Re: [Freeipa-users] Can't add AD user group to IPA group

2015-03-08 Thread Jakub Hrozek
On Fri, Mar 06, 2015 at 08:24:28PM +, Craig White wrote:
 Seems the initial/default setup for IPA server is to put in an 'allow_all' 
 rule. Thus you can actively manage HBAC but out of the box, it is essentially 
 turned off by that rule.

Yes. The default was the opposite a very long time ago: you had to
explicitly enable access to the box. But it was causing too many user
issues.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] how can i configure solaris10 as freeIPA 4.1.2 client

2015-03-08 Thread Jakub Hrozek
On Sun, Mar 08, 2015 at 08:54:22AM +0300, Ben .T.George wrote:
 Hi list
 
 I have a working IPA server where AD users can log in to the IPA server.
 
 How can I configure Solaris 10 as an IPA 4.1.2 client?
 
 I saw many tutorials in the IPA domain and got confused. Which one do I need
 to follow?
 
 Currently I am trying with the x86 version of Solaris, and later I need to try
 on SPARC-based.
 
 Regards,
 Ben

I haven't configured a Solaris client in some time, but IIRC this page
is authoritative:
http://www.freeipa.org/page/ConfiguringUnixClients



Re: [Freeipa-users] how can i configure solaris10 as freeIPA 4.1.2 client

2015-03-08 Thread Rob Crittenden
Jakub Hrozek wrote:
 On Sun, Mar 08, 2015 at 08:54:22AM +0300, Ben .T.George wrote:
 Hi list

 I have a working IPA server where AD users can log in to the IPA server.

 How can I configure Solaris 10 as an IPA 4.1.2 client?

 I saw many tutorials in the IPA domain and got confused. Which one do I need
 to follow?

 Currently I am trying with the x86 version of Solaris, and later I need to try
 on SPARC-based.

 Regards,
 Ben
 
 I haven't configured a Solaris client in some time, but IIRC this page
 is authoritative:
 http://www.freeipa.org/page/ConfiguringUnixClients
 

I'd suggest starting with the freeipa-users mailing list archives. There
are a number of threads asking the same question.

There are also a couple of closed bugs on bugzilla.redhat.com related to
Solaris configuration, contributed by a FreeIPA user. Those are
excellent sources of information, including a fairly complete
authenticated and secure DUA profile which includes a lot more than just
users and groups.

The IPA team has moved away from trying to provide direct support
/documentation for non-Linux platforms since we don't have the in-house
expertise. The documents you'll find on the wiki provide a minimalist
configuration that worked for us at one time.

rob



Re: [Freeipa-users] IPA web ui always giving Your session has expired. Please re-login.

2015-03-08 Thread Ben .T.George
This is the error message I am getting in httpd/error_log:

[Sun Mar 08 13:02:02.965470 2015] [auth_kerb:error] [pid 2922] [client 172.16.107.250:60005] gss_accept_sec_context() failed: An unsupported mechanism was requested (, Unknown error), referer: https://kwtpocpbis01.solaris.local/ipa/ui/

On Sun, Mar 8, 2015 at 12:48 PM, Ben .T.George bentech4...@gmail.com
wrote:

 Hi, I checked the services and below is my output:

 [root@kwtpocpbis01 ipa_memcached]# ps -ef | grep  ipa_memcached
 apache2079 1  0 11:11 ?00:00:00 /usr/bin/memcached -d -s
 /var/run/ipa_memcached/ipa_memcached -u apache -m 64 -c 1024 -P
 /var/run/ipa_memcached/ipa_memcached.pid
 root  2801  2504  0 12:48 pts/000:00:00 grep --color=auto
 ipa_memcached

 [root@kwtpocpbis01 ipa_memcached]# ipactl status
 Directory Service: RUNNING
 krb5kdc Service: RUNNING
 kadmin Service: RUNNING
 named Service: RUNNING
 ipa_memcached Service: RUNNING
 httpd Service: RUNNING
 pki-tomcatd Service: RUNNING
 smb Service: RUNNING
 winbind Service: RUNNING
 ipa-otpd Service: RUNNING
 ipa-dnskeysyncd Service: RUNNING
 ipa: INFO: The ipactl command was successful


 On Sun, Mar 8, 2015 at 10:54 AM, Ben .T.George bentech4...@gmail.com
 wrote:

 Hi,

 I have FreeIPA 4.1.2 installed.

 My web UI is always giving "Your session has expired. Please re-login.", even
 when I tried from a different computer and different browsers.

 How can I fix this?




Re: [Freeipa-users] IPA web ui always giving Your session has expired. Please re-login.

2015-03-08 Thread Ben .T.George
Hi, I checked the services and below is my output:

[root@kwtpocpbis01 ipa_memcached]# ps -ef | grep  ipa_memcached
apache2079 1  0 11:11 ?00:00:00 /usr/bin/memcached -d -s
/var/run/ipa_memcached/ipa_memcached -u apache -m 64 -c 1024 -P
/var/run/ipa_memcached/ipa_memcached.pid
root  2801  2504  0 12:48 pts/000:00:00 grep --color=auto
ipa_memcached

[root@kwtpocpbis01 ipa_memcached]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
pki-tomcatd Service: RUNNING
smb Service: RUNNING
winbind Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful


On Sun, Mar 8, 2015 at 10:54 AM, Ben .T.George bentech4...@gmail.com
wrote:

 Hi,

 I have FreeIPA 4.1.2 installed.

 My web UI is always giving "Your session has expired. Please re-login.", even
 when I tried from a different computer and different browsers.

 How can I fix this?


Re: [Freeipa-users] IPA web ui always giving Your session has expired. Please re-login.

2015-03-08 Thread Ben .T.George
I enabled debugging mode in default.conf and this is what I am getting in
error_log:

[Sun Mar 08 13:16:18.204363 2015] [auth_kerb:error] [pid 3065] [client
172.16.107.250:60088] gss_accept_sec_context() failed: An unsupported
mechanism was requested (, Unknown error), referer:
https://kwtpocpbis01.solaris.local/ipa/ui/
[Sun Mar 08 13:16:29.849339 2015] [:error] [pid 3004] ipa: DEBUG: WSGI
wsgi_dispatch.__call__:
[Sun Mar 08 13:16:29.849458 2015] [:error] [pid 3004] ipa: DEBUG: WSGI
login_password.__call__:
[Sun Mar 08 13:16:29.849683 2015] [:error] [pid 3004] ipa: DEBUG: Obtaining
armor ccache: principal=HTTP/kwtpocpbis01.solaris.local@SOLARIS.LOCAL
keytab=/etc/httpd/conf/ipa.keytab
ccache=/var/run/ipa_memcached/krbcc_A_admin
[Sun Mar 08 13:16:29.849830 2015] [:error] [pid 3004] ipa: DEBUG: Starting
external process
[Sun Mar 08 13:16:29.849923 2015] [:error] [pid 3004] ipa: DEBUG:
args='/usr/bin/kinit' '-kt' '/etc/httpd/conf/ipa.keytab'
'HTTP/kwtpocpbis01.solaris.local@SOLARIS.LOCAL'
[Sun Mar 08 13:16:29.868747 2015] [:error] [pid 3004] ipa: DEBUG: Process
finished, return code=0
[Sun Mar 08 13:16:29.868858 2015] [:error] [pid 3004] ipa: DEBUG: stdout=
[Sun Mar 08 13:16:29.868955 2015] [:error] [pid 3004] ipa: DEBUG: stderr=
[Sun Mar 08 13:16:29.869120 2015] [:error] [pid 3004] ipa: DEBUG: Starting
external process
[Sun Mar 08 13:16:29.869204 2015] [:error] [pid 3004] ipa: DEBUG:
args='/usr/bin/kinit' 'admin@SOLARIS.LOCAL' '-T'
'/var/run/ipa_memcached/krbcc_A_admin'
[Sun Mar 08 13:16:29.902181 2015] [:error] [pid 3004] ipa: DEBUG: Process
finished, return code=0
[Sun Mar 08 13:16:29.902269 2015] [:error] [pid 3004] ipa: DEBUG:
stdout=Password for admin@SOLARIS.LOCAL:
[Sun Mar 08 13:16:29.902278 2015] [:error] [pid 3004]
[Sun Mar 08 13:16:29.902328 2015] [:error] [pid 3004] ipa: DEBUG: stderr=
[Sun Mar 08 13:16:29.902427 2015] [:error] [pid 3004] ipa: DEBUG: kinit:
principal=admin@SOLARIS.LOCAL returncode=0, stderr=
[Sun Mar 08 13:16:29.902483 2015] [:error] [pid 3004] ipa: DEBUG: Cleanup
the armor ccache
[Sun Mar 08 13:16:29.902560 2015] [:error] [pid 3004] ipa: DEBUG: Starting
external process
[Sun Mar 08 13:16:29.902621 2015] [:error] [pid 3004] ipa: DEBUG:
args='/usr/bin/kdestroy' '-A' '-c' '/var/run/ipa_memcached/krbcc_A_admin'
[Sun Mar 08 13:16:29.908045 2015] [:error] [pid 3004] ipa: DEBUG: Process
finished, return code=0
[Sun Mar 08 13:16:29.908121 2015] [:error] [pid 3004] ipa: DEBUG: stdout=
[Sun Mar 08 13:16:29.908173 2015] [:error] [pid 3004] ipa: DEBUG: stderr=
[Sun Mar 08 13:16:29.908348 2015] [:error] [pid 3004] ipa: DEBUG: found
session cookie_id = 4803e184cecb42f2e326391dbb09443d
[Sun Mar 08 13:16:29.908647 2015] [:error] [pid 3004] ipa: DEBUG: found
session data in cache with id=4803e184cecb42f2e326391dbb09443d
[Sun Mar 08 13:16:29.908728 2015] [:error] [pid 3004] ipa: DEBUG:
finalize_kerberos_acquisition: login_password
ccache_name=FILE:/var/run/ipa_memcached/krbcc_3004
session_id=4803e184cecb42f2e326391dbb09443d
[Sun Mar 08 13:16:29.908824 2015] [:error] [pid 3004] ipa: DEBUG: reading
ccache data from file /var/run/ipa_memcached/krbcc_3004
[Sun Mar 08 13:16:29.909319 2015] [:error] [pid 3004] ipa: DEBUG:
get_credential_times: principal=krbtgt/SOLARIS.LOCAL@SOLARIS.LOCAL,
authtime=03/08/15 13:16:29, starttime=03/08/15 13:16:29, endtime=03/09/15
13:16:29, renew_till=01/01/70 03:00:00
[Sun Mar 08 13:16:29.909415 2015] [:error] [pid 3004] ipa: DEBUG:
KRB5_CCache FILE:/var/run/ipa_memcached/krbcc_3004 endtime=1425896189
(03/09/15 13:16:29)
[Sun Mar 08 13:16:29.909538 2015] [:error] [pid 3004] ipa: DEBUG:
set_session_expiration_time: duration_type=inactivity_timeout duration=1200
max_age=1425895889 expiration=1425810989.91 (2015-03-08T13:36:29)
[Sun Mar 08 13:16:29.909637 2015] [:error] [pid 3004] ipa: DEBUG: store
session: session_id=4803e184cecb42f2e326391dbb09443d
start_timestamp=2015-03-08T13:15:12 access_timestamp=2015-03-08T13:16:29
expiration_timestamp=2015-03-08T13:36:29
[Sun Mar 08 13:16:29.910004 2015] [:error] [pid 3004] ipa: DEBUG:
release_ipa_ccache: KRB5CCNAME environment variable not set
[Sun Mar 08 13:16:29.921259 2015] [:error] [pid 3003] ipa: DEBUG: WSGI
wsgi_dispatch.__call__:
[Sun Mar 08 13:16:29.921351 2015] [:error] [pid 3003] ipa: DEBUG: WSGI
jsonserver_session.__call__:
[Sun Mar 08 13:16:29.921519 2015] [:error] [pid 3003] ipa: DEBUG: found
session cookie_id = 4803e184cecb42f2e326391dbb09443d
[Sun Mar 08 13:16:29.921731 2015] [:error] [pid 3003] ipa: DEBUG: no
session data in cache with id=4803e184cecb42f2e326391dbb09443d, generating
empty session data
[Sun Mar 08 13:16:29.921875 2015] [:error] [pid 3003] ipa: DEBUG: store
session: session_id=4803e184cecb42f2e326391dbb09443d
start_timestamp=2015-03-08T13:16:29 access_timestamp=2015-03-08T13:16:29
expiration_timestamp=1970-01-01T03:00:00
[Sun Mar 08 13:16:29.922125 2015] [:error] [pid 3003] ipa: DEBUG:
jsonserver_session.__call__: session_id=4803e184cecb42f2e326391dbb09443d
start_timestamp=2015-03-08T13:16:29 

[Freeipa-users] IPA web ui always giving Your session has expired. Please re-login.

2015-03-08 Thread Ben .T.George
Hi,

I have FreeIPA 4.1.2 installed.

My web UI is always giving "Your session has expired. Please re-login.", even
when I tried from a different computer and different browsers.

How can I fix this?

Re: [Freeipa-users] IPA web ui always giving Your session has expired. Please re-login.

2015-03-08 Thread Dmitri Pal

On 03/08/2015 03:54 AM, Ben .T.George wrote:

Hi,

I have FreeIPA 4.1.2 installed.

My web UI is always giving "Your session has expired. Please re-login.",
even when I tried from a different computer and different browsers.

How can I fix this?


There was an issue with the same error message a couple of days ago, and the
problem was that the IPA server's network was not properly set up.
Please check the archives from the last week; maybe they will give you some
hints.


--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.


Re: [Freeipa-users] how can i configure solaris10 as freeIPA 4.1.2 client

2015-03-08 Thread Dmitri Pal

On 03/08/2015 05:25 PM, Jakub Hrozek wrote:

On Sun, Mar 08, 2015 at 04:51:08PM -0400, Rob Crittenden wrote:

The IPA team has moved away from trying to provide direct support
/documentation for non-Linux platforms since we don't have the in-house
expertise. The documents you'll find on the wiki provide a minimalist
configuration that worked for us at one time.

Thanks; I wasn't aware of that.

Should we document that the page might not be accurate and searching
freeipa-users might be a better choice on that wiki page, then?


We should probably add links to the archived threads and BZ to the wiki page.
This would be the minimal effort.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.



Re: [Freeipa-users] verified certificates both sides of a TLS channel

2015-03-08 Thread Fraser Tweedale
On Fri, Mar 06, 2015 at 10:32:16AM +0100, Martin Kosek wrote:
 On 03/06/2015 09:34 AM, Andrew Holway wrote:
 Hi,
 
 We're using rabbitmq to shunt bits of data around various systems; to provide
 better security we would like all of our acmq connections to be authenticated
 and encrypted.
 
 I'm looking for appropriate documentation or some friendly guidance on how
 server-to-server SSL authentication is done with freeipa, and if indeed this
 is the best way to ensure privacy in such scenarios.
 
 These are the best documentation sources I could find:
 
 Creating certs for FreeIPA hosts: 
 https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/host-certificates.html
 
 Creating certs for FreeIPA hosts: 
 https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/service-certificates.html
 
Service certificates issued as per above are usable for TLS client
certificate authentication.  If communications are between two
host/service principals, then TLS client authentication is possible
as long as the server and client software support it.

It would appear that RabbitMQ supports TLS client certificate
authentication: http://www.rabbitmq.com/ssl.html

TLS is the best way to ensure privacy for these connections, and it
also achieves authentication.  Whether it is the *best* way to
authenticate clients depends on what other options there are, how
easy client and server are to configure the methods for, and whether
it also accomplishes authorization (certificate authentication does
not, at least not directly).

 With these certificates, you would need to manually configure SSL-based
 authentication with mod_ssl/mod_nss. Partially related user howto is
 http://www.freeipa.org/page/Apache_SNI_With_Kerberos
 
 I wonder if RabbitMQ has GSSAPI support, that would be more easy to
 configure with FreeIPA than SSL certs.
 
There seems to be some unofficial Kerberos (not GSSAPI) support:
http://comments.gmane.org/gmane.comp.networking.rabbitmq.general/23249
Maybe there is good support for GSSAPI but I did not see it in my
quick search.

 Btw FreeIPA 4.2 plans to have much better support for different cert
 profiles or sub-CAs that you may later use for purposes like this one.
 
This is highly desirable, and it is coming.  FreeIPA currently
issues all certificates directly from a single CA, and any
certificate issued by the CA will be considered valid (as long as it
is not expired, revoked, etc).  At this time, application- or TLS
termination-layer logic is needed to make authorisation decisions.

 Ticket:
 https://fedorahosted.org/freeipa/ticket/57
 
 CCing Fraser from Dogtag team for reference.
 
 Martin

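Fraser's point above, that a certificate from the single IPA CA proves a peer's identity but does not by itself authorise it, can be made concrete. The following is an added example (not FreeIPA or RabbitMQ code): an allow-list check over the dict that Python's `ssl.SSLSocket.getpeercert()` returns, with constructed sample certificates and placeholder hostnames under `example.test`.

```python
"""Added example (not FreeIPA code): authorisation on top of TLS client-cert auth.

A cert issued by the FreeIPA CA only proves the peer *is* some host/service
principal the CA vouched for. Which principals may talk to a given service is
a separate, application-layer decision. Below, that decision is a pure function
over the dict shape returned by ssl.SSLSocket.getpeercert(), next to the
SSLContext settings that make the TLS layer demand and verify a client cert.
"""
import ssl
import time
from typing import Iterable, Optional, Set


def peer_names(cert: dict) -> Set[str]:
    """Collect the identities a peer cert asserts: subject CN plus DNS SANs.

    getpeercert() returns 'subject' as a tuple of RDNs (each a tuple of
    (type, value) pairs) and 'subjectAltName' as a tuple of (kind, value).
    """
    names = set()
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                names.add(value.lower())
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            names.add(value.lower())
    return names


def is_expired(cert: dict, now: Optional[float] = None) -> bool:
    """True when notAfter is in the past or missing. The TLS handshake already
    rejects expired certs; this guards the case where a TLS-terminating proxy
    hands the application a cert dict without re-checking."""
    now = time.time() if now is None else now
    not_after = cert.get("notAfter")
    return not_after is None or ssl.cert_time_to_seconds(not_after) < now


def authorize_peer(cert: dict, allowed_hosts: Iterable[str],
                   now: Optional[float] = None) -> bool:
    """CA validity (checked by TLS) is necessary but not sufficient: only
    hosts on this service's own allow-list get through."""
    if is_expired(cert, now):
        return False
    allowed = {h.lower() for h in allowed_hosts}
    return bool(peer_names(cert) & allowed)


def make_server_context(cafile: str, certfile: str, keyfile: str) -> ssl.SSLContext:
    """Server-side context that *requires* a client cert chaining to the IPA CA.
    File paths are the caller's assumption (e.g. the IPA CA cert as cafile)."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile=cafile)
    ctx.load_cert_chain(certfile, keyfile)
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


# Constructed sample peer certs in getpeercert() shape; example.test hostnames
# are placeholders, not systems from the thread.
PRODUCER_CERT = {
    "subject": ((("organizationName", "EXAMPLE.TEST"),),
                (("commonName", "producer.example.test"),)),
    "subjectAltName": (("DNS", "producer.example.test"),),
    "notAfter": "Jan 15 00:00:00 2099 GMT",
}
ROGUE_CERT = {  # validly issued by the same CA, but not an allowed peer
    "subject": ((("commonName", "laptop.example.test"),),),
    "subjectAltName": (("DNS", "laptop.example.test"),),
    "notAfter": "Jan 15 00:00:00 2099 GMT",
}
ALLOWED_PEERS = ["producer.example.test", "consumer.example.test"]

if __name__ == "__main__":
    for label, cert in (("producer", PRODUCER_CERT), ("rogue", ROGUE_CERT)):
        print(label, "allowed" if authorize_peer(cert, ALLOWED_PEERS) else "denied")
```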


Re: [Freeipa-users] IPA web ui always giving Your session has expired. Please re-login.

2015-03-08 Thread Ben .T.George
I was inspecting the page and got the response below.

http://s21.postimg.org/itv5hf0h3/asdasd.jpg

http://s3.postimg.org/f6knomt1f/Capture.jpg

Please, anyone, help me to solve this issue. I just want to create one local
user in IPA.

On Sun, Mar 8, 2015 at 1:17 PM, Ben .T.George bentech4...@gmail.com wrote:

 I enabled debugging mode in default.conf and this is what I am getting in
 error_log:

Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-08 Thread Matt .
I'm reviewing some things.

When I'm using a loadbalancer, which I prefer in this setup, I need to
have the same certificates on both servers. Maybe a wildcard for my
domain could do instead of having only both FQDNs of the servers
including the loadbalancer's FQDN.

But the question remains, how?



2015-03-07 10:37 GMT+01:00 Matt . yamakasi@gmail.com:
 Hi,

 I will balance with IP persistence so I think there won't be any
 mixing as long as that used server is online.

 2015-03-06 19:16 GMT+01:00 Dmitri Pal d...@redhat.com:
 On 03/06/2015 11:05 AM, Matt . wrote:

 OK, understood.

 But when a webservice does execute a command (from scripting) to a SRV
 record and the first is not reachable, would it try to do it again or
 will DNS handle this in front of it?

 I do a kinit against an IPA server using a keytab after I first
 checked if the user was able to auth himself using his ldap
 credentials; if so, this kinit exec is fired and I do some CURL stuff
 to the IPA server.

 That's why I wanted a loadbalancer: the loadbalancer sees if a server
 is down and doesn't even try to direct any of the commands to it...
 I'm not sure if the SRV will handle this well when doing these commands
 from PHP, for example. Building in extra checks in front could be
 done but it is not ideal, as a loadbalancer can handle such things much
 better.


 OK, this makes things much more clear. Thanks for the explanation.
 Rob, what is our failover logic for the API?

 For CLI we use a negotiation and then we store a cookie, so as long as the
 whole conversation goes to the same server you should be fine. I do not
 think you need to re-encrypt the traffic at the load balancer, and thus have a
 cert there, if you can enforce the use of the same server in this case.

 The issue I anticipate is with Kerberos. I think you should not load balance
 the Kerberos traffic, only the API commands starting with the negotiation.

 Rob, does that make sense to you?



 Thanks!

 Cheers,

 Matt

 2015-03-06 16:41 GMT+01:00 Dmitri Pal d...@redhat.com:

 On 03/06/2015 10:24 AM, Matt . wrote:

 Hi,

 I'm really bound to a loadbalancer, as it's an HA setup of loadbalancers;
 SRV won't fit here, sorry to say.

 I auth users, so their keytab should be the same between two masters I
 believe?


 Each entity in a Kerberos exchange has its own identity and key.
 If you send a ticket that is destined to service A to service B instead, it
 would not work unless they share the same keys and identity. Sharing the same
 keys and identities between the servers just would not work with IPA.
 Keep in mind that IPA clients and servers need to work and fail over if you
 do not have any load balancers, and this is the common case. You are trying
 to add one where it is really not needed, creating overhead for yourself.



 In that case... I need to add the altnames to the certs, but I'm not
 100% there in step 6.

 Thanks again!

 Cheers,

 Matthijs

 2015-03-06 16:16 GMT+01:00 Petr Spacek pspa...@redhat.com:

 On 6.3.2015 15:39, Matt . wrote:

 I have 2 IPA servers where I kinit to and post to the API using
 curl/json.

 If we are talking purely about scripting, you can use the IPA Python API.
 It will handle fail over for you even without any load balancer. That would
 be the easiest way.

 As I need redundancy and don't want to have it script-managed, but one
 central point where I can talk to, I use a loadbalancer.

 Well, if you can control clients then the easiest and most universal way
 is to use DNS SRV records and add failover logic to clients. That solution
 works even when servers are geographically distributed/in different networks
 and does not have a single point of failure (the load balancer).

 As I connect to the loadbalancer using DNAT, so the client IP is known
 on the IPA server because this is needed for the http service
 principals, I need to add the loadbalancer hostname to my IPA server
 and make it an ALT name in its certificate.

 As the users are the same on both servers I would assume I can use a
 keytab for a user against both servers from my clients.

 I'm talking about keytabs on the FreeIPA servers - services running on the
 IPA server have their own keytabs too. Every service on every server has
 its own keytab with a different key.

 You need to talk with Simo or some other Kerberos guru about the
 possibility of sharing keytabs between IPA services.

 Does this make it more clear?

 I'm still not sure if you want to have human users too or just API
 clients.

 Petr^2 Spacek

 2015-03-06 15:31 GMT+01:00 Petr Spacek pspa...@redhat.com:

 On 6.3.2015 15:13, Matt . wrote:

 Hi,

 But as the user is the same, I could use the same keytab for each IPA
 server?

 I need to use the API indeed, so I need to issue the http service.

 Any other options?

 I do not really understand your use case. Could you describe it in
 detail, please?

 Petr^2 Spacek

 2015-03-06 14:24 GMT+01:00 Petr Spacek pspa...@redhat.com:

 On 6.3.2015 14:08, Martin Kosek wrote:

 I'm