From abokovoy at redhat.com Sun Jun 1 11:01:00 2014 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Sun, 1 Jun 2014 14:01:00 +0300 Subject: [Freeipa-users] Trust services In-Reply-To: References: <5388FADE.1030007@redhat.com> Message-ID: <20140601110100.GG23849@redhat.com> On Fri, 30 May 2014, tizo wrote: >On Fri, May 30, 2014 at 6:40 PM, Dmitri Pal wrote: > >> On 05/30/2014 05:00 PM, tizo wrote: >> >> >> From: Alexander Bokovoy >> To: Sumit Bose >> Cc: freeipa-users redhat com >> Subject: Re: [Freeipa-users] Trust services >> Date: Thu, 29 May 2014 02:47:38 -0400 (EDT) >> >> ----- Original Message ----- >> > On Wed, May 28, 2014 at 10:47:13AM -0300, tizo wrote: >> > > I would like to know, if having configured trusts services between >> FreeIPA >> > > and Active Directory, allow AD users to authenticate in services that >> are >> > > only configured to authenticate against FreeIPA. >> > > >> > > For example, having configured the trusts, if I have a mail server >> that is >> > > using FreeIPA as its authentication method, can a user A from Active >> > > Directory, who does not exist in FreeIPA, authenticate in the mail >> server?. >> > >> > It depends a bit on how the users authenticate exactly because IPA >> > offers Kerberos and LDAP authentication. >> > >> > Kerberos should work out of the box because thats one of the trusts >> > components, trusting Kerberos tickets from the other domain/realm. >> > >> > For LDAP authentication you should be able to find the users from the >> > trusted domain in the compat tree below >> > cn=compat,dc=your,dc=ipa,dc=domain . To authenticate the user you can >> > do a LDAP bind with the DN form the compat tree and the password used in >> > AD. >> Please note that the latter is valid only for FreeIPA 3.3 and later. >> FreeIPA 3.0 does not support authentication over LDAP in the compat tree. >> -- >> / Alexander Bokovoy >> >> Ok. I will definitively use Kerberos. 
But looking at the diagram of page >> 22 in >> http://www.freeipa.org/images/1/1e/Devconf2013-linux-ad-integration-options.pdf >> I see that SSSD in the GNU/Linux host is authenticating against both Active >> Directory and FreeIPA. Does the email server that I mentioned before, have >> to be configured in a similar way that SSSD in the GNU/Linux host of the >> example? Or is just enough that it is configured against the FreeIPA >> Kerberos and nothing else?. >> >> >> You configure client (SSSD) to point to IPA but it will discover that IPA >> is in trust relations and would know how to deal with tickets coming from >> AD side. >> This is why there are two arrows. They show communication. >> > >Ok. And what about a mail server?. We are planning to use Zimbra, and we >want that users from both FreeIPA and AD use it. Could we just configure it >to authenticate against FreeIPA Kerberos?. Or do we have to make something >else?.

Here is the howto for Zimbra/FreeIPA LDAP integration: http://www.freeipa.org/page/Zimbra_Collaboration_Server_7.2_Authentication_and_GAL_lookups_against_FreeIPA Note that Zimbra 8.0 does support Kerberos authentication through the web interface, but the instructions outlined in Appendix B of the Zimbra Admin Guide only cover the case of using Active Directory to set up services and keytabs. It should be relatively simple to translate that one to the use of FreeIPA; if someone does so, please extend the page on freeipa.org to cover Kerberos details. -- / Alexander Bokovoy

From Johan.Petersson at sscspace.com Sun Jun 1 18:16:03 2014 From: Johan.Petersson at sscspace.com (Johan Petersson) Date: Sun, 1 Jun 2014 18:16:03 +0000 Subject: [Freeipa-users] IPA 3.3 with AD trust Samba File Sharing Message-ID: <558C15177F5E714F83334217C9A197DF016C528D8C@SSC-MBX2.ssc.internal> Hi, I found this thread from a year ago about Samba File Sharing in an IPA and AD trust setup and wonder if anything has changed regarding this kind of setup or is it still "uncharted territory"?
https://www.redhat.com/archives/freeipa-users/2013-April/msg00248.html I wonder since I am evaluating RHEL 7 and have set up a trust between IPA (3.3.3-28) and a Windows Server 2012 AD. Having a Samba file server on the same VM as an IPA replica is not desirable for security as well as other reasons. What would be interesting is to be able to have Home Directories and other shared directories shared through both NFS 4 and Samba. AD users as well as IPA users could access the Home Directories and group shares through NFS 4 on Linux and through Samba if they log in on a Windows PC. Regards, Johan

From sbose at redhat.com Mon Jun 2 07:55:23 2014 From: sbose at redhat.com (Sumit Bose) Date: Mon, 2 Jun 2014 09:55:23 +0200 Subject: [Freeipa-users] Trust services In-Reply-To: References: <5388FADE.1030007@redhat.com> Message-ID: <20140602075523.GT30381@localhost.localdomain> On Fri, May 30, 2014 at 09:23:58PM -0300, tizo wrote: > On Fri, May 30, 2014 at 6:40 PM, Dmitri Pal wrote: > > > On 05/30/2014 05:00 PM, tizo wrote: > > > > > > From: Alexander Bokovoy > > To: Sumit Bose > > Cc: freeipa-users redhat com > > Subject: Re: [Freeipa-users] Trust services > > Date: Thu, 29 May 2014 02:47:38 -0400 (EDT) > > > > ----- Original Message ----- > > > On Wed, May 28, 2014 at 10:47:13AM -0300, tizo wrote: > > > > I would like to know, if having configured trusts services between > > FreeIPA > > > > and Active Directory, allow AD users to authenticate in services that > > are > > > > only configured to authenticate against FreeIPA.
> > > > > > > > For example, having configured the trusts, if I have a mail server > > that is > > > > using FreeIPA as its authentication method, can a user A from Active > > > > Directory, who does not exist in FreeIPA, authenticate in the mail > > server?. > > > > > > It depends a bit on how the users authenticate exactly because IPA > > > offers Kerberos and LDAP authentication. > > > > > > Kerberos should work out of the box because thats one of the trusts > > > components, trusting Kerberos tickets from the other domain/realm. > > > > > > For LDAP authentication you should be able to find the users from the > > > trusted domain in the compat tree below > > > cn=compat,dc=your,dc=ipa,dc=domain . To authenticate the user you can > > > do a LDAP bind with the DN form the compat tree and the password used in > > > AD. > > Please note that the latter is valid only for FreeIPA 3.3 and later. > > FreeIPA 3.0 does not support authentication over LDAP in the compat tree. > > -- > > / Alexander Bokovoy > > > > Ok. I will definitively use Kerberos. But looking at the diagram of page > > 22 in > > http://www.freeipa.org/images/1/1e/Devconf2013-linux-ad-integration-options.pdf > > I see that SSSD in the GNU/Linux host is authenticating against both Active > > Directory and FreeIPA. Does the email server that I mentioned before, have > > to be configured in a similar way that SSSD in the GNU/Linux host of the > > example? Or is just enough that it is configured against the FreeIPA > > Kerberos and nothing else?. > > > > > > You configure client (SSSD) to point to IPA but it will discover that IPA > > is in trust relations and would know how to deal with tickets coming from > > AD side. > > This is why there are two arrows. They show communication. > > > > Ok. And what about a mail server?. We are planning to use Zimbra, and we > want that users from both FreeIPA and AD use it. Could we just configure it > to authenticate against FreeIPA Kerberos?. 
Or do we have to make something > else?.

If your question is about which domain the mail server shall join, then in general you can choose either AD or IPA because of the trust relationship. Nevertheless I would recommend joining the IPA domain because currently the support for IPA users accessing services in the Active Directory domain is quite limited.

If your question is about authenticating users with their Kerberos password via SSSD, you just have to configure the IPA domain in sssd.conf. As Dmitri said, SSSD will figure out that there is a trust relationship and will direct authentication requests of AD users to an AD DC. In general no additional configuration is needed. If you are seeing issues, please note the following. AD users are authenticated directly against an AD DC; the IPA server is not involved at all in the authentication process because AD is the only authoritative source to authenticate AD users. To be able to find an appropriate AD DC, SSSD uses DNS SRV records, i.e. DNS on the client running SSSD must be configured to resolve records from the AD domains. By default SSSD on an IPA client uses the IPA server as DNS server, and since the IPA server was able to create the trust it can be assumed that DNS on the IPA server is configured correctly. To just check DNS you can call

dig SRV _ldap._tcp.AD.DOMAIN

(where you replace AD.DOMAIN with your AD DNS domain name) on the IPA client.
HTH bye, Sumit > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users

From tizone at gmail.com Mon Jun 2 11:47:01 2014 From: tizone at gmail.com (tizo) Date: Mon, 2 Jun 2014 08:47:01 -0300 Subject: [Freeipa-users] IPA 3.3 with AD trust Samba File Sharing In-Reply-To: <558C15177F5E714F83334217C9A197DF016C528D8C@SSC-MBX2.ssc.internal> References: <558C15177F5E714F83334217C9A197DF016C528D8C@SSC-MBX2.ssc.internal> Message-ID: On Sun, Jun 1, 2014 at 3:16 PM, Johan Petersson < Johan.Petersson at sscspace.com> wrote: > Hi, > > I found this thread from a year ago about Samba File Sharing in a IPA > and AD trust setup and wonder if anything have changed regarding this kind > of setup or is it still "uncharted territory"? > > https://www.redhat.com/archives/freeipa-users/2013-April/msg00248.html > > I wonder since i am evaluating RHEL 7 and have setup a trust between IPA > (3.3.3-28) and a Windows Server 2012 AD. > > Having a Samba file server on the same VM as a IPA replica is not > desirable for security as well as other reasons. > > What would be interesting is to be able to have Home Directories and > other shared directories shared through both NFS 4 and Samba. AD users as > well as IPA users could access the Home Directories and group shares > through NFS 4 on Linux and through Samba if they log in on a Windows PC. > >

I'm just starting to learn about FreeIPA, but I have exactly what you describe in production without it. The files are shared through Samba for AD users, and through NFS for users of the other authentication system, that is Kerberos + OpenLDAP. Despite some technical details about SID to UID mappings (because we have some users in both systems), it works great. I am guessing here, but I think there would be no problem implementing the same thing with FreeIPA.
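Sumit's `dig SRV _ldap._tcp.AD.DOMAIN` check in the Trust services thread above is the one a practitioner ends up scripting when an IPA client cannot authenticate AD users: if the client's resolver returns no SRV answer for the AD domain, SSSD has no DC to talk to. The Python below is an added example, not code from the list or from the FreeIPA or SSSD projects. It parses the answer section of `dig` output into SRV records, orders them by RFC 2782 priority and weight, and reports whether DC discovery can succeed. The AD domain `ad.example.test`, the host names, and the `dig` output are constructed samples; `run_dig` is a hypothetical helper that only runs when `dig` is installed.

```python
import re
import shutil
import subprocess
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample of `dig SRV _ldap._tcp.ad.example.test` output (not real DNS data).
SAMPLE_DIG_OUTPUT = """\
; <<>> DiG 9.9.4 <<>> SRV _ldap._tcp.ad.example.test
;; QUESTION SECTION:
;_ldap._tcp.ad.example.test.    IN  SRV

;; ANSWER SECTION:
_ldap._tcp.ad.example.test. 600 IN SRV 0 100 389 dc1.ad.example.test.
_ldap._tcp.ad.example.test. 600 IN SRV 0 50 389 dc2.ad.example.test.
_ldap._tcp.ad.example.test. 600 IN SRV 10 100 389 dc-backup.ad.example.test.

;; Query time: 1 msec
"""


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


# One SRV answer line: owner TTL IN SRV priority weight port target
SRV_LINE = re.compile(
    r"^(?P<name>\S+)\s+\d+\s+IN\s+SRV\s+"
    r"(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)\s*$"
)


def parse_srv_answer(dig_output: str) -> List[SrvRecord]:
    """Extract SRV records from dig's answer section; comment/question lines start with ';'."""
    records = []
    for line in dig_output.splitlines():
        if line.startswith(";"):
            continue
        m = SRV_LINE.match(line)
        if m:
            records.append(SrvRecord(int(m["prio"]), int(m["weight"]),
                                     int(m["port"]), m["target"].rstrip(".")))
    return records


def order_by_preference(records: List[SrvRecord]) -> List[SrvRecord]:
    """RFC 2782 order: lowest priority first, then higher weight first.

    A real client (SSSD included) picks among equal-priority targets at random
    in proportion to weight; the deterministic sort here makes the result checkable.
    """
    return sorted(records, key=lambda r: (r.priority, -r.weight, r.target))


def check_dc_discovery(dig_output: str) -> Dict[str, object]:
    """Report whether the client's resolver can find any AD DC via _ldap._tcp SRV records."""
    records = order_by_preference(parse_srv_answer(dig_output))
    if not records:
        return {"ok": False, "dcs": [],
                "reason": "no SRV answer: the client's DNS cannot resolve the AD domain's records"}
    return {"ok": True, "dcs": [f"{r.target}:{r.port}" for r in records], "reason": ""}


def run_dig(ad_domain: str) -> str:
    """Hypothetical helper: run Sumit's check for real. Requires dig (bind-utils)."""
    dig = shutil.which("dig")
    if dig is None:
        raise RuntimeError("dig is not installed")
    proc = subprocess.run([dig, "SRV", f"_ldap._tcp.{ad_domain}"],
                          capture_output=True, text=True, check=False)
    return proc.stdout


if __name__ == "__main__":
    import sys
    # With an AD domain on the command line the live resolver is queried; otherwise the sample is used.
    output = run_dig(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_DIG_OUTPUT
    print(check_dc_discovery(output))
```

Run it on the IPA client, as Sumit suggests, rather than on the IPA server: the point of the check is the resolver the SSSD client actually uses.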
From tizone at gmail.com Mon Jun 2 12:26:41 2014 From: tizone at gmail.com (tizo) Date: Mon, 2 Jun 2014 09:26:41 -0300 Subject: [Freeipa-users] Trust services In-Reply-To: <20140602075523.GT30381@localhost.localdomain> References: <5388FADE.1030007@redhat.com> <20140602075523.GT30381@localhost.localdomain> Message-ID: On Mon, Jun 2, 2014 at 4:55 AM, Sumit Bose wrote: > On Fri, May 30, 2014 at 09:23:58PM -0300, tizo wrote: > > On Fri, May 30, 2014 at 6:40 PM, Dmitri Pal wrote: > > > > > On 05/30/2014 05:00 PM, tizo wrote: > > > > > > > > > From: Alexander Bokovoy > > > To: Sumit Bose > > > Cc: freeipa-users redhat com > > > Subject: Re: [Freeipa-users] Trust services > > > Date: Thu, 29 May 2014 02:47:38 -0400 (EDT) > > > > > > ----- Original Message ----- > > > > On Wed, May 28, 2014 at 10:47:13AM -0300, tizo wrote: > > > > > I would like to know, if having configured trusts services between > > > FreeIPA > > > > > and Active Directory, allow AD users to authenticate in services > that > > > are > > > > > only configured to authenticate against FreeIPA. > > > > > > > > > > For example, having configured the trusts, if I have a mail server > > > that is > > > > > using FreeIPA as its authentication method, can a user A from > Active > > > > > Directory, who does not exist in FreeIPA, authenticate in the mail > > > server?. > > > > > > > > It depends a bit on how the users authenticate exactly because IPA > > > > offers Kerberos and LDAP authentication. > > > > > > > > Kerberos should work out of the box because thats one of the trusts > > > > components, trusting Kerberos tickets from the other domain/realm. > > > > > > > > For LDAP authentication you should be able to find the users from the > > > > trusted domain in the compat tree below > > > > cn=compat,dc=your,dc=ipa,dc=domain . To authenticate the user you can > > > > do a LDAP bind with the DN form the compat tree and the password > used in > > > > AD.
> > > Please note that the latter is valid only for FreeIPA 3.3 and later. > > > FreeIPA 3.0 does not support authentication over LDAP in the compat > tree. > > > -- > > > / Alexander Bokovoy > > > > > > Ok. I will definitively use Kerberos. But looking at the diagram of > page > > > 22 in > > > > http://www.freeipa.org/images/1/1e/Devconf2013-linux-ad-integration-options.pdf > > > I see that SSSD in the GNU/Linux host is authenticating against both > Active > > > Directory and FreeIPA. Does the email server that I mentioned before, > have > > > to be configured in a similar way that SSSD in the GNU/Linux host of > the > > > example? Or is just enough that it is configured against the FreeIPA > > > Kerberos and nothing else?. > > > > > > > > > You configure client (SSSD) to point to IPA but it will discover that > IPA > > > is in trust relations and would know how to deal with tickets coming > from > > > AD side. > > > This is why there are two arrows. They show communication. > > > > > > > Ok. And what about a mail server?. We are planning to use Zimbra, and we > > want that users from both FreeIPA and AD use it. Could we just configure > it > > to authenticate against FreeIPA Kerberos?. Or do we have to make > something > > else?. > > If your question is about which domain the mail server shall join then > in general you can choose either AD or IPA because of the trust > relationship. Nevertheless I would recommend to join the IPA domain > because currently the support for IPA users accessing services in the > Active Directory domain is quite limited. > > If you question is about authentication users with their Kerberos > password via SSSD you just have to configure the IPA domain in > sssd.conf. As Dmitri said SSSD will figure out that there is a trust > relationship and will direct authentication request of AD users to a AD > DC. In general no additional configuration is needed. If you are seeing > issues please note the following. 
AD user are authenticate directly > against AD DC, the IPA server is not involved at all in the > authentication process because AD is the only authoritative source to > authenticate AD users. To be able find find an appropriate AD DC SSSD > uses DNS SRV records, i.e. DNS on the client running SSSD must be > configured to resolve records from the AD domains. By default SSSD on an > IPA client use the IPA server as DNS server and hence the IPA server was > able to create the trust it can be assumed that DNS on the IPA server is > configured correctly. > > To just check DNS you can call > > dig SRV _ldap._tcp.AD.DOMAIN > > (where you replace AD.DOMAIN with your AD DNS domain name) on the IPA > client. > > HTH > >

Yes, it does help. Thank you Sumit, Alexander and Dmitri. As for now, I just wanted to know whether it was possible for users from both systems to use the mail server. AFAICS from your responses, it can be possible. I will shortly start to test FreeIPA and to make some proofs of concept to demonstrate that our goals can be reached. At that time, I will probably come back here to ask some technical details. Again, thanks very much.

From Steven.Jones at vuw.ac.nz Mon Jun 2 21:08:40 2014 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Mon, 2 Jun 2014 21:08:40 +0000 Subject: [Freeipa-users] Setting up IPA to log remotely In-Reply-To: References: <5388FADE.1030007@redhat.com> <20140602075523.GT30381@localhost.localdomain>, Message-ID: <1401743319921.59865@vuw.ac.nz> Is there a way to get IPA to send its logs remotely? regards Steven
From rcritten at redhat.com Mon Jun 2 21:27:09 2014 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 02 Jun 2014 17:27:09 -0400 Subject: [Freeipa-users] Setting up IPA to log remotely In-Reply-To: <1401743319921.59865@vuw.ac.nz> References: <5388FADE.1030007@redhat.com> <20140602075523.GT30381@localhost.localdomain>, <1401743319921.59865@vuw.ac.nz> Message-ID: <538CEC2D.6010401@redhat.com> Steven Jones wrote: > Is there a way to get IPA to send its logs remotely?

We intend to do something like this with audit, most likely using the systemd journal, but it's a ways off. For now you'd need to do it manually on a per-service basis. I'd suggest looking at rsyslogd. You should be able to at least get the Apache and 389-ds logs using that. rob

From Steven.Jones at vuw.ac.nz Tue Jun 3 00:42:32 2014 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Tue, 3 Jun 2014 00:42:32 +0000 Subject: [Freeipa-users] Setting up IPA to log remotely In-Reply-To: <538CEC2D.6010401@redhat.com> References: <5388FADE.1030007@redhat.com> <20140602075523.GT30381@localhost.localdomain>, <1401743319921.59865@vuw.ac.nz>,<538CEC2D.6010401@redhat.com> Message-ID: <1401756152366.35339@vuw.ac.nz> Hi, I'll raise a request for this to be added then. It's a bit of an enterprise requirement feature that is of use to us. Not having much luck with rsyslog and application logs at the moment; good and accurate docs seem lacking for RHEL6. regards Steven ________________________________________ From: Rob Crittenden Sent: Tuesday, 3 June 2014 9:27 a.m. To: Steven Jones Cc: freeipa-users at redhat.com Subject: Re: [Freeipa-users] Setting up IPA to log remotely Steven Jones wrote: > Is there a way to get IPA to send its logs remotely? We intend to do something like this with audit, most likely using the systemd journal, but it's a ways off. For now you'd need to do it manually on a per-service basis. I'd suggest looking at rsyslogd.
You should be able to at least get the Apache and 389-ds logs using that. rob

From bpk678 at gmail.com Tue Jun 3 02:26:09 2014 From: bpk678 at gmail.com (Brendan Kearney) Date: Mon, 02 Jun 2014 22:26:09 -0400 Subject: [Freeipa-users] Setting up IPA to log remotely In-Reply-To: <1401756152366.35339@vuw.ac.nz> References: <5388FADE.1030007@redhat.com> <20140602075523.GT30381@localhost.localdomain> , <1401743319921.59865@vuw.ac.nz>,<538CEC2D.6010401@redhat.com> <1401756152366.35339@vuw.ac.nz> Message-ID: <1401762369.1053.7.camel@desktop.bpk2.com> On Tue, 2014-06-03 at 00:42 +0000, Steven Jones wrote: > Hi, > > I'll raise a request for this to be added then. > > Its a bit of an enterprise requirement feature that is of use for us. > > Not having much luck with rsyslog and application logs at the moment, good and accurate docs seem lacking for RHEL6. > > regards > > Steven > ________________________________________ > From: Rob Crittenden > Sent: Tuesday, 3 June 2014 9:27 a.m. > To: Steven Jones > Cc: freeipa-users at redhat.com > Subject: Re: [Freeipa-users] Setting up IPA to log remotely > > Steven Jones wrote: > > Is there a way to get IPA to send its logs remotely? > > We intend to do something like this with audit, most likely using the > systemd journal, but it's a ways off. > > For now you'd need to do it manually on a per-service basis. I'd suggest > looking at rsyslogd. You should be able to at least get the Apache and > 389-ds logs using that. > > rob > > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users

Check out http://www.rsyslog.com/doc/master/index.html for good and accurate docs. I am using Fedora 16 and 20 with RELP, forwarding syslog from everywhere to a central location, and then dumping the logs into MySQL. phplogcon bolts on top of it for a web view of all the logs.
On a sending source:

$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$SystemLogRateLimitInterval 0
$IMUXSockRateLimitInterval 0

$ModLoad imklog # provides kernel logging support (previously done by rklogd)
#$ModLoad immark # provides --MARK-- message capability

# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514

# Provides RELP transmission
$ModLoad omrelp
*.* :omrelp:192.168.25.1:20514;RSYSLOG_ForwardFormat
&~

On a receiving destination:

$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$SystemLogRateLimitInterval 0
$IMUXSockRateLimitInterval 0

$ModLoad imklog # provides kernel logging support (previously done by rklogd)
#$ModLoad immark # provides --MARK-- message capability

# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514

# Provides RELP reception
$ModLoad imrelp
$InputRELPServerRun 20514

# Provides MySQL connectivity
$ModLoad ommysql
# MASSIVE INSERT RATE FOR DB / SCALED DB LOGGING
$WorkDirectory /var/spool/rsyslog # default location for work (spool) files
$ActionQueueType LinkedList # use asynchronous processing
$ActionQueueFileName dbq # set file name, also enables disk mode
$ActionResumeRetryCount -1 # infinite retries on insert failure
# for PostgreSQL replace :ommysql: by :ompgsql: below:
*.* :ommysql:server.domain.tld,Syslog,user,password

From Duncan.Innes at virginmoney.com Tue Jun 3 08:37:58 2014 From: Duncan.Innes at virginmoney.com (Innes, Duncan) Date: Tue, 3 Jun 2014 09:37:58 +0100 Subject: [Freeipa-users] Setting up IPA to log remotely In-Reply-To: <1401762369.1053.7.camel@desktop.bpk2.com> References: <5388FADE.1030007@redhat.com><20140602075523.GT30381@localhost.localdomain>, <1401743319921.59865@vuw.ac.nz>, <538CEC2D.6010401@redhat.com><1401756152366.35339@vuw.ac.nz>
<1401762369.1053.7.camel@desktop.bpk2.com> Message-ID: <56343345B145C043AE990701E3D193950478DE2E@EXVS2.nrplc.localnet> I'm starting to log IPA to a central point too. I'd hoped the A part of IPA would have arrived, but other functionality has pushed it down the priority list. Would be good to see it arrive as something integrated with systemd/journald with fully separated log fields instead of a simple log text line.

For now, rsyslog does a decent job of sending the logs over the network and I'm using logstash to parse logs and pop them into elasticsearch for analysing via Kibana. I've had most trouble with the rsyslog side of things, but that's because I tried to get rsyslog to send in JSON format rather than plain text. Once I reined in my ambition, it proved to be somewhat easier. All I've added to a RHEL6 client is a file /etc/rsyslog.d/logstash.conf with contents:

*.* @logstash.example.com:5544

and (firewalls permitting) my logs end up at the logstash server for parsing.

Duncan

> -----Original Message----- > From: freeipa-users-bounces at redhat.com > [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Brendan Kearney > Sent: 03 June 2014 03:26 > To: Steven Jones > Cc: freeipa-users at redhat.com > Subject: Re: [Freeipa-users] Setting up IPA to log remotely > > On Tue, 2014-06-03 at 00:42 +0000, Steven Jones wrote: > > Hi, > > > > I'll raise a request for this to be added then. > > > > Its a bit of an enterprise requirement feature that is of > use for us. > > > > Not having much luck with rsyslog and application logs at > the moment, good and accurate docs seem lacking for RHEL6. > > > > regards > > > > Steven > > ________________________________________ > > From: Rob Crittenden > > Sent: Tuesday, 3 June 2014 9:27 a.m. > > To: Steven Jones > > Cc: freeipa-users at redhat.com > > Subject: Re: [Freeipa-users] Setting up IPA to log remotely > > > > Steven Jones wrote: > > > Is there a way to get IPA to send its logs remotely?
> > > > We intend to do something like this with audit, most likely > using the > > systemd journal, but it's a ways off. > > > > For now you'd need to do it manually on a per-service basis. I'd > > suggest looking at rsyslogd. You should be able to at least get the > > Apache and 389-ds logs using that. > > > > rob > > > > > > > > _______________________________________________ > > Freeipa-users mailing list > > Freeipa-users at redhat.com > > https://www.redhat.com/mailman/listinfo/freeipa-users > > check out http://www.rsyslog.com/doc/master/index.html for > good and accurate docs. i am using fedora 16 and 20 with > RELP, fowarding syslog from everywhere to a central location, > and then dumping the logs into mysql. phplogcon bolts on top > of it for a web view of all the logs. > > on a sending source: > $ModLoad imuxsock # provides support for local system logging > (e.g. via logger command) $SystemLogRateLimitInterval 0 > $IMUXSockRateLimitInterval 0 > > $ModLoad imklog # provides kernel logging support > (previously done by > rklogd) > #$ModLoad immark # provides --MARK-- message capability > > # Provides UDP syslog reception > $ModLoad imudp > $UDPServerRun 514 > > # Provides TCP syslog reception > $ModLoad imtcp > $InputTCPServerRun 514 > > # Provides RELP transmission > $ModLoad omrelp > *.* :omrelp:192.168.25.1:20514;RSYSLOG_ForwardFormat > &~ > > on a receiving destination: > $ModLoad imuxsock # provides support for local system logging > (e.g. 
via logger command) $SystemLogRateLimitInterval 0 > $IMUXSockRateLimitInterval 0 > > $ModLoad imklog # provides kernel logging support > (previously done by > rklogd) > #$ModLoad immark # provides --MARK-- message capability > > # Provides UDP syslog reception > $ModLoad imudp > $UDPServerRun 514 > > # Provides TCP syslog reception > $ModLoad imtcp > $InputTCPServerRun 514 > > # Provides RELP reception > $ModLoad imrelp > $InputRELPServerRun 20514 > > # Provides MySQL connectivity > $ModLoad ommysql > # MASSIVE INSERT RATE FOR DB / SCALED DB LOGGING > $WorkDirectory /var/spool/rsyslog # default location for work > (spool) files $ActionQueueType LinkedList # use asynchronous > processing > $ActionQueueFileName dbq # set file name, also enables disk mode > $ActionResumeRetryCount -1 # infinite retries on insert > failure # for PostgreSQL replace :ommysql: by :ompgsql: below: > *.* :ommysql:server.domain.tld,Syslog,user,password > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users
From jokajak at gmail.com Tue Jun 3 10:53:33 2014 From: jokajak at gmail.com (Josh) Date: Tue, 3 Jun 2014 06:53:33 -0400 Subject: [Freeipa-users] Setting up IPA to log remotely In-Reply-To: <56343345B145C043AE990701E3D193950478DE2E@EXVS2.nrplc.localnet> References: <5388FADE.1030007@redhat.com><20140602075523.GT30381@localhost.localdomain>, <1401743319921.59865@vuw.ac.nz>, <538CEC2D.6010401@redhat.com><1401756152366.35339@vuw.ac.nz> <1401762369.1053.7.camel@desktop.bpk2.com> <56343345B145C043AE990701E3D193950478DE2E@EXVS2.nrplc.localnet> Message-ID: On Jun 3, 2014, at 4:37 AM, Innes, Duncan wrote: > I'm starting to log IPA to a central point too. I'd hoped the A part of > IPA would have arrived, but other functionality has pushed it down the > priority list. Would be good to see it arrive as something integrated > with systemd/journald with fully separated log fields instead of a > simple log text line. > > For now, rsyslog does a decent job of sending the logs over the network > and I'm using logstash to parse logs and pop them into elasticsearch for > analysing via Kibana. I've had most trouble with the rsyslog side of > things, but that's because I tried to get rsyslog to send in JSON format > rather than plain text. Once I reigned in my ambition, it proved to be > somewhat easier - > Any chance you could share your kibana configuration?
> All I've added to RHEL6 client is a file /etc/rsyslog.d/logstash.conf > with contents: > > *.* @logstash.example.com:5544 > > and (firewalls permitting) my logs end up at the logstash server for > parsing. > > Duncan -josh

From Duncan.Innes at virginmoney.com Tue Jun 3 12:04:12 2014 From: Duncan.Innes at virginmoney.com (Innes, Duncan) Date: Tue, 3 Jun 2014 13:04:12 +0100 Subject: [Freeipa-users] Setting up IPA to log remotely In-Reply-To: References: <5388FADE.1030007@redhat.com><20140602075523.GT30381@localhost.localdomain>, <1401743319921.59865@vuw.ac.nz>, <538CEC2D.6010401@redhat.com><1401756152366.35339@vuw.ac.nz> <1401762369.1053.7.camel@desktop.bpk2.com> <56343345B145C043AE990701E3D193950478DE2E@EXVS2.nrplc.localnet> Message-ID: <56343345B145C043AE990701E3D193950478DE38@EXVS2.nrplc.localnet> Kibana just renders the data, so I have no specific configuration for that. My logstash config (mostly cribbed from logstash.net) is as follows:

/etc/logstash/conf.d/syslog.conf

Containing:

input {
  syslog {
    type => syslog
    port => 5544
  }
  udp {
    type => syslogjson
    port => 5500
    codec => "json"
  }
}

filter {
  # This replaces the host field (UDP source) with the host that generated the message (sysloghost)
  if [sysloghost] {
    mutate {
      replace => [ "host", "%{sysloghost}" ]
      remove_field => "sysloghost" # prune the field after successfully replacing "host"
    }
  }
}

output {
  elasticsearch {
    protocol => node
    node_name => "Indexer01"
  }
}

This is my dev cluster which runs a logstash-1.4.1 RPM install connecting to an elasticsearch cluster running on 3 workstations and a laptop. The UDP connection is only used by a single client, so could be ignored. This is the JSON sending that I referred to previously. Not entirely successful so far.
On my "prod" system I've also managed to write some grok filters:

/etc/logstash.conf

input {
  syslog {
    type => syslog
    port => 5544
  }
}

filter {
  if [type] == "syslog" {
    grok {
      patterns_dir => "/opt/logstash/patterns"
      match => { "message" => "%{BESPOKFW}" }
      match => { "message" => "%{AUDITAVC}" }
    }
  }
}

output {
  elasticsearch {
    embedded => true
    template_overwrite => true
    manage_template => false
  }
}

With /opt/logstash/patterns/bespokfw containing

NETFILTERMAC %{COMMONMAC:dst_mac}:%{COMMONMAC:src_mac}:%{ETHTYPE:ethtype}
ETHTYPE (?:(?:[A-Fa-f0-9]{2}):(?:[A-Fa-f0-9]{2}))
IPTABLES1 (?:%{WORD:vmfw}: IN=(%{WORD:in_device})? OUT=(%{WORD:out_device})? (MAC=%{NETFILTERMAC})?.*SRC=%{IP:src_ip} DST=%{IP:dst_ip}.*PROTO=%{WORD:proto}?.*SPT=%{INT:src_port}?.*DPT=%{INT:dst_port}?.*)
IPTABLES2 (?:%{WORD:vmfw}: IN=(%{WORD:in_device})? OUT=(%{WORD:out_device})? (MAC=%{NETFILTERMAC})?.*SRC=%{IP:src_ip} DST=%{IP:dst_ip}.*PROTO=%{INT:proto}?.*)
BESPOKFW (?:%{IPTABLES1}|%{IPTABLES2})

And /opt/logstash/patterns/auditavc containing

AVCDEV (%{NUMBER:devmaj}:%{NUMBER:devmin})
AUDITAVC (?:type=%{WORD:audit_type} audit\(%{NUMBER:audit_epoch}:%{NUMBER:audit_counter}\): avc:\s*%{WORD:avc_action}\s*\{ %{WORD:avc_type} \} for\s*pid=(%{NUMBER:avc_pid})? comm=\"(%{WORD:avc_comm})?\" %{WORD:avc_class}=\"(%{NOTSPACE:avc_class_value})?\"( dev=(%{AVCDEV:avc_dev})? ino=(%{NUMBER:avc_ino})?)? scontext=(%{NOTSPACE:avc_scontext})? tcontext=(%{NOTSPACE:avc_tcontext})? tclass=(%{WORD:avc_tclass})?)

This is running a tarball version of logstash (1.3.3 I think) with an embedded elasticsearch instance. Both work reasonably well. Am looking to bring more log data back at the moment (i.e. application specific logs).
Cheers

Duncan

> -----Original Message-----
> From: Josh [mailto:jokajak at gmail.com]
> Sent: 03 June 2014 11:54
> To: Innes, Duncan
> Cc: freeipa-users
> Subject: Re: [Freeipa-users] Setting up IPA to log remotely
>
>
> On Jun 3, 2014, at 4:37 AM, Innes, Duncan wrote:
>
> > I'm starting to log IPA to a central point too. I'd hoped the A part
> > of IPA would have arrived, but other functionality has pushed it down
> > the priority list. Would be good to see it arrive as something
> > integrated with systemd/journald with fully separated log fields
> > instead of a simple log text line.
> >
> > For now, rsyslog does a decent job of sending the logs over the
> > network and I'm using logstash to parse logs and pop them into
> > elasticsearch for analysing via Kibana. I've had most trouble with
> > the rsyslog side of things, but that's because I tried to get rsyslog
> > to send in JSON format rather than plain text. Once I reined in my
> > ambition, it proved to be somewhat easier -
> >
>
> Any chance you could share your kibana configuration?
>
> > All I've added to RHEL6 client is a file /etc/rsyslog.d/logstash.conf
> > with contents:
> >
> > *.* @logstash.example.com:5544
> >
> > and (firewalls permitting) my logs end up at the logstash server for
> > parsing.
> >
> > Duncan
>
> -josh
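The grok patterns above are composable regex fragments, and the quickest way to see what they actually extract is to run them. What follows is an added Python example, not part of Duncan's message and not logstash's own code: it implements the %{NAME:field} expansion that grok performs, compiles the patterns from /opt/logstash/patterns/bespokfw and /opt/logstash/patterns/auditavc (with the stray space in %{INT: dst_port} removed), and runs them over a few constructed syslog lines in the shape those patterns expect. The core patterns WORD, INT, NUMBER, NOTSPACE, IP and COMMONMAC are simplified stand-ins for logstash's (IPv4 only, for instance), and the sample lines are made up for the example rather than taken from a real host.

```python
"""Mini grok: expand %{NAME:field} references into Python named groups and
run the resulting regexes over syslog lines, much as logstash's grok filter
does with the pattern files shown in the message above."""
import re

# Simplified stand-ins for the grok core patterns the custom ones reference
# (assumption: IPv4-only IP, plain integers); these are not logstash's own.
CORE = {
    "WORD": r"\b\w+\b",
    "INT": r"(?:[+-]?(?:[0-9]+))",
    "NUMBER": r"(?:[+-]?(?:[0-9]+(?:\.[0-9]+)?))",
    "NOTSPACE": r"\S+",
    "IP": r"(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}"
          r"(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)",
    "COMMONMAC": r"(?:[A-Fa-f0-9]{2}:){5}[A-Fa-f0-9]{2}",
}

# The bespokfw and auditavc patterns as posted, with the stray space in
# %{INT: dst_port} removed (a field name cannot start with a space).
CUSTOM = {
    "NETFILTERMAC": r"%{COMMONMAC:dst_mac}:%{COMMONMAC:src_mac}:%{ETHTYPE:ethtype}",
    "ETHTYPE": r"(?:(?:[A-Fa-f0-9]{2}):(?:[A-Fa-f0-9]{2}))",
    "IPTABLES1": r"(?:%{WORD:vmfw}: IN=(%{WORD:in_device})? OUT=(%{WORD:out_device})? "
                 r"(MAC=%{NETFILTERMAC})?.*SRC=%{IP:src_ip} DST=%{IP:dst_ip}.*PROTO=%{WORD:proto}?"
                 r".*SPT=%{INT:src_port}?.*DPT=%{INT:dst_port}?.*)",
    "IPTABLES2": r"(?:%{WORD:vmfw}: IN=(%{WORD:in_device})? OUT=(%{WORD:out_device})? "
                 r"(MAC=%{NETFILTERMAC})?.*SRC=%{IP:src_ip} DST=%{IP:dst_ip}.*PROTO=%{INT:proto}?.*)",
    "AVCDEV": r"(%{NUMBER:devmaj}:%{NUMBER:devmin})",
    "AUDITAVC": r"(?:type=%{WORD:audit_type} audit\(%{NUMBER:audit_epoch}:%{NUMBER:audit_counter}\): "
                r"avc:\s*%{WORD:avc_action}\s*\{ %{WORD:avc_type} \} for\s*pid=(%{NUMBER:avc_pid})? "
                r'comm=\"(%{WORD:avc_comm})?\" %{WORD:avc_class}=\"(%{NOTSPACE:avc_class_value})?\"'
                r"( dev=(%{AVCDEV:avc_dev})? ino=(%{NUMBER:avc_ino})?)? scontext=(%{NOTSPACE:avc_scontext})? "
                r"tcontext=(%{NOTSPACE:avc_tcontext})? tclass=(%{WORD:avc_tclass})?)",
}
PATTERNS = {**CORE, **CUSTOM}

# A grok reference: %{NAME} or %{NAME:field}
REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def expand(name, depth=0):
    """Recursively replace %{NAME:field} with (?P<field>...) and %{NAME} with (?:...)."""
    if depth > 32:
        raise ValueError(f"pattern reference loop at {name}")

    def repl(m):
        inner = expand(m.group(1), depth + 1)
        return f"(?P<{m.group(2)}>{inner})" if m.group(2) else f"(?:{inner})"

    return REF.sub(repl, PATTERNS[name])


COMPILED = {name: re.compile(expand(name)) for name in CUSTOM}


def grok_match(line, names):
    """Try each named pattern in order, like several match entries in one grok block.
    Returns (pattern_name, fields) for the first hit, or (None, {}) if nothing matches.
    Optional groups that did not participate are dropped, as grok leaves such fields unset."""
    for name in names:
        m = COMPILED[name].search(line)
        if m:
            return name, {k: v for k, v in m.groupdict().items() if v is not None}
    return None, {}


# Constructed sample lines (not real captures) in the shape the patterns expect.
SAMPLES = [
    "Jun  3 11:54:01 fw01 kernel: vmfw: IN=eth0 OUT= MAC=00:16:3e:12:34:56:00:50:56:ab:cd:ef:08:00 "
    "SRC=10.0.0.5 DST=10.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF PROTO=TCP SPT=51234 DPT=22 "
    "WINDOW=29200 RES=0x00 SYN URGP=0",
    "Jun  3 11:54:02 fw01 kernel: vmfw: IN=eth0 OUT= MAC=01:00:5e:00:00:01:00:50:56:ab:cd:ef:08:00 "
    "SRC=10.0.0.1 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2",
    'Jun  3 11:54:03 web01 audispd: type=AVC audit(1401796441.123:4567): avc:  denied  { read } for  '
    'pid=2345 comm="httpd" name="index.html" dev=253:0 ino=131074 '
    'scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file',
    "Jun  3 11:54:04 web01 sshd[2210]: Accepted publickey for duncan from 10.0.0.9 port 50122 ssh2",
]

# Same order as the two match entries in the grok block: firewall patterns first, then AVC.
MATCH_ORDER = ["IPTABLES1", "IPTABLES2", "AUDITAVC"]


def parse_all(lines=SAMPLES):
    """Run the pattern list over every line; one (name, fields) tuple per line."""
    return [grok_match(line, MATCH_ORDER) for line in lines]


if __name__ == "__main__":
    for name, fields in parse_all():
        print(name, fields)
```

Like a grok block with several match entries, grok_match tries IPTABLES1 before IPTABLES2, so the port-less PROTO=2 line falls through to the numeric-protocol pattern, and the sshd line matches nothing (grok would tag it _grokparsefailure). Fields whose optional group did not participate, such as out_device on an inbound packet with OUT= empty, are simply absent, which is what a Kibana query on that field would see.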
From Johan.Petersson at sscspace.com Tue Jun 3 13:07:02 2014
From: Johan.Petersson at sscspace.com (Johan Petersson)
Date: Tue, 3 Jun 2014 13:07:02 +0000
Subject: [Freeipa-users] IPA+AD trust and NFS nobody issue
Message-ID: <558C15177F5E714F83334217C9A197DF016C529177@SSC-MBX2.ssc.internal>

Hi,

Environment:

RHEL 7 IPA Server 3.3 with a trust to a Windows 2012 Server AD
RHEL 7 NFS Server
RHEL 7 Client

I have found one problem when using an NFS 4 shared Home Directory for AD users logging in to IPA.

I have created an NFS share /home/adexample.org and use an autofs map in IPA.

All wbinfo tests work, as well as id.

I can log in fine through SSH and shell with adtest at adexample.org

The problem is that I can add the AD user as owner of his Home Directory, and if I log in to the NFS Server locally or through ssh the permissions are correct, but when logging in to any other computer I get "nobody" as owner.

Groups are no problem since AD groups can be mapped to Posix groups.

Idmap.conf domain is set to the IPA Domain.

Is there some way to get NFS working with the AD user as owner of his Home Directory?

Thanks for any help.
From devans01 at gmail.com Tue Jun 3 13:44:10 2014
From: devans01 at gmail.com (Dylan Evans)
Date: Tue, 3 Jun 2014 14:44:10 +0100
Subject: [Freeipa-users] Getting Samba3 and FreeIPAv3 working together
In-Reply-To: <53831A34.9030109@redhat.com>
References: <20140522121954.GJ4640@localhost.localdomain> <537DF94A.4000601@redhat.com> <53831A34.9030109@redhat.com>
Message-ID:

Hi Petr & Sumit,

I've been trying to get further with my setup.

1. Thanks Petr, the groups.js plugin seems to work fine, it shows the correct info on the GUI screen and seems to be ok.

2. Sumit, I'm afraid that I'm having a few more problems after running "ipa-adtrust-install --add-sids". I cannot now add any users on the server (Fedora 20, ipa-server 3.3.5-1) via the command-line or GUI. I get the following error:

GUI:
IPA Error 4205
missing attribute: "sambaSID" required by object class "sambaSamAccount"

Command-line:
ipa user-add test1234 .....
ipa: ERROR: missing attribute "sambaSID" required by object class "sambaSamAccount"

Also, when editing an existing user, there is no sambaSID field available to edit.

If you have any ideas, please let me know.

Thanks,

Dylan.

On 26 May 2014 11:40, Petr Vobornik wrote:
> On 23.5.2014 16:31, Dylan Evans wrote:
>>
>> Hi Sumit and Petr,
>>
>> Thanks both of you for your replies, I've now got to go and try to
>> implement all your suggestions but I have some more questions, sorry!
>> The guide at techslaves was fine, I just got stuck with the changes in
>> the JavaScript packages and the Samba server questions.
>>
>> 1. Petr, I put your samba.js plugin into
>> /usr/share/ipa/ui/js/plugins/samba but you'll have to pardon my lack
>> of JS knowledge, anything more than simple Bash scripts tends to leave
>> me confused! Do I need to do anything else apart from restart the IPA
>> service?
>> I read your info at
>> http://pvoborni.fedorapeople.org/doc/#!/guide/Plugins which says the
>> plugins have to be registered, but I couldn't work out if it's a
>> manual process or if it's done by /usr/share/ipa/wsgi/plugins.py on
>> restart? I'll add the relevant bits to /usr/share/ipa/wsgi/plugins.py
>> for the CLI as well.
>
> Should be automatically handled by the plugin.py wsgi handler and related
> logic in Web UI. Just make sure that the file and the directory have same
> names (except the extension in file's case of course).
>
>> 2. Sumit, thanks for the info on Samba, I'll have to leave that now
>> and try it next week. BTW, the version of Samba I'm testing against is
>> 3.6.9-168 on CentOS 6.5.
>>
>> Thanks again for your information and patience,
>>
>> Dylan.
>>
>> On 22 May 2014 14:19, Petr Vobornik wrote:
>>> On 22.5.2014 14:19, Sumit Bose wrote:
>>>> On Tue, May 20, 2014 at 02:00:18PM +0100, Dylan Evans wrote:
>>>>> Hello,
>>>>>
>>>>> I need some help with getting Samba and FreeIPA working together.
>>>>>
>>>>> I've been following the guide at
>>>>> http://techslaves.org/2011/08/24/freeipa-and-samba-3-integration but
>>>>> that seems quite out of date for IPAv3 and I need some help:
>>>>
>>>> yes, it is a bit outdated but still useful. Please note that we are
>>>> currently working on making the integration of samba more easy. Recently
>>>> I sent a patch to the samba-technical mailing list with a library which
>>>> would allow samba to use SSSD instead of winbind to look up users and
>>>> SID-to-name mapping. Alexander is planning to go through the ipasam
>>>> modules to see how to make integration with Samba file-servers more
>>>> easy.
>>>>
>>>> But coming back to your questions.
>>>>
>>>>> 1. The guide deals with setting a Samba server SID for one Samba
>>>>> server, but as we have multiple stand-alone Samba3 servers, which SID
>>>>> do I use to create the DNA plugin? Can I enter more than 1 SID?
>>>>> Can I have more than 1 plugin (seems unlikely)?
>>>>
>>>> 'net getlocalsid' returns the domain SID and since all your Samba
>>>> file-servers are members of the IPA domain you can use a common SID here.
>>>>
>>>> With IPAv3 SID generation for users and groups is even more easy because
>>>> you can get it for free by running ipa-adtrust-install (please use the
>>>> option --add-sids) if you already have users and groups in your IPA
>>>> server. This prepares the IPA server to be able to create trust
>>>> relationships to Active Directory and one requirement here is that all
>>>> users and groups have a SID.
>>>>
>>>> 'ipa-adtrust-install' will also create a domain SID. 'ipa
>>>> trustconfig-show' will show the domain SID together with the DNS domain
>>>> name and the NetBIOS domain name. On your Samba server you should set
>>>> 'workgroup' to the NetBIOS domain name (see 'net conf list' on the IPA
>>>> server after running ipa-adtrust-install for a config example).
>>>>
>>>> Additionally on your Samba servers you have to set the domain SID in
>>>> /var/lib/samba/private/secrets.tdb with tdbtool. You will need 3
>>>> keys with the same SID
>>>>
>>>> SECRETS/SID/DOMNETBIOS      <- NetBIOS domain name, 'workgroup' in smb.conf
>>>> SECRETS/SID/DNS.DOMAIN.NAME <- DNS domain name, will match 'realm' in smb.conf
>>>> SECRETS/SID/CLINETBIOS      <- NetBIOS name of the client, 'netbios name' in smb.conf
>>>>
>>>> The SID has to be given in a special binary format. The easiest way to
>>>> get it is to call 'tdbdump /var/lib/samba/private/secrets.tdb' on the
>>>> IPA server after running ipa-adtrust-install. The domain SID will always
>>>> start with \01\04\00\00\00\00\00\05\15\... . You can use this sequence
>>>> as data for the insert command of tdbtool.
>>>>
>>>> Now everything should be done with respect to SID handling.
>>>>
>>>>> 2. There's no "/usr/share/ipa/ui/group.js" file to patch in
>>>>> IPAv3. What do I need to patch instead?
>>>>> I've seen ticket https://fedorahosted.org/freeipa/ticket/3999 , which
>>>>> shows the need is there but I could do with getting it working ASAP.
>>>>
>>>> group.js is compiled with the other UI files in
>>>> /usr/share/ipa/ui/js/freeipa/app.js (see
>>>> install/ui/doc/guides/debugging_web_ui/README.md in the FreeIPA sources
>>>> for details). For your convenience I copied some section here:
>>>>
>>>> "The compiled Web UI layer is located in
>>>> `/usr/share/ipa/ui/js/freeipa/app.js` file. One can copy files from
>>>> source git repository in `install/ui/src/freeipa/` directory to the
>>>> `/usr/share/ipa/ui/js/freeipa/` directory (it will replace the `app.js`
>>>> file). By doing that, next reload of Web UI will use source files
>>>> (clearing browser cache may be required). After that all JavaScript
>>>> errors will contain proper source code name and line number."
>>>
>>> Better approach is to create a custom UI plugin which would add those
>>> fields. Since it's only 3 fields, I created an example which works on
>>> FreeIPA 4.0 and theoretically it should work on 3.2 as well:
>>>
>>> http://pvoborni.fedorapeople.org/plugins/samba/samba.js
>>>
>>> put the file into `/usr/share/ipa/ui/js/plugins/samba` directory.
>>>
>>> I did not test it with backend (no labels + doesn't do anything).
>>>
>>> More about plugin development:
>>> * http://www.freeipa.org/images/5/5b/FreeIPA33-extending-freeipa.pdf
>>> * http://pvoborni.fedorapeople.org/doc/#!/guide/Plugins
>>>
>>> Creating CLI plugin is IMO also better approach.
>>>
>>>>> I may be missing something obvious but some help would be greatly
>>>>> appreciated!
>>>>
>>>> I hope my comments will help you. Feel free to ask for more help if
>>>> needed. It would be nice to hear from any success as well.
>>>>
>>>> bye,
>>>> Sumit
>>>>
>>>>> Thanks,
>>>>>
>>>>> Dylan.
>>>>> Background:
>>>>>
>>>>> Brief: Need to expand from the current single-office-ish NIS/YP scheme
>>>>> to a multi-location/multi-national auth scheme which FreeIPA seems
>>>>> ideally suited for.
>>>>>
>>>>> Requirement: To continue to provide console/SSH and GUI/X logins to
>>>>> Linux hosts, access to home and project directories via NFS from the
>>>>> Linux machines using autofs/automount and access to Samba file-shares
>>>>> from Windows machines but not using AD creds as this is a totally
>>>>> separate environment. Several locations will each have a FreeIPA
>>>>> replica server, NFS/Samba fileserver and "application" server.
>>>>> Currently use 2 passwords for each user - one for NIS, one for Samba -
>>>>> and need to consolidate to one password for everything.
>>>>>
>>>>> Progress: Linux-based NFS stuff working fine - automount of home and
>>>>> project directories all OK. Currently using Fedora 20 & CentOS 6.5 VMs
>>>>> as a prototyping environment but will probably use RHEL/CentOS 7 when
>>>>> available for production. FreeIPA versions 3.0.0 on CentOS 6.5 and
>>>>> 3.3.5 on Fedora 20.
>>>
>>> --
>>> Petr Vobornik
>
> --
> Petr Vobornik

From devans01 at gmail.com Tue Jun 3 14:37:05 2014
From: devans01 at gmail.com (Dylan Evans)
Date: Tue, 3 Jun 2014 15:37:05 +0100
Subject: [Freeipa-users] Getting Samba3 and FreeIPAv3 working together
In-Reply-To:
References: <20140522121954.GJ4640@localhost.localdomain> <537DF94A.4000601@redhat.com> <53831A34.9030109@redhat.com>
Message-ID:

Hello again,

Just realised by re-reading this thread that I still needed to create the DNA plugin. I've now done that and I can add users, sorry for being stupid...

Dylan.
From dpal at redhat.com Tue Jun 3 16:47:43 2014
From: dpal at redhat.com (Dmitri Pal)
Date: Tue, 03 Jun 2014 12:47:43 -0400
Subject: [Freeipa-users] IPA+AD trust and NFS nobody issue
In-Reply-To: <558C15177F5E714F83334217C9A197DF016C529177@SSC-MBX2.ssc.internal>
References: <558C15177F5E714F83334217C9A197DF016C529177@SSC-MBX2.ssc.internal>
Message-ID: <538DFC2F.3000703@redhat.com>

On 06/03/2014 09:07 AM, Johan Petersson wrote:
>
> Hi,
>
> Environment:
>
> RHEL 7 IPA Server 3.3 with a trust to a Windows 2012 Server AD
>
> RHEL 7 NFS Server
>
> RHEL 7 Client
>
> I have found one problem when using a NFS 4 shared Home Directory for
> AD users logging in to IPA.
>
> I have created a NFS share /home/adexample.org and use autofs map in IPA.
>
> All wbinfo tests works as well as id.
>
> I can login fine through SSH and Shell with adtest at adexample.org
>
> The problem is that I can add the AD user as owner of his Home
> Directory and if I log in to the NFS Server locally or through ssh
> permissions are correct but when logging in to any other computer I
> get "nobody" as owner.
>

Are those computers RHEL7 NFS clients with SSSD?
Can you describe them in more details please?

> Groups are no problem since AD groups can be mapped to Posix groups.
>
> Idmap.conf domain is set to the IPA Domain.
>
> Is there some way to get NFS working with the AD user as owner of his
> Home Directory?
>
> Thanks for any help.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

From barrykfl at gmail.com Wed Jun 4 09:33:03 2014
From: barrykfl at gmail.com (barrykfl at gmail.com)
Date: Wed, 4 Jun 2014 17:33:03 +0800
Subject: [Freeipa-users] godaddy wild card cert error
Message-ID:

Dear all:

My host is abc.def.com. I imported a cert *.def.com from GoDaddy into dirsrv and got a warning/error prompt. Any idea? Is it that I cannot use a *.def.com cert and must use a full host cert, abc.def.com???

Shutting down dirsrv:
    PKI-IPA...                                                 [  OK  ]
    def-COM...                                                 [  OK  ]
Starting dirsrv:
    PKI-IPA...                                                 [  OK  ]
    def-COM...[04/Jun/2014:17:23:28 +0800] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert *.def.com - GoDaddy.com, Inc.
of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8172 - Peer's certificate issuer has been marked as not trusted by the user.)   [  OK  ]

[root@(LIVE)~]$ service ipa status
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
MEMCACHE Service: RUNNING
HTTP Service: RUNNING
CA Service: RUNNING

From Johan.Petersson at sscspace.com Wed Jun 4 10:02:03 2014
From: Johan.Petersson at sscspace.com (Johan Petersson)
Date: Wed, 4 Jun 2014 10:02:03 +0000
Subject: [Freeipa-users] IPA+AD trust and NFS nobody issue
In-Reply-To: <538DFC2F.3000703@redhat.com>
References: <558C15177F5E714F83334217C9A197DF016C529177@SSC-MBX2.ssc.internal> <538DFC2F.3000703@redhat.com>
Message-ID: <558C15177F5E714F83334217C9A197DF016C529446@SSC-MBX2.ssc.internal>

Yes, the client is a default RHEL 7 and both the IPA and NFS servers are as well.

server.ad.home = AD Server
share.linux.home = NFS Server
ipa.linux.home = IPA Server
client.linux.home = Client

NFS with automounted krb5p Home Directories works for IPA users.
sssd-1.11.2-65.el7.x86_64

id adtest at AD.HOME
uid=497801107(adtest at ad.home) gid=497801107(adtest at ad.home) groups=497801107(adtest at ad.home),497800513(domain users at ad.home)

getent passwd adtest at AD.HOME
adtest at ad.home:*:497801107:497801107::/home/ad.home/adtest:

klist after kinit adtest at AD.HOME

[root at client ~]# klist -e
Ticket cache: KEYRING:persistent:0:0
Default principal: adtest at AD.HOME

Valid starting       Expires              Service principal
06/04/14 11:28:35    06/04/14 21:28:35    krbtgt/AD.HOME at AD.HOME
        renew until 06/05/14 11:28:30, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96

klist after ssh adtest at AD.HOME@ipa.linux.home

klist
Ticket cache: KEYRING:persistent:497801107:krb_ccache_y5TW1kB
Default principal: adtest at AD.HOME

Valid starting       Expires              Service principal
06/04/14 11:35:16    06/04/14 21:35:16    nfs/share.linux.home at LINUX.HOME
        renew until 06/05/14 11:28:30
06/04/14 11:35:16    06/04/14 21:35:16    krbtgt/LINUX.HOME at AD.HOME
        renew until 06/05/14 11:28:30
06/04/14 11:28:35    06/04/14 21:35:16    krbtgt/AD.HOME at AD.HOME
        renew until 06/05/14 11:28:30

Home Directory gets mounted by autofs through sssd but user:group is both nobody.
The Client's sssd.conf:

[domain/linux.home]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = linux.home
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = client.linux.home
chpass_provider = ipa
ipa_dyndns_update = True
ipa_server = _srv_, ipa.linux.home
ldap_tls_cacert = /etc/ipa/ca.crt
autofs_provider = ipa
ipa_automount_location = default
subdomains_provider = ipa

[sssd]
services = nss, pam, autofs, ssh
config_file_version = 2
domains = linux.home

[nss]

[pam]

[sudo]

[autofs]

[ssh]

[pac]
From Johan.Petersson at sscspace.com Wed Jun 4 12:18:53 2014
From: Johan.Petersson at sscspace.com (Johan Petersson)
Date: Wed, 4 Jun 2014 12:18:53 +0000
Subject: [Freeipa-users] IPA+AD trust and NFS nobody issue
In-Reply-To: <558C15177F5E714F83334217C9A197DF016C529446@SSC-MBX2.ssc.internal>
References: <558C15177F5E714F83334217C9A197DF016C529177@SSC-MBX2.ssc.internal> <538DFC2F.3000703@redhat.com> <558C15177F5E714F83334217C9A197DF016C529446@SSC-MBX2.ssc.internal>
Message-ID: <558C15177F5E714F83334217C9A197DF016C5294AD@SSC-MBX2.ssc.internal>

I found one clue to the issue and as I thought it has to do with m
Please notify the above if any misdirection.

_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.


From Johan.Petersson at sscspace.com Wed Jun 4 12:24:11 2014
From: Johan.Petersson at sscspace.com (Johan Petersson)
Date: Wed, 4 Jun 2014 12:24:11 +0000
Subject: [Freeipa-users] IPA+AD trust and NFS nobody issue
In-Reply-To: <558C15177F5E714F83334217C9A197DF016C529446@SSC-MBX2.ssc.internal>
References: <558C15177F5E714F83334217C9A197DF016C529177@SSC-MBX2.ssc.internal> <538DFC2F.3000703@redhat.com> <558C15177F5E714F83334217C9A197DF016C529446@SSC-MBX2.ssc.internal>
Message-ID: <558C15177F5E714F83334217C9A197DF016C5294BB@SSC-MBX2.ssc.internal>

Mail got posted before I was finished, sorry.

I found one clue to the issue after increasing autofs logging to debug and as I thought it has to do with id-mapping.

From /var/log/messages:

Nfsidmap[1696]: nss_getpwnam: name 'adtest at ad.home@linux.home,' does not map into domain 'linux.home,'


From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Johan Petersson
Sent: Wednesday, June 04, 2014 12:02 PM
To: dpal at redhat.com; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] IPA+AD trust and NFS nobody issue

Yes, Client is default RHEL 7 and both IPA and NFS Server are as well.

server.ad.home = AD Server
share.linux.home = NFS Server
ipa.linux.home = IPA Server
client.linux.home = Client

NFS with automounted krb5p Home Directories works for IPA users.
From sbose at redhat.com Wed Jun 4 12:40:39 2014
From: sbose at redhat.com (Sumit Bose)
Date: Wed, 4 Jun 2014 14:40:39 +0200
Subject: [Freeipa-users] IPA+AD trust and NFS nobody issue
In-Reply-To: <558C15177F5E714F83334217C9A197DF016C5294BB@SSC-MBX2.ssc.internal>
References: <558C15177F5E714F83334217C9A197DF016C529177@SSC-MBX2.ssc.internal> <538DFC2F.3000703@redhat.com> <558C15177F5E714F83334217C9A197DF016C529446@SSC-MBX2.ssc.internal> <558C15177F5E714F83334217C9A197DF016C5294BB@SSC-MBX2.ssc.internal>
Message-ID: <20140604124039.GD29982@localhost.localdomain>

On Wed, Jun 04, 2014 at 12:24:11PM +0000, Johan Petersson wrote:
> Mail got posted before I was finished sorry.
>
> I found one clue to the issue after increasing autofs logging to debug and as i thought it has to do with id-mapping.
>
> From /var/log/messages:
>
> Nfsidmap[1696]: nss_getpwnam: name 'adtest at ad.home@linux.home,' does not map into domain 'linux.home,'

Maybe adding 'linux.home' and 'ad.home' to Local-Realms in idmap.conf might help? I'll check the nfsidmap code to see how/if it can handle trusted domains.

bye,
Sumit
From rcritten at redhat.com Wed Jun 4 13:08:23 2014
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 04 Jun 2014 09:08:23 -0400
Subject: [Freeipa-users] goddday wild card cert error
In-Reply-To:
References:
Message-ID: <538F1A47.1040407@redhat.com>

barrykfl at gmail.com wrote:
> Dear all:
>
> my host is abc.def.com
>
> I import a cert *.def.com of godaddy to dirsrv and
> warning / error prompt any idea?
> is it i cannot use *.def cert and must use a full host cert .
> abc.def.com? ??
>
> Shutting down dirsrv:
> PKI-IPA... [ OK ]
> def-COM... [ OK ]
> Starting dirsrv:
> PKI-IPA... [ OK ]
> def-COM...[04/Jun/2014:17:23:28 +0800] - SSL alert:
> CERT_VerifyCertificateNow: verify certificate failed for cert *.def.com
> - GoDaddy.com, Inc. of family
> cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8172 -
> Peer 's certificate issuer has been marked as not trusted by the user.)
> [ OK ]
> [root@(LIVE)~]$ service ipa status
> Directory Service: RUNNING
> KDC Service: RUNNING
> KPASSWD Service: RUNNING
> MEMCACHE Service: RUNNING
> HTTP Service: RUNNING
> CA Service: RUNNING

https://www.redhat.com/archives/freeipa-users/2014-March/msg00363.html

rob


From abokovoy at redhat.com Wed Jun 4 13:14:18 2014
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 4 Jun 2014 16:14:18 +0300
Subject: [Freeipa-users] IPA+AD trust and NFS nobody issue
In-Reply-To: <558C15177F5E714F83334217C9A197DF016C5294BB@SSC-MBX2.ssc.internal>
References: <558C15177F5E714F83334217C9A197DF016C529177@SSC-MBX2.ssc.internal> <538DFC2F.3000703@redhat.com> <558C15177F5E714F83334217C9A197DF016C529446@SSC-MBX2.ssc.internal> <558C15177F5E714F83334217C9A197DF016C5294BB@SSC-MBX2.ssc.internal>
Message-ID: <20140604131418.GH2726@redhat.com>

On Wed, 04 Jun 2014, Johan Petersson wrote:
>Mail got posted before I was finished sorry.
>
>I found one clue to the issue after increasing autofs logging to debug and as i thought it has to do with id-mapping.
>
>From /var/log/messages:
>
>Nfsidmap[1696]: nss_getpwnam: name 'adtest at ad.home@linux.home,' does not map into domain 'linux.home,'
Are you sure the message is exactly like this, with a comma after linux.home?

The reason I'm asking is because the code that prints the message looks like this:

    localname = strip_domain(name, domain);
    IDMAP_LOG(4, ("nss_getpwnam: name '%s' domain '%s': "
                  "resulting localname '%s'\n", name, domain, localname));
    if (localname == NULL) {
        IDMAP_LOG(0, ("nss_getpwnam: name '%s' does not map "
                      "into domain '%s'\n", name, domain ? domain : ""));
        goto err_free_buf;
    }

note that it doesn't have a comma anywhere in the string printed.

Can you please increase the log level to 4 so that we can see the first string (nss_getpwnam: name '....' domain '...': resulting localname ...)?
It would be

    [general]
    Verbosity = 4

in /etc/idmapd.conf
--
/ Alexander Bokovoy


From sbose at redhat.com Wed Jun 4 13:47:56 2014
From: sbose at redhat.com (Sumit Bose)
Date: Wed, 4 Jun 2014 15:47:56 +0200
Subject: [Freeipa-users] Getting Samba3 and FreeIPAv3 working together
In-Reply-To:
References: <20140522121954.GJ4640@localhost.localdomain> <537DF94A.4000601@redhat.com> <53831A34.9030109@redhat.com>
Message-ID: <20140604134755.GF29982@localhost.localdomain>

On Tue, Jun 03, 2014 at 03:37:05PM +0100, Dylan Evans wrote:
> Hello again,
>
> Just realised by re-reading this thread that I still needed to create
> the DNA plugin.
>
> I've now done that and I can add users, sorry for being stupid...

I think the issue is on my side :-) I forgot that samba uses a hardcoded LDAP schema and requires specific objectclass and attribute names. By enabling the DNA plugin the needed values are added to the user object, but with the negative side effect that there are now two attributes containing a different SID, one created by the DNA plugin, the other by a plugin activated by ipa-adtrust-install.

I guess the proper solution would be to not enable the DNA plugin to create the SIDs in the user object but use the Schema Compatibility plugin from slapi-nis to create a compat tree where samba can find the needed data with the expected schema. But I'm afraid I am not aware of any howto about this.
Even better would be to use ipasam instead of ldapsam in samba itself. But I cannot say how good or bad it will currently work because, as mentioned below, Alexander is planning to check it in summer.

bye,
Sumit

>
> Dylan.
>
>
> On 3 June 2014 14:44, Dylan Evans wrote:
> > Hi Petr & Sumit,
> >
> > I've been trying to get further with my setup.
> >
> > 1. Thanks Petr, the groups.js plugin seems to work fine, it shows the correct info on the GUI screen and seems to be ok.
> >
> > 2. Sumit, I'm afraid that I'm having a few more problems after running "ipa-adtrust-install --add-sids". I cannot now add any users on the server (Fedora 20, ipa-server 3.3.5-1) via the command-line or GUI. I get the following error:
> >
> > GUI:
> > IPA Error 4205
> > missing attribute: "sambaSID" required by object class "sambaSamAccount"
> >
> > Command-line:
> > ipa user-add test1234 .....
> > ipa: ERROR: missing attribute "sambaSID" required by object class "sambaSamAccount"
> >
> > Also, when editing an existing user, there is no sambaSID field available to edit.
> >
> > If you have any ideas, please let me know.
> >
> > Thanks,
> >
> > Dylan.
> >
> >
> > On 26 May 2014 11:40, Petr Vobornik wrote:
> >> On 23.5.2014 16:31, Dylan Evans wrote:
> >>>
> >>> Hi Sumit and Petr,
> >>>
> >>> Thanks both of you for your replies, I've now got to go and try to implement all your suggestions but I have some more questions, sorry! The guide at techslaves was fine, I just got stuck with the changes in the JavaScript packages and the Samba server questions.
> >>>
> >>> 1. Petr, I put your samba.js plugin into /usr/share/ipa/ui/js/plugins/samba but you'll have to pardon my lack of JS knowledge, anything more than simple Bash scripts tends to leave me confused! Do I need to do anything else apart from restart the IPA service?
> >>> I read your info at http://pvoborni.fedorapeople.org/doc/#!/guide/Plugins which says the plugins have to be registered, but I couldn't work out if it's a manual process or if it's done by /usr/share/ipa/wsgi/plugins.py on restart? I'll add the relevant bits to /usr/share/ipa/wsgi/plugins.py for the CLI as well.
> >>
> >> Should be automatically handled by the plugin.py wsgi handler and related logic in Web UI. Just make sure that the file and the directory have the same names (except the extension in the file's case of course).
> >>
> >>>
> >>> 2. Sumit, thanks for the info on Samba, I'll have to leave that now and try it next week. BTW, the version of Samba I'm testing against is 3.6.9-168 on CentOS 6.5.
> >>>
> >>> Thanks again for your information and patience,
> >>>
> >>> Dylan.
> >>>
> >>> On 22 May 2014 14:19, Petr Vobornik wrote:
> >>>>
> >>>> On 22.5.2014 14:19, Sumit Bose wrote:
> >>>>>
> >>>>> On Tue, May 20, 2014 at 02:00:18PM +0100, Dylan Evans wrote:
> >>>>>>
> >>>>>> Hello,
> >>>>>>
> >>>>>> I need some help with getting Samba and FreeIPA working together.
> >>>>>>
> >>>>>> I've been following the guide at http://techslaves.org/2011/08/24/freeipa-and-samba-3-integration but that seems quite out of date for IPAv3 and I need some help:
> >>>>>
> >>>>> yes, it is a bit outdated but still useful. Please note that we are currently working on making the integration of samba easier. Recently I sent a patch to the samba-technical mailing list with a library which would allow samba to use SSSD instead of winbind to look up users and SID-to-name mapping. Alexander is planning to go through the ipasam modules to see how to make integration with Samba file-servers easier.
> >>>>>
> >>>>> But coming back to your questions.
> >>>>>
> >>>>>>
> >>>>>> 1.
> >>>>>> The guide deals with setting a Samba server SID for one Samba server, but as we have multiple stand-alone Samba3 servers, which SID do I use to create the DNA plugin? Can I enter more than 1 SID? Can I have more than 1 plugin (seems unlikely)?
> >>>>>
> >>>>> 'net getlocalsid' returns the domain SID and since all your Samba file-servers are members of the IPA domain you can use a common SID here.
> >>>>>
> >>>>> With IPAv3 SID generation for users and groups is even easier because you can get it for free by running ipa-adtrust-install (please use the option --add-sids) if you already have users and groups in your IPA server. This prepares the IPA server to be able to create trust relationships to Active Directory and one requirement here is that all users and groups have a SID.
> >>>>>
> >>>>> 'ipa-adtrust-install' will also create a domain SID. 'ipa trustconfig-show' will show the domain SID together with the DNS domain name and the NetBIOS domain name. On your Samba server you should set 'workgroup' to the NetBIOS domain name (see 'net conf list' on the IPA server after running ipa-adtrust-install for a config example).
> >>>>>
> >>>>> Additionally on your Samba servers you have to set the domain SID in /var/lib/samba/private/secrets.tdb with tdbtool. You will need 3 keys with the same SID:
> >>>>>
> >>>>> SECRETS/SID/DOMNETBIOS      <- NetBIOS domain name, 'workgroup' in smb.conf
> >>>>> SECRETS/SID/DNS.DOMAIN.NAME <- DNS domain name, will match 'realm' in smb.conf
> >>>>> SECRETS/SID/CLINETBIOS      <- NetBIOS name of the client, 'netbios name' in smb.conf
> >>>>>
> >>>>> The SID has to be given in a special binary format. The easiest way to get it is to call 'tdbdump /var/lib/samba/private/secrets.tdb' on the IPA server after running ipa-adtrust-install.
> >>>>> The domain SID will always start with \01\04\00\00\00\00\00\05\15\... . You can use this sequence as data for the insert command of tdbtool.
> >>>>>
> >>>>> Now everything should be done with respect to SID handling.
> >>>>>
> >>>>>>
> >>>>>> 2. There's no '/usr/share/ipa/ui/group.js' file to patch in IPAv3. What do I need to patch instead?
> >>>>>>
> >>>>>> I've seen ticket https://fedorahosted.org/freeipa/ticket/3999 , which shows the need is there but I could do with getting it working ASAP.
> >>>>>
> >>>>> group.js is compiled with the other UI files in /usr/share/ipa/ui/js/freeipa/app.js (see install/ui/doc/guides/debugging_web_ui/README.md in the FreeIPA sources for details). For your convenience I copied some section here:
> >>>>>
> >>>>> "The compiled Web UI layer is located in `/usr/share/ipa/ui/js/freeipa/app.js` file. One can copy files from source git repository in `install/ui/src/freeipa/` directory to the `/usr/share/ipa/ui/js/freeipa/` directory (it will replace the `app.js` file). By doing that, next reload of Web UI will use source files (clearing browser cache may be required). After that all JavaScript errors will contain proper source code name and line number."
> >>>>
> >>>> Better approach is to create a custom UI plugin which would add those fields. Since it's only 3 fields, I created an example which works on FreeIPA 4.0 and theoretically it should work on 3.2 as well:
> >>>>
> >>>> http://pvoborni.fedorapeople.org/plugins/samba/samba.js
> >>>>
> >>>> put the file into the `/usr/share/ipa/ui/js/plugins/samba` directory.
> >>>>
> >>>> I did not test it with backend (no labels + doesn't do anything).
> >>>>
> >>>> More about plugin development:
> >>>> * http://www.freeipa.org/images/5/5b/FreeIPA33-extending-freeipa.pdf
> >>>> * http://pvoborni.fedorapeople.org/doc/#!/guide/Plugins
> >>>>
> >>>> Creating a CLI plugin is IMO also a better approach.
> >>>>
> >>>>>
> >>>>>> I may be missing something obvious but some help would be greatly appreciated!
> >>>>>
> >>>>> I hope my comments will help you. Feel free to ask for more help if needed. It would be nice to hear from any success as well.
> >>>>>
> >>>>> bye,
> >>>>> Sumit
> >>>>>
> >>>>>> Thanks,
> >>>>>>
> >>>>>> Dylan.
> >>>>>>
> >>>>>> Background:
> >>>>>>
> >>>>>> Brief: Need to expand from the current single-office-ish NIS/YP scheme to a multi-location/multi-national auth scheme which FreeIPA seems ideally suited for.
> >>>>>>
> >>>>>> Requirement: To continue to provide console/SSH and GUI/X logins to Linux hosts, access to home and project directories via NFS from the Linux machines using autofs/automount and access to Samba file-shares from Windows machines but not using AD creds as this is a totally separate environment. Several locations will each have a FreeIPA replica server, NFS/Samba fileserver and 'application' server. Currently use 2 passwords for each user (one for NIS, one for Samba) and need to consolidate to one password for everything.
> >>>>>>
> >>>>>> Progress: Linux-based NFS stuff working fine (automount of home and project directories all OK). Currently using Fedora 20 & CentOS 6.5 VMs as a prototyping environment but will probably use RHEL/CentOS 7 when available for production. FreeIPA versions 3.0.0 on CentOS 6.5 and 3.3.5 on Fedora 20.
> >>>>>>
> >>>> --
> >>>> Petr Vobornik
> >>
> >>
> >> --
> >> Petr Vobornik


From Johan.Petersson at sscspace.com Wed Jun 4 13:57:11 2014
From: Johan.Petersson at sscspace.com (Johan Petersson)
Date: Wed, 4 Jun 2014 13:57:11 +0000
Subject: [Freeipa-users] IPA+AD trust and NFS nobody issue
In-Reply-To: <20140604131418.GH2726@redhat.com>
References: <558C15177F5E714F83334217C9A197DF016C529177@SSC-MBX2.ssc.internal> <538DFC2F.3000703@redhat.com> <558C15177F5E714F83334217C9A197DF016C529446@SSC-MBX2.ssc.internal> <558C15177F5E714F83334217C9A197DF016C5294BB@SSC-MBX2.ssc.internal> <20140604131418.GH2726@redhat.com>
Message-ID: <558C15177F5E714F83334217C9A197DF016C529537@SSC-MBX2.ssc.internal>

Yes, the message is exactly like that with commas, I double checked.

To answer Sumit's question:

> Maybe adding 'linux.home' and 'ad.home' to Local-Realms in idmap.conf might help?

I did on all machines and got rid of that specific message but I still get user nobody unfortunately.

Here are logs from when I did a su - adtest at AD.HOME@linux.home with both AD.HOME and LINUX.HOME added to Local_realms in idmap.conf.
Client:

Jun 4 15:30:13 client su: (to adtest at ad.home) linux on pts/0
Jun 4 15:30:13 client nfsidmap[3602]: key: 0x35965a5f type: gid value: adtest at ad.home@linux.home timeout 600
Jun 4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: calling nsswitch->name_to_gid
Jun 4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: nsswitch->name_to_gid returned -22
Jun 4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: final return value is -22
Jun 4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: calling nsswitch->name_to_gid
Jun 4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: nsswitch->name_to_gid returned 0
Jun 4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: final return value is 0

NFS Server:

Jun 4 15:33:48 share rpc.idmapd[1908]: nfsdcb: authbuf=gss/krb5p authtype=user
Jun 4 15:33:48 share rpc.idmapd[1908]: nfs4_uid_to_name: calling nsswitch->uid_to_name
Jun 4 15:33:48 share rpc.idmapd[1908]: nfs4_uid_to_name: nsswitch->uid_to_name returned 0
Jun 4 15:33:48 share rpc.idmapd[1908]: nfs4_uid_to_name: final return value is 0
Jun 4 15:33:48 share rpc.idmapd[1908]: Server : (user) id "497801107" -> name "adtest at ad.home@linux.home"
Jun 4 15:33:48 share rpc.idmapd[1908]: nfsdcb: authbuf=gss/krb5p authtype=group
Jun 4 15:33:48 share rpc.idmapd[1908]: nfs4_gid_to_name: calling nsswitch->gid_to_name
Jun 4 15:33:48 share rpc.idmapd[1908]: nfs4_gid_to_name: nsswitch->gid_to_name returned 0
Jun 4 15:33:48 share rpc.idmapd[1908]: nfs4_gid_to_name: final return value is 0
Jun 4 15:33:48 share rpc.idmapd[1908]: Server : (group) id "1120000005" -> name "ad_users at linux.home"

The group ad_users is an IPA group with external maps from AD Domain users.
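To make the strip_domain() step that Alexander quoted from nfsidmap concrete against the owner strings in these logs, here is an added C model of that check (my own simplified code, not the nfs-utils source). The Local-Realms fallback in map_owner() is an assumption modelled on Sumit's suggestion, not a description of libnfsidmap internals, and the input strings are the log values with the list archive's "at" written back as "@".

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration, not the nfs-utils source: the text after the LAST
 * '@' of an NFSv4 owner string is compared case-insensitively with the
 * configured domain. On a match the prefix is the local name handed to
 * NSS (SSSD here); otherwise the name "does not map into domain" and the
 * file ends up owned by nobody on that client. */

static int eq_nocase(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == '\0' && *b == '\0';
}

/* Returns a malloc'd local name, or NULL when the name does not map. */
static char *strip_domain(const char *name, const char *domain)
{
    const char *at = strrchr(name, '@');
    char *local;
    size_t len;

    if (at == NULL || domain == NULL)
        return NULL;            /* no realm part, or no domain to check against */
    if (!eq_nocase(at + 1, domain))
        return NULL;            /* realm differs from the configured domain */
    len = (size_t)(at - name);
    local = malloc(len + 1);
    if (local == NULL)
        return NULL;
    memcpy(local, name, len);
    local[len] = '\0';
    return local;
}

/* Assumed model of a Local-Realms fallback: the default domain is tried
 * first, then every listed realm. Whether libnfsidmap iterates the list
 * this way for owner strings is an assumption made for the illustration. */
static char *map_owner(const char *name, const char *domain,
                       const char *const *realms, size_t nrealms)
{
    char *local = strip_domain(name, domain);
    size_t i;

    for (i = 0; local == NULL && i < nrealms; i++)
        local = strip_domain(name, realms[i]);
    return local;
}

int main(void)
{
    /* Constructed inputs: the owner strings seen in the thread's logs. */
    const char *const realms[] = { "linux.home", "ad.home" };
    const char *owners[] = {
        "adtest@ad.home@linux.home",   /* trusted AD user with the IPA realm appended */
        "ad_users@linux.home",         /* IPA group that wraps the AD users */
        "adtest@ad.home",              /* AD part only, no IPA realm */
        "nobody",                      /* no '@' at all */
    };
    size_t i;

    for (i = 0; i < sizeof owners / sizeof owners[0]; i++) {
        char *plain = strip_domain(owners[i], "linux.home");
        char *with_realms = map_owner(owners[i], "linux.home", realms, 2);
        printf("%-28s domain only: %-16s with Local-Realms: %s\n", owners[i],
               plain ? plain : "(does not map)",
               with_realms ? with_realms : "(does not map)");
        free(plain);
        free(with_realms);
    }
    return 0;
}
```

Note that for the trusted user the local name handed to NSS is still the fully qualified "adtest@ad.home", so the client's SSSD must resolve that form for the owner to display correctly.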
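Sumit's Samba3/FreeIPAv3 instructions earlier in this archive describe the binary SID that goes into secrets.tdb only by its leading bytes. The following C program is an added example (my own code, not Samba's or FreeIPA's) that converts a textual domain SID into that binary layout and prints it in the \XX escaping tdbdump shows; the SID value is a constructed sample, the three key names are the thread's placeholders, and it is an assumption that tdbtool's insert accepts \XX for every byte rather than only for non-printable ones.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not Samba or FreeIPA code. Binary SID layout:
 *   byte 0      revision (1)
 *   byte 1      number of sub-authorities
 *   bytes 2..7  identifier authority, 48-bit big-endian (5 = NT Authority)
 *   then        each sub-authority as a 32-bit little-endian integer
 * which is why a domain SID S-1-5-21-... always starts with
 * \01\04\00\00\00\00\00\05\15 (0x15 == 21), as noted in the thread. */

#define MAX_SUBAUTH 15

/* Parse "S-1-5-21-a-b-c" into out[]; returns the byte length or -1. */
static int sid_to_binary(const char *sid, unsigned char *out, size_t outlen)
{
    unsigned long long rev, auth, subs[MAX_SUBAUTH];
    int nsub = 0, i, b;
    const char *p = sid;
    char *end;
    size_t need;

    if (strncmp(p, "S-", 2) != 0)
        return -1;
    p += 2;
    rev = strtoull(p, &end, 10);
    if (end == p || *end != '-' || rev != 1)
        return -1;
    p = end + 1;
    auth = strtoull(p, &end, 10);
    if (end == p || auth > 0xFFFFFFFFFFFFULL)
        return -1;
    p = end;
    while (*p == '-') {
        if (nsub == MAX_SUBAUTH)
            return -1;
        subs[nsub] = strtoull(p + 1, &end, 10);
        if (end == p + 1 || subs[nsub] > 0xFFFFFFFFULL)
            return -1;
        nsub++;
        p = end;
    }
    /* a domain SID always carries sub-authorities, so "S-1-5" is rejected */
    if (*p != '\0' || nsub == 0)
        return -1;
    need = 8 + 4 * (size_t)nsub;
    if (outlen < need)
        return -1;
    out[0] = 1;
    out[1] = (unsigned char)nsub;
    for (i = 0; i < 6; i++)
        out[2 + i] = (unsigned char)(auth >> (8 * (5 - i)));
    for (i = 0; i < nsub; i++)
        for (b = 0; b < 4; b++)
            out[8 + 4 * i + b] = (unsigned char)(subs[i] >> (8 * b));
    return (int)need;
}

/* Escape every byte as \XX, the notation tdbdump prints for binary data.
 * buf needs 3 * len + 1 bytes. */
static void sid_escape(const unsigned char *bin, int len, char *buf, size_t buflen)
{
    int i;
    size_t pos = 0;

    buf[0] = '\0';
    for (i = 0; i < len && pos + 4 <= buflen; i++)
        pos += (size_t)snprintf(buf + pos, buflen - pos, "\\%02X", bin[i]);
}

int main(void)
{
    /* Constructed sample; the real value comes from 'ipa trustconfig-show'. */
    const char *domain_sid = "S-1-5-21-1234-5678-9012";
    /* Placeholder key names from the thread: replace DOMNETBIOS, DNS.DOMAIN.NAME
     * and CLINETBIOS with the NetBIOS domain, DNS domain and client names. */
    const char *keys[] = { "SECRETS/SID/DOMNETBIOS",
                           "SECRETS/SID/DNS.DOMAIN.NAME",
                           "SECRETS/SID/CLINETBIOS" };
    unsigned char bin[8 + 4 * MAX_SUBAUTH];
    char esc[3 * sizeof bin + 1];
    int len = sid_to_binary(domain_sid, bin, sizeof bin);
    size_t i;

    if (len < 0) {
        fprintf(stderr, "malformed SID: %s\n", domain_sid);
        return 1;
    }
    sid_escape(bin, len, esc, sizeof esc);
    for (i = 0; i < sizeof keys / sizeof keys[0]; i++)
        printf("tdbtool /var/lib/samba/private/secrets.tdb insert %s \"%s\"\n",
               keys[i], esc);
    return 0;
}
```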
-----Original Message----- From: Alexander Bokovoy [mailto:abokovoy at redhat.com] Sent: Wednesday, June 04, 2014 3:14 PM To: Johan Petersson Cc: dpal at redhat.com; freeipa-users at redhat.com Subject: Re: [Freeipa-users] IPA+AD trust and NFS nobody issue On Wed, 04 Jun 2014, Johan Petersson wrote: >Mail got posted before I was finished sorry. > >I found one clue to the issue after increasing autofs logging to debug and as i thought it has to do with id-mapping. > >>From /var/log/messages: > >Nfsidmap[1696]: nss_getpwnam: name 'adtest at ad.home@linux.home,' does not map into domain 'linux.home,' Are you sure the message is exactly like this, with a comma after linux.home? The reason I'm asking is because the code that prints the message looks like this: localname = strip_domain(name, domain); IDMAP_LOG(4, ("nss_getpwnam: name '%s' domain '%s': " "resulting localname '%s'\n", name, domain, localname)); if (localname == NULL) { IDMAP_LOG(0, ("nss_getpwnam: name '%s' does not map " "into domain '%s'\n", name, domain ? domain : "")); goto err_free_buf; } note that it doesn't have comma anywhere in the string printed. Can you please increase the log level to 4 so that we can see the first string (nss_getpwnam: name '....' domain '...': resulting localname ...)? it would be [general] Verbosity = 4 in /etc/idmapd.conf > > >From: freeipa-users-bounces at redhat.com >[mailto:freeipa-users-bounces at redhat.com] On Behalf Of Johan Petersson >Sent: Wednesday, June 04, 2014 12:02 PM >To: dpal at redhat.com; freeipa-users at redhat.com >Subject: Re: [Freeipa-users] IPA+AD trust and NFS nobody issue > >Yes Client is default RHEL 7 and both IPA and NFS Server is aswell. > > >server.ad.home = AD Server >share.linux.home = NFS Server >ipa.linux.home = IPA Server >client.linux.home = Client > >NFS with automounted krb5p Home Directories work for IPA users. 
>
>sssd-1.11.2-65.el7.x86_64
>
>id adtest@AD.HOME
>uid=497801107(adtest@ad.home) gid=497801107(adtest@ad.home) groups=497801107(adtest@ad.home),497800513(domain users@ad.home)
>
>getent passwd adtest@AD.HOME
>adtest@ad.home:*:497801107:497801107::/home/ad.home/adtest:
>
>klist after kinit adtest@AD.HOME
>
>[root@client ~]# klist -e
>Ticket cache: KEYRING:persistent:0:0
>Default principal: adtest@AD.HOME
>
>Valid starting       Expires              Service principal
>06/04/14 11:28:35    06/04/14 21:28:35    krbtgt/AD.HOME@AD.HOME
>        renew until 06/05/14 11:28:30, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
>
>klist after ssh adtest@AD.HOME@ipa.linux.home
>
>klist
>Ticket cache: KEYRING:persistent:497801107:krb_ccache_y5TW1kB
>Default principal: adtest@AD.HOME
>
>Valid starting       Expires              Service principal
>06/04/14 11:35:16    06/04/14 21:35:16    nfs/share.linux.home@LINUX.HOME
>        renew until 06/05/14 11:28:30
>06/04/14 11:35:16    06/04/14 21:35:16    krbtgt/LINUX.HOME@AD.HOME
>        renew until 06/05/14 11:28:30
>06/04/14 11:28:35    06/04/14 21:35:16    krbtgt/AD.HOME@AD.HOME
>        renew until 06/05/14 11:28:30
>
>Home Directory gets mounted by autofs through sssd but user:group is both nobody.
>
>The Client's sssd.conf:
>
>[domain/linux.home]
>
>cache_credentials = True
>krb5_store_password_if_offline = True
>ipa_domain = linux.home
>id_provider = ipa
>auth_provider = ipa
>access_provider = ipa
>ipa_hostname = client.linux.home
>chpass_provider = ipa
>ipa_dyndns_update = True
>ipa_server = _srv_, ipa.linux.home
>ldap_tls_cacert = /etc/ipa/ca.crt
>autofs_provider = ipa
>ipa_automount_location = default
>subdomains_provider = ipa
>[sssd]
>services = nss, pam, autofs, ssh
>config_file_version = 2
>
>domains = linux.home
>[nss]
>
>[pam]
>
>[sudo]
>
>[autofs]
>
>[ssh]
>
>[pac]
>
>
>From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Dmitri Pal
>Sent: Tuesday, June 03, 2014 6:48 PM
>To: freeipa-users at redhat.com
>Subject: Re: [Freeipa-users] IPA+AD trust and NFS nobody issue
>
>On 06/03/2014 09:07 AM, Johan Petersson wrote:
>Hi,
>
>Environment:
>
>RHEL 7 IPA Server 3.3 with a trust to a Windows 2012 Server AD
>RHEL 7 NFS Server
>RHEL 7 Client
>
>I have found one problem when using an NFS 4 shared Home Directory for AD users logging in to IPA.
>I have created an NFS share /home/adexample.org and use an autofs map in IPA.
>All wbinfo tests work, as well as id.
>I can login fine through SSH and Shell with adtest@adexample.org
>The problem is that I can add the AD user as owner of his Home Directory, and if I log in to the NFS Server locally or through ssh the permissions are correct, but when logging in to any other computer I get "nobody" as owner.
>
>Are those computers RHEL7 NFS clients with SSSD?
>Can you describe them in more detail please?
>
>Groups are no problem since AD groups can be mapped to Posix groups.
>
>Idmap.conf domain is set to the IPA Domain.
>
>Is there some way to get NFS working with the AD user as owner of his Home Directory?
>
>Thanks for any help.
>
>
>This e-mail is private and confidential between the sender and the addressee.
>In the event of misdirection, the recipient is prohibited from using, copying or disseminating it or any information in it. Please notify the above if any misdirection.
>
>_______________________________________________
>Freeipa-users mailing list
>Freeipa-users at redhat.com
>https://www.redhat.com/mailman/listinfo/freeipa-users
>
>--
>Thank you,
>Dmitri Pal
>
>Sr. Engineering Manager IdM portfolio
>Red Hat, Inc.

--
/ Alexander Bokovoy

From maleko42 at gmail.com Wed Jun 4 18:25:23 2014
From: maleko42 at gmail.com (Mark Gardner)
Date: Wed, 4 Jun 2014 14:25:23 -0400
Subject: [Freeipa-users] FreeIPA Clients and Firewall rules
Message-ID:

Does all communication used for the FreeIPA client go between the FreeIPA client and the FreeIPA server? Or if we're using FreeIPA / AD Trusts, does some communication go to the AD Server?

From abokovoy at redhat.com Wed Jun 4 18:40:32 2014
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 4 Jun 2014 21:40:32 +0300
Subject: [Freeipa-users] FreeIPA Clients and Firewall rules
In-Reply-To:
References:
Message-ID: <20140604184032.GJ2726@redhat.com>

On Wed, 04 Jun 2014, Mark Gardner wrote:
>Does all communication used for the FreeIPA client go between the
>FreeIPA client and the FreeIPA server? Or if we're using FreeIPA / AD
>Trusts, does some communication go to the AD Server?

Yes, an authentication exchange for AD users may happen between IPA client and AD DCs, initiated by IPA client side:

- in case AD user credentials were delegated and SSSD was configured to renew Kerberos keys over time
- in case AD user explicitly kinit itself

In other cases authentication will be initiated by an AD client side towards IPA client.
SSSD on IPA clients will be talking to IPA server in order to resolve AD users; it doesn't need to talk directly to AD for this purpose.

--
/ Alexander Bokovoy

From mkosek at redhat.com Thu Jun 5 08:51:05 2014
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 05 Jun 2014 10:51:05 +0200
Subject: [Freeipa-users] FreeIPA public demo available
Message-ID: <53902F79.4020100@redhat.com>

Hello all FreeIPA users and enthusiasts!

I would like to invite everyone to try our new public FreeIPA demo instance running on Red Hat OpenStack platform:

http://www.freeipa.org/page/Demo

The demo will always hold the latest stable version of FreeIPA or a Beta version of a next major release (e.g. when 4.0 Beta is available).

The demo is great for:

* Testing changes and enhancements in the most recent CLI/Web UI/API
* Testing integration in the OS - FreeIPA clients can be enrolled
* Testing web applications with LDAP/Kerberos authentication and advanced integration with FreeIPA

You can read all the details in the page referred above. Feedback welcome!

--
Martin Kosek
Supervisor, Software Engineering - Identity Management Team
Red Hat Inc.

From lindblombr at ornl.gov Thu Jun 5 18:13:18 2014
From: lindblombr at ornl.gov (Lindblom, Brian R.)
Date: Thu, 5 Jun 2014 18:13:18 +0000
Subject: [Freeipa-users] RSA Securid support
Message-ID: <1401991998.14811.18.camel@lindblom-desktop.ccs.ornl.gov>

I've been doing a bit of reading on integrating securid w/ ipa and am coming up a little short. Up-stream MIT kerberos has some mention of supporting it:

http://k5wiki.kerberos.org/wiki/Projects/SecurID_SAM_support

But I'm not sure if or how that translates to IPA support. Some clever pam rules could certainly be shoehorned-in as a sort of RSA "pre-auth" layer before getting into the krb5/sss bits, but that seems hackish at best. There was something on this mailing list talking about AuthHub support, circa 2012, but neither the topic nor the AuthHub git repository seem to have been touched since.
So, long story short, is this on the roadmap, an existing feature, a hidden feature, or has it been done before? Any insight would be greatly appreciated! I dearly miss my IPA setup from my previous gig, but a hard-n-fast securid requirement makes it difficult to offer up as a solution here without more info on how they can cooperate.

Thanks,

--
Brian R. Lindblom
HPC Systems Administrator
National Center for Computational Sciences
Oak Ridge National Laboratory

From simo at redhat.com Thu Jun 5 18:30:26 2014
From: simo at redhat.com (Simo Sorce)
Date: Thu, 05 Jun 2014 14:30:26 -0400
Subject: [Freeipa-users] RSA Securid support
In-Reply-To: <1401991998.14811.18.camel@lindblom-desktop.ccs.ornl.gov>
References: <1401991998.14811.18.camel@lindblom-desktop.ccs.ornl.gov>
Message-ID: <1401993026.26048.6.camel@willson.usersys.redhat.com>

On Thu, 2014-06-05 at 18:13 +0000, Lindblom, Brian R. wrote:
> I've been doing a bit of reading on integrating securid w/ ipa and am
> coming up a little short. Up-stream MIT kerberos has some mention of
> supporting it:
>
> http://k5wiki.kerberos.org/wiki/Projects/SecurID_SAM_support
>
> But I'm not sure if or how that translates to IPA support. Some clever
> pam rules could certainly be shoehorned-in as a sort of RSA "pre-auth"
> layer before getting into the krb5/sss bits, but that seems hackish at
> best. There was something on this mailing list talking about AuthHub
> support, circa 2012, but neither the topic nor the AuthHub git repository
> seem to have been touched since.
>
> So, long story short, is this on the roadmap, an existing feature, a
> hidden feature, or has it been done before? Any insight would be
> greatly appreciated! I dearly miss my IPA setup from my previous gig,
> but a hard-n-fast securid requirement makes it difficult to offer up as
> a solution here without more info on how they can cooperate.

IPA 4.0 will come out with integrated OTP support.
To use an external provider you will need to configure a radius server to which PIN+Code will be sent for verification.

This is the project page: http://www.freeipa.org/page/V3/OTP

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From lindblombr at ornl.gov Thu Jun 5 18:42:55 2014
From: lindblombr at ornl.gov (Lindblom, Brian R.)
Date: Thu, 5 Jun 2014 18:42:55 +0000
Subject: [Freeipa-users] RSA Securid support
In-Reply-To: <1401993026.26048.6.camel@willson.usersys.redhat.com>
References: <1401991998.14811.18.camel@lindblom-desktop.ccs.ornl.gov> <1401993026.26048.6.camel@willson.usersys.redhat.com>
Message-ID: <1401993775.14811.22.camel@lindblom-desktop.ccs.ornl.gov>

That's fantastic. Thanks for the link.

Thanks,
-Brian

On Thu, 2014-06-05 at 14:30 -0400, Simo Sorce wrote:
> On Thu, 2014-06-05 at 18:13 +0000, Lindblom, Brian R. wrote:
> > I've been doing a bit of reading on integrating securid w/ ipa and am
> > coming up a little short. Up-stream MIT kerberos has some mention of
> > supporting it:
> >
> > http://k5wiki.kerberos.org/wiki/Projects/SecurID_SAM_support
> >
> > But I'm not sure if or how that translates to IPA support. Some clever
> > pam rules could certainly be shoehorned-in as a sort of RSA "pre-auth"
> > layer before getting into the krb5/sss bits, but that seems hackish at
> > best. There was something on this mailing list talking about AuthHub
> > support, circa 2012, but neither the topic nor the AuthHub git repository
> > seem to have been touched since.
> >
> > So, long story short, is this on the roadmap, an existing feature, a
> > hidden feature, or has it been done before? Any insight would be
> > greatly appreciated! I dearly miss my IPA setup from my previous gig,
> > but a hard-n-fast securid requirement makes it difficult to offer up as
> > a solution here without more info on how they can cooperate.
>
> IPA 4.0 will come out with integrated OTP support.
> To use an external
> provider you will need to configure a radius server to which PIN+Code
> will be sent for verification.
>
> This is the project page: http://www.freeipa.org/page/V3/OTP
>
> Simo.
>

--
Brian R. Lindblom
HPC Systems Administrator
National Center for Computational Sciences
Oak Ridge National Laboratory

From dpal at redhat.com Thu Jun 5 19:03:21 2014
From: dpal at redhat.com (Dmitri Pal)
Date: Thu, 05 Jun 2014 15:03:21 -0400
Subject: [Freeipa-users] IPA+AD trust and NFS nobody issue
In-Reply-To: <558C15177F5E714F83334217C9A197DF016C529537@SSC-MBX2.ssc.internal>
References: <558C15177F5E714F83334217C9A197DF016C529177@SSC-MBX2.ssc.internal> <538DFC2F.3000703@redhat.com> <558C15177F5E714F83334217C9A197DF016C529446@SSC-MBX2.ssc.internal> <558C15177F5E714F83334217C9A197DF016C5294BB@SSC-MBX2.ssc.internal> <20140604131418.GH2726@redhat.com> <558C15177F5E714F83334217C9A197DF016C529537@SSC-MBX2.ssc.internal>
Message-ID: <5390BEF9.2040404@redhat.com>

On 06/04/2014 09:57 AM, Johan Petersson wrote:
> Yes, the message is exactly like that with commas, I double checked.
>
> To answer Sumit's question: Maybe adding 'linux.home' and 'ad.home' to Local-Realms in idmap.conf might help?
>
> I did on all machines and got rid of that specific message but I still get user nobody unfortunately.
>
> Here are logs from when I did a su - adtest@AD.HOME@linux.home with both AD.HOME and LINUX.HOME added to Local_realms in idmap.conf.
>
> Client:
> Jun 4 15:30:13 client su: (to adtest@ad.home) linux on pts/0
> Jun 4 15:30:13 client nfsidmap[3602]: key: 0x35965a5f type: gid value: adtest@ad.home@linux.home timeout 600
> Jun 4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: calling nsswitch->name_to_gid
> Jun 4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: nsswitch->name_to_gid returned -22
> Jun 4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: final return value is -22
> Jun 4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: calling nsswitch->name_to_gid
> Jun 4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: nsswitch->name_to_gid returned 0
> Jun 4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: final return value is 0

Do we have a corresponding SSSD trace that shows the actual process of the resolution?

>
> NFS Server:
> Jun 4 15:33:48 share rpc.idmapd[1908]: nfsdcb: authbuf=gss/krb5p authtype=user
> Jun 4 15:33:48 share rpc.idmapd[1908]: nfs4_uid_to_name: calling nsswitch->uid_to_name
> Jun 4 15:33:48 share rpc.idmapd[1908]: nfs4_uid_to_name: nsswitch->uid_to_name returned 0
> Jun 4 15:33:48 share rpc.idmapd[1908]: nfs4_uid_to_name: final return value is 0
> Jun 4 15:33:48 share rpc.idmapd[1908]: Server : (user) id "497801107" -> name "adtest@ad.home@linux.home"
> Jun 4 15:33:48 share rpc.idmapd[1908]: nfsdcb: authbuf=gss/krb5p authtype=group
> Jun 4 15:33:48 share rpc.idmapd[1908]: nfs4_gid_to_name: calling nsswitch->gid_to_name
> Jun 4 15:33:48 share rpc.idmapd[1908]: nfs4_gid_to_name: nsswitch->gid_to_name returned 0
> Jun 4 15:33:48 share rpc.idmapd[1908]: nfs4_gid_to_name: final return value is 0
> Jun 4 15:33:48 share rpc.idmapd[1908]: Server : (group) id "1120000005" -> name "ad_users@linux.home"
>
> The group ad_users is an IPA group with external maps from AD Domain users.
>
> -----Original Message-----
> From: Alexander Bokovoy [mailto:abokovoy at redhat.com]
> Sent: Wednesday, June 04, 2014 3:14 PM
> To: Johan Petersson
> Cc: dpal at redhat.com; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] IPA+AD trust and NFS nobody issue
>
> On Wed, 04 Jun 2014, Johan Petersson wrote:
>> Mail got posted before I was finished, sorry.
>>
>> I found one clue to the issue after increasing autofs logging to debug and, as I thought, it has to do with id-mapping.
>>
>> From /var/log/messages:
>>
>> Nfsidmap[1696]: nss_getpwnam: name 'adtest@ad.home@linux.home,' does not map into domain 'linux.home,'
>
> Are you sure the message is exactly like this, with a comma after linux.home?
>
> The reason I'm asking is because the code that prints the message looks like this:
>
>     localname = strip_domain(name, domain);
>     IDMAP_LOG(4, ("nss_getpwnam: name '%s' domain '%s': "
>                   "resulting localname '%s'\n", name, domain, localname));
>     if (localname == NULL) {
>         IDMAP_LOG(0, ("nss_getpwnam: name '%s' does not map "
>                       "into domain '%s'\n", name,
>                       domain ? domain : ""));
>         goto err_free_buf;
>     }
>
> Note that it doesn't have a comma anywhere in the string printed.
>
> Can you please increase the log level to 4 so that we can see the first string (nss_getpwnam: name '....' domain '...': resulting localname ...)? It would be
>
>     [general]
>     Verbosity = 4
>
> in /etc/idmapd.conf
>
>
>> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Johan Petersson
>> Sent: Wednesday, June 04, 2014 12:02 PM
>> To: dpal at redhat.com; freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] IPA+AD trust and NFS nobody issue
>>
>> Yes, Client is default RHEL 7 and both IPA and NFS Server are as well.
>>
>> server.ad.home = AD Server
>> share.linux.home = NFS Server
>> ipa.linux.home = IPA Server
>> client.linux.home = Client
>>
>> NFS with automounted krb5p Home Directories work for IPA users.
>>
>> sssd-1.11.2-65.el7.x86_64
>>
>> id adtest@AD.HOME
>> uid=497801107(adtest@ad.home) gid=497801107(adtest@ad.home) groups=497801107(adtest@ad.home),497800513(domain users@ad.home)
>>
>> getent passwd adtest@AD.HOME
>> adtest@ad.home:*:497801107:497801107::/home/ad.home/adtest:
>>
>> klist after kinit adtest@AD.HOME
>>
>> [root@client ~]# klist -e
>> Ticket cache: KEYRING:persistent:0:0
>> Default principal: adtest@AD.HOME
>>
>> Valid starting       Expires              Service principal
>> 06/04/14 11:28:35    06/04/14 21:28:35    krbtgt/AD.HOME@AD.HOME
>>         renew until 06/05/14 11:28:30, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
>>
>> klist after ssh adtest@AD.HOME@ipa.linux.home
>>
>> klist
>> Ticket cache: KEYRING:persistent:497801107:krb_ccache_y5TW1kB
>> Default principal: adtest@AD.HOME
>>
>> Valid starting       Expires              Service principal
>> 06/04/14 11:35:16    06/04/14 21:35:16    nfs/share.linux.home@LINUX.HOME
>>         renew until 06/05/14 11:28:30
>> 06/04/14 11:35:16    06/04/14 21:35:16    krbtgt/LINUX.HOME@AD.HOME
>>         renew until 06/05/14 11:28:30
>> 06/04/14 11:28:35    06/04/14 21:35:16    krbtgt/AD.HOME@AD.HOME
>>         renew until 06/05/14 11:28:30
>>
>> Home Directory gets mounted by autofs through sssd but user:group is both nobody.
>>
>> The Client's sssd.conf:
>>
>> [domain/linux.home]
>>
>> cache_credentials = True
>> krb5_store_password_if_offline = True
>> ipa_domain = linux.home
>> id_provider = ipa
>> auth_provider = ipa
>> access_provider = ipa
>> ipa_hostname = client.linux.home
>> chpass_provider = ipa
>> ipa_dyndns_update = True
>> ipa_server = _srv_, ipa.linux.home
>> ldap_tls_cacert = /etc/ipa/ca.crt
>> autofs_provider = ipa
>> ipa_automount_location = default
>> subdomains_provider = ipa
>> [sssd]
>> services = nss, pam, autofs, ssh
>> config_file_version = 2
>>
>> domains = linux.home
>> [nss]
>>
>> [pam]
>>
>> [sudo]
>>
>> [autofs]
>>
>> [ssh]
>>
>> [pac]
>>
>>
>> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Dmitri Pal
>> Sent: Tuesday, June 03, 2014 6:48 PM
>> To: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] IPA+AD trust and NFS nobody issue
>>
>> On 06/03/2014 09:07 AM, Johan Petersson wrote:
>> Hi,
>>
>> Environment:
>>
>> RHEL 7 IPA Server 3.3 with a trust to a Windows 2012 Server AD
>> RHEL 7 NFS Server
>> RHEL 7 Client
>>
>> I have found one problem when using an NFS 4 shared Home Directory for AD users logging in to IPA.
>> I have created an NFS share /home/adexample.org and use an autofs map in IPA.
>> All wbinfo tests work, as well as id.
>> I can login fine through SSH and Shell with adtest@adexample.org
>> The problem is that I can add the AD user as owner of his Home Directory, and if I log in to the NFS Server locally or through ssh the permissions are correct, but when logging in to any other computer I get "nobody" as owner.
>>
>> Are those computers RHEL7 NFS clients with SSSD?
>> Can you describe them in more detail please?
>>
>> Groups are no problem since AD groups can be mapped to Posix groups.
>>
>> Idmap.conf domain is set to the IPA Domain.
>>
>> Is there some way to get NFS working with the AD user as owner of his Home Directory?
>>
>> Thanks for any help.
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager IdM portfolio
>> Red Hat, Inc.
>
> --
> / Alexander Bokovoy

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

From dpal at redhat.com Thu Jun 5 19:09:20 2014
From: dpal at redhat.com (Dmitri Pal)
Date: Thu, 05 Jun 2014 15:09:20 -0400
Subject: [Freeipa-users] RSA Securid support
In-Reply-To: <1401993775.14811.22.camel@lindblom-desktop.ccs.ornl.gov>
References: <1401991998.14811.18.camel@lindblom-desktop.ccs.ornl.gov> <1401993026.26048.6.camel@willson.usersys.redhat.com> <1401993775.14811.22.camel@lindblom-desktop.ccs.ornl.gov>
Message-ID: <5390C060.8090404@redhat.com>

On 06/05/2014 02:42 PM, Lindblom, Brian R. wrote:
> That's fantastic. Thanks for the link.

Here is a video: https://drive.google.com/#folders/0B3tfpNCVjJdCWFQxUk9NdkpHN2c

If instead of using an IPA managed token you configure a RADIUS proxy to your RSA Authentication Manager, you would be able to accomplish a similar result as in the video. Do not forget to configure the IPA server client in RSA Authentication Manager as a single transaction server to avoid new pin and next token code mode hurdles.

We would appreciate a HowTo page if you make it work.
http://www.freeipa.org/page/HowTos

>
> Thanks,
> -Brian
>
> On Thu, 2014-06-05 at 14:30 -0400, Simo Sorce wrote:
>> On Thu, 2014-06-05 at 18:13 +0000, Lindblom, Brian R. wrote:
>>> I've been doing a bit of reading on integrating securid w/ ipa and am
>>> coming up a little short. Up-stream MIT kerberos has some mention of
>>> supporting it:
>>>
>>> http://k5wiki.kerberos.org/wiki/Projects/SecurID_SAM_support
>>>
>>> But I'm not sure if or how that translates to IPA support. Some clever
>>> pam rules could certainly be shoehorned-in as a sort of RSA "pre-auth"
>>> layer before getting into the krb5/sss bits, but that seems hackish at
>>> best. There was something on this mailing list talking about AuthHub
>>> support, circa 2012, but neither the topic nor the AuthHub git repository
>>> seem to have been touched since.
>>>
>>> So, long story short, is this on the roadmap, an existing feature, a
>>> hidden feature, or has it been done before? Any insight would be
>>> greatly appreciated! I dearly miss my IPA setup from my previous gig,
>>> but a hard-n-fast securid requirement makes it difficult to offer up as
>>> a solution here without more info on how they can cooperate.
>> IPA 4.0 will come out with integrated OTP support. To use an external
>> provider you will need to configure a radius server to which PIN+Code
>> will be sent for verification.
>>
>> This is the project page: http://www.freeipa.org/page/V3/OTP
>>
>> Simo.
>>

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

From shreerajkarulkar at yahoo.com Thu Jun 5 19:26:10 2014
From: shreerajkarulkar at yahoo.com (Shree)
Date: Thu, 5 Jun 2014 12:26:10 -0700 (PDT)
Subject: [Freeipa-users] Chaning IP of IPA Server
Message-ID: <1401996370.75087.YahooMailNeo@web160102.mail.bf1.yahoo.com>

Version ipa-server-3.0.0-26.el6_4.4.x86_64

Hi

I need to change the IP address of my server. Currently it syncs with a replica on a different subnet and has ACLs opened for this.
What would be the best way to go about it? Will it affect the certificates, clients etc?

Shreeraj
----------------------------------------------------------------------------------------
Change is the only Constant !

From arpittolani at gmail.com Thu Jun 5 19:40:03 2014
From: arpittolani at gmail.com (Arpit Tolani)
Date: Fri, 6 Jun 2014 01:10:03 +0530
Subject: [Freeipa-users] Chaning IP of IPA Server
In-Reply-To: <1401996370.75087.YahooMailNeo@web160102.mail.bf1.yahoo.com>
References: <1401996370.75087.YahooMailNeo@web160102.mail.bf1.yahoo.com>
Message-ID:

Hello

Fix a record in the /etc/hosts file on IPA servers, if the IPA server record is present there.

Make changes to the DNS entries for the IPA servers and change the SRV records. You may have to wait till the TTL expires, or you can change the TTL to a very low value such as 60 before changing the IP address. Change IPs and all DNS records. If everything works fine, raise the TTL to the original value.

Here we are talking about only changing the IP address, not the hostname. Changing the hostname will be too complex; I would suggest you set up a replica, promote it as master and decommission the older master.

Regards
Arpit Tolani

On Fri, Jun 6, 2014 at 12:56 AM, Shree wrote:
> Version ipa-server-3.0.0-26.el6_4.4.x86_64
> Hi
> I need to change the IP address of my server. Currently it syncs with a
> replica on a different subnet and has ACLs opened for this. What would be
> the best way to go about it? Will it affect the certificates, clients etc?
>
> Shreeraj
> ----------------------------------------------------------------------------------------
>
> Change is the only Constant !
>

--
Thanks & Regards
Arpit Tolani

From sallen at theembassyvfx.com Thu Jun 5 20:47:44 2014
From: sallen at theembassyvfx.com (Scott Allen)
Date: Thu, 5 Jun 2014 13:47:44 -0700
Subject: [Freeipa-users] Some computers cannot get Some users logged in.
In-Reply-To: <20140530073512.GM30381@localhost.localdomain>
References: <20140530073512.GM30381@localhost.localdomain>
Message-ID:

Hi,
I didn't migrate the passwords. All users started with a new default on IPA.
The new user foo doesn't exist on the AD system but can login successfully using IPA credentials on a migrated system.

On Fri, May 30, 2014 at 12:35 AM, Sumit Bose wrote:
> On Thu, May 29, 2014 at 11:20:37AM -0700, Scott Allen wrote:
> > Hi,
> > Having a particularly weird problem. We have moved from AD to freeIPA recently and while there have been some bumps, most of the CentOS 6.2 boxes make the transition successfully. Some background.
> >
> > The Linux boxes were joined to AD on Windows 2008R2 using samba/winbind. When we moved from AD, boxes were not "removed" from AD, just disabled on the server side. We scripted the necessary bits since we were moving to a new subnet as well. The script runs "ipa-client-install -p admin --password PASSWORD --enable-dns-updates -U"
> >
> > The machines were joined successfully to freeIPA and then added to allow_all_hosts Host Group.
> >
> > On a workstation that was migrated, all users can successfully log in.
> > On a fresh install of CentOS6.2, only myself (admin_user) and a newly created user (foo) can successfully log in.
> >
> > On this fresh install, 'david' is blocked but new user 'foo' is allowed.
> >
> > May 29 09:20:29 embassy419 polkitd(authority=local): Registered Authentication Agent for session /org/freedesktop/ConsoleKit/Session1 (system bus name :1.26 [/usr/libexec/polkit-gnome-authentication-agent-1], object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
> > May 29 09:20:46 embassy419 pam: gdm-password[2910]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=david
> > May 29 09:20:47 embassy419 pam: gdm-password[2910]: pam_sss(gdm-password:auth): system info: [Preauthentication failed]
> > May 29 09:20:47 embassy419 pam: gdm-password[2910]: pam_sss(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=david
> > May 29 09:20:47 embassy419 pam: gdm-password[2910]: pam_sss(gdm-password:auth): received for user david: 17 (Failure setting user credentials)
> > May 29 10:44:06 embassy419 polkitd(authority=local): Registered Authentication Agent for session /org/freedesktop/ConsoleKit/Session3 (system bus name :1.88 [/usr/libexec/polkit-gnome-authentication-agent-1], object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
> > May 29 10:44:13 embassy419 pam: gdm-password[3956]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:1 ruser= rhost= user=foo
> > May 29 10:44:14 embassy419 pam: gdm-password[3956]: pam_sss(gdm-password:auth): authentication success; logname= uid=0 euid=0 tty=:1 ruser= rhost= user=foo
> > May 29 10:44:14 embassy419 pam: gdm-password[3956]: pam_unix(gdm-password:session): session opened for user foo by (uid=0)
> > May 29 10:44:15 embassy419 polkitd(authority=local): Unregistered Authentication Agent for session /org/freedesktop/ConsoleKit/Session3 (system bus name :1.88, object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
> >
> > But on this machine that was migrated.
> > pam: gdm-password[14145]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:1 ruser= rhost= user=david
> > May 29 10:42:08 Embassy426 pam: gdm-password[14145]: pam_sss(gdm-password:auth): system info: [Preauthentication failed]
> > May 29 10:42:08 Embassy426 pam: gdm-password[14145]: pam_sss(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:1 ruser= rhost= user=david
> > May 29 10:42:08 Embassy426 pam: gdm-password[14145]: pam_sss(gdm-password:auth): received for user david: 17 (Failure setting user credentials)
> > May 29 10:42:08 Embassy426 pam: gdm-password[14145]: pam_winbind(gdm-password:auth): getting password (0x00000010)
> > May 29 10:42:08 Embassy426 pam: gdm-password[14145]: pam_winbind(gdm-password:auth): pam_get_item returned a password
> > May 29 10:42:09 Embassy426 pam: gdm-password[14145]: pam_winbind(gdm-password:auth): user 'david' granted access
> > May 29 10:42:09 Embassy426 pam: gdm-password[14145]: pam_winbind(gdm-password:account): valid_user: wbcGetpwnam gave WBC_ERR_DOMAIN_NOT_FOUND
> > May 29 10:42:10 Embassy426 pam: gdm-password[14145]: pam_unix(gdm-password:session): session opened for user david by (uid=0)
>
> As Dmitri already said, on the migrated systems winbind is still used and doing the authentication, which is still talking to AD. But you can see the same error from pam_sss 'Preauthentication failed' which typically is an indication that the password is wrong.
>
> How did you migrate the passwords from AD to IPA?
>
> bye,
> Sumit
>
> > May 29 10:42:10 Embassy426 polkitd(authority=local): Unregistered Authentication Agent for session /org/freedesktop/ConsoleKit/Session3 (system bus name :1.85, object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
>

--
Scott Allen
Head of IT
The Embassy Visual Effects Inc.
4th Floor - 177 W 7th Avenue
Vancouver, B.C. V5Y 1L8
604.696.6862 ext 241

From shreerajkarulkar at yahoo.com Thu Jun 5 20:49:21 2014
From: shreerajkarulkar at yahoo.com (Shree)
Date: Thu, 5 Jun 2014 13:49:21 -0700 (PDT)
Subject: [Freeipa-users] Chaning IP of IPA Server
In-Reply-To:
References: <1401996370.75087.YahooMailNeo@web160102.mail.bf1.yahoo.com>
Message-ID: <1402001361.54643.YahooMailNeo@web160103.mail.bf1.yahoo.com>

Arpit

So you are suggesting we just make the changes we do while changing the IP address of any server, and no IPA configuration will need to be changed?

Shreeraj
----------------------------------------------------------------------------------------
Change is the only Constant !

On Thursday, June 5, 2014 12:40 PM, Arpit Tolani wrote:

Hello

Fix a record in the /etc/hosts file on IPA servers, if the IPA server record is present there.

Make changes to the DNS entries for the IPA servers and change the SRV records. You may have to wait till the TTL expires, or you can change the TTL to a very low value such as 60 before changing the IP address. Change IPs and all DNS records. If everything works fine, raise the TTL to the original value.

Here we are talking about only changing the IP address, not the hostname. Changing the hostname will be too complex; I would suggest you set up a replica, promote it as master and decommission the older master.
Regards
Arpit Tolani

On Fri, Jun 6, 2014 at 12:56 AM, Shree wrote:
> Version ipa-server-3.0.0-26.el6_4.4.x86_64
> Hi
> I need to change the IP address of my server. Currently it syncs with a
> replica on a different subnet and has ACLs opened for this. What would be
> the best way to go about it? Will it affect the certificates, clients etc?
>
> Shreeraj
> ----------------------------------------------------------------------------------------
>
> Change is the only Constant !

--
Thanks & Regards
Arpit Tolani

From sallen at theembassyvfx.com Thu Jun 5 22:11:00 2014
From: sallen at theembassyvfx.com (Scott Allen)
Date: Thu, 5 Jun 2014 15:11:00 -0700
Subject: [Freeipa-users] Some computers cannot get Some users logged in.
In-Reply-To:
References: <20140530073512.GM30381@localhost.localdomain>
Message-ID:

Found the problem. The users were added by a custom script that didn't prompt for passwords. As such, the users were in IPA and enabled but not able to login as they never had an initial password set. So on migrated machines it fell through to winbind and somehow found the old AD server.

On Thu, Jun 5, 2014 at 1:47 PM, Scott Allen wrote:
> Hi,
> I didn't migrate the passwords. All users started with a new default on
> IPA.
> The new user foo doesn't exist on the AD system but can login successfully
> using IPA credentials on a migrated system.
>
>
> On Fri, May 30, 2014 at 12:35 AM, Sumit Bose wrote:
>
>> On Thu, May 29, 2014 at 11:20:37AM -0700, Scott Allen wrote:
>> > Hi,
>> > Having a particularly weird problem. We have moved from AD to freeIPA
>> > recently and while there have been some bumps, most of the CentOS 6.2 boxes
>> > make the transition successfully. Some background.
>> >
>> > The Linux boxes were joined to AD on Windows 2008R2 using samba/winbind.
>> > When we moved from AD, boxes were not "removed" from AD, just disabled on
>> > the server side. We scripted the necessary bits since we were moving to a
>> > new subnet as well. The script runs "ipa-client-install -p admin --password
>> > PASSWORD --enable-dns-updates -U"
>> >
>> > The machines were joined successfully to freeIPA and then added to
>> > allow_all_hosts Host Group.
>> >
>> > On a workstation that was migrated, all users can successfully log in.
>> > On a fresh install of CentOS6.2, only myself (admin_user) and a newly
>> > created user (foo) can successfully log in.
>> >
>> > On this fresh install, 'david' is blocked but new user 'foo' is allowed.
>> >
>> > May 29 09:20:29 embassy419 polkitd(authority=local): Registered Authentication Agent for session /org/freedesktop/ConsoleKit/Session1 (system bus name :1.26 [/usr/libexec/polkit-gnome-authentication-agent-1], object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
>> > May 29 09:20:46 embassy419 pam: gdm-password[2910]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=david
>> > May 29 09:20:47 embassy419 pam: gdm-password[2910]: pam_sss(gdm-password:auth): system info: [Preauthentication failed]
>> > May 29 09:20:47 embassy419 pam: gdm-password[2910]: pam_sss(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=david
>> > May 29 09:20:47 embassy419 pam: gdm-password[2910]: pam_sss(gdm-password:auth): received for user david: 17 (Failure setting user credentials)
>> > May 29 10:44:06 embassy419 polkitd(authority=local): Registered Authentication Agent for session /org/freedesktop/ConsoleKit/Session3 (system bus name :1.88 [/usr/libexec/polkit-gnome-authentication-agent-1], object path
>> > /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
>> > May 29 10:44:13 embassy419 pam: gdm-password[3956]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:1 ruser= rhost= user=foo
>> > May 29 10:44:14 embassy419 pam: gdm-password[3956]: pam_sss(gdm-password:auth): authentication success; logname= uid=0 euid=0 tty=:1 ruser= rhost= user=foo
>> > May 29 10:44:14 embassy419 pam: gdm-password[3956]: pam_unix(gdm-password:session): session opened for user foo by (uid=0)
>> > May 29 10:44:15 embassy419 polkitd(authority=local): Unregistered Authentication Agent for session /org/freedesktop/ConsoleKit/Session3 (system bus name :1.88, object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
>> >
>> > But on this machine that was migrated.
>> > pam: gdm-password[14145]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:1 ruser= rhost= user=david
>> > May 29 10:42:08 Embassy426 pam: gdm-password[14145]: pam_sss(gdm-password:auth): system info: [Preauthentication failed]
>> > May 29 10:42:08 Embassy426 pam: gdm-password[14145]: pam_sss(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:1 ruser= rhost= user=david
>> > May 29 10:42:08 Embassy426 pam: gdm-password[14145]: pam_sss(gdm-password:auth): received for user david: 17 (Failure setting user credentials)
>> > May 29 10:42:08 Embassy426 pam: gdm-password[14145]: pam_winbind(gdm-password:auth): getting password (0x00000010)
>> > May 29 10:42:08 Embassy426 pam: gdm-password[14145]: pam_winbind(gdm-password:auth): pam_get_item returned a password
>> > May 29 10:42:09 Embassy426 pam: gdm-password[14145]: pam_winbind(gdm-password:auth): user 'david' granted access
>> > May 29 10:42:09 Embassy426 pam: gdm-password[14145]: pam_winbind(gdm-password:account): valid_user: wbcGetpwnam gave
>> > WBC_ERR_DOMAIN_NOT_FOUND
>> > May 29 10:42:10 Embassy426 pam: gdm-password[14145]: pam_unix(gdm-password:session): session opened for user david by (uid=0)
>>
>> As Dmitri already said, on the migrated systems winbind is still used
>> and doing the authentication which is still talking to AD. But you can
>> see the same error from pam_sss 'Preauthentication failed' which
>> typically is an indication that the password is wrong.
>>
>> How did you migrate the passwords from AD to IPA?
>>
>> bye,
>> Sumit
>>
>> > May 29 10:42:10 Embassy426 polkitd(authority=local): Unregistered Authentication Agent for session /org/freedesktop/ConsoleKit/Session3 (system bus name :1.85, object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)

--
Scott Allen
Head of IT
The Embassy Visual Effects Inc.
4th Floor - 177 W 7th Avenue
Vancouver, B.C.
V5Y 1L8
604.696.6862 ext 241

From Duncan.Innes at virginmoney.com Fri Jun 6 07:55:08 2014
From: Duncan.Innes at virginmoney.com (Innes, Duncan)
Date: Fri, 6 Jun 2014 08:55:08 +0100
Subject: [Freeipa-users] FreeIPA public demo available
In-Reply-To: <53902F79.4020100@redhat.com>
References: <53902F79.4020100@redhat.com>
Message-ID: <56343345B145C043AE990701E3D193950478DE57@EXVS2.nrplc.localnet>

This is good to see - sometimes difficult to be allowed to pop up another dev IPA server in a corporate network.

Is it possible to determine the current running version of IPA from the Web interface?
Never had to do this as I've always had console access to my servers, but I can't find anywhere that tells me the current version on this demo.

Thanks

Duncan

> -----Original Message-----
> From: freeipa-users-bounces at redhat.com
> [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Martin Kosek
> Sent: 05 June 2014 09:51
> To: freeipa-users at redhat.com; freeipa-interest at redhat.com;
> sssd-users at lists.fedorahosted.org
> Subject: [Freeipa-users] FreeIPA public demo available
>
> Hello all FreeIPA users and enthusiasts!
>
> I would like to invite everyone to try our new public FreeIPA
> demo instance running on Red Hat OpenStack platform:
>
> http://www.freeipa.org/page/Demo
>
> The demo will always hold the latest stable version of
> FreeIPA or a Beta version of a next major release (e.g. when
> 4.0 Beta is available).
>
> The demo is great for:
> * Testing changes and enhancements in the most recent CLI/Web UI/API
> * Testing integration in the OS - FreeIPA clients can be enrolled
> * Testing web applications with LDAP/Kerberos authentication
> and advanced integration with FreeIPA
>
> You can read all the details in the page referred above.
>
> Feedback welcome!
>
> --
> Martin Kosek
> Supervisor, Software Engineering - Identity Management Team
> Red Hat Inc.

This message has been checked for viruses and spam by the Virgin Money email scanning system powered by Messagelabs.

This e-mail is intended to be confidential to the recipient. If you receive a copy in error, please inform the sender and then delete this message.

Virgin Money plc - Registered in England and Wales (Company no. 6952311).
Registered office - Jubilee House, Gosforth, Newcastle upon Tyne NE3 4PL. Virgin Money plc is authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority.

The following companies also trade as Virgin Money. They are both authorised and regulated by the Financial Conduct Authority, are registered in England and Wales and have their registered office at Jubilee House, Gosforth, Newcastle upon Tyne NE3 4PL: Virgin Money Personal Financial Service Limited (Company no. 3072766) and Virgin Money Unit Trust Managers Limited (Company no. 3000482).

For further details of Virgin Money group companies please visit our website at virginmoney.com

From mkosek at redhat.com Fri Jun 6 08:08:24 2014
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 06 Jun 2014 10:08:24 +0200
Subject: [Freeipa-users] FreeIPA public demo available
In-Reply-To: <56343345B145C043AE990701E3D193950478DE57@EXVS2.nrplc.localnet>
References: <53902F79.4020100@redhat.com> <56343345B145C043AE990701E3D193950478DE57@EXVS2.nrplc.localnet>
Message-ID: <539176F8.2060600@redhat.com>

Good question. Note that this server is just a sandbox, so if you need to store data persistently, your own VM would be a better choice.

Current FreeIPA server demo is version 3.3.5, unfortunately you cannot find that out from current Web UI. FreeIPA 4.0 (in development) will have a dialog with version though. Do not worry, you will notice when 4.0 Beta is enrolled there as its Web UI has been revisited and is awesome :-)

Martin

On 06/06/2014 09:55 AM, Innes, Duncan wrote:
> This is good to see - sometimes difficult to be allowed to pop up
> another dev IPA server in a corporate network.
>
> Is it possible to determine the current running version of IPA from the
> Web interface? Never had to do this as I've always had console access
> to my servers, but I can't find anywhere that tells me the current
> version on this demo.
From Duncan.Innes at virginmoney.com Fri Jun 6 09:05:08 2014
From: Duncan.Innes at virginmoney.com (Innes, Duncan)
Date: Fri, 6 Jun 2014 10:05:08 +0100
Subject: [Freeipa-users] FreeIPA public demo available
In-Reply-To: <539176F8.2060600@redhat.com>
References: <53902F79.4020100@redhat.com> <56343345B145C043AE990701E3D193950478DE57@EXVS2.nrplc.localnet> <539176F8.2060600@redhat.com>
Message-ID: <56343345B145C043AE990701E3D193950478DE5A@EXVS2.nrplc.localnet>

I've already seen some screenshots - it's a *big* improvement!

> -----Original Message-----
> From: Martin Kosek [mailto:mkosek at redhat.com]
> Sent: 06 June 2014 09:08
> To: Innes, Duncan; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] FreeIPA public demo available
>
> Good question. Note that this server is just a sandbox, so if
> you need to store data persistently, your own VM would be a better choice.
>
> Current FreeIPA server demo is version 3.3.5, unfortunately
> you cannot find that out from current Web UI. FreeIPA 4.0 (in
> development) will have a dialog with version though.
> Do not
> worry, you will notice when 4.0 Beta is enrolled there as
> its Web UI has been revisited and is awesome :-)
>
> Martin
From sbose at redhat.com Fri Jun 6 09:12:47 2014
From: sbose at redhat.com (Sumit Bose)
Date: Fri, 6 Jun 2014 11:12:47 +0200
Subject: [Freeipa-users] Some computers cannot get Some users logged in.
In-Reply-To:
References: <20140530073512.GM30381@localhost.localdomain>
Message-ID: <20140606091247.GH5752@localhost.localdomain>

On Thu, Jun 05, 2014 at 03:11:00PM -0700, Scott Allen wrote:
> Found the problem. The users were added by a custom script that didn't
> prompt for passwords. As such, the users were in IPA and enabled but not
> able to login as they never had an initial password set. So on migrated
> machines it fell through to winbind and somehow found the old AD server.

Great, thank you for the feedback. I would recommend removing the winbind entries from the PAM and NSS configuration after the migration is finished.

bye,
Sumit
From bnordgren at fs.fed.us Sat Jun 7 21:21:29 2014
From: bnordgren at fs.fed.us (Nordgren, Bryce L -FS)
Date: Sat, 7 Jun 2014 21:21:29 +0000
Subject: [Freeipa-users] External collaboration edits
In-Reply-To: <5373EA60.5010207@redhat.com>
References: <82E7C9A01FD0764CACDD35D10F5DFB6E6B00D0@001FSN2MPN1-044.001f.mgd2.msft.net> <5373EA60.5010207@redhat.com>
Message-ID: <82E7C9A01FD0764CACDD35D10F5DFB6E6D446D@001FSN2MPN1-044.001f.mgd2.msft.net>

Dimitri, thanks for the reply! Pls forgive my lateness.

I fear I am not currently up to fighting with MS Outlook to convince it to let me respond inline. It wants to block quote your entire message and if I type in the middle it keeps the "quoted" style.

In any case:

#1] Making small things work first and accumulating functionality is definitely the way to go. If it were simple and straightforward, everyone would be doing it already.
#2] I looked at "views" (Ticket 3979 as well as http://www.freeipa.org/page/V4/Migrating_existing_environments_to_Trust). I think I follow most of it (a default view which applies to the whole domain, custom views which may be applied to particular targets). +1 +1 +1. One concern I have is that the design page seems to be written around a single upstream source (trust with AD). What happens if there are many "upstreams"? All in all, though, it sounds like my current RFE is a duplicate of views. If we could add in my use case to the Views ticket/design, we can close mine out.

#3] Kerberos based auto provisioning will fall apart if the authentication path cannot be walked by the client (not the FreeIPA server). When I'm sitting in my office, I can see my KDC as well as the collaboration environment, and I can walk the path. However, if I cannot convince my CIO to poke a hole in the firewall so that FreeIPA in the collaboration domain can get to the internal AD (to query attributes, etc), then an AD trust is not possible and a vanilla Kerberos trust is all that is available. Kerberos-trust based auto-provisioning may be able to handle situations that AD trusts can't. By and large, I need my boxes to know my username, and could care less if they know my givenName, sn, mail, telephoneNumber, etc. As long as FreeIPA can synthesize a uidNumber for me in the absence of an SID, the rest is gravy.

#4] One user/Many Accounts. This is an unavoidable reality. Also, there's a namespace collision issue here. My Kerberos cname at crealm is bnordgren at DS.FS.FED.US as issued from my AD. My SAML uid is "bnordgren at fs" from https://www.eauth.usda.gov/Login/login.aspx. My Google OpenID is bnordgren from "wherever". There is also a "bnordgren" from a university out of SLC, Utah. I occasionally get mis-addressed email for him. Typically spam, but once from his mom.
Fundamentally, whenever multiple domains are consolidated into a single namespace (as is already a use case for views), one typically tries to avoid username collisions just as vigilantly as they try to avoid uidNumber collisions. What is needed here is a method for the users to override the default collision avoidance such that they allow all of their accounts to be mapped onto their One True Username for the domain. In the spirit of point #1, implementing collision avoidance will be required for views, so it needs to happen now even without external collaboration. Figuring out how to let users override it can happen in the future.

Bryce

From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Dmitri Pal
Sent: Wednesday, May 14, 2014 4:13 PM
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] External collaboration edits

On 04/19/2014 07:46 PM, Nordgren, Bryce L -FS wrote:
I've run out of time for today, but the external collaboration pages are slowly evolving.

http://www.freeipa.org/page/External_Users_in_IPA

Dimitri observed that my RFE page was too long. I observe it also has too much stuff unrelated to the actual meat of the RFE. So I factored out most of the Kerberos stuff into a different page. I also tried to focus the RFE to just creating entries in LDAP for external users so they can: a] participate in POSIX groups; and b] have locally-defined POSIX attributes.

http://www.freeipa.org/page/Collaboration_with_Kerberos

This is where all the Kerberos stuff went. I also added in "Option A" from Petr's email. Option B will come along later, when I pick this up again. Mechanism three has more to do with Ipsilon than IPA, and basic functions required of the Ipsilon gateway server are articulated there (regardless of the particular authentication method.)

Send comments to the list. I really appreciate Option A! Send more stuff I didn't think of.

Hello,

I finally read the pages, sorry for the delay.

great writeup!
Here are some comments.

1) You are right that we need to have a record in IPA to be able to have a DN and take over some of the posix attributes. We already have this use case and this is a high priority. We call it views: https://fedorahosted.org/freeipa/ticket/3979

Once this is implemented we will have a mechanism to have a local entry without credential for the external user.

2) The second issue is provisioning as automatic as possible. And this is where there will be some issues. If we want to leverage Kerberos trusts then two things should happen:
a) the trust should first be established
b) the home realm should be accessible for the KDC in the collaboration domain.

This raises practical operational questions about what the home domain is. If the home domain is another collaboration domain then the user has natively been created in that domain and has his credential in that domain. Hm, but that violates the idea that the collaboration domains have external "auto-provisioned users". If the home domain is the internal domain then most likely the cross forest trust can't be established because the admin of the internal domain would not want to expose his domain to somebody's external domain on the internet. So IMO the kerberos based auto-provisioning falls apart.

However if we use a gateway that would allow a person to self register and use technologies similar to OpenID then we would be able to create his own account. The gateway would check that the user is from some trusted source that is configured for that domain. We would have to figure that part out. But IMO this component is external to IPA. It is a similar gateway to Ipsilon. I suspect that as we move forward Ipsilon will transform from an IdP server to being a collection of "gateway services". One would be able to deploy IdP instances, Kerberos -> cert service, account registration service etc. This would rely on some of the functionality in IPA but can evolve independently.
IMO if we go this path and you are interested in contributing to this effort we can start prototyping such service.
We can start simple: create a service that allows one to authenticate using google or facebook and once user authenticated against one of them call an ipa user-add against IPA.
That would be a good first step towards what you want to accomplish.
Then it can be enhanced to redirect to an external IdP (Ipsilon). Then the setup will be:

* User connects to the self registration portal.
* Portal redirects him to the IdP that is configured for the portal
* IdP performs an authentication against user home domain and creates assertion
* Assertion is presented to the registration portal
* The portal gets user info from the assertion and adds a user

It also seems that OpenID connect might be quite relevant here.
So exploring how it can be used in conjunction with registration portal would be another path.

3) The problem of the credential yet stays open. If the user can be created in different ways it might not be quite easy for the user to know or remember that he must use his kerberos/Google/facebook or other credential with a specific domain. Maybe we should consider creating a full user also with a password or OTP token to access the collaboration domain. Then user would always know that he needs to use his token. I wonder if actually just OTP would be a good option in this case. It can be provisioned to the freeOTP app at the moment of the user registration.

Thanks
Dmitri

Bryce

This electronic message contains information generated by the USDA solely for the intended recipients. Any unauthorized interception of this message or the use or disclosure of the information it contains may violate the law and subject the violator to civil or criminal penalties. If you believe you have received this message in error, please notify the sender and delete the email immediately.
_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

From dpal at redhat.com Sat Jun 7 21:55:24 2014
From: dpal at redhat.com (Dmitri Pal)
Date: Sat, 07 Jun 2014 17:55:24 -0400
Subject: [Freeipa-users] External collaboration edits
In-Reply-To: <82E7C9A01FD0764CACDD35D10F5DFB6E6D446D@001FSN2MPN1-044.001f.mgd2.msft.net>
References: <82E7C9A01FD0764CACDD35D10F5DFB6E6B00D0@001FSN2MPN1-044.001f.mgd2.msft.net> <5373EA60.5010207@redhat.com> <82E7C9A01FD0764CACDD35D10F5DFB6E6D446D@001FSN2MPN1-044.001f.mgd2.msft.net>
Message-ID: <53938A4C.7020600@redhat.com>

On 06/07/2014 05:21 PM, Nordgren, Bryce L -FS wrote:
>
> Dimitri, thanks for the reply! Pls forgive my lateness.
>
> I fear I am not currently up to fighting with MS Outlook to convince it to let me respond inline. It wants to block quote your entire message and if I type in the middle it keeps the "quoted" style.
>
> In any case:
>
> #1] Making small things work first and accumulating functionality is definitely the way to go. If it were simple and straightforward, everyone would be doing it already.
>
> #2] I looked at "views" (Ticket 3979 as well as http://www.freeipa.org/page/V4/Migrating_existing_environments_to_Trust). I think I follow most of it (a default view which applies to the whole domain, custom views which may be applied to particular targets). +1 +1 +1. One concern I have is that the design page seems to be written around a single upstream source (trust with AD). What happens if there are many "upstreams"? All in all, though, it sounds like my current RFE is a duplicate of views. If we could add in my use case to the Views ticket/design, we can close mine out.
>
We start with AD views.
When we get to IPA to IPA trusts we see how much of this is applicable and or reusable.

> #3] Kerberos based auto provisioning will fall apart if the authentication path cannot be walked by the client (not the FreeIPA server). When I'm sitting in my office, I can see my KDC as well as the collaboration environment, and I can walk the path. However, if I cannot convince my CIO to poke a hole in the firewall so that FreeIPA in the collaboration domain can get to the internal AD (to query attributes, etc), then an AD trust is not possible and a vanilla Kerberos trust is all that is available. Kerberos-trust based auto-provisioning may be able to handle situations that AD trusts can't. By and large, I need my boxes to know my username, and could care less if they know my givenName, sn, mail, telephoneNumber, etc. As long as FreeIPA can synthesize a uidNumber for me in the absence of an SID, the rest is gravy.
>
You might be able to convince him to do SAML federation and stand up an IdP. This is why we are working on Ipsilon.

> #4] One user/Many Accounts. This is an unavoidable reality. Also, there's a namespace collision issue here. My Kerberos cname at crealm is bnordgren at DS.FS.FED.US as issued from my AD. My SAML uid is "bnordgren at fs" from https://www.eauth.usda.gov/Login/login.aspx. My Google OpenID is bnordgren from "wherever". There is also a "bnordgren" from a university out of SLC, Utah. I occasionally get mis-addressed email for him. Typically spam, but once from his mom. Fundamentally, whenever multiple domains are consolidated into a single namespace (as is already a use case for views), one typically tries to avoid username collisions just as vigilantly as they try to avoid uidNumber collisions. What is needed here is a method for the users to override the default collision avoidance such that they allow all of their accounts to be mapped onto their One True Username for the domain.
> In the spirit of point #1, implementing collision avoidance will be required for views, so it needs to happen now even without external collaboration. Figuring out how to let users override it can happen in the future.
>
This is a standard problem of identity mapping. It is not solvable in general and has to be solved in the context of every namespace. In our case we use FQ names so we are pretty much guaranteed to have unique names. With Kerberos trusts one can just let external principal be and wander around. If you do SAML you would have to create local principal and probably assign his external name that came from SAML as an alias. Kerberos supports aliases so it is the question of implementing it.

I think we are going into the right direction with our efforts, it is just the question of time and demand. As time goes more and more interoperable solutions would be needed so the demand for identity "collaboration" will become more urgent. Right now we have many fishes to fry and cats to skin. Stay tuned.

> Bryce
>
> *From:*freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] *On Behalf Of *Dmitri Pal
> *Sent:* Wednesday, May 14, 2014 4:13 PM
> *To:* freeipa-users at redhat.com
> *Subject:* Re: [Freeipa-users] External collaboration edits
>
> On 04/19/2014 07:46 PM, Nordgren, Bryce L -FS wrote:
>
> I've run out of time for today, but the external collaboration pages are slowly evolving.
>
> http://www.freeipa.org/page/External_Users_in_IPA
>
> Dimitri observed that my RFE page was too long. I observe it also has too much stuff unrelated to the actual meat of the RFE. So I factored out most of the Kerberos stuff into a different page. I also tried to focus the RFE to just creating entries in LDAP for external users so they can: a] participate in POSIX groups; and b] have locally-defined POSIX attributes.
>
> http://www.freeipa.org/page/Collaboration_with_Kerberos
>
> This is where all the Kerberos stuff went.
> I also added in "Option A" from Petr's email. Option B will come along later, when I pick this up again. Mechanism three has more to do with Ipsilon than IPA, and basic functions required of the Ipsilon gateway server are articulated there (regardless of the particular authentication method.)
>
> Send comments to the list. I really appreciate Option A! Send more stuff I didn't think of.
>
>
> Hello,
>
>
> I finally read the pages, sorry for the delay. Great writeup!
>
> Here are some comments.
>
> 1) You are right that we need to have a record in IPA to be able to have a DN and take over some of the posix attributes. We already have this use case and this is a high priority. We call it views: https://fedorahosted.org/freeipa/ticket/3979
> Once this is implemented we will have a mechanism to have a local entry without credential for the external user.
> 2) The second issue is provisioning as automatic as possible. And this is where there will be some issues.
> If we want to leverage Kerberos trusts then two things should happen:
> a) the trust should first be established
> b) the home realm should be accessible for the KDC in the collaboration domain.
> This raises practical operational questions about what is the home domain. If the home domain is another collaboration domain then the user has natively been created in that domain and has his credential in that domain. Hm but that violates the idea that the collaboration domains have external "auto-provisioned users". If the home domain is the internal domain then most likely the cross forest trust can't be established because admin of the internal domain would not want to expose his domain to somebody's external domain on the internet.
> So IMO the kerberos based auto-provisioning falls apart.
>
> However if we use a gateway that would allow a person to self register and use technologies similar to OpenID then we would be able to create his own account.
> The gateway would check that the user is from some trusted source that is configured for that domain. We would have to figure that part out. But IMO this component is external to IPA. It is a similar gateway to Ipsilon. I suspect that as we move forward Ipsilon will transform from an IdP server to being a collection of "gateway services". One would be able to deploy IdP instances, Kerberos -> cert service, account registration service etc.
>
> This would rely on some of the functionality in IPA but can evolve independently.
> IMO if we go this path and you are interested in contributing to this effort we can start prototyping such service.
> We can start simple: create a service that allows one to authenticate using google or facebook and once user authenticated against one of them call an ipa user-add against IPA.
> That would be a good first step towards what you want to accomplish.
> Then it can be enhanced to redirect to an external IdP (Ipsilon). Then the setup will be:
>
> * User connects to the self registration portal.
> * Portal redirects him to the IdP that is configured for the portal
> * IdP performs an authentication against user home domain and creates assertion
> * Assertion is presented to the registration portal
> * The portal gets user info from the assertion and adds a user
>
> It also seems that OpenID connect might be quite relevant here.
> So exploring how it can be used in conjunction with registration portal would be another path.
>
> 3) The problem of the credential yet stays open. If the user can be created in different ways it might not be quite easy for the user to know or remember that he must use his kerberos/Google/facebook or other credential with a specific domain. Maybe we should consider creating a full user also with a password or OTP token to access the collaboration domain. Then user would always know that he needs to use his token.
> I wonder if actually just OTP would be a good option in this case. It can be provisioned to the freeOTP app at the moment of the user registration.
>
>
>
> Thanks
> Dmitri
>
>
> Bryce
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

From yamakasi.014 at gmail.com Mon Jun 9 10:16:55 2014
From: yamakasi.014 at gmail.com (Matt .)
Date: Mon, 9 Jun 2014 12:16:55 +0200
Subject: [Freeipa-users] Automount WebDav share
Message-ID:

Hi All,

Is it possible in some way to automount a WebDav share to a Ubuntu Client when a user logs in on the commandline ?

I'm only able to use WebDav on these machines.

I hope this is solvable.

Cheers,

Matt

From natxo.asenjo at gmail.com Mon Jun 9 10:24:34 2014
From: natxo.asenjo at gmail.com (Natxo Asenjo)
Date: Mon, 9 Jun 2014 12:24:34 +0200
Subject: [Freeipa-users] Automount WebDav share
In-Reply-To:
References:
Message-ID:

On Mon, Jun 9, 2014 at 12:16 PM, Matt . wrote:
> Hi All,
>
> Is it possible in some way to automount a WebDav share to a Ubuntu Client when a user logs in on the commandline ?
>
> I'm only able to use WebDav on these machines.
>
autofs should work with webdav, and googling shows this:

http://www.matrix44.net/blog/?p=1048

no experience with it. Let us know how it goes.

--
groet,
natxo

From yamakasi.014 at gmail.com Mon Jun 9 10:35:05 2014
From: yamakasi.014 at gmail.com (Matt .)
Date: Mon, 9 Jun 2014 12:35:05 +0200
Subject: [Freeipa-users] Automount WebDav share
In-Reply-To:
References:
Message-ID:

Hi,

Thanks for that quick search, I wasn't searching on autofs.

I will let you know!

Cheers,

Matt

2014-06-09 12:24 GMT+02:00 Natxo Asenjo :
>
> On Mon, Jun 9, 2014 at 12:16 PM, Matt . wrote:
>>
>> Hi All,
>>
>> Is it possible in some way to automount a WebDav share to a Ubuntu Client when a user logs in on the commandline ?
>>
>> I'm only able to use WebDav on these machines.
>
>
> autofs should work with webdav, and googling shows this:
>
> http://www.matrix44.net/blog/?p=1048
>
> no experience with it. Let us know how it goes.
>
> --
> groet,
> natxo

From yamakasi.014 at gmail.com Mon Jun 9 10:41:43 2014
From: yamakasi.014 at gmail.com (Matt .)
Date: Mon, 9 Jun 2014 12:41:43 +0200
Subject: [Freeipa-users] Automount WebDav share
In-Reply-To:
References:
Message-ID:

Hi,

I'm only concerned about how to pass the password in this one... it seems to be hardcoded and I would like to have it used by ldap/freeipa.

Cheers,

Matt

2014-06-09 12:35 GMT+02:00 Matt . :
> Hi,
>
> Thanks for that quick search, I wasn't searching on autofs.
>
> I will let you know!
>
> Cheers,
>
> Matt
>
> 2014-06-09 12:24 GMT+02:00 Natxo Asenjo :
>>
>> On Mon, Jun 9, 2014 at 12:16 PM, Matt . wrote:
>>>
>>> Hi All,
>>>
>>> Is it possible in some way to automount a WebDav share to a Ubuntu Client when a user logs in on the commandline ?
>>>
>>> I'm only able to use WebDav on these machines.
>>
>>
>> autofs should work with webdav, and googling shows this:
>>
>> http://www.matrix44.net/blog/?p=1048
>>
>> no experience with it. Let us know how it goes.
>>
>> --
>> groet,
>> natxo

From natxo.asenjo at gmail.com Mon Jun 9 11:16:06 2014
From: natxo.asenjo at gmail.com (Natxo Asenjo)
Date: Mon, 9 Jun 2014 13:16:06 +0200
Subject: [Freeipa-users] Automount WebDav share
In-Reply-To:
References:
Message-ID:

On Mon, Jun 9, 2014 at 12:41 PM, Matt . wrote:
> Hi,
>
> I'm only concerned about how to pass the password in this one... it seems to be hardcoded and I would like to have it used by ldap/freeipa.
>
>
ideally the webdav server would accept gssapi/kerberos, then you would not need any passwords.

Sorry, I have no webdav server to play with handy and my home lab is pretty reduced nowadays.

--
regards,
natxo

From yamakasi.014 at gmail.com Tue Jun 10 09:10:21 2014
From: yamakasi.014 at gmail.com (Matt .)
Date: Tue, 10 Jun 2014 11:10:21 +0200
Subject: [Freeipa-users] Automount WebDav share
In-Reply-To:
References:
Message-ID:

Hi,

Yes this is happening, or should with:

share -fstype=davfs,user,rw,dir_mode=0777,file_mode=0666 http://webdavserver//webdav

But it doesn't connect, or I don't see any logs about it.

Ab on IRC tested this and it should work, but I'm missing something I think.

Cheers,

Matt

2014-06-09 13:16 GMT+02:00 Natxo Asenjo :
>
>
> On Mon, Jun 9, 2014 at 12:41 PM, Matt . wrote:
>>
>> Hi,
>>
>> I'm only concerned about how to pass the password in this one... it seems to be hardcoded and I would like to have it used by ldap/freeipa.
>>
>
> ideally the webdav server would accept gssapi/kerberos, then you would not need any passwords.
>
> Sorry, I have no webdav server to play with handy and my home lab is pretty reduced nowadays.
>
> --
> regards,
> natxo

From arthur at deus.pro Tue Jun 10 11:27:40 2014
From: arthur at deus.pro (Arthur Fayzullin)
Date: Tue, 10 Jun 2014 17:27:40 +0600
Subject: [Freeipa-users] IPA-server and containers
Message-ID: <5396EBAC.20707@deus.pro>

HI!
Alexandr, I've seen Your presentation at RedHat forum. Very good presentation! :)
I've got a question about FreeIPA from that presentation. Of course question is not only for You.
So, the question:
Are there any plans for integration freeipa-server with containers?
* working freeipa as a single container;
* working freeipa as a bunch of containers (ldap-containers, dns-containers, dogtag-containers and other components containers).

--
Regards,
Arthur Fayzullin

From jpazdziora at redhat.com Tue Jun 10 12:10:28 2014
From: jpazdziora at redhat.com (Jan Pazdziora)
Date: Tue, 10 Jun 2014 14:10:28 +0200
Subject: [Freeipa-users] IPA-server and containers
In-Reply-To: <5396EBAC.20707@deus.pro>
References: <5396EBAC.20707@deus.pro>
Message-ID: <20140610121028.GS1482@redhat.com>

On Tue, Jun 10, 2014 at 05:27:40PM +0600, Arthur Fayzullin wrote:
> HI!
> Alexandr, I've seen Your presentation at RedHat forum. Very good presentation! :)
> I've got a question about FreeIPA from that presentation. Of course question is not only for You.
> So, the question:
> Are there any plans for integration freeipa-server with containers?
> * working freeipa as a single container;

We have testing FreeIPA in Fedora 20 container at

https://registry.hub.docker.com/u/adelton/fedora20-freeipa-server/

However, at this point the size of that image is over 1.2 GB so we were not announcing it yet as we try to find ways to make the image smaller and thus more easily consumable.
--
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat

From yamakasi.014 at gmail.com Tue Jun 10 20:03:08 2014
From: yamakasi.014 at gmail.com (Matt .)
Date: Tue, 10 Jun 2014 22:03:08 +0200
Subject: [Freeipa-users] Automount WebDav share
In-Reply-To:
References:
Message-ID:

OK, it seems that GSSAPI is key here, now I need to find out if I need something extra for GSSAPI on the WebDav Server.

2014-06-10 11:10 GMT+02:00 Matt . :
> Hi,
>
> Yes this is happening, or should with:
>
> share -fstype=davfs,user,rw,dir_mode=0777,file_mode=0666 http://webdavserver//webdav
>
> But it doesn't connect, or I don't see any logs about it.
>
> Ab on IRC tested this and it should work, but I'm missing something I think.
>
> Cheers,
>
> Matt
>
> 2014-06-09 13:16 GMT+02:00 Natxo Asenjo :
>>
>>
>> On Mon, Jun 9, 2014 at 12:41 PM, Matt . wrote:
>>>
>>> Hi,
>>>
>>> I'm only concerned about how to pass the password in this one... it seems to be hardcoded and I would like to have it used by ldap/freeipa.
>>>
>>
>> ideally the webdav server would accept gssapi/kerberos, then you would not need any passwords.
>>
>> Sorry, I have no webdav server to play with handy and my home lab is pretty reduced nowadays.
>>
>> --
>> regards,
>> natxo

From walid.shaari at gmail.com Tue Jun 10 21:02:52 2014
From: walid.shaari at gmail.com (Walid)
Date: Wed, 11 Jun 2014 00:02:52 +0300
Subject: [Freeipa-users] IPA-server and containers
In-Reply-To: <20140610121028.GS1482@redhat.com>
References: <5396EBAC.20707@deus.pro> <20140610121028.GS1482@redhat.com>
Message-ID:

Hi,

Could you share the presentation with us.

regards

Walid

On 10 June 2014 15:10, Jan Pazdziora wrote:
> On Tue, Jun 10, 2014 at 05:27:40PM +0600, Arthur Fayzullin wrote:
> > HI!
> > Alexandr, I've seen Your presentation at RedHat forum. Very good presentation! :)
> > I've got a question about FreeIPA from that presentation. Of course question is not only for You.
> > So, the question:
> > Are there any plans for integration freeipa-server with containers?
> > * working freeipa as a single container;
>
> We have testing FreeIPA in Fedora 20 container at
>
> https://registry.hub.docker.com/u/adelton/fedora20-freeipa-server/
>
> However, at this point the size of that image is over 1.2 GB so we were not announcing it yet as we try to find ways to make the image smaller and thus more easily consumable.
>
> --
> Jan Pazdziora
> Principal Software Engineer, Identity Management Engineering, Red Hat
>

From arthur at deus.pro Wed Jun 11 01:41:11 2014
From: arthur at deus.pro (Arthur Fayzullin)
Date: Wed, 11 Jun 2014 07:41:11 +0600
Subject: [Freeipa-users] IPA-server and containers
In-Reply-To: <20140610121028.GS1482@redhat.com>
References: <5396EBAC.20707@deus.pro> <20140610121028.GS1482@redhat.com>
Message-ID: <5397B3B7.5020807@deus.pro>

Running IPA as a bunch of containers can reduce size of each one. Of course then total size will be much greater.

10.06.2014 18:10, Jan Pazdziora wrote:
> On Tue, Jun 10, 2014 at 05:27:40PM +0600, Arthur Fayzullin wrote:
>> HI!
>> Alexandr, I've seen Your presentation at RedHat forum. Very good presentation! :)
>> I've got a question about FreeIPA from that presentation. Of course question is not only for You.
>> So, the question:
>> Are there any plans for integration freeipa-server with containers?
>> * working freeipa as a single container;
> We have testing FreeIPA in Fedora 20 container at
>
> https://registry.hub.docker.com/u/adelton/fedora20-freeipa-server/
>
> However, at this point the size of that image is over 1.2 GB so we were not announcing it yet as we try to find ways to make the image smaller and thus more easily consumable.
>

From dpal at redhat.com Wed Jun 11 04:39:03 2014
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 11 Jun 2014 00:39:03 -0400
Subject: [Freeipa-users] IPA-server and containers
In-Reply-To: <5397B3B7.5020807@deus.pro>
References: <5396EBAC.20707@deus.pro> <20140610121028.GS1482@redhat.com> <5397B3B7.5020807@deus.pro>
Message-ID: <5397DD67.1040907@redhat.com>

On 06/10/2014 09:41 PM, Arthur Fayzullin wrote:
> Running IPA as a bunch of containers can reduce size of each one. Of course then total size will be much greater.

IPA does not yet render itself to be run as several containers. And actually having it split into several might have a higher total footprint as some of the shared dependencies would have to be installed into several containers.

>
> 10.06.2014 18:10, Jan Pazdziora wrote:
>> On Tue, Jun 10, 2014 at 05:27:40PM +0600, Arthur Fayzullin wrote:
>>> HI!
>>> Alexandr, I've seen Your presentation at RedHat forum. Very good presentation! :)
>>> I've got a question about FreeIPA from that presentation. Of course question is not only for You.
>>> So, the question:
>>> Are there any plans for integration freeipa-server with containers?
>>> * working freeipa as a single container;
>> We have testing FreeIPA in Fedora 20 container at
>>
>> https://registry.hub.docker.com/u/adelton/fedora20-freeipa-server/
>>
>> However, at this point the size of that image is over 1.2 GB so we were not announcing it yet as we try to find ways to make the image smaller and thus more easily consumable.
>>
>

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

From jpazdziora at redhat.com Wed Jun 11 07:00:48 2014
From: jpazdziora at redhat.com (Jan Pazdziora)
Date: Wed, 11 Jun 2014 09:00:48 +0200
Subject: [Freeipa-users] IPA-server and containers
In-Reply-To: <5397B3B7.5020807@deus.pro>
References: <5396EBAC.20707@deus.pro> <20140610121028.GS1482@redhat.com> <5397B3B7.5020807@deus.pro>
Message-ID: <20140611070048.GV1482@redhat.com>

On Wed, Jun 11, 2014 at 07:41:11AM +0600, Arthur Fayzullin wrote:
> Running IPA as a bunch of containers can reduce size of each one. Of

Possibly. But FreeIPA is currently configured using ipa-server-install and there is no support in the installer for having / assuming the individual components on different hosts (be it containers or true hosts).

That's why the initial effort goes into moving what we have with ipa-server-install to container as one block.

--
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat

From sbose at redhat.com Wed Jun 11 08:51:31 2014
From: sbose at redhat.com (Sumit Bose)
Date: Wed, 11 Jun 2014 10:51:31 +0200
Subject: [Freeipa-users] External collaboration edits
In-Reply-To: <82E7C9A01FD0764CACDD35D10F5DFB6E6D446D@001FSN2MPN1-044.001f.mgd2.msft.net>
References: <82E7C9A01FD0764CACDD35D10F5DFB6E6B00D0@001FSN2MPN1-044.001f.mgd2.msft.net> <5373EA60.5010207@redhat.com> <82E7C9A01FD0764CACDD35D10F5DFB6E6D446D@001FSN2MPN1-044.001f.mgd2.msft.net>
Message-ID: <20140611085131.GS5752@localhost.localdomain>

On Sat, Jun 07, 2014 at 09:21:29PM +0000, Nordgren, Bryce L -FS wrote:
> Dimitri, thanks for the reply! Pls forgive my lateness.
>
> I fear I am not currently up to fighting with MS Outlook to convince it to let me respond inline.
> It wants to block quote your entire message and if I type in the middle it keeps the "quoted" style.
>
> In any case:
>
> #1] Making small things work first and accumulating functionality is definitely the way to go. If it were simple and straightforward, everyone would be doing it already.
>
> #2] I looked at "views" (Ticket 3979 as well as http://www.freeipa.org/page/V4/Migrating_existing_environments_to_Trust). I think I follow most of it (a default view which applies to the whole domain, custom views which may be applied to particular targets). +1 +1 +1. One concern I have is that the design page seems to be written around a single upstream source (trust with AD). What happens if there are many "upstreams"? All in all, though, it sounds like my current RFE is a duplicate of views. If we could add in my use case to the Views ticket/design, we can close mine out.

It's not only about AD, but use-case and examples in the design page currently all refer to AD. The key is to find a unique reference to the upstream object which in the AD case is obviously the SID. In a previous version of the page there were a bit more details how the original/upstream objects can be referenced, e.g. it can be a fully qualified name or Kerberos principal.

bye,
Sumit

>
> #3] Kerberos based auto provisioning will fall apart if the authentication path cannot be walked by the client (not the FreeIPA server). When I'm sitting in my office, I can see my KDC as well as the collaboration environment, and I can walk the path. However, if I cannot convince my CIO to poke a hole in the firewall so that FreeIPA in the collaboration domain can get to the internal AD (to query attributes, etc), then an AD trust is not possible and a vanilla Kerberos trust is all that is available. Kerberos-trust based auto-provisioning may be able to handle situations that AD trusts can't. By and large, I need my boxes to know my username, and could care less if they know my givenName, sn, mail, telephoneNumber, etc.
> As long as FreeIPA can synthesize a uidNumber for me in the absence of an SID, the rest is gravy.
>
> #4] One user/Many Accounts. This is an unavoidable reality. Also, there's a namespace collision issue here. My Kerberos cname at crealm is bnordgren at DS.FS.FED.US as issued from my AD. My SAML uid is "bnordgren at fs" from https://www.eauth.usda.gov/Login/login.aspx. My Google OpenID is bnordgren from "wherever". There is also a "bnordgren" from a university out of SLC, Utah. I occasionally get mis-addressed email for him. Typically spam, but once from his mom. Fundamentally, whenever multiple domains are consolidated into a single namespace (as is already a use case for views), one typically tries to avoid username collisions just as vigilantly as they try to avoid uidNumber collisions. What is needed here is a method for the users to override the default collision avoidance such that they allow all of their accounts to be mapped onto their One True Username for the domain. In the spirit of point #1, implementing collision avoidance will be required for views, so it needs to happen now even without external collaboration. Figuring out how to let users override it can happen in the future.
>
>
> Bryce
>
>
> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Dmitri Pal
> Sent: Wednesday, May 14, 2014 4:13 PM
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] External collaboration edits
>
> On 04/19/2014 07:46 PM, Nordgren, Bryce L -FS wrote:
> I've run out of time for today, but the external collaboration pages are slowly evolving.
>
>
> http://www.freeipa.org/page/External_Users_in_IPA
>
> Dimitri observed that my RFE page was too long. I observe it also has too much stuff unrelated to the actual meat of the RFE. So I factored out most of the Kerberos stuff into a different page.
> I also tried to focus the RFE to just creating entries in LDAP for external users so they can: a] participate in POSIX groups; and b] have locally-defined POSIX attributes.
>
> http://www.freeipa.org/page/Collaboration_with_Kerberos
>
> This is where all the Kerberos stuff went. I also added in "Option A" from Petr's email. Option B will come along later, when I pick this up again. Mechanism three has more to do with Ipsilon than IPA, and basic functions required of the Ipsilon gateway server are articulated there (regardless of the particular authentication method.)
>
> Send comments to the list. I really appreciate Option A! Send more stuff I didn't think of.
>
> Hello,
>
>
> I finally read the pages, sorry for the delay. Great writeup!
>
> Here are some comments.
>
> 1) You are right that we need to have a record in IPA to be able to have a DN and take over some of the posix attributes. We already have this use case and this is a high priority. We call it views: https://fedorahosted.org/freeipa/ticket/3979
> Once this is implemented we will have a mechanism to have a local entry without credential for the external user.
> 2) The second issue is provisioning as automatic as possible. And this is where there will be some issues.
> If we want to leverage Kerberos trusts then two things should happen:
> a) the trust should first be established
> b) the home realm should be accessible for the KDC in the collaboration domain.
> This raises practical operational questions about what is the home domain. If the home domain is another collaboration domain then the user has natively been created in that domain and has his credential in that domain. Hm but that violates the idea that the collaboration domains have external "auto-provisioned users". If the home domain is the internal domain then most likely the cross forest trust can't be established because admin of the internal domain would not want to expose his domain to somebody's external domain on the internet.
> So IMO the kerberos based auto-provisioning falls apart. > > However if we use a gateway that would allow a person to self register and use technologies similar to OpenID then we would be able to create his own account. The gateway would check that the user is from some trusted source that is configured for that domain. We would have to figure that part out. But IMO this component is external to IPA. It is a similar gateway to Ipsilon. I suspect that as we move forward Ipsilon will transform from an IdP server to being a collection of "gateway services". One would be able to deploy IdP instances, Kerberos -> cert service, account registration service etc. > > This would rely on some of the functionality in IPA but can evolve independently. > IMO if we go this path and you are interested in contributing to this effort we can start prototyping such service. > We can start simple: create a service that allows one to authenticate using google or facebook and once user authenticated agains one of them call an ipa user-add against IPA. > That would be a good first step towards what you want to accomplish. > Then it can be enhanced to redirect to an external IdP (Ipsilon). Then the setup will be: > > * User connects to the self registration portal. > * Portal reditrects him to the IdP that is configured for the portal > * IdP performas an authentication against user home domain and creates assertion > * Assertion is presented to the registration portal > * The portal gets user infor from the assertion and adds a user > > It also seems that OpenID connect might be quite relevant here. > So exploring how it can be used in in conjunction with registration portal would be another path. > > 3) The problem of the credential yet stays open. If the user can be created in different ways it might not be quite easy for the user to know or remember that he must use his kerberos/Google/facebook or other credential wit ha specific domain. 
May be we should consider creating a full user also with a password or OTP token to access the collaboration domain. Then user would always know that he needs to use his token. I wonder if actually just OTP would be a good option in this case. It can be provisioned to the freeOTP app at the moment of the user registration. > > > > Thanks > Dmitri > > > > Bryce > > > > > This electronic message contains information generated by the USDA solely for the intended recipients. Any unauthorized interception of this message or the use or disclosure of the information it contains may violate the law and subject the violator to civil or criminal penalties. If you believe you have received this message in error, please notify the sender and delete the email immediately. > > > > _______________________________________________ > > Freeipa-users mailing list > > Freeipa-users at redhat.com > > https://www.redhat.com/mailman/listinfo/freeipa-users > > > > > -- > > Thank you, > > Dmitri Pal > > > > Sr. Engineering Manager IdM portfolio > > Red Hat, Inc. > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users From devans01 at gmail.com Wed Jun 11 10:08:11 2014 From: devans01 at gmail.com (Dylan Evans) Date: Wed, 11 Jun 2014 11:08:11 +0100 Subject: [Freeipa-users] Getting Samba3 and FreeIPAv3 working together In-Reply-To: <20140604134755.GF29982@localhost.localdomain> References: <20140522121954.GJ4640@localhost.localdomain> <537DF94A.4000601@redhat.com> <53831A34.9030109@redhat.com> <20140604134755.GF29982@localhost.localdomain> Message-ID: Hi Sumit, Thanks for your reply. I shall await the fruits of Alexander's labour over the summer with interest. It seems that it's all so close to working and would be great for an organisation in our situation with a mixed Samba/NFS Linux/Windows environment. Do you think the work on compatibility will be for Samba 3, 4 or both? 
I need to look at the slapi-nis functionality anyway as the current feeling is that we need to get the NFS side of things working with as little user pain as possible and that Samba will have to go onto the back-burner for now. I'll come back with anything new I find. As RHEL7 has just been released I'm going to have to rebuild my test environment anyway...

Thanks for your help so far,

Dylan.

On 4 June 2014 14:47, Sumit Bose wrote:
> On Tue, Jun 03, 2014 at 03:37:05PM +0100, Dylan Evans wrote:
>> Hello again,
>>
>> Just realised by re-reading this thread that I still needed to create the DNA plugin.
>>
>> I've now done that and I can add users, sorry for being stupid...
>
> I think the issue is on my side :-) I forgot that samba uses a hardcoded LDAP schema and requires specific objectclass and attribute names.
>
> By enabling the DNA plugin the needed values are added to the user object, but with the negative side effect that there are now two attributes containing a different SID, one created by the DNA plugin, the other by a plugin activated by ipa-adtrust-install.
>
> I guess the proper solution would be to not enable the DNS plugin to create the SIDs in the user object but use the Schema Compatibility plugin from slapi-nis to create a compat tree where samba can find the needed data with the expected schema. But I'm afraid I am not aware of any howto about this.
>
> Even better would be to use ipasam instead of ldapsam in samba itself. But I cannot say how good or bad it will currently work because as mentioned below Alexander is planning to check it in summer.
>
> bye,
> Sumit
>
>> Dylan.
>>
>> On 3 June 2014 14:44, Dylan Evans wrote:
>>> Hi Petr & Sumit,
>>>
>>> I've been trying to get further with my setup.
>>>
>>> 1. Thanks Petr, the groups.js plugin seems to work fine, it shows the correct info on the GUI screen and seems to be ok.
>>>
>>> 2. Sumit, I'm afraid that I'm having a few more problems after running "ipa-adtrust-install --add-sids". I cannot now add any users on the server (Fedora 20, ipa-server 3.3.5-1) via the command-line or GUI. I get the following error:
>>>
>>> GUI:
>>> IPA Error 4205
>>> missing attribute: "sambaSID" required by object class "sambaSamAccount"
>>>
>>> Command-line:
>>> ipa user-add test1234 .....
>>> ipa: ERROR: missing attribute "sambaSID" required by object class "sambaSamAccount"
>>>
>>> Also, when editing an existing user, there is no sambaSID field available to edit.
>>>
>>> If you have any ideas, please let me know.
>>>
>>> Thanks,
>>>
>>> Dylan.
>>>
>>> On 26 May 2014 11:40, Petr Vobornik wrote:
>>>> On 23.5.2014 16:31, Dylan Evans wrote:
>>>>> Hi Sumit and Petr,
>>>>>
>>>>> Thanks both of you for your replies, I've now got to go and try to implement all your suggestions but I have some more questions, sorry! The guide at techslaves was fine, I just got stuck with the changes in the JavaScript packages and the Samba server questions.
>>>>>
>>>>> 1. Petr, I put your samba.js plugin into /usr/share/ipa/ui/js/plugins/samba but you'll have to pardon my lack of JS knowledge, anything more than simple Bash scripts tends to leave me confused! Do I need to do anything else apart from restart the IPA service? I read your info at http://pvoborni.fedorapeople.org/doc/#!/guide/Plugins which says the plugins have to be registered, but I couldn't work out if it's a manual process or if it's done by /usr/share/ipa/wsgi/plugins.py on restart? I'll add the relevant bits to /usr/share/ipa/wsgi/plugins.py for the CLI as well.
>>>>
>>>> Should be automatically handled by the plugin.py wsgi handler and related logic in Web UI. Just make sure that the file and the directory have the same names (except the extension in the file's case of course).
>>>>
>>>>> 2. Sumit, thanks for the info on Samba, I'll have to leave that now and try it next week. BTW, the version of Samba I'm testing against is 3.6.9-168 on CentOS 6.5.
>>>>>
>>>>> Thanks again for your information and patience,
>>>>>
>>>>> Dylan.
>>>>>
>>>>> On 22 May 2014 14:19, Petr Vobornik wrote:
>>>>>> On 22.5.2014 14:19, Sumit Bose wrote:
>>>>>>> On Tue, May 20, 2014 at 02:00:18PM +0100, Dylan Evans wrote:
>>>>>>>> Hello,
>>>>>>>>
>>>>>>>> I need some help with getting Samba and FreeIPA working together.
>>>>>>>>
>>>>>>>> I've been following the guide at http://techslaves.org/2011/08/24/freeipa-and-samba-3-integration but that seems quite out of date for IPAv3 and I need some help:
>>>>>>>
>>>>>>> yes, it is a bit outdated but still useful. Please note that we are currently working on making the integration of samba more easy. Recently I sent a patch to the samba-technical mailing list with a library which would allow samba to use SSSD instead of winbind to look up users and SID-to-name mapping. Alexander is planning to go through the ipasam modules to see how to make integration with Samba file-servers more easy.
>>>>>>>
>>>>>>> But coming back to your questions.
>>>>>>>
>>>>>>>> 1. The guide deals with setting a Samba server SID for one Samba server, but as we have multiple stand-alone Samba3 servers, which SID do I use to create the DNA plugin? Can I enter more than 1 SID? Can I have more than 1 plugin (seems unlikely)?
>>>>>>>
>>>>>>> 'net getlocalsid' returns the domain SID and since all your Samba file-servers are members of the IPA domain you can use a common SID here.
>>>>>>>
>>>>>>> With IPAv3 SID generation for users and groups is even more easy because you can get it for free by running ipa-adtrust-install (please use the option --add-sids) if you already have users and groups in your IPA server. This prepares the IPA server to be able to create trust relationships to Active Directory and one requirement here is that all users and groups have a SID.
>>>>>>>
>>>>>>> 'ipa-adtrust-install' will also create a domain SID. 'ipa trustconfig-show' will show the domain SID together with the DNS domain name and the NetBIOS domain name. On your Samba server you should set 'workgroup' to the NetBIOS domain name (see 'net conf list' on the IPA server after running ipa-adtrust-install for a config example).
>>>>>>>
>>>>>>> Additionally on your Samba servers you have to set the domain SID in /var/lib/samba/private/secrets.tdb with tdbtool. You will need 3 keys with the same SID:
>>>>>>>
>>>>>>> SECRETS/SID/DOMNETBIOS <- NetBIOS domain name, workgroup in smb.conf
>>>>>>> SECRETS/SID/DNS.DOMAIN.NAME <- DNS domain name, will match realm in smb.conf
>>>>>>> SECRETS/SID/CLINETBIOS <- NetBIOS name of the client, 'netbios name' in smb.conf
>>>>>>>
>>>>>>> The SID has to be given in a special binary format. The easiest way to get it is to call 'tdbdump /var/lib/samba/private/secrets.tdb' on the IPA server after running ipa-adtrust-install. The domain SID will always start with \01\04\00\00\00\00\00\05\15\... . You can use this sequence as data for the insert command of tdbtool.
>>>>>>>
>>>>>>> Now everything should be done with respect to SID handling.
>>>>>>>
>>>>>>>> 2. There's no "/usr/share/ipa/ui/group.js" file to patch in IPAv3. What do I need to patch instead?
>>>>>>>>
>>>>>>>> I've seen ticket https://fedorahosted.org/freeipa/ticket/3999 , which shows the need is there but I could do with getting it working ASAP.
>>>>>>>
>>>>>>> group.js is compiled with the other UI files in /usr/share/ipa/ui/js/freeipa/app.js (see install/ui/doc/guides/debugging_web_ui/README.md in the FreeIPA sources for details). For your convenience I copied some section here:
>>>>>>>
>>>>>>> "The compiled Web UI layer is located in `/usr/share/ipa/ui/js/freeipa/app.js` file. One can copy files from source git repository in `install/ui/src/freeipa/` directory to the `/usr/share/ipa/ui/js/freeipa/` directory (it will replace the `app.js` file). By doing that, next reload of Web UI will use source files (clearing browser cache may be required). After that all JavaScript errors will contain proper source code name and line number."
>>>>>>
>>>>>> Better approach is to create a custom UI plugin which would add those fields. Since it's only 3 fields, I created an example which works on FreeIPA 4.0 and theoretically it should work on 3.2 as well:
>>>>>>
>>>>>> http://pvoborni.fedorapeople.org/plugins/samba/samba.js
>>>>>>
>>>>>> put the file into `/usr/share/ipa/ui/js/plugins/samba` directory.
>>>>>>
>>>>>> I did not test it with backend (no labels + doesn't do anything).
>>>>>>
>>>>>> More about plugin development:
>>>>>> * http://www.freeipa.org/images/5/5b/FreeIPA33-extending-freeipa.pdf
>>>>>> * http://pvoborni.fedorapeople.org/doc/#!/guide/Plugins
>>>>>>
>>>>>> Creating CLI plugin is IMO also better approach.
>>>>>>
>>>>>>>> I may be missing something obvious but some help would be greatly appreciated!
>>>>>>>
>>>>>>> I hope my comments will help you. Feel free to ask for more help if needed. It would be nice to hear from any success as well.
>>>>>>>
>>>>>>> bye,
>>>>>>> Sumit
>>>>>>>
>>>>>>>> Thanks,
>>>>>>>>
>>>>>>>> Dylan.
>>>>>>>>
>>>>>>>> Background:
>>>>>>>>
>>>>>>>> Brief: Need to expand from the current single-office-ish NIS/YP scheme to a multi-location/multi-national auth scheme which FreeIPA seems ideally suited for.
>>>>>>>>
>>>>>>>> Requirement: To continue to provide console/SSH and GUI/X logins to Linux hosts, access to home and project directories via NFS from the Linux machines using autofs/automount and access to Samba file-shares from Windows machines but not using AD creds as this is a totally separate environment. Several locations will each have a FreeIPA replica server, NFS/Samba fileserver and "application" server. Currently use 2 passwords for each user (one for NIS, one for Samba) and need to consolidate to one password for everything.
>>>>>>>>
>>>>>>>> Progress: Linux-based NFS stuff working fine, automount of home and project directories all OK. Currently using Fedora 20 & CentOS 6.5 VMs as a prototyping environment but will probably use RHEL/CentOS 7 when available for production. FreeIPA versions 3.0.0 on CentOS 6.5 and 3.3.5 on Fedora 20.
>>>>>>
>>>>>> --
>>>>>> Petr Vobornik
>>>>
>>>> --
>>>> Petr Vobornik

From abokovoy at redhat.com Wed Jun 11 11:41:01 2014
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 11 Jun 2014 14:41:01 +0300
Subject: [Freeipa-users] IPA-server and containers
References: <5396EBAC.20707@deus.pro> <20140610121028.GS1482@redhat.com>
Message-ID: <20140611114101.GB9057@redhat.com>

Walid,

On Wed, 11 Jun 2014, Walid wrote:
> Hi,
>
> Could you share the presentation with us.

In Europe Red Hat is running a series of events called 'Red Hat Forum EMEA', http://redhat-forum.com/en/home.
You are welcome to come to the closest one and listen to my colleagues giving the same talk, "Road to Red Hat Enterprise Linux 7: Rethink your Enterprise OS", among other quite interesting presentations. Hopefully, the material will be available after the tour. At least, the recording of the Moscow event is supposed to go online after June 26th. I did my talk in Russian so it is probably not so useful for people without knowledge of the Russian language.

Hope this helps.

> regards
>
> Walid
>
> On 10 June 2014 15:10, Jan Pazdziora wrote:
>> On Tue, Jun 10, 2014 at 05:27:40PM +0600, Arthur Fayzullin wrote:
>>> HI!
>>> Alexandr, I've seen Your presentation at RedHat forum. Very good presentation! :)
>>> I've got a question about FreeIPA from that presentation. Of course the question is not only for You.
>>> So, the question:
>>> Are there any plans for integration of freeipa-server with containers?
>>> * working freeipa as a single container;
>>
>> We have a testing FreeIPA in Fedora 20 container at
>>
>> https://registry.hub.docker.com/u/adelton/fedora20-freeipa-server/
>>
>> However, at this point the size of that image is over 1.2 GB so we were not announcing it yet as we try to find ways to make the image smaller and thus more easily consumable.
>>
>> --
>> Jan Pazdziora
>> Principal Software Engineer, Identity Management Engineering, Red Hat

--
/ Alexander Bokovoy

From dimitris.tsompanidis at comeon.com Thu Jun 12 12:59:01 2014
From: dimitris.tsompanidis at comeon.com (Dimitris Tsompanidis)
Date: Thu, 12 Jun 2014 14:59:01 +0200
Subject: [Freeipa-users] Upgrading from 2.1.4 to 3.3.5
Message-ID: <5399A415.4030805@comeon.com>

Hi everybody,

I need to plan an upgrade procedure for our 3x FreeIPA 2.1.4 instances to something more recent. I was thinking of setting up v3.3.5 on a new VM and then getting the replication going, but apparently this procedure has only been tested officially for v2.2.0 and onwards. The result is that I'm quite hesitant to start with this. Is there anything safer I can check or should I just bite the bullet?

Thanks,
--
Dimitris Tsompanidis

From kenmiller316 at gmail.com Thu Jun 12 17:20:16 2014
From: kenmiller316 at gmail.com (Ken Miller)
Date: Thu, 12 Jun 2014 13:20:16 -0400
Subject: [Freeipa-users] (no subject)

Hello,

I'm new to IPA, and was simply trying to "change" all the LDAP/Directory Manager password(s). Following the URL

http://www.freeipa.org/page/Howto/Change_Directory_Manager_Password

I successfully changed the password used when running 'kinit admin' and 'ldapsearch -p 7389 -D "cn=Directory Manager"' but I cannot seem to get the simple "bind ldap" password to change (e.g. when running 'ldapsearch -p 389 -D "cn=Directory Manager"'). I *suspect* it involves doing something with cacert.p12 but I didn't know where to put it ;(

What do I need to do to change the LDAP bind password?

Thanks in advance,

== k+ ==

From rmeggins at redhat.com Thu Jun 12 17:44:49 2014
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 12 Jun 2014 11:44:49 -0600
Subject: [Freeipa-users] (no subject)
Message-ID: <5399E711.8000309@redhat.com>

On 06/12/2014 11:20 AM, Ken Miller wrote:
> What do I need to do to change the LDAP bind password?

http://port389.org/wiki/Howto:ResetDirMgrPassword

From barrykfl at gmail.com Mon Jun 16 04:20:00 2014
From: barrykfl at gmail.com (barrykfl at gmail.com)
Date: Mon, 16 Jun 2014 12:20:00 +0800
Subject: [Freeipa-users] convert krbExtraData password to plain text

dear all:

Is it possible to query freeipa's account password and display it in plain text? Or convert krbExtraData to plaintext, rather than reset it.

Regards

barry
From dpal at redhat.com Mon Jun 16 04:28:09 2014
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 16 Jun 2014 00:28:09 -0400
Subject: [Freeipa-users] convert krbExtraData password to plain text
Message-ID: <539E7259.5000108@redhat.com>

On 06/16/2014 12:20 AM, barrykfl at gmail.com wrote:
> Is it possible to query freeipa's account password and display it in plain text?
> Or convert krbExtraData to plaintext, rather than reset it.

No. IPA passwords are not reversible by design.
In general it is a very bad security practice to make passwords reversible.
Password reset is the way to go.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

From thomas.raehalme at codecenter.fi Mon Jun 16 07:41:11 2014
From: thomas.raehalme at codecenter.fi (Thomas Raehalme)
Date: Mon, 16 Jun 2014 10:41:11 +0300
Subject: [Freeipa-users] named's LDAP connection hangs

Hi,

We have a problem with IPA going out of service every now and then. There seem to be two kinds of situations:

1) The connection between named and dirsrv fails. Named can resolve external names but the domain managed by IPA does not resolve any names. named cannot be stopped. After killing the process and restarting, the issue is resolved.

2) Sometimes the situation is more severe and also dirsrv is unresponsive. The solution then seems to be restarting both named and dirsrv (individually or through the 'ipa' service).

Regarding #1 the file /var/log/messages contains the following:

Jun 16 03:22:23 ipa named[7295]: received control channel command 'reload'
Jun 16 03:22:23 ipa named[7295]: loading configuration from '/etc/named.conf'
Jun 16 03:22:23 ipa named[7295]: using default UDP/IPv4 port range: [1024, 65535]
Jun 16 03:22:23 ipa named[7295]: using default UDP/IPv6 port range: [1024, 65535]
Jun 16 03:22:23 ipa named[7295]: sizing zone task pool based on 6 zones
Jun 16 03:22:23 ipa named[7295]: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
Jun 16 03:22:23 ipa named[7295]: bind to LDAP server failed: Local error

The reload is triggered by logrotate. For some reason authentication fails, and the IPA domain is no longer resolvable.

I haven't discovered a pattern for how often these problems occur. Maybe once a week or two.

The FreeIPA master running on CentOS 6.5 has been configured with the default settings. In addition a single replica has been added.

Any ideas where I should look for the source of the problem?

Thank you in advance!

Best regards,
Thomas

From sbose at redhat.com Mon Jun 16 07:42:11 2014
From: sbose at redhat.com (Sumit Bose)
Date: Mon, 16 Jun 2014 09:42:11 +0200
Subject: [Freeipa-users] convert krbExtraData password to plain text
In-Reply-To: <539E7259.5000108@redhat.com>
References: <539E7259.5000108@redhat.com>
Message-ID: <20140616074211.GB2770@localhost.localdomain>

On Mon, Jun 16, 2014 at 12:28:09AM -0400, Dmitri Pal wrote:
> No. IPA passwords are not reversible by design.
> In general it is a very bad security practice to make passwords reversible.
> Password reset is the way to go.

Additionally krbExtraData does not contain the password, only data needed by the KDC which does not have a specific LDAP attribute. iirc the data in krbExtraData is mostly ASN.1 coded.

bye,
Sumit

From pspacek at redhat.com Mon Jun 16 10:54:18 2014
From: pspacek at redhat.com (Petr Spacek)
Date: Mon, 16 Jun 2014 12:54:18 +0200
Subject: [Freeipa-users] named's LDAP connection hangs
Message-ID: <539ECCDA.6040908@redhat.com>

On 16.6.2014 09:41, Thomas Raehalme wrote:
> Any ideas where I should look for the source of the problem?

I have heard about this problem but nobody managed to reproduce the problem.

Please:
- configure the KRB5_TRACE variable as described on https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart#a1.Gathersymptoms
- restart named
- send me logs when it happens again.

Thank you!

--
Petr^2 Spacek

From simo at redhat.com Mon Jun 16 12:02:23 2014
From: simo at redhat.com (Simo Sorce)
Date: Mon, 16 Jun 2014 08:02:23 -0400
Subject: [Freeipa-users] convert krbExtraData password to plain text
Message-ID: <1402920143.22737.99.camel@willson.usersys.redhat.com>

On Mon, 2014-06-16 at 12:20 +0800, barrykfl at gmail.com wrote:
> Or convert krbExtraData to plaintext, rather than reset it.

FWIW, krbExtraData does not contain passwords.

Simo.
--
Simo Sorce * Red Hat, Inc * New York

From bnordgren at fs.fed.us Mon Jun 16 19:41:08 2014
From: bnordgren at fs.fed.us (Nordgren, Bryce L -FS)
Date: Mon, 16 Jun 2014 19:41:08 +0000
Subject: [Freeipa-users] External collaboration edits
In-Reply-To: <20140611085131.GS5752@localhost.localdomain>
References: <82E7C9A01FD0764CACDD35D10F5DFB6E6B00D0@001FSN2MPN1-044.001f.mgd2.msft.net> <5373EA60.5010207@redhat.com> <82E7C9A01FD0764CACDD35D10F5DFB6E6D446D@001FSN2MPN1-044.001f.mgd2.msft.net> <20140611085131.GS5752@localhost.localdomain>
Message-ID: <82E7C9A01FD0764CACDD35D10F5DFB6E6D6F3A@001FSN2MPN1-044.001f.mgd2.msft.net>

[...talking about views...]

> It's not only about AD, but the use-case and examples in the design page currently all refer to AD. The key is to find a unique reference to the upstream object which in the AD case is obviously the SID. In a previous version of the page there were a bit more details on how the original/upstream objects can be referenced, e.g. it can be a fully qualified name or Kerberos principal.

Can views handle the case when there is no upstream object? Or when the upstream attribute store is not published as a searchable database (which is almost "no upstream object")? I'd very much like to see these as explicit use cases for views.

Case one would represent vanilla Kerberos trusts, or the quite likely scenario where an external collaboration domain is separated from corporate AD by a firewall (e.g., institutional AD can provide authentication via trust for users on the corporate network, but not attributes).

Case two would represent authentication sources such as SAML. Views would need to be the mechanism by which the gateway caches attributes in FreeIPA (after inspecting SAML assertions).

Finally, one functional requirement for views may be that the view needs to support a many-to-one "authentication method" to "identity attributes" mapping. For instance, an employee sitting at their desk may log into their server in the collaboration network via SSO (hence, their AD account). Soon this same user may also walk over to the console on the collaboration network and need to use some other Ipsilon-gateway-enabled credentials. These two credentials may need to be mapped to a single user identity. This may not be functionality which needs to be implemented first, but it does perhaps suggest that krbPrincipal may not always be single valued. This may be something which deserves an honorable mention on the RFE page as it impacts the assumptions coders can make.

Thanks,
Bryce

From john.moyer at digitalreasoning.com Mon Jun 16 20:20:13 2014
From: john.moyer at digitalreasoning.com (John Moyer)
Date: Mon, 16 Jun 2014 16:20:13 -0400
Subject: [Freeipa-users] Problem finding new users via command line
Message-ID: <539F517D.8010501@digitalreasoning.com>

Hello All,

I'm having a problem querying new users.

I can create the user from the webpage no problem, and I can see them afterwards via the webpage. I can then see those users via ipa user-find, as well as a LOCAL ldapsearch, even remotely from Apache Directory Studio. However, if I go to another Linux box and do an ldapsearch the new user (only the new user) is not seen in the search. Users created before today work great. Now I did change stuff, I did a yum upgrade last weekend and this was not a problem before I did this. Any help or guidance to make a remote ldapsearch work on new users would be greatly appreciated!
Thanks, ------------------------------------------------------------------------ John Moyer -------------- next part -------------- An HTML attachment was scrubbed... URL: From thomas.raehalme at codecenter.fi Mon Jun 16 20:30:33 2014 From: thomas.raehalme at codecenter.fi (Thomas Raehalme) Date: Mon, 16 Jun 2014 23:30:33 +0300 Subject: [Freeipa-users] named's LDAP connection hangs In-Reply-To: <539ECCDA.6040908@redhat.com> References: <539ECCDA.6040908@redhat.com> Message-ID: Hi! Thanks for the instructions. I have configured KRB5_TRACE as described. I will send logs as soon as we encounter the problem again. Could take a week or two though. Thank you for your help! Best regards, Thomas On Mon, Jun 16, 2014 at 1:54 PM, Petr Spacek wrote: > On 16.6.2014 09:41, Thomas Raehalme wrote: > >> Hi, >> >> We have a problem with IPA going out of service every now and then. There >> seems to be two kinds of situations: >> >> 1) The connection between named and dirsrv fails. Named can resolve >> external names but the domain managed by IPA does not resolve any names. >> named cannot be stopped. After killing the process and restarting the >> issue >> is resolved. >> >> 2) Sometimes the situation is more severe and also dirsrv is unresponsive. >> The solution then seems to be restarting both named and dirsrv >> (individually or through the 'ipa' service). >> >> Regarding #1 the file /var/log/messages contains the following: >> >> Jun 16 03:22:23 ipa named[7295]: received control channel command 'reload' >> Jun 16 03:22:23 ipa named[7295]: loading configuration from >> '/etc/named.conf' >> Jun 16 03:22:23 ipa named[7295]: using default UDP/IPv4 port range: [1024, >> 65535] >> Jun 16 03:22:23 ipa named[7295]: using default UDP/IPv6 port range: [1024, >> 65535] >> Jun 16 03:22:23 ipa named[7295]: sizing zone task pool based on 6 zones >> Jun 16 03:22:23 ipa named[7295]: GSSAPI Error: Unspecified GSS failure. 
>> Minor code may provide more information (Ticket expired)
>> Jun 16 03:22:23 ipa named[7295]: bind to LDAP server failed: Local error
>>
>> The reload is triggered by logrotate. For some reason authentication fails, and the IPA domain is no longer resolvable.
>>
>> I haven't discovered a pattern how often these problems occur. Maybe once a week or two.
>>
>> FreeIPA master running on CentOS 6.5 has been configured with the default settings. In addition a single replica has been added.
>>
>> Any ideas where I should look for the source of the problem?
>>
>
> I have heard about this problem but nobody managed to reproduce the problem.
>
> Please:
> - configure KRB5_TRACE variable as described on https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart#a1.Gathersymptoms
> - restart named
> - send me logs when it happens again.
>
> Thank you!
>
> --
> Petr^2 Spacek
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>

--
*Thomas Raehalme*
*CTO, Chief Technology Officer*
Mobile +358 40 545 0605

*Codecenter Oy*
Väinönkatu 26 A, 4th Floor
40100 JYVÄSKYLÄ, Finland
Tel. +358 10 322 0040
www.codecenter.fi

*Codecenter - Information systems, understandably*

From dpal at redhat.com Mon Jun 16 22:10:59 2014
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 16 Jun 2014 18:10:59 -0400
Subject: [Freeipa-users] Problem finding new users via command line
In-Reply-To: <539F517D.8010501@digitalreasoning.com>
References: <539F517D.8010501@digitalreasoning.com>
Message-ID: <539F6B73.8020802@redhat.com>

On 06/16/2014 04:20 PM, John Moyer wrote:
> Hello All,
>
> I'm having a problem querying new users.
>
> I can create the user from the webpage no problem, and I can see them afterwards via the webpage.
> I can then see those users via ipa user-find, as well as a LOCAL ldapsearch, even remotely from apache directory studio. However, if I go to another linux box and do an ldapsearch the new user (only the new user) is not seen in the search. Users created before today work great. Now I did change stuff, I did a yum upgrade last weekend and this was not a problem before I did this. Any help or guidance to make a remote ldapsearch work on new users would be greatly appreciated!

We really need more than that to help.
Please give more details about the client and versions you use.
Maybe you have different replicas and the communication is broken between them and the client accesses the other replica?

>
>
> Thanks,
> ------------------------------------------------------------------------
> John Moyer
>
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

From rcritten at redhat.com Mon Jun 16 22:22:15 2014
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 16 Jun 2014 18:22:15 -0400
Subject: [Freeipa-users] Problem finding new users via command line
In-Reply-To: <539F517D.8010501@digitalreasoning.com>
References: <539F517D.8010501@digitalreasoning.com>
Message-ID: <539F6E17.4030204@redhat.com>

John Moyer wrote:
> Hello All,
>
> I'm having a problem querying new users.
>
> I can create the user from the webpage no problem, and I can see them afterwards via the webpage. I can then see those users via ipa user-find, as well as a LOCAL ldapsearch, even remotely from apache directory studio. However, if I go to another linux box and do an ldapsearch the new user (only the new user) is not seen in the search. Users created before today work great.
> Now I did change stuff, I did a yum upgrade last weekend and this was not a problem before I did this. Any help or guidance to make a remote ldapsearch work on new users would be greatly appreciated!

What command-line are you using? What rpm version is [free]ipa-python? Do you have multiple masters or is this a single IPA server?

rob

From barrykfl at gmail.com Tue Jun 17 01:39:01 2014
From: barrykfl at gmail.com (barrykfl at gmail.com)
Date: Tue, 17 Jun 2014 09:39:01 +0800
Subject: [Freeipa-users] Error comes out at command prompt after add Godaddy cert
Message-ID:

Now I cannot use ipa command line tools like ipa passwd; is anything missing? Do I need to reimport the ipa cert?

ipa: ERROR: did not receive Kerberos credentials

certutil -d /etc/dirsrv/slapd-ABC-COM -L

Go Daddy Secure Certification Authority - The Go Daddy Group, Inc.    ,,
Go Daddy Class 2 Certification Authority - The Go Daddy Group, Inc.   CT,C,C
*.abc.com - GoDaddy.com, Inc.                                          u,u,u

From mkosek at redhat.com Tue Jun 17 07:35:34 2014
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 17 Jun 2014 09:35:34 +0200
Subject: [Freeipa-users] Error comes out at command prompt after add Godaddy cert
In-Reply-To:
References:
Message-ID: <539FEFC6.1030705@redhat.com>

On 06/17/2014 03:39 AM, barrykfl at gmail.com wrote:
> Now I cannot use ipa command line tools like ipa passwd; is anything missing? Do I need to reimport the ipa cert?
>
>
> ipa: ERROR: did not receive Kerberos credentials
>
>
> certutil -d /etc/dirsrv/slapd-ABC-COM -L
>
> Go Daddy Secure Certification Authority - The Go Daddy Group, Inc.    ,,
> Go Daddy Class 2 Certification Authority - The Go Daddy Group, Inc.   CT,C,C
> *.abc.com - GoDaddy.com, Inc.                                          u,u,u

Hello,

I would recommend following this page:

http://www.freeipa.org/page/Troubleshooting#Authentication.2FKerberos

... and providing more information so that people on the list can help.
Martin

From mkosek at redhat.com Tue Jun 17 08:04:27 2014
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 17 Jun 2014 10:04:27 +0200
Subject: [Freeipa-users] Error comes out at command prompt after add Godaddy cert - SOLVED
In-Reply-To: <539FEFC6.1030705@redhat.com>
References: <539FEFC6.1030705@redhat.com>
Message-ID: <539FF68B.1010700@redhat.com>

On 06/17/2014 09:35 AM, Martin Kosek wrote:
> On 06/17/2014 03:39 AM, barrykfl at gmail.com wrote:
>> Now I cannot use ipa command line tools like ipa passwd; is anything missing? Do I need to reimport the ipa cert?
>>
>>
>> ipa: ERROR: did not receive Kerberos credentials
>>
>>
>> certutil -d /etc/dirsrv/slapd-ABC-COM -L
>>
>> Go Daddy Secure Certification Authority - The Go Daddy Group, Inc.    ,,
>> Go Daddy Class 2 Certification Authority - The Go Daddy Group, Inc.   CT,C,C
>> *.abc.com - GoDaddy.com, Inc.                                          u,u,u
>
> Hello,
>
> I would recommend following this page:
>
> http://www.freeipa.org/page/Troubleshooting#Authentication.2FKerberos
>
> ... and providing more information so that people on the list can help.
>
> Martin
>

Resending private mail from barrykfl to close this thread:

-------- Original Message --------
Subject: Re: [Freeipa-users] Error comes out at command prompt after add Godaddy cert
Date: Tue, 17 Jun 2014 15:39:31 +0800
From: barrykfl at gmail.com
To: Martin Kosek

solved ...
add GoDaddy cert in nssdb; it is a bit complicated if using external cert

From sbose at redhat.com Tue Jun 17 09:27:25 2014
From: sbose at redhat.com (Sumit Bose)
Date: Tue, 17 Jun 2014 11:27:25 +0200
Subject: [Freeipa-users] External collaboration edits
In-Reply-To: <82E7C9A01FD0764CACDD35D10F5DFB6E6D6F3A@001FSN2MPN1-044.001f.mgd2.msft.net>
References: <82E7C9A01FD0764CACDD35D10F5DFB6E6B00D0@001FSN2MPN1-044.001f.mgd2.msft.net> <5373EA60.5010207@redhat.com> <82E7C9A01FD0764CACDD35D10F5DFB6E6D446D@001FSN2MPN1-044.001f.mgd2.msft.net> <20140611085131.GS5752@localhost.localdomain> <82E7C9A01FD0764CACDD35D10F5DFB6E6D6F3A@001FSN2MPN1-044.001f.mgd2.msft.net>
Message-ID: <20140617092725.GD2770@localhost.localdomain>

On Mon, Jun 16, 2014 at 07:41:08PM +0000, Nordgren, Bryce L -FS wrote:
> [...talking about views...]
>
> > It's not only about AD, but use-case and examples in the design page currently all refer to AD. The key is to find a unique reference to the upstream object which in the AD case is obviously the SID. In a previous version of the page there were a bit more details on how the original/upstream objects can be referenced, e.g. it can be a fully qualified name or Kerberos principal.
>
> Can views handle the case when there is no upstream object? Or when the upstream attribute store is not published as a searchable database (which is almost "no upstream object")? I'd very much like to see these as explicit use cases for views.
>
> Case one would represent vanilla Kerberos trusts, or the quite likely scenario where an external collaboration domain is separated from corporate AD by a firewall. (e.g., institutional AD can provide authentication via trust for users on the corporate network, but not attributes).

I think this can be done. It is about how the reference key is evaluated. E.g.
if the key is ':KRB5:user at EXAMPLE.COM' in the default view SSSD can create a user object in its cache with the data given in the view and where the user name is equal to the Kerberos principal name (so far we said that we do not want to allow to overwrite the user name in views to avoid confusion). Since the object is now in the SSSD cache it is available in the IPA server, on IPA clients with SSSD via extdom plugin and to legacy clients via the compat tree.

>
> Case two would represent authentication sources such as SAML. Views would need to be the mechanism by which the gateway caches attributes in FreeIPA (after inspecting SAML assertions).

I think we are already doing similar things with the MS-PAC. If configured SSSD will intercept the PAC, decode it and store data from the PAC in the cache. This currently happens during authentication on the client hence this data is directly available on the IPA client and is not distributed by the IPA server. Would this work for your use case or do you need the data on IPA clients where the user never authenticated as well?

>
> Finally, one functional requirement for views may be that the view needs to support a many-to-one "authentication method" to "identity attributes" mapping. For instance, an employee sitting at their desk may log into their server in the collaboration network via SSO (hence, their AD account). Soon this same user may also walk over to the console on the collaboration network and need to use some other Ipsilon-gateway-enabled credentials. These two credentials may need to be mapped to a single user identity. This may not be functionality which needs to be implemented first, but it does perhaps suggest that krbPrincipal may not always be single valued. This may be something which deserves an honorable mention on the RFE page as it impacts the assumptions coders can make.

I wonder if you mean that the reference in the user views may not always be single valued?

Thank you very much for your input.
I plan to update the design page during the next days. I hope you don't mind if I add your suggestions in a 'Next step/Future Enhancements' section because I would prefer to get the AD use case implemented and included in the IPA and SSSD trees first.

bye,
Sumit

>
> Thanks,
> Bryce
>
>
>
>
> This electronic message contains information generated by the USDA solely for the intended recipients. Any unauthorized interception of this message or the use or disclosure of the information it contains may violate the law and subject the violator to civil or criminal penalties. If you believe you have received this message in error, please notify the sender and delete the email immediately.

From john.moyer at digitalreasoning.com Tue Jun 17 12:30:16 2014
From: john.moyer at digitalreasoning.com (John Moyer)
Date: Tue, 17 Jun 2014 08:30:16 -0400
Subject: [Freeipa-users] Problem finding new users via command line
In-Reply-To: <539F6E17.4030204@redhat.com>
References: <539F517D.8010501@digitalreasoning.com> <539F6E17.4030204@redhat.com>
Message-ID: <53A034D8.4090408@digitalreasoning.com>

I'm using ldapsearch. The command I was using was like the one below (edited to protect creds/users).

ldapsearch -x -h ipa.digitalreasoning.com -ZZ -b "dc=digitalreasoning,dc=com" -D "uid=adminuser,cn=users,cn=accounts,dc=digitalreasoning,dc=com" -w 'password' uid=first.last

# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: uid=first.last
# requesting: ALL
#

# search result
search: 3
result: 0 Success

# numResponses: 1

Any help is much appreciated!

Thanks,

John

On 6/16/14, 6:22 PM, Rob Crittenden wrote:
> John Moyer wrote:
>> Hello All,
>>
>> I'm having a problem querying new users.
>>
>> I can create the user from the webpage no problem, and I can see them afterwards via the webpage. I can then see those users via ipa user-find, as well as a LOCAL ldapsearch, even remotely from apache directory studio.
>> However, if I go to another linux box and do an ldapsearch the new user (only the new user) is not seen in the search. Users created before today work great. Now I did change stuff, I did a yum upgrade last weekend and this was not a problem before I did this. Any help or guidance to make a remote ldapsearch work on new users would be greatly appreciated!
> What command-line are you using? What rpm version is [free]ipa-python? Do you have multiple masters or is this a single IPA server?
>
> rob
>

Thanks,
------------------------------------------------------------------------
John Moyer

From john.moyer at digitalreasoning.com Tue Jun 17 12:39:21 2014
From: john.moyer at digitalreasoning.com (John Moyer)
Date: Tue, 17 Jun 2014 08:39:21 -0400
Subject: [Freeipa-users] Problem finding new users via command line
In-Reply-To: <53A034D8.4090408@digitalreasoning.com>
References: <539F517D.8010501@digitalreasoning.com> <539F6E17.4030204@redhat.com> <53A034D8.4090408@digitalreasoning.com>
Message-ID: <53A036F9.9030007@digitalreasoning.com>

Sorry, forgot the second part of your question:

rpm -qa | grep ipa
libipa_hbac-1.9.2-129.el6_5.4.x86_64
ipa-server-3.0.0-37.el6.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
python-iniparse-0.3.1-2.1.el6.noarch
libipa_hbac-python-1.9.2-129.el6_5.4.x86_64
ipa-python-3.0.0-37.el6.x86_64
ipa-client-3.0.0-37.el6.x86_64
ipa-admintools-3.0.0-37.el6.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
ipa-server-selinux-3.0.0-37.el6.x86_64

John

On 6/17/14, 8:30 AM, John Moyer wrote:
> I'm using ldapsearch. The command I was using was like the one below (edited to protect creds/users).
>
> ldapsearch -x -h ipa.digitalreasoning.com -ZZ -b "dc=digitalreasoning,dc=com" -D "uid=adminuser,cn=users,cn=accounts,dc=digitalreasoning,dc=com" -w 'password' uid=first.last
>
>
> # extended LDIF
> #
> # LDAPv3
> # base with scope subtree
> # filter: uid=first.last
> # requesting: ALL
> #
>
> # search result
> search: 3
> result: 0 Success
>
> # numResponses: 1
>
>
> Any help is much appreciated!
>
> Thanks,
>
> John
>
>
>
> On 6/16/14, 6:22 PM, Rob Crittenden wrote:
>> John Moyer wrote:
>>> Hello All,
>>>
>>> I'm having a problem querying new users.
>>>
>>> I can create the user from the webpage no problem, and I can see them afterwards via the webpage. I can then see those users via ipa user-find, as well as a LOCAL ldapsearch, even remotely from apache directory studio. However, if I go to another linux box and do an ldapsearch the new user (only the new user) is not seen in the search. Users created before today work great. Now I did change stuff, I did a yum upgrade last weekend and this was not a problem before I did this. Any help or guidance to make a remote ldapsearch work on new users would be greatly appreciated!
>> What command-line are you using? What rpm version is [free]ipa-python? Do you have multiple masters or is this a single IPA server?
>>
>> rob
>>
>
>
>
>
> Thanks,
> ------------------------------------------------------------------------
> John Moyer
>

Thanks,
------------------------------------------------------------------------
John Moyer
Director, IT Operations
901 N. Stuart St. STE 904A
Arlington, VA 22203
703.678.2311 Office
240.460.0023 Cell
703.678.2312 Fax
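Rob's follow-up in this thread suggests running the same search from a working and a non-working box and comparing the 389-ds access logs, and Dmitri's earlier reply raises the possibility that the two clients are talking to different replicas. The script below is an added example, not code from the thread, from FreeIPA or from 389-ds: it pairs each SRCH record with its RESULT by (conn, op), carries the client address, the server address and the bound DN along, and reports where the two hosts' searches differ. The log lines are constructed samples in 389-ds access-log style; the addresses, DNs and the split into a "working" and a "broken" host are assumptions made for the example.

```python
import re
from collections import defaultdict

# Regexes for the 389-ds access-log record types this script needs.
CONN_RE = re.compile(r'conn=(?P<conn>\d+) fd=\d+ slot=\d+ (?:SSL )?connection from (?P<client>\S+) to (?P<server>\S+)')
OP_RE = re.compile(r'conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<kind>[A-Z]+)(?P<rest>.*)')
SRCH_RE = re.compile(r'base="(?P<base>[^"]*)" scope=(?P<scope>\d) filter="(?P<filter>[^"]*)"')
BIND_RE = re.compile(r'dn="(?P<dn>[^"]*)"')
RESULT_RE = re.compile(r'err=(?P<err>\d+) .*?nentries=(?P<nentries>\d+)')

# Constructed sample logs (assumed addresses and DNs, not taken from the thread).
# WORKING_LOG is the client that finds the new user; BROKEN_LOG is the one that
# does not, and it was answered by a different server address (a second replica).
WORKING_LOG = """\
[17/Jun/2014:08:30:16 -0400] conn=41 fd=64 slot=64 connection from 10.0.0.5 to 10.0.0.1
[17/Jun/2014:08:30:16 -0400] conn=41 op=1 BIND dn="uid=adminuser,cn=users,cn=accounts,dc=example,dc=com" method=128 version=3
[17/Jun/2014:08:30:16 -0400] conn=41 op=2 SRCH base="dc=example,dc=com" scope=2 filter="(uid=first.last)" attrs=ALL
[17/Jun/2014:08:30:16 -0400] conn=41 op=2 RESULT err=0 tag=101 nentries=1 etime=0
[17/Jun/2014:08:30:16 -0400] conn=41 op=3 UNBIND
"""
BROKEN_LOG = """\
[17/Jun/2014:08:31:02 -0400] conn=42 fd=65 slot=65 connection from 10.0.0.9 to 10.0.0.2
[17/Jun/2014:08:31:02 -0400] conn=42 op=1 BIND dn="uid=adminuser,cn=users,cn=accounts,dc=example,dc=com" method=128 version=3
[17/Jun/2014:08:31:02 -0400] conn=42 op=2 SRCH base="dc=example,dc=com" scope=2 filter="(uid=first.last)" attrs=ALL
[17/Jun/2014:08:31:02 -0400] conn=42 op=2 RESULT err=0 tag=101 nentries=0 etime=0
[17/Jun/2014:08:31:02 -0400] conn=42 op=3 UNBIND
"""


def parse_access_log(text):
    """Return one record per SRCH, joined with its RESULT line by (conn, op)."""
    conns = {}      # conn id -> client/server addresses and the DN bound on it
    searches = {}   # (conn, op) -> search record
    order = []
    for line in text.splitlines():
        m = CONN_RE.search(line)
        if m:
            conns[m.group("conn")] = {"client": m.group("client"),
                                      "server": m.group("server"), "bind_dn": None}
            continue
        m = OP_RE.search(line)
        if not m:
            continue
        conn, op, kind, rest = m.group("conn", "op", "kind", "rest")
        info = conns.setdefault(conn, {"client": None, "server": None, "bind_dn": None})
        if kind == "BIND":
            b = BIND_RE.search(rest)
            info["bind_dn"] = b.group("dn") if b else ""   # "" means anonymous bind
        elif kind == "SRCH":
            s = SRCH_RE.search(rest)
            if s:
                searches[(conn, op)] = {
                    "conn": conn, "op": op, "client": info["client"],
                    "server": info["server"], "bind_dn": info["bind_dn"],
                    "base": s.group("base"), "scope": int(s.group("scope")),
                    "filter": s.group("filter"), "err": None, "nentries": None}
                order.append((conn, op))
        elif kind == "RESULT" and (conn, op) in searches:
            r = RESULT_RE.search(rest)
            if r:
                searches[(conn, op)]["err"] = int(r.group("err"))
                searches[(conn, op)]["nentries"] = int(r.group("nentries"))
    return [searches[k] for k in order]


def compare_searches(working_text, broken_text):
    """Match searches from two hosts by (base, scope, filter); list the differences."""
    def by_key(records):
        idx = defaultdict(list)
        for r in records:
            idx[(r["base"], r["scope"], r["filter"])].append(r)
        return idx
    good, bad = by_key(parse_access_log(working_text)), by_key(parse_access_log(broken_text))
    findings = []
    for key in sorted(set(good) | set(bad)):
        g, b = good.get(key, []), bad.get(key, [])
        if not g or not b:
            findings.append({"key": key, "problem": "search only seen on one host",
                             "working": g, "broken": b})
            continue
        for gr, br in zip(g, b):
            notes = []
            if gr["nentries"] != br["nentries"]:
                notes.append("nentries %s vs %s" % (gr["nentries"], br["nentries"]))
            if gr["server"] != br["server"]:
                notes.append("different server %s vs %s (replica skew?)" % (gr["server"], br["server"]))
            if gr["bind_dn"] != br["bind_dn"]:
                notes.append("different bind DN (ACI/permissions differ)")
            if gr["err"] != br["err"]:
                notes.append("err %s vs %s" % (gr["err"], br["err"]))
            if notes:
                findings.append({"key": key, "problem": "; ".join(notes),
                                 "working": gr, "broken": br})
    return findings


if __name__ == "__main__":
    for f in compare_searches(WORKING_LOG, BROKEN_LOG):
        print("%s: %s" % (f["key"], f["problem"]))
```

On real logs, feed each host's /var/log/dirsrv/slapd-INSTANCE/access (the instance name is site specific) through parse_access_log and narrow the records to the filter in question; a search that returns nentries=0 on one server and 1 on the other, with the same bind DN, points at replication rather than at the client, while a different bind DN on the two hosts points at ACIs.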
From rcritten at redhat.com Tue Jun 17 15:26:52 2014
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 17 Jun 2014 11:26:52 -0400
Subject: [Freeipa-users] Problem finding new users via command line
In-Reply-To: <53A036F9.9030007@digitalreasoning.com>
References: <539F517D.8010501@digitalreasoning.com> <539F6E17.4030204@redhat.com> <53A034D8.4090408@digitalreasoning.com> <53A036F9.9030007@digitalreasoning.com>
Message-ID: <53A05E3C.3000005@redhat.com>

John Moyer wrote:
> Sorry, forgot the second part of your question:
>
> rpm -qa | grep ipa
> libipa_hbac-1.9.2-129.el6_5.4.x86_64
> ipa-server-3.0.0-37.el6.x86_64
> ipa-pki-ca-theme-9.0.3-7.el6.noarch
> python-iniparse-0.3.1-2.1.el6.noarch
> libipa_hbac-python-1.9.2-129.el6_5.4.x86_64
> ipa-python-3.0.0-37.el6.x86_64
> ipa-client-3.0.0-37.el6.x86_64
> ipa-admintools-3.0.0-37.el6.x86_64
> ipa-pki-common-theme-9.0.3-7.el6.noarch
> ipa-server-selinux-3.0.0-37.el6.x86_64

It's important that we're comparing apples to apples. Is this a search against the same IPA server or do you have multiple masters?

I assume that SSSD isn't seeing these new users either which is what led you to ldapsearch?

You might want to do the same search on a working and non-working box and compare the 389-ds access logs to see if there is anything noticeable.

rob

>
>
> John
>
> On 6/17/14, 8:30 AM, John Moyer wrote:
>> I'm using ldapsearch. The command I was using was like the one below (edited to protect creds/users).
>>
>> ldapsearch -x -h ipa.digitalreasoning.com -ZZ -b "dc=digitalreasoning,dc=com" -D "uid=adminuser,cn=users,cn=accounts,dc=digitalreasoning,dc=com" -w 'password' uid=first.last
>>
>>
>> # extended LDIF
>> #
>> # LDAPv3
>> # base with scope subtree
>> # filter: uid=first.last
>> # requesting: ALL
>> #
>>
>> # search result
>> search: 3
>> result: 0 Success
>>
>> # numResponses: 1
>>
>>
>> Any help is much appreciated!
>>
>> Thanks,
>>
>> John
>>
>>
>>
>> On 6/16/14, 6:22 PM, Rob Crittenden wrote:
>>> John Moyer wrote:
>>>> Hello All,
>>>>
>>>> I'm having a problem querying new users.
>>>>
>>>> I can create the user from the webpage no problem, and I can see them afterwards via the webpage. I can then see those users via ipa user-find, as well as a LOCAL ldapsearch, even remotely from apache directory studio. However, if I go to another linux box and do an ldapsearch the new user (only the new user) is not seen in the search. Users created before today work great. Now I did change stuff, I did a yum upgrade last weekend and this was not a problem before I did this. Any help or guidance to make a remote ldapsearch work on new users would be greatly appreciated!
>>> What command-line are you using? What rpm version is [free]ipa-python? Do you have multiple masters or is this a single IPA server?
>>>
>>> rob
>>>
>>
>>
>>
>>
>> Thanks,
>> ------------------------------------------------------------------------
>> John Moyer
>>
>
>
>
>
> Thanks,
> ------------------------------------------------------------------------
> John Moyer
> Director, IT Operations
> 901 N. Stuart St. STE 904A
> Arlington, VA 22203
> 703.678.2311 Office
> 240.460.0023 Cell
> 703.678.2312 Fax

From Duncan.Innes at virginmoney.com Tue Jun 17 15:58:22 2014
From: Duncan.Innes at virginmoney.com (Innes, Duncan)
Date: Tue, 17 Jun 2014 16:58:22 +0100
Subject: [Freeipa-users] Standard Logging
In-Reply-To: <53A05E3C.3000005@redhat.com>
References: <539F517D.8010501@digitalreasoning.com> <539F6E17.4030204@redhat.com> <53A034D8.4090408@digitalreasoning.com> <53A036F9.9030007@digitalreasoning.com> <53A05E3C.3000005@redhat.com>
Message-ID: <56343345B145C043AE990701E3D193950478DED1@EXVS2.nrplc.localnet>

Hi folks,

Is there any movement towards getting FreeIPA to use more standard logging tools? Journald or rsyslog.
Wondering because at the moment, the rotation of logs is non standard compared to most of the rest of our estate. It would be a boost for us to know that rsyslog/journald are handling the logging (enabling us to get the log files sent over the network) and logrotate is rotating the logs and can compress logs if we want (which we do).

Cheers

Duncan

This message has been checked for viruses and spam by the Virgin Money email scanning system powered by Messagelabs.

This e-mail is intended to be confidential to the recipient. If you receive a copy in error, please inform the sender and then delete this message.

Virgin Money plc - Registered in England and Wales (Company no. 6952311). Registered office - Jubilee House, Gosforth, Newcastle upon Tyne NE3 4PL. Virgin Money plc is authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority.

The following companies also trade as Virgin Money. They are both authorised and regulated by the Financial Conduct Authority, are registered in England and Wales and have their registered office at Jubilee House, Gosforth, Newcastle upon Tyne NE3 4PL: Virgin Money Personal Financial Service Limited (Company no. 3072766) and Virgin Money Unit Trust Managers Limited (Company no. 3000482).
For further details of Virgin Money group companies please visit our website at virginmoney.com

From rcritten at redhat.com Tue Jun 17 16:06:56 2014
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 17 Jun 2014 12:06:56 -0400
Subject: [Freeipa-users] Standard Logging
In-Reply-To: <56343345B145C043AE990701E3D193950478DED1@EXVS2.nrplc.localnet>
References: <539F517D.8010501@digitalreasoning.com> <539F6E17.4030204@redhat.com> <53A034D8.4090408@digitalreasoning.com> <53A036F9.9030007@digitalreasoning.com> <53A05E3C.3000005@redhat.com> <56343345B145C043AE990701E3D193950478DED1@EXVS2.nrplc.localnet>
Message-ID: <53A067A0.8050200@redhat.com>

Innes, Duncan wrote:
> Hi folks,
>
> Is there any movement towards getting FreeIPA to use more standard logging tools? Journald or rsyslog.

I wouldn't exactly call servers logging to their own files as non-standard.

You can theoretically configure most services to use at least rsyslogd now. I say theoretically because we haven't tried in the context of IPA but I doubt you'd be plowing any new ground by configuring it.

> Wondering because at the moment, the rotation of logs is non standard compared to most of the rest of our estate. It would be a boost for us to know that rsyslog/journald are handling the logging (enabling us to get the log files sent over the network) and logrotate is rotating the logs and can compress logs if we want (which we do).
There is a long-term ticket to use journald, https://fedorahosted.org/freeipa/ticket/4296

rob

From Duncan.Innes at virginmoney.com Tue Jun 17 16:38:15 2014
From: Duncan.Innes at virginmoney.com (Innes, Duncan)
Date: Tue, 17 Jun 2014 17:38:15 +0100
Subject: [Freeipa-users] Standard Logging
In-Reply-To: <53A067A0.8050200@redhat.com>
References: <539F517D.8010501@digitalreasoning.com> <539F6E17.4030204@redhat.com> <53A034D8.4090408@digitalreasoning.com> <53A036F9.9030007@digitalreasoning.com> <53A05E3C.3000005@redhat.com> <56343345B145C043AE990701E3D193950478DED1@EXVS2.nrplc.localnet> <53A067A0.8050200@redhat.com>
Message-ID: <56343345B145C043AE990701E3D193950478DED2@EXVS2.nrplc.localnet>

Fair call Rob, I should have put "standard" in quotes. I think I meant to.

I know applications doing their own logging is pretty widespread too. It's just that moving to a more unified tool that performed the logging, remote shipping, rotation, compression etc (where required) would be great.

Whilst I like journald a lot, it still misses native log shipping. I think it's being worked on though.

As an IdM user, I figure I'll have to wait around quite a while to get any such features.

I'll have a poke around with using rsyslog for some IPA logs just now.

Cheers

Duncan

> -----Original Message-----
> From: Rob Crittenden [mailto:rcritten at redhat.com]
> Sent: 17 June 2014 17:07
> To: Innes, Duncan; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Standard Logging
>
> Innes, Duncan wrote:
> > Hi folks,
> >
> > Is there any movement towards getting FreeIPA to use more standard logging tools? Journald or rsyslog.
>
> I wouldn't exactly call servers logging to their own files as non-standard.
>
> You can theoretically configure most services to use at least rsyslogd now. I say theoretically because we haven't tried in the context of IPA but I doubt you'd be plowing any new ground by configuring it.
>
> > Wondering because at the moment, the rotation of logs is non standard compared to most of the rest of our estate. It would be a boost for us to know that rsyslog/journald are handling the logging (enabling us to get the log files sent over the network) and logrotate is rotating the logs and can compress logs if we want (which we do).
>
> There is a long-term ticket to use journald, https://fedorahosted.org/freeipa/ticket/4296
>
> rob
>
> This message has been checked for viruses and spam by the Virgin Money email scanning system powered by Messagelabs.
>

This message has been checked for viruses and spam by the Virgin Money email scanning system powered by Messagelabs.

This e-mail is intended to be confidential to the recipient. If you receive a copy in error, please inform the sender and then delete this message.

Virgin Money plc - Registered in England and Wales (Company no. 6952311). Registered office - Jubilee House, Gosforth, Newcastle upon Tyne NE3 4PL. Virgin Money plc is authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority.

The following companies also trade as Virgin Money. They are both authorised and regulated by the Financial Conduct Authority, are registered in England and Wales and have their registered office at Jubilee House, Gosforth, Newcastle upon Tyne NE3 4PL: Virgin Money Personal Financial Service Limited (Company no. 3072766) and Virgin Money Unit Trust Managers Limited (Company no. 3000482).
For further details of Virgin Money group companies please visit our website at virginmoney.com

From abokovoy at redhat.com Tue Jun 17 16:51:26 2014
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 17 Jun 2014 19:51:26 +0300
Subject: [Freeipa-users] Standard Logging
In-Reply-To: <56343345B145C043AE990701E3D193950478DED2@EXVS2.nrplc.localnet>
References: <539F517D.8010501@digitalreasoning.com> <539F6E17.4030204@redhat.com> <53A034D8.4090408@digitalreasoning.com> <53A036F9.9030007@digitalreasoning.com> <53A05E3C.3000005@redhat.com> <56343345B145C043AE990701E3D193950478DED1@EXVS2.nrplc.localnet> <53A067A0.8050200@redhat.com> <56343345B145C043AE990701E3D193950478DED2@EXVS2.nrplc.localnet>
Message-ID: <20140617165126.GC28182@redhat.com>

On Tue, 17 Jun 2014, Innes, Duncan wrote:
>Fair call Rob, I should have put "standard" in quotes. I think I meant to.
>
>I know applications doing their own logging is pretty widespread too. It's just that moving to a more unified tool that performed the logging, remote shipping, rotation, compression etc (where required) would be great.
>
>Whilst I like journald a lot, it still misses native log shipping. I think it's being worked on though.

Yes, it is being worked on.

>
>As an IdM user, I figure I'll have to wait around quite a while to get any such features.
>
>I'll have a poke around with using rsyslog for some IPA logs just now.

Note that rsyslog can take journal messages and forward them to another host's journal without losing journal-specific fields.
--
/ Alexander Bokovoy

From rcritten at redhat.com Tue Jun 17 17:24:48 2014
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 17 Jun 2014 13:24:48 -0400
Subject: [Freeipa-users] Standard Logging
In-Reply-To: <56343345B145C043AE990701E3D193950478DED2@EXVS2.nrplc.localnet>
References: <539F517D.8010501@digitalreasoning.com> <539F6E17.4030204@redhat.com> <53A034D8.4090408@digitalreasoning.com> <53A036F9.9030007@digitalreasoning.com> <53A05E3C.3000005@redhat.com> <56343345B145C043AE990701E3D193950478DED1@EXVS2.nrplc.localnet> <53A067A0.8050200@redhat.com> <56343345B145C043AE990701E3D193950478DED2@EXVS2.nrplc.localnet>
Message-ID: <53A079E0.7030000@redhat.com>

Innes, Duncan wrote:
> Fair call Rob, I should have put "standard" in quotes. I think I meant to.
>
> I know applications doing their own logging is pretty widespread too. It's just that moving to a more unified tool that performed the logging, remote shipping, rotation, compression etc (where required) would be great.
>
> Whilst I like journald a lot, it still misses native log shipping. I think it's being worked on though.
>
> As an IdM user, I figure I'll have to wait around quite a while to get any such features.

Yeah, sorry about that. Audit is one of those things where the word "just" comes up a lot which usually means trouble :-)

>
> I'll have a poke around with using rsyslog for some IPA logs just now.

That would be great. Please share the things you learn.

regards

rob

>
> Cheers
>
> Duncan
>
>> -----Original Message-----
>> From: Rob Crittenden [mailto:rcritten at redhat.com]
>> Sent: 17 June 2014 17:07
>> To: Innes, Duncan; freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] Standard Logging
>>
>> Innes, Duncan wrote:
>>> Hi folks,
>>>
>>> Is there any movement towards getting FreeIPA to use more standard logging tools? Journald or rsyslog.
>>
>> I wouldn't exactly call servers logging to their own files as non-standard.
>>
>> You can theoretically configure most services to use at least rsyslogd now. I say theoretically because we haven't tried in the context of IPA but I doubt you'd be plowing any new ground by configuring it.
>>
>>> Wondering because at the moment, the rotation of logs is non standard compared to most of the rest of our estate. It would be a boost for us to know that rsyslog/journald are handling the logging (enabling us to get the log files sent over the network) and logrotate is rotating the logs and can compress logs if we want (which we do).
>>
>> There is a long-term ticket to use journald, https://fedorahosted.org/freeipa/ticket/4296
>>
>> rob
>>
>> This message has been checked for viruses and spam by the Virgin Money email scanning system powered by Messagelabs.
>>
>
> This message has been checked for viruses and spam by the Virgin Money email scanning system powered by Messagelabs.
>
> This e-mail is intended to be confidential to the recipient. If you receive a copy in error, please inform the sender and then delete this message.
>
> Virgin Money plc - Registered in England and Wales (Company no. 6952311). Registered office - Jubilee House, Gosforth, Newcastle upon Tyne NE3 4PL. Virgin Money plc is authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority.
>
> The following companies also trade as Virgin Money. They are both authorised and regulated by the Financial Conduct Authority, are registered in England and Wales and have their registered office at Jubilee House, Gosforth, Newcastle upon Tyne NE3 4PL: Virgin Money Personal Financial Service Limited (Company no. 3072766) and Virgin Money Unit Trust Managers Limited (Company no. 3000482).
>
> For further details of Virgin Money group companies please visit our website at virginmoney.com
>

From bnordgren at fs.fed.us Tue Jun 17 19:03:55 2014
From: bnordgren at fs.fed.us (Nordgren, Bryce L -FS)
Date: Tue, 17 Jun 2014 19:03:55 +0000
Subject: [Freeipa-users] External collaboration edits
In-Reply-To: <20140617092725.GD2770@localhost.localdomain>
References: <82E7C9A01FD0764CACDD35D10F5DFB6E6B00D0@001FSN2MPN1-044.001f.mgd2.msft.net> <5373EA60.5010207@redhat.com> <82E7C9A01FD0764CACDD35D10F5DFB6E6D446D@001FSN2MPN1-044.001f.mgd2.msft.net> <20140611085131.GS5752@localhost.localdomain> <82E7C9A01FD0764CACDD35D10F5DFB6E6D6F3A@001FSN2MPN1-044.001f.mgd2.msft.net> <20140617092725.GD2770@localhost.localdomain>
Message-ID: <82E7C9A01FD0764CACDD35D10F5DFB6E6D72E0@001FSN2MPN1-044.001f.mgd2.msft.net>

> -----Original Message-----
> From: Sumit Bose [mailto:sbose at redhat.com]
> Sent: Tuesday, June 17, 2014 3:27 AM
>
> > Case one would represent vanilla Kerberos trusts, or the quite likely scenario where an external collaboration domain is separated from corporate AD by a firewall. (e.g., institutional AD can provide authentication via trust for users on the corporate network, but not attributes).
>
> I think this can be done. It is about how the reference key is evaluated. E.g. if the key is ':KRB5:user at EXAMPLE.COM' in the default view SSSD can create a user object in its cache with the data given in the view and where the user name is equal to the Kerberos principal name (so far we said that we do not want to allow to overwrite the user name in views to avoid confusion). Since the object is now in the SSSD cache it is available in the IPA server, on IPA clients with SSSD via extdom plugin and to legacy clients via the compat tree.

I hate to appear too stupid, but google isn't getting me where I need to be fast enough. What's the extdom plugin?

Also I think I'm losing track of the flow.
Is the above talking about SSSD on one of the domain clients, or on the FreeIPA server? I'm not sure I understand how an object in the (client's?) SSSD cache becomes available to FreeIPA, and hence to all domain clients...

I think you may have to allow overwriting the username in views, unless there is some other mechanism to allow the domain admin to resolve username collisions. I don't think views should ever touch the user's real name fields, or email, or things which actually apply to the human behind the identity. However, I'm thinking of views as the means by which an externally defined identity is adapted to the local computational environment. Overriding username, uidNumber, group membership, and other stuff relevant to using the remote identity in the local context is all fair game.

Individual cross-realm principals may be the norm for onsey-twosy logins from foreign domains where it's impractical to establish trusts. These will have the form:

USER/EXTERNAL.ORG at EXAMPLE.COM

Which in my case would be:

bnordgren/DS.FS.FED.US at FIRELAB.ORG

That's awfully long, and the slash in the middle means that the home directory can't just be the username. Principals from foreign technologies may be longer, and also full of stuff that can't be in a directory name. We don't know what those will look like yet, but the username may have three components and contain a URL. Say this is the Kerberos version of my SAML principal:

bnordgren at fs/SAMLv2.0/https://www.eauth.usda.gov/Login/login.aspx at FIRELAB.ORG

Long story short, don't worry about how the nasty principals get generated, but do assume that they are too ugly for words. Please please please overwrite my username. :)

> > Case two would represent authentication sources such as SAML. Views
> > would need to be the mechanism by which the gateway caches attributes in
> > FreeIPA (after inspecting SAML assertions).
>
> I think we are already doing similar things with the MS-PAC.
> If configured
> SSSD will intercept the PAC, decode it and store data from the PAC in the
> cache. This currently happens during authentication on the client hence this
> data is directly available on the IPA client and is not distributed by the IPA
> server. Would this work for your use case or do you need the data on IPA
> clients where the user never authenticated as well?

I think that if FreeIPA intends to provide infrastructure which offers clients the option of setting up file sharing via nfsv3 or v4 using host-based auth, the uidNumbers all have to be the same for all domain clients. I'd vote for supporting filesharing. NFSv4 with Kerberos auth may tolerate the uidNumbers being different, at the cost of making sssd manage the idmapper.

If there's no file sharing (users log into isolated workstations and touch only local files or scp/sftp/sshfs files back and forth), then each machine needs to allocate a persistent identifier which lasts from session to session. Is the SSSD cache persistent between logins?

However, this won't recognize that me logging in via Kerberos is the same as me logging in via SAML. (see below)

So I guess this is a very longwinded "no, it won't work for me". Sorry. :) Needs to be consistent in the domain.

> > Finally, one functional requirement for views may be that the view needs
> > to support a many-to-one "authentication method" to "identity attributes"
> > mapping. For instance, an employee sitting at their desk may log into their
> > server in the collaboration network via SSO (hence, their AD account). Soon
> > this same user may also walk over to the console on the collaboration
> > network and need to use some other Ipsilon-gateway-enabled credentials.
> > These two credentials may need to be mapped to a single user identity. This
> > may not be functionality which needs to be implemented first, but it does
> > perhaps suggest that krbPrincipal may not always be single valued.
> > This may
> > be something which deserves an honorable mention on the RFE page as it
> > impacts the assumptions coders can make.
>
> I wonder if you mean that the reference in the user views may not always be
> single valued ?

Potentially. I'm unfamiliar with the implementation details, so let me start talking "end user visible" features. I want one user profile for me in the domain. All domain clients recognize this profile. I want my username to be short and sweet. I want to have the option of authenticating using a variety of methods (Kerberos, saml, openid connect), but I do not want these to be completely separate accounts. I want to connect my authentication sources to my profile so that it doesn't matter where I log in from/how I log in.

Again, long story short, don't worry about the details of how these various authentication sources are bridged into Kerberos. Assume they are (or will be). The view should be thought of as a domain-wide user profile which is attachable (under user control) to multiple authentication principals.

> Thank you very much for your input. I plan to update the design page during
> the next days. I hope you don't mind if I add your suggestions in a 'Next
> step/Future Enhancements' section because I would prefer to get the AD
> use case implemented and included in the IPA and SSSD trees first.

I think overwriting the username and other machine specific attributes has to go in at first, even with just AD. Not doing that assumes you're either dealing with a single foreign AD domain, or foreign AD domains which are somehow coordinated to eliminate username/uid collisions. Certain names may be more problematic than others. Jsmith may be more likely to collide than bnordgren, for instance. And large directories have a greater potential for collision than small ones.

Everything else can definitely be a future thing. Thanks for your work!
Bryce

This electronic message contains information generated by the USDA solely for the intended recipients. Any unauthorized interception of this message or the use or disclosure of the information it contains may violate the law and subject the violator to civil or criminal penalties. If you believe you have received this message in error, please notify the sender and delete the email immediately.

From bnordgren at fs.fed.us Tue Jun 17 23:14:09 2014
From: bnordgren at fs.fed.us (Nordgren, Bryce L -FS)
Date: Tue, 17 Jun 2014 23:14:09 +0000
Subject: [Freeipa-users] Ipsilon and WebAthena
Message-ID: <82E7C9A01FD0764CACDD35D10F5DFB6E6D735D@001FSN2MPN1-044.001f.mgd2.msft.net>

When thinking about gateways and what Ipsilon may do, I came across this thesis:

https://davidben.net/thesis.pdf

and source

https://github.com/davidben/webathena

His approach to unifying web and non-web technologies was to build gateways for non-web services such that browser based clients could be written without changing the server side.

I'm not sold on that approach. However, the source repository includes a browser-based javascript implementation of the Kerberos protocol and a python gateway to a KDC. Users can kinit from the browser the way Kerberos intended (password does not go over the wire).

Is it possible to do a pure-javascript, all browser based kinit/spnego so that users don't have to pop out to the command line to kinit? One still would not have the ability to ssh into a console after doing an in-browser kinit, but all the websites in the target domain should recognize the credentials.

Worthwhile or dumb?

Bryce

From simo at redhat.com Wed Jun 18 01:24:04 2014
From: simo at redhat.com (Simo Sorce)
Date: Tue, 17 Jun 2014 21:24:04 -0400
Subject: [Freeipa-users] Ipsilon and WebAthena
In-Reply-To: <82E7C9A01FD0764CACDD35D10F5DFB6E6D735D@001FSN2MPN1-044.001f.mgd2.msft.net>
References: <82E7C9A01FD0764CACDD35D10F5DFB6E6D735D@001FSN2MPN1-044.001f.mgd2.msft.net>
Message-ID: <1403054644.12884.35.camel@willson.usersys.redhat.com>

On Tue, 2014-06-17 at 23:14 +0000, Nordgren, Bryce L -FS wrote:
> When thinking about gateways and what Ipsilon may do, I came across this thesis:
>
> https://davidben.net/thesis.pdf
>
> and source
>
> https://github.com/davidben/webathena
>
> His approach to unifying web and non-web technologies was to build
> gateways for non-web services such that browser based clients could be
> written without changing the server side.
>
> I'm not sold on that approach. However, the source repository includes
> a browser-based javascript implementation of the Kerberos protocol and
> a python gateway to a KDC. Users can kinit from the browser the way
> Kerberos intended (password does not go over the wire).
>
> Is it possible to do a pure-javascript, all browser based kinit/spnego
> so that users don't have to pop out to the command line to kinit? One
> still would not have the ability to ssh into a console after doing an
> in-browser kinit, but all the websites in the target domain should
> recognize the credentials.
>
> Worthwhile or dumb?

Where does the javascript come from ?
How do you trust it is not going to send your password somewhere ?
How do you trust another bug in the browser will not allow another "tab"
to read the memory of the browser including your password or TGT ?
There is a good reason crypto and keys on one side and javascript on the
other should not come in contact, IMO.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From pspacek at redhat.com Wed Jun 18 07:14:36 2014
From: pspacek at redhat.com (Petr Spacek)
Date: Wed, 18 Jun 2014 09:14:36 +0200
Subject: [Freeipa-users] Standard Logging
In-Reply-To: <53A079E0.7030000@redhat.com>
References: <539F517D.8010501@digitalreasoning.com> <539F6E17.4030204@redhat.com> <53A034D8.4090408@digitalreasoning.com> <53A036F9.9030007@digitalreasoning.com> <53A05E3C.3000005@redhat.com> <56343345B145C043AE990701E3D193950478DED1@EXVS2.nrplc.localnet> <53A067A0.8050200@redhat.com> <56343345B145C043AE990701E3D193950478DED2@EXVS2.nrplc.localnet> <53A079E0.7030000@redhat.com>
Message-ID: <53A13C5C.3070102@redhat.com>

On 17.6.2014 19:24, Rob Crittenden wrote:
> Innes, Duncan wrote:
>> Fair call Rob, I should have put "standard" in quotes. I think I meant
>> to.
>>
>> I know applications doing their own logging is pretty wide spread too.
>> It's just that moving to a more unified tool that performed the logging,
>> remote shipping, rotation, compression etc (where required) would be
>> great.
>>
>> Whilst I like journald a lot, it still misses native log shipping. I
>> think it's being worked on though.
>>
>> As an IdM user, I figure I'll have to wait around quite a while to get
>> any such features.
>
> Yeah, sorry about that. Audit is one of those things where the word
> "just" comes up a lot which usually means trouble :-)
>>
>> I'll have a poke around with using rsyslog for some IPA logs just now.
>
> That would be great. Please share the things you learn.

Feel free to create a wiki page, e.g.
http://www.freeipa.org/page/Howto/Logging_to_syslog

Your ordinary Fedora account will allow you to log in and create the page.

Thank you for your time!
Petr^2 Spacek

>
> regards
>
> rob
>
>>
>> Cheers
>>
>> Duncan
>>
>>> -----Original Message-----
>>> From: Rob Crittenden [mailto:rcritten at redhat.com]
>>> Sent: 17 June 2014 17:07
>>> To: Innes, Duncan; freeipa-users at redhat.com
>>> Subject: Re: [Freeipa-users] Standard Logging
>>>
>>> Innes, Duncan wrote:
>>>> Hi folks,
>>>>
>>>> Is there any movement towards getting FreeIPA to use more standard
>>>> logging tools? Journald or rsyslog.
>>>
>>> I wouldn't exactly call servers logging to their own files as
>>> non-standard.
>>>
>>> You can theoretically configure most services to use at least
>>> rsyslogd now. I say theoretically because we haven't tried
>>> in the context of IPA but I doubt you'd be plowing any new
>>> ground by configuring it.
>>>
>>>> Wondering because at the moment, the rotation of logs is
>>> non standard
>>>> compared to most of the rest of our estate. It would be a
>>> boost for
>>>> us to know that rsyslog/journald are handling the logging
>>> (enabling us
>>>> to get the log files sent over the network) and logrotate
>>> is rotating
>>>> the logs and can compress logs if we want (which we do).
>>>
>>> There is a long-term ticket to use journald,
>>> https://fedorahosted.org/freeipa/ticket/4296

From pspacek at redhat.com Wed Jun 18 07:30:59 2014
From: pspacek at redhat.com (Petr Spacek)
Date: Wed, 18 Jun 2014 09:30:59 +0200
Subject: [Freeipa-users] Links in mailing-list footer
Message-ID: <53A14033.6080000@redhat.com>

Hello list,

I wonder if we could improve the mailing list footer for freeipa-users.

It can be configured in the mailing list administration in section "Non-digest options".

Currently the footer looks like:
"_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users"

What about something more useful?
"--
Freeipa-users at redhat.com mailing list
https://www.redhat.com/mailman/listinfo/freeipa-users
http://www.freeipa.org/page/Documentation | http://www.freeipa.org/page/Demo"

The most important change is replacing
"_______________________________________________"
with
"-- "

"-- " is usually interpreted by e-mail clients as "beginning of signature" and automatically stripped from replies.

It would prevent mailing list signatures from accumulating in replies like this:

> [blah blah]
Good idea.
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Other links in the proposed signature were picked almost randomly :-)

--
Petr^2 Spacek

From simo at redhat.com Wed Jun 18 12:52:07 2014
From: simo at redhat.com (Simo Sorce)
Date: Wed, 18 Jun 2014 08:52:07 -0400
Subject: [Freeipa-users] Links in mailing-list footer
In-Reply-To: <53A14033.6080000@redhat.com>
References: <53A14033.6080000@redhat.com>
Message-ID: <1403095927.12884.38.camel@willson.usersys.redhat.com>

On Wed, 2014-06-18 at 09:30 +0200, Petr Spacek wrote:
> Hello list,
>
> I wonder if we could improve mailing list footer for freeipa-users.
>
> It can be configured in mailing list administration in section "Non-digest
> options".
>
> Currently the footer looks like:
> "_______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users"
>
>
> What about something more useful?
>
> "--
> Freeipa-users at redhat.com mailing list
> https://www.redhat.com/mailman/listinfo/freeipa-users
> http://www.freeipa.org/page/Documentation | http://www.freeipa.org/page/Demo"
>
> The most important change is replacing
> "_______________________________________________"
> with
> "-- "
>
> "-- " is usually interpreted by e-mail clients as "beginning of signature" and
> automatically stripped from replies.
>
> It would prevent mailing list signatures from accumulating in replies like this:

Good idea, I changed the footer, and made it more sober, let me know if you like it when you see it.

Simo.

> > [blah blah]
> Good idea.
> > _______________________________________________
> > Freeipa-users mailing list
> > Freeipa-users at redhat.com
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
> Other links in proposed signature were picked almost randomly :-)
>

--
Simo Sorce * Red Hat, Inc * New York

From john.moyer at digitalreasoning.com Wed Jun 18 13:02:06 2014
From: john.moyer at digitalreasoning.com (John Moyer)
Date: Wed, 18 Jun 2014 09:02:06 -0400
Subject: [Freeipa-users] Problem finding new users via command line
In-Reply-To: <53A05E3C.3000005@redhat.com>
References: <539F517D.8010501@digitalreasoning.com> <539F6E17.4030204@redhat.com> <53A034D8.4090408@digitalreasoning.com> <53A036F9.9030007@digitalreasoning.com> <53A05E3C.3000005@redhat.com>
Message-ID: <53A18DCE.4050003@digitalreasoning.com>

Rob,

That is correct, I just put my ssh key in for that new user and was unable to ssh to one of the nodes registered with IPA. I also logged in as myself (which did work) and then ran getent password new.user and that yielded nothing, but getent password john.moyer yielded all of my information.
On 6/17/14, 11:26 AM, Rob Crittenden wrote:
> John Moyer wrote:
>> Sorry forgot the second part of your question:
>>
>> rpm -qa | grep ipa
>> libipa_hbac-1.9.2-129.el6_5.4.x86_64
>> ipa-server-3.0.0-37.el6.x86_64
>> ipa-pki-ca-theme-9.0.3-7.el6.noarch
>> python-iniparse-0.3.1-2.1.el6.noarch
>> libipa_hbac-python-1.9.2-129.el6_5.4.x86_64
>> ipa-python-3.0.0-37.el6.x86_64
>> ipa-client-3.0.0-37.el6.x86_64
>> ipa-admintools-3.0.0-37.el6.x86_64
>> ipa-pki-common-theme-9.0.3-7.el6.noarch
>> ipa-server-selinux-3.0.0-37.el6.x86_64
> It's important that we're comparing apples to apples. Is this a search
> against the same IPA server or do you have multiple masters?
>
> I assume that SSSD isn't seeing these new users either which is what
> led you to ldapsearch?
>
> You might want to do the same search on a working and non-working box
> and compare the 389-ds access logs to see if there is anything noticeable.
>
> rob
>
>>
>> John
>>
>> On 6/17/14, 8:30 AM, John Moyer wrote:
>>> I'm using ldapsearch. The command I was using was like the one below
>>> (edited to protect creds/users).
>>>
>>> ldapsearch -x -h ipa.digitalreasoning.com -ZZ -b
>>> "dc=digitalreasoning,dc=com" -D
>>> "uid=adminuser,cn=users,cn=accounts,dc=digitalreasoning,dc=com" -w
>>> 'password' uid=first.last
>>>
>>>
>>> # extended LDIF
>>> #
>>> # LDAPv3
>>> # base with scope subtree
>>> # filter: uid=first.last
>>> # requesting: ALL
>>> #
>>>
>>> # search result
>>> search: 3
>>> result: 0 Success
>>>
>>> # numResponses: 1
>>>
>>>
>>> Any help is much appreciated!
>>>
>>> Thanks,
>>>
>>> John
>>>
>>>
>>>
>>> On 6/16/14, 6:22 PM, Rob Crittenden wrote:
>>>> John Moyer wrote:
>>>>> Hello All,
>>>>>
>>>>> I'm having a problem querying new users.
>>>>>
>>>>> I can create the user from the webpage no problem, and I can see
>>>>> them afterwards via the webpage. I can then see those users via ipa
>>>>> user-find, as well as a LOCAL ldapsearch, even remotely from apache
>>>>> directory studio.
>>>>> However, if I go to another linux box and do an
>>>>> ldapsearch the new user (only the new user) is not seen in the search.
>>>>> Users created before today work great. Now I did change stuff, I did a
>>>>> yum upgrade last weekend and this was not a problem before I did this.
>>>>> Any help or guidance to make a remote ldapsearch work on new users would
>>>>> be greatly appreciated!
>>>> What command-line are you using? What rpm version is [free]ipa-python?
>>>> Do you have multiple masters or is this a single IPA server?
>>>>
>>>> rob
>>>>
>>>
>>>
>>>
>>> Thanks,
>>> ------------------------------------------------------------------------
>>> John Moyer
>>>
>>
>>
>>
>> Thanks,
>> ------------------------------------------------------------------------
>> John Moyer
>> Director, IT Operations
>> 901 N. Stuart St. STE 904A
>> Arlington, VA 22203
>> 703.678.2311 Office
>> 240.460.0023 Cell
>> 703.678.2312 Fax

Thanks,
------------------------------------------------------------------------
John Moyer
Director, IT Operations
901 N. Stuart St. STE 904A
Arlington, VA 22203
703.678.2311 Office
240.460.0023 Cell
703.678.2312 Fax

From john.moyer at digitalreasoning.com Wed Jun 18 14:35:48 2014
From: john.moyer at digitalreasoning.com (John Moyer)
Date: Wed, 18 Jun 2014 10:35:48 -0400
Subject: [Freeipa-users] Problem finding new users via command line
In-Reply-To: <53A18DCE.4050003@digitalreasoning.com>
References: <539F517D.8010501@digitalreasoning.com> <539F6E17.4030204@redhat.com> <53A034D8.4090408@digitalreasoning.com> <53A036F9.9030007@digitalreasoning.com> <53A05E3C.3000005@redhat.com> <53A18DCE.4050003@digitalreasoning.com>
Message-ID: <53A1A3C4.2000708@digitalreasoning.com>

Please ignore this problem. I found the problem; embarrassing as this is, a host file was in place where I didn't expect it, and the user was not created in the correct system.
John

On 6/18/14, 9:02 AM, John Moyer wrote:
> Rob,
>
> That is correct, I just put my ssh key in for that new user and
> was unable to ssh to one of the nodes registered with IPA. I also
> logged in as myself (which did work) and then ran getent password
> new.user and that yielded nothing, but getent password john.moyer
> yielded all of my information.
>
>
>
> On 6/17/14, 11:26 AM, Rob Crittenden wrote:
>> John Moyer wrote:
>>> Sorry forgot the second part of your question:
>>>
>>> rpm -qa | grep ipa
>>> libipa_hbac-1.9.2-129.el6_5.4.x86_64
>>> ipa-server-3.0.0-37.el6.x86_64
>>> ipa-pki-ca-theme-9.0.3-7.el6.noarch
>>> python-iniparse-0.3.1-2.1.el6.noarch
>>> libipa_hbac-python-1.9.2-129.el6_5.4.x86_64
>>> ipa-python-3.0.0-37.el6.x86_64
>>> ipa-client-3.0.0-37.el6.x86_64
>>> ipa-admintools-3.0.0-37.el6.x86_64
>>> ipa-pki-common-theme-9.0.3-7.el6.noarch
>>> ipa-server-selinux-3.0.0-37.el6.x86_64
>> It's important that we're comparing apples to apples. Is this a search
>> against the same IPA server or do you have multiple masters?
>>
>> I assume that SSSD isn't seeing these new users either which is what
>> led you to ldapsearch?
>>
>> You might want to do the same search on a working and non-working box
>> and compare the 389-ds access logs to see if there is anything noticeable.
>>
>> rob
>>
>>> John
>>>
>>> On 6/17/14, 8:30 AM, John Moyer wrote:
>>>> I'm using ldapsearch. The command I was using was like the one below
>>>> (edited to protect creds/users).
>>>>
>>>> ldapsearch -x -h ipa.digitalreasoning.com -ZZ -b
>>>> "dc=digitalreasoning,dc=com" -D
>>>> "uid=adminuser,cn=users,cn=accounts,dc=digitalreasoning,dc=com" -w
>>>> 'password' uid=first.last
>>>>
>>>>
>>>> # extended LDIF
>>>> #
>>>> # LDAPv3
>>>> # base with scope subtree
>>>> # filter: uid=first.last
>>>> # requesting: ALL
>>>> #
>>>>
>>>> # search result
>>>> search: 3
>>>> result: 0 Success
>>>>
>>>> # numResponses: 1
>>>>
>>>>
>>>> Any help is much appreciated!
>>>>
>>>> Thanks,
>>>>
>>>> John
>>>>
>>>>
>>>>
>>>> On 6/16/14, 6:22 PM, Rob Crittenden wrote:
>>>>> John Moyer wrote:
>>>>>> Hello All,
>>>>>>
>>>>>> I'm having a problem querying new users.
>>>>>>
>>>>>> I can create the user from the webpage no problem, and I can see
>>>>>> them afterwards via the webpage. I can then see those users via ipa
>>>>>> user-find, as well as a LOCAL ldapsearch, even remotely from apache
>>>>>> directory studio. However, if I go to another linux box and do an
>>>>>> ldapsearch the new user (only the new user) is not seen in the search.
>>>>>> Users created before today work great. Now I did change stuff, I did a
>>>>>> yum upgrade last weekend and this was not a problem before I did this.
>>>>>> Any help or guidance to make a remote ldapsearch work on new users would
>>>>>> be greatly appreciated!
>>>>> What command-line are you using? What rpm version is [free]ipa-python?
>>>>> Do you have multiple masters or is this a single IPA server?
>>>>>
>>>>> rob
>>>>>
>>>>
>>>>
>>>> Thanks,
>>>> ------------------------------------------------------------------------
>>>> John Moyer
>>>>
>>>
>>>
>>> Thanks,
>>> ------------------------------------------------------------------------
>>> John Moyer
>>> Director, IT Operations
>>> 901 N. Stuart St. STE 904A
>>> Arlington, VA 22203
>>> 703.678.2311 Office
>>> 240.460.0023 Cell
>>> 703.678.2312 Fax
>
>
>
>
> Thanks,
> ------------------------------------------------------------------------
> John Moyer
> Director, IT Operations
> 901 N. Stuart St. STE 904A
> Arlington, VA 22203
> 703.678.2311 Office
> 240.460.0023 Cell
> 703.678.2312 Fax

Thanks,
------------------------------------------------------------------------
John Moyer
Director, IT Operations
901 N. Stuart St. STE 904A
Arlington, VA 22203
703.678.2311 Office
240.460.0023 Cell
703.678.2312 Fax

From dpal at redhat.com Wed Jun 18 17:32:58 2014
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 18 Jun 2014 13:32:58 -0400
Subject: [Freeipa-users] Ipsilon and WebAthena
In-Reply-To: <1403054644.12884.35.camel@willson.usersys.redhat.com>
References: <82E7C9A01FD0764CACDD35D10F5DFB6E6D735D@001FSN2MPN1-044.001f.mgd2.msft.net> <1403054644.12884.35.camel@willson.usersys.redhat.com>
Message-ID: <53A1CD4A.1070005@redhat.com>

On 06/17/2014 09:24 PM, Simo Sorce wrote:
> On Tue, 2014-06-17 at 23:14 +0000, Nordgren, Bryce L -FS wrote:
>> When thinking about gateways and what Ipsilon may do, I came across this thesis:
>>
>> https://davidben.net/thesis.pdf
>>
>> and source
>>
>> https://github.com/davidben/webathena
>>
>> His approach to unifying web and non-web technologies was to build
>> gateways for non-web services such that browser based clients could be
>> written without changing the server side.
>>
>> I'm not sold on that approach. However, the source repository includes
>> a browser-based javascript implementation of the Kerberos protocol and
>> a python gateway to a KDC. Users can kinit from the browser the way
>> Kerberos intended (password does not go over the wire).
>>
>> Is it possible to do a pure-javascript, all browser based kinit/spnego
>> so that users don't have to pop out to the command line to kinit? One
>> still would not have the ability to ssh into a console after doing an
>> in-browser kinit, but all the websites in the target domain should
>> recognize the credentials.
>>
>> Worthwhile or dumb?
> Where does the javascript come from ?
> How do you trust it is not going to send your password somewhere ?
> How do you trust another bug in the browser will not allow another "tab"
> to read the memory of the browser including your password or TGT ?
>
> There is a good reason crypto and keys on one side and javascript on the
> other should not come in contact, IMO.
>
> Simo.
>

I have seen this project presented at the MIT Kerberos Consortium board of directors and it gave me goose bumps.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

From bnordgren at fs.fed.us Wed Jun 18 17:40:13 2014
From: bnordgren at fs.fed.us (Nordgren, Bryce L -FS)
Date: Wed, 18 Jun 2014 17:40:13 +0000
Subject: [Freeipa-users] Ipsilon and WebAthena
In-Reply-To: <1403054644.12884.35.camel@willson.usersys.redhat.com>
References: <82E7C9A01FD0764CACDD35D10F5DFB6E6D735D@001FSN2MPN1-044.001f.mgd2.msft.net> <1403054644.12884.35.camel@willson.usersys.redhat.com>
Message-ID: <82E7C9A01FD0764CACDD35D10F5DFB6E6D7606@001FSN2MPN1-044.001f.mgd2.msft.net>

> Where does the javascript come from ?
> How do you trust it is not going to send your password somewhere ?
> How do you trust another bug in the browser will not allow another "tab"
> to read the memory of the browser including your password or TGT ?
>
> There is a good reason crypto and keys on one side and javascript on the
> other should not come in contact, IMO.

Clearly there are potential problems. The question is, are they bigger problems than sending your password across the net?

The first two questions are not specific to javascript, you should have the same concerns with any web password prompt, particularly those technologies which redirect browsers all over the internet. The last one is common to any session token you might have after authenticating. These are all high-visibility, well exercised regions of code which should get fixed quickly when a problem is detected. How do you know openssl doesn't have another heartbleed bug in it?

Relevant questions are: Given that a http basic auth challenge and the Kerberos javascript both would be protected/authenticated by the same SSL connection, is there a benefit to sending Kerberos exchanges instead of your password?
Would implementing this strategy help reduce the number of websites which require their own user database, reducing users' exposure to ill-managed systems? (and if we assume they use the same password in more than one place: reduce the system manager's exposure to having someone else's compromised system plague my machines?)

From bnordgren at fs.fed.us Wed Jun 18 18:17:22 2014
From: bnordgren at fs.fed.us (Nordgren, Bryce L -FS)
Date: Wed, 18 Jun 2014 18:17:22 +0000
Subject: [Freeipa-users] Add'tl use case for views
Message-ID: <82E7C9A01FD0764CACDD35D10F5DFB6E6D763E@001FSN2MPN1-044.001f.mgd2.msft.net>

Inconsistently managed AD user entries.

Many accounts in my AD are posixAccounts, but I encountered one today (created in 2013) which had no posix information whatsoever. This crumpled my assumption that I could leverage posix information from the institutional source. Under my current system, I had to create an external account for him. With views, I could've provided the missing attributes.

Dunno why, it just is.

Bryce

From simo at redhat.com Wed Jun 18 19:35:26 2014
From: simo at redhat.com (Simo Sorce)
Date: Wed, 18 Jun 2014 15:35:26 -0400
Subject: [Freeipa-users] Ipsilon and WebAthena
In-Reply-To: <82E7C9A01FD0764CACDD35D10F5DFB6E6D7606@001FSN2MPN1-044.001f.mgd2.msft.net>
References: <82E7C9A01FD0764CACDD35D10F5DFB6E6D735D@001FSN2MPN1-044.001f.mgd2.msft.net> <1403054644.12884.35.camel@willson.usersys.redhat.com> <82E7C9A01FD0764CACDD35D10F5DFB6E6D7606@001FSN2MPN1-044.001f.mgd2.msft.net>
Message-ID: <1403120126.12884.72.camel@willson.usersys.redhat.com>

On Wed, 2014-06-18 at 17:40 +0000, Nordgren, Bryce L -FS wrote:
> > Where does the javascript come from ?
> > How do you trust it is not going to send your password somewhere ?
> > How do you trust another bug in the browser will not allow another "tab"
> > to read the memory of the browser including your password or TGT ?
> >
> > There is a good reason crypto and keys on one side and javascript on the
> > other should not come in contact, IMO.
>
> Clearly there are potential problems. The question is, are they bigger
> problems than sending your password across the net?

No, but why should you ?
It is quite simple to just call gssapi_acquire_cred_with_password(), it would
require only a simple change in the browser to show you a prompt like it is
done with Basic Auth, and then you are future proof and use the system cred
store.

> The first two questions are not specific to javascript, you should
> have the same concerns with any web password prompt, particularly
> those technologies which redirect browsers all over the internet. The
> last one is common to any session token you might have after
> authenticating. These are all high-visibility, well exercised regions
> of code which should get fixed quickly when a problem is detected.

It's all easy except when it is not :-)

> How do you know openssl doesn't have another heartbleed bug in it?

I don't but at least I know exactly when it changes and what version it is
running.
How do you know if the thing showing you a prompt is valid ? How do you
know it is not a hidden frame trying to steal your credentials ? How do
you know it is an up to date version with fixed vulnerabilities ?

Although poorly implemented today, at least Basic Auth could be built so
that a trusted path is used and a properly trained user could not be
induced to give their credentials to an impostor fake dialog in a
website.

> Relevant questions are: Given that a http basic auth challenge and the
> Kerberos javascript both would be protected/authenticated by the same
> SSL connection, is there a benefit to sending Kerberos exchanges
> instead of your password?

There may be some advantages but I see a lot of downsides too.

> Would implementing this strategy help reduce the number of websites
> which require their own user database, reducing user's exposure to
> ill-managed systems?

Probably not.

> (and if we assume they use the same password in more than one place:
> reduce the system manager's exposure to having someone else's
> compromised system plague my machines?)

I think that if these are your concerns it would be more effective to
use OTPs where possible.

Simo.
-- 
Simo Sorce * Red Hat, Inc * New York

From bnordgren at fs.fed.us Wed Jun 18 20:45:39 2014
From: bnordgren at fs.fed.us (Nordgren, Bryce L -FS)
Date: Wed, 18 Jun 2014 20:45:39 +0000
Subject: [Freeipa-users] Ipsilon and WebAthena
In-Reply-To: <1403120126.12884.72.camel@willson.usersys.redhat.com>
References: <82E7C9A01FD0764CACDD35D10F5DFB6E6D735D@001FSN2MPN1-044.001f.mgd2.msft.net>
	<1403054644.12884.35.camel@willson.usersys.redhat.com>
	<82E7C9A01FD0764CACDD35D10F5DFB6E6D7606@001FSN2MPN1-044.001f.mgd2.msft.net>
	<1403120126.12884.72.camel@willson.usersys.redhat.com>
Message-ID: <82E7C9A01FD0764CACDD35D10F5DFB6E6D76CE@001FSN2MPN1-044.001f.mgd2.msft.net>

> -----Original Message-----
> From: Simo Sorce [mailto:simo at redhat.com]
> Sent: Wednesday, June 18, 2014 1:35 PM
>
> > Clearly there are potential problems. The question is, are they bigger
> > problems than sending your password across the net?
>
> No, but why should you ?
> It is quite simple to just call gssapi_acquire_cred_with_password(), it would
> require only a simple change in the browser to show you a prompt like it is
> done with Basic Auth, and then you are future proof and use the system cred
> store.

Wholeheartedly agree. However, when I previously suggested having the
browser interact with the system cred store, there was fierce
resistance. I believe the objections expressed on this list at the time
were the need to change the client side. JS eliminates that need, which
is the reason I brought it up.

> > (and if we assume they use the same password in more than one place:
> > reduce the system manager's exposure to having someone else's
> > compromised system plague my machines?)
>
> I think that if these are your concerns it would be more effective to use OTPs
> where possible.

I don't know enough about OTPs to understand how they apply to external
users, federation, and allowing "institutional" users to connect from
outside the firewall. Not even the name sounds very user friendly.
Bryce

This electronic message contains information generated by the USDA solely for the intended recipients. Any unauthorized interception of this message or the use or disclosure of the information it contains may violate the law and subject the violator to civil or criminal penalties. If you believe you have received this message in error, please notify the sender and delete the email immediately.

From barrykfl at gmail.com Thu Jun 19 02:01:30 2014
From: barrykfl at gmail.com (barrykfl at gmail.com)
Date: Thu, 19 Jun 2014 10:01:30 +0800
Subject: [Freeipa-users] user forget password how to make them able to reset
Message-ID: 

Hi:

Is there any token method through email that can allow users to authorize
resetting their own password if the password cannot be retrieved?
What response attribute should be used ?

I tried using pwm (password manager) to ask FreeIPA by generating a token
for it, but I have no idea how FreeIPA accepts the token, allows the reset
and gives a direct link to the user.

Regards

Barry

From barrykfl at gmail.com Thu Jun 19 06:26:33 2014
From: barrykfl at gmail.com (barrykfl at gmail.com)
Date: Thu, 19 Jun 2014 14:26:33 +0800
Subject: [Freeipa-users] Master master not sync some user account cannot be deleted
Message-ID: 

Hi:

Found master 1 and 2 not in sync, some accounts not synced, but when I
try to delete those accounts they cannot be recreated as it prompts that
the posix private group is present, and I found there is no ipa-group del
command in my version, freeipa 3 in centos. Any idea ?

barry
From pspacek at redhat.com Thu Jun 19 07:38:43 2014
From: pspacek at redhat.com (Petr Spacek)
Date: Thu, 19 Jun 2014 09:38:43 +0200
Subject: [Freeipa-users] Links in mailing-list footer
In-Reply-To: <1403095927.12884.38.camel@willson.usersys.redhat.com>
References: <53A14033.6080000@redhat.com>
	<1403095927.12884.38.camel@willson.usersys.redhat.com>
Message-ID: <53A29383.9000106@redhat.com>

On 18.6.2014 14:52, Simo Sorce wrote:
> On Wed, 2014-06-18 at 09:30 +0200, Petr Spacek wrote:
>> Hello list,
>>
>> I wonder if we could improve mailing list footer for freeipa-users.
>>
>> It can be configured in mailing list administration in section "Non-digest
>> options".
>>
>> Currently the footer looks like:
>> "_______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users"
>>
>>
>> What about something more useful?
>>
>> "--
>> Freeipa-users at redhat.com mailing list
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> http://www.freeipa.org/page/Documentation | http://www.freeipa.org/page/Demo"
>>
>> The most important change is replacing
>> "_______________________________________________"
>> with
>> "--"
>>
>> "-- " is usually interpreted by e-mail clients as "beginning of signature" and
>> automatically stripped from replies.
>>
>> It would prevent mailing list signatures from cumulating in replies like this:
>
> Good idea, I change the footer, and made it more sober, let me know if
> you like it when you see it.

The text seems good but the signature is not perfect. It contains only "--"
instead of "-- ". The space is important, e-mail clients will not cut the
signature if the trailing space is missing.
-- 
Petr^2 Spacek

From sbose at redhat.com Thu Jun 19 07:45:52 2014
From: sbose at redhat.com (Sumit Bose)
Date: Thu, 19 Jun 2014 09:45:52 +0200
Subject: [Freeipa-users] Add'tl use case for views
In-Reply-To: <82E7C9A01FD0764CACDD35D10F5DFB6E6D763E@001FSN2MPN1-044.001f.mgd2.msft.net>
References: <82E7C9A01FD0764CACDD35D10F5DFB6E6D763E@001FSN2MPN1-044.001f.mgd2.msft.net>
Message-ID: <20140619074552.GJ16782@localhost.localdomain>

On Wed, Jun 18, 2014 at 06:17:22PM +0000, Nordgren, Bryce L -FS wrote:
> Inconsistently managed AD user entries.
>
> Many accounts in my AD are posixAccounts, but I encountered one today (created in 2013) which had no posix information whatsoever. This crumpled my assumption that I could leverage posix information from the institutional source. Under my current system, I had to create an external account for him. With views, I could've provided the missing attributes.

Thank you. This is one of the main use cases for views we had in mind.

In general IPA can generate the needed POSIX data on the fly for AD
users. But currently you have to decide if you want to use the POSIX
attributes from AD, and as a consequence only the users with these
attributes set will be available. Or POSIX attributes will be created on
the fly for all AD users and POSIX attributes set in AD will be ignored.
Currently we do not support having both at once because it is easy to
run into trouble with no real way out. With views we can get around this
and it would be possible to support both schemes.

If you come across other use cases for views please share them here on
the list.

bye,
Sumit

>
> Dunno why just is.
>
> Bryce
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go To http://freeipa.org for more info on the project

From simo at redhat.com Thu Jun 19 12:42:03 2014
From: simo at redhat.com (Simo Sorce)
Date: Thu, 19 Jun 2014 08:42:03 -0400
Subject: [Freeipa-users] Links in mailing-list footer
In-Reply-To: <53A29383.9000106@redhat.com>
References: <53A14033.6080000@redhat.com>
	<1403095927.12884.38.camel@willson.usersys.redhat.com>
	<53A29383.9000106@redhat.com>
Message-ID: <1403181723.12884.79.camel@willson.usersys.redhat.com>

On Thu, 2014-06-19 at 09:38 +0200, Petr Spacek wrote:
> On 18.6.2014 14:52, Simo Sorce wrote:
> > On Wed, 2014-06-18 at 09:30 +0200, Petr Spacek wrote:
> >> Hello list,
> >>
> >> I wonder if we could improve mailing list footer for freeipa-users.
> >>
> >> It can be configured in mailing list administration in section "Non-digest
> >> options".
> >>
> >> Currently the footer looks like:
> >> "_______________________________________________
> >> Freeipa-users mailing list
> >> Freeipa-users at redhat.com
> >> https://www.redhat.com/mailman/listinfo/freeipa-users"
> >>
> >>
> >> What about something more useful?
> >>
> >> "--
> >> Freeipa-users at redhat.com mailing list
> >> https://www.redhat.com/mailman/listinfo/freeipa-users
> >> http://www.freeipa.org/page/Documentation | http://www.freeipa.org/page/Demo"
> >>
> >> The most important change is replacing
> >> "_______________________________________________"
> >> with
> >> "--"
> >>
> >> "-- " is usually interpreted by e-mail clients as "beginning of signature" and
> >> automatically stripped from replies.
> >>
> >> It would prevent mailing list signatures from cumulating in replies like this:
> >
> > Good idea, I change the footer, and made it more sober, let me know if
> > you like it when you see it.
>
> The text seems good but the signature is not perfect. It contains only "--"
> instead of "-- ". The space is important, e-mail clients will not cut the
> signature if the trailing space is missing.
>

Hopefully fixed now.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From barrykfl at gmail.com Fri Jun 20 02:18:51 2014
From: barrykfl at gmail.com (barrykfl at gmail.com)
Date: Fri, 20 Jun 2014 10:18:51 +0800
Subject: [Freeipa-users] Rebuild agreement of cluster 1 and 2
Message-ID: 

Now

node1 can show ipa-replica-manage list

1.abc.com: master
2.abc.com: master

But at node 2 type ipa-replica-manage list
Can't contact LDAP server

It seems broken on one side, node2. Any method to rebuild?
The server trust was built on a self CA cert before but then it changed to
a godaddy cert.

From rcritten at redhat.com Fri Jun 20 13:25:44 2014
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 20 Jun 2014 09:25:44 -0400
Subject: [Freeipa-users] Rebuild agreement of cluster 1 and 2
In-Reply-To: 
References: 
Message-ID: <53A43658.1000601@redhat.com>

barrykfl at gmail.com wrote:
> Now
>
> node1 can show ipa-replica-manage list
>
> 1.abc.com : master
> 2.abc.com : master
>
> But at node 2 type ipa-replica-manage list
> Can't contact LDAP server
>
> It seems broken on one side, node2. Any method to rebuild?
> The server trust was built on a self CA cert before but then it changed to
> a godaddy cert.

Note that the command only contacts the *local* LDAP server so I'd start
by diagnosing why the connection fails on node2. This is unrelated to
replication. The 389-ds access log may have some details.

If you add a hostname on the list command it will show the replication
status so I'd try that at least on node 1 to see if replication to node
2 is happening.
rob

From rob.verduijn at gmail.com Fri Jun 20 16:02:17 2014
From: rob.verduijn at gmail.com (Rob Verduijn)
Date: Fri, 20 Jun 2014 18:02:17 +0200
Subject: [Freeipa-users] issues with nfs4 privileges.
Message-ID: 

Hello,

I'm a bit at a loss with my freeipa kerberized nfs4 shares.

The nfs4 shares mount fine and users can read and write their files.
However pulse audio does not work properly, and some programs fail to start.
When logging in with a local account using a local homedrive
pulseaudio works, and the programs also work.
Also oddjob is not capable of creating a home dir for a new user.

root is not allowed to write in the home mount on the client (mkdir
test and touch test get a Permission denied)

I don't think it's selinux, because setenforce 0 on the nfs-server and
setenforce 0 on the nfs client did not help.

freeipa policies seem to be working fine, sudo rules are applied the
way I expect them.
Logging in on all the machines works, automounting works like a charm,
except for the situations described above.

server details are below

Anybody who can tell me what I've missed ?

Rob

the freeipa server is a dedicated fedora20 x86_64 machine with the latest updates applied

the nfs-server is a fedora20 x86_64 machine with the latest updates applied
these booleans have been applied on the nfs server
nfs_export_all_ro --> on
nfs_export_all_rw --> on

The exports are :
/exports *(rw,no_root_squash,crossmnt,fsid=0,sec=krb5p)
/exports/homes *(rw,no_root_squash,no_subtree_check,sec=krb5p)

/exports/homes is a bind mount from : /data3/homes

selinux contexts of the dirs:
ls -dalsZ /data3/homes
drwxr-xr-x. root root system_u:object_r:user_home_t:s0 /data3/homes
ls -dalsZ /exports/homes
drwxr-xr-x. root root system_u:object_r:user_home_t:s0 /exports/homes

/exports/homes is automounted by systemd using this unit file:
cat /etc/systemd/system/exports-homes.automount
[Unit]
Description=/exports/homes Directory Automount Point
Wants=network.target statd.service
After=network.target statd.service

[Automount]
Where=/exports/homes

[Install]
WantedBy=multi-user.target

and the matching unit mount:
cat /etc/systemd/system/exports-homes.mount
[Unit]
Description=Exports Homes Directory
Wants=network.target statd.service
After=network.target statd.service

[Mount]
What=/data3/homes
Where=/exports/homes
Type=none
Options=bind
DirectoryMode=0755

the nfs client is a fedora20 x86_64 machine with all the latest patches applied
This boolean has been set:
use_nfs_home_dirs --> on

ls -dalsZ /home/
drwxr-xr-x. root root system_u:object_r:user_home_t:s0 /home/

the home folder is automounted by systemd using this unit file :
cat /etc/systemd/system/home.automount
[Unit]
Description=Home Directory Automount Point
Wants=network.target statd.service
After=network.target statd.service

[Automount]
Where=/home

[Install]
WantedBy=multi-user.target

and the matching unit mount
cat /etc/systemd/system/home.mount
[Unit]
Description=Home Directory
Wants=network.target statd.service
After=network.target statd.service

[Mount]
What=172.16.1.1:/homes
Where=/home
Type=nfs4
Options=timeo=14,noatime,timeo=14,soft,sec=krb5p,context=system_u:object_r:user_home_t:s0
DirectoryMode=0750

From simo at redhat.com Fri Jun 20 16:27:32 2014
From: simo at redhat.com (Simo Sorce)
Date: Fri, 20 Jun 2014 12:27:32 -0400
Subject: [Freeipa-users] issues with nfs4 privileges.
In-Reply-To: 
References: 
Message-ID: <1403281652.12884.144.camel@willson.usersys.redhat.com>

On Fri, 2014-06-20 at 18:02 +0200, Rob Verduijn wrote:
> Hello,
>
> I'm a bit at a loss with my freeipa kerberized nfs4 shares.
>
> The nfs4 shares mount fine and users can read and write their files.
> However pulse audio does not work properly, and some programs fail to start.
> When logging in with a local account using a local homedrive
> pulseaudio works, and the programs also work.
> Also oddjob is not capable of creating a home dir for a new user.
>
> root is not allowed to write in the home mount on the client (mkdir
> test and touch test get a Permission denied)
>
> I don't think it's selinux, because setenforce 0 on the nfs-server and
> setenforce 0 on the nfs client did not help.

Indeed it is not selinux nor anything client related, when you use
kerberized NFSv4 *all* accesses including root must be authenticated.

When your "local" root user tries to access the mount point, either it
cannot authenticate or it uses the system keytab to authenticate, in
both cases, w/o further configuration on the server these accesses are
mapped to the nobody user or refused outright.

If you really want to trust *every* client to have full *root* access on
your server then you need to make sure the client is using the host
keytab when acting as root (default unless you pass -n to rpc.gssd) then
you need to map explicitly the client's hosts keys to the root account
on the server.
add:
host/client.host.name at YOUR.REALM = root
in the [static] section of idmapd.conf

See idmapd.conf(5) for details.

> freeipa policies seem to be working fine, sudo rules are applied the
> way I expect them.
> Logging in on all the machines works, automounting works like a charm,
> except for the situations described above.
>
> server details are below
>
> Anybody who can tell me what I've missed ?

What you've missed is simply that clients are not allowed to act as root
on NFS mounts by default, it's a security issue, because a compromised
client can then do what it wants with all NFS shared data regardless of
user permissions.

HTH,
Simo.
-- 
Simo Sorce * Red Hat, Inc * New York

From rob.verduijn at gmail.com Fri Jun 20 16:57:13 2014
From: rob.verduijn at gmail.com (Rob Verduijn)
Date: Fri, 20 Jun 2014 18:57:13 +0200
Subject: [Freeipa-users] issues with nfs4 privileges.
In-Reply-To: <1403281652.12884.144.camel@willson.usersys.redhat.com>
References: <1403281652.12884.144.camel@willson.usersys.redhat.com>
Message-ID: 

Hi Simo,

Thanks for the quick answer, I will consider the root implications.
However, what about pulse audio not working ?
The logs complain about that one not being able to write in home as well.

Rob

2014-06-20 18:27 GMT+02:00 Simo Sorce :
> On Fri, 2014-06-20 at 18:02 +0200, Rob Verduijn wrote:
>> Hello,
>>
>> I'm a bit at a loss with my freeipa kerberized nfs4 shares.
>>
>> The nfs4 shares mount fine and users can read and write their files.
>> However pulse audio does not work properly, and some programs fail to start.
>> When logging in with a local account using a local homedrive
>> pulseaudio works, and the programs also work.
>> Also oddjob is not capable of creating a home dir for a new user.
>>
>> root is not allowed to write in the home mount on the client (mkdir
>> test and touch test get a Permission denied)
>>
>> I don't think it's selinux, because setenforce 0 on the nfs-server and
>> setenforce 0 on the nfs client did not help.
>
> Indeed it is not selinux nor anything client related, when you use
> kerberized NFSv4 *all* accesses including root must be authenticated.
>
> When your "local" root user tries to access the mount point, either it
> cannot authenticate or it uses the system keytab to authenticate, in
> both cases, w/o further configuration on the server these accesses are
> mapped to the nobody user or refused outright.
>
> If you really want to trust *every* client to have full *root* access on
> your server then you need to make sure the client is using the host
> keytab when acting as root (default unless you pass -n to rpc.gssd) then
> you need to map explicitly the client's hosts keys to the root account
> on the server.
> add:
> host/client.host.name at YOUR.REALM = root
> in the [static] section of idmapd.conf
>
> See idmapd.conf(5) for details.
>
>> freeipa policies seem to be working fine, sudo rules are applied the
>> way I expect them.
>> Logging in on all the machines works, automounting works like a charm,
>> except for the situations described above.
>>
>> server details are below
>>
>> Anybody who can tell me what I've missed ?
>
> What you've missed is simply that clients are not allowed to act as root
> on NFS mounts by default, it's a security issue, because a compromised
> client can then do what it wants with all NFS shared data regardless of
> user permissions.
>
> HTH,
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>

From simo at redhat.com Fri Jun 20 17:14:53 2014
From: simo at redhat.com (Simo Sorce)
Date: Fri, 20 Jun 2014 13:14:53 -0400
Subject: [Freeipa-users] issues with nfs4 privileges.
In-Reply-To: 
References: <1403281652.12884.144.camel@willson.usersys.redhat.com>
Message-ID: <1403284493.12884.148.camel@willson.usersys.redhat.com>

On Fri, 2014-06-20 at 18:57 +0200, Rob Verduijn wrote:
> Hi Simo,
>
> Thanks for the quick answer, I will consider the root implications.
> However, what about pulse audio not working ?
> The logs complain about that one not being able to write in home as well.

Is it running as the "pulse" user ?
If so it would be the same issue, but I thought pulseaudio runs as the
user by default, have you changed its configuration to run one instance
per system by chance ?

Simo.
-- 
Simo Sorce * Red Hat, Inc * New York

From rob.verduijn at gmail.com Fri Jun 20 17:27:01 2014
From: rob.verduijn at gmail.com (Rob Verduijn)
Date: Fri, 20 Jun 2014 19:27:01 +0200
Subject: [Freeipa-users] issues with nfs4 privileges.
In-Reply-To: <1403284493.12884.148.camel@willson.usersys.redhat.com>
References: <1403281652.12884.144.camel@willson.usersys.redhat.com>
	<1403284493.12884.148.camel@willson.usersys.redhat.com>
Message-ID: 

Hi,

I have not touched pulse audio configuration, it's set to default, I
can see in the logs the pulseaudio daemon assumes the user id.

rtkit-daemon[697]: Successfully made thread 3299 of process 3299 (/usr/bin/pulseaudio) owned by '47000001' high priority at nice level -11.
rtkit-daemon[697]: Supervising 5 threads of 2 processes of 2 users.
pulseaudio[3299]: [pulseaudio] core-util.c: Failed to create secure directory (/home/rob/.config/pulse): Permission denied

The directory already exists, I tried removing it, which did not help.

Rob

2014-06-20 19:14 GMT+02:00 Simo Sorce :
> On Fri, 2014-06-20 at 18:57 +0200, Rob Verduijn wrote:
>> Hi Simo,
>>
>> Thanks for the quick answer, I will consider the root implications.
>> However, what about pulse audio not working ?
>> The logs complain about that one not being able to write in home as well.
>
> Is it running as the "pulse" user ?
> If so it would be the same issue, but I thought pulseaudio runs as the
> user by default, have you changed its configuration to run one instance
> per system by chance ?
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>

From rob.verduijn at gmail.com Fri Jun 20 17:51:52 2014
From: rob.verduijn at gmail.com (Rob Verduijn)
Date: Fri, 20 Jun 2014 19:51:52 +0200
Subject: [Freeipa-users] issues with nfs4 privileges.
In-Reply-To: <1403281652.12884.144.camel@willson.usersys.redhat.com>
References: <1403281652.12884.144.camel@willson.usersys.redhat.com>
Message-ID: 

Considering the root implications.
Handing out root to all nfs clients is indeed something that is undesirable.
However personally I believe manually creating homedirs to be a
procedure from the previous millennium.

Can I get freeipa to do this automatically the right way ? (respecting security)

Rob

From simo at redhat.com Fri Jun 20 18:05:29 2014
From: simo at redhat.com (Simo Sorce)
Date: Fri, 20 Jun 2014 14:05:29 -0400
Subject: [Freeipa-users] issues with nfs4 privileges.
In-Reply-To: 
References: <1403281652.12884.144.camel@willson.usersys.redhat.com>
Message-ID: <1403287529.12884.155.camel@willson.usersys.redhat.com>

On Fri, 2014-06-20 at 19:51 +0200, Rob Verduijn wrote:
> Considering the root implications.
>
> Handing out root to all nfs clients is indeed something that is undesirable.
> However personally I believe manually creating homedirs to be a
> procedure from the previous millennium.
>
> Can I get freeipa to do this automatically the right way ? (respecting security)

Not yet, because it is complicated, the problem is that the FreeIPA
server doesn't necessarily know "where" the home directories are. We
assume the user wants to provide them from a dedicated NAS or other NFS
Server.

We are tracking the desire to perform operations (like home directory
creation) when a user is created here:
https://fedorahosted.org/freeipa/ticket/2156

In the meanwhile I can suggest using some script in a cronjob on the NFS
Server that fetches the users list from ldap and proceeds to create a
home directory from the homeDirectory attribute, if it is missing.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From thomas.raehalme at codecenter.fi Sun Jun 22 12:29:19 2014
From: thomas.raehalme at codecenter.fi (Thomas Raehalme)
Date: Sun, 22 Jun 2014 15:29:19 +0300
Subject: [Freeipa-users] named's LDAP connection hangs
In-Reply-To: <539ECCDA.6040908@redhat.com>
References: <539ECCDA.6040908@redhat.com>
Message-ID: 

Hi!

Today it finally happened again - named is not resolving names under the
IPA domain, pvnet.cc.
Killing the named process and restarting it solves the problem (until it
happens again).

Petr, I'll send you the logs directly so I don't have to leave anything
out. I hope that's okay.

Thank you for the help!

Best regards,
Thomas

On Mon, Jun 16, 2014 at 1:54 PM, Petr Spacek wrote:

> On 16.6.2014 09:41, Thomas Raehalme wrote:
>
>> Hi,
>>
>> We have a problem with IPA going out of service every now and then. There
>> seems to be two kinds of situations:
>>
>> 1) The connection between named and dirsrv fails. Named can resolve
>> external names but the domain managed by IPA does not resolve any names.
>> named cannot be stopped. After killing the process and restarting the
>> issue is resolved.
>>
>> 2) Sometimes the situation is more severe and also dirsrv is unresponsive.
>> The solution then seems to be restarting both named and dirsrv
>> (individually or through the 'ipa' service).
>>
>> Regarding #1 the file /var/log/messages contains the following:
>>
>> Jun 16 03:22:23 ipa named[7295]: received control channel command 'reload'
>> Jun 16 03:22:23 ipa named[7295]: loading configuration from '/etc/named.conf'
>> Jun 16 03:22:23 ipa named[7295]: using default UDP/IPv4 port range: [1024, 65535]
>> Jun 16 03:22:23 ipa named[7295]: using default UDP/IPv6 port range: [1024, 65535]
>> Jun 16 03:22:23 ipa named[7295]: sizing zone task pool based on 6 zones
>> Jun 16 03:22:23 ipa named[7295]: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
>> Jun 16 03:22:23 ipa named[7295]: bind to LDAP server failed: Local error
>>
>> The reload is triggered by logrotate. For some reason authentication
>> fails, and the IPA domain is no longer resolvable.
>>
>> I haven't discovered a pattern how often these problems occur. Maybe once
>> a week or two.
>>
>> FreeIPA master running on CentOS 6.5 has been configured with the default
>> settings. In addition a single replica has been added.
>>
>> Any ideas where I should look for the source of the problem?
>>
>
> I have heard about this problem but nobody managed to reproduce the
> problem.
>
> Please:
> - configure KRB5_TRACE variable as described on
> https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart#a1.Gathersymptoms
> - restart named
> - send me logs when it happens again.
>
> Thank you!
>
> --
> Petr^2 Spacek
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>

-- 
*Thomas Raehalme*
*CTO, technology director*
Mobile +358 40 545 0605

*Codecenter Oy*
Väinönkatu 26 A, 4th Floor
40100 JYVÄSKYLÄ, Finland
Tel. +358 10 322 0040
www.codecenter.fi

*Codecenter - Information systems, understandably*

From dgonzalezh at gmail.com Sun Jun 22 16:41:36 2014
From: dgonzalezh at gmail.com (Dave Gonzalez)
Date: Sun, 22 Jun 2014 11:41:36 -0500
Subject: [Freeipa-users] Introduction and question regarding SMTP/IMAP
Message-ID: <53A70740.7080409@gmail.com>

Hello there everyone David here,

I'm big time Red Hat fan, I work for a company where we have a small 20+
people directory, I'm currently using Samba4 to offer authentication to
Openfire, Postfix, Dovecot (using GroupOffice); but I want to switch
because samba is a hassle to setup and whenever replication breaks it's
nearly impossible to rebuild, anyways, My current environment is Proxmox
VE 3 as virtualization platform and many CentOS/RedHat Servers holding my
services.

Please excuse me if this was already answered but after I went through the
archives I couldn't find anyone facing the same issue, please bear with me
as I'm a newbie to FreeIPA and LDAP. I know I'm missing something or doing
it wrong but after a week struggling with this setup I decided to call for
the help of the experts.
My environment:
FreeIPA Server
CentOS 6.5 x86_64

Mail Server
CentOS 6.5
postfix-2.6.6-6.el6_5.x86_64
dovecot-2.0.9-7.el6.x86_64
ipa-python-3.0.0-37.el6.x86_64
ipa-client-3.0.0-37.el6.x86_64
python-iniparse-0.3.1-2.1.el6.noarch
libipa_hbac-1.9.2-129.el6_5.4.x86_64
libipa_hbac-python-1.9.2-129.el6_5.4.x86_64

I've followed these posts from Dale McCartney, whom I've also read his
posts around here

https://www.dalemacartney.com/2013/03/14/deploying-postfix-with-ldap-freeipa-virtual-aliases-and-kerberos-authentication/
http://www.freeipa.org/page/Dovecot_Integration

None of them seem to work at the moment when using Thunderbird with the
server set up as STARTTLS Kerberos/GSSAPI -- Thunderbird also reports that

"The kerberos/GSSAPI ticket was not accepted by the IMAP server
david at domain.com. Please check that you're logged in to the
Kerberos/GSSAPI realm"

with Dovecot I'm getting this

Jun 22 11:01:25 imap-login: Info: Disconnected: Inactivity (no auth attempts): rip=1.1.1.1, lip=217.1.2.3

I tried manual telnet and use a authenticate gssapi which returns "+"
which means module is indeed loading and the server is gssapi ready for
the challenge.

If anyone of you could point me into the right direction I'd really value that.

Thanks

--- Regards David G.

From craig.mcniel at pearson.com Mon Jun 23 15:18:49 2014
From: craig.mcniel at pearson.com (McNiel, Craig)
Date: Mon, 23 Jun 2014 10:18:49 -0500
Subject: [Freeipa-users] IPA client default authentication domain/realm different than member domain/realm.
Message-ID: 

I am trying to integrate an IPA domain with a windows domain and I would
like to be able to have the users authenticated to the windows domain as
a default without having to append the realm to the login credentials as
we will not be using user authentication from the IPA domain.
The main reason for this is the Windows domain is a corporate run domain
that has an integrated joiners and leavers process for users and groups
and we don't want to have to duplicate that effort locally, however I also
don't want my users to have to type

logon: username at WIN.DOMAIN.COM

I would instead like for them to just input the username and have the
REALM/Domain assumed to be WIN.DOMAIN.COM instead of IPA.DOMAIN.COM

I'm not certain how to configure the client for this configuration.

Example.

****************************************
*    Win Domain (Users and Groups)     *
****************************************
                |
                |
******************         ***********
*   IPA Domain   * <-----> * Clients *
******************         ***********

Thanks !

- Craig

From dgonzalezh at gmail.com Mon Jun 23 22:26:13 2014
From: dgonzalezh at gmail.com (Dave Gonzalez)
Date: Mon, 23 Jun 2014 17:26:13 -0500
Subject: [Freeipa-users] Introduction and question regarding SMTP/IMAP
In-Reply-To: <20140623141202.2ddf7cac@ita-bones-t530>
References: <53A70740.7080409@gmail.com>
	<20140623141202.2ddf7cac@ita-bones-t530>
Message-ID: <53A8A985.7020206@gmail.com>

Hi again Martin,

Followed your advice with no luck either, I tried

testsaslauthd -u david at domain.com -p pass

saslauthd[18405] :rel_accept_lock : released accept lock
saslauthd[18407] :get_accept_lock : acquired accept lock
saslauthd[18405] :do_auth : auth failure: [user=david at domain.com] [service=imap] [realm=] [mech=ldap] [reason=Unknown]
saslauthd[18405] :do_request : response: NO 0: NO "authentication failed"

Postfix doesn't even show any authentication attempts, but what I see as
a weird thing is that "service=imap"

I appreciate your help and prompt response, I've tried with ldap_table
instructions from postfix site but no joy, also it's important to mention
to all that this is a brand new install of CentOS so no tweaks or any
weird thing.

Thanks everyone.
On 6/23/2014 8:12 AM, Martin Boese wrote: > On Sun, 22 Jun 2014 11:41:36 -0500 > Dave Gonzalez wrote: > >> Hello there everyone David here, >> >> I'm big time Red Hat fan, I work for a company where we have a small >> 20+ people directory, I'm currently using Samba4 to offer >> authentication to Openfire, Postfix, Dovecot (using GroupOffice); but >> I want to switch ebcause samba is a hassle to setup and whenever >> replication breaks it's nearly impossible to rebuild, anyways, My >> current environment is Proxmox VE 3 as virtualization platform and >> many CentOS/RedHat Servers holding my services. >> >> Please excuse me if this was already answered but after I went >> trhough the archives I coulnd't find anyone facing the same issue, >> please bear with me as I'm a newbie to FreeIPA and LDAP. I know I'm >> missing something or doing it wrong but after a week struggling with >> this setup I decided to call for the help of the experts. >> >> My environment: >> FreeIPA Server >> CentOS 6.5 x86_64 >> >> Mail Server >> CentOS 6.5 >> postfix-2.6.6-6.el6_5.x86_64 >> dovecot-2.0.9-7.el6.x86_64 >> ipa-python-3.0.0-37.el6.x86_64 >> ipa-client-3.0.0-37.el6.x86_64 >> python-iniparse-0.3.1-2.1.el6.noarch >> libipa_hbac-1.9.2-129.el6_5.4.x86_64 >> libipa_hbac-python-1.9.2-129.el6_5.4.x86_64 >> >> I've followed these posts from Dale McCartney, whom I've also read >> his posts around here >> >> https://www.dalemacartney.com/2013/03/14/deploying-postfix-with-ldap-freeipa-virtual-aliases-and-kerberos-authentication/ >> >> http://www.freeipa.org/page/Dovecot_Integration >> >> None of them seem to work at the moment when using Thunderbird with >> the server set up as STARTLS Kerberos/GSSAPI -- Thunderbird also >> reports that >> >> >> "The kerberos/GSSAPI ticket was not accepted by the IMAP server >> david at domain.com. 
>> Please check that you're logged in to the
>> Kerberos/GSSAPI realm"
>>
>> with Dovecot I'm getting this
>>
>> Jun 22 11:01:25 imap-login: Info: Disconnected: Inactivity (no auth
>> attempts): rip=1.1.1.1, lip=217.1.2.3
>>
>> I tried manual telnet and use a authenticate gssapi which returns "+"
>> which means module is indeed loading and the server is gssapi ready
>> for the challenge.
>>
>> If anyone of you could point me into the right direction I'd really
>> value that.
>>
>> Thanks
>>
>> --- Regards David G.
> I think the right direction is to just use LDAP for these things..
>
> Here's my LDAP+SASL on debian for Postfix. Seems like Dovecot can also
> authenticate against SASL.
>
> Create an unprivileged user for ldap-bind
>
> ** /etc/postfix/main.cf
>
> ...snip...
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_path = smtpd
> smtpd_sasl_local_domain = yourdomain.com
>
> ...add to:
> smtpd_recipient_restrictions =
>     permit_sasl_authenticated
>
> ** /etc/postfix/sasl/smtpd.conf
> pwcheck_method: saslauthd
> mech_list: PLAIN LOGIN
>
> ** /etc/saslauth.conf
> ldap_servers: ldap://your.ipa.server
> ldap_search_base: cn=users,cn=accounts,dc=yourdomain,dc=com
> ldap_filter: (|(uid=%u)(mail=%u))
> ldap_bind_dn: uid=your-unpriviledged-user,cn=users,cn=accounts,dc=yourdomain,dc=com
> ldap_bind_pw: password-of-the-user
>
> Martin

From yamakasi.014 at gmail.com Tue Jun 24 10:29:02 2014
From: yamakasi.014 at gmail.com (Matt .)
Date: Tue, 24 Jun 2014 12:29:02 +0200
Subject: [Freeipa-users] Automount WebDav share
In-Reply-To:
References:
Message-ID:

Anyone some news on this? I'm kinda stuck with the normal webdav mount howto's I find.

2014-06-10 22:03 GMT+02:00 Matt . :
> OK, it seems that GSSAPI is key here, now I need to find out if I need
> something extra for GSSAPI on the WebDav Server.
>
> 2014-06-10 11:10 GMT+02:00 Matt .
: >> Hi, >> >> Yes this is happening, or should with: >> >> share -fstype=davfs,user,rw,dir_mode=0777,file_mode=0666 >> http://webdavserver//webdav >> >> But it doesn't connect, or I don't see any logs about it. >> >> Ab on IRC tested this and it should work, but I'm missing something I think. >> >> Cheers, >> >> Matt >> >> 2014-06-09 13:16 GMT+02:00 Natxo Asenjo : >>> >>> >>> On Mon, Jun 9, 2014 at 12:41 PM, Matt . wrote: >>>> >>>> Hi, >>>> >>>> I'm only concerned about how to pass the password in this one... it >>>> seesm to be hardcoded and I would like to have it used by >>>> ldap/freeipa. >>>> >>> >>> ideally the webdav server would accept gssapi/kerberos, then you would not >>> need any passwords. >>> >>> Sorry, I have no webdav server to play with handy and my home lab is pretty >>> reduced nowadays. >>> >>> -- >>> regards, >>> natxo >>> >>> _______________________________________________ >>> Freeipa-users mailing list >>> Freeipa-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/freeipa-users From simo at redhat.com Tue Jun 24 11:20:07 2014 From: simo at redhat.com (Simo Sorce) Date: Tue, 24 Jun 2014 07:20:07 -0400 Subject: [Freeipa-users] IPA client default authentication domain/realm different than member domain/realm. In-Reply-To: References: Message-ID: <1403608807.19579.20.camel@willson.usersys.redhat.com> On Mon, 2014-06-23 at 10:18 -0500, McNiel, Craig wrote: > I am trying to integrate an IPA domain with a windows domain and I would > like to be able to have the users authenticated to the windows domain as a > default without having to append the realm to the login credentials as we > will not be using user authentication from the IPA domain. 
>
>
> The main reason for this is the Windows domain is a corporate run domain
> that has an integrated joiners and leavers process for users and groups and
> we don't want to have to duplicate that effort locally however I also don't
> want my users to have to type
>
> logon: username at WIN.DOMAIN.COM
>
> I would instead like for them to just input the username and have the
> REALM/Domain assumed to be WIN.DOMAIN.COM instead of IPA.DOMAIN.COM
>
> I'm not certain how to configure the client for this configuration.

Look at the default_domain_suffix config option in sssd.conf

Simo.

> Example.
>
> ****************************************
> * Win Domain (Users and Groups)        *
> ****************************************
>                   |
>                   |
> ******************         ***********
> * IPA Domain     * <-----> * Clients *
> ******************         ***********
>
> Thanks !
>
> - Craig

-- 
Simo Sorce * Red Hat, Inc * New York

From ckhoury at vt.edu Tue Jun 24 15:46:18 2014
From: ckhoury at vt.edu (Chase Khoury)
Date: Tue, 24 Jun 2014 11:46:18 -0400
Subject: [Freeipa-users] ipa user-del not deleting the ldap entry
Message-ID:

Hello,

I am having issues with deleting an ipa user. When I do an 'ipa user-del foo' there still remain reminisces of the user that are causing issues.

I have a freeIPA server setup with 3 replica servers set up.

When I did an ipa user-del foo it did not fully delete the user.

If I do an ipa user-add foo after the delete I get an "ipa ERROR: user with the name "foo" already exists"

If I do an ipa user-show foo I get "ipa ERROR: foo: user not found"

If I do an ipa user-find foo it returns an entry.
--------------
1 user matched
--------------
  User login: foo
  First name: foo
  Last name: bar
  Home directory: /home/foo
  login shell: /bin/bash
  Email address: foo at bar.com
  UID: 5021
  GID: 5021
  Account disabled: False
  Password: True
  Kerberos keys available: True
----------------------------
Number of entries returned 1
----------------------------

If I do an ldapsearch for the user it still has a user entry.

When trying to do an ldapdelete I get the error "Server is unwilling to perform (53)"

Does anyone know why this happened or how to clean up the server so I can get it into a state where I can successfully do an ipa user-add foo?

From rmeggins at redhat.com Tue Jun 24 16:30:22 2014
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 24 Jun 2014 10:30:22 -0600
Subject: [Freeipa-users] ipa user-del not deleting the ldap entry
In-Reply-To:
References:
Message-ID: <53A9A79E.9070106@redhat.com>

On 06/24/2014 09:46 AM, Chase Khoury wrote:
> Hello,
> I am having issues with deleting an ipa user. When I do an 'ipa
> user-del foo' there still remains reminisces of the user that are
> causing issues.
> I have a freeIPA server setup with 3 replica servers set up.
> When I did an ipa user-del foo it did not fully delete the user.
> if I do an ipa user-add foo after the delete I get an "ipa ERROR: user
> with the name "foo" already exists"
> If I do a ipa user-show foo I get "ipa ERROR: foo: user not found"
> if I do an ipa user-find foo it returns an entry.
> --------------
> 1 user matched
> --------------
> User login: foo
> First name: foo
> Last name: bar
> Home directory: /home/foo
> login shell: /bin/bash
> Email address: foo at bar.com
> UID: 5021
> GID: 5021
> Account disabled: False
> Password: True
> Kerberos keys available: True
> ----------------------------
> Number of entries returned 1
> ----------------------------
>
> If I do an ldapsearch for the user it still has a user entry.
> When trying to do an ldapdelete I get the error "Server is unwilling
> to perform (53)"
>
> Does anyone know why this happened or how to clean up the server so I
> can get it into a state when I can successful do an ipa-user-add foo?

What version of ipa are you using? What version of 389?

rpm -qa|grep ipa
rpm -qa|grep 389

Can you provide excerpts from your 389 errors log /var/log/dirsrv/slapd-DOMAIN/errors from around the time of the problems mentioned above?

From caperry at spherecube.io Tue Jun 24 16:41:13 2014
From: caperry at spherecube.io (Carl Perry)
Date: Tue, 24 Jun 2014 11:41:13 -0500
Subject: [Freeipa-users] Having difficulty installing on Fedora 20
Message-ID: <53A9AA29.3060804@spherecube.io>

Greetings -

I'm trying to install FreeIPA on a fresh minimal install of Fedora 20. The yum transaction completed, and I added the bind and bind ldap backend packages as well. When I attempt to run the ipa-server-install command, it seems to get most of the way through and then error out when attempting to restart the ipa.service. Below are the results of the command, as well as the systemd journal entries. Does anyone have any suggestions?

-Carl

[root at freeipa ~]# ipa-server-install

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the FreeIPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)

To accept the default shown in brackets, press the Enter key.

WARNING: conflicting time&date synchronization service 'chronyd' will be disabled in favor of ntpd

Do you want to configure integrated DNS (BIND)? [no]: yes
Existing BIND configuration detected, overwrite?
[no]: yes Enter the fully qualified domain name of the computer on which you're setting up server software. Using the form . Example: master.example.com. Server host name [freeipa.v201.aus1.tx.us.spherecu.be]: Warning: skipping DNS resolution of host freeipa.v201.aus1.tx.us.spherecu.be The domain name has been determined based on the host name. Please confirm the domain name [v201.aus1.tx.us.spherecu.be]: spherecu.be The kerberos protocol requires a Realm name to be defined. This is typically the domain name converted to uppercase. Please provide a realm name [SPHERECU.BE]: Certain directory server operations require an administrative user. This user is referred to as the Directory Manager and has full access to the Directory for system management tasks and will be added to the instance of directory server created for IPA. The password must be at least 8 characters long. Directory Manager password: Password (confirm): The IPA server requires an administrative user, named 'admin'. This user is a regular system account used for IPA server administration. IPA admin password: Password (confirm): Do you want to configure DNS forwarders? [yes]: no No DNS forwarders configured Do you want to configure the reverse zone? [yes]: Please specify the reverse zone name [18.16.172.in-addr.arpa.]: Using reverse zone 18.16.172.in-addr.arpa. The IPA Master Server will be configured with: Hostname: freeipa.v201.aus1.tx.us.spherecu.be IP address: 172.16.18.8 Domain name: spherecu.be Realm name: SPHERECU.BE BIND DNS server will be configured to serve IPA domain with: Forwarders: No forwarders Reverse zone: 18.16.172.in-addr.arpa. Continue to configure the system with these values? [no]: yes The following operations may take some minutes to complete. Please wait until the prompt is returned. Configuring NTP daemon (ntpd) [1/4]: stopping ntpd [2/4]: writing configuration [3/4]: configuring ntpd to start on boot [4/4]: starting ntpd Done configuring NTP daemon (ntpd). 
Configuring directory server (dirsrv): Estimated time 1 minute [1/38]: creating directory server user [2/38]: creating directory server instance [3/38]: adding default schema [4/38]: enabling memberof plugin [5/38]: enabling winsync plugin [6/38]: configuring replication version plugin [7/38]: enabling IPA enrollment plugin [8/38]: enabling ldapi [9/38]: configuring uniqueness plugin [10/38]: configuring uuid plugin [11/38]: configuring modrdn plugin [12/38]: configuring DNS plugin [13/38]: enabling entryUSN plugin [14/38]: configuring lockout plugin [15/38]: creating indices [16/38]: enabling referential integrity plugin [17/38]: configuring certmap.conf [18/38]: configure autobind for root [19/38]: configure new location for managed entries [20/38]: configure dirsrv ccache [21/38]: enable SASL mapping fallback [22/38]: restarting directory server [23/38]: adding default layout [24/38]: adding delegation layout [25/38]: creating container for managed entries [26/38]: configuring user private groups [27/38]: configuring netgroups from hostgroups [28/38]: creating default Sudo bind user [29/38]: creating default Auto Member layout [30/38]: adding range check plugin [31/38]: creating default HBAC rule allow_all [32/38]: initializing group membership [33/38]: adding master entry [34/38]: configuring Posix uid/gid generation [35/38]: adding replication acis [36/38]: enabling compatibility plugin [37/38]: tuning directory server [38/38]: configuring directory to start on boot Done configuring directory server (dirsrv). 
Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds [1/22]: creating certificate server user [2/22]: configuring certificate server instance [3/22]: stopping certificate server instance to update CS.cfg [4/22]: disabling nonces [5/22]: set up CRL publishing [6/22]: starting certificate server instance [7/22]: creating RA agent certificate database [8/22]: importing CA chain to RA certificate database [9/22]: fixing RA database permissions [10/22]: setting up signing cert profile [11/22]: set certificate subject base [12/22]: enabling Subject Key Identifier [13/22]: enabling CRL and OCSP extensions for certificates [14/22]: setting audit signing renewal to 2 years [15/22]: configuring certificate server to start on boot [16/22]: restarting certificate server [17/22]: requesting RA certificate from CA [18/22]: issuing RA agent certificate [19/22]: adding RA agent as a trusted user [20/22]: configure certificate renewals [21/22]: configure Server-Cert certificate renewal [22/22]: Configure HTTP to proxy connections Done configuring certificate server (pki-tomcatd). Configuring Kerberos KDC (krb5kdc): Estimated time 30 seconds [1/10]: adding sasl mappings to the directory [2/10]: adding kerberos container to the directory [3/10]: configuring KDC [4/10]: initialize kerberos container [5/10]: adding default ACIs [6/10]: creating a keytab for the directory [7/10]: creating a keytab for the machine [8/10]: adding the password extension to the directory [9/10]: starting the KDC [10/10]: configuring KDC to start on boot Done configuring Kerberos KDC (krb5kdc). Configuring kadmin [1/2]: starting kadmin [2/2]: configuring kadmin to start on boot Done configuring kadmin. Configuring ipa_memcached [1/2]: starting ipa_memcached [2/2]: configuring ipa_memcached to start on boot Done configuring ipa_memcached. Configuring ipa-otpd [1/2]: starting ipa-otpd [2/2]: configuring ipa-otpd to start on boot Done configuring ipa-otpd. 
Configuring the web interface (httpd): Estimated time 1 minute [1/13]: setting mod_nss port to 443 [2/13]: setting mod_nss password file [3/13]: enabling mod_nss renegotiate [4/13]: adding URL rewriting rules [5/13]: configuring httpd [6/13]: setting up ssl [7/13]: setting up browser autoconfig [8/13]: publish CA cert [9/13]: creating a keytab for httpd [10/13]: clean up any existing httpd ccache [11/13]: configuring SELinux for httpd [12/13]: restarting httpd [13/13]: configuring httpd to start on boot Done configuring the web interface (httpd). Applying LDAP updates Restarting the directory server Restarting the KDC Restarting the certificate server Configuring DNS (named) [1/11]: adding DNS container [2/11]: setting up our zone [3/11]: setting up reverse zone [4/11]: setting up our own record [5/11]: setting up records for other masters [6/11]: setting up CA record [7/11]: setting up kerberos principal [8/11]: setting up named.conf [9/11]: restarting named named service failed to start [10/11]: configuring named to start on boot [11/11]: changing resolv.conf to point to ourselves Done configuring DNS (named). Global DNS configuration in LDAP server is empty You can use 'dnsconfig-mod' command to set global DNS options that would override settings in local named.conf files Restarting the web server Unexpected error - see /var/log/ipaserver-install.log for details: CalledProcessError: Command '/bin/systemctl restart ipa.service' returned non-zero exit status 1 [root at freeipa ~]# journalctl -xn -- Logs begin at Tue 2014-06-24 02:24:37 UTC, end at Tue 2014-06-24 16:30:00 UTC. -- Jun 24 16:30:00 freeipa.v201.aus1.tx.us.spherecu.be systemd[1]: Stopping 389 Directory Server. -- Subject: Unit dirsrv.target has begun shutting down -- Defined-By: systemd -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel -- -- Unit dirsrv.target has begun shutting down. 
Jun 24 16:30:00 freeipa.v201.aus1.tx.us.spherecu.be systemd[1]: Stopped target 389 Directory Server. -- Subject: Unit dirsrv.target has finished shutting down -- Defined-By: systemd -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel -- -- Unit dirsrv.target has finished shutting down. Jun 24 16:30:00 freeipa.v201.aus1.tx.us.spherecu.be ipactl[18515]: Aborting ipactl Jun 24 16:30:00 freeipa.v201.aus1.tx.us.spherecu.be ipactl[18515]: Starting Directory Service Jun 24 16:30:00 freeipa.v201.aus1.tx.us.spherecu.be ipactl[18515]: Starting krb5kdc Service Jun 24 16:30:00 freeipa.v201.aus1.tx.us.spherecu.be ipactl[18515]: Starting kadmin Service Jun 24 16:30:00 freeipa.v201.aus1.tx.us.spherecu.be ipactl[18515]: Starting named Service Jun 24 16:30:00 freeipa.v201.aus1.tx.us.spherecu.be systemd[1]: ipa.service: main process exited, code=exited, status=1/F Jun 24 16:30:00 freeipa.v201.aus1.tx.us.spherecu.be systemd[1]: Failed to start Identity, Policy, Audit. -- Subject: Unit ipa.service has failed -- Defined-By: systemd -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel -- -- Unit ipa.service has failed. -- -- The result is failed. Jun 24 16:30:00 freeipa.v201.aus1.tx.us.spherecu.be systemd[1]: Unit ipa.service entered failed state. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 901 bytes Desc: OpenPGP digital signature URL: From pspacek at redhat.com Tue Jun 24 17:11:44 2014 From: pspacek at redhat.com (Petr Spacek) Date: Tue, 24 Jun 2014 19:11:44 +0200 Subject: [Freeipa-users] Having difficulty installing on Fedora 20 In-Reply-To: <53A9AA29.3060804@spherecube.io> References: <53A9AA29.3060804@spherecube.io> Message-ID: <53A9B150.3010206@redhat.com> Hello! That is interesting. Do you have latest updates? 
Please see http://www.freeipa.org/page/Troubleshooting On 24.6.2014 18:41, Carl Perry wrote: > Unexpected error - see /var/log/ipaserver-install.log for details: If the web page doesn't cover your case please send us the log file mentioned in the the error message. Have a nice day! -- Petr^2 Spacek From rob.verduijn at gmail.com Tue Jun 24 19:12:34 2014 From: rob.verduijn at gmail.com (Rob Verduijn) Date: Tue, 24 Jun 2014 21:12:34 +0200 Subject: [Freeipa-users] Having difficulty installing on Fedora 20 In-Reply-To: <53A9B150.3010206@redhat.com> References: <53A9AA29.3060804@spherecube.io> <53A9B150.3010206@redhat.com> Message-ID: I saw this in your log : Global DNS configuration in LDAP server is empty You can use 'dnsconfig-mod' command to set global DNS options that would override settings in local named.conf files Did you install bind and bind-dyndb-ldap ? http://www.freeipa.org/docs/master/html-desktop/index.html#installing-replica Just meddling around with ipa myself Rob 2014-06-24 19:11 GMT+02:00 Petr Spacek : > Hello! > > That is interesting. Do you have latest updates? > > Please see > http://www.freeipa.org/page/Troubleshooting > > > > On 24.6.2014 18:41, Carl Perry wrote: >> Unexpected error - see /var/log/ipaserver-install.log for details: > > If the web page doesn't cover your case please send us the log file > mentioned in the the error message. > > Have a nice day! 
> > -- > Petr^2 Spacek > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go To http://freeipa.org for more info on the project From rob.verduijn at gmail.com Tue Jun 24 19:13:53 2014 From: rob.verduijn at gmail.com (Rob Verduijn) Date: Tue, 24 Jun 2014 21:13:53 +0200 Subject: [Freeipa-users] Having difficulty installing on Fedora 20 In-Reply-To: References: <53A9AA29.3060804@spherecube.io> <53A9B150.3010206@redhat.com> Message-ID: err http://www.freeipa.org/docs/master/html-desktop/index.html#Preparing_for_an_IPA_Installation ofcourse Rob 2014-06-24 21:12 GMT+02:00 Rob Verduijn : > I saw this in your log : > > > Global DNS configuration in LDAP server is empty > You can use 'dnsconfig-mod' command to set global DNS options that > would override settings in local named.conf files > > > Did you install bind and bind-dyndb-ldap ? > http://www.freeipa.org/docs/master/html-desktop/index.html#installing-replica > > Just meddling around with ipa myself > Rob > > 2014-06-24 19:11 GMT+02:00 Petr Spacek : >> Hello! >> >> That is interesting. Do you have latest updates? >> >> Please see >> http://www.freeipa.org/page/Troubleshooting >> >> >> >> On 24.6.2014 18:41, Carl Perry wrote: >>> Unexpected error - see /var/log/ipaserver-install.log for details: >> >> If the web page doesn't cover your case please send us the log file >> mentioned in the the error message. >> >> Have a nice day! 
>>
>> --
>> Petr^2 Spacek
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go To http://freeipa.org for more info on the project

From caperry at spherecube.io Tue Jun 24 19:40:41 2014
From: caperry at spherecube.io (Carl Perry)
Date: Tue, 24 Jun 2014 14:40:41 -0500
Subject: [Freeipa-users] Having difficulty installing on Fedora 20
In-Reply-To:
References: <53A9AA29.3060804@spherecube.io> <53A9B150.3010206@redhat.com>
Message-ID: <53A9D439.5050302@spherecube.io>

Whoops, let me send replies to the list. Sorry about that!

It appears the problem is with named not starting. I did install the required packages, but it looks like SELinux is getting in the way:

[root at freeipa named]# named -f -d 255
isc_file_isplainfile 'data/named.run' failed: permission denied
[root at freeipa named]#

It took some time digging through logs and startup scripts to find the exact issue.

-Carl

On 06/24/2014 02:13 PM, Rob Verduijn wrote:
> err
> http://www.freeipa.org/docs/master/html-desktop/index.html#Preparing_for_an_IPA_Installation
> of course
>
> Rob
>
> 2014-06-24 21:12 GMT+02:00 Rob Verduijn :
>> I saw this in your log :
>>
>> Global DNS configuration in LDAP server is empty
>> You can use 'dnsconfig-mod' command to set global DNS options that
>> would override settings in local named.conf files
>>
>> Did you install bind and bind-dyndb-ldap ?
>> http://www.freeipa.org/docs/master/html-desktop/index.html#installing-replica
>>
>> Just meddling around with ipa myself
>> Rob
>>
>> 2014-06-24 19:11 GMT+02:00 Petr Spacek :
>>> Hello!
>>>
>>> That is interesting. Do you have latest updates?
>>>
>>> Please see
>>> http://www.freeipa.org/page/Troubleshooting
>>>
>>> On 24.6.2014 18:41, Carl Perry wrote:
>>>> Unexpected error - see /var/log/ipaserver-install.log for details:
>>> If the web page doesn't cover your case please send us the log file
>>> mentioned in the error message.
>>>
>>> Have a nice day!
>>>
>>> --
>>> Petr^2 Spacek
>>>
>>> --
>>> Manage your subscription for the Freeipa-users mailing list:
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>> Go To http://freeipa.org for more info on the project

From pspacek at redhat.com Wed Jun 25 08:07:26 2014
From: pspacek at redhat.com (Petr Spacek)
Date: Wed, 25 Jun 2014 10:07:26 +0200
Subject: [Freeipa-users] Having difficulty installing on Fedora 20
In-Reply-To: <53A9D439.5050302@spherecube.io>
References: <53A9AA29.3060804@spherecube.io> <53A9B150.3010206@redhat.com> <53A9D439.5050302@spherecube.io>
Message-ID: <53AA833E.6030300@redhat.com>

On 24.6.2014 21:40, Carl Perry wrote:
> Whoops, let me send replies to the list. Sorry about that!
>
> It appears the problem is with named not starting. I did install the
> required packages, but it looks like SELinux is getting in the way:
>
> [root at freeipa named]# named -f -d 255
> isc_file_isplainfile 'data/named.run' failed: permission denied
> [root at freeipa named]#
>
> It took some time digging through logs and startup scripts to find the
> exact issue.

Interesting. First of all, try to start named with "named -g -u named" and look for error messages. IMHO SELinux correctly prevents it from running under the root account as it is undesirable.

Also, it would be valuable to see error messages or AVCs from /var/log/audit/audit.log .

Did you find any error in /var/log/ipaserver-install.log ?
Petr^2 Spacek

> -Carl
>
> On 06/24/2014 02:13 PM, Rob Verduijn wrote:
>> err
>> http://www.freeipa.org/docs/master/html-desktop/index.html#Preparing_for_an_IPA_Installation
>> of course
>>
>> Rob
>>
>> 2014-06-24 21:12 GMT+02:00 Rob Verduijn :
>>> I saw this in your log :
>>>
>>> Global DNS configuration in LDAP server is empty
>>> You can use 'dnsconfig-mod' command to set global DNS options that
>>> would override settings in local named.conf files
>>>
>>> Did you install bind and bind-dyndb-ldap ?
>>> http://www.freeipa.org/docs/master/html-desktop/index.html#installing-replica
>>>
>>> Just meddling around with ipa myself
>>> Rob
>>>
>>> 2014-06-24 19:11 GMT+02:00 Petr Spacek :
>>>> Hello!
>>>>
>>>> That is interesting. Do you have latest updates?
>>>>
>>>> Please see
>>>> http://www.freeipa.org/page/Troubleshooting
>>>>
>>>> On 24.6.2014 18:41, Carl Perry wrote:
>>>>> Unexpected error - see /var/log/ipaserver-install.log for details:
>>>> If the web page doesn't cover your case please send us the log file
>>>> mentioned in the error message.

From maleko42 at gmail.com Wed Jun 25 12:36:49 2014
From: maleko42 at gmail.com (Mark Gardner)
Date: Wed, 25 Jun 2014 08:36:49 -0400
Subject: [Freeipa-users] IPA + AD Integration - Auditor wants verification of integration
Message-ID:

Since this information isn't in the Web Interface, how do I query the ipa ldap server to prove that IPA is talking to our AD server in order to get identity and authorization information?

Yes we know we've established a trust for our linux subdomain. But there's nothing that I can find that says it's our ad server.
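Petr's advice in the Fedora 20 thread above is to look for AVC denials in /var/log/audit/audit.log. The shell snippet below is an added example, not code from the thread or from FreeIPA: it pulls the denials recorded for one process (named in this case) out of an audit log and prints the denied permission, the object class, the file name and the source and target SELinux contexts, which are the fields that decide what the fix is. The audit.log excerpt it runs over is constructed for the example (the contexts and file names in it are placeholders, not a diagnosis of Carl's host); the field layout is the real audit format.

```shell
#!/bin/sh
# Added example (not from the thread): list the SELinux AVC denials recorded
# for one process in an audit.log, as suggested for named above.
# The log excerpt is constructed for this example; the field layout
# (comm=, name=, scontext=, tcontext=, tclass=) is the real audit format.

SAMPLE_AUDIT_LOG='type=SYSCALL msg=audit(1403626200.200:302): arch=c000003e syscall=2 success=no exit=-13 items=0 ppid=1 pid=18620 auid=0 uid=25 gid=25 comm="named" exe="/usr/sbin/named" subj=system_u:system_r:named_t:s0
type=AVC msg=audit(1403626200.200:302): avc:  denied  { write } for  pid=18620 comm="named" name="named.run" dev="dm-0" ino=4711 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1403626200.201:303): avc:  denied  { read } for  pid=18620 comm="named" name="named.run" dev="dm-0" ino=4711 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1403626201.000:304): avc:  denied  { name_connect } for  pid=2210 comm="httpd" dest=8443 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket'

# avc_denials LOGTEXT COMM
# Prints one line per AVC denial recorded for process COMM:
#   "<permission> <tclass> <name> <scontext> <tcontext>"
# ("-" when a field is absent, e.g. no name= on a socket denial).
avc_denials() {
    printf '%s\n' "$1" | awk -v comm="$2" '
        # field(line, key): value of key=... (quoted or bare), "-" if absent.
        # A leading space is required so that "name" does not match "hostname".
        function field(line, key,    s, n) {
            s = " " line; n = length(key)
            if (match(s, " " key "=\"[^\"]*\""))
                return substr(s, RSTART + n + 3, RLENGTH - n - 4)
            if (match(s, " " key "=[^ ]+"))
                return substr(s, RSTART + n + 2, RLENGTH - n - 2)
            return "-"
        }
        /^type=AVC / && field($0, "comm") == comm {
            perm = "-"
            if (match($0, /denied +\{ [^}]* \}/)) {
                perm = substr($0, RSTART, RLENGTH)
                sub(/^denied +\{ /, "", perm); sub(/ \}$/, "", perm)
            }
            print perm, field($0, "tclass"), field($0, "name"),
                  field($0, "scontext"), field($0, "tcontext")
        }'
}

# count_avc_denials LOGTEXT COMM -> number of denials for COMM
count_avc_denials() {
    avc_denials "$1" "$2" | awk 'END { print NR }'
}

# Stand-alone run over the constructed sample: two denials for named.
avc_denials "$SAMPLE_AUDIT_LOG" named
echo "named denials: $(count_avc_denials "$SAMPLE_AUDIT_LOG" named)"
# On a real host: avc_denials "$(cat /var/log/audit/audit.log)" named
```

The source and target contexts are printed on purpose: a target context that does not belong to the daemon's own file types usually means a mislabelled file (fixed with restorecon), while a denial on a correctly labelled object points at a policy boolean or a genuine policy gap, and the two are handled differently.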
From abokovoy at redhat.com Wed Jun 25 12:53:44 2014
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 25 Jun 2014 08:53:44 -0400 (EDT)
Subject: [Freeipa-users] IPA + AD Integration - Auditor wants verification of integration
In-Reply-To:
References:
Message-ID: <2012838403.40652393.1403700824793.JavaMail.zimbra@redhat.com>

It is in the Web interface: switch to the IPA Server tab and look under the Trusts menu item. There you can press on the trust name and will see parameters of it, including the Security Identifier of the root domain of the AD forest.

I'm attaching a screenshot from a RHEL 7-based IPA server.

----- Original Message -----
> Since this information isn't in the Web Interface.
> How do I find query the ipa ldap server to proof that IPA is talking to our
> AD server in order to get identity and authorization information.
> Yes we know we've established a trust for our linux subdomain. But theres
> nothing that I can find that says it's our ad server.
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go To http://freeipa.org for more info on the project

-- 
/ Alexander Bokovoy

-------------- next part --------------
A non-text attachment was scrubbed...
Name: undefined
Type: image/png
Size: 109999 bytes
Desc: not available

From sbose at redhat.com Wed Jun 25 13:01:50 2014
From: sbose at redhat.com (Sumit Bose)
Date: Wed, 25 Jun 2014 15:01:50 +0200
Subject: [Freeipa-users] IPA + AD Integration - Auditor wants verification of integration
In-Reply-To:
References:
Message-ID: <20140625130149.GD16782@localhost.localdomain>

On Wed, Jun 25, 2014 at 08:36:49AM -0400, Mark Gardner wrote:
> Since this information isn't in the Web Interface.
> How do I find query the ipa ldap server to proof that IPA is talking to
> our AD server in order to get identity and authorization information.
>
> Yes we know we've established a trust for our linux subdomain. But theres
> nothing that I can find that says it's our ad server.

Trust is not about trusting a server but trusting the whole forest. So we are not connecting to a specific AD server but use DNS SRV records to find all the DCs in your forest/domain and pick one. This is why you only see information about the trusted domain and not about AD servers in the Web UI.

To verify which AD server SSSD is talking to (SSSD is used by recent versions of IPA to get the user and group data from AD) you can e.g. call

    netstat -danpt | grep sssd

As an alternative you can run SSSD with debug_level 7 or higher and look for 'New LDAP connection to' messages in the logs.

HTH

bye,
Sumit

> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go To http://freeipa.org for more info on the project

From dgonzalezh at gmail.com Wed Jun 25 13:03:40 2014
From: dgonzalezh at gmail.com (Dave Gonzalez)
Date: Wed, 25 Jun 2014 08:03:40 -0500
Subject: [Freeipa-users] FreeIPA Postfix+Dovecot
Message-ID: <53AAC8AC.1000501@gmail.com>

Hey again guys,

I know and understand there are topics that draw more interest and attention than others, but I'd really need to insist on a *working* FreeIPA+Postfix+Dovecot tutorial tested by any members of the community. I'd like to deploy this setup for my company so that some 20+ users can authenticate OTP-style or SSO-style to services on my current setup, which include Openfire and Asterisk.

I'd really appreciate a bit more attention to something that many users like me will thank and appreciate.

--Regards DavidG
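Sumit's answer in the auditor thread above names two sources of evidence: the live sockets (netstat) and the 'New LDAP connection to' lines SSSD writes at debug_level 7 or higher. The shell snippet below is an added example, not code from the thread or from SSSD: it extracts every directory server SSSD opened an LDAP connection to from a domain log, deduplicates them, and filters them down to the hosts under the trusted AD domain, which is the list an auditor can check against the AD domain controllers. The log lines are constructed for the example; the domain names (ipa.example.com, win.example.com) and the log file path in the comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): list the LDAP servers SSSD connected to,
# taken from "New LDAP connection to" messages in an SSSD domain log.
# The log lines are constructed for this example; the domain names are assumed.

SAMPLE_SSSD_LOG='(Wed Jun 25 08:36:49 2014) [sssd[be[ipa.example.com]]] [sdap_sys_connect_done] (0x0200): New LDAP connection to [ldap://ipa1.ipa.example.com:389/??base] with fd [19].
(Wed Jun 25 08:36:50 2014) [sssd[be[ipa.example.com]]] [sdap_sys_connect_done] (0x0200): New LDAP connection to [ldap://dc1.win.example.com:389/??base] with fd [21].
(Wed Jun 25 08:36:50 2014) [sssd[be[ipa.example.com]]] [sdap_id_op_connect_done] (0x0400): reusing cached connection
(Wed Jun 25 09:12:03 2014) [sssd[be[ipa.example.com]]] [sdap_sys_connect_done] (0x0200): New LDAP connection to [ldap://dc2.win.example.com:389/??base] with fd [23].
(Wed Jun 25 09:40:11 2014) [sssd[be[ipa.example.com]]] [sdap_sys_connect_done] (0x0200): New LDAP connection to [ldap://dc1.win.example.com:389/??base] with fd [24].'

# sssd_ldap_peers LOGTEXT
# Prints the unique host:port of every LDAP server SSSD connected to,
# accepting both ldap:// and ldaps:// URIs, with or without a trailing path.
sssd_ldap_peers() {
    printf '%s\n' "$1" \
      | sed -n 's|.*New LDAP connection to \[ldaps\{0,1\}://\([^]/]*\).*|\1|p' \
      | LC_ALL=C sort -u
}

# peers_in_domain LOGTEXT DOMAIN
# Keeps only the peers whose hostname lies under DOMAIN (exact suffix match on
# the dotted name, so "win.example.com" does not match "twin.example.com").
peers_in_domain() {
    sssd_ldap_peers "$1" | awk -v d=".$2" '
        { h = $0; sub(/:[0-9]+$/, "", h)
          if (substr(h, length(h) - length(d) + 1) == d) print }'
}

# Stand-alone run over the constructed sample.
echo "all LDAP peers:"
sssd_ldap_peers "$SAMPLE_SSSD_LOG"
echo "peers in the trusted AD domain:"
peers_in_domain "$SAMPLE_SSSD_LOG" win.example.com
# On a real server (path assumed, adjust to your domain):
#   peers_in_domain "$(cat /var/log/sssd/sssd_ipa.example.com.log)" win.example.com
```

Because SSSD picks a DC from the SRV records rather than a fixed server, as Sumit explains, the list will change over time; collecting it over a period, alongside the netstat output, is what supports the statement "these are the AD domain controllers we authenticate against" rather than a single snapshot.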
From simo at redhat.com Wed Jun 25 13:17:58 2014 From: simo at redhat.com (Simo Sorce) Date: Wed, 25 Jun 2014 09:17:58 -0400 Subject: [Freeipa-users] Introduction and question regarding SMTP/IMAP In-Reply-To: <53A70740.7080409@gmail.com> References: <53A70740.7080409@gmail.com> Message-ID: <1403702278.19579.38.camel@willson.usersys.redhat.com> On Sun, 2014-06-22 at 11:41 -0500, Dave Gonzalez wrote: > Hello there everyone David here, > > I'm a big time Red Hat fan, I work for a company where we have a small 20+ > people directory, I'm currently using Samba4 to offer authentication to > Openfire, Postfix, Dovecot (using GroupOffice); but I want to switch > because samba is a hassle to setup and whenever replication breaks it's > nearly impossible to rebuild, anyways, My current environment is Proxmox > VE 3 as virtualization platform and many CentOS/RedHat Servers holding > my services. > > Please excuse me if this was already answered but after I went through > the archives I couldn't find anyone facing the same issue, please bear > with me as I'm a newbie to FreeIPA and LDAP. I know I'm missing > something or doing it wrong but after a week struggling with this setup > I decided to call for the help of the experts.
> > My environment: > FreeIPA Server > CentOS 6.5 x86_64 > > Mail Server > CentOS 6.5 > postfix-2.6.6-6.el6_5.x86_64 > dovecot-2.0.9-7.el6.x86_64 > ipa-python-3.0.0-37.el6.x86_64 > ipa-client-3.0.0-37.el6.x86_64 > python-iniparse-0.3.1-2.1.el6.noarch > libipa_hbac-1.9.2-129.el6_5.4.x86_64 > libipa_hbac-python-1.9.2-129.el6_5.4.x86_64 > > I've followed these posts from Dale Macartney, whom I've also read his > posts around here > > https://www.dalemacartney.com/2013/03/14/deploying-postfix-with-ldap-freeipa-virtual-aliases-and-kerberos-authentication/ > > http://www.freeipa.org/page/Dovecot_Integration > > None of them seem to work at the moment when using Thunderbird with the > server set up as STARTTLS Kerberos/GSSAPI -- Thunderbird also reports that > > > "The kerberos/GSSAPI ticket was not accepted by the IMAP server > david at domain.com. Please check that you're logged in to the > Kerberos/GSSAPI realm" > Need more details here. What is the imap server name ? Check the KDC logs: do you see the client asking for a ticket ? Is it successful ? Without any data I am using my crystal ball and thinking the most probable cause is that you are using a different name in the client than what you configured your IMAP server's keytab with. > with Dovecot I'm getting this > > > Jun 22 11:01:25 imap-login: Info: Disconnected: Inactivity (no auth > attempts): rip=1.1.1.1, lip=217.1.2.3 > This is because I guess the client couldn't get a ticket so it didn't even attempt authentication. > I tried manual telnet and use a authenticate gssapi which returns "+" > which means module is indeed loading and the server is gssapi ready for > the challenge. > > If anyone of you could point me into the right direction I'd really > value that. HTH, Simo.
-- Simo Sorce * Red Hat, Inc * New York From andrew.tranquada at rackspace.com Wed Jun 25 13:30:05 2014 From: andrew.tranquada at rackspace.com (Andrew Tranquada) Date: Wed, 25 Jun 2014 13:30:05 +0000 Subject: [Freeipa-users] named's LDAP connection hangs In-Reply-To: References: <539ECCDA.6040908@redhat.com>, Message-ID: If there is a resolution to this, we would love to know. We have been experiencing the same issues. ________________________________ From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Thomas Raehalme [thomas.raehalme at codecenter.fi] Sent: Sunday, June 22, 2014 8:29 AM To: freeipa-users at redhat.com Subject: Re: [Freeipa-users] named's LDAP connection hangs Hi! Today it finally happened again - named is not resolving names under the IPA domain, pvnet.cc. Killing the named process and restarting it solves the problem (until it happens again). Petr, I'll send you the logs directly so I don't have to leave anything out. I hope that's okay. Thank you for the help! Best regards, Thomas On Mon, Jun 16, 2014 at 1:54 PM, Petr Spacek > wrote: On 16.6.2014 09:41, Thomas Raehalme wrote: Hi, We have a problem with IPA going out of service every now and then. There seems to be two kinds of situations: 1) The connection between named and dirsrv fails. Named can resolve external names but the domain managed by IPA does not resolve any names. named cannot be stopped. After killing the process and restarting the issue is resolved. 2) Sometimes the situation is more severe and also dirsrv is unresponsive. The solution then seems to be restarting both named and dirsrv (individually or through the 'ipa' service). 
Regarding #1 the file /var/log/messages contains the following: Jun 16 03:22:23 ipa named[7295]: received control channel command 'reload' Jun 16 03:22:23 ipa named[7295]: loading configuration from '/etc/named.conf' Jun 16 03:22:23 ipa named[7295]: using default UDP/IPv4 port range: [1024, 65535] Jun 16 03:22:23 ipa named[7295]: using default UDP/IPv6 port range: [1024, 65535] Jun 16 03:22:23 ipa named[7295]: sizing zone task pool based on 6 zones Jun 16 03:22:23 ipa named[7295]: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired) Jun 16 03:22:23 ipa named[7295]: bind to LDAP server failed: Local error The reload is triggered by logrotate. For some reason authentication fails, and the IPA domain is no longer resolvable. I haven't discovered a pattern of how often these problems occur. Maybe once a week or two. FreeIPA master running on CentOS 6.5 has been configured with the default settings. In addition a single replica has been added. Any ideas where I should look for the source of the problem? I have heard about this problem but nobody managed to reproduce the problem. Please: - configure KRB5_TRACE variable as described on https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart#a1.Gathersymptoms - restart named - send me logs when it happens again. Thank you! -- Petr^2 Spacek _______________________________________________ Freeipa-users mailing list Freeipa-users at redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users -- Thomas Raehalme CTO (teknologiajohtaja, technology director) Mobile +358 40 545 0605 Codecenter Oy Väinönkatu 26 A, 4th Floor 40100 JYVÄSKYLÄ, Finland Tel. +358 10 322 0040 www.codecenter.fi Codecenter - Tietojärjestelmiä ymmärrettävästi (information systems, made understandable)
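Thomas's /var/log/messages excerpt has a recognisable shape: a logrotate-driven reload, a GSSAPI error whose minor code says 'Ticket expired', then 'bind to LDAP server failed'. Petr's reply says the cause has not been reproduced, so the following added example (not code from the thread, from bind-dyndb-ldap or from FreeIPA) does not explain it; it only detects that pattern in syslog so the outage can be alerted on before users notice the zone has stopped resolving. The log lines are a constructed copy in the same format; the year is assumed (syslog lines carry none) and the 30-second pairing window is an assumption.

```python
import re
from datetime import datetime

# Constructed sample in the shape of Thomas's excerpt: a reload at 03:22 that
# breaks the LDAP bind, and a reload the next night that succeeds.
MESSAGES_SAMPLE = """\
Jun 16 03:22:23 ipa named[7295]: received control channel command 'reload'
Jun 16 03:22:23 ipa named[7295]: loading configuration from '/etc/named.conf'
Jun 16 03:22:23 ipa named[7295]: sizing zone task pool based on 6 zones
Jun 16 03:22:23 ipa named[7295]: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Ticket expired)
Jun 16 03:22:23 ipa named[7295]: bind to LDAP server failed: Local error
Jun 17 03:22:19 ipa named[7295]: received control channel command 'reload'
Jun 17 03:22:19 ipa named[7295]: loading configuration from '/etc/named.conf'
Jun 17 03:22:19 ipa named[7295]: reloading configuration succeeded
"""

SYSLOG = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) named\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
GSS_MINOR = re.compile(r"Minor code may provide more information \((?P<minor>[^)]*)\)")


def _ts(stamp, year):
    # syslog timestamps have no year; the caller supplies one (assumed 2014 below)
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def find_failed_reloads(messages, year=2014, window_seconds=30):
    """One record per named reload that was followed, within window_seconds
    and from the same pid, by a failed LDAP bind.  The GSSAPI minor text
    (e.g. 'Ticket expired') is attached when named logged one in between."""
    incidents = []
    reload_at = {}     # pid -> (timestamp, host) of the last reload
    last_minor = {}    # pid -> most recent GSSAPI minor code text
    for line in messages.splitlines():
        m = SYSLOG.match(line)
        if not m:
            continue
        pid, msg, when = m["pid"], m["msg"], _ts(m["ts"], year)
        if "control channel command 'reload'" in msg:
            reload_at[pid] = (when, m["host"])
            last_minor.pop(pid, None)
        elif "GSSAPI Error" in msg:
            g = GSS_MINOR.search(msg)
            last_minor[pid] = g["minor"] if g else ""
        elif msg.startswith("bind to LDAP server failed"):
            start = reload_at.get(pid)
            if start and (when - start[0]).total_seconds() <= window_seconds:
                incidents.append({
                    "host": start[1],
                    "pid": int(pid),
                    "reload": start[0],
                    "failed_at": when,
                    "gss_minor": last_minor.get(pid, ""),
                    "detail": msg,
                })
    return incidents


if __name__ == "__main__":
    for inc in find_failed_reloads(MESSAGES_SAMPLE):
        print(f"{inc['host']} named[{inc['pid']}] reload at {inc['reload']} "
              f"broke the LDAP bind: {inc['gss_minor'] or inc['detail']}")
```

Feed it the real file (or the journal) from a cron job that runs shortly after logrotate; a hit means the IPA zone is no longer being served even though named is still running.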
From dgonzalezh at gmail.com Wed Jun 25 14:52:16 2014 From: dgonzalezh at gmail.com (Dave Gonzalez) Date: Wed, 25 Jun 2014 09:52:16 -0500 Subject: [Freeipa-users] Introduction and question regarding SMTP/IMAP In-Reply-To: <1403702278.19579.38.camel@willson.usersys.redhat.com> References: <53A70740.7080409@gmail.com> <1403702278.19579.38.camel@willson.usersys.redhat.com> Message-ID: <53AAE220.5070805@gmail.com> inline quote follows On 6/25/2014 8:17 AM, Simo Sorce wrote: > On Sun, 2014-06-22 at 11:41 -0500, Dave Gonzalez wrote: >> Hello there everyone David here, >> >> I'm a big time Red Hat fan, I work for a company where we have a small 20+ >> people directory, I'm currently using Samba4 to offer authentication to >> Openfire, Postfix, Dovecot (using GroupOffice); but I want to switch >> because samba is a hassle to setup and whenever replication breaks it's >> nearly impossible to rebuild, anyways, My current environment is Proxmox >> VE 3 as virtualization platform and many CentOS/RedHat Servers holding >> my services. >> >> Please excuse me if this was already answered but after I went through >> the archives I couldn't find anyone facing the same issue, please bear >> with me as I'm a newbie to FreeIPA and LDAP. I know I'm missing >> something or doing it wrong but after a week struggling with this setup >> I decided to call for the help of the experts.
>> >> My environment: >> FreeIPA Server >> CentOS 6.5 x86_64 >> >> Mail Server >> CentOS 6.5 >> postfix-2.6.6-6.el6_5.x86_64 >> dovecot-2.0.9-7.el6.x86_64 >> ipa-python-3.0.0-37.el6.x86_64 >> ipa-client-3.0.0-37.el6.x86_64 >> python-iniparse-0.3.1-2.1.el6.noarch >> libipa_hbac-1.9.2-129.el6_5.4.x86_64 >> libipa_hbac-python-1.9.2-129.el6_5.4.x86_64 >> >> I've followed these posts from Dale Macartney, whom I've also read his >> posts around here >> >> https://www.dalemacartney.com/2013/03/14/deploying-postfix-with-ldap-freeipa-virtual-aliases-and-kerberos-authentication/ >> >> http://www.freeipa.org/page/Dovecot_Integration >> >> None of them seem to work at the moment when using Thunderbird with the >> server set up as STARTTLS Kerberos/GSSAPI -- Thunderbird also reports that >> >> >> "The kerberos/GSSAPI ticket was not accepted by the IMAP server >> david at domain.com. Please check that you're logged in to the >> Kerberos/GSSAPI realm" >> > > Need more details here. > > What is the imap server name ? Dovecot and Postfix are running on the same server which I already added with ipa service-add mail.domain.net, downloaded the keytabs, set up everything as per the howtos mentioned on my first post > Check the KDC logs: do you see the client asking for a ticket ? Is it > successful ?
Yes -- the ipa server is indeed showing some tickets, here's the /var/log/krb5kdc.log 6 23}) 217.23.15.26: NEEDED_PREAUTH: smtp/mail.domain.net at DOMAIN.NET for krbtgt/DOMAIN.NET at DOMAIN.NET, Additional pre-authentication required Jun 25 08:30:01 ipa.domain.net krb5kdc[25103](info): AS_REQ (4 etypes {18 17 16 23}) 217.23.15.26: NEEDED_PREAUTH: host/mail.domain.net at DOMAIN.NET for krbtgt/DOMAIN.NET at DOMAIN.NET, Additional pre-authentication required Jun 25 08:30:01 ipa.domain.net krb5kdc[25102](info): AS_REQ (4 etypes {18 17 16 23}) 217.23.15.26: ISSUE: authtime 1403703001, etypes {rep=18 tkt=18 ses=18}, host/mail.domain.net at DOMAIN.NET for krbtgt/DOMAIN.NET at DOMAIN.NET Jun 25 08:30:01 ipa.domain.net krb5kdc[25105](info): TGS_REQ (4 etypes {18 17 16 23}) 217.23.15.26: ISSUE: authtime 1403703001, etypes {rep=18 tkt=18 ses=18}, host/mail.domain.net at DOMAIN.NET for ldap/ipa.domain.net at DOMAIN.NET Jun 25 08:30:01 ipa.domain.net krb5kdc[25105](info): AS_REQ (4 etypes {18 17 16 23}) 217.23.15.26: NEEDED_PREAUTH: smtp/mail.domain.net at DOMAIN.NET for krbtgt/DOMAIN.NET at DOMAIN.NET, Additional pre-authentication required Jun 25 08:31:01 ipa.domain.net krb5kdc[25104](info): AS_REQ (4 etypes {18 17 16 23}) 217.23.15.26: NEEDED_PREAUTH: smtp/mail.domain.net at DOMAIN.NET for krbtgt/DOMAIN.NET at DOMAIN.NET, Additional pre-authentication required Jun 25 08:32:01 ipa.domain.net krb5kdc[25104](info): AS_REQ (4 etypes {18 17 16 23}) 217.23.15.26: NEEDED_PREAUTH: smtp/mail.domain.net at DOMAIN.NET for krbtgt/DOMAIN.NET at DOMAIN.NET, Additional pre-authentication required > Without any data I am using my crystal ball and thinking the most > probable cause is that you are using a different name in the client than > what you configured your IMAP server's keytab with.
I did this: ipa-client-install -U -p admin -w mysecretpassword auth_mechanisms = gssapi auth_gssapi_hostname = mail01.example.com auth_krb5_keytab = /etc/dovecot/krb5.keytab auth_realms = example.com auth_default_realm = example.com # kinit admin Password for admin at EXAMPLE.COM: # ipa service-add imap/mail01.example.com # ipa-getkeytab -s ds01.example.com -p imap/mail01.example.com -k /etc/dovecot/krb5.keytab With my own values of course. Now as an update to the progress on my research I installed the MIT Kerberos Windows Client and I'm getting a prompt to enter my david at DOMAIN.NET and password, then after enabling Dovecot's IMAP logs Jun 25 09:39:13 mail dovecot: auth: Debug: Loading modules from directory: /usr/lib64/dovecot/auth Jun 25 09:39:13 mail dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libauthdb_ldap.so Jun 25 09:39:13 mail dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_sqlite.so Jun 25 09:39:13 mail dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libmech_gssapi.so Jun 25 09:39:13 mail dovecot: auth: Debug: auth client connected (pid=4576) Jun 25 09:39:14 mail dovecot: auth: Debug: client in: AUTH#0111#011GSSAPI#011service=imap#011secured#011lip=217.23.15.26#011rip=181.140.146.136#011lport=143#011rport=64275 Jun 25 09:39:14 mail dovecot: auth: Debug: gssapi(?,181.140.146.136): Obtaining credentials for imap at mail.domain.net Jun 25 09:39:14 mail dovecot: auth: Debug: client out: CONT#0111#011 Jun 25 09:39:14 mail dovecot: auth: Debug: client in:
CONT#0111#011YIICbQYJKoZIhvcSAQICAQBuggJcMIICWKADAgEFoQMCAQ6iBwMFACAAAACjggFvYYIBazCCAWegAwIBBaEOGwxQQVlNVU5ETy5ORVSiJDAioAMCAQOhGzAZGwRpbWFwGxFtYWlsLnBheW11bmRvLm5ldKOCASgwggEkoAMCARKhAwIBA6KCARYEggESURD7IYGOw0RjKSrRT.....x1j6YNFQiORWEY5InF1HB7Thgi+DMMyZLSQ/7qMQ7d.....qSH/BQVlm7G2gRvfT4DW2O6Sq0j4+AqZDF+EJhIE9jiZmoBSdkVECKnurcsLNgEEDp+mX..........6X1qV0oXwLmiRw9k50/F4fkO7JC+6f1OutHALQwT72K1b0ZYHhp8vPAihiDX3ZKaPOJOlS7GIf2THufWzqf5lskJihkwcN6LAPOK........hwekM0WmY2rDWm2I8/jBYPlu4Yp4j1+8lE2y10f1iBIxkAgnMyG3ZbIqQUT7lE5qSBzzCBzKADAgESooHEBIHBRg+jmt1e3f7jnTegfWoiaBzIli3s/L1ZstEPq6hiwW4T8kUfZyuf6WTZKq/k0e4jz76lP4nCK5MHwV/OM0a+rBhUGeHU2mN7MQt63eLRlf+XAKT3FlmQArcqWzKCtjsIdTxtJj9dt9EhHUNU+PgjiTNAA9LeFxHNxN8l9xPDawy60j96wAka1QI4g== Jun 25 09:39:14 mail dovecot: auth: Debug: gssapi(david at DOMAIN.NET,181.140.146.136): security context state completed. Jun 25 09:39:14 mail dovecot: auth: Debug: client out: CONT#0111#011YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+ieq1mPuNUjd7eq2zRkDb8B0Im1Z5lPSxRL+Gn9Ljy7VOtJsQYq+EWgDlP+kPGWxVA6DtASk4hO+sD3jZTAd Jun 25 09:39:14 mail dovecot: auth: Debug: client in: CONT#0111#011 Jun 25 09:39:14 mail dovecot: auth: Debug: gssapi(david at DOMAIN.NET,181.140.146.136): Negotiated security layer Jun 25 09:39:14 mail dovecot: auth: Debug: client out: CONT#0111#011QF/wAMAAAQ2yTAH///8hlXwCrWScU= Jun 25 09:39:15 mail dovecot: auth: Debug: client in: CONT#0111#011BQQE/wAMAAAEAAABkYXZpZFin/xrUh3Faw/W0IA== Jun 25 09:39:15 mail dovecot: auth: Debug: client out: OK#0111#011user=david at domain.net Jun 25 09:39:15 mail dovecot: auth: Debug: master in: REQUEST#0113104702465#0114576#0111#011d8d0053151d33c802 Jun 25 09:39:15 mail dovecot: auth: Debug: master out: USER#0113104702465#011david at domain.net#011uid=97#011gid=97#011home=/var/spool/mail/david at domain.net Jun 25 09:39:15 mail dovecot: imap-login: Login: user=, method=GSSAPI, rip=181.140.146.136, lip=217.23.15.26, mpid=4579, TLS Jun 25 09:39:15 mail dovecot: imap(david at domain.net): Error: user david 
at domain.net: Couldn't drop privileges: Mail access for users with UID 97 not permitted (see first_valid_uid in config file). Jun 25 09:39:15 mail dovecot: imap(david at domain.net): Error: Internal error occurred. Refer to server log for more information. Now the latter part regarding the first_valid_uid issue is never mentioned on the online howtos, so there's another new issue, but at least now I see the system and Thunderbird trying to authenticate. HTH, if you need any more info please let me know. Thank you very much for taking the time to reply to my question. > >> with Dovecot I'm getting this >> >> >> Jun 22 11:01:25 imap-login: Info: Disconnected: Inactivity (no auth >> attempts): rip=1.1.1.1, lip=217.1.2.3 >> > This is because I guess the client couldn't get a ticket so it didn't > even attempt authentication. I don't know if the fact that the server is already enrolled as smtp/mail.domain.net makes dovecot not request any ticket as imap/mail.domain.net as I don't see any entries for that system on the KDC log >> I tried manual telnet and use a authenticate gssapi which returns "+" >> which means module is indeed loading and the server is gssapi ready for >> the challenge. >> >> If anyone of you could point me into the right direction I'd really >> value that. > HTH, > Simo.
> From ckhoury at vt.edu Wed Jun 25 15:19:23 2014 From: ckhoury at vt.edu (Chase Khoury) Date: Wed, 25 Jun 2014 11:19:23 -0400 Subject: [Freeipa-users] ipa user-del not deleting the ldap entry In-Reply-To: References: <53A9A79E.9070106@redhat.com> Message-ID: rpm -qa|grep ipa ipa-server-3.0.0-37.el6.x86_64 rpm -qa|grep 389 389-ds-base-1.2.11.15-29.el6.x86_64 389-ds-base-libs-1.2.11.15-29.el6.x86_64 ======================================= /var/log/dirsrv/slapd-DOMAIN/errors ======================================= [23/Jun/2014:11:34:27 -0400] referint-plugin - _update_all_per_mod: entry cn=667a2b330ee4c889c6dadcd66c086dc,ou=tenants,cn=openstack+nsuniqueid=6ff1b881-d48811e3-89c8890f-56b4c812,dc=example,dc=com: deleting "member: uid=foo,cn=users,cn=accounts,dc=example,dc=com" failed (16) [23/Jun/2014:11:34:27 -0400] referint-plugin - _update_all_per_mod: entry cn=enabled_users,cn=openstack+nsuniqueid=6ff1b881-d48811e3-89c8890f-56b4c812,dc=example,dc=com: deleting "member: uid=foo,cn=users,cn=accounts,dc=example,dc=com" failed (16) [23/Jun/2014:11:34:27 -0400] referint-plugin - _update_all_per_mod: entry cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com: deleting "member: uid=foo,cn=users,cn=accounts,dc=example,dc=com" failed (16) [23/Jun/2014:11:34:43 -0400] ipalockout_preop - [file ipa_lockout.c, line 722]: Failed to retrieve entry "uid=rhospadmin,cn=users,cn=accounts,dc=example,dc=com": 32 [23/Jun/2014:11:34:43 -0400] ipalockout_postop - [file ipa_lockout.c, line 473]: Failed to retrieve entry "uid=rhospadmin,cn=users,cn=accounts,dc=example,dc=com": 32 [23/Jun/2014:11:35:39 -0400] referint-plugin - _update_all_per_mod: entry cn=enabled_tenants,cn=openstack+nsuniqueid=6ff1b881-d48811e3-89c8890f-56b4c812,dc=example,dc=com: deleting "member: uid=tenants,cn=users,cn=accounts,dc=example,dc=com" failed (16) [23/Jun/2014:11:35:39 -0400] referint-plugin - _update_all_per_mod: entry cn=enabled_tenants,cn=openstack+nsuniqueid=6ff1b881-d48811e3-89c8890f-56b4c812,dc=example,dc=com:
deleting "member: uid=openstack,cn=users,cn=accounts,dc=example,dc=com" failed (16) [23/Jun/2014:11:35:41 -0400] ldbm_back_modify - Attempt to modify a tombstone entry nsuniqueid=d2138508-faeb11e3-89c8890f-56b4c812,cn=Manage OpenStack,cn=privileges,cn=pbac,dc=example,dc=com ======================================= On 6/24/14, Rich Megginson wrote: > On 06/24/2014 09:46 AM, Chase Khoury wrote: >> Hello, >> I am having issues with deleting an ipa user. When I do an 'ipa >> user-del foo' there still remain remnants of the user that are >> causing issues. >> I have a freeIPA server setup with 3 replica servers set up. >> When I did an ipa user-del foo it did not fully delete the user. >> if I do an ipa user-add foo after the delete I get an "ipa ERROR: user >> with the name "foo" already exists" >> If I do a ipa user-show foo I get "ipa ERROR: foo: user not found" >> if I do an ipa user-find foo it returns an entry. >> -------------- >> 1 user matched >> -------------- >> User login: foo >> First name: foo >> Last name: bar >> Home directory: /home/foo >> login shell: /bin/bash >> Email address: foo at bar.com >> UID: 5021 >> GID: 5021 >> Account disabled: False >> Password: True >> Kerberos keys available: True >> ---------------------------- >> Number of entries returned 1 >> ---------------------------- >> >> If I do an ldapsearch for the user it still has a user entry. >> When trying to do an ldapdelete I get the error "Server is unwilling >> to perform (53)" >> >> Does anyone know why this happened or how to clean up the server so I >> can get it into a state where I can successfully do an ipa user-add foo? > What version of ipa are you using? What version of 389? > rpm -qa|grep ipa > rpm -qa|grep 389 > > Can you provide excerpts from your 389 errors log > /var/log/dirsrv/slapd-DOMAIN/errors from around the time of the problems > mentioned above?
> > From simo at redhat.com Wed Jun 25 15:25:00 2014 From: simo at redhat.com (Simo Sorce) Date: Wed, 25 Jun 2014 11:25:00 -0400 Subject: [Freeipa-users] Introduction and question regarding SMTP/IMAP In-Reply-To: <53AAE220.5070805@gmail.com> References: <53A70740.7080409@gmail.com> <1403702278.19579.38.camel@willson.usersys.redhat.com> <53AAE220.5070805@gmail.com> Message-ID: <1403709900.11352.9.camel@willson.usersys.redhat.com> On Wed, 2014-06-25 at 09:52 -0500, Dave Gonzalez wrote: > I don't know if the fact that the server is already enrolled as > smtp/mail.domain.net makes dovecot not request any ticket as > imap/mail.domain.net as I don't see any entries for that system on > the > KDC log Dovecot does not require any ticket, it's your clients that do, and you showed me no logs of clients. If you are configuring your client to talk to mail.domain.net, then you *must* have keys for imap/mail.domain.net on your IMAP server. Keys for imap/mail01.example.net will be useless as the client won't be looking for that ticket. When a client is configured to talk to mail.domain.net it will ask the KDC for a ticket for the principal named imap/mail.domain.net. The client also may need to be told what KDC to contact for the domain.net domain if it really is a different domain from your main one. You used example.com and domain.net both, so unless it is a bad substitution, it means you may want to check the documentation for setting up a correct domain_realm section in your krb5.conf (note that modern IPA clients that use SSSD do not need manual configuration as long as you configure the domains list in the ipa server). You can, of course, have multiple keys if you advertise your service under multiple names to different clients. Simo.
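Simo's point is mechanical enough to check with code: the client asks the KDC for imap/<the host name it was configured with>@REALM, so exactly that principal has to be in the keytab Dovecot reads. The following is an added example, not code from the thread, from FreeIPA or from MIT Kerberos: a reader for the MIT keytab file format (version 0x0502: a 2-byte magic, then length-prefixed entries holding the principal's realm and components, a name type, a timestamp, an 8-bit kvno, the enctype and key, and optionally a 32-bit kvno; a negative entry length marks a deleted slot) that lists principals without printing key material, plus a check that the principal the client will request is present. The names mail.domain.net and mail01.example.com are the placeholders used in the thread; the key bytes and timestamps are constructed. On a real server, replace the built keytab with open('/etc/dovecot/krb5.keytab', 'rb').read(), or compare the same list against `klist -kt`.

```python
import struct
from dataclasses import dataclass

KEYTAB_MAGIC = b"\x05\x02"   # MIT keytab file format version 2, big-endian fields
NT_PRINCIPAL = 1             # KRB5_NT_PRINCIPAL name type


@dataclass
class KeytabEntry:
    principal: str
    kvno: int
    enctype: int
    timestamp: int


def _counted(data: bytes) -> bytes:
    return struct.pack(">H", len(data)) + data


def _read_counted(data: bytes, pos: int):
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n].decode(), pos + 2 + n


def build_keytab(entries) -> bytes:
    """Serialize a keytab. Each entry is (principal, kvno, enctype, key, timestamp);
    an int instead of a tuple writes a deleted slot of that many bytes, which real
    keytabs contain after entries are removed."""
    out = bytearray(KEYTAB_MAGIC)
    for entry in entries:
        if isinstance(entry, int):
            out += struct.pack(">i", -entry) + b"\x00" * entry
            continue
        principal, kvno, enctype, key, ts = entry
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        body += struct.pack(">IIB", NT_PRINCIPAL, ts, kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)      # 32-bit kvno overrides the 8-bit field
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data: bytes):
    """Parse a version-2 keytab; key bytes are skipped, never returned."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version 0x0502 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:                         # deleted slot: skip its payload
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_counted(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_counted(data, pos)
            comps.append(comp)
        _ntype, ts, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4 + klen
        kvno = vno8
        if end - pos >= 4:                   # optional 32-bit kvno at the end
            (kvno,) = struct.unpack_from(">I", data, pos)
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm, kvno, enctype, ts))
    return entries


def expected_principal(service: str, client_facing_host: str, realm: str) -> str:
    """The principal a client configured for client_facing_host will ask the KDC for."""
    return f"{service}/{client_facing_host.lower()}@{realm.upper()}"


def keytab_has_principal(data: bytes, principal: str) -> bool:
    return any(e.principal == principal for e in parse_keytab(data))


if __name__ == "__main__":
    # Assumed names: Thunderbird is pointed at mail.domain.net, but the keytab was
    # fetched for mail01.example.com as in the copied howto.
    kt = build_keytab([("imap/mail01.example.com@EXAMPLE.COM", 2, 18, b"\x11" * 32, 1403700000)])
    want = expected_principal("imap", "mail.domain.net", "DOMAIN.NET")
    print([e.principal for e in parse_keytab(kt)], "contains", want, "->", keytab_has_principal(kt, want))
```

The same check applies to Postfix later in the thread: smtp/mail.domain.net@DOMAIN.NET has to be in whatever keytab smtpd's SASL GSSAPI mechanism reads, and that file has to be readable by the process doing the authentication.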
-- Simo Sorce * Red Hat, Inc * New York From abokovoy at redhat.com Wed Jun 25 15:54:48 2014 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Wed, 25 Jun 2014 18:54:48 +0300 Subject: [Freeipa-users] Introduction and question regarding SMTP/IMAP In-Reply-To: <53A70740.7080409@gmail.com> References: <53A70740.7080409@gmail.com> Message-ID: <20140625155448.GJ7233@redhat.com> On Sun, 22 Jun 2014, Dave Gonzalez wrote: >Hello there everyone David here, > >I'm a big time Red Hat fan, I work for a company where we have a small >20+ people directory, I'm currently using Samba4 to offer >authentication to Openfire, Postfix, Dovecot (using GroupOffice); but >I want to switch because samba is a hassle to setup and whenever >replication breaks it's nearly impossible to rebuild, anyways, My >current environment is Proxmox VE 3 as virtualization platform and >many CentOS/RedHat Servers holding my services. > >Please excuse me if this was already answered but after I went through >the archives I couldn't find anyone facing the same issue, please bear >with me as I'm a newbie to FreeIPA and LDAP. I know I'm missing >something or doing it wrong but after a week struggling with this >setup I decided to call for the help of the experts.
> >My environment: >FreeIPA Server >CentOS 6.5 x86_64 > >Mail Server >CentOS 6.5 >postfix-2.6.6-6.el6_5.x86_64 >dovecot-2.0.9-7.el6.x86_64 >ipa-python-3.0.0-37.el6.x86_64 >ipa-client-3.0.0-37.el6.x86_64 >python-iniparse-0.3.1-2.1.el6.noarch >libipa_hbac-1.9.2-129.el6_5.4.x86_64 >libipa_hbac-python-1.9.2-129.el6_5.4.x86_64 > >I've followed these posts from Dale Macartney, whom I've also read his >posts around here > >https://www.dalemacartney.com/2013/03/14/deploying-postfix-with-ldap-freeipa-virtual-aliases-and-kerberos-authentication/ > >http://www.freeipa.org/page/Dovecot_Integration > >None of them seem to work at the moment when using Thunderbird with >the server set up as STARTTLS Kerberos/GSSAPI -- Thunderbird also >reports that > > >"The kerberos/GSSAPI ticket was not accepted by the IMAP server >david at domain.com. Please check that you're logged in to the >Kerberos/GSSAPI realm" > > >with Dovecot I'm getting this > > >Jun 22 11:01:25 imap-login: Info: Disconnected: Inactivity (no auth >attempts): rip=1.1.1.1, lip=217.1.2.3 > > >I tried manual telnet and use a authenticate gssapi which returns "+" >which means module is indeed loading and the server is gssapi ready >for the challenge. > >If anyone of you could point me into the right direction I'd really >value that.
The following configuration works for me (generated with 'dovecot -n' from my actual config files): # 2.2.13: /etc/dovecot/dovecot.conf # OS: Linux 3.14.4-200.fc20.x86_64 x86_64 Fedora release 20 (Heisenbug) auth_default_realm = VDA.LI auth_krb5_keytab = /etc/dovecot/dovecot.keytab auth_mechanisms = gssapi auth_realms = VDA.LI base_dir = /var/run/dovecot/ mail_location = maildir:~/Maildir mbox_write_locks = fcntl namespace inbox { inbox = yes location = mailbox Drafts { special_use = \Drafts } mailbox Junk { special_use = \Junk } mailbox Sent { special_use = \Sent } mailbox "Sent Messages" { special_use = \Sent } mailbox Trash { special_use = \Trash } prefix = } passdb { driver = pam } userdb { driver = passwd } ssl = required ssl_cert = ssl_key = The /etc/dovecot/dovecot.keytab contains the keytab, obtained with # kinit admin # ipa-getkeytab -s `hostname` -p imap/`hostname` -k /etc/dovecot/dovecot.keytab # chown dovecot /etc/dovecot/dovecot.keytab -- / Alexander Bokovoy From dgonzalezh at gmail.com (Dave Gonzalez) Subject: Re: [Freeipa-users] Introduction and question regarding SMTP/IMAP In-Reply-To: <1403709900.11352.9.camel@willson.usersys.redhat.com> References: <53A70740.7080409@gmail.com> <1403702278.19579.38.camel@willson.usersys.redhat.com> <53AAE220.5070805@gmail.com> <1403709900.11352.9.camel@willson.usersys.redhat.com> Message-ID: <53AAF6E7.6070508@gmail.com> On 6/25/2014 10:25 AM, Simo Sorce wrote: > On Wed, 2014-06-25 at 09:52 -0500, Dave Gonzalez wrote: >> I don't know if the fact that the server is already enrolled as >> smtp/mail.domain.net makes dovecot not request any ticket as >> imap/mail.domain.net as I don't see any entries for that system on >> the >> KDC log > Dovecot does not require any ticket, it's your clients that do, and you > showed me no logs of clients. Sorry about the client logs, I don't really know where Thunderbird stores those but it's good to understand that, I thought there was some issue with the IMAP server, now it's clear.
I'm getting further and further with the setup as I told you; after I installed the MIT Kerberos Windows 8 client and checked the DNS records I'm getting the Principal/password prompt, now it's apparently some missing files and wrong permissions from Dovecot that I need to figure out too: Jun 25 10:32:35 mail dovecot: imap-login: Login: user=, method=GSSAPI, rip=181.140.146.136, lip=217.23.15.26, mpid=5253, TLS Jun 25 10:32:36 mail dovecot: imap(david at domain.net): Error: open(/var/mail/david at domain.net) failed: Permission denied (euid=97(dovecot) egid=31800003(mailusers) missing +w perm: /var/mail, euid is not dir owner) Jun 25 10:32:36 mail dovecot: imap(david at domain.net): Error: Opening INBOX failed: Mailbox doesn't exist: INBOX Jun 25 10:34:49 mail dovecot: imap(david at domain.net): Error: open(/var/mail/david at domain.net) failed: Permission denied (euid=97(dovecot) egid=31800003(mailusers) missing +w perm: /var/mail, euid is not dir owner) > If you are configuring your client to talk to mail.domain.net, then you > *must* have keys for imap/mail.domain.net on your IMAP server. > Keys for imap/mail01.example.net will be useless as the client won't be > looking for that ticket. Yup -- from the Kerberos client I see david at DOMAIN.NET krbtgt/DOMAIN.NET at DOMAIN.NET imap/mail.domain.net@ imap/mail.domain.net at DOMAIN.NET With their respective remaining times > When a client is configured to talk to mail.domain.net it will ask the > KDC for a ticket for the principal named imap/mail.domain.net. > The client also may need to be told what KDC to contact for the > domain.net domain if it really is a different domain from your main one.
> You used example.com and domain.net both, so unless it is a bad > substitution, it means you may want to check the documentation for > setting up a correct domain_realm section in your krb5.conf (note that > modern IPA clients that use SSSD do not need manual configuration as > long as you configure the domains list in the ipa server). Sorry about that example.com / domain.net typo, I just copied the wording from the howto, but as a substitution for my real domain which I need to substitute for obvious reasons; I do have everything set to my correct domain name. > You can, of course, have multiple keys if you advertise your service > under multiple names to different clients. > > Simo. Thank you very much for such helpful information you've provided Simo. I know I need to do much much more reading to get this all done. Now, after I get the permission stuff sorted out I need to delve into Postfix as I haven't yet found any clear info on setting it up with IPA Server. --Regards David G From dgonzalezh at gmail.com Wed Jun 25 16:41:20 2014 From: dgonzalezh at gmail.com (Dave Gonzalez) Date: Wed, 25 Jun 2014 11:41:20 -0500 Subject: [Freeipa-users] Introduction and question regarding SMTP/IMAP In-Reply-To: <20140625155448.GJ7233@redhat.com> References: <53A70740.7080409@gmail.com> <20140625155448.GJ7233@redhat.com> Message-ID: <53AAFBB0.2010600@gmail.com> Alexander, thank you very much for your config sample, I took some time and compared it to mine and they're pretty much the same. I want to move mailboxes to Maildir style because the system I'm planning to migrate to this IPA deployment does use Maildir style mailboxes. Thanks and cheers.
On 6/25/2014 10:54 AM, Alexander Bokovoy wrote: > On Sun, 22 Jun 2014, Dave Gonzalez wrote: >> Hello there everyone David here, >> >> I'm a big time Red Hat fan, I work for a company where we have a small >> 20+ people directory, I'm currently using Samba4 to offer >> authentication to Openfire, Postfix, Dovecot (using GroupOffice); but >> I want to switch because samba is a hassle to setup and whenever >> replication breaks it's nearly impossible to rebuild, anyways, My >> current environment is Proxmox VE 3 as virtualization platform and >> many CentOS/RedHat Servers holding my services. >> >> Please excuse me if this was already answered but after I went >> through the archives I couldn't find anyone facing the same issue, >> please bear with me as I'm a newbie to FreeIPA and LDAP. I know I'm >> missing something or do it wrong but after a week struggling with >> this setup I decided to call for the help of the experts. >> >> My environment: >> FreeIPA Server >> CentOS 6.5 x86_64 >> >> Mail Server >> CentOS 6.5 >> postfix-2.6.6-6.el6_5.x86_64 >> dovecot-2.0.9-7.el6.x86_64 >> ipa-python-3.0.0-37.el6.x86_64 >> ipa-client-3.0.0-37.el6.x86_64 >> python-iniparse-0.3.1-2.1.el6.noarch >> libipa_hbac-1.9.2-129.el6_5.4.x86_64 >> libipa_hbac-python-1.9.2-129.el6_5.4.x86_64 >> >> I've followed these posts from Dale Macartney, whom I've also read >> his posts around here >> >> https://www.dalemacartney.com/2013/03/14/deploying-postfix-with-ldap-freeipa-virtual-aliases-and-kerberos-authentication/ >> >> >> http://www.freeipa.org/page/Dovecot_Integration >> >> None of them seem to work at the moment when using Thunderbird with >> the server set up as STARTTLS Kerberos/GSSAPI -- Thunderbird also >> reports that >> >> >> "The kerberos/GSSAPI ticket was not accepted by the IMAP server >> david at domain.com.
Please check that you're logged in to the >> Kerberos/GSSAPI realm" >> >> >> with Dovecot I'm getting this >> >> >> Jun 22 11:01:25 imap-login: Info: Disconnected: Inactivity (no auth >> attempts): rip=1.1.1.1, lip=217.1.2.3 >> >> >> I tried manual telnet and use a authenticate gssapi which returns "+" >> which means module is indeed loading and the server is gssapi ready >> for the challenge. >> >> If anyone of you could point me into the right direction I'd really >> value that. > The following configuration works for me (generated with 'dovecot -n' from > my actual config files): > > # 2.2.13: /etc/dovecot/dovecot.conf > # OS: Linux 3.14.4-200.fc20.x86_64 x86_64 Fedora release 20 > (Heisenbug) auth_default_realm = VDA.LI > auth_krb5_keytab = /etc/dovecot/dovecot.keytab > auth_mechanisms = gssapi > auth_realms = VDA.LI > base_dir = /var/run/dovecot/ > mail_location = maildir:~/Maildir > mbox_write_locks = fcntl > namespace inbox { > inbox = yes > location = mailbox Drafts { > special_use = \Drafts > } > mailbox Junk { > special_use = \Junk > } > mailbox Sent { > special_use = \Sent > } > mailbox "Sent Messages" { > special_use = \Sent > } > mailbox Trash { > special_use = \Trash > } > prefix = } > passdb { > driver = pam > } > userdb { > driver = passwd > } > ssl = required > ssl_cert = ssl_key = > > The /etc/dovecot/dovecot.keytab contains the keytab, obtained with > # kinit admin > # ipa-getkeytab -s `hostname` -p imap/`hostname` -k > /etc/dovecot/dovecot.keytab > # chown dovecot /etc/dovecot/dovecot.keytab > >
From abokovoy at redhat.com Wed Jun 25 18:26:04 2014
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 25 Jun 2014 21:26:04 +0300
Subject: [Freeipa-users] Introduction and question regarding SMTP/IMAP
In-Reply-To: <53AAFBB0.2010600@gmail.com>
References: <53A70740.7080409@gmail.com> <20140625155448.GJ7233@redhat.com> <53AAFBB0.2010600@gmail.com>
Message-ID: <20140625182604.GB31602@redhat.com>

On Wed, 25 Jun 2014, Dave Gonzalez wrote:
>Alexander, thank you very much for your config sample, I took some
>time and compared to mine and they're pretty much the same, I want to
>move mailboxes to Maildir style because the system I'm planning to
>migrate to this IPA deployment does use Maildir style mailboxes.
I would still suggest that you check if the plain IPA setup is working,
i.e. if you can successfully use GSSAPI against Dovecot from a Linux
client with Thunderbird or mutt. Once that is working, you can be sure
that your server side is in order and start looking at how to integrate
Windows machines.

Read also http://www.freeipa.org/page/Windows_authentication_against_FreeIPA

--
/ Alexander Bokovoy

From dgonzalezh at gmail.com Wed Jun 25 18:28:31 2014
From: dgonzalezh at gmail.com (Dave Gonzalez)
Date: Wed, 25 Jun 2014 13:28:31 -0500
Subject: [Freeipa-users] Introduction and question regarding SMTP/IMAP
In-Reply-To: <1403709900.11352.9.camel@willson.usersys.redhat.com>
References: <53A70740.7080409@gmail.com> <1403702278.19579.38.camel@willson.usersys.redhat.com> <53AAE220.5070805@gmail.com> <1403709900.11352.9.camel@willson.usersys.redhat.com>
Message-ID: <53AB14CF.3080006@gmail.com>

So with more reading I've gotten even further; things never mentioned
in those howtos:

* You must have some means to authenticate to the Kerberos realm for
  your domain, in my case the MIT Kerberos client for Windows 8.

I've got Dovecot working as expected, authenticating using the GSSAPI
authentication mechanism, which is great.
Postfix is also talking to the SASL auth daemon but I'm getting some
auth errors like this:

Jun 25 13:09:46 mail postfix/smtpd[8616]: warning: SASL authentication failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information ()

While Thunderbird reports this:

Sending of message failed. The Kerberos/GSSAPI ticket was not accepted
by the SMTP server mail.domain.net. Please check that you are logged in
to the Kerberos/GSSAPI realm.

I'm in fact logged in to the realm from what I can see in the MIT
Kerberos client interface. I hope the attachment can be seen by the list.

So, as you can see, both smtp/mail.domain.net and imap/mail.domain.net
are there, so whatever is causing the issue has to do with SASL, but I
haven't been able to find any useful debug commands for it apart from
testsaslauthd, which yells:

[root at mail ~]# testsaslauthd -u david at domain.net -p pass
0: NO "authentication failed"

I don't know if I need the /etc/saslauthd.conf file as described in some
Postfix+LDAP documents. I tested that with no luck; here's a sample of
what I tried.

[root at mail ~]# cat saslauthd.conf
ldap_servers: ldap://ipa.domain.net
ldap_search_base: cn=users,cn=accounts,dc=domain,dc=net
ldap_filter: (|(uid=%u)(mail=%u))
ldap_bind_dn: uid=david,cn=users,cn=accounts,dc=domain,dc=net
ldap_bind_pw: pass

Any advice from you will be greatly appreciated.

Then again, thanks in advance guys.

--Regards DavidG

On 6/25/2014 10:25 AM, Simo Sorce wrote:
> On Wed, 2014-06-25 at 09:52 -0500, Dave Gonzalez wrote:
>> I don't know if the fact that the server is already enrolled as
>> smtp/mail.domain.net makes dovecot not request any ticket as
>> imap/mail.domain.net as I don't see any entries for that system on
>> the KDC log
> Dovecot does not require any ticket, it's your clients that do, and you
> showed me no logs of clients.
>
> If you are configuring your client to talk to mail.domain.net, then you
> *must* have keys for imap/mail.domain.net on your IMAP server.
> Keys for imap/mail01.example.net will be useless as the client won't be
> looking for that ticket.
>
> When a client is configured to talk to mail.domain.net it will ask the
> KDC for a ticket for the principal named imap/mail.domain.net.
> The client also may need to be told what KDC to contact for the
> domain.net domain if it really is a different domain from your main one.
> You used example.com and domain.net both, so unless it is a bad
> substitution, it means you may want to check the documentation for
> setting up a correct domain_realm section in your krb5.conf (note that
> modern IPA clients that use SSSD do not need manual configuration as
> long as you configure the domains list in the ipa server).
>
> You can, of course, have multiple keys if you advertise your service
> under multiple names to different clients.
>
> Simo.
>

From simo at redhat.com Wed Jun 25 18:51:00 2014
From: simo at redhat.com (Simo Sorce)
Date: Wed, 25 Jun 2014 14:51:00 -0400
Subject: [Freeipa-users] Introduction and question regarding SMTP/IMAP
In-Reply-To: <53AB14CF.3080006@gmail.com>
References: <53A70740.7080409@gmail.com> <1403702278.19579.38.camel@willson.usersys.redhat.com> <53AAE220.5070805@gmail.com> <1403709900.11352.9.camel@willson.usersys.redhat.com> <53AB14CF.3080006@gmail.com>
Message-ID: <1403722260.11352.27.camel@willson.usersys.redhat.com>

On Wed, 2014-06-25 at 13:28 -0500, Dave Gonzalez wrote:
> [root at mail ~]# cat saslauthd.conf
> ldap_servers: ldap://ipa.domain.net
> ldap_search_base: cn=users,cn=accounts,dc=domain,dc=net
> ldap_filter: (|(uid=%u)(mail=%u))
> ldap_bind_dn: uid=david,cn=users,cn=accounts,dc=domain,dc=net
> ldap_bind_pw: pass

This configuration is for password based authentication tested against
an LDAP server.
Has really nothing to do with GSSAPI.

This guide should help you configure postfix with GSSAPI authentication:
https://stomp.colorado.edu/blog/blog/2013/07/09/on-freeipa-postfix-and-a-relaying-smtp-client/

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From rmeggins at redhat.com Wed Jun 25 19:25:33 2014
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 25 Jun 2014 13:25:33 -0600
Subject: [Freeipa-users] ipa user-del not deleting the ldap entry
In-Reply-To:
References: <53A9A79E.9070106@redhat.com>
Message-ID: <53AB222D.60307@redhat.com>

On 06/25/2014 09:19 AM, Chase Khoury wrote:
> rpm -qa|grep ipa
> ipa-server-3.0.0-37.el6.x86_64
>
> rpm -qa|grep 389
> 389-ds-base-1.2.11.15-29.el6.x86_64
> 389-ds-base-libs.1.2.11.15-29.el6.x86_64
>
> =======================================
> /var/log/dirsrv/slapd-DOMAIN/errors
> =======================================
> [23/Jun/214:11:34:27-0400] referint-plugin - _update_all_per_mod:
> entry cn=667a2b330ee4c889c6dadcd66c086dc,ou=tenants,cn=openstack+nsuniqueid=6ff1b881-d48811e3-89c8890f-56b4c812,dc=example,dc=com:
> deleting "member: uid=foo,cn=users,cn=accounts,dc=example,dc=com"
> failed (16)
> [23/Jun/2014:11:34:27-0400] referint-plugin - _update_all_per_mod:
> entry cn=enabled_users,cn=openstack+nsuniqueid=6ff1b881-d48811e3-89c8890f-56b4c812,dc=example,dc=com:
> deleting "member: uid=foo,cn=users,cn=accounts,dc=example,dc=com"
> failed (16)
> [23/Jun/2014:11:34:27-0400] referint-plugin - _update_all_per_mod:
> entry cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com: deleting
> "member: uid=foo,cn=users,cn=accounts,dc=example,dc=com" failed (16)
> [23/Jun/2014:11:34:43-0400] ipalockout_preop - [file ipa_lockout.c,
> line 722]: Failed to retrieve entry
> "uid=rhospadmin,cn=users,cn=accounts,dc=example,dc=com": 32
> [23/Jun/2014:11:34:43-0400] ipalockout_postop - [file ipa_lockout.c,
> line 473]: Failed to retrieve entry
> "uid=rhospadmin,cn=users,cn=accounts,dc=example,dc=com": 32
> [23/Jun/2014:11:35:39-0400]
> referint-plugin - _update_all_per_mod:
> entry cn=enabled_tenants,cn=openstack+nsuniqueid=6ff1b881-d48811e3-89c8890f-56b4c812,dc=example,dc=com:
> deleting "member: uid=tenants,cn=users,cn=accounts,dc=example,dc=com"
> failed (16)
> [23/Jun/2014:11:35:39-0400] referint-plugin - _update_all_per_mod:
> entry cn=enabled_tenants,cn=openstack+nsuniqueid=6ff1b881-d48811e3-89c8890f-56b4c812,dc=example,dc=com:
> deleting "member:
> uid=openstack,cn=users,cn=accounts,dc=example,dc=com" failed (16)
> [23/Jun/2014:11:35:41-0400] ldbm_back_modify - Attempt to modify a
> tombstone entry
> nsuiqueid=d2138508-faeb11e3-89c8890f-56b4c812,cn=Manage
> OpenStack,cn=privileges,cn=pbac,dc=example,dc=com
> =======================================

Not sure what the problem is. Please open a ticket.
https://fedorahosted.org/freeipa/newticket

>
> On 6/24/14, Rich Megginson wrote:
>> On 06/24/2014 09:46 AM, Chase Khoury wrote:
>>> Hello,
>>> I am having issues with deleting an ipa user. When I do an 'ipa
>>> user-del foo' there still remain remnants of the user that are
>>> causing issues.
>>> I have a FreeIPA server set up with 3 replica servers.
>>> When I did an ipa user-del foo it did not fully delete the user.
>>> If I do an ipa user-add foo after the delete I get an "ipa ERROR: user
>>> with the name "foo" already exists"
>>> If I do an ipa user-show foo I get "ipa ERROR: foo: user not found"
>>> If I do an ipa user-find foo it returns an entry.
>>> --------------
>>> 1 user matched
>>> --------------
>>> User login: foo
>>> First name: foo
>>> Last name: bar
>>> Home directory: /home/foo
>>> Login shell: /bin/bash
>>> Email address: foo at bar.com
>>> UID: 5021
>>> GID: 5021
>>> Account disabled: False
>>> Password: True
>>> Kerberos keys available: True
>>> ----------------------------
>>> Number of entries returned 1
>>> ----------------------------
>>>
>>> If I do an ldapsearch for the user it still has a user entry.
>>> When trying to do an ldapdelete I get the error "Server is unwilling
>>> to perform (53)"
>>>
>>> Does anyone know why this happened or how to clean up the server so I
>>> can get it into a state where I can successfully do an ipa user-add foo?
>> What version of ipa are you using? What version of 389?
>> rpm -qa|grep ipa
>> rpm -qa|grep 389
>>
>> Can you provide excerpts from your 389 errors log
>> /var/log/dirsrv/slapd-DOMAIN/errors from around the time of the problems
>> mentioned above?
>>

From caperry at spherecube.io Wed Jun 25 20:12:34 2014
From: caperry at spherecube.io (Carl Perry)
Date: Wed, 25 Jun 2014 15:12:34 -0500
Subject: [Freeipa-users] Having difficulty installing on Fedora 20
In-Reply-To: <53AA833E.6030300@redhat.com>
References: <53A9AA29.3060804@spherecube.io> <53A9B150.3010206@redhat.com> <53A9D439.5050302@spherecube.io> <53AA833E.6030300@redhat.com>
Message-ID: <53AB2D32.40206@spherecube.io>

After some more digging, I've discovered that the error message was a
red herring. The SELinux stuff is working fine; the error message seems
to be saying that BIND cannot talk to LDAP. It's been difficult to track
down the exact error because BIND doesn't seem to be logging at all. I
found a link in the troubleshooting guide about debugging named not
starting [ https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart ]
and adding options to enable debugging, but those don't produce any logs
either.

Launching named using the command you gave does cause named to launch,
but it cannot connect to the KDC or LDAP. This isn't surprising since
ipactl turns off all those services if named fails to start. The only
errors I could find in the massive ipa-install.log were that BIND failed
to start at the end of the process. Everything else looked normal.

Since I tried some commands with SELinux in Permissive mode, I wiped and
re-installed the VM from scratch with Fedora 19 and then again with
Fedora 20. Both yield the same results.
I was going to try CentOS 6.5, but the FreeIPA version that shipped with
that was older than I wanted to use. When I did the re-install, I even
reduced the size of the directory admin password and the KDC admin
password from 24chr to 18chr to see if that would make a difference.
I'm kind of at a loss how to debug at this point, since even the debug
logs either don't exist or have no data in them. Any suggestions would
be appreciated. I'm also willing to upload log files someplace if
someone with more experience than I would like to look at them.

-Carl

On 06/25/2014 03:07 AM, Petr Spacek wrote:
> On 24.6.2014 21:40, Carl Perry wrote:
>> Whoops, let me send replies to the list. Sorry about that!
>>
>> It appears the problem is with named not starting. I did install the
>> required packages, but it looks like SELinux is getting in the way:
>>
>> [root at freeipa named]# named -f -d 255
>> isc_file_isplainfile 'data/named.run' failed: permission denied
>> [root at freeipa named]#
>>
>> It took some time digging through logs and startup scripts to find the
>> exact issue.
>
> Interesting.
>
> First of all, try to start named with "named -g -u named" and look for
> error messages. IMHO SELinux correctly prevents it from running under
> root account as it is undesirable.
>
> Also, it would be valuable to see error messages or AVCs from
> /var/log/audit/audit.log .
>
> Did you find any error in /var/log/ipaserver-install.log ?
>
> Petr^2 Spacek
>
>> -Carl
>>
>> On 06/24/2014 02:13 PM, Rob Verduijn wrote:
>>> err
>>> http://www.freeipa.org/docs/master/html-desktop/index.html#Preparing_for_an_IPA_Installation
>>>
>>> of course
>>>
>>> Rob
>>>
>>> 2014-06-24 21:12 GMT+02:00 Rob Verduijn :
>>>> I saw this in your log :
>>>>
>>>> Global DNS configuration in LDAP server is empty
>>>> You can use 'dnsconfig-mod' command to set global DNS options that
>>>> would override settings in local named.conf files
>>>>
>>>> Did you install bind and bind-dyndb-ldap ?
>>>> http://www.freeipa.org/docs/master/html-desktop/index.html#installing-replica
>>>>
>>>> Just meddling around with ipa myself
>>>> Rob
>>>>
>>>> 2014-06-24 19:11 GMT+02:00 Petr Spacek :
>>>>> Hello!
>>>>>
>>>>> That is interesting. Do you have the latest updates?
>>>>>
>>>>> Please see
>>>>> http://www.freeipa.org/page/Troubleshooting
>>>>>
>>>>> On 24.6.2014 18:41, Carl Perry wrote:
>>>>>> Unexpected error - see /var/log/ipaserver-install.log for details:
>>>>> If the web page doesn't cover your case please send us the log file
>>>>> mentioned in the error message.
>

From dgonzalezh at gmail.com Thu Jun 26 00:03:12 2014
From: dgonzalezh at gmail.com (Dave Gonzalez)
Date: Wed, 25 Jun 2014 19:03:12 -0500
Subject: [Freeipa-users] Introduction and question regarding SMTP/IMAP
In-Reply-To: <1403722260.11352.27.camel@willson.usersys.redhat.com>
References: <53A70740.7080409@gmail.com> <1403702278.19579.38.camel@willson.usersys.redhat.com> <53AAE220.5070805@gmail.com> <1403709900.11352.9.camel@willson.usersys.redhat.com> <53AB14CF.3080006@gmail.com> <1403722260.11352.27.camel@willson.usersys.redhat.com>
Message-ID: <53AB6340.5080205@gmail.com>

Thanks Simo, I've already seen that post but I didn't use it because it
involves two servers, a master and a relayhost; do I need that?

Cheers
--DavidG.

On 6/25/2014 1:51 PM, Simo Sorce wrote:
> On Wed, 2014-06-25 at 13:28 -0500, Dave Gonzalez wrote:
>> [root at mail ~]# cat saslauthd.conf
>> ldap_servers: ldap://ipa.domain.net
>> ldap_search_base: cn=users,cn=accounts,dc=domain,dc=net
>> ldap_filter: (|(uid=%u)(mail=%u))
>> ldap_bind_dn: uid=david,cn=users,cn=accounts,dc=domain,dc=net
>> ldap_bind_pw: pass
> This configuration is for password based authentication tested against
> an LDAP server.
> Has really nothing to do with GSSAPI.
>
> This guide should help you configure postfix with GSSAPI authentication:
> https://stomp.colorado.edu/blog/blog/2013/07/09/on-freeipa-postfix-and-a-relaying-smtp-client/
>
> Simo.
>

From pspacek at redhat.com Thu Jun 26 07:17:52 2014
From: pspacek at redhat.com (Petr Spacek)
Date: Thu, 26 Jun 2014 09:17:52 +0200
Subject: [Freeipa-users] FreeIPA Psotfix+Dovecot
In-Reply-To: <53AAC8AC.1000501@gmail.com>
References: <53AAC8AC.1000501@gmail.com>
Message-ID: <53ABC920.3020001@redhat.com>

On 25.6.2014 15:03, Dave Gonzalez wrote:
> Hey again guys,
>
> I know and understand there are topics that draw more interest and attention
> than others, but I'd really need to insist on a *working*
> FreeIPA+Postfix+Dovecot tutorial tested by any members of the community.
>
> I'd like to deploy this setup for my company so that some 20+ users can
> authenticate OTP-style or SSO-style to services on my current setup, which
> include Openfire, Asterisk.
>
> I'd really appreciate a bit more attention to something that many users
> like me will thank and appreciate.

Hello,

Do you have any particular problem with the how-tos in the Mail Services
section?
http://www.freeipa.org/page/HowTos#Mail_Services

The wiki is open to anyone with a Fedora account, so feel free to fix any
bugs you find in the how-tos when you try them.

If you encounter some hard problem then please report which versions you
use, what you did, what doesn't work etc. so we can help you.

Have a nice day!

--
Petr^2 Spacek

From pspacek at redhat.com Thu Jun 26 07:24:50 2014
From: pspacek at redhat.com (Petr Spacek)
Date: Thu, 26 Jun 2014 09:24:50 +0200
Subject: [Freeipa-users] named's LDAP connection hangs
In-Reply-To:
References: <539ECCDA.6040908@redhat.com>,
Message-ID: <53ABCAC2.1030702@redhat.com>

Hello,

we are still debugging it, I can't reproduce the problem locally.
If you are willing to help with it please modify named.conf and the
script which reloads named periodically (logrotate or something like that):

- If you don't have rndc configured, please configure it first:
  $ rndc-confgen -a
  $ chown named: /etc/rndc.key

- named.conf should contain a logging section like this:
  logging {
      channel default_debug {
          file "data/named.run";
          severity dynamic;
          print-time yes;
      };
  };
  // (please note line "print-time")

  After named.conf modification please don't forget to reload it.

- As a last step, please modify logrotate/(your own reload script) to
  call 'rndc trace 4' right before named reload (SIGHUP signal). This
  will force named to log more information about reload to
  /var/named/data/named.run.

Then we need to wait until it happens again. After that, please send me
log lines related to the problem (let's say 10 minutes before and after
named reload). I'm particularly interested in:
/var/named/data/named.run
/var/log/krb5kdc.log

Also, please attach information what timezone is configured on the
server which exhibits the problem and attach output from command
"ipa krbtpolicy-show".

Feel free to send me logs privately.

Have a nice day!

Petr^2 Spacek

On 25.6.2014 15:30, Andrew Tranquada wrote:
> If there is a resolution to this, we would love to know. We have been experiencing the same issues.
>
> ________________________________
> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Thomas Raehalme [thomas.raehalme at codecenter.fi]
> Sent: Sunday, June 22, 2014 8:29 AM
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] named's LDAP connection hangs
>
> Hi!
>
> Today it finally happened again - named is not resolving names under the IPA domain, pvnet.cc. Killing the named process and restarting it solves the problem (until it happens again).
>
> Petr, I'll send you the logs directly so I don't have to leave anything out. I hope that's okay.
>
> Thank you for the help!
>
> Best regards,
> Thomas
>
>
> On Mon, Jun 16, 2014 at 1:54 PM, Petr Spacek wrote:
> On 16.6.2014 09:41, Thomas Raehalme wrote:
> Hi,
>
> We have a problem with IPA going out of service every now and then. There
> seem to be two kinds of situations:
>
> 1) The connection between named and dirsrv fails. Named can resolve
> external names but the domain managed by IPA does not resolve any names.
> named cannot be stopped. After killing the process and restarting, the
> issue is resolved.
>
> 2) Sometimes the situation is more severe and also dirsrv is unresponsive.
> The solution then seems to be restarting both named and dirsrv
> (individually or through the 'ipa' service).
>
> Regarding #1 the file /var/log/messages contains the following:
>
> Jun 16 03:22:23 ipa named[7295]: received control channel command 'reload'
> Jun 16 03:22:23 ipa named[7295]: loading configuration from '/etc/named.conf'
> Jun 16 03:22:23 ipa named[7295]: using default UDP/IPv4 port range: [1024, 65535]
> Jun 16 03:22:23 ipa named[7295]: using default UDP/IPv6 port range: [1024, 65535]
> Jun 16 03:22:23 ipa named[7295]: sizing zone task pool based on 6 zones
> Jun 16 03:22:23 ipa named[7295]: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
> Jun 16 03:22:23 ipa named[7295]: bind to LDAP server failed: Local error
>
> The reload is triggered by logrotate. For some reason authentication fails,
> and the IPA domain is no longer resolvable.
>
> I haven't discovered a pattern how often these problems occur. Maybe once a
> week or two.
>
> FreeIPA master running on CentOS 6.5 has been configured with the default
> settings. In addition a single replica has been added.
>
> Any ideas where I should look for the source of the problem?
>
> I have heard about this problem but nobody managed to reproduce the problem.
>
> Please:
> - configure KRB5_TRACE variable as described on
> https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart#a1.Gathersymptoms
> - restart named
> - send me logs when it happens again.

From pspacek at redhat.com Thu Jun 26 07:36:36 2014
From: pspacek at redhat.com (Petr Spacek)
Date: Thu, 26 Jun 2014 09:36:36 +0200
Subject: [Freeipa-users] Having difficulty installing on Fedora 20
In-Reply-To: <53AB2D32.40206@spherecube.io>
References: <53A9AA29.3060804@spherecube.io> <53A9B150.3010206@redhat.com> <53A9D439.5050302@spherecube.io> <53AA833E.6030300@redhat.com> <53AB2D32.40206@spherecube.io>
Message-ID: <53ABCD84.2000408@redhat.com>

On 25.6.2014 22:12, Carl Perry wrote:
> After some more digging, I've discovered that the error message was a
> red herring. The SELinux stuff is working fine, the error message seems
> to be saying that BIND cannot talk to LDAP. It's been difficult to track
> down the exact error because BIND doesn't seem to be logging at all. I
> found a link in the troubleshooting guide about debugging named not
> starting [
> https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart ]
> and adding options to enable debugging but those don't produce any logs either.
>
> Launching named using the command you gave does cause named to launch,
> but it cannot connect to the KDC or LDAP. This isn't surprising since
> ipactl turns off all those services if named fails to start. The only

I would recommend you to use
$ ipactl -d start
and see what exactly failed.

Then you can manually copy & paste "systemctl" commands issued by ipactl
one by one and start LDAP server, KDC and so on until you reach "named".
Then you can use tricks from
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart
to see where the problem is.

Maybe you have encountered https://fedorahosted.org/freeipa/ticket/4210 ,
in that case it will help to run command
$ /usr/libexec/generate-rndc-key.sh
manually.
This particular problem is fixed in the upcoming 4.0 release.

Feel free to send me logs privately if you need further assistance.
Have a nice day!

Petr^2 Spacek

> errors I could find in the massive ipa-install.log were that BIND failed
> to start at the end of the process. Everything else looked normal.
>
> Since I tried some commands with SELinux in Permissive mode, I wiped and
> re-installed the VM from scratch with Fedora 19 and then again with
> Fedora 20. Both yield the same results. I was going to try Centos 6.5,
> but the FreeIPA version that shipped with that was older than I wanted
> to use. When I did the re-install, I even reduced the size of the
> directory admin password and the kdc admin password from 24chr to 18chr
> to see if that would make a difference. I'm kind of at a loss how to
> debug at this point, since even the debug logs either don't exist or
> have no data in them. Any suggestions would be appreciated. I'm also
> willing to upload log files someplace if someone with more experience
> than I would like to look at them.
>
> -Carl
>
> On 06/25/2014 03:07 AM, Petr Spacek wrote:
>> On 24.6.2014 21:40, Carl Perry wrote:
>>> Whoops, let me send replies to the list. Sorry about that!
>>>
>>> It appears the problem is with named not starting. I did install the
>>> required packages, but it looks like SELinux is getting in the way:
>>>
>>> [root at freeipa named]# named -f -d 255
>>> isc_file_isplainfile 'data/named.run' failed: permission denied
>>> [root at freeipa named]#
>>>
>>> It took some time digging through logs and startup scripts to find the
>>> exact issue.
>>
>> Interesting.
>>
>> First of all, try to start named with "named -g -u named" and look for
>> error messages. IMHO SELinux correctly prevents it from running under
>> root account as it is undesirable.
>>
>> Also, it would be valuable to see error messages or AVCs from
>> /var/log/audit/audit.log .
>>
>> Did you find any error in /var/log/ipaserver-install.log ?
>>
>> Petr^2 Spacek
>>
>>> -Carl
>>>
>>> On 06/24/2014 02:13 PM, Rob Verduijn wrote:
>>>> err
>>>> http://www.freeipa.org/docs/master/html-desktop/index.html#Preparing_for_an_IPA_Installation
>>>>
>>>> ofcourse
>>>>
>>>> Rob
>>>>
>>>> 2014-06-24 21:12 GMT+02:00 Rob Verduijn :
>>>>> I saw this in your log :
>>>>>
>>>>> Global DNS configuration in LDAP server is empty
>>>>> You can use 'dnsconfig-mod' command to set global DNS options that
>>>>> would override settings in local named.conf files
>>>>>
>>>>> Did you install bind and bind-dyndb-ldap ?
>>>>> http://www.freeipa.org/docs/master/html-desktop/index.html#installing-replica
>>>>>
>>>>> Just meddling around with ipa myself
>>>>> Rob
>>>>>
>>>>> 2014-06-24 19:11 GMT+02:00 Petr Spacek :
>>>>>> Hello!
>>>>>>
>>>>>> That is interesting. Do you have latest updates?
>>>>>>
>>>>>> Please see
>>>>>> http://www.freeipa.org/page/Troubleshooting
>>>>>>
>>>>>> On 24.6.2014 18:41, Carl Perry wrote:
>>>>>>> Unexpected error - see /var/log/ipaserver-install.log for details:
>>>>>> If the web page doesn't cover your case please send us the log file
>>>>>> mentioned in the error message.

From pspacek at redhat.com Thu Jun 26 10:02:07 2014
From: pspacek at redhat.com (Petr Spacek)
Date: Thu, 26 Jun 2014 12:02:07 +0200
Subject: [Freeipa-users] [Freeipa-interest] Announcing bind-dyndb-ldap version 5.0
Message-ID: <53ABEF9F.7050303@redhat.com>

The FreeIPA team is proud to announce bind-dyndb-ldap version 5.0.

It can be downloaded from https://fedorahosted.org/released/bind-dyndb-ldap/

The new version has also been built for Fedora 20 and is on its way to
updates-testing:
https://admin.fedoraproject.org/updates/bind-dyndb-ldap-5.0-1.fc20

Release to Fedora 'updates' repo will be coordinated with FreeIPA 4.0
release to prevent breakages.

== Changes in 5.0 ==
[1] Support for DNSSEC in-line signing was added. Now any LDAP zone can be
signed with keys provided by user.
[2] DNSKEY, RRSIG, NSEC and NSEC3 records are automatically managed by
BIND+bind-dyndb-ldap. Respective attributes in LDAP are ignored.
[3] Forwarder semantics were changed to match BIND's semantics:
- idnsZone object always represents master zone
- idnsForwardZone object (new) always represents forward zone
[4] Master root zone can be stored in LDAP.

== Upgrading ==
A server can be upgraded by installing updated RPM. BIND has to be
restarted manually after the RPM installation.

!!! CAUTION !!!
idnsZone object class changed its semantics. Please read
https://git.fedorahosted.org/cgit/bind-dyndb-ldap.git/plain/README
and update idnsForwarders and idnsForwardPolicy attributes in your DNS
zones accordingly.

Transition from idnsZone to idnsForwardZone object class can be made
seamless if you change data in LDAP before you upgrade to version 5.x.
All bind-dyndb-ldap versions >= 3.0 support the idnsForwardZone object
class.

Users of FreeIPA < 4.0 should be careful when upgrading bind-dyndb-ldap
to version >= 5.0 (if they do not upgrade to FreeIPA 4.x at the same
time). Configuration semantics related to conditional (per-zone)
forwarding have changed and FreeIPA < 4.0 doesn't have appropriate user
interface and API. It is safe to upgrade if you use *only* global
forwarders (shown by 'ipa dnsconfig-show') and *do not* use per-zone
forwarders (shown by 'ipa dnszone-show'). Don't hesitate to ask the
freeipa-users mailing list if you need help with the upgrade.
!!! CAUTION !!!

Downgrading back to any 4.x version is supported.
== Feedback ==
Please provide comments, report bugs and send any other feedback via the
freeipa-users mailing list:
http://www.redhat.com/mailman/listinfo/freeipa-users

--
Petr Spacek @ Red Hat

From info at dghvoip.com Thu Jun 26 00:00:13 2014
From: info at dghvoip.com (David Gonzalez Herrera - [DGHVoIP])
Date: Wed, 25 Jun 2014 19:00:13 -0500
Subject: [Freeipa-users] Introduction and question regarding SMTP/IMAP
In-Reply-To: <1403722260.11352.27.camel@willson.usersys.redhat.com>
References: <53A70740.7080409@gmail.com> <1403702278.19579.38.camel@willson.usersys.redhat.com> <53AAE220.5070805@gmail.com> <1403709900.11352.9.camel@willson.usersys.redhat.com> <53AB14CF.3080006@gmail.com> <1403722260.11352.27.camel@willson.usersys.redhat.com>
Message-ID: <53AB628D.1000707@dghvoip.com>

Thanks Simo, I'm testing that but I have no relay host, do I need one?

Cheers.

--Regards DavidG
On 6/25/2014 1:51 PM, Simo Sorce wrote:
> On Wed, 2014-06-25 at 13:28 -0500, Dave Gonzalez wrote:
>> [root at mail ~]# cat saslauthd.conf
>> ldap_servers: ldap://ipa.domain.net
>> ldap_search_base: cn=users,cn=accounts,dc=domain,dc=net
>> ldap_filter: (|(uid=%u)(mail=%u))
>> ldap_bind_dn: uid=david,cn=users,cn=accounts,dc=domain,dc=net
>> ldap_bind_pw: pass
> This configuration is for password based authentication tested against
> an LDAP server. Has really nothing to do with GSSAPI.
>
> This guide should help you configure postfix with GSSAPI authentication:
> https://stomp.colorado.edu/blog/blog/2013/07/09/on-freeipa-postfix-and-a-relaying-smtp-client/
>
> Simo.
>

--
/"The best things in life are never rationed. Friendship, loyalty, love do not require coupons."/

*Atentamente / Kind Regards / Met vriendelijke groet,*
*David Gonzalez*
BLOG: http://www.davidgonzalez.co/
G+: http://google.com/+DavidGonzalezH/
DGHVoIP Expert IT Services.
USA: +1.213.632.8479 x101
MOBILE: +1.646.559.6200
COL: +57.1.382.6718 x101
COL: +57.4.247.0985 x101
URL: www.dghvoip.com
Skype: davidgonzalezh

From simo at redhat.com Thu Jun 26 13:54:48 2014
From: simo at redhat.com (Simo Sorce)
Date: Thu, 26 Jun 2014 09:54:48 -0400
Subject: [Freeipa-users] Introduction and question regarding SMTP/IMAP
In-Reply-To: <53AB628D.1000707@dghvoip.com>
References: <53A70740.7080409@gmail.com> <1403702278.19579.38.camel@willson.usersys.redhat.com> <53AAE220.5070805@gmail.com> <1403709900.11352.9.camel@willson.usersys.redhat.com> <53AB14CF.3080006@gmail.com> <1403722260.11352.27.camel@willson.usersys.redhat.com> <53AB628D.1000707@dghvoip.com>
Message-ID: <1403790888.11352.38.camel@willson.usersys.redhat.com>

On Wed, 2014-06-25 at 19:00 -0500, David Gonzalez Herrera - [DGHVoIP] wrote:
> Thanks Simo, I'm testing that but I have no relay host, do I need one?

A relay host is the mail server your MUA contacts to send email.
So the instructions should apply just as well for your mail server, from
the GSSAPI PoV at least.

Simo.

> Cheers.
>
> --Regards DavidG
> On 6/25/2014 1:51 PM, Simo Sorce wrote:
> > On Wed, 2014-06-25 at 13:28 -0500, Dave Gonzalez wrote:
> >> [root at mail ~]# cat saslauthd.conf
> >> ldap_servers: ldap://ipa.domain.net
> >> ldap_search_base: cn=users,cn=accounts,dc=domain,dc=net
> >> ldap_filter: (|(uid=%u)(mail=%u))
> >> ldap_bind_dn: uid=david,cn=users,cn=accounts,dc=domain,dc=net
> >> ldap_bind_pw: pass
> > This configuration is for password based authentication tested against
> > an LDAP server. Has really nothing to do with GSSAPI.
> >
> > This guide should help you configure postfix with GSSAPI authentication:
> > https://stomp.colorado.edu/blog/blog/2013/07/09/on-freeipa-postfix-and-a-relaying-smtp-client/
> >
> > Simo.
> > > -- Simo Sorce * Red Hat, Inc * New York From caperry at spherecube.io Thu Jun 26 14:14:33 2014 From: caperry at spherecube.io (Carl Perry) Date: Thu, 26 Jun 2014 09:14:33 -0500 Subject: [Freeipa-users] Having difficulty installing on Fedora 20 In-Reply-To: <53ABCD84.2000408@redhat.com> References: <53A9AA29.3060804@spherecube.io> <53A9B150.3010206@redhat.com> <53A9D439.5050302@spherecube.io> <53AA833E.6030300@redhat.com> <53AB2D32.40206@spherecube.io> <53ABCD84.2000408@redhat.com> Message-ID: <53AC2AC9.9050105@spherecube.io> Bug 4210 was the problem, generating the key outside of the systemd script solved the problem. This explains why the logs were empty, it never got to that far :) -Carl On 06/26/2014 02:36 AM, Petr Spacek wrote: > On 25.6.2014 22:12, Carl Perry wrote: >> After some more digging, I've discovered that the error message was a >> red herring. The SELinux stuff is working fine, the error message seems >> to be saying that BIND cannot talk to LDAP. It's been difficult to track >> down the exact error because BIND doesn't seem to be logging at all. I >> found a link in the troubleshooting guide about debugging named not >> starting [ >> https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart ] >> and adding options to enable debugging but those do produce any logs >> either. >> >> Launching named using the command you gave does cause named to launch, >> but it cannot connect to the KDC or LDAP. This isn't surprising since >> ipactl turns off all those services if named fails to start. The only > I would recommend you to use > $ ipactl -d start > and see what exactly failed. > > Then you can manually copy & paste "systemctl" commands issued by > ipactl one by one and start LDAP server, KDC and so on until you reach > "named". Then you can use tricks from > https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart > to see where the problem is. 
> > Maybe you have encountered > https://fedorahosted.org/freeipa/ticket/4210 , in that case it will > help to run command > $ /usr/libexec/generate-rndc-key.sh > manually. > > This particular problem is fixed in upcoming 4.0 release. > > Feel free to send me logs privately if you need further assistance. > Have a nice day! > > Petr^2 Spacek > >> errors I could find in the massive ipa-install.log were that BIND failed >> to start at the end of the process. Everything else looked normal. >> >> Since I tried some commands with SELinux in Permissive mode, I wiped and >> re-installed the VM from scratch with Fedora 19 and then again with >> Fedora 20. Both yield the same results. I was going to try Centos 6.5, >> but the FreeIPA version that shipped with that was older than I wanted >> to use. When I did the re-install, I even reduced the size of the >> directory admin password and the kdc admin password from 24chr to 18chr >> to see if that would make a difference. I'm kind of at a loss how to >> debug at this point, since even the debug logs either don't exist or >> have no data in them. Any suggestions would be appreciated. I'm also >> willing to upload log files someplace if someone with more experience >> than I would like to look at them. >> >> -Carl >> >> On 06/25/2014 03:07 AM, Petr Spacek wrote: >>> On 24.6.2014 21:40, Carl Perry wrote: >>>> Whoops, let me send replies to the list. Sorry about that! >>>> >>>> It appears the problem is with named not starting. I did install the >>>> required packages, but it looks like SELinux is getting in the way: >>>> >>>> [root at freeipa named]# named -f -d 255 >>>> isc_file_isplainfile 'data/named.run' failed: permission denied >>>> [root at freeipa named]# >>>> >>>> It took some time digging through logs and startup scripts to find the >>>> exact issue. >>> >>> Interesting. >>> >>> First of all, try to start named with "named -g -u named" and look for >>> error messages. 
IMHO SELinux correctly prevents it from running under >>> root account as it is undesirable. >>> >>> Also, it would be valuable to see error messages or AVCs from >>> /var/log/audit/audit.log . >>> >>> Did you find any error in /var/log/ipaserver-install.log ? >>> >>> Petr^2 Spacek >>> >>>> -Carl >>>> >>>> On 06/24/2014 02:13 PM, Rob Verduijn wrote: >>>>> err >>>>> http://www.freeipa.org/docs/master/html-desktop/index.html#Preparing_for_an_IPA_Installation >>>>> >>>>> >>>>> ofcourse >>>>> >>>>> Rob >>>>> >>>>> 2014-06-24 21:12 GMT+02:00 Rob Verduijn : >>>>>> I saw this in your log : >>>>>> >>>>>> >>>>>> Global DNS configuration in LDAP server is empty >>>>>> You can use 'dnsconfig-mod' command to set global DNS options that >>>>>> would override settings in local named.conf files >>>>>> >>>>>> >>>>>> Did you install bind and bind-dyndb-ldap ? >>>>>> http://www.freeipa.org/docs/master/html-desktop/index.html#installing-replica >>>>>> >>>>>> >>>>>> >>>>>> Just meddling around with ipa myself >>>>>> Rob >>>>>> >>>>>> 2014-06-24 19:11 GMT+02:00 Petr Spacek : >>>>>>> Hello! >>>>>>> >>>>>>> That is interesting. Do you have latest updates? >>>>>>> >>>>>>> Please see >>>>>>> http://www.freeipa.org/page/Troubleshooting >>>>>>> >>>>>>> >>>>>>> >>>>>>> On 24.6.2014 18:41, Carl Perry wrote: >>>>>>>> Unexpected error - see /var/log/ipaserver-install.log for details: >>>>>>> If the web page doesn't cover your case please send us the log file >>>>>>> mentioned in the the error message. > -------------- next part -------------- A non-text attachment was scrubbed... 
Name: signature.asc Type: application/pgp-signature Size: 901 bytes Desc: OpenPGP digital signature URL: From dgonzalezh at gmail.com Thu Jun 26 15:19:41 2014 From: dgonzalezh at gmail.com (Dave Gonzalez) Date: Thu, 26 Jun 2014 10:19:41 -0500 Subject: [Freeipa-users] Introduction and question regarding SMTP/IMAP In-Reply-To: <20140625182604.GB31602@redhat.com> References: <53A70740.7080409@gmail.com> <20140625155448.GJ7233@redhat.com> <53AAFBB0.2010600@gmail.com> <20140625182604.GB31602@redhat.com> Message-ID: <53AC3A0D.9000606@gmail.com> On 6/25/2014 1:26 PM, Alexander Bokovoy wrote: > On Wed, 25 Jun 2014, Dave Gonzalez wrote: >> Alexander, thank you very much for your config sample, I took some >> time and compared to mine and they're pretty much the same, I want to >> move mailboxes to Maildir style because the system I'm planning to >> migrate to this IPA deployment does use Maildir style mailboxes. > I would still suggest you to check if plain IPA setup is working, i.e. > if you can successfuly use GSSAPI against Dovecot from a Linux client > with Thunderbird or mutt. I got Thunderbird successfully connecting and getting mail, I did have to authenticate *but* using the MIT Kerberos client software I've talked to you about. > Once that is working, you can be sure that your server side is in order > and start looking at how to integrate Windows machines. I added mine but nothing happened, I tried looking at the IPA logs to see if my Windows 8 cent is even trying to authenticate to the KDC after checking /var/log/krb5kdc.log I don't see any attempt from the machine > Read also > http://www.freeipa.org/page/Windows_authentication_against_FreeIPA I tried this but it was not successful at all, I didn't see any prompt or user/password combo box to login, information is there but it'\s not as complete as one would expect, knowing that a WIKI is community effort I can't ask for much, but it was a good guide though. 
I'll keep on reading and trying until I get it ready, because this need to go production in some months. Thanks for all of your replies and helpful info. --Regards DavidG From dgonzalezh at gmail.com Thu Jun 26 15:41:36 2014 From: dgonzalezh at gmail.com (Dave Gonzalez) Date: Thu, 26 Jun 2014 10:41:36 -0500 Subject: [Freeipa-users] Introduction and question regarding SMTP/IMAP In-Reply-To: <1403790888.11352.38.camel@willson.usersys.redhat.com> References: <53A70740.7080409@gmail.com> <1403702278.19579.38.camel@willson.usersys.redhat.com> <53AAE220.5070805@gmail.com> <1403709900.11352.9.camel@willson.usersys.redhat.com> <53AB14CF.3080006@gmail.com> <1403722260.11352.27.camel@willson.usersys.redhat.com> <53AB628D.1000707@dghvoip.com> <1403790888.11352.38.camel@willson.usersys.redhat.com> Message-ID: <53AC3F30.9080702@gmail.com> Hi Simo, On 6/26/2014 8:54 AM, Simo Sorce wrote: > On Wed, 2014-06-25 at 19:00 -0500, David Gonzalez Herrera - [DGHVoIP] > wrote: >> Thanks Simo, I'm testing that but I have no relay host, do I need one?. > A relay host is the mail server your MUA contacts to send email. > So instructions should apply just as well for your mail server, from the > GSSAPI PoV at least. Great, but before I try it and see if it does the trick should I remove the section form teh Post fix+Dovecot Integration from Dale MaCarney's howto?. 
My current main.cf conf looks like this:

[root at mail ~]# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
home_mailbox = Maildir/
html_directory = no
import_environment = MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY DISPLAY LANG=C KRB5_KTNAME=/etc/postfix/smtp.keytab KRB5CCNAME=FILE:${queue_directory}/kerberos/krb5_ccache
inet_interfaces = all
inet_protocols = ipv4
mail_owner = postfix
mailbox_command =
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = domain.net
myhostname = mail.domain.net
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_sasl_auth_enable = yes
smtp_sasl_mechanism_filter = plain, login
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_tls_CAfile = /etc/ssl/certs/ca-bundle.crt
smtp_tls_cert_file = /etc/postfix/smtp.crt
smtp_tls_key_file = /etc/postfix/smtp.key
smtp_tls_mandatory_ciphers = high
smtp_tls_security_level = secure
smtp_tls_session_cache_database = btree:${data_directory}/smtp_tls_session_cache
smtp_use_tls = yes
smtpd_client_restrictions = permit_sasl_authenticated, permit
smtpd_recipient_restrictions = permit_sasl_authenticated, permit
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_sender_restrictions = permit_sasl_authenticated, permit
smtpd_tls_CAfile = /etc/ssl/certs/ca-bundle.crt
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/postfix/certs/smtp.crt
smtpd_tls_key_file = /etc/postfix/certs/smtp.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_domains = domain.net
virtual_alias_maps = ldap:/etc/postfix/ldap_aliases.cf

The other very serious issue is that I keep getting Access Denied when external servers try to send mail to my "domain.net" address. Like this:

Jun 26 10:35:51 mail postfix/smtpd[20398]: warning: 255.23.15.115: hostname customer.worldstream.nl verification failed: Name or service not known
Jun 26 10:35:51 mail postfix/smtpd[20398]: connect from unknown[255.23.15.115]
Jun 26 10:35:51 mail postfix/smtpd[20398]: NOQUEUE: reject: RCPT from unknown[255.23.15.115]: 554 5.7.1 : Client host rejected: Access denied; from= to= proto=ESMTP helo=
Jun 26 10:35:51 mail postfix/smtpd[20398]: disconnect from unknown[255.23.15.115]

I see there's no reference on any howto nor any other doc so I don't really know where to start debugging this, because outbound mail was working and now it doesn't; it's just all of it being deferred. I guess it's a certificate issue, but even before the TLS issues I always got the Host Rejected: Access Denied.

Also, though not related, there are many SSL issues, but again those are postfix related and I can figure out.

Jun 26 10:22:24 mail postfix/smtp[20176]: certificate verification failed for alt1.gmail-smtp-in.l.google.com[74.125.25.27]:25: untrusted issuer /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
Jun 26 10:22:24 mail postfix/smtp[20176]: 0371321045: Server certificate not trusted

If anyone can tell me where to go from here.
As I've said all along, you guys have gotten me very close with every answer I was at at point where I had nothing now all of your help has helped me get to a near-finished point for this project. I'm planning a Youtube video or a blog post on my personal blog with the right setup. Thank you all --Regards DavidG > > Simo. > >> Cheers. >> >> --Regards DavidG >> On 6/25/2014 1:51 PM, Simo Sorce wrote: >>> On Wed, 2014-06-25 at 13:28 -0500, Dave Gonzalez wrote: >>>> [root at mail ~]# cat saslauthd.conf >>>> ldap_servers: ldap://ipa.domain.net >>>> ldap_search_base: cn=users,cn=accounts,dc=domain,dc=net >>>> ldap_filter: (|(uid=%u)(mail=%u)) >>>> ldap_bind_dn: uid=david,cn=users,cn=accounts,dc=domain,dc=net >>>> ldap_bind_pw: pass >>> This configuration is for password based authentication tested against >>> an LDAP server. Has really nothing to do with GSSAPI. >>> >>> This guide should help you configure postfix with GSSAPI authentication: >>> https://stomp.colorado.edu/blog/blog/2013/07/09/on-freeipa-postfix-and-a-relaying-smtp-client/ >>> >>> Simo. >>> > From dgonzalezh at gmail.com Thu Jun 26 15:55:36 2014 From: dgonzalezh at gmail.com (Dave Gonzalez) Date: Thu, 26 Jun 2014 10:55:36 -0500 Subject: [Freeipa-users] FreeIPA Psotfix+Dovecot In-Reply-To: <53ABC920.3020001@redhat.com> References: <53AAC8AC.1000501@gmail.com> <53ABC920.3020001@redhat.com> Message-ID: <53AC4278.8090301@gmail.com> Hello Mr. freeipa-users On 6/26/2014 2:17 AM, Petr Spacek wrote: > On 25.6.2014 15:03, Dave Gonzalez wrote: >> Hey again guys, >> >> I know and understand there are topics that draw more interest and >> attention >> than others but I'd really need to insist on a *working* >> FreeIPA+Postfix+Dovecto tutorial tested by any members of the >> community?. >> >> I'd like to deploy this setup for my company so that some 20+ users can >> authenticate OTP-style or SSO-style to Services on my current setup >> which >> include Openfire, Asterisk. 
>> >> I'd really appreciate a bit more attention to something that many >> users will >> like me thank and appreciate. > > Hello, > > Do you have any particular problem with how-tos in Mail Services section? > http://www.freeipa.org/page/HowTos#Mail_Services It's a very very valuable effort which has helped me greatly, so I'm not complaining. There's more like misleading information and at some points incomplete. For instance. I could point out that from the Dovecot part the author is using the "protocols" statement which is now obsolete. (http://www.freeipa.org/page/Dovecot_IMAPS_Integration_with_FreeIPA_using_Single_Sign_On) quote Edit /etc/dovecot/dovecot.conf to allow imap Find #protocols = imap pop3 lmtp and replace with protocols = imap end quote Another is where you add the "mailusers" group and the corresponding user, they never mention that you need to get a new ticket with "kinit admin" quote Create new IPA group for mailbox access From your IPA server, create a new group for your users to store their mailbox [root at ds01 ~]# ipa group-add Group name: mailusers Description: Mail User Group -------------------- Added group "mailusers" -------------------- Group name: mailusers Description: Mail User Group GID: 1427200003 [root at ds01 ~]# end quote For many people that'd be no problem as some of the users are more experienced than others, but for me it was apain to try to debug the ticket issue because though I've been a Linux user for a long time am a total n00b when it comes to Kerberos, IPA and LDAP. I promise that when I get my setup done, I've taken notes that I'll add to the wiki to help others, I've been struggling to get this setup working for two weeks now and the problem is that I need to iumplement this for my company to replace existing email system. Kind regards. -- Cheers DavidG > > The wiki is open to anyone with Fedora account so feel free to fix any > bugs you find in the how-tos when you try them. 
> > If you encounter some hard problem then please report which versions > you use, what you did, what doesn't work etc. so we can help you. > > Have a nice day! > -------------- next part -------------- An HTML attachment was scrubbed... URL: From Johan.Petersson at sscspace.com Thu Jun 26 21:04:41 2014 From: Johan.Petersson at sscspace.com (Johan Petersson) Date: Thu, 26 Jun 2014 21:04:41 +0000 Subject: [Freeipa-users] IPA+AD trust and NFS nobody issue In-Reply-To: <5390BEF9.2040404@redhat.com> References: <558C15177F5E714F83334217C9A197DF016C529177@SSC-MBX2.ssc.internal> <538DFC2F.3000703@redhat.com> <558C15177F5E714F83334217C9A197DF016C529446@SSC-MBX2.ssc.internal> <558C15177F5E714F83334217C9A197DF016C5294BB@SSC-MBX2.ssc.internal> <20140604131418.GH2726@redhat.com> <558C15177F5E714F83334217C9A197DF016C529537@SSC-MBX2.ssc.internal>, <5390BEF9.2040404@redhat.com> Message-ID: <558C15177F5E714F83334217C9A197DF016C5604B0@SSC-MBX2.ssc.internal> Hi, First i wish to thank everybody that helped me out trying to solve this issue and i also wish to inform that NFS 4 does not work with AD users through an AD and IPA trust at the moment for RHEL 6 and 7. The reason is that rpcidmapd` does not parse fully-qualified usernames so"adtest at AD.EXAMPLE.ORG@IPA.EXAMPLE.ORG" does not work. The client-side code is stripping the domain off based on the location of the first "@" character in the value returned by the server. This results in UID/GID mappings failing and resulting in ownership on the clients of "nobody". Regards, Johan From: Dmitri Pal [dpal at redhat.com] Sent: Thursday, June 05, 2014 21:03 To: Johan Petersson; Alexander Bokovoy Cc: Sumit Bose; freeipa-users at redhat.com Subject: Re: [Freeipa-users] IPA+AD trust and NFS nobody issue On 06/04/2014 09:57 AM, Johan Petersson wrote: > Yes the message is exactly like that with commas, I double checked. > > To anser Sumit's question: Maybe adding 'linux.home' and 'ad.home' to Local-Realms in idmap.conf might help? 
> 
> I did on all machines and got rid of that specific message but I still get user nobody unfortunately.
> 
> Here are logs from when I did a su - adtest at AD.HOME@linux.home with both AD.HOME and LINUX.HOME added to Local_realms in idmap.conf.
> 
> Client:
> Jun 4 15:30:13 client su: (to adtest at ad.home) linux on pts/0
> Jun 4 15:30:13 client nfsidmap[3602]: key: 0x35965a5f type: gid value: adtest at ad.home@linux.home timeout 600
> Jun 4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: calling nsswitch->name_to_gid
> Jun 4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: nsswitch->name_to_gid returned -22
> Jun 4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: final return value is -22
> Jun 4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: calling nsswitch->name_to_gid
> Jun 4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: nsswitch->name_to_gid returned 0
> Jun 4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: final return value is 0

Do we have a corresponding SSSD trace that shows the actual process of the resolution?

> 
> NFS Server:
> Jun 4 15:33:48 share rpc.idmapd[1908]: nfsdcb: authbuf=gss/krb5p authtype=user
> Jun 4 15:33:48 share rpc.idmapd[1908]: nfs4_uid_to_name: calling nsswitch->uid_to_name
> Jun 4 15:33:48 share rpc.idmapd[1908]: nfs4_uid_to_name: nsswitch->uid_to_name returned 0
> Jun 4 15:33:48 share rpc.idmapd[1908]: nfs4_uid_to_name: final return value is 0
> Jun 4 15:33:48 share rpc.idmapd[1908]: Server : (user) id "497801107" -> name "adtest at ad.home@linux.home"
> Jun 4 15:33:48 share rpc.idmapd[1908]: nfsdcb: authbuf=gss/krb5p authtype=group
> Jun 4 15:33:48 share rpc.idmapd[1908]: nfs4_gid_to_name: calling nsswitch->gid_to_name
> Jun 4 15:33:48 share rpc.idmapd[1908]: nfs4_gid_to_name: nsswitch->gid_to_name returned 0
> Jun 4 15:33:48 share rpc.idmapd[1908]: nfs4_gid_to_name: final return value is 0
> Jun 4 15:33:48 share rpc.idmapd[1908]: Server : (group) id "1120000005" -> name "ad_users at linux.home"
> 
> The group ad_users is an IPA group with external maps from AD Domain users.
> 
> -----Original Message-----
> From: Alexander Bokovoy [mailto:abokovoy at redhat.com]
> Sent: Wednesday, June 04, 2014 3:14 PM
> To: Johan Petersson
> Cc: dpal at redhat.com; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] IPA+AD trust and NFS nobody issue
> 
> On Wed, 04 Jun 2014, Johan Petersson wrote:
>> Mail got posted before I was finished sorry.
>> 
>> I found one clue to the issue after increasing autofs logging to debug and as I thought it has to do with id-mapping.
>> 
>> From /var/log/messages:
>> 
>> Nfsidmap[1696]: nss_getpwnam: name 'adtest at ad.home@linux.home,' does not map into domain 'linux.home,'
> Are you sure the message is exactly like this, with a comma after linux.home?
> 
> The reason I'm asking is because the code that prints the message looks like this:
> 
>     localname = strip_domain(name, domain);
>     IDMAP_LOG(4, ("nss_getpwnam: name '%s' domain '%s': "
>         "resulting localname '%s'\n", name, domain, localname));
>     if (localname == NULL) {
>         IDMAP_LOG(0, ("nss_getpwnam: name '%s' does not map "
>             "into domain '%s'\n", name,
>             domain ? domain : ""));
>         goto err_free_buf;
>     }
> 
> note that it doesn't have comma anywhere in the string printed.
> 
> Can you please increase the log level to 4 so that we can see the first string (nss_getpwnam: name '....' domain '...': resulting localname ...)? it would be
> 
> [general]
> Verbosity = 4
> 
> in /etc/idmapd.conf
> 
> 
>> 
>> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Johan Petersson
>> Sent: Wednesday, June 04, 2014 12:02 PM
>> To: dpal at redhat.com; freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] IPA+AD trust and NFS nobody issue
>> 
>> Yes Client is default RHEL 7 and both IPA and NFS Server are as well.
>> 
>> 
>> server.ad.home = AD Server
>> share.linux.home = NFS Server
>> ipa.linux.home = IPA Server
>> client.linux.home = Client
>> 
>> NFS with automounted krb5p Home Directories work for IPA users.
>> 
>> sssd-1.11.2-65.el7.x86_64
>> 
>> id adtest at AD.HOME
>> uid=497801107(adtest at ad.home)
>> gid=497801107(adtest at ad.home)
>> groups=497801107(adtest at ad.home),497800513(domain users at ad.home)
>> 
>> getent passwd adtest at AD.HOME
>> adtest at ad.home:*:497801107:497801107::/home/ad.home/adtest:
>> 
>> klist after kinit adtest at AD.HOME
>> 
>> [root at client ~]# klist -e
>> Ticket cache: KEYRING:persistent:0:0
>> Default principal: adtest at AD.HOME
>> 
>> Valid starting       Expires              Service principal
>> 06/04/14 11:28:35    06/04/14 21:28:35    krbtgt/AD.HOME at AD.HOME
>>         renew until 06/05/14 11:28:30, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
>> 
>> klist after ssh adtest at AD.HOME@ipa.linux.home
>> 
>> klist
>> Ticket cache: KEYRING:persistent:497801107:krb_ccache_y5TW1kB
>> Default principal: adtest at AD.HOME
>> 
>> Valid starting       Expires              Service principal
>> 06/04/14 11:35:16    06/04/14 21:35:16    nfs/share.linux.home at LINUX.HOME
>>         renew until 06/05/14 11:28:30
>> 06/04/14 11:35:16    06/04/14 21:35:16    krbtgt/LINUX.HOME at AD.HOME
>>         renew until 06/05/14 11:28:30
>> 06/04/14 11:28:35    06/04/14 21:35:16    krbtgt/AD.HOME at AD.HOME
>>         renew until 06/05/14 11:28:30
>> 
>> Home Directory gets mounted by autofs through sssd but user:group is both nobody.
>> 
>> The Client's sssd.conf:
>> 
>> [domain/linux.home]
>> 
>> cache_credentials = True
>> krb5_store_password_if_offline = True
>> ipa_domain = linux.home
>> id_provider = ipa
>> auth_provider = ipa
>> access_provider = ipa
>> ipa_hostname = client.linux.home
>> chpass_provider = ipa
>> ipa_dyndns_update = True
>> ipa_server = _srv_, ipa.linux.home
>> ldap_tls_cacert = /etc/ipa/ca.crt
>> autofs_provider = ipa
>> ipa_automount_location = default
>> subdomains_provider = ipa
>> [sssd]
>> services = nss, pam, autofs, ssh
>> config_file_version = 2
>> 
>> domains = linux.home
>> [nss]
>> 
>> [pam]
>> 
>> [sudo]
>> 
>> [autofs]
>> 
>> [ssh]
>> 
>> [pac]
>> 
>> 
>> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Dmitri Pal
>> Sent: Tuesday, June 03, 2014 6:48 PM
>> To: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] IPA+AD trust and NFS nobody issue
>> 
>> On 06/03/2014 09:07 AM, Johan Petersson wrote:
>> Hi,
>> 
>> Environment:
>> 
>> RHEL 7 IPA Server 3.3 with a trust to a Windows 2012 Server AD
>> RHEL 7 NFS Server
>> RHEL 7 Client
>> 
>> I have found one problem when using a NFS 4 shared Home Directory for AD users logging in to IPA.
>> I have created a NFS share /home/adexample.org and use autofs map in IPA.
>> All wbinfo tests work as well as id.
>> I can login fine through SSH and Shell with
>> adtest at adexample.org
>> The problem is that I can add the AD user as owner of his Home Directory and if I log in to the NFS Server locally or through ssh permissions are correct but when logging in to any other computer I get "nobody" as owner.
>> Are those computers RHEL7 NFS clients with SSSD?
>> Can you describe them in more details please?
>> 
>> Groups are no problem since AD groups can be mapped to Posix groups.
>> 
>> Idmap.conf domain is set to the IPA Domain.
>> 
>> Is there some way to get NFS working with the AD user as owner of his Home Directory?
>> 
>> Thanks for any help.
>> >> >> This e-mail is private and confidential between the sender and the addressee. >> In the event of misdirection, the recipient is prohibited from using, >> copying or disseminating it or any information in it. Please notify the above if any misdirection. >> >> >> >> _______________________________________________ >> >> Freeipa-users mailing list >> >> Freeipa-users at redhat.com >> >> https://www.redhat.com/mailman/listinfo/freeipa-users >> >> >> >> -- >> >> Thank you, >> >> Dmitri Pal >> >> >> >> Sr. Engineering Manager IdM portfolio >> >> Red Hat, Inc. >> _______________________________________________ >> Freeipa-users mailing list >> Freeipa-users at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-users > > -- > / Alexander Bokovoy -- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc. From bnordgren at fs.fed.us Thu Jun 26 22:02:47 2014 From: bnordgren at fs.fed.us (Nordgren, Bryce L -FS) Date: Thu, 26 Jun 2014 22:02:47 +0000 Subject: [Freeipa-users] IPA+AD trust and NFS nobody issue In-Reply-To: <558C15177F5E714F83334217C9A197DF016C5604B0@SSC-MBX2.ssc.internal> References: <558C15177F5E714F83334217C9A197DF016C529177@SSC-MBX2.ssc.internal> <538DFC2F.3000703@redhat.com> <558C15177F5E714F83334217C9A197DF016C529446@SSC-MBX2.ssc.internal> <558C15177F5E714F83334217C9A197DF016C5294BB@SSC-MBX2.ssc.internal> <20140604131418.GH2726@redhat.com> <558C15177F5E714F83334217C9A197DF016C529537@SSC-MBX2.ssc.internal>, <5390BEF9.2040404@redhat.com> <558C15177F5E714F83334217C9A197DF016C5604B0@SSC-MBX2.ssc.internal> Message-ID: <82E7C9A01FD0764CACDD35D10F5DFB6E6DEC96@001FSN2MPN1-046.001f.mgd2.msft.net> > The reason is that rpcidmapd` does not parse fully-qualified usernames > so"adtest at AD.EXAMPLE.ORG@IPA.EXAMPLE.ORG" does not work. 
If someone can educate me as to why there are two @ signs in the above, I can fix the wiki page (http://www.freeipa.org/page/Collaboration_with_Kerberos#Mechanism_1:_Kerberos_cross-realm_trusts) I know about individual cross-realm principals, adtest/AD.EXAMPLE.ORG at IPA.EXAMPLE.ORG And I know about cross-realm trust principals: krbtgt/AD.EXAMPLE.ORG at IPA.EXAMPLE.ORG But I was under the impression that if a user traversed a trust, their client principal name would still be adtest at AD.EXAMPLE.ORG . I am not aware of any circumstances which would produce a client principal with two "@" signs in it. Pls fix my ignorance. Thanks, Bryce This electronic message contains information generated by the USDA solely for the intended recipients. Any unauthorized interception of this message or the use or disclosure of the information it contains may violate the law and subject the violator to civil or criminal penalties. If you believe you have received this message in error, please notify the sender and delete the email immediately. 
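The following is an added illustration, not code from this thread, from libnfsidmap or from any FreeIPA project: a small Python model of the round-trip that Johan and Simo describe. The server side appends the NFSv4 domain to whatever getpwuid returns, so a trusted-domain user already named "adtest@ad.home" goes on the wire as "adtest@ad.home@linux.home"; the client side then strips the domain at the first "@", does not find "linux.home" in the remainder, and the owner ends up as nobody. The domain names and the AD uid 497801107 come from the logs quoted in this thread; the passwd table, the native IPA uid and the nobody fallback uid (65534) are constructed for the example. The second parser, which splits at the last "@", is included only to show why the fully-qualified name would survive if the separator were found from the right; it is an assumption for illustration, not a description of any idmapd option.

```python
"""Model of the NFSv4 idmapd name round-trip that ends in "nobody" for
trusted-domain users (added illustration, not libnfsidmap source)."""
from typing import Callable, Optional

NFS4_DOMAIN = "linux.home"   # the Domain = setting in /etc/idmapd.conf (from the thread)
NFSNOBODY_UID = 65534        # assumed fallback uid for owners that do not resolve

# Constructed stand-in for getpwnam/getpwuid as answered by SSSD.  The AD user
# is fully qualified because it is reached through the IPA-AD trust; 497801107
# is the uid from Johan's logs, the IPA uid is made up for the example.
PASSWD = {
    "adtest@ad.home": 497801107,
    "ipauser": 1120000001,
}
PASSWD_BY_UID = {uid: name for name, uid in PASSWD.items()}

Stripper = Callable[[str, str], Optional[str]]


def server_uid_to_name(uid: int) -> Optional[str]:
    """Server side (rpc.idmapd): getpwuid, then append "@" + NFSv4 domain.

    This is the step Simo describes: the local domain is appended to whatever
    getpwuid returned, even when that name already contains an "@".
    """
    name = PASSWD_BY_UID.get(uid)
    return None if name is None else f"{name}@{NFS4_DOMAIN}"


def strip_domain_first_at(name: str, domain: str) -> Optional[str]:
    """Client side as reported in the thread: split at the FIRST "@".

    Returns the local name, or None when the remainder is not our domain,
    which is what logs "does not map into domain" and then yields nobody.
    """
    local, sep, rest = name.partition("@")
    if sep and rest != domain:
        return None
    return local


def strip_domain_last_at(name: str, domain: str) -> Optional[str]:
    """Illustrative alternative: treat the LAST "@" as the NFSv4 domain
    separator, so "user@trusted.realm" survives as the local name."""
    local, sep, rest = name.rpartition("@")
    if not sep:
        return name
    return local if rest == domain else None


def client_name_to_uid(name: str, strip: Stripper) -> int:
    """Client side: strip the NFSv4 domain, then getpwnam on the remainder.
    Anything that fails to resolve is owned by nobody."""
    local = strip(name, NFS4_DOMAIN)
    if local is None:
        return NFSNOBODY_UID
    return PASSWD.get(local, NFSNOBODY_UID)


def round_trip(uid: int, strip: Stripper) -> int:
    """uid on the server -> owner string on the wire -> uid on the client."""
    wire_name = server_uid_to_name(uid)
    if wire_name is None:
        return NFSNOBODY_UID
    return client_name_to_uid(wire_name, strip)


if __name__ == "__main__":
    for uid in (PASSWD["ipauser"], PASSWD["adtest@ad.home"]):
        print(f"uid {uid}: wire name {server_uid_to_name(uid)!r}, "
              f"client maps it to {round_trip(uid, strip_domain_first_at)} "
              f"(first '@') / {round_trip(uid, strip_domain_last_at)} (last '@')")
```

The native IPA user maps back to its own uid under both parsers, which matches Johan's observation that NFS works for IPA users; only the trusted-domain user collapses to nobody under the first-"@" split. The check that corresponds to this model on a real client is the one Alexander gives earlier in the thread, Verbosity = 4 in /etc/idmapd.conf, which logs the name and domain the client actually tried to split.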
From simo at redhat.com Thu Jun 26 22:42:37 2014 From: simo at redhat.com (Simo Sorce) Date: Thu, 26 Jun 2014 18:42:37 -0400 Subject: [Freeipa-users] IPA+AD trust and NFS nobody issue In-Reply-To: <82E7C9A01FD0764CACDD35D10F5DFB6E6DEC96@001FSN2MPN1-046.001f.mgd2.msft.net> References: <558C15177F5E714F83334217C9A197DF016C529177@SSC-MBX2.ssc.internal> <538DFC2F.3000703@redhat.com> <558C15177F5E714F83334217C9A197DF016C529446@SSC-MBX2.ssc.internal> <558C15177F5E714F83334217C9A197DF016C5294BB@SSC-MBX2.ssc.internal> <20140604131418.GH2726@redhat.com> <558C15177F5E714F83334217C9A197DF016C529537@SSC-MBX2.ssc.internal> , <5390BEF9.2040404@redhat.com> <558C15177F5E714F83334217C9A197DF016C5604B0@SSC-MBX2.ssc.internal> <82E7C9A01FD0764CACDD35D10F5DFB6E6DEC96@001FSN2MPN1-046.001f.mgd2.msft.net> Message-ID: <1403822557.9460.19.camel@willson.usersys.redhat.com> On Thu, 2014-06-26 at 22:02 +0000, Nordgren, Bryce L -FS wrote: > > The reason is that rpcidmapd` does not parse fully-qualified usernames > > so"adtest at AD.EXAMPLE.ORG@IPA.EXAMPLE.ORG" does not work. > > If someone can educate me as to why there are two @ signs in the above, I can fix the wiki page (http://www.freeipa.org/page/Collaboration_with_Kerberos#Mechanism_1:_Kerberos_cross-realm_trusts) > > I know about individual cross-realm principals, > > adtest/AD.EXAMPLE.ORG at IPA.EXAMPLE.ORG > > And I know about cross-realm trust principals: > > krbtgt/AD.EXAMPLE.ORG at IPA.EXAMPLE.ORG > > But I was under the impression that if a user traversed a trust, their client principal name would still be adtest at AD.EXAMPLE.ORG . I am not aware of any circumstances which would produce a client principal with two "@" signs in it. Pls fix my ignorance. The second @ is not provided by kerberos, it is rpcimapd making false assumptions, it does a getpwuid and gets back adtest at ad.example.org as the username, to which it decides to slap on the local REALM name with an @ sign in between. 
I think this is something that may be handled with imapd.conf configuration. Simo. -- Simo Sorce * Red Hat, Inc * New York From bnordgren at fs.fed.us Thu Jun 26 23:21:08 2014 From: bnordgren at fs.fed.us (Nordgren, Bryce L -FS) Date: Thu, 26 Jun 2014 23:21:08 +0000 Subject: [Freeipa-users] IPA+AD trust and NFS nobody issue In-Reply-To: <1403822557.9460.19.camel@willson.usersys.redhat.com> References: <558C15177F5E714F83334217C9A197DF016C529177@SSC-MBX2.ssc.internal> <538DFC2F.3000703@redhat.com> <558C15177F5E714F83334217C9A197DF016C529446@SSC-MBX2.ssc.internal> <558C15177F5E714F83334217C9A197DF016C5294BB@SSC-MBX2.ssc.internal> <20140604131418.GH2726@redhat.com> <558C15177F5E714F83334217C9A197DF016C529537@SSC-MBX2.ssc.internal> , <5390BEF9.2040404@redhat.com> <558C15177F5E714F83334217C9A197DF016C5604B0@SSC-MBX2.ssc.internal> <82E7C9A01FD0764CACDD35D10F5DFB6E6DEC96@001FSN2MPN1-046.001f.mgd2.msft.net> <1403822557.9460.19.camel@willson.usersys.redhat.com> Message-ID: <82E7C9A01FD0764CACDD35D10F5DFB6E6DECF9@001FSN2MPN1-046.001f.mgd2.msft.net> > The second @ is not provided by kerberos, it is rpcimapd making false > assumptions, it does a getpwuid and gets back adtest at ad.example.org as > the username, to which it decides to slap on the local REALM name with an @ > sign in between. > > I think this is something that may be handled with imapd.conf configuration. Muchas gracias. This makes sense. Found an old presentation on the topic [1]. Slide 15 is particularly relevant. Slide 4, however, taught me something I didn't know: NFS wants to deal with NFSv4 domain names (slide 3), which can be different than GSS principal names (Kerberos principals). There is only one NFS domain, but there can be multiple security realms and multiple DNS domains (slide 2). The crux of this is on slide 14: "Need to add posixAccount with GSSAuthName for UID/GID mapping of remote user". Is this another use case for views? 
What I'm not quite clear on is the interaction between idmapd and LDAP (slides 15, 16, 18). Does idmapd want to see this "NFSv4RemoteUser" schema on the LDAP server? Is this schema something that FreeIPA would have to support for NFS to work with cross-realm trusts? Or has the landscape changed since this 2005 presentation?

Bryce

[1] http://www.citi.umich.edu/projects/nfsv4/crossrealm/ASC_NFSv4_WKSHP_X_DOMAIN_N2ID.pdf

From dgonzalezh at gmail.com Thu Jun 26 23:35:43 2014
From: dgonzalezh at gmail.com (Dave Gonzalez)
Date: Thu, 26 Jun 2014 18:35:43 -0500
Subject: [Freeipa-users] Introduction and question regarding SMTP/IMAP
In-Reply-To: <1403790888.11352.38.camel@willson.usersys.redhat.com>
References: <53A70740.7080409@gmail.com> <1403702278.19579.38.camel@willson.usersys.redhat.com> <53AAE220.5070805@gmail.com> <1403709900.11352.9.camel@willson.usersys.redhat.com> <53AB14CF.3080006@gmail.com> <1403722260.11352.27.camel@willson.usersys.redhat.com> <53AB628D.1000707@dghvoip.com> <1403790888.11352.38.camel@willson.usersys.redhat.com>
Message-ID: <53ACAE4F.4080105@gmail.com>

So guys, for anyone interested, I'm still facing issues when trying to send mail to/from my Postfix. I restarted from scratch using the Postfix howto, and after I enabled debug on saslauthd I get this. The user does exist, but mail is just nb

[root@mail postfix]# postmap -q david@domain.net ldap:/etc/postfix/ldap_aliases.cf
david@domain.net

Postfix is rejecting the email when trying to send it from external domains. Here's the debug log when I try to send mail from another domain:

Jun 26 18:29:02 mail postfix/smtpd[24579]: connect from hosted.davidgonzalez.co[217.23.11.226]
Jun 26 18:29:02 mail postfix/smtpd[24579]: 9FE0D2104E: client=hosted.davidgonzalez.co[217.23.11.226]
Jun 26 18:29:02 mail postfix/cleanup[24583]: 9FE0D2104E: message-id=<53ACACB7.1060006@example.com>
Jun 26 18:29:02 mail postfix/qmgr[24400]: 9FE0D2104E: from=, size=5248, nrcpt=1 (queue active)
Jun 26 18:29:02 mail postfix/smtpd[24579]: disconnect from hosted.davidgonzalez.co[217.23.11.226]
Jun 26 18:29:02 mail postfix/error[24584]: 9FE0D2104E: to=, relay=none, delay=0.14, delays=0.1/0/0/0.03, dsn=5.0.0, status=bounced (User unknown in virtual alias table)
Jun 26 18:29:02 mail postfix/cleanup[24583]: C0EFD21050: message-id=<20140626232902.C0EFD21050@mail.domain.net>
Jun 26 18:29:02 mail postfix/qmgr[24400]: C0EFD21050: from=<>, size=7105, nrcpt=1 (queue active)
Jun 26 18:29:02 mail postfix/bounce[24585]: 9FE0D2104E: sender non-delivery notification: C0EFD21050
Jun 26 18:29:02 mail postfix/qmgr[24400]: 9FE0D2104E: removed
Jun 26 18:29:02 mail postfix/smtp[24587]: C0EFD21050: to=, relay=mail.example.com[217.23.11.226]:25, delay=0.18, delays=0.03/0/0.03/0.12, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as CF45B21974)
Jun 26 18:29:02 mail postfix/qmgr[24400]: C0EFD21050: removed

I don't really know where to go from here; not even this simple test from localhost (on the mail server) succeeds:

[root@mail postfix]# echo Hello | mail -s Hello david@domain.net

Jun 26 18:31:45 mail postfix/pickup[24399]: 39B962104F: uid=0 from=
ber: Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: ber_scanf fmt ({i) ber: Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: ber_flush2: 72 bytes to sd 14 Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: ldap_result ld 0x7f416b369bb0 msgid 1 Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: wait4msg ld 0x7f416b369bb0 msgid 1 (timeout 10000000 usec) Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: wait4msg continue ld 0x7f416b369bb0 msgid 1 all 1 Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: ** ld 0x7f416b369bb0 Connections: Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: * host: ipa.domain.net port: 389 (default) Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: refcnt: 2 status: Connected Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: last used: Thu Jun 26 18:31:45 2014 Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: ** ld 0x7f416b369bb0 Outstanding Requests: Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: * msgid 1, origid 1, status InProgress Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: outstanding referrals 0, parent count 0 Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: ld 0x7f416b369bb0 request count 1 (abandoned 0) Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: ** ld 0x7f416b369bb0 Response Queue: Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: Empty Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: ld 0x7f416b369bb0 response count 0 Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: ldap_chkResponseList ld 0x7f416b369bb0 msgid 1 all 1 Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: ldap_chkResponseList returns ld 0x7f416b369bb0 NULL Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: ldap_int_select Jun 26 18:31:45 mail 
postfix/cleanup[24603]: dict_ldap_debug: read1msg: ld 0x7f416b369bb0 msgid 1 all 1 Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: ber_get_next Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: ber_get_next: tag 0x30 len 12 contents: Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: read1msg: ld 0x7f416b369bb0 msgid 1 message type bind Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: ber_scanf fmt ({eAA) ber: Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: read1msg: ld 0x7f416b369bb0 0 new referrals Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: read1msg: mark request completed, ld 0x7f416b369bb0 msgid 1 Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: request done: ld 0x7f416b369bb0 msgid 1 Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: res_errno: 0, res_error: <>, res_matched: <> Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: ldap_free_request (origid 1, msgid 1) Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: ldap_parse_sasl_bind_result Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: ber_scanf fmt ({eAA) ber: Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: ldap_msgfree Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: ldap_search_ext Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: put_filter: "(mail=david at domain.net)" Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: put_filter: simple Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: put_simple_filter: "mail=david at domain.net" Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: ldap_send_initial_request Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: ldap_send_server_request Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: ber_scanf fmt ({it) ber: Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: ber_scanf fmt ({) ber: Jun 26 18:31:45 mail 
postfix/cleanup[24603]: dict_ldap_debug: ber_flush2: 99 bytes to sd 14 Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: ldap_result ld 0x7f416b369bb0 msgid 2 Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: wait4msg ld 0x7f416b369bb0 msgid 2 (timeout 10000000 usec) Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: wait4msg continue ld 0x7f416b369bb0 msgid 2 all 1 Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: ** ld 0x7f416b369bb0 Connections: Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: * host: ipa.domain.net port: 389 (default) Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: refcnt: 2 status: Connected Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: last used: Thu Jun 26 18:31:45 2014 Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: ** ld 0x7f416b369bb0 Outstanding Requests: Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: * msgid 2, origid 2, status InProgress Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: outstanding referrals 0, parent count 0 Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: ld 0x7f416b369bb0 request count 1 (abandoned 0) Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: ** ld 0x7f416b369bb0 Response Queue: Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: Empty Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: ld 0x7f416b369bb0 response count 0 Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: ldap_chkResponseList ld 0x7f416b369bb0 msgid 2 all 1 Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: ldap_chkResponseList returns ld 0x7f416b369bb0 NULL Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: ldap_int_select Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: read1msg: ld 0x7f416b369bb0 msgid 2 all 1 Jun 26 18:31:45 mail postfix/cleanup[24603]: 
dict_ldap_debug: ber_get_next Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: ber_get_next: tag 0x30 len 88 contents: Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: read1msg: ld 0x7f416b369bb0 msgid 2 message type search-entry Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: wait4msg ld 0x7f416b369bb0 9 s 998832 us to go Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: wait4msg continue ld 0x7f416b369bb0 msgid 2 all 1 Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: ** ld 0x7f416b369bb0 Connections: Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: * host: ipa.domain.net port: 389 (default) Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: refcnt: 2 status: Connected Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: last used: Thu Jun 26 18:31:45 2014 Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: ** ld 0x7f416b369bb0 Outstanding Requests: Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: * msgid 2, origid 2, status InProgress Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: outstanding referrals 0, parent count 0 Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: ld 0x7f416b369bb0 request count 1 (abandoned 0) Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: ** ld 0x7f416b369bb0 Response Queue: Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: * msgid 2, type 100 Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: ld 0x7f416b369bb0 response count 1 Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: ldap_chkResponseList ld 0x7f416b369bb0 msgid 2 all 1 Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: ldap_chkResponseList returns ld 0x7f416b369bb0 NULL Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: ldap_int_select Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: 
read1msg: ld 0x7f416b369bb0 msgid 2 all 1 Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: ber_get_next Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: ber_get_next: tag 0x30 len 12 contents: Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: read1msg: ld 0x7f416b369bb0 msgid 2 message type search-result Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: ber_scanf fmt ({eAA) ber: Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: read1msg: ld 0x7f416b369bb0 0 new referrals Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: read1msg: mark request completed, ld 0x7f416b369bb0 msgid 2 Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: request done: ld 0x7f416b369bb0 msgid 2 Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: res_errno: 0, res_error: <>, res_matched: <> Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: ldap_free_request (origid 2, msgid 2) Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: adding response ld 0x7f416b369bb0 msgid 2 type 101: Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: ldap_parse_result Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: ber_scanf fmt ({iAA) ber: Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: ber_scanf fmt (}) ber: Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: ldap_first_attribute Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: ber_scanf fmt ({xl{) ber: Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: ber_scanf fmt ({ax}) ber: Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: ldap_get_values_len Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: ber_scanf fmt ({x{{a) ber: Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: ber_scanf fmt ([V]) ber: Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: ldap_next_attribute Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: 
ldap_msgfree Jun 26 18:31:45 mail postfix/cleanup[24603]: 39B962104F: message-id=<20140626233145.39B962104F at mail.domain.net> Jun 26 18:31:45 mail postfix/qmgr[24400]: 39B962104F: from=, size=428, nrcpt=1 (queue active) Jun 26 18:31:45 mail postfix/error[24605]: 39B962104F: to=, relay=none, delay=0.17, delays=0.12/0.01/0/0.04, dsn=5.0.0, status=bounced (User unknown in virtual alias table) Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: ldap_search_ext Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: put_filter: "(mail=root at domain.net)" Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: put_filter: simple Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: put_simple_filter: "mail=root at domain.net" Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: ldap_send_initial_request Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: ldap_send_server_request Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: ber_scanf fmt ({it) ber: Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: ber_scanf fmt ({) ber: Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: ber_flush2: 98 bytes to sd 14 Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: ldap_result ld 0x7f416b369bb0 msgid 3 Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: wait4msg ld 0x7f416b369bb0 msgid 3 (timeout 10000000 usec) Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: wait4msg continue ld 0x7f416b369bb0 msgid 3 all 1 Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: ** ld 0x7f416b369bb0 Connections: Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: * host: ipa.domain.net port: 389 (default) Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: refcnt: 2 status: Connected Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: last used: Thu Jun 26 18:31:45 2014 Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: Jun 26 
18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: ** ld 0x7f416b369bb0 Outstanding Requests: Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: * msgid 3, origid 3, status InProgress Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: outstanding referrals 0, parent count 0 Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: ld 0x7f416b369bb0 request count 1 (abandoned 0) Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: ** ld 0x7f416b369bb0 Response Queue: Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: Empty Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: ld 0x7f416b369bb0 response count 0 Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: ldap_chkResponseList ld 0x7f416b369bb0 msgid 3 all 1 Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: ldap_chkResponseList returns ld 0x7f416b369bb0 NULL Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: ldap_int_select Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: read1msg: ld 0x7f416b369bb0 msgid 3 all 1 Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: ber_get_next Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: ber_get_next: tag 0x30 len 12 contents: Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: read1msg: ld 0x7f416b369bb0 msgid 3 message type search-result Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: ber_scanf fmt ({eAA) ber: Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: read1msg: ld 0x7f416b369bb0 0 new referrals Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: read1msg: mark request completed, ld 0x7f416b369bb0 msgid 3 Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: request done: ld 0x7f416b369bb0 msgid 3 Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: res_errno: 0, res_error: <>, res_matched: <> Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: ldap_free_request 
(origid 3, msgid 3) Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: ldap_parse_result Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: ber_scanf fmt ({iAA) ber: Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: ber_scanf fmt (}) ber: Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: ldap_msgfree Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: ldap_search_ext Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: put_filter: "(mail=root)" Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: put_filter: simple Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: put_simple_filter: "mail=root" Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: ldap_send_initial_request Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: ldap_send_server_request Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: ber_scanf fmt ({it) ber: Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: ber_scanf fmt ({) ber: Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: ber_flush2: 85 bytes to sd 14 Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: ldap_result ld 0x7f416b369bb0 msgid 4 Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: wait4msg ld 0x7f416b369bb0 msgid 4 (timeout 10000000 usec) Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: wait4msg continue ld 0x7f416b369bb0 msgid 4 all 1 Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: ** ld 0x7f416b369bb0 Connections: Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: * host: ipa.domain.net port: 389 (default) Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: refcnt: 2 status: Connected Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: last used: Thu Jun 26 18:31:45 2014 Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: ** ld 0x7f416b369bb0 
Outstanding Requests: Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: * msgid 4, origid 4, status InProgress Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: outstanding referrals 0, parent count 0 Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: ld 0x7f416b369bb0 request count 1 (abandoned 0) Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: ** ld 0x7f416b369bb0 Response Queue: Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: Empty Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: ld 0x7f416b369bb0 response count 0 Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: ldap_chkResponseList ld 0x7f416b369bb0 msgid 4 all 1 Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: ldap_chkResponseList returns ld 0x7f416b369bb0 NULL Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: ldap_int_select Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: read1msg: ld 0x7f416b369bb0 msgid 4 all 1 Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: ber_get_next Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: ber_get_next: tag 0x30 len 12 contents: Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: read1msg: ld 0x7f416b369bb0 msgid 4 message type search-result Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: ber_scanf fmt ({eAA) ber: Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: read1msg: ld 0x7f416b369bb0 0 new referrals Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: read1msg: mark request completed, ld 0x7f416b369bb0 msgid 4 Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: request done: ld 0x7f416b369bb0 msgid 4 Jun 26 18:31:45 mail postfix/cleanup[24603]: dict_ldap_debug: res_errno: 0, res_error: <>, res_matched: <> Jun 26 18:31:45 mail postfix/qmgr[24400]: 5594A21050: from=<>, size=2175, nrcpt=1 (queue active) Jun 26 18:31:45 mail postfix/bounce[24606]: 39B962104F: sender 
non-delivery notification: 5594A21050 Jun 26 18:31:45 mail postfix/qmgr[24400]: 39B962104F: removed Jun 26 18:31:45 mail postfix/error[24605]: 5594A21050: to=, relay=none, delay=0.07, delays=0.04/0/0/0.02, dsn=5.0.0, status=bounced (User unknown in virtual alias table) Jun 26 18:31:45 mail postfix/qmgr[24400]: 5594A21050: removed If anyone could enlighten me on this part I'd reaaly thank you. Cheers --- Regards DavidG On 6/26/2014 8:54 AM, Simo Sorce wrote: > On Wed, 2014-06-25 at 19:00 -0500, David Gonzalez Herrera - [DGHVoIP] > wrote: >> Thanks Simo, I'm testing that but I have no relay host, do I need one?. > A relay host is the mail server your MUA contacts to send email. > So instructions should apply just as well for your mail server, from the > GSSAPI PoV at least. > > Simo. > >> Cheers. >> >> --Regards DavidG >> On 6/25/2014 1:51 PM, Simo Sorce wrote: >>> On Wed, 2014-06-25 at 13:28 -0500, Dave Gonzalez wrote: >>>> [root at mail ~]# cat saslauthd.conf >>>> ldap_servers: ldap://ipa.domain.net >>>> ldap_search_base: cn=users,cn=accounts,dc=domain,dc=net >>>> ldap_filter: (|(uid=%u)(mail=%u)) >>>> ldap_bind_dn: uid=david,cn=users,cn=accounts,dc=domain,dc=net >>>> ldap_bind_pw: pass >>> This configuration is for password based authentication tested against >>> an LDAP server. Has really nothing to do with GSSAPI. >>> >>> This guide should help you configure postfix with GSSAPI authentication: >>> https://stomp.colorado.edu/blog/blog/2013/07/09/on-freeipa-postfix-and-a-relaying-smtp-client/ >>> >>> Simo. >>> > -------------- next part -------------- An HTML attachment was scrubbed... 
From bnordgren at fs.fed.us Fri Jun 27 00:10:53 2014
From: bnordgren at fs.fed.us (Nordgren, Bryce L -FS)
Date: Fri, 27 Jun 2014 00:10:53 +0000
Subject: [Freeipa-users] IPA+AD trust and NFS nobody issue
In-Reply-To: <82E7C9A01FD0764CACDD35D10F5DFB6E6DECF9@001FSN2MPN1-046.001f.mgd2.msft.net>
References: <558C15177F5E714F83334217C9A197DF016C529177@SSC-MBX2.ssc.internal> <538DFC2F.3000703@redhat.com> <558C15177F5E714F83334217C9A197DF016C529446@SSC-MBX2.ssc.internal> <558C15177F5E714F83334217C9A197DF016C5294BB@SSC-MBX2.ssc.internal> <20140604131418.GH2726@redhat.com> <558C15177F5E714F83334217C9A197DF016C529537@SSC-MBX2.ssc.internal> <5390BEF9.2040404@redhat.com> <558C15177F5E714F83334217C9A197DF016C5604B0@SSC-MBX2.ssc.internal> <82E7C9A01FD0764CACDD35D10F5DFB6E6DEC96@001FSN2MPN1-046.001f.mgd2.msft.net> <1403822557.9460.19.camel@willson.usersys.redhat.com> <82E7C9A01FD0764CACDD35D10F5DFB6E6DECF9@001FSN2MPN1-046.001f.mgd2.msft.net>
Message-ID: <82E7C9A01FD0764CACDD35D10F5DFB6E6DED1A@001FSN2MPN1-046.001f.mgd2.msft.net>

Also: http://tools.ietf.org/html/draft-adamson-nfsv4-multi-domain-access-04

Never became an RFC, but cites Simo's I-D on a Kerberos PAC.

I like the CITI approach better (also approach 2 of section 6 in the above I-D). I have no use for the groups defined in my active directory. Also, for the external collaboration case, my AD may not be accessible to an NFS server outside the firewall.

However, if (?) support for an NFSRemoteUser schema is lacking in FreeIPA, and if AD is accessible to both client and server, it seems that approach 3 of section 6 above would be the answer? Somehow configure idmap.conf (on NFS clients and servers) to directly query AD? Does that seem correct?

Bryce
From jhrozek at redhat.com Fri Jun 27 07:42:32 2014
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Fri, 27 Jun 2014 09:42:32 +0200
Subject: [Freeipa-users] IPA+AD trust and NFS nobody issue
In-Reply-To: <1403822557.9460.19.camel@willson.usersys.redhat.com>
References: <558C15177F5E714F83334217C9A197DF016C529177@SSC-MBX2.ssc.internal> <538DFC2F.3000703@redhat.com> <558C15177F5E714F83334217C9A197DF016C529446@SSC-MBX2.ssc.internal> <558C15177F5E714F83334217C9A197DF016C5294BB@SSC-MBX2.ssc.internal> <20140604131418.GH2726@redhat.com> <558C15177F5E714F83334217C9A197DF016C529537@SSC-MBX2.ssc.internal> <5390BEF9.2040404@redhat.com> <558C15177F5E714F83334217C9A197DF016C5604B0@SSC-MBX2.ssc.internal> <82E7C9A01FD0764CACDD35D10F5DFB6E6DEC96@001FSN2MPN1-046.001f.mgd2.msft.net> <1403822557.9460.19.camel@willson.usersys.redhat.com>
Message-ID: <20140627074232.GA18083@hendrix.redhat.com>

On Thu, Jun 26, 2014 at 06:42:37PM -0400, Simo Sorce wrote:
> On Thu, 2014-06-26 at 22:02 +0000, Nordgren, Bryce L -FS wrote:
> > > The reason is that rpc.idmapd does not parse fully-qualified usernames
> > > so "adtest at AD.EXAMPLE.ORG@IPA.EXAMPLE.ORG" does not work.
> >
> > If someone can educate me as to why there are two @ signs in the above, I can fix the wiki page (http://www.freeipa.org/page/Collaboration_with_Kerberos#Mechanism_1:_Kerberos_cross-realm_trusts)
> >
> > I know about individual cross-realm principals,
> >
> > adtest/AD.EXAMPLE.ORG at IPA.EXAMPLE.ORG
> >
> > And I know about cross-realm trust principals:
> >
> > krbtgt/AD.EXAMPLE.ORG at IPA.EXAMPLE.ORG
> >
> > But I was under the impression that if a user traversed a trust, their client principal name would still be adtest at AD.EXAMPLE.ORG . I am not aware of any circumstances which would produce a client principal with two "@" signs in it. Pls fix my ignorance.
>
> The second @ is not provided by kerberos, it is rpc.idmapd making false
> assumptions, it does a getpwuid and gets back adtest at ad.example.org as
> the username, to which it decides to slap on the local REALM name with
> an @ sign in between.
>
> I think this is something that may be handled with idmapd.conf
> configuration.
>
> Simo.

Would the idmap sss module we have on the list pending review help here?
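As an added example, not code from this thread or from libnfsidmap, the C program below models the name round trip Simo describes: the server turns a uid into `<pw_name>@<domain>`, and the client strips the domain off again either at the first '@' (the behaviour reported on the list) or at the last '@'. The function names and the sample user and domain values are constructed for illustration.

```c
/*
 * Added example, not code from the thread or from libnfsidmap: a small
 * model of the NFSv4 idmap name round trip Simo describes above.
 * Server side: uid -> getpwuid() -> "<pw_name>@<domain>" on the wire.
 * Client side: split the wire name at an '@', check that the remainder is
 * the local domain, and pass the local part to getpwnam(). When SSSD hands
 * back a fully qualified AD user ("adtest@ad.example.org"), the wire name
 * carries two '@' signs, and a client splitting at the FIRST one never
 * matches the domain (hence "nobody"). Function names are hypothetical.
 */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Case-insensitive string equality (domains compare case-insensitively). */
static int eq_nocase(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == '\0' && *b == '\0';
}

/* Server side: the wire form "<pw_name>@<domain>". Returns 0 or -1. */
int compose_wire_name(const char *pw_name, const char *domain,
                      char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s@%s", pw_name, domain);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Client side: returns a malloc'd local name when the text after the chosen
 * '@' equals `domain`, otherwise NULL (the "does not map into domain" case
 * from the nfsidmap log quoted in this thread). Caller frees the result. */
static char *strip_at(const char *name, const char *domain, int last)
{
    const char *at = last ? strrchr(name, '@') : strchr(name, '@');
    if (at == NULL || !eq_nocase(at + 1, domain))
        return NULL;
    size_t len = (size_t)(at - name);
    char *local = malloc(len + 1);
    if (local == NULL)
        return NULL;
    memcpy(local, name, len);
    local[len] = '\0';
    return local;
}

/* Behaviour reported in the thread: split at the first '@'. */
char *strip_domain_first_at(const char *name, const char *domain)
{
    return strip_at(name, domain, 0);
}

/* Variant that tolerates a qualified pw_name: split at the last '@'. */
char *strip_domain_last_at(const char *name, const char *domain)
{
    return strip_at(name, domain, 1);
}

/* Constructed sample values: the SSSD-qualified AD user and the IPA domain
 * that rpc.idmapd treats as local. */
#define SAMPLE_PW_NAME "adtest@ad.example.org"
#define SAMPLE_DOMAIN  "ipa.example.org"

int main(void)
{
    char wire[256];
    if (compose_wire_name(SAMPLE_PW_NAME, SAMPLE_DOMAIN, wire, sizeof wire) != 0)
        return 1;
    printf("wire name      : %s\n", wire);

    char *bad = strip_domain_first_at(wire, SAMPLE_DOMAIN);
    printf("first-'@' split: %s\n", bad ? bad : "(no match, owner becomes nobody)");

    char *good = strip_domain_last_at(wire, SAMPLE_DOMAIN);
    printf("last-'@' split : %s\n", good ? good : "(no match, owner becomes nobody)");

    free(bad);
    free(good);
    return 0;
}
```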
From sbose at redhat.com Fri Jun 27 08:00:39 2014
From: sbose at redhat.com (Sumit Bose)
Date: Fri, 27 Jun 2014 10:00:39 +0200
Subject: [Freeipa-users] IPA+AD trust and NFS nobody issue
In-Reply-To: <558C15177F5E714F83334217C9A197DF016C5604B0@SSC-MBX2.ssc.internal>
References: <558C15177F5E714F83334217C9A197DF016C529177@SSC-MBX2.ssc.internal> <538DFC2F.3000703@redhat.com> <558C15177F5E714F83334217C9A197DF016C529446@SSC-MBX2.ssc.internal> <558C15177F5E714F83334217C9A197DF016C5294BB@SSC-MBX2.ssc.internal> <20140604131418.GH2726@redhat.com> <558C15177F5E714F83334217C9A197DF016C529537@SSC-MBX2.ssc.internal> <5390BEF9.2040404@redhat.com> <558C15177F5E714F83334217C9A197DF016C5604B0@SSC-MBX2.ssc.internal>
Message-ID: <20140627080039.GA18931@localhost.localdomain>

On Thu, Jun 26, 2014 at 09:04:41PM +0000, Johan Petersson wrote:
> Hi,
>
> First I wish to thank everybody that helped me out trying to solve this issue and I also wish to inform that NFS 4 does not work with AD users through an AD and IPA trust at the moment for RHEL 6 and 7.
>
> The reason is that rpc.idmapd does not parse fully-qualified usernames so "adtest at AD.EXAMPLE.ORG@IPA.EXAMPLE.ORG" does not work.
> The client-side code is stripping the domain off based on the location of the first "@" character in the value returned by the server. This results in UID/GID mappings failing and resulting in ownership on the clients of "nobody".

Thank you for the feedback. FYI there is a rpc.idmapd plugin for SSSD (https://fedorahosted.org/sssd/wiki/DesignDocs/rpc.idmapd%20plugin) currently under review (https://lists.fedorahosted.org/pipermail/sssd-devel/2014-June/020384.html). I'll try to find some time early next week to test if this will help with your use-case.
bye,
Sumit

>
> Regards,
> Johan
>
> From: Dmitri Pal [dpal at redhat.com]
> Sent: Thursday, June 05, 2014 21:03
> To: Johan Petersson; Alexander Bokovoy
> Cc: Sumit Bose; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] IPA+AD trust and NFS nobody issue
>
> On 06/04/2014 09:57 AM, Johan Petersson wrote:
> > Yes the message is exactly like that with commas, I double checked.
> >
> > To answer Sumit's question: Maybe adding 'linux.home' and 'ad.home' to Local-Realms in idmap.conf might help?
> >
> > I did on all machines and got rid of that specific message but I still get user nobody unfortunately.
> >
> > Here are logs from when I did a su - adtest at AD.HOME@linux.home with both AD.HOME and LINUX.HOME added to Local_realms in idmap.conf.
> >
> > Client:
> > Jun 4 15:30:13 client su: (to adtest at ad.home) linux on pts/0
> > Jun 4 15:30:13 client nfsidmap[3602]: key: 0x35965a5f type: gid value: adtest at ad.home@linux.home timeout 600
> > Jun 4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: calling nsswitch->name_to_gid
> > Jun 4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: nsswitch->name_to_gid returned -22
> > Jun 4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: final return value is -22
> > Jun 4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: calling nsswitch->name_to_gid
> > Jun 4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: nsswitch->name_to_gid returned 0
> > Jun 4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: final return value is 0
> Do we have a corresponding SSSD trace that shows the actual process of
> the resolution?
> >
> >
> > NFS Server:
> > Jun 4 15:33:48 share rpc.idmapd[1908]: nfsdcb: authbuf=gss/krb5p authtype=user
> > Jun 4 15:33:48 share rpc.idmapd[1908]: nfs4_uid_to_name: calling nsswitch->uid_to_name
> > Jun 4 15:33:48 share rpc.idmapd[1908]: nfs4_uid_to_name: nsswitch->uid_to_name returned 0
> > Jun 4 15:33:48 share rpc.idmapd[1908]: nfs4_uid_to_name: final return value is 0
> > Jun 4 15:33:48 share rpc.idmapd[1908]: Server : (user) id "497801107" -> name "adtest at ad.home@linux.home"
> > Jun 4 15:33:48 share rpc.idmapd[1908]: nfsdcb: authbuf=gss/krb5p authtype=group
> > Jun 4 15:33:48 share rpc.idmapd[1908]: nfs4_gid_to_name: calling nsswitch->gid_to_name
> > Jun 4 15:33:48 share rpc.idmapd[1908]: nfs4_gid_to_name: nsswitch->gid_to_name returned 0
> > Jun 4 15:33:48 share rpc.idmapd[1908]: nfs4_gid_to_name: final return value is 0
> > Jun 4 15:33:48 share rpc.idmapd[1908]: Server : (group) id "1120000005" -> name "ad_users at linux.home"
> >
> > The group ad_users is a IPA group with external maps from AD Domain users.
> >
> > -----Original Message-----
> > From: Alexander Bokovoy [mailto:abokovoy at redhat.com]
> > Sent: Wednesday, June 04, 2014 3:14 PM
> > To: Johan Petersson
> > Cc: dpal at redhat.com; freeipa-users at redhat.com
> > Subject: Re: [Freeipa-users] IPA+AD trust and NFS nobody issue
> >
> > On Wed, 04 Jun 2014, Johan Petersson wrote:
> >> Mail got posted before I was finished sorry.
> >>
> >> I found one clue to the issue after increasing autofs logging to debug and as I thought it has to do with id-mapping.
> >>
> >> From /var/log/messages:
> >>
> >> Nfsidmap[1696]: nss_getpwnam: name 'adtest at ad.home@linux.home,' does not map into domain 'linux.home,'
> > Are you sure the message is exactly like this, with a comma after linux.home?
> >
> > The reason I'm asking is because the code that prints the message looks like this:
> >
> >     localname = strip_domain(name, domain);
> >     IDMAP_LOG(4, ("nss_getpwnam: name '%s' domain '%s': "
> >             "resulting localname '%s'\n", name, domain, localname));
> >     if (localname == NULL) {
> >         IDMAP_LOG(0, ("nss_getpwnam: name '%s' does not map "
> >                 "into domain '%s'\n", name,
> >                 domain ? domain : ""));
> >         goto err_free_buf;
> >     }
> >
> > note that it doesn't have comma anywhere in the string printed.
> >
> > Can you please increase the log level to 4 so that we can see the first string (nss_getpwnam: name '....' domain '...': resulting localname ...)? it would be
> >
> > [general]
> > Verbosity = 4
> >
> > in /etc/idmapd.conf
> >
> >
> >
> >>
> >> From: freeipa-users-bounces at redhat.com
> >> [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Johan Petersson
> >> Sent: Wednesday, June 04, 2014 12:02 PM
> >> To: dpal at redhat.com; freeipa-users at redhat.com
> >> Subject: Re: [Freeipa-users] IPA+AD trust and NFS nobody issue
> >>
> >> Yes Client is default RHEL 7 and both IPA and NFS Server is as well.
> >>
> >>
> >> server.ad.home = AD Server
> >> share.linux.home = NFS Server
> >> ipa.linux.home = IPA Server
> >> client.linux.home = Client
> >>
> >> NFS with automounted krb5p Home Directories work for IPA users.
> >>
> >> sssd-1.11.2-65.el7.x86_64
> >>
> >> id adtest at AD.HOME
> >> uid=497801107(adtest at ad.home)
> >> gid=497801107(adtest at ad.home)
> >> groups=497801107(adtest at ad.home),497800513(domain users at ad.home)
> >>
> >> getent passwd adtest at AD.HOME
> >> adtest at ad.home:*:497801107:497801107::/home/ad.home/adtest:
> >>
> >> klist after kinit adtest at AD.HOME
> >>
> >> [root at client ~]# klist -e
> >> Ticket cache: KEYRING:persistent:0:0
> >> Default principal: adtest at AD.HOME
> >>
> >> Valid starting       Expires              Service principal
> >> 06/04/14 11:28:35    06/04/14 21:28:35    krbtgt/AD.HOME at AD.HOME
> >>         renew until 06/05/14 11:28:30, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
> >>
> >> klist after ssh adtest at AD.HOME@ipa.linux.home
> >>
> >> klist
> >> Ticket cache: KEYRING:persistent:497801107:krb_ccache_y5TW1kB
> >> Default principal: adtest at AD.HOME
> >>
> >> Valid starting       Expires              Service principal
> >> 06/04/14 11:35:16    06/04/14 21:35:16    nfs/share.linux.home at LINUX.HOME
> >>         renew until 06/05/14 11:28:30
> >> 06/04/14 11:35:16    06/04/14 21:35:16    krbtgt/LINUX.HOME at AD.HOME
> >>         renew until 06/05/14 11:28:30
> >> 06/04/14 11:28:35    06/04/14 21:35:16    krbtgt/AD.HOME at AD.HOME
> >>         renew until 06/05/14 11:28:30
> >>
> >> Home Directory gets mounted by autofs through sssd but user:group is both nobody.
> >>
> >> The Client's sssd.conf:
> >>
> >> [domain/linux.home]
> >>
> >> cache_credentials = True
> >> krb5_store_password_if_offline = True
> >> ipa_domain = linux.home
> >> id_provider = ipa
> >> auth_provider = ipa
> >> access_provider = ipa
> >> ipa_hostname = client.linux.home
> >> chpass_provider = ipa
> >> ipa_dyndns_update = True
> >> ipa_server = _srv_, ipa.linux.home
> >> ldap_tls_cacert = /etc/ipa/ca.crt
> >> autofs_provider = ipa
> >> ipa_automount_location = default
> >> subdomains_provider = ipa
> >> [sssd]
> >> services = nss, pam, autofs, ssh
> >> config_file_version = 2
> >>
> >> domains = linux.home
> >> [nss]
> >>
> >> [pam]
> >>
> >> [sudo]
> >>
> >> [autofs]
> >>
> >> [ssh]
> >>
> >> [pac]
> >>
> >>
> >> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Dmitri Pal
> >> Sent: Tuesday, June 03, 2014 6:48 PM
> >> To: freeipa-users at redhat.com
> >> Subject: Re: [Freeipa-users] IPA+AD trust and NFS nobody issue
> >>
> >> On 06/03/2014 09:07 AM, Johan Petersson wrote:
> >> Hi,
> >>
> >> Environment:
> >>
> >> RHEL 7 IPA Server 3.3 with a trust to a Windows 2012 Server AD
> >> RHEL 7 NFS Server
> >> RHEL 7 Client
> >>
> >> I have found one problem when using a NFS 4 shared Home Directory for AD users logging in to IPA.
> >> I have created a NFS share /home/adexample.org and use autofs map in IPA.
> >> All wbinfo tests works as well as id.
> >> I can login fine through SSH and Shell with adtest at adexample.org
> >> The problem is that I can add the AD user as owner of his Home Directory and if I log in to the NFS Server locally or through ssh permissions are correct but when logging in to any other computer I get "nobody" as owner.
> >> Are those computers RHEL7 NFS clients with SSSD?
> >> Can you describe them in more details please?
> >>
> >> Groups are no problem since AD groups can be mapped to Posix groups.
> >> > >>
> >> > >> Idmap.conf domain is set to the IPA Domain.
> >> > >>
> >> > >> Is there some way to get NFS working with the AD user as owner of his Home Directory?
> >> > >>
> >> > >> Thanks for any help.
> >> > >>
> >> > >> --
> >> > >> Thank you,
> >> > >> Dmitri Pal
> >> > >>
> >> > >> Sr. Engineering Manager IdM portfolio
> >> > >> Red Hat, Inc.
> >
> > --
> > / Alexander Bokovoy
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
From simo at redhat.com Fri Jun 27 13:36:14 2014
From: simo at redhat.com (Simo Sorce)
Date: Fri, 27 Jun 2014 09:36:14 -0400
Subject: [Freeipa-users] IPA+AD trust and NFS nobody issue
In-Reply-To: <82E7C9A01FD0764CACDD35D10F5DFB6E6DED1A@001FSN2MPN1-046.001f.mgd2.msft.net>
References: <558C15177F5E714F83334217C9A197DF016C529177@SSC-MBX2.ssc.internal> <538DFC2F.3000703@redhat.com> <558C15177F5E714F83334217C9A197DF016C529446@SSC-MBX2.ssc.internal> <558C15177F5E714F83334217C9A197DF016C5294BB@SSC-MBX2.ssc.internal> <20140604131418.GH2726@redhat.com> <558C15177F5E714F83334217C9A197DF016C529537@SSC-MBX2.ssc.internal> , <5390BEF9.2040404@redhat.com> <558C15177F5E714F83334217C9A197DF016C5604B0@SSC-MBX2.ssc.internal> <82E7C9A01FD0764CACDD35D10F5DFB6E6DEC96@001FSN2MPN1-046.001f.mgd2.msft.net> <1403822557.9460.19.camel@willson.usersys.redhat.com> <82E7C9A01FD0764CACDD35D10F5DFB6E6DECF9@001FSN2MPN1-046.001f.mgd2.msft.net> <82E7C9A01FD0764CACDD35D10F5DFB6E6DED1A@001FSN2MPN1-046.001f.mgd2.msft.net>
Message-ID: <1403876174.3551.9.camel@willson.usersys.redhat.com>

On Fri, 2014-06-27 at 00:10 +0000, Nordgren, Bryce L -FS wrote:
> Also:
> http://tools.ietf.org/html/draft-adamson-nfsv4-multi-domain-access-04
>
> Never became an RFC, but cites Simo's I-D on a Kerberos PAC.
>
> I like the CITI approach better (also approach 2 of section 6 in the
> above I-D). I have no use for the groups defined in my active
> directory. Also, for the external collaboration case, my AD may not be
> accessible to an NFS server outside the firewall.
>
> However, if (?) support for an NFSRemoteUser schema is lacking in
> FreeIPA, and if AD is accessible to both client and server, it seems
> that approach 3 of section 6 above would be the answer? Somehow
> configure idmap.conf (on NFS clients and servers) to directly query
> AD? Does that seem correct?
I honestly think (and gave this feedback to the authors in the past) that trying to standardize on LDAP in an NFS document is wrong; it should be implementation specific. I think NFS should define roughly how a mapping service should behave, but should not try to dictate how Directory services can/should be used; the variations and modes of use are just too big in the real world, and keep changing.

Moreover, it is already incorrect to believe all identities can be resolved by contacting a single LDAP server (AD trusted forests as an example), and that the LDAP server can actually fully resolve group memberships (again AD, and even FreeIPA when trusting AD forests) without using custom operations that are only fully correct when run by the KDC (or other RPC service, again see AD).

In the FreeIPA case, for example, we do not (normally) convey AD groups to the service and instead map (some of) them into FreeIPA external groups; a client that tries to query the AD service directly (assuming you have direct access, which is often not true) would not get cross-realm group memberships as defined in the IPA server and would therefore cause issues.

Simo.
--
Simo Sorce * Red Hat, Inc * New York

From simo at redhat.com Fri Jun 27 13:41:19 2014
From: simo at redhat.com (Simo Sorce)
Date: Fri, 27 Jun 2014 09:41:19 -0400
Subject: [Freeipa-users] IPA+AD trust and NFS nobody issue
In-Reply-To: <82E7C9A01FD0764CACDD35D10F5DFB6E6DECF9@001FSN2MPN1-046.001f.mgd2.msft.net>
References: <558C15177F5E714F83334217C9A197DF016C529177@SSC-MBX2.ssc.internal> <538DFC2F.3000703@redhat.com> <558C15177F5E714F83334217C9A197DF016C529446@SSC-MBX2.ssc.internal> <558C15177F5E714F83334217C9A197DF016C5294BB@SSC-MBX2.ssc.internal> <20140604131418.GH2726@redhat.com> <558C15177F5E714F83334217C9A197DF016C529537@SSC-MBX2.ssc.internal> , <5390BEF9.2040404@redhat.com> <558C15177F5E714F83334217C9A197DF016C5604B0@SSC-MBX2.ssc.internal> <82E7C9A01FD0764CACDD35D10F5DFB6E6DEC96@001FSN2MPN1-046.001f.mgd2.msft.net> <1403822557.9460.19.camel@willson.usersys.redhat.com> <82E7C9A01FD0764CACDD35D10F5DFB6E6DECF9@001FSN2MPN1-046.001f.mgd2.msft.net>
Message-ID: <1403876479.3551.11.camel@willson.usersys.redhat.com>

On Thu, 2014-06-26 at 23:21 +0000, Nordgren, Bryce L -FS wrote:
> > The second @ is not provided by kerberos, it is rpc.idmapd making false
> > assumptions, it does a getpwuid and gets back adtest at ad.example.org as
> > the username, to which it decides to slap on the local REALM name with an @
> > sign in between.
> >
> > I think this is something that may be handled with idmapd.conf configuration.
>
> Muchas gracias. This makes sense.
>
> Found an old presentation on the topic [1]. Slide 15 is particularly
> relevant. Slide 4, however, taught me something I didn't know: NFS
> wants to deal with NFSv4 domain names (slide 3), which can be
> different than GSS principal names (Kerberos principals). There is
> only one NFS domain, but there can be multiple security realms and
> multiple DNS domains (slide 2).
>
> The crux of this is on slide 14: "Need to add posixAccount with
> GSSAuthName for UID/GID mapping of remote user".
> Is this another use
> case for views?

Yes, it *may* be.

> What I'm not quite clear on is the interaction between idmapd and ldap
> (slides 15,16,18). Does idmapd want to see this "NFSv4RemoteUser"
> schema on the LDAP server? Is this schema something that FreeIPA would
> have to support for NFS to work with cross-realm trusts? Or has the
> landscape changed since this 2005 presentation?

The landscape has changed and evolved, and I never really saw adoption of this CITI proposal myself. It may have happened somewhere I guess, but I do not think it is prevalent.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From davis.goodman at digital-district.ca Fri Jun 27 17:23:43 2014
From: davis.goodman at digital-district.ca (Davis Goodman)
Date: Fri, 27 Jun 2014 13:23:43 -0400
Subject: [Freeipa-users] [SOLVED] Re: FreeIPA backend. Mavericks server shows UIDs instead of usernames in File Sharing.
In-Reply-To: <1397685965.19767.471.camel@willson.li.ssimo.org>
References: <1397568653.19767.289.camel@willson.li.ssimo.org> <1397685965.19767.471.camel@willson.li.ssimo.org>
Message-ID:

Hi Fredy,

We have integrated our Mac Workstations (Mountain Lion and Mavericks) with FreeIPA with good success except for password change.

Does your method allow users to change their password through the OSX interface, for example when a new user is created and logs in for the first time?

For now we need to have our users go through the web interface of a different workstation to change their newly created account password.

At this point that is the only thing that still doesn't work for us.

Davis

Davis Goodman
Directeur Informatique | IT Manager
5605 Avenue de Gaspé, Suite 408 | Montréal, QC H2T 2A4

From: Simo Sorce simo at redhat.com
Reply: Simo Sorce simo at redhat.com
Date: April 16, 2014 at 18:06:27
To: Fredy Sanchez fredy.sanchez at modmed.com
Cc: Guillermo Fuentes guillermo.fuentes at modernizingmedicine.com, freeipa-users at redhat.com freeipa-users at redhat.com
Subject:
[Freeipa-users] [SOLVED] Re: FreeIPA backend. Mavericks server shows UIDs instead of usernames in File Sharing.

Good! And thanks for letting us know, it may help other users too.

Simo.

On Wed, 2014-04-16 at 17:58 -0400, Fredy Sanchez wrote:
> Hi Simo,
>
> Thanks for your reply. Good old Google pointed me to
> https://github.com/rtrouton/rtrouton_scripts/blob/master/rtrouton_scripts/open-ldap_bind_script/Mac_OpenLDAP_bind_script.sh,
> which gave me the idea of updating the RealName mapping to displayName. This solved the problem, I'll
> have to recreate the permissions for every share, but the user names now
> show up, and stick. No more UIDs.
>
>
> On Tue, Apr 15, 2014 at 9:30 AM, Simo Sorce wrote:
>
> > On Fri, 2014-04-11 at 10:37 -0400, Fredy Sanchez wrote:
> > > Hi all,
> > >
> > > We asked this same question at discussions.apple.com, but figured we'd
> > > have better luck here. I apologize in advance if this is the wrong forum.
> > >
> > > We are switching from Synology (DSM 5) to Mavericks server (v3.1.1.
> > > running in Mavericks 10.9.2) for File Sharing. We use a FreeIPA
> > > (ipa-server.x86_64 3.0.0-37.el6) backend for SSO, and the Mac server seems correctly
> > > bound to it. Unfortunately, although we can add usernames to the shares
> > > for the initial config, the usernames transform to UIDs after (only for SSO
> > > accounts; local accounts are not affected). That is, when we go to edit
> > > the permissions for a share, all we see are UIDs. We can always figure out
> > > the username from the UID, but this is an extra step we don't want to have.
> > > We've tried reinstalling the Mac server app from scratch, re-binding to
> > > the FreeIPA backend, changing mappings in Directory Utility (for example,
> > > mapping GeneratedUID to uid, which is the username), recreating the
> > > shares and permissions, etc.
> > > Here are more details about the binding:
> > >
> > > * The binding happens thru a custom package we created based primarily on
> > >   http://linsec.ca/Using_FreeIPA_for_User_Authentication#Mac_OS_X_10.7.2F10.8
> > > * Sys Prefs, Users & Groups, Login Options show the server bound to the
> > >   FreeIPA backend with the green dot
> > > * The following mappings are in place in Directory Utility, Services,
> > >   LDAPv3, FreeIPA backend
> > >
> > > Users: inetOrgPerson
> > >   AuthenticationAuthority: uid
> > >   GeneratedUID: random number in uppercase
> > >   HomeDirectory: #/Users/$uid$
> > >   NFSHomeDirectory: #/Users/$uid$
> > >   OriginalHomeDirectory: #/Users/$uid$
> > >   PrimaryGroupID: gidNumber
> > >   RealName: cn
> > >   RecordName: uid
> > >   UniqueID: uidNumber
> > >   UserShell: loginShell
> > > Groups: posixgroup
> > >   PrimaryGroupID: gidNumber
> > >   RecordName: cn
> > >
> > > The search bases are correct
> > >
> > > * Directory Utility, Directory Editor shows the right info for the users.
> > > * $ id $USERNAME shows the right information for the user
> > >
> > > FreeIPA is working beautifully for our Mac / Linux environment. We
> > > provide directory services to about 300 hosts, and 200 employees using it; and
> > > haven't had any problems LDAP wise until now. So we think we are missing
> > > a mapping here. Any ideas?
> >
> > Fredy,
> > I quickly tried to check for some documentation on how to configure this
> > stuff, but found only useless superficial guides on how to find the
> > pointy/clicky buttons to push to enable the service.
> >
> > I am not a Mac expert by a long shot so I cannot help you much here.
> >
> > Is there any guide available on how to use this service with other LDAP
> > servers, like openLDAP or Active Directory ? We can probably draw some
> > conclusions from there.
> >
> > Simo.
> >
> > --
> > Simo Sorce * Red Hat, Inc * New York
> >
> >

--
Simo Sorce * Red Hat, Inc * New York

From maleko42 at gmail.com Fri Jun 27 18:23:47 2014
From: maleko42 at gmail.com (Mark Gardner)
Date: Fri, 27 Jun 2014 14:23:47 -0400
Subject: [Freeipa-users] Help: Rebooted IPA server and AD Trust shows offline
Message-ID:

Was trying to add an external ad group to IPA, it kept failing with unable to connect to server.

Figured I'd reboot to clear things up. Oops.

Now wbinfo --online-status shows our AD as offline.
wbinfo -u shows blank

wbinfo -n 'DOMAIN\user' gives the following message:

failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
could not lookup 'Domain\user'

I saw a similar post in the freeipa-users archive about adding
client min protocol = CORE
client max protocol = SMB2_02
to the samba config; restarted winbind and still getting errors

FreeIPA 3.0
Windows 2008 R2.

From Johan.Petersson at sscspace.com Fri Jun 27 18:57:25 2014
From: Johan.Petersson at sscspace.com (Johan Petersson)
Date: Fri, 27 Jun 2014 18:57:25 +0000
Subject: [Freeipa-users] Help: Rebooted IPA server and AD Trust shows offline
In-Reply-To:
References:
Message-ID: <558C15177F5E714F83334217C9A197DF016C560712@SSC-MBX2.ssc.internal>

Hi,

Probably there are better ways to solve this issue but the way that works for me is to validate the trust from the AD side after a reboot of the IPA Server - it always shows as offline for me too.
On 2012 Server you can do this through Active Directory Domains and Trusts - properties on your domain and go to the trust tab - properties again. Next you press validate on the General tab. AD will ask for authentication but that can be skipped.

AD Trust will be back online right away and you can check it through wbinfo --online-status.

Probably the procedure is similar on Server 2008.

Johan
From bnordgren at fs.fed.us Fri Jun 27 20:22:29 2014
From: bnordgren at fs.fed.us (Nordgren, Bryce L -FS)
Date: Fri, 27 Jun 2014 20:22:29 +0000
Subject: [Freeipa-users] IPA+AD trust and NFS nobody issue
In-Reply-To: <20140627074232.GA18083@hendrix.redhat.com>
References: <558C15177F5E714F83334217C9A197DF016C529177@SSC-MBX2.ssc.internal> <538DFC2F.3000703@redhat.com> <558C15177F5E714F83334217C9A197DF016C529446@SSC-MBX2.ssc.internal> <558C15177F5E714F83334217C9A197DF016C5294BB@SSC-MBX2.ssc.internal> <20140604131418.GH2726@redhat.com> <558C15177F5E714F83334217C9A197DF016C529537@SSC-MBX2.ssc.internal> <5390BEF9.2040404@redhat.com> <558C15177F5E714F83334217C9A197DF016C5604B0@SSC-MBX2.ssc.internal> <82E7C9A01FD0764CACDD35D10F5DFB6E6DEC96@001FSN2MPN1-046.001f.mgd2.msft.net> <1403822557.9460.19.camel@willson.usersys.redhat.com> <20140627074232.GA18083@hendrix.redhat.com>
Message-ID: <82E7C9A01FD0764CACDD35D10F5DFB6E6DEF17@001FSN2MPN1-046.001f.mgd2.msft.net>

> Would the idmap sss module we have on the list pending review help here?

My read of the design page suggests that the plugin is 66% of a solution. There are three types of identities which need to be related:

* local machine accounts/identities (meaningful to the filesystem)
* security principals (Kerberos or pki)
* NFSv4 identities (the user at example.com string NFS sends over the wire)

I see the first two represented on the design, but not the last. I suspect that this means that the plugin regards security principals and NFSv4 identities as the same thing, which may mean it won't work for multiple domains? Let me turn the question on its head: according to the OP, the NFS server and client are in Kerberos realm FREEIPA.EXAMPLE.ORG, and the user principals are from realm AD.EXAMPLE.ORG. Would your plugin work? What happens to your plugin if either the client or the server (but only one) moves to AD.EXAMPLE.ORG?
Can the plugin consistently map security principals to NFS principals regardless of where it is running?

I have a more basic confusion though: I can't tell from the design page whether rpc.idmapd is using sssd to get ids or vice versa...

Bryce

From bnordgren at fs.fed.us Fri Jun 27 20:28:50 2014
From: bnordgren at fs.fed.us (Nordgren, Bryce L -FS)
Date: Fri, 27 Jun 2014 20:28:50 +0000
Subject: [Freeipa-users] IPA+AD trust and NFS nobody issue
In-Reply-To: <1403876479.3551.11.camel@willson.usersys.redhat.com>
References: <558C15177F5E714F83334217C9A197DF016C529177@SSC-MBX2.ssc.internal> <538DFC2F.3000703@redhat.com> <558C15177F5E714F83334217C9A197DF016C529446@SSC-MBX2.ssc.internal> <558C15177F5E714F83334217C9A197DF016C5294BB@SSC-MBX2.ssc.internal> <20140604131418.GH2726@redhat.com> <558C15177F5E714F83334217C9A197DF016C529537@SSC-MBX2.ssc.internal> , <5390BEF9.2040404@redhat.com> <558C15177F5E714F83334217C9A197DF016C5604B0@SSC-MBX2.ssc.internal> <82E7C9A01FD0764CACDD35D10F5DFB6E6DEC96@001FSN2MPN1-046.001f.mgd2.msft.net> <1403822557.9460.19.camel@willson.usersys.redhat.com> <82E7C9A01FD0764CACDD35D10F5DFB6E6DECF9@001FSN2MPN1-046.001f.mgd2.msft.net> <1403876479.3551.11.camel@willson.usersys.redhat.com>
Message-ID: <82E7C9A01FD0764CACDD35D10F5DFB6E6DEF2C@001FSN2MPN1-046.001f.mgd2.msft.net>

> -----Original Message-----
> > What I'm not quite clear on is the interaction between idmapd and ldap
> > (slides 15,16,18). Does idmapd want to see this "NFSv4RemoteUser"
> > schema on the LDAP server?
> > Is this schema something that FreeIPA would
> > have to support for NFS to work with cross-realm trusts? Or has the
> > landscape changed since this 2005 presentation?
>
> The landscape has changed and evolved, and I never really saw adoption of
> this CITI proposal myself. It may have happened somewhere I guess, but I do
> not think it is prevalent.

Poking a little more, I'm seeing something pretty similar to this proposal in the UMICH_SCHEMA section here: http://linux.die.net/man/5/idmapd.conf

This appears to be the same man page which ships with Fedora 20. It looks like it's configurable, with the defaults being more or less the attributes mentioned in the 2005 powerpoint...

If views were to support these attributes, external security principals could have a nice centralized mapping to NFS for the freeipa managed linux environment...

Bryce
From jhrozek at redhat.com Sun Jun 29 10:01:06 2014
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Sun, 29 Jun 2014 12:01:06 +0200
Subject: [Freeipa-users] IPA+AD trust and NFS nobody issue
In-Reply-To: <82E7C9A01FD0764CACDD35D10F5DFB6E6DEF17@001FSN2MPN1-046.001f.mgd2.msft.net>
References: <558C15177F5E714F83334217C9A197DF016C529177@SSC-MBX2.ssc.internal> <538DFC2F.3000703@redhat.com> <558C15177F5E714F83334217C9A197DF016C529446@SSC-MBX2.ssc.internal> <558C15177F5E714F83334217C9A197DF016C5294BB@SSC-MBX2.ssc.internal> <20140604131418.GH2726@redhat.com> <558C15177F5E714F83334217C9A197DF016C529537@SSC-MBX2.ssc.internal> <5390BEF9.2040404@redhat.com> <558C15177F5E714F83334217C9A197DF016C5604B0@SSC-MBX2.ssc.internal> <82E7C9A01FD0764CACDD35D10F5DFB6E6DEC96@001FSN2MPN1-046.001f.mgd2.msft.net> <1403822557.9460.19.camel@willson.usersys.redhat.com> <20140627074232.GA18083@hendrix.redhat.com> <82E7C9A01FD0764CACDD35D10F5DFB6E6DEF17@001FSN2MPN1-046.001f.mgd2.msft.net>
Message-ID:

On 27 Jun 2014, at 22:22, Nordgren, Bryce L -FS wrote:

>
>> Would the idmap sss module we have on the list pending review help here?
>
> My read of the design page suggests that the plugin is 66% of a solution. There are three types of identities which need to be related:
>
> * local machine accounts/identities (meaningful to the filesystem)
> * security principals (Kerberos or pki)
> * NFSv4 identities (the user at example.com string NFS sends over the wire)
>
> I see the first two represented on the design, but not the last. I suspect that this means that the plugin regards security principals and NFSv4 identities as the same thing, which may mean it won't work for multiple domains? Let me turn the question on its head: according to the OP, the NFS server and client is in Kerberos realm FREEIPA.EXAMPLE.ORG, and the user principals are from realm AD.EXAMPLE.ORG. Would your plugin work?
I haven't tested this scenario yet, but I assume it would as long as sssd was able to resolve username at AD.EXAMPLE.ORG and there was a trust relationship between FREEIPA.EXAMPLE.ORG and AD.EXAMPLE.ORG. But again, this is something that needs more testing.

> What happens to your plugin if either the client or the server (but only one) moves to AD.EXAMPLE.ORG? Can the plugin consistently map security principals to NFS principals regardless of where it is running?
>
> I have a more basic confusion though: I can't tell from the design page whether rpc.idmapd is using sssd to get ids or vice versa...
>

yes, rpc.idmapd is calling an sssd plugin to resolve identities.

> Bryce
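The double "@" that Simo explains earlier in this thread (rpc.idmapd calls getpwuid(), gets back a name SSSD has already qualified with the AD domain, and appends the local NFSv4 domain on top) is easy to see in a small model. This is an added toy model, not code from the thread, from SSSD or from nfs-utils: the uids, names and domains are constructed sample values, and the server-side parser is a simplified stand-in for what the real idmapper does, kept only to show why the naive client-side encoding ends up as nobody.

```python
"""Toy model of NFSv4 id mapping for a trusted-AD user (added example).

Reproduces the failure discussed in the thread: a POSIX name that already
carries a domain ("adtest@ad.home", as SSSD returns it for a trusted AD
user) gets the local NFSv4 domain appended a second time, and the receiving
side cannot decode "adtest@ad.home@linux.home", so the file is owned by
nobody.  All values below are constructed; nothing here talks to a real
passwd database, SSSD or rpc.idmapd.
"""
from typing import Callable, Dict, Optional

NOBODY_UID = 65534
LOCAL_NFS_DOMAIN = "linux.home"                # stands in for Domain= in idmapd.conf
TRUSTED_DOMAINS = {"linux.home", "ad.home"}    # domains the server will accept

# Constructed stand-in for getpwuid()/getpwnam(): one local IPA user and one
# AD user whose POSIX name is already domain-qualified.
PASSWD: Dict[int, str] = {
    1000: "alice",
    497801107: "adtest@ad.home",
}
PASSWD_BY_NAME: Dict[str, int] = {name: uid for uid, name in PASSWD.items()}


def uid_to_wire_naive(uid: int, nfs_domain: str = LOCAL_NFS_DOMAIN) -> Optional[str]:
    """Client side as the thread describes it: getpwuid(), then
    unconditionally append '@' + local NFSv4 domain.  An already-qualified
    name comes out with two '@' signs."""
    name = PASSWD.get(uid)
    return None if name is None else f"{name}@{nfs_domain}"


def uid_to_wire_fixed(uid: int, nfs_domain: str = LOCAL_NFS_DOMAIN) -> Optional[str]:
    """Client side, corrected: a name that already contains '@' is treated
    as fully qualified and sent unchanged."""
    name = PASSWD.get(uid)
    if name is None:
        return None
    return name if "@" in name else f"{name}@{nfs_domain}"


def wire_to_uid(wire_name: str) -> int:
    """Server side (simplified): the string must be exactly user@domain
    with a domain the server accepts, otherwise it maps to nobody.
    Splitting at the first '@' is what turns the double-qualified name
    into an unknown domain ("ad.home@linux.home")."""
    user, sep, domain = wire_name.partition("@")
    domain = domain.lower()
    if not sep or not user or domain not in TRUSTED_DOMAINS:
        return NOBODY_UID
    # Rebuild the POSIX spelling: local users are bare, trusted users keep
    # their domain suffix exactly as the passwd database returns it.
    posix_name = user if domain == LOCAL_NFS_DOMAIN else f"{user}@{domain}"
    return PASSWD_BY_NAME.get(posix_name, NOBODY_UID)


def round_trip(uid: int, encoder: Callable[[int], Optional[str]]) -> int:
    """Encode a uid on the client with `encoder`, decode it on the server."""
    wire = encoder(uid)
    return NOBODY_UID if wire is None else wire_to_uid(wire)


if __name__ == "__main__":
    for uid in PASSWD:
        print(f"uid {uid}: naive -> {round_trip(uid, uid_to_wire_naive)}, "
              f"fixed -> {round_trip(uid, uid_to_wire_fixed)}")
```

The local user survives both encoders; the AD user survives only the fixed one, which is the symptom the original poster saw (correct ownership locally, nobody over NFS).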
From bnordgren at fs.fed.us Sun Jun 29 20:51:35 2014
From: bnordgren at fs.fed.us (Nordgren, Bryce L -FS)
Date: Sun, 29 Jun 2014 20:51:35 +0000
Subject: [Freeipa-users] IPA+AD trust and NFS nobody issue
In-Reply-To:
References: <558C15177F5E714F83334217C9A197DF016C529177@SSC-MBX2.ssc.internal> <538DFC2F.3000703@redhat.com> <558C15177F5E714F83334217C9A197DF016C529446@SSC-MBX2.ssc.internal> <558C15177F5E714F83334217C9A197DF016C5294BB@SSC-MBX2.ssc.internal> <20140604131418.GH2726@redhat.com> <558C15177F5E714F83334217C9A197DF016C529537@SSC-MBX2.ssc.internal> <5390BEF9.2040404@redhat.com> <558C15177F5E714F83334217C9A197DF016C5604B0@SSC-MBX2.ssc.internal> <82E7C9A01FD0764CACDD35D10F5DFB6E6DEC96@001FSN2MPN1-046.001f.mgd2.msft.net> <1403822557.9460.19.camel@willson.usersys.redhat.com> <20140627074232.GA18083@hendrix.redhat.com> <82E7C9A01FD0764CACDD35D10F5DFB6E6DEF17@001FSN2MPN1-046.001f.mgd2.msft.net>
Message-ID: <82E7C9A01FD0764CACDD35D10F5DFB6E6DF146@001FSN2MPN1-046.001f.mgd2.msft.net>

> > I see the first two represented on the design, but not the last. I suspect
> > that this means that the plugin regards security principals and NFSv4
> > identities as the same thing, which may mean it won't work for multiple
> > domains? Let me turn the question on its head: according to the OP, the NFS
> > server and client is in Kerberos realm FREEIPA.EXAMPLE.ORG, and the user
> > principals are from realm AD.EXAMPLE.ORG. Would your plugin work?
>
> I haven't tested this scenario yet, but I assume it would as long as sssd was
> able to resolve username at AD.EXAMPLE.ORG and there was a trust
> relationship between FREEIPA.EXAMPLE.ORG and AD.EXAMPLE.ORG. But
> again, this is something that needs more testing.

The OP said the reason for the failure was that the principal was "username at AD.EXAMPLE.ORG@FREEIPA.EXAMPLE.ORG", which Simo said was due to rpc.idmapd constructing the principal incorrectly. Does your plugin have the ability to alter how rpc.idmapd constructs principals?
This may be the key.

> yes, rpc.idmapd is calling an sssd plugin to resolve identities.

As I understand it, the NFS identities sent over the wire serve much the same purpose as a Kerberos NT_Enterprise name. That is, NFS ids over the wire should all be "username at example.org" regardless of whether the user is defined in FREEIPA.EXAMPLE.ORG or AD.EXAMPLE.ORG. This makes rpc.idmapd responsible for two things:

1] Mapping username at example.org to UID/GID and vice versa;
2] Mapping username at example.org to the exact Kerberos security principal used for authentication (username at AD.EXAMPLE.ORG) (and vice versa).

SSSD can do #1. Can it do #2? Can it do #2 if there's no connection to the domain in which the user is defined?

I suspect there is some value in endowing sssd with capability #2 which reaches well beyond NFS. For instance, people would no longer need to type their username as "username at AD.EXAMPLE.ORG" at login prompts (web or ssh). The people I deal with don't know their Kerberos principal name.

OTOH, if the "plugin" went the other direction, allowing sssd to resolve ids using an rpc.idmapd configured to point to a local ldap server with a passable facsimile of the umich schema, that might add the most functionality with the least new code. The local mappings bind an external security principal to a local username/uid/gid, and give the local admins a tool to manage/resolve conflicts with externally managed domains. This removes the need to contact a foreign realm which may be protected by a firewall. Local conflict resolution and not contacting servers you don't control are probably the biggest reasons to add these mappings to freeipa once views are up.

It helps me to remember that a trust and connectivity are not the same thing. From within my firewall, I can kinit (@AD.EXAMPLE.ORG), walk an authentication path which terminates outside my firewall, and obtain a ticket for a "collaboration" server (@FREEIPA.EXAMPLE.ORG).
This may exclude using sssd, since it seems predicated on configuring contactable domains. It does not exclude using a future umich-schema-view-enabled freeipa.

Thinking out loud, in the near term, a viable solution for manual conflict management may be to stand up a separate ldap server to contain just the umich schema elements for external users + those defined in freeipa. Poor man's views. :) Or just put it somewhere in the 389ds dit that freeipa will ignore... I may have to try this if I can work it in....

Bryce

From kliu at alumni.warwick.ac.uk Mon Jun 30 04:31:15 2014
From: kliu at alumni.warwick.ac.uk (Barry)
Date: Mon, 30 Jun 2014 12:31:15 +0800
Subject: [Freeipa-users] ipa-replica-manage list fail on server 2
Message-ID:

Hi:

Server 1 and Server 2 were originally a master-master cluster, but server 2 fails to connect to server 1.

ipa-replica-manage list shows: Can't contact LDAP server

But on server 1 it is ok: master server1, master server2.

It seems that if I update on server 1 then it syncs to server 2 with no problem, but sometimes if I modify on server 2 it fails to update server 1.

Any idea how to rebuild the mutual relationship?

thanks
barry
From sbose at redhat.com Mon Jun 30 08:43:34 2014
From: sbose at redhat.com (Sumit Bose)
Date: Mon, 30 Jun 2014 10:43:34 +0200
Subject: [Freeipa-users] Help: Rebooted IPA server and AD Trust shows offline
In-Reply-To:
References:
Message-ID: <20140630084334.GI18931@localhost.localdomain>

On Fri, Jun 27, 2014 at 02:23:47PM -0400, Mark Gardner wrote:
> Was trying to add an external ad group to IPA, it kept failing with unable
> to connect to server.
>
> Figured I'd reboot to clear things up. Oops.
>
> Now wbinfo --online-status shows are AD as offline.
> wbinfo -u shows blank
>
> wbinfo -n 'DOMAIN\user' gives the following message:
>
> failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
> could not lookup 'Domain\user'

There might be various reasons for this issue. To debug this winbindd logs are needed. Please

- call "net conf setparm global 'log level' 10" on the command line
- stop smbd and winbindd
- remove (or save at a different location) the log files in /var/log/samba
- start smbd and winbindd
- run "wbinfo -n 'DOMAIN\user'" again
- check /var/log/samba/wb-ADDOMAIN for errors

Feel free to send the log to the list or directly to me if you think the file is too large for a mailing-list or if it might contain sensitive information.

bye,
Sumit

>
> I saw a similar post in the freeipa-users archive about adding
> client min protocol = CORE
> client max protocol = SMB2_02
> to the samba config; restarted winbind and still getting errors
>
> FreeIPA 3.0
> Windows 2008 R2.
From alex at gitinsky.com Mon Jun 30 12:40:25 2014
From: alex at gitinsky.com (Alex Chistyakov)
Date: Mon, 30 Jun 2014 12:40:25 +0000 (GMT)
Subject: [Freeipa-users] Can't change password of FreeIPA admin - “Current password's minimum life has not expired”
In-Reply-To: <923046100.3434.1404132005660.JavaMail.zimbra@gitinsky.com>
Message-ID: <2086592516.3435.1404132025587.JavaMail.zimbra@gitinsky.com>

Hello,

We have a FreeIPA-based system, admin's password has expired and needs to be changed but the standard password changing procedure over SSH fails:

sashka at cellar ~ ssh admin at ipa.xxxxxxxxxx.com
admin at ipa.goodwix.com's password:
Password expired. Change your password now.
Last failed login: Mon Jun 30 15:38:21 MSK 2014 from 116.10.191.195 on ssh:notty
There were 6071 failed login attempts since the last successful login.
Last login: Wed Apr 16 19:28:54 2014
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user admin.
Current Password:
New password:
Retype new password:
Password change failed. Server message: Current password's minimum life has not expired

Password not changed.
passwd: Authentication token manipulation error
Connection to ipa.xxxxxxxxxx.com closed.

If we try to change the password using passwd it fails too with the same error message:

[admin at ipa ~]$ passwd
Changing password for user admin.
Current Password:
New password:
Retype new password:
Password change failed. Server message: Current password's minimum life has not expired

Password not changed.
passwd: Authentication token manipulation error
[admin at ipa ~]$

What should we do to resolve this situation?

Thank you!
--
SY,
Alexander Chistyakov,
Senior Cloud Engineer,
Git in Sky

From rcritten at redhat.com Mon Jun 30 12:59:00 2014
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 30 Jun 2014 08:59:00 -0400
Subject: [Freeipa-users] ipa-replica-manage list fail on server 2
In-Reply-To:
References:
Message-ID: <53B15F14.6000108@redhat.com>

Barry wrote:
> Hi:
>
> Server 1 and Server 2 is cluster master master originally, but server 2
> fail to connect server1.
>
> ipa-replica-manage list shown Can't contact LDAP server
>
> But as server1 it is ok master server1 master server2,
>
> It seem affect if update on server 1 then it syn to server2 no problem
> but sometimes if modify in server2 if fail to update server1.
>
> Any idea to rebuild mutual relationship?

The first step is to diagnose what is wrong. I've already suggested a few
things, https://www.redhat.com/archives/freeipa-users/2014-June/msg00105.html

rob

From rcritten at redhat.com Mon Jun 30 13:03:46 2014
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 30 Jun 2014 09:03:46 -0400
Subject: [Freeipa-users] Can't change password of FreeIPA admin - “Current password's minimum life has not expired”
In-Reply-To: <2086592516.3435.1404132025587.JavaMail.zimbra@gitinsky.com>
References: <2086592516.3435.1404132025587.JavaMail.zimbra@gitinsky.com>
Message-ID: <53B16032.6010103@redhat.com>

Alex Chistyakov wrote:
> Hello,
>
> We have a FreeIPA-based system, admin's password has expired and needs to
> be changed but the standard password changing procedure over SSH fails:
>
> sashka at cellar ~ ssh admin at ipa.xxxxxxxxxx.com
> admin at ipa.goodwix.com's password:
> Password expired. Change your password now.
> Last failed login: Mon Jun 30 15:38:21 MSK 2014 from 116.10.191.195 on ssh:notty
> There were 6071 failed login attempts since the last successful login.
> Last login: Wed Apr 16 19:28:54 2014
> WARNING: Your password has expired.
> You must change your password now and login again!
> Changing password for user admin.
> Current Password:
> New password:
> Retype new password:
> Password change failed. Server message: Current password's minimum life has not expired
>
> Password not changed.
> passwd: Authentication token manipulation error
> Connection to ipa.xxxxxxxxxx.com closed.
>
> If we try to change the password using passwd it fails too with the same
> error message:
>
> [admin at ipa ~]$ passwd
> Changing password for user admin.
> Current Password:
> New password:
> Retype new password:
> Password change failed. Server message: Current password's minimum life has not expired
>
> Password not changed.
> passwd: Authentication token manipulation error
> [admin at ipa ~]$
>
> What should we do to resolve this situation?

I'd eventually look at your password policy to see what the min/max values
are.

To force a password change and avoid password policy you need to bind as
the Directory Manager. Using ldappasswd will help with that:

$ ldappasswd -x -D 'cn=Directory Manager' -W uid=admin,cn=users,cn=accounts,dc=example,dc=com -A -S
Old password:
Re-enter old password:
New password:
Re-enter new password:
Enter LDAP Password:

I'd run this on the IPA master for ease-of-use. It should have a
pre-configured ldap.conf which sets the host and enables TLS. Otherwise
you'll need to add a -h and -Z to the command.

rob

From fredy.sanchez at modmed.com Mon Jun 30 23:09:44 2014
From: fredy.sanchez at modmed.com (Fredy Sanchez)
Date: Mon, 30 Jun 2014 19:09:44 -0400
Subject: [Freeipa-users] [SOLVED] Re: FreeIPA backend. Mavericks server shows UIDs instead of usernames in File Sharing.
In-Reply-To:
References: <1397568653.19767.289.camel@willson.li.ssimo.org> <1397685965.19767.471.camel@willson.li.ssimo.org>
Message-ID:

Hi Davis,

We tried to get this working for a couple of days, but gave up. It is
actually better for us to have our users reset their FreeIPA passwords only
from the web interface.
On Fri, Jun 27, 2014 at 1:23 PM, Davis Goodman <davis.goodman at digital-district.ca> wrote:
> Hi Fredy,
>
> We have integrated our Mac Workstations (Mountain Lion and Maverick) with
> FreeIPA with good success except for password change.
>
> Does your method allow users to change their password through the OSX
> interface for example when a new user is created and logs in for the first
> time? For now we need to have our users go through the web interface of a
> different workstation to change their newly created account password.
>
> At this point that is the only thing that still doesn't work for us.
>
> Davis
>
> Davis Goodman
> Directeur Informatique | IT Manager
> Digital-District
> 5605 Avenue de Gaspé, Suite 408 | Montréal, QC H2T 2A4
>
> From: Simo Sorce simo at redhat.com
> Reply: Simo Sorce simo at redhat.com
> Date: April 16, 2014 at 18:06:27
> To: Fredy Sanchez fredy.sanchez at modmed.com
> Cc: Guillermo Fuentes guillermo.fuentes at modernizingmedicine.com,
> freeipa-users at redhat.com freeipa-users at redhat.com
> Subject: [Freeipa-users] [SOLVED] Re: FreeIPA backend. Mavericks server
> shows UIDs instead of usernames in File Sharing.
>
> Good!
> And thanks for letting us know, it may help other users too.
>
> Simo.
>
> On Wed, 2014-04-16 at 17:58 -0400, Fredy Sanchez wrote:
> > Hi Simo,
> >
> > Thanks for your reply. Good old Google pointed me to
> > https://github.com/rtrouton/rtrouton_scripts/blob/master/rtrouton_scripts/open-ldap_bind_script/Mac_OpenLDAP_bind_script.sh,
> > which gave me the idea of updating the RealName mapping to displayName.
> > This solved the problem, I'll have to recreate the permissions for every
> > share, but the user names now show up, and stick. No more UIDs.
> >
> > On Tue, Apr 15, 2014 at 9:30 AM, Simo Sorce wrote:
> >
> > > On Fri, 2014-04-11 at 10:37 -0400, Fredy Sanchez wrote:
> > > > Hi all,
> > > >
> > > > We asked this same question at discussions.apple.com, but figured
> > > > we'd have better luck here. I apologize in advance if this is the
> > > > wrong forum.
> > > >
> > > > We are switching from Synology (DSM 5) to Mavericks server (v3.1.1
> > > > running in Mavericks 10.9.2) for File Sharing. We use a FreeIPA
> > > > (ipa-server.x86_64 3.0.0-37.el6) backend for SSO, and the Mac server
> > > > seems correctly bound to it. Unfortunately, although we can add
> > > > usernames to the shares for the initial config, the usernames
> > > > transform to UIDs after (only for SSO accounts; local accounts are
> > > > not affected). That is, when we go to edit the permissions for a
> > > > share, all we see are UIDs. We can always figure out the username
> > > > from the UID, but this is an extra step we don't want to have.
> > > > We've tried reinstalling the Mac server app from scratch, re-binding
> > > > to the FreeIPA backend, changing mappings in Directory Utility (for
> > > > example, mapping GeneratedUID to uid, which is the username),
> > > > recreating the shares and permissions, etc.
> > > > Here are more details about the binding:
> > > >
> > > > * The binding happens thru a custom package we created based
> > > >   primarily on
> > > >   http://linsec.ca/Using_FreeIPA_for_User_Authentication#Mac_OS_X_10.7.2F10.8
> > > > * Sys Prefs, Users & Groups, Login Options show the server bound to
> > > >   the FreeIPA backend with the green dot
> > > > * The following mappings are in place in Directory Utility,
> > > >   Services, LDAPv3, FreeIPA backend
> > > >
> > > > Users: inetOrgPerson
> > > >   AuthenticationAuthority: uid
> > > >   GeneratedUID: random number in uppercase
> > > >   HomeDirectory: #/Users/$uid$
> > > >   NFSHomeDirectory: #/Users/$uid$
> > > >   OriginalHomeDirectory: #/Users/$uid$
> > > >   PrimaryGroupID: gidNumber
> > > >   RealName: cn
> > > >   RecordName: uid
> > > >   UniqueID: uidNumber
> > > >   UserShell: loginShell
> > > > Groups: posixgroup
> > > >   PrimaryGroupID: gidNumber
> > > >   RecordName: cn
> > > >
> > > > The search bases are correct
> > > >
> > > > * Directory Utility, Directory Editor shows the right info for the
> > > >   users.
> > > > * $ id $USERNAME shows the right information for the user
> > > >
> > > > FreeIPA is working beautifully for our Mac / Linux environment. We
> > > > provide directory services to about 300 hosts, and 200 employees
> > > > using it; and haven't had any problems LDAP wise until now. So we
> > > > think we are missing a mapping here. Any ideas?
> > >
> > > Fredy,
> > > I quickly tried to check for some documentation on how to configure
> > > this stuff, but found only useless superficial guides on how to find
> > > the pointy/clicky buttons to push to enable the service.
> > >
> > > I am not a Mac expert by a long shot so I cannot help you much here.
> > >
> > > Is there any guide available on how to use this service with other
> > > LDAP servers, like openLDAP or Active Directory? We can probably draw
> > > some conclusions from there.
> > >
> > > Simo.
> > >
> > > --
> > > Simo Sorce * Red Hat, Inc * New York
> > >
>
> --
> Simo Sorce * Red Hat, Inc * New York
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>

--
Cheers,

Fredy Sanchez
IT Manager @ Modernizing Medicine
561-880-2998 x237
fredy.sanchez at modmed.com
Need IT support? Visit https://mmit.zendesk.com
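The "Current password's minimum life has not expired" refusal that Alex hit, and Rob's advice to check the policy's min/max values before bypassing it as Directory Manager, come down to two timestamps derived from krbLastPwdChange. The following is an added example, not code from the thread or from FreeIPA: it replays those policy checks against constructed values, assuming the krbMinPwdLife and krbMaxPwdLife attributes are held in seconds in the IPA LDAP tree (the CLI prints them as hours and days) and that krbLastPwdChange is an LDAP GeneralizedTime in UTC.

```python
"""Added example: when may a FreeIPA user change their password again?

Constructed values stand in for what `ipa pwpolicy-show` and
`ipa user-show <user> --all` would return; no IPA server is contacted.
Assumption: lifetimes are in seconds, the unit the krbMinPwdLife and
krbMaxPwdLife attributes use in the IPA LDAP tree.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample policy: 1 hour minimum life, 90 days maximum life.
SAMPLE_POLICY = {"krbMinPwdLife": 3600, "krbMaxPwdLife": 90 * 86400}

# Constructed sample krbLastPwdChange (LDAP GeneralizedTime, always UTC).
SAMPLE_LAST_CHANGE = "20140630120000Z"


def parse_generalized_time(value):
    """Parse the YYYYMMDDHHMMSSZ form used by krbLastPwdChange."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def password_change_windows(last_change, policy):
    """Return (earliest_allowed_change, expiry) for the current password."""
    changed = parse_generalized_time(last_change)
    earliest = changed + timedelta(seconds=policy["krbMinPwdLife"])
    expiry = changed + timedelta(seconds=policy["krbMaxPwdLife"])
    return earliest, expiry


def change_allowed(last_change, policy, now):
    """Apply the min/max life checks a normal user bind is subject to.

    `now` is a GeneralizedTime string so a recorded moment can be replayed.
    The first branch is the refusal seen in the thread: a change is refused
    until the minimum life since krbLastPwdChange has passed, whatever the
    expiry state. A Directory Manager bind (the ldappasswd command in Rob's
    reply) is not subject to these checks.
    """
    earliest, expiry = password_change_windows(last_change, policy)
    current = parse_generalized_time(now)
    if current < earliest:
        return False, "minimum life has not expired until " + earliest.isoformat()
    if current >= expiry:
        return True, "password expired; change is allowed"
    return True, "password current; change is allowed"


if __name__ == "__main__":
    for probe in ("20140630123000Z", "20140630133000Z", "20141001000000Z"):
        print(probe, change_allowed(SAMPLE_LAST_CHANGE, SAMPLE_POLICY, probe))
```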