Re: [Freeipa-users] krb5 and nfsv4 not working right

2016-11-15 Thread Bjarne Blichfeldt
Try inserting this in /etc/gssproxy/gssproxy.conf:
cred_store = ccache:FILE:/tmp/krb5cc_%U  


/etc/gssproxy/gssproxy.conf:
[service/nfs-client]
  mechs = krb5
  cred_store = keytab:/etc/krb5.keytab
  cred_store = ccache:FILE:/tmp/krb5cc_%U  
  cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_%U
  cred_store = client_keytab:/var/lib/gssproxy/clients/%U.keytab
  cred_usage = initiate
  allow_any_uid = yes
  trusted = yes
  euid = 0


Regards,
Bjarne Blichfeldt


-Original Message-
From: Tony Brian Albers [mailto:t...@statsbiblioteket.dk] 
Sent: 15. november 2016 13:18
To: freeipa-users@redhat.com
Subject: [Freeipa-users] krb5 and nfsv4 not working right

Hi guys,

I've followed every guide I can find on this subject. What I'm trying to do is to 
get our home directories, which are shared via NFS from the FreeIPA server, 
mounted via autofs on the clients.

The client is kact-man-001 and the FreeIPA server is kact-adm-001

/etc/exports:


I've done the ipa-client-install and the ipa-client-automount

However, when I log in, my homedir is mounted as expected but what I get in the 
messages log is:

Nov 15 12:52:25 kact-man-001 gssproxy: gssproxy[770]: (OID: { 1 2 840
113554 1 2 2 }) Unspecified GSS failure.  Minor code may provide more 
information, No credentials cache found

A lot!

/etc/krb5.conf is default from the FreeIPA installation:

   default_ccache_name = KEYRING:persistent:%{uid}


The autofs setup looks like this:

-

[root@kact-adm-001 log]# ipa automountmap-find
Location: default

3 automount maps matched

   Map: auto.direct

   Map: auto.home

   Map: auto.master

Number of entries returned 3

[root@kact-adm-001 log]#



[root@kact-adm-001 log]# ipa automountkey-find
Location: default
Map: auto.home
---
1 automount key matched
---
   Key: *
   Mount information: -fstype=nfs4,rw,sec=krb5,rsize=8192,wsize=8192
kact-adm-001.kact.sblokalnet:/data/home/&

Number of entries returned 1

[root@kact-adm-001 log]#

-

Now, the BAD thing is, trying to copy a large file to the automounted dir on 
the client just hangs:

[tba@pc588 images]$ scp NAS4Free-x64-LiveUSB-10.3.0.3.2987.img.gz
tba...@kact-man-001.kact.sblokalnet:.
tba...@kact-man-001.kact.sblokalnet's password:
NAS4Free-x64-LiveUSB-10.3.0.3.2987.img.gz 
100%  281MB  93.6MB/s
00:03
[hangs]

And my logged in session on the client hangs if I try to do ls in my
homedir:
[tba@pc588 ~]$ ssh tba...@kact-man-001.kact.sblokalnet
tba...@kact-man-001.kact.sblokalnet's password:
Last login: Tue Nov 15 13:07:12 2016 from pc588.sb.statsbiblioteket.dk
-sh-4.2$
-sh-4.2$
-sh-4.2$ pwd
/home/tba-sb
-sh-4.2$ hostname
kact-man-001
-sh-4.2$
-sh-4.2$ ls
[hangs]


And I see a huge amount of the GSS failures in the messages file on the 
client.


Any suggestions?

TIA




-- 
Best regards,

Tony Albers
Systems administrator, IT-development
State and University Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark.
Tel: +45 2566 2383 / +45 8946 2316



-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
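As an added diagnostic (example code, not from Bjarne's reply or Tony's post), a small Python check that reads the gssproxy.conf above and the krb5.conf line from the original post and reports whether the ccache type handed to user processes is among the ccache locations gssproxy's nfs-client service searches. The config strings are constructed from the thread; the realm EXAMPLE.TEST is a placeholder.

```python
"""Added diagnostic: compare the ccache type krb5.conf gives user processes
with the ccache locations gssproxy's nfs-client service is told to read."""

# Constructed sample inputs: the gssproxy.conf posted in the thread and the
# single relevant krb5.conf line quoted in the original post (realm is a
# placeholder, not from the thread).
GSSPROXY_CONF = """\
[service/nfs-client]
  mechs = krb5
  cred_store = keytab:/etc/krb5.keytab
  cred_store = ccache:FILE:/tmp/krb5cc_%U
  cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_%U
  cred_store = client_keytab:/var/lib/gssproxy/clients/%U.keytab
  cred_usage = initiate
  allow_any_uid = yes
  trusted = yes
  euid = 0
"""

KRB5_CONF = """\
[libdefaults]
  default_realm = EXAMPLE.TEST
  default_ccache_name = KEYRING:persistent:%{uid}
"""


def parse_sections(text):
    """Parse an INI-like file into {section: [(key, value), ...]}.

    configparser is deliberately not used: gssproxy repeats the cred_store
    key inside one section, and configparser would keep only the last value.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current].append((key.strip(), value.strip()))
    return sections


def gssproxy_ccache_types(text, service="service/nfs-client"):
    """Return the set of ccache types (FILE, KEYRING, ...) gssproxy will search."""
    types = set()
    for key, value in parse_sections(text).get(service, []):
        if key != "cred_store" or not value.startswith("ccache:"):
            continue
        spec = value[len("ccache:"):]
        # A spec without a TYPE: prefix is a bare path; krb5 treats that as FILE.
        ctype, sep, _ = spec.partition(":")
        types.add(ctype.upper() if sep else "FILE")
    return types


def krb5_default_ccache_type(text):
    """Return the type part of default_ccache_name, or FILE when it is unset."""
    for key, value in parse_sections(text).get("libdefaults", []):
        if key == "default_ccache_name":
            ctype, sep, _ = value.partition(":")
            return ctype.upper() if sep else "FILE"
    return "FILE"


def ccache_mismatch(gssproxy_text, krb5_text):
    """True when the users' default ccache type is not among the ccache
    locations gssproxy searches for the nfs-client service."""
    return krb5_default_ccache_type(krb5_text) not in gssproxy_ccache_types(gssproxy_text)


if __name__ == "__main__":
    print("gssproxy searches:", sorted(gssproxy_ccache_types(GSSPROXY_CONF)))
    print("krb5 default type:", krb5_default_ccache_type(KRB5_CONF))
    print("mismatch:", ccache_mismatch(GSSPROXY_CONF, KRB5_CONF))
```

The check only reports that the two settings name different ccache types; whether gssproxy on a given build can read the users' ccache type directly is a separate question that the thread does not settle.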


Re: [Freeipa-users] anyone else getting porn spam pretending to be replies to freeipa-users threads?

2016-11-15 Thread Troels Hansen


- On Nov 15, 2016, at 5:32 PM, Chris Dagdigian d...@sonsorol.org wrote:

> Got a porn spam today that had a subject header of:
> 
>> Re: [Freeipa-users] URL is changing on the browser
> 
> Have to admit that got through my spam filter and got me to open the email.
> 
> It's clear that it was not a list message; looks like something may be
> mining the public list archives to pull email addresses and plausible
> sounding subject lines.
> 
> Mildly interested if anyone else got an email like this?
> 

Yep, received one such as well.
The subject looks like it's a reply to the message you just sent.



Re: [Freeipa-users] anyone else getting porn spam pretending to be replies to freeipa-users threads?

2016-11-15 Thread Tony Brian Albers
Hehe, just you wait Lachlan ;)

/tony

On 11/16/2016 01:56 AM, Lachlan Musicman wrote:
> Gah, just happened to me. Wasn't porn, but was someone called Kimi and
> the only content was "Heeey Lachlan, how's it going?"
>
> L.
>
> --
> The most dangerous phrase in the language is, "We've always done it this
> way."
>
> - Grace Hopper
>
> On 16 November 2016 at 04:02, Martin Basti  > wrote:
>
>
>
> On 15.11.2016 17:32, Chris Dagdigian wrote:
>
>
>
> Got a porn spam today that had a subject header of:
>
> Re: [Freeipa-users] URL is changing on the browser
>
>
> Have to admit that got through my spam filter and got me to open
> the email.
>
> It's clear that it was not a list message; looks like something
> may be mining the public list archives to pull email addresses
> and plausible sounding subject lines.
>
> Mildly interested if anyone else got an email like this?
>
> -Chris
>
>
>  We are receiving those emails as well (different subjects, domains,
> but the same content)
>
>
>
>
>
>

-- 
Best regards,

Tony Albers
Systems administrator, IT-development
State and University Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark.
Tel: +45 2566 2383 / +45 8946 2316



[Freeipa-users] Rhel 7 client enroll to Rhel 6 IPA server

2016-11-15 Thread Sean Hogan


Hello,


   I am starting to see some issues with a few RHEL7 boxes I have been
enrolling to my RHEL 6 IPA server regarding encryption.


RHEL 7 client
Red Hat Enterprise Linux Server release 7.1 (Maipo)
sssd-ipa-1.12.2-58.el7_1.18.x86_64
ipa-client-4.1.0-18.el7_1.4.x86_64

RHEL 6 Server
Red Hat Enterprise Linux Server release 6.8 (Santiago)
sssd-ipa-1.13.3-22.el6_8.4.x86_64
ipa-server-3.0.0-50.el6.1.x86_64


The RHEL 7 client shows this in messages

Nov 15 21:13:02 server1 [sssd[ldap_child[26640]]]: Program lacks support
for encryption type
Nov 15 18:08:51 server1 [sssd[ldap_child[7774]]]: Failed to initialize
credentials using keytab [MEMORY:/etc/krb5.keytab]: Decrypt integrity check
failed. Unable to create GSSAPI-encrypted LDAP connection.

I am also not seeing host certs for them on the ipa server but I do see
them on the local box.

[root@server1 pam.d]# ktutil
ktutil:  rkt /etc/krb5.keytab
ktutil:  l
slot KVNO Principal
---- ---- ---------------------------------
   1    1 host/server1.ipa.local@IPA.LOCAL
   2    1 host/server1.ipa.local@IPA.LOCAL
   3    1 host/server1.ipa.local@IPA.LOCAL
   4    1 host/server1.ipa.local@IPA.LOCAL
ktutil:


I have one RHEL 7 box with no issues as it was just enrolled (missing host
certs in IPA though) and I compared an IPA ID login with a box that is not
working.
Work
type=USER_AUTH msg=audit(1479259242.032:23532): pid=25040 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023
msg='op=PAM:authentication grantors=? acct="janedoe" exe="/usr/sbin/sshd"
hostname=10.10.10.10 addr=10.10.10.10 terminal=ssh res=failed'

vs

Works
type=USER_ACCT msg=audit(1479259478.378:709): pid=4721 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023
msg='op=PAM:accounting grantors=pam_unix,pam_sss,pam_permit acct="janedoe"
exe="/usr/sbin/sshd" hostname=10.10.10.10 addr=10.10.10.10 terminal=ssh
res=success'

It's almost as if the pam files are not being read?



Sean Hogan







Re: [Freeipa-users] anyone else getting porn spam pretending to be replies to freeipa-users threads?

2016-11-15 Thread Lachlan Musicman
Gah, just happened to me. Wasn't porn, but was someone called Kimi and the
only content was "Heeey Lachlan, how's it going?"

L.

--
The most dangerous phrase in the language is, "We've always done it this
way."

- Grace Hopper

On 16 November 2016 at 04:02, Martin Basti  wrote:

>
>
> On 15.11.2016 17:32, Chris Dagdigian wrote:
>
>>
>>
>> Got a porn spam today that had a subject header of:
>>
>> Re: [Freeipa-users] URL is changing on the browser
>>>
>>
>> Have to admit that got through my spam filter and got me to open the
>> email.
>>
>> It's clear that it was not a list message; looks like something may be
>> mining the public list archives to pull email addresses and plausible
>> sounding subject lines.
>>
>> Mildly interested if anyone else got an email like this?
>>
>> -Chris
>>
>>
>>  We are receiving those emails as well (different subjects, domains, but
> the same content)
>
>

[Freeipa-users] Shadow Utils appears in sssd.conf

2016-11-15 Thread Lachlan Musicman
I don't know what I've done wrong, but when I use ipa-client-install on a
new host to add to my one way trust domain, I now have a
[domain/shadowutils] stanza.

This first happened a couple of weeks ago, I saw this bug and thought "it
will be solved soon".

https://bugzilla.redhat.com/show_bug.cgi?id=1369118

The report says it's been resolved in a recent advisory but I'm still
seeing the error.

Is it because I'm using sssd 1.14.2-1 from COPR instead of the centrally
supplied sssd?

cheers
L.


--
The most dangerous phrase in the language is, "We've always done it this
way."

- Grace Hopper

Re: [Freeipa-users] anyone else getting porn spam pretending to be replies to freeipa-users threads?

2016-11-15 Thread Martin Basti



On 15.11.2016 17:32, Chris Dagdigian wrote:



Got a porn spam today that had a subject header of:


Re: [Freeipa-users] URL is changing on the browser


Have to admit that got through my spam filter and got me to open the 
email.


It's clear that it was not a list message; looks like something may be 
mining the public list archives to pull email addresses and plausible 
sounding subject lines.


Mildly interested if anyone else got an email like this?

-Chris


 We are receiving those emails as well (different subjects, domains, 
but the same content)




[Freeipa-users] anyone else getting porn spam pretending to be replies to freeipa-users threads?

2016-11-15 Thread Chris Dagdigian



Got a porn spam today that had a subject header of:


Re: [Freeipa-users] URL is changing on the browser


Have to admit that got through my spam filter and got me to open the email.

It's clear that it was not a list message; looks like something may be 
mining the public list archives to pull email addresses and plausible 
sounding subject lines.


Mildly interested if anyone else got an email like this?

-Chris




Re: [Freeipa-users] Wrong timestamp on ipaclient-install.log file and authentication problem

2016-11-15 Thread Martin Babinsky

On 11/15/2016 03:45 PM, Tamer Ataol wrote:

Hi,

I am trying to make ipa-client-install work on Ubuntu 14.04.5.
Everything works except it doesn't get ldap users from IPA Master. I dug
into the issue a little bit and found out that ipaclient-install.log under
the /var/log/ directory uses the wrong timestamp. Ubuntu's date is correct; it
is set to Istanbul time. But in the log file UTC is used, 3 hours behind
the server's time. I am thinking this issue is the cause of not getting
the ldap users from the FreeIPA Master. The IPA client cannot synchronize
with the master because it uses UTC. I couldn't find any other issue.

What can make the FreeIPA Client use a different time than the server's?
Java and Python give Istanbul time on the server, so they are correct.
Also I restarted rsyslogd. Nothing changed.

Another thing I want to mention is that I installed Ubuntu from the netboot
image and installed ubuntu-desktop, freeipa-client and ssh on top of
that. And Ubuntu is set to Turkish. Strangely, when I install Ubuntu from
the Live CD in English this issue never happens and the FreeIPA Client works
perfectly. But I need to use netboot and Turkish as I need to install
many computers for Turkish users.

Thanks.





IIRC the IPA logs always have UTC timestamps because it makes debugging 
issues across different timezones easier. Also the timestamp format used 
in the logging module should not influence the client function.


If you suspect that timesync is an issue you need to compare the client 
and server time directly, not based on logs. If your master has NTP 
running and is configured as an NTP server (that should always be the case 
unless you gave the '--no-ntp' option during master install), the client 
will use it as a source of time.


I would inspect ipaclient-install logs for errors and also look into 
https://fedorahosted.org/sssd/wiki/Troubleshooting because user lookup 
on the client is mainly done by sssd unless configured otherwise.


--
Martin^3 Babinsky



Re: [Freeipa-users] ipa-server-install & certificates

2016-11-15 Thread Leo Baltus
Op 15/11/2016 om 15:57:59 +0100, schreef Tomas Krizek:
> On 11/15/2016 01:47 PM, Leo Baltus wrote:
> > Hi,
> > 
> > (first time user, first post on this ML)
> > 
> > I am setting up ipa-server on a fresh CentOS-7 system.
> > 
> > After running:
> > 
> > /usr/sbin/ipa-server-install -U --realm XXXY.NL --domain xxxy.nl \
> > --admin-password foobarxy --ds-password foobarxy \
> > --idstart 5000 \
> > --no-ntp
> > 
> > Connecting my Chrome browser to this machine results in a 'Your
> > connection is not private' errorpage. And no option to go the
> > insecure way.
> > 
> > Now I have my own CA, created a certificate keypair with it and I would
> > like to import this keypair together with my CA to add trust.
> > 
> > Following 
> > http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
> > 
> > ipa-cacert-manage -p foobarxy -n NICKNAME -t C,, install myca.crt
> > ipa-certupdate
> > ipa-server-certinstall -w -d mysite.key mysite.crt
> > 
> > after running ipa-certupdate again I get:
> > 
> > trying https://lab-k1.xxxy.nl/ipa/json
> > Forwarding 'ca_is_enabled' to json server 
> > 'https://lab-k1.xxxy.nl/ipa/json'
> > cert validation failed for "CN=Object Signing Cert,O=XXXY.NL" 
> > ((SEC_ERROR_INADEQUATE_KEY_USAGE) Certificate key usage inadequate for 
> > attempted operation.)
> > 
> > On other attempts I get a timeout on ipa-certupdate:
> > Resubmitting certmonger request '20161115122715' timed out, please check 
> > the request manually
> > 
> > Any idea what is going on? Am I using the right docs?
> > 
> > versions:
> > ipa-server-4.2.0-15.0.1.el7.centos.19.x86_64
> > krb5-libs-1.13.2-12.el7_2.x86_64
> > krb5-pkinit-1.13.2-12.el7_2.x86_64
> > krb5-server-1.13.2-12.el7_2.x86_64
> > krb5-workstation-1.13.2-12.el7_2.x86_64
> > libsss_nss_idmap-1.13.0-40.el7_2.12.x86_64
> > mod_nss-1.0.11-6.el7.x86_64
> > nss-3.21.0-9.el7_2.x86_64
> > nss-softokn-3.16.2.3-14.2.el7_2.x86_64
> > nss-softokn-freebl-3.16.2.3-14.2.el7_2.x86_64
> > nss-sysinit-3.21.0-9.el7_2.x86_64
> > nss-tools-3.21.0-9.el7_2.x86_64
> > nss-util-3.21.0-2.2.el7_2.x86_64
> > nss_compat_ossl-0.9.6-8.el7.x86_64
> > openssl-1.0.1e-51.el7_2.7.x86_64
> > openssl-libs-1.0.1e-51.el7_2.7.x86_64
> > pam_krb5-2.4.8-4.el7.x86_64
> > pki-base-10.2.5-10.el7_2.noarch
> > pki-ca-10.2.5-10.el7_2.noarch
> > pki-kra-10.2.5-10.el7_2.noarch
> > pki-server-10.2.5-10.el7_2.noarch
> > pki-tools-10.2.5-10.el7_2.x86_64
> > python-nss-0.16.0-3.el7.x86_64
> > sssd-krb5-1.13.0-40.el7_2.12.x86_64
> > sssd-krb5-common-1.13.0-40.el7_2.12.x86_64
> > 
> Hi,
> 
> can you check if your certificate can be used for an SSL server? You can use
> the following command
> 
> openssl x509 -purpose -in mysite.crt
> 

Certificate purposes:
SSL client : Yes
SSL client CA : No
SSL server : Yes
SSL server CA : No


-- 
Leo Baltus, internetbeheerder
NPO ICT Internet Services
Bart de Graaffweg 2, 1217 ZL Hilversum
serviced...@omroep.nl, 035-6773555



Re: [Freeipa-users] ipa-server-install & certificates

2016-11-15 Thread Tomas Krizek

On 11/15/2016 01:47 PM, Leo Baltus wrote:

Hi,

(first time user, first post on this ML)

I am setting up ipa-server on a fresh CentOS-7 system.

After running:

/usr/sbin/ipa-server-install -U --realm XXXY.NL --domain xxxy.nl \
--admin-password foobarxy --ds-password foobarxy \
--idstart 5000 \
--no-ntp

Connecting my Chrome browser to this machine results in a 'Your
connection is not private' errorpage. And no option to go the
insecure way.

Now I have my own CA, created a certificate keypair with it and I would
like to import this keypair together with my CA to add trust.

Following http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP

ipa-cacert-manage -p foobarxy -n NICKNAME -t C,, install myca.crt
ipa-certupdate
ipa-server-certinstall -w -d mysite.key mysite.crt

after running ipa-certupdate again I get:

trying https://lab-k1.xxxy.nl/ipa/json
Forwarding 'ca_is_enabled' to json server 'https://lab-k1.xxxy.nl/ipa/json'
cert validation failed for "CN=Object Signing Cert,O=XXXY.NL" 
((SEC_ERROR_INADEQUATE_KEY_USAGE) Certificate key usage inadequate for attempted 
operation.)

On other attempts I get a timeout on ipa-certupdate:
Resubmitting certmonger request '20161115122715' timed out, please check the 
request manually

Any idea what is going on? Am I using the right docs?

versions:
ipa-server-4.2.0-15.0.1.el7.centos.19.x86_64
krb5-libs-1.13.2-12.el7_2.x86_64
krb5-pkinit-1.13.2-12.el7_2.x86_64
krb5-server-1.13.2-12.el7_2.x86_64
krb5-workstation-1.13.2-12.el7_2.x86_64
libsss_nss_idmap-1.13.0-40.el7_2.12.x86_64
mod_nss-1.0.11-6.el7.x86_64
nss-3.21.0-9.el7_2.x86_64
nss-softokn-3.16.2.3-14.2.el7_2.x86_64
nss-softokn-freebl-3.16.2.3-14.2.el7_2.x86_64
nss-sysinit-3.21.0-9.el7_2.x86_64
nss-tools-3.21.0-9.el7_2.x86_64
nss-util-3.21.0-2.2.el7_2.x86_64
nss_compat_ossl-0.9.6-8.el7.x86_64
openssl-1.0.1e-51.el7_2.7.x86_64
openssl-libs-1.0.1e-51.el7_2.7.x86_64
pam_krb5-2.4.8-4.el7.x86_64
pki-base-10.2.5-10.el7_2.noarch
pki-ca-10.2.5-10.el7_2.noarch
pki-kra-10.2.5-10.el7_2.noarch
pki-server-10.2.5-10.el7_2.noarch
pki-tools-10.2.5-10.el7_2.x86_64
python-nss-0.16.0-3.el7.x86_64
sssd-krb5-1.13.0-40.el7_2.12.x86_64
sssd-krb5-common-1.13.0-40.el7_2.12.x86_64


Hi,

can you check if your certificate can be used for an SSL server? You can 
use the following command


openssl x509 -purpose -in mysite.crt

--
Tomas Krizek



[Freeipa-users] Wrong timestamp on ipaclient-install.log file and authentication problem

2016-11-15 Thread Tamer Ataol
Hi,

I am trying to make ipa-client-install work on Ubuntu 14.04.5. Everything
works except it doesn't get ldap users from IPA Master. I dug into the issue a
little bit and found out that ipaclient-install.log under the /var/log/
directory uses the wrong timestamp. Ubuntu's date is correct; it is set to
Istanbul time. But in the log file UTC is used, 3 hours behind the server's
time. I am thinking this issue is the cause of not getting the ldap users
from the FreeIPA Master. The IPA client cannot synchronize with the master
because it uses UTC. I couldn't find any other issue.

What can make the FreeIPA Client use a different time than the server's? Java
and Python give Istanbul time on the server, so they are correct. Also I
restarted rsyslogd. Nothing changed.

Another thing I want to mention is that I installed Ubuntu from the netboot
image and installed ubuntu-desktop, freeipa-client and ssh on top of that.
And Ubuntu is set to Turkish. Strangely, when I install Ubuntu from the Live CD
in English this issue never happens and the FreeIPA Client works perfectly. But
I need to use netboot and Turkish as I need to install many computers for
Turkish users.

Thanks.

Re: [Freeipa-users] Differences between "ipa-replica-manage connect --winsync..." and ipa-adtrust-install ... ipa trust-add...

2016-11-15 Thread Martin Basti



On 15.11.2016 15:33, James Harrison wrote:

Hello,
Are there any differences between establishing a Replication Agreement 
using "ipa-replica-manage connect --winsync"  and establishing an AD 
Trust Relationship using the commands ipa-adtrust-install ...  ipa 
trust-add ...


Are they used together or are they different methods to accomplish the 
same goal: to get AD user accounts? Which one is preferred?


Best regards,
James Harrison




Hello, you may find answers here
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/introduction.html

AD Trust method is preferred

Martin

[Freeipa-users] Differences between "ipa-replica-manage connect --winsync..." and ipa-adtrust-install ... ipa trust-add...

2016-11-15 Thread James Harrison
Hello,

Are there any differences between establishing a Replication Agreement 
using "ipa-replica-manage connect --winsync" and establishing an AD Trust 
Relationship using the commands ipa-adtrust-install ... ipa trust-add ...

Are they used together or are they different methods to accomplish the same 
goal: to get AD user accounts? Which one is preferred?

Best regards,
James Harrison

[Freeipa-users] State of External Users feature

2016-11-15 Thread Christoph Hösler
The documentation about "External Users in FreeIPA" (
http://www.freeipa.org/page/External_Users_in_IPA) has not been updated for
quite some time. What is the current state of this feature? Is it still on
the roadmap?

Best regards, Christoph

[Freeipa-users] ipa-server-install & certificates

2016-11-15 Thread Leo Baltus
Hi,

(first time user, first post on this ML)

I am setting up ipa-server on a fresh CentOS-7 system.

After running:

/usr/sbin/ipa-server-install -U --realm XXXY.NL --domain xxxy.nl \
   --admin-password foobarxy --ds-password foobarxy \
   --idstart 5000 \
   --no-ntp

Connecting my Chrome browser to this machine results in a 'Your
connection is not private' errorpage. And no option to go the
insecure way.

Now I have my own CA, created a certificate keypair with it and I would
like to import this keypair together with my CA to add trust.

Following http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP

ipa-cacert-manage -p foobarxy -n NICKNAME -t C,, install myca.crt
ipa-certupdate
ipa-server-certinstall -w -d mysite.key mysite.crt

after running ipa-certupdate again I get:

trying https://lab-k1.xxxy.nl/ipa/json
Forwarding 'ca_is_enabled' to json server 'https://lab-k1.xxxy.nl/ipa/json'
cert validation failed for "CN=Object Signing Cert,O=XXXY.NL" 
((SEC_ERROR_INADEQUATE_KEY_USAGE) Certificate key usage inadequate for 
attempted operation.)

On other attempts I get a timeout on ipa-certupdate:
Resubmitting certmonger request '20161115122715' timed out, please check the 
request manually

Any idea what is going on? Am I using the right docs?

versions:
ipa-server-4.2.0-15.0.1.el7.centos.19.x86_64
krb5-libs-1.13.2-12.el7_2.x86_64
krb5-pkinit-1.13.2-12.el7_2.x86_64
krb5-server-1.13.2-12.el7_2.x86_64
krb5-workstation-1.13.2-12.el7_2.x86_64
libsss_nss_idmap-1.13.0-40.el7_2.12.x86_64
mod_nss-1.0.11-6.el7.x86_64
nss-3.21.0-9.el7_2.x86_64
nss-softokn-3.16.2.3-14.2.el7_2.x86_64
nss-softokn-freebl-3.16.2.3-14.2.el7_2.x86_64
nss-sysinit-3.21.0-9.el7_2.x86_64
nss-tools-3.21.0-9.el7_2.x86_64
nss-util-3.21.0-2.2.el7_2.x86_64
nss_compat_ossl-0.9.6-8.el7.x86_64
openssl-1.0.1e-51.el7_2.7.x86_64
openssl-libs-1.0.1e-51.el7_2.7.x86_64
pam_krb5-2.4.8-4.el7.x86_64
pki-base-10.2.5-10.el7_2.noarch
pki-ca-10.2.5-10.el7_2.noarch
pki-kra-10.2.5-10.el7_2.noarch
pki-server-10.2.5-10.el7_2.noarch
pki-tools-10.2.5-10.el7_2.x86_64
python-nss-0.16.0-3.el7.x86_64
sssd-krb5-1.13.0-40.el7_2.12.x86_64
sssd-krb5-common-1.13.0-40.el7_2.12.x86_64

-- 
Leo Baltus



[Freeipa-users] krb5 and nfsv4 not working right

2016-11-15 Thread Tony Brian Albers
Hi guys,

I've followed every guide I can find on this subject. What I'm trying to 
do is to get our home directories, which are shared via NFS from the FreeIPA 
server, mounted via autofs on the clients.

The client is kact-man-001 and the FreeIPA server is kact-adm-001

/etc/exports:


I've done the ipa-client-install and the ipa-client-automount

However, when I log in, my homedir is mounted as expected but what I get 
in the messages log is:

Nov 15 12:52:25 kact-man-001 gssproxy: gssproxy[770]: (OID: { 1 2 840 
113554 1 2 2 }) Unspecified GSS failure.  Minor code may provide more 
information, No credentials cache found

A lot!

/etc/krb5.conf is default from the FreeIPA installation:

   default_ccache_name = KEYRING:persistent:%{uid}


The autofs setup looks like this:

-

[root@kact-adm-001 log]# ipa automountmap-find
Location: default

3 automount maps matched

   Map: auto.direct

   Map: auto.home

   Map: auto.master

Number of entries returned 3

[root@kact-adm-001 log]#



[root@kact-adm-001 log]# ipa automountkey-find
Location: default
Map: auto.home
---
1 automount key matched
---
   Key: *
   Mount information: -fstype=nfs4,rw,sec=krb5,rsize=8192,wsize=8192 
kact-adm-001.kact.sblokalnet:/data/home/&

Number of entries returned 1

[root@kact-adm-001 log]#

-

Now, the BAD thing is, trying to copy a large file to the automounted 
dir on the client just hangs:

[tba@pc588 images]$ scp NAS4Free-x64-LiveUSB-10.3.0.3.2987.img.gz 
tba...@kact-man-001.kact.sblokalnet:.
tba...@kact-man-001.kact.sblokalnet's password:
NAS4Free-x64-LiveUSB-10.3.0.3.2987.img.gz 
100%  281MB  93.6MB/s 
00:03
[hangs]

And my logged in session on the client hangs if I try to do ls in my 
homedir:
[tba@pc588 ~]$ ssh tba...@kact-man-001.kact.sblokalnet
tba...@kact-man-001.kact.sblokalnet's password:
Last login: Tue Nov 15 13:07:12 2016 from pc588.sb.statsbiblioteket.dk
-sh-4.2$
-sh-4.2$
-sh-4.2$ pwd
/home/tba-sb
-sh-4.2$ hostname
kact-man-001
-sh-4.2$
-sh-4.2$ ls
[hangs]


And I see a huge amount of the GSS failures in the messages file on the 
client.


Any suggestions?

TIA




-- 
Best regards,

Tony Albers
Systems administrator, IT-development
State and University Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark.
Tel: +45 2566 2383 / +45 8946 2316



Re: [Freeipa-users] How to verify user with proxy server

2016-11-15 Thread Petr Vobornik
On 11/15/2016 09:38 AM, 郑磊 wrote:
> Thanks for your reply. I may not have described clearly. My use case is that I 
> have a freeipa user that uses password auth type by default, and I want to 
> use radius auth type to verify user according to 3rd-party radius server.

FreeIPA is able to use a 3rd-party RADIUS server for authentication.

This is covered in:
*
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/otp.html#migrating-proprietary-otp
* http://www.freeipa.org/page/V4/OTP

> 
> 
> 
> 
> 
> --
> Wishing you smooth work and a happy life!
> --
> Changsha R&D Center, 郑磊
> Tel: 18684703229
> Email: zheng...@kylinos.cn
> Company: 天津麒麟信息技术有限公司
> Address: 14th floor, Gongmei Building, Sanyi Avenue, Kaifu District, Changsha, Hunan
> -- Original --
> *From: * "Petr Vobornik";
> *Date: * Mon, Nov 14, 2016 07:08 PM
> *To: * "郑磊"; "freeipa-users";
> *Subject: * Re: [Freeipa-users] How to verify user with proxy server
> On 11/14/2016 04:09 AM, 郑磊 wrote:
>  > Hello everyone,
>  >
>  > I had already successfully verified user with otp. But I don't know how to
>  > verify user with proxy server, is there anyone know about it? There is no a
>  > complete solution on the website.
>  >
>  > Thanks!
>  >
> 
> Could you describe your use case in more details?
> 
> If you are asking about how to access IPA behind proxy, then checkout:
>https://www.adelton.com/freeipa/freeipa-behind-proxy-with-different-name
> https://www.adelton.com/freeipa/freeipa-behind-ssl-proxy
> 
> Or other proxy threads on this list.
> -- 
> Petr Vobornik
> 


-- 
Petr Vobornik


Re: [Freeipa-users] How to verify user with proxy server

2016-11-15 Thread 郑磊
Thanks for your reply. I may not have described clearly. My use case is that I 
have a freeipa user that uses password auth type by default, and I want to use 
radius auth type to verify user according to 3rd-party radius server.





--
Wishing you smooth work and a happy life!
--
Changsha R&D Center, 郑磊
Tel: 18684703229
Email: zheng...@kylinos.cn
Company: 天津麒麟信息技术有限公司
Address: 14th floor, Gongmei Building, Sanyi Avenue, Kaifu District, Changsha, Hunan

-- Original --
From:  "Petr Vobornik";
Date:  Mon, Nov 14, 2016 07:08 PM
To:  "郑磊"; "freeipa-users"; 

Subject:  Re: [Freeipa-users] How to verify user with proxy server

 
On 11/14/2016 04:09 AM, 郑磊 wrote:
> Hello everyone,
> 
> I had already successfully verified user with otp. But I don't know how to 
> verify user with proxy server, is there anyone know about it? There is no a 
> complete solution on the website.
> 
> Thanks!
> 

Could you describe your use case in more details?

If you are asking about how to access IPA behind proxy, then checkout:
  https://www.adelton.com/freeipa/freeipa-behind-proxy-with-different-name
https://www.adelton.com/freeipa/freeipa-behind-ssl-proxy

Or other proxy threads on this list.
-- 
Petr Vobornik