[Freeipa-users] Re: Freeipa-users Digest, Vol 4, Issue 5
luis lugo
luis_lugo74 at yahoo.com
Mon Nov 10 02:01:04 UTC 2008
Hi all,
I need help migrating a NIS server to FreeIPA. What is the way to import an LDIF file into FreeIPA?
Thanks.
--- On Fri 7-Nov-08, freeipa-users-request at redhat.com <freeipa-users-request at redhat.com> wrote:
From: freeipa-users-request at redhat.com <freeipa-users-request at redhat.com>
Subject: Freeipa-users Digest, Vol 4, Issue 5
To: freeipa-users at redhat.com
Date: Friday, 7 November 2008, 5:00 pm
Send Freeipa-users mailing list submissions to
freeipa-users at redhat.com
To subscribe or unsubscribe via the World Wide Web, visit
https://www.redhat.com/mailman/listinfo/freeipa-users
or, via email, send a message with subject or body 'help' to
freeipa-users-request at redhat.com
You can reach the person managing the list at
freeipa-users-owner at redhat.com
When replying, please edit your Subject line so it is more specific
than "Re: Contents of Freeipa-users digest..."
Today's Topics:
1. Re: Need help with Solaris Host Based access control
(Christian Horn)
2. Re: Windows clients problem (Konstantin Kozlov)
3. Re: Windows clients problem (Konstantin Kozlov)
4. Re: [Freeipa-devel] Re: [Freeipa-users] Need help with
Solaris Host Based access control (Dmitri Pal)
----------------------------------------------------------------------
Message: 1
Date: Fri, 7 Nov 2008 09:13:30 +0100
From: Christian Horn <chorn at fluxcoil.net>
Subject: Re: [Freeipa-users] Need help with Solaris Host Based access
control
To: Dmitri Pal <dpal at redhat.com>
Cc: freeipa-devel <freeipa-devel at redhat.com>, freeipa-users at redhat.com
Message-ID: <20081107081330.GA13820 at fluxcoil.net>
Content-Type: text/plain; charset=us-ascii
Mornings,
On Wed, Nov 05, 2008 at 03:49:07PM -0500, Dmitri Pal wrote:
>
> The instructions are based on the ability of the pam_access PAM module
> to check the access control rules specified in the access.conf.
> The group information can be retrieved from the IPA server via nss_ldap.
>
> We tried to find similar functionality on other OS's. We spotted PAM
> modules on HP-UX and AIX that are responsible for the similar
> authorization checks.
>
> But we are stuck with Solaris. All our investigations about similar
> functionality in Solaris bear no fruits. We saw pam_roles and
> pam_unix_account on Solaris but they do not seem to accomplish what we
> are trying to do.
>
> We are looking for some help and advice from Solaris experts on this
> functionality.
Checked with Solaris guys, this is in use for pure LDAP authentication/authorization.
Apparently, just after hooking up a Solaris box to an LDAP, no user
is allowed to log in.
The permissions to log in are handled by this:
a) entries in /etc/passwd, containing names of NIS netgroups
whose members are allowed to log in, e.g.
    +@netgroup1::::::
b) entries in /etc/shadow, containing names of NIS netgroups
whose members are allowed to log in, e.g.
    +@netgroup1::::::::
(that's 8 colons vs. 6 on the /etc/passwd entries)
c) entries in /etc/nsswitch.conf for this to work:
    passwd: compat
    passwd_compat: ldap [NOTFOUND=return]
I don't use this myself on Solaris boxen, but it should be enough to see
the Solaris way to handle those login authorizations.
Christian
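As an added example (not from Christian's message or the FreeIPA project), a small Python audit of the compat-mode pieces he lists: the +@netgroup entries in /etc/passwd (6 colons) and /etc/shadow (8 colons), and the passwd/passwd_compat lines in nsswitch.conf. The file contents are constructed samples, and "ops" is a hypothetical netgroup name.

```python
# Added example (not from the thread): check the Solaris compat-mode pieces Christian lists.
PASSWD_FIELDS = 7   # "+@netgroup1::::::"   -> 6 colons, 7 fields
SHADOW_FIELDS = 9   # "+@netgroup1::::::::" -> 8 colons, 9 fields

def netgroup_entries(text, expected_fields):
    """Return [(netgroup, field_count_ok)] for every '+@' line in a passwd/shadow body."""
    found = []
    for line in text.splitlines():
        if line.startswith("+@"):
            fields = line.split(":")
            found.append((fields[0][2:], len(fields) == expected_fields))
    return found

def nsswitch_uses_compat(text):
    """True when nsswitch.conf routes passwd through compat and compat through ldap."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]          # drop comments
        if ":" in line:
            key, value = line.split(":", 1)
            conf[key.strip()] = value.strip()
    return conf.get("passwd") == "compat" and conf.get("passwd_compat", "").startswith("ldap")

def audit(passwd, shadow, nsswitch):
    """Report deviations from the passwd/shadow/nsswitch layout described in the thread."""
    pw = netgroup_entries(passwd, PASSWD_FIELDS)
    sh = netgroup_entries(shadow, SHADOW_FIELDS)
    findings = [f"passwd: +@{n} needs exactly {PASSWD_FIELDS - 1} colons" for n, ok in pw if not ok]
    findings += [f"shadow: +@{n} needs exactly {SHADOW_FIELDS - 1} colons" for n, ok in sh if not ok]
    pw_names, sh_names = {n for n, _ in pw}, {n for n, _ in sh}
    findings += [f"shadow: no +@{n} entry to match passwd" for n in sorted(pw_names - sh_names)]
    findings += [f"passwd: no +@{n} entry to match shadow" for n in sorted(sh_names - pw_names)]
    if not nsswitch_uses_compat(nsswitch):
        findings.append("nsswitch.conf: need 'passwd: compat' and 'passwd_compat: ldap ...'")
    return findings

# Constructed sample files; "ops" is a hypothetical netgroup written with one colon too few.
SAMPLE_PASSWD = "root:x:0:0:Super-User:/:/sbin/sh\n+@netgroup1::::::\n+@ops:::::\n"
SAMPLE_SHADOW = "root:NP:6445::::::\n+@netgroup1::::::::\n"
SAMPLE_NSSWITCH = "passwd: compat\npasswd_compat: ldap [NOTFOUND=return]\ngroup: files ldap\n"

if __name__ == "__main__":
    for finding in audit(SAMPLE_PASSWD, SAMPLE_SHADOW, SAMPLE_NSSWITCH):
        print(finding)
```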
------------------------------
Message: 2
Date: Fri, 07 Nov 2008 14:32:04 +0300
From: Konstantin Kozlov <kozlov at spbcas.ru>
Subject: Re: [Freeipa-users] Windows clients problem
To: freeipa-users at redhat.com
Message-ID: <49142734.4000008 at spbcas.ru>
Content-Type: text/plain; charset=KOI8-R; format=flowed
Hello,
Johan Venter wrote:
> Konstantin Kozlov wrote:
>> WinXP machine asks to login to Kerberos realm at login screen, but
>> doesn't let me in. The krb5 log file on IPA server shows that ticket
>> was issued. I can get ticket with MIT Kerberos from WinXP machine but
>> I can't access samba share.
>
> I had to add -e des-cbc-crc to the ipa-getkeytab command line I used to
> generate the Windows host principal and set the password before Windows
> login to the Kerberos realm would work.
>
> Windows XP/Server 2003 doesn't support useful encryption mechanisms.
>
I did that also and that didn't work. Do I need to install the keytab on
WinXP machine? If yes, how?
Thank you,
--
Konstantin Kozlov
Department of Computational Biology,
Center for Advanced Studies,
SPb State Polytechnical University,
195251, Polytechnicheskaya ul., 29,
bld 4, office 204,
St.Petersburg, Russia.
Tel./fax: +7 812 596 2831
------------------------------
Message: 3
Date: Fri, 07 Nov 2008 14:54:34 +0300
From: Konstantin Kozlov <kozlov at spbcas.ru>
Subject: Re: [Freeipa-users] Windows clients problem
To: freeipa-users at redhat.com
Message-ID: <49142C7A.5010508 at spbcas.ru>
Content-Type: text/plain; charset=KOI8-R; format=flowed
Thank you for the help!
After another round of googling I've found that XP uses rc4-hmac... I'll
try that next day.
Johan Venter wrote:
> Konstantin Kozlov wrote:
>> Hello,
>>
>> Johan Venter wrote:
>>> Konstantin Kozlov wrote:
>>>> WinXP machine asks to login to Kerberos realm at login screen, but
>>>> doesn't let me in. The krb5 log file on IPA server shows that ticket
>>>> was issued. I can get ticket with MIT Kerberos from WinXP machine
>>>> but I can't access samba share.
>>>
>>> I had to add -e des-cbc-crc to the ipa-getkeytab command line I used
>>> to generate the Windows host principal and set the password before
>>> Windows login to the Kerberos realm would work.
>>>
>>> Windows XP/Server 2003 doesn't support useful encryption mechanisms.
>>>
>>
>> I did that also and that didn't work. Do I need to install the keytab
>> on WinXP machine? If yes, how?
>>
>
> Hmm .. I had to use the latest version of ipa-getkeytab (which supported
> the password option - I compiled my own RPMs for CentOS) and between
> that, the -e option and ksetup /setcomputerpassword it finally worked
> on my Windows Server 2003 machines.
>
> Maybe there is something different with XP machines, all I can suggest
> is try the different encryption types and see what works (DES generally,
> no AES or SHA hashes).
>
> Johan
>
--
Konstantin Kozlov
Department of Computational Biology,
Center for Advanced Studies,
SPb State Polytechnical University,
195251, Polytechnicheskaya ul., 29,
bld 4, office 204,
St.Petersburg, Russia.
Tel./fax: +7 812 596 2831
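As an added example (not from Johan's or Konstantin's messages, nor a FreeIPA tool), a Python check that reads `klist -k -e` output and flags keys of the single-DES and RC4 types discussed above, so a keytab that was widened to satisfy an XP client can be found again once that client is gone. The klist output, hostnames and realm are constructed samples.

```python
# Added example (not from the thread): flag legacy Kerberos enctypes in `klist -k -e` output.
import re

# Single DES, the type Johan had to add with "-e des-cbc-crc" for Windows XP/2003.
WEAK = {"des-cbc-crc", "des-cbc-md5"}
# RC4, which Konstantin found XP uses; still far behind the AES types.
LEGACY = {"arcfour-hmac", "rc4-hmac", "arcfour-hmac-md5"}
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\S+)\)")

def parse_klist(output):
    """Return {principal: {kvno: set(enctypes)}} from MIT `klist -k -e` text."""
    table = {}
    for line in output.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            kvno, princ, etype = int(m.group(1)), m.group(2), m.group(3)
            table.setdefault(princ, {}).setdefault(kvno, set()).add(etype)
    return table

def classify(etype):
    """'weak' for single DES, 'legacy' for RC4, 'ok' for anything else (AES etc.)."""
    if etype in WEAK:
        return "weak"
    if etype in LEGACY:
        return "legacy"
    return "ok"

def audit(output):
    """List (principal, kvno, enctype, verdict) for every key that is not 'ok'."""
    findings = []
    for princ, kvnos in parse_klist(output).items():
        for kvno, etypes in sorted(kvnos.items()):
            for etype in sorted(etypes):
                verdict = classify(etype)
                if verdict != "ok":
                    findings.append((princ, kvno, etype, verdict))
    return findings

# Constructed sample in the layout MIT klist prints; hostnames and realm are placeholders.
SAMPLE = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/winxp.example.com@EXAMPLE.COM (des-cbc-crc)
   2 host/winxp.example.com@EXAMPLE.COM (arcfour-hmac)
   5 host/ipa.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   5 host/ipa.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
"""

if __name__ == "__main__":
    for princ, kvno, etype, verdict in audit(SAMPLE):
        print(f"{verdict:6} kvno={kvno} {princ} {etype}")
```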
------------------------------
Message: 4
Date: Fri, 07 Nov 2008 09:27:00 -0500
From: Dmitri Pal <dpal at redhat.com>
Subject: Re: [Freeipa-devel] Re: [Freeipa-users] Need help with
Solaris Host Based access control
To: Christian Horn <chorn at fluxcoil.net>
Cc: freeipa-devel <freeipa-devel at redhat.com>, freeipa-users at redhat.com
Message-ID: <49145034.8030409 at redhat.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Thank you Christian!
I will dig more into it.
Dmitri
Christian Horn wrote:
> Mornings,
>
> On Wed, Nov 05, 2008 at 03:49:07PM -0500, Dmitri Pal wrote:
>
>> The instructions are based on the ability of the pam_access PAM module
>> to check the access control rules specified in the access.conf.
>> The group information can be retrieved from the IPA server via nss_ldap.
>>
>> We tried to find similar functionality on other OS's. We spotted PAM
>> modules on HP-UX and AIX that are responsible for the similar
>> authorization checks.
>>
>> But we are stuck with Solaris. All our investigations about similar
>> functionality in Solaris bear no fruits. We saw pam_roles and
>> pam_unix_account on Solaris but they do not seem to accomplish what we
>> are trying to do.
>>
>> We are looking for some help and advice from Solaris experts on this
>> functionality.
>>
>
> Checked with Solaris guys, this is in use for pure LDAP authentication/authorization.
> Apparently, just after hooking up a Solaris box to an LDAP, no user
> is allowed to log in.
>
> The permissions to log in are handled by this:
>
> a) entries in /etc/passwd, containing names of NIS netgroups
> whose members are allowed to log in, e.g.
>
>     +@netgroup1::::::
>
> b) entries in /etc/shadow, containing names of NIS netgroups
> whose members are allowed to log in, e.g.
>
>     +@netgroup1::::::::
> (that's 8 colons vs. 6 on the /etc/passwd entries)
>
> c) entries in /etc/nsswitch.conf for this to work:
>
>     passwd: compat
>     passwd_compat: ldap [NOTFOUND=return]
>
>
> I don't use this myself on Solaris boxen, but it should be enough to see
> the Solaris way to handle those login authorizations.
>
>
> Christian
------------------------------
_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
End of Freeipa-users Digest, Vol 4, Issue 5
*******************************************