Re: [Freeipa-users] Problem in ipa-server-install - uninstall - install

2012-02-15 Thread Marco Pizzoli 
On Tue, Feb 14, 2012 at 8:25 PM, Rob Crittenden rcrit...@redhat.com wrote:

 Marco Pizzoli wrote:



 On Tue, Feb 14, 2012 at 3:24 PM, Rob Crittenden rcrit...@redhat.com
 mailto:rcrit...@redhat.com wrote:

Marco Pizzoli wrote:

Hi guys,
I'm running freeipa-server-2.1.4-5.fc16.__**x86_64.


Following the documentation I can see that to uninstall and
reinstall a
freeipa system it is sufficient to:

  ipa-server-install parameters
  ipa-server-install --uninstall
  ipa-server-install parameters

Well, when re-installing the system, I get this error on the
console:
[cut]
done configuring named.
Configuration of client side components failed!
ipa-client-install returned: Command '/usr/sbin/ipa-client-install
--on-master --unattended --domain unix.mydomain.it
http://unix.mydomain.it
http://unix.mydomain.it --server freeipa01.unix.mydomain.it

 http://freeipa01.unix.**mydomain.ithttp://freeipa01.unix.mydomain.it
 
http://freeipa01.unix.__mydom**ain.it http://mydomain.it


 http://freeipa01.unix.**mydomain.ithttp://freeipa01.unix.mydomain.it
 --realm UNIX.MYDOMAIN.IT
http://UNIX.MYDOMAIN.IT
http://UNIX.MYDOMAIN.IT --hostname freeipa01.unix.mydomain.it

 http://freeipa01.unix.**mydomain.ithttp://freeipa01.unix.mydomain.it
 
http://freeipa01.unix.__mydom**ain.it http://mydomain.it


 http://freeipa01.unix.**mydomain.ithttp://freeipa01.unix.mydomain.it'
 returned non-zero exit
status 1


I had a look to /var/log/ipaclient-install.log and I saw these
 lines

[cut]
2012-02-14 09:53:39,435 DEBUG args=/usr/bin/wget -O /etc/ipa/ca.crt

 http://freeipa01.unix.__mydoma**in.it/ipa/config/ca.crthttp://mydomain.it/ipa/config/ca.crt


 http://freeipa01.unix.**mydomain.it/ipa/config/ca.crthttp://freeipa01.unix.mydomain.it/ipa/config/ca.crt
 
2012-02-14 09:53:39,435 DEBUG stdout=
2012-02-14 09:53:39,435 DEBUG stderr=--2012-02-14 09:53:39--

 http://freeipa01.unix.__mydoma**in.it/ipa/config/ca.crthttp://mydomain.it/ipa/config/ca.crt


 http://freeipa01.unix.**mydomain.it/ipa/config/ca.crthttp://freeipa01.unix.mydomain.it/ipa/config/ca.crt
 
Resolving freeipa01.unix.mydomain.it... 192.168.146.131
Connecting to freeipa01.unix.mydomain.it

 http://freeipa01.unix.**mydomain.ithttp://freeipa01.unix.mydomain.it
 
http://freeipa01.unix.__mydom**ain.it http://mydomain.it

 http://freeipa01.unix.**mydomain.ithttp://freeipa01.unix.mydomain.it
 |192.168.146.131|**:__80...

connected.

HTTP request sent, awaiting response... 200 OK
Length: 1325 (1.3K) [application/x-x509-ca-cert]
Saving to: E2809C/etc/ipa/ca.crt__**E2809D


  0K .
100%  270M=0s

2012-02-14 09:53:39 (270 MB/s) -
E2809C/etc/ipa/ca.crt__**E2809D

saved [1325/1325]


2012-02-14 09:53:39,436 DEBUG Backing up system configuration file
'/etc/sssd/sssd.conf'
2012-02-14 09:53:39,463 DEBUG Saving Index File to
'/var/lib/ipa-client/__**sysrestore/sysrestore.index'

2012-02-14 09:53:39,540 DEBUG Domain unix.csebo.it
http://unix.csebo.it
http://unix.csebo.it is already configured in existing SSSD
config,

creating a new one.
2012-02-14 09:53:39,642 DEBUG args=/usr/bin/certutil -A -d
/etc/pki/nssdb -n IPA CA -t CT,C,C -a -i /etc/ipa/ca.crt
2012-02-14 09:53:39,643 DEBUG stdout=
2012-02-14 09:53:39,643 DEBUG stderr=certutil: could not obtain
certificate from file: You are attempting to import a cert with
the same
issuer/serial as an existing cert, but that is not the same cert.


So I tried a new ipa-server-install --uninstall and checked
the file
/etc/ipa/ca.crt. And it remained there.
What is the problem?


The problem isn't the existence of the file, it is the existence of
the cert in /etc/pki/nssdb. Try running: certutil -D -n 'IPA CA' -d
/etc/pki/nsdb


 [root@freeipa01 ~]# certutil -D -n 'IPA CA' -d /etc/pki/nssdb/
 certutil: could not find certificate named IPA CA: security library:
 bad database.


 Well that's strange. Can you run: certutil -L -d /etc/pki/nssdb ?


More strange... I re-did a freeipa-install and it worked...
Thanks anyway
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

[Freeipa-users] Solaris kerberos - fail

2012-02-15 Thread Sigbjorn Lie 

Hi,

I see that the documentation for configuring kerberos on Solaris has 
changed since the last time I looked.


http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Configuring_an_IPA_Client_on_Solaris.html#Configuring_an_IPA_Client_on_Solaris_10

kclient fails if I pre-create the account in IPA, and attempt to kclient 
configure the client. If I don't, it successfully retreives a keytab for 
the host, but I'm unable to add the host as a host in IPA as the 
kerberos principal is already used.


I suppose there is a LDAP ACL preventing me from doing this?

Can I work around this somehow, having the host account in IPA and using 
kclient to configure Solaris hosts at the same time?





I have edited /var/kerberos/krb5kdc/kadm5.acl :
--
*/ad...@ix.test.com   *
--



--
# kclient

Starting client setup

---
Do you want to use DNS for kerberos lookups ? [y/n]: n
No action performed.
Enter the Kerberos realm: IX.TEST.COM
Specify the KDC hostname for the above realm: ipa01.ix.test.com
ipa01.ix.test.com

Note, this system and the KDC's time must be within 5 minutes of each 
other for Kerberos to function.  Both systems should run some form of 
time synchronization system like Network Time Protocol (NTP).


Setting up /etc/krb5/krb5.conf.

Enter the krb5 administrative principal to be used: soladmin
Obtaining TGT for soladmin/admin ...
Password for soladmin/ad...@ix.test.com:

Do you have multiple DNS domains spanning the Kerberos realm 
IX.NIXTRA.COM ? [y/n]: n

No action performed.

Do you plan on doing Kerberized nfs ? [y/n]: n
No action performed.

host/server2.ix.nixtra.com entry already exists in KDC database.
Authenticating as principal soladmin/ad...@ix.nixtra.com with existing 
credentials.
kadmin: Insufficient access to perform requested operation while 
changing host/server2.ix.nixtra.com's key


Administration credentials NOT DESTROYED.

kadmin: ktadd of host/server2.ix.test.com failed, exiting.
---
Setup FAILED.
--


From /var/log/kadmind.log:
--
Feb 15 19:56:49 ipa01.ix.test.com kadmind[22727](Notice): Request: 
kadm5_init, soladmin/ad...@ix.test.com, success, 
client=soladmin/ad...@ix.test.com, 
service=kadmin/ipa01.ix.test@ix.test.com, addr=192.168.1.238, 
vers=2, flavor=6
Feb 15 19:56:49 ipa01.ix.test.com kadmind[22727](Notice): Request: 
kadm5_randkey_principal, host/server2.ix.test@ix.test.com, User 
modification failed: Insufficient access, 
client=soladmin/ad...@ix.test.com, 
service=kadmin/ipa01.ix.test@ix.test.com, addr=192.168.1.238

--

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Solaris kerberos - fail

2012-02-15 Thread Rob Crittenden 

Sigbjorn Lie wrote:

On 02/15/2012 09:06 PM, Rob Crittenden wrote:

You might try adding soladmin to the Host Administrators role and see
if it works then. If it does you'll probably want to create a new role
with more limited permissions.

I would imagine that a host added this way would not appear as an
IPA-managed host (though adding the host first and using this to just
add the key should be ok).

rob

The version is: freeipa-server-2.1.3-2.fc15.x86_64

The kclient script only accepts a parameter -a adminuser, which it
translates into adminuser/admin. How can I add this to a IPA role?

If I attempt to work around that by using kadmin directly instead of the
wrapper kclient script on the Solaris host, and specifying the IPA
default admin account, the same message occur:


# kadmin -p admin -q ktadd -k /etc/krb5/krb5.keytab
host/server2.ix.test@ix.test.com
Authenticating as principal admin with password.
Password for ad...@ix.test.com:
kadmin: Insufficient access to perform requested operation while
changing host/server2.ix.test@ix.test.com's key


/var/kerberos/krb5kdc/kadm5.acl:
ad...@ix.test.com *


/var/log/kadmind.log:
Feb 15 21:18:41 ipa01.ix.test.com kadmind[22727](Notice): Request:
kadm5_init, ad...@ix.test.com, success, client=ad...@ix.test.com,
service=kadmin/ipa01.ix.test@ix.test.com, addr=192.168.1.238,
vers=2, flavor=6
Feb 15 21:18:41 ipa01.ix.test.com kadmind[22727](Notice): Request:
kadm5_randkey_principal, host/server2.ix.test@ix.test.com, User
modification failed: Insufficient access, client=ad...@ix.test.com,
service=kadmin/ipa01.ix.test@ix.test.com, addr=192.168.1.238


To be honest, the whole section about kclient, kadmin, etc is new to me 
as well. I don't know when that was added. We'll investigate that, sorry 
about the confusion.


These problems are likely related to the fact that kadmin assumes a 
different DIT than IPA. We don't recommend kadmin be used.


We recommend using ipa-getkeytab on a Linux box and retrieving the 
keytab that way. Yes, this is less than convenient.


On Solaris 10 you may have a fighting chance of building ipa-getkeytab 
natively. I seem to recall a bunch of optional packages to add various 
LDAP and compiler parts you'd need but it is less than ideal. I had 
absolutely no luck on Solaris 9 without having to compile everything myself.


rob

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Solaris kerberos - fail

2012-02-15 Thread Simo Sorce 
On Wed, 2012-02-15 at 22:55 +0100, Sigbjorn Lie wrote:
 On 02/15/2012 09:32 PM, Simo Sorce wrote:
  On Wed, 2012-02-15 at 20:49 +0100, Sigbjorn Lie wrote:
  Hi,
 
  I see that the documentation for configuring kerberos on Solaris has
  changed since the last time I looked.
 
  http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Configuring_an_IPA_Client_on_Solaris.html#Configuring_an_IPA_Client_on_Solaris_10
 
  kclient fails if I pre-create the account in IPA, and attempt to kclient
  configure the client. If I don't, it successfully retreives a keytab for
  the host, but I'm unable to add the host as a host in IPA as the
  kerberos principal is already used.
 
  I suppose there is a LDAP ACL preventing me from doing this?
 
  Can I work around this somehow, having the host account in IPA and using
  kclient to configure Solaris hosts at the same time?
 
  Sigbjorn,
  running kadmind in FreeIPA  2.2 is completely unsupported and there are
  ACLs that explicitly prevent it from changing data in LDAP.
 
  I will investigate about those instructions and correct them as
  necessary, they appear incorrect.
 
 Yes, I was a bit surprised when I noticed this in the documentation 
 given other postings on the list where use of kadmin and kadmin.local is 
 advised to be not supported.
 
 Does something change in 2.2 and upwards to support the use of kadmin ?

Yes and no.

In 2.2 we have our own kdb backend and we decided to retire ipa_kpasswd
and use kadmind instead.
But I still prevent kadmin from doing a lot of operations, because
kadmind has no clue how to properly create an ipa computer object or an
ipa user.

In time we may teach kadmin how to properly handle some of the
principals, but for now I am simply preventing it from messing up the
tree by crating bare principals in the wrong place, with the wrong (or
missing) data attached to it.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Replicas in a state of confusion

2012-02-15 Thread Rich Megginson 

On 02/10/2012 01:00 PM, Ian Levesque wrote:

On Feb 10, 2012, at 1:36 PM, Rich Megginson wrote:


This may be related to https://fedorahosted.org/389/ticket/273 and
https://fedorahosted.org/389/ticket/274 which have been fixed in
1.2.10

In this case Ian please open a bugzilla, it looks like we need to
address this in RHEL6.

I'll confess that I don't fully understand what tombstone is... Regardless, I'm 
not sure that either of those tickets apply to the issue at hand. As I 
understand it, Ticket 273 outlines an issue with searching for tombstone 
entries after successfully setting up a replica (which as far as I'm hearing, 
we haven't done). And ticket 274 concerns indexing the tombstone entries. I am 
able to search for tombstone entries (http://pastebin.com/raw.php?i=a4ytYZvt) 
and don't see the errors specified in ticket 274.

in 1.2.9.9 the ruv tombstone entry was indexed correctly, so that's why you see 
it.

For ticket 274, you would only see those errors if you actually attempt to 
reindex the entryrdn index.


That said, perhaps there's some bug with tombstone re: the automountmap entries 
in my LDAP instance. Do you think that would be sufficient to cause the 
replication issues I'm seeing?

It could be.  Taken together, both of those tickets resolve problems with 
tombstone indexes.  At any rate, I would like to know if you can reproduce your 
issues with 1.2.10.rc1

To confirm, the first step would be to examine your entryrdn index to see what 
the problematic entries look like e.g.

dbscan -f /var/lib/dirsrv/slapd-DOMAIN/db/userRoot/entryrdn.db4 | grep -C 2 
automountmapname=auto.direct

Here's the output from the primary:

139:cn=global_policy
   ID: 139; RDN: cn=global_policy; NRDN: cn=global_policy
13:nsuniqueid=3c37a107-eadf11e0-b9798103-f403dc04,automountmapname=auto.direct
   ID: 13; RDN: 
nsuniqueid=3c37a107-eadf11e0-b9798103-f403dc04,automountmapname=auto.direct; NRDN: 
nsuniqueid=3c37a107-eadf11e0-b9798103-f403dc04,automountmapname=auto.direct
141:krbprincipalname=ldap/sbgrid-directory.in.hw...@sbgrid.org
   ID: 141; RDN: krbprincipalname=ldap/sbgrid-directory.in.hw...@sbgrid.org; NRDN: 
krbprincipalname=ldap/sbgrid-directory.in.hw...@sbgrid.org
--
450:nsuniqueid=61a1ff02-370b11e1-80c28103-f403dc04,automountmapname=auto.master
   ID: 450; RDN: 
nsuniqueid=61a1ff02-370b11e1-80c28103-f403dc04,automountmapname=auto.master; NRDN: 
nsuniqueid=61a1ff02-370b11e1-80c28103-f403dc04,automountmapname=auto.master
451:nsuniqueid=61a1ff03-370b11e1-80c28103-f403dc04,automountmapname=auto.direct
   ID: 451; RDN: 
nsuniqueid=61a1ff03-370b11e1-80c28103-f403dc04,automountmapname=auto.direct; NRDN: 
nsuniqueid=61a1ff03-370b11e1-80c28103-f403dc04,automountmapname=auto.direct
452:nsuniqueid=61a1ff04-370b11e1-80c28103-f403dc04,description=/- auto.direct
   ID: 452; RDN: nsuniqueid=61a1ff04-370b11e1-80c28103-f403dc04,description=/- 
auto.direct; NRDN: nsuniqueid=61a1ff04-370b11e1-80c28103-f403dc04,description=/- 
auto.direct
--
466:automountmapname=auto.master
   ID: 466; RDN: automountmapname=auto.master; NRDN: 
automountmapname=auto.master
467:automountmapname=auto.direct
   ID: 467; RDN: automountmapname=auto.direct; NRDN: 
automountmapname=auto.direct
468:description=/- auto.direct
   ID: 468; RDN: description=/- auto.direct; NRDN: description=/- 
auto.direct
--
   ID: 12; RDN: 
nsuniqueid=3c37a106-eadf11e0-b9798103-f403dc04,automountmapname=auto.master; NRDN: 
nsuniqueid=3c37a106-eadf11e0-b9798103-f403dc04,automountmapname=auto.master
C11:cn=default
   ID: 13; RDN: 
nsuniqueid=3c37a107-eadf11e0-b9798103-f403dc04,automountmapname=auto.direct; NRDN: 
nsuniqueid=3c37a107-eadf11e0-b9798103-f403dc04,automountmapname=auto.direct
C11:cn=default
   ID: 261; RDN: 
nsuniqueid=ee37db01-ee0511e0-b8f78103-f403dc04,automountMapName=auto_master; NRDN: 
nsuniqueid=ee37db01-ee0511e0-b8f78103-f403dc04,automountmapname=auto_master
--
   ID: 450; RDN: 
nsuniqueid=61a1ff02-370b11e1-80c28103-f403dc04,automountmapname=auto.master; NRDN: 
nsuniqueid=61a1ff02-370b11e1-80c28103-f403dc04,automountmapname=auto.master
C449:cn=test
   ID: 451; RDN: 
nsuniqueid=61a1ff03-370b11e1-80c28103-f403dc04,automountmapname=auto.direct; NRDN: 
nsuniqueid=61a1ff03-370b11e1-80c28103-f403dc04,automountmapname=auto.direct
C449:cn=test
   ID: 456; RDN: 
nsuniqueid=7bdfdb01-371311e1-80c28103-f403dc04,automountmapname=auto_nfs; NRDN: 
nsuniqueid=7bdfdb01-371311e1-80c28103-f403dc04,automountmapname=auto_nfs
--
   ID: 464; RDN: nsuniqueid=bdbd5105-371411e1-80c28103-f403dc04,description=home; NRDN: 
nsuniqueid=bdbd5105-371411e1-80c28103-f403dc04,description=home
C465:cn=default
   ID: 467; RDN: automountmapname=auto.direct; NRDN: 
automountmapname=auto.direct
C465:cn=default
   ID: 466; RDN: automountmapname=auto.master; NRDN: 
automountmapname=auto.master
--
P139:cn=global_policy
   ID: 132; RDN: cn=SBGRID.ORG; NRDN: cn=sbgrid.org
P13:nsuniqueid=3c37a107-eadf11e0-b9798103-f403dc04,automountmapname=auto.direct
   ID: 11; RDN: cn=default; NRDN:

Re: [Freeipa-users] kinit: Generic error (see e-text) while getting initial credentials (SOLVED)

2012-02-15 Thread Craig T 
On Tue, Feb 14, 2012 at 04:54:51PM -0500, Rob Crittenden wrote:
 Simo Sorce wrote:
 On Mon, 2012-02-13 at 10:39 +1100, Craig T wrote:
 Hi,
 
 Server:
 RHEL6.2
 
 
 Spec:
 ipa-admintools-2.1.3-9.el6.x86_64
 ipa-client-2.1.3-9.el6.x86_64
 ipa-pki-ca-theme-9.0.3-7.el6.noarch
 ipa-pki-common-theme-9.0.3-7.el6.noarch
 ipa-python-2.1.3-9.el6.x86_64
 ipa-server-2.1.3-9.el6.x86_64
 ipa-server-selinux-2.1.3-9.el6.x86_64
 libipa_hbac-1.5.1-66.el6_2.3.x86_64
 libipa_hbac-python-1.5.1-66.el6_2.3.x86_64
 python-iniparse-0.3.1-2.1.el6.noarch
 
 
 Error:
 I had this working on Friday night, came in Monday and then this error 
 appeared?
 
 kinit -V craig
 Using default cache: /tmp/krb5cc_0
 Using principal: cr...@example.com
 kinit: Generic error (see e-text) while getting initial credentials
 
 Server Side Error:  (File: /var/log/krb5kdc.log)
 Feb 13 10:36:04 sysvm-ipa krb5kdc[5590](info): AS_REQ (4 etypes {18 17 16 
 23}) 192.168.0.214: LOOKING_UP_CLIENT: cr...@example.com for 
 krbtgt/example@example.com, unable to decode stored principal key data 
 (ASN.1 encoding ended unexpectedly)
 
 
 Usual Questions:
 Should I simply reset the password?
 
 It seem like the only option to quickly recover access to your user.
 
 Is it a bug?
 
 It may be. Did you do anything special with this user ? Did this happen
 immediately after a password change ? Or immediately after a FreeIPA or
 krb5kdc upgrade ?
 Can you give a little more context around this ?
Issue Solved!
I worked out that my LDAP Browser was changing the attribtues of 
krbPrincipalKey entry just be simply clicking on the attribute entry!! Not a 
good idea. 

Have a look at the before and after;
BEFORE:
krbPrincipalKey:: MIIBnKADAgEBoQMCAQGiAwIBAqMDAgEApIIBhDCCAYAwaKAbMBmgAwIBBK
 ESBBCf338d3SHeIt21wwMeLtrDoUkwR6ADAgESoUAEPiAAltpeSUgnisk9RLvsAXZISub9cfbfJ
 /SnxMWlrhrS0fUKaQYGXPXwwwslXgZ30xWfeAlLI9DztmKeqzUbMFigGzAZoAMCAQShEgQQze9p
 5zpXYuYLOyWIljg0jaE5MDegAwIBEaEwBC4QAPa4TpZbsA1tSoUl1LMG+IljQusO8zpTD7UqNWI
 drvYJI8Cq6rALd/jzMJKgMGCgGzAZoAMCAQShEgQQh3To4HjujECOGDHyhaoFiqFBMD+gAwIBEK
 E4BDYYAO4F0DyDLow0cColhjsykUzH750CBFsaZfIEX1o2iPMCWlLYtRmauoW3OhejrRESemC+s
 GUwWKAbMBmgAwIBBKESBBDF9qB45XTzfez5BfecBC/EoTkwN6ADAgEXoTAELhAAc9mgsgQnmXxX
 qlwrLcC9U7uGePdu95xCQcW9lvRyW77rTpev6Lk4E7sXYKE=

AFTER:
krbPrincipalKey:: MO+/vQHvv73vv70DAgEB77+9AwIBAe+/vQMCAQLvv70DAgE=
---

 
 Also could you ldapsearch this user entry before you change your
 password using 'cn=Directory Manager' as user in order to retrieve the
 key attribute and send the ldif to me in private ? I want to see if the
 key blob at least looks normal (do not worry about your password, the
 key material is itself encrypted).
 
 It might also be handy to see who last updated this entry before you
 reset the password (if it isn't too late): modifyTimestamp
 lastModifiedBy
 
 
 Anyone else seen this error?
 
 Haven't seen any report, and haven't ever occurred in my testing.
 
 Simo,
 
 

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] FreeIPA deployment questions (Open Directory)

2012-02-15 Thread Brian Topping 
Hi Rob, thanks for your responses!

On Feb 15, 2012, at 12:16 AM, Rob Crittenden wrote:

 389-ds is our LDAP server so we generally support what it can do. AFAIK it 
 does not do replication with OD. What is it you want to replicate, what 
 direction, etc?

It seems like users and groups are going to need to be synchronized, but I 
don't really know. OD has 'apple-user' and 'apple-group' schemas which have 
zero mandatory attributes.  FreeIPA has ipaObject which has the ipaUniqueid 
mandatory attribute.  

This is the first time I'm trying these things with LDAP, but it seems that the 
if an object is created on FreeIPA, could it be replicated to OD?  apple-user 
and apple-group have no mandatory attributes, and once it is replicated to OD, 
an admin could run Workgroup Manager and use the migrate from legacy tool on 
the object to create the OD attributes.  

So I guess that means I am replicating from FreeIPA to OD, but once changes are 
made on OD, can I replicate back with the additional attributes that are added? 
 If not, changes that are made on FreeIPA would seem to overwrite the new 
attributes added in OD.  Or is there a common way to do this?

Is this a reasonable approach or am I overcomplicating things?

 I've never used the Apache studio but others have reported success. It is 
 probably just a matter of getting your basedn right (e.g. dc=example,dc=com) 
 and perhaps providing a bind user (cn=Directory Manager). Are you getting 
 specific error messages, that might help troubleshoot things.

Ok, for others who may follow, here's what worked for me on connecting with 
Apache DS:

1. Note that the Directory Manager dn is literally cn=Directory Manager, not 
cn=Directory Manager, dc=example, dc=com.  

2. If SSL is desired, be sure to remember to use port 636 instead of 389.  

This is probably covered in the docs, but alas.  :-)

Cheers, Brian

p.s. Rob, sorry I responded to you directly before, I didn't notice that this 
list uses reply-to of the sender and not the list.

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] IPA documentation comment

2012-02-15 Thread Rob Crittenden 

Steven Jones wrote:

Hi,

Sort of minor but I find the following a bit inconsistent,

I am looking at section 9.3.1, item no 3

I think it should say,

3. Generate the nfs service keytab, there are two methods,

i) On the NFS server, with this command etc etc

ii) On a different machine do a)b)...c)...d)


The distinction is really whether the machine has ipa-getkeytab or 
not. The NFS server could be a Solaris machine in which case you'd have 
to do all this elsewhere.


I think this is trying to say if your NFS server is a Linux machine you 
can directly update /etc/krb5.keytab with these keys and be done with it.


Perhaps a little more language about this distinction would help.



for your b) You say Copy over to the NFS host machine where earlier you said NFS 
server, you repeat this in d)   for consistency it should be server it certainly slows 
my understanding down when I see such things being mixed up


Yup, I agree.



I also see under 6.5.1 point 6 that there is a ipa-getkeytab command but as per 
NFS is that run on the server that is providing the service? or on the IPA 
server, I find it unclear...thinking about it its on the target server 
offering the service I think you are saying, but by then Ive lost my train of 
thought


ipa-getkeytab can be run anywhere for any service. It is just more 
convenient to run it on the target machine because then you don't have 
to move around keytabs (and do the nasty work in 9.3.1.3 d).


Thanks for the feedback, I opened a doc bug, 
https://bugzilla.redhat.com/show_bug.cgi?id=791077 Feel free to add more 
details if I've missed something.


rob

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] kinit: Generic error (see e-text) while getting initial credentials (SOLVED)

2012-02-15 Thread Simo Sorce 
On Thu, 2012-02-16 at 12:27 +1100, Craig T wrote:
 On Tue, Feb 14, 2012 at 04:54:51PM -0500, Rob Crittenden wrote:
  Simo Sorce wrote:
  On Mon, 2012-02-13 at 10:39 +1100, Craig T wrote:
  Hi,
  
  Server:
  RHEL6.2
  
  
  Spec:
  ipa-admintools-2.1.3-9.el6.x86_64
  ipa-client-2.1.3-9.el6.x86_64
  ipa-pki-ca-theme-9.0.3-7.el6.noarch
  ipa-pki-common-theme-9.0.3-7.el6.noarch
  ipa-python-2.1.3-9.el6.x86_64
  ipa-server-2.1.3-9.el6.x86_64
  ipa-server-selinux-2.1.3-9.el6.x86_64
  libipa_hbac-1.5.1-66.el6_2.3.x86_64
  libipa_hbac-python-1.5.1-66.el6_2.3.x86_64
  python-iniparse-0.3.1-2.1.el6.noarch
  
  
  Error:
  I had this working on Friday night, came in Monday and then this error 
  appeared?
  
  kinit -V craig
  Using default cache: /tmp/krb5cc_0
  Using principal: cr...@example.com
  kinit: Generic error (see e-text) while getting initial credentials
  
  Server Side Error:  (File: /var/log/krb5kdc.log)
  Feb 13 10:36:04 sysvm-ipa krb5kdc[5590](info): AS_REQ (4 etypes {18 17 16 
  23}) 192.168.0.214: LOOKING_UP_CLIENT: cr...@example.com for 
  krbtgt/example@example.com, unable to decode stored principal key 
  data (ASN.1 encoding ended unexpectedly)
  
  
  Usual Questions:
  Should I simply reset the password?
  
  It seem like the only option to quickly recover access to your user.
  
  Is it a bug?
  
  It may be. Did you do anything special with this user ? Did this happen
  immediately after a password change ? Or immediately after a FreeIPA or
  krb5kdc upgrade ?
  Can you give a little more context around this ?
 Issue Solved!
 I worked out that my LDAP Browser was changing the attribtues of 
 krbPrincipalKey entry just be simply clicking on the attribute entry!! Not 
 a good idea. 
 
 Have a look at the before and after;
 BEFORE:
 krbPrincipalKey:: MIIBnKADAgEBoQMCAQGiAwIBAqMDAgEApIIBhDCCAYAwaKAbMBmgAwIBBK
  ESBBCf338d3SHeIt21wwMeLtrDoUkwR6ADAgESoUAEPiAAltpeSUgnisk9RLvsAXZISub9cfbfJ
  /SnxMWlrhrS0fUKaQYGXPXwwwslXgZ30xWfeAlLI9DztmKeqzUbMFigGzAZoAMCAQShEgQQze9p
  5zpXYuYLOyWIljg0jaE5MDegAwIBEaEwBC4QAPa4TpZbsA1tSoUl1LMG+IljQusO8zpTD7UqNWI
  drvYJI8Cq6rALd/jzMJKgMGCgGzAZoAMCAQShEgQQh3To4HjujECOGDHyhaoFiqFBMD+gAwIBEK
  E4BDYYAO4F0DyDLow0cColhjsykUzH750CBFsaZfIEX1o2iPMCWlLYtRmauoW3OhejrRESemC+s
  GUwWKAbMBmgAwIBBKESBBDF9qB45XTzfez5BfecBC/EoTkwN6ADAgEXoTAELhAAc9mgsgQnmXxX
  qlwrLcC9U7uGePdu95xCQcW9lvRyW77rTpev6Lk4E7sXYKE=
 
 AFTER:
 krbPrincipalKey:: MO+/vQHvv73vv70DAgEB77+9AwIBAe+/vQMCAQLvv70DAgE=
 ---

Thanks a lot for getting back to us with the cause.
Glad it wasn't our fault :-)

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

[Freeipa-users] BIND Views?

2012-02-15 Thread Brian Topping 
Hi all,

Are configuration and management of BIND views a under consideration for any 
future releases?  I tested that wrapping the dynamic-db element provided by 
bind-sdb could be wrapped by a view 'test' scope and it works fine, so it 
seems that it could be hacked together by just creating different views 
pointing to different parts of the DIT.  

But presumably, the UI would not be able to edit these different views.  

I searched the archives and the web for any references to using views on 
FreeIPA and didn't come up with anything, have others requested this 
functionality?

Thanks, Brian

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] BIND Views?

2012-02-15 Thread Simo Sorce 
On Thu, 2012-02-16 at 00:34 -0500, Brian Topping wrote:
 Hi all,
 
 Are configuration and management of BIND views a under consideration
 for any future releases?  I tested that wrapping the dynamic-db
 element provided by bind-sdb could be wrapped by a view 'test' scope
 and it works fine, so it seems that it could be hacked together by
 just creating different views pointing to different parts of the
 DIT.  
 
 But presumably, the UI would not be able to edit these different
 views.  

It probably wouldn't, it may actually get quite confuse if it finds
multiple zones with the same name.

 I searched the archives and the web for any references to using views
 on FreeIPA and didn't come up with anything, have others requested
 this functionality?

We haven't planned on adding this functionality at this stage.
But it is something we may want to look at in the future.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users