Re: [Freeipa-users] Auto create kerberos/ldap SRV records on subdomain

2017-04-08 Thread Matt .
I have tested this but the hosts don't get an enrolled status. I have
tried _kerberos TXT "MYREAL.DOMAIN.TLD" and without the quotes. I
can't see any logging about it. Any idea?

Thanks!

Matt

2017-04-04 20:50 GMT+02:00 Matt . <yamakasi@gmail.com>:
> Hi Alexander,
>
> Superb, thanks a lot for this quick fix!
>
> Matt
>
> 2017-04-04 20:48 GMT+02:00 Alexander Bokovoy <aboko...@redhat.com>:
>> On ti, 04 huhti 2017, Matt . wrote:
>>>
>>> Hi guys,
>>>
>>> Is it possible to create in a simple way the SRV domains for kerberos
>>> on subdomains? It's a pain to add them all manually when you have a
>>> lot of subdomains.
>>>
>>> I hope someone has a solution.
>>
>> Create TXT record _kerberos.sub.domain.tld that contains name of your
>> Kerberos realm in upper case. For MIT Kerberos clients this is enough to
>> discover their proper Kerberos realm and DNS domain for SRV record
>> discovery.
>>
>> --
>> / Alexander Bokovoy

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
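Added example, not part of the thread and not FreeIPA or MIT Kerberos code: a small model of what an MIT-style client does with the _kerberos TXT record Alexander describes, run over a constructed zone so it works offline. The names (domain.tld, sub.domain.tld, ipa-01, ipa-02) and the SRV data are assumptions. It also includes the pre-rollout check I would run per subdomain: the record must exist, must name the realm in upper case (realm names are case-sensitive even though DNS names are not), and the quotes seen in zone-file presentation format delimit the string and are not part of the data a client receives.

```python
"""MIT-style Kerberos realm and KDC discovery over a constructed DNS zone."""
from typing import Dict, List, Optional, Tuple

# Constructed zone data (not real DNS): owner name -> {rtype: [rdata, ...]}.
# The realm is DOMAIN.TLD; sub.domain.tld carries a correct TXT hint and
# lower.domain.tld a lower-case one to show the failure mode the check catches.
ZONE: Dict[str, Dict[str, List[str]]] = {
    "_kerberos.domain.tld":       {"TXT": ['"DOMAIN.TLD"']},
    "_kerberos.sub.domain.tld":   {"TXT": ['"DOMAIN.TLD"']},
    "_kerberos.lower.domain.tld": {"TXT": ['"domain.tld"']},
    "_kerberos._udp.domain.tld":  {"SRV": ["0 100 88 ipa-01.domain.tld.",
                                           "10 100 88 ipa-02.domain.tld."]},
    "_kerberos._tcp.domain.tld":  {"SRV": ["0 100 88 ipa-01.domain.tld."]},
    "_ldap._tcp.domain.tld":      {"SRV": ["0 100 389 ipa-01.domain.tld."]},
}


def lookup(name: str, rtype: str) -> List[str]:
    """Resolver stand-in: exact owner-name lookup, no wildcard or CNAME handling."""
    return ZONE.get(name.lower().rstrip("."), {}).get(rtype, [])


def txt_value(rdata: str) -> str:
    """Presentation format shows TXT strings in double quotes; the quotes
    delimit the string and are not part of what the client receives."""
    return rdata.strip().strip('"')


def realm_for_host(hostname: str) -> Optional[str]:
    """dns_lookup_realm behaviour: try _kerberos.<host>, then strip one leading
    label at a time (_kerberos.<subdomain>, _kerberos.<domain>, ...) and take
    the first TXT record found. None means the client has no DNS hint."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        txt = lookup("_kerberos." + ".".join(labels[i:]), "TXT")
        if txt:
            return txt_value(txt[0])
    return None


def srv_targets(name: str) -> List[Tuple[str, int]]:
    """Parse 'priority weight port target' SRV rdata; lowest priority first,
    higher weight first within a priority."""
    recs = []
    for rdata in lookup(name, "SRV"):
        prio, weight, port, target = rdata.split()
        recs.append((int(prio), -int(weight), target.rstrip("."), int(port)))
    recs.sort()
    return [(target, port) for _, _, target, port in recs]


def discover(hostname: str) -> Dict[str, object]:
    """Realm from the TXT walk, then SRV lookups with the realm name used as a
    DNS domain (dns_lookup_kdc). DNS is case-insensitive, so a lower-case TXT
    value still finds the KDCs; the mismatch only bites when the client asks
    the KDC for tickets in a realm spelled differently from its own."""
    realm = realm_for_host(hostname)
    if realm is None:
        return {"realm": None, "kdc_udp": [], "kdc_tcp": [], "ldap": []}
    return {
        "realm": realm,
        "kdc_udp": srv_targets(f"_kerberos._udp.{realm}"),
        "kdc_tcp": srv_targets(f"_kerberos._tcp.{realm}"),
        "ldap": srv_targets(f"_ldap._tcp.{realm}"),
    }


def check_kerberos_txt(zone: str, expected_realm: str) -> List[str]:
    """Pre-rollout check for one subdomain: TXT present, realm in upper case,
    naming the realm we expect, and unambiguous. Empty list means OK."""
    name = f"_kerberos.{zone}"
    txt = lookup(name, "TXT")
    if not txt:
        return [f"{name}: no TXT record"]
    problems = []
    value = txt_value(txt[0])
    if value != value.upper():
        problems.append(f"{name}: realm '{value}' is not upper case; realm names are case-sensitive")
    if value.upper() != expected_realm.upper():
        problems.append(f"{name}: '{value}' does not name realm {expected_realm}")
    if len(txt) > 1:
        problems.append(f"{name}: {len(txt)} TXT records, the hint is ambiguous")
    return problems


if __name__ == "__main__":
    for host in ("web01.sub.domain.tld", "db01.lower.domain.tld", "box.other.tld"):
        print(host, "->", discover(host))
    for zone in ("sub.domain.tld", "lower.domain.tld", "nowhere.domain.tld"):
        print(zone, "->", check_kerberos_txt(zone, "DOMAIN.TLD") or "ok")
```

Against real DNS the same two checks are `dig +short TXT _kerberos.sub.domain.tld` (expect the realm, upper case, shown quoted) and `dig +short SRV _kerberos._udp.<realm>`; with IPA-managed DNS the hint is a plain TXT record under the subdomain's zone, which is a lot less to maintain than a full SRV set per subdomain.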


Re: [Freeipa-users] IPA Ldap only as Client on different IPA server

2017-04-08 Thread Matt .
The issue you get here is that the IPA client is not enrolled anymore
once you uninstall the client before the IPA install on that
"previous" client, which needs to be a client again after the IPA install
on it.

This sounds messy but could be ideal for some situations of user access
on systems.

2017-04-07 23:24 GMT+02:00 Rob Crittenden <rcrit...@redhat.com>:
> Matt . wrote:
>> Nope, I provision my servers and they are added to my FreeIPA
>> environment which auths my sysadmins. But on a server I provisioned
>> I need to install FreeIPA as well, but without dns and ca, so it's
>> doing ldap only actually.
>>
>> When I want to install FreeIPA server on this IPA client it tells me
>> (which is logical):
>>
>> ipa.ipapython.install.cli.install_tool(Server): ERROR IPA client is
>> already configured on this system.
>> Please uninstall it before configuring the IPA server, using
>> 'ipa-client-install --uninstall'
>>
>> So what I want to do is install FreeIPA server on it but using local
>> system accounts to be auth against the former IPA server the client
>> was assigned to.
>>
>> So:
>>
>> IPA01 gets a host which is LDAP01 but LDAP01 needs to be installed
>> with FreeIPA (no dns and CA) as well but I want to have local
>> sysaccounts that login to cli and such auth against IPA01 after it's
>> installed with FreeIPA and the clientconfig for sssd is not there
>> anymore because of the 'ipa-client-install --uninstall'
>
> Still very confusing. LDAP has nothing to do with this. IPA is always at
> least LDAP + Kerberos + Apache + a few other minor services. So it's
> better to just say no DNS and no CA, though that isn't really relevant
> since those are always optional.
>
> It sounds like what you want to do is, on the same box, install IPA
> server and configure the local machine to point to a DIFFERENT IPA
> server for user/group lookups?
>
> You might be able to do it via sssd but it would be an unsupportable
> nightmare.
>
> rob
>
>>
>> 2017-04-07 23:11 GMT+02:00 Rob Crittenden <rcrit...@redhat.com>:
>>> Matt . wrote:
>>>> When I have a full ipa setup and I want to add a host to it that is
>>>> installed or needs to be installed as IPA LDAP server only, is that
>>>> possible ?
>>>
>>> If you're asking if only 389-ds can be configured on an IPA server, no,
>>> not using any IPA tools in any case.
>>>
>>>> Of course the ipa-server-install complains that the agent is already
>>>> configured on the host but there might be a way ? Or just copy the
>>>> config back faster the IPA LDAP only server is installed ?
>>>
>>> I don't understand. Seeing the error message and commands might help.
>>>
>>> rob
>>>
>



Re: [Freeipa-users] IPA Ldap only as Client on different IPA server

2017-04-07 Thread Matt .
You are almost right, the box only needs to look up users/groups from
another IPA server for environment admins. The "LDAP only" on this IPA
server (and client) won't do anything on the whole network layer, only
some webapp is talking to it and the users don't have anything to do
with the network at all, but I think it's nice when I don't have to
maintain my local users there to log in to the box for maintenance, so I
thought it would be nice when SSSD checked my default IPA-environment
server for that.

2017-04-07 23:24 GMT+02:00 Rob Crittenden <rcrit...@redhat.com>:
> Matt . wrote:
>> Nope, I provision my servers and they are added to my FreeIPA
>> environment which auths my sysadmins. But on a server I provisioned
>> I need to install FreeIPA as well, but without dns and ca, so it's
>> doing ldap only actually.
>>
>> When I want to install FreeIPA server on this IPA client it tells me
>> (which is logical):
>>
>> ipa.ipapython.install.cli.install_tool(Server): ERROR IPA client is
>> already configured on this system.
>> Please uninstall it before configuring the IPA server, using
>> 'ipa-client-install --uninstall'
>>
>> So what I want to do is install FreeIPA server on it but using local
>> system accounts to be auth against the former IPA server the client
>> was assigned to.
>>
>> So:
>>
>> IPA01 gets a host which is LDAP01 but LDAP01 needs to be installed
>> with FreeIPA (no dns and CA) as well but I want to have local
>> sysaccounts that login to cli and such auth against IPA01 after it's
>> installed with FreeIPA and the clientconfig for sssd is not there
>> anymore because of the 'ipa-client-install --uninstall'
>
> Still very confusing. LDAP has nothing to do with this. IPA is always at
> least LDAP + Kerberos + Apache + a few other minor services. So it's
> better to just say no DNS and no CA, though that isn't really relevant
> since those are always optional.
>
> It sounds like what you want to do is, on the same box, install IPA
> server and configure the local machine to point to a DIFFERENT IPA
> server for user/group lookups?
>
> You might be able to do it via sssd but it would be an unsupportable
> nightmare.
>
> rob
>
>>
>> 2017-04-07 23:11 GMT+02:00 Rob Crittenden <rcrit...@redhat.com>:
>>> Matt . wrote:
>>>> When I have a full ipa setup and I want to add a host to it that is
>>>> installed or needs to be installed as IPA LDAP server only, is that
>>>> possible ?
>>>
>>> If you're asking if only 389-ds can be configured on an IPA server, no,
>>> not using any IPA tools in any case.
>>>
>>>> Of course the ipa-server-install complains that the agent is already
>>>> configured on the host but there might be a way ? Or just copy the
>>>> config back faster the IPA LDAP only server is installed ?
>>>
>>> I don't understand. Seeing the error message and commands might help.
>>>
>>> rob
>>>
>



Re: [Freeipa-users] IPA Ldap only as Client on different IPA server

2017-04-07 Thread Matt .
Nope, I provision my servers and they are added to my FreeIPA
environment which auths my sysadmins. But on a server I provisioned
I need to install FreeIPA as well, but without DNS and CA, so it's
doing LDAP only actually.

When I want to install FreeIPA server on this IPA client it tells me
(which is logical):

ipa.ipapython.install.cli.install_tool(Server): ERROR IPA client is
already configured on this system.
Please uninstall it before configuring the IPA server, using
'ipa-client-install --uninstall'

So what I want to do is install FreeIPA server on it but using local
system accounts to be auth against the former IPA server the client
was assigned to.

So:

IPA01 gets a host which is LDAP01, but LDAP01 needs to be installed
with FreeIPA (no DNS and CA) as well, but I want to have local
sysaccounts that log in to the CLI and such auth against IPA01 after it's
installed with FreeIPA and the client config for sssd is not there
anymore because of the 'ipa-client-install --uninstall'.

2017-04-07 23:11 GMT+02:00 Rob Crittenden <rcrit...@redhat.com>:
> Matt . wrote:
>> When I have a full ipa setup and I want to add a host to it that is
>> installed or needs to be installed as IPA LDAP server only, is that
>> possible ?
>
> If you're asking if only 389-ds can be configured on an IPA server, no,
> not using any IPA tools in any case.
>
>> Of course the ipa-server-install complains that the agent is already
>> configured on the host but there might be a way ? Or just copy the
>> config back faster the IPA LDAP only server is installed ?
>
> I don't understand. Seeing the error message and commands might help.
>
> rob
>



[Freeipa-users] IPA Ldap only as Client on different IPA server

2017-04-07 Thread Matt .
When I have a full IPA setup and I want to add a host to it that is
installed or needs to be installed as IPA LDAP server only, is that
possible?

Of course the ipa-server-install complains that the agent is already
configured on the host, but there might be a way? Or just copy the
config back after the IPA LDAP only server is installed?

Thanks,

Matt



Re: [Freeipa-users] Auto create kerberos/ldap SRV records on subdomain

2017-04-04 Thread Matt .
Hi Alexander,

Superb, thanks a lot for this quick fix!

Matt

2017-04-04 20:48 GMT+02:00 Alexander Bokovoy <aboko...@redhat.com>:
> On ti, 04 huhti 2017, Matt . wrote:
>>
>> Hi guys,
>>
>> Is it possible to create in a simple way the SRV domains for kerberos
>> on subdomains? It's a pain to add them all manually when you have a
>> lot of subdomains.
>>
>> I hope someone has a solution.
>
> Create TXT record _kerberos.sub.domain.tld that contains name of your
> Kerberos realm in upper case. For MIT Kerberos clients this is enough to
> discover their proper Kerberos realm and DNS domain for SRV record
> discovery.
>
> --
> / Alexander Bokovoy



[Freeipa-users] Auto create kerberos/ldap SRV records on subdomain

2017-04-04 Thread Matt .
Hi guys,

Is it possible to create in a simple way the SRV domains for kerberos
on subdomains? It's a pain to add them all manually when you have a
lot of subdomains.

I hope someone has a solution.

Thanks!

Matt



Re: [Freeipa-users] Foreman => Insufficient 'add' privilege to the 'userPassword' attribute

2017-03-14 Thread Matt .
Hi Rob,

I have this solved, I think it was an issue in the foreman-proxy.

The reason why there are two users in the role was to test other
usernames, as you cannot use foreman-proxy for this for an example.

I need to update the Foreman ticket about it.

Thanks for helping out.

Cheers,

Matt

2017-03-14 19:51 GMT+01:00 Rob Crittenden <rcrit...@redhat.com>:
> Matt . wrote:
>> Hi Rob,
>>
>> Thanks for the update, the same error happens when I add a new host,
>> so I'm lost, the same for the Foreman devs.
>>
>> What can I check/test further ?
>
> See what 389-ds is logging in its access log.
>
> You may need to enable ACI summary debugging. See the 389-ds FAQ for
> instructions on how.
>
> I find it curious that there are 2 similarly named foreman users in the
> role.
>
> rob
>
>>
>> Thanks,
>>
>> Matt
>>
>> 2017-03-10 21:20 GMT+01:00 Rob Crittenden <rcrit...@redhat.com>:
>>> Matt . wrote:
>>>> Hi Rob,
>>>>
>>>> Thanks, but what do you mean here ? The Foreman has a script which
>>>> should be OK for it:
>>>>
>>>> https://github.com/theforeman/smart-proxy/blob/develop/sbin/foreman-prepare-realm
>>>>
>>>> Can you check this maybe ?
>>>
>>> Like I said, it's wrong.
>>>
>>> add grants the ability to add new entries, not updating existing ones.
>>>
>>> The right needs to be "write".
>>>
>>> rob
>>>
>>>>
>>>> Thanks,
>>>>
>>>> Matt
>>>>
>>>> 2017-03-10 17:21 GMT+01:00 Rob Crittenden <rcrit...@redhat.com>:
>>>>> Matt . wrote:
>>>>>> I'm trying to add a host using Foreman to the FreeIPA realm but this
>>>>>> doesn't work, all things seem to be fine and some other tests from
>>>>>> people are working:
>>>>>>
>>>>>> The issue is reported here: http://projects.theforeman.org/issues/18850
>>>>>>
>>>>>>
>>>>>> My settings are like this:
>>>>>>
>>>>>>
>>>>>> [root@ipa-01 ~]# ipa role-find
>>>>>> ---
>>>>>> 6 roles matched
>>>>>> ---
>>>>>>   Role name: helpdesk
>>>>>>   Description: Helpdesk
>>>>>>
>>>>>>   Role name: IT Security Specialist
>>>>>>   Description: IT Security Specialist
>>>>>>
>>>>>>   Role name: IT Specialist
>>>>>>   Description: IT Specialist
>>>>>>
>>>>>>   Role name: Security Architect
>>>>>>   Description: Security Architect
>>>>>>
>>>>>>   Role name: Smart Proxy Host Manager
>>>>>>   Description: Smart Proxy management
>>>>>>
>>>>>>   Role name: User Administrator
>>>>>>   Description: Responsible for creating Users and Groups
>>>>>> 
>>>>>> Number of entries returned 6
>>>>>> 
>>>>>> [root@ipa-01 ~]# ipa role-show "Smart Proxy Host Manager"
>>>>>>   Role name: Smart Proxy Host Manager
>>>>>>   Description: Smart Proxy management
>>>>>>   Member users: foreman-proxy, foreman-realm-proxy
>>>>>>   Privileges: Smart Proxy Host Management
>>>>>> [root@ipa-01 ~]# ipa privilege-show "Smart Proxy Host Management"
>>>>>>   Privilege name: Smart Proxy Host Management
>>>>>>   Description: Smart Proxy Host Management
>>>>>>   Permissions: Retrieve Certificates from the CA, System: Add DNS
>>>>>> Entries, System: Read DNS Entries, System: Remove DNS Entries, System:
>>>>>> Update DNS
>>>>>>Entries, System: Manage Host Certificates, System:
>>>>>> Manage Host Enrollment Password, System: Manage Host Keytab, System:
>>>>>> Modify Hosts,
>>>>>>System: Remove Hosts, System: Manage Service Keytab,
>>>>>> System: Modify Services, Add Host Enrollment Password
>>>>>>   Granting privilege to roles: Smart Proxy Host Manager
>>>>>> [root@ipa-01 ~]#
>>>>>> [root@ipa-01 ~]# ipa permission-find "Add Host"
>>>>>> ---

Re: [Freeipa-users] Foreman => Insufficient 'add' privilege to the 'userPassword' attribute

2017-03-10 Thread Matt .
Hi Rob,

Thanks for the update, the same error happens when I add a new host,
so I'm lost, the same for the Foreman devs.

What can I check/test further ?

Thanks,

Matt

2017-03-10 21:20 GMT+01:00 Rob Crittenden <rcrit...@redhat.com>:
> Matt . wrote:
>> Hi Rob,
>>
>> Thanks, but what do you mean here ? The Foreman has a script which
>> should be OK for it:
>>
>> https://github.com/theforeman/smart-proxy/blob/develop/sbin/foreman-prepare-realm
>>
>> Can you check this maybe ?
>
> Like I said, it's wrong.
>
> add grants the ability to add new entries, not updating existing ones.
>
> The right needs to be "write".
>
> rob
>
>>
>> Thanks,
>>
>> Matt
>>
>> 2017-03-10 17:21 GMT+01:00 Rob Crittenden <rcrit...@redhat.com>:
>>> Matt . wrote:
>>>> I'm trying to add a host using Foreman to the FreeIPA realm but this
>>>> doesn't work, all things seem to be fine and some other tests from
>>>> people are working:
>>>>
>>>> The issue is reported here: http://projects.theforeman.org/issues/18850
>>>>
>>>>
>>>> My settings are like this:
>>>>
>>>>
>>>> [root@ipa-01 ~]# ipa role-find
>>>> ---
>>>> 6 roles matched
>>>> ---
>>>>   Role name: helpdesk
>>>>   Description: Helpdesk
>>>>
>>>>   Role name: IT Security Specialist
>>>>   Description: IT Security Specialist
>>>>
>>>>   Role name: IT Specialist
>>>>   Description: IT Specialist
>>>>
>>>>   Role name: Security Architect
>>>>   Description: Security Architect
>>>>
>>>>   Role name: Smart Proxy Host Manager
>>>>   Description: Smart Proxy management
>>>>
>>>>   Role name: User Administrator
>>>>   Description: Responsible for creating Users and Groups
>>>> 
>>>> Number of entries returned 6
>>>> 
>>>> [root@ipa-01 ~]# ipa role-show "Smart Proxy Host Manager"
>>>>   Role name: Smart Proxy Host Manager
>>>>   Description: Smart Proxy management
>>>>   Member users: foreman-proxy, foreman-realm-proxy
>>>>   Privileges: Smart Proxy Host Management
>>>> [root@ipa-01 ~]# ipa privilege-show "Smart Proxy Host Management"
>>>>   Privilege name: Smart Proxy Host Management
>>>>   Description: Smart Proxy Host Management
>>>>   Permissions: Retrieve Certificates from the CA, System: Add DNS
>>>> Entries, System: Read DNS Entries, System: Remove DNS Entries, System:
>>>> Update DNS
>>>>Entries, System: Manage Host Certificates, System:
>>>> Manage Host Enrollment Password, System: Manage Host Keytab, System:
>>>> Modify Hosts,
>>>>System: Remove Hosts, System: Manage Service Keytab,
>>>> System: Modify Services, Add Host Enrollment Password
>>>>   Granting privilege to roles: Smart Proxy Host Manager
>>>> [root@ipa-01 ~]#
>>>> [root@ipa-01 ~]# ipa permission-find "Add Host"
>>>> -
>>>> 3 permissions matched
>>>> -
>>>>   Permission name: Add Host Enrollment Password
>>>>   Granted rights: add
>>>>   Effective attributes: userpassword
>>>>   Bind rule type: permission
>>>>   Subtree: cn=computers,cn=accounts,dc=office,dc=ipa,dc=domain,dc=tld
>>>>   Type: host
>>>>   Permission flags: V2, SYSTEM
>>>>
>>>>   Permission name: System: Add Hostgroups
>>>>   Granted rights: add
>>>>   Bind rule type: permission
>>>>   Subtree: cn=hostgroups,cn=accounts,dc=office,dc=ipa,dc=domain,dc=tld
>>>>   Type: hostgroup
>>>>   Permission flags: V2, MANAGED, SYSTEM
>>>>
>>>>   Permission name: System: Add Hosts
>>>>   Granted rights: add
>>>>   Bind rule type: permission
>>>>   Subtree: cn=computers,cn=accounts,dc=office,dc=ipa,dc=domain,dc=tld
>>>>   Type: host
>>>>   Permission flags: V2, MANAGED, SYSTEM
>>>> 
>>>> Number of entries returned 3
>>>> 
>>>>
>>>>
>>>> Can anyone help me out as I'm unsure where this goes wrong.
>>>>
>>>
>>> For 'Add Host Enrollment Password' the granted rights should be write
>>> not add.
>>>
>>> add is for adding entries, not writing attributes.
>>>
>>> rob
>>
>

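Added example, not from the thread, from FreeIPA or from the Foreman script: an audit of `ipa permission-find` text output that applies the rule Rob gives, that `add` is an entry-level right (create an entry) while setting an attribute such as userPassword on an existing host entry needs `write`. The sample input is the three permission entries Matt posted; the parser and the audit rule are mine.

```python
"""Flag attribute-scoped IPA permissions that carry only entry-level rights."""
from typing import Dict, List, Tuple

# Sample input: the `ipa permission-find "Add Host"` output from the thread.
SAMPLE = """\
-
3 permissions matched
-
  Permission name: Add Host Enrollment Password
  Granted rights: add
  Effective attributes: userpassword
  Bind rule type: permission
  Subtree: cn=computers,cn=accounts,dc=office,dc=ipa,dc=domain,dc=tld
  Type: host
  Permission flags: V2, SYSTEM

  Permission name: System: Add Hostgroups
  Granted rights: add
  Bind rule type: permission
  Subtree: cn=hostgroups,cn=accounts,dc=office,dc=ipa,dc=domain,dc=tld
  Type: hostgroup
  Permission flags: V2, MANAGED, SYSTEM

  Permission name: System: Add Hosts
  Granted rights: add
  Bind rule type: permission
  Subtree: cn=computers,cn=accounts,dc=office,dc=ipa,dc=domain,dc=tld
  Type: host
  Permission flags: V2, MANAGED, SYSTEM

Number of entries returned 3
"""

# Fields that ipa prints as comma-separated lists.
LIST_FIELDS = {"Granted rights", "Effective attributes", "Permission flags"}
# Rights that act on whole entries. On their own they never let the bound
# identity change an attribute of an entry that already exists.
ENTRY_RIGHTS = {"add", "delete"}


def parse_permissions(text: str) -> List[Dict[str, object]]:
    """Split the listing into entries on blank lines and keep 'Key: value'
    lines. Separator and summary lines contain no ': ' and are skipped; the
    first ': ' is the delimiter, so 'System: Add Hosts' survives as a value."""
    entries: List[Dict[str, object]] = []
    current: Dict[str, object] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        if ": " not in line:
            continue
        key, value = line.split(": ", 1)
        if key in LIST_FIELDS:
            current[key] = [v.strip() for v in value.split(",")]
        else:
            current[key] = value
    if current:
        entries.append(current)
    return entries


def audit(perms: List[Dict[str, object]]) -> List[Tuple[str, str]]:
    """Return (permission name, reason) for every permission that targets
    attributes but grants nothing beyond entry-level rights: such a permission
    can never satisfy a modify of those attributes, which is exactly the
    'Insufficient add privilege to the userPassword attribute' symptom."""
    findings = []
    for p in perms:
        attrs = p.get("Effective attributes", [])
        rights = set(p.get("Granted rights", []))
        if attrs and not rights - ENTRY_RIGHTS:
            reason = (f"targets {', '.join(attrs)} but grants only "
                      f"{', '.join(sorted(rights))}; setting an attribute needs write")
            findings.append((str(p["Permission name"]), reason))
    return findings


if __name__ == "__main__":
    for name, reason in audit(parse_permissions(SAMPLE)):
        print(f"{name}: {reason}")
```

To run it on a live server, pipe `ipa permission-find` output into parse_permissions. The second-order check after correcting the right is the one Rob suggests later in the thread: watch the 389-ds access log for the proxy user's MOD of userPassword and its result code, since a permission that looks right in `ipa` output can still be shadowed by another ACI.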


Re: [Freeipa-users] Foreman => Insufficient 'add' privilege to the 'userPassword' attribute

2017-03-10 Thread Matt .
Hi Rob,

Thanks, but what do you mean here ? The Foreman has a script which
should be OK for it:

https://github.com/theforeman/smart-proxy/blob/develop/sbin/foreman-prepare-realm

Can you check this maybe ?

Thanks,

Matt

2017-03-10 17:21 GMT+01:00 Rob Crittenden <rcrit...@redhat.com>:
> Matt . wrote:
>> I'm trying to add a host using Foreman to the FreeIPA realm but this
>> doesn't work, all things seem to be fine and some other tests from
>> people are working:
>>
>> The issue is reported here: http://projects.theforeman.org/issues/18850
>>
>>
>> My settings are like this:
>>
>>
>> [root@ipa-01 ~]# ipa role-find
>> ---
>> 6 roles matched
>> ---
>>   Role name: helpdesk
>>   Description: Helpdesk
>>
>>   Role name: IT Security Specialist
>>   Description: IT Security Specialist
>>
>>   Role name: IT Specialist
>>   Description: IT Specialist
>>
>>   Role name: Security Architect
>>   Description: Security Architect
>>
>>   Role name: Smart Proxy Host Manager
>>   Description: Smart Proxy management
>>
>>   Role name: User Administrator
>>   Description: Responsible for creating Users and Groups
>> 
>> Number of entries returned 6
>> 
>> [root@ipa-01 ~]# ipa role-show "Smart Proxy Host Manager"
>>   Role name: Smart Proxy Host Manager
>>   Description: Smart Proxy management
>>   Member users: foreman-proxy, foreman-realm-proxy
>>   Privileges: Smart Proxy Host Management
>> [root@ipa-01 ~]# ipa privilege-show "Smart Proxy Host Management"
>>   Privilege name: Smart Proxy Host Management
>>   Description: Smart Proxy Host Management
>>   Permissions: Retrieve Certificates from the CA, System: Add DNS
>> Entries, System: Read DNS Entries, System: Remove DNS Entries, System:
>> Update DNS
>>Entries, System: Manage Host Certificates, System:
>> Manage Host Enrollment Password, System: Manage Host Keytab, System:
>> Modify Hosts,
>>System: Remove Hosts, System: Manage Service Keytab,
>> System: Modify Services, Add Host Enrollment Password
>>   Granting privilege to roles: Smart Proxy Host Manager
>> [root@ipa-01 ~]#
>> [root@ipa-01 ~]# ipa permission-find "Add Host"
>> -
>> 3 permissions matched
>> -
>>   Permission name: Add Host Enrollment Password
>>   Granted rights: add
>>   Effective attributes: userpassword
>>   Bind rule type: permission
>>   Subtree: cn=computers,cn=accounts,dc=office,dc=ipa,dc=domain,dc=tld
>>   Type: host
>>   Permission flags: V2, SYSTEM
>>
>>   Permission name: System: Add Hostgroups
>>   Granted rights: add
>>   Bind rule type: permission
>>   Subtree: cn=hostgroups,cn=accounts,dc=office,dc=ipa,dc=domain,dc=tld
>>   Type: hostgroup
>>   Permission flags: V2, MANAGED, SYSTEM
>>
>>   Permission name: System: Add Hosts
>>   Granted rights: add
>>   Bind rule type: permission
>>   Subtree: cn=computers,cn=accounts,dc=office,dc=ipa,dc=domain,dc=tld
>>   Type: host
>>   Permission flags: V2, MANAGED, SYSTEM
>> 
>> Number of entries returned 3
>> 
>>
>>
>> Can anyone help me out as I'm unsure where this goes wrong.
>>
>
> For 'Add Host Enrollment Password' the granted rights should be write
> not add.
>
> add is for adding entries, not writing attributes.
>
> rob



[Freeipa-users] Foreman => Insufficient 'add' privilege to the 'userPassword' attribute

2017-03-09 Thread Matt .
I'm trying to add a host using Foreman to the FreeIPA realm but this
doesn't work, all things seem to be fine and some other tests from
people are working:

The issue is reported here: http://projects.theforeman.org/issues/18850


My settings are like this:


[root@ipa-01 ~]# ipa role-find
---
6 roles matched
---
  Role name: helpdesk
  Description: Helpdesk

  Role name: IT Security Specialist
  Description: IT Security Specialist

  Role name: IT Specialist
  Description: IT Specialist

  Role name: Security Architect
  Description: Security Architect

  Role name: Smart Proxy Host Manager
  Description: Smart Proxy management

  Role name: User Administrator
  Description: Responsible for creating Users and Groups

Number of entries returned 6

[root@ipa-01 ~]# ipa role-show "Smart Proxy Host Manager"
  Role name: Smart Proxy Host Manager
  Description: Smart Proxy management
  Member users: foreman-proxy, foreman-realm-proxy
  Privileges: Smart Proxy Host Management
[root@ipa-01 ~]# ipa privilege-show "Smart Proxy Host Management"
  Privilege name: Smart Proxy Host Management
  Description: Smart Proxy Host Management
  Permissions: Retrieve Certificates from the CA, System: Add DNS
Entries, System: Read DNS Entries, System: Remove DNS Entries, System:
Update DNS
   Entries, System: Manage Host Certificates, System:
Manage Host Enrollment Password, System: Manage Host Keytab, System:
Modify Hosts,
   System: Remove Hosts, System: Manage Service Keytab,
System: Modify Services, Add Host Enrollment Password
  Granting privilege to roles: Smart Proxy Host Manager
[root@ipa-01 ~]#
[root@ipa-01 ~]# ipa permission-find "Add Host"
-
3 permissions matched
-
  Permission name: Add Host Enrollment Password
  Granted rights: add
  Effective attributes: userpassword
  Bind rule type: permission
  Subtree: cn=computers,cn=accounts,dc=office,dc=ipa,dc=domain,dc=tld
  Type: host
  Permission flags: V2, SYSTEM

  Permission name: System: Add Hostgroups
  Granted rights: add
  Bind rule type: permission
  Subtree: cn=hostgroups,cn=accounts,dc=office,dc=ipa,dc=domain,dc=tld
  Type: hostgroup
  Permission flags: V2, MANAGED, SYSTEM

  Permission name: System: Add Hosts
  Granted rights: add
  Bind rule type: permission
  Subtree: cn=computers,cn=accounts,dc=office,dc=ipa,dc=domain,dc=tld
  Type: host
  Permission flags: V2, MANAGED, SYSTEM

Number of entries returned 3



Can anyone help me out as I'm unsure where this goes wrong.


Thanks so far!

Regards,

Matt



Re: [Freeipa-users] IPA 4.4 CA Replications

2017-03-02 Thread Matt Wells
Thank you for the response Martin.  Server1 had no flags upon install
however CA, DNS were selected during the installation.  Server2 was joined
and then the 'ipa-replica-install --skip-conn-check' used to join it.
Manual tests of the ports showed all was good but not in the installation
so I had to use the '--skip-conn-check'.
Server1 -
  Maximum username length: 32
  Home directory base: /home
  Default shell: /bin/sh
  Default users group: ipausers
  Default e-mail domain: lci.devdomain.com
  Search time limit: 2
  Search size limit: 100
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: FALSE
  Certificate Subject base: O=LCI.DEVDOMAIN.COM
  Password Expiration Notification (days): 4
  Password plugin features: AllowNThash
  SELinux user map order:
guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
  Default SELinux user: unconfined_u:s0-s0:c0.c1023
  Default PAC types: nfs:NONE, MS-PAC
  IPA masters: server1.lci.devdomain.com, server2.lci.devdomain.com
  IPA CA servers: server1.lci.devdomain.com
  IPA NTP servers: server1.lci.devdomain.com, server2.lci.devdomain.com
  IPA CA renewal master: server1.lci.devdomain.com



On Thu, Mar 2, 2017 at 12:39 AM Martin Basti <mba...@redhat.com> wrote:

>
>
> On 01.03.2017 22:00, Matt Wells wrote:
>
> I have two new IPA 4.4 servers on CentOS7 installed in a lab.  I built the
> first, joined the second and promoted it to be a master.  Thus far all went
> well.
>
> I then ran the ipa-ca-install and when I log back in I see that it has
> "domain,CA" attached to it.  However when I hit the main IPA page it
> informs me I only have one server in the CA role.
> Drilling down into server2 I see it does not have that role assigned.
> I'm certain I missed an easy step but I've been unable to locate it.
>
> Any guidance would be greatly appreciated.
>
>
>
> Hello,
>
> can you provide more info? How did you install servers (options used), on
> which server you ran ipa-ca-install ?
>
>
> Martin
>
-- 
*Matt Wells*
*Lead Systems Architect*
<https://www.redhat.com/rhtapps/certification/badge/verify/V3WMPVPAQ6I67AJBGN6FZU6N2YAEQU3CUPSQX2KSDXT6RW46LQ3U7PJCSIXUILAFHEDCMJS26CYXW4U5NQYTCNA62RUWOCM34WWBUYQ=>
<https://www.bridgevine.com/>

[Freeipa-users] IPA 4.4 CA Replications

2017-03-01 Thread Matt Wells
I have two new IPA 4.4 servers on CentOS7 installed in a lab.  I built the
first, joined the second and promoted it to be a master.  Thus far all went
well.

I then ran the ipa-ca-install and when I log back in I see that it has
"domain,CA" attached to it.  However when I hit the main IPA page it
informs me I only have one server in the CA role.
Drilling down into server2 I see it does not have that role assigned.
I'm certain I missed an easy step but I've been unable to locate it.

Any guidance would be greatly appreciated.

Re: [Freeipa-users] Cannot install 3rd party certificate

2017-02-21 Thread Matt .
Hi Flo,

Yes it does! Thanks for that. Is it not possible to remove a
certificate fully as it always syncs this way? Or remove it from
/etc/httpd/alias, then from ldap and then sync again?

Cheers,

Matt

2017-02-21 9:03 GMT+01:00 Florence Blanc-Renaud <f...@redhat.com>:
> On 02/20/2017 04:09 PM, Matt . wrote:
>>
>> Hi Rob,
>>
>> Yes it does, I understood that there was some reason the duplicate
>> might exist, but I wonder more why does the RootCA show up when I
>> removed it and comes back after adding the two intermediates ?
>>
> Hi Matt,
>
> when ipa-cacert-manage install is run, it adds an LDAP entry for the new CA
> certificate below cn=certificates,cn=ipa,cn=etc,$BASEDN.
> When ipa-certupdate is run, it adds all the certificates found in
> cn=certificates,cn=ipa,cn=etc,$BASEDN to /etc/httpd/alias.
> So even if you remove one certificate from /etc/httpd/alias, the next
> ipa-certupdate command will re-add this CA cert if it is still present in
> LDAP.
>
> Hope this clarifies,
> Flo.
>
>
>
>> Thanks
>>
>> Matt
>>
>>
>> 2017-02-20 15:20 GMT+01:00 Rob Crittenden <rcrit...@redhat.com>:
>>>
>>> Matt . wrote:
>>>>
>>>> Hi,
>>>>
>>>> The install seems to be OK this way, but I'm still confused about the
>>>> duplicated and the RootCA.
>>>
>>>
>>> What does this show?
>>>
>>> #3 certutil -L -d /etc/httpd/alias -n COMODORSAAddTrustCA
>>>
>>> I'm guessing it will show two certs with different serial numbers, which
>>> means this is a-ok.
>>>
>>> rob
>>>
>>>>
>>>> 2017-02-18 14:47 GMT+01:00 Matt . <yamakasi@gmail.com>:
>>>>>
>>>>> Hi Florence,
>>>>>
>>>>>
>>>>> I'm actually still investigating this as the following occurs.
>>>>>
>>>>> I have removed all unneeded certs and installed the 2 intermediates
>>>>> for Comodo and did an ipa-certupdate which results in this:
>>>>>
>>>>> #certutil -L -d /etc/httpd/alias
>>>>>
>>>>> Certificate Nickname Trust
>>>>> Attributes
>>>>>
>>>>> SSL,S/MIME,JAR/XPI
>>>>>
>>>>> CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA
>>>>> Limited,L=Salford,ST=Greater Manchester,C=GB C,,
>>>>> AddTrustExternalCARoot   C,,
>>>>> ipaCert  u,u,u
>>>>> COMODORSAAddTrustCA  C,,
>>>>> COMODORSAAddTrustCA  C,,
>>>>> IPA.MYDOMAIN.TLD IPA CA CT,C,C
>>>>>
>>>>>
>>>>> I'm curious why the COMODORSAAddTrustCA is there twice, if I remove
>>>>> both and start over they are duplicated again. Also the
>>>>> AddTrustExternalCARoot comes back again even when this was not
>>>>> installed anymore as it's not needed.
>>>>>
>>>>> I'm able to install my cert after the update:
>>>>>
>>>>>
>>>>> #certutil -L -d /etc/httpd/alias
>>>>>
>>>>> Certificate Nickname Trust
>>>>> Attributes
>>>>>
>>>>> SSL,S/MIME,JAR/XPI
>>>>>
>>>>> CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA
>>>>> Limited,L=Salford,ST=Greater Manchester,C=GB C,,
>>>>> AddTrustExternalCARoot   C,,
>>>>> ipaCert  u,u,u
>>>>> COMODORSAAddTrustCA  C,,
>>>>> COMODORSAAddTrustCA  C,,
>>>>> IPA.MYDOMAIN.TLD IPA CA     CT,C,C
>>>>> CN=*.ipa.mydomain.tld,OU=PositiveSSL Wildcard,OU=Domain Control
>>>>> Validated u,u,u
>>>>>
>>>>>
>>>>>
>>>>> Now this works great for the WebGui which uses the right Certificate
>>>>> for the ssl connection but ldaps on port 636 seems to use:
>>>>>
>>>>> CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA
>>>>> Limited,L=Salford,ST=Greater Manchest
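Added example, not from the thread and not FreeIPA's own code: a parser for `certutil -L` output that reports nicknames listed more than once (the COMODORSAAddTrustCA question), plus a small model of the sync Flo describes, where ipa-certupdate adds every CA certificate held under cn=certificates,cn=ipa,cn=etc,$BASEDN to /etc/httpd/alias. The listing is Matt's, re-wrapped to one entry per line; the LDAP side is a constructed set of nicknames, and the model is keyed by nickname only, which is a simplification.

```python
"""certutil -L parsing and a model of what ipa-certupdate re-adds from LDAP."""
import re
from collections import Counter
from typing import Dict, List, Set, Tuple

# Constructed from the listing in the thread, one certificate per line.
LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB C,,
AddTrustExternalCARoot                                       C,,
ipaCert                                                      u,u,u
COMODORSAAddTrustCA                                          C,,
COMODORSAAddTrustCA                                          C,,
IPA.MYDOMAIN.TLD IPA CA                                      CT,C,C
"""

# A nickname (may contain spaces and commas) followed by the three trust flag
# groups for SSL, S/MIME and code signing. Header lines never end in such a
# triple, so they fall through.
ENTRY_RE = re.compile(r"^(?P<nick>.+?)\s+(?P<trust>[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*)\s*$")


def parse_certutil_listing(text: str) -> List[Tuple[str, str]]:
    """Return (nickname, trust attributes) per certificate line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.rstrip())
        if m:
            entries.append((m.group("nick"), m.group("trust")))
    return entries


def duplicate_nicknames(entries: List[Tuple[str, str]]) -> Dict[str, int]:
    """Nicknames listed more than once. NSS keeps several certificates under
    one nickname when their issuer/serial differ, so this is something to
    inspect with `certutil -L -d /etc/httpd/alias -n <nick>` rather than an
    error by itself."""
    counts = Counter(nick for nick, _ in entries)
    return {nick: n for nick, n in counts.items() if n > 1}


def next_certupdate_state(nss: Set[str], ldap_cas: Set[str]) -> Tuple[Set[str], Set[str]]:
    """Model of the sync: ipa-certupdate adds every CA certificate stored in
    LDAP to the NSS database. Returns (database after the run, nicknames that
    came back). Deleting a certificate only from the database does not stick;
    it stops returning only once the LDAP entry is gone as well."""
    readded = ldap_cas - nss
    return nss | ldap_cas, readded


if __name__ == "__main__":
    entries = parse_certutil_listing(LISTING)
    print("duplicates:", duplicate_nicknames(entries))
    ldap_cas = {"AddTrustExternalCARoot", "COMODORSAAddTrustCA", "IPA.MYDOMAIN.TLD IPA CA"}
    db = {nick for nick, _ in entries} - {"AddTrustExternalCARoot"}   # removed from NSS only
    after, readded = next_certupdate_state(db, ldap_cas)
    print("re-added by ipa-certupdate:", readded)
```

The practical consequence for the question above: list what is under cn=certificates,cn=ipa,cn=etc,$BASEDN with a plain ldapsearch and compare it with the certutil listing before deciding which side a stray CA certificate has to be removed from.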

Re: [Freeipa-users] sysaccounts max length

2017-02-20 Thread Matt .
Oh sorry, I thought I did, must have been some conceptmail then :)



2017-02-20 21:21 GMT+01:00 Rob Crittenden <rcrit...@redhat.com>:
> Matt . wrote:
>> Hi All,
>>
>> Yes as I stated I see software, multiple, having issues with usernames
>> larger than 28 characters.
>
> You didn't say you had issues you just asked what the max length is.
>
> rob
>
>>
>> Cheers,
>>
>> Matt
>>
>> 2017-02-20 15:53 GMT+01:00 Rob Crittenden <rcrit...@redhat.com>:
>>> David Kupka wrote:
>>>> On Sat, Feb 18, 2017 at 03:06:21PM +0100, Matt . wrote:
>>>>> Hi Guys,
>>>>>
>>>>> Does anyone know what the max length for a sysaccount username is ?
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Matt
>>>>>
>>>> Hello!
>>>>
>>>> From man 8 useradd:
>>>>
>>>> Usernames may only be up to 32 characters long.
>>>
>>> This is a sysaccount so it has no login capabilities.
>>>
>>> I'm not aware of any RFC-specific maximum length for attributes. There
>>> may be implementation-specific limitations.
>>>
>>> Why do you ask? Is something not working?
>>>
>>> rob
>



Re: [Freeipa-users] sysaccounts max length

2017-02-20 Thread Matt .
Hi All,

Yes as I stated I see software, multiple, having issues with usernames
larger than 28 characters.

Cheers,

Matt

2017-02-20 15:53 GMT+01:00 Rob Crittenden <rcrit...@redhat.com>:
> David Kupka wrote:
>> On Sat, Feb 18, 2017 at 03:06:21PM +0100, Matt . wrote:
>>> Hi Guys,
>>>
>>> Does anyone know what the max length for a sysaccount username is ?
>>>
>>> Thanks,
>>>
>>> Matt
>>>
>> Hello!
>>
>> From man 8 useradd:
>>
>> Usernames may only be up to 32 characters long.
>
> This is a sysaccount so it has no login capabilities.
>
> I'm not aware of any RFC-specific maximum length for attributes. There
> may be implementation-specific limitations.
>
> Why do you ask? Is something not working?
>
> rob



Re: [Freeipa-users] Cannot install 3rd party certificate

2017-02-20 Thread Matt .
Hi Rob,

Yes it does, I understood that there was some reason the duplicate
might exist, but I wonder more why the RootCA shows up when I
removed it and comes back after adding the two intermediates ?

Thanks

Matt


2017-02-20 15:20 GMT+01:00 Rob Crittenden <rcrit...@redhat.com>:
> Matt . wrote:
>> Hi,
>>
>> The install seems to be OK this way, but I'm still confused about the
>> duplicates and the RootCA.
>
> What does this show?
>
> #3 certutil -L -d /etc/httpd/alias -n COMODORSAAddTrustCA
>
> I'm guessing it will show two certs with different serial numbers, which
> means this is a-ok.
>
> rob
>
>>
>> 2017-02-18 14:47 GMT+01:00 Matt . <yamakasi@gmail.com>:
>>> Hi Florance,
>>>
>>>
>>> I'm actually still investigating this as the following occurs.
>>>
>>> I have removed all unneeded certs and installed the 2 intermediates
>>> for Comodo and did an ipa-certupdate which results in this:
>>>
>>> #certutil -L -d /etc/httpd/alias
>>>
>>> Certificate Nickname Trust 
>>> Attributes
>>>  
>>> SSL,S/MIME,JAR/XPI
>>>
>>> CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA
>>> Limited,L=Salford,ST=Greater Manchester,C=GB C,,
>>> AddTrustExternalCARoot   C,,
>>> ipaCert  u,u,u
>>> COMODORSAAddTrustCA  C,,
>>> COMODORSAAddTrustCA  C,,
>>> IPA.MYDOMAIN.TLD IPA CA CT,C,C
>>>
>>>
>>> I'm curious why the COMODORSAAddTrustCA is there twice, if I remove
>>> both and start over they are duplicated again. Also the
>>> AddTrustExternalCARoot comes back again even when this was not
>>> installed anymore as it's not needed.
>>>
>>> I'm able to install my cert after the update:
>>>
>>>
>>> #certutil -L -d /etc/httpd/alias
>>>
>>> Certificate Nickname Trust 
>>> Attributes
>>>  
>>> SSL,S/MIME,JAR/XPI
>>>
>>> CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA
>>> Limited,L=Salford,ST=Greater Manchester,C=GB C,,
>>> AddTrustExternalCARoot   C,,
>>> ipaCert  u,u,u
>>> COMODORSAAddTrustCA  C,,
>>> COMODORSAAddTrustCA  C,,
>>> IPA.MYDOMAIN.TLD IPA CA CT,C,C
>>> CN=*.ipa.mydomain.tld,OU=PositiveSSL Wildcard,OU=Domain Control Validated 
>>> u,u,u
>>>
>>>
>>>
>>> Now this works great for the WebGui which uses the right Certificate
>>> for the ssl connection but ldaps on port 636 seems to use:
>>>
>>> CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA
>>> Limited,L=Salford,ST=Greater Manchester,C=GB
>>>
>>>
>>> Do you have any clue about this ?
>>>
>>> I'm also curious about what IPA syncs between all hosts, it seems to
>>> be only the Intermediate certs and not the install domains
>>> certificate, this needs to be installed manually after a local
>>> #ipa-certupdate on each node ?
>>>
>>> I hope you can clarify this.
>>>
>>>
>>> Thanks,
>>>
>>> Matt
>>>
>>>
>>> 2017-02-17 0:15 GMT+01:00 Matt . <yamakasi@gmail.com>:
>>>> Hi Flo,
>>>>
>>>> Sure I can, I will look through the steps closely tomorrow and will
>>>> create some lineup here.
>>>>
>>>> Cheers,
>>>>
>>>> Matt
>>>>
>>>> 2017-02-16 23:55 GMT+01:00 Florence Blanc-Renaud <f...@redhat.com>:
>>>>> On 02/16/2017 09:55 PM, Matt . wrote:
>>>>>>
>>>>>> Hi Flo! (if I may call you like that, saves some characters in typing
>>>>>> but with this extra line it doesn't anymore :))
>>>>>>
>>>>>> This works perfectly, thank you very much.
>>>>>>
>>>>> Hi Matt,
>>>>>
>>>>> glad I could help. What did you do differently that could explain the
>>>>> failure, though? Maybe the cert installation needs some hardening.
>>>>>
>>>>> Flo.
>>>>>
>>>>>> No questions further actually :)
>>>>>>
>>>>>> Cheers,
>>>>>>
>>>>>> Matt
>>>>>>
>>>>>> 2017-02-16 11:17 GMT+01:00 Florence Blanc-Renaud <f...@redhat.com>:
>>>>>>>
>

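The certutil listing quoted above is easier to reason about once the trust column is spelled out and duplicate nicknames are surfaced automatically. The following is an added example, not code from the FreeIPA project or from anyone in the thread; the function names are my own, and the sample listing is the one from the thread with its wrapped DN lines rejoined. The trust string certutil prints has three comma-separated fields (SSL, S/MIME, JAR/XPI, the header it shows), and the letters decoded here are C (trusted CA), T (trusted CA for client authentication), c (valid CA), P (trusted peer), p (prohibited) and u (user certificate, private key present in the database).

```shell
#!/bin/sh
# Added example, not code from the FreeIPA project or from anyone in the
# thread: decode the trust column of a `certutil -L` listing and report
# nicknames that occur more than once, as COMODORSAAddTrustCA does in the
# listing quoted above. The function names are my own.

# decode_trust FLAGS: spell out one NSS trust string such as "CT,C,C".
# Fields are SSL, S/MIME and JAR/XPI, in that order.
decode_trust() {
    printf '%s\n' "$1" | awk -F, '
        function words(f,   s) {
            s = ""
            if (f ~ /p/) s = s "prohibited;"
            if (f ~ /P/) s = s "trusted peer;"
            if (f ~ /C/) s = s "trusted CA;"
            if (f ~ /T/) s = s "trusted CA for client auth;"
            if (f ~ /c/) s = s "valid CA;"
            if (f ~ /u/) s = s "user cert (private key present);"
            return (s == "") ? "no trust" : s
        }
        { printf "SSL=[%s] S/MIME=[%s] JAR/XPI=[%s]\n", words($1), words($2), words($3) }'
}

# cert_rows FILE: print "FLAGS<TAB>NICKNAME" for each certificate row of a
# certutil -L listing. The trust string is always the last field; header
# lines carry none and are skipped.
cert_rows() {
    awk '$NF ~ /^[CTcuPp]*,[CTcuPp]*,[CTcuPp]*$/ {
        flags = $NF
        sub(/[ \t]+[^ \t]+[ \t]*$/, "")
        print flags "\t" $0
    }' "$1"
}

# nicknames FILE: just the nickname column.
nicknames() {
    cert_rows "$1" | cut -f2-
}

# duplicate_nicknames FILE: nicknames that appear more than once. NSS allows
# this when the certificates differ (different serial numbers); compare them
# with: certutil -L -d /etc/httpd/alias -n NICKNAME
duplicate_nicknames() {
    nicknames "$1" | sort | uniq -d
}

# report FILE: every certificate with its trust flags decoded.
report() {
    cert_rows "$1" | while IFS="$(printf '\t')" read -r flags nick; do
        printf '%-32s %-8s %s\n' "$nick" "$flags" "$(decode_trust "$flags")"
    done
}

# Sample listing, taken from the thread (the wrapped DN lines are rejoined).
WORKDIR=$(mktemp -d)
LISTING="$WORKDIR/httpd-alias.txt"
cat > "$LISTING" <<'EOF'
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB C,,
AddTrustExternalCARoot                                       C,,
ipaCert                                                      u,u,u
COMODORSAAddTrustCA                                          C,,
COMODORSAAddTrustCA                                          C,,
IPA.MYDOMAIN.TLD IPA CA                                      CT,C,C
CN=*.ipa.mydomain.tld,OU=PositiveSSL Wildcard,OU=Domain Control Validated u,u,u
EOF

report "$LISTING"
echo "duplicate nicknames: $(duplicate_nicknames "$LISTING")"
```

Run against a live database with `certutil -L -d /etc/httpd/alias > listing.txt` and pass that file to `report` and `duplicate_nicknames`. A duplicate nickname on its own is not an error; as Rob suggests, the two certificates behind it are expected to have different serial numbers, which `certutil -L -n NICKNAME` will show.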


Re: [Freeipa-users] Cannot install 3rd party certificate

2017-02-20 Thread Matt .
Hi,

The install seems to be OK this way, but I'm still confused about the
duplicates and the RootCA.

Cheers,

Matt

2017-02-18 14:47 GMT+01:00 Matt . <yamakasi@gmail.com>:
> Hi Florance,
>
>
> I'm actually still investigating this as the following occurs.
>
> I have removed all unneeded certs and installed the 2 intermediates
> for Comodo and did an ipa-certupdate which results in this:
>
> #certutil -L -d /etc/httpd/alias
>
> Certificate Nickname Trust Attributes
>  
> SSL,S/MIME,JAR/XPI
>
> CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA
> Limited,L=Salford,ST=Greater Manchester,C=GB C,,
> AddTrustExternalCARoot   C,,
> ipaCert  u,u,u
> COMODORSAAddTrustCA  C,,
> COMODORSAAddTrustCA  C,,
> IPA.MYDOMAIN.TLD IPA CA CT,C,C
>
>
> I'm curious why the COMODORSAAddTrustCA is there twice, if I remove
> both and start over they are duplicated again. Also the
> AddTrustExternalCARoot comes back again even when this was not
> installed anymore as it's not needed.
>
> I'm able to install my cert after the update:
>
>
> #certutil -L -d /etc/httpd/alias
>
> Certificate Nickname Trust Attributes
>  
> SSL,S/MIME,JAR/XPI
>
> CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA
> Limited,L=Salford,ST=Greater Manchester,C=GB C,,
> AddTrustExternalCARoot   C,,
> ipaCert  u,u,u
> COMODORSAAddTrustCA  C,,
> COMODORSAAddTrustCA  C,,
> IPA.MYDOMAIN.TLD IPA CA CT,C,C
> CN=*.ipa.mydomain.tld,OU=PositiveSSL Wildcard,OU=Domain Control Validated 
> u,u,u
>
>
>
> Now this works great for the WebGui which uses the right Certificate
> for the ssl connection but ldaps on port 636 seems to use:
>
> CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA
> Limited,L=Salford,ST=Greater Manchester,C=GB
>
>
> Do you have any clue about this ?
>
> I'm also curious about what IPA syncs between all hosts, it seems to
> be only the Intermediate certs and not the install domains
> certificate, this needs to be installed manually after a local
> #ipa-certupdate on each node ?
>
> I hope you can clarify this.
>
>
> Thanks,
>
> Matt
>
>
> 2017-02-17 0:15 GMT+01:00 Matt . <yamakasi@gmail.com>:
>> Hi Flo,
>>
>> Sure I can, I will look through the steps closely tomorrow and will
>> create some lineup here.
>>
>> Cheers,
>>
>> Matt
>>
>> 2017-02-16 23:55 GMT+01:00 Florence Blanc-Renaud <f...@redhat.com>:
>>> On 02/16/2017 09:55 PM, Matt . wrote:
>>>>
>>>> Hi Flo! (if I may call you like that, saves some characters in typing
>>>> but with this extra line it doesn't anymore :))
>>>>
>>>> This works perfectly, thank you very much.
>>>>
>>> Hi Matt,
>>>
>>> glad I could help. What did you do differently that could explain the
>>> failure, though? Maybe the cert installation needs some hardening.
>>>
>>> Flo.
>>>
>>>> No questions further actually :)
>>>>
>>>> Cheers,
>>>>
>>>> Matt
>>>>
>>>> 2017-02-16 11:17 GMT+01:00 Florence Blanc-Renaud <f...@redhat.com>:
>>>>>
>>>>> On 02/15/2017 05:40 PM, Matt . wrote:
>>>>>>
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> Is there any update on this ? I need to install 3 other instances but
>>>>>> I would like to know upfront if it might be a bug.
>>>>>>
>>>>> Hi Matt,
>>>>>
>>>>> I was not able to reproduce your issue. Here were my steps:
>>>>>
>>>>> Install FreeIPA with self-signed cert:
>>>>> ipa-server-install -n $DOMAIN -r $REALM -p $PASSWORD -a $PASSWORD
>>>>>
>>>>> The certificate chain is ca1 -> subca -> server.
>>>>> Install the root CA:
>>>>> kinit admin
>>>>> ipa-cacert-manage -p $PASSWORD -n ca1 -t C,, install ca1.pem
>>>>> ipa-certupdate
>

[Freeipa-users] sysaccounts max length

2017-02-18 Thread Matt .
Hi Guys,

Does anyone know what the max length for a sysaccount username is ?

Thanks,

Matt



Re: [Freeipa-users] Cannot install 3rd party certificate

2017-02-16 Thread Matt .
Hi Flo,

Sure I can, I will look through the steps closely tomorrow and will
create some lineup here.

Cheers,

Matt

2017-02-16 23:55 GMT+01:00 Florence Blanc-Renaud <f...@redhat.com>:
> On 02/16/2017 09:55 PM, Matt . wrote:
>>
>> Hi Flo! (if I may call you like that, saves some characters in typing
>> but with this extra line it doesn't anymore :))
>>
>> This works perfectly, thank you very much.
>>
> Hi Matt,
>
> glad I could help. What did you do differently that could explain the
> failure, though? Maybe the cert installation needs some hardening.
>
> Flo.
>
>> No questions further actually :)
>>
>> Cheers,
>>
>> Matt
>>
>> 2017-02-16 11:17 GMT+01:00 Florence Blanc-Renaud <f...@redhat.com>:
>>>
>>> On 02/15/2017 05:40 PM, Matt . wrote:
>>>>
>>>>
>>>> Hi,
>>>>
>>>> Is there any update on this ? I need to install 3 other instances but
>>>> I would like to know upfront if it might be a bug.
>>>>
>>> Hi Matt,
>>>
>>> I was not able to reproduce your issue. Here were my steps:
>>>
>>> Install FreeIPA with self-signed cert:
>>> ipa-server-install -n $DOMAIN -r $REALM -p $PASSWORD -a $PASSWORD
>>>
>>> The certificate chain is ca1 -> subca -> server.
>>> Install the root CA:
>>> kinit admin
>>> ipa-cacert-manage -p $PASSWORD -n ca1 -t C,, install ca1.pem
>>> ipa-certupdate
>>>
>>> Install the subca:
>>> ipa-cacert-manage -p $PASSWORD -n subca -t C,, install subca.pem
>>> ipa-certupdate
>>>
>>> Install the server cert:
>>> ipa-server-certinstall -d -w server.pem key.pem
>>>
>>> ipa-certupdate basically retrieves the certificates from LDAP (below
>>> cn=certificates,cn=ipa,cn=etc,$BASEDN) and puts them in /etc/httpd/alias
>>> but
>>> I don't remember it removing certs.
>>>
>>> Can you check the content of your LDAP server?
>>> kinit admin
>>> ldapsearch -h `hostname` -p 389 -Y GSSAPI -b
>>> cn=certificates,cn=ipa,cn=etc,$BASEDN
>>>
>>> It should contain one entry for each CA that you added.
>>>
>>> Flo.
>>>
>>>> Thanks,
>>>>
>>>> Matt
>>>>
>>>> 2017-02-14 17:59 GMT+01:00 Matt . <yamakasi@gmail.com>:
>>>>>
>>>>>
>>>>> Hi Florance,
>>>>>
>>>>> Sure I can, here you go:
>>>>>
>>>>> Fedora 24
>>>>> Freeipa VERSION: 4.4.2, API_VERSION: 2.215
>>>>>
>>>>> I installed this server as self-signed CA
>>>>>
>>>>> Cheers,
>>>>>
>>>>> Matt
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> 2017-02-14 17:54 GMT+01:00 Florence Blanc-Renaud <f...@redhat.com>:
>>>>>>
>>>>>>
>>>>>> On 02/14/2017 05:43 PM, Matt . wrote:
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Hi Florance,
>>>>>>>
>>>>>>> Thanks for your update, good to see some good info about it. For
>>>>>>> Comodo I have installed all these:
>>>>>>>
>>>>>>> AddTrustExternalCARoot.crt
>>>>>>> COMODORSAAddTrustCA.crt
>>>>>>> COMODORSADomainValidationSecureServerCA.crt
>>>>>>>
>>>>>>>  Where COMODORSADomainValidationSecureServerCA.crt is not needed as
>>>>>>> far as I know but the same issues still exist, the Server-Cert is
>>>>>>> removed again on ipa-certupdate and fails.
>>>>>>>
>>>>>>> I have tried this with setenforce 0
>>>>>>>
>>>>>> Hi Matt,
>>>>>>
>>>>>> can you provide more info in order to reproduce the issue?
>>>>>> - which OS are you using
>>>>>> - IPA version
>>>>>> - how did you install ipa server (CA-less or with self-signed CA or
>>>>>> with
>>>>>> externally-signed CA?)
>>>>>>
>>>>>> Thanks,
>>>>>> Flo.
>>>>>>
>>>>>>
>>>>>>> Cheers,
>>>>>>>
>>>>>>> Matt
>>>>>>>
>>>>>>

Re: [Freeipa-users] Cannot install 3rd party certificate

2017-02-16 Thread Matt .
Hi Flo! (if I may call you like that, saves some characters in typing
but with this extra line it doesn't anymore :))

This works perfectly, thank you very much.

No questions further actually :)

Cheers,

Matt

2017-02-16 11:17 GMT+01:00 Florence Blanc-Renaud <f...@redhat.com>:
> On 02/15/2017 05:40 PM, Matt . wrote:
>>
>> Hi,
>>
>> Is there any update on this ? I need to install 3 other instances but
>> I would like to know upfront if it might be a bug.
>>
> Hi Matt,
>
> I was not able to reproduce your issue. Here were my steps:
>
> Install FreeIPA with self-signed cert:
> ipa-server-install -n $DOMAIN -r $REALM -p $PASSWORD -a $PASSWORD
>
> The certificate chain is ca1 -> subca -> server.
> Install the root CA:
> kinit admin
> ipa-cacert-manage -p $PASSWORD -n ca1 -t C,, install ca1.pem
> ipa-certupdate
>
> Install the subca:
> ipa-cacert-manage -p $PASSWORD -n subca -t C,, install subca.pem
> ipa-certupdate
>
> Install the server cert:
> ipa-server-certinstall -d -w server.pem key.pem
>
> ipa-certupdate basically retrieves the certificates from LDAP (below
> cn=certificates,cn=ipa,cn=etc,$BASEDN) and puts them in /etc/httpd/alias but
> I don't remember it removing certs.
>
> Can you check the content of your LDAP server?
> kinit admin
> ldapsearch -h `hostname` -p 389 -Y GSSAPI -b
> cn=certificates,cn=ipa,cn=etc,$BASEDN
>
> It should contain one entry for each CA that you added.
>
> Flo.
>
>> Thanks,
>>
>> Matt
>>
>> 2017-02-14 17:59 GMT+01:00 Matt . <yamakasi@gmail.com>:
>>>
>>> Hi Florance,
>>>
>>> Sure I can, here you go:
>>>
>>> Fedora 24
>>> Freeipa VERSION: 4.4.2, API_VERSION: 2.215
>>>
>>> I installed this server as self-signed CA
>>>
>>> Cheers,
>>>
>>> Matt
>>>
>>>
>>>
>>>
>>> 2017-02-14 17:54 GMT+01:00 Florence Blanc-Renaud <f...@redhat.com>:
>>>>
>>>> On 02/14/2017 05:43 PM, Matt . wrote:
>>>>>
>>>>>
>>>>> Hi Florance,
>>>>>
>>>>> Thanks for your update, good to see some good info about it. For
>>>>> Comodo I have installed all these:
>>>>>
>>>>> AddTrustExternalCARoot.crt
>>>>> COMODORSAAddTrustCA.crt
>>>>> COMODORSADomainValidationSecureServerCA.crt
>>>>>
>>>>>  Where COMODORSADomainValidationSecureServerCA.crt is not needed as
>>>>> far as I know but the same issues still exist, the Server-Cert is
>>>>> removed again on ipa-certupdate and fails.
>>>>>
>>>>> I have tried this with setenforce 0
>>>>>
>>>> Hi Matt,
>>>>
>>>> can you provide more info in order to reproduce the issue?
>>>> - which OS are you using
>>>> - IPA version
>>>> - how did you install ipa server (CA-less or with self-signed CA or with
>>>> externally-signed CA?)
>>>>
>>>> Thanks,
>>>> Flo.
>>>>
>>>>
>>>>> Cheers,
>>>>>
>>>>> Matt
>>>>>
>>>>> 2017-02-14 17:24 GMT+01:00 Florence Blanc-Renaud <f...@redhat.com>:
>>>>>>
>>>>>>
>>>>>> On 02/14/2017 02:54 PM, Matt . wrote:
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Certs are valid, I will check what you mentioned.
>>>>>>>
>>>>>>> I'm also no fan of bundles, more the separate files but this doesn't
>>>>>>> seem to work always. At least for the CAroot a bundle was required.
>>>>>>>
>>>>>> Hi Matt,
>>>>>>
>>>>>> if your certificate was provided by an intermediate CA, you need to
>>>>>> add
>>>>>> each
>>>>>> CA before running ipa-server-certinstall (start from the top-level CA
>>>>>> with
>>>>>> ipa-cacert-manage install, then run ipa-certupdate, then the
>>>>>> intermediate
>>>>>> CA
>>>>>> with ipa-cacert-manage install, then ipa-certupdate etc...)
>>>>>>
>>>>>> There is also a known issue with ipa-certupdate and SELinux in
>>>>>> enforcing
>>>>>> mode (https://bugzilla.redhat.com/show_bug.cgi?id=1349024).
>>>>>>
>>>>>> Flo

Re: [Freeipa-users] Cannot install 3rd party certificate

2017-02-15 Thread Matt .
Hi,

Is there any update on this ? I need to install 3 other instances but
I would like to know upfront if it might be a bug.

Thanks,

Matt

2017-02-14 17:59 GMT+01:00 Matt . <yamakasi@gmail.com>:
> Hi Florance,
>
> Sure I can, here you go:
>
> Fedora 24
> Freeipa VERSION: 4.4.2, API_VERSION: 2.215
>
> I installed this server as self-signed CA
>
> Cheers,
>
> Matt
>
>
>
>
> 2017-02-14 17:54 GMT+01:00 Florence Blanc-Renaud <f...@redhat.com>:
>> On 02/14/2017 05:43 PM, Matt . wrote:
>>>
>>> Hi Florance,
>>>
>>> Thanks for your update, good to see some good info about it. For
>>> Comodo I have installed all these:
>>>
>>> AddTrustExternalCARoot.crt
>>> COMODORSAAddTrustCA.crt
>>> COMODORSADomainValidationSecureServerCA.crt
>>>
>>>  Where COMODORSADomainValidationSecureServerCA.crt is not needed as
>>> far as I know but the same issues still exist, the Server-Cert is
>>> removed again on ipa-certupdate and fails.
>>>
>>> I have tried this with setenforce 0
>>>
>> Hi Matt,
>>
>> can you provide more info in order to reproduce the issue?
>> - which OS are you using
>> - IPA version
>> - how did you install ipa server (CA-less or with self-signed CA or with
>> externally-signed CA?)
>>
>> Thanks,
>> Flo.
>>
>>
>>> Cheers,
>>>
>>> Matt
>>>
>>> 2017-02-14 17:24 GMT+01:00 Florence Blanc-Renaud <f...@redhat.com>:
>>>>
>>>> On 02/14/2017 02:54 PM, Matt . wrote:
>>>>>
>>>>>
>>>>> Certs are valid, I will check what you mentioned.
>>>>>
>>>>> I'm also no fan of bundles, more the separate files but this doesn't
>>>>> seem to work always. At least for the CAroot a bundle was required.
>>>>>
>>>> Hi Matt,
>>>>
>>>> if your certificate was provided by an intermediate CA, you need to add
>>>> each
>>>> CA before running ipa-server-certinstall (start from the top-level CA
>>>> with
>>>> ipa-cacert-manage install, then run ipa-certupdate, then the intermediate
>>>> CA
>>>> with ipa-cacert-manage install, then ipa-certupdate etc...)
>>>>
>>>> There is also a known issue with ipa-certupdate and SELinux in enforcing
>>>> mode (https://bugzilla.redhat.com/show_bug.cgi?id=1349024).
>>>>
>>>> Flo.
>>>>
>>>>
>>>>> Matt
>>>>>
>>>>> 2017-02-14 14:51 GMT+01:00 Sullivan, Daniel [CRI]
>>>>> <dsulliv...@bsd.uchicago.edu>:
>>>>>>
>>>>>>
>>>>>> Have you validated the cert (and dumped the contents) from the command
>>>>>> line using the openssl tools?  I’ve seen the message you are seeing
>>>>>> before,
>>>>>> for some reason I seem to remember that it has to do with either a
>>>>>> missing
>>>>>> or an extra - at either the -----BEGIN CERTIFICATE----- or -----END
>>>>>> CERTIFICATE----- (an error from copy and pasting and not copying the
>>>>>> actual
>>>>>> file).
>>>>>>
>>>>>> I’ve never used certupdate so if what is described above doesn’t help
>>>>>> somebody else will have to chime in.
>>>>>>
>>>>>> Dan
>>>>>>
>>>>>>> On Feb 14, 2017, at 2:18 AM, Matt . <yamakasi@gmail.com> wrote:
>>>>>>>
>>>>>>> Hi Dan,
>>>>>>>
>>>>>>> Yes I have tried that and I get the message that it misses the full
>>>>>>> chain for the certificate.
>>>>>>>
>>>>>>> My issue is more, why is the Server-Cert being removed on a certupdate
>>>>>>> ?
>>>>>>>
>>>>>>> Cheers,
>>>>>>>
>>>>>>> Matt
>>>>>>>
>>>>>>> 2017-02-14 2:18 GMT+01:00 Sullivan, Daniel [CRI]
>>>>>>> <dsulliv...@bsd.uchicago.edu>:
>>>>>>>>
>>>>>>>>
>>>>>>>> Is the chain in mydomain_com_bundle.crt?  Have you tried it with the
>>>>>>>> cert only (disclaimer: I’ve never done this).
>>>>>>>>
>>>>>>>> Dan
>>>>>>>>
>>>>>>>>> On Feb 13, 2017, at 4:08 PM, Matt . <yamakasi@gmail.com> wrote:
>>>>>>>>>
>>>>>>>>> Hi Guys,
>>>>>>>>>
>>>>>>>>> I'm trying to install a 3rd party certificate using:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP#Procedure_in_current_IPA
>>>>>>>>>
>>>>>>>>> When I run the install command for the certificate itself:
>>>>>>>>>
>>>>>>>>> ]# ipa-server-certinstall -w -d mydomain_com.key
>>>>>>>>> mydomain_com_bundle.crt
>>>>>>>>> Directory Manager password:
>>>>>>>>>
>>>>>>>>> Enter private key unlock password:
>>>>>>>>>
>>>>>>>>> list index out of range
>>>>>>>>> The ipa-server-certinstall command failed.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> If I do a #ipa-certupdate the Server-Cert is removed from
>>>>>>>>> /etc/httpd/alias and the install fails because of this.
>>>>>>>>>
>>>>>>>>> What can I do to solve this ?
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>>
>>>>>>>>> Matt
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>
>>>>>
>>>>
>>

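Two points from the thread above are worth automating before touching the NSS database: Dan's observation that a missing or extra dash on a BEGIN/END line breaks the import, and Florence's procedure of installing each CA on its own with `ipa-cacert-manage install` followed by `ipa-certupdate` (root first, then the intermediate) and passing only the server certificate to `ipa-server-certinstall`. The script below is an added example, not code from the FreeIPA project or from anyone in the thread. It checks the PEM framing of a bundle and splits it into one file per certificate; it does not verify signatures or chain order, and the base64 bodies in the sample bundle are constructed placeholders, not real certificates. Function names are my own.

```shell
#!/bin/sh
# Added example (not code from the FreeIPA project or from anyone in this
# thread): sanity-check the PEM framing of a certificate bundle and split it
# into one file per certificate before handing the pieces to
# ipa-cacert-manage / ipa-certupdate / ipa-server-certinstall.
# Only the BEGIN/END markers are checked; signatures and the issuer chain
# still need openssl, which is not used here.

# pem_count FILE: number of certificates (intact BEGIN markers) in FILE.
pem_count() {
    grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true
}

# pem_check FILE: exit 0 when every certificate block opens with exactly
# "-----BEGIN CERTIFICATE-----" and closes with exactly
# "-----END CERTIFICATE-----"; exit 1 on a mangled marker or a nested or
# unterminated block. CRLF line endings are tolerated.
pem_check() {
    awk '
        { sub(/\r$/, "") }
        /BEGIN CERTIFICATE/ {
            if ($0 != "-----BEGIN CERTIFICATE-----" || open) bad = 1
            open = 1; next
        }
        /END CERTIFICATE/ {
            if ($0 != "-----END CERTIFICATE-----" || !open) bad = 1
            open = 0; next
        }
        END { if (bad || open) exit 1; exit 0 }
    ' "$1"
}

# pem_split FILE PREFIX: write each certificate of FILE to PREFIX-N.pem,
# numbered in the order they appear in the bundle.
pem_split() {
    awk -v prefix="$2" '
        /^-----BEGIN CERTIFICATE-----$/ { n++; out = prefix "-" n ".pem" }
        out != "" { print > out }
        /^-----END CERTIFICATE-----$/ { close(out); out = "" }
    ' "$1"
}

# --- constructed sample input: the base64 bodies are placeholders, not
# real certificates; only the framing matters for these checks ---
WORKDIR=$(mktemp -d)
SAMPLE_GOOD="$WORKDIR/good_bundle.crt"
SAMPLE_BAD="$WORKDIR/bad_bundle.crt"

cat > "$SAMPLE_GOOD" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIBc29tZSBsZWFmIGNlcnQgYm9keSAoY29uc3RydWN0ZWQp
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBaW50ZXJtZWRpYXRlIENBIChjb25zdHJ1Y3RlZCk=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBcm9vdCBDQSAoY29uc3RydWN0ZWQp
-----END CERTIFICATE-----
EOF

# Same bundle with one dash dropped from the first END marker: the kind of
# copy/paste damage Dan describes in the thread.
sed '3s/^-----END/----END/' "$SAMPLE_GOOD" > "$SAMPLE_BAD"

echo "certificates in good bundle: $(pem_count "$SAMPLE_GOOD")"
if pem_check "$SAMPLE_GOOD"; then echo "good bundle: framing OK"; fi
if pem_check "$SAMPLE_BAD"; then echo "bad bundle: framing OK"; else echo "bad bundle: framing BROKEN"; fi
pem_split "$SAMPLE_GOOD" "$WORKDIR/cert"
ls "$WORKDIR"
```

After splitting a real bundle, identify which piece is the root and which the intermediate with `openssl x509 -noout -subject -issuer -in cert-N.pem`, then install them in Florence's order (root, `ipa-certupdate`, intermediate, `ipa-certupdate`) and give only the server certificate and key to `ipa-server-certinstall`.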

Re: [Freeipa-users] Cannot install 3rd party certificate

2017-02-14 Thread Matt .
Certs are valid, I will check what you mentioned.

I'm also no fan of bundles, more the separate files but this doesn't
seem to work always. At least for the CAroot a bundle was required.

Matt

2017-02-14 14:51 GMT+01:00 Sullivan, Daniel [CRI] <dsulliv...@bsd.uchicago.edu>:
> Have you validated the cert (and dumped the contents) from the command line 
> using the openssl tools?  I’ve seen the message you are seeing before, for 
> some reason I seem to remember that it has to do with either a missing or an 
> extra - at either the -----BEGIN CERTIFICATE----- or -----END CERTIFICATE----- 
> (an error from copy and pasting and not copying the actual file).
>
> I’ve never used certupdate so if what is described above doesn’t help 
> somebody else will have to chime in.
>
> Dan
>
>> On Feb 14, 2017, at 2:18 AM, Matt . <yamakasi@gmail.com> wrote:
>>
>> Hi Dan,
>>
>> Yes I have tried that and I get the message that it misses the full
>> chain for the certificate.
>>
>> My issue is more, why is the Server-Cert being removed on a certupdate ?
>>
>> Cheers,
>>
>> Matt
>>
>> 2017-02-14 2:18 GMT+01:00 Sullivan, Daniel [CRI] 
>> <dsulliv...@bsd.uchicago.edu>:
>>> Is the chain in mydomain_com_bundle.crt?  Have you tried it with the cert 
>>> only (disclaimer: I’ve never done this).
>>>
>>> Dan
>>>
>>>> On Feb 13, 2017, at 4:08 PM, Matt . <yamakasi@gmail.com> wrote:
>>>>
>>>> Hi Guys,
>>>>
>>>> I'm trying to install a 3rd party certificate using:
>>>>
>>>> http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP#Procedure_in_current_IPA
>>>>
>>>> When I run the install command for the certificate itself:
>>>>
>>>> ]# ipa-server-certinstall -w -d mydomain_com.key mydomain_com_bundle.crt
>>>> Directory Manager password:
>>>>
>>>> Enter private key unlock password:
>>>>
>>>> list index out of range
>>>> The ipa-server-certinstall command failed.
>>>>
>>>>
>>>> If I do a #ipa-certupdate the Server-Cert is removed from
>>>> /etc/httpd/alias and the install fails because of this.
>>>>
>>>> What can I do to solve this ?
>>>>
>>>> Thanks,
>>>>
>>>> Matt
>>>>
>>>
>


Re: [Freeipa-users] Cannot install 3rd party certificate

2017-02-14 Thread Matt .
Hi Dan,

Yes I have tried that and I get the message that it misses the full
chain for the certificate.

My issue is more, why is the Server-Cert being removed on a certupdate ?

Cheers,

Matt

2017-02-14 2:18 GMT+01:00 Sullivan, Daniel [CRI] <dsulliv...@bsd.uchicago.edu>:
> Is the chain in mydomain_com_bundle.crt?  Have you tried it with the cert 
> only (disclaimer: I’ve never done this).
>
> Dan
>
>> On Feb 13, 2017, at 4:08 PM, Matt . <yamakasi@gmail.com> wrote:
>>
>> Hi Guys,
>>
>> I'm trying to install a 3rd party certificate using:
>>
>> http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP#Procedure_in_current_IPA
>>
>> When I run the install command for the certificate itself:
>>
>> ]# ipa-server-certinstall -w -d mydomain_com.key mydomain_com_bundle.crt
>> Directory Manager password:
>>
>> Enter private key unlock password:
>>
>> list index out of range
>> The ipa-server-certinstall command failed.
>>
>>
>> If I do a #ipa-certupdate the Server-Cert is removed from
>> /etc/httpd/alias and the install fails because of this.
>>
>> What can I do to solve this ?
>>
>> Thanks,
>>
>> Matt
>>
>


[Freeipa-users] Cannot install 3rd party certificate

2017-02-13 Thread Matt .
Hi Guys,

I'm trying to install a 3rd party certificate using:

http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP#Procedure_in_current_IPA

When I run the install command for the certificate itself:

]# ipa-server-certinstall -w -d mydomain_com.key mydomain_com_bundle.crt
Directory Manager password:

Enter private key unlock password:

list index out of range
The ipa-server-certinstall command failed.


If I do a #ipa-certupdate the Server-Cert is removed from
/etc/httpd/alias and the install fails because of this.

What can I do to solve this ?

Thanks,

Matt



[Freeipa-users] User with rights for only adding hosts

2017-01-27 Thread Matt .
Hi,

Is it possible to create a user that can/is allowed (to) only add
hosts using the ipa-client-install ?

Would be nice to know.

Cheers,

Matt



[Freeipa-users] Sync (some) users between IPA servers

2017-01-25 Thread Matt .
Hi,

I wonder, ahead of the maybe future IPA trusts, is there a way to
sync some users between some IPA environments ?

I have 3 IPA systems,

- office (All services)
- production (DNS and serverauth only)
- customer auth, ldap only.

Between office and production I would like to have some synced users
so they can login on both environments (servers).

Would there be some way to accomplish this ?

Thanks,

Matt



Re: [Freeipa-users] how to make email as mandatory field before user creation

2017-01-02 Thread Matt .
Doesn't the user get a default mail address when you add him under the
REALM domain ?

2017-01-02 17:50 GMT+01:00 Petr Vobornik :
> On 01/02/2017 05:00 PM, nirajkumar.si...@accenture.com wrote:
>> Hi Team,
>>
>> Is there any way to make email as mandatory field before creating any user 
>> from
>> WEBUI or Console?
>>
>> Thanks & Regards,
>>
>> Niraj Kumar Singh
>>
>
> Hello Niraj,
>
> FreeIPA doesn't support such configuration out of the box.
>
> It is theoretically possible to implement IPA server side plugin to mark
> the field as required. It may not be straightforward though.
>
> --
> Petr Vobornik
>



Re: [Freeipa-users] Upgrade 4.4.2-1.fc24 security library failure.

2016-10-18 Thread Matt .
Hi Martin,

Indeed strange, as another master where I did the upgrade went fine.

It is/was a master with CA and Externally Signed CA, which was
perfectly synced to the other master.

I finally uninstalled the ipa server and did a new replica install on
it with dns and CA and all went smooth and fine. I also had some weird
DNS error and bind didn't want to start anymore because it was expecting a
; I thought this had something to do with a forwarder, which it wasn't.

For now I'm good, but do you want extra info ?

Thanks,

Matt

2016-10-18 7:49 GMT+02:00 Martin Babinsky <mbabi...@redhat.com>:
> On 10/18/2016 12:30 AM, Matt . wrote:
>>
>> Hi Guys,
>>
>> I'm having a failure on my upgrade for 4.4.2-1 on Fedora 24
>>
>> I already checked some info and:
>>
>> ldapsearch -Y GSSAPI -b cn=CAcert,cn=ipa,cn=etc,$SUFFIX
>>
>> Gives me TU instead of MII as expected.
>>
>> Any suggestions further ?
>>
>> Thanks,
>>
>> Matt
>>
>>
>> 2016-10-17T22:19:10Z DEBUG Starting external process
>> 2016-10-17T22:19:10Z DEBUG args=/usr/bin/certutil -d
>> /etc/dirsrv/slapd-MY-REALM -L -n Server-Cert -a
>> 2016-10-17T22:19:10Z DEBUG Process finished, return code=255
>> 2016-10-17T22:19:10Z DEBUG stdout=
>> 2016-10-17T22:19:10Z DEBUG stderr=certutil: Could not find cert:
>> Server-Cert
>> : PR_FILE_NOT_FOUND_ERROR: File not found
>>
>> 2016-10-17T22:19:10Z ERROR IPA server upgrade failed: Inspect
>> /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
>> 2016-10-17T22:19:11Z DEBUG   File
>> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172,
>> in execute
>> return_value = self.run()
>>   File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py",
>> line 46, in run
>> server.upgrade()
>>   File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
>> line 1867, in upgrade
>> upgrade_configuration()
>>   File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
>> line 1770, in upgrade_configuration
>> certificate_renewal_update(ca, ds, http),
>>   File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
>> line 1027, in certificate_renewal_update
>> ds.start_tracking_certificates(serverid)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py",
>> line 996, in start_tracking_certificates
>> 'restart_dirsrv %s' % serverid)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py",
>> line 307, in track_server_cert
>> nsscert = x509.load_certificate(cert, dbdir=self.secdir)
>>   File "/usr/lib/python2.7/site-packages/ipalib/x509.py", line 129, in
>> load_certificate
>> return nss.Certificate(buffer(data))  # pylint: disable=buffer-builtin
>>
>>
>> 016-10-17T22:19:11Z DEBUG The ipa-server-upgrade command failed,
>> exception: NSPRError: (SEC_ERROR_LIBRARY_FAILURE)
>> security library failure.
>> 2016-10-17T22:19:11Z ERROR Unexpected error - see
>> /var/log/ipaupgrade.log for details:
>> NSPRError: (SEC_ERROR_LIBRARY_FAILURE) security library failure.
>> 2016-10-17T22:19:11Z ERROR The ipa-server-upgrade command failed. See
>> /var/log/ipaupgrade.log for more information
>>
>
> Hmmm strange,
>
> looks like your DS certificate got lost or has some strange nickname in your
> directory server's NSS database.
>
> Is this CA-less install, externally signed CA or 'self-signed' CA? Master or
> replica?
>
> --
> Martin^3 Babinsky
>
>



[Freeipa-users] Upgrade 4.4.2-1.fc24 security library failure.

2016-10-17 Thread Matt .
Hi Guys,

I'm having a failure on my upgrade for 4.4.2-1 on Fedora 24

I already checked some info and:

ldapsearch -Y GSSAPI -b cn=CAcert,cn=ipa,cn=etc,$SUFFIX

Gives me TU instead of MII as expected.

Any further suggestions?

Thanks,

Matt


2016-10-17T22:19:10Z DEBUG Starting external process
2016-10-17T22:19:10Z DEBUG args=/usr/bin/certutil -d
/etc/dirsrv/slapd-MY-REALM -L -n Server-Cert -a
2016-10-17T22:19:10Z DEBUG Process finished, return code=255
2016-10-17T22:19:10Z DEBUG stdout=
2016-10-17T22:19:10Z DEBUG stderr=certutil: Could not find cert: Server-Cert
: PR_FILE_NOT_FOUND_ERROR: File not found

2016-10-17T22:19:10Z ERROR IPA server upgrade failed: Inspect
/var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2016-10-17T22:19:11Z DEBUG   File
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172,
in execute
return_value = self.run()
  File 
"/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py",
line 46, in run
server.upgrade()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
line 1867, in upgrade
upgrade_configuration()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
line 1770, in upgrade_configuration
certificate_renewal_update(ca, ds, http),
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
line 1027, in certificate_renewal_update
ds.start_tracking_certificates(serverid)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py",
line 996, in start_tracking_certificates
'restart_dirsrv %s' % serverid)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py",
line 307, in track_server_cert
nsscert = x509.load_certificate(cert, dbdir=self.secdir)
  File "/usr/lib/python2.7/site-packages/ipalib/x509.py", line 129, in
load_certificate
return nss.Certificate(buffer(data))  # pylint: disable=buffer-builtin


016-10-17T22:19:11Z DEBUG The ipa-server-upgrade command failed,
exception: NSPRError: (SEC_ERROR_LIBRARY_FAILURE)
security library failure.
2016-10-17T22:19:11Z ERROR Unexpected error - see
/var/log/ipaupgrade.log for details:
NSPRError: (SEC_ERROR_LIBRARY_FAILURE) security library failure.
2016-10-17T22:19:11Z ERROR The ipa-server-upgrade command failed. See
/var/log/ipaupgrade.log for more information



Re: [Freeipa-users] External CA: Peer's certificate issuer has been marked as not trusted by the user

2016-10-02 Thread Matt .
Hi,

No one has any idea here? My Root Cert is installed OK.

# certutil -d /etc/pki/pki-tomcat/alias/ -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
COMODOExternalCARoot                                         C,C,C
COMODORSADomainValidationSecureServerCA                      C,C,C
Server-Cert cert-pki-ca                                      u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
COMODORSAAddTrustCA                                          C,C,C

I hope this helps.

Cheers,

Matt

2016-10-01 17:04 GMT+02:00 Matt . <yamakasi@gmail.com>:
> Hi guys,
>
> I have successfully installed an external CA certificate for
> https/LDAP, but now I get this from my ipa commands:
>
> ipa domainlevel-get
>
> ipa: ERROR: cert validation failed for
> "CN=*.mysubdomain.ipa.mydomain.tld,OU=PositiveSSL Wildcard,OU=Domain
> Control Validated" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate
> issuer has been marked as not trusted by the user.)
>
> What can cause this?
>
> I'm on FreeIPA, version: 4.4.1
>
> I hope we can sort this out.
>
> Thanks,
>
> Matt

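As an added example (not code from the thread or from FreeIPA), here is a small parser for `certutil -L` output that decodes the NSS trust columns and reports which nicknames are trusted as SSL CAs, using the listing quoted above as its sample input. It only describes the database you point certutil at, so it is worth running against the database the failing client actually reads.

```python
"""Decode NSS trust flags from a `certutil -d <dbdir> -L` listing.

Added example for the thread above; not FreeIPA project code.
"""
import re
from typing import Dict, List, NamedTuple

# Listing quoted in the post (pki-tomcat alias database), column spacing restored.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
COMODOExternalCARoot                                         C,C,C
COMODORSADomainValidationSecureServerCA                      C,C,C
Server-Cert cert-pki-ca                                      u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
COMODORSAAddTrustCA                                          C,C,C
"""

# A row is "<nickname>   <ssl>,<smime>,<jar>" where each group is a run of
# NSS flag letters (C, T, c, P, p, u, w) and may be empty.
ROW_RE = re.compile(
    r"^(?P<nick>.+?)\s+(?P<trust>[CTcPpuw]*,[CTcPpuw]*,[CTcPpuw]*)\s*$"
)

FLAG_MEANING = {
    "C": "trusted CA (for this use)",
    "T": "trusted CA, may also issue client certs",
    "c": "valid CA, not trusted",
    "P": "trusted peer",
    "p": "valid peer",
    "u": "private key present (user cert)",
    "w": "warn on use",
}


class Entry(NamedTuple):
    nickname: str
    ssl: str
    smime: str
    jar: str


def parse_certutil_listing(text: str) -> List[Entry]:
    """Return one Entry per certificate row, skipping the two header lines."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Certificate Nickname") or line.startswith("SSL,"):
            continue
        m = ROW_RE.match(line)
        if not m:
            continue  # not a nickname/trust row
        ssl, smime, jar = m.group("trust").split(",")
        entries.append(Entry(m.group("nick").rstrip(), ssl, smime, jar))
    return entries


def ssl_trusted_cas(entries: List[Entry]) -> List[str]:
    """Nicknames NSS will accept as a trusted issuer when validating an SSL peer."""
    return [e.nickname for e in entries if "C" in e.ssl or "T" in e.ssl]


def check_issuer_chain(entries: List[Entry], chain: List[str]) -> Dict[str, str]:
    """For each issuer nickname in `chain`, say whether the database trusts it
    for SSL. An issuer that is present but carries no C/T flag, or is missing
    altogether, is what makes peer validation fail on the issuer."""
    by_nick = {e.nickname: e for e in entries}
    report: Dict[str, str] = {}
    for nick in chain:
        e = by_nick.get(nick)
        if e is None:
            report[nick] = "missing"
        elif "C" in e.ssl or "T" in e.ssl:
            report[nick] = "trusted"
        else:
            report[nick] = f"present but untrusted (SSL flags '{e.ssl}')"
    return report


def describe(entry: Entry) -> str:
    """Human-readable decoding of one row's SSL trust flags."""
    meanings = [FLAG_MEANING[f] for f in entry.ssl if f in FLAG_MEANING]
    return f"{entry.nickname}: " + ("; ".join(meanings) if meanings else "no SSL trust")


if __name__ == "__main__":
    parsed = parse_certutil_listing(SAMPLE_LISTING)
    for ent in parsed:
        print(describe(ent))
    print("SSL-trusted CAs:", ssl_trusted_cas(parsed))
```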


[Freeipa-users] External CA: Peer's certificate issuer has been marked as not trusted by the user

2016-10-01 Thread Matt .
Hi guys,

I have successfully installed an external CA certificate for
https/LDAP, but now I get this from my ipa commands:

ipa domainlevel-get

ipa: ERROR: cert validation failed for
"CN=*.mysubdomain.ipa.mydomain.tld,OU=PositiveSSL Wildcard,OU=Domain
Control Validated" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate
issuer has been marked as not trusted by the user.)

What can cause this?

I'm on FreeIPA, version: 4.4.1

I hope we can sort this out.

Thanks,

Matt



[Freeipa-users] cleanallruv - no replica's :(

2016-09-30 Thread Matt Wells
Hey all, I hoped anyone may be able to assist.  I had 2 dead replicas and
used the cleanallruv.pl as they refused to leave otherwise.
` /usr/sbin/cleanallruv.pl -v -D "cn=directory manager" -w - -b
'dc=mosaic451,dc=com' -r 17 `
17 being the bad guy.  Well it ran `woohoo` but deleted all of my
replicas.  The state it's in now is I can make changes on Box1 ( the one I
ran it on ) and they replicate to Box2 but never come back.
If I delete it on Box2 it never gets to Box1 however Box2 says he has
that happy replication agreement.
So it's almost a split brain scenario.  I hoped someone may be able to
assist.
Can I just re-cut the replication agreement from Box2 and run it on Box1;
he's a full grown IPA so if I did that wouldn't I need to --uninstall him?

What do you guys think?

[Freeipa-users] FreeIPA as CA for your own internal webservices

2016-09-30 Thread Matt .
Hi Guys,

I'm wondering how it's possible to use FreeIPA as your own CA for
apache vhosts and such.

I need too many certificates for subdomains (wildcards) that it's
undoable, and I would like to use my FreeIPA installs for this.

I installed the root certificate on windows from my IPA install and
that works, FreeIPA itself is now trusted. But how to do this for
other webservices no matter what software I use?

I hope someone can give me direction here.

Thanks!

Matt



[Freeipa-users] Two Factor auth and Windows desktop

2016-09-07 Thread Matt Wells
Hi all!
I had a question about something that I'm sure has been covered.  I promise
that I'm trying to find those articles but thus far I've found some pieces
but nothing 100%; however I'm still looking.
I have two networks

   - ad.example.com ( active directory )
   - linux.example.com ( IPA )

All of my linux systems Auth against IPA and it's perfect.  AD and IPA
replicate users ( this currently is how we're doing it and are looking at
external users to see if that works better for us ).  I'm trying to find
how to force my IPA two factor to the desktops that auth to AD.  As a whole
we're trying to enforce this everywhere and I don't want to go to Duo when
we have the capability in house.

My IPA is at 4.2
AD is on MS 2012

Any direction would be great and as I mentioned I'm certainly going over
the archives to research.

Re: [Freeipa-users] Update NON-ipa Bind slave server from IPA-DNS edit/update

2016-08-23 Thread Matt .
And then allow the IP of the IPA server for update or transfer on the slave?

Because I don't see anything coming in.

2016-08-23 12:47 GMT+02:00 Petr Spacek <pspa...@redhat.com>:
> On 23.8.2016 12:43, Matt . wrote:
>> OK, but what kind of records are you talking about then?
>
> I'm not sure what else should I say.
>
> NS records: the ones added by
>
> $ ipa record-add  @ --ns-rec=.
> (please note the trailing period)
>
> Does it answer your question?
>
> Petr^2 Spacek
>
>>
>> 2016-08-23 12:25 GMT+02:00 Petr Spacek <pspa...@redhat.com>:
>>> On 23.8.2016 09:07, Martin Basti wrote:
>>>>
>>>>
>>>> On 23.08.2016 02:08, Matt . wrote:
>>>>> Hi Guys,
>>>>>
>>>>> What is the way to notify or update a Bind slave which is not an IPA
>>>>> server?
>>>>>
>>>>> Do I need to manually add an also-notify to the /etc/bind.conf on the
>>>>> IPA master or is there a different way how to accomplish this ?
>>>>>
>>>>> I hope this is possible and anyone can explain to me how.
>>>>>
>>>>> Thanks!
>>>>>
>>>>> Matt
>>>>>
>>>>
>>>> Hi,
>>>>
>>>> some info about transfers can be found here:
>>>> http://www.freeipa.org/page/Howto/DNS_updates_and_zone_transfers_with_TSIG
>>>>
>>>> Yes, you need to manually update named.conf with also-notify
>>>
>>> Well, the also-notify might not (always) work, it is not directly supported 
>>> by
>>> bind-dyndb-ldap.
>>>
>>> It should work automatically if you list your slave servers in NS records,
>>> BIND will automatically send notify messages to all servers listed in NS 
>>> records.
>>>
>>> --
>>> Petr^2 Spacek



Re: [Freeipa-users] Update NON-ipa Bind slave server from IPA-DNS edit/update

2016-08-23 Thread Matt .
OK, but what kind of records are you talking about then?

2016-08-23 12:25 GMT+02:00 Petr Spacek <pspa...@redhat.com>:
> On 23.8.2016 09:07, Martin Basti wrote:
>>
>>
>> On 23.08.2016 02:08, Matt . wrote:
>>> Hi Guys,
>>>
>>> What is the way to notify or update a Bind slave which is not an IPA server?
>>>
>>> Do I need to manually add an also-notify to the /etc/bind.conf on the
>>> IPA master or is there a different way how to accomplish this ?
>>>
>>> I hope this is possible and anyone can explain to me how.
>>>
>>> Thanks!
>>>
>>> Matt
>>>
>>
>> Hi,
>>
>> some info about transfers can be found here:
>> http://www.freeipa.org/page/Howto/DNS_updates_and_zone_transfers_with_TSIG
>>
>> Yes, you need to manually update named.conf with also-notify
>
> Well, the also-notify might not (always) work, it is not directly supported by
> bind-dyndb-ldap.
>
> It should work automatically if you list your slave servers in NS records,
> BIND will automatically send notify messages to all servers listed in NS 
> records.
>
> --
> Petr^2 Spacek
>



[Freeipa-users] Update NON-ipa Bind slave server from IPA-DNS edit/update

2016-08-22 Thread Matt .
Hi Guys,

What is the way to notify or update a Bind slave which is not an IPA server?

Do I need to manually add an also-notify to the /etc/bind.conf on the
IPA master or is there a different way how to accomplish this ?

I hope this is possible and anyone can explain to me how.

Thanks!

Matt



[Freeipa-users] Active directory integration with FreeIPA domain

2016-08-04 Thread Matt Comben
Hi all,

TLDR - Is it possible to sync users FROM FreeIPA TO 'AD'

I've started introducing FreeIPA into our network (which is currently LDAP with 
linux clients) and migrating client servers to authenticate against FreeIPA 
(which has been working great).

In the past couple of weeks, we were forced to setup a couple of Windows 
servers, so AD seemed like a good improvement (for getting centralised 
authentication against our Windows workstations).

I have read tonnes of information about setting up Trusts between FreeIPA and 
AD (and got a Trust itself working) and winsync using ipa-replica-manage, which 
said it was working.
Although from all this testing, I cannot seem to get a solution working for 
user synchronisation (or trusting) for authentication on Windows clients for 
FreeIPA users. Either having users synced from FreeIPA to AD to have them 
authenticate through the AD through a Forest Trust.
FWIW, I'm using CentOS 7 with FreeIPA 4  (tried Ubuntu 16.04, but couldn't get 
Trust established at all) and Server 2012 for AD.
I also can't see anyone else doing it this way round... is what I'm trying to 
do impossible?

Thanks in advance for any help

Thanks
Matt

[Freeipa-users] ipa-server-upgrade fails on PKI CentOS 7.2

2016-07-07 Thread Matt .
Hi,

I have some issue with the ipa-server-upgrade command where PKI fails.

This seems to be a known issue but I'm unsure where to report it as
it's fixed in FC

https://bugzilla.redhat.com/show_bug.cgi?id=1328522

Does someone have a clue how to get around this?

Thanks!

Matt



Re: [Freeipa-users] Users directory Browsing -

2016-03-09 Thread Matt Wells
A really good point, however I'm fortunate enough that the only items
authenticating are applications.  I agree with you also that it's a bit of
a Pandora's box; I've decided that it's best to leave the systems in default
state and use a tool like PWM for this self service component.

On Wed, Mar 9, 2016 at 12:37 AM Petr Spacek <pspa...@redhat.com> wrote:

> On 8.3.2016 15:29, Matt Wells wrote:
> > For my use case it is.  Essentially the system will be application auth for
> > separate groups that have no need to know of one another, almost a
> > multi-tenant mode.  I wanted to expose a 'self service' url.  I've found a
> > community ipa portal for password resets and perhaps that with slight
> > changes can resolve this.  I understand why it's that way but had hoped to
> > be able to apply a bit more of an ACI; I've been able to ratchet the
> > accounts down to just this one item thus far by restricting access to
> > attributes.  I appreciate the response and if / when I find a solution I'll
> > post it for anyone else that would require it.
>
> Be sure you fully think through your use cases and understand the
> implications.
>
> E.g. if the LDAP is used by unix clients, locking it down to one user or group
> may prevent clients from translating UIDs to names and vice-versa, prevent
> resolving group membership etc. That would certainly break things.
>
> In this case you might want to craft ACI which exposes POSIX attributes only
> and nothing else or so.
>
> Again, think about it :-)
>
> Petr^2 Spacek
>
> > On Mon, Mar 7, 2016 at 11:05 PM, Prashant Bapat <prash...@apigee.com> wrote:
> >
> >> A user will be able to list all other users and be able to read their
> >> attributes. But will not be able to change anything.
> >>
> >> Is that an issue? I mean on a Linux box you can read /etc/passwd file
> >> which has info about all users on that box. This doesn't cause issues.
> >>
> >> On 8 March 2016 at 03:03, Matt Wells <matt.we...@mosaic451.com> wrote:
> >>
> >>> Hi all, I had a quick question.  I swear I had this before but that could
> >>> be the voices telling me it's true
> >>> A normal user is logging into IPA (4.2.0) and filling in their phone
> >>> number and info no problem.  However when that user clicks on accounts
> >>> above they are then able to peruse the entire directory and all the other
> >>> user accounts.
> >>> I'm trying to remove that but for the life of me can't recall the ACI or
> >>> where that may be.
> >>>
> >>> I really appreciate it, I'll continue to search through the previous
> >>> questions and if I find it before a reply will mark this closed with the
> >>> link.
> >>> Thank you all -
> >>> Wells
>
-- 
Matt Wells
Chief Systems Architect
RHCA, RHCVA - #110-000-353
(702) 808-0424
matt.we...@mosaic451.com
 Las Vegas | Phoenix | Portland Mosaic451.com
CONFIDENTIALITY NOTICE: This transmittal is a confidential communication or
may otherwise be privileged. If you are not intended recipient, you are
hereby notified that you have received this transmittal in error and that
any review, dissemination, distribution or copying of this transmittal is
strictly prohibited. If you have received this communication in error,
please notify this office, and immediately delete this message and all its
attachments, if any.

Re: [Freeipa-users] Users directory Browsing -

2016-03-08 Thread Matt Wells
For my use case it is.  Essentially the system will be application auth for
separate groups that have no need to know of one another, almost a
multi-tenant mode.  I wanted to expose a 'self service' url.  I've found a
community ipa portal for password resets and perhaps that with slight
changes can resolve this.  I understand why it's that way but had hoped to
be able to apply a bit more of an ACI; I've been able to ratchet the
accounts down to just this one item thus far by restricting access to
attributes.  I appreciate the response and if / when I find a solution I'll
post it for anyone else that would require it.

On Mon, Mar 7, 2016 at 11:05 PM, Prashant Bapat <prash...@apigee.com> wrote:

> A user will be able to list all other users and be able to read their
> attributes. But will not be able to change anything.
>
> Is that an issue? I mean on a Linux box you can read /etc/passwd file
> which has info about all users on that box. This doesn't cause issues.
>
> On 8 March 2016 at 03:03, Matt Wells <matt.we...@mosaic451.com> wrote:
>
>> Hi all, I had a quick question.  I swear I had this before but that could
>> be the voices telling me it's true
>> A normal user is logging into IPA (4.2.0) and filling in their phone
>> number and info no problem.  However when that user clicks on accounts
>> above they are then able to peruse the entire directory and all the other
>> user accounts.
>> I'm trying to remove that but for the life of me can't recall the ACI or
>> where that may be.
>>
>> I really appreciate it, I'll continue to search through the previous
>> questions and if I find it before a reply will mark this closed with the
>> link.
>> Thank you all -
>> Wells
>>
>
>


-- 
Matt Wells
Chief Systems Architect
RHCA, RHCVA - #110-000-353
(702) 808-0424
matt.we...@mosaic451.com
 Las Vegas | Phoenix | Portland Mosaic451.com

[Freeipa-users] Users directory Browsing -

2016-03-07 Thread Matt Wells
Hi all, I had a quick question.  I swear I had this before but that could
be the voices telling me it's true
A normal user is logging into IPA (4.2.0) and filling in their phone number
and info no problem.  However when that user clicks on accounts above they
are then able to peruse the entire directory and all the other user
accounts.
I'm trying to remove that but for the life of me can't recall the ACI or
where that may be.

I really appreciate it, I'll continue to search through the previous
questions and if I find it before a reply will mark this closed with the
link.
Thank you all -
Wells

Re: [Freeipa-users] Split backup actions in stop - backup - start commands

2016-02-19 Thread Matt .
Hi guys,

As I'm using burp for backup, I get the feeling it fails on the
ipa-backup process itself when run as a pre_script. I think it waits
for some exit code, or already gets it before the real backup of IPA has
finished.

I'm checking this out as burp also outputs messages as errors because
it just does it that way.



2016-02-18 16:08 GMT+01:00 Rob Crittenden <rcrit...@redhat.com>:
> David Kupka wrote:
>> On 17/02/16 10:47, Matt . wrote:
>>> Hi David,
>>>
>>> I have tested your way out and it seems to be OK.
>>>
>>> The reason why I need this is so I can perform a stop and
>>> ipa-backup before I start my backup to my backup server (pre-command).
>>>
>>> If I use ipa-backup directly it errors between the stop of ipa and the
>>> actual ipa backup. I need to check that out further.
>>>
>>> An ipactl start is not needed it seems as the ipa-backup command seems
>>> to start ipa at any time again.
>>>
>>> Do you understand/agree here?
>>
>> Hello Matt,
>>
>> unfortunately I don't understand. The backup procedure AFAIK should work
>> like this:
>>
>> # ipa-backup && rsync -r /var/lib/ipa/backup/ backup.example.test:/ipa/
>>
>> You can run it manually, or place it into the crontab, or use it in your
>> orchestration system.
>> It will backup the ipa server with necessary stop and start and then
>> copy the new backup to the backup server.
>>
>> Still I don't see the need for stopping the server manually.
>>
>> ipa-backup calls "ipactl start" [0]. If you remove the else branch it
>> will not start the server.
>>
>> [0]
>> https://git.fedorahosted.org/cgit/freeipa.git/tree/ipaserver/install/ipa_backup.py#n316
>
> I've also been wondering about the request to remove the stop/start. The
> stop should be idempotent. Is an error being thrown?
>
> rob
>



Re: [Freeipa-users] Split backup actions in stop - backup - start commands

2016-02-17 Thread Matt .
Hi David,

I have tested your way out and it seems to be OK.

The reason why I need this is so I can perform a stop and
ipa-backup before I start my backup to my backup server (pre-command).

If I use ipa-backup directly it errors between the stop of ipa and the
actual ipa backup. I need to check that out further.

An ipactl start is not needed it seems as the ipa-backup command seems
to start ipa at any time again.

Do you understand/agree here?



2016-02-17 8:00 GMT+01:00 David Kupka <dku...@redhat.com>:
> On 16/02/16 20:26, Matt . wrote:
>>
>> Hi,
>>
>> I'm figuring out if it's possible to strip the ipa start and stop from
>> the backup method and actually do a fullbackup manually started.
>>
>> Any idea?
>>
>> Thanks!
>>
>> Matt
>>
>
> Hello Matt,
> you can perform data only backup where freeipa server is still running
> (ipa-backup --data --online).
> But IIUC you want a full backup with stopped freeipa server and only want to
> manually run the sequence ipactl stop ; ipa-backup ; ipactl start
>
> Could you please explain why you need such behavior? Honestly, I'm unable
> to find use for this.
>
> There's no way how to do it without touching the code. If you don't mind
> editing code just remove two else branches starting on lines 293[0] and
> 316[1] in ipaserver/install/ipa_backup.py (on recent Fedoras located in
> /usr/lib/python2.7/site-packages/).
>
> With this change full backup will be performed on running server unless you
> stopped it before. It can result in inconsistent data in backup archive.
>
> [0]
> https://git.fedorahosted.org/cgit/freeipa.git/tree/ipaserver/install/ipa_backup.py#n293
> [1]
> https://git.fedorahosted.org/cgit/freeipa.git/tree/ipaserver/install/ipa_backup.py#n316
>
> --
> David Kupka



[Freeipa-users] Split backup actions in stop - backup - start commands

2016-02-16 Thread Matt .
Hi,

I'm figuring out if it's possible to strip the ipa start and stop from
the backup method and actually do a fullbackup manually started.

Any idea?

Thanks!

Matt



[Freeipa-users] User Lockout even with special password Policy

2016-01-14 Thread Matt .
Hi Guys,

I'm having an issue that a user which I use for the API is getting
locked out from time to time.

I have created a specific password policy for this user with:

Lockout duration (seconds) 0

But this doesn't help much.

Does anyone have an idea how I can make sure a user is not locked out in any way
by lots of logins or tries, etc., and be able to test that it functions
all right?

Thanks.

Matt



Re: [Freeipa-users] User Lockout even with special password Policy

2016-01-14 Thread Matt .
OK, this looks good, but keeps the user locked from time to time:

# ipa pwpolicy-show --user kinit-user
  Group: service_accounts
  Max lifetime (days): 1024
  Min lifetime (hours): 0
  Lockout duration: 0



Can we make sure we apply a policy to the sysaccounts users or is that
undoable?

2016-01-14 16:58 GMT+01:00 Rob Crittenden <rcrit...@redhat.com>:
> Matt . wrote:
>> OK, nice, but this user failed on kinit but is in the group where the
>> policy is set to 0.
>>
>> Can I check on the commandline if it applies to that setting by
>> querying ldap in some way? It could be that some other group
>> overrules in some way?
>
> $ ipa pwpolicy-show --user 
>
>> What about sysaccounts? They seem to be locked also with too many
>> logins, and this concerns me as they are not POSIX.
>
> They may be getting the global policy applied.
>
> rob
>
>>
>>
>>
>> 2016-01-14 15:16 GMT+01:00 Rob Crittenden <rcrit...@redhat.com>:
>>> Matt . wrote:
>>>> Hi Guys,
>>>>
>>>> I'm having an issue that a user which I use for the API is getting
>>>> locked out from time to time.
>>>>
>>>> I have created a specific password policy for this user with:
>>>>
>>>> Lockout duration (seconds) 0
>>>>
>>>> But this doesn't help much.
>>>>
>>>> Does anyone have an idea how I can make sure a user is not locked out in any way
>>>> by lots of logins or tries, etc., and be able to test that it functions
>>>> all right?
>>>
>>> Setting maxfail to 0 should do it. As for testing, be creative, but be
>>> sure to test both LDAP bind and kinit.
>>>
>>> rob
>>>
>>
>



Re: [Freeipa-users] User Lockout even with special password Policy

2016-01-14 Thread Matt .
My fault from the maxfail, I was referencing some doc from
side_control and mixed it up.

The sysaccount part sounds doable. I will report back on that!
Thanks a lot!

2016-01-14 19:06 GMT+01:00 Rob Crittenden <rcrit...@redhat.com>:
> Matt . wrote:
>> OK, this looks good, but keeps the user locked from time to time:
>>
>> # ipa pwpolicy-show --user kinit-user
>>   Group: service_accounts
>>   Max lifetime (days): 1024
>>   Min lifetime (hours): 0
>>   Lockout duration: 0
>
> As I said before, you need maxfail = 0 to disable lockout.
>
>> Can we make sure we apply a policy to the sysaccounts users or is that
>> undoable ?
>
> You'd have to set krbPwdPolicyReference to the dn of the policy you want
> to use for that sysaccount user. That requires the objectclass
> krbPrincipalAux.
>
> rob
>
>>
>> 2016-01-14 16:58 GMT+01:00 Rob Crittenden <rcrit...@redhat.com>:
>>> Matt . wrote:
>>>> OK, nice, but this user failed on kinit but is in the group where the
>>>> policy is set to 0.
>>>>
>>>> Can I check on the commandline if it applies to that setting by
>>>> querying ldap in some way? It could be that some other group
>>>> overrules in some way?
>>>
>>> $ ipa pwpolicy-show --user 
>>>
>>>> What about sysaccounts? They seem to be locked also with too many
>>>> logins, and this concerns me as they are not POSIX.
>>>
>>> They may be getting the global policy applied.
>>>
>>> rob
>>>
>>>>
>>>>
>>>>
>>>> 2016-01-14 15:16 GMT+01:00 Rob Crittenden <rcrit...@redhat.com>:
>>>>> Matt . wrote:
>>>>>> Hi Guys,
>>>>>>
>>>>>> I'm having an issue that a user which I use for the API is getting
>>>>>> locked out from time to time.
>>>>>>
>>>>>> I have created a specific password policy for this user with:
>>>>>>
>>>>>> Lockout duration (seconds) 0
>>>>>>
>>>>>> But this doesn't help much.
>>>>>>
>>>>>> Does anyone have an idea how I can make sure a user is not locked out in any way
>>>>>> by lots of logins or tries, etc., and be able to test that it functions
>>>>>> all right?
>>>>>
>>>>> Setting maxfail to 0 should do it. As for testing, be creative, but be
>>>>> sure to test both LDAP bind and kinit.
>>>>>
>>>>> rob
>>>>>
>>>>
>>>
>>
>

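As an added example for this thread (not FreeIPA project code), the script below parses the `ipa pwpolicy-show` output quoted above, applies the rule Rob gives (lockout is off only when Max failures is 0; Lockout duration: 0 on its own is not enough), and builds the LDIF modify that attaches a policy to a non-POSIX sysaccount through krbPrincipalAux and krbPwdPolicyReference. The account and policy DNs are caller-supplied; the ones in the usage are constructed placeholders.

```python
"""Check whether an IPA password policy really disables lockout, and build
the LDIF that binds a sysaccount to a policy.

Added example for the lockout thread above; not FreeIPA project code.
"""
from typing import Dict

# Output quoted in the thread for the API user's group policy.
SAMPLE_POLICY = """\
  Group: service_accounts
  Max lifetime (days): 1024
  Min lifetime (hours): 0
  Lockout duration: 0
"""


def parse_pwpolicy_show(text: str) -> Dict[str, str]:
    """Turn the CLI's indented 'Label: value' lines into a dict."""
    policy: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        label, _, value = line.partition(":")
        policy[label.strip()] = value.strip()
    return policy


def lockout_disabled(policy: Dict[str, str]) -> bool:
    """True only when the policy explicitly sets Max failures to 0."""
    return policy.get("Max failures") == "0"


def lockout_assessment(policy: Dict[str, str]) -> str:
    """Explain what the parsed policy means for account lockout."""
    maxfail = policy.get("Max failures")
    duration = policy.get("Lockout duration")
    if maxfail == "0":
        return "lockout disabled (Max failures: 0)"
    if maxfail is None:
        # This is the trap in the thread: the policy only sets Lockout duration.
        hint = " (Lockout duration: 0 by itself does not disable it)" if duration == "0" else ""
        return "lockout NOT confirmed disabled: Max failures is not set in this policy" + hint
    return f"lockout enabled after {maxfail} failures"


def sysaccount_policy_ldif(account_dn: str, policy_dn: str) -> str:
    """LDIF modify that points a sysaccount at a specific policy, as Rob
    describes: the entry needs the krbPrincipalAux objectclass before
    krbPwdPolicyReference can be set. Both DNs come from the caller."""
    return (
        f"dn: {account_dn}\n"
        "changetype: modify\n"
        "add: objectClass\n"
        "objectClass: krbPrincipalAux\n"
        "-\n"
        "add: krbPwdPolicyReference\n"
        f"krbPwdPolicyReference: {policy_dn}\n"
        "-\n"
    )


if __name__ == "__main__":
    parsed = parse_pwpolicy_show(SAMPLE_POLICY)
    print(lockout_assessment(parsed))
    # Constructed placeholder DNs; substitute your own suffix and policy entry.
    print(sysaccount_policy_ldif(
        "uid=api-user,cn=sysaccounts,cn=etc,dc=example,dc=test",
        "cn=service_accounts,cn=EXAMPLE.TEST,cn=kerberos,dc=example,dc=test",
    ))
```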


Re: [Freeipa-users] User Lockout even with special password Policy

2016-01-14 Thread Matt .
OK, nice, but this user failed on kinit but is in the group where the
policy is set to 0.

Can I check on the commandline if it applies to that setting by
querying ldap in some way? It could be that some other group
overrules in some way?

What about sysaccounts? They seem to be locked also with too many
logins, and this concerns me as they are not POSIX.



2016-01-14 15:16 GMT+01:00 Rob Crittenden <rcrit...@redhat.com>:
> Matt . wrote:
>> Hi Guys,
>>
>> I'm having an issue that a user which I use for the API is getting
>> locked out from time to time.
>>
>> I have created a specific password policy for this user with:
>>
>> Lockout duration (seconds) 0
>>
>> But this doesn't help much.
>>
>> Anyone an idea how I can make sure a user is not locked out in any way
>> by lots of logins or tries, etc and be able to test it functions
>> allright ?
>
> Setting maxfail to 0 should do it. As for testing, be creative, but be
> sure to test both LDAP bind and kinit.
>
> rob
>
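Rob's advice (maxfail, and testing both LDAP bind and kinit) can be checked against what IPA actually stores on the entry. The following is an added example, not code from this thread or from FreeIPA itself; it models the ipa-lockout evaluation as I understand it: the policy with the lowest priority number among the user's groups wins, otherwise global_policy applies; krbPwdMaxFailure 0 disables lockout; a failure counter older than krbPwdFailureCountInterval, or an administrative unlock later than the last failure, resets the count; and once the count reaches maxfail, a krbPwdLockoutDuration of 0 means locked until an administrator runs ipa user-unlock, whereas a positive duration expires on its own. The policies and entries below are constructed; on a real server the same values come from `ipa pwpolicy-show --user LOGIN` and from the user entry's krbLoginFailedCount, krbLastFailedAuth and krbLastAdminUnlock attributes (reading those usually needs an admin bind).

```python
"""Model of FreeIPA account-lockout evaluation (added illustration, not FreeIPA code)."""
from datetime import datetime, timedelta, timezone


def parse_gtime(value):
    """Parse an LDAP GeneralizedTime such as 20160114141600Z into an aware datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def effective_policy(user_groups, policies):
    """Pick the policy that applies: lowest priority number among the user's
    group policies, else the global policy (the one without a priority)."""
    candidates = [p for p in policies if p["cn"] in user_groups and "cospriority" in p]
    if candidates:
        return min(candidates, key=lambda p: p["cospriority"])
    return next(p for p in policies if p["cn"] == "global_policy")


def lockout_state(entry, policy, now):
    """Return (locked, reason) for one user entry under one policy."""
    maxfail = int(policy.get("krbPwdMaxFailure", 0))
    if maxfail == 0:
        return False, "lockout disabled by policy (maxfail=0)"
    failures = int(entry.get("krbLoginFailedCount", 0))
    last_failed = entry.get("krbLastFailedAuth")
    if failures == 0 or last_failed is None:
        return False, "no recorded failures"
    last_failed = parse_gtime(last_failed)
    unlock = entry.get("krbLastAdminUnlock")
    if unlock and parse_gtime(unlock) >= last_failed:
        return False, "reset by administrative unlock"
    interval = int(policy.get("krbPwdFailureCountInterval", 0))
    if interval and now - last_failed > timedelta(seconds=interval):
        return False, "failure counter expired"
    if failures < maxfail:
        return False, f"{failures}/{maxfail} failures"
    duration = int(policy.get("krbPwdLockoutDuration", 0))
    if duration == 0:
        # Lockout duration 0 does not mean "no lockout": the account stays
        # locked until an administrator runs `ipa user-unlock`.
        return True, "locked until an administrator runs ipa user-unlock"
    until = last_failed + timedelta(seconds=duration)
    if now < until:
        return True, f"locked until {until.isoformat()}"
    return False, "lockout duration elapsed"


def account_status(entry, user_groups, policies, now):
    """Convenience wrapper: which policy applied, and the resulting lockout state."""
    policy = effective_policy(user_groups, policies)
    locked, reason = lockout_state(entry, policy, now)
    return {"policy": policy["cn"], "locked": locked, "reason": reason}


# Constructed policies, shaped like `ipa pwpolicy-show` output (names are assumptions).
POLICIES = [
    {"cn": "global_policy", "krbPwdMaxFailure": 6,
     "krbPwdFailureCountInterval": 60, "krbPwdLockoutDuration": 600},
    {"cn": "api-clients", "cospriority": 10,
     "krbPwdMaxFailure": 0, "krbPwdLockoutDuration": 0},
    {"cn": "admins", "cospriority": 50, "krbPwdMaxFailure": 3,
     "krbPwdFailureCountInterval": 300, "krbPwdLockoutDuration": 0},
]

if __name__ == "__main__":
    now = parse_gtime("20160114150000Z")
    api_user = {"krbLoginFailedCount": 50, "krbLastFailedAuth": "20160114145900Z"}
    print(account_status(api_user, {"api-clients"}, POLICIES, now))
    admin = {"krbLoginFailedCount": 3, "krbLastFailedAuth": "20160114145900Z"}
    print(account_status(admin, {"admins"}, POLICIES, now))
```

A user in both api-clients (priority 10) and admins (priority 50) gets the api-clients policy, which is the kind of "some other group overrules" question to check first when a user is locked despite the policy you expect.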



Re: [Freeipa-users] Samba Authentication progres

2015-12-30 Thread Matt .
Hey Alexander!

I saw your post from some time ago on your G+ page and I see you guys
are really making a lot of progress; there is a lot to do, but it's
great, really!

What you say is right, but I thought this was fixed by the newer SSSD
package from 1.12.2+ or so, need to check that out.

For the moment I cannot move to CentOS for this machine, I can
actually add another VM for Samba with CentOS, but also here I had an
issue in the past, CentOS 7 and IPA 4.

Which version should be working, so Distro (I prefer CentOS), IPA,
SSSD and Samba ?

If I know those, I can fire another test in minutes :)

Thanks and have a great new year ! (With MIT!)

Matt

2015-12-30 16:38 GMT+01:00 Alexander Bokovoy <aboko...@redhat.com>:
> On Wed, 30 Dec 2015, Matt . wrote:
>>
>> Hi John,
>>
>> With which OS, package version and config? On Ubuntu 15.10 I'm not
>> able to, it seems.
>
> That is purely issue of Ubuntu packaging:
> - Samba in Ubuntu 15.10 is built to provide and use libwbclient.so.0.11
> - SSSD in Ubuntu 15.10 is built to provide libwbclient.so.0.12
>   -8<-8<-8<-
> root@u1510:~# ls -la /usr/lib/x86_64-linux-gnu/libwbclient.so.0.11
> -rw-r--r-- 1 root root 43216 Nov 12 18:08
> /usr/lib/x86_64-linux-gnu/libwbclient.so.0.11
> root@u1510:~# ls -la
> /usr/lib/x86_64-linux-gnu/sssd/modules/libwbclient.so.0.12.0 -rw-r--r-- 1
> root root 35032 Sep  7 13:50
> /usr/lib/x86_64-linux-gnu/sssd/modules/libwbclient.so.0.12.0
>   ->8->8->8-
> - There are no alternatives configured to switch libwbclient to use
>   SSSD's version (Ubuntu packaging of Samba doesn't really know that
>   there could be an alternative implementation of libwbclient)
>
> So your Samba wouldn't be able to use the libwbclient provided by SSSD
> directly without special tricks or rebuilding.
>
> Furthermore,
> - Samba in Ubuntu 15.10 is built with Heimdal Kerberos, SSSD is built
>   with MIT Kerberos. When you enroll Ubuntu 15.10 client into FreeIPA,
>   it configures /etc/krb5.conf according to use of MIT Kerberos,
>   including default ccache location to be in the kernel keyring:
>   -8<-8<-8<-
> root@u1510:~# cat /etc/krb5.conf|grep default_ccache_name
>  default_ccache_name = KEYRING:persistent:%{uid}
>   ->8->8->8-
>
> This means that Samba will not be able to see default credentials cache
> as set up by SSSD for the user. Also, if you change default_ccache_name
> to be somewhere on file system, like FILE:/tmp/krb5cc_%{uid}, MIT
> Kerberos has some differences in the internal format of the credentials
> cache and applications compiled against Heimdal kerberos library will
> not be able to see some of the extended details in that ccache. While
> Heimdal and MIT Kerberos are mostly compatible on the wire, there are no
> promises of compatibility here for the credentials caches beyond the
> basics.
>
> Also, libldap is built against Heimdal in Ubuntu 15.10. This means that
> whenever SSSD starts using some advanced features provided by MIT
> Kerberos, LDAP libraries might fail to pick them up for SASL GSSAPI
> authentication. In most cases this would probably work fine but for
> cases like using kernel keyring it would fail miserably as well.
>
> So, really, there are issues with packaging that you might overcome by
> doing manual work of symlinking proper libraries like we did in Fedora
> in coordination between Samba and SSSD packages, but things still might
> not work unless you downgrade a common base to features supported by
> both Heimdal and MIT Kerberos. There are also practical issues of SSSD's
> ldap helper loading both MIT and Heimdal Kerberos code in the same
> process instance -- which is a disaster to happen when a function with
> the same name from one library is called on a structure allocated by
> another library.
>
> A proper solution would be to get Canonical more involved in the work
> we do with move of Samba to use MIT Kerberos for Samba AD as lack of MIT
> Kerberos support in Samba AD is what forces Debian and Ubuntu to stick
> to Heimdal (and Fedora to abstain from packaging Samba AD flavor for
> several years to avoid using Heimdal instead of MIT Kerberos). Until
> that happens, using Fedora/CentOS/RHEL is a better choice.
>
> --
> / Alexander Bokovoy
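An added diagnostic, not Samba, SSSD or FreeIPA code, that automates two of the checks Alexander walks through: which libwbclient.so.0 the installed smbd actually resolves to (Samba's own copy versus the one under SSSD's module directory), and whether default_ccache_name in krb5.conf points at the kernel keyring, which a Heimdal-built smbd cannot read. The functions take text so they run offline against the constructed samples below; executed as a script it runs `ldd` on /usr/sbin/smbd and reads /etc/krb5.conf (the smbd path is an assumption, pass your own as the first argument).

```python
"""Check smbd's libwbclient and the krb5 ccache type (added illustration)."""
import os
import re
import subprocess
import sys

WBCLIENT_RE = re.compile(r"^\s*libwbclient\.so\.0\s*=>\s*(\S+)")


def smbd_wbclient(ldd_output, realpaths):
    """Return (resolved_path, via_sssd) for the libwbclient smbd links against.

    ldd_output: text of `ldd /usr/sbin/smbd`.
    realpaths: mapping of link path -> resolved path (what os.path.realpath gives),
               so symlink chains like libwbclient.so.0 -> libwbclient.so.0.11 are visible.
    """
    for line in ldd_output.splitlines():
        m = WBCLIENT_RE.match(line)
        if m:
            target = realpaths.get(m.group(1), m.group(1))
            return target, "/sssd/" in target
    return None, False


def default_ccache(krb5_conf):
    """Extract default_ccache_name from the [libdefaults] section of a krb5.conf."""
    section = None
    for raw in krb5_conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "libdefaults" and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if key == "default_ccache_name":
                return value
    return None


def findings(ldd_output, realpaths, krb5_conf):
    """Return a list of findings; an empty list means nothing was flagged."""
    out = []
    path, via_sssd = smbd_wbclient(ldd_output, realpaths)
    if path is None:
        out.append("smbd does not link libwbclient.so.0 at all")
    elif not via_sssd:
        out.append(f"smbd resolves libwbclient.so.0 to {path}, not SSSD's copy: "
                   "winbind-style lookups bypass SSSD")
    cc = default_ccache(krb5_conf)
    if cc and cc.upper().startswith("KEYRING:"):
        out.append(f"default_ccache_name is {cc}: a Heimdal-built smbd cannot read "
                   "kernel-keyring ccaches that SSSD/MIT Kerberos populate")
    return out


# Constructed samples mimicking an Ubuntu 15.10 box as described in the thread.
SAMPLE_LDD = """\
\tlinux-vdso.so.1 (0x00007ffd1c3fe000)
\tlibwbclient.so.0 => /usr/lib/x86_64-linux-gnu/libwbclient.so.0 (0x00007f5d2a000000)
\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f5d29c00000)
"""
SAMPLE_REALPATHS = {
    "/usr/lib/x86_64-linux-gnu/libwbclient.so.0": "/usr/lib/x86_64-linux-gnu/libwbclient.so.0.11",
}
SAMPLE_KRB5 = """\
[libdefaults]
 default_realm = EXAMPLE.TEST
 default_ccache_name = KEYRING:persistent:%{uid}
"""

if __name__ == "__main__":
    smbd = sys.argv[1] if len(sys.argv) > 1 else "/usr/sbin/smbd"  # assumption
    ldd_out = subprocess.run(["ldd", smbd], capture_output=True, text=True, check=True).stdout
    paths = {m.group(1): os.path.realpath(m.group(1))
             for m in map(WBCLIENT_RE.match, ldd_out.splitlines()) if m}
    with open("/etc/krb5.conf") as fh:
        krb5 = fh.read()
    for line in findings(ldd_out, paths, krb5) or ["no interop problems flagged"]:
        print(line)
```

The check only covers the symptoms named above; it says nothing about whether the Heimdal/MIT mix inside one process (the SSSD ldap helper case) is present, which needs a look at what libldap itself links against.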



Re: [Freeipa-users] Samba Authentication progres

2015-12-30 Thread Matt .
Hi John,

With which OS, package version and config? On Ubuntu 15.10 I'm not
able to, it seems.

Thanks!

2015-12-30 9:43 GMT+01:00 John Obaterspok <john.obaters...@gmail.com>:
> Hi Matt,
>
> It already works fine to use kerberos ticket to access samba shares.
>
> -- john
>
> 2015-12-28 14:01 GMT+01:00 Matt . <yamakasi@gmail.com>:
>>
>> Hi guys,
>>
>>
>> How is the progress on the Samba (Share) Authentication for FreeIPA?
>>
>> I hope we already have some work around to use the FreeIPA credentials
>> for authing network shares.
>>
>> Matt
>>
>
>



[Freeipa-users] Samba Authentication progres

2015-12-28 Thread Matt .
Hi guys,


How is the progress on the Samba (Share) Authentication for FreeIPA?

I hope we already have some work around to use the FreeIPA credentials
for authing network shares.

Matt



[Freeipa-users] IPA Json Selfsigned certificate

2015-11-06 Thread Matt .
Hi guys,

I'm testing out some installation and want to update my docs.

I'm using a self signed cert and need to talk to the json/api.

Which certs do I need to combine for my request, as I need an issuer too.

The /etc/ipa/ca.crt combined with an export of the webcert ?

Matt
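On the question above: when the IPA web server certificate was issued by the IPA CA (the default install), the only file a client needs is /etc/ipa/ca.crt, passed as the CA bundle; nothing is concatenated with the server certificate. Only if the HTTP server certificate is genuinely self-signed, i.e. not issued by the IPA CA, would the file used as the trust anchor be that server certificate itself. The following is an added example, not FreeIPA's own client library (python-ipalib): a stdlib-only JSON-RPC client that logs in at /ipa/session/login_password with a form POST and then calls /ipa/session/json with the session cookie. The host name, credentials and the API version string are assumptions; a version newer than the server supports is rejected, and omitting it works with a compatibility warning in the response.

```python
"""Minimal FreeIPA JSON-RPC client over HTTPS, trusting the IPA CA (added illustration)."""
import http.cookiejar
import json
import ssl
import urllib.parse
import urllib.request


def make_ssl_context(ca_file="/etc/ipa/ca.crt"):
    """TLS context that trusts only the IPA CA that issued the web server certificate."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def login_request(host, user, password):
    """Form-based session login; the Referer header is required by the IPA web API."""
    data = urllib.parse.urlencode({"user": user, "password": password}).encode()
    req = urllib.request.Request(f"https://{host}/ipa/session/login_password",
                                 data=data, method="POST")
    req.add_header("Referer", f"https://{host}/ipa")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    req.add_header("Accept", "text/plain")
    return req


def rpc_body(method, args=(), options=None, api_version=None):
    """JSON-RPC envelope: params are [positional args, options dict]."""
    opts = dict(options or {})
    if api_version:
        opts["version"] = api_version
    return {"method": method, "params": [list(args), opts], "id": 0}


def rpc_request(host, method, args=(), options=None, api_version=None):
    """Build the request for one API call against the session endpoint (no network)."""
    body = json.dumps(rpc_body(method, args, options, api_version)).encode()
    req = urllib.request.Request(f"https://{host}/ipa/session/json",
                                 data=body, method="POST")
    req.add_header("Referer", f"https://{host}/ipa")
    req.add_header("Content-Type", "application/json")
    req.add_header("Accept", "application/json")
    return req


def ipa_call(host, user, password, method, args=(), options=None,
             api_version=None, ca_file="/etc/ipa/ca.crt"):
    """Log in, issue one call, return its 'result' or raise on an API-level error."""
    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(
        urllib.request.HTTPSHandler(context=make_ssl_context(ca_file)),
        urllib.request.HTTPCookieProcessor(jar),
    )
    opener.open(login_request(host, user, password)).read()   # sets ipa_session cookie
    with opener.open(rpc_request(host, method, args, options, api_version)) as resp:
        reply = json.loads(resp.read())
    if reply.get("error"):
        raise RuntimeError(f"{reply['error'].get('name')}: {reply['error'].get('message')}")
    return reply["result"]


if __name__ == "__main__":
    # Assumed host and credentials; replace before running against a real server.
    result = ipa_call("ipa.example.test", "admin", "Secret123",
                      "user_show", ["admin"], {"all": True}, api_version="2.156")
    print(json.dumps(result, indent=2))
```

With a password obtained from a credential store rather than a literal, this is the shape of what the API user in the lockout thread above would run; a Kerberos ticket plus /ipa/session/login_kerberos is the alternative when the client is enrolled.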



[Freeipa-users] Trust Issues W/ Logins on Windows Desktops

2015-09-30 Thread Matt Wells
Hi all, I hoped I may glean some brilliance from the group.
I have a Freeipa Server sitting atop a Fedora 21 server.  The initial plan
was to replicate users+passwords with Windows 2012R2 server but following
some of the information in the other posts and docs we've moved to a
trust.  The trust has been setup using the documentation and in short it's
worked without issue.  I'm able to get principals from the Windows realm (
marvel.comics.com).  So what I'm attempting and failing to do is
authenticating my IPA users to the Windows 8 desktops.  Ideally I don't
want any users in AD, it's simply there to deliver a GPO and in the next
year it will be phased out and we'll be replacing Windows 8 with linux
desktops.

So
marvel.comics.com = windows
dc.comics.com = freeipa

# rpm -qi freeipa-server
Name: freeipa-server
Version : 4.1.4
Release : 1.fc21
Architecture: x86_64
Install Date: Tue 25 Aug 2015 08:17:56 PM UTC
Group   : System Environment/Base
Size: 4521059
License : GPLv3+
Signature   : RSA/SHA256, Thu 26 Mar 2015 10:58:02 PM UTC, Key ID
89ad4e8795a43f54
Source RPM  : freeipa-4.1.4-1.fc21.src.rpm
Build Date  : Thu 26 Mar 2015 03:16:19 PM UTC
Build Host  : buildhw-07.phx2.fedoraproject.org
[root@freeipaServer slapd-DEV-MOSAIC451-COM]# uname -a
Linux freeipaServer.dc.comics.com 4.1.6-100.fc21.x86_64 #1 SMP Mon Aug 17
22:20:37 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
[root@freeipaServer slapd-DEV-MOSAIC451-COM]# cat /etc/redhat-release
Fedora release 21 (Twenty One)

To cut to the chase here's me logging into a Windows 8 desktop system.  I
try to login 3 different ways; this system is a member of the marvel
domain.  Time is extremely close, close enough that I feel really good
about ruling it out.  Any light you all could shed on this would be
outstanding.  Thank you all for your time on this, I really appreciate all
the time and effort this team puts into reading these posts.

Username: dc/greenlantern
Password: 

[root@freeipaServer slapd-DC-COMICS-COM]# tail -f * | egrep --color -i
greenlantern
[30/Sep/2015:17:55:33 +] conn=1172 op=46 SRCH
base="dc=dc,dc=comics,dc=com" scope=2
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=greenlantern@dc
)(krbPrincipalName=greenlantern@dc)))" attrs="krbPrincipalName
krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey
krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration
krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange
krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth
krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences
krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock
passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink
objectClass"

Username: greenlanter@dc
Password: 


[30/Sep/2015:17:59:48 +] conn=1172 op=86 SRCH
base="dc=dc,dc=comics,dc=com" scope=2
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=greenlantern@dc
)(krbPrincipalName=greenlantern@dc)))" attrs="krbPrincipalName
krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey
krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration
krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange
krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth
krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences
krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock
passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink
objectClass"


Username: greenlan...@dc.comics.com
Password: 

[30/Sep/2015:17:59:35 +] conn=1172 op=84 SRCH
base="dc=dc,dc=comics,dc=com" scope=2
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=greenlantern\5...@dc.comics.com
@DC.COMICS.COM 
)(krbPrincipalName=greenlantern\5...@dc.comics.com@DC.COMICS.COM
)))" attrs="krbPrincipalName krbCanonicalName
ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey krbTicketPolicyReference
krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference
krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases
krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData
krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife
krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData
ipaUserAuthType ipatokenRadiusConfigLink objectClass"


From what I can tell, everything looks good to wbinfo; we see the domain
and he sees us. In the AD trust I can go under the trust and validate the
trust with no issues.
[root@freeipaServer slapd-MARVEL-COMICS-COM]#  wbinfo --online-status
BUILTIN : online
DC : online
MARVEL : online
[root@freeipaServer slapd-MARVEL-COMICS-COM]# wbinfo --domain-info
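The three access-log searches above differ in the principal the KDC asked the directory for: `greenlantern@dc` for the first two login forms (whatever follows the `@` is taken as the realm, so `dc` rather than `DC.COMICS.COM`), and the enterprise-principal form `greenlantern\@dc.comics.com@DC.COMICS.COM` for the third (the `\5c` in the filter is an LDAP-escaped backslash). An added example, not FreeIPA code, that pulls those lookups out of 389-ds access-log text, undoes the filter escaping and labels each one against the expected realm. The log lines it runs on are constructed in the shape shown above, including one record wrapped across lines the way mail clients wrap them, plus a correctly-formed lookup for contrast.

```python
"""Extract KDC principal lookups from 389-ds access-log SRCH lines (added illustration)."""
import re

SRCH_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) SRCH\b.*?"
    r"\(krbPrincipalName=(?P<princ>[^)]*?)\s*\)"
)
ESC_RE = re.compile(r"\\([0-9a-fA-F]{2})")


def ldap_unescape(value):
    """Undo RFC 4515 filter escaping: \\5c -> backslash, \\2a -> *, \\28 -> (, ..."""
    return ESC_RE.sub(lambda m: chr(int(m.group(1), 16)), value)


def classify(principal, realm):
    """Explain whether a lookup for this principal can match a user of `realm`."""
    name, sep, realm_part = principal.rpartition("@")
    if not sep:
        return "no realm"
    if "@" in name:
        return "enterprise principal (user@domain@REALM form)"
    if realm_part != realm:
        return f"unknown realm {realm_part!r}"
    return "ok"


def principal_lookups(log_text, realm):
    """Return (timestamp, conn, op, principal, verdict) for each SRCH on krbPrincipalName."""
    rows = []
    # A record starts with '[timestamp]'; anything else is a wrapped continuation.
    for record in re.split(r"\n(?=\[)", log_text.strip()):
        record = " ".join(record.split())
        m = SRCH_RE.match(record)
        if not m:
            continue
        princ = ldap_unescape(m.group("princ"))
        rows.append((m.group("ts"), int(m.group("conn")), int(m.group("op")),
                     princ, classify(princ, realm)))
    return rows


# Constructed log excerpt in the format of the thread's output (not the original lines).
SAMPLE_LOG = r"""
[30/Sep/2015:17:55:33 +0000] conn=1172 op=46 SRCH base="dc=dc,dc=comics,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=greenlantern@dc)(krbPrincipalName=greenlantern@dc)))" attrs="krbPrincipalName krbCanonicalName"
[30/Sep/2015:17:59:35 +0000] conn=1172 op=84 SRCH base="dc=dc,dc=comics,dc=com" scope=2
filter="(&(|(objectClass=krbprincipalaux))(|(ipaKrbPrincipalAlias=greenlantern\5c@dc.comics.com@DC.COMICS.COM)(krbPrincipalName=greenlantern\5c@dc.comics.com@DC.COMICS.COM
)))" attrs="krbPrincipalName"
[30/Sep/2015:18:01:02 +0000] conn=1172 op=90 SRCH base="dc=dc,dc=comics,dc=com" scope=2 filter="(&(objectClass=krbprincipal)(|(ipaKrbPrincipalAlias=greenlantern@DC.COMICS.COM)(krbPrincipalName=greenlantern@DC.COMICS.COM)))" attrs="krbPrincipalName"
[30/Sep/2015:18:01:02 +0000] conn=1172 op=90 RESULT err=0 tag=101 nentries=1 etime=0
"""

if __name__ == "__main__":
    for ts, conn, op, princ, verdict in principal_lookups(SAMPLE_LOG, "DC.COMICS.COM"):
        print(f"{ts} conn={conn} op={op} {princ!r}: {verdict}")
```

Run against the real access log with `tail -n 2000 access | python3 thisfile.py` after swapping the sample for `sys.stdin.read()`; pairing each op with its RESULT line (nentries=0 versus 1) tells you whether the lookup found anything.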

[Freeipa-users] What todo when a company/domain name should be changed ?

2015-09-27 Thread Matt .
Hi All,

I'm investigating what the possibilities are when you have an existing
domain/realm and the company name is changed, so the domain should be
also. I came on this idea because I wanted to know how flexible the
integration is here.

As we use in my opinion a very simple and dumb node setup, we are very
able to move around as we want, but how is this done at other
companies ?

To start with DNS, I would set up a new IPA server with the new domain
and forward this domain from the old IPA server, then start moving over
servers and create a new host key for them. As load balancers are in
place in lots of setups, this is very easy to do without downtime.

I'm more wondering about how the users and their related groups can be
moved over, or would this be done using migrate-ds or something? As
the domain changes, so does the dc= string too... the reference of the
groups is missing.

I hope someone can make this more clear as I think this is good
knowledge to have upfront anything and any case.

Thanks!

matt
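An added illustration of the DN problem raised above, not an IPA tool and not a substitute for ipa migrate-ds (which reads users and groups from the old server over LDAP and recreates them under the new suffix, with users re-entering their password once through the migration page so Kerberos keys for the new realm can be generated; keys and krbPrincipalName values cannot be carried over since they embed the old realm). The point it shows: every DN-valued attribute in an export, group member and user memberOf included, ends in the old suffix and has to be rewritten together with the entry DNs, and anything still pointing at an entry that was not exported is a dangling reference you want to see before importing. The suffixes and the LDIF records are constructed.

```python
"""Rewrite an LDIF export from one suffix to another and find dangling references."""
import base64

OLD = "dc=oldcorp,dc=example"   # assumed old suffix
NEW = "dc=newcorp,dc=example"   # assumed new suffix
DN_ATTRS = {"dn", "member", "memberof", "memberuser", "memberhost",
            "managedby", "seealso", "owner"}


def _logical_lines(text):
    """Unfold LDIF: a line starting with a single space continues the previous one."""
    buf = None
    for raw in text.splitlines():
        if raw.startswith(" ") and buf is not None:
            buf += raw[1:]
            continue
        if buf is not None:
            yield buf
        buf = raw
    if buf is not None:
        yield buf


def parse_ldif(text):
    """Minimal LDIF reader: list of records, each a list of (attr, value) tuples."""
    records, current = [], []
    for line in _logical_lines(text):
        if line.strip() == "":
            if current:
                records.append(current)
                current = []
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):                       # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode()
        else:
            value = value.strip()
        current.append((attr.strip(), value))
    if current:
        records.append(current)
    return records


def rewrite_dn(value, old, new):
    """Swap the suffix at the end of a DN; DN comparison is case-insensitive."""
    if value.lower().endswith(old.lower()):
        return value[: len(value) - len(old)] + new
    return value


def rewrite_records(records, old=OLD, new=NEW):
    """Rewrite entry DNs and every DN-valued attribute so references stay consistent."""
    return [[(attr, rewrite_dn(value, old, new) if attr.lower() in DN_ATTRS else value)
             for attr, value in rec] for rec in records]


def dangling_members(records):
    """member/memberOf values that point at no entry present in the export."""
    dns = {value.lower() for rec in records for attr, value in rec if attr.lower() == "dn"}
    return [value for rec in records for attr, value in rec
            if attr.lower() in ("member", "memberof") and value.lower() not in dns]


def to_ldif(records):
    """Serialise records back to LDIF, base64-encoding values LDIF cannot carry plainly."""
    chunks = []
    for rec in records:
        lines = []
        for attr, value in rec:
            if value != value.strip() or not value.isascii() or value.startswith(("<", ":")):
                lines.append(f"{attr}:: {base64.b64encode(value.encode()).decode()}")
            else:
                lines.append(f"{attr}: {value}")
        chunks.append("\n".join(lines))
    return "\n\n".join(chunks) + "\n"


# Constructed export from the old suffix (not data from the thread).
SAMPLE_LDIF = """\
# constructed export
dn: uid=matt,cn=users,cn=accounts,dc=oldcorp,dc=example
objectClass: posixaccount
uid: matt
description: a folded description that continues
  on the next line
memberOf: cn=admins,cn=groups,cn=accounts,dc=oldcorp,dc=example

dn: cn=admins,cn=groups,cn=accounts,dc=oldcorp,dc=example
objectClass: groupofnames
cn: admins
member: uid=matt,cn=users,cn=accounts,dc=oldcorp,dc=example
member: uid=ghost,cn=users,cn=accounts,dc=oldcorp,dc=example
"""

if __name__ == "__main__":
    moved = rewrite_records(parse_ldif(SAMPLE_LDIF))
    print(to_ldif(moved))
    print("dangling:", dangling_members(moved))
```

In a real IPA, memberOf is maintained by the server's memberOf plugin and is not imported directly; it is included here only because it is one more place the old suffix hides.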



Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-09-23 Thread Matt .
Hi Guys,

Please keep this topic updated as many people seem to have this question.

What's the status at your side ?

Cheers,

Matt

2015-09-04 15:27 GMT+02:00 Matt . <yamakasi@gmail.com>:
> Hi,
>
> Does everyone have this working or given up on it?
>
> Cheers,
>
> Matt
>
> 2015-08-26 20:07 GMT+02:00 Matt . <yamakasi@gmail.com>:
>> Chris,
>>
>> How far are you on this ? I'm stuck atm :(
>>
>> I hope you have some reference notes to follow and check out.
>>
>> Thanks!
>>
>> Matt
>>
>> 2015-08-20 22:15 GMT+02:00 Matt . <yamakasi@gmail.com>:
>>> Hi Chris,
>>>
>>> Would be great to see!
>>>
>>> If I have it working and we have 2-3 testcases I think we can add it
>>> to the IPA docs!
>>>
>>> Keep me updated!
>>>
>>> Thanks
>>>
>>> Matt
>>>
>>> 2015-08-20 8:49 GMT+02:00 Christopher Lamb <christopher.l...@ch.ibm.com>:
>>>> Matt
>>>>
>>>> Once I got Samba and FreeIPA integrated (by the "good old extensions"
>>>> path), I always use FreeIPA to administer users. I have never tried the
>>>> samba tools like smbpasswd.
>>>>
>>>> I still have a wiki how-to in the works, but I had to focus on some other
>>>> issues for a while.
>>>>
>>>> Chris
>>>>
>>>>
>>>>
>>>> From:   "Matt ." <yamakasi@gmail.com>
>>>> To: Youenn PIOLET <piole...@gmail.com>
>>>> Cc: Christopher Lamb/Switzerland/IBM@IBMCH,
>>>> "freeipa-users@redhat.com" <freeipa-users@redhat.com>
>>>> Date:   20.08.2015 08:12
>>>> Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>>>
>>>>
>>>>
>>>> HI Guys,
>>>>
>>>> Anyone still a working clue/test here ?
>>>>
>>>> I didn't get any further, as it seems there needs to be some domain join /
>>>> match, following the freeipa devs.
>>>>
>>>> Thanks!
>>>>
>>>> Matt
>>>>
>>>> 2015-08-13 13:09 GMT+02:00 Matt . <yamakasi@gmail.com>:
>>>>> Hi,
>>>>>
>>>>> I might have found something which I already saw in the logs.
>>>>>
>>>>> I did a smbpasswd my username on the samba server, it connects to ldap
>>>>> very well. I give my new password and get the following:
>>>>>
>>>>> smbldap_search_ext: base => [dc=my,dc=domain], filter =>
>>>>> [(&(objectClass=ipaNTGroupAttrs)(|
>>>> (ipaNTSecurityIdentifier=S-1my--sid---)))],
>>>>> scope => [2]
>>>>> Attribute [displayName] not found.
>>>>> Could not retrieve 'displayName' attribute from cn=Default SMB
>>>>> Group,cn=groups,cn=accounts,dc=my,dc=domain
>>>>> Sid S-1my--sid--- -> MYDOMAIN\Default SMB Group(2)
>>>>>
>>>>> So something is missing!
>>>>>
>>>>> Thanks so far guys!
>>>>>
>>>>> Cheers,
>>>>>
>>>>> Matt
>>>>>
>>>>> 2015-08-13 12:02 GMT+02:00 Matt . <yamakasi@gmail.com>:
>>>>>> Hi Youenn,
>>>>>>
>>>>>> OK thanks! This takes me a little bit further now and I see some good
>>>>>> stuff in my logging.
>>>>>>
>>>>>> I'm testing on a Windows 10 Machine which is not member of an AD or
>>>>>> so, so that might be my issue for now ?
>>>>>>
>>>>>> When testing on the samba box itself as my user I get:
>>>>>>
>>>>>>
>>>>>> [myusername@smb-01 ~]$ smbclient //smb-01.domain.local/shares
>>>>>>
>>>>>> ...
>>>>>> Checking NTLMSSP password for MSP\myusername failed:
>>>> NT_STATUS_WRONG_PASSWORD
>>>>>> ...
>>>>>> SPNEGO login failed: NT_STATUS_WRONG_PASSWORD
>>>>>>
>>>>>>
>>>>>> Maybe I have an issue with encrypted passwords ?
>>>>>>
>>>>>>
>>>>>> When we have this all working, I think we have a howto :D
>>>>>>
>>>>>> Thanks!
>>>>>>
>>>>>> Matt
>>>&

Re: [Freeipa-users] AD Trust Issues

2015-09-14 Thread Matt Wells
Is the fix in CentOS or RHEL yet?

On Fri, Sep 11, 2015 at 1:34 PM, Alexander Bokovoy <aboko...@redhat.com>
wrote:

> On Fri, 11 Sep 2015, Matt Wells wrote:
>
>> I've been working on an AD trust with our freeipa servers but have run
>> into
>> some of the same issues others have had.
>> It's well documented here however I feel I've mitigated these -
>> https://bugzilla.redhat.com/show_bug.cgi?id=1219832
>>
>> Freeipa Servers are Fedora 22 / freeipa-server-4.2.0
>> The Samba version I'm on is well past the patched version.  It seems the
>> patch is in samba-4.2.1-7.fc22 and I'm on samba-4.2.3-0 (assuming the
>> patch
>> is in this version).
>>
>> I run
>> # echo Password123 | ipa trust-add --type=ad ad.example.com
>> --trust-secret
>> ipa: ERROR: CIFS server configuration does not allow access to
>> \\pipe\lsarpc
>>
> This was looking like a partial fix. The full fix is in Fedora 23 with
> FreeIPA 4.2.1 release (we haven't officially announced it yet).
>
> We were all busy at FreeIPA/SSSD gathering in Brno this week so there
> wasn't really time to do Fedora 22 backport of the fixes yet.
>
> --
> / Alexander Bokovoy
>



-- 
Matt Wells
Chief Systems Architect
RHCA, RHCVA - #110-000-353
(702) 808-0424
matt.we...@mosaic451.com
 Las Vegas | Phoenix | Portland Mosaic451.com

Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-09-04 Thread Matt .
Hi,

Does everyone have this working or given up on it?

Cheers,

Matt

2015-08-26 20:07 GMT+02:00 Matt . <yamakasi@gmail.com>:
> Chris,
>
> How far are you on this ? I'm stuck atm :(
>
> I hope you have some reference notes to follow and check out.
>
> Thanks!
>
> Matt
>
> 2015-08-20 22:15 GMT+02:00 Matt . <yamakasi@gmail.com>:
>> Hi Chris,
>>
>> Would be great to see!
>>
>> If I have it working and we have 2-3 testcases I think we can add it
>> to the IPA docs!
>>
>> Keep me updated!
>>
>> Thanks
>>
>> Matt
>>
>> 2015-08-20 8:49 GMT+02:00 Christopher Lamb <christopher.l...@ch.ibm.com>:
>>> Matt
>>>
>>> Once I got Samba and FreeIPA integrated (by the "good old extensions"
>>> path), I always use FreeIPA to administer users. I have never tried the
>>> samba tools like smbpasswd.
>>>
>>> I still have a wiki how-to in the works, but I had to focus on some other
>>> issues for a while.
>>>
>>> Chris
>>>
>>>
>>>
>>> From:   "Matt ." <yamakasi@gmail.com>
>>> To: Youenn PIOLET <piole...@gmail.com>
>>> Cc: Christopher Lamb/Switzerland/IBM@IBMCH,
>>> "freeipa-users@redhat.com" <freeipa-users@redhat.com>
>>> Date:   20.08.2015 08:12
>>> Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>>
>>>
>>>
>>> HI Guys,
>>>
>>> Anyone still a working clue/test here ?
>>>
>>> I didn't get any further, as it seems there needs to be some domain join /
>>> match, following the freeipa devs.
>>>
>>> Thanks!
>>>
>>> Matt
>>>
>>> 2015-08-13 13:09 GMT+02:00 Matt . <yamakasi@gmail.com>:
>>>> Hi,
>>>>
>>>> I might have found something which I already saw in the logs.
>>>>
>>>> I did a smbpasswd my username on the samba server, it connects to ldap
>>>> very well. I give my new password and get the following:
>>>>
>>>> smbldap_search_ext: base => [dc=my,dc=domain], filter =>
>>>> [(&(objectClass=ipaNTGroupAttrs)(|
>>> (ipaNTSecurityIdentifier=S-1my--sid---)))],
>>>> scope => [2]
>>>> Attribute [displayName] not found.
>>>> Could not retrieve 'displayName' attribute from cn=Default SMB
>>>> Group,cn=groups,cn=accounts,dc=my,dc=domain
>>>> Sid S-1my--sid--- -> MYDOMAIN\Default SMB Group(2)
>>>>
>>>> So something is missing!
>>>>
>>>> Thanks so far guys!
>>>>
>>>> Cheers,
>>>>
>>>> Matt
>>>>
>>>> 2015-08-13 12:02 GMT+02:00 Matt . <yamakasi@gmail.com>:
>>>>> Hi Youenn,
>>>>>
>>>>> OK thanks! This takes me a little bit further now and I see some good
>>>>> stuff in my logging.
>>>>>
>>>>> I'm testing on a Windows 10 Machine which is not member of an AD or
>>>>> so, so that might be my issue for now ?
>>>>>
>>>>> When testing on the samba box itself as my user I get:
>>>>>
>>>>>
>>>>> [myusername@smb-01 ~]$ smbclient //smb-01.domain.local/shares
>>>>>
>>>>> ...
>>>>> Checking NTLMSSP password for MSP\myusername failed:
>>> NT_STATUS_WRONG_PASSWORD
>>>>> ...
>>>>> SPNEGO login failed: NT_STATUS_WRONG_PASSWORD
>>>>>
>>>>>
>>>>> Maybe I have an issue with encrypted passwords ?
>>>>>
>>>>>
>>>>> When we have this all working, I think we have a howto :D
>>>>>
>>>>> Thanks!
>>>>>
>>>>> Matt
>>>>>
>>>>> 2015-08-13 10:53 GMT+02:00 Youenn PIOLET <piole...@gmail.com>:
>>>>>> Hi Matt
>>>>>>
>>>>>> - CentOS : Did you copy ipasam.so and change your smb.conf accordingly?
>>>>>> sambaSamAccount is not needed anymore that way.
>>>>>> - Default IPA Way : won't work if your Windows is not part of a domain
>>>>>> controller. DOMAIN\username may work for some users using Windows 7 -
>>> not 8
>>>>>> nor 10 (it did for me but I was the only one at the office... quite
>>> useless)
>>>>>>

Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-08-26 Thread Matt .
Chris,

How far are you on this ? I'm stuck atm :(

I hope you have some reference notes to follow and check out.

Thanks!

Matt

2015-08-20 22:15 GMT+02:00 Matt . yamakasi@gmail.com:
 Hi Chris,

 Would be great to see!

 If I have it working and we have 2-3 testcases I think we can add it
 to the IPA docs!

 Keep me updated!

 Thanks

 Matt

 2015-08-20 8:49 GMT+02:00 Christopher Lamb christopher.l...@ch.ibm.com:
 Matt

 Once I got Samba and FreeIPA integrated (by the good old extensions
 path), I always use FreeIPA to administer users. I have never tried the
 samba tools like smbpasswd.

 I still have a wiki how-to in the works, but I had to focus on some other
 issues for a while.

 Chris



 From:   Matt . yamakasi@gmail.com
 To: Youenn PIOLET piole...@gmail.com
 Cc: Christopher Lamb/Switzerland/IBM@IBMCH,
 freeipa-users@redhat.com freeipa-users@redhat.com
 Date:   20.08.2015 08:12
 Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA



 HI Guys,

 Anyone still a working clue/test here ?

 I didn't get any further, as it seems there needs to be some domain join /
 match, following the freeipa devs.

 Thanks!

 Matt

 2015-08-13 13:09 GMT+02:00 Matt . yamakasi@gmail.com:
 Hi,

 I might have found something which I already saw in the logs.

 I did a smbpasswd my username on the samba server, it connects to ldap
 very well. I give my new password and get the following:

 smbldap_search_ext: base => [dc=my,dc=domain], filter =>
 [(&(objectClass=ipaNTGroupAttrs)(|
 (ipaNTSecurityIdentifier=S-1my--sid---)))],
 scope => [2]
 Attribute [displayName] not found.
 Could not retrieve 'displayName' attribute from cn=Default SMB
 Group,cn=groups,cn=accounts,dc=my,dc=domain
 Sid S-1my--sid--- -> MYDOMAIN\Default SMB Group(2)

 So something is missing!

 Thanks so far guys!

 Cheers,

 Matt

 2015-08-13 12:02 GMT+02:00 Matt . yamakasi@gmail.com:
 Hi Youenn,

 OK thanks! This takes me a little bit further now and I see some good
 stuff in my logging.

 I'm testing on a Windows 10 Machine which is not member of an AD or
 so, so that might be my issue for now ?

 When testing on the samba box itself as my user I get:


 [myusername@smb-01 ~]$ smbclient //smb-01.domain.local/shares

 ...
 Checking NTLMSSP password for MSP\myusername failed:
 NT_STATUS_WRONG_PASSWORD
 ...
 SPNEGO login failed: NT_STATUS_WRONG_PASSWORD


 Maybe I have an issue with encrypted passwords ?


 When we have this all working, I think we have a howto :D

 Thanks!

 Matt

 2015-08-13 10:53 GMT+02:00 Youenn PIOLET piole...@gmail.com:
 Hi Matt

 - CentOS : Did you copy ipasam.so and change your smb.conf accordingly?
 sambaSamAccount is not needed anymore that way.
 - Default IPA Way : won't work if your Windows is not part of a domain
 controller. DOMAIN\username may work for some users using Windows 7 -
 not 8
 nor 10 (it did for me but I was the only one at the office... quite
 useless)

 This config may work on your CentOS (for the ipasam way):
 workgroup = TEST
 realm = TEST.NET
 kerberos method = dedicated keytab
 dedicated keytab file = FILE:/./samba.keytab
 create krb5 conf = no
 security = user
 encrypt passwords = true
 passdb backend = ipasam:ldaps://youripa.test.net
 ldapsam:trusted = yes
 ldapsuffix = test.net
 ldap user suffix = cn=users,cn=accounts
 ldap group suffix = cn=groups,cn=accounts


 --
 Youenn Piolet
 piole...@gmail.com


 2015-08-12 22:15 GMT+02:00 Matt . yamakasi@gmail.com:

 Hi,

 OK the default IPA way works great actually when testing it as
 described
 here:


 http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA

 On the samba server I can auth and see my share where I want to
 connect
 to.

 The issue is, on Windows I cannot auth, even when I do DOMAIN\username
 as username

 So, the IPA way should work.

 Any comments here ?

 Cheers,

 Matt

 2015-08-12 19:00 GMT+02:00 Matt . yamakasi@gmail.com:
  HI GUys,
 
  I'm testing this out and I think I almost setup, this on a CentOS
 samba
  server.
 
  I'm using the ipa-adtrust way of Youeen but it seems we still need
 to
  add (objectclass=sambaSamAccount)) ?
 
  Info is welcome!
 
  I will report back when I have it working.
 
  Thanks!
 
  Matt
 
  2015-08-10 11:16 GMT+02:00 Christopher Lamb
  christopher.l...@ch.ibm.com:
  The next route I will try - is the one Youeen took, using
 ipa-adtrust
 
 
 
  From:   Matt . yamakasi@gmail.com
  To: Christopher Lamb/Switzerland/IBM@IBMCH,
  freeipa-users@redhat.com freeipa-users@redhat.com
  Date:   10.08.2015 10:03
  Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth
 against
  IPA
 
 
 
  Hi Chris,
 
  Okay this is good to hear.
 
  But don't we want a IPA managed Scheme ?
 
  When I did a ipa-adtrust-install --add-sids it also wanted a
 local
  installed Samba and I wonder why.
 
  Good that we make some progres on making it all clear.
 
  Cheers,
 
  Matt
 
  2015-08-10 6:12 GMT+02:00 Christopher Lamb

Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-08-20 Thread Matt .
HI Guys,

Anyone still a working clue/test here ?

I didn't get any further, as it seems there needs to be some domain join /
match, following the freeipa devs.

Thanks!

Matt

2015-08-13 13:09 GMT+02:00 Matt . yamakasi@gmail.com:
 Hi,

 I might have found something which I already saw in the logs.

 I did a smbpasswd my username on the samba server, it connects to ldap
 very well. I give my new password and get the following:

 smbldap_search_ext: base => [dc=my,dc=domain], filter =>
 [(&(objectClass=ipaNTGroupAttrs)(|(ipaNTSecurityIdentifier=S-1my--sid---)))],
 scope => [2]
 Attribute [displayName] not found.
 Could not retrieve 'displayName' attribute from cn=Default SMB
 Group,cn=groups,cn=accounts,dc=my,dc=domain
 Sid S-1my--sid--- -> MYDOMAIN\Default SMB Group(2)

 So something is missing!

 Thanks so far guys!

 Cheers,

 Matt

 2015-08-13 12:02 GMT+02:00 Matt . yamakasi@gmail.com:
 Hi Youenn,

 OK thanks! This takes me a little bit further now and I see some good
 stuff in my logging.

 I'm testing on a Windows 10 Machine which is not member of an AD or
 so, so that might be my issue for now ?

 When testing on the samba box itself as my user I get:


 [myusername@smb-01 ~]$ smbclient //smb-01.domain.local/shares

 ...
 Checking NTLMSSP password for MSP\myusername failed: NT_STATUS_WRONG_PASSWORD
 ...
 SPNEGO login failed: NT_STATUS_WRONG_PASSWORD


 Maybe I have an issue with encrypted passwords ?


 When we have this all working, I think we have a howto :D

 Thanks!

 Matt

 2015-08-13 10:53 GMT+02:00 Youenn PIOLET piole...@gmail.com:
 Hi Matt

 - CentOS : Did you copy ipasam.so and change your smb.conf accordingly?
 sambaSamAccount is not needed anymore that way.
 - Default IPA Way : won't work if your Windows is not part of a domain
 controller. DOMAIN\username may work for some users using Windows 7 - not 8
 nor 10 (it did for me but I was the only one at the office... quite useless)

 This config may work on your CentOS (for the ipasam way):
 workgroup = TEST
 realm = TEST.NET
 kerberos method = dedicated keytab
 dedicated keytab file = FILE:/./samba.keytab
 create krb5 conf = no
 security = user
 encrypt passwords = true
 passdb backend = ipasam:ldaps://youripa.test.net
 ldapsam:trusted = yes
 ldapsuffix = test.net
 ldap user suffix = cn=users,cn=accounts
 ldap group suffix = cn=groups,cn=accounts


 --
 Youenn Piolet
 piole...@gmail.com


 2015-08-12 22:15 GMT+02:00 Matt . yamakasi@gmail.com:

 Hi,

 OK the default IPA way works great actually when testing it as described
 here:

 http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA

 On the samba server I can auth and see my share where I want to connect
 to.

 The issue is, on Windows I cannot auth, even when I do DOMAIN\username
 as username

 So, the IPA way should work.

 Any comments here ?

 Cheers,

 Matt

 2015-08-12 19:00 GMT+02:00 Matt . yamakasi@gmail.com:
  HI GUys,
 
  I'm testing this out and I think I almost setup, this on a CentOS samba
  server.
 
  I'm using the ipa-adtrust way of Youeen but it seems we still need to
  add (objectclass=sambaSamAccount)) ?
 
  Info is welcome!
 
  I will report back when I have it working.
 
  Thanks!
 
  Matt
 
  2015-08-10 11:16 GMT+02:00 Christopher Lamb
  christopher.l...@ch.ibm.com:
  The next route I will try - is the one Youeen took, using ipa-adtrust
 
 
 
  From:   Matt . yamakasi@gmail.com
  To: Christopher Lamb/Switzerland/IBM@IBMCH,
  freeipa-users@redhat.com freeipa-users@redhat.com
  Date:   10.08.2015 10:03
  Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against
  IPA
 
 
 
  Hi Chris,
 
  Okay this is good to hear.
 
  But don't we want a IPA managed Scheme ?
 
  When I did a ipa-adtrust-install --add-sids it also wanted a local
  installed Samba and I wonder why.
 
  Good that we make some progres on making it all clear.
 
  Cheers,
 
  Matt
 
  2015-08-10 6:12 GMT+02:00 Christopher Lamb
  christopher.l...@ch.ibm.com:
  ldapsam + the samba extensions, pretty much as described in the
  Techslaves
  article. Once I have a draft for the wiki page, I will mail you.
 
 
 
  From:   Matt . yamakasi@gmail.com
  To: Christopher Lamb/Switzerland/IBM@IBMCH,
  freeipa-users@redhat.com freeipa-users@redhat.com
  Date:   09.08.2015 21:17
  Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against
  IPA
 
 
 
  Hi,
 
  Yes I know about anything but which way did you use now ?
 
 
 
  2015-08-09 20:56 GMT+02:00 Christopher Lamb
  christopher.l...@ch.ibm.com:
  Hi Matt
 
  I am on OEL 7.1. - so anything that works on that should be good for
  RHEL
  and Centos 7.x
 
  I intend to add a how-to to the FreeIPA Wiki over the next few days.
  As
  we
  have suggested earlier, we will likely end up with several, one for
  each
  of
  the possible integration paths.
 
  Chris
 
 
 
 
 
  From:   Matt . yamakasi@gmail.com
  To: Christopher Lamb/Switzerland/IBM@IBMCH

Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-08-20 Thread Matt .
Hi Chris,

Would be great to see!

If I have it working and we have 2-3 testcases I think we can add it
to the IPA docs!

Keep me updated!

Thanks

Matt

2015-08-20 8:49 GMT+02:00 Christopher Lamb christopher.l...@ch.ibm.com:
 Matt

 Once I got Samba and FreeIPA integrated (by the good old extensions
 path), I always use FreeIPA to administer users. I have never tried the
 samba tools like smbpasswd.

 I still have a wiki how-to in the works, but I had to focus on some other
 issues for a while.

 Chris



 From:   Matt . yamakasi@gmail.com
 To: Youenn PIOLET piole...@gmail.com
 Cc: Christopher Lamb/Switzerland/IBM@IBMCH,
 freeipa-users@redhat.com freeipa-users@redhat.com
 Date:   20.08.2015 08:12
 Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA



 HI Guys,

 Anyone still a working clue/test here ?

 I didn't get further, as it seems there needs to be some domain join /
 match according to the freeipa devs.

 Thanks!

 Matt

 2015-08-13 13:09 GMT+02:00 Matt . yamakasi@gmail.com:
 Hi,

 I might have found something which I had already seen in the logs.
 
 I ran smbpasswd for my username on the samba server; it connects to ldap
 very well. I give my new password and get the following:

 smbldap_search_ext: base = [dc=my,dc=domain], filter =
 [((objectClass=ipaNTGroupAttrs)(|
 (ipaNTSecurityIdentifier=S-1my--sid---)))],
 scope = [2]
 Attribute [displayName] not found.
 Could not retrieve 'displayName' attribute from cn=Default SMB
 Group,cn=groups,cn=accounts,dc=my,dc=domain
 Sid S-1my--sid--- - MYDOMAIN\Default SMB Group(2)

 So something is missing!

 Thanks so far guys!

 Cheers,

 Matt

 2015-08-13 12:02 GMT+02:00 Matt . yamakasi@gmail.com:
 Hi Youenn,

 OK thanks! this takes me a little bit further now and I see some good
 stuff in my logging.
 
 I'm testing on a Windows 10 Machine which is not a member of an AD or
 so, so that might be my issue for now ?

 When testing on the samba box itself as my user I get:


 [myusername@smb-01 ~]$ smbclient //smb-01.domain.local/shares

 ...
 Checking NTLMSSP password for MSP\myusername failed:
 NT_STATUS_WRONG_PASSWORD
 ...
 SPNEGO login failed: NT_STATUS_WRONG_PASSWORD


 Maybe I have an issue with encrypted passwords ?


 When we have this all working, I think we have a howto :D

 Thanks!

 Matt

 2015-08-13 10:53 GMT+02:00 Youenn PIOLET piole...@gmail.com:
 Hi Matt

 - CentOS : Did you copy ipasam.so and change your smb.conf accordingly?
 sambaSamAccount is not needed anymore that way.
 - Default IPA Way : won't work if your Windows is not part of a domain
 controller. DOMAIN\username may work for some users using Windows 7 -
 not 8
 nor 10 (it did for me but I was the only one at the office... quite
 useless)

 This config may work on your CentOS (for the ipasam way):
 workgroup = TEST
 realm = TEST.NET
 kerberos method = dedicated keytab
 dedicated keytab file = FILE:/./samba.keytab
 create krb5 conf = no
 security = user
 encrypt passwords = true
 passdb backend = ipasam:ldaps://youripa.test.net
 ldapsam:trusted = yes
 ldapsuffix = test.net
 ldap user suffix = cn=users,cn=accounts
 ldap group suffix = cn=groups,cn=accounts


 --
 Youenn Piolet
 piole...@gmail.com


 2015-08-12 22:15 GMT+02:00 Matt . yamakasi@gmail.com:

 Hi,

 OK the default IPA way works great actually when testing it as
 described
 here:


 http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA

 On the samba server I can auth and see my share where I want to
 connect
 to.

 The issue is, on Windows I cannot auth, even when I do DOMAIN\username
 as username

 So, the IPA way should work.

 Any comments here ?

 Cheers,

 Matt

 2015-08-12 19:00 GMT+02:00 Matt . yamakasi@gmail.com:
  Hi guys,
  
  I'm testing this out and I think I've almost set this up, on a CentOS
 samba
  server.
  
  I'm using the ipa-adtrust way of Youenn but it seems we still need
 to
  add (objectclass=sambaSamAccount)) ?
 
  Info is welcome!
 
  I will report back when I have it working.
 
  Thanks!
 
  Matt
 
  2015-08-10 11:16 GMT+02:00 Christopher Lamb
  christopher.l...@ch.ibm.com:
  The next route I will try - is the one Youenn took, using
 ipa-adtrust
 
 
 
  From:   Matt . yamakasi@gmail.com
  To: Christopher Lamb/Switzerland/IBM@IBMCH,
  freeipa-users@redhat.com freeipa-users@redhat.com
  Date:   10.08.2015 10:03
  Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth
 against
  IPA
 
 
 
  Hi Chris,
 
  Okay this is good to hear.
 
  But don't we want an IPA-managed schema?
  
  When I did an ipa-adtrust-install --add-sids it also wanted a
 locally
  installed Samba and I wonder why.
  
  Good that we are making some progress on making it all clear.
 
  Cheers,
 
  Matt
 
  2015-08-10 6:12 GMT+02:00 Christopher Lamb
  christopher.l...@ch.ibm.com:
  ldapsam + the samba extensions, pretty much as described in the
  Techslaves
  article. Once I have a draft for the wiki page, I will mail you.
 
 
 
  From:   Matt

[Freeipa-users] Windows users, Samba Shares - FreeIPA

2015-08-14 Thread Matt .
Hi People,

In reference to my earlier thread about Samba Shares - IPA Auth for
whatever user I'm kinda confused what our options are now (for Windows
users)

I have tried all kinds of things and can't get the right feeling about
how to auth shares for mixed environments.

So, to start a fresh discussion about what's best: what's best?

The ksetup as known on the IPA pages doesn't let me login on Windows
10, so if people can share their working ways for the current version
with would be great!

Thanks,

Matt

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-08-13 Thread Matt .
Hi Youenn,

OK thanks! this takes me a little bit further now and I see some good
stuff in my logging.

I'm testing on a Windows 10 Machine which is not a member of an AD or
so, so that might be my issue for now ?

When testing on the samba box itself as my user I get:


[myusername@smb-01 ~]$ smbclient //smb-01.domain.local/shares

...
Checking NTLMSSP password for MSP\myusername failed: NT_STATUS_WRONG_PASSWORD
...
SPNEGO login failed: NT_STATUS_WRONG_PASSWORD


Maybe I have an issue with encrypted passwords ?


When we have this all working, I think we have a howto :D

Thanks!

Matt

2015-08-13 10:53 GMT+02:00 Youenn PIOLET piole...@gmail.com:
 Hi Matt

 - CentOS : Did you copy ipasam.so and change your smb.conf accordingly?
 sambaSamAccount is not needed anymore that way.
 - Default IPA Way : won't work if your Windows is not part of a domain
 controller. DOMAIN\username may work for some users using Windows 7 - not 8
 nor 10 (it did for me but I was the only one at the office... quite useless)

 This config may work on your CentOS (for the ipasam way):
 workgroup = TEST
 realm = TEST.NET
 kerberos method = dedicated keytab
 dedicated keytab file = FILE:/./samba.keytab
 create krb5 conf = no
 security = user
 encrypt passwords = true
 passdb backend = ipasam:ldaps://youripa.test.net
 ldapsam:trusted = yes
 ldapsuffix = test.net
 ldap user suffix = cn=users,cn=accounts
 ldap group suffix = cn=groups,cn=accounts


 --
 Youenn Piolet
 piole...@gmail.com


 2015-08-12 22:15 GMT+02:00 Matt . yamakasi@gmail.com:

 Hi,

 OK the default IPA way works great actually when testing it as described
 here:

 http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA

 On the samba server I can auth and see my share where I want to connect
 to.

 The issue is, on Windows I cannot auth, even when I do DOMAIN\username
 as username

 So, the IPA way should work.

 Any comments here ?

 Cheers,

 Matt

 2015-08-12 19:00 GMT+02:00 Matt . yamakasi@gmail.com:
  Hi guys,
  
  I'm testing this out and I think I've almost set this up, on a CentOS samba
  server.
  
  I'm using the ipa-adtrust way of Youenn but it seems we still need to
  add (objectclass=sambaSamAccount)) ?
 
  Info is welcome!
 
  I will report back when I have it working.
 
  Thanks!
 
  Matt
 
  2015-08-10 11:16 GMT+02:00 Christopher Lamb
  christopher.l...@ch.ibm.com:
  The next route I will try - is the one Youenn took, using ipa-adtrust
 
 
 
  From:   Matt . yamakasi@gmail.com
  To: Christopher Lamb/Switzerland/IBM@IBMCH,
  freeipa-users@redhat.com freeipa-users@redhat.com
  Date:   10.08.2015 10:03
  Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against
  IPA
 
 
 
  Hi Chris,
 
  Okay this is good to hear.
 
  But don't we want an IPA-managed schema?
  
  When I did an ipa-adtrust-install --add-sids it also wanted a locally
  installed Samba and I wonder why.
  
  Good that we are making some progress on making it all clear.
 
  Cheers,
 
  Matt
 
  2015-08-10 6:12 GMT+02:00 Christopher Lamb
  christopher.l...@ch.ibm.com:
  ldapsam + the samba extensions, pretty much as described in the
  Techslaves
  article. Once I have a draft for the wiki page, I will mail you.
 
 
 
  From:   Matt . yamakasi@gmail.com
  To: Christopher Lamb/Switzerland/IBM@IBMCH,
  freeipa-users@redhat.com freeipa-users@redhat.com
  Date:   09.08.2015 21:17
  Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against
  IPA
 
 
 
  Hi,
 
  Yes I know about anything but which way did you use now ?
 
 
 
  2015-08-09 20:56 GMT+02:00 Christopher Lamb
  christopher.l...@ch.ibm.com:
  Hi Matt
 
  I am on OEL 7.1. - so anything that works on that should be good for
  RHEL
  and Centos 7.x
 
  I intend to add a how-to to the FreeIPA Wiki over the next few days.
  As
  we
  have suggested earlier, we will likely end up with several, one for
  each
  of
  the possible integration paths.
 
  Chris
 
 
 
 
 
  From:   Matt . yamakasi@gmail.com
  To: Christopher Lamb/Switzerland/IBM@IBMCH,
  freeipa-users@redhat.com freeipa-users@redhat.com
  Date:   09.08.2015 16:45
  Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against
  IPA
 
 
 
  Hi Chris,
 
  This sounds great!
 
  What are you using now, both CentOS ? So Samba and FreeIPA ?
 
  Maybe it's good to explain which way you used now in steps too, so we
  can combine or create multiple howto's ?
 
  At least we are going somewhere!
 
  Thanks,
 
  Matt
 
  2015-08-09 14:54 GMT+02:00 Christopher Lamb
  christopher.l...@ch.ibm.com:
  Hi Matt
 
  My test integration of FreeIPA 4.x and Samba 4.x (with the good old
  Samba
  Schema extensions) is up and working, almost flawlessly.
 
  I can add users and groups via the FreeIPA CLI, and they get the
  correct
  ObjectClasses / attributes required for Samba.
 
  So far I have not yet bothered to try the extensions to the WebUI,
  because
  it is currently giving me the classic Your session has

Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-08-13 Thread Matt .
Hi,

I might have found something which I had already seen in the logs.

I ran smbpasswd for my username on the samba server; it connects to ldap
very well. I give my new password and get the following:

smbldap_search_ext: base = [dc=my,dc=domain], filter =
[((objectClass=ipaNTGroupAttrs)(|(ipaNTSecurityIdentifier=S-1my--sid---)))],
scope = [2]
Attribute [displayName] not found.
Could not retrieve 'displayName' attribute from cn=Default SMB
Group,cn=groups,cn=accounts,dc=my,dc=domain
Sid S-1my--sid--- - MYDOMAIN\Default SMB Group(2)

So something is missing!

Thanks so far guys!

Cheers,

Matt

2015-08-13 12:02 GMT+02:00 Matt . yamakasi@gmail.com:
 Hi Youenn,

 OK thanks! this takes me a little bit further now and I see some good
 stuff in my logging.
 
 I'm testing on a Windows 10 Machine which is not a member of an AD or
 so, so that might be my issue for now ?

 When testing on the samba box itself as my user I get:


 [myusername@smb-01 ~]$ smbclient //smb-01.domain.local/shares

 ...
 Checking NTLMSSP password for MSP\myusername failed: NT_STATUS_WRONG_PASSWORD
 ...
 SPNEGO login failed: NT_STATUS_WRONG_PASSWORD


 Maybe I have an issue with encrypted passwords ?


 When we have this all working, I think we have a howto :D

 Thanks!

 Matt

 2015-08-13 10:53 GMT+02:00 Youenn PIOLET piole...@gmail.com:
 Hi Matt

 - CentOS : Did you copy ipasam.so and change your smb.conf accordingly?
 sambaSamAccount is not needed anymore that way.
 - Default IPA Way : won't work if your Windows is not part of a domain
 controller. DOMAIN\username may work for some users using Windows 7 - not 8
 nor 10 (it did for me but I was the only one at the office... quite useless)

 This config may work on your CentOS (for the ipasam way):
 workgroup = TEST
 realm = TEST.NET
 kerberos method = dedicated keytab
 dedicated keytab file = FILE:/./samba.keytab
 create krb5 conf = no
 security = user
 encrypt passwords = true
 passdb backend = ipasam:ldaps://youripa.test.net
 ldapsam:trusted = yes
 ldapsuffix = test.net
 ldap user suffix = cn=users,cn=accounts
 ldap group suffix = cn=groups,cn=accounts


 --
 Youenn Piolet
 piole...@gmail.com


 2015-08-12 22:15 GMT+02:00 Matt . yamakasi@gmail.com:

 Hi,

 OK the default IPA way works great actually when testing it as described
 here:

 http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA

 On the samba server I can auth and see my share where I want to connect
 to.

 The issue is, on Windows I cannot auth, even when I do DOMAIN\username
 as username

 So, the IPA way should work.

 Any comments here ?

 Cheers,

 Matt

 2015-08-12 19:00 GMT+02:00 Matt . yamakasi@gmail.com:
  Hi guys,
  
  I'm testing this out and I think I've almost set this up, on a CentOS samba
  server.
  
  I'm using the ipa-adtrust way of Youenn but it seems we still need to
  add (objectclass=sambaSamAccount)) ?
 
  Info is welcome!
 
  I will report back when I have it working.
 
  Thanks!
 
  Matt
 
  2015-08-10 11:16 GMT+02:00 Christopher Lamb
  christopher.l...@ch.ibm.com:
  The next route I will try - is the one Youenn took, using ipa-adtrust
 
 
 
  From:   Matt . yamakasi@gmail.com
  To: Christopher Lamb/Switzerland/IBM@IBMCH,
  freeipa-users@redhat.com freeipa-users@redhat.com
  Date:   10.08.2015 10:03
  Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against
  IPA
 
 
 
  Hi Chris,
 
  Okay this is good to hear.
 
  But don't we want an IPA-managed schema?
  
  When I did an ipa-adtrust-install --add-sids it also wanted a locally
  installed Samba and I wonder why.
  
  Good that we are making some progress on making it all clear.
 
  Cheers,
 
  Matt
 
  2015-08-10 6:12 GMT+02:00 Christopher Lamb
  christopher.l...@ch.ibm.com:
  ldapsam + the samba extensions, pretty much as described in the
  Techslaves
  article. Once I have a draft for the wiki page, I will mail you.
 
 
 
  From:   Matt . yamakasi@gmail.com
  To: Christopher Lamb/Switzerland/IBM@IBMCH,
  freeipa-users@redhat.com freeipa-users@redhat.com
  Date:   09.08.2015 21:17
  Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against
  IPA
 
 
 
  Hi,
 
  Yes I know about anything but which way did you use now ?
 
 
 
  2015-08-09 20:56 GMT+02:00 Christopher Lamb
  christopher.l...@ch.ibm.com:
  Hi Matt
 
  I am on OEL 7.1. - so anything that works on that should be good for
  RHEL
  and Centos 7.x
 
  I intend to add a how-to to the FreeIPA Wiki over the next few days.
  As
  we
  have suggested earlier, we will likely end up with several, one for
  each
  of
  the possible integration paths.
 
  Chris
 
 
 
 
 
  From:   Matt . yamakasi@gmail.com
  To: Christopher Lamb/Switzerland/IBM@IBMCH,
  freeipa-users@redhat.com freeipa-users@redhat.com
  Date:   09.08.2015 16:45
  Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against
  IPA
 
 
 
  Hi Chris,
 
  This sounds great!
 
  What are you using now, both CentOS ? So Samba
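
The smb.conf Youenn posted (quoted above, more than once in this thread) is the whole of the ipasam configuration, so a small lint is worth having before touching a live server. What follows is an added example, not code from the thread, from Samba or from FreeIPA; the host names and the three sample configs are constructed from the posted snippet. It normalises parameter names the way Samba does (`ldapsuffix` and `ldap suffix` are the same key), flags a `passdb backend` URL that is not `ldaps://` (smbd pulls each user's ipaNTHash over that connection, so plain `ldap://` exposes NT hashes on the wire), and flags `ldapsuffix = test.net`, because Samba's `ldap suffix` parameter takes a base DN such as `dc=test,dc=net`, not a DNS name.

```python
"""Lint an smb.conf for the ipasam (FreeIPA passdb backend) integration path.

Added example: this is not code from the thread, from Samba or from FreeIPA.
The checks encode the settings Youenn posted, plus the caveat a reviewer would
add: smbd reads each user's ipaNTHash over the passdb LDAP connection, so that
URL must be ldaps://, never plain ldap://. Host names and the sample configs
below are constructed.
"""
import re
from urllib.parse import urlsplit


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {param: value}}.

    Samba matches parameter names case-insensitively and ignores whitespace
    inside them ('ldapsuffix' == 'ldap suffix'), so keys are normalised the
    same way. Lines starting with '#' or ';' are comments; parameters before
    the first section header are taken as [global].
    """
    sections = {"global": {}}
    current = "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" not in line:
            raise ValueError(f"not a 'name = value' line: {raw!r}")
        key, value = line.split("=", 1)
        key = re.sub(r"\s+", "", key).lower()
        sections[current][key] = value.strip()
    return sections


def lint_ipasam_config(text):
    """Return a list of findings; an empty list means [global] passes."""
    g = parse_smb_conf(text)["global"]
    findings = []

    backend = g.get("passdbbackend", "")
    if not backend.startswith("ipasam:"):
        findings.append("passdb backend must be 'ipasam:<ldap url>' for the ipasam path")
    else:
        scheme = urlsplit(backend[len("ipasam:"):]).scheme or "no"
        if scheme != "ldaps":
            findings.append(f"passdb backend uses {scheme} scheme; use ldaps:// because "
                            "smbd reads ipaNTHash over this connection")

    if g.get("kerberosmethod", "").lower() != "dedicated keytab":
        findings.append("kerberos method should be 'dedicated keytab' so smbd uses its cifs/ keytab")
    if not g.get("dedicatedkeytabfile", "").startswith("FILE:/"):
        findings.append("dedicated keytab file must be an absolute FILE:/... path")

    if g.get("security", "").lower() != "user":
        findings.append("security must be 'user' so smbd authenticates against the passdb backend")
    if g.get("encryptpasswords", "yes").lower() in ("no", "false", "0"):
        findings.append("encrypt passwords = no would send plaintext; leave it at the default yes")

    realm = g.get("realm", "")
    if not realm or realm != realm.upper():
        findings.append("realm must be the Kerberos realm in upper case")

    if "=" not in g.get("ldapsuffix", ""):
        findings.append("ldap suffix must be a DN such as dc=test,dc=net, not a DNS name")
    for key in ("ldapusersuffix", "ldapgroupsuffix"):
        if not g.get(key):
            findings.append(f"{key} is missing; FreeIPA keeps users and groups under cn=...,cn=accounts")
    return findings


# Constructed from the snippet Youenn posted, with a [global] header added.
POSTED = """\
[global]
workgroup = TEST
realm = TEST.NET
kerberos method = dedicated keytab
dedicated keytab file = FILE:/./samba.keytab
create krb5 conf = no
security = user
encrypt passwords = true
passdb backend = ipasam:ldaps://youripa.test.net
ldapsam:trusted = yes
ldapsuffix = test.net
ldap user suffix = cn=users,cn=accounts
ldap group suffix = cn=groups,cn=accounts
"""

# Same config with a proper DN suffix but the LDAP URL downgraded to plain ldap://.
WEAK = POSTED.replace("ipasam:ldaps://", "ipasam:ldap://").replace(
    "ldapsuffix = test.net", "ldap suffix = dc=test,dc=net")

# Both problems fixed.
HARDENED = POSTED.replace("ldapsuffix = test.net", "ldap suffix = dc=test,dc=net")

if __name__ == "__main__":
    for name, cfg in (("posted", POSTED), ("weak", WEAK), ("hardened", HARDENED)):
        print(name, lint_ipasam_config(cfg) or "OK")
```

Run `testparm -s` on the real file first: Samba's own parser is the authority on what it accepts, and this lint only has an opinion on the ipasam-specific settings (it ignores `ldapsam:trusted` and anything else it does not check).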

Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-08-12 Thread Matt .
Hi,

OK the default IPA way works great actually when testing it as described here:

http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA

On the samba server I can auth and see my share where I want to connect to.

The issue is, on Windows I cannot auth, even when I do DOMAIN\username
as username

So, the IPA way should work.

Any comments here ?

Cheers,

Matt

2015-08-12 19:00 GMT+02:00 Matt . yamakasi@gmail.com:
 Hi guys,
 
 I'm testing this out and I think I've almost set this up, on a CentOS samba
 server.
 
 I'm using the ipa-adtrust way of Youenn but it seems we still need to
 add (objectclass=sambaSamAccount)) ?

 Info is welcome!

 I will report back when I have it working.

 Thanks!

 Matt

 2015-08-10 11:16 GMT+02:00 Christopher Lamb christopher.l...@ch.ibm.com:
 The next route I will try - is the one Youenn took, using ipa-adtrust



 From:   Matt . yamakasi@gmail.com
 To: Christopher Lamb/Switzerland/IBM@IBMCH,
 freeipa-users@redhat.com freeipa-users@redhat.com
 Date:   10.08.2015 10:03
 Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA



 Hi Chris,

 Okay this is good to hear.

 But don't we want an IPA-managed schema?
 
 When I did an ipa-adtrust-install --add-sids it also wanted a locally
 installed Samba and I wonder why.
 
 Good that we are making some progress on making it all clear.

 Cheers,

 Matt

 2015-08-10 6:12 GMT+02:00 Christopher Lamb christopher.l...@ch.ibm.com:
 ldapsam + the samba extensions, pretty much as described in the
 Techslaves
 article. Once I have a draft for the wiki page, I will mail you.



 From:   Matt . yamakasi@gmail.com
 To: Christopher Lamb/Switzerland/IBM@IBMCH,
 freeipa-users@redhat.com freeipa-users@redhat.com
 Date:   09.08.2015 21:17
 Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA



 Hi,

 Yes I know about anything but which way did you use now ?



 2015-08-09 20:56 GMT+02:00 Christopher Lamb
 christopher.l...@ch.ibm.com:
 Hi Matt

 I am on OEL 7.1. - so anything that works on that should be good for
 RHEL
 and Centos 7.x

 I intend to add a how-to to the FreeIPA Wiki over the next few days. As
 we
 have suggested earlier, we will likely end up with several, one for each
 of
 the possible integration paths.

 Chris





 From:   Matt . yamakasi@gmail.com
 To: Christopher Lamb/Switzerland/IBM@IBMCH,
 freeipa-users@redhat.com freeipa-users@redhat.com
 Date:   09.08.2015 16:45
 Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA



 Hi Chris,

 This sounds great!

 What are you using now, both CentOS ? So Samba and FreeIPA ?

 Maybe it's good to explain which way you used now in steps too, so we
 can combine or create multiple howto's ?

 At least we are going somewhere!

 Thanks,

 Matt

 2015-08-09 14:54 GMT+02:00 Christopher Lamb
 christopher.l...@ch.ibm.com:
 Hi Matt

 My test integration of FreeIPA 4.x and Samba 4.x (with the good old
 Samba
 Schema extensions) is up and working, almost flawlessly.

 I can add users and groups via the FreeIPA CLI, and they get the
 correct
 ObjectClasses / attributes required for Samba.

 So far I have not yet bothered to try the extensions to the WebUI,
 because
 it is currently giving me the classic "Your session has expired. Please
 re-login." error which renders the WebUI useless.

 The only problem I have so far encountered managing Samba / FreeIPA
 users
 via FreeIPA CLI commands is with the handling of the attribute
 sambaPwdLastSet. This is the subject of an existing thread, also
 updated
 today.

 There is also an existing alternative to hacking group.py, using Class
 of
 Service (Cos) documented in this thread from February 2015

 https://www.redhat.com/archives/freeipa-users/2015-February/msg00172.html
 .
 I have not yet tried it, but it sounds reasonable.

 Chris





 From:   Matt . yamakasi@gmail.com
 To: Christopher Lamb/Switzerland/IBM@IBMCH
 Cc: freeipa-users@redhat.com freeipa-users@redhat.com, Youenn
 PIOLET piole...@gmail.com
 Date:   06.08.2015 16:19
 Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against
 IPA



 Hi Chris,

 OK, then we might create two different versions of the wiki, I think
 this is nice.

 I'm still figuring out why I get that:

 IPA Error 4205: ObjectclassViolation

 missing attribute sambaGroupType required by object class
 sambaGroupMapping

 Matt

 2015-08-06 16:09 GMT+02:00 Christopher Lamb
 christopher.l...@ch.ibm.com:
 Hi Matt

 As far as I can make out, there are at least 2 viable Samba / FreeIPA
 integration paths.

 The route I took is suited where there is no Active Directory
 involved:
 In
 my case all the Windows, OSX and Linux clients are islands that sit on
 the
 same network.

 The route that Youenn has taken (unless I have got completely the
 wrong
 end
 of the stick) requires Active Directory in the architecture.

 Chris



 From:   Matt . yamakasi@gmail.com
 To: Youenn

Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-08-09 Thread Matt .
Hi,

Yes that is known for SSSD, but there must be another way maybe ?

I wonder what the future is there, as it seems there is none when this
is not changed I guess.



2015-08-09 9:11 GMT+02:00 Jakub Hrozek jhro...@redhat.com:
 On Fri, Aug 07, 2015 at 11:49:24PM +0200, Matt . wrote:
 Hi Alexander,

 Yes I'm on the same path, but for now I would like to get it working
 on Ubuntu for the time being.

 Are you sure Ubuntu is not MIT? We discussed that some time ago
 on IRC and it seemed to be that Ubuntu was built against MIT.

 I talked to the Ubuntu maintainer last week and he said that:
 * SSSD is built against MIT.
 * Samba against Heimdal.



Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-08-09 Thread Matt .
Hi Chris,

This sounds great!

What are you using now, both CentOS ? So Samba and FreeIPA ?

Maybe it's good to explain which way you used now in steps too, so we
can combine or create multiple howto's ?

At least we are going somewhere!

Thanks,

Matt

2015-08-09 14:54 GMT+02:00 Christopher Lamb christopher.l...@ch.ibm.com:
 Hi Matt

 My test integration of FreeIPA 4.x and Samba 4.x (with the good old Samba
 Schema extensions) is up and working, almost flawlessly.

 I can add users and groups via the FreeIPA CLI, and they get the correct
 ObjectClasses / attributes required for Samba.

 So far I have not yet bothered to try the extensions to the WebUI, because
 it is currently giving me the classic "Your session has expired. Please
 re-login." error which renders the WebUI useless.

 The only problem I have so far encountered managing Samba / FreeIPA users
 via FreeIPA CLI commands is with the handling of the attribute
 sambaPwdLastSet. This is the subject of an existing thread, also updated
 today.

 There is also an existing alternative to hacking group.py, using Class of
 Service (Cos) documented in this thread from February 2015
 https://www.redhat.com/archives/freeipa-users/2015-February/msg00172.html.
 I have not yet tried it, but it sounds reasonable.

 Chris





 From:   Matt . yamakasi@gmail.com
 To: Christopher Lamb/Switzerland/IBM@IBMCH
 Cc: freeipa-users@redhat.com freeipa-users@redhat.com, Youenn
 PIOLET piole...@gmail.com
 Date:   06.08.2015 16:19
 Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA



 Hi Chris,

 OK, then we might create two different versions of the wiki, I think
 this is nice.

 I'm still figuring out why I get that:

 IPA Error 4205: ObjectclassViolation

 missing attribute sambaGroupType required by object class
 sambaGroupMapping

 Matt

 2015-08-06 16:09 GMT+02:00 Christopher Lamb christopher.l...@ch.ibm.com:
 Hi Matt

 As far as I can make out, there are at least 2 viable Samba / FreeIPA
 integration paths.

 The route I took is suited where there is no Active Directory involved:
 In
 my case all the Windows, OSX and Linux clients are islands that sit on
 the
 same network.

 The route that Youenn has taken (unless I have got completely the wrong
 end
 of the stick) requires Active Directory in the architecture.

 Chris



 From:   Matt . yamakasi@gmail.com
 To: Youenn PIOLET piole...@gmail.com
 Cc: Christopher Lamb/Switzerland/IBM@IBMCH,
 freeipa-users@redhat.com freeipa-users@redhat.com
 Date:   06.08.2015 14:42
 Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA



 Hi,

 OK, this sounds already quite logical, but I'm still referring to the
 old howto we found earlier, does that one still apply somewhere or not
 at all ?

 Thanks,

 Matt



 2015-08-06 12:23 GMT+02:00 Youenn PIOLET piole...@gmail.com:
 Hey guys,

 I'll try to make a tutorial soon, sorry I'm quite in a rush these
 days :)

 General idea:

 On FreeIPA (4.1)
 - `ipa-adtrust-install --add-sids` (creates ipaNTsecurityidentifier
 attribute, also known as SID)
 - regenerate each user password to build ipaNTHash attribute, not here
 by
 default on users
 - use your ldap browser to check ipaNTHash values are here on user
 objects
 - create a CIFS service for your samba server
 - Create user roles/permissions as described here:


 http://freeipa-users.redhat.narkive.com/ez2uKpFS/authenticate-samba-3-or-4-with-freeipa


 so that CIFS service will be able to read ipaNTsecurityidentifier and
 ipaNTHash attributes in LDAP (ACI)
 - SCP ipasam.so module to your cifs server (this is the magic trick) :
 scp
 /usr/lib64/samba/pdb/ipasam.so
 root@samba-server.domain:/usr/lib64/samba/pdb/ You can also try to
 recompile
 it.

 On SAMBA Server side (CentOS 7...)
 - Install server keytab file for CIFS
 - check ipasam.so is here.
 - check you can read password hash in LDAP with `ldapsearch -Y GSSAPI
 uid=admin ipaNTHash` thanks to kerberos
 - make your smb.conf following the linked thread and restart service

 I don't know if it works in Ubuntu. I know sssd has evolved quickly and
 ipasam may use quite recent functionalities, the best is to just try.
 You
 can read in previous thread : "If you insist on Ubuntu you need to get
 ipasam somewhere, most likely to compile it yourself."

 Make sure your user has ipaNTHash attribute :)

 You may want to debug authentication on samba server, I usually do this:
 `tail -f /var/log/samba/log* | grep username`

 Cheers
 --
 Youenn Piolet
 piole...@gmail.com


 2015-08-05 17:40 GMT+02:00 Matt . yamakasi@gmail.com:

 Hi,

 This sounds great to me too, but a howto would help to make it more
 clear about what you have done here. The thread confuses me a little
 bit.

 Can you paste your commands so we can test out too and report back ?

 Thanks!

 Matt

 2015-08-05 15:18 GMT+02:00 Christopher Lamb
 christopher.l...@ch.ibm.com:
  Hi Youenn
 
  Good news that you have got an integration working

Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-08-09 Thread Matt .
Hi,

Yes I know about anything but which way did you use now ?



2015-08-09 20:56 GMT+02:00 Christopher Lamb christopher.l...@ch.ibm.com:
 Hi Matt

 I am on OEL 7.1. - so anything that works on that should be good for RHEL
 and Centos 7.x

 I intend to add a how-to to the FreeIPA Wiki over the next few days. As we
 have suggested earlier, we will likely end up with several, one for each of
 the possible integration paths.

 Chris





 From:   Matt . yamakasi@gmail.com
 To: Christopher Lamb/Switzerland/IBM@IBMCH,
 freeipa-users@redhat.com freeipa-users@redhat.com
 Date:   09.08.2015 16:45
 Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA



 Hi Chris,

 This sounds great!

 What are you using now, both CentOS ? So Samba and FreeIPA ?

 Maybe it's good to explain which way you used now in steps too, so we
 can combine or create multiple howto's ?

 At least we are going somewhere!

 Thanks,

 Matt

 2015-08-09 14:54 GMT+02:00 Christopher Lamb christopher.l...@ch.ibm.com:
 Hi Matt

 My test integration of FreeIPA 4.x and Samba 4.x (with the good old Samba
 Schema extensions) is up and working, almost flawlessly.

 I can add users and groups via the FreeIPA CLI, and they get the correct
 ObjectClasses / attributes required for Samba.

 So far I have not yet bothered to try the extensions to the WebUI,
 because
 it is currently giving me the classic "Your session has expired. Please
 re-login." error which renders the WebUI useless.

 The only problem I have so far encountered managing Samba / FreeIPA users
 via FreeIPA CLI commands is with the handling of the attribute
 sambaPwdLastSet. This is the subject of an existing thread, also updated
 today.

 There is also an existing alternative to hacking group.py, using Class
 of
 Service (Cos) documented in this thread from February 2015
 https://www.redhat.com/archives/freeipa-users/2015-February/msg00172.html
 .
 I have not yet tried it, but it sounds reasonable.

 Chris





 From:   Matt . yamakasi@gmail.com
 To: Christopher Lamb/Switzerland/IBM@IBMCH
 Cc: freeipa-users@redhat.com freeipa-users@redhat.com, Youenn
 PIOLET piole...@gmail.com
 Date:   06.08.2015 16:19
 Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA



 Hi Chris,

 OK, then we might create two different versions of the wiki, I think
 this is nice.

 I'm still figuring out why I get that:

 IPA Error 4205: ObjectclassViolation

 missing attribute sambaGroupType required by object class
 sambaGroupMapping

 Matt

 2015-08-06 16:09 GMT+02:00 Christopher Lamb
 christopher.l...@ch.ibm.com:
 Hi Matt

 As far as I can make out, there are at least 2 viable Samba / FreeIPA
 integration paths.

 The route I took is suited where there is no Active Directory involved:
 In
 my case all the Windows, OSX and Linux clients are islands that sit on
 the
 same network.

 The route that Youenn has taken (unless I have got completely the wrong
 end
 of the stick) requires Active Directory in the architecture.

 Chris



 From:   Matt . yamakasi@gmail.com
 To: Youenn PIOLET piole...@gmail.com
 Cc: Christopher Lamb/Switzerland/IBM@IBMCH,
 freeipa-users@redhat.com freeipa-users@redhat.com
 Date:   06.08.2015 14:42
 Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA



 Hi,

 OK, this sounds already quite logical, but I'm still referring to the
 old howto we found earlier, does that one still apply somewhere or not
 at all ?

 Thanks,

 Matt



 2015-08-06 12:23 GMT+02:00 Youenn PIOLET piole...@gmail.com:
 Hey guys,

 I'll try to make a tutorial soon, sorry I'm quite in a rush these
 days :)

 General idea:

 On FreeIPA (4.1)
 - `ipa-adtrust-install --add-sids` (creates ipaNTsecurityidentifier
 attribute, also known as SID)
 - regenerate each user password to build ipaNTHash attribute, not here
 by
 default on users
 - use your ldap browser to check ipaNTHash values are here on user
 objects
 - create a CIFS service for your samba server
 - Create user roles/permissions as described here:



 http://freeipa-users.redhat.narkive.com/ez2uKpFS/authenticate-samba-3-or-4-with-freeipa



 so that CIFS service will be able to read ipaNTsecurityidentifier and
 ipaNTHash attributes in LDAP (ACI)
 - SCP ipasam.so module to your cifs server (this is the magic trick) :
 scp
 /usr/lib64/samba/pdb/ipasam.so
 root@samba-server.domain:/usr/lib64/samba/pdb/ You can also try to
 recompile
 it.

 On SAMBA Server side (CentOS 7...)
 - Install server keytab file for CIFS
 - check ipasam.so is here.
 - check you can read password hash in LDAP with `ldapsearch -Y GSSAPI
 uid=admin ipaNTHash` thanks to kerberos
 - make your smb.conf following the linked thread and restart service

 I don't know if it works in Ubuntu. I know sssd has evolved quickly and
 ipasam may use quite recent functionalities, the best is to just try.
 You
 can read in previous thread : If you insist on Ubuntu you need to get
 ipasam
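
Youenn's checklist (quoted above) comes down to two attributes per user, ipaNTSecurityIdentifier and ipaNTHash, and his `ldapsearch -Y GSSAPI ... ipaNTHash` is the way to confirm them. As an added example that is not part of the thread or of FreeIPA, the script below parses that ldapsearch output offline and lists every user still missing one of them, which is the first thing to check when smbd logs NT_STATUS_WRONG_PASSWORD for a password you know is right. The base DN, host names and the entries in SAMPLE_LDIF are constructed. Two caveats it handles: ipaNTHash is binary, so ldapsearch prints it base64-encoded on an `attr::` line, and only principals granted the read permission from the roles/ACI step see the attribute at all, so an empty column for every user can mean the searching principal lacks that permission rather than the hashes being absent.

```python
"""Find IPA users that cannot authenticate through ipasam.

Added example: not code from the thread or from FreeIPA. It parses the LDIF
that an ldapsearch such as

    ldapsearch -Y GSSAPI -b cn=users,cn=accounts,dc=test,dc=net \\
        '(objectClass=posixAccount)' uid ipaNTHash ipaNTSecurityIdentifier

prints (base DN, host names and the entries in SAMPLE_LDIF are constructed).
A user with no ipaNTHash has nothing for NTLM to verify against, which is one
way to end up with NT_STATUS_WRONG_PASSWORD in the smbd log; the hash only
appears after the password is set again once ipa-adtrust-install has run.
"""
import base64


def parse_ldif(text):
    """Return a list of {attr: [values]} dicts, one per LDIF record.

    Handles ldapsearch's line folding (a continuation line starts with one
    space) and base64 values ('attr:: ...'), which is how binary attributes
    such as ipaNTHash are printed; those come back as bytes.
    """
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)

    records, current = [], {}
    for line in unfolded:
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        sep = line.find(":")
        if sep <= 0:
            continue
        attr = line[:sep]
        if line[sep + 1:sep + 2] == ":":
            value = base64.b64decode(line[sep + 2:].strip())
        else:
            value = line[sep + 1:].strip()
        current.setdefault(attr, []).append(value)
    if current:
        records.append(current)
    return records


def missing_nt_attributes(ldif_text):
    """Map uid -> attributes an ipasam user still needs; empty dict means all good."""
    problems = {}
    for rec in parse_ldif(ldif_text):
        if "dn" not in rec or "uid" not in rec:  # skips the search/result trailer
            continue
        needed = []
        if "ipaNTSecurityIdentifier" not in rec:
            needed.append("ipaNTSecurityIdentifier")
        if "ipaNTHash" not in rec:
            needed.append("ipaNTHash")
        elif len(rec["ipaNTHash"][0]) != 16:  # an NT hash is 16 bytes of MD4
            needed.append("ipaNTHash (not 16 bytes)")
        if needed:
            problems[rec["uid"][0]] = needed
    return problems


# Constructed sample output: admin is complete, alice has a SID but no hash,
# bob has neither. alice's SID line is folded the way ldapsearch folds long lines.
SAMPLE_LDIF = """\
# extended LDIF
#
# base <cn=users,cn=accounts,dc=test,dc=net> with scope subtree
# filter: (objectClass=posixAccount)
# requesting: uid ipaNTHash ipaNTSecurityIdentifier

# admin, users, accounts, test.net
dn: uid=admin,cn=users,cn=accounts,dc=test,dc=net
uid: admin
ipaNTSecurityIdentifier: S-1-5-21-1111111111-2222222222-3333333333-500
ipaNTHash:: MTIzNDU2Nzg5MGFiY2RlZg==

# alice, users, accounts, test.net
dn: uid=alice,cn=users,cn=accounts,dc=test,dc=net
uid: alice
ipaNTSecurityIdentifier: S-1-5-21-1111111111-2222222222-333333333
 3-1001

# bob, users, accounts, test.net
dn: uid=bob,cn=users,cn=accounts,dc=test,dc=net
uid: bob

# search result
search: 2
result: 0 Success

# numResponses: 4
# numEntries: 3
"""

if __name__ == "__main__":
    for uid, needed in sorted(missing_nt_attributes(SAMPLE_LDIF).items()):
        print(f"{uid}: missing {', '.join(needed)}")
```

Pipe real output in with `ldapsearch ... | python3 check_nthash.py` after swapping SAMPLE_LDIF for `sys.stdin.read()`; run it as the cifs/ principal from the Samba host's keytab, since that is the identity ipasam itself will use and therefore the one whose read permission on ipaNTHash actually matters.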

Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-08-07 Thread Matt .
Hi Alexander,

Yes this is known, but it's not usable yet, at least not on an Ubuntu
Samba server as far as I know ?

If so, maybe you can help us out here to clear this up how to do it.

Thanks!

Matt

2015-08-07 23:09 GMT+02:00 Alexander Bokovoy aboko...@redhat.com:
 On Thu, 06 Aug 2015, Christopher Lamb wrote:

 Hi Matt

 As far as I can make out, there are at least 2 viable Samba / FreeIPA
 integration paths.

 The route I took is suited where there is no Active Directory involved: In
 my case all the Windows, OSX and Linux clients are islands that sit on the
 same network.

 The route that Youenn has taken (unless I have got completely the wrong
 end
 of the stick) requires Active Directory in the architecture.

 Yes, you are at the wrong end of the stick. You don't need AD in the
 architecture here. You can reuse IPA design for AD integration via trust
 for normal Samba integration but use ipasam.so instead of ldapsam.so.
 This is what Youenn did. The only way we don't support it (yet) is
 because we think doing a longer term solution via SSSD and NTLMSSP
 support is better scalability wise -- your SSSD client is already having
 LDAP connection and is already holding identity mappings in the cache so
 there is no need to run separate LDAP connection in smbd/winbindd for
 that and cache the same data in a different way.

 --
 / Alexander Bokovoy

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-08-07 Thread Matt .
Hi Alexander,

Yes I'm on the same path, but for now I would like to get it working
on Ubuntu for the time being.

Are you sure Ubuntu is no MIT ? We have discussed that some time ago
on IRC and it seemed to be that Ubuntu was built against MIT.

Cheers,

Matt

2015-08-07 23:37 GMT+02:00 Alexander Bokovoy aboko...@redhat.com:
 On Fri, 07 Aug 2015, Matt . wrote:

 Hi Alexander,

 Yes this is known, but it's not usable yet, at least not on an Ubuntu
 Samba server as far as I know ?

 If so, maybe you can help us out here to clear this up how to do it.

 Sorry, I cannot help you with Ubuntu setup, you need to figure it out
 yourself. I did write original instructions Youenn referred to, so I
 know they work well and Youenn's configuration just proves that.

 Ubuntu's Samba build is done with Heimdal and you cannot build ipasam.so
 against Heimdal, only MIT Kerberos. So you cannot use Ubuntu-provided
 Samba build this way.

 Anything you would do, you'd be out of supported way -- either when you
 modify IPA LDAP schema or when build Samba in Ubuntu with MIT Kerberos.
 I don't want to spend time on digging up unsupported configuration
 details when the same time could be spent on improving FreeIPA 4.2 and
 bringing SSSD+Samba setup closer to where we want to have it. Maybe it
 sounds harsh but we have to decide what battles we think are more
 important and to me this one is more important even considering my spare
 time.

 Thanks!

 Matt

 2015-08-07 23:09 GMT+02:00 Alexander Bokovoy aboko...@redhat.com:

 On Thu, 06 Aug 2015, Christopher Lamb wrote:


 Hi Matt

 As far as I can make out, there are at least 2 viable Samba / FreeIPA
 integration paths.

 The route I took is suited where there is no Active Directory involved:
 In
 my case all the Windows, OSX and Linux clients are islands that sit on
 the
 same network.

 The route that Youenn has taken (unless I have got completely the wrong
 end
 of the stick) requires Active Directory in the architecture.


 Yes, you are at the wrong end of the stick. You don't need AD in the
 architecture here. You can reuse IPA design for AD integration via trust
 for normal Samba integration but use ipasam.so instead of ldapsam.so.
 This is what Youenn did. The only way we don't support it (yet) is
 because we think doing a longer term solution via SSSD and NTLMSSP
 support is better scalability wise -- your SSSD client is already having
 LDAP connection and is already holding identity mappings in the cache so
 there is no need to run separate LDAP connection in smbd/winbindd for
 that and cache the same data in a different way.

 --
 / Alexander Bokovoy




 --
 / Alexander Bokovoy



Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-08-07 Thread Matt .
Hi Chris,

OK, then we might create two different versions of the wiki, I think
this is nice.

I'm still figuring out why I get that:

IPA Error 4205: ObjectclassViolation

missing attribute sambaGroupType required by object class sambaGroupMapping

Matt

2015-08-06 16:09 GMT+02:00 Christopher Lamb christopher.l...@ch.ibm.com:
 Hi Matt

 As far as I can make out, there are at least 2 viable Samba / FreeIPA
 integration paths.

 The route I took is suited where there is no Active Directory involved: In
 my case all the Windows, OSX and Linux clients are islands that sit on the
 same network.

 The route that Youenn has taken (unless I have got completely the wrong end
 of the stick) requires Active Directory in the architecture.

 Chris



 From:   Matt . yamakasi@gmail.com
 To: Youenn PIOLET piole...@gmail.com
 Cc: Christopher Lamb/Switzerland/IBM@IBMCH,
 freeipa-users@redhat.com freeipa-users@redhat.com
 Date:   06.08.2015 14:42
 Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA



 Hi,

 OK, this sounds already quite logical, but I'm still referring to the
 old howto we found earlier, does that one still apply somewhere or not
 at all ?

 Thanks,

 Matt



 2015-08-06 12:23 GMT+02:00 Youenn PIOLET piole...@gmail.com:
 Hey guys,

 I'll try to make a tutorial soon, sorry I'm quite in a rush these days :)

 General idea:

 On FreeIPA (4.1)
 - `ipa-adtrust-install --add-sids` (creates ipaNTsecurityidentifier
 attribute, also known as SID)
 - regenerate each user password to build ipaNTHash attribute, not here by
 default on users
 - use your ldap browser to check ipaNTHash values are here on user
 objects
 - create a CIFS service for your samba server
 - Create user roles/permissions as described here:

 http://freeipa-users.redhat.narkive.com/ez2uKpFS/authenticate-samba-3-or-4-with-freeipa

 so that CIFS service will be able to read ipaNTsecurityidentifier and
 ipaNTHash attributes in LDAP (ACI)
 - SCP ipasam.so module to your cifs server (this is the magic trick) :
 scp
 /usr/lib64/samba/pdb/ipasam.so
 root@samba-server.domain:/usr/lib64/samba/pdb/ You can also try to
 recompile
 it.

 On SAMBA Server side (CentOS 7...)
 - Install server keytab file for CIFS
 - check ipasam.so is here.
 - check you can read password hash in LDAP with `ldapsearch -Y GSSAPI
 uid=admin ipaNTHash` thanks to kerberos
 - make your smb.conf following the linked thread and restart service

 I don't know if it works in Ubuntu. I know sssd has evolved quickly and
 ipasam may use quite recent functionalities, the best is to just try. You
 can read in previous thread : If you insist on Ubuntu you need to get
 ipasam somewhere, most likely to compile it yourself.

 Make sure your user has ipaNTHash attribute :)

 You may want to debug authentication on samba server, I usually do this:
 `tail -f /var/log/samba/log* | grep username`

 Cheers
 --
 Youenn Piolet
 piole...@gmail.com


 2015-08-05 17:40 GMT+02:00 Matt . yamakasi@gmail.com:

 Hi,

 This sounds great to me too, but a howto would help to make it more
 clear about what you have done here. The thread confuses me a little
 bit.

 Can you paste your commands so we can test out too and report back ?

 Thanks!

 Matt

 2015-08-05 15:18 GMT+02:00 Christopher Lamb
 christopher.l...@ch.ibm.com:
  Hi Youenn
 
  Good news that you have got an integration working
 
  Now you have got it going, and the solution is fresh in your mind, how
  about adding a How-to page on this solution to the FreeIPA wiki?
 
  Chris
 
 
 
  From:   Youenn PIOLET piole...@gmail.com
  To: Matt . yamakasi@gmail.com
  Cc: Christopher Lamb/Switzerland/IBM@IBMCH,
  freeipa-users@redhat.com freeipa-users@redhat.com
  Date:   05.08.2015 14:51
  Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against
 IPA
 
 
 
  Hi guys,
 
  Thank you so much your previous answers.
  I realised my SID were stored in ipaNTsecurityidentifier, thanks to
  ipa-adtrust-install --add-sids
 
  I found another way to configure smb here:
 
 
 http://freeipa-users.redhat.narkive.com/ez2uKpFS/authenticate-samba-3-or-4-with-freeipa

  It works perfectly.
 
  I'm using module ipasam.so I have manually scp to the samba server,
  Samba is set to use kerberos + ldapsam via this ipasam module.
  Following the instructions, I created a user role allowing service
  principal to read ipaNTHash value from the LDAP.
  ipaNTHash are generated each time a user changes his password.
  Authentication works perfectly on Windows 7, 8 and 10.
 
  For more details, the previously linked thread is quite clear.
 
  Cheers
 
  --
  Youenn Piolet
  piole...@gmail.com
 
 
  2015-08-05 11:10 GMT+02:00 Matt . yamakasi@gmail.com:
Hi Chris.
 
Yes, Apache Studio did that but I was not sure why it complained it
was already there.
 
I'm still getting:
 
IPA Error 4205: ObjectclassViolation
 
missing attribute sambaGroupType required by object class

Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-08-06 Thread Matt .
Hi,

OK, this sounds already quite logical, but I'm still referring to the
old howto we found earlier, does that one still apply somewhere or not
at all ?

Thanks,

Matt



2015-08-06 12:23 GMT+02:00 Youenn PIOLET piole...@gmail.com:
 Hey guys,

 I'll try to make a tutorial soon, sorry I'm quite in a rush these days :)

 General idea:

 On FreeIPA (4.1)
 - `ipa-adtrust-install --add-sids` (creates ipaNTsecurityidentifier
 attribute, also known as SID)
 - regenerate each user password to build ipaNTHash attribute, not here by
 default on users
 - use your ldap browser to check ipaNTHash values are here on user objects
 - create a CIFS service for your samba server
 - Create user roles/permissions as described here:
 http://freeipa-users.redhat.narkive.com/ez2uKpFS/authenticate-samba-3-or-4-with-freeipa
 so that CIFS service will be able to read ipaNTsecurityidentifier and
 ipaNTHash attributes in LDAP (ACI)
 - SCP ipasam.so module to your cifs server (this is the magic trick) : scp
 /usr/lib64/samba/pdb/ipasam.so
 root@samba-server.domain:/usr/lib64/samba/pdb/ You can also try to recompile
 it.

 On SAMBA Server side (CentOS 7...)
 - Install server keytab file for CIFS
 - check ipasam.so is here.
 - check you can read password hash in LDAP with `ldapsearch -Y GSSAPI
 uid=admin ipaNTHash` thanks to kerberos
 - make your smb.conf following the linked thread and restart service

 I don't know if it works in Ubuntu. I know sssd has evolved quickly and
 ipasam may use quite recent functionalities, the best is to just try. You
 can read in previous thread : If you insist on Ubuntu you need to get
 ipasam somewhere, most likely to compile it yourself.

 Make sure your user has ipaNTHash attribute :)

 You may want to debug authentication on samba server, I usually do this:
 `tail -f /var/log/samba/log* | grep username`

 Cheers
 --
 Youenn Piolet
 piole...@gmail.com


 2015-08-05 17:40 GMT+02:00 Matt . yamakasi@gmail.com:

 Hi,

 This sounds great to me too, but a howto would help to make it more
 clear about what you have done here. The thread confuses me a little
 bit.

 Can you paste your commands so we can test out too and report back ?

 Thanks!

 Matt

 2015-08-05 15:18 GMT+02:00 Christopher Lamb christopher.l...@ch.ibm.com:
  Hi Youenn
 
  Good news that you have got an integration working
 
  Now you have got it going, and the solution is fresh in your mind, how
  about adding a How-to page on this solution to the FreeIPA wiki?
 
  Chris
 
 
 
  From:   Youenn PIOLET piole...@gmail.com
  To: Matt . yamakasi@gmail.com
  Cc: Christopher Lamb/Switzerland/IBM@IBMCH,
  freeipa-users@redhat.com freeipa-users@redhat.com
  Date:   05.08.2015 14:51
  Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
 
 
 
  Hi guys,
 
  Thank you so much your previous answers.
  I realised my SID were stored in ipaNTsecurityidentifier, thanks to
  ipa-adtrust-install --add-sids
 
  I found another way to configure smb here:
 
  http://freeipa-users.redhat.narkive.com/ez2uKpFS/authenticate-samba-3-or-4-with-freeipa
  It works perfectly.
 
  I'm using module ipasam.so I have manually scp to the samba server,
  Samba is set to use kerberos + ldapsam via this ipasam module.
  Following the instructions, I created a user role allowing service
  principal to read ipaNTHash value from the LDAP.
  ipaNTHash are generated each time a user changes his password.
  Authentication works perfectly on Windows 7, 8 and 10.
 
  For more details, the previously linked thread is quite clear.
 
  Cheers
 
  --
  Youenn Piolet
  piole...@gmail.com
 
 
  2015-08-05 11:10 GMT+02:00 Matt . yamakasi@gmail.com:
Hi Chris.
 
Yes, Apache Studio did that but I was not sure why it complained it
was already there.
 
I'm still getting:
 
IPA Error 4205: ObjectclassViolation
 
missing attribute sambaGroupType required by object class
sambaGroupMapping
 
When adding a user.
 
 I also see class as fieldname under my Last name, this is not OK
  also.
 
 
 
We sure need to make some howto, I think we can nail this down :)
 
Thanks for the heads up!
 
Matthijs
 
2015-08-05 7:51 GMT+02:00 Christopher Lamb
  christopher.l...@ch.ibm.com:
 Hi Matt

 If I use Apache Directory Studio to add an attribute ipaCustomFields
  to
 cn=ipaConfig,cn=etc, the operation it performs is a modify, as shown
below:

 #!RESULT OK
 #!CONNECTION ldap://xxx-ldap2.my.silly.example.com:yyy
 #!DATE 2015-08-05T05:45:04.608
 dn: cn=ipaConfig,cn=etc,dc=my,dc=silly,dc=example,dc=com
 changetype: modify
 add: ipaCustomFields
 ipaCustomFields: Samba Group Type,sambagrouptype,true

 After that I then have a visible attribute ipaCustomFields as
  expected.

 When adding the attribute, the wizard offered me ipaCustomFields
  as
 attribute type in a drop down list.

 Once we get this cracked, we really must write a how

Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-08-05 Thread Matt .
Hi Chris.

Yes, Apache Studio did that but I was not sure why it complained it
was already there.

I'm still getting:

IPA Error 4205: ObjectclassViolation

missing attribute sambaGroupType required by object class sambaGroupMapping

When adding a user.

I also see class as fieldname under my Last name, this is not OK also.



We sure need to make some howto, I think we can nail this down :)

Thanks for the heads up!

Matthijs

2015-08-05 7:51 GMT+02:00 Christopher Lamb christopher.l...@ch.ibm.com:
 Hi Matt

 If I use Apache Directory Studio to add an attribute ipaCustomFields to
 cn=ipaConfig,cn=etc, the operation it performs is a modify, as shown below:

 #!RESULT OK
 #!CONNECTION ldap://xxx-ldap2.my.silly.example.com:yyy
 #!DATE 2015-08-05T05:45:04.608
 dn: cn=ipaConfig,cn=etc,dc=my,dc=silly,dc=example,dc=com
 changetype: modify
 add: ipaCustomFields
 ipaCustomFields: Samba Group Type,sambagrouptype,true

 After that I then have a visible attribute ipaCustomFields as expected.

 When adding the attribute, the wizard offered me ipaCustomFields as
 attribute type in a drop down list.

 Once we get this cracked, we really must write a how-to on the FreeIPA
 Wiki.

 Chris



 From:   Christopher Lamb/Switzerland/IBM@IBMCH
 To: Matt . yamakasi@gmail.com
 Cc: freeipa-users@redhat.com freeipa-users@redhat.com
 Date:   05.08.2015 07:31
 Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
 Sent by:freeipa-users-boun...@redhat.com



 Hi Matt

 I also got the same result at that step, but can see nothing in Apache
 Directory Studio.

 As I am using existing Samba / FreeIPA groups migrated across, they
 probably were migrated with all the required attributes.

 Looking more closely at that LDIF: I wonder should it not be:

 ldapmodify -Y GSSAPI <<EOF
 dn: cn=ipaconfig,cn=etc,dc=domain,dc=tld
 changetype: modify
 add: ipaCustomFields
 ipaCustomFields: Samba Group Type,sambagrouptype,true
 EOF

 i.e. changetype: modify, instead of changetype add ?

 I don't want to play around with my prod directory - I will setup an EL 7.1
 VM and install FreeIPA 4.x and Samba 4.x That will allow me to play around
 more destructively.

 Chris





 From:Matt . yamakasi@gmail.com
 To:  Christopher Lamb/Switzerland/IBM@IBMCH
 Cc:  Youenn PIOLET piole...@gmail.com, 
 freeipa-users@redhat.com
 freeipa-users@redhat.com
 Date:05.08.2015 01:01
 Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against 
 IPA



 Hi Chris,

 I'm at the right path, but my issue is that:

 ldapmodify -Y GSSAPI <<EOF
 dn: cn=ipaconfig,cn=etc,dc=domain,dc=tld
 changetype: add
 add: ipaCustomFields
 ipaCustomFields: Samba Group Type,sambagrouptype,true
 EOF

 Does say it exists, my ldap explorer doesn't show it, and when I add
 it manually as an attribute it still fails when I add a user on this
 sambagrouptype as it's needed by the other attributes

 So that is my issue I think so far.

 Any clue about that ?

 No problem you don't know something or are no guru we are all
 learning! :)

 Cheers,

 Matt


 2015-08-04 21:22 GMT+02:00 Christopher Lamb christopher.l...@ch.ibm.com:
 Hi Matt, Youenn

 Just to set the background properly, I did not invent this process. I
 know
 only a little about FreeIPA, and almost nothing about Samba, but I guess
 I
 was lucky enough to get the integration working on a Sunday afternoon. (I
 did have an older FreeIPA 3.x / Samba 3.x installation as a reference).

 It sounds like we need to step back, and look at the test user and group
 in
 the FreeIPA LDAP tree. I find using an LDAP browser makes this much
 easier.

 My FreeIPA / Samba Users have the following Samba extensions in FreeIPA
 (cn=accounts, cn=users):

 * objectClass: sambasamaccount

 * Attributes: sambaSID, sambaNTPassword, sambaPwdLastSet

 My FreeIPA / Samba Groups have the following Samba extensions in FreeIPA
 (cn=accounts, cn=groups):

 * objectClass: sambaGroupMapping

 * Attributes: sambaGroupType, sambaSID

 The Users must belong to one or more of the samba groups that you have
 setup.

 If you don't have something similar to the above (which sounds like it is
 the case), then something went wrong applying the extensions. It would be
 worth testing comparing a new user / group created post adding the
 extensions to a previous existing user.

 i.e.
 are the extensions missing on existing users / groups?
 are the extensions missing on new users / groups?

 Cheers

 Chris





 From:   Youenn PIOLET piole...@gmail.com
 To: Matt . yamakasi@gmail.com
 Cc: Christopher Lamb/Switzerland/IBM@IBMCH,
 freeipa-users@redhat.com freeipa-users@redhat.com
 Date:   04.08.2015 18:56
 Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA



 Hi there,

 I have difficulties to follow you at this point :)
 Here is what I've done and what I've understood:

 ## SMB Side
 - Testparm OK
 - I've got the same
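
A preflight check for the two directory errors this thread keeps hitting, added here as an example and not code from the thread, FreeIPA or Samba: it parses a small constructed LDIF the way ldapmodify reads it, flags a `changetype: add` aimed at an entry that already exists (the case where `changetype: modify` with `add: ipaCustomFields` is the right form), and reports any new entry whose sambaGroupMapping or sambaSamAccount object class lacks a required attribute, before the server answers with ObjectclassViolation. The required-attribute lists are the MUST sets of the Samba LDAP schema; the set of already-existing DNs and the SID value are assumptions standing in for a live directory.

```python
import base64
from dataclasses import dataclass, field

# MUST attributes of the Samba auxiliary object classes (samba.schema); the
# thread's ObjectclassViolation names sambaGroupType as the one missing.
REQUIRED = {
    "sambagroupmapping": {"gidnumber", "sambasid", "sambagrouptype"},
    "sambasamaccount": {"uid", "sambasid"},
}

# Assumption standing in for a live directory: DNs that already exist, so a
# "changetype: add" for them would be refused as "already exists".
EXISTING_DNS = {"cn=ipaconfig,cn=etc,dc=domain,dc=tld"}

# Constructed sample: Matt's record, Chris's corrected form (with one folded
# line), and a group entry carrying sambaGroupMapping but no sambaGroupType.
# The sambaSID value is a placeholder, not a real SID.
SAMPLE_LDIF = """\
dn: cn=ipaconfig,cn=etc,dc=domain,dc=tld
changetype: add
add: ipaCustomFields
ipaCustomFields: Samba Group Type,sambagrouptype,true

dn: cn=ipaconfig,cn=etc,dc=domain,dc=tld
changetype: modify
add: ipaCustomFields
ipaCustomFields: Samba Group Type,
 sambagrouptype,true
-

dn: cn=smb-junit,cn=groups,cn=accounts,dc=domain,dc=tld
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: smb-junit
gidNumber: 10001
sambaSID: S-1-5-21-0-0-0-1001
"""


@dataclass
class Record:
    dn: str
    changetype: str                            # "add" (LDIF default) or "modify"
    attrs: dict = field(default_factory=dict)  # lower-cased name -> list of values


def parse_ldif(text):
    """Split LDIF into records: blank lines separate them, a leading space folds
    a line onto the previous one, '#' is a comment and '-' ends a modify sub-op."""
    records, lines = [], []
    for raw in text.splitlines() + [""]:       # trailing "" flushes the last record
        if raw.startswith(("#", "-")):
            continue
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip():
            lines.append(raw)
        elif lines:
            records.append(_record(lines))
            lines = []
    return records


def _record(lines):
    dn, changetype, attrs = None, "add", {}
    for line in lines:
        name, _, value = line.partition(":")
        name = name.strip().lower()
        if value.startswith(":"):              # "name:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode()
        else:
            value = value.strip()
        if name == "dn":
            dn = value
        elif name == "changetype":
            changetype = value.lower()
        else:
            attrs.setdefault(name, []).append(value)
    return Record(dn, changetype, attrs)


def check(records, existing_dns):
    """Return the problems the directory would raise; an empty list means the
    LDIF should apply cleanly."""
    problems = []
    for r in records:
        if r.changetype != "add":
            continue                           # modify records are not new entries
        if r.dn.lower() in existing_dns:
            problems.append(f"{r.dn}: entry already exists; use 'changetype: modify' "
                            "with 'add: <attribute>' to extend it")
            continue
        classes = {c.lower() for c in r.attrs.get("objectclass", [])}
        for oc in sorted(classes & set(REQUIRED)):
            for missing in sorted(REQUIRED[oc] - set(r.attrs)):
                problems.append(f"{r.dn}: missing attribute {missing} "
                                f"required by object class {oc}")
    return problems


if __name__ == "__main__":
    for problem in check(parse_ldif(SAMPLE_LDIF), EXISTING_DNS):
        print(problem)
```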

Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-08-05 Thread Matt .
Hi,

This sounds great to me too, but a howto would help to make it more
clear about what you have done here. The thread confuses me a little
bit.

Can you paste your commands so we can test out too and report back ?

Thanks!

Matt

2015-08-05 15:18 GMT+02:00 Christopher Lamb christopher.l...@ch.ibm.com:
 Hi Youenn

 Good news that you have got an integration working

 Now you have got it going, and the solution is fresh in your mind, how
 about adding a How-to page on this solution to the FreeIPA wiki?

 Chris



 From:   Youenn PIOLET piole...@gmail.com
 To: Matt . yamakasi@gmail.com
 Cc: Christopher Lamb/Switzerland/IBM@IBMCH,
 freeipa-users@redhat.com freeipa-users@redhat.com
 Date:   05.08.2015 14:51
 Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA



 Hi guys,

 Thank you so much your previous answers.
 I realised my SID were stored in ipaNTsecurityidentifier, thanks to
 ipa-adtrust-install --add-sids

 I found another way to configure smb here:
 http://freeipa-users.redhat.narkive.com/ez2uKpFS/authenticate-samba-3-or-4-with-freeipa
 It works perfectly.

 I'm using module ipasam.so I have manually scp to the samba server,
 Samba is set to use kerberos + ldapsam via this ipasam module.
 Following the instructions, I created a user role allowing service
 principal to read ipaNTHash value from the LDAP.
 ipaNTHash are generated each time a user changes his password.
 Authentication works perfectly on Windows 7, 8 and 10.

 For more details, the previously linked thread is quite clear.

 Cheers

 --
 Youenn Piolet
 piole...@gmail.com


 2015-08-05 11:10 GMT+02:00 Matt . yamakasi@gmail.com:
   Hi Chris.

   Yes, Apache Studio did that but I was not sure why it complained it
   was already there.

   I'm still getting:

   IPA Error 4205: ObjectclassViolation

   missing attribute sambaGroupType required by object class
   sambaGroupMapping

   When adding a user.

   I also see class as fieldname under my Last name, this is not OK also.



   We sure need to make some howto, I think we can nail this down :)

   Thanks for the heads up!

   Matthijs

   2015-08-05 7:51 GMT+02:00 Christopher Lamb christopher.l...@ch.ibm.com:
Hi Matt
   
If I use Apache Directory Studio to add an attribute ipaCustomFields to
cn=ipaConfig,cn=etc, the operation it performs is a modify, as shown
   below:
   
#!RESULT OK
#!CONNECTION ldap://xxx-ldap2.my.silly.example.com:yyy
#!DATE 2015-08-05T05:45:04.608
dn: cn=ipaConfig,cn=etc,dc=my,dc=silly,dc=example,dc=com
changetype: modify
add: ipaCustomFields
ipaCustomFields: Samba Group Type,sambagrouptype,true
   
After that I then have a visible attribute ipaCustomFields as expected.
   
When adding the attribute, the wizard offered me ipaCustomFields as
attribute type in a drop down list.
   
Once we get this cracked, we really must write a how-to on the FreeIPA
Wiki.
   
Chris
   
   
   
From:   Christopher Lamb/Switzerland/IBM@IBMCH
To: Matt . yamakasi@gmail.com
Cc: freeipa-users@redhat.com freeipa-users@redhat.com
Date:   05.08.2015 07:31
Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against
   IPA
Sent by:freeipa-users-boun...@redhat.com
   
   
   
Hi Matt
   
I also got the same result at that step, but can see nothing in Apache
Directory Studio.
   
As I am using existing Samba / FreeIPA groups migrated across, they
probably were migrated with all the required attributes.
   
Looking more closely at that LDIF: I wonder should it not be:
   
ldapmodify -Y GSSAPI <<EOF
dn: cn=ipaconfig,cn=etc,dc=domain,dc=tld
changetype: modify
add: ipaCustomFields
ipaCustomFields: Samba Group Type,sambagrouptype,true
EOF
   
i.e. changetype: modify, instead of changetype add ?
   
I don't want to play around with my prod directory - I will setup an EL
   7.1
VM and install FreeIPA 4.x and Samba 4.x That will allow me to play
   around
more destructively.
   
Chris
   
   
   
   
   
From:Matt . yamakasi@gmail.com
To:  Christopher Lamb/Switzerland/IBM@IBMCH
Cc:  Youenn PIOLET piole...@gmail.com, 
   freeipa-users@redhat.com
freeipa-users@redhat.com
Date:05.08.2015 01:01
Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth
   against IPA
   
   
   
Hi Chris,
   
I'm at the right path, but my issue is that:
   
ldapmodify -Y GSSAPI <<EOF
dn: cn=ipaconfig,cn=etc,dc=domain,dc=tld
changetype: add
add: ipaCustomFields
ipaCustomFields: Samba Group Type,sambagrouptype,true
EOF
   
Does say it exists, my ldap explorer doesn't show it, and when I add
it manually as an attribute it still fails when I add a user on this
sambagrouptype as it's needed by the other attributes
   
So that is my issue I think so far

Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-08-04 Thread Matt .
Hi Chris,

A puppet run added another passdb backend, that was causing my issue.

What I still experience is:


[2015/08/04 15:29:45.477783,  3]
../source3/auth/check_samsec.c:399(check_sam_security)
  check_sam_security: Couldn't find user 'username' in passdb.
[2015/08/04 15:29:45.478026,  2]
../source3/auth/auth.c:288(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [username] ->
[username] FAILED with error NT_STATUS_NO_SUCH_USER


I also wonder if I shall still sync the users local, or is it needed ?

Thanks again,

Matt

2015-08-04 14:16 GMT+02:00 Christopher Lamb christopher.l...@ch.ibm.com:
 Hi Matt

 From our smb.conf file:

 [global]
security = user
passdb backend = ldapsam:ldap://xxx-ldap2.my.silly.example.com
ldap suffix = dc=my,dc=silly,dc=example,dc=com
ldap admin dn = cn=Directory Manager

 So yes, we use Directory Manager, it works for us. I have not tried with a
 less powerful user, but it is conceivable that a lesser user may not see
 all the required attributes, resulting in no such user errors.

 Chris




 From:   Matt . yamakasi@gmail.com
 To: Christopher Lamb/Switzerland/IBM@IBMCH
 Cc: freeipa-users@redhat.com freeipa-users@redhat.com
 Date:   04.08.2015 13:32
 Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA



 Hi Chris,

 Thanks for the heads up, indeed local is 4 I see now when I add a
 group from the GUI, great thanks!

 But do you use Directory Manager as ldap admin user or some other
 admin account ?

 I'm not sure if DM is needed and it should get that deep into IPA.
 Also when starting samba it cannot find such user as that sounds
 quite known as it has no UID.

 From your config I see you use DM, this should work ?

 Thanks!


 Matt

 2015-08-04 13:15 GMT+02:00 Matt . yamakasi@gmail.com:
 Hi Chris,

 Thanks for the heads up, indeed local is 4 I see now when I add a
 group from the GUI, great thanks!

 But do you use Directory Manager as ldap admin user or some other
 admin account ?

 I'm not sure if DM is needed and it should get that deep into IPA.
 Also when starting samba it cannot find such user as that sounds
 quite known as it has no UID.

 From your config I see you use DM, this should work ?

 Thanks!

 Matt

 2015-08-03 17:17 GMT+02:00 Christopher Lamb
 christopher.l...@ch.ibm.com:
 Hi Matt

 It sounds like you now have prepared FreeIPA for Samba

 I assume you have already configured Samba to authenticate via FreeIPA
 (changes to the [global] section of your smb.conf file, secrets.tdb etc.)

 Next you need to add your samba groups to FreeIPA. (i.e FreeIPA groups,
 with SambaGroupType = 4)

 For example:

 In FreeIPA under cn=accounts, cn=users we have a group called
 smb-junit.

 This group has (among others) the attribute SambaGroupType = 4

 We can then use the name of the group in the smb.conf file

 [junit]
 comment = JUnit Share
 path = /samba/junit
 browseable = no
 valid users = @smb-junit
 write list = @smb-junit
 force group = smb-junit
 create mask = 0770


 Ciao

 Chris



 From:   Matt . yamakasi@gmail.com
 To: Christopher Lamb/Switzerland/IBM@IBMCH
 Cc: freeipa-users@redhat.com freeipa-users@redhat.com, Petr
 Vobornik pvobo...@redhat.com
 Date:   03.08.2015 16:03
 Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA



 Hi,

 OK, I have a Samba Group Type now in my groups details list and also
 in the groups settings tab.

 I'm not 100% how this is managed. I have Grouptype 4, in the groups
 overview it's still empty. But how to manage this between samba and
 ipa ? What should be the reference between the group(names) ?

 Thanks again!

 Matt

 2015-08-03 13:20 GMT+02:00 Christopher Lamb
 christopher.l...@ch.ibm.com:
 HI Matt

 It looks like I skipped that step ... (And as we already had samba
 groups
 in place, did not need to make new ones via the WebUI).

 However a quick google trawled up this old thread that has a possible
 answer from Peter. (I have not tested it yet myself).

 https://www.redhat.com/archives/freeipa-users/2014-May/msg00137.html

 Chris



 From:   Matt . yamakasi@gmail.com
 To:
 Cc: freeipa-users@redhat.com freeipa-users@redhat.com
 Date:   03.08.2015 12:45
 Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against
 IPA
 Sent by:freeipa-users-boun...@redhat.com



 In my previous reply, I meant no group.js at all.


 2015-08-03 12:17 GMT+02:00 Matt . yamakasi@gmail.com:
 Hi Chris,

 Thanks for that verification!

 It seems that:

 /usr/share/ipa/ui/group.js

 Is not there on IPA.4.1, also there is no .js at all on the whole
 system.

 Any idea there ?

 Thanks again!

 Matt

 2015-08-03 9:53 GMT+02:00 Christopher Lamb
 christopher.l...@ch.ibm.com:
 Hi Matt

 Thankfully I saved the output from those ldapmodify commands (against
 FreeIPA 4.1) and was able to find it again!

 In our case sambagrouptype also seems to have
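
To see what the Samba side is actually refusing, here is a small parser for Samba's debug log format, added as an example rather than code from the thread or from Samba. It groups each `[timestamp, level] file:line(function)` header with the indented message lines that follow it, pulls out the user name and the NT_STATUS code, and counts failed authentications per user; the sample log is constructed (the first two entries are the thread's own extract with the mail wrapping undone, the third is an invented successful login for contrast) and the hint text is the diagnosis the thread itself arrived at.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# One Samba debug entry: a header line "[date time, level] source:line(function)"
# followed by one or more indented message lines.
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(?P<level>\d+)\]"
    r"\s*(?P<src>\S+?):(?P<line>\d+)\((?P<func>\w+)\)\s*$"
)
NT_STATUS = re.compile(r"\bNT_STATUS_[A-Z_]+\b")
USER = re.compile(r"for user \[([^\]]+)\]")

# Constructed sample in Samba's unwrapped format: entries 1-2 are the thread's
# extract, entry 3 is an invented successful login (line number invented too).
SAMPLE_LOG = """\
[2015/08/04 15:29:45.477783,  3] ../source3/auth/check_samsec.c:399(check_sam_security)
  check_sam_security: Couldn't find user 'username' in passdb.
[2015/08/04 15:29:45.478026,  2] ../source3/auth/auth.c:288(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [username] -> [username] FAILED with error NT_STATUS_NO_SUCH_USER
[2015/08/04 15:30:02.000000,  2] ../source3/auth/auth.c:283(auth_check_ntlm_password)
  check_ntlm_password:  authentication for user [alice] -> [alice] -> [alice] succeeded
"""

# What the thread established for the one status code it hit: the passdb
# backend does not see the user at all.
HINTS = {
    "NT_STATUS_NO_SUCH_USER": "passdb backend cannot see the user: ldapsam filters on "
                              "objectClass sambaSamAccount, ipasam needs ipaNTHash on the entry",
}


@dataclass
class Entry:
    ts: str
    level: int
    func: str
    message: str
    status: Optional[str] = None   # NT_STATUS code carried by the message, if any
    user: Optional[str] = None     # "for user [name]" target, if any


def parse_samba_log(text: str) -> List[Entry]:
    """Group header lines with their indented continuation lines into entries."""
    entries, header, body = [], None, []
    for line in text.splitlines() + [None]:    # None flushes the last entry
        m = HEADER.match(line) if line is not None else None
        if m or line is None:
            if header is not None:
                entries.append(_entry(header, body))
            header, body = (m.groupdict() if m else None), []
        elif header is not None and line.strip():
            body.append(line.strip())
    return entries


def _entry(h: dict, body: List[str]) -> Entry:
    msg = " ".join(body)
    st, us = NT_STATUS.search(msg), USER.search(msg)
    return Entry(h["ts"], int(h["level"]), h["func"], msg,
                 st.group(0) if st else None, us.group(1) if us else None)


def failed_auths(entries: List[Entry]) -> Counter:
    """Count FAILED authentication messages per (user, NT_STATUS code)."""
    return Counter((e.user, e.status) for e in entries
                   if e.status and "FAILED" in e.message)


def diagnose(entries: List[Entry]) -> List[str]:
    """One line per failing user/status pair, with the thread's hint where known."""
    counts = failed_auths(entries)
    return [f"{user}: {n}x {status} ({HINTS.get(status, 'no hint recorded')})"
            for (user, status), n in sorted(counts.items(),
                                            key=lambda kv: (str(kv[0][0]), kv[0][1]))]


if __name__ == "__main__":
    for line in diagnose(parse_samba_log(SAMPLE_LOG)):
        print(line)
```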

Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-08-04 Thread Matt .
Hi Chris,

I'm at the right path, but my issue is that:

ldapmodify -Y GSSAPI <<EOF
dn: cn=ipaconfig,cn=etc,dc=domain,dc=tld
changetype: add
add: ipaCustomFields
ipaCustomFields: Samba Group Type,sambagrouptype,true
EOF

Does say it exists, my ldap explorer doesn't show it, and when I add
it manually as an attribute it still fails when I add a user on this
sambagrouptype as it's needed by the other attributes

So that is my issue I think so far.

Any clue about that ?

No problem you don't know something or are no guru we are all learning! :)

Cheers,

Matt


2015-08-04 21:22 GMT+02:00 Christopher Lamb christopher.l...@ch.ibm.com:
 Hi Matt, Youenn

 Just to set the background properly, I did not invent this process. I know
 only a little about FreeIPA, and almost nothing about Samba, but I guess I
 was lucky enough to get the integration working on a Sunday afternoon. (I
 did have an older FreeIPA 3.x / Samba 3.x installation as a reference).

 It sounds like we need to step back, and look at the test user and group in
 the FreeIPA LDAP tree. I find using an LDAP browser makes this much easier.

 My FreeIPA / Samba Users have the following Samba extensions in FreeIPA
 (cn=accounts, cn=users):

 * objectClass: sambasamaccount

 * Attributes: sambaSID, sambaNTPassword, sambaPwdLastSet

 My FreeIPA / Samba Groups have the following Samba extensions in FreeIPA
 (cn=accounts, cn=groups):

 * objectClass: sambaGroupMapping

 * Attributes: sambaGroupType, sambaSID

 The Users must belong to one or more of the samba groups that you have
 setup.

 If you don't have something similar to the above (which sounds like it is
 the case), then something went wrong applying the extensions. It would be
 worth testing comparing a new user / group created post adding the
 extensions to a previous existing user.

 i.e.
 are the extensions missing on existing users / groups?
 are the extensions missing on new users / groups?

 Cheers

 Chris





 From:   Youenn PIOLET piole...@gmail.com
 To: Matt . yamakasi@gmail.com
 Cc: Christopher Lamb/Switzerland/IBM@IBMCH,
 freeipa-users@redhat.com freeipa-users@redhat.com
 Date:   04.08.2015 18:56
 Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA



 Hi there,

 I have difficulties to follow you at this point :)
 Here is what I've done and what I've understood:

 ## SMB Side
 - Testparm OK
 - I've got the same NT_STATUS_NO_SUCH_USER when I try to connect.
 - pdbedit -Lv output is all successful but I can see there is a filter :
 (&(uid=*)(objectclass=sambaSamAccount)). In LDAP, the users don't have
 sambaSamAccount.

 ## LDAP / FreeIPA side
 - Since SMB server uses LDAP, I did ipa-adtrust-install on my FreeIPA
 server to get samba LDAP extensions.
 - I can see samba classes exist in LDAP but are not used on my group
 objects nor my user objects
 - I have added sambaSamAccount in FreeIPA default user classes,
 and sambaGroupMapping to default group classes. In that state I can't
 create user nor groups anymore, as new samba attributes are needed for
 instantiation.
 - I have add in etc ipaCustomFields: 'Samba Group Type,sambagrouptype,true'
 but I don't get what it does.
 - I tried to add the samba.js plugin. It works, and adds the local option
 when creating a group in FreeIPA, supposed to set sambagrouptype to 4 or 2
 (domain). It doesn't work and tells that sambagrouptype attribute doesn't
 exist (but it should now I put sambaGroupType class by default...)

 ## Questions
 0) Can I ask samba not to search sambaSamAccount and use unix / posix
 instead? I guess no.
 1) How to generate the user/group SIDs? They are requested to add
 sambaSamAccount classes.
 This article doesn't seem relevant since we don't use a domain controller
 http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/cifs.html
 and net getlocalsid returns an error.
 2) How to fix samba.js plugin?
 3) I guess an equivalent of samba.js is needed for user creation, where can
 I find it?
 4) Is your setup working with Windows 8 / Windows 10 and not only Windows
 7?

 Thanks a lot for your previous and future answers

 --
 Youenn Piolet
 piole...@gmail.com


 2015-08-04 17:55 GMT+02:00 Matt . yamakasi@gmail.com:
   Hi,

   Yes, log is anonymised.

   It's strange, my user doesn't have a SambaPwdLastSet; also when I
   change its password it doesn't get it in ldap.

   There must be something going wrong I guess.

   Matt

   2015-08-04 17:45 GMT+02:00 Christopher Lamb christopher.l...@ch.ibm.com
   :
Hi Matt
   
I assume [username] is a real username, identical to that in the
   FreeIPA
cn=accounts, cn=users tree? (i.e. you anonymised the log extract).
   
 Your user should be a member of the appropriate samba groups that you
 set up in FreeIPA.
   
You should check that the user attribute SambaPwdLastSet is set to a
positive value (e.g. 1). If not you get an error in the Samba logs - I
would need to play around again with a test user

Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-08-04 Thread Matt .
Hi,

Yes, log is anonymised.

It's strange, my user doesn't have a SambaPwdLastSet; also when I
change its password it doesn't get it in ldap.

There must be something going wrong I guess.

Matt

2015-08-04 17:45 GMT+02:00 Christopher Lamb christopher.l...@ch.ibm.com:
 Hi Matt

 I assume [username] is a real username, identical to that in the FreeIPA
 cn=accounts, cn=users tree? (i.e. you anonymised the log extract).

 Your user should be a member of the appropriate samba groups that you set up
 in FreeIPA.

 You should check that the user attribute SambaPwdLastSet is set to a
 positive value (e.g. 1). If not you get an error in the Samba logs - I
 would need to play around again with a test user to find out the exact
 error.

 I don't understand what you mean about syncing the users local, but we did
 not need to do anything like that.

 Chris




 From:   Matt . yamakasi@gmail.com
 To: Christopher Lamb/Switzerland/IBM@IBMCH
 Cc: freeipa-users@redhat.com freeipa-users@redhat.com
 Date:   04.08.2015 15:33
 Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA



 Hi Chris,

 A puppet run added another passdb backend, that was causing my issue.

 What I still experience is:


 [2015/08/04 15:29:45.477783,  3]
 ../source3/auth/check_samsec.c:399(check_sam_security)
   check_sam_security: Couldn't find user 'username' in passdb.
 [2015/08/04 15:29:45.478026,  2]
 ../source3/auth/auth.c:288(auth_check_ntlm_password)
   check_ntlm_password:  Authentication for user [username] -
 [username] FAILED with error NT_STATUS_NO_SUCH_USER


 I also wonder if I shall still sync the users locally, or is it needed?

 Thanks again,

 Matt

 2015-08-04 14:16 GMT+02:00 Christopher Lamb christopher.l...@ch.ibm.com:
 Hi Matt

 From our smb.conf file:

 [global]
security = user
passdb backend = ldapsam:ldap://xxx-ldap2.my.silly.example.com
ldap suffix = dc=my,dc=silly,dc=example,dc=com
ldap admin dn = cn=Directory Manager

 So yes, we use Directory Manager, it works for us. I have not tried with a
 less powerful user, but it is conceivable that a lesser user may not see
 all the required attributes, resulting in no such user errors.

 Chris




 From:   Matt . yamakasi@gmail.com
 To: Christopher Lamb/Switzerland/IBM@IBMCH
 Cc: freeipa-users@redhat.com freeipa-users@redhat.com
 Date:   04.08.2015 13:32
 Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA



 Hi Chris,

 Thanks for the heads up, indeed local is 4 I see now when I add a
 group from the GUI, great thanks!

 But do you use Directory Manager as ldap admin user or some other
 admin account ?

 I'm not sure if DM is needed and it should get that deep into IPA.
 Also when starting samba it cannot find such a user, which sounds
 quite known as it has no UID.

 From your config I see you use DM, this should work ?

 Thanks!


 Matt

 2015-08-04 13:15 GMT+02:00 Matt . yamakasi@gmail.com:
 Hi Chris,

 Thanks for the heads up, indeed local is 4 I see now when I add a
 group from the GUI, great thanks!

 But do you use Directory Manager as ldap admin user or some other
 admin account ?

 I'm not sure id DM is needed and it should get that deep into IPA.
 Also when starting samba it cannot find such user as that sounds
 quite known as it has no UID.

 From your config I see you use DM, this should work ?

 Thanks!

 Matt

 2015-08-03 17:17 GMT+02:00 Christopher Lamb
 christopher.l...@ch.ibm.com:
 Hi Matt

 It sounds like you now have prepared FreeIPA for Samba.

 I assume you have already configured Samba to authenticate via FreeIPA
 (changes to the [global] section of your smb.conf file, secrets.tdb
 etc.)

 Next you need to add your samba groups to FreeIPA. (i.e FreeIPA groups,
 with SambaGroupType = 4)

 For example:

 In FreeIPA under cn=accounts, cn=users we have a group called
 smb-junit.

 This group has (among others) the attribute SambaGroupType = 4

 We can then use the name of the group in the smb.conf file

 [junit]
 comment = JUnit Share
 path = /samba/junit
 browseable = no
 valid users = @smb-junit
 write list = @smb-junit
 force group = smb-junit
 create mask = 0770


 Ciao

 Chris



 From:   Matt . yamakasi@gmail.com
 To: Christopher Lamb/Switzerland/IBM@IBMCH
 Cc: freeipa-users@redhat.com freeipa-users@redhat.com, Petr
 Vobornik pvobo...@redhat.com
 Date:   03.08.2015 16:03
 Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against
 IPA



 Hi,

 OK, I have a Samba Group Type now in my groups details list and also
 in the groups settings tab.

 I'm not 100% sure how this is managed. I have Grouptype 4, in the groups
 overview it's still empty. But how to manage this between samba and
 ipa ? What should be the reference between the group(names) ?

 Thanks again!

 Matt

 2015-08-03 13:20 GMT+02:00 Christopher Lamb
 christopher.l...@ch.ibm.com:
 HI Matt

 It looks like I skipped that step
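Chris's checklist of Samba extensions earlier in this thread (objectClass and attributes on users and groups), together with his later notes in the quoted replies above that SambaPwdLastSet must be a positive value, that Samba groups carry SambaGroupType = 4 (Youenn also mentions 2 for domain groups) and that users must belong to one of those groups, as an added audit script that is not part of the thread. It parses an LDIF export with the standard library only; the sample export, its DNs, SIDs and the NT hash are constructed.

```python
USER_CLASS = "sambasamaccount"
USER_ATTRS = ("sambasid", "sambantpassword", "sambapwdlastset")
GROUP_CLASS = "sambagroupmapping"
GROUP_ATTRS = ("sambagrouptype", "sambasid")
GROUP_TYPES = ("4", "2")   # 4 = local, 2 = domain: the values named in the thread


def parse_ldif(text):
    """Parse LDIF text into a list of (dn, {attr_lowercase: [values]})."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:   # folded continuation line
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, dn, attrs = [], None, {}
    for line in unfolded + [""]:                # the trailing "" flushes the last entry
        if not line.strip():
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):               # base64 value (attr::), not needed here
            continue
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return entries


def audit_entries(entries):
    """Return {dn: [problems]} for users and groups lacking the Samba extensions."""
    # Members of every group that already carries the Samba mapping
    samba_members = set()
    for dn, attrs in entries:
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if "posixgroup" in classes and GROUP_CLASS in classes:
            samba_members.update(m.lower() for m in attrs.get("member", []))

    findings = {}
    for dn, attrs in entries:
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        problems = []
        if "posixaccount" in classes:                       # a FreeIPA user
            if USER_CLASS not in classes:
                problems.append("missing objectClass sambaSamAccount")
            problems += [f"missing attribute {a}" for a in USER_ATTRS if a not in attrs]
            last_set = attrs.get("sambapwdlastset", ["0"])[0]
            if not (last_set.isdigit() and int(last_set) > 0):
                problems.append("sambaPwdLastSet is not a positive value")
            if dn.lower() not in samba_members:
                problems.append("not a member of any Samba-mapped group")
        elif "posixgroup" in classes:                       # a FreeIPA group
            if GROUP_CLASS not in classes:
                problems.append("missing objectClass sambaGroupMapping")
            problems += [f"missing attribute {a}" for a in GROUP_ATTRS if a not in attrs]
            gtype = attrs.get("sambagrouptype", [None])[0]
            if gtype is not None and gtype not in GROUP_TYPES:
                problems.append(f"unexpected sambaGroupType {gtype}")
        if problems:
            findings[dn] = problems
    return findings


# Constructed sample export (not a real directory): alice and smb-junit carry
# the extensions, bob and plain do not. The NT hash is a dummy value.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
objectClass: posixaccount
objectClass: sambaSamAccount
sambaSID: S-1-5-21-1-2-3-1001
sambaNTPassword: 00000000000000000000000000000000
sambaPwdLastSet: 1438700000

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
objectClass: posixaccount

dn: cn=smb-junit,cn=groups,cn=accounts,dc=example,dc=test
objectClass: posixgroup
objectClass: sambaGroupMapping
sambaGroupType: 4
sambaSID: S-1-5-21-1-2-3-2001
member: uid=alice,cn=users,cn=accounts,dc=example,dc=test

dn: cn=plain,cn=groups,cn=accounts,dc=example,dc=test
objectClass: posixgroup
member: uid=bob,cn=users,cn=accounts,dc=example,dc=test
"""
```

Against a live server, feed it the LDIF that ldapsearch prints for the cn=users and cn=groups subtrees instead of the sample.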

Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-08-03 Thread Matt .
In my previous reply, I meant no group.js at all.


2015-08-03 12:17 GMT+02:00 Matt . yamakasi@gmail.com:
 Hi Chris,

 Thanks for that verification!

 It seems that:

 /usr/share/ipa/ui/group.js

 Is not there on IPA 4.1, also there is no .js at all on the whole system.

 Any idea there ?

 Thanks again!

 Matt

 2015-08-03 9:53 GMT+02:00 Christopher Lamb christopher.l...@ch.ibm.com:
 Hi Matt

 Thankfully I saved the output from those ldapmodify commands (against
 FreeIPA 4.1) and was able to find it again!

 In our case sambagrouptype also seems to have already been present, so that
 should not hurt.

 [root@xxx-ldap2 samba]# ldapmodify -Y GSSAPI <<EOF
 dn: cn=ipaconfig,cn=etc,dc=my,dc=silly,dc=example,dc=com
 changetype: add
 add: ipaCustomFields
 ipaCustomFields: Samba Group Type,sambagrouptype,true
 EOF
 SASL/GSSAPI authentication started
 SASL username: l...@my.silly.example.com
 SASL SSF: 56
 SASL data security layer installed.
 adding new entry cn=ipaconfig,cn=etc,dc=my,dc=silly,dc=example,dc=com
 ldap_add: Already exists (68)

 Chris




 From:   Matt . yamakasi@gmail.com
 To:
 Cc: freeipa-users@redhat.com freeipa-users@redhat.com
 Date:   02.08.2015 13:33
 Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
 Sent by:freeipa-users-boun...@redhat.com



 Chris,

 Are you doing this on 3.x or also 4.x ?

 As the following already exists:

 ldapmodify -Y GSSAPI <<EOF
 dn: cn=ipaconfig,cn=etc,dc=domain,dc=tld
 changetype: add
 add: ipaCustomFields
 ipaCustomFields: Samba Group Type,sambagrouptype,true
 EOF


 And I'm unsure about the python files as they are slightly different on 4.1


 Thanks!


 2015-08-01 19:51 GMT+02:00 Matt . yamakasi@gmail.com:
 Hi,

 Yes I found that earlier, that looks good and even better when you
 confirm this as really usable.

 For Samba 4 the IPA devs are very busy but I wonder indeed what
 happens when we need to move because integration has been improved.

 I try to keep IPA as native as I can.

 So this is the best way to go for now, even though this thread is so
 old?

 Thanks!

 Matt


 2015-08-01 9:48 GMT+02:00 Christopher Lamb christopher.l...@ch.ibm.com:
 Hi Matt

 For a how-to of Samba / FreeIPA integration using schema extensions, see
 this previous thread:

 https://www.redhat.com/archives/freeipa-users/2015-May/msg00124.html

 That should point to this techslaves article with the detailed instructions
 that we followed:

 http://techslaves.org/2011/08/24/freeipa-and-samba-3-integration/

 The main reason we went that way is that we have no AD domain, which seems
 to be required by other integration paths.

 Note we are running FreeIPA and Samba on OEL servers (first 6.x, now 7.x).
 So things may be different on Ubuntu.

 As always, when changing the LDAP schema, an LDAP browser like Apache
 Directory Studio is very useful to visualise what is going on and to verify
 if your changes are present! (and it is sometimes easier to manually change
 attributes rather than by LDAPMODIFY script)

 There is another ongoing thread in this mailing list about problems with
 the attribute SambaPwdLastSet.

 Chris



 From:   Matt . yamakasi@gmail.com
 To:
 Cc: freeipa-users@redhat.com freeipa-users@redhat.com
 Date:   31.07.2015 16:58
 Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
 Sent by:freeipa-users-boun...@redhat.com



 Hi,

 This is nice to have confirmed.

 Is it possible for you to describe what you do ? It might be handy to
 add this to the IPA documentation also with some explanation why...

 Cheers,

 Matt

 2015-07-31 16:55 GMT+02:00 Christopher Lamb
 christopher.l...@ch.ibm.com:
 Hi

 We use the Samba extensions for FreeIPA. Windows 7 users connect to the
 shares using their FreeIPA credentials. The only password mgmt problem
 that we have is, that the users get no notice of password expiry until
 suddenly their Samba user (really the FreeIPA user) password is not
 accepted when trying to connect to a share. Once the password is reset (via
 CLI or FreeIPA WebUi), they can access the shares again.

 Chris



 From:   Youenn PIOLET piole...@gmail.com
 To: Matt . yamakasi@gmail.com
 Cc: freeipa-users@redhat.com freeipa-users@redhat.com
 Date:   31.07.2015 16:21
 Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against
 IPA
 Sent by:freeipa-users-boun...@redhat.com



 Hi,
 I asked the very same question a few weeks ago, but no answer yet.
 http://comments.gmane.org/gmane.linux.redhat.freeipa.user/18174

 The only method I see is to install samba extensions in FreeIPA's LDAP
 directory, and bind samba with LDAP. There may be a lot of difficulties
 with password management doing this, that's why I'd like to get a better
 solution :)

 Anyone?


 --
 Youenn Piolet
 piole...@gmail.com


 2015-07-31 16:03 GMT+02:00 Matt . yamakasi@gmail.com:
   Hi Guys,

   I'm really struggling getting a NON AD Samba server authing against a
   FreeIPA server

Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-08-03 Thread Matt .
Hi Chris,

Thanks for that verification!

It seems that:

/usr/share/ipa/ui/group.js

Is not there on IPA 4.1, also there is no .js at all on the whole system.

Any idea there ?

Thanks again!

Matt


Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-08-03 Thread Matt .
Hi,

OK, I have a Samba Group Type now in my groups details list and also
in the groups settings tab.

I'm not 100% sure how this is managed. I have Grouptype 4, in the groups
overview it's still empty. But how to manage this between samba and
ipa ? What should be the reference between the group(names) ?

Thanks again!

Matt

2015-08-03 13:20 GMT+02:00 Christopher Lamb christopher.l...@ch.ibm.com:
 HI Matt

 It looks like I skipped that step ... (And as we already had samba groups
 in place, did not need to make new ones via the WebUI).

 However a quick google trawled up this old thread that has a possible
 answer from Peter. (I have not tested it yet myself).

 https://www.redhat.com/archives/freeipa-users/2014-May/msg00137.html

 Chris




Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-08-02 Thread Matt .
Chris,

Are you doing this on 3.x or also 4.x ?

As the following already exists:

ldapmodify -Y GSSAPI <<EOF
dn: cn=ipaconfig,cn=etc,dc=domain,dc=tld
changetype: add
add: ipaCustomFields
ipaCustomFields: Samba Group Type,sambagrouptype,true
EOF


And I'm unsure about the python files as they are slightly different on 4.1


Thanks!



 2015-07-31 16:03 GMT+02:00 Matt . yamakasi@gmail.com:
   Hi Guys,

   I'm really struggling getting a NON AD Samba server authing against a
   FreeIPA server:

   Ubuntu 14.04 - Samba (no AD) / SSD 1.12.5
   CentOS 7.1 - FreeIPA 4.1

   Now this seems to be the way:


 https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA


   But as this, which I also found on the mailing lists:

   NOTE: Only Kerberos authentication will work when accessing Samba
   shares using this method. This means that Windows clients not joined
   to Active Directory forest trusted by IPA would not be able to access
   the shares. This is related to SSSD not yet being able to handle
   NTLMSSP authentication.

   It might not be that easy to have a Samba Shares only server.

   Any idea here how to accomplish this?

   Cheers,

   Matt

   --
   Manage your subscription for the Freeipa-users mailing list:
   https://www.redhat.com/mailman/listinfo/freeipa-users
   Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-08-01 Thread Matt .
Hi,

Yes I found that earlier, that looks good and even better when you
confirm this as really usable.

For Samba 4 the IPA devs are very busy but I wonder indeed what
happens when we need to move because integration has been improved.

I try to keep IPA as native as I can.

So this is the best way to go for now, even though this thread is so old?

Thanks!

Matt




[Freeipa-users] Admin password not accepted during replica install

2015-08-01 Thread Matt .
Hi Guys,

I'm doing a replica install where my admin password for the SSH check
to the master is not accepted.

The password is not expired, I can use it on the GUI and even changing
it in the GUI doesn't fix this.

What can I check ?

Cheers,

Matt



Re: [Freeipa-users] Admin password not accepted during replica install

2015-08-01 Thread Matt .
Hi,

This didn't fix it yet.

I wonder if there are any checks I can do, as in the past I was
able to do a simple replica without any issues.

Matt

2015-08-01 21:34 GMT+02:00 Janelle janellenicol...@gmail.com:
 Double check you do not have AllowGroups set in your /etc/ssh/sshd_config
 file. If you do, add the admins group.

 Also, make sure on the master, that the /etc/nsswitch.conf was properly
 updated. Several server installs I have done, have left off the sss for
 passwd, group and shadow.

 passwd: files sss
 shadow: files sss
 group:  files sss

 I bet one of those will fix your problem. Restart sssd and/or sshd if you
 have to make changes.

 ~Janelle




 On 8/1/15 10:13 AM, Matt . wrote:

 Hi Guys,

 I'm doing a replica install where my admin password for the SSH check
 to the master is not accepted.

 The password is not expired, I can use it on the GUI and even changing
 it in the GUI doesn't fix this.

 What can I check?

 Cheers,

 Matt



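The two checks Janelle suggests above (AllowGroups in sshd_config, and sss on the passwd, shadow and group lines of nsswitch.conf), as an added example that is not part of this thread: a small Python preflight checker run over constructed sample files. The sample file contents, the function names and the admin/admins defaults are assumptions made for illustration.

```python
import fnmatch
from typing import Dict, List, Tuple

# Constructed sample inputs; on a real host read /etc/ssh/sshd_config and
# /etc/nsswitch.conf from the master that refuses the admin login.
SAMPLE_SSHD_CONFIG = """\
# constructed sshd_config
Port 22
PasswordAuthentication yes
GSSAPIAuthentication yes
AllowGroups wheel ops
Match User git
    AllowGroups git
"""

SAMPLE_NSSWITCH = """\
# constructed nsswitch.conf: sss was left off the shadow line
passwd:     files sss
shadow:     files
group:      files sss
hosts:      files dns
"""


def sshd_global_directives(text: str) -> Dict[str, List[str]]:
    """Collect directive values from the global part of sshd_config, i.e.
    everything before the first Match block. Values of repeated lines with
    the same keyword are merged into one list."""
    found: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break  # conditional blocks do not describe the global policy
        values = parts[1].split() if len(parts) > 1 else []
        found.setdefault(key, []).extend(values)
    return found


def nss_sources(text: str) -> Dict[str, List[str]]:
    """Map every nsswitch.conf database to its list of sources."""
    sources: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        db, rest = line.split(":", 1)
        sources[db.strip()] = rest.split()
    return sources


def check_ipa_admin_login(sshd_config: str, nsswitch: str,
                          user: str = "admin", group: str = "admins") -> List[Tuple[str, str]]:
    """Return (code, message) findings that would block the replica install's
    password-based ssh login as the IPA admin user."""
    findings: List[Tuple[str, str]] = []
    sshd = sshd_global_directives(sshd_config)

    # AllowGroups / AllowUsers take glob patterns; user@host forms are not handled here.
    groups = sshd.get("allowgroups", [])
    if groups and not any(fnmatch.fnmatchcase(group, p) for p in groups):
        findings.append(("allowgroups",
                         f"AllowGroups {' '.join(groups)} does not admit group {group!r}; add it"))
    users = sshd.get("allowusers", [])
    if users and not any(fnmatch.fnmatchcase(user, p) for p in users):
        findings.append(("allowusers",
                         f"AllowUsers {' '.join(users)} does not admit user {user!r}"))

    # sshd keeps the first value of PasswordAuthentication; the default is yes.
    if sshd.get("passwordauthentication", ["yes"])[0].lower() == "no":
        findings.append(("passwordauth",
                         "PasswordAuthentication no: the password-based ssh check cannot succeed"))

    # Without sss on these three lines, IPA users and groups are invisible to sshd.
    nss = nss_sources(nsswitch)
    for db in ("passwd", "shadow", "group"):
        if "sss" not in nss.get(db, []):
            findings.append((f"nss:{db}", f"nsswitch.conf: '{db}' lacks 'sss'"))
    return findings


if __name__ == "__main__":
    for code, message in check_ipa_admin_login(SAMPLE_SSHD_CONFIG, SAMPLE_NSSWITCH):
        print(f"{code}: {message}")
```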


Re: [Freeipa-users] Admin password not accepted during replica install

2015-08-01 Thread Matt .
kinit admin works perfectly, that is so strange.

2015-08-01 22:15 GMT+02:00 Janelle janellenicol...@gmail.com:
 lastly -- on the master - do you get the same error if you kinit admin?
 ~J


 On 8/1/15 1:05 PM, Matt . wrote:

 This is actually the most important part, and the GSS failure concerns me:

 debug1: SSH2_MSG_SERVICE_ACCEPT received
 debug2: key: /root/.ssh/id_rsa ((nil)),
 debug2: key: /root/.ssh/id_dsa ((nil)),
 debug2: key: /root/.ssh/id_ecdsa ((nil)),
 debug2: key: /root/.ssh/id_ed25519 ((nil)),
 debug1: Authentications that can continue:
 publickey,gssapi-keyex,gssapi-with-mic,password
 debug3: start over, passed a different list
 publickey,gssapi-keyex,gssapi-with-mic,password
 debug3: preferred
 gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
 debug3: authmethod_lookup gssapi-keyex
 debug3: remaining preferred:
 gssapi-with-mic,publickey,keyboard-interactive,password
 debug3: authmethod_is_enabled gssapi-keyex
 debug1: Next authentication method: gssapi-keyex
 debug1: No valid Key exchange context
 debug2: we did not send a packet, disable method
 debug3: authmethod_lookup gssapi-with-mic
 debug3: remaining preferred: publickey,keyboard-interactive,password
 debug3: authmethod_is_enabled gssapi-with-mic
 debug1: Next authentication method: gssapi-with-mic
 debug1: Unspecified GSS failure.  Minor code may provide more information
 No Kerberos credentials available

 debug1: Unspecified GSS failure.  Minor code may provide more information
 No Kerberos credentials available

 debug1: Unspecified GSS failure.  Minor code may provide more information


 debug1: Unspecified GSS failure.  Minor code may provide more information
 No Kerberos credentials available

 debug2: we did not send a packet, disable method
 debug3: authmethod_lookup publickey
 debug3: remaining preferred: keyboard-interactive,password
 debug3: authmethod_is_enabled publickey
 debug1: Next authentication method: publickey
 debug1: Trying private key: /root/.ssh/id_rsa
 debug3: no such identity: /root/.ssh/id_rsa: No such file or directory
 debug1: Trying private key: /root/.ssh/id_dsa
 debug3: no such identity: /root/.ssh/id_dsa: No such file or directory
 debug1: Trying private key: /root/.ssh/id_ecdsa
 debug3: no such identity: /root/.ssh/id_ecdsa: No such file or directory
 debug1: Trying private key: /root/.ssh/id_ed25519
 debug3: no such identity: /root/.ssh/id_ed25519: No such file or directory
 debug2: we did not send a packet, disable method
 debug3: authmethod_lookup password
 debug3: remaining preferred: ,password
 debug3: authmethod_is_enabled password
 debug1: Next authentication method: password
 admin@ipa-01.domain.local's password:
 debug3: packet_send2: adding 64 (len 58 padlen 6 extra_pad 64)
 debug2: we sent a password packet, wait for reply
 debug1: Authentications that can continue:
 publickey,gssapi-keyex,gssapi-with-mic,password
 Permission denied, please try again.

 2015-08-01 22:02 GMT+02:00 Janelle janellenicol...@gmail.com:

 What is in the logs on the machine that is failing? Can you login to admin
 from anywhere? Logs are your best friend.
 Also, a simple ssh -vvv will help.

 ~J


 On 8/1/15 12:51 PM, Matt . wrote:

 Hi,

 This didn't fix it yet.

 I wonder if there are any checks I can do, as in the past I was
 able to do a simple replica without any issues.

 Matt

 2015-08-01 21:34 GMT+02:00 Janelle janellenicol...@gmail.com:

 Double check you do not have AllowGroups set in your /etc/ssh/sshd_config
 file. If you do, add the admins group.

 Also, make sure on the master, that the /etc/nsswitch.conf was properly
 updated. Several server installs I have done, have left off the sss for
 passwd, group and shadow.

 passwd: files sss
 shadow: files sss
 group:  files sss

 I bet one of those will fix your problem. Restart sssd and/or sshd if you
 have to make changes.

 ~Janelle




 On 8/1/15 10:13 AM, Matt . wrote:

 Hi Guys,

 I'm doing a replica install where my admin password for the SSH check
 to the master is not accepted.

 The password is not expired, I can use it on the GUI and even changing
 it in the GUI doesn't fix this.

 What can I check?

 Cheers,

 Matt





Re: [Freeipa-users] Admin password not accepted during replica install

2015-08-01 Thread Matt .
I even checked a working version (IPA clusters) and they don't even have
this AllowGroups.

Am I missing something?

2015-08-01 22:52 GMT+02:00 Janelle janellenicol...@gmail.com:
 which points to the configuration of sssd.conf and/or nsswitch.conf
 It is in there. If you say there are no AllowGroups in sshd, it has to be in
 one of those 2 places.

 ~J


 On 8/1/15 1:26 PM, Matt . wrote:

 kinit admin works perfectly, that is so strange.

 2015-08-01 22:15 GMT+02:00 Janelle janellenicol...@gmail.com:

 lastly -- on the master - do you get the same error if you kinit admin?
 ~J


 On 8/1/15 1:05 PM, Matt . wrote:

 This is actually the most important part, and the GSS failure concerns me:

 debug1: SSH2_MSG_SERVICE_ACCEPT received
 debug2: key: /root/.ssh/id_rsa ((nil)),
 debug2: key: /root/.ssh/id_dsa ((nil)),
 debug2: key: /root/.ssh/id_ecdsa ((nil)),
 debug2: key: /root/.ssh/id_ed25519 ((nil)),
 debug1: Authentications that can continue:
 publickey,gssapi-keyex,gssapi-with-mic,password
 debug3: start over, passed a different list
 publickey,gssapi-keyex,gssapi-with-mic,password
 debug3: preferred
 gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
 debug3: authmethod_lookup gssapi-keyex
 debug3: remaining preferred:
 gssapi-with-mic,publickey,keyboard-interactive,password
 debug3: authmethod_is_enabled gssapi-keyex
 debug1: Next authentication method: gssapi-keyex
 debug1: No valid Key exchange context
 debug2: we did not send a packet, disable method
 debug3: authmethod_lookup gssapi-with-mic
 debug3: remaining preferred: publickey,keyboard-interactive,password
 debug3: authmethod_is_enabled gssapi-with-mic
 debug1: Next authentication method: gssapi-with-mic
 debug1: Unspecified GSS failure.  Minor code may provide more information
 No Kerberos credentials available

 debug1: Unspecified GSS failure.  Minor code may provide more information
 No Kerberos credentials available

 debug1: Unspecified GSS failure.  Minor code may provide more information


 debug1: Unspecified GSS failure.  Minor code may provide more information
 No Kerberos credentials available

 debug2: we did not send a packet, disable method
 debug3: authmethod_lookup publickey
 debug3: remaining preferred: keyboard-interactive,password
 debug3: authmethod_is_enabled publickey
 debug1: Next authentication method: publickey
 debug1: Trying private key: /root/.ssh/id_rsa
 debug3: no such identity: /root/.ssh/id_rsa: No such file or directory
 debug1: Trying private key: /root/.ssh/id_dsa
 debug3: no such identity: /root/.ssh/id_dsa: No such file or directory
 debug1: Trying private key: /root/.ssh/id_ecdsa
 debug3: no such identity: /root/.ssh/id_ecdsa: No such file or directory
 debug1: Trying private key: /root/.ssh/id_ed25519
 debug3: no such identity: /root/.ssh/id_ed25519: No such file or directory
 debug2: we did not send a packet, disable method
 debug3: authmethod_lookup password
 debug3: remaining preferred: ,password
 debug3: authmethod_is_enabled password
 debug1: Next authentication method: password
 admin@ipa-01.domain.local's password:
 debug3: packet_send2: adding 64 (len 58 padlen 6 extra_pad 64)
 debug2: we sent a password packet, wait for reply
 debug1: Authentications that can continue:
 publickey,gssapi-keyex,gssapi-with-mic,password
 Permission denied, please try again.

 2015-08-01 22:02 GMT+02:00 Janelle janellenicol...@gmail.com:

 What is in the logs on the machine that is failing? Can you login to admin
 from anywhere? Logs are your best friend.
 Also, a simple ssh -vvv will help.

 ~J


 On 8/1/15 12:51 PM, Matt . wrote:

 Hi,

 This didn't fix it yet.

 I wonder if there are any checks I can do, as in the past I was
 able to do a simple replica without any issues.

 Matt

 2015-08-01 21:34 GMT+02:00 Janelle janellenicol...@gmail.com:

 Double check you do not have AllowGroups set in your /etc/ssh/sshd_config
 file. If you do, add the admins group.

 Also, make sure on the master, that the /etc/nsswitch.conf was properly
 updated. Several server installs I have done, have left off the sss for
 passwd, group and shadow.

 passwd: files sss
 shadow: files sss
 group:  files sss

 I bet one of those will fix your problem. Restart sssd and/or sshd if you
 have to make changes.

 ~Janelle




 On 8/1/15 10:13 AM, Matt . wrote:

 Hi Guys,

 I'm doing a replica install where my admin password for the SSH check
 to the master is not accepted.

 The password is not expired, I can use it on the GUI and even changing
 it in the GUI doesn't fix this.

 What can I check?

 Cheers,

 Matt





[Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-07-31 Thread Matt .
Hi Guys,

I'm really struggling getting a NON AD Samba server authing against a
FreeIPA server:

Ubuntu 14.04 - Samba (no AD) / SSSD 1.12.5
CentOS 7.1 - FreeIPA 4.1

Now this seems to be the way:

https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA

But as this, which I also found on the mailinglists:

NOTE: Only Kerberos authentication will work when accessing Samba
shares using this method. This means that Windows clients not joined
to Active Directory forest trusted by IPA would not be able to access
the shares. This is related to SSSD not yet being able to handle
NTLMSSP authentication.

It might not be that easy to have a Samba Shares only server.

Any idea here how to accomplish this?

Cheers,

Matt



Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-07-31 Thread Matt .
Hi,

This is nice to have confirmed.

Is it possible for you to describe what you do? It might be handy to
add this to the IPA documentation also with some explanation why...

Cheers,

Matt

2015-07-31 16:55 GMT+02:00 Christopher Lamb christopher.l...@ch.ibm.com:
 Hi

 We use the Samba extensions for FreeIPA. Windows 7 users connect to the
 shares using their FreeIPA credentials. The only password mgmt problem
 that we have is that the users get no notice of password expiry until
 suddenly their Samba user (really the FreeIPA user) password is not
 accepted when trying to connect to a share. Once the password is reset (via
 CLI or FreeIPA WebUi), they can access the shares again.

 Chris



 From:   Youenn PIOLET piole...@gmail.com
 To: Matt . yamakasi@gmail.com
 Cc: freeipa-users@redhat.com freeipa-users@redhat.com
 Date:   31.07.2015 16:21
 Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
 Sent by:freeipa-users-boun...@redhat.com



 Hi,
 I asked the very same question a few weeks ago, but no answer yet.
 http://comments.gmane.org/gmane.linux.redhat.freeipa.user/18174

 The only method I see is to install samba extensions in FreeIPA's LDAP
 directory, and bind samba with LDAP. There may be a lot of difficulties
 with password management doing this, that's why I'd like to get a better
 solution :)

 Anyone?


 --
 Youenn Piolet
 piole...@gmail.com


 2015-07-31 16:03 GMT+02:00 Matt . yamakasi@gmail.com:
   Hi Guys,

   I'm really struggling getting a NON AD Samba server authing against a
   FreeIPA server:

   Ubuntu 14.04 - Samba (no AD) / SSSD 1.12.5
   CentOS 7.1 - FreeIPA 4.1

   Now this seems to be the way:

   https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA


   But as this, which I also found on the mailinglists:

   NOTE: Only Kerberos authentication will work when accessing Samba
   shares using this method. This means that Windows clients not joined
   to Active Directory forest trusted by IPA would not be able to access
   the shares. This is related to SSSD not yet being able to handle
   NTLMSSP authentication.

   It might not be that easy to have a Samba Shares only server.

   Any idea here how to accomplish this?

   Cheers,

   Matt






Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-07-31 Thread Matt .
Hi Lucas,

Thank you for this reply.

In this case it simply should work as it should by creating the
symlinks, or are there other issues we might get?

Thanks,

Matt

2015-07-31 17:21 GMT+02:00 Lukas Slebodnik lsleb...@redhat.com:
 On (31/07/15 16:03), Matt . wrote:
Hi Guys,

I'm really struggling getting a NON AD Samba server authing against a
FreeIPA server:

Ubuntu 14.04 - Samba (no AD) / SSSD 1.12.5
CentOS 7.1 - FreeIPA 4.1

Now this seems to be the way:

https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA

 As you can see this howto is mainly written for rpm based distributions.
 The most important difference between sssd 1.12.5 for ubuntu[1]
 and sssd >= 1.12 in fedora[2] is packaging of sssd-libwbclient.

 sssd-libwbclient and libwbclient(from samba) use alternatives
 to switch between these libraries.


 Ubuntu 14.04
 root@48c613c6a3fc:/# ls -l /usr/lib/x86_64-linux-gnu/libwbclient*
 lrwxrwxrwx. 1 root root    19 Jul  1 15:38 /usr/lib/x86_64-linux-gnu/libwbclient.so.0 -> libwbclient.so.0.11
 -rw-r--r--. 1 root root 43216 Jul  1 15:38 /usr/lib/x86_64-linux-gnu/libwbclient.so.0.11

 root@48c613c6a3fc:/# ls -l /usr/lib/x86_64-linux-gnu/sssd/modules/libwbclient*
 lrwxrwxrwx. 1 root root    21 Jun 15 18:14 /usr/lib/x86_64-linux-gnu/sssd/modules/libwbclient.so.0 -> libwbclient.so.0.12.0
 -rw-r--r--. 1 root root 30800 Jun 15 18:14 /usr/lib/x86_64-linux-gnu/sssd/modules/libwbclient.so.0.12.0


 Fedora 21
 bash-4.3# alternatives --display libwbclient.so.0.11-64
 libwbclient.so.0.11-64 - status is auto.
  link currently points to /usr/lib64/samba/wbclient/libwbclient.so.0.11
 /usr/lib64/samba/wbclient/libwbclient.so.0.11 - priority 10
 /usr/lib64/sssd/modules/libwbclient.so.0.12.0 - priority 5
 Current `best' version is /usr/lib64/samba/wbclient/libwbclient.so.0.11.


 So if you want to use this howto on ubuntu then you need to create
 symbolic links on your own.


 Feel free to update the Howto page with additional information
 if you manage to solve it on ubuntu.

 LS

 [1] https://launchpad.net/~sssd/+archive/ubuntu/updates
 [2] https://admin.fedoraproject.org/updates/sssd



[Freeipa-users] LDAP to Free IPA Migration SSSD migration : example configuration of sssd.conf file?

2015-07-22 Thread Matt Koch
Hello,
I’m looking for an example sssd.conf migration configuration that will allow for 
the user to seamlessly authenticate to LDAP or freeIPA prior to installation of 
the freeipa client. 

This would be during migration to generate kerberos hashes for each user while 
still providing legacy LDAP support until migration can be completed. Hopefully 
with minimal changes to our existing sssd.conf file. 


Hinted at here: 
(20.1.3.4. Migration Sequence - 
http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/Migrating_from_a_Directory_Server_to_IPA.html#migration-considerations)
 

and here: 

The Red Hat documentation describes: 
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/Migrating_from_a_Directory_Server_to_IPA.html
27.1.2.3. Method 3: Using SSSD (Recommended)

SSSD can work with IdM to mitigate the user impact on migrating by generating 
the required user keys. For deployments with a lot of users or where users 
shouldn't be burdened with password changes, this is the best scenario.
• A user tries to log into a machine with SSSD.
• SSSD attempts to perform Kerberos authentication against the IdM 
server.
• Even though the user exists in the system, the authentication will 
fail with the error key type is not supported because the Kerberos hashes do 
not yet exist.
• SSSD then performs a plain text LDAP bind over a secure connection.
• IdM intercepts this bind request. If the user has a Kerberos 
principal but no Kerberos hashes, then the IdM identity provider generates the 
hashes and stores them in the user entry.
• If authentication is successful, SSSD disconnects from IdM and tries 
Kerberos authentication again. This time, the request succeeds because the hash 
exists in the entry.
That entire process is entirely transparent to the user; as far as users know, 
they simply log into a client service and it works as normal.


From:
https://www.redhat.com/archives/freeipa-users/2011-September/msg00138.html
Specifically, the way SSSD behaves is as follows: 
1) Try to authenticate with Kerberos. If Kerberos responds that there's no hash 
for this user, 
2) Ask FreeIPA if migration mode is enabled, if it is, 
3) Try to bind to FreeIPA LDAP using the same password. If this succeeds, we 
know that the password is valid 
4) Initiate a kerberos password-change to set the kerberos password equal to 
the LDAP password.

Thanks for your help!
-Matt





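The quoted migration sequence, as an added example that is not part of this thread and not SSSD or FreeIPA code: a Python simulation of the client and server sides, following the Red Hat description quoted above (keys generated on the server during the secured LDAP bind, then a second Kerberos attempt). The IdMServer and SSSDClient classes, the status strings, the key derivation and the sample users are all constructed for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Everything here (IdMServer, SSSDClient, the status strings, the key
# derivation) is constructed for this example; it only mirrors the sequence
# of steps quoted above and is not the SSSD or FreeIPA implementation.


def _derive(password: str, salt: bytes) -> bytes:
    """Stand-in for both the LDAP password hash and the Kerberos string-to-key."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


@dataclass
class UserEntry:
    uid: str
    ldap_salt: bytes
    ldap_hash: bytes                  # hash migrated from the old LDAP server
    krb_keys: Optional[bytes] = None  # None: "Kerberos hashes do not yet exist"


class IdMServer:
    """Constructed stand-in for IdM: KDC plus LDAP directory with migration mode."""

    def __init__(self, realm: str, migration_enabled: bool) -> None:
        self.realm = realm
        self.migration_enabled = migration_enabled
        self.users: Dict[str, UserEntry] = {}

    def add_migrated_user(self, uid: str, password: str) -> None:
        # Migration copies the LDAP password hash only; no Kerberos keys yet.
        salt = os.urandom(16)
        self.users[uid] = UserEntry(uid, salt, _derive(password, salt))

    def _krb_salt(self, uid: str) -> bytes:
        return (self.realm + uid).encode()

    def kerberos_authenticate(self, uid: str, password: str) -> str:
        entry = self.users.get(uid)
        if entry is None:
            return "UNKNOWN_PRINCIPAL"
        if entry.krb_keys is None:
            # Principal exists but has no keys: the "key type is not supported" case.
            return "KEY_TYPE_NOT_SUPPORTED"
        if hmac.compare_digest(entry.krb_keys, _derive(password, self._krb_salt(uid))):
            return "OK"
        return "PREAUTH_FAILED"

    def ldap_bind(self, uid: str, password: str, tls: bool) -> bool:
        # The simple bind carries the clear-text password, so it is accepted
        # only over a secured connection.
        if not tls:
            return False
        entry = self.users.get(uid)
        if entry is None or not hmac.compare_digest(
                entry.ldap_hash, _derive(password, entry.ldap_salt)):
            return False
        if self.migration_enabled and entry.krb_keys is None:
            # Successful bind in migration mode: generate the Kerberos keys
            # from the password just verified and store them in the entry.
            entry.krb_keys = _derive(password, self._krb_salt(uid))
        return True


class SSSDClient:
    """Constructed stand-in for the SSSD side of the sequence."""

    def __init__(self, server: IdMServer) -> None:
        self.server = server

    def authenticate(self, uid: str, password: str,
                     tls: bool = True) -> Tuple[bool, List[str]]:
        log: List[str] = []
        status = self.server.kerberos_authenticate(uid, password)
        log.append(f"krb5: {status}")
        if status == "OK":
            return True, log
        if status != "KEY_TYPE_NOT_SUPPORTED":
            return False, log  # a genuine failure, not the missing-keys case
        if not self.server.migration_enabled:
            log.append("migration mode off: no LDAP fallback")
            return False, log
        if not self.server.ldap_bind(uid, password, tls=tls):
            log.append("ldap bind: FAILED")
            return False, log
        log.append("ldap bind: OK, keys generated")
        status = self.server.kerberos_authenticate(uid, password)  # second attempt
        log.append(f"krb5: {status}")
        return status == "OK", log


def demo() -> Tuple[bool, List[str]]:
    """First login of a migrated user: Kerberos fails, bind succeeds, retry works."""
    server = IdMServer("EXAMPLE.TEST", migration_enabled=True)
    server.add_migrated_user("alice", "correct horse")  # constructed sample user
    return SSSDClient(server).authenticate("alice", "correct horse")
```

A wrong password, a bind without TLS, or migration mode switched off all leave the entry without Kerberos keys, so nothing is generated from an unverified password.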

[Freeipa-users] Apache not starting because of cert password issue ?

2015-07-08 Thread Matt .
I'm facing an httpd server which won't start with ipa, so IPA fails to start.

As I'm really not able to find anything about it on the internet I
wonder if someone knows why it's logging this and how I can fix it.

[Wed Jul 08 22:55:11.728828 2015] [:error] [pid 9243] Password for slot internal is incorrect.
[Wed Jul 08 22:55:11.742301 2015] [:error] [pid 9243] NSS initialization failed. Certificate database: /etc/httpd/alias.
[Wed Jul 08 22:55:11.742350 2015] [:error] [pid 9243] SSL Library Error: -8177 The security password entered is incorrect

Cheers,

Matt



Re: [Freeipa-users] Apache not starting because of cert password issue ?

2015-07-08 Thread Matt .
Hi,

No I'm testing some recovering strategies for the docs, so I need to
have that checked.

I have emailed Martin Kosek if he can enable the older repos again,
would be great!

Thanks,

Matt

2015-07-09 3:23 GMT+02:00 Nigel Sollars nsoll...@gmail.com:
 Would it not be wise to keep with current?

 There does seem to be a lot of threads with issues regarding older versions.
 That being said there is a thread also with regards to LDAP which could be
 related also.

 Regards

 On Wed, Jul 8, 2015 at 9:19 PM, Matt . yamakasi@gmail.com wrote:

 Hi I found that but it didn't fix it, thanks btw.

 Now I'm looking for a way to install 4.1.2 on CentOS 7.x as it seems
 that the maintainer empties the repo after every release... so older
 versions are not there anymore.

 2015-07-09 3:17 GMT+02:00 Nigel Sollars nsoll...@gmail.com:
  Looks similar to a TLS/SSL issue in this thread,
 
 
  http://www.linuxquestions.org/questions/linux-server-73/centos-5-5-5-6-ssl-problem-874090/
 
  Hope this helps,
 
  Regards
 
  On Wed, Jul 8, 2015 at 5:04 PM, Matt . yamakasi@gmail.com wrote:
 
  I'm facing a httpd server which won't start with ipa, so IPA fails to
  start.
 
  As I'm really not able to find anything about it on the internet I
  wonder if someone knows why it's logging this and how I can fix it.
 
  [Wed Jul 08 22:55:11.728828 2015] [:error] [pid 9243] Password for slot internal is incorrect.
  [Wed Jul 08 22:55:11.742301 2015] [:error] [pid 9243] NSS initialization failed. Certificate database: /etc/httpd/alias.
  [Wed Jul 08 22:55:11.742350 2015] [:error] [pid 9243] SSL Library Error: -8177 The security password entered is incorrect
 
  Cheers,
 
  Matt
 
 
 
 
 
  --
  “Science is a differential equation. Religion is a boundary condition.”
 
  Alan Turing




 --
 “Science is a differential equation. Religion is a boundary condition.”

 Alan Turing


Re: [Freeipa-users] Apache not starting because of cert password issue ?

2015-07-08 Thread Matt .
I now get: [Thu Jul 09 02:50:18.815219 2015] [:error] [pid 16615]
Certificate not found: 'Server-Cert'

So, it's no good at all :)

2015-07-09 3:27 GMT+02:00 Nigel Sollars nsoll...@gmail.com:
 Fair enough :)

 On Wed, Jul 8, 2015 at 9:25 PM, Matt . yamakasi@gmail.com wrote:

 Hi,

 No I'm testing some recovering strategies for the docs, so I need to
 have that checked.

 I have emailed Martin Kosek if he can enable the older repos again,
 would be great!

 Thanks,

 Matt

 2015-07-09 3:23 GMT+02:00 Nigel Sollars nsoll...@gmail.com:
  Would it not be wise to keep with current?
 
  There does seem to be a lot of threads with issues regarding older
  versions.
  That being said there is a thread also with regards to LDAP which could
  be
  related also.
 
  Regards
 
  On Wed, Jul 8, 2015 at 9:19 PM, Matt . yamakasi@gmail.com wrote:
 
  Hi I found that but it didn't fix it, thanks btw.
 
  Now I'm looking for a way to install 4.1.2 on CentOS 7.x as it seems
  that the maintainer empties the repo after every release... so older
  versions are not there anymore.
 
  2015-07-09 3:17 GMT+02:00 Nigel Sollars nsoll...@gmail.com:
   Looks similar to a TLS/SSL issue in this thread,
  
  
  
   http://www.linuxquestions.org/questions/linux-server-73/centos-5-5-5-6-ssl-problem-874090/
  
   Hope this helps,
  
   Regards
  
   On Wed, Jul 8, 2015 at 5:04 PM, Matt . yamakasi@gmail.com
   wrote:
  
   I'm facing a httpd server which won't start with ipa, so IPA fails
   to
   start.
  
   As I'm really not able to find anything about it on the internet I
   wonder if someone knows why it's logging this and how I can fix it.
  
   [Wed Jul 08 22:55:11.728828 2015] [:error] [pid 9243] Password for slot internal is incorrect.
   [Wed Jul 08 22:55:11.742301 2015] [:error] [pid 9243] NSS initialization failed. Certificate database: /etc/httpd/alias.
   [Wed Jul 08 22:55:11.742350 2015] [:error] [pid 9243] SSL Library Error: -8177 The security password entered is incorrect
  
   Cheers,
  
   Matt
  
  
  
  
  
   --
   “Science is a differential equation. Religion is a boundary
   condition.”
  
   Alan Turing
 
 
 
 
  --
  “Science is a differential equation. Religion is a boundary condition.”
 
  Alan Turing




 --
 “Science is a differential equation. Religion is a boundary condition.”

 Alan Turing


Re: [Freeipa-users] Apache not starting because of cert password issue ?

2015-07-08 Thread Matt .
Hi I found that but it didn't fix it, thanks btw.

Now I'm looking for a way to install 4.1.2 on CentOS 7.x as it seems
that the maintainer empties the repo after every release... so older
versions are not there anymore.

2015-07-09 3:17 GMT+02:00 Nigel Sollars nsoll...@gmail.com:
 Looks similar to a TLS/SSL issue in this thread,

 http://www.linuxquestions.org/questions/linux-server-73/centos-5-5-5-6-ssl-problem-874090/

 Hope this helps,

 Regards

 On Wed, Jul 8, 2015 at 5:04 PM, Matt . yamakasi@gmail.com wrote:

 I'm facing a httpd server which won't start with ipa, so IPA fails to
 start.

 As I'm really not able to find anything about it on the internet I
 wonder if someone knows why it's logging this and how I can fix it.

 [Wed Jul 08 22:55:11.728828 2015] [:error] [pid 9243] Password for slot internal is incorrect.
 [Wed Jul 08 22:55:11.742301 2015] [:error] [pid 9243] NSS initialization failed. Certificate database: /etc/httpd/alias.
 [Wed Jul 08 22:55:11.742350 2015] [:error] [pid 9243] SSL Library Error: -8177 The security password entered is incorrect

 Cheers,

 Matt





 --
 “Science is a differential equation. Religion is a boundary condition.”

 Alan Turing


Re: [Freeipa-users] Userpassword randomly not working anymore.

2015-07-07 Thread Matt .
Hi Martin,

No problem, I thought you guys needed a vacation, but you are working on
4.2, wow, sounds great!

I can provide that but it will take some time as I cannot see when it
happens so need to check.

I might be able to post it tomorrow!

Good luck there with the release!

Cheers,

Matt

2015-07-07 13:40 GMT+02:00 Martin Kosek mko...@redhat.com:
 On 07/05/2015 01:08 AM, Matt . wrote:
 Hi Guys,

 I created a bug where no response is on yet for a week, so I thought
 to ask the mailinglist if someone has seen this behaviour.

 Hi Matt,

 Sorry for the delay in the answer in Bugzilla, most of the team is now very
 busy with FreeIPA 4.2 finalization, so the responses are slower.

 In your case, I think we will need more data anyway, specifically what does it
 mean that "The password of a user is randomly not working".

 If password reset is not behaving as it should, we will need full user entry
 *before* password reset (ipa user-show USER --all --raw), full user entry
 *after* password reset and password policy setting for the user (ipa
 pwpolicy-show).

 https://bugzilla.redhat.com/show_bug.cgi?id=1236322


 Description of problem:

 The password of a user is randomly not working anymore and needs a
 reset of the password.

 The user is added as passSyncManagersDNs entry and when this user sets
 a password for another user the expire is set to 2035, it does the
 same for itself.


 Version-Release number of selected component (if applicable):

 4.1


 How reproducible:

 Add a user to passSyncManagersDNs like described here:

 https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/pass-sync.html


 Steps to Reproduce:
 1. Add user to passSyncManagersDNs
 2. Reset this user's password, login and set the same password again
 so it stays the same until 2035
 3. Wait for some days and try to login as this user: the password is
 expired or damaged but the GUI still says it expires in 2035

 Actual results:

 The password expires; it gets corrupted or so?


 Expected results:

 It should not expire until 2035!



 I hope someone has a clue here as I can't get anything logged about it.

 Thanks,

 Matt





Re: [Freeipa-users] IPA replica without CA, how to become CA

2015-07-07 Thread Matt .
Hi Rob,

OK, I had difficulties with that and try it.

What I actually did is:

Turned off IPA1 (to make it act like a dead one) and removed it from ipa2.

Now when I install a new replica with ipa2 as its master/source I get
complaints that there is no CA. So my ipa2 needs to become CA in some way.

I need to check but I thought I did what you said, which didn't work...
I need to debug it and report to you this evening.

Thanks,

Matt

2015-07-06 17:54 GMT+02:00 Rob Crittenden rcrit...@redhat.com:
 Matt . wrote:

 Hi All,

 I'm cleaning up and playing around with some old dev setups and
 reviewing these tests.

 This is a replica setup but the replica is no CA. Now I'm testing out
 how to manage cluster when I remove the ipa1 (CA)  and create a new
 replica with CA from the ipa2.

 IPA2 should become CA and out of that I can setup a replica again.
 What is my best approach to test this ?


 Hard to say given I have no insight into your topology, but to add a CA
 post-install use ipa-ca-install replica-file

 rob




Re: [Freeipa-users] IPA replica without CA, how to become CA

2015-07-06 Thread Matt .
Rob,

Isn't it impossible to install a CA on a replica when its master died?

I know there is normally one CA, but this is kinda confusing me so I'm
testing out scenarios.

Thanks,

Matt

2015-07-06 18:10 GMT+02:00 Matt . yamakasi@gmail.com:
 Hi Rob,

 OK, I had difficulties with that and try it.

 What I actually did is:

 Turned off IPA1 (to make it act like a dead one) and removed it from ipa2.

 Now when I install a new replica with ipa2 as its master/source I get
 complaints that there is no CA. So my ipa2 needs to become CA in some way.

 I need to check but I thought I did what you said, which didn't work...
 I need to debug it and report to you this evening.

 Thanks,

 Matt

 2015-07-06 17:54 GMT+02:00 Rob Crittenden rcrit...@redhat.com:
 Matt . wrote:

 Hi All,

 I'm cleaning up and playing around with some old dev setups and
 reviewing these tests.

 This is a replica setup but the replica is no CA. Now I'm testing out
 how to manage cluster when I remove the ipa1 (CA)  and create a new
 replica with CA from the ipa2.

 IPA2 should become CA and out of that I can setup a replica again.
 What is my best approach to test this ?


 Hard to say given I have no insight into your topology, but to add a CA
 post-install use ipa-ca-install replica-file

 rob




Re: [Freeipa-users] IPA replica without CA, how to become CA

2015-07-06 Thread Matt .
Small update on this.

The replica without CA is not going to find any CA as the master is
dead so we need a CA.

The question is how to approach this: you have a replica with only LDAP
information and no CA.

Is it possible to create something split-brain-like: install IPA1 as a normal
IPA server, so it becomes CA, but then? I wonder if you can create a
(ipa1) replica from your replica2 with the (ipa1) replica as your CA.

The reason why I saw this in my tests is from older docs. The docs say
to create a replica server but never mentioned the CA in it... so I'm
quite sure that lots of people have a replica installation between 2
servers which only has one CA.

Discussing this with Simo on IRC it seems to be some nice writing to
have in the docs and now I found out... I'm trying to create this
using my tests.

But some unclear things have to be made clear first.

Cheers,

Matt

2015-07-06 19:01 GMT+02:00 Matt . <yamakasi@gmail.com>:
> Rob,
>
> Isn't it impossible to install a CA on a replica when its master died?
>
> I know there is normally one CA, but this is kinda confusing me so I'm
> testing out scenarios.
>
> Thanks,
>
> Matt
>
> 2015-07-06 18:10 GMT+02:00 Matt . <yamakasi@gmail.com>:
>> Hi Rob,
>>
>> OK, I had difficulties with that and try it.
>>
>> What I actually did is:
>>
>> Turned off IPA1 (to make it act like a dead one) and removed it from ipa2.
>>
>> Now when I install a new replica with ipa2 as its master/source I get
>> complaints there is no CA. So my ipa2 needs to become CA in some way.
>>
>> I need to check but I thought I did what you said which didn't work...
>> I need to debug it and report to you this evening.
>>
>> Thanks,
>>
>> Matt
>>
>> 2015-07-06 17:54 GMT+02:00 Rob Crittenden <rcrit...@redhat.com>:
>>> Matt . wrote:
>>>>
>>>> Hi All,
>>>>
>>>> I'm cleaning up and playing around with some old dev setups and
>>>> reviewing these tests.
>>>>
>>>> This is a replica setup but the replica is no CA. Now I'm testing out
>>>> how to manage the cluster when I remove the ipa1 (CA) and create a new
>>>> replica with CA from the ipa2.
>>>>
>>>> IPA2 should become CA and out of that I can set up a replica again.
>>>> What is my best approach to test this?
>>>
>>>
>>> Hard to say given I have no insight into your topology, but to add a CA
>>> post-install use ipa-ca-install replica-file
>>>
>>> rob




[Freeipa-users] IPA replica without CA, how to become CA

2015-07-06 Thread Matt .
Hi All,

I'm cleaning up and playing around with some old dev setups and
reviewing these tests.

This is a replica setup but the replica is no CA. Now I'm testing out
how to manage the cluster when I remove the ipa1 (CA) and create a new
replica with CA from the ipa2.

IPA2 should become CA and out of that I can set up a replica again.
What is my best approach to test this?

Cheers,

Matt


