From fraginhell at gmail.com  Mon Sep  1 01:49:54 2008
From: fraginhell at gmail.com (Fraginhell)
Date: Mon, 1 Sep 2008 11:49:54 +1000
Subject: [Freeipa-users] FreeIPA Installation / Configuration
Message-ID: <9584ef450808311849v7a660d5am8bba0d4e1f6611@mail.gmail.com>

Hi Everyone.

I have just installed the FreeIPA server onto a Fedora Core 9 Base
(fresh install) running on VMware server.
I've installed the ipa server with --setup-bind --no-ntp options.
Following the installation instructions I can get a ticket and
successfully return ipa-finduser admin.

My problem is trying to view the web gui.

My Kerb Realm is .labs.myexample.com
I have firefox setup with .labs.myexample.com
network.negotiate-auth.trusted-uris .labs.myexample.com
network.negotiate-auth.delegation-uris .labs.myexample.com
network.negotiate-auth.using-native-gsslib true

I've hit the button "configure firefox" and it tells me it is now set up
for single sign on, but if I check /var/log/httpd/error.log I get
this message gss_accept_sec_context() failed: Invalid token was
supplied (No error).

I have deleted the CA and repeated the step a few times.

I can't get past this point at the moment, have I missed something,
any advice please?

Thanks

Keith.

From rcritten at redhat.com  Tue Sep  2 19:05:52 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 02 Sep 2008 15:05:52 -0400
Subject: [Freeipa-users] FreeIPA Installation / Configuration
In-Reply-To: <9584ef450808311849v7a660d5am8bba0d4e1f6611@mail.gmail.com>
References: <9584ef450808311849v7a660d5am8bba0d4e1f6611@mail.gmail.com>
Message-ID: <48BD8E90.3070000@redhat.com>

Fraginhell wrote:
> Hi Everyone.
> I have just installed the FreeIPA server onto a Fedora Core 9 Base
> (fresh install) running on VMware server.
> I've installed the ipa server with --setup-bind --no-ntp options.
> Following the installation instructions I can get a ticket and
> successfully return ipa-finduser admin.
> My problem is trying to view the web gui.
> My Kerb Realm is .labs.myexample.com
> I have firefox setup with .labs.myexample.com
> network.negotiate-auth.trusted-uris .labs.myexample.com
> network.negotiate-auth.delegation-uris .labs.myexample.com
> network.negotiate-auth.using-native-gsslib true
> I've hit the button "configure firefox" and it tells me it is now set up
> for single sign on, but if I check /var/log/httpd/error.log I get
> this message gss_accept_sec_context() failed: Invalid token was
> supplied (No error).
> I have deleted the CA and repeated the step a few times.
> I can't get past this point at the moment, have I missed something,
> any advice please?

You can learn how to debug on the client side here:
http://people.redhat.com/mikeb/negotiate/

Also check /var/log/krb5kdc.log on the IPA server. It may contain useful
information about the kerberos request.

rob

From levchenko.i at gmail.com  Thu Sep  4 21:15:55 2008
From: levchenko.i at gmail.com (Ivan Levchenko)
Date: Fri, 5 Sep 2008 00:15:55 +0300
Subject: [Freeipa-users] upstream ipa on centos inside openvz container
Message-ID:

I'm trying to install rh ipa server on centos 5.2. I downloaded the
srpms and built them on centos 5.2. They installed perfectly (via yum
localinstall to handle the dependencies).

While going through the ipa-server-install script, while starting,
ns-slapd seg faults. I did some digging and when I turned on debugging
for ns-slapd, here is what I found out:

[04/Sep/2008:09:32:16 -0700] - dse_read_one_file processing entry
"cn=config" in file /etc/dirsrv/slapd-MYDOMAIN-COM/dse.ldif (primary
file)
Segmentation fault

This is all going on inside a centos host node running openvz and a
centos 5.2 container.

Does anybody have some exp. with ipa? I'm a bit lost here.
I'm installing it in the first place to have a unified directory for
the users/emails/permissions.

Thanks in advance.

--
Best Regards,
Ivan Levchenko
levchenko.i at gmail.com

From anmar at anmar.eu.org  Fri Sep  5 06:56:16 2008
From: anmar at anmar.eu.org (Angel Marin)
Date: Fri, 05 Sep 2008 08:56:16 +0200
Subject: [Freeipa-users] upstream ipa on centos inside openvz container
In-Reply-To:
References:
Message-ID: <48C0D810.2020304@anmar.eu.org>

Ivan Levchenko wrote:
> I'm trying to install rh ipa server on centos 5.2. I downloaded the
> srpms and built them on centos 5.2. They installed perfectly (via yum
> localinstall to handle the dependencies).
>
> While going through the ipa-server-install script, while starting,
> ns-slapd seg faults. I did some digging and when I turned on debugging
> for ns-slapd, here is what I found out:
>
> [04/Sep/2008:09:32:16 -0700] - dse_read_one_file processing entry
> "cn=config" in file /etc/dirsrv/slapd-MYDOMAIN-COM/dse.ldif (primary
> file)
> Segmentation fault
>
> This is all going on inside a centos host node running openvz and a
> centos 5.2 container.
>
> Does anybody have some exp. with ipa? I'm a bit lost here.
>
> I'm installing it in the first place to have a unified directory for
> the users/emails/permissions.

When we did the first tests here, the slapd setup scripts seemed to be
kind of buggy while dealing with input it doesn't like. For example a
directory service admin password containing some special chars (can't
remember which) generated an invalid dse.ldif config section. To make
things worse slapd segfaulted instead of dealing with it more gracefully.

Try running ns-slapd with debug enabled or inside gdb, it should give
you a hint on what attribute is making it choke.
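The thread goes on to pin the crash on a concrete defect: the setup script wrote an empty nsslapd-rootpw into dse.ldif, and ns-slapd segfaulted on it instead of refusing to start. The Python below is an added example, not FreeIPA or Fedora Directory Server code: a pre-flight check that parses the generated dse.ldif and reports a missing or empty root password before the server is started, plus an LDIF value writer that base64-encodes any value RFC 2849 will not carry in plain form, so an awkward character can never silently become an empty attribute. The cn=config entry name and the {SCHEME}hash shape of a hashed nsslapd-rootpw are assumptions; the dse.ldif fragments are constructed for the demo.

```python
# Added example (not FreeIPA or 389/Fedora Directory Server code): pre-flight
# check of a generated dse.ldif, plus an RFC 2849-safe LDIF value writer.
# Assumptions: the root password is nsslapd-rootpw on the cn=config entry and
# a hashed value looks like {SCHEME}base64 (e.g. {SSHA}...).
import base64
import re

ATTR_RE = re.compile(r"^([A-Za-z][\w.;-]*)(::?) ?(.*)$")


def parse_ldif(text):
    """Minimal RFC 2849 reader: list of (dn, {attr: [values]}), DN and attribute
    names lowercased. Handles folded continuation lines, '#' comments and
    'attr:: base64' values; URL values ('attr:< ...') are not needed here."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]          # continuation of the previous line
        else:
            unfolded.append(line)
    entries, dn, attrs = [], None, {}
    for line in unfolded + [""]:              # sentinel flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        m = ATTR_RE.match(line)
        if not m:
            raise ValueError(f"malformed LDIF line: {line!r}")
        name, sep, raw = m.groups()
        value = base64.b64decode(raw).decode("utf-8", "replace") if sep == "::" else raw
        if name.lower() == "dn":
            dn = value.strip().lower()
        else:
            attrs.setdefault(name.lower(), []).append(value)
    return entries


def check_rootpw(entries):
    """Problems with nsslapd-rootpw under cn=config; [] means safe to start slapd."""
    config = dict(entries).get("cn=config")
    if config is None:
        return ["no cn=config entry found"]
    values = config.get("nsslapd-rootpw", [])
    if not values:
        return ["nsslapd-rootpw is missing"]
    problems = []
    for v in values:
        if not v.strip():
            problems.append("nsslapd-rootpw is empty")
        elif not re.fullmatch(r"\{[A-Za-z0-9]+\}\S+", v):
            problems.append(f"nsslapd-rootpw is not in {{SCHEME}}hash form: {v!r}")
    return problems


# RFC 2849 SAFE-STRING: first char may not be NUL, LF, CR, SPACE, ':' or '<';
# no char may be NUL, LF, CR or above 0x7F. A trailing space is also unsafe
# because readers strip it. Anything else goes out base64-encoded.
SAFE_INIT = re.compile(r"[\x01-\x09\x0b\x0c\x0e-\x1f\x21-\x39\x3b\x3d-\x7f]")
SAFE_REST = re.compile(r"[\x01-\x09\x0b\x0c\x0e-\x7f]*")


def ldif_line(attr, value):
    """Emit 'attr: value', or 'attr:: base64' when the value is not LDIF-safe."""
    if value == "":
        return f"{attr}:"
    safe = (SAFE_INIT.match(value) is not None
            and SAFE_REST.fullmatch(value[1:]) is not None
            and not value.endswith(" "))
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


# Constructed dse.ldif fragments: the broken shape described in the thread
# (empty rootpw) and a healthy one using a folded continuation line.
DSE_BROKEN = "\n".join([
    "dn: cn=config",
    "cn: config",
    "objectClass: top",
    "objectClass: nsslapdConfig",
    "nsslapd-rootdn: cn=Directory Manager",
    "nsslapd-rootpw:",
    "nsslapd-port: 389",
    "",
])
DSE_OK = "\n".join([
    "dn: cn=config",
    "cn: config",
    "nsslapd-rootdn: cn=Directory Manager",
    "nsslapd-rootpw: {SSHA}cGxhY2Vob2xk",   # placeholder hash, not a real one
    " ZXI=",                                 # folded continuation of the value
    "nsslapd-port: 389",
    "",
])

if __name__ == "__main__":
    for label, text in (("broken", DSE_BROKEN), ("ok", DSE_OK)):
        print(label, check_rootpw(parse_ldif(text)) or "no problems")
```

Running the check between "write dse.ldif" and "start ns-slapd" turns a segfault into a readable error; the writer shows that the characters reported in this thread (' ! = 0 and {) are all LDIF-safe and pass through unchanged, whereas a leading colon, a non-ASCII character or a trailing space are base64-encoded rather than dropped.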
--
Angel Marin
http://anmar.eu.org/

From levchenko.i at gmail.com  Fri Sep  5 08:16:12 2008
From: levchenko.i at gmail.com (Ivan Levchenko)
Date: Fri, 05 Sep 2008 11:16:12 +0300
Subject: [Freeipa-users] upstream ipa on centos inside openvz container
In-Reply-To: <48C0D810.2020304@anmar.eu.org>
References: <48C0D810.2020304@anmar.eu.org>
Message-ID: <48C0EACC.10509@gmail.com>

Angel Marin wrote:
>
> When we did the first tests here, the slapd setup scripts seemed to be
> kind of buggy while dealing with input it doesn't like. For example a
> directory service admin password containing some special chars (can't
> remember which) generated an invalid dse.ldif config section. To make
> things worse slapd segfaulted instead of dealing with it more gracefully.
>
> Try running ns-slapd with debug enabled or inside gdb, it should give
> you a hint on what attribute is making it choke.
>

You're right, I did use a password with some special chars =)

Are there any other such caveats that might cause some strange behavior
(more segfaults)?

And more importantly, is IPA ready enough to use on a production system
to handle user/email accounts?

I'm just looking into the various ldap implementations and I really like
IPA based on its description... (and gui tools)

Regards,
Ivan

From anmar at anmar.eu.org  Fri Sep  5 11:20:03 2008
From: anmar at anmar.eu.org (Angel Marin)
Date: Fri, 05 Sep 2008 13:20:03 +0200
Subject: [Freeipa-users] upstream ipa on centos inside openvz container
In-Reply-To: <48C0EACC.10509@gmail.com>
References: <48C0D810.2020304@anmar.eu.org> <48C0EACC.10509@gmail.com>
Message-ID: <48C115E3.7070802@anmar.eu.org>

Ivan Levchenko wrote:
> Angel Marin wrote:
>> When we did the first tests here, the slapd setup scripts seemed to be
>> kind of buggy while dealing with input it doesn't like. For example a
>> directory service admin password containing some special chars (can't
>> remember which) generated an invalid dse.ldif config section.
>> To make things worse slapd segfaulted instead of dealing with it more
>> gracefully.
>>
>> Try running ns-slapd with debug enabled or inside gdb, it should give
>> you a hint on what attribute is making it choke.
>
> You're right, I did use a password with some special chars =)
>
> Are there any other such caveats that might cause some strange behavior
> (more segfaults)?

Only with the setup process (I can't recall what triggered them though).
We also had to apply some of the post 1.1.0 patches to get some of the
tools going, but other than that once we got it setup and running, it's
been rock solid.

> And more importantly, is IPA ready enough to use on a production system
> to handle user/email accounts?

It's on production now here (we're still migrating workstations). Its
main components (DS and MIT kdc) have been around for quite some time so
it's not like it's some kind of new and untested piece of code :) IPA
will mainly glue them for you and provide nice admin tools while at it :)

> I'm just looking into the various ldap implementations and I really like
> IPA based on its description... (and gui tools)

Regards,
--
Angel Marin
http://anmar.eu.org/

From levchenko.i at gmail.com  Fri Sep  5 11:37:42 2008
From: levchenko.i at gmail.com (Ivan Levchenko)
Date: Fri, 5 Sep 2008 14:37:42 +0300
Subject: [Freeipa-users] upstream ipa on centos inside openvz container
In-Reply-To: <48C115E3.7070802@anmar.eu.org>
References: <48C0D810.2020304@anmar.eu.org> <48C0EACC.10509@gmail.com>
	<48C115E3.7070802@anmar.eu.org>
Message-ID:

On Fri, Sep 5, 2008 at 2:20 PM, Angel Marin wrote:
> It's on production now here (we're still migrating workstations). Its main
> components (DS and MIT kdc) have been around for quite some time so it's not
> like it's some kind of new and untested piece of code :) IPA will mainly
> glue them for you and provide nice admin tools while at it :)
>

Ok, thanks, I'll try again with a simpler password. I hope that I'll be
able to post a success story.
I'm new to ldap, so I hope I'll get onto it quick.

From rcritten at redhat.com  Fri Sep  5 13:27:35 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 05 Sep 2008 09:27:35 -0400
Subject: [Freeipa-users] upstream ipa on centos inside openvz container
In-Reply-To: <48C0EACC.10509@gmail.com>
References: <48C0D810.2020304@anmar.eu.org> <48C0EACC.10509@gmail.com>
Message-ID: <48C133C7.8060305@redhat.com>

Ivan Levchenko wrote:
> Angel Marin wrote:
>>
>> When we did the first tests here, the slapd setup scripts seemed to be
>> kind of buggy while dealing with input it doesn't like. For example a
>> directory service admin password containing some special chars (can't
>> remember which) generated an invalid dse.ldif config section. To make
>> things worse slapd segfaulted instead of dealing with it more gracefully.
>>
>> Try running ns-slapd with debug enabled or inside gdb, it should give
>> you a hint on what attribute is making it choke.
>>
>
> You're right, I did use a password with some special chars =)

We should probably file a bug against the FDS to get this fixed. What
special characters did you use?

I should note that IPA isn't fully internationalized yet and you may have
problems if you use non-ascii characters for login or group names.

thanks

rob

From levchenko.i at gmail.com  Fri Sep  5 14:31:36 2008
From: levchenko.i at gmail.com (Ivan Levchenko)
Date: Fri, 5 Sep 2008 17:31:36 +0300
Subject: [Freeipa-users] upstream ipa on centos inside openvz container
In-Reply-To: <48C133C7.8060305@redhat.com>
References: <48C0D810.2020304@anmar.eu.org> <48C0EACC.10509@gmail.com>
	<48C133C7.8060305@redhat.com>
Message-ID:

On Fri, Sep 5, 2008 at 4:27 PM, Rob Crittenden wrote:
>
> We should probably file a bug against the FDS to get this fixed. What
> special characters did you use?
>
> I should note that IPA isn't fully internationalized yet and you may have
> problems if you use non-ascii characters for login or group names.
>
> thanks
>
> rob
>

Here are the non alphabetic characters that I used (space separated list):

for the Directory manager password: ' ! = 0
IPA admin pass: {

no non-English characters were used

as per the bug filing, sure, a bit later today.

From anmar at anmar.eu.org  Fri Sep  5 14:38:09 2008
From: anmar at anmar.eu.org (Angel Marin)
Date: Fri, 05 Sep 2008 16:38:09 +0200
Subject: [Freeipa-users] upstream ipa on centos inside openvz container
In-Reply-To: <48C133C7.8060305@redhat.com>
References: <48C0D810.2020304@anmar.eu.org> <48C0EACC.10509@gmail.com>
	<48C133C7.8060305@redhat.com>
Message-ID: <48C14451.30703@anmar.eu.org>

Rob Crittenden wrote:
> Ivan Levchenko wrote:
>> Angel Marin wrote:
>>>
>>> When we did the first tests here, the slapd setup scripts seemed to
>>> be kind of buggy while dealing with input it doesn't like. For example
>>> a directory service admin password containing some special chars
>>> (can't remember which) generated an invalid dse.ldif config section.
>>> To make things worse slapd segfaulted instead of dealing with it more
>>> gracefully.
>>>
>>> Try running ns-slapd with debug enabled or inside gdb, it should give
>>> you a hint on what attribute is making it choke.
>>>
>>
>> You're right, I did use a password with some special chars =)
>
> We should probably file a bug against the FDS to get this fixed. What
> special characters did you use?

It's been on my TODO for a while, but haven't had the time to pinpoint
which chars are a problem to what attributes.

There are at least two different issues here:

1. FDS segfaults when it doesn't like what it finds on some attributes.
For example leave an empty nsslapd-rootpw in dse.ldif and FDS crashes.

2. IPA setup script generates an empty nsslapd-rootpw when the
directory server admin password typed contains certain chars. I think it
was at least '.
Same password provided for kdc admin user does not exhibit this problem
(same setup script a couple steps later).

> I should note that IPA isn't fully internationalized yet and you may
> have problems if you use non-ascii characters for login or group names.

--
Angel Marin
http://anmar.eu.org/

From levchenko.i at gmail.com  Fri Sep  5 14:41:32 2008
From: levchenko.i at gmail.com (Ivan Levchenko)
Date: Fri, 5 Sep 2008 17:41:32 +0300
Subject: [Freeipa-users] upstream ipa on centos inside openvz container
In-Reply-To: <48C14451.30703@anmar.eu.org>
References: <48C0D810.2020304@anmar.eu.org> <48C0EACC.10509@gmail.com>
	<48C133C7.8060305@redhat.com> <48C14451.30703@anmar.eu.org>
Message-ID:

On Fri, Sep 5, 2008 at 5:38 PM, Angel Marin wrote:
>
> It's been on my TODO for a while, but haven't had the time to pinpoint
> which chars are a problem to what attributes.
>
> There are at least two different issues here:

I would say three actually - the script doesn't handle/catch the issue
if the directory server itself doesn't start. It just carries on like
everything is ok and tries to connect to it. After a bunch of things
cannot connect to the directory server, it then exits.

>
> 1. FDS segfaults when it doesn't like what it finds on some attributes.
> For example leave an empty nsslapd-rootpw in dse.ldif and FDS crashes.
>
> 2. IPA setup script generates an empty nsslapd-rootpw when the
> directory server admin password typed contains certain chars. I think it
> was at least '.
> Same password provided for kdc admin user does not

Bingo, I had that character, and some more (see previous post)

From levchenko.i at gmail.com  Mon Sep  8 19:28:50 2008
From: levchenko.i at gmail.com (Ivan Levchenko)
Date: Mon, 8 Sep 2008 22:28:50 +0300
Subject: [Freeipa-users] virtual memory usage
Message-ID:

Hi,

I've gotten through the install without using any special chars only
to find myself another problem =) (no surprise with luck)

I'm using OpenVZ on a host with limited ram (and the box is very far
away with nobody to add some ram, so it's not a solution,
unfortunately) - I have set the virtual memory limit to 600 MiB
(privvmpages).
The install went through ok, but as soon as the directory server
started, it ate up all the virtual memory available to it:

[root@master /]# ps aux
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.8  0.1   1988   664 ?        Ss   12:21   0:00 init [3]
root     28218  0.1  0.2   2368  1232 ?        Ss   12:21   0:00 /bin/bash /etc/rc.d/rc 3
root     28413  0.0  0.0   1644   560 ?        Ss   12:21   0:00 syslogd -m 0
root     28416  0.0  0.0   1596   408 ?        Ss   12:21   0:00 klogd -x
root     28424  0.0  0.2   2508  1268 ?        S    12:21   0:00 /bin/sh /etc/rc3.d/S21dirsrv start
dirsrv   28439  1.8  3.1 449468 19248 ?        Sl   12:21   0:00 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-MYDOMAIN-COM -i /var/run/dirsrv/slapd-MYDOMAIN-COM.pid
root     28488  0.0  0.0  11200   340 ?        Ss   12:21   0:00 vzctl: pts/0
root     28489  0.3  0.2   2380  1304 pts/0    Ss   12:21   0:00 -bash
root     28516  0.0  0.0   1576   404 ?        S    12:21   0:00 sleep 1
root     28517  0.0  0.1   2096   820 pts/0    R+   12:21   0:00 ps aux

And I can't start anything else - I keep getting errors that it cannot
allocate enough memory. I can tweak the privvmpages a bit more, but I
wanted to ask beforehand if ns-slapd is always so memory hungry?

based on
http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_IPA/1.0/html/Release_Notes/sect-Release_Notes-System_Requirements-Hardware_Requirements.html
I should have enough memory allocated to the vps. Is there any way to
trim down ns-slapd's footprint?
Thanks in advance.

--
Best Regards,
Ivan Levchenko
levchenko.i at gmail.com

From rcritten at redhat.com  Mon Sep  8 21:23:44 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 08 Sep 2008 17:23:44 -0400
Subject: [Freeipa-users] virtual memory usage
In-Reply-To:
References:
Message-ID: <48C597E0.7080106@redhat.com>

Ivan Levchenko wrote:
> Hi,
>
> I've gotten through the install without using any special chars only
> to find myself another problem =) (no surprise with luck)
>
> I'm using OpenVZ on a host with limited ram (and the box is very far
> away with nobody to add some ram, so it's not a solution,
> unfortunately) - I have set the virtual memory limit to 600 MiB
> (privvmpages).
> The install went through ok, but as soon as the directory server
> started, it ate up all the virtual memory available to it:
>
> [root@master /]# ps aux
> USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
> root         1  0.8  0.1   1988   664 ?        Ss   12:21   0:00 init [3]
> root     28218  0.1  0.2   2368  1232 ?        Ss   12:21   0:00
> /bin/bash /etc/rc.d/rc 3
> root     28413  0.0  0.0   1644   560 ?        Ss   12:21   0:00 syslogd -m 0
> root     28416  0.0  0.0   1596   408 ?        Ss   12:21   0:00 klogd -x
> root     28424  0.0  0.2   2508  1268 ?        S    12:21   0:00
> /bin/sh /etc/rc3.d/S21dirsrv start
> dirsrv   28439  1.8  3.1 449468 19248 ?        Sl   12:21   0:00
> /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-MYDOMAIN-COM -i
> /var/run/dirsrv/slapd-MYDOMAIN-COM.pid
> root     28488  0.0  0.0  11200   340 ?        Ss   12:21   0:00 vzctl: pts/0
> root     28489  0.3  0.2   2380  1304 pts/0    Ss   12:21   0:00 -bash
> root     28516  0.0  0.0   1576   404 ?        S    12:21   0:00 sleep 1
> root     28517  0.0  0.1   2096   820 pts/0    R+   12:21   0:00 ps aux
>
> And I can't start anything else - I keep getting errors that it cannot
> allocate enough memory. I can tweak the privvmpages a bit more, but I
> wanted to ask beforehand if ns-slapd is always so memory hungry?
>
> based on http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_IPA/1.0/html/Release_Notes/sect-Release_Notes-System_Requirements-Hardware_Requirements.html
> I should have enough memory allocated to the vps. Is there any way to
> trim down ns-slapd's footprint?
>

Add a swap file/partition?

I've run it in VMWare with 384 MB of RAM. It can be slow due to swapping
but I've never had the processes fail. I tend to add 1GB of swap space
though.

rob

From levchenko.i at gmail.com  Tue Sep  9 06:46:27 2008
From: levchenko.i at gmail.com (Ivan Levchenko)
Date: Tue, 9 Sep 2008 09:46:27 +0300
Subject: [Freeipa-users] virtual memory usage
In-Reply-To: <48C597E0.7080106@redhat.com>
References: <48C597E0.7080106@redhat.com>
Message-ID:

On Tue, Sep 9, 2008 at 12:23 AM, Rob Crittenden wrote:
>
> Add a swap file/partition?
>
> I've run it in VMWare with 384 MB of RAM. It can be slow due to swapping but
> I've never had the processes fail. I tend to add 1GB of swap space though.
>
> rob
>

OpenVZ doesn't support swap inside the virtual containers =( That's one
of the downsides to it, but it's bearable, just need to get all the
memory counters right if you are going to use a memory hungry app.

--
Best Regards,
Ivan Levchenko
levchenko.i at gmail.com

From ssorce at redhat.com  Wed Sep 10 20:55:51 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 10 Sep 2008 16:55:51 -0400
Subject: [Freeipa-users] FreeIPA 1.1.1 SECURITY Release
Message-ID: <1221080151.15726.119.camel@localhost.localdomain>

This is a security release in order to address CVE-2008-3274

CVE-2008-3274:
A flaw was found in the Red Hat Enterprise IPA installation procedure.
The master Kerberos password was set up in the LDAP server in such a way
that it was possible to retrieve the password via an anonymous LDAP
connection.
Note: the master Kerberos password is used to encrypt keys. This flaw
does not lead to individual keys being exposed.

To solve the issue it is *not* sufficient to simply download and update
the binaries. Instructions to completely patch and resolve the issue are
available here:
http://freeipa.org/page/CVE-2008-3274

The complete source code is available for download here:
http://www.freeipa.org/page/Downloads

Binary packages for Fedora 8 and 9 will be available shortly.

The FreeIPA Project Team.

From levchenko.i at gmail.com  Mon Sep 15 12:44:29 2008
From: levchenko.i at gmail.com (Ivan Levchenko)
Date: Mon, 15 Sep 2008 15:44:29 +0300
Subject: [Freeipa-users] dns problems with kerberos
Message-ID:

Hi All,

I installed IPA ok, no errors, I can even authenticate to it from a
remote host using the admin user.
I created a new user via the web panel, and as soon as I log in, it
says that the pass is expired and that I need to change it, as soon as
it gets the confirmation pass, I get an error:

$ kinit ivan
Password for ivan@MYDOMAIN.COM:
Password expired.  You must change it now.
Enter new password:
Enter it again:
kinit(v5): Cannot contact any KDC for requested realm while getting
initial credentials

as I understand it, it's a dns problem...

I added the needed info to my domain's zone file like so:

;IPA
master IN A 192.168.0.112

_ldap._tcp IN SRV 0 100 389 master

;kerberos realm
_kerberos IN TXT MYDOMAIN.COM

; kerberos servers
_kerberos IN SRV 0 100 88 master
_kerberos IN SRV 0 100 88 master
_kerberos-master IN SRV 0 100 88 master
_kerberos-master IN SRV 0 100 88 master
_kpasswd._tcp IN SRV 0 100 464 master
_kpasswd._udp IN SRV 0 100 464 master

;ntp server
_ntp._udp IN SRV 0 100 123 ntp-server

using dig, I can verify that all of this works just fine.. is there
anything that I'm missing?
I'm very new to ipa, kerberos, ldap.. but I REALLY want to get a
single signon and single user/pass environment working...

thanks in advance!!!
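Whether or not DNS is what broke kinit here (the replies below end up at the ipa_kpasswd service), the zone snippet above is worth checking mechanically. The Python below is an added example, not FreeIPA code and not something the poster ran: it parses a BIND-style zone fragment and reports the discovery records an MIT Kerberos client and an IPA LDAP client look up, using the RFC 2782 owner-name form _service._proto and the MIT krb5 lookups for _kerberos._udp/_tcp (port 88), _kpasswd._udp (port 464), the _kerberos TXT realm record, and _ldap._tcp (port 389). Run over the snippet as quoted it flags the _kerberos and _kerberos-master SRV lines, whose owner names lack the ._udp/._tcp label, the two duplicate records, and the absence of _kerberos._udp and _kerberos._tcp. The corrected zone is constructed for comparison.

```python
# Added example (not FreeIPA code): checker for Kerberos/LDAP SRV discovery
# records in a zone-file snippet. Names and ports follow RFC 2782 and the MIT
# krb5 client lookups; the first zone text is the one quoted in this thread,
# the second is a constructed corrected version.
import re
from collections import defaultdict

REQUIRED_SRV = {            # owner name (relative to the zone) -> expected port
    "_kerberos._udp": 88,
    "_kerberos._tcp": 88,
    "_kpasswd._udp": 464,
    "_ldap._tcp": 389,
}
RR_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?(A|SRV|TXT)\s+(.+)$", re.I)
SRV_OWNER_RE = re.compile(r"_[^.]+\._(udp|tcp)")


def parse_zone(text):
    """Return (owner, type, rdata tuple) for A/SRV/TXT lines; ';' comments dropped.
    SOA, NS and $-directives are skipped because this check does not need them."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        m = RR_RE.match(line) if line else None
        if m:
            records.append((m.group(1).lower(), m.group(2).upper(),
                            tuple(m.group(3).split())))
    return records


def check_zone(text):
    """List of problems; [] means the discovery records look right."""
    problems, seen, srv = [], set(), defaultdict(list)
    records = parse_zone(text)
    for owner, rtype, rdata in records:
        if (owner, rtype, rdata) in seen:
            problems.append(f"duplicate record: {owner} {rtype} {' '.join(rdata)}")
            continue
        seen.add((owner, rtype, rdata))
        if rtype != "SRV":
            continue
        # SRV rdata is: priority weight port target
        if len(rdata) != 4 or not all(x.isdigit() for x in rdata[:3]):
            problems.append(f"malformed SRV rdata for {owner}: {' '.join(rdata)}")
            continue
        if not SRV_OWNER_RE.fullmatch(owner):
            problems.append(f"SRV owner {owner!r} is not of the form _service._proto "
                            f"(RFC 2782); clients look for {owner}._udp / {owner}._tcp")
        srv[owner].append(int(rdata[2]))
    for name, port in REQUIRED_SRV.items():
        if name not in srv:
            problems.append(f"missing required record {name} SRV (port {port})")
        elif port not in srv[name]:
            problems.append(f"{name} SRV uses port {srv[name][0]}, expected {port}")
    if not any(o == "_kerberos" and t == "TXT" for o, t, _ in records):
        problems.append("missing _kerberos TXT record naming the realm")
    return problems


ZONE_FROM_THREAD = """\
;IPA
master IN A 192.168.0.112

_ldap._tcp IN SRV 0 100 389 master

;kerberos realm
_kerberos IN TXT MYDOMAIN.COM

; kerberos servers
_kerberos IN SRV 0 100 88 master
_kerberos IN SRV 0 100 88 master
_kerberos-master IN SRV 0 100 88 master
_kerberos-master IN SRV 0 100 88 master
_kpasswd._tcp IN SRV 0 100 464 master
_kpasswd._udp IN SRV 0 100 464 master

;ntp server
_ntp._udp IN SRV 0 100 123 ntp-server
"""

ZONE_CORRECTED = """\
master IN A 192.168.0.112
_ldap._tcp IN SRV 0 100 389 master
_kerberos IN TXT MYDOMAIN.COM
_kerberos._udp IN SRV 0 100 88 master
_kerberos._tcp IN SRV 0 100 88 master
_kerberos-master._udp IN SRV 0 100 88 master
_kpasswd._udp IN SRV 0 100 464 master
_kpasswd._tcp IN SRV 0 100 464 master
"""

if __name__ == "__main__":
    for label, zone in (("as posted", ZONE_FROM_THREAD), ("corrected", ZONE_CORRECTED)):
        print(f"== {label} ==")
        for p in check_zone(zone) or ["no problems found"]:
            print(" ", p)
```

dig confirms that a record you named exists; this check asks the other question, whether the names a client will actually query exist, which is the one that matters for "Cannot contact any KDC".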
--
Best Regards,
Ivan Levchenko
levchenko.i at gmail.com

From ssorce at redhat.com  Mon Sep 15 13:25:16 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 15 Sep 2008 09:25:16 -0400
Subject: [Freeipa-users] dns problems with kerberos
In-Reply-To:
References:
Message-ID: <1221485116.17402.5.camel@localhost.localdomain>

On Mon, 2008-09-15 at 15:44 +0300, Ivan Levchenko wrote:
> Hi All,
>
> I installed IPA ok, no errors, I can even authenticate to it from a
> remote host using the admin user.
> I created a new user via the web panel, and as soon as I log in, it
> says that the pass is expired and that I need to change it, as soon as
> it gets the confirmation pass, I get an error:
>
> $ kinit ivan
> Password for ivan@MYDOMAIN.COM:
> Password expired.  You must change it now.
> Enter new password:
> Enter it again:
> kinit(v5): Cannot contact any KDC for requested realm while getting
> initial credentials
>
> as I understand it, it's a dns problem...
>
> I added the needed info to my domain's zone file like so:
>
> ;IPA
> master IN A 192.168.0.112
>
> _ldap._tcp IN SRV 0 100 389 master
>
> ;kerberos realm
> _kerberos IN TXT MYDOMAIN.COM
>
> ; kerberos servers
> _kerberos IN SRV 0 100 88 master
> _kerberos IN SRV 0 100 88 master
> _kerberos-master IN SRV 0 100 88 master
> _kerberos-master IN SRV 0 100 88 master
> _kpasswd._tcp IN SRV 0 100 464 master
> _kpasswd._udp IN SRV 0 100 464 master
>
> ;ntp server
> _ntp._udp IN SRV 0 100 123 ntp-server
>
> using dig, I can verify that all of this works just fine.. is there
> anything that I'm missing?
> I'm very new to ipa, kerberos, ldap.. but I REALLY want to get a
> single signon and single user/pass environment working...

What IPA version? If installed using an rpm can you tell exactly the rpm
version as printed by rpm -qi ipa-server ?

Simo.
--
Simo Sorce * Red Hat, Inc * New York

From levchenko.i at gmail.com  Mon Sep 15 13:30:53 2008
From: levchenko.i at gmail.com (Ivan Levchenko)
Date: Mon, 15 Sep 2008 16:30:53 +0300
Subject: [Freeipa-users] dns problems with kerberos
In-Reply-To: <1221485116.17402.5.camel@localhost.localdomain>
References: <1221485116.17402.5.camel@localhost.localdomain>
Message-ID:

On Mon, Sep 15, 2008 at 4:25 PM, Simo Sorce wrote:
>
> What IPA version? If installed using an rpm can you tell exactly the rpm
> version as printed by rpm -qi ipa-server ?
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>
>

I rebuilt the srpms from rh download site on a centos 5.2 system
(without any problems, all packages built cleanly) :

# rpm -qi ipa-server
Name        : ipa-server                   Relocations: (not relocatable)
Version     : 1.0.0                             Vendor: (none)
Release     : 15                            Build Date: Sat Aug  2 08:24:24 2008
Install Date: Thu Sep  4 01:29:25 2008      Build Host: amigo.ivanelle.com
Group       : System Environment/Base       Source RPM: ipa-1.0.0-15.src.rpm
Size        : 1766717                          License: GPLv2
Signature   : (none)
URL         : http://www.freeipa.org/
Summary     : The IPA authentication server
Description :
IPA is an integrated solution to provide centrally managed Identity (machine,
user, virtual machines, groups, authentication credentials), Policy
(configuration settings, access control information) and Audit (events,
logs, analysis thereof). If you are installing an IPA server you need
to install this package (in other words, most people should NOT install
this package).
--
Best Regards,
Ivan Levchenko
levchenko.i at gmail.com

From ssorce at redhat.com  Mon Sep 15 13:40:18 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 15 Sep 2008 09:40:18 -0400
Subject: [Freeipa-users] dns problems with kerberos
In-Reply-To:
References: <1221485116.17402.5.camel@localhost.localdomain>
Message-ID: <1221486018.17402.7.camel@localhost.localdomain>

On Mon, 2008-09-15 at 16:30 +0300, Ivan Levchenko wrote:
> On Mon, Sep 15, 2008 at 4:25 PM, Simo Sorce wrote:
> >
> > What IPA version? If installed using an rpm can you tell exactly the rpm
> > version as printed by rpm -qi ipa-server ?
> >
> > Simo.
> >
> > --
> > Simo Sorce * Red Hat, Inc * New York
> >
> >
>
> I rebuilt the srpms from rh download site on a centos 5.2 system
> (without any problems, all packages built cleanly) :
>
> # rpm -qi ipa-server
> Name        : ipa-server                   Relocations: (not relocatable)
> Version     : 1.0.0                             Vendor: (none)
> Release     : 15                            Build Date: Sat Aug  2 08:24:24 2008
> Install Date: Thu Sep  4 01:29:25 2008      Build Host: amigo.ivanelle.com
> Group       : System Environment/Base       Source RPM: ipa-1.0.0-15.src.rpm
> Size        : 1766717                          License: GPLv2
> Signature   : (none)
> URL         : http://www.freeipa.org/
> Summary     : The IPA authentication server
> Description :
> IPA is an integrated solution to provide centrally managed Identity (machine,
> user, virtual machines, groups, authentication credentials), Policy
> (configuration settings, access control information) and Audit (events,
> logs, analysis thereof). If you are installing an IPA server you need
> to install this package (in other words, most people should NOT install
> this package).

It seems like the ipa-kpasswd service is not up and running.
Can you check it is, and see if there is anything in the system logs
about it ?

Simo.
--
Simo Sorce * Red Hat, Inc * New York

From levchenko.i at gmail.com  Mon Sep 15 13:52:03 2008
From: levchenko.i at gmail.com (Ivan Levchenko)
Date: Mon, 15 Sep 2008 16:52:03 +0300
Subject: [Freeipa-users] dns problems with kerberos
In-Reply-To: <1221486018.17402.7.camel@localhost.localdomain>
References: <1221485116.17402.5.camel@localhost.localdomain>
	<1221486018.17402.7.camel@localhost.localdomain>
Message-ID:

On Mon, Sep 15, 2008 at 4:40 PM, Simo Sorce wrote:
> It seems like the ipa-kpasswd service is not up and running.
> Can you check it is, and see if there is anything in the system logs
> about it ?
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>
>

Here is everything that is available in /var/log about ipa_kpasswd:

/var/log ]# grep -R "ipa_kpasswd" *
ipaserver-install.log:2008-09-14 02:38:54,554 DEBUG Backing up system configuration file '/etc/sysconfig/ipa_kpasswd'
ipaserver-install.log:2008-09-14 02:38:54,748 DEBUG Configuring ipa_kpasswd
ipaserver-install.log:2008-09-14 02:38:54,749 DEBUG   [1/2]: starting ipa_kpasswd
ipaserver-install.log:2008-09-14 02:38:54,809 INFO ipa_kpasswd dead but pid file exists
ipaserver-install.log:2008-09-14 02:38:54,885 INFO Shutting[FAILED]a_kpasswd:
ipaserver-install.log:Starting ipa_kpasswd: [  OK  ]
ipaserver-install.log:2008-09-14 02:38:54,886 DEBUG   [2/2]: configuring ipa_kpasswd to start on boot
ipaserver-install.log:2008-09-14 02:38:54,932 INFO ipa_kpasswd     0:off   1:off   2:on    3:on    4:on    5:on    6:off
ipaserver-install.log:2008-09-14 02:38:54,957 DEBUG done configuring ipa_kpasswd.
[root@master log]# grep -R "ipa_kpasswd" *
ipaserver-install.log:2008-09-14 02:38:54,554 DEBUG Backing up system configuration file '/etc/sysconfig/ipa_kpasswd'
ipaserver-install.log:2008-09-14 02:38:54,748 DEBUG Configuring ipa_kpasswd
ipaserver-install.log:2008-09-14 02:38:54,749 DEBUG   [1/2]: starting ipa_kpasswd
ipaserver-install.log:2008-09-14 02:38:54,809 INFO ipa_kpasswd dead but pid file exists
ipaserver-install.log:2008-09-14 02:38:54,885 INFO Shutting[FAILED]a_kpasswd:
ipaserver-install.log:Starting ipa_kpasswd: [  OK  ]
ipaserver-install.log:2008-09-14 02:38:54,886 DEBUG   [2/2]: configuring ipa_kpasswd to start on boot
ipaserver-install.log:2008-09-14 02:38:54,932 INFO ipa_kpasswd     0:off   1:off   2:on    3:on    4:on    5:on    6:off
ipaserver-install.log:2008-09-14 02:38:54,957 DEBUG done configuring ipa_kpasswd.

It looks like it tries to start, but dies... :

[root@master log]# /etc/init.d/ipa_kpasswd status
ipa_kpasswd dead but pid file exists
[root@master log]# /etc/init.d/ipa_kpasswd start
Starting ipa_kpasswd:                                      [  OK  ]
[root@master log]# /etc/init.d/ipa_kpasswd status
ipa_kpasswd dead but pid file exists

and nothing in the logs about why it doesn't start.....
I try to start ipa_kpasswd directly, but it doesn't give any output at all.

any debug options that I can look into ???

--
Best Regards,
Ivan Levchenko
levchenko.i at gmail.com

From ssorce at redhat.com  Mon Sep 15 14:08:11 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 15 Sep 2008 10:08:11 -0400
Subject: [Freeipa-users] dns problems with kerberos
In-Reply-To:
References: <1221485116.17402.5.camel@localhost.localdomain>
	<1221486018.17402.7.camel@localhost.localdomain>
Message-ID: <1221487691.17402.12.camel@localhost.localdomain>

On Mon, 2008-09-15 at 16:52 +0300, Ivan Levchenko wrote:
> On Mon, Sep 15, 2008 at 4:40 PM, Simo Sorce wrote:
> > It seems like the ipa-kpasswd service is not up and running.
> > Can you check it is, and see if there is anything in the system logs
> > about it ?
> >
> > Simo.
> >
> > --
> > Simo Sorce * Red Hat, Inc * New York
> >
> >
>
> Here is everything that is available in /var/log about ipa_kpasswd:
>
> /var/log ]# grep -R "ipa_kpasswd" *
> ipaserver-install.log:2008-09-14 02:38:54,554 DEBUG Backing up system
> configuration file '/etc/sysconfig/ipa_kpasswd'
> ipaserver-install.log:2008-09-14 02:38:54,748 DEBUG Configuring ipa_kpasswd
> ipaserver-install.log:2008-09-14 02:38:54,749 DEBUG   [1/2]: starting
> ipa_kpasswd
> ipaserver-install.log:2008-09-14 02:38:54,809 INFO ipa_kpasswd dead
> but pid file exists
> ipaserver-install.log:2008-09-14 02:38:54,885 INFO Shutting[FAILED]a_kpasswd:
> ipaserver-install.log:Starting ipa_kpasswd: [  OK  ]
> ipaserver-install.log:2008-09-14 02:38:54,886 DEBUG   [2/2]:
> configuring ipa_kpasswd to start on boot
> ipaserver-install.log:2008-09-14 02:38:54,932 INFO ipa_kpasswd
> 0:off   1:off   2:on    3:on    4:on    5:on    6:off
> ipaserver-install.log:2008-09-14 02:38:54,957 DEBUG done configuring
> ipa_kpasswd.
>
> [root@master log]# grep -R "ipa_kpasswd" *
> ipaserver-install.log:2008-09-14 02:38:54,554 DEBUG Backing up system
> configuration file '/etc/sysconfig/ipa_kpasswd'
> ipaserver-install.log:2008-09-14 02:38:54,748 DEBUG Configuring ipa_kpasswd
> ipaserver-install.log:2008-09-14 02:38:54,749 DEBUG   [1/2]: starting
> ipa_kpasswd
> ipaserver-install.log:2008-09-14 02:38:54,809 INFO ipa_kpasswd dead
> but pid file exists
> ipaserver-install.log:2008-09-14 02:38:54,885 INFO Shutting[FAILED]a_kpasswd:
> ipaserver-install.log:Starting ipa_kpasswd: [  OK  ]
> ipaserver-install.log:2008-09-14 02:38:54,886 DEBUG   [2/2]:
> configuring ipa_kpasswd to start on boot
> ipaserver-install.log:2008-09-14 02:38:54,932 INFO ipa_kpasswd
> 0:off   1:off   2:on    3:on    4:on    5:on    6:off
> ipaserver-install.log:2008-09-14 02:38:54,957 DEBUG done configuring
> ipa_kpasswd.
>
> It looks like it tries to start, but dies... :
: > > [root at master log]# /etc/init.d/ipa_kpasswd status > ipa_kpasswd dead but pid file exists > [root at master log]# /etc/init.d/ipa_kpasswd start > Starting ipa_kpasswd: [ OK ] > [root at master log]# /etc/init.d/ipa_kpasswd status > ipa_kpasswd dead but pid file exists > > and nothing in the logs about why it doesn't start..... > i try to start ipa_kpasswd directrly, but it doesn't give any output at all. > > any debug options that I can look into ??? You can set the IPA_KPASSWD_DEBUG in /etc/sysconfig/ipa-kpasswd Set it to 1 to enable normal debugging. It seem like there is something that is making it crash, we have solved some crash bugs after that release so maybe this is a known problem we have already solved. Any chance you can rebuild from the master tree and see if that fixes your problem ? Simo. -- Simo Sorce * Red Hat, Inc * New York From levchenko.i at gmail.com Mon Sep 15 15:40:39 2008 From: levchenko.i at gmail.com (Ivan Levchenko) Date: Mon, 15 Sep 2008 18:40:39 +0300 Subject: [Freeipa-users] dns problems with kerberos In-Reply-To: <1221487691.17402.12.camel@localhost.localdomain> References: <1221485116.17402.5.camel@localhost.localdomain> <1221486018.17402.7.camel@localhost.localdomain> <1221487691.17402.12.camel@localhost.localdomain> Message-ID: On Mon, Sep 15, 2008 at 5:08 PM, Simo Sorce wrote: > > You can set the IPA_KPASSWD_DEBUG in /etc/sysconfig/ipa-kpasswd > > Set it to 1 to enable normal debugging. > > It seem like there is something that is making it crash, we have solved > some crash bugs after that release so maybe this is a known problem we > have already solved. > > Any chance you can rebuild from the master tree and see if that fixes > your problem ? > > Simo. > > > -- > Simo Sorce * Red Hat, Inc * New York > > Sure, I'll rebuild it. Do I need to rebuild ipa-server only? Should in download the srpm from http://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEIPA/SRPMS/ or some other place? Thanks in advance. 
Ivan

From ssorce at redhat.com Mon Sep 15 17:28:19 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 15 Sep 2008 13:28:19 -0400
Subject: [Freeipa-users] dns problems with kerberos
In-Reply-To:
References: <1221485116.17402.5.camel@localhost.localdomain> <1221486018.17402.7.camel@localhost.localdomain> <1221487691.17402.12.camel@localhost.localdomain>
Message-ID: <1221499699.22248.7.camel@localhost.localdomain>

On Mon, 2008-09-15 at 18:40 +0300, Ivan Levchenko wrote:
> On Mon, Sep 15, 2008 at 5:08 PM, Simo Sorce wrote:
> >
> > You can set the IPA_KPASSWD_DEBUG in /etc/sysconfig/ipa-kpasswd
> >
> > Set it to 1 to enable normal debugging.
> >
> > It seems like there is something that is making it crash, we have solved
> > some crash bugs after that release so maybe this is a known problem we
> > have already solved.
> >
> > Any chance you can rebuild from the master tree and see if that fixes
> > your problem ?
> >
> > Simo.
> >
> >
> > -- 
> > Simo Sorce * Red Hat, Inc * New York
> >
> >
>
> Sure, I'll rebuild it.
>
> Do I need to rebuild ipa-server only?
>
> Should I download the srpm from
> http://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEIPA/SRPMS/
> or some other place?

I meant, try a build from the git master tree. Although that one would
probably require some work on the ipa.spec file if you want to build
rpms.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From levchenko.i at gmail.com Mon Sep 15 17:41:11 2008
From: levchenko.i at gmail.com (Ivan Levchenko)
Date: Mon, 15 Sep 2008 20:41:11 +0300
Subject: [Freeipa-users] dns problems with kerberos
In-Reply-To: <1221499699.22248.7.camel@localhost.localdomain>
References: <1221485116.17402.5.camel@localhost.localdomain> <1221486018.17402.7.camel@localhost.localdomain> <1221487691.17402.12.camel@localhost.localdomain> <1221499699.22248.7.camel@localhost.localdomain>
Message-ID:

On Mon, Sep 15, 2008 at 8:28 PM, Simo Sorce wrote:
>
> I meant, try a build from the git master tree. Although that one would
> probably require some work on the ipa.spec file if you want to build
> rpms.
>
> Simo.
>
> -- 
> Simo Sorce * Red Hat, Inc * New York
>
>

Ok, I'll try it out from git.

Yup, I do want to use rpms, since I want to keep it clean - I intend
to use this system in the future, and want to make sure upgrade would
be simple and relatively painless...

From ssorce at redhat.com Mon Sep 15 17:44:06 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 15 Sep 2008 13:44:06 -0400
Subject: [Freeipa-users] dns problems with kerberos
In-Reply-To:
References: <1221485116.17402.5.camel@localhost.localdomain> <1221486018.17402.7.camel@localhost.localdomain> <1221487691.17402.12.camel@localhost.localdomain> <1221499699.22248.7.camel@localhost.localdomain>
Message-ID: <1221500646.22248.12.camel@localhost.localdomain>

On Mon, 2008-09-15 at 20:41 +0300, Ivan Levchenko wrote:
> On Mon, Sep 15, 2008 at 8:28 PM, Simo Sorce wrote:
> >
> > I meant, try a build from the git master tree. Although that one would
> > probably require some work on the ipa.spec file if you want to build
> > rpms.
> >
> > Simo.
> >
> > -- 
> > Simo Sorce * Red Hat, Inc * New York
> >
> >
>
> Ok, I'll try it out from git.
>
> Yup, I do want to use rpms, since I want to keep it clean - I intend
> to use this system in the future, and want to make sure upgrade would
> be simple and relatively painless...

make local-dist will generate rpms if you run it on the target platform.

Simo.
-- 
Simo Sorce * Red Hat, Inc * New York

From levchenko.i at gmail.com Mon Sep 15 20:50:31 2008
From: levchenko.i at gmail.com (Ivan Levchenko)
Date: Mon, 15 Sep 2008 23:50:31 +0300
Subject: [Freeipa-users] dns problems with kerberos
In-Reply-To: <1221500646.22248.12.camel@localhost.localdomain>
References: <1221485116.17402.5.camel@localhost.localdomain> <1221486018.17402.7.camel@localhost.localdomain> <1221487691.17402.12.camel@localhost.localdomain> <1221499699.22248.7.camel@localhost.localdomain> <1221500646.22248.12.camel@localhost.localdomain>
Message-ID:

On Mon, Sep 15, 2008 at 8:44 PM, Simo Sorce wrote:
>
> make local-dist will generate rpms if you run it on the target platform.
>
> Simo.
>
> -- 
> Simo Sorce * Red Hat, Inc * New York
>
>

Woohooh! I'm able to change my password. The latest version 1.1.0
built from git works just fine.. at least it looks like it... I'm just
hoping that there wouldn't be any conflict...

Ok, things are looking good, but I would prefer to wait for the next
rh version of it. (I had to remove the slapi-nss stuff from the spec)
I was using version 1.0.0-15 of ipa-server. Would 1.0.0-23 by any
chance have these fixes needed?

Plus I see a lot of other patches in the rh version that were not in
the reg. freeipa spec..

My favorite line:
perl -pi -e "s/Free IPA/Red Hat Enterprise IPA/" ....
=)

From ssorce at redhat.com Tue Sep 16 00:16:26 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 15 Sep 2008 20:16:26 -0400
Subject: [Freeipa-users] dns problems with kerberos
In-Reply-To:
References: <1221485116.17402.5.camel@localhost.localdomain> <1221486018.17402.7.camel@localhost.localdomain> <1221487691.17402.12.camel@localhost.localdomain> <1221499699.22248.7.camel@localhost.localdomain> <1221500646.22248.12.camel@localhost.localdomain>
Message-ID: <1221524186.12851.8.camel@localhost.localdomain>

On Mon, 2008-09-15 at 23:50 +0300, Ivan Levchenko wrote:
> On Mon, Sep 15, 2008 at 8:44 PM, Simo Sorce wrote:
> >
> > make local-dist will generate rpms if you run it on the target platform.
> >
> > Simo.
> >
> > -- 
> > Simo Sorce * Red Hat, Inc * New York
> >
> >
>
> Woohooh! I'm able to change my password. The latest version 1.1.0
> built from git works just fine.. at least it looks like it... I'm just
> hoping that there wouldn't be any conflict...
>
> Ok, things are looking good, but I would prefer to wait for the next
> rh version of it. (I had to remove the slapi-nss stuff from the spec)
> I was using version 1.0.0-15 of ipa-server. Would 1.0.0-23 by any
> chance have these fixes needed?

I am not aware of problems in the RHEIPA builds to be honest.
But we will do some extra checking against the next package.

Btw, did you use the --with-openldap=yes flag in the spec file of your
first build ?

> Plus I see a lot of other patches in the rh version that were not in
> the reg. freeipa spec..

Yes, they are all included upstream now, they were as patches in rheipa
spec as they were developed during the beta/qa cycle.

> My favorite line:
> perl -pi -e "s/Free IPA/Red Hat Enterprise IPA/" .... =)

Fast branding :-)

Simo.
-- 
Simo Sorce * Red Hat, Inc * New York

From levchenko.i at gmail.com Tue Sep 16 07:49:25 2008
From: levchenko.i at gmail.com (Ivan Levchenko)
Date: Tue, 16 Sep 2008 10:49:25 +0300
Subject: [Freeipa-users] dns problems with kerberos
In-Reply-To: <1221524186.12851.8.camel@localhost.localdomain>
References: <1221486018.17402.7.camel@localhost.localdomain> <1221487691.17402.12.camel@localhost.localdomain> <1221499699.22248.7.camel@localhost.localdomain> <1221500646.22248.12.camel@localhost.localdomain> <1221524186.12851.8.camel@localhost.localdomain>
Message-ID:

On Tue, Sep 16, 2008 at 3:16 AM, Simo Sorce wrote:
>
> I am not aware of problems in the RHEIPA builds to be honest.
> But we will do some extra checking against the next package.
>
> Btw, did you use the --with-openldap=yes flag in the spec file of your
> first build ?
>
>> Plus I see a lot of other patches in the rh version that were not in
>> the reg. freeipa spec..
>
> Yes, they are all included upstream now, they were as patches in rheipa
> spec as they were developed during the beta/qa cycle.
>
>> My favorite line:
>> perl -pi -e "s/Free IPA/Red Hat Enterprise IPA/" .... =)
>
> Fast branding :-)
>
> Simo.
>
> -- 
> Simo Sorce * Red Hat, Inc * New York
>
>

No, I didn't use the --with-openldap=yes, but in the spec file for the
rhel build, it has openldap as a required package to install, and on
the system where I installed it, the directory server is running, and
in the kerberos config file, I see that it has ldap in it....

Thanks a lot for your help on this!

-- 
Best Regards,
Ivan Levchenko
levchenko.i at gmail.com

From levchenko.i at gmail.com Tue Sep 16 22:56:25 2008
From: levchenko.i at gmail.com (Ivan Levchenko)
Date: Wed, 17 Sep 2008 01:56:25 +0300
Subject: [Freeipa-users] ipa impressions and more questions
Message-ID:

Hi All,

Thanks to Simo Sorce for his time and help with getting ipa up and
running. Everything that I have been going through in the docs works
good.

I just don't understand what these service principals are. Now I
can understand a service principal for ssh. If we add a service
principal for ssh for a host, we allow ipa users to connect via ssh to
this host and auth. (would be great if it were more granular - as I
understand, this is for version 2).
But what is a service principal for DHCP, or snmp, or DNS???? How do those work?

Thanks in advance.

-- 
Best Regards,
Ivan Levchenko
levchenko.i at gmail.com

From adingman at redhat.com Wed Sep 17 14:27:23 2008
From: adingman at redhat.com (Andrew C. Dingman)
Date: Wed, 17 Sep 2008 10:27:23 -0400
Subject: [Freeipa-users] ipa impressions and more questions
In-Reply-To:
References:
Message-ID: <1221661643.4486.18.camel@sinope>

On Wed, 2008-09-17 at 01:56 +0300, Ivan Levchenko wrote:
> Hi All,
>
> Thanks to Simo Sorce for his time and help with getting ipa up and
> running. Everything that I have been going through in the docs works
> good.
>
> I just don't understand what these service principals are. Now I
> can understand a service principal for ssh. If we add a service
> principal for ssh for a host, we allow ipa users to connect via ssh to
> this host and auth. (would be great if it were more granular - as I
> understand, this is for version 2).
> But what is a service principal for DHCP, or snmp, or DNS???? How do those work?

Mostly, they don't :)

That is, most services don't need service principals. Generally
speaking, DHCP, SNMP, and DNS are all unauthenticated services, and
therefore have no need of service principals. DHCP is pretty much devoid
of any authentication capability. SNMP has some authentication
capability, but it's currently built around an SNMP-specific mechanism
that doesn't play with Kerberos. Likewise, DNS has some limited
authentication capability that almost nobody uses, and Kerberos support
is a non-standard extension that's only even useful for a few operations
that most clients never attempt.

Kerberos principals are identities in Kerberos. Any service that is
going to accept Kerberos tickets to authenticate users needs to have
one. Any service that doesn't accept Kerberos tickets for authentication
doesn't need a service principal. Sometimes, a few services will share
an identity, as is the case when you have multiple services using the
'host/' principal to provide shell access.

Suppose, for example, that I have a server named myhost.example.com
offering public, unauthenticated web services, SSH shell access to a few
users, and an IMAP mail server. If I'm using Kerberos authentication,
I'll need these principals:

host/myhost.example.com for SSH
imap/myhost.example.com for whatever IMAP server

I don't need a service principal for the web server, because the web
server isn't doing authentication with Kerberos. That doesn't mean it
can't -- it most certainly can be done -- but I only need a service
principal for the web server if it's using Kerberos authentication.

Just to be clear, my example here is only relevant to how Kerberos
works. It is not meant to reflect how IPA is configured. In particular,
IPA *does* authenticate users to the web server using Kerberos, and
therefore *does* need a service principal for the web service.

-- 
Andrew C. Dingman, RHCA, RHCSS, RHCX
Instructor, Red Hat Global Learning Services
adingman at redhat.com
gpg: 4DEB 3DF1 1007 B26D EC76 80F4 3C26 A4EB 2975 74B2
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part
URL:

From ssorce at redhat.com Wed Sep 17 14:45:34 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 17 Sep 2008 10:45:34 -0400
Subject: [Freeipa-users] ipa impressions and more questions
In-Reply-To: <1221661643.4486.18.camel@sinope>
References: <1221661643.4486.18.camel@sinope>
Message-ID: <1221662734.12851.100.camel@localhost.localdomain>

On Wed, 2008-09-17 at 10:27 -0400, Andrew C. Dingman wrote:
> On Wed, 2008-09-17 at 01:56 +0300, Ivan Levchenko wrote:
> > Hi All,
> >
> > Thanks to Simo Sorce for his time and help with getting ipa up and
> > running. Everything that I have been going through in the docs works
> > good.
> >
> > I just don't understand what these service principals are. Now I
> > can understand a service principal for ssh. If we add a service
> > principal for ssh for a host, we allow ipa users to connect via ssh to
> > this host and auth. (would be great if it were more granular - as I
> > understand, this is for version 2).
> > But what is a service principal for DHCP, or snmp, or DNS???? How do those work?
>
> Mostly, they don't :)
>
> That is, most services don't need service principals. Generally
> speaking, DHCP, SNMP, and DNS are all unauthenticated services, and
> therefore have no need of service principals. DHCP is pretty much devoid
> of any authentication capability. SNMP has some authentication
> capability, but it's currently built around an SNMP-specific mechanism
> that doesn't play with Kerberos. Likewise, DNS has some limited
> authentication capability that almost nobody uses, and Kerberos support
> is a non-standard extension that's only even useful for a few operations
> that most clients never attempt.

I agree for DHCP and SNMP (do we really have entries for those in the
UI?), but disagree about DNS. Kerberos can be used (and we plan to use
it in v2) for GSS-TSIG authenticated DNS update requests.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From levchenko.i at gmail.com Wed Sep 17 14:59:14 2008
From: levchenko.i at gmail.com (Ivan Levchenko)
Date: Wed, 17 Sep 2008 17:59:14 +0300
Subject: [Freeipa-users] ipa impressions and more questions
In-Reply-To: <1221662734.12851.100.camel@localhost.localdomain>
References: <1221661643.4486.18.camel@sinope> <1221662734.12851.100.camel@localhost.localdomain>
Message-ID:

On Wed, Sep 17, 2008 at 5:45 PM, Simo Sorce wrote:
> On Wed, 2008-09-17 at 10:27 -0400, Andrew C. Dingman wrote:
>> On Wed, 2008-09-17 at 01:56 +0300, Ivan Levchenko wrote:
>> > Hi All,
>> >
>> > Thanks to Simo Sorce for his time and help with getting ipa up and
>> > running. Everything that I have been going through in the docs works
>> > good.
>> >
>> > I just don't understand what these service principals are. Now I
>> > can understand a service principal for ssh. If we add a service
>> > principal for ssh for a host, we allow ipa users to connect via ssh to
>> > this host and auth. (would be great if it were more granular - as I
>> > understand, this is for version 2).
>> > But what is a service principal for DHCP, or snmp, or DNS???? How do those work?
>>
>> Mostly, they don't :)
>>
>> That is, most services don't need service principals. Generally
>> speaking, DHCP, SNMP, and DNS are all unauthenticated services, and
>> therefore have no need of service principals. DHCP is pretty much devoid
>> of any authentication capability. SNMP has some authentication
>> capability, but it's currently built around an SNMP-specific mechanism
>> that doesn't play with Kerberos. Likewise, DNS has some limited
>> authentication capability that almost nobody uses, and Kerberos support
>> is a non-standard extension that's only even useful for a few operations
>> that most clients never attempt.
>
> I agree for DHCP and SNMP (do we really have entries for those in the
> UI?), but disagree about DNS.
> Kerberos can be used (and we plan to use
> it in v2) for GSS-TSIG authenticated DNS update requests.
>
> Simo.
>
> -- 
> Simo Sorce * Red Hat, Inc * New York
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>

Thanks Andrew, it makes a lot more sense now!

Simo, yes, those options exist in the UI, that's why I was a bit
confused about their purpose.

With the current state of IPA, is it possible to provide granular
access to resources? Or is it setup for v2 (if so, I REALLY hope
upgrade will be an option...)

When authenticating against ldap, are there any requirements? Or do I
just have to setup my application to get what it needs from the ldap
server?

btw, OT, but could anybody recommend some app that could automate the
build process of rpms for i386 and x64? It's pretty tedious to do all
of it by hand. I could of course write a perl script to hack it, but
there probably is something that could do a better job....

Thanks for all of your help guys, with all this info, maybe I could
help collect it, write out my experiences (and your answers) to the
wiki to fill in the gaps in the howto part of the documentation?

-- 
Best Regards,
Ivan Levchenko
levchenko.i at gmail.com

From ssorce at redhat.com Wed Sep 17 15:09:14 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 17 Sep 2008 11:09:14 -0400
Subject: [Freeipa-users] ipa impressions and more questions
In-Reply-To:
References: <1221661643.4486.18.camel@sinope> <1221662734.12851.100.camel@localhost.localdomain>
Message-ID: <1221664154.12851.110.camel@localhost.localdomain>

On Wed, 2008-09-17 at 17:59 +0300, Ivan Levchenko wrote:
> On Wed, Sep 17, 2008 at 5:45 PM, Simo Sorce wrote:
> > On Wed, 2008-09-17 at 10:27 -0400, Andrew C. Dingman wrote:
> >> On Wed, 2008-09-17 at 01:56 +0300, Ivan Levchenko wrote:
> >> > Hi All,
> >> >
> >> > Thanks to Simo Sorce for his time and help with getting ipa up and
> >> > running. Everything that I have been going through in the docs works
> >> > good.
> >> >
> >> > I just don't understand what these service principals are. Now I
> >> > can understand a service principal for ssh. If we add a service
> >> > principal for ssh for a host, we allow ipa users to connect via ssh to
> >> > this host and auth. (would be great if it were more granular - as I
> >> > understand, this is for version 2).
> >> > But what is a service principal for DHCP, or snmp, or DNS???? How do those work?
> >>
> >> Mostly, they don't :)
> >>
> >> That is, most services don't need service principals. Generally
> >> speaking, DHCP, SNMP, and DNS are all unauthenticated services, and
> >> therefore have no need of service principals. DHCP is pretty much devoid
> >> of any authentication capability. SNMP has some authentication
> >> capability, but it's currently built around an SNMP-specific mechanism
> >> that doesn't play with Kerberos. Likewise, DNS has some limited
> >> authentication capability that almost nobody uses, and Kerberos support
> >> is a non-standard extension that's only even useful for a few operations
> >> that most clients never attempt.
> >
> > I agree for DHCP and SNMP (do we really have entries for those in the
> > UI?), but disagree about DNS. Kerberos can be used (and we plan to use
> > it in v2) for GSS-TSIG authenticated DNS update requests.
> >
> > Simo.
> >
> > -- 
> > Simo Sorce * Red Hat, Inc * New York
> >
> > _______________________________________________
> > Freeipa-users mailing list
> > Freeipa-users at redhat.com
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> >
>
> Thanks Andrew, it makes a lot more sense now!
>
> Simo, yes, those options exist in the UI, that's why I was a bit
> confused about their purpose.
>
> With the current state of IPA, is it possible to provide granular
> access to resources? Or is it setup for v2 (if so, I REALLY hope
> upgrade will be an option...)

At the moment you can use pam_access and access.conf and use groups to
grant/deny access to people

> When authenticating against ldap, are there any requirements? Or do I
> just have to setup my application to get what it needs from the ldap
> server?

Ideally we suggest you use kerberos for authentication, but you can use
ldap too.

> btw, OT, but could anybody recommend some app that could automate the
> build process of rpms for i386 and x64? It's pretty tedious to do all
> of it by hand. I could of course write a perl script to hack it, but
> there probably is something that could do a better job....

We use koji for fedora, probably something using mock can help.

> Thanks for all of your help guys, with all this info, maybe I could
> help collect it, write out my experiences (and your answers) to the
> wiki to fill in the gaps in the howto part of the documentation?

Sure, any contribution is welcome.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From levchenko.i at gmail.com Wed Sep 17 15:16:13 2008
From: levchenko.i at gmail.com (Ivan Levchenko)
Date: Wed, 17 Sep 2008 18:16:13 +0300
Subject: [Freeipa-users] ipa impressions and more questions
In-Reply-To: <1221664154.12851.110.camel@localhost.localdomain>
References: <1221661643.4486.18.camel@sinope> <1221662734.12851.100.camel@localhost.localdomain> <1221664154.12851.110.camel@localhost.localdomain>
Message-ID:

On Wed, Sep 17, 2008 at 6:09 PM, Simo Sorce wrote:
> Ideally we suggest you use kerberos for authentication, but you can use
> ldap too.

I'm asking, because I want to setup email servers with a unified user
database. Can kerberos return the email address of the user and/or
mailbox location?

This brings up another question that I was very interested in. Will
IPA's web interface support adding custom fields to a user's
description/profile? For example: mailbox location and any other
things that could be used for any arbitrary app? Currently, I'm
planning on adding it directly to ldap, to the users that I will be
needing to have it.

>
>> btw, OT, but could anybody recommend some app that could automate the
>> build process of rpms for i386 and x64? It's pretty tedious to do all
>> of it by hand. I could of course write a perl script to hack it, but
>> there probably is something that could do a better job....
>
> We use koji for fedora, probably something using mock can help.

Thanks!

>
>> Thanks for all of your help guys, with all this info, maybe I could
>> help collect it, write out my experiences (and your answers) to the
>> wiki to fill in the gaps in the howto part of the documentation?
>
> Sure, any contribution is welcome.

Ok, I'll prepare some docs.

Ivan

From ssorce at redhat.com Wed Sep 17 15:33:28 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 17 Sep 2008 11:33:28 -0400
Subject: [Freeipa-users] ipa impressions and more questions
In-Reply-To:
References: <1221661643.4486.18.camel@sinope> <1221662734.12851.100.camel@localhost.localdomain> <1221664154.12851.110.camel@localhost.localdomain>
Message-ID: <1221665608.12851.119.camel@localhost.localdomain>

On Wed, 2008-09-17 at 18:16 +0300, Ivan Levchenko wrote:
> On Wed, Sep 17, 2008 at 6:09 PM, Simo Sorce wrote:
> > Ideally we suggest you use kerberos for authentication, but you can use
> > ldap too.
>
> I'm asking, because I want to setup email servers with a unified user
> database. Can kerberos return the email address of the user and/or
> mailbox location?

No, kerberos is used only for authentication, it is not an information
source, for that you can use ldap.

> This brings up another question that I was very interested in. Will
> IPA's web interface support adding custom fields to a user's
> description/profile? For example: mailbox location and any other
> things that could be used for any arbitrary app? Currently, I'm
> planning on adding it directly to ldap, to the users that I will be
> needing to have it.

I think we had a way to add new fields, but I can't recall details right
now, worst case you can "customize" the python code, although that is a
bit of last resort option as it would mean you have to keep your patch
updated for each update/upgrade :-)

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From levchenko.i at gmail.com Wed Sep 17 15:40:38 2008
From: levchenko.i at gmail.com (Ivan Levchenko)
Date: Wed, 17 Sep 2008 18:40:38 +0300
Subject: [Freeipa-users] ipa impressions and more questions
In-Reply-To: <1221665608.12851.119.camel@localhost.localdomain>
References: <1221661643.4486.18.camel@sinope> <1221662734.12851.100.camel@localhost.localdomain> <1221664154.12851.110.camel@localhost.localdomain> <1221665608.12851.119.camel@localhost.localdomain>
Message-ID:

On Wed, Sep 17, 2008 at 6:33 PM, Simo Sorce wrote:
>
> I think we had a way to add new fields, but I can't recall details right
> now, worst case you can "customize" the python code, although that is a
> bit of last resort option as it would mean you have to keep your patch
> updated for each update/upgrade :-)
>

For me personally, this would be a very important feature. Maybe it
could be added into the plans for v2?
In the meantime, I'll just be adding the info directly to ldap.

Thanks again, you guys are really helping me grasp all of this very quickly!
-- Best Regards, Ivan Levchenko levchenko.i at gmail.com From rom at twister.dyndns.org Wed Sep 17 15:57:58 2008 From: rom at twister.dyndns.org (Fred Wittekind) Date: Wed, 17 Sep 2008 11:57:58 -0400 Subject: [Freeipa-users] ipa impressions and more questions In-Reply-To: References: <1221661643.4486.18.camel@sinope> <1221662734.12851.100.camel@localhost.localdomain> <1221664154.12851.110.camel@localhost.localdomain> Message-ID: <48D12906.20900@twister.dyndns.org> Ivan Levchenko wrote: > On Wed, Sep 17, 2008 at 6:09 PM, Simo Sorce wrote: > >> Ideally we suggest you use kerberos for authentication, but you can use >> ldap too. >> > > I asking, because I want to setup email servers with a unified user > database. Can kerberos return the email address of the user and/or > mailbox location? > > This brings up another question that I was very interested in. Will > IPA's web interface support adding custom fields to a users > description/profile? for example: mailbox location and any other > things that could be used for any arbitrary app? Currently, I'm > planning on adding it directly to ldap. to the users that I will be > needing to have it. > Assuming you aren't doing email hosting for multiple domains, you might find that it just works as is. I'm running Exim/Dovecot with IPA, and users that are in the IPA & not in /etc/passwd can get and receive mail just fine. Only thing that I had to do was to make GSSAPI work with Exim & Dovecot, and I posted a howto for that that you can find in the archive of this list. > >>> btw, OT, but could anybody reccomend some app that could automate the >>> build process of rpms for i386 and x64? Its pretty tedious to do all >>> of it by hand. I could of course write a perl script to hack it, but >>> there probably is something that could do a better job.... >>> >> We use koji for fedora, probably something using mock can help. >> > > Thanks! 
> > >>> Thanks for all of your help guys, with all this info, maybe I could
>>> help collect it, write out my experiences (and your answers) to the
>>> wiki to fill in the gaps in the howto part of the documentation?
>>>
>> Sure, any contribution is welcome.
>>
>
> Ok, I'll prepare some docs.
>
> Ivan

From levchenko.i at gmail.com Wed Sep 17 16:01:13 2008
From: levchenko.i at gmail.com (Ivan Levchenko)
Date: Wed, 17 Sep 2008 19:01:13 +0300
Subject: [Freeipa-users] ipa impressions and more questions
In-Reply-To: <48D12906.20900@twister.dyndns.org>
References: <1221661643.4486.18.camel@sinope> <1221662734.12851.100.camel@localhost.localdomain> <1221664154.12851.110.camel@localhost.localdomain> <48D12906.20900@twister.dyndns.org>
Message-ID:

On Wed, Sep 17, 2008 at 6:57 PM, Fred Wittekind wrote:
>
> Assuming you aren't doing email hosting for multiple domains, you might find
> that it just works as is. I'm running Exim/Dovecot with IPA, and users that
> are in the IPA & not in /etc/passwd can get and receive mail just fine.
> Only thing that I had to do was to make GSSAPI work with Exim & Dovecot,
> and I posted a howto for that that you can find in the archive of this list.

I'm not going to be doing hosting, but I will be needing to provide email for multiple domains with the same users.

About your howto, yes, I found it earlier, thanks. I'm probably going to use the dovecot part, just with postfix.

Ivan

From acd at redhat.com Wed Sep 17 16:07:34 2008
From: acd at redhat.com (Andrew C. Dingman)
Date: Wed, 17 Sep 2008 12:07:34 -0400
Subject: [Freeipa-users] ipa impressions and more questions
In-Reply-To: <1221662734.12851.100.camel@localhost.localdomain>
References: <1221661643.4486.18.camel@sinope> <1221662734.12851.100.camel@localhost.localdomain>
Message-ID: <1221667654.4486.25.camel@sinope>

On Wed, 2008-09-17 at 10:45 -0400, Simo Sorce wrote:
> > That is, most services don't need service principals. Generally
> > speaking, DHCP, SNMP, and DNS are all unauthenticated services, and
> > therefore have no need of service principals. DHCP is pretty much
> devoid
> > of any authentication capability. SNMP has some authentication
> > capability, but it's currently built around an SNMP-specific
> mechanism
> > that doesn't play with Kerberos. Likewise, DNS has some limited
> > authentication capability that almost nobody uses, and Kerberos
> support
> > is a non-standard extension that's only even useful for a few
> operations
> > that most clients never attempt.
>
> I agree for DHCP and SNMP (do we really have entries for those in the
> UI?), but disagree about DNS. Kerberos can be used (and we plan to use
> it in v2) for GSS-TSIG authenticated DNS update requests.

I wasn't speaking about what I think *should* be. GSS-TSIG is *vastly* nicer in my opinion than TSIG on its own, and I'm glad to see increasing support for it. I simply meant that in most current deployments, clients don't do any form of TSIG. My comments were meant to be descriptive of current widespread usage, not prescriptive. IPA is an improvement on that common usage that I'm quite happy to see. In general, you and I tend to be in close agreement about what *should* be.

--
Andrew C. Dingman, RHCA, RHCSS, RHCX
Instructor, Red Hat Global Learning Services
adingman at redhat.com
gpg: 4DEB 3DF1 1007 B26D EC76 80F4 3C26 A4EB 2975 74B2

From ssorce at redhat.com Wed Sep 17 16:30:50 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 17 Sep 2008 12:30:50 -0400
Subject: [Freeipa-users] ipa impressions and more questions
In-Reply-To: <1221667654.4486.25.camel@sinope>
References: <1221661643.4486.18.camel@sinope> <1221662734.12851.100.camel@localhost.localdomain> <1221667654.4486.25.camel@sinope>
Message-ID: <1221669050.12851.146.camel@localhost.localdomain>

On Wed, 2008-09-17 at 12:07 -0400, Andrew C. Dingman wrote:
> On Wed, 2008-09-17 at 10:45 -0400, Simo Sorce wrote:
> > > That is, most services don't need service principals. Generally
> > > speaking, DHCP, SNMP, and DNS are all unauthenticated services, and
> > > therefore have no need of service principals. DHCP is pretty much
> > devoid
> > > of any authentication capability. SNMP has some authentication
> > > capability, but it's currently built around an SNMP-specific
> > mechanism
> > > that doesn't play with Kerberos. Likewise, DNS has some limited
> > > authentication capability that almost nobody uses, and Kerberos
> > support
> > > is a non-standard extension that's only even useful for a few
> > operations
> > > that most clients never attempt.
> >
> > I agree for DHCP and SNMP (do we really have entries for those in the
> > UI?), but disagree about DNS. Kerberos can be used (and we plan to use
> > it in v2) for GSS-TSIG authenticated DNS update requests.
>
> I wasn't speaking about what I think *should* be. GSS-TSIG is *vastly*
> nicer in my opinion than TSIG on its own, and I'm glad to see increasing
> support for it. I simply meant that in most current deployments, clients
> don't do any form of TSIG. My comments were meant to be descriptive of
> current widespread usage, not prescriptive. IPA is an improvement on
> that common usage that I'm quite happy to see. In general, you and I
> tend to be in close agreement about what *should* be.

Unsurprisingly I agree :-)

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com Wed Sep 17 16:48:32 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 17 Sep 2008 12:48:32 -0400
Subject: [Freeipa-users] ipa impressions and more questions
In-Reply-To:
References: <1221661643.4486.18.camel@sinope> <1221662734.12851.100.camel@localhost.localdomain> <1221664154.12851.110.camel@localhost.localdomain> <1221665608.12851.119.camel@localhost.localdomain>
Message-ID: <48D134E0.2010001@redhat.com>

Ivan Levchenko wrote:
> On Wed, Sep 17, 2008 at 6:33 PM, Simo Sorce wrote:
>> I think we had a way to add new fields, but I can't recall details right
>> now, worst case you can "customize" the python code, although that is a
>> bit of last resort option as it would mean you have to keep your patch
>> updated for each update/upgrade :-)
>>
>
> For me personally, this would be a very important feature. Maybe it
> could be added into the plans for v2?
> in the meantime, I'll just be adding the info directly to ldap.

We have something very limited currently.

In the record cn=ipaconfig you can add the attribute ipacustomfields.

This attribute takes the format (field1 $ field2 $ field3 ...)

Field is a comma-separated value and is made up of:
label: The label displayed to the user
field: the attribute name
required: true/false

So something like: See Also, seeAlso, false $ Country, c, true

Be careful when adding attributes that have additional objectClass requirements. If you do this then you'll need to also update ipaUserObjectClasses (which you can do in the UI) to include this for new users. For existing users you will need to manually add the new objectclass to them.

These new fields will then get tacked onto the end of the User pages in the UI.

rob
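The ipacustomfields format Rob describes above, turned into a small generator, as an added example that is neither from this thread nor from FreeIPA's own code. It validates each "label, attribute, required" entry, packs the entries with " $ ", and prints the LDIF to apply the value to the config entry plus the follow-up LDIF for an existing user that needs an extra objectClass. The config entry DN (cn=ipaconfig,cn=etc,... is assumed, not stated in the thread), the user DN and the objectClass name yourAuxiliaryClass are placeholders.

```shell
#!/bin/sh
# Added example, not from the freeipa-users thread or from FreeIPA itself.
# Builds an ipacustomfields value ("label, attribute, required" entries
# joined with " $ ") and emits the LDIF needed to apply it.

# Assumed location of the config entry; adjust to your suffix.
CONFIG_DN="${CONFIG_DN:-cn=ipaconfig,cn=etc,dc=example,dc=com}"

# custom_field LABEL ATTRIBUTE REQUIRED -> "LABEL, ATTRIBUTE, REQUIRED"
# Rejects a required flag other than true/false and the two separator
# characters, which would corrupt the packed value when it is parsed back.
custom_field() {
    case "$3" in
        true|false) ;;
        *) echo "custom_field: required must be true or false, got '$3'" >&2; return 1 ;;
    esac
    case "$1$2" in
        *'$'*|*,*) echo "custom_field: label/attribute may not contain ',' or '\$'" >&2; return 1 ;;
    esac
    printf '%s, %s, %s' "$1" "$2" "$3"
}

# join_fields FIELD... -> the fields joined with " $ "
join_fields() {
    sep=""
    for f in "$@"; do
        printf '%s%s' "$sep" "$f"
        sep=' $ '
    done
}

# custom_fields_ldif VALUE -> LDIF that replaces ipacustomfields on the config entry
custom_fields_ldif() {
    printf 'dn: %s\nchangetype: modify\nreplace: ipacustomfields\nipacustomfields: %s\n' "$CONFIG_DN" "$1"
}

# add_objectclass_ldif USER_DN OBJECTCLASS -> LDIF adding the class an existing
# user needs before the new attribute may be set on it (new users get it via
# ipaUserObjectClasses, as Rob notes).
add_objectclass_ldif() {
    printf 'dn: %s\nchangetype: modify\nadd: objectClass\nobjectClass: %s\n' "$1" "$2"
}

# Usage: sh custom-fields.sh > custom-fields.ldif
#        ldapmodify -Y GSSAPI -H ldap://ipa.example.com -f custom-fields.ldif
# The two fields mirror Rob's example; `c` needs an objectClass that allows it,
# named here only by the placeholder yourAuxiliaryClass.
value=$(join_fields "$(custom_field 'See Also' seeAlso false)" "$(custom_field Country c true)")
custom_fields_ldif "$value"
echo
add_objectclass_ldif "uid=jdoe,cn=users,cn=accounts,dc=example,dc=com" yourAuxiliaryClass
```

Run once with a GSSAPI bind as admin; because the LDIF uses `replace`, rerunning it after editing the field list overwrites the attribute rather than appending a second value.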
From levchenko.i at gmail.com Wed Sep 17 17:35:41 2008
From: levchenko.i at gmail.com (Ivan Levchenko)
Date: Wed, 17 Sep 2008 20:35:41 +0300
Subject: [Freeipa-users] ipa impressions and more questions
In-Reply-To: <48D134E0.2010001@redhat.com>
References: <1221661643.4486.18.camel@sinope> <1221662734.12851.100.camel@localhost.localdomain> <1221664154.12851.110.camel@localhost.localdomain> <1221665608.12851.119.camel@localhost.localdomain> <48D134E0.2010001@redhat.com>
Message-ID:

On Wed, Sep 17, 2008 at 7:48 PM, Rob Crittenden wrote:
>
> We have something very limited currently.
>
> In the record cn=ipaconfig you can add the attribute ipacustomfields.
>
> This attribute takes the format (field1 $ field2 $ field3 ...)
>
> Field is a comma-separated value and is made up of:
> label: The label displayed to the user
> field: the attribute name
> required: true/false
>
> So something like: See Also, seeAlso, false $ Country, c, true
>
> Be careful when adding attributes that have additional objectClass
> requirements. If you do this then you'll need to also update
> ipaUserObjectClasses (which you can do in the UI) to include this for new
> users. For existing users you will need to manually add the new objectclass
> to them.
>
> These new fields will then get tacked onto the end of the User pages in the
> UI.
>
> rob
>

Great! This is exactly what I needed!

Of course it would be great to get this whole process in the UI, but even as it is it's good enough.

IPA is really making working with accounts a lot easier in the long run.. thanks guys!

Ivan

From levchenko.i at gmail.com Thu Sep 18 11:41:18 2008
From: levchenko.i at gmail.com (Ivan Levchenko)
Date: Thu, 18 Sep 2008 14:41:18 +0300
Subject: [Freeipa-users] logging on via ssh using a new account that has an expired password fails
Message-ID:

Hi All,

I'm starting to deploy my IPA setup one system at a time, and I just came into one other issue:

I added the host principal for hostname, I can log in using existing ipa accounts via ssh fine.

BUT, I just created a new account for a user, and gave him the login details. He logs in remotely through a vpn connection (does not have any kerberos install or something like that).

and when he tries to log in he gets an auth failure. this is going on at the ipa client:

Sep 18 04:29:02 svn sshd[31766]: pam_krb5[31766]: authentication fails for 'user' (user at REALTOOLSTECH.COM): Authentication failure (Password change failed)
Sep 18 04:29:04 svn sshd[31766]: Failed password for user from 192.168.0.112 port 33131 ssh2

How can ssh change the password for this user?

--
Best Regards,
Ivan Levchenko
levchenko.i at gmail.com

From rcritten at redhat.com Thu Sep 18 12:56:23 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 18 Sep 2008 08:56:23 -0400
Subject: [Freeipa-users] logging on via ssh using a new account that has an expired password fails
In-Reply-To:
References:
Message-ID: <48D24FF7.30602@redhat.com>

Ivan Levchenko wrote:
> Hi All,
>
> I'm starting to deploy my IPA setup one system at a time, and I
> just came into one other issue:
>
> I added the host principal for hostname, I can log in using
> existing ipa accounts via ssh fine.
>
> BUT, I just created a new account for a user, and gave him the login
> details. He logs in remotely through a vpn connection (does not have
> any kerberos install or something like that).
>
> and when he tries to log in he gets an auth failure. this is going on
> at the ipa client:
> Sep 18 04:29:02 svn sshd[31766]: pam_krb5[31766]: authentication fails
> for 'user' (user at REALTOOLSTECH.COM): Authentication failure (Password
> change failed)
> Sep 18 04:29:04 svn sshd[31766]: Failed password for user from
> 192.168.0.112 port 33131 ssh2
>
> How can ssh change the password for this user?

See this:

http://freeipa.org/page/AdministratorsGuide#Using_Password_Authentication

Basically, set ChallengeResponseAuthentication to "yes" in /etc/sshd/sshd_config

rob

From levchenko.i at gmail.com Thu Sep 18 13:09:00 2008
From: levchenko.i at gmail.com (Ivan Levchenko)
Date: Thu, 18 Sep 2008 16:09:00 +0300
Subject: [Freeipa-users] logging on via ssh using a new account that has an expired password fails
In-Reply-To: <48D24FF7.30602@redhat.com>
References: <48D24FF7.30602@redhat.com>
Message-ID:

On Thu, Sep 18, 2008 at 3:56 PM, Rob Crittenden wrote:
> http://freeipa.org/page/AdministratorsGuide#Using_Password_Authentication
>
> Basically, set ChallengeResponseAuthentication to "yes" in
> /etc/sshd/sshd_config
>
> rob
>

Thanks.. Err.. sorry, missed that somehow in the docs.. will take more care this time.

Thanks again

--
Best Regards,
Ivan Levchenko
levchenko.i at gmail.com

From levchenko.i at gmail.com Thu Sep 18 13:30:56 2008
From: levchenko.i at gmail.com (Ivan Levchenko)
Date: Thu, 18 Sep 2008 16:30:56 +0300
Subject: [Freeipa-users] logging on via ssh using a new account that has an expired password fails
In-Reply-To:
References: <48D24FF7.30602@redhat.com>
Message-ID:

On Thu, Sep 18, 2008 at 4:09 PM, Ivan Levchenko wrote:
> On Thu, Sep 18, 2008 at 3:56 PM, Rob Crittenden wrote:
>
>> http://freeipa.org/page/AdministratorsGuide#Using_Password_Authentication
>>
>> Basically, set ChallengeResponseAuthentication to "yes" in
>> /etc/sshd/sshd_config
>>
>> rob
>>

Works as expected =)

but it asked for a password, even though klist shows that I have a ticket.. but as long as I can log in, I'm good to go.

--
Best Regards,
Ivan Levchenko
levchenko.i at gmail.com

From rcritten at redhat.com Thu Sep 18 13:37:31 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 18 Sep 2008 09:37:31 -0400
Subject: [Freeipa-users] logging on via ssh using a new account that has an expired password fails
In-Reply-To:
References: <48D24FF7.30602@redhat.com>
Message-ID: <48D2599B.4080000@redhat.com>

Ivan Levchenko wrote:
> On Thu, Sep 18, 2008 at 4:09 PM, Ivan Levchenko wrote:
>> On Thu, Sep 18, 2008 at 3:56 PM, Rob Crittenden wrote:
>>
>>> http://freeipa.org/page/AdministratorsGuide#Using_Password_Authentication
>>>
>>> Basically, set ChallengeResponseAuthentication to "yes" in
>>> /etc/sshd/sshd_config
>>>
>>> rob
>>>
>
> Works as expected =)
>
> but it asked for a password, even though klist shows that I have a
> ticket.. but as long as I can log in, I'm good to go.
>

Do you have a keytab with a host/ service ticket installed on the remote server you are ssh'ing into? You might want to use ssh -v to see if it is trying a GSSAPI authentication. This should work without prompting for a password (except the case of a password reset).

rob

From levchenko.i at gmail.com Fri Sep 26 14:28:23 2008
From: levchenko.i at gmail.com (Ivan Levchenko)
Date: Fri, 26 Sep 2008 17:28:23 +0300
Subject: [Freeipa-users] sasl binding failed when running ipa-getkeytab
Message-ID:

Hi All!

Installed ipa-client on a 64 bit os (centos 5.2).

ipa-client install went fine, no errors, but when I ran ipa-getkeytab:

ipa-getkeytab -s master.mydomain.com -p host/client.mydomain.com.com -k /etc/krb5.keytab

I get the following error message:
SASL Bind failed!

I can login using the ipa users, but I need to enter them manually... What does this error mean? I checked on http://freeipa.org/page/TroubleshootingGuide#Service_Principals , but on the server, nothing appears like that in the logs.

On the client, in /var/log/messages, I found this:

ipa-getkeytab: No worthy mechs found

googling didn't help on this error...

Thanks in advance.

--
Best Regards,
Ivan Levchenko
levchenko.i at gmail.com

From rom at twister.dyndns.org Sat Sep 27 23:46:16 2008
From: rom at twister.dyndns.org (Fred Wittekind)
Date: Sat, 27 Sep 2008 19:46:16 -0400
Subject: [Freeipa-users] Locked Screen saver & Renew Ticket window.
Message-ID: <48DEC5C8.7040000@twister.dyndns.org>

If you've been away for a long time, and the screen is both locked, and the ticket has expired triggering a renew ticket window, you have to enter your password twice in close succession, both validated by the IPA directly or indirectly.

I was wondering if this should be altered, so that when the screen saver password window sends an auth request to validate the password entered to unlock the screen, if the ticket also needs to be renewed it should do so, and make the renew ticket window go away.

Thoughts?
Fred Wittekind

From ssorce at redhat.com Sun Sep 28 23:07:38 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Sun, 28 Sep 2008 19:07:38 -0400
Subject: [Freeipa-users] Locked Screen saver & Renew Ticket window.
In-Reply-To: <48DEC5C8.7040000@twister.dyndns.org>
References: <48DEC5C8.7040000@twister.dyndns.org>
Message-ID: <1222643258.6122.4.camel@localhost.localdomain>

On Sat, 2008-09-27 at 19:46 -0400, Fred Wittekind wrote:
> If you've been away for a long time, and the screen is both locked, and
> the ticket has expired triggering a renew ticket window, you have to
> enter your password twice in close succession, both validated by the IPA
> directly or indirectly.
>
> I was wondering if this should be altered, so that when the screen saver
> password window sends an auth request to validate the password entered to
> unlock the screen, if the ticket also needs to be renewed it should do so, and
> make the renew ticket window go away.

Yes the screen-saver should trigger correct renewal of credentials. Are you sure that does not happen? I think the renew window does not go away even if the screen-saver does it right now as I think it does not do any polling to monitor if the situation is changed once it displays the prompt :/

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From rom at twister.dyndns.org Sun Sep 28 23:12:57 2008
From: rom at twister.dyndns.org (Fred Wittekind)
Date: Sun, 28 Sep 2008 19:12:57 -0400
Subject: [Freeipa-users] Locked Screen saver & Renew Ticket window.
In-Reply-To: <1222643258.6122.4.camel@localhost.localdomain>
References: <48DEC5C8.7040000@twister.dyndns.org> <1222643258.6122.4.camel@localhost.localdomain>
Message-ID: <48E00F79.2060902@twister.dyndns.org>

Simo Sorce wrote:
> On Sat, 2008-09-27 at 19:46 -0400, Fred Wittekind wrote:
>
>> If you've been away for a long time, and the screen is both locked, and
>> the ticket has expired triggering a renew ticket window, you have to
>> enter your password twice in close succession, both validated by the IPA
>> directly or indirectly.
>>
>> I was wondering if this should be altered, so that when the screen saver
>> password window sends an auth request to validate the password entered to
>> unlock the screen, if the ticket also needs to be renewed it should do so, and
>> make the renew ticket window go away.
>>
>
> Yes the screen-saver should trigger correct renewal of credentials.
> Are you sure that does not happen? I think the renew window does not go
> away even if the screen-saver does it right now as I think it does not
> do any polling to monitor if the situation is changed once it displays
> the prompt :/
>

I'm not actually sure that the screen saver doesn't renew the credentials. I'll check next time it happens. Could / should the renew window be modified to poll?

> Simo.
>
>

From ssorce at redhat.com Sun Sep 28 23:25:14 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Sun, 28 Sep 2008 19:25:14 -0400
Subject: [Freeipa-users] Locked Screen saver & Renew Ticket window.
In-Reply-To: <48E00F79.2060902@twister.dyndns.org>
References: <48DEC5C8.7040000@twister.dyndns.org> <1222643258.6122.4.camel@localhost.localdomain> <48E00F79.2060902@twister.dyndns.org>
Message-ID: <1222644314.6122.8.camel@localhost.localdomain>

On Sun, 2008-09-28 at 19:12 -0400, Fred Wittekind wrote:
> Simo Sorce wrote:
> > On Sat, 2008-09-27 at 19:46 -0400, Fred Wittekind wrote:
> >
> >> If you've been away for a long time, and the screen is both locked, and
> >> the ticket has expired triggering a renew ticket window, you have to
> >> enter your password twice in close succession, both validated by the IPA
> >> directly or indirectly.
> >>
> >> I was wondering if this should be altered, so that when the screen saver
> >> password window sends an auth request to validate the password entered to
> >> unlock the screen, if the ticket also needs to be renewed it should do so, and
> >> make the renew ticket window go away.
> >>
> >
> > Yes the screen-saver should trigger correct renewal of credentials.
> > Are you sure that does not happen? I think the renew window does not go
> > away even if the screen-saver does it right now as I think it does not
> > do any polling to monitor if the situation is changed once it displays
> > the prompt :/
> >
> I'm not actually sure that the screen saver doesn't renew the
> credentials. I'll check next time it happens. Could / should the renew
> window be modified to poll?

Yeah it would be nice if it were smarter indeed.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From sgallagh at redhat.com Mon Sep 29 11:29:55 2008
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Mon, 29 Sep 2008 07:29:55 -0400
Subject: [Freeipa-users] Locked Screen saver & Renew Ticket window.
In-Reply-To: <1222644314.6122.8.camel@localhost.localdomain>
References: <48DEC5C8.7040000@twister.dyndns.org> <1222643258.6122.4.camel@localhost.localdomain> <48E00F79.2060902@twister.dyndns.org> <1222644314.6122.8.camel@localhost.localdomain>
Message-ID: <48E0BC33.30705@redhat.com>

Simo Sorce wrote:
> On Sun, 2008-09-28 at 19:12 -0400, Fred Wittekind wrote:
>> Simo Sorce wrote:
>>> On Sat, 2008-09-27 at 19:46 -0400, Fred Wittekind wrote:
>>>
>>>> If you've been away for a long time, and the screen is both locked, and
>>>> the ticket has expired triggering a renew ticket window, you have to
>>>> enter your password twice in close succession, both validated by the IPA
>>>> directly or indirectly.
>>>>
>>>> I was wondering if this should be altered, so that when the screen saver
>>>> password window sends an auth request to validate the password entered to
>>>> unlock the screen, if the ticket also needs to be renewed it should do so, and
>>>> make the renew ticket window go away.
>>>>
>>> Yes the screen-saver should trigger correct renewal of credentials.
>>> Are you sure that does not happen? I think the renew window does not go
>>> away even if the screen-saver does it right now as I think it does not
>>> do any polling to monitor if the situation is changed once it displays
>>> the prompt :/
>>>
>> I'm not actually sure that the screen saver doesn't renew the
>> credentials. I'll check next time it happens. Could / should the renew
>> window be modified to poll?
>
> Yeah it would be nice if it were smarter indeed.
>
> Simo.
>

Well, the reason that the screensaver requires two password entries is that it needs to support traditional kerberos authentication schemes where it is fully possible to have a separate password for login and for kerberos authentication. Furthermore, we need to be able to support the case where a user performs the initial logon using a different authentication mechanism.

In my case, I have the fingerprint scanner set up to act as a shortcut to waking my computer up from the screensaver. This biometric signature is obviously not going to function the same as the kerberos password, so when I unlock the screensaver and it is time for kerberos ticket renewal, I still need to enter my kerberos password.

--
--------------------
Stephen Gallagher
RHCE 804006346421761

From rom at twister.dyndns.org Mon Sep 29 13:01:20 2008
From: rom at twister.dyndns.org (Fred Wittekind)
Date: Mon, 29 Sep 2008 09:01:20 -0400
Subject: [Freeipa-users] Locked Screen saver & Renew Ticket window.
In-Reply-To: <48E0BC33.30705@redhat.com>
References: <48DEC5C8.7040000@twister.dyndns.org> <1222643258.6122.4.camel@localhost.localdomain> <48E00F79.2060902@twister.dyndns.org> <1222644314.6122.8.camel@localhost.localdomain> <48E0BC33.30705@redhat.com>
Message-ID: <48E0D1A0.10100@twister.dyndns.org>

Stephen Gallagher wrote:
> Simo Sorce wrote:
>
>> On Sun, 2008-09-28 at 19:12 -0400, Fred Wittekind wrote:
>>
>>> Simo Sorce wrote:
>>>
>>>> On Sat, 2008-09-27 at 19:46 -0400, Fred Wittekind wrote:
>>>>
>>>>
>>>>> If you've been away for a long time, and the screen is both locked, and
>>>>> the ticket has expired triggering a renew ticket window, you have to
>>>>> enter your password twice in close succession, both validated by the IPA
>>>>> directly or indirectly.
>>>>>
>>>>> I was wondering if this should be altered, so that when the screen saver
>>>>> password window sends an auth request to validate the password entered to
>>>>> unlock the screen, if the ticket also needs to be renewed it should do so, and
>>>>> make the renew ticket window go away.
>>>>>
>>>>>
>>>> Yes the screen-saver should trigger correct renewal of credentials.
>>>> Are you sure that does not happen? I think the renew window does not go
>>>> away even if the screen-saver does it right now as I think it does not
>>>> do any polling to monitor if the situation is changed once it displays
>>>> the prompt :/
>>>>
>>>>
>>> I'm not actually sure that the screen saver doesn't renew the
>>> credentials. I'll check next time it happens. Could / should the renew
>>> window be modified to poll?
>>>
>> Yeah it would be nice if it were smarter indeed.
>>
>> Simo.
>>
>>
>
> Well, the reason that the screensaver requires two password entries is
> that it needs to support traditional kerberos authentication schemes
> where it is fully possible to have a separate password for login and for
> kerberos authentication. Furthermore, we need to be able to support the
> case where a user performs the initial logon using a different
> authentication mechanism.
>
>

I'm not suggesting a change to the screensaver itself. Just suggesting that the program that brings up the renew windows could be made smarter. (Making it detect if the ticket was renewed by another means.) I did verify that the screensaver is in fact renewing the ticket for my setup.

> In my case, I have the fingerprint scanner set up to act as a shortcut
> to waking my computer up from the screensaver. This biometric signature
> is obviously not going to function the same as the kerberos password, so
> when I unlock the screensaver and it is time for kerberos ticket
> renewal, I still need to enter my kerberos password.
>

And making the renew ticket window smart enough to detect if something else renewed the ticket would not affect this case, since it wouldn't detect a ticket renewal from your fingerprint scanner auth.

> --
> --------------------
> Stephen Gallagher
> RHCE 804006346421761
>
>

From rcritten at redhat.com Mon Sep 29 14:55:39 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 29 Sep 2008 10:55:39 -0400
Subject: [Freeipa-users] sasl binding failed when running ipa-getkeytab
In-Reply-To:
References:
Message-ID: <48E0EC6B.4030200@redhat.com>

Ivan Levchenko wrote:
> Hi All!
>
> Installed ipa-client on a 64 bit os (centos 5.2).
>
> ipa-client install went fine, no errors, but when I ran ipa-getkeytab:
>
> ipa-getkeytab -s master.mydomain.com -p host/client.mydomain.com.com
> -k /etc/krb5.keytab
>
> I get the following error message:
> SASL Bind failed!
>
> I can login using the ipa users, but I need to enter them manually...
> What does this error mean? I checked on
> http://freeipa.org/page/TroubleshootingGuide#Service_Principals , but
> on the server, nothing appears like that in the logs.
>
> On the client, in /var/log/messages, I found this:
>
> ipa-getkeytab: No worthy mechs found
>
> googling didn't help on this error...

Did you have a kerberos ticket before running ipa-getkeytab? You need to do a kinit before running this.

I'm not sure what you mean by "enter them manually" when logging on as an ipa user.

You will want to look on the IPA server in /var/log/krb5kdc.log and/or /var/log/dirsrv/slapd-INSTANCE/error for more information.

rob
From levchenko.i at gmail.com Tue Sep 30 11:09:13 2008
From: levchenko.i at gmail.com (Ivan Levchenko)
Date: Tue, 30 Sep 2008 14:09:13 +0300
Subject: [Freeipa-users] sasl binding failed when running ipa-getkeytab
In-Reply-To: <48E0EC6B.4030200@redhat.com>
References: <48E0EC6B.4030200@redhat.com>
Message-ID:

On Mon, Sep 29, 2008 at 5:55 PM, Rob Crittenden wrote:
>
> Did you have a kerberos ticket before running ipa-getkeytab? You need to do
> a kinit before running this.

Yes, I did kinit for admin, and klist shows that I have a ticket.

>
> I'm not sure what you mean by "enter them manually" when logging on as an
> ipa user.

i.e. when I ssh to the box, it prompts me for a password and authenticates via pam (which checks against the ipa server), and I get logged in successfully using the user that is defined on the ipa server.

>
> You will want to look on the IPA server in /var/log/krb5kdc.log and/or
> /var/log/dirsrv/slapd-INSTANCE/error for more information.

I was just tailing those two files while running the ipa-getkeytab command.. nothing.... also checked any other even remotely relevant log files (messages, secure...) - nothing...

The architecture of the client is 64 bit. on all of the other 32 bit clients that I am using - everything is working fine.

>
> rob
>

--
Best Regards,
Ivan Levchenko
levchenko.i at gmail.com

From rcritten at redhat.com Tue Sep 30 13:28:49 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 30 Sep 2008 09:28:49 -0400
Subject: [Freeipa-users] sasl binding failed when running ipa-getkeytab
In-Reply-To:
References: <48E0EC6B.4030200@redhat.com>
Message-ID: <48E22991.9040503@redhat.com>

Ivan Levchenko wrote:
> On Mon, Sep 29, 2008 at 5:55 PM, Rob Crittenden wrote:
>> Did you have a kerberos ticket before running ipa-getkeytab? You need to do
>> a kinit before running this.
>
> Yes, I did kinit for admin, and klist shows that I have a ticket.
>
>> I'm not sure what you mean by "enter them manually" when logging on as an
>> ipa user.
>
> i.e. when I ssh to the box, it prompts me for a password and
> authenticates via pam (which checks against the ipa server), and I get
> logged in successfully using the user that is defined on the ipa
> server.

Log into which box? The IPA server or another server? If not the IPA server, does this other server have a host service principal and has sshd been restarted?

Using the -v argument with ssh will show you more details on what authentication methods it is trying.

>> You will want to look on the IPA server in /var/log/krb5kdc.log and/or
>> /var/log/dirsrv/slapd-INSTANCE/error for more information.
> I was just tailing those two files while running the ipa-getkeytab
> command.. nothing....
> also checked any other even remotely relevant log files (messages,
> secure...) - nothing...

I'm not sure how that is possible. The error you reported from ipa-getkeytab is returned if an LDAP GSSAPI bind to the IPA LDAP server fails. You can try a similar operation by doing something like:

% ldapsearch -Y GSSAPI -h ipa.freeipa.org -b "dc=freeipa,dc=org" uid=admin

rob
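The checks Rob suggests across the two threads above (a ticket before ipa-getkeytab, a host/ key in the keytab and GSSAPI enabled in sshd on the ssh target, ChallengeResponseAuthentication for the expired-password case, and a GSSAPI bind against the IPA directory), collected into one client-side script. This is an added example, not code from the thread or from FreeIPA. The server name, base DN, SASL plugin directories and the /etc/ssh/sshd_config path are assumptions, and the sample keytab listing, sshd_config and rootDSE text in the comments are constructed. One thing the thread never settles is the "No worthy mechs found" message; that text is Cyrus SASL reporting that no mechanism plugin could be loaded, so on an x86_64 client the first place to look is the lib64 plugin directory, which the script checks. That is a plausible cause of Ivan's 64-bit-only failure, not a diagnosis the thread confirms.

```shell
#!/bin/sh
# Added example, not from the freeipa-users thread or from FreeIPA itself.
# Pre-flight checks for the LDAP GSSAPI bind that ipa-getkeytab performs,
# plus the ssh-side checks Rob asked about. Values below are assumptions.

IPA_SERVER="${IPA_SERVER:-ipa.example.com}"      # assumed server name
BASE_DN="${BASE_DN:-dc=example,dc=com}"          # assumed suffix

# Stdin: output of `klist -k /etc/krb5.keytab`. Succeeds if a host/FQDN@REALM
# key is present; sshd needs it before GSSAPI logins can work without a password.
keytab_has_host_principal() {
    grep -q "[[:space:]]host/$1@"
}

# Stdin: sshd_config text. Prints the effective value of keyword $1 in lower
# case. sshd honours the first occurrence of a keyword, so so does this.
sshd_option() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        tolower($1) == key { print tolower($2); exit }'
}

# Stdin: rootDSE output of
#   ldapsearch -x -LLL -H ldap://SERVER -s base -b "" supportedSASLMechanisms
# Succeeds if the server advertises GSSAPI at all.
has_gssapi_mech() {
    grep -q '^supportedSASLMechanisms: GSSAPI$'
}

# Succeeds if a Cyrus SASL GSSAPI plugin exists in one of the directories
# given. A missing plugin for the client's architecture (lib64 on x86_64) is
# what the client-side "No worthy mechs found" message usually means.
have_gssapi_plugin() {
    for d in "$@"; do
        [ -n "$(ls "$d"/libgssapiv2*.so* 2>/dev/null)" ] && return 0
    done
    return 1
}

# Map ipa-getkeytab/ldapsearch error text to a hint; fails if unrecognised.
classify_sasl_error() {
    case "$1" in
        *"No worthy mechs found"*)
            echo "no usable SASL mechanism: install the GSSAPI plugin for this architecture" ;;
        *"No credentials cache found"*|*"Ticket expired"*)
            echo "no valid Kerberos ticket: run kinit first" ;;
        *"Server not found in Kerberos database"*)
            echo "KDC has no ldap/$IPA_SERVER principal or the -s name is wrong" ;;
        *) return 1 ;;
    esac
}

# Live checks: need klist, ldapsearch, a readable sshd_config and the network.
run_checks() {
    klist -s || { echo "no valid ticket in the credential cache; run kinit"; return 1; }
    have_gssapi_plugin /usr/lib64/sasl2 /usr/lib/sasl2 \
        || { echo "no GSSAPI SASL plugin found"; return 1; }
    fqdn=$(hostname -f)
    klist -k /etc/krb5.keytab 2>/dev/null | keytab_has_host_principal "$fqdn" \
        || echo "warning: no host/$fqdn key in /etc/krb5.keytab; ssh will fall back to passwords"
    for opt in GSSAPIAuthentication ChallengeResponseAuthentication; do
        [ "$(sshd_option "$opt" < /etc/ssh/sshd_config)" = yes ] \
            || echo "warning: $opt is not 'yes' in /etc/ssh/sshd_config"
    done
    ldapsearch -x -LLL -H "ldap://$IPA_SERVER" -s base -b "" supportedSASLMechanisms | has_gssapi_mech \
        || { echo "$IPA_SERVER does not advertise GSSAPI"; return 1; }
    out=$(ldapsearch -Y GSSAPI -H "ldap://$IPA_SERVER" -b "$BASE_DN" uid=admin dn 2>&1) \
        || { classify_sasl_error "$out" || echo "$out"; return 1; }
    echo "GSSAPI bind to $IPA_SERVER OK"
}

# Usage: sh ipa-gssapi-check.sh run
if [ "${1:-}" = run ]; then
    run_checks
fi
```

The warnings about the keytab and sshd options are deliberately non-fatal: a missing host/ key explains Ivan's password prompt on ssh but has no bearing on whether ipa-getkeytab's own bind succeeds, which only needs a ticket, a loadable GSSAPI plugin and a server that offers the mechanism.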