Re: [Freeipa-users] Using DHCPD with IPA
On Tue, 2012-01-24 at 20:11 -0600, ~Stack~ wrote:

You can manage to have machines still fetch data from IPA, but they can't be full fledged clients if you can't preserve the keytab and some other configuration.

As long as I can have a user log into the box and run a process, I don't really care if they are a full client or not. These systems are never logged into directly, but through a ssh connection so if the users can still authenticate into them I might be good on this. How do I configure this?

You can set the clients up as pure LDAP+KRB5 clients in SSSD, but the catch is that you lose the ability to configure them with HBAC rules. (You need to do more traditional forms of access-control logic in that case). Only fully-enrolled clients will honor HBAC rules at this time.

___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
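What a "pure LDAP+KRB5 client in SSSD" looks like in practice, as an added example (this is not configuration from the thread or from the FreeIPA project): identity comes from IPA's LDAP tree, authentication from the IPA KDC, and, because HBAC is unavailable without enrollment, login restriction is done with SSSD's simple access provider. The domain example.net, realm EXAMPLE.NET, server ipa.example.net and group sshusers are assumptions; the CA path /etc/ipa/ca.crt assumes the IPA CA certificate has been copied to the client.

```shell
#!/bin/bash
# Added example, not from the thread: render sssd.conf for a host that is NOT
# enrolled in IPA (no host keytab), using the plain ldap/krb5 providers and
# the "simple" access provider as the HBAC replacement. All names are
# illustrative assumptions.
set -eu

# render_sssd_conf DOMAIN REALM IPA_SERVER ALLOWED_GROUP
# Prints a complete sssd.conf to stdout.
render_sssd_conf() {
    local domain="$1" realm="$2" server="$3" group="$4"
    local base
    # example.net -> dc=example,dc=net
    base="dc=$(printf '%s' "$domain" | sed 's/\./,dc=/g')"
    cat <<EOF
[sssd]
config_file_version = 2
services = nss, pam
domains = ${domain}

[domain/${domain}]
# Identity from IPA's LDAP tree, authentication against the IPA KDC.
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
ldap_uri = ldap://${server}
ldap_search_base = cn=accounts,${base}
# IPA groups are rfc2307bis style (member attribute), not memberUid.
ldap_schema = rfc2307bis
ldap_group_member = member
# Anonymous reads are acceptable, but never in clear: force STARTTLS and
# pin the IPA CA so a spoofed server cannot feed fake uid/gid data.
ldap_id_use_start_tls = true
ldap_tls_cacert = /etc/ipa/ca.crt
ldap_tls_reqcert = demand
krb5_server = ${server}
krb5_realm = ${realm}
# No HBAC without enrollment: restrict logins to one group instead.
access_provider = simple
simple_allow_groups = ${group}
cache_credentials = true
EOF
}

# install_sssd_conf DOMAIN REALM IPA_SERVER ALLOWED_GROUP [PATH]
# Writes the file with the root-only 0600 mode sssd requires.
install_sssd_conf() {
    local path="${5:-/etc/sssd/sssd.conf}"
    render_sssd_conf "$1" "$2" "$3" "$4" > "$path"
    chmod 0600 "$path"
}

# conf_has KEY VALUE: reads a rendered config on stdin, 0 if "KEY = VALUE"
# is present as a whole line (fixed-string match).
conf_has() {
    grep -qxF "$1 = $2"
}
```

Without HBAC the only access decision this client makes is simple_allow_groups; keep that group small and treat it as the host's access list, since any IPA user not in it is refused by PAM even though they resolve through NSS.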
[Freeipa-users] A couple of issues found with ipa-2.1.3-9 during setup/early use
Hi

I've been testing our potential new IPA server before roll out and while setting up a replica with ipa-server-2.1.3-9 I encountered the following issues during installation:

[root@ipa2 ~]# ipa-replica-install --setup-dns --no-forwarders --no-ntp /var/lib/ipa/replica-info-ipa2.test.net.gpg
Directory Manager (existing master) password:

Run connection check to master
Check connection from replica to remote master 'ipa1.test.net':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): OK
   HTTP Server: port 80 (80): OK
   HTTP Server: port 443(https) (443): OK

Connection from replica to master is OK.
Start listening on required ports for remote master check
Exception in thread Thread-2:
Traceback (most recent call last):
  File "/usr/lib64/python2.6/threading.py", line 532, in __bootstrap_inner
    self.run()
  File "/usr/sbin/ipa-replica-conncheck", line 238, in run
    self.socket_timeout, responder_data="FreeIPA")
  File "/usr/lib/python2.6/site-packages/ipapython/ipautil.py", line 1134, in bind_port_responder
    raise e
error: [Errno 97] Address family not supported by protocol

The same error runs across all threads. Turning on debug I can see that it happens when this command is passed to the server:

ipa-replica-conncheck --master ipa1.test.net --auto-master-check --realm TEST.NET --principal admin --hostname ipa2.test.net

I got round that by running --skip-conncheck during the replica-install but was surprised I've heard no-one else has mentioned the issue. Is there any way I can get some lower level debug info to find out the root cause of the issue?

The other thing I noticed is when hosts enroll no timestamp appears in the "Enrolled?" column on the webui. It's not a major problem but my guys quite liked using it as a visual aid to work through the servers they had configured.

I've looked at the 2.1.4 change log and nothing was mentioned regarding fixes for either issue.

Cheers,
Charlie
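Two things a practitioner would do before reaching for --skip-conncheck, as an added example (not code from the thread or from FreeIPA): re-run the replica-to-master half of the connection check by hand, and localize the Errno 97 failure on the listening side. Errno 97 on Linux is EAFNOSUPPORT, which bind() or socket() returns when the requested address family is not provided by the kernel; that the conncheck responder opens an IPv6 socket is an assumption here, not something the thread states. The master name ipa1.test.net and the port list come from the conncheck output above; everything else is illustrative.

```shell
#!/bin/bash
# Added example, not from the thread: reproduce the TCP part of
# ipa-replica-conncheck's master probe and give an actionable hint for
# "[Errno 97] Address family not supported by protocol" (EAFNOSUPPORT).
# Assumes bash and coreutils timeout are available; the master name is the
# one from the thread.
set -u

# tcp_open HOST PORT: 0 if a TCP connect succeeds within 3 seconds.
tcp_open() {
    timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# TCP ports the conncheck probes on the master. The UDP probes (88, 464)
# cannot be reproduced with /dev/tcp and are left out on purpose.
conncheck_tcp_ports() {
    printf '%s\n' 389 636 88 464 80 443
}

# check_master HOST: prints "port: OK|FAIL" per port and returns the number
# of failures, so 0 means every port was reachable.
check_master() {
    local host="$1" port fails=0
    for port in $(conncheck_tcp_ports); do
        if tcp_open "$host" "$port"; then
            echo "$port: OK"
        else
            echo "$port: FAIL"
            fails=$((fails + 1))
        fi
    done
    return "$fails"
}

# af_errno_hint MESSAGE: prints a diagnosis for the Errno 97 case and
# nothing for unrelated errors, so it can be piped after a failing run.
af_errno_hint() {
    case "$1" in
        *"Errno 97"*|*"Address family not supported"*)
            echo "EAFNOSUPPORT: the responder asked for a socket family the kernel"
            echo "does not provide (assumed: AF_INET6 with IPv6 not loaded, e.g."
            echo "ipv6.disable=1). Check that /proc/net/if_inet6 exists, and run"
            echo "  strace -f -e trace=socket,bind ipa-replica-conncheck ..."
            echo "to see the exact socket()/bind() call that fails."
            ;;
    esac
}

# ipv6_available: 0 if this host exposes an IPv6 stack at all.
ipv6_available() {
    [ -r /proc/net/if_inet6 ]
}

# Usage: ./conncheck-by-hand.sh --run ipa1.test.net
if [ "${1:-}" = "--run" ]; then
    check_master "${2:-ipa1.test.net}"
    ipv6_available || echo "note: no IPv6 stack on this host" >&2
fi
```

The strace line is the "lower level debug info" asked for above: it shows the address family the responder passes to socket(), which the Python traceback hides behind "raise e".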
Re: [Freeipa-users] consulting?
Found the reason for the ldap search not working- when I created the AD certificate role, I accidentally entered a new sub-domain so instead of the FQDN in the cert being csp-ad.pdh.csp it came out csp-ad.cspad.pdh.csp. I updated DNS and now the ldap search seems to work-
ldif output-- http://fpaste.org/xbOC/
debug- http://fpaste.org/6g8q/

I guess I need to redo the sync agreement to fix the server DNS name. I will be traveling for work for the next couple days but should still be working on this issue some. I'll take VM's of the servers on my laptop to be able to keep working.

-Jimmy

On Thu, Jan 19, 2012 at 5:04 PM, Rich Megginson rmegg...@redhat.com wrote:

On 01/19/2012 02:59 PM, Jimmy wrote:

ok. I started from scratch this week on this and I think I've got the right doc and understand better where this is going. My problem now is that when configuring SSL on the AD server (step c in this url: http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#Install_and_Configure_the_Password_Sync_Service ) I get this error:

certreq -submit request.req certnew.cer
Active Directory Enrollment Policy
{25DDA1E7-3A99-4893-BA32-9955AC9EAC42}
ldap:
RequestId: 3
RequestId: 3
Certificate not issued (Denied) Denied by Policy Module 0x80094801, The request does not contain a certificate template extension or the CertificateTemplate request attribute. The request contains no certificate template information. 0x80094801 (-2146875391)
Certificate Request Processor: The request contains no certificate template information. 0x80094801 (-2146875391)
Denied by Policy Module 0x80094801, The request does not contain a certificate template extension or the CertificateTemplate request attribute.

The RH doc says to use the browser if an error occurs and IIS is running but I'm not running IIS. I researched that error but didn't find anything that helps with FreeIPA and passsync.

Hmm - try installing Microsoft Certificate Authority in Enterprise Root CA mode - it will usually automatically create and install the AD server cert. http://directory.fedoraproject.org/wiki/Howto:WindowsSync

Jimmy

On Wed, Jan 11, 2012 at 3:32 PM, Rich Megginson rmegg...@redhat.com wrote:

On 01/11/2012 11:22 AM, Jimmy wrote:

We need to be able to replicate user/pass between Windows 2008 AD and FreeIPA.

That's what IPA Windows Sync is supposed to do.

I have followed many different documents and posted here about it and from what I've read and procedures I've followed we are unable to accomplish this.

What have you tried, and what problems have you run into?

It doesn't need to be a full trust.

Thanks

On Tue, Jan 10, 2012 at 3:03 AM, Jan Zelený jzel...@redhat.com wrote:

Just wondering if there was anyone listening on the list that might be available for little work integrating FreeIPA with Active Directory (preferably in the south east US.) I hope this isn't against the list rules, I just thought one of you guys could help or point me in the right direction.

If you want some help, it is certainly not against list rules ;-) But in that case, it would be much better if you asked what exactly do you need. I'm not an AD expert, but a couple tips: If you are looking for cross-domain (cross-realm) trust, then you might be a bit disappointed, it is still in development, so it probably won't be 100% functional at this moment. If you are looking for something else, could you be a little more specific what it is? I also recommend starting with reading some doc: http://freeipa.org/page/DocumentationPortal

Thanks
Jan
Re: [Freeipa-users] consulting?
On 01/25/2012 12:07 PM, Jimmy wrote:

Found the reason for the ldap search not working- when I created the AD certificate role, I accidentally entered a new sub-domain so instead of the FQDN in the cert being csp-ad.pdh.csp it came out csp-ad.cspad.pdh.csp. I updated DNS and now the ldap search seems to work-
ldif output-- http://fpaste.org/xbOC/
debug- http://fpaste.org/6g8q/

I guess I need to redo the sync agreement to fix the server DNS name.

Yep. When using TLS/SSL you have to pay close attention to hostnames.

I will be traveling for work for the next couple days but should still be working on this issue some. I'll take VM's of the servers on my laptop to be able to keep working.

-Jimmy

On Thu, Jan 19, 2012 at 5:04 PM, Rich Megginson rmegg...@redhat.com wrote:

On 01/19/2012 02:59 PM, Jimmy wrote:

ok. I started from scratch this week on this and I think I've got the right doc and understand better where this is going. My problem now is that when configuring SSL on the AD server (step c in this url: http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#Install_and_Configure_the_Password_Sync_Service ) I get this error:

certreq -submit request.req certnew.cer
Active Directory Enrollment Policy
{25DDA1E7-3A99-4893-BA32-9955AC9EAC42}
ldap:
RequestId: 3
RequestId: 3
Certificate not issued (Denied) Denied by Policy Module 0x80094801, The request does not contain a certificate template extension or the CertificateTemplate request attribute. The request contains no certificate template information. 0x80094801 (-2146875391)
Certificate Request Processor: The request contains no certificate template information. 0x80094801 (-2146875391)
Denied by Policy Module 0x80094801, The request does not contain a certificate template extension or the CertificateTemplate request attribute.

The RH doc says to use the browser if an error occurs and IIS is running but I'm not running IIS. I researched that error but didn't find anything that helps with FreeIPA and passsync.

Hmm - try installing Microsoft Certificate Authority in Enterprise Root CA mode - it will usually automatically create and install the AD server cert. http://directory.fedoraproject.org/wiki/Howto:WindowsSync

Jimmy

On Wed, Jan 11, 2012 at 3:32 PM, Rich Megginson rmegg...@redhat.com wrote:

On 01/11/2012 11:22 AM, Jimmy wrote:

We need to be able to replicate user/pass between Windows 2008 AD and FreeIPA.

That's what IPA Windows Sync is supposed to do.

I have followed many different documents and posted here about it and from what I've read and procedures I've followed we are unable to accomplish this.

What have you tried, and what problems have you run into?

It doesn't need to be a full trust.

Thanks

On Tue, Jan 10, 2012 at 3:03 AM, Jan Zelený jzel...@redhat.com wrote:

Just wondering if there was anyone listening on the list that might be available for little work integrating FreeIPA with Active Directory (preferably in the south east US.) I hope this isn't against the list rules, I just thought one of you guys could help or point me in the right direction.

If you want some help, it is certainly not against list rules ;-) But in that case, it would be much better if you asked what exactly do you need. I'm not an AD expert, but a couple tips: If you are looking for cross-domain (cross-realm) trust, then you might be a bit disappointed, it is still in development, so it probably won't be 100% functional at this moment. If you are looking for something else, could you be a little more specific what it is? I also recommend starting with reading some doc: http://freeipa.org/page/DocumentationPortal

Thanks
Jan
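The mismatch Jimmy found (certificate issued for csp-ad.cspad.pdh.csp, sync agreement pointing at csp-ad.pdh.csp) and Rich's remark about hostnames under TLS come down to one check that is worth scripting on the IPA side before touching the sync agreement: pull the AD server's LDAPS certificate and compare every name it carries against the hostname the agreement will use. This is an added example, not code from the thread, from 389-ds or from FreeIPA; it parses `openssl x509 -text` output, assumes port 636 for LDAPS, and uses the two hostnames from the thread as test data.

```shell
#!/bin/bash
# Added example, not from the thread: check that the AD LDAPS certificate
# actually names the host the sync agreement connects to. Assumes openssl
# is installed; port 636 is an assumption.
set -u

# cert_names: read `openssl x509 -noout -text` output on stdin and print
# every DNS name the certificate is valid for, one per line (subject CN
# first, then subjectAltName dNSName entries).
cert_names() {
    awk '
        /^ *Subject:/ {
            if (match($0, /CN ?= ?[^,\/]+/)) {
                cn = substr($0, RSTART, RLENGTH)
                sub(/^CN ?= ?/, "", cn)
                print cn
            }
        }
        /DNS:/ {
            n = split($0, parts, ",")
            for (i = 1; i <= n; i++) {
                if (parts[i] ~ /DNS:/) {
                    s = parts[i]
                    sub(/^.*DNS:/, "", s)
                    gsub(/[ \t]/, "", s)
                    print s
                }
            }
        }'
}

# name_matches NAME HOST: 0 if NAME equals HOST, or NAME is a single-label
# wildcard (*.parent) and HOST is exactly one label below that parent.
name_matches() {
    local name="$1" host="$2"
    [ "$name" = "$host" ] && return 0
    case "$name" in
        \*.*)
            [ "${host#*.}" = "${name#\*.}" ] && [ "${host%%.*}" != "$host" ] && return 0
            ;;
    esac
    return 1
}

# cert_matches_host HOST: read certificate text on stdin; 0 if any name in
# it matches HOST. A mismatch here is exactly what breaks the sync agreement.
cert_matches_host() {
    local host="$1" name
    for name in $(cert_names); do
        name_matches "$name" "$host" && return 0
    done
    return 1
}

# ldaps_cert_text HOST [PORT]: fetch the live server certificate over LDAPS
# and dump it as text (needs network access to the AD server).
ldaps_cert_text() {
    openssl s_client -connect "$1:${2:-636}" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -text
}

# check_ldaps_host HOST: 0 if the certificate served on HOST:636 names HOST.
check_ldaps_host() {
    ldaps_cert_text "$1" | cert_matches_host "$1"
}
```

Run `check_ldaps_host csp-ad.pdh.csp; echo $?` from the IPA server: a non-zero result means the agreement's hostname is not in the certificate, and either the certificate must be reissued or the agreement must use a name that is.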
Re: [Freeipa-users] Aix client configuration
2012/1/25 Rob Crittenden rcrit...@redhat.com

Sylvain Angers wrote:

Hello

In our lab, we are testing latest ipa on redhat and we are now configuring/testing an IBM/AIX client 6.1

Here is the ipa server command that we used

ipa-server-install -a ipa123 --hostname=mtl-ipa01d.cnppd.lab -n cnppd.lab -p ldap123 -r CNPPD.LAB

We are following your documentation for AIX client and have some issue getting through the step we had to install these fileset and we still fight modcrypt

lslpp -L | grep idsldap
  idsldap.clt32bit61.rte     6.1.0.34  C  F  Directory Server - 32 bit
  idsldap.clt64bit61.rte     6.1.0.34  C  F  Directory Server - 64 bit
  idsldap.cltbase61.adt      6.1.0.34  C  F  Directory Server - Base Client
  idsldap.cltbase61.rte      6.1.0.34  C  F  Directory Server - Base Client

lslpp -L | grep krb
  krb5.client.rte            1.5.0.2   C  F  Network Authentication Service
  krb5.client.samples        1.5.0.2   C  F  Network Authentication Service
  krb5.doc.en_US.html        1.5.0.2   C  F  Network Auth Service HTML
  krb5.doc.en_US.pdf         1.5.0.2   C  F  Network Auth Service PDF
  krb5.lic                   1.5.0.2   C  F  Network Authentication Service
  krb5.msg.en_US.client.rte  1.5.0.2   C  F  Network Auth Service Client
  krb5.server.rte            1.5.0.2   C  F  Network Authentication Service

we did run the mksecldap command, as follows

mksecldap -c -h mtl-ipa01d.cnppd.lab -d cn=accounts,dc=cnppd,dc=lab -a uid=nss,cn=sysaccounts,cn=etc,dc=cnppd,dc=lab -p abc123

and we got:

Invalid bind DN or bind passwd.
Client presetup check failed.

Do we need to customize further this command? If so, what are we missing? Also, as we have not yet succeeded to make modcrypt work on our AIX 6.1, we wonder if we will need (temporarily) to do some ldapmodify on the ipa server to disable ssl?

Thank you for your assistance!

Did you create the entry uid=nss,cn=sysaccounts,cn=etc,... ? You can test that the password is correct independently with ldapsearch and the 389-ds access log may have additional information on the bind failure.

rob

Hello Rob,

All I see at the moment is
uid=sudo,cn=sysaccounts,cn=etc,dc=cnppd,dc=lab
uid=kdc,cn=sysaccounts,cn=etc,dc=cnppd,dc=lab

whenever I create new users, it gets under uid=nss,cn=users,cn=accounts,dc=cnppd,dc=lab

How do we create uid=nss,cn=sysaccounts,cn=etc,dc=cnppd,dc=lab ? is this something we have to manually do via ldapadd? about the nss password will the ldapadd be part of the command?

Thanks
--
Sylvain Angers
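Rob's question ("did you create the entry?") and Sylvain's follow-up ("via ldapadd?") are answered by a small LDIF plus the ldapsearch test Rob suggests. The following is an added example, not code from the thread or from FreeIPA: it builds the uid=nss system account under cn=sysaccounts,cn=etc with the objectclasses FreeIPA uses for its own sysaccounts, adds it as Directory Manager, then binds as the new account the way mksecldap -a/-p does. The DNs, host and the lab password abc123 come from the thread; the Directory Manager password file, the far-future expiry date and STARTTLS (-ZZ, which needs TLS_CACERT in /etc/openldap/ldap.conf) are assumptions.

```shell
#!/bin/bash
# Added example, not from the thread: create a read-only LDAP bind account
# for a non-IPA client (AIX mksecldap) and verify the bind with ldapsearch.
# Requires the OpenLDAP client tools on the machine it runs on.
set -u

# sysaccount_ldif UID BASE_DN PASSWORD: print an LDIF that creates the entry.
# userPassword is sent in clear inside the LDIF (389-ds hashes it on write),
# so only ever send it over TLS. passwordExpirationTime far in the future
# keeps the IPA password policy from expiring a service credential;
# nsIdleTimeout 0 keeps long-lived client connections from being dropped.
sysaccount_ldif() {
    local uid="$1" base="$2" password="$3"
    cat <<EOF
dn: uid=${uid},cn=sysaccounts,cn=etc,${base}
changetype: add
objectclass: account
objectclass: simplesecurityobject
uid: ${uid}
userPassword: ${password}
passwordExpirationTime: 20380119031407Z
nsIdleTimeout: 0
EOF
}

# ldif_dn LDIF_TEXT: extract the dn line, for a sanity check before sending.
ldif_dn() {
    printf '%s\n' "$1" | sed -n 's/^dn: //p'
}

# create_sysaccount SERVER UID BASE_DN PASSWORD: add the entry as Directory
# Manager. The DM password comes from the file named by DM_PASSWORD_FILE
# (ldapmodify -y), never from the command line where ps would expose it.
create_sysaccount() {
    sysaccount_ldif "$2" "$3" "$4" | ldapmodify -ZZ -x -H "ldap://$1" \
        -D "cn=Directory Manager" -y "${DM_PASSWORD_FILE:?set DM_PASSWORD_FILE}"
}

# verify_bind SERVER UID BASE_DN PASSWORD: 0 if the new account can bind and
# list at least one user, i.e. the same bind mksecldap performs. The
# password goes through a 0600 temp file for the same ps reason as above.
verify_bind() {
    local server="$1" uid="$2" base="$3" pwfile rc
    pwfile=$(umask 077 && mktemp) || return 1
    printf '%s' "$4" > "$pwfile"
    ldapsearch -ZZ -x -LLL -H "ldap://${server}" \
        -D "uid=${uid},cn=sysaccounts,cn=etc,${base}" -y "$pwfile" \
        -b "cn=users,cn=accounts,${base}" '(objectClass=posixAccount)' dn \
        | grep -q '^dn: '
    rc=$?
    rm -f "$pwfile"
    return "$rc"
}

# Usage (from the IPA server):
#   DM_PASSWORD_FILE=/root/.dmpw ./sysaccount.sh
#   create_sysaccount mtl-ipa01d.cnppd.lab nss dc=cnppd,dc=lab abc123
#   verify_bind mtl-ipa01d.cnppd.lab nss dc=cnppd,dc=lab abc123 && echo bind ok
```

If verify_bind succeeds from the IPA server but mksecldap still reports "Invalid bind DN or bind passwd", the problem is on the AIX side (TLS setup, the modcrypt issue mentioned above), not the account; the 389-ds access log on the IPA server will show whether the AIX client's BIND ever arrived and with which err= code.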
Re: [Freeipa-users] Using DHCPD with IPA
On 01/25/2012 02:30 AM, ~Stack~ wrote:

2) How do I get dhcpd to update DNS? Since I can't find the place to add rndc-keys to BIND, right now I have to add every host manually in the web interface because dhcpd isn't updating named. This is time consuming and a pain when dealing with large amounts of systems. If I could figure out where the named zones are stored in IPA I should be able to add my rndc-key and be OK, but that gets back into question 1.

My /etc/dhcp/dhcpd.conf file is pretty basic but all the PXE clients have host entries to match their MAC with the group that allows PXE booting (ex: host pxe001.project.local {hardware ethernet 00:16:17:AB:E9:88; fixed-address 172.31.203.1}). Unless I manage both this file and the IPA interface, the nodes have issues figuring out their name. One or the other and the node has issues; both and it works. I would really prefer not to manage two locations for all these nodes.

The normal way for dhcpd to talk to BIND (named) is by having a rndc-key. However, me fighting with named.conf was the big part of my problems before so I am hoping there is a simple way of doing this inside IPA. Any ideas?

This is what I have done to work around issues similar to yours.

Over a few years I have developed a pxe boot toolbox called OneClickKick. OCK manages DHCPD by generating config files based upon information looked up from naming sources such as Mysql, NIS, or LDAP (IPA). It also creates the PXE boot files in tftpboot/pxelinux.cfg, and serves kickstart files when PXE booting clients. I have integrated OCK with IPA to make IPA keep records of the MAC address, and base my DHCP config upon the information I get from IPA.

For your configuration, the steps for adding a new client would be the following:

1. Add the host to IPA, specify an IP address so that forward and reverse DNS records are created for the host
2. The host will appear in OneClickKick, select modify, add the MAC address (this is being written to the host object in IPA), and select it for PXE boot / kickstart. This will generate the DHCP config file, reload dhcpd, and create the required files in the tftpboot/pxelinux.cfg directory (if you enabled it for PXE booting).
3. PXE boot the client.

By doing this you eliminate the need for dhcpd to update the DNS server, because the records are already there. The MAC addresses stored in IPA can also be used by normal Linux and Solaris (Jumpstart) clients by utilizing their ethers table in nsswitch.conf.

Have a look at the link below to read more and download if you think OneClickKick could suit your environment.

http://sourceforge.net/projects/oneclickkick/

Regards,
Siggi
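The core of the approach Siggi describes, keeping the MAC in the IPA host object and generating dhcpd's host blocks from it so that dhcpd never needs to update DNS, can be reproduced in a few lines of shell. The following is an added example; it is neither OneClickKick's code nor anything from FreeIPA. It assumes the host entries carry a macAddress attribute (the attribute name is an assumption), that IPA DNS already holds the A record for each host as in step 1 above, and that the IPA server is reachable for an anonymous STARTTLS read; the hostname, MAC and address mirror Stack's pxe001.project.local example. Because attribute values read from the directory end up verbatim in dhcpd.conf, the generator validates both the name and the MAC before emitting a block, so a writable-but-malformed attribute cannot smuggle directives into the config.

```shell
#!/bin/bash
# Added example, not from the thread and not OneClickKick's code: generate
# dhcpd.conf host blocks from IPA host objects that carry a macAddress
# attribute, resolving the fixed address from IPA DNS. Assumes OpenLDAP
# client tools and glibc getent; "macAddress" is an assumed attribute name.
set -u

# resolve_ip FQDN: first IPv4 address from the resolver (IPA DNS).
resolve_ip() {
    getent ahostsv4 "$1" | awk '{print $1; exit}'
}

# fetch_hosts_ldif SERVER BASE_DN: fqdn + macAddress for every host that has
# a MAC, as LDIF on stdout (anonymous read over STARTTLS).
fetch_hosts_ldif() {
    ldapsearch -ZZ -x -LLL -H "ldap://$1" -b "cn=computers,cn=accounts,$2" \
        '(&(objectClass=ipaHost)(macAddress=*))' fqdn macAddress
}

# valid_mac MAC: 0 for six colon-separated hex pairs, any case.
valid_mac() {
    printf '%s' "$1" | grep -Eqi '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# valid_fqdn NAME: letters, digits, '-' and '.' only. Anything else (';',
# '{', newlines) could inject dhcpd directives through the generated file.
valid_fqdn() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$'
}

# dhcpd_host_block FQDN MAC IP: one host stanza on stdout.
dhcpd_host_block() {
    printf 'host %s {\n    hardware ethernet %s;\n    fixed-address %s;\n}\n' "$1" "$2" "$3"
}

# emit_host FQDN MAC: validate, resolve, print; entries that fail validation
# or have no A record are reported on stderr and skipped, never half-written.
emit_host() {
    local fqdn="$1" mac="$2" ip
    [ -n "$fqdn" ] && [ -n "$mac" ] || return 0
    if ! valid_fqdn "$fqdn" || ! valid_mac "$mac"; then
        echo "warning: rejected entry '$fqdn' / '$mac'" >&2
        return 0
    fi
    ip=$(resolve_ip "$fqdn" || true)
    if [ -z "$ip" ]; then
        echo "warning: no A record for $fqdn, skipped" >&2
        return 0
    fi
    dhcpd_host_block "$fqdn" "$mac" "$ip"
}

# ldif_to_dhcpd: read LDIF on stdin (entries separated by blank lines) and
# print one dhcpd host block per usable entry.
ldif_to_dhcpd() {
    local fqdn="" mac="" line
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            "fqdn: "*)       fqdn="${line#fqdn: }" ;;
            "macAddress: "*) mac="${line#macAddress: }" ;;
            "")              emit_host "$fqdn" "$mac"; fqdn=""; mac="" ;;
        esac
    done
    emit_host "$fqdn" "$mac"
}

# Usage (then `include "/etc/dhcp/ipa-hosts.conf";` from dhcpd.conf and reload):
#   fetch_hosts_ldif ipa.project.local dc=project,dc=local \
#       | ldif_to_dhcpd > /etc/dhcp/ipa-hosts.conf
```

Write the output to a separate file that dhcpd.conf includes, and regenerate it on a timer or from the same hook that adds the MAC; that keeps dhcpd's static part hand-edited and the generated part disposable, which is also what makes a rejected entry harmless: it is simply absent from the next generated file.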
Re: [Freeipa-users] Using DHCPD with IPA
On 01/25/2012 05:18 PM, Sigbjorn Lie wrote:

On 01/25/2012 02:30 AM, ~Stack~ wrote:

2) How do I get dhcpd to update DNS? Since I can't find the place to add rndc-keys to BIND, right now I have to add every host manually in the web interface because dhcpd isn't updating named. This is time consuming and a pain when dealing with large amounts of systems. If I could figure out where the named zones are stored in IPA I should be able to add my rndc-key and be OK, but that gets back into question 1.

My /etc/dhcp/dhcpd.conf file is pretty basic but all the PXE clients have host entries to match their MAC with the group that allows PXE booting (ex: host pxe001.project.local {hardware ethernet 00:16:17:AB:E9:88; fixed-address 172.31.203.1}). Unless I manage both this file and the IPA interface, the nodes have issues figuring out their name. One or the other and the node has issues; both and it works. I would really prefer not to manage two locations for all these nodes.

The normal way for dhcpd to talk to BIND (named) is by having a rndc-key. However, me fighting with named.conf was the big part of my problems before so I am hoping there is a simple way of doing this inside IPA. Any ideas?

This is what I have done to work around issues similar to yours.

Over a few years I have developed a pxe boot toolbox called OneClickKick. OCK manages DHCPD by generating config files based upon information looked up from naming sources such as Mysql, NIS, or LDAP (IPA). It also creates the PXE boot files in tftpboot/pxelinux.cfg, and serves kickstart files when PXE booting clients. I have integrated OCK with IPA to make IPA keep records of the MAC address, and base my DHCP config upon the information I get from IPA.

For your configuration, the steps for adding a new client would be the following:

1. Add the host to IPA, specify an IP address so that forward and reverse DNS records are created for the host
2. The host will appear in OneClickKick, select modify, add the MAC address (this is being written to the host object in IPA), and select it for PXE boot / kickstart. This will generate the DHCP config file, reload dhcpd, and create the required files in the tftpboot/pxelinux.cfg directory (if you enabled it for PXE booting).
3. PXE boot the client.

By doing this you eliminate the need for dhcpd to update the DNS server, because the records are already there. The MAC addresses stored in IPA can also be used by normal Linux and Solaris (Jumpstart) clients by utilizing their ethers table in nsswitch.conf.

Have a look at the link below to read more and download if you think OneClickKick could suit your environment.

http://sourceforge.net/projects/oneclickkick/

Thank you! I will take a look at it tomorrow.

~Stack~