From rcritten at redhat.com Mon Mar 2 18:27:02 2009 
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 02 Mar 2009 13:27:02 -0500
Subject: [Freeipa-users] new freeipa user
In-Reply-To: <90f6e8270902260709u3d6225f5v64d5fcfc1adb968f@mail.gmail.com>
References: <90f6e8270902251437y62c4f3f6le17cb5e859ef1739@mail.gmail.com> <49A60A94.8050601@redhat.com> <90f6e8270902260709u3d6225f5v64d5fcfc1adb968f@mail.gmail.com>
Message-ID: <49AC24F6.4070705@redhat.com>

Natxo Asenjo wrote:
> On Thu, Feb 26, 2009 at 4:20 AM, Rob Crittenden wrote:
>> Natxo Asenjo wrote:
>
>>> I have so far only run into a problem and that is the auto creation of
>>> home dirs on the first login. I used the authentication configuration
>>> gui from fedora10 on the ipaclient and checked the option to
>>> auto-create homedirs but that doesn't work. There is a selinux error:
>>>
>>> Feb 25 23:28:47 ipaclient01 setroubleshoot: SELinux is preventing sshd
>>> (sshd_t) "write" to ./home (home_root_t). For complete SELinux
>>> messages. run sealert -l 2f194ec1-0764-48b0-b66c-d84734105283
>>> apparently the pam_mkhomedir.so is not allowed to work with selinux.
>>> Any workarounds?
>> It would be helpful to see the sealert output for this error. We may be able
>> to include a generic fix in IPA, or pass this by the SELinux guys to see
>> what they think.
>
> ok, the output of sealert -l 2f194ec1-0764-48b0-b66c-d84734105283
>
> Summary:
>
> SELinux is preventing sshd (sshd_t) "write" to ./home (home_root_t).
>
> Detailed Description:
>
> SELinux denied access requested by sshd. The current boolean settings do not
> allow this access. If you have not setup sshd to require this access this may
> signal an intrusion attempt. If you do intend this access you need to change the
> booleans on this system to allow the access.
>
> Allowing Access:
>
> Confined processes can be configured to run requiring different access,
> SELinux provides booleans to allow you to turn on/off access as needed. The
> boolean allow_polyinstantiation is set incorrectly.
>
> Boolean Description:
> Allow login programs to use polyinstantiated directories.
>
> Fix Command:
> # setsebool -P allow_polyinstantiation 1
>
> Additional Information:
>
> Source Context                system_u:system_r:sshd_t:s0-s0:c0.c1023
> Target Context                system_u:object_r:home_root_t:s0
> Target Objects                ./home [ dir ]
> Source                        sshd
> Source Path                   /usr/sbin/sshd
> Port
> Host                          ipaclient01.virtual.local
> Source RPM Packages           openssh-server-5.1p1-3.fc10
> Target RPM Packages           filesystem-2.4.19-1.fc10
> Policy RPM                    selinux-policy-3.5.13-45.fc10
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   catchall_boolean
> Host Name                     ipaclient01.virtual.local
> Platform                      Linux ipaclient01.virtual.local 2.6.27.15-170.2.24.fc10.x86_64 #1 SMP Wed Feb 11 23:14:31 EST 2009 x86_64 x86_64
> Alert Count                   1
> First Seen                    Wed Feb 25 23:28:47 2009
> Last Seen                     Wed Feb 25 23:28:47 2009
> Local ID                      2f194ec1-0764-48b0-b66c-d84734105283
> Line Numbers
>
> Raw Audit Messages
>
> node=ipaclient01.virtual.local type=AVC msg=audit(1235600927.386:53): avc: denied { write } for pid=3055 comm="sshd" name="home" dev=dm-0 ino=211745 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
>
> node=ipaclient01.virtual.local type=SYSCALL msg=audit(1235600927.386:53): arch=c000003e syscall=83 success=no exit=-13 a0=173bd66 a1=1ed a2=21 a3=6a6e657361632f65 items=0 ppid=1870 pid=3055 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
>
> so I run:
> # setsebool -P allow_polyinstantiation 1
>
> And next time I tried login on the console through gdm:
>
> Feb 26 15:41:53 ipaclient01 setroubleshoot: SELinux is preventing gdm-session-wor (xdm_t) "write" to ./home (home_root_t). For complete SELinux messages. run sealert -l cf03e02d-4bdd-484d-bf6f-d70c553bdab8
>
> running sealert -l cf03e02d-4bdd-484d-bf6f-d70c553bdab8 provides a
> similar output but one substitutes sshd for gdm as source, obviously.
>
> There is another SElinux error in the log:
>
> Feb 26 15:46:34 ipaclient01 setroubleshoot: SELinux is preventing gdm-session-wor (xdm_t) "create" to ./casenjo (home_root_t). For complete SELinux messages. run sealert -l a104e0b3-0dc4-4dc7-ba6a-494b7ca070de
>
> Summary:
>
> SELinux is preventing gdm-session-wor (xdm_t) "create" to ./casenjo
> (home_root_t).
>
> Detailed Description:
>
> SELinux denied access requested by gdm-session-wor. It is not expected that this
> access is required by gdm-session-wor and this access may signal an intrusion
> attempt. It is also possible that the specific version or configuration of the
> application is causing it to require additional access.
>
> Allowing Access:
>
> Sometimes labeling problems can cause SELinux denials. You could try to restore
> the default system file context for ./casenjo,
>
> restorecon -v './casenjo'
>
> If this does not work, there is currently no automatic way to allow this access.
> Instead, you can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
>
> Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
> Target Context                system_u:object_r:home_root_t:s0
> Target Objects                ./casenjo [ dir ]
> Source                        gdm-session-wor
> Source Path                   /usr/libexec/gdm-session-worker
> Port
> Host                          ipaclient01.virtual.local
> Source RPM Packages           gdm-2.24.0-12.fc10
> Target RPM Packages
> Policy RPM                    selinux-policy-3.5.13-45.fc10
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   catchall_file
> Host Name                     ipaclient01.virtual.local
> Platform                      Linux ipaclient01.virtual.local 2.6.27.15-170.2.24.fc10.x86_64 #1 SMP Wed Feb 11 23:14:31 EST 2009 x86_64 x86_64
> Alert Count                   1
> First Seen                    Thu Feb 26 15:46:32 2009
> Last Seen                     Thu Feb 26 15:46:32 2009
> Local ID                      a104e0b3-0dc4-4dc7-ba6a-494b7ca070de
> Line Numbers
>
> Raw Audit Messages
>
> node=ipaclient01.virtual.local type=AVC msg=audit(1235659592.554:36): avc: denied { create } for pid=4301 comm="gdm-session-wor" name="casenjo" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
>
> node=ipaclient01.virtual.local type=SYSCALL msg=audit(1235659592.554:36): arch=c000003e syscall=83 success=no exit=-13 a0=7f577ce13bb6 a1=1ed a2=21 a3=8101010101010100 items=0 ppid=4174 pid=4301 auid=1100 uid=0 gid=1002 euid=0 suid=0 fsuid=0 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=4 comm="gdm-session-wor" exe="/usr/libexec/gdm-session-worker" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
>
> This time I cannot run restorecon -v './casenjo' because the folder
> ./casenjo simply does not exist; neither gdm nor sshd could
> autocreate them.
>
> I'd very much rather that selinux stayed enabled, obviously.
>
> Hope the output of sealert is helpful to you guys.
Ok, the selinux list is recommending using pam_oddjob-mkhomedir which is part of oddjobd, a d-bus service (http://people.redhat.com/nalin/oddjob/oddjob.html)

These are available in the Fedora repos.

rob

From dqarras at yahoo.com Wed Mar 4 20:39:53 2009
From: dqarras at yahoo.com (Daniel Qarras)
Date: Wed, 4 Mar 2009 12:39:53 -0800 (PST)
Subject: [Freeipa-users] IPA/SASL Implementation
In-Reply-To: <1233416066.30808.26.camel@localhost.localdomain>
Message-ID: <726330.33698.qm@web36806.mail.mud.yahoo.com>

Hi!

> > and I found out the not-so-clear licensing terms of Cyrus SASL
> > package. This made me wonder has it been considered to use LGPL
> > licensed GNU SASL in IPA instead of Cyrus SASL? GNU SASL pages
> > are at:
> >
> > http://www.gnu.org/software/gsasl/
>
> We actually have not considered it, and we do not own all the
> components of FreeIPA that uses SASL. But thanks for pointing out,
> I will take a look at it.

FWIW, I opened an RFE for Fedora to consolidate the world to GNU SASL [1], let's see what happens (no, I'm not holding my breath :-)

1) https://bugzilla.redhat.com/show_bug.cgi?id=488556

Cheers!

From dqarras at yahoo.com Wed Mar 4 20:51:14 2009
From: dqarras at yahoo.com (Daniel Qarras)
Date: Wed, 4 Mar 2009 12:51:14 -0800 (PST)
Subject: [Freeipa-users] Separation of NSS/PAM LDAP sein SSSD?
Message-ID: <889461.89969.qm@web36803.mail.mud.yahoo.com>

Hi,

upon stumbling across an ancient but IMHO still relevant RFE in RH Bugzilla I started to wonder whether SSSD will support separation of NSS and PAM LDAP servers?

https://bugzilla.redhat.com/show_bug.cgi?id=103568

Thanks!

From ssorce at redhat.com Wed Mar 4 23:30:01 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 04 Mar 2009 18:30:01 -0500
Subject: [Freeipa-users] IPA/SASL Implementation
In-Reply-To: <726330.33698.qm@web36806.mail.mud.yahoo.com>
References: <726330.33698.qm@web36806.mail.mud.yahoo.com>
Message-ID: <1236209401.19057.14.camel@localhost.localdomain>

On Wed, 2009-03-04 at 12:39 -0800, Daniel Qarras wrote:
> Hi!
>
> > > and I found out the not-so-clear licensing terms of Cyrus SASL
> > > package. This made me wonder has it been considered to use LGPL
> > > licensed GNU SASL in IPA instead of Cyrus SASL? GNU SASL pages
> > > are at:
> > >
> > > http://www.gnu.org/software/gsasl/
> >
> > We actually have not considered it, and we do not own all the
> > components of FreeIPA that uses SASL. But thanks for pointing out,
> > I will take a look at it.
>
> FWIW, I opened an RFE for Fedora to consolidate the world to GNU SASL [1], let's see what happens (no, I'm not holding my breath :-)
>
> 1) https://bugzilla.redhat.com/show_bug.cgi?id=488556

Thanks!

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Wed Mar 4 23:32:01 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 04 Mar 2009 18:32:01 -0500
Subject: [Freeipa-users] Separation of NSS/PAM LDAP sein SSSD?
In-Reply-To: <889461.89969.qm@web36803.mail.mud.yahoo.com>
References: <889461.89969.qm@web36803.mail.mud.yahoo.com>
Message-ID: <1236209521.19057.15.camel@localhost.localdomain>

On Wed, 2009-03-04 at 12:51 -0800, Daniel Qarras wrote:
> Hi,
>
> upon stumbling across an ancient but IMHO still relevant RFE in RH Bugzilla I started to wonder whether SSSD will support separation of NSS and PAM LDAP servers?
>
> https://bugzilla.redhat.com/show_bug.cgi?id=103568

We will certainly keep this in mind, thanks!

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From john at mintra.com Thu Mar 5 17:28:46 2009
From: john at mintra.com (John B. Adams)
Date: Thu, 5 Mar 2009 17:28:46 +0000 (GMT)
Subject: [Freeipa-users] Difficulty setting up free-ipa
In-Reply-To: <8463034.1561236273664581.JavaMail.root@zimtos.mintra.net>
Message-ID: <23941924.1581236274126847.JavaMail.root@zimtos.mintra.net>

Hi

I am a little concerned that it is really difficult for us mortals to check out free-ipa. Especially as I feel it will become a significant part of our work if it does what it says on the tin.

I tried last year on Fedora 10 which is becoming my standard platform for all things linux. I followed the setup instructions. I made a posting on 6th December 2008 listing the problems I was getting with the web browser and kerberos. We had another two attempts go after Dimitri kindly offered some suggestions. However we gave up.

We were encouraged in the new year when the Step by step howto appeared. But we are still unable to get a result.

Referring to the step by step howto our first hurdle was "The IPA server may show a conflict with mod_ssl package. IPA uses mod_nss in apache. You can remove mod_ssl for the time being"

1) How would we know if free-ipa was conflicting? Where would it show the conflict?
2) How would we remove mod_ssl if we identified the issue?

Anyway we ignored this, did an iptables -F (SE linux is enabled but I can turn it off) and went for the install with

ipa-server-install --setup-bind

In the listing of the install it says "disabling mod_ssl in httpd" so it looks like that gets done for us.
I do get "named service failed to start"

So we tried to edit the minimal named.conf as suggested; this is what we have

_____________________________________________________________________________________________________
[root at fedipa named]cat /etc/named.conf
options {
        query-source port 53;
        query-source-v6 port 53;
        // Put files that named is allowed to write in the data/ directory:
        directory "/var/named"; // the default
        dump-file "data/cache_dump.db";
        statistics-file "data/named_stats.txt";
        memstatistics-file "data/named_mem_stats.txt";
        /* Not used yet, support only on very recent bind versions */
        # tkey-gssapi-credential "DNS/fedipa.atmosi.com";
        # tkey-domain "ATMOSI.COM";
};

logging {
        /* If you want to enable debugging, eg. using the 'rndc trace' command,
         * By default, SELinux policy does not allow named to modify the /var/named directory,
         * so put the default debug log file in data/ :
         */
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";

zone "atmosi.com" {
        type master;
        file "atmosi.com.zone.db";
};

zone "251.168.192.in-addr.arpa" IN {
        type master;
        file "atmosi.com.zone.rev.db";
};
____________________________________________________________________________________________
[root at fedipa named]# cat atmosi.com.zone.db
$ORIGIN atmosi.com.
$TTL 86400
@       IN SOA  atmosi.com. root.atmosi.com. (
                01      ; serial
                3H      ; refresh
                15M     ; retry
                1W      ; expiry
                1D )    ; minimum

        IN NS   fedipa
fedipa  IN A    192.168.251.101

; ldap servers
_ldap._tcp              IN SRV 0 100 389 fedipa

;kerberos realm
_kerberos               IN TXT ATMOSI.COM

; kerberos servers
_kerberos._tcp          IN SRV 0 100 88 fedipa
_kerberos._udp          IN SRV 0 100 88 fedipa
_kerberos-master._tcp   IN SRV 0 100 88 fedipa
_kerberos-master._udp   IN SRV 0 100 88 fedipa
_kpasswd._tcp           IN SRV 0 100 464 fedipa
_kpasswd._udp           IN SRV 0 100 464 fedipa

;ntp server
_ntp._udp               IN SRV 0 100 123 fedipa
_______________________________________________________________________________________________________
[root at fedipa named]# cat atmosi.com.rev.db
$ORIGIN 251.168.192.in-addr.arpa.
$TTL 86400
@       IN SOA  atmosi.com. root.atmosi.com. (
                01      ; serial
                3H      ; refresh
                15M     ; retry
                1W      ; expiry
                1D )    ; minimum

        IN NS   ds.atmosi.com.
1       IN PTR  ds.atmosi.com.
_______________________________________________________________________________________________________
Both these files are in /var/named and have been copied to /var/named/chroot/var/named

When we restart named we get:

service named start
Starting named:
Error in named configuration:
zone localhost.localdomain/IN: loaded serial 0
zone localhost/IN: loaded serial 0
zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: NS '1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa' has no address records (A or AAAA)
zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
zone 1.0.0.127.in-addr.arpa/IN: NS '1.0.0.127.in-addr.arpa' has no address records (A or AAAA)
zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
zone 0.in-addr.arpa/IN: NS '0.in-addr.arpa' has no address records (A or AAAA)
zone 0.in-addr.arpa/IN: loaded serial 0
zone atmosi.com/IN: loaded serial 1
zone 251.168.192.in-addr.arpa/IN: loading from master file atmosi.com.zone.rev.db failed: file not found
_default/251.168.192.in-addr.arpa/IN: file not found
[FAILED]
_________________________________________________________________________________________________________

I notice in our original setup it says:

Installing : ipa-server 64/64
Missing Certification Authority file.
You should place a copy of the CA certificate in /usr/share/ipa/html/ca.crt

So this may cause some issues. Where do I get the CA certificates from? Do I have to self-sign a certificate or something, or buy one?

I usually configure linux machines with webmin so my interaction with BIND is well serviced by that webmin module; I am a little hopeless when it comes to certificates.

Any help to get past these hurdles would be most welcome.

Thanks
John Adams
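As an added example (my own code, not from the thread and not part of IPA): a checker that parses a named.conf like the one above, resolves each master/hint zone's file relative to options { directory } (and under a chroot when named runs chrooted, as in the /var/named/chroot layout mentioned above), and reports zone files that do not exist, suggesting the closest name that does. On the sample it reports the one file the named start error above complains about and lists atmosi.com.rev.db as the nearest existing file. The sample config is the zone-related part of John's; the file listing is constructed from his cat commands, with named.ca assumed present.

```python
import os
import re
from dataclasses import dataclass, field
from difflib import get_close_matches
from typing import Dict, List, Optional

# Constructed sample: the zone-related parts of the named.conf posted above.
SAMPLE_NAMED_CONF = """\
options {
    query-source port 53;
    directory "/var/named";  // the default
    dump-file "data/cache_dump.db";
    /* Not used yet, support only on very recent bind versions */
    # tkey-gssapi-credential "DNS/fedipa.atmosi.com";
};
zone "." IN {
    type hint;
    file "named.ca";
};
include "/etc/named.rfc1912.zones";
zone "atmosi.com" {
    type master;
    file "atmosi.com.zone.db";
};
zone "251.168.192.in-addr.arpa" IN {
    type master;
    file "atmosi.com.zone.rev.db";
};
"""

# Constructed: the files the 'cat' commands above show in /var/named
# (named.ca is assumed to come from the Fedora bind package).
SAMPLE_PRESENT = {
    "/var/named/named.ca",
    "/var/named/atmosi.com.zone.db",
    "/var/named/atmosi.com.rev.db",
}

COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.S)
DIRECTORY_RE = re.compile(r'\bdirectory\s+"([^"]+)"')
ZONE_RE = re.compile(r'zone\s+"([^"]+)"\s*(?:IN\s*)?\{(.*?)\}', re.S)
FILE_RE = re.compile(r'\bfile\s+"([^"]+)"')
TYPE_RE = re.compile(r"\btype\s+(\w+)")
INCLUDE_RE = re.compile(r'\binclude\s+"([^"]+)"')


@dataclass
class MissingZoneFile:
    zone: str
    path: str
    candidates: List[str] = field(default_factory=list)


def parse_named_conf(text: str) -> dict:
    """Extract options.directory, a zone -> {type, file} map, and include paths.
    Comments (/* */, // and #) are stripped first; includes are listed, not followed."""
    text = COMMENT_RE.sub("", text)
    m = DIRECTORY_RE.search(text)
    zones: Dict[str, Dict[str, Optional[str]]] = {}
    for name, body in ZONE_RE.findall(text):
        f = FILE_RE.search(body)
        t = TYPE_RE.search(body)
        zones[name] = {"type": t.group(1) if t else None,
                       "file": f.group(1) if f else None}
    return {"directory": m.group(1) if m else ".",
            "zones": zones,
            "includes": INCLUDE_RE.findall(text)}


def check_zone_files(conf_text: str, present: set, chroot: str = "") -> List[MissingZoneFile]:
    """Report every master/hint zone whose file is absent. `present` is the set of
    absolute paths that exist (os.path.exists in real use); `chroot` is prefixed
    to each resolved path when named runs chrooted."""
    conf = parse_named_conf(conf_text)
    existing_names = [os.path.basename(p) for p in present]
    problems = []
    for zone, z in conf["zones"].items():
        if z["type"] not in ("master", "hint") or z["file"] is None:
            continue  # slave/forward zones need no pre-existing file
        path = z["file"]
        if not path.startswith("/"):
            path = os.path.join(conf["directory"], path)
        full = chroot.rstrip("/") + path if chroot else path
        if full in present:
            continue
        # A near-miss points at a typo between named.conf and the file actually created
        candidates = get_close_matches(os.path.basename(path), existing_names, n=3, cutoff=0.6)
        problems.append(MissingZoneFile(zone, full, candidates))
    return problems


if __name__ == "__main__":
    for p in check_zone_files(SAMPLE_NAMED_CONF, SAMPLE_PRESENT):
        print(f'zone "{p.zone}": file {p.path} not found; similar files: {p.candidates}')
```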
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 05 Mar 2009 15:22:19 -0500
Subject: [Freeipa-users] Difficulty setting up free-ipa
In-Reply-To: <23941924.1581236274126847.JavaMail.root@zimtos.mintra.net>
References: <23941924.1581236274126847.JavaMail.root@zimtos.mintra.net>
Message-ID: <49B0347B.8080808@redhat.com>

John B. Adams wrote:
> Hi
>
> I am a little concerned that it is really difficult for us mortals to check out free-ipa. Especially as I feel it will become a significant part of our work if it does what it says on the tin.
>
> I tried last year on Fedora 10 which is becoming my standard platform for all things linux. I followed the setup instructions. I made a posting on 6th December 2008 listing the problems I was getting with the web browser and kerberos. We had another two attempts go after Dimitri kindly offered some suggestions. However we gave up.

I'm sorry you had problems. I'll see if I can help you.

> We were encouraged in the new year when the Step by step howto appeared. But we are still unable to get a result.
>
> Referring to the step by step howto our first hurdle was "The IPA server may show a conflict with mod_ssl package. IPA uses mod_nss in apache. You can remove mod_ssl for the time being"
>
> 1) How would we know if free-ipa was conflicting? Where would it show the conflict?
> 2) How would we remove mod_ssl if we identified the issue?

The assumption, apparently a bad one, is that the user is familiar with Fedora package upgrade and management.

The conflict is in the package itself. You cannot install the ipa-server package if mod_ssl is installed (unless you explicitly force it).

To remove mod_ssl you can do either (as root):

# rpm -e mod_ssl
# yum erase mod_ssl

mod_nss and mod_ssl both provide SSL services to Apache. We chose to go with mod_nss. Normally mod_nss and mod_ssl can coexist peacefully if they are using unique ports. The reason for the conflict is that if mod_ssl is loaded then the Apache module that does proxying (mod_proxy) will use the mod_ssl crypto routines instead of the mod_nss crypto routines. So by merely being loaded mod_ssl will cause UI failures, so we do what we can to make sure mod_ssl isn't on the system at all.

> Anyway we ignored this, did an iptables -F (SE linux is enabled but I can turn it off) and went for the install with
>
> ipa-server-install --setup-bind
>
> In the listing of the install it says "disabling mod_ssl in httpd" so it looks like that gets done for us.

This was the original method we used to disable mod_ssl. It renames the configuration file. The problem is that the next time the package is updated the package manager says "oh, I can write a new configuration file" which will then cause the IPA UI to start failing.

> I do get "named service failed to start"
>
> So we tried to edit the minimal named.conf as suggested; this is what we have

Our bind support is experimental at this point though your issue seems related directly to basic bind configuration. I'm not sure what the issue is though it seems to simply not be able to find the file it is looking for. I'm not sure why.

> I notice in our original setup it says:
>
> Installing : ipa-server 64/64
> Missing Certification Authority file.
> You should place a copy of the CA certificate in /usr/share/ipa/html/ca.crt

Looks like a bug, this can be ignored. Some previous versions of IPA didn't place a copy of the self-signed CA into /usr/share/ipa/html and we were trying to catch that on upgrades. Apparently this can also be displayed on an initial install which is confusing. I've filed a bug.

> So this may cause some issues. Where do I get the CA certificates from? Do I have to self-sign a certificate or something,
> or buy one?

By default, when you run ipa-server-install it will generate a self-signed CA which will issue all the necessary certificates. You can optionally provide your own certificates. See ipa-server-install --help for all the options.

> I usually configure linux machines with webmin so my interaction with BIND is well serviced by that webmin module; I am a little hopeless
> when it comes to certificates.

If you let IPA generate its own CA the only issue is having your clients trust it (this is one of the reasons that we check that the CA file is installed in the proper location).

> Any help to get past these hurdles would be most welcome.

Hope this helps.

regards

rob

From natxo.asenjo at gmail.com Fri Mar 6 08:00:26 2009
From: natxo.asenjo at gmail.com (Natxo Asenjo)
Date: Fri, 6 Mar 2009 09:00:26 +0100
Subject: [Freeipa-users] new freeipa user
In-Reply-To: <49AC24F6.4070705@redhat.com>
References: <90f6e8270902251437y62c4f3f6le17cb5e859ef1739@mail.gmail.com> <49A60A94.8050601@redhat.com> <90f6e8270902260709u3d6225f5v64d5fcfc1adb968f@mail.gmail.com> <49AC24F6.4070705@redhat.com>
Message-ID: <90f6e8270903060000p161bbb5dmf914c690f7f6440e@mail.gmail.com>

On Mon, Mar 2, 2009 at 7:27 PM, Rob Crittenden wrote:
> Natxo Asenjo wrote:

[snip problems with pam_mkhomedir.so and selinux]

> Ok, the selinux list is recommending using pam_oddjob-mkhomedir which is
> part of oddjobd, a d-bus service
> (http://people.redhat.com/nalin/oddjob/oddjob.html)

right, this was the solution. I am a bit surprised though that I had to edit the pam file myself, I am not used to having to do this with fedora :-) (this is actually a compliment, I am unfortunately more than used to having to do this in debian(based) distributions, so it is no biggy)

Where can I file a bug about this unexpected behaviour of fedora? I mean, if you check the box "create home directories on first login" in "authentication configuration", the administrator expects it to work, obviously.

thanks!
natxo asenjo
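As an added example (my own code, not part of this thread, IPA or setroubleshoot): a small parser for raw AVC records like the two Natxo pasted earlier in this thread. It pulls out the denied permission, the source and target types, rebuilds the one-line summary sealert printed, and flags the pattern behind both reports: a login domain (sshd_t, xdm_t) denied write or create on the home_root_t directory, which is the access a login process no longer needs once pam_oddjob_mkhomedir hands the mkdir to oddjobd's separately confined helper. The third sample record and the LOGIN_DOMAINS set are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample: the two raw AVC records quoted in the thread, re-joined
# onto single lines (the mailer had wrapped them), plus one unrelated denial
# I made up so the classifier has a negative case.
SAMPLE_AUDIT = """\
node=ipaclient01.virtual.local type=AVC msg=audit(1235600927.386:53): avc: denied { write } for pid=3055 comm="sshd" name="home" dev=dm-0 ino=211745 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
node=ipaclient01.virtual.local type=AVC msg=audit(1235659592.554:36): avc: denied { create } for pid=4301 comm="gdm-session-wor" name="casenjo" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
node=ipaclient01.virtual.local type=AVC msg=audit(1235659600.000:40): avc: denied { read } for pid=4400 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
"""

# Fields of an AVC record: decision, permission set, pid, comm, optional name,
# then the source and target security contexts and the object class.
AVC_RE = re.compile(
    r'type=AVC\b.*?\bavc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}'
    r'\s+for\s+pid=(?P<pid>\d+)\s+comm="(?P<comm>[^"]*)"'
    r'(?:\s+name="(?P<name>[^"]*)")?'
    r'.*?\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

# Login-path domains expected to create home directories at first login
# (assumption: extend for other PAM-using login services on your hosts).
LOGIN_DOMAINS = {"sshd_t", "xdm_t", "local_login_t"}


@dataclass
class AvcRecord:
    decision: str
    perms: Tuple[str, ...]
    pid: int
    comm: str
    name: Optional[str]
    source_type: str   # type field of scontext, e.g. sshd_t
    target_type: str   # type field of tcontext, e.g. home_root_t
    tclass: str


def context_type(ctx: str) -> str:
    """Return the type (third colon-separated field) of an SELinux context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc(line: str) -> Optional[AvcRecord]:
    """Parse one audit line; returns None for non-AVC records such as SYSCALL."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return AvcRecord(
        decision=m.group("decision"),
        perms=tuple(m.group("perms").split()),
        pid=int(m.group("pid")),
        comm=m.group("comm"),
        name=m.group("name"),
        source_type=context_type(m.group("scontext")),
        target_type=context_type(m.group("tcontext")),
        tclass=m.group("tclass"),
    )


def explain(rec: AvcRecord) -> str:
    """Render the one-line summary in the same form setroubleshoot prints."""
    perms = " ".join(rec.perms)
    target = f"./{rec.name}" if rec.name else rec.tclass
    return (f'SELinux is preventing {rec.comm} ({rec.source_type}) '
            f'"{perms}" to {target} ({rec.target_type}).')


def classify(rec: AvcRecord) -> str:
    """'homedir-creation' is the thread's pattern: a login domain denied
    write/create on the home_root_t directory (/home)."""
    if rec.decision != "denied":
        return "allowed"
    if (rec.tclass == "dir" and rec.target_type == "home_root_t"
            and rec.source_type in LOGIN_DOMAINS
            and {"write", "create", "add_name"} & set(rec.perms)):
        return "homedir-creation"
    return "other"


def summarize(audit_text: str) -> Dict[str, int]:
    """Count records per classification over a block of audit log text."""
    counts: Dict[str, int] = {}
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            label = classify(rec)
            counts[label] = counts.get(label, 0) + 1
    return counts
```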
From: per at norhex.com (Per Qvindesland)
Date: Sun, 08 Mar 2009 18:22:20 +0100
Subject: [Freeipa-users] Newbie problems
Message-ID:

Hi list,

I have finally managed to install IPA on a Centos 5.2 server and it's working just fine, but I am having some questions that I hope I can get answers to.

1. if I add in a new group through the web interface will it then be the same as a ou? Since we have multiple servers here dealing with multiple countries I would like to add in a ou for each country and add users to each countries ou, not sure but would it then be something like ou=no,dc=company,dc=com

2. Can I configure each server to log on with ldap so it would be ou=no,dc=company,dc=com and ldap://ipaserver.company.com or must I use the client?

3. How can I configure it so that I don't have to use a Kerberos login but get a login page so no single login.

4. can I configure it so that a normal person can add in a user for his/her own country without being added into the admins group?

5. is there any way to configure it to set the username as the default password on creation and then when the user logs on the first time the user has to change the password?

I have looked but I can't find anything about this in the manual so I am really hoping that someone could help me out here.

Kind regards
Per Qvindesland

From rcritten at redhat.com Mon Mar 9 14:37:54 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 09 Mar 2009 10:37:54 -0400
Subject: [Freeipa-users] Newbie problems
In-Reply-To:
References:
Message-ID: <49B529C2.10604@redhat.com>

Per Qvindesland wrote:
> Hi list,
>
> I have finally managed to install IPA on a Centos 5.2 server and it's
> working just fine, but I am having some questions that I hope I can get
> answers to.
>
> 1. if I add in a new group through the web interface will it then be the
> same as a ou? Since we have multiple servers here dealing with multiple
> countries I would like to add in a ou for each country and add users to each
> countries ou, not sure but would it then be something like
> ou=no,dc=company,dc=com

No, currently we have a very flat tree layout. Do you want this for performance reasons or to apply an organization onto the tree?

We purposely selected a flat tree because organizations are constantly reorganizing, people move, etc. Storing the data to reflect the organization of the company doesn't really buy you much more than a lot of pain (IMHO).

You can add ou to each entry without having it part of the DN though.

> 2. Can I configure each server to log on with ldap so it would be
> ou=no,dc=company,dc=com and ldap://ipaserver.company.com or must I use the
> client?

I'm not sure I understand the question.

> 3. How can I configure it so that I don't have to use a Kerberos login but
> get a login page so no single login.

You can set KrbMethodK5Passwd to "on" in /etc/httpd/conf.d/ipa.conf to have the UI fall back to username/password. This hasn't been very well tested so we'd appreciate any feedback on this.

> 4. can I configure it so that a normal person can add in a user for his/her
> own country without being added into the admins group?

You'd have to write an LDAP ACI to allow this. The current delegation system is very limited and I don't think it would do what you want.
I think something like:

aci: (targetattr = "c")(version 3.0; acl "Self can write own country"; allow (write) userdn="ldap:///self";)

> 5. is there any way to configure it to set the username as the default
> password on creation and then when the user logs on the first time the user
> has to change the password?

Not without code changes, no. The patch looks something like:

--- a/ipa-server/xmlrpc-server/funcs.py +++ b/ipa-server/xmlrpc-server/funcs.py @@ -623,6 +623,9 @@ class IPAServer: if user.get('gn'): del user['gn'] + if not user.get('userpassword'): + user['userpassword'] = user['uid'] +

rob

> I have looked but I can't find anything about this in the manual so I am
> really hoping that someone could help me out here.
>
> Kind regards
> Per Qvindesland
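Review bot: the two added lines in the `@@ -623,6 +623,9 @@` hunk make `user['uid']` the password of every user created without one, unconditionally, and nothing in the hunk forces a change at first login, which was the second half of the request; a username-as-password default that never expires is a weaker posture than rejecting a creation request that lacks a password. Suggest gating this behind an explicit opt-in (a hypothetical flag, not shown here) and, in the same branch, setting whatever attribute marks the password as expired so the first login must change it; otherwise keep rejecting. The trailing bare `+` only adds a blank line and can be dropped.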
From: terry.huang at ce.com.au (Terry Huang)
Date: Fri, 13 Mar 2009 11:42:57 +1100
Subject: [Freeipa-users] SSH to ipa-client
Message-ID: <49B9AC11.8080505@ce.com.au>

Hi,

I tried to add a host service principal (for SSH) for a Fedora 10 IPA client machine by running the following:

1. "kinit admin" which gave me a valid Kerberos TGT.
2. "ipa-addservice -v host/", which gave me the following error message:

Connecting to IPA server: https:///ipa/xml
Unable to connect to IPA server: Moved Permanently

I tried from a web browser and it looked as if "/ipa/xml" didn't exist.

Can anyone help please? Thanks ahead.

Regards,
Terry

From ssorce at redhat.com Fri Mar 13 12:35:23 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 13 Mar 2009 08:35:23 -0400
Subject: [Freeipa-users] Re: freeipa server + how to joining opensuse clients
In-Reply-To: <1236930680.6988.10.camel@tango>
References: <1236927682.18679.5.camel@jgd-dsk> <1236930680.6988.10.camel@tango>
Message-ID: <1236947723.23130.12.camel@localhost.localdomain>

Reply moved to freeipa-users.

On Fri, 2009-03-13 at 15:51 +0800, Byambaa Mendbayar wrote:
> Dear developers,
>
> I want to join my linux clients (opensuse 11.1) in freeipa server domain
> (rmwg.mn.), how can I do that. Of course before I had read some
> documents from freeipa.org web site [1]. But I am still unclear on
> joining my clients to my server domain.

In v1, there isn't actually a formal join to perform.
All you need to get users and authenticate is configure nss_ldap to point to your server and pam_krb for krb authentication.

If you also want to offer kerberized services (like SSO auth via sshd) then you can use ipa-addservice to add a 'host' service for your machine and ipa-getkeytab to retrieve a keytab for the machine.

Details on the single operations are in the docs.

> Should I use 'Yast->Network Services->Windows Domain Membership'
> function for joining my opensuse client to the freeipa server's
> domain?

No.

> [1] -
> http://www.freeipa.org/page/Implementing_FreeIPA_in_a_mixed_Environment_(Windows/Linux)_-_Step_by_step

This page is to configure windows clients, you want to read this one for linux/unix clients:
http://www.freeipa.org/page/ClientConfigurationGuide

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From mendbayar_b at e-map.mn Sat Mar 14 09:42:35 2009
From: mendbayar_b at e-map.mn (Byambaa Mendbayar)
Date: Sat, 14 Mar 2009 17:42:35 +0800
Subject: [Freeipa-users] Re: freeipa server + how to joining opensuse clients
In-Reply-To: <1236947723.23130.12.camel@localhost.localdomain>
References: <1236927682.18679.5.camel@jgd-dsk> <1236930680.6988.10.camel@tango> <1236947723.23130.12.camel@localhost.localdomain>
Message-ID: <1237023755.5086.1.camel@tango>

Dear Simo,

Thank you very much for your response.

With best regards,
B. Mendbayar

On Fri, 2009-03-13 at 08:35 -0400, Simo Sorce wrote:
> Reply moved to freeipa-users.
>
> On Fri, 2009-03-13 at 15:51 +0800, Byambaa Mendbayar wrote:
> > Dear developers,
> >
> > I want to join my linux clients (opensuse 11.1) in freeipa server domain
> > (rmwg.mn.), how can I do that. Of course before I had read some
> > documents from freeipa.org web site [1]. But I am still unclear on
> > joining my clients to my server domain.
>
> In v1, there isn't actually a formal join to perform.
> All you need to get users and authenticate is configure nss_ldap to
> point to your server and pam_krb for krb authentication.
>
> If you also want to offer kerberized services (like SSO auth via sshd)
> then you can use ipa-addservice to add a 'host' service for your machine
> and ipa-getkeytab to retrieve a keytab for the machine.
>
> Details on the single operations are in the docs.
>
> > Should I use 'Yast->Network Services->Windows Domain Membership'
> > function for joining my opensuse client to the freeipa server's
> > domain?
>
> No.
>
> > [1] -
> > http://www.freeipa.org/page/Implementing_FreeIPA_in_a_mixed_Environment_(Windows/Linux)_-_Step_by_step
>
> This page is to configure windows clients, you want to read this one for
> linux/unix clients:
> http://www.freeipa.org/page/ClientConfigurationGuide
>
> Simo.
>

From dqarras at yahoo.com Sat Mar 14 15:40:23 2009
From: dqarras at yahoo.com (Daniel Qarras)
Date: Sat, 14 Mar 2009 08:40:23 -0700 (PDT)
Subject: [Freeipa-users] Re: freeipa server + how to joining opensuse clients
In-Reply-To: <1236947723.23130.12.camel@localhost.localdomain>
Message-ID: <470352.69157.qm@web36808.mail.mud.yahoo.com>

Hi!

> If you also want to offer kerberized services (like SSO
> auth via sshd) then you can use ipa-addservice to add a 'host'
> service for your machine and ipa-getkeytab to retrieve a keytab
> for the machine.
>
> Details on the single operations are in the docs.

The doc was good, perhaps it should stress for the unenlightened (like me) that this must be done for each and every host?

> This page is to configure windows clients, you want to read
> this one for linux/unix clients:
>
> http://www.freeipa.org/page/ClientConfigurationGuide

Again, nice doc but a bit outdated, the Fedora version speaks about testing repos for 7 and 8 and rawhide for F9. In general though, great to see this kind of documentation!

A few quick questions about the actual content:

- I've been setting up KerberosV5 lately and practically all guides have set these to false:

dns_lookup_realm = true
dns_lookup_kdc = true

Aren't those unneeded when the servers have been already defined in krb5.conf?

- TLS section lists

TLS_REQCERT allow

Doesn't this mean that if TLS procedures fail a non-TLS connection will be used instead? Perhaps it could be mentioned that using "demand" would force TLS usage (and in lack of it the termination)?

Thanks!

From rcritten at redhat.com Mon Mar 16 14:14:20 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 16 Mar 2009 10:14:20 -0400
Subject: [Freeipa-users] Re: freeipa server + how to joining opensuse clients
In-Reply-To: <470352.69157.qm@web36808.mail.mud.yahoo.com>
References: <470352.69157.qm@web36808.mail.mud.yahoo.com>
Message-ID: <49BE5EBC.3070409@redhat.com>

Daniel Qarras wrote:
> Hi!
>
>> If you also want to offer kerberized services (like SSO
>> auth via sshd) then you can use ipa-addservice to add a 'host'
>> service for your machine and ipa-getkeytab to retrieve a keytab
>> for the machine.
>>
>> Details on the single operations are in the docs.
>
> The doc was good, perhaps it should stress for the unenlightened (like me)
> that this must be done for each and every host?
>
>> This page is to configure windows clients, you want to read
>> this one for linux/unix clients:
>>
>> http://www.freeipa.org/page/ClientConfigurationGuide
>
> Again, nice doc but a bit outdated, the Fedora version speaks about testing
> repos for 7 and 8 and rawhide for F9. In general though, great to see this
> kind of documentation!

Thanks, I've fixed this.

> Few quick questions about the actual content:
>
> - I've been setting up KerberosV5 lately and practically all guides have
>   set these to false:
>
>   dns_lookup_realm = true
>   dns_lookup_kdc = true
>
>   Aren't those unneeded when the servers have already been defined in
>   krb5.conf?

Yes, as I understand it if you go to a realm/domain specified in the file
these will not be used. Doesn't hurt to have them defined I suppose, I'm
not sure what the defaults are. Do you think having these will cause
confusion?

> - TLS section lists
>
>   TLS_REQCERT allow
>
>   Doesn't this mean that if TLS procedures fail a non-TLS connection will
>   be used instead? Perhaps it could be mentioned that using "demand" would
>   force TLS usage (and in lack of it the termination)?

Not really. As I understand it if TLS is not available then it will fall
back to non-TLS. If TLS is available but fails because of a bad cert,
no trust of the CA, etc. then the connection will fail.

> Thanks!

Thanks for the feedback.

rob

From dpal at redhat.com Mon Mar 16 14:30:00 2009
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 16 Mar 2009 10:30:00 -0400
Subject: [Freeipa-users] organizational units
In-Reply-To: <90f6e8270902271046j4ae6c7e6me191d2a30ab4bdcf@mail.gmail.com>
References: <90f6e8270902261205v6aa6f7f6j7db50534063b11eb@mail.gmail.com> <49A82963.20809@redhat.com> <90f6e8270902271046j4ae6c7e6me191d2a30ab4bdcf@mail.gmail.com>
Message-ID: <49BE6268.7030801@redhat.com>

Natxo Asenjo wrote:
> On Fri, Feb 27, 2009 at 6:56 PM, Rob Crittenden wrote:
>> Natxo Asenjo wrote:
>>> hi,
>>>
>>> In freeipa 1.2.1 from fedora10, is it possible to create different ou
>>> in the directory server in order to organize the directory for
>>> different branches, like, ou=europe,dc=example,dc=com;
>>> ou=asia,dc=example,dc=com etc. Having all users under
>>> cn=users,cn=accounts,dc=example,dc=com can be a bit disorganized.
>>
>> Storing users in one place is on purpose. Trying to separate users by OU,
>> region, etc tends to be difficult because people move a lot, companies
>> reorganize, etc
>
> ok, that's an interesting starting point. So how will policies be
> implemented then? Excuse my asking, I guess I am a bit used to the AD
> way of coupling policies to ou's.

The machine related policies will be related to the policy groups.
Policy groups will be associated with groups of hosts.

http://www.freeipa.org/page/Overall_Design_of_Policy_Related_Components
http://www.freeipa.org/page/DS_Design_Summary_2

User related policies will be looked at in later versions.

>>> Another question: will the webgui have a ldap browser interface? Will
>>> the ipa-admintools be able to create objects in different
>>> ou/containers in the directory?
>>
>> There are no plans for a generic ldap browser. One of the goals is to hide
>> the implementation so we may never provide one.
>
> I see. Well, I suppose one can always use any of the available ldap
> browsers if the need arises.
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

-- 
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From dqarras at yahoo.com Mon Mar 16 18:28:08 2009
From: dqarras at yahoo.com (Daniel Qarras)
Date: Mon, 16 Mar 2009 11:28:08 -0700 (PDT)
Subject: [Freeipa-users] Re: freeipa server + how to joining opensuse clients
In-Reply-To: <49BE5EBC.3070409@redhat.com>
Message-ID: <21731.66198.qm@web36804.mail.mud.yahoo.com>

Hi!

> > Few quick questions about the actual content:
> >
> > - I've been setting up KerberosV5 lately and
> > practically all guides have set these to false:
> >
> > dns_lookup_realm = true
> > dns_lookup_kdc = true
> >
> > Aren't those unneeded when the servers have
> > already been defined in krb5.conf?
>
> Yes, as I understand it if you go to a realm/domain
> specified in the file these will not be used. Doesn't
> hurt to have them defined I suppose, I'm not sure what
> the defaults are. Do you think having these will cause
> confusion?

Ok, thanks for the clarification, I got the same impression from the man
page. I think it's ok to leave them there, I'd suppose most people just
copy and paste and those few interested in details (like me) will read the
man page if in doubt :-)

From the nit-picking department: one thing that perhaps could be spelled
out is that in the "Installing IPA Client" section there is:

  add the server's IP address to the client's /etc/resolv.conf file.

Could be:

  add the server's IP address to the client's /etc/resolv.conf file, e.g.:

  nameserver 192.168.122.1

> > - TLS section lists
> >
> > TLS_REQCERT allow
> >
> > Doesn't this mean that if TLS procedures fail a
> > non-TLS connection will be used instead? Perhaps it could be
> > mentioned that using "demand" would force TLS
> > usage (and in lack of it the termination)?
>
> Not really. As I understand it if TLS is not available then
> it will fall back to non-TLS. If TLS is available but
> fails because of a bad cert, no trust of the CA, etc. then
> the connection will fail.

Hmm, after inspecting this a bit more I'm confused. The TLS client
configuration section should IMHO mention that this is for PAM (and not
for OpenLDAP tools and libraries which use /etc/openldap/ldap.conf). But
the guide says:

  1. Modify the following in the /etc/ldap.conf file:

  URI ldap://ipaserver.example.com
  BASE dc=example,dc=com
  HOST ipaserver.example.com
  TLS_CACERTDIR /etc/cacerts/
  TLS_REQCERT allow

but these upper case options are described in ldap.conf(5) which is for
the OpenLDAP configuration file /etc/openldap/ldap.conf! The /etc/ldap.conf
configuration file syntax is described in nss_ldap(5) which uses lower case
syntax and does not mention tls_reqcert (or TLS_REQCERT) at all but
tls_checkpeer.

Also, the above example does not say anything about actually using TLS,
one would need "ssl start_tls" to use it, now to me it seems that the
connections would be unencrypted (if the server accepts such connections -
that is something I haven't checked).

One minor additional detail is that HOST/URI provide duplicate information
and URI/uri probably should be preferred and HOST/host could be dropped.

Cheers!

From mahendra at latticenetworks.com Tue Mar 17 07:32:29 2009
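As an added example (not code from the guide or from anyone in the thread), a small Python audit of an nss_ldap-style /etc/ldap.conf for the two points Daniel raises above: whether TLS is switched on at all, and whether TLS_REQCERT allow tolerates a bad server certificate. Both sample configurations are constructed, and comparing keywords case-insensitively is this checker's own assumption, not a statement about how nss_ldap parses its file.

```python
"""Audit an nss_ldap-style /etc/ldap.conf for plaintext binds and relaxed
server certificate checking.  Added example; the samples are constructed."""

# Constructed sample mirroring the guide excerpt quoted above: OpenLDAP-style
# upper-case keys, TLS_REQCERT allow, and no 'ssl' directive at all.
SAMPLE_GUIDE_CONF = """\
URI ldap://ipaserver.example.com
BASE dc=example,dc=com
HOST ipaserver.example.com
TLS_CACERTDIR /etc/cacerts/
TLS_REQCERT allow
"""

# Constructed hardened variant: StartTLS enabled, peer certificate required.
SAMPLE_HARDENED_CONF = """\
uri ldap://ipaserver.example.com
base dc=example,dc=com
ssl start_tls
tls_cacertdir /etc/cacerts/
tls_checkpeer yes
tls_reqcert demand
"""


def parse_ldap_conf(text):
    """Map each 'keyword value' line to {keyword.lower(): value}.

    Keywords are lowercased so the upper-case spelling from ldap.conf(5) and
    the lower-case spelling from nss_ldap(5) are audited alike (an assumption
    of this checker).  Comments and blank lines are skipped; a repeated
    keyword keeps its last value.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ''
    return conf


def audit_ldap_conf(text):
    """Return a list of findings; an empty list means nothing to report."""
    conf = parse_ldap_conf(text)
    findings = []

    # 1. Is TLS used at all?  nss_ldap turns it on with 'ssl start_tls'
    #    (StartTLS on the plain port) or 'ssl on' (LDAPS); an ldaps:// URI
    #    also implies TLS.  Otherwise binds and lookups travel in the clear.
    ssl_mode = conf.get('ssl', 'off').lower()
    endpoints = (conf.get('uri', '') + ' ' + conf.get('host', '')).lower()
    if ssl_mode not in ('start_tls', 'on') and 'ldaps://' not in endpoints:
        findings.append('no TLS: ssl is "%s" and no ldaps:// URI; binds and '
                        'lookups go over plaintext' % ssl_mode)

    # 2. Is the server certificate verified?  Per ldap.conf(5), 'never' does
    #    not request a certificate and 'allow' ignores a missing or bad one;
    #    only 'demand' (alias 'hard', also the documented default) terminates
    #    the session on failure.  An absent key is treated as that default.
    reqcert = conf.get('tls_reqcert', 'demand').lower()
    if reqcert in ('never', 'allow'):
        findings.append('tls_reqcert %s: a missing or bad server certificate '
                        'is tolerated; use demand' % reqcert)
    if conf.get('tls_checkpeer', '').lower() == 'no':
        findings.append('tls_checkpeer no: server certificate is not verified')

    # 3. Redundant endpoint definitions, as noted in the thread.
    if 'uri' in conf and 'host' in conf:
        findings.append('both uri and host set; redundant, keep uri')
    return findings


if __name__ == '__main__':
    for name, text in (('guide', SAMPLE_GUIDE_CONF),
                       ('hardened', SAMPLE_HARDENED_CONF)):
        print('%s: %s' % (name, audit_ldap_conf(text) or ['ok']))
```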
From: mahendra at latticenetworks.com (mahen)
Date: Tue, 17 Mar 2009 13:02:29 +0530
Subject: [Freeipa-users] Ipa-client error (windows XP)
Message-ID: <1237275149.4081.12.camel@mars.pragati-automation.co.in>

Hi,

I am using IPA-Server on FC9.

I am trying to log in to the ipa server through windows xp (as client). If
it is a new user in ipa-server, windows xp asks me to change the password
and the change happens successfully but xp fails to login. It gives an
error message saying...

"Windows cannot connect to the domain, either because the domain
controller is down or otherwise unavailable, or because your computer
account was not found."

Step-by-Step Procedure followed (in IPA-Server)
1. ipa-addservice host/client.example.com
2. ipa-getkeytab -s server.example.com -p host/client.example.com -e des-cbc-crc -k krb5.keytab.txt

IN Windows XP
1. ksetup /setrealm EXAMPLE.COM
2. ksetup /addkdc EXAMPLE.COM server.example.com
3. ksetup /setmachpassword (I don't know why this is used, since all my passwords are the same it can match to any user)
4. ksetup /mapuser * ipauser

Thanks..
Mahendra

From kozlov at spbcas.ru Tue Mar 17 08:01:56 2009
From: kozlov at spbcas.ru (Konstantin Kozlov)
Date: Tue, 17 Mar 2009 11:01:56 +0300
Subject: [Freeipa-users] Ipa-client error (windows XP)
In-Reply-To: <1237275149.4081.12.camel@mars.pragati-automation.co.in>
References: <1237275149.4081.12.camel@mars.pragati-automation.co.in>
Message-ID: <49BF58F4.6050506@spbcas.ru>

Hi,

you've missed the password stuff!

mahen wrote:
> Hi,
> I am using IPA-Server on FC9.
>
> I am trying to log in to the ipa server through windows xp (as client). If
> it is a new user in ipa-server, windows xp asks me to change the password
> and the change happens successfully but xp fails to login. It gives an
> error message saying...
> "Windows cannot connect to the domain, either because the domain
> controller is down or otherwise unavailable, or because your computer
> account was not found."
>
> Step-by-Step Procedure followed (in IPA-Server)
> 1. ipa-addservice host/client.example.com
> 2. ipa-getkeytab -s server.example.com -p host/client.example.com -e
> des-cbc-crc -k krb5.keytab.txt
>
> IN Windows XP
> 1. ksetup /setrealm EXAMPLE.COM
> 2. ksetup /addkdc EXAMPLE.COM server.example.com
> 3. ksetup /setmachpassword (I don't know why this is used, since all my passwords are the same it can match to any user)

This is the machine password, not a user password. It is set up on
ipa-server in step 2 as:

ipa-getkeytab -s server.example.com -p host/client.example.com -e des-cbc-crc -k krb5.keytab.txt -P

> 4. ksetup /mapuser * ipauser

Mapping individual users works if you name him ipauser at EXAMPLE.COM.

Best regards,

Kostya

> Thanks..
> Mahendra

-- 
Konstantin Kozlov
Department of Computational Biology,
Center for Advanced Studies,
SPb State Polytechnical University,
195251, Polytechnicheskaya ul., 29, bld 4, office 204,
St.Petersburg, Russia.
Tel./fax: +7 812 596 2831

From kozlov at spbcas.ru Tue Mar 17 09:04:39 2009
From: kozlov at spbcas.ru (Konstantin Kozlov)
Date: Tue, 17 Mar 2009 12:04:39 +0300
Subject: [Freeipa-users] Ipa-client error (windows XP)
In-Reply-To: <1237279838.4081.21.camel@mars.pragati-automation.co.in>
References: <1237275149.4081.12.camel@mars.pragati-automation.co.in> <49BF58F4.6050506@spbcas.ru> <1237279838.4081.21.camel@mars.pragati-automation.co.in>
Message-ID: <49BF67A7.3060802@spbcas.ru>

Hi,

reply to the list also.

I am also on FC9 and with ipa 1.2.1 from yum. Have you installed the repo
"updates new key"? Do that if not and update everything from there before
the ipa install. Also if possible install on FC10 or (FC11 Beta), or even
CentOS 5, compiling ipa-server from source. It was reported that the
FC9->FC10 upgrade may break the LDAP database.

Also, did you read the how to for windows on freeipa.org? And the list
archives - there were a couple of discussions about winxp.

mahen wrote:
> Hi,
> Thanks for the quick reply.
>
> I think my IPA-Server is not supporting the -P (password) switch with
> ipa-getkeytab.
>
> I have installed ipa-server through yum and it installed
> ipa-server-1.0.0-4.fc9.i386.
>
> Can I do this task with this version of IPA?
>
> Is there any easy way to upgrade ipa 1.0 to ipa 1.2?

Look at the top of the letter for binaries. RPM does the upgrade of other
things, at least it did for me.

> One more question. Is it required to keep the keytab file in the windows
> system? If yes then where should I place this?

No, windows uses the password instead (so the keytab doesn't really matter).

Best regards,

Kostya

> Thanks again..
> mahendra
>
> On Tue, 2009-03-17 at 11:01 +0300, Konstantin Kozlov wrote:
>> Hi,
>>
>> you've missed the password stuff!
>>
>> mahen wrote:
>>> Hi,
>>> I am using IPA-Server on FC9.
>>>
>>> I am trying to log in to the ipa server through windows xp (as client). If
>>> it is a new user in ipa-server, windows xp asks me to change the password
>>> and the change happens successfully but xp fails to login. It gives an
>>> error message saying...
>>> "Windows cannot connect to the domain, either because the domain
>>> controller is down or otherwise unavailable, or because your computer
>>> account was not found."
>>>
>>> Step-by-Step Procedure followed (in IPA-Server)
>>> 1. ipa-addservice host/client.example.com
>>> 2. ipa-getkeytab -s server.example.com -p host/client.example.com -e
>>> des-cbc-crc -k krb5.keytab.txt
>>>
>>> IN Windows XP
>>> 1. ksetup /setrealm EXAMPLE.COM
>>> 2. ksetup /addkdc EXAMPLE.COM server.example.com
>>> 3. ksetup /setmachpassword (I don't know why this is used, since all my passwords are the same it can match to any user)
>>
>> This is the machine password, not a user password. It is set up on
>> ipa-server in step 2 as:
>>
>> ipa-getkeytab -s server.example.com -p host/client.example.com -e
>> des-cbc-crc -k krb5.keytab.txt -P
>>
>>> 4. ksetup /mapuser * ipauser
>>
>> Mapping individual users works if you name him ipauser at EXAMPLE.COM.
>>
>> Best regards,
>>
>> Kostya
>>
>>> Thanks..
>>> Mahendra

From mahendra at latticenetworks.com Tue Mar 17 11:47:49 2009
From: mahendra at latticenetworks.com (mahen)
Date: Tue, 17 Mar 2009 17:17:49 +0530
Subject: [Freeipa-users] Ipa-client error (windows XP)
In-Reply-To: <49BF67A7.3060802@spbcas.ru>
References: <1237275149.4081.12.camel@mars.pragati-automation.co.in> <49BF58F4.6050506@spbcas.ru> <1237279838.4081.21.camel@mars.pragati-automation.co.in> <49BF67A7.3060802@spbcas.ru>
Message-ID: <1237290469.4081.31.camel@mars.pragati-automation.co.in>

Hi,

Thanks a lot. It worked. Everything is fine now.

Can I have an ADS type of effect for IPA-Server? I don't want to create
local users or to map all IPA users to a single user.

Thanks...
Mahendra

On Tue, 2009-03-17 at 12:04 +0300, Konstantin Kozlov wrote:
> Hi,
>
> reply to the list also.
>
> I am also on FC9 and with ipa 1.2.1 from yum. Have you installed the
> repo "updates new key"? Do that if not and update everything from there
> before the ipa install. Also if possible install on FC10 or (FC11 Beta), or
> even CentOS 5, compiling ipa-server from source. It was reported that the
> FC9->FC10 upgrade may break the LDAP database.
>
> Also, did you read the how to for windows on freeipa.org? And the list
> archives - there were a couple of discussions about winxp.
>
> mahen wrote:
> > Hi,
> > Thanks for the quick reply.
> >
> > I think my IPA-Server is not supporting the -P (password) switch with
> > ipa-getkeytab.
> >
> > I have installed ipa-server through yum and it installed
> > ipa-server-1.0.0-4.fc9.i386.
> >
> > Can I do this task with this version of IPA?
> >
> > Is there any easy way to upgrade ipa 1.0 to ipa 1.2?
>
> Look at the top of the letter for binaries. RPM does the upgrade of other
> things, at least it did for me.
>
> > One more question. Is it required to keep the keytab file in the windows
> > system? If yes then where should I place this?
>
> No, windows uses the password instead (so the keytab doesn't really matter).
>
> Best regards,
>
> Kostya
>
> > Thanks again..
> > mahendra
> >
> > On Tue, 2009-03-17 at 11:01 +0300, Konstantin Kozlov wrote:
> >> Hi,
> >>
> >> you've missed the password stuff!
> >>
> >> mahen wrote:
> >>> Hi,
> >>> I am using IPA-Server on FC9.
> >>>
> >>> I am trying to log in to the ipa server through windows xp (as client). If
> >>> it is a new user in ipa-server, windows xp asks me to change the password
> >>> and the change happens successfully but xp fails to login. It gives an
> >>> error message saying...
> >>> "Windows cannot connect to the domain, either because the domain
> >>> controller is down or otherwise unavailable, or because your computer
> >>> account was not found."
> >>>
> >>> Step-by-Step Procedure followed (in IPA-Server)
> >>> 1. ipa-addservice host/client.example.com
> >>> 2. ipa-getkeytab -s server.example.com -p host/client.example.com -e
> >>> des-cbc-crc -k krb5.keytab.txt
> >>>
> >>> IN Windows XP
> >>> 1. ksetup /setrealm EXAMPLE.COM
> >>> 2. ksetup /addkdc EXAMPLE.COM server.example.com
> >>> 3. ksetup /setmachpassword (I don't know why this is used, since all my passwords are the same it can match to any user)
> >>
> >> This is the machine password, not a user password. It is set up on
> >> ipa-server in step 2 as:
> >>
> >> ipa-getkeytab -s server.example.com -p host/client.example.com -e
> >> des-cbc-crc -k krb5.keytab.txt -P
> >>
> >>> 4. ksetup /mapuser * ipauser
> >>
> >> Mapping individual users works if you name him ipauser at EXAMPLE.COM.
> >>
> >> Best regards,
> >>
> >> Kostya
> >>
> >>> Thanks..
> >>> Mahendra

From kozlov at spbcas.ru Tue Mar 17 12:45:43 2009
From: kozlov at spbcas.ru (Konstantin Kozlov)
Date: Tue, 17 Mar 2009 15:45:43 +0300
Subject: [Freeipa-users] Ipa-client error (windows XP)
In-Reply-To: <1237290469.4081.31.camel@mars.pragati-automation.co.in>
References: <1237275149.4081.12.camel@mars.pragati-automation.co.in> <49BF58F4.6050506@spbcas.ru> <1237279838.4081.21.camel@mars.pragati-automation.co.in> <49BF67A7.3060802@spbcas.ru> <1237290469.4081.31.camel@mars.pragati-automation.co.in>
Message-ID: <49BF9B77.3080108@spbcas.ru>

Hi,

mahen wrote:
> Hi,
>
> Thanks a lot. It worked. Everything is fine now.

Great!

> Can I have an ADS type of effect for IPA-Server? I don't want to create
> local users or to map all IPA users to a single user.

As you probably read already you can't get policies for "ou"'s. In IPAv1
there is one policy and in v2 policies will be for groups, as far as I know.

The next step for the IPA+winxp setup will be Samba 3:
http://www.dlt.com/sr/PDF/redhat/Securing_Samba_with_IPA-1.0.pdf
It works for me.

The next part, i.e. making network users, is said to be impossible though
it may be possible by the following trick:
http://support.microsoft.com/kb/320043
The local test user is created but the path for home uses the environment
variable %username% that might be substituted with the ipa username after
login and hence different users mapped to a single one get different homes.
I didn't test that. And map yourself to Administrator :)

As for software installations like in ADS look at http://wpkg.org/

Best regards,

Kostya

> Thanks...
> Mahendra
>
> On Tue, 2009-03-17 at 12:04 +0300, Konstantin Kozlov wrote:
>> Hi,
>>
>> reply to the list also.
>>
>> I am also on FC9 and with ipa 1.2.1 from yum. Have you installed the
>> repo "updates new key"? Do that if not and update everything from there
>> before the ipa install. Also if possible install on FC10 or (FC11 Beta), or
>> even CentOS 5, compiling ipa-server from source. It was reported that the
>> FC9->FC10 upgrade may break the LDAP database.
>>
>> Also, did you read the how to for windows on freeipa.org? And the list
>> archives - there were a couple of discussions about winxp.
>>
>> mahen wrote:
>>> Hi,
>>> Thanks for the quick reply.
>>>
>>> I think my IPA-Server is not supporting the -P (password) switch with
>>> ipa-getkeytab.
>>>
>>> I have installed ipa-server through yum and it installed
>>> ipa-server-1.0.0-4.fc9.i386.
>>>
>>> Can I do this task with this version of IPA?
>>>
>>> Is there any easy way to upgrade ipa 1.0 to ipa 1.2?
>>
>> Look at the top of the letter for binaries. RPM does the upgrade of other
>> things, at least it did for me.
>>
>>> One more question. Is it required to keep the keytab file in the windows
>>> system? If yes then where should I place this?
>>
>> No, windows uses the password instead (so the keytab doesn't really matter).
>>
>> Best regards,
>>
>> Kostya
>>
>>> Thanks again..
>>> mahendra
>>>
>>> On Tue, 2009-03-17 at 11:01 +0300, Konstantin Kozlov wrote:
>>>> Hi,
>>>>
>>>> you've missed the password stuff!
>>>>
>>>> mahen wrote:
>>>>> Hi,
>>>>> I am using IPA-Server on FC9.
>>>>>
>>>>> I am trying to log in to the ipa server through windows xp (as client). If
>>>>> it is a new user in ipa-server, windows xp asks me to change the password
>>>>> and the change happens successfully but xp fails to login. It gives an
>>>>> error message saying...
>>>>> "Windows cannot connect to the domain, either because the domain
>>>>> controller is down or otherwise unavailable, or because your computer
>>>>> account was not found."
>>>>>
>>>>> Step-by-Step Procedure followed (in IPA-Server)
>>>>> 1. ipa-addservice host/client.example.com
>>>>> 2. ipa-getkeytab -s server.example.com -p host/client.example.com -e
>>>>> des-cbc-crc -k krb5.keytab.txt
>>>>>
>>>>> IN Windows XP
>>>>> 1. ksetup /setrealm EXAMPLE.COM
>>>>> 2. ksetup /addkdc EXAMPLE.COM server.example.com
>>>>> 3. ksetup /setmachpassword (I don't know why this is used, since all my passwords are the same it can match to any user)
>>>>
>>>> This is the machine password, not a user password. It is set up on
>>>> ipa-server in step 2 as:
>>>>
>>>> ipa-getkeytab -s server.example.com -p host/client.example.com -e
>>>> des-cbc-crc -k krb5.keytab.txt -P
>>>>
>>>>> 4. ksetup /mapuser * ipauser
>>>>
>>>> Mapping individual users works if you name him ipauser at EXAMPLE.COM.
>>>>
>>>> Best regards,
>>>>
>>>> Kostya
>>>>
>>>>> Thanks..
>>>>> Mahendra

From ssorce at redhat.com Tue Mar 17 13:16:08 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 17 Mar 2009 09:16:08 -0400
Subject: [Freeipa-users] Ipa-client error (windows XP)
In-Reply-To: <1237290469.4081.31.camel@mars.pragati-automation.co.in>
References: <1237275149.4081.12.camel@mars.pragati-automation.co.in> <49BF58F4.6050506@spbcas.ru> <1237279838.4081.21.camel@mars.pragati-automation.co.in> <49BF67A7.3060802@spbcas.ru> <1237290469.4081.31.camel@mars.pragati-automation.co.in>
Message-ID: <1237295768.20848.5.camel@localhost.localdomain>

On Tue, 2009-03-17 at 17:17 +0530, mahen wrote:
> Hi,
>
> Thanks a lot. It worked. Everything is fine now.
>
> Can I have an ADS type of effect for IPA-Server? I don't want to create
> local users or to map all IPA users to a single user.

No, unfortunately standard windows does not look up the users list in any
external repository (like our LDAP server) unless the server is AD.
You will see neither users nor groups in your client. You have to create
users and groups manually and keep them in sync if you use a windows
client at this stage.

That's why we do not mark Windows clients as "officially" supported right
now.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From dejongm at gmail.com Thu Mar 19 21:28:45 2009
From: dejongm at gmail.com (Mark deJong)
Date: Thu, 19 Mar 2009 17:28:45 -0400
Subject: [Freeipa-users] LDAP SRV Record Requests
Message-ID: <5848caff0903191428n36573d53qb610734fe21f1323@mail.gmail.com>

Hello,

I'm running CentOS 5.2 and am trying to set it up as an IPA-Client. I'm
having little luck getting nss_ldap to work as expected. The execution of
ipa-client-install works fine and populates /etc/ldap.conf as follows:

#File modified by ipa-client-install
ldap_version 3
base dc=nix,dc=dom,dc=com
nss_base_passwd cn=users,cn=accounts,dc=nix,dc=dom,dc=com?sub
nss_base_group cn=groups,cn=accounts,dc=nix,dc=dom,dc=com?sub
nss_schema rfc2307bis
nss_map_attribute uniqueMember member
nss_initgroups_ignoreusers root,dirsrv
nss_reconnect_maxsleeptime 8
nss_reconnect_sleeptime 1
bind_timelimit 5
timelimit 15
nss_srv_domain nix.dom.com

But this does not seem to work with the nss_ldap installed. I'm currently
running nss_ldap-253-13.el5_2.1.x86_64. When I change nss_srv_domain to
_ldap._tcp.nix.dom.com, everything works fine, but I'd rather not go down
this road fearing that the next update of nss_ldap will break this.
Leaving nss_srv_domain be and installing nss_ldap-264 from the Fedora 10
distro also fixes the problem, but again, I'd like to avoid this due to
any unforeseen issues in the future. I've tried to back port some of Red
Hat's patches from later versions of nss_ldap but that doesn't fix the
problem.

I'm sensing that, for others, this works fine. Is there something I'm
missing? What's the best course of action I should take at this point?

Thanks,
M

From mahendra at latticenetworks.com Fri Mar 20 07:29:56 2009
From: mahendra at latticenetworks.com (mahen)
Date: Fri, 20 Mar 2009 12:59:56 +0530
Subject: [Freeipa-users] ipa-user backend for samba
In-Reply-To: <49BF9B77.3080108@spbcas.ru>
References: <1237275149.4081.12.camel@mars.pragati-automation.co.in> <49BF58F4.6050506@spbcas.ru> <1237279838.4081.21.camel@mars.pragati-automation.co.in> <49BF67A7.3060802@spbcas.ru> <1237290469.4081.31.camel@mars.pragati-automation.co.in> <49BF9B77.3080108@spbcas.ru>
Message-ID: <1237534196.2524.14.camel@mars.pragati-automation.co.in>

Hi,

Can I use IPA users as a backend for samba, i.e. can I access a samba share
from a windows system (XP) using ipa user authentication?

My settings are exactly the way it has been specified in the given
document.
http://www.dlt.com/sr/PDF/redhat/Securing_Samba_with_IPA-1.0.pdf

I think the "passdb" parameter of smb.conf should point to the IPA user
database but I don't know how to do that.
Currently it is pointing to smbpasswd as per the above document.

With the current setup, I can access samba shares with the
smbclient -L sambaserver.example.com command.

But smbclient -k -L sambaserver.example.com gives me an error.
"cli_session_setup_blob: receive failed (NT_STATUS_LOGON_FAILURE)
session setup failed: NT_STATUS_LOGON_FAILURE"

Please help.

Thanks....
Mahendra

From kozlov at spbcas.ru Fri Mar 20 08:10:14 2009
From: kozlov at spbcas.ru (Konstantin Kozlov)
Date: Fri, 20 Mar 2009 11:10:14 +0300
Subject: [Freeipa-users] Re: ipa-user backend for samba
In-Reply-To: <1237534196.2524.14.camel@mars.pragati-automation.co.in>
References: <1237275149.4081.12.camel@mars.pragati-automation.co.in> <49BF58F4.6050506@spbcas.ru> <1237279838.4081.21.camel@mars.pragati-automation.co.in> <49BF67A7.3060802@spbcas.ru> <1237290469.4081.31.camel@mars.pragati-automation.co.in> <49BF9B77.3080108@spbcas.ru> <1237534196.2524.14.camel@mars.pragati-automation.co.in>
Message-ID: <49C34F66.607@spbcas.ru>

Hi,

it works for me.

mahen wrote:
> Hi,
> Can I use IPA users as a backend for samba, i.e. can I access a samba share
> from a windows system (XP) using ipa user authentication?

I am using it that way.

> My settings are exactly the way it has been specified in the given
> document.
> http://www.dlt.com/sr/PDF/redhat/Securing_Samba_with_IPA-1.0.pdf
>
> I think the "passdb" parameter of smb.conf should point to the IPA user
> database but I don't know how to do that.

Well, samba is looking in Kerberos that is looking in LDAP, so my
understanding is that 'passdb' is not used.

> Currently it is pointing to smbpasswd as per the above document.
> With the current setup, I can access samba shares with the smbclient -L
> sambaserver.example.com command.

Under ipa-user? What kerberos ticket do you have in that case? From what
machine?

> But smbclient -k -L sambaserver.example.com gives me an error.
> "cli_session_setup_blob: receive failed (NT_STATUS_LOGON_FAILURE)
> session setup failed: NT_STATUS_LOGON_FAILURE"

Well, I am not a very good specialist in samba but I think you must check
the following:

1. firewalls
2. time sync
3. kerberos tickets
4. increase samba logging and look in samba logs
5. do you have a correct principal in ipa?

regards,

Kostya

> Please help.
>
> Thanks....
> Mahendra

From mahendra at latticenetworks.com Fri Mar 20 08:47:53 2009
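Item 5 of the checklist above (a correct principal) can be verified offline from a `klist -ke` listing of the Samba server's keytab; the Python check below is an added example, not from anyone in the thread. The listing it parses is constructed for the hypothetical sambaserver.example.com, and the check also flags the single-DES key type that fetching a key with `-e des-cbc-crc` (as in the earlier XP thread) produces.

```python
"""Check an MIT Kerberos 'klist -ke' listing for the service key a
kerberised Samba share needs, and flag weak key types.  Added example,
not code from the thread; the listing below is constructed."""
import re

# Constructed 'klist -ke /etc/krb5.keytab' output for the thread's
# hypothetical sambaserver.example.com: the host/ key is fine, but the
# cifs/ key was fetched with '-e des-cbc-crc', so only single-DES keys exist.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/sambaserver.example.com@EXAMPLE.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   2 host/sambaserver.example.com@EXAMPLE.COM (ArcFour with HMAC/md5)
   1 cifs/sambaserver.example.com@EXAMPLE.COM (DES cbc mode with CRC-32)
   2 cifs/sambaserver.example.com@EXAMPLE.COM (DES cbc mode with CRC-32)
"""

# One keytab entry: "KVNO service/host@REALM (enctype description)".
ENTRY_RE = re.compile(
    r'^\s*(\d+)\s+([^/\s]+)/([^@\s]+)@(\S+?)(?:\s+\((.*)\))?\s*$')
# Enctype families a defender should no longer accept for a service key.
WEAK_ENCTYPE_MARKERS = ('DES cbc mode', 'ArcFour')


def parse_klist(text):
    """Return [(kvno, service, host, realm, enctype)] for each keytab entry."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            kvno, service, host, realm, enctype = m.groups()
            entries.append((int(kvno), service, host, realm, enctype or ''))
    return entries


def check_service_key(text, service, fqdn, realm):
    """Findings for the expected service/fqdn@REALM key; [] means it looks right."""
    entries = parse_klist(text)
    wanted = '%s/%s@%s' % (service, fqdn, realm)
    exact = [e for e in entries if (e[1], e[2], e[3]) == (service, fqdn, realm)]
    if not exact:
        # Principal names are case-sensitive and the KDC knows the FQDN form,
        # so a lower-case realm or a short hostname in the keytab never matches.
        shortname = fqdn.split('.')[0].lower()
        near = [e for e in entries
                if e[1].lower() == service.lower()
                and e[2].lower() in (fqdn.lower(), shortname)]
        if near:
            return ['%s key present under a different name: %s/%s@%s (expected %s)'
                    % (service, near[0][1], near[0][2], near[0][3], wanted)]
        return ['no %s key in keytab; fetch it with ipa-getkeytab' % wanted]
    findings = []
    # Every key type stored for the principal is offered to clients, so a
    # weak one is a problem even when a strong one sits beside it.
    for enctype in sorted({e[4] for e in exact}):
        if any(marker in enctype for marker in WEAK_ENCTYPE_MARKERS):
            findings.append('%s: weak key type "%s"; re-fetch the key with a '
                            'stronger enctype' % (wanted, enctype))
    return findings


if __name__ == '__main__':
    for svc in ('cifs', 'host', 'ldap'):
        print(svc, check_service_key(SAMPLE_KLIST, svc,
                                     'sambaserver.example.com', 'EXAMPLE.COM'))
```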
From: mahendra at latticenetworks.com (mahen)
Date: Fri, 20 Mar 2009 14:17:53 +0530
Subject: [Freeipa-users] Re: ipa-user backend for samba
In-Reply-To: <49C34F66.607@spbcas.ru>
References: <1237275149.4081.12.camel@mars.pragati-automation.co.in> <49BF58F4.6050506@spbcas.ru> <1237279838.4081.21.camel@mars.pragati-automation.co.in> <49BF67A7.3060802@spbcas.ru> <1237290469.4081.31.camel@mars.pragati-automation.co.in> <49BF9B77.3080108@spbcas.ru> <1237534196.2524.14.camel@mars.pragati-automation.co.in> <49C34F66.607@spbcas.ru>
Message-ID: <1237538873.2704.15.camel@mars.pragati-automation.co.in>

Hi,

well these are the steps....

1. ipaserver as server
2. sambaserver + ipaclient as smbserver
3. winXP ipa-client as ipa-client

In IPA-Server:
ipa-addservice cifs/sambaserver.example.com

In SambaServer:
kinit admin at EXAMPLE.COM
ipa-getkeytab -s ipaserver.example.com -p cifs/sambaserver.example.com -k /etc/krb5.keytab

The two key parameters of smb.conf related to kerberos are
realm = EXAMPLE.COM
use kerberos keytab = yes

SAMBASERVER WORKS FINE AS AN IPA-CLIENT.

Please let me know if I have missed out any configuration.

Thanks.
mahendra

On Fri, 2009-03-20 at 11:10 +0300, Konstantin Kozlov wrote:
> Hi,
>
> it works for me.
>
> mahen wrote:
> > Hi,
> > Can I use IPA users as a backend for samba, i.e. can I access a samba share
> > from a windows system (XP) using ipa user authentication?
>
> I am using it that way.
>
> > My settings are exactly the way it has been specified in the given
> > document.
> > http://www.dlt.com/sr/PDF/redhat/Securing_Samba_with_IPA-1.0.pdf
> >
> > I think the "passdb" parameter of smb.conf should point to the IPA user
> > database but I don't know how to do that.
>
> Well, samba is looking in Kerberos that is looking in LDAP, so my
> understanding is that 'passdb' is not used.
>
> > Currently it is pointing to smbpasswd as per the above document.
> > With the current setup, I can access samba shares with the smbclient -L
> > sambaserver.example.com command.
>
> Under ipa-user? What kerberos ticket do you have in that case? From what
> machine?
>
> > But smbclient -k -L sambaserver.example.com gives me an error.
> > "cli_session_setup_blob: receive failed (NT_STATUS_LOGON_FAILURE)
> > session setup failed: NT_STATUS_LOGON_FAILURE"
>
> Well, I am not a very good specialist in samba but I think you must check
> the following:
>
> 1. firewalls
> 2. time sync
> 3. kerberos tickets
> 4. increase samba logging and look in samba logs
> 5. do you have a correct principal in ipa?
>
> regards,
>
> Kostya
>
> > Please help.
> >
> > Thanks....
> > Mahendra

From kozlov at spbcas.ru Fri Mar 20 09:12:39 2009
From: kozlov at spbcas.ru (Konstantin Kozlov)
Date: Fri, 20 Mar 2009 12:12:39 +0300
Subject: [Freeipa-users] Re: ipa-user backend for samba
In-Reply-To: <1237538873.2704.15.camel@mars.pragati-automation.co.in>
References: <1237275149.4081.12.camel@mars.pragati-automation.co.in> <49BF58F4.6050506@spbcas.ru> <1237279838.4081.21.camel@mars.pragati-automation.co.in> <49BF67A7.3060802@spbcas.ru> <1237290469.4081.31.camel@mars.pragati-automation.co.in> <49BF9B77.3080108@spbcas.ru> <1237534196.2524.14.camel@mars.pragati-automation.co.in> <49C34F66.607@spbcas.ru> <1237538873.2704.15.camel@mars.pragati-automation.co.in>
Message-ID: <49C35E07.4050108@spbcas.ru>

Hi,

mahen wrote:
> Hi,
> well these are the steps....
>
> 1. ipaserver as server
> 2. sambaserver + ipaclient as smbserver
> 3. winXP ipa-client as ipa-client
>
> In IPA-Server:
> ipa-addservice cifs/sambaserver.example.com
>
> In SambaServer:
> kinit admin at EXAMPLE.COM
> ipa-getkeytab -s ipaserver.example.com -p cifs/sambaserver.example.com
> -k /etc/krb5.keytab
>
> The two key parameters of smb.conf related to kerberos are
> realm = EXAMPLE.COM
> use kerberos keytab = yes
>
> SAMBASERVER WORKS FINE AS AN IPA-CLIENT.

What happens when you log into ipaserver as ipauser and try smbclient?
What happens when you log into ipaclient as ipauser and try smbclient?

Kostya

> Please let me know if I have missed out any configuration.
>
> Thanks.
> mahendra
>
> On Fri, 2009-03-20 at 11:10 +0300, Konstantin Kozlov wrote:
>> Hi,
>>
>> it works for me.
>>
>> mahen wrote:
>>> Hi,
>>> Can I use IPA users as a backend for samba, i.e. can I access a samba share
>>> from a windows system (XP) using ipa user authentication?
>>
>> I am using it that way.
>>
>>> My settings are exactly the way it has been specified in the given
>>> document.
>>> http://www.dlt.com/sr/PDF/redhat/Securing_Samba_with_IPA-1.0.pdf
>>>
>>> I think the "passdb" parameter of smb.conf should point to the IPA user
>>> database but I don't know how to do that.
>>
>> Well, samba is looking in Kerberos that is looking in LDAP, so my
>> understanding is that 'passdb' is not used.
>>
>>> Currently it is pointing to smbpasswd as per the above document.
>>> With the current setup, I can access samba shares with the smbclient -L
>>> sambaserver.example.com command.
>>
>> Under ipa-user? What kerberos ticket do you have in that case? From what
>> machine?
>>
>>> But smbclient -k -L sambaserver.example.com gives me an error.
>>> "cli_session_setup_blob: receive failed (NT_STATUS_LOGON_FAILURE)
>>> session setup failed: NT_STATUS_LOGON_FAILURE"
>>
>> Well, I am not a very good specialist in samba but I think you must check
>> the following:
>>
>> 1. firewalls
>> 2. time sync
>> 3. kerberos tickets
>> 4. increase samba logging and look in samba logs
>> 5. do you have a correct principal in ipa?
>>
>> regards,
>>
>> Kostya
>>
>>> Please help.
>>>
>>> Thanks....
>>> Mahendra

From mahendra at latticenetworks.com Fri Mar 20 09:19:41 2009
From: mahendra at latticenetworks.com (mahen) Date: Fri, 20 Mar 2009 14:49:41 +0530 Subject: [Freeipa-users] Re: ipa-user backend for samba In-Reply-To: <49C35E07.4050108@spbcas.ru> References: <1237275149.4081.12.camel@mars.pragati-automation.co.in> <49BF58F4.6050506@spbcas.ru> <1237279838.4081.21.camel@mars.pragati-automation.co.in> <49BF67A7.3060802@spbcas.ru> <1237290469.4081.31.camel@mars.pragati-automation.co.in> <49BF9B77.3080108@spbcas.ru> <1237534196.2524.14.camel@mars.pragati-automation.co.in> <49C34F66.607@spbcas.ru> <1237538873.2704.15.camel@mars.pragati-automation.co.in> <49C35E07.4050108@spbcas.ru> Message-ID: <1237540781.2704.20.camel@mars.pragati-automation.co.in>
Hi,
In both the cases (ipa-user @ ipa-server and ipa-user @ ipa-client) smbclient -k works fine.
mahendra
On Fri, 2009-03-20 at 12:12 +0300, Konstantin Kozlov wrote: > Hi, > > mahen wrote: > > Hi, > > well these are the steps.... > > > > 1. ipaserver as server > > 2. sambaserver + ipaclient as smbserver > > 3. winXP ipa-client as ipa-client > > > > In IPA-Server: > > ipa-addservice cifs/sambaserver.example.com > > > > In SambaServer: > > kinit admin at EXAMPLE.COM > > ipa-getkeytab -s ipaserver.example.com -p cifs/sambaserver.example.com > > -k /etc/krb5.keytab > > > > The two key parameters of smb.conf related to kerberos are > > realm = EXAMPLE.COM > > use kerberos keytab = yes. > > > > SAMBASERVER WORKS FINE AS AN IPA-CLIENT. > > > What happens when you log into ipaserver as ipauser and try smbclient? > What happens when you log into ipaclient as ipauser and try smbclient? > Kostya > > > > > Please let me know if i have missed out any configuration. > > > > Thanks. > > mahendra > > > > On Fri, 2009-03-20 at 11:10 +0300, Konstantin Kozlov wrote: > >> Hi, > >> > >> it works for me. > >> > >> mahen wrote: > >>> Hi, > >>> Can I use IPA users as backend for samba i.e. can I access samba share > >>> from windows system (XP) using ipa user authentication. > >>> > >> I am using it that way. 
> >> > >>> My settings are exactly the way it has been specified in the given > >>> document. > >>> ?http://www.dlt.com/sr/PDF/redhat/Securing_Samba_with_IPA-1.0.pdf > >>> > >>> I think "passdb" parameter of smb.conf should point to IPA user database > >>> but don't know how to do that. > >>> > >> Well, samba is looking in Kerberos that is looking in LDAP, so my > >> understanding is that 'passdb' is not used. > >> > >>> currently it is pointing to smbpasswd as per the above document. > >>> With the current setup, I can access samba shares with smbclient -L > >>> sambaserver.example.com command. > >>> > >> Under ipa-user? What kerberos ticket do you have in that case? From what > >> machine? > >> > >>> But smbclient -k -L sambaserver.example.com gives me error. > >>> "cli_session_setup_blob: receive failed (NT_STATUS_LOGON_FAILURE) > >>> session setup failed: NT_STATUS_LOGON_FAILURE" > >>> > >> Well I am not very good specialist in samba but I think you must check > >> the following: > >> > >> 1. firewalls > >> 2. time sync > >> 3. kerberos tickets > >> 4. increase samba logging and look in samba logs > >> 5. do you have a coorect principal in ipa? > >> > >> regards, > >> > >> Kostya > >> > >>> please help. > >>> > >>> Thanks.... > >>> Mahendra > >>> > >>> > >> > > > > > > From kozlov at spbcas.ru Fri Mar 20 09:41:06 2009 
From: kozlov at spbcas.ru (Konstantin Kozlov) Date: Fri, 20 Mar 2009 12:41:06 +0300 Subject: [Freeipa-users] Re: ipa-user backend for samba In-Reply-To: <1237540781.2704.20.camel@mars.pragati-automation.co.in> References: <1237275149.4081.12.camel@mars.pragati-automation.co.in> <49BF58F4.6050506@spbcas.ru> <1237279838.4081.21.camel@mars.pragati-automation.co.in> <49BF67A7.3060802@spbcas.ru> <1237290469.4081.31.camel@mars.pragati-automation.co.in> <49BF9B77.3080108@spbcas.ru> <1237534196.2524.14.camel@mars.pragati-automation.co.in> <49C34F66.607@spbcas.ru> <1237538873.2704.15.camel@mars.pragati-automation.co.in> <49C35E07.4050108@spbcas.ru> <1237540781.2704.20.camel@mars.pragati-automation.co.in> Message-ID: <49C364B2.1030408@spbcas.ru> Hi, What's the problem then? Kostya mahen wrote: > Hi, > > ?In both the cases( ipa-user @ ipa-server and ipa-user @ ipa-client) > smbclient -k works fine. > > mahendra > > On Fri, 2009-03-20 at 12:12 +0300, Konstantin Kozlov wrote: >> Hi, >> >> mahen wrote: >>> Hi, >>> well these are the steps.... >>> >>> 1. ipaserver as server >>> 2. sambaserver + ipaclient as smbserver >>> 3. winXP ipa-client as ipa-client >>> >>> In IPA-Server: >>> ipa-addservice cifs/sambaserver.example.com >>> >>> In SambaServer: >>> kinit admin at EXAMPLE.COM >>> ipa-getkeytab -s ipaserver.example.com -p cifs/sambaserver.example.com >>> -k /etc/krb5.keytab >>> >>> The two key paramters of smb.conf related to kerberos are >>> realm = EXAMPLE.COM >>> use kerberos keytab = yes. >>> >>> SAMBASERVER WORKS FINE AS AN IPA-CLIENT. >>> >> What happens when you log into ipaserver as ipauser and try smbclient? >> What happens when you log into ipaclient as ipauser and try smbclient? > ? > > >> Kostya >> >>> Please let me know if i have missed out any configuration. >>> >>> Thanks. >>> mahendra >>> >>> On Fri, 2009-03-20 at 11:10 +0300, Konstantin Kozlov wrote: >>>> Hi, >>>> >>>> it works for me. 
>>>> >>>> mahen wrote: >>>>> Hi, >>>>> Can I use IPA users as backend for samba i.e. can I access samba share >>>>> from windows system (XP) using ipa user authentication. >>>>> >>>> I am using it that way. >>>> >>>>> My settings are exactly the way it has been specified in the given >>>>> document. >>>>> ?http://www.dlt.com/sr/PDF/redhat/Securing_Samba_with_IPA-1.0.pdf >>>>> >>>>> I think "passdb" parameter of smb.conf should point to IPA user database >>>>> but don't know how to do that. >>>>> >>>> Well, samba is looking in Kerberos that is looking in LDAP, so my >>>> understanding is that 'passdb' is not used. >>>> >>>>> currently it is pointing to smbpasswd as per the above document. >>>>> With the current setup, I can access samba shares with smbclient -L >>>>> sambaserver.example.com command. >>>>> >>>> Under ipa-user? What kerberos ticket do you have in that case? From what >>>> machine? >>>> >>>>> But smbclient -k -L sambaserver.example.com gives me error. >>>>> "cli_session_setup_blob: receive failed (NT_STATUS_LOGON_FAILURE) >>>>> session setup failed: NT_STATUS_LOGON_FAILURE" >>>>> >>>> Well I am not very good specialist in samba but I think you must check >>>> the following: >>>> >>>> 1. firewalls >>>> 2. time sync >>>> 3. kerberos tickets >>>> 4. increase samba logging and look in samba logs >>>> 5. do you have a coorect principal in ipa? >>>> >>>> regards, >>>> >>>> Kostya >>>> >>>>> please help. >>>>> >>>>> Thanks.... >>>>> Mahendra >>>>> >>>>> >>> >> > > -- Konstantin Kozlov Department of Computational Biology, Center for Advanced Studies, SPb State Polytechnical University, 195251, Polytechnicheskaya ul., 29, bld 4, office 204, St.Petersburg, Russia. Tel./fax: +7 812 596 2831 From mahendra at latticenetworks.com Fri Mar 20 09:52:19 2009 
From: mahendra at latticenetworks.com (mahen) Date: Fri, 20 Mar 2009 15:22:19 +0530 Subject: [Freeipa-users] Re: ipa-user backend for samba In-Reply-To: <49C364B2.1030408@spbcas.ru> References: <1237275149.4081.12.camel@mars.pragati-automation.co.in> <49BF58F4.6050506@spbcas.ru> <1237279838.4081.21.camel@mars.pragati-automation.co.in> <49BF67A7.3060802@spbcas.ru> <1237290469.4081.31.camel@mars.pragati-automation.co.in> <49BF9B77.3080108@spbcas.ru> <1237534196.2524.14.camel@mars.pragati-automation.co.in> <49C34F66.607@spbcas.ru> <1237538873.2704.15.camel@mars.pragati-automation.co.in> <49C35E07.4050108@spbcas.ru> <1237540781.2704.20.camel@mars.pragati-automation.co.in> <49C364B2.1030408@spbcas.ru> Message-ID: <1237542739.2704.27.camel@mars.pragati-automation.co.in>
:)
I want to access samba share from windows xp (ipa-client) using ipa-user authentication.
> On Fri, 2009-03-20 at 12:41 +0300, Konstantin Kozlov wrote: > Hi, > > What's the problem then? > > Kostya > > mahen wrote: > > Hi, > > > > In both the cases (ipa-user @ ipa-server and ipa-user @ ipa-client) > > smbclient -k works fine.
This ipa-client is a FC9 machine where smbclient -k works when i log in as an ipa-user.
> > > > mahendra > > > > On Fri, 2009-03-20 at 12:12 +0300, Konstantin Kozlov wrote: > >> Hi, > >> > >> mahen wrote: > >>> Hi, > >>> well these are the steps.... > >>> > >>> 1. ipaserver as server > >>> 2. sambaserver + ipaclient as smbserver > >>> 3. winXP ipa-client as ipa-client > >>> > >>> In IPA-Server: > >>> ipa-addservice cifs/sambaserver.example.com > >>> > >>> In SambaServer: > >>> kinit admin at EXAMPLE.COM > >>> ipa-getkeytab -s ipaserver.example.com -p cifs/sambaserver.example.com > >>> -k /etc/krb5.keytab > >>> > >>> The two key parameters of smb.conf related to kerberos are > >>> realm = EXAMPLE.COM > >>> use kerberos keytab = yes. > >>> > >>> SAMBASERVER WORKS FINE AS AN IPA-CLIENT. > >>> > >> What happens when you log into ipaserver as ipauser and try smbclient? 
> >> What happens when you log into ipaclient as ipauser and try smbclient? > > ? > > > > > >> Kostya > >> > >>> Please let me know if i have missed out any configuration. > >>> > >>> Thanks. > >>> mahendra > >>> > >>> On Fri, 2009-03-20 at 11:10 +0300, Konstantin Kozlov wrote: > >>>> Hi, > >>>> > >>>> it works for me. > >>>> > >>>> mahen wrote: > >>>>> Hi, > >>>>> Can I use IPA users as backend for samba i.e. can I access samba share > >>>>> from windows system (XP) using ipa user authentication. > >>>>> > >>>> I am using it that way. > >>>> > >>>>> My settings are exactly the way it has been specified in the given > >>>>> document. > >>>>> ?http://www.dlt.com/sr/PDF/redhat/Securing_Samba_with_IPA-1.0.pdf > >>>>> > >>>>> I think "passdb" parameter of smb.conf should point to IPA user database > >>>>> but don't know how to do that. > >>>>> > >>>> Well, samba is looking in Kerberos that is looking in LDAP, so my > >>>> understanding is that 'passdb' is not used. > >>>> > >>>>> currently it is pointing to smbpasswd as per the above document. > >>>>> With the current setup, I can access samba shares with smbclient -L > >>>>> sambaserver.example.com command. > >>>>> > >>>> Under ipa-user? What kerberos ticket do you have in that case? From what > >>>> machine? > >>>> > >>>>> But smbclient -k -L sambaserver.example.com gives me error. > >>>>> "cli_session_setup_blob: receive failed (NT_STATUS_LOGON_FAILURE) > >>>>> session setup failed: NT_STATUS_LOGON_FAILURE" > >>>>> > >>>> Well I am not very good specialist in samba but I think you must check > >>>> the following: > >>>> > >>>> 1. firewalls > >>>> 2. time sync > >>>> 3. kerberos tickets > >>>> 4. increase samba logging and look in samba logs > >>>> 5. do you have a coorect principal in ipa? > >>>> > >>>> regards, > >>>> > >>>> Kostya > >>>> > >>>>> please help. > >>>>> > >>>>> Thanks.... > >>>>> Mahendra > >>>>> > >>>>> > >>> > >> > > > > > > From kozlov at spbcas.ru Fri Mar 20 11:19:02 2009 
From: kozlov at spbcas.ru (Konstantin Kozlov) Date: Fri, 20 Mar 2009 14:19:02 +0300 Subject: [Freeipa-users] Re: ipa-user backend for samba In-Reply-To: <1237542739.2704.27.camel@mars.pragati-automation.co.in> References: <1237275149.4081.12.camel@mars.pragati-automation.co.in> <49BF58F4.6050506@spbcas.ru> <1237279838.4081.21.camel@mars.pragati-automation.co.in> <49BF67A7.3060802@spbcas.ru> <1237290469.4081.31.camel@mars.pragati-automation.co.in> <49BF9B77.3080108@spbcas.ru> <1237534196.2524.14.camel@mars.pragati-automation.co.in> <49C34F66.607@spbcas.ru> <1237538873.2704.15.camel@mars.pragati-automation.co.in> <49C35E07.4050108@spbcas.ru> <1237540781.2704.20.camel@mars.pragati-automation.co.in> <49C364B2.1030408@spbcas.ru> <1237542739.2704.27.camel@mars.pragati-automation.co.in> Message-ID: <49C37BA6.9040106@spbcas.ru> Hi, I've got the point but the error you've posted was from smbclient not winxp. What happens when you try from winxp with ipauser? Samba log and kerberos log and other if you think it's relevant. Kostya mahen wrote: > :) > > I want to ?access samba share from windows xp (ipa-client) using > ipa-user authentication. > > > On Fri, 2009-03-20 at 12:41 +0300, Konstantin Kozlov wrote: >> Hi, >> >> What's the problem then? >> >> Kostya >> >> mahen wrote: >>> Hi, >>> >>> ?In both the cases( ipa-user @ ipa-server and ipa-user @ ipa-client) >>> smbclient -k works fine. > This ipa-client is a FC9 machine where smbclient -k works when i log in > as an ipa-user. >>> mahendra >>> >>> On Fri, 2009-03-20 at 12:12 +0300, Konstantin Kozlov wrote: >>>> Hi, >>>> >>>> mahen wrote: >>>>> Hi, >>>>> well these are the steps.... >>>>> >>>>> 1. ipaserver as server >>>>> 2. sambaserver + ipaclient as smbserver >>>>> 3. 
winXP ipa-client as ipa-client >>>>> >>>>> In IPA-Server: >>>>> ipa-addservice cifs/sambaserver.example.com >>>>> >>>>> In SambaServer: >>>>> kinit admin at EXAMPLE.COM >>>>> ipa-getkeytab -s ipaserver.example.com -p cifs/sambaserver.example.com >>>>> -k /etc/krb5.keytab >>>>> >>>>> The two key paramters of smb.conf related to kerberos are >>>>> realm = EXAMPLE.COM >>>>> use kerberos keytab = yes. >>>>> >>>>> SAMBASERVER WORKS FINE AS AN IPA-CLIENT. >>>>> >>>> What happens when you log into ipaserver as ipauser and try smbclient? >>>> What happens when you log into ipaclient as ipauser and try smbclient? >>> ? >>> >>> >>>> Kostya >>>> >>>>> Please let me know if i have missed out any configuration. >>>>> >>>>> Thanks. >>>>> mahendra >>>>> >>>>> On Fri, 2009-03-20 at 11:10 +0300, Konstantin Kozlov wrote: >>>>>> Hi, >>>>>> >>>>>> it works for me. >>>>>> >>>>>> mahen wrote: >>>>>>> Hi, >>>>>>> Can I use IPA users as backend for samba i.e. can I access samba share >>>>>>> from windows system (XP) using ipa user authentication. >>>>>>> >>>>>> I am using it that way. >>>>>> >>>>>>> My settings are exactly the way it has been specified in the given >>>>>>> document. >>>>>>> ?http://www.dlt.com/sr/PDF/redhat/Securing_Samba_with_IPA-1.0.pdf >>>>>>> >>>>>>> I think "passdb" parameter of smb.conf should point to IPA user database >>>>>>> but don't know how to do that. >>>>>>> >>>>>> Well, samba is looking in Kerberos that is looking in LDAP, so my >>>>>> understanding is that 'passdb' is not used. >>>>>> >>>>>>> currently it is pointing to smbpasswd as per the above document. >>>>>>> With the current setup, I can access samba shares with smbclient -L >>>>>>> sambaserver.example.com command. >>>>>>> >>>>>> Under ipa-user? What kerberos ticket do you have in that case? From what >>>>>> machine? >>>>>> >>>>>>> But smbclient -k -L sambaserver.example.com gives me error. 
>>>>>>> "cli_session_setup_blob: receive failed (NT_STATUS_LOGON_FAILURE) >>>>>>> session setup failed: NT_STATUS_LOGON_FAILURE" >>>>>>> >>>>>> Well I am not very good specialist in samba but I think you must check >>>>>> the following: >>>>>> >>>>>> 1. firewalls >>>>>> 2. time sync >>>>>> 3. kerberos tickets >>>>>> 4. increase samba logging and look in samba logs >>>>>> 5. do you have a coorect principal in ipa? >>>>>> >>>>>> regards, >>>>>> >>>>>> Kostya >>>>>> >>>>>>> please help. >>>>>>> >>>>>>> Thanks.... >>>>>>> Mahendra >>>>>>> >>>>>>> >>> >> > > -- Konstantin Kozlov Department of Computational Biology, Center for Advanced Studies, SPb State Polytechnical University, 195251, Polytechnicheskaya ul., 29, bld 4, office 204, St.Petersburg, Russia. Tel./fax: +7 812 596 2831 From shunt at recordsreduction.com Mon Mar 23 14:59:37 2009 
From: shunt at recordsreduction.com (Shane Hunt) Date: Mon, 23 Mar 2009 07:59:37 -0700 Subject: [Freeipa-users] Document Imaging/Scanning to eliminate paper problems Message-ID: <200903231516.n2NF8aD6023264@mx1.redhat.com> Records Reduction, Inc. has been providing document imaging/scanning services throughout the Southeast US since 1998. We provide following services: * File pickup * Prepping files - removing staples, unfolding paper, moving sticky notes, etc. * Scan files (saved to PDF or Tif) * Index documents for easy retrieval * OCRing available for full text searching * Images returned on disc or uploaded to web for retrieval * Shredding files And we provide these services for much less than the large, national companies! Benefits of Document Imaging/Scanning * Recover Valuable Office Space * Find any file within seconds * Eliminate Lost Files * Save money on costly file cabinets, paper, copying, filing time * Increase worker productivity Benefits of Outsourcing * You do not have to purchase and maintain expensive imaging equipment * You do not have to spend time prepping and scanning documents * Provide a backup CD for offsite storage * Proven quality process already in place * Experts in digital storage and retrieval * We'll do EVERYTHING for you - box the files, scan them, index them, etc. We make your life easier! * We have many real world examples proving we can scan cheaper than you can in house. It's basic Business 101. We buy the best software and scanners on the market. This gives us extreme efficiencies and speed - which means less money to you! * We require no commitment. If you don't like our services, quit using us. You lose nothing for trying! Please respond with your Name, Company Name & Address and we will send you a FREE Sample Imaging CD and Document Imaging Report. There are no strings attached to this offer. It's simply the most effective way to show you how you can save time, space & money using our document management services. 
Call or email to get more information, or to schedule an appointment. We will scan in a sample at no charge. Shane Hunt 704-724-3313 shunt at recordsreduction.com PO Box 3322, Matthews, NC 28106
From mahendra at latticenetworks.com Tue Mar 24 08:10:12 2009 
From: mahendra at latticenetworks.com (mahen) Date: Tue, 24 Mar 2009 13:40:12 +0530 Subject: [Freeipa-users] Re: ipa-user backend for samba In-Reply-To: <49C37BA6.9040106@spbcas.ru> References: <1237275149.4081.12.camel@mars.pragati-automation.co.in> <49BF58F4.6050506@spbcas.ru> <1237279838.4081.21.camel@mars.pragati-automation.co.in> <49BF67A7.3060802@spbcas.ru> <1237290469.4081.31.camel@mars.pragati-automation.co.in> <49BF9B77.3080108@spbcas.ru> <1237534196.2524.14.camel@mars.pragati-automation.co.in> <49C34F66.607@spbcas.ru> <1237538873.2704.15.camel@mars.pragati-automation.co.in> <49C35E07.4050108@spbcas.ru> <1237540781.2704.20.camel@mars.pragati-automation.co.in> <49C364B2.1030408@spbcas.ru> <1237542739.2704.27.camel@mars.pragati-automation.co.in> <49C37BA6.9040106@spbcas.ru> Message-ID: <1237882212.7334.24.camel@mars.pragati-automation.co.in>
Hi,
It worked. Instead of IP address we need to use FQDN name of SambaServer from windows client. If you use ip address, DOMAIN field becomes empty (samba log observation).
Can I protect individual user profile (should be accessible to the respective user only) of ipa users in windows machine.
1. when i do mapuser in windows xp, all ipa-users get mapped to the single windows user. In that case, all ipa-user profile (desktop) becomes one.
2. If I map individual users (one to one), i have to create local users for each ipa-user.
I don't want to create local users for each ipa-users and still I want to protect ipa-user profiles privacy. (Somewhat similar to basic ADS)
Can you throw some light on this also?
Thanks..
Mahendra
On Fri, 2009-03-20 at 14:19 +0300, Konstantin Kozlov wrote: > Hi, > > I've got the point but the error you've posted was from smbclient not winxp. > > What happens when you try from winxp with ipauser? > Samba log and kerberos log and other if you think it's relevant. > > Kostya > > mahen wrote: > > :) > > > > I want to access samba share from windows xp (ipa-client) using > > ipa-user authentication. 
> > > > > > On Fri, 2009-03-20 at 12:41 +0300, Konstantin Kozlov wrote: > >> Hi, > >> > >> What's the problem then? > >> > >> Kostya > >> > >> mahen wrote: > >>> Hi, > >>> > >>> ?In both the cases( ipa-user @ ipa-server and ipa-user @ ipa-client) > >>> smbclient -k works fine. > > This ipa-client is a FC9 machine where smbclient -k works when i log in > > as an ipa-user. > >>> mahendra > >>> > >>> On Fri, 2009-03-20 at 12:12 +0300, Konstantin Kozlov wrote: > >>>> Hi, > >>>> > >>>> mahen wrote: > >>>>> Hi, > >>>>> well these are the steps.... > >>>>> > >>>>> 1. ipaserver as server > >>>>> 2. sambaserver + ipaclient as smbserver > >>>>> 3. winXP ipa-client as ipa-client > >>>>> > >>>>> In IPA-Server: > >>>>> ipa-addservice cifs/sambaserver.example.com > >>>>> > >>>>> In SambaServer: > >>>>> kinit admin at EXAMPLE.COM > >>>>> ipa-getkeytab -s ipaserver.example.com -p cifs/sambaserver.example.com > >>>>> -k /etc/krb5.keytab > >>>>> > >>>>> The two key paramters of smb.conf related to kerberos are > >>>>> realm = EXAMPLE.COM > >>>>> use kerberos keytab = yes. > >>>>> > >>>>> SAMBASERVER WORKS FINE AS AN IPA-CLIENT. > >>>>> > >>>> What happens when you log into ipaserver as ipauser and try smbclient? > >>>> What happens when you log into ipaclient as ipauser and try smbclient? > >>> ? > >>> > >>> > >>>> Kostya > >>>> > >>>>> Please let me know if i have missed out any configuration. > >>>>> > >>>>> Thanks. > >>>>> mahendra > >>>>> > >>>>> On Fri, 2009-03-20 at 11:10 +0300, Konstantin Kozlov wrote: > >>>>>> Hi, > >>>>>> > >>>>>> it works for me. > >>>>>> > >>>>>> mahen wrote: > >>>>>>> Hi, > >>>>>>> Can I use IPA users as backend for samba i.e. can I access samba share > >>>>>>> from windows system (XP) using ipa user authentication. > >>>>>>> > >>>>>> I am using it that way. > >>>>>> > >>>>>>> My settings are exactly the way it has been specified in the given > >>>>>>> document. 
> >>>>>>> ?http://www.dlt.com/sr/PDF/redhat/Securing_Samba_with_IPA-1.0.pdf > >>>>>>> > >>>>>>> I think "passdb" parameter of smb.conf should point to IPA user database > >>>>>>> but don't know how to do that. > >>>>>>> > >>>>>> Well, samba is looking in Kerberos that is looking in LDAP, so my > >>>>>> understanding is that 'passdb' is not used. > >>>>>> > >>>>>>> currently it is pointing to smbpasswd as per the above document. > >>>>>>> With the current setup, I can access samba shares with smbclient -L > >>>>>>> sambaserver.example.com command. > >>>>>>> > >>>>>> Under ipa-user? What kerberos ticket do you have in that case? From what > >>>>>> machine? > >>>>>> > >>>>>>> But smbclient -k -L sambaserver.example.com gives me error. > >>>>>>> "cli_session_setup_blob: receive failed (NT_STATUS_LOGON_FAILURE) > >>>>>>> session setup failed: NT_STATUS_LOGON_FAILURE" > >>>>>>> > >>>>>> Well I am not very good specialist in samba but I think you must check > >>>>>> the following: > >>>>>> > >>>>>> 1. firewalls > >>>>>> 2. time sync > >>>>>> 3. kerberos tickets > >>>>>> 4. increase samba logging and look in samba logs > >>>>>> 5. do you have a coorect principal in ipa? > >>>>>> > >>>>>> regards, > >>>>>> > >>>>>> Kostya > >>>>>> > >>>>>>> please help. > >>>>>>> > >>>>>>> Thanks.... > >>>>>>> Mahendra > >>>>>>> > >>>>>>> > >>> > >> > > > > > > From kozlov at spbcas.ru Tue Mar 24 08:26:53 2009 
From: kozlov at spbcas.ru (Konstantin Kozlov) Date: Tue, 24 Mar 2009 11:26:53 +0300 Subject: [Freeipa-users] Re: ipa-user backend for samba In-Reply-To: <1237882212.7334.24.camel@mars.pragati-automation.co.in> References: <1237275149.4081.12.camel@mars.pragati-automation.co.in> <49BF58F4.6050506@spbcas.ru> <1237279838.4081.21.camel@mars.pragati-automation.co.in> <49BF67A7.3060802@spbcas.ru> <1237290469.4081.31.camel@mars.pragati-automation.co.in> <49BF9B77.3080108@spbcas.ru> <1237534196.2524.14.camel@mars.pragati-automation.co.in> <49C34F66.607@spbcas.ru> <1237538873.2704.15.camel@mars.pragati-automation.co.in> <49C35E07.4050108@spbcas.ru> <1237540781.2704.20.camel@mars.pragati-automation.co.in> <49C364B2.1030408@spbcas.ru> <1237542739.2704.27.camel@mars.pragati-automation.co.in> <49C37BA6.9040106@spbcas.ru> <1237882212.7334.24.camel@mars.pragati-automation.co.in> Message-ID: <49C8994D.4000908@spbcas.ru> Hi, mahen wrote: > Hi, > It worked. Instead of IP address we need to use FQDN name of SambaServer > from windows client. If you use ip address, DOMAIN field becomes empty > (samba log observation). > It is natural to use the first part only in windows like "samba" from "samba.example.com". For this you need principal cifs/samba at EXAMPLE.COM. > Can I protect individual user profile ?(should be accessable to the > respective user only) of ipa users in windows machine. > > 1. when i do mapuser in windows xp, all ipa-users get mapped to the > single windows user.In that case, all ipa-user profile (desktop) becomes > one. > > 2. If I map individual users (one to one), i have to create local users > for each ipa-user. > > I dont want to create local users for each ipa-users and still I want to > protect ipa-user profiles privacy. (Somewhat similar to basic ADS) > As I wrote: /* The next part, i.e. 
making network users is said to be impossible though it may be possible by the following trick: http://support.microsoft.com/kb/320043 The local test user is created but the path for home directory depends on environment variable %username% that might be substituted with ipa username after login and hence different users mapped to a single one get different homes. I didn't test that. */ Best regards, Kostya > Can you through some light on this also? > > Thank.. > Mahendra > > > > On Fri, 2009-03-20 at 14:19 +0300, Konstantin Kozlov wrote: >> Hi, >> >> I've got the point but the error you've posted was from smbclient not winxp. >> >> What happens when you try from winxp with ipauser? >> Samba log and kerberos log and other if you think it's relevant. >> >> Kostya >> >> mahen wrote: >>> :) >>> >>> I want to ?access samba share from windows xp (ipa-client) using >>> ipa-user authentication. >>> >>> >>> On Fri, 2009-03-20 at 12:41 +0300, Konstantin Kozlov wrote: >>>> Hi, >>>> >>>> What's the problem then? >>>> >>>> Kostya >>>> >>>> mahen wrote: >>>>> Hi, >>>>> >>>>> ?In both the cases( ipa-user @ ipa-server and ipa-user @ ipa-client) >>>>> smbclient -k works fine. >>> This ipa-client is a FC9 machine where smbclient -k works when i log in >>> as an ipa-user. >>>>> mahendra >>>>> >>>>> On Fri, 2009-03-20 at 12:12 +0300, Konstantin Kozlov wrote: >>>>>> Hi, >>>>>> >>>>>> mahen wrote: >>>>>>> Hi, >>>>>>> well these are the steps.... >>>>>>> >>>>>>> 1. ipaserver as server >>>>>>> 2. sambaserver + ipaclient as smbserver >>>>>>> 3. winXP ipa-client as ipa-client >>>>>>> >>>>>>> In IPA-Server: >>>>>>> ipa-addservice cifs/sambaserver.example.com >>>>>>> >>>>>>> In SambaServer: >>>>>>> kinit admin at EXAMPLE.COM >>>>>>> ipa-getkeytab -s ipaserver.example.com -p cifs/sambaserver.example.com >>>>>>> -k /etc/krb5.keytab >>>>>>> >>>>>>> The two key paramters of smb.conf related to kerberos are >>>>>>> realm = EXAMPLE.COM >>>>>>> use kerberos keytab = yes. 
>>>>>>> >>>>>>> SAMBASERVER WORKS FINE AS AN IPA-CLIENT. >>>>>>> >>>>>> What happens when you log into ipaserver as ipauser and try smbclient? >>>>>> What happens when you log into ipaclient as ipauser and try smbclient? >>>>> ? >>>>> >>>>> >>>>>> Kostya >>>>>> >>>>>>> Please let me know if i have missed out any configuration. >>>>>>> >>>>>>> Thanks. >>>>>>> mahendra >>>>>>> >>>>>>> On Fri, 2009-03-20 at 11:10 +0300, Konstantin Kozlov wrote: >>>>>>>> Hi, >>>>>>>> >>>>>>>> it works for me. >>>>>>>> >>>>>>>> mahen wrote: >>>>>>>>> Hi, >>>>>>>>> Can I use IPA users as backend for samba i.e. can I access samba share >>>>>>>>> from windows system (XP) using ipa user authentication. >>>>>>>>> >>>>>>>> I am using it that way. >>>>>>>> >>>>>>>>> My settings are exactly the way it has been specified in the given >>>>>>>>> document. >>>>>>>>> ?http://www.dlt.com/sr/PDF/redhat/Securing_Samba_with_IPA-1.0.pdf >>>>>>>>> >>>>>>>>> I think "passdb" parameter of smb.conf should point to IPA user database >>>>>>>>> but don't know how to do that. >>>>>>>>> >>>>>>>> Well, samba is looking in Kerberos that is looking in LDAP, so my >>>>>>>> understanding is that 'passdb' is not used. >>>>>>>> >>>>>>>>> currently it is pointing to smbpasswd as per the above document. >>>>>>>>> With the current setup, I can access samba shares with smbclient -L >>>>>>>>> sambaserver.example.com command. >>>>>>>>> >>>>>>>> Under ipa-user? What kerberos ticket do you have in that case? From what >>>>>>>> machine? >>>>>>>> >>>>>>>>> But smbclient -k -L sambaserver.example.com gives me error. >>>>>>>>> "cli_session_setup_blob: receive failed (NT_STATUS_LOGON_FAILURE) >>>>>>>>> session setup failed: NT_STATUS_LOGON_FAILURE" >>>>>>>>> >>>>>>>> Well I am not very good specialist in samba but I think you must check >>>>>>>> the following: >>>>>>>> >>>>>>>> 1. firewalls >>>>>>>> 2. time sync >>>>>>>> 3. kerberos tickets >>>>>>>> 4. increase samba logging and look in samba logs >>>>>>>> 5. 
do you have a correct principal in ipa? >>>>>>>> >>>>>>>> regards, >>>>>>>> >>>>>>>> Kostya >>>>>>>> >>>>>>>>> please help. >>>>>>>>> >>>>>>>>> Thanks.... >>>>>>>>> Mahendra >>>>>>>>> >>>>>>>>> >>> >> > >
From rcritten at redhat.com Tue Mar 24 18:26:17 2009 
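The checklist item the thread keeps returning to is the last one: is there a correct principal for the name the client actually uses? Mahendra's fix (connect by FQDN, not IP) and Kostya's note that a Windows short name needs cifs/samba at EXAMPLE.COM are both instances of the same rule: the SPN the client derives from the target name must be backed by a key in the server's keytab. The script below is an added example written for this archive; it is not code from the thread, from FreeIPA or from Samba. It parses an MIT-format keytab (the format `ipa-getkeytab -k /etc/krb5.keytab` writes) and compares the principals it finds with the SPN expected for a given target name. The keytab bytes, key material and timestamps are constructed dummies, and `build_keytab` exists only to produce that sample; the assumption that the client requests `cifs/<name as typed, lower-cased>` with no DNS canonicalisation is the editor's.

```python
"""Added example (not from the freeipa-users thread, not IPA or Samba code):
does the Samba host's keytab hold the cifs/ principal a client will ask for?

The keytab layout is the MIT krb5 file format (version 0x0502), the same
format ipa-getkeytab -k /etc/krb5.keytab writes.  All key material and
timestamps below are constructed dummies."""
import ipaddress
import struct


def _counted(data):
    """uint16 length prefix + bytes: the keytab's 'counted octet string'."""
    return struct.pack(">H", len(data)) + data


def build_keytab(entries):
    """Make a keytab blob from (principal, kvno, enctype, key) tuples.
    Only here to give the example sample input; real keytabs come from the KDC."""
    out = b"\x05\x02"
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for comp in comps:
            body += _counted(comp.encode())
        # name type 1 (KRB5_NT_PRINCIPAL), dummy timestamp 0, 8-bit vno
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)
        body += struct.pack(">H", enctype) + _counted(key)
        body += struct.pack(">I", kvno)  # 32-bit vno extension
        out += struct.pack(">i", len(body)) + body
    return out


def _read_counted(blob, pos):
    (n,) = struct.unpack(">H", blob[pos:pos + 2])
    pos += 2
    return blob[pos:pos + n].decode(), pos + n


def parse_keytab(blob):
    """Return [{'principal', 'kvno', 'enctype'}]; key bytes are skipped, never returned."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    pos, entries = 2, []
    while pos + 4 <= len(blob):
        (size,) = struct.unpack(">i", blob[pos:pos + 4])
        pos += 4
        if size < 0:                 # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack(">H", blob[pos:pos + 2])
        pos += 2
        realm, pos = _read_counted(blob, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_counted(blob, pos)
            comps.append(comp)
        _name_type, _timestamp, vno8 = struct.unpack(">IIB", blob[pos:pos + 9])
        pos += 9
        enctype, klen = struct.unpack(">HH", blob[pos:pos + 4])
        pos += 4 + klen              # skip the key itself
        kvno = vno8
        if end - pos >= 4:           # optional 32-bit vno overrides the 8-bit one when set
            (vno32,) = struct.unpack(">I", blob[pos:pos + 4])
            kvno = vno32 or vno8
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "kvno": kvno, "enctype": enctype})
    return entries


def expected_spn(target, realm):
    """SPN a Kerberos SMB client requests for `target` (assumption: the name
    as typed, lower-cased, no DNS canonicalisation).  An IP literal yields
    no usable SPN, which is the failure the thread ran into."""
    try:
        ipaddress.ip_address(target)
    except ValueError:
        return "cifs/%s@%s" % (target.lower(), realm)
    return None


def check_keytab_for_target(blob, target, realm):
    """(ok, reason): is the SPN for `target` backed by a key in the keytab?"""
    spn = expected_spn(target, realm)
    if spn is None:
        return False, "client used an IP literal, no cifs/ SPN can be derived; connect by FQDN"
    principals = sorted({e["principal"] for e in parse_keytab(blob)})
    if spn in principals:
        return True, "%s present in keytab" % spn
    return False, "%s missing; keytab holds %s" % (spn, principals)


# Constructed sample keytab: the cifs/ key ipa-getkeytab was asked for in the
# thread, plus the host/ key an enrolled IPA client already has.  Dummy keys.
SAMPLE_KEYTAB = build_keytab([
    ("host/sambaserver.example.com@EXAMPLE.COM", 2, 18, b"\x00" * 32),
    ("cifs/sambaserver.example.com@EXAMPLE.COM", 2, 18, b"\x11" * 32),
])

if __name__ == "__main__":
    for target in ("sambaserver.example.com", "192.0.2.10", "samba"):
        print(target, check_keytab_for_target(SAMPLE_KEYTAB, target, "EXAMPLE.COM"))
```

Run against the sample, the FQDN passes, the IP literal is rejected before any lookup, and the short name `samba` is reported missing, which is exactly the extra `cifs/samba@EXAMPLE.COM` principal Kostya says a Windows client needs. On a real host, read `/etc/krb5.keytab` into `blob` (as root) instead of `SAMPLE_KEYTAB`; `klist -kt` shows the same principal list, but the parser makes the comparison with the client-side name mechanical.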
From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 24 Mar 2009 14:26:17 -0400 Subject: [Freeipa-users] Re: freeipa server + how to joining opensuse clients In-Reply-To: <21731.66198.qm@web36804.mail.mud.yahoo.com> References: <21731.66198.qm@web36804.mail.mud.yahoo.com> Message-ID: <49C925C9.90402@redhat.com>
Daniel Qarras wrote:
> Hi!
>
>>> Few quick questions about the actual content:
>>>
>>> - I've been setting up KerberosV5 lately and
>>> practically all guides have set these to false:
>>>
>>> dns_lookup_realm = true
>>> dns_lookup_kdc = true
>>>
>>> Aren't those unneeded when the servers have been
>>> already defined in krb5.conf?
>> Yes, as I understand it if you go to a realm/domain
>> specified in the file these will not be used. Doesn't
>> hurt to have them defined I suppose, I'm not sure what
>> the defaults are. Do you think having these will cause
>> confusion?
>
> Ok, thanks for the clarification, I got the same impression from the man page. I think it's ok to leave them there, I'd suppose most people just copy and paste and those few interested in details (like me) will read the man page if in doubt :-)
>
> From the nit-picking department: one thing that perhaps could be spelled out is that in the "Installing IPA Client" section there is:
>
> add the server's IP address to the client's /etc/resolv.conf file.
>
> Could be:
>
> add the server's IP address to the client's /etc/resolv.conf file, e.g.: nameserver 192.168.122.1 .

Ok, I updated the documentation with your suggestion, thanks.

>
>>> - TLS section lists
>>>
>>> TLS_REQCERT allow
>>>
>>> Doesn't this mean that if TLS procedures fail a
>>> non-TLS connection will be used instead? Perhaps it could be
>>> mentioned that using "demand" would force TLS
>>> usage (and in lack of it the termination)?
>> Not really. As I understand it if TLS is not available then
>> it will fall back to non-TLS. If the TLS is available but
>> fails because of a bad cert, no trust of the CA, etc. 
then >> the connection will fail. > > Hmm, after inspecting this a bit more I'm confused. The TLS client configuration section should IMHO mention that this is for PAM (and not for OpenLDAP tools and libraries which use /etc/openldap/ldap.conf). But the guide says: > > 1. Modify the following in the /etc/ldap.conf file: > > URI ldap://ipaserver.example.com > BASE dc=example,dc=com > HOST ipaserver.example.com > TLS_CACERTDIR /etc/cacerts/ > TLS_REQCERT allow > > but these upper case options are described in ldap.conf(5) which is for OpenLDAP configuration file /etc/openldap/ldap.conf! /etc/ldap.conf configuration file syntax is described in nss_ldap(5) which uses lower case syntax and does not mention tls_reqcert (or TLS_REQCERT) at all but tls_checkpeer. Also, the above example does not say anything about actually using TLS, one would need "ssl start_tls" to use it, now to me it seems that the connections would be unencrypted (if the server accepts such connections - that is something I haven't checked). > > One minor additional detail is that HOST/URI provide duplicate information and URI/uri probably should be preferred and HOST/host could be dropped. Yes, there is a bit of a disconnect here. Simo, this is you area of expertise, do you have any comments? rob From ssorce at redhat.com Wed Mar 25 01:17:54 2009 
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 24 Mar 2009 21:17:54 -0400
Subject: [Freeipa-users] Re: freeipa server + how to joining opensuse clients
In-Reply-To: <49C925C9.90402@redhat.com>
References: <21731.66198.qm@web36804.mail.mud.yahoo.com> <49C925C9.90402@redhat.com>
Message-ID: <1237943874.29561.2.camel@localhost.localdomain>

On Tue, 2009-03-24 at 14:26 -0400, Rob Crittenden wrote:
> > Hmm, after inspecting this a bit more I'm confused. The TLS client
> > configuration section should IMHO mention that this is for PAM (and
> > not for OpenLDAP tools and libraries which
> > use /etc/openldap/ldap.conf). But the guide says:
> >
> > 1. Modify the following in the /etc/ldap.conf file:
> >
> > URI ldap://ipaserver.example.com
> > BASE dc=example,dc=com
> > HOST ipaserver.example.com
> > TLS_CACERTDIR /etc/cacerts/
> > TLS_REQCERT allow
> >
> > but these upper case options are described in ldap.conf(5) which is
> > for OpenLDAP configuration
> > file /etc/openldap/ldap.conf! /etc/ldap.conf configuration file syntax
> > is described in nss_ldap(5) which uses lower case syntax and does not
> > mention tls_reqcert (or TLS_REQCERT) at all but tls_checkpeer. Also,
> > the above example does not say anything about actually using TLS, one
> > would need "ssl start_tls" to use it, now to me it seems that the
> > connections would be unencrypted (if the server accepts such
> > connections - that is something I haven't checked).
> >
> > One minor additional detail is that HOST/URI provide duplicate
> > information and URI/uri probably should be preferred and HOST/host
> > could be dropped.
>
> Yes, there is a bit of a disconnect here. Simo, this is your area of
> expertise, do you have any comments?

I am not sure FDS at the moment supports start_tls, I think you have to
use the ssl port.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From nalin at redhat.com Wed Mar 25 15:30:48 2009
From: nalin at redhat.com (Nalin Dahyabhai)
Date: Wed, 25 Mar 2009 11:30:48 -0400
Subject: [Freeipa-users] Re: freeipa server + how to joining opensuse clients
In-Reply-To: <1237943874.29561.2.camel@localhost.localdomain>
References: <21731.66198.qm@web36804.mail.mud.yahoo.com> <49C925C9.90402@redhat.com> <1237943874.29561.2.camel@localhost.localdomain>
Message-ID: <20090325153048.GA16498@redhat.com>

On Tue, Mar 24, 2009 at 09:17:54PM -0400, Simo Sorce wrote:
> I am not sure FDS at the moment supports start_tls, I think you have to
> use the ssl port.

It supports start_tls.

Cheers,

Nalin

From dqarras at yahoo.com Wed Mar 25 20:55:11 2009
From: dqarras at yahoo.com (Daniel Qarras)
Date: Wed, 25 Mar 2009 13:55:11 -0700 (PDT)
Subject: [Freeipa-users] Re: freeipa server + how to joining opensuse clients
Message-ID: <300965.55054.qm@web36808.mail.mud.yahoo.com>

Hi!

> > > 1. Modify the following in the /etc/ldap.conf file:
> > >
> > > URI ldap://ipaserver.example.com
> > > BASE dc=example,dc=com
> > > HOST ipaserver.example.com
> > > TLS_CACERTDIR /etc/cacerts/
> > > TLS_REQCERT allow
> > >
> > > but these upper case options are described in ldap.conf(5)
> > > which is for OpenLDAP configuration file /etc/openldap/ldap.conf!

I inspected this a bit more and I suspect that this is just a quick copy/paste from Fedora Directory Server Guide's LDAP client section:

http://directory.fedoraproject.org/wiki/Howto:SSL#Configure_LDAP_clients

I think it would be beneficial to stress that this is to configure OpenLDAP command line utilities (e.g., ldapsearch(1)) to work against the IPA server. The following should do this:

N. Modify the following in the /etc/openldap/ldap.conf file:

URI ldap://ipaserver.example.com/
BASE dc=example,dc=com
TLS_CACERTDIR /etc/cacerts/
TLS_REQCERT demand

I used "demand" as the next steps describe in detail how to export and install the CA certificate - if not "demand" then the whole exercise with the CA certificate becomes pretty pointless, IMHO. Of course, a quick comment about the difference between "demand" and "allow" would be useful alongside with a "ldapsearch -ZZ -Y GSSAPI uid=$USER" type tiny example.

But, as said, this was just for OpenLDAP tools and libs. I am not quite sure whether ipa-client-install creates PAM/LDAP configuration or not (at /etc/ldap.conf)? Or does it configure SSSD (nss_sss/pam_sss)? And is pam_ldap used with IPA or not?

Thanks!

From dqarras at yahoo.com Sun Mar 29 13:28:45 2009
From: dqarras at yahoo.com (Daniel Qarras)
Date: Sun, 29 Mar 2009 06:28:45 -0700 (PDT)
Subject: [Freeipa-users] Re: freeipa server + how to joining opensuse clients
Message-ID: <3088.61224.qm@web36802.mail.mud.yahoo.com>

Hi!

> I inspected this a bit more and I suspect that this is just
> a quick copy/paste from Fedora Directory Server Guide's LDAP
> client section:
>
> http://directory.fedoraproject.org/wiki/Howto:SSL#Configure_LDAP_clients
>
> I think it would be beneficial to stress that this is to
> configure OpenLDAP command line utilities (e.g.,
> ldapsearch(1)) to work against the IPA server. The following
> should do this:
>
>
> N. Modify the following in the /etc/openldap/ldap.conf
> file:
>
> URI ldap://ipaserver.example.com/
> BASE dc=example,dc=com
> TLS_CACERTDIR /etc/cacerts/
> TLS_REQCERT demand
>
>
> I used "demand" as the next steps describe in detail how to
> export and install the CA certificate - if not "demand" then
> the whole exercise with the CA certificate becomes pretty
> pointless, IMHO. Of course, a quick comment about the
> difference between "demand" and "allow" would be useful
> alongside with a "ldapsearch -ZZ -Y GSSAPI uid=$USER" type
> tiny example.
>
>
> But, as said, this was just for OpenLDAP tools and libs. I
> am not quite sure whether ipa-client-install creates PAM/LDAP
> configuration or not (at /etc/ldap.conf)? Or does it
> configure SSSD (nss_sss/pam_sss)? And is pam_ldap used with
> IPA or not?

Continuing my monologue here, I think it would make sense (to at least provide an option) to modify both /etc/openldap/ldap.conf and /etc/ldap.conf in clients with ipa-client-install - IMHO it is very likely that the only LDAP server the clients are communicating with is the IPA server.

Above the case of /etc/openldap/ldap.conf was already discussed but for /etc/ldap.conf no proper content has been mentioned. Based on this thread I think for /etc/ldap.conf this would be the most IPA related content:

N. Modify the following in the /etc/ldap.conf file:

uri ldap://ipaserver.example.com/
base dc=example,dc=com
ssl start_tls
tls_checkpeer yes
tls_cacertdir /etc/cacerts/

There are also some very much needed configuration directives in the default /etc/ldap.conf (e.g., nss_initgroups_ignoreusers) which should be left as-is and these changes only be added to the end of the file.

What do you think, do these suggestions make sense?

Thanks.

From john at adams.me.uk Mon Mar 30 11:51:14 2009
From: john at adams.me.uk (John B. Adams)
Date: Mon, 30 Mar 2009 12:51:14 +0100 (BST)
Subject: [Freeipa-users] Active Directory Sync
Message-ID: <31734591.12161238413874839.JavaMail.root@mail.mintra.net>

After having a lot of trouble getting free-ipa installed (I hope to document where we got stuck) I can at long last see the existing interface.

All I want is one place to keep users and group data for a mixed network with three different active directory instances and an increasing number of fedora workstations.

I need to find out how the active directory two way sync works, and can I sync with the three active directories separately, with separate users in each AD, and use Freeipa as the overall main directory server.

Where would this be documented, do I need to look at it as if it was FDS and find the docs there.

Or if anyone could give me a rough outline of the ways that would be good.

Thanks for the help so far.

John

From john at mintra.com Mon Mar 30 16:22:08 2009
From: john at mintra.com (John B. Adams)
Date: Mon, 30 Mar 2009 17:22:08 +0100 (BST)
Subject: [Freeipa-users] Active Directory integration
Message-ID: <11987975.1091238430128217.JavaMail.root@zimtos.mintra.com>

After having some trouble getting free-ipa installed (I hope to document where we got stuck) I can at long last see the existing interface.

All I want is one place to keep users and group data for a mixed network with three different active directory instances and an increasing number of fedora workstations.

I need to find out how the active directory two way sync works, and can I sync with the three active directories separately, with separate users in each AD, and use Freeipa as the overall main directory server.

Where would this be documented, do I need to look at it as if it was FDS and find the docs there.

Or if anyone could give me a rough outline of the ways that would be good.

Thanks for the help so far.

John Adams

From rcritten at redhat.com Mon Mar 30 17:18:30 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 30 Mar 2009 13:18:30 -0400
Subject: [Freeipa-users] Active Directory integration
In-Reply-To: <11987975.1091238430128217.JavaMail.root@zimtos.mintra.com>
References: <11987975.1091238430128217.JavaMail.root@zimtos.mintra.com>
Message-ID: <49D0FEE6.3000606@redhat.com>

John B. Adams wrote:
> After having some trouble getting free-ipa installed (I hope to document where we got stuck) I can at long last see the existing interface.

Sure, the feedback would be good.

>
> All I want is one place to keep users and group data for a mixed network with three different active directory instances and
> an increasing number of fedora workstations.
>
> I need to find out how the active directory two way sync works, and can I sync with the three active directories separately,
> with separate users in each AD, and use Freeipa as the overall main directory server.
>
> Where would this be documented, do I need to look at it as if it was FDS and find the docs there.
>
> Or if anyone could give me a rough outline of the ways that would be good.
>
> Thanks for the help so far.

We are in the process of updating our documentation now. We are going to drop the wiki-based documentation and replace it with plain HTML files. This is so we can keep our documentation under better revision control and focus on content and not so much on layout. This revision will include the AD sync docs you are looking for. We hope to have this done by the end of the week.

So you want IPA to be essentially the union of all the AD accounts? I think that if you never have a user in more than one AD this may work. The way the IPA sync works is it only syncs users with a remote AD where the remote samAccountName attribute matches the IPA uid. So if your users are unique you should never have users from one AD appearing on another.

rob

From ssorce at redhat.com Tue Mar 31 20:18:49 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 31 Mar 2009 16:18:49 -0400
Subject: [Freeipa-users] Re: freeipa server + how to joining opensuse clients
In-Reply-To: <3088.61224.qm@web36802.mail.mud.yahoo.com>
References: <3088.61224.qm@web36802.mail.mud.yahoo.com>
Message-ID: <1238530729.4858.43.camel@localhost.localdomain>

On Sun, 2009-03-29 at 06:28 -0700, Daniel Qarras wrote:
> Hi!
>
> > I inspected this a bit more and I suspect that this is just
> > a quick copy/paste from Fedora Directory Server Guide's LDAP
> > client section:
> >
> > http://directory.fedoraproject.org/wiki/Howto:SSL#Configure_LDAP_clients
> >
> > I think it would be beneficial to stress that this is to
> > configure OpenLDAP command line utilities (e.g.,
> > ldapsearch(1)) to work against the IPA server. The following
> > should do this:
> >
> >
> > N. Modify the following in the /etc/openldap/ldap.conf
> > file:
> >
> > URI ldap://ipaserver.example.com/
> > BASE dc=example,dc=com
> > TLS_CACERTDIR /etc/cacerts/
> > TLS_REQCERT demand
> >
> >
> > I used "demand" as the next steps describe in detail how to
> > export and install the CA certificate - if not "demand" then
> > the whole exercise with the CA certificate becomes pretty
> > pointless, IMHO. Of course, a quick comment about the
> > difference between "demand" and "allow" would be useful
> > alongside with a "ldapsearch -ZZ -Y GSSAPI uid=$USER" type
> > tiny example.
> >
> >
> > But, as said, this was just for OpenLDAP tools and libs. I
> > am not quite sure whether ipa-client-install creates PAM/LDAP
> > configuration or not (at /etc/ldap.conf)? Or does it
> > configure SSSD (nss_sss/pam_sss)? And is pam_ldap used with
> > IPA or not?
>
> Continuing my monologue here, I think it would make sense (to at least
> provide an option) to modify both /etc/openldap/ldap.conf
> and /etc/ldap.conf in clients with ipa-client-install - IMHO it is
> very likely that the only LDAP server the clients are communicating
> with is the IPA server.

Not sure about that, I can definitely see cases where you want to use ipa for authentication but you daily use another ldap server for other purposes (address book?)

But maybe an option will do.

> Above the case of /etc/openldap/ldap.conf was already discussed but
> for /etc/ldap.conf no proper content has been mentioned. Based on this
> thread I think for /etc/ldap.conf this would be the most IPA related
> content:
>
>
> N. Modify the following in the /etc/ldap.conf file:
>
> uri ldap://ipaserver.example.com/
> base dc=example,dc=com
> ssl start_tls
> tls_checkpeer yes
> tls_cacertdir /etc/cacerts/
>
>
> There are also some very much needed configuration directives in the
> default /etc/ldap.conf (e.g., nss_initgroups_ignoreusers) which should
> be left as-is and these changes only be added to the end of the file.
>
> What do you think, do these suggestions make sense?

I think they do.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
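Added example, not code from the thread or from FreeIPA, following up the two points Daniel raises above (the Mar 24 message about TLS_REQCERT allow in the wrong file, and the Mar 29 proposal for /etc/ldap.conf): a small Python checker that reads each file in its own dialect and reports the settings that would leave a client talking cleartext LDAP or accepting any server certificate. The directive names and the TLS_REQCERT semantics are those of ldap.conf(5) and nss_ldap(5); the file contents are constructed from the snippets posted in the thread; the nss_ldap default for tls_checkpeer is deliberately not assumed, so anything short of an explicit yes is reported.

```python
# Added example for this thread, not FreeIPA or OpenLDAP code.  Directive
# names follow ldap.conf(5) (OpenLDAP, /etc/openldap/ldap.conf, upper-case
# keywords) and nss_ldap(5) (/etc/ldap.conf, lower-case keywords).  The
# sample file contents are constructed from the snippets posted in the thread.
from typing import Dict, List

# Constructed sample 1: the guide's snippet, which the thread identifies as
# ldap.conf(5) syntax pasted into the nss_ldap file.
GUIDE_SNIPPET = """\
URI ldap://ipaserver.example.com
BASE dc=example,dc=com
HOST ipaserver.example.com
TLS_CACERTDIR /etc/cacerts/
TLS_REQCERT allow
"""

# Constructed sample 2: the corrected /etc/openldap/ldap.conf from the thread.
FIXED_OPENLDAP_CONF = """\
URI ldap://ipaserver.example.com/
BASE dc=example,dc=com
TLS_CACERTDIR /etc/cacerts/
TLS_REQCERT demand
"""

# Constructed sample 3: the proposed nss_ldap /etc/ldap.conf from the thread.
FIXED_NSS_LDAP_CONF = """\
uri ldap://ipaserver.example.com/
base dc=example,dc=com
ssl start_tls
tls_checkpeer yes
tls_cacertdir /etc/cacerts/
"""


def parse_ldap_conf(text: str) -> Dict[str, str]:
    """Parse 'keyword value' lines into a dict; comments and blanks skipped.

    Keywords are lower-cased so both dialects share one lookup.  If a keyword
    repeats, the last one wins (this example's simplification, not documented
    behaviour of either parser).
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        settings[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def check_openldap_conf(settings: Dict[str, str]) -> List[str]:
    """Findings for /etc/openldap/ldap.conf (OpenLDAP tools and libraries)."""
    findings: List[str] = []
    # ldap.conf(5): default is 'demand'.  'never' and 'allow' let the session
    # proceed on a missing or bad server certificate; 'try' still proceeds
    # when no certificate is presented at all.  Only demand/hard fail closed.
    reqcert = settings.get("tls_reqcert", "demand").lower()
    if reqcert not in ("demand", "hard"):
        findings.append(
            f"TLS_REQCERT {reqcert}: the server certificate need not verify, so "
            "the CA installed in TLS_CACERTDIR buys nothing; use 'TLS_REQCERT demand'."
        )
    if "tls_cacertdir" not in settings and "tls_cacert" not in settings:
        findings.append("no TLS_CACERT/TLS_CACERTDIR: no trust anchor for the IPA CA.")
    if "host" in settings and "uri" in settings:
        findings.append("HOST and URI both set: redundant, keep URI only.")
    return findings


def check_nss_ldap_conf(settings: Dict[str, str]) -> List[str]:
    """Findings for /etc/ldap.conf (nss_ldap / pam_ldap)."""
    findings: List[str] = []
    # nss_ldap(5) has no tls_reqcert; its peer-verification knob is
    # tls_checkpeer, so an ldap.conf(5)-style TLS_REQCERT line is inert here.
    if "tls_reqcert" in settings:
        findings.append(
            "tls_reqcert is an ldap.conf(5) directive, not nss_ldap(5); "
            "nss_ldap ignores it, use 'tls_checkpeer yes'."
        )
    # Without 'ssl start_tls' (or 'ssl on' for ldaps) nothing is encrypted.
    if settings.get("ssl", "off").lower() not in ("start_tls", "on"):
        findings.append("no 'ssl start_tls': lookups and binds use cleartext LDAP.")
    # The nss_ldap default for tls_checkpeer is not assumed: report anything
    # short of an explicit 'yes'.
    if settings.get("tls_checkpeer", "").lower() != "yes":
        findings.append("tls_checkpeer is not explicitly 'yes': server cert may go unverified.")
    if "tls_cacertdir" not in settings and "tls_cacertfile" not in settings:
        findings.append("no tls_cacertfile/tls_cacertdir: no trust anchor for the IPA CA.")
    return findings


def check_client_configs(openldap_text: str, nss_ldap_text: str) -> Dict[str, List[str]]:
    """Run both checkers; an empty list means that file passed."""
    return {
        "/etc/openldap/ldap.conf": check_openldap_conf(parse_ldap_conf(openldap_text)),
        "/etc/ldap.conf": check_nss_ldap_conf(parse_ldap_conf(nss_ldap_text)),
    }


if __name__ == "__main__":
    # The guide's snippet fails under both readings; the corrected files pass.
    for path, findings in check_client_configs(GUIDE_SNIPPET, GUIDE_SNIPPET).items():
        print(f"{path} (guide snippet):")
        for finding in findings:
            print("  -", finding)
    fixed = check_client_configs(FIXED_OPENLDAP_CONF, FIXED_NSS_LDAP_CONF)
    print("corrected configs clean:", all(not v for v in fixed.values()))
```

Run as a script it shows the guide's snippet failing both as an OpenLDAP file (TLS_REQCERT allow, redundant HOST) and as an nss_ldap file (inert tls_reqcert, no ssl start_tls, no tls_checkpeer yes), while the two corrected files from the thread come back clean. The live counterpart is the check Daniel suggests, `ldapsearch -ZZ -Y GSSAPI uid=$USER`: with -ZZ ldapsearch refuses to continue unless StartTLS succeeds, and with TLS_REQCERT demand it also refuses unless the CA in TLS_CACERTDIR verifies the server certificate, which is exactly the combination the installed IPA CA is there to support.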