Re: [Freeipa-users] Insufficient access during winsync agreement
On 20/06/11 16:37, Attila Bogár wrote:
> I'm trying to set up the AD-FreeIPA sync agreement and I'm always getting this error:
>
> # ipa-replica-manage connect --winsync --binddn cn=IPA Sync,cn=Users,dc=win,dc=example,dc=com --bindpw JamesBond007 --cacert /root/dc1.cer --passsync JamesBond007 dc1.win.example.com -v

This is solved now. The Directory Manager password was missing from the command line (-p). The admin user's privileges via Kerberos are insufficient to set up a replica agreement, as I see.

Could you please add this to the documentation example in the docs; I think upcoming users would appreciate this.
http://obriend.fedorapeople.org/freeIPA2.0/Identity_and_Policy_Management_Guide/html-single/#sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Setting_up_Windows_Sync_on_the_IPA_Server

Thanks,
Attila

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Insufficient access during winsync agreement
On Tue, 2011-06-21 at 10:01 +0100, Attila Bogár wrote:
> On 20/06/11 16:37, Attila Bogár wrote:
> > I'm trying to set up the AD-FreeIPA sync agreement and I'm always getting this error:
> >
> > # ipa-replica-manage connect --winsync --binddn cn=IPA Sync,cn=Users,dc=win,dc=example,dc=com --bindpw JamesBond007 --cacert /root/dc1.cer --passsync JamesBond007 dc1.win.example.com -v
>
> This is solved now. The Directory Manager password was missing from the command line (-p). The admin user's privileges via Kerberos are insufficient to set up a replica agreement, as I see.
>
> Could you please add this to the documentation example in the docs; I think upcoming users would appreciate this.
> http://obriend.fedorapeople.org/freeIPA2.0/Identity_and_Policy_Management_Guide/html-single/#sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Setting_up_Windows_Sync_on_the_IPA_Server

If the command didn't give you an error, it is a bug; can you please open a ticket?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] DNS zone transfers
On Tue, 2011-06-21 at 12:12 +0200, Adam Tkac wrote:
> On 06/16/2011 09:38 PM, Loris Santamaria wrote:
> > On Thu, 16-06-2011 at 11:27 -0400, Simo Sorce wrote:
> > > On Thu, 2011-06-16 at 10:31 -0430, Loris Santamaria wrote:
> > > > Hi,
> > > >
> > > > I would like to use my freeIPA v2 server as my master name server and have other normal (non ldap based) bind servers as caching / secondary name servers. Ideally the clients would query only the secondary servers and the secondary name servers would perform regular zone transfers from the master server.
> > > >
> > > > So I'm trying to set up zone transfer in my IPA based name server. First of all I see that the attribute idnsAllowTransfer referenced in the bind-dyndb-ldap documentation is not really supported in the schema installed in IPA. Next, using a global allow-transfer in named.conf doesn't work either.
> > >
> > > A global allow-transfer should work, have you restarted named after setting it? If it doesn't work we may have a bug.
> >
> > I'm adding to the named.conf options section:
> >
> > allow-transfer { 127.0.0.1; };
> >
> > then I restart named and try a zone transfer on the same host:
> >
> > # host -l ipa.corpfbk. 127.0.0.1
> > ; Transfer failed.
> > Using domain server:
> > Name: 127.0.0.1
> > Address: 127.0.0.1#53
> > Aliases:
> >
> > Host ipa.corpfbk not found: 9(NOTAUTH)
> > ; Transfer failed.
> >
> > In the logs I get:
> >
> > Jun 16 11:10:26 ipa01 named[30044]: client 127.0.0.1#59303: bad zone transfer request: 'ipa.corpfbk/IN': non-authoritative zone (NOTAUTH)
>
> Hello Loris,
>
> the bind-dyndb-ldap plugin currently doesn't support zone transfers, but you should receive a SERVFAIL error in this case, not NOTAUTH. Are you sure the 127.0.0.1 server is authoritative for the ipa.corpfbk zone? Can you please post the output of dig @127.0.0.1 ipa.corpfbk SOA here?

Adam,
Thanks for the reply.

Loris, sorry for the confusion, I mistakenly thought we already implemented this feature. The implementation is not particularly difficult, and we plan to have support for zone transfers in one of the next 2.x releases, as soon as UI changes can be made and tested.

Follow future release announcements, we will have this feature listed when it is ready.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
[Freeipa-users] syncing custom attributes from AD
Dear List,

I'd like to sync extra attributes from AD -> FreeIPA. These are namely: employeeNumber and employeeType.

The following .ldif is always adding the value "unknown" instead of syncing the value in AD.

-- 8< --
dn: cn=ipa-winsync,cn=plugins,cn=config
changetype: modify
add: ipaWinSyncUserAttr
ipaWinSyncUserAttr: employeeType unknown
-- 8< --

I'd like to use the value "unknown" if no such employeeType is defined in AD.

What's the correct form for ipaWinSyncUserAttr?

Thanks,
Attila
Re: [Freeipa-users] DNS zone transfers
On 06/21/2011 03:51 PM, Loris Santamaria wrote:
> On Tue, 21-06-2011 at 12:12 +0200, Adam Tkac wrote:
> > On 06/16/2011 09:38 PM, Loris Santamaria wrote:
> > > On Thu, 16-06-2011 at 11:27 -0400, Simo Sorce wrote:
> > > > On Thu, 2011-06-16 at 10:31 -0430, Loris Santamaria wrote:
> > > > > Hi,
> > > > >
> > > > > I would like to use my freeIPA v2 server as my master name server and have other normal (non ldap based) bind servers as caching / secondary name servers. Ideally the clients would query only the secondary servers and the secondary name servers would perform regular zone transfers from the master server.
> > > > >
> > > > > So I'm trying to set up zone transfer in my IPA based name server. First of all I see that the attribute idnsAllowTransfer referenced in the bind-dyndb-ldap documentation is not really supported in the schema installed in IPA. Next, using a global allow-transfer in named.conf doesn't work either.
> > > >
> > > > A global allow-transfer should work, have you restarted named after setting it? If it doesn't work we may have a bug.
> > >
> > > I'm adding to the named.conf options section:
> > >
> > > allow-transfer { 127.0.0.1; };
> > >
> > > then I restart named and try a zone transfer on the same host:
> > >
> > > # host -l ipa.corpfbk. 127.0.0.1
> > > ; Transfer failed.
> > > Using domain server:
> > > Name: 127.0.0.1
> > > Address: 127.0.0.1#53
> > > Aliases:
> > >
> > > Host ipa.corpfbk not found: 9(NOTAUTH)
> > > ; Transfer failed.
> > >
> > > In the logs I get:
> > >
> > > Jun 16 11:10:26 ipa01 named[30044]: client 127.0.0.1#59303: bad zone transfer request: 'ipa.corpfbk/IN': non-authoritative zone (NOTAUTH)
> >
> > Hello Loris,
> >
> > the bind-dyndb-ldap plugin currently doesn't support zone transfers, but you should receive a SERVFAIL error in this case, not NOTAUTH. Are you sure the 127.0.0.1 server is authoritative for the ipa.corpfbk zone? Can you please post the output of dig @127.0.0.1 ipa.corpfbk SOA here?
>
> The zone's SOA seems right to me:
>
> [root@ipa01 ~]# dig @127.0.0.1 ipa.corpfbk SOA
>
> ; <<>> DiG 9.8.0-P1-RedHat-9.8.0-3.P1.fc15 <<>> @127.0.0.1 ipa.corpfbk SOA
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43430
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
>
> ;; QUESTION SECTION:
> ;ipa.corpfbk.                   IN      SOA
>
> ;; ANSWER SECTION:
> ipa.corpfbk.            86400   IN      SOA     ipa01.central.corpfbk. soporte.tiendaskioto.com. 2011020601 3600 900 1209600 3600
>
> ;; AUTHORITY SECTION:
> ipa.corpfbk.            86400   IN      NS      ipa01.central.corpfbk.
>
> ;; ADDITIONAL SECTION:
> ipa01.central.corpfbk.  86400   IN      A       192.168.3.6
>
> ;; Query time: 3 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Tue Jun 21 09:15:43 2011
> ;; MSG SIZE  rcvd: 133

That's weird if the server still returns NOTAUTH. Are you sure you perform the zone transfer from 192.168.3.6? (i.e. you execute the host utility on the machine with IP 192.168.3.6).

Regards, Adam
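The distinction Adam draws above (an authoritative server answering SOA with the AA bit set, yet refusing AXFR with NOTAUTH instead of SERVFAIL) is visible directly in the DNS header. The script below is an added example, not part of the thread or of BIND/bind-dyndb-ldap: it builds raw SOA and AXFR queries, decodes the reply header (QR, AA, RCODE), and classifies the outcome. The two reply messages are constructed by hand to mirror the exchange in the thread; only tcp_query() touches the network, and nothing calls it unless you uncomment the last line.

```python
"""Decode DNS reply headers to tell NOTAUTH from SERVFAIL on a zone-transfer
attempt. Added example; the SOA_REPLY and NOTAUTH_REPLY bytes are constructed
to match the dig/host output in the thread, not captured from a server."""
import socket
import struct

QTYPE = {"A": 1, "NS": 2, "SOA": 6, "AXFR": 252}
RCODE_NAME = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
              4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}


def encode_name(name):
    """RFC 1035 label encoding: 'ipa.corpfbk.' -> b'\\x03ipa\\x07corpfbk\\x00'."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype, qid=0x1234):
    """One-question query: 12-byte header with RD set, then QNAME, QTYPE, QCLASS=IN."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)


def parse_header(msg):
    """Decode the header: QR/AA bits and the 4-bit RCODE (9 = NOTAUTH, 2 = SERVFAIL)."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    qid, flags, _qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    return {"id": qid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "rcode": rcode, "rcode_name": RCODE_NAME.get(rcode, str(rcode)),
            "ancount": ancount}


def classify_axfr(soa_reply, axfr_reply):
    """Read an SOA reply and an AXFR reply for the same zone the way the thread does."""
    soa, axfr = parse_header(soa_reply), parse_header(axfr_reply)
    if soa["rcode"] != 0 or not soa["aa"]:
        return "server is not authoritative for the zone (SOA %s, aa=%s)" % (soa["rcode_name"], soa["aa"])
    if axfr["rcode"] == 9:
        return "authoritative SOA but AXFR NOTAUTH: transfer refused as non-authoritative zone"
    if axfr["rcode"] == 2:
        return "AXFR SERVFAIL: backend cannot serve zone transfers"
    if axfr["rcode"] == 0:
        return "AXFR answered: zone transfer allowed to this client"
    return "AXFR %s" % axfr["rcode_name"]


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("short DNS reply")
        buf += chunk
    return buf


def tcp_query(server, name, qtype, timeout=3.0):
    """Send one query over TCP (AXFR requires TCP) and return the first reply message."""
    q = build_query(name, qtype)
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(q)) + q)
        (length,) = struct.unpack("!H", _recv_exact(s, 2))
        return _recv_exact(s, length)


# Constructed replies for the zone in the thread. Flags 0x8580 = QR AA RD RA with
# RCODE 0; 0x8189 = QR RD RA with RCODE 9 (NOTAUTH). 0xc00c points back at the QNAME.
ZONE = "ipa.corpfbk."
QUESTION_SOA = encode_name(ZONE) + struct.pack("!HH", QTYPE["SOA"], 1)
QUESTION_AXFR = encode_name(ZONE) + struct.pack("!HH", QTYPE["AXFR"], 1)
SOA_RDATA = (encode_name("ipa01.central.corpfbk.") + encode_name("soporte.tiendaskioto.com.")
             + struct.pack("!IIIII", 2011020601, 3600, 900, 1209600, 3600))
SOA_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8580, 1, 1, 0, 0) + QUESTION_SOA
             + b"\xc0\x0c" + struct.pack("!HHIH", QTYPE["SOA"], 1, 86400, len(SOA_RDATA)) + SOA_RDATA)
NOTAUTH_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8189, 1, 0, 0, 0) + QUESTION_AXFR

if __name__ == "__main__":
    print(classify_axfr(SOA_REPLY, NOTAUTH_REPLY))
    # Live check against the IPA master, run from a secondary's address:
    # print(classify_axfr(tcp_query("127.0.0.1", ZONE, "SOA"), tcp_query("127.0.0.1", ZONE, "AXFR")))
```

The same probe doubles as a check that allow-transfer is actually enforced: an AXFR answered with NOERROR from an address that is not in the ACL means the whole zone is readable by anyone who asks, so run it once from inside and once from outside the allowed set.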
[Freeipa-users] ipa-winsync account disable
Dear List,

winsync is working between AD and FreeIPA. If I disable a user in FreeIPA, it automatically disables on the AD side. Though, if I disable on the AD side, nothing happens on the FreeIPA side.

Moreover, if I get a kerberos ticket for the disabled (only in AD) user from freeipa, then it automatically enables the user on the AD side.

Settings for ipa-winsync are:

# ipa-winsync, plugins, config
dn: cn=ipa-winsync,cn=plugins,cn=config
ipawinsyncacctdisable: both

Is this the expected behaviour?

Thanks,
Attila
Re: [Freeipa-users] Configuring a Fedora 15 client to connect to a FreeIPA 1.2 server
On Tue, 2011-06-21 at 11:06 -0400, Dan Scott wrote:
> Hi,
>
> I'm still running a FreeIPA 1.2 server but have started installing Fedora 15 clients and am trying to figure out how to manually set up the Krb/LDAP configuration.
>
> I've run the 'authconfig-tui' command and manually set up Krb authentication and LDAP authorisation, using DNS discovery for the servers. The authentication is working correctly, but when I run 'id $USERNAME' I don't receive the correct groups, so I believe that Kerberos is working, but the LDAP configuration is wrong. I've turned the sssd loglevel up to 100, but I can't figure out why I'm not getting the correct groups.
>
> My system has a variety of files and I'm not sure which are still in use:
>
> /etc/krb5.conf
> /etc/pam_ldap.conf
> /etc/sssd/sssd.conf
>
> On Fedora 14 and earlier, there used to be an '/etc/nss_ldap.conf' - this is not present on F15.
>
> Can anyone help me figure out how to get the group lookups working?

Probably you need to add ldap_schema=rfc2307bis into the [domain/default] section of /etc/sssd/sssd.conf. If you just set authconfig up as an LDAP server, it defaults to ldap_schema = rfc2307, which uses a different attribute on the server to contain group memberships.
Re: [Freeipa-users] Configuring a Fedora 15 client to connect to a FreeIPA 1.2 server
On Tue, 2011-06-21 at 11:31 -0400, Dan Scott wrote:
> Hi,
>
> On Tue, Jun 21, 2011 at 11:20, Stephen Gallagher sgall...@redhat.com wrote:
> > On Tue, 2011-06-21 at 11:06 -0400, Dan Scott wrote:
> > > Hi,
> > >
> > > I'm still running a FreeIPA 1.2 server but have started installing Fedora 15 clients and am trying to figure out how to manually set up the Krb/LDAP configuration.
> > >
> > > I've run the 'authconfig-tui' command and manually set up Krb authentication and LDAP authorisation, using DNS discovery for the servers. The authentication is working correctly, but when I run 'id $USERNAME' I don't receive the correct groups, so I believe that Kerberos is working, but the LDAP configuration is wrong. I've turned the sssd loglevel up to 100, but I can't figure out why I'm not getting the correct groups.
> > >
> > > My system has a variety of files and I'm not sure which are still in use:
> > >
> > > /etc/krb5.conf
> > > /etc/pam_ldap.conf
> > > /etc/sssd/sssd.conf
> > >
> > > On Fedora 14 and earlier, there used to be an '/etc/nss_ldap.conf' - this is not present on F15.
> > >
> > > Can anyone help me figure out how to get the group lookups working?
> >
> > Probably you need to add ldap_schema=rfc2307bis into the [domain/default] section of /etc/sssd/sssd.conf. If you just set authconfig up as an LDAP server, it defaults to ldap_schema = rfc2307, which uses a different attribute on the server to contain group memberships.
>
> Thanks, but I've tried both of those entries - it doesn't appear to make any difference.
>
> Dan

Could you attach your (sanitized) /etc/sssd/sssd.conf, /etc/krb5.conf, /etc/nsswitch.conf and /etc/pam.d/system-auth?
Re: [Freeipa-users] Configuring a Fedora 15 client to connect to a FreeIPA 1.2 server
On Tue, Jun 21, 2011 at 11:37, Stephen Gallagher sgall...@redhat.com wrote:
> On Tue, 2011-06-21 at 11:31 -0400, Dan Scott wrote:
> > Hi,
> >
> > On Tue, Jun 21, 2011 at 11:20, Stephen Gallagher sgall...@redhat.com wrote:
> > > On Tue, 2011-06-21 at 11:06 -0400, Dan Scott wrote:
> > > > Hi,
> > > >
> > > > I'm still running a FreeIPA 1.2 server but have started installing Fedora 15 clients and am trying to figure out how to manually set up the Krb/LDAP configuration.
> > > >
> > > > I've run the 'authconfig-tui' command and manually set up Krb authentication and LDAP authorisation, using DNS discovery for the servers. The authentication is working correctly, but when I run 'id $USERNAME' I don't receive the correct groups, so I believe that Kerberos is working, but the LDAP configuration is wrong. I've turned the sssd loglevel up to 100, but I can't figure out why I'm not getting the correct groups.
> > > >
> > > > My system has a variety of files and I'm not sure which are still in use:
> > > >
> > > > /etc/krb5.conf
> > > > /etc/pam_ldap.conf
> > > > /etc/sssd/sssd.conf
> > > >
> > > > On Fedora 14 and earlier, there used to be an '/etc/nss_ldap.conf' - this is not present on F15.
> > > >
> > > > Can anyone help me figure out how to get the group lookups working?
> > >
> > > Probably you need to add ldap_schema=rfc2307bis into the [domain/default] section of /etc/sssd/sssd.conf. If you just set authconfig up as an LDAP server, it defaults to ldap_schema = rfc2307, which uses a different attribute on the server to contain group memberships.
> >
> > Thanks, but I've tried both of those entries - it doesn't appear to make any difference.
> >
> > Dan
>
> Could you attach your (sanitized) /etc/sssd/sssd.conf, /etc/krb5.conf, /etc/nsswitch.conf and /etc/pam.d/system-auth?

Attached, thanks. The only changes are domain names and 'dc=*' entries.

One thing that I just noticed: the system-auth file has pam_krb5.so entries; previously, these were pam_sss.so - I've tried using both, but neither appears to work.

Thanks,

Dan

[attachments: nsswitch.conf, system-auth, krb5.conf, sssd.conf]
Re: [Freeipa-users] syncing custom attributes from AD
On 06/21/2011 07:24 AM, Attila Bogár wrote:
> Dear List,
>
> I'd like to sync extra attributes from AD -> FreeIPA. These are namely: employeeNumber and employeeType.
>
> The following .ldif is always adding the value "unknown" instead of syncing the value in AD.
>
> -- 8< --
> dn: cn=ipa-winsync,cn=plugins,cn=config
> changetype: modify
> add: ipaWinSyncUserAttr
> ipaWinSyncUserAttr: employeeType unknown
> -- 8< --
>
> I'd like to use the value "unknown" if no such employeeType is defined in AD.
>
> What's the correct form for ipaWinSyncUserAttr?

You have it correct. Looking at the code, it is supposed to work as you expect. Looks like it may be a bug. Can you enable REPL and PLUGIN error logging level and reproduce the problem? I would like to see the errors log. See http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting for more information.

> Thanks,
> Attila
Re: [Freeipa-users] ipa-winsync account disable
On 06/21/2011 09:17 AM, Attila Bogár wrote:
> Dear List,
>
> winsync is working between AD and FreeIPA. If I disable a user in FreeIPA, it automatically disables on the AD side. Though, if I disable on the AD side, nothing happens on the FreeIPA side.

Sounds like a bug.

> Moreover, if I get a kerberos ticket for the disabled (only in AD) user from freeipa, then it automatically enables the user on the AD side.

Getting a kerberos ticket may involve internal modify operations in freeipa - these ops will trigger the code that checks account disable sync. Since the user is enabled in freeipa, it will attempt to sync this state to AD. This is as expected, but since it appears disable sync is not working from AD to ipa, it re-enables the user in AD.

> Settings for ipa-winsync are:
>
> # ipa-winsync, plugins, config
> dn: cn=ipa-winsync,cn=plugins,cn=config
> ipawinsyncacctdisable: both
>
> Is this the expected behaviour?

What version of Windows? 32-bit or 64-bit? Can you run with the REPL and PLUGIN log levels on? That may reveal some useful clue. http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting

> Thanks,
> Attila
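Until the AD-to-IPA direction of disable sync works, the failure mode Attila describes (a user disabled in AD who is still enabled, and therefore still able to get a Kerberos ticket, in IPA) is only caught by comparing the two directories. The script below is an added example, not code from the thread or from FreeIPA: it reads two LDIF exports and reports users whose disabled state differs. It assumes AD encodes the disabled flag as userAccountControl bit 0x2 (ACCOUNTDISABLE), that IPA/389-ds marks a locked user with nsAccountLock: TRUE, and that users are matched on sAMAccountName (AD) against uid (IPA). Both LDIF texts are constructed samples.

```python
"""Report winsync disable-state drift between an AD export and an IPA export.
Added example; the AD_LDIF and IPA_LDIF below are constructed samples, not
real directory dumps. Assumed mappings: AD userAccountControl & 0x2 means
disabled, IPA nsAccountLock: TRUE means locked."""
import base64

ACCOUNTDISABLE = 0x2  # assumption: AD userAccountControl bit for a disabled account

# Constructed AD export: 512 = NORMAL_ACCOUNT, 514 = NORMAL_ACCOUNT|ACCOUNTDISABLE,
# 66048 = NORMAL_ACCOUNT|DONT_EXPIRE_PASSWORD (enabled).
AD_LDIF = """\
dn: CN=Alice,CN=Users,DC=win,DC=example,DC=com
sAMAccountName: alice
userAccountControl: 512

dn: CN=Bob,CN=Users,DC=win,DC=example,DC=com
sAMAccountName: bob
userAccountControl: 514

dn: CN=Carol,CN=Users,DC=win,DC=example,DC=com
sAMAccountName: carol
userAccountControl: 66048
"""

# Constructed IPA export: bob is still enabled here (the drift from the thread),
# carol is locked in IPA only. One value is base64-encoded to exercise the parser.
IPA_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
uid: alice

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=com
uid: bob
nsAccountLock: FALSE

dn: uid=carol,cn=users,cn=accounts,dc=example,dc=com
uid: carol
nsAccountLock:: VFJVRQ==
"""


def parse_ldif(text):
    """Minimal LDIF reader: one {attr-lowercase: [values]} dict per entry.
    Handles folded continuation lines and '::' base64 values; ignores comments."""
    entries, lines = [], []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw == "":
            if lines:
                entries.append(_entry(lines))
            lines = []
        else:
            lines.append(raw)
    return entries


def _entry(lines):
    entry = {}
    for line in lines:
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        entry.setdefault(attr.lower(), []).append(value)
    return entry


def ad_disabled(entry):
    return bool(int(entry.get("useraccountcontrol", ["0"])[0]) & ACCOUNTDISABLE)


def ipa_disabled(entry):
    return entry.get("nsaccountlock", ["FALSE"])[0].upper() == "TRUE"


def disable_drift(ad_ldif, ipa_ldif):
    """Return {user: (disabled_in_ad, disabled_in_ipa)} for users present on both
    sides whose disabled state differs."""
    ad = {e["samaccountname"][0].lower(): ad_disabled(e)
          for e in parse_ldif(ad_ldif) if "samaccountname" in e}
    ipa = {e["uid"][0].lower(): ipa_disabled(e)
           for e in parse_ldif(ipa_ldif) if "uid" in e}
    return {u: (ad[u], ipa[u]) for u in sorted(ad.keys() & ipa.keys()) if ad[u] != ipa[u]}


if __name__ == "__main__":
    for user, (in_ad, in_ipa) in disable_drift(AD_LDIF, IPA_LDIF).items():
        print(f"{user}: disabled in AD={in_ad}, disabled in IPA={in_ipa}")
```

A user reported as disabled in AD but not in IPA is exactly the case where obtaining a ticket from IPA will re-enable the account in AD, so that list is the one to lock manually (or alert on) while the bug stands.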
Re: [Freeipa-users] Configuring a Fedora 15 client to connect to a FreeIPA 1.2 server
On Tue, 2011-06-21 at 11:58 -0400, Dan Scott wrote:
> On Tue, Jun 21, 2011 at 11:37, Stephen Gallagher sgall...@redhat.com wrote:
> > On Tue, 2011-06-21 at 11:31 -0400, Dan Scott wrote:
> > > Hi,
> > >
> > > On Tue, Jun 21, 2011 at 11:20, Stephen Gallagher sgall...@redhat.com wrote:
> > > > On Tue, 2011-06-21 at 11:06 -0400, Dan Scott wrote:
> > > > > Hi,
> > > > >
> > > > > I'm still running a FreeIPA 1.2 server but have started installing Fedora 15 clients and am trying to figure out how to manually set up the Krb/LDAP configuration.
> > > > >
> > > > > I've run the 'authconfig-tui' command and manually set up Krb authentication and LDAP authorisation, using DNS discovery for the servers. The authentication is working correctly, but when I run 'id $USERNAME' I don't receive the correct groups, so I believe that Kerberos is working, but the LDAP configuration is wrong. I've turned the sssd loglevel up to 100, but I can't figure out why I'm not getting the correct groups.
> > > > >
> > > > > My system has a variety of files and I'm not sure which are still in use:
> > > > >
> > > > > /etc/krb5.conf
> > > > > /etc/pam_ldap.conf
> > > > > /etc/sssd/sssd.conf
> > > > >
> > > > > On Fedora 14 and earlier, there used to be an '/etc/nss_ldap.conf' - this is not present on F15.
> > > > >
> > > > > Can anyone help me figure out how to get the group lookups working?
> > > >
> > > > Probably you need to add ldap_schema=rfc2307bis into the [domain/default] section of /etc/sssd/sssd.conf. If you just set authconfig up as an LDAP server, it defaults to ldap_schema = rfc2307, which uses a different attribute on the server to contain group memberships.
> > >
> > > Thanks, but I've tried both of those entries - it doesn't appear to make any difference.
> > >
> > > Dan
> >
> > Could you attach your (sanitized) /etc/sssd/sssd.conf, /etc/krb5.conf, /etc/nsswitch.conf and /etc/pam.d/system-auth?
>
> Attached, thanks. The only changes are domain names and 'dc=*' entries.
>
> One thing that I just noticed: the system-auth file has pam_krb5.so entries; previously, these were pam_sss.so - I've tried using both, but neither appears to work.
>
> Thanks,
>
> Dan

Your /etc/nsswitch.conf is wrong.

I just noticed that you were using authconfig-tui, which is deprecated upstream and does not properly set up SSSD. Only 'authconfig' (command-line) or 'authconfig-gtk' (GUI) works properly. Feel free to file a bug against authconfig.

/etc/nsswitch.conf needs to specify 'sss' instead of 'ldap' to use SSSD. Similarly system-auth needs to use pam_sss.so, not pam_krb5.so.

If you run 'authconfig --enablesssd --enablesssdauth --update' you should be fine. This will update the config files with the correct SSSD-related settings.
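The three mistakes Stephen lists (nss_ldap instead of sss in nsswitch.conf, pam_krb5.so instead of pam_sss.so in system-auth, and the rfc2307 default schema in sssd.conf) are all visible in plain text files, so a client can be checked before anyone notices missing groups. The checker below is an added example, not code from the thread or from the SSSD or authconfig projects. The embedded config texts are constructed samples modelled on what authconfig-tui and 'authconfig --enablesssd --enablesssdauth --update' produce; on a real client the inputs are /etc/nsswitch.conf, /etc/pam.d/system-auth and /etc/sssd/sssd.conf.

```python
"""Check a Fedora/RHEL client's NSS, PAM and SSSD configuration for the
SSSD-related mistakes discussed in the thread. Added example; the BROKEN_*
and FIXED_* texts are constructed samples, not files from the thread."""
import configparser
import re

# Constructed: what the authconfig-tui setup looked like (nss_ldap + pam_krb5).
BROKEN_NSSWITCH = """\
passwd:     files ldap
shadow:     files ldap
group:      files ldap
"""
BROKEN_SYSTEM_AUTH = """\
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so broken_shadow
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
"""
BROKEN_SSSD_CONF = """\
[sssd]
services = nss, pam
domains = default

[domain/default]
id_provider = ldap
auth_provider = krb5
"""

# Constructed: after 'authconfig --enablesssd --enablesssdauth --update' plus
# ldap_schema = rfc2307bis added to the domain section.
FIXED_NSSWITCH = BROKEN_NSSWITCH.replace("ldap", "sss")
FIXED_SYSTEM_AUTH = BROKEN_SYSTEM_AUTH.replace("pam_krb5.so", "pam_sss.so")
FIXED_SSSD_CONF = BROKEN_SSSD_CONF + "ldap_schema = rfc2307bis\n"


def nss_sources(nsswitch_text):
    """Map each NSS database (passwd, group, ...) to its ordered list of sources."""
    sources = {}
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            db, rest = line.split(":", 1)
            sources[db.strip()] = rest.split()
    return sources


def pam_modules(pam_text, stack):
    """Module names used in one PAM management group (auth, account, ...), in order.
    The control field may be a bracketed expression, so the module is found by regex."""
    mods = []
    for line in pam_text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == stack:
            m = re.search(r"(pam_\w+\.so)", line)
            if m:
                mods.append(m.group(1))
    return mods


def check_sssd_client(nsswitch_text, system_auth_text, sssd_conf_text):
    """Return a list of findings; an empty list means the client is wired to SSSD."""
    findings = []
    nss = nss_sources(nsswitch_text)
    for db in ("passwd", "group"):
        srcs = nss.get(db, [])
        if "sss" not in srcs:
            findings.append(f"nsswitch.conf: '{db}' does not use sss (has {srcs})")
        if "ldap" in srcs:
            findings.append(f"nsswitch.conf: '{db}' still uses nss_ldap; lookups bypass SSSD")
    for stack in ("auth", "account"):
        mods = pam_modules(system_auth_text, stack)
        if "pam_sss.so" not in mods:
            findings.append(f"system-auth: {stack} stack lacks pam_sss.so")
        for legacy in ("pam_krb5.so", "pam_ldap.so"):
            if legacy in mods:
                findings.append(f"system-auth: {stack} stack uses {legacy} instead of pam_sss.so")
    cp = configparser.ConfigParser()
    cp.read_string(sssd_conf_text)
    for section in cp.sections():
        if section.startswith("domain/") and cp.get(section, "id_provider", fallback="") == "ldap":
            schema = cp.get(section, "ldap_schema", fallback="rfc2307")  # SSSD default
            if schema != "rfc2307bis":
                findings.append(f"sssd.conf [{section}]: ldap_schema is {schema}; IPA groups need rfc2307bis")
    return findings


def check_sssd_client_files(nsswitch="/etc/nsswitch.conf", system_auth="/etc/pam.d/system-auth",
                            sssd_conf="/etc/sssd/sssd.conf"):
    with open(nsswitch) as a, open(system_auth) as b, open(sssd_conf) as c:
        return check_sssd_client(a.read(), b.read(), c.read())


if __name__ == "__main__":
    print("broken:", check_sssd_client(BROKEN_NSSWITCH, BROKEN_SYSTEM_AUTH, BROKEN_SSSD_CONF))
    print("fixed:", check_sssd_client(FIXED_NSSWITCH, FIXED_SYSTEM_AUTH, FIXED_SSSD_CONF) or "OK")
```

Run check_sssd_client_files() as root on the client; anything it reports is a reason to rerun authconfig rather than to keep raising the SSSD debug level.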
Re: [Freeipa-users] Configuring a Fedora 15 client to connect to a FreeIPA 1.2 server
On Tue, Jun 21, 2011 at 14:19, Stephen Gallagher sgall...@redhat.com wrote:
> On Tue, 2011-06-21 at 11:58 -0400, Dan Scott wrote:
> > On Tue, Jun 21, 2011 at 11:37, Stephen Gallagher sgall...@redhat.com wrote:
> > > On Tue, 2011-06-21 at 11:31 -0400, Dan Scott wrote:
> > > > Hi,
> > > >
> > > > On Tue, Jun 21, 2011 at 11:20, Stephen Gallagher sgall...@redhat.com wrote:
> > > > > On Tue, 2011-06-21 at 11:06 -0400, Dan Scott wrote:
> > > > > > Hi,
> > > > > >
> > > > > > I'm still running a FreeIPA 1.2 server but have started installing Fedora 15 clients and am trying to figure out how to manually set up the Krb/LDAP configuration.
> > > > > >
> > > > > > I've run the 'authconfig-tui' command and manually set up Krb authentication and LDAP authorisation, using DNS discovery for the servers. The authentication is working correctly, but when I run 'id $USERNAME' I don't receive the correct groups, so I believe that Kerberos is working, but the LDAP configuration is wrong. I've turned the sssd loglevel up to 100, but I can't figure out why I'm not getting the correct groups.
> > > > > >
> > > > > > My system has a variety of files and I'm not sure which are still in use:
> > > > > >
> > > > > > /etc/krb5.conf
> > > > > > /etc/pam_ldap.conf
> > > > > > /etc/sssd/sssd.conf
> > > > > >
> > > > > > On Fedora 14 and earlier, there used to be an '/etc/nss_ldap.conf' - this is not present on F15.
> > > > > >
> > > > > > Can anyone help me figure out how to get the group lookups working?
> > > > >
> > > > > Probably you need to add ldap_schema=rfc2307bis into the [domain/default] section of /etc/sssd/sssd.conf. If you just set authconfig up as an LDAP server, it defaults to ldap_schema = rfc2307, which uses a different attribute on the server to contain group memberships.
> > > >
> > > > Thanks, but I've tried both of those entries - it doesn't appear to make any difference.
> > > >
> > > > Dan
> > >
> > > Could you attach your (sanitized) /etc/sssd/sssd.conf, /etc/krb5.conf, /etc/nsswitch.conf and /etc/pam.d/system-auth?
> >
> > Attached, thanks. The only changes are domain names and 'dc=*' entries.
> >
> > One thing that I just noticed: the system-auth file has pam_krb5.so entries; previously, these were pam_sss.so - I've tried using both, but neither appears to work.
> >
> > Thanks,
> >
> > Dan
>
> Your /etc/nsswitch.conf is wrong.
>
> I just noticed that you were using authconfig-tui, which is deprecated upstream and does not properly set up SSSD. Only 'authconfig' (command-line) or 'authconfig-gtk' (GUI) works properly. Feel free to file a bug against authconfig.
>
> /etc/nsswitch.conf needs to specify 'sss' instead of 'ldap' to use SSSD. Similarly system-auth needs to use pam_sss.so, not pam_krb5.so.
>
> If you run 'authconfig --enablesssd --enablesssdauth --update' you should be fine. This will update the config files with the correct SSSD-related settings.

Excellent! Thanks - that makes much more sense. I've been using authconfig-tui all this time and had no idea that it was doing things incorrectly.

One small issue that I found: if I switch on the "Use DNS to resolve hosts to realms" option, then the krb5_realm (in sssd.conf) and default_realm (in krb5.conf) are removed and my authentication fails. I'm pretty sure that I have DNS correctly configured (_kerberos IN TXT EXAMPLE.COM). Does the sssd client look for different DNS records for realm discovery?

Thanks for your help,

Dan
Re: [Freeipa-users] Configuring a Fedora 15 client to connect to a FreeIPA 1.2 server
On Tue, 2011-06-21 at 14:41 -0400, Dan Scott wrote:
> Excellent! Thanks - that makes much more sense. I've been using authconfig-tui all this time and had no idea that it was doing things incorrectly.
>
> One small issue that I found: if I switch on the "Use DNS to resolve hosts to realms" option, then the krb5_realm (in sssd.conf) and default_realm (in krb5.conf) are removed and my authentication fails. I'm pretty sure that I have DNS correctly configured (_kerberos IN TXT EXAMPLE.COM). Does the sssd client look for different DNS records for realm discovery?

Actually, we don't currently support *realm* discovery. We only support KDC discovery (using ._kerberos._tcp IN SRV EXAMPLE.COM).

Feel free to open an RFE at https://fedorahosted.org/sssd (Fedora Account required to open tickets) for support of detecting the realm by TXT record.