Re: [Freeipa-users] Accessing IPA servers on no-standard port
Ticket created: Ticket #3955

--
http://about.me/chandank

On Fri, Sep 27, 2013 at 12:40 AM, Petr Spacek pspa...@redhat.com wrote:

On 27.9.2013 07:23, Chandan Kumar wrote:

Hi Rob,

Thanks for the info. Sure I will create the ticket and will certainly try to pick the low-hanging fruit :-)

--
http://about.me/chandank

On Thu, Sep 26, 2013 at 7:51 PM, Rob Crittenden rcrit...@redhat.com wrote:

Chandan Kumar wrote:

Hello,

I have a basic configuration question, my apologies if it has already been discussed. I have ipa-server-3 installed with default parameters with replication. We have Linux machines across different geo locations and I would like to integrate them into the IPA server; however, I don't want external clients to connect to the server on the standard ports. For example, during ipa-client registration it requires all IPA services to be running on the default ports. Such as:

trying https://ipa01.my.net/ipa/xml
kdc = ipa01.my.net:88
master_kdc = ipa01.my.net:88
admin_server = ipa01.my.net:749

Is there any way in ipa-client-install or the sssd file to instruct the IPA client to connect to the IPA server on non-standard ports, such as:

trying https://ipa01.my.net:8080/ipa/xml

This way I don't have to allocate a separate IP or an additional web server to redirect the requests; a simple NAT at the firewall will do, such as external 8080 - internal 443.

Currently there is no way to do this. I'd have sworn we had a ticket to add this but a quick search didn't turn it up.

If you'd like this supported feel free to open a ticket at https://fedorahosted.org/freeipa/newticket

I don't think this would be tremendously difficult to do, the trick would be communicating the port to clients somehow while they are trying to enroll. A command-line option would probably be the shortest path.

This may be decent low-hanging fruit if you're interested in being a contributor to IPA.

Speaking specifically about Kerberos, LDAP and NTP - it should be possible to change the port number in SRV records in DNS and that is it. I'm not sure if client libraries really support this, but you can try it.

HTTP and HTTPS will be more problematic because there are no SRV records for them.

--
Petr^2 Spacek

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
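The SRV route Petr describes, as an added example that is not code from the thread or from FreeIPA: the discovery records an IPA server publishes carry a port field, so Kerberos, LDAP and NTP ports can be changed there, and a client that follows RFC 2782 turns them into host:port pairs. The zone fragment, host names (ipa01/ipa02.my.net) and ports (10088, 10464, 10389, 10123) are constructed for illustration. MIT krb5 does use the port from SRV lookups; the enrollment endpoint https://ipa01.my.net/ipa/xml has no SRV record, so this does nothing for the HTTPS side, which is exactly the gap Petr points out.

```python
"""Added example (not code from the thread or from FreeIPA).

The SRV records IPA publishes for discovery carry a port number, so the
Kerberos, LDAP and NTP ports can be changed there, as the reply above
suggests.  This shows the records, the RFC 2782 ordering a client applies,
and the host:port krb5.conf lines that fall out of them.  The zone data,
host names and ports are constructed for illustration.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Srv:
    priority: int
    weight: int
    port: int
    target: str


# Constructed zone fragment for my.net.  The owner names are the ones an IPA
# server publishes; the ports are assumed non-standard values for the example.
ZONE = """\
_kerberos._udp.my.net.        86400 IN SRV 0  100 10088 ipa01.my.net.
_kerberos._udp.my.net.        86400 IN SRV 0  100 10088 ipa02.my.net.
_kerberos._tcp.my.net.        86400 IN SRV 0  100 10088 ipa01.my.net.
_kerberos-master._udp.my.net. 86400 IN SRV 0  100 10088 ipa01.my.net.
_kpasswd._udp.my.net.         86400 IN SRV 0  100 10464 ipa01.my.net.
_ldap._tcp.my.net.            86400 IN SRV 0  100 10389 ipa01.my.net.
_ldap._tcp.my.net.            86400 IN SRV 10 100 10389 ipa02.my.net.
_ntp._udp.my.net.             86400 IN SRV 0  100 10123 ipa01.my.net.
"""


def parse_zone(text):
    """Return {owner: [Srv, ...]} from zone-file style SRV lines."""
    records = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) != 8 or f[3] != "SRV":
            continue
        rr = Srv(int(f[4]), int(f[5]), int(f[6]), f[7].rstrip("."))
        records.setdefault(f[0].rstrip("."), []).append(rr)
    return records


def order_srv(rrs, seed=None):
    """Order targets as an RFC 2782 client does: lowest priority first and,
    within one priority, a weighted random draw (weight-0 records are
    listed first so they are only rarely drawn)."""
    rng = random.Random(seed)
    ordered = []
    for prio in sorted({r.priority for r in rrs}):
        pool = sorted((r for r in rrs if r.priority == prio), key=lambda r: r.weight)
        while pool:
            pick = rng.randint(0, sum(r.weight for r in pool))
            running = 0
            for r in pool:
                running += r.weight
                if running >= pick:
                    ordered.append(r)
                    pool.remove(r)
                    break
    return ordered


def krb5_realm_section(records, domain, realm, seed=None):
    """Render the [realms] lines a client derives from SRV data, carrying the
    SRV port into the host:port form ipa-client-install writes (with 88 today)."""
    kdcs = order_srv(records[f"_kerberos._udp.{domain}"], seed)
    master = order_srv(records[f"_kerberos-master._udp.{domain}"], seed)[0]
    lines = ["[realms]", f" {realm} = {{"]
    lines += [f"  kdc = {r.target}:{r.port}" for r in kdcs]
    lines += [f"  master_kdc = {master.target}:{master.port}", " }"]
    return "\n".join(lines)


def ldap_uris(records, domain, seed=None):
    """LDAP URIs in SRV order with the SRV port (e.g. for sssd's ldap_uri)."""
    return [f"ldap://{r.target}:{r.port}"
            for r in order_srv(records[f"_ldap._tcp.{domain}"], seed)]


if __name__ == "__main__":
    rrs = parse_zone(ZONE)
    print(krb5_realm_section(rrs, "my.net", "MY.NET", seed=0))
    print("\n".join(ldap_uris(rrs, "my.net", seed=0)))
```

Two practical caveats: SRV records are seen by every resolver of that zone, so internal clients would move to the new ports as well unless you serve a split-horizon view, and the NAT-on-8080 idea from the question still breaks at the HTTPS enrollment step, because nothing in DNS tells ipa-client-install which port to use for /ipa/xml.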
[Freeipa-users] Accessing IPA servers on no-standard port
Hello,

I have a basic configuration question, my apologies if it has already been discussed. I have ipa-server-3 installed with default parameters with replication. We have Linux machines across different geo locations and I would like to integrate them into the IPA server; however, I don't want external clients to connect to the server on the standard ports. For example, during ipa-client registration it requires all IPA services to be running on the default ports. Such as:

trying https://ipa01.my.net/ipa/xml
kdc = ipa01.my.net:88
master_kdc = ipa01.my.net:88
admin_server = ipa01.my.net:749

Is there any way in ipa-client-install or the sssd file to instruct the IPA client to connect to the IPA server on non-standard ports, such as:

trying https://ipa01.my.net:8080/ipa/xml

This way I don't have to allocate a separate IP or an additional web server to redirect the requests; a simple NAT at the firewall will do, such as external 8080 - internal 443.

Thanks

--
http://about.me/chandank
Re: [Freeipa-users] Accessing IPA servers on no-standard port
Hi Rob,

Thanks for the info. Sure I will create the ticket and will certainly try to pick the low-hanging fruit :-)

--
http://about.me/chandank

On Thu, Sep 26, 2013 at 7:51 PM, Rob Crittenden rcrit...@redhat.com wrote:

Chandan Kumar wrote:

Hello,

I have a basic configuration question, my apologies if it has already been discussed. I have ipa-server-3 installed with default parameters with replication. We have Linux machines across different geo locations and I would like to integrate them into the IPA server; however, I don't want external clients to connect to the server on the standard ports. For example, during ipa-client registration it requires all IPA services to be running on the default ports. Such as:

trying https://ipa01.my.net/ipa/xml
kdc = ipa01.my.net:88
master_kdc = ipa01.my.net:88
admin_server = ipa01.my.net:749

Is there any way in ipa-client-install or the sssd file to instruct the IPA client to connect to the IPA server on non-standard ports, such as:

trying https://ipa01.my.net:8080/ipa/xml

This way I don't have to allocate a separate IP or an additional web server to redirect the requests; a simple NAT at the firewall will do, such as external 8080 - internal 443.

Currently there is no way to do this. I'd have sworn we had a ticket to add this but a quick search didn't turn it up.

If you'd like this supported feel free to open a ticket at https://fedorahosted.org/freeipa/newticket

I don't think this would be tremendously difficult to do, the trick would be communicating the port to clients somehow while they are trying to enroll. A command-line option would probably be the shortest path.

This may be decent low-hanging fruit if you're interested in being a contributor to IPA.

rob
Re: [Freeipa-users] Limiting Host access by UID/GID
Sorry for the late reply. Thanks for helping out. Yes, after deleting the sssd cache from /var/lib it does not allow user groups outside min/max_id.

Thanks
Chandan

On Tuesday, June 4, 2013, Jakub Hrozek wrote:

On Fri, May 31, 2013 at 08:50:29AM -0700, Chandan Kumar wrote:

As far as my understanding goes it does not stop even if I disable cache credentials. I set the following parameters in sssd.conf but still UID 2 is able to login.

Sorry, there was some terminology confusion. I didn't ask for disabling cache credentials, but removing the on-disk cache and starting afresh. The cache is stored in /var/lib/sss/db/cache_$domname.ldb, so you can mv or rm it and check again if the IDs are still allowed.

cache_credentials = False
krb5_store_password_if_offline = False
min_id=5000
max_id=5010
enumerate = False
entry_cache_timeout=3

Package Info:
Client: sssd-client-1.9.2-82.7.el6_4.x86_64
Server: ipa-server-2.2.0-16.el6.x86_64

Thanks
Chandan

On Friday, May 31, 2013, Jakub Hrozek wrote:

On Fri, May 31, 2013 at 09:26:40AM -0400, Simo Sorce wrote:

On Fri, 2013-05-31 at 11:55 +0200, Jakub Hrozek wrote:

On Thu, May 30, 2013 at 07:23:38PM -0400, Dmitri Pal wrote:

On 05/30/2013 06:52 PM, Chandan Kumar wrote:

Hello,

As part of the migration from passwd/shadow to IPA, I want to roll out IPA/SSSD based passwords first for a small number of users and then for all (same goes with hosts: first a small number of hosts and then all). I was trying to limit it using the max_id/min_id parameters in sssd but it does not seem to work the way I expected.

min_id = 5000
max_id = 5100

So there is a user kchandan with UID/GID 2:

[root@tipa1 ~]# id kchandan
uid=2(kchandan) gid=2 groups=2

But it is allowing me to login with that ID, with the only error showing GID 2 not found:

ssh 10.2.3.105 -l kchandan
kchandan@10.2.3.105's password:
id: cannot find name for group ID 2

Is there any way to achieve this?

So you want to allow only a subset of users with a specific range to log into the systems controlled by SSSD before you open it to a broader public? I would defer to SSSD gurus but the hack that comes to mind is to configure a simple access provider to limit the access to just the users you care about (man sssd-simple) or configure ldap access provider based on a filter (man sssd-ldap).

Hi,

The user shouldn't be even saved to cache if it's filtered out of range. But looking at the current NSS code, the entry would have been returned if it was saved *before* you changed the min_id/max_id parameters.

Could that be the case? Can you check if after removing the cache the entry still shows up?

I think that the fact that the entry is returned from cache even if it should be filtered out is a bug: https://fedorahosted.org/sssd/ticket/1954

So far we always maintained that if you consistently change configuration (and a change of ranges is a big change) then it's on the admin to wipe the cache file.

Yes, that's why the ticket is minor. But mostly I don't like the inconsistency where some requests check the ranges even in the responder and some don't.

--
http://about.me/chandank
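The cache behaviour Jakub describes, as an added audit script that is not code from the thread or from SSSD: after min_id/max_id are tightened, entries cached before the change can still be answered from /var/lib/sss/db/cache_$domname.ldb until that file is removed. The script reads the ranges from sssd.conf and lists cached users and groups that fall outside them, which is the set of identities that would still log in (or, for a user's primary group, still produce "cannot find name for group ID") until the cache is wiped. The sssd.conf text, the ldbsearch-style dump and the names in it are constructed; the DN layout (name=...,cn=users,cn=<domain>,cn=sysdb) and attribute names follow sssd's sysdb, and the commented-out simple access provider lines are the alternative Dmitri mentions.

```python
"""Added example (not code from the thread or from SSSD).

After tightening min_id/max_id, entries that were cached before the change
can still be answered from /var/lib/sss/db/cache_$domname.ldb until that
file is removed, as the reply above explains.  This reads the ranges from
sssd.conf and lists cached users/groups that fall outside them.  The
sssd.conf text and the ldbsearch-style dump are constructed; the DN layout
and attribute names (name, uidNumber, gidNumber) follow sssd's sysdb.
"""
import configparser
import re

# Constructed sssd.conf: the ranges from the thread plus, commented out, the
# simple access provider alternative suggested above (see sssd-simple(5)).
SSSD_CONF = """\
[sssd]
domains = ipa.example.com
services = nss, pam

[domain/ipa.example.com]
id_provider = ipa
auth_provider = ipa
cache_credentials = False
min_id = 5000
max_id = 5010
# Alternative to ID ranges for a staged rollout: admit only listed users.
# access_provider = simple
# simple_allow_users = alice, bob
"""

# Constructed excerpt in the shape of
#   ldbsearch -H /var/lib/sss/db/cache_ipa.example.com.ldb name uidNumber gidNumber
CACHE_DUMP = """\
# record 1
dn: name=kchandan,cn=users,cn=ipa.example.com,cn=sysdb
name: kchandan
uidNumber: 2
gidNumber: 2

# record 2
dn: name=alice,cn=users,cn=ipa.example.com,cn=sysdb
name: alice
uidNumber: 5001
gidNumber: 5001

# record 3
dn: name=ops,cn=groups,cn=ipa.example.com,cn=sysdb
name: ops
gidNumber: 9000

# returned 3 records
"""


def id_ranges(conf_text):
    """{domain: (min_id, max_id)} per [domain/...] section; sssd's defaults
    are min_id=1 and max_id=0, where 0 means no upper limit."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    ranges = {}
    for section in cp.sections():
        if section.startswith("domain/"):
            lo = cp.getint(section, "min_id", fallback=1)
            hi = cp.getint(section, "max_id", fallback=0)
            ranges[section[len("domain/"):]] = (lo, hi)
    return ranges


def in_range(ident, lo, hi):
    return ident >= lo and (hi == 0 or ident <= hi)


def parse_ldb_dump(text):
    """Yield one dict of attributes per entry from an LDIF-style ldb dump."""
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            key, value = line.split(":", 1)
            entry[key.strip()] = value.strip()
        if "dn" in entry:
            yield entry


def stale_entries(conf_text, dump_text, domain):
    """Cached entries the configured range should have filtered out, as
    (kind, name, id) tuples.  A user's primary group outside the range is
    reported too, since that is what produces 'cannot find name for group
    ID' on login."""
    lo, hi = id_ranges(conf_text)[domain]
    stale = []
    for e in parse_ldb_dump(dump_text):
        if ",cn=users," in e["dn"]:
            if not in_range(int(e["uidNumber"]), lo, hi):
                stale.append(("user", e["name"], int(e["uidNumber"])))
            if not in_range(int(e["gidNumber"]), lo, hi):
                stale.append(("primary-group", e["name"], int(e["gidNumber"])))
        elif ",cn=groups," in e["dn"]:
            if not in_range(int(e["gidNumber"]), lo, hi):
                stale.append(("group", e["name"], int(e["gidNumber"])))
    return stale


if __name__ == "__main__":
    for kind, name, ident in stale_entries(SSSD_CONF, CACHE_DUMP, "ipa.example.com"):
        print(f"{kind:14s} {name:12s} id={ident} is outside the configured range")
```

If the script reports anything, do what the thread ends with: stop sssd, remove (or move aside) the domain's cache_*.ldb file, and start sssd again, so every entry is fetched fresh through the range filter.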
[Freeipa-users] Limiting Host access by UID/GID
As far as my understanding goes it does not stop even if I disable cache credentials. I set the following parameters in sssd.conf but still UID 2 is able to login.

cache_credentials = False
krb5_store_password_if_offline = False
min_id=5000
max_id=5010
enumerate = False
entry_cache_timeout=3

Package Info:
Client: sssd-client-1.9.2-82.7.el6_4.x86_64
Server: ipa-server-2.2.0-16.el6.x86_64

Thanks
Chandan

On Friday, May 31, 2013, Jakub Hrozek wrote:

On Fri, May 31, 2013 at 09:26:40AM -0400, Simo Sorce wrote:

On Fri, 2013-05-31 at 11:55 +0200, Jakub Hrozek wrote:

On Thu, May 30, 2013 at 07:23:38PM -0400, Dmitri Pal wrote:

On 05/30/2013 06:52 PM, Chandan Kumar wrote:

Hello,

As part of the migration from passwd/shadow to IPA, I want to roll out IPA/SSSD based passwords first for a small number of users and then for all (same goes with hosts: first a small number of hosts and then all). I was trying to limit it using the max_id/min_id parameters in sssd but it does not seem to work the way I expected.

min_id = 5000
max_id = 5100

So there is a user kchandan with UID/GID 2:

[root@tipa1 ~]# id kchandan
uid=2(kchandan) gid=2 groups=2

But it is allowing me to login with that ID, with the only error showing GID 2 not found:

ssh 10.2.3.105 -l kchandan
kchandan@10.2.3.105's password:
id: cannot find name for group ID 2

Is there any way to achieve this?

So you want to allow only a subset of users with a specific range to log into the systems controlled by SSSD before you open it to a broader public? I would defer to SSSD gurus but the hack that comes to mind is to configure a simple access provider to limit the access to just the users you care about (man sssd-simple) or configure ldap access provider based on a filter (man sssd-ldap).

Hi,

The user shouldn't be even saved to cache if it's filtered out of range. But looking at the current NSS code, the entry would have been returned if it was saved *before* you changed the min_id/max_id parameters.

Could that be the case? Can you check if after removing the cache the entry still shows up?

I think that the fact that the entry is returned from cache even if it should be filtered out is a bug: https://fedorahosted.org/sssd/ticket/1954

So far we always maintained that if you consistently change configuration (and a change of ranges is a big change) then it's on the admin to wipe the cache file.

Yes, that's why the ticket is minor. But mostly I don't like the inconsistency where some requests check the ranges even in the responder and some don't.

--
http://about.me/chandank
[Freeipa-users] User Roles and access in GUI
I think controlling visibility of tabs would be the best option, if possible, based on roles as mentioned by Rob. As long as other entries are not visible in the UI, even though they have read-only access with the command line, it should be enough.

On Monday, April 15, 2013, Alexander Bokovoy wrote:

On Mon, 15 Apr 2013, Petr Spacek wrote:

On 15.4.2013 15:39, Rob Crittenden wrote:

There is no easy way to do this. We start with granting all authenticated users read access to the tree with the exception of certain attributes (like passwords). You'd have to start by removing that, then one by one granting read access to the various containers based on, well, something.

Would it be possible to create a new role to allow current 'read-all access' and add this role to all users by default? It could be much simpler to change the behaviour with this role, or not? :-)

It would affect service accounts (including host/fqdn@REALM) since roles cannot be applied to them, if I remember correctly. We would need to make an exclusive ACI that allows all services to gain read-only access...

--
/ Alexander Bokovoy

--
http://about.me/chandank
[Freeipa-users] User Roles and access in GUI
I agree it won't be a security feature, nor are you doing wrong by not adding it. However, it might come as a nice-to-have feature. Let me explain my situation.

We host a web application where a lot of DNS entries (public and internal) are created for different kinds of requests and features. Now we already have a separate DNS server, and separate manual Linux user/access control management by puppet. Linux user ACLs have no relationship with the web application users (which are internal to the web app). So FreeIPA can help me to centralize the Linux user management as well as (public and internal) DNS. However, the problem is: traditionally the access levels were different for DNS users (support guys) and user management (sysadmins). Now, bringing both systems together, even the host based access control, sudoers rules, everything becomes visible to the non-sysadmin group.

You are right that every user could query all entries from the command line and hence it won't help to secure the system, but not having it in the GUI may help to avoid obvious visibility of the whole directory.

I believe similar GUI views could be applied for the discussion http://osdir.com/ml/freeipa-users/2013-03/msg00218.html where geographically separate organization units may share the same directory with limited visibility of other branches.

Having said that, I am not sure how feasible/logical my view is owing to my limited knowledge of 389 directory server and IPA.

Thanks
Chandan

On Monday, April 15, 2013, Dmitri Pal wrote:

On 04/15/2013 11:11 AM, Chandan Kumar wrote:

I think controlling visibility of tabs would be the best option, if possible, based on roles as mentioned by Rob. As long as other entries are not visible in the UI, even though they have read-only access with the command line, it should be enough.

It would not be a security feature though. Just a convenience because the same admin would be able to bind directly to ldap and run a search. This is why we did not go this route.

Yes we can hide panels but it would not mean that the user can't easily get that info. So is there really a value in hiding? So far we did not see any, this is why we did not do it, but maybe you have some arguments that might convince us that we are wrong. Can you please share these arguments with us?

On Monday, April 15, 2013, Alexander Bokovoy wrote:

On Mon, 15 Apr 2013, Petr Spacek wrote:

On 15.4.2013 15:39, Rob Crittenden wrote:

There is no easy way to do this. We start with granting all authenticated users read access to the tree with the exception of certain attributes (like passwords). You'd have to start by removing that, then one by one granting read access to the various containers based on, well, something.

Would it be possible to create a new role to allow current 'read-all access' and add this role to all users by default? It could be much simpler to change the behaviour with this role, or not? :-)

It would affect service accounts (including host/fqdn@REALM) since roles cannot be applied to them, if I remember correctly. We would need to make an exclusive ACI that allows all services to gain read-only access...

--
/ Alexander Bokovoy

--
http://about.me/chandank

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

--
http://about.me/chandank
Re: [Freeipa-users] User Roles and access in GUI
Thanks for the response.

The way we can turn off the anonymous bind in 389 Server is using nsslapd-allow-anonymous-access: off. Is there any way to limit the read access of a user to only the DNS entries? In that way I can create a user who could/will be able to see/edit DNS entries only.

Thanks,
Chandan

On Friday, April 12, 2013, Dmitri Pal wrote:

On 04/12/2013 02:23 AM, Martin Kosek wrote:

On 04/12/2013 01:07 AM, Chandan Kumar wrote:

Hello,

I have a question regarding User Roles and Access in GUI. What I have found is that irrespective of the Role assigned to a user, he gets read-only access across the directory. For example, I created one user, say dnsadmin, with only Roles related to DNS such as DNS Servers, DNS Administrator. Now that user has read-only access to the entire directory. Is there any way of controlling it?

Thanks,
Chandan

Hello Chandan,

If you create a new role, assign DNS Administrators privilege to it, and assign that role to user dnsadmin, that user will have write access to DNS tree and configuration. Beyond that tree, dnsadmin will have read-only access just like all other non-admin users. If you want dnsadmin to have write access also to other entries, you would need to assign more privileges/roles to it.

HTH,
Martin

If you are worried about the read access, the LDAP data is traditionally readable by any authenticated user. In the past it was even possible to read the tree as an anonymous user, which is a bad security practice and not recommended.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

--
http://about.me/chandank
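The anonymous-access switch Chandan mentions, as an added example that is not code from the thread or from FreeIPA: it builds the cn=config change for 389 Directory Server and classifies the outcome of an anonymous ldapsearch so the change can be verified on a live server. The host names, base DN and the sample ldapsearch output are constructed. Note what this does and does not change: it closes the anonymous read Dmitri calls bad practice, but every authenticated user still reads the tree, which is the ACI question Rob says has no easy answer; and since IPA clients do unauthenticated reads during discovery and enrollment, prefer the rootdse value first and test enrolling a client afterwards (ipa-client-install can be handed the CA certificate with --ca-cert-file if it can no longer fetch it).

```python
"""Added example (not code from the thread or from FreeIPA).

Builds the cn=config change that switches anonymous LDAP access off (or
to the root DSE only) in 389 Directory Server, and classifies the result
of an anonymous ldapsearch so the change can be verified.  Host names
and the sample ldapsearch output are constructed.
"""
import subprocess

# Values 389-ds accepts for nsslapd-allow-anonymous-access.
ALLOWED = ("on", "off", "rootdse")


def anon_access_ldif(value="off"):
    """LDIF for ldapmodify.  'off' rejects every anonymous operation;
    'rootdse' keeps anonymous reads of the root DSE only."""
    if value not in ALLOWED:
        raise ValueError(f"value must be one of {ALLOWED}")
    return (
        "dn: cn=config\n"
        "changetype: modify\n"
        "replace: nsslapd-allow-anonymous-access\n"
        f"nsslapd-allow-anonymous-access: {value}\n"
    )


def apply_change(host, value="off"):
    """Apply the change as Directory Manager (ldapmodify prompts for the password)."""
    cmd = ["ldapmodify", "-x", "-H", f"ldap://{host}",
           "-D", "cn=Directory Manager", "-W"]
    return subprocess.run(cmd, input=anon_access_ldif(value), text=True, check=True)


def classify_anon_search(returncode, stderr):
    """Interpret an anonymous `ldapsearch -x` run: 389-ds answers the
    anonymous bind with result 48 once anonymous access is off."""
    if returncode == 0:
        return "anonymous-allowed"
    if "Inappropriate authentication (48)" in stderr:
        return "anonymous-rejected"
    return "unknown"


def check(host, base):
    """Run the anonymous search against a live server and classify it."""
    p = subprocess.run(
        ["ldapsearch", "-x", "-LLL", "-H", f"ldap://{host}", "-b", base, "-s", "base"],
        capture_output=True, text=True)
    return classify_anon_search(p.returncode, p.stderr)


# Constructed stderr of OpenLDAP's ldapsearch against a server with anonymous access off.
SAMPLE_STDERR = ("ldap_bind: Inappropriate authentication (48)\n"
                 "\tadditional info: Anonymous access is not allowed\n")


if __name__ == "__main__":
    print(anon_access_ldif("rootdse"))
    print(classify_anon_search(48, SAMPLE_STDERR))
```

Run apply_change("ipa01.example.com", "rootdse") on one server, then check("ipa01.example.com", "dc=example,dc=com") should return "anonymous-rejected"; a result of "unknown" usually means the connection itself failed rather than the bind, so look at the stderr before drawing conclusions. The cn=config attribute is not replicated, so each replica needs the change separately.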
[Freeipa-users] User Roles and access in GUI
Hello,

I have a question regarding User Roles and Access in GUI. What I have found is that irrespective of the Role assigned to a user, he gets read-only access across the directory. For example, I created one user, say dnsadmin, with only Roles related to DNS such as DNS Servers, DNS Administrator. Now that user has read-only access to the entire directory. Is there any way of controlling it?

Thanks,
Chandan

--
http://about.me/chandank
[Freeipa-users] Shadow/Unix Password Import/Migrate
Hello,

I am setting up an IPA server for all our Linux machines, mostly CentOS 5/6. As of now all user shadow passwords are managed by puppet. As part of moving to IPA I could not find a way to import all passwords into IPA without forcing users to reset their password.

Thanks
Chandan

--
http://about.me/chandank
[Freeipa-users] Issue while setting up Replication
Hello,

I am new to FreeIPA; so far I have set up the server and a few test clients, and all went really smoothly. However, I am having a hard time setting up the replication and any help will be great!

I am using CentOS 6.4.

Package Info
ipa-server-3.0.0-26.el6_4.2.x86_64
389-ds-base-1.2.11.15-12.el6_4.x86_64

I followed the steps mentioned in http://freeipa.org/docs/1.2/Installation_Deployment_Guide/en-US/html/chap-Installation_and_Deployment_Guide-Setting_up_Multi_Master_Replication.html

When I try to set up the replica with the replica prepare file from the master with --skip-conncheck (because krb is not running on UDP ports):

ipa-replica-install /var/lib/ipa/replica-info-ipa02.ma.net.gpg --skip-conncheck

At the end I get the error below:

  [22/31]: setting up initial replication
Starting replication, please wait until this has completed.
[ipa01.ma.net] reports: Update failed! Status: [-1 - LDAP error: Can't contact LDAP server]
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Failed to start replication

On the log file:

2013-04-01T16:25:53Z DEBUG retrieving schema for SchemaCache url=ldaps://ipa01.ma.net:636 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x392c830>
2013-04-01T16:25:54Z INFO   File "/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py", line 614, in run_script
    return_value = main_function()

  File "/usr/sbin/ipa-replica-install", line 473, in main
    ds = install_replica_ds(config)

  File "/usr/sbin/ipa-replica-install", line 150, in install_replica_ds
    pkcs12_info)

  File "/usr/lib/python2.6/site-packages/ipaserver/install/dsinstance.py", line 300, in create_replica
    self.start_creation(runtime=60)

  File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", line 358, in start_creation
    method()

  File "/usr/lib/python2.6/site-packages/ipaserver/install/dsinstance.py", line 313, in __setup_replica
    r_bindpw=self.dm_password)

  File "/usr/lib/python2.6/site-packages/ipaserver/install/replication.py", line 865, in setup_replication
    raise RuntimeError("Failed to start replication")

2013-04-01T16:25:54Z INFO The ipa-replica-install command failed, exception: RuntimeError: Failed to start replication

I also found a similar error reported while setting up ipa on Fedora 18 at https://www.redhat.com/archives/freeipa-users/2013-February/msg00440.html but could not find its resolution.

I am able to connect to the 389/636 ports from the slave. The firewall is off on both ends and hostnames resolve properly.

Thanks

--
http://about.me/chandank
[Freeipa-users] Help regarding Basic FreeIPA setup
Hi,

I am running the default Firefox that comes with CentOS 6.2. I guess that whatever time I do kinit it just does not work for me, even for a single time. Also it shows that I am logged in as u...@freeipa.org in the main background web page. Not sure whether it's relevant to this error.

On Monday, 14 May 2012, Steven Jones wrote:

Hi,

I have run it on Mac OS X and RHEL 6.2, Firefox and Chrome; Safari won't connect but that's a Safari issue I'm sure.

After running kinit admin I find the Kerberos ticket expires about 24 hours later so you have to renew?

What you can do if it simply won't work is get IPA to fall back to asking for a password, which is what I have had to set for Windows 7 Firefox users.

It might depend on which version of Firefox; 3 and 10 do work. I think RH say Firefox 10 is the long term supported version for them so I'd run that at least.

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

--
From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Chandan Kumar [chandank.ku...@gmail.com]
Sent: Tuesday, 15 May 2012 9:25 a.m.
To: d...@redhat.com
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Help regarding Basic FreeIPA setup

System: CentOS 6.2
IPA version: ipa-server-2.1.3-9.el6.x86_64

Thanks
Chandan

On Mon, May 14, 2012 at 2:21 PM, Dmitri Pal d...@redhat.com wrote:

On 05/14/2012 05:09 PM, Chandan Kumar wrote:

I am a newbie in IPA and was experimenting with it on a couple of my VMs before considering it for production. Installation went fine; however, I am getting the Kerberos key expiration error in Firefox. I am running Firefox on the same machine where I have installed/configured ipa-server. On googling and with some help on IRC I checked the documentation to troubleshoot it as this appears to be a known problem.

Moreover, I did follow
http://freeipa.org/page/InstallAndDeploy
http://freeipa.org/page/TroubleshootingGuide

Firefox logs

1977841888[7fc789f5b040]: leaving nsAuthGSSAPI::GetNextToken [rv=80004005]
-1977841888[7fc789f5b040]: using REQ_DELEGATE
-1977841888[7fc789f5b040]: service = ipaserver.example.com
-1977841888[7fc789f5b040]: using negotiate-gss
-1977841888[7fc789f5b040]: entering nsAuthGSSAPI::nsAuthGSSAPI()
-1977841888[7fc789f5b040]: entering nsAuthGSSAPI::Init()
-1977841888[7fc789f5b040]: nsHttpNegotiateAuth::GenerateCredentials() [challenge=Negotiate]
-1977841888[7fc789f5b040]: entering nsAuthGSSAPI::GetNextToken()
-1977841888[7fc789f5b040]: gss_init_sec_context() failed: Unspecified GSS failure. Minor code may provide more information
SPNEGO cannot find mechanisms to negotiate
-1977841888[7fc789f5b040]: leaving nsAuthGSSAPI::GetNextToken [rv=80004005]

[root@ds var]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ad...@example.com

Valid starting     Expires            Service principal
05/14/12 13:50:32  05/15/12 13:50:30  krbtgt/example@example.com
05/14/12 13:53:58  05/15/12 13:50:30  HTTP/ipaserver.example@example.com
05/14/12 13:54:13  05/15/12 13:50:30  ldap/ipaserver.example@example.com
[root@ds var]#

Output of ldapsearch -Y GSSAPI -b dc=example,dc=com uid=admin at http://fpaste.org/9hXX/

I am not sure what I am missing though. Appreciate any help.

Thanks
Chandan

Are you running FF on windows?
Which version of IPA are you using?

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

--
Sent from my iPad
Re: [Freeipa-users] Help regarding Basic FreeIPA setup
The kinit does show that the keys are there.

[root@ipaserver ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ad...@example.com

Valid starting     Expires            Service principal
05/15/12 09:13:35  05/16/12 09:13:32  krbtgt/example@example.com

Thanks
Chandan

On Tue, May 15, 2012 at 7:35 AM, Chandan Kumar chandank.ku...@gmail.com wrote:

Hi,

I am running the default Firefox that comes with CentOS 6.2. I guess that whatever time I do kinit it just does not work for me, even for a single time. Also it shows that I am logged in as u...@freeipa.org in the main background web page. Not sure whether it's relevant to this error.

On Monday, 14 May 2012, Steven Jones wrote:

Hi,

I have run it on Mac OS X and RHEL 6.2, Firefox and Chrome; Safari won't connect but that's a Safari issue I'm sure.

After running kinit admin I find the Kerberos ticket expires about 24 hours later so you have to renew?

What you can do if it simply won't work is get IPA to fall back to asking for a password, which is what I have had to set for Windows 7 Firefox users.

It might depend on which version of Firefox; 3 and 10 do work. I think RH say Firefox 10 is the long term supported version for them so I'd run that at least.

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

--
From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Chandan Kumar [chandank.ku...@gmail.com]
Sent: Tuesday, 15 May 2012 9:25 a.m.
To: d...@redhat.com
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Help regarding Basic FreeIPA setup

System: CentOS 6.2
IPA version: ipa-server-2.1.3-9.el6.x86_64

Thanks
Chandan

On Mon, May 14, 2012 at 2:21 PM, Dmitri Pal d...@redhat.com wrote:

On 05/14/2012 05:09 PM, Chandan Kumar wrote:

I am a newbie in IPA and was experimenting with it on a couple of my VMs before considering it for production. Installation went fine; however, I am getting the Kerberos key expiration error in Firefox. I am running Firefox on the same machine where I have installed/configured ipa-server. On googling and with some help on IRC I checked the documentation to troubleshoot it as this appears to be a known problem.

Moreover, I did follow
http://freeipa.org/page/InstallAndDeploy
http://freeipa.org/page/TroubleshootingGuide

Firefox logs

1977841888[7fc789f5b040]: leaving nsAuthGSSAPI::GetNextToken [rv=80004005]
-1977841888[7fc789f5b040]: using REQ_DELEGATE
-1977841888[7fc789f5b040]: service = ipaserver.example.com
-1977841888[7fc789f5b040]: using negotiate-gss
-1977841888[7fc789f5b040]: entering nsAuthGSSAPI::nsAuthGSSAPI()
-1977841888[7fc789f5b040]: entering nsAuthGSSAPI::Init()
-1977841888[7fc789f5b040]: nsHttpNegotiateAuth::GenerateCredentials() [challenge=Negotiate]
-1977841888[7fc789f5b040]: entering nsAuthGSSAPI::GetNextToken()
-1977841888[7fc789f5b040]: gss_init_sec_context() failed: Unspecified GSS failure. Minor code may provide more information
SPNEGO cannot find mechanisms to negotiate
-1977841888[7fc789f5b040]: leaving nsAuthGSSAPI::GetNextToken [rv=80004005]

[root@ds var]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ad...@example.com

Valid starting     Expires            Service principal
05/14/12 13:50:32  05/15/12 13:50:30  krbtgt/example@example.com
05/14/12 13:53:58  05/15/12 13:50:30  HTTP/ipaserver.example@example.com
05/14/12 13:54:13  05/15/12 13:50:30  ldap/ipaserver.example@example.com
[root@ds var]#

Output of ldapsearch -Y GSSAPI -b dc=example,dc=com uid=admin at http://fpaste.org/9hXX/

I am not sure what I am missing though. Appreciate any help.

Thanks
Chandan

Are you running FF on windows?
Which version of IPA are you using?

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

--
Sent from my iPad
Re: [Freeipa-users] Help regarding Basic FreeIPA setup
System: CentOS 6.2
IPA version: ipa-server-2.1.3-9.el6.x86_64

Thanks
Chandan

On Mon, May 14, 2012 at 2:21 PM, Dmitri Pal d...@redhat.com wrote:

On 05/14/2012 05:09 PM, Chandan Kumar wrote:

I am a newbie in IPA and was experimenting with it on a couple of my VMs before considering it for production. Installation went fine; however, I am getting the Kerberos key expiration error in Firefox. I am running Firefox on the same machine where I have installed/configured ipa-server. After googling and some help on IRC, I checked the documentation to troubleshoot it, as this appears to be a known problem. Moreover, I did follow http://freeipa.org/page/InstallAndDeploy and http://freeipa.org/page/TroubleshootingGuide

Firefox logs:

  -1977841888[7fc789f5b040]: leaving nsAuthGSSAPI::GetNextToken [rv=80004005]
  -1977841888[7fc789f5b040]: using REQ_DELEGATE
  -1977841888[7fc789f5b040]: service = ipaserver.example.com
  -1977841888[7fc789f5b040]: using negotiate-gss
  -1977841888[7fc789f5b040]: entering nsAuthGSSAPI::nsAuthGSSAPI()
  -1977841888[7fc789f5b040]: entering nsAuthGSSAPI::Init()
  -1977841888[7fc789f5b040]: nsHttpNegotiateAuth::GenerateCredentials() [challenge=Negotiate]
  -1977841888[7fc789f5b040]: entering nsAuthGSSAPI::GetNextToken()
  -1977841888[7fc789f5b040]: gss_init_sec_context() failed: Unspecified GSS failure.  Minor code may provide more information
  SPNEGO cannot find mechanisms to negotiate
  -1977841888[7fc789f5b040]: leaving nsAuthGSSAPI::GetNextToken [rv=80004005]

  [root@ds var]# klist
  Ticket cache: FILE:/tmp/krb5cc_0
  Default principal: ad...@example.com

  Valid starting     Expires            Service principal
  05/14/12 13:50:32  05/15/12 13:50:30  krbtgt/example@example.com
  05/14/12 13:53:58  05/15/12 13:50:30  HTTP/ipaserver.example@example.com
  05/14/12 13:54:13  05/15/12 13:50:30  ldap/ipaserver.example@example.com
  [root@ds var]#

Output of ldapsearch -Y GSSAPI -b dc=example,dc=com uid=admin at http://fpaste.org/9hXX/

I am not sure what I am missing though. Appreciate any help.

Thanks
Chandan

Are you running FF on Windows? Which version of IPA are you using?

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
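The post above pairs a Firefox Negotiate failure with klist output showing a TGT and an HTTP/ service ticket. The script below is an added example, not code from the FreeIPA project or from anyone in the thread: it parses the MIT klist text format as printed in the post and reports whether the cache holds what a SPNEGO login to HTTP/<fqdn>@<REALM> needs (a valid, non-expired TGT for the realm, with the HTTP/ ticket reported as informational, since the client fetches it with the TGT on the first Negotiate challenge). The realm EXAMPLE.COM, the host name ipaserver.example.com and the sample klist output are constructed for this example and only mirror the shape of what the post shows.

```python
"""Check whether a Kerberos credential cache is ready for a Negotiate (SPNEGO)
login to an IPA web UI.

Added example, not FreeIPA code.  Parses MIT `klist` text output (the
MM/DD/YY format from the post and the four-digit-year variant newer klist
prints) and evaluates the cache against the service principal the browser
will ask for.  Realm, host and the sample output are constructed.
"""
import re
import subprocess
from datetime import datetime, timedelta
from typing import List, NamedTuple, Optional


class Ticket(NamedTuple):
    start: datetime
    expires: datetime
    principal: str


class Cache(NamedTuple):
    principal: Optional[str]   # default principal, None if the cache is empty
    tickets: List[Ticket]


# One ticket per line: "<start>  <expires>  <service principal>".  Continuation
# lines such as "renew until ..." do not match and are ignored.
_TICKET_LINE = re.compile(
    r"^(\d\d/\d\d/\d{2,4} \d\d:\d\d:\d\d)\s+(\d\d/\d\d/\d{2,4} \d\d:\d\d:\d\d)\s+(\S+)$"
)

# Constructed sample in the shape of the klist output quoted in the post.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@EXAMPLE.COM

Valid starting     Expires            Service principal
05/14/12 13:50:32  05/15/12 13:50:30  krbtgt/EXAMPLE.COM@EXAMPLE.COM
05/14/12 13:53:58  05/15/12 13:50:30  HTTP/ipaserver.example.com@EXAMPLE.COM
05/14/12 13:54:13  05/15/12 13:50:30  ldap/ipaserver.example.com@EXAMPLE.COM
"""


def _parse_ts(s: str) -> datetime:
    """klist prints two-digit years on el6-era MIT Kerberos, four digits later."""
    for fmt in ("%m/%d/%y %H:%M:%S", "%m/%d/%Y %H:%M:%S"):
        try:
            return datetime.strptime(s, fmt)
        except ValueError:
            continue
    raise ValueError(f"unrecognised klist time stamp: {s}")


def parse_klist(text: str) -> Cache:
    """Extract the default principal and the ticket table from klist output."""
    principal: Optional[str] = None
    tickets: List[Ticket] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
            continue
        m = _TICKET_LINE.match(line)
        if m:
            tickets.append(Ticket(_parse_ts(m.group(1)), _parse_ts(m.group(2)), m.group(3)))
    return Cache(principal, tickets)


def _find(tickets: List[Ticket], principal: str) -> Optional[Ticket]:
    # Principal names are case-sensitive: realms are upper case by convention,
    # host names in service principals lower case.  Match exactly.
    return next((t for t in tickets if t.principal == principal), None)


def negotiate_readiness(klist_text: str, host: str, realm: str, now: datetime,
                        margin: timedelta = timedelta(minutes=5)) -> dict:
    """Return {"ok": bool, "problems": [...], "notes": [...]} for a login to
    HTTP/<host>@<realm>.  A missing HTTP/ ticket is only a note; a missing,
    expired or about-to-expire TGT is a problem."""
    cache = parse_klist(klist_text)
    problems: List[str] = []
    notes: List[str] = []

    if cache.principal is None:
        return {"ok": False, "problems": ["cache is empty: run kinit first"], "notes": notes}
    if not cache.principal.endswith("@" + realm):
        problems.append(f"default principal {cache.principal} is not in realm {realm}")

    tgt = _find(cache.tickets, f"krbtgt/{realm}@{realm}")
    if tgt is None:
        problems.append(f"no TGT for {realm} in cache")
    elif tgt.expires <= now:
        problems.append(f"TGT expired at {tgt.expires:%Y-%m-%d %H:%M:%S}")
    elif tgt.expires - now < margin:
        problems.append(f"TGT expires in under {margin}; renew with kinit")

    http = _find(cache.tickets, f"HTTP/{host}@{realm}")
    if http is None:
        notes.append(f"no HTTP/{host} ticket yet; it will be requested with the TGT")
    elif http.expires <= now:
        notes.append(f"HTTP/{host} ticket expired; a fresh one will be requested")
    else:
        notes.append(f"HTTP/{host} service ticket present, valid until {http.expires:%H:%M:%S}")

    return {"ok": not problems, "problems": problems, "notes": notes}


def check_current_cache(host: str, realm: str) -> dict:
    """Run the real klist for the invoking user and evaluate its output.
    Run it as the user the browser runs as: the cache in the post is root's."""
    out = subprocess.run(["klist"], capture_output=True, text=True)
    if out.returncode != 0:
        return {"ok": False, "problems": [out.stderr.strip() or "klist failed"], "notes": []}
    return negotiate_readiness(out.stdout, host, realm, datetime.now())


if __name__ == "__main__":
    import json
    print(json.dumps(negotiate_readiness(SAMPLE_KLIST, "ipaserver.example.com", "EXAMPLE.COM",
                                         datetime(2012, 5, 14, 14, 0, 0)), indent=2))
```

On the sample the check passes, which matches the post: the KDC issued the HTTP/ service ticket, so the failure lies in the browser's use of the cache rather than in Kerberos itself. One thing the script makes easy to spot is whose cache is being inspected: `check_current_cache` must run as the user Firefox runs as, because the klist in the post was taken as root.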
Re: [Freeipa-users] FreeIPA and others
Thanks, John, for the reply.

Ok. So basically it integrates the various subsystems required to have a full-fledged AAA system and gives the end user a single controlling interface to control the various components. So will its web GUI enable control of the 389, Krb and Radius configurations too? Because if I look at each of these components individually, each needs to be set up separately with a lot of pain.

Thanks
Chandan

On Fri, May 11, 2012 at 12:23 PM, John Dennis jden...@redhat.com wrote:

On 05/11/2012 02:18 PM, Chandan Kumar wrote:

Hi All,

I was considering different centralized authentication/authorization services such as FreeIPA, 389 and OpenLDAP to deploy into our network in order to have a good centralized user authentication/authorization mechanism. I was wondering what the key things are that FreeIPA provides as compared to other directory services in terms of extra features, ease of deployment and use, etc.

FreeIPA is an integrated solution that includes DNS, Kerberos SSO, host management, HBAC, role-based authorization, integration with SSSD, sophisticated group management, sudo support, certificate management, can replace NIS and netgroups, supports replication for redundant servers, etc. It supports both a scriptable command line utility set as well as a web based GUI. The next version will include support for cross-realm trusts, allowing for powerful integration with Active Directory.

FreeIPA is built on top of 389 DS, the MIT Kerberos KDC and the Dogtag certificate management system. OpenLDAP is, well, just an LDAP server (some assembly required). The whole idea of FreeIPA is to take the basic primitive services supplied by an LDAP server and make them vastly more powerful by layering a lot of sophisticated functionality on top of it which is fully integrated and easy to use.

-- 
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-users] FreeIPA and others
Thanks for the info. Now I will start working on setting up FreeIPA; hopefully it heals rather than aggravates the pains :-)

Thanks
Chandan

On Fri, May 11, 2012 at 1:16 PM, John Dennis jden...@redhat.com wrote:

On 05/11/2012 03:51 PM, Chandan Kumar wrote:

Thanks, John, for the reply.

Ok. So basically it integrates the various subsystems required to have a full-fledged AAA system and gives the end user a single controlling interface to control the various components.

Excellent summary.

So will its web GUI enable control of the 389, Krb and Radius configurations too?

The web GUI controls 389 and KRB configuration and the data those services operate on. We currently do not support RADIUS; however, it's on the roadmap. A fundamental problem with RADIUS is that many of the authentication protocols used in RADIUS require access to a cleartext password or hash. So far we've been assiduous in not storing and exposing this material, for security reasons. There are possible solutions, but we've decided there are more important features to address first.

Because if I look at each of these components individually, each needs to be set up separately with a lot of pain.

Absolutely, the pain threshold of setting those components up and getting them to play together is high. One of the primary design goals of FreeIPA is to eliminate those pain points so you can focus on administering your user base.

-- 
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/