Re: [Freeipa-users] Using DHCPD with IPA

2012-01-25 Thread Stephen Gallagher
On Tue, 2012-01-24 at 20:11 -0600, ~Stack~ wrote:
> > You can manage to have machines still fetch data from IPA, but they
> > can't be full fledged clients if you can't preserve the keytab and some
> > other configuration.
>
> As long as I can have a user log into the box and run a process, I don't
> really care if they are a full client or not. These systems are never
> logged into directly, but through a ssh connection so if the users can
> still authenticate into them I might be good on this. How do I configure
> this?

You can set the clients up as pure LDAP+KRB5 clients in SSSD, but the
catch is that you lose the ability to configure them with HBAC rules.
(You need to do more traditional forms of access-control logic in that
case).

Only fully-enrolled clients will honor HBAC rules at this time.


___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

[Freeipa-users] A couple of issues found with ipa-2.1.3-9 during setup/early use

2012-01-25 Thread Charlie Derwent
Hi

I've been testing our potential new IPA server before roll out and while
setting up a replica with ipa-server-2.1.3-9 I encountered the following
issues during installation

[root@ipa2 ~]# ipa-replica-install --setup-dns --no-forwarders --no-ntp /var/lib/ipa/replica-info-ipa2.test.net.gpg
Directory Manager (existing master) password:

Run connection check to master
Check connection from replica to remote master 'ipa1.test.net':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): OK
   HTTP Server: port 80 (80): OK
   HTTP Server: port 443(https) (443): OK

Connection from replica to master is OK.
Start listening on required ports for remote master check
Exception in thread Thread-2:
Traceback (most recent call last):
  File "/usr/lib64/python2.6/threading.py", line 532, in __bootstrap_inner
    self.run()
  File "/usr/sbin/ipa-replica-conncheck", line 238, in run
    self.socket_timeout, responder_data="FreeIPA")
  File "/usr/lib/python2.6/site-packages/ipapython/ipautil.py", line 1134, in bind_port_responder
    raise e
error: [Errno 97] Address family not supported by protocol


The same error runs across all threads. Turning on debug I can see that it
happens when this command is passed to the server:

ipa-replica-conncheck --master ipa1.test.net --auto-master-check --realm TEST.NET --principal admin --hostname ipa2.test.net

I got round that by running --skip-conncheck during the replica-install, but
was surprised that I've heard no one else mention the issue. Is there any
way I can get some lower-level debug info to find out the root cause of the
issue? The other thing I noticed is that when hosts enroll no timestamp appears
in the "Enrolled?" column on the web UI; it's not a major problem, but my
guys quite liked using it as a visual aid to work through the servers they
had configured. I've looked at the 2.1.4 change log and nothing was
mentioned regarding fixes for either issue.

Cheers,
Charlie
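Added example (not code from the thread or from FreeIPA): "[Errno 97] Address family not supported by protocol" is what Linux returns from socket() for a family the running kernel does not have, and the common way to hit it is socket(AF_INET6, ...) on a host booted with IPv6 disabled. Whether that is what happened on ipa2 is an assumption; the traceback only shows the responder thread dying inside bind_port_responder. The snippet models such a port responder and shows the fallback a listener should do: try IPv6, then IPv4, and give up only when neither family works. The socket factories at the bottom are constructed stand-ins so the fallback can be exercised without opening real sockets.

```python
"""Port responder with IPv6 -> IPv4 fallback (added example, not FreeIPA code)."""
import errno
import socket


def open_listener(port, families=(socket.AF_INET6, socket.AF_INET),
                  socket_factory=socket.socket):
    """Return (listening socket, family) for the first family the kernel supports.

    Only EAFNOSUPPORT triggers the fallback; any other failure (EADDRINUSE,
    EACCES, ...) is a real problem and is re-raised unchanged.
    """
    last_error = None
    for family in families:
        try:
            sock = socket_factory(family, socket.SOCK_STREAM)
        except OSError as exc:
            if exc.errno != errno.EAFNOSUPPORT:
                raise
            last_error = exc      # family disabled in this kernel: try the next one
            continue
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        if family == socket.AF_INET6 and hasattr(socket, "IPV6_V6ONLY"):
            # Dual-stack listener: v4 clients arrive as v4-mapped addresses.
            sock.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 0)
        sock.bind(("::" if family == socket.AF_INET6 else "0.0.0.0", port))
        sock.listen(5)
        return sock, family
    raise last_error or OSError(errno.EAFNOSUPPORT, "no usable address family")


def respond_once(sock, payload=b"FreeIPA"):
    """Accept one probe, send the banner the checker looks for, hang up."""
    conn, _peer = sock.accept()
    try:
        conn.sendall(payload)
    finally:
        conn.close()


def probe_family(socket_factory=socket.socket, port=0):
    """Open a listener (port 0 = any free port), report the family that won, close it."""
    sock, family = open_listener(port, socket_factory=socket_factory)
    sock.close()
    return {socket.AF_INET6: "AF_INET6", socket.AF_INET: "AF_INET"}[family]


# Constructed stand-ins so the fallback can be exercised without real sockets.
class FakeSocket:
    """Just enough of the socket API for open_listener()."""

    def __init__(self, family):
        self.family = family
        self.bound = None

    def setsockopt(self, *args):
        pass

    def bind(self, addr):
        self.bound = addr

    def listen(self, backlog):
        pass

    def close(self):
        pass


def no_ipv6_factory(family, sock_type):
    """Behaves like socket.socket on a host booted with IPv6 disabled."""
    if family == socket.AF_INET6:
        raise OSError(errno.EAFNOSUPPORT, "Address family not supported by protocol")
    return FakeSocket(family)


def no_family_factory(family, sock_type):
    """Nothing works: open_listener() must raise instead of returning garbage."""
    raise OSError(errno.EAFNOSUPPORT, "Address family not supported by protocol")


if __name__ == "__main__":
    print("this kernel:", probe_family())
    print("IPv6-disabled host:", probe_family(no_ipv6_factory))
```

Run it directly to see which family the local kernel picks; on a host booted with ipv6.disable=1 the first call lands on AF_INET instead of killing the thread. A quick way to confirm the same condition on the replica itself is to check whether /proc/net/if_inet6 exists.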

Re: [Freeipa-users] consulting?

2012-01-25 Thread Jimmy
Found the reason for the ldap search not working- when I created the AD
certificate role, I accidentally entered a new sub-domain so instead of
the FQDN in the cert being csp-ad.pdh.csp it came out csp-ad.cspad.pdh.csp.
I updated DNS and now the ldap search seems to work-

ldif output-- http://fpaste.org/xbOC/
debug-  http://fpaste.org/6g8q/

I guess I need to redo the sync agreement to fix the server DNS name.

I will be traveling for work for the next couple days but should still be
working on this issue some. I'll take VM's of the servers on my laptop to
be able to keep working.
-Jimmy

On Thu, Jan 19, 2012 at 5:04 PM, Rich Megginson rmegg...@redhat.com wrote:

> On 01/19/2012 02:59 PM, Jimmy wrote:
>
> > ok. I started from scratch this week on this and I think I've got the
> > right doc and understand better where this is going. My problem now is that
> > when configuring SSL on the AD server (step c in this url:
> > http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#Install_and_Configure_the_Password_Sync_Service )
> >
> > I get this error:
> >
> > certreq -submit request.req certnew.cer
> > Active Directory Enrollment Policy
> >   {25DDA1E7-3A99-4893-BA32-9955AC9EAC42}
> >   ldap:
> > RequestId: 3
> > RequestId: 3
> > Certificate not issued (Denied) Denied by Policy Module  0x80094801, The
> > request does not contain a certificate template extension or the
> > CertificateTemplate request attribute.
> > The request contains no certificate template information. 0x80094801
> > (-2146875391)
> > Certificate Request Processor: The request contains no certificate
> > template information. 0x80094801 (-2146875391)
> > Denied by Policy Module  0x80094801, The request does not contain a
> > certificate template extension or the CertificateTemplate request attribute.
> >
> > The RH doc says to use the browser if an error occurs and IIS is running
> > but I'm not running IIS. I researched that error but didn't find anything
> > that helps with FreeIPA and PassSync.
>
> Hmm - try installing Microsoft Certificate Authority in Enterprise Root CA
> mode - it will usually automatically create and install the AD server
> cert.  http://directory.fedoraproject.org/wiki/Howto:WindowsSync
>
> > Jimmy
> >
> > On Wed, Jan 11, 2012 at 3:32 PM, Rich Megginson rmegg...@redhat.com wrote:
> >
> > > On 01/11/2012 11:22 AM, Jimmy wrote:
> > >
> > > > We need to be able to replicate user/pass between Windows 2008 AD and
> > > > FreeIPA.
> > >
> > > That's what IPA Windows Sync is supposed to do.
> > >
> > > > I have followed many different documents and posted here about it and
> > > > from what I've read and procedures I've followed we are unable to
> > > > accomplish this.
> > >
> > > What have you tried, and what problems have you run into?
> > >
> > > > It doesn't need to be a full trust.
> > > >
> > > > Thanks
> > > >
> > > > On Tue, Jan 10, 2012 at 3:03 AM, Jan Zelený jzel...@redhat.com wrote:
> > > >
> > > > > Just wondering if there was anyone listening on the list that might be
> > > > > available for little work integrating FreeIPA with Active Directory
> > > > > (preferably in the south east US.) I hope this isn't against the list
> > > > > rules, I just thought one of you guys could help or point me in the right
> > > > > direction.
> > > >
> > > > If you want some help, it is certainly not against list rules ;-) But in that
> > > > case, it would be much better if you asked what exactly do you need.
> > > >
> > > > I'm not an AD expert, but a couple tips: If you are looking for cross-domain
> > > > (cross-realm) trust, then you might be a bit disappointed, it is still in
> > > > development, so it probably won't be 100% functional at this moment.
> > > >
> > > > If you are looking for something else, could you be a little more specific what
> > > > it is?
> > > >
> > > > I also recommend starting with reading some doc:
> > > > http://freeipa.org/page/DocumentationPortal
> > > >
> > > > Thanks
> > > > Jan






Re: [Freeipa-users] consulting?

2012-01-25 Thread Rich Megginson

On 01/25/2012 12:07 PM, Jimmy wrote:
> Found the reason for the ldap search not working- when I created the
> AD certificate role, I accidentally entered a new sub-domain so
> instead of the FQDN in the cert being csp-ad.pdh.csp it came out
> csp-ad.cspad.pdh.csp. I updated DNS and now the ldap search seems to
> work-
>
> ldif output-- http://fpaste.org/xbOC/
> debug- http://fpaste.org/6g8q/
>
> I guess I need to redo the sync agreement to fix the server DNS name.

Yep.  When using TLS/SSL you have to pay close attention to hostnames.



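Added example (not from the thread, 389-ds or FreeIPA): the sync agreement reaches AD over TLS, and the client side checks that the name it connected to appears in the server certificate, so a cert issued for csp-ad.cspad.pdh.csp cannot satisfy a connection to csp-ad.pdh.csp no matter what DNS says. The functions below implement that comparison the way RFC 6125 describes it (dNSName SANs win over the subject CN; a single wildcard, only as the whole leftmost label). The certificate names fed in are constructed for the example; in practice you would read them from the SAN extension, for instance with `openssl x509 -noout -ext subjectAltName -in cert.pem`.

```python
"""Hostname vs. certificate name check (added example; not from the thread, 389-ds or FreeIPA)."""


def _dns_name_matches(pattern, hostname):
    """RFC 6125 section 6.4.3 comparison of one dNSName against the hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname             # plain names: exact, case-insensitive
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Accept only a wildcard that is the entire leftmost label, with at least two
    # fixed labels after it (so "*.csp" never matches anything), and the same
    # number of labels on both sides: "*.pdh.csp" must not cover a.b.pdh.csp.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(hostname, san_dns_names, subject_cn=None):
    """True if the certificate covers `hostname`.

    When the certificate carries any dNSName SANs only those are consulted
    (RFC 6125 section 6.4.4); the subject CN is a fallback for SAN-less certs.
    """
    names = list(san_dns_names) if san_dns_names else ([subject_cn] if subject_cn else [])
    return any(_dns_name_matches(name, hostname) for name in names)


def explain(hostname, san_dns_names, subject_cn=None):
    """One-line verdict suitable for a connection-check log."""
    if hostname_matches(hostname, san_dns_names, subject_cn):
        return f"OK: {hostname} is covered by the certificate"
    names = ", ".join(san_dns_names) if san_dns_names else f"(no SAN; CN={subject_cn})"
    return f"MISMATCH: connected to {hostname} but the certificate is for {names}"


if __name__ == "__main__":
    # Constructed: the AD cert came out with the wrong sub-domain in its name.
    print(explain("csp-ad.pdh.csp", ["csp-ad.cspad.pdh.csp"]))
    print(explain("csp-ad.pdh.csp", ["csp-ad.pdh.csp"]))
```

The practical consequence for a sync agreement is that fixing DNS is not enough: either the certificate must be reissued for the name the agreement dials, or the agreement must dial the name that is in the certificate.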

Re: [Freeipa-users] Aix client configuration

2012-01-25 Thread Sylvain Angers
2012/1/25 Rob Crittenden rcrit...@redhat.com

> Sylvain Angers wrote:
>
> > Hello
> > In our lab, we are testing latest ipa on redhat and we are now
> > configuring/testing an IBM/AIX client 6.1
> >
> > Here is the ipa server command that we used
> > ipa-server-install -a ipa123 --hostname=mtl-ipa01d.cnppd.lab -n cnppd.lab -p ldap123 -r CNPPD.LAB
> >
> > We are following your documentation for AIX client and have some issue
> > getting through the step
> >
> > we had to install these filesets and we still fight modcrypt
> >
> > lslpp -L | grep idsldap
> >   idsldap.clt32bit61.rte     6.1.0.34    C     F    Directory Server - 32 bit
> >   idsldap.clt64bit61.rte     6.1.0.34    C     F    Directory Server - 64 bit
> >   idsldap.cltbase61.adt      6.1.0.34    C     F    Directory Server - Base Client
> >   idsldap.cltbase61.rte      6.1.0.34    C     F    Directory Server - Base Client
> >
> > lslpp -L | grep krb
> >   krb5.client.rte            1.5.0.2     C     F    Network Authentication Service
> >   krb5.client.samples        1.5.0.2     C     F    Network Authentication Service
> >   krb5.doc.en_US.html        1.5.0.2     C     F    Network Auth Service HTML
> >   krb5.doc.en_US.pdf         1.5.0.2     C     F    Network Auth Service PDF
> >   krb5.lic                   1.5.0.2     C     F    Network Authentication Service
> >   krb5.msg.en_US.client.rte  1.5.0.2     C     F    Network Auth Service Client
> >   krb5.server.rte            1.5.0.2     C     F    Network Authentication Service
> >
> > we did run the mksecldap command, as follows
> >
> > mksecldap -c -h mtl-ipa01d.cnppd.lab -d cn=accounts,dc=cnppd,dc=lab -a uid=nss,cn=sysaccounts,cn=etc,dc=cnppd,dc=lab -p abc123
> >
> > and we got : Invalid bind DN or bind passwd.  Client presetup check
> > failed.
> >
> > Do we need to customize this command further? If so, what are we missing?
> > Also, as we have not yet succeeded in making modcrypt work on our AIX 6.1,
> > we wonder if we will need (temporarily) to do some ldapmodify on the ipa
> > server to disable ssl?
> >
> > Thank you for your assistance!
>
> Did you create the entry uid=nss,cn=sysaccounts,cn=etc,... ?
>
> You can test that the password is correct independently with ldapsearch
> and the 389-ds access log may have additional information on the bind
> failure.
>
> rob

Hello Rob,

All I see at the moment is
uid=sudo,cn=sysaccounts,cn=etc,dc=cnppd,dc=lab
uid=kdc,cn=sysaccounts,cn=etc,dc=cnppd,dc=lab

whenever I create new users, they end up under

uid=nss,cn=users,cn=accounts,dc=cnppd,dc=lab

How do we create uid=nss,cn=sysaccounts,cn=etc,dc=cnppd,dc=lab ?

is this something we have to manually do via ldapadd?
about the nss password will the ldapadd be part of the command?

Thanks

-- 
Sylvain Angers
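Added example (not from the thread or from FreeIPA): a bind account under cn=sysaccounts,cn=etc is not something `ipa user-add` creates; it is added with ldapadd as Directory Manager. The first helper writes that LDIF, taking care of the two things that usually go wrong in a hand-written one: characters that need escaping in the RDN (RFC 4514) and values that LDIF requires to be base64-encoded (RFC 2849). The object classes and the expiry/idle attributes follow the conventional FreeIPA sysaccount layout, which is an assumption to check against the existing uid=sudo entry on the server (`ldapsearch -b cn=sysaccounts,cn=etc,dc=cnppd,dc=lab`). The second helper builds the ldapsearch bind test Rob suggests, prompting for the password so it is never on the command line. Hostnames and DNs are the ones from the thread.

```python
"""LDIF for a FreeIPA system account plus an ldapsearch bind test (added example, not FreeIPA code)."""
import base64
import shlex

_RDN_SPECIAL = '",+;<>\\'


def escape_rdn_value(value):
    """Escape an attribute value for use in a DN (RFC 4514 section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _RDN_SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def ldif_attr(name, value):
    """One LDIF line; base64 (`::`) when the value is not an RFC 2849 SAFE-STRING.

    A trailing space is also base64-encoded: it is legal, but invisible in an
    editor, and a password with one is a classic "Invalid bind DN or bind passwd".
    """
    unsafe = (value[:1] in (" ", ":", "<") or value[-1:] == " "
              or any(ord(c) > 127 or c in "\r\n\0" for c in value))
    if unsafe:
        return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{name}: {value}"


def sysaccount_ldif(base_dn, uid, password, expires="20380119031407Z"):
    """LDIF for `ldapadd` creating uid=<uid>,cn=sysaccounts,cn=etc,<base_dn>.

    Object classes and the expiry/idle attributes follow the usual FreeIPA
    sysaccount layout (assumption); compare with the existing uid=sudo entry
    on your own server before relying on it.
    """
    dn = f"uid={escape_rdn_value(uid)},cn=sysaccounts,cn=etc,{base_dn}"
    lines = [
        "dn: " + dn,
        "changetype: add",
        "objectClass: account",
        "objectClass: simpleSecurityObject",
        ldif_attr("uid", uid),
        ldif_attr("userPassword", password),
        "passwordExpirationTime: " + expires,   # keep the policy from expiring the bind password
        "nsIdleTimeout: 0",
    ]
    return "\n".join(lines) + "\n"


def bind_check_command(host, bind_dn, base_dn):
    """argv for an ldapsearch that proves the DN/password pair can bind.

    -W prompts for the password so it stays out of shell history and `ps`;
    a base-scope search of the suffix returns one entry if the bind worked,
    and "Invalid credentials (49)" if it did not.
    """
    return ["ldapsearch", "-x", "-H", f"ldaps://{host}", "-D", bind_dn, "-W",
            "-b", base_dn, "-s", "base", "(objectClass=*)", "dn"]


def bind_check_shell(host, bind_dn, base_dn):
    """Same thing as a copy-pasteable command line."""
    return " ".join(shlex.quote(a) for a in bind_check_command(host, bind_dn, base_dn))


if __name__ == "__main__":
    print(sysaccount_ldif("dc=cnppd,dc=lab", "nss", "abc123"))
    print(bind_check_shell("mtl-ipa01d.cnppd.lab",
                           "uid=nss,cn=sysaccounts,cn=etc,dc=cnppd,dc=lab", "dc=cnppd,dc=lab"))
```

Save the LDIF and load it on the IPA server with `ldapadd -x -H ldaps://mtl-ipa01d.cnppd.lab -D "cn=Directory Manager" -W -f nss.ldif`, then run the printed ldapsearch from the same host before touching the AIX side; if that bind fails, the 389-ds access log (err=49 on the BIND line) tells you whether the DN or the password is wrong. Note that the mksecldap command in the thread passes the password with -p on the command line, which lands in shell history.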

Re: [Freeipa-users] Using DHCPD with IPA

2012-01-25 Thread Sigbjorn Lie

On 01/25/2012 02:30 AM, ~Stack~ wrote:
> 2) How do I get dhcpd to update DNS?
>
> Since I can't find the place to add rndc-keys to BIND, right now I have
> to add every host manually in the web interface because dhcpd isn't
> updating named. This is time consuming and a pain when dealing with
> large amounts of systems. If I could figure out where the named zones
> are stored in IPA I should be able to add my rndc-key and be OK, but
> that gets back into question 1.
>
> My /etc/dhcp/dhcpd.conf file is pretty basic but all the PXE clients
> have host entries to match their MAC with the group that allows PXE
> booting (ex: host pxe001.project.local{hardware ethernet
> 00:16:17:AB:E9:88; fixed-address 172.31.203.1}).  Unless I manage both
> this file and the IPA interface, the nodes have issues figuring out
> their name. One or the other and the node has issues; both and it works.
> I would really prefer not to manage two locations for all these nodes.
>
> The normal way for dhcpd to talk to BIND(named) is by having a rndc-key.
> However, me fighting with named.conf was the big part of my problems
> before so I am hoping there is a simple way of doing this inside IPA.
>
> Any ideas?


This is what I have done to work around issues similar to yours.

Over a few years I have developed a pxe boot toolbox called
OneClickKick. OCK manages DHCPD by generating config files based upon
information looked up from naming sources such as MySQL, NIS, or LDAP
(IPA). It also creates the PXE boot files in tftpboot/pxelinux.cfg, and
serves kickstart files when PXE booting clients.


I have integrated OCK with IPA to make IPA keep records of the MAC 
address, and base my DHCP config upon the information I get from IPA. 
For your configuration, the steps for adding a new client would be the 
following:


1. Add the host to IPA, specify an IP address so that forward and 
reverse DNS records are created for the host
2. The host will appear in OneClickKick, select modify, add the MAC 
address (this is being written to the host object in IPA), and select it 
for PXE boot / kickstart. This will generate the DHCP config file, 
reload dhcpd, and create the required files in the tftpboot/pxelinux.cfg 
directory (if you enabled it for PXE booting).

3. PXE boot the client.

By doing this you eliminate the need for dhcpd to update the DNS server, 
because the records are already there.


The MAC addresses stored in IPA can also be used by normal Linux and 
Solaris (Jumpstart) clients by utilizing their ethers table in 
nsswitch.conf.


Have a look at the link below to read more and download if you think 
OneClickKick could suit your environment.


http://sourceforge.net/projects/oneclickkick/


Regards,
Siggi
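Added example in the spirit of what the steps above describe; it is not OneClickKick's code and does not talk to IPA. The input is a list of host records (FQDN, address, MAC) of the kind an inventory export from IPA would give you once the MAC is stored on the host object (the attribute name is an assumption), and the output is the static-lease block dhcpd needs, so the A/PTR records stay authoritative in IPA and dhcpd never has to update named. Everything is validated before it is written, because a malformed or duplicated MAC silently breaks PXE for the hosts involved. The first sample record is the host from ~Stack~'s dhcpd.conf; the rest is constructed.

```python
"""dhcpd.conf host stanzas from a host inventory (added example, not OneClickKick's code)."""
import ipaddress
import re

_MAC_RE = re.compile(r"^([0-9a-f]{2})[:-]([0-9a-f]{2})[:-]([0-9a-f]{2})"
                     r"[:-]([0-9a-f]{2})[:-]([0-9a-f]{2})[:-]([0-9a-f]{2})$", re.I)
_FQDN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]+$", re.I)

# Constructed inventory; the first entry is the host from ~Stack~'s dhcpd.conf.
# In the OCK model these fields come from the IPA host object: fqdn, the A
# record's address, and a MAC attribute on the host (attribute name assumed).
SAMPLE_HOSTS = [
    {"fqdn": "pxe001.project.local", "ip": "172.31.203.1", "mac": "00:16:17:AB:E9:88", "pxe": True},
    {"fqdn": "pxe002.project.local", "ip": "172.31.203.2", "mac": "00-16-17-ab-e9-89", "pxe": False},
]


def normalize_mac(mac):
    """Return the MAC as dhcpd writes it (lower case, colons) or raise ValueError."""
    m = _MAC_RE.match(mac.strip())
    if not m:
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(g.lower() for g in m.groups())


def host_stanza(fqdn, ip, mac, pxe=False, next_server=None):
    """One `host` block: a static lease keyed on the MAC, no DNS update needed."""
    if not _FQDN_RE.match(fqdn):
        raise ValueError(f"bad hostname: {fqdn!r}")
    addr = ipaddress.ip_address(ip)        # ValueError on anything that is not an IP
    if addr.version != 4:
        raise ValueError(f"fixed-address here expects IPv4: {ip!r}")
    lines = [
        f"host {fqdn} {{",
        f"    hardware ethernet {normalize_mac(mac)};",
        f"    fixed-address {addr};",
        f'    option host-name "{fqdn.split(".")[0]}";',   # the node learns its own name
    ]
    if pxe:
        if next_server:
            lines.append(f"    next-server {ipaddress.ip_address(next_server)};")
        lines.append('    filename "pxelinux.0";')
    lines.append("}")
    return "\n".join(lines)


def render_hosts(records, next_server=None):
    """Render every host; refuse an inventory with a duplicated MAC or IP,
    since dhcpd would otherwise hand one of the two hosts the wrong lease."""
    seen_mac, seen_ip, stanzas = {}, {}, []
    for rec in records:
        mac = normalize_mac(rec["mac"])
        ip = str(ipaddress.ip_address(rec["ip"]))
        for key, seen, what in ((mac, seen_mac, "MAC"), (ip, seen_ip, "IP")):
            if key in seen:
                raise ValueError(f"duplicate {what} {key}: {seen[key]} and {rec['fqdn']}")
            seen[key] = rec["fqdn"]
        stanzas.append(host_stanza(rec["fqdn"], ip, mac, rec.get("pxe", False), next_server))
    return "\n\n".join(stanzas) + "\n"


if __name__ == "__main__":
    print(render_hosts(SAMPLE_HOSTS, next_server="172.31.203.254"))
```

Write the result to a file that dhcpd.conf pulls in with an `include` line and run `dhcpd -t` before reloading, so a bad inventory row fails the config check rather than the next PXE boot.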



Re: [Freeipa-users] Using DHCPD with IPA

2012-01-25 Thread ~Stack~
On 01/25/2012 05:18 PM, Sigbjorn Lie wrote:

Thank you! I will take a look at it tomorrow.

~Stack~


