From vijivijayakumar at gmail.com Thu Jan 1 10:05:10 2009 
From: vijivijayakumar at gmail.com (Viji V Nair)
Date: Thu, 1 Jan 2009 15:35:10 +0530
Subject: [Freeipa-users] Windows Client Problem
In-Reply-To: <495B9530.2010703@spbcas.ru>
References: <84c89ac10812270448j24d6ff44m5c31d5a0e938256b@mail.gmail.com> <4958CB1E.1050005@spbcas.ru> <84c89ac10812300915l5950aa26xf09a8949a0b1c272@mail.gmail.com> <495A656D.7000400@spbcas.ru> <84c89ac10812310046ie1fee75r8b636494c440ecc5@mail.gmail.com> <495B9530.2010703@spbcas.ru>
Message-ID: <84c89ac10901010205x739c8b86jbfa6bf1227a8ec5d@mail.gmail.com>

Hi,

Yes, my goal is to set up an Active Directory substitution, but I am not looking for a complete AD replacement. I really don't want to use Windows Active Directory. In my organization around 60% of the users are using Linux as their desktop; the remaining 40% are on Windows XP SP3.

I want to set up single sign-on using FreeIPA. I found the attached document on the internet, so I tried to set up samba as a client to FreeIPA and authenticate Windows clients to samba and samba to FreeIPA. (I tried this because I was struggling to get Windows to authenticate to Kerberos.)

Please have a look at the attached document; I will try your suggestions and post the results.

Wishing you all a Happy and peaceful NEW YEAR.

Thanks & Regards
Viji

On Wed, Dec 31, 2008 at 9:22 PM, Kozlov wrote:
> Hi,
>
> I saw your posts on samba list :)
> Is your goal to make the Active Directory substitution?
>
> Samba3 + FreeIPA won't work that way. Look for explanations on freeipa-users list. You either need Samba4 or no kerberos on Windows.
>
> However, samba3 can be used with FreeIPA as File Sharing solution and will use Single Sign On when you've managed to set up winxp for IPA.
>
> Best regards and Happy New Year!
>
> Kostya
>
> Viji V Nair wrote:
>> Hi,
>>
>> I have set up samba as a PDC with kerberos and ldap. While adding the windows clients I get the following error message in the logs, and windows says the user name and password is incorrect:
>>
>> [2008/12/31 19:00:09, 0] lib/util_sock.c:write_data(1059)
>> [2008/12/31 19:00:09, 0] lib/util_sock.c:get_peer_addr_internal(1607)
>> getpeername failed. Error was Transport endpoint is not connected
>> write_data: write failure in writing to client 0.0.0.0. Error Connection reset by peer
>> [2008/12/31 19:00:09, 0] smbd/process.c:srv_send_smb(74)
>> Error writing 4 bytes to client. -1. (Transport endpoint is not connected)
>>
>> Any help on the same will be greatly appreciated.
>>
>> # rpm -qa |grep samba
>> samba-client-3.2.5-0.23.fc10.x86_64
>> samba-common-3.2.5-0.23.fc10.x86_64
>> samba-3.2.5-0.23.fc10.x86_64
>> samba-winbind-3.2.5-0.23.fc10.x86_64
>>
>> # uname -a
>> Linux viji.testing.com 2.6.27.7-134.fc10.x86_64 #1 SMP Mon Dec 1 22:21:35 EST 2008 x86_64 x86_64 x86_64 GNU/Linux
>>
>> # cat /etc/samba/smb.conf
>> [global]
>> workgroup = TESTING.COM
>> server string = Samba Server Version %v
>> security = user
>> passdb backend = smbpasswd
>> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>> os level = 33
>> domain logons = yes
>> domain master = yes
>> local master = yes
>> preferred master = yes
>> wins support = yes
>> template shell = /bin/false
>> realm = TESTING.COM
>> use kerberos keytab = yes
>> load printers = yes
>> cups options = raw
>> # log level = 3 passdb:5 auth:10
>> [homes]
>> comment = Home Directories
>> browseable = no
>> writable = yes
>> [printers]
>> comment = All Printers
>> path = /var/spool/samba
>> browseable = no
>> guest ok = no
>> writable = no
>> printable = yes
>> [share]
>> comment = Share
>> path = /share
>> browseable = yes
>> guest ok = no
>> writable = yes
>> valid users = admin
>>
>> Thanks
>> Viji
>>
>> Viji V Nair wrote:
>>> Hi,
>>>
>>> I have done the modifications as suggested, but no luck, getting the same error.
>>>
>>> # kinit admin
>>> # ipa-addservice host/bmdata01.testing.com
>>> # ipa-getkeytab -s viji.testing.com -p host/bmdata01.testing.com -k /etc/krb5.keytab
>>>
>>> Could you please elaborate the steps which you have done to get it working on both the client and server side?
>>>
>>> Thanks
>>> Viji
>>>
>>> On Tue, Dec 30, 2008 at 11:46 PM, Kozlov <mackoel at gmail.com> wrote:
>>>> Hi,
>>>>
>>>> The minor comment is that kadmin is supposed to be substituted with ipa-addservice.
>>>>
>>>> The major comment is that you've missed ipa-getkeytab on ipaserver that actually SETS the password that you then install on winxp.
>>>>
>>>> And try to map all users to one: for example, "* Administrator".
>>>>
>>>> Best regards,
>>>>
>>>> Kostya
>>>>
>>>> Viji V Nair wrote:
>>>>> Hi,
>>>>>
>>>>> Thank you for the information, I have tried all these steps, but no success.
>>>>>
>>>>> 1. On the IPA Server I have created a host principal using the following command.
>>>>>
>>>>> # kadmin -q "ank host/bmdata01.testing.com"
>>>>>
>>>>> 2. On the windows xp client
>>>>>
>>>>> C:> ksetup /setrealm TESTING.COM
>>>>> C:> ksetup /addkdc TESTING.COM viji.bigmaps.com
>>>>> C:> ksetup /setmachpassword
>>>>> C:> ksetup /mapuser admin at TESTING.COM guest
>>>>> C:> ksetup /mapuser * *
>>>>>
>>>>> After the above setup windows is showing TESTING.COM as a Kerberos Realm on the login screen, but when I try to login using the user name "admin" it is throwing the following error.
>>>>>
>>>>> "The system could not log you on. Make sure your user name and domain are correct, and then type your password again. Letters in passwords must be typed using the correct case."
>>>>>
>>>>> But the IPA (kerberos) server is issuing the tickets, the log shows:
>>>>>
>>>>> Dec 30 22:36:03 viji.testing.com krb5kdc[5179](info): AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 172.16.33.112: NEEDED_PREAUTH: admin at TESTING.COM for krbtgt/TESTING.COM@TESTING.COM, Additional pre-authentication required
>>>>> Dec 30 22:36:03 viji.testing.com krb5kdc[5179](info): AS_REQ (3 etypes {23 3 1}) 172.16.33.112: ISSUE: authtime 1230656763, etypes {rep=23 tkt=18 ses=23}, admin at TESTING.COM for krbtgt/TESTING.COM@TESTING.COM
>>>>> Dec 30 22:36:03 viji.testing.com krb5kdc[5179](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 172.16.33.112: ISSUE: authtime 1230656763, etypes {rep=23 tkt=18 ses=23}, admin at TESTING.COM for host/bmdata01.testing.com@TESTING.COM
>>>>>
>>>>> I have found some article on the Microsoft website saying this is a bug and to apply the latest service pack (SP3). I even tried that, but no success.
>>>>>
>>>>> http://support.microsoft.com/kb/825081
>>>>>
>>>>> Similar Thread:
>>>>> http://mailman.mit.edu/pipermail/kerberos/2006-May/009890.html
>>>>>
>>>>> Thanks & Regards
>>>>>
>>>>> Viji
>>>>>
>>>>> On Mon, Dec 29, 2008 at 6:35 PM, Konstantin Kozlov wrote:
>>>>>> Hi,
>>>>>>
>>>>>> You can search the list for a similar thread and here are the steps I've followed with success:
>>>>>>
>>>>>> Add host principal for winxp machine with the encoding des-cbc-crc and password (-P option for ipa-getkeytab). Do not store this keytab in /etc/krb5.keytab but rather in some other file.
>>>>>>
>>>>>> Install MS Support Tools on WinXP, and run
>>>>>>
>>>>>> ksetup /setdomain ...
>>>>>> ksetup /addkdc ...
>>>>>> ksetup /setcomputerpassword ...
>>>>>> ksetup /mapuser *
>>>>>>
>>>>>> WinXP machine asks to login to Kerberos realm at login screen.
>>>>>>
>>>>>> I failed to map one ipa-user to one win-user. But maybe because I didn't have enough time. If you succeed, leave a note here please.
>>>>>>
>>>>>> Best regards,
>>>>>>
>>>>>> Kostya
>>>>>>
>>>>>> Viji V Nair wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> I am a new user of free-ipa, I have installed the free-ipa packages shipped with fedora 10. I have more than 100 windows clients to authenticate. Here is my problem,
>>>>>>>
>>>>>>> All the clients are XP SP2, I have installed MIT Kerberos for Windows 3.2.2. Always the native windows login prompt appears first; when I login to windows the kerberos client is asking for authentication.
>>>>>>>
>>>>>>> I want to replace this windows authentication with kerberos.
>>>>>>>
>>>>>>> Any help on the same will be greatly appreciated.
>>>>>>>
>>>>>>> Thanks
>>>>>>> Viji
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Freeipa-users mailing list
>>>>>>> Freeipa-users at redhat.com
>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>>
>>>>>> --
>>>>>> Konstantin Kozlov
>>>>>> Department of Computational Biology,
>>>>>> Center for Advanced Studies,
>>>>>> SPb State Polytechnical University,
>>>>>> 195251, Polytechnicheskaya ul., 29,
>>>>>> bld 4, office 204,
>>>>>> St.Petersburg, Russia.
>>>>>>
>>>>>> Tel./fax: +7 812 596 2831

-------------- next part --------------
A non-text attachment was scrubbed...
Name: Securing_Samba_with_IPA-1.0.pdf
Type: application/pdf
Size: 198467 bytes
Desc: not available

From mackoel at gmail.com Thu Jan 1 18:35:10 2009
From: mackoel at gmail.com (Kozlov)
Date: Thu, 01 Jan 2009 21:35:10 +0300
Subject: [Freeipa-users] Windows Client Problem
In-Reply-To: <84c89ac10901010205x739c8b86jbfa6bf1227a8ec5d@mail.gmail.com>
References: <84c89ac10812270448j24d6ff44m5c31d5a0e938256b@mail.gmail.com> <4958CB1E.1050005@spbcas.ru> <84c89ac10812300915l5950aa26xf09a8949a0b1c272@mail.gmail.com> <495A656D.7000400@spbcas.ru> <84c89ac10812310046ie1fee75r8b636494c440ecc5@mail.gmail.com> <495B9530.2010703@spbcas.ru> <84c89ac10901010205x739c8b86jbfa6bf1227a8ec5d@mail.gmail.com>
Message-ID: <495D0CDE.7050109@gmail.com>

Hi,

I know this document and had set up samba3 that way.

The problem is samba3 can't use kerberos from winxp. No way for now.

Samba4 is in alpha stage; it uses the ADS schema in LDAP and can't work with FreeIPA.

Samba is not needed for winxp to authenticate in freeipa.

So if you need to authenticate winxp users in freeipa, try to follow the steps for setting up kerberos on winxp.

Did you try the ipa-getkeytab with -e and -P?

winxp needs that enctype and password to work with freeipa. And it worked for me and some people on this list.

Best regards,

Kostya

From vijivijayakumar at gmail.com Thu Jan 1 20:36:32 2009
From: vijivijayakumar at gmail.com (Viji V Nair)
Date: Fri, 2 Jan 2009 02:06:32 +0530
Subject: [Freeipa-users] Windows Client Problem
In-Reply-To: <495D0CDE.7050109@gmail.com>
References: <84c89ac10812270448j24d6ff44m5c31d5a0e938256b@mail.gmail.com> <4958CB1E.1050005@spbcas.ru> <84c89ac10812300915l5950aa26xf09a8949a0b1c272@mail.gmail.com> <495A656D.7000400@spbcas.ru> <84c89ac10812310046ie1fee75r8b636494c440ecc5@mail.gmail.com> <495B9530.2010703@spbcas.ru> <84c89ac10901010205x739c8b86jbfa6bf1227a8ec5d@mail.gmail.com> <495D0CDE.7050109@gmail.com>
Message-ID: <84c89ac10901011236o52603ecau21a210144d1996dd@mail.gmail.com>

Hi,

I did the same, still having the same problem. I know that samba is not needed for Windows XP to authenticate to FreeIPA; as I said, kerberos was not working for me (still trying on it with a fresh windows client installation), so I gave samba a try (then removed samba and did a fresh IPA installation). Here are the exact steps I have followed.

On the IPA Server:

1. Added host principal and set the password for the xp client

# ipa-addservice host/bmdata01.testing.com
# ipa-getkeytab -s viji.testing.com -p host/bmdata01.testing.com -e des-cbc-crc -k krb5.keytab.txt -P (asked for the password)

2. On the Client (Windows XP)

a. Installed MIT kerberos windows client
b. Created a user called ipauser
c. Configured kerberos

C:> ksetup /setrealm TESTING.COM
C:> ksetup /addkdc TESTING.COM viji.testing.com
C:> ksetup /setmachpassword
C:> ksetup /mapuser * ipauser

d. Rebooted the machine. After the reboot windows is showing "TESTING.COM (Kerberos Realm)" in the login screen, but when I enter a valid ipa user name it is throwing the following error.

"The system could not log you on. Make sure your user name and domain are correct, and then type your password again. Letters in passwords must be typed using the correct case."

But the kerberos server is issuing the tickets; I could see this in the logs. Don't know what happened. I hope I did something wrong, but I am not getting what went wrong and where. Your suggestions are greatly appreciated.

Thanks
Viji

From mackoel at gmail.com Sat Jan 3 18:35:57 2009
From: mackoel at gmail.com (Kozlov)
Date: Sat, 03 Jan 2009 21:35:57 +0300
Subject: [Freeipa-users] Windows Client Problem
In-Reply-To: <84c89ac10901011236o52603ecau21a210144d1996dd@mail.gmail.com>
References: <84c89ac10812270448j24d6ff44m5c31d5a0e938256b@mail.gmail.com> <4958CB1E.1050005@spbcas.ru> <84c89ac10812300915l5950aa26xf09a8949a0b1c272@mail.gmail.com> <495A656D.7000400@spbcas.ru> <84c89ac10812310046ie1fee75r8b636494c440ecc5@mail.gmail.com> <495B9530.2010703@spbcas.ru> <84c89ac10901010205x739c8b86jbfa6bf1227a8ec5d@mail.gmail.com> <495D0CDE.7050109@gmail.com> <84c89ac10901011236o52603ecau21a210144d1996dd@mail.gmail.com>
Message-ID: <495FB00D.3070204@gmail.com>

Hi,

Puzzling...

Did you try to put ipaserver and winxp box in /etc/hosts on both client and server?

Can you kinit from winxp?

Best regards,

Kostya
> > > > # rpm -qa |grep samba > > samba-client-3.2.5-0.23.fc10.x86_64 > > samba-common-3.2.5-0.23.fc10.x86_64 > > samba-3.2.5-0.23.fc10.x86_64 > > samba-winbind-3.2.5-0.23.fc10.x86_64 > > > > # uname -a > > Linux viji.testing.com > > > 2.6.27.7-134.fc10.x86_64 #1 SMP Mon Dec 1 22:21:35 > > EST 2008 x86_64 x86_64 x86_64 GNU/Linux > > > > # cat /etc/samba/smb.conf > > [global] > > workgroup = TESTING.COM > > > > server string = Samba Server Version %v > > security = user > > passdb backend = smbpasswd > > socket options = TCP_NODELAY SO_RCVBUF=8192 > SO_SNDBUF=8192 > > os level = 33 > > domain logons = yes > > domain master = yes > > local master = yes > > preferred master = yes > > wins support = yes > > template shell = /bin/false > > realm = TESTING.COM > > > > use kerberos keytab = yes > > load printers = yes > > cups options = raw > > # log level = 3 passdb:5 auth:10 > > [homes] > > comment = Home Directories > > browseable = no > > writable = yes > > [printers] > > comment = All Printers > > path = /var/spool/samba > > browseable = no > > guest ok = no > > writable = no > > printable = yes > > [share] > > comment = Share > > path = /share > > browseable = yes > > guest ok = no > > writable = yes > > valid users = admin > > > > Thanks > > Viji > > > > Viji V Nair ?????: > > Hi, > > I have done the modifications as suggested, but no luck, > getting the same error. > > # kinit admin > # ipa-addservice host/bmdata01.testing.com > > > > > # ipa-getkeytab -s viji.testing.com > > -p host/bmdata01.testing.com > > > -k > > /etc/krb5.keytab > > > Could you please elaborate the steps which you have done to > get it working on both the client and server side? > > Thanks > Viji > > On Tue, Dec 30, 2008 at 11:46 PM, Kozlov > > > > > > >>> > wrote: > > Hi, > > The minor comment is that kadmin is supposed to be > substituted with > ipa-addservice. 
> > The major comment is that you've missed ipa-getkeytab on > ipaserver > that actually SETS password that you then install on > winxp. > > And try to map all users to one: for example, > "* Administrator". > > Best regards, > > Kostya > > Viji V Nair ?????: > > Hi, > > Thank you for the information, I have tried all > these > steps, but > no success > > 1. On the IPA Server I have created a host principal > using the > following command. > > # kadmin -q "ank host/bmdata01.testing.com > > > > " > > > > 2. On the windows xp client > > C:> ksetup /setrealm TESTING.COM > > > > C:> ksetup /addkdc TESTING.COM > > > viji.bigmaps.com > > > > C:> ksetup /setmachpassword > C:> ksetup /mapuser admin at TESTING.COM > > > > > >> > > > > >>> guest > > C:> ksetup /mapuser * * > > After the above setup windows is showing > TESTING.COM > > as a > Kerberos > Realm on > > the login screen, but when I try to login using the > user name > "admin" it is throwing the following error. > > > "The system could not log you on. Make sure your > user > name and > domain are correct, and then type your password > again. > Letters > in passwords must be typed using the correct case." 
> > But the IPA (kerberos) server is issuing the > tickets, > the log shows: > > Dec 30 22:36:03 viji.testing.com > > > krb5kdc[5179](info): > AS_REQ > (7 etypes > {23 -133 -128 3 1 24 -135}) 172.16.33.112 > : NEEDED_PREAUTH: > admin at TESTING.COM > > > >> > > > > > >>> > > for krbtgt/TESTING.COM > > > @TESTING.COM > > , > Additional > > pre-authentication required > Dec 30 22:36:03 viji.testing.com > > > krb5kdc[5179](info): > AS_REQ > (3 etypes > {23 3 1}) 172.16.33.112 : > ISSUE: > authtime > 1230656763, etypes {rep=23 tkt=18 ses=23}, > admin at TESTING.COM > > > >> > > > > > >>> > > for krbtgt/TESTING.COM > > > @TESTING.COM > > > > Dec 30 22:36:03 viji.testing.com > > > krb5kdc[5179](info): > TGS_REQ > (7 etypes > {23 -133 -128 3 1 24 -135}) 172.16.33.112 > : ISSUE: authtime > 1230656763, etypes > {rep=23 tkt=18 ses=23}, admin at TESTING.COM > > > > >> > > > > > >>> > > for host/bmdata01.testing.com > > > @TESTING.COM > > > > > > I have found some article on Microsoft website, > saying > this is a > bug and apply the latest service pack (SP3), I even > tried that, > but no success. > > http://support.microsoft.com/kb/825081 > > Similar Thread: > > http://mailman.mit.edu/pipermail/kerberos/2006-May/009890.html > > Thanks & Regards > > Viji > > > On Mon, Dec 29, 2008 at 6:35 PM, Konstantin Kozlov > > > > > >> > > > > >>>> wrote: > > Hi, > > You can search the list for a similar thread and > here are the > steps > I've followed with success: > > Add host principal for winxp machine with the > encoding > des-cbc-crc > and passowrd (-P ioption for ipa-getkeytab). > Do not > store this > keytab in /etc/krb5.keytab but rather in some > other > file. > > Install MS Support Tools on WinXP, and run > > ksetup /setdomain ... > ksetup /addkdc ... > ksetup /setcomputerpassword ... > ksetup /mapuser * > > WinXP machine asks to login to Kerberos realm at > login screen. > > I failed to map one ipa-user to one win-user. > But may be > because I > didn't have enough time. 
If you will succeed > - leave > a note > here please. > > Best regards, > > Kostya > > Viji V Nair wrote: > > Hi, > > I am a new user of free-ipa, I have installed > the free-ipa > packages shipped with fedora 10. I have more > that 100 windows > clients to authenticate. Here is my problem, > > All the clients are XP SP2, I have > installed MIT > Kerberos for > Windows 3.2.2. Always the native windows > login > prompt appears > first, when i login to windows the kerberos > client is > asking for > authentication. > > I want to replace this windows authentication > with kerberos > > Any help on the same will be greatly > appreciated. > > Thanks > Viji > > > > ------------------------------------------------------------------------ > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > > > > > >> > > > > > >>> > > > > https://www.redhat.com/mailman/listinfo/freeipa-users > > > > -- Konstantin Kozlov > Department of Computational Biology, > Center for Advanced Studies, > SPb State Polytechnical University, > 195251, Polytechnicheskaya ul., 29, > bld 4, office 204, > St.Petersburg, Russia. > > Tel./fax: +7 812 596 2831 > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > > > > > >> > > > > > >>> > > > > https://www.redhat.com/mailman/listinfo/freeipa-users > > > > > > > ------------------------------------------------------------------------ > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > > > > https://www.redhat.com/mailman/listinfo/freeipa-users > > > > > From blikosar at redhat.com Mon Jan 5 04:29:03 2009 
From: blikosar at redhat.com (Brian Likosar)
Date: Sun, 04 Jan 2009 22:29:03 -0600
Subject: [Freeipa-users] IPA Solaris Clients
Message-ID: <49618C8F.5080500@redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I've tried with 4 different Solaris clients, but I can't seem to get IPA
to work following the documentation at
http://www.freeipa.org/page/ConfiguringSolarisClients. Each of the
following clients fails (as in, returns nothing) to the getent commands
suggested in section 4:

Solaris 8 SPARC
Solaris 9 SPARC
Solaris 10 SPARC
Solaris 10 x86

Is there something I'm doing wrong? Any ideas as to what I can
troubleshoot/what logs to look in? I don't actually see any requests
come to IPA at all when I perform the getent, but nsswitch.conf is
configured as specified in the link.

Any suggestions?

- -- 
Brian Likosar                 +1.224.627.8238
Solutions Architect           blikosar at redhat.com
Global Services               Red Hat, Inc.
GPG Key ID: 0x0FC7CAD4

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with Red Hat - http://enigmail.mozdev.org

iD8DBQFJYYyP1ix0cQ/HytQRAt9aAJ9FZVv+1PJSiY2oR5pD6vKVGvk0zQCfZzrQ
xEfgzxRMkh7+TmFpZjcj3aw=
=q/lg
-----END PGP SIGNATURE-----

From vijivijayakumar at gmail.com Mon Jan 5 05:42:51 2009
From: vijivijayakumar at gmail.com (Viji V Nair)
Date: Mon, 5 Jan 2009 11:12:51 +0530
Subject: [Freeipa-users] Windows Client Problem
In-Reply-To: <495FB00D.3070204@gmail.com>
References: <84c89ac10812270448j24d6ff44m5c31d5a0e938256b@mail.gmail.com>
	<4958CB1E.1050005@spbcas.ru>
	<84c89ac10812300915l5950aa26xf09a8949a0b1c272@mail.gmail.com>
	<495A656D.7000400@spbcas.ru>
	<84c89ac10812310046ie1fee75r8b636494c440ecc5@mail.gmail.com>
	<495B9530.2010703@spbcas.ru>
	<84c89ac10901010205x739c8b86jbfa6bf1227a8ec5d@mail.gmail.com>
	<495D0CDE.7050109@gmail.com>
	<84c89ac10901011236o52603ecau21a210144d1996dd@mail.gmail.com>
	<495FB00D.3070204@gmail.com>
Message-ID: <84c89ac10901042142q4026c74awd6c36c2e6768f6cd@mail.gmail.com>

Hi,

I got it working!!!!!!, I turned off windows firewall, synced all the
servers to a common ntp server!!!, it simply got added.

But, in windows still we need to create a local user with local
privileges to map the kerberos principal....

I could also see that ipa server already has the samba schema in the
directory server, can we follow the below documentation to get it
working as a PDC with IPA backend.

http://directory.fedoraproject.org/wiki/Howto:Samba

Thank you so much for all of your suggestions and support.

Thanks & Regards

Viji

On Sun, Jan 4, 2009 at 12:05 AM, Kozlov wrote:
> Hi,
>
> Puzzling...
>
> Did you try to put ipaserver and winxp box in /etc/hosts on both client and
> server?
>
> can you kinit from winxp?
>
> Best regards,
>
> Kostya

From mackoel at gmail.com Mon Jan 5 06:03:10 2009
From: mackoel at gmail.com (Kozlov) Date: Mon, 05 Jan 2009 09:03:10 +0300 Subject: [Freeipa-users] Windows Client Problem In-Reply-To: <84c89ac10901042142q4026c74awd6c36c2e6768f6cd@mail.gmail.com> References: <84c89ac10812270448j24d6ff44m5c31d5a0e938256b@mail.gmail.com> <4958CB1E.1050005@spbcas.ru> <84c89ac10812300915l5950aa26xf09a8949a0b1c272@mail.gmail.com> <495A656D.7000400@spbcas.ru> <84c89ac10812310046ie1fee75r8b636494c440ecc5@mail.gmail.com> <495B9530.2010703@spbcas.ru> <84c89ac10901010205x739c8b86jbfa6bf1227a8ec5d@mail.gmail.com> <495D0CDE.7050109@gmail.com> <84c89ac10901011236o52603ecau21a210144d1996dd@mail.gmail.com> <495FB00D.3070204@gmail.com> <84c89ac10901042142q4026c74awd6c36c2e6768f6cd@mail.gmail.com> Message-ID: <4961A29E.8010407@gmail.com> Hi, Congratulations! Samba3 can be a PDC with FDS backend without Kerberos (i.e IPA), though I didn't try such set up and don't know if anybody else did. But then you'll have users that correspond to winxp computers. Did you try to map individual ipauser to individual winxpuser? Best regards, Kostya Viji V Nair ?????: > Hi, > > I got it working!!!!!!, I turned off windows firewall, synced all the > servers to a common ntp server!!!, it simply got added. > > But, in windows stll we need to create a local user with local > privileges to map the kerberos principle.... > > I could also see that ipa server alrday have the samba schema in the > directory server, can we follow the below documentation to get it > working as a PDC with IPA backend. > > http://directory.fedoraproject.org/wiki/Howto:Samba > > Thank you so much for all of your suggestions and support. > > Thanks & Reagrds > > Viji > > > > On Sun, Jan 4, 2009 at 12:05 AM, Kozlov > wrote: > > Hi, > > Puzzling... > > Did you try to put ipaserver and winxp box in /etc/hosts on both > client and server? > > can you kinit from winxp? > > > Best regards, > > Kostya > > Viji V Nair ?????: > > Hi, > > I did the same, still having the same problem. 
I know that > samba is not needed for windowsxp to authenticate to freeIPA, > as I said kerberos was not working for me (still trying on it > with fresh windows client installation), so I have done a try > with samba (removed samba and did a fresh IPA installation). > Here are the exact steps I have followed. > > On the IPA Server. > > 1. Added host principal and set the password for the xp client > > # ipa-addservice host/bmdata01.testing.com > > # ipa-getkeytab -s viji.testing.com > -p host/bmdata01.testing.com > -e > des-cbc-crc -k krb5.keytab.txt -P (asked for the password) > > > 2. On the Client (Windows XP) > > a. Installed MIT kerberos windows client > > b. Created a user called ipauser > > c. Configured kerberos > > C:> ksetup /setrealm TESTING.COM > > C:> ksetup /addkdc TESTING.COM > viji.testing.com > > > C:> ksetup /setmachpassword > C:> ksetup /mapuser * ipauser > > d. Rebooted the machine, after the reboot windows is showing > "TESTING.COM > (Kerberos Realm)" in the login screen, but when I enter a > valid ipa user name it is throwing the following error. > > > "The system could not log you on. Make sure your user name > and domain are correct, and then type your password again. > Letters in passwords must be typed using the correct case." > > But the kerberos server issuing the tickets, I could see this > in logs. Dont know what happened, hope I did something wrong, > but not getting what went wrong and where. Your suggestions > are greatly appreciated. > > Thanks > Viji > > > On Fri, Jan 2, 2009 at 12:05 AM, Kozlov >> wrote: > > Hi, > > I know this document and had set up samba3 that way. > > The problem is samba3 can't use kerberos from winxp. No way > for now. > > Samba4 is in alpha stage, it uses ADS schema in LDAP and can't > work with FreeIPA. > > Samba is not needed for winxp to authenticate in freeipa. > > So if you need to authenticate winxp users in freeipa try to > follow the steps for setting up kerberos on winxp. 
> > Did you try the ipa-getkeytab with -e and -P? > > winxp needs that enctype and password to work with freeipa. > And it > worked for me and some people on this list. > > > Best regards, > > Kostya > > Viji V Nair ?????: > > Hi, > > Yes, my goal is to setup an Active Directory > substitution, but > not looking for a complete AD replacement. I really > don't want > to use windows active directory. In my organization > around 60% > of the users are using Linux as their desktop, > remaining 40% > is on windows XP SP3. > > I want to setup single sign on using free IPA, I found the > attached document on the internet, so I tried to setup > samba > as a client to freeIPA and autheticate windows clients to > samba and samba to freeIPA. (I tried this because I was > struggling with windows to authenticate to the kerberos) > > Please have a look at the attached document, I will try > your > suggestions and post the results. > > Wishing you all a Happy and peaceful NEW YEAR. > > Thanks & Regards > Viji > > On Wed, Dec 31, 2008 at 9:22 PM, Kozlov > > > > > >>> > wrote: > > Hi, > > I saw your posts on samba list :) > Is your goal to make the Active Directory substitution? > > Samba3 + FreeIPA won't work that way. Look for > explanations on > freeipa-users list. You either need Samba4 or no > kerberos > on Windows. > > However, samba3 can be used with FreeIPA as File Sharing > solution > and will use Single Sign On when you'll managed to setup > winxp for > IPA. > > > Best regards and Happy New Year! > > Kostya > > Viji V Nair ?????: > > Hi, > > > > I have setup samba as a PDC with kerberos and > ldap. While > adding > the windows > > clients I get the following error message on the > logs, and > windows says the > > user name and password is incorrect > > > > [2008/12/31 19:00:09, 0] > lib/util_sock.c:write_data(1059) > > [2008/12/31 19:00:09, 0] > lib/util_sock.c:get_peer_addr_internal(1607) > > getpeername failed. 
Error was Transport endpoint > is not > connected > > write_data: write failure in writing to client > 0.0.0.0. > Error > Connection > > reset by peer > > [2008/12/31 19:00:09, 0] > smbd/process.c:srv_send_smb(74) > > Error writing 4 bytes to client. -1. (Transport > endpoint is > not connected) > > > > Any help on the same will be gratly appreciated. > > > > # rpm -qa |grep samba > > samba-client-3.2.5-0.23.fc10.x86_64 > > samba-common-3.2.5-0.23.fc10.x86_64 > > samba-3.2.5-0.23.fc10.x86_64 > > samba-winbind-3.2.5-0.23.fc10.x86_64 > > > > # uname -a > > Linux viji.testing.com > > > > 2.6.27.7-134.fc10.x86_64 #1 SMP Mon Dec 1 22:21:35 > > EST 2008 x86_64 x86_64 x86_64 GNU/Linux > > > > # cat /etc/samba/smb.conf > > [global] > > workgroup = TESTING.COM > > > > > > server string = Samba Server Version %v > > security = user > > passdb backend = smbpasswd > > socket options = TCP_NODELAY > SO_RCVBUF=8192 > SO_SNDBUF=8192 > > os level = 33 > > domain logons = yes > > domain master = yes > > local master = yes > > preferred master = yes > > wins support = yes > > template shell = /bin/false > > realm = TESTING.COM > > > > > > use kerberos keytab = yes > > load printers = yes > > cups options = raw > > # log level = 3 passdb:5 auth:10 > > [homes] > > comment = Home Directories > > browseable = no > > writable = yes > > [printers] > > comment = All Printers > > path = /var/spool/samba > > browseable = no > > guest ok = no > > writable = no > > printable = yes > > [share] > > comment = Share > > path = /share > > browseable = yes > > guest ok = no > > writable = yes > > valid users = admin > > > > Thanks > > Viji > > > > Viji V Nair ?????: > > Hi, > > I have done the modifications as suggested, but > no luck, > getting the same error. 
> > > # kinit admin
> > > # ipa-addservice host/bmdata01.testing.com
> > > # ipa-getkeytab -s viji.testing.com -p host/bmdata01.testing.com -k /etc/krb5.keytab
> > >
> > > Could you please elaborate the steps which you have done to get it
> > > working on both the client and server side?
> > >
> > > Thanks
> > > Viji
> > >
> > > On Tue, Dec 30, 2008 at 11:46 PM, Kozlov wrote:
> > >
> > > > Hi,
> > > >
> > > > The minor comment is that kadmin is supposed to be substituted with
> > > > ipa-addservice.
> > > >
> > > > The major comment is that you've missed ipa-getkeytab on ipaserver
> > > > that actually SETS the password that you then install on winxp.
> > > >
> > > > And try to map all users to one: for example, "* Administrator".
> > > >
> > > > Best regards,
> > > >
> > > > Kostya
> > > >
> > > > Viji V Nair wrote:
> > > >
> > > > > Hi,
> > > > >
> > > > > Thank you for the information, I have tried all these steps, but
> > > > > no success.
> > > > >
> > > > > 1. On the IPA Server I have created a host principal using the
> > > > > following command.
> > > > >
> > > > > # kadmin -q "ank host/bmdata01.testing.com"
> > > > >
> > > > > 2. On the windows xp client
> > > > >
> > > > > C:> ksetup /setrealm TESTING.COM
> > > > > C:> ksetup /addkdc TESTING.COM viji.bigmaps.com
> > > > > C:> ksetup /setmachpassword
> > > > > C:> ksetup /mapuser admin at TESTING.COM guest
> > > > > C:> ksetup /mapuser * *
> > > > >
> > > > > After the above setup windows is showing TESTING.COM as a Kerberos
> > > > > Realm on the login screen, but when I try to login using the user
> > > > > name "admin" it is throwing the following error.
> > > > >
> > > > > "The system could not log you on. Make sure your user name and
> > > > > domain are correct, and then type your password again. Letters in
> > > > > passwords must be typed using the correct case."
> > > > >
> > > > > But the IPA (kerberos) server is issuing the tickets, the log
> > > > > shows:
> > > > >
> > > > > Dec 30 22:36:03 viji.testing.com krb5kdc[5179](info): AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 172.16.33.112: NEEDED_PREAUTH: admin at TESTING.COM for krbtgt/TESTING.COM at TESTING.COM, Additional pre-authentication required
> > > > > Dec 30 22:36:03 viji.testing.com krb5kdc[5179](info): AS_REQ (3 etypes {23 3 1}) 172.16.33.112: ISSUE: authtime 1230656763, etypes {rep=23 tkt=18 ses=23}, admin at TESTING.COM for krbtgt/TESTING.COM at TESTING.COM
> > > > > Dec 30 22:36:03 viji.testing.com krb5kdc[5179](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 172.16.33.112: ISSUE: authtime 1230656763, etypes {rep=23 tkt=18 ses=23}, admin at TESTING.COM for host/bmdata01.testing.com at TESTING.COM
> > > > >
> > > > > I have found some article on Microsoft website, saying this is a
> > > > > bug and apply the latest service pack (SP3), I even tried that,
> > > > > but no success.
> > > > >
> > > > > http://support.microsoft.com/kb/825081
> > > > >
> > > > > Similar Thread:
> > > > >
> > > > > http://mailman.mit.edu/pipermail/kerberos/2006-May/009890.html
> > > > >
> > > > > Thanks & Regards
> > > > >
> > > > > Viji
> > > > >
> > > > > On Mon, Dec 29, 2008 at 6:35 PM, Konstantin Kozlov wrote:
> > > > >
> > > > > > Hi,
> > > > > >
> > > > > > You can search the list for a similar thread and here are the
> > > > > > steps I've followed with success:
> > > > > >
> > > > > > Add host principal for winxp machine with the encoding
> > > > > > des-cbc-crc and password (-P option for ipa-getkeytab). Do not
> > > > > > store this keytab in /etc/krb5.keytab but rather in some other
> > > > > > file.
> > > > > >
> > > > > > Install MS Support Tools on WinXP, and run
> > > > > >
> > > > > > ksetup /setdomain ...
> > > > > > ksetup /addkdc ...
> > > > > > ksetup /setcomputerpassword ...
> > > > > > ksetup /mapuser *
> > > > > >
> > > > > > WinXP machine asks to login to Kerberos realm at login screen.
> > > > > >
> > > > > > I failed to map one ipa-user to one win-user. But may be because
> > > > > > I didn't have enough time. If you will succeed - leave a note
> > > > > > here please.
> > > > > >
> > > > > > Best regards,
> > > > > >
> > > > > > Kostya
> > > > > >
> > > > > > Viji V Nair wrote:
> > > > > >
> > > > > > > Hi,
> > > > > > >
> > > > > > > I am a new user of free-ipa, I have installed the free-ipa
> > > > > > > packages shipped with fedora 10. I have more than 100 windows
> > > > > > > clients to authenticate. Here is my problem,
> > > > > > >
> > > > > > > All the clients are XP SP2, I have installed MIT Kerberos for
> > > > > > > Windows 3.2.2. Always the native windows login prompt appears
> > > > > > > first, when I login to windows the kerberos client is asking
> > > > > > > for authentication.
> > > > > > >
> > > > > > > I want to replace this windows authentication with kerberos
> > > > > > >
> > > > > > > Any help on the same will be greatly appreciated.
> > > > > > >
> > > > > > > Thanks
> > > > > > > Viji
> > > > > >
> > > > > > --
> > > > > > Konstantin Kozlov
> > > > > > Department of Computational Biology,
> > > > > > Center for Advanced Studies,
> > > > > > SPb State Polytechnical University,
> > > > > > 195251, Polytechnicheskaya ul., 29,
> > > > > > bld 4, office 204,
> > > > > > St.Petersburg, Russia.
> > > > > >
> > > > > > Tel./fax: +7 812 596 2831
> > > > > >
> > > > > > _______________________________________________
> > > > > > Freeipa-users mailing list
> > > > > > Freeipa-users at redhat.com
> > > > > > https://www.redhat.com/mailman/listinfo/freeipa-users

From vijivijayakumar at gmail.com Mon Jan 5 07:43:19 2009
From: vijivijayakumar at gmail.com (Viji V Nair)
Date: Mon, 5 Jan 2009 13:13:19 +0530
Subject: [Freeipa-users] Windows Client Problem
In-Reply-To: <4961A29E.8010407@gmail.com>
References: <84c89ac10812270448j24d6ff44m5c31d5a0e938256b@mail.gmail.com> <495A656D.7000400@spbcas.ru> <84c89ac10812310046ie1fee75r8b636494c440ecc5@mail.gmail.com> <495B9530.2010703@spbcas.ru> <84c89ac10901010205x739c8b86jbfa6bf1227a8ec5d@mail.gmail.com> <495D0CDE.7050109@gmail.com> <84c89ac10901011236o52603ecau21a210144d1996dd@mail.gmail.com> <495FB00D.3070204@gmail.com> <84c89ac10901042142q4026c74awd6c36c2e6768f6cd@mail.gmail.com> <4961A29E.8010407@gmail.com>
Message-ID: <84c89ac10901042343h37797bb9ia38bf28d1aa9b799@mail.gmail.com>

Hi,

Not yet, I will try it today and let you know. I am also planning to have a
try with samba3+IPA backend

Thanks & Regards
Viji

On Mon, Jan 5, 2009 at 11:33 AM, Kozlov wrote:
> Hi,
>
> Congratulations!
>
> Samba3 can be a PDC with FDS backend without Kerberos (i.e IPA), though I
> didn't try such set up and don't know if anybody else did. But then you'll
> have users that correspond to winxp computers. Did you try to map individual
> ipauser to individual winxpuser?
>
> Best regards,
>
> Kostya
>
> Viji V Nair wrote:
>
>> Hi,
>>
>> I got it working!!!!!!, I turned off windows firewall, synced all the
>> servers to a common ntp server!!!, it simply got added.
>>
>> But, in windows still we need to create a local user with local privileges
>> to map the kerberos principal....
>>
>> I could also see that ipa server already has the samba schema in the
>> directory server, can we follow the below documentation to get it working as
>> a PDC with IPA backend.
>>
>> http://directory.fedoraproject.org/wiki/Howto:Samba
>>
>> Thank you so much for all of your suggestions and support.
>>
>> Thanks & Regards
>>
>> Viji
>>
>> On Sun, Jan 4, 2009 at 12:05 AM, Kozlov wrote:
>>
>> Hi,
>>
>> Puzzling...
>>
>> Did you try to put ipaserver and winxp box in /etc/hosts on both
>> client and server?
>>
>> can you kinit from winxp?
>>
>> Best regards,
>>
>> Kostya
>>
>> Viji V Nair wrote:
>>
>> Hi,
>>
>> I did the same, still having the same problem. I know that samba is not
>> needed for windowsxp to authenticate to freeIPA, as I said kerberos was
>> not working for me (still trying on it with fresh windows client
>> installation), so I have done a try with samba (removed samba and did a
>> fresh IPA installation). Here are the exact steps I have followed.
>>
>> On the IPA Server.
>>
>> 1. Added host principal and set the password for the xp client
>>
>> # ipa-addservice host/bmdata01.testing.com
>> # ipa-getkeytab -s viji.testing.com -p host/bmdata01.testing.com -e des-cbc-crc -k krb5.keytab.txt -P (asked for the password)
>>
>> 2. On the Client (Windows XP)
>>
>> a. Installed MIT kerberos windows client
>> b. Created a user called ipauser
>> c. Configured kerberos
>>
>> C:> ksetup /setrealm TESTING.COM
>> C:> ksetup /addkdc TESTING.COM viji.testing.com
>> C:> ksetup /setmachpassword
>> C:> ksetup /mapuser * ipauser
>>
>> d. Rebooted the machine, after the reboot windows is showing "TESTING.COM
>> (Kerberos Realm)" in the login screen, but when I enter a valid ipa user
>> name it is throwing the following error.
>>
>> "The system could not log you on. Make sure your user name and domain are
>> correct, and then type your password again. Letters in passwords must be
>> typed using the correct case."
>>
>> But the kerberos server is issuing the tickets, I could see this in logs.
>> Don't know what happened, hope I did something wrong, but not getting
>> what went wrong and where. Your suggestions are greatly appreciated.
>>
>> Thanks
>> Viji
>>
>> On Fri, Jan 2, 2009 at 12:05 AM, Kozlov wrote:
>>
>> Hi,
>>
>> I know this document and had set up samba3 that way.
>>
>> The problem is samba3 can't use kerberos from winxp. No way for now.
>>
>> Samba4 is in alpha stage, it uses ADS schema in LDAP and can't work with
>> FreeIPA.
>>
>> Samba is not needed for winxp to authenticate in freeipa.
>>
>> So if you need to authenticate winxp users in freeipa try to follow the
>> steps for setting up kerberos on winxp.
>>
>> Did you try the ipa-getkeytab with -e and -P?
>>
>> winxp needs that enctype and password to work with freeipa. And it worked
>> for me and some people on this list.
>>
>> Best regards,
>>
>> Kostya
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users

From rcritten at redhat.com Mon Jan 5 18:36:13 2009
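The krb5kdc lines Viji posted earlier in this thread carry the clue Kozlov was pointing at. The following is an added example written for this page; it is not part of FreeIPA, of Windows, or of anything the participants posted. It decodes the enctype numbers in MIT krb5kdc log lines and flags service tickets that a Windows XP machine cannot decrypt. The reading it encodes is this: in the TGS_REQ line the service ticket for host/bmdata01.testing.com is issued with tkt=18 (aes256-cts-hmac-sha1-96) although the client only ever offers DES and RC4 enctypes; Windows XP has no AES Kerberos support, so the workstation cannot decrypt a ticket for its own host principal, which is exactly why Kozlov's recipe creates the host key with -e des-cbc-crc and -P (a key the XP box can derive from the machine password). The sample log is reconstructed from the three posted lines with the archive's address obfuscation undone; the list of XP hosts and the XP enctype table are this example's own assumptions.

```python
"""Decode MIT krb5kdc log lines and flag service tickets a Windows XP host
cannot use.  Illustrative code written for this page, not FreeIPA's."""
import re
from dataclasses import dataclass

# Kerberos enctype numbers (RFC 3961, RFC 3962, RFC 4757).  Windows also
# advertises negative, Microsoft-private RC4 variants; they stay unnamed here.
ETYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
    24: "rc4-hmac-exp",
}

# Windows XP speaks DES and RC4 only; AES Kerberos enctypes arrived with
# Vista / Server 2008.  A ticket encrypted under an AES host key therefore
# cannot be decrypted by the XP machine at logon.
XP_SUPPORTED_ETYPES = {1, 3, 23, 24}

REQ_RE = re.compile(
    r"krb5kdc\[\d+\]\(info\): (?P<req>AS_REQ|TGS_REQ) "
    r"\(\d+ etypes \{(?P<offered>[^}]*)\}\) (?P<client>\S+): "
    r"(?P<status>\w+): (?P<rest>.*)$"
)
ISSUE_RE = re.compile(
    r"etypes \{rep=(?P<rep>-?\d+) tkt=(?P<tkt>-?\d+) ses=(?P<ses>-?\d+)\}, "
    r"(?P<princ>\S+) for (?P<service>\S+)"
)


def etype_name(etype):
    """Human-readable name for a Kerberos enctype number."""
    return ETYPE_NAMES.get(etype, f"etype {etype}")


def parse_kdc_line(line):
    """Parse one krb5kdc line into a dict; None for lines that are not requests."""
    m = REQ_RE.search(line)
    if not m:
        return None
    rec = {
        "req": m["req"],
        "client": m["client"],
        "status": m["status"],
        "offered": [int(e) for e in m["offered"].split()],
    }
    if rec["status"] == "ISSUE":
        i = ISSUE_RE.search(m["rest"])
        if i is None:
            return None
        rec.update(rep=int(i["rep"]), tkt=int(i["tkt"]), ses=int(i["ses"]),
                   princ=i["princ"], service=i["service"])
    return rec


@dataclass
class Finding:
    client: str
    service: str
    tkt_etype: int
    reason: str


def find_unusable_xp_tickets(lines, xp_hosts):
    """Return a Finding for each service ticket whose key is held by an XP
    machine (host/fqdn@REALM in xp_hosts, password set with ksetup) but whose
    ticket enctype XP cannot decrypt.  TGTs are skipped: only the KDC reads them."""
    findings = []
    for line in lines:
        rec = parse_kdc_line(line)
        if not rec or rec["req"] != "TGS_REQ" or rec["status"] != "ISSUE":
            continue
        if rec["service"] in xp_hosts and rec["tkt"] not in XP_SUPPORTED_ETYPES:
            findings.append(Finding(
                client=rec["client"], service=rec["service"], tkt_etype=rec["tkt"],
                reason=f"ticket encrypted with {etype_name(rec['tkt'])}; "
                       f"XP host keys must use one of "
                       f"{sorted(etype_name(e) for e in XP_SUPPORTED_ETYPES)}",
            ))
    return findings


# Constructed sample: the three lines posted in the thread, addresses restored.
SAMPLE_LOG = [
    "Dec 30 22:36:03 viji.testing.com krb5kdc[5179](info): AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 172.16.33.112: NEEDED_PREAUTH: admin@TESTING.COM for krbtgt/TESTING.COM@TESTING.COM, Additional pre-authentication required",
    "Dec 30 22:36:03 viji.testing.com krb5kdc[5179](info): AS_REQ (3 etypes {23 3 1}) 172.16.33.112: ISSUE: authtime 1230656763, etypes {rep=23 tkt=18 ses=23}, admin@TESTING.COM for krbtgt/TESTING.COM@TESTING.COM",
    "Dec 30 22:36:03 viji.testing.com krb5kdc[5179](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 172.16.33.112: ISSUE: authtime 1230656763, etypes {rep=23 tkt=18 ses=23}, admin@TESTING.COM for host/bmdata01.testing.com@TESTING.COM",
]

# Assumption: bmdata01 is the XP workstation whose host principal the thread creates.
XP_HOSTS = {"host/bmdata01.testing.com@TESTING.COM"}

if __name__ == "__main__":
    for f in find_unusable_xp_tickets(SAMPLE_LOG, XP_HOSTS):
        print(f"{f.client} -> {f.service}: {f.reason}")
```

Run against the sample it reports the host/bmdata01 ticket and nothing else: the TGT is also AES-encrypted, but only the KDC ever decrypts a TGT, so that is harmless. The rep=23 in the AS reply shows the user's own key was RC4, which XP handles fine; it is the host key that has to be in an enctype the workstation supports. Note that enctype is only one of the preconditions: the thread's final fix was an NTP sync and the Windows firewall, which this check cannot see in the KDC log.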
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 05 Jan 2009 13:36:13 -0500
Subject: [Freeipa-users] IPA Solaris Clients
In-Reply-To: <49618C8F.5080500@redhat.com>
References: <49618C8F.5080500@redhat.com>
Message-ID: <4962531D.3010005@redhat.com>

Brian Likosar wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> I've tried with 4 different Solaris clients, but I can't seem to get IPA
> to work following the documentation at
> http://www.freeipa.org/page/ConfiguringSolarisClients.
>
> Each of the following clients fails (as in, returns nothing) to the
> getent commands suggested in section 4:
> Solaris 8 SPARC
> Solaris 9 SPARC
> Solaris 10 SPARC
> Solaris 10 x86
>
> Is there something I'm doing wrong? Any ideas as to what I can
> troubleshoot/what logs to look in? I don't actually see any requests
> come to IPA at all when I perform the getent, but nsswitch.conf is
> configured as specified in the link.

Look in /var/ldap/ldap_client_file on a Solaris machine to verify that
the configuration is ok (you don't want to make manual changes here, they
will be lost).

See if you can contact the LDAP server using ldapsearch:

% ldapsearch -h ipa.example.com -b "dc=example,dc=com" uid=admin

If the connection fails see if you have a firewall in between (iptables
on Linux).

Logs to check are:

Solaris: /var/adm/messages
Linux: /var/log/dirsrv/slapd-INSTANCE/access

If the Solaris machine is issuing LDAP queries you'd see them in the FDS
access log eventually (there is a 30-second buffer by default).

rob

From blikosar at redhat.com Tue Jan 6 15:20:23 2009
From: blikosar at redhat.com (Brian Likosar)
Date: Tue, 06 Jan 2009 09:20:23 -0600
Subject: [Freeipa-users] IPA Solaris Clients
In-Reply-To: <4962531D.3010005@redhat.com>
References: <49618C8F.5080500@redhat.com> <4962531D.3010005@redhat.com>
Message-ID: <496376B7.70705@redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Rob Crittenden wrote:
> Look in /var/ldap/ldap_client_file on a Solaris machine to verify that
> the configuration is ok (you don't want to make manual changes here,
> they will be lost).

This file does not exist, nor is it referenced in the Client Config
documentation. Does Solaris not respect the /etc/ldap.conf file?

> See if you can contact the LDAP server using ldapsearch:
>
> % ldapsearch -h ipa.example.com -b "dc=example,dc=com" uid=admin

This worked perfectly.

> If the connection fails see if you have a firewall in between (iptables
> on Linux).
>
> Logs to check are:
>
> Solaris: /var/adm/messages
> Linux: /var/log/dirsrv/slapd-INSTANCE/access
>
> If the Solaris machine is issuing LDAP queries you'd see them in the FDS
> access log eventually (there is a 30-second buffer by default).

The only LDAP queries the Solaris machine makes are when I run the
ldapsearch command. I've followed the setup on the freeipa.org site, and
ldap[NOTFOUND=return] is included in /etc/nsswitch.conf, but it still
seems to make no calls to FDS. Any other ideas?

Thanks for the tips!

- --
Brian Likosar            +1.224.627.8238
Solutions Architect      blikosar at redhat.com
Global Services          Red Hat, Inc.
GPG Key ID: 0x0FC7CAD4
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with Red Hat - http://enigmail.mozdev.org

iD8DBQFJY3a31ix0cQ/HytQRAt8aAJ48DdBGW/YlB/DaEvm5xjErD0bV7gCfQMHZ
D2IMQ04gG20rMZO0JPj83KM=
=+drw
-----END PGP SIGNATURE-----

From rcritten at redhat.com Tue Jan 6 15:30:49 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 06 Jan 2009 10:30:49 -0500
Subject: [Freeipa-users] IPA Solaris Clients
In-Reply-To: <496376B7.70705@redhat.com>
References: <49618C8F.5080500@redhat.com> <4962531D.3010005@redhat.com> <496376B7.70705@redhat.com>
Message-ID: <49637929.1030605@redhat.com>

Brian Likosar wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Rob Crittenden wrote:
>> Look in /var/ldap/ldap_client_file on a Solaris machine to verify that
>> the configuration is ok (you don't want to make manual changes here,
>> they will be lost).
>
> This file does not exist, nor is it referenced in the Client Config
> documentation. Does Solaris not respect the /etc/ldap.conf file?

Ah, sorry. I incorrectly assumed you were using the native nss_ldap
instead of the PAM nss_ldap that we built. freeIPA v1.2 added support for
the native nss_ldap so our package isn't required any more.

Still, it should work. You did install the package using pkgadd, right?

>> See if you can contact the LDAP server using ldapsearch:
>>
>> % ldapsearch -h ipa.example.com -b "dc=example,dc=com" uid=admin
>
> This worked perfectly.

Ok, that's good to know.

>> If the connection fails see if you have a firewall in between (iptables
>> on Linux).
>>
>> Logs to check are:
>>
>> Solaris: /var/adm/messages
>> Linux: /var/log/dirsrv/slapd-INSTANCE/access
>>
>> If the Solaris machine is issuing LDAP queries you'd see them in the FDS
>> access log eventually (there is a 30-second buffer by default).
>
> The only LDAP queries the Solaris machine makes are when I run the
> ldapsearch command. I've followed the setup on the freeipa.org site,
> and ldap[NOTFOUND=return] is included in /etc/nsswitch.conf, but it
> still seems to make no calls to FDS. Any other ideas?

Hmm. Can you restart/kill nscd?

rob

From blikosar at redhat.com Tue Jan 6 15:35:43 2009
From: blikosar at redhat.com (Brian Likosar)
Date: Tue, 06 Jan 2009 09:35:43 -0600
Subject: [Freeipa-users] IPA Solaris Clients
In-Reply-To: <49637929.1030605@redhat.com>
References: <49618C8F.5080500@redhat.com> <4962531D.3010005@redhat.com> <496376B7.70705@redhat.com> <49637929.1030605@redhat.com>
Message-ID: <49637A4F.2080003@redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Rob Crittenden wrote:
> Ah, sorry. I incorrectly assumed you were using the native nss_ldap
> instead of the PAM nss_ldap that we built. freeIPA v1.2 added support
> for the native nss_ldap so our package isn't required any more.
>
> Still, it should work. You did install the package using pkgadd, right?

I did get it working by killing nscd, which is really odd as I'm certain
I've done that before. How embarrassing! Regardless, should I remove the
PAM nss_ldap that we provide? It might be worth updating the Client
Configuration guide to reflect that if it's no longer needed.

Thanks again for everything Rob!

- --
Brian Likosar            +1.224.627.8238
Solutions Architect      blikosar at redhat.com
Global Services          Red Hat, Inc.
GPG Key ID: 0x0FC7CAD4
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with Red Hat - http://enigmail.mozdev.org

iD8DBQFJY3pP1ix0cQ/HytQRAvs0AJ9SqsoapqRJ2gW4cOiYap5nPM50xQCeO5/F
dtin/CAh0hP2Q1AICSe6XTY=
=ksu0
-----END PGP SIGNATURE-----

From rcritten at redhat.com Tue Jan 6 17:43:03 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 06 Jan 2009 12:43:03 -0500
Subject: [Freeipa-users] IPA Solaris Clients
In-Reply-To: <49637A4F.2080003@redhat.com>
References: <49618C8F.5080500@redhat.com> <4962531D.3010005@redhat.com> <496376B7.70705@redhat.com> <49637929.1030605@redhat.com> <49637A4F.2080003@redhat.com>
Message-ID: <49639827.4050902@redhat.com>

Brian Likosar wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Rob Crittenden wrote:
>> Ah, sorry. I incorrectly assumed you were using the native nss_ldap
>> instead of the PAM nss_ldap that we built. freeIPA v1.2 added support
>> for the native nss_ldap so our package isn't required any more.
>>
>> Still, it should work. You did install the package using pkgadd, right?
>
> I did get it working by killing nscd, which is really odd as I'm certain
> I've done that before. How embarrassing! Regardless, should I remove
> the PAM nss_ldap that we provide? It might be worth updating the Client
> Configuration guide to reflect that if it's no longer needed.
>
> Thanks again for everything Rob!

Glad it's working. Sorry the documentation is a tad behind. I'll add
updating it to my list o' things to do.

rob

From millerdc at fusion.gat.com Thu Jan 8 02:39:04 2009
From: millerdc at fusion.gat.com (David Miller)
Date: Wed, 7 Jan 2009 18:39:04 -0800
Subject: [Freeipa-users] Host based access control and IPA
Message-ID: <7D541289-30D7-4951-AF20-1AC503707296@fusion.gat.com>

I'm trying to get host based access working. I followed the instructions
on doing host based access control. Here is the URL to the section to see
what I'm referring to.

http://freeipa.org/page/AdministratorsGuide#Configuring_Host-Based_Access_Control

I'm trying to limit which machines users can SSH into. I have a host setup
to only allow root, a group called managers, a group called theory, and
deny all at the end. What I'm finding is that if I create a user account
that is not a part of either of those groups it denies access like it
should. However, if I add the user to either of those groups after the
user has attempted to login, it still won't let them in if they try after
I add them to the group. If I create a new user and add said user to one
of those groups at creation time it will allow them in like it should.
After logging in once and removing the user from those groups it still
allows the user to log in later. The machine using host based access
control seems to be caching whether the user belongs to a group or not
the first time they attempt a login. How do you force the machine to
check the IPA server to see what groups the user belongs to each time
they attempt to SSH in?

Thanks.

From rcritten at redhat.com Thu Jan 8 02:49:18 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 07 Jan 2009 21:49:18 -0500
Subject: [Freeipa-users] Host based access control and IPA
In-Reply-To: <7D541289-30D7-4951-AF20-1AC503707296@fusion.gat.com>
References: <7D541289-30D7-4951-AF20-1AC503707296@fusion.gat.com>
Message-ID: <496569AE.5070201@redhat.com>

David Miller wrote:
> I'm trying to get host based access working. I followed the instructions
> on doing host based access control. Here is the URL to the section to
> see what I'm referring to.
>
> http://freeipa.org/page/AdministratorsGuide#Configuring_Host-Based_Access_Control
>
> I'm trying to limit which machines users can SSH into. I have a host
> setup to only allow root, a group called managers, a group called
> theory, and deny all at the end. What I'm finding is that if I create a
> user account that is not a part of either of those groups it denies
> access like it should. However, if I add the user to either of those
> groups after the user has attempted to login, it still won't let them in
> if they try after I add them to the group. If I create a new user and
> add said user to one of those groups at creation time it will allow them
> in like it should. After logging in once and removing the user from
> those groups it still allows the user to log in later. The machine using
> host based access control seems to be caching whether the user belongs
> to a group or not the first time they attempt a login. How do you force
> the machine to check the IPA server to see what groups the user belongs
> to each time they attempt to SSH in?

I would guess that nscd is the culprit here. It does both positive and
negative caching. Try restarting nscd on the client between changes and
it should do what you expect.

nscd can be annoying like this but it does help keep the LDAP load down.

If this really annoys you, you can:

- disable nscd on clients
- tune the positive and negative caches in /etc/nscd.conf on each client

nscd provides a lot of knobs to turn which is nice.

rob

From millerdc at fusion.gat.com Thu Jan 8 18:08:10 2009
From: millerdc at fusion.gat.com (David Miller) Date: Thu, 8 Jan 2009 10:08:10 -0800 Subject: [Freeipa-users] Host based access control and IPA In-Reply-To: <496569AE.5070201@redhat.com> References: <7D541289-30D7-4951-AF20-1AC503707296@fusion.gat.com> <496569AE.5070201@redhat.com> Message-ID: Rob, Thanks, disabling the cache for group in the nscd.conf did the trick. David. On Jan 7, 2009, at 6:49 PM, Rob Crittenden wrote: > David Miller wrote: >> I'm trying to get host based access working. I followed the >> instructions on doing host based access control. Here is the URL to >> the section to see what I'm referring to. >> http://freeipa.org/page/AdministratorsGuide#Configuring_Host-Based_Access_Control >> I'm trying to limit which machines users can SSH into. I have a >> host setup to only allow root, a group called managers, a group >> called theory, and deny all at the end. What I'm finding is that if >> I create a user account that is not apart of either of those groups >> it denies access like it should. However, if I add the user to >> either of those groups after the user has attempted to login, it >> still won't let them in if they try after I add them to the group. >> If I create a new user and add said user to one of those groups at >> creation time it will allow them in like it should. After logging >> in once and removing the user from those groups it still allows the >> user to log in later. The machine using host based access control >> seems to be caching whether the user belongs to a group or not the >> first time they attempt a login. How do you force the machine to >> check the IPA server to see what groups the user belongs to each >> time they attempt to SSH in? >> > > I would guess that nscd is the culprit here. It does both positive > and negative caching. Try restarting nscd on the client between > changes and it should do what you expect. > > nscd can be annoying like this but it does help keep the LDAP load > down. 
If this really annoys you you can: > > - disable nscd on clients > - tune the positive and negative caches in /etc/nscd.conf on each > client > > nscd provides a lot of knobs to turn which is nice. > > rob From ashay.humane at gmail.com Fri Jan 9 15:45:50 2009 From: ashay.humane at gmail.com (Ashay Humane) Date: Fri, 9 Jan 2009 10:45:50 -0500 Subject: [Freeipa-users] Restrict access to certain hosts Message-ID: <158e29890901090745g748090eby98322d4fb8aeb58b@mail.gmail.com> Hi List, Does FreeIPA have a feature to restrict users to certain hosts/hostgroups? If so, can this policy be fine grained? For example, if hostgroup1 contains host1, host2, host3, can we say: "Allow user1 to access all hosts in hostgroup1, except host2". Thanks, Ashay From rcritten at redhat.com Fri Jan 9 15:54:28 2009 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 09 Jan 2009 10:54:28 -0500 Subject: [Freeipa-users] Restrict access to certain hosts In-Reply-To: <158e29890901090745g748090eby98322d4fb8aeb58b@mail.gmail.com> References: <158e29890901090745g748090eby98322d4fb8aeb58b@mail.gmail.com> Message-ID: <49677334.7080900@redhat.com> Ashay Humane wrote: > Hi List, > > Does FreeIPA have a feature to restrict users to certain hosts/hostgroups? > If so, can this policy be fine grained? > > For example, if hostgroup1 contains host1, host2, host3, can we say: > "Allow user1 to access all hosts in hostgroup1, except host2". > > Thanks, > Ashay It is limited to a client-side control currently and is documented at http://freeipa.org/page/AdministratorsGuide#Configuring_Host-Based_Access_Control rob From fobeastic at yahoo.com Mon Jan 12 13:06:14 2009 
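As an added worked check, not something posted in the thread: a POSIX sh audit of the nscd.conf group-cache settings Rob and David discuss above (enable-cache, positive-time-to-live and negative-time-to-live for the group database), together with a corrected copy of the file that turns the group cache off. The sample nscd.conf is constructed for the example; the keyword names are the ones nscd.conf(5) uses.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): audit nscd's group cache.
# While a positive group entry sits in nscd's cache, a client-side host-based
# access rule keyed on group membership keeps using the stale answer until the
# TTL expires, which is the behaviour described in the thread above.

# nscd_group_setting FILE KEYWORD
# Print the value of "KEYWORD group VALUE" from an nscd.conf; the last
# occurrence wins, and "unset" is printed when the file has no such line.
nscd_group_setting() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }                 # skip comment lines
        $1 == key && $2 == "group" { v = $3 }     # keep the last occurrence
        END { print (v == "" ? "unset" : v) }
    ' "$1"
}

# nscd_group_cache_audit FILE
# Prints one line: STATE positive=<ttl> negative=<ttl>
# STATE is "disabled" (enable-cache group no), "enabled" (yes) or "unset"
# (no line present, so nscd's built-in default applies).
# Returns 0 only when the group cache is disabled, so the function can gate
# a configuration-management check.
nscd_group_cache_audit() {
    en=$(nscd_group_setting "$1" enable-cache)
    pos=$(nscd_group_setting "$1" positive-time-to-live)
    neg=$(nscd_group_setting "$1" negative-time-to-live)
    case "$en" in
        no)  state=disabled ;;
        yes) state=enabled ;;
        *)   state=unset ;;
    esac
    echo "$state positive=$pos negative=$neg"
    [ "$state" = disabled ]
}

# nscd_disable_group_cache IN OUT
# Write a copy of IN to OUT with the group cache turned off (the fix that
# worked for David), leaving the other databases untouched. If IN has no
# "enable-cache group" line at all, one is appended.
nscd_disable_group_cache() {
    awk '
        /^[[:space:]]*#/ { print; next }
        $1 == "enable-cache" && $2 == "group" {
            print "\tenable-cache\t\tgroup\t\tno"; seen = 1; next
        }
        { print }
        END { if (!seen) print "\tenable-cache\t\tgroup\t\tno" }
    ' "$1" > "$2"
}

# nscd_write_sample FILE
# Constructed sample in the style of the stock nscd.conf: group caching on,
# one-hour positive TTL. This is example data, not copied from any machine.
nscd_write_sample() {
    cat > "$1" <<'EOF'
#	logfile			/var/log/nscd.log
	enable-cache		passwd		yes
	positive-time-to-live	passwd		600
	enable-cache		group		yes
	positive-time-to-live	group		3600
	negative-time-to-live	group		60
	check-files		group		yes
EOF
}

# Stand-alone demo: NSCD_AUDIT_DEMO=1 sh this_script.sh
if [ "${NSCD_AUDIT_DEMO:-0}" = 1 ]; then
    tmp=$(mktemp); fixed=$(mktemp)
    nscd_write_sample "$tmp"
    nscd_group_cache_audit "$tmp" \
        || echo "group membership changes may take up to ${pos}s to be seen"
    nscd_disable_group_cache "$tmp" "$fixed"
    nscd_group_cache_audit "$fixed"
    rm -f "$tmp" "$fixed"
fi
```

Run the audit against /etc/nscd.conf on each client; an "enabled" verdict with a long positive TTL is exactly the window in which a user removed from a group keeps passing the access rule.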
From: fobeastic at yahoo.com (Peter Wolf)
Date: Mon, 12 Jan 2009 05:06:14 -0800 (PST)
Subject: [Freeipa-users] Radius Server install doesn't work
Message-ID: <957076.42733.qm@web32602.mail.mud.yahoo.com>

Hi all,

Just installed and configured FreeIPA 2 on a Fedora 10 x86 machine with yum. Everything seems to work fine, but I'm not able to install the RadiusServer. I used "yum install ipa-radius-*" and it installs all the modules, but when I run "ipa-radius-server" it says it doesn't have the plugin(s)! So it won't be installed.

In the repository there isn't a module of ipa-plugin(s). Has anyone already tried to install the Radius part of FreeIPA? Or does anyone know how I can install the Radius Server?

Fobe.

From dpal at redhat.com Mon Jan 12 15:30:16 2009
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 12 Jan 2009 10:30:16 -0500
Subject: [Freeipa-users] Radius Server install doesn't work
In-Reply-To: <957076.42733.qm@web32602.mail.mud.yahoo.com>
References: <957076.42733.qm@web32602.mail.mud.yahoo.com>
Message-ID: <496B6208.7060407@redhat.com>

Peter Wolf wrote:
> Hi all,
>
> Just installed and configured FreeIPA 2 on a Fedora 10 x86 machine with yum. Everything seems to work fine, but I'm not able to install the RadiusServer.
> I used "yum install ipa-radius-*" and it installs all the modules, but when I run "ipa-radius-server" it says it doesn't have the plugin(s)! So it won't be installed.
>
> In the repository there isn't a module of ipa-plugin(s). Has anyone already tried to install the Radius part of FreeIPA? Or does anyone know how I can install the Radius Server?
>
> Fobe.
>

Unfortunately the RADIUS portion has been deferred to later version(s). But you can install FreeRADIUS and configure it to use IPA. They won't be managed together from one interface, but they can be configured to work. We do not have special instructions since there are multiple ways they can be configured to work together, depending on the situation you have and what you are trying to accomplish.

Sorry for the inconvenience,

Thank you
Dmitri

From rcritten at redhat.com Mon Jan 12 15:53:38 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 12 Jan 2009 10:53:38 -0500
Subject: [Freeipa-users] Radius Server install doesn't work
In-Reply-To: <957076.42733.qm@web32602.mail.mud.yahoo.com>
References: <957076.42733.qm@web32602.mail.mud.yahoo.com>
Message-ID: <496B6782.1070804@redhat.com>

Peter Wolf wrote:
> Hi all,
>
> Just installed and configured FreeIPA 2 on a Fedora 10 x86 machine with yum. Everything seems to work fine, but I'm not able to install the RadiusServer.
> I used "yum install ipa-radius-*" and it installs all the modules, but when I run "ipa-radius-server" it says it doesn't have the plugin(s)! So it won't be installed.
>
> In the repository there isn't a module of ipa-plugin(s). Has anyone already tried to install the Radius part of FreeIPA? Or does anyone know how I can install the Radius Server?
>
> Fobe.

Unfortunately radius isn't getting a lot of attention right now. It was released as a tech-preview but we aren't actively working on it.

Another user reported a similar problem and a resolution was discussed in this thread: https://www.redhat.com/archives/freeipa-users/2008-October/msg00033.html

The python fix is:

--- a/ipa-radius-server/ipa-radius-install +++ b/ipa-radius-server/ipa-radius-install @@ -19,11 +19,12 @@ # import sys +sys.path.append("/usr/share/ipa/ipaserver") import traceback, logging, krbV from ipaserver import installutils -from ipaserver.plugins import radiusinstance +from plugins import radiusinstance from ipa import ipautil

That still isn't enough because the configuration we create doesn't work on F10. You have to comment out the INCLUDE snmp.conf among other things, and notably krb5 support seems to be missing!? The rlm-krb5 radius plugin doesn't seem to be included in the freeradius package.

rob

From viji at fedoraproject.org Mon Jan 12 16:17:09 2009
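Review bot: the hunk at @@ -19,11 +19,12 @@ hard-codes `sys.path.append("/usr/share/ipa/ipaserver")` at the top of the installer and then imports `radiusinstance` from a bare top-level `plugins` instead of `ipaserver.plugins`; that papers over the package not being found on the installed system, but it makes `plugins` a bare module name that any other `plugins` directory earlier on sys.path will shadow, and it moves the import problem out of packaging, where the real fix belongs. Consider keeping `from ipaserver.plugins import radiusinstance` and shipping `ipaserver/plugins` as a proper package in the installed tree, or at minimum appending the path only as a fallback inside a `try`/`except ImportError` so a correctly packaged install is unaffected; in either case a comment next to the `sys.path.append` saying why it is there would help the next reader.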
From: viji at fedoraproject.org (Viji V Nair)
Date: Mon, 12 Jan 2009 21:47:09 +0530
Subject: [Freeipa-users] RHEL 5 Compiling ipa-client (only) from source
Message-ID: <84c89ac10901120817o2e5d0358saab96622d5466b24@mail.gmail.com>

Hi,

I have done a manual compilation of ipa-client on an RHEL 5.2 x86_64 system. After struggling with a lot of errors I finally got it working by following the steps below.

Can anyone say whether there is anything wrong in my steps? Can I use the same steps to configure other clients also?

1. Download and uncompress the freeipa source, http://freeipa.org/downloads/src/freeipa-1.2.1.tar.gz

# tar -zxvf freeipa-1.2.1.tar.gz
# cd freeipa-1.2.1/ipa-client

2. I installed the following prerequisites after seeing the dependency errors.

# yum install autoconf automake pkgconfig.x86_64 libtool.x86_64 mozldap-devel.x86_64 krb5-devel.x86_64 openldap-devel.x86_64 python-ldap.x86_64

3. The system was complaining that there is no version.m4 file, so I copied it:

# cp version.m4.in version.m4

4. The system was telling me I should add the contents of /usr/share/aclocal/libtool.m4 to aclocal.m4, so I did:

# cat /usr/share/aclocal/libtool.m4 >> aclocal.m4

5. After this I compiled the source using the following commands.

# ./autogen.sh
# make
# make install

6. When I started ipa-client-install, it was showing so many missing python module errors, so I did the following steps to get rid of them.

a. Downloaded python-krbV-1.0.13-5.el5.x86_64.rpm from (http://download.fedora.redhat.com/pub/epel/5Server/x86_64/python-krbV-1.0.13-5.el5.x86_64.rpm) and installed it:

# rpm -ivh python-krbV-1.0.13-5.el5.x86_64.rpm

b. Manually built the other python modules.

# cd freeipa-1.2.1/ipa-python
# python setup.py.in build
# python setup.py.in install

c. Copied the required python modules to the actual location:

# cp -a /usr/local/lib/python2.4/site-packages/ipaclient /usr/lib64/python2.4/site-packages/

d. Finally I got a version error, which I fixed by hard-coding the version.

# cp version.py.in /usr/lib/python2.4/site-packages/ipa/version.py
# cat /usr/lib/python2.4/site-packages/ipa/version.py

#VERSION="__VERSION__"
VERSION="1.2.1"
#NUM_VERSION=__NUM_VERSION__
NUM_VERSION="1.2.1"

Thanks & Regards
Viji
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From rcritten at redhat.com Mon Jan 12 16:31:14 2009
From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 12 Jan 2009 11:31:14 -0500 Subject: [Freeipa-users] RHEL 5 Compiling ipa-client (only) from source In-Reply-To: <84c89ac10901120817o2e5d0358saab96622d5466b24@mail.gmail.com> References: <84c89ac10901120817o2e5d0358saab96622d5466b24@mail.gmail.com> Message-ID: <496B7052.8020007@redhat.com> Viji V Nair wrote: > Hi, > > I have done a manual compilation of ipa-client on an RHEL 5.2 x86_64 > system. After struggling with a lot of errors I finally got it working > by following the below steps. > > Can anyone suggest is there anything wrong in my steps? Can I use the > same steps to configure other clients also? You'd be better off using the attached patch. This will let you do a build from the top-level and avoid all the version problems. Plus it can build rpms for you. % make IPA_VERSION_IS_GIT_SNAPSHOT=no local-dist The rpms will be in dist/rpms rob > > 1. Download and un-compress freeipa source, > http://freeipa.org/downloads/src/freeipa-1.2.1.tar.gz > > # tar -zxvf freeipa-1.2.1.tar.gz > # cd freeipa-1.2.1/ipa-client > > 2. I have installed the following prerequisites after seeing the > dependency errors. > > # yum install autoconf automake pkgconfig.x86_64 libtool.x86_64 > mozldap-devel.x86_64 krb5-devel.x86_64 openldap-devel.x86_64 > python-ldap.x86_64 > > 3. System was complaining about there is no version.m4 file, so I did a > copy paste of > > # cp version.m4.in version.m4 > > 4. System was telling I should add the contents of > /usr/share/aclocal/libtool.m4 to aclocal.m4, so I did > > # cat /usr/share/aclocal/libtool.m4 >> aclocal.m4 > > 5. After this I have complied the source using the following commands. > > # ./autogen.sh > # make > # make install > > 6. When I started ipa-client-install, it was showing so many missing > python module errors, so I have done the following steps to get rid of it. > > a. 
Downloaded python-krbV-1.0.13-5.el5.x86_64.rpm from > (http://download.fedora.redhat.com/pub/epel/5Server/x86_64/python-krbV-1.0.13-5.el5.x86_64.rpm) > and installed > > # rpm -ivh python-krbV-1.0.13-5.el5.x86_64.rpm > > b. Manually build the other python modules. > > # cd freeipa-1.2.1/ipa-python > # python setup.py.in build > # python setup.py.in install > > c. Copied the required python modules to the actual location > > # cp -a /usr/local/lib/python2.4/site-packages/ipaclient > /usr/lib64/python2.4/site-packages/ > > d. Finally I got a version error, I have done a hard coding to fix it. > > # cp version.py.in > /usr/lib/python2.4/site-packages/ipa/version.py > # cat /usr/lib/python2.4/site-packages/ipa/version.py > > #VERSION="__VERSION__" > VERSION="1.2.1" > #NUM_VERSION=__NUM_VERSION__ > NUM_VERSION="1.2.1" > > Thanks & Regards > Viji > > > ------------------------------------------------------------------------ > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users -------------- next part -------------- A non-text attachment was scrubbed... Name: make.patch Type: text/x-patch Size: 4507 bytes Desc: not available URL: From viji at fedoraproject.org Mon Jan 12 17:08:20 2009 
From: viji at fedoraproject.org (Viji V Nair) Date: Mon, 12 Jan 2009 22:38:20 +0530 Subject: [Freeipa-users] RHEL 5 Compiling ipa-client (only) from source In-Reply-To: <496B7052.8020007@redhat.com> References: <84c89ac10901120817o2e5d0358saab96622d5466b24@mail.gmail.com> <496B7052.8020007@redhat.com> Message-ID: <84c89ac10901120908i6ddd70cbo392f199efcdaae25@mail.gmail.com> Hi, Worked for me Thanks Viji On Mon, Jan 12, 2009 at 10:01 PM, Rob Crittenden wrote: > Viji V Nair wrote: > >> Hi, >> >> I have done a manual compilation of ipa-client on an RHEL 5.2 x86_64 >> system. After struggling with a lot of errors I finally got it working by >> following the below steps. >> >> Can anyone suggest is there anything wrong in my steps? Can I use the same >> steps to configure other clients also? >> > > You'd be better off using the attached patch. This will let you do a build > from the top-level and avoid all the version problems. Plus it can build > rpms for you. > > % make IPA_VERSION_IS_GIT_SNAPSHOT=no local-dist > > The rpms will be in dist/rpms > > rob > > >> 1. Download and un-compress freeipa source, >> http://freeipa.org/downloads/src/freeipa-1.2.1.tar.gz >> >> # tar -zxvf freeipa-1.2.1.tar.gz >> # cd freeipa-1.2.1/ipa-client >> >> 2. I have installed the following prerequisites after seeing the >> dependency errors. >> >> # yum install autoconf automake pkgconfig.x86_64 libtool.x86_64 >> mozldap-devel.x86_64 krb5-devel.x86_64 openldap-devel.x86_64 >> python-ldap.x86_64 >> >> 3. System was complaining about there is no version.m4 file, so I did a >> copy paste of >> >> # cp version.m4.in version.m4 >> >> 4. System was telling I should add the contents of >> /usr/share/aclocal/libtool.m4 to aclocal.m4, so I did >> >> # cat /usr/share/aclocal/libtool.m4 >> aclocal.m4 >> >> 5. After this I have complied the source using the following commands. >> >> # ./autogen.sh >> # make >> # make install >> >> 6. 
When I started ipa-client-install, it was showing so many missing >> python module errors, so I have done the following steps to get rid of it. >> >> a. Downloaded python-krbV-1.0.13-5.el5.x86_64.rpm from ( >> http://download.fedora.redhat.com/pub/epel/5Server/x86_64/python-krbV-1.0.13-5.el5.x86_64.rpm) >> and installed >> >> # rpm -ivh python-krbV-1.0.13-5.el5.x86_64.rpm >> >> b. Manually build the other python modules. >> >> # cd freeipa-1.2.1/ipa-python >> # python setup.py.in build >> # python setup.py.in install >> >> c. Copied the required python modules to the actual location >> >> # cp -a /usr/local/lib/python2.4/site-packages/ipaclient >> /usr/lib64/python2.4/site-packages/ >> >> d. Finally I got a version error, I have done a hard coding to fix it. >> >> # cp version.py.in >> /usr/lib/python2.4/site-packages/ipa/version.py >> # cat /usr/lib/python2.4/site-packages/ipa/version.py >> >> #VERSION="__VERSION__" >> VERSION="1.2.1" >> #NUM_VERSION=__NUM_VERSION__ >> NUM_VERSION="1.2.1" >> >> Thanks & Regards >> Viji >> >> >> ------------------------------------------------------------------------ >> >> _______________________________________________ >> Freeipa-users mailing list >> Freeipa-users at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-users >> > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From viji at fedoraproject.org Tue Jan 13 05:25:47 2009 
From: viji at fedoraproject.org (Viji V Nair)
Date: Tue, 13 Jan 2009 10:55:47 +0530
Subject: [Freeipa-users] RHEL 5 Compiling ipa-client (only) from source
In-Reply-To: <455674.63660.qm@web32604.mail.mud.yahoo.com>
References: <84c89ac10901120817o2e5d0358saab96622d5466b24@mail.gmail.com> <496B7052.8020007@redhat.com> <84c89ac10901120908i6ddd70cbo392f199efcdaae25@mail.gmail.com> <455674.63660.qm@web32604.mail.mud.yahoo.com>
Message-ID: <84c89ac10901122125k102b6e15v9127818a46d56d66@mail.gmail.com>

Hi,

I could see that you have run "./make.patch"; this is not the right way. You have to patch the original Makefile with the attached patch:

# patch Makefile make.patch

(have a look at "man patch": patch [options] [originalfile [patchfile]])

then run

# make IPA_VERSION_IS_GIT_SNAPSHOT=no local-dist

Also FYI, Fedora 8, 9 & 10 ship all the IPA packages. You can do a yum install.

Thanks & Regards
Viji

On Tue, Jan 13, 2009 at 2:15 AM, Peter Wolf wrote:
> Hi,
> it's not working for me. I'm using Fedora 10 i386. I did the following:
>
> - I download the http://freeipa.org/downloads/src/freeipa-1.2.1.tar.gz and
> put it in a directory, I also install autoconf & automake.
> - uncompressed the downloaded file
> - go into the uncompressed directory and used the make.patch
> - I have attached the error log
>
> Also, F10 is not supported, is F9 i386 supported?
>
> Hopefully to hear from you soon,
>
> regards,
>
> Fobe
> ------------------------------
> *From:* Viji V Nair
> *To:* Rob Crittenden
> *Cc:* freeipa-users at redhat.com
> *Sent:* Monday, January 12, 2009 6:08:20 PM
> *Subject:* Re: [Freeipa-users] RHEL 5 Compiling ipa-client (only) from
> source
>
> Hi,
>
> Worked for me
>
> Thanks
> Viji
>
>
>
> On Mon, Jan 12, 2009 at 10:01 PM, Rob Crittenden wrote:
>
>> Viji V Nair wrote:
>>
>>> Hi,
>>>
>>> I have done a manual compilation of ipa-client on an RHEL 5.2 x86_64
>>> system. After struggling with a lot of errors I finally got it working by
>>> following the below steps.
>>> >>> Can anyone suggest is there anything wrong in my steps? Can I use the >>> same steps to configure other clients also? >>> >> >> You'd be better off using the attached patch. This will let you do a build >> from the top-level and avoid all the version problems. Plus it can build >> rpms for you. >> >> % make IPA_VERSION_IS_GIT_SNAPSHOT=no local-dist >> >> The rpms will be in dist/rpms >> >> rob >> >> >>> 1. Download and un-compress freeipa source, >>> http://freeipa.org/downloads/src/freeipa-1.2.1.tar.gz >>> >>> # tar -zxvf freeipa-1.2.1.tar.gz >>> # cd freeipa-1.2.1/ipa-client >>> >>> 2. I have installed the following prerequisites after seeing the >>> dependency errors. >>> >>> # yum install autoconf automake pkgconfig.x86_64 libtool.x86_64 >>> mozldap-devel.x86_64 krb5-devel.x86_64 openldap-devel.x86_64 >>> python-ldap.x86_64 >>> >>> 3. System was complaining about there is no version.m4 file, so I did a >>> copy paste of >>> >>> # cp version.m4.in version.m4 >>> >>> 4. System was telling I should add the contents of >>> /usr/share/aclocal/libtool.m4 to aclocal.m4, so I did >>> >>> # cat /usr/share/aclocal/libtool.m4 >> aclocal.m4 >>> >>> 5. After this I have complied the source using the following commands. >>> >>> # ./autogen.sh >>> # make >>> # make install >>> >>> 6. When I started ipa-client-install, it was showing so many missing >>> python module errors, so I have done the following steps to get rid of it. >>> >>> a. Downloaded python-krbV-1.0.13-5.el5.x86_64.rpm from ( >>> http://download.fedora.redhat.com/pub/epel/5Server/x86_64/python-krbV-1.0.13-5.el5.x86_64.rpm) >>> and installed >>> >>> # rpm -ivh python-krbV-1.0.13-5.el5.x86_64.rpm >>> >>> b. Manually build the other python modules. >>> >>> # cd freeipa-1.2.1/ipa-python >>> # python setup.py.in build >>> # python setup.py.in install >>> >>> c. 
Copied the required python modules to the actual location >>> >>> # cp -a /usr/local/lib/python2.4/site-packages/ipaclient >>> /usr/lib64/python2.4/site-packages/ >>> >>> d. Finally I got a version error, I have done a hard coding to fix it. >>> >>> # cp version.py.in >>> /usr/lib/python2.4/site-packages/ipa/version.py >>> # cat /usr/lib/python2.4/site-packages/ipa/version.py >>> >>> #VERSION="__VERSION__" >>> VERSION="1.2.1" >>> #NUM_VERSION=__NUM_VERSION__ >>> NUM_VERSION="1.2.1" >>> >>> Thanks & Regards >>> Viji >>> >>> >>> ------------------------------------------------------------------------ >>> >>> _______________________________________________ >>> Freeipa-users mailing list >>> Freeipa-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/freeipa-users >>> >> >> > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From rom at twister.dyndns.org Tue Jan 13 15:12:18 2009 
From: rom at twister.dyndns.org (Fred Wittekind) Date: Tue, 13 Jan 2009 10:12:18 -0500 Subject: [Freeipa-users] Radius Server install doesn't work In-Reply-To: <496B6782.1070804@redhat.com> References: <957076.42733.qm@web32602.mail.mud.yahoo.com> <496B6782.1070804@redhat.com> Message-ID: <496CAF52.3030907@twister.dyndns.org> Rob Crittenden wrote: > Peter Wolf wrote: >> Hi all, >> >> Just installed and configured FreeIPA 2 on a Fedora 10 x86 machine >> with yum. Everything seems to work fine but I'm not able to install >> the RadiusServer. >> I used "yum install ipa-radius-*" and installs all the modules but >> when I run "ipa-radius-server" it says it doesn't has the plugin(s)! >> So it won't be installed. >> >> In the repository there isn't a modile of ipa-plugin(s). Does has any >> one already tried to install the Radius-part of FreeIPA? Or does any >> one knows Ho can I can install the Radius Server? >> >> Fobe. > > Unfortunately radius isn't getting a lot of attention right now. It > was release as a tech-preview but we aren't actively working on it. > > Another user reported a similar problem and a resolution was discussed > in this thread: > https://www.redhat.com/archives/freeipa-users/2008-October/msg00033.html > > The python fix is: > > --- a/ipa-radius-server/ipa-radius-install > +++ b/ipa-radius-server/ipa-radius-install 
> @@ -19,11 +19,12 @@ > # > > import sys > +sys.path.append("/usr/share/ipa/ipaserver") > > import traceback, logging, krbV > > from ipaserver import installutils > -from ipaserver.plugins import radiusinstance > +from plugins import radiusinstance > > from ipa import ipautil > > That still isn't enough because the configuration we create doesn't > work on F10. You have to comment out the INCLUDE snmp.conf among other > things, and notably krb5 support seems to be missing!? The rlm-krb5 > radius plugin doesn't seem to be included in the freeradius package. On Fedora 9 & 10, there is a freeradius-krb5 package that includes the following files: /etc/raddb/modules/krb5 /usr/lib/freeradius/rlm_krb5-2.1.3.so /usr/lib/freeradius/rlm_krb5.so Fred > > rob > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > From email.marc at gmail.com Wed Jan 14 22:18:44 2009 
From: email.marc at gmail.com (Marc Richards) Date: Wed, 14 Jan 2009 17:18:44 -0500 Subject: [Freeipa-users] RHEL 5 Compiling ipa-client (only) from source Message-ID: <496E64C4.5060107@gmail.com> Rob Crittenden wrote: > Viji V Nair wrote: > > > Hi, > > > > I have done a manual compilation of ipa-client on an RHEL 5.2 > x86_64 system. After struggling with a lot of errors I finally got > it working by following the below steps. Can anyone suggest is > there anything wrong in my steps? Can I use the same steps to > configure other clients also? > > You'd be better off using the attached patch. This will let you do a > build from the top-level and avoid all the version problems. Plus it > can build rpms for you. > % make IPA_VERSION_IS_GIT_SNAPSHOT=no local-dist > > The rpms will be in dist/rpms > > rob > > Does this replace everything after step 2 or everything after step 4? Are there any plans to make client binaries available for download for systems other than Fedora? It would certainly make things easier for testing against existing systems. > 1. Download and un-compress freeipa source, > http://freeipa.org/downloads/src/freeipa-1.2.1.tar.gz > # tar -zxvf freeipa-1.2.1.tar.gz > # cd freeipa-1.2.1/ipa-client > > > 2. I have installed the following prerequisites after seeing the > dependency errors. # yum install autoconf automake pkgconfig.x86_64 > libtool.x86_64 mozldap-devel.x86_64 krb5-devel.x86_64 > openldap-devel.x86_64 python-ldap.x86_64 3. System was complaining > about there is no version.m4 file, so I did a copy paste of > # cp version.m4.in version.m4 > > > 4. System was telling I should add the contents of > /usr/share/aclocal/libtool.m4 to aclocal.m4, so I did > # cat /usr/share/aclocal/libtool.m4>> aclocal.m4 > > 5. After this I have complied the source using the following commands. > > # ./autogen.sh > # make > # make install > > > 6. 
When I started ipa-client-install, it was showing so many missing > python module errors, so I have done the following steps to get rid of > it. a. Downloaded python-krbV-1.0.13-5.el5.x86_64.rpm from > (http://download.fedora.redhat.com/pub/epel/5Server/x86_64/python-krbV-1.0.13-5.el5.x86_64.rpm) > and installed > # rpm -ivh python-krbV-1.0.13-5.el5.x86_64.rpm > > b. Manually build the other python modules. > > # cd freeipa-1.2.1/ipa-python > # python setup.py.in build > # python setup.py.in install > > c. Copied the required python modules to the actual location > > > # cp -a /usr/local/lib/python2.4/site-packages/ipaclient > /usr/lib64/python2.4/site-packages/ > d. Finally I got a version error, I have done a hard coding to fix it. > > > # cp version.py.in > /usr/lib/python2.4/site-packages/ipa/version.py > # cat /usr/lib/python2.4/site-packages/ipa/version.py > > #VERSION="__VERSION__" > VERSION="1.2.1" > #NUM_VERSION=__NUM_VERSION__ > NUM_VERSION="1.2.1" > > Thanks& Regards > Viji > -------------- next part -------------- An HTML attachment was scrubbed... URL: From rcritten at redhat.com Wed Jan 14 22:29:00 2009 
From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 14 Jan 2009 17:29:00 -0500 Subject: [Freeipa-users] RHEL 5 Compiling ipa-client (only) from source In-Reply-To: <496E64C4.5060107@gmail.com> References: <496E64C4.5060107@gmail.com> Message-ID: <496E672C.2080701@redhat.com> Marc Richards wrote: > Rob Crittenden wrote: >> Viji V Nair wrote: >> >> >> Hi, >> >> >> >> I have done a manual compilation of ipa-client on an RHEL 5.2 >> x86_64 system. After struggling with a lot of errors I finally got >> it working by following the below steps. Can anyone suggest is >> there anything wrong in my steps? Can I use the same steps to >> configure other clients also? >> >> You'd be better off using the attached patch. This will let you do a >> build from the top-level and avoid all the version problems. Plus it >> can build rpms for you. >> % make IPA_VERSION_IS_GIT_SNAPSHOT=no local-dist >> >> The rpms will be in dist/rpms >> >> rob >> >> > > Does this replace everything after step 2 or everything after step 4? Step 2. The new steps are: 1. Download and un-compress freeipa source, http://freeipa.org/downloads/src/freeipa-1.2.1.tar.gz % tar -zxvf freeipa-1.2.1.tar.gz % cd freeipa-1.2.1 2. Apply the patch % patch -p1 < /path/to/make.patch 3. Get the prerequisites yum -y install autoconf automake pkgconfig libtool mozldap-devel krb5-devel openldap-devel python-ldap You'll need to get python-krbV from EPEL (http://fedoraproject.org/wiki/EPEL) 4. Make rpms % make IPA_VERSION_IS_GIT_SNAPSHOT=no local-dist The rpms will be in dist/rpms > Are there any plans to make client binaries available for download for > systems other than Fedora? It would certainly make things easier for > testing against existing systems. We did our own Fedora builds before we got it accepted and the binaries were almost always woefully behind so I doubt it. Someone could probably use these instructions to get it built in EPEL though. rob > >> 1. 
Download and un-compress freeipa source, >> http://freeipa.org/downloads/src/freeipa-1.2.1.tar.gz >> # tar -zxvf freeipa-1.2.1.tar.gz >> # cd freeipa-1.2.1/ipa-client >> >> >> 2. I have installed the following prerequisites after seeing the >> dependency errors. # yum install autoconf automake pkgconfig.x86_64 >> libtool.x86_64 mozldap-devel.x86_64 krb5-devel.x86_64 >> openldap-devel.x86_64 python-ldap.x86_64 3. System was complaining >> about there is no version.m4 file, so I did a copy paste of >> # cp version.m4.in version.m4 >> >> >> 4. System was telling I should add the contents of >> /usr/share/aclocal/libtool.m4 to aclocal.m4, so I did >> # cat /usr/share/aclocal/libtool.m4 >> aclocal.m4 >> >> 5. After this I have complied the source using the following commands. >> >> # ./autogen.sh >> # make >> # make install >> >> >> 6. When I started ipa-client-install, it was showing so many missing >> python module errors, so I have done the following steps to get rid of >> it. a. Downloaded python-krbV-1.0.13-5.el5.x86_64.rpm from >> (http://download.fedora.redhat.com/pub/epel/5Server/x86_64/python-krbV-1.0.13-5.el5.x86_64.rpm) >> and installed >> # rpm -ivh python-krbV-1.0.13-5.el5.x86_64.rpm >> >> b. Manually build the other python modules. >> >> # cd freeipa-1.2.1/ipa-python >> # python setup.py.in build >> # python setup.py.in install >> >> c. Copied the required python modules to the actual location >> >> >> # cp -a /usr/local/lib/python2.4/site-packages/ipaclient >> /usr/lib64/python2.4/site-packages/ >> d. Finally I got a version error, I have done a hard coding to fix it. >> >> >> # cp version.py.in >> /usr/lib/python2.4/site-packages/ipa/version.py >> # cat /usr/lib/python2.4/site-packages/ipa/version.py >> >> #VERSION="__VERSION__" >> VERSION="1.2.1" >> #NUM_VERSION=__NUM_VERSION__ >> NUM_VERSION="1.2.1" >> >> Thanks & Regards >> Viji >> From email.marc at gmail.com Thu Jan 15 01:37:17 2009 
From: email.marc at gmail.com (Marc Richards) Date: Wed, 14 Jan 2009 20:37:17 -0500 Subject: [Freeipa-users] RHEL 5 Compiling ipa-client (only) from source In-Reply-To: <496E672C.2080701@redhat.com> References: <496E64C4.5060107@gmail.com> <496E672C.2080701@redhat.com> Message-ID: <496E934D.5030202@gmail.com> On 01/14/2009 5:29 PM, Rob Crittenden wrote: > Marc Richards wrote: >> Rob Crittenden wrote: >>> Viji V Nair wrote: >>> >>> Hi, >>> >>> >>> I have done a manual compilation of ipa-client on an RHEL 5.2 >>> x86_64 system. After struggling with a lot of errors I finally got >>> it working by following the below steps. Can anyone suggest is >>> there anything wrong in my steps? Can I use the same steps to >>> configure other clients also? >>> You'd be better off using the attached patch. This will let you do a >>> build from the top-level and avoid all the version problems. Plus it >>> can build rpms for you. >>> % make IPA_VERSION_IS_GIT_SNAPSHOT=no local-dist >>> >>> The rpms will be in dist/rpms >>> >>> rob >>> >> >> Does this replace everything after step 2 or everything after step 4? > > Step 2. The new steps are: > > 1. Download and un-compress freeipa source, > http://freeipa.org/downloads/src/freeipa-1.2.1.tar.gz > % tar -zxvf freeipa-1.2.1.tar.gz > % cd freeipa-1.2.1 > > 2. Apply the patch > % patch -p1 < /path/to/make.patch > > 3. Get the prerequisites > yum -y install autoconf automake pkgconfig libtool mozldap-devel > krb5-devel openldap-devel python-ldap > > You'll need to get python-krbV from EPEL > (http://fedoraproject.org/wiki/EPEL) > > 4. Make rpms > % make IPA_VERSION_IS_GIT_SNAPSHOT=no local-dist > > The rpms will be in dist/rpms > Thanks. I'll give that a shot. From rom at twister.dyndns.org Mon Jan 19 00:35:10 2009 
From: rom at twister.dyndns.org (Fred Wittekind)
Date: Sun, 18 Jan 2009 19:35:10 -0500
Subject: [Freeipa-users] dirsrv doesn't start after upgrade from Fedora 9 to Fedora 10
Message-ID: <4973CABE.8080501@twister.dyndns.org>

After an upgrade from Fedora 9 to Fedora 10, for some reason dirsrv won't start any more. I ran yum update to update all packages; I noticed fedora-ds-dsgw wouldn't update to the Fedora 10 version, so I did it manually as part of my troubleshooting as to why it wouldn't start.

Entered the following bug report: https://bugzilla.redhat.com/show_bug.cgi?id=480550

Any help / suggestions would be greatly appreciated.

Fred Wittekind
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: errors
URL:

From rcritten at redhat.com Mon Jan 19 03:41:38 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Sun, 18 Jan 2009 22:41:38 -0500
Subject: [Freeipa-users] dirsrv doesn't start after upgrade from Fedora 9 to Fedora 10
In-Reply-To: <4973CABE.8080501@twister.dyndns.org>
References: <4973CABE.8080501@twister.dyndns.org>
Message-ID: <4973F672.1070509@redhat.com>

Fred Wittekind wrote:
> After an upgrade from Fedora 9 to Fedora 10, for some reason dirsrv won't
> start any more. I ran yum update to update all packages; I noticed
> fedora-ds-dsgw wouldn't update to the Fedora 10 version, so I did it
> manually as part of my troubleshooting as to why it wouldn't start.
> Entered the following bug report:
> https://bugzilla.redhat.com/show_bug.cgi?id=480550
>
> Any help / suggestions would be greatly appreciated.

I think this is because of a db4 update in F10. Someone from the FDS team will respond to the bug you filed. There should be a relatively straightforward way to update the database environment.

rob

From daniel.nall at extension.org Mon Jan 19 16:15:37 2009
From: daniel.nall at extension.org (Daniel Nall)
Date: Mon, 19 Jan 2009 11:15:37 -0500
Subject: [Freeipa-users] The IPA XML-RPC service is not responding.
Message-ID: <86fe7d980901190815j4619a9a6qa08c3f45ce91e433@mail.gmail.com>

Hi all,

I seem to have run into some trouble that I have not been able to successfully troubleshoot. My IPA server is currently still correctly handling authentication requests; however, when I try to run any ipa related command (ex ipa-finduser) on the machine, it responds with: The IPA XML-RPC service is not responding.

I have not seen any helpful information that would give me a hint as to what is wrong with the machine in any of the system logs. Nothing has changed configuration-wise on the machine except for keeping the system's installed packages up to date. I know that the information I'm providing is vague at best, so if there's something specific I can reply with to help shed any light on this then please let me know.

Thanks,
Daniel

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From rcritten at redhat.com Mon Jan 19 16:27:50 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 19 Jan 2009 11:27:50 -0500
Subject: [Freeipa-users] The IPA XML-RPC service is not responding.
In-Reply-To: <86fe7d980901190815j4619a9a6qa08c3f45ce91e433@mail.gmail.com>
References: <86fe7d980901190815j4619a9a6qa08c3f45ce91e433@mail.gmail.com>
Message-ID: <4974AA06.8010005@redhat.com>

Daniel Nall wrote:
> Hi all,
>
> I seem to have run into some trouble that I have not been able to
> successfully troubleshoot. My IPA server is currently still correctly
> handling authentication requests, however, when I try to run any ipa
> related command (ex ipa-finduser) on the machine, it responds with : The
> IPA XML-RPC service is not responding.
>
> I have not seen any helpful information that would give me a hint as to
> what is wrong with the machine in any of the system logs. Nothing has
> changed configuration-wise on the machine except for keeping the systems
> installed packages up to date. I know that the information I'm providing
> is vague at best, so if there's something specific I can reply with to
> help shed any light on this then please let me know.
>

The XML-RPC service is being run by Apache. Make sure the httpd process is started. If it is started, run:

ipa-finduser -v admin

The -v will display the server it is trying to contact. Make sure it is the right one.

rob

From shunt at recordsreduction.com Thu Jan 22 16:37:35 2009
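The two checks Rob suggests above (is httpd up, and is the client talking to the right server) can be automated as a small probe. This is an added example, not code from the list or from the FreeIPA project: it assumes the FreeIPA 1.x endpoint path /ipa/xml behind Apache on the IPA server, and its demo() stands up a throwaway local XML-RPC server as a constructed stand-in for httpd so the verdicts can be seen without an IPA installation. A TCP connect first separates "httpd not running" (refused) and "wrong host name" (DNS) from application-level problems; then one real XML-RPC call distinguishes "right server, wrong path" (404) from a service that actually answers.

```python
"""Probe an IPA XML-RPC endpoint and say why it is not answering.

Added example, not code from the list or from the FreeIPA project. The
endpoint path /ipa/xml is an assumption; demo() uses a local XML-RPC
server as a constructed stand-in for Apache on the IPA server.
"""
import http.client
import socket
import ssl
import threading
import urllib.parse
import xmlrpc.client
import xmlrpc.server


def probe_xmlrpc(url, timeout=5.0):
    """Classify the reachability of an XML-RPC endpoint.

    Returns one of: 'responding', 'dns-failure', 'connection-refused',
    'timeout', 'connect-error', 'tls-error', 'http-<status>', 'protocol-error'.
    """
    parts = urllib.parse.urlsplit(url)
    host = parts.hostname
    port = parts.port or (443 if parts.scheme == "https" else 80)
    path = parts.path or "/"

    # Step 1: plain TCP connect, which isolates "httpd is not running"
    # (refused) and "wrong host name" (DNS) from application-level faults.
    try:
        socket.create_connection((host, port), timeout=timeout).close()
    except socket.gaierror:
        return "dns-failure"
    except ConnectionRefusedError:
        return "connection-refused"
    except socket.timeout:
        return "timeout"
    except OSError:
        return "connect-error"

    # Step 2: one real XML-RPC call. system.listMethods is the standard
    # introspection method; a Fault reply still proves the service answers.
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(host, port, timeout=timeout)
    body = xmlrpc.client.dumps((), methodname="system.listMethods")
    try:
        conn.request("POST", path, body=body, headers={"Content-Type": "text/xml"})
        resp = conn.getresponse()
        data = resp.read()
    except ssl.SSLError:
        return "tls-error"            # e.g. the IPA CA is not trusted by this client
    except (OSError, http.client.HTTPException):
        return "protocol-error"
    finally:
        conn.close()
    if resp.status != 200:
        return f"http-{resp.status}"  # 404: right server, wrong path; 401/403: auth layer
    try:
        xmlrpc.client.loads(data)
    except xmlrpc.client.Fault:
        return "responding"           # the service parsed and rejected the call
    except Exception:
        return "protocol-error"       # 200 OK but the body is not XML-RPC
    return "responding"


def _closed_port():
    """Find a loopback port nothing listens on (constructed 'httpd down' case)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo():
    """Run the three checks an operator compares: right URL, wrong path, service down."""
    server = xmlrpc.server.SimpleXMLRPCServer(("127.0.0.1", 0), logRequests=False)
    server.register_introspection_functions()  # provides system.listMethods
    threading.Thread(target=server.serve_forever, daemon=True).start()
    port = server.server_address[1]
    try:
        return {
            "right-url": probe_xmlrpc(f"http://127.0.0.1:{port}/RPC2"),
            "wrong-path": probe_xmlrpc(f"http://127.0.0.1:{port}/ipa/xml"),
            "httpd-down": probe_xmlrpc(f"http://127.0.0.1:{_closed_port()}/RPC2"),
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Against a real server you would call probe_xmlrpc with the URL that `ipa-finduser -v admin` prints, and compare the verdict with what the client reports: "connection-refused" points at httpd, "http-404" at a wrong path or virtual host, "tls-error" at the CA trust on the client.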
From: shunt at recordsreduction.com (Shane Hunt)
Date: Thu, 22 Jan 2009 08:37:35 -0800
Subject: [Freeipa-users] Do you dread moving the '08 files to make room for '09?
Message-ID: <200901221657.n0MGonvC000884@mx2.redhat.com>

Let us do it for you... FREE of charge. Records Reduction, Inc. is offering FREE pickup for new customers in January & February, 2009. In addition, we will also pull the files from the filing cabinets and box them at NO CHARGE! That's right, this year you will have to touch a file to get ready for '09 files. It's the perfect time for you to begin using our services.

Scanning - This is the best solution for files that you must keep long term, or that require a lot of retrievals. Records Reduction, Inc. will scan them in and provide a legal copy on disk. You can save the files on your system and have a networked imaging solution with no additional software.

Off site file storage - This is the most economical solution for files that you don't have to keep long term and for those that are rarely retrieved.

Shredding - If you have files that no longer have to be kept, let us pick them up and provide secure shredding. It's also a great solution for any documents that contain Names, Social Security Numbers, or other identifying information. We can do large purges, or provide secure bins for ongoing shredding.

Please call Shane Hunt @ 704-724-3313, or email shunt at recordsreduction.com for more information. www.recordsreduction.com

Electronic filing (scanning/imaging) is the best long-term storage solution for any files that you must keep long term, or if you do a lot of retrievals from them. Examples include, but are not limited to: Accounts Payable, Human Resources, Medical Charts, EOBs, Sales Files, Job Files, Accounts Receivable, Engineering Drawings, School Records, Educational Materials, Legal Files, Real Estate Files, Bill of Ladings, Workers Comp Files.

Which Service is Right for You?

Document Scanning
Document scanning is perfect for files that you must store for a long time - typically five years or greater. Also, if you have to do many retrievals, scanning will pay for itself by increasing efficiencies in the office. With scanning, there are no ongoing costs. You pay once and you have a legal copy of your business documents forever. Some examples where scanning makes sense include Accounts Payables, Job Files, Corporate Financials, Medical Files, Legal Files, Insurance Documents, Human Resources, etc. www.recordsreduction.com

Offsite Record Storage
Offsite document Storage is best for files that you do not have to keep forever, and do very little retrievals. Records Reduction, Inc. provides records storage, retrieval, delivery and pick-up services for companies in the Carolinas. Records are stored at our secure service center where our team members retrieve boxes or individual files as requested by our clients. Records are normally delivered the next day & emergency delivery options are also available. We can always retrieve the file, scan it and email or fax it to you within minutes. Records Reduction, Inc. will become an extension to your existing file room or storage area by providing:
- Secure, confidential document storage
- Efficient retrieval of records
- Next-day & emergency deliveries
- The highest level of customer service in the industry
We manage your records inventory through a computer software tracking system. Once records are entered into our database and placed into storage, our customers can simply call or email and have their files physically or electronically delivered. www.recordsreduction.com

Ongoing, Onsite Document Destruction
Identity theft is the fastest rising crime in America. Companies can be found liable if they do not protect information that can be used in identity theft. You can use our secure bins for paper that contains information that might be used for identity theft. Many companies now use the bins for ALL of their discarded paper - sensitive or not - simply because they know it will be recycled. It's just another way to help protect our planet! Records Reduction, Inc. provides FREE locked, secure containers for the storage of your confidential material while awaiting destruction. The containers are attractive and fit in well with all office environments. Our containers will segregate and secure sensitive materials in between our service visits. The containers are locked and can only be opened by authorized personnel, eliminating the chance of sensitive documents being made public or falling into the wrong hands. The locked containers will be picked up and placed in a secure document shredding system. In addition to paper document shredding services, Records Reduction provides secure destruction services for X-Rays, Computer Hard Drives, CDs, and Magnetic Media Tapes. www.recordsreduction.com

Bulk Purge Shredding Services
Companies file away storage boxes year after year. Often, they are kept long after their legal requirement. Shredding has become a necessary business service to not only comply with regulatory requirements but to protect your business, employees and customers from identity theft. Experts recommend that you shred most files as soon as it is legally permissible. Records Reduction, Inc. can provide onsite or offsite secure shredding services. www.recordsreduction.com

eDocHealth - Electronic Medical Records Solution
Enhance Patient Care, reduce cost of operations and increase revenues through eDocHealth. eDocHealth is a proven medical document management solution that instantly improves medical office document access as well as practice workflow by electronically scanning and filing your documents and making them accessible to your entire staff regardless of their location. When you minimize paper-based activity and work within a digital environment, you trim overhead costs by reducing reliance on paper, streamline workflow with quick access to information, and protect patient records with strict user-control. The burden of administrative and clinical documents in a medical practice is considerable. Busy offices lead to inaccessible administrative documents and charts; whether misplaced, lost, or in use by another staff member. Physician practices continue to seek a solution to reduce or eliminate the increasing volumes of paper within their organizations. The optimal product would eliminate the issues of overcrowded office space and storage facilities as well as the problems associated with paper medical records such as lost or misplaced patient charts, patient EOBs, etc. Medical staff and providers demand a user friendly HIPAA compliant solution that enhances patient care, and reduces cost of operations while increasing revenue and generating a rapid return on investment (ROI). eDocHealth is a cost-effective way to meet those needs, by automation of administrative and clinical documents management. eDocHealth does not force you to change your office workflow; instead, it can adapt to it or be configured for "best operational practices". eDocHealth can work in conjunction with your Practice Management software and Electronic Medical Records software (EMR/EHR). In most cases document management solutions are better suited to manage medical records than traditional EMR/EHR. It is a non fact that document management solutions have near 98% implementation success while traditional EMR/EHR solutions are more challenging endeavors. www.recordsreduction.com

PO Box 3322, Matthews, NC 28106
http://app.streamsend.com/private/tF8d/2bm/3KEYWN9/unsubscribe/2511712

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From rom at twister.dyndns.org Sat Jan 24 20:22:40 2009
From: rom at twister.dyndns.org (Fred Wittekind)
Date: Sat, 24 Jan 2009 15:22:40 -0500
Subject: [Freeipa-users] dirsrv doesn't start after upgrade from Fedora 9 to Fedora 10
In-Reply-To: <4973F672.1070509@redhat.com>
References: <4973CABE.8080501@twister.dyndns.org> <4973F672.1070509@redhat.com>
Message-ID: <497B7890.9070701@twister.dyndns.org>

Rob Crittenden wrote:
> Fred Wittekind wrote:
>> After an upgrade from Fedora 9 to Fedora 10, for some reason dirsrv
>> won't start any more. Ran yum update to update all packages, I
>> noticed fedora-ds-dsgw wouldn't update to the Fedora 10 version, so I
>> did it manually as part of my troubleshooting as to why it wouldn't
>> start.
>> Entered following bug report:
>> https://bugzilla.redhat.com/show_bug.cgi?id=480550
>>
>> Any help / suggestions would be greatly appreciated.
>
> I think this is because of a db4 update in F10. Someone from the FDS
> team will respond to the bug you filed. There should be a relatively
> straightforward way to update the database environment.
>
> rob
>

I think I'm pretty close to giving up on recovering the ldap database. Can it be recreated without reinstalling the IPA server, retaining my existing cert and keytabs? Or is my best bet to re-run the IPA install on the server, and on the client machines?

Fred

From Daniel.Domberger at it-austria.com Mon Jan 26 09:57:15 2009
From: Daniel.Domberger at it-austria.com (DOMBERGER Daniel)
Date: Mon, 26 Jan 2009 10:57:15 +0100
Subject: [Freeipa-users] host based access control on solaris
Message-ID: <17E165E51AB48F4785805D7429899B0B01651445@SRES1MXS5V1.res1.loc.lan.at>

Hi

Is there any way to control host access on a Solaris Client for IPA users? There seems to be no such thing as pam_access.so.

dan

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From rcritten at redhat.com Mon Jan 26 15:25:23 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 26 Jan 2009 10:25:23 -0500
Subject: [Freeipa-users] host based access control on solaris
In-Reply-To: <17E165E51AB48F4785805D7429899B0B01651445@SRES1MXS5V1.res1.loc.lan.at>
References: <17E165E51AB48F4785805D7429899B0B01651445@SRES1MXS5V1.res1.loc.lan.at>
Message-ID: <497DD5E3.4060106@redhat.com>

DOMBERGER Daniel wrote:
> Hi
>
> Is there any way to control host access on a Solaris Client for IPA
> users? There seems to be no such thing as pam_access.so.
>

Unfortunately we haven't been able to find a way either. We're working on it but won't be ready for a while.

rob

From n.gresham at manchester.ac.uk Thu Jan 29 16:55:44 2009
From: n.gresham at manchester.ac.uk (Nick Gresham)
Date: Thu, 29 Jan 2009 16:55:44 +0000
Subject: [Freeipa-users] Moving the master server
Message-ID: <4981DF90.2050109@manchester.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

I have a couple of machines running freeipa-1.2.1 in a master/replica set up. However the master server in this scenario is now out of warranty and needs to be retired.

I have another machine readied to assume its role (with a different hostname and ip number, however), or preferably, I could promote the existing replica to master.

There doesn't seem to be an easy way to accomplish this, short of starting again (which is not a practical option for me).

Can anyone give some advice? Thanks in advance,

Regards [NG]

- --
N.J. Gresham
FLS/IS AIO Systems Administration and Support
University of Manchester Faculty of Life Sciences
int: 7759349 ext: 0790-989-3684
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkmB34oACgkQoqZzfMI0UdlysACfVgkmmcd6ropbBBp2DwMzt5PI
fKEAnidVC8iASm4BghErmOf8D990iKdN
=STeb
-----END PGP SIGNATURE-----

From rcritten at redhat.com Thu Jan 29 17:15:19 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 29 Jan 2009 12:15:19 -0500
Subject: [Freeipa-users] Moving the master server
In-Reply-To: <4981DF90.2050109@manchester.ac.uk>
References: <4981DF90.2050109@manchester.ac.uk>
Message-ID: <4981E427.4040803@redhat.com>

Nick Gresham wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi,
>
> I have a couple of machines running freeipa-1.2.1 in a
> master/replica set up. However the master server in this scenario is
> now out of warranty and needs to be retired.
>
> I have another machine readied to assume its role (with a different
> hostname and ip number, however), or preferably, I could promote the
> existing replica to master.
>
> There doesn't seem to be an easy way to accomplish this, short of
> starting again (which is not a practical option for me).
>
> Can anyone give some advice? Thanks in advance,
>

The only difference between a replica and the initial IPA install (the "master") is that the first server owns the self-signed CA. You should be able to do this to make your "replica" the master:

- copy /var/lib/ipa/ca_serialno from master to replica

- import the CA into the replica DS NSS database with:

  # cd /etc/dirsrv/slapd-REALM
  # pk12util -i /path/to/cacert.p12 -d .

  The password on the PKCS#12 file is on the original server in /etc/dirsrv/slapd-REALM/pwdfile.txt as is the file cacert.p12 (which you backed up elsewhere too, right?)

- Delete the existing replication agreements:

  # ipa-replica-manage del master.example.com

Now you should have 2 identical IPA servers, neither of which know about each other. Shut down the old master and stand up the new box. Create a replica file on the newly promoted master and install that on the new box. You should be back in business.

Note: I haven't actually tried this but it should do the trick. Backups are always a good idea.

rob

From dqarras at yahoo.com Sat Jan 31 13:42:09 2009
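The promotion steps in Rob's reply above, wrapped in a few shell functions with the checks an operator would want before touching a production CA. This is an added example, not the list's or the FreeIPA project's code. It assumes cacert.p12, pwdfile.txt and ca_serialno have already been copied from the old master into a staging directory, that the DS instance on the replica lives under /etc/dirsrv/slapd-REALM as in the reply, and that pk12util/certutil (nss-tools) and ipa-replica-manage are installed; the pk12util -w/-k password-file options and the serial-number sanity check are the example's own additions. Sourcing the file only defines the functions; nothing changes on the host unless PROMOTE_RUN=1 is set.

```shell
#!/bin/sh
# promote_replica.sh: hypothetical helper scripting the replica-to-master steps
# (added example; not code from the list or from the FreeIPA project).
# Assumptions: cacert.p12, pwdfile.txt and ca_serialno were copied from the old
# master into STAGING_DIR; the replica's DS instance is /etc/dirsrv/slapd-$REALM;
# pk12util, certutil and ipa-replica-manage are installed.

# Fail with a reason unless $1 is a non-empty regular file.
require_file() {
    [ -s "$1" ] || { echo "missing or empty: $1" >&2; return 1; }
}

# Carry the CA serial counter over. The promoted server must continue the
# sequence rather than restart it, so refuse anything that is not one integer.
copy_serialno() {
    src="$1"; dst="$2"
    require_file "$src" || return 1
    case "$(tr -d '[:space:]' < "$src")" in
        ''|*[!0-9]*) echo "$src does not hold an integer serial number" >&2; return 1 ;;
    esac
    cp "$src" "$dst"
}

# Import the CA key and certificate into the replica's DS NSS database.
# -w names the file holding the PKCS#12 password, -k the NSS database
# password file; per the reply both are pwdfile.txt from the old master.
import_ca() {
    p12="$1"; pwdfile="$2"; dbdir="$3"
    require_file "$p12" || return 1
    require_file "$pwdfile" || return 1
    [ -d "$dbdir" ] || { echo "no DS instance directory: $dbdir" >&2; return 1; }
    command -v pk12util >/dev/null 2>&1 || { echo "pk12util not found" >&2; return 1; }
    pk12util -i "$p12" -d "$dbdir" -w "$pwdfile" -k "$pwdfile"
}

# Full procedure: main REALM OLD_MASTER_FQDN STAGING_DIR
main() {
    realm="${1:?realm}"; old_master="${2:?old master fqdn}"; staging="${3:?staging dir}"
    dbdir="/etc/dirsrv/slapd-$realm"
    copy_serialno "$staging/ca_serialno" /var/lib/ipa/ca_serialno || exit 1
    import_ca "$staging/cacert.p12" "$staging/pwdfile.txt" "$dbdir" || exit 1
    # List the database so the operator can confirm the CA entry is present
    # before the replication agreement is dropped.
    certutil -L -d "$dbdir"
    # Remove the agreement with the retiring master; both servers now stand alone.
    ipa-replica-manage del "$old_master"
}

# Sourcing the file only defines the functions; set PROMOTE_RUN=1 to execute.
if [ "${PROMOTE_RUN:-0}" = 1 ]; then
    main "$@"
fi
```

Run it as `PROMOTE_RUN=1 sh promote_replica.sh EXAMPLE.COM master.example.com /root/staging` on the replica; the serial-number check matters because a restarted counter would let the promoted CA reissue a serial already in use.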
From: dqarras at yahoo.com (Daniel Qarras)
Date: Sat, 31 Jan 2009 05:42:09 -0800 (PST)
Subject: [Freeipa-users] IPA/SASL Implementation
Message-ID: <683742.54263.qm@web36808.mail.mud.yahoo.com>

Hi!

I was reading the FreeIPA License page at

http://www.freeipa.org/page/License

and I found out the not-so-clear licensing terms of the Cyrus SASL package. This made me wonder: has it been considered to use the LGPL licensed GNU SASL in IPA instead of Cyrus SASL? GNU SASL pages are at:

http://www.gnu.org/software/gsasl/

This is more an academic question than a real issue with Cyrus SASL (at least for the moment) but I think simplifying licensing terms would always be beneficial.

Thanks!

From ssorce at redhat.com Sat Jan 31 15:34:26 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Sat, 31 Jan 2009 10:34:26 -0500
Subject: [Freeipa-users] IPA/SASL Implementation
In-Reply-To: <683742.54263.qm@web36808.mail.mud.yahoo.com>
References: <683742.54263.qm@web36808.mail.mud.yahoo.com>
Message-ID: <1233416066.30808.26.camel@localhost.localdomain>

On Sat, 2009-01-31 at 05:42 -0800, Daniel Qarras wrote:
> Hi!
>
> I was reading the FreeIPA License page at
>
> http://www.freeipa.org/page/License
>
> and I found out the not-so-clear licensing terms of Cyrus SASL
> package. This made me wonder has it been considered to use LGPL
> licensed GNU SASL in IPA instead of Cyrus SASL? GNU SASL pages are at:
>
> http://www.gnu.org/software/gsasl/
>
> This is more an academic question than a real issue with Cyrus SASL
> (at least for the moment) but I think simplifying licensing terms
> would always be beneficial.

We actually have not considered it, and we do not own all the components of FreeIPA that use SASL. But thanks for pointing it out, I will take a look at it.

Simo.

--
Simo Sorce * Red Hat, Inc * New York