[Freeipa-users] Freeipa-users Digest, Vol 46, Issue 10
Steven Bernstein
sbernst at gmail.com
Wed May 2 20:59:56 UTC 2012
Free IPA List peeps,
I'm looking to set up FreeIPA on a Fedora 14 or 15 server I'm setting up at
home. I came across a reference at one point dealing with smart cards
being associated with the users that hold them.
I can't find the reference at this point and was wondering if there might
be a list on the Wiki or someplace that details the errors that come back
when trying to initialize or register a smart card with the server?
Thanks so much!
Steven
On Wed, May 2, 2012 at 1:57 PM, <freeipa-users-request at redhat.com> wrote:
> Send Freeipa-users mailing list submissions to
> freeipa-users at redhat.com
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://www.redhat.com/mailman/listinfo/freeipa-users
> or, via email, send a message with subject or body 'help' to
> freeipa-users-request at redhat.com
>
> You can reach the person managing the list at
> freeipa-users-owner at redhat.com
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Freeipa-users digest..."
>
>
> Today's Topics:
>
> 1. Re: red hat 5 and red hat 6 compatability (Matthew Davidson)
> 2. Re: red hat 5 and red hat 6 compatability (Dmitri Pal)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Wed, 2 May 2012 14:50:06 -0400
> From: Matthew Davidson <matt at mldserviceslex.com>
> To: <dpal at redhat.com>, <freeipa-users at redhat.com>
> Subject: Re: [Freeipa-users] red hat 5 and red hat 6 compatability
> Message-ID: <SNT104-W395AFEBCC767D220CA34AAA32E0 at phx.gbl>
> Content-Type: text/plain; charset="iso-8859-1"
>
>
> Dmitri,
> 1) Do you have admin account on IPA side?
> Yes. And judging by the command below admin does log in, or am I mistaken?
> [root at rhel5 ~]# kinit admin
> Password for admin at EXAMPLE.COM:
> [root at rhel5 ~]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: admin at EXAMPLE.COM
> Valid starting     Expires            Service principal
> 05/02/12 14:47:40  05/03/12 14:47:36  krbtgt/EXAMPLE.COM at EXAMPLE.COM
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
> 2) Is there a firewall between client and server? Is LDAP and LDAPS
> allowed via the FW?
> No firewall. Shut those down at the first sign of trouble.
>
> Thanks
> Matt
> Date: Wed, 2 May 2012 13:51:15 -0400
> From: dpal at redhat.com
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] red hat 5 and red hat 6 compatability
>
> On 05/02/2012 12:43 PM, Matthew Davidson wrote:
>
> Hi Rob
>
> [root at rhel5 ~]# ipa-client-install --domain=EXAMPLE.COM --server=rhel6.example.com
> DNS domain 'example.com' is not configured for automatic KDC address lookup.
> KDC address will be set to fixed value.
>
> Discovery was successful!
> Hostname: rhel6.example.com
> Realm: EXAMPLE.COM
> DNS Domain: EXAMPLE.COM
> IPA Server: rhel6.example.com
> BaseDN: dc=example,dc=com
>
> Continue to configure the system with these values? [no]: yes
> User authorized to enroll computers: admin
> Synchronizing time with KDC...
> Password for admin at EXAMPLE.COM:
>
> Enrolled in IPA realm EXAMPLE.COM
> Created /etc/ipa/default.conf
> Configured /etc/sssd/sssd.conf
> Configured /etc/krb5.conf for IPA realm EXAMPLE.COM
> SSSD enabled
> Unable to find 'admin' user with 'getent passwd admin'!
>
> 1) Do you have admin account on IPA side?
> 2) Is there a firewall between client and server? Is LDAP and LDAPS
> allowed via the FW?
>
> Recognized configuration: SSSD
> Changed configuration of /etc/ldap.conf to use hardcoded server name: rhel6.example.com
> NTP enabled
> Client configuration complete.
>
> /var/log/secure
> May 2 12:31:14 rhel5 sshd[3250]: Invalid user mdavidson from 192.168.1.5
> May 2 12:31:14 rhel5 sshd[3251]: input_userauth_request: invalid user mdavidson
> May 2 12:31:19 rhel5 sshd[3250]: pam_unix(sshd:auth): check pass; user unknown
> May 2 12:31:19 rhel5 sshd[3250]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=rhel6.example.com
> May 2 12:31:19 rhel5 sshd[3250]: pam_succeed_if(sshd:auth): error retrieving information about user mdavidson
> May 2 12:31:21 rhel5 sshd[3250]: Failed password for invalid user mdavidson from 192.168.1.5 port 52511 ssh2
>
> /var/log/sssd/ldap_child.log
> (Wed May 2 11:52:08 2012) [[sssd[ldap_child[3091]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
> (Wed May 2 12:31:14 2012) [[sssd[ldap_child[3252]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
> (Wed May 2 12:31:14 2012) [[sssd[ldap_child[3253]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
> (Wed May 2 12:31:14 2012) [[sssd[ldap_child[3254]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
> (Wed May 2 12:31:14 2012) [[sssd[ldap_child[3255]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
> (Wed May 2 12:31:14 2012) [[sssd[ldap_child[3256]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
>
> /var/log/sssd/sssd.log
> (Tue May 1 13:53:26 2012) [sssd] [monitor_quit] (0): Monitor received Terminated: terminating children
> (Wed May 2 11:34:59 2012) [sssd] [monitor_quit] (0): Monitor received Terminated: terminating children
>
> thanks for helping!
> Matt
>
> > Date: Wed, 2 May 2012 11:30:52 -0400
> > From: rcritten at redhat.com
> > To: matt at mldserviceslex.com
> > CC: freeipa-users at redhat.com
> > Subject: Re: [Freeipa-users] red hat 5 and red hat 6 compatability
> >
> > Matthew Davidson wrote:
> > > To clarify one point.
> > >
> > > I used the current redhat documents to setup the two systems.
> > >
> > > Red_Hat_Enterprise_Linux-5-Configuring_Identity_Management-en-US
> > >
> > > Red_Hat_Enterprise_Linux-6-Identity_Management_Guide-en-US
> > >
> > > SSH does not seem to be discussed and that is when I started web surfing
> > > in an attempt to fix my problem before reaching out for help.
> >
> > A host service principal is created during enrollment so no additional
> > work should be needed for SSH to work. The problem you're having is
> > related to the fact that user lookup services are failing.
> >
> > Can you look in /var/log/secure and/or /var/log/sssd/* to see if there
> > are any errors reported regarding sssd?
> >
> > What options did you pass to ipa-client-install?
> >
> > rob
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IPA project,
> Red Hat Inc.
>
>
> -------------------------------
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
>
> ------------------------------
>
> Message: 2
> Date: Wed, 02 May 2012 14:57:24 -0400
> From: Dmitri Pal <dpal at redhat.com>
> To: Matthew Davidson <matt at mldserviceslex.com>
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] red hat 5 and red hat 6 compatability
> Message-ID: <4FA18394.7080507 at redhat.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> On 05/02/2012 02:50 PM, Matthew Davidson wrote:
> > Dmitri,
> > 1) Do you have admin account on IPA side?
> >
> > Yes. And judging by the command below admin does log in, or am I
> mistaken?
> >
> > [root at rhel5 ~]# kinit admin
> > Password for admin at EXAMPLE.COM:
> >
> > [root at rhel5 ~]# klist
> > Ticket cache: FILE:/tmp/krb5cc_0
> > Default principal: admin at EXAMPLE.COM
> >
> > Valid starting Expires Service principal
> > 05/02/12 14:47:40 05/03/12 14:47:36 krbtgt/EXAMPLE.COM at EXAMPLE.COM
> >
> > Kerberos 4 ticket cache: /tmp/tkt0
> > klist: You have no tickets cached
> >
>
> Is this from the client or from the server? I bet on the server.
> Rob might be right that the client fails to find the right
> authentication server due to the DNS configuration.
>
> > 2) Is there a firewall between client and server? Is LDAP and LDAPS
> > allowed via the FW?
> >
> > No firewall. Shut those down at the first sign of trouble.
> >
> > Thanks
> > Matt
> >
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IPA project,
> Red Hat Inc.
>
>
> -------------------------------
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
>
>
> ------------------------------
>
>
> End of Freeipa-users Digest, Vol 46, Issue 10
> *********************************************
>
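A small triage over the symptom pair quoted in the digest above (sshd "Invalid user" rejections together with ldap_child "Client not found in Kerberos database"), added here as an example; it is not code from the thread or from the FreeIPA/SSSD projects, and the sample log lines are constructed from the ones Matt posted. That ldap_child_get_tgt_sync obtains its TGT with the client's host keytab is general SSSD behaviour and an assumption of this example, not something the thread states.

```python
import re
from collections import Counter

# Constructed sample lines, modelled on the /var/log/secure and
# /var/log/sssd/ldap_child.log excerpts quoted in the thread.
SECURE_LOG = """\
May 2 12:31:14 rhel5 sshd[3250]: Invalid user mdavidson from 192.168.1.5
May 2 12:31:19 rhel5 sshd[3250]: pam_succeed_if(sshd:auth): error retrieving information about user mdavidson
May 2 12:31:21 rhel5 sshd[3250]: Failed password for invalid user mdavidson from 192.168.1.5 port 52511 ssh2
"""
LDAP_CHILD_LOG = """\
(Wed May 2 12:31:14 2012) [[sssd[ldap_child[3252]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
(Wed May 2 12:31:14 2012) [[sssd[ldap_child[3253]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
"""

INVALID_USER = re.compile(r"sshd\[\d+\]: Invalid user (\S+) from \S+")
TGT_FAILURE = re.compile(r"\[ldap_child_get_tgt_sync\] \(\d+\): Failed to init credentials: (.+)$")
KDC_UNKNOWN = "Client not found in Kerberos database"


def triage(secure_log, ldap_child_log):
    """Correlate sshd 'Invalid user' rejections with sssd ldap_child TGT
    failures; return the counters and ordered human-readable findings."""
    unknown_users = Counter(m.group(1) for m in map(INVALID_USER.search, secure_log.splitlines()) if m)
    tgt_errors = Counter(m.group(1).strip() for m in map(TGT_FAILURE.search, ldap_child_log.splitlines()) if m)

    findings = []
    # Assumption: ldap_child gets a TGT with the client's host keytab before the
    # GSSAPI LDAP bind, so KDC_UNKNOWN means the KDC that answered does not know
    # that host principal: a stale /etc/krb5.keytab, or (Dmitri's DNS/KDC
    # hypothesis) a /etc/krb5.conf that sends the client to the wrong KDC.
    n = tgt_errors.get(KDC_UNKNOWN, 0)
    if n:
        findings.append(f"sssd: {n} host-keytab TGT failure(s) ({KDC_UNKNOWN}); "
                        "verify /etc/krb5.keytab against the IPA server and the KDC in /etc/krb5.conf")
    if unknown_users:
        findings.append("sshd: rejected logins for user(s) NSS could not resolve: "
                        + ", ".join(sorted(unknown_users)) + "; confirm with 'getent passwd <user>'")
    if n and unknown_users:
        # Rob's point: the ssh rejections are a consequence of failing user lookups.
        findings.append("root cause: sssd user lookup is failing; the ssh rejections should clear "
                        "once 'getent passwd' resolves IPA users")
    return {"unknown_users": dict(unknown_users), "tgt_errors": dict(tgt_errors), "findings": findings}


if __name__ == "__main__":
    for finding in triage(SECURE_LOG, LDAP_CHILD_LOG)["findings"]:
        print("-", finding)
```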