Re: [Freeipa-users] Howto re-deploy an IPA-client using kickstart
And, using the ipa command is only possible on ipa clients. Although our Satellite server is an IPA client, I am (as of yet) unable to execute ipa commands from any ipa client prior to the re-install request from Satellite. There is, afaik, no such thing as a pre-reinstall hook or anything like that.

As for the ipa-host-mod --password=foo thing. You can first run the command

  ipa disable-host fqdn

and _then_ run

  ipa host-mod fqdn --password=foo

Kind regards,

Fred van Zwieten
Enterprise Open Source Services Consultant
(absent on Fridays)
VX Company IT Services B.V.
T (035) 539 09 50  mobile (06) 41 68 28 48
F (035) 539 09 08
E fvzwie...@vxcompany.com
I www.vxcompany.com

On Fri, Jan 25, 2013 at 3:40 AM, Simo Sorce s...@redhat.com wrote:
> On Thu, 2013-01-24 at 21:36 -0500, Matthew Barr wrote:
> > On Jan 24, 2013, at 6:53 PM, Dmitri Pal d...@redhat.com wrote:
> > > Yes you can set it again. This is how we envisioned the feature to be used. If it does not work it is a bug.
> >
> > ipa-server-2.2.0-16.el6.x86_64, Centos 6.3
> >
> > [mbarr@ipa ~]$ ipa host-mod wiki01.ayisnap.com --password=foo
> > ipa: ERROR: invalid 'password': Password cannot be set on enrolled host.
>
> Matthew, this is indeed the correct behavior, previous information from Dmitri was not correct. Once a host is enrolled you cannot reset the OTP password as that would effectively mean destroying the host's credentials while the host is enrolled.
> Currently the IPA workflow expects you unenroll the client first.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Trouble with ipa-server-install in Fedora 18
Can you confirm that using a password without % or ( in it resolves the issue?

On Thu, 2013-01-24 at 16:32 -0500, Rob Crittenden wrote:
> 小龙 陈 wrote:
> > Hi everyone,
> >
> > I have been having trouble getting FreeIPA set up on Fedora 18. ipa-server-install keeps failing at the "[2/20]: configuring certificate server instance" stage. This is on a fresh Fedora 18 virtual machine. I never had any issues on any of the Fedora 18 prereleases.
> >
> > ipa-server-install output: http://paste.kde.org/655916/raw/
> > rpm -qa | grep freeipa | sort: http://paste.kde.org/655928/raw/
> > /var/log/ipaserver-install.log: http://ompldr.org/vaDdsOA/ipaserver-install.log
> >
> > If I copy the pkispawn configuration from the log to /tmp/tmpZmif5T and run the failed command, I get: http://paste.kde.org/655940/raw/
> >
> > Does anyone know what could be the problem? I can't seem to find anything about that error.
>
> Looks like a bug in pki-core:
>
> 2013-01-24T20:18:55Z DEBUG stderr=Traceback (most recent call last):
>   File "/usr/sbin/pkispawn", line 220, in <module>
>     main(sys.argv)
>   File "/usr/sbin/pkispawn", line 158, in main
>     rv = parser.read_pki_configuration_file()
>   File "/usr/lib/python2.7/site-packages/pki/deployment/pkiparser.py", line 229, in read_pki_configuration_file
>     config.pki_subsystem_dict = dict(self.pki_config.items('CA'))
>   File "/usr/lib64/python2.7/ConfigParser.py", line 655, in items
>     for option in options]
>   File "/usr/lib64/python2.7/ConfigParser.py", line 691, in _interpolate
>     self._interpolate_some(option, L, rawval, section, vars, 1)
>   File "/usr/lib64/python2.7/ConfigParser.py", line 732, in _interpolate_some
>     "'%%' must be followed by '%%' or '(', found: %r" % (rest,))
> ConfigParser.InterpolationSyntaxError: '%' must be followed by '%' or '(', found: '%'
>
> If you are using % or ( in your DM password you might try a different password as a workaround.
>
> rob
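The traceback above is the classic ConfigParser pitfall: a secret is written into an INI-style file and then read back by a parser that treats `%` as the start of a `%(name)s` template reference. The following is an added example (not code from the thread or from pki-core) that reproduces the failure with Python 3's `configparser`, which raises the same `InterpolationSyntaxError`, and shows the two fixes a practitioner has: escape `%` as `%%` when writing the value, or, better, disable interpolation on the reading side so secrets are never run through a template engine. The section and option names are assumptions chosen for illustration.

```python
# Added example, not part of the thread: reproduce the '%' interpolation
# failure from the pkispawn traceback and show two ways around it.
import configparser

SECTION = "CA"
OPTION = "pki_ds_password"   # assumed option name, for illustration only


def _config_text(password):
    """Build a constructed, minimal deployment-style config file in memory."""
    return "[{}]\n{} = {}\n".format(SECTION, OPTION, password)


def load_with_interpolation(password):
    """Read the option the way pkispawn did: default interpolation enabled.

    A bare '%' in the value raises InterpolationSyntaxError; '%(' that is not
    a well-formed reference raises it too, and '%%' is silently collapsed to
    a single '%'. All interpolation errors derive from InterpolationError.
    """
    parser = configparser.ConfigParser()   # BasicInterpolation is the default
    parser.read_string(_config_text(password))
    return dict(parser.items(SECTION))[OPTION]


def interpolation_breaks(password):
    """True when an interpolating parser either fails on, or mangles, the value."""
    try:
        return load_with_interpolation(password) != password
    except configparser.InterpolationError:
        return True


def escape_for_configparser(password):
    """Workaround 1 (writer side): double every '%' so interpolation undoes it.

    '(' is only special when it follows a '%', so it needs no escaping itself.
    """
    return password.replace("%", "%%")


def load_raw(password):
    """Workaround 2 (reader side): disable interpolation for the whole parser.

    This is the correct fix for a deployment tool: secrets are opaque strings.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(_config_text(password))
    return parser.get(SECTION, OPTION)


if __name__ == "__main__":
    for pw in ("Secret1", "Sec%ret1", "Sec%(ret1", "Secret%%1"):
        print("{!r:12} breaks interpolating parser: {}".format(pw, interpolation_breaks(pw)))
    print(load_with_interpolation(escape_for_configparser("Sec%ret1")))
    print(load_raw("Sec%(ret1"))
```

Note the fourth probe: a password containing `%%` does not raise at all, it is silently shortened to a single `%`, which is the worse failure mode because the installer would then bind to the directory with the wrong password. Checking for `%` in a password before handing it to such a tool, or disabling interpolation in the tool, covers both cases.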
[Freeipa-users] Adding an IPA user that can't SSH?
I need to add a few users that can authenticate with IPA (LDAP, in some cases, kerberos in others), but can't SSH into hosts.

I'm guessing the best option is to use some sort of group restriction on the SSH /host side, vs anything else in IPA?

Thanks!
Re: [Freeipa-users] Howto re-deploy an IPA-client using kickstart
On 01/25/2013 03:35 AM, Fred van Zwieten wrote:
> And, using the ipa command is only possible on ipa clients. Although our Satellite server is an IPA client, I am (as of yet) unable to execute ipa commands from any ipa client prior to the re-install request from Satellite. There is, afaik, no such thing as a pre-reinstall hook or anything like that.

Can you please file an RFE against Satellite and pass it to us? It would be much easier for us to have a conversation with Satellite/Spacewalk community.

> As for the ipa-host-mod --password=foo thing. You can first run the command ipa disable-host fqdn and _then_ run ipa host-mod fqdn --password=foo

Yes this is what I meant. Sorry for confusion.

> [...]

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-users] Adding an IPA user that can't SSH?
On Fri, Jan 25, 2013 at 10:43 AM, Dmitri Pal d...@redhat.com wrote:
> AFAIK there is also some kind of no shell capability in SSH which might be useful in this case but I am not a specialist in this area.

You can do this a few ways, but the easiest (IMO) is something like this in sshd_config:

  Match User limited-user
      ForceCommand echo 'This is a non-interactive account'

This will cause that message to display if someone tries to log in with that account.
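A caveat worth checking on the `Match` / `ForceCommand` approach above: `ForceCommand` only replaces the session command. The account still authenticates, and unless the same `Match` block also turns off `AllowTcpForwarding`, `AllowAgentForwarding`, `X11Forwarding` and `PermitTunnel`, a user whose login prints the message can still open port forwards through the host. The following is an added example, not code from the thread or from OpenSSH, that goes a step beyond the text: it parses an sshd_config, resolves the effective settings for one user with sshd's precedence (first matching `Match` block wins over the global section, which wins over the compiled-in default), and reports which forwarding channels a `ForceCommand`-restricted account still has. The config text, the `limited-user` name and the `nologin-ipa` group are constructed for the example; only `User` and `Group` criteria are evaluated.

```python
# Added example, not from the thread or OpenSSH: resolve effective sshd_config
# settings for a user and audit ForceCommand-only restrictions.
import fnmatch

# Constructed sshd_config: the Match block from the thread plus a tighter one.
CONSTRUCTED_SSHD_CONFIG = """
PasswordAuthentication yes
AllowTcpForwarding yes

Match User limited-user
    ForceCommand echo 'This is a non-interactive account'

Match Group nologin-ipa
    ForceCommand /bin/false
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
    PermitTTY no
"""

# Compiled-in sshd defaults for the keywords audited here (sshd_config(5)).
DEFAULTS = {
    "forcecommand": "none",
    "allowtcpforwarding": "yes",
    "allowagentforwarding": "yes",
    "x11forwarding": "no",
    "permittunnel": "no",
    "permittty": "yes",
}


def parse_sshd_config(text):
    """Return (global_settings, match_blocks); keywords are lowercased.

    Each block is (criteria, settings). sshd keeps the first value given for a
    keyword within a scope, so a repeated keyword is ignored (setdefault).
    """
    global_settings, blocks = {}, []
    current = global_settings
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        args = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            words = args.split()
            if words == ["all"]:
                criteria = {"all": True}
            else:  # pairs of criterion and comma-separated patterns
                criteria = {c.lower(): p.split(",") for c, p in zip(words[0::2], words[1::2])}
            current = {}
            blocks.append((criteria, current))
        else:
            current.setdefault(keyword, args)
    return global_settings, blocks


def _matches(criteria, user, groups):
    """Evaluate User/Group criteria; any other criterion is treated as not matching."""
    if criteria.get("all"):
        return True
    for crit, patterns in criteria.items():
        if crit == "user":
            ok = any(fnmatch.fnmatchcase(user, p) for p in patterns)
        elif crit == "group":
            ok = any(fnmatch.fnmatchcase(g, p) for g in groups for p in patterns)
        else:
            ok = False
        if not ok:
            return False
    return True


def effective_settings(text, user, groups=()):
    """Resolve the audited keywords for a connection authenticating as `user`."""
    global_settings, blocks = parse_sshd_config(text)
    result = {}
    for key, default in DEFAULTS.items():
        for criteria, settings in blocks:
            if _matches(criteria, user, groups) and key in settings:
                result[key] = settings[key]
                break
        else:
            result[key] = global_settings.get(key, default)
    return result


def forwarding_gaps(text, user, groups=()):
    """None if the user is not ForceCommand-restricted; otherwise the list of
    forwarding channels that remain open despite the restriction."""
    eff = effective_settings(text, user, groups)
    if eff["forcecommand"] == "none":
        return None
    checks = (("AllowTcpForwarding", "allowtcpforwarding"), ("AllowAgentForwarding", "allowagentforwarding"),
              ("X11Forwarding", "x11forwarding"), ("PermitTunnel", "permittunnel"))
    return [name for name, key in checks if eff[key] != "no"]


if __name__ == "__main__":
    print(forwarding_gaps(CONSTRUCTED_SSHD_CONFIG, "limited-user"))
    print(forwarding_gaps(CONSTRUCTED_SSHD_CONFIG, "svc-backup", ("nologin-ipa",)))
```

Run against the constructed config, the thread's one-line `Match User` block leaves TCP and agent forwarding open for `limited-user`, while the `Match Group` block closes everything. Against a live host, `sshd -T -C user=<name>` prints the same effective values straight from sshd and is the authoritative check. On the IPA side, the equivalent control is an HBAC rule that does not grant the `sshd` service to those users, which SSSD enforces on every enrolled client before sshd's own configuration is consulted.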
Re: [Freeipa-users] Howto re-deploy an IPA-client using kickstart
Hi Matthew,

Yes, as said earlier

  ipa disable-host fqdn; ipa host-mod fqdn --password=foo

works flawlessly. The issue lies with attempting to reuse foo as the password, the IPA server prevents that (and rightly so) which complicates automation hence the RFE.

Charlie.

On Thu, Jan 24, 2013 at 4:34 PM, Matthew Barr mb...@snap-interactive.com wrote:
> Just reading this over, and the RFE, I've got another possible option.
>
> Our standard build uses a keytab of a user with permission to add a host, and that sets the OTP for the kickstart to use. Is it possible to reset the state of the host record to the state where it can use the same install command on an existing host record? Basically, set the OTP again?
>
> If I could run a single command to reset the state to allow the OTP to work it would work fairly well.. for example:
>
>   ipa host-mod wiki01.ayisnap.com --password=foo
>
> Background: We've got IPA and puppet. I have to purge the IPA host record and the puppet SSL keys, in order to regenerate them both. Satellite/Spacewalk allows for a rebuild command, but I'm not sure what Katello foreman will do in the future.
>
> Matthew Barr
> Technical Architect
> E: mb...@snap-interactive.com
> AIM: matthewbarr1
> c: (646) 727-0535
Re: [Freeipa-users] Howto re-deploy an IPA-client using kickstart
Hi Fred

Little unsure about what you mean here. What is it you're trying to do exactly? Do you mean you can't run IPA commands on your satellite server? Do you just need to install ipa-admin-tools? Do you mean IPA commands don't work on an IPA client until the client is enrolled? That would make sense as how else would the server authenticate the commands?

Jay

On Fri, Jan 25, 2013 at 8:35 AM, Fred van Zwieten fvzwie...@vxcompany.com wrote:
> And, using the ipa command is only possible on ipa clients. Although our Satellite server is an IPA client, I am (as of yet) unable to execute ipa commands from any ipa client prior to the re-install request from Satellite. There is, afaik, no such thing as a pre-reinstall hook or anything like that.
>
> As for the ipa-host-mod --password=foo thing. You can first run the command ipa disable-host fqdn and _then_ run ipa host-mod fqdn --password=foo
>
> [...]
Re: [Freeipa-users] Howto re-deploy an IPA-client using kickstart
On Sat, Jan 26, 2013 at 2:13 AM, Charlie Derwent shelltoesupers...@gmail.com wrote:
> Hi Fred
>
> Little unsure about what you mean here. What is it you're trying to do exactly? Do you mean you can't run IPA commands on your satellite server? Do you just need to install ipa-admin-tools? Do you mean IPA commands don't work on an IPA client until the client is enrolled? That would make sense as how else would the server authenticate the commands?

First of all, the RFE solves my problem. The discussion was how it might be solved without the RFE in my use case.

We redeploy systems using the Satellite Web UI. What Satellite basically does when requesting a re-install is scheduling a remote command on the system. This remote command is koan (kickstart-over-a-network). Koan (http://linux.die.net/man/1/koan) will prep the system so it will re-install at the next reboot using the correct kickstart profile, usually through PXE.

Now, this to-be-redeployed system is also an IPA client. In the kickstart file for this system we have ipa-client-install -w password --unattend etc. for unattended enrollment. The part that is missing is the unattended un-enrollment prior to the system's re-install. I am trying to find a place in the workflow up until the reboot-before-reinstall sequence to have a script started that does this. Koan would be the ideal candidate, but it does not give this possibility.

The RFE solves this problem. I can save the keytab before re-installation and get it back afterwards. Then I can call ipa-client-install with the old keytab to enroll the client, revoke the old keytab and get a new one in one go.

I have already also asked about this on the satellite-user mailing list.

Fred

On Fri, Jan 25, 2013 at 8:35 AM, Fred van Zwieten fvzwie...@vxcompany.com wrote:
> And, using the ipa command is only possible on ipa clients. Although our Satellite server is an IPA client, I am (as of yet) unable to execute ipa commands from any ipa client prior to the re-install request from Satellite. There is, afaik, no such thing as a pre-reinstall hook or anything like that.
>
> As for the ipa-host-mod --password=foo thing. You can first run the command ipa disable-host fqdn and _then_ run ipa host-mod fqdn --password=foo
>
> [...]
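The thread circles one invariant of the IPA host record: it carries either a pending one-time enrollment password or a live Kerberos keytab, never both, which is why `ipa host-mod --password` is refused on an enrolled host and why the disable-then-set sequence (Fred's and Charlie's messages) or the keytab-preserving re-enrollment (the RFE Fred describes) is needed. The following is an added example, not FreeIPA's code and not talking to any IPA server, that models that rule and both redeployment sequences so the ordering constraints can be exercised offline. The host name, the keytab identifiers and the OTP values are constructed; `host-disable` is the actual `ipa` command name for what the thread spells `disable-host`.

```python
# Added example, not FreeIPA code: a model of the host-credential rule
# ("Password cannot be set on enrolled host") and the two redeploy sequences.
import secrets


class EnrolledHostError(Exception):
    """Models the server refusing to set an OTP on an enrolled host."""


class HostRecord:
    """One host entry holding either a pending OTP or an issued keytab, never both."""

    def __init__(self, fqdn):
        self.fqdn = fqdn
        self.otp = None      # pending one-time enrollment password, if any
        self.keytab = None   # identifier of the issued host keytab, if any

    @property
    def enrolled(self):
        return self.keytab is not None

    def set_otp(self, otp):
        # ipa host-mod FQDN --password=...: refused while a keytab is live, since
        # an OTP reset would silently invalidate the host's current credentials.
        if self.enrolled:
            raise EnrolledHostError("invalid 'password': Password cannot be set on enrolled host.")
        self.otp = otp

    def disable(self):
        # ipa host-disable FQDN: revoke the keytab (and any pending OTP) so the
        # record can be reused for a fresh enrollment.
        self.keytab = None
        self.otp = None

    def enroll_with_otp(self, otp):
        # ipa-client-install -w OTP: the OTP is consumed and a keytab is issued.
        if self.otp is None or not secrets.compare_digest(self.otp, otp):
            raise PermissionError("bad or missing OTP for " + self.fqdn)
        self.otp = None
        self.keytab = "keytab-" + secrets.token_hex(4)   # constructed identifier
        return self.keytab

    def enroll_with_keytab(self, keytab):
        # The RFE route: re-enroll with the saved keytab; the old keytab is
        # retired and a new one issued in the same step, so the saved copy
        # becomes useless after the redeploy.
        if not self.enrolled or not secrets.compare_digest(self.keytab, keytab):
            raise PermissionError("keytab not valid for " + self.fqdn)
        self.keytab = "keytab-" + secrets.token_hex(4)
        return self.keytab


def redeploy_with_otp(host):
    """Disable-then-set sequence; returns the fresh OTP for the kickstart."""
    otp = secrets.token_urlsafe(16)   # never reuse an OTP across deployments
    host.disable()
    host.set_otp(otp)
    return otp


def walkthrough():
    """Exercise both sequences and return observations for checking."""
    host = HostRecord("wiki01.example.test")   # constructed host name
    host.set_otp("foo")
    first_keytab = host.enroll_with_otp("foo")
    try:
        host.set_otp("foo")
        refused = False
    except EnrolledHostError:
        refused = True
    otp = redeploy_with_otp(host)
    second_keytab = host.enroll_with_otp(otp)
    third_keytab = host.enroll_with_keytab(second_keytab)
    try:
        host.enroll_with_keytab(second_keytab)
        old_keytab_rejected = False
    except PermissionError:
        old_keytab_rejected = True
    return {
        "reset_refused_while_enrolled": refused,
        "keytabs_all_distinct": len({first_keytab, second_keytab, third_keytab}) == 3,
        "old_keytab_rejected_after_reenroll": old_keytab_rejected,
        "enrolled_at_end": host.enrolled,
    }


if __name__ == "__main__":
    print(walkthrough())
```

The model makes the automation problem from the thread concrete: whatever orchestrates the rebuild must run `disable` and `set_otp` with credentials that are allowed to do so, before the client reboots into kickstart, and the OTP it sets must be fresh for each run.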
Re: [Freeipa-users] Windows XP Client problem
Hi,

On Thu, Jan 24, 2013 at 01:36:04PM -0800, Eric Chennells wrote:
> [windows kerberos client]
> Is anyone aware of if there is an LDAP related configuration needed? It seems like only setting up the kerberos authentication is not enough.

The only working way with unmodified [1] Windows as client is for Windows to use Kerberos from IPA for authentication. Instead of LDAP the user data has to be created locally. So before doing the Kerberos configuration you have to be able to log into the account. After the Kerb. configuration you can authenticate with the IPA password.

Christian

[1] So no pgina etc. used, just native Windows