From dpal at redhat.com Tue Nov 1 01:37:20 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 31 Oct 2011 21:37:20 -0400
Subject: [Freeipa-users] Youtube
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E4045839049@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E4045839049@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4EAF4D50.4030007@redhat.com>

On 10/31/2011 03:25 PM, Steven Jones wrote:
> Hi,
>
> Looking for info on freeIPA I came across Simo's talk from 2009.....it's a good technical talk but not suitable for managers.....
>
> http://www.youtube.com/watch?v=7rljVIVHT6o
>
> Any chance of some not too technical "howto" pieces on how things are done? Even simple things like creating users, adding them to groups and then the BACLs to a server group is really good as it shows off IPA's capability...good intro as well as it demos stuff for admins who have never seen it.
>
> I can then also demo such things to my Windows orientated managers if they ask about various aspects of IPA......

This is a great idea but we are so head down coding that we do not have time to put together a public training session.
I will take a note and try to do it myself but this route will be slow.

Can anyone help? Please... Really!

> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From dpal at redhat.com Tue Nov 1 01:49:23 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 31 Oct 2011 21:49:23 -0400
Subject: [Freeipa-users] Overall Design of Policy Related Components
In-Reply-To: <1320096004.2019.27.camel@ratbert.evn.harris.com>
References: <1320096004.2019.27.camel@ratbert.evn.harris.com>
Message-ID: <4EAF5023.10102@redhat.com>

On 10/31/2011 05:20 PM, Rodney Mercer wrote:
> We have previously developed Solaris RBAC authorization within our
> application to validate users and roles to our application's internal
> commanding capability using the definitions that populate the name
> service switch maps.
>
> I have been searching for a method for implementing similar capability
> using RHEL and had found promise with the following proposed
> documentation for IPAv2:
> http://freeipa.org/page/Overall_Design_of_Policy_Related_Components#Adding_Support_for_New_applications
>
>
> However backing up within the documentation, I see that this Policy
> Related Component capability is being deferred.
> http://www.freeipa.org/page/IPAv2_development_status
>
> Is there a defined timeline when the Policy Related Components support
> for New applications will move forward and be adopted for a RHEL6 update
> release?

We decided to back away from trying to provide central RBAC. Our experience with multiple projects revealed that there is no one-size-fits-all solution regarding RBAC. But we were talking about a general role-based access control model, not the specific RBAC as Solaris implemented it. The Solaris RBAC is similar to sudo and HBAC combined together. Both features are managed by IPA.
We also have SELinux policies on Linux that can constrain root access. The user SELinux roles management is on the roadmap but HBAC + SUDO should give you the equivalent if not more functionality than Solaris RBAC.
http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/index.html

Or you can use RHEL6.2 beta and see the docs about SUDO and HBAC there.

> Thanks and regards,
> Rodney.
>

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From Steven.Jones at vuw.ac.nz Tue Nov 1 02:30:24 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 1 Nov 2011 02:30:24 +0000
Subject: [Freeipa-users] What is the approx release time frame for freeIPA v3?
Message-ID: <833D8E48405E064EBC54C84EC6B36E404584424C@STAWINCOX10MBX1.staff.vuw.ac.nz>

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

From sigbjorn at nixtra.com Tue Nov 1 08:09:02 2011
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Tue, 1 Nov 2011 09:09:02 +0100 (CET)
Subject: [Freeipa-users] Overall Design of Policy Related Components
In-Reply-To: <4EAF5023.10102@redhat.com>
References: <1320096004.2019.27.camel@ratbert.evn.harris.com> <4EAF5023.10102@redhat.com>
Message-ID: <27364.213.225.75.97.1320134942.squirrel@www.nixtra.com>

> We decided to back away from trying to provide central RBAC. Our
> experience with multiple projects revealed that there is no one size fits all solution regarding
> RBAC. But we were talking about general Role
> base access control model not specific RBAC as Solaris implemented it. The Solaris RBAC is similar
> to sudo and HBAC combined together. Both features are managed by IPA. We also have SELinux policies
> on Linux that can constrain the root access. The user SELinux roles management is on the roadmap
> but HBAC + SUDO should give you the equivalent if not more functionality than
> Solaris RBAC.

It's a false statement that Solaris RBAC is like sudo and HBAC combined.
There are so many more options in the Solaris RBAC when it comes to things such as limiting/granting cpu/memory resources, OS privileges, based on a group, a project, a user, a service, etc. Besides, RBAC comes with Solaris, sudo needs to be installed. And as I understand it, SSSD is required to be installed on Solaris to implement the HBAC rules from IPA?

Rgds,
Siggi

From rmercer at harris.com Tue Nov 1 17:04:19 2011
From: rmercer at harris.com (Rodney Mercer)
Date: Tue, 1 Nov 2011 13:04:19 -0400
Subject: [Freeipa-users] Freeipa-users] Overall Design of Policy Related Components
Message-ID: <1320167059.2336.47.camel@ratbert.evn.harris.com>

On Tue, 2011-11-01 at 12:00 -0400, freeipa-users-request at redhat.com wrote:
> On 10/31/2011 05:20 PM, Rodney Mercer wrote:
> > We have previously developed Solaris RBAC authorization within our
> > application to validate users and roles to our application's
> > internal
> > commanding capability using the definitions that populate the name
> > service switch maps.
> >
> > I have been searching for a method for implementing similar
> > capability
> > using RHEL and had found promise with the following proposed
> > documentation for IPAv2:
> We decided to back away from trying to provide central RBAC. Our
> experience with multiple projects revealed that there is no one size
> fits all solution regarding RBAC. But we were talking about general Role
> base access control model not specific RBAC as Solaris implemented it.
> The Solaris RBAC is similar to sudo and HBAC combined together. Both
> features are managed by IPA.
> We also have SELinux policies on Linux that can constrain the root
> access. The user SELinux roles management is on the roadmap but HBAC +
> SUDO should give you the equivalent if not more functionality than
> Solaris RBAC.
> http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/index.html
>
> Or you can use RHEL6.2 beta and see the docs about SUDO and HBAC
> there.
The RBAC structure that I speak of is contained within our application.
Being able to have IPA clients request the XML blob of role mappings to internal application commanding authorizations is what I was looking for.

Is it possible to create IPA Roles that mean nothing to IPA yet our independent application could query and use them with its internal security mechanisms?

Could extending the dirsrv schema to include attributes to be accessed for the security of the independent application be created to work in conjunction with these custom defined roles?

Having the IPA Server available to all hosts that run the application is what we desire. We use *_attr Name Service Switch maps to access these roles and attributes from our Solaris implementation.

Unless I am mistaken, HBAC might give us options as to who may run our applications on particular hosts, but it would not help in defining who could run the internal application directives that we seek to map to users' roles.
Sudo doesn't help for the internal commanding our application desires to control.

Thanks for any ideas you can lend.

Regards,
Rodney.

-- 
Rodney Mercer
Systems Administrator

From ayoung at redhat.com Tue Nov 1 18:31:36 2011
From: ayoung at redhat.com (Adam Young)
Date: Tue, 01 Nov 2011 14:31:36 -0400
Subject: [Freeipa-users] Freeipa-users] Overall Design of Policy Related Components
In-Reply-To: <1320167059.2336.47.camel@ratbert.evn.harris.com>
References: <1320167059.2336.47.camel@ratbert.evn.harris.com>
Message-ID: <4EB03B08.6000802@redhat.com>

On 11/01/2011 01:04 PM, Rodney Mercer wrote:
> The RBAC structure that I speak of is contained within our application.
> Being able to have IPA clients request the XML blob of role mappings to
> internal application commanding authorizations is what I was looking
> for.
>
> Is it possible to create IPA Roles that mean nothing to IPA yet our
> independent application could query and use them with its internal
> security mechanisms?

Yes it is possible. The role mechanism does not have to have any permissions or privileges assigned to it, and they will show up as "member of" relations in an LDAP query.

>
> Could extending the dirsrv schema to include attributes to be accessed
> for the security of the independent application be created to work in
> conjunction with these custom defined roles?
>
> Having the IPA Server available to all hosts that run the application is
> what we desire. We use *_attr Name Service Switch maps to access these
> roles and attributes from our Solaris implementation.
>
> Unless I am mistaken, HBAC might give us options as to whom may run our
> applications on particular hosts, but it would not help in defining who
> could run the internal application directives that we seek to map to
> users roles.
> Sudo doesn't help for the internal commanding our application desires to
> control.
>
> Thanks for any ideas you can lend.
>
> Regards,
> Rodney.
>

From simo at redhat.com Tue Nov 1 18:33:54 2011
From: simo at redhat.com (Simo Sorce)
Date: Tue, 01 Nov 2011 14:33:54 -0400
Subject: [Freeipa-users] Freeipa-users] Overall Design of Policy Related Components
In-Reply-To: <4EB03B08.6000802@redhat.com>
References: <1320167059.2336.47.camel@ratbert.evn.harris.com> <4EB03B08.6000802@redhat.com>
Message-ID: <1320172434.7734.284.camel@willson.li.ssimo.org>

On Tue, 2011-11-01 at 14:31 -0400, Adam Young wrote:
> On 11/01/2011 01:04 PM, Rodney Mercer wrote:
> > Is it possible to create IPA Roles that mean nothing to IPA yet our
> > independent application could query and use them with it's internal
> > security mechanisms?
>
> Yes it is possible. The role mechanism does not have to have any
> permissions or privileges assigned to it, and they will show up as
> "member of" relations in an LDAP query.

IIRC only if you are authenticated.

We constrict who can see memberof attributes in some of the subtrees to avoid disclosing what privileges users have unless you are authenticated to the directory.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From Steven.Jones at vuw.ac.nz Tue Nov 1 18:59:32 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 1 Nov 2011 18:59:32 +0000
Subject: [Freeipa-users] problem with replica install
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E40457D651B@STAWINCOX10MBX4.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E40457CDE1F@STAWINCOX10MBX4.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E40457D651B@STAWINCOX10MBX4.staff.vuw.ac.nz>
Message-ID: <833D8E48405E064EBC54C84EC6B36E40458484E6@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

No fix for this?
regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
Sent: Monday, 31 October 2011 1:47 p.m.
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] problem with replica install

Couple of logs I have found.....

regards

Steven Jones

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
Sent: Monday, 31 October 2011 10:03 a.m.
Cc: freeipa-users at redhat.com
Subject: [Freeipa-users] problem with replica install

Hi,

I am getting this failure,

[root at vuwunicoipamt02 ipa]# ipa-replica-install --setup-dns --forwarder=130.195.85.25 --forwarder=130.195.98.151 --no-reverse /var/lib/ipa/replica-info-vuwunicoipamt02.unix.vuw.ac.nz.gpg
Directory Manager (existing master) password:

Run connection check to master
Check connection from replica to remote master 'vuwunicoipamt01.unix.vuw.ac.nz':
Directory Service: Unsecure port (389): OK
Directory Service: Secure port (636): OK
Kerberos KDC: TCP (88): OK
Kerberos KDC: UDP (88): OK
Kerberos Kpasswd: TCP (464): OK
Kerberos Kpasswd: UDP (464): OK
HTTP Server: port 80 (80): OK
HTTP Server: port 443(https) (443): OK

Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
Password for admin at UNIX.VUW.AC.NZ:
Execute check on remote master

Remote master check failed with following error message(s):

Connection check failed!
Please fix your network settings according to error messages above.
If the check results are not valid it can be skipped with --skip-conncheck parameter.
On the first master my firewall ruleset is,

===========8><--------master firewall ruleset--------
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:88
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:389
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:464
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:636
ACCEPT tcp -- 130.195.87.247 0.0.0.0/0 tcp dpt:9443
ACCEPT tcp -- 130.195.87.247 0.0.0.0/0 tcp dpt:9444
ACCEPT tcp -- 130.195.87.247 0.0.0.0/0 tcp dpt:9445
ACCEPT tcp -- 130.195.87.247 0.0.0.0/0 tcp dpt:7389
ACCEPT tcp -- 130.195.87.248 0.0.0.0/0 tcp dpt:9443
ACCEPT tcp -- 130.195.87.248 0.0.0.0/0 tcp dpt:9444
ACCEPT tcp -- 130.195.87.248 0.0.0.0/0 tcp dpt:9445
ACCEPT tcp -- 130.195.87.248 0.0.0.0/0 tcp dpt:7389
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:88
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:123
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:464
==========8><------

Can't see what else I have missed......

regards

Steven Jones

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
Sent: Monday, 31 October 2011 8:21 a.m.
To: Simo Sorce
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Unique world wide UIDS

Hi,

Yeah I kind of wondered after ipv4 being so well known that "we" only went to 32bit...

regards

Steven Jones

________________________________________
From: Simo Sorce [simo at redhat.com]
Sent: Monday, 31 October 2011 3:41 a.m.
To: Steven Jones
Cc: Rob Crittenden; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Unique world wide UIDS

I would rather lobby the Linux kernel people to give me 128bit IDs
That would solve all problems, as the chance of collision in a carefully randomly selected 90something bit prefix are basically none.

Simo.

On Thu, 2011-10-27 at 20:40 +0000, Steven Jones wrote:
> Yes I can appreciate that, we have done the same thing im '500'...
>
> oops....
>
> As an educational setup we are looking to federate worldwide, that
> means Shibboleth or similar....a unique UID per academic world wide
> might be worthwhile....there won't be 2billion
> academics...students...well I guess that would one day be a "ipv4"
> problem.
>
> Steven Jones
>
> ________________________________________
> From: Rob Crittenden [rcritten at redhat.com]
> Sent: Friday, 28 October 2011 9:34 a.m.
> To: Steven Jones
> Cc: Adam Young; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Unique world wide UIDS
>
> Steven Jones wrote:
> > Hi,
> >
> > Well if you understand Peak Oil and that the "green revolution" was
> > actually turning fossil fuel into food ie we eat oil....only having
> > 2billion UIDs won't be a problem.
> >
> > :/
>
> Many, many organizations start with the same uid base, 500 or 1000.
> When
> company A buys company B there are tons and tons of uid collisions. If
> each started at a random start point then the chances of collision,
> while not zero, are much lower.
>
> Our goal wasn't to guarantee uniqueness in the universe, just to make
> integration hopefully easier in the future when namespaces are merged.
>
> rob
>

-- 
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

From rcritten at redhat.com Tue Nov 1 19:12:27 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 01 Nov 2011 15:12:27 -0400
Subject: [Freeipa-users] Freeipa-users] Overall Design of Policy Related Components
In-Reply-To: <1320172434.7734.284.camel@willson.li.ssimo.org>
References: <1320167059.2336.47.camel@ratbert.evn.harris.com> <4EB03B08.6000802@redhat.com> <1320172434.7734.284.camel@willson.li.ssimo.org>
Message-ID: <4EB0449B.8030901@redhat.com>

Simo Sorce wrote:
> On Tue, 2011-11-01 at 14:31 -0400, Adam Young wrote:
>> On 11/01/2011 01:04 PM, Rodney Mercer wrote:
>>> Is it possible to create IPA Roles that mean nothing to IPA yet our
>>> independent application could query and use them with it's internal
>>> security mechanisms?
>>
>> Yes it is possible. The role mechanism does not have to have any
>> permissions or privileges assigned to it, and they will show up as
>> "member of" relations in an LDAP query.
>
> IIRC only if you are authenticated.
>
> We constrict who can see memberof attributes in some of the subtrees to
> avoid disclosing what privileges users have unless you are authenticated
> to the directory.
>
> Simo.
>

And you'd have to update the set of objectclasses. You might also have problems managing role entries that have changed in this way.

You would probably be better off creating your own framework plugin to manage this type of object and put them into a new place in the LDAP tree.
rob

From rcritten at redhat.com Tue Nov 1 19:15:19 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 01 Nov 2011 15:15:19 -0400
Subject: [Freeipa-users] problem with replica install
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E40458484E6@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E40457CDE1F@STAWINCOX10MBX4.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E40457D651B@STAWINCOX10MBX4.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E40458484E6@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4EB04547.2020009@redhat.com>

Steven Jones wrote:
> Hi,
>
> No fix for this?

Are both running the same version of IPA? Does ipa-replica-conncheck exist on the master?

What this does is on the replica it checks to be sure it can talk to the master. Then it starts listeners on a bunch of ports and tries to log into the master to see if it can talk to them. This second step is what is failing, it doesn't seem to be doing anything on the master at all.

rob
From Steven.Jones at vuw.ac.nz Tue Nov 1 20:18:57 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 1 Nov 2011 20:18:57 +0000
Subject: [Freeipa-users] problem with replica install
In-Reply-To: <4EB04547.2020009@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E40457CDE1F@STAWINCOX10MBX4.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E40457D651B@STAWINCOX10MBX4.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E40458484E6@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4EB04547.2020009@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404584854E@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

Yes both the same rhel6.2beta.....did a yum -y ipa-replica-conncheck and there is no such package.

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272
Then it starts listeners on a bunch of ports and tries to log into the master to see if it can talk to them. This second step is what is failing, it doesn't seem to be doing anything on the master at all.

rob

>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> ________________________________________
> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
> Sent: Monday, 31 October 2011 1:47 p.m.
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] problem with replica install
>
> Couple of logs I have found.....
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> ________________________________________
> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
> Sent: Monday, 31 October 2011 10:03 a.m.
> Cc: freeipa-users at redhat.com
> Subject: [Freeipa-users] problem with replica install
>
> Hi,
>
> I am getting this failure,
>
> [root at vuwunicoipamt02 ipa]# ipa-replica-install --setup-dns --forwarder=130.195.85.25 --forwarder=130.195.98.151 --no-reverse /var/lib/ipa/replica-info-vuwunicoipamt02.unix.vuw.ac.nz.gpg
> Directory Manager (existing master) password:
>
> Run connection check to master
> Check connection from replica to remote master 'vuwunicoipamt01.unix.vuw.ac.nz':
> Directory Service: Unsecure port (389): OK
> Directory Service: Secure port (636): OK
> Kerberos KDC: TCP (88): OK
> Kerberos KDC: UDP (88): OK
> Kerberos Kpasswd: TCP (464): OK
> Kerberos Kpasswd: UDP (464): OK
> HTTP Server: port 80 (80): OK
> HTTP Server: port 443(https) (443): OK
>
> Connection from replica to master is OK.
> Start listening on required ports for remote master check
> Get credentials to log in to remote master
> Password for admin at UNIX.VUW.AC.NZ:
> Execute check on remote master
>
> Remote master check failed with following error message(s):
>
> Connection check failed!
> Please fix your network settings according to error messages above.
> If the check results are not valid it can be skipped with --skip-conncheck parameter.
>
> On the first master my firewall ruleset is,
>
>
> ===========8><--------master firewall ruleset--------
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:88
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:389
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:464
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:636
> ACCEPT tcp -- 130.195.87.247 0.0.0.0/0 tcp dpt:9443
> ACCEPT tcp -- 130.195.87.247 0.0.0.0/0 tcp dpt:9444
> ACCEPT tcp -- 130.195.87.247 0.0.0.0/0 tcp dpt:9445
> ACCEPT tcp -- 130.195.87.247 0.0.0.0/0 tcp dpt:7389
> ACCEPT tcp -- 130.195.87.248 0.0.0.0/0 tcp dpt:9443
> ACCEPT tcp -- 130.195.87.248 0.0.0.0/0 tcp dpt:9444
> ACCEPT tcp -- 130.195.87.248 0.0.0.0/0 tcp dpt:9445
> ACCEPT tcp -- 130.195.87.248 0.0.0.0/0 tcp dpt:7389
> ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
> ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:88
> ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:123
> ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:464
> ==========8><------
>
> Cant see what else I have missed......
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> ________________________________________
> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
> Sent: Monday, 31 October 2011 8:21 a.m.
> To: Simo Sorce
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Unique world wide UIDS
>
> Hi,
>
> Yeah I kind of wondered after ipv4 being so well known that "we" only went to 32bit...
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> ________________________________________
> From: Simo Sorce [simo at redhat.com]
> Sent: Monday, 31 October 2011 3:41 a.m.
> To: Steven Jones
> Cc: Rob Crittenden; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Unique world wide UIDS
>
> I would rather lobby the Linux kernel people to give me 128bit IDs
> That would solve all problems, as the chance of collision in a carefully
> randomly selected 90something bit prefix are basically none.
>
> Simo.
>
> On Thu, 2011-10-27 at 20:40 +0000, Steven Jones wrote:
>> Yes I can appreciate that, we have done the same thing im '500'...
>>
>> oops....
>>
>> As an educational setup we are looking to federate worldwide, that
>> means Shibboleth or similar....a unique UID per academic world wide
>> might be worthwhile....there wont be 2billion
>> academics...students...well i guess that would one day be a "ipv4"
>> problem.
>>
>> Steven Jones
>>
>> Technical Specialist - Linux RHCE
>>
>> Victoria University, Wellington, NZ
>>
>> 0064 4 463 6272
>>
>> ________________________________________
>> From: Rob Crittenden [rcritten at redhat.com]
>> Sent: Friday, 28 October 2011 9:34 a.m.
>> To: Steven Jones
>> Cc: Adam Young; freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] Unique world wide UIDS
>>
>> Steven Jones wrote:
>>> Hi,
>>>
>>> Well if you understand Peak Oil and that the "green revolution" was
>>> actually turning fossil fuel into food ie we eat oil....only having
>>> 2billion UIDs wont be a problem.
>>>
>>> :/
>>
>> Many, many organizations start with the same uid base, 500 or 1000.
>> When company A buys company B there are tons and tons of uid collisions.
>> If each started at a random start point then the chances of collision,
>> while not zero, are much lower.
>>
>> Our goal wasn't to guarantee uniqueness in the universe, just to make
>> integration hopefully easier in the future when namespaces are merged.
>>
>> rob
>>
>
> --
> Simo Sorce * Red Hat, Inc * New York
>

From rcritten at redhat.com Tue Nov 1 21:01:12 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 01 Nov 2011 17:01:12 -0400
Subject: [Freeipa-users] problem with replica install
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404584854E@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E40457CDE1F@STAWINCOX10MBX4.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E40457D651B@STAWINCOX10MBX4.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E40458484E6@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4EB04547.2020009@redhat.com> <833D8E48405E064EBC54C84EC6B36E404584854E@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4EB05E18.1000005@redhat.com>

Steven Jones wrote:
> Hi,
>
> Yes both the same rhel6.2beta.....did a yum -y ipa-replica-conncheck and there is no such package.
>

It isn't a package, it is a binary in /usr/sbin. You can always try --skip-conncheck and see if it installs anyway.
rob

From dpal at redhat.com Wed Nov 2 00:50:13 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Tue, 01 Nov 2011 20:50:13 -0400
Subject: [Freeipa-users] Overall Design of Policy Related Components
In-Reply-To: <27364.213.225.75.97.1320134942.squirrel@www.nixtra.com>
References: <1320096004.2019.27.camel@ratbert.evn.harris.com> <4EAF5023.10102@redhat.com> <27364.213.225.75.97.1320134942.squirrel@www.nixtra.com>
Message-ID: <4EB093C5.6030803@redhat.com>

On 11/01/2011 04:09 AM, Sigbjorn Lie wrote:
>> We decided to back away from trying to provide central RBAC. Our
>> experience with multiple projects revealed that there is no one size fits all solution regarding
>> RBAC. But we were talking about a general Role
>> based access control model not specific RBAC as Solaris implemented it. The Solaris RBAC is similar
>> to sudo and HBAC combined together. Both features are managed by IPA. We also have SELinux policies
>> on Linux that can constrain the root access. The user SELinux roles management is on the roadmap
>> but HBAC + SUDO should give you the equivalent if not more functionality than
>> Solaris RBAC.
>
>
> It's a false statement that Solaris RBAC is like sudo and HBAC combined. There are so many more
> options in the Solaris RBAC when it comes to such as limiting/granting cpu/memory resources, OS
> privileges, based on a group, a project, a user, a service, etc.

Sounds a lot like an overlap with SELinux features to me...

> Besides, RBAC comes with Solaris, sudo needs to be installed.

It was not clear if the client is actually on Solaris. I think here we have a different case. Here we are talking about an application that takes advantage of the Solaris RBAC as a policy container.

> And as I understand it, SSSD is required to be installed on Solaris to implement the HBAC rules from
> IPA?
>

Yes but a different pam module can be built to take advantage of HBAC for the platforms that do not support SSSD.
>
> Rgds,
> Siggi
>

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From dpal at redhat.com Wed Nov 2 00:57:05 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Tue, 01 Nov 2011 20:57:05 -0400
Subject: [Freeipa-users] Freeipa-users] Overall Design of Policy Related Components
In-Reply-To: <1320167059.2336.47.camel@ratbert.evn.harris.com>
References: <1320167059.2336.47.camel@ratbert.evn.harris.com>
Message-ID: <4EB09561.30708@redhat.com>

On 11/01/2011 01:04 PM, Rodney Mercer wrote:
> On Tue, 2011-11-01 at 12:00 -0400, freeipa-users-request at redhat.com
> wrote:
>> On 10/31/2011 05:20 PM, Rodney Mercer wrote:
>>> We have previously developed Solaris RBAC authorization within our
>>> application to validate users and roles to our application's
>>> internal
>>> commanding capability using the definitions that populate the name
>>> service switch maps.
>>>
>>> I have been searching for a method for implementing similar
>>> capability
>>> using RHEL and had found promise with the following proposed
>>> documentation for IPAv2:
>> We decided to back away from trying to provide central RBAC. Our
>> experience with multiple projects revealed that there is no one size
>> fits all solution regarding RBAC. But we were talking about a general Role
>> based access control model not specific RBAC as Solaris implemented it.
>> The Solaris RBAC is similar to sudo and HBAC combined together. Both
>> features are managed by IPA.
>> We also have SELinux policies on Linux that can constrain the root
>> access. The user SELinux roles management is on the roadmap but HBAC +
>> SUDO should give you the equivalent if not more functionality than
>> Solaris RBAC.
>> http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/index.html
>>
>> Or you can use RHEL6.2 beta and see the docs about SUDO and HBAC
>> there.
> The RBAC structure that I speak of is contained within our application.
> Being able to have IPA clients request the XML blob of role mappings to
> internal application commanding authorizations is what I was looking
> for.
>
> Is it possible to create IPA Roles that mean nothing to IPA yet our
> independent application could query and use them with its internal
> security mechanisms?
>
> Could extending the dirsrv schema to include attributes to be accessed
> for the security of the independent application be created to work in
> conjunction with these custom defined roles?
>
> Having the IPA Server available to all hosts that run the application is
> what we desire. We use *_attr Name Service Switch maps to access these
> roles and attributes from our Solaris implementation.
>
> Unless I am mistaken, HBAC might give us options as to whom may run our
> applications on particular hosts, but it would not help in defining who
> could run the internal application directives that we seek to map to
> users roles.
> Sudo doesn't help for the internal commanding our application desires to
> control.
>
> Thanks for any ideas you can lend.
>
> Regards,
> Rodney.
>

Rodney,

I have read other responses too but reply to your clarification. It now makes more sense.

I think that the best approach would be to store this data in a special part of the tree and develop plugins to manage it.
Would you be interested in investing in such an effort?
If so I would go dig up some of the designs and ideas and share them with you and everybody else. I think they were abandoned before shaping up well enough to have a discussion on the list.
I think we proposed some schema for storing Roles and related XML blobs.
We are also working on the extensibility guide so it will be a perfect opportunity to test it out.

What do you think?
--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From dpal at redhat.com Wed Nov 2 00:58:59 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Tue, 01 Nov 2011 20:58:59 -0400
Subject: [Freeipa-users] What is the approx release time frame for freeIPA v3?
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404584424C@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404584424C@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4EB095D3.2080104@redhat.com>

On 10/31/2011 10:30 PM, Steven Jones wrote:
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
>

We will try to have a beta before Christmas. It will be rough. We will then do the stabilization for a couple of months so I would say some time in March.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From i.am.stack at gmail.com Wed Nov 2 12:14:19 2011
From: i.am.stack at gmail.com (~Stack~)
Date: Wed, 02 Nov 2011 07:14:19 -0500
Subject: [Freeipa-users] Scientific Linux 6.1 client issues
In-Reply-To: <4EA9B5F5.8050109@redhat.com>
References: <4EA9B5F5.8050109@redhat.com>
Message-ID: <4EB1341B.4090800@gmail.com>

On 10/27/2011 02:50 PM, Rob Crittenden wrote:
> Building 2.1.3 from source is going to require the same set of
> dependencies as building from the src.rpm. Note though that upstream
> development of freeipa is done in Fedora, not RHEL.

I gave compiling it from the src.rpm a try.
I was OK compiling all the dependencies that were directly related (and there were a good lot of them), however, by the time I got into compiling other random libraries for gtk3 I gave up and just modified the spec file to allow me to use the libraries I had just compiled. I didn't expect it to work, so I was a bit surprised when it compiled just fine. I was soon let down when I ran into the *exact* same problem. :-/

I can force the clients to join but I can't log into them as a user.

I have reasons for needing to stay with Scientific Linux. Since this was just a because-I-am-interested project I may have to wait till someone far more familiar with the project at Red Hat pushes out updated binaries (which I fully understand may be a while). I am certain to keep an eye on this project because it seems to be a _much_ easier and better way to manage users than the LDAP solution I currently have set up.

Thanks for the help Rob!

~Stack~

From rcritten at redhat.com Wed Nov 2 13:10:02 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 02 Nov 2011 09:10:02 -0400
Subject: [Freeipa-users] Scientific Linux 6.1 client issues
In-Reply-To: <4EB1341B.4090800@gmail.com>
References: <4EA9B5F5.8050109@redhat.com> <4EB1341B.4090800@gmail.com>
Message-ID: <4EB1412A.30301@redhat.com>

~Stack~ wrote:
> On 10/27/2011 02:50 PM, Rob Crittenden wrote:
>> Building 2.1.3 from source is going to require the same set of
>> dependencies as building from the src.rpm. Note though that upstream
>> development of freeipa is done in Fedora, not RHEL.
>
> I gave compiling it from the src.rpm a try. I was OK compiling all the
> dependencies that were directly related (and there were a good lot of
> them), however, by the time I got into compiling other random libraries
> for gtk3 I gave up and just modified the spec file to allow me to use
> the libraries I had just compiled. I didn't expect it to work, so I was
> a bit surprised when it compiled just fine.
> I was soon let down when I
> ran into the *exact* same problem. :-/
>
> I can force the clients to join but I can't log into them as a user.
>
> I have reasons for needing to stay with Scientific Linux. Since this was
> just a because-I-am-interested project I may have to wait till someone
> far more familiar with the project at Red Hat pushes out updated
> binaries (which I fully understand may be a while). I am certain to keep
> an eye on this project because it seems to be a _much_ easier and better
> way to manage users than the LDAP solution I currently have set up.
>
> Thanks for the help Rob!
>
> ~Stack~

Look in /var/log/ipaclient-install.log for more details. We do a lot more logging in 2.1.3.

The original problem was due to how we set up a temporary krb5.conf in order to do enrollment. We discovered (automatically or via the user) the environment then wrote out a krb5.conf that did not include all this data so it was re-discovered, sometimes incorrectly.

The temporary krb5.conf should both be specific to the IPA server and also be included in the client install log.

It might be an interesting exercise to set a one-time password on a host and see if you can enroll successfully using that.

rob

From Steven.Jones at vuw.ac.nz Wed Nov 2 01:12:53 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Wed, 2 Nov 2011 01:12:53 +0000
Subject: [Freeipa-users] What is the approx release time frame for freeIPA v3?
In-Reply-To: <4EB095D3.2080104@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E404584424C@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4EB095D3.2080104@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E4045849843@STAWINCOX10MBX1.staff.vuw.ac.nz>

LOL...

So IPA v4 about May then?

More haste, less speed.....

I have various "AD~Linux" integration companies (all three seem keen) wanting to sell to me quick.....very pushy......I'm sure they will make hay if you drop the ball.....
I much prefer right than fast....but then I'm always the one left cleaning up the mess if it goes wrong....

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Dmitri Pal [dpal at redhat.com]
Sent: Wednesday, 2 November 2011 1:58 p.m.
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] What is the approx release time frame for freeIPA v3?

On 10/31/2011 10:30 PM, Steven Jones wrote:
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
>

We will try to have a beta before Christmas. It will be rough. We will then do the stabilization for a couple of months so I would say some time in March.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From rmercer at harris.com Wed Nov 2 14:26:06 2011
From: rmercer at harris.com (Rodney Mercer)
Date: Wed, 2 Nov 2011 10:26:06 -0400
Subject: [Freeipa-users] Freeipa-users] Overall Design of Policy Related Components
In-Reply-To: <4EB09561.30708@redhat.com>
References: <1320167059.2336.47.camel@ratbert.evn.harris.com> <4EB09561.30708@redhat.com>
Message-ID: <1320243966.2336.84.camel@ratbert.evn.harris.com>

On Tue, 2011-11-01 at 20:57 -0400, Dmitri Pal wrote:
> On 11/01/2011 01:04 PM, Rodney Mercer wrote:
> > On Tue, 2011-11-01 at 12:00 -0400, freeipa-users-request at redhat.com
> > wrote:
> >> On 10/31/2011 05:20 PM, Rodney Mercer wrote:
> >>> We have previously developed Solaris RBAC authorization within our
> >>> application to validate users and roles to our application's
> >>> internal
> >>> commanding capability using the definitions that populate the name
> >>> service switch maps.
> >>>
> >>> I have been searching for a method for implementing similar
> >>> capability
> >>> using RHEL and had found promise with the following proposed
> >>> documentation for IPAv2:
> >> We decided to back away from trying to provide central RBAC. Our
> >> experience with multiple projects revealed that there is no one size
> >> fits all solution regarding RBAC. But we were talking about a general Role
> >> based access control model not specific RBAC as Solaris implemented it.
> >> The Solaris RBAC is similar to sudo and HBAC combined together. Both
> >> features are managed by IPA.
> >> We also have SELinux policies on Linux that can constrain the root
> >> access. The user SELinux roles management is on the roadmap but HBAC +
> >> SUDO should give you the equivalent if not more functionality than
> >> Solaris RBAC.
> >> http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/index.html
> >>
> >> Or you can use RHEL6.2 beta and see the docs about SUDO and HBAC
> >> there.
> > The RBAC structure that I speak of is contained within our application.
> > Being able to have IPA clients request the XML blob of role mappings to
> > internal application commanding authorizations is what I was looking
> > for.
> >
> > Is it possible to create IPA Roles that mean nothing to IPA yet our
> > independent application could query and use them with its internal
> > security mechanisms?
> >
> > Could extending the dirsrv schema to include attributes to be accessed
> > for the security of the independent application be created to work in
> > conjunction with these custom defined roles?
> >
> > Having the IPA Server available to all hosts that run the application is
> > what we desire. We use *_attr Name Service Switch maps to access these
> > roles and attributes from our Solaris implementation.
> >
> > Unless I am mistaken, HBAC might give us options as to whom may run our
> > applications on particular hosts, but it would not help in defining who
> > could run the internal application directives that we seek to map to
> > users roles.
> > Sudo doesn't help for the internal commanding our application desires to
> > control.
> >
> > Thanks for any ideas you can lend.
> >
> > Regards,
> > Rodney.
> >
>
> Rodney,
>
> I have read other responses too but reply to your clarification. It now
> makes more sense.
>
> I think that the best approach would be to store this data in a special
> part of the tree and develop plugins to manage it.
> Would you be interested in investing in such an effort?
> If so I would go dig up some of the designs and ideas and share them with
> you and everybody else. I think they were abandoned before shaping up
> well enough to have a discussion on the list.
> I think we proposed some schema for storing Roles and related XML blobs.
> We are also working on the extensibility guide so it will be a perfect
> opportunity to test it out.
>
> What do you think?
>

Dmitri,

I have been searching for some time for an elegant solution to our problem of porting this application RBAC configuration to RHEL from the proprietary Solaris platform solution that we currently have.

I think that this is something that would benefit others that currently employ Solaris *_attr NSS maps for roles to migrate to an RHEL IPA solution.

That said, I will need to have our management assign a developer to this effort. I think that is important to them as the requirements to implement application RBAC to our product on RHEL are imminent.

I also think that employing IPA as a solution for our application running on other POSIX operating systems to take advantage of this proposed schema would be advantageous to us and others.

I will respond to you as to resources as soon as I know more.

--
Rodney Mercer
Systems Administrator

From i.am.stack at gmail.com Wed Nov 2 19:44:10 2011
From: i.am.stack at gmail.com (Stack Kororā)
Date: Wed, 2 Nov 2011 14:44:10 -0500
Subject: [Freeipa-users] Scientific Linux 6.1 client issues
In-Reply-To: <4EB1412A.30301@redhat.com>
References: <4EA9B5F5.8050109@redhat.com> <4EB1341B.4090800@gmail.com> <4EB1412A.30301@redhat.com>
Message-ID:

>
> Look in /var/log/ipaclient-install.log for more details. We do a lot more
> logging in 2.1.3.
>
> The original problem was due to how we set up a temporary krb5.conf in
> order to do enrollment. We discovered (automatically or via the user) the
> environment then wrote out a krb5.conf that did not include all this data
> so it was re-discovered, sometimes incorrectly.
>
> The temporary krb5.conf should both be specific to the IPA server and also
> be included in the client install log.
>
> It might be an interesting exercise to set a one-time password on a host
> and see if you can enroll successfully using that.
>
> rob
>

It looks like I have more than one problem right now. Most likely from me poking and prodding in the spec file.

Before I shut the VM's down my "user1" was able to log in on the ipa.blarg.local box and everything seemed to work fine. I shut the VM down over night and booted it up to look at the log files. Now that login doesn't work ("User not known to the underlying authentication module"). As root, I can run `kinit admin` and commands work (adding users and changing user information), but the web interface gives a "IPA Error 901: An internal error has occurred". There are all sorts of python errors in the /var/log/http/error.log file and there are errors in the /var/log/sssd/sssd.log that say "waitpid returned -1 (errno: 10[No child processes]".

Not sure what is going on but if I can't get users logging in on the server, trying to get them to log in on a dev box seems unlikely. So whatever I have done, I have buggered it up pretty good. :-)

Since this is a self-compiled version from a hacked up spec file on a non-fedora system there is no reason to pester you guys about this. I know you are busy working on the next release.

Thanks again for the help!

~Stack~

From tomasz.napierala at allegro.pl Fri Nov 4 13:33:40 2011
From: tomasz.napierala at allegro.pl (tomasz.napierala at allegro.pl)
Date: Fri, 4 Nov 2011 14:33:40 +0100
Subject: [Freeipa-users] Problem installing client on server
Message-ID:

Hi,

We are (again) evaluating FreeIPA 2.x and I ran into troubles installing the client on the ipa server. It happened before on another server, but I thought it might be due to the fact that FreeIPA had been installed and uninstalled there several times. This time it's a fresh install.
[root at ipa20-test ~]# rpm -qa |grep freeipa
freeipa-client-2.1.3-2.fc15.x86_64
freeipa-admintools-2.1.3-2.fc15.x86_64
freeipa-server-selinux-2.1.3-2.fc15.x86_64
freeipa-python-2.1.3-2.fc15.x86_64
freeipa-server-2.1.3-2.fc15.x86_64

Last lines from output:
done configuring dirsrv.
Restarting the directory server
Restarting the KDC
Restarting the web server
Sample zone file for bind has been created in /tmp/sample.zone.iQ1QBH.db
Configuration of client side components failed!
ipa-client-install returned: Command '/usr/sbin/ipa-client-install --on-master --unattended --domain dc2 --server ipa20-test.dc2 --realm GATECH --hostname ipa20-test.dc2' returned non-zero exit status 1

Launching it again:
[root at ipa20-test ~]# /usr/sbin/ipa-client-install --on-master --unattended --domain dc2 --server ipa20-test.dc2 --realm GATECH --hostname ipa20-test.dc2
Failed to verify that ipa20-test.dc2 is an IPA Server.
This may mean that the remote server is not up or is not reachable
due to network or firewall settings.
Installation failed. Rolling back changes.
IPA client is not configured on this system.
ipaclient-install.log:
2011-11-04 14:11:18,799 DEBUG Init ldap with: ldap://ipa20-test.dc2:389
2011-11-04 14:11:18,812 DEBUG Search LDAP server for IPA base DN
2011-11-04 14:11:18,814 DEBUG Check if naming context 'dc=gatech' is for IPA
2011-11-04 14:11:18,815 DEBUG Naming context 'dc=gatech' is a valid IPA context
2011-11-04 14:11:18,815 DEBUG Search for (objectClass=krbRealmContainer) in dc=gatech(sub)
2011-11-04 14:11:18,816 DEBUG Found: [('cn=GATECH,cn=kerberos,dc=gatech', {'krbSubTrees': ['dc=gatech'], 'cn': ['GATECH'], 'krbDefaultEncSaltTypes': ['aes256-cts:special', 'aes128-cts:special', 'des3-hmac-sha1:special', 'arcfour-hmac:special'], 'objectClass': ['top', 'krbrealmcontainer', 'krbticketpolicyaux'], 'krbSearchScope': ['2'], 'krbSupportedEncSaltTypes': ['aes256-cts:normal', 'aes256-cts:special', 'aes128-cts:normal', 'aes128-cts:special', 'des3-hmac-sha1:normal', 'des3-hmac-sha1:special', 'arcfour-hmac:normal', 'arcfour-hmac:special', 'des-hmac-sha1:normal', 'des-cbc-md5:normal', 'des-cbc-crc:normal', 'des-cbc-crc:v4', 'des-cbc-crc:afs3'], 'krbMaxTicketLife': ['86400'], 'krbMaxRenewableAge': ['604800']})]
2011-11-04 14:11:18,817 DEBUG will use domain: dc2
2011-11-04 14:11:18,817 DEBUG will use server: ipa20-test.dc2

Anyone have a clue what might be the reason?

Regards,

--
Tomasz Z. Napierała
Systems Architecture Engineer, IT Infrastructure Department
Allegro Team
http://www.allegro.pl/

Grupa Allegro Sp. z o.o., with its registered office in Poznań, 60-324 Poznań, ul. Marcelińska 90, entered in the Register of Entrepreneurs kept by the District Court Poznań - Nowe Miasto i Wilda, VIII Commercial Division of the National Court Register, under KRS number 0000268796, with share capital of 33,474,500 PLN, holding tax identification number NIP: 5272525995.
From rcritten at redhat.com  Fri Nov  4 13:52:32 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 04 Nov 2011 09:52:32 -0400
Subject: [Freeipa-users] Problem installing client on server
In-Reply-To: 
References: 
Message-ID: <4EB3EE20.4000108@redhat.com>

tomasz.napierala at allegro.pl wrote:
> Hi,
>
> We are (again) evaluating FreeIPA 2.x and I run into troubles installing client on ipa server. It happened before on other server, but I thought it might be due to the fact, that FreeIPA was installed and uninstalled there for several times. This time it's a fresh install.
> [root@ipa20-test ~]# rpm -qa |grep freeipa
> freeipa-client-2.1.3-2.fc15.x86_64
> freeipa-admintools-2.1.3-2.fc15.x86_64
> freeipa-server-selinux-2.1.3-2.fc15.x86_64
> freeipa-python-2.1.3-2.fc15.x86_64
> freeipa-server-2.1.3-2.fc15.x86_64
>
> Last lines from output:
> done configuring dirsrv.
> Restarting the directory server
> Restarting the KDC
> Restarting the web server
> Sample zone file for bind has been created in /tmp/sample.zone.iQ1QBH.db
> Configuration of client side components failed!
> ipa-client-install returned: Command '/usr/sbin/ipa-client-install --on-master --unattended --domain dc2 --server ipa20-test.dc2 --realm GATECH --hostname ipa20-test.dc2' returned non-zero exit status 1
>
> Launching it again:
> [root@ipa20-test ~]# /usr/sbin/ipa-client-install --on-master --unattended --domain dc2 --server ipa20-test.dc2 --realm GATECH --hostname ipa20-test.dc2
> Failed to verify that ipa20-test.dc2 is an IPA Server.
> This may mean that the remote server is not up or is not reachable
> due to network or firewall settings.
> Installation failed. Rolling back changes.
> IPA client is not configured on this system.
>
> ipaclient-install.log:
> 2011-11-04 14:11:18,799 DEBUG Init ldap with: ldap://ipa20-test.dc2:389
> 2011-11-04 14:11:18,812 DEBUG Search LDAP server for IPA base DN
> 2011-11-04 14:11:18,814 DEBUG Check if naming context 'dc=gatech' is for IPA
> 2011-11-04 14:11:18,815 DEBUG Naming context 'dc=gatech' is a valid IPA context
> 2011-11-04 14:11:18,815 DEBUG Search for (objectClass=krbRealmContainer) in dc=gatech(sub)
> 2011-11-04 14:11:18,816 DEBUG Found: [('cn=GATECH,cn=kerberos,dc=gatech', {'krbSubTrees': ['dc=gatech'], 'cn': ['GATECH'], 'krbDefaultEncSaltTypes': ['aes256-cts:special', 'aes128-cts:special', 'des3-hmac-sha1:special', 'arcfour-hmac:special'], 'objectClass': ['top', 'krbrealmcontainer', 'krbticketpolicyaux'], 'krbSearchScope': ['2'], 'krbSupportedEncSaltTypes': ['aes256-cts:normal', 'aes256-cts:special', 'aes128-cts:normal', 'aes128-cts:special', 'des3-hmac-sha1:normal', 'des3-hmac-sha1:special', 'arcfour-hmac:normal', 'arcfour-hmac:special', 'des-hmac-sha1:normal', 'des-cbc-md5:normal', 'des-cbc-crc:normal', 'des-cbc-crc:v4', 'des-cbc-crc:afs3'], 'krbMaxTicketLife': ['86400'], 'krbMaxRenewableAge': ['604800']})]
> 2011-11-04 14:11:18,817 DEBUG will use domain: dc2
>
> 2011-11-04 14:11:18,817 DEBUG will use server: ipa20-test.dc2
>
> Anyone have a clue what might be the reason?
>
> Regards,

Can you provide more context from the client install log (or the whole log)?

rob

From tomasz.napierala at allegro.pl  Fri Nov  4 15:43:37 2011
From: tomasz.napierala at allegro.pl (tomasz.napierala at allegro.pl)
Date: Fri, 4 Nov 2011 16:43:37 +0100
Subject: [Freeipa-users] Problem installing client on server
In-Reply-To: <4EB3EE20.4000108@redhat.com>
References: <4EB3EE20.4000108@redhat.com>
Message-ID: <6FEAF48D-5772-4CE2-BFDB-45178BF0422B@allegro.pl>

On 4 Nov 2011, at 14:52, Rob Crittenden wrote:
> Can you provide more context from the client install log (or the whole log)?
Sure:
http://pastie.org/2810505

One more thing: in that domain (.dc2) there is already working IPA 1.x, and we have DNS entries pointing to that installation. It might be KDC autodiscovery issue, but how can I disable auto discovery?

Regards,
-- 
Tomasz Z. Napierała
Systems Architecture Engineer, IT Infrastructure Department
Allegro Team
http://www.allegro.pl/

From simo at redhat.com  Fri Nov  4 15:57:47 2011
From: simo at redhat.com (Simo Sorce)
Date: Fri, 04 Nov 2011 11:57:47 -0400
Subject: [Freeipa-users] Problem installing client on server
In-Reply-To: <6FEAF48D-5772-4CE2-BFDB-45178BF0422B@allegro.pl>
References: <4EB3EE20.4000108@redhat.com> <6FEAF48D-5772-4CE2-BFDB-45178BF0422B@allegro.pl>
Message-ID: <1320422267.7734.725.camel@willson.li.ssimo.org>

On Fri, 2011-11-04 at 16:43 +0100, tomasz.napierala at allegro.pl wrote:
> On 4 Nov 2011, at 14:52, Rob Crittenden wrote:
>
> > Can you provide more context from the client install log (or the whole log)?
>
>
> Sure:
> http://pastie.org/2810505
>
> One more thing: in that domain (.dc2) there is already working IPA 1.x, and we have DNS entries pointing to that installation. It might be KDC autodiscovery issue, but how can I disable auto discovery?
Not necessarily related to your problem, but in general I would strongly
suggest all freeipa users to:

a) use domain names that are longer than a single component
   (for example in your case 'ipa.dc2' instead of just 'dc2')

b) let the kerberos realm exactly match the domain name.
   (In your case let it be 'IPA.DC2')

We do not enforce these rules but not following them can cause you
additional headaches in some cases.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From tomasz.napierala at allegro.pl  Fri Nov  4 16:07:34 2011
From: tomasz.napierala at allegro.pl (tomasz.napierala at allegro.pl)
Date: Fri, 4 Nov 2011 17:07:34 +0100
Subject: [Freeipa-users] Problem installing client on server
In-Reply-To: <1320422267.7734.725.camel@willson.li.ssimo.org>
References: <4EB3EE20.4000108@redhat.com> <6FEAF48D-5772-4CE2-BFDB-45178BF0422B@allegro.pl> <1320422267.7734.725.camel@willson.li.ssimo.org>
Message-ID: <2C524A60-2FE1-4C54-B84B-1900910C84F3@allegro.pl>

On 4 Nov 2011, at 16:57, Simo Sorce wrote:
> Not necessarily related to your problem, but in general I would strongly
> suggest all freeipa users to:
>
> a) use domain names that are longer than a single component
>    (for example in your case 'ipa.dc2' instead of just 'dc2')
>
> b) let the kerberos realm exactly match the domain name.
>    (In your case let it be 'IPA.DC2')
>
> We do not enforce these rules but not following them can cause you
> additional headaches in some cases.

I know that from 1.x deployment. Unfortunately adding another domain would completely destroy our infrastructure management tools ;)

Regards,
-- 
Tomasz Z. Napierała
Systems Architecture Engineer, IT Infrastructure Department
Allegro Team
http://www.allegro.pl/

From simo at redhat.com  Fri Nov  4 16:27:13 2011
From: simo at redhat.com (Simo Sorce)
Date: Fri, 04 Nov 2011 12:27:13 -0400
Subject: [Freeipa-users] Problem installing client on server
In-Reply-To: <2C524A60-2FE1-4C54-B84B-1900910C84F3@allegro.pl>
References: <4EB3EE20.4000108@redhat.com> <6FEAF48D-5772-4CE2-BFDB-45178BF0422B@allegro.pl> <1320422267.7734.725.camel@willson.li.ssimo.org> <2C524A60-2FE1-4C54-B84B-1900910C84F3@allegro.pl>
Message-ID: <1320424033.7734.733.camel@willson.li.ssimo.org>

On Fri, 2011-11-04 at 17:07 +0100, tomasz.napierala at allegro.pl wrote:
> On 4 Nov 2011, at 16:57, Simo Sorce wrote:
>
> > Not necessarily related to your problem, but in general I would strongly
> > suggest all freeipa users to:
> >
> > a) use domain names that are longer than a single component
> >    (for example in your case 'ipa.dc2' instead of just 'dc2')
> >
> > b) let the kerberos realm exactly match the domain name.
> >    (In your case let it be 'IPA.DC2')
> >
> > We do not enforce these rules but not following them can cause you
> > additional headaches in some cases.
>
>
> I know that from 1.x deployment. Unfortunately adding another domain
> would completely destroy our infrastructure management tools ;)
>

You seem to be in one of those corner cases for which we decided to not enforce those rules programmatically ...

Simo.
-- 
Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com  Fri Nov  4 17:31:21 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 04 Nov 2011 13:31:21 -0400
Subject: [Freeipa-users] Problem installing client on server
In-Reply-To: <6FEAF48D-5772-4CE2-BFDB-45178BF0422B@allegro.pl>
References: <4EB3EE20.4000108@redhat.com> <6FEAF48D-5772-4CE2-BFDB-45178BF0422B@allegro.pl>
Message-ID: <4EB42169.5010005@redhat.com>

tomasz.napierala at allegro.pl wrote:
>
> On 4 Nov 2011, at 14:52, Rob Crittenden wrote:
>
>> Can you provide more context from the client install log (or the whole log)?
>
>
> Sure:
> http://pastie.org/2810505
>
> One more thing: in that domain (.dc2) there is already working IPA 1.x, and we have DNS entries pointing to that installation. It might be KDC autodiscovery issue, but how can I disable auto discovery?
>
> Regards,

I'm not really sure what is going on. It could be that there is some interference from the v1 server but we pass enough arguments into the client installer that it shouldn't need to do much.

It would help if you instrumented ipa-client-install to display the value of ret when it is failing so we can know specifically why it failed.

rob

From g17jimmy at gmail.com  Fri Nov  4 19:04:14 2011
From: g17jimmy at gmail.com (Jimmy)
Date: Fri, 4 Nov 2011 15:04:14 -0400
Subject: [Freeipa-users] ipa-client-install error
Message-ID: 

I'm running the ipa-client-install on a CentOS 6 client and get this error:

[root@kudzu ~]# ipa-client-install
Discovery was successful!
Realm: PDH.CSP
DNS Domain: pdh.csp
IPA Server: csp-idm.pdh.csp
BaseDN: dc=pdh,dc=csp

Continue to configure the system with these values? [no]: yes
Principal: admin
Password for admin@PDH.CSP:
Joining realm failed: Operation failed!
unsupported extended operation
child exited with 9
Certificate subject base is: O=PDH.CSP

The only logs I see on the server are here:

Nov 04 18:52:55 csp-idm.pdh.csp krb5kdc[5354](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.201.199: NEEDED_PREAUTH: admin@PDH.CSP for krbtgt/PDH.CSP@PDH.CSP, Additional pre-authentication required
Nov 04 18:53:20 csp-idm.pdh.csp krb5kdc[5354](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.201.199: ISSUE: authtime 1320432800, etypes {rep=18 tkt=18 ses=18}, admin@PDH.CSP for krbtgt/PDH.CSP@PDH.CSP
Nov 04 18:53:21 csp-idm.pdh.csp krb5kdc[5354](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.201.199: ISSUE: authtime 1320432800, etypes {rep=18 tkt=18 ses=18}, admin@PDH.CSP for HTTP/csp-idm.pdh.csp@PDH.CSP
Nov 04 18:53:21 csp-idm.pdh.csp krb5kdc[5354](info): TGS_REQ (1 etypes {18}) 192.168.201.199: ISSUE: authtime 1320432800, etypes {rep=18 tkt=18 ses=18}, admin@PDH.CSP for krbtgt/PDH.CSP@PDH.CSP
Nov 04 18:53:21 csp-idm.pdh.csp krb5kdc[5354](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.201.102: ISSUE: authtime 1320432800, etypes {rep=18 tkt=18 ses=18}, admin@PDH.CSP for ldap/csp-idm.pdh.csp@PDH.CSP
Nov 04 18:53:21 csp-idm.pdh.csp krb5kdc[5354](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.201.199: ISSUE: authtime 1320432800, etypes {rep=18 tkt=18 ses=18}, admin@PDH.CSP for ldap/csp-idm.pdh.csp@PDH.CSP

From ayoung at redhat.com  Fri Nov  4 19:12:50 2011
From: ayoung at redhat.com (Adam Young)
Date: Fri, 04 Nov 2011 15:12:50 -0400
Subject: [Freeipa-users] ipa-client-install error
In-Reply-To: 
References: 
Message-ID: <4EB43932.8030203@redhat.com>

CentOS is far behind RHEL. Many of the issues you will find have been fixed in released versions of IPA. This one is due, I think, to an earlier issue with directory server that has since been upgraded.
You might want to see if the versions shipped with Scientific Linux work better for you, but it is going to be quite a few packages. Aside from freeipa* it will be xmlrpc, 389-ds-base and DNS dyndb and possibly others.

On 11/04/2011 03:04 PM, Jimmy wrote:
> I'm running the ipa-client-install on a CentOS 6 client and get this
> error:
>
> [root@kudzu ~]# ipa-client-install
> Discovery was successful!
> Realm: PDH.CSP
> DNS Domain: pdh.csp
> IPA Server: csp-idm.pdh.csp
> BaseDN: dc=pdh,dc=csp
>
> Continue to configure the system with these values? [no]: yes
> Principal: admin
> Password for admin@PDH.CSP:
> Joining realm failed: Operation failed! unsupported extended operation
> child exited with 9
> Certificate subject base is: O=PDH.CSP
>
> The only logs I see on the server are here:
>
> Nov 04 18:52:55 csp-idm.pdh.csp krb5kdc[5354](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.201.199: NEEDED_PREAUTH: admin@PDH.CSP for krbtgt/PDH.CSP@PDH.CSP, Additional pre-authentication required
> Nov 04 18:53:20 csp-idm.pdh.csp krb5kdc[5354](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.201.199: ISSUE: authtime 1320432800, etypes {rep=18 tkt=18 ses=18}, admin@PDH.CSP for krbtgt/PDH.CSP@PDH.CSP
> Nov 04 18:53:21 csp-idm.pdh.csp krb5kdc[5354](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.201.199: ISSUE: authtime 1320432800, etypes {rep=18 tkt=18 ses=18}, admin@PDH.CSP for HTTP/csp-idm.pdh.csp@PDH.CSP
> Nov 04 18:53:21 csp-idm.pdh.csp krb5kdc[5354](info): TGS_REQ (1 etypes {18}) 192.168.201.199: ISSUE: authtime 1320432800, etypes {rep=18 tkt=18 ses=18}, admin@PDH.CSP for krbtgt/PDH.CSP@PDH.CSP
> Nov 04 18:53:21 csp-idm.pdh.csp krb5kdc[5354](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.201.102: ISSUE: authtime 1320432800, etypes {rep=18 tkt=18 ses=18}, admin@PDH.CSP for ldap/csp-idm.pdh.csp@PDH.CSP
> Nov 04 18:53:21 csp-idm.pdh.csp krb5kdc[5354](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.201.199:
> ISSUE: authtime 1320432800, etypes {rep=18 tkt=18 ses=18}, admin@PDH.CSP for ldap/csp-idm.pdh.csp@PDH.CSP
>
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

From g17jimmy at gmail.com  Fri Nov  4 19:20:02 2011
From: g17jimmy at gmail.com (Jimmy)
Date: Fri, 4 Nov 2011 15:20:02 -0400
Subject: [Freeipa-users] ipa-client-install error
In-Reply-To: <4EB43932.8030203@redhat.com>
References: <4EB43932.8030203@redhat.com>
Message-ID: 

I don't know if I was clear on the issue- the FreeIPA server is running on Fedora 15, the client is CentOS 6. If your suggestion still applies I will look into the SL packages.

Thanks-
J

On Fri, Nov 4, 2011 at 3:12 PM, Adam Young wrote:
> CentOS is far behind RHEL. Many of the issues you will find have been
> fixed in released versions of IPA. This one is due, I think to an earlier
> issue with directory server that has since been upgraded.
>
> You might want to see if the versions shipped with Scientific Linux work
> better for you, but it is going to be quite a few packages. Aside from
> freeipa* it will be xmlrpc, 389-ds-base and DNS dyndb and possibly others.
>
>
> On 11/04/2011 03:04 PM, Jimmy wrote:
>
> I'm running the ipa-client-install on a CentOS 6 client and get this
> error:
>
> [root@kudzu ~]# ipa-client-install
> Discovery was successful!
> Realm: PDH.CSP
> DNS Domain: pdh.csp
> IPA Server: csp-idm.pdh.csp
> BaseDN: dc=pdh,dc=csp
>
> Continue to configure the system with these values? [no]: yes
> Principal: admin
> Password for admin@PDH.CSP:
> Joining realm failed: Operation failed!
> unsupported extended operation
> child exited with 9
> Certificate subject base is: O=PDH.CSP
>
> The only logs I see on the server are here:
>
> Nov 04 18:52:55 csp-idm.pdh.csp krb5kdc[5354](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.201.199: NEEDED_PREAUTH: admin@PDH.CSP for krbtgt/PDH.CSP@PDH.CSP, Additional pre-authentication required
> Nov 04 18:53:20 csp-idm.pdh.csp krb5kdc[5354](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.201.199: ISSUE: authtime 1320432800, etypes {rep=18 tkt=18 ses=18}, admin@PDH.CSP for krbtgt/PDH.CSP@PDH.CSP
> Nov 04 18:53:21 csp-idm.pdh.csp krb5kdc[5354](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.201.199: ISSUE: authtime 1320432800, etypes {rep=18 tkt=18 ses=18}, admin@PDH.CSP for HTTP/csp-idm.pdh.csp@PDH.CSP
> Nov 04 18:53:21 csp-idm.pdh.csp krb5kdc[5354](info): TGS_REQ (1 etypes {18}) 192.168.201.199: ISSUE: authtime 1320432800, etypes {rep=18 tkt=18 ses=18}, admin@PDH.CSP for krbtgt/PDH.CSP@PDH.CSP
> Nov 04 18:53:21 csp-idm.pdh.csp krb5kdc[5354](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.201.102: ISSUE: authtime 1320432800, etypes {rep=18 tkt=18 ses=18}, admin@PDH.CSP for ldap/csp-idm.pdh.csp@PDH.CSP
> Nov 04 18:53:21 csp-idm.pdh.csp krb5kdc[5354](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.201.199: ISSUE: authtime 1320432800, etypes {rep=18 tkt=18 ses=18}, admin@PDH.CSP for ldap/csp-idm.pdh.csp@PDH.CSP
>
From rcritten at redhat.com  Fri Nov  4 19:20:29 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 04 Nov 2011 15:20:29 -0400
Subject: [Freeipa-users] ipa-client-install error
In-Reply-To: 
References: 
Message-ID: <4EB43AFD.4010104@redhat.com>

Jimmy wrote:
> I'm running the ipa-client-install on a CentOS 6 client and get this error:
>
> [root@kudzu ~]# ipa-client-install
> Discovery was successful!
> Realm: PDH.CSP
> DNS Domain: pdh.csp
> IPA Server: csp-idm.pdh.csp
> BaseDN: dc=pdh,dc=csp
>
> Continue to configure the system with these values? [no]: yes
> Principal: admin
> Password for admin@PDH.CSP:
> Joining realm failed: Operation failed! unsupported extended operation
> child exited with 9
> Certificate subject base is: O=PDH.CSP
>
> The only logs I see on the server are here:
>
> Nov 04 18:52:55 csp-idm.pdh.csp krb5kdc[5354](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.201.199: NEEDED_PREAUTH: admin@PDH.CSP for krbtgt/PDH.CSP@PDH.CSP, Additional pre-authentication required
> Nov 04 18:53:20 csp-idm.pdh.csp krb5kdc[5354](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.201.199: ISSUE: authtime 1320432800, etypes {rep=18 tkt=18 ses=18}, admin@PDH.CSP for krbtgt/PDH.CSP@PDH.CSP
> Nov 04 18:53:21 csp-idm.pdh.csp krb5kdc[5354](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.201.199: ISSUE: authtime 1320432800, etypes {rep=18 tkt=18 ses=18}, admin@PDH.CSP for HTTP/csp-idm.pdh.csp@PDH.CSP
> Nov 04 18:53:21 csp-idm.pdh.csp krb5kdc[5354](info): TGS_REQ (1 etypes {18}) 192.168.201.199: ISSUE: authtime 1320432800, etypes {rep=18 tkt=18 ses=18}, admin@PDH.CSP for krbtgt/PDH.CSP@PDH.CSP
> Nov 04 18:53:21 csp-idm.pdh.csp krb5kdc[5354](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.201.102: ISSUE: authtime 1320432800, etypes {rep=18 tkt=18 ses=18}, admin@PDH.CSP for ldap/csp-idm.pdh.csp@PDH.CSP
> Nov 04 18:53:21 csp-idm.pdh.csp krb5kdc[5354](info): TGS_REQ (4 etypes {18 17 16 23})
> 192.168.201.199: ISSUE: authtime 1320432800, etypes {rep=18 tkt=18 ses=18}, admin@PDH.CSP for ldap/csp-idm.pdh.csp@PDH.CSP
>

You need a newer ipa-client package. The extended operation we used for enrollment changed. This was fixed in ipa-client-2.0-9.1 in RHEL 6.0.

rob

From g17jimmy at gmail.com  Fri Nov  4 20:23:33 2011
From: g17jimmy at gmail.com (Jimmy)
Date: Fri, 4 Nov 2011 16:23:33 -0400
Subject: [Freeipa-users] ipa-client-install error
In-Reply-To: <4EB43AFD.4010104@redhat.com>
References: <4EB43AFD.4010104@redhat.com>
Message-ID: 

I see. I have ipa-client-2.0-9.el6.x86_64 on the CentOS 6 client. I guess the proper fix is to use the SL packages Adam referenced?

Jimmy

>
> You need a newer ipa-client package. The extended operation we used for
> enrollment changed. This was fixed in ipa-client-2.0-9.1 in RHEL 6.0.
>
> rob
>

From danieljamesscott at gmail.com  Fri Nov  4 21:12:08 2011
From: danieljamesscott at gmail.com (Dan Scott)
Date: Fri, 4 Nov 2011 17:12:08 -0400
Subject: [Freeipa-users] LDAP search for email address of user in a particular group
Message-ID: 

Hi,

I've just migrated a couple of servers from FreeIPA 1.2 to 2.1. I'm almost done. I just have a few custom LDAP searches to migrate.

With the old system, I was trying to look up users who are in a particular group by their email address, i.e.

ldapsearch -b cn=users,cn=accounts,dc=example,dc=com "(&(mail=${email_address})(memberOf=cn=usergroup,cn=groups,dc=example,dc=com" -x

In version 2, it looks like the memberOf attributes have been removed from the user entries and the user group membership information is stored only in the 'member' attribute of the individual group entries.

Can someone help me modify the above command so that I can find users, using their email address, who are also members of a particular group? Preferably using one command.
Thanks,

Dan Scott

From sbingram at gmail.com  Fri Nov  4 21:38:33 2011
From: sbingram at gmail.com (Stephen Ingram)
Date: Fri, 4 Nov 2011 14:38:33 -0700
Subject: [Freeipa-users] LDAP search for email address of user in a particular group
In-Reply-To: 
References: 
Message-ID: 

On Fri, Nov 4, 2011 at 2:12 PM, Dan Scott wrote:
> ldapsearch -b cn=users,cn=accounts,dc=example,dc=com
> "(&(mail=${email_address})(memberOf=cn=usergroup,cn=groups,dc=example,dc=com"
> -x
>
> In version 2, it looks like the memberOf attributes have been removed
> from the user entries and the user group membership information is
> stored only in the 'member' attribute of the individual group entries.
>
> Can someone help me modify the above command so that I can find users,
> using their email address, who are also members of a particular group?
> Preferably using one command.

Dan-

It looks like you are missing the cn=accounts in your filter:

ldapsearch -b cn=users,cn=accounts,dc=example,dc=com "(&mail=${email_address})(memberOf=cn=usergroup,cn=groups,cn=accounts,dc=example,dc=com)" -x ...

Steve

From danieljamesscott at gmail.com  Fri Nov  4 22:05:33 2011
From: danieljamesscott at gmail.com (Dan Scott)
Date: Fri, 4 Nov 2011 18:05:33 -0400
Subject: [Freeipa-users] LDAP search for email address of user in a particular group
In-Reply-To: 
References: 
Message-ID: 

Hi,

On Fri, Nov 4, 2011 at 17:38, Stephen Ingram wrote:
> On Fri, Nov 4, 2011 at 2:12 PM, Dan Scott wrote:
>> ldapsearch -b cn=users,cn=accounts,dc=example,dc=com
>> "(&(mail=${email_address})(memberOf=cn=usergroup,cn=groups,dc=example,dc=com"
>> -x
>>
>> In version 2, it looks like the memberOf attributes have been removed
>> from the user entries and the user group membership information is
>> stored only in the 'member' attribute of the individual group entries.
>>
>> Can someone help me modify the above command so that I can find users,
>> using their email address, who are also members of a particular group?
>> Preferably using one command.
>
> Dan-
>
> It looks like you are missing the cn=accounts in your filter:
>
> ldapsearch -b cn=users,cn=accounts,dc=example,dc=com
> "(&mail=${email_address})(memberOf=cn=usergroup,cn=groups,cn=accounts,dc=example,dc=com)"
> -x ...

Thanks for spotting that, it was an error from when I was removing my domain information.

However, the problem remains that the memberOf attributes don't exist in FreeIPA V2, so I need to figure out another way to do the search.

Thanks,

Dan

From sbingram at gmail.com  Fri Nov  4 22:10:41 2011
From: sbingram at gmail.com (Stephen Ingram)
Date: Fri, 4 Nov 2011 15:10:41 -0700
Subject: [Freeipa-users] LDAP search for email address of user in a particular group
In-Reply-To: 
References: 
Message-ID: 

On Fri, Nov 4, 2011 at 3:05 PM, Dan Scott wrote:
> Thanks for spotting that, it was an error from when I was removing my
> domain information.
>
> However, the problem remains that the memberOf attributes don't exist
> in FreeIPA V2, so I need to figure out another way to do the search.

Maybe everything didn't come across correctly in the upgrade. memberOf attributes *do* exist in v2. I know because I'm using them at this very moment. Have you searched your tree to see how everything was converted?
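Two things in the filters exchanged above are worth checking before scripting this search: `${email_address}` is interpolated into the filter without escaping, and both filters as posted are syntactically off (one is missing a closing parenthesis, the other reads `(&mail=` instead of `(&(mail=`). The following is an added example, not code from the thread or from FreeIPA: it escapes the values per RFC 4515, flags malformed filters, and evaluates the same `(&(mail=...)(memberOf=...))` condition in memory by deriving memberOf from the groups' `member` attribute; the entries and DNs are constructed for illustration.

```python
"""Build and sanity-check the user-by-mail-in-group filter, then evaluate
it against a constructed in-memory directory.  Added example; not from the
thread or from FreeIPA."""

# RFC 4515: these characters must be escaped inside an assertion value,
# otherwise a crafted value such as "*)(uid=admin" rewrites the filter.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value):
    """Escape an LDAP assertion value before interpolating it into a filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter(email, group_dn):
    """The thread's filter with both interpolated values escaped."""
    return "(&(mail=%s)(memberOf=%s))" % (escape_filter_value(email),
                                         escape_filter_value(group_dn))


def filter_is_well_formed(flt):
    """Cheap syntax check: parentheses balance, and a '&', '|' or '!' that
    directly follows '(' must itself be followed by '('.  This rejects both
    a filter missing its closing ')' and one written as '(&mail=...'."""
    depth = 0
    for i, ch in enumerate(flt):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
        elif ch in "&|!" and i > 0 and flt[i - 1] == "(":
            # Operator position: the next character must open the first operand.
            if i + 1 >= len(flt) or flt[i + 1] != "(":
                return False
    return depth == 0 and flt.startswith("(")


def compute_memberof(groups):
    """Map each member DN (lower-cased) to the groups whose 'member' lists it.
    The group-side 'member' attribute is the source of truth; memberOf on the
    user entry is a derived view of exactly this mapping."""
    memberof = {}
    for group_dn, attrs in groups.items():
        for member_dn in attrs.get("member", []):
            memberof.setdefault(member_dn.lower(), []).append(group_dn)
    return memberof


def find_users_by_mail_in_group(users, groups, email, group_dn):
    """Return sorted DNs of users whose mail matches (case-insensitively,
    as caseIgnoreIA5Match does) and who are members of group_dn."""
    memberof = compute_memberof(groups)
    hits = []
    for user_dn, attrs in users.items():
        mails = [m.lower() for m in attrs.get("mail", [])]
        groups_of_user = [g.lower() for g in memberof.get(user_dn.lower(), [])]
        if email.lower() in mails and group_dn.lower() in groups_of_user:
            hits.append(user_dn)
    return sorted(hits)


# Constructed sample directory (hypothetical data, not from the thread).
BASE = "dc=example,dc=com"
USERS_BASE = "cn=users,cn=accounts," + BASE
GROUP_DN = "cn=usergroup,cn=groups,cn=accounts," + BASE

USERS = {
    "uid=alice," + USERS_BASE: {"mail": ["alice@example.com"]},
    "uid=bob," + USERS_BASE: {"mail": ["bob@example.com"]},
    # Same mail as alice but not in the group: must not match.
    "uid=alice2," + USERS_BASE: {"mail": ["alice@example.com"]},
}
GROUPS = {
    GROUP_DN: {"member": ["uid=alice," + USERS_BASE, "uid=bob," + USERS_BASE]},
}

if __name__ == "__main__":
    print(build_filter("alice@example.com", GROUP_DN))
    print(find_users_by_mail_in_group(USERS, GROUPS, "alice@example.com", GROUP_DN))
```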
From rcritten at redhat.com  Fri Nov  4 22:13:45 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 04 Nov 2011 18:13:45 -0400
Subject: [Freeipa-users] LDAP search for email address of user in a particular group
In-Reply-To: 
References: 
Message-ID: <4EB46399.7040600@redhat.com>

Dan Scott wrote:
> Hi,
>
> On Fri, Nov 4, 2011 at 17:38, Stephen Ingram wrote:
>> On Fri, Nov 4, 2011 at 2:12 PM, Dan Scott wrote:
>>> ldapsearch -b cn=users,cn=accounts,dc=example,dc=com
>>> "(&(mail=${email_address})(memberOf=cn=usergroup,cn=groups,dc=example,dc=com"
>>> -x
>>>
>>> In version 2, it looks like the memberOf attributes have been removed
>>> from the user entries and the user group membership information is
>>> stored only in the 'member' attribute of the individual group entries.
>>>
>>> Can someone help me modify the above command so that I can find users,
>>> using their email address, who are also members of a particular group?
>>> Preferably using one command.
>>
>> Dan-
>>
>> It looks like you are missing the cn=accounts in your filter:
>>
>> ldapsearch -b cn=users,cn=accounts,dc=example,dc=com
>> "(&mail=${email_address})(memberOf=cn=usergroup,cn=groups,cn=accounts,dc=example,dc=com)"
>> -x ...
>
> Thanks for spotting that, it was an error from when I was removing my
> domain information.
>
> However, the problem remains that the memberOf attributes don't exist
> in FreeIPA V2, so I need to figure out another way to do the search.
>
> Thanks,
>
> Dan

memberof should exist. memberof should be calculated on the fly from the member information. I'm not sure why you aren't seeing it.

You can try this, substituting for your domain:

# /var/lib/dirsrv/scripts-EXAMPLE-COM/fixup-memberof.pl -D 'cn=directory manager' -w - -b dc=example,dc=com -f "(objectclass=*)" -v

This should rebuild the memberof values.
rob

From danieljamesscott at gmail.com  Fri Nov  4 22:51:39 2011
From: danieljamesscott at gmail.com (Dan Scott)
Date: Fri, 4 Nov 2011 18:51:39 -0400
Subject: [Freeipa-users] LDAP search for email address of user in a particular group
In-Reply-To: <4EB46399.7040600@redhat.com>
References: <4EB46399.7040600@redhat.com>
Message-ID: 

Hi,

On Fri, Nov 4, 2011 at 18:13, Rob Crittenden wrote:
> Dan Scott wrote:
>>
>> Hi,
>>
>> On Fri, Nov 4, 2011 at 17:38, Stephen Ingram wrote:
>>>
>>> On Fri, Nov 4, 2011 at 2:12 PM, Dan Scott wrote:
>>>>
>>>> ldapsearch -b cn=users,cn=accounts,dc=example,dc=com
>>>> "(&(mail=${email_address})(memberOf=cn=usergroup,cn=groups,dc=example,dc=com"
>>>> -x
>>>>
>>>> In version 2, it looks like the memberOf attributes have been removed
>>>> from the user entries and the user group membership information is
>>>> stored only in the 'member' attribute of the individual group entries.
>>>>
>>>> Can someone help me modify the above command so that I can find users,
>>>> using their email address, who are also members of a particular group?
>>>> Preferably using one command.
>>>
>>> Dan-
>>>
>>> It looks like you are missing the cn=accounts in your filter:
>>>
>>> ldapsearch -b cn=users,cn=accounts,dc=example,dc=com
>>> "(&mail=${email_address})(memberOf=cn=usergroup,cn=groups,cn=accounts,dc=example,dc=com)"
>>> -x ...
>>
>> Thanks for spotting that, it was an error from when I was removing my
>> domain information.
>>
>> However, the problem remains that the memberOf attributes don't exist
>> in FreeIPA V2, so I need to figure out another way to do the search.
>>
>> Thanks,
>>
>> Dan
>
> memberof should exist. memberof should be calculated on the fly from the
> member information. I'm not sure why you aren't seeing it.
>
> You can try this, substituting for your domain:
>
> # /var/lib/dirsrv/scripts-EXAMPLE-COM/fixup-memberof.pl -D 'cn=directory
> manager' -w - -b dc=example,dc=com -f "(objectclass=*)" -v
>
> This should rebuild the memberof values.

Thanks for the tip, but it doesn't seem to be working. I run the command and get a response. It says:

adding new entry "cn=memberOf_fixup_2011_11_4_18_46_11, cn=memberOf task, cn=tasks, cn=config"
modify complete

But the memberOf attributes don't appear (on either server - I have 2 servers replicating).

There are a couple of suspicious errors in the dirsrv log file:

[04/Nov/2011:18:30:53 -0400] schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat, dc=example,dc=com
[04/Nov/2011:18:30:53 -0400] schema-compat-plugin - warning: no entries set up under ou=SUDOers, dc=example,dc=com
[04/Nov/2011:18:30:53 -0400] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=example,dc=com--no CoS Templates found, which should be added before the CoS Definition.
[04/Nov/2011:18:30:53 -0400] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=example,dc=com--no CoS Templates found, which should be added before the CoS Definition.

The other server contains similar lines and also shows some errors when I rebooted the first server. But eventually it shows:

Replication bind with GSSAPI auth resumed

So I guess it's all OK?

Thanks,

Dan

From dpal at redhat.com  Fri Nov  4 23:07:35 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 04 Nov 2011 19:07:35 -0400
Subject: [Freeipa-users] ipa-client-install error
In-Reply-To: 
References: <4EB43AFD.4010104@redhat.com>
Message-ID: <4EB47037.9040603@redhat.com>

On 11/04/2011 04:23 PM, Jimmy wrote:
>
> I see. I have ipa-client-2.0-9.el6.x86_64 on the CentOS 6 client. I
> guess the proper fix is to use the SL packages Adam referenced?

Correct.

> Jimmy
>
>
>     You need a newer ipa-client package. The extended operation we
>     used for enrollment changed.
>     This was fixed in ipa-client-2.0-9.1
>     in RHEL 6.0.
>
>     rob
>

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From rmeggins at redhat.com  Fri Nov  4 23:07:50 2011
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 04 Nov 2011 17:07:50 -0600
Subject: [Freeipa-users] LDAP search for email address of user in a particular group
In-Reply-To: 
References: <4EB46399.7040600@redhat.com>
Message-ID: <4EB47046.9060407@redhat.com>

On 11/04/2011 04:51 PM, Dan Scott wrote:
> Hi,
>
> On Fri, Nov 4, 2011 at 18:13, Rob Crittenden wrote:
>> Dan Scott wrote:
>>> Hi,
>>>
>>> On Fri, Nov 4, 2011 at 17:38, Stephen Ingram wrote:
>>>> On Fri, Nov 4, 2011 at 2:12 PM, Dan Scott wrote:
>>>>> ldapsearch -b cn=users,cn=accounts,dc=example,dc=com
>>>>> "(&(mail=${email_address})(memberOf=cn=usergroup,cn=groups,dc=example,dc=com"
>>>>> -x
>>>>>
>>>>> In version 2, it looks like the memberOf attributes have been removed
>>>>> from the user entries and the user group membership information is
>>>>> stored only in the 'member' attribute of the individual group entries.
>>>>>
>>>>> Can someone help me modify the above command so that I can find users,
>>>>> using their email address, who are also members of a particular group?
>>>>> Preferably using one command.
>>>> Dan-
>>>>
>>>> It looks like you are missing the cn=accounts in your filter:
>>>>
>>>> ldapsearch -b cn=users,cn=accounts,dc=example,dc=com
>>>> "(&mail=${email_address})(memberOf=cn=usergroup,cn=groups,cn=accounts,dc=example,dc=com)"
>>>> -x ...
>>> Thanks for spotting that, it was an error from when I was removing my
>>> domain information.
>>> >>> However, the problem remains that the memberOf attributes don't exist >>> in FreeIPA V2, so I need to figure out another way to do the search. >>> >>> Thanks, >>> >>> Dan >> memberof should exist. memberof should be calculated on the fly from the >> member information. I'm not sure why you aren't seeing it. >> >> You can try this, substituting for your domain: >> >> # /var/lib/dirsrv/scripts-EXAMPLE-COM/fixup-memberof.pl -D 'cn=directory >> manager' -w - -b dc=example,dc=com -f "(objectclass=*)" -v >> >> This should rebuild the memberof values. > Thanks for the tip, but it doesn't seem to be working. I run the > command and get a response. It says: > > adding new entry "cn=memberOf_fixup_2011_11_4_18_46_11, cn=memberOf > task, cn=tasks, cn=config" > modify complete > > But the memberOf attributes don't appear (on either server - I have 2 > servers replicating). > > There are a couple of suspicious errors in the dirsrv log file: > > [04/Nov/2011:18:30:53 -0400] schema-compat-plugin - warning: no > entries set up under cn=ng, cn=compat, dc=example,dc=com > [04/Nov/2011:18:30:53 -0400] schema-compat-plugin - warning: no > entries set up under ou=SUDOers, dc=example,dc=com > [04/Nov/2011:18:30:53 -0400] - Skipping CoS Definition cn=Password > Policy,cn=accounts,dc=example,dc=com--no CoS Templates found, which > should be added before the CoS Definition. > [04/Nov/2011:18:30:53 -0400] - Skipping CoS Definition cn=Password > Policy,cn=accounts,dc=example,dc=com--no CoS Templates found, which > should be added before the CoS Definition. > > The other server contains similar lines and also shows some errors > when I rebooted the first server. But eventually it shows: > > Replication bind with GSSAPI auth resumed > > So I guess it's all OK? I don't see any problems there. Do you have objectclass: inetUser in your user entries? 
> Thanks, > > Dan > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users

From danieljamesscott at gmail.com Fri Nov 4 23:12:48 2011 From: danieljamesscott at gmail.com (Dan Scott) Date: Fri, 4 Nov 2011 19:12:48 -0400 Subject: [Freeipa-users] LDAP search for email address of user in a particular group In-Reply-To: <4EB47046.9060407@redhat.com> References: <4EB46399.7040600@redhat.com> <4EB47046.9060407@redhat.com> Message-ID:

On Fri, Nov 4, 2011 at 19:07, Rich Megginson wrote: > On 11/04/2011 04:51 PM, Dan Scott wrote: >> >> Hi, >> >> On Fri, Nov 4, 2011 at 18:13, Rob Crittenden wrote: >>> >>> Dan Scott wrote: >>>> >>>> Hi, >>>> >>>> On Fri, Nov 4, 2011 at 17:38, Stephen Ingram >>>> wrote: >>>>> >>>>> On Fri, Nov 4, 2011 at 2:12 PM, Dan Scott >>>>> wrote: >>>>>> >>>>>> ldapsearch -b cn=users,cn=accounts,dc=example,dc=com >>>>>> >>>>>> >>>>>> "(&(mail=${email_address})(memberOf=cn=usergroup,cn=groups,dc=example,dc=com" >>>>>> -x >>>>>> >>>>>> In version 2, it looks like the memberOf attributes have been removed >>>>>> from the user entries and the user group membership information is >>>>>> stored only in the 'member' attribute of the individual group entries. >>>>>> >>>>>> Can someone help me modify the above command so that I can find users, >>>>>> using their email address, who are also members of a particular group? >>>>>> Preferably using one command. >>>>> >>>>> Dan- >>>>> >>>>> It looks like you are missing the cn=accounts in your filter: >>>>> >>>>> ldapsearch -b cn=users,cn=accounts,dc=example,dc=com >>>>> >>>>> >>>>> "(&mail=${email_address})(memberOf=cn=usergroup,cn=groups,cn=accounts,dc=example,dc=com)" >>>>> -x ... >>>> >>>> Thanks for spotting that, it was an error from when I was removing my >>>> domain information.
>>>> >>>> However, the problem remains that the memberOf attributes don't exist >>>> in FreeIPA V2, so I need to figure out another way to do the search. >>>> >>>> Thanks, >>>> >>>> Dan >>> >>> memberof should exist. memberof should be calculated on the fly from the >>> member information. I'm not sure why you aren't seeing it. >>> >>> You can try this, substituting for your domain: >>> >>> # /var/lib/dirsrv/scripts-EXAMPLE-COM/fixup-memberof.pl -D 'cn=directory >>> manager' -w - -b dc=example,dc=com -f "(objectclass=*)" -v >>> >>> This should rebuild the memberof values. >> >> Thanks for the tip, but it doesn't seem to be working. I run the >> command and get a response. It says: >> >> adding new entry "cn=memberOf_fixup_2011_11_4_18_46_11, cn=memberOf >> task, cn=tasks, cn=config" >> modify complete >> >> But the memberOf attributes don't appear (on either server - I have 2 >> servers replicating). >> >> There are a couple of suspicious errors in the dirsrv log file: >> >> [04/Nov/2011:18:30:53 -0400] schema-compat-plugin - warning: no >> entries set up under cn=ng, cn=compat, dc=example,dc=com >> [04/Nov/2011:18:30:53 -0400] schema-compat-plugin - warning: no >> entries set up under ou=SUDOers, dc=example,dc=com >> [04/Nov/2011:18:30:53 -0400] - Skipping CoS Definition cn=Password >> Policy,cn=accounts,dc=example,dc=com--no CoS Templates found, which >> should be added before the CoS Definition. >> [04/Nov/2011:18:30:53 -0400] - Skipping CoS Definition cn=Password >> Policy,cn=accounts,dc=example,dc=com--no CoS Templates found, which >> should be added before the CoS Definition. >> >> The other server contains similar lines and also shows some errors >> when I rebooted the first server. But eventually it shows: >> >> Replication bind with GSSAPI auth resumed >> >> So I guess it's all OK? > > I don't see any problems there. > > Do you have objectclass: inetUser in your user entries? Yep. That attribute exists for all of the users that I checked. 
Dan From rmeggins at redhat.com Fri Nov 4 23:38:06 2011 From: rmeggins at redhat.com (Rich Megginson) Date: Fri, 04 Nov 2011 17:38:06 -0600 Subject: [Freeipa-users] LDAP search for email address of user in a particular group In-Reply-To: References: <4EB46399.7040600@redhat.com> <4EB47046.9060407@redhat.com> Message-ID: <4EB4775E.5000904@redhat.com> On 11/04/2011 05:12 PM, Dan Scott wrote: > On Fri, Nov 4, 2011 at 19:07, Rich Megginson wrote: >> On 11/04/2011 04:51 PM, Dan Scott wrote: >>> Hi, >>> >>> On Fri, Nov 4, 2011 at 18:13, Rob Crittenden wrote: >>>> Dan Scott wrote: >>>>> Hi, >>>>> >>>>> On Fri, Nov 4, 2011 at 17:38, Stephen Ingram >>>>> wrote: >>>>>> On Fri, Nov 4, 2011 at 2:12 PM, Dan Scott >>>>>> wrote: >>>>>>> ldapsearch -b cn=users,cn=accounts,dc=example,dc=com >>>>>>> >>>>>>> >>>>>>> "(&(mail=${email_address})(memberOf=cn=usergroup,cn=groups,dc=example,dc=com" >>>>>>> -x >>>>>>> >>>>>>> In version 2, it looks like the memberOf attributes have been removed >>>>>>> from the user entries and the user group membership information is >>>>>>> stored only in the 'member' attribute of the individual group entries. >>>>>>> >>>>>>> Can someone help me modify the above command so that I can find users, >>>>>>> using their email address, who are also members of a particular group? >>>>>>> Preferably using one command. >>>>>> Dan- >>>>>> >>>>>> It looks like you are missing the cn=accounts in your filter: >>>>>> >>>>>> ldapsearch -b cn=users,cn=accounts,dc=example,dc=com >>>>>> >>>>>> >>>>>> "(&mail=${email_address})(memberOf=cn=usergroup,cn=groups,cn=accounts,dc=example,dc=com)" >>>>>> -x ... >>>>> Thanks for spotting that, it was an error from when I was removing my >>>>> domain information. >>>>> >>>>> However, the problem remains that the memberOf attributes don't exist >>>>> in FreeIPA V2, so I need to figure out another way to do the search. >>>>> >>>>> Thanks, >>>>> >>>>> Dan >>>> memberof should exist. 
memberof should be calculated on the fly from the >>>> member information. I'm not sure why you aren't seeing it. >>>> >>>> You can try this, substituting for your domain: >>>> >>>> # /var/lib/dirsrv/scripts-EXAMPLE-COM/fixup-memberof.pl -D 'cn=directory >>>> manager' -w - -b dc=example,dc=com -f "(objectclass=*)" -v >>>> >>>> This should rebuild the memberof values. >>> Thanks for the tip, but it doesn't seem to be working. I run the >>> command and get a response. It says: >>> >>> adding new entry "cn=memberOf_fixup_2011_11_4_18_46_11, cn=memberOf >>> task, cn=tasks, cn=config" >>> modify complete >>> >>> But the memberOf attributes don't appear (on either server - I have 2 >>> servers replicating). >>> >>> There are a couple of suspicious errors in the dirsrv log file: >>> >>> [04/Nov/2011:18:30:53 -0400] schema-compat-plugin - warning: no >>> entries set up under cn=ng, cn=compat, dc=example,dc=com >>> [04/Nov/2011:18:30:53 -0400] schema-compat-plugin - warning: no >>> entries set up under ou=SUDOers, dc=example,dc=com >>> [04/Nov/2011:18:30:53 -0400] - Skipping CoS Definition cn=Password >>> Policy,cn=accounts,dc=example,dc=com--no CoS Templates found, which >>> should be added before the CoS Definition. >>> [04/Nov/2011:18:30:53 -0400] - Skipping CoS Definition cn=Password >>> Policy,cn=accounts,dc=example,dc=com--no CoS Templates found, which >>> should be added before the CoS Definition. >>> >>> The other server contains similar lines and also shows some errors >>> when I rebooted the first server. But eventually it shows: >>> >>> Replication bind with GSSAPI auth resumed >>> >>> So I guess it's all OK? >> I don't see any problems there. >> >> Do you have objectclass: inetUser in your user entries? > Yep. That attribute exists for all of the users that I checked. Find a user that should exist in a group e.g. uid=dscott,...the rest of the dn... do a search for the group that should contain that user e.g. 
ldapsearch -x dc=example,dc=com '(member=uid=dscott,...the rest of the dn...)' Does it return the group entry? > Dan

From ayoung at redhat.com Sat Nov 5 00:07:35 2011 From: ayoung at redhat.com (Adam Young) Date: Fri, 04 Nov 2011 20:07:35 -0400 Subject: [Freeipa-users] ipa-client-install error In-Reply-To: <4EB47037.9040603@redhat.com> References: <4EB43AFD.4010104@redhat.com> <4EB47037.9040603@redhat.com> Message-ID: <4EB47E47.7080804@redhat.com>

On 11/04/2011 07:07 PM, Dmitri Pal wrote: > On 11/04/2011 04:23 PM, Jimmy wrote: >> >> I see. I have ipa-client-2.0-9.el6.x86_64 on the CentOS 6 client. I >> guess the proper fix is to use the SL packages Adam referenced? > > Correct. It looks like Scientific Linux is behind as well: The packages on http://ftp.scientificlinux.org/linux/scientific/ are all 2.0.0, for example http://ftp.scientificlinux.org/linux/scientific/6rolling/x86_64/updates/fastbugs/ipa-client-2.0.0-23.el6_1.1.x86_64.rpm Not sure how they are doing their naming scheme, as they have 6/ 6.1/ 6x/ and 6rolling but they all look pretty much the same. > >> Jimmy >> >> >> You need a newer ipa-client package. The extended operation we >> used for enrollment changed. This was fixed in ipa-client-2.0-9.1 >> in RHEL 6.0. >> >> rob >> >> >> >> _______________________________________________ >> Freeipa-users mailing list >> Freeipa-users at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-users > > > -- > Thank you, > Dmitri Pal > > Sr. Engineering Manager IPA project, > Red Hat Inc. > > > ------------------------------- > Looking to carve out IT costs? > www.redhat.com/carveoutcosts/ > > > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users
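Returning to the LDAP search thread above (Dan's mail-plus-memberOf filter and Rich's check of the group's member attribute), here is an added Python helper that is not from any of the posts: it builds both filters with RFC 4515 escaping so that an address containing filter metacharacters stays a plain value instead of rewriting the query, rejects filters whose parentheses do not balance (the command quoted in the thread is missing its closing parentheses), and assembles the ldapsearch argument vector for either the anonymous simple bind (-x) or an authenticated GSSAPI bind. The base DN, group name, user DN and address are constructed sample values.

```python
"""Build safe LDAP search filters for the FreeIPA lookups discussed above.

Added example, not code from the mailing-list posts. The base DN, group
name, user DN and e-mail address used below are constructed sample values.
"""
import shlex

# RFC 4515: characters that must be escaped inside a filter assertion value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value in an LDAP filter.

    Interpolating raw input (the shell's ${email_address} in the thread)
    into a filter lets metacharacters change what the query matches;
    escaping keeps the value inert, e.g. '*)(uid=' becomes '\\2a\\29\\28uid='.
    """
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def filter_is_balanced(ldap_filter: str) -> bool:
    """Return True if every '(' in the filter has a matching ')'.

    Escaped parentheses are '\\28' / '\\29' sequences, so they are not
    counted. The filter quoted in the thread fails this check.
    """
    depth = 0
    for ch in ldap_filter:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


def group_dn(group_cn: str, base_dn: str) -> str:
    """DN of a FreeIPA v2 user group: cn=<group>,cn=groups,cn=accounts,<base>."""
    return f"cn={group_cn},cn=groups,cn=accounts,{base_dn}"


def users_in_group_by_mail_filter(email: str, group_cn: str, base_dn: str) -> str:
    """Filter for 'user with this mail address who is a member of this group'.

    Relies on memberOf, which FreeIPA maintains on user entries but only
    returns to suitably privileged (authenticated) binds.
    """
    return "(&(mail={})(memberOf={}))".format(
        escape_filter_value(email),
        escape_filter_value(group_dn(group_cn, base_dn)),
    )


def groups_containing_user_filter(user_dn: str) -> str:
    """Filter for the check Rich suggested, run against the groups container.

    Works even with an anonymous bind because it reads the group's own
    'member' attribute rather than the user's memberOf.
    """
    return "(member={})".format(escape_filter_value(user_dn))


def ldapsearch_argv(base: str, ldap_filter: str, *attrs: str,
                    authenticated: bool = True) -> list:
    """Assemble the ldapsearch argument vector for a base and filter.

    authenticated=True selects the GSSAPI SASL bind (a Kerberos ticket must
    already be held); False selects '-x', the anonymous bind from the thread.
    """
    if not filter_is_balanced(ldap_filter):
        raise ValueError("unbalanced parentheses in filter: " + ldap_filter)
    argv = ["ldapsearch", "-Y", "GSSAPI"] if authenticated else ["ldapsearch", "-x"]
    argv += ["-b", base, ldap_filter, *attrs]
    return argv


if __name__ == "__main__":
    BASE = "dc=example,dc=com"  # constructed sample value
    flt = users_in_group_by_mail_filter("dan@example.com", "usergroup", BASE)
    print(shlex.join(ldapsearch_argv("cn=users,cn=accounts," + BASE, flt, "uid", "mail")))
    print(shlex.join(ldapsearch_argv(
        "cn=groups,cn=accounts," + BASE,
        groups_containing_user_filter("uid=djscott,cn=users,cn=accounts," + BASE),
        "cn", authenticated=False)))
```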
From danieljamesscott at gmail.com Sat Nov 5 13:00:14 2011 From: danieljamesscott at gmail.com (Dan Scott) Date: Sat, 5 Nov 2011 09:00:14 -0400 Subject: [Freeipa-users] LDAP search for email address of user in a particular group In-Reply-To: <4EB4775E.5000904@redhat.com> References: <4EB46399.7040600@redhat.com> <4EB47046.9060407@redhat.com> <4EB4775E.5000904@redhat.com> Message-ID:

On Fri, Nov 4, 2011 at 19:38, Rich Megginson wrote: > On 11/04/2011 05:12 PM, Dan Scott wrote: >> >> On Fri, Nov 4, 2011 at 19:07, Rich Megginson wrote: >>> >>> On 11/04/2011 04:51 PM, Dan Scott wrote: >>>> >>>> Hi, >>>> >>>> On Fri, Nov 4, 2011 at 18:13, Rob Crittenden >>>> wrote: >>>>> >>>>> Dan Scott wrote: >>>>>> >>>>>> Hi, >>>>>> >>>>>> On Fri, Nov 4, 2011 at 17:38, Stephen Ingram >>>>>> wrote: >>>>>>> >>>>>>> On Fri, Nov 4, 2011 at 2:12 PM, Dan Scott >>>>>>> wrote: >>>>>>>> >>>>>>>> ldapsearch -b cn=users,cn=accounts,dc=example,dc=com >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> "(&(mail=${email_address})(memberOf=cn=usergroup,cn=groups,dc=example,dc=com" >>>>>>>> -x >>>>>>>> >>>>>>>> In version 2, it looks like the memberOf attributes have been >>>>>>>> removed >>>>>>>> from the user entries and the user group membership information is >>>>>>>> stored only in the 'member' attribute of the individual group >>>>>>>> entries. >>>>>>>> >>>>>>>> Can someone help me modify the above command so that I can find >>>>>>>> users, >>>>>>>> using their email address, who are also members of a particular >>>>>>>> group? >>>>>>>> Preferably using one command. >>>>>>> >>>>>>> Dan- >>>>>>> >>>>>>> It looks like you are missing the cn=accounts in your filter: >>>>>>> >>>>>>> ldapsearch -b cn=users,cn=accounts,dc=example,dc=com >>>>>>> >>>>>>> >>>>>>> >>>>>>> "(&mail=${email_address})(memberOf=cn=usergroup,cn=groups,cn=accounts,dc=example,dc=com)" >>>>>>> -x ... >>>>>> >>>>>> Thanks for spotting that, it was an error from when I was removing my >>>>>> domain information.
>>>>>> >>>>>> However, the problem remains that the memberOf attributes don't exist >>>>>> in FreeIPA V2, so I need to figure out another way to do the search. >>>>>> >>>>>> Thanks, >>>>>> >>>>>> Dan >>>>> >>>>> memberof should exist. memberof should be calculated on the fly from >>>>> the >>>>> member information. I'm not sure why you aren't seeing it. >>>>> >>>>> You can try this, substituting for your domain: >>>>> >>>>> # /var/lib/dirsrv/scripts-EXAMPLE-COM/fixup-memberof.pl -D >>>>> 'cn=directory >>>>> manager' -w - -b dc=example,dc=com -f "(objectclass=*)" -v >>>>> >>>>> This should rebuild the memberof values. >>>> >>>> Thanks for the tip, but it doesn't seem to be working. I run the >>>> command and get a response. It says: >>>> >>>> adding new entry "cn=memberOf_fixup_2011_11_4_18_46_11, cn=memberOf >>>> task, cn=tasks, cn=config" >>>> modify complete >>>> >>>> But the memberOf attributes don't appear (on either server - I have 2 >>>> servers replicating). >>>> >>>> There are a couple of suspicious errors in the dirsrv log file: >>>> >>>> [04/Nov/2011:18:30:53 -0400] schema-compat-plugin - warning: no >>>> entries set up under cn=ng, cn=compat, dc=example,dc=com >>>> [04/Nov/2011:18:30:53 -0400] schema-compat-plugin - warning: no >>>> entries set up under ou=SUDOers, dc=example,dc=com >>>> [04/Nov/2011:18:30:53 -0400] - Skipping CoS Definition cn=Password >>>> Policy,cn=accounts,dc=example,dc=com--no CoS Templates found, which >>>> should be added before the CoS Definition. >>>> [04/Nov/2011:18:30:53 -0400] - Skipping CoS Definition cn=Password >>>> Policy,cn=accounts,dc=example,dc=com--no CoS Templates found, which >>>> should be added before the CoS Definition. >>>> >>>> The other server contains similar lines and also shows some errors >>>> when I rebooted the first server. But eventually it shows: >>>> >>>> Replication bind with GSSAPI auth resumed >>>> >>>> So I guess it's all OK? >>> >>> I don't see any problems there. 
>>> >>> Do you have objectclass: inetUser in your user entries? >> >> Yep. That attribute exists for all of the users that I checked. > > Find a user that should exist in a group e.g. uid=dscott,...the rest of the > dn... > do a search for the group that should contain that user e.g. > ldapsearch -x dc=example,dc=com '(member=uid=dscott,...the rest of the > dn...)' > > Does it return the group entry? Not with the command as you specified. I need to add a '-b' before the domain. i.e. ldapsearch -x -b dc=example,dc=com '(member=uid=djscott,cn=users,cn=accounts,dc=example,dc=com)' And then it works fine and returns all my groups. Thanks, Dan From sgallagh at redhat.com Mon Nov 7 13:20:05 2011 From: sgallagh at redhat.com (Stephen Gallagher) Date: Mon, 07 Nov 2011 08:20:05 -0500 Subject: [Freeipa-users] LDAP search for email address of user in a particular group In-Reply-To: References: Message-ID: <1320672005.2271.2.camel@sgallagh520.ipa.sgallagh.bos.redhat.com> On Fri, 2011-11-04 at 17:12 -0400, Dan Scott wrote: > Hi, > > I've just migrated a couple of servers from FreeIPA 1.2 to 2.1. I'm > almost done. I just have a few custom LDAP searches to migrate. > > With the old system, I was trying to look users who are in a > particular group by their email address i.e. > > ldapsearch -b cn=users,cn=accounts,dc=example,dc=com > "(&(mail=${email_address})(memberOf=cn=usergroup,cn=groups,dc=example,dc=com" > -x > > In version 2, it looks like the memberOf attributes have been removed > from the user entries and the user group membership information is > stored only in the 'member' attribute of the individual group entries. memberOf exists, but you have to be connecting to LDAP with an authenticated user who has privilege to see the memberOf attribute. I believe (Rob can correct me) this means either an administrator or a host principal. 
So if you try doing (from an enrolled client):

kinit -k -t /etc/krb5.keytab host/@IPAREALM
ldapsearch -Y GSSAPI -b cn=users,cn=accounts,dc=example,dc=com "(&(mail={email_address})(memberOf=cn=usergroup,cn=groups,cn=accounts,dc=example,dc=com))"

You should get results.

From danieljamesscott at gmail.com Mon Nov 7 14:53:37 2011 From: danieljamesscott at gmail.com (Dan Scott) Date: Mon, 7 Nov 2011 09:53:37 -0500 Subject: [Freeipa-users] LDAP search for email address of user in a particular group In-Reply-To: <1320672005.2271.2.camel@sgallagh520.ipa.sgallagh.bos.redhat.com> References: <1320672005.2271.2.camel@sgallagh520.ipa.sgallagh.bos.redhat.com> Message-ID:

On Mon, Nov 7, 2011 at 08:20, Stephen Gallagher wrote: > On Fri, 2011-11-04 at 17:12 -0400, Dan Scott wrote: >> Hi, >> >> I've just migrated a couple of servers from FreeIPA 1.2 to 2.1. I'm >> almost done. I just have a few custom LDAP searches to migrate. >> >> With the old system, I was trying to look up users who are in a >> particular group by their email address i.e. >> >> ldapsearch -b cn=users,cn=accounts,dc=example,dc=com >> "(&(mail=${email_address})(memberOf=cn=usergroup,cn=groups,dc=example,dc=com" >> -x >> >> In version 2, it looks like the memberOf attributes have been removed >> from the user entries and the user group membership information is >> stored only in the 'member' attribute of the individual group entries. > > > memberOf exists, but you have to be connecting to LDAP with an > authenticated user who has privilege to see the memberOf attribute. I > believe (Rob can correct me) this means either an administrator or a > host principal.
> > So if you try doing (from an enrolled client): > > kinit -k -t /etc/krb5.keytab host/@IPAREALM > ldapsearch -Y GSSAPI -b cn=users,cn=accounts,dc=example,dc=com > "(&(mail={email_address})(memberOf=cn=usergroup,cn=groups,cn=accounts,dc=example,dc=com))" > > You should get results. It works! Excellent. Thanks so much. Dan

From jzeleny at redhat.com Tue Nov 8 17:38:08 2011 From: jzeleny at redhat.com (Jan Zelený) Date: Tue, 8 Nov 2011 18:38:08 +0100 Subject: [Freeipa-users] OpenSSH integration - known_hosts Message-ID: <201111081838.13363.jzeleny@redhat.com>

Hello everyone, there is a new effort in the IPA and SSSD teams and that is SSH key integration in both parts of the SSSD-IPA infrastructure. We've put together some basic plans and now we would like to know your opinion. Note that this is just a shortened version to make it easier to read. It doesn't contain every bit of information about the design. For the full version see https://fedorahosted.org/freeipa/wiki/SSH-FreeIPA-Integration

Problems:
=========
* the known_hosts file becomes outdated as machines get new host keys (e.g. re-installed systems in a virtualized environment)
* the user accepts any host key of the remote host without validating its authenticity

Solution:
=========
Instead of checking a stale known_hosts file, provide a dynamic mechanism to look up and deliver the public ssh key of the remote host to the client and use it for validation of the remote host identity. The dynamic mechanism would imply that no action is needed from the user because the source of the retrieved key is trusted.

Limitations:
============
It is out of scope of this work to solve the problem in general. We propose a solution for the following use case:

Client host is a managed host, meaning that it has SSSD installed and it has joined an IPA domain.
It also has OpenSSH patched to interact with SSSD to get the information about the remote host.

Other UNIX machines or Windows machines as SSH clients are out of the scope of the current project. For the client hosts that can not be managed but can access IPA via the standard LDAP tools we will provide documentation on how to construct the content of the known_hosts file by querying the LDAP server and saving the results.

The remote host can be a managed (joined IPA domain via SSSD) or an unmanaged host. The IPA server needs to provide a way to create entries for any managed and unmanaged hosts and store public keys for those hosts in those entries.

What would change in IPA:
=========================
* external hosts would have entries with the possibility of storing their public keys
* new mechanism to work with keys through UI and CLI
* host key fingerprints would be stored in SSHFP DNS records for each host joined to the IPA domain

What would change on the client:
================================
* SSSD would fetch and cache host public keys from IPA
* joining the IPA domain would upload the host public key
* the ssh client would communicate with SSSD, probably through ssh-agent, to check if the remote host is known

It is still a question whether the solution is sufficient to address the needs and pains of real deployments or whether other technologies outside the proposed one should be used later (or instead).

-- Thank you Jan Zeleny Red Hat Software Engineer Brno, Czech Republic
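As an added example (not part of Jan's proposal or of the IPA/SSSD code), here is the SSHFP record the proposal would publish in DNS, built from an OpenSSH public key line per RFC 4255 with the SHA-256 fingerprint type from RFC 6594 and the Ed25519 algorithm number from RFC 7479, together with the check a client would run against the key a remote host presents. The host key at the bottom is a constructed dummy blob, not a real key.

```python
"""SSHFP records (RFC 4255, 6594, 7479) from OpenSSH public key lines.

Added example, not code from the proposal or from IPA/SSSD. The host key
used at the bottom is a constructed dummy blob, not a real key.
"""
import base64
import hashlib
import hmac
import struct
from typing import Iterable, NamedTuple

# SSHFP algorithm numbers for the key types OpenSSH writes.
_ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# SSHFP fingerprint types.
FP_SHA1, FP_SHA256 = 1, 2


class Sshfp(NamedTuple):
    algorithm: int
    fp_type: int
    fingerprint: str  # hex digest of the raw key blob


def decode_public_key(line: str):
    """Parse 'type base64 [comment]' and return (type, raw key blob).

    The blob itself starts with the key type as an RFC 4253 string
    (uint32 length + bytes), so the textual prefix is checked against it.
    """
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    key_type, blob = fields[0], base64.b64decode(fields[1], validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode("ascii"):
        raise ValueError("key type prefix does not match the encoded blob")
    return key_type, blob


def sshfp_record(line: str, fp_type: int = FP_SHA256) -> Sshfp:
    """Fingerprint the raw blob (not the base64 text), as SSHFP requires."""
    key_type, blob = decode_public_key(line)
    if key_type not in _ALGORITHMS:
        raise ValueError("no SSHFP algorithm number for " + key_type)
    digest = hashlib.sha256 if fp_type == FP_SHA256 else hashlib.sha1
    return Sshfp(_ALGORITHMS[key_type], fp_type, digest(blob).hexdigest())


def zone_line(owner: str, rec: Sshfp) -> str:
    """Presentation format of the record, as it would appear in a zone file."""
    return f"{owner} IN SSHFP {rec.algorithm} {rec.fp_type} {rec.fingerprint}"


def host_key_matches(line: str, records: Iterable[Sshfp]) -> bool:
    """Client-side check of a presented host key against published records.

    Records for other algorithms are skipped; each remaining record is
    compared against a fingerprint of the same type, in constant time.
    The records must come from a trusted source (DNSSEC-validated DNS, or
    IPA via SSSD as the proposal describes) for a match to mean anything.
    """
    key_type, _ = decode_public_key(line)
    for rec in records:
        if rec.algorithm != _ALGORITHMS.get(key_type):
            continue
        computed = sshfp_record(line, rec.fp_type)
        if hmac.compare_digest(computed.fingerprint, rec.fingerprint.lower()):
            return True
    return False


def dummy_key_line(key_type: str, payload: bytes, comment: str = "") -> str:
    """Construct a syntactically valid public key line for testing only."""
    blob = (struct.pack(">I", len(key_type)) + key_type.encode("ascii")
            + struct.pack(">I", len(payload)) + payload)
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}".strip()


if __name__ == "__main__":
    # Constructed dummy key: the 32-byte payload is not a real Ed25519 point.
    key = dummy_key_line("ssh-ed25519", bytes(range(32)), "root@host1")
    record = sshfp_record(key)
    print(zone_line("host1.example.com.", record))
    print("presented key matches published record:", host_key_matches(key, [record]))
```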
From jzeleny at redhat.com Tue Nov 8 17:39:27 2011 From: jzeleny at redhat.com (Jan Zelený) Date: Tue, 8 Nov 2011 18:39:27 +0100 Subject: [Freeipa-users] OpenSSH integration - authorized_keys Message-ID: <201111081839.27385.jzeleny@redhat.com>

Hello everyone, this is a follow-up on the email on OpenSSH integration - known_hosts. It describes another scenario we want to address in the process of integrating OpenSSH into the SSSD-IPA infrastructure - user public keys and their central management. As in the previous email, we would also like to know your opinion. Note that this is just a shortened version to make it easier to read. It doesn't contain every bit of information about the design. For the full version see https://fedorahosted.org/freeipa/wiki/SSH-FreeIPA-Integration

Problems:
=========
* how to distribute keys for new users / regenerated keys through the domain. The authorized_keys file is probably not an option; we also want to cover the use case when home directories are remote and not mounted on the server.
* a user may want to log on to the remote server using a different account. We need to determine if he is allowed to impersonate that account

Solution:
=========
Similarly to openssh-lpk, the solution is to centrally manage and store user public keys in the IPA server and deliver them to the host for validation when the user accesses that host. In the central server provide a way to define which account can do impersonation of which other accounts. Optionally add a way to represent special service accounts that are not full user accounts but can be logged in to via ssh (stretch goal).

What would change on IPA:
=========================
* user entry will have an additional multi-valued attribute for storing public keys. Unlike in openssh-lpk, this attribute will store what keys the user has, not who can impersonate him.
* user entry would also have a multi-valued attribute containing DNs of users he can impersonate
* new mechanisms to work with account public keys and impersonation via UI and CLI
* HBAC rules would be extended to cover impersonation
* provide an LDAP control to get a list of ssh keys that correspond to accounts that can impersonate a particular account in one operation.

On the client side:
===================
* SSSD would fetch (and cache?) user public keys from IPA
* new SSSD client would fetch user public keys from SSSD
* use the SSH agent feature to get the user public key from the output of the SSSD client

-- Thank you Jan Zeleny Red Hat Software Engineer Brno, Czech Republic

From danieljamesscott at gmail.com Tue Nov 8 19:56:45 2011 From: danieljamesscott at gmail.com (Dan Scott) Date: Tue, 8 Nov 2011 14:56:45 -0500 Subject: [Freeipa-users] OpenSSH integration - known_hosts In-Reply-To: <201111081838.13363.jzeleny@redhat.com> References: <201111081838.13363.jzeleny@redhat.com> Message-ID:

Hi, This is a great feature. It feels like I'm always re-installing VMs and having to remove old SSH keys and re-accept new ones. One feature I'd like is to have this working cross-realm. We have 2 IPA realms here and it would be great if I could configure SSSD to check the local realm if I'm SSHing to a local PC and to check the other IPA server(s) if my SSH target is part of the other realm. Even better if it could do this without explicit configuration. Do you think it would be possible to do this securely? Dan

On Tue, Nov 8, 2011 at 12:38, Jan Zelený wrote: > Hello everyone, > there is a new effort in IPA and SSSD teams and that is SSH key integration in > both parts of SSSD-IPA infrastructure. We've put together some basic plans and > now we would like to know your opinion.
> > Note that this is just shortened version to make it easier to read. It doesn't > contain every bit of information about the design. For full version see > https://fedorahosted.org/freeipa/wiki/SSH-FreeIPA-Integration > > Problems: > ========= > * the known_hosts file becomes outdated as machines get new host keys (e.g. re- > installed systems in virtualized environment) > * the user accepts any host key of the remote host without validating its > authenticity > > > Solution: > ========= > Instead of checking stale known_hosts file, provide a dynamic mechanism to > lookup and deliver the public ssh key of the remote host to the client and use > it for validation of the remote host identity. The dynamic mechanism would > imply that no action is needed from the user because the source of the > retrieved key is trusted. > > > Limitations: > ============ > It is out of scope of this work to solve the problem in general. We propose a > solution for following use case: > > Client host is a managed host meaning that it has SSSD installed and it is > joined an IPA domain. It also has OpenSSH patched to interact with SSSD to get > the information about the remote host > > Other UNIX machines or Windows machines as SSH clients are out of the scope of > the current project. For the client hosts that can not be managed but can > access IPA via the standard LDAP tools we will provide documentation on how to > construct the content of the known_hosts file by querying LDAP server and > saving the results. > > The remote host can be a managed (joined IPA domain via SSSD) or an unmanaged > host. IPA server needs to provide a way to create entries for any managed and > unmanaged hosts and store public keys for those hosts in that entries. 
> > What would change in IPA: > ========================= > * external host would have entries with the possibility of storing their > public keys > * new mechanism to work with keys through UI and CLI > * host key fingerprints would be stored in SSHFP DNS records for each host > joined in IPA domain > > What would change on the client: > ================================ > * SSSD would fetch and cache host public keys from IPA > * joining to IPA domain would upload host public key > * ssh client would communicate with SSSD, probably through ssh-agent, to check > if the remote host is known > > It is still a question whether the solution is sufficient enough to address the > needs and pains of the real deployments or other technologies outside the > proposed should be used later (or instead). > > -- > Thank you > Jan Zeleny > > Red Hat Software Engineer > Brno, Czech Republic > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users >

From dpal at redhat.com Tue Nov 8 22:50:42 2011 From: dpal at redhat.com (Dmitri Pal) Date: Tue, 08 Nov 2011 17:50:42 -0500 Subject: [Freeipa-users] [Freeipa-interest] Is it ready? In-Reply-To: References: Message-ID: <4EB9B242.5000800@redhat.com>

On 11/08/2011 04:16 PM, Griffing, Thomas (Tom) wrote: > Hello; > > I am a consultant for Verizon and have been tasked with determining the best technology for centralizing authentication for Red Hat servers to the Microsoft AD servers. I have looked at IPA and the JBoss presentation reads well, but I'd like to know if IPA is ready for use in the corporate environment. > > If it is ready, what is the best distribution for hosting IPA? RHEL 6.1, RHEL 6.2b, Fedora, ??? > > Looking forward to your reply.
> > Thomas Griffing > > > Verizon Proprietary > NOTICE - This message and any attached files may contain information that is confidential and/or subject of legal privilege intended only for the use by the intended recipient. If you are not the intended recipient or the person responsible for delivering the message to the intended recipient, be advised that you have received this message in error and that any dissemination, copying or use of this message or attachment is strictly forbidden, as is the disclosure of the information therein. If you have received this message in error please notify the sender immediately and delete the message

Hello, The best place for such questions is the freeipa-users list. You can try IPA in Fedora. If you want a supported version then it is coming out as a part of RHEL6.2 later _*this*_ year. It is currently a part of the RHEL6.2 beta so you can give it a try. -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/

From dpal at redhat.com Tue Nov 8 22:57:20 2011 From: dpal at redhat.com (Dmitri Pal) Date: Tue, 08 Nov 2011 17:57:20 -0500 Subject: [Freeipa-users] [Freeipa-devel] OpenSSH integration - known_hosts In-Reply-To: References: <201111081838.13363.jzeleny@redhat.com> Message-ID: <4EB9B3D0.9080904@redhat.com>

On 11/08/2011 02:56 PM, Dan Scott wrote: > Hi, > > This is a great feature. It feels like I'm always re-installing VMs > and having to remove old SSH keys and re-accept new ones. > > One feature I'd like is to have this working cross-realm. We have 2 > IPA realms here and it would be great if I could configure SSSD to > check the local realm if I'm SSHing to a local PC and to check the > other IPA server(s) if my SSH target is part of the other realm. Even > better if it could do this without explicit configuration.
> > Do you think it would be possible to do this securely? When we start to support Cross Realm Kerberos Trusts for IPA to IPA I think this would be doable but then I do not think the ssh host keys will be used (needed). Simo, am I correct? > Dan > > On Tue, Nov 8, 2011 at 12:38, Jan Zelený wrote: >> Hello everyone, >> there is a new effort in IPA and SSSD teams and that is SSH key integration in >> both parts of SSSD-IPA infrastructure. We've put together some basic plans and >> now we would like to know your opinion. >> >> Note that this is just shortened version to make it easier to read. It doesn't >> contain every bit of information about the design. For full version see >> https://fedorahosted.org/freeipa/wiki/SSH-FreeIPA-Integration >> >> Problems: >> ========= >> * the known_hosts file becomes outdated as machines get new host keys (e.g. re- >> installed systems in virtualized environment) >> * the user accepts any host key of the remote host without validating its >> authenticity >> >> >> Solution: >> ========= >> Instead of checking stale known_hosts file, provide a dynamic mechanism to >> lookup and deliver the public ssh key of the remote host to the client and use >> it for validation of the remote host identity. The dynamic mechanism would >> imply that no action is needed from the user because the source of the >> retrieved key is trusted. >> >> >> Limitations: >> ============ >> It is out of scope of this work to solve the problem in general. We propose a >> solution for following use case: >> >> Client host is a managed host meaning that it has SSSD installed and it is >> joined an IPA domain. It also has OpenSSH patched to interact with SSSD to get >> the information about the remote host >> >> Other UNIX machines or Windows machines as SSH clients are out of the scope of >> the current project.
For the client hosts that can not be managed but can >> access IPA via the standard LDAP tools we will provide documentation on how to >> construct the content of the known_hosts file by querying LDAP server and >> saving the results. >> >> The remote host can be a managed (joined IPA domain via SSSD) or an unmanaged >> host. IPA server needs to provide a way to create entries for any managed and >> unmanaged hosts and store public keys for those hosts in that entries. >> >> What would change in IPA: >> ========================= >> * external host would have entries with the possibility of storing their >> public keys >> * new mechanism to work with keys through UI and CLI >> * host key fingerprints would be stored in SSHFP DNS records for each host >> joined in IPA domain >> >> What would change on the client: >> ================================ >> * SSSD would fetch and cache host public keys from IPA >> * joining to IPA domain would upload host public key >> * ssh client would communicate with SSSD, probably through ssh-agent, to check >> if the remote host is known >> >> It is still a question whether the solution is sufficient enough to address the >> needs and pains of the real deployments or other technologies outside the >> proposed should be used later (or instead). >> >> -- >> Thank you >> Jan Zeleny >> >> Red Hat Software Engineer >> Brno, Czech Republic >> >> _______________________________________________ >> Freeipa-users mailing list >> Freeipa-users at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-users >> > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? 
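The two client-side artifacts the design post above talks about, known_hosts entries built from host keys fetched out of IPA and SSHFP DNS records carrying the host key fingerprints, as an added illustration that is not part of this thread or of the FreeIPA project's code. The host inventory, key fixtures and function names are my own assumptions; the SSHFP numbering (RFC 4255, 6594, 7479) is standard.

```python
import base64
import hashlib
import hmac
import struct

# SSHFP algorithm numbers by OpenSSH key type
# (RFC 4255: RSA=1, DSA=2; RFC 6594: ECDSA=3; RFC 7479: Ed25519=4).
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# SSHFP fingerprint types: 1 = SHA-1 (RFC 4255), 2 = SHA-256 (RFC 6594).
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}


def parse_pubkey(line):
    """Split an OpenSSH public key line ("type base64 [comment]") into
    (key_type, raw_blob), rejecting a blob that disagrees with its type."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    key_type, b64 = fields[0], fields[1]
    if key_type not in SSHFP_ALGORITHM:
        raise ValueError("unsupported key type: " + key_type)
    blob = base64.b64decode(b64, validate=True)  # binascii.Error is a ValueError
    # The wire blob starts with a length-prefixed string naming the key type;
    # a mismatch means the fetched line was corrupted or edited.
    if len(blob) < 4:
        raise ValueError("truncated key blob")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key blob type does not match declared type")
    return key_type, blob


def is_valid_pubkey_line(line):
    """Boolean wrapper around parse_pubkey, for filtering a batch of fetched keys."""
    try:
        parse_pubkey(line)
        return True
    except ValueError:
        return False


def sshfp_records(hostname, pubkey_line, fp_types=(1, 2)):
    """Zone-file SSHFP records for one host key, one per fingerprint type.
    The fingerprint is the hash of the raw key blob, not of the base64 text."""
    key_type, blob = parse_pubkey(pubkey_line)
    alg = SSHFP_ALGORITHM[key_type]
    return [f"{hostname}. IN SSHFP {alg} {t} {SSHFP_HASH[t](blob).hexdigest()}"
            for t in fp_types]


def parse_sshfp_record(record):
    """Turn "name. IN SSHFP alg type hex" back into (alg, type, hex)."""
    fields = record.split()
    i = fields.index("SSHFP")
    return int(fields[i + 1]), int(fields[i + 2]), fields[i + 3].lower()


def known_hosts_lines(host_keys):
    """Build known_hosts lines from {hostname: [pubkey_line, ...]}; the
    hostname field may already carry comma-separated aliases or addresses."""
    lines = []
    for host, keys in sorted(host_keys.items()):
        for line in keys:
            key_type, blob = parse_pubkey(line)
            # Re-encode the parsed blob so any trailing comment is dropped.
            lines.append(f"{host} {key_type} {base64.b64encode(blob).decode()}")
    return lines


def sshfp_matches(pubkey_line, records):
    """True when the key a server presented matches any SSHFP record for it.
    Records come from DNS, so they only carry trust when DNSSEC-validated."""
    key_type, blob = parse_pubkey(pubkey_line)
    alg = SSHFP_ALGORITHM[key_type]
    for r_alg, r_type, r_fp in records:
        if r_alg != alg or r_type not in SSHFP_HASH:
            continue
        digest = SSHFP_HASH[r_type](blob).hexdigest()
        if hmac.compare_digest(digest, r_fp):
            return True
    return False


def constructed_ed25519_line(seed, comment="constructed"):
    """Constructed fixture: a well-formed ssh-ed25519 public key line whose
    32-byte key is derived from a seed (not a real key pair)."""
    key = hashlib.sha256(seed).digest()
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + key
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"
```

A constructed inventory such as `{"vm1.ipa.example.test,10.0.0.11": [constructed_ed25519_line(b"vm1")]}` stands in for the host entries SSSD or an LDAP query would fetch; `known_hosts_lines` turns it into the file content and `sshfp_records` into the DNS records the design proposes.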
From simo at redhat.com Tue Nov 8 23:35:10 2011
From: simo at redhat.com (Simo Sorce)
Date: Tue, 08 Nov 2011 18:35:10 -0500
Subject: [Freeipa-users] [Freeipa-devel] OpenSSH integration - known_hosts
In-Reply-To: <4EB9B3D0.9080904@redhat.com>
References: <201111081838.13363.jzeleny@redhat.com> <4EB9B3D0.9080904@redhat.com>
Message-ID: <1320795310.7734.853.camel@willson.li.ssimo.org>

On Tue, 2011-11-08 at 17:57 -0500, Dmitri Pal wrote:
> On 11/08/2011 02:56 PM, Dan Scott wrote:
> > Hi,
> >
> > This is a great feature. It feels like I'm always re-installing VMs and having to remove old SSH keys and re-accept new ones.
> >
> > One feature I'd like is to have this working cross-realm. We have 2 IPA realms here and it would be great if I could configure SSSD to check the local realm if I'm SSHing to a local PC and to check the other IPA server(s) if my SSH target is part of the other realm. Even better if it could do this without explicit configuration.
> >
> > Do you think it would be possible to do this securely?
>
> When we start to support Cross Realm Kerberos Trusts for IPA to IPA I think this would be doable but then I do not think the ssh host keys will be used (needed). Simo, am I correct?

We do not have the GSSAPI key exchange patches in OpenSSH. With those the ssh host key is not necessary when using GSSAPI auth, even in the same realm.

But when you want to use ssh host keys, a cross-realm kerberos trust is not going to help.

In order to validate keys from different realms I guess we could use DNSSEC, where the signatures of one realm are trusted by the other. Then, by storing ssh host keys as DNS fields, a different domain could still trust those keys. This works only for enrolled hosts though, I guess. Or at least only for hosts in DNS domains that are controlled by IPA. For hosts in other DNS domains we cannot distribute keys through DNS.
If that is necessary then we would have to define some sort of protocol to allow fetching of keys from one domain to the other.
We could use a mechanism similar to what we will need to implement for sid2name resolution for windows domain trusts, where the IPA server becomes a proxy to request host keys from other domains.

Bottom line, we can come up with something but it is not scoped yet. And it needs some more thinking so that we put in place something that scales well.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From dpal at redhat.com Tue Nov 8 23:46:19 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Tue, 08 Nov 2011 18:46:19 -0500
Subject: [Freeipa-users] [Freeipa-devel] OpenSSH integration - known_hosts
In-Reply-To: <1320795310.7734.853.camel@willson.li.ssimo.org>
References: <201111081838.13363.jzeleny@redhat.com> <4EB9B3D0.9080904@redhat.com> <1320795310.7734.853.camel@willson.li.ssimo.org>
Message-ID: <4EB9BF4B.3050604@redhat.com>

On 11/08/2011 06:35 PM, Simo Sorce wrote:
> On Tue, 2011-11-08 at 17:57 -0500, Dmitri Pal wrote:
>> On 11/08/2011 02:56 PM, Dan Scott wrote:
>>> Hi,
>>>
>>> This is a great feature. It feels like I'm always re-installing VMs and having to remove old SSH keys and re-accept new ones.
>>>
>>> One feature I'd like is to have this working cross-realm. We have 2 IPA realms here and it would be great if I could configure SSSD to check the local realm if I'm SSHing to a local PC and to check the other IPA server(s) if my SSH target is part of the other realm. Even better if it could do this without explicit configuration.
>>>
>>> Do you think it would be possible to do this securely?
>> When we start to support Cross Realm Kerberos Trusts for IPA to IPA I think this would be doable but then I do not think the ssh host keys will be used (needed). Simo, am I correct?
> We do not have the GSSAPI key exchange patches in OpenSSH. With those the ssh host key is not necessary when using GSSAPI auth, even in the same realm.
>
> But when you want to use ssh host keys, across realm kerberos trust is not going to help.
>
> In order to validate keys from different realms I guess we could use DNSSEC where the signatures of one realm are trusted by the other. Then by storing ssh host keys as DNS fields a different domain could still trust those keys. This works only for enrolled hosts though, I guess. Or at least only for hosts in DNS domains that are controlled by IPA. For hosts in other DNS domains we cannot distribute keys through DNS.
> If that is necessary then we would have to define some sort of protocol to allow fetching of keys from one domain to the other.
> We could use a mechanism similar to what we will need to implement for sid2name resolution for windows domain trusts. Where the IPA server becomes a proxy to request host keys from other domains.
>
> Bottom line, we can come up with something but it is not scoped yet. And needs some more thinking so that we put in place something that scales well.
>
> Simo.
>
Ok: https://fedorahosted.org/freeipa/ticket/2081

-- 
Thank you,
Dmitri Pal
From dpal at redhat.com Wed Nov 9 00:24:58 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Tue, 08 Nov 2011 19:24:58 -0500
Subject: [Freeipa-users] Freeipa-users] Overall Design of Policy Related Components
In-Reply-To: <1320243966.2336.84.camel@ratbert.evn.harris.com>
References: <1320167059.2336.47.camel@ratbert.evn.harris.com> <4EB09561.30708@redhat.com> <1320243966.2336.84.camel@ratbert.evn.harris.com>
Message-ID: <4EB9C85A.8010003@redhat.com>

On 11/02/2011 10:26 AM, Rodney Mercer wrote:
> On Tue, 2011-11-01 at 20:57 -0400, Dmitri Pal wrote:
>> On 11/01/2011 01:04 PM, Rodney Mercer wrote:
>>> On Tue, 2011-11-01 at 12:00 -0400, freeipa-users-request at redhat.com wrote:
>>>> On 10/31/2011 05:20 PM, Rodney Mercer wrote:
>>>>> We have previously developed Solaris RBAC authorization within our application to validate users and roles to our application's internal commanding capability using the definitions that populate the name service switch maps.
>>>>>
>>>>> I have been searching for a method for implementing similar capability using RHEL and had found promise with the following proposed documentation for IPAv2:
>>>> We decided to back away from trying to provide central RBAC. Our experience with multiple projects revealed that there is no one size fits all solution regarding RBAC. But we were talking about a general Role based access control model, not specific RBAC as Solaris implemented it.
>>>> The Solaris RBAC is similar to sudo and HBAC combined together. Both features are managed by IPA.
>>>> We also have SELinux policies on Linux that can constrain the root access. The user SELinux roles management is on the roadmap but HBAC + SUDO should give you the equivalent if not more functionality than Solaris RBAC.
>>>> http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/index.html
>>>>
>>>> Or you can use RHEL6.2 beta and see the docs about SUDO and HBAC there.
>>> The RBAC structure that I speak of is contained within our application. Being able to have IPA clients request the XML blob of role mappings to internal application commanding authorizations is what I was looking for.
>>>
>>> Is it possible to create IPA Roles that mean nothing to IPA yet our independent application could query and use them with its internal security mechanisms?
>>>
>>> Could extending the dirsrv schema to include attributes to be accessed for the security of the independent application be created to work in conjunction with these custom defined roles?
>>>
>>> Having the IPA Server available to all hosts that run the application is what we desire. We use *_attr Name Service Switch maps to access these roles and attributes from our Solaris implementation.
>>>
>>> Unless I am mistaken, HBAC might give us options as to whom may run our applications on particular hosts, but it would not help in defining who could run the internal application directives that we seek to map to users roles.
>>> Sudo doesn't help for the internal commanding our application desires to control.
>>>
>>> Thanks for any ideas you can lend.
>>>
>>> Regards,
>>> Rodney.
>>>
>> Rodney,
>>
>> I have read other responses too but reply to your clarification. It now makes more sense.
>>
>> I think that the best approach would be to store this data in the special part of the tree and develop plugins to manage it.
>> Would you be interested in investing in such an effort?
>> If so I would go dig some of the designs and ideas and share them with you and everybody else. I think they were abandoned before shaping up well enough to have a discussion on the list.
>> I think we proposed some schema for storing Roles and related XML blobs.
>> We are also working on the extensibility guide so it will be a perfect opportunity to test it out.
>>
>> What do you think?
>>
> Dmitri,
>
> I have been searching for some time for an elegant solution to our problem of porting this application RBAC configuration to RHEL from the proprietary Solaris platform solution that we currently have.
>
> I think that this is something that would benefit others that currently employ Solaris *_attr NSS maps for roles to migrate to an RHEL IPA solution.
>
> That said, I will need to have our management assign a developer to this effort. I think that is important to them as the requirements to implement application RBAC to our product on RHEL is imminent.
>
> I also think that employing IPA as a solution for our application running on other POSIX operating systems to take advantage of this proposed schema would be advantageous to us and others.
>
> I will respond to you as to resources as soon as I know more.
>
Hello,

Is there any update on this?

Anyways please find attached two PDF files.
It is enough to read the first several pages of the overall design to get the idea of what we wanted to do.
The actual data store design is in the second document.

Also in addition to that a guide on how to extend IPA is brewing and soon will see the light of day (at least a draft).
That should have enough information to:
1) Understand the design
2) Plan the effort
3) Implement it the right way.

Patches welcome!

-- 
Thank you,
Dmitri Pal

Attachment: Overall design.pdf (application/pdf, 415294 bytes)
Attachment: DS Design summary for policies.pdf (application/pdf, 265592 bytes)

From danieljamesscott at gmail.com Wed Nov 9 01:45:29 2011
From: danieljamesscott at gmail.com (Dan Scott)
Date: Tue, 8 Nov 2011 20:45:29 -0500
Subject: [Freeipa-users] [Freeipa-devel] OpenSSH integration - known_hosts
In-Reply-To: <1320795310.7734.853.camel@willson.li.ssimo.org>
References: <201111081838.13363.jzeleny@redhat.com> <4EB9B3D0.9080904@redhat.com> <1320795310.7734.853.camel@willson.li.ssimo.org>

Hi,

On Tue, Nov 8, 2011 at 18:35, Simo Sorce wrote:
> On Tue, 2011-11-08 at 17:57 -0500, Dmitri Pal wrote:
>> On 11/08/2011 02:56 PM, Dan Scott wrote:
>> > Hi,
>> >
>> > This is a great feature. It feels like I'm always re-installing VMs and having to remove old SSH keys and re-accept new ones.
>> >
>> > One feature I'd like is to have this working cross-realm. We have 2 IPA realms here and it would be great if I could configure SSSD to check the local realm if I'm SSHing to a local PC and to check the other IPA server(s) if my SSH target is part of the other realm. Even better if it could do this without explicit configuration.
>> >
>> > Do you think it would be possible to do this securely?
>>
>> When we start to support Cross Realm Kerberos Trusts for IPA to IPA I think this would be doable but then I do not think the ssh host keys will be used (needed). Simo, am I correct?
>
> We do not have the GSSAPI key exchange patches in OpenSSH. With those the ssh host key is not necessary when using GSSAPI auth, even in the same realm.
>
> But when you want to use ssh host keys, across realm kerberos trust is not going to help.

I don't quite understand this. What trust is required, other than the cross-realm authentication of kerberos tickets? Surely each realm would manage its own host keys.
All I'm looking for is an authenticated cross-realm key lookup so that my client can pre-cache entries in the known_hosts file. Wouldn't this just be an LDAP lookup?

Dan

From simo at redhat.com Wed Nov 9 13:55:28 2011
From: simo at redhat.com (Simo Sorce)
Date: Wed, 09 Nov 2011 08:55:28 -0500
Subject: [Freeipa-users] [Freeipa-devel] OpenSSH integration - known_hosts
References: <201111081838.13363.jzeleny@redhat.com> <4EB9B3D0.9080904@redhat.com> <1320795310.7734.853.camel@willson.li.ssimo.org>
Message-ID: <1320846928.7734.859.camel@willson.li.ssimo.org>

On Tue, 2011-11-08 at 20:45 -0500, Dan Scott wrote:
> Hi,
>
> On Tue, Nov 8, 2011 at 18:35, Simo Sorce wrote:
> > On Tue, 2011-11-08 at 17:57 -0500, Dmitri Pal wrote:
> >> On 11/08/2011 02:56 PM, Dan Scott wrote:
> >> > Hi,
> >> >
> >> > This is a great feature. It feels like I'm always re-installing VMs and having to remove old SSH keys and re-accept new ones.
> >> >
> >> > One feature I'd like is to have this working cross-realm. We have 2 IPA realms here and it would be great if I could configure SSSD to check the local realm if I'm SSHing to a local PC and to check the other IPA server(s) if my SSH target is part of the other realm. Even better if it could do this without explicit configuration.
> >> >
> >> > Do you think it would be possible to do this securely?
> >>
> >> When we start to support Cross Realm Kerberos Trusts for IPA to IPA I think this would be doable but then I do not think the ssh host keys will be used (needed). Simo, am I correct?
> >
> > We do not have the GSSAPI key exchange patches in OpenSSH. With those the ssh host key is not necessary when using GSSAPI auth, even in the same realm.
> >
> > But when you want to use ssh host keys, across realm kerberos trust is not going to help.
>
> I don't quite understand this. What trust is required, other than the cross-realm authentication of kerberos tickets?
> Surely each realm would manage its own host keys. All I'm looking for is an authenticated cross-realm key lookup so that my client can pre-cache entries in the known_hosts file. Wouldn't this just be an LDAP lookup?

Well, in 2-way trusts you could do that. But in general you do not want to have any client in realm1 contact any server in realm2. They might be geographically very far and use high latency/low bandwidth links.

So, for a first implementation, we could do what you say, but I would rather think it through and see how to cache/transfer information making clients go through their IPA server rather than trying to connect directly to a remote one.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From dpal at redhat.com Wed Nov 9 15:24:52 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 09 Nov 2011 10:24:52 -0500
Subject: [Freeipa-users] [Freeipa-interest] Is it ready?
In-Reply-To: <4EB9B338.1060104@redhat.com>
References: <4EB9B338.1060104@redhat.com>
Message-ID: <4EBA9B44.20703@redhat.com>

Please continue this discussion on the freeipa-users list.

On 11/08/2011 05:54 PM, Adam Young wrote:
> On 11/08/2011 04:16 PM, Griffing, Thomas (Tom) wrote:
>> Hello;
>>
>> I am a consultant for Verizon and have been tasked with determining the best technology for centralizing authentication for Red Hat servers to the Microsoft AD servers. I have looked at IPA and the JBoss presentation reads well, but I'd like to know if IPA is ready for use in the corporate environment.
>>
>> If it is ready, what is the best distribution for hosting IPA? RHEL 6.1, RHEL 6.2b, Fedora, ???
>>
>
> It is ready, and GA with Red Hat 6.2. I would suggest RHEL, due to the need for quick application of security updates on something as sensitive as the Identity Management server.
>
> If you wish to test it out, I can recommend the Fedora 15 branch as being quite stable. I've only recently started working with a Fedora 16 install, so I can't personally vouch for that yet.
>
>> Looking forward to your reply.
>>
>> Thomas Griffing

-- 
Thank you,
Dmitri Pal
From rmercer at harris.com Wed Nov 9 16:30:49 2011
From: rmercer at harris.com (Rodney Mercer)
Date: Wed, 9 Nov 2011 11:30:49 -0500
Subject: [Freeipa-users] Freeipa-users] Overall Design of Policy Related Components
In-Reply-To: <4EB9C85A.8010003@redhat.com>
References: <1320167059.2336.47.camel@ratbert.evn.harris.com> <4EB09561.30708@redhat.com> <1320243966.2336.84.camel@ratbert.evn.harris.com> <4EB9C85A.8010003@redhat.com>
Message-ID: <1320856249.2008.56.camel@ratbert.evn.harris.com>

On Tue, 2011-11-08 at 19:24 -0500, Dmitri Pal wrote:
> On 11/02/2011 10:26 AM, Rodney Mercer wrote:
> > On Tue, 2011-11-01 at 20:57 -0400, Dmitri Pal wrote:
> >> On 11/01/2011 01:04 PM, Rodney Mercer wrote:
> >>> On Tue, 2011-11-01 at 12:00 -0400, freeipa-users-request at redhat.com wrote:
> >>>> On 10/31/2011 05:20 PM, Rodney Mercer wrote:
> >>>>> We have previously developed Solaris RBAC authorization within our application to validate users and roles to our application's internal commanding capability using the definitions that populate the name service switch maps.
> >>>>>
> >>>>> I have been searching for a method for implementing similar capability using RHEL and had found promise with the following proposed documentation for IPAv2:
> >>>> We decided to back away from trying to provide central RBAC. Our experience with multiple projects revealed that there is no one size fits all solution regarding RBAC. But we were talking about a general Role based access control model, not specific RBAC as Solaris implemented it.
> >>>> The Solaris RBAC is similar to sudo and HBAC combined together. Both features are managed by IPA.
> >>>> We also have SELinux policies on Linux that can constrain the root access. The user SELinux roles management is on the roadmap but HBAC + SUDO should give you the equivalent if not more functionality than Solaris RBAC.
> >>>> http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/index.html
> >>>>
> >>>> Or you can use RHEL6.2 beta and see the docs about SUDO and HBAC there.
> >>> The RBAC structure that I speak of is contained within our application. Being able to have IPA clients request the XML blob of role mappings to internal application commanding authorizations is what I was looking for.
> >>>
> >>> Is it possible to create IPA Roles that mean nothing to IPA yet our independent application could query and use them with its internal security mechanisms?
> >>>
> >>> Could extending the dirsrv schema to include attributes to be accessed for the security of the independent application be created to work in conjunction with these custom defined roles?
> >>>
> >>> Having the IPA Server available to all hosts that run the application is what we desire. We use *_attr Name Service Switch maps to access these roles and attributes from our Solaris implementation.
> >>>
> >>> Unless I am mistaken, HBAC might give us options as to whom may run our applications on particular hosts, but it would not help in defining who could run the internal application directives that we seek to map to users roles.
> >>> Sudo doesn't help for the internal commanding our application desires to control.
> >>>
> >>> Thanks for any ideas you can lend.
> >>>
> >>> Regards,
> >>> Rodney.
> >>>
> >> Rodney,
> >>
> >> I have read other responses too but reply to your clarification. It now makes more sense.
> >>
> >> I think that the best approach would be to store this data in the special part of the tree and develop plugins to manage it.
> >> Would you be interested in investing in such an effort?
> >> If so I would go dig some of the designs and ideas and share them with you and everybody else. I think they were abandoned before shaping up well enough to have a discussion on the list.
> >> I think we proposed some schema for storing Roles and related XML blobs.
> >> We are also working on the extensibility guide so it will be a perfect opportunity to test it out.
> >>
> >> What do you think?
> >>
> > Dmitri,
> >
> > I have been searching for some time for an elegant solution to our problem of porting this application RBAC configuration to RHEL from the proprietary Solaris platform solution that we currently have.
> >
> > I think that this is something that would benefit others that currently employ Solaris *_attr NSS maps for roles to migrate to an RHEL IPA solution.
> >
> > That said, I will need to have our management assign a developer to this effort. I think that is important to them as the requirements to implement application RBAC to our product on RHEL is imminent.
> >
> > I also think that employing IPA as a solution for our application running on other POSIX operating systems to take advantage of this proposed schema would be advantageous to us and others.
> >
> > I will respond to you as to resources as soon as I know more.
> >
> Hello,
>
> Is there any update on this?
>
> Anyways please find attached two PDF files.
> It is enough to read the first several pages of the overall design to get the idea of what we wanted to do.
> The actual data store design is in the second document.
>
> Also in addition to that a guide on how to extend IPA is brewing and soon will see the light of day (at least a draft).
> That should have enough information to:
> 1) Understand the design
> 2) Plan the effort
> 3) Implement it the right way.
>
> Patches welcome!
>
Dmitri,

Thank you for the documentation. I am drumming up support for the effort within our organization. At this time the interest appears to be there but resources are scarce. I believe that we may still be able to go forward as one of our customers desires these capabilities down the road, possibly as early as Spring 2012.
I have one question: If there is a relatively quick implementation within FreeIPA, what is the typical timeline for the functionality to get moved into RHEL?

I am passing along the design docs that you forwarded to me to the engineers and management that support the project. I hope to hear back soon as to their interest.

Please keep us informed as to the availability of the extensibility guide.

I will let you know as soon as I can as to resources from our end.

Thanks again.
Rodney.

-- 
Rodney Mercer
Systems Administrator

From borepstein at gmail.com Wed Nov 9 17:50:13 2011
From: borepstein at gmail.com (Boris Epstein)
Date: Wed, 9 Nov 2011 12:50:13 -0500
Subject: [Freeipa-users] FreeIPA on CentOS 5.6

Hello all,

I am an absolute beginner here... So... I have a machine that only has 512 MB of RAM which is too small to house Fedora. So that machine is running CentOS 5.6. And now I want to install FreeIPA on it. Has anybody done it? If so, how have you done it?

Thanks.

Boris.

From simo at redhat.com Wed Nov 9 18:24:06 2011
From: simo at redhat.com (Simo Sorce)
Date: Wed, 09 Nov 2011 13:24:06 -0500
Subject: [Freeipa-users] FreeIPA on CentOS 5.6
Message-ID: <1320863046.7734.870.camel@willson.li.ssimo.org>

On Wed, 2011-11-09 at 12:50 -0500, Boris Epstein wrote:
> Hello all,
>
> I am an absolute beginner here... So... I have a machine that only has 512 MB of RAM which is too small to house Fedora. So that machine is running CentOS 5.6. And now I want to install FreeIPA on it. Has anybody done it? If so, how have you done it?

I would advise against installing IPA on a machine so starved of RAM except for test purposes and small database sizes.

Simo.
-- 
Simo Sorce * Red Hat, Inc * New York

From sgallagh at redhat.com Wed Nov 9 18:39:52 2011
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Wed, 09 Nov 2011 13:39:52 -0500
Subject: [Freeipa-users] FreeIPA on CentOS 5.6
Message-ID: <1320863992.2252.11.camel@sgallagh520.ipa.sgallagh.bos.redhat.com>

On Wed, 2011-11-09 at 12:50 -0500, Boris Epstein wrote:
> Hello all,
>
> I am an absolute beginner here... So... I have a machine that only has 512 MB of RAM which is too small to house Fedora. So that machine is running CentOS 5.6. And now I want to install FreeIPA on it. Has anybody done it? If so, how have you done it?

FreeIPA is not supported on RHEL/CentOS 5.x. It's simply too old and cannot meet the minimum pre-requisites.

From borepstein at gmail.com Wed Nov 9 18:41:28 2011
From: borepstein at gmail.com (Boris Epstein)
Date: Wed, 9 Nov 2011 13:41:28 -0500
Subject: [Freeipa-users] FreeIPA on CentOS 5.6
In-Reply-To: <1320863046.7734.870.camel@willson.li.ssimo.org>
References: <1320863046.7734.870.camel@willson.li.ssimo.org>

On Wed, Nov 9, 2011 at 1:24 PM, Simo Sorce wrote:
> On Wed, 2011-11-09 at 12:50 -0500, Boris Epstein wrote:
>> Hello all,
>>
>> I am an absolute beginner here... So... I have a machine that only has 512 MB of RAM which is too small to house Fedora. So that machine is running CentOS 5.6. And now I want to install FreeIPA on it. Has anybody done it? If so, how have you done it?
>
> I would advise against installing IPA on a machine so starved of RAM except for test purposes and small database sizes.
>
> Simo.
>
> -- 
> Simo Sorce * Red Hat, Inc * New York
>

Simo,

I agree with your advice. But yes, we are a small group, and even if every user login stalls by a second - well, so be it for now.
How do you do that - that's the question? So far I have succeeded in neither finding the correct RPM, nor building the source from scratch. The build process breaks as follows:

...
checking for nss3/nss.h... yes
checking dirsrv/slapi-plugin.h usability... no
checking dirsrv/slapi-plugin.h presence... no
checking for dirsrv/slapi-plugin.h... no
configure: error: Required DS slapi plugin header not available (fedora-ds-base-devel)
make: *** [bootstrap-autogen] Error 1
[administrator at dellfluor freeipa-1.2.2]$

Any idea how to overcome this?

Thanks.

Boris.

From sbingram at gmail.com Wed Nov 9 18:43:18 2011
From: sbingram at gmail.com (Stephen Ingram)
Date: Wed, 9 Nov 2011 10:43:18 -0800
Subject: [Freeipa-users] FreeIPA on CentOS 5.6

On Wed, Nov 9, 2011 at 9:50 AM, Boris Epstein wrote:
> I am an absolute beginner here... So... I have a machine that only has 512 MB of RAM which is too small to house Fedora. So that machine is running CentOS 5.6. And now I want to install FreeIPA on it. Has anybody done it? If so, how have you done it?

My first install of FreeIPA was on an OpenVZ container with only 512MB. It didn't go so well. Luckily for me it was the only container on the system so I just bumped up the RAM. I had to set it to over 2GB just to get through the install process. Once installed, it does use less memory (if you have a small directory), but I still think you would be in trouble with only 512MB.

I would also go with Fedora 15 so you can get the latest packages. And when you are ready, run the production version on a full system or KVM so you can take advantage of SELinux to protect the system as much as possible.
Steve

From borepstein at gmail.com Wed Nov 9 18:46:19 2011
From: borepstein at gmail.com (Boris Epstein)
Date: Wed, 9 Nov 2011 13:46:19 -0500
Subject: [Freeipa-users] FreeIPA on CentOS 5.6
In-Reply-To: <1320863992.2252.11.camel@sgallagh520.ipa.sgallagh.bos.redhat.com>
References: <1320863992.2252.11.camel@sgallagh520.ipa.sgallagh.bos.redhat.com>

On Wed, Nov 9, 2011 at 1:39 PM, Stephen Gallagher wrote:
> On Wed, 2011-11-09 at 12:50 -0500, Boris Epstein wrote:
>> Hello all,
>>
>> I am an absolute beginner here... So... I have a machine that only has 512 MB of RAM which is too small to house Fedora. So that machine is running CentOS 5.6. And now I want to install FreeIPA on it. Has anybody done it? If so, how have you done it?
>
>
> FreeIPA is not supported on RHEL/CentOS 5.x. It's simply too old and cannot meet the minimum pre-requisites.
>

Too old? How?

http://freeipa.org/page/IPAv2_213

This was released in October 2011. So yes, it is over a week old:)

But I doubt that makes it ancient:)

Boris.

From sgallagh at redhat.com Wed Nov 9 18:49:08 2011
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Wed, 09 Nov 2011 13:49:08 -0500
Subject: [Freeipa-users] FreeIPA on CentOS 5.6
References: <1320863992.2252.11.camel@sgallagh520.ipa.sgallagh.bos.redhat.com>
Message-ID: <1320864548.2252.15.camel@sgallagh520.ipa.sgallagh.bos.redhat.com>

On Wed, 2011-11-09 at 13:46 -0500, Boris Epstein wrote:
> On Wed, Nov 9, 2011 at 1:39 PM, Stephen Gallagher wrote:
> > On Wed, 2011-11-09 at 12:50 -0500, Boris Epstein wrote:
> >> Hello all,
> >>
> >> I am an absolute beginner here... So... I have a machine that only has 512 MB of RAM which is too small to house Fedora. So that machine is running CentOS 5.6. And now I want to install FreeIPA on it. Has anybody done it?
If so, how have you done it? > > > > > > FreeIPA is not supported on RHEL/CentOS 5.x. It's simply too old and > > cannot meet the minimum pre-requisites. > > > > _______________________________________________ > > Freeipa-users mailing list > > Freeipa-users at redhat.com > > https://www.redhat.com/mailman/listinfo/freeipa-users > > > > Too old? How? > > http://freeipa.org/page/IPAv2_213 > > This was released in October 2011. So yes, it is over a week old:) > > But I doubt that makes it ancient:) > > Boris. Sorry, that will teach me to leave my pronouns ambiguous. I mean that RHEL/CentOS 5 is too old to be capable of running FreeIPA. There are too many dependencies of FreeIPA that are unmet. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 198 bytes Desc: This is a digitally signed message part URL: From borepstein at gmail.com Wed Nov 9 19:23:35 2011 From: borepstein at gmail.com (Boris Epstein) Date: Wed, 9 Nov 2011 14:23:35 -0500 Subject: [Freeipa-users] FreeIPA on CentOS 5.6 In-Reply-To: <1320864548.2252.15.camel@sgallagh520.ipa.sgallagh.bos.redhat.com> References: <1320863992.2252.11.camel@sgallagh520.ipa.sgallagh.bos.redhat.com> <1320864548.2252.15.camel@sgallagh520.ipa.sgallagh.bos.redhat.com> Message-ID: On Wed, Nov 9, 2011 at 1:49 PM, Stephen Gallagher wrote: > On Wed, 2011-11-09 at 13:46 -0500, Boris Epstein wrote: >> On Wed, Nov 9, 2011 at 1:39 PM, Stephen Gallagher wrote: >> > On Wed, 2011-11-09 at 12:50 -0500, Boris Epstein wrote: >> >> Hello all, >> >> >> >> I am an absolute beginner here... So... I have a machine that only has >> >> 512 MB of RAM which is too small to house Fedora. So that machine is >> >> running CentOS 5.6. And now I want to install FreeIPA on it. Has >> >> anybody done it? If so, how have you done it? >> > >> > >> > FreeIPA is not supported on RHEL/CentOS 5.x. It's simply too old and >> > cannot meet the minimum pre-requisites. 
>> > >> > _______________________________________________ >> > Freeipa-users mailing list >> > Freeipa-users at redhat.com >> > https://www.redhat.com/mailman/listinfo/freeipa-users >> > >> >> Too old? How? >> >> http://freeipa.org/page/IPAv2_213 >> >> This was released in October 2011. So yes, it is over a week old:) >> >> But I doubt that makes it ancient:) >> >> Boris. > > Sorry, that will teach me to leave my pronouns ambiguous. > > I mean that RHEL/CentOS 5 is too old to be capable of running FreeIPA. > There are too many dependencies of FreeIPA that are unmet. > This actually came out quite funny:) Thanks for your advice, by the way. So what OS would not be too old to run FreeIPA on? Would we be talking CentOS 6? Boris. From dpal at redhat.com Wed Nov 9 19:26:06 2011 From: dpal at redhat.com (Dmitri Pal) Date: Wed, 09 Nov 2011 14:26:06 -0500 Subject: [Freeipa-users] FreeIPA on CentOS 5.6 In-Reply-To: References: <1320863992.2252.11.camel@sgallagh520.ipa.sgallagh.bos.redhat.com> <1320864548.2252.15.camel@sgallagh520.ipa.sgallagh.bos.redhat.com> Message-ID: <4EBAD3CE.9040101@redhat.com> On 11/09/2011 02:23 PM, Boris Epstein wrote: > On Wed, Nov 9, 2011 at 1:49 PM, Stephen Gallagher wrote: >> On Wed, 2011-11-09 at 13:46 -0500, Boris Epstein wrote: >>> On Wed, Nov 9, 2011 at 1:39 PM, Stephen Gallagher wrote: >>>> On Wed, 2011-11-09 at 12:50 -0500, Boris Epstein wrote: >>>>> Hello all, >>>>> >>>>> I am an absolute beginner here... So... I have a machine that only has >>>>> 512 MB of RAM which is too small to house Fedora. So that machine is >>>>> running CentOS 5.6. And now I want to install FreeIPA on it. Has >>>>> anybody done it? If so, how have you done it? >>>> >>>> FreeIPA is not supported on RHEL/CentOS 5.x. It's simply too old and >>>> cannot meet the minimum pre-requisites. 
>>>> >>>> _______________________________________________ >>>> Freeipa-users mailing list >>>> Freeipa-users at redhat.com >>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>> >>> Too old? How? >>> >>> http://freeipa.org/page/IPAv2_213 >>> >>> This was released in October 2011. So yes, it is over a week old:) >>> >>> But I doubt that makes it ancient:) >>> >>> Boris. >> Sorry, that will teach me to leave my pronouns ambiguous. >> >> I mean that RHEL/CentOS 5 is too old to be capable of running FreeIPA. >> There are too many dependencies of FreeIPA that are unmet. >> > This actually came out quite funny:) > > Thanks for your advice, by the way. > > So what OS would not be too old to run FreeIPA on? Would we be talking CentOS 6? > Even current CentOS 6 is behind but at least it is closer to what Fedora 15 has and you might get better chance with it. > Boris. > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > > -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From sgallagh at redhat.com Wed Nov 9 19:27:52 2011 From: sgallagh at redhat.com (Stephen Gallagher) Date: Wed, 09 Nov 2011 14:27:52 -0500 Subject: [Freeipa-users] FreeIPA on CentOS 5.6 In-Reply-To: References: <1320863992.2252.11.camel@sgallagh520.ipa.sgallagh.bos.redhat.com> <1320864548.2252.15.camel@sgallagh520.ipa.sgallagh.bos.redhat.com> Message-ID: <1320866872.2252.17.camel@sgallagh520.ipa.sgallagh.bos.redhat.com> On Wed, 2011-11-09 at 14:23 -0500, Boris Epstein wrote: > > So what OS would not be too old to run FreeIPA on? Would we be talking CentOS 6? > > Boris. Well, RHEL 6.2 (due out before the end of the year) will include a fully-supported version of FreeIPA as "Red Hat Identity Management". 
Presumably, whenever CentOS 6.2 is released, it will also carry this package. It's likely to be possible to get it to run on CentOS 6.0, but it will require some elbow grease. I also agree with the earlier comments that 512MB is not enough to run the OS + FreeIPA. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 198 bytes Desc: This is a digitally signed message part URL: From sigbjorn at nixtra.com Wed Nov 9 19:56:59 2011 From: sigbjorn at nixtra.com (Sigbjorn Lie) Date: Wed, 9 Nov 2011 20:56:59 +0100 (CET) Subject: [Freeipa-users] FreeIPA on CentOS 5.6 In-Reply-To: <1320866872.2252.17.camel@sgallagh520.ipa.sgallagh.bos.redhat.com> References: <1320863992.2252.11.camel@sgallagh520.ipa.sgallagh.bos.redhat.com> <1320864548.2252.15.camel@sgallagh520.ipa.sgallagh.bos.redhat.com> <1320866872.2252.17.camel@sgallagh520.ipa.sgallagh.bos.redhat.com> Message-ID: <56648.192.168.211.11.1320868619.squirrel@www.nixtra.com> On Wed, November 9, 2011 20:27, Stephen Gallagher wrote: > On Wed, 2011-11-09 at 14:23 -0500, Boris Epstein wrote: > >> >> So what OS would not be too old to run FreeIPA on? Would we be talking CentOS 6? >> >> >> Boris. >> > > Well, RHEL 6.2 (due out before the end of the year) will include a > fully-supported version of FreeIPA as "Red Hat Identity Management". Presumably, whenever CentOS > 6.2 is released, it will also carry this > package. > > It's likely to be possible to get it to run on CentOS 6.0, but it will > require some elbow grease. I also agree with the earlier comments that 512MB is not enough to run > the OS + FreeIPA. _______________________________________________ Agreed! Even my test setup with 10 clients started swapping on an IPA server with 1GB of memory. It now uses approx 1,7GB of memory after the IPA server was increased to 2GB. 
From borepstein at gmail.com Wed Nov 9 20:02:59 2011 From: borepstein at gmail.com (Boris Epstein) Date: Wed, 9 Nov 2011 15:02:59 -0500 Subject: [Freeipa-users] FreeIPA on CentOS 5.6 In-Reply-To: <56648.192.168.211.11.1320868619.squirrel@www.nixtra.com> References: <1320863992.2252.11.camel@sgallagh520.ipa.sgallagh.bos.redhat.com> <1320864548.2252.15.camel@sgallagh520.ipa.sgallagh.bos.redhat.com> <1320866872.2252.17.camel@sgallagh520.ipa.sgallagh.bos.redhat.com> <56648.192.168.211.11.1320868619.squirrel@www.nixtra.com> Message-ID: On Wed, Nov 9, 2011 at 2:56 PM, Sigbjorn Lie wrote: > > On Wed, November 9, 2011 20:27, Stephen Gallagher wrote: > > On Wed, 2011-11-09 at 14:23 -0500, Boris Epstein wrote: > > > >> > >> So what OS would not be too old to run FreeIPA on? Would we be talking CentOS 6? > >> > >> > >> Boris. > >> > > > > Well, RHEL 6.2 (due out before the end of the year) will include a > > fully-supported version of FreeIPA as "Red Hat Identity Management". Presumably, whenever CentOS > > 6.2 is released, it will also carry this > > package. > > > > It's likely to be possible to get it to run on CentOS 6.0, but it will > > require some elbow grease. I also agree with the earlier comments that 512MB is not enough to run > > the OS + FreeIPA. _______________________________________________ > > > Agreed! Even my test setup with 10 clients started swapping on an IPA server with 1GB of memory. > It now uses approx 1,7GB of memory after the IPA server was increased to 2GB. > What if you just give it massive amounts of swap though? Boris. 
From sigbjorn at nixtra.com Wed Nov 9 20:08:14 2011 From: sigbjorn at nixtra.com (Sigbjorn Lie) Date: Wed, 9 Nov 2011 21:08:14 +0100 (CET) Subject: [Freeipa-users] FreeIPA on CentOS 5.6 In-Reply-To: References: <1320863992.2252.11.camel@sgallagh520.ipa.sgallagh.bos.redhat.com> <1320864548.2252.15.camel@sgallagh520.ipa.sgallagh.bos.redhat.com> <1320866872.2252.17.camel@sgallagh520.ipa.sgallagh.bos.redhat.com> <56648.192.168.211.11.1320868619.squirrel@www.nixtra.com> Message-ID: <60042.192.168.211.11.1320869294.squirrel@www.nixtra.com> On Wed, November 9, 2011 21:02, Boris Epstein wrote: > On Wed, Nov 9, 2011 at 2:56 PM, Sigbjorn Lie wrote: > >> >> On Wed, November 9, 2011 20:27, Stephen Gallagher wrote: >> >>> On Wed, 2011-11-09 at 14:23 -0500, Boris Epstein wrote: >>> >>> >>>> >>>> So what OS would not be too old to run FreeIPA on? Would we be talking CentOS 6? >>>> >>>> >>>> >>>> Boris. >>>> >>>> >>> >>> Well, RHEL 6.2 (due out before the end of the year) will include a >>> fully-supported version of FreeIPA as "Red Hat Identity Management". Presumably, whenever >>> CentOS >>> 6.2 is released, it will also carry this >>> package. >>> >>> It's likely to be possible to get it to run on CentOS 6.0, but it will >>> require some elbow grease. I also agree with the earlier comments that 512MB is not enough to >>> run the OS + FreeIPA. _______________________________________________ >> >> >> Agreed! Even my test setup with 10 clients started swapping on an IPA server with 1GB of >> memory. It now uses approx 1,7GB of memory after the IPA server was increased to 2GB. >> >> > > What if you just give it massive amounts of swap though? > I had plenty of swap... The lookups and responsiveness of both client logins and using the webui increased significantly after adding more memory. Memory is cheap, 2GB is not asking much. 
Rgds, Siggi From ayoung at redhat.com Wed Nov 9 20:52:49 2011 From: ayoung at redhat.com (Adam Young) Date: Wed, 09 Nov 2011 15:52:49 -0500 Subject: [Freeipa-users] FreeIPA on CentOS 5.6 In-Reply-To: <1320866872.2252.17.camel@sgallagh520.ipa.sgallagh.bos.redhat.com> References: <1320863992.2252.11.camel@sgallagh520.ipa.sgallagh.bos.redhat.com> <1320864548.2252.15.camel@sgallagh520.ipa.sgallagh.bos.redhat.com> <1320866872.2252.17.camel@sgallagh520.ipa.sgallagh.bos.redhat.com> Message-ID: <4EBAE821.9070906@redhat.com> On 11/09/2011 02:27 PM, Stephen Gallagher wrote: > On Wed, 2011-11-09 at 14:23 -0500, Boris Epstein wrote: >> So what OS would not be too old to run FreeIPA on? Would we be talking CentOS 6? >> >> Boris. > Well, RHEL 6.2 (due out before the end of the year) will include a > fully-supported version of FreeIPA as "Red Hat Identity Management". > Presumably, whenever CentOS 6.2 is released, it will also carry this > package. > > It's likely to be possible to get it to run on CentOS 6.0, but it will > require some elbow grease. I also agree with the earlier comments that > 512MB is not enough to run the OS + FreeIPA. > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users If you are looking for a means to evaluate it, look at a really stripped down Fedora 15 Install. People have also had better success with Scientific Linux for RHEL6 parity than they have had with Centos6, but no guarantees there: both have been significantly behind the RHEL 6 efforts. 
From rcritten at redhat.com Wed Nov 9 21:10:41 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 09 Nov 2011 16:10:41 -0500 Subject: [Freeipa-users] FreeIPA on CentOS 5.6 In-Reply-To: References: <1320863992.2252.11.camel@sgallagh520.ipa.sgallagh.bos.redhat.com> <1320864548.2252.15.camel@sgallagh520.ipa.sgallagh.bos.redhat.com> <1320866872.2252.17.camel@sgallagh520.ipa.sgallagh.bos.redhat.com> <56648.192.168.211.11.1320868619.squirrel@www.nixtra.com> Message-ID: <4EBAEC51.6050805@redhat.com> Boris Epstein wrote: > On Wed, Nov 9, 2011 at 2:56 PM, Sigbjorn Lie wrote: >> >> On Wed, November 9, 2011 20:27, Stephen Gallagher wrote: >>> On Wed, 2011-11-09 at 14:23 -0500, Boris Epstein wrote: >>> >>>> >>>> So what OS would not be too old to run FreeIPA on? Would we be talking CentOS 6? >>>> >>>> >>>> Boris. >>>> >>> >>> Well, RHEL 6.2 (due out before the end of the year) will include a >>> fully-supported version of FreeIPA as "Red Hat Identity Management". Presumably, whenever CentOS >>> 6.2 is released, it will also carry this >>> package. >>> >>> It's likely to be possible to get it to run on CentOS 6.0, but it will >>> require some elbow grease. I also agree with the earlier comments that 512MB is not enough to run >>> the OS + FreeIPA. _______________________________________________ >> >> >> Agreed! Even my test setup with 10 clients started swapping on an IPA server with 1GB of memory. >> It now uses approx 1,7GB of memory after the IPA server was increased to 2GB. >> > > What if you just give it massive amounts of swap though? I've developed IPA in some 512MB VMs with 1GB swap and it generally works ok but I usually only have a couple of clients. At the moment ~200MB is swapped. So yeah, I guess you could say it works, but I wouldn't deploy it this way. I'm not even sure it would make a fair evaluation machine given the inevitable performance issues. 
rob From simo at redhat.com Wed Nov 9 21:13:42 2011 From: simo at redhat.com (Simo Sorce) Date: Wed, 09 Nov 2011 16:13:42 -0500 Subject: [Freeipa-users] FreeIPA on CentOS 5.6 In-Reply-To: References: <1320863992.2252.11.camel@sgallagh520.ipa.sgallagh.bos.redhat.com> <1320864548.2252.15.camel@sgallagh520.ipa.sgallagh.bos.redhat.com> <1320866872.2252.17.camel@sgallagh520.ipa.sgallagh.bos.redhat.com> <56648.192.168.211.11.1320868619.squirrel@www.nixtra.com> Message-ID: <1320873222.7734.879.camel@willson.li.ssimo.org> On Wed, 2011-11-09 at 15:02 -0500, Boris Epstein wrote: > On Wed, Nov 9, 2011 at 2:56 PM, Sigbjorn Lie wrote: > > > > On Wed, November 9, 2011 20:27, Stephen Gallagher wrote: > > > On Wed, 2011-11-09 at 14:23 -0500, Boris Epstein wrote: > > > > > >> > > >> So what OS would not be too old to run FreeIPA on? Would we be talking CentOS 6? > > >> > > >> > > >> Boris. > > >> > > > > > > Well, RHEL 6.2 (due out before the end of the year) will include a > > > fully-supported version of FreeIPA as "Red Hat Identity Management". Presumably, whenever CentOS > > > 6.2 is released, it will also carry this > > > package. > > > > > > It's likely to be possible to get it to run on CentOS 6.0, but it will > > > require some elbow grease. I also agree with the earlier comments that 512MB is not enough to run > > > the OS + FreeIPA. _______________________________________________ > > > > > > Agreed! Even my test setup with 10 clients started swapping on an IPA server with 1GB of memory. > > It now uses approx 1,7GB of memory after the IPA server was increased to 2GB. > > > > What if you just give it massive amounts of swap though? Boris, I have virtual machines to which I give 768M of RAM, it works ok for a few tests. Of course my host machine has much more RAM and probably caches the swap. A bare-metal machine with only 512M would probably be *very* slow. 
Although, maybe if you use the (non production/test only) --selfsign option to not install the PKI then java/tomcat would not be started which may make it work well enough. But then you wouldn't be able to fully test the PKI stuff. Simo. -- Simo Sorce * Red Hat, Inc * New York From JR.Aquino at citrix.com Thu Nov 10 00:11:41 2011 From: JR.Aquino at citrix.com (JR Aquino) Date: Thu, 10 Nov 2011 00:11:41 +0000 Subject: [Freeipa-users] FreeIPA 2.1.3 Replication Install Failure Message-ID: <336ECA65-DAA0-43DC-99C1-BF898D8EE061@citrixonline.com> Upon a FreeIPA Replica install, I am failing at: Configuring Kerberos KDC: Estimated time 30 seconds [1/9]: adding sasl mappings to the directory [2/9]: writing stash file from DS [3/9]: configuring KDC [4/9]: creating a keytab for the directory [5/9]: creating a keytab for the machine [6/9]: adding the password extension to the directory [7/9]: enable GSSAPI for replication creation of replica failed: list index out of range Per an IRC session with Rich, it looks like ldap/authdev1.qai.example.com at EXAMPLE.COM is not being created at all... So when the replica slave goes to search for it, it yields an empty list and throws the python exception... Does anyone know how and when that principal should be getting created/inserted? 
The /var/log/ipareplica-install.log: 2011-11-17 12:50:14,708 DEBUG stderr=ldap_initialize( ldap://authdev1.qai.example.com ) 2011-11-17 12:50:14,708 DEBUG duration: 0 seconds 2011-11-17 12:50:14,708 DEBUG [7/9]: enable GSSAPI for replication 2011-11-17 12:50:14,746 INFO Changing agreement cn=meToauthdev2.qai.example.com,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch 2011-11-17 12:50:15,756 INFO Changing agreement cn=meToauthdev2.qai.example.com,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config to restore original schedule 0000-2359 0123456 2011-11-17 12:50:16,787 INFO Replication Update in progress: FALSE: status: -1 Incremental update has failed and requires administrator actionSystem error: start: 0: end: 0 2011-11-17 12:50:16,791 INFO Changing agreement cn=meToauthdev1.qai.example.com,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch 2011-11-17 12:50:17,802 INFO Changing agreement cn=meToauthdev1.qai.example.com,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config to restore original schedule 0000-2359 0123456 2011-11-17 12:50:18,816 INFO Replication Update in progress: FALSE: status: 0 Replica acquired successfully: Incremental update succeeded: start: 20111110000049Z: end: 20111110000049Z 2011-11-17 12:50:18,865 DEBUG list index out of range File "/usr/sbin/ipa-replica-install", line 483, in main() File "/usr/sbin/ipa-replica-install", line 444, in main install_krb(config, setup_pkinit=options.setup_pkinit) File "/usr/sbin/ipa-replica-install", line 156, in install_krb setup_pkinit, pkcs12_info) File "/usr/lib/python2.7/site-packages/ipaserver/install/krbinstance.py", line 212, in create_replica self.start_creation("Configuring Kerberos KDC", 30) File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 248, in start_creation method() File "/usr/lib/python2.7/site-packages/ipaserver/install/krbinstance.py", line 
553, in __convert_to_gssapi_replication r_bindpw=self.dm_password) File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 798, in convert_to_gssapi_replication self.gssapi_update_agreements(self.conn, r_conn) File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 532, in gssapi_update_agreements self.setup_krb_princs_as_replica_binddns(a, b) File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 525, in setup_krb_princs_as_replica_binddns mod = [(ldap.MOD_ADD, "nsds5replicabinddn", a_pn[0].dn)] The Master server dirsrv access log: [09/Nov/2011:15:39:44 -0800] conn=28 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=replication manager,cn=config" [09/Nov/2011:15:39:44 -0800] conn=28 op=2 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedControl supportedExtension" [09/Nov/2011:15:39:44 -0800] conn=28 op=2 RESULT err=0 tag=101 nentries=1 etime=0 [09/Nov/2011:15:39:44 -0800] conn=28 op=3 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedControl supportedExtension" [09/Nov/2011:15:39:44 -0800] conn=28 op=3 RESULT err=0 tag=101 nentries=1 etime=0 [09/Nov/2011:15:39:44 -0800] conn=28 op=4 EXT oid="2.16.840.1.113730.3.5.12" [09/Nov/2011:15:39:44 -0800] conn=28 op=4 RESULT err=0 tag=120 nentries=0 etime=0 [09/Nov/2011:15:40:00 -0800] conn=29 fd=76 slot=76 SSL connection from 10.230.6.100 to 10.230.6.96 [09/Nov/2011:15:40:00 -0800] conn=29 SSL 256-bit AES [09/Nov/2011:15:40:00 -0800] conn=29 op=0 BIND dn="cn=Directory Manager" method=128 version=3 [09/Nov/2011:15:40:00 -0800] conn=29 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager" [09/Nov/2011:15:40:00 -0800] conn=29 op=1 SRCH base="cn=config,cn=ldbm database,cn=plugins,cn=config" scope=0 filter="(objectClass=*)" attrs="nsslapd-directory" [09/Nov/2011:15:40:00 -0800] conn=29 op=1 RESULT err=0 tag=101 nentries=1 etime=0 [09/Nov/2011:15:40:01 -0800] conn=28 op=5 UNBIND [09/Nov/2011:15:40:01 -0800] conn=28 
op=5 fd=75 closed - U1 [09/Nov/2011:15:40:01 -0800] conn=30 fd=75 slot=75 connection from 10.230.6.100 to 10.230.6.96 [09/Nov/2011:15:40:01 -0800] conn=30 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS" [09/Nov/2011:15:40:01 -0800] conn=30 op=0 RESULT err=0 tag=120 nentries=0 etime=0 [09/Nov/2011:15:40:01 -0800] conn=30 SSL 256-bit AES [09/Nov/2011:15:40:01 -0800] conn=30 op=1 BIND dn="cn=replication manager,cn=config" method=128 version=3 [09/Nov/2011:15:40:01 -0800] conn=30 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=replication manager,cn=config" [09/Nov/2011:15:40:01 -0800] conn=30 op=2 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedControl supportedExtension" [09/Nov/2011:15:40:01 -0800] conn=30 op=2 RESULT err=0 tag=101 nentries=1 etime=0 [09/Nov/2011:15:40:01 -0800] conn=30 op=3 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedControl supportedExtension" [09/Nov/2011:15:40:01 -0800] conn=30 op=3 RESULT err=0 tag=101 nentries=1 etime=0 [09/Nov/2011:15:40:01 -0800] conn=30 op=4 EXT oid="2.16.840.1.113730.3.5.12" [09/Nov/2011:15:40:01 -0800] conn=30 op=4 RESULT err=0 tag=120 nentries=0 etime=0 [09/Nov/2011:15:40:02 -0800] conn=29 op=2 SRCH base="cn=config" scope=2 filter="(&(nsDS5ReplicaHost=authdev1.qai.example.com)(|(objectClass=nsDSWindowsReplicationAgreement)(objectClass=nsds5ReplicationAgreement)))" attrs=ALL [09/Nov/2011:15:40:02 -0800] conn=29 op=2 RESULT err=0 tag=101 nentries=1 etime=0 [09/Nov/2011:15:40:02 -0800] conn=29 op=3 MOD dn="cn=meToauthdev1.qai.example.com,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config" [09/Nov/2011:15:40:02 -0800] conn=29 op=3 RESULT err=0 tag=103 nentries=0 etime=0 [09/Nov/2011:15:40:03 -0800] conn=29 op=4 MOD dn="cn=meToauthdev1.qai.example.com,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config" [09/Nov/2011:15:40:03 -0800] conn=29 op=4 RESULT err=0 tag=103 nentries=0 etime=0 [09/Nov/2011:15:40:04 -0800] conn=29 op=5 SRCH 
base="cn=meToauthdev1.qai.example.com,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config" scope=0 filter="(objectClass=*)" attrs="cn nsds5replicaUpdateInProgress nsds5replicaLastUpdateStatus nsds5replicaLastUpdateStart nsds5replicaLastUpdateEnd" [09/Nov/2011:15:40:04 -0800] conn=29 op=5 RESULT err=0 tag=101 nentries=1 etime=0 [09/Nov/2011:15:40:04 -0800] conn=29 op=6 SRCH base="dc=example,dc=com" scope=2 filter="(krbPrincipalName=ldap/authdev1.qai.example.com at example.COM)" attrs=ALL [09/Nov/2011:15:40:04 -0800] conn=29 op=6 RESULT err=0 tag=101 nentries=0 etime=0 [09/Nov/2011:15:40:04 -0800] conn=29 op=7 UNBIND [09/Nov/2011:15:40:04 -0800] conn=29 op=7 fd=76 closed - U1 [09/Nov/2011:15:40:08 -0800] conn=30 op=5 UNBIND [09/Nov/2011:15:40:08 -0800] conn=30 op=5 fd=75 closed - U1 [09/Nov/2011:15:40:08 -0800] conn=31 fd=75 slot=75 connection from 10.230.6.100 to 10.230.6.96 [09/Nov/2011:15:40:08 -0800] conn=31 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS" [09/Nov/2011:15:40:08 -0800] conn=31 op=0 RESULT err=0 tag=120 nentries=0 etime=0 [09/Nov/2011:15:40:08 -0800] conn=31 SSL 256-bit AES [09/Nov/2011:15:40:08 -0800] conn=31 op=1 BIND dn="cn=replication manager,cn=config" method=128 version=3 [09/Nov/2011:15:40:08 -0800] conn=31 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=replication manager,cn=config" [09/Nov/2011:15:40:08 -0800] conn=31 op=2 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedControl supportedExtension" [09/Nov/2011:15:40:08 -0800] conn=31 op=2 RESULT err=0 tag=101 nentries=1 etime=0 [09/Nov/2011:15:40:08 -0800] conn=31 op=3 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedControl supportedExtension" [09/Nov/2011:15:40:08 -0800] conn=31 op=3 RESULT err=0 tag=101 nentries=1 etime=0 [09/Nov/2011:15:40:08 -0800] conn=31 op=4 EXT oid="2.16.840.1.113730.3.5.12" [09/Nov/2011:15:40:08 -0800] conn=31 op=4 RESULT err=0 tag=120 nentries=0 etime=0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Jr Aquino, GCIH, GWAPT | 
Sr. Information Security Specialist Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117 T: +1 805.690.3478 jr.aquino at citrixonline.com http://www.citrixonline.com From rmeggins at redhat.com Thu Nov 10 00:27:12 2011 From: rmeggins at redhat.com (Rich Megginson) Date: Wed, 09 Nov 2011 17:27:12 -0700 Subject: [Freeipa-users] FreeIPA 2.1.3 Replication Install Failure In-Reply-To: <336ECA65-DAA0-43DC-99C1-BF898D8EE061@citrixonline.com> References: <336ECA65-DAA0-43DC-99C1-BF898D8EE061@citrixonline.com> Message-ID: <4EBB1A60.5020702@redhat.com> On 11/09/2011 05:11 PM, JR Aquino wrote: > Upon a FreeIPA Replica install, I am failing at: > Configuring Kerberos KDC: Estimated time 30 seconds > [1/9]: adding sasl mappings to the directory > [2/9]: writing stash file from DS > [3/9]: configuring KDC > [4/9]: creating a keytab for the directory > [5/9]: creating a keytab for the machine > [6/9]: adding the password extension to the directory > [7/9]: enable GSSAPI for replication > creation of replica failed: list index out of range > > Per an IRC session with Rich, it looks like ldap/authdev1.qai.example.com at EXAMPLE.COM is not being created at all... So when the replica slave goes to search for it, it yields an empty list and throws the python exception... > > Does anyone know how and when that principal should be getting created/inserted? 
> > The /var/log/ipareplica-install.log: > > > 2011-11-17 12:50:14,708 DEBUG stderr=ldap_initialize( ldap://authdev1.qai.example.com ) > > 2011-11-17 12:50:14,708 DEBUG duration: 0 seconds > 2011-11-17 12:50:14,708 DEBUG [7/9]: enable GSSAPI for replication > 2011-11-17 12:50:14,746 INFO Changing agreement cn=meToauthdev2.qai.example.com,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch > 2011-11-17 12:50:15,756 INFO Changing agreement cn=meToauthdev2.qai.example.com,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config to restore original schedule 0000-2359 0123456 > 2011-11-17 12:50:16,787 INFO Replication Update in progress: FALSE: status: -1 Incremental update has failed and requires administrator actionSystem error: start: 0: end: 0 > 2011-11-17 12:50:16,791 INFO Changing agreement cn=meToauthdev1.qai.example.com,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch > 2011-11-17 12:50:17,802 INFO Changing agreement cn=meToauthdev1.qai.example.com,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config to restore original schedule 0000-2359 0123456 > 2011-11-17 12:50:18,816 INFO Replication Update in progress: FALSE: status: 0 Replica acquired successfully: Incremental update succeeded: start: 20111110000049Z: end: 20111110000049Z > 2011-11-17 12:50:18,865 DEBUG list index out of range > File "/usr/sbin/ipa-replica-install", line 483, in > main() > > File "/usr/sbin/ipa-replica-install", line 444, in main > install_krb(config, setup_pkinit=options.setup_pkinit) > > File "/usr/sbin/ipa-replica-install", line 156, in install_krb > setup_pkinit, pkcs12_info) > > File "/usr/lib/python2.7/site-packages/ipaserver/install/krbinstance.py", line 212, in create_replica > self.start_creation("Configuring Kerberos KDC", 30) > > File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 248, in start_creation > method() > > File 
"/usr/lib/python2.7/site-packages/ipaserver/install/krbinstance.py", line 553, in __convert_to_gssapi_replication > r_bindpw=self.dm_password) > > File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 798, in convert_to_gssapi_replication > self.gssapi_update_agreements(self.conn, r_conn) > > File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 532, in gssapi_update_agreements > self.setup_krb_princs_as_replica_binddns(a, b) > > File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 525, in setup_krb_princs_as_replica_binddns > mod = [(ldap.MOD_ADD, "nsds5replicabinddn", a_pn[0].dn)] One problem is at this point in the code, a_pn is [] - so the check for a_pn is None fails. I think the error checking here needs to be improved. But the real problem is that this search fails (from the master server dirsrv access log below): [09/Nov/2011:15:40:04 -0800] conn=29 op=6 SRCH base="dc=example,dc=com" scope=2 filter="(krbPrincipalName=ldap/authdev1.qai.example.com at example.COM)" attrs=ALL [09/Nov/2011:15:40:04 -0800] conn=29 op=6 RESULT err=0 tag=101 nentries=0 etime=0 note - nentries=0 means not found. Who adds this entry? 
>
> The Master server dirsrv access log:
> [09/Nov/2011:15:39:44 -0800] conn=28 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=replication manager,cn=config"
> [09/Nov/2011:15:39:44 -0800] conn=28 op=2 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedControl supportedExtension"
> [09/Nov/2011:15:39:44 -0800] conn=28 op=2 RESULT err=0 tag=101 nentries=1 etime=0
> [09/Nov/2011:15:39:44 -0800] conn=28 op=3 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedControl supportedExtension"
> [09/Nov/2011:15:39:44 -0800] conn=28 op=3 RESULT err=0 tag=101 nentries=1 etime=0
> [09/Nov/2011:15:39:44 -0800] conn=28 op=4 EXT oid="2.16.840.1.113730.3.5.12"
> [09/Nov/2011:15:39:44 -0800] conn=28 op=4 RESULT err=0 tag=120 nentries=0 etime=0
> [09/Nov/2011:15:40:00 -0800] conn=29 fd=76 slot=76 SSL connection from 10.230.6.100 to 10.230.6.96
> [09/Nov/2011:15:40:00 -0800] conn=29 SSL 256-bit AES
> [09/Nov/2011:15:40:00 -0800] conn=29 op=0 BIND dn="cn=Directory Manager" method=128 version=3
> [09/Nov/2011:15:40:00 -0800] conn=29 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
> [09/Nov/2011:15:40:00 -0800] conn=29 op=1 SRCH base="cn=config,cn=ldbm database,cn=plugins,cn=config" scope=0 filter="(objectClass=*)" attrs="nsslapd-directory"
> [09/Nov/2011:15:40:00 -0800] conn=29 op=1 RESULT err=0 tag=101 nentries=1 etime=0
> [09/Nov/2011:15:40:01 -0800] conn=28 op=5 UNBIND
> [09/Nov/2011:15:40:01 -0800] conn=28 op=5 fd=75 closed - U1
> [09/Nov/2011:15:40:01 -0800] conn=30 fd=75 slot=75 connection from 10.230.6.100 to 10.230.6.96
> [09/Nov/2011:15:40:01 -0800] conn=30 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
> [09/Nov/2011:15:40:01 -0800] conn=30 op=0 RESULT err=0 tag=120 nentries=0 etime=0
> [09/Nov/2011:15:40:01 -0800] conn=30 SSL 256-bit AES
> [09/Nov/2011:15:40:01 -0800] conn=30 op=1 BIND dn="cn=replication manager,cn=config" method=128 version=3
> [09/Nov/2011:15:40:01 -0800] conn=30 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=replication manager,cn=config"
> [09/Nov/2011:15:40:01 -0800] conn=30 op=2 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedControl supportedExtension"
> [09/Nov/2011:15:40:01 -0800] conn=30 op=2 RESULT err=0 tag=101 nentries=1 etime=0
> [09/Nov/2011:15:40:01 -0800] conn=30 op=3 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedControl supportedExtension"
> [09/Nov/2011:15:40:01 -0800] conn=30 op=3 RESULT err=0 tag=101 nentries=1 etime=0
> [09/Nov/2011:15:40:01 -0800] conn=30 op=4 EXT oid="2.16.840.1.113730.3.5.12"
> [09/Nov/2011:15:40:01 -0800] conn=30 op=4 RESULT err=0 tag=120 nentries=0 etime=0
> [09/Nov/2011:15:40:02 -0800] conn=29 op=2 SRCH base="cn=config" scope=2 filter="(&(nsDS5ReplicaHost=authdev1.qai.example.com)(|(objectClass=nsDSWindowsReplicationAgreement)(objectClass=nsds5ReplicationAgreement)))" attrs=ALL
> [09/Nov/2011:15:40:02 -0800] conn=29 op=2 RESULT err=0 tag=101 nentries=1 etime=0
> [09/Nov/2011:15:40:02 -0800] conn=29 op=3 MOD dn="cn=meToauthdev1.qai.example.com,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config"
> [09/Nov/2011:15:40:02 -0800] conn=29 op=3 RESULT err=0 tag=103 nentries=0 etime=0
> [09/Nov/2011:15:40:03 -0800] conn=29 op=4 MOD dn="cn=meToauthdev1.qai.example.com,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config"
> [09/Nov/2011:15:40:03 -0800] conn=29 op=4 RESULT err=0 tag=103 nentries=0 etime=0
> [09/Nov/2011:15:40:04 -0800] conn=29 op=5 SRCH base="cn=meToauthdev1.qai.example.com,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config" scope=0 filter="(objectClass=*)" attrs="cn nsds5replicaUpdateInProgress nsds5replicaLastUpdateStatus nsds5replicaLastUpdateStart nsds5replicaLastUpdateEnd"
> [09/Nov/2011:15:40:04 -0800] conn=29 op=5 RESULT err=0 tag=101 nentries=1 etime=0
> [09/Nov/2011:15:40:04 -0800] conn=29 op=6 SRCH base="dc=example,dc=com" scope=2 filter="(krbPrincipalName=ldap/authdev1.qai.example.com at example.COM)" attrs=ALL
> [09/Nov/2011:15:40:04 -0800] conn=29 op=6 RESULT err=0 tag=101 nentries=0 etime=0
> [09/Nov/2011:15:40:04 -0800] conn=29 op=7 UNBIND
> [09/Nov/2011:15:40:04 -0800] conn=29 op=7 fd=76 closed - U1
> [09/Nov/2011:15:40:08 -0800] conn=30 op=5 UNBIND
> [09/Nov/2011:15:40:08 -0800] conn=30 op=5 fd=75 closed - U1
> [09/Nov/2011:15:40:08 -0800] conn=31 fd=75 slot=75 connection from 10.230.6.100 to 10.230.6.96
> [09/Nov/2011:15:40:08 -0800] conn=31 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
> [09/Nov/2011:15:40:08 -0800] conn=31 op=0 RESULT err=0 tag=120 nentries=0 etime=0
> [09/Nov/2011:15:40:08 -0800] conn=31 SSL 256-bit AES
> [09/Nov/2011:15:40:08 -0800] conn=31 op=1 BIND dn="cn=replication manager,cn=config" method=128 version=3
> [09/Nov/2011:15:40:08 -0800] conn=31 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=replication manager,cn=config"
> [09/Nov/2011:15:40:08 -0800] conn=31 op=2 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedControl supportedExtension"
> [09/Nov/2011:15:40:08 -0800] conn=31 op=2 RESULT err=0 tag=101 nentries=1 etime=0
> [09/Nov/2011:15:40:08 -0800] conn=31 op=3 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedControl supportedExtension"
> [09/Nov/2011:15:40:08 -0800] conn=31 op=3 RESULT err=0 tag=101 nentries=1 etime=0
> [09/Nov/2011:15:40:08 -0800] conn=31 op=4 EXT oid="2.16.840.1.113730.3.5.12"
> [09/Nov/2011:15:40:08 -0800] conn=31 op=4 RESULT err=0 tag=120 nentries=0 etime=0
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Jr Aquino, GCIH, GWAPT | Sr. Information Security Specialist
> Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
> T: +1 805.690.3478
> jr.aquino at citrixonline.com
> http://www.citrixonline.com
>
> Access Your PC or Mac From Anywhere: www.gotomypc.com
> Online Meetings Made Easy: www.gotomeeting.com
> Web Events Made Easy: www.gotowebinar.com
> Remote Support Made Easy: www.gotoassist.com

From i.am.stack at gmail.com Thu Nov 10 03:21:02 2011
From: i.am.stack at gmail.com (~Stack~)
Date: Wed, 09 Nov 2011 21:21:02 -0600
Subject: [Freeipa-users] Version of IPA in Red Hat 6.2?
Message-ID: <4EBB431E.3040909@gmail.com>

There was mention in another thread that Red Hat 6.2 was soon to be released. I didn't feel it right to hijack that thread so I am posting a new one.

Does anyone know what version of IPA will be in 6.2? I dug around on their ftp site in the beta section [1] looking for SRPMS but I didn't see anything. Well they do have an ipa-client-2.0-2.el6.src.rpm but I didn't see anything for the server part. They have an IPA folder with a debug section but nothing of interest. I was unable to find anything about which version of the 389-ds they were going to have much less an SRPM.

[1] http://ftp.redhat.com/pub/redhat/linux/enterprise/beta/6Server/source/SRPMS/

I have heard from several sources that 6.2 was going to have a big push from Red Hat for IPA but I don't see it in the beta section. Am I looking in the wrong spot or am I going a bit daft and somehow not finding either 389-ds or IPA server in the beta section?

Thanks!
~Stack~
-------------- next part --------------
A non-text attachment was scrubbed...
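What Rich does by hand in the replication thread above, pairing the SRCH on conn=29 op=6 with the RESULT on the same conn/op and reading err=0 with nentries=0 as "found nothing", can be automated over a 389-ds access log. The block below is an added example in Python and is not FreeIPA or 389-ds code: the sample lines are constructed from the quoted master access log (with the '@' restored in the principal name), and the regexes, function names and the first_entry helper are this example's own. first_entry also illustrates the other point in that message, that a check for "is None" does not catch an empty result list, so the failure surfaces later as an IndexError on entries[0] instead of a clear error.

```python
import re

# Constructed sample: a few operations on conn=29 from the master access log
# quoted above.  The SSL/fd line has no op= and is skipped by the parser.
SAMPLE_LOG = """\
[09/Nov/2011:15:40:00 -0800] conn=29 fd=76 slot=76 SSL connection from 10.230.6.100 to 10.230.6.96
[09/Nov/2011:15:40:00 -0800] conn=29 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[09/Nov/2011:15:40:00 -0800] conn=29 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[09/Nov/2011:15:40:02 -0800] conn=29 op=2 SRCH base="cn=config" scope=2 filter="(&(nsDS5ReplicaHost=authdev1.qai.example.com)(|(objectClass=nsDSWindowsReplicationAgreement)(objectClass=nsds5ReplicationAgreement)))" attrs=ALL
[09/Nov/2011:15:40:02 -0800] conn=29 op=2 RESULT err=0 tag=101 nentries=1 etime=0
[09/Nov/2011:15:40:04 -0800] conn=29 op=6 SRCH base="dc=example,dc=com" scope=2 filter="(krbPrincipalName=ldap/authdev1.qai.example.com@example.COM)" attrs=ALL
[09/Nov/2011:15:40:04 -0800] conn=29 op=6 RESULT err=0 tag=101 nentries=0 etime=0
"""

# One access-log line: timestamp, conn, op, operation keyword, remainder.
# These patterns are this example's own, written for the line shapes above.
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<kind>[A-Z]+)(?P<rest>.*)$'
)
SRCH_RE = re.compile(r'base="(?P<base>[^"]*)" scope=(?P<scope>\d) filter="(?P<filter>[^"]*)"')
RESULT_RE = re.compile(r'err=(?P<err>\d+) tag=(?P<tag>\d+) nentries=(?P<nentries>\d+)')


def correlate_searches(log_text):
    """Pair each SRCH with the RESULT carrying the same (conn, op).

    Returns the searches in log order.  A search whose RESULT has not been
    logged yet keeps err=None and nentries=None, so an unfinished search is
    never mistaken for an empty one.
    """
    searches = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key = (int(m['conn']), int(m['op']))
        if m['kind'] == 'SRCH':
            s = SRCH_RE.search(m['rest'])
            if s:
                searches[key] = {
                    'conn': key[0], 'op': key[1], 'ts': m['ts'],
                    'base': s['base'], 'scope': int(s['scope']),
                    'filter': s['filter'], 'err': None, 'nentries': None,
                }
        elif m['kind'] == 'RESULT' and key in searches:
            r = RESULT_RE.search(m['rest'])
            if r:
                searches[key]['err'] = int(r['err'])
                searches[key]['nentries'] = int(r['nentries'])
    return list(searches.values())


def empty_searches(log_text, attr=None):
    """Searches that completed successfully (err=0) but matched nothing.

    err=0 with nentries=0 is the "not found" shape the thread is chasing.
    attr narrows the report to filters naming that attribute, for example
    "krbPrincipalName".
    """
    return [
        s for s in correlate_searches(log_text)
        if s['err'] == 0 and s['nentries'] == 0
        and (attr is None or attr.lower() in s['filter'].lower())
    ]


def first_entry(entries):
    """Return the first search result, refusing both None and [].

    Testing only "entries is None" lets an empty list through and the caller
    fails later with IndexError on entries[0], which is the traceback shape
    quoted above; refusing falsy input gives a clear error at the source.
    """
    if not entries:
        raise LookupError("search returned no entries")
    return entries[0]


if __name__ == '__main__':
    for s in empty_searches(SAMPLE_LOG, attr='krbPrincipalName'):
        print("conn=%d op=%d found nothing for %s under %s"
              % (s['conn'], s['op'], s['filter'], s['base']))
```

Run as a script it reports the one principal lookup that returned zero entries; call empty_searches(log_text) without attr to list every completed search that matched nothing, which is a quick way to spot missing entries when a replica install fails partway through.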
Name: signature.asc
Type: application/pgp-signature
Size: 262 bytes
Desc: OpenPGP digital signature
URL:

From chorn at fluxcoil.net Thu Nov 10 03:18:19 2011
From: chorn at fluxcoil.net (Christian Horn)
Date: Thu, 10 Nov 2011 04:18:19 +0100
Subject: [Freeipa-users] Version of IPA in Red Hat 6.2?
In-Reply-To: <4EBB431E.3040909@gmail.com>
References: <4EBB431E.3040909@gmail.com>
Message-ID: <20111110031819.GA26718@fluxcoil.net>

On Wed, Nov 09, 2011 at 09:21:02PM -0600, ~Stack~ wrote:
>
> Does anyone know what version of IPA will be in 6.2? I dug around on their ftp site in the beta section [1] looking for SRPMS but I didn't see anything. Well they do have an ipa-client-2.0-2.el6.src.rpm but I didn't see anything for the server part. They have an IPA folder with a debug section but nothing of interest. I was unable to find anything about which version of the 389-ds they were going to have much less an SRPM.

Versions of ipa-server in some of the RHEL6.2beta releases were mentioned on this list, i.e. here:
http://comments.gmane.org/gmane.linux.redhat.freeipa.user/2537 :
"I have just installed RHEL 6.2 beta, with ipa-server-2.1.1-4.el6.x86_64".

> I have heard from several sources that 6.2 was going to have a big push from Red Hat for IPA but I don't see it in the beta section.

This beta section contains 6.0 beta pieces, ipa was not part of 6.0.

Christian

From i.am.stack at gmail.com Thu Nov 10 12:33:41 2011
From: i.am.stack at gmail.com (~Stack~)
Date: Thu, 10 Nov 2011 06:33:41 -0600
Subject: [Freeipa-users] Version of IPA in Red Hat 6.2?
In-Reply-To: <20111110031819.GA26718@fluxcoil.net>
References: <4EBB431E.3040909@gmail.com> <20111110031819.GA26718@fluxcoil.net>
Message-ID: <4EBBC4A5.4070609@gmail.com>

> On 11/09/2011 09:18 PM, Christian Horn wrote:
>> On Wed, Nov 09, 2011 at 09:21:02PM -0600, ~Stack~ wrote:
>> Does anyone know what version of IPA will be in 6.2?
[snip]
>
> Versions of ipa-server in some of the RHEL6.2beta releases were mentioned on this list, i.e. here:
> http://comments.gmane.org/gmane.linux.redhat.freeipa.user/2537 :
> "I have just installed RHEL 6.2 beta, with ipa-server-2.1.1-4.el6.x86_64".

Ahha! I thought I had seen mention of it before on the list. I just couldn't find it. Thanks! I appreciate it.

>> I have heard from several sources that 6.2 was going to have a big push from Red Hat for IPA but I don't see it in the beta section.
>
> This beta section contains 6.0 beta pieces, ipa was not part of 6.0.

I see. So I was looking in the wrong spot. Thank you for your help!

~Stack~
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 262 bytes
Desc: OpenPGP digital signature
URL:

From Steven.Jones at vuw.ac.nz Thu Nov 10 20:14:27 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 10 Nov 2011 20:14:27 +0000
Subject: [Freeipa-users] Version of IPA in Red Hat 6.2?
In-Reply-To: <4EBBC4A5.4070609@gmail.com>
References: <4EBB431E.3040909@gmail.com> <20111110031819.GA26718@fluxcoil.net>,<4EBBC4A5.4070609@gmail.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E4049C005C6@STAWINCOX10MBX4.staff.vuw.ac.nz>

Hi

It will be in the 6.2beta channel....I am running it and yes it looks like it will be pushed by RH.......RH here in NZ seems keen for us to give it a go.....just have to convince my management who don't....... :/

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of ~Stack~ [i.am.stack at gmail.com]
Sent: Friday, 11 November 2011 1:33 a.m.
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Version of IPA in Red Hat 6.2?
> On 11/09/2011 09:18 PM, Christian Horn wrote:
>> On Wed, Nov 09, 2011 at 09:21:02PM -0600, ~Stack~ wrote:
>> Does anyone know what version of IPA will be in 6.2?
[snip]
>
> Versions of ipa-server in some of the RHEL6.2beta releases were mentioned on this list, i.e. here:
> http://comments.gmane.org/gmane.linux.redhat.freeipa.user/2537 :
> "I have just installed RHEL 6.2 beta, with ipa-server-2.1.1-4.el6.x86_64".

Ahha! I thought I had seen mention of it before on the list. I just couldn't find it. Thanks! I appreciate it.

>> I have heard from several sources that 6.2 was going to have a big push from Red Hat for IPA but I don't see it in the beta section.
>
> This beta section contains 6.0 beta pieces, ipa was not part of 6.0.

I see. So I was looking in the wrong spot. Thank you for your help!

~Stack~

From sigbjorn at nixtra.com Thu Nov 10 22:08:39 2011
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Thu, 10 Nov 2011 23:08:39 +0100
Subject: [Freeipa-users] Fedora 16 installer
Message-ID: <4EBC4B67.9020908@nixtra.com>

Hi,

I just installed Fedora 16 and noticed that there now was an option for using FreeIPA as authentication database. Awesome!

But why the normal ldap/kerberos options that met me when I chose FreeIPA (see the attachment). I was picturing auto-detection, and just a username and password, same as the simplified CLI installer.

Is this on the roadmap for the Fedora/RHEL installer?

And, what about IPA options for the "auth" kickstart directive?

Rgds,
Siggi
-------------- next part --------------
A non-text attachment was scrubbed...
Name: fedora_16_ipa_setup.png
Type: image/png
Size: 115285 bytes
Desc: not available
URL:

From Steven.Jones at vuw.ac.nz Thu Nov 10 22:27:03 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 10 Nov 2011 22:27:03 +0000
Subject: [Freeipa-users] I just setup replication
Message-ID: <833D8E48405E064EBC54C84EC6B36E4049C006AB@STAWINCOX10MBX4.staff.vuw.ac.nz>

Hi,

Is there anyway to prove its working properly?

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

From rcritten at redhat.com Thu Nov 10 23:00:19 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 10 Nov 2011 18:00:19 -0500
Subject: [Freeipa-users] I just setup replication
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E4049C006AB@STAWINCOX10MBX4.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E4049C006AB@STAWINCOX10MBX4.staff.vuw.ac.nz>
Message-ID: <4EBC5783.1010209@redhat.com>

Steven Jones wrote:
> Hi,
>
> Is there anyway to prove its working properly?

Add an entry (any entry) on one side and confirm it shows up almost immediately on the other system, and vice versa is how I usually smoke test it.

rob

From Steven.Jones at vuw.ac.nz Thu Nov 10 23:10:08 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 10 Nov 2011 23:10:08 +0000
Subject: [Freeipa-users] I just setup replication
In-Reply-To: <4EBC5783.1010209@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E4049C006AB@STAWINCOX10MBX4.staff.vuw.ac.nz>, <4EBC5783.1010209@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E4049C006E4@STAWINCOX10MBX4.staff.vuw.ac.nz>

How do I see it on the other side?

cli search for it?

Feel like I'm missing something obvious....

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________________
From: Rob Crittenden [rcritten at redhat.com]
Sent: Friday, 11 November 2011 12:00 p.m.
To: Steven Jones
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] I just setup replication

Steven Jones wrote:
> Hi,
>
> Is there anyway to prove its working properly?

Add an entry (any entry) on one side and confirm it shows up almost immediately on the other system, and vice versa is how I usually smoke test it.

rob

From dpal at redhat.com Thu Nov 10 23:32:24 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Thu, 10 Nov 2011 18:32:24 -0500
Subject: [Freeipa-users] I just setup replication
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E4049C006E4@STAWINCOX10MBX4.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E4049C006AB@STAWINCOX10MBX4.staff.vuw.ac.nz>, <4EBC5783.1010209@redhat.com> <833D8E48405E064EBC54C84EC6B36E4049C006E4@STAWINCOX10MBX4.staff.vuw.ac.nz>
Message-ID: <4EBC5F08.4060508@redhat.com>

On 11/10/2011 06:10 PM, Steven Jones wrote:
> How do I see it on the other side?
>
> cli search for it?
>
> Feel like im missing something obvious....
>

ipa user-add on one side
ipa user-find or ipa user-search on another

> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> ________________________________________
> From: Rob Crittenden [rcritten at redhat.com]
> Sent: Friday, 11 November 2011 12:00 p.m.
> To: Steven Jones
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] I just setup replication
>
> Steven Jones wrote:
>> Hi,
>>
>> Is there anyway to prove its working properly?
> Add an entry (any entry) on one side and confirm it shows up almost immediately on the other system, and vice versa is how I usually smoke test it.
>
> rob

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/ From abokovoy at redhat.com Fri Nov 11 06:09:04 2011 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Fri, 11 Nov 2011 08:09:04 +0200 Subject: [Freeipa-users] Fedora 16 installer In-Reply-To: <4EBC4B67.9020908@nixtra.com> References: <4EBC4B67.9020908@nixtra.com> Message-ID: <20111111060903.GC1762@redhat.com> On Thu, 10 Nov 2011, Sigbjorn Lie wrote: > I just installed Fedora 16 and noticed that there now was an option > for using FreeIPA as autentication database. Awesome! > > But why the normal ldap/kerberos options that met me when I chose > FreeIPA (see the attachment). I was picturing auto-detection, and > just a username and password, same as the simplified CLI installer. Looks like it wasn't finished well enough in time to release and re-used existing LDAP settings page. This is just my guess, this was done outside FreeIPA team. > Is this on the roadmap for the Fedora/RHEL installer? Would be nice, indeed. Could you please raise a bug for Fedora installer to improve 'FreeIPA authentication' settings page? And add me to the CC: list. -- / Alexander Bokovoy From sigbjorn at nixtra.com Fri Nov 11 11:48:18 2011 From: sigbjorn at nixtra.com (Sigbjorn Lie) Date: Fri, 11 Nov 2011 12:48:18 +0100 (CET) Subject: [Freeipa-users] Fedora 16 installer In-Reply-To: <20111111060903.GC1762@redhat.com> References: <4EBC4B67.9020908@nixtra.com> <20111111060903.GC1762@redhat.com> Message-ID: <27461.213.225.75.97.1321012098.squirrel@www.nixtra.com> On Fri, November 11, 2011 07:09, Alexander Bokovoy wrote: > On Thu, 10 Nov 2011, Sigbjorn Lie wrote: > >> I just installed Fedora 16 and noticed that there now was an option >> for using FreeIPA as autentication database. Awesome! >> >> But why the normal ldap/kerberos options that met me when I chose >> FreeIPA (see the attachment). I was picturing auto-detection, and >> just a username and password, same as the simplified CLI installer. 
> Looks like it wasn't finished well enough in time to release and > re-used existing LDAP settings page. This is just my guess, this was done outside FreeIPA team. > >> Is this on the roadmap for the Fedora/RHEL installer? >> > Would be nice, indeed. Could you please raise a bug for Fedora > installer to improve 'FreeIPA authentication' settings page? And add me to the CC: list. > Done. :) https://bugzilla.redhat.com/show_bug.cgi?id=753120 From sgallagh at redhat.com Fri Nov 11 13:59:46 2011 From: sgallagh at redhat.com (Stephen Gallagher) Date: Fri, 11 Nov 2011 08:59:46 -0500 Subject: [Freeipa-users] Fedora 16 installer In-Reply-To: <4EBC4B67.9020908@nixtra.com> References: <4EBC4B67.9020908@nixtra.com> Message-ID: <1321019986.2238.7.camel@sgallagh520.ipa.sgallagh.bos.redhat.com> On Thu, 2011-11-10 at 23:08 +0100, Sigbjorn Lie wrote: > Hi, > > I just installed Fedora 16 and noticed that there now was an option for > using FreeIPA as autentication database. Awesome! > > But why the normal ldap/kerberos options that met me when I chose > FreeIPA (see the attachment). I was picturing auto-detection, and just a > username and password, same as the simplified CLI installer. > > Is this on the roadmap for the Fedora/RHEL installer? > > And, what about IPA options for the "auth" kickstart directive? > That has actually been there since Fedora 14, and it's meant for use with FreeIPA v1, not v2. We do need to do something about that for F17, though. -------------- next part -------------- A non-text attachment was scrubbed... 
Name: signature.asc Type: application/pgp-signature Size: 198 bytes Desc: This is a digitally signed message part URL: From abokovoy at redhat.com Fri Nov 11 14:17:59 2011 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Fri, 11 Nov 2011 16:17:59 +0200 Subject: [Freeipa-users] Fedora 16 installer In-Reply-To: <1321019986.2238.7.camel@sgallagh520.ipa.sgallagh.bos.redhat.com> References: <4EBC4B67.9020908@nixtra.com> <1321019986.2238.7.camel@sgallagh520.ipa.sgallagh.bos.redhat.com> Message-ID: <20111111141758.GD1762@redhat.com> On Fri, 11 Nov 2011, Stephen Gallagher wrote: > > I just installed Fedora 16 and noticed that there now was an option for > > using FreeIPA as autentication database. Awesome! > > > > But why the normal ldap/kerberos options that met me when I chose > > FreeIPA (see the attachment). I was picturing auto-detection, and just a > > username and password, same as the simplified CLI installer. > > > > Is this on the roadmap for the Fedora/RHEL installer? > > > > And, what about IPA options for the "auth" kickstart directive? > > > > That has actually been there since Fedora 14, and it's meant for use > with FreeIPA v1, not v2. We do need to do something about that for F17, > though. Should installer schedule running ipa-client-install and enroll the machine? Many options can be re-used from the installer itself (hostname is known at this point, as well as how network was configured), so there is handful of things to discover. Though I would get discovery part of the ipa-client-install reused here -- like finding out kerberos setup via DNS and if that fails, show UI to enter all additional details, then schedule actual enrollment. 
-- / Alexander Bokovoy From simo at redhat.com Fri Nov 11 14:40:26 2011 From: simo at redhat.com (Simo Sorce) Date: Fri, 11 Nov 2011 09:40:26 -0500 Subject: [Freeipa-users] Fedora 16 installer In-Reply-To: <20111111141758.GD1762@redhat.com> References: <4EBC4B67.9020908@nixtra.com> <1321019986.2238.7.camel@sgallagh520.ipa.sgallagh.bos.redhat.com> <20111111141758.GD1762@redhat.com> Message-ID: <1321022426.20140.36.camel@willson.li.ssimo.org> On Fri, 2011-11-11 at 16:17 +0200, Alexander Bokovoy wrote: > On Fri, 11 Nov 2011, Stephen Gallagher wrote: > > > I just installed Fedora 16 and noticed that there now was an option for > > > using FreeIPA as autentication database. Awesome! > > > > > > But why the normal ldap/kerberos options that met me when I chose > > > FreeIPA (see the attachment). I was picturing auto-detection, and just a > > > username and password, same as the simplified CLI installer. > > > > > > Is this on the roadmap for the Fedora/RHEL installer? > > > > > > And, what about IPA options for the "auth" kickstart directive? > > > > > > > That has actually been there since Fedora 14, and it's meant for use > > with FreeIPA v1, not v2. We do need to do something about that for F17, > > though. > Should installer schedule running ipa-client-install and enroll the > machine? Many options can be re-used from the installer itself > (hostname is known at this point, as well as how network was > configured), so there is handful of things to discover. Hostname in many cases will probably be wrong (left to default localhost.localdomain) so we should detect if the host name is in the same domain as the ipa server and ask if the user wouldn't want to change is (suggesting the 'right' one). We would have to refuse to proceed if the hostname is localhost.localdomain or any combination where the host part is localhost and the domain part is localdomain. 
> Though I would get discovery part of the ipa-client-install reused > here -- like finding out kerberos setup via DNS and if that fails, > show UI to enter all additional details, then schedule > actual enrollment. The other problem here is that you may not have admin credentials. We will need to support using an enrollment password as well as just skip the join but otherwise configure the rest to work, and tell the user to call the admin to complete the join later (or maybe just skip it altogether). Simo. -- Simo Sorce * Red Hat, Inc * New York From abokovoy at redhat.com Fri Nov 11 14:44:35 2011 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Fri, 11 Nov 2011 16:44:35 +0200 Subject: [Freeipa-users] Fedora 16 installer In-Reply-To: <1321022426.20140.36.camel@willson.li.ssimo.org> References: <4EBC4B67.9020908@nixtra.com> <1321019986.2238.7.camel@sgallagh520.ipa.sgallagh.bos.redhat.com> <20111111141758.GD1762@redhat.com> <1321022426.20140.36.camel@willson.li.ssimo.org> Message-ID: <20111111144434.GF1762@redhat.com> On Fri, 11 Nov 2011, Simo Sorce wrote: > > Should installer schedule running ipa-client-install and enroll the > > machine? Many options can be re-used from the installer itself > > (hostname is known at this point, as well as how network was > > configured), so there is handful of things to discover. > > Hostname in many cases will probably be wrong (left to default > localhost.localdomain) so we should detect if the host name is in the > same domain as the ipa server and ask if the user wouldn't want to > change is (suggesting the 'right' one). We would have to refuse to > proceed if the hostname is localhost.localdomain or any combination > where the host part is localhost and the domain part is localdomain. Indeed -- what I was more about is getting hints from previous stages of installer like "DHCP is enabled and hostname is left default => need to ask to set precise name and whether to enable Dynamic DNS update", etc. 
> > Though I would get discovery part of the ipa-client-install reused > > here -- like finding out kerberos setup via DNS and if that fails, > > show UI to enter all additional details, then schedule > > actual enrollment. > > The other problem here is that you may not have admin credentials. > We will need to support using an enrollment password as well as just > skip the join but otherwise configure the rest to work, and tell the > user to call the admin to complete the join later (or maybe just skip it > altogether). Yes. OTP, or admin credentials, or "postpone". -- / Alexander Bokovoy From sigbjorn at nixtra.com Fri Nov 11 16:21:29 2011 From: sigbjorn at nixtra.com (Sigbjorn Lie) Date: Fri, 11 Nov 2011 17:21:29 +0100 Subject: [Freeipa-users] Fedora 16 installer In-Reply-To: <1321019986.2238.7.camel@sgallagh520.ipa.sgallagh.bos.redhat.com> References: <4EBC4B67.9020908@nixtra.com> <1321019986.2238.7.camel@sgallagh520.ipa.sgallagh.bos.redhat.com> Message-ID: <4EBD4B89.7070100@nixtra.com> On 11/11/2011 02:59 PM, Stephen Gallagher wrote: > On Thu, 2011-11-10 at 23:08 +0100, Sigbjorn Lie wrote: >> Hi, >> >> I just installed Fedora 16 and noticed that there now was an option for >> using FreeIPA as autentication database. Awesome! >> >> But why the normal ldap/kerberos options that met me when I chose >> FreeIPA (see the attachment). I was picturing auto-detection, and just a >> username and password, same as the simplified CLI installer. >> >> Is this on the roadmap for the Fedora/RHEL installer? >> >> And, what about IPA options for the "auth" kickstart directive? >> > That has actually been there since Fedora 14, and it's meant for use > with FreeIPA v1, not v2. We do need to do something about that for F17, > though. > Ah, ok. Thanks for clarifying. 
:) Rgds, Siggi From sigbjorn at nixtra.com Fri Nov 11 17:09:13 2011 From: sigbjorn at nixtra.com (Sigbjorn Lie) Date: Fri, 11 Nov 2011 18:09:13 +0100 Subject: [Freeipa-users] Fedora 16 installer In-Reply-To: <1321022426.20140.36.camel@willson.li.ssimo.org> References: <4EBC4B67.9020908@nixtra.com> <1321019986.2238.7.camel@sgallagh520.ipa.sgallagh.bos.redhat.com> <20111111141758.GD1762@redhat.com> <1321022426.20140.36.camel@willson.li.ssimo.org> Message-ID: <4EBD56B9.2090806@nixtra.com> On 11/11/2011 03:40 PM, Simo Sorce wrote: > On Fri, 2011-11-11 at 16:17 +0200, Alexander Bokovoy wrote: >> On Fri, 11 Nov 2011, Stephen Gallagher wrote: >>>> I just installed Fedora 16 and noticed that there now was an option for >>>> using FreeIPA as autentication database. Awesome! >>>> >>>> But why the normal ldap/kerberos options that met me when I chose >>>> FreeIPA (see the attachment). I was picturing auto-detection, and just a >>>> username and password, same as the simplified CLI installer. >>>> >>>> Is this on the roadmap for the Fedora/RHEL installer? >>>> >>>> And, what about IPA options for the "auth" kickstart directive? >>>> >>> That has actually been there since Fedora 14, and it's meant for use >>> with FreeIPA v1, not v2. We do need to do something about that for F17, >>> though. >> Should installer schedule running ipa-client-install and enroll the >> machine? Many options can be re-used from the installer itself >> (hostname is known at this point, as well as how network was >> configured), so there is handful of things to discover. > Hostname in many cases will probably be wrong (left to default > localhost.localdomain) so we should detect if the host name is in the > same domain as the ipa server and ask if the user wouldn't want to > change is (suggesting the 'right' one). We would have to refuse to > proceed if the hostname is localhost.localdomain or any combination > where the host part is localhost and the domain part is localdomain. 
> >> Though I would get discovery part of the ipa-client-install reused >> here -- like finding out kerberos setup via DNS and if that fails, >> show UI to enter all additional details, then schedule >> actual enrollment. > The other problem here is that you may not have admin credentials. > We will need to support using an enrollment password as well as just > skip the join but otherwise configure the rest to work, and tell the > user to call the admin to complete the join later (or maybe just skip it > altogether). > I don't use the $ currency, but here's my 0.02 NOK. :) Keep it simple. If the hostname is not resolvable and not specified as a known IPA DNS domain -> fail with error message. Not enough permissions to complete enrollment -> fail with error message. Rgds, Siggi From g17jimmy at gmail.com Fri Nov 11 20:11:31 2011 From: g17jimmy at gmail.com (Jimmy) Date: Fri, 11 Nov 2011 15:11:31 -0500 Subject: [Freeipa-users] synchronizing with AD Message-ID: I am trying to get FreeIPA synchronizing with AD. The instructions I have found on the web go through setting up SSL for passsync, but they all reference installing the CA cert from the Directory Server without specifying how to go about getting the DS CA cert. I found a couple links on how to export the CA cert but they didn't work as described. (step 'f' in this link) https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/Setting_up_Active_Directory.html# -------------- next part -------------- An HTML attachment was scrubbed... URL: From rmeggins at redhat.com Fri Nov 11 20:33:43 2011 From: rmeggins at redhat.com (Rich Megginson) Date: Fri, 11 Nov 2011 13:33:43 -0700 Subject: [Freeipa-users] synchronizing with AD In-Reply-To: References: Message-ID: <4EBD86A7.1040309@redhat.com> On 11/11/2011 01:11 PM, Jimmy wrote: > I am trying to get FreeIPA synchronizing with AD. 
> The instructions I have found on the web go through setting up SSL for passsync, but they all reference installing the CA cert from the Directory Server without specifying how to go about getting the DS CA cert. I found a couple links on how to export the CA cert but they didn't work as described.
>
> (step 'f' in this link)
> https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/Setting_up_Active_Directory.html#

Step f isn't necessary. And it is usually not necessary to manually setup AD for SSL. If you install the Microsoft Cert System in Enterprise Root CA mode, it will usually create and install the AD SSL cert automatically.

This link
http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#Configuring_Windows_Sync-Install_the_Password_Sync_Service
explains a bit more about how to set up PassSync to use SSL to talk to IPA (i.e. how and where to install the IPA CA cert for use by PassSync). Note that AD itself doesn't talk to IPA - it's only the PassSync "AD plugin" that talks to IPA, and only for the purpose of sending the clear text password changes from AD to IPA.

From borepstein at gmail.com Fri Nov 11 20:52:07 2011
From: borepstein at gmail.com (Boris Epstein)
Date: Fri, 11 Nov 2011 15:52:07 -0500
Subject: [Freeipa-users] Kerberos authentication setup
Message-ID:

Hello all,

I've got my FreeIPA seemingly running on a Fedora 16 machine but I can not log into it from a browser as I get the "Your kerberos ticket is no longer valid." message. So the question is: is there a good guide on how to set up the Kerberos components involved?

Thanks.

Boris.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From dpal at redhat.com Fri Nov 11 21:18:43 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 11 Nov 2011 16:18:43 -0500
Subject: [Freeipa-users] Kerberos authentication setup
In-Reply-To:
References:
Message-ID: <4EBD9133.9060808@redhat.com>

On 11/11/2011 03:52 PM, Boris Epstein wrote:
> Hello all,
>
> I've got my FreeIPA seemingly running on a Fedora 16 machine but I can not log into it from a browser as I get the "Your kerberos ticket is no longer valid." message. So the question is: is there a good guide on how to set up the Kerberos components involved?

Do you use browser from the same machine as your server or different? Is it a Linux machine? What is the browser you are using?

The procedure is (on server):
1) Install server
2) kinit admin (or other user you want to use that you added)
3) start browser
4) follow the prompts reading carefully - accept certs and let the browser configuration script run
5) Enjoy the UI

On non server:
1) Install client
2) kinit admin (or other user you want to use that you added)
3) start browser on that machine
4) follow the prompts reading carefully - accept certs and let the browser configuration script run
5) Enjoy the UI

If you are trying to access it from a machine that is not a member of the domain you have to go to IPA and allow basic auth but we do not recommend it as it is insecure.

> Thanks.
>
> Boris.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-------------- next part --------------
An HTML attachment was scrubbed...
From g17jimmy at gmail.com Fri Nov 11 21:23:25 2011
From: g17jimmy at gmail.com (Jimmy)
Date: Fri, 11 Nov 2011 16:23:25 -0500
Subject: [Freeipa-users] synchronizing with AD
In-Reply-To: <4EBD86A7.1040309@redhat.com>
References: <4EBD86A7.1040309@redhat.com>
Message-ID:

I do have the AD SSL cert installed, but from how I read it, I need to install the cert from the FreeIPA DS into the Windows AD certificate store.

On Fri, Nov 11, 2011 at 3:33 PM, Rich Megginson wrote:
> Step f isn't necessary. And it is usually not necessary to manually set up AD for SSL. If you install the Microsoft Cert System in Enterprise Root CA mode, it will usually create and install the AD SSL cert automatically.
>
> This link
> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#Configuring_Windows_Sync-Install_the_Password_Sync_Service
> explains a bit more about how to set up PassSync to use SSL to talk to IPA (i.e. how and where to install the IPA CA cert for use by PassSync). Note that AD itself doesn't talk to IPA - it's only the PassSync "AD plugin" that talks to IPA, and only for the purpose of sending the clear text password changes from AD to IPA.
From rmeggins at redhat.com Fri Nov 11 21:31:30 2011
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 11 Nov 2011 14:31:30 -0700
Subject: [Freeipa-users] synchronizing with AD
In-Reply-To:
References: <4EBD86A7.1040309@redhat.com>
Message-ID: <4EBD9432.2060701@redhat.com>

On 11/11/2011 02:23 PM, Jimmy wrote:
> I do have the AD SSL cert installed, but from how I read it, I need to install the cert from the FreeIPA DS into the Windows AD certificate store.

Perhaps for something else, but for windows sync/passsync, you do not need to install the cert from the FreeIPA DS into the Windows AD certificate store.
From ayoung at redhat.com Fri Nov 11 21:33:33 2011
From: ayoung at redhat.com (Adam Young)
Date: Fri, 11 Nov 2011 16:33:33 -0500
Subject: [Freeipa-users] Kerberos authentication setup
In-Reply-To:
References:
Message-ID: <4EBD94AD.5070004@redhat.com>

On 11/11/2011 03:52 PM, Boris Epstein wrote:
> Hello all,
>
> I've got my FreeIPA seemingly running on a Fedora 16 machine but I cannot log into it from a browser as I get the "Your kerberos ticket is no longer valid." message. So the question is: is there a good guide on how to set up the Kerberos components involved?

You will get this error for numerous reasons. If any of the security mechanisms are not in place, that is the only error message that will get through.

1. You need to accept the CA cert
2. You need to accept the server cert...this will be automatic if you have the CA cert.
3. You need to configure your browser and accept the config options that allow ticket forwarding

All this is done by clicking through the options from the link in the same window as the Kerberos error message you mention.

If you've been through all this, then the problem is likely that you do not have Kerberos set up on the machine running the browser, or you do not have a ticket. Assuming the browser is running on the IPA server, running kinit will be sufficient. If you installed IPA on a machine that has no X server, and you need to run the browser on a remote machine to talk to it, please follow the steps to set up the remote machine as an ipa-client. That will get the Kerberos ticket set up for you.

> Thanks.
>
> Boris.
From borepstein at gmail.com Fri Nov 11 21:50:41 2011
From: borepstein at gmail.com (Boris Epstein)
Date: Fri, 11 Nov 2011 16:50:41 -0500
Subject: [Freeipa-users] Kerberos authentication setup
In-Reply-To: <4EBD9133.9060808@redhat.com>
References: <4EBD9133.9060808@redhat.com>
Message-ID:

On Fri, Nov 11, 2011 at 4:18 PM, Dmitri Pal wrote:
> On 11/11/2011 03:52 PM, Boris Epstein wrote:
>
> Hello all,
> I've got my FreeIPA seemingly running on a Fedora 16 machine but I cannot log into it from a browser as I get the "Your kerberos ticket is no longer valid." message. So the question is: is there a good guide on how to set up the Kerberos components involved?
>
> Do you use the browser on the same machine as your server or on a different one?
> Is it a Linux machine?
> What browser are you using?
>
> The procedure is (on the server):
> 1) Install the server
> 2) kinit admin (or another user you want to use that you added)
> 3) Start the browser
> 4) Follow the prompts, reading carefully - accept the certs and let the browser configuration script run
> 5) Enjoy the UI
>
> On a non-server machine:
> 1) Install the client
> 2) kinit admin (or another user you want to use that you added)
> 3) Start the browser on that machine
> 4) Follow the prompts, reading carefully - accept the certs and let the browser configuration script run
> 5) Enjoy the UI
>
> If you are trying to access it from a machine that is not a member of the domain you have to go to IPA and allow basic auth, but we do not recommend it as it is insecure.
>
> Thanks.
> Boris.
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IPA project,
> Red Hat Inc.

Dmitry,

We intend to have this on a secure network so how do I enable basic authentication?

And thanks for all your help.

Boris.

From ayoung at redhat.com Fri Nov 11 21:51:37 2011
From: ayoung at redhat.com (Adam Young)
Date: Fri, 11 Nov 2011 16:51:37 -0500
Subject: [Freeipa-users] Kerberos authentication setup
In-Reply-To:
References: <4EBD9133.9060808@redhat.com>
Message-ID: <4EBD98E9.5030609@redhat.com>

On 11/11/2011 04:50 PM, Boris Epstein wrote:
> On Fri, Nov 11, 2011 at 4:18 PM, Dmitri Pal wrote:
>> If you are trying to access it from a machine that is not a member of the domain you have to go to IPA and allow basic auth, but we do not recommend it as it is insecure.
>
> Dmitry,
>
> We intend to have this on a secure network so how do I enable basic authentication?
>
> And thanks for all your help.
>
> Boris.

ipa-httpd-dekerb () {
    # Switch the IPA web UI from Kerberos-only to also accepting passwords
    # (KrbMethodK5Passwd on) and restart httpd. $IPASERVER must hold the
    # IPA server's hostname; the edit runs as root on that server over ssh.
    ssh root@"$IPASERVER" "sed 's!KrbMethodK5Passwd off!KrbMethodK5Passwd on!' \
        < /etc/httpd/conf.d/ipa.conf > /etc/httpd/conf.d/ipa.conf.new ; \
        mv /etc/httpd/conf.d/ipa.conf.new /etc/httpd/conf.d/ipa.conf ; \
        service httpd restart"
}

From rcritten at redhat.com Fri Nov 11 21:55:03 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 11 Nov 2011 16:55:03 -0500
Subject: [Freeipa-users] synchronizing with AD
In-Reply-To: <4EBD9432.2060701@redhat.com>
References: <4EBD86A7.1040309@redhat.com> <4EBD9432.2060701@redhat.com>
Message-ID: <4EBD99B7.2090300@redhat.com>

Rich Megginson wrote:
> On 11/11/2011 02:23 PM, Jimmy wrote:
>> I do have the AD SSL cert installed, but from how I read it, I need to install the cert from the FreeIPA DS into the Windows AD certificate store.
> Perhaps for something else, but for windows sync/passsync, you do not need to install the cert from the FreeIPA DS into the Windows AD certificate store.

Right, you just need to install it in the PassSync NSS database.

rob

From rcritten at redhat.com Fri Nov 11 21:56:58 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 11 Nov 2011 16:56:58 -0500
Subject: [Freeipa-users] Kerberos authentication setup
In-Reply-To:
References: <4EBD9133.9060808@redhat.com>
Message-ID: <4EBD9A2A.7010603@redhat.com>

Boris Epstein wrote:
> On Fri, Nov 11, 2011 at 4:18 PM, Dmitri Pal wrote:
>> If you are trying to access it from a machine that is not a member of the domain you have to go to IPA and allow basic auth, but we do not recommend it as it is insecure.
>
> Dmitry,
>
> We intend to have this on a secure network so how do I enable basic authentication?
>
> And thanks for all your help.

Basic auth defeats the benefits of single sign-on, I would not recommend it.

If you are using Firefox then getting this set up is usually just a one-time bit of pain and then SSO goodness from then on. The beauty is you can extend it to all your other apps and get away from sending your passwords all over the place.

rob

From borepstein at gmail.com Fri Nov 11 22:12:42 2011
From: borepstein at gmail.com (Boris Epstein)
Date: Fri, 11 Nov 2011 17:12:42 -0500
Subject: [Freeipa-users] importing old NIS passwd/group maps into Free IPA
Message-ID:

Hello all,

The question is in the subject. Is there an established, reliable way of doing that?

Thanks.

Boris.

From sigbjorn at nixtra.com Sat Nov 12 14:55:33 2011
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Sat, 12 Nov 2011 15:55:33 +0100
Subject: [Freeipa-users] sssd not updating reverse dns
Message-ID: <4EBE88E5.5040603@nixtra.com>

Hi,

I notice that when sssd is configured to update DNS, it's only updating the DNS forward zone, it's not updating the DNS reverse zone. And I cannot find any option for enabling updating of the reverse dns zone.

Have I missed something? Or is updating the reverse zone not supported?

Rgds,
Siggi

From sigbjorn at nixtra.com Sat Nov 12 15:10:37 2011
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Sat, 12 Nov 2011 16:10:37 +0100
Subject: [Freeipa-users] sssd not updating reverse dns
In-Reply-To: <4EBE88E5.5040603@nixtra.com>
References: <4EBE88E5.5040603@nixtra.com>
Message-ID: <4EBE8C6D.50405@nixtra.com>

On 11/12/2011 03:55 PM, Sigbjorn Lie wrote:
> Hi,
>
> I notice that when sssd is configured to update DNS, it's only updating the DNS forward zone, it's not updating the DNS reverse zone. And I cannot find any option for enabling updating of the reverse dns zone.
>
> Have I missed something? Or is updating the reverse zone not supported?

When I restarted SSSD on one of the clients, named crashed on one of my ipa servers with the output below in the messages log file.
Nov 12 16:01:02 ipa01 named[2770]: client 2021:472:dcdd:10:a00:27ff:fe0c:8283#55995: updating zone 'ix.test.com/IN': deleting rrset at 'client8.ix.test.com' A
Nov 12 16:01:03 ipa01 named[2770]: zone ix.test.com/IN: sending notifies (serial 2012)
Nov 12 16:01:03 ipa01 named[2770]: client 2021:472:dcdd:10:a00:27ff:fe0c:8283#44246: updating zone 'ix.test.com/IN': deleting rrset at 'client8.ix.test.com' AAAA
Nov 12 16:01:03 ipa01 named[2770]: client 2021:472:dcdd:10:a00:27ff:fe0c:8283#39501: updating zone 'ix.test.com/IN': adding an RR at 'client8.ix.test.com' A
Nov 12 16:01:03 ipa01 named[2770]: rdata.c:814: REQUIRE(rdata != ((void *)0)) failed, back trace
Nov 12 16:01:03 ipa01 named[2770]: #0 0x7f3cc069145b in ??
Nov 12 16:01:03 ipa01 named[2770]: #1 0x7f3cbe9426da in ??
Nov 12 16:01:03 ipa01 named[2770]: #2 0x7f3cbff607ad in ??
Nov 12 16:01:03 ipa01 named[2770]: #3 0x7f3cba5cf218 in ??
Nov 12 16:01:03 ipa01 named[2770]: #4 0x7f3cba5d2fe0 in ??
Nov 12 16:01:03 ipa01 named[2770]: #5 0x7f3cba5cd758 in ??
Nov 12 16:01:03 ipa01 named[2770]: #6 0x7f3cbfee502b in ??
Nov 12 16:01:03 ipa01 named[2770]: #7 0x7f3cc06af84d in ??
Nov 12 16:01:03 ipa01 named[2770]: #8 0x7f3cc06b4824 in ??
Nov 12 16:01:03 ipa01 named[2770]: #9 0x7f3cbe9618c8 in ??
Nov 12 16:01:03 ipa01 named[2770]: #10 0x7f3cbe318b31 in ??
Nov 12 16:01:03 ipa01 named[2770]: #11 0x7f3cbd860d2d in ??
Nov 12 16:01:03 ipa01 named[2770]: exiting (due to assertion failure)
Nov 12 16:01:03 ipa01 systemd[1]: named.service: main process exited, code=killed, status=6
Nov 12 16:04:50 ipa01 systemd[1]: Unit named.service entered failed state.
From simo at redhat.com Sun Nov 13 13:48:17 2011
From: simo at redhat.com (Simo Sorce)
Date: Sun, 13 Nov 2011 08:48:17 -0500
Subject: [Freeipa-users] sssd not updating reverse dns
In-Reply-To: <4EBE88E5.5040603@nixtra.com>
References: <4EBE88E5.5040603@nixtra.com>
Message-ID: <1321192097.17066.4.camel@willson.li.ssimo.org>

On Sat, 2011-11-12 at 15:55 +0100, Sigbjorn Lie wrote:
> Hi,
>
> I notice that when sssd is configured to update DNS, it's only updating the DNS forward zone, it's not updating the DNS reverse zone. And I cannot find any option for enabling updating of the reverse dns zone.
>
> Have I missed something? Or is updating the reverse zone not supported?

It is not supported at this time.
While we have a way to determine if your host has any right to update the machine A/AAAA name because we can check if the host authenticated using a key of type host/@REALM we have no way to validate that a host has any right to update a PTR record.

Allowing a host to change any PTR record in any reverse zone would be very disruptive as a compromised host could change PTR records for important servers.

We are trying to make sure (patches, configurations) that reverse resolution is disabled for kerberos and canonicalization does not use it by default as it is unreliable in any case.

HTH,
Simo.

--
Simo Sorce * Red Hat, Inc * New York

From simo at redhat.com Sun Nov 13 13:49:10 2011
From: simo at redhat.com (Simo Sorce)
Date: Sun, 13 Nov 2011 08:49:10 -0500
Subject: [Freeipa-users] sssd not updating reverse dns
In-Reply-To: <4EBE8C6D.50405@nixtra.com>
References: <4EBE88E5.5040603@nixtra.com> <4EBE8C6D.50405@nixtra.com>
Message-ID: <1321192150.17066.5.camel@willson.li.ssimo.org>

On Sat, 2011-11-12 at 16:10 +0100, Sigbjorn Lie wrote:
> On 11/12/2011 03:55 PM, Sigbjorn Lie wrote:
> > Hi,
> >
> > I notice that when sssd is configured to update DNS, it's only updating the DNS forward zone, it's not updating the DNS reverse zone. And I cannot find any option for enabling updating of the reverse dns zone.
> >
> > Have I missed something? Or is updating the reverse zone not supported?
>
> When I restarted SSSD on one of the clients, named crashed on one of my ipa servers with the output below in the messages log file.
Can you please install debuginfo packages for named and bind-dyndb-ldap, reproduce and open a bug against the bind-dyndb-ldap component. We'll want to fix this issue ASAP.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From sigbjorn at nixtra.com Sun Nov 13 18:19:02 2011
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Sun, 13 Nov 2011 19:19:02 +0100
Subject: [Freeipa-users] sssd not updating reverse dns
In-Reply-To: <1321192097.17066.4.camel@willson.li.ssimo.org>
References: <4EBE88E5.5040603@nixtra.com> <1321192097.17066.4.camel@willson.li.ssimo.org>
Message-ID: <4EC00A16.8020506@nixtra.com>

On 11/13/2011 02:48 PM, Simo Sorce wrote:
> On Sat, 2011-11-12 at 15:55 +0100, Sigbjorn Lie wrote:
>> Hi,
>>
>> I notice that when sssd is configured to update DNS, it's only updating the DNS forward zone, it's not updating the DNS reverse zone. And I cannot find any option for enabling updating of the reverse dns zone.
>>
>> Have I missed something? Or is updating the reverse zone not supported?
> It is not supported at this time.
> While we have a way to determine if your host has any right to update the machine A/AAAA name because we can check if the host authenticated using a key of type host/@REALM we have no way to validate that a host has any right to update a PTR record.
>
> Allowing a host to change any PTR record in any reverse zone would be very disruptive as a compromised host could change PTR records for important servers.
>
Ok, I see the issue.

I notice ISC dhcpd adds a TXT record along with the updated record with a string that identifies that host record as being "owned" by that dhcpd. And it does not attempt to update DNS if it cannot validate the content of the TXT record, or if there already exists a record without a corresponding TXT record.

Perhaps a similar approach could be applied to IPA? Using attributes in the LDAP DNS tree instead of TXT records.. ?
> We are trying to make sure (patches, configurations) that reverse resolution is disabled for kerberos and canonicalization does not use it by default as it is unreliable in any case.

Yes, I've noticed. :) Authentication based on forward/reverse lookups aside, being able to look up reverse IP records does help troubleshooting. And it becomes almost a requirement for being able to manage IPv6 networks.

It would be very nice to see reverse address update implemented in SSSD at some point. Is there already an open RFE?

Rgds,
Siggi

From sigbjorn at nixtra.com Sun Nov 13 18:26:20 2011
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Sun, 13 Nov 2011 19:26:20 +0100
Subject: [Freeipa-users] sssd not updating reverse dns
In-Reply-To: <1321192150.17066.5.camel@willson.li.ssimo.org>
References: <4EBE88E5.5040603@nixtra.com> <4EBE8C6D.50405@nixtra.com> <1321192150.17066.5.camel@willson.li.ssimo.org>
Message-ID: <4EC00BCC.5070408@nixtra.com>

On 11/13/2011 02:49 PM, Simo Sorce wrote:
> On Sat, 2011-11-12 at 16:10 +0100, Sigbjorn Lie wrote:
>> On 11/12/2011 03:55 PM, Sigbjorn Lie wrote:
>>> Hi,
>>>
>>> I notice that when sssd is configured to update DNS, it's only updating the DNS forward zone, it's not updating the DNS reverse zone. And I cannot find any option for enabling updating of the reverse dns zone.
>>>
>>> Have I missed something? Or is updating the reverse zone not supported?
>>>
>> When I restarted SSSD on one of the clients, named crashed on one of my ipa servers with the output below in the messages log file.
>>
> Can you please install debuginfo packages for named and bind-dyndb-ldap, reproduce and open a bug against the bind-dyndb-ldap component. We'll want to fix this issue ASAP.
>
> Simo.
>
Ok, I've done that. I will let you know if/when it happens again.
I also noticed that the "ipactl status" command still displayed "DNS Service: RUNNING", even though the DNS service had crashed.

Rgds,
Siggi

From sgallagh at redhat.com Mon Nov 14 12:40:33 2011
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Mon, 14 Nov 2011 07:40:33 -0500
Subject: [Freeipa-users] sssd not updating reverse dns
In-Reply-To: <4EC00A16.8020506@nixtra.com>
References: <4EBE88E5.5040603@nixtra.com> <1321192097.17066.4.camel@willson.li.ssimo.org> <4EC00A16.8020506@nixtra.com>
Message-ID: <1321274433.2315.9.camel@sgallagh520.ipa.sgallagh.bos.redhat.com>

On Sun, 2011-11-13 at 19:19 +0100, Sigbjorn Lie wrote:
> On 11/13/2011 02:48 PM, Simo Sorce wrote:
> > It is not supported at this time.
> > While we have a way to determine if your host has any right to update the machine A/AAAA name because we can check if the host authenticated using a key of type host/@REALM we have no way to validate that a host has any right to update a PTR record.
> >
> > Allowing a host to change any PTR record in any reverse zone would be very disruptive as a compromised host could change PTR records for important servers.
> >
> Ok, I see the issue.
>
> I notice ISC dhcpd adds a TXT record along with the updated record with a string that identifies that host record as being "owned" by that dhcpd. And it does not attempt to update DNS if it cannot validate the content of the TXT record, or if there already exists a record without a corresponding TXT record.
>
> Perhaps a similar approach could be applied to IPA? Using attributes in the LDAP DNS tree instead of TXT records.. ?
>

SSSD doesn't use LDAP in any way while updating the DNS records. We actually just use GSS-TSIG to speak directly to the DNS server. We suggested using XML-RPC communication to the FreeIPA server at one point, but we decided that it was probably for the best to just stick with the standardized approach for now.

The flip side of this is, of course, that we cannot update the PTR records (due to the security risks that Simo pointed out). So maybe we should consider putting this back on the table.

> > We are trying to make sure (patches, configurations) that reverse resolution is disabled for kerberos and canonicalization does not use it by default as it is unreliable in any case.
> Yes, I've noticed. :) Authentication based on forward/reverse lookups aside, being able to look up reverse IP records does help troubleshooting. And it becomes almost a requirement for being able to manage IPv6 networks.
>
> It would be very nice to see reverse address update implemented in SSSD at some point. Is there already an open RFE?

There is no RFE for this yet. Please feel free to open one at https://fedorahosted.org/sssd
Name: signature.asc Type: application/pgp-signature Size: 198 bytes Desc: This is a digitally signed message part URL: From simo at redhat.com Mon Nov 14 14:30:07 2011 From: simo at redhat.com (Simo Sorce) Date: Mon, 14 Nov 2011 09:30:07 -0500 Subject: [Freeipa-users] sssd not updating reverse dns In-Reply-To: <1321274433.2315.9.camel@sgallagh520.ipa.sgallagh.bos.redhat.com> References: <4EBE88E5.5040603@nixtra.com> <1321192097.17066.4.camel@willson.li.ssimo.org> <4EC00A16.8020506@nixtra.com> <1321274433.2315.9.camel@sgallagh520.ipa.sgallagh.bos.redhat.com> Message-ID: <1321281007.17066.55.camel@willson.li.ssimo.org> On Mon, 2011-11-14 at 07:40 -0500, Stephen Gallagher wrote: > On Sun, 2011-11-13 at 19:19 +0100, Sigbjorn Lie wrote: > > On 11/13/2011 02:48 PM, Simo Sorce wrote: > > > On Sat, 2011-11-12 at 15:55 +0100, Sigbjorn Lie wrote: > > >> Hi, > > >> > > >> I notice that when sssd is configured to update DNS, it's only updating > > >> the DNS forward zone, it's not updating the DNS reverse zone. And I > > >> cannot find any option for enabling updating of the reverse dns zone. > > >> > > >> Have I missed something? Or is updating the reverse zone not supported? > > > It is not supported at this time. > > > While we have a way to determine if your host has any right to update > > > the machine A/AAAA name because we can check if the host authenticated > > > using a key of type host/@REALM we have no way to validate that > > > a host has any right to update a PTR record. > > > > > > Allowing a host to change any PTR record in any reverse zone would be > > > very disruptive as a compromised host could change PTR records for > > > important servers. > > > > > Ok, I see the issue. > > > > I notice ISC dhcpd adds a TXT record along with the updated record with > > a string that identifies that host record being "owned" by that dhcpd. 
> > And it does not attempt to update DNS if it cannot validate the content
> > of the TXT record, or there already exists a record without a
> > corresponding TXT record.
> >
> > Perhaps a similar approach could be applied to IPA? Using attributes in
> > the LDAP DNS tree instead of TXT records.. ?
> >
> SSSD doesn't use LDAP in any way while updating the DNS records. We
> actually just use GSS-TSIG to speak directly to the DNS server. We
> suggested using XML-RPC communication to the FreeIPA server at one
> point, but we decided that it was probably for the best to just stick
> with the standardized approach for now.
>
> The flip side of this is, of course, that we cannot update the PTR
> records (due to the security risks that Simo pointed out). So maybe we
> should consider putting this back on the table.

No, we made some vague plan to have a config option in LDAP and let bind-dyndb-ldap autonomously change the PTR record if the A/AAAA record change was successful and we do control the reverse. This has one downside, which is that the same DNS server must be authoritative for and manage both direct and reverse maps, but it allows for a simpler client side.

Simo.
-- Simo Sorce * Red Hat, Inc * New York From danieljamesscott at gmail.com Mon Nov 14 14:42:59 2011 From: danieljamesscott at gmail.com (Dan Scott) Date: Mon, 14 Nov 2011 09:42:59 -0500 Subject: [Freeipa-users] Fedora 16 failing to start dirsrv process Message-ID: Hi, I've just upgraded a server from Fedora 15 to 16 and I'm having problems starting the dirsrv process: /var/log/messages Nov 14 09:38:27 fileserver1 ipactl[1351]: Failed to read data from Directory Service: Unknown error when retrieving list of services from LDAP: [Errno 2] No such file or directory Nov 14 09:38:27 fileserver1 ipactl[1351]: Shutting down Nov 14 09:38:27 fileserver1 ipactl[1351]: Starting Directory Service Nov 14 09:38:27 fileserver1 systemd[1]: ipa.service: main process exited, code=exited, status=1 Nov 14 09:38:27 fileserver1 systemd[1]: Unit ipa.service entered failed state. The /var/log/dirsrv/slapd-EXAMPLE-COM/errors file contains no new entries since Friday 11th. Any ideas how I can get this fixed? How can I find out which 'file or directory' is missing? 
Thanks, Dan From abokovoy at redhat.com Mon Nov 14 15:19:24 2011 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Mon, 14 Nov 2011 17:19:24 +0200 Subject: [Freeipa-users] Fedora 16 failing to start dirsrv process In-Reply-To: References: Message-ID: <20111114151923.GB3927@redhat.com> On Mon, 14 Nov 2011, Dan Scott wrote: > Hi, > > I've just upgraded a server from Fedora 15 to 16 and I'm having > problems starting the dirsrv process: > > /var/log/messages > Nov 14 09:38:27 fileserver1 ipactl[1351]: Failed to read data from > Directory Service: Unknown error when retrieving list of services from > LDAP: [Errno 2] No such file or directory > Nov 14 09:38:27 fileserver1 ipactl[1351]: Shutting down > Nov 14 09:38:27 fileserver1 ipactl[1351]: Starting Directory Service > Nov 14 09:38:27 fileserver1 systemd[1]: ipa.service: main process > exited, code=exited, status=1 > Nov 14 09:38:27 fileserver1 systemd[1]: Unit ipa.service entered failed state. > > The /var/log/dirsrv/slapd-EXAMPLE-COM/errors file contains no new > entries since Friday 11th. > > Any ideas how I can get this fixed? How can I find out which 'file or > directory' is missing? Looks like LDAP socket is not yet available at the time we try to contact it. I think this was fixed in Fedora 16 package with this patch: http://git.fedorahosted.org/git/?p=freeipa.git;a=commitdiff;h=5451328bc55fe964c61e7b87959310f9c6748cf8 Could you make sure 'systemctl start dirsrv.target' actually starts slapd for EXAMPLE-COM? If not, please show output of ls -l /etc/systemd/system/dirsrv.target.wants It may be that we would need to make a small upgrade script that re-installs proper systemd instances for dirsrv.target as those are produced during ipa-server-install and cannot be done automatically on upgrade without proper intervention yet. Fedora 15 to Fedora 16 upgrade is a bit complicated due to change from System V to systemd. 
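The wiring Alexander asks Dan to inspect by hand, as an added checking script that is not FreeIPA or 389-ds code: it lists the slapd-* instances under /etc/dirsrv, compares them with the dirsrv@NAME.service symlinks in /etc/systemd/system/dirsrv.target.wants that dirsrv.target pulls in, and checks the keytab setting the rest of this thread ends up chasing (KRB5_KTNAME in /etc/sysconfig/dirsrv pointing at /etc/dirsrv/ds.keytab, owned by the account slapd runs as). The `root` argument and `make_fixture()` exist so the checks can be tried against a constructed tree instead of the live system; the expected owner dirsrv:dirsrv and the 0600 mode are assumptions about a standard install, and /etc/krb5.keytab as the fallback when KRB5_KTNAME is unset is the libkrb5 default.

```python
import grp, os, pwd, stat, tempfile

INSTANCE_PREFIX = "slapd-"
UNIT_PREFIX, UNIT_SUFFIX = "dirsrv@", ".service"
EXPECTED_KEYTAB = "/etc/dirsrv/ds.keytab"  # what ipa-server-install puts in /etc/sysconfig/dirsrv
FALLBACK_KEYTAB = "/etc/krb5.keytab"       # libkrb5 default when KRB5_KTNAME is unset


def instances(root="/"):
    """Instance names (EXAMPLE-COM, PKI-IPA, ...) taken from /etc/dirsrv/slapd-*/."""
    base = os.path.join(root, "etc/dirsrv")
    if not os.path.isdir(base):
        return []
    return sorted(d[len(INSTANCE_PREFIX):] for d in os.listdir(base)
                  if d.startswith(INSTANCE_PREFIX) and os.path.isdir(os.path.join(base, d)))


def wanted_instances(root="/"):
    """Instances dirsrv.target pulls in: dirsrv@NAME.service symlinks in dirsrv.target.wants."""
    wants = os.path.join(root, "etc/systemd/system/dirsrv.target.wants")
    if not os.path.isdir(wants):
        return []
    return sorted(e[len(UNIT_PREFIX):-len(UNIT_SUFFIX)] for e in os.listdir(wants)
                  if e.startswith(UNIT_PREFIX) and e.endswith(UNIT_SUFFIX)
                  and os.path.islink(os.path.join(wants, e)))


def unwired_instances(root="/"):
    """Instances on disk that 'systemctl start dirsrv.target' would silently leave stopped."""
    return sorted(set(instances(root)) - set(wanted_instances(root)))


def sysconfig_ktname(root="/"):
    """KRB5_KTNAME from /etc/sysconfig/dirsrv; last assignment wins, 'export X=...' included.
    None when the file or the assignment is missing."""
    path = os.path.join(root, "etc/sysconfig/dirsrv")
    if not os.path.isfile(path):
        return None
    value = None
    with open(path) as fh:
        for line in fh:
            line = line.strip()
            if line.startswith("export "):
                line = line[len("export "):].lstrip()
            if line.startswith("KRB5_KTNAME="):
                value = line.split("=", 1)[1].strip().strip("'\"")
    return value


def _owner_names(uid, gid):
    """user, group names for a uid/gid pair; numeric strings if the id is unknown."""
    try:
        user = pwd.getpwuid(uid).pw_name
    except KeyError:
        user = str(uid)
    try:
        group = grp.getgrgid(gid).gr_name
    except KeyError:
        group = str(gid)
    return user, group


def current_owner():
    """Owner names of the running process, for checking a fixture tree you just created."""
    return _owner_names(os.getuid(), os.getgid())


def keytab_problems(root="/", expected_owner=("dirsrv", "dirsrv")):
    """Why slapd might log 'Could not get initial credentials ... Permission denied'.
    Returns a list of findings; an empty list means the keytab wiring looks right."""
    findings = []
    ktname = sysconfig_ktname(root)
    if ktname != EXPECTED_KEYTAB:
        findings.append("KRB5_KTNAME is %r, expected %r" % (ktname, EXPECTED_KEYTAB))
    keytab = os.path.join(root, (ktname or FALLBACK_KEYTAB).lstrip("/"))
    try:
        st = os.stat(keytab)
    except OSError:
        findings.append("keytab %s is missing" % keytab)
        return findings
    owner = _owner_names(st.st_uid, st.st_gid)
    if owner != tuple(expected_owner):
        findings.append("keytab owned by %s:%s, slapd runs as %s:%s" % (owner + tuple(expected_owner)))
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:
        findings.append("keytab mode %04o is readable beyond its owner" % mode)
    return findings


def make_fixture(wired=(), ktname=None):
    """Constructed tree for exercising the checks offline (not a real server): the two
    instances from this thread, optional target.wants links, optional KRB5_KTNAME."""
    root = tempfile.mkdtemp(prefix="dirsrv-check-")
    for inst in ("EXAMPLE-COM", "PKI-IPA"):
        os.makedirs(os.path.join(root, "etc/dirsrv", INSTANCE_PREFIX + inst))
    wants = os.path.join(root, "etc/systemd/system/dirsrv.target.wants")
    os.makedirs(wants)
    for inst in wired:  # same link shape as the 'ls -l' output later in the thread
        os.symlink("/etc/systemd/system/dirsrv@.service",
                   os.path.join(wants, UNIT_PREFIX + inst + UNIT_SUFFIX))
    os.makedirs(os.path.join(root, "etc/sysconfig"))
    with open(os.path.join(root, "etc/sysconfig/dirsrv"), "w") as fh:
        fh.write("# constructed for the example\n")
        if ktname:
            fh.write("KRB5_KTNAME=%s\nexport KRB5_KTNAME=%s\n" % (ktname, ktname))
    keytab = os.path.join(root, EXPECTED_KEYTAB.lstrip("/"))
    with open(keytab, "wb") as fh:
        fh.write(b"\x05\x02")  # keytab file-format marker only, not a real keytab
    os.chmod(keytab, 0o600)
    return root
```

On the upgraded server run `unwired_instances()` and `keytab_problems()` as root; an instance listed by the first is what an empty dirsrv.target.wants looks like from the inside, and a KRB5_KTNAME finding from the second is the path that leads to slapd reading the root-owned /etc/krb5.keytab instead of its own.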
-- / Alexander Bokovoy From dpal at redhat.com Mon Nov 14 15:33:55 2011 From: dpal at redhat.com (Dmitri Pal) Date: Mon, 14 Nov 2011 10:33:55 -0500 Subject: [Freeipa-users] importing old NIS passwd/group maps into Free IPA In-Reply-To: References: Message-ID: <4EC134E3.70509@redhat.com> On 11/11/2011 05:12 PM, Boris Epstein wrote: > Hello all, > > The question is in the subject. Is there an established reliable way > of doing that? > > Thanks. > > Boris. > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/migrating-from-nis.html This is so far what we have. -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From danieljamesscott at gmail.com Mon Nov 14 17:25:28 2011 From: danieljamesscott at gmail.com (Dan Scott) Date: Mon, 14 Nov 2011 12:25:28 -0500 Subject: [Freeipa-users] Fedora 16 failing to start dirsrv process In-Reply-To: <20111114151923.GB3927@redhat.com> References: <20111114151923.GB3927@redhat.com> Message-ID: Hi, On Mon, Nov 14, 2011 at 10:19, Alexander Bokovoy wrote: > On Mon, 14 Nov 2011, Dan Scott wrote: > >> Hi, >> >> I've just upgraded a server from Fedora 15 to 16 and I'm having >> problems starting the dirsrv process: >> >> /var/log/messages >> Nov 14 09:38:27 fileserver1 ipactl[1351]: Failed to read data from >> Directory Service: Unknown error when retrieving list of services from >> LDAP: [Errno 2] No such file or directory >> Nov 14 09:38:27 fileserver1 ipactl[1351]: Shutting down >> Nov 14 09:38:27 fileserver1 ipactl[1351]: Starting Directory Service >> Nov 14 09:38:27 fileserver1 systemd[1]: ipa.service: main process >> exited, code=exited, status=1 >> Nov 14 09:38:27 fileserver1 systemd[1]: Unit ipa.service entered failed state. 
>> >> The /var/log/dirsrv/slapd-EXAMPLE-COM/errors file contains no new >> entries since Friday 11th. >> >> Any ideas how I can get this fixed? How can I find out which 'file or >> directory' is missing? > Looks like LDAP socket is not yet available at the time we try to > contact it. I think this was fixed in Fedora 16 package with this > patch: > http://git.fedorahosted.org/git/?p=freeipa.git;a=commitdiff;h=5451328bc55fe964c61e7b87959310f9c6748cf8 > > Could you make sure 'systemctl start dirsrv.target' actually starts > slapd for EXAMPLE-COM? If not, please show output of > > ls -l /etc/systemd/system/dirsrv.target.wants 'systemctl start dirsrv.target' doesn't appear to do anything, nothing shown on the command line and the logs don't change. The directory is empty: [root at fileserver1 schema]# ls -l /etc/systemd/system/dirsrv.target.wants/ total 0 > It may be that we would need to make a small upgrade script that > re-installs proper systemd instances for dirsrv.target as those are > produced during ipa-server-install and cannot be done automatically on > upgrade without proper intervention yet. Is this related to this: https://fedoraproject.org/wiki/Common_F16_bugs#Upgrade_from_previous_releases_resets_the_enablement_status_of_services Or is it to do with the dependencies of FreeIPA startup? In any case, the process is still failing to start. Do I need to create a link in dirsrv.target.wants to somewhere? Thanks, Dan From abokovoy at redhat.com Mon Nov 14 18:06:15 2011 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Mon, 14 Nov 2011 20:06:15 +0200 Subject: [Freeipa-users] Fedora 16 failing to start dirsrv process In-Reply-To: References: <20111114151923.GB3927@redhat.com> Message-ID: <20111114180614.GB14807@redhat.com> On Mon, 14 Nov 2011, Dan Scott wrote: > > Could you make sure 'systemctl start dirsrv.target' actually starts > > slapd for EXAMPLE-COM? 
If not, please show output of
> >
> > ls -l /etc/systemd/system/dirsrv.target.wants
>
> 'systemctl start dirsrv.target' doesn't appear to do anything, nothing
> shown on the command line and the logs don't change. The directory is
> empty:
>
> [root@fileserver1 schema]# ls -l /etc/systemd/system/dirsrv.target.wants/
> total 0

Yes, as I expected (below).

> > It may be that we would need to make a small upgrade script that
> > re-installs proper systemd instances for dirsrv.target as those are
> > produced during ipa-server-install and cannot be done automatically on
> > upgrade without proper intervention yet.
>
> Is this related to this:
> https://fedoraproject.org/wiki/Common_F16_bugs#Upgrade_from_previous_releases_resets_the_enablement_status_of_services
>
> Or is it to do with the dependencies of FreeIPA startup?

It is a mixture of those cases. systemd is more complicated, and if in F15 we were able to get away via SystemV emulation, in F16 dirsrv migrated natively to systemd, managing instances through the native systemd mechanism (dirsrv@EXAMPLE-COM.service as a service name, for example). This new mechanism is not accessible via SystemV emulation and we had to migrate to systemd as well -- which means ipa-server-install creates proper links and edits systemd service files as needed. In addition, systemd does not really support our model of enabling services, as systemd is per-host while we need to replicate service state to multiple replicas. Thus, we do some of the enable/disable/restart management in ipactl.

> In any case, the process is still failing to start. Do I need to
> create a link in dirsrv.target.wants to somewhere?

You need to do some steps like ipa-server-install does. I'm trying to get them separated in a small upgrade script but something like the following needs to be done, completely untested, may eat your kitten, and realm/dirsrv instance names need to be replaced before running:
----------------------------------------------------------------
#! /usr/bin/python -E
# the helper called below is update_key_val_in_file; import it under that name
from ipaserver.install.krbinstance import update_key_val_in_file
from ipapython import ipautil
from ipapython import services as ipaservices

# 1. Upgrade /etc/sysconfig/dirsrv for systemd
update_key_val_in_file("/etc/sysconfig/dirsrv", "KRB5_KTNAME", "/etc/dirsrv/ds.keytab")
update_key_val_in_file("/etc/sysconfig/dirsrv", "export KRB5_KTNAME", "/etc/dirsrv/ds.keytab")
# 2. Upgrade /etc/sysconfig/krb5kdc for systemd
replacevars = {'KRB5REALM': "EXAMPLE.COM"}
appendvars = {}
ipautil.config_replace_variables("/etc/sysconfig/krb5kdc",
    replacevars=replacevars, appendvars=appendvars)
ipaservices.restore_context("/etc/sysconfig/krb5kdc")
# 3. Enable DS instances:
ipaservices.knownservices.dirsrv.enable("EXAMPLE-COM")
ipaservices.knownservices.dirsrv.enable("PKI-IPA")
# 4. Enable FreeIPA
ipaservices.knownservices.ipa.enable()
-------------------------------------------------------

Note that these .enable() calls on Fedora 16 do much more than just 'systemctl enable foo.service', they copy and modify service files, create symlinks and so on, all the dirty work required by systemd. You may look at ipapython/platform/fedora16.py and systemd.py for details.

-- 
/ Alexander Bokovoy

From danieljamesscott at gmail.com Mon Nov 14 20:08:45 2011
From: danieljamesscott at gmail.com (Dan Scott)
Date: Mon, 14 Nov 2011 15:08:45 -0500
Subject: [Freeipa-users] Fedora 16 failing to start dirsrv process
In-Reply-To: <20111114180614.GB14807@redhat.com>
References: <20111114151923.GB3927@redhat.com> <20111114180614.GB14807@redhat.com>
Message-ID:

Hi,

On Mon, Nov 14, 2011 at 13:06, Alexander Bokovoy wrote:
> On Mon, 14 Nov 2011, Dan Scott wrote:
>> In any case, the process is still failing to start. Do I need to
>> create a link in dirsrv.target.wants to somewhere?
> You need to do some steps like ipa-server-install does.
I'm trying to > get them separated in a small upgrade script but something like > following needs to be done, completely untested, may eat your kitten, > and realm/dirsrv instance names need to be replaced before running: > ---------------------------------------------------------------- > #! /usr/bin/python -E > from ipaserver.install.krbinstance import update_val_in_file > from ipapython import ipautil > from ipapython import services as ipaservices > > # 1. Upgrade /etc/sysconfig/dirsrv for systemd > update_key_val_in_file("/etc/sysconfig/dirsrv", "KRB5_KTNAME", "/etc/dirsrv/ds.keytab") > update_key_val_in_file("/etc/sysconfig/dirsrv", "export KRB5_KTNAME", "/etc/dirsrv/ds.keytab") > # 2. Upgrade /etc/sysconfig/krb5kdc for systemd > replacevars = {'KRB5REALM':"EXAMPLE.COM"} > appendvars = {} > ipautil.config_replace_variables("/etc/sysconfig/krb5kdc", > ? ?replacevars=replacevars, appendvars=appendvars) > ipaservices.restore_context("/etc/sysconfig/krb5kdc") > # 3. Enable DS instances: > ipaservices.knownservices.dirsrv.enable("EXAMPLE-COM") > ipaservices.knownservices.dirsrv.enable("PKI-IPA") > # 4. Enable FreeIPA > ipaservices.knownservices.ipa.enable() > ------------------------------------------------------- > > Note that these .enable() calls on Fedora 16 do much more than just > 'systemctl enable foo.service', they copy and modify service files, > create symlinks and so on, all the dirty work required by systemd. > You may look at ipapython/platform/fedora16.py and systemd.py for > details. OK, looks like I'm getting there, but there's still a problem (I replaced EXAMPLE-COM above and re-replaced it in the output below): [root at fileserver1 ~]# ls -l /etc/systemd/system/dirsrv.target.wants total 0 lrwxrwxrwx. 1 root root 35 Nov 14 14:49 dirsrv at EXAMPLE-COM.service -> /etc/systemd/system/dirsrv at .service lrwxrwxrwx. 
1 root root 35 Nov 14 14:49 dirsrv at PKI-IPA.service -> /etc/systemd/system/dirsrv at .service [root at fileserver1 ~]# systemctl status dirsrv.service dirsrv.service Loaded: error (Reason: No such file or directory) Active: inactive (dead) [root at fileserver1 ~]# My /var/log/dirsrv/slapd-EXAMPLE-COM/errors now contains: [14/Nov/2011:14:55:16 -0500] set_krb5_creds - Could not get initial credentials for principal [ldap/fileserver1.example.com at EXAMPLE.COM] in keytab [WRFILE:/etc/krb5.keytab]: 13 (Permission denied) [14/Nov/2011:14:55:16 -0500] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_494' not found)) [14/Nov/2011:14:55:16 -0500] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) And the permissions on /etc/krb5.keytab: [root at fileserver1 ~]# ls -Z /etc/krb5.keytab -rw-------. root root unconfined_u:object_r:krb5_keytab_t:s0 /etc/krb5.keytab The permissions are the same on my other, replica, IPA server (which is still Fedora 15). The other message above is correct: /tmp/krb5cc_494 does not exist. Thanks, Dan From rmeggins at redhat.com Mon Nov 14 20:12:43 2011 From: rmeggins at redhat.com (Rich Megginson) Date: Mon, 14 Nov 2011 13:12:43 -0700 Subject: [Freeipa-users] Fedora 16 failing to start dirsrv process In-Reply-To: References: <20111114151923.GB3927@redhat.com> <20111114180614.GB14807@redhat.com> Message-ID: <4EC1763B.2050901@redhat.com> On 11/14/2011 01:08 PM, Dan Scott wrote: > Hi, > > On Mon, Nov 14, 2011 at 13:06, Alexander Bokovoy wrote: >> On Mon, 14 Nov 2011, Dan Scott wrote: >>> In any case, the process is still failing to start. Do I need to >>> create a link in dirsrv.target.wants to somewhere? >> You need to do some steps like ipa-server-install does. 
I'm trying to >> get them separated in a small upgrade script but something like >> following needs to be done, completely untested, may eat your kitten, >> and realm/dirsrv instance names need to be replaced before running: >> ---------------------------------------------------------------- >> #! /usr/bin/python -E >> from ipaserver.install.krbinstance import update_val_in_file >> from ipapython import ipautil >> from ipapython import services as ipaservices >> >> # 1. Upgrade /etc/sysconfig/dirsrv for systemd >> update_key_val_in_file("/etc/sysconfig/dirsrv", "KRB5_KTNAME", "/etc/dirsrv/ds.keytab") >> update_key_val_in_file("/etc/sysconfig/dirsrv", "export KRB5_KTNAME", "/etc/dirsrv/ds.keytab") >> # 2. Upgrade /etc/sysconfig/krb5kdc for systemd >> replacevars = {'KRB5REALM':"EXAMPLE.COM"} >> appendvars = {} >> ipautil.config_replace_variables("/etc/sysconfig/krb5kdc", >> replacevars=replacevars, appendvars=appendvars) >> ipaservices.restore_context("/etc/sysconfig/krb5kdc") >> # 3. Enable DS instances: >> ipaservices.knownservices.dirsrv.enable("EXAMPLE-COM") >> ipaservices.knownservices.dirsrv.enable("PKI-IPA") >> # 4. Enable FreeIPA >> ipaservices.knownservices.ipa.enable() >> ------------------------------------------------------- >> >> Note that these .enable() calls on Fedora 16 do much more than just >> 'systemctl enable foo.service', they copy and modify service files, >> create symlinks and so on, all the dirty work required by systemd. >> You may look at ipapython/platform/fedora16.py and systemd.py for >> details. > OK, looks like I'm getting there, but there's still a problem (I > replaced EXAMPLE-COM above and re-replaced it in the output below): > > [root at fileserver1 ~]# ls -l /etc/systemd/system/dirsrv.target.wants > total 0 > lrwxrwxrwx. 1 root root 35 Nov 14 14:49 dirsrv at EXAMPLE-COM.service -> > /etc/systemd/system/dirsrv at .service > lrwxrwxrwx. 
1 root root 35 Nov 14 14:49 dirsrv at PKI-IPA.service -> > /etc/systemd/system/dirsrv at .service > [root at fileserver1 ~]# systemctl status dirsrv.service > dirsrv.service > Loaded: error (Reason: No such file or directory) > Active: inactive (dead) Right - see http://directory.fedoraproject.org/wiki/Howto:systemd#FAQ > [root at fileserver1 ~]# > > My /var/log/dirsrv/slapd-EXAMPLE-COM/errors now contains: > > [14/Nov/2011:14:55:16 -0500] set_krb5_creds - Could not get initial > credentials for principal [ldap/fileserver1.example.com at EXAMPLE.COM] > in keytab [WRFILE:/etc/krb5.keytab]: 13 (Permission denied) > [14/Nov/2011:14:55:16 -0500] slapd_ldap_sasl_interactive_bind - Error: > could not perform interactive bind for id [] mech [GSSAPI]: error -2 > (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified > GSS failure. Minor code may provide more information (Credentials > cache file '/tmp/krb5cc_494' not found)) > [14/Nov/2011:14:55:16 -0500] slapi_ldap_bind - Error: could not > perform interactive bind for id [] mech [GSSAPI]: error -2 (Local > error) > > And the permissions on /etc/krb5.keytab: > > [root at fileserver1 ~]# ls -Z /etc/krb5.keytab > -rw-------. root root unconfined_u:object_r:krb5_keytab_t:s0 /etc/krb5.keytab Right - directory server usually runs as dirsrv:dirsrv not root:root - not sure what is responsible for ensuring the krb5.keytab is owned by the dirsrv user. > The permissions are the same on my other, replica, IPA server (which > is still Fedora 15). The other message above is correct: > /tmp/krb5cc_494 does not exist. 
> > Thanks, > > Dan > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users From sigbjorn at nixtra.com Mon Nov 14 20:38:51 2011 From: sigbjorn at nixtra.com (Sigbjorn Lie) Date: Mon, 14 Nov 2011 21:38:51 +0100 Subject: [Freeipa-users] importing old NIS passwd/group maps into Free IPA In-Reply-To: <4EC134E3.70509@redhat.com> References: <4EC134E3.70509@redhat.com> Message-ID: <4EC17C5B.2050706@nixtra.com> On 11/14/2011 04:33 PM, Dmitri Pal wrote: > On 11/11/2011 05:12 PM, Boris Epstein wrote: >> Hello all, >> >> The question is in the subject. Is there an established reliable way >> of doing that? >> >> Thanks. >> >> Boris. >> >> _______________________________________________ >> Freeipa-users mailing list >> Freeipa-users at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-users > http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/migrating-from-nis.html > This is so far what we have. > I also wrote some scripts that will migrate the hosts, passwd, group, group members, and netgroup NIS maps into IPA a few months ago: https://www.redhat.com/archives/freeipa-users/2011-April/msg00007.html The automount maps can be imported using the ipa command: "ipa automountlocation-import". Regards, Siggi From abokovoy at redhat.com Mon Nov 14 20:50:15 2011 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Mon, 14 Nov 2011 22:50:15 +0200 Subject: [Freeipa-users] Fedora 16 failing to start dirsrv process In-Reply-To: <4EC1763B.2050901@redhat.com> References: <20111114151923.GB3927@redhat.com> <20111114180614.GB14807@redhat.com> <4EC1763B.2050901@redhat.com> Message-ID: <20111114205015.GA17488@redhat.com> On Mon, 14 Nov 2011, Rich Megginson wrote: > >replaced EXAMPLE-COM above and re-replaced it in the output below): > > > >[root at fileserver1 ~]# ls -l /etc/systemd/system/dirsrv.target.wants > >total 0 > >lrwxrwxrwx. 
1 root root 35 Nov 14 14:49 dirsrv at EXAMPLE-COM.service -> > >/etc/systemd/system/dirsrv at .service > >lrwxrwxrwx. 1 root root 35 Nov 14 14:49 dirsrv at PKI-IPA.service -> > >/etc/systemd/system/dirsrv at .service > >[root at fileserver1 ~]# systemctl status dirsrv.service > >dirsrv.service > > Loaded: error (Reason: No such file or directory) > > Active: inactive (dead) > Right - see http://directory.fedoraproject.org/wiki/Howto:systemd#FAQ Yes, the target is dirsrv.target, not dirsrv.service, while instances are dirsrv at NAME.service. That is life. systemctl start dirsrv.target now would bring both instances up -- when you'll solve kerberos credentials access. > >[root at fileserver1 ~]# > > > >My /var/log/dirsrv/slapd-EXAMPLE-COM/errors now contains: > > > >[14/Nov/2011:14:55:16 -0500] set_krb5_creds - Could not get initial > >credentials for principal [ldap/fileserver1.example.com at EXAMPLE.COM] > >in keytab [WRFILE:/etc/krb5.keytab]: 13 (Permission denied) > >[14/Nov/2011:14:55:16 -0500] slapd_ldap_sasl_interactive_bind - Error: > >could not perform interactive bind for id [] mech [GSSAPI]: error -2 > >(Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified > >GSS failure. Minor code may provide more information (Credentials > >cache file '/tmp/krb5cc_494' not found)) > >[14/Nov/2011:14:55:16 -0500] slapi_ldap_bind - Error: could not > >perform interactive bind for id [] mech [GSSAPI]: error -2 (Local > >error) > > > >And the permissions on /etc/krb5.keytab: > > > >[root at fileserver1 ~]# ls -Z /etc/krb5.keytab > >-rw-------. root root unconfined_u:object_r:krb5_keytab_t:s0 /etc/krb5.keytab > Right - directory server usually runs as dirsrv:dirsrv not root:root > - not sure what is responsible for ensuring the krb5.keytab is owned > by the dirsrv user. It should be /etc/dirsrv/ds.keytab, not /etc/krb5.keytab. Could you please show your /etc/sysconfig/dirsrv? 
KRB5_KTNAME there should point to /etc/dirsrv/ds.keytab and as you have installation that worked before, the keytab should be in place already and with proper ownership (dirsrv:dirsrv). Dan, could you please file a bug against freeipa in Fedora 16 to ask about upgrade from Fedora 15. I'll then work out the script and how to use it. I'm not sure it will be possible to use it in %post for upgrades but at least running it after yum upgrade would be possible. -- / Alexander Bokovoy From sigbjorn at nixtra.com Mon Nov 14 20:54:52 2011 From: sigbjorn at nixtra.com (Sigbjorn Lie) Date: Mon, 14 Nov 2011 21:54:52 +0100 Subject: [Freeipa-users] sssd not updating reverse dns In-Reply-To: <1321274433.2315.9.camel@sgallagh520.ipa.sgallagh.bos.redhat.com> References: <4EBE88E5.5040603@nixtra.com> <1321192097.17066.4.camel@willson.li.ssimo.org> <4EC00A16.8020506@nixtra.com> <1321274433.2315.9.camel@sgallagh520.ipa.sgallagh.bos.redhat.com> Message-ID: <4EC1801C.4040609@nixtra.com> On 11/14/2011 01:40 PM, Stephen Gallagher wrote: > On Sun, 2011-11-13 at 19:19 +0100, Sigbjorn Lie wrote: >> On 11/13/2011 02:48 PM, Simo Sorce wrote: >>> On Sat, 2011-11-12 at 15:55 +0100, Sigbjorn Lie wrote: >>>> Hi, >>>> >>>> I notice that when sssd is configured to update DNS, it's only updating >>>> the DNS forward zone, it's not updating the DNS reverse zone. And I >>>> cannot find any option for enabling updating of the reverse dns zone. >>>> >>>> Have I missed something? Or is updating the reverse zone not supported? >>> It is not supported at this time. >>> While we have a way to determine if your host has any right to update >>> the machine A/AAAA name because we can check if the host authenticated >>> using a key of type host/@REALM we have no way to validate that >>> a host has any right to update a PTR record. >>> >>> Allowing a host to change any PTR record in any reverse zone would be >>> very disruptive as a compromised host could change PTR records for >>> important servers. 
>>> >> Ok, I see the issue. >> >> I notice ISC dhcpd adds a TXT record along with the updated record with >> a string that identifies that host record being "owned" by that dhcpd. >> And it does not attempt to update DNS if it cannot validate the content >> of the TXT record, or there already exists a record without a >> corresponding TXT record. >> >> Perhaps a similar approach could be applied to IPA? Using attributes in >> the LDAP DNS tree instead of TXT records.. ? >> > SSSD doesn't user LDAP in any way while updating the DNS records. We > actually just use GSS-TSIG to speak directly to the DNS server. We > suggested using XML-RPC communication to the FreeIPA server at one > point, but we decided that it was probably for the best to just stick > with the standardized approach for now. > > The flip side of this is, of course, that we cannot update the PTR > records (due to the security risks that Simo pointed out). So maybe we > should consider putting this back on the table. > >>> We are trying to make sure (patches, configurations) that reverse >>> resolution is disabled for kerberos and canonicalization does not use it >>> by default as it is unreliable in any case. >> Yes, I've noticed. :) Authentication based on forward/reverse lookups >> aside, being able to look up reverse IP records does help >> troubleshooting. And it becomes almost a requirement for being able to >> manage IPv6 networks. >> >> It would be very nice to see reverse address update implemented in SSSD >> at some point. Is there already an open RFE? > There is no RFE for this yet. Please feel free to open one at > https://fedorahosted.org/sssd > > How about an option in SSSD for reverse update using the same GSS-TSIG, but turned off by default? IPA seem to ready for this by setting the "BIND update policy" and Dynamic update options under DNS -> reverse-zone -> Settings ? 
Hopefully the admin would configure the dhcp dynamic ip range outside of where he placed the servers, or have the clients on a different subnet than the servers. Where the server reverse zone can be disabled for dynamic updates, and the client reverse zone can be enabled for dynamic updates. At least having the option would be great. :) Besides, if the admin manages to configure his dhcp server so that duplicate IP address allocation occour, reverse dns will be the least of his problems. :) Regards, Siggi From danieljamesscott at gmail.com Mon Nov 14 20:56:16 2011 From: danieljamesscott at gmail.com (Dan Scott) Date: Mon, 14 Nov 2011 15:56:16 -0500 Subject: [Freeipa-users] Fedora 16 failing to start dirsrv process In-Reply-To: <20111114205015.GA17488@redhat.com> References: <20111114151923.GB3927@redhat.com> <20111114180614.GB14807@redhat.com> <4EC1763B.2050901@redhat.com> <20111114205015.GA17488@redhat.com> Message-ID: Hi, On Mon, Nov 14, 2011 at 15:50, Alexander Bokovoy wrote: > On Mon, 14 Nov 2011, Rich Megginson wrote: >> >replaced EXAMPLE-COM above and re-replaced it in the output below): >> > >> >[root at fileserver1 ~]# ls -l /etc/systemd/system/dirsrv.target.wants >> >total 0 >> >lrwxrwxrwx. 1 root root 35 Nov 14 14:49 dirsrv at EXAMPLE-COM.service -> >> >/etc/systemd/system/dirsrv at .service >> >lrwxrwxrwx. 1 root root 35 Nov 14 14:49 dirsrv at PKI-IPA.service -> >> >/etc/systemd/system/dirsrv at .service >> >[root at fileserver1 ~]# systemctl status dirsrv.service >> >dirsrv.service >> > ? ? ? ? ? Loaded: error (Reason: No such file or directory) >> > ? ? ? ? ? Active: inactive (dead) >> Right - see http://directory.fedoraproject.org/wiki/Howto:systemd#FAQ > Yes, the target is dirsrv.target, not dirsrv.service, while instances > are dirsrv at NAME.service. That is life. :) Nice and consistent with other 'services'. Do you know if it's possible for 'systemctl status dirsrv.service' to return nothing, instead of saying that it's dead? 
This would help reduce the confusion. > systemctl start dirsrv.target > > now would bring both instances up -- when you'll solve > kerberos credentials access. > >> >[root at fileserver1 ~]# >> > >> >My /var/log/dirsrv/slapd-EXAMPLE-COM/errors now contains: >> > >> >[14/Nov/2011:14:55:16 -0500] set_krb5_creds - Could not get initial >> >credentials for principal [ldap/fileserver1.example.com at EXAMPLE.COM] >> >in keytab [WRFILE:/etc/krb5.keytab]: 13 (Permission denied) >> >[14/Nov/2011:14:55:16 -0500] slapd_ldap_sasl_interactive_bind - Error: >> >could not perform interactive bind for id [] mech [GSSAPI]: error -2 >> >(Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified >> >GSS failure. ?Minor code may provide more information (Credentials >> >cache file '/tmp/krb5cc_494' not found)) >> >[14/Nov/2011:14:55:16 -0500] slapi_ldap_bind - Error: could not >> >perform interactive bind for id [] mech [GSSAPI]: error -2 (Local >> >error) >> > >> >And the permissions on /etc/krb5.keytab: >> > >> >[root at fileserver1 ~]# ls -Z /etc/krb5.keytab >> >-rw-------. root root unconfined_u:object_r:krb5_keytab_t:s0 /etc/krb5.keytab >> Right - directory server usually runs as dirsrv:dirsrv not root:root >> - not sure what is responsible for ensuring the krb5.keytab is owned >> by the dirsrv user. > It should be /etc/dirsrv/ds.keytab, not /etc/krb5.keytab. Could you > please show your /etc/sysconfig/dirsrv? KRB5_KTNAME there should point > to /etc/dirsrv/ds.keytab and as you have installation that worked > before, the keytab should be in place already and with proper > ownership (dirsrv:dirsrv). Thanks. I'd just figured this out and fixed my /etc/sysconfig/dirsrv file. The two servers seem to be working and syncing now. I've run into something else now though: djscott at pc35:~$ ipa host-del pc60 ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (Not Found) Could this be related? Or should I start a new thread to try and solve it. 
> Dan, could you please file a bug against freeipa in Fedora 16 to ask > about upgrade from Fedora 15. I'll then work out the script and how to use > it. I'm not sure it will be possible to use it in %post for upgrades > but at least running it after yum upgrade would be possible. Sure, will do. Thanks, Dan From abokovoy at redhat.com Mon Nov 14 21:11:01 2011 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Mon, 14 Nov 2011 23:11:01 +0200 Subject: [Freeipa-users] Fedora 16 failing to start dirsrv process In-Reply-To: References: <20111114151923.GB3927@redhat.com> <20111114180614.GB14807@redhat.com> <4EC1763B.2050901@redhat.com> <20111114205015.GA17488@redhat.com> Message-ID: <20111114211100.GB17488@redhat.com> On Mon, 14 Nov 2011, Dan Scott wrote: > >> > ? ? ? ? ? Loaded: error (Reason: No such file or directory) > >> > ? ? ? ? ? Active: inactive (dead) > >> Right - see http://directory.fedoraproject.org/wiki/Howto:systemd#FAQ > > Yes, the target is dirsrv.target, not dirsrv.service, while instances > > are dirsrv at NAME.service. That is life. > > :) Nice and consistent with other 'services'. Do you know if it's > possible for 'systemctl status dirsrv.service' to return nothing, > instead of saying that it's dead? This would help reduce the > confusion. No, this is 'as designed' behaviour of systemd -- it loads list of services it knows once and then answers negatively to anything else unless it knows the service. I think the idea was to make targets as synchronization points to which other services can rely in their ordering. As there is no single dirsrv.service, dirsrv.target is used to allow behaviour close to 'service dirsrv ' > > before, the keytab should be in place already and with proper > > ownership (dirsrv:dirsrv). > > Thanks. I'd just figured this out and fixed my /etc/sysconfig/dirsrv > file. The two servers seem to be working and syncing now. 
> > I've run into something else now though: > > djscott at pc35:~$ ipa host-del pc60 > ipa: ERROR: Certificate operation cannot be completed: Unable to > communicate with CMS (Not Found) > > Could this be related? Or should I start a new thread to try and solve it. https://bugzilla.redhat.com/show_bug.cgi?id=741458 Please start a new thread. This is most likely something that Dogtag expects in Fedora 16 which wasn't persisting from old install, as in bug #741458. -- / Alexander Bokovoy From danieljamesscott at gmail.com Mon Nov 14 21:39:56 2011 From: danieljamesscott at gmail.com (Dan Scott) Date: Mon, 14 Nov 2011 16:39:56 -0500 Subject: [Freeipa-users] Delete host: Unable to communicate with CMS (Not Found) Message-ID: Hi, I receive the following error when I try to remove a host from IPA: djscott at pc35:~$ ipa host-del pc60 ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (Not Found) I'm running a Fedora 16 (freeipa-server-2.1.3-5.fc16.x86_64) server replicated with a Fedora 15 (freeipa-server-2.1.3-2.fc15.i686) server. I've looked at this: https://fedorahosted.org/freeipa/ticket/1889 But it looks like it was fixed in 2.1.2 or 2.1.3. Any ideas for what I need to do? Thanks, Dan From borepstein at gmail.com Mon Nov 14 22:19:44 2011 From: borepstein at gmail.com (Boris Epstein) Date: Mon, 14 Nov 2011 17:19:44 -0500 Subject: [Freeipa-users] fixing port numbers associated with the NIS Message-ID: Hello all, I am using the FreeIPA to run NIS via a plugin. Works great - except that the ypserv port numbers end up different after every reboot. That makes it hard to run it with the firewall activated. Does anybody know how to make those port number assignments permanent? Thanks. Boris.
From danieljamesscott at gmail.com Mon Nov 14 23:40:57 2011 From: danieljamesscott at gmail.com (Dan Scott) Date: Mon, 14 Nov 2011 18:40:57 -0500 Subject: [Freeipa-users] Reinstalling a host without deleting Message-ID: Hi, Is there a 'nice' way to reinstall a host? i.e. The host has already been installed in FreeIPA and for whatever reason I need to reinstall the OS, so I have a clean system and the host is already enrolled on the server. ipa-client-install fails with "Host already enrolled" and I have to connect to an enrolled client, remove the host, and then return to install the client. Would it be possible to have a '--reinstall' option to ipa-client-install? It wouldn't have to add the host into IPA, just configure the files and get the keytab. Looking at the manpage, maybe I'm just looking for the --force option to force the config files, and ipa-getkeytab. Is there anything else I need to do? Thanks, Dan From nalin at redhat.com Tue Nov 15 00:16:24 2011 From: nalin at redhat.com (Nalin Dahyabhai) Date: Mon, 14 Nov 2011 19:16:24 -0500 Subject: [Freeipa-users] fixing port numbers associated with the NIS In-Reply-To: References: Message-ID: <20111115001624.GA24230@redhat.com> On Mon, Nov 14, 2011 at 05:19:44PM -0500, Boris Epstein wrote: > Hello all, > > I am using the FreeIPA to run NIS via a plugin. Works great - except > that the ypserv port numbers end up different after every reboot. That > makes it hard to run it with the firewall activated. > > Does anybody know how to make those port number assignments permanent? There's no tooling specifically for doing this, but the plugin supports it. In order to get it to use a fixed port, you'll need to edit the directory server entry for "cn=NIS Server, cn=plugins, cn=config" and add a "nsslapd-pluginarg0" value which contains the port number you'd like it to use.
You can do this either by stopping the directory server, editing its dse.ldif file directly, and then restarting it, or by editing the entry "live" using ldapmodify and then restarting the server. The latter method (I'm using port 541 here) looks something like this:

# ldapmodify -x -D "cn=Directory Manager" -W <<- EOF
dn: cn=NIS Server,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginarg0
nsslapd-pluginarg0: 541
-

EOF
# ipactl restart

You'll need to supply the Directory Manager password. Once that's done, running "rpcinfo -p" on the server should show that the NIS service is listening on the desired port.

HTH,

Nalin

From dpal at redhat.com Tue Nov 15 01:11:06 2011 From: dpal at redhat.com (Dmitri Pal) Date: Mon, 14 Nov 2011 20:11:06 -0500 Subject: [Freeipa-users] Reinstalling a host without deleting In-Reply-To: References: Message-ID: <4EC1BC2A.1070603@redhat.com> On 11/14/2011 06:40 PM, Dan Scott wrote: > Hi, > > Is there a 'nice' way to reinstall a host? i.e. The host has already > been installed in FreeIPA and for whatever reason I need to reinstall > the OS, so I have a clean system and the host is already enrolled on > the server. > > ipa-client-install fails with "Host already enrolled" and I have to > connect to an enrolled client, remove the host, and then return to > install the client. > > Would it be possible to have a '--reinstall' option to > ipa-client-install? It wouldn't have to add the host into IPA, just > configure the files and get the keytab. > > Looking at the manpage, maybe I'm just looking for the --force option > to force the config files, and ipa-getkeytab. Is there anything else I > need to do? > > Thanks, > > Dan > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > > Opened a ticket: https://fedorahosted.org/freeipa/ticket/2106 -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc.
------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From sigbjorn at nixtra.com Tue Nov 15 07:37:05 2011 From: sigbjorn at nixtra.com (Sigbjorn Lie) Date: Tue, 15 Nov 2011 08:37:05 +0100 (CET) Subject: [Freeipa-users] Reinstalling a host without deleting In-Reply-To: References: Message-ID: <28390.213.225.75.97.1321342625.squirrel@www.nixtra.com> On Tue, November 15, 2011 00:40, Dan Scott wrote: > Hi, > > > Is there a 'nice' way to reinstall a host? i.e. The host has already > been installed in FreeIPA and for whatever reason I need to reinstall the OS, so I have a clean > system and the host is already enrolled on the server. > > ipa-client-install fails with "Host already enrolled" and I have to connect to an enrolled client, > remove the host, and then return to install the client. > > Would it be possible to have a '--reinstall' option to > ipa-client-install? It wouldn't have to add the host into IPA, just configure the files and get the > keytab. > > Looking at the manpage, maybe I'm just looking for the --force option > to force the config files, and ipa-getkeytab. Is there anything else I need to do? > If you run "ipa host-disable " or click on "Unprovision" in the webUI before re-installing, then the host can be enrolled using the same IPA host account. Rgds, Siggi From natxo.asenjo at gmail.com Tue Nov 15 12:07:00 2011 From: natxo.asenjo at gmail.com (Natxo Asenjo) Date: Tue, 15 Nov 2011 13:07:00 +0100 Subject: [Freeipa-users] Reinstalling a host without deleting In-Reply-To: References: Message-ID: On Tue, Nov 15, 2011 at 12:40 AM, Dan Scott wrote: > Hi, > > Is there a 'nice' way to reinstall a host? i.e. The host has already > been installed in FreeIPA and for whatever reason I need to reinstall > the OS, so I have a clean system and the host is already enrolled on > the server.
> > ipa-client-install fails with "Host already enrolled" and I have to > connect to an enrolled client, remove the host, and then return to > install the client. > > Would it be possible to have a '--reinstall' option to > ipa-client-install? It wouldn't have to add the host into IPA, just > configure the files and get the keytab. If I understand it correctly, this could overwrite hosts passwords which is probably not what you want with a kerberos realm. You should manually remove the host first from the realm and then rejoin it. -- natxo From danieljamesscott at gmail.com Tue Nov 15 13:33:30 2011 From: danieljamesscott at gmail.com (Dan Scott) Date: Tue, 15 Nov 2011 08:33:30 -0500 Subject: [Freeipa-users] Reinstalling a host without deleting In-Reply-To: References: Message-ID: Hi, On Tue, Nov 15, 2011 at 07:07, Natxo Asenjo wrote: > On Tue, Nov 15, 2011 at 12:40 AM, Dan Scott wrote: >> Hi, >> >> Is there a 'nice' way to reinstall a host? i.e. The host has already >> been installed in FreeIPA and for whatever reason I need to reinstall >> the OS, so I have a clean system and the host is already enrolled on >> the server. >> >> ipa-client-install fails with "Host already enrolled" and I have to >> connect to an enrolled client, remove the host, and then return to >> install the client. >> >> Would it be possible to have a '--reinstall' option to >> ipa-client-install? It wouldn't have to add the host into IPA, just >> configure the files and get the keytab. > > If I understand it correctly, this could overwrite hosts passwords > which is probably not what you want with a kerberos realm. So *getting* a new keytab would overwrite host passwords? Why wouldn't I want that, if I'm reinstalling a host? > You should manually remove the host first from the realm and then rejoin it. Why? I'd much rather have the ipa-client-install script do the removal for me.... if it actually requires removal and re-addition. Do I really have to remove and re-add? 
Why can't I just re-provision? Dan From simo at redhat.com Tue Nov 15 13:38:32 2011 From: simo at redhat.com (Simo Sorce) Date: Tue, 15 Nov 2011 08:38:32 -0500 Subject: [Freeipa-users] Reinstalling a host without deleting In-Reply-To: References: Message-ID: <1321364312.30630.9.camel@willson.li.ssimo.org> On Tue, 2011-11-15 at 08:33 -0500, Dan Scott wrote: > Hi, > > On Tue, Nov 15, 2011 at 07:07, Natxo Asenjo wrote: > > On Tue, Nov 15, 2011 at 12:40 AM, Dan Scott wrote: > >> Hi, > >> > >> Is there a 'nice' way to reinstall a host? i.e. The host has already > >> been installed in FreeIPA and for whatever reason I need to reinstall > >> the OS, so I have a clean system and the host is already enrolled on > >> the server. > >> > >> ipa-client-install fails with "Host already enrolled" and I have to > >> connect to an enrolled client, remove the host, and then return to > >> install the client. > >> > >> Would it be possible to have a '--reinstall' option to > >> ipa-client-install? It wouldn't have to add the host into IPA, just > >> configure the files and get the keytab. > > > > If I understand it correctly, this could overwrite hosts passwords > > which is probably not what you want with a kerberos realm. > > So *getting* a new keytab would overwrite host passwords? Why wouldn't > I want that, if I'm reinstalling a host? > > > You should manually remove the host first from the realm and then rejoin it. No, actually if the host offers services you probably prefer rejoining in a way that keeps the original keys in the keytab and the new keys get a new kvno. This way clients that obtained a ticket before the re-install can still use them. > Why? I'd much rather have the ipa-client-install script do the removal > for me.... if it actually requires removal and re-addition. > > Do I really have to remove and re-add? Why can't I just re-provision? You should be able to. See other mails in this thread. Simo. 
-- Simo Sorce * Red Hat, Inc * New York From danieljamesscott at gmail.com Tue Nov 15 13:47:53 2011 From: danieljamesscott at gmail.com (Dan Scott) Date: Tue, 15 Nov 2011 08:47:53 -0500 Subject: [Freeipa-users] Reinstalling a host without deleting In-Reply-To: <1321364312.30630.9.camel@willson.li.ssimo.org> References: <1321364312.30630.9.camel@willson.li.ssimo.org> Message-ID: On Tue, Nov 15, 2011 at 08:38, Simo Sorce wrote: > On Tue, 2011-11-15 at 08:33 -0500, Dan Scott wrote: >> Hi, >> >> On Tue, Nov 15, 2011 at 07:07, Natxo Asenjo wrote: >> > On Tue, Nov 15, 2011 at 12:40 AM, Dan Scott wrote: >> >> Hi, >> >> >> >> Is there a 'nice' way to reinstall a host? i.e. The host has already >> >> been installed in FreeIPA and for whatever reason I need to reinstall >> >> the OS, so I have a clean system and the host is already enrolled on >> >> the server. >> >> >> >> ipa-client-install fails with "Host already enrolled" and I have to >> >> connect to an enrolled client, remove the host, and then return to >> >> install the client. >> >> >> >> Would it be possible to have a '--reinstall' option to >> >> ipa-client-install? It wouldn't have to add the host into IPA, just >> >> configure the files and get the keytab. >> > >> > If I understand it correctly, this could overwrite hosts passwords >> > which is probably not what you want with a kerberos realm. >> >> So *getting* a new keytab would overwrite host passwords? Why wouldn't >> I want that, if I'm reinstalling a host? >> >> > You should manually remove the host first from the realm and then rejoin it. > > No, actually if the host offers services you probably prefer rejoining > in a way that keeps the original keys in the keytab and the new keys get > a new kvno. This way clients that obtained a ticket before the > re-install can still use them. > >> Why? I'd much rather have the ipa-client-install script do the removal >> for me.... if it actually requires removal and re-addition. 
>> >> Do I really have to remove and re-add? Why can't I just re-provision? > > You should be able to. See other mails in this thread. Great, thanks. So we can make an 'ipa-client-install --reinstall' which does the equivalent of reconfiguring the config files and re-getting the keytab. Thanks. From borepstein at gmail.com Tue Nov 15 14:44:43 2011 From: borepstein at gmail.com (Boris Epstein) Date: Tue, 15 Nov 2011 09:44:43 -0500 Subject: [Freeipa-users] fixing port numbers associated with the NIS In-Reply-To: <20111115001624.GA24230@redhat.com> References: <20111115001624.GA24230@redhat.com> Message-ID: On Mon, Nov 14, 2011 at 7:16 PM, Nalin Dahyabhai wrote: > On Mon, Nov 14, 2011 at 05:19:44PM -0500, Boris Epstein wrote: > > Hello all, > > > > I am using the FreeIPA to run NIS via a plugin. Works great - except > > that the ypserv port numbers end up different after every reboot. That > > makes it hard to run it with the firewall activated. > > > > Does anybody know how to make those port number assignments permanent? > > There's no tooling specifically for doing this, but the plugin supports > it. In order to get it to use a fixed port, you'll need to edit the > directory server entry for "cn=NIS Server, cn=plugins, cn=config" and > add a "nsslapd-pluginarg0" value which contains the port number you'd > like it to use. > > You can do this either by stopping the directory server, editing its > dse.ldif file directly, and then restarting it, or by editing the entry > "live" using ldapmodify and then restarting the server. The latter > method (I'm using port 541 here) looks something like this: > > # ldapmodify -x -D "cn=Directory Manager" -W <<- EOF > dn: cn=NIS Server,cn=plugins,cn=config > changetype: modify > replace: nsslapd-pluginarg0 > nsslapd-pluginarg0: 541 > - > > EOF > # ipactl restart > > You'll need to supply the Directory Manager password. 
Once that's done, > running "rpcinfo -p" on the server should show that the NIS service is > listening on the desired port. > > HTH, > > Nalin > Nalin, Thanks a lot for the tip. It definitely looks like this put me on the right path though I am not quite there yet. Doing what you suggested did not quite work. For one thing, the right cn is "NIS", not "NIS Server". Another thing is, it does not look like the LDIF files in question have the nsslapd-pluginarg0 parameter - or are happy with it being added. Do you happen to have a copy of your LDIF configuration file with the relevant configuration by any chance? That could come in handy. Cheers, Boris. -------------- next part -------------- An HTML attachment was scrubbed... URL: From rmeggins at redhat.com Tue Nov 15 15:08:05 2011 From: rmeggins at redhat.com (Rich Megginson) Date: Tue, 15 Nov 2011 08:08:05 -0700 Subject: [Freeipa-users] fixing port numbers associated with the NIS In-Reply-To: References: <20111115001624.GA24230@redhat.com> Message-ID: <4EC28055.70405@redhat.com> On 11/15/2011 07:44 AM, Boris Epstein wrote: > > > On Mon, Nov 14, 2011 at 7:16 PM, Nalin Dahyabhai > wrote: > > On Mon, Nov 14, 2011 at 05:19:44PM -0500, Boris Epstein wrote: > > Hello all, > > > > I am using the FreeIPA to run NIS via a plugin. Works great - > except > > that the ypserv port numbers end up different after every > reboot. That > > makes it hard to run it with the firewall activated. > > > > Does anybody know how to make those port number assignments > permanent? > > There's no tooling specifically for doing this, but the plugin > supports > it. In order to get it to use a fixed port, you'll need to edit the > directory server entry for "cn=NIS Server, cn=plugins, cn=config" and > add a "nsslapd-pluginarg0" value which contains the port number you'd > like it to use. 
> > You can do this either by stopping the directory server, editing its > dse.ldif file directly, and then restarting it, or by editing the > entry > "live" using ldapmodify and then restarting the server. The latter > method (I'm using port 541 here) looks something like this: > > # ldapmodify -x -D "cn=Directory Manager" -W <<- EOF > dn: cn=NIS Server,cn=plugins,cn=config > changetype: modify > replace: nsslapd-pluginarg0 > nsslapd-pluginarg0: 541 > - > > EOF > # ipactl restart > > You'll need to supply the Directory Manager password. Once that's > done, > running "rpcinfo -p" on the server should show that the NIS service is > listening on the desired port. > > HTH, > > Nalin > > > Nalin, > > Thanks a lot for the tip. It definitely looks like this put me on the > right path though I am not quite there yet. > > Doing what you suggested did not quite work. For one thing, the right > cn is "NIS", not "NIS Server". Another thing is, it does not look like > the LDIF files in question have the nsslapd-pluginarg0 parameter - or > are happy with it being added. You have to shutdown the directory server first service dirsrv stop or systemctl stop dirsrv.target > > Do you happen to have a copy of your LDIF configuration file with the > relevant configuration by any chance? That could come in handy. > > Cheers, > > Boris. > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From borepstein at gmail.com Tue Nov 15 15:12:32 2011 From: borepstein at gmail.com (Boris Epstein) Date: Tue, 15 Nov 2011 10:12:32 -0500 Subject: [Freeipa-users] fixing port numbers associated with the NIS In-Reply-To: <4EC28055.70405@redhat.com> References: <20111115001624.GA24230@redhat.com> <4EC28055.70405@redhat.com> Message-ID: On Tue, Nov 15, 2011 at 10:08 AM, Rich Megginson wrote: > ** > On 11/15/2011 07:44 AM, Boris Epstein wrote: > > > > On Mon, Nov 14, 2011 at 7:16 PM, Nalin Dahyabhai wrote: > >> On Mon, Nov 14, 2011 at 05:19:44PM -0500, Boris Epstein wrote: >> > Hello all, >> > >> > I am using the FreeIPA to run NIS via a plugin. Works great - except >> > that the ypserv port numbers end up different after every reboot. >> That >> > makes it hard to run it with the firewall activated. >> > >> > Does anybody know how to make those port number assignments >> permanent? >> >> There's no tooling specifically for doing this, but the plugin supports >> it. In order to get it to use a fixed port, you'll need to edit the >> directory server entry for "cn=NIS Server, cn=plugins, cn=config" and >> add a "nsslapd-pluginarg0" value which contains the port number you'd >> like it to use. >> >> You can do this either by stopping the directory server, editing its >> dse.ldif file directly, and then restarting it, or by editing the entry >> "live" using ldapmodify and then restarting the server. The latter >> method (I'm using port 541 here) looks something like this: >> >> # ldapmodify -x -D "cn=Directory Manager" -W <<- EOF >> dn: cn=NIS Server,cn=plugins,cn=config >> changetype: modify >> replace: nsslapd-pluginarg0 >> nsslapd-pluginarg0: 541 >> - >> >> EOF >> # ipactl restart >> >> You'll need to supply the Directory Manager password. Once that's done, >> running "rpcinfo -p" on the server should show that the NIS service is >> listening on the desired port. >> >> HTH, >> >> Nalin >> > > Nalin, > > Thanks a lot for the tip. 
It definitely looks like this put me on the > right path though I am not quite there yet. > > Doing what you suggested did not quite work. For one thing, the right cn > is "NIS", not "NIS Server". Another thing is, it does not look like the > LDIF files in question have the nsslapd-pluginarg0 parameter - or are happy > with it being added. > > You have to shutdown the directory server first > service dirsrv stop > or > systemctl stop dirsrv.target > Rich, I even went as far as rebooting the whole machine - even that did not seem to make a difference. Boris. -------------- next part -------------- An HTML attachment was scrubbed... URL: From rcritten at redhat.com Tue Nov 15 15:22:19 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 15 Nov 2011 10:22:19 -0500 Subject: [Freeipa-users] fixing port numbers associated with the NIS In-Reply-To: References: <20111115001624.GA24230@redhat.com> <4EC28055.70405@redhat.com> Message-ID: <4EC283AB.3040100@redhat.com> Boris Epstein wrote: > > > On Tue, Nov 15, 2011 at 10:08 AM, Rich Megginson > wrote: > > __ > On 11/15/2011 07:44 AM, Boris Epstein wrote: >> >> >> On Mon, Nov 14, 2011 at 7:16 PM, Nalin Dahyabhai > > wrote: >> >> On Mon, Nov 14, 2011 at 05:19:44PM -0500, Boris Epstein wrote: >> > Hello all, >> > >> > I am using the FreeIPA to run NIS via a plugin. Works >> great - except >> > that the ypserv port numbers end up different after every >> reboot. That >> > makes it hard to run it with the firewall activated. >> > >> > Does anybody know how to make those port number >> assignments permanent? >> >> There's no tooling specifically for doing this, but the plugin >> supports >> it. In order to get it to use a fixed port, you'll need to >> edit the >> directory server entry for "cn=NIS Server, cn=plugins, >> cn=config" and >> add a "nsslapd-pluginarg0" value which contains the port >> number you'd >> like it to use. 
>> >> You can do this either by stopping the directory server, >> editing its >> dse.ldif file directly, and then restarting it, or by editing >> the entry >> "live" using ldapmodify and then restarting the server. The >> latter >> method (I'm using port 541 here) looks something like this: >> >> # ldapmodify -x -D "cn=Directory Manager" -W <<- EOF >> dn: cn=NIS Server,cn=plugins,cn=config >> changetype: modify >> replace: nsslapd-pluginarg0 >> nsslapd-pluginarg0: 541 >> - >> >> EOF >> # ipactl restart >> >> You'll need to supply the Directory Manager password. Once >> that's done, >> running "rpcinfo -p" on the server should show that the NIS >> service is >> listening on the desired port. >> >> HTH, >> >> Nalin >> >> >> Nalin, >> >> Thanks a lot for the tip. It definitely looks like this put me on >> the right path though I am not quite there yet. >> >> Doing what you suggested did not quite work. For one thing, the >> right cn is "NIS", not "NIS Server". Another thing is, it does not >> look like the LDIF files in question have the nsslapd-pluginarg0 >> parameter - or are happy with it being added. > You have to shutdown the directory server first > service dirsrv stop > or > systemctl stop dirsrv.target > > > Rich, > > I even went as far as rebooting the whole machine - even that did not > seem to make a difference. > > Boris. Strange, it is NIS Server on my install too. Can you show the output of your entry? 
This worked for me:

# ldapmodify -x -D 'cn=directory manager' -w secretpassword
dn: cn=NIS Server,cn=plugins,cn=config
changetype: modify
add: nsslapd-pluginarg0
nsslapd-pluginarg0: 541

modifying entry "cn=NIS Server,cn=plugins,cn=config"

rob

From rmeggins at redhat.com Tue Nov 15 15:34:02 2011 From: rmeggins at redhat.com (Rich Megginson) Date: Tue, 15 Nov 2011 08:34:02 -0700 Subject: [Freeipa-users] fixing port numbers associated with the NIS In-Reply-To: References: <20111115001624.GA24230@redhat.com> <4EC28055.70405@redhat.com> Message-ID: <4EC2866A.2000708@redhat.com> On 11/15/2011 08:12 AM, Boris Epstein wrote: > > > On Tue, Nov 15, 2011 at 10:08 AM, Rich Megginson > wrote: > > On 11/15/2011 07:44 AM, Boris Epstein wrote: >> >> >> On Mon, Nov 14, 2011 at 7:16 PM, Nalin Dahyabhai >> > wrote: >> >> On Mon, Nov 14, 2011 at 05:19:44PM -0500, Boris Epstein wrote: >> > Hello all, >> > >> > I am using the FreeIPA to run NIS via a plugin. Works >> great - except >> > that the ypserv port numbers end up different after >> every reboot. That >> > makes it hard to run it with the firewall activated. >> > >> > Does anybody know how to make those port number >> assignments permanent? >> >> There's no tooling specifically for doing this, but the >> plugin supports >> it. In order to get it to use a fixed port, you'll need to >> edit the >> directory server entry for "cn=NIS Server, cn=plugins, >> cn=config" and >> add a "nsslapd-pluginarg0" value which contains the port >> number you'd >> like it to use. >> >> You can do this either by stopping the directory server, >> editing its >> dse.ldif file directly, and then restarting it, or by editing >> the entry >> "live" using ldapmodify and then restarting the server.
The >> latter >> method (I'm using port 541 here) looks something like this: >> >> # ldapmodify -x -D "cn=Directory Manager" -W <<- EOF >> dn: cn=NIS Server,cn=plugins,cn=config >> changetype: modify >> replace: nsslapd-pluginarg0 >> nsslapd-pluginarg0: 541 >> - >> >> EOF >> # ipactl restart >> >> You'll need to supply the Directory Manager password. Once >> that's done, >> running "rpcinfo -p" on the server should show that the NIS >> service is >> listening on the desired port. >> >> HTH, >> >> Nalin >> >> >> Nalin, >> >> Thanks a lot for the tip. It definitely looks like this put me on >> the right path though I am not quite there yet. >> >> Doing what you suggested did not quite work. For one thing, the >> right cn is "NIS", not "NIS Server". Another thing is, it does >> not look like the LDIF files in question have >> the nsslapd-pluginarg0 parameter - or are happy with it being added. > You have to shutdown the directory server first > service dirsrv stop > or > systemctl stop dirsrv.target > > > Rich, > > I even went as far as rebooting the whole machine - even that did not > seem to make a difference. I mean - if you are editing dse.ldif instead of using ldapmodify, you must stop the server first - if you edit dse.ldif while the server is running, your edits will be lost. > > Boris. > -------------- next part -------------- An HTML attachment was scrubbed... URL: From nalin at redhat.com Tue Nov 15 15:53:26 2011 From: nalin at redhat.com (Nalin Dahyabhai) Date: Tue, 15 Nov 2011 10:53:26 -0500 Subject: [Freeipa-users] fixing port numbers associated with the NIS In-Reply-To: References: <20111115001624.GA24230@redhat.com> Message-ID: <20111115155326.GA25229@redhat.com> On Tue, Nov 15, 2011 at 09:44:43AM -0500, Boris Epstein wrote: > Thanks a lot for the tip. It definitely looks like this put me on the > right path though I am not quite there yet. > > Doing what you suggested did not quite work. For one thing, the right > cn is "NIS", not "NIS Server". 
Another thing is, it does not look like > the LDIF files in question have the nsslapd-pluginarg0 parameter - or > are happy with it being added.

On my system, the entry which directs the server to load the NIS server plugin is "cn=NIS Server". If you set things up using the tools provided, I'd have expected yours to look the same, so I can't be sure you're editing the right entry. Can you paste the LDIF for it?

> Do you happen to have a copy of your LDIF configuration file with the > relevant configuration by any chance? That could come in handy.

The relevant section in the server's dse.ldif (and as Rich reiterated, if you plan on editing the file directly, the server must be stopped while you edit it) on my system looks like this:

dn: cn=NIS Server,cn=plugins,cn=config
nsslapd-pluginId: nis-plugin
cn: NIS Server
nis-tcp-wrappers-name: nis-server
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
nsslapd-pluginDescription: NIS Server Plugin
nsslapd-pluginEnabled: on
nsslapd-pluginPath: /usr/lib64/dirsrv/plugins/nisserver-plugin.so
nsslapd-pluginVersion: 0.26
nsslapd-pluginVendor: redhat.com
nsslapd-pluginType: object
nsslapd-pluginInitfunc: nis_plugin_init
creatorsName: cn=directory manager
modifiersName: cn=directory manager
createTimestamp: 20111115001037Z
modifyTimestamp: 20111115001204Z
nsslapd-pluginarg0: 541
numSubordinates: 6

HTH,

Nalin

From borepstein at gmail.com Tue Nov 15 16:09:31 2011 From: borepstein at gmail.com (Boris Epstein) Date: Tue, 15 Nov 2011 11:09:31 -0500 Subject: [Freeipa-users] fixing port numbers associated with the NIS In-Reply-To: <4EC283AB.3040100@redhat.com> References: <20111115001624.GA24230@redhat.com> <4EC28055.70405@redhat.com> <4EC283AB.3040100@redhat.com> Message-ID: On Tue, Nov 15, 2011 at 10:22 AM, Rob Crittenden wrote: > Boris Epstein wrote: > >> >> >> On Tue, Nov 15, 2011 at 10:08 AM, Rich Megginson > > wrote: >> >> __ >> >> On 11/15/2011 07:44 AM, Boris Epstein wrote: >> >>> >>> >>> On Mon, Nov 14,
2011 at 7:16 PM, Nalin Dahyabhai >> > wrote: >>> >>> On Mon, Nov 14, 2011 at 05:19:44PM -0500, Boris Epstein wrote: >>> > Hello all, >>> > >>> > I am using the FreeIPA to run NIS via a plugin. Works >>> great - except >>> > that the ypserv port numbers end up different after every >>> reboot. That >>> > makes it hard to run it with the firewall activated. >>> > >>> > Does anybody know how to make those port number >>> assignments permanent? >>> >>> There's no tooling specifically for doing this, but the plugin >>> supports >>> it. In order to get it to use a fixed port, you'll need to >>> edit the >>> directory server entry for "cn=NIS Server, cn=plugins, >>> cn=config" and >>> add a "nsslapd-pluginarg0" value which contains the port >>> number you'd >>> like it to use. >>> >>> You can do this either by stopping the directory server, >>> editing its >>> dse.ldif file directly, and then restarting it, or by editing >>> the entry >>> "live" using ldapmodify and then restarting the server. The >>> latter >>> method (I'm using port 541 here) looks something like this: >>> >>> # ldapmodify -x -D "cn=Directory Manager" -W <<- EOF >>> dn: cn=NIS Server,cn=plugins,cn=config >>> changetype: modify >>> replace: nsslapd-pluginarg0 >>> nsslapd-pluginarg0: 541 >>> - >>> >>> EOF >>> # ipactl restart >>> >>> You'll need to supply the Directory Manager password. Once >>> that's done, >>> running "rpcinfo -p" on the server should show that the NIS >>> service is >>> listening on the desired port. >>> >>> HTH, >>> >>> Nalin >>> >>> >>> Nalin, >>> >>> Thanks a lot for the tip. It definitely looks like this put me on >>> the right path though I am not quite there yet. >>> >>> Doing what you suggested did not quite work. For one thing, the >>> right cn is "NIS", not "NIS Server". Another thing is, it does not >>> look like the LDIF files in question have the nsslapd-pluginarg0 >>> parameter - or are happy with it being added. 
>>> >> You have to shutdown the directory server first >> service dirsrv stop >> or >> systemctl stop dirsrv.target >> >> >> Rich, >> >> I even went as far as rebooting the whole machine - even that did not >> seem to make a difference. >> >> Boris. >> > > Strange, it is NIS Server on my install too. Can you show the output of > your entry? > > This worked for me: > > # ldapmodify -x -D 'cn=directory manager' -w secretpassword > > dn: cn=NIS Server,cn=plugins,cn=config > changetype: modify > add: nsslapd-pluginarg0 > nsslapd-pluginarg0: 541 > > modifying entry "cn=NIS Server,cn=plugins,cn=config" > > rob >

Rob,

Brilliant, thanks! This seems to have done the trick. Here's my output:

[root at noreaster ~]# ldapmodify -x -D 'cn=directory manager' -w
dn: cn=NIS Server,cn=plugins,cn=config
changetype: modify
add: nsslapd-pluginarg0
nsslapd-pluginarg0: 995

modifying entry "cn=NIS Server,cn=plugins,cn=config"

[root at noreaster ~]# ipactl restart
Restarting Directory Service
Restarting KDC Service
Restarting KPASSWD Service
Restarting HTTP Service
Restarting CA Service
[root at noreaster ~]#

Cheers,

Boris.

From borepstein at gmail.com Tue Nov 15 20:03:41 2011 From: borepstein at gmail.com (Boris Epstein) Date: Tue, 15 Nov 2011 15:03:41 -0500 Subject: [Freeipa-users] LDAP authentication into FreeIPA Message-ID: Hello all, This may be my general LDAP illiteracy - I only dealt with it briefly years ago - but I am trying to set up a FreeIPA server on Fedora 16 to have my Macs and Ubuntu Linux machines as well as a couple of Windows boxes to authenticate to - and seem not to be making much forward progress. Is there a step-by-step writeup on how to do that sort of thing? Thanks for any and all help. Boris.
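Pulling the NIS-port thread above together (Nalin's ldapmodify recipe, Rob's add-vs-replace variant, and the "NIS" versus "NIS Server" confusion), the following is an added example that is not code from the list or from FreeIPA: it reads a dse.ldif fragment, selects the plugin entry by its nsslapd-pluginId rather than by a guessed cn, emits the LDIF that ldapmodify needs, and checks "rpcinfo -p" output to confirm every ypserv registration is on the pinned port. The SAMPLE_DSE_LDIF (modelled on the entry Nalin posted, plus a made-up "cn=Example Plugin" neighbour) and SAMPLE_RPCINFO data are constructed for the example.

```python
"""Pin the FreeIPA NIS plugin (slapi-nis in 389-ds) to a fixed port.

Added example, not code from this list or from FreeIPA: locate the plugin
entry by nsslapd-pluginId, build the ldapmodify LDIF, verify via rpcinfo.
"""

YPSERV_PROGRAM = "100004"  # RPC program number registered by ypserv

# Constructed dse.ldif fragment, modelled on the entry posted in the thread;
# the second entry is a made-up neighbour so the lookup has to discriminate.
SAMPLE_DSE_LDIF = """\
dn: cn=NIS Server,cn=plugins,cn=config
nsslapd-pluginId: nis-plugin
cn: NIS Server
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
nsslapd-pluginEnabled: on
nsslapd-pluginPath: /usr/lib64/dirsrv/plugins/nisserver-plugin.so
nsslapd-pluginType: object

dn: cn=Example Plugin,cn=plugins,cn=config
nsslapd-pluginId: example-plugin
cn: Example Plugin
objectClass: top
objectClass: nsSlapdPlugin
"""

# Constructed 'rpcinfo -p' output as it should look once the port is pinned.
SAMPLE_RPCINFO = """\
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100004    2   udp    541  ypserv
    100004    2   tcp    541  ypserv
"""


def normalize_dn(dn):
    """DNs compare case-insensitively, and 'cn=NIS Server, cn=plugins' is the
    same DN as 'cn=NIS Server,cn=plugins'; fold both differences away."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_ldif(text):
    """Minimal LDIF reader: {normalized dn: {attr (lower-cased): [values]}}.
    The raw dn is kept under the 'dn' key. Folded lines (leading space) are
    joined, '#' comments dropped, base64 ('::') values skipped."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # continuation of the previous line
        else:
            lines.append(raw)
    entries, key, attrs = {}, None, {}
    for line in lines + [""]:             # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if key is not None:
                entries[key] = attrs
            key, attrs = None, {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):         # base64-encoded value, not needed
            continue
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            key = normalize_dn(value)
        attrs.setdefault(name, []).append(value)
    return entries


def find_nis_plugin(entries):
    """Select the entry by plugin id, so a wrong guess at the cn ('NIS' vs
    'NIS Server') cannot send the modify to a non-existent entry."""
    hits = [k for k, a in entries.items()
            if a.get("nsslapd-pluginid", [""])[0].lower() == "nis-plugin"]
    if len(hits) != 1:
        raise LookupError("expected one NIS plugin entry, found %d" % len(hits))
    return hits[0]


def modify_ldif(dn, port):
    """LDIF for ldapmodify. 'replace' works whether or not nsslapd-pluginarg0
    is already present; 'add' (Rob's variant) errors once the value exists."""
    if not 1 <= port <= 65535:
        raise ValueError("port out of range: %r" % port)
    return ("dn: %s\nchangetype: modify\nreplace: nsslapd-pluginarg0\n"
            "nsslapd-pluginarg0: %d\n" % (dn, port))


def plan(dse_ldif, port):
    """Return (raw dn, port currently configured or None, LDIF to apply)."""
    entries = parse_ldif(dse_ldif)
    entry = entries[find_nis_plugin(entries)]
    current = entry.get("nsslapd-pluginarg0")
    return (entry["dn"][0], int(current[0]) if current else None,
            modify_ldif(entry["dn"][0], port))


def ypserv_ports(rpcinfo_output):
    """Ports ypserv has registered with the portmapper, per 'rpcinfo -p'."""
    ports = set()
    for line in rpcinfo_output.splitlines():
        fields = line.split()
        if len(fields) == 5 and fields[0] == YPSERV_PROGRAM:
            ports.add(int(fields[3]))
    return ports


def verify_pinned(rpcinfo_output, port):
    """True only if ypserv is registered and every registration (udp and tcp)
    uses 'port', i.e. a firewall rule for that one port will actually match."""
    ports = ypserv_ports(rpcinfo_output)
    return bool(ports) and ports == {port}


if __name__ == "__main__":
    dn, before, ldif = plan(SAMPLE_DSE_LDIF, 541)
    print("entry:", dn, "| current port:", before)
    print(ldif)
    print("ypserv pinned to 541:", verify_pinned(SAMPLE_RPCINFO, 541))
```

Feed the printed LDIF to ldapmodify as in Nalin's message, then run "rpcinfo -p" and pass its output to verify_pinned before opening the firewall port.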
From Steven.Jones at vuw.ac.nz Tue Nov 15 20:40:41 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 15 Nov 2011 20:40:41 +0000
Subject: [Freeipa-users] LDAP authentication into FreeIPA
Message-ID: <833D8E48405E064EBC54C84EC6B36E4049C20E20@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

I don't think there is much realistic hope of getting Windows to
authenticate to freeIPA......the others should be able to and the Fedora
docs on the freeIPA documentation web page list a specific method for
Macs for one (but I have not tried it yet, but I will be)....Ubuntu has
been mentioned before....I have to try/do that as well....

Siggi sent me some notes a while back,

=============

Ubuntu client install

https://help.ubuntu.com/10.04/serverguide/C/kerberos.html

sudo apt-get install krb5-user libpam-krb5 libpam-ccreds auth-client-config

maybe also need libpam-ldap libnss-ldap

Use ipa-getkeytab on an IPA server to retrieve the keytab for the host,
and copy this to /etc/krb5.keytab on the Ubuntu client.

[root@ipa1 ~]# ipa-getkeytab -s ipa1.ix.test.com -p host/ubuntu-client.ix.test.com -k /tmp/buntuclient_krb5.keytab

If you prefer you can use something like CFengine to automate the whole
process.

=============

Hope that helps.............

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Boris Epstein [borepstein at gmail.com]
Sent: Wednesday, 16 November 2011 9:03 a.m.
To: freeipa-users at redhat.com
Subject: [Freeipa-users] LDAP authentication into FreeIPA

Hello all,

This may be my general LDAP illiteracy - I only dealt with it briefly
years ago - but I am trying to set up a FreeIPA server on Fedora 16 to
have my Macs and Ubuntu Linux machines as well as a couple of Windows
boxes to authenticate to - and seem not to be making much forward
progress.
Is there a step-by-step writeup on how to do that sort of thing?

Thanks for any and all help.

Boris.

From sgallagh at redhat.com Tue Nov 15 20:54:03 2011
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Tue, 15 Nov 2011 15:54:03 -0500
Subject: [Freeipa-users] LDAP authentication into FreeIPA
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E4049C20E20@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E4049C20E20@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <1321390443.2315.48.camel@sgallagh520.ipa.sgallagh.bos.redhat.com>

On Tue, 2011-11-15 at 20:40 +0000, Steven Jones wrote:
> Hi,
>
> I don't think there is much realistic hope of getting Windows to
> authenticate to freeIPA......the others should be able to and the
> Fedora docs on the freeIPA documentation web page list a specific
> method for Macs for one (but I have not tried it yet, but I will
> be)....Ubuntu has been mentioned before....I have to try/do that as
> well....
>
> Siggi sent me some notes a while back,
>
> =============
>
> Ubuntu client install

I don't have all of the details handy right now, but I know Timo
Aaltonen was working on porting SSSD and ipa-client to Ubuntu in order
to support the enhanced client enrollment available with those two
packages.

The SSSD and its dependencies are available in his PPA here:
https://launchpad.net/~tjaalton/+archive/ppa

From Steven.Jones at vuw.ac.nz Tue Nov 15 20:53:07 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 15 Nov 2011 20:53:07 +0000
Subject: [Freeipa-users] Selinux and FreeIPA
Message-ID: <833D8E48405E064EBC54C84EC6B36E4049C21E57@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

I can't find anything obvious that says the recommended mode for SELinux,
I take it it is enforcing?
regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From rcritten at redhat.com Tue Nov 15 20:55:55 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 15 Nov 2011 15:55:55 -0500
Subject: [Freeipa-users] Selinux and FreeIPA
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E4049C21E57@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E4049C21E57@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4EC2D1DB.20001@redhat.com>

Steven Jones wrote:
>
> Hi,
>
> I can't find anything obvious that says the recommended mode for SELinux,
> I take it it is enforcing?

Yes, we do all development and testing in enforcing mode.

rob

From g17jimmy at gmail.com Tue Nov 15 21:01:40 2011
From: g17jimmy at gmail.com (Jimmy)
Date: Tue, 15 Nov 2011 16:01:40 -0500
Subject: [Freeipa-users] LDAP authentication into FreeIPA
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E4049C20E20@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E4049C20E20@STAWINCOX10MBX1.staff.vuw.ac.nz>

I know the Windows systems don't have full integration with FreeIPA, but
I have Windows systems authenticating to FreeIPA the same as they would
to a regular MIT Kerberos system. They are not using the same config that
is posted on the FreeIPA website where the IPA users are mapped to a
single workstation user.

Jimmy

On Tue, Nov 15, 2011 at 3:40 PM, Steven Jones wrote:
> Hi,
>
> I don't think there is much realistic hope of getting Windows to
> authenticate to freeIPA......the others should be able to and the Fedora
> docs on the freeIPA documentation web page list a specific method for Macs
> for one (but I have not tried it yet, but I will be)....Ubuntu has been
> mentioned before....I have to try/do that as well....
>
> Siggi sent me some notes a while back,
>
> =============
>
> Ubuntu client install
>
> https://help.ubuntu.com/10.04/serverguide/C/kerberos.html
>
> sudo apt-get install krb5-user libpam-krb5 libpam-ccreds auth-client-config
>
> maybe also need libpam-ldap libnss-ldap
>
> Use ipa-getkeytab on an IPA server to retrieve the keytab for the host, and
> copy this to /etc/krb5.keytab on the Ubuntu client.
>
> [root@ipa1 ~]# ipa-getkeytab -s ipa1.ix.test.com -p host/ubuntu-client.ix.test.com -k /tmp/buntuclient_krb5.keytab
>
> If you prefer you can use something like CFengine to automate the whole
> process.
>
> =============
>
> Hope that helps.............
>
> regards
>
> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
> 0064 4 463 6272
>
> ________________________________
> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Boris Epstein [borepstein at gmail.com]
> Sent: Wednesday, 16 November 2011 9:03 a.m.
> To: freeipa-users at redhat.com
> Subject: [Freeipa-users] LDAP authentication into FreeIPA
>
> Hello all,
>
> This may be my general LDAP illiteracy - I only dealt with it briefly
> years ago - but I am trying to set up a FreeIPA server on Fedora 16 to have
> my Macs and Ubuntu Linux machines as well as a couple of Windows boxes to
> authenticate to - and seem not to be making much forward progress. Is there
> a step-by-step writeup on how to do that sort of thing?
>
> Thanks for any and all help.
>
> Boris.
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
From natxo.asenjo at gmail.com Tue Nov 15 21:06:45 2011
From: natxo.asenjo at gmail.com (Natxo Asenjo)
Date: Tue, 15 Nov 2011 22:06:45 +0100
Subject: [Freeipa-users] Reinstalling a host without deleting
In-Reply-To: <1321364312.30630.9.camel@willson.li.ssimo.org>
References: <1321364312.30630.9.camel@willson.li.ssimo.org>

On Tue, Nov 15, 2011 at 2:38 PM, Simo Sorce wrote:
> On Tue, 2011-11-15 at 08:33 -0500, Dan Scott wrote:
>> Hi,
>>
>> On Tue, Nov 15, 2011 at 07:07, Natxo Asenjo wrote:
>> > On Tue, Nov 15, 2011 at 12:40 AM, Dan Scott wrote:
>> >> Hi,
>> >>
>> >> Is there a 'nice' way to reinstall a host? i.e. The host has already
>> >> been installed in FreeIPA and for whatever reason I need to reinstall
>> >> the OS, so I have a clean system and the host is already enrolled on
>> >> the server.
>> >>
>> >> ipa-client-install fails with "Host already enrolled" and I have to
>> >> connect to an enrolled client, remove the host, and then return to
>> >> install the client.
>> >>
>> >> Would it be possible to have a '--reinstall' option to
>> >> ipa-client-install? It wouldn't have to add the host into IPA, just
>> >> configure the files and get the keytab.
>> >
>> > If I understand it correctly, this could overwrite hosts passwords
>> > which is probably not what you want with a kerberos realm.
>>
>> So *getting* a new keytab would overwrite host passwords? Why wouldn't
>> I want that, if I'm reinstalling a host?
>>
>> > You should manually remove the host first from the realm and then rejoin it.
>
> No, actually if the host offers services you probably prefer rejoining
> in a way that keeps the original keys in the keytab and the new keys get
> a new kvno. This way clients that obtained a ticket before the
> re-install can still use them.

I understand your point but ..., is there not a risk that any new
installed host could so supplant another one?
I mean, if I bootstrap a new host with the name of an existing host, it
would then in fact become that host and that may not be what I want to
do. This would also replace the dns A record to the host, obviously.

Or am I missing something (probably :-) )?

At least in my experience with AD one has to delete the computer account
when re-installing a host or you get warnings about duplicate computer
names and failures to join the domain.

--
natxo

From sigbjorn at nixtra.com Tue Nov 15 21:28:41 2011
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Tue, 15 Nov 2011 22:28:41 +0100
Subject: [Freeipa-users] LDAP authentication into FreeIPA
In-Reply-To: <1321390443.2315.48.camel@sgallagh520.ipa.sgallagh.bos.redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E4049C20E20@STAWINCOX10MBX1.staff.vuw.ac.nz> <1321390443.2315.48.camel@sgallagh520.ipa.sgallagh.bos.redhat.com>
Message-ID: <4EC2D989.5050602@nixtra.com>

On 11/15/2011 09:54 PM, Stephen Gallagher wrote:
> On Tue, 2011-11-15 at 20:40 +0000, Steven Jones wrote:
>> Hi,
>>
>> I don't think there is much realistic hope of getting Windows to
>> authenticate to freeIPA......the others should be able to and the
>> Fedora docs on the freeIPA documentation web page list a specific
>> method for Macs for one (but I have not tried it yet, but I will
>> be)....Ubuntu has been mentioned before....I have to try/do that as
>> well....
>>
>> Siggi sent me some notes a while back,
>>
>> =============
>>
>> Ubuntu client install
>
> I don't have all of the details handy right now, but I know Timo
> Aaltonen was working on porting SSSD and ipa-client to Ubuntu in order
> to support the enhanced client enrollment available with those two
> packages.
>
> The SSSD and its dependencies are available in his PPA here:
> https://launchpad.net/~tjaalton/+archive/ppa
>

Just tried to install sssd from the above repo.

There's only packages for the old 10.04 lucid and 10.10 maverick, nothing
for 11.04 natty or 11.11 oneiric.
I tried to install on natty using packages from maverick, but it depends
on packages no longer available in the natty package tree. :(

However for oneiric sssd 1.5.13 seems to have made it into the universe
package tree:
http://packages.ubuntu.com/oneiric/sssd

Rgds,
Siggi

From borepstein at gmail.com Tue Nov 15 21:37:13 2011
From: borepstein at gmail.com (Boris Epstein)
Date: Tue, 15 Nov 2011 16:37:13 -0500
Subject: [Freeipa-users] LDAP authentication into FreeIPA
In-Reply-To: <4EC2D989.5050602@nixtra.com>
References: <833D8E48405E064EBC54C84EC6B36E4049C20E20@STAWINCOX10MBX1.staff.vuw.ac.nz> <1321390443.2315.48.camel@sgallagh520.ipa.sgallagh.bos.redhat.com> <4EC2D989.5050602@nixtra.com>

On Tue, Nov 15, 2011 at 4:28 PM, Sigbjorn Lie wrote:
> On 11/15/2011 09:54 PM, Stephen Gallagher wrote:
>
>> On Tue, 2011-11-15 at 20:40 +0000, Steven Jones wrote:
>>
>>> Hi,
>>>
>>> I don't think there is much realistic hope of getting Windows to
>>> authenticate to freeIPA......the others should be able to and the
>>> Fedora docs on the freeIPA documentation web page list a specific
>>> method for Macs for one (but I have not tried it yet, but I will
>>> be)....Ubuntu has been mentioned before....I have to try/do that as
>>> well....
>>>
>>> Siggi sent me some notes a while back,
>>>
>>> =============
>>>
>>> Ubuntu client install
>>>
>>
>> I don't have all of the details handy right now, but I know Timo
>> Aaltonen was working on porting SSSD and ipa-client to Ubuntu in order
>> to support the enhanced client enrollment available with those two
>> packages.
>>
>> The SSSD and its dependencies are available in his PPA here:
>> https://launchpad.net/~tjaalton/+archive/ppa
>>
>>
> Just tried to install sssd from the above repo.
>
> There's only packages for the old 10.04 lucid and 10.10 maverick, nothing
> for 11.04 natty or 11.11 oneiric.
> I tried to install on natty using
> packages from maverick, but it depends on packages no longer available in
> the natty package tree. :(
>
> However for oneiric sssd 1.5.13 seems to have made it into the universe
> package tree:
> http://packages.ubuntu.com/oneiric/sssd
>
>
>
> Rgds,
> Siggi

Siggi,

Thanks, but why would I want sssd on my client machine?

Or - why would the current LDAP client that Ubuntu at least claims to
have not work?

Boris.

From borepstein at gmail.com Tue Nov 15 21:24:20 2011
From: borepstein at gmail.com (Boris Epstein)
Date: Tue, 15 Nov 2011 16:24:20 -0500
Subject: [Freeipa-users] LDAP authentication into FreeIPA
References: <833D8E48405E064EBC54C84EC6B36E4049C20E20@STAWINCOX10MBX1.staff.vuw.ac.nz>

Jimmy,

Thanks! I thought this way myself - FreeIPA provides a proper LDAP
implementation, no reason Windows should be unable to use it.

Now if only I could find a better documentation on how to make this
happen...

Boris.

On Tue, Nov 15, 2011 at 4:01 PM, Jimmy wrote:
> I know the Windows systems don't have full integration with FreeIPA, but I
> have Windows systems authenticating to FreeIPA the same as they would to a
> regular MIT Kerberos system. They are not using the same config that is
> posted on the FreeIPA website where the IPA users are mapped to a single
> workstation user.
>
> Jimmy
>
> On Tue, Nov 15, 2011 at 3:40 PM, Steven Jones wrote:
>
>> Hi,
>>
>> I don't think there is much realistic hope of getting Windows to
>> authenticate to freeIPA......the others should be able to and the Fedora
>> docs on the freeIPA documentation web page list a specific method for Macs
>> for one (but I have not tried it yet, but I will be)....Ubuntu has been
>> mentioned before....I have to try/do that as well....
>>
>> Siggi sent me some notes a while back,
>>
>> =============
>>
>> Ubuntu client install
>>
>> https://help.ubuntu.com/10.04/serverguide/C/kerberos.html
>>
>> sudo apt-get install krb5-user libpam-krb5 libpam-ccreds
>> auth-client-config
>>
>> maybe also need libpam-ldap libnss-ldap
>>
>> Use ipa-getkeytab on an IPA server to retrieve the keytab for the host,
>> and copy this to /etc/krb5.keytab on the Ubuntu client.
>>
>> [root@ipa1 ~]# ipa-getkeytab -s ipa1.ix.test.com -p host/ubuntu-client.ix.test.com -k /tmp/buntuclient_krb5.keytab
>>
>> If you prefer you can use something like CFengine to automate the whole
>> process.
>>
>> =============
>>
>> Hope that helps.............
>>
>> regards
>>
>> Steven Jones
>> Technical Specialist - Linux RHCE
>> Victoria University, Wellington, NZ
>> 0064 4 463 6272
>>
>> ________________________________
>> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Boris Epstein [borepstein at gmail.com]
>> Sent: Wednesday, 16 November 2011 9:03 a.m.
>> To: freeipa-users at redhat.com
>> Subject: [Freeipa-users] LDAP authentication into FreeIPA
>>
>> Hello all,
>>
>> This may be my general LDAP illiteracy - I only dealt with it briefly
>> years ago - but I am trying to set up a FreeIPA server on Fedora 16 to have
>> my Macs and Ubuntu Linux machines as well as a couple of Windows boxes to
>> authenticate to - and seem not to be making much forward progress. Is there
>> a step-by-step writeup on how to do that sort of thing?
>>
>> Thanks for any and all help.
>>
>> Boris.
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>
From danieljamesscott at gmail.com Tue Nov 15 21:44:00 2011
From: danieljamesscott at gmail.com (Dan Scott)
Date: Tue, 15 Nov 2011 16:44:00 -0500
Subject: [Freeipa-users] Reinstalling a host without deleting
References: <1321364312.30630.9.camel@willson.li.ssimo.org>

On Tue, Nov 15, 2011 at 16:06, Natxo Asenjo wrote:
> On Tue, Nov 15, 2011 at 2:38 PM, Simo Sorce wrote:
>> On Tue, 2011-11-15 at 08:33 -0500, Dan Scott wrote:
>>> Hi,
>>>
>>> On Tue, Nov 15, 2011 at 07:07, Natxo Asenjo wrote:
>>> > On Tue, Nov 15, 2011 at 12:40 AM, Dan Scott wrote:
>>> >> Hi,
>>> >>
>>> >> Is there a 'nice' way to reinstall a host? i.e. The host has already
>>> >> been installed in FreeIPA and for whatever reason I need to reinstall
>>> >> the OS, so I have a clean system and the host is already enrolled on
>>> >> the server.
>>> >>
>>> >> ipa-client-install fails with "Host already enrolled" and I have to
>>> >> connect to an enrolled client, remove the host, and then return to
>>> >> install the client.
>>> >>
>>> >> Would it be possible to have a '--reinstall' option to
>>> >> ipa-client-install? It wouldn't have to add the host into IPA, just
>>> >> configure the files and get the keytab.
>>> >
>>> > If I understand it correctly, this could overwrite hosts passwords
>>> > which is probably not what you want with a kerberos realm.
>>>
>>> So *getting* a new keytab would overwrite host passwords? Why wouldn't
>>> I want that, if I'm reinstalling a host?
>>>
>>> > You should manually remove the host first from the realm and then rejoin it.
>>
>> No, actually if the host offers services you probably prefer rejoining
>> in a way that keeps the original keys in the keytab and the new keys get
>> a new kvno. This way clients that obtained a ticket before the
>> re-install can still use them.
>
> I understand your point but ..., is there not a risk that any new
> installed host could so supplant another one?
> I mean, if I bootstrap a
> new host with the name of an existing host, it would then in fact
> become that host and that may not be what I want to do. This would
> also replace the dns A record to the host, obviously.

There is that risk, but isn't there also the same risk of incorrectly
removing an existing host?

Why would it have to replace the DNS record? I guess that could be an
option too, but I'm really after an option to re-configure a server with
the same IP. The IP address check can also be used to help prevent the
error you mentioned. I would agree with you that if you're adding a
server with the same hostname but different IP then that really should
be a 'remove and re-install' rather than the reconfigure that I'm after.

> At least in my experience with AD one has to delete the computer
> account when re-installing a host or you get warnings about duplicate
> computer names and failures to join the domain.

FreeIPA currently gives those warnings. This would just be a new option
which says "I know that this server already exists, I want to
re-configure it".
Thanks,

Dan

> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>

From sigbjorn at nixtra.com Tue Nov 15 21:49:05 2011
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Tue, 15 Nov 2011 22:49:05 +0100
Subject: [Freeipa-users] LDAP authentication into FreeIPA
References: <833D8E48405E064EBC54C84EC6B36E4049C20E20@STAWINCOX10MBX1.staff.vuw.ac.nz> <1321390443.2315.48.camel@sgallagh520.ipa.sgallagh.bos.redhat.com> <4EC2D989.5050602@nixtra.com>
Message-ID: <4EC2DE51.1080400@nixtra.com>

On 11/15/2011 10:37 PM, Boris Epstein wrote:
>
>
> On Tue, Nov 15, 2011 at 4:28 PM, Sigbjorn Lie wrote:
>
>     On 11/15/2011 09:54 PM, Stephen Gallagher wrote:
>
>         On Tue, 2011-11-15 at 20:40 +0000, Steven Jones wrote:
>
>             Hi,
>
>             I don't think there is much realistic hope of getting
>             Windows to authenticate to freeIPA......the others should
>             be able to and the Fedora docs on the freeIPA documentation
>             web page list a specific method for Macs for one (but I
>             have not tried it yet, but I will be)....Ubuntu has been
>             mentioned before....I have to try/do that as well....
>
>             Siggi sent me some notes a while back,
>
>             =============
>
>             Ubuntu client install
>
>
>         I don't have all of the details handy right now, but I know Timo
>         Aaltonen was working on porting SSSD and ipa-client to Ubuntu
>         in order to support the enhanced client enrollment available
>         with those two packages.
>
>         The SSSD and its dependencies are available in his PPA here:
>         https://launchpad.net/~tjaalton/+archive/ppa
>
>
>
>     Just tried to install sssd from the above repo.
>
>     There's only packages for the old 10.04 lucid and 10.10 maverick,
>     nothing for 11.04 natty or 11.11 oneiric. I tried to install on
>     natty using packages from maverick, but it depends on packages no
>     longer available in the natty package tree.
>     :(
>
>     However for oneiric sssd 1.5.13 seems to have made it into the
>     universe package tree:
>     http://packages.ubuntu.com/oneiric/sssd
>
>
>
>     Rgds,
>     Siggi
>
>
> Siggi,
>
> Thanks, but why would I want sssd on my client machine?
>
> Or - why would the current LDAP client that Ubuntu at least claims to
> have not work?
>

The reasons I've found so far are:

* Lack of support for the host based access control rules found in IPA
* Need to have the config file with a username/password for the system to
  bind to the ldap directory readable by everyone... (not secure)
* SSSD uses the kerberos host key to talk to LDAP (secure)
* No daemon keeping track of available ldap servers, e.g. in a failover
  situation you'll keep asking the server that's down, delaying your
  client response.
* No offline caching of credentials (very handy if you have laptops).

I'm sure the SSSD developers can give you lots more. :)

Rgds,
Siggi

From borepstein at gmail.com Tue Nov 15 21:51:56 2011
From: borepstein at gmail.com (Boris Epstein)
Date: Tue, 15 Nov 2011 16:51:56 -0500
Subject: [Freeipa-users] LDAP authentication into FreeIPA
In-Reply-To: <4EC2DE51.1080400@nixtra.com>
References: <833D8E48405E064EBC54C84EC6B36E4049C20E20@STAWINCOX10MBX1.staff.vuw.ac.nz> <1321390443.2315.48.camel@sgallagh520.ipa.sgallagh.bos.redhat.com> <4EC2D989.5050602@nixtra.com> <4EC2DE51.1080400@nixtra.com>

>
>
>>>
>>>
>> Just tried to install sssd from the above repo.
>>
>> There's only packages for the old 10.04 lucid and 10.10 maverick, nothing
>> for 11.04 natty or 11.11 oneiric. I tried to install on natty using
>> packages from maverick, but it depends on packages no longer available in
>> the natty package tree.
>> :(
>>
>> However for oneiric sssd 1.5.13 seems to have made it into the universe
>> package tree:
>> http://packages.ubuntu.com/oneiric/sssd
>>
>>
>>
>> Rgds,
>> Siggi
>
>
> Siggi,
>
> Thanks, but why would I want sssd on my client machine?
>
> Or - why would the current LDAP client that Ubuntu at least claims to
> have not work?
>
>
> The reasons I've found so far are:
>
> * Lack of support for the host based access control rules found in IPA
> * Need to have the config file with a username/password for the system to
>   bind to the ldap directory readable by everyone... (not secure)
> * SSSD uses the kerberos host key to talk to LDAP (secure)
> * No daemon keeping track of available ldap servers, e.g. in a failover
>   situation you'll keep asking the server that's down, delaying your client
>   response.
> * No offline caching of credentials (very handy if you have laptops).
>
> I'm sure the SSSD developers can give you lots more. :)
>
>
> Rgds,
> Siggi
>

Siggi,

Thanks, all of those are valid. I just installed sssd on an Ubuntu
machine here, may end up using it.

But from what you are saying it still sounds like the existing LDAP
client on Ubuntu ought to still work, even if in a less than secure
fashion. And it doesn't seem to.

Boris.

From dpal at redhat.com Tue Nov 15 23:32:00 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Tue, 15 Nov 2011 18:32:00 -0500
Subject: [Freeipa-users] LDAP authentication into FreeIPA
References: <833D8E48405E064EBC54C84EC6B36E4049C20E20@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4EC2F670.8020702@redhat.com>

On 11/15/2011 04:01 PM, Jimmy wrote:
> I know the Windows systems don't have full integration with FreeIPA,
> but I have Windows systems authenticating to FreeIPA the same as they
> would to a regular MIT Kerberos system.
> They are not using the same
> config that is posted on the FreeIPA website where the IPA users are
> mapped to a single workstation user.
>

Would you mind sharing your configuration and steps with us?

Thank you
Dmitri

> Jimmy
>
> On Tue, Nov 15, 2011 at 3:40 PM, Steven Jones wrote:
>
>     Hi,
>
>     I don't think there is much realistic hope of getting Windows to
>     authenticate to freeIPA......the others should be able to and the
>     Fedora docs on the freeIPA documentation web page list a specific
>     method for Macs for one (but I have not tried it yet, but I will
>     be)....Ubuntu has been mentioned before....I have to try/do that
>     as well....
>
>     Siggi sent me some notes a while back,
>
>     =============
>
>     Ubuntu client install
>
>
>     https://help.ubuntu.com/10.04/serverguide/C/kerberos.html
>
>
>     sudo apt-get install krb5-user libpam-krb5 libpam-ccreds
>     auth-client-config
>
>
>     maybe also need libpam-ldap libnss-ldap
>
>
>     Use ipa-getkeytab on an IPA server to retrieve the keytab for the
>     host, and copy this to /etc/krb5.keytab on the Ubuntu client.
>
>     [root@ipa1 ~]# ipa-getkeytab -s ipa1.ix.test.com
>     -p host/ubuntu-client.ix.test.com
>     -k /tmp/buntuclient_krb5.keytab
>
>     If you prefer you can use something like CFengine to automate the
>     whole process.
>
>     =============
>
>     Hope that helps.............
>
>
>     regards
>
>     Steven Jones
>
>     Technical Specialist - Linux RHCE
>
>     Victoria University, Wellington, NZ
>
>     0064 4 463 6272
>
>     ________________________________
>     From: freeipa-users-bounces at redhat.com
>     [freeipa-users-bounces at redhat.com] on behalf of Boris
>     Epstein [borepstein at gmail.com]
>     Sent: Wednesday, 16 November 2011 9:03 a.m.
>     To: freeipa-users at redhat.com
>     Subject: [Freeipa-users] LDAP authentication into FreeIPA
>
>     Hello all,
>
>     This may be my general LDAP illiteracy - I only dealt with it
>     briefly years ago - but I am trying to set up a FreeIPA server on
>     Fedora 16 to have my Macs and Ubuntu Linux machines as well as a
>     couple of Windows boxes to authenticate to - and seem not to be
>     making much forward progress. Is there a step-by-step writeup on
>     how to do that sort of thing?
>
>     Thanks for any and all help.
>
>     Boris.
>
>     _______________________________________________
>     Freeipa-users mailing list
>     Freeipa-users at redhat.com
>     https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From g17jimmy at gmail.com Wed Nov 16 01:44:47 2011
From: g17jimmy at gmail.com (Jimmy)
Date: Tue, 15 Nov 2011 20:44:47 -0500
Subject: [Freeipa-users] LDAP authentication into FreeIPA
In-Reply-To: <4EC2F670.8020702@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E4049C20E20@STAWINCOX10MBX1.staff.vuw.ac.nz> <4EC2F670.8020702@redhat.com>

I did supply this to the list at the middle of September, but will
re-send. I know things get lost in the flow of emails/lists.

==============IPA and ksetup steps=================

I can't find the technet article right now, but here's what I did that
makes Win7 (and XP, but XP doesn't need the gpedit step) work. One note
about this, I kept getting strange errors with any encryption besides
rc4-hmac.
For my situation I think it is suitable (a static environment once the
systems are deployed), but if others want to spend more time hacking on
the system MS messed up, go for it ;).

On FreeIPA:

i. create the host principal in the web interface
ii. create IPA users to correspond to Windows users
iii. reset the user's IPA password to a known password using the web
interface, the user will be prompted to change at first log in. (is there
a default password or is this random? sorry if that's somewhere else in
docs and I missed it)
iv. on the IPA server run `ipa-getkeytab -s [kdc DNS name] -p host/[machine-name] -e arcfour-hmac -k krb5.keytab.[machine-name] -P`
(enter the password that will be used in the `ksetup /setcomputerpassword`
below)

configure Windows ksetup:

i. ksetup /setdomain [REALM NAME]
ii. ksetup /addkdc [REALM NAME] [kdc DNS name]
iii. ksetup /addkpassword [REALM NAME] [kdc DNS name]
iv. ksetup /setcomputerpassword [PASSWORD]
v. ksetup /mapuser * *
vi. Run gpedit.msc. Under Computer Configuration\Windows Settings\Security
Settings\Local Policies\Security Options open the key called "Network
Security: Configure encryption types allowed for Kerberos" and unselect
everything except RC4_HMAC_MD5
vii. *** REBOOT ***
viii. log in as [user]@[REALM] with the initial password, you will be
prompted to change the password then logged in.

On Tue, Nov 15, 2011 at 6:32 PM, Dmitri Pal wrote:

> On 11/15/2011 04:01 PM, Jimmy wrote:
>
> I know the Windows systems don't have full integration with FreeIPA, but I
> have Windows systems authenticating to FreeIPA the same as they would to a
> regular MIT Kerberos system. They are not using the same config that is
> posted on the FreeIPA website where the IPA users are mapped to a single
> workstation user.
>
>
> Would you mind sharing your configuration and steps with us?
>
>
> Thank you
> Dmitri
>
>
> Jimmy
>
> On Tue, Nov 15, 2011 at 3:40 PM, Steven Jones wrote:
>
>> Hi,
>>
>> I don't think there is much realistic hope of getting Windows to
>> authenticate to freeIPA......the others should be able to and the Fedora
>> docs on the freeIPA documentation web page list a specific method for Macs
>> for one (but I have not tried it yet, but I will be)....Ubuntu has been
>> mentioned before....I have to try/do that as well....
>>
>> Siggi sent me some notes a while back,
>>
>> =============
>>
>> Ubuntu client install
>>
>>
>> https://help.ubuntu.com/10.04/serverguide/C/kerberos.html
>>
>>
>> sudo apt-get install krb5-user libpam-krb5 libpam-ccreds
>> auth-client-config
>>
>>
>> maybe also need libpam-ldap libnss-ldap
>>
>>
>> Use ipa-getkeytab on an IPA server to retrieve the keytab for the host,
>> and copy this to /etc/krb5.keytab on the Ubuntu client.
>>
>> [root@ipa1 ~]# ipa-getkeytab -s ipa1.ix.test.com -p host/ubuntu-client.ix.test.com -k /tmp/buntuclient_krb5.keytab
>>
>> If you prefer you can use something like CFengine to automate the whole
>> process.
>>
>> =============
>>
>> Hope that helps.............
>>
>>
>> regards
>>
>> Steven Jones
>>
>> Technical Specialist - Linux RHCE
>>
>> Victoria University, Wellington, NZ
>>
>> 0064 4 463 6272
>>
>> ________________________________
>> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com]
>> on behalf of Boris Epstein [borepstein at gmail.com]
>> Sent: Wednesday, 16 November 2011 9:03 a.m.
>> To: freeipa-users at redhat.com
>> Subject: [Freeipa-users] LDAP authentication into FreeIPA
>>
>> Hello all,
>>
>> This may be my general LDAP illiteracy - I only dealt with it briefly
>> years ago - but I am trying to set up a FreeIPA server on Fedora 16 to have
>> my Macs and Ubuntu Linux machines as well as a couple of Windows boxes to
>> authenticate to - and seem not to be making much forward progress.
Is there >> a step-by-step writeup on how to do that sort of thing? >> >> Thanks for any and all help. >> >> Boris. >> >> _______________________________________________ >> Freeipa-users mailing list >> Freeipa-users at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-users >> > > > _______________________________________________ > Freeipa-users mailing listFreeipa-users at redhat.comhttps://www.redhat.com/mailman/listinfo/freeipa-users > > > > -- > Thank you, > Dmitri Pal > > Sr. Engineering Manager IPA project, > Red Hat Inc. > > > ------------------------------- > Looking to carve out IT costs?www.redhat.com/carveoutcosts/ > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > -------------- next part -------------- An HTML attachment was scrubbed... URL: From sgallagh at redhat.com Wed Nov 16 12:09:41 2011 From: sgallagh at redhat.com (Stephen Gallagher) Date: Wed, 16 Nov 2011 07:09:41 -0500 Subject: [Freeipa-users] LDAP authentication into FreeIPA In-Reply-To: References: <833D8E48405E064EBC54C84EC6B36E4049C20E20@STAWINCOX10MBX1.staff.vuw.ac.nz> <1321390443.2315.48.camel@sgallagh520.ipa.sgallagh.bos.redhat.com> <4EC2D989.5050602@nixtra.com> <4EC2DE51.1080400@nixtra.com> Message-ID: <1321445381.2315.57.camel@sgallagh520.ipa.sgallagh.bos.redhat.com> On Tue, 2011-11-15 at 16:51 -0500, Boris Epstein wrote: > > > > > > > > > > Just tried to install sssd from the above repo. > > > > There's only packages for the old 10.04 lucid and > > 10.10 maverick, nothing for 11.04 natty or 11.11 > > oneiric. I tried to install on natty using packages > > from maverick, but it depends on packages no longer > > available in the natty package tree. 
:( > > > > However for oneric sssd 1.5.13 seem to have made it > > into the universe package tree: > > http://packages.ubuntu.com/oneiric/sssd > > > > > > > > Rgds, > > Siggi > > > > > > Siggi, > > > > > > Thanks, but why would I want sssd on my client machine? > > > > > > Or - why would the current LDAP client that Ubuntu at least > > claims to have not work? > > > > > > > The reasons I've found so far is: > > * Lack of support for the host based access control rules > found in IPA > * Need to have the config file with a username/password for > the system to bind to the ldap directory readable by > everyone... (not secure) > * SSSD uses the kerberos host key to talk to LDAP (secure) > * No daemon keeping track of available ldap servers, e.g. in a > failover situation you'll keep asking the server that's down, > delaying your client response. > * No offline caching of credentials (very handy if you have > laptops). > > I'm sure the SSSD developers can give you lots more. :) I think you've hit most of the major points. The less-obvious one is that at it reduces load on the LDAP server as well, since all communications come from a single connection in the SSSD, whereas with traditional nss_ldap, each client application would be holding its own connection. > > Siggi, > > > Thanks, all of those are valid. I just installed sssd on an Ubuntu > machine here, may end up using it. > > > But from what you are saying it still sounds like the existing LDAP > client on Ubuntu ought to still work, even if in a less than secure > fashion. And it doesn't seem to. I've seen people successfully configure pam_ldap and pam_krb5 on Ubuntu before, so I know it's possible. I assume you have a configuration bug. I don't know where Ubuntu keeps its config, so I can't easily help you there. -------------- next part -------------- A non-text attachment was scrubbed... 
From t.sailer at alumni.ethz.ch Wed Nov 16 14:07:46 2011
From: t.sailer at alumni.ethz.ch (Thomas Sailer)
Date: Wed, 16 Nov 2011 15:07:46 +0100
Subject: [Freeipa-users] installing freeipa v2 server fails at "configuring certificate server instance"
Message-ID: <4EC3C3B2.4040801@alumni.ethz.ch>

Hi,

Installing a v2 freeipa server failed for me at the stage "configuring certificate server instance"

The machine is an updated (and now fully up2date) fedora16 x64 machine.

Here's the command line output:

Configuring certificate server: Estimated time 3 minutes 30 seconds
  [1/17]: creating certificate server user
  [2/17]: creating pki-ca instance
  [3/17]: configuring certificate server instance
root        : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent 'ConfigureCA' '-cs_hostname' 'server.xxxxx.com' '-cs_port' '9445' '-client_certdb_dir' '/tmp/tmp-HxuF_T' '-client_certdb_pwd' XXXXXXXX '-preop_pin' 'rgN1Coi9yfnvOUlxsUUw' '-domain_name' 'IPA' '-admin_user' 'admin' '-admin_email' 'root@localhost' '-admin_password' XXXXXXXX '-agent_name' 'ipa-ca-agent' '-agent_key_size' '2048' '-agent_key_type' 'rsa' '-agent_cert_subject' 'CN=ipa-ca-agent,O=AXSEM.COM' '-ldap_host' server.xxxxx.com' '-ldap_port' '7389' '-bind_dn' 'cn=Directory Manager' '-bind_password' XXXXXXXX '-base_dn' 'o=ipaca' '-db_name' 'ipaca' '-key_size' '2048' '-key_type' 'rsa' '-key_algorithm' 'SHA256withRSA' '-save_p12' 'true' '-backup_pwd' XXXXXXXX '-subsystem_name' 'pki-cad' '-token_name' 'internal' '-ca_subsystem_cert_subject_name' 'CN=CA Subsystem,O=XXXXX.COM' '-ca_ocsp_cert_subject_name' 'CN=OCSP Subsystem,O=XXXXX.COM' '-ca_server_cert_subject_name' 'CN=axextserver1.hq.axsem.com,O=XXXXX.COM' '-ca_audit_signing_cert_subject_name' 'CN=CA Audit,O=XXXXX.COM' '-ca_sign_cert_subject_name' 'CN=Certificate Authority,O=XXXXX.COM' '-external' 'false' '-clone' 'false'' returned non-zero exit status 255
Unexpected error - see ipaserver-install.log for details:
Configuration of CA failed

I got it working once I removed the (link local IMO) IPv6 address from the ethernet interface. Otherwise, the pki ports (such as 9445) were only bound to IPv6 addresses. Strange.

Tom

From abokovoy at redhat.com Wed Nov 16 14:14:53 2011
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 16 Nov 2011 16:14:53 +0200
Subject: [Freeipa-users] installing freeipa v2 server fails at "configuring certificate server instance"
In-Reply-To: <4EC3C3B2.4040801@alumni.ethz.ch>
References: <4EC3C3B2.4040801@alumni.ethz.ch>
Message-ID: <20111116141452.GC11138@redhat.com>

On Wed, 16 Nov 2011, Thomas Sailer wrote:
> Hi,
>
> Installing a v2 freeipa server failed for me at the stage
> "configuring certificate server instance"
>
> The machine is an updated (and now fully up2date) fedora16 x64 machine.
>
> Here's the command line output:
> Configuring certificate server: Estimated time 3 minutes 30 seconds
> [1/17]: creating certificate server user
> [2/17]: creating pki-ca instance
> [3/17]: configuring certificate server instance
> root : CRITICAL failed to configure ca instance Command
> '/usr/bin/perl /usr/bin/pkisilent 'ConfigureCA' '-cs_hostname'
> 'server.xxxxx.com' '-cs_port' '9445' '-client_certdb_dir'
> '/tmp/tmp-HxuF_T' '-client_certdb_pwd' XXXXXXXX '-preop_pin'
> 'rgN1Coi9yfnvOUlxsUUw' '-domain_name' 'IPA' '-admin_user' 'admin'
> '-admin_email' 'root@localhost' '-admin_password' XXXXXXXX
> '-agent_name' 'ipa-ca-agent' '-agent_key_size' '2048'
> '-agent_key_type' 'rsa' '-agent_cert_subject'
> 'CN=ipa-ca-agent,O=AXSEM.COM' '-ldap_host' server.xxxxx.com'
> '-ldap_port' '7389' '-bind_dn' 'cn=Directory Manager'
> '-bind_password' XXXXXXXX '-base_dn' 'o=ipaca' '-db_name' 'ipaca'
> '-key_size' '2048' '-key_type' 'rsa' '-key_algorithm'
> 'SHA256withRSA' '-save_p12' 'true' '-backup_pwd' XXXXXXXX
> '-subsystem_name' 'pki-cad' '-token_name' 'internal'
> '-ca_subsystem_cert_subject_name' 'CN=CA Subsystem,O=XXXXX.COM'
> '-ca_ocsp_cert_subject_name' 'CN=OCSP Subsystem,O=XXXXX.COM'
> '-ca_server_cert_subject_name'
> 'CN=axextserver1.hq.axsem.com,O=XXXXX.COM'
> '-ca_audit_signing_cert_subject_name' 'CN=CA Audit,O=XXXXX.COM'
> '-ca_sign_cert_subject_name' 'CN=Certificate Authority,O=XXXXX.COM'
> '-external' 'false' '-clone' 'false'' returned non-zero exit status
> 255
> Unexpected error - see ipaserver-install.log for details:
> Configuration of CA failed
>
> I got it working once I removed the (link local IMO) IPv6 address
> from the ethernet interface. Otherwise, the pki ports (such as 9445)
> were only bound to IPv6 addresses. Strange.

maybe that's because server.xxxx.com resolves to IPv6 address? We pass FQDN of the server to pkisilent, and then it tries to set up and start CA.

--
/ Alexander Bokovoy

From t.sailer at alumni.ethz.ch Wed Nov 16 14:22:48 2011
From: t.sailer at alumni.ethz.ch (Thomas Sailer)
Date: Wed, 16 Nov 2011 15:22:48 +0100
Subject: [Freeipa-users] installing freeipa v2 server fails at "configuring certificate server instance"
In-Reply-To: <20111116141452.GC11138@redhat.com>
References: <4EC3C3B2.4040801@alumni.ethz.ch> <20111116141452.GC11138@redhat.com>
Message-ID: <4EC3C738.4090606@alumni.ethz.ch>

On 11/16/2011 03:14 PM, Alexander Bokovoy wrote:
> maybe that's because server.xxxx.com resolves to IPv6 address? We pass
> FQDN of the server to pkisilent, and then it tries to set up and start
> CA.

It doesn't:

# dig server.xxxx.com

; <<>> DiG 9.8.1-RedHat-9.8.1-2.fc16 <<>> server.xxxx.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21488
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;server.xxxx.com.		IN	A

;; ANSWER SECTION:
server.xxxx.com.	86400	IN	A	192.168.1.2

;; AUTHORITY SECTION:
xxxxx.com.		86400	IN	NS	xxxxx.com.

;; ADDITIONAL SECTION:
xxxxx.com.		86400	IN	A	192.168.1.2

;; Query time: 0 msec
;; SERVER: 192.168.1.2#53(192.168.1.2)
;; WHEN: Wed Nov 16 15:21:35 2011
;; MSG SIZE  rcvd: 89

From rcritten at redhat.com Wed Nov 16 14:23:16 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 16 Nov 2011 09:23:16 -0500
Subject: [Freeipa-users] Delete host: Unable to communicate with CMS (Not Found)
Message-ID: <4EC3C754.6020803@redhat.com>

Dan Scott wrote:
> Hi,
>
> I receive the following error when I try to remove a host from IPA:
>
> djscott@pc35:~$ ipa host-del pc60
> ipa: ERROR: Certificate operation cannot be completed: Unable to
> communicate with CMS (Not Found)
>
> I'm running a Fedora 16 (freeipa-server-2.1.3-5.fc16.x86_64) server
> replicated with a Fedora 15 (freeipa-server-2.1.3-2.fc15.i686) server.
>
> I've looked at this:
>
> https://fedorahosted.org/freeipa/ticket/1889
>
> But it looks like it was fixed in 2.1.2 or 2.1.3. Any ideas for what I
> need to do?
>
> Thanks,
>
> Dan

This would suggest that dogtag isn't running. Is dogtag and its LDAP instance up?

rob

From simo at redhat.com Wed Nov 16 14:25:50 2011
From: simo at redhat.com (Simo Sorce)
Date: Wed, 16 Nov 2011 09:25:50 -0500
Subject: [Freeipa-users] LDAP authentication into FreeIPA
References: <833D8E48405E064EBC54C84EC6B36E4049C20E20@STAWINCOX10MBX1.staff.vuw.ac.nz> <4EC2F670.8020702@redhat.com>
Message-ID: <1321453550.30630.75.camel@willson.li.ssimo.org>

On Tue, 2011-11-15 at 20:44 -0500, Jimmy wrote:
> I did supply this to the list at the middle of September, but will
> re-send. I know things get lost in the flow of emails/lists.
>
> ==============IPA and ksetup steps=================
> I can't find the technet article right now, but here's what I did
> that makes Win7(and xp, but xp doesn't need the gpedit step) work.
>
> One note about this, I kept getting strange errors with any encryption
> besides rc4-hmac.
> For my situation I think it is suitable (a static
> environment once the systems are deployed), but if others want to
> spend more time hacking on the system MS messed up, go for it ;).
>
> On FreeIPA:
>
> i. create the host principal in the web interface
> ii. create IPA users to correspond to windows users
> iii. reset the user's IPA password to a known password using the web
> interface, the user will be prompted to change at first log in.
> (is there a default password or is this random? sorry if that's
> somewhere else in docs and I missed it)
> iv. on the IPA server run `ipa-getkeytab -s [kdc DNS name]
> -p host/[machine-name] -e arcfour-hmac -k krb5.keytab.[machine-name]
> -P` (enter the password that will be used in the
> `ksetup /setcomputerpassword` below)
>
> configure windows ksetup:
>
> i. ksetup /setdomain [REALM NAME]
> ii. ksetup /addkdc [REALM NAME] [kdc DNS name]
> iii. ksetup /addkpassword [REALM NAME] [kdc DNS name]
> iv. ksetup /setcomputerpassword [PASSWORD]
> v. ksetup /mapuser * *
> vi. Run gpedit.msc. Under Computer Configuration\Windows Settings
> \Security Settings\Local Policies\Security Options open the key called
> "Network Security: Configure encryption types allowed for Kerberos"
> and unselect everything except RC4_HMAC_MD5

Hi Jimmy and all,
at this year's Kerberos Conference interop we found out what was causing issues with AES and we have a patch in the master tree. This step will hopefully not be necessary anymore quite soon.

Simo.

> vii. *** REBOOT ***
> viii. log in as [user]@[REALM] with the initial password, you will be
> prompted to change the password then logged in.

--
Simo Sorce * Red Hat, Inc * New York

From abokovoy at redhat.com Wed Nov 16 14:57:11 2011
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 16 Nov 2011 16:57:11 +0200
Subject: [Freeipa-users] installing freeipa v2 server fails at "configuring certificate server instance"
In-Reply-To: <4EC3C738.4090606@alumni.ethz.ch>
References: <4EC3C3B2.4040801@alumni.ethz.ch> <20111116141452.GC11138@redhat.com> <4EC3C738.4090606@alumni.ethz.ch>
Message-ID: <20111116145705.GD11138@redhat.com>

On Wed, 16 Nov 2011, Thomas Sailer wrote:
> On 11/16/2011 03:14 PM, Alexander Bokovoy wrote:
> > maybe that's because server.xxxx.com resolves to IPv6 address? We
> > pass FQDN of the server to pkisilent, and then it tries to set up
> > and start CA.
> It doesn't:
> # dig server.xxxx.com

and 'getent hosts server.xxxx.com' gives the same? What was in the /etc/hosts as well?

In my case F16 install works fine with IPv6 address assigned by default to eth0, I didn't need to change anything there. What's more important, CA listens on all interfaces, without binding to a specific address.

I've upgraded to current updates repo and no difference is noted.

Could you please file a bug with all details on pki-silent?
--
/ Alexander Bokovoy

From danieljamesscott at gmail.com Wed Nov 16 15:27:38 2011
From: danieljamesscott at gmail.com (Dan Scott)
Date: Wed, 16 Nov 2011 10:27:38 -0500
Subject: [Freeipa-users] Delete host: Unable to communicate with CMS (Not Found)
In-Reply-To: <4EC3C754.6020803@redhat.com>
References: <4EC3C754.6020803@redhat.com>

On Wed, Nov 16, 2011 at 09:23, Rob Crittenden wrote:
> Dan Scott wrote:
>>
>> Hi,
>>
>> I receive the following error when I try to remove a host from IPA:
>>
>> djscott@pc35:~$ ipa host-del pc60
>> ipa: ERROR: Certificate operation cannot be completed: Unable to
>> communicate with CMS (Not Found)
>>
>> I'm running a Fedora 16 (freeipa-server-2.1.3-5.fc16.x86_64) server
>> replicated with a Fedora 15 (freeipa-server-2.1.3-2.fc15.i686) server.
>>
>> I've looked at this:
>>
>> https://fedorahosted.org/freeipa/ticket/1889
>>
>> But it looks like it was fixed in 2.1.2 or 2.1.3. Any ideas for what I
>> need to do?
>>
>> Thanks,
>>
>> Dan
>
> This would suggest that dogtag isn't running. Is dogtag and its LDAP
> instance up?

It seems to be, there are 2 entries 'loaded active running' for the dirsrv@ instances. I don't see any errors in the /var/log/dirsrv/slapd-PKI-IPA/errors file.

Tomcat is running too.

Dan

From rcritten at redhat.com Wed Nov 16 15:39:53 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 16 Nov 2011 10:39:53 -0500
Subject: [Freeipa-users] Delete host: Unable to communicate with CMS (Not Found)
References: <4EC3C754.6020803@redhat.com>
Message-ID: <4EC3D949.60700@redhat.com>

Dan Scott wrote:
> On Wed, Nov 16, 2011 at 09:23, Rob Crittenden wrote:
>> Dan Scott wrote:
>>>
>>> Hi,
>>>
>>> I receive the following error when I try to remove a host from IPA:
>>>
>>> djscott@pc35:~$ ipa host-del pc60
>>> ipa: ERROR: Certificate operation cannot be completed: Unable to
>>> communicate with CMS (Not Found)
>>>
>>> I'm running a Fedora 16 (freeipa-server-2.1.3-5.fc16.x86_64) server
>>> replicated with a Fedora 15 (freeipa-server-2.1.3-2.fc15.i686) server.
>>>
>>> I've looked at this:
>>>
>>> https://fedorahosted.org/freeipa/ticket/1889
>>>
>>> But it looks like it was fixed in 2.1.2 or 2.1.3. Any ideas for what I
>>> need to do?
>>>
>>> Thanks,
>>>
>>> Dan
>>
>> This would suggest that dogtag isn't running. Is dogtag and its LDAP
>> instance up?
>
> It seems to be, there are 2 entries 'loaded active running' for the
> dirsrv@ instances. I don't see any errors in the
> /var/log/dirsrv/slapd-PKI-IPA/errors file.
>
> Tomcat is running too.
>
> Dan

Hmm, ok, let's see if we can talk to the cert system at all.

$ ipa cert-show 1

I picked the serial number out of blue sky but for a default install it should be ok. You can also use openssl to dump /etc/ipa/ca.crt to get that serial number to be sure you are getting one that exists.

If this works it means we can communicate with CMS. Then I'd do:

$ ipa host-show pc60

Note the serial number and try showing it directly with cert-show.

rob

From borepstein at gmail.com Wed Nov 16 15:42:15 2011
From: borepstein at gmail.com (Boris Epstein)
Date: Wed, 16 Nov 2011 10:42:15 -0500
Subject: [Freeipa-users] authenticating Macs to FreeIPA on Fedora 16

Hello all,

OK, I've got this Mac OS X 10.7.2 machine and it just refuses to do NIS so I need to authenticate it via LDAP. Any guidance on how to do that will be greatly appreciated.

Thanks.

Boris.

From rcritten at redhat.com Wed Nov 16 15:53:44 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 16 Nov 2011 10:53:44 -0500
Subject: [Freeipa-users] authenticating Macs to FreeIPA on Fedora 16
Message-ID: <4EC3DC88.1090802@redhat.com>

Boris Epstein wrote:
> Hello all,
>
> OK, I've got this Mac OS X 10.7.2 machine and it just refuses to do NIS
> so I need to authenticate it via LDAP. Any guidance on how to do that
> will be greatly appreciated.

This is a little out of date but is a starting point http://freeipa.org/page/ConfiguringMacintoshClients

From danieljamesscott at gmail.com Wed Nov 16 18:27:11 2011
From: danieljamesscott at gmail.com (Dan Scott)
Date: Wed, 16 Nov 2011 13:27:11 -0500
Subject: [Freeipa-users] Delete host: Unable to communicate with CMS (Not Found)
References: <4EC3C754.6020803@redhat.com> <4EC3D949.60700@redhat.com>

Sorry, forgot to copy the list.
On Wed, Nov 16, 2011 at 12:17, Dan Scott wrote:
> On Wed, Nov 16, 2011 at 10:39, Rob Crittenden wrote:
>> Dan Scott wrote:
>>>
>>> On Wed, Nov 16, 2011 at 09:23, Rob Crittenden wrote:
>>>>
>>>> Dan Scott wrote:
>>>>>
>>>>> Hi,
>>>>>
>>>>> I receive the following error when I try to remove a host from IPA:
>>>>>
>>>>> djscott@pc35:~$ ipa host-del pc60
>>>>> ipa: ERROR: Certificate operation cannot be completed: Unable to
>>>>> communicate with CMS (Not Found)
>>>>>
>>>>> I'm running a Fedora 16 (freeipa-server-2.1.3-5.fc16.x86_64) server
>>>>> replicated with a Fedora 15 (freeipa-server-2.1.3-2.fc15.i686) server.
>>>>>
>>>>> I've looked at this:
>>>>>
>>>>> https://fedorahosted.org/freeipa/ticket/1889
>>>>>
>>>>> But it looks like it was fixed in 2.1.2 or 2.1.3. Any ideas for what I
>>>>> need to do?
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Dan
>>>>
>>>> This would suggest that dogtag isn't running. Is dogtag and its LDAP
>>>> instance up?
>>>
>>> It seems to be, there are 2 entries 'loaded active running' for the
>>> dirsrv@ instances. I don't see any errors in the
>>> /var/log/dirsrv/slapd-PKI-IPA/errors file.
>>>
>>> Tomcat is running too.
>>>
>>> Dan
>>
>> Hmm, ok, let's see if we can talk to the cert system at all.
>>
>> $ ipa cert-show 1
>
> fileserver1 is the IPA server with PKI-IPA running:
>
> [root@fileserver1 ~]# ipa cert-show 1
> ipa: ERROR: Certificate operation cannot be completed: Unable to
> communicate with CMS (Not Found)
>
> SELinux is my normal culprit when things don't work. It may be so in
> this case. My /var/log/audit/audit.log hasn't changed since 11th
> November.....
>
> Unfortunately, temporarily disabling it doesn't seem to help:
>
> [root@fileserver1 ~]# setenforce Permissive
> [root@fileserver1 ~]# ipa cert-show 1
> ipa: ERROR: Certificate operation cannot be completed: Unable to
> communicate with CMS (Not Found)
>
> What processes should be running for the certificate server? I have
> the ns-slapd process and tomcat6 running. The tomcat logs are empty.

Huh, also found the following:

[root@fileserver1 ~]# package-cleanup --orphans
dogtag-pki-ca-theme-9.0.9-1.fc15.noarch
dogtag-pki-common-theme-9.0.9-1.fc15.noarch

Dan

From t.sailer at alumni.ethz.ch Wed Nov 16 19:07:41 2011
From: t.sailer at alumni.ethz.ch (Thomas Sailer)
Date: Wed, 16 Nov 2011 20:07:41 +0100
Subject: [Freeipa-users] secure NFSv4 failure after IPA server upgrade
Message-ID: <4EC409FD.8050808@alumni.ethz.ch>

After upgrading FreeIPA from FC14/FreeIPAv1 to FC16/FreeIPAv2, secure NFSv4 mounts do not work anymore. V2 is basically a reinstalled FreeIPA server with user data migrated from v1, and host keys etc. recreated.

I get the following when trying to mount:

# mount -t nfs4 -o soft,intr,rsize=8192,wsize=8192,rw,sec=krb5p server.xxxxx.com:/yyyyy z
mount.nfs4: access denied by server while mounting server.xxxxx.com:/yyyyy

On the client, rpc.gssd reports:

Warning: rpcsec_gss library does not support setting debug level
beginning poll
dir_notify_handler: sig 37 si 0x7fff5f5f5d30 data 0x7fff5f5f5c00
dir_notify_handler: sig 37 si 0x7fff5f5f1570 data 0x7fff5f5f1440
dir_notify_handler: sig 37 si 0x7fff5f5f0df0 data 0x7fff5f5f0cc0
handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt3a)
handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '
handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt3a)
process_krb5_upcall: service is ''
Full hostname for 'server.xxxxx.com' is 'server.xxxxx.com'
Full hostname for 'client.xxxxx.com' is 'client.xxxxx.com'
No key table entry found for CLIENT.XXXXX.COM$@XXXXX.COM while getting keytab entry for 'CLIENT.XXXXX.COM$@XXXXX.COM'
No key table entry found for root/client.xxxxx.com@XXXXX.COM while getting keytab entry for 'root/client.xxxxx.com@XXXXX.COM'
Success getting keytab entry for 'nfs/client.xxxxx.com@XXXXX.COM'
Successfully obtained machine credentials for principal 'nfs/client.xxxxx.com@XXXXX.COM' stored in ccache 'FILE:/tmp/krb5cc_machine_XXXXX.COM'
INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_XXXXX.COM' are good until 1321556514
using FILE:/tmp/krb5cc_machine_XXXXX.COM as credentials cache for machine creds
using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_XXXXX.COM
creating context using fsuid 0 (save_uid 0)
creating tcp client for server server.xxxxx.com
DEBUG: port already set to 2049
creating context with server nfs@server.xxxxx.com
WARNING: Failed to create krb5 context for user with uid 0 for server server.xxxxx.com
WARNING: Failed to create machine krb5 context with credentials cache FILE:/tmp/krb5cc_machine_XXXXX.COM for server server.xxxxx.com
WARNING: Machine cache is prematurely expired or corrupted trying to recreate cache for server server.xxxxx.com
Full hostname for 'server.xxxxx.com' is 'server.xxxxx.com'
Full hostname for 'client.xxxxx.com' is 'client.xxxxx.com'
No key table entry found for CLIENT.XXXXX.COM$@XXXXX.COM while getting keytab entry for 'CLIENT.XXXXX.COM$@XXXXX.COM'
No key table entry found for root/client.xxxxx.com@XXXXX.COM while getting keytab entry for 'root/client.xxxxx.com@XXXXX.COM'
Success getting keytab entry for 'nfs/client.xxxxx.com@XXXXX.COM'
INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_XXXXX.COM' are good until 1321556514
INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_XXXXX.COM' are good until 1321556514
using FILE:/tmp/krb5cc_machine_XXXXX.COM as credentials cache for machine creds
using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_XXXXX.COM
creating context using fsuid 0 (save_uid 0)
creating tcp client for server server.xxxxx.com
DEBUG: port already set to 2049
creating context with server nfs@server.xxxxx.com
WARNING: Failed to create krb5 context for user with uid 0 for server server.xxxxx.com
WARNING: Failed to create machine krb5 context with credentials cache FILE:/tmp/krb5cc_machine_XXXXX.COM for server server.xxxxx.com
WARNING: Failed to create machine krb5 context with any credentials cache for server server.xxxxx.com
doing error downcall
dir_notify_handler: sig 37 si 0x7fff5f5f5d30 data 0x7fff5f5f5c00
dir_notify_handler: sig 37 si 0x7fff5f5f5d30 data 0x7fff5f5f5c00
dir_notify_handler: sig 37 si 0x7fff5f5f5d30 data 0x7fff5f5f5c00
dir_notify_handler: sig 37 si 0x7fff5f5f5d30 data 0x7fff5f5f5c00
dir_notify_handler: sig 37 si 0x7fff5f5f5d30 data 0x7fff5f5f5c00
dir_notify_handler: sig 37 si 0x7fff5f5f5d30 data 0x7fff5f5f5c00
dir_notify_handler: sig 37 si 0x7fff5f5f5d30 data 0x7fff5f5f5c00
destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt3b
destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt3a

And on the server, rpc.svcgssd reports:

leaving poll
handling null request
svcgssd_limit_krb5_enctypes: Calling gss_set_allowable_enctypes with 7 enctypes from defaults
sname = nfs/client.xxxxx.com@XXXXX.COM
DEBUG: serialize_krb5_ctx: lucid version!
prepare_krb5_rfc4121_buffer: protocol 1
prepare_krb5_rfc4121_buffer: serializing key with enctype 18 and size 32
doing downcall
mech: krb5, hndl len: 4, ctx len 52, timeout: 1321556514 (86400 from now), clnt: nfs@client.xxxxx.com, uid: -1, gid: -1, num aux grps: 0:
sending null reply
writing message: \x \x6082....\x6081....
entering poll
leaving poll
handling null request
svcgssd_limit_krb5_enctypes: Calling gss_set_allowable_enctypes with 7 enctypes from defaults
sname = nfs/client.xxxxx.com@XXXXX.COM
DEBUG: serialize_krb5_ctx: lucid version!
prepare_krb5_rfc4121_buffer: protocol 1
prepare_krb5_rfc4121_buffer: serializing key with enctype 18 and size 32
doing downcall
mech: krb5, hndl len: 4, ctx len 52, timeout: 1321556514 (86400 from now), clnt: nfs@client.xxxxx.com, uid: -1, gid: -1, num aux grps: 0:
sending null reply
writing message: \x \x6082.... 1321470174 0 0 \x02000000 \x6081....
finished handling null request
entering poll

Does anyone have an idea what went wrong? The client is also FC16, and it worked against the FC14/FreeIPAv1 server.
Tom

From rcritten at redhat.com Wed Nov 16 19:27:15 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 16 Nov 2011 14:27:15 -0500
Subject: [Freeipa-users] secure NFSv4 failure after IPA server upgrade
In-Reply-To: <4EC409FD.8050808@alumni.ethz.ch>
References: <4EC409FD.8050808@alumni.ethz.ch>
Message-ID: <4EC40E93.3000604@redhat.com>

Thomas Sailer wrote:
> After upgrading FreeIPA from FC14/FreeIPAv1 to FC16/FreeIPAv2, secure
> NFSv4 mounts do not work anymore. V2 is basically a reinstalled FreeIPA
> server with user data migrated from v1, and host keys etc. recreated.
>
> I get the following when trying to mount:
> # mount -t nfs4 -o soft,intr,rsize=8192,wsize=8192,rw,sec=krb5p
> server.xxxxx.com:/yyyyy z
> mount.nfs4: access denied by server while mounting server.xxxxx.com:/yyyyy
>
> On the client, rpc.gssd reports:
> Warning: rpcsec_gss library does not support setting debug level
> beginning poll
> dir_notify_handler: sig 37 si 0x7fff5f5f5d30 data 0x7fff5f5f5c00
> dir_notify_handler: sig 37 si 0x7fff5f5f1570 data 0x7fff5f5f1440
> dir_notify_handler: sig 37 si 0x7fff5f5f0df0 data 0x7fff5f5f0cc0
> handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt3a)
> handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '
> handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt3a)
> process_krb5_upcall: service is ''
> Full hostname for 'server.xxxxx.com' is 'server.xxxxx.com'
> Full hostname for 'client.xxxxx.com' is 'client.xxxxx.com'
> No key table entry found for CLIENT.XXXXX.COM$@XXXXX.COM while getting
> keytab entry for 'CLIENT.XXXXX.COM$@XXXXX.COM'
> No key table entry found for root/client.xxxxx.com@XXXXX.COM while
> getting keytab entry for 'root/client.xxxxx.com@XXXXX.COM'
> Success getting keytab entry for 'nfs/client.xxxxx.com@XXXXX.COM'
> Successfully obtained machine credentials for principal
> 'nfs/client.xxxxx.com@XXXXX.COM' stored in ccache
> 'FILE:/tmp/krb5cc_machine_XXXXX.COM'
> INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_XXXXX.COM' are good
> until 1321556514
> using FILE:/tmp/krb5cc_machine_XXXXX.COM as credentials cache for
> machine creds
> using environment variable to select krb5 ccache
> FILE:/tmp/krb5cc_machine_XXXXX.COM
> creating context using fsuid 0 (save_uid 0)
> creating tcp client for server server.xxxxx.com
> DEBUG: port already set to 2049
> creating context with server nfs@server.xxxxx.com
> WARNING: Failed to create krb5 context for user with uid 0 for server
> server.xxxxx.com
> WARNING: Failed to create machine krb5 context with credentials cache
> FILE:/tmp/krb5cc_machine_XXXXX.COM for server server.xxxxx.com
> WARNING: Machine cache is prematurely expired or corrupted trying to
> recreate cache for server server.xxxxx.com
> Full hostname for 'server.xxxxx.com' is 'server.xxxxx.com'
> Full hostname for 'client.xxxxx.com' is 'client.xxxxx.com'
> No key table entry found for CLIENT.XXXXX.COM$@XXXXX.COM while getting
> keytab entry for 'CLIENT.XXXXX.COM$@XXXXX.COM'
> No key table entry found for root/client.xxxxx.com@XXXXX.COM while
> getting keytab entry for 'root/client.xxxxx.com@XXXXX.COM'
> Success getting keytab entry for 'nfs/client.xxxxx.com@XXXXX.COM'
> INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_XXXXX.COM' are good
> until 1321556514
> INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_XXXXX.COM' are good
> until 1321556514
> using FILE:/tmp/krb5cc_machine_XXXXX.COM as credentials cache for
> machine creds
> using environment variable to select krb5 ccache
> FILE:/tmp/krb5cc_machine_XXXXX.COM
> creating context using fsuid 0 (save_uid 0)
> creating tcp client for server server.xxxxx.com
> DEBUG: port already set to 2049
> creating context with server nfs@server.xxxxx.com
> WARNING: Failed to create krb5 context for user with uid 0 for server
> server.xxxxx.com
> WARNING: Failed to create machine krb5 context with credentials cache
> FILE:/tmp/krb5cc_machine_XXXXX.COM for server server.xxxxx.com
> WARNING: Failed to create machine krb5 context with any credentials
> cache for server server.xxxxx.com
> doing error downcall
> dir_notify_handler: sig 37 si 0x7fff5f5f5d30 data 0x7fff5f5f5c00
> dir_notify_handler: sig 37 si 0x7fff5f5f5d30 data 0x7fff5f5f5c00
> dir_notify_handler: sig 37 si 0x7fff5f5f5d30 data 0x7fff5f5f5c00
> dir_notify_handler: sig 37 si 0x7fff5f5f5d30 data 0x7fff5f5f5c00
> dir_notify_handler: sig 37 si 0x7fff5f5f5d30 data 0x7fff5f5f5c00
> dir_notify_handler: sig 37 si 0x7fff5f5f5d30 data 0x7fff5f5f5c00
> dir_notify_handler: sig 37 si 0x7fff5f5f5d30 data 0x7fff5f5f5c00
> destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt3b
> destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt3a
>
> And on the server, rpc.svcgssd reports:
> leaving poll
> handling null request
> svcgssd_limit_krb5_enctypes: Calling gss_set_allowable_enctypes with 7
> enctypes from defaults
> sname = nfs/client.xxxxx.com@XXXXX.COM
> DEBUG: serialize_krb5_ctx: lucid version!
> prepare_krb5_rfc4121_buffer: protocol 1
> prepare_krb5_rfc4121_buffer: serializing key with enctype 18 and size 32
> doing downcall
> mech: krb5, hndl len: 4, ctx len 52, timeout: 1321556514 (86400 from
> now), clnt: nfs@client.xxxxx.com, uid: -1, gid: -1, num aux grps: 0:
> sending null reply
> writing message: \x \x6082....\x6081....
> entering poll
> leaving poll
> handling null request
> svcgssd_limit_krb5_enctypes: Calling gss_set_allowable_enctypes with 7
> enctypes from defaults
> sname = nfs/client.xxxxx.com@XXXXX.COM
> DEBUG: serialize_krb5_ctx: lucid version!
> prepare_krb5_rfc4121_buffer: protocol 1
> prepare_krb5_rfc4121_buffer: serializing key with enctype 18 and size 32
> doing downcall
> mech: krb5, hndl len: 4, ctx len 52, timeout: 1321556514 (86400 from
> now), clnt: nfs@client.xxxxx.com, uid: -1, gid: -1, num aux grps: 0:
> sending null reply
> writing message: \x \x6082.... 1321470174 0 0 \x02000000 \x6081....
> finished handling null request > entering poll > > Does anyone have an idea what went wrong? The client is also FC16, and > it worked against the FC14/FreeIPAv1 server. > > Tom Looks like https://bugzilla.redhat.com/show_bug.cgi?id=652273 rob From simo at redhat.com Wed Nov 16 19:40:04 2011 From: simo at redhat.com (Simo Sorce) Date: Wed, 16 Nov 2011 14:40:04 -0500 Subject: [Freeipa-users] secure NFSv4 failure after IPA server upgrade In-Reply-To: <4EC409FD.8050808@alumni.ethz.ch> References: <4EC409FD.8050808@alumni.ethz.ch> Message-ID: <1321472404.30630.99.camel@willson.li.ssimo.org> On Wed, 2011-11-16 at 20:07 +0100, Thomas Sailer wrote: > After upgrading FreeIPA from FC14/FreeIPAv1 to FC16/FreeIPAv2, secure > NFSv4 mounts do not work anymore. V2 is basically a reinstalled > FreeIPA > server with user data migrated from v1, and host keys etc. recreated. Are you using DES keys ? In that case you probably need to allow weak crypto on both server and client. Note that if all your server/clients are FC16 and you have no old ones < FC14 or < RHEL 6 then you do not need to force the creation of the nfs/ principal to use only DES keys. Simo. > -- Simo Sorce * Red Hat, Inc * New York From t.sailer at alumni.ethz.ch Wed Nov 16 19:44:09 2011 From: t.sailer at alumni.ethz.ch (Thomas Sailer) Date: Wed, 16 Nov 2011 20:44:09 +0100 Subject: [Freeipa-users] secure NFSv4 failure after IPA server upgrade In-Reply-To: <1321472404.30630.99.camel@willson.li.ssimo.org> References: <4EC409FD.8050808@alumni.ethz.ch> <1321472404.30630.99.camel@willson.li.ssimo.org> Message-ID: <4EC41289.8010008@alumni.ethz.ch> On 11/16/2011 08:40 PM, Simo Sorce wrote: > Are you using DES keys ? In that case you probably need to allow weak > crypto on both server and client. Note that if all your server/clients > are FC16 and you have no old ones < FC14 or < RHEL 6 then you do not > need to force the creation of the nfs/ principal to use only DES keys. > Simo. No. 
I did not use any -e parameter to ipa-getkeytab, so I got aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1 and arcfour-hmac. Also, enctype 18 is AFAIK not weak. I also tried enabling weak crypto, and to use only des keys, but that didn't help either. Tom From t.sailer at alumni.ethz.ch Wed Nov 16 19:47:51 2011 From: t.sailer at alumni.ethz.ch (Thomas Sailer) Date: Wed, 16 Nov 2011 20:47:51 +0100 Subject: [Freeipa-users] secure NFSv4 failure after IPA server upgrade In-Reply-To: <4EC40E93.3000604@redhat.com> References: <4EC409FD.8050808@alumni.ethz.ch> <4EC40E93.3000604@redhat.com> Message-ID: <4EC41367.6070608@alumni.ethz.ch> On 11/16/2011 08:27 PM, Rob Crittenden wrote: > Looks like https://bugzilla.redhat.com/show_bug.cgi?id=652273 Yes. For some reasons I always seem to end up with NFS problems... The fix I used at that time IMO is no longer applicable... mozldap isn't even installed anymore Tom From simo at redhat.com Wed Nov 16 19:48:26 2011 From: simo at redhat.com (Simo Sorce) Date: Wed, 16 Nov 2011 14:48:26 -0500 Subject: [Freeipa-users] secure NFSv4 failure after IPA server upgrade In-Reply-To: <4EC41289.8010008@alumni.ethz.ch> References: <4EC409FD.8050808@alumni.ethz.ch> <1321472404.30630.99.camel@willson.li.ssimo.org> <4EC41289.8010008@alumni.ethz.ch> Message-ID: <1321472906.30630.104.camel@willson.li.ssimo.org> On Wed, 2011-11-16 at 20:44 +0100, Thomas Sailer wrote: > On 11/16/2011 08:40 PM, Simo Sorce wrote: > > Are you using DES keys ? In that case you probably need to allow weak > > crypto on both server and client. Note that if all your server/clients > > are FC16 and you have no old ones < FC14 or < RHEL 6 then you do not > > need to force the creation of the nfs/ principal to use only DES keys. > > Simo. > > No. I did not use any -e parameter to ipa-getkeytab, so I got > aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1 and > arcfour-hmac. Also, enctype 18 is AFAIK not weak. 
> > I also tried enabling weak crypto, and to use only des keys, but that > didn't help either. If you did this on both server and client, then it looks like it is a nfsd bug, and not a freeipa one. Simo. -- Simo Sorce * Red Hat, Inc * New York From t.sailer at alumni.ethz.ch Wed Nov 16 19:59:11 2011 From: t.sailer at alumni.ethz.ch (Thomas Sailer) Date: Wed, 16 Nov 2011 20:59:11 +0100 Subject: [Freeipa-users] secure NFSv4 failure after IPA server upgrade In-Reply-To: <1321472906.30630.104.camel@willson.li.ssimo.org> References: <4EC409FD.8050808@alumni.ethz.ch> <1321472404.30630.99.camel@willson.li.ssimo.org> <4EC41289.8010008@alumni.ethz.ch> <1321472906.30630.104.camel@willson.li.ssimo.org> Message-ID: <4EC4160F.1070401@alumni.ethz.ch> On 11/16/2011 08:48 PM, Simo Sorce wrote: > If you did this on both server and client, then it looks like it is a > nfsd bug, and not a freeipa one. So I filed a bug report against nfs-utils: https://bugzilla.redhat.com/show_bug.cgi?id=754552 I hope Steve Dickson has some ideas... Thanks, Tom From t.sailer at alumni.ethz.ch Wed Nov 16 22:37:15 2011 From: t.sailer at alumni.ethz.ch (Thomas Sailer) Date: Wed, 16 Nov 2011 23:37:15 +0100 Subject: [Freeipa-users] secure NFSv4 failure after IPA server upgrade In-Reply-To: <4EC4160F.1070401@alumni.ethz.ch> References: <4EC409FD.8050808@alumni.ethz.ch> <1321472404.30630.99.camel@willson.li.ssimo.org> <4EC41289.8010008@alumni.ethz.ch> <1321472906.30630.104.camel@willson.li.ssimo.org> <4EC4160F.1070401@alumni.ethz.ch> Message-ID: <4EC43B1B.8080602@alumni.ethz.ch> On 11/16/2011 08:59 PM, Thomas Sailer wrote: > On 11/16/2011 08:48 PM, Simo Sorce wrote: >> If you did this on both server and client, then it looks like it is a >> nfsd bug, and not a freeipa one. > So I filed a bug report against nfs-utils: > https://bugzilla.redhat.com/show_bug.cgi?id=754552 Or maybe even a kernel bug. It can be cured by modprobe rpcsec_gss_krb5 on the server. 
Now there is code in the kernel to autoload that module, but that does not seem to work. Tom From simo at redhat.com Wed Nov 16 23:14:49 2011 From: simo at redhat.com (Simo Sorce) Date: Wed, 16 Nov 2011 18:14:49 -0500 Subject: [Freeipa-users] secure NFSv4 failure after IPA server upgrade In-Reply-To: <4EC43B1B.8080602@alumni.ethz.ch> References: <4EC409FD.8050808@alumni.ethz.ch> <1321472404.30630.99.camel@willson.li.ssimo.org> <4EC41289.8010008@alumni.ethz.ch> <1321472906.30630.104.camel@willson.li.ssimo.org> <4EC4160F.1070401@alumni.ethz.ch> <4EC43B1B.8080602@alumni.ethz.ch> Message-ID: <1321485289.30630.131.camel@willson.li.ssimo.org> On Wed, 2011-11-16 at 23:37 +0100, Thomas Sailer wrote: > On 11/16/2011 08:59 PM, Thomas Sailer wrote: > > On 11/16/2011 08:48 PM, Simo Sorce wrote: > >> If you did this on both server and client, then it looks like it is a > >> nfsd bug, and not a freeipa one. > > So I filed a bug report against nfs-utils: > > https://bugzilla.redhat.com/show_bug.cgi?id=754552 > > Or maybe even a kernel bug. > > It can be cured by modprobe rpcsec_gss_krb5 on the server. Now there is > code in the kernel to autoload that module, but that does not seem to work. Is it possibly a bug in the conversion to systemd ? I think the init script for rpcgssd used to load some modules earlier. Simo. 
-- Simo Sorce * Red Hat, Inc * New York From t.sailer at alumni.ethz.ch Wed Nov 16 23:46:56 2011 From: t.sailer at alumni.ethz.ch (Thomas Sailer) Date: Thu, 17 Nov 2011 00:46:56 +0100 Subject: [Freeipa-users] secure NFSv4 failure after IPA server upgrade In-Reply-To: <1321485289.30630.131.camel@willson.li.ssimo.org> References: <4EC409FD.8050808@alumni.ethz.ch> <1321472404.30630.99.camel@willson.li.ssimo.org> <4EC41289.8010008@alumni.ethz.ch> <1321472906.30630.104.camel@willson.li.ssimo.org> <4EC4160F.1070401@alumni.ethz.ch> <4EC43B1B.8080602@alumni.ethz.ch> <1321485289.30630.131.camel@willson.li.ssimo.org> Message-ID: <4EC44B70.3080700@alumni.ethz.ch> On 11/17/11 00:14, Simo Sorce wrote: > Is it possibly a bug in the conversion to systemd ? > I think the init script for rpcgssd used to load some modules earlier. It's even stranger than that. I upgraded the machine with preupgrade. Preupgrade and anaconda have a history of not updating the boot loader, so I accidentally ended up running an old kernel. New kernels (all fc16) have code to autoload the module. So if you don't run old kernels it should be ok. It would IMO still be a good idea to do an explicit modprobe for another fedora release, so it doesn't break for people running older kernels. 
Tom From SteveD at redhat.com Thu Nov 17 12:31:06 2011 From: SteveD at redhat.com (Steve Dickson) Date: Thu, 17 Nov 2011 07:31:06 -0500 Subject: [Freeipa-users] secure NFSv4 failure after IPA server upgrade In-Reply-To: <4EC44B70.3080700@alumni.ethz.ch> References: <4EC409FD.8050808@alumni.ethz.ch> <1321472404.30630.99.camel@willson.li.ssimo.org> <4EC41289.8010008@alumni.ethz.ch> <1321472906.30630.104.camel@willson.li.ssimo.org> <4EC4160F.1070401@alumni.ethz.ch> <4EC43B1B.8080602@alumni.ethz.ch> <1321485289.30630.131.camel@willson.li.ssimo.org> <4EC44B70.3080700@alumni.ethz.ch> Message-ID: <4EC4FE8A.7010805@RedHat.com> On 11/16/2011 06:46 PM, Thomas Sailer wrote: > On 11/17/11 00:14, Simo Sorce wrote: > >> Is it possibly a bug in the conversion to systemd ? >> I think the init script for rpcgssd used to load some modules earlier. > > It's even stranger than that. I upgraded the machine with preupgrade. Preupgrade and anaconda have a history of not updating the boot loader, so I accidentally ended up running an old kernel. New kernels (all fc16) have code to autoload the module. > > So if you don't run old kernels it should be ok. It would IMO still be a good idea to do an explicit modprobe for another fedora release, so it doesn't break for people running older kernels. > I'll look into doing this today... steved. 
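The thread above converged on one failure mode: the keytab lookup for the nfs/ principal succeeds, rpc.svcgssd even serialises an enctype 18 context, yet sec=krb5 mounts fail until rpcsec_gss_krb5 is loaded on the server. The following script is an added example, not code from the thread's participants or from nfs-utils; it turns that diagnosis into checks that run on constructed input (the module listing, keytab listing and rpc.gssd lines below are made up to mirror the thread, not captured from a real system) and, with no arguments, against a live /proc/modules.

```shell
#!/bin/sh
# Added example; not code from the thread's participants or from nfs-utils.
# Checks for the failure mode the thread converged on: sec=krb5 NFSv4
# mounts fail although the keytab entry for the nfs/ principal is found,
# because rpcsec_gss_krb5 was never loaded on the server (the cure
# reported above was a manual "modprobe rpcsec_gss_krb5").
# Assumptions: a Linux host with /proc/modules and klist(1); every helper
# takes a file path, so it can run against constructed input as well as
# the live system.

# 0 if rpcsec_gss_krb5 is listed in a /proc/modules-style file.
# A kernel with the code built in rather than modular will not list it.
rpcsec_gss_krb5_loaded() {
    grep -q '^rpcsec_gss_krb5 ' "${1:-/proc/modules}"
}

# 0 if a "klist -k" style listing (columns: KVNO Principal) holds an
# nfs/<host>@REALM entry, i.e. the keytab is usable for the NFS service.
keytab_has_nfs_principal() {
    listing="$1"
    host="$2"
    grep -Eq "^[[:space:]]*[0-9]+[[:space:]]+nfs/${host}@" "$listing"
}

# 0 if rpc.gssd -vvv output shows the pattern quoted in the thread:
# keytab lookup for nfs/ succeeded, yet no machine context could be built.
gssd_keytab_ok_but_context_failed() {
    log="$1"
    grep -q "Success getting keytab entry for 'nfs/" "$log" &&
    grep -q 'Failed to create machine krb5 context with any credentials' "$log"
}

# Server-side verdict. Prints one line and returns:
#   0  keytab is fine but the module is missing: modprobe rpcsec_gss_krb5
#   1  no nfs/<host> principal in the keytab: fix the keytab first
#   2  neither problem seen by these checks
diagnose_server() {
    modules="$1"
    keytab_listing="$2"
    host="$3"
    if ! keytab_has_nfs_principal "$keytab_listing" "$host"; then
        echo "no nfs/$host principal in keytab listing $keytab_listing"
        return 1
    fi
    if ! rpcsec_gss_krb5_loaded "$modules"; then
        echo "keytab ok, rpcsec_gss_krb5 not loaded: run modprobe rpcsec_gss_krb5"
        return 0
    fi
    echo "keytab ok and rpcsec_gss_krb5 loaded; look elsewhere"
    return 2
}

# Constructed sample input (not captured from a real system), modelled on
# the thread: module absent, nfs/ key present, client log shows the failure.
write_samples() {
    dir="$1"
    printf 'auth_rpcgss 59392 1 nfsd, Live 0xffffffffa0200000\n' > "$dir/modules"
    {
        printf 'Keytab name: FILE:/etc/krb5.keytab\n'
        printf 'KVNO Principal\n---- ----\n'
        printf '   2 host/server.example.test@EXAMPLE.TEST\n'
        printf '   2 nfs/server.example.test@EXAMPLE.TEST\n'
    } > "$dir/klist"
    {
        printf "Success getting keytab entry for 'nfs/client.example.test@EXAMPLE.TEST'\n"
        printf 'WARNING: Failed to create machine krb5 context with any credentials cache for server server.example.test\n'
    } > "$dir/gssd.log"
}

# Stand-alone run on the constructed sample.
sample_dir=$(mktemp -d)
write_samples "$sample_dir"
diagnose_server "$sample_dir/modules" "$sample_dir/klist" server.example.test
gssd_keytab_ok_but_context_failed "$sample_dir/gssd.log" &&
    echo "client log matches the thread's symptom"
rm -rf "$sample_dir"
```

On a real server, `klist -k > /tmp/kt.txt` followed by `diagnose_server /proc/modules /tmp/kt.txt "$(hostname -f)"` applies the same checks to the live system.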
From danieljamesscott at gmail.com Thu Nov 17 15:58:38 2011 From: danieljamesscott at gmail.com (Dan Scott) Date: Thu, 17 Nov 2011 10:58:38 -0500 Subject: [Freeipa-users] Delete host: Unable to communicate with CMS (Not Found) In-Reply-To: <4EC40883.6060809@redhat.com> References: <4EC3C754.6020803@redhat.com> <4EC3D949.60700@redhat.com> <4EC40883.6060809@redhat.com> Message-ID: On Wed, Nov 16, 2011 at 14:01, Rob Crittenden wrote: > Dan Scott wrote: >> >> On Wed, Nov 16, 2011 at 10:39, Rob Crittenden ?wrote: >>> >>> Dan Scott wrote: >>>> >>>> On Wed, Nov 16, 2011 at 09:23, Rob Crittenden >>>> ?wrote: >>>>> >>>>> Dan Scott wrote: >>>>>> >>>>>> Hi, >>>>>> >>>>>> I receive the following error when I try to remove a host from IPA: >>>>>> >>>>>> djscott at pc35:~$ ipa host-del pc60 >>>>>> ipa: ERROR: Certificate operation cannot be completed: Unable to >>>>>> communicate with CMS (Not Found) >>>>>> >>>>>> I'm running a Fedora 16 (freeipa-server-2.1.3-5.fc16.x86_64) server >>>>>> replicated with a Fedora 15 (freeipa-server-2.1.3-2.fc15.i686) server. >>>>>> >>>>>> I've looked at this: >>>>>> >>>>>> https://fedorahosted.org/freeipa/ticket/1889 >>>>>> >>>>>> But it looks like it was fixed in 2.1.2 or 2.1.3. Any ideas for what I >>>>>> need to do? >>>>>> >>>>>> Thanks, >>>>>> >>>>>> Dan >>>>> >>>>> This would suggest that dogtag isn't running. Is dogtag and its LDAP >>>>> instance up? >>>> >>>> It seems to be, there are 2 entries 'loaded active running' for the >>>> dirsrv@ instances. I don't see any errors in the >>>> /var/log/dirsrv/slapd-PKI-IPA/errors file. >>>> >>>> Tomcat is running too. >>>> >>>> Dan >>> >>> Hmm, ok, lets see if we can talk to the cert system at all. >>> >>> $ ipa cert-show 1 >> >> fileserver1 is the IPA server with PKI-IPA running: >> >> [root at fileserver1 ~]# ipa cert-show 1 >> ipa: ERROR: Certificate operation cannot be completed: Unable to >> communicate with CMS (Not Found) >> >> SELinux is my normal culprit when things don't work. 
It may be so in >> this case. My /var/log/audit/audit.log hasn't changed since 11th >> November..... >> >> Unfortunately, temporarily disabling it doesn't seem to help: >> >> [root at fileserver1 ~]# setenforce Permissive >> [root at fileserver1 ~]# ipa cert-show 1 >> ipa: ERROR: Certificate operation cannot be completed: Unable to >> communicate with CMS (Not Found) >> >> What processes should be running for the certificate server? I have >> the ns-slapd process and tomcat6 running. The tomcat logs are empty. >> >> Dan > > It sounds like you have the right processes running. > > The dogtag logs are in /var/log/pki-ca. debug is rather verbose and where I > usually start looking for issues. The /var/log/pki-ca/debug file hasn't been updated since the 11th November. I've attached an extract from catalina.out which contains some pretty severe errors. To summarise, the errors are: SEVERE: Error initializing socket factory java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket SEVERE: Failed to initialize connector [Connector[HTTP/1.1-9443]] java.io.IOException: Failed to access resource /WEB-INF/lib/osutil.jar I'd guess that this means I'm missing a package? I'm having trouble figuring out which one contains the code I'm missing. Maybe I need to reinstall one? Thanks, Dan -------------- next part -------------- A non-text attachment was scrubbed... 
Name: catalina.out Type: application/octet-stream Size: 19226 bytes Desc: not available URL: From ayoung at redhat.com Thu Nov 17 16:25:09 2011 From: ayoung at redhat.com (Adam Young) Date: Thu, 17 Nov 2011 11:25:09 -0500 Subject: [Freeipa-users] Delete host: Unable to communicate with CMS (Not Found) In-Reply-To: References: <4EC3C754.6020803@redhat.com> <4EC3D949.60700@redhat.com> <4EC40883.6060809@redhat.com> Message-ID: <4EC53565.7060604@redhat.com> On 11/17/2011 10:58 AM, Dan Scott wrote: > On Wed, Nov 16, 2011 at 14:01, Rob Crittenden wrote: >> Dan Scott wrote: >>> On Wed, Nov 16, 2011 at 10:39, Rob Crittenden wrote: >>>> Dan Scott wrote: >>>>> On Wed, Nov 16, 2011 at 09:23, Rob Crittenden >>>>> wrote: >>>>>> Dan Scott wrote: >>>>>>> Hi, >>>>>>> >>>>>>> I receive the following error when I try to remove a host from IPA: >>>>>>> >>>>>>> djscott at pc35:~$ ipa host-del pc60 >>>>>>> ipa: ERROR: Certificate operation cannot be completed: Unable to >>>>>>> communicate with CMS (Not Found) >>>>>>> >>>>>>> I'm running a Fedora 16 (freeipa-server-2.1.3-5.fc16.x86_64) server >>>>>>> replicated with a Fedora 15 (freeipa-server-2.1.3-2.fc15.i686) server. >>>>>>> >>>>>>> I've looked at this: >>>>>>> >>>>>>> https://fedorahosted.org/freeipa/ticket/1889 >>>>>>> >>>>>>> But it looks like it was fixed in 2.1.2 or 2.1.3. Any ideas for what I >>>>>>> need to do? >>>>>>> >>>>>>> Thanks, >>>>>>> >>>>>>> Dan >>>>>> This would suggest that dogtag isn't running. Is dogtag and its LDAP >>>>>> instance up? >>>>> It seems to be, there are 2 entries 'loaded active running' for the >>>>> dirsrv@ instances. I don't see any errors in the >>>>> /var/log/dirsrv/slapd-PKI-IPA/errors file. >>>>> >>>>> Tomcat is running too. >>>>> >>>>> Dan >>>> Hmm, ok, lets see if we can talk to the cert system at all. 
>>>> >>>> $ ipa cert-show 1 >>> fileserver1 is the IPA server with PKI-IPA running: >>> >>> [root at fileserver1 ~]# ipa cert-show 1 >>> ipa: ERROR: Certificate operation cannot be completed: Unable to >>> communicate with CMS (Not Found) >>> >>> SELinux is my normal culprit when things don't work. It may be so in >>> this case. My /var/log/audit/audit.log hasn't changed since 11th >>> November..... >>> >>> Unfortunately, temporarily disabling it doesn't seem to help: >>> >>> [root at fileserver1 ~]# setenforce Permissive >>> [root at fileserver1 ~]# ipa cert-show 1 >>> ipa: ERROR: Certificate operation cannot be completed: Unable to >>> communicate with CMS (Not Found) >>> >>> What processes should be running for the certificate server? I have >>> the ns-slapd process and tomcat6 running. The tomcat logs are empty. >>> >>> Dan >> It sounds like you have the right processes running. >> >> The dogtag logs are in /var/log/pki-ca. debug is rather verbose and where I >> usually start looking for issues. > The /var/log/pki-ca/debug file hasn't been updated since the 11th > November. I've attached an extract from catalina.out which contains > some pretty severe errors. > > To summarise, the errors are: > SEVERE: Error initializing socket factory > java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket > SEVERE: Failed to initialize connector [Connector[HTTP/1.1-9443]] > java.io.IOException: Failed to access resource /WEB-INF/lib/osutil.jar > > I'd guess that this means I'm missing a package? I'm having trouble > figuring out which one contains the code I'm missing. Maybe I need to > reinstall one? > > Thanks, > > Dan > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users Is this on F16? It might be that the package is there but not being picked up. 
JSS and osutils are a JNI packages, and you should find them in /usr/lib64/java/jss4.jar and osutil.jar, but they might end up in /usr/lib/java/jss4.jar and osutil,jar -------------- next part -------------- An HTML attachment was scrubbed... URL: From danieljamesscott at gmail.com Thu Nov 17 16:34:55 2011 From: danieljamesscott at gmail.com (Dan Scott) Date: Thu, 17 Nov 2011 11:34:55 -0500 Subject: [Freeipa-users] Delete host: Unable to communicate with CMS (Not Found) In-Reply-To: <4EC53565.7060604@redhat.com> References: <4EC3C754.6020803@redhat.com> <4EC3D949.60700@redhat.com> <4EC40883.6060809@redhat.com> <4EC53565.7060604@redhat.com> Message-ID: On Thu, Nov 17, 2011 at 11:25, Adam Young wrote: > On 11/17/2011 10:58 AM, Dan Scott wrote: > > On Wed, Nov 16, 2011 at 14:01, Rob Crittenden wrote: > > Dan Scott wrote: > > On Wed, Nov 16, 2011 at 10:39, Rob Crittenden ?wrote: > > Dan Scott wrote: > > On Wed, Nov 16, 2011 at 09:23, Rob Crittenden > ?wrote: > > Dan Scott wrote: > > Hi, > > I receive the following error when I try to remove a host from IPA: > > djscott at pc35:~$ ipa host-del pc60 > ipa: ERROR: Certificate operation cannot be completed: Unable to > communicate with CMS (Not Found) > > I'm running a Fedora 16 (freeipa-server-2.1.3-5.fc16.x86_64) server > replicated with a Fedora 15 (freeipa-server-2.1.3-2.fc15.i686) server. > > I've looked at this: > > https://fedorahosted.org/freeipa/ticket/1889 > > But it looks like it was fixed in 2.1.2 or 2.1.3. Any ideas for what I > need to do? > > Thanks, > > Dan > > This would suggest that dogtag isn't running. Is dogtag and its LDAP > instance up? > > It seems to be, there are 2 entries 'loaded active running' for the > dirsrv@ instances. I don't see any errors in the > /var/log/dirsrv/slapd-PKI-IPA/errors file. > > Tomcat is running too. > > Dan > > Hmm, ok, lets see if we can talk to the cert system at all. 
> > $ ipa cert-show 1 > > fileserver1 is the IPA server with PKI-IPA running: > > [root at fileserver1 ~]# ipa cert-show 1 > ipa: ERROR: Certificate operation cannot be completed: Unable to > communicate with CMS (Not Found) > > SELinux is my normal culprit when things don't work. It may be so in > this case. My /var/log/audit/audit.log hasn't changed since 11th > November..... > > Unfortunately, temporarily disabling it doesn't seem to help: > > [root at fileserver1 ~]# setenforce Permissive > [root at fileserver1 ~]# ipa cert-show 1 > ipa: ERROR: Certificate operation cannot be completed: Unable to > communicate with CMS (Not Found) > > What processes should be running for the certificate server? I have > the ns-slapd process and tomcat6 running. The tomcat logs are empty. > > Dan > > It sounds like you have the right processes running. > > The dogtag logs are in /var/log/pki-ca. debug is rather verbose and where I > usually start looking for issues. > > The /var/log/pki-ca/debug file hasn't been updated since the 11th > November. I've attached an extract from catalina.out which contains > some pretty severe errors. > > To summarise, the errors are: > SEVERE: Error initializing socket factory > java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket > SEVERE: Failed to initialize connector [Connector[HTTP/1.1-9443]] > java.io.IOException: Failed to access resource /WEB-INF/lib/osutil.jar > > I'd guess that this means I'm missing a package? I'm having trouble > figuring out which one contains the code I'm missing. Maybe I need to > reinstall one? > > Thanks, > > Dan > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > > Is this on F16?? It might be that the package is there but not being picked > up. > > > JSS? and osutils are a JNI packages,? and you should find them in > /usr/lib64/java/jss4.jar? 
and osutil.jar, but they might end up in > /usr/lib/java/jss4.jar and osutil,jar Both of those files exist, in the lib64 directory: [root at fileserver1 ~]# ls -l /usr/lib64/java/ total 700 -rw-r--r--. 1 root root 698429 Oct 5 22:14 jss4.jar -rw-r--r--. 1 root root 9390 Oct 5 23:11 osutil.jar -rw-r--r--. 1 root root 1858 Oct 7 23:06 symkey.jar I'm not sure which of the pki* and dogtag* packages should be installed. The dogtag packages that I have installed have older version numbers than the pki packages. [root at fileserver1 ~]# rpm -qa|grep pki pki-silent-9.0.15-1.fc16.noarch pki-symkey-9.0.15-1.fc16.x86_64 pki-java-tools-9.0.15-1.fc16.noarch dogtag-pki-common-theme-9.0.9-1.fc15.noarch krb5-pkinit-openssl-1.9.1-18.fc16.x86_64 pki-common-9.0.15-1.fc16.noarch pki-native-tools-9.0.15-1.fc16.x86_64 pki-selinux-9.0.15-1.fc16.noarch pki-util-9.0.15-1.fc16.noarch pki-setup-9.0.15-1.fc16.noarch pki-ca-9.0.15-1.fc16.noarch dogtag-pki-ca-theme-9.0.9-1.fc15.noarch And I have the following 'orphans': [root at fileserver1 ~]# package-cleanup --orphans dogtag-pki-ca-theme-9.0.9-1.fc15.noarch dogtag-pki-common-theme-9.0.9-1.fc15.noarch Do you know which versions should be installed? 
Thanks, Dan From jdennis at redhat.com Thu Nov 17 16:35:37 2011 From: jdennis at redhat.com (John Dennis) Date: Thu, 17 Nov 2011 11:35:37 -0500 Subject: [Freeipa-users] Delete host: Unable to communicate with CMS (Not Found) In-Reply-To: <4EC53565.7060604@redhat.com> References: <4EC3C754.6020803@redhat.com> <4EC3D949.60700@redhat.com> <4EC40883.6060809@redhat.com> <4EC53565.7060604@redhat.com> Message-ID: <4EC537D9.9070409@redhat.com> On 11/17/2011 11:25 AM, Adam Young wrote: >> To summarise, the errors are: >> SEVERE: Error initializing socket factory >> java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket >> SEVERE: Failed to initialize connector [Connector[HTTP/1.1-9443]] >> java.io.IOException: Failed to access resource /WEB-INF/lib/osutil.jar >> >> I'd guess that this means I'm missing a package? I'm having trouble >> figuring out which one contains the code I'm missing. Maybe I need to >> reinstall one? > Is this on F16? It might be that the package is there but not being > picked up. > > JSS and osutils are a JNI packages, and you should find them in > /usr/lib64/java/jss4.jar and osutil.jar, but they might end up in > /usr/lib/java/jss4.jar and osutil,jar My guess is this is due to the fact these jars changed their location. The symlinks to the jars are established by pkicreate. We have a bug open to enchance pkicreate (or add a new tool) which will adjust the links after an upgrade (sorry don't recall the bz number off the top of my head, could did it up if necessary). You can cd to /var/lib/pki-ca and do an ls -l on common/lib and webapps/ca/WEB-INF/lib/ and inspect the symbolic links to see if any are dangling. If so adjust the link to point to it's new location. -- John Dennis Looking to carve out IT costs? 
www.redhat.com/carveoutcosts/ From danieljamesscott at gmail.com Thu Nov 17 16:46:25 2011 From: danieljamesscott at gmail.com (Dan Scott) Date: Thu, 17 Nov 2011 11:46:25 -0500 Subject: [Freeipa-users] Delete host: Unable to communicate with CMS (Not Found) In-Reply-To: <4EC537D9.9070409@redhat.com> References: <4EC3C754.6020803@redhat.com> <4EC3D949.60700@redhat.com> <4EC40883.6060809@redhat.com> <4EC53565.7060604@redhat.com> <4EC537D9.9070409@redhat.com> Message-ID: On Thu, Nov 17, 2011 at 11:35, John Dennis wrote: > On 11/17/2011 11:25 AM, Adam Young wrote: >>> >>> To summarise, the errors are: >>> SEVERE: Error initializing socket factory >>> java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket >>> SEVERE: Failed to initialize connector [Connector[HTTP/1.1-9443]] >>> java.io.IOException: Failed to access resource /WEB-INF/lib/osutil.jar >>> >>> I'd guess that this means I'm missing a package? I'm having trouble >>> figuring out which one contains the code I'm missing. Maybe I need to >>> reinstall one? > >> Is this on F16? It might be that the package is there but not being >> picked up. >> >> JSS and osutils are a JNI packages, and you should find them in >> /usr/lib64/java/jss4.jar and osutil.jar, but they might end up in >> /usr/lib/java/jss4.jar and osutil,jar > > My guess is this is due to the fact these jars changed their location. The > symlinks to the jars are established by pkicreate. We have a bug open to > enchance pkicreate (or add a new tool) which will adjust the links after an > upgrade (sorry don't recall the bz number off the top of my head, could did > it up if necessary). > > You can cd to /var/lib/pki-ca > > and do an ls -l on > > common/lib > > and > > webapps/ca/WEB-INF/lib/ > > and inspect the symbolic links to see if any are dangling. If so adjust the > link to point to it's new location. Success! Thanks so much. 
/var/lib/pki-ca/common/lib/jss4.jar /var/lib/pki-ca/webapps/ca/WEB-INF/lib/osutil.jar /var/lib/pki-ca/webapps/ca/WEB-INF/lib/symkey.jar Were all broken, pointing into /usr/lib/. Changing them to link to /usr/lib64 allowed pki to start properly and I can make changes to the host entry. It sounds like you have a fix for this in progress, or do I need to file a bug? Thanks, Dan From jdennis at redhat.com Thu Nov 17 18:25:28 2011 From: jdennis at redhat.com (John Dennis) Date: Thu, 17 Nov 2011 13:25:28 -0500 Subject: [Freeipa-users] Delete host: Unable to communicate with CMS (Not Found) In-Reply-To: References: <4EC3C754.6020803@redhat.com> <4EC3D949.60700@redhat.com> <4EC40883.6060809@redhat.com> <4EC53565.7060604@redhat.com> <4EC537D9.9070409@redhat.com> Message-ID: <4EC55198.5040206@redhat.com> On 11/17/2011 11:46 AM, Dan Scott wrote: > On Thu, Nov 17, 2011 at 11:35, John Dennis wrote: >> On 11/17/2011 11:25 AM, Adam Young wrote: >>>> >>>> To summarise, the errors are: >>>> SEVERE: Error initializing socket factory >>>> java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket >>>> SEVERE: Failed to initialize connector [Connector[HTTP/1.1-9443]] >>>> java.io.IOException: Failed to access resource /WEB-INF/lib/osutil.jar >>>> >>>> I'd guess that this means I'm missing a package? I'm having trouble >>>> figuring out which one contains the code I'm missing. Maybe I need to >>>> reinstall one? >> >>> Is this on F16? It might be that the package is there but not being >>> picked up. >>> >>> JSS and osutils are a JNI packages, and you should find them in >>> /usr/lib64/java/jss4.jar and osutil.jar, but they might end up in >>> /usr/lib/java/jss4.jar and osutil,jar >> >> My guess is this is due to the fact these jars changed their location. The >> symlinks to the jars are established by pkicreate. 
We have a bug open to >> enchance pkicreate (or add a new tool) which will adjust the links after an >> upgrade (sorry don't recall the bz number off the top of my head, could did >> it up if necessary). >> >> You can cd to /var/lib/pki-ca >> >> and do an ls -l on >> >> common/lib >> >> and >> >> webapps/ca/WEB-INF/lib/ >> >> and inspect the symbolic links to see if any are dangling. If so adjust the >> link to point to it's new location. > > Success! > > Thanks so much. > > /var/lib/pki-ca/common/lib/jss4.jar > /var/lib/pki-ca/webapps/ca/WEB-INF/lib/osutil.jar > /var/lib/pki-ca/webapps/ca/WEB-INF/lib/symkey.jar > > Were all broken, pointing into /usr/lib/. Changing them to link to > /usr/lib64 allowed pki to start properly and I can make changes to the > host entry. > > It sounds like you have a fix for this in progress, or do I need to file a bug? Found the bugzilla, it's https://bugzilla.redhat.com/show_bug.cgi?id=728598 It's filed against Red Hat Certificate System in RHEL, not dogtag in Fedora. Adam do you want to clone it into Fedora? -- John Dennis Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From abokovoy at redhat.com Thu Nov 17 18:40:59 2011 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Thu, 17 Nov 2011 20:40:59 +0200 Subject: [Freeipa-users] Delete host: Unable to communicate with CMS (Not Found) In-Reply-To: <4EC55198.5040206@redhat.com> References: <4EC3C754.6020803@redhat.com> <4EC3D949.60700@redhat.com> <4EC40883.6060809@redhat.com> <4EC53565.7060604@redhat.com> <4EC537D9.9070409@redhat.com> <4EC55198.5040206@redhat.com> Message-ID: <20111117184059.GI16561@redhat.com> On Thu, 17 Nov 2011, John Dennis wrote: > >>My guess is this is due to the fact these jars changed their location. The > >>symlinks to the jars are established by pkicreate. 
We have a bug open to > >>enchance pkicreate (or add a new tool) which will adjust the links after an > >>upgrade (sorry don't recall the bz number off the top of my head, could did > >>it up if necessary). > >> > >>You can cd to /var/lib/pki-ca > >> > >>and do an ls -l on > >> > >>common/lib > >> > >>and > >> > >>webapps/ca/WEB-INF/lib/ > >> > >>and inspect the symbolic links to see if any are dangling. If so adjust the > >>link to point to it's new location. > > > >Success! > > > >Thanks so much. > > > >/var/lib/pki-ca/common/lib/jss4.jar > >/var/lib/pki-ca/webapps/ca/WEB-INF/lib/osutil.jar > >/var/lib/pki-ca/webapps/ca/WEB-INF/lib/symkey.jar > > > >Were all broken, pointing into /usr/lib/. Changing them to link to > >/usr/lib64 allowed pki to start properly and I can make changes to the > >host entry. > > > >It sounds like you have a fix for this in progress, or do I need to file a bug? > > Found the bugzilla, it's > > https://bugzilla.redhat.com/show_bug.cgi?id=728598 > > It's filed against Red Hat Certificate System in RHEL, not dogtag in > Fedora. Adam do you want to clone it into Fedora? I'll add symlinks update into freeipa F15->F16 upgrade script. At worst, if 728598 will be fixed in Fedora as well, that part of the code will do nothing. Tickets 2103 and 2117 in upstream FreeIPA are for tracking that. 
-- / Alexander Bokovoy From jdennis at redhat.com Thu Nov 17 18:56:35 2011 From: jdennis at redhat.com (John Dennis) Date: Thu, 17 Nov 2011 13:56:35 -0500 Subject: [Freeipa-users] Delete host: Unable to communicate with CMS (Not Found) In-Reply-To: <20111117184059.GI16561@redhat.com> References: <4EC3C754.6020803@redhat.com> <4EC3D949.60700@redhat.com> <4EC40883.6060809@redhat.com> <4EC53565.7060604@redhat.com> <4EC537D9.9070409@redhat.com> <4EC55198.5040206@redhat.com> <20111117184059.GI16561@redhat.com> Message-ID: <4EC558E3.3090300@redhat.com> On 11/17/2011 01:40 PM, Alexander Bokovoy wrote: > On Thu, 17 Nov 2011, John Dennis wrote: >>>> My guess is this is due to the fact these jars changed their location. The >>>> symlinks to the jars are established by pkicreate. We have a bug open to >>>> enchance pkicreate (or add a new tool) which will adjust the links after an >>>> upgrade (sorry don't recall the bz number off the top of my head, could did >>>> it up if necessary). >>>> >>>> You can cd to /var/lib/pki-ca >>>> >>>> and do an ls -l on >>>> >>>> common/lib >>>> >>>> and >>>> >>>> webapps/ca/WEB-INF/lib/ >>>> >>>> and inspect the symbolic links to see if any are dangling. If so adjust the >>>> link to point to it's new location. >>> >>> Success! >>> >>> Thanks so much. >>> >>> /var/lib/pki-ca/common/lib/jss4.jar >>> /var/lib/pki-ca/webapps/ca/WEB-INF/lib/osutil.jar >>> /var/lib/pki-ca/webapps/ca/WEB-INF/lib/symkey.jar >>> >>> Were all broken, pointing into /usr/lib/. Changing them to link to >>> /usr/lib64 allowed pki to start properly and I can make changes to the >>> host entry. >>> >>> It sounds like you have a fix for this in progress, or do I need to file a bug? >> >> Found the bugzilla, it's >> >> https://bugzilla.redhat.com/show_bug.cgi?id=728598 >> >> It's filed against Red Hat Certificate System in RHEL, not dogtag in >> Fedora. Adam do you want to clone it into Fedora? > I'll add symlinks update into freeipa F15->F16 upgrade script. 
At > worst, if 728598 will be fixed in Fedora as well, that part of the > code will do nothing. > > Tickets 2103 and 2117 in upstream FreeIPA are for tracking that. Just one thing to be careful of: you want to make sure the link points to the preferred entry in the filesystem. What do I mean by that? There are unversioned names in /lib which are links to the versioned entry; the preferred name is the unversioned link name. There may be similar redirection occurring for multi-lib, see below. Where am I going with this? A few months ago there was a lot of back and forth discussion over where and how jni jars (those which have arch specific components) would be named and located to accommodate multi-lib. I don't recall how the Fedora java-sig folks finally resolved this issue; mharmsen (Matt) would probably know, as he is responsible for the packaging of these components and is the person who moved them, and the aforementioned bz is also assigned to Matt. -- John Dennis Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From abokovoy at redhat.com Thu Nov 17 19:00:21 2011 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Thu, 17 Nov 2011 21:00:21 +0200 Subject: [Freeipa-users] Delete host: Unable to communicate with CMS (Not Found) In-Reply-To: <4EC558E3.3090300@redhat.com> References: <4EC3D949.60700@redhat.com> <4EC40883.6060809@redhat.com> <4EC53565.7060604@redhat.com> <4EC537D9.9070409@redhat.com> <4EC55198.5040206@redhat.com> <20111117184059.GI16561@redhat.com> <4EC558E3.3090300@redhat.com> Message-ID: <20111117190020.GJ16561@redhat.com> On Thu, 17 Nov 2011, John Dennis wrote: > >>https://bugzilla.redhat.com/show_bug.cgi?id=728598 > >> > >>It's filed against Red Hat Certificate System in RHEL, not dogtag in > >>Fedora. Adam do you want to clone it into Fedora? > >I'll add symlinks update into freeipa F15->F16 upgrade script. At > >worst, if 728598 will be fixed in Fedora as well, that part of the > >code will do nothing.
> > > >Tickets 2103 and 2117 in upstream FreeIPA are for tracking that. > > Just one thing to be careful of, you want to make sure the link > points to the preferred entry in the filesystem. What do I mean by > that? There are unversioned names in /lib which are links to the > versioned entry, the preferred name is the unversioned link name. > There may be similar redirection occurring for mulit-lib, see below. > > Where am I going with this? A few months ago there was a lot of back > and forth discussion over where and how jni jars (those which have > arch specific components) would be named and located to accmodate > multi-lib. I don't recall how the Fedora java-sig folks finally > resolved this issue, mharmsen (Matt) would probably know as he > responsible for the packaging of these components and is the person > who moved them, the aforementioned bz is also assigned to Matt. Understood. Thanks for the explanation, will take that into account. -- / Alexander Bokovoy From sigbjorn at nixtra.com Thu Nov 17 21:47:54 2011 From: sigbjorn at nixtra.com (Sigbjorn Lie) Date: Thu, 17 Nov 2011 22:47:54 +0100 Subject: [Freeipa-users] LDAP authentication into FreeIPA In-Reply-To: <1321445381.2315.57.camel@sgallagh520.ipa.sgallagh.bos.redhat.com> References: <833D8E48405E064EBC54C84EC6B36E4049C20E20@STAWINCOX10MBX1.staff.vuw.ac.nz> <1321390443.2315.48.camel@sgallagh520.ipa.sgallagh.bos.redhat.com> <4EC2D989.5050602@nixtra.com> <4EC2DE51.1080400@nixtra.com> <1321445381.2315.57.camel@sgallagh520.ipa.sgallagh.bos.redhat.com> Message-ID: <4EC5810A.1000500@nixtra.com> On 11/16/2011 01:09 PM, Stephen Gallagher wrote: > On Tue, 2011-11-15 at 16:51 -0500, Boris Epstein wrote: >> > >> > >> > >> > >> > Just tried to install sssd from the above repo. >> > >> > There's only packages for the old 10.04 lucid and >> > 10.10 maverick, nothing for 11.04 natty or 11.11 >> > oneiric. 
I tried to install on natty using packages >> > from maverick, but it depends on packages no longer >> > available in the natty package tree. :( >> > >> > However for oneric sssd 1.5.13 seem to have made it >> > into the universe package tree: >> > http://packages.ubuntu.com/oneiric/sssd >> > >> > >> > >> > Rgds, >> > Siggi >> > >> > >> > Siggi, >> > >> > >> > Thanks, but why would I want sssd on my client machine? >> > >> > >> > Or - why would the current LDAP client that Ubuntu at least >> > claims to have not work? >> > >> > >> >> >> The reasons I've found so far is: >> >> * Lack of support for the host based access control rules >> found in IPA >> * Need to have the config file with a username/password for >> the system to bind to the ldap directory readable by >> everyone... (not secure) >> * SSSD uses the kerberos host key to talk to LDAP (secure) >> * No daemon keeping track of available ldap servers, e.g. in a >> failover situation you'll keep asking the server that's down, >> delaying your client response. >> * No offline caching of credentials (very handy if you have >> laptops). >> >> I'm sure the SSSD developers can give you lots more. :) > > I think you've hit most of the major points. The less-obvious one is > that at it reduces load on the LDAP server as well, since all > communications come from a single connection in the SSSD, whereas with > traditional nss_ldap, each client application would be holding its own > connection. > > >> Siggi, >> >> >> Thanks, all of those are valid. I just installed sssd on an Ubuntu >> machine here, may end up using it. >> >> >> But from what you are saying it still sounds like the existing LDAP >> client on Ubuntu ought to still work, even if in a less than secure >> fashion. And it doesn't seem to. > I've seen people successfully configure pam_ldap and pam_krb5 on Ubuntu > before, so I know it's possible. I assume you have a configuration bug. 
> I don't know where Ubuntu keeps its config, so I can't easily help you > there. > See my previous postings to the list for details. Below is what should be a complete list of files that need modifications. They are self-explanatory, with syntax provided in the default file. Various LDAP config files. I've symlinked all these config files into /etc/ldap.conf and set all settings there: /etc/ldap.conf /etc/ldap/ldap.conf /etc/libnss-ldap.conf /etc/pam_ldap.conf /etc/sudo-ldap.conf Kerberos: /etc/krb5.conf automount: /etc/autofs_ldap_auth.conf /etc/default/autofs If you want nfs4+krb5, you'll need to edit these as well: /etc/default/nfs-common /etc/idmapd.conf For making some apps such as thunderbird not crash with nss_ldap, install nscd. /etc/nscd.conf Modify sshd_config and ssh_config to use GSSAPI, and to delegate credentials to hosts on your network: /etc/ssh/sshd_config /etc/ssh/ssh_config ntp: /etc/ntp.conf Remember to make a copy of /etc/ipa/ca.crt from the IPA server to the Ubuntu machine to make SSL connections to the LDAP server. And that should be all the files you need to edit (besides nsswitch.conf and perhaps resolv.conf). If you want the automount to work fully, you'll have to do a workaround for fixing the race condition that often occurs at bootup, as the network is not always up when the automounter starts. Rgds, Siggi From sbingram at gmail.com Fri Nov 18 19:44:55 2011 From: sbingram at gmail.com (Stephen Ingram) Date: Fri, 18 Nov 2011 11:44:55 -0800 Subject: [Freeipa-users] another 2.x release Message-ID: I notice there is a 2.1.4 shown in Trac. There have been several updates since 2.1.3. Will there be another 2.x release before the 3.0 pre-releases?
Steve From dpal at redhat.com Fri Nov 18 21:20:59 2011 From: dpal at redhat.com (Dmitri Pal) Date: Fri, 18 Nov 2011 16:20:59 -0500 Subject: [Freeipa-users] another 2.x release In-Reply-To: References: Message-ID: <4EC6CC3B.4060801@redhat.com> On 11/18/2011 02:44 PM, Stephen Ingram wrote: > I notice there is a 2.1.4 shown in Trac. There have been several > updates since 2.1.3. Will there be another 2.x release before the 3.0 > pre-releases? > > Steve > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > > This is a bucket for the bug fixes that we need to address as errata. So yes, there will be an errata at some point, but it will target specific issues. There is no active development on that milestone at the moment. -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From Steven.Jones at vuw.ac.nz Sun Nov 20 23:38:24 2011 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Sun, 20 Nov 2011 23:38:24 +0000 Subject: [Freeipa-users] FreeIPA's "DNS" Message-ID: <833D8E48405E064EBC54C84EC6B36E404C403CA5@STAWINCOX10MBX1.staff.vuw.ac.nz> Hi, I am trying to get my head around making DNS and IPA work in an existing Microsoft AD / DNS site. Initially I am setting up a proof of concept... I will be delegating unix.vuw.ac.nz as a sub-zone from vuw.ac.nz; this will hold all the Linux/unix servers. IPA's DNS is forwarded to the main DNS servers. My problem is the reverse zones... the remote AD masters hold the reverse zones, so IPA has to query these if it needs to do a reverse lookup... this doesn't seem to be happening, i.e. running "host 10.1.1.5" on the IPA master fails... I assume I need this to work... so what's the best way? Set the IPA DNS service as a slave of the Microsoft AD reverse zones? If so how do I set this up?
As per normal, i.e. edit the named.conf directly? Or do I do that from inside IPA? (Can't see how just yet.) Or is there a better method? Or does it matter if reverse lookups won't work? regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 From Steven.Jones at vuw.ac.nz Sun Nov 20 23:52:37 2011 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Sun, 20 Nov 2011 23:52:37 +0000 Subject: [Freeipa-users] FreeIPA's "DNS" In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404C403CA5@STAWINCOX10MBX1.staff.vuw.ac.nz> References: <833D8E48405E064EBC54C84EC6B36E404C403CA5@STAWINCOX10MBX1.staff.vuw.ac.nz> Message-ID: <833D8E48405E064EBC54C84EC6B36E404C403CB6@STAWINCOX10MBX1.staff.vuw.ac.nz> In the DNS tab there is an "add". So if I wanted a slave reverse zone that is in the range 10.2.1.0 but looked after by a remote host, I would click on the reverse zone IP network radio button, put in the zone name of 0.1.2.10.in-addr-arpa, for the authoritative nameserver put in the two remote AD DNS servers' IPs 10.2.1.5 10.2.1.6 (space delimited? comma delimited? can I put only one?) and hit add? Um... I think the DNS section is a little light on using it... regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 ________________________________________ From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz] Sent: Monday, 21 November 2011 12:38 p.m. To: freeipa-users at redhat.com Subject: [Freeipa-users] FreeIPA's "DNS" Hi, I am trying to get my head around making DNS and IPA work in an existing Microsoft AD / DNS site. Initially I am setting up a proof of concept... I will be delegating unix.vuw.ac.nz as a sub-zone from vuw.ac.nz; this will hold all the Linux/unix servers. IPA's DNS is forwarded to the main DNS servers.
My problem is the reverse zones... the remote AD masters hold the reverse zones, so IPA has to query these if it needs to do a reverse lookup... this doesn't seem to be happening, i.e. running "host 10.1.1.5" on the IPA master fails... I assume I need this to work... so what's the best way? Set the IPA DNS service as a slave of the Microsoft AD reverse zones? If so how do I set this up? As per normal, i.e. edit the named.conf directly? Or do I do that from inside IPA? (Can't see how just yet.) Or is there a better method? Or does it matter if reverse lookups won't work? regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 _______________________________________________ Freeipa-users mailing list Freeipa-users at redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users From Steven.Jones at vuw.ac.nz Sun Nov 20 23:56:00 2011 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Sun, 20 Nov 2011 23:56:00 +0000 Subject: [Freeipa-users] FreeIPA's "DNS" In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404C403CB6@STAWINCOX10MBX1.staff.vuw.ac.nz> References: <833D8E48405E064EBC54C84EC6B36E404C403CA5@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E404C403CB6@STAWINCOX10MBX1.staff.vuw.ac.nz> Message-ID: <833D8E48405E064EBC54C84EC6B36E404C403CD2@STAWINCOX10MBX1.staff.vuw.ac.nz> Nope, won't work... I can't seem to specify the remote AD nameservers... regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 ________________________________________ From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz] Sent: Monday, 21 November 2011 12:52 p.m.
To: freeipa-users at redhat.com Subject: Re: [Freeipa-users] FreeIPA's "DNS" In the DNS tab there is a "add" So if I wanted a slave reverse zone that is in the range 10.2.1.0 but looked after by a remote host I would click on the reverse zone IP network radio button put in the zone name of 0.1.2.10.in-addr-arpa For the authoritative nameserver put in the two remote AD DNS server's IPs 10.2.1.5 10.2.1.6 (space delimited? comma delimited? can I put only one?) and hit add? um.....I think the DNS section is a little light on using it..... regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 ________________________________________ From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz] Sent: Monday, 21 November 2011 12:38 p.m. To: freeipa-users at redhat.com Subject: [Freeipa-users] FreeIPA's "DNS" Hi, I am trying to get my head around making DNS and IPA work in an existing microsft AD / DNS site. Initially I am setting up a proof of concept.......I will be delegating the unix.vuw.ac.nz as a sub-zone from vuw.ac.nz, this will hold all the Linux/unix servers. IPA's DNS is forwarded to the main DNS servers. My problem is the reverse zones....the remote AD masters hold the reverse zones so IPA has to query these if it needs to do a reverse lookup....this doesnt seem to be happening ie running "host 10.1.1.5" on the IPA master fails...I assume I need this to work...so whats the best way? Set the IPA DNS service as a slave of the microsoft AD reverse zones? If so how do I set this up? as per normal ie edit the named.conf directly? or do I do that from inside IPA? (cant see how just yet) or is there a better method? or does it matter if reverse lookups wont work? 
regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 _______________________________________________ Freeipa-users mailing list Freeipa-users at redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users _______________________________________________ Freeipa-users mailing list Freeipa-users at redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users From sigbjorn at nixtra.com Mon Nov 21 10:29:58 2011 From: sigbjorn at nixtra.com (Sigbjorn Lie) Date: Mon, 21 Nov 2011 11:29:58 +0100 (CET) Subject: [Freeipa-users] FreeIPA's 'DNS' In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404C403CD2@STAWINCOX10MBX1.staff.vuw.ac .nz> References: <833D8E48405E064EBC54C84EC6B36E404C403CA5@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E404C403CB6@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E404C403CD2@STAWINCOX10MBX1.staff.vuw.ac.nz> Message-ID: <27641.213.225.75.97.1321871398.squirrel@www.nixtra.com> Hi, Why not use a forwarders statement in the named.conf? Works for me. zone "11.168.192.in-addr.arpa." in { type forward; forwarders { 192.168.1.1; 192.168.1.2; }; }; Rgds, Siggi On Mon, November 21, 2011 00:56, Steven Jones wrote: > Nope, won't work... I can't seem to specify the remote AD nameservers... > > > regards > > Steven Jones > > > Technical Specialist - Linux RHCE > > > Victoria University, Wellington, NZ > > > 0064 4 463 6272 > > > ________________________________________ > From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven > Jones [Steven.Jones at vuw.ac.nz] > Sent: Monday, 21 November 2011 12:52 p.m.
> To: freeipa-users at redhat.com > Subject: Re: [Freeipa-users] FreeIPA's "DNS" > > > In the DNS tab there is a "add" > > > So if I wanted a slave reverse zone that is in the range 10.2.1.0 but looked after by a remote > host > > I would > > > click on the reverse zone IP network radio button > > put in the zone name of 0.1.2.10.in-addr-arpa > > For the authoritative nameserver put in the two remote AD DNS server's IPs 10.2.1.5 10.2.1.6 > (space delimited? comma delimited? can I put only one?) > > > and hit add? > > um.....I think the DNS section is a little light on using it..... > > > regards > > Steven Jones > > > Technical Specialist - Linux RHCE > > > Victoria University, Wellington, NZ > > > 0064 4 463 6272 > > > ________________________________________ > From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven > Jones [Steven.Jones at vuw.ac.nz] > Sent: Monday, 21 November 2011 12:38 p.m. > To: freeipa-users at redhat.com > Subject: [Freeipa-users] FreeIPA's "DNS" > > > Hi, > > > I am trying to get my head around making DNS and IPA work in an existing microsft AD / DNS site. > > > Initially I am setting up a proof of concept.......I will be delegating the unix.vuw.ac.nz as a > sub-zone from vuw.ac.nz, this will hold all the Linux/unix servers. IPA's DNS is forwarded to > the main DNS servers. My problem is the reverse zones....the remote AD masters hold the > reverse zones so IPA has to query these if it needs to do a reverse lookup....this doesnt seem to > be happening ie running "host 10.1.1.5" on the IPA master fails...I assume I need this to > work...so whats the best way? > > Set the IPA DNS service as a slave of the microsoft AD reverse zones? If so how do I set this up? > as per normal ie edit the named.conf directly? or do I do that from inside IPA? (cant see how > just yet) > > or is there a better method? > > or does it matter if reverse lookups wont work? 
> > regards > > Steven Jones > > > Technical Specialist - Linux RHCE > > > Victoria University, Wellington, NZ > > > 0064 4 463 6272 > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > > From djuran at redhat.com Mon Nov 21 16:48:05 2011 From: djuran at redhat.com (David Juran) Date: Mon, 21 Nov 2011 17:48:05 +0100 Subject: [Freeipa-users] nisNet groups in AD Message-ID: <1321894085.3674.46.camel@localhost.localdomain> Hello. I have a customer who is using nisNetgroups in microsoft Active Directory to keep track of which users are allowed to access which services. I've understood that IPA today does not sync this information from AD, is this correct? What about the future, once we can have trust towards an AD? Would that allow us to use the nisNet groups in AD for HBAC and sudo? -- David Juran Sr. Consultant Red Hat +46-725-345801 -------------- next part -------------- A non-text attachment was scrubbed... 
Name: signature.asc Type: application/pgp-signature Size: 198 bytes Desc: This is a digitally signed message part URL: From dpal at redhat.com Mon Nov 21 16:50:54 2011 From: dpal at redhat.com (Dmitri Pal) Date: Mon, 21 Nov 2011 11:50:54 -0500 Subject: [Freeipa-users] FreeIPA's 'DNS' In-Reply-To: <27641.213.225.75.97.1321871398.squirrel@www.nixtra.com> References: <833D8E48405E064EBC54C84EC6B36E404C403CA5@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E404C403CB6@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E404C403CD2@STAWINCOX10MBX1.staff.vuw.ac.nz> <27641.213.225.75.97.1321871398.squirrel@www.nixtra.com> Message-ID: <4ECA816E.8010609@redhat.com> On 11/21/2011 05:29 AM, Sigbjorn Lie wrote: > Hi, > > Why not use a forwarders statement in the named.conf? Works for me. > > > zone "11.168.192.in-addr.arpa." in { > type forward; > forwarders { 192.168.1.1; 192.168.1.2; }; > }; > Steven, Can you please confirm that it works for you? In the short term we should document this, so if it works can you please open a doc ticket or BZ? Long term we should probably extend the LDAP driver, store this information in LDAP and allow it to be configured via the IPA UI/CLI. If this makes sense let us open a ticket for that too. Thanks Dmitri > > > Rgds, > Siggi > > > > On Mon, November 21, 2011 00:56, Steven Jones wrote: >> Nope, won't work... I can't seem to specify the remote AD nameservers... >> >> >> regards >> >> Steven Jones >> >> >> Technical Specialist - Linux RHCE >> >> >> Victoria University, Wellington, NZ >> >> >> 0064 4 463 6272 >> >> >> ________________________________________ >> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven >> Jones [Steven.Jones at vuw.ac.nz] >> Sent: Monday, 21 November 2011 12:52 p.m.
>> To: freeipa-users at redhat.com >> Subject: Re: [Freeipa-users] FreeIPA's "DNS" >> >> >> In the DNS tab there is a "add" >> >> >> So if I wanted a slave reverse zone that is in the range 10.2.1.0 but looked after by a remote >> host >> >> I would >> >> >> click on the reverse zone IP network radio button >> >> put in the zone name of 0.1.2.10.in-addr-arpa >> >> For the authoritative nameserver put in the two remote AD DNS server's IPs 10.2.1.5 10.2.1.6 >> (space delimited? comma delimited? can I put only one?) >> >> >> and hit add? >> >> um.....I think the DNS section is a little light on using it..... >> >> >> regards >> >> Steven Jones >> >> >> Technical Specialist - Linux RHCE >> >> >> Victoria University, Wellington, NZ >> >> >> 0064 4 463 6272 >> >> >> ________________________________________ >> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven >> Jones [Steven.Jones at vuw.ac.nz] >> Sent: Monday, 21 November 2011 12:38 p.m. >> To: freeipa-users at redhat.com >> Subject: [Freeipa-users] FreeIPA's "DNS" >> >> >> Hi, >> >> >> I am trying to get my head around making DNS and IPA work in an existing microsft AD / DNS site. >> >> >> Initially I am setting up a proof of concept.......I will be delegating the unix.vuw.ac.nz as a >> sub-zone from vuw.ac.nz, this will hold all the Linux/unix servers. IPA's DNS is forwarded to >> the main DNS servers. My problem is the reverse zones....the remote AD masters hold the >> reverse zones so IPA has to query these if it needs to do a reverse lookup....this doesnt seem to >> be happening ie running "host 10.1.1.5" on the IPA master fails...I assume I need this to >> work...so whats the best way? >> >> Set the IPA DNS service as a slave of the microsoft AD reverse zones? If so how do I set this up? >> as per normal ie edit the named.conf directly? or do I do that from inside IPA? (cant see how >> just yet) >> >> or is there a better method? 
>> >> or does it matter if reverse lookups wont work? >> >> regards >> >> Steven Jones >> >> >> Technical Specialist - Linux RHCE >> >> >> Victoria University, Wellington, NZ >> >> >> 0064 4 463 6272 >> >> >> _______________________________________________ >> Freeipa-users mailing list >> Freeipa-users at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-users >> >> >> _______________________________________________ >> Freeipa-users mailing list >> Freeipa-users at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-users >> >> >> _______________________________________________ >> Freeipa-users mailing list >> Freeipa-users at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-users >> >> > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From dpal at redhat.com Mon Nov 21 16:55:54 2011 From: dpal at redhat.com (Dmitri Pal) Date: Mon, 21 Nov 2011 11:55:54 -0500 Subject: [Freeipa-users] nisNet groups in AD In-Reply-To: <1321894085.3674.46.camel@localhost.localdomain> References: <1321894085.3674.46.camel@localhost.localdomain> Message-ID: <4ECA829A.30700@redhat.com> On 11/21/2011 11:48 AM, David Juran wrote: > Hello. > > I have a customer who is using nisNetgroups in microsoft Active > Directory to keep track of which users are allowed to access which > services. I've understood that IPA today does not sync this information > from AD, is this correct? > > What about the future, once we can have trust towards an AD? Would that > allow us to use the nisNet groups in AD for HBAC and sudo? Trusts would not help with netgroups. I wonder if it is something that can be done via a client configuration. But also why not move netgroups into IPA? 
Dumping the data into LDIF, creating a script to convert it to IPA internal netgroups format and loading it is not a huge effort. > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -------------- next part -------------- An HTML attachment was scrubbed... URL: From abokovoy at redhat.com Mon Nov 21 19:02:20 2011 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Mon, 21 Nov 2011 21:02:20 +0200 Subject: [Freeipa-users] [[Freeipa-devel] [WIP] FreeIPA extensibility guide] Message-ID: <20111121190138.GA32406@redhat.com> Forwarding to freeipa-users@ as well. ----- Forwarded message from Alexander Bokovoy ----- > Date: Sun, 20 Nov 2011 19:21:13 +0200 > From: Alexander Bokovoy > To: freeipa-devel at redhat.com > Subject: [Freeipa-devel] [WIP] FreeIPA extensibility guide > > Hi, > > Since I've joined FreeIPA project in summer 2011, I tried to > understand the framework and its interworkings. Unfortunately, > there is always not enough documentation on the code and it is far > easier to write the code than to document it all along the way. > > The result is the following draft -- far from being finished, > perhaps far from being correct. > > I'd love to hear constructive critics to improve the guide. > Whole chapters in plain English would be awesome contribution! > Examples are a bit stupid ones that is I know, but they serve purpose > of intentionally distracting from thinking about the framework only in > "LDAP management tool" direction. > > I have generated two versions, one for online reading, another for > printing, if anyone is like me and consumes information from dead > trees better than from LCD/LED/eInk. 
> > http://abbra.fedorapeople.org/freeipa-extensibility.html > http://abbra.fedorapeople.org/freeipa-extensibility.pdf > > -- > / Alexander Bokovoy > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ----- End forwarded message ----- -- / Alexander Bokovoy From Steven.Jones at vuw.ac.nz Mon Nov 21 19:15:32 2011 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Mon, 21 Nov 2011 19:15:32 +0000 Subject: [Freeipa-users] FreeIPA's 'DNS' In-Reply-To: <4ECA816E.8010609@redhat.com> References: <833D8E48405E064EBC54C84EC6B36E404C403CA5@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E404C403CB6@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E404C403CD2@STAWINCOX10MBX1.staff.vuw.ac.nz> <27641.213.225.75.97.1321871398.squirrel@www.nixtra.com>, <4ECA816E.8010609@redhat.com> Message-ID: <833D8E48405E064EBC54C84EC6B36E404C404033@STAWINCOX10MBX1.staff.vuw.ac.nz> Hi, I am trying a few things; after packet sniffing I can see that the Windows AD is refusing to answer the IPA server's queries, but just for that particular reverse zone... so I have a change control / fault ticket into our control system for our MS operations people to look at and fix that... I did consider just putting such a setting in named.conf, but was concerned that it was not the "right way". At the moment I have created a reverse zone inside IPA... when I get the above config/fault issue fixed... moving forward I would like to do as much as possible inside the FreeIPA gui, because the thought of letting our Windows people near a CLI gives me the shivers... I have no idea how to do a doc ticket? But I do think the DNS section of the FreeIPA doc needs expanding. Also some use cases; mine could well be typical of the hoops a customer has to jump through to make IPA work with an existing AD setup/site... I'm not sure if what I am doing is the best way...
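Siggi's forward-zone stanza above is the interim answer to Steven's reverse-lookup problem, and the part people most often get wrong is the zone name: for a /24 the three network octets are reversed and the host octet is dropped, and the suffix is in-addr.arpa with a dot (10.2.1.0/24 is 1.2.10.in-addr.arpa). The script below is an added example written for this page, not code from the thread or from FreeIPA; the function names are mine, and the network and forwarder addresses are the ones Steven used in the thread, constructed here purely for illustration. It generates a named.conf stanza in Siggi's form for an octet-aligned IPv4 network and adds forward only, which Siggi's snippet did not have: with BIND's default forward first, named falls back to ordinary recursion when the forwarders fail, and for RFC 1918 space that fallback ends at the public AS112 servers with an NXDOMAIN that hides a forwarder fault exactly like the REFUSED Steven saw on the wire.

```shell
#!/bin/sh
# Added example: derive the in-addr.arpa zone for an IPv4 network and emit a
# BIND "type forward" stanza pointing that zone at the AD DNS servers.
# Addresses below are constructed for illustration (from the thread's examples).

# reverse_zone_name NETWORK/PREFIX   e.g. 10.2.1.0/24 -> 1.2.10.in-addr.arpa
# Only /8, /16 and /24 map onto a single in-addr.arpa zone; anything else
# would need RFC 2317 style delegation and is rejected here.
reverse_zone_name() {
    net=${1%/*}
    prefix=${1#*/}
    if [ "$prefix" = "$1" ]; then
        echo "reverse_zone_name: expected NETWORK/PREFIX, got '$1'" >&2
        return 1
    fi
    old_ifs=$IFS
    IFS=.
    set -- $net                  # $1..$4 are now the four octets
    IFS=$old_ifs
    case "$prefix" in
        8)  printf '%s.in-addr.arpa\n' "$1" ;;
        16) printf '%s.%s.in-addr.arpa\n' "$2" "$1" ;;
        24) printf '%s.%s.%s.in-addr.arpa\n' "$3" "$2" "$1" ;;
        *)  echo "reverse_zone_name: unsupported prefix /$prefix (use /8, /16 or /24)" >&2
            return 1 ;;
    esac
}

# forward_zone_stanza NETWORK/PREFIX FORWARDER_IP...
# "forward only" is deliberate: with the default "forward first", named
# recurses on its own when the forwarders fail, which for private address
# space yields an NXDOMAIN from AS112 that masks the real problem.
forward_zone_stanza() {
    zone=$(reverse_zone_name "$1") || return 1
    shift
    if [ $# -eq 0 ]; then
        echo "forward_zone_stanza: at least one forwarder address is required" >&2
        return 1
    fi
    list=""
    for ip; do
        list="$list $ip;"
    done
    printf 'zone "%s." in {\n    type forward;\n    forward only;\n    forwarders {%s };\n};\n' \
        "$zone" "$list"
}

# Stand-alone run: the stanza for Steven's 10.2.1.0/24 and his two AD DNS servers.
forward_zone_stanza 10.2.1.0/24 10.2.1.5 10.2.1.6
```

Paste the output into named.conf on the IPA server, run named-checkconf, reload named, and then compare dig -x 10.2.1.5 against the IPA server with dig @10.2.1.5 -x 10.2.1.5 against the AD server directly: if the direct query returns REFUSED, the forwarders cannot help until the AD side allows the IPA server to query that zone, which is the fault Steven has ticketed.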
regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Dmitri Pal [dpal at redhat.com]
Sent: Tuesday, 22 November 2011 5:50 a.m.
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] FreeIPA's 'DNS'

On 11/21/2011 05:29 AM, Sigbjorn Lie wrote:
> Hi,
>
> Why not use a forwarders statement in the named.conf? Works for me.
>
> zone "11.168.192.in-addr.arpa." in {
>     type forward;
>     forwarders { 192.168.1.1; 192.168.1.2; };
> };
>

Steven,

Can you please confirm that it works for you?
In the short term we should document this, so if it works can you please open a doc ticket or BZ?

Long term we should probably extend the LDAP driver, store this information in LDAP and allow it to be configured via the IPA UI/CLI.
If this makes sense let us open a ticket for that too.

Thanks
Dmitri

> Rgds,
> Siggi
>
> On Mon, November 21, 2011 00:56, Steven Jones wrote:
>> nope won't work.....I can't seem to specify the remote AD nameservers....
>>
>> regards
>>
>> Steven Jones
>> Technical Specialist - Linux RHCE
>> Victoria University, Wellington, NZ
>> 0064 4 463 6272
>>
>> ________________________________________
>> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
>> Sent: Monday, 21 November 2011 12:52 p.m.
>> To: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] FreeIPA's "DNS"
>>
>> In the DNS tab there is an "add"
>>
>> So if I wanted a slave reverse zone that is in the range 10.2.1.0 but looked after by a remote host
>>
>> I would
>>
>> click on the reverse zone IP network radio button
>>
>> put in the zone name of 0.1.2.10.in-addr-arpa
>>
>> For the authoritative nameserver put in the two remote AD DNS server's IPs 10.2.1.5 10.2.1.6 (space delimited? comma delimited? can I put only one?)
>>
>> and hit add?
>>
>> um.....I think the DNS section is a little light on using it.....
>>
>> regards
>>
>> Steven Jones
>> Technical Specialist - Linux RHCE
>> Victoria University, Wellington, NZ
>> 0064 4 463 6272
>>
>> ________________________________________
>> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
>> Sent: Monday, 21 November 2011 12:38 p.m.
>> To: freeipa-users at redhat.com
>> Subject: [Freeipa-users] FreeIPA's "DNS"
>>
>> Hi,
>>
>> I am trying to get my head around making DNS and IPA work in an existing Microsoft AD / DNS site.
>>
>> Initially I am setting up a proof of concept.......I will be delegating unix.vuw.ac.nz as a sub-zone from vuw.ac.nz; this will hold all the Linux/unix servers. IPA's DNS is forwarded to the main DNS servers. My problem is the reverse zones....the remote AD masters hold the reverse zones so IPA has to query these if it needs to do a reverse lookup....this doesn't seem to be happening, i.e. running "host 10.1.1.5" on the IPA master fails...I assume I need this to work...so what's the best way?
>>
>> Set the IPA DNS service as a slave of the Microsoft AD reverse zones? If so how do I set this up? As per normal, i.e. edit the named.conf directly? Or do I do that from inside IPA? (can't see how just yet)
>>
>> or is there a better method?
>>
>> or does it matter if reverse lookups won't work?
>>
>> regards
>>
>> Steven Jones
>> Technical Specialist - Linux RHCE
>> Victoria University, Wellington, NZ
>> 0064 4 463 6272
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From dpal at redhat.com Mon Nov 21 19:44:50 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 21 Nov 2011 14:44:50 -0500
Subject: [Freeipa-users] FreeIPA's 'DNS'
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404C404033@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404C403CA5@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E404C403CB6@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E404C403CD2@STAWINCOX10MBX1.staff.vuw.ac.nz> <27641.213.225.75.97.1321871398.squirrel@www.nixtra.com>, <4ECA816E.8010609@redhat.com> <833D8E48405E064EBC54C84EC6B36E404C404033@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4ECAAA32.6000405@redhat.com>

On 11/21/2011 02:15 PM, Steven Jones wrote:
> Hi,
>
> I am trying a few things; after packet sniffing I can see that the Windows AD is refusing to answer the IPA server's queries, but just for that particular reverse zone.....so I have a change control / fault ticket in our control system for our MS operations ppl to look at and fix that....
>
> I did consider just putting such a setting in named.conf, but was concerned that it was not the "right way". At the moment I have created a reverse zone inside IPA.....when I get the above config/fault issue fixed...moving forward I would like to do as much as possible inside the FreeIPA GUI, because the thought of letting our Windows ppl near a CLI gives me the shivers....
>
> I have no idea how to do a doc ticket? But I do think the DNS section of the FreeIPA doc needs expanding.
>

You can open a BZ bug against IPA or log a ticket against FreeIPA here:
https://fedorahosted.org/freeipa/
See the link; it actually has all the instructions on how to report a bug right on the home page.

> Also some use cases; my one could well be typical of the hoops a customer has to jump through to make IPA work with an existing AD setup/site....I'm not sure if what I am doing is the best way....
>

Would be great if you could find some time to record these hoops and what you had to deal with in a step by step list. That would help us to find it a good place in the docs or wiki.

Thank you
Dmitri

> regards
>
> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
> 0064 4 463 6272

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From Steven.Jones at vuw.ac.nz Mon Nov 21 19:50:25 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Mon, 21 Nov 2011 19:50:25 +0000
Subject: [Freeipa-users] FreeIPA's 'DNS'
In-Reply-To: <4ECAAA32.6000405@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E404C403CA5@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E404C403CB6@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E404C403CD2@STAWINCOX10MBX1.staff.vuw.ac.nz> <27641.213.225.75.97.1321871398.squirrel@www.nixtra.com>, <4ECA816E.8010609@redhat.com> <833D8E48405E064EBC54C84EC6B36E404C404033@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4ECAAA32.6000405@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404C404058@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi

"Would be great if you could find some time to record these hoops and what you had to deal with in a step by step list. That would help us to find it a good place in the docs or wiki."

I have to write an as-built for this....it can't be released as is, as it might contain sensitive setup info, but I can send it "cleaned" to "someone" to use in a wiki or something.

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

From sigbjorn at nixtra.com Mon Nov 21 20:41:47 2011
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Mon, 21 Nov 2011 21:41:47 +0100
Subject: [Freeipa-users] Adding hosts
Message-ID: <4ECAB78B.6050806@nixtra.com>

Hi,

I want to integrate a kickstart tool written in PHP to add hosts to an IPA server.

I found the IpaApi, but there does not seem to be a host_add function:
http://freeipa.org/page/IpaApi

What would be the best way to do this?
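The answers further down this thread describe the request shape: the call carries an array of positional arguments plus an options struct, and goes as a POST to /ipa/xml with a Kerberos "Authorization: Negotiate <token>" header. The following is an added, offline example of building and decoding that request; it is not FreeIPA's own client code. The option names description and force are the ones the ipa host-add CLI accepts; the GSS token bytes, the fault text and the is_fqdn check are this example's own constructed assumptions.

```python
"""Shape of a FreeIPA XML-RPC host_add call: params are
[positional-argument array, options struct], POSTed to /ipa/xml with an
Authorization: Negotiate header carrying the GSSAPI token.
Added example, offline; token and fault contents below are constructed."""
import base64
import re
import xmlrpc.client

IPA_XMLRPC_PATH = "/ipa/xml"   # endpoint named in the thread

# IPA expects a fully qualified, lowercase host name: at least two DNS
# labels of letters, digits and hyphens.  Client-side sanity check only
# (an assumption of this example); the server validates again.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def is_fqdn(name):
    labels = name.rstrip(".").split(".")
    return len(labels) >= 2 and all(_LABEL.match(label) for label in labels)


def build_ipa_call(method, positional, options):
    """Encode one IPA command body: first param is the positional array,
    second param is the options struct (the layout 'ipa -vv' prints)."""
    return xmlrpc.client.dumps((list(positional), dict(options)), methodname=method)


def build_host_add(fqdn, description=None, force=False):
    """host_add takes the FQDN as its only positional argument; all options
    are optional, so the struct is empty unless something is set."""
    fqdn = fqdn.lower()
    if not is_fqdn(fqdn):
        raise ValueError("host_add needs a fully qualified host name: %r" % fqdn)
    options = {}
    if description is not None:
        options["description"] = description   # host description attribute
    if force:
        options["force"] = True                # skip the DNS A/AAAA record check
    return build_ipa_call("host_add", [fqdn], options)


def build_request(body, gss_token):
    """HTTP request parts: POST to /ipa/xml, with the raw SPNEGO/GSSAPI
    token (from a context for the HTTP/<ipa-server> service) base64-encoded
    into the Authorization header."""
    return {
        "method": "POST",
        "path": IPA_XMLRPC_PATH,
        "headers": {
            "Content-Type": "text/xml",
            "Authorization": "Negotiate " + base64.b64encode(gss_token).decode("ascii"),
        },
        "body": body,
    }


def decode_ipa_call(body):
    """Inverse of build_ipa_call: (method, positional list, options dict)."""
    (positional, options), method = xmlrpc.client.loads(body)
    return method, list(positional), dict(options)


def parse_ipa_response(body):
    """Classify a methodResponse: ('ok', result) or ('fault', code, message).
    IPA reports command errors (duplicate host, no permission) as XML-RPC faults."""
    try:
        (result,), _ = xmlrpc.client.loads(body)
    except xmlrpc.client.Fault as fault:
        return ("fault", fault.faultCode, fault.faultString)
    return ("ok", result)


if __name__ == "__main__":
    body = build_host_add("test.example.com", description="kickstart host")
    req = build_request(body, b"CONSTRUCTED-TOKEN-NOT-A-REAL-SPNEGO-BLOB")
    print(req["method"], req["path"], req["headers"]["Authorization"][:30] + "...")
    print(decode_ipa_call(body))
    sample_fault = xmlrpc.client.dumps(xmlrpc.client.Fault(4002, "host already exists"),
                                       methodresponse=True)   # constructed sample
    print(parse_ipa_response(sample_fault))
```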
From rcritten at redhat.com Mon Nov 21 21:21:44 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 21 Nov 2011 16:21:44 -0500
Subject: [Freeipa-users] Adding hosts
In-Reply-To: <4ECAB78B.6050806@nixtra.com>
References: <4ECAB78B.6050806@nixtra.com>
Message-ID: <4ECAC0E8.30407@redhat.com>

Sigbjorn Lie wrote:
> Hi,
>
> I want to integrate a kickstart tool written in PHP to add hosts to an
> IPA server.
>
> I found the IpaApi, but there does not seem to be a host_add function:
> http://freeipa.org/page/IpaApi
>
> What would be the best way to do this?

Sorry, we missed this page when we sought out all the v1 pages a while back.

Pretty much all functions now have the same format. The first argument is an array of positional arguments. The second is a struct representing the options.

An easy way to see how data is passed to a given command is to pass -vv to the ipa command:

$ ipa -vv host-add test.example.com

This will show the XML-RPC request we make.

In the case of a host you can probably get away with just positional arguments; I believe all options are, ahem, optional :-)

rob

From Steven.Jones at vuw.ac.nz Mon Nov 21 21:35:35 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Mon, 21 Nov 2011 21:35:35 +0000
Subject: [Freeipa-users] Annoying issue with Firefox and kerberos ticket
Message-ID: <833D8E48405E064EBC54C84EC6B36E404C404384@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

I got Firefox on the IPA server (RHEL6.2beta 64bit) working yesterday; today the Kerberos ticket had expired, so I re-ran kinit admin and hit retry, but I still have to re-configure Firefox.....this seems odd....is this a known bug or am I doing something wrong?

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

From JR.Aquino at citrix.com Mon Nov 21 21:59:58 2011
From: JR.Aquino at citrix.com (JR Aquino)
Date: Mon, 21 Nov 2011 21:59:58 +0000
Subject: [Freeipa-users] Firefox on Windows + FreeIPA WebUI
Message-ID: <19A69C37-424E-4BE1-965F-3B4F75DAE6AB@citrixonline.com>

Has anyone got this working?

I've installed MIT Kerb on my Windows system and configured Firefox, but I've yet to get them all to play nicely together...

If someone else has managed to figure this out, could you please hit me with the clue stick?

I'd prefer to fix Kerb SSO rather than adventure down the path of enabling Basic Auth on my FreeIPA Server.

Thanks!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Jr Aquino, GCIH, GWAPT | Sr. Information Security Specialist
Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
T: +1 805.690.3478
jr.aquino at citrixonline.com
http://www.citrixonline.com

Access Your PC or Mac From Anywhere: www.gotomypc.com
Online Meetings Made Easy: www.gotomeeting.com
Web Events Made Easy: www.gotowebinar.com
Remote Support Made Easy: www.gotoassist.com

-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.jpg
Type: image/jpeg
Size: 3720 bytes
Desc: image001.jpg
URL:

From rcritten at redhat.com Mon Nov 21 22:10:15 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 21 Nov 2011 17:10:15 -0500
Subject: [Freeipa-users] Annoying issue with Firefox and kerberos ticket
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404C404384@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404C404384@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4ECACC47.4050502@redhat.com>

Steven Jones wrote:
> Hi,
>
> I got Firefox on the IPA server (RHEL6.2beta 64bit) working yesterday; today the Kerberos ticket had expired, so I re-ran kinit admin and hit retry, but I still have to re-configure Firefox.....this seems odd....is this a known bug or am I doing something wrong?

How did you reconfigure it? The button again? Did you look to see if it was already configured? Did you try a restart of FF?

Firefox in the past, 3.x-era, tended to be a bit flaky with tickets, especially renewing them. I can't recall any problems since 3.6.

rob

From sigbjorn at nixtra.com Mon Nov 21 22:22:37 2011
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Mon, 21 Nov 2011 23:22:37 +0100
Subject: [Freeipa-users] Adding hosts
In-Reply-To: <4ECAC82D.7030602@redhat.com>
References: <4ECAB78B.6050806@nixtra.com> <4ECAC0E8.30407@redhat.com> <4ECAC429.6090002@nixtra.com> <4ECAC82D.7030602@redhat.com>
Message-ID: <4ECACF2D.5060605@nixtra.com>

On 11/21/2011 10:52 PM, Rob Crittenden wrote:
> Sigbjorn Lie wrote:
>> On 11/21/2011 10:21 PM, Rob Crittenden wrote:
>>> Sorry, we missed this page when we sought out all the v1 pages a
>>> while back.
>>>
>>> Pretty much all functions now have the same format. The first argument
>>> is an array of positional arguments. The second is a struct
>>> representing the options.
>>>
>>> An easy way to see how data is passed to a given command is to pass
>>> -vv to the ipa command:
>>>
>>> $ ipa -vv host-add test.example.com
>>>
>>> This will show the XML-RPC request we make.
>>>
>>> In the case of a host you can probably get away with just positional
>>> arguments, I believe all options are, ahem, optional :-)
>>
>> Right, that wasn't horrible to read...at all... :)
>>
>> How do you suggest doing the authentication towards the XML-RPC
>> instance? If the user is authenticated to the apache server running the
>> kickstart tool using kerberos from IPA, can I re-use these credentials
>> and forward them to the IPA server? Having a pre-req that the kerberos
>> user must have access to add hosts in the IPA instance...
>
> The user's TGT will be in the ccache in KRB5CCNAME in the local
> environment. You'll need to use that to make requests. I'm not sure of
> the GSSAPI capabilities of PHP though.
>
> You need to get a service ticket for the HTTP service, then stuff that
> into an Authorization header when you make a request. It will look like:
>
> Authorization: negotiate
>
> Do a POST to /ipa/xml

Ok, Thanks, I will give it a shot.

From Steven.Jones at vuw.ac.nz Mon Nov 21 23:11:56 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Mon, 21 Nov 2011 23:11:56 +0000
Subject: [Freeipa-users] Annoying issue with Firefox and kerberos ticket
In-Reply-To: <4ECACC47.4050502@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E404C404384@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4ECACC47.4050502@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404C4043F2@STAWINCOX10MBX1.staff.vuw.ac.nz>

I followed the prompt that comes up in Firefox...

I have 3.6.24-3.el6 64bit....

No, I didn't restart FF; it didn't say I needed to.

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________________
From: Rob Crittenden [rcritten at redhat.com]
Sent: Tuesday, 22 November 2011 11:10 a.m.
To: Steven Jones
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Annoying issue with Firefox and kerberos ticket

Steven Jones wrote:
> Hi,
>
> I got Firefox on the IPA server (RHEL6.2beta 64bit) working yesterday; today the Kerberos ticket had expired, so I re-ran kinit admin and hit retry, but I still have to re-configure Firefox.....this seems odd....is this a known bug or am I doing something wrong?

How did you reconfigure it? The button again? Did you look to see if it was already configured? Did you try a restart of FF?

Firefox in the past, 3.x-era, tended to be a bit flaky with tickets, especially renewing them. I can't recall any problems since 3.6.

rob

From Steven.Jones at vuw.ac.nz Mon Nov 21 23:30:03 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Mon, 21 Nov 2011 23:30:03 +0000
Subject: [Freeipa-users] setting up replication
Message-ID: <833D8E48405E064EBC54C84EC6B36E404C40441A@STAWINCOX10MBX1.staff.vuw.ac.nz>

I just tried to set up replication for the second time and find I have to use the --skip-conncheck parameter.....

What is conncheck doing? i.e. how do I determine what's wrong with it?
regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

From dpal at redhat.com Tue Nov 22 00:37:59 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 21 Nov 2011 19:37:59 -0500
Subject: [Freeipa-users] FreeIPA's 'DNS'
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404C404058@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404C403CA5@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E404C403CB6@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E404C403CD2@STAWINCOX10MBX1.staff.vuw.ac.nz> <27641.213.225.75.97.1321871398.squirrel@www.nixtra.com>, <4ECA816E.8010609@redhat.com> <833D8E48405E064EBC54C84EC6B36E404C404033@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4ECAAA32.6000405@redhat.com> <833D8E48405E064EBC54C84EC6B36E404C404058@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4ECAEEE7.2090003@redhat.com>

On 11/21/2011 02:50 PM, Steven Jones wrote:
> Hi
>
> "Would be great if you could find some time to record these hoops and
> what you had to deal with in a step by step list. That would help us to
> find it a good place in the docs or wiki."
>
> I have to write an as-built for this....it can't be released as is, as it might contain sensitive setup info, but I can send it "cleaned" to "someone" to use in a wiki or something.

Sure. Thanks!

> regards
>
> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
> 0064 4 463 6272

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From dpal at redhat.com Tue Nov 22 00:42:17 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 21 Nov 2011 19:42:17 -0500
Subject: [Freeipa-users] Annoying issue with Firefox and kerberos ticket
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404C4043F2@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404C404384@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4ECACC47.4050502@redhat.com> <833D8E48405E064EBC54C84EC6B36E404C4043F2@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4ECAEFE9.8050207@redhat.com>

On 11/21/2011 06:11 PM, Steven Jones wrote:
> I followed the prompt that comes up in Firefox...
>
> I have 3.6.24-3.el6 64bit....
>
> No, I didn't restart FF; it didn't say I needed to.
>

I had some problems with Kerberos tickets on RHEL5. I filed a bug about that and it was fixed. Never had problems since then. The bug was that FF was holding on to an expired ticket and not re-reading a new one when it was available. But I have 3.6.23 on RHEL6 at the moment...

> regards
>
> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
> 0064 4 463 6272
>
> ________________________________________
> From: Rob Crittenden [rcritten at redhat.com]
> Sent: Tuesday, 22 November 2011 11:10 a.m.
> To: Steven Jones
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Annoying issue with Firefox and kerberos ticket
>
> How did you reconfigure it? The button again? Did you look to see if it
> was already configured? Did you try a restart of FF?
>
> Firefox in the past, 3.x-era, tended to be a bit flaky with tickets,
> especially renewing them. I can't recall any problems since 3.6.
>
> rob

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From dpal at redhat.com Tue Nov 22 00:44:36 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 21 Nov 2011 19:44:36 -0500
Subject: [Freeipa-users] setting up replication
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404C40441A@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404C40441A@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4ECAF074.7030107@redhat.com>

On 11/21/2011 06:30 PM, Steven Jones wrote:
> I just tried to set up replication for the second time and find I have to use the --skip-conncheck parameter.....
>
> What is conncheck doing? i.e. how do I determine what's wrong with it?
>

It is used to make sure that both sides of the agreement can reach each other during the establishment of the agreement. It is there to detect whether the firewall is properly set for the servers to see each other.

> regards
>
> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
> 0064 4 463 6272

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From Steven.Jones at vuw.ac.nz Tue Nov 22 00:56:06 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 22 Nov 2011 00:56:06 +0000
Subject: [Freeipa-users] setting up replication
In-Reply-To: <4ECAF074.7030107@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E404C40441A@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4ECAF074.7030107@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404C40444F@STAWINCOX10MBX1.staff.vuw.ac.nz>

K, Thanks.....I've set up a user on the read/write master and done an ipa user-find on the read-only master and these are replicated, so it looks like I have a functional 2 node FreeIPA setup. :D

So now for clients.

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Dmitri Pal [dpal at redhat.com]
Sent: Tuesday, 22 November 2011 1:44 p.m.
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] setting up replication

On 11/21/2011 06:30 PM, Steven Jones wrote:
> I just tried to set up replication for the second time and find I have to use the --skip-conncheck parameter.....
>
> What is conncheck doing? i.e. how do I determine what's wrong with it?
>

It is used to make sure that both sides of the agreement can reach each other during the establishment of the agreement. It is there to detect whether the firewall is properly set for the servers to see each other.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From ayoung at redhat.com Tue Nov 22 02:20:14 2011
From: ayoung at redhat.com (Adam Young)
Date: Mon, 21 Nov 2011 21:20:14 -0500
Subject: [Freeipa-users] Annoying issue with Firefox and kerberos ticket
In-Reply-To: <4ECACC47.4050502@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E404C404384@STAWINCOX10MBX1.staff.vuw.ac.nz> <4ECACC47.4050502@redhat.com>
Message-ID: <4ECB06DE.7050402@redhat.com>

On 11/21/2011 05:10 PM, Rob Crittenden wrote:
> Steven Jones wrote:
>> Hi,
>>
>> I got Firefox on the IPA server (RHEL6.2beta 64bit) working
>> yesterday; today the Kerberos ticket had expired, so I re-ran kinit
>> admin and hit retry, but I still have to re-configure
>> Firefox.....this seems odd....is this a known bug or am I doing
>> something wrong?
>
> How did you reconfigure it? The button again? Did you look to see if
> it was already configured? Did you try a restart of FF?
>
> Firefox in the past, 3.x-era, tended to be a bit flaky with tickets,
> especially renewing them. I can't recall any problems since 3.6.
>
> rob

You should not have needed to reconfigure it. A reload of the page should have been all it took.

From Steven.Jones at vuw.ac.nz Tue Nov 22 02:37:14 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 22 Nov 2011 02:37:14 +0000
Subject: [Freeipa-users] Annoying issue with Firefox and kerberos ticket
In-Reply-To: <4ECB06DE.7050402@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E404C404384@STAWINCOX10MBX1.staff.vuw.ac.nz> <4ECACC47.4050502@redhat.com>,<4ECB06DE.7050402@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404C4054AD@STAWINCOX10MBX1.staff.vuw.ac.nz>

Ok, it will expire again I expect.....I will try reloading it.

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Adam Young [ayoung at redhat.com]
Sent: Tuesday, 22 November 2011 3:20 p.m.
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Annoying issue with Firefox and kerberos ticket

You should not have needed to reconfigure it. A reload of the page should have been all it took.
_______________________________________________ Freeipa-users mailing list Freeipa-users at redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users From djuran at redhat.com Tue Nov 22 13:45:12 2011 From: djuran at redhat.com (David Juran) Date: Tue, 22 Nov 2011 14:45:12 +0100 Subject: [Freeipa-users] nisNet groups in AD In-Reply-To: <4ECA829A.30700@redhat.com> References: <1321894085.3674.46.camel@localhost.localdomain> <4ECA829A.30700@redhat.com> Message-ID: <1321969512.3674.75.camel@localhost.localdomain> On Mon, 2011-11-21 at 11:55 -0500, Dmitri Pal wrote: > On 11/21/2011 11:48 AM, David Juran wrote: > > Hello. > > > > I have a customer who is using nisNetgroups in microsoft Active > > Directory to keep track of which users are allowed to access which > > services. I've understood that IPA today does not sync this information > > from AD, is this correct? > > > > What about the future, once we can have trust towards an AD? Would that > > allow us to use the nisNet groups in AD for HBAC and sudo? > > Trusts would not help with netgroups. > I wonder if it is something that can be done via a client > configuration. > > But also why not move netgroups into IPA? Dumping the data into LDIF, > creating a script to convert it to IPA internal netgroups format and > loading it is not a huge effort. That is certainly the approach I will recommend but I suspect part of the problem is that the internal tool that the customer uses for the approval process (i.e. the process where someone approves that user foo should get added to group bar) knows how to communicate with AD but not how to talk to IPA. But if it comes to this, I guess it would be possible to do a regular sync, i.e. dump the LDIF from AD and import it into IPA on a regular basis. In any case, thank you for the answer. -- David Juran Sr. Consultant Red Hat +46-725-345801 -------------- next part -------------- A non-text attachment was scrubbed... 
Name: signature.asc Type: application/pgp-signature Size: 198 bytes Desc: This is a digitally signed message part URL: From dpal at redhat.com Tue Nov 22 14:02:52 2011 From: dpal at redhat.com (Dmitri Pal) Date: Tue, 22 Nov 2011 09:02:52 -0500 Subject: [Freeipa-users] nisNet groups in AD In-Reply-To: <1321969512.3674.75.camel@localhost.localdomain> References: <1321894085.3674.46.camel@localhost.localdomain> <4ECA829A.30700@redhat.com> <1321969512.3674.75.camel@localhost.localdomain> Message-ID: <4ECBAB8C.3030806@redhat.com> On 11/22/2011 08:45 AM, David Juran wrote: > On Mon, 2011-11-21 at 11:55 -0500, Dmitri Pal wrote: >> On 11/21/2011 11:48 AM, David Juran wrote: >>> Hello. >>> >>> I have a customer who is using nisNetgroups in microsoft Active >>> Directory to keep track of which users are allowed to access which >>> services. I've understood that IPA today does not sync this information >>> from AD, is this correct? >>> >>> What about the future, once we can have trust towards an AD? Would that >>> allow us to use the nisNet groups in AD for HBAC and sudo? >> Trusts would not help with netgroups. >> I wonder if it is something that can be done via a client >> configuration. >> >> But also why not move netgroups into IPA? Dumping the data into LDIF, >> creating a script to convert it to IPA internal netgroups format and >> loading it is not a huge effort. > That is certainly the approach I will recommend but I suspect part of > the problem is that the internal tool that the customer uses for the > approval process (i.e. the process where someone approves that user foo > should get added to group bar) knows how to communicate with AD but not > how to talk to IPA. But if it comes to this, I guess it would be > possible to do a regular sync, i.e. dump the LDIF from AD and import it > into IPA on a regular basis. > > In any case, thank you for the answer. I doubt that there is something specific. Netgroup schema is a standard 2307. 
I suspect that AD uses this schema and the client software just uses an LDAP client connection to get this info. So in the general case it should be a question of pointing the LDAP search to a different server. Of course if the client software has some AD-related assumptions, like a hardcoded base DN, then there will be a problem, but app developers learned this lesson more than 10 years ago so I hope this is not the case.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From sigbjorn at nixtra.com Tue Nov 22 19:46:04 2011
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Tue, 22 Nov 2011 20:46:04 +0100
Subject: [Freeipa-users] Automount kerberos errors
Message-ID: <4ECBFBFC.2030500@nixtra.com>

Hi,

I have configured automount to use the hosts' kerberos keytab to speak GSSAPI with the IPA server, using the following as /etc/autofs_ldap_auth.conf:

<autofs_ldap_sasl_conf
        usetls="no"
        tlsrequired="no"
        authrequired="autodetect"
        authtype="GSSAPI"
        clientprinc="host/redhat5.ix.test.com@IX.TEST.COM"
/>

I get the following error messages in the log, once a day. It seems like the ticket expires before it's renewed. Has anyone else seen this? Or perhaps I should file a bug report on the automounter? I don't get this error message on Red Hat 6 clients.

I also get the error where automount says sss is not a supported automount source, even though the ipa-client-install script configured nsswitch to look up automount in sss. I get this error message on both Red Hat 5 and Red Hat 6 machines. What's going on?

Nov 20 15:49:15 redhat5 automount[26234]: ignored unsupported autofs nsswitch source "sss"
Nov 20 15:49:15 redhat5 automount[26234]: sasl_log_func:100: No worthy mechs found
Nov 20 15:49:15 redhat5 automount[26234]: sasl_log_func:100: GSSAPI Error: Unspecified GSS failure.
Minor code may provide more information (Ticket expired)
Nov 20 16:05:33 redhat5 automount[26234]: ignored unsupported autofs nsswitch source "sss"
Nov 20 16:05:33 redhat5 automount[26234]: sasl_log_func:100: No worthy mechs found
Nov 20 16:05:33 redhat5 automount[26234]: sasl_log_func:100: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
Nov 20 16:20:17 redhat5 automount[26234]: ignored unsupported autofs nsswitch source "sss"
Nov 20 16:20:17 redhat5 automount[26234]: sasl_log_func:100: No worthy mechs found
Nov 20 16:20:18 redhat5 automount[26234]: sasl_log_func:100: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
Nov 20 16:43:44 redhat5 automount[26234]: ignored unsupported autofs nsswitch source "sss"
Nov 20 16:43:44 redhat5 automount[26234]: sasl_log_func:100: No worthy mechs found
Nov 20 16:43:44 redhat5 automount[26234]: sasl_log_func:100: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
Nov 20 20:13:28 redhat5 automount[26234]: sasl_log_func:100: No worthy mechs found
Nov 20 20:13:28 redhat5 automount[26234]: sasl_log_func:100: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
Nov 21 22:01:47 redhat5 automount[26234]: sasl_log_func:100: No worthy mechs found
Nov 21 22:01:48 redhat5 automount[26234]: sasl_log_func:100: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
Nov 21 22:51:57 redhat5 automount[26234]: sasl_log_func:100: No worthy mechs found
Nov 21 22:51:58 redhat5 automount[26234]: sasl_log_func:100: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
Nov 21 23:14:30 redhat5 automount[26234]: sasl_log_func:100: No worthy mechs found
Nov 21 23:14:30 redhat5 automount[26234]: sasl_log_func:100: GSSAPI Error: Unspecified GSS failure.
Minor code may provide more information (Ticket expired)
Nov 22 20:36:34 redhat5 automount[26234]: sasl_log_func:100: No worthy mechs found
Nov 22 20:36:34 redhat5 automount[26234]: sasl_log_func:100: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)

Rgds,
Siggi

From Steven.Jones at vuw.ac.nz Tue Nov 22 19:58:50 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 22 Nov 2011 19:58:50 +0000
Subject: [Freeipa-users] Improvement to documentation needed for firewalling pls.
Message-ID: <833D8E48405E064EBC54C84EC6B36E404C405D4C@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

2.1.3.4 page 10 lists ports but not what happens with them...

For instance I am now in a very secure environment and find when I do an ipa-client-install the client connects to port 80 and retrieves a ca.crt... now I have to wait 3 days to get port 80 opened up... to the IPA server(s).

If I had better docs then I can make the request beforehand...

This of course is the first failure... if say I find that the ipa-client-install script uses 443 next I will have to wait another 3 days... if I find there are 4 undocumented port calls to get a client install to work... well it's a week to 2 weeks wait...
regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

From dpal at redhat.com Tue Nov 22 20:01:12 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Tue, 22 Nov 2011 15:01:12 -0500
Subject: [Freeipa-users] Automount kerberos errors
In-Reply-To: <4ECBFBFC.2030500@nixtra.com>
References: <4ECBFBFC.2030500@nixtra.com>
Message-ID: <4ECBFF88.90701@redhat.com>

On 11/22/2011 02:46 PM, Sigbjorn Lie wrote:
> Hi,
>
> I have configured automount to use the hosts' kerberos keytab to speak
> GSSAPI with the IPA server, using the following as
> /etc/autofs_ldap_auth.conf:
>
> <autofs_ldap_sasl_conf
>         usetls="no"
>         tlsrequired="no"
>         authrequired="autodetect"
>         authtype="GSSAPI"
>         clientprinc="host/redhat5.ix.test.com@IX.TEST.COM"
> />
>
> I get the following error messages in the log, once a day. It seems
> like the ticket expires before it's renewed. Has anyone else seen
> this? Or perhaps I should file a bug report on the automounter? I
> don't get this error message on Red Hat 6 clients.
>
> I also get the error where automount says sss is not a supported
> automount source, even though the ipa-client-install script configured
> nsswitch to look up automount in sss. I get this error message on both
> Red Hat 5 and Red Hat 6 machines. What's going on?
>
> Nov 20 15:49:15 redhat5 automount[26234]: ignored unsupported autofs
> nsswitch source "sss"

SSSD does not support automount integration yet.

> Nov 20 15:49:15 redhat5 automount[26234]: sasl_log_func:100: No worthy
> mechs found
> Nov 20 15:49:15 redhat5 automount[26234]: sasl_log_func:100: GSSAPI
> Error: Unspecified GSS failure. Minor code may provide more
> information (Ticket expired)
> Nov 20 16:05:33 redhat5 automount[26234]: ignored unsupported autofs
> nsswitch source "sss"
> Nov 20 16:05:33 redhat5 automount[26234]: sasl_log_func:100: No worthy
> mechs found
> Nov 20 16:05:33 redhat5 automount[26234]: sasl_log_func:100: GSSAPI
> Error: Unspecified GSS failure.
> Minor code may provide more
> information (Ticket expired)
> Nov 20 16:20:17 redhat5 automount[26234]: ignored unsupported autofs
> nsswitch source "sss"
> Nov 20 16:20:17 redhat5 automount[26234]: sasl_log_func:100: No worthy
> mechs found
> Nov 20 16:20:18 redhat5 automount[26234]: sasl_log_func:100: GSSAPI
> Error: Unspecified GSS failure. Minor code may provide more
> information (Ticket expired)
> Nov 20 16:43:44 redhat5 automount[26234]: ignored unsupported autofs
> nsswitch source "sss"
> Nov 20 16:43:44 redhat5 automount[26234]: sasl_log_func:100: No worthy
> mechs found
> Nov 20 16:43:44 redhat5 automount[26234]: sasl_log_func:100: GSSAPI
> Error: Unspecified GSS failure. Minor code may provide more
> information (Ticket expired)
> Nov 20 20:13:28 redhat5 automount[26234]: sasl_log_func:100: No worthy
> mechs found
> Nov 20 20:13:28 redhat5 automount[26234]: sasl_log_func:100: GSSAPI
> Error: Unspecified GSS failure. Minor code may provide more
> information (Ticket expired)
> Nov 21 22:01:47 redhat5 automount[26234]: sasl_log_func:100: No worthy
> mechs found
> Nov 21 22:01:48 redhat5 automount[26234]: sasl_log_func:100: GSSAPI
> Error: Unspecified GSS failure. Minor code may provide more
> information (Ticket expired)
> Nov 21 22:51:57 redhat5 automount[26234]: sasl_log_func:100: No worthy
> mechs found
> Nov 21 22:51:58 redhat5 automount[26234]: sasl_log_func:100: GSSAPI
> Error: Unspecified GSS failure. Minor code may provide more
> information (Ticket expired)
> Nov 21 23:14:30 redhat5 automount[26234]: sasl_log_func:100: No worthy
> mechs found
> Nov 21 23:14:30 redhat5 automount[26234]: sasl_log_func:100: GSSAPI
> Error: Unspecified GSS failure. Minor code may provide more
> information (Ticket expired)
> Nov 22 20:36:34 redhat5 automount[26234]: sasl_log_func:100: No worthy
> mechs found
> Nov 22 20:36:34 redhat5 automount[26234]: sasl_log_func:100: GSSAPI
> Error: Unspecified GSS failure.
> Minor code may provide more
> information (Ticket expired)
>
> Rgds,
> Siggi

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From dpal at redhat.com Tue Nov 22 20:04:29 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Tue, 22 Nov 2011 15:04:29 -0500
Subject: [Freeipa-users] Improvement to documentation needed for firewalling pls.
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404C405D4C@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404C405D4C@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4ECC004D.5000901@redhat.com>

On 11/22/2011 02:58 PM, Steven Jones wrote:
> Hi,
>
> 2.1.3.4 page 10 lists ports but not what happens with them...
>
> For instance I am now in a very secure environment and find when I do an ipa-client-install the client connects to port 80 and retrieves a ca.crt... now I have to wait 3 days to get port 80 opened up... to the IPA server(s).
>
> If I had better docs then I can make the request beforehand...
>
> This of course is the first failure... if say I find that the ipa-client-install script uses 443 next I will have to wait another 3 days... if I find there are 4 undocumented port calls to get a client install to work... well it's a week to 2 weeks wait...

When you install IPA the output of the installation lists all the ports that you need to open and for what service: DNS, Kerberos, LDAP etc. Is this not enough?
What level of detail are you looking for?

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From Steven.Jones at vuw.ac.nz Tue Nov 22 20:24:18 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 22 Nov 2011 20:24:18 +0000
Subject: [Freeipa-users] Improvement to documentation needed for firewalling pls.
In-Reply-To: <4ECC004D.5000901@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E404C405D4C@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4ECC004D.5000901@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404C405D7B@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

I don't find out until I run the script... it's a bit late. I then have to raise more change controls and wait. Also for any application deployment I have to do a [security] design and say what is opened, why and if any sensitive data is transmitted, so I really need this info before I touch a server at all. For instance a user id and password is classed as sensitive, so it has to be encrypted... by some acceptable standard method and it has to be adequately encrypted... So the security portion of the design can take weeks to get signed off... if I've missed anything serious I may have to re-write and submit.

We end up doing this frequently... sometimes we even reject a vendor's product because we find it has a fundamental security flaw... like it's transmitting plain text passwords or even storing/caching them locally in plain text... not that uncommon...

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272
From Steven.Jones at vuw.ac.nz Tue Nov 22 20:35:51 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 22 Nov 2011 20:35:51 +0000
Subject: [Freeipa-users] Improvement to documentation needed for firewalling pls.
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404C405D7B@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404C405D4C@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4ECC004D.5000901@redhat.com>, <833D8E48405E064EBC54C84EC6B36E404C405D7B@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404C405DBB@STAWINCOX10MBX1.staff.vuw.ac.nz>

Now the ipa-client-install script is on 443 and I have no firewall engineer today... and maybe not until Monday...

:(

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272
From dpal at redhat.com Tue Nov 22 20:49:10 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Tue, 22 Nov 2011 15:49:10 -0500
Subject: [Freeipa-users] Improvement to documentation needed for firewalling pls.
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404C405D7B@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404C405D4C@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4ECC004D.5000901@redhat.com> <833D8E48405E064EBC54C84EC6B36E404C405D7B@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4ECC0AC6.1070005@redhat.com>

On 11/22/2011 03:24 PM, Steven Jones wrote:
> Hi,
>
> I don't find out until I run the script... it's a bit late. I then have to raise more change controls and wait. Also for any application deployment I have to do a [security] design and say what is opened, why and if any sensitive data is transmitted, so I really need this info before I touch a server at all. For instance a user id and password is classed as sensitive, so it has to be encrypted... by some acceptable standard method and it has to be adequately encrypted... So the security portion of the design can take weeks to get signed off... if I've missed anything serious I may have to re-write and submit. We end up doing this frequently... sometimes we even reject a vendor's product because we find it has a fundamental security flaw...

What would be helpful is to turn this into Q&A. Can you formulate a set of questions a little bit more granular than "Which ports I need to open when and why"?

> like it's transmitting plain text passwords or even storing/caching them locally in plain text... not that uncommon...

True.
But we do not do that except AFAIK one case - the password for the CA DS instance, which is stored locally in the config file available to root only. But I may be wrong. Is there anything else? Does anyone know?
--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From dpal at redhat.com Tue Nov 22 20:59:44 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Tue, 22 Nov 2011 15:59:44 -0500
Subject: [Freeipa-users] Improvement to documentation needed for firewalling pls.
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404C405DBB@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404C405D4C@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4ECC004D.5000901@redhat.com>, <833D8E48405E064EBC54C84EC6B36E404C405D7B@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E404C405DBB@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4ECC0D40.1060009@redhat.com>

On 11/22/2011 03:35 PM, Steven Jones wrote:
> Now the ipa-client-install script is on 443 and I have no firewall engineer today... and maybe not until Monday...

Feel free to add more to it.
https://bugzilla.redhat.com/show_bug.cgi?id=756163

> :(
--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From sgallagh at redhat.com Tue Nov 22 21:01:25 2011
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Tue, 22 Nov 2011 16:01:25 -0500
Subject: [Freeipa-users] Automount kerberos errors
In-Reply-To: <4ECBFF88.90701@redhat.com>
References: <4ECBFBFC.2030500@nixtra.com> <4ECBFF88.90701@redhat.com>
Message-ID: <1321995685.2288.27.camel@sgallagh520.ipa.sgallagh.bos.redhat.com>

On Tue, 2011-11-22 at 15:01 -0500, Dmitri Pal wrote:
> On 11/22/2011 02:46 PM, Sigbjorn Lie wrote:
...
> > I get the following error messages in the log, once a day. It seems
> > like the ticket expires before it's renewed. Has anyone else seen
> > this? Or perhaps I should file a bug report on the automounter? I
> > don't get this error message on Red Hat 6 clients.
> >
> > I also get the error where automount says sss is not a supported
> > automount source, even though the ipa-client-install script configured
> > nsswitch to look up automount in sss. I get this error message on both
> > Red Hat 5 and Red Hat 6 machines. What's going on?
> >
> > Nov 20 15:49:15 redhat5 automount[26234]: ignored unsupported autofs
> > nsswitch source "sss"
>
> SSSD does not support automount integration yet.

We are working on adding support for automount in SSSD. See the following bug for details:
https://bugzilla.redhat.com/show_bug.cgi?id=683523

From Steven.Jones at vuw.ac.nz Tue Nov 22 21:24:07 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 22 Nov 2011 21:24:07 +0000
Subject: [Freeipa-users] Improvement to documentation needed for firewalling pls.
In-Reply-To: <4ECC0AC6.1070005@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E404C405D4C@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4ECC004D.5000901@redhat.com> <833D8E48405E064EBC54C84EC6B36E404C405D7B@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4ECC0AC6.1070005@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404C405DF7@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

I suppose we can break this down into sections based on the components.

For instance the inter-IPA server port communication is covered off well... it needs 7389 for day to day communication, but needs ports 9443 to 9445 for the setup... So I can do a task for that aspect (which I did). However that isn't on page 10... it's deeper into the doc. I don't like repeating info in a doc multiple times so I'd suggest page 10 mentions the above and tells you where to look.

I would suggest that something similar is needed for client to server... for instance is 9446? as well as 80 and 443? needed?

What actual ports will an IPA enabled client use to talk to IPA? i.e. does it need 389, 636 and 88 and 464? or does it just use 636 and 464? (say)

Non-IPA clients, what do they use? So if I'm Red Hat only, IPA enabled only, I open up fewer ports... the second I want Ubuntu and Mac I have to open up more.

Looks like we have or can imply enough info for server to external services/communications... so we need DNS and NTP to be open... from page 10

Admin use... so ssh, and 443, 80?... when you run kinit admin that talks over what ports? 88? and 464? Is 9445 used for admin?

It may be better to have a "visio" diagram(s). A protocol diagram is in the as-built I sent you, section 4.1.

NB I also write an IPTABLES ruleset before I build the server/workstation and that gets carried over via Kickstart/Satellite and activated on build. So once it's built I then find that oh I missed one... I use subversion to hold each server's iptables firewall, I have to go back and edit that file so in a DR or OR situation it's all up to date...
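Steven's questions above (which ports an enrolled client really uses, and knowing them before the change request goes in rather than after the script fails) as a small client-side preflight. This is an added example, not code from the thread or from the FreeIPA project. The port table in it is my reading of the IPA documentation and installer output of this period, not something the thread settles, so check it against the port list your own ipa-server-install prints; the inter-server CA ports Steven mentions (7389, 9443 to 9445) are left out of the client table on purpose. The server name and client subnet are placeholders.

```python
"""Client-side preflight for IPA enrolment behind a strict firewall.
Added example.  IPA_CLIENT_PORTS is an ASSUMPTION taken from the IPA docs
and installer output of this period: confirm it against your own server."""
import socket
import sys

# (port, proto, service, why an enrolled client needs it).  The inter-server
# CA ports named in the thread (7389, 9443-9445) are deliberately absent.
IPA_CLIENT_PORTS = [
    (80,  "tcp", "HTTP",     "ipa-client-install retrieves ca.crt"),
    (443, "tcp", "HTTPS",    "enrolment, ipa CLI and web UI"),
    (389, "tcp", "LDAP",     "SSSD identity lookups, HBAC and sudo rules"),
    (636, "tcp", "LDAPS",    "LDAP over TLS"),
    (88,  "tcp", "Kerberos", "kinit and service tickets (TCP fallback)"),
    (88,  "udp", "Kerberos", "kinit and service tickets"),
    (464, "tcp", "kpasswd",  "password changes (TCP fallback)"),
    (464, "udp", "kpasswd",  "password changes"),
    (53,  "tcp", "DNS",      "only when the IPA server is the resolver"),
    (53,  "udp", "DNS",      "only when the IPA server is the resolver"),
    (123, "udp", "NTP",      "clock sync; Kerberos rejects skew over 5 minutes"),
]


def change_request(server_ip, client_net):
    """One line per port/protocol for the firewall change ticket."""
    return [f"{client_net} -> {server_ip} {proto}/{port} ({svc}): {why}"
            for port, proto, svc, why in IPA_CLIENT_PORTS]


def iptables_input_rules(client_net):
    """Server-side INPUT rules for a kickstart-time ruleset: accept replies
    to established flows, then one explicit ACCEPT per IPA service."""
    rules = ["-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"]
    for port, proto, svc, _ in IPA_CLIENT_PORTS:
        rules.append(f"-A INPUT -s {client_net} -p {proto} -m {proto} --dport {port} "
                     f'-m comment --comment "IPA {svc}" -j ACCEPT')
    return rules


def check_tcp(host, port, timeout=2.0):
    """True when a TCP connect completes; refused, filtered and timed-out
    all come back False, which is what the change request needs to know."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(server, timeout=2.0):
    """Probe every TCP port in the table.  UDP entries get None: a connect
    test cannot tell whether a UDP port is filtered."""
    return {(port, proto): (check_tcp(server, port, timeout) if proto == "tcp" else None)
            for port, proto, _, _ in IPA_CLIENT_PORTS}


def blocked(results):
    """The (port, proto) pairs that definitely failed, sorted for the ticket."""
    return sorted(key for key, ok in results.items() if ok is False)


if __name__ == "__main__":
    server = sys.argv[1] if len(sys.argv) > 1 else "ipa.example.com"  # placeholder
    results = preflight(server)
    for (port, proto), ok in sorted(results.items()):
        state = {True: "open", False: "BLOCKED", None: "unknown (udp)"}[ok]
        print(f"{proto}/{port:<4} {state}")
    print("server-side iptables rules (client subnet 10.0.0.0/24 is a placeholder):")
    print("\n".join(iptables_input_rules("10.0.0.0/24")))
```

Run it on the client as `python preflight.py ipa.example.com` before ipa-client-install; whatever it reports as BLOCKED goes into the change request up front, and the iptables lines can be dropped into the kickstart-time ruleset Steven describes. UDP ports are reported as unknown because a TCP connect says nothing about them; check Kerberos, DNS and NTP over UDP with kinit, dig and ntpdate -q against the server instead.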
regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272
> regards > > Steven Jones > > Technical Specialist - Linux RHCE > > Victoria University, Wellington, NZ > > 0064 4 463 6272 > > ________________________________________ > From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Dmitri Pal [dpal at redhat.com] > Sent: Wednesday, 23 November 2011 9:04 a.m. > To: freeipa-users at redhat.com > Subject: Re: [Freeipa-users] Improvement to documentaion needed for firewalling pls. > > On 11/22/2011 02:58 PM, Steven Jones wrote: >> Hi, >> >> 2.1.3.4 page 10 lists ports but not what happens with them... >> >> For instance I am now in a very secure environment and find when I do a ipa-client-install the client connects to port 80 and retrieves a ca.crt........now I have to wait 3 days to get port 80 opened up...to the IPA server(s). >> >> If I had better docs then I can make the request before hand.... >> >> This of course is the first failure.....if say I find that the ipa-client-install script uses 443 next I will have to wait another 3 days......if I find there are 4 un-documented port calls to get an client install to work......well its a week to 2 weeks wait.... >> >> >> regards >> >> Steven Jones >> >> Technical Specialist - Linux RHCE >> >> Victoria University, Wellington, NZ >> >> 0064 4 463 6272 >> >> >> _______________________________________________ >> Freeipa-users mailing list >> Freeipa-users at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-users > When you install IPA the output of the installation lists all the ports > that you need to open and for what service: DNS, Kerberos, LDAP etc. > Is this not enough? What level of details you are looking for? > > -- > Thank you, > Dmitri Pal > > Sr. Engineering Manager IPA project, > Red Hat Inc. > > > ------------------------------- > Looking to carve out IT costs? 
> www.redhat.com/carveoutcosts/

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

From dpal at redhat.com Tue Nov 22 22:05:46 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Tue, 22 Nov 2011 17:05:46 -0500
Subject: [Freeipa-users] Improvement to documentaion needed for firewalling pls.
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404C405DF7@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404C405D4C@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4ECC004D.5000901@redhat.com> <833D8E48405E064EBC54C84EC6B36E404C405D7B@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4ECC0AC6.1070005@redhat.com> <833D8E48405E064EBC54C84EC6B36E404C405DF7@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4ECC1CBA.4020007@redhat.com>

On 11/22/2011 04:24 PM, Steven Jones wrote:
> Hi,
>
> I suppose we can break this down into sections based on the components.
>
> [...]
>
> NB I also write an iptables ruleset before I build the server/workstation and that gets carried over via Kickstart/Satellite and activated on build. So once it's built I then find that oh, I missed one... I use subversion to hold each server's iptables firewall; I have to go back and edit that file so in a DR or OR situation it's all up to date...
>
Added pointer to your mail to the bug.

> regards
>
> Steven Jones
>
> [...]

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
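The ports named in this thread (80 and 443 for the client install and admin access, 389/636, 88/464, DNS and NTP, 7389 for day-to-day traffic between servers, 9443 to 9445 for replica setup) gathered into one table that a kickstart-time ruleset can be rendered from, plus a reachability probe to run from a client before ipa-client-install is attempted. This is an added example, not part of the thread and not FreeIPA's own code; which role (client, admin, replica) needs which port is this example's assumption and should be confirmed against the documentation of the version deployed, and the server name and source network are constructed.

```python
"""Pre-deployment firewall planning and reachability check for IPA.

Added example, not from this thread or the FreeIPA project.  It gathers the
ports named in the thread into one table, renders an iptables ruleset from
it, and probes which TCP ports a client can reach *before* ipa-client-install
is run, so the firewall change request can be raised up front.  Which role
(client, admin, replica) needs which port is this example's own assumption
and must be confirmed against the documentation of the IPA version deployed.
"""
import shlex
import socket

# (port, protocol, service, roles that need it).  Roles are an assumption.
IPA_PORTS = [
    (80,   "tcp", "HTTP: ipa-client-install fetches ca.crt",   {"client", "admin"}),
    (443,  "tcp", "HTTPS: web UI and XML-RPC/JSON API",        {"client", "admin"}),
    (389,  "tcp", "LDAP",                                      {"client", "replica"}),
    (636,  "tcp", "LDAPS",                                     {"client", "replica"}),
    (88,   "tcp", "Kerberos KDC",                              {"client", "admin", "replica"}),
    (88,   "udp", "Kerberos KDC",                              {"client", "admin", "replica"}),
    (464,  "tcp", "Kerberos kpasswd",                          {"client", "admin", "replica"}),
    (464,  "udp", "Kerberos kpasswd",                          {"client", "admin", "replica"}),
    (53,   "tcp", "DNS",                                       {"client", "replica"}),
    (53,   "udp", "DNS",                                       {"client", "replica"}),
    (123,  "udp", "NTP",                                       {"client", "replica"}),
    (7389, "tcp", "Dogtag DS: day-to-day replica traffic",     {"replica"}),
    (9443, "tcp", "Dogtag CA: replica setup",                  {"replica"}),
    (9444, "tcp", "Dogtag CA: replica setup",                  {"replica"}),
    (9445, "tcp", "Dogtag CA: replica setup",                  {"replica"}),
]


def ports_for(role):
    """(port, proto, service) triples a host in `role` must reach on the IPA server."""
    return [(p, proto, svc) for p, proto, svc, roles in IPA_PORTS if role in roles]


def iptables_rules(role, source="0.0.0.0/0", chain="INPUT"):
    """Render one iptables ACCEPT rule per (port, proto) for hosts of `role`.

    Meant to be dropped into the kickstart-time ruleset; `source` narrows the
    rule to the network the role lives on instead of opening it to the world.
    """
    rules = []
    for port, proto, svc in ports_for(role):
        rules.append(
            "iptables -A %s -s %s -p %s --dport %d -m comment --comment %s -j ACCEPT"
            % (chain, source, proto, port, shlex.quote("%s %s" % (role, svc)))
        )
    return rules


def check_reachable(host, role, timeout=2.0, connect=None):
    """Probe every TCP port `role` needs on `host`; return {(port, proto): status}.

    status is True/False for TCP ports; UDP services cannot be probed with a
    plain connect, so they are reported as None (check them with the service
    itself, e.g. a DNS query).  `connect` is injectable so the logic can be
    exercised without a network.
    """
    if connect is None:
        def connect(h, p):
            try:
                with socket.create_connection((h, p), timeout=timeout):
                    return True
            except OSError:
                return False
    results = {}
    for port, proto, _svc in ports_for(role):
        results[(port, proto)] = connect(host, port) if proto == "tcp" else None
    return results


def missing_ports(results):
    """TCP ports that were probed and found blocked, sorted: the change request list."""
    return sorted(p for (p, proto), ok in results.items() if proto == "tcp" and ok is False)


if __name__ == "__main__":
    # Constructed values: an IPA server name and a client network.
    for rule in iptables_rules("client", source="192.0.2.0/24"):
        print(rule)
    res = check_reachable("ipa.example.test", "client")
    print("blocked TCP ports:", missing_ports(res))
```

Running the probe from the new client against the server before enrolment turns the one-port-at-a-time discovery described above into a single list that can go into the change request; the rendered rules carry the role and service in an iptables comment so a reviewer of the server's ruleset in subversion can see why each port is open.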
From sigbjorn at nixtra.com Tue Nov 22 22:11:00 2011
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Tue, 22 Nov 2011 23:11:00 +0100
Subject: [Freeipa-users] Automount kerberos errors
In-Reply-To: <1321995685.2288.27.camel@sgallagh520.ipa.sgallagh.bos.redhat.com>
References: <4ECBFBFC.2030500@nixtra.com> <4ECBFF88.90701@redhat.com> <1321995685.2288.27.camel@sgallagh520.ipa.sgallagh.bos.redhat.com>
Message-ID: <4ECC1DF4.4050506@nixtra.com>

On 11/22/2011 10:01 PM, Stephen Gallagher wrote:
> On Tue, 2011-11-22 at 15:01 -0500, Dmitri Pal wrote:
>> On 11/22/2011 02:46 PM, Sigbjorn Lie wrote:
> ...
>>> I get the following error messages in the log, once a day. It seems
>>> like the ticket expires before it's renewed. Has anyone else seen
>>> this? Or perhaps I should file a bug report on the automounter? I
>>> don't get this error message on Red Hat 6 clients.
>>>
>>> I also get the error where automount says sss is not a supported
>>> automount source, even though the ipa-client-install script configured
>>> nsswitch to look up automount in sss. I get this error message on both
>>> Red Hat 5 and Red Hat 6 machines. What's going on?
>>>
>>> Nov 20 15:49:15 redhat5 automount[26234]: ignored unsupported autofs
>>> nsswitch source "sss"
>>
>> SSSD does not support automount integration yet.
> We are working on adding support for automount in SSSD. See the
> following bug for details:
> https://bugzilla.redhat.com/show_bug.cgi?id=683523
>

Ok, great stuff. I was so sure ipa-client-install configured automount in nsswitch.conf to use sss, which is the nsswitch.conf file I copied into CFengine for distribution. I must have been mistaken. :)

Regards,
Siggi

From mkosek at redhat.com Wed Nov 23 14:18:35 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 23 Nov 2011 15:18:35 +0100
Subject: [Freeipa-users] FreeIPA's 'DNS'
In-Reply-To: <4ECA816E.8010609@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E404C403CA5@STAWINCOX10MBX1.staff.vuw.ac.nz> , <833D8E48405E064EBC54C84EC6B36E404C403CB6@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E404C403CD2@STAWINCOX10MBX1.staff.vuw.ac.nz> <27641.213.225.75.97.1321871398.squirrel@www.nixtra.com> <4ECA816E.8010609@redhat.com>
Message-ID: <1322057915.27504.15.camel@balmora.brq.redhat.com>

On Mon, 2011-11-21 at 11:50 -0500, Dmitri Pal wrote:
> On 11/21/2011 05:29 AM, Sigbjorn Lie wrote:
> > Hi,
> >
> > Why not use a forwarders statement in the named.conf? Works for me.
> >
> > zone "11.168.192.in-addr.arpa." in {
> >     type forward;
> >     forwarders { 192.168.1.1; 192.168.1.2; };
> > };
> >
>
> Steven,
>
> Can you please confirm that it works for you?
> In the short term we should document this, so if it works can you please open a
> doc ticket or BZ?
>
> Long term we should probably extend the LDAP driver and store this
> information in the LDAP and allow it to be configured via IPA UI/CLI.
> If this makes sense let us open a ticket for that too.
>
> Thanks
> Dmitri

There is already a BZ request for storing global/zone forwarders in LDAP:
https://bugzilla.redhat.com/show_bug.cgi?id=754433

I consulted this with the bind-dyndb-ldap plugin owner and we agreed on implementing it.

Martin

From borepstein at gmail.com Wed Nov 23 17:07:28 2011
From: borepstein at gmail.com (Boris Epstein)
Date: Wed, 23 Nov 2011 12:07:28 -0500
Subject: [Freeipa-users] LDAP testing/tuning tools
Message-ID:

Hello listmates,

What would you recommend for a tool to connect to my FreeIPA server via LDAP and test the connection, tune it, etc?

Thanks.

Boris.

From simo at redhat.com Wed Nov 23 18:48:50 2011
From: simo at redhat.com (Simo Sorce)
Date: Wed, 23 Nov 2011 13:48:50 -0500
Subject: [Freeipa-users] LDAP testing/tuning tools
In-Reply-To:
References:
Message-ID: <1322074130.6750.91.camel@willson.li.ssimo.org>

I would follow this guide:
http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html/Performance_Tuning_Guide/index.html

The console is not included in ipa, only the core of directory server, but the guide includes command line commands to use.

You can use either the mozldap tools if available on your client or the openldap clients, although cmdline options may slightly differ between the 2 toolsets, so it may be a bit confusing.

HTH,
Simo.

On Wed, 2011-11-23 at 12:07 -0500, Boris Epstein wrote:
> Hello listmates,
>
> What would you recommend for a tool to connect to my FreeIPA server
> via LDAP and test the connection, tune it, etc?
>
> Thanks.
>
> Boris.

--
Simo Sorce * Red Hat, Inc * New York

From abokovoy at redhat.com Wed Nov 23 20:19:40 2011
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 23 Nov 2011 22:19:40 +0200
Subject: [Freeipa-users] Warning: use of ipa-devel repo would prevent upgrades from F15 to F16
Message-ID: <20111123201940.GA14772@redhat.com>

Hi,

this is mostly relevant for developers but I'm including freeipa-users@ just in case. If you are not using ipa-devel, you can ignore this message.

The development repository for FreeIPA-related packages, ipa-devel, does not have a pki-ca package built for Fedora 16. This means that after an upgrade from Fedora 15 to Fedora 16, a pki-ca package installed from the ipa-devel repo will not be updated to the Fedora 16-specific pki-ca package from fedora-updates:

# rpm -q pki-ca
pki-ca-9.0.16-1.20111122T0545z.fc15.noarch
# yum install pki-ca-9.0.16-1.fc16
Setting up Install Process
Package matching pki-ca-9.0.16-1.fc16.noarch already installed. Checking for update.
Nothing to do

As a result, pki-ca will not have systemd support and FreeIPA in Fedora 16 will not work with the integrated Certificate Authority.

I've filed ticket 61 for pki: https://fedorahosted.org/pki/ticket/61, but the person responsible for the repository is not available until Monday, so if you are planning to upgrade from Fedora 15 to Fedora 16 and are using the ipa-devel repo, please postpone the upgrade until next week.

Additionally, please be aware that the ipa-devel repo is for development and early testing purposes only. No guarantees are given for packages installed from ipa-devel. Of course, if you are participating in FreeIPA/Dogtag/389-ds development, you already know that.

--
/ Alexander Bokovoy

From Steven.Jones at vuw.ac.nz Wed Nov 23 23:23:30 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Wed, 23 Nov 2011 23:23:30 +0000
Subject: [Freeipa-users] HBAC rules not working
Message-ID: <833D8E48405E064EBC54C84EC6B36E404C40677D@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

I have disabled the allow_all rule. I have created a group and added a user. I have enrolled a client and added it to a host group... I have done a HBAC rule between the two groups to allow all services, that user group to that host group from anywhere, but I cannot login...

If I enable the allow_all HBAC I can...

So how do I fault find why I can't login?
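A way to fault find a login that HBAC denies, as an added example that is not part of this thread and is not FreeIPA's or SSSD's code: a small model of the decision an enrolled client makes at login (allow when at least one enabled rule matches the user, the target host and the PAM service, with user group and host group membership resolved through nesting), plus a per-rule breakdown that shows which side of a rule fails for a given user and host. All group, host and rule names are constructed; the scenario mirrors the one described above, with allow_all disabled and one rule from a user group to a host group for all services.

```python
"""Model of IPA host-based access control (HBAC) evaluation.

Added example, not code from this thread, FreeIPA or SSSD.  It reproduces
the decision an enrolled client makes at login: access is granted when at
least one ENABLED rule matches the user, the target host and the PAM
service, each side matching either through the 'all' category or through
an explicit member, with user group and host group membership resolved
through nesting.  The per-rule breakdown is the fault-finding view: it
shows which side of a rule fails for a given login.  All names below
(example.test hosts, groups, rule names) are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class HbacRule:
    name: str
    enabled: bool = True
    usercat: str = ""            # "all" matches any user
    hostcat: str = ""            # "all" matches any host
    servicecat: str = ""         # "all" matches any PAM service
    users: set = field(default_factory=set)
    groups: set = field(default_factory=set)       # user groups
    hosts: set = field(default_factory=set)
    hostgroups: set = field(default_factory=set)
    services: set = field(default_factory=set)


@dataclass
class Directory:
    """Group membership as the client sees it: group name -> direct members,
    where a member may itself be a (nested) group."""
    user_groups: dict
    host_groups: dict

    @staticmethod
    def _containing(table, member):
        """Every group that contains `member`, directly or via nesting."""
        found, stack = set(), [member]
        while stack:
            cur = stack.pop()
            for grp, members in table.items():
                if cur in members and grp not in found:
                    found.add(grp)
                    stack.append(grp)
        return found

    def groups_of_user(self, user):
        return self._containing(self.user_groups, user)

    def groups_of_host(self, host):
        return self._containing(self.host_groups, host)


def explain(rule, directory, user, host, service):
    """Which sides of `rule` match this login; a rule applies only if all are True."""
    return {
        "enabled": rule.enabled,
        "user": rule.usercat == "all" or user in rule.users
                or bool(rule.groups & directory.groups_of_user(user)),
        "host": rule.hostcat == "all" or host in rule.hosts
                or bool(rule.hostgroups & directory.groups_of_host(host)),
        "service": rule.servicecat == "all" or service in rule.services,
    }


def evaluate(rules, directory, user, host, service):
    """(allowed, names of matching rules).  No matching enabled rule means deny."""
    matched = [r.name for r in rules
               if all(explain(r, directory, user, host, service).values())]
    return bool(matched), matched


# Constructed scenario mirroring the thread: allow_all disabled, one rule
# from a user group to a host group for all services, plus a rule that
# points at a host group the client resolves no members for.
DIRECTORY = Directory(
    user_groups={"web-admins": {"alice"}, "ops": {"web-admins"}},
    host_groups={"hg-web": {"web1.example.test"}, "hg-all": {"hg-web"}},
)
RULES = [
    HbacRule("allow_all", enabled=False, usercat="all", hostcat="all", servicecat="all"),
    HbacRule("ops-to-web", groups={"ops"}, hostgroups={"hg-web"}, servicecat="all"),
    HbacRule("ghost", groups={"web-admins"}, hostgroups={"hg-ghost"}, servicecat="all"),
]

if __name__ == "__main__":
    for host in ("web1.example.test", "db1.example.test"):
        allowed, why = evaluate(RULES, DIRECTORY, "alice", host, "sshd")
        print(host, "->", "ALLOW" if allowed else "DENY", why)
        for r in RULES:
            print("   ", r.name, explain(r, DIRECTORY, "alice", host, "sshd"))
```

The breakdown is the thing to look at when a rule that references a host group does not let anyone in: the "host" side is False whenever the host the user logs in to is not a member (directly or through nesting) of any host group the rule names, as the client resolves it. On a live server the same view is available from the CLI rather than the web UI: `ipa hostgroup-show NAME` shows whether the host group and its members are actually in the directory, `ipa hbacrule-show RULE` shows which user groups, host groups and services the rule references, and, in versions that provide it, `ipa hbactest --user=U --host=H --service=sshd` evaluates the stored rules for one login and lists the matched and unmatched rules.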
regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

From Steven.Jones at vuw.ac.nz Thu Nov 24 00:06:37 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 24 Nov 2011 00:06:37 +0000
Subject: [Freeipa-users] HBAC rules not working
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404C40677D@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404C40677D@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404C4067A9@STAWINCOX10MBX1.staff.vuw.ac.nz>

I have traced this to the host groups in the HBAC rule...

All my HBAC rules do not work unless I specify any "to" host; I cannot specify a host group at all. If I enable the allow_all rule but add a host group to it then that no longer works...

So I'm stuck :/

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
Sent: Thursday, 24 November 2011 12:23 p.m.
To: Alexander Bokovoy; freeipa-devel at redhat.com; freeipa-users at redhat.com
Subject: [Freeipa-users] HBAC rules not working

[...]

From Steven.Jones at vuw.ac.nz Thu Nov 24 01:02:13 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 24 Nov 2011 01:02:13 +0000
Subject: [Freeipa-users] HBAC rules not working
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404C4067A9@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404C40677D@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E404C4067A9@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404C4067DA@STAWINCOX10MBX1.staff.vuw.ac.nz>

I have deleted the hosts and re-added... made a new hosts group. However when I try to make a new HBAC rule for the new hosts group, the hosts group is not in the list of available host groups to allow me to pick it. :/

It is under the host group tabs... but it's invisible elsewhere... currently I am rebooting the IPA server to see if that fixes the log jam. :/

Kind of worried that I seem to be having rather simple terminal problems when it's 2 weeks from release...

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
Sent: Thursday, 24 November 2011 1:06 p.m.
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] HBAC rules not working

[...]

From Steven.Jones at vuw.ac.nz Thu Nov 24 01:06:40 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 24 Nov 2011 01:06:40 +0000
Subject: [Freeipa-users] Annoying issue with Firefox and kerberos ticket
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404C4043F2@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404C404384@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4ECACC47.4050502@redhat.com>, <833D8E48405E064EBC54C84EC6B36E404C4043F2@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404C4067E8@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

I am still having this issue... a restart doesn't fix it...

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
Sent: Tuesday, 22 November 2011 12:11 p.m.
To: Rob Crittenden
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Annoying issue with Firefox and kerberos ticket

I followed the prompt that comes up in Firefox...

I have 3.6.24-3.el6 64bit...

No, I didn't restart FF, it didn't say I needed to.

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________________
From: Rob Crittenden [rcritten at redhat.com]
Sent: Tuesday, 22 November 2011 11:10 a.m.
To: Steven Jones
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Annoying issue with Firefox and kerberos ticket

Steven Jones wrote:
> Hi,
>
> I got Firefox on the IPA server (RHEL6.2beta 64bit) working yesterday, today the Kerberos ticket had expired, so re-run kinit admin and hit re-try but I still have to re-configure Firefox... this seems odd... is this a known bug or am I doing something wrong?

How did you reconfigure it? The button again? Did you look to see if it was already configured? Did you try a restart of FF?

Firefox in the past, 3.x-era, tended to be a bit flaky with tickets, especially renewing them. I can't recall any problems since 3.6.

rob

From Steven.Jones at vuw.ac.nz Thu Nov 24 01:08:20 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 24 Nov 2011 01:08:20 +0000
Subject: [Freeipa-users] HBAC rules not working
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404C4067DA@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404C40677D@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E404C4067A9@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E404C4067DA@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404C4067F4@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

Even a reboot doesn't fix the ghost host group issue...

Can it be done via the CLI?

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
Sent: Thursday, 24 November 2011 2:02 p.m.
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] HBAC rules not working

[...]

From Steven.Jones at vuw.ac.nz Thu Nov 24 01:27:53 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 24 Nov 2011 01:27:53 +0000
Subject: [Freeipa-users] HBAC rules not working
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404C4067F4@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404C40677D@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E404C4067A9@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E404C4067DA@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E404C4067F4@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404C406807@STAWINCOX10MBX1.staff.vuw.ac.nz>

Redoing the user groups and host groups yet again with new names makes no difference...

Redoing this and I'm suspicious that the GUI might show the host group exists in the host group tab but it may not be in the LDAP backend... certainly in the HBAC window the host group fails to appear... and I can't login. :/

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
Sent: Thursday, 24 November 2011 2:08 p.m.
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] HBAC rules not working

[...]

From Steven.Jones at vuw.ac.nz Thu Nov 24 01:35:41 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 24 Nov 2011 01:35:41 +0000
Subject: [Freeipa-users] HBAC rules not working
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404C406807@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404C40677D@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E404C4067A9@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E404C4067DA@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E404C4067F4@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E404C406807@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404C406819@STAWINCOX10MBX1.staff.vuw.ac.nz>

When I go to the host group and pick the group I want, then go to the HBAC tab, the HBAC rule I have written doesn't appear as an enrol choice, but other rules do...

This is just weird...

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
Sent: Thursday, 24 November 2011 2:27 p.m.
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] HBAC rules not working

[...]

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
Sent: Thursday, 24 November 2011 12:23 p.m.
To: Alexander Bokovoy; freeipa-devel at redhat.com; freeipa-users at redhat.com Subject: [Freeipa-users] HBAC rules not working Hi, I have disabled the allow_all rule I have created a group and added a user, I have enrolled a client and added it to a host group....I have done a HBAC rule between the two groups to allow all services, that user group to that host group from anywhere, but I cannot login.... If I enable the allow_all HBAC I can.... So how do I fault find why I cant login? regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 _______________________________________________ Freeipa-users mailing list Freeipa-users at redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users _______________________________________________ Freeipa-users mailing list Freeipa-users at redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users _______________________________________________ Freeipa-users mailing list Freeipa-users at redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users _______________________________________________ Freeipa-users mailing list Freeipa-users at redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users _______________________________________________ Freeipa-users mailing list Freeipa-users at redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users From Steven.Jones at vuw.ac.nz Thu Nov 24 01:38:31 2011 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Thu, 24 Nov 2011 01:38:31 +0000 Subject: [Freeipa-users] HBAC rules not working In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404C406819@STAWINCOX10MBX1.staff.vuw.ac.nz> References: <833D8E48405E064EBC54C84EC6B36E404C40677D@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E404C4067A9@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E404C4067DA@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E404C4067F4@STAWINCOX10MBX1.staff.vuw.ac.nz>, 
<833D8E48405E064EBC54C84EC6B36E404C406807@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E404C406819@STAWINCOX10MBX1.staff.vuw.ac.nz> Message-ID: <833D8E48405E064EBC54C84EC6B36E404C406827@STAWINCOX10MBX1.staff.vuw.ac.nz> When I go to a different existing HBAC rule and add the host group I can login..... confused.....cant see what Im doing wrong.... regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 ________________________________________ From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz] Sent: Thursday, 24 November 2011 2:35 p.m. To: freeipa-users at redhat.com Subject: Re: [Freeipa-users] HBAC rules not working When I go to the host group and pick the group I want, then go to the HBAC tab the hbac rule I have written doesnt appear as an enrol choice, but other rules do..... This is just wierd.... regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 ________________________________________ From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz] Sent: Thursday, 24 November 2011 2:27 p.m. To: freeipa-users at redhat.com Subject: Re: [Freeipa-users] HBAC rules not working Redoing the user groups and host groups yet again with new names makes no difference........ Redoing this and Im suspicious that the gui might show the hosts group exists in the hosts group tab but it may not be in the LDAP backend....certainly in the HBAC window the host group fails to appear....and I cant login. 
:/ regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 ________________________________________ From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz] Sent: Thursday, 24 November 2011 2:08 p.m. To: freeipa-users at redhat.com Subject: Re: [Freeipa-users] HBAC rules not working Hi, Even a reboot doesnt fix the ghost host group issue... Can it be dont via the cli? regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 ________________________________________ From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz] Sent: Thursday, 24 November 2011 2:02 p.m. To: freeipa-users at redhat.com Subject: Re: [Freeipa-users] HBAC rules not working I have deleted the hosts and re-added.....made a new hosts group. However when I try to make a new HBAC rule for the new hosts group, the hosts group is not in the list of available host groups to allow me to pick it. :/ It is under the host group tabs....but its invisible elsewhere.....currently I am rebooting the IPA server to see if that fixes the log jam. :/ Kind of worried that I seem to be having rather simple terminal problems when its 2 weeks from release.... regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 ________________________________________ From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz] Sent: Thursday, 24 November 2011 1:06 p.m. To: freeipa-users at redhat.com Subject: Re: [Freeipa-users] HBAC rules not working I have traced this to the host groups in the HBAC rule... All my HBAC rules do not work unless I specify any "to" host, I cannot specify a host group at all. 
If I enable the allow_all rule but add to host group to it then that no longer works..... So Im stuck :/ regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 ________________________________________ From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz] Sent: Thursday, 24 November 2011 12:23 p.m. To: Alexander Bokovoy; freeipa-devel at redhat.com; freeipa-users at redhat.com Subject: [Freeipa-users] HBAC rules not working Hi, I have disabled the allow_all rule I have created a group and added a user, I have enrolled a client and added it to a host group....I have done a HBAC rule between the two groups to allow all services, that user group to that host group from anywhere, but I cannot login.... If I enable the allow_all HBAC I can.... So how do I fault find why I cant login? regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 _______________________________________________ Freeipa-users mailing list Freeipa-users at redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users _______________________________________________ Freeipa-users mailing list Freeipa-users at redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users _______________________________________________ Freeipa-users mailing list Freeipa-users at redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users _______________________________________________ Freeipa-users mailing list Freeipa-users at redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users _______________________________________________ Freeipa-users mailing list Freeipa-users at redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users _______________________________________________ Freeipa-users mailing list Freeipa-users at redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users From Steven.Jones at 
vuw.ac.nz Thu Nov 24 01:41:30 2011 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Thu, 24 Nov 2011 01:41:30 +0000 Subject: [Freeipa-users] HBAC rules not working In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404C406827@STAWINCOX10MBX1.staff.vuw.ac.nz> References: <833D8E48405E064EBC54C84EC6B36E404C40677D@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E404C4067A9@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E404C4067DA@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E404C4067F4@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E404C406807@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E404C406819@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E404C406827@STAWINCOX10MBX1.staff.vuw.ac.nz> Message-ID: <833D8E48405E064EBC54C84EC6B36E404C40683B@STAWINCOX10MBX1.staff.vuw.ac.nz> When I add a host to the hbac rule and not a host group I can login.... Something is wrong with the host group(s).....damned if I can see what. regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 ________________________________________ From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz] Sent: Thursday, 24 November 2011 2:38 p.m. To: freeipa-users at redhat.com Subject: Re: [Freeipa-users] HBAC rules not working When I go to a different existing HBAC rule and add the host group I can login..... confused.....cant see what Im doing wrong.... regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 ________________________________________ From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz] Sent: Thursday, 24 November 2011 2:35 p.m. 
To: freeipa-users at redhat.com Subject: Re: [Freeipa-users] HBAC rules not working When I go to the host group and pick the group I want, then go to the HBAC tab the hbac rule I have written doesnt appear as an enrol choice, but other rules do..... This is just wierd.... regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 ________________________________________ From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz] Sent: Thursday, 24 November 2011 2:27 p.m. To: freeipa-users at redhat.com Subject: Re: [Freeipa-users] HBAC rules not working Redoing the user groups and host groups yet again with new names makes no difference........ Redoing this and Im suspicious that the gui might show the hosts group exists in the hosts group tab but it may not be in the LDAP backend....certainly in the HBAC window the host group fails to appear....and I cant login. :/ regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 ________________________________________ From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz] Sent: Thursday, 24 November 2011 2:08 p.m. To: freeipa-users at redhat.com Subject: Re: [Freeipa-users] HBAC rules not working Hi, Even a reboot doesnt fix the ghost host group issue... Can it be dont via the cli? regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 ________________________________________ From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz] Sent: Thursday, 24 November 2011 2:02 p.m. To: freeipa-users at redhat.com Subject: Re: [Freeipa-users] HBAC rules not working I have deleted the hosts and re-added.....made a new hosts group. 
However when I try to make a new HBAC rule for the new hosts group, the hosts group is not in the list of available host groups to allow me to pick it. :/ It is under the host group tabs....but its invisible elsewhere.....currently I am rebooting the IPA server to see if that fixes the log jam. :/ Kind of worried that I seem to be having rather simple terminal problems when its 2 weeks from release.... regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 ________________________________________ From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz] Sent: Thursday, 24 November 2011 1:06 p.m. To: freeipa-users at redhat.com Subject: Re: [Freeipa-users] HBAC rules not working I have traced this to the host groups in the HBAC rule... All my HBAC rules do not work unless I specify any "to" host, I cannot specify a host group at all. If I enable the allow_all rule but add to host group to it then that no longer works..... So Im stuck :/ regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 ________________________________________ From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz] Sent: Thursday, 24 November 2011 12:23 p.m. To: Alexander Bokovoy; freeipa-devel at redhat.com; freeipa-users at redhat.com Subject: [Freeipa-users] HBAC rules not working Hi, I have disabled the allow_all rule I have created a group and added a user, I have enrolled a client and added it to a host group....I have done a HBAC rule between the two groups to allow all services, that user group to that host group from anywhere, but I cannot login.... If I enable the allow_all HBAC I can.... So how do I fault find why I cant login? 
regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 _______________________________________________ Freeipa-users mailing list Freeipa-users at redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users _______________________________________________ Freeipa-users mailing list Freeipa-users at redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users _______________________________________________ Freeipa-users mailing list Freeipa-users at redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users _______________________________________________ Freeipa-users mailing list Freeipa-users at redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users _______________________________________________ Freeipa-users mailing list Freeipa-users at redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users _______________________________________________ Freeipa-users mailing list Freeipa-users at redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users _______________________________________________ Freeipa-users mailing list Freeipa-users at redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users From JR.Aquino at citrix.com Thu Nov 24 03:02:42 2011 From: JR.Aquino at citrix.com (JR Aquino) Date: Thu, 24 Nov 2011 03:02:42 +0000 Subject: [Freeipa-users] HBAC rules not working In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404C40683B@STAWINCOX10MBX1.staff.vuw.ac.nz> References: <833D8E48405E064EBC54C84EC6B36E404C40677D@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E404C4067A9@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E404C4067DA@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E404C4067F4@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E404C406807@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E404C406819@STAWINCOX10MBX1.staff.vuw.ac.nz>, 
<833D8E48405E064EBC54C84EC6B36E404C406827@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E404C40683B@STAWINCOX10MBX1.staff.vuw.ac.nz> Message-ID: <0631B7CD-A7EB-43F6-BCA8-8A0EF3FE33C8@citrixonline.com> On Nov 23, 2011, at 5:41 PM, Steven Jones wrote: > Hi, > > Even a reboot doesnt fix the ghost host group issue... > > Can it be dont via the cli? ipa hbacrule-add-host --hostgroups=hostgroup_name hbacrule_name Also you may be running into a problem with source hosts... You do need to specify from which hosts you are allowing ssh if I recall correctly. Assuming that you want to permit _from_ any source host: ipa hbacrule-mod --srchostcat=all hbacrule_name From ayoung at redhat.com Thu Nov 24 03:59:23 2011 From: ayoung at redhat.com (Adam Young) Date: Wed, 23 Nov 2011 22:59:23 -0500 (EST) Subject: [Freeipa-users] Annoying issue with Firefox and kerberos ticket In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404C4067E8@STAWINCOX10MBX1.staff.vuw.ac.nz> Message-ID: So let me get this straight: A system that works fine one day does not work the next. You have a Kerberos TIcket, it expires. The webUI doesn't work. You then do a kinit and reload the browser, and it does not work. THen you go through the initialization steps, including configuring the browser, and then the webUI does work? I can't see how that is possible. All that the browser config does is sets a couple of values in the properties that allows the browser forward the Kerberos TGT to the FreeIPA site. Are those values are somehow getting unset? There is something else going on. 
THe next time, before you re-init the tgt or anything, go through the steps here: http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/sso-config-firefox.html and check the values for network.negotiate-auth.trusted-uris and network.negotiate-auth.delegation-uris ----- Original Message ----- From: "Steven Jones" Cc: freeipa-users at redhat.com Sent: Wednesday, November 23, 2011 8:06:40 PM Subject: Re: [Freeipa-users] Annoying issue with Firefox and kerberos ticket Hi, I am still having this issue....a restart doesnt fix it..... regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 ________________________________________ From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz] Sent: Tuesday, 22 November 2011 12:11 p.m. To: Rob Crittenden Cc: freeipa-users at redhat.com Subject: Re: [Freeipa-users] Annoying issue with Firefox and kerberos ticket I followed the prompt that comes up in Firefox... I have 3.6.24-3.el6 64bit.... No i didnt restart FF, it didnt say I needed to. regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 ________________________________________ From: Rob Crittenden [rcritten at redhat.com] Sent: Tuesday, 22 November 2011 11:10 a.m. To: Steven Jones Cc: freeipa-users at redhat.com Subject: Re: [Freeipa-users] Annoying issue with Firefox and kerberos ticket Steven Jones wrote: > Hi, > > I got Firefox on the IPA server (RHEL6.2beta 64bit) working yesterday, today the Kerberos ticket had expired, so re-run kinit admin and hit re-try but I still have to re-configure Firefox.....this seems odd....is this a known bug or am I doing something wrong? How did you reconfigure it? The button again? Did you look to see if it was already configured? Did you try a restart of FF? 
Firefox in the past, 3.x-era, tended to be a bit flaky with tickets, especially renewing them. I can't recall any problems since 3.6. rob _______________________________________________ Freeipa-users mailing list Freeipa-users at redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users _______________________________________________ Freeipa-users mailing list Freeipa-users at redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users From rcritten at redhat.com Thu Nov 24 05:42:14 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 24 Nov 2011 00:42:14 -0500 Subject: [Freeipa-users] HBAC rules not working In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404C40683B@STAWINCOX10MBX1.staff.vuw.ac.nz> References: <833D8E48405E064EBC54C84EC6B36E404C40677D@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E404C4067A9@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E404C4067DA@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E404C4067F4@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E404C406807@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E404C406819@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E404C406827@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E404C40683B@STAWINCOX10MBX1.staff.vuw.ac.nz> Message-ID: <4ECDD936.2080800@redhat.com> Steven Jones wrote: > When I add a host to the hbac rule and not a host group I can login.... > > Something is wrong with the host group(s).....damned if I can see what. I'd bump up debugging in sssd (sssd.conf (5)) on the server you're logging into. It should tell you the evaluation it is making and why it is failing. You'll need to restart sssd after adding debug_level. 
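Rob's advice above is to read sssd's HBAC evaluation out of its debug log. What follows is an added example, not code from this thread, from FreeIPA or from sssd: a small Python model of the same evaluation, written so that it reports which part of each rule a login request fails on. It uses the allow-only semantics of FreeIPA HBAC (a rule matches only when its user, host, service and source-host parts each match, either through a category of "all", a directly listed member, or a listed group), and it reproduces the two situations in the thread: a host that is not actually a member of the host group named in the rule falls through, while a rule that lists the host directly matches; and, per JR's note, a rule whose source-host part was never set matches nothing. Service groups are omitted for brevity, and every user, group, host and rule name below is constructed.

```python
"""Toy HBAC evaluator modelled on how sssd decides a login request against
FreeIPA HBAC rules.  Added example: this is not code from the thread, FreeIPA
or sssd.  All users, groups, hosts and rules below are constructed."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Rule:
    """One HBAC rule.  A category of "all" (the CLI's --usercat=all,
    --hostcat=all, --servicecat=all, --srchostcat=all) matches anything;
    otherwise the request must match a listed member or a listed group.
    Service groups are left out of this toy."""
    name: str
    enabled: bool = True
    usercat: Optional[str] = None
    users: Set[str] = field(default_factory=set)
    usergroups: Set[str] = field(default_factory=set)
    hostcat: Optional[str] = None
    hosts: Set[str] = field(default_factory=set)
    hostgroups: Set[str] = field(default_factory=set)
    servicecat: Optional[str] = None
    services: Set[str] = field(default_factory=set)
    srchostcat: Optional[str] = None
    srchosts: Set[str] = field(default_factory=set)
    srchostgroups: Set[str] = field(default_factory=set)


@dataclass
class Request:
    user: str
    host: str      # the host being logged into (the rule's "to" host)
    service: str   # PAM service name, e.g. "sshd"
    srchost: str   # the host the login comes from


# Constructed directory data: user -> user groups, host -> host groups.
USER_GROUPS: Dict[str, Set[str]] = {"sjones": {"linux-admins"}, "guest": set()}
HOST_GROUPS: Dict[str, Set[str]] = {
    "ws1.example.com": {"workstations"},
    "ws2.example.com": set(),        # enrolled, but a member of no host group yet
    "laptop.example.com": set(),
}


def _component_matches(cat, members, groups, name, name_groups) -> bool:
    """A rule component matches when its category is "all", the name is listed
    directly, or one of the name's groups is listed."""
    if cat == "all":
        return True
    return name in members or bool(groups & name_groups)


def explain_rule(rule: Rule, req: Request, user_groups, host_groups) -> str:
    """Return "match", "disabled", or the first component ("user", "host",
    "service", "srchost") that the request fails to satisfy."""
    if not rule.enabled:
        return "disabled"
    checks = [
        ("user", rule.usercat, rule.users, rule.usergroups,
         req.user, user_groups.get(req.user, set())),
        ("host", rule.hostcat, rule.hosts, rule.hostgroups,
         req.host, host_groups.get(req.host, set())),
        ("service", rule.servicecat, rule.services, set(), req.service, set()),
        ("srchost", rule.srchostcat, rule.srchosts, rule.srchostgroups,
         req.srchost, host_groups.get(req.srchost, set())),
    ]
    for label, cat, members, groups, name, name_groups in checks:
        if not _component_matches(cat, members, groups, name, name_groups):
            return label
    return "match"


def evaluate(rules: List[Rule], req: Request, user_groups=USER_GROUPS,
             host_groups=HOST_GROUPS) -> Tuple[bool, Dict[str, str]]:
    """Allow-only evaluation: access is granted iff at least one enabled rule
    matches every component.  The per-rule verdicts are returned as well, which
    is the information the sssd debug log gives you."""
    verdicts = {r.name: explain_rule(r, req, user_groups, host_groups) for r in rules}
    return any(v == "match" for v in verdicts.values()), verdicts


def scenario_rules() -> List[Rule]:
    """Rules modelled on the thread: allow_all disabled, a user-group-to-host-group
    rule, a per-host rule, and a rule whose source-host part was never set."""
    admins = {"linux-admins"}
    return [
        Rule("allow_all", enabled=False, usercat="all", hostcat="all",
             servicecat="all", srchostcat="all"),
        Rule("admins_to_workstations", usergroups=admins,
             hostgroups={"workstations"}, servicecat="all", srchostcat="all"),
        Rule("admins_to_ws2_direct", usergroups=admins,
             hosts={"ws2.example.com"}, servicecat="all", srchostcat="all"),
        Rule("missing_srchost", usergroups=admins,
             hostgroups={"workstations"}, services={"sshd"}),
    ]


if __name__ == "__main__":
    for host in ("ws1.example.com", "ws2.example.com"):
        req = Request("sjones", host, "sshd", "laptop.example.com")
        allowed, verdicts = evaluate(scenario_rules(), req)
        print(host, "ALLOW" if allowed else "DENY", verdicts)
```

Running it prints one line per target host with the overall decision and the per-rule verdicts; the "host" verdict against `admins_to_workstations` for ws2.example.com is the shape of failure to look for when a host group is named in the rule but the host is not actually a member of it in the directory.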
rob

From Steven.Jones at vuw.ac.nz Thu Nov 24 19:24:35 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 24 Nov 2011 19:24:35 +0000
Subject: [Freeipa-users] Annoying issue with Firefox and kerberos ticket
References: <833D8E48405E064EBC54C84EC6B36E404C4067E8@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404C407B2E@STAWINCOX10MBX1.staff.vuw.ac.nz>

Yes.

Check - OK, it hasn't expired yet this morning...

regards
Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From Steven.Jones at vuw.ac.nz Thu Nov 24 19:44:12 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 24 Nov 2011 19:44:12 +0000
Subject: [Freeipa-users] HBAC rules not working
In-Reply-To: <0631B7CD-A7EB-43F6-BCA8-8A0EF3FE33C8@citrixonline.com>
References: <833D8E48405E064EBC54C84EC6B36E404C40677D@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E404C4067A9@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E404C4067DA@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E404C4067F4@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E404C406807@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E404C406819@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E404C406827@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E404C40683B@STAWINCOX10MBX1.staff.vuw.ac.nz>, <0631B7CD-A7EB-43F6-BCA8-8A0EF3FE33C8@citrixonline.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404C407B41@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

Yes I got there already, but thanks...

I made a new rule and per host works fine, not if I try and use a host group via CLI, so it's not the GUI I think... I can see one difference, I'm testing that theory now.

regards
Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From Steven.Jones at vuw.ac.nz Thu Nov 24 20:21:18 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 24 Nov 2011 20:21:18 +0000
Subject: [Freeipa-users] HBAC rules not working
In-Reply-To: <4ECDD936.2080800@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E404C40677D@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E404C4067A9@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E404C4067DA@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E404C4067F4@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E404C406807@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E404C406819@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E404C406827@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E404C40683B@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4ECDD936.2080800@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404C407B73@STAWINCOX10MBX1.staff.vuw.ac.nz>

I went debug_level 3.

I am getting "access denied by HBAC rules".

Screenshot from the log incl.

regards
Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipa-hbac-error-01.jpeg
Type: image/jpeg
Size: 41332 bytes
Desc: ipa-hbac-error-01.jpeg

From Steven.Jones at vuw.ac.nz Thu Nov 24 22:34:21 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 24 Nov 2011 22:34:21 +0000
Subject: [Freeipa-users] HBAC rules not working
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404C407B73@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404C40677D@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E404C4067A9@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E404C4067DA@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E404C4067F4@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E404C406807@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E404C406819@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E404C406827@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E404C40683B@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4ECDD936.2080800@redhat.com>, <833D8E48405E064EBC54C84EC6B36E404C407B73@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404C407D56@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

I have created a brand new workstation, brand new user group and brand new host group... when I go to create a HBAC rule the user group fails to appear...

So it looks like the IPA setup is broken... terminally...? :/

regards
Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From freeipa at noboost.org Fri Nov 25 00:04:37 2011
From: freeipa at noboost.org (Craig T)
Date: Fri, 25 Nov 2011 11:04:37 +1100
Subject: [Freeipa-users] "Joining realm failed because of failing XML-RPC request"
Message-ID: <20111125000437.GB4353@noboost.org>

Hi,

Did anyone end up finding a solution to this issue?

-----------------------------------------------------------------------
$ sudo ipa-client-install
Discovery was successful!
Hostname: testpc.example.com
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: testvm-389.example.com
BaseDN: dc=example,dc=com

Continue to configure the system with these values? [no]: yes
Enrollment principal: admin
Password for admin at EXAMPLE.COM:
Joining realm failed because of failing XML-RPC request.
This error may be caused by incompatible server/client major versions.
------------------------------------------------------------------------

Specs:

Server: Red Hat Enterprise Linux Server release 6.2 Beta (Santiago)
ipa-server-selinux-2.1.1-4.el6.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
ipa-client-2.1.1-4.el6.x86_64
ipa-server-2.1.1-4.el6.x86_64
ipa-python-2.1.1-4.el6.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
ipa-admintools-2.1.1-4.el6.x86_64

Client: Scientific Linux release 6.1 (Carbon)
ipa-client-2.0.0-23.el6.x86_64
ipa-python-2.0.0-23.el6.x86_64

Regards,
Craig

From Steven.Jones at vuw.ac.nz Fri Nov 25 01:38:25 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Fri, 25 Nov 2011 01:38:25 +0000
Subject: [Freeipa-users] "Joining realm failed because of failing XML-RPC request"
In-Reply-To: <20111125000437.GB4353@noboost.org>
References: <20111125000437.GB4353@noboost.org>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404C408E27@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

Have you tried installing the later RHEL client rpm on the Scientific Linux machine?

regards
Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From Steven.Jones at vuw.ac.nz Fri Nov 25 01:42:06 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Fri, 25 Nov 2011 01:42:06 +0000
Subject: [Freeipa-users] Sun Solar SAN, Bluecoat proxy and Bluearc NAS connections to IPA
Message-ID: <833D8E48405E064EBC54C84EC6B36E404C408E31@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

I need to get the above hardware to talk to IPA, I have had no joy at all.

So who in Red Hat can I get the above hardware vendors to talk to, to get me howtos?

regards
Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From Steven.Jones at vuw.ac.nz Fri Nov 25 03:10:27 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Fri, 25 Nov 2011 03:10:27 +0000
Subject: [Freeipa-users] Sun Solar SAN, Bluecoat proxy and Bluearc NAS connections to IPA
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404C408E31@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404C408E31@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404C4090C8@STAWINCOX10MBX1.staff.vuw.ac.nz>

Bluecoat, "Generally the user attribute type is "cn" for common name" - is this correct for IPA?

I have created a user group "internet-access"; I want users in here to have Internet access...

cn=internet-access,dc=groups,dc=unix,dc=vuw,dc=ac,dc=nz ?
I also assume I need to create a user with sufficient privileges to query this user-group.....I assume an anonymous bind won't do it?

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
Sent: Friday, 25 November 2011 2:42 p.m.
To: FreeIPAUsers
Subject: [Freeipa-users] Sun Solar SAN, Bluecoat proxy and Bluearc NAS connections to IPA

[...]

From jhrozek at redhat.com Fri Nov 25 04:37:01 2011
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Fri, 25 Nov 2011 05:37:01 +0100
Subject: [Freeipa-users] HBAC rules not working
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404C40683B@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404C40677D@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E404C4067A9@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E404C4067DA@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E404C4067F4@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E404C406807@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E404C406819@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E404C406827@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E404C40683B@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <20111125043701.GA7033@hendrix.redhat.com>

On Thu, Nov 24, 2011 at 01:41:30AM +0000, Steven Jones wrote:
> When I add a host to the hbac rule and not a host group I can login....
>
> Something is wrong with the host group(s).....damned if I can see what.
>
> regards
>
> Steven Jones
>

Which SSSD version is that? There was a bug (#741751) in the HBAC host group processing that got fixed in sssd-1.5.1-53

From abokovoy at redhat.com Fri Nov 25 04:50:10 2011
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Fri, 25 Nov 2011 06:50:10 +0200
Subject: [Freeipa-users] "Joining realm failed because of failing XML-RPC request"
In-Reply-To: <20111125000437.GB4353@noboost.org>
References: <20111125000437.GB4353@noboost.org>
Message-ID: <20111125045009.GA22739@redhat.com>

On Fri, 25 Nov 2011, Craig T wrote:
> Did anyone end up finding a solution to this issue?
>
> -----------------------------------------------------------------------
> $ sudo ipa-client-install
> Discovery was successful!
> [...]
> Joining realm failed because of failing XML-RPC request.
> This error may be caused by incompatible server/client major versions.
> ------------------------------------------------------------------------

Check /var/log/ipaclient-install.log for details.

--
/ Alexander Bokovoy

From freeipa at noboost.org Fri Nov 25 04:54:31 2011
From: freeipa at noboost.org (Craig T)
Date: Fri, 25 Nov 2011 15:54:31 +1100
Subject: [Freeipa-users] "Joining realm failed because of failing XML-RPC request"
In-Reply-To: <20111125045009.GA22739@redhat.com>
References: <20111125000437.GB4353@noboost.org> <20111125045009.GA22739@redhat.com>
Message-ID: <20111125045431.GA5048@noboost.org>

Hi Alexander,

I took "Steven Jones's advice" and updated the IPA client to ipa-client-2.1.1-4.el6.x86_64 and the client started working perfectly!

cya
Craig

On Fri, Nov 25, 2011 at 06:50:10AM +0200, Alexander Bokovoy wrote:
> On Fri, 25 Nov 2011, Craig T wrote:
> > Did anyone end up finding a solution to this issue?
> > [...]
> Check /var/log/ipaclient-install.log for details.
>
> --
> / Alexander Bokovoy

From abokovoy at redhat.com Fri Nov 25 06:49:43 2011
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Fri, 25 Nov 2011 08:49:43 +0200
Subject: [Freeipa-users] "Joining realm failed because of failing XML-RPC request"
In-Reply-To: <20111125045431.GA5048@noboost.org>
References: <20111125000437.GB4353@noboost.org> <20111125045009.GA22739@redhat.com> <20111125045431.GA5048@noboost.org>
Message-ID: <20111125064942.GA23419@redhat.com>

On Fri, 25 Nov 2011, Craig T wrote:
> Hi Alexander,
>
> I took "Steven Jones's advice" and updated the IPA client to
> ipa-client-2.1.1-4.el6.x86_64 and the client started working
> perfectly!

Ok, great!

--
/ Alexander Bokovoy

From sigbjorn at nixtra.com Sun Nov 27 17:53:02 2011
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Sun, 27 Nov 2011 18:53:02 +0100
Subject: [Freeipa-users] Replica and CA mess
Message-ID: <4ED278FE.2010705@nixtra.com>

I had an odd performing IPA replica server, it had no knowledge to any other services besides dirsrv, DNS and CA, lots of GSSAPI errors in the dirsrv logs, etc, so I decided to re-configure the IPA replica.
# ipactl status
Directory Service: RUNNING
DNS Service: RUNNING
CA Service: RUNNING

I removed the IPA instance on the host as per the document below.
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6-Beta/html/Identity_Management_Guide/Uninstalling_IPA_Servers.html

I prepared a new replica package for the host using ipa-replica-prepare on ipa01. And started ipa-replica-install on ipa03. This gave unexpected results.

# ipa-replica-install --setup-dns --forwarder=192.168.1.1 --forwarder=192.168.1.2 /var/lib/ipa/replica-info-ipa03.ix.test.com.gpg
Directory Manager (existing master) password:

Run connection check to master
Check connection from replica to remote master 'ipa01.ix.test.com':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): OK
   HTTP Server: port 80 (80): OK
   HTTP Server: port 443(https) (443): OK

Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
admin at IX.TEST.COM password:

Execute check on remote master
Check connection from master to remote replica 'ipa03.ix.test.com':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): OK
   HTTP Server: port 80 (80): OK
   HTTP Server: port 443(https) (443): OK

Connection from master to replica is OK.

Connection check OK
The host ipa03.ix.test.com already exists on the master server.
Depending on your configuration, you may perform the following:

Remove the replication agreement, if any:
    % ipa-replica-manage del ipa03.ix.test.com
Remove the host entry:
    % ipa host-del ipa03.ix.test.com

So I went back to ipa01 to remove the replica:

# ipa-replica-manage del ipa03.ix.test.com
Unable to delete replica ipa03.ix.test.com: {'desc': "Can't contact LDAP server"}

Hm, ok, I tried to force removal.

]# ipa-replica-manage del -f ipa03.ix.test.com
Unable to connect to replica ipa03.ix.test.com, forcing removal
Failed to get data from 'ipa03.ix.test.com': {'desc': "Can't contact LDAP server"}
Forcing removal on 'ipa01.ix.test.com'
Failed to get data from 'ipa02.ix.test.com': {'info': 'SASL(-1): generic failure: GSSAPI Error: An invalid name was supplied (Cannot determine realm for numeric host address)', 'desc': 'Local error'}
Failed to get data from 'ipa03.ix.test.com': {'desc': "Can't contact LDAP server"}

Not a complete success? However I was now able to install my replica. But I now no longer have a CA instance on the replica:

# ipactl status
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
DNS Service: RUNNING
HTTP Service: RUNNING

Perhaps an opportunity for improvements here? My suggestions:

* First off, add to the documentation to remove the replica on another IPA server before uninstalling the IPA replica?
* Why not automatically delete the replication agreement when uninstalling the replica?
* Where did the CA instance go? I see nothing in the documentation about this, but I found a ipa-ca-install command. ipa-ca-install yielded the error below. Same error occurs if I attempt to --setup-ca while doing the ipa-replica-install:

Configuring certificate server: Estimated time 3 minutes 30 seconds
  [1/11]: creating certificate server user
  [2/11]: creating pki-ca instance
  [3/11]: configuring certificate server instance
root        : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent 'ConfigureCA' '-cs_hostname' 'ipa03.ix.test.com' '-cs_port' '9445' '-client_certdb_dir' '/tmp/tmp-GyGkkW' '-client_certdb_pwd' XXXXXXXX '-preop_pin' 'BZiIPv9BeXIPIKs7hJrv' '-domain_name' 'IPA' '-admin_user' 'admin' '-admin_email' 'root at localhost' '-admin_password' XXXXXXXX '-agent_name' 'ipa-ca-agent' '-agent_key_size' '2048' '-agent_key_type' 'rsa' '-agent_cert_subject' 'CN=ipa-ca-agent,O=IX.TEST.COM' '-ldap_host' 'ipa03.ix.test.com' '-ldap_port' '7389' '-bind_dn' 'cn=Directory Manager' '-bind_password' XXXXXXXX '-base_dn' 'o=ipaca' '-db_name' 'ipaca' '-key_size' '2048' '-key_type' 'rsa' '-key_algorithm' 'SHA256withRSA' '-save_p12' 'true' '-backup_pwd' XXXXXXXX '-subsystem_name' 'pki-cad' '-token_name' 'internal' '-ca_subsystem_cert_subject_name' 'CN=CA Subsystem,O=IX.TEST.COM' '-ca_ocsp_cert_subject_name' 'CN=OCSP Subsystem,O=IX.TEST.COM' '-ca_server_cert_subject_name' 'CN=ipa03.ix.test.com,O=IX.TEST.COM' '-ca_audit_signing_cert_subject_name' 'CN=CA Audit,O=IX.TEST.COM' '-ca_sign_cert_subject_name' 'CN=Certificate Authority,O=IX.TEST.COM' '-external' 'false' '-clone' 'true' '-clone_p12_file' 'ca.p12' '-clone_p12_password' XXXXXXXX '-sd_hostname' 'ipa01.ix.test.com' '-sd_admin_port' '443' '-sd_admin_name' 'admin' '-sd_admin_password' XXXXXXXX '-clone_start_tls' 'true' '-clone_uri' 'https://ipa01.ix.test.com:443'' returned non-zero exit status 255
creation of replica failed: Configuration of CA failed

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Running ipa-ca-install on a IPv6 enabled host is even worse off:

root        : DEBUG    stderr=gpg: WARNING: unsafe permissions on homedir `/tmp/tmpQ_4Prsipa/ipa-oymjll/.gnupg'
gpg: keyring `/tmp/tmpQ_4Prsipa/ipa-oymjll/.gnupg/secring.gpg' created
gpg: keyring `/tmp/tmpQ_4Prsipa/ipa-oymjll/.gnupg/pubring.gpg' created
gpg: CAST5 encrypted data
gpg: encrypted with 1 passphrase
gpg: WARNING: message was not integrity protected

root        : DEBUG    args=tar xf /tmp/tmpQ_4Prsipa/files.tar -C /tmp/tmpQ_4Prsipa
root        : DEBUG    stdout=
root        : DEBUG    stderr=
creation of replica failed: The network address 2001:db8:abab:2::21 does not match the DNS lookup 192.168.1.21. Check /etc/hosts and ensure that 2001:db8:abab:2::21 is the IP address for ipa02.ix.test.com
root        : DEBUG    The network address 2001:db8:abab:2::21 does not match the DNS lookup 192.168.1.21. Check /etc/hosts and ensure that 2001:db8:abab:2::21 is the IP address for ipa02.ix.test.com
  File "/usr/sbin/ipa-ca-install", line 156, in <module>
    main()
  File "/usr/sbin/ipa-ca-install", line 121, in main
    host = get_host_name(options.no_host_dns)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 540, in get_host_name
    verify_fqdn(hostname, no_host_dns)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 201, in verify_fqdn
    verify_dns_records(host_name, rs, resaddr, 'ipv6')
  File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 113, in verify_dns_records
    raise RuntimeError("The network address %s does not match the DNS lookup %s. Check /etc/hosts and ensure that %s is the IP address for %s" % (dns_addr.format(), resaddr, dns_addr.format(), host_name))

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Both A and AAAA records are configured for both hosts, as well as ipv4 and ipv6 reverse addresses. All addresses, forward and reverse, are resolvable from both IPA hosts.

As a sidenote: The ipa-replica-install script works successfully on the IPv6 enabled hosts, and I use IPv6 from Linux and Solaris clients for LDAPS and kerberos without any issues.

Regards,
Siggi

From Steven.Jones at vuw.ac.nz Sun Nov 27 19:11:59 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Sun, 27 Nov 2011 19:11:59 +0000
Subject: [Freeipa-users] HBAC rules not working
In-Reply-To: <20111125043701.GA7033@hendrix.redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E404C40677D@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E404C4067A9@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E404C4067DA@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E404C4067F4@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E404C406807@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E404C406819@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E404C406827@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E404C40683B@STAWINCOX10MBX1.staff.vuw.ac.nz>, <20111125043701.GA7033@hendrix.redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404C41DC1B@STAWINCOX10MBX4.staff.vuw.ac.nz>

Hi,

sssd is 1.5.1.52, but it's what ships in RHEL6.2beta.

I assume I have to wait 2 weeks for 6.2 GA? Mega annoying if so....I have a $1.5million bluearc toy :D arriving this week to connect to it... :(

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Jakub Hrozek [jhrozek at redhat.com]
Sent: Friday, 25 November 2011 5:37 p.m.
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] HBAC rules not working

On Thu, Nov 24, 2011 at 01:41:30AM +0000, Steven Jones wrote:
> When I add a host to the hbac rule and not a host group I can login....
>
> Something is wrong with the host group(s).....damned if I can see what.
>
> regards
>
> Steven Jones
>

Which SSSD version is that? There was a bug (#741751) in the HBAC host group processing that got fixed in sssd-1.5.1-53

From ondrejv at s3group.com Wed Nov 23 07:44:05 2011
From: ondrejv at s3group.com (ondrejv at s3group.com)
Date: Wed, 23 Nov 2011 07:44:05 -0000 (UTC)
Subject: [Freeipa-users] Automount kerberos errors
In-Reply-To: <4ECBFBFC.2030500@nixtra.com>
References: <4ECBFBFC.2030500@nixtra.com>
Message-ID: <49437.212.24.152.82.1322034245.squirrel@webmail.s3group.com>

I have to say I am experiencing a similar behaviour - it does not seem to affect the functionality though.
I also expect you have something like this in /etc/nsswitch.conf:

automount: files sss ldap

So it is obvious that sss is no option there yet but it should work with ldap though.
If this issue is not critical to you, I would recommend you wait until we add automount support to sssd - I guess no one would use the ldap autofs backend after that....

Ondrej

> Hi,
>
> I have configured automount to use the hosts' kerberos keytab to speak
> GSSAPI with the IPA server, using the following as
> /etc/autofs_ldap_auth.conf:
>
> <autofs_ldap_sasl_conf
>         usetls="no"
>         tlsrequired="no"
>         authrequired="autodetect"
>         authtype="GSSAPI"
>         clientprinc="host/redhat5.ix.test.com at IX.TEST.COM"
> />
>
> I get the following error messages in the log, once a day. It seems like
> the ticket expires before it's renewed. Has anyone else seen this? Or
> perhaps I should file a bug report on the automounter? I don't get this
> error message on Red Hat 6 clients.
>
> I also get the error where automount says sss is not a supported
> automount source, even though the ipa-client-install script configured
> nsswitch to look up automount in sss. I get this error message on both
> Red Hat 5 and Red Hat 6 machines. What's going on?
>
> Nov 20 15:49:15 redhat5 automount[26234]: ignored unsupported autofs nsswitch source "sss"
> Nov 20 15:49:15 redhat5 automount[26234]: sasl_log_func:100: No worthy mechs found
> Nov 20 15:49:15 redhat5 automount[26234]: sasl_log_func:100: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
> Nov 20 16:05:33 redhat5 automount[26234]: ignored unsupported autofs nsswitch source "sss"
> Nov 20 16:05:33 redhat5 automount[26234]: sasl_log_func:100: No worthy mechs found
> Nov 20 16:05:33 redhat5 automount[26234]: sasl_log_func:100: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
> Nov 20 16:20:17 redhat5 automount[26234]: ignored unsupported autofs nsswitch source "sss"
> Nov 20 16:20:17 redhat5 automount[26234]: sasl_log_func:100: No worthy mechs found
> Nov 20 16:20:18 redhat5 automount[26234]: sasl_log_func:100: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
> Nov 20 16:43:44 redhat5 automount[26234]: ignored unsupported autofs nsswitch source "sss"
> Nov 20 16:43:44 redhat5 automount[26234]: sasl_log_func:100: No worthy mechs found
> Nov 20 16:43:44 redhat5 automount[26234]: sasl_log_func:100: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
> Nov 20 20:13:28 redhat5 automount[26234]: sasl_log_func:100: No worthy mechs found
> Nov 20 20:13:28 redhat5 automount[26234]: sasl_log_func:100: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
> Nov 21 22:01:47 redhat5 automount[26234]: sasl_log_func:100: No worthy mechs found
> Nov 21 22:01:48 redhat5 automount[26234]: sasl_log_func:100: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
> Nov 21 22:51:57 redhat5 automount[26234]: sasl_log_func:100: No worthy mechs found
> Nov 21 22:51:58 redhat5 automount[26234]: sasl_log_func:100: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
> Nov 21 23:14:30 redhat5 automount[26234]: sasl_log_func:100: No worthy mechs found
> Nov 21 23:14:30 redhat5 automount[26234]: sasl_log_func:100: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
> Nov 22 20:36:34 redhat5 automount[26234]: sasl_log_func:100: No worthy mechs found
> Nov 22 20:36:34 redhat5 automount[26234]: sasl_log_func:100: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
>
> Rgds,
> Siggi
>

The information contained in this e-mail and in any attachments is confidential and is designated solely for the attention of the intended recipient(s). If you are not an intended recipient, you must not use, disclose, copy, distribute or retain this e-mail or any part thereof. If you have received this e-mail in error, please notify the sender by return e-mail and delete all copies of this e-mail from your computer system(s). Please direct any additional queries to: communications at s3group.com. Thank You. Silicon and Software Systems Limited (S3 Group). Registered in Ireland no. 378073. Registered Office: South County Business Park, Leopardstown, Dublin 18

From simo at redhat.com Mon Nov 28 14:11:48 2011
From: simo at redhat.com (Simo Sorce)
Date: Mon, 28 Nov 2011 09:11:48 -0500
Subject: [Freeipa-users] Replica and CA mess
In-Reply-To: <4ED278FE.2010705@nixtra.com>
References: <4ED278FE.2010705@nixtra.com>
Message-ID: <1322489508.2613.10.camel@willson.li.ssimo.org>

On Sun, 2011-11-27 at 18:53 +0100, Sigbjorn Lie wrote:
> Perhaps an opportunity for improvements here? My suggestions:
>
> * First off, add to the documentation to remove the replica on
> another
> IPA server before uninstalling the IPA replica?

We should probably do this, can you open a doc bug ?

> * Why not automatically delete the replication agreement when
> uninstalling the replica?

We haven't done this so far as it requires admin or DM credentials to do so.

> * Where did the CA instance go? I see nothing in the documentation
> about
> this, but I found a ipa-ca-install command.

The CA component is always optional on replicas. You do not necessarily want to have a CA replica in every single FreeIPA replica. Usually a few CA instances (perhaps one or two per geography) will suffice.

So you should either pass --setup-ca at ipa-replica-install time or call ipa-ca-install later.

> ipa-ca-install yielded the
> error below.

I will let Adam chime in on the errors, they should not happen of course.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com Mon Nov 28 14:26:15 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 28 Nov 2011 09:26:15 -0500
Subject: [Freeipa-users] Replica and CA mess
In-Reply-To: <4ED278FE.2010705@nixtra.com>
References: <4ED278FE.2010705@nixtra.com>
Message-ID: <4ED39A07.1090006@redhat.com>

Sigbjorn Lie wrote:
> I had an odd performing IPA replica server, it had no knowledge to any
> other services besides dirsrv, DNS and CA, lots of GSSAPI errors in the
> dirsrv logs, etc, so I decided to re-configure the IPA replica.
> > # ipactl status > Directory Service: RUNNING > DNS Service: RUNNING > CA Service: RUNNING > > > I removed the IPA instance on the host as per the document below. > > http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6-Beta/html/Identity_Management_Guide/Uninstalling_IPA_Servers.html > > > > I prepared a new replica package for the host using ipa-replica-prepare > on ipa01. And started ipa-replica-install on ipa03. This gave unexpected > results. > > # ipa-replica-install --setup-dns --forwarder=192.168.1.1 > --forwarder=192.168.1.2 /var/lib/ipa/replica-info-ipa03.ix.test.com.gpg > Directory Manager (existing master) password: > > Run connection check to master > Check connection from replica to remote master 'ipa01.ix.test.com': > Directory Service: Unsecure port (389): OK > Directory Service: Secure port (636): OK > Kerberos KDC: TCP (88): OK > Kerberos KDC: UDP (88): OK > Kerberos Kpasswd: TCP (464): OK > Kerberos Kpasswd: UDP (464): OK > HTTP Server: port 80 (80): OK > HTTP Server: port 443(https) (443): OK > > Connection from replica to master is OK. > Start listening on required ports for remote master check > Get credentials to log in to remote master > admin at IX.TEST.COM password: > > Execute check on remote master > Check connection from master to remote replica 'ipa03.ix.test.com': > Directory Service: Unsecure port (389): OK > Directory Service: Secure port (636): OK > Kerberos KDC: TCP (88): OK > Kerberos KDC: UDP (88): OK > Kerberos Kpasswd: TCP (464): OK > Kerberos Kpasswd: UDP (464): OK > HTTP Server: port 80 (80): OK > HTTP Server: port 443(https) (443): OK > > Connection from master to replica is OK. > > Connection check OK > The host ipa03.ix.test.com already exists on the master server. 
> Depending on your configuration, you may perform the following: > > Remove the replication agreement, if any: > % ipa-replica-manage del ipa03.ix.test.com > Remove the host entry: > % ipa host-del ipa03.ix.test.com > > So I went back to ipa01 to remove the replica: > > # ipa-replica-manage del ipa03.ix.test.com > Unable to delete replica ipa03.ix.test.com: {'desc': "Can't contact LDAP > server"} > > Hm, ok, I tried to force removal. > > ]# ipa-replica-manage del -f ipa03.ix.test.com > Unable to connect to replica ipa03.ix.test.com, forcing removal > Failed to get data from 'ipa03.ix.test.com': {'desc': "Can't contact > LDAP server"} > Forcing removal on 'ipa01.ix.test.com' > Failed to get data from 'ipa02.ix.test.com': {'info': 'SASL(-1): generic > failure: GSSAPI Error: An invalid name was supplied (Cannot determine > realm for numeric host address)', 'desc': 'Local error'} > Failed to get data from 'ipa03.ix.test.com': {'desc': "Can't contact > LDAP server"} > > > Not a complete success? However I was now able to install my replica. > But I no now longer have a CA instance on the replica: > > # ipactl status > Directory Service: RUNNING > KDC Service: RUNNING > KPASSWD Service: RUNNING > DNS Service: RUNNING > HTTP Service: RUNNING > > > Perhaps an opertunity for improvements here? My suggestions: > > * First off, add to the documentation to remove the replica on another > IPA server before uninstalling the IPA replica? > * Why not automatically delete the replication agreement when > uninstalling the replica? > * Where did the CA instance go? I see nothing in the documentation about > this, but I found a ipa-ca-install command. ipa-ca-install yelded the > error below. 
Same error occour if I attempt to --setup-ca while doing > the ipa-replica-install: > > Configuring certificate server: Estimated time 3 minutes 30 seconds > [1/11]: creating certificate server user > [2/11]: creating pki-ca instance > [3/11]: configuring certificate server instance > root : CRITICAL failed to configure ca instance Command '/usr/bin/perl > /usr/bin/pkisilent 'ConfigureCA' '-cs_hostname' 'ipa03.ix.test.com' > '-cs_port' '9445' '-client_certdb_dir' '/tmp/tmp-GyGkkW' > '-client_certdb_pwd' XXXXXXXX '-preop_pin' 'BZiIPv9BeXIPIKs7hJrv' > '-domain_name' 'IPA' '-admin_user' 'admin' '-admin_email' > 'root at localhost' '-admin_password' XXXXXXXX '-agent_name' 'ipa-ca-agent' > '-agent_key_size' '2048' '-agent_key_type' 'rsa' '-agent_cert_subject' > 'CN=ipa-ca-agent,O=IX.TEST.COM' '-ldap_host' 'ipa03.ix.test.com' > '-ldap_port' '7389' '-bind_dn' 'cn=Directory Manager' '-bind_password' > XXXXXXXX '-base_dn' 'o=ipaca' '-db_name' 'ipaca' '-key_size' '2048' > '-key_type' 'rsa' '-key_algorithm' 'SHA256withRSA' '-save_p12' 'true' > '-backup_pwd' XXXXXXXX '-subsystem_name' 'pki-cad' '-token_name' > 'internal' '-ca_subsystem_cert_subject_name' 'CN=CA > Subsystem,O=IX.TEST.COM' '-ca_ocsp_cert_subject_name' 'CN=OCSP > Subsystem,O=IX.TEST.COM' '-ca_server_cert_subject_name' > 'CN=ipa03.ix.test.com,O=IX.TEST.COM' > '-ca_audit_signing_cert_subject_name' 'CN=CA Audit,O=IX.TEST.COM' > '-ca_sign_cert_subject_name' 'CN=Certificate Authority,O=IX.TEST.COM' > '-external' 'false' '-clone' 'true' '-clone_p12_file' 'ca.p12' > '-clone_p12_password' XXXXXXXX '-sd_hostname' 'ipa01.ix.test.com' > '-sd_admin_port' '443' '-sd_admin_name' 'admin' '-sd_admin_password' > XXXXXXXX '-clone_start_tls' 'true' '-clone_uri' > 'https://ipa01.ix.test.com:443'' returned non-zero exit status 255 > creation of replica failed: Configuration of CA failed More details on the install failure may be in /var/log/ipareplica-ca-install.log and /var/log/pki-ca/debug. 
I wonder if they are related to the DNS errors you are seeing. > > Your system may be partly configured. > Run /usr/sbin/ipa-server-install --uninstall to clean up. > > > Running ipa-ca-install on a IPv6 enabled host is even worse off: > > root : DEBUG stderr=gpg: WARNING: unsafe permissions on homedir > `/tmp/tmpQ_4Prsipa/ipa-oymjll/.gnupg' > gpg: keyring `/tmp/tmpQ_4Prsipa/ipa-oymjll/.gnupg/secring.gpg' created > gpg: keyring `/tmp/tmpQ_4Prsipa/ipa-oymjll/.gnupg/pubring.gpg' created > gpg: CAST5 encrypted data > gpg: encrypted with 1 passphrase > gpg: WARNING: message was not integrity protected > > root : DEBUG args=tar xf /tmp/tmpQ_4Prsipa/files.tar -C /tmp/tmpQ_4Prsipa > root : DEBUG stdout= > root : DEBUG stderr= > creation of replica failed: The network address 2001:db8:abab:2::21 does > not match the DNS lookup 192.168.1.21. Check /etc/hosts and ensure that > 2001:db8:abab:2::21 is the IP address for ipa02.ix.test.com > root : DEBUG The network address 2001:db8:abab:2::21 does not match the > DNS lookup 192.168.1.21. Check /etc/hosts and ensure that > 2001:db8:abab:2::21 is the IP address for ipa02.ix.test.com > File "/usr/sbin/ipa-ca-install", line 156, in Are these IPs pointing to the right hostnames? rob From sigbjorn at nixtra.com Mon Nov 28 18:02:47 2011 From: sigbjorn at nixtra.com (Sigbjorn Lie) Date: Mon, 28 Nov 2011 19:02:47 +0100 Subject: [Freeipa-users] Replica and CA mess In-Reply-To: <4ED39A07.1090006@redhat.com> References: <4ED278FE.2010705@nixtra.com> <4ED39A07.1090006@redhat.com> Message-ID: <4ED3CCC7.6020905@nixtra.com> >> * Where did the CA instance go? I see nothing in the documentation about >> this, but I found a ipa-ca-install command. ipa-ca-install yelded the >> error below. 
Same error occurs if I attempt to --setup-ca while doing >> the ipa-replica-install: >> >> Configuring certificate server: Estimated time 3 minutes 30 seconds >> [1/11]: creating certificate server user >> [2/11]: creating pki-ca instance >> [3/11]: configuring certificate server instance >> root : CRITICAL failed to configure ca instance Command '/usr/bin/perl >> /usr/bin/pkisilent 'ConfigureCA' '-cs_hostname' 'ipa03.ix.test.com' >> '-cs_port' '9445' '-client_certdb_dir' '/tmp/tmp-GyGkkW' >> '-client_certdb_pwd' XXXXXXXX '-preop_pin' 'BZiIPv9BeXIPIKs7hJrv' >> '-domain_name' 'IPA' '-admin_user' 'admin' '-admin_email' >> 'root at localhost' '-admin_password' XXXXXXXX '-agent_name' 'ipa-ca-agent' >> '-agent_key_size' '2048' '-agent_key_type' 'rsa' '-agent_cert_subject' >> 'CN=ipa-ca-agent,O=IX.TEST.COM' '-ldap_host' 'ipa03.ix.test.com' >> '-ldap_port' '7389' '-bind_dn' 'cn=Directory Manager' '-bind_password' >> XXXXXXXX '-base_dn' 'o=ipaca' '-db_name' 'ipaca' '-key_size' '2048' >> '-key_type' 'rsa' '-key_algorithm' 'SHA256withRSA' '-save_p12' 'true' >> '-backup_pwd' XXXXXXXX '-subsystem_name' 'pki-cad' '-token_name' >> 'internal' '-ca_subsystem_cert_subject_name' 'CN=CA >> Subsystem,O=IX.TEST.COM' '-ca_ocsp_cert_subject_name' 'CN=OCSP >> Subsystem,O=IX.TEST.COM' '-ca_server_cert_subject_name' >> 'CN=ipa03.ix.test.com,O=IX.TEST.COM' >> '-ca_audit_signing_cert_subject_name' 'CN=CA Audit,O=IX.TEST.COM' >> '-ca_sign_cert_subject_name' 'CN=Certificate Authority,O=IX.TEST.COM' >> '-external' 'false' '-clone' 'true' '-clone_p12_file' 'ca.p12' >> '-clone_p12_password' XXXXXXXX '-sd_hostname' 'ipa01.ix.test.com' >> '-sd_admin_port' '443' '-sd_admin_name' 'admin' '-sd_admin_password' >> XXXXXXXX '-clone_start_tls' 'true' '-clone_uri' >> 'https://ipa01.ix.test.com:443'' returned non-zero exit status 255 >> creation of replica failed: Configuration of CA failed > > More details on the install failure may be in > /var/log/ipareplica-ca-install.log and /var/log/pki-ca/debug.
I wonder > if they are related to the DNS errors you are seeing. I'll send you these in private. > >> >> Your system may be partly configured. >> Run /usr/sbin/ipa-server-install --uninstall to clean up. >> >> >> Running ipa-ca-install on an IPv6-enabled host is even worse off: >> >> root : DEBUG stderr=gpg: WARNING: unsafe permissions on homedir >> `/tmp/tmpQ_4Prsipa/ipa-oymjll/.gnupg' >> gpg: keyring `/tmp/tmpQ_4Prsipa/ipa-oymjll/.gnupg/secring.gpg' created >> gpg: keyring `/tmp/tmpQ_4Prsipa/ipa-oymjll/.gnupg/pubring.gpg' created >> gpg: CAST5 encrypted data >> gpg: encrypted with 1 passphrase >> gpg: WARNING: message was not integrity protected >> >> root : DEBUG args=tar xf /tmp/tmpQ_4Prsipa/files.tar -C >> /tmp/tmpQ_4Prsipa >> root : DEBUG stdout= >> root : DEBUG stderr= >> creation of replica failed: The network address 2001:db8:abab:2::21 does >> not match the DNS lookup 192.168.1.21. Check /etc/hosts and ensure that >> 2001:db8:abab:2::21 is the IP address for ipa02.ix.test.com >> root : DEBUG The network address 2001:db8:abab:2::21 does not match the >> DNS lookup 192.168.1.21. Check /etc/hosts and ensure that >> 2001:db8:abab:2::21 is the IP address for ipa02.ix.test.com >> File "/usr/sbin/ipa-ca-install", line 156, in > > Are these IPs pointing to the right hostnames? I posted scrambled IPs to the list, but they are configured correctly, yes. And they work for any other traffic. Rgds, Siggi From sigbjorn at nixtra.com Mon Nov 28 17:54:23 2011 From: sigbjorn at nixtra.com (Sigbjorn Lie) Date: Mon, 28 Nov 2011 18:54:23 +0100 Subject: [Freeipa-users] Replica and CA mess In-Reply-To: <1322489508.2613.10.camel@willson.li.ssimo.org> References: <4ED278FE.2010705@nixtra.com> <1322489508.2613.10.camel@willson.li.ssimo.org> Message-ID: <4ED3CACF.1080208@nixtra.com> On 11/28/2011 03:11 PM, Simo Sorce wrote: > On Sun, 2011-11-27 at 18:53 +0100, Sigbjorn Lie wrote: >> Perhaps an opportunity for improvements here?
My suggestions: >> >> * First off, add to the documentation to remove the replica on >> another >> IPA server before uninstalling the IPA replica? > We should probably do this, can you open a doc bug? > Ok. https://bugzilla.redhat.com/show_bug.cgi?id=757798 From sigbjorn at nixtra.com Mon Nov 28 18:23:27 2011 From: sigbjorn at nixtra.com (Sigbjorn Lie) Date: Mon, 28 Nov 2011 19:23:27 +0100 Subject: [Freeipa-users] Replica and CA mess In-Reply-To: <4ED39A07.1090006@redhat.com> References: <4ED278FE.2010705@nixtra.com> <4ED39A07.1090006@redhat.com> Message-ID: <4ED3D19F.6040409@nixtra.com> >> root : DEBUG args=tar xf /tmp/tmpQ_4Prsipa/files.tar -C >> /tmp/tmpQ_4Prsipa >> root : DEBUG stdout= >> root : DEBUG stderr= >> creation of replica failed: The network address 2001:db8:abab:2::21 does >> not match the DNS lookup 192.168.1.21. Check /etc/hosts and ensure that >> 2001:db8:abab:2::21 is the IP address for ipa02.ix.test.com >> root : DEBUG The network address 2001:db8:abab:2::21 does not match the >> DNS lookup 192.168.1.21. Check /etc/hosts and ensure that >> 2001:db8:abab:2::21 is the IP address for ipa02.ix.test.com >> File "/usr/sbin/ipa-ca-install", line 156, in > > Are these IPs pointing to the right hostnames? > Sidenote: The "ipa-repl-conncheck --replica=" script fails when IPv6 addresses are listed as name servers in /etc/resolv.conf, which is the default configuration of resolv.conf after running ipa-replica-install on a host with an IPv6 global address. Port 464 fails when both the master and the replica have IPv6 enabled:
Directory Service: Unsecure port (389): OK
Directory Service: Secure port (636): OK
Kerberos KDC: TCP (88): OK
Kerberos KDC: UDP (88): OK
Kerberos Kpasswd: TCP (464): FAILED
Kerberos Kpasswd: UDP (464): OK
HTTP Server: port 80 (80): OK
HTTP Server: port 443(https) (443): OK
All ports except 389 fail when the master is IPv6 enabled, but the replica is only IPv4 enabled:
Directory Service: Unsecure port (389): OK
Directory Service: Secure port (636): FAILED
Kerberos KDC: TCP (88): FAILED
Kerberos KDC: UDP (88): FAILED
Kerberos Kpasswd: TCP (464): FAILED
Kerberos Kpasswd: UDP (464): FAILED
HTTP Server: port 80 (80): FAILED
HTTP Server: port 443(https) (443): FAILED
Switching to IPv4-only addresses in resolv.conf resolves the issue. From Steven.Jones at vuw.ac.nz Mon Nov 28 21:16:30 2011 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Mon, 28 Nov 2011 21:16:30 +0000 Subject: [Freeipa-users] Some feature requests Message-ID: <833D8E48405E064EBC54C84EC6B36E404C4284ED@STAWINCOX10MBX4.staff.vuw.ac.nz> Hi, a) Auto setup in RH satellite to allow auto joining to freeIPA from a baremetal kickstart. b) Setup/config (info etc) to allow a gluster system to join to IPA. Since these are all RH...shouldn't be too hard. ;] regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 From ayoung at redhat.com Mon Nov 28 21:32:03 2011 From: ayoung at redhat.com (Adam Young) Date: Mon, 28 Nov 2011 16:32:03 -0500 Subject: [Freeipa-users] Some feature requests In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404C4284ED@STAWINCOX10MBX4.staff.vuw.ac.nz> References: <833D8E48405E064EBC54C84EC6B36E404C4284ED@STAWINCOX10MBX4.staff.vuw.ac.nz> Message-ID: <4ED3FDD3.6090809@redhat.com> On 11/28/2011 04:16 PM, Steven Jones wrote: > Hi, > > a) Auto setup in RH satellite to allow auto joining to freeIPA from a baremetal kickstart. That is a Satellite, not FreeIPA, request. > > b) Setup/config (info etc) to allow a gluster system to join to IPA. What would a gluster system require that we do not already provide? > > Since these are all RH...shouldn't be too hard.
> > ;] > > regards > > Steven Jones > > Technical Specialist - Linux RHCE > > Victoria University, Wellington, NZ > > 0064 4 463 6272 > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users From Steven.Jones at vuw.ac.nz Mon Nov 28 21:36:27 2011 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Mon, 28 Nov 2011 21:36:27 +0000 Subject: [Freeipa-users] Some feature requests In-Reply-To: <4ED3FDD3.6090809@redhat.com> References: <833D8E48405E064EBC54C84EC6B36E404C4284ED@STAWINCOX10MBX4.staff.vuw.ac.nz>, <4ED3FDD3.6090809@redhat.com> Message-ID: <833D8E48405E064EBC54C84EC6B36E404C428565@STAWINCOX10MBX4.staff.vuw.ac.nz> I can't see anything in the gluster admin guide on connecting it to an IPA setup... regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 ________________________________________ From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Adam Young [ayoung at redhat.com] Sent: Tuesday, 29 November 2011 10:32 a.m. To: freeipa-users at redhat.com Subject: Re: [Freeipa-users] Some feature requests On 11/28/2011 04:16 PM, Steven Jones wrote: > Hi, > > a) Auto setup in RH satellite to allow auto joining to freeIPA from a baremetal kickstart. That is a Satellite, not FreeIPA, request. > > b) Setup/config (info etc) to allow a gluster system to join to IPA. What would a gluster system require that we do not already provide? > > Since these are all RH...shouldn't be too hard.
> > ;] > > regards > > Steven Jones > > Technical Specialist - Linux RHCE > > Victoria University, Wellington, NZ > > 0064 4 463 6272 > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users _______________________________________________ Freeipa-users mailing list Freeipa-users at redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users From freeipa at noboost.org Tue Nov 29 00:52:25 2011 From: freeipa at noboost.org (Craig T) Date: Tue, 29 Nov 2011 11:52:25 +1100 Subject: [Freeipa-users] ipa-client stall on "args=getent passwd admin" Message-ID: <20111129005225.GA20808@noboost.org> Hi, I was getting a lot of errors with the default ipa-client for Centos 6.0, so I've upgraded Centos 6 to use the RHEL6.2 RPMS for IPA (now version 2.1.1). I get a lot further, but seems to stall right at the end of the ipa-client-install command. Current Spec; Server: RHEL 6.2 Beta ipa-admintools-2.1.1-4.el6.x86_64 ipa-client-2.1.1-4.el6.x86_64 ipa-pki-ca-theme-9.0.3-7.el6.noarch ipa-pki-common-theme-9.0.3-7.el6.noarch ipa-python-2.1.1-4.el6.x86_64 ipa-server-2.1.1-4.el6.x86_64 ipa-server-selinux-2.1.1-4.el6.x86_64 Client: Centos 6.0 x64 ipa-client-2.1.1-4.el6.x86_64 Just an odd error during the "ipa-client-install" command, the installer seems to pause on kerberos; [root at server-centos-6 ~]# ipa-client-install Discovery was successful! Hostname: server-centos-6.example.com Realm: example.com DNS Domain: example.com IPA Server: server-389.example.com BaseDN: dc=example,dc=com Continue to configure the system with these values? 
[no]: yes User authorized to enroll computers: admin Password for admin at example.com: Enrolled in IPA realm example.com Created /etc/ipa/default.conf Configured /etc/sssd/sssd.conf Configured /etc/krb5.conf for IPA realm example.com SSSD enabled Kerberos 5 enabled When run in debug mode it shows this; Kerberos 5 enabled root : DEBUG args=getent passwd admin root : DEBUG stdout= root : DEBUG stderr= root : DEBUG args=getent passwd admin root : DEBUG stdout= root : DEBUG stderr= root : DEBUG args=getent passwd admin root : DEBUG stdout= root : DEBUG stderr= root : DEBUG args=getent passwd admin root : DEBUG stdout= root : DEBUG stderr= Advice anyone? Cya Craig From sigbjorn at nixtra.com Tue Nov 29 11:23:52 2011 From: sigbjorn at nixtra.com (Sigbjorn Lie) Date: Tue, 29 Nov 2011 12:23:52 +0100 (CET) Subject: [Freeipa-users] ipa-client stall on 'args=getent passwd admin' In-Reply-To: <20111129005225.GA20808@noboost.org> References: <20111129005225.GA20808@noboost.org> Message-ID: <57502.213.225.75.97.1322565832.squirrel@www.nixtra.com> On Tue, November 29, 2011 01:52, Craig T wrote: > Hi, > > > I was getting a lot of errors with the default ipa-client for Centos 6.0, so I've upgraded Centos > 6 to use the RHEL6.2 RPMS for IPA (now version 2.1.1). I get a lot further, but seems to stall > right at the end of the ipa-client-install command. > > Current Spec; > Server: > RHEL 6.2 Beta > ipa-admintools-2.1.1-4.el6.x86_64 ipa-client-2.1.1-4.el6.x86_64 ipa-pki-ca-theme-9.0.3-7.el6.noarch > ipa-pki-common-theme-9.0.3-7.el6.noarch ipa-python-2.1.1-4.el6.x86_64 ipa-server-2.1.1-4.el6.x86_64 > ipa-server-selinux-2.1.1-4.el6.x86_64 > > Client: > Centos 6.0 x64 > ipa-client-2.1.1-4.el6.x86_64 > > > Just an odd error during the "ipa-client-install" command, the installer seems to pause on > kerberos; [root at server-centos-6 ~]# ipa-client-install > Discovery was successful! 
> Hostname: server-centos-6.example.com > Realm: example.com > DNS Domain: example.com > IPA Server: server-389.example.com > BaseDN: dc=example,dc=com > > > > Continue to configure the system with these values? [no]: yes > User authorized to enroll computers: admin > Password for admin at example.com: > > > Enrolled in IPA realm example.com > Created /etc/ipa/default.conf > Configured /etc/sssd/sssd.conf > Configured /etc/krb5.conf for IPA realm example.com > SSSD enabled > Kerberos 5 enabled > > > > When run in debug mode it shows this; > Kerberos 5 enabled > root : DEBUG args=getent passwd admin root : DEBUG stdout= root : DEBUG > stderr= root : DEBUG args=getent passwd admin root : DEBUG stdout= root : > DEBUG stderr= > root : DEBUG args=getent passwd admin root : DEBUG stdout= root : DEBUG > stderr= root : DEBUG args=getent passwd admin root : DEBUG stdout= root : > DEBUG stderr= > > > > Advice anyone? > > I found CentOS to be too far behind, so I started using Scientific Linux 6.1 with the latest packages from RHEL 6.2 beta for clients instead. I found the IPA server was easiest to test using Fedora 15. For production, wait for RHEL 6.2. It's not far away now. :) Regards, Siggi From freeipa at noboost.org Tue Nov 29 12:00:28 2011 From: freeipa at noboost.org (Craig T) Date: Tue, 29 Nov 2011 23:00:28 +1100 Subject: [Freeipa-users] ipa-client stall on 'args=getent passwd admin' In-Reply-To: <57502.213.225.75.97.1322565832.squirrel@www.nixtra.com> References: <20111129005225.GA20808@noboost.org> <57502.213.225.75.97.1322565832.squirrel@www.nixtra.com> Message-ID: <20111129120027.GA21495@noboost.org> I can really see how you came to that conclusion. I'm not sure if I'll get the luxury of choice, due to the servers in our environment. CentOS 6.1 could be updated enough, so we might just have to wait for that.
cya Craig On Tue, Nov 29, 2011 at 12:23:52PM +0100, Sigbjorn Lie wrote: > On Tue, November 29, 2011 01:52, Craig T wrote: > > Hi, > > > > > > I was getting a lot of errors with the default ipa-client for Centos 6.0, so I've upgraded Centos > > 6 to use the RHEL6.2 RPMS for IPA (now version 2.1.1). I get a lot further, but seems to stall > > right at the end of the ipa-client-install command. > > > > Current Spec; > > Server: > > RHEL 6.2 Beta > > ipa-admintools-2.1.1-4.el6.x86_64 ipa-client-2.1.1-4.el6.x86_64 ipa-pki-ca-theme-9.0.3-7.el6.noarch > > ipa-pki-common-theme-9.0.3-7.el6.noarch ipa-python-2.1.1-4.el6.x86_64 ipa-server-2.1.1-4.el6.x86_64 > > ipa-server-selinux-2.1.1-4.el6.x86_64 > > > > Client: > > Centos 6.0 x64 > > ipa-client-2.1.1-4.el6.x86_64 > > > > > > Just an odd error during the "ipa-client-install" command, the installer seems to pause on > > kerberos; [root at server-centos-6 ~]# ipa-client-install > > Discovery was successful! > > Hostname: server-centos-6.example.com > > Realm: example.com > > DNS Domain: example.com > > IPA Server: server-389.example.com > > BaseDN: dc=example,dc=com > > > > > > > > Continue to configure the system with these values? [no]: yes > > User authorized to enroll computers: admin > > Password for admin at example.com: > > > > > > Enrolled in IPA realm example.com > > Created /etc/ipa/default.conf > > Configured /etc/sssd/sssd.conf > > Configured /etc/krb5.conf for IPA realm example.com > > SSSD enabled > > Kerberos 5 enabled > > > > > > > > When run in debug mode it shows this; > > Kerberos 5 enabled > > root : DEBUG args=getent passwd admin root : DEBUG stdout= root : DEBUG > > stderr= root : DEBUG args=getent passwd admin root : DEBUG stdout= root > : > > DEBUG stderr= > > root : DEBUG args=getent passwd admin root : DEBUG stdout= root : DEBUG > > stderr= root : DEBUG args=getent passwd admin root : DEBUG stdout= root > : > > DEBUG stderr= > > > > > > > > Advice anyone? 
> > > > > > I found CentOS to be too far behind, so I started using Scientific Linux 6.1 with latest packages > from RHEL 6.2 beta for clients instead. > > I found the IPA server was easiest to test using Fedora 15. > > For production, wait for RHEL 6.2. It's not far away now. :) > > > Regards, > Siggi > > From rcritten at redhat.com Tue Nov 29 15:01:52 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 29 Nov 2011 10:01:52 -0500 Subject: [Freeipa-users] ipa-client stall on 'args=getent passwd admin' In-Reply-To: <20111129120027.GA21495@noboost.org> References: <20111129005225.GA20808@noboost.org> <57502.213.225.75.97.1322565832.squirrel@www.nixtra.com> <20111129120027.GA21495@noboost.org> Message-ID: <4ED4F3E0.2060709@redhat.com> Craig T wrote: > I can really see how you came to that conclusion, I'm not sure if I'll get the luxury of choice, due to the servers in our environment. Centos 6.1 could be updated enough, so we might just have to wait for that. I would think the version you have would work fine. What it is doing is testing to be sure that nss is working as expected. It can take some time for sssd to come up, connect to the IPA server, etc, so we loop and try several times (IIRC 5 in your version) to look up a known remote user (admin). If it never does successfully get the admin user you should get an error that nss_ldap can't be configured (yeah, I know, we're using sssd. We fixed this). If you aren't getting this message and the client otherwise seems to be installing ok then things are fine. rob > > > cya > > Craig > > On Tue, Nov 29, 2011 at 12:23:52PM +0100, Sigbjorn Lie wrote: >> On Tue, November 29, 2011 01:52, Craig T wrote: >>> Hi, >>> >>> >>> I was getting a lot of errors with the default ipa-client for Centos 6.0, so I've upgraded Centos >>> 6 to use the RHEL6.2 RPMS for IPA (now version 2.1.1). I get a lot further, but seems to stall >>> right at the end of the ipa-client-install command. 
>>> >>> Current Spec; >>> Server: >>> RHEL 6.2 Beta >>> ipa-admintools-2.1.1-4.el6.x86_64 ipa-client-2.1.1-4.el6.x86_64 ipa-pki-ca-theme-9.0.3-7.el6.noarch >>> ipa-pki-common-theme-9.0.3-7.el6.noarch ipa-python-2.1.1-4.el6.x86_64 ipa-server-2.1.1-4.el6.x86_64 >>> ipa-server-selinux-2.1.1-4.el6.x86_64 >>> >>> Client: >>> Centos 6.0 x64 >>> ipa-client-2.1.1-4.el6.x86_64 >>> >>> >>> Just an odd error during the "ipa-client-install" command, the installer seems to pause on >>> kerberos; [root at server-centos-6 ~]# ipa-client-install >>> Discovery was successful! >>> Hostname: server-centos-6.example.com >>> Realm: example.com >>> DNS Domain: example.com >>> IPA Server: server-389.example.com >>> BaseDN: dc=example,dc=com >>> >>> >>> >>> Continue to configure the system with these values? [no]: yes >>> User authorized to enroll computers: admin >>> Password for admin at example.com: >>> >>> >>> Enrolled in IPA realm example.com >>> Created /etc/ipa/default.conf >>> Configured /etc/sssd/sssd.conf >>> Configured /etc/krb5.conf for IPA realm example.com >>> SSSD enabled >>> Kerberos 5 enabled >>> >>> >>> >>> When run in debug mode it shows this; >>> Kerberos 5 enabled >>> root : DEBUG args=getent passwd admin root : DEBUG stdout= root : DEBUG >>> stderr= root : DEBUG args=getent passwd admin root : DEBUG stdout= root >> : >>> DEBUG stderr= >>> root : DEBUG args=getent passwd admin root : DEBUG stdout= root : DEBUG >>> stderr= root : DEBUG args=getent passwd admin root : DEBUG stdout= root >> : >>> DEBUG stderr= >>> >>> >>> >>> Advice anyone? >>> >>> >> >> I found CentOS to be too far behind, so I started using Scientific Linux 6.1 with latest packages >> from RHEL 6.2 beta for clients instead. >> >> I found the IPA server was easiest to test using Fedora 15. >> >> For production, wait for RHEL 6.2. It's not far away now. 
:) >> >> >> Regards, >> Siggi >> >> > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users From freeipa at noboost.org Wed Nov 30 00:17:30 2011 From: freeipa at noboost.org (Craig T) Date: Wed, 30 Nov 2011 11:17:30 +1100 Subject: [Freeipa-users] ipa-client stall on 'args=getent passwd admin' In-Reply-To: <4ED4F3E0.2060709@redhat.com> References: <20111129005225.GA20808@noboost.org> <57502.213.225.75.97.1322565832.squirrel@www.nixtra.com> <20111129120027.GA21495@noboost.org> <4ED4F3E0.2060709@redhat.com> Message-ID: <20111130001730.GA23165@noboost.org> Hi, I tried letting the client install go and it does eventually finish, however SSSD_NSS queries don't work. See errors below; ---------------------------------------------------------------------- [root at chtvm-centos-6 /]# ipa-client-install Discovery was successful! Hostname: chtvm-centos-6.example.com Realm: example.com DNS Domain: example.com IPA Server: chtvm-389.example.com BaseDN: dc=example,dc=com Continue to configure the system with these values? [no]: yes User authorized to enroll computers: admin Password for admin at example.com: Enrolled in IPA realm example.com Created /etc/ipa/default.conf Configured /etc/sssd/sssd.conf Configured /etc/krb5.conf for IPA realm example.com SSSD enabled Kerberos 5 enabled Unable to find 'admin' user with 'getent passwd admin'! Recognized configuration: SSSD NTP enabled Client configuration complete. ------------------------------------------------------------------------------------------------------------------------- File: /var/log/sssd/sssd_nss.log (Wed Nov 30 10:34:16 2011) [sssd[nss]] [nss_dp_reconnect_init] (0): Could not reconnect to example.com provider. (Wed Nov 30 10:34:46 2011) [sssd[nss]] [nss_dp_reconnect_init] (0): Could not reconnect to example.com provider. 
(Wed Nov 30 10:35:16 2011) [sssd[nss]] [nss_dp_reconnect_init] (0): Could not reconnect to example.com provider. (Wed Nov 30 10:35:46 2011) [sssd[nss]] [nss_dp_reconnect_init] (0): Could not reconnect to example.com provider. ------------------------------------------------------------------------------------------------------------------------- File: /var/log/sssd/sssd_pam.log (Wed Nov 30 10:34:16 2011) [sssd[pam]] [pam_dp_reconnect_init] (0): Could not reconnect to example.com provider. (Wed Nov 30 10:34:46 2011) [sssd[pam]] [pam_dp_reconnect_init] (0): Could not reconnect to example.com provider. (Wed Nov 30 10:35:16 2011) [sssd[pam]] [pam_dp_reconnect_init] (0): Could not reconnect to example.com provider. (Wed Nov 30 10:35:46 2011) [sssd[pam]] [pam_dp_reconnect_init] (0): Could not reconnect to example.com provider. ------------------------------------------------------------------------------------------------------------------------- Debug Version: File: /var/log/sssd/sssd_nss.log (Wed Nov 30 10:47:09 2011) [sssd[nss]] [sbus_dispatch] (6): SBUS is reconnecting. Deferring. (Wed Nov 30 10:47:10 2011) [sssd[nss]] [sbus_dispatch] (9): dbus conn: 0 (Wed Nov 30 10:47:10 2011) [sssd[nss]] [sbus_dispatch] (6): SBUS is reconnecting. Deferring. (Wed Nov 30 10:47:10 2011) [sssd[nss]] [sbus_reconnect] (3): Making reconnection attempt 3 to [unix:path=/var/lib/sss/pipes/ private/sbus-dp_example.com] (Wed Nov 30 10:47:10 2011) [sssd[nss]] [sbus_reconnect] (1): Failed to open connection: name=org.freedesktop.DBus.Error. NoServer, message=Failed to connect to socket /var/lib/sss/pipes/private/sbus-dp_example.com: Connection refused (Wed Nov 30 10:47:10 2011) [sssd[nss]] [nss_dp_reconnect_init] (0): Could not reconnect to example.com provider. ------------------------------------------------------------------------------------------------------------------------- "getent passwd admin" returns no result at all. 
Regards, Craig On Tue, Nov 29, 2011 at 10:01:52AM -0500, Rob Crittenden wrote: > Craig T wrote: > >I can really see how you came to that conclusion, I'm not sure if I'll get the luxury of choice, due to the servers in our environment. Centos 6.1 could be updated enough, so we might just have to wait for that. > > I would think the version you have would work fine. > > What it is doing is testing to be sure that nss is working as > expected. It can take some time for sssd to come up, connect to the > IPA server, etc, so we loop and try several times (IIRC 5 in your > version) to look up a known remote user (admin). > > If it never does successfully get the admin user you should get an > error that nss_ldap can't be configured (yeah, I know, we're using > sssd. We fixed this). If you aren't getting this message and the > client otherwise seems to be installing ok then things are fine. > > rob > > > > > > >cya > > > >Craig > > > >On Tue, Nov 29, 2011 at 12:23:52PM +0100, Sigbjorn Lie wrote: > >>On Tue, November 29, 2011 01:52, Craig T wrote: > >>>Hi, > >>> > >>> > >>>I was getting a lot of errors with the default ipa-client for Centos 6.0, so I've upgraded Centos > >>>6 to use the RHEL6.2 RPMS for IPA (now version 2.1.1). I get a lot further, but seems to stall > >>>right at the end of the ipa-client-install command. > >>> > >>>Current Spec; > >>>Server: > >>>RHEL 6.2 Beta > >>>ipa-admintools-2.1.1-4.el6.x86_64 ipa-client-2.1.1-4.el6.x86_64 ipa-pki-ca-theme-9.0.3-7.el6.noarch > >>>ipa-pki-common-theme-9.0.3-7.el6.noarch ipa-python-2.1.1-4.el6.x86_64 ipa-server-2.1.1-4.el6.x86_64 > >>> ipa-server-selinux-2.1.1-4.el6.x86_64 > >>> > >>>Client: > >>>Centos 6.0 x64 > >>>ipa-client-2.1.1-4.el6.x86_64 > >>> > >>> > >>>Just an odd error during the "ipa-client-install" command, the installer seems to pause on > >>>kerberos; [root at server-centos-6 ~]# ipa-client-install > >>>Discovery was successful! 
> >>>Hostname: server-centos-6.example.com > >>>Realm: example.com > >>>DNS Domain: example.com > >>>IPA Server: server-389.example.com > >>>BaseDN: dc=example,dc=com > >>> > >>> > >>> > >>>Continue to configure the system with these values? [no]: yes > >>>User authorized to enroll computers: admin > >>>Password for admin at example.com: > >>> > >>> > >>>Enrolled in IPA realm example.com > >>>Created /etc/ipa/default.conf > >>>Configured /etc/sssd/sssd.conf > >>>Configured /etc/krb5.conf for IPA realm example.com > >>>SSSD enabled > >>>Kerberos 5 enabled > >>> > >>> > >>> > >>>When run in debug mode it shows this; > >>>Kerberos 5 enabled > >>>root : DEBUG args=getent passwd admin root : DEBUG stdout= root : DEBUG > >>>stderr= root : DEBUG args=getent passwd admin root : DEBUG stdout= root > >> : > >>>DEBUG stderr= > >>>root : DEBUG args=getent passwd admin root : DEBUG stdout= root : DEBUG > >>>stderr= root : DEBUG args=getent passwd admin root : DEBUG stdout= root > >> : > >>>DEBUG stderr= > >>> > >>> > >>> > >>>Advice anyone? > >>> > >>> > >> > >>I found CentOS to be too far behind, so I started using Scientific Linux 6.1 with latest packages > >>from RHEL 6.2 beta for clients instead. > >> > >>I found the IPA server was easiest to test using Fedora 15. > >> > >>For production, wait for RHEL 6.2. It's not far away now. 
:) > >> > >> > >>Regards, > >>Siggi > >> > >> > > > >_______________________________________________ > >Freeipa-users mailing list > >Freeipa-users at redhat.com > >https://www.redhat.com/mailman/listinfo/freeipa-users > From rcritten at redhat.com Wed Nov 30 02:43:55 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 29 Nov 2011 21:43:55 -0500 Subject: [Freeipa-users] ipa-client stall on 'args=getent passwd admin' In-Reply-To: <20111130001730.GA23165@noboost.org> References: <20111129005225.GA20808@noboost.org> <57502.213.225.75.97.1322565832.squirrel@www.nixtra.com> <20111129120027.GA21495@noboost.org> <4ED4F3E0.2060709@redhat.com> <20111130001730.GA23165@noboost.org> Message-ID: <4ED5986B.8030301@redhat.com> Craig T wrote: > Hi, > > I tried letting the client install go and it does eventually finish, however SSSD_NSS queries don't work. > See errors below; > > ---------------------------------------------------------------------- > [root at chtvm-centos-6 /]# ipa-client-install > Discovery was successful! > Hostname: chtvm-centos-6.example.com > Realm: example.com > DNS Domain: example.com > IPA Server: chtvm-389.example.com > BaseDN: dc=example,dc=com > > Continue to configure the system with these values? [no]: yes > User authorized to enroll computers: admin > Password for admin at example.com: > > Enrolled in IPA realm example.com > Created /etc/ipa/default.conf > Configured /etc/sssd/sssd.conf > Configured /etc/krb5.conf for IPA realm example.com > SSSD enabled > Kerberos 5 enabled > Unable to find 'admin' user with 'getent passwd admin'! > Recognized configuration: SSSD > NTP enabled > Client configuration complete. > > ------------------------------------------------------------------------------------------------------------------------- > File: /var/log/sssd/sssd_nss.log > (Wed Nov 30 10:34:16 2011) [sssd[nss]] [nss_dp_reconnect_init] (0): Could not reconnect to example.com provider. 
> (Wed Nov 30 10:34:46 2011) [sssd[nss]] [nss_dp_reconnect_init] (0): Could not reconnect to example.com provider. > (Wed Nov 30 10:35:16 2011) [sssd[nss]] [nss_dp_reconnect_init] (0): Could not reconnect to example.com provider. > (Wed Nov 30 10:35:46 2011) [sssd[nss]] [nss_dp_reconnect_init] (0): Could not reconnect to example.com provider. > ------------------------------------------------------------------------------------------------------------------------- > File: /var/log/sssd/sssd_pam.log > (Wed Nov 30 10:34:16 2011) [sssd[pam]] [pam_dp_reconnect_init] (0): Could not reconnect to example.com provider. > (Wed Nov 30 10:34:46 2011) [sssd[pam]] [pam_dp_reconnect_init] (0): Could not reconnect to example.com provider. > (Wed Nov 30 10:35:16 2011) [sssd[pam]] [pam_dp_reconnect_init] (0): Could not reconnect to example.com provider. > (Wed Nov 30 10:35:46 2011) [sssd[pam]] [pam_dp_reconnect_init] (0): Could not reconnect to example.com provider. > ------------------------------------------------------------------------------------------------------------------------- > Debug Version: > File: /var/log/sssd/sssd_nss.log > (Wed Nov 30 10:47:09 2011) [sssd[nss]] [sbus_dispatch] (6): SBUS is reconnecting. Deferring. > (Wed Nov 30 10:47:10 2011) [sssd[nss]] [sbus_dispatch] (9): dbus conn: 0 > (Wed Nov 30 10:47:10 2011) [sssd[nss]] [sbus_dispatch] (6): SBUS is reconnecting. Deferring. > (Wed Nov 30 10:47:10 2011) [sssd[nss]] [sbus_reconnect] (3): Making reconnection attempt 3 to [unix:path=/var/lib/sss/pipes/ private/sbus-dp_example.com] > (Wed Nov 30 10:47:10 2011) [sssd[nss]] [sbus_reconnect] (1): Failed to open connection: name=org.freedesktop.DBus.Error. NoServer, message=Failed to connect to socket /var/lib/sss/pipes/private/sbus-dp_example.com: Connection refused > (Wed Nov 30 10:47:10 2011) [sssd[nss]] [nss_dp_reconnect_init] (0): Could not reconnect to example.com provider. 
> ------------------------------------------------------------------------------------------------------------------------- Can you see if there are any SELinux AVCs (/var/log/audit/audit.log)? Is the messagebus service running? > > > "getent passwd admin" returns no result at all. That is expected if sssd can't connect. rob > > > Regards, > > Craig > > On Tue, Nov 29, 2011 at 10:01:52AM -0500, Rob Crittenden wrote: >> Craig T wrote: >>> I can really see how you came to that conclusion, I'm not sure if I'll get the luxury of choice, due to the servers in our environment. Centos 6.1 could be updated enough, so we might just have to wait for that. >> >> I would think the version you have would work fine. >> >> What it is doing is testing to be sure that nss is working as >> expected. It can take some time for sssd to come up, connect to the >> IPA server, etc, so we loop and try several times (IIRC 5 in your >> version) to look up a known remote user (admin). >> >> If it never does successfully get the admin user you should get an >> error that nss_ldap can't be configured (yeah, I know, we're using >> sssd. We fixed this). If you aren't getting this message and the >> client otherwise seems to be installing ok then things are fine. >> >> rob >> >>> >>> >>> cya >>> >>> Craig >>> >>> On Tue, Nov 29, 2011 at 12:23:52PM +0100, Sigbjorn Lie wrote: >>>> On Tue, November 29, 2011 01:52, Craig T wrote: >>>>> Hi, >>>>> >>>>> >>>>> I was getting a lot of errors with the default ipa-client for Centos 6.0, so I've upgraded Centos >>>>> 6 to use the RHEL6.2 RPMS for IPA (now version 2.1.1). I get a lot further, but seems to stall >>>>> right at the end of the ipa-client-install command. 
>>>>> >>>>> Current Spec; >>>>> Server: >>>>> RHEL 6.2 Beta >>>>> ipa-admintools-2.1.1-4.el6.x86_64 ipa-client-2.1.1-4.el6.x86_64 ipa-pki-ca-theme-9.0.3-7.el6.noarch >>>>> ipa-pki-common-theme-9.0.3-7.el6.noarch ipa-python-2.1.1-4.el6.x86_64 ipa-server-2.1.1-4.el6.x86_64 >>>>> ipa-server-selinux-2.1.1-4.el6.x86_64 >>>>> >>>>> Client: >>>>> Centos 6.0 x64 >>>>> ipa-client-2.1.1-4.el6.x86_64 >>>>> >>>>> >>>>> Just an odd error during the "ipa-client-install" command, the installer seems to pause on >>>>> kerberos; [root at server-centos-6 ~]# ipa-client-install >>>>> Discovery was successful! >>>>> Hostname: server-centos-6.example.com >>>>> Realm: example.com >>>>> DNS Domain: example.com >>>>> IPA Server: server-389.example.com >>>>> BaseDN: dc=example,dc=com >>>>> >>>>> >>>>> >>>>> Continue to configure the system with these values? [no]: yes >>>>> User authorized to enroll computers: admin >>>>> Password for admin at example.com: >>>>> >>>>> >>>>> Enrolled in IPA realm example.com >>>>> Created /etc/ipa/default.conf >>>>> Configured /etc/sssd/sssd.conf >>>>> Configured /etc/krb5.conf for IPA realm example.com >>>>> SSSD enabled >>>>> Kerberos 5 enabled >>>>> >>>>> >>>>> >>>>> When run in debug mode it shows this; >>>>> Kerberos 5 enabled >>>>> root : DEBUG args=getent passwd admin root : DEBUG stdout= root : DEBUG >>>>> stderr= root : DEBUG args=getent passwd admin root : DEBUG stdout= root >>>> : >>>>> DEBUG stderr= >>>>> root : DEBUG args=getent passwd admin root : DEBUG stdout= root : DEBUG >>>>> stderr= root : DEBUG args=getent passwd admin root : DEBUG stdout= root >>>> : >>>>> DEBUG stderr= >>>>> >>>>> >>>>> >>>>> Advice anyone? >>>>> >>>>> >>>> >>>> I found CentOS to be too far behind, so I started using Scientific Linux 6.1 with latest packages >>> >from RHEL 6.2 beta for clients instead. >>>> >>>> I found the IPA server was easiest to test using Fedora 15. >>>> >>>> For production, wait for RHEL 6.2. It's not far away now. 
:) >>>> >>>> >>>> Regards, >>>> Siggi >>>> >>>> >>> >>> _______________________________________________ >>> Freeipa-users mailing list >>> Freeipa-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/freeipa-users >> From Steven.Jones at vuw.ac.nz Wed Nov 30 02:51:26 2011 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Wed, 30 Nov 2011 02:51:26 +0000 Subject: [Freeipa-users] HBAC rules not working In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404C41DC1B@STAWINCOX10MBX4.staff.vuw.ac.nz> References: <833D8E48405E064EBC54C84EC6B36E404C40677D@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E404C4067A9@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E404C4067DA@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E404C4067F4@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E404C406807@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E404C406819@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E404C406827@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E404C40683B@STAWINCOX10MBX1.staff.vuw.ac.nz>, <20111125043701.GA7033@hendrix.redhat.com>, <833D8E48405E064EBC54C84EC6B36E404C41DC1B@STAWINCOX10MBX4.staff.vuw.ac.nz> Message-ID: <833D8E48405E064EBC54C84EC6B36E404C42B135@STAWINCOX10MBX4.staff.vuw.ac.nz> Hi, Can I get confirmation this is fixed when 6.2 goes GA please? regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 ________________________________________ From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz] Sent: Monday, 28 November 2011 8:11 a.m. To: Jakub Hrozek; freeipa-users at redhat.com Subject: Re: [Freeipa-users] HBAC rules not working Hi, sssd is 1.5.1.52, but its what ships in RHEL6.2beta. I assume I have to wait 2 weeks for 6.2 GA? 
Megga annoying if so....I have a $1.5million bluearc toy :D arriving this week to connect to it... :(

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Jakub Hrozek [jhrozek at redhat.com]
Sent: Friday, 25 November 2011 5:37 p.m.
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] HBAC rules not working

On Thu, Nov 24, 2011 at 01:41:30AM +0000, Steven Jones wrote:
> When I add a host to the hbac rule and not a host group I can login....
>
> Something is wrong with the host group(s).....damned if I can see what.
>
> regards
>
> Steven Jones
>

Which SSSD version is that? There was a bug (#741751) in the HBAC host group processing that got fixed in sssd-1.5.1-53

_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

From lassi.polonen at iki.fi Wed Nov 30 11:18:46 2011
From: lassi.polonen at iki.fi (Lassi Pölönen)
Date: Wed, 30 Nov 2011 13:18:46 +0200
Subject: [Freeipa-users] Limiting group/user visibility
Message-ID: <4ED61116.1020206@iki.fi>

Hi,

I'm looking for implementing FreeIPA in an environment where there are multiple customers in multiple organizations and a single organization that manages the users, sets the access rights etc.

We don't have a centralized system currently so I will be starting from the scratch in that sense. The first concern I've had so far is that we don't want different customers to be able to find information about each other.
Currently in my test setup any user can find out every user in a group if they know the group name and all the groups for each user if they know the username. In some cases this might reveal information the customer is not willing to share.

So are there ways to limit that e.g. certain hosts/hostgroups or users/usergroups see some defined subset of the directory? Or are there some other suggested approaches? As the current setup relies on local authentication, users naturally are able to find users/groups only on servers they are able to log in and that is the level of confidentiality we are looking for if possible

-Lassi Pölönen

From jhrozek at redhat.com Wed Nov 30 11:39:38 2011
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Wed, 30 Nov 2011 12:39:38 +0100
Subject: [Freeipa-users] ipa-client stall on 'args=getent passwd admin'
In-Reply-To: <4ED5986B.8030301@redhat.com>
References: <20111129005225.GA20808@noboost.org> <57502.213.225.75.97.1322565832.squirrel@www.nixtra.com> <20111129120027.GA21495@noboost.org> <4ED4F3E0.2060709@redhat.com> <20111130001730.GA23165@noboost.org> <4ED5986B.8030301@redhat.com>
Message-ID: <20111130113938.GB20662@zeppelin.brq.redhat.com>

On Tue, Nov 29, 2011 at 09:43:55PM -0500, Rob Crittenden wrote:
> Craig T wrote:
> >Hi,
> >
> >I tried letting the client install go and it does eventually finish, however SSSD_NSS queries don't work.
> >See errors below;
> >
> >----------------------------------------------------------------------
> >[root at chtvm-centos-6 /]# ipa-client-install
> >Discovery was successful!
> >Hostname: chtvm-centos-6.example.com
> >Realm: example.com
> >DNS Domain: example.com
> >IPA Server: chtvm-389.example.com
> >BaseDN: dc=example,dc=com
> >
> >Continue to configure the system with these values? [no]: yes
> >User authorized to enroll computers: admin
> >Password for admin at example.com:
> >
> >Enrolled in IPA realm example.com
> >Created /etc/ipa/default.conf
> >Configured /etc/sssd/sssd.conf
> >Configured /etc/krb5.conf for IPA realm example.com
> >SSSD enabled
> >Kerberos 5 enabled
> >Unable to find 'admin' user with 'getent passwd admin'!
> >Recognized configuration: SSSD
> >NTP enabled
> >Client configuration complete.
> >
> >-------------------------------------------------------------------------------------------------------------------------
> >File: /var/log/sssd/sssd_nss.log
> >(Wed Nov 30 10:34:16 2011) [sssd[nss]] [nss_dp_reconnect_init] (0): Could not reconnect to example.com provider.
> >(Wed Nov 30 10:34:46 2011) [sssd[nss]] [nss_dp_reconnect_init] (0): Could not reconnect to example.com provider.
> >(Wed Nov 30 10:35:16 2011) [sssd[nss]] [nss_dp_reconnect_init] (0): Could not reconnect to example.com provider.
> >(Wed Nov 30 10:35:46 2011) [sssd[nss]] [nss_dp_reconnect_init] (0): Could not reconnect to example.com provider.
> >-------------------------------------------------------------------------------------------------------------------------
> >File: /var/log/sssd/sssd_pam.log
> >(Wed Nov 30 10:34:16 2011) [sssd[pam]] [pam_dp_reconnect_init] (0): Could not reconnect to example.com provider.
> >(Wed Nov 30 10:34:46 2011) [sssd[pam]] [pam_dp_reconnect_init] (0): Could not reconnect to example.com provider.
> >(Wed Nov 30 10:35:16 2011) [sssd[pam]] [pam_dp_reconnect_init] (0): Could not reconnect to example.com provider.
> >(Wed Nov 30 10:35:46 2011) [sssd[pam]] [pam_dp_reconnect_init] (0): Could not reconnect to example.com provider.
> >-------------------------------------------------------------------------------------------------------------------------

Also the {nss,pam}_dp_reconnect_init functions are only called when the back end crashes and the other processes are reconnecting to a new back end instance.

Can you check logs (/var/log/messages should have the info) if there are any messages indicating a crash?

From Steven.Jones at vuw.ac.nz Wed Nov 30 19:01:44 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Wed, 30 Nov 2011 19:01:44 +0000
Subject: [Freeipa-users] Limiting group/user visibility
In-Reply-To: <4ED61116.1020206@iki.fi>
References: <4ED61116.1020206@iki.fi>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404C432662@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

I would have thought this was a case/design of separate realms.

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Lassi Pölönen [lassi.polonen at iki.fi]
Sent: Thursday, 1 December 2011 12:18 a.m.
To: freeipa-users at redhat.com
Subject: [Freeipa-users] Limiting group/user visibility

Hi,

I'm looking for implementing FreeIPA in an environment where there are multiple customers in multiple organizations and a single organization that manages the users, sets the access rights etc.

We don't have a centralized system currently so I will be starting from the scratch in that sense. The first concern I've had so far is that we don't want different customers to be able to find information about each other. Currently in my test setup any user can find out every user in a group if they know the group name and all the groups for each user if they know the username. In some cases this might reveal information the customer is not willing to share.

So are there ways to limit that e.g. certain hosts/hostgroups or users/usergroups see some defined subset of the directory? Or are there some other suggested approaches?
As the current setup relies on local authentication, users naturally are able to find users/groups only on servers they are able to log in and that is the level of confidentiality we are looking for if possible

-Lassi Pölönen

_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

From sbingram at gmail.com Wed Nov 30 19:36:37 2011
From: sbingram at gmail.com (Stephen Ingram)
Date: Wed, 30 Nov 2011 11:36:37 -0800
Subject: [Freeipa-users] manual client join
Message-ID:

Looking at section 3.1 of the documentation I see the process for what happens during a client setup. In cases where there is no ipa-client support, this is likely the best option. Is there any more specific documentation that details the exact procedure (i.e. how to import the CA certificate, obtain service principals) of what happens during the ipa-join process? I seem to remember this from version 1 and even earlier versions of 2.x, but I can't find it anywhere now.

Steve

From sbingram at gmail.com Wed Nov 30 19:44:26 2011
From: sbingram at gmail.com (Stephen Ingram)
Date: Wed, 30 Nov 2011 11:44:26 -0800
Subject: [Freeipa-users] Limiting group/user visibility
In-Reply-To: <4ED61116.1020206@iki.fi>
References: <4ED61116.1020206@iki.fi>
Message-ID:

Lassi

On Wed, Nov 30, 2011 at 3:18 AM, Lassi Pölönen wrote:
> I'm looking for implementing FreeIPA in an environment where there are
> multiple customers in multiple organizations and a single organization
> that manages the users, sets the access rights etc.
>
> We don't have a centralized system currently so I will be starting from
> the scratch in that sense. The first concern I've had so far is that we
> don't want different customers to be able to find information about each
> other. Currently in my test setup any user can find out every user in a
> group if they know the group name and all the groups for each user if
> they know the username. In some cases this might reveal information the
> customer is not willing to share.
>
> So are there ways to limit that e.g. certain hosts/hostgroups or
> users/usergroups see some defined subset of the directory? Or are there
> some other suggested approaches? As the current setup relies on local
> authentication, users naturally are able to find users/groups only on
> servers they are able to log in and that is the level of confidentiality
> we are looking for if possible

I asked a similar question earlier (https://www.redhat.com/archives/freeipa-users/2011-September/msg00197.html). As Adam says, since the directory allows visibility of all users, it is a logical step to allow a similar view in the UI. I suspect that you would have to adjust the ACIs in your directory such that users could only see users in their own group. However, this might cause issues with other processes which expect to see users without any restrictions. I haven't had the chance to prove or disprove this yet.

Steve

From lassi.polonen at iki.fi Wed Nov 30 19:46:21 2011
From: lassi.polonen at iki.fi (Lassi Pölönen)
Date: Wed, 30 Nov 2011 21:46:21 +0200
Subject: [Freeipa-users] Limiting group/user visibility
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404C432662@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <4ED61116.1020206@iki.fi> <833D8E48405E064EBC54C84EC6B36E404C432662@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4ED6880D.9090801@iki.fi>

Hi, that could be one option as well, not completely ruled out. But in some cases it is a bit too much overhead though. If there are multiple small organizations with only a handful of accounts and servers, setting up a dedicated HA instance for each one doesn't feel very cost effective as it would mean tens of those. Currently a single installation can't handle multiple realms, am I right?

-Lassi Pölönen

On 30.11.2011 21:01, Steven Jones wrote:
> Hi,
>
> I would have thought this was a case/design of separate realms.
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> ________________________________________
> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Lassi Pölönen [lassi.polonen at iki.fi]
> Sent: Thursday, 1 December 2011 12:18 a.m.
> To: freeipa-users at redhat.com
> Subject: [Freeipa-users] Limiting group/user visibility
>
> Hi,
>
> I'm looking for implementing FreeIPA in an environment where there are
> multiple customers in multiple organizations and a single organization
> that manages the users, sets the access rights etc.
>
> We don't have a centralized system currently so I will be starting from
> the scratch in that sense. The first concern I've had so far is that we
> don't want different customers to be able to find information about each
> other. Currently in my test setup any user can find out every user in a
> group if they know the group name and all the groups for each user if
> they know the username. In some cases this might reveal information the
> customer is not willing to share.
>
> So are there ways to limit that e.g. certain hosts/hostgroups or
> users/usergroups see some defined subset of the directory? Or are there
> some other suggested approaches? As the current setup relies on local
> authentication, users naturally are able to find users/groups only on
> servers they are able to log in and that is the level of confidentiality
> we are looking for if possible
>
>
> -Lassi Pölönen
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

From rcritten at redhat.com Wed Nov 30 20:04:26 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 30 Nov 2011 15:04:26 -0500
Subject: [Freeipa-users] manual client join
In-Reply-To:
References:
Message-ID: <4ED68C4A.2090500@redhat.com>

Stephen Ingram wrote:
> Looking at section 3.1 of the documentation I see the process for what
> happens during a client setup. In cases where there is no ipa-client
> support, this is likely the best option. Is there any more specific
> documentation that details the exact procedure (i.e. how to import the
> CA certificate, obtain service principals) of what happens during the
> ipa-join process? I seem to remember this from version 1 and even
> earlier versions of 2.x, but I can't find it anywhere now.

Retrieve the CA certificate for the FreeIPA CA.

# wget -O /etc/ipa/ca.crt http://ipa.example.com/ipa/config/ca.crt

Create a separate Kerberos configuration to test the provided credentials. This enables a Kerberos connection to the FreeIPA XML-RPC server, necessary to join the FreeIPA client to the FreeIPA domain. This Kerberos configuration is ultimately discarded.

- Basically just copy a working krb5.conf to /etc/krb5.conf and set up sssd or nss_ldap as documented.
# kinit admin
# ipa-join -s ipa.example.com -b dc=example,dc=com

Or if using a one-time password you can skip the kinit and do

# ipa-join -s ipa.example.com -b dc=example,dc=com -w Secret123

ipa-join lets IPA know a host is enrolled and retrieves a host principal and stores it into /etc/krb5.keytab.

Enable certmonger, retrieve an SSL server certificate, and install the certificate in /etc/pki/nssdb.

# service messagebus start
# service certmonger start
# certutil -A -d /etc/pki/nssdb -n 'IPA CA' -t CT,C,C -a -i /etc/ipa/ca.crt
# ipa-getcert request -d /etc/pki/nssdb -n 'IPA Machine Certificate - client.example.com' -N 'cn=client.example.com,O=EXAMPLE.COM' -K host/client.example.com at EXAMPLE.COM

Disable the nscd daemon.

# service nscd stop
# chkconfig nscd off

rob

From sbingram at gmail.com Wed Nov 30 20:20:31 2011
From: sbingram at gmail.com (Stephen Ingram)
Date: Wed, 30 Nov 2011 12:20:31 -0800
Subject: [Freeipa-users] manual client join
In-Reply-To: <4ED68C4A.2090500@redhat.com>
References: <4ED68C4A.2090500@redhat.com>
Message-ID:

Rob-

On Wed, Nov 30, 2011 at 12:04 PM, Rob Crittenden wrote:
> Retrieve the CA certificate for the FreeIPA CA.
>
> # wget -O /etc/ipa/ca.crt http://ipa.example.com/ipa/config/ca.crt
>
> Create a separate Kerberos configuration to test the provided credentials.
> This enables a Kerberos connection to the FreeIPA XML-RPC server, necessary
> to join the FreeIPA client to the FreeIPA domain. This Kerberos
> configuration is ultimately discarded.
>
> - Basically just copy a working krb5.conf to /etc/krb5.conf and set up sssd
> or nss_ldap as documented.
>
> # kinit admin
> # ipa-join -s ipa.example.com -b dc=example,dc=com
>
> Or if using a one-time password you can skip the kinit and do
>
> # ipa-join -s ipa.example.com -b dc=example,dc=com -w Secret123
>
> ipa-join lets IPA know a host is enrolled and retrieves a host principal and
> stores it into /etc/krb5.keytab.
>
> Enable certmonger, retrieve an SSL server certificate, and install the
> certificate in /etc/pki/nssdb.
>
> # service messagebus start
> # service certmonger start
> # certutil -A -d /etc/pki/nssdb -n 'IPA CA' -t CT,C,C -a -i /etc/ipa/ca.crt
> # ipa-getcert request -d /etc/pki/nssdb -n 'IPA Machine Certificate -
> client.example.com' -N 'cn=client.example.com,O=EXAMPLE.COM' -K
> host/client.example.com at EXAMPLE.COM
>
> Disable the nscd daemon.
>
> # service nscd stop
> # chkconfig nscd off

Thanks, but aren't some of these steps assuming that ipa-client has been installed on the system? For instance, instead of "# ipa-join -s ipa.example.com -b dc=example,dc=com -w Secret123", can't I instead use kadmin to retrieve the keytab and then securely copy it over to the client system? And, in the case of the ca.crt, if IPA itself is not installed, the ca would not go to /etc/ipa/ca.crt, no? I realize that I will lose functionality by not having ipa-client, but just trying to build a case for supporting legacy systems that I would never want to take the time to adapt ipa-client for.

Steve

From rcritten at redhat.com Wed Nov 30 20:59:35 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 30 Nov 2011 15:59:35 -0500
Subject: [Freeipa-users] manual client join
In-Reply-To:
References: <4ED68C4A.2090500@redhat.com>
Message-ID: <4ED69937.80003@redhat.com>

Stephen Ingram wrote:
> Rob-
>
> On Wed, Nov 30, 2011 at 12:04 PM, Rob Crittenden wrote:
>> Retrieve the CA certificate for the FreeIPA CA.
>>
>> # wget -O /etc/ipa/ca.crt http://ipa.example.com/ipa/config/ca.crt
>>
>> Create a separate Kerberos configuration to test the provided credentials.
>> This enables a Kerberos connection to the FreeIPA XML-RPC server, necessary
>> to join the FreeIPA client to the FreeIPA domain. This Kerberos
>> configuration is ultimately discarded.
>>
>> - Basically just copy a working krb5.conf to /etc/krb5.conf and set up sssd
>> or nss_ldap as documented.
>>
>> # kinit admin
>> # ipa-join -s ipa.example.com -b dc=example,dc=com
>>
>> Or if using a one-time password you can skip the kinit and do
>>
>> # ipa-join -s ipa.example.com -b dc=example,dc=com -w Secret123
>>
>> ipa-join lets IPA know a host is enrolled and retrieves a host principal and
>> stores it into /etc/krb5.keytab.
>>
>> Enable certmonger, retrieve an SSL server certificate, and install the
>> certificate in /etc/pki/nssdb.
>>
>> # service messagebus start
>> # service certmonger start
>> # certutil -A -d /etc/pki/nssdb -n 'IPA CA' -t CT,C,C -a -i /etc/ipa/ca.crt
>> # ipa-getcert request -d /etc/pki/nssdb -n 'IPA Machine Certificate -
>> client.example.com' -N 'cn=client.example.com,O=EXAMPLE.COM' -K
>> host/client.example.com at EXAMPLE.COM
>>
>> Disable the nscd daemon.
>>
>> # service nscd stop
>> # chkconfig nscd off
>
> Thanks, but aren't some of these steps assuming that ipa-client has
> been installed on the system? For instance, instead of "# ipa-join -s
> ipa.example.com -b dc=example,dc=com -w Secret123", can't I instead
> use kadmin to retrieve the keytab and then securely copy it over to
> the client system? And, in the case of the ca.crt, if IPA
> itself is not installed, the ca would not go to /etc/ipa/ca.crt, no? I
> realize that I will lose functionality by not having ipa-client, but
> just trying to build a case for supporting legacy systems that I would
> never want to take the time to adapt ipa-client for.
>
> Steve

The only part assuming that is ipa-join itself. IPA does not support the direct use of kadmin or kadmin.local. On a supported platform you'd run:

# ipa-getkeytab -s ipa.example.com -k /tmp/remote.keytab -p host/remote.example.com

Then ship /tmp/remote.keytab to the machine and either use ktutil to combine it with /etc/krb5.keytab or replace krb5.keytab with it (and fix owner and permissions, and potentially SELinux context).

certmonger gets its IPA configuration from /etc/ipa/default.conf.
If you don't want or have certmonger then you can skip the CA bit altogether. Otherwise you'll need to copy in a working config.

rob

From agajania at cs.newpaltz.edu Wed Nov 30 21:21:58 2011
From: agajania at cs.newpaltz.edu (Aram J. Agajanian)
Date: Wed, 30 Nov 2011 16:21:58 -0500
Subject: [Freeipa-users] winsync: only synchronize existing user accounts?
Message-ID: <20111130162158.11c50615@frogn.cs.newpaltz.edu>

Is it possible to configure an AD synchronization with IPA but only for existing IPA accounts? Our AD has a lot of user accounts that the IPA won't need for now. I don't want to automatically add all of the additional user accounts to IPA. I can set up new IPA user accounts with the "ipa user-add" command. I would like to synchronize passwords from AD to IPA.

I am setting up RHEV 3 for Desktops and would like to try IPA for authentication.

--
Aram J. Agajanian
Computer Science/UNIX Support
Academic Computing
State University of New York at New Paltz

Support the Free Software Foundation - www.fsf.org

From Steven.Jones at vuw.ac.nz Wed Nov 30 21:29:27 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Wed, 30 Nov 2011 21:29:27 +0000
Subject: [Freeipa-users] winsync: only synchronize existing user accounts?
In-Reply-To: <20111130162158.11c50615@frogn.cs.newpaltz.edu>
References: <20111130162158.11c50615@frogn.cs.newpaltz.edu>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404C43DC3D@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

interesting.....I thought I read it would only sync for new accounts created after the winsync was active?...I'd like to bring the lot across in my case....but have them disabled....but I'm buggered at the moment until the groups problem with sssd is fixed.... :/

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Aram J. Agajanian [agajania at cs.newpaltz.edu]
Sent: Thursday, 1 December 2011 10:21 a.m.
To: freeipa-users at redhat.com
Subject: [Freeipa-users] winsync: only synchronize existing user accounts?

Is it possible to configure an AD synchronization with IPA but only for existing IPA accounts? Our AD has a lot of user accounts that the IPA won't need for now. I don't want to automatically add all of the additional user accounts to IPA. I can set up new IPA user accounts with the "ipa user-add" command. I would like to synchronize passwords from AD to IPA.

I am setting up RHEV 3 for Desktops and would like to try IPA for authentication.

--
Aram J. Agajanian
Computer Science/UNIX Support
Academic Computing
State University of New York at New Paltz

Support the Free Software Foundation - www.fsf.org

_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

From freeipa at noboost.org Wed Nov 30 23:20:37 2011
From: freeipa at noboost.org (Craig T)
Date: Thu, 1 Dec 2011 10:20:37 +1100
Subject: [Freeipa-users] ipa-client stall on 'args=getent passwd admin'
In-Reply-To: <20111130113938.GB20662@zeppelin.brq.redhat.com>
References: <20111129005225.GA20808@noboost.org> <57502.213.225.75.97.1322565832.squirrel@www.nixtra.com> <20111129120027.GA21495@noboost.org> <4ED4F3E0.2060709@redhat.com> <20111130001730.GA23165@noboost.org> <4ED5986B.8030301@redhat.com> <20111130113938.GB20662@zeppelin.brq.redhat.com>
Message-ID: <20111130232037.GA25644@noboost.org>

brilliant!

I checked /var/log/messages and found;

Nov 30 10:33:58 chtvm-centos-6 sssd[be[teratext.saic.com.au]]: Starting up
Nov 30 10:33:58 chtvm-centos-6 kernel: sssd_be[1516]: segfault at 10 ip 0000003a12a13eee sp 00007fffdb5e3b60 error 4 in libldap-2.4.so.2.5.2[3a12a00000+43000]
Nov 30 10:33:58 chtvm-centos-6 kernel: abrt-hook-ccpp[1598]: segfault at 0 ip 00000039fea800d2 sp 00007fff4a1fc5f8 error 4 in libc-2.12.so[39fea00000+175000]
Nov 30 10:33:58 chtvm-centos-6 kernel: Process 1598(abrt-hook-ccpp) has RLIMIT_CORE set to 1
Nov 30 10:33:58 chtvm-centos-6 kernel: Aborting core

I then upgraded openldap to openldap-2.4.23-19.el6.x86_64 and now the ipa-client-install script works perfectly ;)

Regards,

Craig

On Wed, Nov 30, 2011 at 12:39:38PM +0100, Jakub Hrozek wrote:
> On Tue, Nov 29, 2011 at 09:43:55PM -0500, Rob Crittenden wrote:
> > Craig T wrote:
> > >Hi,
> > >
> > >I tried letting the client install go and it does eventually finish, however SSSD_NSS queries don't work.
> > >See errors below;
> > >
> > >----------------------------------------------------------------------
> > >[root at chtvm-centos-6 /]# ipa-client-install
> > >Discovery was successful!
> > >Hostname: chtvm-centos-6.example.com
> > >Realm: example.com
> > >DNS Domain: example.com
> > >IPA Server: chtvm-389.example.com
> > >BaseDN: dc=example,dc=com
> > >
> > >Continue to configure the system with these values? [no]: yes
> > >User authorized to enroll computers: admin
> > >Password for admin at example.com:
> > >
> > >Enrolled in IPA realm example.com
> > >Created /etc/ipa/default.conf
> > >Configured /etc/sssd/sssd.conf
> > >Configured /etc/krb5.conf for IPA realm example.com
> > >SSSD enabled
> > >Kerberos 5 enabled
> > >Unable to find 'admin' user with 'getent passwd admin'!
> > >Recognized configuration: SSSD
> > >NTP enabled
> > >Client configuration complete.
> > > > > >------------------------------------------------------------------------------------------------------------------------- > > >File: /var/log/sssd/sssd_nss.log > > >(Wed Nov 30 10:34:16 2011) [sssd[nss]] [nss_dp_reconnect_init] (0): Could not reconnect to example.com provider. > > >(Wed Nov 30 10:34:46 2011) [sssd[nss]] [nss_dp_reconnect_init] (0): Could not reconnect to example.com provider. > > >(Wed Nov 30 10:35:16 2011) [sssd[nss]] [nss_dp_reconnect_init] (0): Could not reconnect to example.com provider. > > >(Wed Nov 30 10:35:46 2011) [sssd[nss]] [nss_dp_reconnect_init] (0): Could not reconnect to example.com provider. > > >------------------------------------------------------------------------------------------------------------------------- > > >File: /var/log/sssd/sssd_pam.log > > >(Wed Nov 30 10:34:16 2011) [sssd[pam]] [pam_dp_reconnect_init] (0): Could not reconnect to example.com provider. > > >(Wed Nov 30 10:34:46 2011) [sssd[pam]] [pam_dp_reconnect_init] (0): Could not reconnect to example.com provider. > > >(Wed Nov 30 10:35:16 2011) [sssd[pam]] [pam_dp_reconnect_init] (0): Could not reconnect to example.com provider. > > >(Wed Nov 30 10:35:46 2011) [sssd[pam]] [pam_dp_reconnect_init] (0): Could not reconnect to example.com provider. > > >------------------------------------------------------------------------------------------------------------------------- > > Also the {nss,pam}_dp_reconnect_init functions are only called when the > back end crashes and the other processes are reconnecting to a new back > end instance. > > Can you check logs (/var/log/messages should have the info) if there are > any messages indicating a crash? > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users
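The ipa-client stall thread above resolves the way Jakub predicted: the `{nss,pam}_dp_reconnect_init` "Could not reconnect" lines only appear when the back end process has gone away, and /var/log/messages showed sssd_be segfaulting in libldap moments earlier. The script below is an added example (constructed for this archive, not code from the freeipa-users list or from the sssd project) that turns that diagnosis into a repeatable check: it parses sample lines modelled on the quoted sssd_nss.log, sssd_pam.log and /var/log/messages excerpts (host name, domain and PIDs replaced by constructed example values), links each responder reconnect failure to an sssd_be crash within a short window before it, and otherwise falls back to Rob's suggestion of checking for SELinux AVCs and the messagebus service. The ten-minute window and the assumption that the syslog lines share the SSSD log's year are choices made here, not anything the thread states.

```python
"""Correlate SSSD responder reconnect failures with an sssd_be crash.

Added example, constructed for this thread; it is not code from the
freeipa-users list or from the sssd project. The sample lines are modelled
on the quoted sssd_nss.log, sssd_pam.log and /var/log/messages excerpts,
with the host name, domain and PIDs replaced by example values.
"""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample input (format copied from the thread, values replaced).
SSSD_NSS_LOG = """\
(Wed Nov 30 10:34:16 2011) [sssd[nss]] [nss_dp_reconnect_init] (0): Could not reconnect to example.com provider.
(Wed Nov 30 10:34:46 2011) [sssd[nss]] [nss_dp_reconnect_init] (0): Could not reconnect to example.com provider.
(Wed Nov 30 10:35:16 2011) [sssd[nss]] [nss_dp_reconnect_init] (0): Could not reconnect to example.com provider.
"""
SSSD_PAM_LOG = """\
(Wed Nov 30 10:34:16 2011) [sssd[pam]] [pam_dp_reconnect_init] (0): Could not reconnect to example.com provider.
(Wed Nov 30 10:34:46 2011) [sssd[pam]] [pam_dp_reconnect_init] (0): Could not reconnect to example.com provider.
"""
MESSAGES_LOG = """\
Nov 30 10:33:58 client1 sssd[be[example.com]]: Starting up
Nov 30 10:33:58 client1 kernel: sssd_be[1516]: segfault at 10 ip 0000003a12a13eee sp 00007fffdb5e3b60 error 4 in libldap-2.4.so.2.5.2[3a12a00000+43000]
Nov 30 10:33:58 client1 kernel: abrt-hook-ccpp[1598]: segfault at 0 ip 00000039fea800d2 sp 00007fff4a1fc5f8 error 4 in libc-2.12.so[39fea00000+175000]
Nov 30 10:33:58 client1 kernel: Process 1598(abrt-hook-ccpp) has RLIMIT_CORE set to 1
Nov 30 10:33:58 client1 kernel: Aborting core
"""

# One SSSD 1.x log line: "(timestamp) [sssd[responder]] [function] (level): message"
SSSD_LINE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[(?P<responder>\w+)\]\] "
    r"\[(?P<func>\w+)\] \((?P<level>\d+)\): (?P<msg>.*)$"
)
# The message the *_dp_reconnect_init functions log when the back end is gone.
RECONNECT_MSG = re.compile(r"^Could not reconnect to (?P<provider>\S+) provider\.$")
# Kernel segfault report as syslog writes it to /var/log/messages.
SEGFAULT_LINE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: "
    r"(?P<proc>[\w.-]+)\[(?P<pid>\d+)\]: segfault at \S+ ip \S+ sp \S+ "
    r"error \d+ in (?P<lib>[^\[\s]+)\["
)


def parse_reconnect_failures(log_text: str) -> List[dict]:
    """Return one event per *_dp_reconnect_init 'Could not reconnect' line."""
    events = []
    for line in log_text.splitlines():
        m = SSSD_LINE.match(line)
        if not m or not m["func"].endswith("_dp_reconnect_init"):
            continue
        r = RECONNECT_MSG.match(m["msg"])
        if r:
            events.append({
                "time": datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"),
                "responder": m["responder"],
                "provider": r["provider"],
            })
    return events


def parse_segfaults(messages_text: str, year: int) -> List[dict]:
    """Return every kernel segfault line; syslog omits the year, so the caller supplies it."""
    crashes = []
    for line in messages_text.splitlines():
        m = SEGFAULT_LINE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
            crashes.append({"time": ts, "proc": m["proc"],
                            "pid": int(m["pid"]), "lib": m["lib"]})
    return crashes


def analyse(sssd_logs: Dict[str, str], messages_text: str,
            year: Optional[int] = None,
            window: timedelta = timedelta(minutes=10)) -> dict:
    """Link responder reconnect failures to an sssd_be crash shortly before them."""
    reconnects = [ev for text in sssd_logs.values()
                  for ev in parse_reconnect_failures(text)]
    reconnects.sort(key=lambda e: e["time"])
    if year is None:  # assumption: syslog lines share the year of the SSSD log
        year = reconnects[0]["time"].year if reconnects else datetime.now().year
    backend_crashes = [c for c in parse_segfaults(messages_text, year)
                       if c["proc"].startswith("sssd_be")]
    linked = sum(
        1 for ev in reconnects
        if any(ev["time"] - window <= c["time"] <= ev["time"] for c in backend_crashes)
    )
    crashed_libs = sorted({c["lib"] for c in backend_crashes})
    if linked:
        verdict = ("backend-crash: sssd_be crashed in %s shortly before the responders "
                   "failed to reconnect; fix the crashing library before debugging "
                   "connectivity" % ", ".join(crashed_libs))
    elif reconnects:
        verdict = ("reconnect-failures-no-crash: check /var/log/audit/audit.log for "
                   "SELinux AVCs and confirm the messagebus service is running")
    else:
        verdict = "clean: no responder reconnect failures"
    return {
        "reconnect_failures": len(reconnects),
        "providers": sorted({e["provider"] for e in reconnects}),
        "backend_crashes": len(backend_crashes),
        "crashed_libs": crashed_libs,
        "linked_failures": linked,
        "verdict": verdict,
    }


def analyse_sample() -> dict:
    """Run the analysis over the constructed sample above."""
    return analyse({"sssd_nss.log": SSSD_NSS_LOG, "sssd_pam.log": SSSD_PAM_LOG},
                   MESSAGES_LOG)


if __name__ == "__main__":
    for key, value in analyse_sample().items():
        print("%s: %s" % (key, value))
```

On a real client the three inputs are the contents of /var/log/sssd/sssd_nss.log, /var/log/sssd/sssd_pam.log and /var/log/messages; the abrt-hook-ccpp segfault in the sample is deliberately ignored because only an sssd_be crash explains the responders' reconnect attempts.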