Re: [Freeipa-users] HBAC Test - web vs command line - returns different results
On 2012-09-08, at 11:08 AM, Dmitri Pal wrote:

> On 08/31/2012 09:33 AM, Michael Mercier wrote:
>> Hello,
>>
>> I seem to be having a problem with the HBAC test:
>>
>> Versions:
>> [root@ipaserver ipatest]# rpm -qa|grep ^ipa
>> ipa-server-2.2.0-16.el6.x86_64
>> ipa-pki-common-theme-9.0.3-7.el6.noarch
>> ipa-pki-ca-theme-9.0.3-7.el6.noarch
>> ipa-python-2.2.0-16.el6.x86_64
>> ipa-admintools-2.2.0-16.el6.x86_64
>> ipa-server-selinux-2.2.0-16.el6.x86_64
>> ipa-client-2.2.0-16.el6.x86_64
>>
>> On the web console:
>> Browse to HBAC TEST
>> Who: mike
>> Accessing: pix.beta.local
>> Via service: tac_plus
>> From: ipaclient.beta.local (correct me if I am wrong, but I don't believe this has any effect)
>> Rules: tacacs
>> Run Test - Access Granted with matched rules showing tacacs
>>
>> On the command line:
>> ipa hbactest
>> User name: mike
>> Target Host: pix.beta.local
>> Service: tac_plus
>> - Access granted: False
>> - Not matched rules: tacacs
>>
>> tacacs rule:
>> General: Enabled
>> Who: user group: ciscoadmin - mike is a member
>> Accessing: cisco-devices - pix.beta.local is a member
>> Via Service: tac_plus
>> From: any host
>>
>> NOTE: tacacs is the only enabled rule, allow_all has been disabled (but is still present)
>>
>> Any ideas?
>>
>> Thanks,
>> Mike
>
> I do not know whether this issue was resolved. Hope it was on the IRC or in some other way.
> The problem above is related to the from host I believe. Please do not use the from host. The whole concept is a bit broken and not reliable.

I don't seem to be able to *not* select a 'from host' with the web console, I get:

Input form contains invalid of missing values. Missing values: Source host.

Thanks,
Mike

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
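The disagreement between the web HBAC test and `ipa hbactest` comes down to which inputs actually take part in the decision. The Python model below is added here as an illustration and is not FreeIPA's code (the real evaluation happens in the IPA server and libipa_hbac, which are not reproduced): it implements the rule semantics the post describes, where a rule matches only when it is enabled and the user, the target host and the service each match a direct member, a group or hostgroup, or the "all" category, while the source ("from") host supplied by the form is deliberately ignored. The `HbacRule` class, the `hbactest` function and the `ciscoadmin` / `cisco-devices` directory data are constructed from the details in the post, not taken from the IPA API.

```python
"""Toy model of FreeIPA HBAC rule evaluation (added illustration, NOT FreeIPA
code).  Users, groups, hosts and rules are constructed samples that mirror the
tacacs rule described in the thread."""

from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class HbacRule:
    name: str
    enabled: bool = True
    # A category of "all" matches anything (the "anyone" / "any host" /
    # "any service" choice in the UI); None means only listed members count.
    user_category: Optional[str] = None
    host_category: Optional[str] = None
    service_category: Optional[str] = None
    users: Set[str] = field(default_factory=set)
    user_groups: Set[str] = field(default_factory=set)
    hosts: Set[str] = field(default_factory=set)
    host_groups: Set[str] = field(default_factory=set)
    services: Set[str] = field(default_factory=set)
    service_groups: Set[str] = field(default_factory=set)


# Constructed directory contents modelled on the post.
USER_GROUPS = {"ciscoadmin": {"mike"}}
HOST_GROUPS = {"cisco-devices": {"pix.beta.local"}}
SERVICE_GROUPS = {}  # no HBAC service groups in this sample

RULES = [
    HbacRule("tacacs", user_groups={"ciscoadmin"},
             host_groups={"cisco-devices"}, services={"tac_plus"}),
    # allow_all still exists but is disabled, as in the post.
    HbacRule("allow_all", enabled=False, user_category="all",
             host_category="all", service_category="all"),
]


def _matches(value, category, direct, groups, group_table) -> bool:
    """True if value is covered by the 'all' category, a direct member, or a group."""
    if category == "all":
        return True
    if value in direct:
        return True
    return any(value in group_table.get(g, set()) for g in groups)


def rule_matches(rule: HbacRule, user: str, host: str, service: str) -> bool:
    """Disabled rules never match; otherwise all three dimensions must match."""
    if not rule.enabled:
        return False
    return (_matches(user, rule.user_category, rule.users, rule.user_groups, USER_GROUPS)
            and _matches(host, rule.host_category, rule.hosts, rule.host_groups, HOST_GROUPS)
            and _matches(service, rule.service_category, rule.services,
                         rule.service_groups, SERVICE_GROUPS))


def hbactest(user: str, host: str, service: str, srchost: Optional[str] = None,
             rules: Optional[List[str]] = None) -> Tuple[bool, List[str], List[str]]:
    """Mimic the shape of `ipa hbactest` output: (access_granted, matched, not_matched).

    `srchost` is accepted only to show that it plays no part in the decision.
    By default only enabled rules are evaluated; naming rules explicitly tests
    exactly those, which reports a disabled rule as not matched."""
    if rules is None:
        candidates = [r for r in RULES if r.enabled]
    else:
        candidates = [r for r in RULES if r.name in rules]
    matched = [r.name for r in candidates if rule_matches(r, user, host, service)]
    not_matched = [r.name for r in candidates if r.name not in matched]
    return bool(matched), matched, not_matched


if __name__ == "__main__":
    for src in (None, "ipaclient.beta.local"):
        granted, ok, ko = hbactest("mike", "pix.beta.local", "tac_plus", srchost=src)
        print(f"srchost={src!r}: granted={granted} matched={ok} not_matched={ko}")
```

Running it shows the same verdict with and without a source host, which is the behaviour both interfaces should share since they use one backend. If a real deployment ever shows the two interfaces disagreeing, the useful data is the exact request each one sends, which is what raising the server debug level exposes.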
Re: [Freeipa-users] errors when one ipa server down
On 2012-09-07, at 4:50 PM, Rob Crittenden wrote:

> Michael Mercier wrote:
>> On 2012-09-07, at 2:47 PM, Dmitri Pal wrote:
>>> On 09/07/2012 12:42 PM, Michael Mercier wrote:
>>>> On 2012-09-07, at 12:14 PM, Dmitri Pal wrote:
>>>>> On 09/06/2012 10:40 AM, Michael Mercier wrote:
>>>>>> Hello,
>>>>>>
>>>>>> I have experienced some odd connectivity issues using MMR with FreeIPA (all systems CentOS 6.3). I have 2 ipa servers (ipaserver / ipaserver2) set up using MMR.
>>>>>>
>>>>>> [root@ipaserver ~]# ipa-replica-manage list
>>>>>> ipaserver.mpls.local: master
>>>>>> ipaserver2.mpls.local: master
>>>>>>
>>>>>> [root@ipaserver ~]# rpm -qa|grep ipa
>>>>>> libipa_hbac-1.8.0-32.el6.x86_64
>>>>>> ipa-admintools-2.2.0-16.el6.x86_64
>>>>>> ipa-server-2.2.0-16.el6.x86_64
>>>>>> ipa-pki-ca-theme-9.0.3-7.el6.noarch
>>>>>> libipa_hbac-python-1.8.0-32.el6.x86_64
>>>>>> ipa-client-2.2.0-16.el6.x86_64
>>>>>> ipa-server-selinux-2.2.0-16.el6.x86_64
>>>>>> ipa-pki-common-theme-9.0.3-7.el6.noarch
>>>>>> python-iniparse-0.3.1-2.1.el6.noarch
>>>>>> ipa-python-2.2.0-16.el6.x86_64
>>>>>>
>>>>>> [root@ipaserver2 ~]# ipa-replica-manage list
>>>>>> ipaserver.mpls.local: master
>>>>>> ipaserver2.mpls.local: master
>>>>>>
>>>>>> [root@ipaserver2 ~]# rpm -qa|grep ipa
>>>>>> ipa-client-2.2.0-16.el6.x86_64
>>>>>> ipa-server-2.2.0-16.el6.x86_64
>>>>>> ipa-pki-ca-theme-9.0.3-7.el6.noarch
>>>>>> ipa-python-2.2.0-16.el6.x86_64
>>>>>> libipa_hbac-1.8.0-32.el6.x86_64
>>>>>> python-iniparse-0.3.1-2.1.el6.noarch
>>>>>> libipa_hbac-python-1.8.0-32.el6.x86_64
>>>>>> ipa-admintools-2.2.0-16.el6.x86_64
>>>>>> ipa-server-selinux-2.2.0-16.el6.x86_64
>>>>>> ipa-pki-common-theme-9.0.3-7.el6.noarch
>>>>>>
>>>>>> [mike@ipaclient ~]$ rpm -qa|grep ipa
>>>>>> ipa-admintools-2.2.0-16.el6.x86_64
>>>>>> python-iniparse-0.3.1-2.1.el6.noarch
>>>>>> ipa-python-2.2.0-16.el6.x86_64
>>>>>> libipa_hbac-python-1.8.0-32.el6.x86_64
>>>>>> ipa-client-2.2.0-16.el6.x86_64
>>>>>> libipa_hbac-1.8.0-32.el6.x86_64
>>>>>>
>>>>>> I have a webserver (zenoss) using kerberos authentication.
>>>>>>
>>>>>> [root@zenoss ~]# rpm -qa|grep ipa
>>>>>> libipa_hbac-1.8.0-32.el6.x86_64
>>>>>> libipa_hbac-python-1.8.0-32.el6.x86_64
>>>>>> ipa-python-2.2.0-16.el6.x86_64
>>>>>> ipa-client-2.2.0-16.el6.x86_64
>>>>>> python-iniparse-0.3.1-2.1.el6.noarch
>>>>>> ipa-admintools-2.2.0-16.el6.x86_64
>>>>>>
>>>>>> <Location />
>>>>>>   SSLRequireSSL
>>>>>>   AuthType Kerberos
>>>>>>   AuthName "Kerberos Login"
>>>>>>   KrbMethodK5Passwd Off
>>>>>>   KrbAuthRealms MPLS.LOCAL
>>>>>>   KrbSaveCredentials on
>>>>>>   KrbServiceName HTTP
>>>>>>   Krb5KeyTab /etc/http/conf.d/http.keytab
>>>>>>   AuthLDAPUrl ldap://ipaserver.mpls.local ipaserver2.mpls.local/dc=mpls,dc=local?krbPrincipalName
>>>>>>   RequestHeader set X_REMOTE_USER %{remoteUser}e
>>>>>>   require ldap-group cn=zenuser,cn=groups,cn=accounts,dc=mpls,dc=local
>>>>>> </Location>
>>>>>>
>>>>>> With both ipaserver and ipaserver2 'up', if I connect to https://zenoss.mpls.local from ipaclient using firefox, I am successfully connected. If on ipaserver I do a 'ifdown eth0' and attempt another connection, it fails.
>>>>>>
>>>>>> I have also noticed the following:
>>>>>> 1. I am unable to use the ipaserver2 management interface when ipaserver is unavailable.
>>>>>> 2. It takes a longer period of time to do a kinit
>>>>>>
>>>>>> If I then perform:
>>>>>>
>>>>>> [root@ipaserver ~]# ifup eth0
>>>>>> [root@ipaserver2 ~]# ifdown eth0
>>>>>> [mike@ipaclient ~]$ kinit
>>>>>> kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting initial credentials
>>>>>>
>>>>>> [root@ipaserver2 ~]# ifup eth0
>>>>>> [mike@ipaclient ~]$ kinit
>>>>>> Password for mike@MPLS.LOCAL:
>>>>>> [mike@ipaclient ~]$
>>>>>>
>>>>>> [root@ipaserver2 ~]# ifdown eth0
>>>>>> .. wait a number of minutes
>>>>>> ipaclient screen locks - type password - after a short delay (~7 seconds) screen unlock completes
>>>>>> [mike@ipaclient ~]$ kinit
>>>>>> Password for mike@MPLS.LOCAL:
>>>>>> [mike@ipaclient ~]$
>>>>>>
>>>>>> Any ideas?
>>>>>>
>>>>>> Thanks,
>>>>>> Mike
>>>>>
>>>>> This seems to be some DNS problem. Your client does not see the second replica and might have some name resolution timeouts. Please check your dns setup and krb5.conf on the client.
>>>>> To help more we need more details about your client configuration, DNS and kerberos.
>>>>
>>>> Hi,
>>>>
>>>> Additional information...
>>>>
>>>> [root@zenoss ~]# more /etc/resolv.conf
>>>> search mpls.local
>>>> domain mpls.local
>>>> nameserver 172.16.112.5
>>>> nameserver 172.16.112.8
>>>>
>>>> [root@zenoss ~]# more /etc/krb5.conf
>>>> #File modified by ipa-client-install
>>>>
>>>> [libdefaults]
>>>>   default_realm = MPLS.LOCAL
>>>>   dns_lookup_realm = true
>>>>   dns_lookup_kdc = true
>>>>   rdns = false
>>>>   ticket_lifetime = 24h
>>>>   forwardable = yes
>>>>
>>>> [realms]
>>>>   MPLS.LOCAL = {
>>>>     pkinit_anchors = FILE:/etc/ipa/ca.crt
>>>>   }
>>>>
>>>> [domain_realm]
>>>>   .mpls.local = MPLS.LOCAL
>>>>   mpls.local = MPLS.LOCAL
>>>>
>>>> [root@ipaclient ~]# more /etc/resolv.conf
>>>> # Generated by NetworkManager
>>>> search mpls.local
>>>> nameserver 172.16.112.5
>>>> nameserver 172.16.112.8
>>>>
>>>> [root@ipaclient ~]# more /etc/krb5.conf
>>>> #File modified by ipa-client-install
>>>>
>>>> [libdefaults]
>>>>   default_realm = MPLS.LOCAL
>>>>   dns_lookup_realm = true
>>>>   dns_lookup_kdc = true
>>>>   rdns = false
>>>>   ticket_lifetime = 24h
>>>>   forwardable = yes
>>>>
>>>> [realms]
>>>>   MPLS.LOCAL = {
>>>>     pkinit_anchors = FILE:/etc/ipa/ca.crt
>>>>   }
>>>>
>>>> [domain_realm]
>>>>   .mpls.local = MPLS.LOCAL
>>>>   mpls.local = MPLS.LOCAL
>>>>
>>>> [root@ipaclient ~]# nslookup ipaserver
>>>> Server:   172.16.112.5
>>>> Address:  172.16.112.5#53
>>>>
>>>> Name:     ipaserver.mpls.local
>>>> Address:  172.16.112.5
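Dmitri's reply points at DNS and krb5.conf, and the posted ipaclient files make the dependency visible: the `[realms]` block carries no `kdc =` entries at all, so with `dns_lookup_kdc = true` every KDC lookup depends on SRV records answered by the resolvers in resolv.conf, and the nslookup output shows that the first of those resolvers (172.16.112.5) is ipaserver.mpls.local itself. The script below is an added illustration, not FreeIPA or MIT krb5 code: it parses constructed copies of the two posted files and reports how many independent paths the client has to a KDC. `parse_krb5`, `parse_resolv` and `kdc_redundancy_report` are names chosen here.

```python
"""Added check for the failover question in this thread (not FreeIPA code).
It parses krb5.conf and resolv.conf, using constructed copies of the files
posted for ipaclient, and reports whether the client can still find a KDC
when one replica or one resolver is unavailable."""

import re
from typing import Dict, List

# Constructed copy of the krb5.conf posted for ipaclient.
KRB5_CONF = """\
#File modified by ipa-client-install
[libdefaults]
  default_realm = MPLS.LOCAL
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  MPLS.LOCAL = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .mpls.local = MPLS.LOCAL
  mpls.local = MPLS.LOCAL
"""

# Constructed copy of the resolv.conf posted for ipaclient.
RESOLV_CONF = """\
# Generated by NetworkManager
search mpls.local
nameserver 172.16.112.5
nameserver 172.16.112.8
"""


def parse_krb5(text: str) -> Dict:
    """Parse krb5.conf into nested dicts: section -> key -> value.

    'NAME = {' opens a nested block closed by '}'.  A key that appears more
    than once (several kdc lines, for example) is collected into a list."""
    conf: Dict = {}
    stack: List[Dict] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            stack = [conf.setdefault(header.group(1), {})]
            continue
        if not stack:
            continue  # ignore stray lines before the first section
        if line == "}":
            stack.pop()
            continue
        key, _, value = (p.strip() for p in line.partition("="))
        if value == "{":
            stack[-1][key] = {}
            stack.append(stack[-1][key])
        elif key in stack[-1]:
            old = stack[-1][key]
            stack[-1][key] = (old if isinstance(old, list) else [old]) + [value]
        else:
            stack[-1][key] = value
    return conf


def parse_resolv(text: str) -> List[str]:
    """Return nameserver addresses in the order the resolver tries them."""
    return [parts[1] for parts in (l.split() for l in text.splitlines())
            if len(parts) > 1 and parts[0] == "nameserver"]


def kdc_redundancy_report(krb5_text: str, resolv_text: str) -> Dict:
    """Summarise the KDC discovery paths and list anything that is a single point of failure."""
    conf = parse_krb5(krb5_text)
    libdefaults = conf.get("libdefaults", {})
    realm = libdefaults.get("default_realm", "")
    realm_conf = conf.get("realms", {}).get(realm, {})
    kdcs = realm_conf.get("kdc", [])
    if not isinstance(kdcs, list):
        kdcs = [kdcs]
    dns_kdc = str(libdefaults.get("dns_lookup_kdc", "false")).lower() in ("true", "yes", "1")
    nameservers = parse_resolv(resolv_text)

    findings = []
    if not kdcs and not dns_kdc:
        findings.append("no way to locate a KDC: no kdc= entries and dns_lookup_kdc is off")
    elif not kdcs:
        findings.append(f"realm {realm} has no kdc= entries; KDC discovery depends entirely on DNS SRV lookups")
    elif len(kdcs) < 2:
        findings.append(f"only one static KDC ({kdcs[0]}) listed; losing it leaves only DNS discovery")
    if len(nameservers) < 2:
        findings.append("fewer than two nameservers; SRV lookups fail whenever the single resolver is down")
    return {"realm": realm, "kdcs": kdcs, "dns_lookup_kdc": dns_kdc,
            "nameservers": nameservers, "findings": findings}


if __name__ == "__main__":
    report = kdc_redundancy_report(KRB5_CONF, RESOLV_CONF)
    print("realm:", report["realm"], "static KDCs:", report["kdcs"],
          "resolvers:", report["nameservers"])
    for finding in report["findings"]:
        print("finding:", finding)
```

Listing both replicas explicitly with `kdc = ipaserver.mpls.local` and `kdc = ipaserver2.mpls.local` under the realm (a standard MIT krb5 setting) gives libkrb5 a fallback list that does not depend on the SRV query succeeding first; the report goes clean once those lines are present. Separately, when the first resolver in resolv.conf is one of the IPA servers, every lookup during that server's outage has to wait for a resolver timeout before the second nameserver is tried, which is consistent with the slow kinit described in the thread.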
Re: [Freeipa-users] errors when one ipa server down
On 2012-09-10, at 4:35 AM, Petr Spacek wrote:

> On 09/08/2012 05:03 PM, Dmitri Pal wrote:
>> On 09/07/2012 04:50 PM, Rob Crittenden wrote:
>>> Michael Mercier wrote:
>>>> On 2012-09-07, at 2:47 PM, Dmitri Pal wrote:
>>>>> On 09/07/2012 12:42 PM, Michael Mercier wrote:
>>>>>> On 2012-09-07, at 12:14 PM, Dmitri Pal wrote:
>>>>>>> On 09/06/2012 10:40 AM, Michael Mercier wrote:
>>>>>>>> Hello,
>>>>>>>>
>>>>>>>> I have experienced some odd connectivity issues using MMR with FreeIPA (all systems CentOS 6.3). I have 2 ipa servers (ipaserver / ipaserver2) set up using MMR.
Re: [Freeipa-users] HBAC Test - web vs command line - returns different results
On 09/17/2012 09:47 AM, Michael Mercier wrote:

> On 2012-09-08, at 11:08 AM, Dmitri Pal wrote:
>> On 08/31/2012 09:33 AM, Michael Mercier wrote:
>>> Hello,
>>>
>>> I seem to be having a problem with the HBAC test:
>>>
>>> On the web console:
>>> Browse to HBAC TEST
>>> Who: mike
>>> Accessing: pix.beta.local
>>> Via service: tac_plus
>>> From: ipaclient.beta.local (correct me if I am wrong, but I don't believe this has any effect)
>>> Rules: tacacs
>>> Run Test - Access Granted with matched rules showing tacacs
>>>
>>> On the command line:
>>> ipa hbactest
>>> User name: mike
>>> Target Host: pix.beta.local
>>> Service: tac_plus
>>> - Access granted: False
>>> - Not matched rules: tacacs
>>>
>>> tacacs rule:
>>> General: Enabled
>>> Who: user group: ciscoadmin - mike is a member
>>> Accessing: cisco-devices - pix.beta.local is a member
>>> Via Service: tac_plus
>>> From: any host
>>>
>>> NOTE: tacacs is the only enabled rule, allow_all has been disabled (but is still present)
>>
>> I do not know whether this issue was resolved. Hope it was on the IRC or in some other way.
>> The problem above is related to the from host I believe. Please do not use the from host. The whole concept is a bit broken and not reliable.
>
> I don't seem to be able to *not* select a 'from host' with the web console, I get:
>
> Input form contains invalid of missing values. Missing values: Source host.

You need to choose the 'all' option to ignore the values from this field.

> Thanks,
> Mike

-- 
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-users] HBAC Test - web vs command line - returns different results
Michael Mercier wrote:
> On 2012-09-08, at 11:08 AM, Dmitri Pal wrote:
>> On 08/31/2012 09:33 AM, Michael Mercier wrote:
>>> Hello,
>>>
>>> I seem to be having a problem with the HBAC test:
>>>
>>> On the web console:
>>> Browse to HBAC TEST
>>> Who: mike
>>> Accessing: pix.beta.local
>>> Via service: tac_plus
>>> From: ipaclient.beta.local (correct me if I am wrong, but I don't believe this has any effect)
>>> Rules: tacacs
>>> Run Test - Access Granted with matched rules showing tacacs
>>>
>>> On the command line:
>>> ipa hbactest
>>> User name: mike
>>> Target Host: pix.beta.local
>>> Service: tac_plus
>>> - Access granted: False
>>> - Not matched rules: tacacs
>>>
>>> NOTE: tacacs is the only enabled rule, allow_all has been disabled (but is still present)
>>
>> I do not know whether this issue was resolved. Hope it was on the IRC or in some other way.
>> The problem above is related to the from host I believe. Please do not use the from host. The whole concept is a bit broken and not reliable.
>
> I don't seem to be able to *not* select a 'from host' with the web console, I get:
>
> Input form contains invalid of missing values. Missing values: Source host.

I believe this value is ignored anyway.

This is very strange as the same backend is used to evaluate both the web and cli rules. It might be helpful to crank up debugging to get more details on what is being passed in. Perhaps there is some subtle difference.

If you want to give this a go, edit /etc/ipa/default.conf and add

debug = True

and restart the httpd service, then try your commands again. You should get a bit more detail in /var/log/httpd/error_log about the request sent in and the response. You probably don't want to leave this enabled for too long.

rob
Re: [Freeipa-users] HBAC Test - web vs command line - returns different results
On 2012-09-17, at 10:33 AM, Rob Crittenden wrote:

> Michael Mercier wrote:
>> On 2012-09-08, at 11:08 AM, Dmitri Pal wrote:
>>> On 08/31/2012 09:33 AM, Michael Mercier wrote:
>>>> Hello,
>>>>
>>>> I seem to be having a problem with the HBAC test:
>>>>
>>>> On the web console:
>>>> Browse to HBAC TEST
>>>> Who: mike
>>>> Accessing: pix.beta.local
>>>> Via service: tac_plus
>>>> From: ipaclient.beta.local (correct me if I am wrong, but I don't believe this has any effect)
>>>> Rules: tacacs
>>>> Run Test - Access Granted with matched rules showing tacacs
>>>>
>>>> On the command line:
>>>> ipa hbactest
>>>> User name: mike
>>>> Target Host: pix.beta.local
>>>> Service: tac_plus
>>>> - Access granted: False
>>>> - Not matched rules: tacacs
>>>>
>>>> NOTE: tacacs is the only enabled rule, allow_all has been disabled (but is still present)
>>>
>>> I do not know whether this issue was resolved. Hope it was on the IRC or in some other way.
>>> The problem above is related to the from host I believe. Please do not use the from host. The whole concept is a bit broken and not reliable.
>>
>> I don't seem to be able to *not* select a 'from host' with the web console, I get:
>>
>> Input form contains invalid of missing values. Missing values: Source host.
>
> I believe this value is ignored anyway.
>
> This is very strange as the same backend is used to evaluate both the web and cli rules. It might be helpful to crank up debugging to get more details on what is being passed in. Perhaps there is some subtle difference.
>
> If you want to give this a go, edit /etc/ipa/default.conf and add
>
> debug = True

Hello,

I set up default.conf with debug = True, and I am unable to reproduce the different results? Removed the debug statement and restarted httpd, both interfaces produce the same result (success).

Thanks,
Mike

> and restart the httpd service, then try your commands again. You should get a bit more detail in /var/log/httpd/error_log about the request sent in and the response. You probably don't want to leave this enabled for too long.
>
> rob
[Freeipa-users] NFS on Mac
Hello all,

I have IPA server and NFS server set up on a computer running centos 6.3. Is there a way to set up a mac laptop to access the data on the NFS server? The laptop does not have a static IP. DNS is not configured with IPA. If yes, how do I config the mac?

Thanks,
George
Re: [Freeipa-users] errors when one ipa server down
On 09/17/2012 10:27 AM, Michael Mercier wrote:

> On 2012-09-10, at 4:35 AM, Petr Spacek wrote:
>> On 09/08/2012 05:03 PM, Dmitri Pal wrote:
>>> On 09/07/2012 04:50 PM, Rob Crittenden wrote:
>>>> Michael Mercier wrote:
>>>>> On 2012-09-07, at 2:47 PM, Dmitri Pal wrote:
>>>>>> On 09/07/2012 12:42 PM, Michael Mercier wrote:
>>>>>>> On 2012-09-07, at 12:14 PM, Dmitri Pal wrote:
>>>>>>>> On 09/06/2012 10:40 AM, Michael Mercier wrote:
>>>>>>>>> Hello,
>>>>>>>>>
>>>>>>>>> I have experienced some odd connectivity issues using MMR with FreeIPA (all systems CentOS 6.3). I have 2 ipa servers (ipaserver / ipaserver2) set up using MMR.
Re: [Freeipa-users] NFS on Mac
On 09/17/2012 11:07 AM, george he wrote:
> Hello all,
>
> I have IPA server and NFS server set up on a computer running centos 6.3. Is there a way to set up a mac laptop to access the data on the NFS server? The laptop does not have a static IP. DNS is not configured with IPA. If yes, how do I config the mac?

Is this what you are looking for?
http://www.cyberciti.biz/faq/apple-mac-osx-nfs-mount-command-tutorial/

> Thanks,
> George

-- 
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-users] errors when one ipa server down
On 09/17/2012 10:14 AM, Michael Mercier wrote:

> On 2012-09-07, at 4:50 PM, Rob Crittenden wrote:
>> Michael Mercier wrote:
>>> On 2012-09-07, at 2:47 PM, Dmitri Pal wrote:
>>>> On 09/07/2012 12:42 PM, Michael Mercier wrote:
>>>>> On 2012-09-07, at 12:14 PM, Dmitri Pal wrote:
>>>>>> On 09/06/2012 10:40 AM, Michael Mercier wrote:
>>>>>>> Hello,
>>>>>>>
>>>>>>> I have experienced some odd connectivity issues using MMR with FreeIPA (all systems CentOS 6.3). I have 2 ipa servers (ipaserver / ipaserver2) set up using MMR.
Re: [Freeipa-users] errors when one ipa server down
On 2012-09-17, at 11:27 AM, Dmitri Pal wrote:
On 09/17/2012 10:14 AM, Michael Mercier wrote:
On 2012-09-07, at 4:50 PM, Rob Crittenden wrote:
Michael Mercier wrote:
On 2012-09-07, at 2:47 PM, Dmitri Pal wrote:
On 09/07/2012 12:42 PM, Michael Mercier wrote:
On 2012-09-07, at 12:14 PM, Dmitri Pal wrote:
On 09/06/2012 10:40 AM, Michael Mercier wrote:

> Hello,
>
> I have experienced some odd connectivity issues using MMR with FreeIPA (all systems CentOS 6.3). I have 2 ipa servers (ipaserver / ipaserver2) set up using MMR.
>
> [root@ipaserver ~]# ipa-replica-manage list
> ipaserver.mpls.local: master
> ipaserver2.mpls.local: master
> [root@ipaserver ~]# rpm -qa|grep ipa
> libipa_hbac-1.8.0-32.el6.x86_64
> ipa-admintools-2.2.0-16.el6.x86_64
> ipa-server-2.2.0-16.el6.x86_64
> ipa-pki-ca-theme-9.0.3-7.el6.noarch
> libipa_hbac-python-1.8.0-32.el6.x86_64
> ipa-client-2.2.0-16.el6.x86_64
> ipa-server-selinux-2.2.0-16.el6.x86_64
> ipa-pki-common-theme-9.0.3-7.el6.noarch
> python-iniparse-0.3.1-2.1.el6.noarch
> ipa-python-2.2.0-16.el6.x86_64
>
> [root@ipaserver2 ~]# ipa-replica-manage list
> ipaserver.mpls.local: master
> ipaserver2.mpls.local: master
> [root@ipaserver2 ~]# rpm -qa|grep ipa
> ipa-client-2.2.0-16.el6.x86_64
> ipa-server-2.2.0-16.el6.x86_64
> ipa-pki-ca-theme-9.0.3-7.el6.noarch
> ipa-python-2.2.0-16.el6.x86_64
> libipa_hbac-1.8.0-32.el6.x86_64
> python-iniparse-0.3.1-2.1.el6.noarch
> libipa_hbac-python-1.8.0-32.el6.x86_64
> ipa-admintools-2.2.0-16.el6.x86_64
> ipa-server-selinux-2.2.0-16.el6.x86_64
> ipa-pki-common-theme-9.0.3-7.el6.noarch
>
> [mike@ipaclient ~]$ rpm -qa|grep ipa
> ipa-admintools-2.2.0-16.el6.x86_64
> python-iniparse-0.3.1-2.1.el6.noarch
> ipa-python-2.2.0-16.el6.x86_64
> libipa_hbac-python-1.8.0-32.el6.x86_64
> ipa-client-2.2.0-16.el6.x86_64
> libipa_hbac-1.8.0-32.el6.x86_64
>
> I have a webserver (zenoss) using kerberos authentication.
>
> [root@zenoss ~]# rpm -qa|grep ipa
> libipa_hbac-1.8.0-32.el6.x86_64
> libipa_hbac-python-1.8.0-32.el6.x86_64
> ipa-python-2.2.0-16.el6.x86_64
> ipa-client-2.2.0-16.el6.x86_64
> python-iniparse-0.3.1-2.1.el6.noarch
> ipa-admintools-2.2.0-16.el6.x86_64
>
> <Location />
>   SSLRequireSSL
>   AuthType Kerberos
>   AuthName "Kerberos Login"
>   KrbMethodK5Passwd Off
>   KrbAuthRealms MPLS.LOCAL
>   KrbSaveCredentials on
>   KrbServiceName HTTP
>   Krb5KeyTab /etc/http/conf.d/http.keytab
>   AuthLDAPUrl "ldap://ipaserver.mpls.local ipaserver2.mpls.local/dc=mpls,dc=local?krbPrincipalName"
>   RequestHeader set X_REMOTE_USER %{remoteUser}e
>   require ldap-group cn=zenuser,cn=groups,cn=accounts,dc=mpls,dc=local
> </Location>
>
> With both ipaserver and ipaserver2 'up', if I connect to https://zenoss.mpls.local from ipaclient using firefox, I am successfully connected. If on ipaserver I do a 'ifdown eth0' and attempt another connection, it fails.
>
> I have also noticed the following:
> 1. I am unable to use the ipaserver2 management interface when ipaserver is unavailable.
> 2. It takes a longer period of time to do a kinit
>
> If I then perform:
>
> [root@ipaserver ~]# ifup eth0
> [root@ipaserver2 ~]# ifdown eth0
> [mike@ipaclient ~]$ kinit
> kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting initial credentials
> [root@ipaserver2 ~]# ifup eth0
> [mike@ipaclient ~]$ kinit
> Password for mike@MPLS.LOCAL:
> [mike@ipaclient ~]$
> [root@ipaserver2 ~]# ifdown eth0
> .. wait number of minutes
> ipaclient screen locks - type password - after a short delay (~7 seconds) screen unlock completes
> [mike@ipaclient ~]$ kinit
> Password for mike@MPLS.LOCAL:
> [mike@ipaclient ~]$
>
> Any ideas?
>
> Thanks,
> Mike

> This seems to be some DNS problem. Your client does not see the second replica and might have some name resolution timeouts. Please check your dns setup and krb5.conf on the client. To help more we need more details about your client configuration, DNS and kerberos.

Hi,

Additional information...

[root@zenoss ~]# more /etc/resolv.conf
search mpls.local
domain mpls.local
nameserver 172.16.112.5
nameserver 172.16.112.8
[root@zenoss ~]# more /etc/krb5.conf
#File modified by ipa-client-install
[libdefaults]
  default_realm = MPLS.LOCAL
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  MPLS.LOCAL = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .mpls.local = MPLS.LOCAL
  mpls.local = MPLS.LOCAL

[root@ipaclient ~]# more /etc/resolv.conf
# Generated by NetworkManager
search mpls.local
nameserver 172.16.112.5
nameserver 172.16.112.8
[root@ipaclient ~]# more /etc/krb5.conf
#File modified by ipa-client-install
[libdefaults]
  default_realm = MPLS.LOCAL
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  MPLS.LOCAL = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .mpls.local = MPLS.LOCAL
  mpls.local = MPLS.LOCAL

[root@ipaclient ~]# nslookup ipaserver
Server: 172.16.112.5
Address: 172.16.112.5#53
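The check Dmitri asks for (DNS setup plus krb5.conf on the client) can be scripted. The following is an added example, not code from the thread or from FreeIPA: it parses the two client files posted above, reports whether KDC discovery depends entirely on DNS SRV lookups (no static kdc= entries while dns_lookup_kdc is on), and flags nameservers that are themselves IPA servers, because losing the first such host costs a resolver timeout before the client can even learn about the second KDC. That 172.16.112.5 and 172.16.112.8 are the two IPA servers is an assumption for the sample run; the thread only shows them as the client's resolvers.

```python
"""Added example: sanity-check a FreeIPA client's KDC discovery path.

Not FreeIPA code.  Parses krb5.conf and resolv.conf and explains what a
kinit on this client has to do before it can reach a second replica.
"""
import re

# Constructed copies of the two files posted for ipaclient in the thread.
KRB5_CONF = """\
#File modified by ipa-client-install
[libdefaults]
  default_realm = MPLS.LOCAL
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  MPLS.LOCAL = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .mpls.local = MPLS.LOCAL
  mpls.local = MPLS.LOCAL
"""

RESOLV_CONF = """\
# Generated by NetworkManager
search mpls.local
nameserver 172.16.112.5
nameserver 172.16.112.8
"""


def parse_krb5(text):
    """Minimal krb5.conf parser: {section: {key: [values]}}.  A 'NAME = {'
    block inside a section becomes a nested dict under NAME."""
    sections, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"\[(\w+)\]$", line)
        if header:
            section = sections.setdefault(header.group(1), {})
            block = None
            continue
        if line.endswith("{"):                     # start of a realm block
            name = line[:-1].split("=", 1)[0].strip()
            block = section.setdefault(name, {})
            continue
        if line == "}":                            # end of the realm block
            block = None
            continue
        key, _, value = line.partition("=")
        target = block if block is not None else section
        target.setdefault(key.strip(), []).append(value.strip())
    return sections


def parse_resolv(text):
    """Nameservers in resolv.conf order: the resolver tries them in this
    order and waits for a timeout before moving to the next one."""
    return [parts[1] for parts in (l.split() for l in text.splitlines())
            if len(parts) > 1 and parts[0] == "nameserver"]


def kdc_discovery_report(krb5_text, resolv_text, ipa_server_ips=()):
    """Describe how this client finds a KDC and where a single failure hurts.
    ipa_server_ips is the operator's list of replica addresses (assumed)."""
    conf = parse_krb5(krb5_text)
    libdefaults = conf.get("libdefaults", {})
    realm = libdefaults.get("default_realm", [None])[0]
    realm_conf = conf.get("realms", {}).get(realm, {})
    static_kdcs = realm_conf.get("kdc", [])
    dns_lookup = libdefaults.get("dns_lookup_kdc", ["false"])[0].lower() in ("true", "yes", "1")
    nameservers = parse_resolv(resolv_text)

    findings = []
    if realm is None:
        findings.append("no default_realm set")
    elif not static_kdcs and dns_lookup:
        findings.append("no static kdc= entries for %s: every KDC lookup goes through "
                        "the DNS SRV record _kerberos._udp.%s" % (realm, realm))
    elif not static_kdcs:
        findings.append("no kdc= entries for %s and dns_lookup_kdc is off: "
                        "kinit cannot find a KDC at all" % realm)
    shared = [ns for ns in nameservers if ns in set(ipa_server_ips)]
    if shared:
        findings.append("nameserver(s) %s are also IPA servers: with the first one down, "
                        "the resolver times out before asking the next, and only then can "
                        "it learn about the other KDC" % ", ".join(shared))
    return {"realm": realm, "static_kdcs": static_kdcs, "dns_lookup_kdc": dns_lookup,
            "nameservers": nameservers, "findings": findings}


if __name__ == "__main__":
    # Assumption: the two resolvers are the two IPA replicas.
    report = kdc_discovery_report(KRB5_CONF, RESOLV_CONF,
                                  ipa_server_ips=("172.16.112.5", "172.16.112.8"))
    for line in report["findings"]:
        print("- " + line)
```

A client that must keep working while one replica is down either lists both replicas as static kdc= entries (so no DNS round trip is needed) or points at a resolver that does not disappear with the first replica; the report makes it obvious which of those two this configuration lacks.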
Re: [Freeipa-users] NFS on Mac
Sounds to me the link may work for nfs version 3 only. Now with IPA and NFS4, there's got to be something more.

George

From: Dmitri Pal d...@redhat.com
To: freeipa-users@redhat.com
Sent: Monday, September 17, 2012 11:20 AM
Subject: Re: [Freeipa-users] NFS on Mac

> On 09/17/2012 11:07 AM, george he wrote:
> > Hello all,
> > I have IPA server and NFS server set up on a computer running centos 6.3. Is there a way to set up a mac laptop to access the data on the NFS server? The laptop does not have a static IP. DNS is not configured with IPA. If yes, how do I config the mac?
>
> Is this what you are looking for?
> http://www.cyberciti.biz/faq/apple-mac-osx-nfs-mount-command-tutorial/
>
> > Thanks,
> > George
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>
> ---
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] NFS on Mac
On 09/17/2012 02:21 PM, george he wrote:
> Sounds to me the link may work for nfs version 3 only. Now with IPA and NFS4, there's got to be something more.
> George

I do not know the exact steps on mac because there is no ipa-client on Mac, so you would have to configure the machine to be an IPA client manually. This would mean that you need to authenticate with kerberos and then make the nfs part use the credential cache of the logged in user (if you are planning to use it for users mounting shares). This is what needs to happen conceptually. I know that people have done it in the past but I do not think there are instructions.

Once you managed to do it please see the presentation on how to set up secure NFS on Linux:
http://rhsummit.files.wordpress.com/2012/03/dickson_the_evolution_nfs_protocol.pdf

Maybe it will give you some hints and pointers. The only known problem with this slide deck is that on slide 18, after kinit admin and before ipa-getkeytab, you need to add a service for the NFS server:

ipa service-add nfs/`hostname`@EXAMPLE

HTH

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-users] NFS on Mac
If anyone has MAC instructions I'd love a copy pls.

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Dmitri Pal [d...@redhat.com]
Sent: Tuesday, 18 September 2012 6:47 a.m.
To: george he
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] NFS on Mac
Re: [Freeipa-users] winsync agreements, mostly one way.
On 09/17/2012 04:55 PM, Steven Jones wrote:
> In section 8.4.5 it talks about making an agreement one way...which is mostly what I want, so everything incl password changes from AD to IPA, except I want account disabled / enabled to flow both ways.
>
> So if I do a
>
> ldapmodify -x -D "cn=directory manager" -w password -p 389 -h ipaserver.example.com
> dn: cn=ipa-winsync,cn=plugins,cn=config
> changetype: modify
> add: oneWaySync
> oneWaySync: fromWindows
>
> Does this affect bi-directional disabling? I assume it does...
>
> So then I have to do a,
>
> ldapmodify -x -D "cn=directory manager" -w password -p 389 -h ipaserver.example.com
> dn: cn=ipa-winsync,cn=plugins,cn=config
> changetype: modify
> ipaWinSyncAcctDisable: both
>
> is that syntax right?

The Winsync plugin used in IPA comes originally from DS. In the context of IPA it can be only one way, so changing this configuration is not something we expect or would work in IPA. In the DS context you can have two way sync of users and groups.

AFAIK (Rich please correct me) we do not replicate the enabled/disabled status from IPA to AD. Conceptually we think of the AD as the authoritative source for the information. Allowing a user to be disabled by the IPA admin and then replicating this status back violates this model and would sound really dangerous for the AD side. Are you sure that even if that would have been allowed your AD admins would actually permit you to do that?

Anyways, so far it is one of the limitations of the current product. You can definitely explain the use case in a bit more detail and file an RFE. If the use case is compelling we will consider it for a later release.

> regards
>
> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
> 0064 4 463 6272

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-users] winsync agreements, mostly one way.
Hi,

I'm confused, as section 8.4.5 page 182 first para of the Red Hat admin guide for IPA says this (it's bi-directional), so that section needs updating?

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Dmitri Pal [d...@redhat.com]
Sent: Tuesday, 18 September 2012 9:22 a.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] winsync agreements, mostly one way.
Re: [Freeipa-users] winsync agreements, mostly one way.
On 09/17/2012 03:34 PM, Steven Jones wrote:
> Hi,
>
> I'm confused, as section 8.4.5 page 182 first para of the Red Hat admin guide for IPA says this (it's bi-directional), so that section needs updating?

In IPA, adding users is uni-directional, from AD to IPA. However, once the users are in sync, updates are bi-directional. This includes account disable, which syncs both directions.

> regards
>
> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
> 0064 4 463 6272
>
> *From:* freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Dmitri Pal [d...@redhat.com]
> *Sent:* Tuesday, 18 September 2012 9:22 a.m.
> *To:* freeipa-users@redhat.com
> *Subject:* Re: [Freeipa-users] winsync agreements, mostly one way.
Re: [Freeipa-users] winsync agreements, mostly one way.
Hi,

So cool, I think that is what I want, but I think the documentation should be updated with this comment as it makes it a lot clearer.

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From: Rich Megginson [rmegg...@redhat.com]
Sent: Tuesday, 18 September 2012 9:43 a.m.
To: Steven Jones
Cc: d...@redhat.com; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] winsync agreements, mostly one way.
[Freeipa-users] winsync agreement wipes IPA users
Hi,

I just tried to do a winsync agreement with specifying the AD point as cn=VUW_Staff,dc=staff,dc=vuw,dc=vuw,dc=ac,dc=nz as my users are not in the users folder but the VUW_Staff folder (at the same level) and it wiped all IPA users that are also in AD.

While doing the actual update does this get verbosely logged anywhere as opposed to "update in progress" dumped to the screen? Something went badly wrong, I just don't know what.

:/

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272
Re: [Freeipa-users] winsync agreement wipes IPA users
On 09/17/2012 04:17 PM, Steven Jones wrote:
> Hi,
>
> I just tried to do a winsync agreement with specifying the AD point as cn=VUW_Staff,dc=staff,dc=vuw,dc=vuw,dc=ac,dc=nz as my users are not in the users folder but the VUW_Staff folder (at the same level) and it wiped all IPA users that are also in AD.

Yes, this is what happens with https://fedorahosted.org/389/ticket/355
#355 winsync should not delete entry that appears to be out of scope

> While doing the actual update does this get verbosely logged anywhere as opposed to "update in progress" dumped to the screen? Something went badly wrong, I just don't know what.

You are seeing something different than #355?

> :/
>
> regards
>
> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
> 0064 4 463 6272
Re: [Freeipa-users] winsync agreement wipes IPA users
Hi,

The first time I missed the --win-subtree settings, so I wiped the admins in the IPA admin group and users as they were not in cn=users as per the bug.

The second time, as far as I can tell, I specified the correct cn via the win-subtree flag but I still appear to have lost the users in IPA. Now I expected to lose the admins but the loss of users as well confounds me. I did a ldapsearch as per checking and it seems to be saying the right folder/ou/cn but IPA is empty.

Hence I was wondering if there was a log recording what the update was doing so I could try and figure out the mistake. I've tried grepping, can't find any indication.

I will re-try with -v, verbose.

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From: Rich Megginson [rmegg...@redhat.com]
Sent: Tuesday, 18 September 2012 11:37 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] winsync agreement wipes IPA users
Re: [Freeipa-users] winsync agreement wipes IPA users
On 09/17/2012 06:17 PM, Steven Jones wrote:
> Hi,
>
> The first time I missed the --win-subtree settings, so I wiped the admins in the IPA admin group and users as they were not in cn=users as per the bug.
>
> The second time, as far as I can tell, I specified the correct cn via the win-subtree flag but I still appear to have lost the users in IPA. Now I expected to lose the admins but the loss of users as well confounds me. I did a ldapsearch as per checking and it seems to be saying the right folder/ou/cn but IPA is empty.
>
> Hence I was wondering if there was a log recording what the update was doing so I could try and figure out the mistake. I've tried grepping, can't find any indication.
>
> I will re-try with -v, verbose.

It is not clear from the manuals, but no matter what --win-subtree you specify, winsync will search AD starting from the dc=domain suffix. So, for example, if you have cn=mystaff,cn=staff,dc=example,dc=com and you specify --win-subtree cn=mystaff,cn=staff,dc=example,dc=com, winsync will still search starting from dc=example,dc=com and will hit ticket/355 if there are any users outside of cn=mystaff,cn=staff,dc=example,dc=com that have the same username as a user in IPA.

> regards
>
> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
> 0064 4 463 6272
>
> *From:* Rich Megginson [rmegg...@redhat.com]
> *Sent:* Tuesday, 18 September 2012 11:37 a.m.
> *To:* Steven Jones
> *Cc:* freeipa-users@redhat.com
> *Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users
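Rich's explanation can be turned into a preflight check run before the agreement is created: list the IPA accounts whose uid also exists in AD but outside the requested --win-subtree, since those are exactly the entries ticket #355 removes when winsync searches from the domain suffix instead. The following is an added example modelled on that description; it is not 389-ds or FreeIPA code, and the AD entries, IPA uids and DNs in it are constructed (the example.com DNs follow Rich's illustration). The real check would feed it the output of an ldapsearch against AD (sAMAccountName and dn) and of ipa user-find.

```python
"""Added example: winsync preflight for the ticket #355 collision case.

Models the behaviour described in the thread: winsync searches AD from the
dc= suffix regardless of --win-subtree, and deletes an IPA user whenever an
AD account with the same username exists outside the subtree.  Not 389-ds
or FreeIPA code; all sample data is constructed.
"""


def normalize_dn(dn):
    """Lower-case the DN and strip spaces around RDN separators so that
    DNs written by different tools compare reliably."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def domain_suffix(dn):
    """The dc=... tail of a DN: the base winsync actually searches from."""
    parts = normalize_dn(dn).split(",")
    for i, part in enumerate(parts):
        if part.startswith("dc="):
            return ",".join(parts[i:])
    return normalize_dn(dn)


def in_subtree(dn, subtree):
    """True if dn is subtree itself or lies underneath it."""
    n, s = normalize_dn(dn), normalize_dn(subtree)
    return n == s or n.endswith("," + s)


def winsync_preflight(ad_entries, ipa_uids, win_subtree):
    """ad_entries: iterable of (dn, sAMAccountName) from AD.
    ipa_uids: uids currently in IPA.
    Returns which IPA users would be synced (AD entry inside the subtree)
    and which are at risk (same username, AD entry outside the subtree but
    inside the domain suffix, so the suffix-wide search still finds it)."""
    suffix = domain_suffix(win_subtree)
    ipa = {u.lower() for u in ipa_uids}
    synced, at_risk = {}, {}
    for dn, sam in ad_entries:
        if not in_subtree(dn, suffix):
            continue                      # other domain: winsync never sees it
        uid = sam.lower()
        if uid not in ipa:
            continue                      # no IPA entry to collide with
        bucket = synced if in_subtree(dn, win_subtree) else at_risk
        bucket[uid] = dn
    return {"search_base": suffix,
            "synced": sorted(synced),
            "at_risk": sorted(at_risk),
            "at_risk_dns": at_risk}


# Constructed sample data in the shape of Rich's example.
AD_ENTRIES = [
    ("cn=alice,cn=mystaff,cn=staff,dc=example,dc=com", "alice"),
    ("cn=bob,cn=mystaff,cn=staff,dc=example,dc=com", "bob"),
    ("cn=admin,cn=Users,dc=example,dc=com", "admin"),          # outside subtree
    ("cn=carol,cn=Staff_Admins,dc=example,dc=com", "carol"),   # outside subtree
    ("cn=dave,cn=Users,dc=other,dc=com", "dave"),              # other domain
]
IPA_UIDS = ["admin", "alice", "bob", "carol", "dave", "erin"]
WIN_SUBTREE = "cn=mystaff,cn=staff,dc=example,dc=com"

if __name__ == "__main__":
    report = winsync_preflight(AD_ENTRIES, IPA_UIDS, WIN_SUBTREE)
    print("winsync will search from:", report["search_base"])
    print("would sync:", ", ".join(report["synced"]))
    for uid, dn in sorted(report["at_risk_dns"].items()):
        print("AT RISK (would be deleted from IPA): %s <- %s" % (uid, dn))
```

In Steven's situation the at-risk list is the interesting output: any IPA uid that also exists under cn=Users or an admin container in AD shows up there, and renaming or excluding those accounts on one side before creating the agreement is what keeps them from being wiped.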
Re: [Freeipa-users] winsync agreement wipes IPA users
Hi,

I understand that I'll lose users that are cn=Staff_Admins,dc=etc

So the Q is why I am losing users in the --win-subtree cn=VUW_Staff,dc= etc

This I don't understand.

I have the -v already, any way to make it very verbose?

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From: Rich Megginson [rmegg...@redhat.com]
Sent: Tuesday, 18 September 2012 12:47 p.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] winsync agreement wipes IPA users
[Freeipa-users] Password requirements too stringent
Hey all;

I'm running IPA internally to control access to our cloud environment. I must admit, I do not understand the password requirements. I have had them set to the defaults. I read this:

https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/user-pwdpolicy.html

I have the minimum character classes set to 0. When people use SSH to change their passwords, they get "Based on a dictionary word" for passwords that have nothing to do with dictionary words. I can't find anywhere in the documentation a breakdown of what makes an unacceptable versus acceptable password. Can anyone help me figure out what to tell my users? I think people would get a lot less frustrated if they knew why C679V375 was too simple when the password policy has 0 required classes.

Tim Hildred, RHCE
Content Author II - Engineering Content Services, Red Hat, Inc.
Brisbane, Australia
Email: thild...@redhat.com
Internal: 8588287
Mobile: +61 4 666 25242
IRC: thildred

ps: funny exchange with user:

Jul 12 14:12:33 <user1> i feel like im being punked
Jul 12 14:12:40 <user1> it is based on a dictionary word
Jul 12 14:12:43 <user1> it is too short
Jul 12 14:12:49 <user1> is does not have enough unique letters
Jul 12 14:12:51 <user1> etc
Re: [Freeipa-users] Password Expiration Grace Limit
<latetotheparty>
There seems to be nothing in the documentation about a user being able to initiate a password change dialogue after their password has expired:
https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Using_SSH_for_Password_Authentication.html
</latetotheparty>

Tim Hildred, RHCE
Content Author II - Engineering Content Services, Red Hat, Inc.
Brisbane, Australia
Email: thild...@redhat.com
Internal: 8588287
Mobile: +61 4 666 25242
IRC: thildred
Re: [Freeipa-users] Password requirements too stringent
Maybe it's the local system having requirements and not IPA? In my secure logs I see pam is querying first locally and then the sss daemon... maybe it's failing you on the default rh setup of the OS?

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Tim Hildred [thild...@redhat.com]
Sent: Tuesday, 18 September 2012 1:25 p.m.
To: freeipa-users
Subject: [Freeipa-users] Password requirements too stringent
Re: [Freeipa-users] Password requirements too stringent
Tim, please check your /etc/pam.d/system-auth with the password block.

If you see:

password    requisite     pam_cracklib.so

then this is why you are having a problem.

$ man pam_cracklib

It is a local security library for enforcing strong password practices from the unix cli.

ProTip: If you don't need this, you can remove it from pam. If you want to work around this, set your password from the IPA webui or via the cli:

ipa passwd username

Hope this info helps!

Keeping your head in the cloud
~ JR Aquino
Senior Information Security Specialist, Technical Operations
T: +1 805 690 3478 | F: +1 805 879 3730 | M: +1 805 717 0365
GIAC Certified Incident Handler | GIAC WebApplication Penetration Tester
jr.aqu...@citrix.com
Powering mobile workstyles and cloud services

On Sep 17, 2012, at 6:25 PM, Tim Hildred wrote:
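JR's diagnosis comes down to the order and control flags of the password stack: a "requisite" pam_cracklib.so line fails the whole stack before pam_sss.so (and therefore the IPA password policy) is ever consulted, so the user sees cracklib's messages, not IPA's. The following is an added example, not code from the thread, from Linux-PAM or from FreeIPA: it parses a system-auth password stack, reports which local modules can veto a password before pam_sss runs, and walks the stack with a simplified model of the requisite/required/sufficient semantics. The stack text is a constructed RHEL 6 style layout, and the per-module verdicts (pam_unix failing for a non-local IPA user, cracklib rejecting the candidate password) are assumptions used to drive the walk.

```python
"""Added example: why a local pam_cracklib line masks IPA's password policy.

Parses a PAM password stack and simulates the control-flag semantics in a
simplified form (requisite / required / sufficient / optional).  Not
Linux-PAM or FreeIPA code; the stack below is constructed.
"""

# Constructed /etc/pam.d/system-auth password stack in the layout JR
# describes: pam_cracklib first, pam_sss (the SSSD/IPA module) later.
SYSTEM_AUTH = """\
password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so
"""


def parse_pam_stack(text, stack_type="password"):
    """Entries of one management group, in file order; comments are skipped."""
    entries = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 3 or parts[0] != stack_type:
            continue
        entries.append({"control": parts[1], "module": parts[2], "args": parts[3:]})
    return entries


def run_stack(entries, verdicts):
    """Walk the stack with verdicts {module: True (success) / False (failure)}.
    Unknown modules fail, which is what pam_deny.so does.
    Returns (result, deciding_module, modules_consulted)."""
    consulted, first_failure = [], None
    for entry in entries:
        module, control = entry["module"], entry["control"]
        ok = verdicts.get(module, False)
        consulted.append(module)
        if control == "requisite" and not ok:
            return "fail", module, consulted        # stack stops immediately
        if control == "required" and not ok and first_failure is None:
            first_failure = module                  # remembered; stack continues
        if control == "sufficient" and ok and first_failure is None:
            return "ok", module, consulted          # nothing below is consulted
        # 'optional', and a failing 'sufficient', do not change the outcome
    if first_failure:
        return "fail", first_failure, consulted
    return "ok", None, consulted


def local_vetoes_before_sss(entries):
    """Modules that can reject a password before pam_sss.so ever sees it."""
    vetoes = []
    for entry in entries:
        if entry["module"] == "pam_sss.so":
            break
        if entry["control"] in ("requisite", "required"):
            vetoes.append(entry["module"])
    return vetoes


def without_module(text, module):
    """The stack text with every line for `module` commented out, as Tim did."""
    return "\n".join(("#" + line) if module in line.split() else line
                     for line in text.splitlines()) + "\n"


if __name__ == "__main__":
    stack = parse_pam_stack(SYSTEM_AUTH)
    print("local vetoes before pam_sss:", local_vetoes_before_sss(stack))
    # Assumed verdicts for an IPA user: pam_unix fails (not a local account),
    # cracklib rejects the candidate, IPA itself would accept it.
    ipa_user = {"pam_cracklib.so": False, "pam_unix.so": False, "pam_sss.so": True}
    print("with cracklib:   ", run_stack(stack, ipa_user))
    trimmed = parse_pam_stack(without_module(SYSTEM_AUTH, "pam_cracklib.so"))
    print("without cracklib:", run_stack(trimmed, ipa_user))
```

The walk shows the two outcomes side by side: with the cracklib line present the stack ends at pam_cracklib.so and pam_sss.so is never in the consulted list; with it commented out, pam_unix.so fails quietly (sufficient), pam_sss.so decides, and the message the user sees is the one produced by the IPA password policy.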
Re: [Freeipa-users] Password requirements too stringent
JR,

I had that line. I commented it out. Thank you.

Now, what do I have to restart?

Tim Hildred, RHCE
Content Author II - Engineering Content Services, Red Hat, Inc.
Brisbane, Australia
Email: thild...@redhat.com
Internal: 8588287
Mobile: +61 4 666 25242
IRC: thildred

----- Original Message -----
From: JR Aquino <jr.aqu...@citrix.com>
To: Tim Hildred <thild...@redhat.com>
Cc: freeipa-users <freeipa-users@redhat.com>
Sent: Tuesday, September 18, 2012 12:37:48 PM
Subject: Re: [Freeipa-users] Password requirements too stringent

> Tim, please check your /etc/pam.d/system-auth with the password block. If you see
>
>     password    requisite    pam_cracklib.so
>
> then this is why you are having a problem.
>
> $ man pam_cracklib
>
> It is a local security library for enforcing strong password practices from the unix cli.
>
> ProTip: If you don't need this, you can remove it from pam.
>
> If you want to work around this, set your password from the IPA webui or via the cli:
>
> ipa passwd username
>
> Hope this info helps!
>
> Keeping your head in the cloud
> ~ JR Aquino
> Senior Information Security Specialist, Technical Operations
> T: +1 805 690 3478 | F: +1 805 879 3730 | M: +1 805 717 0365
> GIAC Certified Incident Handler | GIAC Web Application Penetration Tester
> jr.aqu...@citrix.com
> Powering mobile workstyles and cloud services
>
> On Sep 17, 2012, at 6:25 PM, Tim Hildred wrote:
>
>> Hey all;
>>
>> I'm running IPA internally to control access to our cloud environment. I must admit, I do not understand the password requirements. I have had them set to the defaults. I read this:
>>
>> https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/user-pwdpolicy.html
>>
>> I have the minimum character classes set to 0. When people use SSH to change their passwords, they get "Based on a dictionary word" for passwords that have nothing to do with dictionary words.
>>
>> I can't find anywhere in the documentation a breakdown of what makes an unacceptable versus acceptable password. Can anyone help me figure out what to tell my users? I think people would get a lot less frustrated if they knew why C679V375 was too simple when the password policy has 0 required classes.
>>
>> Tim Hildred, RHCE
>> Content Author II - Engineering Content Services, Red Hat, Inc.
>> Brisbane, Australia
>> Email: thild...@redhat.com
>> Internal: 8588287
>> Mobile: +61 4 666 25242
>> IRC: thildred
>>
>> ps: funny exchange with user:
>>
>> Jul 12 14:12:33 user1 i feel like im being punked
>> Jul 12 14:12:40 user1 it is based on a dictionary word
>> Jul 12 14:12:43 user1 it is too short
>> Jul 12 14:12:49 user1 it does not have enough unique letters
>> Jul 12 14:12:51 user1 etc
Re: [Freeipa-users] Password requirements too stringent
On Sep 17, 2012, at 7:53 PM, Tim Hildred wrote:

> JR,
>
> I had that line. I commented it out. Thank you.
>
> Now, what do I have to restart?

I believe it should take effect in real time, but you may need to test to be sure.

If it is still happening, you may need to double check that some other pam cfg doesn't also have it present:

$ cd /etc/pam.d/
$ grep pam_cracklib *

If you have removed it from everything and it is still giving you the same error, then I would try a reboot... perhaps getty needs to reinitialize or something. But I'd try those steps before a reboot! ;)

> Tim Hildred, RHCE
> Content Author II - Engineering Content Services, Red Hat, Inc.
> Brisbane, Australia
> Email: thild...@redhat.com
> Internal: 8588287
> Mobile: +61 4 666 25242
> IRC: thildred
>
> ----- Original Message -----
> From: JR Aquino <jr.aqu...@citrix.com>
> To: Tim Hildred <thild...@redhat.com>
> Cc: freeipa-users <freeipa-users@redhat.com>
> Sent: Tuesday, September 18, 2012 12:37:48 PM
> Subject: Re: [Freeipa-users] Password requirements too stringent
>
>> Tim, please check your /etc/pam.d/system-auth with the password block. If you see
>>
>>     password    requisite    pam_cracklib.so
>>
>> then this is why you are having a problem.
>>
>> $ man pam_cracklib
>>
>> It is a local security library for enforcing strong password practices from the unix cli.
>>
>> ProTip: If you don't need this, you can remove it from pam.
>>
>> If you want to work around this, set your password from the IPA webui or via the cli:
>>
>> ipa passwd username
>>
>> Hope this info helps!
>>
>> Keeping your head in the cloud
>> ~ JR Aquino
>> Senior Information Security Specialist, Technical Operations
>> T: +1 805 690 3478 | F: +1 805 879 3730 | M: +1 805 717 0365
>> GIAC Certified Incident Handler | GIAC Web Application Penetration Tester
>> jr.aqu...@citrix.com
>> Powering mobile workstyles and cloud services
>>
>> On Sep 17, 2012, at 6:25 PM, Tim Hildred wrote:
>>
>>> Hey all;
>>>
>>> I'm running IPA internally to control access to our cloud environment. I must admit, I do not understand the password requirements. I have had them set to the defaults. I read this:
>>>
>>> https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/user-pwdpolicy.html
>>>
>>> I have the minimum character classes set to 0. When people use SSH to change their passwords, they get "Based on a dictionary word" for passwords that have nothing to do with dictionary words.
>>>
>>> I can't find anywhere in the documentation a breakdown of what makes an unacceptable versus acceptable password. Can anyone help me figure out what to tell my users? I think people would get a lot less frustrated if they knew why C679V375 was too simple when the password policy has 0 required classes.
>>>
>>> Tim Hildred, RHCE
>>> Content Author II - Engineering Content Services, Red Hat, Inc.
>>> Brisbane, Australia
>>> Email: thild...@redhat.com
>>> Internal: 8588287
>>> Mobile: +61 4 666 25242
>>> IRC: thildred
>>>
>>> ps: funny exchange with user:
>>>
>>> Jul 12 14:12:33 user1 i feel like im being punked
>>> Jul 12 14:12:40 user1 it is based on a dictionary word
>>> Jul 12 14:12:43 user1 it is too short
>>> Jul 12 14:12:49 user1 it does not have enough unique letters
>>> Jul 12 14:12:51 user1 etc
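A small audit script for the check JR describes in this thread (finding active pam_cracklib.so entries in the password stack across /etc/pam.d, so that a local module is not silently overriding the IPA server's password policy). This is an added example, not code from the thread; the function names and the optional directory argument are my own, and the default path assumes a stock /etc/pam.d layout.

```shell
#!/bin/sh
# Audit a PAM configuration directory for pam_cracklib.so entries that are
# still active in the "password" stack. Commented-out lines (the fix Tim
# applied) are ignored, as are entries in other stacks (auth, account, ...).
# Added example for the thread above; not part of the original messages.

# Print "file:lineno:line" for every non-comment line whose first field is
# "password" and which loads pam_cracklib.so. Directory defaults to /etc/pam.d.
pam_cracklib_active() {
    dir="${1:-/etc/pam.d}"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue          # skip subdirectories and dangling links
        awk -v file="$f" '
            /^[[:space:]]*#/ { next }    # commented-out line: not active
            $1 == "password" && /pam_cracklib\.so/ {
                printf "%s:%d:%s\n", file, NR, $0
            }' "$f"
    done
}

# Number of active pam_cracklib password entries. 0 means only the
# server-side (IPA) policy is applied when users change their passwords.
pam_cracklib_count() {
    pam_cracklib_active "$1" | wc -l | tr -d ' '
}

# Usage on a real host (uncomment to run):
#   pam_cracklib_active            # list offending files and line numbers
#   echo "active entries: $(pam_cracklib_count)"
```

The script needs no root privileges on a default system, since /etc/pam.d files are world-readable.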