Re: [Freeipa-users] Freeipa-users Digest, Vol 54, Issue 42
On Monday 21 January 2013 10:30 PM, freeipa-users-requ...@redhat.com wrote:
> Message: 1
> Date: Mon, 21 Jan 2013 15:15:00 +0530
> From: Vijay Thakur vijay.tha...@loopmethods.com
> To: freeipa-users@redhat.com
> Subject: [Freeipa-users] FreeIPA Client Setup in Windows 7 Ubuntu
>
> Dear All List Members,
>
> I have installed and configured FreeIPA Server 2.2.1 in Fedora 17. All is working very fine at the server end. I have successfully configured my CentOS 6.0 box as a FreeIPA client. Now I have to set up FreeIPA clients on Ubuntu 12.04 and Windows 7. There is no available documentation for Windows 7 and Ubuntu 12.04.
>
> During the first login of Windows 7 as a FreeIPA client, I followed these steps:
> (1) Login asus...@xyz.com and Password: 12345678
> (2) Message: Your Password has expired and must be changed.
> (3) Changed the Password to a new one successfully.
> (4) Again login with the new credentials.
> (5) Windows 7 gives the message: The User Name or Password is incorrect.
>
> I have already stopped the Windows 7 firewall.
>
> Guide me about Ubuntu 12.04 as FreeIPA Client setting.
>
> With Warm Wishes,
> Vijay Thakur

Here are the logs from the server side:

Jan 22 16:21:02 ds.example.com krb5kdc[1376](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.51.16: NEEDED_PREAUTH: ad...@example.com for krbtgt/example@example.com, Additional pre-authentication required
Jan 22 16:21:02 ds.example.com krb5kdc[1376](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.51.16: ISSUE: authtime 1358851862, etypes {rep=18 tkt=18 ses=18}, ad...@example.com for krbtgt/example@example.com
Jan 22 16:21:02 ds.example.com krb5kdc[1376](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.51.16: ISSUE: authtime 1358851862, etypes {rep=18 tkt=18 ses=18}, ad...@example.com for ldap/ds.example@example.com
Jan 22 16:34:10 ds.example.com krb5kdc[1376](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.51.17: CLIENT KEY EXPIRED: vi...@example.com for krbtgt/example@example.com, Password has expired
Jan 22 16:34:25 ds.example.com krb5kdc[1376](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.51.17: NEEDED_PREAUTH: vi...@example.com for kadmin/chang...@example.com, Additional pre-authentication required
Jan 22 16:34:25 ds.example.com krb5kdc[1376](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.51.17: ISSUE: authtime 1358852665, etypes {rep=18 tkt=18 ses=18}, vi...@example.com for kadmin/chang...@example.com
Jan 22 16:34:25 ds.example.com krb5kdc[1376](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.51.17: NEEDED_PREAUTH: vi...@example.com for krbtgt/example@example.com, Additional pre-authentication required
Jan 22 16:34:25 ds.example.com krb5kdc[1376](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.51.17: ISSUE: authtime 1358852665, etypes {rep=18 tkt=18 ses=18}, vi...@example.com for krbtgt/example@example.com
Jan 22 16:34:25 ds.example.com krb5kdc[1376](info): TGS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.51.17: ISSUE: authtime 1358852665, etypes {rep=18 tkt=18 ses=18}, vi...@example.com for vi...@example.com
Jan 22 16:34:29 ds.example.com krb5kdc[1376](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.51.17: NEEDED_PREAUTH: vi...@example.com for krbtgt/example@example.com, Additional pre-authentication required
Jan 22 16:34:29 ds.example.com krb5kdc[1376](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.51.17: ISSUE: authtime 1358852669, etypes {rep=18 tkt=18 ses=18}, vi...@example.com for krbtgt/example@example.com
Jan 22 16:34:29 ds.example.com krb5kdc[1376](info): TGS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.51.17: UNKNOWN_SERVER: authtime 0, vi...@example.com for host/w...@example.com, Server not found in Kerberos database
Jan 22 16:34:54 ds.example.com krb5kdc[1376](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.51.17: NEEDED_PREAUTH: vi...@example.com for krbtgt/example@example.com, Additional pre-authentication required
Jan 22 16:34:54 ds.example.com krb5kdc[1376](info): preauth (encrypted_timestamp) verify failure: Decrypt integrity check failed
Jan 22 16:34:54 ds.example.com krb5kdc[1376](info): AS_REQ (7 etypes {18 17 23 3 1 24
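The KDC log above can be read mechanically instead of by eye. The following is an added example, not code from the original post or from the FreeIPA project: a small Python parser for krb5kdc "info" lines of the kind quoted, run over constructed sample lines that mirror the sequence above (the principals, hostnames and addresses are made up), which groups events per client principal and flags the expired password, the password change, the missing host principal and the failed pre-authentication.

```python
import re
from collections import defaultdict

# Constructed sample in the krb5kdc format quoted above; principals, hosts and
# addresses are made up and do not come from the original post.
SAMPLE_KDC_LOG = """\
Jan 22 16:21:02 ds.example.com krb5kdc[1376](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.51.16: NEEDED_PREAUTH: admin@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Jan 22 16:21:02 ds.example.com krb5kdc[1376](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.51.16: ISSUE: authtime 1358851862, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Jan 22 16:34:10 ds.example.com krb5kdc[1376](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.51.17: CLIENT KEY EXPIRED: vijay@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Password has expired
Jan 22 16:34:25 ds.example.com krb5kdc[1376](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.51.17: ISSUE: authtime 1358852665, etypes {rep=18 tkt=18 ses=18}, vijay@EXAMPLE.COM for kadmin/changepw@EXAMPLE.COM
Jan 22 16:34:29 ds.example.com krb5kdc[1376](info): TGS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.51.17: UNKNOWN_SERVER: authtime 0, vijay@EXAMPLE.COM for host/win7.example.com@EXAMPLE.COM, Server not found in Kerberos database
Jan 22 16:34:54 ds.example.com krb5kdc[1376](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.51.17: NEEDED_PREAUTH: vijay@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Jan 22 16:34:54 ds.example.com krb5kdc[1376](info): preauth (encrypted_timestamp) verify failure: Decrypt integrity check failed
"""

# One regex for request lines ("AS_REQ ... STATUS: details") and one for the
# preauth failure line, which names no principal of its own.
REQ_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<kdc>\S+) krb5kdc\[\d+\]\(info\): '
    r'(?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<etypes>[^}]*)\}\) '
    r'(?P<ip>[\d.]+): (?P<status>[A-Z_ ]+): (?P<rest>.*)$')
PREAUTH_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<kdc>\S+) krb5kdc\[\d+\]\(info\): '
    r'preauth \((?P<ptype>[^)]*)\) verify failure: (?P<reason>.*)$')
PRINC_RE = re.compile(r'(?P<client>\S+@\S+) for (?P<server>\S+@\S+)')


def parse_kdc_line(line):
    """Parse one krb5kdc info line into a dict; return None for lines not handled."""
    m = REQ_RE.match(line)
    if m:
        ev = m.groupdict()
        ev['etypes'] = [int(x) for x in ev['etypes'].split()]
        p = PRINC_RE.search(ev['rest'])
        ev['client'] = p.group('client') if p else None
        ev['server'] = p.group('server').rstrip(',') if p else None
        return ev
    m = PREAUTH_RE.match(line)
    if m:
        ev = m.groupdict()
        ev.update(req='PREAUTH', status='PREAUTH_FAILURE', ip=None,
                  etypes=[], client=None, server=None, rest=ev['reason'])
        return ev
    return None


def diagnose(lines):
    """Group events per client principal and flag the failure patterns seen
    in the sequence above. Returns {client_principal: [finding, ...]}."""
    by_client = defaultdict(list)
    last_client = None
    for ev in filter(None, (parse_kdc_line(l) for l in lines)):
        if ev['client']:
            last_client = ev['client']
        elif last_client is None:
            continue  # preauth line before any request: nothing to attach it to
        # preauth failures name no principal; attribute them to the preceding AS_REQ
        by_client[ev['client'] or last_client].append(ev)

    findings = {}
    for client, evs in by_client.items():
        f = []
        if any(e['status'] == 'CLIENT KEY EXPIRED' for e in evs):
            f.append('password expired')
        if any(e['status'] == 'ISSUE' and e['server']
               and e['server'].startswith('kadmin/changepw@') for e in evs):
            f.append('ticket for kadmin/changepw issued (password change)')
        for e in evs:
            if e['status'] == 'UNKNOWN_SERVER':
                f.append('no service principal for %s (host not enrolled in the realm?)'
                         % e['server'])
        if any(e['status'] == 'PREAUTH_FAILURE' for e in evs):
            f.append('preauth failed: client key does not match the KDC key '
                     '(old or wrong password?)')
        findings[client] = f
    return findings


if __name__ == '__main__':
    for client, f in diagnose(SAMPLE_KDC_LOG.splitlines()).items():
        print(client, '->', f or ['no problems seen'])
```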
Re: [Freeipa-users] Error: Fedora 18 client to IPA Server 2.2.0?
free...@noboost.org wrote:
> Hi,
>
> Has anyone had success with installing the IPA client on Fedora 18 (with SELinux disabled)?
>
> Server: Red Hat Enterprise Linux Server release 6.3 (Santiago)
> * ipa-server-2.2.0-16.el6.x86_64
>
> Client: Fedora release 18 (Spherical Cow)
> * freeipa-client-3.1.0-2.fc18.x86_64
>
> Error:
> I installed with the debug flags and it is technically a complete install, however uid and gid's don't look up correctly.
> e.g. getent passwd username - comes back blank
>
> # Instead of working out the uid/gid, it just shows the number.
> [root@craigvm-fedora18 home]# ls -la | grep craig
> drwx-- 45 365 132 16384 Jan 22 13:16 craig
>
> Only errors during the install I could find:
>
> 2013-01-22T02:42:13Z INFO Configured /etc/krb5.conf for IPA realm EXAMPLE.COM
> 2013-01-22T02:42:13Z DEBUG Starting external process
> 2013-01-22T02:42:13Z DEBUG args=keyctl search @s user ipa_session_cookie:host/craigvm-fedora18.example@example.com
> 2013-01-22T02:42:13Z DEBUG Process finished, return code=1
> 2013-01-22T02:42:13Z DEBUG stdout=
> 2013-01-22T02:42:13Z DEBUG stderr=keyctl_search: Required key not available
> ---
> 2013-01-22T02:42:13Z DEBUG Caught fault 3008 from server https://sysvm-ipa.example.com/ipa/xml: invalid 'sshpubkey': must be binary data
> 2013-01-22T02:42:13Z INFO host_mod: invalid 'sshpubkey': must be binary data
> 2013-01-22T02:42:13Z WARNING Failed to upload host SSH public keys.

It sounds like sssd isn't communicating with ipa. One of the last steps of the client install is to use getent to look up the admin user. This should also be in the client install log. Did that succeed?

rob

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Freeipa-users Digest, Vol 54, Issue 42
Vijay Thakur wrote:
> On Monday 21 January 2013 10:30 PM, freeipa-users-requ...@redhat.com wrote:
>> Vijay Thakur
>
> Here are the logs from the server side:
>
> Jan 22 16:21:02 ds.example.com krb5kdc[1376](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.51.16: NEEDED_PREAUTH: ad...@example.com for krbtgt/example@example.com, Additional pre-authentication required
> Jan 22 16:21:02 ds.example.com krb5kdc[1376](info): AS_REQ (4 etypes {18
[ snip ]
> Kindly tell me the location of the Kerberos log file in Windows 7?

I don't believe there are any logs on the windows side.

What is it you're trying to do from Windows 7? Are you trying to log in using IPA credentials? What configuration did you perform? Are you using the MIT Kerberos client?

IPA is not an AD replacement, you can't do domain logins without a fair bit of configuration.

rob
Re: [Freeipa-users] Error: Fedora 18 client to IPA Server 2.2.0?
On Tue, Jan 22, 2013 at 11:02:39AM -0500, Rob Crittenden wrote:
> free...@noboost.org wrote:
>> Hi,
>>
>> Has anyone had success with installing the IPA client on Fedora 18 (with SELinux disabled)?
>>
>> Server: Red Hat Enterprise Linux Server release 6.3 (Santiago)
>> * ipa-server-2.2.0-16.el6.x86_64
>>
>> Client: Fedora release 18 (Spherical Cow)
>> * freeipa-client-3.1.0-2.fc18.x86_64
>>
>> Error:
>> I installed with the debug flags and it is technically a complete install, however uid and gid's don't look up correctly.
>> e.g. getent passwd username - comes back blank
>> [ snip ]
>
> It sounds like sssd isn't communicating with ipa. One of the last steps of the client install is to use getent to look up the admin user. This should also be in the client install log. Did that succeed?
>
> rob

I think Rob is correct. Is there anything relevant in syslog? If not, you may want to raise sssd debugging, restart the SSSD and retry the lookup.
Re: [Freeipa-users] FreeIPA Client Setup in Windows 7 Ubuntu
On 22.1.2013 17:04, Rob Crittenden wrote:
> Vijay Thakur wrote:
>> On Monday 21 January 2013 10:30 PM, freeipa-users-requ...@redhat.com wrote:
>>> Vijay Thakur
>>
>> Here are the logs from the server side:
>>
>> Jan 22 16:21:02 ds.example.com krb5kdc[1376](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.51.16: NEEDED_PREAUTH: ad...@example.com for krbtgt/example@example.com, Additional pre-authentication required
>> Jan 22 16:21:02 ds.example.com krb5kdc[1376](info): AS_REQ (4 etypes {18
> [ snip ]
>> Kindly tell me the location of the Kerberos log file in Windows 7?
>
> I don't believe there are any logs on the windows side.

Personally I use tcpdump/wireshark. The built-in parser translates Kerberos errors to human readable form. It often helps a lot.

> What is it you're trying to do from Windows 7? Are you trying to log in using IPA credentials? What configuration did you perform? Are you using the MIT Kerberos client?
>
> IPA is not an AD replacement, you can't do domain logins without a fair bit of configuration.

Go for Samba 4 if you are an adventurer :-)

-- 
Petr^2 Spacek
[Freeipa-users] OneWaySync Issues
Hello,

I'm trying to configure the oneWaySync option for IPA so only the Windows AD can replicate changes to IPA. When I use the command that I listed below it says it works, but when I delete a user from IPA it will then delete the user in Active Directory.

Is my command listed below correct? Anyone able to help?

Parameters:
Server = rhserver
Domain = redhat.ca
Password = 12345678

Contents of /tmp/unisync:

dn: cn=ipa-winsync,cn=plugins,cn=config
changetype: modify
replace: oneWaySync
oneWaySync: From Windows

So I enter the following command:

ldapmodify -x -D dc=redhat,dc=ca -w 12345678 -h rhserver.redhat.ca -f /tmp/unisync

Thanks,
Re: [Freeipa-users] OneWaySync Issues
Joseph, Matthew (EXP) wrote:
> Hello,
>
> I'm trying to configure the oneWaySync option for IPA so only the Windows AD can replicate changes to IPA. When I use the command that I listed below it says it works, but when I delete a user from IPA it will then delete the user in Active Directory.
>
> Is my command listed below correct? Anyone able to help?
>
> Parameters:
> Server = rhserver
> Domain = redhat.ca
> Password = 12345678
>
> Contents of /tmp/unisync:
>
> dn: cn=ipa-winsync,cn=plugins,cn=config
> changetype: modify
> replace: oneWaySync
> oneWaySync: From Windows
>
> So I enter the following command:
>
> ldapmodify -x -D dc=redhat,dc=ca -w 12345678 -h rhserver.redhat.ca -f /tmp/unisync

There should be no space in oneWaySync, it should be fromWindows.

rob
Re: [Freeipa-users] OneWaySync Issues
On 01/22/2013 11:46 AM, Rob Crittenden wrote:
> Joseph, Matthew (EXP) wrote:
>> Hello,
>>
>> I'm trying to configure the oneWaySync option for IPA so only the Windows AD can replicate changes to IPA. When I use the command that I listed below it says it works, but when I delete a user from IPA it will then delete the user in Active Directory.
>> [ snip ]
>>
>> Contents of /tmp/unisync:
>>
>> dn: cn=ipa-winsync,cn=plugins,cn=config
>> changetype: modify
>> replace: oneWaySync
>> oneWaySync: From Windows
>>
>> So I enter the following command:
>>
>> ldapmodify -x -D dc=redhat,dc=ca -w 12345678 -h rhserver.redhat.ca -f /tmp/unisync
>
> There should be no space in oneWaySync, it should be fromWindows.

I thought the oneWaySync attribute was in the replication/sync agreement entry, not in the ipa-winsync plugin config entry?

> rob
Re: [Freeipa-users] EXTERNAL: Re: OneWaySync Issues
Hey Rob,

According to the Red Hat Identity Management documentation provided by Red Hat, it says to do it with the ldapmodify command. They don't mention any options during the replicator/sync agreement process about uni-directional sync.

Matt

-----Original Message-----
From: Rich Megginson [mailto:rmegg...@redhat.com]
Sent: Tuesday, January 22, 2013 3:04 PM
To: Rob Crittenden
Cc: Joseph, Matthew (EXP); freeipa-users@redhat.com
Subject: EXTERNAL: Re: [Freeipa-users] OneWaySync Issues

On 01/22/2013 11:46 AM, Rob Crittenden wrote:
> Joseph, Matthew (EXP) wrote:
>> Hello,
>>
>> I'm trying to configure the oneWaySync option for IPA so only the Windows AD can replicate changes to IPA. When I use the command that I listed below it says it works, but when I delete a user from IPA it will then delete the user in Active Directory.
>> [ snip ]
>>
>> dn: cn=ipa-winsync,cn=plugins,cn=config
>> changetype: modify
>> replace: oneWaySync
>> oneWaySync: From Windows
>>
>> So I enter the following command:
>>
>> ldapmodify -x -D dc=redhat,dc=ca -w 12345678 -h rhserver.redhat.ca -f /tmp/unisync
>
> There should be no space in oneWaySync, it should be fromWindows.

I thought the oneWaySync attribute was in the replication/sync agreement entry, not in the ipa-winsync plugin config entry?

> rob
Re: [Freeipa-users] EXTERNAL: Re: OneWaySync Issues
Hello Rob,

Sorry, typo on my part. The command I put in is actually fromWindows.

Matt

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Tuesday, January 22, 2013 2:47 PM
To: Joseph, Matthew (EXP)
Cc: freeipa-users@redhat.com
Subject: EXTERNAL: Re: [Freeipa-users] OneWaySync Issues

Joseph, Matthew (EXP) wrote:
> Hello,
>
> I'm trying to configure the oneWaySync option for IPA so only the Windows AD can replicate changes to IPA. When I use the command that I listed below it says it works, but when I delete a user from IPA it will then delete the user in Active Directory.
> [ snip ]
>
> dn: cn=ipa-winsync,cn=plugins,cn=config
> changetype: modify
> replace: oneWaySync
> oneWaySync: From Windows
>
> So I enter the following command:
>
> ldapmodify -x -D dc=redhat,dc=ca -w 12345678 -h rhserver.redhat.ca -f /tmp/unisync

There should be no space in oneWaySync, it should be fromWindows.

rob
Re: [Freeipa-users] Fedora 18 - FreeIPA + AD
On 1/21/13 9:44 AM, Sumit Bose wrote:
> This is not related to AD because it is still the step before establishing the trust, as Marco said below. The message
>
> Outdated Kerberos credentials. Use kdestroy and kinit to update your ticket
>
> indicates that we failed to connect to the local LDAP server. Maybe a ticket should be filed to mention the local LDAP server in the message?
>
> Marco, have you tried to run ipa-adtrust-install without the -a option? Can you try to access your local LDAP server with:
>
> # kinit admin
> # ldapsearch -H ldap://ipa-server.matrix.local -Y GSSAPI -b \
>   'dc=matrix,dc=local' -s base
>
> bye,
> Sumit

I tried to run ipa-adtrust-install without the -a option - it asks for the password - then I get the same error.

ldapsearch works fine (as long as I have a valid ticket):

snip___
Outdated Kerberos credentials. Use kdestroy and kinit to update your ticket
[root@ipa-server user]# klist
Ticket cache: DIR::/run/user/1000/krb5cc_508afa59f766b611435821eb50fee5d0/tktALmOIY
Default principal: admin@MATRIX.LOCAL

Valid starting     Expires            Service principal
01/22/13 20:20:56  01/23/13 20:20:56  krbtgt/MATRIX.LOCAL@MATRIX.LOCAL
[root@ipa-server user]# ldapsearch -H ldap://ipa-server.matrix.local -Y GSSAPI -b \
  'dc=matrix,dc=local' -s base
SASL/GSSAPI authentication started
SASL username: admin@MATRIX.LOCAL
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <dc=matrix,dc=local> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#

# matrix.local
dn: dc=matrix,dc=local
objectClass: top
objectClass: domain
objectClass: pilotObject
objectClass: domainRelatedObject
objectClass: nisDomainObject
dc: matrix
info: IPA V2.0
nisDomain: matrix.local
associatedDomain: matrix.local

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1
___snip

I will file a bug report ...

Thanks for the help so far.

> On Sun, Jan 20, 2013 at 02:24:36PM -0500, Dmitri Pal wrote:
> On 01/20/2013 05:01 AM, MaSch wrote:
> On 1/19/13 8:16 PM, Dmitri Pal wrote:
> What is the situation with the time on that box? Was the time and time zone set correctly? Is it a VM? Can it be that the time drifted in some way?
>
> The time zone is correct for my region (Europe/Berlin) as is the current time. It is a VM - running inside VMware Fusion 4 on OSX. I doubt that time drifted in between somehow in an unusual manner. I just tried again and checked:
>
> [root@ipa-server user]# klist
> Ticket cache: DIR::/run/user/1000/krb5cc_1f3f8ebeec8d053aa0a2f46e50fbb20c/tkt5LELnl
> Default principal: admin@MATRIX.LOCAL
>
> Valid starting     Expires            Service principal
> 01/20/13 10:47:56  01/21/13 10:47:56  krbtgt/MATRIX.LOCAL@MATRIX.LOCAL
> [root@ipa-server user]# date
> Sun Jan 20 10:51:07 CET 2013
> [root@ipa-server user]# ipa-adtrust-install --netbios-name=MATRIX -a mypassword1
> ...
> Outdated Kerberos credentials. Use kdestroy and kinit to update your ticket
> [root@ipa-server user]# date
> Sun Jan 20 10:51:12 CET 2013
>
> So the ipa-adtrust-install is issued while the krbtgt is valid. However, as before, kdestroy and a subsequent kinit don't help.
>
> Then it might be that the tgt is actually missing something that AD 2012 is now expecting and it is triggering a wrong message. Please file a ticket or BZ.
>
> On 1/19/13 10:44 PM, Dale Macartney wrote:
> Critical pre-req is definitely make sure DNS resolution is working in advance. It's always a killer. If you use IPA managed DNS, use the following.
>
> Thanks for the pointer Dale, but I don't even get that far to do the actual trust. And as far as I can tell, DNS is set up correctly locally. The resolv.conf points to the IPA server itself (this is automatically changed during installation), atm no forwarding is done and DNS resolution of the ipa-server and ipa-domain work on the ipa-server itself.
>
> Regards Marco
>
> On 01/19/2013 01:25 PM, MaSch wrote:
> Hello all,
>
> I'm trying to set up FreeIPA on Fedora 18 (Final) with AD integration on a test server. However I do not even get past the initial (local) steps described in:
> http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Add_trust_with_AD_domain
>
> The last step of the section "Install and configure IPA server" gives me the following error:
> Outdated Kerberos credentials. Use kdestroy and kinit to update your ticket
>
> However kdestroy followed by a consequent kinit admin does not help, I get the error again when trying to ipa-adtrust-install
>
> The ipaserver-install.log says:
> 2013-01-19T17:19:56Z DEBUG stderr=
> 2013-01-19T17:19:56Z DEBUG will use ip_address: 172.16.135.141
> 2013-01-19T17:19:56Z DEBUG Starting external process
> 2013-01-19T17:19:56Z DEBUG args=kinit admin
> 2013-01-19T17:19:57Z DEBUG Process finished, return code=0
> 2013-01-19T17:19:57Z DEBUG stdout=Password for admin@MATRIX.LOCAL:
> 2013-01-19T17:19:57Z DEBUG stderr=
> 2013-01-19T17:19:57Z INFO File
[Freeipa-users] Starting from scratch migrating users?
We've got a freeipa system installed, but it's experiencing some bugs. I suspect some of it came from adding and removing a replica, as well as upgrading from prior versions. (we're on centos 6.3 now)

We're about to do a datacenter rebuild and move, and I'd like to start from scratch, yet still import the users and their passwords. I suspect we can just do a clean build in the new site, and just do a migrate of the users via the ldap method.

Thoughts?

I don't anticipate moving any hardware that's enrolled from site to site, so certs and the like shouldn't be a factor.

Matthew Barr
Technical Architect
E: mb...@snap-interactive.com
AIM: matthewbarr1
c: (646) 727-0535
[Freeipa-users] Some interrogations about the freeipa deployment
Hi *,

I plan to review the network architecture of my office. 10 Windows/Linux desktops and 2 Linux servers will be deployed on the network. I want to install freeipa on the first server to act like an AD DS. I want to authenticate users on the server and control what can and cannot be done by them on the network.

10 other Linux web servers should be accessible (console) by specific users and without the need to authenticate again (single sign on). On these web servers, users can issue specific commands like /etc/init.d/httpd restart.

Is it possible to achieve this with freeipa? Do you have some articles?

Thanks in advance,
Bob!
Re: [Freeipa-users] Some interrogations about the freeipa deployment
Hi,

I have all done this, so from what you write I think IPA would be a good fit for what you want, except that the single sign on bit I have not looked to see if that can be done.

For http restart you control that via sudo in IPA so it's centrally managed; I have this working for one such server though I use the reload option instead.

I would also not run one instance of IPA myself but with such a small site that's your call.

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________________
From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Bob Sauvage [bob.sauv...@gmx.fr]
Sent: Wednesday, 23 January 2013 9:51 a.m.
To: freeipa-users@redhat.com
Subject: [Freeipa-users] Some interrogations about the freeipa deployment

Hi *,

I plan to review the network architecture of my office. 10 Windows/Linux desktops and 2 Linux servers will be deployed on the network. I want to install freeipa on the first server to act like an AD DS. I want to authenticate users on the server and control what can and cannot be done by them on the network.

10 other Linux web servers should be accessible (console) by specific users and without the need to authenticate again (single sign on). On these web servers, users can issue specific commands like /etc/init.d/httpd restart.

Is it possible to achieve this with freeipa? Do you have some articles?

Thanks in advance,
Bob!
Re: [Freeipa-users] Some interrogations about the freeipa deployment
On 01/22/2013 09:51 PM, Steven Jones wrote:
> Hi,
>
> I have all done this, so from what you write I think IPA would be a good fit for what you want, except that the single sign on bit I have not looked to see if that can be done.
>
> For http restart you control that via sudo in IPA so it's centrally managed; I have this working for one such server though I use the reload option instead.

To enable SSO with SSH from an IPA workstation, just edit /etc/ssh/sshd_config and make sure the line below is set to yes:

GSSAPIAuthentication yes

If you've just made the change, it won't take effect until SSH is restarted. So do the usual "service sshd restart".

> I would also not run one instance of IPA myself but with such a small site that's your call.
>
> regards
>
> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
> 0064 4 463 6272
>
> ________________________________________
> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Bob Sauvage [bob.sauv...@gmx.fr]
> Sent: Wednesday, 23 January 2013 9:51 a.m.
> To: freeipa-users@redhat.com
> Subject: [Freeipa-users] Some interrogations about the freeipa deployment
>
> Hi *,
>
> I plan to review the network architecture of my office. 10 Windows/Linux desktops and 2 Linux servers will be deployed on the network. I want to install freeipa on the first server to act like an AD DS. I want to authenticate users on the server and control what can and cannot be done by them on the network.
>
> 10 other Linux web servers should be accessible (console) by specific users and without the need to authenticate again (single sign on). On these web servers, users can issue specific commands like /etc/init.d/httpd restart.
>
> Is it possible to achieve this with freeipa? Do you have some articles?
>
> Thanks in advance,
> Bob!
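A check worth running after editing sshd_config, added here and not part of the message above: sshd keeps the first value it reads for a keyword, and every line after a Match directive applies only to matching connections, so a GSSAPIAuthentication yes appended to the end of the file can silently do nothing. This Python snippet reproduces those two rules for a single keyword and reports whether the global setting is really yes (sshd's compiled-in default is no); the sample configurations are constructed.

```python
import re


def effective_sshd_option(config_text, keyword):
    """Return (value, warnings) for one sshd_config keyword.

    Mirrors two sshd parsing rules: the first occurrence of a keyword wins, and
    lines after a 'Match' directive apply only to connections that match, so
    they never change the global value."""
    keyword = keyword.lower()
    value, warnings, match_ctx = None, [], None
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r'[\s=]+', line, maxsplit=1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        arg = parts[1].strip() if len(parts) > 1 else ''
        if key == 'match':
            match_ctx = arg                          # everything below is conditional
            continue
        if key != keyword:
            continue
        if match_ctx is not None:
            warnings.append('line %d: "%s" is inside "Match %s" and does not apply globally'
                            % (lineno, line, match_ctx))
        elif value is None:
            value = arg                              # first occurrence wins
        else:
            warnings.append('line %d: "%s" ignored, first occurrence (%s) wins'
                            % (lineno, line, value))
    return value, warnings


def gssapi_sso_ready(config_text):
    """True when GSSAPIAuthentication is effectively 'yes' for all connections."""
    value, warnings = effective_sshd_option(config_text, 'GSSAPIAuthentication')
    if value is None:
        value = 'no'                                 # sshd's compiled-in default
        warnings.append('GSSAPIAuthentication not set globally; default is no')
    return value.lower() == 'yes', warnings


# Constructed sample: looks fixed, but the appended 'yes' is never used.
SAMPLE_APPENDED = """\
Port 22
GSSAPIAuthentication no
# appended by hand after reading the mailing list
GSSAPIAuthentication yes
"""

if __name__ == '__main__':
    ok, warns = gssapi_sso_ready(SAMPLE_APPENDED)
    print('GSSAPI SSO ready:', ok)
    for w in warns:
        print(' ', w)
```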
Re: [Freeipa-users] Starting from scratch migrating users?
On 01/22/2013 03:39 PM, Matthew Barr wrote:
> We've got a freeipa system installed, but it's experiencing some bugs. I suspect some of it came from adding and removing a replica, as well as upgrading from prior versions. (we're on centos 6.3 now)
>
> We're about to do a datacenter rebuild and move, and I'd like to start from scratch, yet still import the users and their passwords. I suspect we can just do a clean build in the new site, and just do a migrate of the users via the ldap method.

Which exactly LDAP method? ldif dump and load? This would not work well unless you also manage to move certs and kerberos master key over which is really hard.

> Thoughts?
>
> I don't anticipate moving any hardware that's enrolled from site to site, so certs and the like shouldn't be a factor.

If, instead of dump and load, you install a new IPA server, it will not have any old data and will have new certs and kerberos keys. You would have to re-enroll all your clients once again. Users would have to deal with the password change after you read in users using ipa migrate-ds. Other information also would have to be precreated using ipa commands but this can be scripted by taking an LDIF and creating a series of ipa commands to add data into the new instance.

> Matthew Barr
> Technical Architect
> E: mb...@snap-interactive.com
> AIM: matthewbarr1
> c: (646) 727-0535

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-users] Starting from scratch migrating users?
On Jan 22, 2013, at 5:15 PM, Dmitri Pal <d...@redhat.com> wrote:
> Which exactly LDAP method? ldif dump and load? This would not work well unless you also manage to move certs and kerberos master key over which is really hard.

I was assuming the ipa migrate-ds.

>> Thoughts?
>>
>> I don't anticipate moving any hardware that's enrolled from site to site, so certs and the like shouldn't be a factor.
>
> If, instead of dump and load, you install a new IPA server, it will not have any old data and will have new certs and kerberos keys. You would have to re-enroll all your clients once again. Users would have to deal with the password change after you read in users using ipa migrate-ds. Other information also would have to be precreated using ipa commands but this can be scripted by taking an LDIF and creating a series of ipa commands to add data into the new instance.

I intend to re-enroll all clients. Only clients in the new site will be in the system. Most of my users (25 users) use linux, and sssd will take care of most of the kerberos hashes. The rest - 10-15 users - can be told to login to the migrate LDAP page, later on in the migration. We've got very little other information in IPA, so it's not a huge issue.

I thought this might be easier than trying to clean up old crud, and moving the master IPA server. There doesn't seem to be a very good process for moving all the components to a new master easily.

Thanks!
Re: [Freeipa-users] Starting from scratch migrating users?
On 01/22/2013 06:28 PM, Matthew Barr wrote:
> On Jan 22, 2013, at 5:15 PM, Dmitri Pal <d...@redhat.com> wrote:
>> Which exactly LDAP method? ldif dump and load? This would not work well unless you also manage to move certs and kerberos master key over which is really hard.
>
> I was assuming the ipa migrate-ds.
>
>>> Thoughts?
>>>
>>> I don't anticipate moving any hardware that's enrolled from site to site, so certs and the like shouldn't be a factor.
>>
>> If, instead of dump and load, you install a new IPA server, it will not have any old data and will have new certs and kerberos keys. You would have to re-enroll all your clients once again. Users would have to deal with the password change after you read in users using ipa migrate-ds. Other information also would have to be precreated using ipa commands but this can be scripted by taking an LDIF and creating a series of ipa commands to add data into the new instance.
>
> I intend to re-enroll all clients. Only clients in the new site will be in the system. Most of my users (25 users) use linux, and sssd will take care of most of the kerberos hashes. The rest - 10-15 users - can be told to login to the migrate LDAP page, later on in the migration. We've got very little other information in IPA, so it's not a huge issue.
>
> I thought this might be easier than trying to clean up old crud, and moving the master IPA server. There doesn't seem to be a very good process for moving all the components to a new master easily.
>
> Thanks!

You are correct. There is no good process to move data over but it seems that you thought through things very well. You described the same sequence as I would recommend at the moment to anyone who wants to move from one IPA instance into a completely new one.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
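Dmitri's suggestion of turning an LDIF export into a series of ipa commands, as an added example that is not from the thread or from the FreeIPA project: a minimal LDIF reader (continuation lines, base64 "::" values, multi-valued attributes) that emits ipa user-add, group-add and group-add-member lines for posixAccount and posixGroup entries, with every value shell-quoted because the export is untrusted input. It covers the "other information" (users and groups), not passwords, which still go through ipa migrate-ds or the migration page as discussed above; the sample LDIF is constructed.

```python
import base64
import shlex

# Constructed sample export; no real directory data.
SAMPLE_LDIF = """\
# users and one group, as exported from the old instance
dn: uid=jdoe,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
uid: jdoe
givenName: John
sn: Doe
mail: jdoe@example.com
uidNumber: 1001
gidNumber: 1001
loginShell: /bin/bash

dn: uid=zoe,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
uid: zoe
givenName:: Wm/Dqw==
sn: O'Brien
uidNumber: 1002
gidNumber: 1002

dn: uid=broken,ou=people,dc=example,dc=com
objectClass: posixAccount
uid: broken
uidNumber: 1003

dn: cn=developers,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: developers
gidNumber: 2000
description: Developers who may
  restart httpd
memberUid: jdoe
memberUid: zoe
"""


def parse_ldif(text):
    """Minimal LDIF reader: joins continuation lines, decodes '::' base64 values,
    keeps multi-valued attributes. Returns [(dn, {attr_lowercase: [values]})]."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(' ') and lines:
            lines[-1] += raw[1:]               # continuation line
        else:
            lines.append(raw)
    entries, dn, attrs = [], None, {}
    for line in lines + ['']:                  # trailing '' flushes the last entry
        if not line.strip():
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        if line.startswith('#'):
            continue
        key, _, val = line.partition(':')
        key = key.strip().lower()
        if val.startswith(':'):
            val = base64.b64decode(val[1:].strip()).decode('utf-8')
        else:
            val = val.strip()
        if key == 'dn':
            dn = val
        else:
            attrs.setdefault(key, []).append(val)
    return entries


def ldif_to_ipa_commands(text):
    """Emit ipa CLI lines for posixAccount and posixGroup entries.
    Returns (commands, skipped_dns); users come first so membership resolves."""
    users, groups, skipped = [], [], []

    def q(args):
        # values come from an untrusted export: quote every argument for the shell
        return ' '.join(shlex.quote(a) for a in args)

    for dn, a in parse_ldif(text):
        oc = {v.lower() for v in a.get('objectclass', [])}
        if 'posixaccount' in oc:
            if not ('uid' in a and 'givenname' in a and 'sn' in a):
                skipped.append(dn)             # ipa user-add needs login, --first, --last
                continue
            cmd = ['ipa', 'user-add', a['uid'][0],
                   '--first=' + a['givenname'][0], '--last=' + a['sn'][0]]
            for attr, opt in (('mail', '--email='), ('uidnumber', '--uid='),
                              ('gidnumber', '--gidnumber='), ('loginshell', '--shell=')):
                if attr in a:
                    cmd.append(opt + a[attr][0])
            users.append(q(cmd))
        elif 'posixgroup' in oc and 'cn' in a:
            name = a['cn'][0]
            cmd = ['ipa', 'group-add', name]
            if 'gidnumber' in a:
                cmd.append('--gid=' + a['gidnumber'][0])
            if 'description' in a:
                cmd.append('--desc=' + a['description'][0])
            groups.append(q(cmd))
            if 'memberuid' in a:
                groups.append(q(['ipa', 'group-add-member', name,
                                 '--users=' + ','.join(a['memberuid'])]))
    return users + groups, skipped


if __name__ == '__main__':
    cmds, skipped = ldif_to_ipa_commands(SAMPLE_LDIF)
    print('\n'.join(cmds))
    for dn in skipped:
        print('# skipped (missing givenName/sn):', dn)
```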
Re: [Freeipa-users] Managing jboss through sudo
On Wed, Jan 16, 2013 at 08:18:12PM -0500, Dmitri Pal wrote:

> On 01/16/2013 07:30 PM, William Muriithi wrote:
>
>> Hello
>>
>> I am trying to set up dev systems and want to only allow developers to modify the jboss directory tree, shutdown and restart jboss. This is mainly so that the dev systems don't deviate from the qa and production machines. The directory permissions are fine, but I am having a problem with stopping and restarting jboss. (We are running jboss on port 80, so they would need root permission for it to bind on port 80). My other problem is that the jboss directory path is not the same across servers.

Wouldn't it be easier to have an init script for JBoss? This way, all you'd need is a sudo rule to allow devs to:

$ sudo service jboss (start|stop|status)

-- 
Primary key fingerprint: AD8F BDC0 5A2C FD5F A179 60E7 F79B AB04 5299 EC56
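As an added example (not code from the thread or from the FreeIPA project), the following POSIX shell script writes the sudo rule the reply above suggests as a sudoers drop-in: the developer group may run only the listed `service jboss` actions, with no wildcard that would let arbitrary arguments reach the init script, and the fragment is validated with `visudo -c -f` before it is installed. It assumes the init script is driven via `/sbin/service`, that the group is called `developers`, and that drop-ins live under `/etc/sudoers.d`; all three are assumptions, not values from the thread. The same rule can be expressed centrally as a FreeIPA sudo rule (`ipa sudocmd-add`, `ipa sudorule-add`, `ipa sudorule-add-allow-command`, `ipa sudorule-add-user`), which is what a FreeIPA deployment would normally use instead of a per-host file.

```shell
#!/bin/sh
# Added example: restrict a group to the JBoss init script via sudo.
# Assumptions (not from the thread): /sbin/service drives the init script,
# the group is "developers", and drop-ins go under /etc/sudoers.d.

# jboss_sudoers GROUP -> prints a sudoers fragment on stdout.
# Each permitted invocation is spelled out in full; no "*" anywhere.
jboss_sudoers() {
    group="${1:-developers}"
    printf '%s\n' \
        "# Members of %${group} may only start/stop/restart/status JBoss." \
        "Cmnd_Alias JBOSS_CTL = /sbin/service jboss start, /sbin/service jboss stop, /sbin/service jboss restart, /sbin/service jboss status" \
        "%${group} ALL = (root) JBOSS_CTL"
}

# check_sudoers_fragment FILE -> 0 if the fragment is acceptable, 1 otherwise.
# Rejects wildcards in the command alias (a developer could otherwise pass
# arbitrary arguments to the init script), then asks visudo to parse the
# file when visudo is installed on this host.
check_sudoers_fragment() {
    file="$1"
    if grep -q 'Cmnd_Alias.*[*]' "$file"; then
        return 1
    fi
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$file" >/dev/null 2>&1 || return 1
    fi
    return 0
}

# install_jboss_sudoers GROUP -> writes /etc/sudoers.d/jboss (needs root).
# The fragment is generated to a temp file and only copied into place with
# the 0440 mode sudo requires after it passed check_sudoers_fragment.
install_jboss_sudoers() {
    tmp=$(mktemp) || return 1
    jboss_sudoers "${1:-developers}" > "$tmp"
    if check_sudoers_fragment "$tmp"; then
        install -m 0440 -o root -g root "$tmp" /etc/sudoers.d/jboss
        rc=$?
    else
        echo "refusing to install: fragment failed validation" >&2
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}
```

Run `jboss_sudoers developers` to inspect the fragment, and `install_jboss_sudoers developers` as root to install it. Because the init script path (`/sbin/service jboss ...`) is fixed in the rule, the per-host JBoss directory mentioned in the question no longer matters to sudo: only the init script needs to know where JBoss lives on each server.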
Re: [Freeipa-users] FreeIPA Client Setup in Windows 7 Ubuntu
On Mon, Jan 21, 2013 at 07:37:39AM -0500, Dmitri Pal wrote:

> On 01/21/2013 04:45 AM, Vijay Thakur wrote:
>
>> Guide me about Ubuntu 12.04 as FreeIPA Client setting.
>
> I know there has been work done for Ubuntu, but unfortunately I do not have information on the state of this work.

Regarding Ubuntu, you can check, for example:

http://packages.ubuntu.com/search?suite=all&arch=any&searchon=names&keywords=freeipa
http://packages.ubuntu.com/search?suite=all&section=all&arch=any&keywords=389&searchon=names
http://packages.ubuntu.com/search?suite=all&section=all&arch=any&keywords=sssd&searchon=names

-- 
Primary key fingerprint: AD8F BDC0 5A2C FD5F A179 60E7 F79B AB04 5299 EC56
Re: [Freeipa-users] FreeIPA Client Setup in Windows 7 Ubuntu
> Date: Wed, 23 Jan 2013 08:28:57 +0100
> From: d.sastre.med...@gmail.com
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] FreeIPA Client Setup in Windows 7 Ubuntu
>
> On Mon, Jan 21, 2013 at 07:37:39AM -0500, Dmitri Pal wrote:
>
>> On 01/21/2013 04:45 AM, Vijay Thakur wrote:
>>
>>> Guide me about Ubuntu 12.04 as FreeIPA Client setting.
>>
>> I know there has been work done for Ubuntu, but unfortunately I do not have information on the state of this work.
>
> Regarding Ubuntu, you can check, for example:
>
> http://packages.ubuntu.com/search?suite=all&arch=any&searchon=names&keywords=freeipa
> http://packages.ubuntu.com/search?suite=all&section=all&arch=any&keywords=389&searchon=names
> http://packages.ubuntu.com/search?suite=all&section=all&arch=any&keywords=sssd&searchon=names
>
> -- 
> Primary key fingerprint: AD8F BDC0 5A2C FD5F A179 60E7 F79B AB04 5299 EC56

The current version of sssd in any version of Ubuntu is broken. The packaging needs to pass '--datadir=/usr/share' or '$(prefix)' will show up in some python files.

Bug report: https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1079938

Unfortunately, it still hasn't been fixed.

Xiao-Long Chen
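As an added example (not code from the thread, the Ubuntu package or SSSD), this POSIX shell check looks for the unexpanded build-time placeholder the message above describes, so an administrator can confirm whether an installed sssd package is affected before enrolling a client. It assumes the SSSD Python modules live under the directory passed as the first argument (on Ubuntu 12.04 that would typically be `/usr/lib/python2.7/dist-packages`; this path is an assumption, not from the thread). The sample tree built by `make_sample_tree` is constructed here for demonstration and is not real package content.

```shell
#!/bin/sh
# Added example: detect "$(prefix)" left unexpanded in installed Python files.
# Assumption (not from the thread): pass the dist-packages directory that
# holds the SSSD modules, e.g. /usr/lib/python2.7/dist-packages.

# find_unexpanded_prefix DIR -> prints each offending *.py file, one per line;
# returns 0 when the tree is clean and 1 when at least one file is affected.
# Both make-style $(prefix) and shell-style ${prefix} are matched, since
# either form means a build variable escaped into an installed file.
find_unexpanded_prefix() {
    hits=$(find "$1" -name '*.py' -exec grep -lE '\$[({]prefix[)}]' {} + 2>/dev/null)
    if [ -z "$hits" ]; then
        return 0
    fi
    printf '%s\n' "$hits"
    return 1
}

# make_sample_tree -> prints the path of a constructed sample tree with one
# clean module and one that carries the placeholder (demo input only).
make_sample_tree() {
    dir=$(mktemp -d) || return 1
    mkdir -p "$dir/SSSDConfig"
    printf 'CONFIG_PATH = "/usr/share/sssd/sssd.api.conf"\n' \
        > "$dir/SSSDConfig/good.py"
    printf 'CONFIG_PATH = "$(prefix)/share/sssd/sssd.api.conf"\n' \
        > "$dir/SSSDConfig/broken.py"
    printf '%s\n' "$dir"
}

# Stand-alone run: scan the directory given on the command line, or the
# constructed sample tree when no argument is supplied.
if [ "${0##*/}" != "sh" ] && [ -n "$SCAN_DIR$1" ]; then
    if find_unexpanded_prefix "${1:-$SCAN_DIR}"; then
        echo "no unexpanded \$(prefix) found"
    else
        echo "affected files listed above; see the bug report in the thread" >&2
    fi
fi
```

Usage: `sh check-sssd-prefix.sh /usr/lib/python2.7/dist-packages`. A non-zero exit status with file names printed means the installed sssd packaging is affected, and the configuration helpers in those modules will point at a non-existent `$(prefix)/share/...` path at run time.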
