Re: [Freeipa-users] v1 to v2 migration problem: unknown object class "radiusprofile" and attribute "memberofindirect" not allowed
Dan Scott wrote:
> Hi,
>
> On Tue, May 31, 2011 at 13:41, Rob Crittenden wrote:
>> Dmitri Pal wrote:
>>> On 05/31/2011 10:45 AM, tomasz.napier...@allegro.pl wrote:
>>>> Hi,
>>>>
>>>> I'm trying to migrate data from our current FreeIPA install (v1) and I'm having problems with a nonexistent objectClass in v2, which seems to be present by default in v1:
>>>>
>>>> ipa migrate-ds --user-container=cn=users,cn=accounts --group-container=cn=groups,cn=accounts ldap://ipaserverv1:389
>>>>
>>>> Failed user:
>>>> username: unknown object class "radiusprofile"
>>>>
>>>> Also groups that are members of other groups are having problems too:
>>>> groupname: attribute "memberofindirect" not allowed
>>>>
>>>> Is there any way to avoid these errors during migration?
>>>
>>> I do not think we tried this migration. Do you have any radius data populated in the v1? It seems that this is in some way getting in the way. The second issue is more worrying. We will see what can be done. Please file two tickets and we will try to look at them.
>>
>> The second problem is fixed upstream.
>>
>> The objectclass problem is a bit trickier. We don't currently offer a mechanism for adding/dropping objectclasses on-the-fly. The best fix would be to remove the OC from all users in the v1 server then do the migration. This is assuming you aren't using radius in v1.
>>
>> An alternative fix would be to drop the file 60radius.ldif into the v2 schema directory and restart dirsrv: on your v1 server it is in /etc/dirsrv/slapd-INSTANCE/schema. Copy this to the equivalent location on the v2 server.
>
> Sorry to jump on this so late. Do you know if the fix for "groupname: attribute "memberofindirect" not allowed" has been released yet? I'm running Fedora 15 with the latest updates from updates-testing and trying to migrate from FreeIPA 1.2.
>
> I've fixed the Radius issue by adding the 60radius.ldif file to the FreeIPA 2.0 schema as suggested. Now, I'm getting "groupname: attribute "memberofindirect" not allowed" for all of my members. The groups all appear to migrate successfully.
>
> Thanks,
> Dan

Not released yet.

I had wanted to release another 2.0.x dot release and update the tarball in Fedora. We're close to releasing 2.1 so I wonder if we'd be better off waiting for that (few more weeks).

rob

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
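Rob's first suggested fix is to strip the radiusprofile objectClass from the v1 user entries before running ipa migrate-ds. The script below is an added example (not FreeIPA project code, and not something posted in this thread) that turns an LDIF export of the v1 users into a modify-LDIF doing exactly that. The sample export, the DNs and the ldapsearch/ldapmodify invocations in the comments are constructed; any attributes that only radiusprofile permits must be named in extra_attrs, with their names taken from the v1 60radius.ldif, or the directory server will reject the modify with an objectClass violation.

```python
"""Generate modify-LDIF that drops the "radiusprofile" objectClass from every
v1 user entry that carries it (the pre-migration cleanup suggested above).
Added example, not FreeIPA project code; the sample entries are constructed."""
import base64

OC_TO_DROP = "radiusprofile"   # objectClass from the v1-only 60radius.ldif schema


def parse_ldif(text):
    """Return a list of (dn, {attr_lower: [values]}) parsed from LDIF text.

    Handles folded continuation lines (leading space), base64 values ("::")
    and comment lines; attribute names are lower-cased so lookups are
    case-insensitive, as LDAP attribute names are."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold a continuation line
        else:
            lines.append(raw)
    entries, dn, attrs = [], None, {}
    for line in lines + [""]:             # trailing "" flushes the last entry
        if line == "":
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        if line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        if value.startswith(":"):         # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if key.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(key.lower(), []).append(value)
    return entries


def strip_objectclass_ldif(text, oc=OC_TO_DROP, extra_attrs=()):
    """Return modify-LDIF removing `oc` (and any `extra_attrs` the entry has)
    from each entry that carries `oc`; entries without it are left alone."""
    out = []
    for dn, attrs in parse_ldif(text):
        if oc.lower() not in (v.lower() for v in attrs.get("objectclass", [])):
            continue
        out += [f"dn: {dn}", "changetype: modify",
                "delete: objectClass", f"objectClass: {oc}", "-"]
        for name in extra_attrs:        # attributes only the dropped OC allows
            if name.lower() in attrs:
                out += [f"delete: {name}", "-"]
        out.append("")
    return "\n".join(out)


# Constructed sample export, as produced by e.g.
#   ldapsearch -x -b cn=users,cn=accounts,dc=example,dc=com "(objectClass=radiusprofile)"
SAMPLE_EXPORT = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: radiusprofile
uid: alice
cn: Alice Example

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: posixAccount
uid: bob
cn:: Qm9iIEV4YW1wbGU=
"""

if __name__ == "__main__":
    # Apply the output on the v1 server before running `ipa migrate-ds`, e.g.
    #   ldapmodify -x -D "cn=Directory Manager" -W -f drop-radiusprofile.ldif
    print(strip_objectclass_ldif(SAMPLE_EXPORT))
```

Only alice gets a modify record; bob never had the objectClass and is skipped. Run the generated LDIF against a test replica first, since a single objectClass violation makes ldapmodify stop at that entry.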
Re: [Freeipa-users] Automounter maps
On 06/30/2011 12:04 PM, Ondrej Valousek wrote:
> Hmm,
> To me, these instructions are very vague - for example it completely
> omits LDAP security configuration for the automounter (stored in
> /etc/autofs_ldap_auth.conf). How does the automounter bind to the ldap
> server? Anonymously?
> I would not recommend it.
>
> I would recommend to configure automounter to use the host/ principal
> in the local Kerberos system database and bind using SASL/GSSAPI
> instead. It is a more secure and elegant solution.
>

Sure but the point is to give you an example of how to do it with IPA, i.e. to demonstrate the IPA-specific context, which is the "location". We do not control the autofs on the client side, so the configuration of it is out of scope of the IPA documentation. A good description of how to set up autofs with GSSAPI or using other security mechanisms is always welcome, but it has no specifics to IPA (unless I am missing something). It is nothing different from any other Kerberos-enabled LDAP server, so any generic guidelines documented in autofs (I assume they exist) should apply.

Thanks
Dmitri

> Ondrej
>
> On 30.06.2011 17:26, Adam Young wrote:
>> Good point.
>>
>> Take a look at the test day instructions, I found them very useful
>> for setting up both SUDO and automount.
>>
>> https://fedoraproject.org/wiki/QA:Testcase_freeipav2_automount
>>
>> On 06/30/2011 11:08 AM, Ondrej Valousek wrote:
>>> On 30.06.2011 16:55, Rob Crittenden wrote:
>>>> Look at the output of this for details: ipa help automount
>>>
>>> I see, thanks!
>>> It would be nice to update man pages like:
>>> http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/configuring-automount.html
>>> to say something like:
>>> LDAP_URI="ldap:///dc=example,dc=com";
>>> SEARCH_BASE="cn=,cn=automount,dc=example,dc=com"
>>> So people know more about the automounter's ability to locate the ldap server via
>>> DNS SRV
>>>
>>> Thanks!
>>> Ondrej

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-users] Automounter maps
Hmm,
To me, these instructions are very vague - for example it completely omits LDAP security configuration for the automounter (stored in /etc/autofs_ldap_auth.conf). How does the automounter bind to the ldap server? Anonymously?
I would not recommend it.

I would recommend to configure automounter to use the host/ principal in the local Kerberos system database and bind using SASL/GSSAPI instead. It is a more secure and elegant solution.

Ondrej

On 30.06.2011 17:26, Adam Young wrote:
> Good point.
>
> Take a look at the test day instructions, I found them very useful for setting up both SUDO and automount.
>
> https://fedoraproject.org/wiki/QA:Testcase_freeipav2_automount
>
> On 06/30/2011 11:08 AM, Ondrej Valousek wrote:
>> On 30.06.2011 16:55, Rob Crittenden wrote:
>>> Look at the output of this for details: ipa help automount
>>
>> I see, thanks!
>> It would be nice to update man pages like:
>> http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/configuring-automount.html
>> to say something like:
>> LDAP_URI="ldap:///dc=example,dc=com";
>> SEARCH_BASE="cn=,cn=automount,dc=example,dc=com"
>> So people know more about the automounter's ability to locate the ldap server via DNS SRV
>>
>> Thanks!
>> Ondrej
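Ondrej's concern above is how autofs binds to the IPA LDAP server. The following is an added example, not autofs or FreeIPA project code and not from anyone in this thread: a small audit of /etc/autofs_ldap_auth.conf that reports an anonymous or password-based bind and shows, beside it, the SASL/GSSAPI form using the client's host/ principal. The two sample files, the client name client.example.com and the realm EXAMPLE.COM are constructed placeholders; the attribute names (usetls, tlsrequired, authrequired, authtype, clientprinc, user, secret) are the ones autofs_ldap_auth.conf(5) documents.

```python
"""Audit /etc/autofs_ldap_auth.conf for a weak LDAP bind (anonymous, or a
user/secret instead of SASL/GSSAPI with the host/ principal).
Added example, not autofs or FreeIPA code; both sample files are constructed."""
import xml.etree.ElementTree as ET

# Constructed: leaves autofs on an anonymous, cleartext bind.
WEAK_CONF = '<autofs_ldap_sasl_conf usetls="no" authrequired="no" />'

# Constructed: GSSAPI using the host principal from the client's /etc/krb5.keytab.
# client.example.com / EXAMPLE.COM are placeholders for the real client and realm.
HARDENED_CONF = (
    '<autofs_ldap_sasl_conf usetls="yes" tlsrequired="yes" authrequired="yes" '
    'authtype="GSSAPI" clientprinc="host/client.example.com@EXAMPLE.COM" />'
)


def audit_autofs_ldap_auth(xml_text):
    """Return a list of findings; an empty list means nothing to report."""
    root = ET.fromstring(xml_text)
    findings = []
    if root.tag != "autofs_ldap_sasl_conf":
        findings.append(f"unexpected root element <{root.tag}>")
        return findings
    attr = {k.lower(): v for k, v in root.attrib.items()}

    def get(key):
        return attr.get(key, "").strip().lower()

    if get("authrequired") != "yes":
        findings.append("authrequired is %r, not 'yes': autofs may bind anonymously"
                        % attr.get("authrequired", ""))
    if get("authtype") != "gssapi":
        findings.append("authtype is %r, not 'GSSAPI': no Kerberos bind"
                        % attr.get("authtype", ""))
    elif not get("clientprinc").startswith("host/"):
        findings.append("clientprinc should be the client's host/ principal")
    if "secret" in attr or "user" in attr:
        findings.append("a password-based user/secret is stored in the file")
    if get("usetls") != "yes":
        findings.append("usetls is not 'yes': only a negotiated GSSAPI security "
                        "layer (none for an anonymous bind) protects the traffic")
    elif get("tlsrequired") != "yes":
        findings.append("tlsrequired is not 'yes': autofs may fall back to cleartext")
    return findings


def audit_file(path="/etc/autofs_ldap_auth.conf"):
    """Audit the file on disk (it should be readable by root only)."""
    with open(path, encoding="utf-8") as fh:
        return audit_autofs_ldap_auth(fh.read())


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label + ":", audit_autofs_ldap_auth(conf) or ["ok"])
```

The hardened form needs the client to be enrolled (so host/client.example.com exists in /etc/krb5.keytab); automount then binds with the machine identity rather than with nothing or with a shared password sitting in a config file. The audit does not check file permissions, so keep the file root-readable only regardless of its contents.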
Re: [Freeipa-users] Automounter maps
On 06/30/2011 11:08 AM, Ondrej Valousek wrote:
> On 30.06.2011 16:55, Rob Crittenden wrote:
>> Look at the output of this for details: ipa help automount
>
> I see, thanks!
> It would be nice to update man pages like:
> http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/configuring-automount.html
> to say something like:
> LDAP_URI="ldap:///dc=example,dc=com";
> SEARCH_BASE="cn=,cn=automount,dc=example,dc=com"
> So people know more about the automounter's ability to locate the ldap server via
> DNS SRV
>

Can you please rephrase? Do you mean that instead of documenting what we already have, or in addition to it, we should also document how to configure automount with DNS? Does DNS allow specifying the search base? Can you please point to any doc/man page that describes how to configure DNS for automount? We might add it as a reference into the doc. Is this what you are looking for?

> Thanks!
> Ondrej

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
Re: [Freeipa-users] Automounter maps
Good point.

Take a look at the test day instructions, I found them very useful for setting up both SUDO and automount.

https://fedoraproject.org/wiki/QA:Testcase_freeipav2_automount

On 06/30/2011 11:08 AM, Ondrej Valousek wrote:
> On 30.06.2011 16:55, Rob Crittenden wrote:
>> Look at the output of this for details: ipa help automount
>
> I see, thanks!
> It would be nice to update man pages like:
> http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/configuring-automount.html
> to say something like:
> LDAP_URI="ldap:///dc=example,dc=com";
> SEARCH_BASE="cn=,cn=automount,dc=example,dc=com"
> So people know more about the automounter's ability to locate the ldap server via DNS SRV
>
> Thanks!
> Ondrej
Re: [Freeipa-users] Automounter maps
On 30.06.2011 16:55, Rob Crittenden wrote:
> Look at the output of this for details: ipa help automount

I see, thanks!
It would be nice to update man pages like:
http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/configuring-automount.html
to say something like:
LDAP_URI="ldap:///dc=example,dc=com";
SEARCH_BASE="cn=,cn=automount,dc=example,dc=com"
So people know more about the automounter's ability to locate the ldap server via DNS SRV

Thanks!
Ondrej
Re: [Freeipa-users] Automounter maps
Ondrej Valousek wrote:
> Hi List,
> I am just wondering what's the situation regarding storing automounter maps in IPA? I see support for it on the roadmap but I am wondering how it is going to be done, because:
> 1. sssd can not do it, and I think it is going to take a long time before it will (due to the libc NSS limitations)
> 2. automounter has its own ldap support
>
> Ian has recently added DNS SRV support for the automounter and I have verified that I can store maps in Active Directory (accessing via ldap/gssapi) so I am thinking the same should be possible right now even with IPA, just a small DS schema extension would be needed.
>
> Does anyone know?
> Thanks,

IPA v2 supports managing and storing automount maps in its LDAP server. Look at the output of this for details: ipa help automount

rob
[Freeipa-users] Automounter maps
Hi List,
I am just wondering what's the situation regarding storing automounter maps in IPA? I see support for it on the roadmap but I am wondering how it is going to be done, because:
1. sssd can not do it, and I think it is going to take a long time before it will (due to the libc NSS limitations)
2. automounter has its own ldap support

Ian has recently added DNS SRV support for the automounter and I have verified that I can store maps in Active Directory (accessing via ldap/gssapi) so I am thinking the same should be possible right now even with IPA, just a small DS schema extension would be needed.

Does anyone know?
Thanks,
Ondrej
Re: [Freeipa-users] ipa-client-install failed to join the IPA realm if DNS setting is incorrect
On 30.06.2011 16:22, Simo Sorce wrote:
> We are actively working on trying to never depend on reverse lookups.
> Unfortunately there are still some bugs and limitations in various
> libraries but we are working on fixing them.

Ok, thanks for explanation. I have also seen similar errors when talking to AD based KDC - I take it I have experienced the similar dependency - probably in MIT libraries, right?
But it would be just perfect if this dependency is gone, that's true.

Ondrej
Re: [Freeipa-users] ipa-client-install failed to join the IPA realm if DNS setting is incorrect
On Thu, 2011-06-30 at 15:52 +0200, Ondrej Valousek wrote:
>> The KDC is just trying to look up a service that was requested, it
>> was the client that requested this host. Note that the host name
>> used is the detected IPA server. This can often be wrong if there is
>> another server in your network with SRV records (such as AD).
>
> Apparently not the KDC. I had to fix the resolv.conf on the client in
> order to resolve the problem. Problem was in reverse records - company
> DNS server returned polaris.prague.s3group.com (this rendered the
> error on KDC) for the IP of the IPA server whereas the correct one
> should be polaris.example.com (as per the DNS server running on the
> IPA server). When the client's resolv.conf pointed to the company DNS,
> it did not work. I had to fix resolv.conf manually to make it work.
>
>> The resolver is a bit of a chicken and egg problem. Hard to look
>> anything up if you don't have one configured.
>>
>> The installer should prompt that the detected settings are ok. Were
>> they ok and we still went to the wrong place?
>
> Ok let me explain it more. The machine I was running the
> ipa-client-install was using company DNS server. On that DNS server I
> made a forward rule for 'example.com' domain. Therefore, once I ran
>
> # ipa-client-install --domain=example.com
>
> .. the tool was able to detect everything correctly, BUT the wrong DNS
> server (which was left behind in /etc/resolv.conf) returned wrong
> names from its reverse zone.
>
> I believe it should be fairly easy for the installer to do a few sanity
> checks to see whether the reverse DNS lookup works well...

We are actively working on trying to never depend on reverse lookups.
Unfortunately there are still some bugs and limitations in various
libraries but we are working on fixing them.

That said if you want to use your main DNS for client, you can simply
fix issues by adding reverse records into it at least for IPA servers.
Or give the IPA machine a subnet and forward requests for that subnet
too.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] ipa-client-install failed to join the IPA realm if DNS setting is incorrect
> The KDC is just trying to look up a service that was requested, it was the client that requested this host. Note that the host name used is the detected IPA server. This can often be wrong if there is another server in your network with SRV records (such as AD).

Apparently not the KDC. I had to fix the resolv.conf on the *client* in order to resolve the problem. Problem was in reverse records - company DNS server returned polaris.prague.s3group.com (this rendered the error on KDC) for the IP of the IPA server whereas the correct one should be polaris.example.com (as per the DNS server running on the IPA server). When the client's resolv.conf pointed to the company DNS, it did not work. I had to fix resolv.conf manually to make it work.

> The resolver is a bit of a chicken and egg problem. Hard to look anything up if you don't have one configured.
>
> The installer should prompt that the detected settings are ok. Were they ok and we still went to the wrong place?

Ok let me explain it more. The machine I was running the ipa-client-install was using company DNS server. On that DNS server I made a forward rule for 'example.com' domain. Therefore, once I ran

# ipa-client-install --domain=example.com

.. the tool was able to detect everything correctly, BUT the wrong DNS server (which was left behind in /etc/resolv.conf) returned wrong names from its reverse zone.

I believe it should be fairly easy for the installer to do a few sanity checks to see whether the reverse DNS lookup works well...

Ondrej
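The sanity check Ondrej asks for above, as an added example (not part of ipa-client-install or anything posted in this thread): it resolves the detected IPA server, looks up the PTR record for that address through the client's current resolver, and reports when the reverse name differs from the forward name, lies outside the IPA domain, or does not resolve back. The resolver functions are parameters so the check can be exercised offline; the fake A/PTR tables, the resolv.conf text and the address 192.0.2.10 are constructed stand-ins for the thread's polaris.example.com versus polaris.prague.s3group.com case.

```python
"""Pre-join DNS sanity check for the failure described in this thread: the
client's resolver returns a reverse name for the IPA server that differs from
its forward name, so Kerberos requests HTTP/<wrong-name> and the KDC answers
UNKNOWN_SERVER. Added example, not ipa-client-install code; resolver functions
are injectable and the records below are constructed."""
import socket


def canonical(name):
    return name.rstrip(".").lower()


def system_forward(name):
    return socket.gethostbyname(name)


def system_reverse(ip):
    return socket.gethostbyaddr(ip)[0]


def nameservers(resolv_conf_text):
    """Return the 'nameserver' addresses listed in resolv.conf text."""
    out = []
    for line in resolv_conf_text.splitlines():
        parts = line.split("#", 1)[0].split()     # drop comments
        if len(parts) >= 2 and parts[0] == "nameserver":
            out.append(parts[1])
    return out


def check_server_dns(server_fqdn, domain, forward=system_forward, reverse=system_reverse):
    """Check forward/reverse consistency for the IPA server the client detected.

    Returns {"ip", "reverse_name", "problems"}; an empty "problems" list means
    the server's name is consistent through this resolver."""
    result = {"ip": None, "reverse_name": None, "problems": []}
    server_fqdn, domain = canonical(server_fqdn), canonical(domain)
    try:
        ip = forward(server_fqdn)
    except (socket.gaierror, KeyError) as exc:
        result["problems"].append(f"forward lookup of {server_fqdn} failed: {exc!r}")
        return result
    result["ip"] = ip
    try:
        rname = canonical(reverse(ip))
    except (socket.herror, KeyError) as exc:
        result["problems"].append(f"no PTR record for {ip}: {exc!r}")
        return result
    result["reverse_name"] = rname
    if rname != server_fqdn:
        result["problems"].append(
            f"PTR for {ip} is {rname}, expected {server_fqdn}; Kerberos would "
            f"request service principals on {rname}")
    if not (rname == domain or rname.endswith("." + domain)):
        result["problems"].append(f"{rname} is outside the IPA domain {domain}")
    try:
        back = forward(rname)
    except (socket.gaierror, KeyError):
        back = None
    if back != ip:
        result["problems"].append(f"{rname} does not resolve back to {ip} (got {back})")
    return result


# Constructed records reproducing the thread: the company resolver's reverse zone
# names the IPA server polaris.prague.s3group.com instead of polaris.example.com.
# 192.0.2.10 / 192.0.2.53 are documentation-range placeholders, not real addresses.
FAKE_A = {"polaris.example.com": "192.0.2.10", "polaris.prague.s3group.com": "192.0.2.10"}
COMPANY_PTR = {"192.0.2.10": "polaris.prague.s3group.com"}
IPA_PTR = {"192.0.2.10": "polaris.example.com"}
RESOLV_CONF = "# constructed\nsearch example.com\nnameserver 192.0.2.53  # company DNS\n"


def check_with_fake_records(ptr_table):
    return check_server_dns("polaris.example.com", "example.com",
                            forward=lambda n: FAKE_A[n], reverse=lambda ip: ptr_table[ip])


if __name__ == "__main__":
    print("resolvers in use:", nameservers(RESOLV_CONF))
    for label, table in (("company DNS", COMPANY_PTR), ("IPA DNS", IPA_PTR)):
        print(label + ":", check_with_fake_records(table)["problems"] or ["ok"])
```

Against the real system, call check_server_dns with the defaults so it goes through the resolver in /etc/resolv.conf; a non-empty problems list before running ipa-client-install points at the wrong nameserver being left in place, which is exactly the situation Simo's suggestion (adding the reverse records to the company DNS) removes.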
Re: [Freeipa-users] ipa-client-install failed to join the IPA realm if DNS setting is incorrect
Ondrej Valousek wrote:
> Hi List,
> I have just noticed that the ipa-client-install fails miserably if the client's /etc/resolv.conf points to some foreign DNS server. The symptoms are that KDC (on the IPA server) fails to locate self in Kerberos database:

The KDC is just trying to look up a service that was requested, it was the client that requested this host. Note that the host name used is the detected IPA server. This can often be wrong if there is another server in your network with SRV records (such as AD).

> Jun 30 11:11:48 polaris krb5kdc[1279](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.60.135: NEEDED_PREAUTH: ad...@example.com for krbtgt/example@example.com, Additional pre-authentication required
> Jun 30 11:11:48 polaris krb5kdc[1279](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.60.135: ISSUE: authtime 1309425108, etypes {rep=18 tkt=18 ses=18}, ad...@example.com for krbtgt/example@example.com
> Jun 30 11:11:49 polaris krb5kdc[1279](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.60.135: UNKNOWN_SERVER: authtime 0, ad...@example.com for HTTP/polaris.prague.s3group@example.com, Server not found in Kerberos database
>
> Question: Should probably try to autoconfigure /etc/resolv.conf as well or at least warn user that join might fail?

The resolver is a bit of a chicken and egg problem. Hard to look anything up if you don't have one configured.

The installer should prompt that the detected settings are ok. Were they ok and we still went to the wrong place?

rob
[Freeipa-users] ipa-client-install failed to join the IPA realm if DNS setting is incorrect
Hi List,
I have just noticed that the ipa-client-install fails miserably if the client's /etc/resolv.conf points to some foreign DNS server. The symptoms are that KDC (on the IPA server) fails to locate self in Kerberos database:

Jun 30 11:11:48 polaris krb5kdc[1279](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.60.135: NEEDED_PREAUTH: ad...@example.com for krbtgt/example@example.com, Additional pre-authentication required
Jun 30 11:11:48 polaris krb5kdc[1279](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.60.135: ISSUE: authtime 1309425108, etypes {rep=18 tkt=18 ses=18}, ad...@example.com for krbtgt/example@example.com
Jun 30 11:11:49 polaris krb5kdc[1279](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.60.135: UNKNOWN_SERVER: authtime 0, ad...@example.com for HTTP/*polaris.prague.s3group.com*@EXAMPLE.COM, *Server not found in Kerberos database*

Question: Should probably try to autoconfigure /etc/resolv.conf as well or at least warn user that join might fail?

Thanks,
Ondrej
Re: [Freeipa-users] How to configuring MIT Kerberos in microsoft windows xp
On Thu, Jun 30, 2011 at 01:58:32PM +0700, Muhammad Naufal wrote:
> Now it can authenticate against IPA server but no ticket generated when i
> type klist in XP cmd prompt.
> As a result i can not access IPA web ui.

IIRC there can be multiple ticket caches used there. Maybe the MIT Windows Kerberos tools show a bit more; I found them quite helpful to debug Windows Kerberos auth.

http://web.mit.edu/Kerberos/dist/index.html#kfw-3.2

Christian