<table cellspacing="0" cellpadding="0" border="0" ><tr><td valign="top" style="font: inherit;"><pre>Hi all, I need help to migrate NIS server to freeipa. What is the way to import ldif file to freeipa? Thanks. </pre> --- El lun 10-nov-08, freeipa-users-request@redhat.com <freeipa-users-request@redhat.com> escribió: <blockquote style="border-left: 2px solid rgb(16, 16, 255); margin-left: 5px; padding-left: 5px;">De: freeipa-users-request@redhat.com <freeipa-users-request@redhat.com> Asunto: Freeipa-users Digest, Vol 4, Issue 6 A: freeipa-users@redhat.com Fecha: lunes, 10 noviembre, 2008, 5:00 pm <pre>Send Freeipa-users mailing list submissions to freeipa-users@redhat.com To subscribe or unsubscribe via the World Wide Web, visit https://www.redhat.com/mailman/listinfo/freeipa-users or, via email, send a message with subject or body 'help' to freeipa-users-request@redhat.com You can reach the person managing the list at freeipa-users-owner@redhat.com When replying, please edit your Subject line so it is more specific than "Re: Contents of Freeipa-users digest..." Today's Topics: 1. Re: Freeipa-users Digest, Vol 4, Issue 5 (luis lugo) 2. GSSAPI Failure (Konstantin Kozlov) ---------------------------------------------------------------------- Message: 1 Date: Sun, 9 Nov 2008 18:01:04 -0800 (PST) From: luis lugo <luis_lugo74@yahoo.com> Subject: [Freeipa-users] Re: Freeipa-users Digest, Vol 4, Issue 5 To: freeipa-users@redhat.com Message-ID: <100913.40731.qm@web38601.mail.mud.yahoo.com> Content-Type: text/plain; charset="utf-8" Hi all, I need help to migrate NIS server to freeipa. What is the way to import ldif file to freeipa? Thanks. --- El vie 7-nov-08, freeipa-users-request@redhat.com <freeipa-users-request@redhat.com> escribió: De: freeipa-users-request@redhat.com <freeipa-users-request@redhat.com> Asunto: Freeipa-users Digest, Vol 4, Issue 5 A: freeipa-users@redhat.com Fecha: viernes, 7 noviembre, 2008, 5:00 pm Send Freeipa-users mailing list submissions to freeipa-users@redhat.com To subscribe or unsubscribe via the World Wide Web, visit https://www.redhat.com/mailman/listinfo/freeipa-users or, via email, send a message with subject or body 'help' to freeipa-users-request@redhat.com You can reach the person managing the list at freeipa-users-owner@redhat.com When replying, please edit your Subject line so it is more specific than "Re: Contents of Freeipa-users digest..." Today's Topics: 1. Re: Need help with Solaris Host Based access control (Christian Horn) 2. Re: Windows clients problem (Konstantin Kozlov) 3. Re: Windows clients problem (Konstantin Kozlov) 4. Re: [Freeipa-devel] Re: [Freeipa-users] Need help with Solaris Host Based access control (Dmitri Pal) ---------------------------------------------------------------------- Message: 1 Date: Fri, 7 Nov 2008 09:13:30 +0100 From: Christian Horn <chorn@fluxcoil.net> Subject: Re: [Freeipa-users] Need help with Solaris Host Based access control To: Dmitri Pal <dpal@redhat.com> Cc: freeipa-devel <freeipa-devel@redhat.com>, freeipa-users@redhat.com Message-ID: <20081107081330.GA13820@fluxcoil.net> Content-Type: text/plain; charset=us-ascii Mornings, On Wed, Nov 05, 2008 at 03:49:07PM -0500, Dmitri Pal wrote: > > The instructions are based on the ability of the pam_access PAM module > to check the access control rules specified in the access.conf. > The group information can be retrieved from the IPA server via nss_ldap. > > We tried to find similar functionality on other OS's. We spotted PAM > modules on HP-UX and AIX that are responsible for the similar > authorization checks. > > But we are stuck with Solaris. All our investigations about similar > functionality in Solaris bear no fruits. We saw pam_roles and > pam_unix_account on Solaris but they do not seem to accomplish what we > are trying to do. > > We are looking for some help and advice from Solaris experts on this > functionality. Checked with solaris-guys, this is in use for pure ldap-authentication/ authorization. Apparently just after hooking up a solaris-box to an ldap no user is allowed to login. The permissions to login are handled by this: a) entries in /etc/passwd, containing names of NIS-netgroups whose members are allowed to log in, i.e. +@netgroup1:::::: b) entries in /etc/shadow, containing names of NIS-netgroups whose members are allowed to log in, i.e. +@netgroup1:::::::: (thats 8 colons vs. 6 on the /etcx/passwd-entries) c) entries in /etc/nsswitch.conf for this to work: passwd: compat passwd_compat: ldap [NOTFOUND=return] I dont use this myself on Solaris-boxen but should be enough to see the Solaris-way to handle those login-authorizations. Christian ------------------------------ Message: 2 Date: Fri, 07 Nov 2008 14:32:04 +0300 From: Konstantin Kozlov <kozlov@spbcas.ru> Subject: Re: [Freeipa-users] Windows clients problem To: freeipa-users@redhat.com Message-ID: <49142734.4000008@spbcas.ru> Content-Type: text/plain; charset=KOI8-R; format=flowed Hello, Johan Venter wrote: > Konstantin Kozlov wrote: >> WinXP machine asks to login to Kerberos realm at login screen, but >> doesn't let me in. The krb5 log file on IPA server shows that ticket >> was issued. I can get ticket with MIT Kerberos from WinXP machine but >> I can't access samba share. > > I had to add -e des-cbc-crc to the ipa-getkeytab command line I used to > generate the Windows host principal and set the password before Windows > login to the Kerberos realm would work. > > Windows XP/Server 2003 doesn't support useful encryption mechanisms. > I did that also and that didn't work. Do I need to install the keytab on WinXP machine? If yes, how? Thank you, -- Konstantin Kozlov Department of Computational Biology, Center for Advanced Studies, SPb State Polytechnical University, 195251, Polytechnicheskaya ul., 29, bld 4, office 204, St.Petersburg, Russia. Tel./fax: +7 812 596 2831 ------------------------------ Message: 3 Date: Fri, 07 Nov 2008 14:54:34 +0300 From: Konstantin Kozlov <kozlov@spbcas.ru> Subject: Re: [Freeipa-users] Windows clients problem To: freeipa-users@redhat.com Message-ID: <49142C7A.5010508@spbcas.ru> Content-Type: text/plain; charset=KOI8-R; format=flowed Thank you for the help! After another round of googling I've found that XP uses rc4-hmac...I'll try that next day. Johan Venter wrote: > Konstantin Kozlov wrote: >> Hello, >> >> Johan Venter wrote: >>> Konstantin Kozlov wrote: >>>> WinXP machine asks to login to Kerberos realm at login screen, but >>>> doesn't let me in. The krb5 log file on IPA server shows that ticket >>>> was issued. I can get ticket with MIT Kerberos from WinXP machine >>>> but I can't access samba share. >>> >>> I had to add -e des-cbc-crc to the ipa-getkeytab command line I used >>> to generate the Windows host principal and set the password before >>> Windows login to the Kerberos realm would work. >>> >>> Windows XP/Server 2003 doesn't support useful encryption mechanisms. >>> >> >> I did that also and that didn't work. Do I need to install the keytab >> on WinXP machine? If yes, how? >> > > Hmm .. I had to use the latest version of ipa-getkeytab (which supported > the password option - I compiled my own RPMs for CentOS) and between > that, then -e option and ksetup /setcomputerpassword it finally worked > on my Windows Server 2003 machines. > > Maybe there is something different with XP machines, all I can suggest > is try the different encryption types and see what works (DES generally, > no AES or SHA hashes). > > Johan > -- Konstantin Kozlov Department of Computational Biology, Center for Advanced Studies, SPb State Polytechnical University, 195251, Polytechnicheskaya ul., 29, bld 4, office 204, St.Petersburg, Russia. Tel./fax: +7 812 596 2831 ------------------------------ Message: 4 Date: Fri, 07 Nov 2008 09:27:00 -0500 From: Dmitri Pal <dpal@redhat.com> Subject: Re: [Freeipa-devel] Re: [Freeipa-users] Need help with Solaris Host Based access control To: Christian Horn <chorn@fluxcoil.net> Cc: freeipa-devel <freeipa-devel@redhat.com>, freeipa-users@redhat.com Message-ID: <49145034.8030409@redhat.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Thank you Christian! I will dig more into it. Dmitri Christian Horn wrote: > Mornings, > > On Wed, Nov 05, 2008 at 03:49:07PM -0500, Dmitri Pal wrote: > >> The instructions are based on the ability of the pam_access PAM module >> to check the access control rules specified in the access.conf. >> The group information can be retrieved from the IPA server via nss_ldap. >> >> We tried to find similar functionality on other OS's. We spotted PAM >> modules on HP-UX and AIX that are responsible for the similar >> authorization checks. >> >> But we are stuck with Solaris. All our investigations about similar >> functionality in Solaris bear no fruits. We saw pam_roles and >> pam_unix_account on Solaris but they do not seem to accomplish what we >> are trying to do. >> >> We are looking for some help and advice from Solaris experts on this >> functionality. >> > > Checked with solaris-guys, this is in use for pure ldap-authentication/ > authorization. > Apparently just after hooking up a solaris-box to an ldap no user > is allowed to login. > > The permissions to login are handled by this: > > a) entries in /etc/passwd, containing names of NIS-netgroups > whose members are allowed to log in, i.e. > > +@netgroup1:::::: > > b) entries in /etc/shadow, containing names of NIS-netgroups > whose members are allowed to log in, i.e. > > +@netgroup1:::::::: > (thats 8 colons vs. 6 on the /etcx/passwd-entries) > > c) entries in /etc/nsswitch.conf for this to work: > > passwd: compat > passwd_compat: ldap [NOTFOUND=return] > > > I dont use this myself on Solaris-boxen but should be enough to see > the Solaris-way to handle those login-authorizations. > > > Christian > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel@redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel > > > ------------------------------ _______________________________________________ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users End of Freeipa-users Digest, Vol 4, Issue 5 ******************************************* ____________________________________________________________________________________ ¡Todo sobre Amor y Sexo! La guía completa para tu vida en Mujer de Hoy. http://mujerdehoy.telemundo.yahoo.com/ -------------- next part -------------- An HTML attachment was scrubbed... URL: https://www.redhat.com/archives/freeipa-users/attachments/20081109/2e5fc195/attachment.html ------------------------------ Message: 2 Date: Mon, 10 Nov 2008 16:53:08 +0300 From: Konstantin Kozlov <kozlov@spbcas.ru> Subject: [Freeipa-users] GSSAPI Failure To: freeipa-users@redhat.com Message-ID: <49183CC4.6070209@spbcas.ru> Content-Type: text/plain; charset=KOI8-R; format=flowed Hello, I have the following problem. On the ipaserver after reboot I get the following error: # kinit admin # ipa-finduser admin Connection to database failed: Invalid credentials: SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context However it is possible to login to ipaclient with ipauser. Before reboot it worked. Does anybody have any ideas what is wrong? Thank you in advance, -- Konstantin Kozlov Department of Computational Biology, Center for Advanced Studies, SPb State Polytechnical University, 195251, Polytechnicheskaya ul., 29, bld 4, office 204, St.Petersburg, Russia. Tel./fax: +7 812 596 2831 ------------------------------ _______________________________________________ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users End of Freeipa-users Digest, Vol 4, Issue 6 ******************************************* </pre></blockquote></td></tr></table> <hr size=1> Premios MTV 2008 ¡En exclusiva! Fotos, nominados, videos, y mucho más!br>Mira aquí http://mtvla.yahoo.com/