[Freeipa-users] Configuration backup (before Samba integration)
Hi. I have a working network with IdM (FreeIPA). I'd like to integrate it with Samba, according to http://techslaves.org/2011/08/24/freeipa-and-samba-3-integration/

What's the recommended way to back up the current IPA settings and configuration, so that in case the Samba integration doesn't go well I'd be able to revert to my current situation?

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] IPA - Samba / Redmine / Disable Kerberos?
Thanks! That helps. I have a few suggestions that would be great if you could test:

1) Can we point Redmine to search users directly in the users container? I.e. cn=users,cn=accounts,dc=example,dc=com instead of just dc=example,dc=com. It will narrow down the LDAP search.

2) Can you search over LDAPS? Just to make sure that the bind and user passwords do not go in plain text over the wire.

3) Does the on-the-fly user creation go well? In the current configuration it would seem to me that some of the attributes that FreeIPA keeps for each user are not utilized. Would something like:

    On-the-fly user creation = yes
    Attributes
      Login     = uid
      Firstname = givenName
      Lastname  = sn
      Email     = mail

provide better results in on-the-fly user creation?

Martin

On 03/26/2014 09:32 PM, צביקה הרמתי wrote:
> Wow. That was much easier than my previous attempt... Here is the HowTo I wrote: http://www.freeipa.org/page/HowTo/Authenticating_Redmine_with_IPA I'll be glad if you review it.
> Regarding Samba, that page looks a bit intimidating... Thanks for the help.
>
> 2014-03-26 14:29 GMT+02:00 Martin Kosek mko...@redhat.com:
>> On 03/26/2014 12:42 PM, צביקה הרמתי wrote:
>>> Thanks for the prompt reply. I tried to just bind Redmine, and failed; so I assumed that it's not possible. Now, with that information, I'm encouraged to try again...
>>
>> According to [1], you should be able to create a system account for Redmine in FreeIPA LDAP (example in [2]) and pass the DN to the Account option and fill in its password. Then it should be pretty straightforward to configure Redmine to bind users against FreeIPA LDAP by filling in the Base DN and the right user attributes.
>>
>> BTW as Petr already said, when you make your setup work it would be indeed very welcome and helpful for the FreeIPA community if you create a howto on our wiki [3].
>>
>> Martin
>>
>> [1] http://www.redmine.org/projects/redmine/wiki/RedmineLDAP
>> [2] ejabberd account creation in https://www.dalemacartney.com/2012/07/05/configuring-ejabberd-to-authenticate-freeipa-users-using-ldap-group-memberships/
>> [3] http://www.freeipa.org/page/HowTos
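The three suggestions above (search under the users container, bind over LDAPS, map FreeIPA's attributes for on-the-fly creation) can be checked mechanically before a Redmine instance goes live. The following Python is an added example, not Redmine's or FreeIPA's own code: the `LdapAuthSource` dataclass mirrors the labels of Redmine's LDAP authentication form as quoted in the thread and is an assumption for illustration, the suffix `dc=example,dc=com` and the `uid=redmine,cn=sysaccounts,cn=etc,...` bind DN are constructed, and `audit()` returns findings for a weak configuration and none for the hardened copy that `hardened()` produces.

```python
"""Audit a Redmine LDAP authentication source against the three points
raised in the thread: search under FreeIPA's users container instead of the
whole suffix, use LDAPS so the bind and user passwords do not cross the
wire in clear text, and map FreeIPA's attributes so on-the-fly user
creation fills in the profile.

Added example, not Redmine's or FreeIPA's own code. The field names mirror
the labels of Redmine's LDAP form quoted in the thread; the dataclass and
the DNs below are assumptions made for illustration."""
from dataclasses import dataclass, field, replace
from typing import Dict, List

IPA_SUFFIX = "dc=example,dc=com"                      # constructed suffix
USERS_CONTAINER = "cn=users,cn=accounts," + IPA_SUFFIX
# Redmine profile field -> FreeIPA attribute, as suggested in the thread
EXPECTED_ATTRS = {"firstname": "givenName", "lastname": "sn", "email": "mail"}


@dataclass
class LdapAuthSource:
    host: str
    port: int
    ldaps: bool                 # the "LDAPS" checkbox
    account: str                # bind DN of a dedicated system account ("" = anonymous)
    base_dn: str
    login_attr: str = "uid"
    attributes: Dict[str, str] = field(default_factory=dict)
    onthefly: bool = False      # "On-the-fly user creation"


def _norm(dn: str) -> str:
    """Case-fold and strip whitespace around RDN separators for comparison."""
    return ",".join(p.strip() for p in dn.split(",")).lower()


def audit(src: LdapAuthSource) -> List[str]:
    """Return a list of findings; an empty list means all three points are met."""
    findings: List[str] = []
    if not src.ldaps:
        findings.append("LDAPS is off: the system-account bind and every user "
                        "password are sent in plain text over the wire")
    base, users = _norm(src.base_dn), _norm(USERS_CONTAINER)
    if base != users and not base.endswith("," + users):
        findings.append(f"base DN {src.base_dn!r} is broader than the users "
                        f"container {USERS_CONTAINER}; every login searches "
                        "the whole tree")
    if not src.account.strip():
        findings.append("no system account configured: Redmine would search "
                        "anonymously instead of with a dedicated, auditable bind DN")
    if src.onthefly:
        missing = [k for k, v in EXPECTED_ATTRS.items() if src.attributes.get(k) != v]
        if missing:
            findings.append("on-the-fly user creation is enabled but these fields "
                            f"are not mapped to FreeIPA attributes: {', '.join(missing)}")
    return findings


def hardened(src: LdapAuthSource) -> LdapAuthSource:
    """Return a copy with the thread's suggestions applied (LDAPS on 636,
    users container as base, attribute map, a system account if none)."""
    return replace(src, ldaps=True, port=636, base_dn=USERS_CONTAINER,
                   attributes=dict(EXPECTED_ATTRS),
                   account=src.account or f"uid=redmine,cn=sysaccounts,cn=etc,{IPA_SUFFIX}")


# Constructed "before" configuration, as a first attempt often looks.
WEAK = LdapAuthSource(host="ipa.example.com", port=389, ldaps=False,
                      account="", base_dn=IPA_SUFFIX, onthefly=True)

if __name__ == "__main__":
    for finding in audit(WEAK):
        print("-", finding)
    print("after hardening:", audit(hardened(WEAK)) or "no findings")
```

The base-DN check accepts any base at or below the users container, so a deployment that scopes searches even more narrowly still passes; everything broader, including the bare suffix from the first attempt, is reported.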
Re: [Freeipa-users] Configuration backup (before Samba integration)
On Thu, Mar 27, 2014 at 7:37 AM, צביקה הרמתי haramaty.zv...@gmail.com wrote:
> Hi. I have a working network with IdM (FreeIPA). I'd like to integrate it with Samba, according to http://techslaves.org/2011/08/24/freeipa-and-samba-3-integration/
> What's the recommended way to back up current IPA settings and configurations, so in case the Samba integration won't go well I'd be able to revert back to my current situation?

I would test this first in a couple of VMs. If you have a spare PC newer than 4 years old, chances are it is powerful enough to run a hypervisor. You can isolate a full test network there. Once you are satisfied with your testing and you have documented all the steps, run them in production ;-)

--
groet,
natxo
[Freeipa-users] Any command that can extract the private key of the FreeIPA domain?
I want to extract the private key of the self-signed cert.
[Freeipa-users] Backup / Restore
Hello,

I am being tasked with setting up FreeIPA for an organisation. A replica will be created, but they also require a backup / restore strategy.

Has anyone implemented backup / restore? Ideas? Recommendations? Dragons?

Thanks,

Andrew
Re: [Freeipa-users] Backup / Restore
On 03/27/2014 01:09 PM, Andrew Holway wrote:
> Hello, I am being tasked with setting up freeipa for an organisation. A replica will be created but they also require a backup / restore strategy.
> Has anyone implemented backup / restore? Ideas? Recommendations? Dragons?
> Thanks, Andrew

Good topic! I would be really interested in experience from FreeIPA users. I can only provide information from the FreeIPA development team member point of view.

Our thoughts on the topic of backup and restore:
http://www.freeipa.org/page/Backup_and_Restore

Original design of the backup and restore scripts:
http://www.freeipa.org/page/V3/Backup_and_Restore

As you can read in the first document, we are not yet convinced that backup/restore scripts are the right thing to do + we also do not have enough information from the field: are these scripts what admins want, and if yes, do they work for them?

If you check the open Backup and Restore tickets, there are really not many of them:
https://fedorahosted.org/freeipa/query?status=assigned&status=new&status=reopened&component=Backup&order=priority&col=id&col=summary&col=status&col=type&col=priority&col=milestone&col=component&group=milestone

Martin
[Freeipa-users] Badly corrupted IPA
My IPA corruption continues and I'm afraid I'm going to have to recreate it from scratch since no reasonable means of backup exists (which I understand -- that's not my complaint). Here's what I'm facing:

    # script -c 'ipa host-find mw79.damascusgrp.com'
    Script started, file is typescript
    -- 1 host matched --
      Host name: mw79.damascusgrp.com
      Principal name: host/mw79.damascusgrp@damascusgrp.com
      Password: False
      Member of host-groups: allow_all_hosts
      Indirect Member of HBAC rule: allow_all_users_services
      Keytab: False
      SSH public key fingerprint: [snip] (ssh-dss)
    Number of entries returned 1
    Script done, file is typescript
    # script -c 'ipa host-del mw79.damascusgrp.com'
    Script started, file is typescript
    ipa: ERROR: mw79.damascusgrp.com: host not found
    Script done, file is typescript
    #

I had unenrolled this host and was attempting to re-enroll it, and this is preventing its re-enrollment. Any ideas of how to force deletion of this host entry? I'm not LDAP savvy enough to just go in and start whacking LDAP entries myself, and given that my IPA database has gotten corrupted enough that no IPA CLI command can run without being wrapped in "script" or "strace" or similar, I'm hesitant to go too far. This machine, however, is my program manager's workstation, so it's pretty important to get back up and running.

Thanks,

--
Bret Wortman
http://damascusgrp.com/
http://about.me/wortmanbret
Re: [Freeipa-users] Badly corrupted IPA
BTW, this also fails when using the web UI -- I can see the entry but not delete it.

On 03/27/2014 09:02 AM, Bret Wortman wrote:
> My IPA corruption continues and I'm afraid I'm going to have to recreate it from scratch since no reasonable means of backup exists (which I understand -- that's not my complaint).
> I had unenrolled this host and was attempting to re-enroll it, and this is preventing its re-enrollment. Any ideas of how to force deletion of this host entry?
Re: [Freeipa-users] Backup / Restore
Martin,

Did the backup/restore scripts reach more than experimental status? Looks like they were released in FreeIPA 3.2.

It's a problem for me that this kind of functionality hasn't yet moved into RHEL. Backup/restore, from some corporate use perspectives, cannot rely on system snapshotting. Whilst a snapshot may make an easier recovery procedure for an admin, it is a take-it-or-leave-it approach. I cannot, for example, restore missing data that was deleted by mistake without losing other edits that have happened in the interim.

A VM snapshot is certainly a valid last-stop method of backing up IPA, but it doesn't cover some of the use cases that most companies find themselves having to deal with.

Thanks

Duncan

-----Original Message-----
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Martin Kosek
Sent: 27 March 2014 12:31
To: Andrew Holway; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Backup / Restore

> Good topic! I would be really interested in experience from FreeIPA users. I can only provide information from FreeIPA development team member point of view.
> Our thoughts on topic of Backup and restore: http://www.freeipa.org/page/Backup_and_Restore
> Original design of backup and restore scripts: http://www.freeipa.org/page/V3/Backup_and_Restore
[Freeipa-users] authenticate samba 3 or 4 with freeipa
Hello,

What is the best practice to authenticate Samba file sharing with FreeIPA as the auth service? Either version 3 or 4 of Samba is fine, as we are looking for this only for file sharing and not domain service. Our IPA service is hosted on CentOS 6.5. The Samba service is preferred to be hosted on Ubuntu Precise (12.04), later the new LTS.

Found 3 methods, but all seem to have their issues.

1. LDAP, ldapsam passdb backend
   - needs LDAP schema modification to include fields (sambaSAMAccount, sambaGroupMapping, sambaSID) and have IPA populate those with the DNA plugin
2. IPA, ipasam passdb backend
   - did not find a working version of ipasam.so for Ubuntu; mostly I did not find any
3. KRB, keytab
   - seemed a bit messy, also needs LDAP schema modification

Sándor Juhász
System Administrator
ChemAxon Ltd.
Building Hx, GraphiSoft Park, Záhony utca 7, Budapest, Hungary, H-1031
Re: [Freeipa-users] Backup / Restore
Innes, Duncan wrote:
> Martin,
> Did the backup/restore scripts reach more than experimental status? Looks like they were released in FreeIPA 3.2.

The problem is few people have experimented with it. We need feedback to know whether it works or not. It worked for me in my contrived environment over a couple of days but that isn't exactly definitive.

Playing with this should be relatively easy and pain free. A backup doesn't do anything operationally except bring down the servers (for sanity's sake). You can do live backups but those aren't recommended, and they only back up the data (not all the other configuration, etc). Then you can try doing a full restore in an isolated VM as a test, and see how things look.

> It's a problem for me that this kind of functionality hasn't yet moved into RHEL. Backup/restore from some corporate use perspectives, cannot rely on system snapshotting. Whilst a snapshot may make an easier recovery procedure for an admin, it is a take-it-or-leave-it approach. I cannot, for example, restore missing data that was deleted by mistake without losing other edits that have happened in the interim.

And that is still not dealt with in the current backup/restore. To do that requires some sort of LDIF browser where entries can be selected and restored/entries replaced. No such system already exists and it represents a large chunk of work. It is a recognized shortcoming of the current support.

> A VM snapshot is certainly a valid last-stop method of backing up IPA, but it doesn't cover some of the use cases that most companies find themselves having to deal with.

Agreed.

rob
Re: [Freeipa-users] IPA - Samba / Redmine / Disable Kerberos?
I have updated the HowTo with suggestions 1 & 2 (after checking them, of course...)

Regarding suggestion 3 - I'm not sure I understand it. Isn't that the difference I wrote between Basic and Full configurations?

2014-03-27 9:15 GMT+02:00 Martin Kosek mko...@redhat.com:
> Thanks! That helps. I have few suggestions that would be great if you test:
> 1) Can we point Redmine to search users directly in the users container? I.e. cn=users,cn=accounts,dc=example,dc=com instead of just dc=example,dc=com. It will narrow down the LDAP search.
> 2) Can you search over LDAPS? Just to make sure that the bind and user password do not get in plain text over the wire.
> 3) Does the On-the-fly user creation goes well? In current configuration it would seem to me that some of the attributes that FreeIPA keeps for each user are not utilized.
> Martin
Re: [Freeipa-users] Badly corrupted IPA
Bret Wortman wrote:
> BTW, this also fails when using the web UI -- I can see the entry but not delete it.

It sounds like you have a replication conflict entry. Try this search:

    $ ldapsearch -Y GSSAPI -b cn=computers,cn=accounts,dc=example,dc=com fqdn=myhost.example.com

You'll probably get something with a dn that includes a nsuniqueid in it. That is the conflict entry. IPA can find the host because it searches by fqdn too, but it deletes by generating the direct DN and since it doesn't match, no delete.

You can delete the wayward entry using ldapdelete.

rob

> On 03/27/2014 09:02 AM, Bret Wortman wrote:
>> My IPA corruption continues and I'm afraid I'm going to have to recreate it from scratch since no reasonable means of backup exists (which I understand -- that's not my complaint).
>> I had unenrolled this host and was attempting to re-enroll it, and this is preventing its re-enrollment. Any ideas of how to force deletion of this host entry?
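Rob's ldapsearch above identifies a replication conflict entry by the nsuniqueid prefix on its DN, and the Backup / Restore thread earlier on this page (Duncan's case of restoring one mistakenly deleted entry without losing later edits, which Rob said would need an LDIF browser) needs the same raw material: a way to walk LDIF and pick out individual entries. The following Python is an added example, not FreeIPA code or anything from either thread. It parses LDIF text such as ldapsearch output, flags conflict entries by either marker 389-ds uses (the `nsuniqueid=...+` RDN prefix or an `nsds5ReplConflict` attribute), and pulls a single entry back out by DN as LDIF that could be fed to ldapadd. The sample LDIF, the DNs and the nsuniqueid value are constructed.

```python
"""Parse LDIF (for example ldapsearch output, or an LDIF export kept as a
backup) to (a) flag 389-ds replication conflict entries, whose RDN carries
an nsuniqueid=... prefix and which carry an nsds5ReplConflict attribute,
and (b) pull one entry back out by DN as LDIF for a selective re-add.

Added example, not FreeIPA code. The sample below is constructed."""
import base64
import re
from typing import Dict, List, Optional, Tuple

Entry = Tuple[str, Dict[str, List[str]]]

# Constructed sample: a healthy host entry, a conflict duplicate of the
# same host left behind by a replication collision, and one user whose
# surname is base64-encoded, as LDIF does for values it cannot print safely.
SAMPLE_LDIF = """\
dn: fqdn=host1.example.com,cn=computers,cn=accounts,dc=example,dc=com
objectClass: ipahost
fqdn: host1.example.com
krbPrincipalName: host/host1.example.com@EXAMPLE.COM

dn: nsuniqueid=4a5b6c7d-1e2f3a4b-5c6d7e8f-9a0b1c2d+fqdn=host1.example.com,cn=computers,cn=accounts,dc=example,dc=com
objectClass: ipahost
fqdn: host1.example.com
nsds5ReplConflict: namingConflict fqdn=host1.example.com,cn=computers,cn=accounts,dc=example,dc=com

dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
objectClass: person
uid: alice
sn:: U21pdGg=
"""


def parse_ldif(text: str) -> List[Entry]:
    """Split LDIF into (dn, attributes) pairs, unfolding continuation
    lines and decoding '::' base64 values."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]        # folded continuation of previous line
        else:
            lines.append(raw)

    entries: List[Entry] = []
    dn: Optional[str] = None
    attrs: Dict[str, List[str]] = {}
    for line in lines + [""]:           # trailing "" flushes the last entry
        if not line.strip():
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue                    # not an attribute line; ignore
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return entries


CONFLICT_RDN = re.compile(r"^nsuniqueid=[0-9a-f-]+\+", re.IGNORECASE)


def find_conflict_entries(entries: List[Entry]) -> List[str]:
    """Return DNs of replication conflict entries; either marker is enough."""
    return [dn for dn, attrs in entries
            if CONFLICT_RDN.match(dn)
            or any(a.lower() == "nsds5replconflict" for a in attrs)]


def _norm(dn: str) -> str:
    """Case-fold and drop whitespace around commas for DN comparison."""
    return ",".join(p.strip() for p in dn.split(",")).lower()


def to_ldif(entry: Entry) -> str:
    """Serialise one entry back to LDIF, base64-encoding values that LDIF
    cannot carry verbatim (non-ASCII, leading space/colon/'<', line breaks)."""
    dn, attrs = entry
    out = [f"dn: {dn}"]
    for name, values in attrs.items():
        for v in values:
            safe = v.isascii() and v.isprintable() and not v.startswith((" ", ":", "<"))
            if safe:
                out.append(f"{name}: {v}")
            else:
                out.append(f"{name}:: {base64.b64encode(v.encode('utf-8')).decode('ascii')}")
    return "\n".join(out) + "\n"


def extract_entry(text: str, wanted_dn: str) -> Optional[str]:
    """Selective-restore helper: return the LDIF of the entry with wanted_dn
    (comparison is case-insensitive and ignores spaces after commas; full
    RFC 4514 normalisation is out of scope), or None if it is absent."""
    for entry in parse_ldif(text):
        if _norm(entry[0]) == _norm(wanted_dn):
            return to_ldif(entry)
    return None


if __name__ == "__main__":
    parsed = parse_ldif(SAMPLE_LDIF)
    for dn in find_conflict_entries(parsed):
        print("conflict entry:", dn)
    print(extract_entry(SAMPLE_LDIF, "uid=alice,cn=users,cn=accounts,dc=example,dc=com"))
```

Run against real ldapsearch output, `find_conflict_entries` gives the DNs to hand to ldapdelete, while `extract_entry` over an LDIF export is the minimal form of the "select an entry and restore it" step that the backup/restore discussion says the scripts do not yet provide; the re-added entry is exactly what was exported, so any change made to it after the export is not carried over.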
Re: [Freeipa-users] Badly corrupted IPA
That worked like a champ. As always. Thanks, Rob.

Bret

On 03/27/2014 10:08 AM, Rob Crittenden wrote:
> It sounds like you have a replication conflict entry. Try this search:
> $ ldapsearch -Y GSSAPI -b cn=computers,cn=accounts,dc=example,dc=com fqdn=myhost.example.com
> You'll probably get something with a dn that includes a nsuniqueid in it. That is the conflict entry. IPA can find the host because it searches by fqdn too, but it deletes by generating the direct DN and since it doesn't match, no delete.
> You can delete the wayward entry using ldapdelete.
> rob
Re: [Freeipa-users] IPA - Samba / Redmine / Disable Kerberos?
On 03/27/2014 03:09 PM, צביקה הרמתי wrote:
> I have updated the HowTo with suggestions 1 & 2 (after checking them, of course...)

Good!

> Regarding suggestion 3 - I'm not sure I understand it. Isn't that the difference I wrote between Basic and Full configurations?

Ah, I see - you are right. I updated your article, fixed a few minor issues I saw and linked it from http://www.freeipa.org/page/HowTos

Thank you,
Martin
[Freeipa-users] UNSUBSCRIBE
Re: [Freeipa-users] authenticate samba 3 or 4 with freeipa
On 27.3.2014 14:36, Sandor Juhasz wrote:
> Hello, what is the best practice to authenticate samba file sharing with freeipa as auth service. Either version 3 or 4 of samba is fine, as we are looking for this only for filesharing and not domain service. Our ipa service is hosted on CentOS 6.5. The samba service is preferred to be hosted on Ubuntu Precise (12.04), later the new LTS.
> Found 3 methods, but all seem to have their issues.
> 1. LDAP, ldapsam passdb backend. - needs ldap schema modification to include fields (sambaSAMAccount, sambaGroupMapping, sambaSID) and have IPA populate those with dna plugin
> 2. IPA, ipasam passdb backend - did not find a working version from ipasam.so for ubuntu, mostly i did not find any

The only how-to I'm aware of is:
http://techslaves.org/2011/08/24/freeipa-and-samba-3-integration/

If you insist on Ubuntu you need to get ipasam somewhere, most likely by compiling it yourself. Let us know if you are going to compile it; we can provide you some guidance. See the thread 'IPA - Samba / Redmine / Disable Kerberos?'.

--
Petr^2 Spacek
[Freeipa-users] HELP
My master IPA server has been lost. My replica is still up and functioning. What is the best way to proceed? Do I rebuild my master and add it as a replica? How do I get my master back in line with my IPA env?

The master needs to be rebuilt from scratch: Red Hat 6.5, latest version of IPA.
Re: [Freeipa-users] HELP
On Thu, Mar 27, 2014 at 7:58 PM, Todd Maugh tma...@boingo.com wrote:
> My Master IPA server has been lost. My replica is still up and functioning. What is the best way to proceed? Do I rebuild my master and add it as a replica? How do I get my master back in line with my IPA env?
>
> The Master needs to be rebuilt from scratch: Red Hat 6.5, latest version of IPA.

Just a quick question: is this a production network with real business at risk? Or is this a test lab?

To answer your questions: I guess that it depends on whether the 2nd master (in ipa all domain controllers are multimaster) has a copy of the CA too. If it does then yes, you can rebuild it and create a replica. If the domain controller does not have a copy of the CA, well, I am not really sure at this point.

-- 
regards,
natxo
Re: [Freeipa-users] HELP
Todd Maugh wrote:
> My Master IPA server has been lost. My replica is still up and functioning. What is the best way to proceed? Do I rebuild my master and add it as a replica? How do I get my master back in line with my IPA env?
>
> The Master needs to be rebuilt from scratch: Red Hat 6.5, latest version of IPA.

Is the replica running the CA? If not things will get very complicated. See http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master

The replica has a replication agreement with the master that is now gone, so you'll want to delete that agreement using ipa-replica-manage. But yes, once the new host is ready, create it as a new replica.

rob
[Freeipa-users] writing IPA plugin
hi all,

i'm trying to write my own FreeIPA plugin (for frontend cli usage), and so far so good, but i'm stuck on 2 issues:

- is it possible to have the plugin use a dedicated or additional log file? i can manipulate the log manager, but maybe there's a proper API in freeipa for it; similar to the log_file_name in ipapython.admin.AdminTool classes
- i want to exit the plugin on certain error conditions and want to exit with a non-zero exitcode. how can this be done?

many thanks,

stijn
Re: [Freeipa-users] writing IPA plugin
Stijn De Weirdt wrote:
> hi all,
>
> i'm trying to write my own FreeIPA plugin (for frontend cli usage), and so far so good, but i'm stuck on 2 issues:
>
> - is it possible to have the plugin use a dedicated or additional log file? i can manipulate the log manager, but maybe there's a proper API in freeipa for it; similar to the log_file_name in ipapython.admin.AdminTool classes

Which side do you want to do the logging on, the server or client side?

> - i want to exit the plugin on certain error conditions and want to exit with a non-zero exitcode. how can this be done?

The return value is controlled by the exception raised. There is an rval attribute defined in the exception.

rob
Re: [Freeipa-users] kerberized vsftpd login problem
2014-03-23 19:45 GMT-04:00 Dmitri Pal d...@redhat.com:
> 2014-03-23 9:01 GMT+01:00 John Obaterspok john.obaters...@gmail.com:
>> Hello,
>>
>> How do I get vsftpd login to work with an existing ticket? I've added ftp as an identity service (ftp/ipaserver.my@my.lan). Is there anything else I need to do to allow ftp login to vsftpd?
>
> What ftp client and server are you using? Do you know whether they are actually supporting Kerberos? May be consider other tools like scp instead?

I'm using vsftpd with default settings in Fedora 20 + ftp client from krb5-appl-clients. vsftpd is linked to pam, gssapi_krb5, and more. /etc/pam.d/vsftpd looks like this:

#%PAM-1.0
session    optional     pam_keyinit.so    force revoke
auth       required     pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
auth       required     pam_shells.so
auth       include      password-auth
account    include      password-auth
session    required     pam_loginuid.so
session    include      password-auth

Perhaps I need to change something in the pam file in order to allow sso?

-- john
Re: [Freeipa-users] writing IPA plugin
hi rob,

>> i'm trying to write my own FreeIPA plugin (for frontend cli usage), and so far so good, but i'm stuck on 2 issues:
>>
>> - is it possible to have the plugin use a dedicated or additional log file? i can manipulate the log manager, but maybe there's a proper API in freeipa for it; similar to the log_file_name in ipapython.admin.AdminTool classes
>
> Which side do you want to do the logging on, the server or client side?

the client side

>> - i want to exit the plugin on certain error conditions and want to exit with a non-zero exitcode. how can this be done?
>
> The return value is controlled by the exception raised. There is an rval attribute defined in the exception.

thanks!

stijn

> rob
Re: [Freeipa-users] change min and max lifetime of random password
hi alexander,

>> it would be good anyway to have a script that checks, for all hosts that have not enrolled yet, how old the issued password is (even after expiration). very useful to spot the state of ongoing deployments and to spot problems. how can one obtain the creation time of the password? fetch the timestamp from LDAP or is there a nice ipa API for it?
>
> Since host object is a Kerberos principal, it has krbLastSuccessfulAuth and krbLastPwdChange attributes. ipa host-show host.name --all --raw will give you their values.
>
> # ipa host-show `hostname` --all --raw |grep krbLast
> krbLastPwdChange: 20140213123016Z
> krbLastSuccessfulAuth: 20140325073031Z

this does not seem to work on a host that has the random password set (or set a few times), but no keytab was created or other form of authentication:

ipa host-show test.test --all --raw |grep -E 'krb|has_'
has_password: True
has_keytab: False
krbExtraData: AAI3mDRTcm9vdC9hZG1pbkB
krbPrincipalName: host/test.test@TEST
objectClass: krbprincipalaux
objectClass: krbprincipal

(this is freeipa 3.3.3 on rhel7 beta)

stijn
Re: [Freeipa-users] change min and max lifetime of random password
Stijn De Weirdt wrote:
> hi alexander,
>
>>> it would be good anyway to have a script that checks, for all hosts that have not enrolled yet, how old the issued password is (even after expiration). very useful to spot the state of ongoing deployments and to spot problems. how can one obtain the creation time of the password? fetch the timestamp from LDAP or is there a nice ipa API for it?
>>
>> Since host object is a Kerberos principal, it has krbLastSuccessfulAuth and krbLastPwdChange attributes. ipa host-show host.name --all --raw will give you their values.
>>
>> # ipa host-show `hostname` --all --raw |grep krbLast
>> krbLastPwdChange: 20140213123016Z
>> krbLastSuccessfulAuth: 20140325073031Z
>
> this does not seem to work on a host that has the random password set (or set a few times), but no keytab was created or other form of authentication:
>
> ipa host-show test.test --all --raw |grep -E 'krb|has_'
> has_password: True
> has_keytab: False
> krbExtraData: AAI3mDRTcm9vdC9hZG1pbkB
> krbPrincipalName: host/test.test@TEST
> objectClass: krbprincipalaux
> objectClass: krbprincipal
>
> (this is freeipa 3.3.3 on rhel7 beta)

Right, because it doesn't have Kerberos credentials yet, just a password. We apparently don't set any dates when setting only the host password. Which also means password policy probably wouldn't apply correctly even if you were able to set one.

And I guess the question is, should we? If so we'd need to always add the krbPrincipalAux objectclass and set this value in the password plugin.

rob
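As an added example (not code from this thread or from FreeIPA), a small script of the kind Stijn asks for: it parses the key: value output that `ipa host-find --all --raw` prints in the same layout as the `host-show` output above, reports whether each host is enrolled, and computes the age of krbLastPwdChange, reporting no age at all for the password-only case Rob explains. The embedded sample output is constructed; the assumption is that `--raw` entries are separated by blank lines.

```python
from datetime import datetime, timezone

TIME_FMT = "%Y%m%d%H%M%SZ"  # LDAP GeneralizedTime as printed by --raw

# Constructed sample in the key: value layout of `ipa host-find --all --raw`
# (not real hosts): one enrolled host with Kerberos timestamps, and one
# host that only has a one-time password and therefore no krbLastPwdChange.
SAMPLE = """\
2 hosts matched
  fqdn: web1.test.test
  has_keytab: True
  has_password: False
  krbLastPwdChange: 20140213123016Z
  krbLastSuccessfulAuth: 20140325073031Z

  fqdn: test.test.test
  has_keytab: False
  has_password: True
  krbPrincipalName: host/test.test.test@TEST
"""

def parse_raw(text):
    """One dict per blank-line separated entry; repeated attributes become lists."""
    entries, current = [], {}
    for line in text.splitlines() + [""]:  # trailing "" flushes the last entry
        key, sep, value = line.strip().partition(": ")
        if sep:
            current.setdefault(key, []).append(value)
        elif not line.strip() and current:  # blank line ends an entry
            entries.append(current)
            current = {}
    return [e for e in entries if "fqdn" in e]  # drop "N hosts matched" etc.

def parse_time(stamp):
    return datetime.strptime(stamp, TIME_FMT).replace(tzinfo=timezone.utc)

def password_age(entry, now):
    """Return (state, age); age is None when LDAP holds no krbLastPwdChange."""
    flags = {a: entry.get(a, ["False"])[0] == "True" for a in ("has_keytab", "has_password")}
    if flags["has_keytab"]:
        state = "enrolled"
    else:
        state = "password set, not enrolled" if flags["has_password"] else "no credentials"
    stamp = entry.get("krbLastPwdChange")  # absent on password-only hosts (see above)
    return state, (now - parse_time(stamp[0])) if stamp else None

def report(text, now_stamp):
    """fqdn -> (state, age) for each host entry, relative to now_stamp (GeneralizedTime)."""
    now = parse_time(now_stamp)
    return {e["fqdn"][0]: password_age(e, now) for e in parse_raw(text)}
```

Feed it the saved output of `ipa host-find --all --raw` together with the current time formatted as TIME_FMT; hosts whose age comes back as None are the ones where only the password was set.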
Re: [Freeipa-users] kerberized vsftpd login problem
On 03/27/2014 04:47 PM, John Obaterspok wrote:
> 2014-03-23 19:45 GMT-04:00 Dmitri Pal d...@redhat.com:
>> 2014-03-23 9:01 GMT+01:00 John Obaterspok john.obaters...@gmail.com:
>>> Hello,
>>>
>>> How do I get vsftpd login to work with an existing ticket? I've added ftp as an identity service (ftp/ipaserver.my@my.lan). Is there anything else I need to do to allow ftp login to vsftpd?
>>
>> What ftp client and server are you using? Do you know whether they are actually supporting Kerberos? May be consider other tools like scp instead?
>
> I'm using vsftpd with default settings in Fedora 20 + ftp client from krb5-appl-clients. vsftpd is linked to pam, gssapi_krb5, and more. /etc/pam.d/vsftpd looks like this:
>
> #%PAM-1.0
> session    optional     pam_keyinit.so    force revoke
> auth       required     pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
> auth       required     pam_shells.so
> auth       include      password-auth
> account    include      password-auth
> session    required     pam_loginuid.so
> session    include      password-auth
>
> Perhaps I need to change something in the pam file in order to allow sso?
>
> -- john

If you want SSO the ftp server should be configured to use GSSAPI and not use PAM (or fail over to PAM if the client does not have a ticket). A search of the man pages for vsftpd did not render such an option. I suspect it is either undocumented or some other Kerberos-enabled ftp server needs to be used. Does the krb-appl package provide one?

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-users] kerberized vsftpd login problem
I may be wrong on this but I don't remember an option in vsftpd.conf to specify a keytab file, which is a good indication that it's not supported. There is a kerberized ftp server in the krb5 applications rpm, however it's not widely used and is more likely than not lacking features and may have bugs.

-- Sent from my HP Pre3

On Mar 27, 2014 22:13, Dmitri Pal d...@redhat.com wrote:
> On 03/27/2014 04:47 PM, John Obaterspok wrote:
>> 2014-03-23 19:45 GMT-04:00 Dmitri Pal d...@redhat.com:
>>> 2014-03-23 9:01 GMT+01:00 John Obaterspok john.obaters...@gmail.com:
>>>> Hello,
>>>>
>>>> How do I get vsftpd login to work with an existing ticket? I've added ftp as an identity service (ftp/ipaserver.my@my.lan). Is there anything else I need to do to allow ftp login to vsftpd?
>>>
>>> What ftp client and server are you using? Do you know whether they are actually supporting Kerberos? May be consider other tools like scp instead?
>>
>> I'm using vsftpd with default settings in Fedora 20 + ftp client from krb5-appl-clients. vsftpd is linked to pam, gssapi_krb5, and more. /etc/pam.d/vsftpd looks like this:
>>
>> #%PAM-1.0
>> session    optional     pam_keyinit.so    force revoke
>> auth       required     pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
>> auth       required     pam_shells.so
>> auth       include      password-auth
>> account    include      password-auth
>> session    required     pam_loginuid.so
>> session    include      password-auth
>>
>> Perhaps I need to change something in the pam file in order to allow sso?
>>
>> -- john
>
> If you want SSO the ftp server should be configured to use GSSAPI and not use PAM (or fail over to PAM if the client does not have a ticket). A search of the man pages for vsftpd did not render such an option. I suspect it is either undocumented or some other Kerberos-enabled ftp server needs to be used. Does the krb-appl package provide one?
>
> -- 
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>
> ---
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
Re: [Freeipa-users] change min and max lifetime of random password
Found an error today when browsing the cert services. Is it related to the dogtag system? How do I restart it?

Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)