From kabbey at biomaps.rutgers.edu Thu Sep 3 21:03:07 2009
From: kabbey at biomaps.rutgers.edu (Kevin Abbey)
Date: Thu, 03 Sep 2009 17:03:07 -0400
Subject: [Freeipa-users] Roadmap to release 2.0 ?
Message-ID: <4AA02F0B.1050103@biomaps.rutgers.edu>

Hi,

I am really interested to try FreeIPA but if you are near releasing 2.0
then I'd rather just wait.

Is there any update for the Roadmap?

Release 2
Target Date: Targeting April/May 2009

Thank you,
Kevin

--
Kevin C. Abbey
System Administrator
Rutgers University - BioMaPS Institute
Email: kabbey at biomaps.rutgers.edu
Hill Center - Room 259
110 Frelinghuysen Road
Piscataway, NJ 08854
Phone and Voice mail: 732-445-3288
Wright-Rieman Laboratories Room 201
610 Taylor Rd.
Piscataway, NJ 08854-8087
Phone: 732-445-2069
Fax: 732-445-5958

From dpal at redhat.com Thu Sep 3 21:30:09 2009
From: dpal at redhat.com (Dmitri Pal)
Date: Thu, 03 Sep 2009 17:30:09 -0400
Subject: [Freeipa-users] Roadmap to release 2.0 ?
In-Reply-To: <4AA02F0B.1050103@biomaps.rutgers.edu>
References: <4AA02F0B.1050103@biomaps.rutgers.edu>
Message-ID: <4AA03561.9010401@redhat.com>

Kevin Abbey wrote:
> Hi,
>
> I am really interested to try FreeIPA but if you are near releasing 2.0
> then I'd rather just wait.
>
> Is there any update for the Roadmap?
>
> Release 2
> Target Date: Targeting April/May 2009
>
> Thank you,
> Kevin

Hello Kevin,

We hope to be functionally complete with freeIPA v2 in November. The scope
however is significantly reduced in comparison to what we originally
planned and I need to update this on the wiki. I just do not have time to
keep it updated (my fault); sorry, overwhelmed with other tasks.

After the functional complete milestone in November-December we will
either release it or will continue adding features to it. This decision
will be made based on the assessment of different factors (stability of
code, feature coverage and so on, as well as demand from the community).

You can definitely affect this decision making by giving us a little bit
more information about your interest. Is there any specific feature that
you are looking for?

--
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From kabbey at biomaps.rutgers.edu Thu Sep 3 21:00:49 2009
From: kabbey at biomaps.rutgers.edu (Kevin Abbey)
Date: Thu, 03 Sep 2009 17:00:49 -0400
Subject: [Freeipa-users] Roadmap to release 2.0 ?
Message-ID: <4AA02E81.30901@biomaps.rutgers.edu>

Hi,

I am really interested to try FreeIPA but if you are near releasing 2.0
then I'd rather just wait.

Is there any update for the Roadmap?

Release 2
Target Date: Targeting April/May 2009

Thank you,
Kevin

--
Kevin C. Abbey
System Administrator
Rutgers University - BioMaPS Institute
Email: kabbey at biomaps.rutgers.edu
Hill Center - Room 259
110 Frelinghuysen Road
Piscataway, NJ 08854
Phone and Voice mail: 732-445-3288
Wright-Rieman Laboratories Room 201
610 Taylor Rd.
Piscataway, NJ 08854-8087
Phone: 732-445-2069
Fax: 732-445-5958

From loris at lgs.com.ve Fri Sep 4 03:56:57 2009
From: loris at lgs.com.ve (Loris Santamaria)
Date: Thu, 03 Sep 2009 23:26:57 -0430
Subject: [Freeipa-users] Roadmap to release 2.0 ?
In-Reply-To: <4AA03561.9010401@redhat.com>
References: <4AA02F0B.1050103@biomaps.rutgers.edu> <4AA03561.9010401@redhat.com>
Message-ID: <1252036617.12996.658.camel@arepa.pzo.lgs.com.ve>

On Thu, 03-09-2009 at 17:30 -0400, Dmitri Pal wrote:
> After functional complete milestone in November-December
> we will either release it or will continue adding features to it.
> This decision will be made based on the assessment of different
> factors (stability of code, feature coverage and so on as
> well as demand from the community).
>
> You can definitely affect this decision making by giving us
> a little bit more information about your interest.
> Is there any specific feature that you are looking for?

For us, just the CA integration would be enough to upgrade to the new
version ASAP.

Of course netgroup and DNS management are very desirable features, and
for our role as systems integrators a more hackable interface is
definitely a plus.

--
Loris Santamaria   linux user #70506   xmpp:loris at lgs.com.ve
Links Global Services, C.A.            http://www.lgs.com.ve
Tel: 0286 952.06.87  Cel: 0414 095.00.10   sip:103 at lgs.com.ve
------------------------------------------------------------
-O9 -omg-optimize -fomit-instructions

From dpal at redhat.com Fri Sep 4 14:49:07 2009
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 04 Sep 2009 10:49:07 -0400
Subject: [Freeipa-users] Roadmap to release 2.0 ?
In-Reply-To: <1252036617.12996.658.camel@arepa.pzo.lgs.com.ve>
References: <4AA02F0B.1050103@biomaps.rutgers.edu> <4AA03561.9010401@redhat.com> <1252036617.12996.658.camel@arepa.pzo.lgs.com.ve>
Message-ID: <4AA128E3.7060804@redhat.com>

Loris Santamaria wrote:
> On Thu, 03-09-2009 at 17:30 -0400, Dmitri Pal wrote:
>> After functional complete milestone in November-December
>> we will either release it or will continue adding features to it.
>> This decision will be made based on the assessment of different
>> factors (stability of code, feature coverage and so on as
>> well as demand from the community).
>>
>> You can definitely affect this decision making by giving us
>> a little bit more information about your interest.
>> Is there any specific feature that you are looking for?
>
> For us, just the CA integration would be enough to upgrade to the new
> version ASAP.
>
> Of course netgroup and DNS management are very desirable features, and
> for our role as systems integrators a more hackable interface is
> definitely a plus.

The CA integration is not stable and there are several things that are
not yet completed related to cert management and provisioning. It is
unlikely they will be available before the functional complete
milestone. DNS is also being polished right now. It is there but it is
not stable either. The netgroups should be OK and work now.

It seems that we are on the right track with the features you are
looking for. I will see what we can do about clarifying our release
plans and giving you more precise guidance. Please give me a couple of
weeks.

--
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From james.roman at ssaihq.com Fri Sep 11 21:26:15 2009
From: james.roman at ssaihq.com (James Roman)
Date: Fri, 11 Sep 2009 17:26:15 -0400
Subject: [Freeipa-users] ipa-replica-prepare clarification
Message-ID: <4AAAC077.5080505@ssaihq.com>

Can anyone elaborate on the options for the ipa-replica-prepare command?
I have a third party signed certificate for both my master and replica
server. Am I supposed to provide the PKCS12 file for the master server
or the replica? If it is looking for the master server, I really don't
want the script generating a new certificate for the replica. I already
have one. Any way to by-pass that option?

From rcritten at redhat.com Sat Sep 12 12:17:50 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Sat, 12 Sep 2009 08:17:50 -0400
Subject: [Freeipa-users] ipa-replica-prepare clarification
In-Reply-To: <4AAAC077.5080505@ssaihq.com>
References: <4AAAC077.5080505@ssaihq.com>
Message-ID: <4AAB916E.8090506@redhat.com>

James Roman wrote:
> Can anyone elaborate on the options for the ipa-replica-prepare command?
> I have a third party signed certificate for both my master and replica
> server. Am I supposed to provide the PKCS12 file for the master server
> or the replica? If it is looking for the master server, I really don't
> want the script generating a new certificate for the replica. I already
> have one. Any way to by-pass that option?

The PKCS#12 file(s) are for the replica server. If you provide both
then IPA will not attempt to generate one.

rob

From james.roman at ssaihq.com Mon Sep 14 15:35:06 2009
From: james.roman at ssaihq.com (James Roman)
Date: Mon, 14 Sep 2009 11:35:06 -0400
Subject: [Freeipa-users] ipa-replica-prepare clarification
In-Reply-To: <4AAB916E.8090506@redhat.com>
References: <4AAAC077.5080505@ssaihq.com> <4AAB916E.8090506@redhat.com>
Message-ID: <4AAE62AA.2060705@ssaihq.com>

OK, I am still running into a similar problem when installing the replica
server. It appears that the problem stems from the chained CA certificates
from GoDaddy again. On the replica server, all the certs appear to be
installed properly. The script is choking when modifying the trust
arguments. It looks like it is grabbing the certificate name from the
wrong place again.

ipa-replica-install Error:

NOTE: Take a look at where the quotes are showing up in the "certutil -d" lines.

root : DEBUG [10/17]: configuring ssl for ds instance
  [10/17]: configuring ssl for ds instance
root : DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
root : INFO root : INFO root : INFO
pk12util: PKCS12 IMPORT SUCCESSFUL

root : INFO root : INFO root : INFO
certutil: could not find certificate named "valicert.com" [E=info at valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 2 Policy Validation Authority,O="ValiCert, Inc.": The security card or token does not exist, needs to be initialized, or has been removed.

creation of replica failed: Command '/usr/bin/certutil -d /etc/dirsrv/slapd-REALM-COM/ -M -n valicert.com" [E=info at valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 2 Policy Validation Authority,O="ValiCert, Inc. -t CT,CT,' returned non-zero exit status 255
root : DEBUG Command '/usr/bin/certutil -d /etc/dirsrv/slapd-REALM-COM/ -M -n valicert.com" [E=info at valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 2 Policy Validation Authority,O="ValiCert, Inc. -t CT,CT,' returned non-zero exit status 255
  File "/usr/sbin/ipa-replica-install", line 294, in
    main()
  File "/usr/sbin/ipa-replica-install", line 244, in main
    ds = install_ds(config)
  File "/usr/sbin/ipa-replica-install", line 115, in install_ds
    ds.create_instance(config.ds_user, config.realm_name, config.host_name, config.domain_name, config.dirman_password, pkcs12_info)
  File "/usr/lib/python2.5/site-packages/ipaserver/dsinstance.py", line 193, in create_instance
    self.start_creation("Configuring directory server:")
  File "/usr/lib/python2.5/site-packages/ipaserver/service.py", line 139, in start_creation
    method()
  File "/usr/lib/python2.5/site-packages/ipaserver/dsinstance.py", line 345, in __enable_ssl
    ca.create_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1])
  File "/usr/lib/python2.5/site-packages/ipaserver/certs.py", line 403, in create_from_pkcs12
    self.trust_root_cert(nickname)
  File "/usr/lib/python2.5/site-packages/ipaserver/certs.py", line 322, in trust_root_cert
    "-t", "CT,CT,"])
  File "/usr/lib/python2.5/site-packages/ipaserver/certs.py", line 126, in run_certutil
    return ipautil.run(new_args, stdin)
  File "/usr/lib/python2.5/site-packages/ipa/ipautil.py", line 97, in run
    raise CalledProcessError(p.returncode, ' '.join(args))

Replica server Cert DB:

[root at replica slapd-REALM-COM]# certutil -L -d .

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
Go Daddy Secure Certification Authority                      ,,
Go Daddy Class 2 Certification Authority                     ,,
valicert.com                                                 ,,

Rob Crittenden wrote:
> James Roman wrote:
>> Can anyone elaborate on the options for the ipa-replica-prepare
>> command? I have a third party signed certificate for both my master
>> and replica server. Am I supposed to provide the PKCS12 file for the
>> master server or the replica? If it is looking for the master server,
>> I really don't want the script generating a new certificate for the
>> replica. I already have one. Any way to by-pass that option?
>
> The PKCS#12 file(s) are for the replica server. If you provide both
> then IPA will not attempt to generate one.
>
> rob

From rcritten at redhat.com Mon Sep 14 15:55:55 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 14 Sep 2009 11:55:55 -0400
Subject: [Freeipa-users] ipa-replica-prepare clarification
In-Reply-To: <4AAE62AA.2060705@ssaihq.com>
References: <4AAAC077.5080505@ssaihq.com> <4AAB916E.8090506@redhat.com> <4AAE62AA.2060705@ssaihq.com>
Message-ID: <4AAE678B.4010901@redhat.com>

James Roman wrote:
> OK I am still running into a similar problem when installing the replica
> server. It appears that the problem stems from the chained CA
> certificates from GoDaddy again. On the replica server, all the certs
> appear to be installed properly. The script is choking when modifying
> the trust arguments. It looks like it is grabbing the certificate name
> from the wrong place again.

This should be fixed in ipa v1.2.2 which is in the Fedora updates-testing repo.

rob

>
> ipa-replica-install Error:
>
> NOTE: Take a look at where the quotes are showing up in the "certutil
> -d" lines.
>
> root : DEBUG [10/17]: configuring ssl for ds instance
> [10/17]: configuring ssl for ds instance
> root : DEBUG Loading Index file from
> '/var/lib/ipa/sysrestore/sysrestore.index'
> root : INFO root : INFO root : INFO
> pk12util: PKCS12 IMPORT SUCCESSFUL
>
> root : INFO root : INFO root : INFO
> certutil: could not find certificate named "valicert.com"
> [E=info at valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 2
> Policy Validation Authority,O="ValiCert, Inc.": The security card or
> token does not exist, needs to be initialized, or has been removed.
>
> creation of replica failed: Command '/usr/bin/certutil -d
> /etc/dirsrv/slapd-REALM-COM/ -M -n valicert.com"
> [E=info at valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 2
> Policy Validation Authority,O="ValiCert, Inc. -t CT,CT,' returned
> non-zero exit status 255
> root : DEBUG Command '/usr/bin/certutil -d
> /etc/dirsrv/slapd-REALM-COM/ -M -n valicert.com"
> [E=info at valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 2
> Policy Validation Authority,O="ValiCert, Inc. -t CT,CT,' returned
> non-zero exit status 255
> File "/usr/sbin/ipa-replica-install", line 294, in
> main()
>
> File "/usr/sbin/ipa-replica-install", line 244, in main
> ds = install_ds(config)
>
> File "/usr/sbin/ipa-replica-install", line 115, in install_ds
> ds.create_instance(config.ds_user, config.realm_name,
> config.host_name, config.domain_name, config.dirman_password, pkcs12_info)
>
> File "/usr/lib/python2.5/site-packages/ipaserver/dsinstance.py", line
> 193, in create_instance
> self.start_creation("Configuring directory server:")
>
> File "/usr/lib/python2.5/site-packages/ipaserver/service.py", line 139,
> in start_creation
> method()
>
> File "/usr/lib/python2.5/site-packages/ipaserver/dsinstance.py", line
> 345, in __enable_ssl
> ca.create_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1])
>
> File "/usr/lib/python2.5/site-packages/ipaserver/certs.py", line 403,
> in create_from_pkcs12
> self.trust_root_cert(nickname)
>
> File "/usr/lib/python2.5/site-packages/ipaserver/certs.py", line 322,
> in trust_root_cert
> "-t", "CT,CT,"])
>
> File "/usr/lib/python2.5/site-packages/ipaserver/certs.py", line 126,
> in run_certutil
> return ipautil.run(new_args, stdin)
>
> File "/usr/lib/python2.5/site-packages/ipa/ipautil.py", line 97, in run
> raise CalledProcessError(p.returncode, ' '.join(args))
>
>
> Replica server Cert DB:
>
> [root at replica slapd-REALM-COM]# certutil -L -d .
>
> Certificate Nickname                                 Trust Attributes
>                                                      SSL,S/MIME,JAR/XPI
>
> Server-Cert                                          u,u,u
> Go Daddy Secure Certification Authority              ,,
> Go Daddy Class 2 Certification Authority             ,,
> valicert.com                                         ,,
>
>
> Rob Crittenden wrote:
>> James Roman wrote:
>>> Can anyone elaborate on the options for the ipa-replica-prepare
>>> command? I have a third party signed certificate for both my master
>>> and replica server. Am I supposed to provide the PKCS12 file for the
>>> master server or the replica? If it is looking for the master server,
>>> I really don't want the script generating a new certificate for the
>>> replica. I already have one. Any way to by-pass that option?
>>
>> The PKCS#12 file(s) are for the replica server. If you provide both
>> then IPA will not attempt to generate one.
>>
>> rob
>

From james.roman at ssaihq.com Mon Sep 14 18:05:13 2009
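What the installer is doing in the failing step is importing the replica's PKCS#12 bundle with pk12util and then running `certutil -M -n <nickname> -t CT,CT,` for each CA in the chain. The script below is an added example, not FreeIPA's own code, showing the check a practitioner can run before (or instead of) that step: it parses the text listing printed by `certutil -L -d <dbdir>`, refuses to proceed if any CA nickname in the expected chain is absent from the database, and builds each certutil invocation as an argv list with the nickname as a single element, so a name containing spaces, commas or quotes is never split or glued onto the subject DN the way it is in the log quoted above. The database path, the sample listing and the chain nicknames are constructed for the example.

```python
"""Verify a CA chain in an NSS database and build the certutil trust calls.

Added example, not FreeIPA code. It reads the text listing printed by
`certutil -L -d <dbdir>`, reports CA nicknames that are missing from the
database, and prepares one certutil invocation per CA that still lacks
the CA trust flags. Each argument is a separate argv element (no shell
string), so a nickname reaches certutil exactly as stored in the database.
"""
import re
import subprocess

CA_TRUST = "CT,CT,"   # the flags ipa-replica-install sets on chain CAs

# Constructed listing in the format of `certutil -L`: the server cert and
# two of the three GoDaddy chain CAs, the root deliberately absent.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
Go Daddy Secure Certification Authority                      CT,C,
Go Daddy Class 2 Certification Authority                     ,,
"""

# one row: nickname, at least two spaces, then the three comma-separated flag fields
_ROW = re.compile(r"^(?P<nick>\S.*?)\s{2,}(?P<trust>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)\s*$")


def parse_listing(text):
    """Map nickname -> trust string for every certificate row in the listing.
    Header lines and blank lines do not match the row pattern and are skipped."""
    certs = {}
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            certs[m.group("nick")] = m.group("trust")
    return certs


def listing_text(dbdir):
    """Run certutil against a real database and return its listing as text."""
    out = subprocess.check_output(["/usr/bin/certutil", "-L", "-d", dbdir])
    return out.decode("utf-8", "replace")


def trust_commands(dbdir, listing, chain, trust=CA_TRUST):
    """Return the certutil argv lists needed to mark every CA in `chain`
    as trusted. Raises LookupError naming the nicknames if any CA is not
    in the database, instead of letting certutil fail half way through
    with 'could not find certificate named ...'."""
    certs = parse_listing(listing)
    missing = [nick for nick in chain if nick not in certs]
    if missing:
        raise LookupError("not found in %s: %s" % (dbdir, ", ".join(missing)))
    commands = []
    for nick in chain:
        if certs[nick] == trust:
            continue                      # already carries the CA flags
        commands.append(["/usr/bin/certutil", "-d", dbdir, "-M",
                         "-n", nick, "-t", trust])
    return commands


def apply_trust(dbdir, chain):
    """Check the chain in a real database, then apply the trust flags."""
    for argv in trust_commands(dbdir, listing_text(dbdir), chain):
        subprocess.check_call(argv)


if __name__ == "__main__":
    # Offline demonstration against the constructed listing: the root is
    # missing, so the check reports it rather than invoking certutil.
    chain = ["Go Daddy Secure Certification Authority",
             "Go Daddy Class 2 Certification Authority",
             "valicert.com"]
    try:
        for argv in trust_commands("/etc/httpd/alias", SAMPLE_LISTING, chain):
            print(argv)
    except LookupError as err:
        print("chain incomplete:", err)
```

Run against a live server with `apply_trust("/etc/httpd/alias", chain)` after the pk12util import; the nickname list is what `pk12util -l` prints as "Friendly Name" for each CA in the bundle, and a LookupError at this point means the bundle or the import, not the trust step, is what needs fixing.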
From: james.roman at ssaihq.com (James Roman) Date: Mon, 14 Sep 2009 14:05:13 -0400 Subject: [Freeipa-users] ipa-replica-prepare clarification In-Reply-To: <4AAE678B.4010901@redhat.com> References: <4AAAC077.5080505@ssaihq.com> <4AAB916E.8090506@redhat.com> <4AAE62AA.2060705@ssaihq.com> <4AAE678B.4010901@redhat.com> Message-ID: <4AAE85D9.4050709@ssaihq.com> I installed the 1.2.2-1 version from the test repo. I get really close to the end, but it is still bombing when trying to set the trust permissions on the web server cert. For some reason the final cert in the chain did not get installed into the /etc/httpd/alias directory. All worked fine for the directory server. root : DEBUG [6/9]: Setting up ssl [6/9]: Setting up ssl root : DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' root : DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' root : INFO root : INFO root : INFO pk12util: PKCS12 IMPORT SUCCESSFUL root : INFO root : INFO Key(shrouded): Friendly Name: Server-Cert Encryption algorithm: PKCS #12 V2 PBE With SHA-1 And 3KEY Triple DES-CBC Parameters: Salt: 60:9a:79:e9:17:26:64:78:84:fc:4a:99:8f:19:ad:da Iteration Count: 1 (0x1) Certificate: Data: Version: 3 (0x2) Serial Number: 769 (0x301) Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption Issuer: "OU=Go Daddy Class 2 Certification Authority,O="The Go Daddy Group, Inc.",C=US" Validity: Not Before: Thu Nov 16 01:54:37 2006 Not After : Mon Nov 16 01:54:37 2026 Subject: "serialNumber=07969287,CN=Go Daddy Secure Certification Auth ority,OU=http://certificates.godaddy.com/repository,O="GoDaddy.co m, Inc.",L=Scottsdale,ST=Arizona,C=US" Subject Public Key Info: Public Key Algorithm: PKCS #1 RSA Encryption RSA Public Key: Modulus: c4:2d:d5:15:8c:9c:26:4c:ec:32:35:eb:5f:b8:59:01: 5a:a6:61:81:59:3b:70:63:ab:e3:dc:3d:c7:2a:b8:c9: 33:d3:79:e4:3a:ed:3c:30:23:84:8e:b3:30:14:b6:b2: 87:c3:3d:95:54:04:9e:df:99:dd:0b:25:1e:21:de:65: 29:7e:35:a8:a9:54:eb:f6:f7:32:39:d4:26:55:95:ad: 
ef:fb:fe:58:86:d7:9e:f4:00:8d:8c:2a:0c:bd:42:04: ce:a7:3f:04:f6:ee:80:f2:aa:ef:52:a1:69:66:da:be: 1a:ad:5d:da:2c:66:ea:1a:6b:bb:e5:1a:51:4a:00:2f: 48:c7:98:75:d8:b9:29:c8:ee:f8:66:6d:0a:9c:b3:f3: fc:78:7c:a2:f8:a3:f2:b5:c3:f3:b9:7a:91:c1:a7:e6: 25:2e:9c:a8:ed:12:65:6e:6a:f6:12:44:53:70:30:95: c3:9c:2b:58:2b:3d:08:74:4a:f2:be:51:b0:bf:87:d0: 4c:27:58:6b:b5:35:c5:9d:af:17:31:f8:0b:8f:ee:ad: 81:36:05:89:08:98:cf:3a:af:25:87:c0:49:ea:a7:fd: 67:f7:45:8e:97:cc:14:39:e2:36:85:b5:7e:1a:37:fd: 16:f6:71:11:9a:74:30:16:fe:13:94:a3:3f:84:0d:4f Exponent: 65537 (0x10001) Signed Extensions: Name: Certificate Subject Key ID Data: fd:ac:61:32:93:6c:45:d6:e2:ee:85:5f:9a:ba:e7:76: 99:68:cc:e7 Name: Certificate Authority Key Identifier Key ID: d2:c4:b0:d2:91:d4:4c:11:71:b3:61:cb:3d:a1:fe:dd: a8:6a:d4:e3 Name: Certificate Basic Constraints Critical: True Data: Is a CA with a maximum path length of 0. Name: Authority Information Access Method: PKIX Online Certificate Status Protocol Location: URI: "http://ocsp.godaddy.com" Name: CRL Distribution Points URI: "http://certificates.godaddy.com/repository/gdroot.crl" Name: Certificate Policies Data: Policy Name: Certificate Policies AnyPolicy Policy Qualifier Name: PKIX CPS Pointer Qualifier Policy Qualifier Data: "http://certificates.godaddy.com/r epository" Name: Certificate Key Usage Critical: True Usages: Certificate Signing CRL Signing Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption Signature: d2:86:c0:ec:bd:f9:a1:b6:67:ee:66:0b:a2:06:3a:04: 50:8e:15:72:ac:4a:74:95:53:cb:37:cb:44:49:ef:07: 90:6b:33:d9:96:f0:94:56:a5:13:30:05:3c:85:32:21: 7b:c9:c7:0a:a8:24:a4:90:de:46:d3:25:23:14:03:67: c2:10:d6:6f:0f:5d:7b:7a:cc:9f:c5:58:2a:c1:c4:9e: 21:a8:5a:f3:ac:a4:46:f3:9e:e4:63:cb:2f:90:a4:29: 29:01:d9:72:2c:29:df:37:01:27:bc:4f:ee:68:d3:21: 8f:c0:b3:e4:f5:09:ed:d2:10:aa:53:b4:be:f0:cc:59: 0b:d6:3b:96:1c:95:24:49:df:ce:ec:fd:a7:48:91:14: 45:0e:3a:36:6f:da:45:b3:45:a2:41:c9:d4:d7:44:4e: 3e:b9:74:76:d5:a2:13:55:2c:c6:87:a3:b5:99:ac:06: 
84:87:7f:75:06:fc:bf:14:4c:0e:cc:6e:c4:df:3d:b7: 12:71:f4:e8:f1:51:40:22:28:49:e0:1d:4b:87:a8:34: cc:06:a2:dd:12:5a:d1:86:36:64:03:35:6f:6f:77:6e: eb:f2:85:50:98:5e:ab:03:53:ad:91:23:63:1f:16:9c: cd:b9:b2:05:63:3a:e1:f4:68:1b:17:05:35:95:53:ee Fingerprint (MD5): D5:DF:85:B7:9A:52:87:D1:8C:D5:0F:90:23:2D:B5:34 Fingerprint (SHA1): 7C:46:56:C3:06:1F:7F:4C:0D:67:B3:19:A8:55:F6:0E:BC:11:FC:44 Friendly Name: Go Daddy Secure Certification Authority Certificate: Data: Version: 3 (0x2) Serial Number: 269 (0x10d) Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption Issuer: "E=info at valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 2 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network" Validity: Not Before: Tue Jun 29 17:06:20 2004 Not After : Sat Jun 29 17:06:20 2024 Subject: "OU=Go Daddy Class 2 Certification Authority,O="The Go Daddy Group, Inc.",C=US" Subject Public Key Info: Public Key Algorithm: PKCS #1 RSA Encryption RSA Public Key: Modulus: de:9d:d7:ea:57:18:49:a1:5b:eb:d7:5f:48:86:ea:be: dd:ff:e4:ef:67:1c:f4:65:68:b3:57:71:a0:5e:77:bb: ed:9b:49:e9:70:80:3d:56:18:63:08:6f:da:f2:cc:d0: 3f:7f:02:54:22:54:10:d8:b2:81:d4:c0:75:3d:4b:7f: c7:77:c3:3e:78:ab:1a:03:b5:20:6b:2f:6a:2b:b1:c5: 88:7e:c4:bb:1e:b0:c1:d8:45:27:6f:aa:37:58:f7:87: 26:d7:d8:2d:f6:a9:17:b7:1f:72:36:4e:a6:17:3f:65: 98:92:db:2a:6e:5d:a2:fe:88:e0:0b:de:7f:e5:8d:15: e1:eb:cb:3a:d5:e2:12:a2:13:2d:d8:8e:af:5f:12:3d: a0:08:05:08:b6:5c:a5:65:38:04:45:99:1e:a3:60:60: 74:c5:41:a5:72:62:1b:62:c5:1f:6f:5f:1a:42:be:02: 51:65:a8:ae:23:18:6a:fc:78:03:a9:4d:7f:80:c3:fa: ab:5a:fc:a1:40:a4:ca:19:16:fe:b2:c8:ef:5e:73:0d: ee:77:bd:9a:f6:79:98:bc:b1:07:67:a2:15:0d:dd:a0: 58:c6:44:7b:0a:3e:62:28:5f:ba:41:07:53:58:cf:11: 7e:38:74:c5:f8:ff:b5:69:90:8f:84:74:ea:97:1b:af Exponent: 3 (0x3) Signed Extensions: Name: Certificate Subject Key ID Data: d2:c4:b0:d2:91:d4:4c:11:71:b3:61:cb:3d:a1:fe:dd: a8:6a:d4:e3 Name: Certificate Authority Key Identifier Issuer: Directory Name: "E=info at 
valicert.com,CN=http://www.valicert.c om/,OU=ValiCert Class 2 Policy Validation Authority,O="Va liCert, Inc.",L=ValiCert Validation Network" Serial Number: 1 (0x1) Name: Certificate Basic Constraints Critical: True Data: Is a CA with no maximum path length. Name: Authority Information Access Method: PKIX Online Certificate Status Protocol Location: URI: "http://ocsp.godaddy.com" Name: CRL Distribution Points URI: "http://certificates.godaddy.com/repository/root.crl" Name: Certificate Policies Data: Policy Name: Certificate Policies AnyPolicy Policy Qualifier Name: PKIX CPS Pointer Qualifier Policy Qualifier Data: "http://certificates.godaddy.com/r epository" Name: Certificate Key Usage Critical: True Usages: Certificate Signing CRL Signing Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption Signature: b5:40:f9:a7:1d:f6:ea:fe:a4:1a:42:5a:44:f7:15:d4: 85:46:89:c0:be:9e:e3:e3:eb:c5:e3:58:89:8f:92:9f: 57:a8:71:2c:48:d1:81:b2:79:1f:ac:06:35:19:b0:4e: 0e:58:1b:14:b3:98:81:d1:04:1e:c8:07:c9:83:9f:78: 44:0a:18:0b:98:dc:76:7a:65:0d:0d:6d:80:c4:0b:01: 1c:cb:ad:47:3e:71:be:77:4b:cc:06:77:d0:f4:56:6b: 1f:4b:13:9a:14:8a:88:23:a8:51:f0:83:4c:ab:35:bf: 46:7e:39:dc:75:a4:ae:e8:29:fb:ef:39:8f:4f:55:67 Fingerprint (MD5): 82:BD:9A:0B:82:6A:0E:3E:91:AD:3E:27:04:2B:3F:45 Fingerprint (SHA1): DE:70:F4:E2:11:6F:7F:DC:E7:5F:9D:13:01:2B:7E:68:7A:3B:2C:62 Friendly Name: Go Daddy Class 2 Certification Authority Certificate: Data: Version: 1 (0x0) Serial Number: 1 (0x1) Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption Issuer: "E=info at valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 2 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network" Validity: Not Before: Sat Jun 26 00:19:54 1999 Not After : Wed Jun 26 00:19:54 2019 Subject: "E=info at valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 2 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCer t Validation Network" Subject Public Key Info: Public Key Algorithm: PKCS #1 RSA Encryption RSA 
Public Key: Modulus: ce:3a:71:ca:e5:ab:c8:59:92:55:d7:ab:d8:74:0e:f9: ee:d9:f6:55:47:59:65:47:0e:05:55:dc:eb:98:36:3c: 5c:53:5d:d3:30:cf:38:ec:bd:41:89:ed:25:42:09:24: 6b:0a:5e:b3:7c:dd:52:2d:4c:e6:d4:d6:7d:5a:59:a9: 65:d4:49:13:2d:24:4d:1c:50:6f:b5:c1:85:54:3b:fe: 71:e4:d3:5c:42:f9:80:e0:91:1a:0a:5b:39:36:67:f3: 3f:55:7c:1b:3f:b4:5f:64:73:34:e3:b4:12:bf:87:64: f8:da:12:ff:37:27:c1:b3:43:bb:ef:7b:6e:2e:69:f7 Exponent: 65537 (0x10001) Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption Signature: 3b:7f:50:6f:6f:50:94:99:49:62:38:38:1f:4b:f8:a5: c8:3e:a7:82:81:f6:2b:c7:e8:c5:ce:e8:3a:10:82:cb: 18:00:8e:4d:bd:a8:58:7f:a1:79:00:b5:bb:e9:8d:af: 41:d9:0f:34:ee:21:81:19:a0:32:49:28:f4:c4:8e:56: d5:52:33:fd:50:d5:7e:99:6c:03:e4:c9:4c:fc:cb:6c: ab:66:b3:4a:21:8c:e5:b5:0c:32:3e:10:b2:cc:6c:a1: dc:9a:98:4c:02:5b:f3:ce:b9:9e:a5:72:0e:4a:b7:3f: 3c:e6:16:68:f8:be:ed:74:4c:bc:5b:d5:62:1f:43:dd Fingerprint (MD5): A9:23:75:9B:BA:49:36:6E:31:C2:DB:F2:E7:66:BA:87 Fingerprint (SHA1): 31:7A:2A:D0:7F:2B:33:5E:F5:A1:C3:4E:4B:57:E8:B7:D8:F1:FC:A6 Friendly Name: valicert.com Certificate(has private key): Data: Version: 3 (0x2) Serial Number: 04:71:37:7b:34:f8:99 Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption Issuer: "serialNumber=07969287,CN=Go Daddy Secure Certification Autho rity,OU=http://certificates.godaddy.com/repository,O="GoDaddy.com , Inc.",L=Scottsdale,ST=Arizona,C=US" ...... Details about my server key removed ......... root : INFO root : INFO root : INFO root : INFO root : INFO root : INFO root : INFO certutil: could not find certificate named "valicert.com": security library: bad database. 
creation of replica failed: Command '/usr/bin/certutil -d /etc/httpd/alias -M -n valicert.com -t CT,CT,' returned non-zero exit status 255
root : DEBUG Command '/usr/bin/certutil -d /etc/httpd/alias -M -n valicert.com -t CT,CT,' returned non-zero exit status 255
  File "/usr/sbin/ipa-replica-install", line 294, in
    main()
  File "/usr/sbin/ipa-replica-install", line 259, in main
    install_http(config)
  File "/usr/sbin/ipa-replica-install", line 146, in install_http
    http.create_instance(config.realm_name, config.host_name, config.domain_name, False, pkcs12_info)
  File "/usr/lib/python2.5/site-packages/ipaserver/httpinstance.py", line 81, in create_instance
    self.start_creation("Configuring the web interface")
  File "/usr/lib/python2.5/site-packages/ipaserver/service.py", line 139, in start_creation
    method()
  File "/usr/lib/python2.5/site-packages/ipaserver/httpinstance.py", line 160, in __setup_ssl
    ca.create_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1], passwd="")
  File "/usr/lib/python2.5/site-packages/ipaserver/certs.py", line 476, in create_from_pkcs12
    self.trust_root_cert(nickname)
  File "/usr/lib/python2.5/site-packages/ipaserver/certs.py", line 390, in trust_root_cert
    "-t", "CT,CT,"])
  File "/usr/lib/python2.5/site-packages/ipaserver/certs.py", line 133, in run_certutil
    return ipautil.run(new_args, stdin)
  File "/usr/lib/python2.5/site-packages/ipa/ipautil.py", line 97, in run
    raise CalledProcessError(p.returncode, ' '.join(args))

[root at replica ~]# certutil -L -d /etc/httpd/alias

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
Go Daddy Secure Certification Authority                      CT,C,
Go Daddy Class 2 Certification Authority                     CT,C,

Rob Crittenden wrote:
> James Roman wrote:
>> OK I am still running into a similar problem when installing the
>> replica server. It appears that the problem stems from the chained CA
>> certificates from GoDaddy again. On the replica server, all the certs
>> appear to be installed properly. The script is choking when modifying
>> the trust arguments. It looks like it is grabbing the certificate
>> name from the wrong place again.
>
> This should be fixed in ipa v1.2.2 which is in the Fedora
> updates-testing repo.
>
> rob
>
>>
>>
>> ipa-replica-install Error:
>>
>> NOTE: Take a look at where the quotes are showing up in the "certutil
>> -d" lines.
>>
>> root : DEBUG [10/17]: configuring ssl for ds instance
>> [10/17]: configuring ssl for ds instance
>> root : DEBUG Loading Index file from
>> '/var/lib/ipa/sysrestore/sysrestore.index'
>> root : INFO root : INFO root : INFO
>> pk12util: PKCS12 IMPORT SUCCESSFUL
>>
>> root : INFO root : INFO root : INFO
>> certutil: could not find certificate named "valicert.com"
>> [E=info at valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 2
>> Policy Validation Authority,O="ValiCert, Inc.": The security card or
>> token does not exist, needs to be initialized, or has been removed.
>>
>> creation of replica failed: Command '/usr/bin/certutil -d
>> /etc/dirsrv/slapd-REALM-COM/ -M -n valicert.com"
>> [E=info at valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 2
>> Policy Validation Authority,O="ValiCert, Inc. -t CT,CT,' returned
>> non-zero exit status 255
>> root : DEBUG Command '/usr/bin/certutil -d
>> /etc/dirsrv/slapd-REALM-COM/ -M -n valicert.com"
>> [E=info at valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 2
>> Policy Validation Authority,O="ValiCert, Inc. -t CT,CT,' returned
>> non-zero exit status 255
>> File "/usr/sbin/ipa-replica-install", line 294, in
>> main()
>>
>> File "/usr/sbin/ipa-replica-install", line 244, in main
>> ds = install_ds(config)
>>
>> File "/usr/sbin/ipa-replica-install", line 115, in install_ds
>> ds.create_instance(config.ds_user, config.realm_name,
>> config.host_name, config.domain_name, config.dirman_password,
>> pkcs12_info)
>>
>> File "/usr/lib/python2.5/site-packages/ipaserver/dsinstance.py",
>> line 193, in create_instance
>> self.start_creation("Configuring directory server:")
>>
>> File "/usr/lib/python2.5/site-packages/ipaserver/service.py", line
>> 139, in start_creation
>> method()
>>
>> File "/usr/lib/python2.5/site-packages/ipaserver/dsinstance.py",
>> line 345, in __enable_ssl
>> ca.create_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1])
>>
>> File "/usr/lib/python2.5/site-packages/ipaserver/certs.py", line
>> 403, in create_from_pkcs12
>> self.trust_root_cert(nickname)
>>
>> File "/usr/lib/python2.5/site-packages/ipaserver/certs.py", line
>> 322, in trust_root_cert
>> "-t", "CT,CT,"])
>>
>> File "/usr/lib/python2.5/site-packages/ipaserver/certs.py", line
>> 126, in run_certutil
>> return ipautil.run(new_args, stdin)
>>
>> File "/usr/lib/python2.5/site-packages/ipa/ipautil.py", line 97, in run
>> raise CalledProcessError(p.returncode, ' '.join(args))
>>
>>
>> Replica server Cert DB:
>>
>> [root at replica slapd-REALM-COM]# certutil -L -d .
>>
>> Certificate Nickname                                Trust Attributes
>>                                                     SSL,S/MIME,JAR/XPI
>>
>> Server-Cert                                         u,u,u
>> Go Daddy Secure Certification Authority             ,,
>> Go Daddy Class 2 Certification Authority            ,,
>> valicert.com                                        ,,
>>
>> Rob Crittenden wrote:
>>> James Roman wrote:
>>>> Can anyone elaborate on the options for the ipa-replica-prepare
>>>> command? I have a third party signed certificate for both my master
>>>> and replica server. Am I supposed to provide the PKCS12 file for
>>>> the master server or the replica?
>>>> If it is looking for the master server, I really don't want the
>>>> script generating a new certificate for the replica. I already have
>>>> one. Any way to by-pass that option?
>>>
>>> The PKCS#12 file(s) are for the replica server. If you provide both
>>> then IPA will not attempt to generate one.
>>>
>>> rob
>>
>

From jrobertm8 at yahoo.com Tue Sep 15 06:15:55 2009
From: jrobertm8 at yahoo.com (John Robert Mendoza)
Date: Mon, 14 Sep 2009 23:15:55 -0700 (PDT)
Subject: [Freeipa-users] Migrate data from OpenLdap to FreeIPA
In-Reply-To:
Message-ID: <517996.39007.qm@web76316.mail.sg1.yahoo.com>

Hi Thu, Rob, and All,

Have you made the necessary migration to FreeIPA? I too have migrated
from an OpenLDAP to freeipa but have encountered some problems.

After I have imported all the users from the OpenLDAP server to FreeIPA,
I can't seem to get a Kerberos ticket. Is there any workaround on how I
can make this migration work? All the entries have been successfully
added and bind to the FreeIPA server works but doing kinit doesn't.

TIA.

John Robert Mendoza

--- On Fri, 8/14/09, Thu Nguyen Thi Anh wrote:

From: Thu Nguyen Thi Anh
Subject: RE: [Freeipa-users] Migrate data from OpenLdap to FreeIPA
To: "Rob Crittenden" , "Thu Nguyen"
Cc: freeipa-users at redhat.com
Date: Friday, 14 August, 2009, 6:56 PM

Thanks Rob very much. I will try of course on the test system :)

-----Original Message-----
From: Rob Crittenden [mailto:rcritten at redhat.com]
Sent: Tue 6/30/2009 12:58 AM
To: Thu Nguyen
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Migrate data from OpenLdap to FreeIPA

Thu Nguyen wrote:
> Dear all,
>
> I did use OpenLDAP for our system which used to authenticate all web
> services (bugzilla, svn,..) and mail service (dovecot). Now I would
> like to replace it by FreeIPA. Would you please instruct (step-by-step
> if possible) how to migrate all data/structures from OpenLDAP to FreeIPA?

We don't currently have instructions on how to do this. Basically what
you need to do is:

- install freeIPA
- get an ldif dump of your OpenLDAP server
- remove any unneeded structural and configuration options from the ldif
- convert this ldif to the IPA DIT
- load the ldif

You can see the DIT we use at http://freeipa.org/page/UsingRhdsWithIpa

When converting to our DIT you'll also need to ensure that the user
entries are set up properly. This means having:

- the krbprincipalname attribute set to @
- update the objectclass list
- set gidnumber to the ipausers group

You'll end up with a bunch of users that will work with simple auth but
don't have kerberos keys yet so kinit will fail. You'll need to create
some mechanism where they authenticate using their user password in
order to get kerberos keys.

And of course, do this on a test system first to make sure I haven't
missed something :-)

rob

_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

From rcritten at redhat.com Tue Sep 15 12:30:14 2009
From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 15 Sep 2009 08:30:14 -0400 Subject: [Freeipa-users] Migrate data from OpenLdap to FreeIPA In-Reply-To: <517996.39007.qm@web76316.mail.sg1.yahoo.com> References: <517996.39007.qm@web76316.mail.sg1.yahoo.com> Message-ID: <4AAF88D6.40805@redhat.com> John Robert Mendoza wrote: > Hi Thu, Rob, and All, > > Have you made the necessary migration to FreeIPA. I too have migrated > from an OpenLDAP to freeipa but have encountered some problems. > > After I have imported all the users from the OpenLDAP server to FreeIPA, > I can't seem to get a Kerberos ticket. Is there any workaround on how I > can make this migration work. All the entries have been successfully > added and bind to the FreeIPA server works but doing kinit doesn't. > You're probably lacking at least kerberos keys. Did you set the krbprinicpalname on each entry? In order to generate the kerberos keys you need a cleartext password which is why it isn't as simple as loading an LDIF. If you change the password of your users that should generate the keys assuming they have the appropriate object class (krbprincipalaux). We are working on a mechanism where a user will be able to authenticate using their migrated password and this will generate the kerberos keys but it isn't quite finished yet. rob > TIA. > > John Robert Mendoza > > --- On *Fri, 8/14/09, Thu Nguyen Thi Anh //* wrote: > > > From: Thu Nguyen Thi Anh > Subject: RE: [Freeipa-users] Migrate data from OpenLdap to FreeIPA > To: "Rob Crittenden" , "Thu Nguyen" > > Cc: freeipa-users at redhat.com > Date: Friday, 14 August, 2009, 6:56 PM > > Thanks Rob very much. I will try of course on the test system :) > > > -----Original Message----- 
> From: Rob Crittenden [mailto:rcritten at redhat.com] > Sent: Tue 6/30/2009 12:58 AM > To: Thu Nguyen > Cc: freeipa-users at redhat.com > Subject: Re: [Freeipa-users] Migrate data from OpenLdap to FreeIPA > > Thu Nguyen wrote: > > Dear all, > > > > > > > > I did use OpenLDAP for our system which used to authenticate all web > > services (bugzilla, svn,..) and mail service (dovecot) . Now I would > > like to replace it by FreeIPA. Would you please instruct > (step-by-step > > if possible) how to migrate all data/structures from OpenLDAP to > FreeIPA? > > > > We don't currently have instructions on how to do this. > > Basically what you need to do is: > > - install freeIPA > - get an ldif dump of your OpenLDAP server > - remove any unneeded structural and configuration options from the ldif > - convert this ldif to the IPA DIT > - load the ldif > > You can see the DIT we use at http://freeipa.org/page/UsingRhdsWithIpa > > When converting to our DIT you'll also need to ensure that the user > entries are set up properly. This means having: > > - the krbprincipalname attribute set to @ > - update the objectclass list > - set gidnumber to the ipausers group > > You'll end up with a bunch of users that will work with simple auth but > don't have kerberos keys yet so kinit will fail. You'll need to create > some mechanism where they authenticate using their user password in > order to get kerberos keys. > > And of course, do this on a test system first to make sure I haven't > missed something :-) > > rob > > > > -----Inline Attachment Follows----- > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > > > ------------------------------------------------------------------------ > Importing contacts has never been easier. > > > Bring your friends over to Yahoo! Mail today! -------------- next part -------------- A non-text attachment was scrubbed... 
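The LDIF reshaping Rob lists above (drop unneeded attributes, move entries into the IPA DIT, set krbprincipalname, update the objectclass list with krbprincipalaux, set gidnumber to the ipausers group), as an added example written for this archive rather than code from the thread or from FreeIPA. It assumes the principal form uid@REALM, that IPA v1 keeps users under cn=users,cn=accounts,<suffix>, and that the caller supplies the ipausers gid; the sample LDIF is constructed, and the list of OpenLDAP operational attributes is OpenLDAP's standard set.

```python
import base64

# Constructed sample OpenLDAP dump (not from the thread): one user, one group.
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=People,dc=old,dc=example
objectClass: inetOrgPerson
objectClass: posixAccount
uid: jdoe
cn: John Doe
gidNumber: 1001
userPassword:: e1NTSEF9YWJj
description: a long description that
  continues on the next line
entryUUID: 00000000-0000-0000-0000-000000000001

dn: cn=staff,ou=Group,dc=old,dc=example
objectClass: posixGroup
cn: staff
gidNumber: 1001
"""

# OpenLDAP operational attributes; they must not be loaded into the IPA server.
OPERATIONAL_ATTRS = {"entryuuid", "entrycsn", "entrydn", "creatorsname",
                     "modifiersname", "createtimestamp", "modifytimestamp",
                     "structuralobjectclass", "hassubordinates"}


def unfold(text):
    """Undo RFC 2849 line folding; returns the logical lines of the dump."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]        # continuation: drop its one leading space
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Parse a dump into entries: lists of (attr, value) pairs, dn first."""
    entries, current = [], []
    for line in unfold(text) + [""]:
        if line == "":                  # a blank line ends an entry
            if current:
                entries.append(current)
            current = []
        elif not line.startswith("#") and not line.lower().startswith("version:"):
            attr, _, value = line.partition(":")
            if value.startswith(":"):   # base64 value (attr:: ...)
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "surrogateescape")
            else:
                value = value.strip()
            current.append((attr.strip(), value))
    return entries


def values(entry, attr):
    """All values of attr in entry (LDAP attribute names are case-insensitive)."""
    return [v for a, v in entry if a.lower() == attr.lower()]


def convert_user(entry, realm, users_base, ipausers_gid):
    """Reshape one OpenLDAP user for the IPA DIT; None for non-user entries."""
    classes = [c.lower() for c in values(entry, "objectClass")]
    if "posixaccount" not in classes:
        return None
    uids = values(entry, "uid")
    if len(uids) != 1:
        raise ValueError("expected exactly one uid in %s" % entry[0][1])
    new = [("dn", "uid=%s,%s" % (uids[0], users_base))]   # assumed users container
    for attr, value in entry:
        key = attr.lower()
        if key in ("dn", "gidnumber") or key in OPERATIONAL_ATTRS:
            continue                    # old DN, old primary gid, operational data
        new.append((attr, value))       # userPassword stays: simple bind keeps working
    if "krbprincipalaux" not in classes:
        new.append(("objectClass", "krbprincipalaux"))
    # uid@REALM is an assumption. No Kerberos keys exist yet, so kinit still
    # fails until each user's password is changed, as Rob explains.
    new.append(("krbPrincipalName", "%s@%s" % (uids[0], realm)))
    new.append(("gidNumber", str(ipausers_gid)))
    return new


def to_ldif(entry):
    """Serialize one entry; values outside RFC 2849 SAFE-STRING are :: base64."""
    def fmt(attr, value):
        if value and value[0] not in " :<" and all(ord(c) < 128 and c not in "\r\n\0" for c in value):
            return "%s: %s" % (attr, value)
        enc = base64.b64encode(value.encode("utf-8", "surrogateescape")).decode("ascii")
        return "%s:: %s" % (attr, enc)
    return "\n".join(fmt(a, v) for a, v in entry) + "\n"


def convert_dump(text, realm, users_base, ipausers_gid):
    """Convert a whole dump; returns (ldif_text, number_of_skipped_entries)."""
    users = [convert_user(e, realm, users_base, ipausers_gid) for e in parse_ldif(text)]
    kept = [u for u in users if u is not None]
    return "\n".join(to_ldif(u) for u in kept), len(users) - len(kept)
```

Group entries are skipped rather than converted, since the thread only covers the user side; the ipausers gid passed in must match the group already created by the IPA install.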
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From rcritten at redhat.com Tue Sep 15 12:50:01 2009 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 15 Sep 2009 08:50:01 -0400 Subject: [Freeipa-users] ipa-replica-prepare clarification In-Reply-To: <4AAE85D9.4050709@ssaihq.com> References: <4AAAC077.5080505@ssaihq.com> <4AAB916E.8090506@redhat.com> <4AAE62AA.2060705@ssaihq.com> <4AAE678B.4010901@redhat.com> <4AAE85D9.4050709@ssaihq.com> Message-ID: <4AAF8D79.7090101@redhat.com> James Roman wrote: > I installed the 1.2.2-1 version from the test repo. I get really close > to the end, but it is still bombing when trying to set the trust > permissions on the web server cert. For some reason the final cert in > the chain did not get installed into the /etc/httpd/alias directory. All > worked fine for the directory server. Strange, Does the valicert.com certificate exist in the DS database? I guess I assumed that if the certificate was in the PKCS#12 file then it would be loaded by NSS. That doesn't seem to be the case. This patch should help. It will log the failure of setting trust but will continue. If the certificate is indeed not needed then it shouldn't hurt anything. diff --git a/ipa-server/ipaserver/certs.py b/ipa-server/ipaserver/certs.py index 95e6ac7..3782acf 100644 --- a/ipa-server/ipaserver/certs.py +++ b/ipa-server/ipaserver/certs.py 
@@ -386,8 +386,11 @@ class CertDB(object): if root_nickname[:7] == "Builtin": logging.debug("No need to add trust for built-in root CA's, skippi else: - self.run_certutil(["-M", "-n", root_nickname, - "-t", "CT,CT,"]) + try: + self.run_certutil(["-M", "-n", root_nickname, + "-t", "CT,CT,"]) + except ipautil.CalledProcessError, e: + logging.error("Setting trust on %s failed" % root_nickname) def find_server_certs(self): p = subprocess.Popen(["/usr/bin/certutil", "-d", self.secdir, The file to modify on an installed system is /usr/lib[64]/python*/site-packages/ipaserver/certs.py Let me know if this fixes it for you and I'll see about getting this committed. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From james.roman at ssaihq.com Tue Sep 15 14:00:29 2009 
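Review bot: in the new except branch `e` is bound but never used, so the only record of a failure is "Setting trust on <nickname> failed" with no return code and no certutil output; include the exception in the message, e.g. `logging.error("Setting trust on %s failed: %s" % (root_nickname, e))`, so the log explains why the trust could not be set. Catching the error also turns a failed `certutil -M -n <nickname> -t CT,CT,` into a non-fatal event, so the install can finish with a CA in the NSS database that carries no trust flags and only an error line to show for it; that is fine for a certificate the chain does not need (the case under discussion), but the install should still fail, or re-check trust at the end, when the nickname is a root the server cert actually chains to. Minor: `except ipautil.CalledProcessError, e:` is Python 2 only syntax; it works on the python2.5 tree shown in the traceback, but `except ... as e:` is the forward-compatible form from 2.6 on.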
From: james.roman at ssaihq.com (James Roman) Date: Tue, 15 Sep 2009 10:00:29 -0400 Subject: [Freeipa-users] ipa-replica-prepare clarification In-Reply-To: <4AAF8D79.7090101@redhat.com> References: <4AAAC077.5080505@ssaihq.com> <4AAB916E.8090506@redhat.com> <4AAE62AA.2060705@ssaihq.com> <4AAE678B.4010901@redhat.com> <4AAE85D9.4050709@ssaihq.com> <4AAF8D79.7090101@redhat.com> Message-ID: <4AAF9DFD.9010808@ssaihq.com> Yes the valicert.com certificate did get installed in the DS cert database and then subsequently failed to install in the web server database. I can't find any output to indicate why it was missed. The answer to your next question is yes, I did specify the same PKCS12 certificate file and pin for the dirsrv and http options when I ran ipa-replica-prepare. Now I am getting past the certificate trust failure, but have encountered a whole new set of problems. My Directory server is failing to start with the following error: Starting dirsrv: REALM-COM...[15/Sep/2009:09:39:18 -0400] dse - The entry cn=schema in file /etc/dirsrv/slapd-REALM-COM/schema/99user.ldif is invalid, error code 21 (Invalid syntax) - object class nsAIMpresence: Unknown allowed attribute type "nsaimid" [15/Sep/2009:09:39:18 -0400] dse - Please edit the file to correct the reported problems and then restart the server. I am pretty sure I know why this is happening, I'm just not sure how I want to address it. My Master is a FC9 install, my replica is a FC10 install. My master was installed as FC9 due to issues loading FC10 into a Cent 5 Xen VM. Now that I've overcome those, I was hoping that I could go this route to provide a migration path. Perhaps not. This will be subject of a new thread. Rob Crittenden wrote: > James Roman wrote: >> I installed the 1.2.2-1 version from the test repo. I get really >> close to the end, but it is still bombing when trying to set the >> trust permissions on the web server cert. 
For some reason the final >> cert in the chain did not get installed into the /etc/httpd/alias >> directory. All worked fine for the directory server. > > Strange, Does the valicert.com certificate exist in the DS database? > > I guess I assumed that if the certificate was in the PKCS#12 file then > it would be loaded by NSS. That doesn't seem to be the case. > > This patch should help. It will log the failure of setting trust but > will continue. If the certificate is indeed not needed then it > shouldn't hurt anything. > > diff --git a/ipa-server/ipaserver/certs.py > b/ipa-server/ipaserver/certs.py > index 95e6ac7..3782acf 100644 > --- a/ipa-server/ipaserver/certs.py > +++ b/ipa-server/ipaserver/certs.py > @@ -386,8 +386,11 @@ class CertDB(object): > if root_nickname[:7] == "Builtin": > logging.debug("No need to add trust for built-in root > CA's, skippi > else: > - self.run_certutil(["-M", "-n", root_nickname, > - "-t", "CT,CT,"]) > + try: > + self.run_certutil(["-M", "-n", root_nickname, > + "-t", "CT,CT,"]) > + except ipautil.CalledProcessError, e: > + logging.error("Setting trust on %s failed" % > root_nickname) > > def find_server_certs(self): > p = subprocess.Popen(["/usr/bin/certutil", "-d", self.secdir, > > The file to modify on an installed system is > /usr/lib[64]/python*/site-packages/ipaserver/certs.py > > Let me know if this fixes it for you and I'll see about getting this > committed. > > rob From rcritten at redhat.com Tue Sep 15 17:33:23 2009 
From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 15 Sep 2009 13:33:23 -0400 Subject: [Freeipa-users] ipa-replica-prepare clarification In-Reply-To: <4AAF9DFD.9010808@ssaihq.com> References: <4AAAC077.5080505@ssaihq.com> <4AAB916E.8090506@redhat.com> <4AAE62AA.2060705@ssaihq.com> <4AAE678B.4010901@redhat.com> <4AAE85D9.4050709@ssaihq.com> <4AAF8D79.7090101@redhat.com> <4AAF9DFD.9010808@ssaihq.com> Message-ID: <4AAFCFE3.5030900@redhat.com> James Roman wrote: > Yes the valicert.com certificate did get installed in the DS cert > database and then subsequently failed to install in the web server > database. I can't find any output to indicate why it was missed. The > answer to your next question is yes, I did specify the same PKCS12 > certificate file and pin for the dirsrv and http options when I ran > ipa-replica-prepare. > > Now I am getting past the certificate trust failure, but have > encountered a whole new set of problems. My Directory server is failing > to start with the following error: > > Starting dirsrv: > REALM-COM...[15/Sep/2009:09:39:18 -0400] dse - The entry cn=schema in > file /etc/dirsrv/slapd-REALM-COM/schema/99user.ldif is invalid, error > code 21 (Invalid syntax) - object class nsAIMpresence: Unknown allowed > attribute type "nsaimid" > [15/Sep/2009:09:39:18 -0400] dse - Please edit the file to correct the > reported problems and then restart the server. > > I am pretty sure I know why this is happening, I'm just not sure how I > want to address it. My Master is a FC9 install, my replica is a FC10 > install. My master was installed as FC9 due to issues loading FC10 into > a Cent 5 Xen VM. Now that I've overcome those, I was hoping that I could > go this route to provide a migration path. Perhaps not. This will be > subject of a new thread. I've seen this happen too, it is a bug in 389-DS I think. It doesn't happen all the time though, I've worked around it by trying the replica installation again. 
rob > > Rob Crittenden wrote: >> James Roman wrote: >>> I installed the 1.2.2-1 version from the test repo. I get really >>> close to the end, but it is still bombing when trying to set the >>> trust permissions on the web server cert. For some reason the final >>> cert in the chain did not get installed into the /etc/httpd/alias >>> directory. All worked fine for the directory server. >> >> Strange, Does the valicert.com certificate exist in the DS database? >> >> I guess I assumed that if the certificate was in the PKCS#12 file then >> it would be loaded by NSS. That doesn't seem to be the case. >> >> This patch should help. It will log the failure of setting trust but >> will continue. If the certificate is indeed not needed then it >> shouldn't hurt anything. >> >> diff --git a/ipa-server/ipaserver/certs.py >> b/ipa-server/ipaserver/certs.py >> index 95e6ac7..3782acf 100644 >> --- a/ipa-server/ipaserver/certs.py >> +++ b/ipa-server/ipaserver/certs.py >> @@ -386,8 +386,11 @@ class CertDB(object): >> if root_nickname[:7] == "Builtin": >> logging.debug("No need to add trust for built-in root >> CA's, skippi >> else: >> - self.run_certutil(["-M", "-n", root_nickname, >> - "-t", "CT,CT,"]) >> + try: >> + self.run_certutil(["-M", "-n", root_nickname, >> + "-t", "CT,CT,"]) >> + except ipautil.CalledProcessError, e: >> + logging.error("Setting trust on %s failed" % >> root_nickname) >> >> def find_server_certs(self): >> p = subprocess.Popen(["/usr/bin/certutil", "-d", self.secdir, >> >> The file to modify on an installed system is >> /usr/lib[64]/python*/site-packages/ipaserver/certs.py >> >> Let me know if this fixes it for you and I'll see about getting this >> committed. >> >> rob > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From rcritten at redhat.com Tue Sep 15 17:58:22 2009 
From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 15 Sep 2009 13:58:22 -0400 Subject: [Freeipa-users] FreeIPA v1.2.2 released Message-ID: <4AAFD5BE.4080008@redhat.com> The FreeIPA Project (http://freeipa.org) is proud to present FreeIPA version 1.22. FreeIPA is an integrated security information management solution combining Linux (Fedora), Fedora Directory Server, MIT Kerberos and NTP. FreeIPA binds together a number of technologies and adds a web interface and command-line administration tools. Currently it supports identity management with plans to support policy and auditing management. This is a bugfix release. The main bugs addressed are: * Fix group deletion in the web UI. 484050 * Make the web UI work when both python-cherrypy and python-cherrypy2 are installed. 505686 * Fix some Python 2.6 deprecation warnings * Change method used to determine CAs to trust. 509111 * Add the CA constraint to the self-signed CA IPA generates. 514027 If you are upgrading an existing IPA installation see http://freeipa.org/page/NewCA for details on re-issuing the CA so it will work with FF 3.5 The Fedora packages are currently in updates-testing and will be moved to updates on Thursday, Sept 17. You can install/upgrade from the Fedora testing repository with: # yum --enablerepo updates-testing install ipa-server The FreeIPA Project Team. -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: Attached Message Part URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From dpal at redhat.com Tue Sep 15 19:55:24 2009 
From: dpal at redhat.com (Dmitri Pal) Date: Tue, 15 Sep 2009 15:55:24 -0400 Subject: [Freeipa-users] IPA license Message-ID: <4AAFF12C.50107@redhat.com> Hello, We are considering to release freeIPA v2 under a less restrictive license than we used in IPA v1. It was "GPLv2 only" in v1.x and we think about "GPLv2 and later" or "GPLv3 and later". Please respond to this mail if there are any suggestions, comments or concerns. -- Thank you, Dmitri Pal Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From amrossi at linux.it Tue Sep 15 20:59:42 2009 From: amrossi at linux.it (Andrea Modesto Rossi) Date: Tue, 15 Sep 2009 22:59:42 +0200 (CEST) Subject: [Freeipa-users] IPA license In-Reply-To: <4AAFF12C.50107@redhat.com> References: <4AAFF12C.50107@redhat.com> Message-ID: <54027.79.30.159.52.1253048382.squirrel@picard.linux.it> On Tue, 15 September 2009 9:55 pm, Dmitri Pal wrote: > > We are considering to release freeIPA v2 under a less restrictive > license than we used in IPA v1. > It was "GPLv2 only" in v1.x and we think about "GPLv2 and later" or > "GPLv3 and later". > Please respond to this mail if there are any suggestions, comments or > concerns. Well, GPL3 is a good idea but is there a particular reason to change license policy? -- Andrea Modesto Rossi Fedora Ambassador +---------------------------------------------------------------------+ | Nice. What do we tell them? That they are all shitty monopolist assholes, | | with their patented protocols and their Windows-y drivers? | | I'm in! | | Alessandro Rubini | +---------------------------------------------------------------------+ From dpal at redhat.com Tue Sep 15 22:09:28 2009
From: dpal at redhat.com (Dmitri Pal) Date: Tue, 15 Sep 2009 18:09:28 -0400 Subject: [Freeipa-devel] Re: [Freeipa-users] IPA license In-Reply-To: <54027.79.30.159.52.1253048382.squirrel@picard.linux.it> References: <4AAFF12C.50107@redhat.com> <54027.79.30.159.52.1253048382.squirrel@picard.linux.it> Message-ID: <4AB01098.8030604@redhat.com> Andrea Modesto Rossi wrote: > On Mar, 15 Settembre 2009 9:55 pm, Dmitri Pal wrote: > >> We are considering to release freeIPA v2 under a less restrictive >> license than we used in IPA v1. >> It was "GPLv2 only" in v1.x and we think about "GPLv2 and later" or >> "GPLv3 and later". >> Please respond to this mail if there are any suggestions, comments or >> concerns. >> > > > Well, GPL3 is a good idea but ts there a particular reason to change > license policy? > > > It is just the fact that we came up with other components that we want to treat independently. It makes sense to license them with more flexible license for better adoption but exiting freeIPA license would create obstacles for it. -- Thank you, Dmitri Pal Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From jderose at redhat.com Wed Sep 16 04:00:41 2009 
From: jderose at redhat.com (Jason Gerard DeRose) Date: Tue, 15 Sep 2009 22:00:41 -0600 Subject: [Freeipa-devel] Re: [Freeipa-users] IPA license In-Reply-To: <4AB01098.8030604@redhat.com> References: <4AAFF12C.50107@redhat.com> <54027.79.30.159.52.1253048382.squirrel@picard.linux.it> <4AB01098.8030604@redhat.com> Message-ID: <1253073641.7182.30.camel@jgd-dsk> On Tue, 2009-09-15 at 18:09 -0400, Dmitri Pal wrote: > Andrea Modesto Rossi wrote: > > On Mar, 15 Settembre 2009 9:55 pm, Dmitri Pal wrote: > > > >> We are considering to release freeIPA v2 under a less restrictive > >> license than we used in IPA v1. > >> It was "GPLv2 only" in v1.x and we think about "GPLv2 and later" or > >> "GPLv3 and later". > >> Please respond to this mail if there are any suggestions, comments or > >> concerns. > >> > > > > > > Well, GPL3 is a good idea but ts there a particular reason to change > > license policy? > > > > > > > It is just the fact that we came up with other components that we want > to treat > independently. It makes sense to license them with more flexible license > for better adoption but exiting freeIPA license would create obstacles > for it. Andrea, To elaborate on what Dmitri said, I would like to license the widget library used for the IPAv2 WebUI under GPLv3+ or LGPLv3+, but unfortunately there's a weird gotcha that prevents IPA under "GPLv2 only" from using any (L)GPLv3 libraries. This wouldn't be a problem if IPA was "GPLv2 or later" instead of "GPLv2 only", but I think the consensus is that as long as we make any change to the IPA license, we might as well migrate to "GPLv3 or later" (or at least that's my opinion). Although the widget library is the first place we encountered this gotcha with "GPLv2 only", I'm sure it will come up again in the near future, especially as IPA has such a plugin-focused architecture. 
If I understand the situation correctly, as it stands now you can't write an IPA plugin that links to (um, imports) any (L)GPLv3 libraries/modules, which is obviously far too restrictive and really limits what the community can do with the code. So sooner or later we're going to have to make this change. In an internal email conversation, Simo pointed me to this helpful chart: http://www.fsf.org/licensing/licenses/gpl-faq.html#AllCompatibility Thoughts? Cheers, Jason From jrobertm8 at yahoo.com Wed Sep 16 05:24:21 2009 From: jrobertm8 at yahoo.com (John Robert Mendoza) Date: Tue, 15 Sep 2009 22:24:21 -0700 (PDT) Subject: [Freeipa-users] Migrate data from OpenLdap to FreeIPA In-Reply-To: <4AAF88D6.40805@redhat.com> Message-ID: <718175.22555.qm@web76304.mail.sg1.yahoo.com> Thanks Rob for your reply. I'll keep you all updated on my migration. Bert John Robert Mendoza --- On Tue, 9/15/09, Rob Crittenden wrote: 
URL: From james.roman at ssaihq.com Wed Sep 16 18:22:03 2009 From: james.roman at ssaihq.com (James Roman) Date: Wed, 16 Sep 2009 14:22:03 -0400 Subject: [Freeipa-users] ipa-replica-prepare clarification In-Reply-To: <4AAFCFE3.5030900@redhat.com> References: <4AAAC077.5080505@ssaihq.com> <4AAB916E.8090506@redhat.com> <4AAE62AA.2060705@ssaihq.com> <4AAE678B.4010901@redhat.com> <4AAE85D9.4050709@ssaihq.com> <4AAF8D79.7090101@redhat.com> <4AAF9DFD.9010808@ssaihq.com> <4AAFCFE3.5030900@redhat.com> Message-ID: <4AB12CCB.2060601@ssaihq.com> In case any one runs into this error while trying to create a replica: Starting dirsrv: REALM-COM...[15/Sep/2009:09:39:18 -0400] dse - The entry cn=schema in file /etc/dirsrv/slapd-REALM-COM/schema/##xxxxxx.ldif is invalid, error code 21 (Invalid syntax) - object class nsAIMpresence: Unknown allowed attribute type "nsaimid" [15/Sep/2009:09:39:18 -0400] dse - Please edit the file to correct the reported problems and then restart the server. In this case, all customizations had been added to the /etc/dirsrv/slapd--COM/schema/99user.ldif file. Simply commenting out the offending parts of the schema was sufficient to start the replica directory server. It looks like the specific attribute is supposed to be nsAIMid, not nsaimid. From rcritten at redhat.com Thu Sep 17 12:54:10 2009 
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 17 Sep 2009 08:54:10 -0400 Subject: [Freeipa-users] ipa-replica-prepare clarification In-Reply-To: <4AB12CCB.2060601@ssaihq.com> References: <4AAAC077.5080505@ssaihq.com> <4AAB916E.8090506@redhat.com> <4AAE62AA.2060705@ssaihq.com> <4AAE678B.4010901@redhat.com> <4AAE85D9.4050709@ssaihq.com> <4AAF8D79.7090101@redhat.com> <4AAF9DFD.9010808@ssaihq.com> <4AAFCFE3.5030900@redhat.com> <4AB12CCB.2060601@ssaihq.com> Message-ID: <4AB23172.7040707@redhat.com> James Roman wrote: > In case any one runs into this error while trying to create a replica: > > Starting dirsrv: > REALM-COM...[15/Sep/2009:09:39:18 -0400] dse - The entry cn=schema in > file /etc/dirsrv/slapd-REALM-COM/schema/##xxxxxx.ldif is invalid, error > code 21 (Invalid syntax) - object class nsAIMpresence: Unknown allowed > attribute type "nsaimid" > [15/Sep/2009:09:39:18 -0400] dse - Please edit the file to correct the > reported problems and then restart the server. > > In this case, all customizations had been added to the > /etc/dirsrv/slapd--COM/schema/99user.ldif file. Simply commenting > out the offending parts of the schema was sufficient to start the > replica directory server. It looks like the specific attribute is > supposed to be nsAIMid, not nsaimid. I'm not sure why 99user.ldif is getting confused but it is not case sensitive so this isn't the problem. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From kambiz at mcnc.org Mon Sep 21 13:37:25 2009 
From: kambiz at mcnc.org (Kambiz Aghaiepour) Date: Mon, 21 Sep 2009 09:37:25 -0400 Subject: [Freeipa-users] question about password sync .... Message-ID: <4AB78195.3030601@mcnc.org> I have setup cross-realm trust between AD and the Kerberos KDC component of FreeIPA (1.2.1). What I'd like to do is to setup a one-way password sync going from FreeIPA -> AD. Windows users always select the Kerberos Realm (of FreeIPA) when logging into machines joined to the AD domain. However, for various reasons it would be nice to have the AD password in sync with the FreeIPA password. Since users will always be authenticating against FreeIPA, is it possible to setup a one-way password sync such that when passwords are changed in FreeIPA, the new password is propagated to the AD domain controller(s)? And if so, can this be done without installing the PassSync.msi on each of the domain controllers? (I want to ensure that the password expirations are in sync; that's the only thing I actually care about, since as far as the users are concerned, their AD passwords can be taken away from them and made into sufficiently complex random strings, and expirations on AD turned off; but I doubt I can convince others to go along with that approach). Kambiz -- "All tyranny needs to gain a foothold is for people of good conscience to remain silent." --Thomas Jefferson From psundaram at wgen.net Mon Sep 21 15:28:51 2009 
From: psundaram at wgen.net (Prashanth Sundaram) Date: Mon, 21 Sep 2009 11:28:51 -0400 Subject: [Freeipa-users] 389-ds and AD integration questions Message-ID: Dear FreeIPA community, I have a bunch of requirements that I am looking for from ipa-server. Please clarify if these are possible. Background: We are planning to deploy 389-ds (formerly Fedora DS) as our core LDAP server in a Multi-Master Replication scenario. We will be having a set of slave servers to cater to different locations. We want to integrate password authentication with MS Active Directory. 389-DS offers a PAM Pass-thru plugin, but it has been quite difficult to configure the parameters and Kerberos to get that working. Some of the features I am looking for are: 1. Easy setup of PAM Pass-thru, where 389-ds queries Active Directory for the password. 2. Syncing new users automatically between AD and 389-ds including UNIX attributes in AD (after installing SFU 3.5). Though a Windows Sync agreement does it, we are looking for finer control over the OUs and objectclasses/attributes imported. 3. Password changes in the Unix world reflected on AD. 4. Netgroups, adding hosts to the Directory server and having an inventory with hostname and IP address and/or performing basic host tasks. 5. Create ACIs such that the support team only has access to create LDAP accounts and update group memberships. 6. How easy is it going to be if upgraded from 1.2.2 to 2.0? Any issues anticipated? I am still going through the vast Admin Guide, release notes, and user config guide to get these answers and know more. Also let me know if it is worth waiting till 2.0. Thanks, Prashanth -------------- next part -------------- An HTML attachment was scrubbed... URL: From rmeggins at redhat.com Mon Sep 21 16:56:49 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 21 Sep 2009 10:56:49 -0600
Subject: [Freeipa-users] Re: 389-ds and AD integration questions
Message-ID: <4AB7B051.1060807@redhat.com>

> Dear FreeIPA community,
>
> I have a bunch of requirements that I am looking forward from ipa-server. Please clarify if these are possible.
>
> Background: We are planning to deploy 389-ds (formerly Fedora DS) as our core LDAP server in a Multi-Master Replication scenario. We will be having a set of slave servers to cater at different locations. We want to integrate password authentication with MS Active Directory. 389-DS offers a PAM Pass-thru plugin, but it has been quite difficult to configure the parameters and Kerberos to get that working. Some of the features I am looking for are:
>
> 1. Easy setup of PAM Pass-thru, where 389-ds queries Active Directory for the password.

If you have PAM Kerberos auth working, you should be able to use PAM Pass thru. I don't know the details though, but I do know that this is one of the primary use cases, to allow simple bind (username/password auth) clients to use their kerberos password.

> 2. Syncing new users automatically between AD and 389-ds, including UNIX attributes in AD (after installing SFU 3.5). Though a Windows Sync agreement does it, we are looking for finer control over the OUs and objectclasses/attributes imported.

The IPA winsync plugin will add missing posix attributes when syncing a new user entry from AD to IPA. It will not keep them in sync.

> 3. Password changes in the UNIX world reflected on AD.

Yes. IPA winsync will sync password changes from IPA to AD.

> 4. Netgroups, adding hosts to the Directory Server and having an inventory with hostname and IP address, and/or performing basic host tasks.

Winsync will not sync the netgroups schema.

> 5. Creating ACIs such that the support team only has access to create LDAP accounts and update group memberships.
> 6. How easy is it going to be to upgrade from 1.2.2 to 2.0? Any issues anticipated?
>
> I am still going through the vast Admin Guide, release notes and user config guide to get these answers and know more. Also let me know if it is worth waiting till 2.0.
>
> Thanks,
> Prashanth
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 21 Sep 2009 10:59:24 -0600
Subject: [Freeipa-users] Re: question about password sync ...
Message-ID: <4AB7B0EC.30908@redhat.com>

> I have set up cross-realm trust between AD and the Kerberos KDC component of FreeIPA (1.2.1). What I'd like to do is to set up a one-way password sync going from FreeIPA -> AD. Windows users always select the Kerberos Realm (of FreeIPA) when logging into machines joined to the AD domain. However, for various reasons it would be nice to have the AD password in sync with the FreeIPA password. Since users will always be authenticating against FreeIPA, is it possible to set up a one-way password sync such that when passwords are changed in FreeIPA, the new password is propagated to the AD domain controller(s)? And if so, can this be done without installing the PassSync.msi on each of the domain controllers?

Yes. Since you only want to sync passwords one way, from IPA to AD, you do not need PassSync.msi.

> (I want to ensure that the password expirations are in sync; that's the only thing I actually care about, since as far as the users are concerned, their AD passwords can be taken away from them and made into sufficiently complex random strings, and expirations on AD turned off; but I doubt I can convince others to go along with that approach.)

IPA winsync will not sync password expiration. IPA winsync will sync account disable/enable.

> Kambiz
From: kambiz at mcnc.org (Kambiz Aghaiepour)
Date: Mon, 21 Sep 2009 13:07:18 -0400
Subject: [Freeipa-users] Re: question about password sync ...
In-Reply-To: <4AB7B0EC.30908@redhat.com>
References: <4AB7B0EC.30908@redhat.com>
Message-ID: <4AB7B2C6.5000804@mcnc.org>

Rich Megginson wrote:
>> I have set up cross-realm trust between AD and the Kerberos KDC component of FreeIPA (1.2.1). What I'd like to do is to set up a one-way password sync going from FreeIPA -> AD. Windows users always select the Kerberos Realm (of FreeIPA) when logging into machines joined to the AD domain. However, for various reasons it would be nice to have the AD password in sync with the FreeIPA password. Since users will always be authenticating against FreeIPA, is it possible to set up a one-way password sync such that when passwords are changed in FreeIPA, the new password is propagated to the AD domain controller(s)? And if so, can this be done without installing the PassSync.msi on each of the domain controllers?
>
> Yes. Since you only want to sync passwords one way, from IPA to AD, you do not need PassSync.msi.
>
>> (I want to ensure that the password expirations are in sync; that's the only thing I actually care about, since as far as the users are concerned, their AD passwords can be taken away from them and made into sufficiently complex random strings, and expirations on AD turned off; but I doubt I can convince others to go along with that approach.)
>
> IPA winsync will not sync password expiration. IPA winsync will sync account disable/enable.
>
>> Kambiz
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

Hmmm ... so what is the correct method of syncing password expiration?

-- 
"All tyranny needs to gain a foothold is for people of good conscience to remain silent." --Thomas Jefferson
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 21 Sep 2009 11:17:05 -0600
Subject: [Freeipa-users] Re: question about password sync ...
In-Reply-To: <4AB7B2C6.5000804@mcnc.org>
References: <4AB7B0EC.30908@redhat.com> <4AB7B2C6.5000804@mcnc.org>
Message-ID: <4AB7B511.3040808@redhat.com>

Kambiz Aghaiepour wrote:
> Rich Megginson wrote:
>>> I have set up cross-realm trust between AD and the Kerberos KDC component of FreeIPA (1.2.1). What I'd like to do is to set up a one-way password sync going from FreeIPA -> AD. Windows users always select the Kerberos Realm (of FreeIPA) when logging into machines joined to the AD domain. However, for various reasons it would be nice to have the AD password in sync with the FreeIPA password. Since users will always be authenticating against FreeIPA, is it possible to set up a one-way password sync such that when passwords are changed in FreeIPA, the new password is propagated to the AD domain controller(s)? And if so, can this be done without installing the PassSync.msi on each of the domain controllers?
>>
>> Yes. Since you only want to sync passwords one way, from IPA to AD, you do not need PassSync.msi.
>>
>>> (I want to ensure that the password expirations are in sync; that's the only thing I actually care about, since as far as the users are concerned, their AD passwords can be taken away from them and made into sufficiently complex random strings, and expirations on AD turned off; but I doubt I can convince others to go along with that approach.)
>>
>> IPA winsync will not sync password expiration. IPA winsync will sync account disable/enable.
>>
>>> Kambiz
>
> Hmmm ... so what is the correct method of syncing password expiration?

You'll have to have some sort of external agent that polls the directory looking for expired passwords, then expires them in AD. I don't know of such a tool.
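Rich's reply above says an external agent would have to poll the directory for expired passwords and then expire them in AD. The following is an added example of the decision logic such an agent needs; it is written for this page and is not part of FreeIPA, 389-ds or the thread. It assumes that FreeIPA records the expiry in the krbPasswordExpiration attribute of the Kerberos LDAP schema (GeneralizedTime, UTC), that the IPA uid equals the AD sAMAccountName and CN (winsync pairs entries by uid/sAMAccountName; using the CN as well is a simplification), and that the synced AD users live under a constructed container. Both LDAP connections are left out: the IPA side is a constructed LDIF search result and the AD side is produced as LDIF text instead of being sent to a domain controller.

```python
#!/usr/bin/env python3
"""Poll FreeIPA (389-ds) user entries for expired Kerberos passwords and
build the AD modification that forces a password change at next logon.

Added example, not code from FreeIPA, 389-ds or the mailing-list thread.
The directory connections are stubbed: IPA entries come from a constructed
LDIF string and the AD change is returned as LDIF text rather than sent.
"""
from datetime import datetime, timezone

# Constructed sample of what an ldapsearch against IPA for
# "(&(objectClass=krbPrincipalAux)(uid=*))" could return. carol has no
# krbPasswordExpiration (assumed: never set), so she must be skipped.
SAMPLE_IPA_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
uid: alice
krbPrincipalName: alice@EXAMPLE.COM
krbPasswordExpiration: 20090920120000Z

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=com
uid: bob
krbPrincipalName: bob@EXAMPLE.COM
krbPasswordExpiration: 20091220120000Z

dn: uid=carol,cn=users,cn=accounts,dc=example,dc=com
uid: carol
krbPrincipalName: carol@EXAMPLE.COM
"""

# Assumed location of the synced user objects on the AD side.
AD_USER_CONTAINER = "CN=Users,DC=example,DC=com"


def parse_ldif(text):
    """Minimal LDIF reader returning a list of {attribute: [values]} dicts.
    Only the unfolded, plain (non-base64) form used in the sample is handled."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():            # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def parse_generalized_time(value):
    """LDAP GeneralizedTime as FreeIPA writes it: YYYYMMDDHHMMSSZ, UTC."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def find_expired(entries, now):
    """Return the uids whose krbPasswordExpiration is at or before `now`.
    Entries without the attribute are skipped: no expiry is recorded for them."""
    expired = []
    for entry in entries:
        expiry = entry.get("krbPasswordExpiration")
        if expiry and parse_generalized_time(expiry[0]) <= now:
            expired.append(entry["uid"][0])
    return expired


def ad_force_change_ldif(uid, container=AD_USER_CONTAINER):
    """LDIF modify that sets pwdLastSet to 0 on the matching AD account, which
    makes AD require a new password at the user's next logon. Assumes the IPA
    uid is also the AD CN (hypothetical simplification for this example)."""
    return (
        f"dn: CN={uid},{container}\n"
        "changetype: modify\n"
        "replace: pwdLastSet\n"
        "pwdLastSet: 0\n"
        "-\n"
    )


def plan_changes(ldif_text, now):
    """One polling cycle: parse the IPA search result, pick the expired
    accounts and build the AD change for each of them."""
    return [ad_force_change_ldif(uid)
            for uid in find_expired(parse_ldif(ldif_text), now)]


if __name__ == "__main__":
    # Constructed "now" for the demo: one account (alice) is already expired.
    poll_time = parse_generalized_time("20090921170000Z")
    for change in plan_changes(SAMPLE_IPA_LDIF, poll_time):
        print(change)
```

A real agent would run the search against IPA with ldapsearch and apply the modify with ldapmodify over LDAPS to a domain controller, and it should remember which accounts it has already expired so that repeated polls stay idempotent. Setting pwdLastSet to 0 has no effect on AD accounts flagged "password never expires", so those would have to be handled separately.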
From: psundaram at wgen.net (Prashanth Sundaram)
Date: Mon, 21 Sep 2009 17:56:55 -0400
Subject: [Freeipa-users] Re: 389-ds and AD integration questions
In-Reply-To: <4AB7B051.1060807@redhat.com>

On 9/21/09 12:56 PM, "Rich Megginson" wrote:

>> Dear FreeIPA community,
>>
>> I have a bunch of requirements that I am looking forward from ipa-server. Please clarify if these are possible.
>>
>> Background: We are planning to deploy 389-ds (formerly Fedora DS) as our core LDAP server in a Multi-Master Replication scenario. We will be having a set of slave servers to cater at different locations. We want to integrate password authentication with MS Active Directory. 389-DS offers a PAM Pass-thru plugin, but it has been quite difficult to configure the parameters and Kerberos to get that working. Some of the features I am looking for are:
>>
>> 1. Easy setup of PAM Pass-thru, where 389-ds queries Active Directory for the password.
>
> If you have PAM Kerberos auth working, you should be able to use PAM Pass thru. I don't know the details though, but I do know that this is one of the primary use cases, to allow simple bind (username/password auth) clients to use their kerberos password.

Isn't IPA creating its own Kerberos/KDC server? For my setup, AD is the Kerberos server and I want 389-ds to query the AD for the password. I do not want to configure Kerberos on 389-ds, or do I have to do that anyway? So if I am right, for 389-ds and AD to communicate and exchange data they both need to be Kerb servers? If that is so, then do client UNIX machines need to be configured with krb5.conf?

I am following the HowToKerberos from 389-ds, where you generate the keytab in Windows and register it in the DS server. I haven't seen a case scenario in the documentation where PAM Passthru is implemented with AD, and how the krb5 is configured.

>> 2. Syncing new users automatically between AD and 389-ds, including UNIX attributes in AD (after installing SFU 3.5). Though a Windows Sync agreement does it, we are looking for finer control over the OUs and objectclasses/attributes imported.
>
> The IPA winsync plugin will add missing posix attributes when syncing a new user entry from AD to IPA. It will not keep them in sync.

Is this the same as the passsync.msi plugin? We are using Windows Server 2008 64-bit. Do we have it compatible? How can I set up IPA for the above scenario?

>> 3. Password changes in the UNIX world reflected on AD.
>
> Yes. IPA winsync will sync password changes from IPA to AD.

Is this a case where,

>> 4. Netgroups, adding hosts to the Directory Server and having an inventory with hostname and IP address, and/or performing basic host tasks.
>
> Winsync will not sync the netgroups schema.

I wanted the UNIX hosts to be shown in 389-ds, just like Windows boxes are joined to AD.

>> 5. Creating ACIs such that the support team only has access to create LDAP accounts and update group memberships.
>> 6. How easy is it going to be to upgrade from 1.2.2 to 2.0? Any issues anticipated?
>>
>> I am still going through the vast Admin Guide, release notes and user config guide to get these answers and know more. Also let me know if it is worth waiting till 2.0.
>>
>> Thanks,
>> Prashanth
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 21 Sep 2009 16:29:28 -0600
Subject: [Freeipa-users] Re: 389-ds and AD integration questions
Message-ID: <4AB7FE48.5010205@redhat.com>

Prashanth Sundaram wrote:
> On 9/21/09 12:56 PM, "Rich Megginson" wrote:
>
>>> Dear FreeIPA community,
>>>
>>> I have a bunch of requirements that I am looking forward from ipa-server. Please clarify if these are possible.
>>>
>>> Background: We are planning to deploy 389-ds (formerly Fedora DS) as our core LDAP server in a Multi-Master Replication scenario. We will be having a set of slave servers to cater at different locations. We want to integrate password authentication with MS Active Directory. 389-DS offers a PAM Pass-thru plugin, but it has been quite difficult to configure the parameters and Kerberos to get that working. Some of the features I am looking for are:
>>>
>>> 1. Easy setup of PAM Pass-thru, where 389-ds queries Active Directory for the password.
>>
>> If you have PAM Kerberos auth working, you should be able to use PAM Pass thru. I don't know the details though, but I do know that this is one of the primary use cases, to allow simple bind (username/password auth) clients to use their kerberos password.
>
> Isn't IPA creating its own Kerberos/KDC server? For my setup, AD is the Kerberos server and I want 389-ds to query the AD for the password. I do not want to configure Kerberos on 389-ds, or do I have to do that anyway?

You do not have to configure kerberos on 389-ds to use pam passthrough.

> So if I am right, for 389-ds and AD to communicate and exchange data they both need to be Kerb servers?

No.

> If that is so, then do client UNIX machines need to be configured with krb5.conf?

I believe you use something like pam_krb5 with 389 pam passthrough, which also requires krb5.conf.

> I am following the HowToKerberos from 389-ds, where you generate the keytab in Windows and register it in the DS server.

But you're not using kerberos auth to 389-ds, you are using simple auth, and pam passthrough "passes through" the credentials to kerberos via pam and pam_krb5.

> I haven't seen a case scenario in the documentation where PAM Passthru is implemented with AD, and how the krb5 is configured.
>
>>> 2. Syncing new users automatically between AD and 389-ds, including UNIX attributes in AD (after installing SFU 3.5). Though a Windows Sync agreement does it, we are looking for finer control over the OUs and objectclasses/attributes imported.
>>
>> The IPA winsync plugin will add missing posix attributes when syncing a new user entry from AD to IPA. It will not keep them in sync.
>
> Is this the same as the passsync.msi plugin?

No.

> We are using Windows Server 2008 64-bit. Do we have it compatible?

It doesn't matter - if you don't want to sync passwords from AD to IPA, you do not use PassSync.msi.

> How can I set up IPA for the above scenario?

I think IPA enables the ipa-winsync plugin by default.

>>> 3. Password changes in the UNIX world reflected on AD.
>>
>> Yes. IPA winsync will sync password changes from IPA to AD.
>
> Is this a case where,
>
>>> 4. Netgroups, adding hosts to the Directory Server and having an inventory with hostname and IP address, and/or performing basic host tasks.
>>
>> Winsync will not sync the netgroups schema.
>
> I wanted the UNIX hosts to be shown in 389-ds, just like Windows boxes are joined to AD.

Ok. IPA should handle that.

>>> 5. Creating ACIs such that the support team only has access to create LDAP accounts and update group memberships.
>>> 6. How easy is it going to be to upgrade from 1.2.2 to 2.0? Any issues anticipated?
>>>
>>> I am still going through the vast Admin Guide, release notes and user config guide to get these answers and know more. Also let me know if it is worth waiting till 2.0.
>>>
>>> Thanks,
>>> Prashanth
From: wxiluo at gmail.com (Michael Kang)
Date: Tue, 22 Sep 2009 14:46:09 +0800
Subject: [Freeipa-users] Problem with Kerberos Authentication
Message-ID: <97725cf0909212346s4820a265j447042a506dc3641@mail.gmail.com>

Dear FreeIPA community,

I successfully installed FreeIPA this morning. Now I have a problem with Kerberos authentication: a new user cannot modify their password in the shell.

I added a new user named haha (group: ipauser) via the web UI. This user is not an existing system user. Then I added a new Delegation (allowing people in group ipauser to modify the password for group ipauser).

[michael at freeipa Desktop]$ su - haha
Password:

Warning: Your password will expire in less than one hour.
Warning: password has expired.
Kerberos 5 Password:
Warning: Your password will expire in less than one hour.
New UNIX password:
Retype new UNIX password:
su: incorrect password
[michael at freeipa Desktop]$ su - root
Password:
[root at freeipa ~]# su - haha
su: warning: cannot change directory to /home/haha: No such file or directory
-sh-3.2$

Root can su - haha successfully. I think that means Kerberos works, but a new user cannot reset their password in their shell.

What should I do?

Best Regards,
Michael

-- 
Michael Kang??????
There is a giant asleep within every man. When the giant awakens, miracles happen.
Personal blog: http://ufusion.org - United Fusion
From: dpal at redhat.com (Dmitri Pal)
Date: Tue, 22 Sep 2009 06:43:48 -0400
Subject: [Freeipa-users] Re: 389-ds and AD integration questions
In-Reply-To: <4AB7FE48.5010205@redhat.com>
References: <4AB7FE48.5010205@redhat.com>
Message-ID: <4AB8AA64.9070303@redhat.com>

Rich Megginson wrote:
> Prashanth Sundaram wrote:
>> On 9/21/09 12:56 PM, "Rich Megginson" wrote:
>>
>>>> Dear FreeIPA community,
>>>>
>>>> I have a bunch of requirements that I am looking forward from ipa-server. Please clarify if these are possible.
>>>>
>>>> Background: We are planning to deploy 389-ds (formerly Fedora DS) as our core LDAP server in a Multi-Master Replication scenario. We will be having a set of slave servers to cater at different locations. We want to integrate password authentication with MS Active Directory. 389-DS offers a PAM Pass-thru plugin, but it has been quite difficult to configure the parameters and Kerberos to get that working. Some of the features I am looking for are:
>>>>
>>>> 1. Easy setup of PAM Pass-thru, where 389-ds queries Active Directory for the password.
>>>
>>> If you have PAM Kerberos auth working, you should be able to use PAM Pass thru. I don't know the details though, but I do know that this is one of the primary use cases, to allow simple bind (username/password auth) clients to use their kerberos password.
>>
>> Isn't IPA creating its own Kerberos/KDC server? For my setup, AD is the Kerberos server and I want 389-ds to query the AD for the password. I do not want to configure Kerberos on 389-ds, or do I have to do that anyway?
>
> You do not have to configure kerberos on 389-ds to use pam passthrough.
>
>> So if I am right, for 389-ds and AD to communicate and exchange data they both need to be Kerb servers?
>
> No.
>
>> If that is so, then do client UNIX machines need to be configured with krb5.conf?
>
> I believe you use something like pam_krb5 with 389 pam passthrough, which also requires krb5.conf.
>
>> I am following the HowToKerberos from 389-ds, where you generate the keytab in Windows and register it in the DS server.
>
> But you're not using kerberos auth to 389-ds, you are using simple auth, and pam passthrough "passes through" the credentials to kerberos via pam and pam_krb5.
>
>> I haven't seen a case scenario in the documentation where PAM Passthru is implemented with AD, and how the krb5 is configured.
>>
>>>> 2. Syncing new users automatically between AD and 389-ds, including UNIX attributes in AD (after installing SFU 3.5). Though a Windows Sync agreement does it, we are looking for finer control over the OUs and objectclasses/attributes imported.
>>>
>>> The IPA winsync plugin will add missing posix attributes when syncing a new user entry from AD to IPA. It will not keep them in sync.
>>
>> Is this the same as the passsync.msi plugin?
>
> No.
>
>> We are using Windows Server 2008 64-bit. Do we have it compatible?
>
> It doesn't matter - if you don't want to sync passwords from AD to IPA, you do not use PassSync.msi.
>
>> How can I set up IPA for the above scenario?
>
> I think IPA enables the ipa-winsync plugin by default.
>
>>>> 3. Password changes in the UNIX world reflected on AD.
>>>
>>> Yes. IPA winsync will sync password changes from IPA to AD.
>>
>> Is this a case where,
>>
>>>> 4. Netgroups, adding hosts to the Directory Server and having an inventory with hostname and IP address, and/or performing basic host tasks.
>>>
>>> Winsync will not sync the netgroups schema.
>>
>> I wanted the UNIX hosts to be shown in 389-ds, just like Windows boxes are joined to AD.
>
> Ok. IPA should handle that.
>
>>>> 5. Creating ACIs such that the support team only has access to create LDAP accounts and update group memberships.
>>>> 6. How easy is it going to be to upgrade from 1.2.2 to 2.0? Any issues anticipated?
>>>>
>>>> I am still going through the vast Admin Guide, release notes and user config guide to get these answers and know more. Also let me know if it is worth waiting till 2.0.
>>>>
>>>> Thanks,
>>>> Prashanth

Prashanth,

The setup is a bit confusing. IPA v1, which is currently available, can serve users and groups to UNIX/Linux clients via nss_ldap. One can also configure pam_ldap or pam_krb5 to authenticate against IPA v1. IPA v1 does not handle netgroups or hosts. These are the features of v2 that are coming.

However, the whole point of IPA is to be a domain controller for UNIX/Linux machines and users. If you are not planning to use IPA as a domain controller then you should look at a pure 389 deployment. With 389 you can proxy authentications to AD and follow the recommendations and solutions described on the 389 wiki. However, in this case you can't expect any of the IPA features (especially the ones that we are working on now: netgroups, automounts, hosts etc.).

Thank you
Dmitri
From: jgalipea at redhat.com (Jenny Galipeau)
Date: Tue, 22 Sep 2009 09:20:21 -0400
Subject: [Freeipa-users] Problem with Kerberos Authentication
In-Reply-To: <97725cf0909212346s4820a265j447042a506dc3641@mail.gmail.com>
References: <97725cf0909212346s4820a265j447042a506dc3641@mail.gmail.com>
Message-ID: <4AB8CF15.1020905@redhat.com>

Michael Kang wrote:
> Dear FreeIPA community,
>
> I successfully installed FreeIPA this morning. Now I have a problem with Kerberos authentication: a new user cannot modify their password in the shell.

Hi Michael:
Did you set the new user's initial password?

kinit admin
ipa passwd haha

Thanks
Jenny

> I added a new user named haha (group: ipauser) via the web UI. This user is not an existing system user. Then I added a new Delegation (allowing people in group ipauser to modify the password for group ipauser).
>
> [michael at freeipa Desktop]$ su - haha
> Password:
>
> Warning: Your password will expire in less than one hour.
> Warning: password has expired.
> Kerberos 5 Password:
> Warning: Your password will expire in less than one hour.
> New UNIX password:
> Retype new UNIX password:
> su: incorrect password
> [michael at freeipa Desktop]$ su - root
> Password:
> [root at freeipa ~]# su - haha
> su: warning: cannot change directory to /home/haha: No such file or directory
> -sh-3.2$
>
> Root can su - haha successfully. I think that means Kerberos works, but a new user cannot reset their password in their shell.
>
> What should I do?
>
> Best Regards,
> Michael
>
> --
> Michael Kang??????
> There is a giant asleep within every man. When the giant awakens, miracles happen.
> Personal blog: http://ufusion.org - United Fusion

-- 
Jenny Galipeau
Principal Software QA Engineer
Red Hat, Inc. Security Engineering
From: jgalipea at redhat.com (Jenny Galipeau)
Date: Tue, 22 Sep 2009 09:22:57 -0400
Subject: [Freeipa-users] Problem with Kerberos Authentication
In-Reply-To: <4AB8CF15.1020905@redhat.com>
References: <97725cf0909212346s4820a265j447042a506dc3641@mail.gmail.com> <4AB8CF15.1020905@redhat.com>
Message-ID: <4AB8CFB1.1020407@redhat.com>

Jenny Galipeau wrote:
> Michael Kang wrote:
>> Dear FreeIPA community,
>>
>> I successfully installed FreeIPA this morning. Now I have a problem with Kerberos authentication: a new user cannot modify their password in the shell.
>
> Hi Michael:
> Did you set the new user's initial password?
>
> kinit admin
> ipa passwd haha
>
> Thanks
> Jenny

Also kinit as haha, because haha will be asked to change the password on first authentication.

Thanks
Jenny

>> I added a new user named haha (group: ipauser) via the web UI. This user is not an existing system user. Then I added a new Delegation (allowing people in group ipauser to modify the password for group ipauser).
>>
>> [michael at freeipa Desktop]$ su - haha
>> Password:
>>
>> Warning: Your password will expire in less than one hour.
>> Warning: password has expired.
>> Kerberos 5 Password:
>> Warning: Your password will expire in less than one hour.
>> New UNIX password:
>> Retype new UNIX password:
>> su: incorrect password
>> [michael at freeipa Desktop]$ su - root
>> Password:
>> [root at freeipa ~]# su - haha
>> su: warning: cannot change directory to /home/haha: No such file or directory
>> -sh-3.2$
>>
>> Root can su - haha successfully. I think that means Kerberos works, but a new user cannot reset their password in their shell.
>>
>> What should I do?
>>
>> Best Regards,
>> Michael
>>
>> --
>> Michael Kang??????
>> There is a giant asleep within every man. When the giant awakens, miracles happen.
>> Personal blog: http://ufusion.org - United Fusion

-- 
Jenny Galipeau
Principal Software QA Engineer
Red Hat, Inc. Security Engineering
From: wxiluo at gmail.com (Michael Kang)
Date: Wed, 23 Sep 2009 09:49:08 +0800
Subject: [Freeipa-users] Problem with Kerberos Authentication
In-Reply-To: <4AB8CFB1.1020407@redhat.com>
References: <97725cf0909212346s4820a265j447042a506dc3641@mail.gmail.com> <4AB8CF15.1020905@redhat.com> <4AB8CFB1.1020407@redhat.com>
Message-ID: <97725cf0909221849n35754423m859d00064baf5ad5@mail.gmail.com>

Dear FreeIPA community,

I did try setting the new user's initial password, but it didn't work either. I got a protocol error. Here is the output of the console:

[root at freeipa ~]# kinit admin
Password for admin at ARAGON.LOCAL:
[root at freeipa ~]# ipa-passwd haha
Changing password for haha at ARAGON.LOCAL
New Password:
Confirm Password:
[root at freeipa ~]# kinit haha
Password for haha at ARAGON.LOCAL:
Password expired. You must change it now.
Enter new password:
Enter it again:
kinit(v5): Requested protocol version not supported while getting initial credentials

On Tue, Sep 22, 2009 at 9:22 PM, Jenny Galipeau wrote:
> Jenny Galipeau wrote:
>> Michael Kang wrote:
>>> Dear FreeIPA community,
>>>
>>> I successfully installed FreeIPA this morning. Now I have a problem with Kerberos authentication: a new user cannot modify their password in the shell.
>>
>> Hi Michael:
>> Did you set the new user's initial password?
>>
>> kinit admin
>> ipa passwd haha
>>
>> Thanks
>> Jenny
>
> Also kinit as haha, because haha will be asked to change the password on first authentication.
>
> Thanks
> Jenny
>
>>> I added a new user named haha (group: ipauser) via the web UI. This user is not an existing system user. Then I added a new Delegation (allowing people in group ipauser to modify the password for group ipauser).
>>>
>>> [michael at freeipa Desktop]$ su - haha
>>> Password:
>>>
>>> Warning: Your password will expire in less than one hour.
>>> Warning: password has expired.
>>> Kerberos 5 Password:
>>> Warning: Your password will expire in less than one hour.
>>> New UNIX password:
>>> Retype new UNIX password:
>>> su: incorrect password
>>> [michael at freeipa Desktop]$ su - root
>>> Password:
>>> [root at freeipa ~]# su - haha
>>> su: warning: cannot change directory to /home/haha: No such file or directory
>>> -sh-3.2$
>>>
>>> Root can su - haha successfully. I think that means Kerberos works, but a new user cannot reset their password in their shell.
>>>
>>> What should I do?
>>>
>>> Best Regards,
>>> Michael
>>>
>>> --
>>> Michael Kang??????
>>> There is a giant asleep within every man. When the giant awakens, miracles happen.
>>> Personal blog: http://ufusion.org - United Fusion
>
> --
> Jenny Galipeau
> Principal Software QA Engineer
> Red Hat, Inc. Security Engineering

-- 
Michael Kang??????
There is a giant asleep within every man. When the giant awakens, miracles happen.
Personal blog: http://ufusion.org - United Fusion
From: wxiluo at gmail.com (Michael Kang)
Date: Wed, 23 Sep 2009 10:14:06 +0800
Subject: [Freeipa-users] Migrating a Directory Server from 389-ds to FreeIPA
Message-ID: <97725cf0909221914s32a28e39ha197feb50fb65707@mail.gmail.com>

Dear FreeIPA community,

My PL wants to migrate a directory server (storing employee info and Linux user accounts) from 389-ds (1.1.x) to FreeIPA (1.2.2).

I backed up from the command line using the db2bak command-line script. I got two LDIF files and two folders (userRoot and NetscapeRoot) which contain many db4 files. After reading the FreeIPA Administrator Guide, I realized there are no db2bak or bak2db commands for FreeIPA users. So I copied those LDIF files and folders to /var/lib/dirsrv/ directly. Then I ran service dirsrv restart, and the dirsrv instance cannot start anymore. The instance names of 389-ds and FreeIPA are different.

How can I finish this hard job? Has anybody ever migrated successfully? I need your help.

Best Regards,
Michael

-- 
Michael Kang??????
There is a giant asleep within every man. When the giant awakens, miracles happen.
Personal blog: http://ufusion.org - United Fusion
From: tomasz.napierala at allegro.pl (Tomasz Z. Napierala)
Date: Wed, 23 Sep 2009 10:46:18 +0200
Subject: [Freeipa-users] Using FreeIPA as password backend for Samba
Message-ID: <1253695578.18011.7.camel@alledrag>

Hi,

I'm currently deploying IPA in our server infrastructure and I came across one particular problem.
I have several development servers hooked up to IPA. Devs are locally developing code on them, accessing it through Samba shares. We have like 120+ devs currently working, so it's a big hassle to manually create smb accounts while there's IPA providing logins and passwords. Is there any way to sync Samba passwords with IPA?

pz
--
Tomasz Napierała
Systems Architecture Engineer, IT Infrastructure Department
Allegro Team
http://www.allegro.pl/

QXL Poland sp. z o.o.
ul. Marcelińska 90, 60-324 Poznań
NIP 779-21-25-257; District Court Poznań - Nowe Miasto i Wilda in Poznań, 8th Commercial Division, KRS no. 0000104322
Share capital: 1.046.000 zł.

From: jgalipea at redhat.com (Jenny Galipeau)
Date: Wed, 23 Sep 2009 08:45:47 -0400
Subject: [Freeipa-users] Problem with Kerberos Authentication
In-Reply-To: <97725cf0909221849n35754423m859d00064baf5ad5@mail.gmail.com>
References: <97725cf0909212346s4820a265j447042a506dc3641@mail.gmail.com> <4AB8CF15.1020905@redhat.com> <4AB8CFB1.1020407@redhat.com> <97725cf0909221849n35754423m859d00064baf5ad5@mail.gmail.com>
Message-ID: <4ABA187B.80404@redhat.com>

Michael Kang wrote:
> Dear FreeIPA community,
>
> I did try to set the new user's initial password. But it didn't work either. I got a protocol error.
>
> Here is the output of the console:
>
> [root at freeipa ~]# kinit admin
> Password for admin at ARAGON.LOCAL:
> [root at freeipa ~]# ipa-passwd haha
> Changing password for haha at ARAGON.LOCAL
> New Password:
> Confirm Password:
> [root at freeipa ~]# kinit haha
> Password for haha at ARAGON.LOCAL:
> Password expired. You must change it now.
> Enter new password:
> Enter it again:
> kinit(v5): Requested protocol version not supported while getting initial credentials
>
Sounds like a Kerberos V4 request was sent to the KDC? What's in the client's krb5.conf?
Jenny
>
> On Tue, Sep 22, 2009 at 9:22 PM, Jenny Galipeau wrote:
>
>     Jenny Galipeau wrote:
>
>         Michael Kang wrote:
>
>             Dear FreeIPA community,
>
>             I successfully installed FreeIPA this morning. Now I have a problem with Kerberos Authentication. A new user cannot modify their password in the shell.
>
>         Hi Michael:
>         Did you set the new user's initial password?
>         kinit admin
>         ipa passwd haha
>         Thanks
>         Jenny
>
>     Also kinit as haha, because haha will be asked to change the password on first authentication.
>
>     Thanks
>     Jenny
>
>             I added a new user named haha (group: ipauser) via the webUI. This user is not an existing system user. Then I added a new Delegation (allow people in group ipauser to modify the password for group ipauser).
>
>             [michael at freeipa Desktop]$ su - haha
>             Password:
>
>             Warning: Your password will expire in less than one hour.
>             Warning: password has expired.
>             Kerberos 5 Password:
>             Warning: Your password will expire in less than one hour.
>             New UNIX password:
>             Retype new UNIX password:
>             su: incorrect password
>             [michael at freeipa Desktop]$ su - root
>             Password:
>             [root at freeipa ~]# su - haha
>             su: warning: cannot change directory to /home/haha: No such file or directory
>             -sh-3.2$
>
>             Root can su - haha successfully. I think that means Kerberos works, but a new user cannot reset their password in their shell.
>
>             What should I do?
>
>             Best Regards,
>             Michael
>
>             --
>             Michael Kang
>             There is a giant asleep within every man. When the giant awakens, miracles happen.
>
>             Personal blog: http://ufusion.org - United Fusion
>             ------------------------------------------------------------------------
>
>             _______________________________________________
>             Freeipa-users mailing list
>             Freeipa-users at redhat.com
>             https://www.redhat.com/mailman/listinfo/freeipa-users
>
>     --
>     Jenny Galipeau
>     Principal Software QA Engineer
>     Red Hat, Inc. Security Engineering
>
> --
> Michael Kang
> There is a giant asleep within every man. When the giant awakens, miracles happen.
>
> Personal blog: http://ufusion.org - United Fusion

--
Jenny Galipeau
Principal Software QA Engineer
Red Hat, Inc. Security Engineering

From: jgalipea at redhat.com (Jenny Galipeau)
Date: Wed, 23 Sep 2009 08:54:25 -0400
Subject: [Freeipa-users] Migrating a Directory Server from 389-ds to FreeIPA
In-Reply-To: <97725cf0909221914s32a28e39ha197feb50fb65707@mail.gmail.com>
References: <97725cf0909221914s32a28e39ha197feb50fb65707@mail.gmail.com>
Message-ID: <4ABA1A81.4030508@redhat.com>

Michael Kang wrote:
> Dear FreeIPA community,
>
> My PL wants to migrate a directory server (storing employee info and Linux user accounts) from 389-ds (1.1.x) to FreeIPA (1.2.2). I backed it up from the command line using the *db2bak* command-line script. I got two LDIF files and two folders (userRoot and NetscapeRoot) which contain many db4 files.
>
> After reading the FreeIPA Administrator Guide, I realized there are no *db2bak* or *bak2db* commands for FreeIPA users. So I copied those LDIF files and folders to /var/lib/dirsrv/ directly. Then I ran *service dirsvr restart*, and the dirsvr instance cannot start anymore. The instance names of 389-ds and FreeIPA are different.
>
> How can I finish this hard job? Has anybody ever migrated successfully? I need your help.
>
remove any unneeded structural and configuration options from the ldif
convert this ldif to the IPA DIT
load the ldif

You can see the DIT we use at http://freeipa.org/page/UsingRhdsWithIpa
HTH
Jenny
> Best Regards,
> Michael
> --
> Michael Kang
> There is a giant asleep within every man. When the giant awakens, miracles happen.
>
> Personal blog: http://ufusion.org - United Fusion
> ------------------------------------------------------------------------
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

--
Jenny Galipeau
Principal Software QA Engineer
Red Hat, Inc. Security Engineering

From: psundaram at wgen.net (Prashanth Sundaram)
Date: Wed, 23 Sep 2009 10:28:40 -0400
Subject: [Freeipa-users] Re: 389-ds and AD integration questions
In-Reply-To: <4AB8AA64.9070303@redhat.com>
Message-ID:

Thanks Dimitri,

I was clarified about the setup yesterday. Looks like I do not need Kerberos implemented for PAM Pass-through.

Since IPA is to be a domain controller, is it necessary to implement Kerberos for server and clients, since I only need Unix hosts to talk to the DC? I mean, can I separate the Kerb part from IPA and just use it for password change on both sides?

> Prashanth,
>
> The setup is a bit confusing.
> IPA v1 that is currently available can serve users and groups to UNIX/Linux clients via nss_ldap.
> One can also configure pam_ldap or pam_krb5 to authenticate against IPA v1.
> IPA v1 does not handle netgroups or hosts. These are the features of v2 that are coming.
> However the whole point of the IPA is to be a domain controller for UNIX/Linux machines and users.
> If you are not planning to use IPA as a domain controller then you should look at a pure 389 deployment.
> With 389 you can proxy authentications to AD and follow recommendations and solutions described on the 389 wiki.
> However in this case you can't expect any of the IPA features (especially the ones that we are working on now: netgroups, automounts, hosts etc.)
>
> Thank you
> Dmitri

From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 23 Sep 2009 10:45:53 -0400
Subject: [Freeipa-users] Migrating a Directory Server from 389-ds to FreeIPA
In-Reply-To: <4ABA1A81.4030508@redhat.com>
References: <97725cf0909221914s32a28e39ha197feb50fb65707@mail.gmail.com> <4ABA1A81.4030508@redhat.com>
Message-ID: <4ABA34A1.6030704@redhat.com>

Jenny Galipeau wrote:
> Michael Kang wrote:
>> Dear FreeIPA community,
>>
>> My PL wants to migrate a directory server (storing employee info and Linux user accounts) from 389-ds (1.1.x) to FreeIPA (1.2.2). I backed it up from the command line using the *db2bak* command-line script. I got two LDIF files and two folders (userRoot and NetscapeRoot) which contain many db4 files.
>>
>> After reading the FreeIPA Administrator Guide, I realized there are no *db2bak* or *bak2db* commands for FreeIPA users. So I copied those LDIF files and folders to /var/lib/dirsrv/ directly. Then I ran *service dirsvr restart*, and the dirsvr instance cannot start anymore. The instance names of 389-ds and FreeIPA are different.
>>
>> How can I finish this hard job? Has anybody ever migrated successfully? I need your help.
>>
> remove any unneeded structural and configuration options from the ldif
> convert this ldif to the IPA DIT
> load the ldif
>
> You can see the DIT we use at http://freeipa.org/page/UsingRhdsWithIpa
> HTH
> Jenny

Note that this will get the users added with their existing passwords but does not give them Kerberos principals. We don't currently provide any mechanism for setting this on a migrated user, though we are working on it.

What I would recommend also is to create a few IPA users and compare the objectclasses that we use to the users you are migrating.

rob

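The three steps Jenny lists (strip what the target must not receive, convert to the IPA DIT, load), as a worked example in Python. This is an added illustration, not FreeIPA project code. It reads a constructed 389-ds LDIF export, drops 389-ds operational attributes and non-user entries, moves each posixAccount under cn=users,cn=accounts,<suffix> (the v1 user container from the UsingRhdsWithIpa page) and merges in an assumed list of IPA v1 user objectclasses. Rob's advice applies before loading the output with ldapadd: compare that assumed list against a user created with ipa-adduser on the target, and remember that migrated users keep their userPassword but get no Kerberos principal.

```python
"""Added example (not FreeIPA project code): move user entries from a 389-ds
LDIF export into the FreeIPA v1 DIT, following the three steps in the thread."""
import base64

# 389-ds operational attributes; the target server generates its own.
OPERATIONAL = {'creatorsname', 'modifiersname', 'createtimestamp',
               'modifytimestamp', 'nsuniqueid', 'entryid', 'entrydn',
               'parentid', 'numsubordinates'}

# ASSUMED list of objectclasses IPA v1 puts on a user. Compare it with an entry
# created by ipa-adduser on the target server before loading anything.
IPA_USER_CLASSES = ['top', 'person', 'organizationalPerson',
                    'inetOrgPerson', 'inetUser', 'posixAccount']

# Constructed export: one container and one user, with a fake password hash.
SAMPLE_EXPORT = """\
dn: ou=People,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: People
nsUniqueId: 11111111-22222222-33333333-44444444

dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
uid: jdoe
cn: John Doe
sn: Doe
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/jdoe
loginShell: /bin/bash
userPassword: {SSHA}constructedHashValueNotReal==
creatorsName: cn=directory manager
modifiersName: cn=directory manager
nsUniqueId: 55555555-66666666-77777777-88888888
"""

def parse_ldif(text):
    """Parse LDIF into [(dn, [(attr, value), ...])], unfolding continuation
    lines and decoding base64 ('::') values."""
    entries, lines = [], []
    for raw in text.splitlines() + ['']:
        if raw.startswith(' ') and lines:
            lines[-1] += raw[1:]          # folded continuation line
        elif raw == '':
            if lines:
                entries.append(_entry(lines))
                lines = []
        elif not raw.startswith('#'):
            lines.append(raw)
    return entries

def _entry(lines):
    dn, attrs = None, []
    for line in lines:
        attr, _, value = line.partition(':')
        if value.startswith(':'):
            value = base64.b64decode(value[1:].strip()).decode('utf-8')
        else:
            value = value.strip()
        if attr.lower() == 'dn':
            dn = value
        else:
            attrs.append((attr, value))
    return dn, attrs

def convert_user(dn, attrs, suffix):
    """Rebuild one posixAccount entry under cn=users,cn=accounts,<suffix>.
    Returns None for anything that is not a user (containers, config)."""
    classes = [v for a, v in attrs if a.lower() == 'objectclass']
    uid = next((v for a, v in attrs if a.lower() == 'uid'), None)
    if 'posixaccount' not in [c.lower() for c in classes] or not uid:
        return None
    merged, seen = [], set()
    for c in IPA_USER_CLASSES + classes:      # IPA classes first, keep extras
        if c.lower() not in seen:
            merged.append(c)
            seen.add(c.lower())
    kept = [(a, v) for a, v in attrs
            if a.lower() not in OPERATIONAL and a.lower() != 'objectclass']
    new_dn = 'uid=%s,cn=users,cn=accounts,%s' % (uid, suffix)
    return new_dn, [('objectClass', c) for c in merged] + kept

def to_ldif(dn, attrs):
    """Serialise an entry; values unsafe as plain text are base64-encoded."""
    out = ['dn: ' + dn]
    for a, v in attrs:
        safe = all(ord(ch) < 128 for ch in v) and '\n' not in v \
            and not v.startswith((' ', ':', '<'))
        if safe:
            out.append('%s: %s' % (a, v))
        else:
            out.append('%s:: %s' % (a, base64.b64encode(v.encode('utf-8')).decode('ascii')))
    return '\n'.join(out) + '\n'

def migrate(ldif_text, suffix):
    """Return LDIF (for ldapadd) containing only the converted user entries."""
    chunks = []
    for dn, attrs in parse_ldif(ldif_text):
        converted = convert_user(dn, attrs, suffix)
        if converted:
            chunks.append(to_ldif(*converted))
    return '\n'.join(chunks)

if __name__ == '__main__':
    print(migrate(SAMPLE_EXPORT, 'dc=example,dc=com'))
```

Run it against the real export (the userRoot LDIF from db2ldif), check the first few entries by eye, then feed the output to `ldapadd -x -D "cn=directory manager" -W -f out.ldif` on the IPA server. The ou=People container is deliberately not carried over; IPA's own containers already exist.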
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 23 Sep 2009 11:19:53 -0400
Subject: [Freeipa-users] Using FreeIPA as password backend for Samba
In-Reply-To: <1253695578.18011.7.camel@alledrag>
References: <1253695578.18011.7.camel@alledrag>
Message-ID: <1253719193.3126.32.camel@localhost.localdomain>

On Wed, 2009-09-23 at 10:46 +0200, Tomasz Z. Napierala wrote:
> Hi,
>
> I'm currently deploying IPA in our server infrastructure and I came
> across one particular problem.
> I have several development servers hooked up to IPA. Devs are locally
> developing code on them, accessing it through Samba shares. We have like
> 120+ devs currently working, so it's a big hassle to manually create smb
> accounts, while there's IPA providing logins and passwords. Is there any
> way to sync Samba passwords with IPA?

If you keep Samba passwords in LDAP, IPA can automatically generate LM and NT hashes. All you need is the sambaSamAccount objectclass on the user object.

Simo.

From: tomasz.napierala at allegro.pl (Tomasz Z. Napierala)
Date: Wed, 23 Sep 2009 19:50:50 +0200
Subject: [Freeipa-users] Using FreeIPA as password backend for Samba
In-Reply-To: <1253719193.3126.32.camel@localhost.localdomain>
References: <1253695578.18011.7.camel@alledrag> <1253719193.3126.32.camel@localhost.localdomain>
Message-ID: <1253728250.8314.2.camel@alledrag>

On Wed, 2009-09-23 at 17:19 +0200, Simo Sorce wrote:
> On Wed, 2009-09-23 at 10:46 +0200, Tomasz Z. Napierala wrote:
> > Hi,
> >
> > I'm currently deploying IPA in our server infrastructure and I came
> > across one particular problem.
> > I have several development servers hooked up to IPA. Devs are locally
> > developing code on them, accessing it through Samba shares. We have like
> > 120+ devs currently working, so it's a big hassle to manually create smb
> > accounts, while there's IPA providing logins and passwords. Is there any
> > way to sync Samba passwords with IPA?
>
> If you keep Samba passwords in LDAP, IPA can automatically generate LM
> and NT hashes. All you need is the sambaSamAccount objectclass on the
> user object.

Thank you Simo. Do I have to manually extend the schema or is there any semi-automatic way to achieve that?

pz
--
Tomasz Napierała
Systems Architecture Engineer, IT Infrastructure Department
Allegro Team
http://www.allegro.pl/

QXL Poland sp. z o.o.
ul. Marcelińska 90, 60-324 Poznań
NIP 779-21-25-257; District Court Poznań - Nowe Miasto i Wilda in Poznań, 8th Commercial Division, KRS no. 0000104322
Share capital: 1.046.000 zł.

From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 23 Sep 2009 14:38:38 -0400
Subject: [Freeipa-users] Re: 389-ds and AD integration questions
In-Reply-To:
References:
Message-ID: <4ABA6B2E.5010101@redhat.com>

Prashanth Sundaram wrote:
> Thanks Dimitri,
>
> I was clarified about the setup yesterday. Looks like I do not need
> Kerberos implemented for PAM Pass-through.
>
> Since IPA is to be a domain controller, is it necessary to implement
> Kerberos for server and clients? Since I only need Unix hosts to talk to
> the DC?
>
I am sorry, can you be a bit more specific and give a bigger picture? It seems that you are going to configure UNIX/Linux clients to use IPA as DC. So who is going to provide auth for the users via pam? Would it be configured to use ldap, kerberos or something else? It is unclear from the description above. It seems that you do not have a clear picture either. So maybe it would be simpler to start by describing what you have, what the constraints are and what goal you are trying to accomplish. With this we can try to come up with the best approach using the tools we have.

> I mean can I separate the Kerb part from the IPA and just use it for
> password change on both sides?
>
Why? Can you explain the reasoning behind this?

Thank you
Dmitri

>> Prashanth,
>>
>> The setup is a bit confusing.
>> IPA v1 that is currently available can serve users and groups to
>> UNIX/Linux clients via nss_ldap.
>> One can also configure pam_ldap or pam_krb5 to authenticate against IPA v1.
>> IPA v1 does not handle netgroups or hosts. These are the features of v2
>> that are coming.
>> However the whole point of the IPA is to be a domain controller for
>> UNIX/Linux machines and users.
>> If you are not planning to use IPA as a domain controller then you
>> should look at a pure 389 deployment.
>> With 389 you can proxy authentications to AD and follow recommendations
>> and solutions described on the 389 wiki.
>> However in this case you can't expect any of the IPA features
>> (especially the ones that we are working on now:
>> netgroups, automounts, hosts etc.)
>>
>> Thank you
>> Dmitri

--
Thank you,
Dmitri Pal
Engineering Manager IPA project, Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From: loris at lgs.com.ve (Loris Santamaria)
Date: Wed, 23 Sep 2009 14:16:37 -0430
Subject: [Freeipa-users] Using FreeIPA as password backend for Samba
In-Reply-To: <1253728250.8314.2.camel@alledrag>
References: <1253695578.18011.7.camel@alledrag> <1253719193.3126.32.camel@localhost.localdomain> <1253728250.8314.2.camel@alledrag>
Message-ID: <1253731597.3617.443.camel@arepa.pzo.lgs.com.ve>

On Wed, 23-09-2009 at 19:50 +0200, Tomasz Z. Napierala wrote:
> On Wed, 2009-09-23 at 17:19 +0200, Simo Sorce wrote:
> > On Wed, 2009-09-23 at 10:46 +0200, Tomasz Z. Napierala wrote:
> > > Hi,
> > >
> > > I'm currently deploying IPA in our server infrastructure and I came
> > > across one particular problem.
> > > I have several development servers hooked up to IPA. Devs are locally
> > > developing code on them, accessing it through Samba shares. We have like
> > > 120+ devs currently working, so it's a big hassle to manually create smb
> > > accounts, while there's IPA providing logins and passwords. Is there any
> > > way to sync Samba passwords with IPA?
> >
> > If you keep Samba passwords in LDAP, IPA can automatically generate LM
> > and NT hashes. All you need is the sambaSamAccount objectclass on the
> > user object.
>
> Thank you Simo. Do I have to manually extend the schema or is there any
> semi-automatic way to achieve that?

We integrate FreeIPA and Samba 3, having FreeIPA automatically generate the sambaSID for users and groups.

First step, you need to modify cn=ipaconfig to have FreeIPA add the appropriate objectclasses:

ldapmodify <

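Loris's ldapmodify input is cut off in the archive, so the following is an added example that is not his command and not FreeIPA or Samba project code. It covers both replies above: the cn=ipaconfig change that makes IPA put sambaSamAccount on new users (Loris), and a per-user modification that adds the objectclass plus a sambaSID derived from uidNumber for users that already exist (Simo's prerequisite). Assumptions: the Samba schema is already loaded in IPA's directory server, users live under cn=users,cn=accounts,<suffix>, the attribute holding IPA v1's default user objectclasses is ipaUserObjectClasses on cn=ipaconfig,cn=etc,<suffix>, and RIDs follow Samba's default algorithmic mapping (users uid*2+1000, groups gid*2+1001). The domain SID is constructed.

```python
"""Added example, not FreeIPA or Samba project code: prepare IPA v1 users for a
Samba 3 server that keeps its passwords in LDAP, as described in the thread."""

# Constructed domain SID for the example; a real deployment uses the SID the
# Samba server reports (net getlocalsid).
DOMAIN_SID = 'S-1-5-21-1111111111-2222222222-3333333333'
ALGORITHMIC_RID_BASE = 1000   # Samba's default algorithmic rid base

def user_rid(uid_number, base=ALGORITHMIC_RID_BASE):
    """Samba's algorithmic mapping gives users the even RIDs: uid * 2 + base."""
    return int(uid_number) * 2 + base

def group_rid(gid_number, base=ALGORITHMIC_RID_BASE):
    """Groups get the odd RIDs: gid * 2 + base + 1."""
    return int(gid_number) * 2 + base + 1

def samba_sid(domain_sid, rid):
    return '%s-%d' % (domain_sid, rid)

def ipaconfig_modify_ldif(suffix, classes=('sambaSamAccount',)):
    """ldapmodify input that tells IPA to put the Samba objectclass on every
    user it creates from now on (ipaUserObjectClasses on cn=ipaconfig; assumed
    attribute name, check it on your server first)."""
    lines = ['dn: cn=ipaconfig,cn=etc,%s' % suffix,
             'changetype: modify',
             'add: ipaUserObjectClasses']
    lines += ['ipaUserObjectClasses: %s' % c for c in classes]
    return '\n'.join(lines) + '\n'

def user_modify_ldif(entry, suffix, domain_sid=DOMAIN_SID):
    """ldapmodify input for one existing user: add sambaSamAccount and a
    sambaSID derived from uidNumber (sambaSID is the objectclass's only other
    MUST attribute). entry holds the attributes already in the directory;
    returns None when the user is already set up, so reruns are harmless."""
    missing = [a for a in ('uid', 'uidNumber') if a not in entry]
    if missing:
        raise ValueError('cannot derive sambaSID, entry lacks %s' % ', '.join(missing))
    if 'sambaSamAccount' in entry.get('objectClass', []):
        return None
    sid = samba_sid(domain_sid, user_rid(entry['uidNumber']))
    return '\n'.join([
        'dn: uid=%s,cn=users,cn=accounts,%s' % (entry['uid'], suffix),
        'changetype: modify',
        'add: objectClass',
        'objectClass: sambaSamAccount',
        '-',
        'add: sambaSID',
        'sambaSID: %s' % sid,
        ''])

if __name__ == '__main__':
    # Constructed user entry, as it would come back from an ldapsearch.
    jdoe = {'uid': 'jdoe', 'uidNumber': '1001', 'objectClass': ['posixAccount']}
    print(ipaconfig_modify_ldif('dc=example,dc=com'))
    print(user_modify_ldif(jdoe, 'dc=example,dc=com'))
```

Pipe either output into `ldapmodify -x -D "cn=directory manager" -W`. Two consequences worth planning for: IPA can only compute the NT and LM hashes from a cleartext password, so they appear for an existing user at that user's next password change, not when the objectclass is added; and once present, sambaNTPassword is an unsalted MD4 of the password and sambaLMPassword is far weaker still, so restrict read access to those attributes with an ACI to the Samba server's bind DN, since the directory now holds offline-crackable password material.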
From: kambiz at mcnc.org (Kambiz Aghaiepour)
Date: Wed, 23 Sep 2009 16:05:08 -0400
Subject: [Freeipa-users] a couple of questions regarding windows password sync agreements ....
Message-ID: <4ABA7F74.70604@mcnc.org>

I've established a windows sync agreement on my IPA master server using:

ipa-replica-manage add --winsync --win-subtree='cn=users,dc=mcnc,dc=org' --binddn cn=someusergoeshere,cn=users,dc=mcnc,dc=org --bindpw nottherealpassword --cacert /root/my.cert --passsync=someotherpass myadserver.mcnc.org -v

Everything seems fine so far, but I have a few questions about the setup.

1) It appears that users on the AD side that did not already exist on IPA get created upon the initial full sync. Is there any way to turn off this behavior?

2) Also, new users that are created in AD are created in IPA. Can this behavior be turned off (I think this is the same setting as #1)?

3) Will new users that are created in IPA be created in AD?

4) Will a user previously created in AD be automatically deleted from IPA when the user is deleted from AD?

5) Will the user be deleted from AD if the user's entry is deleted in IPA?

6) What does ntUserDeleteAccount: true do?

Thanks
Kambiz

--
"All tyranny needs to gain a foothold is for people of good conscience to remain silent." --Thomas Jefferson

From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 23 Sep 2009 14:27:39 -0600
Subject: [Freeipa-users] a couple of questions regarding windows password sync agreements ....
In-Reply-To: <4ABA7F74.70604@mcnc.org>
References: <4ABA7F74.70604@mcnc.org>
Message-ID: <4ABA84BB.3030500@redhat.com>

Kambiz Aghaiepour wrote:
> I've established a windows sync agreement on my IPA master server using:
>
> ipa-replica-manage add --winsync --win-subtree='cn=users,dc=mcnc,dc=org'
> --binddn cn=someusergoeshere,cn=users,dc=mcnc,dc=org --bindpw
> nottherealpassword --cacert /root/my.cert --passsync=someotherpass
> myadserver.mcnc.org -v
>
> Everything seems fine so far, but I have a few questions about the setup.
>
This should answer most of the questions below
http://www.redhat.com/docs/manuals/dir-server/8.1/admin/Windows_Sync.html

The main differences are that in IPA
* IPA will only sync user data - not groups
* IPA will not send new users to AD - the users must also be added to AD, at which point changes to that user will be sync'd between IPA and AD
** The sync key is the uid, which must be the same as the samAccountName on the AD side
* IPA will sync new users added to AD - IPA will change the DN and schema
** IPA will flatten the DN, removing any ou RDNs, and (optionally) store these in the ou attribute in the user entry
* IPA will be able to force all users to be in sync with the AD counterpart (IPA uid == AD samAccountName)
** forceSync option

> 1) It appears that users on the AD side that did not already exist on IPA
> get created upon the initial full sync. Is there any way to turn off
> this behavior?
>
> 2) Also, new users that are created in AD are created in IPA. Can this
> behavior be turned off (I think this is the same setting as #1)?
>
> 3) Will new users that are created in IPA be created in AD?
>
No - see above
> 4) Will a user previously created in AD be automatically deleted from
> IPA when the user is deleted from AD?
>
yes
> 5) Will the user be deleted from AD if the user's entry is deleted in IPA?
>
> 6) What does ntUserDeleteAccount: true do?
>
> Thanks
> Kambiz
>

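The user mapping Rich lists above, as an added Python illustration on constructed sample entries (this is not the winsync plugin's code, only a model of the behaviour he describes): AD users are paired with IPA users on uid == sAMAccountName, the AD DN is flattened into IPA's user container, and the ou RDNs that disappear in the process can optionally be kept in the ou attribute. The dc=mcnc,dc=org suffix is the one from Kambiz's command; the user entries are made up.

```python
"""Added example, not the winsync plugin's code: model of the AD-to-IPA user
mapping described in the thread, run over constructed sample entries."""

SUFFIX = 'dc=mcnc,dc=org'
# Constructed AD and IPA users; one pair plus one unpaired user on each side.
AD_USERS = [
    {'dn': 'CN=John Doe,OU=Eng,OU=Staff,DC=mcnc,DC=org',
     'sAMAccountName': 'jdoe', 'cn': 'John Doe'},
    {'dn': 'CN=Only In AD,OU=Staff,DC=mcnc,DC=org',
     'sAMAccountName': 'onlyad', 'cn': 'Only In AD'},
]
IPA_USERS = [
    {'uid': 'jdoe', 'cn': 'John Doe'},
    {'uid': 'onlyipa', 'cn': 'Only In IPA'},
]

def split_dn(dn):
    """Split a DN into (attr, value) pairs, lower-casing attribute names and
    leaving backslash-escaped commas inside values intact."""
    parts, cur, i = [], '', 0
    while i < len(dn):
        if dn[i] == '\\' and i + 1 < len(dn):
            cur += dn[i:i + 2]          # keep the escape and the next char
            i += 2
            continue
        if dn[i] == ',':
            parts.append(cur)
            cur = ''
        else:
            cur += dn[i]
        i += 1
    parts.append(cur)
    rdns = []
    for part in parts:
        attr, _, value = part.partition('=')
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns

def map_ad_user(ad_entry, suffix=SUFFIX, keep_ou=True):
    """Return (ipa_dn, ipa_attrs) for one AD user. The sync key, the AD
    sAMAccountName, becomes the IPA uid; the DN is rebuilt flat under
    cn=users,cn=accounts,<suffix>; the ou RDNs that were dropped are kept in
    the ou attribute when keep_ou is set."""
    key = ad_entry.get('sAMAccountName')
    if not key:
        raise ValueError('AD entry without sAMAccountName cannot be paired with an IPA uid')
    ous = [value for attr, value in split_dn(ad_entry['dn']) if attr == 'ou']
    attrs = {'uid': key, 'cn': ad_entry.get('cn', key)}
    if keep_ou and ous:
        attrs['ou'] = ous
    return 'uid=%s,cn=users,cn=accounts,%s' % (key, suffix), attrs

def pair_entries(ad_entries, ipa_entries):
    """Join the two sides on the sync key. Returns (paired, only_in_ad,
    only_in_ipa): paired users exchange changes, AD-only users get created on
    the IPA side, IPA-only users are not sent to AD and must be created there
    by hand before they sync."""
    ad_keys = set(e['sAMAccountName'] for e in ad_entries if e.get('sAMAccountName'))
    ipa_keys = set(e['uid'] for e in ipa_entries)
    return (sorted(ad_keys & ipa_keys),
            sorted(ad_keys - ipa_keys),
            sorted(ipa_keys - ad_keys))

if __name__ == '__main__':
    for entry in AD_USERS:
        print(map_ad_user(entry))
    print(pair_entries(AD_USERS, IPA_USERS))
```

A practical use of pair_entries before enabling forceSync is to list the IPA-only users: each is an account that will never receive AD password changes until a matching sAMAccountName exists on the AD side.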
From: wxiluo at gmail.com (Michael Kang)
Date: Thu, 24 Sep 2009 10:27:52 +0800
Subject: [Freeipa-users] Problem with Kerberos Authentication
In-Reply-To: <4ABA187B.80404@redhat.com>
References: <97725cf0909212346s4820a265j447042a506dc3641@mail.gmail.com> <4AB8CF15.1020905@redhat.com> <4AB8CFB1.1020407@redhat.com> <97725cf0909221849n35754423m859d00064baf5ad5@mail.gmail.com> <4ABA187B.80404@redhat.com>
Message-ID: <97725cf0909231927p24058c4aue943f79bf9bff682@mail.gmail.com>

Here is the client's krb5.conf:

> #File modified by ipa-client-install
>
> [libdefaults]
>  default_realm = ARAGON.LOCAL
>  dns_lookup_realm = true
>  dns_lookup_kdc = true
>  ticket_lifetime = 24h
>  forwardable = yes
>
> [appdefaults]
>  pam = {
>   debug = false
>   ticket_lifetime = 36000
>   renew_lifetime = 36000
>   forwardable = true
>   krb4_convert = false
>  }
> EOF

On Wed, Sep 23, 2009 at 8:45 PM, Jenny Galipeau wrote:
> Michael Kang wrote: > >> Dear FreeIPA community, >> >> I did try set the new user's initial password. But it didn't work either. >> I got a protocol error. >> >> Here is the output of console : >> >> [root at freeipa ~]# kinit admin >> Password for admin at ARAGON.LOCAL: >> [root at freeipa ~]# ipa-passwd haha >> Changing password for haha at ARAGON.LOCAL >> New Password: >> Confirm Password: >> [root at freeipa ~]# kinit haha >> Password for haha at ARAGON.LOCAL: >> Password expired. You must change it now. >> Enter new password: >> Enter it again: >> kinit(v5): Requested protocol version not supported while getting >> initial credentials >> >> > Sounds like, a Kerberos V4 request was sent to the KDC? What's in the > client's krb5.conf? > Jenny > >> >> >> On Tue, Sep 22, 2009 at 9:22 PM, Jenny Galipeau > jgalipea at redhat.com>> wrote: >> >> Jenny Galipeau wrote: >> >> >> Michael Kang wrote: >> >> Dear FreeIPA community, >> >> I successfully installed FreeIPA this morning. Now I got a >> problem about Kerberos Authentication. New user cannot >> modify their password in shell. 
>> >> Hi Michael: >> Did you set the new user's initial password? >> kinit admin >> ipa passwd haha >> Thanks >> Jenny >> >> Also kinit as haha, because haha will be asked to change the >> password on first authentication. >> >> Thanks >> Jenny >> >> >> I added a new user named /haha(group: ipauser)/ based on >> the webUI. This user is not a existed system user. Then I >> added a new Delegations(allow people in group ipauser can >> modify password for group ipauser) . >> >> /[michael at freeipa Desktop]$ su - haha/ >> /Password: / >> >> /Warning: Your password will expire in less than one hour./ >> /Warning: password has expired./ >> /Kerberos 5 Password: / >> /Warning: Your password will expire in less than one hour./ >> /New UNIX password: / >> /Retype new UNIX password: / >> /su: incorrect password/ >> /[michael at freeipa Desktop]$ su - root/ >> /Password: / >> /[root at freeipa ~]# su - haha/ >> /su: warning: cannot change directory to /home/haha: No >> such file >> or directory/ >> /-sh-3.2$ / >> >> >> Root can su - haha successfully. I think that means the >> Kerberos works, but new user cannot reset their password >> in their shell. >> >> What should I do? >> >> Best Regards, >> Michael >> >> -- Michael Kang?????? >> There is a giant asleep within every man. When the giant >> awakens,miracles happen. >> >> Personal blog: http://ufusion.org - United Fusion >> >> ------------------------------------------------------------------------ >> >> _______________________________________________ >> Freeipa-users mailing list >> Freeipa-users at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-users >> >> >> >> >> >> -- Jenny Galipeau > >> >> Principal Software QA Engineer >> Red Hat, Inc. Security Engineering >> >> >> >> >> -- >> Michael Kang?????? >> There is a giant asleep within every man. When the giant awakens,miracles >> happen. 
>> Personal blog: http://ufusion.org - United Fusion
>
> --
> Jenny Galipeau
> Principal Software QA Engineer
> Red Hat, Inc. Security Engineering

--
Michael Kang
There is a giant asleep within every man. When the giant awakens, miracles happen.

Personal blog: http://ufusion.org - United Fusion

From: wxiluo at gmail.com (Michael Kang)
Date: Thu, 24 Sep 2009 11:02:57 +0800
Subject: [Freeipa-users] Problem with Kerberos Authentication
In-Reply-To: <97725cf0909231927p24058c4aue943f79bf9bff682@mail.gmail.com>
References: <97725cf0909212346s4820a265j447042a506dc3641@mail.gmail.com> <4AB8CF15.1020905@redhat.com> <4AB8CFB1.1020407@redhat.com> <97725cf0909221849n35754423m859d00064baf5ad5@mail.gmail.com> <4ABA187B.80404@redhat.com> <97725cf0909231927p24058c4aue943f79bf9bff682@mail.gmail.com>
Message-ID: <97725cf0909232002i3f1f7ad4qabbd9da7c0026ab3@mail.gmail.com>

According to the FreeIPA Client Configure Guide, I realized I may have missed something in my client's krb5.conf. It had been created by the ipa-client-install script; I never edited it. But there are *no* *[realms]* and *[domain_realm]* sections in the krb5.conf file.

So I added them, shown below:

> #File modified by ipa-client-install
>
> [libdefaults]
>  default_realm = ARAGON.LOCAL
>  dns_lookup_realm = true
>  dns_lookup_kdc = true
>  ticket_lifetime = 24h
>  forwardable = yes
>
> [realms]
>  ARAGON.LOCAL = {
>   kdc = ipa.aragon.local:88
>   admin_server = ipa.aragon.local:749
>   default_domain = aragon.local
>  }
>
> [domain_realm]
>  .aragon.local = ARAGON.LOCAL
>  aragon.local = ARAGON.LOCAL
>
> [appdefaults]
>  pam = {
>   debug = false
>   ticket_lifetime = 36000
>   renew_lifetime = 36000
>   forwardable = true
>   krb4_convert = false
>  }

It doesn't work either using the new krb5.conf.
*kinit(v5): Password change failed while getting initial credentials*

I'd like to post more detailed output. Hope it could be helpful.

> [root at freeipa ~]# kinit admin
> Password for admin at ARAGON.LOCAL:
> [root at freeipa ~]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: admin at ARAGON.LOCAL
>
> Valid starting     Expires            Service principal
> 09/23/09 22:52:57  09/24/09 22:52:58  krbtgt/ARAGON.LOCAL at ARAGON.LOCAL
>
>
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
> [root at freeipa ~]# ipa-finduser admin
> Full Name: Administrator
> Home Directory: /home/admin
> Login Shell: /bin/bash
> Login: admin
>
> [root at freeipa ~]# ipa-finduser haha
> Full Name: haha haha
> Home Directory: /home/haha
> Login Shell: /bin/sh
> Login: haha

Regards,
Michael

On Thu, Sep 24, 2009 at 10:27 AM, Michael Kang wrote:
> Here is client's krb5.conf: > > #File modified by ipa-client-install >> >> [libdefaults] >> default_realm = ARAGON.LOCAL >> dns_lookup_realm = true >> dns_lookup_kdc = true >> ticket_lifetime = 24h >> forwardable = yes >> >> [appdefaults] >> pam = { >> debug = false >> ticket_lifetime = 36000 >> renew_lifetime = 36000 >> forwardable = true >> krb4_convert = false >> } >> > > EOF > > > On Wed, Sep 23, 2009 at 8:45 PM, Jenny Galipeau wrote: > >> Michael Kang wrote: >> >>> Dear FreeIPA community, >>> >>> I did try set the new user's initial password. But it didn't work either. >>> I got a protocol error. >>> >>> Here is the output of console : >>> >>> [root at freeipa ~]# kinit admin >>> Password for admin at ARAGON.LOCAL: >>> [root at freeipa ~]# ipa-passwd haha >>> Changing password for haha at ARAGON.LOCAL >>> New Password: >>> Confirm Password: >>> [root at freeipa ~]# kinit haha >>> Password for haha at ARAGON.LOCAL: >>> Password expired. You must change it now. >>> Enter new password: >>> Enter it again: >>> kinit(v5): Requested protocol version not supported while getting >>> initial credentials >>> >>> >> Sounds like, a Kerberos V4 request was sent to the KDC? What's in the >> client's krb5.conf? 
>> Jenny >> >>> >>> >>> On Tue, Sep 22, 2009 at 9:22 PM, Jenny Galipeau >> jgalipea at redhat.com>> wrote: >>> >>> Jenny Galipeau wrote: >>> >>> >>> Michael Kang wrote: >>> >>> Dear FreeIPA community, >>> >>> I successfully installed FreeIPA this morning. Now I got a >>> problem about Kerberos Authentication. New user cannot >>> modify their password in shell. >>> >>> Hi Michael: >>> Did you set the new user's initial password? >>> kinit admin >>> ipa passwd haha >>> Thanks >>> Jenny >>> >>> Also kinit as haha, because haha will be asked to change the >>> password on first authentication. >>> >>> Thanks >>> Jenny >>> >>> >>> I added a new user named /haha(group: ipauser)/ based on >>> the webUI. This user is not a existed system user. Then I >>> added a new Delegations(allow people in group ipauser can >>> modify password for group ipauser) . >>> >>> /[michael at freeipa Desktop]$ su - haha/ >>> /Password: / >>> >>> /Warning: Your password will expire in less than one hour./ >>> /Warning: password has expired./ >>> /Kerberos 5 Password: / >>> /Warning: Your password will expire in less than one hour./ >>> /New UNIX password: / >>> /Retype new UNIX password: / >>> /su: incorrect password/ >>> /[michael at freeipa Desktop]$ su - root/ >>> /Password: / >>> /[root at freeipa ~]# su - haha/ >>> /su: warning: cannot change directory to /home/haha: No >>> such file >>> or directory/ >>> /-sh-3.2$ / >>> >>> >>> Root can su - haha successfully. I think that means the >>> Kerberos works, but new user cannot reset their password >>> in their shell. >>> >>> What should I do? >>> >>> Best Regards, >>> Michael >>> >>> -- Michael Kang?????? >>> There is a giant asleep within every man. When the giant >>> awakens,miracles happen. 
>>> Personal blog: http://ufusion.org - United Fusion
>>>
>>> ------------------------------------------------------------------------
>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>
>>> --
>>> Jenny Galipeau
>>> Principal Software QA Engineer
>>> Red Hat, Inc. Security Engineering
>>>
>>> --
>>> Michael Kang
>>> There is a giant asleep within every man. When the giant awakens, miracles happen.
>>>
>>> Personal blog: http://ufusion.org - United Fusion
>>
>> --
>> Jenny Galipeau
>> Principal Software QA Engineer
>> Red Hat, Inc. Security Engineering
>
> --
> Michael Kang
> There is a giant asleep within every man. When the giant awakens, miracles happen.
>
> Personal blog: http://ufusion.org - United Fusion

--
Michael Kang
There is a giant asleep within every man. When the giant awakens, miracles happen.

Personal blog: http://ufusion.org - United Fusion

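An added check for the client-side configuration this thread turns on (example code, not from the thread and not FreeIPA's): a small krb5.conf parser that understands the nested `key = {` stanzas used by [realms] and [appdefaults], run over constructed copies of the two krb5.conf versions Michael posted. It reports the points the replies asked about: whether [realms] has a stanza for default_realm with kdc and admin_server, whether dns_lookup_kdc is on (so that a missing stanza is covered by SRV records), and whether [domain_realm] maps anything to the realm. It does not diagnose the kinit error itself; the KDC and admin_server names are the ones from the posted config.

```python
"""Added example (not FreeIPA code): parse a client krb5.conf and report the
configuration points discussed in this thread."""
import re

# Constructed copy of the first krb5.conf posted (no [realms]/[domain_realm]).
SAMPLE_WITHOUT_REALMS = """\
#File modified by ipa-client-install

[libdefaults]
 default_realm = ARAGON.LOCAL
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 forwardable = yes

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }
"""

# Constructed copy of the second version, with the sections added by hand.
SAMPLE_WITH_REALMS = SAMPLE_WITHOUT_REALMS + """
[realms]
 ARAGON.LOCAL = {
  kdc = ipa.aragon.local:88
  admin_server = ipa.aragon.local:749
  default_domain = aragon.local
 }

[domain_realm]
 .aragon.local = ARAGON.LOCAL
 aragon.local = ARAGON.LOCAL
"""

def parse_krb5_conf(text):
    """Parse krb5.conf into {section: {key: value or nested dict}}.
    '#'/';' comments and blank lines are skipped; 'key = {' opens a nested
    block that a bare '}' closes."""
    conf, section, stack = {}, None, []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].split(';', 1)[0].strip()
        if not line:
            continue
        header = re.match(r'^\[(\S+)\]$', line)
        if header and not stack:
            section = conf.setdefault(header.group(1), {})
            continue
        if line == '}':
            if not stack:
                raise ValueError('unexpected } in krb5.conf')
            stack.pop()
            continue
        if section is None:
            raise ValueError('key outside of any section: %r' % raw)
        key, _, value = line.partition('=')
        key, value = key.strip(), value.strip()
        target = stack[-1] if stack else section
        if value == '{':
            target[key] = {}
            stack.append(target[key])
        else:
            target[key] = value
    if stack:
        raise ValueError('unbalanced braces in krb5.conf')
    return conf

def _truthy(value):
    return str(value).strip().lower() in ('true', 'yes', '1')

def check_krb5_conf(text):
    """Return a list of findings about realm and KDC configuration;
    an empty list means every check passed."""
    conf = parse_krb5_conf(text)
    findings = []
    libdefaults = conf.get('libdefaults', {})
    realm = libdefaults.get('default_realm')
    if not realm:
        return ['libdefaults: default_realm is not set']
    stanza = conf.get('realms', {}).get(realm)
    # When dns_lookup_kdc is unset this treats it as off; check your libkrb5 default.
    dns_kdc = _truthy(libdefaults.get('dns_lookup_kdc', 'false'))
    if stanza is None and not dns_kdc:
        findings.append('no [realms] stanza for %s and dns_lookup_kdc is off: '
                        'the client has no way to find a KDC' % realm)
    elif stanza is None:
        findings.append('no [realms] stanza for %s: KDC and kpasswd server are '
                        'located only through DNS SRV records' % realm)
    else:
        for key in ('kdc', 'admin_server'):
            if key not in stanza:
                findings.append('[realms] %s: missing %s' % (realm, key))
    if not any(v == realm for v in conf.get('domain_realm', {}).values()):
        findings.append('[domain_realm] has no mapping to %s' % realm)
    return findings

if __name__ == '__main__':
    for name, text in (('without [realms]', SAMPLE_WITHOUT_REALMS),
                       ('with [realms]', SAMPLE_WITH_REALMS)):
        print(name, check_krb5_conf(text) or ['ok'])
```

Run it against /etc/krb5.conf on the client that fails; a config that passes every check but still fails points away from realm lookup and towards the KDC or kpasswd service on the server side.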
From: davido at redhat.com (David O'Brien)
Date: Thu, 24 Sep 2009 13:13:12 +1000
Subject: [Freeipa-users] Problem with Kerberos Authentication
In-Reply-To: <97725cf0909232002i3f1f7ad4qabbd9da7c0026ab3@mail.gmail.com>
References: <97725cf0909212346s4820a265j447042a506dc3641@mail.gmail.com> <4AB8CF15.1020905@redhat.com> <4AB8CFB1.1020407@redhat.com> <97725cf0909221849n35754423m859d00064baf5ad5@mail.gmail.com> <4ABA187B.80404@redhat.com> <97725cf0909231927p24058c4aue943f79bf9bff682@mail.gmail.com> <97725cf0909232002i3f1f7ad4qabbd9da7c0026ab3@mail.gmail.com>
Message-ID: <4ABAE3C8.9090704@redhat.com>

Michael, did you restart the kdc after you updated the krb5.conf file?

David

Michael Kang wrote:
> According to the FreeIPA Client Configure Guide, I realized I may have missed
> something in my client's krb5.conf. It had been created by the
> ipa-client-install script; I never edited it. But there are *no* *[realms]* and
> *[domain_realm]* sections in the krb5.conf file.
>
> So I added them, shown below:
>
>> #File modified by ipa-client-install
>>
>> [libdefaults]
>>  default_realm = ARAGON.LOCAL
>>  dns_lookup_realm = true
>>  dns_lookup_kdc = true
>>  ticket_lifetime = 24h
>>  forwardable = yes
>>
>> [realms]
>>  ARAGON.LOCAL = {
>>   kdc = ipa.aragon.local:88
>>   admin_server = ipa.aragon.local:749
>>   default_domain = aragon.local
>>  }
>>
>> [domain_realm]
>>  .aragon.local = ARAGON.LOCAL
>>  aragon.local = ARAGON.LOCAL
>>
>> [appdefaults]
>>  pam = {
>>   debug = false
>>   ticket_lifetime = 36000
>>   renew_lifetime = 36000
>>   forwardable = true
>>   krb4_convert = false
>>  }
>
> It doesn't work either using the new krb5.conf.
> *kinit(v5): Password change failed while getting initial credentials*
>
> I'd like to post more detailed output. Hope it could be helpful.
> > >> [root at freeipa ~]# kinit admin >> Password for admin at ARAGON.LOCAL: >> [root at freeipa ~]# klist >> Ticket cache: FILE:/tmp/krb5cc_0 >> Default principal: admin at ARAGON.LOCAL >> >> Valid starting Expires Service principal >> 09/23/09 22:52:57 09/24/09 22:52:58 krbtgt/ARAGON.LOCAL at ARAGON.LOCAL >> >> >> Kerberos 4 ticket cache: /tmp/tkt0 >> klist: You have no tickets cached >> [root at freeipa ~]# ipa-finduser admin >> Full Name: Administrator >> Home Directory: /home/admin >> Login Shell: /bin/bash >> Login: admin >> >> [root at freeipa ~]# ipa-finduser haha >> Full Name: haha haha >> Home Directory: /home/haha >> Login Shell: /bin/sh >> Login: haha >> >> > > Regards, > Michael > > On Thu, Sep 24, 2009 at 10:27 AM, Michael Kang wrote: > > >> Here is client's krb5.conf: >> >> #File modified by ipa-client-install >> >>> [libdefaults] >>> default_realm = ARAGON.LOCAL >>> dns_lookup_realm = true >>> dns_lookup_kdc = true >>> ticket_lifetime = 24h >>> forwardable = yes >>> >>> [appdefaults] >>> pam = { >>> debug = false >>> ticket_lifetime = 36000 >>> renew_lifetime = 36000 >>> forwardable = true >>> krb4_convert = false >>> } >>> >>> >> EOF >> >> >> On Wed, Sep 23, 2009 at 8:45 PM, Jenny Galipeau wrote: >> >> >>> Michael Kang wrote: >>> >>> >>>> Dear FreeIPA community, >>>> >>>> I did try set the new user's initial password. But it didn't work either. >>>> I got a protocol error. >>>> >>>> Here is the output of console : >>>> >>>> [root at freeipa ~]# kinit admin >>>> Password for admin at ARAGON.LOCAL: >>>> [root at freeipa ~]# ipa-passwd haha >>>> Changing password for haha at ARAGON.LOCAL >>>> New Password: >>>> Confirm Password: >>>> [root at freeipa ~]# kinit haha >>>> Password for haha at ARAGON.LOCAL: >>>> Password expired. You must change it now. 
>>>> Enter new password: >>>> Enter it again: >>>> kinit(v5): Requested protocol version not supported while getting >>>> initial credentials >>>> >>>> >>>> >>> Sounds like, a Kerberos V4 request was sent to the KDC? What's in the >>> client's krb5.conf? >>> Jenny >>> >>> >>>> On Tue, Sep 22, 2009 at 9:22 PM, Jenny Galipeau >>> jgalipea at redhat.com>> wrote: >>>> >>>> Jenny Galipeau wrote: >>>> >>>> >>>> Michael Kang wrote: >>>> >>>> Dear FreeIPA community, >>>> >>>> I successfully installed FreeIPA this morning. Now I got a >>>> problem about Kerberos Authentication. New user cannot >>>> modify their password in shell. >>>> >>>> Hi Michael: >>>> Did you set the new user's initial password? >>>> kinit admin >>>> ipa passwd haha >>>> Thanks >>>> Jenny >>>> >>>> Also kinit as haha, because haha will be asked to change the >>>> password on first authentication. >>>> >>>> Thanks >>>> Jenny >>>> >>>> >>>> I added a new user named /haha(group: ipauser)/ based on >>>> the webUI. This user is not a existed system user. Then I >>>> added a new Delegations(allow people in group ipauser can >>>> modify password for group ipauser) . >>>> >>>> /[michael at freeipa Desktop]$ su - haha/ >>>> /Password: / >>>> >>>> /Warning: Your password will expire in less than one hour./ >>>> /Warning: password has expired./ >>>> /Kerberos 5 Password: / >>>> /Warning: Your password will expire in less than one hour./ >>>> /New UNIX password: / >>>> /Retype new UNIX password: / >>>> /su: incorrect password/ >>>> /[michael at freeipa Desktop]$ su - root/ >>>> /Password: / >>>> /[root at freeipa ~]# su - haha/ >>>> /su: warning: cannot change directory to /home/haha: No >>>> such file >>>> or directory/ >>>> /-sh-3.2$ / >>>> >>>> >>>> Root can su - haha successfully. I think that means the >>>> Kerberos works, but new user cannot reset their password >>>> in their shell. >>>> >>>> What should I do? >>>> >>>> Best Regards, >>>> Michael >>>> >>>> -- Michael Kang?????? 
>>>> There is a giant asleep within every man. When the giant >>>> awakens,miracles happen. >>>> >>>> Personal blog: http://ufusion.org - United Fusion >>>> >>>> ------------------------------------------------------------------------ >>>> >>>> _______________________________________________ >>>> Freeipa-users mailing list >>>> Freeipa-users at redhat.com >>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>> >>>> >>>> >>>> >>>> >>>> -- Jenny Galipeau >>> >>>> Principal Software QA Engineer >>>> Red Hat, Inc. Security Engineering >>>> >>>> >>>> >>>> >>>> -- >>>> Michael Kang?????? >>>> There is a giant asleep within every man. When the giant awakens,miracles >>>> happen. >>>> >>>> Personal blog: http://ufusion.org - United Fusion >>>> >>>> >>> -- >>> Jenny Galipeau >>> Principal Software QA Engineer >>> Red Hat, Inc. Security Engineering >>> >>> >>> >> -- >> Michael Kang?????? >> There is a giant asleep within every man. When the giant awakens,miracles >> happen. >> >> Personal blog: http://ufusion.org - United Fusion >> >> > > > > > ------------------------------------------------------------------------ > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users -- David O'Brien IPA Content Author Red Hat Asia Pacific +61 7 3514 8189 "The most valuable of all talents is that of never using two words when one will do." Thomas Jefferson From wxiluo at gmail.com Thu Sep 24 03:18:08 2009 
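Added example, not part of any list message and not FreeIPA code: a small checker for the client krb5.conf discussed above. It parses MIT's profile format (including the brace blocks), and for the default realm reports what is left to DNS when [realms] and [domain_realm] are missing, which is the state ipa-client-install left Michael's file in. The configuration text is the one Michael posted, with the sections he added appended; the checks themselves and the host name passed to check_client_config() are assumptions. It also flags the pam krb4_convert setting Jenny asked about; it does not diagnose the "Requested protocol version not supported" error itself.

```python
"""Sanity-check the realm and KDC settings in a client's krb5.conf.
Added example (not a list message, not FreeIPA code). CONF_BEFORE/CONF_AFTER
are copied from the thread; the checks and the host name are assumptions."""
import re
from typing import Any, Dict, List

_HEADER = re.compile(r"^\[(\w+)\]$")
_ASSIGN = re.compile(r"^([\w.\-]+)\s*=\s*(.*)$")


def parse_krb5_conf(text: str) -> Dict[str, Dict[str, Any]]:
    """MIT profile format: [section], key = value, key = { ... } (nestable)."""
    conf: Dict[str, Dict[str, Any]] = {}
    stack: List[Dict[str, Any]] = []          # innermost open block last
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment
        if not line:
            continue
        header = _HEADER.match(line)
        if header and len(stack) <= 1:        # headers are only legal at top level
            stack = [conf.setdefault(header.group(1), {})]
        elif line == "}" and len(stack) > 1:
            stack.pop()
        elif (m := _ASSIGN.match(line)) and stack:
            key, value = m.group(1), m.group(2).strip()
            if value == "{":                  # open a nested block
                stack.append(stack[-1].setdefault(key, {}))
            else:                             # a repeated key keeps its last value
                stack[-1][key] = value
        else:
            raise ValueError(f"unparseable line: {raw!r}")
    if len(stack) > 1:
        raise ValueError("unterminated '{' block")
    return conf


def _true(value: str) -> bool:
    return value.lower() in ("true", "yes", "on", "1")


def check_client_config(conf: Dict[str, Dict[str, Any]], host: str) -> List[str]:
    """Findings for the default realm as seen from `host`. An empty list means
    KDC, kpasswd server and host-to-realm mapping are pinned in the file
    instead of left to DNS, which is unauthenticated unless DNSSEC-validated."""
    lib = conf.get("libdefaults", {})
    realm = lib.get("default_realm")
    if not realm:
        return ["no default_realm in [libdefaults]"]
    findings: List[str] = []
    rb = conf.get("realms", {}).get(realm, {})
    if "kdc" not in rb:
        findings.append(f"{realm}: no kdc in [realms]; " + (
            "KDC located via DNS SRV records" if _true(lib.get("dns_lookup_kdc", "false"))
            else "dns_lookup_kdc is off, so kinit has no KDC to contact"))
    if "admin_server" not in rb:
        findings.append(f"{realm}: no admin_server in [realms]; kpasswd relies on DNS")
    domain = host.partition(".")[2]
    mapping = conf.get("domain_realm", {})
    if domain and domain not in mapping and "." + domain not in mapping:
        how = "DNS TXT records" if _true(lib.get("dns_lookup_realm", "false")) else "a library fallback"
        findings.append(f"{domain}: no [domain_realm] mapping; realm taken from {how}")
    if _true(conf.get("appdefaults", {}).get("pam", {}).get("krb4_convert", "false")):
        findings.append("appdefaults/pam: krb4_convert on; pam_krb5 also requests Kerberos 4 tickets")
    return findings


# The client file as ipa-client-install wrote it, copied from the thread.
CONF_BEFORE = """#File modified by ipa-client-install

[libdefaults]
 default_realm = ARAGON.LOCAL
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 forwardable = yes

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }
"""

# The sections Michael added afterwards (section order does not matter).
CONF_AFTER = CONF_BEFORE + """
[realms]
 ARAGON.LOCAL = {
  kdc = ipa.aragon.local:88
  admin_server = ipa.aragon.local:749
  default_domain = aragon.local
 }

[domain_realm]
 .aragon.local = ARAGON.LOCAL
 aragon.local = ARAGON.LOCAL
"""

if __name__ == "__main__":
    for name, text in (("before", CONF_BEFORE), ("after", CONF_AFTER)):
        print(name, check_client_config(parse_krb5_conf(text), "ipa.aragon.local") or ["ok"])
```

Run it and the first file yields three findings (KDC and kpasswd server found through DNS SRV, realm of aragon.local hosts found through DNS TXT); the second yields none. Neither result explains a failed password change on its own, which is why David's question about restarting the KDC and Jenny's question about the delegation still stand.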
From: wxiluo at gmail.com (Michael Kang)
Date: Thu, 24 Sep 2009 11:18:08 +0800
Subject: [Freeipa-users] Problem with Kerberos Authentication
In-Reply-To: <4ABAE3C8.9090704@redhat.com>
References: <97725cf0909212346s4820a265j447042a506dc3641@mail.gmail.com> <4AB8CF15.1020905@redhat.com> <4AB8CFB1.1020407@redhat.com> <97725cf0909221849n35754423m859d00064baf5ad5@mail.gmail.com> <4ABA187B.80404@redhat.com> <97725cf0909231927p24058c4aue943f79bf9bff682@mail.gmail.com> <97725cf0909232002i3f1f7ad4qabbd9da7c0026ab3@mail.gmail.com> <4ABAE3C8.9090704@redhat.com>
Message-ID: <97725cf0909232018u139911a9v676fa8a3122c3ec8@mail.gmail.com>

Hi David,

I rebooted the system after I edited the configuration file.

Regards,
Michael

On Thu, Sep 24, 2009 at 11:13 AM, David O'Brien wrote:
> Michael,
> did you restart the KDC after you updated the krb5.conf file?
>
> David
>
> Michael Kang wrote:
>> According to the FreeIPA Client Configure Guide, I realized I may have missed
>> something in my client's krb5.conf. It had been created by the
>> ipa-client-install script; I never edited it. But there are *no* [realms] and
>> [domain_realm] sections in the krb5.conf file.
--
Michael Kang
There is a giant asleep within every man. When the giant awakens, miracles happen.
Personal blog: http://ufusion.org - United Fusion

From wxiluo at gmail.com Thu Sep 24 10:14:58 2009
From: wxiluo at gmail.com (Michael Kang)
Date: Thu, 24 Sep 2009 18:14:58 +0800
Subject: [Freeipa-users] Migrating a Directory Server from 389-ds to FreeIPA
In-Reply-To: <4ABA34A1.6030704@redhat.com>
References: <97725cf0909221914s32a28e39ha197feb50fb65707@mail.gmail.com> <4ABA1A81.4030508@redhat.com> <4ABA34A1.6030704@redhat.com>
Message-ID: <97725cf0909240314l5d345298j416ee94b3dc2104b@mail.gmail.com>

Thank you for your help. Hope I can handle this job... Thank you, guys.

On Wed, Sep 23, 2009 at 10:45 PM, Rob Crittenden wrote:
> Jenny Galipeau wrote:
>> Michael Kang wrote:
>>> Dear FreeIPA community,
>>>
>>> My PL wants to migrate a directory server (storing employee info and
>>> Linux user accounts) from 389-ds (1.1.x) to FreeIPA (1.2.2). I backed it
>>> up from the command line using the db2bak command-line script. I got two
>>> LDIF files and two folders (userRoot and NetscapeRoot) which contain many
>>> db4 files.
>>>
>>> After reading the FreeIPA Administrator Guide, I realized there are no
>>> db2bak or bak2db commands for FreeIPA users. So I copied those LDIF files
>>> and folders to /var/lib/dirsrv/ directly. Then I ran
>>> "service dirsrv restart", and the dirsrv instance cannot start anymore.
>>> The instance names of 389-ds and FreeIPA are different.
>>>
>>> How can I finish this hard job? Has anybody ever migrated successfully?
>>> I need your help...
>>
>> remove any unneeded structural and configuration options from the ldif
>> convert this ldif to the IPA DIT
>> load the ldif
>>
>> You can see the DIT we use at http://freeipa.org/page/UsingRhdsWithIpa
>>
>> HTH
>> Jenny
>
> Note that this will get the users added with their existing passwords but
> does not give them kerberos principals. We don't currently provide any
> mechanism for setting this on a migrated user though we are working on it.
>
> What I would recommend also is to create a few IPA users and compare the
> objectclasses that we use to the users you are migrating.
>
> rob

--
Michael Kang
There is a giant asleep within every man. When the giant awakens, miracles happen.
Personal blog: http://ufusion.org - United Fusion

From jgalipea at redhat.com Thu Sep 24 12:41:54 2009
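Added example, my own and not FreeIPA code, for the three steps Jenny lists and the objectclass comparison Rob recommends: it reads a 389-ds LDIF export, rewrites each posixAccount entry into the IPA user container, drops the operational attributes 389-ds wrote, keeps userPassword exactly as exported, and reports which users arrive without a Kerberos principal (Rob's caveat). Assumed: users live under cn=users,cn=accounts,<suffix> as on the wiki page Jenny links; REFERENCE_CLASSES stands in for the objectclasses of a real ipa-adduser-created user and should be replaced by what your server shows; SAMPLE_LDIF, including its password value, is constructed for the example.

```python
"""Re-home posixAccount entries from a 389-ds LDIF export into the FreeIPA user DIT.
Added example, not FreeIPA code. Assumed: cn=users,cn=accounts,<suffix> is the
user container; REFERENCE_CLASSES mirrors an ipa-adduser-created user (check a
real one, as Rob suggests); SAMPLE_LDIF is constructed."""
import base64
from typing import Dict, List

Entry = Dict[str, List[str]]   # lower-cased attribute name -> values ('dn' included)

# Attributes 389-ds maintains itself; they must not be re-imported.
OPERATIONAL = {"creatorsname", "modifiersname", "createtimestamp", "modifytimestamp",
               "nsuniqueid", "entryuuid", "entrydn", "entryid", "parentid", "numsubordinates"}
# Assumed objectClass list of an IPA 1.x user; verify against your own server.
REFERENCE_CLASSES = ["top", "person", "organizationalPerson", "inetOrgPerson",
                     "inetUser", "posixAccount", "krbPrincipalAux"]


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: folded lines, 'attr:: base64' values, comments."""
    logical: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and logical:      # folded continuation line
            logical[-1] += line[1:]
        else:
            logical.append(line)
    entries: List[Entry] = []
    current: Entry = {}
    for line in logical + [""]:                   # trailing "" flushes the last entry
        if not line.strip():
            if "dn" in current:
                entries.append(current)
            current = {}
            continue
        if line.startswith("#") or line.lower().startswith("version:"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):                 # attr:: <base64>
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr.lower(), []).append(value)
    return entries


def to_ipa_user(entry: Entry, suffix: str) -> Entry:
    """New DN under the IPA user container, operational attributes dropped,
    userPassword kept verbatim, objectClasses topped up to REFERENCE_CLASSES.
    Classes from the old schema stay; IPA rejects the entry at load time if unknown."""
    new: Entry = {"dn": [f"uid={entry['uid'][0]},cn=users,cn=accounts,{suffix}"]}
    for attr, values in entry.items():
        if attr != "dn" and attr not in OPERATIONAL:
            new[attr] = list(values)
    classes = {c.lower(): c for c in entry.get("objectclass", [])}
    for c in REFERENCE_CLASSES:
        classes.setdefault(c.lower(), c)
    new["objectclass"] = list(classes.values())
    return new


def migrate_users(entries: List[Entry], suffix: str) -> List[Entry]:
    """Convert every posixAccount; groups and containers need their own pass."""
    return [to_ipa_user(e, suffix) for e in entries
            if "posixaccount" in {c.lower() for c in e.get("objectclass", [])}]


def without_principal(entries: List[Entry]) -> List[str]:
    """uids that arrive with a password hash but no Kerberos principal."""
    return [e["uid"][0] for e in entries if "krbprincipalname" not in e]


def to_ldif(entry: Entry) -> str:
    """Serialise one entry; values that are not safe LDIF strings go base64."""
    lines = [f"dn: {entry['dn'][0]}"]
    for attr, values in entry.items():
        for v in (values if attr != "dn" else []):
            if v.isascii() and v.isprintable() and not v.startswith((" ", ":", "<")):
                lines.append(f"{attr}: {v}")
            else:
                lines.append(f"{attr}:: {base64.b64encode(v.encode()).decode()}")
    return "\n".join(lines) + "\n"


_PW = base64.b64encode(b"{SSHA}example-hash").decode()   # constructed, not a real hash
SAMPLE_LDIF = f"""version: 1

dn: uid=haha,ou=People,dc=aragon,dc=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
uid: haha
cn: haha haha
sn: haha
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/haha
loginShell: /bin/sh
userPassword:: {_PW}
creatorsName: cn=directory manager
modifyTimestamp: 20090923120000Z
nsUniqueId: 0a1b2c3d-000000000-00000000-000000000

dn: cn=ipauser,ou=Groups,dc=aragon,dc=local
objectClass: top
objectClass: posixGroup
cn: ipauser
gidNumber: 1001
"""

if __name__ == "__main__":
    users = migrate_users(parse_ldif(SAMPLE_LDIF), "dc=aragon,dc=local")
    print("\n".join(to_ldif(u) for u in users))
    print("no Kerberos principal yet:", without_principal(users))
```

The output is ready for ldapadd against the IPA instance; the uids printed last are the accounts Rob describes, which can bind with their old LDAP password but cannot kinit until a password is set through IPA.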
From: jgalipea at redhat.com (Jenny Galipeau)
Date: Thu, 24 Sep 2009 08:41:54 -0400
Subject: [Freeipa-users] Problem with Kerberos Authentication
In-Reply-To: <97725cf0909232018u139911a9v676fa8a3122c3ec8@mail.gmail.com>
References: <97725cf0909212346s4820a265j447042a506dc3641@mail.gmail.com> <4AB8CF15.1020905@redhat.com> <4AB8CFB1.1020407@redhat.com> <97725cf0909221849n35754423m859d00064baf5ad5@mail.gmail.com> <4ABA187B.80404@redhat.com> <97725cf0909231927p24058c4aue943f79bf9bff682@mail.gmail.com> <97725cf0909232002i3f1f7ad4qabbd9da7c0026ab3@mail.gmail.com> <4ABAE3C8.9090704@redhat.com> <97725cf0909232018u139911a9v676fa8a3122c3ec8@mail.gmail.com>
Message-ID: <4ABB6912.8040801@redhat.com>

Hi Michael:

Let's rule in or out the delegation you added. Can you remove the delegation and try it? If it works, I think we may have a bug. If it behaves the same, if you could provide more debug info that would be great.

Thanks
Jenny

Michael Kang wrote:
> Hi David,
>
> I rebooted the system after I edited the configuration file.
>
> Regards,
> Michael
>
> On Thu, Sep 24, 2009 at 11:13 AM, David O'Brien wrote:
>> Michael,
>> did you restart the KDC after you updated the krb5.conf file?
>>
>> David
>>
>> Michael Kang wrote:
>>> According to the FreeIPA Client Configure Guide, I realized I may have missed
>>> something in my client's krb5.conf. It had been created by the
>>> ipa-client-install script; I never edited it. But there are *no* [realms] and
>>> [domain_realm] sections in the krb5.conf file.
--
Jenny Galipeau
Principal Software QA Engineer
Red Hat, Inc. Security Engineering

From jrobertm8 at yahoo.com Fri Sep 25 01:20:12 2009
From: jrobertm8 at yahoo.com (John Robert Mendoza)
Date: Thu, 24 Sep 2009 18:20:12 -0700 (PDT)
Subject: [Freeipa-users] webgui won't load
Message-ID: <733039.70171.qm@web76303.mail.sg1.yahoo.com>

Hi,

I just installed freeipa 1.2.2-1 on a test machine. I think there's something wrong with the web GUI. After I installed FreeIPA, I tried accessing the web GUI with my browser but it won't load. httpd starts perfectly and logs no errors.

My procedure for installation is as follows:

1. Install Fedora 11.
2. Update using yum.
3. Install freeipa using yum.

I have reproduced the problem every time I try to set up with a fresh install.

Any thoughts? TIA.

John Robert Mendoza

From jrobertm8 at yahoo.com Fri Sep 25 01:52:38 2009
From: jrobertm8 at yahoo.com (John Robert Mendoza)
Date: Thu, 24 Sep 2009 18:52:38 -0700 (PDT)
Subject: [Freeipa-users] webgui won't load
In-Reply-To: <733039.70171.qm@web76303.mail.sg1.yahoo.com>
References: <733039.70171.qm@web76303.mail.sg1.yahoo.com>
Message-ID: <856610.68406.qm@web76316.mail.sg1.yahoo.com>

I have enabled PythonDebug in ipa.conf. Here is what I got:

[Fri Sep 25 09:46:33 2009] [error] SSL Library Error: -12271 SSL client cannot verify your certificate

John Robert Mendoza

From wxiluo at gmail.com Fri Sep 25 08:09:48 2009
From: wxiluo at gmail.com (Michael Kang)
Date: Fri, 25 Sep 2009 16:09:48 +0800
Subject: Fwd: [Freeipa-users] Problem with Kerberos Authentication
In-Reply-To: <97725cf0909250109jd4e926exbefc453dd3e29fc4@mail.gmail.com>
References: <97725cf0909212346s4820a265j447042a506dc3641@mail.gmail.com> <4AB8CFB1.1020407@redhat.com> <97725cf0909221849n35754423m859d00064baf5ad5@mail.gmail.com> <4ABA187B.80404@redhat.com> <97725cf0909231927p24058c4aue943f79bf9bff682@mail.gmail.com> <97725cf0909232002i3f1f7ad4qabbd9da7c0026ab3@mail.gmail.com> <4ABAE3C8.9090704@redhat.com> <97725cf0909232018u139911a9v676fa8a3122c3ec8@mail.gmail.com> <4ABB6912.8040801@redhat.com> <97725cf0909250109jd4e926exbefc453dd3e29fc4@mail.gmail.com>
Message-ID: <97725cf0909250109m4c30dca2nb052c602a0c5c459@mail.gmail.com>

---------- Forwarded message ----------
From: Michael Kang
Date: Fri, Sep 25, 2009 at 4:09 PM
Subject: Re: [Freeipa-users] Problem with Kerberos Authentication
To: Jenny Galipeau

Dear Jenny Galipeau,

Thank you, and everyone who helped me with this project. Thanks for being patient and answering my questions :)

My problem was solved by using Fedora 11 (fully upgraded). FreeIPA may have bugs with Fedora 9. If I install Fedora 11 (not upgraded) and then install ipa-server, Apache crashes many times per second. Here is the log output:

> *Apache child pid xxxx exit signal Segmentation fault (11)*

After upgrading the whole system, this problem disappeared. Also, a new user can pass Kerberos authentication and log in to the system successfully.

If you want the details about the bugs on Fedora 9, I could send them to you. Please let me know what you want.

Thank you again.
Michael

On Thu, Sep 24, 2009 at 8:41 PM, Jenny Galipeau wrote:
> Hi Michael:
>
> Let's rule in or out the delegation you added. Can you remove the
> delegation and try it? If it works, I think we may have a bug. If it behaves
> the same, if you could provide more debug info that would be great.
>
> Thanks
> Jenny
>
> Michael Kang wrote:
>> Hi David,
>>
>> I rebooted the system after I edited the configuration file.
>>
>> Regards,
>> Michael
>>
>> On Thu, Sep 24, 2009 at 11:13 AM, David O'Brien wrote:
>>> Michael,
>>> did you restart the KDC after you updated the krb5.conf file?
>>>
>>> David
>>>
>>> Michael Kang wrote:
>>>> According to the FreeIPA Client Configure Guide, I realized I may have missed
>>>> something in my client's krb5.conf. It had been created by the
>>>> ipa-client-install script; I never edited it. But there are *no* [realms] and
>>>> [domain_realm] sections in the krb5.conf file.
>> >> Personal blog: http://ufusion.org - United Fusion >> >> >> >> >> >> >> ------------------------------------------------------------------------ >> >> _______________________________________________ >> Freeipa-users mailing list >> Freeipa-users at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-users >> >> >> >> -- >> David O'Brien >> IPA Content Author >> Red Hat Asia Pacific >> +61 7 3514 8189 >> >> "The most valuable of all talents is that of never using two words >> when >> one will do." >> Thomas Jefferson >> >> >> >> >> -- >> Michael Kang?????? >> There is a giant asleep within every man. When the giant awakens,miracles >> happen. >> >> Personal blog: http://ufusion.org - United Fusion >> > > > -- > Jenny Galipeau > Principal Software QA Engineer > Red Hat, Inc. Security Engineering > > -- Michael Kang?????? There is a giant asleep within every man. When the giant awakens,miracles happen. Personal blog: http://ufusion.org - United Fusion -- Michael Kang?????? There is a giant asleep within every man. When the giant awakens,miracles happen. Personal blog: http://ufusion.org - United Fusion -------------- next part -------------- An HTML attachment was scrubbed... URL: From jrobertm8 at yahoo.com Fri Sep 25 09:56:22 2009 From: jrobertm8 at yahoo.com (John Robert Mendoza) Date: Fri, 25 Sep 2009 02:56:22 -0700 (PDT) Subject: [Freeipa-users] webgui won't load In-Reply-To: <856610.68406.qm@web76316.mail.sg1.yahoo.com> Message-ID: <626087.75630.qm@web76312.mail.sg1.yahoo.com> Ok. I have figured out whats causing my lwebgui not to load. It was about my network configuration. John Robert Mendoza --- On Fri, 9/25/09, John Robert Mendoza wrote: 
From: John Robert Mendoza Subject: Re: [Freeipa-users] webgui won't load To: "John Robert Mendoza" Cc: freeipa-users at redhat.com Date: Friday, 25 September, 2009, 9:52 AM

I have enabled pythonDebug in ipa.conf. Here is what I got:

[Fri Sep 25 09:46:33 2009] [error] SSL Library Error: -12271 SSL client cannot verify your certificate

John Robert Mendoza

From: John Robert Mendoza To: freeipa-users at redhat.com Sent: Friday, September 25, 2009 9:20:12 AM Subject: [Freeipa-users] webgui won't load

hi,

I just installed freeipa 1.2.2-1 on a test machine. I think there's something wrong with the webgui. After I have installed FreeIPA, I tried accessing the webgui with my browser but it won't load. httpd starts perfectly and logs no errors. My procedure for installation is as follows:

1. Install Fedora 11.
2. Update using yum.
3. Install freeipa using yum.

I have reproduced the problem every time I try to set up with a fresh install. Any thoughts? TIA.

John Robert Mendoza
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 25 Sep 2009 09:33:45 -0400 Subject: Fwd: [Freeipa-users] Problem with Kerberos Authentication In-Reply-To: <97725cf0909250109m4c30dca2nb052c602a0c5c459@mail.gmail.com> References: <97725cf0909212346s4820a265j447042a506dc3641@mail.gmail.com> <4AB8CFB1.1020407@redhat.com> <97725cf0909221849n35754423m859d00064baf5ad5@mail.gmail.com> <4ABA187B.80404@redhat.com> <97725cf0909231927p24058c4aue943f79bf9bff682@mail.gmail.com> <97725cf0909232002i3f1f7ad4qabbd9da7c0026ab3@mail.gmail.com> <4ABAE3C8.9090704@redhat.com> <97725cf0909232018u139911a9v676fa8a3122c3ec8@mail.gmail.com> <4ABB6912.8040801@redhat.com> <97725cf0909250109jd4e926exbefc453dd3e29fc4@mail.gmail.com> <97725cf0909250109m4c30dca2nb052c602a0c5c459@mail.gmail.com> Message-ID: <4ABCC6B9.5020806@redhat.com> Michael Kang wrote: > > > ---------- Forwarded message ---------- 
> From: *Michael Kang*
> Date: Fri, Sep 25, 2009 at 4:09 PM
> Subject: Re: [Freeipa-users] Problem with Kerberos Authentication
> To: Jenny Galipeau
>
> Dear Jenny Galipeau,
>
> Thank you and everyone who helped me with this project. Thanks for being patient and answering my questions :)
>
> My problem was solved by using Fedora 11 (upgraded completely). FreeIPA may have bugs with Fedora 9.
>
> If I install Fedora 11 (not upgrade), then install ipa-server, Apache crashed many times per second. Here is the log output:
>
> /Apache child pid xxxx exit signal Segmentation fault(11)/

Yes, this was a bug in the original NSS package that shipped with F-11.

> After upgrading the whole system, this problem disappeared. Also, new users can pass Kerberos authentication and log in to the system successfully.
>
> If you want the details about the bugs on Fedora 9, I could send them to you. Please let me know what you want.

Fedora 9 isn't supported by Fedora anymore so we don't test on it either.

rob

> Thank you again.
> Michael
>
> On Thu, Sep 24, 2009 at 8:41 PM, Jenny Galipeau wrote:
>
> Hi Michael:
>
> Let's rule in or out the delegation you added. Can you remove the delegation and try it? If it works, I think we may have a bug. If it behaves the same, if you could provide more debug info that would be great.
>
> Thanks
> Jenny
>
> Michael Kang wrote:
>
> Hi David,
>
> I rebooted the system after I edited the configuration file.
>
> Regards,
> Michael
>
> On Thu, Sep 24, 2009 at 11:13 AM, David O'Brien wrote:
>
> Michael,
> did you restart the kdc after you updated the krb5.conf file?
>
> David
>
> Michael Kang wrote:
>
> According to the FreeIPA Client Configure Guide, I realized I may have missed something in my client's krb5.conf. It had been created by the ipa-client-install script. I never edited it. But there are *no* *[realms]* and *[domain_realm]* in the krb5.conf file.
> So I added them, shown below:
>
> #File modified by ipa-client-install
>
> [libdefaults]
>   default_realm = ARAGON.LOCAL
>   dns_lookup_realm = true
>   dns_lookup_kdc = true
>   ticket_lifetime = 24h
>   forwardable = yes
>
> [realms]
>   ARAGON.LOCAL = {
>     kdc = ipa.aragon.local:88
>     admin_server = ipa.aragon.local:749
>     default_domain = aragon.local
>   }
>
> [domain_realm]
>   .aragon.local = ARAGON.LOCAL
>   aragon.local = ARAGON.LOCAL
>
> [appdefaults]
>   pam = {
>     debug = false
>     ticket_lifetime = 36000
>     renew_lifetime = 36000
>     forwardable = true
>     krb4_convert = false
>   }
>
> It doesn't work with the new krb5.conf either.
> *kinit(v5): Password change failed while getting initial credentials*
>
> I'd like to post more detailed output. Hope it could be helpful.
>
> [root at freeipa ~]# kinit admin
> Password for admin at ARAGON.LOCAL:
> [root at freeipa ~]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: admin at ARAGON.LOCAL
>
> Valid starting     Expires            Service principal
> 09/23/09 22:52:57  09/24/09 22:52:58  krbtgt/ARAGON.LOCAL at ARAGON.LOCAL
>
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
> [root at freeipa ~]# ipa-finduser admin
> Full Name: Administrator
> Home Directory: /home/admin
> Login Shell: /bin/bash
> Login: admin
>
> [root at freeipa ~]# ipa-finduser haha
> Full Name: haha haha
> Home Directory: /home/haha
> Login Shell: /bin/sh
> Login: haha
>
> Regards,
> Michael
>
> On Thu, Sep 24, 2009 at 10:27 AM, Michael Kang wrote:
>
> Here is the client's krb5.conf:
>
> #File modified by ipa-client-install
>
> [libdefaults]
>   default_realm = ARAGON.LOCAL
>   dns_lookup_realm = true
>   dns_lookup_kdc = true
>   ticket_lifetime = 24h
>   forwardable = yes
>
> [appdefaults]
>   pam = {
>     debug = false
>     ticket_lifetime = 36000
>     renew_lifetime = 36000
>     forwardable = true
>     krb4_convert = false
>   }
>
> EOF
>
> On Wed, Sep 23, 2009 at 8:45 PM, Jenny Galipeau wrote:
>
> Michael Kang wrote:
> [...]
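The two krb5.conf files Michael posted above differ only in the explicit [realms] and [domain_realm] blocks, and the thread never settles whether the client could find its KDC without them. The check below is an added example, not FreeIPA code and not anything anyone on the list posted: it parses krb5.conf's profile syntax (including the nested { } blocks) and reports, for the default realm, whether KDC lookup rests on an explicit kdc line or on DNS SRV records, whether the client's domain is mapped to the realm or left to DNS TXT lookup, and whether any Kerberos 4 option is switched on (Jenny's first suspicion). Both of Michael's files are embedded as strings; the client name freeipa.aragon.local is an assumption taken from his shell prompt. With the file ipa-client-install wrote, both lookups rest on DNS, which is fine only when the IPA server's SRV and TXT records exist.

```python
"""Check a client krb5.conf for what this thread looks at by hand.

Added example, not FreeIPA code or anything posted on the list: parse the
krb5.conf profile syntax, then report how the client finds its KDC, how its
domain maps to the realm, and whether any Kerberos 4 option is on.  The two
configs at the bottom are the ones Michael posted, copied from the thread."""
import re

SECTION_RE, KV_RE = re.compile(r"^\[([^\]]+)\]$"), re.compile(r"^([^=\s]+)\s*=\s*(.*)$")
_on = lambda v: str(v).strip().lower() in ("true", "yes", "1", "on")


def _store(block, key, value):
    """A repeated key (several kdc lines, say) collects into a list."""
    old = block.get(key)
    block[key] = value if old is None else (old if isinstance(old, list) else [old]) + [value]


def parse_krb5_conf(text):
    """Return {section: {key: str | dict | list}} for a krb5.conf body."""
    conf, stack, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        sec = SECTION_RE.match(line)
        if sec and not stack:
            section = conf.setdefault(sec.group(1).strip(), {})
        elif line == "}" and stack:
            stack.pop()
        elif section is not None and KV_RE.match(line):
            key, value = KV_RE.match(line).groups()
            target = stack[-1] if stack else section
            if value.strip() == "{":              # opens a nested block
                stack.append({})
                _store(target, key, stack[-1])
            else:
                _store(target, key, value.strip())
        else:
            raise ValueError("cannot parse krb5.conf line: %r" % raw)
    if stack:
        raise ValueError("unterminated '{' block in krb5.conf")
    return conf


def _leaves(block):
    """Yield (key, value) for every scalar setting at any depth."""
    for key, value in block.items():
        for item in (value if isinstance(value, list) else [value]):
            yield from _leaves(item) if isinstance(item, dict) else [(key, item)]


def check_client_config(text, client_fqdn):
    """Return findings for this client; an empty list means nothing to report."""
    conf = parse_krb5_conf(text)
    lib = conf.get("libdefaults", {})
    realm = lib.get("default_realm")
    if not realm:
        return ["[libdefaults] has no default_realm"]
    out, realm_cfg = [], conf.get("realms", {}).get(realm)
    if realm_cfg is None:                         # MIT defaults dns_lookup_kdc to true
        out.append("no [realms] entry for %s: KDC discovery %s" % (realm,
                   "relies entirely on DNS SRV records" if _on(lib.get("dns_lookup_kdc", "true"))
                   else "has nothing to go on, dns_lookup_kdc is off"))
    else:
        out += ["[realms] %s has no '%s' line" % (realm, k) for k in ("kdc", "admin_server") if k not in realm_cfg]
    domain, dr = client_fqdn.partition(".")[2], conf.get("domain_realm", {})
    mapped = dr.get(client_fqdn) or dr.get("." + domain) or dr.get(domain)
    if mapped is None:                            # MIT defaults dns_lookup_realm to false
        out.append("no [domain_realm] mapping for %s: realm mapping %s" % (domain,
                   "relies on DNS TXT records" if _on(lib.get("dns_lookup_realm", "false"))
                   else "has nothing to go on, dns_lookup_realm is off"))
    elif mapped != realm:
        out.append("%s maps to %s, not to default_realm %s" % (domain, mapped, realm))
    out += ["Kerberos 4 option %s = %s is enabled" % kv          # Jenny's V4 suspicion
            for kv in _leaves(conf) if kv[0].startswith("krb4") and _on(kv[1])]
    return out


KRB5_CONF_AS_GENERATED = """\
#File modified by ipa-client-install
[libdefaults]
  default_realm = ARAGON.LOCAL
  dns_lookup_realm = true
  dns_lookup_kdc = true
  ticket_lifetime = 24h
  forwardable = yes
[appdefaults]
  pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
  }
"""
KRB5_CONF_WITH_REALMS = KRB5_CONF_AS_GENERATED.replace("[appdefaults]", """\
[realms]
  ARAGON.LOCAL = {
    kdc = ipa.aragon.local:88
    admin_server = ipa.aragon.local:749
    default_domain = aragon.local
  }
[domain_realm]
  .aragon.local = ARAGON.LOCAL
  aragon.local = ARAGON.LOCAL
[appdefaults]""")
```

On a real client call check_client_config(open("/etc/krb5.conf").read(), socket.getfqdn()); an empty list is the clean result. It only reports, it never edits the file, and a "relies on DNS" finding is a fact to confirm with dig, not a fault in itself.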
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 25 Sep 2009 09:34:47 -0400 Subject: [Freeipa-users] webgui won't load In-Reply-To: <626087.75630.qm@web76312.mail.sg1.yahoo.com> References: <626087.75630.qm@web76312.mail.sg1.yahoo.com> Message-ID: <4ABCC6F7.6000609@redhat.com>
John Robert Mendoza wrote:
> Ok.
>
> I have figured out what's causing my webgui not to load.
>
> It was about my network configuration.

Whew, glad you got it working. I was just about to inundate you with requests for more data :-)

Is this network config problem something others might run into? Is it something worth adding to our documentation?

thanks

rob
From: wxiluo at gmail.com (Michael Kang) Date: Fri, 25 Sep 2009 21:46:15 +0800 Subject: Fwd: [Freeipa-users] Problem with Kerberos Authentication In-Reply-To: <4ABCC6B9.5020806@redhat.com> References: <97725cf0909212346s4820a265j447042a506dc3641@mail.gmail.com> <4ABA187B.80404@redhat.com> <97725cf0909231927p24058c4aue943f79bf9bff682@mail.gmail.com> <97725cf0909232002i3f1f7ad4qabbd9da7c0026ab3@mail.gmail.com> <4ABAE3C8.9090704@redhat.com> <97725cf0909232018u139911a9v676fa8a3122c3ec8@mail.gmail.com> <4ABB6912.8040801@redhat.com> <97725cf0909250109jd4e926exbefc453dd3e29fc4@mail.gmail.com> <97725cf0909250109m4c30dca2nb052c602a0c5c459@mail.gmail.com> <4ABCC6B9.5020806@redhat.com> Message-ID: <97725cf0909250646h25da3aefjdd0fe6d19afad16@mail.gmail.com>
Thank you for telling me about the NSS package bug. FreeIPA works well on Fedora 11 so far.

I want to deploy FreeIPA instead of Fedora Directory Server to do identity management in my company. I think there must be many problems and questions which need your help. Also I'd like to share my journey (FreeIPA exploration) with you guys.

Thank you again,
Michael

On Fri, Sep 25, 2009 at 9:33 PM, Rob Crittenden wrote:
> Michael Kang wrote:
>> ---------- Forwarded message ----------
>> [...]

-- Michael Kang
There is a giant asleep within every man. When the giant awakens, miracles happen.
Personal blog: http://ufusion.org - United Fusion
From: wxiluo at gmail.com (Michael Kang) Date: Mon, 28 Sep 2009 17:43:54 +0800 Subject: [Freeipa-users] Confused,HELP Message-ID: <97725cf0909280243l241a4b83t317829d3dabecbb6@mail.gmail.com>
Dear FreeIPA community,

I'm confused these days. My PL wants to find an AAA solution for our company, using LDAP to store employee information. Now they use phpLDAPadmin to manage Fedora Directory Server, and the Apache LDAP mod to authenticate for internal websites.

Now I'm learning FreeIPA. But I don't know what the difference is between FreeIPA and 389-ds.

What could FreeIPA offer? What is the benefit of deploying FreeIPA in my company?

I'm a junior Linux system administrator. I really need your help.

Regards,
Michael

-- Michael Kang
There is a giant asleep within every man. When the giant awakens, miracles happen.
Personal blog: http://ufusion.org - United Fusion
From: davido at redhat.com (David O'Brien) Date: Mon, 28 Sep 2009 22:06:12 +1000 Subject: [Freeipa-users] Confused,HELP In-Reply-To: <97725cf0909280243l241a4b83t317829d3dabecbb6@mail.gmail.com> References: <97725cf0909280243l241a4b83t317829d3dabecbb6@mail.gmail.com> Message-ID: <4AC0A6B4.3090100@redhat.com>
Michael Kang wrote:
> Dear FreeIPA community,
>
> I'm confused these days. My PL wants to find an AAA solution for our company, using LDAP to store employee information. Now they use phpLDAPadmin to manage Fedora Directory Server, and the Apache LDAP mod to authenticate for internal websites.
>
> Now I'm learning FreeIPA. But I don't know what the difference is between FreeIPA and 389-ds.
>
> What could FreeIPA offer? What is the benefit of deploying FreeIPA in my company?
>
> I'm a junior Linux system administrator. I really need your help.
>
> Regards,
> Michael

Hi Michael

Have you had a look at the freeIPA home page for a description of what freeIPA provides, what its goals are, and the different technologies involved? You will no doubt get a much more detailed reply from the developers, but the home page will provide a good overview.

While 389-ds is just that - a directory server - freeIPA uses this directory server in conjunction with MIT Kerberos, DNS, and other technologies to provide an integrated security management system. 389-ds is a single product; freeIPA is all about integrating a number of products to ease the process of security and identity management.

-- David O'Brien
IPA Content Author
Red Hat Asia Pacific
+61 7 3514 8189
http://freeipa.org/page/DocumentationPortal
http://git.fedorahosted.org/git/ipadocs.git
"The most valuable of all talents is that of never using two words when one will do."
Thomas Jefferson
From: tomasz.napierala at allegro.pl (Tomasz Z. Napierala) Date: Mon, 28 Sep 2009 14:07:21 +0200 Subject: [Freeipa-users] Confused,HELP In-Reply-To: <97725cf0909280243l241a4b83t317829d3dabecbb6@mail.gmail.com> References: <97725cf0909280243l241a4b83t317829d3dabecbb6@mail.gmail.com> Message-ID: <1254139641.4577.245.camel@alledrag>
On Mon, 2009-09-28 at 11:43 +0200, Michael Kang wrote:
> Dear FreeIPA community,
>
> I'm confused these days. My PL wants to find an AAA solution for our company, using LDAP to store employee information. Now they use phpLDAPadmin to manage Fedora Directory Server, and the Apache LDAP mod to authenticate for internal websites.
>
> Now I'm learning FreeIPA. But I don't know what the difference is between FreeIPA and 389-ds.
>
> What could FreeIPA offer? What is the benefit of deploying FreeIPA in my company?

FreeIPA is LDAP and more, where "more" is Kerberos and a fancy web GUI (to name a few). So read about Kerberos to find out what that beast is for, and you will have the bigger picture.

Regards,
-- Tomasz Napierała
Systems Architecture Engineer, IT Infrastructure Department
Allegro Team
http://www.allegro.pl/
QXL Poland sp. z o.o.
ul. Marcelińska 90, 60-324 Poznań
NIP 779-21-25-257; District Court Poznań - Nowe Miasto and Wilda in Poznań, 8th Commercial Division, KRS no. 0000104322
Share capital: PLN 1,046,000.
From: dpal at redhat.com (Dmitri Pal) Date: Mon, 28 Sep 2009 08:15:39 -0400 Subject: [Freeipa-users] Confused,HELP In-Reply-To: <97725cf0909280243l241a4b83t317829d3dabecbb6@mail.gmail.com> References: <97725cf0909280243l241a4b83t317829d3dabecbb6@mail.gmail.com> Message-ID: <4AC0A8EB.2070109@redhat.com>
Michael Kang wrote:
> Dear FreeIPA community,
>
> I'm confused these days. My PL wants to find an AAA solution for our company, using LDAP to store employee information. Now they use phpLDAPadmin to manage Fedora Directory Server, and the Apache LDAP mod to authenticate for internal websites.
>
> Now I'm learning FreeIPA. But I don't know what the difference is between FreeIPA and 389-ds.
>
> What could FreeIPA offer? What is the benefit of deploying FreeIPA in my company?
>
> I'm a junior Linux system administrator. I really need your help.

FreeIPA v1.x is a combination of the Directory Server and a Kerberos Domain Controller glued together. It has web UI and CLI interfaces. Kerberos brings SSO to the table: once one is authenticated and has got his Kerberos ticket, he can access any kerberized service in the same domain without being prompted for re-authentication.

FreeIPA 2.x (in the works) adds embedded DNS and CA. It allows tracking and auto-renewal of the server certificates, allows enrollment of hosts in the IPA domain, supports automount and netgroups, provides host-based access control and more. This is a quick overview.

What is different between 389 and IPA? IPA is more than just a DS. There are also differences in how the DIT is organized.

What is the value? IPA is aiming at being a fully functional domain controller for Linux/UNIX hosts with a big set of native UNIX/Linux features, as AD does for Windows.

Hope this helps.

Dmitri
From: ssorce at redhat.com (Simo Sorce) Date: Mon, 28 Sep 2009 08:22:37 -0400 Subject: [Freeipa-users] Confused,HELP In-Reply-To: <4AC0A8EB.2070109@redhat.com> References: <97725cf0909280243l241a4b83t317829d3dabecbb6@mail.gmail.com> <4AC0A8EB.2070109@redhat.com> Message-ID: <1254140557.5039.6.camel@localhost.localdomain>
On Mon, 2009-09-28 at 08:15 -0400, Dmitri Pal wrote:
> FreeIPA 2.x (in the works) adds embedded DNS and CA.

Just to set expectations right, v2 "integrates" with DNS and CA, does not "embed" them, we use bind for DNS and dogtag for the CA parts. The DNS integration is also optional, though recommended if you want an easier life.

Simo.
From: james.roman at ssaihq.com (James Roman) Date: Mon, 28 Sep 2009 10:08:26 -0400 Subject: [Freeipa-users] OS Migration path Message-ID: <4AC0C35A.5040703@ssaihq.com>
I am currently running free-ipa 1.2.1 on a FC9 install with fedora-ds 1.2.0-4. I would like to upgrade the operating system for my IPA server to FC10. I'd like to hear some recommendations for migrating the server to FC10 without losing the IPA server LDAP database (or at least, not losing the users and groups).

I am running the server in a VM, so I can easily recover the server to its original state from snapshot.

My initial plans are this:

1. Export PKCS12 server certificate for /etc/dirsrv/slapd-INSTANCE and /etc/httpd/alias certificates.
2. Use db2bak to back up the entire DS database
3. Back up all the directories in http://freeipa.org/docs/1.2/Administration_Guide/en-US/html/chap-Administration_Guide-Backup_and_Recovery.html to a separate disk partition.
4. Export the "dc=realm,dc=com" and "cn=etc" directory branches to ldif
5. Disable automatic start of dirsrv, ipa_kpasswd and ipa_webgui
6. Boot VM from Fedora 10 DVD and choose to upgrade existing install
7. After install reboots, log into server and run "yum upgrade" to bring OS up to date (This will also migrate fedora-ds to 389-ds).
8. Verify dirsrv, ipa_kpasswd and ipa_webgui won't restart automatically again. Reboot server once more to run upgraded OS.
9. Start dirsrv, ipa_kpasswd and ipa_webgui manually. Address any issues that arise.
10. Configure dirsrv, ipa_kpasswd and ipa_webgui to restart automatically.

Questions:

Do I need to change authentication in any way to remove LDAP dependencies while dirsrv is disabled?

Are there any risks from the directory server upgrade? Should I only upgrade the OS packages during the "yum upgrade" and make sure that the directory server loads properly prior to upgrading the directory server and freeipa?

Will the OS upgrade overwrite or modify any of the existing fedora database configurations?
Will the OS upgrade overwrite or modify any of the certificate databases? From rcritten at redhat.com Mon Sep 28 14:56:15 2009 
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 28 Sep 2009 10:56:15 -0400
Subject: [Freeipa-users] OS Migration path
In-Reply-To: <4AC0C35A.5040703@ssaihq.com>
References: <4AC0C35A.5040703@ssaihq.com>
Message-ID: <4AC0CE8F.9050309@redhat.com>

James Roman wrote:
> I am currently running free-ipa 1.2.1 on a FC9 install with fedora-ds 1.2.0-4. I would like to upgrade the operating system for my IPA server to FC10. I'd like to hear some recommendations for migrating the server to FC10 without losing the IPA server LDAP database (or at least, not losing the users and groups).
>
> I am running the server in a VM, so I can easily recover the server to its original state from snapshot.
>
> My initial plans are this:
>
> 1. Export PKCS12 server certificate for /etc/dirsrv/slapd-INSTANCE and /etc/httpd/alias certificates.

If you are using our self-signed CA be sure to backup the CA certificate in the DS instance. Also back up /var/lib/ipa/ca_serialno.

> 2. Use db2bak to backup the entire DS database
> 3. Backup all the directories in http://freeipa.org/docs/1.2/Administration_Guide/en-US/html/chap-Administration_Guide-Backup_and_Recovery.html to a separate disk partition.
> 4. Export the "dc=realm,dc=com" and "cn=etc" directory branches to ldif

I'd add dse.ldif which is found in your DS instance dir.

> 5. Disable automatic start of dirsrv, ipa_kpasswd and ipa_webgui

If you disable dirsrv you'll want to disable krb5kdc as well. I'd also back up /var/kerberos/krb5kdc/

> 6. Boot VM from Fedora 10 DVD and choose to upgrade existing install
> 7. After install reboots, log into server and run "yum upgrade" to bring OS up to date (This will also migrate fedora-ds to 389-ds).
> 8. Verify dirsrv, ipa_kpasswd and ipa_webgui won't restart automatically again. Reboot server once more to run upgraded OS.
> 9. Start dirsrv, ipa_kpasswd and ipa_webgui manually. Address any issues that arise.
> 10. Configure dirsrv, ipa_kpasswd and ipa_webgui to restart automatically.
>
> Questions:
> Do I need to change authentication in any way to remove LDAP dependencies while dirsrv is disabled?

You could run ipa-client-install --uninstall to restore auth to its previous state. Then run ipa-client-install again when the server comes back up. IMPORTANT, include the --on-master flag when you set it up again.

> Are there any risks from the directory server upgrade?

I don't think so. I upgraded on my F-11 from fedora-ds-base to 389-ds-base with no problems.

> Should I only upgrade the OS packages during the "yum upgrade" and make sure that the directory server loads properly prior to upgrading the directory server and freeipa?

I'm not sure it would make a difference. If you're worried then yes, you can do this.

> Will the OS upgrade overwrite or modify any of the existing fedora database configurations?

It shouldn't. The DS instances are not affected by the DS package.

> Will the OS upgrade overwrite or modify any of the certificate databases?

It shouldn't, though the backups you propose will protect you.

Good luck and let us know how things go.

rob
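A script that carries out the backup half of James's plan together with the extra items Rob lists (the CA certificate and key from the DS instance, /var/lib/ipa/ca_serialno, dse.ldif, /var/kerberos/krb5kdc, and krb5kdc disabled alongside dirsrv). It is added here as an illustration and is not taken from the thread or from FreeIPA. The instance name, suffix, certificate nicknames, backup location and the path of the instance scripts directory are placeholders to adjust, and the placement of "cn=etc" under the realm suffix is an assumption; the tools invoked are NSS's pk12util and the db2bak/db2ldif scripts that ship with the directory server. By default (DRY_RUN=1) it only prints the commands; set DRY_RUN=0 to run them as root on the server.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeIPA): pre-upgrade backup of
# an IPA 1.2 server following James's plan plus Rob's additions.
# Every value below is a placeholder to adjust for the real server.
INSTANCE="${INSTANCE:-EXAMPLE-COM}"                  # slapd instance name
SUFFIX="${SUFFIX:-dc=example,dc=com}"                # realm suffix
NICK="${NICK:-Server-Cert}"                          # server cert nickname
CA_NICK="${CA_NICK:-CA certificate}"                 # self-signed CA nickname
DS_SCRIPTS="${DS_SCRIPTS:-/usr/lib64/dirsrv/slapd-$INSTANCE}"  # db2bak/db2ldif
BACKUP="${BACKUP:-/mnt/backup/ipa-$(date +%Y%m%d)}"  # separate partition (step 3)
DRY_RUN="${DRY_RUN:-1}"                              # 1 = print commands only

# One command per line, in the order they should run.  pk12util exports the
# certificate together with its private key, so the CA export also keeps the
# signing key that a self-signed IPA CA stores in the DS NSS database.
backup_plan() {
    cat <<EOF
mkdir -p "$BACKUP"
pk12util -d /etc/dirsrv/slapd-$INSTANCE -n "$NICK" -o "$BACKUP/dirsrv-server.p12"
pk12util -d /etc/dirsrv/slapd-$INSTANCE -n "$CA_NICK" -o "$BACKUP/dirsrv-ca.p12"
pk12util -d /etc/httpd/alias -n "$NICK" -o "$BACKUP/httpd-server.p12"
cp -p /var/lib/ipa/ca_serialno "$BACKUP/ca_serialno"
$DS_SCRIPTS/db2bak "$BACKUP/db2bak"
$DS_SCRIPTS/db2ldif -s "$SUFFIX" -a "$BACKUP/suffix.ldif"
$DS_SCRIPTS/db2ldif -s "cn=etc,$SUFFIX" -a "$BACKUP/etc.ldif"
cp -p /etc/dirsrv/slapd-$INSTANCE/dse.ldif "$BACKUP/dse.ldif"
cp -a /var/kerberos/krb5kdc "$BACKUP/krb5kdc"
chkconfig dirsrv off
chkconfig krb5kdc off
chkconfig ipa_kpasswd off
chkconfig ipa_webgui off
EOF
}

# Number of steps in the plan, for a quick sanity check before running it.
plan_steps() {
    backup_plan | wc -l | tr -d ' '
}

run_backup() {
    if [ "$DRY_RUN" = 1 ]; then
        backup_plan
    else
        # sh -e stops at the first failing step, so a half-taken backup is noticed.
        backup_plan | sh -e
    fi
}

run_backup
```

pk12util asks interactively for the NSS database password and for an export password; the db2ldif output path must be writable by the directory server user. Keep the exported .p12 files and the krb5kdc copy (which holds the KDC master key) with the same care as the server itself, since together they are everything needed to impersonate it.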
From: Andy.Singleton at tipp24os.co.uk (Andy Singleton)
Date: Mon, 28 Sep 2009 15:18:13 +0100
Subject: [Freeipa-users] Root access to NFS
Message-ID: <1CD40A4DEEA320479C98D8A93A5C690601AAD758@waterloo.t24uk.tipp24.net>

Hello,

I have a 4-way multi-master setup, with a separate NFS server which provides automounted home directories.

This works pretty well, except when I try to access a mounted user's directory as Root.

Unless the directory is exported as globally readable, I can't get access as root.

I have tried: using my normal user credentials via kinit, adding a root principal (as suggested for a plain Kerberos install), and various group memberships. Nothing seems to work.

All the servers involved are RHEL5 64bit plus latest patches.

Any suggestions?

Thanks
Andy

From: bene at crystal.harvard.edu (Ben Eisenbraun)
Date: Mon, 28 Sep 2009 11:00:17 -0400
Subject: [Freeipa-users] Root access to NFS
In-Reply-To: <1CD40A4DEEA320479C98D8A93A5C690601AAD758@waterloo.t24uk.tipp24.net>
References: <1CD40A4DEEA320479C98D8A93A5C690601AAD758@waterloo.t24uk.tipp24.net>
Message-ID: <20090928150017.GB13669@crystal.harvard.edu>

On Mon, Sep 28, 2009 at 03:18:13PM +0100, Andy Singleton wrote:
> I have a 4-way multi-master setup, with a separate NFS server which provides automounted home directories.
>
> This works pretty well, except when I try to access a mounted user's directory as Root.
>
> Unless the directory is exported as globally readable, I can't get access as root.

What are your export options? Did you enable no_root_squash?

-ben

--
| Ben Eisenbraun          | Software Sysadmin      |
| Structural Biology Grid | http://sbgrid.org      |
| Harvard Medical School  | http://hms.harvard.edu |
From: Andy.Singleton at tipp24os.co.uk (Andy Singleton)
Date: Mon, 28 Sep 2009 16:09:54 +0100
Subject: [Freeipa-users] Root access to NFS
References: <1CD40A4DEEA320479C98D8A93A5C690601AAD758@waterloo.t24uk.tipp24.net> <20090928150017.GB13669@crystal.harvard.edu>
Message-ID: <1CD40A4DEEA320479C98D8A93A5C690601AAD770@waterloo.t24uk.tipp24.net>

Yes I did use no_root_squash. Here is the export line I'm using:

/rhome gss/krb5(no_root_squash,fsid=0,rw,insecure,no_subtree_check)

And here is the corresponding automount entry from the server:

* -fstype=nfs4,sec=krb5,port=2049 [myservernamehere]:/&

Cheers
Andy

-----Original Message-----
From: Ben Eisenbraun [mailto:bene at crystal.harvard.edu]
Sent: 28 September 2009 16:00
To: Andy Singleton
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Root access to NFS

On Mon, Sep 28, 2009 at 03:18:13PM +0100, Andy Singleton wrote:
> I have a 4-way multi-master setup, with a separate NFS server which provides automounted home directories.
>
> This works pretty well, except when I try to access a mounted user's directory as Root.
>
> Unless the directory is exported as globally readable, I can't get access as root.

What are your export options? Did you enable no_root_squash?

-ben

--
| Ben Eisenbraun          | Software Sysadmin      |
| Structural Biology Grid | http://sbgrid.org      |
| Harvard Medical School  | http://hms.harvard.edu |
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 28 Sep 2009 11:43:41 -0400
Subject: [Freeipa-users] Root access to NFS
In-Reply-To: <1CD40A4DEEA320479C98D8A93A5C690601AAD770@waterloo.t24uk.tipp24.net>
References: <1CD40A4DEEA320479C98D8A93A5C690601AAD758@waterloo.t24uk.tipp24.net> <20090928150017.GB13669@crystal.harvard.edu> <1CD40A4DEEA320479C98D8A93A5C690601AAD770@waterloo.t24uk.tipp24.net>
Message-ID: <1254152621.5039.15.camel@localhost.localdomain>

I don't think you can use no_root_squash with sec=krb5.
When using krb5 you are working in a "user auth" model, not in a "client is trusted" model, so you can't access stuff as root.

In any case I'd suggest you ask in an NFS specific forum, they'll have much better advice.
FreeIPA is just an easy way to get a krb infrastructure up; it doesn't change anything from the NFSv4 pov.

Simo.

On Mon, 2009-09-28 at 16:09 +0100, Andy Singleton wrote:
> Yes I did use no_root_squash. Here is the export line I'm using:
> /rhome gss/krb5(no_root_squash,fsid=0,rw,insecure,no_subtree_check)
>
> And here is the corresponding automount entry from the server:
> * -fstype=nfs4,sec=krb5,port=2049 [myservernamehere]:/&
>
> Cheers
> Andy
>
> -----Original Message-----
> From: Ben Eisenbraun [mailto:bene at crystal.harvard.edu]
> Sent: 28 September 2009 16:00
> To: Andy Singleton
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Root access to NFS
>
> On Mon, Sep 28, 2009 at 03:18:13PM +0100, Andy Singleton wrote:
> > I have a 4-way multi-master setup, with a separate NFS server which provides automounted home directories.
> >
> > This works pretty well, except when I try to access a mounted user's directory as Root.
> >
> > Unless the directory is exported as globally readable, I can't get access as root.
>
> What are your export options? Did you enable no_root_squash?
>
> -ben
>
> --
> | Ben Eisenbraun          | Software Sysadmin      |
> | Structural Biology Grid | http://sbgrid.org      |
> | Harvard Medical School  | http://hms.harvard.edu |
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

From: David.Christensen at viveli.com (David Christensen)
Date: Mon, 28 Sep 2009 16:11:35 -0500
Subject: [Freeipa-users] Slave Replication
Message-ID: <4AC12687.3090706@viveli.com>

Since FreeIPA uses FDS for LDAP, there is a limit of four masters in a replication configuration. Is there a documented method for configuring master/slave replication?

I want to setup 4 masters in different data centers, and then have slaves in other locations to keep lookups local when needed.

Any help would be appreciated.

Thanks,
David
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 28 Sep 2009 17:46:53 -0400
Subject: [Freeipa-users] Slave Replication
In-Reply-To: <4AC12687.3090706@viveli.com>
References: <4AC12687.3090706@viveli.com>
Message-ID: <4AC12ECD.6030402@redhat.com>

David Christensen wrote:
> Since FreeIPA uses FDS for LDAP, there is a limit of four masters in a replication configuration. Is there a documented method for configuring master/slave replication?
>
> I want to setup 4 masters in different data centers, and then have slaves in other locations to keep lookups local when needed.
>
> Any help would be appreciated.

The limit of 4 masters is more a "this is all 389 has certified/tested" limitation. It may be able to support more but it hasn't been thoroughly tested.

We don't currently support read-only replicas. It isn't a technical limitation; as you point out, DS supports it just fine, a tool just hasn't been written. It really opens the world up to some nasty looking network diagrams so we want to think carefully about what we're doing before we enable it.

rob
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 28 Sep 2009 16:48:12 -0600
Subject: [Freeipa-users] Slave Replication
In-Reply-To: <4AC12ECD.6030402@redhat.com>
References: <4AC12687.3090706@viveli.com> <4AC12ECD.6030402@redhat.com>
Message-ID: <4AC13D2C.8000602@redhat.com>

Rob Crittenden wrote:
> David Christensen wrote:
>> Since FreeIPA uses FDS for LDAP, there is a limit of four masters in a replication configuration. Is there a documented method for configuring master/slave replication?
>>
>> I want to setup 4 masters in different data centers, and then have slaves in other locations to keep lookups local when needed.
>>
>> Any help would be appreciated.
>
> The limit of 4 masters is more a "this is all 389 has certified/tested" limitation. It may be able to support more but it hasn't been thoroughly tested.

There is no real technical limit - 389 will support up to 65534 masters. Since there is no real "support" for 389, the limit "support for 4 masters" does not apply to 389.

> We don't currently support read-only replicas. It isn't a technical limitation, as you point out DS supports it just fine, a tool just hasn't been written. It really opens the world up to some nasty looking network diagrams so we want to think carefully about what we're doing before we enable it.
>
> rob
From: David.Christensen at viveli.com (David Christensen)
Date: Wed, 30 Sep 2009 14:09:51 -0500
Subject: [Freeipa-users] ipa-replica install failing
Message-ID: <4AC3ACFF.9070006@viveli.com>

When I installed my first ipa server I used the self signed ssl cert and soon followed up with a replica. Shortly after installing the replica I attempted to import a wild card CA signed cert and ran into an issue.

I discovered (thanks to the helpful folks on the FreeIPA irc) that a regex in /usr/lib/python2.5/site-packages/ipaserver/certs.py for root_nickname was bad. I modified

    root_nickname = re.match('\ *"(.*)".*', chain[0]).groups()[0]

to

    re.match('\ *"(.*)" \[.*', chain[0]).groups()[0]

and was able to import the cert.

I had to do the same thing to the replica and replication continued.

Now I am trying to create a 3rd replica and have run into what I think is a similar issue. I can export the replica package from the "master" ipa server using the pk12 options, however the replica install fails.

I ran the debug on the replica install and this is where the install fails:

root : INFO creation of replica failed: Could not find a CA cert in /tmp/tmplO4Bp3ipa/realm_info/dscert.p12
root : DEBUG Could not find a CA cert in /tmp/tmplO4Bp3ipa/realm_info/dscert.p12
  File "/usr/sbin/ipa-replica-install", line 294, in
    main()

  File "/usr/sbin/ipa-replica-install", line 244, in main
    ds = install_ds(config)

  File "/usr/sbin/ipa-replica-install", line 115, in install_ds
    ds.create_instance(config.ds_user, config.realm_name, config.host_name, config.domain_name, config.dirman_password, pkcs12_info)

  File "/usr/lib/python2.5/site-packages/ipaserver/dsinstance.py", line 193, in create_instance
    self.start_creation("Configuring directory server:")

  File "/usr/lib/python2.5/site-packages/ipaserver/service.py", line 139, in start_creation
    method()

  File "/usr/lib/python2.5/site-packages/ipaserver/dsinstance.py", line 345, in __enable_ssl
    ca.create_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1])

  File "/usr/lib/python2.5/site-packages/ipaserver/certs.py", line 472, in create_from_pkcs12
    raise RuntimeError("Could not find a CA cert in %s" % pkcs12_fname)

Your system may be partly configured.

Is this issue similar to what I experienced with the ssl cert import or is it something entirely different?

David
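A worked example of the nickname-parsing bug David describes, added here as an illustration; it is not code from the thread or from FreeIPA itself. It runs the original greedy pattern and David's corrected pattern over a constructed certutil -O chain listing whose subject contains quoted RDN values (NSS quotes an organisation name that contains a comma), which is exactly the kind of line on which the greedy pattern captures far past the nickname. The parse_chain helper is an assumed, stricter parser of the same listing and is not part of certs.py.

```python
import re

# Constructed sample of the chain listing that "certutil -O -n <nick>" prints
# (one certificate per line, nickname in double quotes, subject in square
# brackets, the leaf indented under its issuer).  The organisation value
# contains a comma, so NSS quotes it, which puts extra double quotes on the
# line.  Sample data only, not output captured from a real server.
SAMPLE_CHAIN = [
    '"Example Root CA - G2" [CN=Example Root CA,O="Example, Inc.",C=US]',
    '',
    '  "Server-Cert" [CN=*.example.com,O="Example, Inc.",C=US]',
]

# Pattern the thread says was in ipaserver/certs.py: "(.*)" is greedy, so the
# capture runs to the LAST double quote on the line.
ORIGINAL_RE = re.compile(r'\ *"(.*)".*')

# David's replacement: the closing quote must be followed by ' [', which pins
# the capture to the nickname/subject boundary.
FIXED_RE = re.compile(r'\ *"(.*)" \[.*')


def root_nickname(chain_lines, pattern=FIXED_RE):
    """Nickname of the first (root) certificate in a certutil -O listing."""
    m = pattern.match(chain_lines[0])
    if m is None:
        raise RuntimeError("unexpected certutil -O output: %r" % chain_lines[0])
    return m.group(1)


def parse_chain(chain_lines):
    """Assumed stricter parser (not part of certs.py): every non-blank line
    becomes a (depth, nickname, subject) tuple, depth 0 being the root.
    Any line that does not look like '"nick" [subject]' is rejected outright
    instead of yielding a half-parsed nickname."""
    line_re = re.compile(r'^( *)"(.*?)" \[(.*)\]$')
    chain = []
    for line in chain_lines:
        if not line.strip():
            continue
        m = line_re.match(line)
        if m is None:
            raise RuntimeError("unexpected certutil -O output: %r" % line)
        indent, nick, subject = m.groups()
        chain.append((len(indent) // 2, nick, subject))
    return chain


if __name__ == "__main__":
    print("greedy pattern :", root_nickname(SAMPLE_CHAIN, ORIGINAL_RE))
    print("fixed pattern  :", root_nickname(SAMPLE_CHAIN, FIXED_RE))
    for depth, nick, subject in parse_chain(SAMPLE_CHAIN):
        print("  " * depth + nick, "->", subject)
```

With the greedy pattern the "nickname" returned for the sample is the whole stretch up to the last quote in the subject, so the later certutil lookup by that nickname fails; the anchored pattern returns just the nickname. The same greedy-versus-anchored distinction applies to any regex that scrapes tool output in which the field you want is followed by free text that may itself contain the delimiter.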
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 30 Sep 2009 16:25:14 -0400
Subject: [Freeipa-users] ipa-replica install failing
In-Reply-To: <4AC3ACFF.9070006@viveli.com>
References: <4AC3ACFF.9070006@viveli.com>
Message-ID: <4AC3BEAA.7020204@redhat.com>

David Christensen wrote:
> When I installed my first ipa server I used the self signed ssl cert and soon followed up with a replica. Shortly after installing the replica I attempted to import a wild card CA signed cert and ran into an issue.
>
> I discovered (thanks to the helpful folks on the FreeIPA irc) that a regex in /usr/lib/python2.5/site-packages/ipaserver/certs.py for root_nickname was bad. I modified
>
>     root_nickname = re.match('\ *"(.*)".*', chain[0]).groups()[0]
>
> to
>
>     re.match('\ *"(.*)" \[.*', chain[0]).groups()[0]
>
> and was able to import the cert.
>
> I had to do the same thing to the replica and replication continued.
>
> Now I am trying to create a 3rd replica and have run into what I think is a similar issue. I can export the replica package from the "master" ipa server using the pk12 options, however the replica install fails.
>
> I ran the debug on the replica install and this is where the install fails:
>
> root : INFO creation of replica failed: Could not find a CA cert in /tmp/tmplO4Bp3ipa/realm_info/dscert.p12
> root : DEBUG Could not find a CA cert in /tmp/tmplO4Bp3ipa/realm_info/dscert.p12
>   File "/usr/sbin/ipa-replica-install", line 294, in
>     main()
>
>   File "/usr/sbin/ipa-replica-install", line 244, in main
>     ds = install_ds(config)
>
>   File "/usr/sbin/ipa-replica-install", line 115, in install_ds
>     ds.create_instance(config.ds_user, config.realm_name, config.host_name, config.domain_name, config.dirman_password, pkcs12_info)
>
>   File "/usr/lib/python2.5/site-packages/ipaserver/dsinstance.py", line 193, in create_instance
>     self.start_creation("Configuring directory server:")
>
>   File "/usr/lib/python2.5/site-packages/ipaserver/service.py", line 139, in start_creation
>     method()
>
>   File "/usr/lib/python2.5/site-packages/ipaserver/dsinstance.py", line 345, in __enable_ssl
>     ca.create_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1])
>
>   File "/usr/lib/python2.5/site-packages/ipaserver/certs.py", line 472, in create_from_pkcs12
>     raise RuntimeError("Could not find a CA cert in %s" % pkcs12_fname)
>
> Your system may be partly configured.
>
> Is this issue similar to what I experienced with the ssl cert import or is it something entirely different?
>
> David

Are you running latest 1.2.2 FreeIPA on the server?
Some of the cert issues were addressed in the recently published patch.
The issue that you see should be addressed by these patches.

--
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
From: David.Christensen at viveli.com (David Christensen)
Date: Wed, 30 Sep 2009 15:58:35 -0500
Subject: [Freeipa-users] ipa-replica install failing
In-Reply-To: <4AC3BEAA.7020204@redhat.com>
References: <4AC3ACFF.9070006@viveli.com> <4AC3BEAA.7020204@redhat.com>
Message-ID: <4AC3C67B.4030403@viveli.com>

Dmitri Pal wrote:
> Are you running latest 1.2.2 FreeIPA on the server?
> Some of the cert issues were addressed in the recently published patch.
> The issue that you see should be addressed by these patches.

I am running 1.2.1-2 on FC10 from the repos. So it looks like I am not running the latest. Must have missed the patches. Are there any release notes, and where do I need to grab them?

David
From: David.Christensen at viveli.com (David Christensen)
Date: Wed, 30 Sep 2009 16:05:11 -0500
Subject: [Freeipa-users] ipa-replica install failing
In-Reply-To: <4AC3BEAA.7020204@redhat.com>
References: <4AC3ACFF.9070006@viveli.com> <4AC3BEAA.7020204@redhat.com>
Message-ID: <4AC3C807.5040702@viveli.com>

Dmitri Pal wrote:
> Are you running latest 1.2.2 FreeIPA on the server?
> Some of the cert issues were addressed in the recently published patch.
> The issue that you see should be addressed by these patches.

Never mind the request for the updates, I see they are in the repo now, must have missed them.

Thanks for pointing it out nonetheless.

David
From: David.Christensen at viveli.com (David Christensen)
Date: Wed, 30 Sep 2009 17:15:08 -0500
Subject: [Freeipa-users] ipa-replica install failing
In-Reply-To: <4AC3C807.5040702@viveli.com>
References: <4AC3ACFF.9070006@viveli.com> <4AC3BEAA.7020204@redhat.com> <4AC3C807.5040702@viveli.com>
Message-ID: <4AC3D86C.9030807@viveli.com>

David Christensen wrote:
> Dmitri Pal wrote:
>> Are you running latest 1.2.2 FreeIPA on the server?
>> Some of the cert issues were addressed in the recently published patch.
>> The issue that you see should be addressed by these patches.
>
> Never mind the request for the updates, I see they are in the repo now, must have missed them.
>
> Thanks for pointing it out nonetheless.
>
> David

Dmitri,

After upgrading to 1.2.2 and redoing the ipa-replication packaging, I got the same error.

David