Free IPA List peeps,

I'm looking to set up FreeIPA on a Fedora 14 or 15 server I'm setting up at home. I came across a reference at one point dealing with smart cards being associated with the users that hold them.

I can't find the reference at this point and was wondering if there might be a list on the Wiki or someplace that details the errors that come back when trying to initialize or register a smart card with the server?

Thanks so much!

Steven

On Wed, May 2, 2012 at 1:57 PM, <[email protected]> wrote:
> Today's Topics:
>
> 1. Re: red hat 5 and red hat 6 compatability (Matthew Davidson)
> 2. Re: red hat 5 and red hat 6 compatability (Dmitri Pal)
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Wed, 2 May 2012 14:50:06 -0400
> From: Matthew Davidson <[email protected]>
> To: <[email protected]>, <[email protected]>
> Subject: Re: [Freeipa-users] red hat 5 and red hat 6 compatability
>
> Dmitri,
>
> 1) Do you have admin account on IPA side?
>
> Yes. And judging by the command below admin does log in, or am I mistaken?
>
> [root@rhel5 ~]# kinit admin
> Password for [email protected]:
>
> [root@rhel5 ~]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: [email protected]
>
> Valid starting     Expires            Service principal
> 05/02/12 14:47:40  05/03/12 14:47:36  krbtgt/[email protected]
>
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
>
> 2) Is there a firewall between client and server? Is LDAP and LDAPS
> allowed via the FW?
>
> No firewall. Shut those down at the first sign of trouble.
>
> Thanks
> Matt
>
> > Date: Wed, 2 May 2012 13:51:15 -0400
> > From: [email protected]
> > To: [email protected]
> > Subject: Re: [Freeipa-users] red hat 5 and red hat 6 compatability
> >
> > On 05/02/2012 12:43 PM, Matthew Davidson wrote:
> > > Hi Rob
> > >
> > > [root@rhel5 ~]# ipa-client-install --domain=EXAMPLE.COM --server=rhel6.example.com
> > > DNS domain 'example.com' is not configured for automatic KDC address lookup.
> > > KDC address will be set to fixed value.
> > >
> > > Discovery was successful!
> > > Hostname: rhel6.example.com
> > > Realm: EXAMPLE.COM
> > > DNS Domain: EXAMPLE.COM
> > > IPA Server: rhel6.example.com
> > > BaseDN: dc=example,dc=com
> > >
> > > Continue to configure the system with these values? [no]: yes
> > > User authorized to enroll computers: admin
> > > Synchronizing time with KDC...
> > > Password for [email protected]:
> > >
> > > Enrolled in IPA realm EXAMPLE.COM
> > > Created /etc/ipa/default.conf
> > > Configured /etc/sssd/sssd.conf
> > > Configured /etc/krb5.conf for IPA realm EXAMPLE.COM
> > > SSSD enabled
> > > Unable to find 'admin' user with 'getent passwd admin'!
> >
> > 1) Do you have admin account on IPA side?
> > 2) Is there a firewall between client and server? Is LDAP and LDAPS
> > allowed via the FW?
> >
> > > Recognized configuration: SSSD
> > > Changed configuration of /etc/ldap.conf to use hardcoded server name: rhel6.example.com
> > > NTP enabled
> > > Client configuration complete.
> > >
> > > /var/log/secure
> > > May 2 12:31:14 rhel5 sshd[3250]: Invalid user mdavidson from 192.168.1.5
> > > May 2 12:31:14 rhel5 sshd[3251]: input_userauth_request: invalid user mdavidson
> > > May 2 12:31:19 rhel5 sshd[3250]: pam_unix(sshd:auth): check pass; user unknown
> > > May 2 12:31:19 rhel5 sshd[3250]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=rhel6.example.com
> > > May 2 12:31:19 rhel5 sshd[3250]: pam_succeed_if(sshd:auth): error retrieving information about user mdavidson
> > > May 2 12:31:21 rhel5 sshd[3250]: Failed password for invalid user mdavidson from 192.168.1.5 port 52511 ssh2
> > >
> > > /var/log/sssd/ldap_child.log
> > > (Wed May 2 11:52:08 2012) [[sssd[ldap_child[3091]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
> > > (Wed May 2 12:31:14 2012) [[sssd[ldap_child[3252]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
> > > (Wed May 2 12:31:14 2012) [[sssd[ldap_child[3253]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
> > > (Wed May 2 12:31:14 2012) [[sssd[ldap_child[3254]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
> > > (Wed May 2 12:31:14 2012) [[sssd[ldap_child[3255]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
> > > (Wed May 2 12:31:14 2012) [[sssd[ldap_child[3256]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
> > >
> > > /var/log/sssd/sssd.log
> > > (Tue May 1 13:53:26 2012) [sssd] [monitor_quit] (0): Monitor received Terminated: terminating children
> > > (Wed May 2 11:34:59 2012) [sssd] [monitor_quit] (0): Monitor received Terminated: terminating children
> > >
> > > thanks for helping!
> > > Matt
> > >
> > > > Date: Wed, 2 May 2012 11:30:52 -0400
> > > > From: [email protected]
> > > > To: [email protected]
> > > > CC: [email protected]
> > > > Subject: Re: [Freeipa-users] red hat 5 and red hat 6 compatability
> > > >
> > > > Matthew Davidson wrote:
> > > > > To clarify one point.
> > > > >
> > > > > I used the current redhat documents to setup the two systems.
> > > > >
> > > > > Red_Hat_Enterprise_Linux-5-Configuring_Identity_Management-en-US
> > > > > Red_Hat_Enterprise_Linux-6-Identity_Management_Guide-en-US
> > > > >
> > > > > SSH does not seem to be discussed and that is when I started web surfing
> > > > > in an attempt to fix my problem before reaching out for help.
> > > >
> > > > A host service principal is created during enrollment so no additional
> > > > work should be needed for SSH to work. The problem you're having is
> > > > related to the fact that user lookup services are failing.
> > > >
> > > > Can you look in /var/log/secure and/or /var/log/sssd/* to see if there
> > > > are any errors reported regarding sssd?
> > > >
> > > > What options did you pass to ipa-client-install?
> > > >
> > > > rob
> > >
> > > _______________________________________________
> > > Freeipa-users mailing list
> > > [email protected]
> > > https://www.redhat.com/mailman/listinfo/freeipa-users
> >
> > --
> > Thank you,
> > Dmitri Pal
> >
> > Sr. Engineering Manager IPA project,
> > Red Hat Inc.
>
> ------------------------------
>
> Message: 2
> Date: Wed, 02 May 2012 14:57:24 -0400
> From: Dmitri Pal <[email protected]>
> To: Matthew Davidson <[email protected]>
> Cc: [email protected]
> Subject: Re: [Freeipa-users] red hat 5 and red hat 6 compatability
>
> On 05/02/2012 02:50 PM, Matthew Davidson wrote:
> > Dmitri,
> >
> > 1) Do you have admin account on IPA side?
> >
> > Yes. And judging by the command below admin does log in, or am I mistaken?
> >
> > [root@rhel5 ~]# kinit admin
> > Password for [email protected]:
> >
> > [root@rhel5 ~]# klist
> > Ticket cache: FILE:/tmp/krb5cc_0
> > Default principal: [email protected]
> >
> > Valid starting     Expires            Service principal
> > 05/02/12 14:47:40  05/03/12 14:47:36  krbtgt/[email protected]
> >
> > Kerberos 4 ticket cache: /tmp/tkt0
> > klist: You have no tickets cached
>
> Is this from the client or from the server? I bet on the server.
> Rob might be right that the client fails to find the right
> authentication server due to the DNS configuration.
>
> > 2) Is there a firewall between client and server? Is LDAP and LDAPS
> > allowed via the FW?
> >
> > No firewall. Shut those down at the first sign of trouble.
> >
> > Thanks
> > Matt
>
> ------------------------------
>
> End of Freeipa-users Digest, Vol 46, Issue 10
> *********************************************
_______________________________________________ Freeipa-users mailing list [email protected] https://www.redhat.com/mailman/listinfo/freeipa-users
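A small log-triage helper, added here as an example and not code from the thread, FreeIPA or SSSD: it scans constructed copies of the /var/log/secure and ldap_child.log lines quoted in the digest and pairs sshd's "Invalid user" rejections with ldap_child's "Client not found in Kerberos database" failures, the combination behind Rob's point that user lookups are failing and Dmitri's suspicion that the client is reaching the wrong KDC. Function names, the sample text and the diagnosis labels are assumptions.

```python
import re
from collections import Counter

# Constructed samples, modelled on the log lines quoted in the thread above.
SECURE_LOG = """\
May 2 12:31:14 rhel5 sshd[3250]: Invalid user mdavidson from 192.168.1.5
May 2 12:31:19 rhel5 sshd[3250]: pam_succeed_if(sshd:auth): error retrieving information about user mdavidson
May 2 12:31:21 rhel5 sshd[3250]: Failed password for invalid user mdavidson from 192.168.1.5 port 52511 ssh2
"""
LDAP_CHILD_LOG = """\
(Wed May 2 11:52:08 2012) [[sssd[ldap_child[3091]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
(Wed May 2 12:31:14 2012) [[sssd[ldap_child[3252]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
"""

# sshd logs "Invalid user NAME from HOST" when NSS (here backed by sssd) cannot resolve the account.
INVALID_USER = re.compile(r"sshd\[\d+\]: Invalid user (\S+) from (\S+)")
# ldap_child logs this when it cannot obtain a TGT for the client's host principal.
TGT_FAILURE = re.compile(r"\[ldap_child_get_tgt_sync\] \(\d+\): Failed to init credentials: (.+?)\s*$")

def ssh_unknown_users(secure_text):
    """Count ssh logins rejected because the user name could not be resolved, per user."""
    return Counter(m.group(1) for m in INVALID_USER.finditer(secure_text))

def ldap_child_failures(ldap_child_text):
    """Count ldap_child TGT acquisition failures, keyed by the Kerberos error text."""
    counts = Counter()
    for line in ldap_child_text.splitlines():
        m = TGT_FAILURE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts

def triage(secure_text, ldap_child_text):
    """Classify the failure the way the replies in the thread reason about it (labels are assumed)."""
    users = ssh_unknown_users(secure_text)
    krb = ldap_child_failures(ldap_child_text)
    if users and krb.get("Client not found in Kerberos database"):
        # sssd cannot authenticate to LDAP as the host, so every user lookup fails, and the
        # KDC the client actually reaches does not know the host principal: check which KDC
        # DNS/krb5.conf point at and that the host entry exists on that server.
        diagnosis = "host-principal-unknown-to-kdc"
    elif users:
        diagnosis = "user-lookup-failing"  # unknown users, no TGT error: look further in /var/log/sssd/*
    elif krb:
        diagnosis = "host-tgt-failing"     # sssd already broken even though nobody has tried ssh yet
    else:
        diagnosis = "ok"
    return {"unknown_users": dict(users), "krb_errors": dict(krb), "diagnosis": diagnosis}

if __name__ == "__main__":
    print(triage(SECURE_LOG, LDAP_CHILD_LOG))
```

Point the two text arguments at real copies of /var/log/secure and /var/log/sssd/ldap_child.log to run it against a client that is failing the same way.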
