Re: [Freeipa-users] Different domain enrollment
Hello!

On 08/11/2015 01:43 PM, Alexander Bokovoy wrote:
> On Tue, 11 Aug 2015, Dewangga Bachrul Alam wrote:
>> Hello!
>> I'm having a problem with a client hostname in a different domain from the primary domain on the IPA server. For example, my primary domain is mydomain.co.id; if the client hostname uses mydomain.co.id, DNS discovery is successful. The problem comes if the client hostname uses a different domain, for example anotherdomain.com: DNS discovery fails. Is there any way to solve it? Should I enter it manually?
> Details of autodiscovery and suggestions how to configure are explained in the man page for ipa-client-install, section on DNS autodiscovery.

Thanks for your hints, but I have another question after reading the man pages. Is the best practice for registering a client to the IPA server to use --domain, or to add similar DNS records?

I've tried to create new records on anotherdomain.com (e.g. the original DNS record was _ldap._tcp.mydomain.co.id, and I created a new record for _ldap._tcp.anotherdomain.com). The new DNS records on anotherdomain.com are _ldap._tcp, _ntp._udp, _kpasswd._udp, _kpasswd._tcp, _kerberos._udp, _kerberos._tcp, _kerberos-master._udp, _kerberos-master._tcp.

anotherdomain.com $ ipa-client-install
Discovery was successful!
Hostname: spectre.anotherdomain.com
Realm: MYDOMAIN.CO.ID
DNS Domain: anotherdomain.com
IPA Server: ipa.anotherdomain.com
BaseDN: dc=merahciptamedia,dc=co,dc=id

Continue to configure the system with these values? [no]: yes
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
User authorized to enroll computers: admin
Password for ad...@merahciptamedia.co.id:
Unable to download CA cert from LDAP.
Do you want to download the CA cert from http://ipa.anotherdomain.com/ipa/config/ca.crt? (this is INSECURE) [no]:

Is it safe? Or just use the --domain parameter?
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Concerning the krb5.conf
Wow, thank you Alexander for this information!

Best regards.

Gwenael Le Barzic

On 11 August 2015 at 08:45, Alexander Bokovoy aboko...@redhat.com wrote:
> On Mon, 10 Aug 2015, bahan w wrote:
>> Hello.
>> I don't know if you received my previous mail, but thank you for your answer.
>> I have two additional questions then:
>> - Concerning the master_kdc line, is it better to put here the physical machine, or even to remove it if it is optional?
> I don't think it ever matters as it is only used for fallback reasons.
>
>> - Do you know how I can check which one of these three servers is currently used per server with this krb5.conf? I need to check how I can resynchronize the last server.
> Set KRB5_TRACE=/dev/stderr in the execution environment and all Kerberos code will start explaining what it does. For example, KRB5_TRACE=/dev/stderr kinit will show which server kinit will contact.
>
>> Best regards.
>> Bahan
>>
>> On Fri, Aug 7, 2015 at 11:05 PM, Alexander Bokovoy aboko...@redhat.com wrote:
>>> On Fri, 07 Aug 2015, bahan w wrote:
>>>> Hello!
>>>> We are using FreeIPA version 3 and we are encountering a problem in our environment. We have one master KDC and two replicas. On the different Linux servers in our environment, we have the following krb5.conf (I modified the hostnames for NDA):
>>>> ###
>>>> #File modified by ipa-client-install
>>>> includedir /var/lib/sss/pubconf/krb5.include.d/
>>>>
>>>> [libdefaults]
>>>>   default_realm = MYREALM
>>>>   dns_lookup_realm = false
>>>>   dns_lookup_kdc = false
>>>>   rdns = false
>>>>   ticket_lifetime = 24h
>>>>   forwardable = yes
>>>>
>>>> [realms]
>>>>   MYREALM = {
>>>>     kdc = host1.mydomain:88
>>>>     kdc = host2.mydomain:88
>>>>     kdc = host3.mydomain:88
>>>>     master_kdc = host2.mydomain:88
>>>>     admin_server = host2.mydomain:749
>>>>     default_domain = mydomain
>>>>     pkinit_anchors = FILE:/etc/ipa/ca.crt
>>>>   }
>>>>
>>>> [domain_realm]
>>>>   .mydomain = MYREALM
>>>>   mydomain = MYREALM
>>>>   .myrealm = MYREALM
>>>>   myrealm = MYREALM
>>>> ###
>>>> host1 is a physical machine; host2 and host3 are VMs.
>>>>
>>>> So I have some questions:
>>>> Q1 - Does it make sense to put the lines master_kdc and admin_server to host2, which is a VM, instead of host1, which is a physical machine?
>>> According to the manual page of 'krb5.conf':
>>> ---
>>> master_kdc: Identifies the master KDC(s). Currently, this tag is used in only one case: If an attempt to get credentials fails because of an invalid password, the client software will attempt to contact the master KDC, in case the user's password has just been changed, and the updated database has not been propagated to the slave servers yet.
>>> ---
>>> 'admin_kdc' is what kadmin is using, so it is irrelevant for day to day actions in IPA.
>>>
>>>> Q2 - When I try to connect to the UI of host1, I can enter my login/password and it works. When I try to connect to the UI of host2, I have an error message saying my password is incorrect. When I try to connect to the UI of host3, it works. Does it mean host1 and host3 are synchronized but host2 is not?
>>> Most likely, yes.
>>>
>>>> Q3. Do the two last lines make sense? I mean, what is the exact usage of the paragraph [domain_realm]? Does it mean: if I try to connect to a server with the domain listed in this list, then I will try to contact the realm associated?
>>> Since you disabled DNS discovery of realm based on the DNS domain, the Kerberos library will perform some logic to find out which realm corresponds to the domain. The domain_realm section helps here. The krb5.conf manual page has a clear explanation of how the section is designed to work.
>>>
>>> --
>>> / Alexander Bokovoy
>
> --
> / Alexander Bokovoy
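Bahan's Q3 asks how [domain_realm] is used. The following is an added example, not code from the thread or from MIT Kerberos: it parses a constructed krb5.conf modelled on the one quoted above and applies the lookup order the krb5.conf man page describes (exact hostname entry first, then the longest matching parent-domain entry starting with a dot, then default_realm). The realm names, hostnames and the extra legacy.mydomain entry are constructed, and includedir lines are skipped rather than followed.

```python
"""Apply the krb5.conf [domain_realm] lookup order to a hostname: exact host
entry first, then the longest matching parent domain, then default_realm."""

# Constructed sample modelled on the krb5.conf quoted in the thread.
KRB5_CONF = """
[libdefaults]
  default_realm = MYREALM
[realms]
  MYREALM = {
    kdc = host1.mydomain:88
    kdc = host2.mydomain:88
    kdc = host3.mydomain:88
    master_kdc = host2.mydomain:88
  }
[domain_realm]
  .mydomain = MYREALM
  mydomain = MYREALM
  legacy.mydomain = OLDREALM
"""

def parse_krb5_conf(text):
    """Parse the subset used above: [section] headers, key = value lines and
    REALM = { ... } blocks.  Repeated keys (kdc) become lists; a directive
    without '=' is rejected instead of being silently ignored."""
    conf, section, realm = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, realm = line[1:-1], None
            conf.setdefault(section, {})
        elif line.split()[0] in ("include", "includedir"):
            continue                          # not followed in this example
        elif line.endswith("{"):
            realm = line[:-1].strip(" =")
            conf[section][realm] = {}
        elif line == "}":
            realm = None
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            target = conf[section][realm] if realm else conf[section]
            target.setdefault(key, []).append(value)
        else:
            raise ValueError("malformed line (missing '='): %r" % line)
    return conf

def realm_for_host(conf, hostname):
    """Return (realm, matched_entry) for hostname using [domain_realm]."""
    mapping = {k.lower(): v[0] for k, v in conf.get("domain_realm", {}).items()}
    host = hostname.lower().rstrip(".")
    if host in mapping:                       # exact hostname entry wins
        return mapping[host], host
    labels = host.split(".")
    for i in range(1, len(labels)):           # parent domains, longest first
        parent = "." + ".".join(labels[i:])
        if parent in mapping:
            return mapping[parent], parent
    return conf["libdefaults"]["default_realm"][0], "default_realm"
```

Because dns_lookup_realm is false in the quoted config, this static mapping is the only realm lookup the client performs, so a host outside every listed domain silently falls back to default_realm.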
Re: [Freeipa-users] Different domain enrollment
On Tue, 11 Aug 2015, Dewangga Bachrul Alam wrote:
> Hello!
> I'm having a problem with a client hostname in a different domain from the primary domain on the IPA server. For example, my primary domain is mydomain.co.id; if the client hostname uses mydomain.co.id, DNS discovery is successful. The problem comes if the client hostname uses a different domain, for example anotherdomain.com: DNS discovery fails. Is there any way to solve it? Should I enter it manually?

Details of autodiscovery and suggestions how to configure are explained in the man page for ipa-client-install, section on DNS autodiscovery.

--
/ Alexander Bokovoy
[Freeipa-users] Problem with sudo -r
Hello,

I configured the FreeIPA server and the sudo client is OK, but now I want to deny users from launching the commands passwd and sudo -r. My configuration provides that all commands are enabled. I cannot configure specific commands because users must manage many services such as postfix, apache, mysql etc. and they must have access to different folders with different users and groups. Do you have any recommendations?

Thanks!
Re: [Freeipa-users] Different domain enrollment
On Tue, 11 Aug 2015, Dewangga Bachrul Alam wrote:
> Hello!
>
> On 08/11/2015 01:43 PM, Alexander Bokovoy wrote:
>> On Tue, 11 Aug 2015, Dewangga Bachrul Alam wrote:
>>> Hello!
>>> I'm having a problem with a client hostname in a different domain from the primary domain on the IPA server. For example, my primary domain is mydomain.co.id; if the client hostname uses mydomain.co.id, DNS discovery is successful. The problem comes if the client hostname uses a different domain, for example anotherdomain.com: DNS discovery fails. Is there any way to solve it? Should I enter it manually?
>> Details of autodiscovery and suggestions how to configure are explained in the man page for ipa-client-install, section on DNS autodiscovery.
>
> Thanks for your hints, but I have another question after reading the man pages. Is the best practice for registering a client to the IPA server to use --domain, or to add similar DNS records?

You still would need a _kerberos TXT record for runtime Kerberos realm detection unless your krb5.conf would contain a domain_realms entry for your DNS domain. Using the --domain option is, of course, easy.

> I've tried to create new records on anotherdomain.com (e.g. the original DNS record was _ldap._tcp.mydomain.co.id, and I created a new record for _ldap._tcp.anotherdomain.com). The new DNS records on anotherdomain.com are _ldap._tcp, _ntp._udp, _kpasswd._udp, _kpasswd._tcp, _kerberos._udp, _kerberos._tcp, _kerberos-master._udp, _kerberos-master._tcp.
>
> anotherdomain.com $ ipa-client-install
> Discovery was successful!
> Hostname: spectre.anotherdomain.com
> Realm: MYDOMAIN.CO.ID
> DNS Domain: anotherdomain.com
> IPA Server: ipa.anotherdomain.com
> BaseDN: dc=merahciptamedia,dc=co,dc=id
>
> Continue to configure the system with these values? [no]: yes
> Synchronizing time with KDC...
> Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
> User authorized to enroll computers: admin
> Password for ad...@merahciptamedia.co.id:
> Unable to download CA cert from LDAP.
> Do you want to download the CA cert from http://ipa.anotherdomain.com/ipa/config/ca.crt? (this is INSECURE) [no]:
>
> Is it safe? Or just use the --domain parameter?

I don't think 'Unable to download CA cert from LDAP' is connected to the problem you have, but you should be able to see what the issue was in /var/log/ipaclient-install.log.

--
/ Alexander Bokovoy
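As an added example (not FreeIPA's own discovery code), the following models the DNS-derived part of ipa-client-install autodiscovery over a constructed zone like the one Dewangga built for anotherdomain.com: the server list comes from the _ldap._tcp SRV records in priority/weight order, and the realm only from the _kerberos TXT record Alexander mentions. Domain names, hosts and ports are constructed, and real discovery can also learn the realm from the IPA server itself, which this simplification does not model.

```python
"""Simulate the DNS part of ipa-client-install autodiscovery over a
constructed zone: servers from _ldap._tcp SRV records (priority, then
weight order) and the realm from the _kerberos TXT record."""

# SRV names ipa-client-install looks up (the list from the thread).
SRV_NAMES = ["_ldap._tcp", "_kerberos._udp", "_kerberos._tcp",
             "_kerberos-master._udp", "_kerberos-master._tcp",
             "_kpasswd._udp", "_kpasswd._tcp", "_ntp._udp"]

def srv_port(name):
    """Default port for each service; assumed values for the sample zone."""
    if name.startswith("_ldap"):
        return 389
    if name.startswith("_ntp"):
        return 123
    return 464 if name.startswith("_kpasswd") else 88

def make_zone(domain, servers, realm=None):
    """Constructed zone: SRV records for every name in SRV_NAMES pointing
    at 'servers' [(priority, weight, host)], plus an optional _kerberos
    TXT record carrying the realm.  Values mimic resolver answers."""
    zone = {}
    for name in SRV_NAMES:
        zone[f"{name}.{domain}"] = [(p, w, srv_port(name), h) for p, w, h in servers]
    if realm:
        zone[f"_kerberos.{domain}"] = [realm]
    return zone

def discover(zone, domain):
    """Return what DNS discovery derives for 'domain' and what is missing."""
    missing = [n for n in SRV_NAMES if f"{n}.{domain}" not in zone]
    ldap = zone.get(f"_ldap._tcp.{domain}", [])
    ordered = sorted(ldap, key=lambda r: (r[0], -r[1]))  # RFC 2782 ordering
    txt = zone.get(f"_kerberos.{domain}")
    result = {"domain": domain, "servers": [r[3] for r in ordered],
              "realm": txt[0] if txt else None, "missing_srv": missing}
    if result["realm"] is None:
        # The case in the thread: SRV records copied, TXT record absent.
        result["advice"] = ("no _kerberos TXT record: pass --domain/--realm to "
                            "ipa-client-install or map the domain in [domain_realm]")
    return result

if __name__ == "__main__":
    zone = make_zone("anotherdomain.com", [(0, 100, "ipa.anotherdomain.com")])
    print(discover(zone, "anotherdomain.com"))
```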
Re: [Freeipa-users] Problem with sudo -r
On Tue, Aug 11, 2015 at 01:08:31PM +0200, Roberto Lucarelli wrote:
> Hello, I configured the FreeIPA server and the sudo client is OK, but now I want to deny users from launching the commands passwd and sudo -r. My configuration provides that all commands are enabled. I cannot configure specific commands because users must manage many services such as postfix, apache, mysql etc. and they must have access to different folders with different users and groups. Do you have any recommendations?

I'm not sure this is possible with the ipa CLI. Also keep in mind that allowing specific commands is generally preferable. Denying specific commands and allowing the rest calls for trouble IMO..
Re: [Freeipa-users] IDM/ipa slow login
On Tue, Aug 11, 2015 at 10:37:16AM +0200, seli irithyl wrote:
> Hi,
> I inherited a server (the guy that built it left) running CentOS 7 and Identity Management (Kerberos, 389DS, ...) with NFS. Everything concerning login (with network accounts) is very slow (several seconds). I already solved a lot of problems on this server (DNS, NTP, firewall, ...), but I am neither a sysadmin nor a Linux guru and I don't know where and what to look for. Kerberos? 389DS? NFS? SELinux? sssd? ...

Can you define slow better? Can you estimate how big your environment is?

I would start by comparing the time it takes to search the entry in LDAP or kinit with login through GDM or SSH. Then, if the times differ, look into SSSD. Some pointers are here:
https://fedorahosted.org/sssd/wiki/Troubleshooting
[Freeipa-users] Error while Enrolling Client
Hi Team,

While registering to the IPA Server we are getting the below error. Any suggestion please.

[root@client ~]# ipa-client-install --mkhomedir --no-ntp
Discovery was successful!
Hostname: client.domain.int
Realm: domain.INT
DNS Domain: domain.int
IPA Server: ldap.domain.int
BaseDN: dc=domain,dc=int

Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admin
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
Password for ad...@domain.int:
Enrolled in IPA realm domain.INT
Attempting to get host TGT...
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm domain.INT
trying https://ldap.domain.int/ipa/xml
Forwarding 'env' to server u'https://ldap.domain.int/ipa/xml'
Traceback (most recent call last):
  File "/usr/sbin/ipa-client-install", line 2567, in <module>
    sys.exit(main())
  File "/usr/sbin/ipa-client-install", line 2553, in main
    rval = install(options, env, fstore, statestore)
  File "/usr/sbin/ipa-client-install", line 2346, in install
    remote_env = api.Command['env'](server=True)['result']
  File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 438, in __call__
    ret = self.run(*args, **options)
  File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 1076, in run
    return self.forward(*args, **options)
  File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 772, in forward
    return self.Backend.xmlclient.forward(self.name, *args, **kw)
  File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 731, in forward
    raise error(message=e.faultString)
ipalib.errors.ACIError: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Ticket not yet valid)

Best Regards,
Yogesh Sharma
Email: yks0...@gmail.com | Web: www.initd.in
RHCE, VCE-CIA, RACKSPACE CLOUD U Certified
https://www.fb.com/yks | http://in.linkedin.com/in/yks | https://twitter.com/checkwithyogesh | http://google.com/+YogeshSharmaOnGooglePlus
Re: [Freeipa-users] Error while Enrolling Client
Yes Jakub, that was the issue. We have fixed it and updated the list. Thanks Jakub.

Would like to have one suggestion. We have implemented sudo, but every time we need to restart sssd to take the changes. We have tried implementing the cache timeout also, but it is not working as expected. Any other config changes required?

Best Regards,
Yogesh Sharma
Email: yks0...@gmail.com | Web: www.initd.in
RHCE, VCE-CIA, RACKSPACE CLOUD U Certified

On Tue, Aug 11, 2015 at 9:21 PM, Jakub Hrozek jhro...@redhat.com wrote:
> On Tue, Aug 11, 2015 at 08:43:49PM +0530, Yogesh Sharma wrote:
>> Hi Team,
>> While registering to the IPA Server we are getting the below error. Any suggestion please.
>>
>> [root@client ~]# ipa-client-install --mkhomedir --no-ntp
>> Discovery was successful!
>> Hostname: client.domain.int
>> Realm: domain.INT
>> DNS Domain: domain.int
>> IPA Server: ldap.domain.int
>> BaseDN: dc=domain,dc=int
>>
>> Continue to configure the system with these values? [no]: yes
>> User authorized to enroll computers: admin
>> Synchronizing time with KDC...
>> Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
>> Password for ad...@domain.int:
>> Enrolled in IPA realm domain.INT
>> Attempting to get host TGT...
>> Created /etc/ipa/default.conf
>> New SSSD config will be created
>> Configured sudoers in /etc/nsswitch.conf
>> Configured /etc/sssd/sssd.conf
>> Configured /etc/krb5.conf for IPA realm domain.INT
>> trying https://ldap.domain.int/ipa/xml
>> Forwarding 'env' to server u'https://ldap.domain.int/ipa/xml'
>> Traceback (most recent call last):
>>   File "/usr/sbin/ipa-client-install", line 2567, in <module>
>>     sys.exit(main())
>>   File "/usr/sbin/ipa-client-install", line 2553, in main
>>     rval = install(options, env, fstore, statestore)
>>   File "/usr/sbin/ipa-client-install", line 2346, in install
>>     remote_env = api.Command['env'](server=True)['result']
>>   File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 438, in __call__
>>     ret = self.run(*args, **options)
>>   File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 1076, in run
>>     return self.forward(*args, **options)
>>   File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 772, in forward
>>     return self.Backend.xmlclient.forward(self.name, *args, **kw)
>>   File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 731, in forward
>>     raise error(message=e.faultString)
>> ipalib.errors.ACIError: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Ticket not yet valid)
>
> Check the time on your machines..
Re: [Freeipa-users] Error while Enrolling Client
On Tue, Aug 11, 2015 at 09:29:46PM +0530, Yogesh Sharma wrote:
> Yes Jakub, that was the issue. We have fixed it and updated the list. Thanks Jakub.
>
> Would like to have one suggestion. We have implemented sudo, but every time we need to restart sssd to take the changes. We have tried implementing the cache timeout also, but it is not working as expected. Any other config changes required?

No, this is not expected. Can you get logs after you've added the sudo rule but before the client is restarted in order to capture the issue? It would be best to add debug_level=7 to the sudo, nss and domain sections.
[Freeipa-users] Kerberized NFS with Synology NAS
Hi,

I am trying to use a Synology NAS station in my FreeIPA domain to host automounted home directories (not created automatically for now). I got almost everything working, but I seem to have a problem with kerberized NFS. The NAS logs in to the LDAP domain and seems happy with the Kerberos principal that I uploaded.

* If I use plain nfs4 without krb5 - /etc/exports -
  /volume1/shared_homes 192.168.0.0/24(rw,async,no_wdelay,all_squash,insecure_locks,sec=sys,anonuid=1025,anongid=100)
  then I can mount it and use it (it even works with automount). But only using all_squash. Not useful.

* If I use krb5 - /etc/exports -
  /volume1/shared_homes 192.168.0.0/24(rw,async,no_wdelay,no_root_squash,insecure_locks,sec=krb5,anonuid=1025,anongid=100)
  then I can kinit with an LDAP user and mount it with sec=krb5, but I get nobody as file owner.

This is done from a FC22 client, perfectly enrolled in FreeIPA. The client's log contains several errors such as:
gssproxy[807]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, No credentials cache found

Any tip to help me understand what the problem is?

Roberto