Re: [Freeipa-users] Troubleshooting SSO
Hi,

On 30.3.2015 at 19:42, Gould, Joshua wrote:

On 3/30/15, 11:56 AM, Dmitri Pal <d...@redhat.com> wrote:

# auth_to_local = RULE:[1:$1@$0](^.*@TEST.OSUWMC$)s/@TEST.OSUWMC/@test.osuwmc/
auth_to_local = RULE:[1:$1@$0](^.*@TEST.OSUWMC$)s/@TEST.OSUWMC/@test.osuwmc/

If you use the plugin then this RULE should not be needed. Have you tried commenting it out and restarting SSSD?

I commented out those lines and restarted SSSD. I still was not able to get in with SSO.

Mar 30 13:33:35 mid-ipa-vp01 sshd[12789]: debug3: fd 5 is not O_NONBLOCK
Mar 30 13:33:35 mid-ipa-vp01 sshd[12789]: debug1: Forked child 13750.
Mar 30 13:33:35 mid-ipa-vp01 sshd[12789]: debug3: send_rexec_state: entering fd = 8 config len 899
Mar 30 13:33:35 mid-ipa-vp01 sshd[12789]: debug3: ssh_msg_send: type 0
Mar 30 13:33:35 mid-ipa-vp01 sshd[12789]: debug3: send_rexec_state: done
Mar 30 13:33:35 mid-ipa-vp01 sshd[13750]: debug3: oom_adjust_restore
Mar 30 13:33:35 mid-ipa-vp01 sshd[13750]: Set /proc/self/oom_score_adj to 0
Mar 30 13:33:35 mid-ipa-vp01 sshd[13750]: debug1: rexec start in 5 out 5 newsock 5 pipe 7 sock 8
Mar 30 13:33:35 mid-ipa-vp01 sshd[13750]: debug1: inetd sockets after dupping: 3, 3
Mar 30 13:33:35 mid-ipa-vp01 sshd[13750]: Connection from 10.80.5.239 port 65333 on 10.127.26.73 port 22
Mar 30 13:33:35 mid-ipa-vp01 sshd[13750]: debug1: Client protocol version 2.0; client software version PuTTY_Release_0.64
Mar 30 13:33:35 mid-ipa-vp01 sshd[13750]: debug1: no match: PuTTY_Release_0.64
Mar 30 13:33:35 mid-ipa-vp01 sshd[13750]: debug1: Enabling compatibility mode for protocol 2.0
Mar 30 13:33:35 mid-ipa-vp01 sshd[13750]: debug1: Local version string SSH-2.0-OpenSSH_6.6.1
Mar 30 13:33:35 mid-ipa-vp01 sshd[13750]: debug2: fd 3 setting O_NONBLOCK
Mar 30 13:33:35 mid-ipa-vp01 sshd[13750]: debug3: ssh_sandbox_init: preparing rlimit sandbox
Mar 30 13:33:35 mid-ipa-vp01 sshd[13750]: debug2: Network child is on pid 13751
Mar 30 13:33:35 mid-ipa-vp01 sshd[13750]: debug3: preauth child monitor started
Mar 30 13:33:35 mid-ipa-vp01 sshd[13750]: debug1: SELinux support enabled [preauth]
Mar 30 13:33:35 mid-ipa-vp01 sshd[13750]: debug3: ssh_selinux_change_context: setting context from 'system_u:system_r:sshd_t:s0-s0:c0.c1023' to 'system_u:system_r:sshd_net_t:s0-s0:c0.c1023' [preauth]
Mar 30 13:33:35 mid-ipa-vp01 sshd[13750]: debug3: privsep user:group 74:74 [preauth]
Mar 30 13:33:35 mid-ipa-vp01 sshd[13750]: debug1: permanently_set_uid: 74/74 [preauth]
Mar 30 13:33:35 mid-ipa-vp01 sshd[13750]: debug1: list_hostkey_types: ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
Mar 30 13:33:35 mid-ipa-vp01 sshd[13750]: debug1: SSH2_MSG_KEXINIT sent [preauth]
Mar 30 13:33:35 mid-ipa-vp01 sshd[13750]: debug1: SSH2_MSG_KEXINIT received [preauth]
Mar 30 13:33:35 mid-ipa-vp01 sshd[13750]: debug2: kex_parse_kexinit: curve25519-sha...@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 [preauth]
Mar 30 13:33:35 mid-ipa-vp01 sshd[13750]: debug2: kex_parse_kexinit: ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
Mar 30 13:33:35 mid-ipa-vp01 sshd[13750]: debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-g...@openssh.com,chacha20-poly1...@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-...@lysator.liu.se [preauth]
Mar 30 13:33:35 mid-ipa-vp01 sshd[13750]: debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-g...@openssh.com,chacha20-poly1...@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-...@lysator.liu.se [preauth]
Mar 30 13:33:35 mid-ipa-vp01 sshd[13750]: debug2: kex_parse_kexinit: hmac-md5-...@openssh.com,hmac-sha1-...@openssh.com,umac-64-...@openssh.com,umac-128-et...@openssh.com,hmac-sha2-256-...@openssh.com,hmac-sha2-512-...@openssh.com,hmac-ripemd160-...@openssh.com,hmac-sha1-96-...@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac...@openssh.com,umac-...@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96 [preauth]
Mar 30 13:33:35 mid-ipa-vp01 sshd[13750]: debug2: kex_parse_kexinit: hmac-md5-...@openssh.com,hmac-sha1-...@openssh.com,umac-64-...@openssh.com,umac-128-et...@openssh.com,hmac-sha2-256-...@openssh.com,hmac-sha2-512-...@openssh.com,hmac-ripemd160-...@openssh.com,hmac-sha1-96-...@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac...@openssh.com,umac-...@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96 [preauth]
Mar 30 13:33:35 mid-ipa-vp01 sshd[13750]: debug2: kex_parse_kexinit: none,z...@openssh.com [preauth]
Mar 30 13:33:35 mid-ipa-vp01 sshd[13750]: debug2: kex_parse_kexinit: none,z...@openssh.com [preauth]
Mar
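The RULE quoted in the message above can be tried offline. What follows is an added example, not code from the thread or from MIT krb5, SSSD or FreeIPA: it re-implements the documented krb5.conf auth_to_local syntax RULE:[n:string](regexp)s/pattern/replacement/[g] together with the DEFAULT rule, and walks a rule list the way libkrb5 does (the first rule that yields a name wins). Only the rule itself comes from the message; the principals fed to it, including the host/ principal, are constructed for illustration.

```python
"""Evaluate MIT krb5 auth_to_local RULE entries against a principal.

Added example; not code from the thread, MIT krb5, SSSD or FreeIPA. It
implements the documented krb5.conf syntax
    RULE:[n:string](regexp)s/pattern/replacement/[g]
and the DEFAULT rule, and walks a rule list the way libkrb5 does: the first
rule that yields a name wins. The principals used below are constructed.
"""
import re

# The rule quoted in the message above.
POSTED_RULE = "RULE:[1:$1@$0](^.*@TEST.OSUWMC$)s/@TEST.OSUWMC/@test.osuwmc/"

_RULE_RE = re.compile(
    r"^RULE:\[(?P<n>\d+):(?P<fmt>[^\]]*)\]"                 # [n:string]
    r"(?:\((?P<match>.*?)\))?"                               # optional (regexp)
    r"(?P<subs>(?:s/(?:[^/\\]|\\.)*/(?:[^/\\]|\\.)*/g?)*)$"  # s/pat/repl/[g]...
)
_SUB_RE = re.compile(r"s/((?:[^/\\]|\\.)*)/((?:[^/\\]|\\.)*)/(g?)")


def split_principal(principal):
    """'comp1/comp2@REALM' -> (['comp1', 'comp2'], 'REALM')."""
    name, sep, realm = principal.rpartition("@")
    if not sep:
        raise ValueError(f"principal has no realm: {principal!r}")
    return name.split("/"), realm


def apply_rule(rule, principal):
    """Local name produced by one RULE, or None when the rule does not apply."""
    m = _RULE_RE.match(rule)
    if not m:
        raise ValueError(f"malformed rule: {rule!r}")
    components, realm = split_principal(principal)
    # [n:...] only considers principals with exactly n components.
    if len(components) != int(m.group("n")):
        return None
    # Selector string: $0 is the realm, $1..$n the components.
    selector = m.group("fmt").replace("$0", realm)
    for i, comp in enumerate(components, start=1):
        selector = selector.replace(f"${i}", comp)
    # The optional (regexp) must match the selector, else the rule is skipped.
    # krb5 uses POSIX extended regexps; the unescaped '.' in TEST.OSUWMC
    # matches any character, exactly as it does in the posted rule.
    pattern = m.group("match")
    if pattern is not None and re.search(pattern, selector) is None:
        return None
    # Apply each s/pattern/replacement/[g] to the selector in order.
    result = selector
    for pat, repl, flag in _SUB_RE.findall(m.group("subs")):
        result = re.sub(pat, repl, result, count=0 if flag == "g" else 1)
    return result


def auth_to_local(principal, rules, default_realm):
    """Map a principal to a local name using an auth_to_local rule list.

    DEFAULT accepts only single-component principals in the default realm and
    returns the component. None means no rule applied (krb5 would fail).
    """
    for rule in rules:
        if rule == "DEFAULT":
            components, realm = split_principal(principal)
            if realm == default_realm and len(components) == 1:
                return components[0]
            continue
        local = apply_rule(rule, principal)
        if local is not None:
            return local
    return None


if __name__ == "__main__":
    rules = [POSTED_RULE, "DEFAULT"]
    for p in ("jgould@TEST.OSUWMC",                         # rewritten by the RULE
              "host/mid-ipa-vp01.test.osuwmc@TEST.OSUWMC",  # 2 components: no match
              "jgould@OTHER.EXAMPLE"):                      # wrong realm: no match
        print(f"{p} -> {auth_to_local(p, rules, 'TEST.OSUWMC')}")
```

Two things are worth noticing when running it. The posted rule turns jgould@TEST.OSUWMC into jgould@test.osuwmc, a local name that still carries a realm-like suffix, so it only helps if whatever consumes the local name expects that form. A two-component principal such as a host/ service principal never matches a [1:...] rule and falls through to DEFAULT, which itself accepts only single-component principals in the default realm, so it ends up with no mapping at all.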
Re: [Freeipa-users] Can freeIPA work without Kerberos and DNS
On 30.3.2015 14:58, Gokulnath wrote:

Thanks for the update. The reason for weighing in on the Kerberos option is to have that as an option to disable if needed; security is more important. I had to say this because there was a question on why I would disable it.

I would argue that by using plain LDAP with user+password combination or certificate-based login (private key) you are actually making things worse for scenarios where an attacker can have access to memory from time to time.

Password and private key are long-term secrets, i.e. they are highly sensitive and in the described case used for every authentication. In case of Kerberos, the long-term secret is used only once to obtain a session key (TGT or other ticket) and this session key has a limited lifetime, so a stolen session key gives the attacker access only for a limited time.

Anyway, this is just an academic discussion. Do not use cloud services if you are worried about this kind of attack.

Petr^2 Spacek

I agree that the OTP should definitely provide some additional layer of security. Let me test and reply back. Thanks again.

Gokul
Sent from iPhone

On Mar 30, 2015, at 7:48 AM, Dmitri Pal <d...@redhat.com> wrote:

On 03/29/2015 10:27 PM, Gokulnath wrote:

Thanks for getting back.

1. As for security, a Kerberos ticket in memory can be taken and that session key can be used to gain access everywhere. Primarily this is because the plan is to use the solution in the cloud.

You can use Kerberos in the cloud. It is not worse or better than certs. If you can read memory of a machine you can (potentially) read its keys. But this is the general risk that you take going into the cloud regardless whether you use PKI or Kerberos. In general you do not want to store long term keys in the images but rather add them on the fly when the system is instantiated. The ipa-client-install with OTP registration code provides this capability. It seems that you are trying to overcomplicate things with no obvious reason. If you need help with picking a better approach let us know what exactly you are trying to accomplish.

2. Can I disable DNS as well? And have IPA run only LDAP, SSH key rotation and PKI?

3. During the install, DNS and Kerberos are getting installed and configured.

I would really appreciate if you can get back.

Thank you
Gokul
Sent from iPhone

On Mar 29, 2015, at 8:44 PM, Dmitri Pal <d...@redhat.com> wrote:

On 03/29/2015 11:50 AM, Gokul wrote:

Hi,

I have tried to run some of my use cases with FreeIPA: have FreeIPA do only SSH key management in LDAP and PKI management. I understand that every request is kerberized and that DNS is a must in the configuration. Can I have FreeIPA run only SSH key management with LDAP and a PKI server with dogtag?

Thank you
Gokul

You can't turn off Kerberos. You would need Kerberos for administration. But other clients can take advantage of LDAP and SSH only. However you are significantly limiting your functionality and capabilities. Kerberos is really the key of the solution. What is the reason you try to avoid using it?

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] IPA Client using Source Code
On 30.3.2015 11:23, Yogesh Sharma wrote:

Hi Jakub:

FreeIPA package is not available in Amazon Linux running on EC2 Instance. We tried to install individual packages but it is breaking at many places.

BTW if you want FreeIPA support in Amazon Linux then please contact Amazon support and tell them about your request. It will make life easier for you and everyone else too (in the long term).

Have a nice day!

--
Petr^2 Spacek
Re: [Freeipa-users] FreeIPA with Active directory Read-only domain controller trust setup
On 30.3.2015 18:00, Dmitri Pal wrote:

On 03/30/2015 11:12 AM, Srdjan Dutina wrote:

Hi,

I'm testing FreeIPA (v4.1.3, Centos 7) - AD (2012 R2) trust on a branch site where only an AD read-only domain controller (RODC) exists. I'm aware that for initial establishing of trust I need access to a writable domain controller so IPA can add trust to AD domains and trusts. But after initial setup, can FreeIPA-AD trust continue to function with IPA access to RODC only?

Should work.

Will Kerberos authentication of AD users on IPA domain hosts work? In this case, should the FreeIPA server have a DNS forward zone configured with RODC as a forwarder to AD?

It should not matter as long as the forwarder knows how to resolve all the DNS names. General advice is to pick the nearest server if you have access to it and add a couple of other servers to enable fail-over (if the nearest server fails for some reason).

--
Petr^2 Spacek
Re: [Freeipa-users] IPA Client using Source Code
Yes Petr. Support case has already been opened with them.

Best Regards,
Yogesh Sharma
Email: yks0...@gmail.com | Web: www.initd.in
RHCE, VCE-CIA, RackSpace Cloud U

On Tue, Mar 31, 2015 at 12:20 PM, Petr Spacek <pspa...@redhat.com> wrote:
[...]
Re: [Freeipa-users] FreeIPA with Active directory Read-only domain controller trust setup
On Tue, 31 Mar 2015, Petr Spacek wrote:
[...]

In general, user identity lookup for trusted AD users happens via IPA masters -- each IPA client would delegate lookup to an IPA master and that one would use the closest site discovered in AD to do the lookup.

With authentication we are in a bit more complex situation. GSSAPI authentication assumes your Windows client comes already with a service ticket to an IPA client's service. The ticket is obtained by the Windows client by first obtaining a cross-realm TGT from an AD DC and then using this TGT to ask for a service ticket from an IPA master (KDC). The latter ticket is then presented to an IPA client's service.

When an AD user attempts to use their password directly, the IPA client will be talking to a discovered AD DC to validate the password and authenticate the user. At this step discovery of the AD DC for Kerberos purposes is not done based on site locality; SSSD still has some open ticket to do that if I remember correctly.

--
/ Alexander Bokovoy
Re: [Freeipa-users] Understanding the migration mode
The idea is that you tell all the users to either login via the migration page or via SSSD. If your server is in migration mode the migration page should be available and SSSD should detect that the server is in migration mode. In this case any authentication via SSSD will end up creating proper hashes for Kerberos. I suspect this is when the conversion of the LDAP hashes happens too. You suggested that this is not the case but I am not sure that the test was 100% correct. Please try:

- check that migration mode is on
- check that the user does not have a Kerberos password, only the LDAP hash from NIS migration
- ssh into a box that runs SSSD with such a user, authenticate

As a result you should see a Kerberos hash created for this user and I suspect the LDAP hash is converted at the same time.

I verified all the steps, and I can confirm that SSSD does not migrate users automatically. I see the following in /var/log/secure, which confirms that sssd is indeed authenticating the user:

Mar 31 03:50:47 ipaserver sshd[23531]: Accepted password for testuser2 from ip port 43622 ssh2
Mar 31 03:50:47 ipaserver sshd[23531]: pam_unix(sshd:session): session opened for user testuser2 by (uid=0)

ipa user-show testuser2 still shows "Kerberos keys available: False". sssd's logs also show successful authentication.

I think this sounds reasonable (and possibly intentional?) since the alternative would make staged migration impossible. As soon as one client is migrated, all other clients would lose the ability to authenticate with NIS. The way it is behaving right now is actually preferable, i.e. no automatic migration until done explicitly by user/admin.

Coming back to the original issue, I deleted those accidentally migrated users and added them again, and I haven't seen any anomalous behaviour since, i.e. their crypt hashes are visible to NIS clients. I can only guess that whatever triggered it in the first place was a one-off event. Could yum update be responsible? All the FreeIPA packages were updated last week to the latest point release. In any case, I think it is behaving well for now, and hope it stays that way.

Minor question: our NIS maps had separate shadow maps originally, which provided some mild security since they can't be accessed by unprivileged users/ports. Is it possible to do that with the NIS plugin in IPA?
Re: [Freeipa-users] Additional pre-authentication required, Ticket Wrong ?
On my client I still see:

03/31/2015 11:00:08  04/01/2015 11:00:07  krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL
03/31/2015 11:00:09  04/01/2015 11:00:07  HTTP/ldap-01.domain.local@DOMAIN.LOCAL

Should ldap-01 not be ldap as I go through my loadbalancer?

Do I need to merge keytabs or so?

2015-03-31 7:54 GMT+02:00 Matt . <yamakasi@gmail.com>:

Hi,

I tried to trace some stuff but this doesn't give me much more info.

What I see at the moment in the /var/log/httpd/access_log is exactly what happens but without the info I need to get a better view:

10.10.0.121 - - [30/Mar/2015:22:22:58 +0200] POST /ipa/json HTTP/1.1 301 258
10.10.0.121 - - [30/Mar/2015:22:22:58 +0200] POST /ipa/json HTTP/1.1 301 259 https://ldap.domain.local/ipa/json -
10.10.0.121 - - [30/Mar/2015:22:22:58 +0200] POST /ipa/json HTTP/1.1 401 1469
10.10.0.121 - - [30/Mar/2015:22:22:59 +0200] POST /ipa/json HTTP/1.1 401 1469

2015-03-30 15:03 GMT+02:00 Sumit Bose <sb...@redhat.com>:

On Mon, Mar 30, 2015 at 04:56:11AM +0200, Matt . wrote:

Hi,

I just got home and am typing from my cell so I'm quite short in words.

Create keytab for ldap-01.domain
Kinit with that to ldap.domain
Curl against ldap.domain
Get a 301 which I manage from curl (goes well)
Get kerberos ticket error

Now I don't kinit anymore so I re-use my existing ticket and curl against ldap-01.domain and I'm accepted and can execute stuff.

My ssl is OK, ticket also it seems.

Maybe the output of KRB5_TRACE=/dev/stdout curl -v might help to see what is going on?

bye,
Sumit

Thanks M.

On 30 Mar 2015 03:50, Dmitri Pal <d...@redhat.com> wrote:

On 03/29/2015 04:47 AM, Matt . wrote:

Hi Guys,

Now my Certification issues are solved for using a loadbalancer in front of my ipa servers I get the following:

Unable to verify your Kerberos credentials

and in my logs:

Additional pre-authentication required.

This happens when I connect through my loadbalancers; I see my server coming in with the right IP.

When I access my ipa server directly, not using the loadbalancer IP between it, my kerberos Ticket is valid.

I get the feeling that when I use my loadbalancers and because of that I get a 301 redirect it needs a preauth. I see some issues on mailinglists but it doesn't fit my situation.

Why does it want the preauth when I already have a valid ticket and my redirect is followed by CURL and posted the right way?

Can you describe the sequence? What do you do? From the client you try IPA CLI and this is where you see the problem even with the valid ticket or is the flow different?

I hope someone has an idea.

Thanks,

Matt

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Re: [Freeipa-users] Troubleshooting SSO
On Tue, Mar 31, 2015 at 07:56:53AM +0200, Jan Cholasta wrote:

Hi,

On 30.3.2015 at 19:42, Gould, Joshua wrote:

On 3/30/15, 11:56 AM, Dmitri Pal <d...@redhat.com> wrote:

# auth_to_local = RULE:[1:$1@$0](^.*@TEST.OSUWMC$)s/@TEST.OSUWMC/@test.osuwmc/
auth_to_local = RULE:[1:$1@$0](^.*@TEST.OSUWMC$)s/@TEST.OSUWMC/@test.osuwmc/

If you use the plugin then this RULE should not be needed. Have you tried commenting it out and restarting SSSD?

I commented out those lines and restarted SSSD. I still was not able to get in with SSO.

[...]
Re: [Freeipa-users] Additional pre-authentication required, Ticket Wrong ?
On Tue, Mar 31, 2015 at 11:02:24AM +0200, Matt . wrote:

On my client I still see:

03/31/2015 11:00:08  04/01/2015 11:00:07  krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL
03/31/2015 11:00:09  04/01/2015 11:00:07  HTTP/ldap-01.domain.local@DOMAIN.LOCAL

Should ldap-01 not be ldap as I go through my loadbalancer?

I guess not, because your loadbalancer just redirects the traffic and the authentication is done with ldap-01.

bye,
Sumit

Do I need to merge keytabs or so?

[...]
Re: [Freeipa-users] Additional pre-authentication required, Ticket Wrong ?
Yes I would assume too, but it's just ruling out possibilities of what could make it not work. I cannot figure out why it only logs the 401 after the known 301's in the access_log and nothing further; apache really blocks, so kerberos should be in the way for sure, but how.

2015-03-31 11:09 GMT+02:00 Sumit Bose <sb...@redhat.com>:
[...]
Re: [Freeipa-users] Additional pre-authentication required, Ticket Wrong ?
Here some extra logging from the kerberos log:

Mar 31 11:34:51 ldap-01.domain.local krb5kdc[2764](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.10.0.121: NEEDED_PREAUTH: kinituser@DOMAIN.LOCAL for krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL, Additional pre-authentication required
Mar 31 11:34:51 ldap-01.domain.local krb5kdc[2764](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.10.0.121: ISSUE: authtime 1427794491, etypes {rep=18 tkt=18 ses=18}, kinituser@DOMAIN.LOCAL for krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL
Mar 31 11:34:51 ldap-01.domain.local krb5kdc[2764](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.10.0.121: ISSUE: authtime 1427794491, etypes {rep=18 tkt=18 ses=18}, kinituser@DOMAIN.LOCAL for HTTP/ldap-01.domain.local@DOMAIN.LOCAL

I don't get the preauth needed, does it have anything to do with the 301 redirect which I follow with CURL ?

2015-03-31 11:15 GMT+02:00 Matt . <yamakasi@gmail.com>:
> Yes I would assume too, but it's just kicking out possibilities what could make it not working.
>
> I cannot figure out why it only logs the 401 after the known 301's in the access_log and nothing further, apache really blocks, so kerberos should be in the way for sure, but how.
>
> 2015-03-31 11:09 GMT+02:00 Sumit Bose <sb...@redhat.com>:
>> On Tue, Mar 31, 2015 at 11:02:24AM +0200, Matt . wrote:
>>> On my client I still see:
>>>
>>> 03/31/2015 11:00:08  04/01/2015 11:00:07  krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL
>>> 03/31/2015 11:00:09  04/01/2015 11:00:07  HTTP/ldap-01.domain.local@DOMAIN.LOCAL
>>>
>>> Should ldap-01 not be ldap as I go through my loadbalancer ?
>>
>> I guess not, because your loadbalancer just redirects the traffic and the authentication is done with ldap-01.
>>
>> bye,
>> Sumit
>>
>>> Do I need to merge keytabs or so ?
>>>
>>> 2015-03-31 7:54 GMT+02:00 Matt . <yamakasi@gmail.com>:
>>>> Hi,
>>>>
>>>> I tried to trace some stuff but this doesn't give me much more info.
>>>>
>>>> What I see at the moment in the /var/log/httpd/access_log is exactly what happens but without the info I need to get a better view:
>>>>
>>>> 10.10.0.121 - - [30/Mar/2015:22:22:58 +0200] "POST /ipa/json HTTP/1.1" 301 258
>>>> 10.10.0.121 - - [30/Mar/2015:22:22:58 +0200] "POST /ipa/json HTTP/1.1" 301 259 https://ldap.domain.local/ipa/json -
>>>> 10.10.0.121 - - [30/Mar/2015:22:22:58 +0200] "POST /ipa/json HTTP/1.1" 401 1469
>>>> 10.10.0.121 - - [30/Mar/2015:22:22:59 +0200] "POST /ipa/json HTTP/1.1" 401 1469
>>>>
>>>> 2015-03-30 15:03 GMT+02:00 Sumit Bose <sb...@redhat.com>:
>>>>> On Mon, Mar 30, 2015 at 04:56:11AM +0200, Matt . wrote:
>>>>>> Hi,
>>>>>>
>>>>>> I just got home and typing from my cell so I'm quite short in words
>>>>>>
>>>>>> Create keytab for ldap-01.domain
>>>>>> Kinit with that to ldap.domain
>>>>>> Curl against ldap.domain
>>>>>> Get a 301 which I manage from curl (goes well)
>>>>>> Get kerberos ticket error
>>>>>>
>>>>>> now I don't kinit anymore so re-use my existing ticket and curl against ldap-01.domain and I'm accepted and can execute stuff.
>>>>>>
>>>>>> My ssl is OK, ticket also it seems.
>>>>>
>>>>> Maybe the output of KRB5_TRACE=/dev/stdout curl -v might help to see what is going on?
>>>>>
>>>>> bye,
>>>>> Sumit
>>>>>
>>>>>> Thanks M.
>>>>>>
>>>>>> On 30 Mar 2015 03:50, Dmitri Pal <d...@redhat.com> wrote:
>>>>>>> On 03/29/2015 04:47 AM, Matt . wrote:
>>>>>>>> Hi Guys,
>>>>>>>>
>>>>>>>> Now my Certification issues are solved for using a loadbalancer in front of my ipa servers I get the following:
>>>>>>>>
>>>>>>>> Unable to verify your Kerberos credentials
>>>>>>>>
>>>>>>>> and in my logs:
>>>>>>>>
>>>>>>>> Additional pre-authentication required.
>>>>>>>>
>>>>>>>> This happens when I connect through my loadbalancers, I see my server coming in with the right IP. When I access my ipa server directly, not using the loadbalancer IP between it, my kerberos Ticket is valid.
>>>>>>>>
>>>>>>>> I get the feeling that when I use my loadbalancers and because of that I get a 301 redirect it needs a preauth. I see some issues on mailinglists but it doesn't fit my situation.
>>>>>>>>
>>>>>>>> Why does it want the preauth when I already have a valid ticket and my redirect is followed by CURL and posted the right way ?
>>>>>>>
>>>>>>> Can you describe the sequence? What do you do? From the client you try IPA CLI and this is where you see the problem even with the valid ticket or is the flow different?
>>>>>>>
>>>>>>>> I hope someone has an idea.
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>>
>>>>>>>> Matt
>>>>>>>
>>>>>>> --
>>>>>>> Thank you,
>>>>>>> Dmitri Pal
>>>>>>>
>>>>>>> Sr. Engineering Manager IdM portfolio
>>>>>>> Red Hat, Inc.
Re: [Freeipa-users] Additional pre-authentication required, Ticket Wrong ?
On Tue, Mar 31, 2015 at 11:38:30AM +0200, Matt . wrote:
> Here some extra logging from the kerberos log:
>
> Mar 31 11:34:51 ldap-01.domain.local krb5kdc[2764](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.10.0.121: NEEDED_PREAUTH: kinituser@DOMAIN.LOCAL for krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL, Additional pre-authentication required
> Mar 31 11:34:51 ldap-01.domain.local krb5kdc[2764](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.10.0.121: ISSUE: authtime 1427794491, etypes {rep=18 tkt=18 ses=18}, kinituser@DOMAIN.LOCAL for krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL
> Mar 31 11:34:51 ldap-01.domain.local krb5kdc[2764](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.10.0.121: ISSUE: authtime 1427794491, etypes {rep=18 tkt=18 ses=18}, kinituser@DOMAIN.LOCAL for HTTP/ldap-01.domain.local@DOMAIN.LOCAL
>
> I don't get the preauth needed, does it have anything to do with the 301 redirect which I follow with CURL ?

no, this is part of the AS_REQ (request to get a TGT) and will always happen. Since the Kerberos client cannot know what kind of pre-auth schemes are supported or required on the server side it first sends a request without pre-auth data. The server sends back a list of supported schemes with a special NEEDED_PREAUTH error code if pre-auth is required. And with IPA pre-auth is required, otherwise e.g. replay attacks would be easy.

HTH

bye,
Sumit

> 2015-03-31 11:15 GMT+02:00 Matt . <yamakasi@gmail.com>:
>> Yes I would assume too, but it's just kicking out possibilities what could make it not working.
>>
>> I cannot figure out why it only logs the 401 after the known 301's in the access_log and nothing further, apache really blocks, so kerberos should be in the way for sure, but how.
>>
>> 2015-03-31 11:09 GMT+02:00 Sumit Bose <sb...@redhat.com>:
>>> On Tue, Mar 31, 2015 at 11:02:24AM +0200, Matt . wrote:
>>>> On my client I still see:
>>>>
>>>> 03/31/2015 11:00:08  04/01/2015 11:00:07  krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL
>>>> 03/31/2015 11:00:09  04/01/2015 11:00:07  HTTP/ldap-01.domain.local@DOMAIN.LOCAL
>>>>
>>>> Should ldap-01 not be ldap as I go through my loadbalancer ?
>>>
>>> I guess not, because your loadbalancer just redirects the traffic and the authentication is done with ldap-01.
>>>
>>> bye,
>>> Sumit
>>>
>>>> Do I need to merge keytabs or so ?
>>>>
>>>> 2015-03-31 7:54 GMT+02:00 Matt . <yamakasi@gmail.com>:
>>>>> Hi,
>>>>>
>>>>> I tried to trace some stuff but this doesn't give me much more info.
>>>>>
>>>>> What I see at the moment in the /var/log/httpd/access_log is exactly what happens but without the info I need to get a better view:
>>>>>
>>>>> 10.10.0.121 - - [30/Mar/2015:22:22:58 +0200] "POST /ipa/json HTTP/1.1" 301 258
>>>>> 10.10.0.121 - - [30/Mar/2015:22:22:58 +0200] "POST /ipa/json HTTP/1.1" 301 259 https://ldap.domain.local/ipa/json -
>>>>> 10.10.0.121 - - [30/Mar/2015:22:22:58 +0200] "POST /ipa/json HTTP/1.1" 401 1469
>>>>> 10.10.0.121 - - [30/Mar/2015:22:22:59 +0200] "POST /ipa/json HTTP/1.1" 401 1469
>>>>>
>>>>> 2015-03-30 15:03 GMT+02:00 Sumit Bose <sb...@redhat.com>:
>>>>>> On Mon, Mar 30, 2015 at 04:56:11AM +0200, Matt . wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> I just got home and typing from my cell so I'm quite short in words
>>>>>>>
>>>>>>> Create keytab for ldap-01.domain
>>>>>>> Kinit with that to ldap.domain
>>>>>>> Curl against ldap.domain
>>>>>>> Get a 301 which I manage from curl (goes well)
>>>>>>> Get kerberos ticket error
>>>>>>>
>>>>>>> now I don't kinit anymore so re-use my existing ticket and curl against ldap-01.domain and I'm accepted and can execute stuff.
>>>>>>>
>>>>>>> My ssl is OK, ticket also it seems.
>>>>>>
>>>>>> Maybe the output of KRB5_TRACE=/dev/stdout curl -v might help to see what is going on?
>>>>>>
>>>>>> bye,
>>>>>> Sumit
>>>>>>
>>>>>>> Thanks M.
>>>>>>>
>>>>>>> On 30 Mar 2015 03:50, Dmitri Pal <d...@redhat.com> wrote:
>>>>>>>> On 03/29/2015 04:47 AM, Matt . wrote:
>>>>>>>>> Hi Guys,
>>>>>>>>>
>>>>>>>>> Now my Certification issues are solved for using a loadbalancer in front of my ipa servers I get the following:
>>>>>>>>>
>>>>>>>>> Unable to verify your Kerberos credentials
>>>>>>>>>
>>>>>>>>> and in my logs:
>>>>>>>>>
>>>>>>>>> Additional pre-authentication required.
>>>>>>>>>
>>>>>>>>> This happens when I connect through my loadbalancers, I see my server coming in with the right IP. When I access my ipa server directly, not using the loadbalancer IP between it, my kerberos Ticket is valid.
>>>>>>>>>
>>>>>>>>> I get the feeling that when I use my loadbalancers and because of that I get a 301 redirect it needs a preauth. I see some issues on mailinglists but it doesn't fit my situation.
>>>>>>>>>
>>>>>>>>> Why does it want the preauth when I already have a valid ticket and my redirect is followed by CURL and posted the right way ?
>>>>>>>>
>>>>>>>> Can you describe the sequence? What do you do? From the client you try IPA CLI and this is where you see the problem even with the valid ticket or is the flow different?
>>>>>>>>
>>>>>>>>> I hope someone has an idea.
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>>
>>>>>>>>> Matt
>>>>>>>>
>>>>>>>> --
>>>>>>>> Thank you,
>>>>>>>> Dmitri Pal
>>>>>>>>
>>>>>>>> Sr. Engineering Manager IdM portfolio
>>>>>>>> Red Hat, Inc.
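Sumit's explanation above (the first AS_REQ carries no pre-auth data, the KDC answers with NEEDED_PREAUTH and the list of schemes it accepts, and only the retry with pre-auth data is answered with a TGT) as an added, constructed Python model. This is not krb5 or FreeIPA code: the HMAC stand-in for the encrypted timestamp, the string-to-key derivation, the replay cache, the 300-second skew window, and the principal and password names are all assumptions made for the example. It also shows why pre-auth matters, as Sumit says: a replayed or stale PA-ENC-TIMESTAMP is rejected even though its MAC is valid.

```python
"""Toy model of the Kerberos AS exchange with timestamp pre-authentication.
Constructed example for the thread above; not krb5 or FreeIPA code."""
import hashlib
import hmac

MAX_SKEW = 300  # seconds a client timestamp may differ from KDC time (assumed)


def string_to_key(password: str, salt: str) -> bytes:
    """Stand-in for krb5 string-to-key; the salt is realm + principal name."""
    return hashlib.sha256((salt + password).encode()).digest()


def enc_timestamp(key: bytes, ts: int) -> bytes:
    """Stand-in for the PA-ENC-TIMESTAMP ciphertext: a MAC over the timestamp."""
    return hmac.new(key, str(ts).encode(), hashlib.sha256).digest()


class Kdc:
    def __init__(self, realm: str, users: dict):
        self.realm = realm
        # Long-term keys, derived exactly as the client will derive them.
        self.keys = {u: string_to_key(pw, realm + u) for u, pw in users.items()}
        self.replay_cache = set()  # (client, timestamp) pairs already accepted
        self.log = []              # mirrors the krb5kdc log lines in the thread

    def as_req(self, client: str, padata, now: int) -> dict:
        tgt = f"krbtgt/{self.realm}@{self.realm}"
        who = f"{client}@{self.realm}"
        if client not in self.keys:
            self.log.append(f"AS_REQ: CLIENT_NOT_FOUND: {who}")
            return {"error": "KDC_ERR_C_PRINCIPAL_UNKNOWN"}
        if padata is None:
            # First request: no pre-auth data, so answer with the required scheme.
            self.log.append(f"AS_REQ: NEEDED_PREAUTH: {who} for {tgt}, "
                            "Additional pre-authentication required")
            return {"error": "KDC_ERR_PREAUTH_REQUIRED",
                    "etype_info2": {"etype": 18, "salt": self.realm + client}}
        ts = padata["timestamp"]
        if not hmac.compare_digest(enc_timestamp(self.keys[client], ts), padata["enc"]):
            self.log.append(f"AS_REQ: PREAUTH_FAILED: {who} for {tgt}")
            return {"error": "KDC_ERR_PREAUTH_FAILED"}
        if abs(now - ts) > MAX_SKEW:
            self.log.append(f"AS_REQ: CLOCK_SKEW: {who} for {tgt}")
            return {"error": "KRB_AP_ERR_SKEW"}
        if (client, ts) in self.replay_cache:
            # The same encrypted timestamp seen twice is a replayed request.
            self.log.append(f"AS_REQ: REPLAY: {who} for {tgt}")
            return {"error": "KRB_AP_ERR_REPEAT"}
        self.replay_cache.add((client, ts))
        self.log.append(f"AS_REQ: ISSUE: authtime {now}, {who} for {tgt}")
        return {"ticket": tgt, "authtime": now}


def kinit(kdc: Kdc, client: str, password: str, now: int) -> dict:
    """Client side: the first AS_REQ is expected to come back as NEEDED_PREAUTH."""
    first = kdc.as_req(client, None, now)
    if first.get("error") != "KDC_ERR_PREAUTH_REQUIRED":
        return first
    key = string_to_key(password, first["etype_info2"]["salt"])
    padata = {"timestamp": now, "enc": enc_timestamp(key, now)}
    return kdc.as_req(client, padata, now)


if __name__ == "__main__":
    kdc = Kdc("DOMAIN.LOCAL", {"kinituser": "constructed-password"})
    print(kinit(kdc, "kinituser", "constructed-password", 1427794491))
    print("\n".join(kdc.log))
```

Run stand-alone it prints two log lines, NEEDED_PREAUTH followed by ISSUE, which is the pair Matt saw in krb5kdc.log for a single kinit.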
[Freeipa-users] generic failure: GSSAPI Error: Unspecified GSS failure
hi,

I try to set the sudo password but I get a message : GSSAPI Error
What does this kind of message mean ?

ldappasswd -Y GSSAPI -S -h my_server uid=sudo,cn=sysaccounts,cn=etc,dc=my_domain,dc=com
New password:
Re-enter new password:
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
        additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Ticket expired)
Re: [Freeipa-users] Additional pre-authentication required, Ticket Wrong ?
OK, also understood.

Next item why I don't get any logging or it's not working as expected. I'm actually out of options to be honest.

2015-03-31 11:54 GMT+02:00 Sumit Bose <sb...@redhat.com>:
> On Tue, Mar 31, 2015 at 11:38:30AM +0200, Matt . wrote:
>> Here some extra logging from the kerberos log:
>>
>> Mar 31 11:34:51 ldap-01.domain.local krb5kdc[2764](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.10.0.121: NEEDED_PREAUTH: kinituser@DOMAIN.LOCAL for krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL, Additional pre-authentication required
>> Mar 31 11:34:51 ldap-01.domain.local krb5kdc[2764](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.10.0.121: ISSUE: authtime 1427794491, etypes {rep=18 tkt=18 ses=18}, kinituser@DOMAIN.LOCAL for krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL
>> Mar 31 11:34:51 ldap-01.domain.local krb5kdc[2764](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.10.0.121: ISSUE: authtime 1427794491, etypes {rep=18 tkt=18 ses=18}, kinituser@DOMAIN.LOCAL for HTTP/ldap-01.domain.local@DOMAIN.LOCAL
>>
>> I don't get the preauth needed, does it have anything to do with the 301 redirect which I follow with CURL ?
>
> no, this is part of the AS_REQ (request to get a TGT) and will always happen. Since the Kerberos client cannot know what kind of pre-auth schemes are supported or required on the server side it first sends a request without pre-auth data. The server sends back a list of supported schemes with a special NEEDED_PREAUTH error code if pre-auth is required. And with IPA pre-auth is required, otherwise e.g. replay attacks would be easy.
>
> HTH
>
> bye,
> Sumit
>
>> 2015-03-31 11:15 GMT+02:00 Matt . <yamakasi@gmail.com>:
>>> Yes I would assume too, but it's just kicking out possibilities what could make it not working.
>>>
>>> I cannot figure out why it only logs the 401 after the known 301's in the access_log and nothing further, apache really blocks, so kerberos should be in the way for sure, but how.
>>>
>>> 2015-03-31 11:09 GMT+02:00 Sumit Bose <sb...@redhat.com>:
>>>> On Tue, Mar 31, 2015 at 11:02:24AM +0200, Matt . wrote:
>>>>> On my client I still see:
>>>>>
>>>>> 03/31/2015 11:00:08  04/01/2015 11:00:07  krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL
>>>>> 03/31/2015 11:00:09  04/01/2015 11:00:07  HTTP/ldap-01.domain.local@DOMAIN.LOCAL
>>>>>
>>>>> Should ldap-01 not be ldap as I go through my loadbalancer ?
>>>>
>>>> I guess not, because your loadbalancer just redirects the traffic and the authentication is done with ldap-01.
>>>>
>>>> bye,
>>>> Sumit
>>>>
>>>>> Do I need to merge keytabs or so ?
>>>>>
>>>>> 2015-03-31 7:54 GMT+02:00 Matt . <yamakasi@gmail.com>:
>>>>>> Hi,
>>>>>>
>>>>>> I tried to trace some stuff but this doesn't give me much more info.
>>>>>>
>>>>>> What I see at the moment in the /var/log/httpd/access_log is exactly what happens but without the info I need to get a better view:
>>>>>>
>>>>>> 10.10.0.121 - - [30/Mar/2015:22:22:58 +0200] "POST /ipa/json HTTP/1.1" 301 258
>>>>>> 10.10.0.121 - - [30/Mar/2015:22:22:58 +0200] "POST /ipa/json HTTP/1.1" 301 259 https://ldap.domain.local/ipa/json -
>>>>>> 10.10.0.121 - - [30/Mar/2015:22:22:58 +0200] "POST /ipa/json HTTP/1.1" 401 1469
>>>>>> 10.10.0.121 - - [30/Mar/2015:22:22:59 +0200] "POST /ipa/json HTTP/1.1" 401 1469
>>>>>>
>>>>>> 2015-03-30 15:03 GMT+02:00 Sumit Bose <sb...@redhat.com>:
>>>>>>> On Mon, Mar 30, 2015 at 04:56:11AM +0200, Matt . wrote:
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> I just got home and typing from my cell so I'm quite short in words
>>>>>>>>
>>>>>>>> Create keytab for ldap-01.domain
>>>>>>>> Kinit with that to ldap.domain
>>>>>>>> Curl against ldap.domain
>>>>>>>> Get a 301 which I manage from curl (goes well)
>>>>>>>> Get kerberos ticket error
>>>>>>>>
>>>>>>>> now I don't kinit anymore so re-use my existing ticket and curl against ldap-01.domain and I'm accepted and can execute stuff.
>>>>>>>>
>>>>>>>> My ssl is OK, ticket also it seems.
>>>>>>>
>>>>>>> Maybe the output of KRB5_TRACE=/dev/stdout curl -v might help to see what is going on?
>>>>>>>
>>>>>>> bye,
>>>>>>> Sumit
>>>>>>>
>>>>>>>> Thanks M.
>>>>>>>>
>>>>>>>> On 30 Mar 2015 03:50, Dmitri Pal <d...@redhat.com> wrote:
>>>>>>>>> On 03/29/2015 04:47 AM, Matt . wrote:
>>>>>>>>>> Hi Guys,
>>>>>>>>>>
>>>>>>>>>> Now my Certification issues are solved for using a loadbalancer in front of my ipa servers I get the following:
>>>>>>>>>>
>>>>>>>>>> Unable to verify your Kerberos credentials
>>>>>>>>>>
>>>>>>>>>> and in my logs:
>>>>>>>>>>
>>>>>>>>>> Additional pre-authentication required.
>>>>>>>>>>
>>>>>>>>>> This happens when I connect through my loadbalancers, I see my server coming in with the right IP. When I access my ipa server directly, not using the loadbalancer IP between it, my kerberos Ticket is valid.
>>>>>>>>>>
>>>>>>>>>> I get the feeling that when I use my loadbalancers and because of that I get a 301 redirect it needs a preauth. I see some issues on mailinglists but it doesn't fit my situation.
>>>>>>>>>>
>>>>>>>>>> Why does it want the preauth when I already have a valid ticket and my redirect is followed by CURL and posted the right way ?
>>>>>>>>>
>>>>>>>>> Can you describe the sequence? What do you do? From the client you try IPA CLI and this is where you see the problem even with the valid ticket or is the flow
Re: [Freeipa-users] generic failure: GSSAPI Error: Unspecified GSS failure
On Tue, Mar 31, 2015 at 11:26:53AM +0200, Benoit Rousselle wrote:
> hi,
>
> I try to set the sudo password but I get a message : GSSAPI Error
> What does this kind of message mean ?
>
> ldappasswd -Y GSSAPI -S -h my_server uid=sudo,cn=sysaccounts,cn=etc,dc=my_domain,dc=com
> New password:
> Re-enter new password:
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Local error (-2)
>         additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Ticket expired)

'Ticket expired', so you either have to call kinit again to get a fresh TGT or there is some severe time mismatch between the client and the server.

HTH

bye,
Sumit
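The two causes Sumit names for the "Ticket expired" minor code are an expired TGT and a client/server clock mismatch. As an added example (not from the thread, FreeIPA or krb5), the following Python reads `klist` output in the format of the two ticket lines Matt posted earlier in the archive and classifies each ticket against the client clock, and checks whether two clock readings are within the Kerberos skew limit. The cache and header lines around the two tickets are constructed, and the 300-second skew limit is an assumption.

```python
"""Parse `klist` ticket lines and flag expiry or clock skew.
Added example for the GSSAPI "Ticket expired" question; constructed input."""
from datetime import datetime, timedelta

MAX_SKEW = timedelta(seconds=300)  # assumed clock-skew tolerance
TIME_FMT = "%m/%d/%Y %H:%M:%S"     # the date format klist used in the thread

# Constructed sample: the two ticket lines from the thread with the cache
# and header lines that klist prints around them.
KLIST_OUTPUT = """\
Ticket cache: KEYRING:persistent:1000:1000
Default principal: kinituser@DOMAIN.LOCAL

Valid starting       Expires              Service principal
03/31/2015 11:00:08  04/01/2015 11:00:07  krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL
	renew until 04/07/2015 11:00:07
03/31/2015 11:00:09  04/01/2015 11:00:07  HTTP/ldap-01.domain.local@DOMAIN.LOCAL
"""


def at(text: str) -> datetime:
    """Parse a timestamp written the way klist prints it."""
    return datetime.strptime(text, TIME_FMT)


def parse_klist(text: str):
    """Return [(principal, valid_from, expires)] for every ticket line.
    Header, cache and 'renew until' lines do not parse as two timestamps
    and are skipped."""
    tickets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        try:
            start = at(f"{parts[0]} {parts[1]}")
            end = at(f"{parts[2]} {parts[3]}")
        except ValueError:
            continue
        tickets.append((parts[4], start, end))
    return tickets


def ticket_status(tickets, now: datetime) -> dict:
    """Classify each ticket relative to the client's idea of 'now'."""
    status = {}
    for principal, start, end in tickets:
        if now < start - MAX_SKEW:
            status[principal] = "not yet valid"
        elif now >= end:
            status[principal] = "expired"       # kinit again
        elif end - now < MAX_SKEW:
            status[principal] = "expiring"      # inside the skew window: renew now
        else:
            status[principal] = "valid"
    return status


def clock_skew_ok(client_now: datetime, server_now: datetime) -> bool:
    """A KDC or service rejects requests whose timestamp is off by more than
    the skew limit, even when the ticket itself is unexpired."""
    return abs(client_now - server_now) <= MAX_SKEW


if __name__ == "__main__":
    for principal, state in ticket_status(parse_klist(KLIST_OUTPUT),
                                          at("03/31/2015 12:00:00")).items():
        print(f"{state:14} {principal}")
```

With a real cache the text would come from `subprocess.run(["klist"], ...)`; the skew check needs a server time source, for example the Date header of the IPA web server's response, which is not shown here.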
Re: [Freeipa-users] freeipa behind a load balancer
On 31.3.2015 14:35, Matt . wrote:
> Hi Petr,
>
> As this is not my topic it's for me quite simple. I need to post to /ipa/json through a loadbalancer, nothing more.
>
> I have ldap-01.domain.tld (ipa1) ldap-01.domain.tld (ipa2) and my loadbalancer is ldap.domain.tld
>
> ldap requests over a loadbalancer are quite simple and working, but the json part is more difficult because of the ticket and the dns name.
>
> I have added a san ldap.domain.tld to the webgui and there is a http/ldap.domain.tld service on the ipa server.
>
> I get a nonvalid kerberos ticket when I go through ldap.domain.tld to ldap-01.domain.tld, but when I change my script to ldap-01.domain.tld after it failed my ticket is OK for ldap-01.domain.tld and works.
>
> Is this enough information for you ?

Well, I still do not understand the use case. What are your clients? Are you using 'ipa' command to do something? Or some other clients?

Usually the best thing is to use DNS SRV records because it works even with geographically distributed clusters and does not have a single point of failure (the load balancer). This requires clients with support for DNS SRV but if your machines are using SSSD then you do not need to change anything and it should just work.

That is why I'm asking for the use case :-)

Petr^2 Spacek

> 2015-03-31 14:21 GMT+02:00 Petr Spacek <pspa...@redhat.com>:
>> On 31.3.2015 14:02, Matt . wrote:
>>> Hi Prashant,
>>>
>>> Check my mailings about it, it's not easy, at least the kerberos part isn't; SRV records are used for that normally.
>>>
>>> Are you talking about the webgui or the ldap part ?
>>
>> I would recommend you to step back and describe the use case you have in mind. It is important for us to understand your use case to propose an optimal solution.
>>
>> Petr^2 Spacek
>>
>>> Cheers,
>>>
>>> Matt
>>>
>>> 2015-03-31 13:56 GMT+02:00 Prashant Bapat <prash...@apigee.com>:
>>>> Hi,
>>>>
>>>> I'm trying to get 2 FreeIPA servers in a replicated mode behind a load balancer, specifically Amazon ELB.
>>>>
>>>> I started with editing the /etc/httpd/conf.d/ipa-rewrite.conf but looks like there is more to it than just this file.
>>>>
>>>> Any suggestions ?
>>>>
>>>> Thanks.
>>>> --Prashant
Re: [Freeipa-users] freeipa behind a load balancer
Hi Prashant,

Check my mailings about it, it's not easy, at least the kerberos part isn't; SRV records are used for that normally.

Are you talking about the webgui or the ldap part ?

Cheers,

Matt

2015-03-31 13:56 GMT+02:00 Prashant Bapat <prash...@apigee.com>:
> Hi,
>
> I'm trying to get 2 FreeIPA servers in a replicated mode behind a load balancer, specifically Amazon ELB.
>
> I started with editing the /etc/httpd/conf.d/ipa-rewrite.conf but looks like there is more to it than just this file.
>
> Any suggestions ?
>
> Thanks.
> --Prashant
Re: [Freeipa-users] freeipa behind a load balancer
On 31.3.2015 14:02, Matt . wrote:
> Hi Prashant,
>
> Check my mailings about it, it's not easy, at least the kerberos part isn't; SRV records are used for that normally.
>
> Are you talking about the webgui or the ldap part ?

I would recommend you to step back and describe the use case you have in mind. It is important for us to understand your use case to propose an optimal solution.

Petr^2 Spacek

> Cheers,
>
> Matt
>
> 2015-03-31 13:56 GMT+02:00 Prashant Bapat <prash...@apigee.com>:
>> Hi,
>>
>> I'm trying to get 2 FreeIPA servers in a replicated mode behind a load balancer, specifically Amazon ELB.
>>
>> I started with editing the /etc/httpd/conf.d/ipa-rewrite.conf but looks like there is more to it than just this file.
>>
>> Any suggestions ?
>>
>> Thanks.
>> --Prashant
[Freeipa-users] freeipa behind a load balancer
Hi,

I'm trying to get 2 FreeIPA servers in a replicated mode behind a load balancer, specifically Amazon ELB.

I started with editing the /etc/httpd/conf.d/ipa-rewrite.conf but looks like there is more to it than just this file.

Any suggestions ?

Thanks.
--Prashant
Re: [Freeipa-users] freeipa behind a load balancer
Hi Petr,

As this is not my topic it's for me quite simple. I need to post to /ipa/json through a loadbalancer, nothing more.

I have ldap-01.domain.tld (ipa1) ldap-01.domain.tld (ipa2) and my loadbalancer is ldap.domain.tld

ldap requests over a loadbalancer are quite simple and working, but the json part is more difficult because of the ticket and the dns name.

I have added a san ldap.domain.tld to the webgui and there is a http/ldap.domain.tld service on the ipa server.

I get a nonvalid kerberos ticket when I go through ldap.domain.tld to ldap-01.domain.tld, but when I change my script to ldap-01.domain.tld after it failed my ticket is OK for ldap-01.domain.tld and works.

Is this enough information for you ?

Cheers,

Matt

2015-03-31 14:21 GMT+02:00 Petr Spacek <pspa...@redhat.com>:
> On 31.3.2015 14:02, Matt . wrote:
>> Hi Prashant,
>>
>> Check my mailings about it, it's not easy, at least the kerberos part isn't; SRV records are used for that normally.
>>
>> Are you talking about the webgui or the ldap part ?
>
> I would recommend you to step back and describe the use case you have in mind. It is important for us to understand your use case to propose an optimal solution.
>
> Petr^2 Spacek
>
>> Cheers,
>>
>> Matt
>>
>> 2015-03-31 13:56 GMT+02:00 Prashant Bapat <prash...@apigee.com>:
>>> Hi,
>>>
>>> I'm trying to get 2 FreeIPA servers in a replicated mode behind a load balancer, specifically Amazon ELB.
>>>
>>> I started with editing the /etc/httpd/conf.d/ipa-rewrite.conf but looks like there is more to it than just this file.
>>>
>>> Any suggestions ?
>>>
>>> Thanks.
>>> --Prashant
[Freeipa-users] nsAccountLock attribute
Hi,

Is there a way of making the nsAccountLock attribute (User enable/disable) to be anonymously readable ?

I'm trying to implement a SSH key lookup sshd authorized key command script. Based on this attribute the user will be allowed to login. I need this to be anonymously readable.

Tried setting the permissions but it does not work.

Any other ideas on this ?

Thanks for your help.

--Prashant
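An added example of the check Prashant describes, written as the decision half of an sshd AuthorizedKeysCommand: it reads an LDIF search result for the user and emits ipaSshPubKey values only when the entry does not carry nsAccountLock: TRUE, and emits nothing when the entry is missing or ambiguous. This is not FreeIPA code and not Prashant's script. The LDIF is constructed, and the assumed way to obtain it is an `ldapsearch -Y GSSAPI` run under the host's keytab, which needs no anonymous read access to nsAccountLock (SSSD's own `sss_ssh_authorizedkeys` takes the same authenticated route).

```python
"""AuthorizedKeysCommand-style key lookup that honours nsAccountLock.
Added example; the LDIF below is constructed, not a real directory dump."""
import base64
import sys

SAMPLE_LDIF = """\
# extended LDIF
#
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
uid: alice
nsAccountLock: FALSE
ipaSshPubKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyAlice alice@laptop
ipaSshPubKey: ssh-rsa AAAAB3NzaC1yc2EAAAAConstructed
 FoldedKey alice@desktop

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
uid: bob
nsAccountLock: TRUE
ipaSshPubKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyBob bob@laptop

dn: uid=carol,cn=users,cn=accounts,dc=example,dc=test
uid: carol
ipaSshPubKey:: c3NoLWVkMjU1MTkgQUFBQSBjYXJvbA==

# search result
search: 2
result: 0 Success
"""


def parse_ldif(text: str):
    """Minimal LDIF reader: unfolds continuation lines (leading space),
    decodes '::' base64 values, lower-cases attribute names, and returns
    one {attr: [values]} dict per entry that has a dn."""
    entries, current, pieces = [], [], []

    def flush_line():
        if pieces:
            current.append("".join(pieces))
            pieces.clear()

    def flush_entry():
        flush_line()
        attrs = {}
        for raw in current:
            if raw.startswith("#") or ":" not in raw:
                continue
            name, _, value = raw.partition(":")
            if value.startswith(":"):
                value = base64.b64decode(value[1:].strip()).decode()
            else:
                value = value.strip()
            attrs.setdefault(name.lower(), []).append(value)
        if "dn" in attrs:
            entries.append(attrs)
        current.clear()

    for line in text.splitlines():
        if line == "":
            flush_entry()
        elif line.startswith(" "):
            pieces.append(line[1:])   # folded continuation of the previous line
        else:
            flush_line()
            pieces.append(line)
    flush_entry()
    return entries


def authorized_keys(ldif_text: str, uid: str):
    """Keys to hand to sshd for `uid`, or [] when the account is disabled,
    unknown, or matched more than once (fail closed)."""
    matches = [e for e in parse_ldif(ldif_text) if e.get("uid") == [uid]]
    if len(matches) != 1:
        return []
    entry = matches[0]
    # In IPA an absent nsAccountLock means the account is enabled.
    if entry.get("nsaccountlock", ["FALSE"])[0].upper() == "TRUE":
        return []
    return entry.get("ipasshpubkey", [])


if __name__ == "__main__":
    # sshd passes the login name as %u; the LDIF would come from ldapsearch.
    user = sys.argv[1] if len(sys.argv) > 1 else "alice"
    print("\n".join(authorized_keys(SAMPLE_LDIF, user)))
```

Printing nothing for a locked or unknown user is the whole point: sshd then falls through to whatever other authentication is configured, and the disabled account cannot log in with a key that is still stored in the directory.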
Re: [Freeipa-users] where to disable components?
Janelle wrote:
> Hello again...
>
> Looking around, but probably just not in the right place. I would like to be able to disable httpd on all but a pair of servers, so we kind of force all updates to come from a master and slave pair. Just trying to keep updates defined to 2 servers rather than all of them in an 8 server configuration.
>
> Where might I find that? Or is it possible? Will it break anything?
>
> thank you
> ~J

Not sure the complete reasoning behind that but...

The safest route would be to just firewall ports 80 and 443 off. There is a way to tell ipactl to not start a service but I haven't thought through the implications. The CA interfaces on those machines will also be inaccessible.

rob
[Freeipa-users] where to disable components?
Hello again...

Looking around, but probably just not in the right place. I would like to be able to disable httpd on all but a pair of servers, so we kind of force all updates to come from a master and slave pair. Just trying to keep updates defined to 2 servers rather than all of them in an 8 server configuration.

Where might I find that? Or is it possible? Will it break anything?

thank you
~J
Re: [Freeipa-users] freeipa behind a load balancer
True, but we have some extra layer between which makes the cli command not usable (at least for the moment).

I already know how to share the keys among all servers, that works fine, IPA/Apache/Kerberos only doesn't like the other hostname (loadbalancer), or the client doesn't understand it.

So fixing this saves me really much more time than doing it another way.

Thanks!

Matt

2015-03-31 16:24 GMT+02:00 Petr Spacek <pspa...@redhat.com>:
> On 31.3.2015 16:10, Matt . wrote:
>> Hi Petr,
>>
>> We had several reasons why we did that. We wanted to use one language for that, and also have formatted returns. There was also some security issue which came up.
>
> I would be very interested in the security reason. If you see any problem with 'ipa' command or FreeIPA API please send me a private e-mail or contact secal...@redhat.com directly.
>
>> I could ask you, why does IPA json itself ? if you see what it posts and what it gets back as result it makes it much more clear in development.
>
> I do not understand the question, sorry. If you want to see what 'ipa' command does run it with '-vv' parameter:
>
> $ ipa -vv user-find
>
> It will print JSON request and reply:
>
> ipa: INFO: Request: {
>     "id": 0,
>     "method": "user_find",
>     "params": [
>         [
>             null
>         ],
>         {
>             "all": false,
>             "no_members": false,
>             "pkey_only": false,
>             "raw": false,
>             "version": "2.115",
>             "whoami": false
>         }
>     ]
> }
> ipa: INFO: Response: {
>     "error": null,
>     "id": 0,
>     "principal": "admin@IPA.EXAMPLE",
>     "result": {
>         "count": 2,
>         "result": [
>             {
>                 "dn": "uid=admin,cn=users,cn=accounts,dc=ipa,dc=example",
>                 "gidnumber": [
>                     "138100"
>                 ],
> ...
>
>> HTTP loadbalancing is not difficult at all, as we post to the webserver I need to have that part only auth right. We do more very specific loadbalancing stuff and this is the most easy one as it's only webserver forward, but IPA/Kerberos has an issue with the principal it seems... it cannot be hard to make that accepted I would say.
>
> If you insist on Kerberos servers behind a load balancer... you will need to somehow share the Kerberos key among all servers. I will defer that to Kerberos experts here.
>
>> I'm still looking for solutions :)
>
> Sure, but you will save a lot of time and nerves if you simply call 'ipa' command :-)
>
> Have a nice day!
>
> Petr^2 Spacek
>
>> Cheers,
>>
>> Matt
>>
>> 2015-03-31 15:58 GMT+02:00 Petr Spacek <pspa...@redhat.com>:
>>> On 31.3.2015 15:23, Matt . wrote:
>>>> Hi Petr,
>>>>
>>>> We discussed that before indeed, but SRV is not usable in this case.
>>>>
>>>> My clients are just webservers (apache) doing some executes of CURL commands to ipa/json, actually the same commands as the webgui does using json, but we curl it.
>>>>
>>>> Do you have a better view now ?
>>>
>>> Yes. If you have seen the previous discussion then you know that it will be pretty difficult to do this kind of load balancing.
>>>
>>> Why are you not using 'ipa' command or Python API we have instead? Why use CURL and make things more complex?
>>>
>>> Petr^2 Spacek
>>>
>>>> 2015-03-31 15:03 GMT+02:00 Petr Spacek <pspa...@redhat.com>:
>>>>> On 31.3.2015 14:35, Matt . wrote:
>>>>>> Hi Petr,
>>>>>>
>>>>>> As this is not my topic it's for me quite simple. I need to post to /ipa/json through a loadbalancer, nothing more.
>>>>>>
>>>>>> I have ldap-01.domain.tld (ipa1) ldap-01.domain.tld (ipa2) and my loadbalancer is ldap.domain.tld
>>>>>>
>>>>>> ldap requests over a loadbalancer are quite simple and working, but the json part is more difficult because of the ticket and the dns name.
>>>>>>
>>>>>> I have added a san ldap.domain.tld to the webgui and there is a http/ldap.domain.tld service on the ipa server.
>>>>>>
>>>>>> I get a nonvalid kerberos ticket when I go through ldap.domain.tld to ldap-01.domain.tld, but when I change my script to ldap-01.domain.tld after it failed my ticket is OK for ldap-01.domain.tld and works.
>>>>>>
>>>>>> Is this enough information for you ?
>>>>>
>>>>> Well, I still do not understand the use case. What are your clients? Are you using 'ipa' command to do something? Or some other clients?
>>>>>
>>>>> Usually the best thing is to use DNS SRV records because it works even with geographically distributed clusters and does not have a single point of failure (the load balancer). This requires clients with support for DNS SRV but if your machines are using SSSD then you do not need to change anything and it should just work.
>>>>>
>>>>> That is why I'm asking for the use case :-)
>>>>>
>>>>> Petr^2 Spacek
>>>>>
>>>>>> 2015-03-31 14:21 GMT+02:00 Petr Spacek <pspa...@redhat.com>:
>>>>>>> On 31.3.2015 14:02, Matt . wrote:
>>>>>>>> Hi Prashant,
>>>>>>>>
>>>>>>>> Check my mailings about it, it's not easy, at least the kerberos part isn't; SRV records are used for that normally.
>>>>>>>>
>>>>>>>> Are you talking about the webgui or the ldap part ?
>>>>>>>
>>>>>>> I would recommend you to step back and describe the use case you have in mind. It is important for us to understand your use case to propose an optimal solution.
>>>>>>>
>>>>>>> Petr^2 Spacek
>>>>>>>
>>>>>>>> Cheers,
>>>>>>>>
>>>>>>>> Matt
Re: [Freeipa-users] freeipa behind a load balancer
On Tue, 2015-03-31 at 11:07 -0400, Dmitri Pal wrote:
> On 03/31/2015 10:38 AM, Matt . wrote:
>> True, but we have some extra layer between which makes the cli command not usable (at least for the moment).
>>
>> I already know how to share the keys among all servers, that works fine, IPA/Apache/Kerberos only doesn't like the other hostname (loadbalancer), or the client doesn't understand it.
>>
>> So fixing this saves me really much more time than doing it another way.
>
> Kerberos is not load balancer friendly. It is something that is a known property of Kerberos. I remember MIT mentioning something that they did or might do to help with that so it might make sense to ask this question on the MIT Kerberos user list.
>
>> Thanks!
>>
>> Matt
>>
>> 2015-03-31 16:24 GMT+02:00 Petr Spacek <pspa...@redhat.com>:
>>> On 31.3.2015 16:10, Matt . wrote:
>>>> Hi Petr,
>>>>
>>>> We had several reasons why we did that. We wanted to use one language for that, and also have formatted returns. There was also some security issue which came up.
>>>
>>> I would be very interested in the security reason. If you see any problem with 'ipa' command or FreeIPA API please send me a private e-mail or contact secal...@redhat.com directly.
>>>
>>>> I could ask you, why does IPA json itself ? if you see what it posts and what it gets back as result it makes it much more clear in development.
>>>
>>> I do not understand the question, sorry. If you want to see what 'ipa' command does run it with '-vv' parameter:
>>>
>>> $ ipa -vv user-find
>>>
>>> It will print JSON request and reply:
>>>
>>> ipa: INFO: Request: {
>>>     "id": 0,
>>>     "method": "user_find",
>>>     "params": [
>>>         [
>>>             null
>>>         ],
>>>         {
>>>             "all": false,
>>>             "no_members": false,
>>>             "pkey_only": false,
>>>             "raw": false,
>>>             "version": "2.115",
>>>             "whoami": false
>>>         }
>>>     ]
>>> }
>>> ipa: INFO: Response: {
>>>     "error": null,
>>>     "id": 0,
>>>     "principal": "admin@IPA.EXAMPLE",
>>>     "result": {
>>>         "count": 2,
>>>         "result": [
>>>             {
>>>                 "dn": "uid=admin,cn=users,cn=accounts,dc=ipa,dc=example",
>>>                 "gidnumber": [
>>>                     "138100"
>>>                 ],
>>> ...
>>>
>>>> HTTP loadbalancing is not difficult at all, as we post to the webserver I need to have that part only auth right. We do more very specific loadbalancing stuff and this is the most easy one as it's only webserver forward, but IPA/Kerberos has an issue with the principal it seems... it cannot be hard to make that accepted I would say.
>>>
>>> If you insist on Kerberos servers behind a load balancer... you will need to somehow share the Kerberos key among all servers. I will defer that to Kerberos experts here.
>>>
>>>> I'm still looking for solutions :)
>>>
>>> Sure, but you will save a lot of time and nerves if you simply call 'ipa' command :-)
>>>
>>> Have a nice day!
>>>
>>> Petr^2 Spacek
>>>
>>>> Cheers,
>>>>
>>>> Matt
>>>>
>>>> 2015-03-31 15:58 GMT+02:00 Petr Spacek <pspa...@redhat.com>:
>>>>> On 31.3.2015 15:23, Matt . wrote:
>>>>>> Hi Petr,
>>>>>>
>>>>>> We discussed that before indeed, but SRV is not usable in this case.
>>>>>>
>>>>>> My clients are just webservers (apache) doing some executes of CURL commands to ipa/json, actually the same commands as the webgui does using json, but we curl it.
>>>>>>
>>>>>> Do you have a better view now ?
>>>>>
>>>>> Yes. If you have seen the previous discussion then you know that it will be pretty difficult to do this kind of load balancing.
>>>>>
>>>>> Why are you not using 'ipa' command or Python API we have instead? Why use CURL and make things more complex?
>>>>>
>>>>> Petr^2 Spacek
>>>>>
>>>>>> 2015-03-31 15:03 GMT+02:00 Petr Spacek <pspa...@redhat.com>:
>>>>>>> On 31.3.2015 14:35, Matt . wrote:
>>>>>>>> Hi Petr,
>>>>>>>>
>>>>>>>> As this is not my topic it's for me quite simple. I need to post to /ipa/json through a loadbalancer, nothing more.
>>>>>>>>
>>>>>>>> I have ldap-01.domain.tld (ipa1) ldap-01.domain.tld (ipa2) and my loadbalancer is ldap.domain.tld
>>>>>>>>
>>>>>>>> ldap requests over a loadbalancer are quite simple and working, but the json part is more difficult because of the ticket and the dns name.
>>>>>>>>
>>>>>>>> I have added a san ldap.domain.tld to the webgui and there is a http/ldap.domain.tld service on the ipa server.
>>>>>>>>
>>>>>>>> I get a nonvalid kerberos ticket when I go through ldap.domain.tld to ldap-01.domain.tld, but when I change my script to ldap-01.domain.tld after it failed my ticket is OK for ldap-01.domain.tld and works.
>>>>>>>>
>>>>>>>> Is this enough information for you ?
>>>>>>>
>>>>>>> Well, I still do not understand the use case. What are your clients? Are you using 'ipa' command to do something? Or some other clients?
>>>>>>>
>>>>>>> Usually the best thing is to use DNS SRV records because it works even with geographically distributed clusters and does not have a single point of failure (the load balancer). This requires clients with support for DNS SRV but if your machines are using SSSD then you do not need to change anything and it should just work.
Re: [Freeipa-users] freeipa behind a load balancer
Just the web UI.

Thanks.
--Prashant

On Mar 31, 2015 5:32 PM, Matt . <yamakasi@gmail.com> wrote:
> Hi Prashant,
>
> Check my mailings about it, it's not easy, at least the kerberos part isn't; SRV records are used for that normally.
>
> Are you talking about the webgui or the ldap part ?
>
> Cheers,
>
> Matt
>
> 2015-03-31 13:56 GMT+02:00 Prashant Bapat <prash...@apigee.com>:
>> Hi,
>>
>> I'm trying to get 2 FreeIPA servers in a replicated mode behind a load balancer, specifically Amazon ELB.
>>
>> I started with editing the /etc/httpd/conf.d/ipa-rewrite.conf but looks like there is more to it than just this file.
>>
>> Any suggestions ?
>>
>> Thanks.
>> --Prashant
Re: [Freeipa-users] Troubleshooting SSO
On Tue, Mar 31, 2015 at 10:02:37AM -0400, Gould, Joshua wrote:
> Klist in Windows showed one ticket for the IPA domain.
>
> #0 Client: adm-faru03 @ test.osuwmc
>    Server: krbtgt/UNIX.TEST.OSUWMC @ TEST.OSUWMC
>    KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
>    Ticket Flags 0x40a4 - forwardable renewable pre_authent ok_as_delegate
>    Start Time: 3/31/2015: 9:29:25 (local)
>    End Time: 3/31/2015: 15:28:22 (local)
>    Session Key Type: AES-256-CTS-HMAC-SHA1-96

This means that you do not have a ticket for the IPA client. Please make sure you use 'mid-ipa-vp01.unix.test.osuwmc' as hostname with putty.

Since the AD DC gave you the cross-realm TGT (the ticket you've shown above) I would expect that your Windows client has issues resolving a KDC in the IPA domain. Please check on the Windows client with the nslookup utility that DNS SRV records like _kerberos._tcp.dc._msdcs.unix.test.osuwmc and _kerberos._tcp.unix.test.osuwmc can be resolved.

> IPA and SSSD are:
>
> ipa-server.x86_64 4.1.0-18.el7_1.3
> sssd.x86_64 1.12.2-58.el7_1.6.1
>
> Kinit adm-faru03@TEST.OSUWMC was telling. Once it reported "kinit: KDC reply did not match expectations while getting initial credentials". We waited a minute or two (were discussing results) and tried again just adding the -V flag and it worked.
>
> Kvno host/mid-ipa-vp01.unix.test.osu...@unix.test.OSUWMC = 2
>
> Verbose logging in putty gave the following error:

Which errors do you see when using ssh in the IPA client after calling kinit? Or is it working in this case?

bye,
Sumit

> On 3/31/15, 3:30 AM, Sumit Bose sb...@redhat.com wrote:
>> Can you do the following checks:
>>
>> Can you check by calling klist in a Windows Command window if you got a proper host/... ticket for the IPA host?
>>
>> What version of IPA and SSSD are you using.
>>
>> Can you check if the following works on an IPA host:
>>
>> kinit adm-faru03@TEST.OSUWMC
>> kvno host/name.of.the.ipa-client.to.login@IPA.REALM
>> ssh -v -l adm-faru03@test.osuwmc name.of.the.ipa-client.to.login
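The triage Sumit describes above (cross-realm TGT present, host/ ticket absent, so look at SRV resolution) can be automated from the `klist` output; the following is an added example, not code from the thread or from FreeIPA/SSSD. It parses the Client:/Server: pairs a Windows `klist` prints, tells a cross-realm TGT apart from the host/ service ticket sshd on the IPA client actually needs, decodes the ticket flag word (RFC 4120 bit numbers; taking the 16-bit value shown in the thread as the high half of the flag word is an assumption), and lists the SRV names to look up. The two klist listings are constructed for the example; the host and realm names follow the thread.

```python
import re
from dataclasses import dataclass
from typing import List

# RFC 4120 TicketFlags bit numbers; bit 0 is the most significant bit of the word.
TICKET_FLAG_BITS = {
    1: "forwardable", 2: "forwarded", 3: "proxiable", 4: "proxy",
    5: "may_postdate", 6: "postdated", 7: "invalid", 8: "renewable",
    9: "initial", 10: "pre_authent", 11: "hw_authent",
    12: "transited_policy_checked", 13: "ok_as_delegate",
}

_CLIENT_RE = re.compile(r"Client:\s*(\S+)\s*@\s*(\S+)")
_SERVER_RE = re.compile(r"Server:\s*(\S+)\s*@\s*(\S+)")

# Constructed sample: what the thread describes, only the cross-realm TGT from AD.
KLIST_BEFORE = """\
#0> Client: adm-faru03 @ TEST.OSUWMC
    Server: krbtgt/UNIX.TEST.OSUWMC @ TEST.OSUWMC
    KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
    Ticket Flags 0x40a4 -> forwardable renewable pre_authent ok_as_delegate
"""

# Constructed sample: the IPA KDC was reached and issued the host/ ticket.
KLIST_AFTER = KLIST_BEFORE + """\
#1> Client: adm-faru03 @ TEST.OSUWMC
    Server: host/mid-ipa-vp01.unix.test.osuwmc @ UNIX.TEST.OSUWMC
    KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
"""


@dataclass
class Ticket:
    client: str   # e.g. "adm-faru03@TEST.OSUWMC"
    service: str  # e.g. "krbtgt/UNIX.TEST.OSUWMC" or "host/mid-ipa-vp01.unix.test.osuwmc"
    realm: str    # realm whose KDC issued the ticket

    def is_cross_realm_tgt(self) -> bool:
        # krbtgt/<other realm>@<home realm> is what a DC hands out for a trusted realm.
        return self.service.startswith("krbtgt/") and self.service[7:].upper() != self.realm.upper()


def parse_klist(text: str) -> List[Ticket]:
    """Collect the Client:/Server: pairs from Windows klist output."""
    tickets, client = [], None
    for line in text.splitlines():
        m = _CLIENT_RE.search(line)
        if m:
            client = f"{m.group(1)}@{m.group(2)}"
            continue
        m = _SERVER_RE.search(line)
        if m and client is not None:
            tickets.append(Ticket(client, m.group(1), m.group(2)))
    return tickets


def decode_ticket_flags(value: int) -> List[str]:
    """Name the set TicketFlags; a 16-bit value is treated as the high half of the word (assumption)."""
    if value <= 0xFFFF:
        value <<= 16
    return [name for bit, name in sorted(TICKET_FLAG_BITS.items()) if value & (1 << (31 - bit))]


def diagnose_sso(tickets: List[Ticket], host_fqdn: str, ipa_realm: str) -> str:
    """Classify the state of an SSO attempt against the IPA client host_fqdn in ipa_realm."""
    want = f"host/{host_fqdn.lower()}"
    if any(t.service.lower() == want and t.realm.upper() == ipa_realm.upper() for t in tickets):
        return "ok"  # service ticket for the IPA client is in the cache
    if any(t.is_cross_realm_tgt() and t.service[7:].upper() == ipa_realm.upper() for t in tickets):
        # AD issued the cross-realm TGT but it was never exchanged at an IPA KDC:
        # the client most likely cannot find one, so check the SRV records next.
        return "no-host-ticket"
    return "no-cross-realm-tgt"  # the trust path was not even started


def srv_names_to_check(ipa_domain: str) -> List[str]:
    """SRV names a Windows client resolves to locate a KDC for the IPA domain."""
    return [f"_kerberos._tcp.dc._msdcs.{ipa_domain}", f"_kerberos._tcp.{ipa_domain}"]


if __name__ == "__main__":
    host, realm = "mid-ipa-vp01.unix.test.osuwmc", "UNIX.TEST.OSUWMC"
    for label, listing in (("before", KLIST_BEFORE), ("after", KLIST_AFTER)):
        print(label, diagnose_sso(parse_klist(listing), host, realm))
    print(decode_ticket_flags(0x40A4))
    print(srv_names_to_check("unix.test.osuwmc"))
```

The check is deliberately realm-aware: a host/ ticket issued by the wrong realm, or for a short hostname rather than the FQDN PuTTY was given, counts as missing, which is the mismatch Sumit is asking Joshua to rule out.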
Re: [Freeipa-users] freeipa behind a load balancer
HI Petr, We had a several of reasons why we did that. We wanted to use one language for that, and also have formatted returns. There was also some security issue which came up. I could ask you, why does IPA json itself ? if you see what it posts and what it gets back as result it makes it much more clear in development. HTTP loadbalancing is not difficult at all, as we post to the webserver I need to have that part only auth right. We do more very specific loadbalancing stuff and this is the most easy one as it's only webserver forward, but IPA/Kerberos has an issue with the principal it seems... it cannot be hard to make that accepted I would say. I'm still looking for solutions :) Cheers, Matt 2015-03-31 15:58 GMT+02:00 Petr Spacek pspa...@redhat.com: On 31.3.2015 15:23, Matt . wrote: Hi Petr, We discussed that before indeed, but SRV is not usable in this case. My clients are just webservers (apache) doing some executes of CURL commands to ipa/json, actually the same commands as the webgui does using json, but we curl it. Do you have a better view now ? Yes. If you have seen the previous discussion then you know that it will be pretty difficult to do this kind of load balancing. Why are you not using 'ipa' command or Python API we have instead? Why to use CURL and make things more complex? Petr^2 Spacek 2015-03-31 15:03 GMT+02:00 Petr Spacek pspa...@redhat.com: On 31.3.2015 14:35, Matt . wrote: Hi Petr, As this is not my topic it's for me quite simple. I need to post to /ipa/json through a loadbalancer, nothing more. i have ldap-01.domain.tld (ipa1) ldap-01.domain.tld (ipa2) and my loadbalancer is ldap.domain.tld ldap requests over a loadbalancer are quite simple and working, but the json part is more difficult because of the ticket and the dns name. I have added a san ldap.domain.tld to the webgui and there is a http/ldap.domain.tld service on the ipa server. 
I get a nonvalid kerberos ticket when I go through ldap.domain.tld to ldap-01.domain.tld, but when I change my script to ldap-01.domain.tld after it failed my ticket is OK for ldap-01.domain.tld and works. Is this enough information for you ? Well, I still do not understand the use case. What are your clients? Are you using 'ipa' command to do something? Or some other clients? Usually the best thing is to use DNS SRV records because it works even with geographically distributed clusters and does not have single point of failure (the load balancer). This requires clients with support for DNS SRV but if your machines are using SSSD then you do not need to change anything and it should just work. That is why I'm asking for the use case :-) Petr^2 Spacek 2015-03-31 14:21 GMT+02:00 Petr Spacek pspa...@redhat.com: On 31.3.2015 14:02, Matt . wrote: HI Phasant, Check my mailings about it, it's not easy at least the kerberos part not, SRV records are used for that normally. Are you talking about the webgui or the ldap part ? I would recommend you to step back and describe use-case you have in mind. It is important for us to understand to your use-case to propose optimal solution. Petr^2 Spacek Cheers, Matt 2015-03-31 13:56 GMT+02:00 Prashant Bapat prash...@apigee.com: Hi, I'm trying to get 2 FreeIPA servers in a replicated mode behind a load balancer, specifically Amazon ELB. I started with editing the /etc/httpd/conf.d/ipa-rewrite.conf but looks like there is more to it than just this file. Any suggestions ? Thanks. --Prashant -- Petr Spacek @ Red Hat -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] freeipa behind a load balancer
On 31.3.2015 16:10, Matt . wrote:
> Hi Petr,
>
> We had several reasons why we did that. We wanted to use one language for that, and also have formatted returns. There was also some security issue which came up.

I would be very interested in the security reason. If you see any problem with 'ipa' command or FreeIPA API please send me a private e-mail or contact secal...@redhat.com directly.

> I could ask you, why does IPA json itself ? if you see what it posts and what it gets back as result it makes it much more clear in development.

I do not understand the question, sorry.

If you want to see what 'ipa' command does run it with '-vv' parameter:

$ ipa -vv user-find

It will print JSON request and reply:

ipa: INFO: Request: {
    "id": 0,
    "method": "user_find",
    "params": [
        [
            null
        ],
        {
            "all": false,
            "no_members": false,
            "pkey_only": false,
            "raw": false,
            "version": "2.115",
            "whoami": false
        }
    ]
}
ipa: INFO: Response: {
    "error": null,
    "id": 0,
    "principal": "admin@IPA.EXAMPLE",
    "result": {
        "count": 2,
        "result": [
            {
                "dn": "uid=admin,cn=users,cn=accounts,dc=ipa,dc=example",
                "gidnumber": [
                    "138100"
                ],
...

> HTTP loadbalancing is not difficult at all, as we post to the webserver I need to have that part only auth right.
>
> We do more very specific loadbalancing stuff and this is the most easy one as it's only webserver forward, but IPA/Kerberos has an issue with the principal it seems... it cannot be hard to make that accepted I would say.

If you insist on Kerberos servers behind a load balancer... you will need to somehow share the Kerberos key among all servers. I will defer that to Kerberos experts here.

> I'm still looking for solutions :)

Sure, but you will save a lot of time and nerves if you simply call 'ipa' command :-)

Have a nice day!

Petr^2 Spacek

> Cheers,
>
> Matt
>
> 2015-03-31 15:58 GMT+02:00 Petr Spacek pspa...@redhat.com:
>> On 31.3.2015 15:23, Matt . wrote:
>>> Hi Petr,
>>>
>>> We discussed that before indeed, but SRV is not usable in this case.
>>>
>>> My clients are just webservers (apache) doing some executes of CURL commands to ipa/json, actually the same commands as the webgui does using json, but we curl it.
>>>
>>> Do you have a better view now ?
>>
>> Yes. If you have seen the previous discussion then you know that it will be pretty difficult to do this kind of load balancing.
>>
>> Why are you not using 'ipa' command or Python API we have instead? Why to use CURL and make things more complex?
>>
>> Petr^2 Spacek
>>
>>> 2015-03-31 15:03 GMT+02:00 Petr Spacek pspa...@redhat.com:
>>>> On 31.3.2015 14:35, Matt . wrote:
>>>>> Hi Petr,
>>>>>
>>>>> As this is not my topic it's for me quite simple.
>>>>>
>>>>> I need to post to /ipa/json through a loadbalancer, nothing more.
>>>>>
>>>>> i have ldap-01.domain.tld (ipa1) ldap-01.domain.tld (ipa2) and my loadbalancer is ldap.domain.tld
>>>>>
>>>>> ldap requests over a loadbalancer are quite simple and working, but the json part is more difficult because of the ticket and the dns name.
>>>>>
>>>>> I have added a san ldap.domain.tld to the webgui and there is a http/ldap.domain.tld service on the ipa server.
>>>>>
>>>>> I get a nonvalid kerberos ticket when I go through ldap.domain.tld to ldap-01.domain.tld, but when I change my script to ldap-01.domain.tld after it failed my ticket is OK for ldap-01.domain.tld and works.
>>>>>
>>>>> Is this enough information for you ?
>>>>
>>>> Well, I still do not understand the use case. What are your clients? Are you using 'ipa' command to do something? Or some other clients?
>>>>
>>>> Usually the best thing is to use DNS SRV records because it works even with geographically distributed clusters and does not have single point of failure (the load balancer). This requires clients with support for DNS SRV but if your machines are using SSSD then you do not need to change anything and it should just work.
>>>>
>>>> That is why I'm asking for the use case :-)
>>>>
>>>> Petr^2 Spacek
>>>>
>>>>> 2015-03-31 14:21 GMT+02:00 Petr Spacek pspa...@redhat.com:
>>>>>> On 31.3.2015 14:02, Matt . wrote:
>>>>>>> Hi Prashant,
>>>>>>>
>>>>>>> Check my mailings about it, it's not easy, at least the kerberos part not; SRV records are used for that normally.
>>>>>>>
>>>>>>> Are you talking about the webgui or the ldap part ?
>>>>>>
>>>>>> I would recommend you to step back and describe the use-case you have in mind. It is important for us to understand your use-case to propose an optimal solution.
>>>>>>
>>>>>> Petr^2 Spacek
>>>>>>
>>>>>>> Cheers,
>>>>>>>
>>>>>>> Matt
>>>>>>>
>>>>>>> 2015-03-31 13:56 GMT+02:00 Prashant Bapat prash...@apigee.com:
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> I'm trying to get 2 FreeIPA servers in a replicated mode behind a load balancer, specifically Amazon ELB. I started with editing the /etc/httpd/conf.d/ipa-rewrite.conf but looks like there is more to it than just this file.
>>>>>>>>
>>>>>>>> Any suggestions ?
>>>>>>>>
>>>>>>>> Thanks.
>>>>>>>> --Prashant
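Petr's remark above that Kerberos servers behind a load balancer need the key shared among all backends is the crux of Matt's "nonvalid ticket": the client asks its KDC for a ticket for the principal derived from the URL host (HTTP/ldap.domain.tld@REALM), the balancer hands the request to an arbitrary backend, and a backend without that key at the same key version cannot decrypt the ticket. The following added example (not code from the thread or from FreeIPA) is a pre-flight check an operator can run over `klist -k` listings collected from each backend. The listings are constructed; the hostnames follow the thread, with a second backend named ldap-02.domain.tld and the realm DOMAIN.TLD assumed for the example.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# One line of `klist -k` output: "   2 HTTP/host@REALM"
_KEYTAB_LINE = re.compile(r"^\s*(\d+)\s+(\S+@\S+)\s*$")

# Constructed sample: the shared HTTP/ldap.domain.tld key exists only on
# ldap-01, so every request the balancer forwards to ldap-02 fails GSSAPI.
BACKEND_KEYTABS = {
    "ldap-01.domain.tld": """\
Keytab name: FILE:/path/to/http.keytab
KVNO Principal
---- ------------------------------------------
   2 HTTP/ldap-01.domain.tld@DOMAIN.TLD
   2 HTTP/ldap.domain.tld@DOMAIN.TLD
""",
    "ldap-02.domain.tld": """\
Keytab name: FILE:/path/to/http.keytab
KVNO Principal
---- ------------------------------------------
   2 HTTP/ldap-02.domain.tld@DOMAIN.TLD
""",
}


def expected_http_principal(url: str, realm: str) -> str:
    """Service principal a GSSAPI/SPNEGO client derives from the URL host
    (assumes the client does not canonicalize the name via reverse DNS)."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no host in {url!r}")
    return f"HTTP/{host.lower()}@{realm}"


def parse_klist_k(text: str) -> List[Tuple[int, str]]:
    """Extract (kvno, principal) pairs from `klist -k` output."""
    entries = []
    for line in text.splitlines():
        m = _KEYTAB_LINE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2)))
    return entries


def check_backends(principal: str, keytabs: Dict[str, str]) -> Dict[str, object]:
    """Report backends that lack the principal and whether key versions agree.

    A matching kvno is necessary, not sufficient: the key bytes must be the
    same on every backend, so the keytab entry has to be copied between hosts
    rather than fetched separately per host (a fresh ipa-getkeytab run
    generates a new key and invalidates the copy the other backend holds)."""
    kvno_by_host: Dict[str, int] = {}
    missing: List[str] = []
    for host, listing in keytabs.items():
        versions = {kvno for kvno, p in parse_klist_k(listing) if p == principal}
        if versions:
            kvno_by_host[host] = max(versions)
        else:
            missing.append(host)
    return {
        "principal": principal,
        "missing": sorted(missing),
        "kvno": kvno_by_host,
        "kvno_consistent": len(set(kvno_by_host.values())) <= 1,
    }


if __name__ == "__main__":
    spn = expected_http_principal("https://ldap.domain.tld/ipa/json", "DOMAIN.TLD")
    print(check_backends(spn, BACKEND_KEYTABS))
```

Run it against real listings after fixing the keytabs: an empty `missing` list and `kvno_consistent` true mean the balancer can send a ticket to any backend, while the per-host `kvno` map shows at a glance which host was re-keyed if the versions drift apart. If `rdns` is enabled in krb5.conf the client may instead request the principal for the balancer's reverse DNS name, in which case that name is the one to pass in.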
Re: [Freeipa-users] Troubleshooting SSO
Putty error was:

Event Log: GSSAPI authentication initialisation failed
Event Log: No authority could be contacted for authentication. The domain name of the authenticating party could be wrong, the domain could be unreachable, or there might have been a trust relationship failure.

On 3/31/15, 10:02 AM, Gould, Joshua joshua.go...@osumc.edu wrote:
> Klist in Windows showed one ticket for the IPA domain.
>
> #0 Client: adm-faru03 @ test.osuwmc
>    Server: krbtgt/UNIX.TEST.OSUWMC @ TEST.OSUWMC
>    KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
>    Ticket Flags 0x40a4 - forwardable renewable pre_authent ok_as_delegate
>    Start Time: 3/31/2015: 9:29:25 (local)
>    End Time: 3/31/2015: 15:28:22 (local)
>    Session Key Type: AES-256-CTS-HMAC-SHA1-96
>
> IPA and SSSD are:
>
> ipa-server.x86_64 4.1.0-18.el7_1.3
> sssd.x86_64 1.12.2-58.el7_1.6.1
>
> Kinit adm-faru03@TEST.OSUWMC was telling. Once it reported "kinit: KDC reply did not match expectations while getting initial credentials". We waited a minute or two (were discussing results) and tried again just adding the -V flag and it worked.
>
> Kvno host/mid-ipa-vp01.unix.test.osu...@unix.test.OSUWMC = 2
>
> Verbose logging in putty gave the following error:
>
> On 3/31/15, 3:30 AM, Sumit Bose sb...@redhat.com wrote:
>> Can you do the following checks:
>>
>> Can you check by calling klist in a Windows Command window if you got a proper host/... ticket for the IPA host?
>>
>> What version of IPA and SSSD are you using.
>>
>> Can you check if the following works on an IPA host:
>>
>> kinit adm-faru03@TEST.OSUWMC
>> kvno host/name.of.the.ipa-client.to.login@IPA.REALM
>> ssh -v -l adm-faru03@test.osuwmc name.of.the.ipa-client.to.login
Re: [Freeipa-users] Migration mode fun and confusion
Dmitri Pal wrote:
> On 03/31/2015 09:38 AM, Janelle wrote:
>> Hello again,
>>
>> Is this a feature or a bug?
>>
>> Migration mode - works fine the first time. However, if you need to run it a second time because someone added either new users or groups to your LDAP config and you want to bring those over, if you re-run migration, it indeed brings all the new users over, but NOT their secondary groups, only primary. And even if you have overwrite of the GID option set.
>>
>> Would this be expected for some reason that I may be missing, or is it a bug?
>>
>> Thank you
>> ~J
>
> Let me know if I get you right.
>
> Setup:
> - Old LDAP server
> - IPA
>
> Users are migrated from LDAP to IPA using migrate-ds. Everything works as expected.
>
> Now you add users to LDAP and put them into some groups (that had already been migrated the first time, right?)
>
> You run migrate-ds again and the new users are migrated but group membership is lost.
>
> Is this the scenario? If yes, looks like a bug.

I agree. IIRC it only looks at new entries, not at changes to existing entries (this is migration after all, not sync). Changes in group membership are overlooked.

Bringing in new users and looking up their groups probably wouldn't be a big deal. Re-syncing all group memberships would likely be VERY expensive.

rob
Re: [Freeipa-users] freeipa behind a load balancer
On 03/31/2015 10:38 AM, Matt . wrote: True, but we have some extra later between which does the cli command not usable (at least for the moment) I already know how to share the key's among all servers, that works fine, IPA/Apache/Kerberos only doesn't like the other hostname (loadbalancer), or the client doesn't understand it. So fixing this saves me really much more time than doing the another way. Kerberos is not load balancer friendly. It is something that is a known property of Kerberos. I remember MIT mentioning something that they did or might do to help with that so it might make sense to ask this question on the MIT Kerberos user list. Thanks! Matt 2015-03-31 16:24 GMT+02:00 Petr Spacek pspa...@redhat.com: On 31.3.2015 16:10, Matt . wrote: HI Petr, We had a several of reasons why we did that. We wanted to use one language for that, and also have formatted returns. There was also some security issue which came up. I would be very interested in the security reason. If you see any problem with 'ipa' command or FreeIPA API please send me a private e-mail or contact secal...@redhat.com directly. I could ask you, why does IPA json itself ? if you see what it posts and what it gets back as result it makes it much more clear in development. I do not understand the question, sorry. If you want to see what 'ipa' command does run it with '-vv' parameter: $ ipa -vv user-find It will print JSON request and reply: ipa: INFO: Request: { id: 0, method: user_find, params: [ [ null ], { all: false, no_members: false, pkey_only: false, raw: false, version: 2.115, whoami: false } ] } ipa: INFO: Response: { error: null, id: 0, principal: admin@IPA.EXAMPLE, result: { count: 2, result: [ { dn: uid=admin,cn=users,cn=accounts,dc=ipa,dc=example, gidnumber: [ 138100 ], ... HTTP loadbalancing is not difficult at all, as we post to the webserver I need to have that part only auth right. 
We do more very specific loadbalancing stuff and this is the most easy one as it's only webserver forward, but IPA/Kerberos has an issue with the principal it seems... it cannot be hard to make that accepted I would say. If you insist on Kerberos servers behind a load balancer... you will need to somehow share the Kerberos key among all servers. I will defer that to Kerberos experts here. I'm still looking for solutions :) Sure, but you will save a lot of time and nerves if you simply call 'ipa' command :-) Have a nice day! Petr^2 Spacek Cheers, Matt 2015-03-31 15:58 GMT+02:00 Petr Spacek pspa...@redhat.com: On 31.3.2015 15:23, Matt . wrote: Hi Petr, We discussed that before indeed, but SRV is not usable in this case. My clients are just webservers (apache) doing some executes of CURL commands to ipa/json, actually the same commands as the webgui does using json, but we curl it. Do you have a better view now ? Yes. If you have seen the previous discussion then you know that it will be pretty difficult to do this kind of load balancing. Why are you not using 'ipa' command or Python API we have instead? Why to use CURL and make things more complex? Petr^2 Spacek 2015-03-31 15:03 GMT+02:00 Petr Spacek pspa...@redhat.com: On 31.3.2015 14:35, Matt . wrote: Hi Petr, As this is not my topic it's for me quite simple. I need to post to /ipa/json through a loadbalancer, nothing more. i have ldap-01.domain.tld (ipa1) ldap-01.domain.tld (ipa2) and my loadbalancer is ldap.domain.tld ldap requests over a loadbalancer are quite simple and working, but the json part is more difficult because of the ticket and the dns name. I have added a san ldap.domain.tld to the webgui and there is a http/ldap.domain.tld service on the ipa server. I get a nonvalid kerberos ticket when I go through ldap.domain.tld to ldap-01.domain.tld, but when I change my script to ldap-01.domain.tld after it failed my ticket is OK for ldap-01.domain.tld and works. Is this enough information for you ? 
Well, I still do not understand the use case. What are your clients? Are you using 'ipa' command to do something? Or some other clients? Usually the best thing is to use DNS SRV records because it works even with geographically distributed clusters and does not have single point of failure (the load balancer). This requires clients with support for DNS SRV but if your machines are using SSSD then you do not need to change anything and it should just work. That is why I'm asking for the use case :-) Petr^2 Spacek 2015-03-31 14:21 GMT+02:00 Petr Spacek pspa...@redhat.com: On 31.3.2015 14:02, Matt . wrote: HI Phasant, Check my mailings about it, it's not easy at least the kerberos part not, SRV records are used for that normally. Are you talking about the
Re: [Freeipa-users] Migration mode fun and confusion
On 03/31/2015 10:50 AM, Janelle wrote:
> On 3/31/15 6:49 AM, Dmitri Pal wrote:
>> On 03/31/2015 09:38 AM, Janelle wrote:
>>> Hello again,
>>>
>>> Is this a feature or a bug?
>>>
>>> Migration mode - works fine the first time. However, if you need to run it a second time because someone added either new users or groups to your LDAP config and you want to bring those over, if you re-run migration, it indeed brings all the new users over, but NOT their secondary groups, only primary. And even if you have overwrite of the GID option set.
>>>
>>> Would this be expected for some reason that I may be missing, or is it a bug?
>>>
>>> Thank you
>>> ~J
>>
>> Let me know if I get you right.
>
> That's it exactly. Ok - Bug.

Looks like it. You know what to do :-) :-)

>> Setup:
>> - Old LDAP server
>> - IPA
>>
>> Users are migrated from LDAP to IPA using migrate-ds. Everything works as expected.
>>
>> Now you add users to LDAP and put them into some groups (that had already been migrated the first time, right?)
>>
>> You run migrate-ds again and the new users are migrated but group membership is lost.
>>
>> Is this the scenario? If yes, looks like a bug.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Re: [Freeipa-users] freeipa 4.x packages for RHEL?
FreeIPA 4 is currently available in RHEL 7.1.

Josh

From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Steve Neuharth
Sent: Tuesday, March 31, 2015 10:02 AM
To: freeipa-users@redhat.com
Subject: [Freeipa-users] freeipa 4.x packages for RHEL?

Hello,

We're currently running RHEL in production and would love to be using all the goodness that is FreeIPA 4 including certmonger for certificate management. I don't see any mention of 4.x packages available for RHEL in the mailing lists and I have run into problems using the 3.3 client packages on a 4.x realm. When will 4.x packages be available for RHEL?

--steve
Re: [Freeipa-users] nsAccountLock attribute
Hi,

On 1.4.2015 at 07:09, Prashant Bapat wrote:
> Hi ,
>
> Is there a way of making the nsAccountLock attribute (User enable/disable) to be anonymously readable ?
>
> I'm trying to implement a SSH key lookup sshd authorized key command script. Based on this attribute the user will be allowed to login. I need this to be anonymously readable. Tried setting the permissions but it does not work.
>
> Any other ideas on this ?

If your SSH server is a properly configured IPA host (i.e. you had run ipa-client-install or ipa-server-install on it), rejecting locked user login should work automatically, without having to configure anything.

> Thanks for your help.
>
> --Prashant

--
Jan Cholasta
Re: [Freeipa-users] bind-dyndb-ldap vs DLZ
> Hmm, that might be a challenge. bind-dyndb-ldap code implicitly assumes that there is 1:1 mapping between DNS name - LDAP DN. This makes implementation of dynamic updates much easier.

Well, you weren't wrong there. :)

I did try a few different solutions, first letting ARecord/NSRecord trickle in after SOA setup is done. But that did not fit well with some of the checks (diff tests of SOA updates need to be tuples etc., SOA is handled much more strictly), you can't just re-register/update a zone as easily as records... and so on.

In the end, I went for the change where, before calling update_zone(), I query DLZ for the additional information needed for the SOA record, ARecord/NSRecord etc., then tag those onto the entry-attrs list. This fits better with the existing bind-dyndb-ldap framework, and only makes it worse for DLZ users.

In addition to creating src/schema.h - to define the name of the common ldap attributes based on WITH_DLZ_SCHEMA.

Annoyingly, DLZ Schema reuses the generic DNSData for a lot of things, so one large search just overwrote previous attributes - sigh. So, I was forced to do single individual ldap queries for each ARecord/NSRecord/... type, then finally call update_zone().

Some additional mapping for update_record() as well, to map things like DNSIPAddr -> ARecord was needed.

01-Apr-2015 12:09:13.601 ldap_entry_create dn is 'DNSRecord=SOA,DNSHostName=@,DNSZoneName=example.com,ou=dns,dc=test,dc=jp'
01-Apr-2015 12:09:13.601 Attempting to pre-populate zone: dn DNSHostName=@,DNSZoneName=example.com,ou=dns,dc=test,dc=jp
01-Apr-2015 12:09:13.602 Adding 'DNSData' -> 'NSRecord' mapping here
01-Apr-2015 12:09:13.603 Adding 'DNSIPAddr' -> 'ARecord' mapping here
01-Apr-2015 12:09:13.606 fakesoa is 'hostmaster.example.com dns01.example.com. 20081028 3600 300 360 600 '
01-Apr-2015 12:09:13.606 DLZ attrib scam map 'soa' + 'DNSPrimaryNS'
01-Apr-2015 12:09:13.606 dns_rdatatype_fromtext GOOD attr 'NSRecord'
01-Apr-2015 12:09:13.606 Matched 'DNSPrimaryNS' to 'dns01.example.com.'
01-Apr-2015 12:09:13.606 DLZ attrib scam map 'soa' + 'ARecord'
01-Apr-2015 12:09:13.606 ldap_entry_nextrdtype: checking 'ARecord' on dn DNSRecord=SOA,DNSHostName=@,DNSZoneName=example.com,ou=dns,dc=test,dc=jp
01-Apr-2015 12:09:13.606 dns_rdatatype_fromtext GOOD attr 'ARecord'
01-Apr-2015 12:09:13.606 leaving ldap_parse_rrentry
01-Apr-2015 12:09:13.606 make sure we have NS record here?
01-Apr-2015 12:09:13.606 diff.c:185: unexpected error:
01-Apr-2015 12:09:13.606 unexpected non-minimal diff
01-Apr-2015 12:09:13.606 ldap_entry_create dn is 'DNSRecord=A,DNSHostName=pop,DNSZoneName=example.com,ou=dns,dc=test,dc=jp'
01-Apr-2015 12:09:13.607 DLZ attrib scam map 'A' + 'DNSIPAddr'
01-Apr-2015 12:09:13.607 dns_rdatatype_fromtext GOOD attr 'ARecord'
01-Apr-2015 12:09:13.607 Matched 'DNSIPAddr' to '210.157.5.28'
01-Apr-2015 12:09:13.607 zone example.com/IN: loaded serial 1427857753

# dig -p5353 @0 example.com any

; <<>> DiG 9.6-ESV-R8 <<>> -p5353 @0 example.com any
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22383
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;example.com.                   IN      ANY

;; ANSWER SECTION:
example.com.            600     IN      A       210.157.5.35
example.com.            600     IN      NS      dns01.example.com.
example.com.            600     IN      SOA     hostmaster.example.com.example.com. dns01.example.com. 1427857753 3600 300 360 600

Not entirely sure why I trip on the "unexpected non-minimal diff" INSIST. I had to comment it out.

Obviously still very much hack'n'slash, to get a feel for what is involved.

We could also change the schema of course, at least long term.

Lund

--
Jorgen Lundman       | lund...@lundman.net
Unix Administrator   | +81 (0)3 -5456-2687 ext 1017 (work)
Shibuya-ku, Tokyo    | +81 (0)90-5578-8500          (cell)
Japan                | +81 (0)3 -3375-1767          (home)
Re: [Freeipa-users] freeipa behind a load balancer
On Tue, 2015-03-31 at 17:51 +0200, Matt . wrote: Hi Brendan, Yes thanks for your great explanation, I have done that indeed. But in some strange way, with only a 401 in access_log of apache I get a Non valid ticket when I connect through my loadbalancer. I don't go by my loadbalancer but through it (NAT) or should it go by/next to it ? I think we can get this fixed :) Thanks! Matt 2015-03-31 17:41 GMT+02:00 Brendan Kearney bpk...@gmail.com: On Tue, 2015-03-31 at 11:07 -0400, Dmitri Pal wrote: On 03/31/2015 10:38 AM, Matt . wrote: True, but we have some extra later between which does the cli command not usable (at least for the moment) I already know how to share the key's among all servers, that works fine, IPA/Apache/Kerberos only doesn't like the other hostname (loadbalancer), or the client doesn't understand it. So fixing this saves me really much more time than doing the another way. Kerberos is not load balancer friendly. It is something that is a known property of Kerberos. I remember MIT mentioning something that they did or might do to help with that so it might make sense to ask this question on the MIT Kerberos user list. Thanks! Matt 2015-03-31 16:24 GMT+02:00 Petr Spacek pspa...@redhat.com: On 31.3.2015 16:10, Matt . wrote: HI Petr, We had a several of reasons why we did that. We wanted to use one language for that, and also have formatted returns. There was also some security issue which came up. I would be very interested in the security reason. If you see any problem with 'ipa' command or FreeIPA API please send me a private e-mail or contact secal...@redhat.com directly. I could ask you, why does IPA json itself ? if you see what it posts and what it gets back as result it makes it much more clear in development. I do not understand the question, sorry. 
If you want to see what 'ipa' command does run it with '-vv' parameter: $ ipa -vv user-find It will print JSON request and reply: ipa: INFO: Request: { id: 0, method: user_find, params: [ [ null ], { all: false, no_members: false, pkey_only: false, raw: false, version: 2.115, whoami: false } ] } ipa: INFO: Response: { error: null, id: 0, principal: admin@IPA.EXAMPLE, result: { count: 2, result: [ { dn: uid=admin,cn=users,cn=accounts,dc=ipa,dc=example, gidnumber: [ 138100 ], ... HTTP loadbalancing is not difficult at all, as we post to the webserver I need to have that part only auth right. We do more very specific loadbalancing stuff and this is the most easy one as it's only webserver forward, but IPA/Kerberos has an issue with the principal it seems... it cannot be hard to make that accepted I would say. If you insist on Kerberos servers behind a load balancer... you will need to somehow share the Kerberos key among all servers. I will defer that to Kerberos experts here. I'm still looking for solutions :) Sure, but you will save a lot of time and nerves if you simply call 'ipa' command :-) Have a nice day! Petr^2 Spacek Cheers, Matt 2015-03-31 15:58 GMT+02:00 Petr Spacek pspa...@redhat.com: On 31.3.2015 15:23, Matt . wrote: Hi Petr, We discussed that before indeed, but SRV is not usable in this case. My clients are just webservers (apache) doing some executes of CURL commands to ipa/json, actually the same commands as the webgui does using json, but we curl it. Do you have a better view now ? Yes. If you have seen the previous discussion then you know that it will be pretty difficult to do this kind of load balancing. Why are you not using 'ipa' command or Python API we have instead? Why to use CURL and make things more complex? Petr^2 Spacek 2015-03-31 15:03 GMT+02:00 Petr Spacek pspa...@redhat.com: On 31.3.2015 14:35, Matt . wrote: Hi Petr, As this is not my topic it's for me quite simple. I need to post to /ipa/json through a loadbalancer, nothing more. 
i have ldap-01.domain.tld (ipa1) ldap-01.domain.tld (ipa2) and my loadbalancer is ldap.domain.tld ldap requests over a loadbalancer are quite simple and working, but the json part is more difficult because of the ticket and the dns name. I have added a san ldap.domain.tld to the webgui and there is a http/ldap.domain.tld service on the ipa server. I get a nonvalid kerberos ticket when I go through ldap.domain.tld to ldap-01.domain.tld, but when I change my script to
Re: [Freeipa-users] Understanding the migration mode
I've figured it out. You are right. SSSD triggers key generation. For migrated clients though, since ypbind still runs and the NIS-plugin serves maps, they authenticate first using NIS before SSSD. If ypbind is stopped, it is forced to use SSSD, and then it triggers the migration. Thanks for persisting with this. It's pretty clear how it works now.

On Tue, Mar 31, 2015 at 11:32 AM, Prasun Gera prasun.g...@gmail.com wrote:
>> ? SSSD does not seem to be involved as user is found in the /etc/passwd and this SSSD should not do anything.
>
> It's not a local user. There's no entry in /etc/passwd. Here's the relevant sssd log
>
> sssd_ssh
>
> (Tue Mar 31 03:50:41 2015) [sssd[ssh]] [sss_parse_name_for_domains] (0x0200): name 'testuser2' matched without domain, user is testuser2
> (Tue Mar 31 03:50:41 2015) [sssd[ssh]] [client_recv] (0x0200): Client disconnected!
> (Tue Mar 31 03:53:17 2015) [sssd[ssh]] [sss_cmd_get_version] (0x0200): Received client version [0].
>
> sssd_pam
>
> (Tue Mar 31 03:53:54 2015) [sssd[pam]] [pam_print_data] (0x0100): domain: ipadomain
> (Tue Mar 31 03:53:54 2015) [sssd[pam]] [pam_print_data] (0x0100): user: testuser2
> (Tue Mar 31 03:53:54 2015) [sssd[pam]] [pam_print_data] (0x0100): service: sshd
> (Tue Mar 31 03:53:54 2015) [sssd[pam]] [pam_print_data] (0x0100): tty: ssh
> (Tue Mar 31 03:53:54 2015) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set
> (Tue Mar 31 03:53:54 2015) [sssd[pam]] [pam_print_data] (0x0100): rhost: host_ip
> (Tue Mar 31 03:53:54 2015) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0
> (Tue Mar 31 03:53:54 2015) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
> (Tue Mar 31 03:53:54 2015) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
> (Tue Mar 31 03:53:54 2015) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 23983
> (Tue Mar 31 03:53:54 2015) [sssd[pam]] [pam_print_data] (0x0100): logon name: testuser2
> (Tue Mar 31 03:53:54 2015) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
> (Tue Mar 31 03:53:54 2015) [sssd[pam]] [pam_dp_process_reply] (0x0100): received: [0][ipadomain]
> (Tue Mar 31 03:53:54 2015) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [0].
> (Tue Mar 31 03:53:54 2015) [sssd[pam]] [pam_reply] (0x0200): blen: 27
> (Tue Mar 31 03:53:54 2015) [sssd[pam]] [client_recv] (0x0200): Client disconnected!
Re: [Freeipa-users] freeipa behind a load balancer
On Tue, 2015-03-31 at 11:41 -0400, Brendan Kearney wrote:
On Tue, 2015-03-31 at 11:07 -0400, Dmitri Pal wrote:
On 03/31/2015 10:38 AM, Matt . wrote:

True, but we have some extra layer between which does the cli command not usable (at least for the moment). I already know how to share the keys among all servers, that works fine, IPA/Apache/Kerberos only doesn't like the other hostname (loadbalancer), or the client doesn't understand it. So fixing this saves me really much more time than doing the another way.

Kerberos is not load balancer friendly. It is something that is a known property of Kerberos. I remember MIT mentioning something that they did or might do to help with that so it might make sense to ask this question on the MIT Kerberos user list.

Thanks! Matt

2015-03-31 16:24 GMT+02:00 Petr Spacek pspa...@redhat.com:
On 31.3.2015 16:10, Matt . wrote:

Hi Petr, We had several reasons why we did that. We wanted to use one language for that, and also have formatted returns. There was also some security issue which came up.

I would be very interested in the security reason. If you see any problem with 'ipa' command or FreeIPA API please send me a private e-mail or contact secal...@redhat.com directly.

I could ask you, why does IPA json itself? If you see what it posts and what it gets back as result it makes it much more clear in development.

I do not understand the question, sorry. If you want to see what 'ipa' command does run it with '-vv' parameter:

$ ipa -vv user-find

It will print JSON request and reply:

ipa: INFO: Request: {
    "id": 0,
    "method": "user_find",
    "params": [
        [ null ],
        {
            "all": false,
            "no_members": false,
            "pkey_only": false,
            "raw": false,
            "version": "2.115",
            "whoami": false
        }
    ]
}
ipa: INFO: Response: {
    "error": null,
    "id": 0,
    "principal": "admin@IPA.EXAMPLE",
    "result": {
        "count": 2,
        "result": [
            {
                "dn": "uid=admin,cn=users,cn=accounts,dc=ipa,dc=example",
                "gidnumber": [ "138100" ],
                ...

HTTP loadbalancing is not difficult at all, as we post to the webserver I need to have that part only auth right. We do more very specific loadbalancing stuff and this is the most easy one as it's only webserver forward, but IPA/Kerberos has an issue with the principal it seems... it cannot be hard to make that accepted I would say.

If you insist on Kerberos servers behind a load balancer... you will need to somehow share the Kerberos key among all servers. I will defer that to Kerberos experts here.

I'm still looking for solutions :)

Sure, but you will save a lot of time and nerves if you simply call 'ipa' command :-) Have a nice day! Petr^2 Spacek

Cheers, Matt

2015-03-31 15:58 GMT+02:00 Petr Spacek pspa...@redhat.com:
On 31.3.2015 15:23, Matt . wrote:

Hi Petr, We discussed that before indeed, but SRV is not usable in this case. My clients are just webservers (apache) doing some executes of CURL commands to ipa/json, actually the same commands as the webgui does using json, but we curl it. Do you have a better view now?

Yes. If you have seen the previous discussion then you know that it will be pretty difficult to do this kind of load balancing. Why are you not using 'ipa' command or Python API we have instead? Why to use CURL and make things more complex? Petr^2 Spacek

2015-03-31 15:03 GMT+02:00 Petr Spacek pspa...@redhat.com:
On 31.3.2015 14:35, Matt . wrote:

Hi Petr, As this is not my topic it's for me quite simple. I need to post to /ipa/json through a loadbalancer, nothing more. I have ldap-01.domain.tld (ipa1), ldap-01.domain.tld (ipa2) and my loadbalancer is ldap.domain.tld. LDAP requests over a loadbalancer are quite simple and working, but the json part is more difficult because of the ticket and the dns name. I have added a SAN ldap.domain.tld to the webgui and there is a http/ldap.domain.tld service on the ipa server. I get a nonvalid kerberos ticket when I go through ldap.domain.tld to ldap-01.domain.tld, but when I change my script to ldap-01.domain.tld after it failed my ticket is OK for ldap-01.domain.tld and works. Is this enough information for you?

Well, I still do not understand the use case. What are your clients? Are you using 'ipa' command to do something? Or some other clients? Usually the best thing is to use DNS SRV records because it works even with geographically distributed clusters and
Re: [Freeipa-users] freeipa behind a load balancer
Hi Brendan, Yes thanks for your great explanation, I have done that indeed. But in some strange way, with only a 401 in access_log of apache I get a Non valid ticket when I connect through my loadbalancer. I don't go by my loadbalancer but through it (NAT), or should it go by/next to it? I think we can get this fixed :) Thanks! Matt

2015-03-31 17:41 GMT+02:00 Brendan Kearney bpk...@gmail.com:
On Tue, 2015-03-31 at 11:07 -0400, Dmitri Pal wrote:
On 03/31/2015 10:38 AM, Matt . wrote:

True, but we have some extra layer between which does the cli command not usable (at least for the moment). I already know how to share the keys among all servers, that works fine, IPA/Apache/Kerberos only doesn't like the other hostname (loadbalancer), or the client doesn't understand it. So fixing this saves me really much more time than doing the another way.

Kerberos is not load balancer friendly. It is something that is a known property of Kerberos. I remember MIT mentioning something that they did or might do to help with that so it might make sense to ask this question on the MIT Kerberos user list.

Thanks! Matt
Re: [Freeipa-users] freeipa behind a load balancer
OK, that makes it even more clear. An ldapwhoami might be an issue. As this client is known on a different ldap server and I kinit to another ldap server. There is a reason for this as we have our office network and our deployment network. Users that manage are in the office ldap, users that are in deployment are in the deployment ldap. I do my kinit username@deployment.domain which works OK when I run my commands at ipa-01.deployment.domain. But when I want to do a ldapwhoami it tries to connect to the office ldap server which is not working of course. (I get a connection error atm, need to investigate as that server is running fine). Get the idea? Thanks again! Matt

2015-03-31 17:58 GMT+02:00 Brendan Kearney bpk...@gmail.com:
On Tue, 2015-03-31 at 17:51 +0200, Matt . wrote:

Hi Brendan, Yes thanks for your great explanation, I have done that indeed. But in some strange way, with only a 401 in access_log of apache I get a Non valid ticket when I connect through my loadbalancer. I don't go by my loadbalancer but through it (NAT), or should it go by/next to it? I think we can get this fixed :) Thanks! Matt
Re: [Freeipa-users] Migration mode fun and confusion
On 03/31/2015 09:38 AM, Janelle wrote:

Hello again, Is this a feature or a bug? Migration mode works fine the first time. However, if you need to run it a second time because someone added either new users or groups to your LDAP config and you want to bring those over, if you re-run migration, it indeed brings all the new users over, but NOT their secondary groups, only primary. And even if you have overwrite of the GID option set. Would this be expected for some reason that I may be missing, or is it a bug? Thank you ~J

Let me know if I get you right.

Setup:
- Old LDAP server
- IPA

Users are migrated from LDAP to IPA using migrate-ds. Everything works as expected. Now you add users to LDAP and put them into some groups (that had already been migrated the first time, right?). You run migrate-ds again and the new users are migrated but group membership is lost. Is this the scenario? If yes, looks like a bug.

-- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc.
Re: [Freeipa-users] Troubleshooting SSO
Klist in Windows showed one ticket for the IPA domain.

#0 Client: adm-faru03 @ test.osuwmc
   Server: krbtgt/UNIX.TEST.OSUWMC @ TEST.OSUWMC
   KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
   Ticket Flags 0x40a4 - forwardable renewable pre_authent ok_as_delegate
   Start Time: 3/31/2015 9:29:25 (local)
   End Time: 3/31/2015 15:28:22 (local)
   Session Key Type: AES-256-CTS-HMAC-SHA1-96

IPA and SSSD are:
ipa-server.x86_64 4.1.0-18.el7_1.3
sssd.x86_64 1.12.2-58.el7_1.6.1

Kinit adm-faru03@TEST.OSUWMC was telling. Once it reported "kinit: KDC reply did not match expectations while getting initial credentials". We waited a minute or two (were discussing results) and tried again just adding the -V flag and it worked.

Kvno host/mid-ipa-vp01.unix.test.osu...@unix.test.OSUWMC = 2

Verbose logging in putty gave the following error:

On 3/31/15, 3:30 AM, Sumit Bose sb...@redhat.com wrote:

Can you do the following checks:

Can you check by calling klist in a Windows Command window if you got a proper host/... ticket for the IPA host?

What version of IPA and SSSD are you using?

Can you check if the following works on an IPA host:
kinit adm-faru03@TEST.OSUWMC
kvno host/name.of.the.ipa-client.to.login@IPA.REALM
ssh -v -l adm-faru03@test.osuwmc name.of.the.ipa-client.to.login
[Freeipa-users] freeipa 4.x packages for RHEL?
Hello, We're currently running RHEL in production and would love to be using all the goodness that is FreeIPA 4 including certmonger for certificate management. I don't see any mention of 4.x packages available for RHEL in the mailing lists and I have run into problems using the 3.3 client packages on a 4.x realm. When will 4.x packages be available for RHEL? --steve
Re: [Freeipa-users] freeipa 4.x packages for RHEL?
On Tue, 31 Mar 2015, Steve Neuharth wrote:

Hello, We're currently running RHEL in production and would love to be using all the goodness that is FreeIPA 4 including certmonger for certificate management. I don't see any mention of 4.x packages available for RHEL in the mailing lists and I have run into problems using the 3.3 client packages on a 4.x realm. When will 4.x packages be available for RHEL? --steve

They are already available, starting with RHEL7.1.

-- / Alexander Bokovoy
Re: [Freeipa-users] generic failure: GSSAPI Error: Unspecified GSS failure
I try to set the sudo password but I get a message: GSSAPI Error. What does this kind of message mean?

ldappasswd -Y GSSAPI -S -h my_server uid=sudo,cn=sysaccounts,cn=etc,dc=my_domain,dc=com
New password:
Re-enter new password:
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
        additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)

Your kerberos ticket has expired. You need to get a new ticket using kinit and then try using gssapi. -andy
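Both of the last two problems come down to what is in the credential cache before the GSSAPI step runs: Sumit asks for a klist check that a host/... ticket for the IPA client is present, and Andy's diagnosis of the ldappasswd failure is simply that the TGT had expired. The following pre-flight check is an added illustration, not code from the thread or from the krb5 or FreeIPA projects. It parses MIT klist output and reports whether the home-realm TGT is still valid and whether a service ticket for the target host is already cached. SAMPLE_KLIST is constructed in the format MIT klist prints, with principals modelled on the thread; the KEYRING cache name is an assumption.

```python
"""
Pre-flight check for a GSSAPI operation (ldappasswd -Y GSSAPI, ssh with
GSSAPI, the ipa command): parse `klist` output and report whether the
TGT is still valid and whether a service ticket for the target host is
already in the cache.

Added illustration, not code from the thread or from krb5/FreeIPA.
SAMPLE_KLIST is constructed in the format MIT klist prints; the names in
it are modelled on the thread and the cache name is an assumption.
"""
import re
import subprocess
from datetime import datetime

SAMPLE_KLIST = """\
Ticket cache: KEYRING:persistent:1000:1000
Default principal: adm-faru03@TEST.OSUWMC

Valid starting       Expires              Service principal
03/31/2015 09:29:25  03/31/2015 15:28:22  krbtgt/TEST.OSUWMC@TEST.OSUWMC
03/31/2015 09:29:26  03/31/2015 15:28:22  krbtgt/UNIX.TEST.OSUWMC@TEST.OSUWMC
03/31/2015 09:29:27  03/31/2015 15:28:22  host/mid-ipa-vp01.unix.test.osuwmc@UNIX.TEST.OSUWMC
"""

# One ticket line: start, end, service principal. "renew until" lines do not match.
_TICKET_RE = re.compile(
    r"^(?P<start>\d{2}/\d{2}/\d{2,4} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<end>\d{2}/\d{2}/\d{2,4} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<sname>\S+)$"
)


def _parse_stamp(text):
    """klist prints two- or four-digit years depending on version and locale."""
    year_len = len(text.split("/")[2].split(" ")[0])
    fmt = "%m/%d/%Y %H:%M:%S" if year_len == 4 else "%m/%d/%y %H:%M:%S"
    return datetime.strptime(text, fmt)


def parse_klist(output):
    """Return (default principal or None, list of tickets as dicts)."""
    principal = None
    tickets = []
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
            continue
        m = _TICKET_RE.match(line)
        if m:
            tickets.append({"start": _parse_stamp(m["start"]),
                            "end": _parse_stamp(m["end"]),
                            "sname": m["sname"]})
    return principal, tickets


def tgt_status(principal, tickets, now):
    """'missing', 'expired' or 'valid' for the TGT of the principal's own realm.

    Cross-realm TGTs (krbtgt/OTHER@REALM) are not counted here; the home-realm
    TGT is what decides whether a fresh kinit is needed."""
    if not principal or "@" not in principal:
        return "missing"
    realm = principal.rsplit("@", 1)[1]
    wanted = f"krbtgt/{realm}@{realm}"
    for t in tickets:
        if t["sname"] == wanted:
            return "valid" if t["start"] <= now < t["end"] else "expired"
    return "missing"


def has_service_ticket(tickets, service, host, now):
    """True if a still-valid service/host ticket is cached. The realm part is
    ignored; service/host are compared case-insensitively."""
    want = f"{service}/{host}".lower()
    return any(t["sname"].split("@", 1)[0].lower() == want and now < t["end"]
               for t in tickets)


def summarize(output, now_iso, service, host):
    """Evaluate one klist dump at the given ISO-8601 instant."""
    now = datetime.fromisoformat(now_iso)
    principal, tickets = parse_klist(output)
    return {
        "principal": principal,
        "tgt": tgt_status(principal, tickets, now),
        "service_ticket": has_service_ticket(tickets, service, host, now),
    }


def check_live(service, host):
    """Run klist on this machine; a non-zero exit means no usable cache."""
    proc = subprocess.run(["klist"], capture_output=True, text=True, check=False)
    output = proc.stdout if proc.returncode == 0 else ""
    return summarize(output, datetime.now().isoformat(timespec="seconds"), service, host)


if __name__ == "__main__":
    for when in ("2015-03-31T12:00:00", "2015-03-31T16:00:00"):
        print(when, summarize(SAMPLE_KLIST, when, "host", "mid-ipa-vp01.unix.test.osuwmc"))
```

Run before the GSSAPI bind: a "tgt" of "expired" or "missing" is exactly the case Andy describes and means kinit first; a valid TGT with no cached host/ ticket is normal, the first connection will fetch one, and the kvno step Sumit suggests confirms the KDC can issue it at all.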
Re: [Freeipa-users] freeipa behind a load balancer
OK, but we need to do this using IPA or (as IPA does some things different it seems). Anyone testing this perhaps? (/me is multitasking atm)

2015-03-31 20:22 GMT+02:00 Rob Crittenden rcrit...@redhat.com:
Brendan Kearney wrote:

Careful there, as Kerberos balks at CNAME records. I think you need to use A records. I ran into a couple odd issues and decided to only use A/PTR records for my stuff and never went exploring for options/alternatives.

Not DNS aliases, Kerberos principal aliases. rob
Re: [Freeipa-users] freeipa behind a load balancer
OK, but as I say, without the loadbalancer, same domain, it works. My IPA server also sees the client name and PTR as I do NAT. So you create a keytab for the host you are doing the commands from? I was using a user keytab and run my commands as that user, that works to ipa-01. It's getting somewhat more clear.

2015-03-31 19:29 GMT+02:00 Brendan Kearney bpk...@gmail.com:
On Tue, 2015-03-31 at 18:18 +0200, Matt . wrote:

OK, that makes it even more clear. An ldapwhoami might be an issue. As this client is known on a different ldap server and I kinit to another ldap server. There is a reason for this as we have our office network and our deployment network. Users that manage are in the office ldap, users that are in deployment are in the deployment ldap. I do my kinit username@deployment.domain which works OK when I run my commands at ipa-01.deployment.domain. But when I want to do a ldapwhoami it tries to connect to the office ldap server which is not working of course. (I get a connection error atm, need to investigate as that server is running fine). Get the idea? Thanks again! Matt
Re: [Freeipa-users] Setup of freeipa 4.1.3 failed
On 03/31/2015 01:54 PM, Markus Roth wrote:

Hi all, I want to set up freeipa 4.1.3 on a freshly installed fedora 21. The ipa-server-install shows the following output:

Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv): Estimated time 1 minute
  [1/38]: creating directory server user
  [2/38]: creating directory server instance
  [3/38]: adding default schema
  [4/38]: enabling memberof plugin
  [5/38]: enabling winsync plugin
  [6/38]: configuring replication version plugin
  [7/38]: enabling IPA enrollment plugin
  [8/38]: enabling ldapi
  [9/38]: configuring uniqueness plugin
  [10/38]: configuring uuid plugin
  [11/38]: configuring modrdn plugin
  [12/38]: configuring DNS plugin
  [13/38]: enabling entryUSN plugin
  [14/38]: configuring lockout plugin
  [15/38]: creating indices
  [16/38]: enabling referential integrity plugin
  [17/38]: configuring certmap.conf
  [18/38]: configure autobind for root
  [19/38]: configure new location for managed entries
  [20/38]: configure dirsrv ccache
  [21/38]: enable SASL mapping fallback
  [22/38]: restarting directory server
  [23/38]: adding default layout
  [24/38]: adding delegation layout
  [25/38]: creating container for managed entries
  [26/38]: configuring user private groups
  [27/38]: configuring netgroups from hostgroups
  [28/38]: creating default Sudo bind user
  [29/38]: creating default Auto Member layout
  [30/38]: adding range check plugin
  [31/38]: creating default HBAC rule allow_all
  [32/38]: initializing group membership
  [33/38]: adding master entry
  [34/38]: configuring Posix uid/gid generation
  [35/38]: adding replication acis
  [36/38]: enabling compatibility plugin
  [37/38]: tuning directory server
  [38/38]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
  [1/27]: creating certificate server user
  [2/27]: configuring certificate server instance
  [3/27]: stopping certificate server instance to update CS.cfg
  [4/27]: backing up CS.cfg
  [5/27]: disabling nonces
  [6/27]: set up CRL publishing
  [7/27]: enable PKIX certificate path discovery and validation
  [8/27]: starting certificate server instance
  [error] RuntimeError: CA did not start in 300.0s
CA did not start in 300.0s

The ipa server install log shows this:

2015-03-31T17:39:35Z DEBUG The CA status is: check interrupted
2015-03-31T17:39:35Z DEBUG Waiting for CA to start...
2015-03-31T17:39:36Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 372, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 526, in __start
    self.start()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 279, in start
    self.service.start(instance_name, capture_output=capture_output, wait=wait)
  File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", line 229, in start
    self.wait_until_running()
  File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", line 223, in wait_until_running
    raise RuntimeError('CA did not start in %ss' % timeout)
RuntimeError: CA did not start in 300.0s

2015-03-31T17:39:36Z DEBUG [error] RuntimeError: CA did not start in 300.0s
2015-03-31T17:39:36Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 642, in run_script
    return_value = main_function()
  File "/usr/sbin/ipa-server-install", line 1183, in main
    ca_signing_algorithm=options.ca_signing_algorithm)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 520, in configure_instance
    self.start_creation(runtime=210)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 372, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 526, in __start
    self.start()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 279, in start
    self.service.start(instance_name, capture_output=capture_output, wait=wait)
  File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", line 229, in start
    self.wait_until_running()
  File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", line 223, in wait_until_running
    raise RuntimeError('CA did not start in %ss' % timeout)

2015-03-31T17:39:36Z DEBUG The ipa-server-install command failed,
Re: [Freeipa-users] freeipa behind a load balancer
On Tue, 2015-03-31 at 13:54 -0400, Simo Sorce wrote:
On Tue, 2015-03-31 at 13:50 -0400, Simo Sorce wrote:

But IPA is more complex and some operations will be performed directly against the specific server name, so you need to keep 2 sets of keys (one for the server name and one for the load balancer name), but that does not work right now.

One experiment that can be done is to remove all per-server HTTP services for the IPA server, and instead add their name as aliases on the common load-balancer name. This would mean that all IPA servers would have just one key in their HTTP keytab, but the KDC would release tickets readable by that key for any name the clients may ask for. It is a bit tricky, every time you build a replica you want to load-balance you'll have to go back and remove the service and switch keytabs, but it may be an option. Of course if you brick IPA then you get to keep the pieces :-) Simo.

Careful there, as Kerberos balks at CNAME records. I think you need to use A records. I ran into a couple odd issues and decided to only use A/PTR records for my stuff and never went exploring for options/alternatives.
Re: [Freeipa-users] freeipa behind a load balancer
Simo, Yes that was where I was thinking of also, so you say faking by DNS? @Brendan, CNAMEs are not that nice in networks indeed.

2015-03-31 20:10 GMT+02:00 Brendan Kearney bpk...@gmail.com:

Careful there, as Kerberos balks at CNAME records. I think you need to use A records. I ran into a couple odd issues and decided to only use A/PTR records for my stuff and never went exploring for options/alternatives.
Re: [Freeipa-users] freeipa behind a load balancer
On Tue, 2015-03-31 at 13:50 -0400, Simo Sorce wrote:
> But IPA is more complex and some operations will be performed directly against the specific server name, so you need to keep 2 sets of keys (one for the server name and one for the load balancer name), but that does not work right now.

One experiment that can be done is to remove all per-server HTTP services for the IPA server, and instead add their name as aliases on the common load-balancer name. This would mean that all IPA servers would have just one key in their HTTP keytab, but the KDC would release tickets readable by that key for any name the clients may ask for.

It is a bit tricky, every time you build a replica you want to load-balance you'll have to go back and remove the service and switch keytabs, but it may be an option.

Of course if you brick IPA then you get to keep the pieces :-)

Simo.

--
Simo Sorce * Red Hat, Inc * New York
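Simo's one-key-per-load-balancer-name experiment and Brendan's warning about CNAME records both come down to the same two questions: which service principal does the client end up asking the KDC for, and which replica behind the balancer holds a key that can decrypt that ticket. The Python below is an added example written for this page, not code from the thread, from FreeIPA or from MIT krb5. It models MIT krb5's default client behaviour (dns_canonicalize_hostname follows CNAMEs to the canonical name, rdns then substitutes the PTR record of the address) over a constructed zone, PTR table and keytab contents. The names ipa.domain.tld and lb-vip.domain.tld, the realm DOMAIN.TLD and the KDC_ALIASES table are invented for the example; the alias table stands in for the aliasing Simo proposes and is not a description of how IPA implements it.

```python
"""Which Kerberos service principal a client asks for, and who can decrypt the ticket.

Added example: constructed DNS zone, PTR table and keytabs standing in for
domain.tld; the thread only names ldap.domain.tld, ldap-01 and ldap-02.
"""

ZONE = {  # name -> (record type, target); constructed
    "ldap-01.domain.tld": ("A", "10.0.0.1"),
    "ldap-02.domain.tld": ("A", "10.0.0.2"),
    "ldap.domain.tld": ("A", "10.0.0.10"),              # load-balancer VIP published as an A record
    "ipa.domain.tld": ("CNAME", "ldap-01.domain.tld"),  # the same service published as a CNAME
}
PTR = {  # address -> name; constructed
    "10.0.0.1": "ldap-01.domain.tld",
    "10.0.0.2": "ldap-02.domain.tld",
    "10.0.0.10": "ldap.domain.tld",
}


def resolve(name, zone=ZONE, max_hops=8):
    """Follow CNAMEs to the canonical name and address, as getaddrinfo() with AI_CANONNAME does."""
    name = name.rstrip(".").lower()
    for _ in range(max_hops):
        rtype, target = zone.get(name, (None, None))
        if rtype == "A":
            return name, target
        if rtype == "CNAME":
            name = target.rstrip(".").lower()
            continue
        raise LookupError("no A or CNAME record for %s" % name)
    raise LookupError("CNAME chain too long")


def service_principal(service, host, realm, zone=ZONE, ptr=PTR,
                      dns_canonicalize=True, rdns=True):
    """Principal the client requests a ticket for (MIT krb5 dns_canonicalize_hostname / rdns model)."""
    host = host.rstrip(".").lower()
    if dns_canonicalize:
        host, addr = resolve(host, zone)      # a CNAME alias is replaced by its target here
        if rdns and addr in ptr:
            host = ptr[addr].rstrip(".").lower()  # and the PTR record has the final word
    return "%s/%s@%s" % (service, host, realm)


def backends_that_can_decrypt(principal, keytabs, aliases=None):
    """Servers whose keytab holds the key the KDC encrypted the ticket with.

    aliases maps a requested principal to the principal whose key the KDC
    uses instead (a model of Simo's proposal, not of IPA's implementation).
    """
    key_owner = (aliases or {}).get(principal, principal)
    return sorted(server for server, names in keytabs.items() if key_owner in names)


# Constructed keytab contents for three deployments.
PER_SERVER_KEYTABS = {  # default: each replica only has its own HTTP key
    "ldap-01.domain.tld": {"HTTP/ldap-01.domain.tld@DOMAIN.TLD"},
    "ldap-02.domain.tld": {"HTTP/ldap-02.domain.tld@DOMAIN.TLD"},
}
SHARED_KEYTABS = {  # load-balancer key added to both replicas
    server: names | {"HTTP/ldap.domain.tld@DOMAIN.TLD"}
    for server, names in PER_SERVER_KEYTABS.items()
}
ALIAS_ONLY_KEYTABS = {  # Simo's experiment: one key, per-server names become aliases
    server: {"HTTP/ldap.domain.tld@DOMAIN.TLD"} for server in PER_SERVER_KEYTABS
}
KDC_ALIASES = {
    "HTTP/ldap-01.domain.tld@DOMAIN.TLD": "HTTP/ldap.domain.tld@DOMAIN.TLD",
    "HTTP/ldap-02.domain.tld@DOMAIN.TLD": "HTTP/ldap.domain.tld@DOMAIN.TLD",
}


if __name__ == "__main__":
    for target in ("ldap.domain.tld", "ipa.domain.tld"):
        princ = service_principal("HTTP", target, "DOMAIN.TLD")
        print(target, "->", princ)
        print("  per-server keytabs:", backends_that_can_decrypt(princ, PER_SERVER_KEYTABS))
        print("  shared LB key     :", backends_that_can_decrypt(princ, SHARED_KEYTABS))
        print("  alias experiment  :", backends_that_can_decrypt(princ, ALIAS_ONLY_KEYTABS, KDC_ALIASES))
```

With the per-server keytabs the ticket for HTTP/ldap.domain.tld is readable by nobody, which is the "nonvalid kerberos ticket" Matt sees; adding the balancer key to every replica fixes that for the A-record name. The CNAME case shows why Brendan stays with A/PTR records: the client never asks for the alias at all, it asks for the canonical target, so a backend other than that target cannot decrypt the ticket. The rdns branch is the same trap in reverse: whatever the PTR of the VIP says becomes the principal name, so the PTR must match the name the keytabs carry (or rdns must be off on the clients).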
[Freeipa-users] Setup of freeipa 4.1.3 failed
Hi all,

I want to set up freeipa 4.1.3 on a freshly installed fedora 21. The ipa-server-install shows the following output:

configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv): Estimated time 1 minute
  [1/38]: creating directory server user
  [2/38]: creating directory server instance
  [3/38]: adding default schema
  [4/38]: enabling memberof plugin
  [5/38]: enabling winsync plugin
  [6/38]: configuring replication version plugin
  [7/38]: enabling IPA enrollment plugin
  [8/38]: enabling ldapi
  [9/38]: configuring uniqueness plugin
  [10/38]: configuring uuid plugin
  [11/38]: configuring modrdn plugin
  [12/38]: configuring DNS plugin
  [13/38]: enabling entryUSN plugin
  [14/38]: configuring lockout plugin
  [15/38]: creating indices
  [16/38]: enabling referential integrity plugin
  [17/38]: configuring certmap.conf
  [18/38]: configure autobind for root
  [19/38]: configure new location for managed entries
  [20/38]: configure dirsrv ccache
  [21/38]: enable SASL mapping fallback
  [22/38]: restarting directory server
  [23/38]: adding default layout
  [24/38]: adding delegation layout
  [25/38]: creating container for managed entries
  [26/38]: configuring user private groups
  [27/38]: configuring netgroups from hostgroups
  [28/38]: creating default Sudo bind user
  [29/38]: creating default Auto Member layout
  [30/38]: adding range check plugin
  [31/38]: creating default HBAC rule allow_all
  [32/38]: initializing group membership
  [33/38]: adding master entry
  [34/38]: configuring Posix uid/gid generation
  [35/38]: adding replication acis
  [36/38]: enabling compatibility plugin
  [37/38]: tuning directory server
  [38/38]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
  [1/27]: creating certificate server user
  [2/27]: configuring certificate server instance
  [3/27]: stopping certificate server instance to update CS.cfg
  [4/27]: backing up CS.cfg
  [5/27]: disabling nonces
  [6/27]: set up CRL publishing
  [7/27]: enable PKIX certificate path discovery and validation
  [8/27]: starting certificate server instance
  [error] RuntimeError: CA did not start in 300.0s
CA did not start in 300.0s

The ipa server install log shows this:

2015-03-31T17:39:35Z DEBUG The CA status is: check interrupted
2015-03-31T17:39:35Z DEBUG Waiting for CA to start...
2015-03-31T17:39:36Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 372, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 526, in __start
    self.start()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 279, in start
    self.service.start(instance_name, capture_output=capture_output, wait=wait)
  File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", line 229, in start
    self.wait_until_running()
  File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", line 223, in wait_until_running
    raise RuntimeError('CA did not start in %ss' % timeout)
RuntimeError: CA did not start in 300.0s

2015-03-31T17:39:36Z DEBUG   [error] RuntimeError: CA did not start in 300.0s
2015-03-31T17:39:36Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 642, in run_script
    return_value = main_function()
  File "/usr/sbin/ipa-server-install", line 1183, in main
    ca_signing_algorithm=options.ca_signing_algorithm)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 520, in configure_instance
    self.start_creation(runtime=210)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 372, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 526, in __start
    self.start()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 279, in start
    self.service.start(instance_name, capture_output=capture_output, wait=wait)
  File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", line 229, in start
    self.wait_until_running()
  File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", line 223, in wait_until_running
    raise RuntimeError('CA did not start in %ss' % timeout)

2015-03-31T17:39:36Z DEBUG The ipa-server-install command failed, exception: RuntimeError: CA did not start in 300.0s

I uninstalled the ipa server completely several times and
Re: [Freeipa-users] freeipa behind a load balancer
On Tue, 2015-03-31 at 13:21 -0400, Brendan Kearney wrote:
On Tue, 2015-03-31 at 12:53 -0400, Simo Sorce wrote:
On Tue, 2015-03-31 at 11:41 -0400, Brendan Kearney wrote:
On Tue, 2015-03-31 at 11:07 -0400, Dmitri Pal wrote:
On 03/31/2015 10:38 AM, Matt . wrote:

True, but we have some extra later between which does the cli command not usable (at least for the moment) I already know how to share the key's among all servers, that works fine, IPA/Apache/Kerberos only doesn't like the other hostname (loadbalancer), or the client doesn't understand it. So fixing this saves me really much more time than doing the another way.

Kerberos is not load balancer friendly. It is something that is a known property of Kerberos. I remember MIT mentioning something that they did or might do to help with that so it might make sense to ask this question on the MIT Kerberos user list.

Thanks!

Matt

2015-03-31 16:24 GMT+02:00 Petr Spacek pspa...@redhat.com:
On 31.3.2015 16:10, Matt . wrote:

Hi Petr, We had a several of reasons why we did that. We wanted to use one language for that, and also have formatted returns. There was also some security issue which came up.

I would be very interested in the security reason. If you see any problem with 'ipa' command or FreeIPA API please send me a private e-mail or contact secal...@redhat.com directly.

I could ask you, why does IPA json itself ? if you see what it posts and what it gets back as result it makes it much more clear in development.

I do not understand the question, sorry.

If you want to see what 'ipa' command does run it with '-vv' parameter:

$ ipa -vv user-find

It will print JSON request and reply:

ipa: INFO: Request: {
    "id": 0,
    "method": "user_find",
    "params": [
        [
            null
        ],
        {
            "all": false,
            "no_members": false,
            "pkey_only": false,
            "raw": false,
            "version": "2.115",
            "whoami": false
        }
    ]
}
ipa: INFO: Response: {
    "error": null,
    "id": 0,
    "principal": "admin@IPA.EXAMPLE",
    "result": {
        "count": 2,
        "result": [
            {
                "dn": "uid=admin,cn=users,cn=accounts,dc=ipa,dc=example",
                "gidnumber": [
                    "138100"
                ],
...

HTTP loadbalancing is not difficult at all, as we post to the webserver I need to have that part only auth right. We do more very specific loadbalancing stuff and this is the most easy one as it's only webserver forward, but IPA/Kerberos has an issue with the principal it seems... it cannot be hard to make that accepted I would say.

If you insist on Kerberos servers behind a load balancer... you will need to somehow share the Kerberos key among all servers. I will defer that to Kerberos experts here.

I'm still looking for solutions :)

Sure, but you will save a lot of time and nerves if you simply call 'ipa' command :-)

Have a nice day!

Petr^2 Spacek

Cheers,

Matt

2015-03-31 15:58 GMT+02:00 Petr Spacek pspa...@redhat.com:
On 31.3.2015 15:23, Matt . wrote:

Hi Petr, We discussed that before indeed, but SRV is not usable in this case. My clients are just webservers (apache) doing some executes of CURL commands to ipa/json, actually the same commands as the webgui does using json, but we curl it. Do you have a better view now ?

Yes. If you have seen the previous discussion then you know that it will be pretty difficult to do this kind of load balancing. Why are you not using 'ipa' command or Python API we have instead? Why to use CURL and make things more complex?

Petr^2 Spacek

2015-03-31 15:03 GMT+02:00 Petr Spacek pspa...@redhat.com:
On 31.3.2015 14:35, Matt . wrote:

Hi Petr, As this is not my topic it's for me quite simple. I need to post to /ipa/json through a loadbalancer, nothing more. i have ldap-01.domain.tld (ipa1) ldap-01.domain.tld (ipa2) and my loadbalancer is ldap.domain.tld ldap requests over a loadbalancer are quite simple and working, but the json part is more difficult because of the ticket and the dns name. I have added a san ldap.domain.tld to the webgui and there is a http/ldap.domain.tld service on the ipa server. I get a nonvalid kerberos ticket when I go through
Re: [Freeipa-users] freeipa behind a load balancer
On Tue, 2015-03-31 at 19:36 +0200, Matt . wrote:
> OK, but as I say, without the loadbalancer, same domain it works.

All the more reason to capture the session and review it in wireshark.

> My IPA server also sees the client name and ptr as I do nat.
>
> So you create a keytab for your host you are doing the commands from ?

all of my hosts get a host principal and have it put in /etc/krb5.keytab. i run kadmin to generate them. freeipa likely has utilities for this, but am not sure what they are.

> I was using a user keytab and run my commands as that user, that works to ipa-01
>
> It's getting something more clear.
Re: [Freeipa-users] freeipa behind a load balancer
On 31.3.2015 15:23, Matt . wrote:

Hi Petr, We discussed that before indeed, but SRV is not usable in this case. My clients are just webservers (apache) doing some executes of CURL commands to ipa/json, actually the same commands as the webgui does using json, but we curl it. Do you have a better view now ?

Yes. If you have seen the previous discussion then you know that it will be pretty difficult to do this kind of load balancing. Why are you not using 'ipa' command or Python API we have instead? Why to use CURL and make things more complex?

Petr^2 Spacek

2015-03-31 15:03 GMT+02:00 Petr Spacek pspa...@redhat.com:
On 31.3.2015 14:35, Matt . wrote:

Hi Petr, As this is not my topic it's for me quite simple. I need to post to /ipa/json through a loadbalancer, nothing more. i have ldap-01.domain.tld (ipa1) ldap-01.domain.tld (ipa2) and my loadbalancer is ldap.domain.tld ldap requests over a loadbalancer are quite simple and working, but the json part is more difficult because of the ticket and the dns name. I have added a san ldap.domain.tld to the webgui and there is a http/ldap.domain.tld service on the ipa server. I get a nonvalid kerberos ticket when I go through ldap.domain.tld to ldap-01.domain.tld, but when I change my script to ldap-01.domain.tld after it failed my ticket is OK for ldap-01.domain.tld and works. Is this enough information for you ?

Well, I still do not understand the use case. What are your clients? Are you using 'ipa' command to do something? Or some other clients? Usually the best thing is to use DNS SRV records because it works even with geographically distributed clusters and does not have single point of failure (the load balancer). This requires clients with support for DNS SRV but if your machines are using SSSD then you do not need to change anything and it should just work. That is why I'm asking for the use case :-)

Petr^2 Spacek

2015-03-31 14:21 GMT+02:00 Petr Spacek pspa...@redhat.com:
On 31.3.2015 14:02, Matt . wrote:

Hi Prashant, Check my mailings about it, it's not easy at least the kerberos part not, SRV records are used for that normally. Are you talking about the webgui or the ldap part ?

I would recommend you to step back and describe use-case you have in mind. It is important for us to understand to your use-case to propose optimal solution.

Petr^2 Spacek

Cheers,

Matt

2015-03-31 13:56 GMT+02:00 Prashant Bapat prash...@apigee.com:

Hi, I'm trying to get 2 FreeIPA servers in a replicated mode behind a load balancer, specifically Amazon ELB. I started with editing the /etc/httpd/conf.d/ipa-rewrite.conf but looks like there is more to it than just this file. Any suggestions ? Thanks.

--Prashant

--
Petr Spacek @ Red Hat
Re: [Freeipa-users] Migration mode fun and confusion
On 3/31/15 6:49 AM, Dmitri Pal wrote:
> On 03/31/2015 09:38 AM, Janelle wrote:
> > Hello again,
> >
> > Is this a feature or a bug? Migration mode - works fine the first time. However, if you need to run it a second time because someone added either new users or groups to your LDAP config and you want to bring those over, if you re-run migration, it indeed brings all the new users over, but NOT their secondary groups, only primary. And even if you have overwrite of the GID option set. Would this be expected for some reason that I may be missing, or is it a bug?
> >
> > Thank you
> > ~J
>
> Let me know if I get you right.

That's it exactly. Ok - Bug. :-)

> Setup:
> - Old LDAP server
> - IPA
>
> Users are migrated from LDAP to IPA using migrate-ds. Everything works as expected
>
> Now you add users to LDAP and put them into some groups (that were already migrated the first time, right?)
>
> You run migrate-ds again and the new users are migrated but group membership is lost.
>
> Is this the scenario? If yes, looks like a bug.
Re: [Freeipa-users] freeipa behind a load balancer
Hi Petr,

We discussed that before indeed, but SRV is not usable in this case. My clients are just webservers (apache) doing some executes of CURL commands to ipa/json, actually the same commands as the webgui does using json, but we curl it.

Do you have a better view now ?

Cheers,

Matt

2015-03-31 15:03 GMT+02:00 Petr Spacek pspa...@redhat.com:
On 31.3.2015 14:35, Matt . wrote:

Hi Petr, As this is not my topic it's for me quite simple. I need to post to /ipa/json through a loadbalancer, nothing more. i have ldap-01.domain.tld (ipa1) ldap-01.domain.tld (ipa2) and my loadbalancer is ldap.domain.tld ldap requests over a loadbalancer are quite simple and working, but the json part is more difficult because of the ticket and the dns name. I have added a san ldap.domain.tld to the webgui and there is a http/ldap.domain.tld service on the ipa server. I get a nonvalid kerberos ticket when I go through ldap.domain.tld to ldap-01.domain.tld, but when I change my script to ldap-01.domain.tld after it failed my ticket is OK for ldap-01.domain.tld and works. Is this enough information for you ?

Well, I still do not understand the use case. What are your clients? Are you using 'ipa' command to do something? Or some other clients? Usually the best thing is to use DNS SRV records because it works even with geographically distributed clusters and does not have single point of failure (the load balancer). This requires clients with support for DNS SRV but if your machines are using SSSD then you do not need to change anything and it should just work. That is why I'm asking for the use case :-)

Petr^2 Spacek

2015-03-31 14:21 GMT+02:00 Petr Spacek pspa...@redhat.com:
On 31.3.2015 14:02, Matt . wrote:

Hi Prashant, Check my mailings about it, it's not easy at least the kerberos part not, SRV records are used for that normally. Are you talking about the webgui or the ldap part ?

I would recommend you to step back and describe use-case you have in mind. It is important for us to understand to your use-case to propose optimal solution.

Petr^2 Spacek

Cheers,

Matt

2015-03-31 13:56 GMT+02:00 Prashant Bapat prash...@apigee.com:

Hi, I'm trying to get 2 FreeIPA servers in a replicated mode behind a load balancer, specifically Amazon ELB. I started with editing the /etc/httpd/conf.d/ipa-rewrite.conf but looks like there is more to it than just this file. Any suggestions ? Thanks.

--Prashant
[Freeipa-users] Migration mode fun and confusion
Hello again,

Is this a feature or a bug? Migration mode - works fine the first time. However, if you need to run it a second time because someone added either new users or groups to your LDAP config and you want to bring those over, if you re-run migration, it indeed brings all the new users over, but NOT their secondary groups, only primary. And even if you have overwrite of the GID option set. Would this be expected for some reason that I may be missing, or is it a bug?

Thank you
~J
[Freeipa-users] OTP integrations
Hello FreeIPA people,

I must say that FreeIPA v4 looks very pretty and I am looking forward to trying out the new features.

I'm wondering what applications and tools can be used to authenticate with the OTP in freeipa. For instance, if we wanted to set up a VPN that uses it how might we go about that? Is there a common library that I should look out for?

Thanks,

Andrew
Re: [Freeipa-users] OTP integrations
On 03/31/2015 05:30 PM, Andrew Holway wrote:
> Hello FreeIPA people,
>
> I must say that FreeIPA v4 looks very pretty and I am looking forward to trying out the new features.
>
> I'm wondering what applications and tools can be used to authenticate with the OTP in freeipa. For instance, if we wanted to set up a VPN that uses it how might we go about that? Is there a common library that I should look out for?

With VPN you usually do the following:

a) Pick a VPN of your choice based on features and needs you have
b) Make sure the VPN server supports different authentication methods. You need at least RADIUS which is the most popular option and I would be surprised to find a VPN server that does not talk RADIUS to actually do the authentication.
c) Setup freeRADIUS server on Fedora 21/RHEL 7.1/Centos 7.1 (when it happens) box, configure it to do kinit authentication or pam authentication via SSSD against IPA, see freeRADIUS manuals for more details
d) Connect VPN server to the RADIUS server
e) Provision tokens (or hook IPA to existing OTP solution using another RADIUS server)
f) Profit

If you have an application that can use RADIUS in such setup you can use FreeIPA 2FA.

Also see http://www.freeipa.org/page/Web_App_Authentication how to enable any web application to take advantage of the IPA authentication including 2FA.

> Thanks,
>
> Andrew

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
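Steps (b) to (d) above hinge on one exchange: the VPN server sends a RADIUS Access-Request carrying the user's credential, the RADIUS server checks it (against IPA, via kinit or PAM/SSSD in Dmitri's setup) and answers Access-Accept or Access-Reject. The Python below is an added example written for this page, not code from the thread, from freeRADIUS or from FreeIPA. It implements the RFC 2865 packet layout, the User-Password hiding and the Response Authenticator check with the standard library only; the credential check itself is a caller-supplied verify() callback over a constructed user table, which is the seam where the real deployment hands the credential to IPA. The shared secret, user name, password and identifier values are constructed for the example.

```python
"""RADIUS Access-Request / Access-Accept round trip (RFC 2865), added example.

The verify() callback stands in for the RADIUS server's real check against
IPA; USERS is a constructed table, not a credential store of any product.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
HEADER = struct.Struct("!BBH")  # code, identifier, length; 16-byte authenticator follows


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-octet blocks, XOR each block with MD5(secret + previous block)."""
    if len(password) > 128:
        raise ValueError("User-Password longer than 128 octets")
    pad = (-len(password)) % 16
    if not password:
        pad = 16  # an empty password still occupies one block
    padded = password + b"\x00" * pad
    out, prev = b"", authenticator  # the Request Authenticator seeds the first block
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password, run by the RADIUS server; trailing NUL padding is stripped."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a positive multiple of 16 octets")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block  # chaining uses the ciphertext block, not the recovered plaintext
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    """Attributes are type(1) length(1, including the 2 header octets) value."""
    out = b""
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = struct.unpack("!BB", data[i:i + 2])
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs


def build_packet(code, ident, authenticator, attrs_bytes):
    return HEADER.pack(code, ident, 20 + len(attrs_bytes)) + authenticator + attrs_bytes


def parse_packet(packet):
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = HEADER.unpack(packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    return code, ident, packet[4:20], packet[20:]


def response_authenticator(code, ident, attrs_bytes, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    head = HEADER.pack(code, ident, 20 + len(attrs_bytes))
    return hashlib.md5(head + request_auth + attrs_bytes + secret).digest()


def access_request(ident, username, password, secret, authenticator=None):
    """VPN server side: build an Access-Request; returns (packet, request authenticator)."""
    authenticator = authenticator or os.urandom(16)  # fresh random Request Authenticator
    attrs = encode_attrs([
        (ATTR_USER_NAME, username.encode()),
        (ATTR_USER_PASSWORD, hide_password(password, secret, authenticator)),
    ])
    return build_packet(ACCESS_REQUEST, ident, authenticator, attrs), authenticator


def handle_request(packet, secret, verify):
    """RADIUS server side: recover the credential, ask verify(), answer Accept or Reject."""
    code, ident, request_auth, attrs_bytes = parse_packet(packet)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    attrs = dict(decode_attrs(attrs_bytes))
    username = attrs[ATTR_USER_NAME].decode()
    password = reveal_password(attrs[ATTR_USER_PASSWORD], secret, request_auth)
    code = ACCESS_ACCEPT if verify(username, password) else ACCESS_REJECT
    auth = response_authenticator(code, ident, b"", request_auth, secret)
    return build_packet(code, ident, auth, b"")


def check_response(packet, request_auth, secret):
    """VPN server side: verify the Response Authenticator before acting on the answer."""
    code, ident, auth, attrs_bytes = parse_packet(packet)
    expected = response_authenticator(code, ident, attrs_bytes, request_auth, secret)
    if not hmac.compare_digest(auth, expected):
        raise ValueError("Response Authenticator mismatch: reply not from the RADIUS server")
    return code


USERS = {"alice": b"Passw0rd123456"}  # constructed stand-in for the check against IPA


def demo_verify(username, password):
    return hmac.compare_digest(USERS.get(username, b""), password)


def run_exchange(username, password, secret=b"testing123", authenticator=None):
    """Full round trip; returns the response code the VPN server would act on."""
    request, request_auth = access_request(7, username, password, secret, authenticator)
    reply = handle_request(request, secret, demo_verify)
    return check_response(reply, request_auth, secret)


if __name__ == "__main__":
    print("alice/good:", run_exchange("alice", b"Passw0rd123456"))  # 2 = Access-Accept
    print("alice/bad :", run_exchange("alice", b"nope"))            # 3 = Access-Reject
```

Two things the code makes visible that the steps above do not: the User-Password attribute is only obfuscated with an MD5 stream keyed by the shared secret, so the VPN-to-RADIUS leg should run over a network you trust (or RadSec/IPsec) and the secret should be long and random; and the VPN server must check the Response Authenticator, otherwise anything that can answer on UDP 1812 can hand it an Access-Accept. With a one-time token the value in User-Password is what the user typed, so replaying a captured request only works until the token value expires, which is one of the reasons OTP is attractive on this path.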