Re: [Freeipa-users] FreeIPA 2, adding Samba attributes

2011-06-09 Thread Adam Young

On 06/09/2011 03:37 PM, John S. Skogtvedt wrote:

Den 09. juni 2011 14:31, skrev Simo Sorce:

You probably want to use the DNA plugin to generate the sambaSid for you
once you have a domain SID, it's not too difficult and will be much less
error prone.

Simo.


Thanks. The solution outlined at
http://www.mail-archive.com/freeipa-users@redhat.com/msg00111.html works
for me, at least for user objects (didn't try the group part yet).


It should be relatively trivial to add support in the WebUI for Samba, 
but nothing would be broken without it. All that would happen is that 
the WebUI would lack fields for the Samba specific attributes.  Assuming 
that ipa user-add works, you would want to add the field as an attribute 
in user.py.  To add it after groupID:


Int('gidnumber?',
    label=_('GID'),
    doc=_('Group ID Number'),
    default_from=lambda uid: uid,
),
Int('sambasid?',
    label=_('SAMBA SID'),
    doc=_('Samba SID Number'),
),

I have to admit I'm not sure what the rules would be for default values 
for sambaSID.


Once you have ipa user-add working, if you want to extend the web UI, 
the file to modify is /usr/share/ipa/ui/user.js.  What you would want to 
do is to add in a field sambaSID.  I'd be prone to put it under the 
section with the name: 'account'.  It should be a text field, so you 
just need to add an entry for sambasid.  I'd put it under 'gidnumber'.  
That looks like this:



{
    name: 'account',
    fields: [
        { factory: IPA.user_status_widget, name: 'nsaccountlock' },
        'uid',
        { factory: IPA.user_password_widget, name: 'userpassword' },
        'uidnumber',
        'gidnumber',
        'sambasid',
        'loginshell',
        'homedirectory'
    ]
},


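Adam's snippets add the field; what goes into it follows the "domain SID plus RID" rule John and Simo discuss. The following is an added example, not code from this post or from FreeIPA: it composes a sambaSID from a constructed domain SID and a uidNumber using Samba 3's classic algorithmic mapping (RID = 2*uid + 1000 for users, 2*gid + 1001 for groups; the mapping and the domain SID are assumptions here), and checks existing user entries for SIDs outside the domain, RIDs that do not match the uidNumber, and duplicate SIDs.

```python
import re

# Constructed domain SID for this example; a real one comes from the
# sambaDomain entry or "net getlocalsid", never from a guess.
DOMAIN_SID = "S-1-5-21-1234567890-234567890-345678901"

# Samba 3's classic algorithmic mapping (assumption: the deployment keeps
# the default "algorithmic rid base" of 1000):
#   user RID  = 2 * uidNumber + base
#   group RID = 2 * gidNumber + base + 1
ALGORITHMIC_RID_BASE = 1000

# A domain SID is S-1-5-21-<three sub-authorities>; an account SID is the
# domain SID followed by one more sub-authority, the RID.
DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+$")
ACCOUNT_SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def user_rid(uidnumber: int) -> int:
    return 2 * uidnumber + ALGORITHMIC_RID_BASE


def group_rid(gidnumber: int) -> int:
    return 2 * gidnumber + ALGORITHMIC_RID_BASE + 1


def samba_sid(domain_sid: str, posix_id: int, group: bool = False) -> str:
    """Compose the sambaSID for a uidNumber (or a gidNumber when group=True)."""
    if not DOMAIN_SID_RE.match(domain_sid):
        raise ValueError(f"not a domain SID: {domain_sid}")
    rid = group_rid(posix_id) if group else user_rid(posix_id)
    return f"{domain_sid}-{rid}"


def check_user_entry(entry: dict, domain_sid: str) -> list:
    """Return the problems found in one user entry (attribute name -> value).

    An empty list means the entry is consistent with the domain SID and the
    algorithmic mapping; anything else is a candidate for cleanup, and a SID
    from a foreign domain or shared by two users is an identity mix-up.
    """
    problems = []
    sid = entry.get("sambaSID")
    if sid is None:
        return ["sambaSID missing"]
    m = ACCOUNT_SID_RE.match(sid)
    if not m:
        return [f"sambaSID malformed: {sid}"]
    if m.group(1) != domain_sid:
        problems.append(f"sambaSID belongs to a foreign domain: {m.group(1)}")
    uidnumber = entry.get("uidNumber")
    if uidnumber is None:
        problems.append("uidNumber missing")
    elif int(m.group(2)) != user_rid(int(uidnumber)):
        problems.append(f"RID {m.group(2)} does not match uidNumber {uidnumber}")
    pgrp = entry.get("sambaPrimaryGroupSID")
    if pgrp is not None and not pgrp.startswith(domain_sid + "-"):
        problems.append(f"sambaPrimaryGroupSID outside domain: {pgrp}")
    return problems


def find_duplicate_sids(entries: list) -> dict:
    """Map each sambaSID used by more than one entry to the uids sharing it."""
    owners = {}
    for e in entries:
        owners.setdefault(e.get("sambaSID"), []).append(e.get("uid"))
    return {sid: uids for sid, uids in owners.items() if sid and len(uids) > 1}


# Constructed sample entries, shaped like attributes returned by ldapsearch.
SAMPLE_USERS = [
    {"uid": "alice", "uidNumber": "1221", "sambaSID": DOMAIN_SID + "-3442",
     "sambaPrimaryGroupSID": DOMAIN_SID + "-513"},
    {"uid": "bob", "uidNumber": "1222", "sambaSID": DOMAIN_SID + "-3442"},
    {"uid": "carol", "uidNumber": "1223",
     "sambaSID": "S-1-5-21-999-999-999-3446"},
    {"uid": "dave", "uidNumber": "1224"},
]

if __name__ == "__main__":
    for u in SAMPLE_USERS:
        print(u["uid"], check_user_entry(u, DOMAIN_SID) or "ok")
    print("duplicates:", find_duplicate_sids(SAMPLE_USERS))
```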

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users




Re: [Freeipa-users] Connecting Ubuntu to IPA - one last important step!

2011-06-09 Thread Steven Jones
Hi,

thanks, this should help a lot.

When I sudo to root I can use the ipa password so I'm fairly close...

regards



From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Sigbjorn Lie [sigbj...@nixtra.com]
Sent: Friday, 10 June 2011 5:38 a.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Connecting Ubuntu to IPA - one last important step!

Sorry, forgot one last, very important thing. Use ipa-getkeytab on an IPA server 
to retrieve the keytab for the host, and copy this to /etc/krb5.keytab on the 
Ubuntu client.

[root@ipa1 ~]# ipa-getkeytab -s ipa1.ix.test.com -p host/ubuntu-client.ix.test.com -k /tmp/buntuclient_krb5.keytab

If you prefer you can use something like CFengine to automate the whole process.


Rgds,
Siggi.

On 06/09/2011 07:21 PM, Sigbjorn Lie wrote:
Hi,

I've connected and used IPA successfully with Ubuntu 10.04, 10.10, and 11.04. 
NFS4+KRB successfully in 10.10 and 11.04.

Install the packages below; substitute libpam-ldap for libpam-ldapd if you 
prefer PADL's ldap library, which can use groups within groups for user 
accounts. ldapd can't, however it offers a daemon which connects to an LDAP 
server, and a workaround for issues such as Thunderbird crashing, etc. I 
have not been able to get the sssd that comes with Ubuntu to work.

Copy /etc/ipa/ca.crt from the IPA host to /etc/ipa/ca.crt on the Ubuntu host.

Replace /etc/krb5.conf, /etc/ntp.conf, /etc/ldap.conf (make /etc/ldap/ldap.conf 
a symlink to /etc/ldap.conf), /etc/idmapd.conf (nfs4), /etc/nslcd.conf, 
/etc/default/autofs, /etc/nsswitch.conf, /etc/default/nfs-common. See attached 
files for examples.

Add the following to /etc/ssh/sshd_config:
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

And the following to /etc/ssh/ssh_config:
Host *
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes

Run this command to make sure ldap+krb has been configured in PAM after the 
packages have been installed: $ /usr/sbin/pam-auth-update --package --force

This gives you an Ubuntu system configured for IPA with autofs and nfs4+krb5, 
and ssh krb ticket forwarding. Looking forward to when SSSD comes in version 
1.5.x in Ubuntu! :)

I've set the ldap timeouts very low so you might need to tweak them for this to 
work over a WAN/slow link, but it makes the client much more responsive if your 
first listed IPA/LDAP server becomes unavailable.


Packages:
autofs5             action=install
autofs5-ldap        action=install
krb5-user           action=install
krb5-clients        action=install
nfs-client          action=install
nfs4-acl-tools      action=install
ldap-auth-config    action=install
ldap-utils          action=install
#libpam-ldap        action=install
libpam-ldapd        action=install
libpam-krb5         action=install
libpam-ccreds       action=install
libpam-foreground   action=install
libnss-ldap         action=install
nscd                action=install
ntp                 action=install



Rgds,
Siggi



On 06/09/2011 02:43 AM, Steven Jones wrote:
Hi,

I am still trying to figure out getting ubuntu connected

So to get a non-rhel client computer into freeipa the first thing I have to do 
is make a client computer instance in freeipa first? or doesn't it matter? i.e. 
can a non rhel client only do authentication or can it be acted upon fully as 
per a rhel client?

Are there certificates for ssl or something that have to be copied over to the 
client(s)?

I don't have it working yet beyond I can do a kinit as admin and give a 
password and then do klist etc

:/

It's proving very painful

regards

Steven


8><

Maybe this article could be a good jumping-off point?
http://www.aput.net/~jheiss/krbldap/howto.html

It's pretty old, but seems to bring together many things and overview them 
well, with enough static examples to give you a feel for what you're getting 
into.

8><---

thanks, its helping.








Re: [Freeipa-users] Inconsistant first login behaviour

2011-06-09 Thread Steven Jones
Hi,

In which case I would expect it should happen across all clients in the same 
way and not some...

regards


From: Simo Sorce [s...@redhat.com]
Sent: Thursday, 9 June 2011 11:55 p.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: RE: [Freeipa-users] Inconsistant first login behaviour

On Wed, 2011-06-08 at 23:08 +, Steven Jones wrote:
> Hi,
>
> Nope. password1 was set on build; it hasn't been changed by root or the 
> user at all.

I think this will apply then:
http://www.freeipa.org/page/NewPasswordsExpired

Simo.

--
Simo Sorce * Red Hat, Inc * New York




Re: [Freeipa-users] FreeIPA 2, adding Samba attributes

2011-06-09 Thread John S. Skogtvedt
Den 09. juni 2011 17:05, skrev Dmitri Pal:
> Once in the past the DS was fixed to be able to be a back end for the
> Samba4 server so I suspect it should provide all the functionality you need.
> A plugin can be written to provide cli and UI management of Samba
> attributes.
> Are you interested in writing such a plugin?  
> What is your end goal and time line?
> 

I just need the minimal samba LDAP attributes set in order to be able to
use Samba 3 together with FreeIPA. Fortunately it seems that that's
possible after all without any coding (see my other email).

John.



Re: [Freeipa-users] FreeIPA 2, adding Samba attributes

2011-06-09 Thread John S. Skogtvedt
Den 09. juni 2011 14:31, skrev Simo Sorce:
> You probably want to use the DNA plugin to generate the sambaSid for you
> once you have a domain SID, it's not too difficult and will be much less
> error prone.
> 
> Simo.
> 

Thanks. The solution outlined at
http://www.mail-archive.com/freeipa-users@redhat.com/msg00111.html works
for me, at least for user objects (didn't try the group part yet).



Re: [Freeipa-users] Connecting Ubuntu to IPA - one last important step!

2011-06-09 Thread Sigbjorn Lie
Sorry, forgot one last, very important thing. Use ipa-getkeytab on an IPA 
server to retrieve the keytab for the host, and copy this to 
/etc/krb5.keytab on the Ubuntu client.


[root@ipa1 ~]# ipa-getkeytab -s ipa1.ix.test.com -p host/ubuntu-client.ix.test.com -k /tmp/buntuclient_krb5.keytab


If you prefer you can use something like CFengine to automate the whole 
process.



Rgds,
Siggi.

On 06/09/2011 07:21 PM, Sigbjorn Lie wrote:

Hi,

I've connected and used IPA successfully with Ubuntu 10.04, 10.10, and 
11.04. NFS4+KRB successfully in 10.10 and 11.04.


Install the packages below; substitute libpam-ldap for libpam-ldapd if 
you prefer PADL's ldap library, which can use groups within groups for 
user accounts. ldapd can't, however it offers a daemon which connects 
to an LDAP server, and a workaround for issues such as Thunderbird 
crashing, etc. I have not been able to get the sssd that comes with 
Ubuntu to work.


Copy /etc/ipa/ca.crt from the IPA host to /etc/ipa/ca.crt on the 
Ubuntu host.


Replace /etc/krb5.conf, /etc/ntp.conf, /etc/ldap.conf (make 
/etc/ldap/ldap.conf a symlink to /etc/ldap.conf), /etc/idmapd.conf 
(nfs4), /etc/nslcd.conf, /etc/default/autofs, /etc/nsswitch.conf, 
/etc/default/nfs-common. See attached files for examples.


Add the following to /etc/ssh/sshd_config:
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

And the following to /etc/ssh/ssh_config:
Host *
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes

Run this command to make sure ldap+krb has been configured in PAM 
after the packages have been installed: $ /usr/sbin/pam-auth-update 
--package --force


This gives you an Ubuntu system configured for IPA with autofs and 
nfs4+krb5, and ssh krb ticket forwarding. Looking forward to when SSSD 
comes in version 1.5.x in Ubuntu! :)


I've set the ldap timeouts very low so you might need to tweak them for 
this to work over a WAN/slow link, but it makes the client much more 
responsive if your first listed IPA/LDAP server becomes unavailable.



Packages:
autofs5             action=install
autofs5-ldap        action=install
krb5-user           action=install
krb5-clients        action=install
nfs-client          action=install
nfs4-acl-tools      action=install
ldap-auth-config    action=install
ldap-utils          action=install
#libpam-ldap        action=install
libpam-ldapd        action=install
libpam-krb5         action=install
libpam-ccreds       action=install
libpam-foreground   action=install
libnss-ldap         action=install
nscd                action=install
ntp                 action=install



Rgds,
Siggi



On 06/09/2011 02:43 AM, Steven Jones wrote:

Hi,

I am still trying to figure out getting ubuntu connected

So to get a non-rhel client computer into freeipa the first thing I 
have to do is make a client computer instance in freeipa first? or 
doesn't it matter? i.e. can a non rhel client only do authentication or 
can it be acted upon fully as per a rhel client?


Are there certificates for ssl or something that have to be copied 
over to the client(s)?


I don't have it working yet beyond I can do a kinit as admin and give 
a password and then do klist etc


:/

It's proving very painful

regards

Steven


8><

Maybe this article could be a good jumping-off point?
http://www.aput.net/~jheiss/krbldap/howto.html

It's pretty old, but seems to bring together many things and overview 
them well, with enough static examples to give you a feel for what 
you're getting into.


8><---

thanks, its helping.







[Freeipa-users] Connecting Ubuntu to IPA

2011-06-09 Thread Sigbjorn Lie

Hi,

I've connected and used IPA successfully with Ubuntu 10.04, 10.10, and 
11.04. NFS4+KRB successfully in 10.10 and 11.04.


Install the packages below; substitute libpam-ldap for libpam-ldapd if 
you prefer PADL's ldap library, which can use groups within groups for 
user accounts. ldapd can't, however it offers a daemon which connects to 
an LDAP server, and a workaround for issues such as Thunderbird 
crashing, etc. I have not been able to get the sssd that comes with 
Ubuntu to work.


Copy /etc/ipa/ca.crt from the IPA host to /etc/ipa/ca.crt on the Ubuntu 
host.


Replace /etc/krb5.conf, /etc/ntp.conf, /etc/ldap.conf (make 
/etc/ldap/ldap.conf a symlink to /etc/ldap.conf), /etc/idmapd.conf 
(nfs4), /etc/nslcd.conf, /etc/default/autofs, /etc/nsswitch.conf, 
/etc/default/nfs-common. See attached files for examples.


Add the following to /etc/ssh/sshd_config:
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

And the following to /etc/ssh/ssh_config:
Host *
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes

Run this command to make sure ldap+krb has been configured in PAM after 
the packages have been installed: $ /usr/sbin/pam-auth-update --package 
--force


This gives you an Ubuntu system configured for IPA with autofs and 
nfs4+krb5, and ssh krb ticket forwarding. Looking forward to when SSSD 
comes in version 1.5.x in Ubuntu! :)


I've set the ldap timeouts very low so you might need to tweak them for this 
to work over a WAN/slow link, but it makes the client much more 
responsive if your first listed IPA/LDAP server becomes unavailable.



Packages:
autofs5             action=install
autofs5-ldap        action=install
krb5-user           action=install
krb5-clients        action=install
nfs-client          action=install
nfs4-acl-tools      action=install
ldap-auth-config    action=install
ldap-utils          action=install
#libpam-ldap        action=install
libpam-ldapd        action=install
libpam-krb5         action=install
libpam-ccreds       action=install
libpam-foreground   action=install
libnss-ldap         action=install
nscd                action=install
ntp                 action=install



Rgds,
Siggi



On 06/09/2011 02:43 AM, Steven Jones wrote:

Hi,

I am still trying to figure out getting ubuntu connected

So to get a non-rhel client computer into freeipa the first thing I have to do 
is make a client computer instance in freeipa first? or doesn't it matter? i.e. 
can a non rhel client only do authentication or can it be acted upon fully as 
per a rhel client?

Are there certificates for ssl or something that have to be copied over to the 
client(s)?

I don't have it working yet beyond I can do a kinit as admin and give a 
password and then do klist etc

:/

It's proving very painful

regards

Steven


8><

Maybe this article could be a good jumping-off point?
http://www.aput.net/~jheiss/krbldap/howto.html

It's pretty old, but seems to bring together many things and overview them 
well, with enough static examples to give you a feel for what you're getting 
into.

8><---

thanks, its helping.



#
# Define default options for autofs.
#
# MASTER_MAP_NAME - default map name for the master map.
#
MASTER_MAP_NAME="/etc/auto.master"
#
# TIMEOUT - set the default mount timeout (default 600).
#
TIMEOUT=300
#
# NEGATIVE_TIMEOUT - set the default negative timeout for
#failed mount attempts (default 60).
#
#NEGATIVE_TIMEOUT=60
#
# MOUNT_WAIT - time to wait for a response from mount(8).
#  Setting this timeout can cause problems when
#  mount would otherwise wait for a server that
#  is temporarily unavailable, such as when it's
#  restarting. The default of waiting for mount(8)
#  usually results in a wait of around 3 minutes.
#
#MOUNT_WAIT=-1
#
# UMOUNT_WAIT - time to wait for a response from umount(8).
#
#UMOUNT_WAIT=12
#
# BROWSE_MODE - maps are browsable by default.
#
BROWSE_MODE="yes"
#
# MOUNT_NFS_DEFAULT_PROTOCOL - specify the default protocol used by
#  mount.nfs(8). Since we can't identify
#  the default automatically we need to
#  set it in our configuration. This will
#  only make a difference for replicated
#  map entries as availability probing isn't
#  used for single host map entries.
#
#MOUNT_NFS_DEFAULT_PROTOCOL=3
MOUNT_NFS_DEFAULT_PROTOCOL=4
#
# APPEND_OPTIONS - append to global options instead of replace.
#
#APPEND_OPTIONS="yes"
#
# LOGGING - set default log level 

Re: [Freeipa-users] FreeIPA 2, adding Samba attributes

2011-06-09 Thread Dmitri Pal
On 06/09/2011 08:31 AM, Simo Sorce wrote:
> On Thu, 2011-06-09 at 12:44 +0200, John S. Skogtvedt wrote:
>> Hello,
>>
>> has anybody tried to integrate Samba with FreeIPA 2? I searched and
>> found a mailing list post from 2009 with a solution using the 389 DNA
>> plugin, but later posts indicated that the solution outlined wasn't
>> correct (and probably out of date).
>>
>> My impression from what I've read is that there is no way of doing it
>> other than configuring FreeIPA to add samba object classes, and
>> specifying the required attributes when adding a user. The problem then
>> is that adding users won't be possible from the web interface, because
>> of required samba attributes (unless one instead later adds the
>> necessary object classes and attributes).
>>
>> Is this correct?
> You can modify the UI behavior wrt what classes and attributes to store.
>
>> If so, I wonder how much work it might be to either add a small hack to
>> the web interface to add the necessary attributes, or to write a web
>> interface plugin which adds a user with the necessary attributes. Any
>> pointers would be appreciated (I know python).
>> I think it'd be useful to be able to add template values as well as
>> objectclasses in ipaConfig, e.g. something like:
>> ipaUserAttrs: sambaSid: ...-$uid, where $uid is expanded when the user
>> is created.
> You probably want to use the DNA plugin to generate the sambaSid for you
> once you have a domain SID, it's not too difficult and will be much less
> error prone.
>
> Simo.
>
Once in the past the DS was fixed to be able to be a back end for the
Samba4 server so I suspect it should provide all the functionality you need.
A plugin can be written to provide cli and UI management of Samba
attributes.
Are you interested in writing such a plugin?  
What is your end goal and time line?

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/





Re: [Freeipa-users] Kerberos problem with account with changed attributes

2011-06-09 Thread Rob Crittenden
tomasz.napier...@allegro.pl wrote:
> Hi,
> 
> Due to a bug in one of our maintenance scripts, I had to manually change some 
> attributes for one of the users, e.g.: uid and uidNumber. I did it using
> /usr/sbin/ipa-moduser --setattr="uid=username" --setattr="uidNumber=1221" 1221
> 
> (yeah, last argument is really user's uid ;)
> 
> After that the user cannot use any of the ipa-* scripts, he's getting:
> "Connection to database failed: Invalid credentials: SASL(-14): authorization 
> failure:"
> 
> I suppose it is a problem with inconsistency in ldap and Kerberos database 
> (probably Kerberos still has old data)
> 
> My question is how to fix that without generating a new user (I really have to 
> avoid that due to the fact that this environment has some compliance restrictions)
> 
> Regards,

Hmm, this is strange. It looks like you changed the uid properly.

Let's remove the ipa admin tools from the picture. Can the user try this
using your LDAP search basedn?

ldapsearch -Y GSSAPI -b dc=example,dc=com uid=1221

They may also want to try a kdestroy/kinit if it fails, though I don't
know why the principal wouldn't be accepted.

When binding in LDAP we need to map the Kerberos principal to a user
account. It may be that this mapping is failing. The ldapsearch command
may give us a more specific error message.

rob



Re: [Freeipa-users] Inconsistant first login behaviour

2011-06-09 Thread Dmitri Pal
On 06/08/2011 07:48 PM, Steven Jones wrote:
> Hi,
>
> nsswitch attached.
>
> Which pam files?

The pam configuration files.
On my RHEL6 it is in /etc/pam.d/system-auth which is usually a link to a
file in the same directory.
I think in 5.6 it is similar. I do not have a 5.6 machine handy to check.
 
> regards
> 
> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
> behalf of Dmitri Pal [d...@redhat.com]
> Sent: Thursday, 9 June 2011 11:32 a.m.
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Inconsistant first login behaviour
>
> On 06/08/2011 06:57 PM, Steven Jones wrote:
>
> Attached are F15 and RHEL5.6 conf scripts.
>
>
> You have not attached pam configurations and nsswitch for 5.6.
>
> regards
> 
> From: 
> freeipa-users-boun...@redhat.com 
> [freeipa-users-boun...@redhat.com] 
> on behalf of Steven Jones 
> [steven.jo...@vuw.ac.nz]
> Sent: Thursday, 9 June 2011 10:31 a.m.
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Inconsistant first login behaviour
>
> Hi,
>
> These files/clients have all been configured by the ipa-client-install 
> script, so any settings are standard, I have modified nothing.
>
> So when I built all 3 client/workstations I made a default user jonesst1 at 
> build time with password 1 and it's the same across all three.
>
> So in the freeipa server I set password2 for jonesst1 which is different so I 
> know that I am getting a centralised login... really basic stuff.
>
> So then using the ipa-client-install script I joined them each in turn to 
> IPA... for F15 and 6.1 clients they now accept the IPA password2 without an 
> issue... for RHEL 5.6 it initially asked to reset the password... and I only 
> had 1 hour... later logins are fine.
>
> So my use case is nothing more than a simple centralised login..
>
> regards
>
> 
> From: 
> freeipa-users-boun...@redhat.com 
> [freeipa-users-boun...@redhat.com] 
> on behalf of Dmitri Pal [d...@redhat.com]
> Sent: Thursday, 9 June 2011 8:56 a.m.
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Inconsistant first login behaviour
>
> On 06/08/2011 04:04 PM, Steven Jones wrote:
>
>
> Hi,
>
> Can you fix 5.6 so it runs the ipa-client-install script the same way then 
> please? because running the same command giving differing results seems 
> strange... unless you are telling me it's simply the way rhel5.6 will work?
>
>
> Well the problem is that SSSD is not in 5.6 by default. ipa-client on
> 5.6 configures LDAP+Kerberos. In fedora there is SSSD and it is
> configured. In 5.7 there will be a new ipa-client that will act in the
> same way as in RHEL 6 or Fedora.
>
> But the expectation is that they should act in the same way now. But
> apparently there is some difference.
>
> We need to understand exactly what is your use case.
> What is configured in your nsswitch and pam config on RHEL and Fedora?
> And if in one case it is SSSD and not in the other we need to see SSSD
> configuration and LDAP and Kerberos configuration files.
>
>
>
>
> regards
>
> Steven
> 
> From: 
> freeipa-users-boun...@redhat.com 
> [freeipa-users-boun...@redhat.com] 
> on behalf of Dmitri Pal [d...@redhat.com]
> Sent: Thursday, 9 June 2011 5:00 a.m.
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Inconsistant first login behaviour
>
> On 06/07/2011 10:36 PM, Steven Jones wrote:
>
>
> Logging into the F15 client and I just login with the ldap password...
>
> If I try the same thing with RHEL5.6 I get told I have one hour to password 
> expiry
>
> I'd like it to do one or other across platforms... and be able to set this 
> behaviour, per user... or not at all.
>
>
>
> This is probably because in one case you log in using the LDAP password and in
> another with the Kerberos credential. The underlying password string is the
> same but other properties like expiration are different, as you see.
> To have a consistent experience, configure both systems to use the same
> type of credential.
>
>
>
>
> regards
>
> Steven
>
>
>
>
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IPA project,
> Red Hat Inc.
>
>

Re: [Freeipa-users] Connecting ubuntu, Centos 5.x and netbsd to IPA server

2011-06-09 Thread Dmitri Pal
On 06/08/2011 08:43 PM, Steven Jones wrote:
> Hi,
>
> I am still trying to figure out getting ubuntu connected
>
> So to get a non-rhel client computer into freeipa the first thing I have to 
> do is make a client computer instance in freeipa first? or doesn't it matter? 
> i.e. can a non rhel client only do authentication or can it be acted upon fully 
> as per a rhel client?
>
Unless you want to have the client use Kerberos to protect your ldap
connection from host to IPA you do not need to have the host principal
in the server.
For non-RHEL machines, or machines that do not use SSSD, you need to
configure only PAM and NSS.
For PAM you can use kerberos or ldap.
For NSS you need to use ldap.
Effectively you need to manually do what ipa-client on rhel 5.6 does for
you.
It is covered in the Freeipa v1 client config guides. Nothing changed there.
http://freeipa.org/docs/1.2/Client_Setup_Guide/en-US/html/

Hope this helps.

> Are there certificates for ssl or something that have to be copied over to 
> the client(s)?
>
> I don't have it working yet beyond I can do a kinit as admin and give a 
> password and then do klist etc
>
> :/
>
> It's proving very painful
>
> regards
>
> Steven
>
>
> 8><
>
> Maybe this article could be a good jumping-off point?
> http://www.aput.net/~jheiss/krbldap/howto.html
>
> It's pretty old, but seems to bring together many things and overview them 
> well, with enough static examples to give you a feel for what you're getting 
> into.
>
> 8><---
>
> thanks, its helping.
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.







Re: [Freeipa-users] New user first login behaviour (Fedora 15)

2011-06-09 Thread Simo Sorce
On Thu, 2011-06-09 at 09:41 -0400, Stephen Gallagher wrote:
> On Thu, 2011-06-09 at 08:26 -0400, Simo Sorce wrote:
> > On Thu, 2011-06-09 at 04:20 +, Steven Jones wrote:
> > > Hi,
> > > 
> > > hmmm..I can login to the workstation via ssh using the ipa
> > > password for thing... but no home directory has been created...
> > 
> > You need to configure pam_mkhomedir if you want that done.
> > 
> > We cannot do that from ipa-client-install because we have no data on how
> > you are going to set up your home directories. We have no idea if you
> > want local ones or if you are going to setup a NFS mountpoint on /home
> > or if you are going to use automount/autofs or whatever.
> > 
> > You can run the authconfig gui (or CLI) and select the option of
> > creating home directories at login if they are not available yet.
> > 
> > Simo.
> > 
> 
> You can also pass --mkhomedir to ipa-client-install when you're
> initially setting the client up. This will configure pam_mkhomedir (or
> oddjob_mkhomedir, if available) to automatically create home directories
> when users first log in.

Thanks Stephen, I had forgotten we had that option.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] New user first login behaviour (Fedora 15)

2011-06-09 Thread Stephen Gallagher
On Thu, 2011-06-09 at 08:26 -0400, Simo Sorce wrote:
> On Thu, 2011-06-09 at 04:20 +, Steven Jones wrote:
> > Hi,
> > 
> > hmmm..I can login to the workstation via ssh using the ipa
> > password for thing... but no home directory has been created...
> 
> You need to configure pam_mkhomedir if you want that done.
> 
> We cannot do that from ipa-client-install because we have no data on how
> you are going to set up your home directories. We have no idea if you
> want local ones or if you are going to setup a NFS mountpoint on /home
> or if you are going to use automount/autofs or whatever.
> 
> You can run the authconfig gui (or CLI) and select the option of
> creating home directories at login if they are not available yet.
> 
> Simo.
> 

You can also pass --mkhomedir to ipa-client-install when you're
initially setting the client up. This will configure pam_mkhomedir (or
oddjob_mkhomedir, if available) to automatically create home directories
when users first log in.



Re: [Freeipa-users] disable account behavior

2011-06-09 Thread Rob Crittenden

Martin Kosek wrote:

On Wed, 2011-06-08 at 17:55 -0700, Stephen Ingram wrote:

I've disabled an account in FreeIPA using the UI and I don't see any
changes in the directory. Are there supposed to be changes there or is
this something that is accomplished in Kerberos? I was hoping to be
able to search the directory for disabled accounts.

Steve



When an account is disabled, the nsaccountlock attribute is set to True. I
would suggest the following LDAP search:

# ldapsearch -h localhost -Y GSSAPI -b cn=users,cn=accounts,$SUFFIX -s one nsaccountlock
SASL/GSSAPI authentication started
SASL username: ad...@idm.lab.bos.redhat.com
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base  with scope oneLevel
# filter: (objectclass=*)
# requesting: nsaccountlock
#

# admin, users, accounts, idm.lab.bos.redhat.com
dn: uid=admin,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
nsaccountlock: False

# fbar, users, accounts, idm.lab.bos.redhat.com
dn: uid=fbar,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
nsaccountlock: True


User "fbar" was disabled via CLI.


To add to this, nsaccountlock is an LDAP operational attribute so you 
have to specifically ask for it for it to be displayed.


rob
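Added example, not from Martin's or Rob's message: a parser for ldapsearch LDIF output of the shape shown above that reports each account as disabled, enabled, or unknown. The sample LDIF is constructed; an entry that carries no nsaccountlock at all is reported as unknown rather than enabled, because the attribute is operational and is only returned when it was explicitly requested.

```python
import base64

# Constructed ldapsearch output (not real data): nsaccountlock requested
# explicitly, one entry per user, one DN folded across two lines the way
# ldapsearch wraps long values, and one entry without the attribute.
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# filter: (objectclass=*)
# requesting: nsaccountlock
#

# admin, users, accounts, example.test
dn: uid=admin,cn=users,cn=accounts,dc=example,dc=test
nsaccountlock: False

# fbar, users, accounts, example.test
dn: uid=fbar,cn=users,cn=accounts,dc=example,dc=test
nsaccountlock: True

# longdn, users, accounts, example.test
dn: uid=someone-with-a-rather-long-name,cn=users,cn=accounts,dc=example,dc=te
 st
nsaccountlock: TRUE

# nolock, users, accounts, example.test
dn: uid=nolock,cn=users,cn=accounts,dc=example,dc=test
"""


def parse_ldif(text: str) -> list:
    """Parse LDIF into a list of {attr: [values]} dicts, one per entry.

    Handles comment lines, blank-line entry separators, folded continuation
    lines (a leading space joins the line to the previous one) and
    base64-encoded values written as "attr:: ...".
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current = [], {}
    for line in unfolded:
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def account_states(text: str) -> dict:
    """Map each DN to 'disabled', 'enabled' or 'unknown'.

    'unknown' is deliberate: nsaccountlock is an operational attribute, so
    its absence from a search that did not ask for it says nothing about the
    account and must not be read as "enabled".
    """
    states = {}
    for e in parse_ldif(text):
        dn = e["dn"][0]
        lock = e.get("nsaccountlock")
        if lock is None:
            states[dn] = "unknown"
        elif lock[0].lower() == "true":
            states[dn] = "disabled"
        else:
            states[dn] = "enabled"
    return states


def disabled_uids(text: str) -> list:
    """The uid RDN values of every entry reported as disabled, sorted."""
    return sorted(dn.split(",")[0].split("=", 1)[1]
                  for dn, state in account_states(text).items()
                  if state == "disabled")


if __name__ == "__main__":
    for dn, state in account_states(SAMPLE_LDIF).items():
        print(f"{state:8s} {dn}")
```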



Re: [Freeipa-users] FreeIPA 2, adding Samba attributes

2011-06-09 Thread Simo Sorce
On Thu, 2011-06-09 at 12:44 +0200, John S. Skogtvedt wrote:
> Hello,
> 
> has anybody tried to integrate Samba with FreeIPA 2? I searched and
> found a mailing list post from 2009 with a solution using the 389 DNA
> plugin, but later posts indicated that the solution outlined wasn't
> correct (and probably out of date).
> 
> My impression from what I've read is that there is no way of doing it
> other than configuring FreeIPA to add samba object classes, and
> specifying the required attributes when adding a user. The problem then
> is that adding users won't be possible from the web interface, because
> of required samba attributes (unless one instead later adds the
> necessary object classes and attributes).
> 
> Is this correct?

You can modify the UI behavior wrt what classes and attributes to store.

> If so, I wonder how much work it might be to either add a small hack to
> the web interface to add the necessary attributes, or to write a web
> interface plugin which adds a user with the necessary attributes. Any
> pointers would be appreciated (I know python).
> I think it'd be useful to be able to add template values as well as
> objectclasses in ipaConfig, e.g. something like:
> ipaUserAttrs: sambaSid: ...-$uid, where $uid is expanded when the user
> is created.

You probably want to use the DNA plugin to generate the sambaSid for you
once you have a domain SID, it's not too difficult and will be much less
error prone.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

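The pieces a DNA-based sambaSid setup needs, as an added example in Python (not FreeIPA or Samba project code): validate that the configured value really is a domain SID (S-1-5-21-a-b-c), refuse RIDs in the well-known range below 1000, and emit the LDIF that attaches the resulting sambaSID to an existing user. `rid_from_uidnumber` is Samba's classic algorithmic mapping (2 * uidNumber + 1000), shown here as an alternative to DNA-allocated RIDs in the spirit of the "$uid is expanded" idea above; the domain SID and DN in the `__main__` block are constructed sample values.

```python
"""Derive a sambaSID for a FreeIPA user from a domain SID and a RID.

Added example, not FreeIPA or Samba project code. The domain SID and DN
used under __main__ are constructed sample values, not a real domain.
"""
import re

# RIDs below 1000 are reserved for well-known principals
# (500 Administrator, 512 Domain Admins, 513 Domain Users, ...).
FIRST_ALLOCATABLE_RID = 1000
MAX_SUBAUTHORITY = 0xFFFFFFFF        # SID sub-authorities are 32-bit
# Samba's classic algorithmic mapping: user RID = 2 * uidNumber + base
ALGORITHMIC_RID_BASE = 1000


def parse_sid(sid):
    """Split 'S-1-<authority>-<sub>-...' into (authority, [sub-authorities])."""
    if not re.fullmatch(r"S-1-\d+(?:-\d+){1,15}", sid):
        raise ValueError("malformed SID: %r" % (sid,))
    parts = sid.split("-")
    authority = int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if any(s > MAX_SUBAUTHORITY for s in subs):
        raise ValueError("sub-authority out of range in %r" % (sid,))
    return authority, subs


def is_domain_sid(sid):
    """True only for a local-domain SID: NT authority (5), 21, three random parts."""
    try:
        authority, subs = parse_sid(sid)
    except ValueError:
        return False
    return authority == 5 and len(subs) == 4 and subs[0] == 21


def rid_is_allocatable(rid):
    """Reject well-known RIDs and anything that does not fit in 32 bits."""
    return FIRST_ALLOCATABLE_RID <= rid <= MAX_SUBAUTHORITY


def rid_from_uidnumber(uidnumber):
    """Samba's algorithmic user RID; usable instead of DNA when uidNumbers
    are already unique and never reused."""
    return 2 * uidnumber + ALGORITHMIC_RID_BASE


def build_samba_sid(domain_sid, rid):
    """'<domain SID>-<RID>', after checking both halves."""
    if not is_domain_sid(domain_sid):
        raise ValueError("not a domain SID: %r" % (domain_sid,))
    if not rid_is_allocatable(rid):
        raise ValueError("RID %d is reserved or out of range" % rid)
    return "%s-%d" % (domain_sid, rid)


def samba_user_ldif(dn, domain_sid, rid):
    """LDIF change record adding sambaSamAccount and sambaSID to a user.
    sambaSamAccount lists sambaSID as MUST, so both go in one modify."""
    sid = build_samba_sid(domain_sid, rid)
    return "\n".join([
        "dn: %s" % dn,
        "changetype: modify",
        "add: objectClass",
        "objectClass: sambaSamAccount",
        "-",
        "add: sambaSID",
        "sambaSID: %s" % sid,
        "",
    ])


if __name__ == "__main__":
    # Constructed sample domain SID and DN.
    DOMAIN_SID = "S-1-5-21-1111-2222-3333"
    print(samba_user_ldif("uid=jdoe,cn=users,cn=accounts,dc=example,dc=test",
                          DOMAIN_SID, rid_from_uidnumber(1221)))
```

The output of the `__main__` block can be fed to `ldapmodify` as-is; whichever allocator hands out the RID, the `rid_is_allocatable` check is what keeps a generated user from colliding with a built-in account.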


Re: [Freeipa-users] Kerberos problem with account with changed attributes

2011-06-09 Thread Simo Sorce
On Thu, 2011-06-09 at 13:04 +0200, tomasz.napier...@allegro.pl wrote:
> Hi,
> 
> Due to a bug in one of our maintenance scripts, I had to manually change some 
> attributes for one of the users, e.g. uid and uidNumber. I did it using
> /usr/sbin/ipa-moduser --setattr="uid=username" --setattr="uidNumber=1221" 1221
> 
> (yeah, the last argument is really the user's uid ;)
> 
> After that the user cannot use any of the ipa-* scripts, he's getting:
> "Connection to database failed: Invalid credentials: SASL(-14): authorization 
> failure:"
> 
> I suppose it is a problem with an inconsistency between the LDAP and Kerberos 
> databases (probably Kerberos still has the old data)
> 
> My question is how to fix that without generating a new user (I really have to 
> avoid that due to the fact that this environment has some compliance restrictions)

Use ldapsearch to check what the DN is; it is probably still something
like: cn=1211,cn=users,cn=accounts, ...

then use ldapmodrdn -r cn=1211,cn=users,cn=acc. cn=username

This will rename the user properly and a plugin will take care of
also renaming the Kerberos principal.

Local client caches may need some purging to properly pick up the new
value.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] New user first login behaviour (Fedora 15)

2011-06-09 Thread Simo Sorce
On Thu, 2011-06-09 at 04:20 +, Steven Jones wrote:
> Hi,
> 
> hmmm... I can log in to the workstation via ssh using the ipa
> password for thing... but no home directory has been created...

You need to configure pam_mkhomedir if you want that done.

We cannot do that from ipa-client-install because we have no data on how
you are going to set up your home directories. We have no idea if you
want local ones or if you are going to setup a NFS mountpoint on /home
or if you are going to use automount/autofs or whatever.

You can run the authconfig gui (or CLI) and select the option of
creating home directories at login if they are not available yet.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] Inconsistent first login behaviour

2011-06-09 Thread Simo Sorce
On Thu, 2011-06-09 at 03:36 +, Steven Jones wrote:
> It is also not just at the first login... if I change the password in IPA the 
> next login to rhel5.6 requires a password change.
> 
> yet F15 does not.

What matters is *how* you change this password. But see my other mail
that explains what happens if you change a user password as an
administrator.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



[Freeipa-users] FreeIPA 2, adding Samba attributes

2011-06-09 Thread John S. Skogtvedt
Hello,

has anybody tried to integrate Samba with FreeIPA 2? I searched and
found a mailing list post from 2009 with a solution using the 389 DNA
plugin, but later posts indicated that the solution outlined wasn't
correct (and probably out of date).

My impression from what I've read is that there is no way of doing it
other than configuring FreeIPA to add samba object classes, and
specifying the required attributes when adding a user. The problem then
is that adding users won't be possible from the web interface, because
of required samba attributes (unless one instead later adds the
necessary object classes and attributes).

Is this correct?

If so, I wonder how much work it might be to either add a small hack to
the web interface to add the necessary attributes, or to write a web
interface plugin which adds a user with the necessary attributes. Any
pointers would be appreciated (I know python).
I think it'd be useful to be able to add template values as well as
objectclasses in ipaConfig, e.g. something like:
ipaUserAttrs: sambaSid: ...-$uid, where $uid is expanded when the user
is created.


Thank you,

John.



Re: [Freeipa-users] Inconsistent first login behaviour

2011-06-09 Thread Simo Sorce
On Wed, 2011-06-08 at 23:08 +, Steven Jones wrote:
> Hi,
> 
> Nope. password1 was set on build... it hasn't been changed by root or the 
> user at all. 

I think this will apply then:
http://www.freeipa.org/page/NewPasswordsExpired

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



[Freeipa-users] Kerberos problem with account with changed attributes

2011-06-09 Thread tomasz.napier...@allegro.pl
Hi,

Due to a bug in one of our maintenance scripts, I had to manually change some 
attributes for one of the users, e.g. uid and uidNumber. I did it using
/usr/sbin/ipa-moduser --setattr="uid=username" --setattr="uidNumber=1221" 1221

(yeah, the last argument is really the user's uid ;)

After that the user cannot use any of the ipa-* scripts, he's getting:
"Connection to database failed: Invalid credentials: SASL(-14): authorization 
failure:"

I suppose it is a problem with an inconsistency between the LDAP and Kerberos 
databases (probably Kerberos still has the old data)

My question is how to fix that without generating a new user (I really have to 
avoid that due to the fact that this environment has some compliance restrictions)

Regards,
-- 
Tomasz Z. Napierała
Systems Architecture Engineer,
IT Infrastructure Department
Allegro Team
http://www.allegro.pl/

Grupa Allegro Sp. z o.o., with its registered office in Poznań, 60-324 Poznań, 
ul. Marcelińska 90, entered in the register of entrepreneurs kept by the District 
Court Poznań - Nowe Miasto i Wilda (Sąd Rejonowy Poznań - Nowe Miasto i Wilda), 
VIII Commercial Division of the National Court Register, under KRS number 268796, 
with share capital of 33 474 500 zł, tax identification number NIP: 5272525995.




Re: [Freeipa-users] disable account behavior

2011-06-09 Thread Martin Kosek
On Wed, 2011-06-08 at 17:55 -0700, Stephen Ingram wrote:
> I've disabled an account in FreeIPA using the UI and I don't see any
> changes in the directory. Are there supposed to be changes there or is
> this something that is accomplished in Kerberos? I was hoping to be
> able to search the directory for disabled accounts.
> 
> Steve
> 

When an account is disabled, the nsaccountlock attribute is set to True. I
would suggest the following LDAP search:

# ldapsearch -h localhost -Y GSSAPI -b cn=users,cn=accounts,$SUFFIX -s one 
nsaccountlock
SASL/GSSAPI authentication started
SASL username: ad...@idm.lab.bos.redhat.com
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base  with scope oneLevel
# filter: (objectclass=*)
# requesting: nsaccountlock 
#

# admin, users, accounts, idm.lab.bos.redhat.com
dn: uid=admin,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
nsaccountlock: False

# fbar, users, accounts, idm.lab.bos.redhat.com
dn: uid=fbar,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
nsaccountlock: True


User "fbar" was disabled via CLI.

Martin

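An added Python example (not FreeIPA code) that parses the LDIF ldapsearch prints and runs two checks on user entries: the one Martin describes above, listing accounts whose nsaccountlock is True, and one for the state in the "Kerberos problem with account with changed attributes" thread earlier on the page, where a uid was changed in place with setattr instead of modrdn and no longer matches the entry's RDN or the Kerberos principal derived from it. `SAMPLE_LDIF` is constructed data in the shape of ldapsearch output, not a capture from a server, and the renamed entry's attributes are an assumption about what that state looks like, not something the thread shows.

```python
"""Parse ldapsearch LDIF output and run two checks on FreeIPA user entries.

Added example, not FreeIPA code. SAMPLE_LDIF is constructed sample data.
The parser handles comment lines, folded continuation lines (leading
space, RFC 2849) and base64 values ("attr:: ...") as ldapsearch emits them.
"""
import base64

SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# filter: (objectclass=*)
# requesting: uid nsaccountlock krbPrincipalName description
#

# admin, users, accounts, example.test
dn: uid=admin,cn=users,cn=accounts,dc=example,dc=test
uid: admin
krbPrincipalName: admin@EXAMPLE.TEST
nsaccountlock: False

# fbar, users, accounts, example.test
dn: uid=fbar,cn=users,cn=accounts,dc=example,dc=test
uid: fbar
krbPrincipalName: fbar@EXAMPLE.TEST
nsaccountlock: True
description:: aGVsbG8g
 d29ybGQ=

# 1221, users, accounts, example.test
dn: uid=1221,cn=users,cn=accounts,dc=example,dc=test
uid: username
krbPrincipalName: 1221@EXAMPLE.TEST
nsaccountlock: False
"""


def _add_attr(entry, line):
    """Store one 'name: value' or 'name:: base64' line in the entry dict."""
    name, _, rest = line.partition(":")
    if rest.startswith(":"):
        value = base64.b64decode(rest[1:].strip()).decode("utf-8")
    else:
        value = rest.strip()
    entry.setdefault(name.strip(), []).append(value)


def parse_ldif(text):
    """Return a list of {attribute: [values]} dicts, one per LDIF record."""
    entries = []
    entry = {}
    logical = None          # the line being assembled from continuations

    def commit_logical():
        nonlocal logical
        if logical is not None and not logical.startswith("#"):
            if entry or not logical.lower().startswith("version:"):
                _add_attr(entry, logical)
        logical = None

    for raw in text.splitlines():
        if raw.startswith(" ") and logical is not None:
            logical += raw[1:]      # folded line: join without the leading space
            continue
        commit_logical()
        if raw == "":               # blank line ends a record
            if entry:
                entries.append(entry)
                entry = {}
            continue
        logical = raw
    commit_logical()
    if entry:
        entries.append(entry)
    return entries


def disabled_accounts(entries):
    """DNs whose nsaccountlock is true (case-insensitive, as the server accepts it)."""
    return [e["dn"][0] for e in entries
            if any(v.lower() == "true" for v in e.get("nsaccountlock", []))]


def rdn_of(dn):
    """First RDN as (attribute, value); escaped commas are not handled here."""
    attr, _, value = dn.split(",", 1)[0].partition("=")
    return attr.strip().lower(), value.strip()


def rdn_mismatches(entries):
    """(dn, reason) for entries whose naming attribute no longer equals the RDN
    value, or whose Kerberos principal was not derived from the current uid."""
    problems = []
    for e in entries:
        dn = e["dn"][0]
        attr, rdn_value = rdn_of(dn)
        values = e.get(attr, [])
        if values != [rdn_value]:
            problems.append((dn, "%s=%r but RDN value is %r" % (attr, values, rdn_value)))
        if attr == "uid":
            for princ in e.get("krbPrincipalName", []):
                if princ.split("@", 1)[0] not in values:
                    problems.append((dn, "krbPrincipalName %s does not match uid %r"
                                     % (princ, values)))
    return problems


if __name__ == "__main__":
    found = parse_ldif(SAMPLE_LDIF)
    print("disabled:", disabled_accounts(found))
    for dn, why in rdn_mismatches(found):
        print("inconsistent:", dn, "-", why)
```

On the sample data the first check reports only `uid=fbar`, and the second flags the `uid=1221` entry twice (uid attribute versus RDN, and the stale principal), which is the condition `ldapmodrdn` fixes in the earlier thread.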