[Freeipa-users] Freeipa-users Digest, Vol 46, Issue 10

Dmitri Pal dpal at redhat.com
Wed May 2 21:37:37 UTC 2012


On 05/02/2012 04:59 PM, Steven Bernstein wrote:
> Free IPA List peeps,
>
> I'm looking to set up FreeIPA on a Fedora 14 or 15 server I'm setting
> up at home.  I came across a reference at one point dealing with smart
> cards being associated with the user's that hold them.
>
> I can't find the reference at this point and was wondering if there
> might be a list on the Wiki or someplace that details the errors that
> come back when trying to initialize or register a smart card with the
> server?
>

Smart card support has been on our road map for some time but it is not
implemented yet.
Maybe you are confusing us with the Dogtag project that we leverage for the
certificate management. It supports SC management and provisioning for
end users.
IPA can handle certs for hosts and services only for the time being.

HTH
Dmitri

> Thanks so much!
>
> Steven
>
> On Wed, May 2, 2012 at 1:57 PM, <freeipa-users-request at redhat.com
> <mailto:freeipa-users-request at redhat.com>> wrote:
>
>     Today's Topics:
>
>       1. Re: red hat 5 and red hat 6 compatability (Matthew Davidson)
>       2. Re: red hat 5 and red hat 6 compatability (Dmitri Pal)
>
>
>     ----------------------------------------------------------------------
>
>     Message: 1
>     Date: Wed, 2 May 2012 14:50:06 -0400
>     From: Matthew Davidson <matt at mldserviceslex.com>
>     To: <dpal at redhat.com>, <freeipa-users at redhat.com>
>     Subject: Re: [Freeipa-users] red hat 5 and red hat 6 compatability
>     Message-ID: <SNT104-W395AFEBCC767D220CA34AAA32E0 at phx.gbl>
>     Content-Type: text/plain; charset="iso-8859-1"
>
>
>     Dmitri,
>     1) Do you have admin account on IPA side?
>     Yes. And judging by the command below admin does log in, or am I
>     mistaken?
>     [root at rhel5 ~]# kinit admin
>     Password for admin at EXAMPLE.COM:
>     [root at rhel5 ~]# klist
>     Ticket cache: FILE:/tmp/krb5cc_0
>     Default principal: admin at EXAMPLE.COM
>     Valid starting     Expires            Service principal
>     05/02/12 14:47:40  05/03/12 14:47:36  krbtgt/EXAMPLE.COM at EXAMPLE.COM
>     Kerberos 4 ticket cache: /tmp/tkt0
>     klist: You have no tickets cached
>     2) Is there a firewall between client and server? Is LDAP and
>     LDAPS allowed via the FW?
>     No firewall. shut those down at the first sign of trouble.
>
>     Thanks
>     Matt
>     Date: Wed, 2 May 2012 13:51:15 -0400
>     From: dpal at redhat.com
>     To: freeipa-users at redhat.com
>     Subject: Re: [Freeipa-users] red hat 5 and red hat 6 compatability
>
>     On 05/02/2012 12:43 PM, Matthew Davidson wrote:
>
>         Hi Rob
>
>         [root at rhel5 ~]# ipa-client-install --domain=EXAMPLE.COM --server=rhel6.example.com
>         DNS domain 'example.com' is not configured for automatic KDC address lookup.
>         KDC address will be set to fixed value.
>
>         Discovery was successful!
>         Hostname: rhel6.example.com
>         Realm: EXAMPLE.COM
>         DNS Domain: EXAMPLE.COM
>         IPA Server: rhel6.example.com
>         BaseDN: dc=example,dc=com
>
>         Continue to configure the system with these values? [no]: yes
>         User authorized to enroll computers: admin
>         Synchronizing time with KDC...
>         Password for admin at EXAMPLE.COM:
>
>         Enrolled in IPA realm EXAMPLE.COM
>         Created /etc/ipa/default.conf
>         Configured /etc/sssd/sssd.conf
>         Configured /etc/krb5.conf for IPA realm EXAMPLE.COM
>         SSSD enabled
>         Unable to find 'admin' user with 'getent passwd admin'!
>
>     1) Do you have admin account on IPA side?
>
>     2) Is there a firewall between client and server? Is LDAP and LDAPS
>     allowed via the FW?
>
>         Recognized configuration: SSSD
>         Changed configuration of /etc/ldap.conf to use hardcoded server name: rhel6.example.com
>         NTP enabled
>         Client configuration complete.
>
>         /var/log/secure
>         May  2 12:31:14 rhel5 sshd[3250]: Invalid user mdavidson from 192.168.1.5
>         May  2 12:31:14 rhel5 sshd[3251]: input_userauth_request: invalid user mdavidson
>         May  2 12:31:19 rhel5 sshd[3250]: pam_unix(sshd:auth): check pass; user unknown
>         May  2 12:31:19 rhel5 sshd[3250]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=rhel6.example.com
>         May  2 12:31:19 rhel5 sshd[3250]: pam_succeed_if(sshd:auth): error retrieving information about user mdavidson
>         May  2 12:31:21 rhel5 sshd[3250]: Failed password for invalid user mdavidson from 192.168.1.5 port 52511 ssh2
>
>         /var/log/sssd/ldap_child.log
>         (Wed May  2 11:52:08 2012) [[sssd[ldap_child[3091]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
>         (Wed May  2 12:31:14 2012) [[sssd[ldap_child[3252]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
>         (Wed May  2 12:31:14 2012) [[sssd[ldap_child[3253]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
>         (Wed May  2 12:31:14 2012) [[sssd[ldap_child[3254]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
>         (Wed May  2 12:31:14 2012) [[sssd[ldap_child[3255]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
>         (Wed May  2 12:31:14 2012) [[sssd[ldap_child[3256]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
>
>         /var/log/sssd/sssd.log
>         (Tue May  1 13:53:26 2012) [sssd] [monitor_quit] (0): Monitor received Terminated: terminating children
>         (Wed May  2 11:34:59 2012) [sssd] [monitor_quit] (0): Monitor received Terminated: terminating children
>
>         thanks for helping!
>         Matt
>
>         > Date: Wed, 2 May 2012 11:30:52 -0400
>         > From: rcritten at redhat.com
>         > To: matt at mldserviceslex.com
>         > CC: freeipa-users at redhat.com
>         > Subject: Re: [Freeipa-users] red hat 5 and red hat 6 compatability
>         >
>         > Matthew Davidson wrote:
>         > > To clarify one point.
>         > >
>         > > I used the current redhat documents to setup the two systems.
>         > >
>         > > Red_Hat_Enterprise_Linux-5-Configuring_Identity_Management-en-US
>         > >
>         > > Red_Hat_Enterprise_Linux-6-Identity_Management_Guide-en-US
>         > >
>         > > SSH does not seem to be discussed and that is when I started web surfing
>         > > in an attempt to fix my problem before reaching out for help.
>         >
>         > A host service principal is created during enrollment so no additional
>         > work should be needed for SSH to work. The problem you're having is
>         > related to the fact that user lookup services are failing.
>         >
>         > Can you look in /var/log/secure and/or /var/log/sssd/* to see if there
>         > are any errors reported regarding sssd?
>         >
>         > What options did you pass to ipa-client-install?
>         >
>         > rob
>
>
>
>
>     _______________________________________________
>     Freeipa-users mailing list
>     Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
>     https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
>
>
>
>        --
>     Thank you,
>     Dmitri Pal
>
>     Sr. Engineering Manager IPA project,
>     Red Hat Inc.
>
>
>     -------------------------------
>     Looking to carve out IT costs?
>     www.redhat.com/carveoutcosts/ <http://www.redhat.com/carveoutcosts/>
>
>     ------------------------------
>
>     Message: 2
>     Date: Wed, 02 May 2012 14:57:24 -0400
>     From: Dmitri Pal <dpal at redhat.com>
>     To: Matthew Davidson <matt at mldserviceslex.com>
>     Cc: freeipa-users at redhat.com
>     Subject: Re: [Freeipa-users] red hat 5 and red hat 6 compatability
>     Message-ID: <4FA18394.7080507 at redhat.com>
>     Content-Type: text/plain; charset="iso-8859-1"
>
>     On 05/02/2012 02:50 PM, Matthew Davidson wrote:
>     > Dmitri,
>     > 1) Do you have admin account on IPA side?
>     >
>     > Yes. And judging by the command below admin does log in, or am I
>     mistaken?
>     >
>     > [root at rhel5 ~]# kinit admin
>     > Password for admin at EXAMPLE.COM:
>     >
>     > [root at rhel5 ~]# klist
>     > Ticket cache: FILE:/tmp/krb5cc_0
>     > Default principal: admin at EXAMPLE.COM
>     >
>     > Valid starting     Expires            Service principal
>     > 05/02/12 14:47:40  05/03/12 14:47:36  krbtgt/EXAMPLE.COM at EXAMPLE.COM
>     >
>     > Kerberos 4 ticket cache: /tmp/tkt0
>     > klist: You have no tickets cached
>     >
>
>     Is this from the client or from the server? I bet on the server.
>     Rob might be right that the client fails to find the right
>     authentication server due to the DNS configuration.
>
>     > 2) Is there a firewall between client and server? Is LDAP and LDAPS
>     > allowed via the FW?
>     >
>     > No firewall. shut those down at the first sign of trouble.
>     >
>     > Thanks
>     > Matt
>     >
>
>
>     End of Freeipa-users Digest, Vol 46, Issue 10
>     *********************************************
>
>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
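Added example (written for this page; it is not code from the thread, from FreeIPA or from SSSD): a small Python triage script that applies Rob's diagnosis in the quoted digest above. Enrollment creates the host principal, yet sshd reports an IPA user as invalid, and at the same second SSSD's ldap_child logs "Failed to init credentials: Client not found in Kerberos database". The script parses both log formats Matt posted, pairs each sshd "Invalid user" event with SSSD host-TGT failures inside a short time window, and tells a responder whether the "invalid user" line means the account is missing or that the lookup backend was down. The log lines are constructed from the excerpts in the thread; the year is supplied by hand because syslog lines carry none, and the regexes, window and verdict strings are the script's own assumptions.

```python
"""Correlate sshd 'Invalid user' events with SSSD ldap_child TGT failures.

Hypothetical triage helper, not FreeIPA or SSSD code. When sshd cannot find a
user and SSSD failed to obtain the host's TGT at the same moment, the user
lookup backend was unavailable and the 'invalid user' message is not evidence
that the account does not exist.
"""
import re
from datetime import datetime, timedelta

# Constructed sample input, shaped like the lines quoted in the thread.
SECURE_LOG = """\
May  2 12:31:14 rhel5 sshd[3250]: Invalid user mdavidson from 192.168.1.5
May  2 12:31:14 rhel5 sshd[3251]: input_userauth_request: invalid user mdavidson
May  2 12:31:19 rhel5 sshd[3250]: pam_unix(sshd:auth): check pass; user unknown
May  2 12:31:19 rhel5 sshd[3250]: pam_succeed_if(sshd:auth): error retrieving information about user mdavidson
May  2 12:31:21 rhel5 sshd[3250]: Failed password for invalid user mdavidson from 192.168.1.5 port 52511 ssh2
"""

LDAP_CHILD_LOG = """\
(Wed May  2 11:52:08 2012) [[sssd[ldap_child[3091]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
(Wed May  2 12:31:14 2012) [[sssd[ldap_child[3252]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
(Wed May  2 12:31:14 2012) [[sssd[ldap_child[3253]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
"""

# sshd writes one "Invalid user X from IP" line per connection attempt.
SSHD_INVALID = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ "
    r"sshd\[\d+\]: Invalid user (?P<user>\S+) from (?P<src>\S+)$")

# ldap_child logs this when it cannot get a TGT for the host keytab principal.
LDAP_CHILD_FAIL = re.compile(
    r"^\((?P<ts>[^)]+)\) \[\[sssd\[ldap_child\[\d+\]\]\]\] "
    r"\[ldap_child_get_tgt_sync\] \(\d+\): Failed to init credentials: (?P<reason>.+)$")

KDC_UNKNOWN_CLIENT = "Client not found in Kerberos database"


def parse_secure(text, year):
    """Return [(timestamp, user, source)] for sshd 'Invalid user' lines.
    syslog lines carry no year, so the caller supplies it."""
    events = []
    for line in text.splitlines():
        m = SSHD_INVALID.match(line)
        if m:
            ts = datetime.strptime(
                f"{year} {m['mon']} {int(m['day'])} {m['time']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["user"], m["src"]))
    return events


def parse_ldap_child(text):
    """Return [(timestamp, reason)] for SSSD host-TGT failures."""
    events = []
    for line in text.splitlines():
        m = LDAP_CHILD_FAIL.match(line)
        if m:
            # ldap_child's own stamp includes weekday and year.
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
            events.append((ts, m["reason"]))
    return events


def correlate(secure_text, ldap_child_text, year, window=timedelta(seconds=2)):
    """Pair each sshd unknown-user event with SSSD TGT failures within `window`.

    Returns one dict per sshd event. The verdict names the KDC rejecting the
    host principal when that is the reason SSSD logged at the same moment.
    """
    tgt_failures = parse_ldap_child(ldap_child_text)
    findings = []
    for ts, user, src in parse_secure(secure_text, year):
        reasons = [r for fts, r in tgt_failures if abs(fts - ts) <= window]
        if any(KDC_UNKNOWN_CLIENT in r for r in reasons):
            verdict = "sssd-backend-down: KDC does not know the host principal"
        elif reasons:
            verdict = "sssd-backend-down: " + reasons[0]
        else:
            verdict = "no sssd failure nearby: user may really be unknown"
        findings.append({"time": ts.isoformat(), "user": user, "source": src,
                         "sssd_failures": len(reasons), "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in correlate(SECURE_LOG, LDAP_CHILD_LOG, year=2012):
        print(f"{f['time']} user={f['user']} from={f['source']} "
              f"sssd_failures={f['sssd_failures']} -> {f['verdict']}")
```

Run against the constructed excerpts, the 12:31:14 sshd event lands on two ldap_child failures and is classified as a backend outage, while the 11:52:08 failure is outside the window and ignored. In practice the window is the only tunable worth adjusting: SSSD retries the TGT for each lookup, so the failures cluster tightly around the login attempt that triggered them.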


