[Freeipa-users] Need LDAP access for host not in IPA domain
Hello,

I need a simple, plain LDAP bind for authentication for a host which is not part of my IPA domain.

Something like this is working in the domain:

  ldapsearch -vx -H ldaps://xxx.yyy.intern -b "cn=accounts,dc=yyy,dc=intern"

My problem is, it is only working with the hostname xxx.yyy.intern, which is part of my domain yyy.intern. But outside of the domain I have to use the IP address or something like xxx.yyy.zzz.de. But then I have this error message:

  ldap_initialize( ldaps://xxx.yyy.zzz.de:636/??base )
  ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

Any idea what I can do?

Thank you!

Detlev

P.S.: I have the same problem in the domain when I am not using xxx.yyy.intern. The IP address, for example, is also not working.

--
Detlev | Institut fuer Mikroelektronische Systeme
Habicht | D-30167 Hannover +49 511 76219662 habi...@ims.uni-hannover.de
+ Handy +49 172 5415752 ---

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
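One common reason an ldaps:// connection works only under the server's own FQDN is TLS hostname verification: libldap rejects the handshake when the name in the URL (an IP address, or a name in another domain) is not listed in the server certificate's Subject Alternative Names, and ldapsearch then reports only "Can't contact LDAP server (-1)". The following is an added example, not code from the thread, that applies the matching rules to the URLs from the post; the SAN list is a constructed stand-in for what the IPA server certificate might contain, and the real certificate must be inspected before drawing conclusions.

```python
"""Check whether the host part of an ldaps:// URL would pass TLS hostname
verification against a certificate's Subject Alternative Names.

Added example, not from the mailing-list thread. EXAMPLE_SANS is constructed:
only the internal FQDN is present, so every other name or IP literal fails.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed: what a server certificate issued for the internal name carries.
EXAMPLE_SANS = [("DNS", "xxx.yyy.intern")]


def _dns_matches(pattern: str, host: str) -> bool:
    """RFC 6125 style: case-insensitive; a wildcard covers exactly one leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*."):
        labels = host.split(".")
        # '*.yyy.intern' matches 'a.yyy.intern' but not 'yyy.intern' or 'a.b.yyy.intern'
        return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]
    return False


def name_matches_sans(name: str, sans) -> bool:
    """True if `name` (DNS name or IP literal) is covered by the SAN list."""
    try:
        ip = ipaddress.ip_address(name.strip("[]"))
    except ValueError:
        ip = None
    for kind, value in sans:
        if ip is not None and kind == "IP" and ipaddress.ip_address(value) == ip:
            return True
        if ip is None and kind == "DNS" and _dns_matches(value, name):
            return True
    return False


def check_ldap_url(url: str, sans=EXAMPLE_SANS) -> str:
    """Explain whether the host in an ldaps:// URL would verify against `sans`."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme != "ldaps":
        return f"{url}: not TLS, hostname check does not apply"
    if name_matches_sans(host, sans):
        return f"{url}: OK, '{host}' is listed in the certificate SANs"
    return (f"{url}: FAIL, '{host}' is not in the certificate SANs "
            f"{[v for _, v in sans]}; ldapsearch shows this as "
            "\"Can't contact LDAP server (-1)\"")


if __name__ == "__main__":
    for u in ("ldaps://xxx.yyy.intern", "ldaps://xxx.yyy.zzz.de", "ldaps://192.0.2.10"):
        print(check_ldap_url(u))
```

The defender's fix is on the certificate side: reissue the server certificate with the external name (or the IP address as an IP SAN) included, rather than loosening certificate checking on the client.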
[Freeipa-users] Unspecified GSS failure: No credentials cache found
Hi all,

based on the Red Hat docs I set up a Kerberized NFS server with IPA and, of course, a lot of clients. The IPA services are running on their own host. The servers are running Scientific Linux and the clients Fedora.

Samba and NFS are running well, I think. I see no problems. But I see a lot of these messages on the server and also on the clients:

  Sep 29 10:50:34 sorix gssproxy: gssproxy[1013]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, No credentials cache found
  Sep 29 10:50:34 sorix gssproxy: gssproxy[1013]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, No credentials cache found
  Sep 29 10:50:34 sorix gssproxy: gssproxy[1013]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, No credentials cache found
  Sep 29 10:50:34 sorix gssproxy: gssproxy[1013]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, No credentials cache found

What is wrong?

Thank you for any help!

Detlev
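Whether four identical lines in one second are a tight retry loop or four unrelated failures is the first thing to establish before chasing the cause. As an added example (not from the thread), the parser below reads gssproxy messages in the format posted above, groups them by host, process and minor-code text, and reports the largest number of occurrences inside a sliding window. The sample lines are constructed from the posted format; the year is an assumption because syslog timestamps do not carry one.

```python
"""Aggregate repeated gssproxy GSS failures from syslog-style lines.

Added example, not from the thread: groups 'Unspecified GSS failure' lines by
host, pid and minor-code text and measures burstiness. SAMPLE_LOG is
constructed from the message format quoted in the post.
"""
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
Sep 29 10:50:34 sorix gssproxy: gssproxy[1013]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, No credentials cache found
Sep 29 10:50:34 sorix gssproxy: gssproxy[1013]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, No credentials cache found
Sep 29 10:50:34 sorix gssproxy: gssproxy[1013]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, No credentials cache found
Sep 29 10:50:34 sorix gssproxy: gssproxy[1013]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, No credentials cache found
Sep 29 10:51:10 client7 gssproxy: gssproxy[882]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, No credentials cache found
Sep 29 10:51:11 client7 sshd[2201]: Accepted publickey for detlev from 192.0.2.7 port 51234 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) gssproxy: gssproxy\[(?P<pid>\d+)\]: "
    r"\(OID: \{ (?P<oid>[\d ]+) \}\) (?P<major>[^.]+)\. Minor code may provide more information, (?P<minor>.+)$"
)


def parse_gssproxy_lines(text: str, year: int = 2016):
    """Yield one dict per gssproxy failure line; other lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        # Syslog lines carry no year; the caller supplies one (assumption).
        rec["when"] = datetime.strptime(f"{year} {rec['ts']}", "%Y %b %d %H:%M:%S")
        yield rec


def summarize(text: str, window_seconds: int = 60):
    """Return {(host, pid, minor): (total, burst)}; burst is the most
    occurrences seen inside any window of `window_seconds`."""
    groups = defaultdict(list)
    for rec in parse_gssproxy_lines(text):
        groups[(rec["host"], rec["pid"], rec["minor"])].append(rec["when"])
    out = {}
    for key, times in groups.items():
        times.sort()
        burst, start = 1, 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            burst = max(burst, end - start + 1)
        out[key] = (len(times), burst)
    return out


if __name__ == "__main__":
    for (host, pid, minor), (total, burst) in summarize(SAMPLE_LOG).items():
        print(f"{host} gssproxy[{pid}]: {total} x '{minor}', max {burst} within 60s")
```

A high burst count from one pid points at a caller that retries without a credential cache in place (the minor code names the cache, not the principal), which is where to look next on that host.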
[Freeipa-users] Problems with mount and user logins
Hi all,

I am setting up IPA for the first time for real life and now have some big problems.

First, for testing, I set up an IPA server, an NFS server and up to 3 clients. The servers are running Scientific Linux and the clients Fedora 24 (set up via a Cobbler server). The setup is based on the Red Hat Linux 7 IPA docs. This was running well over several weeks. I can reinstall my clients via Cobbler and everything was good. But mostly with one user (me).

Now I was adding 20 hosts and for the first time big problems are coming.

First, one problem has nothing to do with IPA: I found bug reports about new autofs problems with Fedora 24. autofs is starting at the wrong time, and sssd too.

Second, my problem has to do with mounting or accessing directories: When I log in on a host, sometimes mounting directories is not allowed and sometimes it is possible. And there is no system to it; sometimes it works, sometimes it does not. Well, important: I am logged in at several hosts at the same time! Mostly with one user! Me!

I install the clients with ipa-client-install and ipa-client-automount (the first time by hand, for reinstalls with kickstart). I do not do anything with the users' dot-files like .cshrc or change any other dot-file. I read now in some MIT docs that it is a good idea to add kdestroy in the dot-files for logout.

I can't expect big help with my poor report here, but I have now two questions:

Do I have to set up the users' dot-files in some way? Is there any good documentation for a user's home directory setup?

Is logging in on several clients at the same time with the same shared home directory a problem?

Thank you for any help!

Detlev
Re: [Freeipa-users] IPA, Samba and how can a Windows client access it
Thank you, I found an old post from you with this smb.conf:

  security = user
  passdb backend = ldapsam:ldap://ldap.my.example.com
  ldap suffix = dc=my,dc=example,dc=com
  ldap admin dn = cn=Directory Manager
  ldap ssl = off

Is this still working with Samba 4.x and IPA 4.x? I will try it soon.

Will "ipa-adtrust-install --add-sids" do all the config I need for this?

I think your hint with techslaves is good, but not up to date.

Detlev

P.S.: Yes, I want the same; these clients are not members of a domain ...

On 16.06.2016 at 12:52, Christopher Lamb <christopher.l...@ch.ibm.com> wrote:

> Hi Detlev
>
> If I have understood you correctly, you want to let Windows users access
> Samba "shares" using their IPA username/passwords?
>
> If so it is possible. We have both Windows and OSX workstations accessing
> unix fileshares like that.
>
> We did it more or less along the lines described here:
> http://techslaves.org/2011/08/24/freeipa-and-samba-3-integration/
>
> If you search the archives of this forum with FreeIPA Samba Lamb you will
> find some previous threads on this topic.
>
> Chris
>
> From: Detlev Habicht <detlev.habi...@ims.uni-hannover.de>
> To: freeipa-users@redhat.com
> Date: 06/16/2016 10:49
> Subject: [Freeipa-users] IPA, Samba and how can a Windows client access it
>
> Hi,
>
> first I thought it is an awkward question, but my smart colleague here also
> cannot help me, so I try it:
>
> I read this and I have installed it:
>
> "Howto/Integrating a Samba File Server With IPA"
> http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
>
> This is working as described. But this works only for Linux so far.
>
> We are not able to find a configuration so that a single Windows client has
> access to the Samba server. Only with his IPA account (username and password)!
> I don't want to use something like trusted AD. As I said, for the Windows
> clients I want only to use a username and password for Samba, using IPA.
>
> Well, this is the configuration as described in the docs:
>
> [global]
> workgroup = MY
> realm = MY.REALM
> dedicated keytab file = FILE:/etc/samba/samba.keytab
> kerberos method = dedicated keytab
> log file = /var/log/samba/log.%m
> security = ads
>
> Any idea what I can do for my wishes?
>
> Thank you!
>
> Detlev
[Freeipa-users] IPA, Samba and how can a Windows client access it
Hi,

first I thought it is an awkward question, but my smart colleague here also cannot help me, so I try it:

I read this and I have installed it:

"Howto/Integrating a Samba File Server With IPA"
http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA

This is working as described. But this works only for Linux so far.

We are not able to find a configuration so that a single Windows client has access to the Samba server. Only with his IPA account (username and password)! I don't want to use something like trusted AD. As I said, for the Windows clients I want only to use a username and password for Samba, using IPA.

Well, this is the configuration as described in the docs:

  [global]
  workgroup = MY
  realm = MY.REALM
  dedicated keytab file = FILE:/etc/samba/samba.keytab
  kerberos method = dedicated keytab
  log file = /var/log/samba/log.%m
  security = ads

Any idea what I can do for my wishes?

Thank you!

Detlev
Re: [Freeipa-users] Dynamic DNS Questions
Thank you, this is it.

This entry was already in sssd.conf (with the wrong interface). But I was looking for an IP number ... ignoring interfaces. Stupid, my fault.

Thank you again

Detlev

On 08.06.2016 at 13:17, Martin Štefany <mar...@stefany.eu> wrote:

> Hello Detlev,
>
> The FreeIPA/SSSD client uses the IP address of the interface/vlan/subnet which is used to
> communicate (LDAP) with the FreeIPA server.
>
> However, if you have dyndns_update set to True in sssd.conf, you can also set
> dyndns_iface to point to the correct interface whose IP addresses will be
> dynamically updated in DNS, see:
>
> $ man sssd-ipa
> [stripped]
>        dyndns_iface (string)
>            Optional. Applicable only when dyndns_update is true. Choose the
>            interface or a list of interfaces whose IP addresses should be used for
>            dynamic DNS updates. Special value "*" implies that IPs from all interfaces
>            should be used.
>
>            NOTE: While it is still possible to use the old ipa_dyndns_iface
>            option, users should migrate to using dyndns_iface in their config file.
>
>            Default: Use the IP addresses of the interface which is used for
>            IPA LDAP connection
>
>            Example: dyndns_iface = em1, vnet1, vnet2
> [stripped]
>
> Kind regards,
> Martin
>
> On 6/8/2016 1:00 PM, Detlev Habicht wrote:
>> Hi all,
>>
>> well, I am really a beginner with IPA and just trying to set up some
>> test systems. At the moment one IPA server, one NFS/Samba server and a
>> Fedora client. I am running IPA 4.2, Scientific Linux 7.2 and Fedora 23.
>>
>> The most important things are running now.
>>
>> But I have a problem with DNS entries left. Maybe while installing
>> IPA I made mistakes with the NFS server. On this NFS server I have 5
>> interfaces, 4 of them now as a bond interface. So I am running two IPs now:
>> nn.16 and nn.33.
>>
>> But while installing IPA (with DNS) it takes the wrong one (16):
>>
>> 2016-05-26T14:08:12Z DEBUG Writing nsupdate commands to /etc/ipa/.dns_update.txt:
>> 2016-05-26T14:08:12Z DEBUG debug
>> update delete nnnix.nnn.intern. IN A
>> show
>> send
>> update delete nnnix.nnn.intern. IN
>> show
>> send
>> update add nnnix.nnn.intern. 1200 IN A nnn.nn.nn.16
>> show
>> send
>> 2016-05-26T14:08:12Z DEBUG Starting external process
>> 2016-05-26T14:08:12Z DEBUG args='/usr/bin/nsupdate' '-g' '/etc/ipa/.dns_update.txt'
>>
>>
>> I can change the DNS entry on the IPA server to nn.33 at runtime. Then
>> everything is ok. But when I boot the NFS server, it is changing the DNS
>> entry on the IPA server to nn.16.
>>
>> What can I do so the IPA client (here my NFS server) is using the right IP?
>> I don't find any conf file ... Is there any point where I can change this IP?
>>
>> Thanks for any help!
>>
>> Detlev
>
> --
> Martin
Re: [Freeipa-users] private groups
Thank you for your help!

Well, my problem is a beginner problem. Not reading enough. :-} And I used an LDAP browser and saw error messages I misinterpreted. Sorry for the noise here.

At least I found my answer here:

https://fedorahosted.org/freeipa/ticket/3949

But I found also that many other people have the same problem understanding this behavior.

But I have one suggestion: It would be nice, when creating new users in the GUI, to have the opportunity to also insert GID and UID. I know I can edit it later, but why do I have to use this small window with very few entries, when I can't really use it and have to go to the big one? Maybe it is also a good idea to drop this small window or to have a switch in the configuration to stop this small window. (But, of course, this is not a really big problem.)

Greetings

Detlev

On 20.08.2015 at 15:48, Rob Crittenden <rcrit...@redhat.com> wrote:

> Martin Kosek wrote:
>> On 08/20/2015 11:57 AM, Detlev Habicht wrote:
>>> Hi all,
>>>
>>> I am new to using IPA and learning IPA I am also learning some other things new for me.
>>>
>>> Migrating our system to IPA I found some problems with private groups. We didn't use them up to now.
>>>
>>> Trying to disable this feature with
>>>
>>>   ipa-managed-entries -e "UPG Definition" -p xxx disable
>>>
>>> crashed my database.
>>
>> By crashed, you mean that Directory Server process crashed? If yes, it would be
>> really interesting to get a stack trace, steps in
>> http://directory.fedoraproject.org/docs/389ds/FAQ/faq.html#debug_crashes
>> This would allow 389-DS developers to fix the bug.
>>
>>> I don't know why. After this I can't create new users.
>>
>> IIRC, you would need to turn the default ipausers group into a POSIX group
>> (group-mod --posix), to let it be used instead of the user private groups.
>> But this depends on the error you are getting.
>>
>>> For this problem I have no more information.
>>>
>>> But I have a question: Can I delete a private group after creating a user?
>>> How can I do this?
>>
>> You can use the group-detach command and then group-del on the detached managed group.
>>
>>> And can I later create a private group again for this user? How?
>>
>> Hmm... You could do the group-add command with the right GID, I do not know
>> about a single command doing that.
>
> There is no way to create the same kind of UPG for an existing user as can be
> done for a new user. The managed entries plugin manages the linkage between
> the user and group and IPA currently doesn't provide a way to create a linkage
> after the fact.
>
> You can create a group with the same gid with:
>
>   ipa group-add myuser --gid uid-of-user
>
> but this isn't exactly private. A private group doesn't allow members. One of
> the other features of UPG is that when the user is deleted, the group is also
> deleted. This would not happen in the case of manually created private groups.
>
> rob
[Freeipa-users] private groups
Hi all,

I am new to using IPA and learning IPA I am also learning some other things new for me.

Migrating our system to IPA I found some problems with private groups. We didn't use them up to now.

Trying to disable this feature with

  ipa-managed-entries -e "UPG Definition" -p xxx disable

crashed my database. I don't know why. After this I can't create new users. For this problem I have no more information.

But I have a question: Can I delete a private group after creating a user? How can I do this?

And can I later create a private group again for this user? How?

Thanks for any help!

Detlev
Re: [Freeipa-users] private groups
Well, it is not really a server crash ... the server is running, but I cannot create new users. But I will try it again and will send the results.

Detlev

On 20.08.2015 at 12:54, Martin Kosek <mko...@redhat.com> wrote:

> On 08/20/2015 11:57 AM, Detlev Habicht wrote:
>> Hi all,
>>
>> I am new to using IPA and learning IPA I am also learning some other things new for me.
>>
>> Migrating our system to IPA I found some problems with private groups. We didn't use them up to now.
>>
>> Trying to disable this feature with
>>
>>   ipa-managed-entries -e "UPG Definition" -p xxx disable
>>
>> crashed my database.
>
> By crashed, you mean that Directory Server process crashed? If yes, it would be
> really interesting to get a stack trace, steps in
> http://directory.fedoraproject.org/docs/389ds/FAQ/faq.html#debug_crashes
> This would allow 389-DS developers to fix the bug.
>
>> I don't know why. After this I can't create new users.
>
> IIRC, you would need to turn the default ipausers group into a POSIX group
> (group-mod --posix), to let it be used instead of the user private groups.
> But this depends on the error you are getting.
>
>> For this problem I have no more information.
>>
>> But I have a question: Can I delete a private group after creating a user?
>> How can I do this?
>
> You can use the group-detach command and then group-del on the detached managed group.
>
>> And can I later create a private group again for this user? How?
>
> Hmm... You could do the group-add command with the right GID, I do not know
> about a single command doing that.
>
>> Thanks for any help!
>>
>> Detlev
[Freeipa-users] Questions to compat LDAP suffix
Hi all,

I am very new to using and testing IPA and I have some questions which are not really IPA topics. But perhaps someone can help me and send me a link where I can read and learn such things:

I see in the LDAP tree a suffix like this:

  cn=users,cn=compat,dc=ims,dc=intern

And of course this:

  cn=users,cn=accounts,dc=ims,dc=intern

I don't understand the reason for "cn=compat". Where do I find some infos to understand this concept?

Thanks.

Detlev