and ipa tools unusable >> but surprisingly logging in with ipauser and automounting the home dir >> still work on ipaserver. I've failed to configure automounter on >> ipaclient. >> >> I've tried to change the 127.0.0.1 in krb5.conf to >> ipaserver.example.com but it didn't help. >> >> Kostya >> >> _______________________________________________ >> Freeipa-users mailing list >> Freeipa-users at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-users >> > > From ssorce at redhat.com Wed Nov 12 15:02:02 2008 From: ssorce at redhat.com (Simo Sorce) Date: Wed, 12 Nov 2008 10:02:02 -0500 Subject: [Freeipa-users] GSSAPI Failure In-Reply-To: <491A90B9.2070208@spbcas.ru> References: <49183CC4.6070209@spbcas.ru> <1226410657.10160.499.camel@localhost.localdomain> <49198DAF.5010209@spbcas.ru> <1226411730.10160.501.camel@localhost.localdomain> <49199241.3090509@spbcas.ru> <1226418041.10160.503.camel@localhost.localdomain> <4919AAFD.7000403@spbcas.ru> <491A90B9.2070208@spbcas.ru> Message-ID: <1226502122.10160.561.camel@localhost.localdomain> On Wed, 2008-11-12 at 11:15 +0300, Konstantin Kozlov wrote: > [root at ipaserver ~]# ipa-finduser admin > Connection to database failed: Invalid credentials: SASL(-13): > authentication failure: GSSAPI Failure: gss_accept_sec_context > > But the ipauser can login to ipaserver and ipaclient and get his home > dir automounted. > > Is it a dead end? 
Have you turned off ticket forwarding in krb5.conf ? Simo. -- Simo Sorce * Red Hat, Inc * New York From kozlov at spbcas.ru Wed Nov 12 15:04:21 2008 From: kozlov at spbcas.ru (Konstantin Kozlov) Date: Wed, 12 Nov 2008 18:04:21 +0300 Subject: [Freeipa-users] GSSAPI Failure In-Reply-To: <491AEC0A.8080502@redhat.com> References: <49183CC4.6070209@spbcas.ru> <1226410657.10160.499.camel@localhost.localdomain> <49198DAF.5010209@spbcas.ru> <1226411730.10160.501.camel@localhost.localdomain> <49199241.3090509@spbcas.ru> <1226418041.10160.503.camel@localhost.localdomain> <4919AAFD.7000403@spbcas.ru> <491A90B9.2070208@spbcas.ru> <491AEC0A.8080502@redhat.com> Message-ID: <491AF075.9000007@spbcas.ru> Hello, Rob Crittenden wrote: > Konstantin Kozlov wrote: >> Hello, >> >> So ran out of ideas for where to look for errors. I've got the GSSAPI >> error with ipa tools and ldap tools. >> >> [root at ipaserver ~]# ipa-finduser admin >> Connection to database failed: Invalid credentials: SASL(-13): >> authentication failure: GSSAPI Failure: gss_accept_sec_context >> >> But the ipauser can login to ipaserver and ipaclient and get his home >> dir automounted. >> >> Is it a dead end? > > Ok, this error indicates that the kerberos auth to the XML-RPC server > worked but that it can't make a GSSAPI connection to the LDAP server. > > You can test this directly with: > > % ldapsearch -Y GSSAPI -b "dc=example,dc=com" uid=admin > >> This fails. Dmitri Pal wrote: > Konstantin, > > Would it be a fair assumption to say that kinit and direct > authentication works fine but GSSAPI based kerberos auth does not? Yes, that is correct. > Is it happening on one machine or all machines? > All two - ipaserver and ipaclient. > I have seen in other product a similar situation and the cause of the > problem was missing or outdated packages for SASL methods. > Can it be the case? > No. All packages are the latest version on ipaserver Fedora 9. 
Thanks, Kostya > Thanks > Dmitri > > Konstantin Kozlov wrote: >> Hello, >> >> So ran out of ideas for where to look for errors. I've got the GSSAPI >> error with ipa tools and ldap tools. >> >> [root at ipaserver ~]# ipa-finduser admin >> Connection to database failed: Invalid credentials: SASL(-13): >> authentication failure: GSSAPI Failure: gss_accept_sec_context >> >> But the ipauser can login to ipaserver and ipaclient and get his home >> dir automounted. >> >> Is it a dead end? >> >> Are there any methods to add users/groups to ldap and kerberos >> consistently without ipa tools? >> >> Best regards, >> >> Kostya >> >> Kozlov wrote: >>> Simo Sorce wrote: >>>> On Tue, 2008-11-11 at 17:10 +0300, Konstantin Kozlov wrote: >>>>> I suspect that the system was unhappy with rc4-hmac in >>>>> ipa-getkeytab command as it is not listed in supported enctypes. Is >>>>> it possible? >>>> >>>> Does not seem likely. >>>> Do you have problems only on the Windows box? Or on any client >>>> including >>>> the IPA server ? >>>> >>>> Simo. >>>> >>> >>> WinXP never worked for me yet. I've got GSSAPI error on ipaserver - >>> Fedora9 and ipaclient CentOS 5. It makes webgui and ipa tools >>> unusable but surprisingly logging in with ipauser and automounting >>> the home dir still work on ipaserver. I've failed to configure >>> automounter on ipaclient. >>> >>> I've tried to change the 127.0.0.1 in krb5.conf to >>> ipaserver.example.com but it didn't help. >>> >>> Kostya >>> >>> _______________________________________________ >>> Freeipa-users mailing list >>> Freeipa-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/freeipa-users >>> >> >> > > -- Konstantin Kozlov Department of Computational Biology, Center for Advanced Studies, SPb State Polytechnical University, 195251, Polytechnicheskaya ul., 29, bld 4, office 204, St.Petersburg, Russia. 
Tel./fax: +7 812 596 2831 From dpal at redhat.com Wed Nov 12 15:15:59 2008 From: dpal at redhat.com (Dmitri Pal) Date: Wed, 12 Nov 2008 10:15:59 -0500 Subject: [Freeipa-users] GSSAPI Failure In-Reply-To: <491AF075.9000007@spbcas.ru> References: <49183CC4.6070209@spbcas.ru> <1226410657.10160.499.camel@localhost.localdomain> <49198DAF.5010209@spbcas.ru> <1226411730.10160.501.camel@localhost.localdomain> <49199241.3090509@spbcas.ru> <1226418041.10160.503.camel@localhost.localdomain> <4919AAFD.7000403@spbcas.ru> <491A90B9.2070208@spbcas.ru> <491AEC0A.8080502@redhat.com> <491AF075.9000007@spbcas.ru> Message-ID: <491AF32F.1030705@redhat.com> Konstantin Kozlov wrote: > Hello, > > Rob Crittenden wrote: > > Konstantin Kozlov wrote: > >> Hello, > >> > >> So ran out of ideas for where to look for errors. I've got the GSSAPI > >> error with ipa tools and ldap tools. > >> > >> [root at ipaserver ~]# ipa-finduser admin > >> Connection to database failed: Invalid credentials: SASL(-13): > >> authentication failure: GSSAPI Failure: gss_accept_sec_context > >> > >> But the ipauser can login to ipaserver and ipaclient and get his home > >> dir automounted. > >> > >> Is it a dead end? > > > > Ok, this error indicates that the kerberos auth to the XML-RPC server > > worked but that it can't make a GSSAPI connection to the LDAP server. > > > > You can test this directly with: > > > > % ldapsearch -Y GSSAPI -b "dc=example,dc=com" uid=admin > > > >> > > This fails. > If this fails you should see a reason in the IPA server DS's access log. This might give a hint. 
Thanks Dmitri From kozlov at spbcas.ru Thu Nov 13 07:25:38 2008 From: kozlov at spbcas.ru (Konstantin Kozlov) Date: Thu, 13 Nov 2008 10:25:38 +0300 Subject: [Freeipa-users] GSSAPI Failure In-Reply-To: <491AF32F.1030705@redhat.com> References: <49183CC4.6070209@spbcas.ru> <1226410657.10160.499.camel@localhost.localdomain> <49198DAF.5010209@spbcas.ru> <1226411730.10160.501.camel@localhost.localdomain> <49199241.3090509@spbcas.ru> <1226418041.10160.503.camel@localhost.localdomain> <4919AAFD.7000403@spbcas.ru> <491A90B9.2070208@spbcas.ru> <491AEC0A.8080502@redhat.com> <491AF075.9000007@spbcas.ru> <491AF32F.1030705@redhat.com> Message-ID: <491BD672.8000000@spbcas.ru> Simo Sorce wrote: > On Wed, 2008-11-12 at 11:15 +0300, Konstantin Kozlov wrote: >> [root at ipaserver ~]# ipa-finduser admin >> Connection to database failed: Invalid credentials: SASL(-13): >> authentication failure: GSSAPI Failure: gss_accept_sec_context >> >> But the ipauser can login to ipaserver and ipaclient and get his home >> dir automounted. >> >> Is it a dead end? > > Have you turned off ticket forwarding in krb5.conf ? > I did not from the beginning but when I did and restarted krb5kdc and dirsrv nothing changed. My krb5.conf contains forwardable = no in two places - libdefaults and appdefaults. Is that correct? Dmitri Pal wrote: > Konstantin Kozlov wrote: >> Hello, >> >> Rob Crittenden wrote: >> > Konstantin Kozlov wrote: >> >> Hello, >> >> >> >> So ran out of ideas for where to look for errors. I've got the GSSAPI >> >> error with ipa tools and ldap tools. >> >> >> >> [root at ipaserver ~]# ipa-finduser admin >> >> Connection to database failed: Invalid credentials: SASL(-13): >> >> authentication failure: GSSAPI Failure: gss_accept_sec_context >> >> >> >> But the ipauser can login to ipaserver and ipaclient and get his home >> >> dir automounted. >> >> >> >> Is it a dead end? 
>> > >> > Ok, this error indicates that the kerberos auth to the XML-RPC server >> > worked but that it can't make a GSSAPI connection to the LDAP server. >> > >> > You can test this directly with: >> > >> > % ldapsearch -Y GSSAPI -b "dc=example,dc=com" uid=admin >> > >> >> >> >> This fails. >> > > If this fails you should see a reason in the IPA server DS's access log. > This might give a hint. > > ldapsearch doesn't produce entries in access log. ipa-finduser does: [root at ipaserver ~]# ipa-finduser admin Connection to database failed: Invalid credentials: SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context access log: [13/Nov/2008:10:17:51 +0300] conn=4 op=26 RESULT err=0 tag=101 nentries=1 etime=0 [13/Nov/2008:10:17:51 +0300] conn=6 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI [13/Nov/2008:10:17:51 +0300] conn=6 op=0 RESULT err=49 tag=97 nentries=0 etime=0 Best regards, Kostya From ssorce at redhat.com Thu Nov 13 13:17:52 2008 From: ssorce at redhat.com (Simo Sorce) Date: Thu, 13 Nov 2008 08:17:52 -0500 Subject: [Freeipa-users] GSSAPI Failure In-Reply-To: <491BD672.8000000@spbcas.ru> References: <49183CC4.6070209@spbcas.ru> <1226410657.10160.499.camel@localhost.localdomain> <49198DAF.5010209@spbcas.ru> <1226411730.10160.501.camel@localhost.localdomain> <49199241.3090509@spbcas.ru> <1226418041.10160.503.camel@localhost.localdomain> <4919AAFD.7000403@spbcas.ru> <491A90B9.2070208@spbcas.ru> <491AEC0A.8080502@redhat.com> <491AF075.9000007@spbcas.ru> <491AF32F.1030705@redhat.com> <491BD672.8000000@spbcas.ru> Message-ID: <1226582272.10160.610.camel@localhost.localdomain> On Thu, 2008-11-13 at 10:25 +0300, Konstantin Kozlov wrote: > I did not from the beginning but when I did and restarted krb5kdc and > dirsrv nothing changed. My krb5.conf contains forwardable = no in two > places - libdefaults and appdefaults. Is that correct? 
No, without forwardable tickets you cannot successfully use the IPA Web UI or the CLI tools, they rely on the fact that the XML-RPC interface can use your forwarded ticket to contact the ldap server. Simo. -- Simo Sorce * Red Hat, Inc * New York From kozlov at spbcas.ru Thu Nov 13 14:03:08 2008 From: kozlov at spbcas.ru (Konstantin Kozlov) Date: Thu, 13 Nov 2008 17:03:08 +0300 Subject: [Freeipa-users] GSSAPI Failure In-Reply-To: <1226582272.10160.610.camel@localhost.localdomain> References: <49183CC4.6070209@spbcas.ru> <1226410657.10160.499.camel@localhost.localdomain> <49198DAF.5010209@spbcas.ru> <1226411730.10160.501.camel@localhost.localdomain> <49199241.3090509@spbcas.ru> <1226418041.10160.503.camel@localhost.localdomain> <4919AAFD.7000403@spbcas.ru> <491A90B9.2070208@spbcas.ru> <491AEC0A.8080502@redhat.com> <491AF075.9000007@spbcas.ru> <491AF32F.1030705@redhat.com> <491BD672.8000000@spbcas.ru> <1226582272.10160.610.camel@localhost.localdomain> Message-ID: <491C339C.70605@spbcas.ru> Simo Sorce wrote: > On Thu, 2008-11-13 at 10:25 +0300, Konstantin Kozlov wrote: >> I did not from the beginning but when I did and restarted krb5kdc and >> dirsrv nothing changed. My krb5.conf contains forwardable = no in two >> places - libdefaults and appdefaults. Is that correct? > > No, without forwardable tickets you cannot successfully use the IPA Web > UI or the CLI tools, they rely on the fact that the XML-RPC interface > can use your forwarded ticket to contact the ldap server. > > Simo. > Unfortunately it doesn't change my situation. So is it the dead end? -- Konstantin Kozlov Department of Computational Biology, Center for Advanced Studies, SPb State Polytechnical University, 195251, Polytechnicheskaya ul., 29, bld 4, office 204, St.Petersburg, Russia. 
Tel./fax: +7 812 596 2831

From ssorce at redhat.com Thu Nov 13 14:19:08 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 13 Nov 2008 09:19:08 -0500
Subject: [Freeipa-users] GSSAPI Failure
In-Reply-To: <491C339C.70605@spbcas.ru>
Message-ID: <1226585948.10160.615.camel@localhost.localdomain>

On Thu, 2008-11-13 at 17:03 +0300, Konstantin Kozlov wrote:
>
> Unfortunately it doesn't change my situation.
>
> So is it the dead end?

Have you done a kinit again after you changed it ?
What does klist -f show you ?

Simo.

From dpal at redhat.com Thu Nov 13 19:08:25 2008
From: dpal at redhat.com (Dmitri Pal)
Date: Thu, 13 Nov 2008 14:08:25 -0500
Subject: [Freeipa-users] Replication setup bug in freeIPA 1.1
Message-ID: <491C7B29.5080201@redhat.com>

Hello,

Development recently uncovered a bug in the way freeIPA v1.1 sets up
replication that would lead to data inconsistencies when there was a
single master and more than one replica. Data created on one replica
would appear on the master but would not appear on the other replica.
The bug will be fixed in freeIPA v1.2 which is expected to be ready
during next week.
The bug details can be found here:
https://bugzilla.redhat.com/show_bug.cgi?id=468732

Thank you,
Dmitri

From mackoel at gmail.com Fri Nov 14 04:29:33 2008
From: mackoel at gmail.com (Kozlov)
Date: Fri, 14 Nov 2008 07:29:33 +0300
Subject: [Freeipa-users] GSSAPI Failure
In-Reply-To: <1226585948.10160.615.camel@localhost.localdomain>
Message-ID: <491CFEAD.8010406@spbcas.ru>

Simo Sorce wrote:
> On Thu, 2008-11-13 at 17:03 +0300, Konstantin Kozlov wrote:
>> Unfortunately it doesn't change my situation.
>>
>> So is it the dead end?
>
> Have you done a kinit again after you changed it ?
> What does klist -f show you ?
>

Hello,

Thank you for not giving up Simo!
Here is the log:

[root@ipaserver ~]# klist -f
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@EXAMPLE.COM

Valid starting     Expires            Service principal
11/13/08 16:54:34  11/14/08 16:54:30  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        Flags: FIA
11/13/08 16:54:55  11/14/08 16:54:30  HTTP/ipaserver.example.com@EXAMPLE.COM
        Flags: FAT


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
[root@ipaserver ~]# ipa-finduser admin
Connection to database failed: Invalid credentials: SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context
[root@ipaserver ~]# ldapsearch -Y GSSAPI -b "dc=bio,dc=spbcas,dc=ru" uid admin
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
[root@ipaserver ~]# kdestroy
[root@ipaserver ~]# kinit admin
Password for admin@EXAMPLE.COM:
[root@ipaserver ~]# klist -f
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@EXAMPLE.COM

Valid starting     Expires            Service principal
11/14/08 07:23:02  11/15/08 07:22:58  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        Flags: FIA


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
[root@ipaserver ~]# ipa-finduser admin
Connection to database failed: Invalid credentials: SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context
[root@ipaserver ~]# ldapsearch -Y GSSAPI -b "dc=example,dc=com" uid admin
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)

Can it be a hardware related problem? The machine is rather old - HP
NetServer Pentium 3, 500 GHz, 512 MB.
Kostya

From ssorce at redhat.com Fri Nov 14 05:05:21 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 14 Nov 2008 00:05:21 -0500
Subject: [Freeipa-users] GSSAPI Failure
In-Reply-To: <491CFEAD.8010406@spbcas.ru>
Message-ID: <1226639121.32715.21.camel@localhost.localdomain>

On Fri, 2008-11-14 at 07:29 +0300, Kozlov wrote:
> Simo Sorce wrote:
> > On Thu, 2008-11-13 at 17:03 +0300, Konstantin Kozlov wrote:
> >> Unfortunately it doesn't change my situation.
> >>
> >> So is it the dead end?
> >
> > Have you done a kinit again after you changed it ?
> > What does klist -f show you ?
> >
>
> Hello,
>
> Thank you for not giving up Simo!
>
> Here is the log:
>
> [root@ipaserver ~]# klist -f
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: admin@EXAMPLE.COM
>
> Valid starting     Expires            Service principal
> 11/13/08 16:54:34  11/14/08 16:54:30  krbtgt/EXAMPLE.COM@EXAMPLE.COM
>         Flags: FIA
> 11/13/08 16:54:55  11/14/08 16:54:30  HTTP/ipaserver.example.com@EXAMPLE.COM
>         Flags: FAT
>
>
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
> [root@ipaserver ~]# ipa-finduser admin
> Connection to database failed: Invalid credentials: SASL(-13):
> authentication failure: GSSAPI Failure: gss_accept_sec_context
> [root@ipaserver ~]# ldapsearch -Y GSSAPI -b "dc=bio,dc=spbcas,dc=ru" uid
> admin
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Invalid credentials (49)
> [root@ipaserver ~]# kdestroy
> [root@ipaserver ~]# kinit admin
> Password for admin@EXAMPLE.COM:
> [root@ipaserver ~]# klist -f
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: admin@EXAMPLE.COM
>
> Valid starting     Expires            Service principal
> 11/14/08 07:23:02  11/15/08 07:22:58  krbtgt/EXAMPLE.COM@EXAMPLE.COM
>         Flags: FIA
>
>
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
> [root@ipaserver ~]# ipa-finduser admin
> Connection to database failed: Invalid credentials: SASL(-13):
> authentication failure: GSSAPI Failure: gss_accept_sec_context
> [root@ipaserver ~]# ldapsearch -Y GSSAPI -b "dc=example,dc=com" uid admin
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Invalid credentials (49)
>
> Can it be a hardware related problem? The machine is rather old - HP
> NetServer Pentium 3, 500 GHz, 512 MB.

Ok I think I know what it is if you are really using EXAMPLE.COM
Before freeipa 1.2.0 we were not changing krb5.conf if the realm name
used was EXAMPLE.COM (ie the default example).

Can you post your server and client krb5.conf files ?
Otherwise you can also try rebuilding your IPA server using a different
realm name than EXAMPLE.COM

Simo.

From kozlov at spbcas.ru Fri Nov 14 06:04:17 2008
From: kozlov at spbcas.ru (Konstantin Kozlov)
Date: Fri, 14 Nov 2008 09:04:17 +0300
Subject: [Freeipa-users] GSSAPI Failure
In-Reply-To: <1226639121.32715.21.camel@localhost.localdomain>
Message-ID: <491D14E1.6090000@spbcas.ru>

Hello,

no, I am not using EXAMPLE.COM

Is ipa 1.2 usable on fedora or centos?
server krb5.conf:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = BIO.SPBCAS.RU
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 BIO.SPBCAS.RU = {
  kdc = hedgehog.bio.spbcas.ru:88
  admin_server = hedgehog.bio.spbcas.ru:749
  default_domain = bio.spbcas.ru
 }

[domain_realm]
 .bio.spbcas.ru = BIO.SPBCAS.RU
 bio.spbcas.ru = BIO.SPBCAS.RU

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = yes
  krb4_convert = false
 }

[dbmodules]
 BIO.SPBCAS.RU = {
  db_library = kldap
  ldap_servers = ldap://127.0.0.1/
  ldap_kerberos_container_dn = cn=kerberos,dc=bio,dc=spbcas,dc=ru
  ldap_kdc_dn = uid=kdc,cn=sysaccounts,cn=etc,dc=bio,dc=spbcas,dc=ru
  ldap_kadmind_dn = uid=kdc,cn=sysaccounts,cn=etc,dc=bio,dc=spbcas,dc=ru
  ldap_service_password_file = /var/kerberos/krb5kdc/ldappwd
 }

Client krb5.conf:

#File modified by ipa-client-install

[libdefaults]
 default_realm = BIO.SPBCAS.RU
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 forwardable = yes

[domain_realm]
 .bio.spbcas.ru = BIO.SPBCAS.RU
 bio.spbcas.ru = BIO.SPBCAS.RU

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }

NTP, DNS and DHCP are on another server, they were set up a lot earlier
and working.

Does the ldapsearch error indicate that FDS fails and not IPA?

Kostya

Simo Sorce wrote:
> On Fri, 2008-11-14 at 07:29 +0300, Kozlov wrote:
>> Simo Sorce wrote:
>>> On Thu, 2008-11-13 at 17:03 +0300, Konstantin Kozlov wrote:
>>>> Unfortunately it doesn't change my situation.
>>>>
>>>> So is it the dead end?
>>> Have you done a kinit again after you changed it ?
>>> What does klist -f show you ?
>>>
>> Hello,
>>
>> Thank you for not giving up Simo!
>>
>> Here is the log:
>>
>> [root@ipaserver ~]# klist -f
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: admin@EXAMPLE.COM
>>
>> Valid starting     Expires            Service principal
>> 11/13/08 16:54:34  11/14/08 16:54:30  krbtgt/EXAMPLE.COM@EXAMPLE.COM
>>         Flags: FIA
>> 11/13/08 16:54:55  11/14/08 16:54:30  HTTP/ipaserver.example.com@EXAMPLE.COM
>>         Flags: FAT
>>
>>
>> Kerberos 4 ticket cache: /tmp/tkt0
>> klist: You have no tickets cached
>> [root@ipaserver ~]# ipa-finduser admin
>> Connection to database failed: Invalid credentials: SASL(-13):
>> authentication failure: GSSAPI Failure: gss_accept_sec_context
>> [root@ipaserver ~]# ldapsearch -Y GSSAPI -b "dc=bio,dc=spbcas,dc=ru" uid
>> admin
>> SASL/GSSAPI authentication started
>> ldap_sasl_interactive_bind_s: Invalid credentials (49)
>> [root@ipaserver ~]# kdestroy
>> [root@ipaserver ~]# kinit admin
>> Password for admin@EXAMPLE.COM:
>> [root@ipaserver ~]# klist -f
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: admin@EXAMPLE.COM
>>
>> Valid starting     Expires            Service principal
>> 11/14/08 07:23:02  11/15/08 07:22:58  krbtgt/EXAMPLE.COM@EXAMPLE.COM
>>         Flags: FIA
>>
>>
>> Kerberos 4 ticket cache: /tmp/tkt0
>> klist: You have no tickets cached
>> [root@ipaserver ~]# ipa-finduser admin
>> Connection to database failed: Invalid credentials: SASL(-13):
>> authentication failure: GSSAPI Failure: gss_accept_sec_context
>> [root@ipaserver ~]# ldapsearch -Y GSSAPI -b "dc=example,dc=com" uid admin
>> SASL/GSSAPI authentication started
>> ldap_sasl_interactive_bind_s: Invalid credentials (49)
>>
>> Can it be a hardware related problem? The machine is rather old - HP
>> NetServer Pentium 3, 500 GHz, 512 MB.
>
> Ok I think I know what it is if you are really using EXAMPLE.COM
> Before freeipa 1.2.0 we were not changing krb5.conf if the realm name
> used was EXAMPLE.COM (ie the default example).
>
> Can you post your server and client krb5.conf files ?
>
> Otherwise you can also try rebuilding your IPA server using a different
> realm name than EXAMPLE.COM
>
> Simo.
>

From dpal at redhat.com Fri Nov 14 07:18:18 2008
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 14 Nov 2008 02:18:18 -0500
Subject: [Freeipa-users] GSSAPI Failure
In-Reply-To: <491D14E1.6090000@spbcas.ru>
Message-ID: <491D263A.4080404@redhat.com>

It seems you have a mismatch between how the kerberos server thinks
about itself and what the client thinks about it.
The fact that you have ticket against EXAMPLE.COM makes me think that
the server thinks about itself as example.com.

But I am not a specialist. Just trying to understand this myself, so
sorry if this observation won't be correct or helpful.

Thanks
Dmitri

Konstantin Kozlov wrote:
> Hello,
>
> no, I am not using EXAMPLE.COM
>
> Is ipa 1.2 usable on fedora or centos?
>
> server krb5.conf:
>
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
>  default_realm = BIO.SPBCAS.RU
>  dns_lookup_realm = true
>  dns_lookup_kdc = true
>  ticket_lifetime = 24h
>  forwardable = yes
>
> [realms]
>  BIO.SPBCAS.RU = {
>   kdc = hedgehog.bio.spbcas.ru:88
>   admin_server = hedgehog.bio.spbcas.ru:749
>   default_domain = bio.spbcas.ru
>  }
>
> [domain_realm]
>  .bio.spbcas.ru = BIO.SPBCAS.RU
>  bio.spbcas.ru = BIO.SPBCAS.RU
>
> [appdefaults]
>  pam = {
>   debug = false
>   ticket_lifetime = 36000
>   renew_lifetime = 36000
>   forwardable = yes
>   krb4_convert = false
>  }
>
> [dbmodules]
>  BIO.SPBCAS.RU = {
>   db_library = kldap
>   ldap_servers = ldap://127.0.0.1/
>   ldap_kerberos_container_dn = cn=kerberos,dc=bio,dc=spbcas,dc=ru
>   ldap_kdc_dn = uid=kdc,cn=sysaccounts,cn=etc,dc=bio,dc=spbcas,dc=ru
>   ldap_kadmind_dn = uid=kdc,cn=sysaccounts,cn=etc,dc=bio,dc=spbcas,dc=ru
>   ldap_service_password_file = /var/kerberos/krb5kdc/ldappwd
>  }
>
> Client krb5.conf:
>
> #File modified by ipa-client-install
>
> [libdefaults]
>  default_realm = BIO.SPBCAS.RU
>  dns_lookup_realm = true
>  dns_lookup_kdc = true
>  ticket_lifetime = 24h
>  forwardable = yes
>
> [domain_realm]
>  .bio.spbcas.ru = BIO.SPBCAS.RU
>  bio.spbcas.ru = BIO.SPBCAS.RU
>
> [appdefaults]
>  pam = {
>   debug = false
>   ticket_lifetime = 36000
>   renew_lifetime = 36000
>   forwardable = true
>   krb4_convert = false
>  }
>
> NTP, DNS and DHCP are on another server, they were set up a lot earlier
> and working.
>
> Does the ldapsearch error indicate that FDS fails and not IPA?
>
> Kostya
>
> Simo Sorce wrote:
>> On Fri, 2008-11-14 at 07:29 +0300, Kozlov wrote:
>>> Simo Sorce wrote:
>>>> On Thu, 2008-11-13 at 17:03 +0300, Konstantin Kozlov wrote:
>>>>> Unfortunately it doesn't change my situation.
>>>>>
>>>>> So is it the dead end?
>>>> Have you done a kinit again after you changed it ?
>>>> What does klist -f show you ?
>>>>
>>> Hello,
>>>
>>> Thank you for not giving up Simo!
>>>
>>> Here is the log:
>>>
>>> [root@ipaserver ~]# klist -f
>>> Ticket cache: FILE:/tmp/krb5cc_0
>>> Default principal: admin@EXAMPLE.COM
>>>
>>> Valid starting     Expires            Service principal
>>> 11/13/08 16:54:34  11/14/08 16:54:30  krbtgt/EXAMPLE.COM@EXAMPLE.COM
>>>         Flags: FIA
>>> 11/13/08 16:54:55  11/14/08 16:54:30
>>> HTTP/ipaserver.example.com@EXAMPLE.COM
>>>         Flags: FAT
>>>
>>>
>>> Kerberos 4 ticket cache: /tmp/tkt0
>>> klist: You have no tickets cached
>>> [root@ipaserver ~]# ipa-finduser admin
>>> Connection to database failed: Invalid credentials: SASL(-13):
>>> authentication failure: GSSAPI Failure: gss_accept_sec_context
>>> [root@ipaserver ~]# ldapsearch -Y GSSAPI -b "dc=bio,dc=spbcas,dc=ru"
>>> uid admin
>>> SASL/GSSAPI authentication started
>>> ldap_sasl_interactive_bind_s: Invalid credentials (49)
>>> [root@ipaserver ~]# kdestroy
>>> [root@ipaserver ~]# kinit admin
>>> Password for admin@EXAMPLE.COM:
>>> [root@ipaserver ~]# klist -f
>>> Ticket cache: FILE:/tmp/krb5cc_0
>>> Default principal: admin@EXAMPLE.COM
>>>
>>> Valid starting     Expires            Service principal
>>> 11/14/08 07:23:02  11/15/08 07:22:58  krbtgt/EXAMPLE.COM@EXAMPLE.COM
>>>         Flags: FIA
>>>
>>>
>>> Kerberos 4 ticket cache: /tmp/tkt0
>>> klist: You have no tickets cached
>>> [root@ipaserver ~]# ipa-finduser admin
>>> Connection to database failed: Invalid credentials: SASL(-13):
>>> authentication failure: GSSAPI Failure: gss_accept_sec_context
>>> [root@ipaserver ~]# ldapsearch -Y GSSAPI -b "dc=example,dc=com" uid
>>> admin
>>> SASL/GSSAPI authentication started
>>> ldap_sasl_interactive_bind_s: Invalid credentials (49)
>>>
>>> Can it be a hardware related problem? The machine is rather old - HP
>>> NetServer Pentium 3, 500 GHz, 512 MB.
>>
>> Ok I think I know what it is if you are really using EXAMPLE.COM
>> Before freeipa 1.2.0 we were not changing krb5.conf if the realm name
>> used was EXAMPLE.COM (ie the default example).
>>
>> Can you post your server and client krb5.conf files ?
>>
>> Otherwise you can also try rebuilding your IPA server using a different
>> realm name than EXAMPLE.COM
>>
>> Simo.
>>
>

From kozlov at spbcas.ru Fri Nov 14 07:40:45 2008
From: kozlov at spbcas.ru (Konstantin Kozlov)
Date: Fri, 14 Nov 2008 10:40:45 +0300
Subject: [Freeipa-users] GSSAPI Failure
In-Reply-To: <491D263A.4080404@redhat.com>
Message-ID: <491D2B7D.5060901@spbcas.ru>

Hello,

Dmitri, thanks for reply. I don't have EXAMPLE.COM, I changed the domain
to this value in the posts to be consistent with different examples. The
domain is BIO.SPBCAS.RU everywhere it should be.

Kostya

Dmitri Pal wrote:
> It seems you have a mismatch between how the kerberos server thinks
> about itself and what the client thinks about it.
> The fact that you have ticket against EXAMPLE.COM makes me think that
> the server thinks about itself as example.com.
>
> But I am not a specialist. Just trying to understand this myself, so
> sorry if this observation won't be correct or helpful.
> Thanks
> Dmitri
>
> Konstantin Kozlov wrote:
>> Hello,
>>
>> no, I am not using EXAMPLE.COM
>>
>> Is ipa 1.2 usable on fedora or centos?
>>
>> server krb5.conf:
>>
>> [logging]
>>  default = FILE:/var/log/krb5libs.log
>>  kdc = FILE:/var/log/krb5kdc.log
>>  admin_server = FILE:/var/log/kadmind.log
>>
>> [libdefaults]
>>  default_realm = BIO.SPBCAS.RU
>>  dns_lookup_realm = true
>>  dns_lookup_kdc = true
>>  ticket_lifetime = 24h
>>  forwardable = yes
>>
>> [realms]
>>  BIO.SPBCAS.RU = {
>>   kdc = hedgehog.bio.spbcas.ru:88
>>   admin_server = hedgehog.bio.spbcas.ru:749
>>   default_domain = bio.spbcas.ru
>>  }
>>
>> [domain_realm]
>>  .bio.spbcas.ru = BIO.SPBCAS.RU
>>  bio.spbcas.ru = BIO.SPBCAS.RU
>>
>> [appdefaults]
>>  pam = {
>>   debug = false
>>   ticket_lifetime = 36000
>>   renew_lifetime = 36000
>>   forwardable = yes
>>   krb4_convert = false
>>  }
>>
>> [dbmodules]
>>  BIO.SPBCAS.RU = {
>>   db_library = kldap
>>   ldap_servers = ldap://127.0.0.1/
>>   ldap_kerberos_container_dn = cn=kerberos,dc=bio,dc=spbcas,dc=ru
>>   ldap_kdc_dn = uid=kdc,cn=sysaccounts,cn=etc,dc=bio,dc=spbcas,dc=ru
>>   ldap_kadmind_dn = uid=kdc,cn=sysaccounts,cn=etc,dc=bio,dc=spbcas,dc=ru
>>   ldap_service_password_file = /var/kerberos/krb5kdc/ldappwd
>>  }
>>
>> Client krb5.conf:
>>
>> #File modified by ipa-client-install
>>
>> [libdefaults]
>>  default_realm = BIO.SPBCAS.RU
>>  dns_lookup_realm = true
>>  dns_lookup_kdc = true
>>  ticket_lifetime = 24h
>>  forwardable = yes
>>
>> [domain_realm]
>>  .bio.spbcas.ru = BIO.SPBCAS.RU
>>  bio.spbcas.ru = BIO.SPBCAS.RU
>>
>> [appdefaults]
>>  pam = {
>>   debug = false
>>   ticket_lifetime = 36000
>>   renew_lifetime = 36000
>>   forwardable = true
>>   krb4_convert = false
>>  }
>>
>> NTP, DNS and DHCP are on another server, they were set up a lot earlier
>> and working.
>>
>> Does the ldapsearch error indicate that FDS fails and not IPA?
>>
>> Kostya
>>
>> Simo Sorce wrote:
>>> On Fri, 2008-11-14 at 07:29 +0300, Kozlov wrote:
>>>> Simo Sorce wrote:
>>>>> On Thu, 2008-11-13 at 17:03 +0300, Konstantin Kozlov wrote:
>>>>>> Unfortunately it doesn't change my situation.
>>>>>>
>>>>>> So is it the dead end?
>>>>> Have you done a kinit again after you changed it ?
>>>>> What does klist -f show you ?
>>>>>
>>>> Hello,
>>>>
>>>> Thank you for not giving up Simo!
>>>>
>>>> Here is the log:
>>>>
>>>> [root@ipaserver ~]# klist -f
>>>> Ticket cache: FILE:/tmp/krb5cc_0
>>>> Default principal: admin@EXAMPLE.COM
>>>>
>>>> Valid starting     Expires            Service principal
>>>> 11/13/08 16:54:34  11/14/08 16:54:30  krbtgt/EXAMPLE.COM@EXAMPLE.COM
>>>>         Flags: FIA
>>>> 11/13/08 16:54:55  11/14/08 16:54:30
>>>> HTTP/ipaserver.example.com@EXAMPLE.COM
>>>>         Flags: FAT
>>>>
>>>>
>>>> Kerberos 4 ticket cache: /tmp/tkt0
>>>> klist: You have no tickets cached
>>>> [root@ipaserver ~]# ipa-finduser admin
>>>> Connection to database failed: Invalid credentials: SASL(-13):
>>>> authentication failure: GSSAPI Failure: gss_accept_sec_context
>>>> [root@ipaserver ~]# ldapsearch -Y GSSAPI -b "dc=bio,dc=spbcas,dc=ru"
>>>> uid admin
>>>> SASL/GSSAPI authentication started
>>>> ldap_sasl_interactive_bind_s: Invalid credentials (49)
>>>> [root@ipaserver ~]# kdestroy
>>>> [root@ipaserver ~]# kinit admin
>>>> Password for admin@EXAMPLE.COM:
>>>> [root@ipaserver ~]# klist -f
>>>> Ticket cache: FILE:/tmp/krb5cc_0
>>>> Default principal: admin@EXAMPLE.COM
>>>>
>>>> Valid starting     Expires            Service principal
>>>> 11/14/08 07:23:02  11/15/08 07:22:58  krbtgt/EXAMPLE.COM@EXAMPLE.COM
>>>>         Flags: FIA
>>>>
>>>>
>>>> Kerberos 4 ticket cache: /tmp/tkt0
>>>> klist: You have no tickets cached
>>>> [root@ipaserver ~]# ipa-finduser admin
>>>> Connection to database failed: Invalid credentials: SASL(-13):
>>>> authentication failure: GSSAPI Failure: gss_accept_sec_context
>>>> [root@ipaserver ~]# ldapsearch -Y GSSAPI -b "dc=example,dc=com" uid
>>>> admin
>>>> SASL/GSSAPI authentication started
>>>> ldap_sasl_interactive_bind_s: Invalid credentials (49)
>>>>
>>>> Can it be a hardware related problem? The machine is rather old - HP
>>>> NetServer Pentium 3, 500 GHz, 512 MB.
>>>
>>> Ok I think I know what it is if you are really using EXAMPLE.COM
>>> Before freeipa 1.2.0 we were not changing krb5.conf if the realm name
>>> used was EXAMPLE.COM (ie the default example).
>>>
>>> Can you post your server and client krb5.conf files ?
>>>
>>> Otherwise you can also try rebuilding your IPA server using a different
>>> realm name than EXAMPLE.COM
>>>
>>> Simo.
>>>
>>
>
>

From ssorce at redhat.com Fri Nov 14 13:10:01 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 14 Nov 2008 13:10:01 +0000
Subject: [Freeipa-users] GSSAPI Failure
In-Reply-To: <491D14E1.6090000@spbcas.ru>
Message-ID: <1226668201.32715.28.camel@localhost.localdomain>

On Fri, 2008-11-14 at 09:04 +0300, Konstantin Kozlov wrote:
>
> NTP, DNS and DHCP are on another server, they were set up a lot
> earlier
> and working.
>
> Does the ldapsearch error indicate that FDS fails and not IPA?

No the failure means that the kdc used and the ldap keytab are not in
sync.

Have you tried to manually create a keytab for
ldap/hedgehog.bio.spbcas.ru@BIO.SPBCAS.RU by chance and/or trying to get
a keytab for this principal with ipa-getkeytab ?

Simo.

From kozlov at spbcas.ru Fri Nov 14 13:19:29 2008
From: kozlov at spbcas.ru (Konstantin Kozlov)
Date: Fri, 14 Nov 2008 16:19:29 +0300
Subject: [Freeipa-users] GSSAPI Failure
In-Reply-To: <1226668201.32715.28.camel@localhost.localdomain>
Message-ID: <491D7AE1.6060002@spbcas.ru>

Simo Sorce wrote:
> On Fri, 2008-11-14 at 09:04 +0300, Konstantin Kozlov wrote:
>> NTP, DNS and DHCP are on another server, they were set up a lot
>> earlier
>> and working.
>>
>> Does the ldapsearch error indicate that FDS fails and not IPA?
>
> No the failure means that the kdc used and the ldap keytab are not in
> sync.
>
> Have you tried to manually create a keytab for
> ldap/hedgehog.bio.spbcas.ru@BIO.SPBCAS.RU by chance and/or trying to get
> a keytab for this principal with ipa-getkeytab ?
>
> Simo.
>

Yes, I did that. Can it be the problem? Should I remove it? How?
From ssorce at redhat.com Fri Nov 14 13:25:42 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 14 Nov 2008 08:25:42 -0500
Subject: [Freeipa-users] GSSAPI Failure
In-Reply-To: <491D7AE1.6060002@spbcas.ru>
Message-ID: <1226669142.32715.43.camel@localhost.localdomain>

On Fri, 2008-11-14 at 16:19 +0300, Konstantin Kozlov wrote:
> Simo Sorce wrote:
> > On Fri, 2008-11-14 at 09:04 +0300, Konstantin Kozlov wrote:
> >> NTP, DNS and DHCP are on another server, they were set up a lot
> >> earlier
> >> and working.
> >>
> >> Does the ldapsearch error indicate that FDS fails and not IPA?
> >
> > No the failure means that the kdc used and the ldap keytab are not in
> > sync.
> >
> > Have you tried to manually create a keytab for
> > ldap/hedgehog.bio.spbcas.ru@BIO.SPBCAS.RU by chance and/or trying to get
> > a keytab for this principal with ipa-getkeytab ?
> >
> > Simo.
> >
>
> Yes, I did that. Can it be the problem? Should I remove it? How?

Yes, you basically cleared the secret ldap has and didn't tell it.
You should *never* do that for the IPA server.

If you created that principal with ipa-addservice, remove it, we already
have a special entry in the kerberos part of the tree. That might be
enough, otherwise you will have to reset the key again and store the new
contents in the ds.keytab

Simo.

From kozlov at spbcas.ru Fri Nov 14 13:40:01 2008
From: kozlov at spbcas.ru (Konstantin Kozlov)
Date: Fri, 14 Nov 2008 16:40:01 +0300
Subject: [Freeipa-users] GSSAPI Failure
In-Reply-To: <1226669142.32715.43.camel@localhost.localdomain>
Message-ID: <491D7FB1.5070308@spbcas.ru>

Simo Sorce wrote:
> On Fri, 2008-11-14 at 16:19 +0300, Konstantin Kozlov wrote:
>> Simo Sorce wrote:
>>> On Fri, 2008-11-14 at 09:04 +0300, Konstantin Kozlov wrote:
>>>> NTP, DNS and DHCP are on another server, they were set up a lot
>>>> earlier
>>>> and working.
>>>>
>>>> Does the ldapsearch error indicate that FDS fails and not IPA?
>>> No the failure means that the kdc used and the ldap keytab are not in
>>> sync.
>>>
>>> Have you tried to manually create a keytab for
>>> ldap/hedgehog.bio.spbcas.ru@BIO.SPBCAS.RU by chance and/or trying to get
>>> a keytab for this principal with ipa-getkeytab ?
>>>
>>> Simo.
>>>
>> Yes, I did that. Can it be the problem? Should I remove it? How?
>
> Yes, you basically cleared the secret ldap has and didn't tell it.
> You should *never* do that for the IPA server.
>

OK, I got it. Can it be put in some place on documentation part of ipa
project?

> If you created that principal with ipa-addservice, remove it, we already
> have a special entry in the kerberos part of the tree. That might be
> enough, otherwise you will have to reset the key again and store the new
> contents in the ds.keytab
>

I tried to remove it with kadmin.local but it didn't help. What is the
proper way to do that given that ipa-tools do not work?

Kostya

From ssorce at redhat.com Fri Nov 14 13:42:18 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 14 Nov 2008 08:42:18 -0500
Subject: [Freeipa-users] GSSAPI Failure
In-Reply-To: <491D7FB1.5070308@spbcas.ru>
Message-ID: <1226670138.32715.45.camel@localhost.localdomain>

On Fri, 2008-11-14 at 16:40 +0300, Konstantin Kozlov wrote:
>
> I tried to remove it with kadmin.local but it didn't help. What is the
> proper way to do that given that ipa-tools do not work?

Use ldapdelete with Directory Manager credentials.
You have to remove the one in cn=services, NOT the one in cn=kerberos.

Simo.

From kozlov at spbcas.ru Fri Nov 14 14:11:38 2008
From: kozlov at spbcas.ru (Konstantin Kozlov)
Date: Fri, 14 Nov 2008 17:11:38 +0300
Subject: [Freeipa-users] GSSAPI Failure
In-Reply-To: <1226670138.32715.45.camel@localhost.localdomain>
Message-ID: <491D871A.8050902@spbcas.ru>

Simo Sorce wrote:
> On Fri, 2008-11-14 at 16:40 +0300, Konstantin Kozlov wrote:
>> I tried to remove it with kadmin.local but it didn't help. What is the
>> proper way to do that given that ipa-tools do not work?
>
> Use ldapdelete with Directory Manager credentials.
> You have to remove the one in cn=services, NOT the one in cn=kerberos.
> I don't have it in ldap - only this under cn-kerberos: dn: krbprincipalname=ldap/hedgehog.bio.spbcas.ru at BIO.SPBCAS.RU,cn=BIO.SPBCAS.R U,cn=kerberos,dc=bio,dc=spbcas,dc=ru krbTicketFlags: 0 krbPrincipalName: ldap/hedgehog.bio.spbcas.ru at BIO.SPBCAS.RU krbLastPwdChange: 20081114133612Z krbExtraData:: AALMfh1JYWRtaW4vYWRtaW5AQklPLlNQQkNBUy5SVQA= objectClass: krbprincipal objectClass: krbprincipalaux objectClass: krbTicketPolicyAux objectClass: top krbPasswordExpiration: 19700101000000Z I suppose its not that. Kostya From ssorce at redhat.com Fri Nov 14 14:33:00 2008 From: ssorce at redhat.com (Simo Sorce) Date: Fri, 14 Nov 2008 09:33:00 -0500 Subject: [Freeipa-users] GSSAPI Failure In-Reply-To: <491D871A.8050902@spbcas.ru> References: <49183CC4.6070209@spbcas.ru> <1226410657.10160.499.camel@localhost.localdomain> <49198DAF.5010209@spbcas.ru> <1226411730.10160.501.camel@localhost.localdomain> <49199241.3090509@spbcas.ru> <1226418041.10160.503.camel@localhost.localdomain> <4919AAFD.7000403@spbcas.ru> <491A90B9.2070208@spbcas.ru> <491AEC0A.8080502@redhat.com> <491AF075.9000007@spbcas.ru> <491AF32F.1030705@redhat.com> <491BD672.8000000@spbcas.ru> <1226582272.10160.610.camel@localhost.localdomain> <491C339C.70605@spbcas.ru> <1226585948.10160.615.camel@localhost.localdomain> <491CFEAD.8010406@spbcas.ru> <1226639121.32715.21.camel@localhost.localdomain> <491D14E1.6090000@spbcas.ru> <1226668201.32715.28.camel@localhost.localdomain> <491D7AE1.6060002@spbcas.ru> <1226669142.32715.43.camel@localhost.localdomain> <491D7FB1.5070308@spbcas.ru> <1226670138.32715.45.camel@localhost.localdomain> <491D871A.8050902@spbcas.ru> Message-ID: <1226673180.32715.53.camel@localhost.localdomain> On Fri, 2008-11-14 at 17:11 +0300, Konstantin Kozlov wrote: > Simo Sorce wrote: > > On Fri, 2008-11-14 at 16:40 +0300, Konstantin Kozlov wrote: > >> I tried to remove it with ktadmin.local but it didn't help. What is > >> proper way to do that given that ipa-tools do not work? 
> > > > Use ldapdelete with Directory Manager credentials. > > You have to remoce the one in cn=services, NOT the one in cn=kerberos. > > > > I don't have it in ldap - only this under cn-kerberos: > > > > dn: > krbprincipalname=ldap/hedgehog.bio.spbcas.ru at BIO.SPBCAS.RU,cn=BIO.SPBCAS.R > U,cn=kerberos,dc=bio,dc=spbcas,dc=ru > krbTicketFlags: 0 > krbPrincipalName: ldap/hedgehog.bio.spbcas.ru at BIO.SPBCAS.RU > krbLastPwdChange: 20081114133612Z > krbExtraData:: AALMfh1JYWRtaW4vYWRtaW5AQklPLlNQQkNBUy5SVQA= > objectClass: krbprincipal > objectClass: krbprincipalaux > objectClass: krbTicketPolicyAux > objectClass: top > krbPasswordExpiration: 19700101000000Z > > I suppose its not that. As a last resort you can generate a new secret using kadmin.local and make sure it is stored in ds.keytab, then restart directory server. Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Fri Nov 14 17:15:24 2008 From: ssorce at redhat.com (Simo Sorce) Date: Fri, 14 Nov 2008 12:15:24 -0500 Subject: [Freeipa-users] FreeIPA 1.2 Released Message-ID: <1226682924.32715.105.camel@localhost.localdomain> The FreeIPA Project (http://freeipa.org) is proud to present FreeIPA version 1.2. FreeIPA is an integrated security information management solution combining Linux (Fedora), Fedora Directory Server, MIT Kerberos and NTP. FreeIPA binds together a number of technologies and adds a web interface and command-line administration tools. Currently it supports identity management with plans to support policy and auditing management. This is primarily a bugfix release and contains many improvements especially in the area of replication. With version 1.2 we finally introduced the ability to do some basic synchronization with a Windows Active Directory domain. However, for now, only users and passwords can be synchronized. A serious bug in the setup scripts generated incorrect replication agreements. This bug caused replication issues in setups with more than 2 IPA servers. 
This bug is now fixed; if you intend to deploy more than 2 IPA servers, you should use this release.

The complete source code is available for download here:
http://www.freeipa.org/page/Downloads

FreeIPA 1.2 is available in Fedora 9 and will be available in Fedora 10.

Have Fun!
The FreeIPA Project Team.

-- 
Simo Sorce * Red Hat, Inc * New York

From robert at marcanoonline.com Sun Nov 16 19:11:21 2008
From: robert at marcanoonline.com (Robert Marcano)
Date: Sun, 16 Nov 2008 14:41:21 -0430
Subject: [Freeipa-users] Re: kadmin help when using LDAP db (MIT kerberos)
In-Reply-To: <1226682767.32715.102.camel@localhost.localdomain>
References: <1226681790.3491.15.camel@localhost.localdomain> <1226682767.32715.102.camel@localhost.localdomain>
Message-ID: <1226862681.3432.12.camel@localhost.localdomain>

On Fri, 2008-11-14 at 12:12 -0500, Simo Sorce wrote:
> On Fri, 2008-11-14 at 12:26 -0430, Robert Marcano wrote:
> > I am relatively new to kerberos, and as part of the installation of
> > freeipa, I am writing a script to be used by Samba for password changes.
> > I read about kadmin.local but the man pages say
> >
> > "If the database is LDAP, kadmin.local need not be run on the KDC."
> >
> > so I am unable to use it instead of kadmin that requires a password that
> > I do not understand very well how to supply. The first time I started the
> > kadmin service on a CentOS server, it says it was adding a few
> > principals with these two commands
> >
> >
> > /usr/kerberos/sbin/kadmin.local ${KRB5REALM:+-r $KRB5REALM} -q "ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/admin${KRB5REALM:+@$KRB5REALM} kadmin/changepw${KRB5REALM:+@$KRB5REALM}"
> > /usr/kerberos/sbin/kadmin.local ${KRB5REALM:+-r $KRB5REALM} -q "ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/`hostname`${KRB5REALM:+@$KRB5REALM}" 2> /dev/null && success
>
> If you read freeipa documentation you will see that using kadmin or
> kadmin.local is discouraged if you do not know exactly what you are
> doing.

Umm. Maybe the freeipa installer script must call "chkconfig --del kadmin" and move it out of init.d; maybe I will not be the only one that will miss that part of the documentation :-(, because just starting the kadmin server, the ipa installation will break

> > This immediately disabled the usage of kpasswd (unable to find KDC
> > error) or kinit with an expired password
>
> Yes you reset the secret and did not update the keytab file that
> ipa_kpasswd uses.
>
> > how can I use the network version of kadmin in order to change a user
> > password? which principal can I use with the right privileges:
>
> At this stage you cannot use kadmind with Freeipa, you can use kpasswd,
> ipa-passwd, ldappasswd, and recently also ipa-getkeytab

kpasswd requires knowing the current password (can not be used in a samba password sync script)

ipa-passwd requires knowing the current password or using admin, and when using admin the password is set as expired (can not be used in a samba password sync either)

ldappasswd works... thanks (needs some polishing to remove the credentials from the command line)

/usr/lib64/mozldap/ldappasswd -D "cn=Directory Manager" -w [password] -P /etc/dirsrv/slapd-[instance]/cert8.db -s [newpassword] uid=test,cn=users,cn=accounts,dc=example,dc=com

I needed the script because the samba "ldap passwd sync" option is not working on my setup. It says the password is changed, but it only changes the samba password (no errors)

I added a little patch to freeipa in order to update sambaPwdLastSet in the DS plugin code (ipa_pwd_extop.c), see attachment

>
> I'd suggest you use freeipa-users at redhat.com if you have freeipa related
> questions.
>
> Simo.
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-samba-pwd-last-set.patch
Type: text/x-patch
Size: 1051 bytes
Desc: not available
URL: 

From ssorce at redhat.com Sun Nov 16 21:58:36 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Sun, 16 Nov 2008 16:58:36 -0500
Subject: [Freeipa-users] Re: kadmin help when using LDAP db (MIT kerberos)
In-Reply-To: <1226862681.3432.12.camel@localhost.localdomain>
References: <1226681790.3491.15.camel@localhost.localdomain> <1226682767.32715.102.camel@localhost.localdomain> <1226862681.3432.12.camel@localhost.localdomain>
Message-ID: <1226872716.32715.132.camel@localhost.localdomain>

On Sun, 2008-11-16 at 14:41 -0430, Robert Marcano wrote:
> On Fri, 2008-11-14 at 12:12 -0500, Simo Sorce wrote:
> > On Fri, 2008-11-14 at 12:26 -0430, Robert Marcano wrote:
> > > I am relatively new to kerberos, and as part of the installation of
> > > freeipa, I am writing a script to be used by Samba for password changes.
> > > I read about kadmin.local but the man pages say
> > >
> > > "If the database is LDAP, kadmin.local need not be run on the KDC."
> > >
> > > so I am unable to use it instead of kadmin that requires a password that
> > > I do not understand very well how to supply. The first time I started the
> > > kadmin service on a CentOS server, it says it was adding a few
> > > principals with these two commands
> > >
> > >
> > > /usr/kerberos/sbin/kadmin.local ${KRB5REALM:+-r $KRB5REALM} -q "ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/admin${KRB5REALM:+@$KRB5REALM} kadmin/changepw${KRB5REALM:+@$KRB5REALM}"
> > > /usr/kerberos/sbin/kadmin.local ${KRB5REALM:+-r $KRB5REALM} -q "ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/`hostname`${KRB5REALM:+@$KRB5REALM}" 2> /dev/null && success
> >
> > If you read freeipa documentation you will see that using kadmin or
> > kadmin.local is discouraged if you do not know exactly what you are
> > doing.
>
> Umm. Maybe the freeipa installer script must call "chkconfig --del
> kadmin" and move it out of init.d; maybe I will not be the only one that
> will miss that part of the documentation :-(, because just starting the
> kadmin server, the ipa installation will break
>
> > > This immediately disabled the usage of kpasswd (unable to find KDC
> > > error) or kinit with an expired password
> >
> > Yes you reset the secret and did not update the keytab file that
> > ipa_kpasswd uses.
> >
> > > how can I use the network version of kadmin in order to change a user
> > > password? which principal can I use with the right privileges:
> >
> > At this stage you cannot use kadmind with Freeipa, you can use kpasswd,
> > ipa-passwd, ldappasswd, and recently also ipa-getkeytab
>
> kpasswd requires knowing the current password (can not be used in a
> samba password sync script)

Yes you have both the old and the new password, but you do not want to
use kpasswd for samba sync.

> ipa-passwd requires knowing the current password or using admin, and
> when using admin the password is set as expired (can not be used in a
> samba password sync either)

not the right tool either

> ldappasswd works... thanks (needs some polishing to remove the
> credentials from the command line)
>
> /usr/lib64/mozldap/ldappasswd -D "cn=Directory Manager" -w [password]
> -P /etc/dirsrv/slapd-[instance]/cert8.db -s [newpassword]
> uid=test,cn=users,cn=accounts,dc=example,dc=com

not ideal

> I needed the script because the samba "ldap passwd sync" option is not
> working on my setup. It says the password is changed, but it only
> changes the samba password (no errors)

You must use 'ldap passwd sync = only', and use freeipa 1.2 which now
intercepts also ldapmodify operations.
If this does not work it is something I'd like to investigate, it would
mean either a bug in samba or freeipa.
To be able to perform a password change in freeipa you may want to use
Directory Manager or samba or use a different admin user and add it to
the list of users that are permitted to change the password without
obeying password policies. The attribute is passsyncManagersDNs in the
ipa-pwd-extop plugin configuration entry (under cn=config) and contains
the DN of users permitted to skip any password policy check including
immediate expiration of passwords.

> I added a little patch to freeipa in order to update sambaPwdLastSet in
> the DS plugin code (ipa_pwd_extop.c), see attachment

Interesting, although we should probably better patch samba to use
freeipa's own fields; keeping multiple copies of the same data is always
a mess as they easily get out of sync.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From robert at marcanoonline.com Mon Nov 17 13:27:15 2008
From: robert at marcanoonline.com (Robert Marcano)
Date: Mon, 17 Nov 2008 08:57:15 -0430
Subject: [Freeipa-users] Re: kadmin help when using LDAP db (MIT kerberos)
In-Reply-To: <1226872716.32715.132.camel@localhost.localdomain>
References: <1226681790.3491.15.camel@localhost.localdomain> <1226682767.32715.102.camel@localhost.localdomain> <1226862681.3432.12.camel@localhost.localdomain> <1226872716.32715.132.camel@localhost.localdomain>
Message-ID: <1226928435.3242.7.camel@localhost.localdomain>

On Sun, 2008-11-16 at 16:58 -0500, Simo Sorce wrote:
> On Sun, 2008-11-16 at 14:41 -0430, Robert Marcano wrote:
> > I added a little patch to freeipa in order to update sambaPwdLastSet in
> > the DS plugin code (ipa_pwd_extop.c), see attachment
>
> Interesting, although we should probably better patch samba to use
> freeipa's own fields; keeping multiple copies of the same data is always
> a mess as they easily get out of sync.

The same can be said about the password hashes that can go out of sync for some unexpected reason (and those can not be merged with any existing field). I think the only way to have this patched in Samba is to build a new passdb backend (reusing code from the ldap backend); that way no schema change will occur for any current Samba/LDAP user, and the samba configuration for IPA can be made easier, no "ldap * suffix" to be defined, minimum one setting will be needed, the IPA domain

>
> Simo.
>

From ssorce at redhat.com Mon Nov 17 13:51:42 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 17 Nov 2008 08:51:42 -0500
Subject: [Freeipa-users] Re: kadmin help when using LDAP db (MIT kerberos)
In-Reply-To: <1226928435.3242.7.camel@localhost.localdomain>
References: <1226681790.3491.15.camel@localhost.localdomain> <1226682767.32715.102.camel@localhost.localdomain> <1226862681.3432.12.camel@localhost.localdomain> <1226872716.32715.132.camel@localhost.localdomain> <1226928435.3242.7.camel@localhost.localdomain>
Message-ID: <1226929902.32715.149.camel@localhost.localdomain>

On Mon, 2008-11-17 at 08:57 -0430, Robert Marcano wrote:
> On Sun, 2008-11-16 at 16:58 -0500, Simo Sorce wrote:
> > On Sun, 2008-11-16 at 14:41 -0430, Robert Marcano wrote:
> > > I added a little patch to freeipa in order to update sambaPwdLastSet in
> > > the DS plugin code (ipa_pwd_extop.c), see attachment
> >
> > Interesting, although we should probably better patch samba to use
> > freeipa's own fields; keeping multiple copies of the same data is always
> > a mess as they easily get out of sync.
>
> The same can be said about the password hashes that can go out of sync
> for some unexpected reason (and those can not be merged with any
> existing field).

That's why I said you should use ldap passwd sync = only
Using this option ipa will generate the hashes itself as part of one
unique password change operation. This makes it much less likely that
passwords will go out of sync. The only way would be for someone to
manually mess with the ldap entry.

> I think the only way to have this patched in Samba is
> to build a new passdb backend (reusing code from the ldap backend); that
> way no schema change will occur for any current Samba/LDAP user, and the
> samba configuration for IPA can be made easier, no "ldap * suffix" to be
> defined, minimum one setting will be needed, the IPA domain

Yes an entire new backend could make things easier, but another way is
to take the edirectory variant (already in the sources) and see if that
can be modified, should be less work.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From robert at marcanoonline.com Tue Nov 18 00:33:58 2008
From: robert at marcanoonline.com (Robert Marcano)
Date: Mon, 17 Nov 2008 20:03:58 -0430
Subject: [Freeipa-users] ipausers default group
Message-ID: <1226968438.3242.22.camel@localhost.localdomain>

Is it a good idea that the "ipausers" group be the default primary group for all users? I see everyday applications that create temporary files that do not follow the 0600 file permissions.

All RedHat/Fedora tools create a user and a group by default, unless you request a different primary group.

Just one example:

http://java.sun.com/j2se/1.3/docs/api/java/io/File.html#createTempFile(java.lang.String,%20java.lang.String)

the Java method to generate temporary files does not create them with permissions 0600 (there is no way to change that in plain Java).
Creating a group by hand for each user is repetitive and there is no way to assign them easily; you need to copy the GID and copy it to the user by hand

From ssorce at redhat.com Tue Nov 18 13:39:59 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 18 Nov 2008 08:39:59 -0500
Subject: [Freeipa-users] ipausers default group
In-Reply-To: <1226968438.3242.22.camel@localhost.localdomain>
References: <1226968438.3242.22.camel@localhost.localdomain>
Message-ID: <1227015599.32715.227.camel@localhost.localdomain>

On Mon, 2008-11-17 at 20:03 -0430, Robert Marcano wrote:
> Is it a good idea that the "ipausers" group be the default primary group for
> all users? I see everyday applications that create temporary files that
> do not follow the 0600 file permissions.
>
> All RedHat/Fedora tools create a user and a group by default, unless you
> request a different primary group.
>
> Just one example:
>
> http://java.sun.com/j2se/1.3/docs/api/java/io/File.html#createTempFile(java.lang.String,%20java.lang.String)
>
> the Java method to generate temporary files does not create them with
> permissions 0600 (there is no way to change that in plain Java).

You should be able to change the default umask for users so that groups
do not get permissions like others.
The umask can be changed from 0002 to 0022 so that groups do not get
write permissions by default.
If you want by default no readability to anyone but the user you can
also set it to 0077

The default umask can be changed in /etc/bashrc on Fedora and similar
files on other distributions, or even just per-user in ~/.bashrc

> Creating a group by hand for each user is repetitive and there is no way
> to assign them easily; you need to copy the GID and copy it to the user
> by hand

Creating a group for each user creates an unnecessary proliferation of
groups that clogs the group interface with mostly useless groups.
Managing user/groups makes it more complex to create, delete and rename
existing users, as the relative groups would need to follow, and
exceptions would need to be handled.

In case you find that you nonetheless want to create a group for each
user you can use CLI tools and some scripts to make it simpler for you
to create users the way you prefer.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From robert at marcanoonline.com Tue Nov 18 14:31:59 2008
From: robert at marcanoonline.com (Robert Marcano)
Date: Tue, 18 Nov 2008 10:01:59 -0430
Subject: [Freeipa-users] ipausers default group
In-Reply-To: <1227015599.32715.227.camel@localhost.localdomain>
References: <1226968438.3242.22.camel@localhost.localdomain> <1227015599.32715.227.camel@localhost.localdomain>
Message-ID: <1227018719.3568.29.camel@localhost.localdomain>

On Tue, 2008-11-18 at 08:39 -0500, Simo Sorce wrote:
> On Mon, 2008-11-17 at 20:03 -0430, Robert Marcano wrote:
> > Is it a good idea that the "ipausers" group be the default primary group for
> > all users? I see everyday applications that create temporary files that
> > do not follow the 0600 file permissions.
> >
> > All RedHat/Fedora tools create a user and a group by default, unless you
> > request a different primary group.
> >
> ...
> You should be able to change the default umask for users so that groups
> do not get permissions like others.
> The umask can be changed from 0002 to 0022 so that groups do not get
> write permissions by default.
> If you want by default no readability to anyone but the user you can
> also set it to 0077

Yes I know about the umask option, but if you are trying to deploy not only servers but Linux workstations, that must be done on each one of them, leaving the possibility of a security hole if you miss one of them. And things can be worse if you do not have control of all the servers (in my case I have servers from another company that I will only request to be added to the IPA realm)

>
> The default umask can be changed in /etc/bashrc on Fedora and similar
> files on other distributions, or even just per-user in ~/.bashrc
>
> > Creating a group by hand for each user is repetitive and there is no way
> > to assign them easily; you need to copy the GID and copy it to the user
> > by hand
>
> Creating a group for each user creates an unnecessary proliferation of
> groups that clogs the group interface with mostly useless groups.

So, Freeipa creates a (little) insecure environment by default. I understand that things must be made easy for the users, but remember that making things easier can compromise security too. I think it is possible to make the GUI create the primary group in another part of the LDAP tree (like I do with samba machine posix accounts because I was worried like you are with the machine$ accounts cluttering the Web UI); I only needed to change the ldap configuration to get users from the common parent

nss_base_passwd cn=accounts,dc=example,dc=com,dc=ve?sub

this way the UI will not be cluttered with the primary groups

> Managing user/groups makes it more complex to create, delete and rename
> existing users, as the relative groups would need to follow, and
> exceptions would need to be handled.
>
Well the simple adduser/removeuser scripts are able to do that (no rename), so I think it is feasible to replicate that in an LDAP environment

What do people think about this option? This is something that I will hopefully try to get some time to help with, and could be the excuse to learn a little python web development (I have no knowledge of TurboGears :-P)

>
> In case you find that you nonetheless want to create a group for each
> user you can use CLI tools and some scripts to make it simpler for you
> to create users the way you prefer.
That is the temporary solution that I will propose here, but I am sad because it will not be very welcome, because we lose the integrated GUI (the primary reason we opted for freeipa)

>
> Simo.
>

From rob at lazzurs.net Tue Nov 18 14:38:10 2008
From: rob at lazzurs.net (Robert Lazzurs)
Date: Tue, 18 Nov 2008 14:38:10 +0000
Subject: [Freeipa-users] ipausers default group
Message-ID: <1220a920811180638r4f0eb9c4n788c32408e712a9a@mail.gmail.com>

I think in summary what Robert M is trying to say here is FreeIPA should be secure by default rather than create a possible hole by default which can be fixed by tweaking a setting. Think of it as the difference between Windows and OpenBSD...I know which one I would rather be using to run my network.

IM(very)HO I believe he is correct that this should no longer be the default.

Just my thoughts,

Take care.

-- 
Rob Lazzurs

On 18 Nov 2008, 2:32 PM, "Robert Marcano" wrote:

On Tue, 2008-11-18 at 08:39 -0500, Simo Sorce wrote:
> On Mon, 2008-11-17 at 20:03 -0430, Robert Mar...
...
> You should be able to change the default umask for users so that groups
> do not get permissions ...

Yes I know about the umask option, but if you are trying to deploy not only servers but Linux workstations, that must be done on each one of them, leaving the possibility of a security hole if you miss one of them. And things can be worse if you do not have control of all the servers (in my case I have servers from another company that I will only request to be added to the IPA realm)

>
> The default umask can be changed in /etc/bashrc on Fedora and similar
> files on other distrib...

So, Freeipa creates a (little) insecure environment by default. I understand that things must be made easy for the users, but remember that making things easier can compromise security too. I think it is possible to make the GUI create the primary group in another part of the LDAP tree (like I do with samba machine posix accounts because I was worried like you are with the machine$ accounts cluttering the Web UI); I only needed to change the ldap configuration to get users from the common parent

nss_base_passwd cn=accounts,dc=example,dc=com,dc=ve?sub

this way the UI will not be cluttered with the primary groups

> Managing user/groups makes it more complex to create, delete and rename
> existing users, as the r...

Well the simple adduser/removeuser scripts are able to do that (no rename), so I think it is feasible to replicate that in an LDAP environment

What do people think about this option? This is something that I will hopefully try to get some time to help with, and could be the excuse to learn a little python web development (I have no knowledge of TurboGears :-P)

>
> In case you find that you nonetheless want to create a group for each
> user you can use CLI to...

That is the temporary solution that I will propose here, but I am sad because it will not be very welcome, because we lose the integrated GUI (the primary reason we opted for freeipa)

>
> Simo.
>
_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat....

-------------- next part --------------
An HTML attachment was scrubbed...
URL: 

From ssorce at redhat.com Tue Nov 18 15:00:01 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 18 Nov 2008 15:00:01 +0000
Subject: [Freeipa-users] ipausers default group
In-Reply-To: <1227018719.3568.29.camel@localhost.localdomain>
References: <1226968438.3242.22.camel@localhost.localdomain> <1227015599.32715.227.camel@localhost.localdomain> <1227018719.3568.29.camel@localhost.localdomain>
Message-ID: <1227020401.32715.242.camel@localhost.localdomain>

On Tue, 2008-11-18 at 10:01 -0430, Robert Marcano wrote:
> On Tue, 2008-11-18 at 08:39 -0500, Simo Sorce wrote:
> > On Mon, 2008-11-17 at 20:03 -0430, Robert Marcano wrote:
> > > Is it a good idea that the "ipausers" group be the default primary group for
> > > all users? I see everyday applications that create temporary files that
> > > do not follow the 0600 file permissions.
> > >
> > > All RedHat/Fedora tools create a user and a group by default, unless you
> > > request a different primary group.
> > >
> > ...
> >
> > You should be able to change the default umask for users so that groups
> > do not get permissions like others.
> > The umask can be changed from 0002 to 0022 so that groups do not get
> > write permissions by default.
> > If you want by default no readability to anyone but the user you can
> > also set it to 0077
>
> Yes I know about the umask option, but if you are trying to deploy not
> only servers but Linux workstations, that must be done on each one of
> them, leaving the possibility of a security hole if you miss one of
> them. And things can be worse if you do not have control of all the
> servers (in my case I have servers from another company that I will only
> request to be added to the IPA realm)

There are many things that need to be configured properly to avoid
security issues, this is just one of them, maybe we should make it better
known in the docs.

> > The default umask can be changed in /etc/bashrc on Fedora and similar
> > files on other distributions, or even just per-user in ~/.bashrc
> >
> > > Creating a group by hand for each user is repetitive and there is no way
> > > to assign them easily; you need to copy the GID and copy it to the user
> > > by hand
> >
> > Creating a group for each user creates an unnecessary proliferation of
> > groups that clogs the group interface with mostly useless groups.
>
> So, Freeipa creates a (little) insecure environment by default.

No, it is just a different environment, security depends on how well or
badly you configure your environment.

We could make ipa-client-install change the umask by default maybe,
and with v2 we should be able to have policies that do that on all
clients.

> I understand that things must be made easy for the users, but remember that
> making things easier can compromise security too.

Making things more complex the same, sorry I do not buy the argument
that easier = less secure, I wouldn't have worked on the FreeIPA project
at all if I thought that.

> I think it is possible
> to make the GUI create the primary group in another part of the LDAP
> tree (like I do with samba machine posix accounts because I was worried
> like you are with the machine$ accounts cluttering the Web UI); I only
> needed to change the ldap configuration to get users from the common
> parent
>
> nss_base_passwd cn=accounts,dc=example,dc=com,dc=ve?sub
>
> this way the UI will not be cluttered with the primary groups

If it were just about concealing personal user groups we could do it in many
different ways without having to put them elsewhere, but there are other
aspects than UI ugliness.

> > Managing user/groups makes it more complex to create, delete and rename
> > existing users, as the relative groups would need to follow, and
> > exceptions would need to be handled.
> >
> Well the simple adduser/removeuser scripts are able to do that (no
> rename), so I think it is feasible to replicate that in an LDAP
> environment

It's more complex than you think.
What do you do if you create a new user and a group of the same name
already exists ?
What do you do if you remove a user and its associated group has other
memberships ?
And so on.

Adding a group per user just to keep the umask 022 is honestly just a
hack, that makes managing groups cumbersome.

> What do people think about this option? This is something that I will
> hopefully try to get some time to help with, and could be the excuse to
> learn a little python web development (I have no knowledge of
> TurboGears :-P)

Well if you want to propose patches so that the admins can optionally
observe one or the other behavior we may consider them.
You should work on the v2 code base though, as I don't think we will
pursue such radical changes in the 1.1.x series at this point.

> > In case you find that you nonetheless want to create a group for each
> > user you can use CLI tools and some scripts to make it simpler for you
> > to create users the way you prefer.
>
> That is the temporary solution that I will propose here, but I am sad
> because it will not be very welcome, because we lose the integrated GUI
> (the primary reason we opted for freeipa)

It would be easier to change the umask; indeed it's not that difficult :)

Simo.
--
Simo Sorce * Red Hat, Inc * New York

From robert at marcanoonline.com Tue Nov 18 16:04:11 2008
From: robert at marcanoonline.com (Robert Marcano)
Date: Tue, 18 Nov 2008 11:34:11 -0430
Subject: [Freeipa-users] ipausers default group
In-Reply-To: <1227020401.32715.242.camel@localhost.localdomain>
References: <1226968438.3242.22.camel@localhost.localdomain> <1227015599.32715.227.camel@localhost.localdomain> <1227018719.3568.29.camel@localhost.localdomain> <1227020401.32715.242.camel@localhost.localdomain>
Message-ID: <1227024252.3568.79.camel@localhost.localdomain>

On Tue, 2008-11-18 at 15:00 +0000, Simo Sorce wrote:
> There are many things that need to be configured properly to avoid security issues, this is just one of them, maybe we should make it better known in the docs.

I do not buy this either; this is as if the Red Hat Enterprise Linux docs told me that in order to have more security I need to change the umask, because the default is not good enough, and the adduser script just creates users in the rhusers group by default.

> > So, Freeipa creates a (little) insecure environment by default.
>
> No, it is just a different environment, security depends on how well or badly you configure your environment.

A different environment whose defaults are less secure than a default RH/Fedora install. Freeipa (in its current state) can protect passwords from being stolen on the net (Kerberos) but local security is less secure than on a plain RH/Fedora installation.

> We could make ipa-client-install change the umask by default maybe, and with v2 we should be able to have policies that do that on all clients.

If V2 will do that, then the group per user issue is resolved, but it does not do that today, and by default current freeipa is insecure and a security advisory is needed (some temporary files could be writeable by any member of ipausers).
(note that I am a little extremist on file security issues https://bugzilla.redhat.com/show_bug.cgi?id=447430 )

> > I understand that things must be made easy for the users but remember that making things easier can compromise security too.
>
> Making things more complex does the same, sorry I do not buy the argument that easier = less secure, I wouldn't have worked on the FreeIPA project at all if I thought that.

I am not saying the UI must be made complex, but simplicity means being more careful about what you do, because you do not give the user the options to customize and then blame him/her for any error.

...

> Adding a group per user just to keep the umask 022 is honestly just a hack, that makes managing groups cumbersome.

Could be, but you do not replace a hack without doing the real, well done fix (freeipa removes the hack but does not change the umask)

...

> > That is the temporary solution that I will propose here, but I am sad because it will not be very welcome, because we lose the integrated GUI (the primary reason we opted for freeipa)
>
> It would be easier to change the umask indeed it's not that difficult :)

Again the easier argument; it is not easier, doing things in a central location is easier or more manageable than changing the umask on each ipa client.

In summary, current freeipa needs a patch to set the umask for users whose primary group is ipausers (or uid greater than 1000?), until V2 policies can do that.

Just a note, umask is for the user session; not having a group per user will mean that all services provided on the network must be checked, for example, all Samba shares' "create mask" and "create directory mask" must be checked

> Simo.
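The exposure Robert describes above (a shared primary group such as ipausers combined with a permissive umask leaves every newly created file writable by all members of that group) can be shown and audited with a short script. The following is an added example, not code from this thread or from FreeIPA: the function names, the scratch file names and the use of the running process's own group as a stand-in for the ipausers gid are assumptions made for the demonstration.

```python
import os
import stat
import tempfile


def create_with_umask(directory, name, mask):
    """Create an empty file under the given umask and return its permission bits.

    The file is requested with mode 0o666; the kernel clears every bit that is
    set in the umask, exactly as a shell, an editor or a cp would experience it.
    """
    old_mask = os.umask(mask)
    path = os.path.join(directory, name)
    try:
        fd = os.open(path, os.O_CREAT | os.O_EXCL | os.O_WRONLY, 0o666)
        os.close(fd)
    finally:
        os.umask(old_mask)  # never leave the process with a changed umask
    return stat.S_IMODE(os.stat(path).st_mode)


def group_writable_files(directory, shared_gids):
    """Audit helper: regular files below directory that are group-writable and
    owned by one of the shared gids (for a real run: the gid of ipausers).
    Symlinks are not followed, so a link pointing elsewhere cannot fool it."""
    exposed = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            st = os.lstat(path)
            if (stat.S_ISREG(st.st_mode)
                    and st.st_mode & stat.S_IWGRP
                    and st.st_gid in shared_gids):
                exposed.append(path)
    return sorted(exposed)


def demo():
    """Create one file under umask 002 and one under 022 in a scratch directory,
    then audit the directory. Returns (mode_002, mode_022, exposed_file_names)."""
    with tempfile.TemporaryDirectory() as scratch:
        mode_002 = create_with_umask(scratch, "created-with-umask-002", 0o002)
        mode_022 = create_with_umask(scratch, "created-with-umask-022", 0o022)
        # Constructed stand-in for the ipausers gid: whichever group new files in
        # the scratch directory actually receive (the process gid, or the
        # directory's gid on setgid directories and BSD-style systems).
        shared = {os.getgid(), os.stat(scratch).st_gid}
        exposed = [os.path.basename(p)
                   for p in group_writable_files(scratch, shared)]
    return mode_002, mode_022, exposed


if __name__ == "__main__":
    m002, m022, names = demo()
    print("umask 002 -> %o, umask 022 -> %o, group-writable: %s" % (m002, m022, names))
```

On a real client, call group_writable_files on the home tree or /tmp with the numeric gid of ipausers (from `getent group ipausers`); a 0o664 result is the case Robert worries about, and 0o644 is what a umask of 022 in /etc/bashrc yields. The audit is the check an admin can run before and after changing the umask, whichever of the two fixes debated in the thread is chosen.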
From ssorce at redhat.com Tue Nov 18 17:36:30 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 18 Nov 2008 17:36:30 +0000
Subject: [Freeipa-users] ipausers default group
In-Reply-To: <1227024252.3568.79.camel@localhost.localdomain>
References: <1226968438.3242.22.camel@localhost.localdomain> <1227015599.32715.227.camel@localhost.localdomain> <1227018719.3568.29.camel@localhost.localdomain> <1227020401.32715.242.camel@localhost.localdomain> <1227024252.3568.79.camel@localhost.localdomain>
Message-ID: <1227029790.32715.261.camel@localhost.localdomain>

On Tue, 2008-11-18 at 11:34 -0430, Robert Marcano wrote:
> On Tue, 2008-11-18 at 15:00 +0000, Simo Sorce wrote:
>
> > There are many things that need to be configured properly to avoid security issues, this is just one of them, maybe we should make it better known in the docs.
>
> I do not buy this either; this is as if the Red Hat Enterprise Linux docs told me that in order to have more security I need to change the umask, because the default is not good enough, and the adduser script just creates users in the rhusers group by default.

A matter of points of view in my opinion, I respect yours.

> > > So, Freeipa creates a (little) insecure environment by default.
> >
> > No, it is just a different environment, security depends on how well or badly you configure your environment.
>
> A different environment whose defaults are less secure than a default RH/Fedora install. Freeipa (in its current state) can protect passwords from being stolen on the net (Kerberos) but local security is less secure than on a plain RH/Fedora installation.

Given that Freeipa does not create home directories or set up the disk layout in any way, and that admins can easily use ACLs on the file system to attain the level of security they prefer, I do not think this to be a freeipa problem, not yet. When you configure your file system or home creation scripts you will probably make sure user home directories are set 700.
> > We could make ipa-client-install change the umask by default maybe, and with v2 we should be able to have policies that do that on all clients.
>
> If V2 will do that, then the group per user issue is resolved, but it does not do that today, and by default current freeipa is insecure and a security advisory is needed (some temporary files could be writeable by any member of ipausers).

I don't think we need any security advisory.

> (note that I am a little extremist on file security issues https://bugzilla.redhat.com/show_bug.cgi?id=447430 )

Sure, you're right to be, but it's your decision. Admins are free to adopt whatever default they prefer and manage file access and umasks the way they choose, eventually overriding defaults.

> > > I understand that things must be made easy for the users but remember that making things easier can compromise security too.
> >
> > Making things more complex does the same, sorry I do not buy the argument that easier = less secure, I wouldn't have worked on the FreeIPA project at all if I thought that.
>
> I am not saying the UI must be made complex, but simplicity means being more careful about what you do, because you do not give the user the options to customize and then blame him/her for any error.

Changing the umask in /etc/bashrc is not complex for any sysadmin.

> > Adding a group per user just to keep the umask 022 is honestly just a hack, that makes managing groups cumbersome.
>
> Could be, but you do not replace a hack without doing the real, well done fix (freeipa removes the hack but does not change the umask)

We do not touch machine configuration too much in freeipa 1.x, we do not even create home directories. It is very clear that file system management is not a Freeipa goal in v1 and admins need to manage it themselves.
> > > > That is the temporary solution that I will propose here, but I am sad because it will not be very welcome, because we lose the integrated GUI (the primary reason we opted for freeipa)
> >
> > It would be easier to change the umask indeed it's not that difficult :)
>
> Again the easier argument; it is not easier, doing things in a central location is easier or more manageable than changing the umask on each ipa client.

True, that's why we are adding policy support. But because you have to install and configure the client to access IPA anyway, I cannot consider changing another file an issue. Also, you may decide to do that in the single user profile instead, again because you have to provision home directories yourself as IPA does not do it; it is just a matter of adjusting your provisioning process.

> In summary, current freeipa needs a patch to set the umask for users whose primary group is ipausers (or uid greater than 1000?), until V2 policies can do that.

Yes, I will consider adding something to that effect in ipa-client-install so that it can be done at the same time the client is enrolled.

> Just a note, umask is for the user session; not having a group per user will mean that all services provided on the network must be checked, for example, all Samba shares' "create mask" and "create directory mask" must be checked

I really think that ACLs (and default ACLs) are the real answer here. umask has always been an issue; the right answer is to use proper ACLs on the directories the user has write access to (normally only their home and /tmp, so any other directory is custom made by admins). The only reason why umask even exists is that back in the day unix didn't have ACLs. We have had them for a long time now; it's really time to start using these tools to solve the problem at the right level.
As for /tmp, I hope we will soon move to having per-user temp dirs, which will completely solve the umask problem even without changing it in the default install.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From kozlov at spbcas.ru Thu Nov 20 12:49:37 2008
From: kozlov at spbcas.ru (Konstantin Kozlov)
Date: Thu, 20 Nov 2008 15:49:37 +0300
Subject: [Freeipa-users] GSSAPI Failure
In-Reply-To: <1226673180.32715.53.camel@localhost.localdomain>
References: <49183CC4.6070209@spbcas.ru> <1226410657.10160.499.camel@localhost.localdomain> <49198DAF.5010209@spbcas.ru> <1226411730.10160.501.camel@localhost.localdomain> <49199241.3090509@spbcas.ru> <1226418041.10160.503.camel@localhost.localdomain> <4919AAFD.7000403@spbcas.ru> <491A90B9.2070208@spbcas.ru> <491AEC0A.8080502@redhat.com> <491AF075.9000007@spbcas.ru> <491AF32F.1030705@redhat.com> <491BD672.8000000@spbcas.ru> <1226582272.10160.610.camel@localhost.localdomain> <491C339C.70605@spbcas.ru> <1226585948.10160.615.camel@localhost.localdomain> <491CFEAD.8010406@spbcas.ru> <1226639121.32715.21.camel@localhost.localdomain> <491D14E1.6090000@spbcas.ru> <1226668201.32715.28.camel@localhost.localdomain> <491D7AE1.6060002@spbcas.ru> <1226669142.32715.43.camel@localhost.localdomain> <491D7FB1.5070308@spbcas.ru> <1226670138.32715.45.camel@localhost.localdomain> <491D871A.8050902@spbcas.ru> <1226673180.32715.53.camel@localhost.localdomain>
Message-ID: <49255CE1.6060504@spbcas.ru>

Simo Sorce wrote:
> On Fri, 2008-11-14 at 17:11 +0300, Konstantin Kozlov wrote:
>> Simo Sorce wrote:
>>> On Fri, 2008-11-14 at 16:40 +0300, Konstantin Kozlov wrote:
>>>> I tried to remove it with kadmin.local but it didn't help. What is the proper way to do that given that the ipa-tools do not work?
>>> Use ldapdelete with Directory Manager credentials.
>>> You have to remove the one in cn=services, NOT the one in cn=kerberos.
>>>
>> I don't have it in ldap - only this under cn=kerberos:
>>
>> dn: krbprincipalname=ldap/hedgehog.bio.spbcas.ru at BIO.SPBCAS.RU,cn=BIO.SPBCAS.RU,cn=kerberos,dc=bio,dc=spbcas,dc=ru
>> krbTicketFlags: 0
>> krbPrincipalName: ldap/hedgehog.bio.spbcas.ru at BIO.SPBCAS.RU
>> krbLastPwdChange: 20081114133612Z
>> krbExtraData:: AALMfh1JYWRtaW4vYWRtaW5AQklPLlNQQkNBUy5SVQA=
>> objectClass: krbprincipal
>> objectClass: krbprincipalaux
>> objectClass: krbTicketPolicyAux
>> objectClass: top
>> krbPasswordExpiration: 19700101000000Z
>>
>> I suppose it's not that.
>
> As a last resort you can generate a new secret using kadmin.local and make sure it is stored in ds.keytab, then restart the directory server.
>
> Simo.
>

Hello,

Thank you very much for your help Simo! I tried to recover the ds keytab but failed and reinstalled the thing. I am pretty sure that I killed the previous installation by adding the ldap princ. - I won't do that next time. Unfortunately, I still haven't got WinXP working.

Kostya

From kozlov at spbcas.ru Thu Nov 20 13:00:00 2008
From: kozlov at spbcas.ru (Konstantin Kozlov)
Date: Thu, 20 Nov 2008 16:00:00 +0300
Subject: [Freeipa-users] Windows clients problem
In-Reply-To: <49142C7A.5010508@spbcas.ru>
References: <4912C6FD.805@spbcas.ru> <49142300.1080104@vulturest.com> <49142734.4000008@spbcas.ru> <49142916.5000403@vulturest.com> <49142C7A.5010508@spbcas.ru>
Message-ID: <49255F50.6020700@spbcas.ru>

Hello,

I've run into other problems but now I am facing the same thing - WinXP can't log the ipauser in. I have the host principal, I've set up Kerberos on WinXP with ksetup, and got the key into krb5.keytab with a password and enctype des-cbc-crc. I've tried rc4-hmac but it made no difference. I have a question concerning this - rc4-hmac is not listed in kdc.conf nor in ldap as a supported enctype, but ipa-getkeytab didn't show an error when I tried to use this enctype.
Should I add rc4-hmac in kdc.conf or the ldap entry, or is it irrelevant as WinXP is also said to support des-cbc-crc?

Thank you,
Kostya

Konstantin Kozlov wrote:
> Thank you for the help!
>
> After another round of googling I've found that XP uses rc4-hmac... I'll try that next day.
>
> Johan Venter wrote:
>> Konstantin Kozlov wrote:
>>> Hello,
>>>
>>> Johan Venter wrote:
>>>> Konstantin Kozlov wrote:
>>>>> The WinXP machine asks to login to the Kerberos realm at the login screen, but doesn't let me in. The krb5 log file on the IPA server shows that a ticket was issued. I can get a ticket with MIT Kerberos from the WinXP machine but I can't access the samba share.
>>>>
>>>> I had to add -e des-cbc-crc to the ipa-getkeytab command line I used to generate the Windows host principal and set the password before Windows login to the Kerberos realm would work.
>>>>
>>>> Windows XP/Server 2003 doesn't support useful encryption mechanisms.
>>>>
>>> I did that also and that didn't work. Do I need to install the keytab on the WinXP machine? If yes, how?
>>>
>> Hmm .. I had to use the latest version of ipa-getkeytab (which supported the password option - I compiled my own RPMs for CentOS) and between that, the -e option and ksetup /setcomputerpassword it finally worked on my Windows Server 2003 machines.
>>
>> Maybe there is something different with XP machines, all I can suggest is try the different encryption types and see what works (DES generally, no AES or SHA hashes).
>>
>> Johan

--
Konstantin Kozlov
Department of Computational Biology, Center for Advanced Studies, SPb State Polytechnical University, 195251, Polytechnicheskaya ul., 29, bld 4, office 204, St.Petersburg, Russia.
Tel./fax: +7 812 596 2831

From daniel.nall at extension.org Thu Nov 20 21:39:06 2008
From: daniel.nall at extension.org (Daniel Nall)
Date: Thu, 20 Nov 2008 16:39:06 -0500
Subject: [Freeipa-users] uid manipulation
Message-ID: <4925D8FA.4060903@extension.org>

Hey all,

First off, many thanks for providing this great tool. It's allowed someone with very little knowledge of kerberos and ldap to create something that works. With that said, I've run into a problem, which I know is most likely my own doing. I'm just hoping that someone with more knowledge could lend some insight.

I've recently started testing out Free IPA, and have a couple of questions that I have been unable to find answers for. Currently, we're using Open LDAP running on an Apple Xserve, but want to migrate away from the XServes. Because we don't have a gigantic amount of users, I made a simple "import" script that basically uses the ipa-adduser command and adds all of our needed user accounts. I did the same thing with groups and ipa-addgroup. Initially, this worked great. Everything came across fine, ssh worked on ipa-clients, all was good. Users could be added and removed from groups, and the results from running "groups username" would correctly display the expected information.

Now comes the problem. I'm trying to alter the uidnumber and gidnumber values in an attempt to mirror our existing configuration, and I'm coming up way short. I've found that when using ipa-adduser, you can specify the uidnumber or gidnumber by using the setattr option (ex: ipa-adduser -f john -l doe --setattr uidnumber=1111 jdoe). Once this is done however, the output from "groups username" is nowhere near what I would expect. In fact, the output from "groups jdoe" didn't change at all from the initial return of "ipausers".
What's really throwing me is that the output from ipa-finduser -a jdoe is returning what looks to be the correct information, but it's like the system isn't getting that information from freeipa, or I've somehow misconfigured freeipa to not know how to convey that information.

A quick example to illustrate my issue:

Clean Fedora Core 9 / ipa-server installation. Install ipa-server, provide the required information to set up the domain and realm etc.

ipa-adduser -f jane -l doe -p xxxxxx janedoe
ipa-adduser -f john -l doe -p yyyyyy --setattr uidnumber=1111 johndoe
ipa-adduser -f jim -l doe -p zzzzzz jimdoe

Both commands successfully create the users.

Next, I created a testgroup, and add the users:

ipa-addgroup -d "testgroup" testgroup
ipa-modgroup -a janedoe testgroup
ipa-modgroup -a johndoe testgroup
ipa-modgroup -a jimdoe testgroup

groups janedoe returns ipausers and testgroup
groups johndoe returns ipausers
groups jimdoe returns ipausers and testgroup

ipa-finduser -a janedoe returns that janedoe is a memberof: ipausers and testgroup, and her uid is the default auto-assigned by ipa number 1100 (first user that was made)
ipa-finduser -a johndoe returns that johndoe is a memberof: ipausers and testgroup, and his uid is the expected 1111
ipa-finduser -a jimdoe returns that jimdoe is a memberof: ipausers and testgroup, and his uid is the default auto-assigned by ipa number 1101

Is there something I'm missing here? Is what I'm trying to do completely insane? :)

Thanks for any advice,
Daniel

From ssorce at redhat.com Thu Nov 20 22:24:40 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 20 Nov 2008 17:24:40 -0500
Subject: [Freeipa-users] uid manipulation
In-Reply-To: <4925D8FA.4060903@extension.org>
References: <4925D8FA.4060903@extension.org>
Message-ID: <1227219880.32715.335.camel@localhost.localdomain>

On Thu, 2008-11-20 at 16:39 -0500, Daniel Nall wrote:
>
> Is there something I'm missing here? Is what I'm trying to do completely insane?
> :)

I think this is nscd in action. Try with 'service nscd reload' after you change ids.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From edwardpopoola at gmail.com Fri Nov 21 17:57:04 2008
From: edwardpopoola at gmail.com (Edward Popoola)
Date: Fri, 21 Nov 2008 18:57:04 +0100
Subject: [Freeipa-users] nss_ldap: Can't contact LDAP server
Message-ID:

Hello all,

I just joined this list and I was wondering if anyone could help with my problem or provide a link to a similar discussion if it has been held before.

I successfully installed the redhat IPA on the server and on one client for starters. On the server, after creating ipa users through the web interface, I'm able to switch to the new ipa user (I had to add the pam_mkdir module in the login and su pam.d files). However, trying to switch user from the ipa-client is telling me 'account does not exist'...

Part of my /etc/nsswitch file on the client and on the server has the entry:

passwd: files ldap
shadow: files ldap
group: files ldap

The log file on the ipa-client is given below:

Nov 21 14:12:33 phbdnssrv su: nss_ldap: failed to bind to LDAP server ldap://ipaserver.mydomain.com: Can't contact LDAP server
Nov 21 14:12:33 phbdnssrv su: nss_ldap: could not search LDAP server - Server is unavailable
Nov 21 15:44:49 phbdnssrv su: nss_ldap: failed to bind to LDAP server ldap://ipaserver.mydomain.com: Can't contact LDAP server
Nov 21 15:44:49 phbdnssrv su: nss_ldap: could not search LDAP server - Server is unavailable

My DNS seems to be up and it returns queries on both server and client... Please, is there anything I could do that I am missing?

Thanks in advance
ed

--
Edward Popoola (RHCE, SCSA, C|EH)
From kozlov at spbcas.ru Mon Nov 24 11:44:55 2008
From: kozlov at spbcas.ru (Konstantin Kozlov)
Date: Mon, 24 Nov 2008 14:44:55 +0300
Subject: [Freeipa-users] Windows XP client can't login
In-Reply-To: <49142C7A.5010508@spbcas.ru>
References: <4912C6FD.805@spbcas.ru> <49142300.1080104@vulturest.com> <49142734.4000008@spbcas.ru> <49142916.5000403@vulturest.com> <49142C7A.5010508@spbcas.ru>
Message-ID: <492A93B7.4000406@spbcas.ru>

Hello,

I have not got any reply to the last post in https://www.redhat.com/archives/freeipa-users/2008-November/msg00004.html so I am starting a new thread with a more precise title.

I have ipaserver 1.2 on Fedora 9 and ipaclient on CentOS 5 with recompiled rpms from RHEL. I want to let an ipauser log in to a Windows XP box.

Did anybody succeed in such a challenge?

I have the host principal, I've set up Kerberos on WinXP with ksetup, and got the key into krb5.keytab on ipaserver with a password and enctype des-cbc-crc. But WinXP can't log the ipauser in.

I've tried rc4-hmac but it made no difference. I have a question concerning this - rc4-hmac is not listed in kdc.conf nor in ldap as a supported enctype, but ipa-getkeytab didn't show an error when I tried to use this enctype. Should I add rc4-hmac in kdc.conf or the ldap entry, or is it irrelevant as WinXP is also said to support des-cbc-crc?

Thank you,
Kostya

Konstantin Kozlov wrote:
> Thank you for the help!
>
> After another round of googling I've found that XP uses rc4-hmac... I'll try that next day.
>
> Johan Venter wrote:
>> Konstantin Kozlov wrote:
>>> Hello,
>>>
>>> Johan Venter wrote:
>>>> Konstantin Kozlov wrote:
>>>>> The WinXP machine asks to login to the Kerberos realm at the login screen, but doesn't let me in. The krb5 log file on the IPA server shows that a ticket was issued. I can get a ticket with MIT Kerberos from the WinXP machine but I can't access the samba share.
>>>>
>>>> I had to add -e des-cbc-crc to the ipa-getkeytab command line I used to generate the Windows host principal and set the password before Windows login to the Kerberos realm would work.
>>>>
>>>> Windows XP/Server 2003 doesn't support useful encryption mechanisms.
>>>>
>>> I did that also and that didn't work. Do I need to install the keytab on the WinXP machine? If yes, how?
>>>
>> Hmm .. I had to use the latest version of ipa-getkeytab (which supported the password option - I compiled my own RPMs for CentOS) and between that, the -e option and ksetup /setcomputerpassword it finally worked on my Windows Server 2003 machines.
>>
>> Maybe there is something different with XP machines, all I can suggest is try the different encryption types and see what works (DES generally, no AES or SHA hashes).
>>
>> Johan

--
Konstantin Kozlov
Department of Computational Biology, Center for Advanced Studies, SPb State Polytechnical University, 195251, Polytechnicheskaya ul., 29, bld 4, office 204, St.Petersburg, Russia.
Tel./fax: +7 812 596 2831

From ssorce at redhat.com Mon Nov 24 13:34:00 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 24 Nov 2008 08:34:00 -0500
Subject: [Freeipa-users] Windows XP client can't login
In-Reply-To: <492A93B7.4000406@spbcas.ru>
References: <4912C6FD.805@spbcas.ru> <49142300.1080104@vulturest.com> <49142734.4000008@spbcas.ru> <49142916.5000403@vulturest.com> <49142C7A.5010508@spbcas.ru> <492A93B7.4000406@spbcas.ru>
Message-ID: <1227533640.32715.379.camel@localhost.localdomain>

On Mon, 2008-11-24 at 14:44 +0300, Konstantin Kozlov wrote:
> Hello,
>
> I have not got any reply to the last post in https://www.redhat.com/archives/freeipa-users/2008-November/msg00004.html so I am starting a new thread with a more precise title.
>
> I have ipaserver 1.2 on Fedora 9 and ipaclient on CentOS 5 with recompiled rpms from RHEL. I want to let an ipauser log in to a Windows XP box.
>
> Did anybody succeed in such a challenge?
>
> I have the host principal, I've set up Kerberos on WinXP with ksetup, and got the key into krb5.keytab on ipaserver with a password and enctype des-cbc-crc. But WinXP can't log the ipauser in.
>
> I've tried rc4-hmac but it made no difference. I have a question concerning this - rc4-hmac is not listed in kdc.conf nor in ldap as a supported enctype, but ipa-getkeytab didn't show an error when I tried to use this enctype. Should I add rc4-hmac in kdc.conf or the ldap entry, or is it irrelevant as WinXP is also said to support des-cbc-crc?
>
> Thank you,

I assume you also installed a GINA dll that can use the kerberos libraries to perform a login? Just setting up kerberos is not enough to allow a login.

At least for testing, des-cbc-crc shouldn't be a problem. It would certainly be better to use something stronger in production, but one step at a time :)

For a start, does kinit work at all on the WinXP client?

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From mackoel at gmail.com Tue Nov 25 04:55:10 2008
From: mackoel at gmail.com (Kozlov)
Date: Tue, 25 Nov 2008 07:55:10 +0300
Subject: [Freeipa-users] Windows XP client can't login
In-Reply-To: <1227533640.32715.379.camel@localhost.localdomain>
References: <4912C6FD.805@spbcas.ru> <49142300.1080104@vulturest.com> <49142734.4000008@spbcas.ru> <49142916.5000403@vulturest.com> <49142C7A.5010508@spbcas.ru> <492A93B7.4000406@spbcas.ru> <1227533640.32715.379.camel@localhost.localdomain>
Message-ID: <492B852E.3080400@spbcas.ru>

Simo Sorce wrote:
> On Mon, 2008-11-24 at 14:44 +0300, Konstantin Kozlov wrote:
>> Hello,
>>
>> I have not got any reply to the last post in https://www.redhat.com/archives/freeipa-users/2008-November/msg00004.html so I am starting a new thread with a more precise title.
>>
>> I have ipaserver 1.2 on Fedora 9 and ipaclient on CentOS 5 with recompiled rpms from RHEL. I want to let an ipauser log in to a Windows XP box.
>>
>> Did anybody succeed in such a challenge?
>>
>> I have the host principal, I've set up Kerberos on WinXP with ksetup, and got the key into krb5.keytab on ipaserver with a password and enctype des-cbc-crc. But WinXP can't log the ipauser in.
>>
>> I've tried rc4-hmac but it made no difference. I have a question concerning this - rc4-hmac is not listed in kdc.conf nor in ldap as a supported enctype, but ipa-getkeytab didn't show an error when I tried to use this enctype. Should I add rc4-hmac in kdc.conf or the ldap entry, or is it irrelevant as WinXP is also said to support des-cbc-crc?
>>
>> Thank you,
>
> I assume you also installed a GINA dll that can use the kerberos libraries to perform a login?

At what point does GINA come into the picture?

Following the steps from another thread I've run

ksetup /setdomain ...
ksetup /addkdc ...
ksetup /setcomputerpassword ...
ksetup /mapuser ...

And WinXP asks for the login to the Realm, the kdc issues the ticket but WinXP doesn't accept the password. I've mapped the ipauser to winxpuser, not all to Administrator as in https://www.redhat.com/archives/freeipa-users/2008-October/msg00006.html. Can it be a problem?

> Just setting up kerberos is not enough to allow a login.
> At least for testing, des-cbc-crc shouldn't be a problem. It would certainly be better to use something stronger in production, but one step at a time :)
>
> For a start, does kinit work at all on the WinXP client?
>

Yes, 'kinit ipauser' accepts the password, but klist doesn't show tickets.

Thanks for the help!
Kostya

From kozlov at spbcas.ru Tue Nov 25 06:56:34 2008
From: kozlov at spbcas.ru (Konstantin Kozlov)
Date: Tue, 25 Nov 2008 09:56:34 +0300
Subject: [Freeipa-users] Windows XP client can't login
In-Reply-To: <492B9EB9.9090500@vulturest.com>
References: <4912C6FD.805@spbcas.ru> <49142300.1080104@vulturest.com> <49142734.4000008@spbcas.ru> <49142916.5000403@vulturest.com> <49142C7A.5010508@spbcas.ru> <492A93B7.4000406@spbcas.ru> <492B9EB9.9090500@vulturest.com>
Message-ID: <492BA1A2.70704@spbcas.ru>

Johan Venter wrote:
> Konstantin Kozlov wrote:
>> I have the host principal, I've set up Kerberos on WinXP with ksetup, and got the key into krb5.keytab on ipaserver with a password and enctype des-cbc-crc. But WinXP can't log the ipauser in.
>
> I don't understand - you put the host principal key for your Windows XP machine in the /etc/krb5.keytab of your IPA server?
>
> That seems very wrong.
>

I suspect that. Does it prevent the ipaserver or winxp from working correctly?

> When I got Windows Server 2003 to login to the IPA domain I just ignored the keys that ipa-getkeytab exported, as there is nowhere to put them on Windows.
>

Where then can I set the password for the WinXP machine that will go to "ksetup /setcomputerpassword"?
Kostya

From kozlov at spbcas.ru Tue Nov 25 09:14:04 2008
From: kozlov at spbcas.ru (Konstantin Kozlov)
Date: Tue, 25 Nov 2008 12:14:04 +0300
Subject: [Freeipa-users] Windows XP client can't login - Solved partially
In-Reply-To: <492B852E.3080400@spbcas.ru>
References: <4912C6FD.805@spbcas.ru> <49142300.1080104@vulturest.com> <49142734.4000008@spbcas.ru> <49142916.5000403@vulturest.com> <49142C7A.5010508@spbcas.ru> <492A93B7.4000406@spbcas.ru> <1227533640.32715.379.camel@localhost.localdomain> <492B852E.3080400@spbcas.ru>
Message-ID: <492BC1DC.2060004@spbcas.ru>

Kozlov wrote:
> Simo Sorce wrote:
>> On Mon, 2008-11-24 at 14:44 +0300, Konstantin Kozlov wrote:
>>> Hello,
>>>
>>> I have not got any reply to the last post in https://www.redhat.com/archives/freeipa-users/2008-November/msg00004.html so I am starting a new thread with a more precise title.
>>>
>>> I have ipaserver 1.2 on Fedora 9 and ipaclient on CentOS 5 with recompiled rpms from RHEL. I want to let an ipauser log in to a Windows XP box.
>>>
>>> Did anybody succeed in such a challenge?
>>>
>>> I have the host principal, I've set up Kerberos on WinXP with ksetup, and got the key into krb5.keytab on ipaserver with a password and enctype des-cbc-crc. But WinXP can't log the ipauser in.
>>>
>>> I've tried rc4-hmac but it made no difference. I have a question concerning this - rc4-hmac is not listed in kdc.conf nor in ldap as a supported enctype, but ipa-getkeytab didn't show an error when I tried to use this enctype. Should I add rc4-hmac in kdc.conf or the ldap entry, or is it irrelevant as WinXP is also said to support des-cbc-crc?
>>>
>>> Thank you,
>>
>> I assume you also installed a GINA dll that can use the kerberos libraries to perform a login?
>
> At what point does GINA come into the picture?
>
> Following the steps from another thread I've run
>
> ksetup /setdomain ...
> ksetup /addkdc ...
> ksetup /setcomputerpassword ...
> ksetup /mapuser ...
>
> And WinXP asks for the login to the Realm, the kdc issues the ticket but WinXP doesn't accept the password. I've mapped the ipauser to winxpuser, not all to Administrator as in https://www.redhat.com/archives/freeipa-users/2008-October/msg00006.html. Can it be a problem?
>

This was a problem :) I've issued

ksetup /mapuser * User

and login now works. klist shows tickets and the tgt now. But I can't access the samba share and the ipa webui. When I try to access the samba share I get

Nov 25 11:40:32 hedgehog.bio.spbcas.ru krb5kdc[30198](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 10.10.1.201: UNKNOWN_SERVER: authtime 1227602267, kkozlov at BIO.SPBCAS.RU for cifs/hedgehog at BIO.SPBCAS.RU, Server not found in Kerberos database

in krb5kdc.log on ipaserver, and when I try the webui (from Firefox 3.0.4 on WinXP after setting it up like on Linux with certificates and negotiation)

Nov 25 12:04:57 hedgehog.bio.spbcas.ru krb5kdc[30198](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 10.10.1.201: ISSUE: authtime 1227602267, etypes {rep=23 tkt=18 ses=23}, kkozlov at BIO.SPBCAS.RU for HTTP/hedgehog.bio.spbcas.ru at BIO.SPBCAS.RU

and a Permission denied page.

I really need samba to work.

Kostya

>> Just setting up kerberos is not enough to allow a login.
>> At least for testing, des-cbc-crc shouldn't be a problem. It would certainly be better to use something stronger in production, but one step at a time :)
>>
>> For a start, does kinit work at all on the WinXP client?
>>
>
> Yes, 'kinit ipauser' accepts the password, but klist doesn't show tickets.
>
> Thanks for the help!
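The two krb5kdc.log lines in the message above carry more than the failure itself: the enctypes the XP client offers, the enctype of the session key the KDC actually issued, and the exact service principal the client asked for. The following is an added example, not code from this thread or from FreeIPA; the function names and the SAMPLE_LOG list are constructed for it, with the thread's two lines reproduced as the KDC writes them (with "@" where the archive prints " at ") plus one unrelated line to show that non-request lines are skipped. It parses such lines and flags three things a defender wants to know: single-DES or export-grade enctypes offered by a client, an issued session key that uses a weak or legacy enctype, and an UNKNOWN_SERVER for a service principal whose host part is a bare short name, which is worth checking against the fully qualified name the service keytab was created for.

```python
import re

# Encryption type numbers from the Kerberos registry (RFC 3961/3962/4757).
# Windows clients also offer negative, private-use numbers; those are not named here.
ETYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac", 24: "rc4-hmac-exp",
}
WEAK_ETYPES = {1, 2, 3, 24}   # single DES and export-grade RC4
LEGACY_ETYPES = {23}          # RC4-HMAC: deprecated, but not broken like DES

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<kdc>\S+) krb5kdc\[\d+\]\((?P<level>\w+)\): "
    r"(?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<offered>[^}]*)\}\) (?P<client_ip>\S+): "
    r"(?P<status>[A-Z_]+): (?P<rest>.*)$")
PRINC_RE = re.compile(r"(?P<client>\S+@\S+) for (?P<server>\S+?)(?:,|$)")
ISSUED_RE = re.compile(r"etypes \{rep=(?P<rep>-?\d+) tkt=(?P<tkt>-?\d+) ses=(?P<ses>-?\d+)\}")

# Constructed sample: the thread's two KDC lines plus one non-request line.
SAMPLE_LOG = [
    "Nov 25 11:40:32 hedgehog.bio.spbcas.ru krb5kdc[30198](info): TGS_REQ (7 etypes "
    "{23 -133 -128 3 1 24 -135}) 10.10.1.201: UNKNOWN_SERVER: authtime 1227602267, "
    "kkozlov@BIO.SPBCAS.RU for cifs/hedgehog@BIO.SPBCAS.RU, Server not found in Kerberos database",
    "Nov 25 12:04:57 hedgehog.bio.spbcas.ru krb5kdc[30198](info): TGS_REQ (7 etypes "
    "{23 -133 -128 3 1 24 -135}) 10.10.1.201: ISSUE: authtime 1227602267, "
    "etypes {rep=23 tkt=18 ses=23}, kkozlov@BIO.SPBCAS.RU for HTTP/hedgehog.bio.spbcas.ru@BIO.SPBCAS.RU",
    "Nov 25 12:05:01 hedgehog.bio.spbcas.ru krb5kdc[30198](info): preauth (timestamp) "
    "verify failure: Decrypt integrity check failed",
]


def etype_name(n):
    """Registry name for an enctype number; negative numbers are private-use."""
    if n in ETYPE_NAMES:
        return ETYPE_NAMES[n]
    return ("vendor-private(%d)" if n < 0 else "unknown(%d)") % n


def parse_kdc_line(line):
    """Parse one AS_REQ/TGS_REQ line of krb5kdc.log into a dict, or None for other lines."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["offered"] = [int(x) for x in rec["offered"].split()]
    p = PRINC_RE.search(rec["rest"])
    rec["client"] = p.group("client") if p else None
    rec["server"] = p.group("server") if p else None
    i = ISSUED_RE.search(rec["rest"])          # only present on ISSUE lines
    rec["issued"] = {k: int(v) for k, v in i.groupdict().items()} if i else None
    return rec


def host_of(principal):
    """Host component of a service principal such as cifs/host@REALM, else None."""
    name = principal.split("@", 1)[0]
    return name.split("/", 1)[1] if "/" in name else None


def analyse(lines):
    """Run the three checks over log lines; returns (kind, subject, detail) tuples."""
    findings = []
    for line in lines:
        rec = parse_kdc_line(line)
        if rec is None:
            continue
        weak = sorted(e for e in rec["offered"] if e in WEAK_ETYPES)
        if weak:
            findings.append(("weak-etype-offered", rec["client_ip"],
                             [etype_name(e) for e in weak]))
        if rec["status"] == "UNKNOWN_SERVER" and rec["server"]:
            host = host_of(rec["server"])
            if host and "." not in host:
                # Short host name in the SPN: compare with the FQDN in the keytab.
                findings.append(("short-hostname-spn", rec["server"], host))
            else:
                findings.append(("unknown-server", rec["server"], ""))
        if rec["issued"] and rec["issued"]["ses"] in WEAK_ETYPES | LEGACY_ETYPES:
            findings.append(("weak-session-key", rec["server"],
                             etype_name(rec["issued"]["ses"])))
    return findings


if __name__ == "__main__":
    for kind, subject, detail in analyse(SAMPLE_LOG):
        print(kind, subject, detail)
```

On the thread's lines the parser reports that the XP client offers des-cbc-crc, des-cbc-md5 and rc4-hmac-exp on every request, that the HTTP ticket was issued with an AES256 ticket key but an RC4 session key, and that the CIFS request names the server as a bare "hedgehog" rather than the fully qualified host the other principals use, which is the first thing to compare against the entries in the Samba host's keytab.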
>
> Kostya
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>

From goetz.reinicke at filmakademie.de Wed Nov 26 14:17:47 2008
From: goetz.reinicke at filmakademie.de (Götz Reinicke)
Date: Wed, 26 Nov 2008 15:17:47 +0100
Subject: [Freeipa-users] Some questions - using LDAP and mac os x version
Message-ID: <492D5A8B.3040901@filmakademie.de>

Hi,

recently I started to investigate freeIPA as we do have a lot of windows
and mac os x clients and mostly RH EL 5.x Servers.

I set up a test server and installed and followed the instructions from
the FreeIPA documentation homepage.

At most I'm interested in authenticating mac os x clients so I started
to test the client installation. As for the moment I have only 10.5
Clients; the doc refers to 10.4.

After some steps I saw that some parameters and options are different,
so I stopped :).

My questions:

Is freeIPA usable with 10.5? If so, what has to be changed?
May I help by providing my experience?

Can I use freeIPA also as an LDAP directory for e.g. E-Mail-Clients like
thunderbird to look up addresses?

Thanks and best regards.

Götz

--
Götz Reinicke
IT Coordinator

Tel. +49 7141 969 420
Fax +49 7141 969 55 420
E-Mail goetz.reinicke at filmakademie.de

Filmakademie Baden-Württemberg GmbH
Mathildenstr. 20
71638 Ludwigsburg
www.filmakademie.de

Registered at Amtsgericht Stuttgart HRB 205016
Chair of the Supervisory Board: Prof. Dr. Claudia Hübner, State Councillor for Demographic Change and for Seniors in the State Ministry
Managing Director: Prof.
Thomas Schadt

From ssorce at redhat.com Wed Nov 26 15:09:02 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 26 Nov 2008 10:09:02 -0500
Subject: [Freeipa-users] Windows XP client can't login - Solved partially
In-Reply-To: <492BC1DC.2060004@spbcas.ru>
References: <4912C6FD.805@spbcas.ru> <49142300.1080104@vulturest.com> <49142734.4000008@spbcas.ru> <49142916.5000403@vulturest.com> <49142C7A.5010508@spbcas.ru> <492A93B7.4000406@spbcas.ru> <1227533640.32715.379.camel@localhost.localdomain> <492B852E.3080400@spbcas.ru> <492BC1DC.2060004@spbcas.ru>
Message-ID: <1227712142.3838.21.camel@localhost.localdomain>

On Tue, 2008-11-25 at 12:14 +0300, Konstantin Kozlov wrote:
> Kozlov wrote:
> > Simo Sorce wrote:
> >> On Mon, 2008-11-24 at 14:44 +0300, Konstantin Kozlov wrote:
> >>> Hello,
> >>>
> >>> I had not got any reply on the last post in
> >>> https://www.redhat.com/archives/freeipa-users/2008-November/msg00004.html
> >>>
> >>> so I start a new thread with a more precise title.
> >>>
> >>> I have ipaserver 1.2 on Fedora 9 and ipaclient on CentOS 5 with
> >>> recompiled rpms from RHEL. I want to let an ipauser log in to a
> >>> Windows XP box.
> >>>
> >>> Did anybody succeed in such a challenge?
> >>>
> >>> I have the host principal, I've set up Kerberos on WinXP with
> >>> ksetup, and got the key into krb5.keytab on ipaserver with password
> >>> and enctype des-cbc-crc. But WinXP can't log the ipauser in.
> >>>
> >>> I've tried rc4-hmac but it made no difference. I have a question
> >>> concerning this - rc4-hmac is listed neither in kdc.conf nor in ldap
> >>> as a supported enctype, but ipa-getkeytab didn't show an error when I tried
> >>> to use this enctype. Should I add rc4-hmac in kdc.conf or the ldap entry, or
> >>> is it irrelevant as WinXP is also said to support des-cbc-crc?
> >>>
> >>> Thank you,
> >>
> >> I assume you also installed a GINA dll that can use the kerberos
> >> libraries to perform a login ?
> >
> > At what place does GINA come into the scene?
> >
> > Following the steps from another thread I've run
> >
> > ksetup /setdomain ...
> > ksetup /addkdc ...
> > ksetup /setcomputerpassword ...
> > ksetup /mapuser ...
> >
> > And WinXP asks for the login to Realm, kdc issues the ticket but WinXP
> > doesn't accept the password. I've mapped the ipauser to winxpuser, not
> > all to Administrator as in
> > https://www.redhat.com/archives/freeipa-users/2008-October/msg00006.html.
> > Can it be a problem?
> >
>
> This was a problem :) I've issued
> ksetup /mapuser * User
> and login now works.
>
> klist shows tickets and tgt now.
>
> But I can't access the samba share and ipa webui.
>
> When I try to access the samba share I get
>
> Nov 25 11:40:32 hedgehog.bio.spbcas.ru krb5kdc[30198](info): TGS_REQ (7
> etypes {23 -133 -128 3 1 24 -135}) 10.10.1.201: UNKNOWN_SERVER: authtime
> 1227602267, kkozlov@BIO.SPBCAS.RU for cifs/hedgehog@BIO.SPBCAS.RU,
> Server not found in Kerberos database

You need to get a keytab for samba using the principal:
cifs/hedgehog@BIO.SPBCAS.RU, then you need to tell samba to use that
keytab.

> in krb5kdc.log on ipaserver
>
> and when I try the webui (from Firefox 3.0.4 on WinXP after setting it up
> like on Linux with certificates and negotiation)
>
> Nov 25 12:04:57 hedgehog.bio.spbcas.ru krb5kdc[30198](info): TGS_REQ (7
> etypes {23 -133 -128 3 1 24 -135}) 10.10.1.201: ISSUE: authtime
> 1227602267, etypes {rep=23 tkt=18 ses=23}, kkozlov@BIO.SPBCAS.RU for
> HTTP/hedgehog.bio.spbcas.ru@BIO.SPBCAS.RU

You need to check if WinXP gets a forwardable ticket by default.
Check it with klist -f

Simo.
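Added example (not part of Simo's reply or of FreeIPA itself): a small POSIX sh helper that picks the service principals a krb5kdc.log reports as UNKNOWN_SERVER, as in the cifs/hedgehog line quoted above, and prints the keytab steps Simo describes. The sample log lines are constructed from the ones in this thread; the IPA server name, keytab path, the IPA 1.x `ipa-addservice` step and the smb.conf keys are assumptions for the example.

```shell
#!/bin/sh
# Added example: find the service principals a KDC could not locate and
# print the steps that give the service a keytab. Not FreeIPA's own code.
# Constructed sample, modelled on the two log lines quoted in this thread
# (the "@" that the list archive rewrote as " at " is restored here).
KDC_LOG_SAMPLE='Nov 25 11:40:32 hedgehog.bio.spbcas.ru krb5kdc[30198](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 10.10.1.201: UNKNOWN_SERVER: authtime 1227602267, kkozlov@BIO.SPBCAS.RU for cifs/hedgehog@BIO.SPBCAS.RU, Server not found in Kerberos database
Nov 25 12:04:57 hedgehog.bio.spbcas.ru krb5kdc[30198](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 10.10.1.201: ISSUE: authtime 1227602267, etypes {rep=23 tkt=18 ses=23}, kkozlov@BIO.SPBCAS.RU for HTTP/hedgehog.bio.spbcas.ru@BIO.SPBCAS.RU'

# Print, one per line and deduplicated, every service principal the KDC
# could not find. Only TGS_REQ lines that ended in UNKNOWN_SERVER qualify;
# an ISSUE line means the KDC knew the service, so it is skipped.
missing_service_principals() {
    printf '%s\n' "$1" |
        grep 'TGS_REQ.*UNKNOWN_SERVER' |
        sed -n 's/.* for \([^,]*\),.*/\1/p' |
        sort -u
}

# Build the ipa-getkeytab invocation that fetches a keytab for one principal.
# $1 principal, $2 IPA server, $3 keytab path. -s/-p/-k are real ipa-getkeytab
# options; the keytab path is whatever the service is later told to read.
keytab_fetch_command() {
    printf 'ipa-getkeytab -s %s -p %s -k %s\n' "$2" "$1" "$3"
}

# Walk the sample and print the fix for each missing service principal.
# The server name and keytab path below are assumptions for the example.
missing_service_principals "$KDC_LOG_SAMPLE" | while read -r princ; do
    echo "# KDC has no entry for $princ: create the service, then fetch its key"
    echo "ipa-addservice $princ    # creates the service entry in IPA 1.x (assumed)"
    keytab_fetch_command "$princ" hedgehog.bio.spbcas.ru /etc/samba/samba.keytab
    echo "# then point the service at that file, e.g. in smb.conf (Samba 3.4+ syntax, assumed):"
    echo "#   kerberos method = dedicated keytab"
    echo "#   dedicated keytab file = /etc/samba/samba.keytab"
done
```

Run it against a real log with `missing_service_principals "$(cat /var/log/krb5kdc.log)"`; the keytab file must be readable only by the account samba runs as.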
--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Wed Nov 26 15:09:59 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 26 Nov 2008 10:09:59 -0500
Subject: [Freeipa-users] nss_ldap: Can't contact LDAP server
In-Reply-To:
References:
Message-ID: <1227712199.3838.23.camel@localhost.localdomain>

On Fri, 2008-11-21 at 18:57 +0100, Edward Popoola wrote:
> Hello all,
>
> I just joined this list and I was wondering if anyone could help with
> my problem or provide a link to a similar discussion if it has been
> held before.
>
> I successfully installed the redhat IPA on the server and on one
> client for starters. On the server, after creating ipa users through
> the web interface, I'm able to switch to the new ipa user (I had to
> add the pam_mkdir module to the login and su pam.d files)
>
> However trying to switch user from the ipa-client is telling me
> 'account does not exist' ...
>
> Part of my /etc/nsswitch file on the client and on the server has the
> entry
>
> passwd: files ldap
> shadow: files ldap
> group: files ldap
>
> The log file on the ipa-client is given below:
>
> Nov 21 14:12:33 phbdnssrv su: nss_ldap: failed to bind to LDAP server
> ldap://ipaserver.mydomain.com: Can't contact LDAP server
> Nov 21 14:12:33 phbdnssrv su: nss_ldap: could not search LDAP server -
> Server is unavailable
> Nov 21 15:44:49 phbdnssrv su: nss_ldap: failed to bind to LDAP server
> ldap://ipaserver.mydomain.com: Can't contact LDAP server
> Nov 21 15:44:49 phbdnssrv su: nss_ldap: could not search LDAP server -
> Server is unavailable

You probably have network issues or a firewall blocking your access to
the ldap server.

Simo.
--
Simo Sorce * Red Hat, Inc * New York

From dpal at redhat.com Wed Nov 26 15:11:05 2008
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 26 Nov 2008 10:11:05 -0500
Subject: [Freeipa-users] Some questions - using LDAP and mac os x version
In-Reply-To: <492D5A8B.3040901@filmakademie.de>
References: <492D5A8B.3040901@filmakademie.de>
Message-ID: <492D6709.8080508@redhat.com>

Götz Reinicke wrote:
> Hi,
>
> recently I started to investigate freeIPA as we do have a lot of windows
> and mac os x clients and mostly RH EL 5.x Servers.
>
> I set up a test server and installed and followed the instructions from
> the FreeIPA documentation homepage.
>
> At most I'm interested in authenticating mac os x clients so I started
> to test the client installation. As for the moment I have only 10.5
> Clients; the doc refers to 10.4.
>
> After some steps I saw that some parameters and options are different,
> so I stopped :).
>
> My questions:
>
> Is freeIPA usable with 10.5? If so, what has to be changed?
>
Probably yes but we do not know for sure.

> May I help by providing my experience?
>
Yes. Please. If you can share your experience about configuring 10.5 it
would be really great.

> Can I use freeIPA also as an LDAP directory for e.g. E-Mail-Clients like
> thunderbird to look up addresses?
>
Yes. IPA is a directory. When configuring lookups please keep in mind
that IPA has a flat tree of user accounts.
http://www.freeipa.org/page/Image:IPA-DIT.png

> Thanks and best regards.
>
> Götz
>

From edwardpopoola at gmail.com Wed Nov 26 16:17:28 2008
From: edwardpopoola at gmail.com (Edward Popoola)
Date: Wed, 26 Nov 2008 17:17:28 +0100
Subject: [Freeipa-users] nss_ldap: Can't contact LDAP server
In-Reply-To: <1227712199.3838.23.camel@localhost.localdomain>
References: <1227712199.3838.23.camel@localhost.localdomain>
Message-ID:

Thank you. I was able to establish connectivity again after disabling
the firewall.
On Wed, Nov 26, 2008 at 4:09 PM, Simo Sorce wrote:
> On Fri, 2008-11-21 at 18:57 +0100, Edward Popoola wrote:
> > Hello all,
> >
> > I just joined this list and I was wondering if anyone could help with
> > my problem or provide a link to a similar discussion if it has been
> > held before.
> >
> > I successfully installed the redhat IPA on the server and on one
> > client for starters. On the server, after creating ipa users through
> > the web interface, I'm able to switch to the new ipa user (I had to
> > add the pam_mkdir module to the login and su pam.d files)
> >
> > However trying to switch user from the ipa-client is telling me
> > 'account does not exist' ...
> >
> > Part of my /etc/nsswitch file on the client and on the server has the
> > entry
> >
> > passwd: files ldap
> > shadow: files ldap
> > group: files ldap
> >
> > The log file on the ipa-client is given below:
> >
> > Nov 21 14:12:33 phbdnssrv su: nss_ldap: failed to bind to LDAP server
> > ldap://ipaserver.mydomain.com: Can't contact LDAP server
> > Nov 21 14:12:33 phbdnssrv su: nss_ldap: could not search LDAP server -
> > Server is unavailable
> > Nov 21 15:44:49 phbdnssrv su: nss_ldap: failed to bind to LDAP server
> > ldap://ipaserver.mydomain.com: Can't contact LDAP server
> > Nov 21 15:44:49 phbdnssrv su: nss_ldap: could not search LDAP server -
> > Server is unavailable
>
> You probably have network issues or a firewall blocking your access to
> the ldap server.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>

--
Edward Popoola (RHCE, SCSA, C|EH)