[Freeipa-users] Trouble with ipa-server-install in Fedora 18
Hi everyone,

I have been having trouble getting FreeIPA set up on Fedora 18. ipa-server-install keeps failing at the [2/20]: configuring certificate server instance stage. This is on a fresh Fedora 18 virtual machine. I never had any issues on any of the Fedora 18 prereleases.

ipa-server-install output: http://paste.kde.org/655916/raw/
rpm -qa | grep freeipa | sort: http://paste.kde.org/655928/raw/
/var/log/ipaserver-install.log: http://ompldr.org/vaDdsOA/ipaserver-install.log

If I copy the pkispawn configuration from the log to /tmp/tmpZmif5T and run the failed command, I get: http://paste.kde.org/655940/raw/

Does anyone know what could be the problem? I can't seem to find anything about that error.

Thanks in advance!
Xiao-Long Chen

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] FreeIPA Client Setup in Windows 7 Ubuntu
Date: Wed, 23 Jan 2013 08:28:57 +0100
From: d.sastre.med...@gmail.com
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] FreeIPA Client Setup in Windows 7 Ubuntu

On Mon, Jan 21, 2013 at 07:37:39AM -0500, Dmitri Pal wrote:

On 01/21/2013 04:45 AM, Vijay Thakur wrote:

Guide me about Ubuntu 12.04 as FreeIPA Client setting.

I know there has been work done for Ubuntu but unfortunately I do not have information on the state of this work.

Regarding Ubuntu, you can check, for example:

http://packages.ubuntu.com/search?suite=all&arch=any&searchon=names&keywords=freeipa
http://packages.ubuntu.com/search?suite=all&section=all&arch=any&keywords=389&searchon=names
http://packages.ubuntu.com/search?suite=all&section=all&arch=any&keywords=sssd&searchon=names

--
Primary key fingerprint: AD8F BDC0 5A2C FD5F A179 60E7 F79B AB04 5299 EC56

The current version of sssd in any version of Ubuntu is broken. The packaging needs to pass '--datadir=/usr/share' or '$(prefix)' will show up in some python files.

Bug report: https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1079938

Unfortunately, it still hasn't been fixed.

Xiao-Long Chen
Re: [Freeipa-users] FreeIPA manual PAM setup help
Date: Thu, 29 Nov 2012 10:26:00 -0500
From: rcrit...@redhat.com
To: chillermillerl...@hotmail.com
CC: freeipa-users@redhat.com; tjaal...@ubuntu.com
Subject: Re: [Freeipa-users] FreeIPA manual PAM setup help

小龙 陈 wrote:

Hi,

I've been working on porting the FreeIPA client to Arch Linux lately and I'm now to the last step of the puzzle. Everything works the way it should, except for PAM, which I don't know how to set up. I must admit that I'm very confused by the PAM configuration (which PAM module does what, the order of the modules, etc). What I'm trying to find out is where the pam_sss.so lines should go.

Here's a copy of the /etc/pam.d/ directory in Arch Linux: http://ompldr.org/vZ2hxcw/pam.d.tar.bz2

I'd greatly appreciate it if someone could help me out :)

Thanks!

I gather that this is due to a lack of authconfig. Timo Aaltonen has been working on ipa-client (and server!) for Ubuntu and he ran into similar problems but I'm not sure what solution he came up with. I'll find someone with more PAM experience to try to give you more practical help.

rob

Hi Rob,

Thanks a lot for your reply! You're right that this is due to the lack of authconfig (or any other tool to manage the PAM settings). I took a look at Ubuntu's packaging and it seems that Ubuntu's PAM is similar to Fedora's. Fedora uses a common /etc/pam.d/system-auth file and Ubuntu uses a common /etc/pam.d/common-auth file. Arch doesn't have a common PAM configuration file, so I'll need to change every file for every service that I want to authenticate with sssd.

I didn't know that ipa-server is now working in Ubuntu. That's really great news!

Best regards,
Xiao-Long Chen
Re: [Freeipa-users] FreeIPA manual PAM setup help
Date: Thu, 29 Nov 2012 16:56:08 +0100
From: jhro...@redhat.com
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] FreeIPA manual PAM setup help

On Thu, Nov 29, 2012 at 10:26:00AM -0500, Rob Crittenden wrote:

小龙 陈 wrote:

Hi,

I've been working on porting the FreeIPA client to Arch Linux lately and I'm now to the last step of the puzzle. Everything works the way it should, except for PAM, which I don't know how to set up. I must admit that I'm very confused by the PAM configuration (which PAM module does what, the order of the modules, etc). What I'm trying to find out is where the pam_sss.so lines should go.

Here's a copy of the /etc/pam.d/ directory in Arch Linux: http://ompldr.org/vZ2hxcw/pam.d.tar.bz2

I'd greatly appreciate it if someone could help me out :)

Thanks!

I gather that this is due to a lack of authconfig. Timo Aaltonen has been working on ipa-client (and server!) for Ubuntu and he ran into similar problems but I'm not sure what solution he came up with. I'll find someone with more PAM experience to try to give you more practical help.

rob

Hi,

the PAM config files on Arch Linux are a little bit different than what Fedora/RHEL uses. It seems that the per-service config files (such as /etc/pam.d/su for logging in with su) directly include the PAM modules, in your case pam_unix.so only. On Fedora/RHEL, the per-service files usually include a more generic file called something like system-auth. Either way works, but if you'd like to configure more services in a similar way, then including a common file might save you some edits.

This document is a little outdated but provides a nice intro into configuring PAM: http://tldp.org/HOWTO/User-Authentication-HOWTO/x115.html

In general there are four stacks in PAM, each of them controls one step in the auth process.
I think you'll want to use both pam_unix and pam_sss in all the stacks -- pam_sss is needed for users coming in from the SSSD to log in and you'll also want to keep pam_unix around so that local users (at least root) can log in too.

Here is what my PAM config on Fedora 18 looks like:

auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    optional      pam_pwquality.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     optional      pam_oddjob_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

If Arch Linux ships the same modules as Fedora, then you should be able to simply copy and use the PAM config we use. I've put Honza to CC, I know he runs Arch Linux as well and might have some insights into how PAM is configured on Arch.

Hi,

Thanks a lot for your reply! I'll be sure to read up on the link. The per-service config files are a bit annoying in Arch. I'm not sure if it's possible, but maybe I can create a /etc/pam.d/sssd that can be included in the other files? I'm guessing that the order of the PAM modules matters, so I'm not sure that that would work. I'll try adding pam_sss to each file, based on Fedora's system-auth, and see how that goes.
Best Regards,
Xiao-Long Chen
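Added example, not part of the original thread: a small Python check of a PAM service file against the advice in the message above, namely that every stack keeps pam_unix.so and also lists pam_sss.so, and that pam_sss.so is not placed after pam_deny.so. The function names and both sample files are constructed for illustration; include and substack lines are not followed.

```python
import re

STACKS = ("auth", "account", "password", "session")
# Fields: type (optionally prefixed with '-'), control (a single word or a
# [bracketed] action list), module. Module arguments are ignored.
LINE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def parse_pam(text):
    """Return {stack: [(control, module), ...]} in file order."""
    stacks = {s: [] for s in STACKS}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        m = LINE.match(line)
        if m and m.group(1) in stacks:
            stacks[m.group(1)].append((m.group(2), m.group(3)))
    return stacks

def audit(text):
    """List deviations from the thread's advice for one service file."""
    problems = []
    for stack, entries in parse_pam(text).items():
        modules = [mod for _, mod in entries]
        for wanted in ("pam_unix.so", "pam_sss.so"):
            if wanted not in modules:
                problems.append(f"{stack}: {wanted} missing")
        # pam_deny.so always fails; once a 'required' module has failed, a
        # later 'sufficient' pam_sss.so can no longer make the stack succeed.
        if "pam_deny.so" in modules and "pam_sss.so" in modules:
            if modules.index("pam_sss.so") > modules.index("pam_deny.so"):
                problems.append(f"{stack}: pam_sss.so is after pam_deny.so")
    return problems

# Constructed sample: a per-service file that uses pam_unix.so only.
UNIX_ONLY = """\
auth      required  pam_unix.so
account   required  pam_unix.so
password  required  pam_unix.so
session   required  pam_unix.so
"""

# Constructed sample: pam_sss.so appended below the final pam_deny.so.
MISORDERED = """\
auth  sufficient  pam_unix.so nullok try_first_pass
auth  required    pam_deny.so
auth  sufficient  pam_sss.so use_first_pass
"""

if __name__ == "__main__":
    for name, sample in (("UNIX_ONLY", UNIX_ONLY), ("MISORDERED", MISORDERED)):
        print(name, audit(sample))
```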
Re: [Freeipa-users] FreeIPA status on Debian Ubuntu (was: Re: FreeIPA manual PAM setup help)
Date: Thu, 29 Nov 2012 23:41:03 +0200
From: tjaal...@ubuntu.com
To: jhro...@redhat.com
CC: freeipa-users@redhat.com
Subject: [Freeipa-users] FreeIPA status on Debian Ubuntu (was: Re: FreeIPA manual PAM setup help)

29.11.2012 21:30, Jakub Hrozek wrote:

On Thu, Nov 29, 2012 at 01:56:24PM -0500, 小龙 陈 wrote:

I didn't know that ipa-server is now working in Ubuntu. That's really great news!

Best regards,
Xiao-Long Chen

I could be wrong, but I don't think the IPA server is working in Ubuntu.. I know the client bits are and there was an effort to package the server as well, but I don't think it's finished yet.

right, the server isn't ready, client is limping along though not seen an update in a while.

Timo would know better, though.

here's a short summary:

- 389ds is packaged and included in Debian Ubuntu
- Dogtag 9 is packaged in git and worked the last time I tried, not pushed to either distros, since..
- Dogtag 10 is close(?) and I'd rather skip the transition if possible, then again..
- D10 needs RESTEasy, which in turn depends on nearly 50 new bits of software that needs to be packaged, mostly java/maven based (and there's a helper that should automate most of the packaging, haven't tried it yet though)
- IPA server still needs the platform code rework, and I still need to rework the first patch to meet the review notes

so not quite there yet :)

t

Could you post a link to the git repo (if it's public)? I'd like to test out the work in progress :)
[Freeipa-users] FreeIPA on a dual boot system
Hi fellow FreeIPA users!

I just got my FreeIPA set up perfectly and I was wondering if it's possible to set it up in the other OS in a dual boot configuration. Since I'm still on the same computer (therefore, the same MAC address), ipa-client-install fails saying that I'm already joined to the domain.

Is there anything I can do to allow the dual booted OS to join? Do I need to change my network configuration?

Thanks in advance!
Xiao-Long Chen