Free IPA List peeps, I'm looking to set up FreeIPA on a Fedora 14 or 15 server I'm setting up at home. I came across a reference at one point dealing with smart cards being associated with the user's that hold them. I can't find the reference at this point and was wondering if there might be a list on the Wiki or someplace that details the errors that come back when trying to initialize or register a smart card with the server? Thanks so much! Steven <div class="gmail_quote">On Wed, May 2, 2012 at 1:57 PM, <<a href="mailto:freeipa-users-request@redhat.com" target="_blank">freeipa-users-request@redhat.com</a>> wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Send Freeipa-users mailing list submissions to <a href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a> To subscribe or unsubscribe via the World Wide Web, visit <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> or, via email, send a message with subject or body 'help' to <a href="mailto:freeipa-users-request@redhat.com">freeipa-users-request@redhat.com</a> You can reach the person managing the list at <a href="mailto:freeipa-users-owner@redhat.com">freeipa-users-owner@redhat.com</a> When replying, please edit your Subject line so it is more specific than "Re: Contents of Freeipa-users digest..." Today's Topics: 1. Re: red hat 5 and red hat 6 compatability (Matthew Davidson) 2. Re: red hat 5 and red hat 6 compatability (Dmitri Pal) ---------------------------------------------------------------------- Message: 1 Date: Wed, 2 May 2012 14:50:06 -0400 From: Matthew Davidson <<a href="mailto:matt@mldserviceslex.com">matt@mldserviceslex.com</a>> To: <<a href="mailto:dpal@redhat.com">dpal@redhat.com</a>>, <<a href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a>> Subject: Re: [Freeipa-users] red hat 5 and red hat 6 compatability Message-ID: <SNT104-W395AFEBCC767D220CA34AAA32E0@phx.gbl> Content-Type: text/plain; charset="iso-8859-1" Dmitri,1) Do you have admin account on IPA side? Yes. And judging by the command below admin does log in, or am I mistaken? [root@rhel5 ~]# kinit adminPassword for <a href="mailto:admin@EXAMPLE.COM">admin@EXAMPLE.COM</a>: [root@rhel5 ~]# klistTicket cache: FILE:/tmp/krb5cc_0Default principal: <a href="mailto:admin@EXAMPLE.COM">admin@EXAMPLE.COM</a> Valid starting Expires Service principal05/02/12 14:47:40 05/03/12 14:47:36 krbtgt/<a href="mailto:EXAMPLE.COM@EXAMPLE.COM">EXAMPLE.COM@EXAMPLE.COM</a> Kerberos 4 ticket cache: /tmp/tkt0klist: You have no tickets cached 2) Is there a firewall between client and server? Is LDAP and LDAPS allowed via the FW? No firewall. shut those down at the first sign of trouble. ThanksMatt Date: Wed, 2 May 2012 13:51:15 -0400 From: <a href="mailto:dpal@redhat.com">dpal@redhat.com</a> To: <a href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a> Subject: Re: [Freeipa-users] red hat 5 and red hat 6 compatability On 05/02/2012 12:43 PM, Matthew Davidson wrote: Hi Rob [root@rhel5 ~]# ipa-client-install --domain=<a href="http://EXAMPLE.COM" target="_blank">EXAMPLE.COM</a> --server=<a href="http://rhel6.example.com" target="_blank">rhel6.example.com</a> DNS domain '<a href="http://example.com" target="_blank">example.com</a>' is not configured for automatic KDC address lookup. KDC address will be set to fixed value. Discovery was successful! Hostname: <a href="http://rhel6.example.com" target="_blank">rhel6.example.com</a> Realm: <a href="http://EXAMPLE.COM" target="_blank">EXAMPLE.COM</a> DNS Domain: <a href="http://EXAMPLE.COM" target="_blank">EXAMPLE.COM</a> IPA Server: <a href="http://rhel6.example.com" target="_blank">rhel6.example.com</a> BaseDN: dc=example,dc=com Continue to configure the system with these values? [no]: yes User authorized to enroll computers: admin Synchronizing time with KDC... Password for <a href="mailto:admin@EXAMPLE.COM">admin@EXAMPLE.COM</a>: Enrolled in IPA realm <a href="http://EXAMPLE.COM" target="_blank">EXAMPLE.COM</a> Created /etc/ipa/default.conf Configured /etc/sssd/sssd.conf Configured /etc/krb5.conf for IPA realm <a href="http://EXAMPLE.COM" target="_blank">EXAMPLE.COM</a> SSSD enabled Unable to find 'admin' user with 'getent passwd admin'! 1) Do you have admin account on IPA side? 2) Is there a firewall between client and server? Is LDAP and LDAPS allowed via the FW? Recognized configuration: SSSD Changed configuration of /etc/ldap.conf to use hardcoded server name: <a href="http://rhel6.example.com" target="_blank">rhel6.example.com</a> NTP enabled Client configuration complete. /var/log/secure May 2 12:31:14 rhel5 sshd[3250]: Invalid user mdavidson from 192.168.1.5 May 2 12:31:14 rhel5 sshd[3251]: input_userauth_request: invalid user mdavidson May 2 12:31:19 rhel5 sshd[3250]: pam_unix(sshd:auth): check pass; user unknown May 2 12:31:19 rhel5 sshd[3250]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=<a href="http://rhel6.example.com" target="_blank">rhel6.example.com</a> May 2 12:31:19 rhel5 sshd[3250]: pam_succeed_if(sshd:auth): error retrieving information about user mdavidson May 2 12:31:21 rhel5 sshd[3250]: Failed password for invalid user mdavidson from 192.168.1.5 port 52511 ssh2 /var/log/sssd/ldap_child.log (Wed May 2 11:52:08 2012) [[sssd[ldap_child[3091]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database (Wed May 2 12:31:14 2012) [[sssd[ldap_child[3252]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database (Wed May 2 12:31:14 2012) [[sssd[ldap_child[3253]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database (Wed May 2 12:31:14 2012) [[sssd[ldap_child[3254]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database (Wed May 2 12:31:14 2012) [[sssd[ldap_child[3255]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database (Wed May 2 12:31:14 2012) [[sssd[ldap_child[3256]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database /var/log/sssd/sssd.log (Tue May 1 13:53:26 2012) [sssd] [monitor_quit] (0): Monitor received Terminated: terminating children (Wed May 2 11:34:59 2012) [sssd] [monitor_quit] (0): Monitor received Terminated: terminating children thanks for helping! Matt > Date: Wed, 2 May 2012 11:30:52 -0400 > From: <a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a> > To: <a href="mailto:matt@mldserviceslex.com">matt@mldserviceslex.com</a> > CC: <a href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a> > Subject: Re: [Freeipa-users] red hat 5 and red hat 6 compatability > > Matthew Davidson wrote: > > To clarify one point. > > > > I used the current redhat documents to setup the two systems. > > > > Red_Hat_Enterprise_Linux-5-Configuring_Identity_Management-en-US > > > > Red_Hat_Enterprise_Linux-6-Identity_Management_Guide-en-US > > > > SSH does not seem to be discussed and that is when I started web surfing > > in an attempt to fix my problem before reaching out for help. > > A host service principal is created during enrollment so no additional > work should be needed for SSH to work. The problem you're having is > related to the fact that user lookup services are failing. > > Can you look in /var/log/secure and/or /var/log/sssd/* to see if there > are any errors reported regarding sssd? > > What options did you pass to ipa-client-install? > > rob _______________________________________________ Freeipa-users mailing list <a href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? <a href="http://www.redhat.com/carveoutcosts/" target="_blank">www.redhat.com/carveoutcosts/</a> _______________________________________________ Freeipa-users mailing list <a href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> -------------- next part -------------- An HTML attachment was scrubbed... URL: <<a href="https://www.redhat.com/archives/freeipa-users/attachments/20120502/51a0eaec/attachment.html" target="_blank">https://www.redhat.com/archives/freeipa-users/attachments/20120502/51a0eaec/attachment.html</a>> ------------------------------ Message: 2 Date: Wed, 02 May 2012 14:57:24 -0400 From: Dmitri Pal <<a href="mailto:dpal@redhat.com">dpal@redhat.com</a>> To: Matthew Davidson <<a href="mailto:matt@mldserviceslex.com">matt@mldserviceslex.com</a>> Cc: <a href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a> Subject: Re: [Freeipa-users] red hat 5 and red hat 6 compatability Message-ID: <<a href="mailto:4FA18394.7080507@redhat.com">4FA18394.7080507@redhat.com</a>> Content-Type: text/plain; charset="iso-8859-1" On 05/02/2012 02:50 PM, Matthew Davidson wrote: > Dmitri, > 1) Do you have admin account on IPA side? > > Yes. And judging by the command below admin does log in, or am I mistaken? > > [root@rhel5 ~]# kinit admin > Password for <a href="mailto:admin@EXAMPLE.COM">admin@EXAMPLE.COM</a>: > > [root@rhel5 ~]# klist > Ticket cache: FILE:/tmp/krb5cc_0 > Default principal: <a href="mailto:admin@EXAMPLE.COM">admin@EXAMPLE.COM</a> > > Valid starting Expires Service principal > 05/02/12 14:47:40 05/03/12 14:47:36 krbtgt/<a href="mailto:EXAMPLE.COM@EXAMPLE.COM">EXAMPLE.COM@EXAMPLE.COM</a> > > Kerberos 4 ticket cache: /tmp/tkt0 > klist: You have no tickets cached > Is this from the client or from the server? I bet on the server. Rob might be right that the client fails to find the right authentication server due to the DNS configuration. > 2) Is there a firewall between client and server? Is LDAP and LDAPS > allowed via the FW? > > No firewall. shut those down at the first sign of trouble. > > Thanks > Matt > > ------------------------------------------------------------------------ > Date: Wed, 2 May 2012 13:51:15 -0400 > From: <a href="mailto:dpal@redhat.com">dpal@redhat.com</a> > To: <a href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a> > Subject: Re: [Freeipa-users] red hat 5 and red hat 6 compatability > > On 05/02/2012 12:43 PM, Matthew Davidson wrote: > > Hi Rob > > [root@rhel5 ~]# ipa-client-install --domain=<a href="http://EXAMPLE.COM" target="_blank">EXAMPLE.COM</a> > --server=<a href="http://rhel6.example.com" target="_blank">rhel6.example.com</a> > DNS domain '<a href="http://example.com" target="_blank">example.com</a>' is not configured for automatic KDC > address lookup. > KDC address will be set to fixed value. > > Discovery was successful! > Hostname: <a href="http://rhel6.example.com" target="_blank">rhel6.example.com</a> > Realm: <a href="http://EXAMPLE.COM" target="_blank">EXAMPLE.COM</a> > DNS Domain: <a href="http://EXAMPLE.COM" target="_blank">EXAMPLE.COM</a> > IPA Server: <a href="http://rhel6.example.com" target="_blank">rhel6.example.com</a> > BaseDN: dc=example,dc=com > > Continue to configure the system with these values? [no]: yes > User authorized to enroll computers: admin > Synchronizing time with KDC... > Password for <a href="mailto:admin@EXAMPLE.COM">admin@EXAMPLE.COM</a>: <mailto:<a href="mailto:admin@EXAMPLE.COM">admin@EXAMPLE.COM</a>:> > > Enrolled in IPA realm <a href="http://EXAMPLE.COM" target="_blank">EXAMPLE.COM</a> > Created /etc/ipa/default.conf > Configured /etc/sssd/sssd.conf > Configured /etc/krb5.conf for IPA realm <a href="http://EXAMPLE.COM" target="_blank">EXAMPLE.COM</a> > SSSD enabled > *Unable to find 'admin' user with 'getent passwd admin'!* > > > 1) Do you have admin account on IPA side? > 2) Is there a firewall between client and server? Is LDAP and LDAPS > allowed via the FW? > > Recognized configuration: SSSD > Changed configuration of /etc/ldap.conf to use hardcoded server > name: <a href="http://rhel6.example.com" target="_blank">rhel6.example.com</a> > NTP enabled > Client configuration complete. > > /var/log/secure > May 2 12:31:14 rhel5 sshd[3250]: Invalid user mdavidson from > 192.168.1.5 > May 2 12:31:14 rhel5 sshd[3251]: input_userauth_request: invalid > user mdavidson > May 2 12:31:19 rhel5 sshd[3250]: pam_unix(sshd:auth): check pass; > user unknown > May 2 12:31:19 rhel5 sshd[3250]: pam_unix(sshd:auth): > authentication failure; logname= uid=0 euid=0 tty=ssh ruser= > rhost=<a href="http://rhel6.example.com" target="_blank">rhel6.example.com</a> > May 2 12:31:19 rhel5 sshd[3250]: pam_succeed_if(sshd:auth): error > retrieving information about user mdavidson > May 2 12:31:21 rhel5 sshd[3250]: Failed password for invalid user > mdavidson from 192.168.1.5 port 52511 ssh2 > > /var/log/sssd/ldap_child.log > (Wed May 2 11:52:08 2012) [[sssd[ldap_child[3091]]]] > [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client > not found in Kerberos database > (Wed May 2 12:31:14 2012) [[sssd[ldap_child[3252]]]] > [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client > not found in Kerberos database > (Wed May 2 12:31:14 2012) [[sssd[ldap_child[3253]]]] > [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client > not found in Kerberos database > (Wed May 2 12:31:14 2012) [[sssd[ldap_child[3254]]]] > [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client > not found in Kerberos database > (Wed May 2 12:31:14 2012) [[sssd[ldap_child[3255]]]] > [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client > not found in Kerberos database > (Wed May 2 12:31:14 2012) [[sssd[ldap_child[3256]]]] > [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client > not found in Kerberos database > > /var/log/sssd/sssd.log > (Tue May 1 13:53:26 2012) [sssd] [monitor_quit] (0): Monitor > received Terminated: terminating children > (Wed May 2 11:34:59 2012) [sssd] [monitor_quit] (0): Monitor > received Terminated: terminating children > > thanks for helping! > Matt > > > Date: Wed, 2 May 2012 11:30:52 -0400 > > From: <a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a> <mailto:<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>> > > To: <a href="mailto:matt@mldserviceslex.com">matt@mldserviceslex.com</a> <mailto:<a href="mailto:matt@mldserviceslex.com">matt@mldserviceslex.com</a>> > > CC: <a href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a> <mailto:<a href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a>> > > Subject: Re: [Freeipa-users] red hat 5 and red hat 6 compatability > > > > Matthew Davidson wrote: > > > To clarify one point. > > > > > > I used the current redhat documents to setup the two systems. > > > > > > Red_Hat_Enterprise_Linux-5-Configuring_Identity_Management-en-US > > > > > > Red_Hat_Enterprise_Linux-6-Identity_Management_Guide-en-US > > > > > > SSH does not seem to be discussed and that is when I started > web surfing > > > in an attempt to fix my problem before reaching out for help. > > > > A host service principal is created during enrollment so no > additional > > work should be needed for SSH to work. The problem you're having is > > related to the fact that user lookup services are failing. > > > > Can you look in /var/log/secure and/or /var/log/sssd/* to see if > there > > are any errors reported regarding sssd? > > > > What options did you pass to ipa-client-install? > > > > rob > > > _______________________________________________ > Freeipa-users mailing list > <a href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> <mailto:<a href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>> > <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> > > > > -- > Thank you, > Dmitri Pal > > Sr. Engineering Manager IPA project, > Red Hat Inc. > > > ------------------------------- > Looking to carve out IT costs? > <a href="http://www.redhat.com/carveoutcosts/" target="_blank">www.redhat.com/carveoutcosts/</a> <<a href="http://www.redhat.com/carveoutcosts/" target="_blank">http://www.redhat.com/carveoutcosts/</a>> > > > > _______________________________________________ Freeipa-users mailing > list <a href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> > <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? <a href="http://www.redhat.com/carveoutcosts/" target="_blank">www.redhat.com/carveoutcosts/</a> -------------- next part -------------- An HTML attachment was scrubbed... URL: <<a href="https://www.redhat.com/archives/freeipa-users/attachments/20120502/cea8af43/attachment.html" target="_blank">https://www.redhat.com/archives/freeipa-users/attachments/20120502/cea8af43/attachment.html</a>> ------------------------------ _______________________________________________ Freeipa-users mailing list <a href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> End of Freeipa-users Digest, Vol 46, Issue 10 ********************************************* </blockquote></div>