Re: [Freeipa-users] ipa-dns-install on a remote host?
On 5.7.2013 17:59, Schmitt, Christian wrote:
> Yeah, I know that feature, but when I have a view I need to declare two zone files (I need to create one by hand and the other will get created by ipa-dns). That's not exactly what I'm looking for, since some sites shall be the same on both sides, like domain.tld and www.domain.tld are the same on both sides. But domain.tld is also a FreeIPA domain, and intra.domain.tld should only be routed through clients, but stash.domain.tld and jira.domain.tld should have both, so that it is accessible through the internet but the local clients should use the local IPs. Isn't there a delegate-like feature? Or even a feature in FreeIPA that lets me delegate some entries only to internal hosts?
>
> 2013/7/5 Anthony Messina amess...@messinet.com
>> On Friday, July 05, 2013 04:18:37 PM Schmitt, Christian wrote:
>>> Btw. are there any tips by having a second nameserver (public) that just gives out the important/public hosts? Or is there a good way in having a domain configured twice? Like the internal IP for IPA users and the external IP for the people outside of the internal firewall?
>>
>> Unrelated to FreeIPA, BIND has support for views, which may accomplish this task for you:
>> http://ftp.isc.org/isc/bind9/cur/9.9/doc/arm/Bv9ARM.ch06.html#id2591409

Hello,

FreeIPA doesn't support BIND views. The simplest way to serve some records only to the internal network but not to the public Internet is this:

1. create public zone example.com, fill it with shared (public + internal) records
2. create internal zone 'in.example.com', configure zone delegation from example.com (NS+A records), add 'internal only' records
3. configure internal zone 'in.example.com' to accept queries only from internal network ($ ipa dnszone-mod in.example.com --allow-query='192.0.2.0/24;')

I believe that this solves the basic use case.

-- 
Petr^2 Spacek

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
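The three-step layout Petr describes can be modelled without a name server, which makes it easier to reason about what each kind of client actually sees. The following Python script is an added illustration, not FreeIPA or BIND code: it holds a constructed public zone example.com and a constructed delegated zone in.example.com with the allow-query ACL from step 3, and answers queries the way an authoritative server with recursion disabled would (ACL miss gives REFUSED before any record lookup, missing name gives NXDOMAIN). Record contents and client addresses are constructed documentation values.

```python
"""Model of the split-horizon layout from the reply above: a public zone
example.com holds shared records, a delegated sub-zone in.example.com holds
internal-only records and answers only clients inside an allow-query ACL.
Added illustration, not FreeIPA or BIND code; zone contents are constructed."""
import ipaddress

# Constructed sample data (names and addresses are documentation examples).
PUBLIC_ZONE = {
    "name": "example.com",
    "allow_query": ["0.0.0.0/0"],            # anyone may ask
    "records": {
        "example.com": ("A", "203.0.113.10"),
        "www.example.com": ("A", "203.0.113.10"),
        "jira.example.com": ("A", "203.0.113.20"),   # public address
    },
}
INTERNAL_ZONE = {
    "name": "in.example.com",
    "allow_query": ["192.0.2.0/24"],         # ipa dnszone-mod ... --allow-query
    "records": {
        "jira.in.example.com": ("A", "192.0.2.20"),  # internal address
        "intra.in.example.com": ("A", "192.0.2.30"),
    },
}
ZONES = [INTERNAL_ZONE, PUBLIC_ZONE]         # most specific zone first


def zone_for(name):
    """Pick the zone whose apex is the longest suffix of the queried name."""
    for zone in ZONES:
        apex = zone["name"]
        if name == apex or name.endswith("." + apex):
            return zone
    return None


def client_allowed(zone, client_ip):
    """Evaluate the zone's allow-query list against the client address."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(acl) for acl in zone["allow_query"])


def resolve(name, client_ip):
    """Return (rcode, rdata) a client would get for `name`.
    An ACL miss yields REFUSED before any lookup, so a refused client learns
    nothing about which names exist inside the internal zone."""
    name = name.rstrip(".").lower()
    zone = zone_for(name)
    if zone is None:
        return ("REFUSED", None)             # not authoritative, no recursion
    if not client_allowed(zone, client_ip):
        return ("REFUSED", None)
    rr = zone["records"].get(name)
    if rr is None:
        return ("NXDOMAIN", None)
    return ("NOERROR", rr)


if __name__ == "__main__":
    for qname, ip in [("www.example.com", "198.51.100.7"),
                      ("jira.in.example.com", "198.51.100.7"),
                      ("jira.in.example.com", "192.0.2.77")]:
        print(qname, "from", ip, "->", resolve(qname, ip))
```

One property worth noticing: an outside client asking for anything under in.example.com receives REFUSED rather than NXDOMAIN, so the existence of an internal zone is not hidden, only its contents are. That is usually acceptable, but it is the reason the internal-only names should live in the delegated zone rather than being mixed into example.com with an ACL on the whole zone.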
[Freeipa-users] Virtual Machines??
Hello,

Is there currently a good way to install FreeIPA or IdM in virtual machines? Currently we have some Windows Hyper-V hypervisors, since we are planning to buy some Dell hardware that can't run Linux yet, the Dell VRTX. Also we want to reuse our Windows Server Datacenter licenses.

Is there a good way to do it? At the moment I tried it, but I get a lot of problems when trying to log in; I think that happens because of the NTP server.
Re: [Freeipa-users] Replicate on Servers with different Version (Minor)
Stephen Ingram wrote:
> On Sun, Jul 7, 2013 at 2:11 PM, Schmitt, Christian <c.schm...@briefdomain.de> wrote:
>> Hello, is it possible to replicate FreeIPA Server with different minor versions? Currently we are running a FreeIPA Server on Fedora 19, since CentOS/RHEL only has a FreeIPA 2.X Server and we wanted the features of FreeIPA 3.X. Would it be possible to replicate that Server to a Red Hat Enterprise Linux 7 FreeIPA Server when it arrives, when the minor version is different and it is a 3.X Server? Or does the major, minor need to be completely the same?
>
> Actually RHEL 6.4 has version 3.0.x of IPA. I was told that after the release of RHEL 7, there will be a RHEL 6.x version of IPA (3.0.?) that will support replication up to RHEL 7 (most likely version 3.2.x, 3.3.x or wherever they get to before RHEL 7 release). I'm not sure about replication from a Fedora IPA release to a RHEL release.

That is correct. Replication between versions is a way to bridge from one release to another. One can create an agreement from a lower to a higher version, but not the other way around. It is expected that users will quickly migrate all masters from the old version to the new one (days or weeks, not months).

rob
Re: [Freeipa-users] Virtual Machines??
On Mon, Jul 08, 2013 at 03:49:03PM +0200, Schmitt, Christian wrote:
> Hello,
>
> Is there currently a good way to install FreeIPA or IdM in virtual machines? Currently we have some Windows Hyper-V hypervisors, since we are planning to buy some Dell hardware that can't run Linux yet, the Dell VRTX. Also we want to reuse our Windows Server Datacenter licenses.
>
> Is there a good way to do it? At the moment I tried it, but I get a lot of problems when trying to log in; I think that happens because of the NTP server.

Can you post the errors you are seeing? In general yes, you want to have the servers and clients synchronized (although recent Kerberos releases are more forgiving in this respect).
[Freeipa-users] Glaring hole in AIX telnet regarding HBAC rules
We've just discovered that AIX does not honor HBAC rules with telnet. ssh is fine.

[jebalicki@mo0033802 ~]$ ipa hbactest --user=testuser --host=sla765q1.unix.magellanhealth.com --service=sshd
--------------------
Access granted: False
--------------------

There was no telnet service by default, I created one (but I'm not sure I did so correctly.)

[jebalicki@mo0033802 ~]$ ipa hbactest --user=testuser --host=sla765q1.unix.magellanhealth.com --service=telnet
--------------------
Access granted: False
--------------------

[jebalicki@mo0033802 ~]$ ipa hbactest --user=testuser --host=sla765q1.unix.magellanhealth.com
Service: any
--------------------
Access granted: False
--------------------

[jebalicki@mo0033802 ~]$ ipa hbactest --user=testuser --host=sla765q1.unix.magellanhealth.com --service=login
--------------------
Access granted: False
--------------------

But:

[jebalicki@mo0033802 ~]$ telnet sla765q1
Trying 10.200.5.137...
Connected to sla765q1.
Escape character is '^]'.

telnet (sla765q1.unix.magellanhealth.com)
[login banner and blank lines removed]
AIX Version 6
Copyright IBM Corporation, 1982, 2011.
login: testuser
testuser's Password:
-bash-3.2$ logout
Connection closed by foreign host.

AIX was configured with standard authentication at first:

r...@sla765q1.unix.magellanhealth.com:/etc/security/ldap # lsauthent
Standard Aix

But I changed that to add kerberos:

r...@sla765q1.unix.magellanhealth.com:/etc/security/ldap # lsauthent
Kerberos 5
Standard Aix

However, all that does is cause kerberos to time out on the invalid user and then fall back to allowing the user in anyway.

I'm still investigating to see if this is an implementation problem, or if AIX is just incapable of this. I continue to lobby for turning off telnet, but there is political pressure to keep it open.

Anyone have any ideas for things I could try?

Thanks,

--Jason

-- 
The government is going to read our mail anyway, might as well make it tough for them.
GPG Public key ID: B6A1A7C6
Re: [Freeipa-users] Glaring hole in AIX telnet regarding HBAC rules
KodaK wrote:
> We've just discovered that AIX does not honor HBAC rules with telnet. ssh is fine.
>
> [jebalicki@mo0033802 ~]$ ipa hbactest --user=testuser --host=sla765q1.unix.magellanhealth.com --service=sshd
> --------------------
> Access granted: False
> --------------------
>
> There was no telnet service by default, I created one (but I'm not sure I did so correctly.)
>
> [jebalicki@mo0033802 ~]$ ipa hbactest --user=testuser --host=sla765q1.unix.magellanhealth.com --service=telnet
> --------------------
> Access granted: False
> --------------------
>
> [jebalicki@mo0033802 ~]$ ipa hbactest --user=testuser --host=sla765q1.unix.magellanhealth.com
> Service: any
> --------------------
> Access granted: False
> --------------------
>
> [jebalicki@mo0033802 ~]$ ipa hbactest --user=testuser --host=sla765q1.unix.magellanhealth.com --service=login
> --------------------
> Access granted: False
> --------------------
>
> But:
>
> [jebalicki@mo0033802 ~]$ telnet sla765q1
> Trying 10.200.5.137...
> Connected to sla765q1.
> Escape character is '^]'.
>
> telnet (sla765q1.unix.magellanhealth.com)
> [login banner and blank lines removed]
> AIX Version 6
> Copyright IBM Corporation, 1982, 2011.
> login: testuser
> testuser's Password:
> -bash-3.2$ logout
> Connection closed by foreign host.
>
> AIX was configured with standard authentication at first:
>
> r...@sla765q1.unix.magellanhealth.com:/etc/security/ldap # lsauthent
> Standard Aix
>
> But I changed that to add kerberos:
>
> r...@sla765q1.unix.magellanhealth.com:/etc/security/ldap # lsauthent
> Kerberos 5
> Standard Aix
>
> However, all that does is cause kerberos to time out on the invalid user and then fall back to allowing the user in anyway.
>
> I'm still investigating to see if this is an implementation problem, or if AIX is just incapable of this. I continue to lobby for turning off telnet, but there is political pressure to keep it open.
>
> Anyone have any ideas for things I could try?

HBAC is enforced by sssd, so no sssd, no HBAC.

I think you need to use pam_access to limit users in AIX.

rob
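To make Rob's pam_access suggestion concrete, here is an added Python model (not the pam_access source and not anything from the thread) of how an access.conf rule list is evaluated: rules are `permission : users/groups : origins`, the first rule whose user and origin fields both match decides, and if nothing matches access is granted, which is why a trailing `- : ALL : ALL` is needed. The rule set, the user names and the group memberships are constructed; the supported subset is `+`/`-`, user names, `(group)` names and `ALL` in the user field, and `ALL`, `LOCAL`, exact host names and CIDR blocks in the origin field (`EXCEPT` lists are not modelled).

```python
"""Simplified evaluator for pam_access-style access.conf rules. Added
illustration of first-match-wins evaluation, not the pam_access source.
The rule set, users and group memberships below are constructed."""
import ipaddress

# Constructed group database standing in for getgrnam()/getgrouplist().
GROUPS = {"ops": {"alice", "bob"}, "staff": {"carol"}}

ACCESS_CONF = """
# constructed rule set: ops group from the management network, anyone on a
# local console, everything else denied
+ : (ops) : 192.0.2.0/24
+ : ALL : LOCAL
- : ALL : ALL
"""


def parse_rules(text):
    """Parse 'perm : users : origins' lines into (allow, [users], [origins])."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":", 2)]
        if len(fields) != 3 or fields[0] not in ("+", "-"):
            raise ValueError("malformed access.conf rule: %r" % raw)
        perm, users, origins = fields
        rules.append((perm == "+", users.split(), origins.split()))
    return rules


def user_matches(item, user):
    if item == "ALL":
        return True
    if item.startswith("(") and item.endswith(")"):   # explicit group
        return user in GROUPS.get(item[1:-1], set())
    return item == user


def origin_matches(item, origin):
    if item == "ALL":
        return True
    if item == "LOCAL":
        # pam_access: LOCAL matches an origin without a dot, i.e. a tty/console
        return "." not in origin
    if "/" in item:                                    # CIDR block
        try:
            return ipaddress.ip_address(origin) in ipaddress.ip_network(item, strict=False)
        except ValueError:                             # origin is not an address
            return False
    return item.lower() == origin.lower()              # exact host name


def access_allowed(rules, user, origin):
    """First rule whose user and origin fields both match decides.
    No match at all means access is granted, as in pam_access."""
    for allow, users, origins in rules:
        if any(user_matches(u, user) for u in users) and \
           any(origin_matches(o, origin) for o in origins):
            return allow
    return True


if __name__ == "__main__":
    rules = parse_rules(ACCESS_CONF)
    for user, origin in [("alice", "192.0.2.15"), ("carol", "192.0.2.15"),
                         ("carol", "tty1"), ("testuser", "10.200.5.1")]:
        print(user, origin, "allowed" if access_allowed(rules, user, origin) else "denied")
```

Two caveats follow from the model. The decision is made by the PAM stack, not by the service, so it applies to telnet, login and ssh alike only if each of those actually runs through PAM on the host (on AIX that is governed by the auth_type setting in /etc/security/login.cfg, which is worth verifying before trusting the rule set). And because the default outcome is "allow", a typo that makes no rule match silently opens the host, so the catch-all deny line should never be left out.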
[Freeipa-users] What happened to my {cacert,kdc}.pem files?
We had to shut down our FreeIPA server and move it. When I brought it back up again today (all same IPs, network, etc), it failed to come up. I see lots of various forms of the following messages when trying to start the ipa, named, and other services:

Failed to init credentials (Cannot contact any KDC for realm ...
startup - The default password storage scheme SSHA could not be read or was not found in the file /etc/dirsrv/slapd-TESTREALM.COM/dse.ldif. It is mandatory.
startup - The default password storage scheme SSHA could not be read or was not found in the file /etc/dirsrv/slapd-PKI-IPA/dse.ldif. It is mandatory.
krb5kdc: Server error - while fetching master key K/M for realm TESTREALM.COM
kinit: Cannot contact any KDC for realm 'TESTREALM.COM' while getting initial credentials

From what I can surmise after seeing these, something in kerberos is messed up. I don't know for sure if it is related, but I see that the files referenced in /var/kerberos/krb5kdc/kdc.conf are not there. In particular,

pkinit_identity = FILE:/var/kerberos/krb5kdc/kdc.pem
pkinit_anchors = FILE:/var/kerberos/krb5kdc/cacert.pem

If this is likely the case (or perhaps just the first thing I've run into that is wrong), how do I go about recovering them? I've tried (with fingers crossed) yum reinstall freeipa-server and yum update freeipa-server hoping that they'd see the need to fix this. They didn't. Still get the same errors.

Is there some backdoor way to recreate these files from elsewhere in the install? Perhaps buried in the 389 directory server's database and accessible using db4.4_dump or some other tools? If there is no way to recreate them, is there a way to reassert new keys without having to start all over? And if I have to start all over, is there any way to extract some of the records from the dir DB so I can reload them with a new server?

Thanks for any suggestions/guidance,

Brian
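The one concrete finding in Brian's report (kdc.conf points at PKINIT files that are no longer on disk) is the kind of thing a preflight check can catch before the services are started. The script below is an added illustration, not FreeIPA code: it parses the krb5 profile format far enough to track `[section]` headers and `NAME = { ... }` nesting, collects every `pkinit_identity`, `pkinit_anchors` and `pkinit_pool` value that uses the `FILE:` form, and reports the paths that do not exist. The sample configuration is constructed; only the realm name TESTREALM.COM and the two file paths are taken from the message above. The `exists` callable is injectable so the check can be exercised without touching the real filesystem.

```python
"""Preflight check: find PKINIT FILE: references in a kdc.conf that point at
files which are not present. Added illustration, not FreeIPA code. The
sample configuration is constructed around the paths from the report."""
import os
import re

SAMPLE_KDC_CONF = """\
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 TESTREALM.COM = {
  master_key_type = aes256-cts
  pkinit_identity = FILE:/var/kerberos/krb5kdc/kdc.pem
  pkinit_anchors = FILE:/var/kerberos/krb5kdc/cacert.pem
 }
"""

PKINIT_KEYS = ("pkinit_identity", "pkinit_anchors", "pkinit_pool")


def pkinit_file_refs(conf_text):
    """Return (section_path, key, path) for every FILE: value of a PKINIT key.
    section_path is e.g. 'realms/TESTREALM.COM' so the realm is reported."""
    refs = []
    path_stack = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:                                 # new top-level section
            path_stack = [header.group(1)]
            continue
        if line == "}":                            # close a NAME = { block
            if len(path_stack) > 1:
                path_stack.pop()
            continue
        if "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if value == "{":                           # open a NAME = { block
            path_stack.append(key)
            continue
        if key in PKINIT_KEYS and value.upper().startswith("FILE:"):
            # FILE:cert[,key] names one or two files; both must be present
            for path in value[5:].split(","):
                refs.append(("/".join(path_stack), key, path.strip()))
    return refs


def missing_pkinit_files(conf_text, exists=os.path.exists):
    """Return the references whose file is absent on disk."""
    return [ref for ref in pkinit_file_refs(conf_text) if not exists(ref[2])]


if __name__ == "__main__":
    # Reads the constructed sample; point conf_text at a real kdc.conf to use it.
    for section, key, path in missing_pkinit_files(SAMPLE_KDC_CONF):
        print("missing: %s (%s in %s)" % (path, key, section))
```

This narrows down one symptom only; the dse.ldif password-scheme errors and the K/M master key error in the same report come from the directory server and the KDC database respectively, and a missing PKINIT certificate does not explain them.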