[Freeipa-users] MIT Kerberos Samba 4
Hi list (Simo ;)

Sorry for the bit off-topic question, but do we know whether Samba4 can now share the same KDC with the IPA server so that it can act as an AD DC? I heard MIT KDC functionality would have to be extended, but I am not sure whether this is on the roadmap or not.

Many thanks,
Ondrej

Sent from my command line

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
[Freeipa-users] SAML 2.0 support
Hi List,

Quick question: is something like SAML 2.0 support planned for IPA to help establish SSO for web based applications? I mean something similar to ADFS.

Thanks,
Ondrej

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] EXTERNAL: Re: NIS Compat issues
Did you try to run ypinit -c? Not sure now - it might be necessary to initialize the NIS subsystem.

O.

Sent from Samsung Mobile

-------- Original message --------
From: Joseph, Matthew (EXP)
Date: 07. 01. 2014 15:52 (GMT+01:00)
To: Petr Spacek, Rob Crittenden, d...@redhat.com, freeipa-users@redhat.com
Subject: Re: [Freeipa-users] EXTERNAL: Re: NIS Compat issues

So looking at the NIS documentation I noticed my /var/yp folder did not have the same folders/files as it should. It should have a Makefile, nicknames, binding (folder) and mydomainname (folder).

I created a folder which matched my domainname and ypbind was finally able to start. But I can't do a ypcat since it can't find the maps which I would assume live under that domainname folder.

Any ideas?

-----Original Message-----
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Joseph, Matthew (EXP)
Sent: Tuesday, January 07, 2014 9:23 AM
To: Petr Spacek; Rob Crittenden; d...@redhat.com; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] EXTERNAL: Re: NIS Compat issues

I forgot to show my current configuration.

Yp.conf -
Domain mydomain.ca server primaryIPA
Domain mydomain.ca server secondaryIPA

/etc/sysconfig/network ---
NISDOMAIN=mydomain.ca

Nsswitch.conf --- has nis added for passwd/group/automount

I've been trying different combinations of adding the nsslapd-pluginarg0: 1023 and running ypserv on the same port. Should nsslapd and ypserv be running on the same port when I do the netstat command?

-----Original Message-----
From: Petr Spacek [mailto:pspa...@redhat.com]
Sent: Tuesday, January 07, 2014 6:59 AM
To: Joseph, Matthew (EXP); Rob Crittenden; d...@redhat.com; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] EXTERNAL: Re: NIS Compat issues

On 7.1.2014 11:22, Joseph, Matthew (EXP) wrote:
When I run ypcat on the IPA servers it states that ypbind can't communicate. I started ypbind on the secondary IPA server so now I can run ypcat. Is running ypbind on the IPA servers necessary? According to all of the documentation I read it doesn't mention anything about ypbind on the servers.

Yup, I checked the status of the port to make sure nothing else was using it. I configured it for an empty port below 1024.

You can use the command netstat -lpn (as root) and check if the process is listening on the correct port and interface.

Petr^2 Spacek

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Monday, January 06, 2014 6:13 PM
To: Joseph, Matthew (EXP); d...@redhat.com; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] EXTERNAL: Re: NIS Compat issues

Joseph, Matthew (EXP) wrote:
Hello,
I can add the old UNIX servers using NIS to the secondary IPA server but not the primary. The servers can ping the primary with no issues.
I didn't think the IPA servers could run ypcat? Either way neither of the servers can run the ypcat commands.

Can't run them how?

Nope, ypbind was stopped when those errors came up.

Can you confirm that nothing else is bound to the port?

rob

Matt

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Thursday, January 02, 2014 2:58 PM
To: Joseph, Matthew (EXP); d...@redhat.com; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] EXTERNAL: Re: NIS Compat issues

Joseph, Matthew (EXP) wrote:
Hello,
All of the IPA services are running. When I tried running the ipa-compat-manage enable and ipa-nis-manage enable they are both loaded and running.

On the IPA master you should be able to run something like:

$ ypcat -h `hostname` -d your nis domain name passwd

This will confirm basic operation on the server. If you can run the same on a client it will rule out firewall issues.

Is a ypbind process already running on these clients? That might explain the 'address in use' error.

rob

The firewall is not the issue, I am positive about that.
What do you mean by looking at the compat tree from the IPA server?

Matt

*From:* freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] *On Behalf Of* Dmitri Pal
*Sent:* Thursday, January 02, 2014 12:13 PM
*To:* freeipa-users@redhat.com
*Subject:* EXTERNAL: Re: [Freeipa-users] NIS Compat issues

On 01/02/2014 11:05 AM, Joseph, Matthew (EXP) wrote:
Hello,
I've recently had to restart my IPA servers and my NIS compatibility mode has stopped working.
I've configured my IPA server to run in NIS compatibility mode by doing the following.

[root@ipaserver ~]# ipa-nis-manage enable
[root@ipaserver ~]# ipa-compat-manage enable

Restart the DNS and Directory Server service:

[root@server ~]# service restart rpcbind
[root@server ~]# service restart dirsrv

On my NIS clients I have the following setup in the yp.conf file.

domain domainname.ca server ipaservername.domainname.ca

I tried just running the
[Freeipa-users] IE or Firefox Apache Kerberos authentication
Hi list,

Is there any howto describing Firefox (or IE, if possible) authenticating against an Apache web server using GSSAPI/Kerberos? Both client and server are in the same IPA domain. Ideally I would like to know the FF and Apache setup + compatibility info (i.e. does IE + IIS use the same thing or not).

Many thanks for any hints.

Ondrej
Re: [Freeipa-users] IE or Firefox Apache Kerberos authentication
Thanks,

Is the article about http principals for apache still relevant? I would guess that with gss-proxy (F19) it is much simpler.

Ondrej

Sent from Samsung Mobile

-------- Original message --------
From: Christian Horn ch...@fluxcoil.net
Date:
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] IE or Firefox Apache Kerberos authentication

Hi,

On Mon, Sep 16, 2013 at 04:04:49PM +, Ondrej Valousek wrote:
Is there any howto describing Firefox (or IE, if possible) authenticating against an Apache web server using GSSAPI/Kerberos? Both client and server are in the same IPA domain. Ideally I would like to know the FF and Apache setup + compatibility info (i.e. does IE + IIS use the same thing or not).

Not aware of an includes-all guide, but I would start here:

- adding the HTTP service principal:
  https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html#adding-service-entry-cmd
  http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/managing-services.html#adding-service-entry
- when you host multiple kerberized sites on the server (access requires a Red Hat subscription):
  https://access.redhat.com/site/solutions/206623
- apache side config:
  http://modauthkerb.sourceforge.net/configure.html
- firefox client side config:
  http://www.grolmsnet.de/kerbtut/firefox.html

Christian
Re: [Freeipa-users] IE or Firefox Apache Kerberos authentication
Thanks,

I hoped that with gssproxy I could use a single central /etc/krb5.keytab (with all necessary principals) for nfs, apache, dhcpd,... and not worry about file permissions. The beauty would be the saved work of copying principals to separate files.

Is it true?

Ondrej

Sent from Samsung Mobile

-------- Original message --------
From: Simo Sorce s...@redhat.com
Date:
To: Ondrej Valousek ovalou...@vendavo.com
Cc: ch...@fluxcoil.net, freeipa-users@redhat.com
Subject: Re: [Freeipa-users] IE or Firefox Apache Kerberos authentication

On Mon, 2013-09-16 at 17:04 +, Ondrej Valousek wrote:
Thanks,
Is the article about http principals for apache still relevant? I would guess that with gss-proxy (F19) it is much simpler.

You still need a principal and a keytab, yes.
Here are instructions if you want to use it with GSS-Proxy:
https://fedorahosted.org/gss-proxy/wiki/Apache

HTH,
Simo.

Ondrej

Sent from Samsung Mobile

-------- Original message --------
From: Christian Horn ch...@fluxcoil.net
Date:
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] IE or Firefox Apache Kerberos authentication

Hi,

On Mon, Sep 16, 2013 at 04:04:49PM +, Ondrej Valousek wrote:
Is there any howto describing Firefox (or IE, if possible) authenticating against an Apache web server using GSSAPI/Kerberos? Both client and server are in the same IPA domain. Ideally I would like to know the FF and Apache setup + compatibility info (i.e. does IE + IIS use the same thing or not).

Not aware of an includes-all guide, but I would start here:

- adding the HTTP service principal:
  https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html#adding-service-entry-cmd
  http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/managing-services.html#adding-service-entry
- when you host multiple kerberized sites on the server (access requires a Red Hat subscription):
  https://access.redhat.com/site/solutions/206623
- apache side config:
  http://modauthkerb.sourceforge.net/configure.html
- firefox client side config:
  http://www.grolmsnet.de/kerbtut/firefox.html

Christian

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] kerberized nfsv4 client
Because with NFS (v3 or v4) it is a bit more complicated. With smbclient, you are actually not mounting the filesystem, so smbclient is happy with just your TGT.

With NFS, you typically need two tickets:

1. one host (or nfs) ticket so that root can mount the filesystem using Kerberos security
2. a second, user TGT so that you can actually read the (already) mounted filesystem

But you can run gssd with the -n argument, which tells it not to look for SPNs (actually this is not an SPN, we are talking about a UPN in this case), but to take a TGT from an already pre-created kerberos database in /tmp.

So yes, with a bit of effort you can use kerberized NFS even from a client not joined to the IPA domain.

Ondrej

-----Original Message-----
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of natxo asenjo
Sent: Wednesday, August 28, 2013 11:44 AM
To: freeipa-users@redhat.com
Subject: [Freeipa-users] kerberized nfsv4 client

hi,

probably a stupid question, but why do we need to have a host spn in the kerberos domain for the nfsv4 client to work?

I do not need a host spn principal to access a cifs share in a Windows AD environment; I can just kinit user@AD.domain from my laptop that is not joined to the AD domain, and once I have got the ticket I can use smbclient -k, or with the nautilus file manager I can browse to the shares and get the cifs tickets for accessing the shares.

With kerberized nfsv4 the host needs to be joined to the ipa domain or it will not work, and that is a shame, but there surely is a perfectly valid reason for this that I have not found yet.

Thanks for your insights on this matter.

--
groet,
natxo
Re: [Freeipa-users] Problem with Kerberised NFS mount
Just back to the Kerberized NFS. Any solution to RH bugzilla #786463 on the horizon yet? Expiring tickets will render the whole concept unusable otherwise.

Anyone?

O.

Sent from Samsung Mobile

-------- Original message --------
From: Ondrej Valousek ovalou...@vendavo.com
Date:
To: and...@wasielewski.co.uk, freeipa-users@redhat.com
Subject: RE: [Freeipa-users] Problem with Kerberised NFS mount

Hard to say. In general, when dealing with NFS Kerberos, I would advise to:

● Upgrade to the latest Fedora
● Make sure idmapper is configured and working fine
● Limit krb enctypes to 3des-cbc-crc (not sure if your kernel can handle aes keys).

Ondrej

Sent from Samsung Mobile

-------- Original message --------
From: Andrew Wasielewski and...@wasielewski.co.uk
Date:
To: freeipa-users@redhat.com
Subject: [Freeipa-users] Problem with Kerberised NFS mount

Hello everyone,

I am setting up FreeIPA for a small home network. However I have a problem mounting NFS shares with Kerberos enabled - see syslog output below.

My NFS, KDC and FreeIPA servers are all on the same host. I am running the NFS mount directly on the server, which has the local firewall disabled - I get the same outcome on a remote client, but this surely eliminates any network issues.

These are my NFS exports, which are visible both locally and remotely with showmount -e:

[root@server ~]# exportfs -av
exporting gss/krb5:/home
exporting gss/krb5i:/home
exporting gss/krb5p:/home

The command

mount -t nfs4 -o sec=krb5 server.wasielewski.co.uk:/home /mnt/test_mnt

hangs indefinitely. However, without the Kerberos export options the NFS share can be mounted both locally and remotely without problem.

I read in a post that the "serializing key with enctype 18 and size 32" entry in syslog means I am trying to use an unsupported key with AES256 encryption (I can find very little about enctype numbers though); however I appear to have an AES256 service principal:

[root@server etc]# ktutil
ktutil: rkt /etc/krb5.keytab
ktutil: list -e
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    2 host/server.wasielewski.co...@wasielewski.co.uk (aes256-cts-hmac-sha1-96)
   2    2 host/server.wasielewski.co...@wasielewski.co.uk (aes128-cts-hmac-sha1-96)
   3    2 host/server.wasielewski.co...@wasielewski.co.uk (des3-cbc-sha1)
   4    2 host/server.wasielewski.co...@wasielewski.co.uk (arcfour-hmac)
   5    5 nfs/server.wasielewski.co...@wasielewski.co.uk (aes256-cts-hmac-sha1-96)

My versions are:

Fedora 17 (kernel 3.8.13-100.fc17.x86_64)
FreeIPA 2.2.2
krb5 1.10.2
nfs-utils 1.2.6

I have read of this issue being fixed by downgrading nfs-utils to 1.2.5; however that is not possible due to a conflict with systemd.

Everything else appears to work OK, e.g. domain login, automap etc.

When I try to mount the Kerberised NFS share, *nothing* appears in /var/log/krb5kdc.log

Here is my syslog output when I attempt the mount:

Jul 12 01:13:10 server rpc.gssd[31628]: dir_notify_handler: sig 37 si 0x7fffe59b94f0 data 0x7fffe59b93c0
Jul 12 01:13:10 server rpc.gssd[31628]: handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt48)
Jul 12 01:13:10 server rpc.gssd[31628]: handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '
Jul 12 01:13:10 server rpc.gssd[31628]: handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt48)
Jul 12 01:13:10 server rpc.gssd[31628]: process_krb5_upcall: service is 'null'
Jul 12 01:13:10 server rpc.gssd[31628]: Full hostname for 'server.wasielewski.co.uk' is 'server.wasielewski.co.uk'
Jul 12 01:13:10 server rpc.gssd[31628]: Full hostname for 'server.wasielewski.co.uk' is 'server.wasielewski.co.uk'
Jul 12 01:13:10 server rpc.gssd[31628]: No key table entry found for SERVER.WASIELEWSKI.CO.UK$@WASIELEWSKI.CO.UK while getting keytab entry for 'SERVER.WASIELEWSKI.CO.UK$@WASIELEWSKI.CO.UK'
Jul 12 01:13:10 server rpc.gssd[31628]: No key table entry found for root/server.wasielewski.co...@wasielewski.co.uk while getting keytab entry for 'root/server.wasielewski.co...@wasielewski.co.uk'
Jul 12 01:13:10 server rpc.gssd[31628]: Success getting keytab entry for 'nfs/server.wasielewski.co...@wasielewski.co.uk'
Jul 12 01:13:10 server rpc.gssd[31628]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_WASIELEWSKI.CO.UK' are good until 1373659035
Jul 12 01:13:10 server rpc.gssd[31628]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_WASIELEWSKI.CO.UK' are good until 1373659035
Jul 12 01:13:10 server rpc.gssd[31628]: using FILE:/tmp/krb5cc_machine_WASIELEWSKI.CO.UK as credentials cache for machine creds
Jul 12 01:13:10 server rpc.gssd[31628]: using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_WASIELEWSKI.CO.UK
Jul 12 01:13:10 server rpc.gssd[31628]: creating context using fsuid 0 (save_uid 0)
Jul 12 01:13:10 server rpc.gssd[31628]: creating tcp client for server server.wasielewski.co.uk
Jul 12 01:13:10 server rpc.gssd[31628]: DEBUG: port
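As an added example (not code from this thread), a small Python check that does the comparison the poster was doing by hand: it reads the enctype list that rpc.gssd logs in its handle_gssd_upcall line (what the kernel's rpcsec_gss module offered) and the rows of "ktutil: list -e", and reports which of a service principal's keys the kernel could actually use; the restrict_to argument models Ondrej's suggestion of limiting enctypes in krb5.conf. The syslog line and keytab listing are constructed samples in the shape of the ones above, with a placeholder realm.

```python
import re

# Kerberos enctype numbers (RFC 3961, RFC 3962, RFC 4757) keyed by the
# names ktutil prints; the kernel upcall lists the numbers, not the names.
ENCTYPE_IDS = {
    "des-cbc-crc": 1,
    "des-cbc-md4": 2,
    "des-cbc-md5": 3,
    "des3-cbc-sha1": 16,
    "aes128-cts-hmac-sha1-96": 17,
    "aes256-cts-hmac-sha1-96": 18,
    "arcfour-hmac": 23,
}

# rpc.gssd logs the enctypes the kernel offered for this upcall.
UPCALL_RE = re.compile(r"handle_gssd_upcall: 'mech=(\w+) uid=(\d+) enctypes=([\d,]+)")
# One row of "ktutil: list -e": slot, kvno, principal, (enctype).
KTUTIL_ROW_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+\((\S+)\)\s*$")


def parse_upcall_enctypes(syslog_lines):
    """Enctype numbers from the first handle_gssd_upcall line, or [] if none."""
    for line in syslog_lines:
        m = UPCALL_RE.search(line)
        if m:
            return [int(n) for n in m.group(3).split(",")]
    return []


def parse_ktutil_list(lines):
    """Rows of 'ktutil: list -e' as (slot, kvno, principal, enctype_name)."""
    rows = []
    for line in lines:
        m = KTUTIL_ROW_RE.match(line)
        if m:
            rows.append((int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)))
    return rows


def usable_enctypes(rows, principal_prefix, kernel_enctypes):
    """Keytab enctypes of a principal that the kernel also offered, in keytab order."""
    offered = set(kernel_enctypes)
    return [enc for _, _, princ, enc in rows
            if princ.startswith(principal_prefix) and ENCTYPE_IDS.get(enc) in offered]


def can_negotiate(rows, principal_prefix, kernel_enctypes, allowed=None):
    """True if at least one key survives both the kernel's list and an optional
    admin restriction (the enctype names you would allow in krb5.conf)."""
    usable = usable_enctypes(rows, principal_prefix, kernel_enctypes)
    if allowed is not None:
        usable = [enc for enc in usable if enc in allowed]
    return bool(usable)


# Constructed sample input modelled on the thread; placeholder realm, not the poster's.
SYSLOG_SAMPLE = [
    "Jul 12 01:13:10 server rpc.gssd[31628]: handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '",
    "Jul 12 01:13:10 server rpc.gssd[31628]: process_krb5_upcall: service is 'null'",
]
KTUTIL_SAMPLE = """\
slot KVNO Principal
---- ---- -------------------------------------------------------------
   1    2 host/server.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   2    2 host/server.example.test@EXAMPLE.TEST (aes128-cts-hmac-sha1-96)
   3    2 host/server.example.test@EXAMPLE.TEST (des3-cbc-sha1)
   4    2 host/server.example.test@EXAMPLE.TEST (arcfour-hmac)
   5    5 nfs/server.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
""".splitlines()


def report(syslog_lines=SYSLOG_SAMPLE, ktutil_lines=KTUTIL_SAMPLE, restrict_to=None):
    """Per-service summary; restrict_to simulates limiting enctypes in krb5.conf."""
    kernel = parse_upcall_enctypes(syslog_lines)
    rows = parse_ktutil_list(ktutil_lines)
    out = {}
    for prefix in ("host/", "nfs/"):
        out[prefix] = {
            "usable": usable_enctypes(rows, prefix, kernel),
            "ok": can_negotiate(rows, prefix, kernel, restrict_to),
        }
    return out


if __name__ == "__main__":
    # With the sample keytab, nfs/ has only an aes256 key, so restricting
    # to des3 would leave it with nothing to negotiate.
    for prefix, info in report(restrict_to={"des3-cbc-sha1"}).items():
        print(prefix, "usable:", info["usable"], "ok with des3 only:", info["ok"])
```

Run against the real `ktutil` and syslog output by reading them into the two lists; a principal whose "usable" list is empty, or that becomes empty under the restriction, is the one to re-key with ipa-getkeytab.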
Re: [Freeipa-users] Automount problems
Or better, let sssd serve the maps for the automounter; you save yourself the hassle of configuring the automount ldap backend :-)

Ondrej

On 12/22/2012 11:16 AM, Sigbjorn Lie wrote:
On 12/22/2012 10:24 AM, Johan Petersson wrote:
I can't get automount to work for some reason on a CentOS 6.3 testserver with the NFS and IPA server on the same server. Was going to set this up for some other configuration testing but am stuck on this instead. :)

Feels like I am missing something basic but can't figure it out. Followed the guide and tried a variety of automount maps but nothing works.

Had automount working before installing IPA Client with:

auto.master:
/home /etc/auto.home

auto.home
* servername:/home/

I can mount /home from the client:

mount -t nfs4 -o sec=krb5 servername:/home /mnt

/etc/sysconfig/autofs:

LDAP_URI=ldap://servername;
SEARCH_BASE=cn=default,cn=automount,dc=home
MAP_OBJECT_CLASS=automountMap
ENTRY_OBJECT_CLASS=automount
MAP_ATTRIBUTE=automountMapName
ENTRY_ATTRIBUTE=automountKey
VALUE_ATTRIBUTE=automountInformation

Getting this from debug lvl logging on autofs:

Dec 22 09:13:00 client2 automount[4528]: connected to uri ldap://servername
Dec 22 09:13:00 client2 automount[4528]: read_one_map: lookup(ldap): searching for (objectclass=automount) under automountmapname=auto.direct,cn=default,cn=automount,dc=home
Dec 22 09:13:00 client2 automount[4528]: do_get_entries: lookup(ldap): query succeeded, no matches for (objectclass=automount)
Dec 22 09:13:00 client2 automount[4528]: read_one_map: lookup(ldap): done updating map
Dec 22 09:13:00 client2 automount[4528]: st_ready: st_ready(): state = 0 path /-

So what am I missing here?

Hi,

In your /etc/auto.master, do you still have the following line as the last line in the file? If not, add it back in.

+auto.master

Do you still have a specific map for auto.home in your /etc/auto.master? If so, add +auto.home to the end of your /etc/auto.home file. (Provided you named the automount map auto.home in IPA too...)

In your /etc/nsswitch.conf file, make sure your automount line looks like this:

automount: files ldap

Let me know how you get on.

Regards,
Siggi
Re: [Freeipa-users] NFS v4 integration how to
Three notes:

1. /export *(rw,sec=krb5,no_subtree_check,no_root_squash) is better than /export gss/krb5(rw,no_subtree_check,no_root_squash)
2. The Kerberos library is still too picky about reverse DNS records - i.e. if the reverse DNS does not match the principal name in the keytab, you are most likely to fail.
3. We should still mention the rpc.idmapd settings, I think - people are still used to nfsv3, so this might be confusing to them.

Ondrej

On 12/07/2012 01:13 PM, Christian Horn wrote:
On Fri, Dec 07, 2012 at 01:02:01PM +0100, Petr Spacek wrote:
I accidentally found the following how-to: http://wiki.linux-nfs.org/wiki/index.php/NFS_and_FreeIPA
Did somebody try it? Did it work?

Looks good, although I like the 'nfsroot' style of nfsv4.
My notes are at http://fluxcoil.net/doku.php/software/nfs/01_setup_with_ipa .

Christian
Re: [Freeipa-users] Different primary group on different machines.
Well, you do not need ACLs for that, just 'chmod g+s directory' will do.

But in general, I agree, this is an insane requirement as nobody would ever think of it in Windows. Not happy with traditional Unix permissions? Go for ACLs. The only pity is that the current Posix-draft hack widely used on all Linuxes is a mess and Rich-acl support is still nowhere in sight :-(

Ondrej

On 10/26/2012 09:07 AM, Natxo Asenjo wrote:
On Thu, Oct 25, 2012 at 9:11 PM, KodaKsako...@gmail.com wrote:
We have many different development groups, but people can be members of multiple groups. For collaboration, they'd like it when creating a file to have that file have a group ownership of foo on machine-A, but bar on machine-B.

I'd like to help the end users do this themselves so that I don't have to maintain separate files on each machine (one of the reasons I put in IPA in the first place. :) )

I think what you need are filesystem acls. With acls you can specify that new files in a dir structure will have predefined default groups so all members of that particular group will be able to modify the files.
Re: [Freeipa-users] Different primary group on different machines.
Sorry sir, but technically it is the sgid bit that is a gross hack. The Posix draft for ACLs never got final approval, but it is pretty standardized across most OSs, and works fine for any Linux OS that isn't on ancient kernels. It is also enabled by default on all file systems that matter normally.

I agree with you that the sgid bit is a big hack here and that default ACL rules are much more flexible in general.

Rich-ACL, while cool and necessary for NFS ACL and better Windows ACL compatibility, will also be much more complex than Posix ACLs, and does not add anything special for the default ACL use case.

Frankly speaking, I do not care too much if it is cool or not. What I do care about is real cross-platform compatibility necessary for commercial production usage. Posix-draft ACLs never got any final approval and are compatible across most Linuxes (Windows uses something completely different, and SunOS with its zfs filesystem, too). Moreover, there is NFSv4 which also comes with something different as you know, and appliances like Netapp NAS do _only_ support NFSv4 ACL semantics.

So whereas Posix ACLs might be a perfect solution for most users/admins, the future is somewhere else.

I do not want to start any flame here, I just want a simple thing: I want to use ACLs which are robust enough to be really cross-platform compatible and widely supported, so I know they will be supported even in 5-10 years.

Ondrej
Re: [Freeipa-users] NFS on Mac
what about this one?
http://code.google.com/p/macnfsv4/wiki/HOWTO

looks like rpc.idmapd on linux == nfsuserd on Mac

O.

On 09/19/2012 10:18 AM, Sigbjorn Lie wrote:
As usual, if someone is interested in sending me a Mac I'll be happy to do the testing and submit the results. *grin* :)

Regards,
Siggi

On Wed, September 19, 2012 10:08, Petr Spacek wrote:
On 09/17/2012 10:32 PM, Steven Jones wrote:
If anyone has MAC instructions I'd love a copy pls.

As usual, we can create an account on the freeipa.org wiki if anybody is interested in creating a how-to. That is the best place to share. Let us know!

Petr^2 Spacek

--
*From:* freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Dmitri Pal [d...@redhat.com]
*Sent:* Tuesday, 18 September 2012 6:47 a.m.
*To:* george he
*Cc:* freeipa-users@redhat.com
*Subject:* Re: [Freeipa-users] NFS on Mac

On 09/17/2012 02:21 PM, george he wrote:
sounds to me the link may work for nfs version 3 only. Now with IPA and NFS4, there has got to be something more.
George

I do not know the exact steps on mac because there is no ipa-client on Mac, so you would have to configure the machine to be an IPA client manually. This would mean that you need to authenticate with kerberos and then make the nfs part use the credential cache of the logged in user (if you are planning to use it for users mounting shares). This is what needs to happen conceptually. I know that people have done it in the past but I do not think there are instructions.

Once you have managed to do it please see the presentation on how to set up secure NFS on Linux
http://rhsummit.files.wordpress.com/2012/03/dickson_the_evolution_nfs_protocol.pdf

Maybe it will give you some hints and pointers.

The only known problem with this slide deck is that on slide 18, after kinit admin and before ipa-getkeytab, you need to add a service for the NFS server

ipa service-add nfs/`hostname`@EXAMPLE

HTH

--
*From:* Dmitri Pald...@redhat.com
*To:* freeipa-users@redhat.com
*Sent:* Monday, September 17, 2012 11:20 AM
*Subject:* Re: [Freeipa-users] NFS on Mac

On 09/17/2012 11:07 AM, george he wrote:
Hello all,
I have an IPA server and NFS server set up on a computer running centos 6.3. Is there a way to set up a mac laptop to access the data on the NFS server? The laptop does not have a static IP. DNS is not configured with IPA. If yes, how do I config the mac?

Is this what you are looking for?
http://www.cyberciti.biz/faq/apple-mac-osx-nfs-mount-command-tutorial/

Thanks,
George
Re: [Freeipa-users] Stale NFS file handle
You can get an authentication failure if the user's home is on an NFS share which is failing to re-mount.

The stale NFS handle usually means the NFS server changed the fsid of the exported volume after its reboot. This usually happens if you are exporting an LVM partition via NFS. The workaround is to specify the fsid of the exported volume manually in /etc/exports

HTH,
Ondrej

On 09/12/2012 08:26 PM, george he wrote:
Hello,
My ipa server and my nfs server are the same machine running centos 6.3. The server was accidentally down and rebooted. But then I got an authentication failure on some clients when I tried to log on through gdm, and a blue screen (no desktop, no panels) on some others. On some clients that I was on before the server was down, I got Stale NFS file handle. Yet on some other clients, everything is fine.

All clients are running centos 6.3, too.

Is there a way (e.g. restarting some services) to get the above problems away instead of rebooting the clients?

Thanks,
George
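An added example, not code from the thread: a Python audit of /etc/exports that flags the two points raised in the NFS v4 how-to notes earlier on this page (legacy gss/krb5 client syntax versus sec=krb5, and exports that still admit AUTH_SYS) together with the one raised in this Stale-NFS-handle answer (no explicit fsid=). The sample exports file and the finding tags are constructed for the example.

```python
import re

# exports(5) layout: a path, then whitespace-separated client(options) entries.
EXPORT_LINE_RE = re.compile(r"^(?P<path>\S+)\s+(?P<clients>.+)$")
CLIENT_RE = re.compile(r"(?P<client>[^\s(]+)(?:\((?P<opts>[^)]*)\))?")


def parse_exports(text):
    """One dict per (path, client) pair: {'path', 'client', 'opts'}."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        m = EXPORT_LINE_RE.match(line) if line else None
        if not m:
            continue
        for cm in CLIENT_RE.finditer(m.group("clients")):
            opts = {}
            for opt in filter(None, (cm.group("opts") or "").split(",")):
                key, _, value = opt.partition("=")    # "sec=krb5" -> sec: krb5, "rw" -> rw: True
                opts[key] = value if value else True
            entries.append({"path": m.group("path"), "client": cm.group("client"), "opts": opts})
    return entries


def security_flavors(entry):
    """Flavors the client may use: legacy gss/<flavor> client, a sec= list, or the sys default."""
    client = entry["client"]
    if client.startswith("gss/"):
        return [client[len("gss/"):]]
    sec = entry["opts"].get("sec")
    return sec.split(":") if isinstance(sec, str) else ["sys"]


def audit_export(entry):
    """Findings as short tags, in a fixed order, so they are easy to act on."""
    findings = []
    if entry["client"].startswith("gss/"):
        findings.append("legacy-gss-client")   # prefer sec=krb5 in the option list (thread note 1)
    if any(f in ("sys", "none") for f in security_flavors(entry)):
        findings.append("auth-sys-allowed")    # client-asserted uids accepted, no Kerberos needed
    if "fsid" not in entry["opts"]:
        findings.append("no-fsid")             # handle may go stale if the device id changes after reboot
    return findings


def audit_exports(text):
    return [(e["path"], e["client"], audit_export(e)) for e in parse_exports(text)]


# Constructed sample /etc/exports, not taken from any host on the list.
EXPORTS_SAMPLE = """\
# the form recommended in the thread, but without an explicit fsid
/export   *(rw,sec=krb5,no_subtree_check,no_root_squash)
# legacy gss/krb5 client form
/home     gss/krb5(rw,no_subtree_check,no_root_squash)
# no sec= at all: defaults to AUTH_SYS
/srv/data 192.0.2.0/24(rw,no_subtree_check,fsid=10)
# mixes sys and krb5, so Kerberos is optional for this client
/srv/pub  *(ro,sec=sys:krb5,fsid=11)
"""

if __name__ == "__main__":
    for path, client, findings in audit_exports(EXPORTS_SAMPLE):
        print(f"{path:10} {client:14} {', '.join(findings) or 'ok'}")
```

Feed it the real file with `audit_exports(open("/etc/exports").read())`; "auth-sys-allowed" is the tag that matters most, since a sec= list containing sys lets a client skip Kerberos entirely.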
Re: [Freeipa-users] IPA Automount cross-location support
Sorry, the parameter mentioned below has already been implemented :-)

On 09/13/2012 04:12 PM, Ondrej Valousek wrote:
I guess the easiest implementation would be using a pre-defined variable in automount map names. The variable would then be defined by an automount process using the -D parameter.

The other option (maybe easier) would be to ask the sssd developers to add another option to sssd - say: ldap_autofs_search_base so you could specify a different search base for every site.

Ondrej

On 09/13/2012 03:55 PM, Sigbjorn Lie wrote:
Hi,

I opened a request a while ago for Automount cross-location support.
https://bugzilla.redhat.com/show_bug.cgi?id=768177
https://fedorahosted.org/freeipa/ticket/1699#

I see from the comments that it's uncertain how this can be implemented.

Could the Virtual Views in 389-ds be used to implement the cross-location maps? I'm picturing the ability to add a virtual automount map to an automount location, where you select an existing map from one of the other automount locations to display. All changes to the map will be done in the original map in its original automount location, but it will be displayed in both automount locations.

Any thoughts on that solution?

Regards,
Siggi
Re: [Freeipa-users] netapp filer AD + ipa: possible?
That is actually the main benefit of the 'ldap.ADdomain' parameter. It will allow you to simplify configuration and allows easy load balancing/failover functionality.

We are paying for NetApp support, too, so if anyone is going to bug NetApp about this, I am happy to join you.

Ondrej

On 09/07/2012 10:07 AM, Sigbjorn Lie wrote:
Yes, it would be great if NetApp would do that. The ldap.ADdomain option is used to configure the NetApp LDAP client from AD SRV DNS records. It would be great (and should be easy for NetApp) to have an option for ldap.IPAdomain.

I don't remember exactly why I did not use this for IPA; as far as I remember most things worked, but I stumbled across some issue.
Re: [Freeipa-users] Problem with webui: kerberos ticket no longer valid
try running 'kinit -R'?

On 08/24/2012 11:56 AM, David Sastre wrote:
Hello,

I'm having an issue with the web ui, it is returning a "Kerberos ticket is no longer valid" message regardless of my having a valid ticket:

$ ssh sysadm@panoramix 'klist'
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: ad...@domain.com
Valid starting     Expires            Service principal
08/24/12 10:42:57  08/25/12 10:42:53  krbtgt/domain@domain.com
08/24/12 10:43:19  08/25/12 10:42:53  HTTP/panoramix.domain@domain.com

Following the advice in:
https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/Troubleshooting-UI.html
I have obtained this log:

$ ssh -X sysadm@panoramix 'export NSPR_LOG_MODULES=negotiateauth:5; export NSPR_LOG_FILE=/tmp/moz.log; firefox'

973989664[7f8b38e5b040]: using REQ_DELEGATE
973989664[7f8b38e5b040]: service = panoramix.domain.com
973989664[7f8b38e5b040]: using negotiate-gss
973989664[7f8b38e5b040]: entering nsAuthGSSAPI::nsAuthGSSAPI()
973989664[7f8b38e5b040]: entering nsAuthGSSAPI::Init()
973989664[7f8b38e5b040]: nsHttpNegotiateAuth::GenerateCredentials() [challenge=Negotiate]
973989664[7f8b38e5b040]: entering nsAuthGSSAPI::GetNextToken()
973989664[7f8b38e5b040]: leaving nsAuthGSSAPI::GetNextToken [rv=0]
973989664[7f8b38e5b040]: Sending a token of length 1375
973989664[7f8b38e5b040]: nsHttpNegotiateAuth::GenerateCredentials() [challenge=Negotiate oRQwEqADCgEAoQsGCSqGSIb3EgECAg==]
973989664[7f8b38e5b040]: entering nsAuthGSSAPI::GetNextToken()
973989664[7f8b38e5b040]: leaving nsAuthGSSAPI::GetNextToken [rv=4b0028]
973989664[7f8b38e5b040]: No output token to send, exiting
973989664[7f8b38e5b040]: using REQ_DELEGATE
973989664[7f8b38e5b040]: service = panoramix.domain.com
973989664[7f8b38e5b040]: using negotiate-gss
973989664[7f8b38e5b040]: entering nsAuthGSSAPI::nsAuthGSSAPI()
973989664[7f8b38e5b040]: entering nsAuthGSSAPI::Init()
973989664[7f8b38e5b040]: nsHttpNegotiateAuth::GenerateCredentials() [challenge=Negotiate]
973989664[7f8b38e5b040]: entering nsAuthGSSAPI::GetNextToken()
973989664[7f8b38e5b040]: leaving nsAuthGSSAPI::GetNextToken [rv=0]
973989664[7f8b38e5b040]: Sending a token of length 1375
973989664[7f8b38e5b040]: using REQ_DELEGATE
973989664[7f8b38e5b040]: service = panoramix.domain.com
973989664[7f8b38e5b040]: using negotiate-gss
973989664[7f8b38e5b040]: entering nsAuthGSSAPI::nsAuthGSSAPI()
973989664[7f8b38e5b040]: entering nsAuthGSSAPI::Init()
973989664[7f8b38e5b040]: nsHttpNegotiateAuth::GenerateCredentials() [challenge=Negotiate]
973989664[7f8b38e5b040]: entering nsAuthGSSAPI::GetNextToken()
973989664[7f8b38e5b040]: leaving nsAuthGSSAPI::GetNextToken [rv=0]
973989664[7f8b38e5b040]: Sending a token of length 1375
973989664[7f8b38e5b040]: nsHttpNegotiateAuth::GenerateCredentials() [challenge=Negotiate oRQwEqADCgEAoQsGCSqGSIb3EgECAg==]
973989664[7f8b38e5b040]: entering nsAuthGSSAPI::GetNextToken()
973989664[7f8b38e5b040]: leaving nsAuthGSSAPI::GetNextToken [rv=4b0028]
973989664[7f8b38e5b040]: No output token to send, exiting

Relevant portions of apache's access and error logs with LogLevel Debug are:

172.22.249.66 - - [24/Aug/2012:11:43:52 +0200] POST /ipa/session/json HTTP/1.1 401 1856 https://panoramix.domain.com/ipa/ui/; Mozilla/5.0 (X11; Linux x86_64; rv:10.0.6) Gecko/20120717 Firefox/10.0.6
172.22.249.66 - ad...@domain.com [24/Aug/2012:11:43:52 +0200] POST /ipa/session/json HTTP/1.1 401 - https://panoramix.domain.com/ipa/ui/; Mozilla/5.0 (X11; Linux x86_64; rv:10.0.6) Gecko/20120717 Firefox/10.0.6
172.22.249.66 - - [24/Aug/2012:11:43:52 +0200] GET /ipa/session/login_kerberos HTTP/1.1 401 1856 https://panoramix.domain.com/ipa/ui/; Mozilla/5.0 (X11; Linux x86_64; rv:10.0.6) Gecko/20120717 Firefox/10.0.6
172.22.249.66 - ad...@domain.com [24/Aug/2012:11:43:52 +0200] GET /ipa/session/login_kerberos HTTP/1.1 200 - https://panoramix.domain.com/ipa/ui/; Mozilla/5.0 (X11; Linux x86_64; rv:10.0.6) Gecko/20120717 Firefox/10.0.6
172.22.249.66 - - [24/Aug/2012:11:43:52 +0200] POST /ipa/session/json HTTP/1.1 401 1856 https://panoramix.domain.com/ipa/ui/; Mozilla/5.0 (X11; Linux x86_64; rv:10.0.6) Gecko/20120717 Firefox/10.0.6
172.22.249.66 - ad...@domain.com [24/Aug/2012:11:43:52 +0200] POST /ipa/session/json HTTP/1.1 401 - https://panoramix.domain.com/ipa/ui/; Mozilla/5.0 (X11; Linux x86_64; rv:10.0.6) Gecko/20120717 Firefox/10.0.6

[Fri Aug 24 11:43:52 2012] [error] [client 172.22.249.66] File does not exist: /var/www/htdocs/panoramix.domain.com/ca
[Fri Aug 24 11:43:52 2012] [info] Initial (No.1) HTTPS request received for child 194 (server panoramix.domain.com:443)
[Fri Aug 24 11:43:52 2012] [debug] src/mod_auth_kerb.c(1939): [client 172.22.249.66] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: https://panoramix.domain.com/ipa/ui/
[Fri Aug 24 11:43:52 2012] [info] Connection to child 194 closed (server panoramix.domain.com:443, client 172.22.249.66)
[Fri Aug 24 11:43:52 2012] [info] Connection to
Re: [Freeipa-users] Specifying load balancing to SSSD clients
+1. Use DNS. I agree with Simo.

On 08/21/2012 10:04 AM, Simo Sorce wrote:
You are not alone, but we strongly suggest using a separate DNS domain for the FreeIPA server and, if possible, for its clients. Either a same-level domain or, at least, a delegated zone.

For example:
corp.domain.com - AD
unix.domain.com - FreeIPA
with forwards between them.

Or:
domain.com - AD
domain.net - FreeIPA
again with forwards.

Or:
domain.com - AD
unix.domain.com - FreeIPA
with AD delegating out the unix. subdomain to FreeIPA.

In general we strongly suggest not using the same DNS domain for the AD and FreeIPA domains, as using the same domain name makes it impossible to have Kerberos-level interop between the 2 domains (you cannot establish trust relationships if they use the same DNS domain and/or the same realm name, for example).

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Failed to initialize credentials using keytab
Does kinit -k host/sysvm-ipa.example@example.com work for you?

On 07/10/2012 10:53 AM, free...@noboost.org wrote:
Hi All,

Server: RHEL 6.3
ipa-admintools-2.2.0-16.el6.x86_64
ipa-client-2.2.0-16.el6.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
ipa-pki-common-theme-9.0.3-7.el6.noarch
ipa-python-2.2.0-16.el6.x86_64
ipa-server-2.2.0-16.el6.x86_64
ipa-server-selinux-2.2.0-16.el6.x86_64
libipa_hbac-1.8.0-32.el6.x86_64
libipa_hbac-python-1.8.0-32.el6.x86_64
python-iniparse-0.3.1-2.1.el6.noarch

Odd error in /var/log/messages:
Jul 10 18:15:30 sysvm-ipa [sssd[ldap_child[2070]]]: Failed to initialize credentials using keytab [(null)]: Decrypt integrity check failed. Unable to create GSSAPI-encrypted LDAP connection.
Jul 10 18:15:30 sysvm-ipa [sssd[ldap_child[2070]]]: Decrypt integrity check failed
Jul 10 18:15:42 sysvm-ipa rhnsd[2194]: Red Hat Network Services Daemon starting up, check in interval 240 minutes.
Jul 10 18:15:43 sysvm-ipa certmonger: Error setting up ccache for local host service using default keytab.

I checked the server's keytab and, as far as I can tell, it seems fine?
[root@sysvm-ipa etc]# klist -k /etc/krb5.keytab
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- ----
   2 host/sysvm-ipa.example@example.com
   2 host/sysvm-ipa.example@example.com
   2 host/sysvm-ipa.example@example.com
   2 host/sysvm-ipa.example@example.com
   2 host/sysvm-ipa.example@example.com
   2 host/sysvm-ipa.example@example.com

cya
Craig
Re: [Freeipa-users] ipa samba win7
Well, if you want to integrate Windows machines, you'd better stick with Samba (you can try Samba 4 if you prefer the IPA-like integration). IPA itself looks and feels like AD but it is not compatible with AD - it is intended mainly for Linux machines.

Ondrej

On 07/10/2012 03:25 PM, george he wrote:
Hi Ondrej,
The win7 is standing alone. I don't have an AD for it. I used to have a samba domain controller that took care of user authentication for both linux and winxp machines.
Thanks,
George

From: Ondrej Valousek ondr...@s3group.cz
To: freeipa-users@redhat.com
Sent: Tuesday, July 10, 2012 9:12 AM
Subject: Re: [Freeipa-users] ipa samba win7

Do you have an AD for the win7 machine or is it just a standalone machine?
Ondrej

On 07/10/2012 03:01 PM, george he wrote:
Hello all,
I have an ipa client that is also a file server. How do I set up a samba server on the file server so that the files can be accessed by a win7 machine, which is not a member of the ipa realm? Should I set the file server as a domain controller? How do I deal with the passdb backend option? I guess I can set it to ldapsam, but the user information is kept on the ipa server, not the file server. What else should I take care of before I start?
ps. my ipa version is 2.2, running on fc17.
Thanks,
George
Re: [Freeipa-users] nfs4 acl
On 07/01/2012 11:03 PM, Natxo Asenjo wrote:
On Sun, Jul 1, 2012 at 10:39 PM, ondr...@s3group.com wrote:
In fact, NetApp is (sad to say) the only NFSv4 server in the whole world that can provide you with true NFSv4 ACLs (remember to turn them on using options nfs.v4.acl = on). The nasty hack Rob mentioned will only provide you with POSIX ACLs mapped to NFSv4 ACLs - which will consequently cripple the whole set of ACLs the NFS server is providing. So if you want nice, fully fledged NFSv4 ACLs, go to a NetApp or Solaris-based NFSv4 server. Forget about Linux.

ok, thanks for confirming what I was already thinking. We do have NetApp (and very happy customers, I must say). When you say 'Solaris based' do you mean nexenta/openindiana? That still is a very nice choice to have; it would be great to have a linux based one, but still.
--
natxo

The real problem is that no Linux filesystem I am aware of can store NFSv4 ACLs natively - there are some patches for ext4 but I doubt they made their way into production. The future seems to be a richacl-friendly filesystem, but I do not know anything about it either. The only filesystem that can store NFSv4 ACLs is Sun's ZFS, so hence you should be able to build your own NFS server based on OpenSolaris or some clones. Actually, you might want to check this: http://www.bestbits.at/richacl/ to see if your kernel has this patch - if yes, there is quite a good chance you could do it on Linux, too.

Ondrej
Re: [Freeipa-users] [SSSD] New mailing list: sssd-users
+1

On 05/22/2012 11:47 PM, greg.lehm...@csiro.au wrote:
Hi All,
Thanks for the new list. I hope the user list will still get to see some of the design decisions. It would be nice to have input as a user on what is going to be added feature-wise to sssd.
Cheers,
Greg

-Original Message-
From: sssd-devel-boun...@lists.fedorahosted.org [mailto:sssd-devel-boun...@lists.fedorahosted.org] On Behalf Of Stephen Gallagher
Sent: Wednesday, 23 May 2012 3:41 AM
To: Development of the System Security Services Daemon; freeipa-us...@redhat.com; freeipa-inter...@redhat.com
Subject: [SSSD] New mailing list: sssd-users

For quite some time, we have used the sssd-devel mailing list for development and user configuration issue discussions. As the project has grown, it becomes more and more clear that we need to separate these topics into their own lists. So as of today, we now have a new mailing list for user questions. You can subscribe at https://fedorahosted.org/mailman/listinfo/sssd-users
This list will be considerably less noisy for our users as they will not be bombarded with patch review emails and other development-centric issues.

The information contained in this e-mail and in any attachments is confidential and is designated solely for the attention of the intended recipient(s). If you are not an intended recipient, you must not use, disclose, copy, distribute or retain this e-mail or any part thereof. If you have received this e-mail in error, please notify the sender by return e-mail and delete all copies of this e-mail from your computer system(s). Please direct any additional queries to: communicati...@s3group.com. Thank You. Silicon and Software Systems Limited. Registered in Ireland no. 378073. Registered Office: South County Business Park, Leopardstown, Dublin 18
Re: [Freeipa-users] automount questions
Right, currently this affects direct maps only. With SSSD integration, there's one extra glitch: if the automounter starts before SSSD does, the automounter only gets "Connection refused" from the sss module and does not retry reading the maps. That's nasty and should probably be fixed. I can imagine having to restart sssd for whatever reason - autofs should be able to handle this elegantly (i.e. retry the connection).
Re: [Freeipa-users] automount questions
Your LDAP_URI is incorrect. Please make sure you follow the documentation exactly. Perhaps you actually wanted to say:
LDAP_URI=ldap:///dc=ipa,dc=domain,dc=nx;

Alternatively, if you do not specify the LDAP_URI parameter at all, autofs will try an SRV lookup against your default dnsdomain.

Also, there is no need for debugging automount with -d now; you can also try:
automount -m
which causes automount to dump all tables.

Ondrej

On 03/11/2012 09:09 PM, Natxo Asenjo wrote:
hi,

First question: according to the docs in
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/configuring-automount.html#Configuring_Automount-Configuring_autofs_on_Linux
when configuring autofs you can choose to enter LDAP_URI in two ways, the lazy one (+1) or the specific one. The 'lazy' one requires an SRV record query; in the specific one, one enters the ldap server we want to query. In my limited experience, the SRV record query does not work, the other one does.

This is the relevant piece of /etc/sysconfig/autofs config that does not work:
LDAP_URI=ldap:///ipa.domain.nx;

If I query this domain for an SRV ldap record it works:
[root@ipaclient01 sysconfig]# dig -t srv _ldap._tcp.ipa.domain.nx +short
0 100 389 kdc.ipa.domain.nx.

But autofs cannot find it:
Mar 11 20:44:39 ipaclient01 automount[3236]: Starting automounter version 5.0.5-39.el6_2.1, master map auto.master
Mar 11 20:44:39 ipaclient01 automount[3236]: using kernel protocol version 5.02
Mar 11 20:44:39 ipaclient01 automount[3236]: lookup_nss_read_master: reading master files auto.master
Mar 11 20:44:39 ipaclient01 automount[3236]: parse_init: parse(sun): init gathered global options: (null)
Mar 11 20:44:39 ipaclient01 automount[3236]: lookup_read_master: lookup(file): read entry /misc
Mar 11 20:44:39 ipaclient01 automount[3236]: lookup_read_master: lookup(file): read entry /net
Mar 11 20:44:39 ipaclient01 automount[3236]: lookup_read_master: lookup(file): read entry +auto.master
Mar 11 20:44:39 ipaclient01 automount[3236]: lookup_nss_read_master: reading master files auto.master
Mar 11 20:44:39 ipaclient01 automount[3236]: parse_init: parse(sun): init gathered global options: (null)
Mar 11 20:44:39 ipaclient01 automount[3236]: lookup_nss_read_master: reading master ldap auto.master
Mar 11 20:44:39 ipaclient01 automount[3236]: parse_server_string: lookup(ldap): Attempting to parse LDAP information from string auto.master.
Mar 11 20:44:39 ipaclient01 automount[3236]: parse_server_string: lookup(ldap): mapname auto.master
Mar 11 20:44:39 ipaclient01 automount[3236]: parse_ldap_config: lookup(ldap): ldap authentication configured with the following options:
Mar 11 20:44:39 ipaclient01 automount[3236]: parse_ldap_config: lookup(ldap): use_tls: 0, tls_required: 0, auth_required: 2, sasl_mech: GSSAPI
Mar 11 20:44:39 ipaclient01 automount[3236]: parse_ldap_config: lookup(ldap): user: (null), secret: unspecified, client principal: host/ipaclient01.ipa.domain...@ipa.domain.nx credential cache: (null)
Mar 11 20:44:39 ipaclient01 automount[3236]: parse_init: parse(sun): init gathered global options: (null)
Mar 11 20:44:39 ipaclient01 automount[3236]: get_dc_list: Could not turn dn ipa.domain.nx into a domain
Mar 11 20:44:39 ipaclient01 automount[3236]: do_reconnect: lookup(ldap): failed to find available server

When I enter LDAP_URI=kdc.ipa.domain.nx with a specific search base, it works perfectly.

Second question: is it normal that one has to restart the autofs service after adding an automount key in a direct map for the client to see it? If I do not do it, then the client does not see the new key so it cannot mount it either.

Third question: is it safe to restart the autofs service when people have mounted shares on a client?

Thanks in advance.
--
Groeten,
natxo
Re: [Freeipa-users] IPA hostnames. Why not use `hostname -fqdn` instead of forcing `hostname` to be fully qualified?
There are kerberized programs that expect to use gethostname() and use that name to compose principals. If that name is not fully qualified they will break.

Simo.

Normally, you should have both:
[root@ara tmp]# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----
  19 host/ara.prague.s3group@dublin.ad.s3group.com
  19 host/a...@dublin.ad.s3group.com
right?

Ondrej

Proud winners of the prestigious Irish Software Exporter Award 2011 from Irish Exporters Association (IEA). Please, refer to our web site for more details regarding the award.
Re: [Freeipa-users] IPA hostnames. Why not use `hostname -fqdn` instead of forcing `hostname` to be fully qualified?
No, unless you can alias them in the KDC. Our KDC can technically support aliases now, but we haven't added these kinds of aliases to it yet. And it is a bit controversial whether we want to.

In a Windows domain you simply cannot have a client residing in a DNS domain that is not the same as the domain controller's. This is a pretty hard limitation and we do not want to add it to FreeIPA.

Now why does it matter in this case? It matters because, by forcing a single DNS domain, Windows can univocally say a -> a.b.c given the b.c part is forced on all clients joined to that domain. This does not hold true for FreeIPA. You could have foo.bar.example.com and foo.rab.example.com, i.e. 2 hosts with the same short name but in different subdomains. If we alias both foo's and then we try to obtain a ticket for host/foo@REALM then the KDC does not know which foo you refer to. And if we alias only one then the second foo will simply fail to use the short name.

So the solution is to always use fully qualified names, which seems a pretty decent compromise that shouldn't really cause issues in the vast majority of cases.

Simo.

I understand now, thanks. But still I see 2 limitations in this:

1. I dare say most people do not care that they CAN join a foo.rab.example.com machine to the bar.example.com domain - to me, it is only confusing. In fact, this is completely new information to me. I still believe we should produce at least a small warning if we find that DNS domain != IPA domain.

2. You see problems like this - it is nowhere said that your `hostname` must be an FQDN, as the OS itself happily accepts both. In either case, the ipa-client-install script should be able to detect such a case and offer some solution at least (I have a faint feeling there is even a BZ already opened against this).

Ondrej
Re: [Freeipa-users] Dovecot imap authentication with IPA/Kerberos
Hey, sounds good to me, just glad it is working for you :). The only other question/suggestion I have is that it looks like you aren't leveraging Kerberos in your configuration for SSO. You might want to think about doing this as it can be a pretty nice configuration. Essentially you would just need to add service principals for the host in the form of imap and/or pop, and change the auth line in your dovecot config to allow for GSSAPI auth, like so:

sed -i -r 's/(\smechanisms =).*/\1 gssapi plain/'

Then, assuming your user has a ticket and their client is properly configured, they no longer need to do anything upon logging into their system; kerb will auth the rest. If you are on a multihomed system, you will need two additional changes: service principals for the other host name, and the following modification:

sed -i -r 's#auth_gssapi_hostname.*#auth_gssapi_hostname = $ALL#'

I got a little caught up when you referenced the /etc/krb5.keytab file as possibly part of the problem so I thought this was more a kerb issue.

Exactly, I was confused by this as well - I would like to see this working, too. But I would say we would need to do something with the permissions on /etc/krb5.keytab which is now (by default) only readable by root. We need to address this problem more in general, as when integrating the Bind DNS server you hit the same thing. I would say something like an ACL entry would help.

Ondrej
Re: [Freeipa-users] Dovecot imap authentication with IPA/Kerberos
I fail to see why non-root processes should be trying to read /etc/krb5.keytab at all. You should be generating a per-service keytab with only the keys necessary for that service to authenticate itself to the KDC. So you might have /etc/dovecot/dovecot.keytab which is readable only by the dovecot user.

The problem with allowing access to /etc/krb5.keytab is that it means that an exploit in another process (especially a mail server!) could gain access to the keys necessary to impersonate your host in kerberized applications on the network. That's really dangerous.

Right, but that's exactly what is happening with kerberized BIND, right? As far as I understand, you need to chown /etc/krb5.keytab to 'named' first.

In general, you are probably right; the only problem is that most of the Linux kerberized services expect krb5.keytab in /etc. Moreover, in a situation where winbind (or later maybe even sssd, for example) maintains the system Kerberos database, we would need some means to tell it to maintain more database files in multiple locations - and that is too messy. Maybe it's time to introduce some simple database layer on top of /etc/krb5.keytab which would handle the permissions correctly? Applications/services would need to talk to this layer and not krb5.keytab directly.

Ondrej
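Added example (not dovecot's or FreeIPA's code, and not part of the original thread): a check over `klist -k` output that flags principals a per-service keytab should not carry, which is the least-privilege point made above. The listing below is constructed; the keytab path, principal names and KVNOs are assumptions.

```python
"""Least-privilege audit of a per-service keytab from `klist -k` output.

Example code added to the thread; it parses the two-column
"KVNO Principal" listing that klist prints and reports principals that
do not belong to the service the keytab is meant for (host/ keys in a
dovecot keytab, for instance).
"""
import re

# Constructed listing, modelled on the klist -k output quoted elsewhere
# on this list: a dovecot keytab that was copied from /etc/krb5.keytab
# and so still carries the host/ keys beside the imap/ and imaps/ keys.
SAMPLE_LISTING = """\
Keytab name: FILE:/etc/dovecot/dovecot.keytab
KVNO Principal
---- ----------------------------------------------------------------
   2 host/mail.example.com@EXAMPLE.COM
   2 host/mail.example.com@EXAMPLE.COM
   3 imap/mail.example.com@EXAMPLE.COM
   3 imaps/mail.example.com@EXAMPLE.COM
"""

# One keytab entry: leading KVNO, whitespace, principal; header lines
# ("Keytab name:", "KVNO Principal", the dashes) do not match.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)$")


def parse_klist(listing):
    """Return (kvno, principal) tuples from klist -k output, in order.
    The same principal appears once per enctype, so duplicates are
    expected and kept."""
    entries = []
    for line in listing.splitlines():
        m = ENTRY_RE.match(line)
        if m and "@" in m.group(2):
            entries.append((int(m.group(1)), m.group(2)))
    return entries


def split_principal(principal):
    """'imap/mail.example.com@EXAMPLE.COM' ->
    ('imap', 'mail.example.com', 'EXAMPLE.COM')."""
    name, _, realm = principal.rpartition("@")
    service, _, instance = name.partition("/")
    return service, instance, realm


def audit_service_keytab(listing, allowed_services, expected_host=None):
    """Return the set of principals that do not belong in a keytab
    restricted to `allowed_services` (optionally pinned to one host).

    An empty result means the keytab is scoped as tightly as the thread
    recommends; anything it reports, host/ keys above all, is what a
    compromise of that service could use to impersonate the machine.
    """
    offending = set()
    for _, principal in parse_klist(listing):
        service, instance, _ = split_principal(principal)
        if service not in allowed_services:
            offending.add(principal)
        elif expected_host is not None and instance != expected_host:
            offending.add(principal)
    return offending


if __name__ == "__main__":
    # Constructed run: dovecot only needs imap/ and imaps/ for its host.
    bad = audit_service_keytab(SAMPLE_LISTING, {"imap", "imaps"},
                               expected_host="mail.example.com")
    for principal in sorted(bad):
        print("does not belong in the dovecot keytab:", principal)
```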
Re: [Freeipa-users] Dovecot imap authentication with IPA/Kerberos
Dovecot is not running as root - can't read your krb5.keytab...?

On 01/30/2012 01:16 PM, Dale Macartney wrote:
Hi all

I'm working on a test lab setup at the moment with RHEL 6.2 running IPA 2.1 and experimenting with simple mail server setups. I have mail being received based on pam lookups from IPA. The mail server is tapped into IPA via ipa-client-install.

I am using a default install of the dovecot rpm from RHN, and dovecot is listening via imap/imaps, however all authentication requests fail when attempting to login via imap. I added the necessary keytabs for imap/mail.example.com and imaps/mail.example.com to /etc/krb5.keytab but this hasn't allowed authentication.

Has anyone set up dovecot through IPA before? Any recommendations?

thanks all

Dale
Re: [Freeipa-users] NetApp Filer with IPA?
I wonder if the following simplified setup I am using with AD:

ldap.ADdomain mydomain.com
ldap.enable on
ldap.nssmap.attribute.uniqueMember Member
ldap.nssmap.objectClass.groupOfUniqueNames Group
ldap.nssmap.objectClass.posixAccount User
ldap.nssmap.objectClass.posixGroup Group
ldap.rfc2307bis.enable on

would also work with IPA domains. I understand this would require NetApp to somehow join the IPA domain, creating a normal computer account, but I like the fact that I do not have to specify the ldap server manually - NetApp finds it via DNS. Given the fact that the IPA NS structure is pretty much similar to AD, it should just work, but I haven't tried yet.
Another bonus would be the possibility of using Kerberized NFSv4 w/ NetApp.

Ondrej

On 12/12/2011 11:55 AM, Sigbjorn Lie wrote:
Hi,

I've used OnTAP 7.3.3 with IPA. Using LDAP lookups for users/groups and netgroups so far, using authenticated connections to the IPA LDAP server. Have not been able to get LDAPS working yet. I still have kerberos for NFSv4 left to configure.

I used the following OnTAP config:
options ldap.base dc=test,dc=local
options ldap.base.group cn=groups,cn=compat,dc=test,dc=local
options ldap.base.netgroup cn=ng,cn=compat,dc=test,dc=local
options ldap.base.passwd cn=users,cn=accounts,dc=test,dc=local
options ldap.servers ipa01.test.local
options ldap.name uid=s-netapp,cn=users,cn=accounts,dc=test,dc=local
options ldap.passwd passwordforbinduser
options ldap.minimum_bind_level simple
options ldap.usermap.attribute.unixaccount uid
options ldap.servers ipa01.test.local
options ldap.port 389
options ldap.ssl.enable off
options ldap.usermap.attribute.unixaccount uid
options ldap.usermap.attribute.windowsaccount ntUserDomainId
options ldap.enable on

Regards,
Siggi

On Mon, December 12, 2011 07:07, Craig T wrote:
Hi,

Has anyone tried configuring a NetApp FAS 270 filer to work with IPA? I had it working perfectly via LDAP auth with 389 Directory Server (no IPA config) earlier, however I'm new to IPA and I'm not sure about the importance of being part of the IPA REALM for a device that will just use LDAP auth?

cya
Craig
Re: [Freeipa-users] IMPORTANT: Your input requested: SSSD LDAP Provider vs Winbind
On 12/02/2011 04:06 PM, Stephen Gallagher wrote:
1) SSSD caching instead of nscd

Winbind has its own cache. We do not want to implement yet another one causing confusion, do we?

2) Support for multiple AD domains without trust

If needed, winbind itself should provide this functionality.

3) One-to-one mapping of identity domain to authentication domain (so you're not exposing your password to multiple authentication domains until you find the right one, as with traditional PAM).

Yes, that's true, but honestly, who is using it; is it worth the effort? I am not saying no, of course; everything has its own special use. What I think we need is *simplicity*. We need to have clear and simple rules on where to go if a windows/ipa/... backend is needed. Most system admins see sssd as a cleverer libnss_ldap.so provider - and that is how it should stay, I believe.

Ondrej
Re: [Freeipa-users] The concept of sites...
I have come across this already, BZ already created: https://fedorahosted.org/sssd/ticket/1032

On 10/19/2011 10:25 PM, Sigbjorn Lie wrote:
> The London/newyork dns sub-domains would be used for looking up srv records for the local kerberos/ldap servers only. The actual domain configured on the client and the kerberos and LDAP base would still be the ipa.domain.com. Sync with AD would still be done between ipa.domain.com - ad.domain.com.
>
> Rgds,
> Siggi
>
> On Wed, October 19, 2011 22:15, Steven Jones wrote:
>> Ah right, yes, one realm. However how would you password sync with AD?
>> So say London.ad.ms.com and Newyork.ad.ms.com with NY as the head.
>> So with london.ipa.unix.com and newyork.ipa.unix.com, is there still only one winsync agreement?
>>
>> regards
>> Steven Jones
>> Technical Specialist - Linux RHCE
>> Victoria University, Wellington, NZ
>> 0064 4 463 6272
>>
>> From: Sigbjorn Lie [sigbj...@nixtra.com]
>> Sent: Thursday, 20 October 2011 9:11 a.m.
>> To: Steven Jones
>> Cc: freeipa-users@redhat.com
>> Subject: RE: [Freeipa-users] The concept of sites...
>>
>> I see your point with a messy dns infrastructure, however this would happen in the background. You would still only have one kerberos realm per IPA instance.
>>
>> Rgds,
>> Siggi
>>
>> On Wed, October 19, 2011 21:30, Steven Jones wrote:
>>> Hi,
>>>
>>> I think AD sort of does this which they have now backed away from? From my very limited understanding having sub-domains/realms seems to be counter-productive in that trying to do cross-realm trusts/passwords/user info becomes a nightmare?
>>>
>>> I know somehow I have to get unix.vuw.ac.nz to talk to staff.vuw.ac.nz and student.vuw.ac.nz in a winsync (password) agreement, I don't know even if that's possible? Yet with a flat domain to flat domain it's easy?
>>>
>>> regards
>>> Steven Jones
>>> Technical Specialist - Linux RHCE
>>> Victoria University, Wellington, NZ
>>> 0064 4 463 6272
>>>
>>> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Sigbjorn Lie [sigbj...@nixtra.com]
>>> Sent: Thursday, 20 October 2011 8:14 a.m.
>>> To: freeipa-users@redhat.com
>>> Subject: [Freeipa-users] The concept of sites...
>>>
>>> Hi,
>>>
>>> Has there been given any thought to the concept of sites within IPA to improve cross-site implementations? This should be easy to implement as you are already using DNS SRV records to locate the ldap/kerberos servers.
>>>
>>> E.g.
>>> Site: Boston
>>> Site: London
>>>
>>> Create a subdomain of the IPA dns domain named _sites, and a subdomain of _sites for each site.
>>>
>>> Boston._sites.ipa.domain.com would contain the srv entries for IPA servers in Boston:
>>> _ldap._tcp IN SRV 0 100 389 boston-ipa-server1
>>> _ldap._tcp IN SRV 0 100 389 boston-ipa-server2
>>> .
>>>
>>> London._sites.ipa.domain.com would contain the srv entries for IPA servers in London:
>>> _ldap._tcp IN SRV 0 100 389 london-ipa-server1
>>> _ldap._tcp IN SRV 0 100 389 london-ipa-server2
>>>
>>> Now point the client's DNS search entry to point to the local site first, then search the full name space:
>>>
>>> Boston client's /etc/resolv.conf:
>>> search Boston._sites.ipa.domain.com ipa.domain.com
>>>
>>> London client's /etc/resolv.conf:
>>> search London._sites.ipa.domain.com ipa.domain.com
>>>
>>> The main ipa.domain.com could still contain srv records for all IPA servers, or selected IPA servers at the central hub.
>>>
>>> I know I can do this manually within the DNS management in IPA today, however it would be a lot easier to maintain Sites within the IPA webui/cli. *blink* ;)
>>>
>>> What's your thoughts on this?
>>>
>>> Regards,
>>> Siggi

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

The information contained in this e-mail and in any attachments is confidential and is designated solely for the attention of the intended recipient(s). If you are not an intended recipient, you must not use, disclose, copy, distribute or retain this e-mail or any part thereof. If you have received this e-mail in error, please notify the sender by return e-mail and delete all copies of this e-mail from your computer system(s). Please direct any additional queries to: communicati...@s3group.com. Thank You. Silicon and Software Systems Limited (S3 Group). Registered in Ireland no. 378073. Registered Office: South County Business Park, Leopardstown, Dublin 18
Re: [Freeipa-users] The concept of sites...
Hi Siggi,

I see and agree fully - we need something like this...

Ondrej

On 10/20/2011 11:55 AM, Sigbjorn Lie wrote:
> Hi Ondrej,
>
> Thanks. That RFE is for SSSD client only. I would like to see the management of sites within the IPA webui/cli.
>
> Regards,
> Siggi
>
> On Thu, October 20, 2011 09:02, Ondrej Valousek wrote:
>> I have come across this already, BZ already created: https://fedorahosted.org/sssd/ticket/1032
>>
>> On 10/19/2011 10:25 PM, Sigbjorn Lie wrote:
>>> The London/newyork dns sub-domains would be used for looking up srv records for the local kerberos/ldap servers only. The actual domain configured on the client and the kerberos and LDAP base would still be the ipa.domain.com. Sync with AD would still be done between ipa.domain.com - ad.domain.com.
>>>
>>> Rgds,
>>> Siggi
>>>
>>> [...]
Re: [Freeipa-users] Question on AD to freeipa sync
Exactly! That was the biggest advantage of Centrify/Likewise/rest, but hopefully with the latest set of RFEs I have submitted against sssd, it will no longer be any advantage.

On 10/05/2011 10:18 PM, Steven Jones wrote:
> ...the biggest thing for me so far is the ease of use, which with our limited capability staff/useradmins has to be a god send.
Re: [Freeipa-users] Question on AD to freeipa sync
Submitted RFEs #743503, #743505, #743505 and #743509 into RedHat bugzilla (I have no login to fedorahosted.org so I could not submit to upstream). Take them as a wish-list only and feel free to close them if they do not fit into the IPA roadmap.

Thanks!
Ondrej

On 10/04/2011 04:47 PM, Stephen Gallagher wrote:
> These are all great ideas, Ondrej. Would you mind opening RFE bugs for them? You can file them upstream at https://fedorahosted.org/sssd or in Red Hat Bugzilla https://bugzilla.redhat.com in the sssd component.
>
> On Tue, 2011-10-04 at 16:29 +0200, Ondrej Valousek wrote:
>>> Can you provide more information here? We DO have support for automatic detection based on DNS SRV records. Does a DC locator use some other mechanism?
>>
>> Example AD domain CONTOSO.COM used on 3 sites - Prague, Cork, Dublin. I have machine in Prague and I want it to join CONTOSO.COM. Now if I used:
>>
>> dns_discovery_domain = contoso.com
>>
>> sssd would try to connect to any DC in the domain - even the one in Dublin, completely ignoring sites. I have to use:
>>
>> dns_discovery_domain = Prague._sites.contoso.com
>>
>> To force it to use Prague DCs only. My understanding is, that the DC locator tries to communicate with DC's first to determine local site and remote DC's are only used if no valid/working DC can be found in the local site (Prague in this case).
>>
>>> I'm not sure what you mean by this? Do you mean you don't want to have to specify ldap_schema = rfc2307bis and have it instead auto-detected? That's trickier than it sounds.
>>
>> well this is a really small one. I would say it would be perfectly sufficient to introduce something like:
>>
>> ldap_schema=msrfc2307bis
>>
>> which would be equivalent to:
>>
>> ldap_user_object_class = user
>> ldap_group_object_class = group
>> ldap_user_home_directory = unixHomeDirectory
>> ldap_schema = rfc2307bis
>>
>> also, the ldap bind mechanism negotiation could be potentially improved, now I have to explicitly specify
>>
>> ldap_sasl_mech = GSSAPI
>>
>> otherwise sssd tries to use SASL/EXTERNAL which fails when communicating to AD controllers.
>>
>>> What features of the krb5 library do you mean? SSSD provides a locator plugin that manages several features of the krb5 library, including kinit and kpasswd.
>>
>> The thing is that not all Linux apps are using sssd so we have to remember to configure /etc/krb5.conf too. When using Centrify, all I need to do is:
>>
>> # adjoin contoso.com
>>
>> ..which takes care of everything - /etc/nsswitch.conf, krb5.conf, PAM modules, eeeverything. If I wanted to use sssd for the same job I have to:
>> 1. configure (manually) /etc/samba/smb.conf
>> 2. net ads join (- just to get machine creds)
>> 3. configure (manually) sssd.conf
>> 4. configure (manually) PAM modules
>> 5. configure (manually) krb5.conf
>>
>> I understand that much of this is probably not sssd duty, but it would be helpful to have some script around which would do the same job.
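Both the _sites proposal in the "concept of sites" thread above and the dns_discovery_domain = Prague._sites.contoso.com point in this reply rest on the same client-side behaviour: look up the service's SRV record under the local site's sub-domain first and fall back to the whole domain only when the site answers nothing. The following is an added example of that lookup, not code from the list, IPA or SSSD; the zone data, the ipa.example.com domain, the hostnames and the hub record are constructed placeholders, and the ordering follows RFC 2782.

```python
"""Site-aware SRV lookup: try the local site's sub-domain first, then the whole domain.

Added example, not code from the thread, IPA or SSSD.  The zone below is
constructed; ipa.example.com, the *-ipa-server* hostnames and the hub record
are placeholders following the _sites layout proposed in the thread.
"""
import random
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class SrvRecord:
    priority: int  # lower is tried first (RFC 2782)
    weight: int    # relative share of traffic within one priority level
    port: int
    target: str


# Constructed zone: SRV owner name -> records.  Each site gets its own sub-zone
# under _sites; the main domain lists the hub at priority 0 and one server per
# remote site as a lower-priority (10) fallback.
ZONE: Dict[str, List[SrvRecord]] = {
    "_ldap._tcp.boston._sites.ipa.example.com": [
        SrvRecord(0, 100, 389, "boston-ipa-server1.ipa.example.com"),
        SrvRecord(0, 100, 389, "boston-ipa-server2.ipa.example.com"),
    ],
    "_ldap._tcp.london._sites.ipa.example.com": [
        SrvRecord(0, 100, 389, "london-ipa-server1.ipa.example.com"),
        SrvRecord(0, 100, 389, "london-ipa-server2.ipa.example.com"),
    ],
    "_ldap._tcp.ipa.example.com": [
        SrvRecord(0, 100, 389, "hub-ipa-server1.ipa.example.com"),
        SrvRecord(10, 100, 389, "boston-ipa-server1.ipa.example.com"),
        SrvRecord(10, 100, 389, "london-ipa-server1.ipa.example.com"),
    ],
}


def lookup_srv(zone: Dict[str, List[SrvRecord]], qname: str) -> List[SrvRecord]:
    """Case-insensitive lookup, since DNS owner names compare case-insensitively."""
    return list(zone.get(qname.lower().rstrip("."), []))


def _weighted_order(group: List[SrvRecord], rng: random.Random) -> List[SrvRecord]:
    """RFC 2782 weighted selection within one priority level, without replacement."""
    remaining = sorted(group, key=lambda r: r.weight != 0)  # weight-0 records first
    ordered: List[SrvRecord] = []
    while remaining:
        total = sum(r.weight for r in remaining)
        pick = rng.randint(0, total)          # 0..total inclusive, as the RFC says
        running = 0
        for i, rec in enumerate(remaining):
            running += rec.weight
            if running >= pick:
                ordered.append(remaining.pop(i))
                break
    return ordered


def order_srv(records: List[SrvRecord],
              rng: Optional[random.Random] = None) -> List[SrvRecord]:
    """Client-side ordering: ascending priority, weighted shuffle inside each level."""
    rng = rng or random.Random()
    ordered: List[SrvRecord] = []
    for prio in sorted({r.priority for r in records}):
        ordered.extend(_weighted_order([r for r in records if r.priority == prio], rng))
    return ordered


def resolve_service(zone: Dict[str, List[SrvRecord]], service: str, proto: str,
                    search: List[str],
                    rng: Optional[random.Random] = None) -> Tuple[Optional[str], List[SrvRecord]]:
    """Walk a resolv.conf-style search list (the same idea as pointing sssd's
    dns_discovery_domain at a site sub-domain).  The first domain that answers
    wins, so listing Boston._sites first keeps Boston clients on Boston servers
    and the main domain is consulted only when the site has no records at all.
    SRV data itself is unauthenticated: it only says where to connect, and the
    server's identity is still established by Kerberos or TLS afterwards."""
    for domain in search:
        qname = f"_{service}._{proto}.{domain}"
        recs = lookup_srv(zone, qname)
        if recs:
            return qname, order_srv(recs, rng)
    return None, []


if __name__ == "__main__":
    for search in (["boston._sites.ipa.example.com", "ipa.example.com"],
                   ["paris._sites.ipa.example.com", "ipa.example.com"]):
        qname, recs = resolve_service(ZONE, "ldap", "tcp", search)
        print(f"{search[0]:>32} -> {qname}: {[r.target for r in recs]}")
```

The second search list in the main block shows the failure mode Ondrej describes: a site with no SRV records of its own silently falls through to the whole-domain answer, where the remote servers are reachable again.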
Re: [Freeipa-users] Question on AD to freeipa sync
I have ~50 servers and yes, we are using Centrify now - and yes, it is pain in the ass (need to take care of the licenses). But I have found out recently that sssd can do much of the Centrify's duty (authorization, authentication) - well, it is not so polished, but it seems to work well.

Ondrej

On 10/03/2011 10:51 PM, Steven Jones wrote:
> I have 200+ servers and 250 linux desktops and growing... can't manage those with local access with 1.5 admins... you also can't manage them with AD unless you buy centrify/likewise or quest software or similar and that's very expensive and a pain in the ass.
Re: [Freeipa-users] Question on AD to freeipa sync
Well, small things like sssd can not renew machine credentials / sssd can not detect local site automatically in AD domain (no DC locator implemented) / sssd can not detect/guess AD schema automatically / sssd won't configure the krb5 library for me. Support for group policies, central management, auditing (Centrify nicely fills the OperatingSystem attribute for me) would be also nice. Most of this is understandable as much of these requests are either AD-specific (hard to blame sssd here) or a RFE is already opened for such a functionality. Anyway, it is still a way better than the classic libnss_ldap.so. :-)

Ondrej

On 10/04/2011 02:09 PM, Stephen Gallagher wrote:
> As the lead SSSD developer, I can't help but chime in here and ask what polish you'd like to see :)
Re: [Freeipa-users] Question on AD to freeipa sync
Just wondering why would anyone want to sync freeIPA and AD - both can serve Linux systems fine, so if I already have AD, I no longer require IPA.

My 2 cents...
Ondrej

On 09/29/2011 10:35 PM, Steven Jones wrote:
> Hi,
>
> In the documentation it says that new accounts in AD are synced over to freeIPA, so IPA sets the UID as it arrives? What happens if the user is an existing one and has a UID they want to retain, does that transfer over and get used?
>
> Also how do you set permissions and groups? does the new user just go into a default group and then you login to freeIPA and set them up? or can you put the GIDs into AD and they get transferred and the user put into the right groups automagically?
>
> Looks like I can set this sort of thing how I want in the sync agreement?
>
> regards
> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
> 0064 4 463 6272
Re: [Freeipa-users] Question on AD to freeipa sync
Well, I think these advantages won't outweigh the extra complexity of having two systems for the same thing. But it is up to everyone's decision...

Ondrej

> - the error messages of an AD might be strange to deal with for unix/linux admins
> - While I expect Microsoft to test AD patches with Windows clients I do not expect them to test linux/unix clients. Resulting in possibility that patches of the AD break the communication to linux/unix clients.
> - Having important infrastructure like identification/directory services running on OpenSource software is a good thing, apply all the OpenSource advantages here like being able to audit the code etc.
>
> Christian
Re: [Freeipa-users] FreeIPA 2.1 - Authenticated LDAP search
I would recommend using Kerberos for authentication, i.e. parameter -Y GSSAPI. That always worked for me...

On 09/14/2011 08:59 PM, Dan Scott wrote:
> Hi,
>
> I'm trying to perform an authenticated LDAP search against a FreeIPA server (Fedora 15, freeipa-server-2.1.0-1.fc15.x86_64). When I run:
>
> [root@kelvin ~]# ldapsearch -D uid=guser,cn=users,cn=accounts,dc=example,dc=com -w 'guserpassword' -b cn=accounts,dc=example,dc=com -h kelvin.example.com -v uid=guser -ZZ -c -d1
>
> I receive the following error:
>
> ldap_start_tls: Connect error (-11)
> additional info: TLS error -8172:Unknown code ___f 20
>
> Full details shown in attachment. Can anyone help me figure out what I'm doing wrong?
>
> Thanks,
>
> Dan Scott
> http://danieljamesscott.org
Re: [Freeipa-users] authconfig-gtk sssd
Hi Jakub,

Ok, I have already found out - sorry for the noise. Still I have a few questions about sssd-ldap plugin (strange DNS SRV usage, inability to detect krb5 realm automatically) - which forum is the best for this type of questions? sssd-devel?

Thanks,
Ondrej

On 16.08.2011 14:32, Jakub Hrozek wrote:
> On Tue, Aug 16, 2011 at 12:47:19PM +0200, Ondrej Valousek wrote:
>> Hi List,
>>
>> Quick question - is there any plan to enable system-config-authentication to enable/configure sssd on RH-5/6 systems?
>>
>> Thanks,
>> Ondrej
>
> It should be already possible in RHEL6 provided you tell authconfig to use only the features SSSD supports. As man authconfig(1) states:
>
> - When the configuration settings allow use of SSSD for user information services and authentication, SSSD will be automatically used instead of the legacy services and the SSSD configuration will be set up so there is a default domain populated with the settings required to connect the services.
> - You may end up with using nss-ldap if you told authconfig to use netgroups with an SSSD release that does not support it yet, for example.
>
> There are currently no plans to expand the support in RHEL5 beyond what is there now (--enablesssd and --enablesssdauth that enable the NSS and PAM modules).
Re: [Freeipa-users] Some questions regarding IPA, DNS and Samba4
On 03.08.2011 23:52, Dmitri Pal wrote:
> But this has not been even filed as an enhancement as no one cared about such functionality until now. What is your use case for this functionality?

Actually, I do not need such a functionality. I was asking because I know Windows rotate keytabs so I was expecting IPA might as well. I guess there is no big press for it now but I would say in general we should support it as well - for security reasons if not for anything else.

Ondrej
Re: [Freeipa-users] Some questions regarding IPA, DNS and Samba4
I agree with Simo, I would expect this from sssd instead, also given the fact that sssd will in future also handle winbind's net * commands, this seems to me like a most natural way...

Ondrej

On 04.08.2011 16:28, Simo Sorce wrote:
> SSSD is probably a more appropriate component for keytabs, given in the IPA case it is a primary user of the keytab for validation purposes.
Re: [Freeipa-users] Some questions regarding IPA, DNS and Samba4
On 04.08.2011 16:53, Dmitri Pal wrote:
> Yes but server can indicate in some attribute to the client that it is time to start doing this and the client will do the change.

Would not be just easiest to steal some code from winbind? It is doing the same thing for Samba right? I guess it should not be that different in IPA. But it is only a wild guess...

Ondrej
[Freeipa-users] Some questions regarding IPA, DNS and Samba4
Hi List,

I have some questions regarding IPA:

1. On the IPA client side, which daemon is looking after machine Kerberos host/ principal renewal?
2. If I installed Samba4 on the IPA server, what would happen? Is it possible? Would I get 2xKDCs, 2xLDAP servers and 2x DNS server or is it possible for Samba4 to re-use the existing IPA repository?
3. Can I use the Adam's LDAP plugin for BIND to deploy a DNS server with Active Directory integrated zone running on Linux?

Many thanks,
Ondrej
Re: [Freeipa-users] Use of FreeIPA or FreeIPA LDAP server to hold private keys
Maybe stupid question, but I have to ask: Why would anyone want to store user RSA keys in LDAP? Once you have IPA server with KDC installed, you can use Kerberos for authentication as well. And you get single sign on as a special bonus :-)

Ondrej
[Freeipa-users] Unable to start IPA server after server reboot
Hi list,

I have a problem with my IPA server:

Symptoms:

[root@polaris etc]# /etc/init.d/ipa start
Starting Directory Service
Starting dirsrv:
    EXAMPLE-COM...                                             [  OK  ]
    PKI-IPA...                                                 [  OK  ]
Failed to read data from Directory Service: Unknown error when retrieving list of services from LDAP: {'matched': 'cn=masters,cn=ipa,cn=etc,dc=example,dc=com', 'desc': 'No such object'}
Shutting down
Shutting down dirsrv:
    EXAMPLE-COM...                                             [  OK  ]
    PKI-IPA...                                                 [  OK  ]

I am able to start the services (dirsrv, named, krb5kdc) separately though and then read the configuration fine:

[root@polaris log]# kinit admin
Password for ad...@example.com:
[root@polaris etc]# ldapsearch -Y GSSAPI -h localhost -b cn=masters,cn=ipa,cn=etc,dc=example,dc=com
SASL/GSSAPI authentication started
SASL username: ad...@example.com
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base cn=masters,cn=ipa,cn=etc,dc=example,dc=com with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# masters, ipa, etc, example.com
dn: cn=masters,cn=ipa,cn=etc,dc=example,dc=com
objectClass: nsContainer
objectClass: top
cn: masters

# polaris.example.com, masters, ipa, etc, example.com
dn: cn=polaris.example.com,cn=masters,cn=ipa,cn=etc,dc=example,dc=com
objectClass: top
objectClass: nsContainer
cn: polaris.example.com

# CA, polaris.example.com, masters, ipa, etc, example.com
dn: cn=CA,cn=polaris.example.com,cn=masters,cn=ipa,cn=etc,dc=example,dc=com
objectClass: nsContainer
objectClass: ipaConfigObject
objectClass: top
ipaConfigString: enabledService
ipaConfigString: startOrder 50
cn: CA
.

Does it ring any bell to you? Note that the IPA server was running fine right after the installation.

Thanks!
Ondrej
Re: [Freeipa-users] Alternatives to freeipa
https://bugzilla.redhat.com/show_bug.cgi?id=652609

On 08.07.2011 14:35, Oliver Falk wrote:
> Hi!
>
> Why do you think winbind is broken? It works fine on my machines…
>
> -of
>
> From: ondr...@s3group.cz [mailto:freeipa-users-boun...@redhat.com] On behalf of Ondrej Valousek
> Sent: Friday, 08 July 2011 14:30
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Alternatives to freeipa
>
> Authconfig will definitely help you to configure nsswitch.conf and Kerberos (i.e. the easy bits), but the hard work with configuring winbind or ldap library has to be done manually anyway (assuming winbind is working correctly - unfortunately winbind is hopelessly broken in the last versions of Samba and none seems to care).
>
> Ondrej
>
> On 08.07.2011 14:18, Stephen Gallagher wrote:
>> Last I heard, authconfig-tui was deprecated and could be expected not to work with SSSD (aka for freeipa-client). What you want to use is either authconfig-gtk (if you need a graphical interface) or just use authconfig from the command-line and pass it the appropriate arguments. See 'authconfig --help' for details.
Re: [Freeipa-users] Alternatives to freeipa
1. You can connect RH guests to AD - it works pretty much the same way as with IPA (IPA does many things the same way as AD). The only slight difference you might find is with Kerberos configuration. Check my blog: http://ondarnfs.blogspot.com for more.
2. AD does *not* come for free. As far as I know the license for an AD controller + all CALs for guests costs quite some money.
3. Yes, with freeIPA and all the installers, things are quite easy. With AD you have to do a lot of things manually, but it will work.

In summary I would say it is worth considering if you already have an AD controller in place.

Ondrej

On 06.07.2011 22:30, Steven Jones wrote:
> Not knowing much about connection to AD directly with RH guests... hopefully some ppl do...
>
> Advantages for AD
> 1) Zero first cost
>
> Disadvantages
> 1) Manual setup
> 2) manageability? access control? other things?
>
> From 3 days of googling I can find few or little info on the usefulness and practicality of connecting and using AD for linux authentication and authorisation in Enterprise situations... is it really used in an Enterprise? it looks like it might be OK for say 5 users where security isn't a concern for instance
>
> If anyone has actual experience to share that would be good
>
> regards
Re: [Freeipa-users] FreeIPA automount
Check your /etc/nsswitch.conf. It must read:

automount: files ldap

If you have the latest automounter installed you can also try:

# automount -m

.. to see if the automounter really sees all your maps.

Ondrej

On 06.07.2011 23:16, Rob Crittenden wrote:
> Pavel Zhukov wrote:
>> Thank you for help. but automount doesn't work anyway.
>>
>> cat /etc/sysconfig/autofs | egrep -v #.*
>> TIMEOUT=300
>> BROWSE_MODE=no
>> MOUNT_NFS_DEFAULT_PROTOCOL=4
>> LOGGING=debug
>> USE_MISC_DEVICE=yes
>> MAP_OBJECT_CLASS=automountMap
>> ENTRY_OBJECT_CLASS=automount
>> MAP_ATTRIBUTE=automountMapName
>> ENTRY_ATTRIBUTE=automountKey
>> VALUE_ATTRIBUTE=automountInformation
>> LDAP_URI=ldap://freeipa.home.zhukoff.net;
>> SEARCH_BASE=cn=default,cn=automount,dc=home,dc=zhukoff,dc=net
>>
>> cat /var/log/messages | grep automount
>> Jul 6 22:35:31 ipaclient automount[1257]: st_expire: state 1 path /net
>> Jul 6 22:35:31 ipaclient automount[1257]: expire_proc: exp_proc = 139679846762240 path /net
>> Jul 6 22:35:31 ipaclient automount[1257]: expire_cleanup: got thid 139679846762240 path /net stat 0
>> Jul 6 22:35:31 ipaclient automount[1257]: expire_cleanup: sigchld: exp 139679846762240 finished, switching from 2 to 1
>> Jul 6 22:35:31 ipaclient automount[1257]: st_ready: st_ready(): state = 2 path /net
>> Jul 6 22:36:00 ipaclient automount[1257]: st_expire: state 1 path /misc
>> Jul 6 22:36:00 ipaclient automount[1257]: expire_proc: exp_proc = 139679846762240 path /misc
>> Jul 6 22:36:00 ipaclient automount[1257]: expire_cleanup: got thid 139679846762240 path /misc stat 0
>> Jul 6 22:36:00 ipaclient automount[1257]: expire_cleanup: sigchld: exp 139679846762240 finished, switching from 2 to 1
>> Jul 6 22:36:00 ipaclient automount[1257]: st_ready: st_ready(): state = 2 path /misc
>>
>> mount | grep autofs
>> .. (some /dev and /sys)
>> /etc/auto.misc on /misc type autofs (rw,relatime,fd=7,pgrp=1257,timeout=300,minproto=5,maxproto=5,indirect)
>> -hosts on /net type autofs (rw,relatime,fd=13,pgrp=1257,timeout=300,minproto=5,maxproto=5,indirect)
>
> Can you check the 389-ds access log on the server when you restart the autofs service on the client? This should show us if it is connecting, what it is searching for and how many (if any) entries it found. Note that 389-ds buffers the access log so it could be a few seconds before you see any output.
>
> rob
>
>> Pavel
>>
>> On Wed, 06 Jul 2011 09:11:29 -0400 Rob Crittenden rcrit...@redhat.com wrote:
>>> Pavel Zhukov wrote:
>>>> Hi all
>>>>
>>>> I'm trying to install and configure FreeIPA and automount
>>>> https://fedoraproject.org/wiki/QA:Testcase_freeipav2_automount
>>>>
>>>> /etc/sysconfig/autofs
>>>> MAP_OBJECT_CLASS=automountMap
>>>> ENTRY_OBJECT_CLASS=automount
>>>> MAP_ATTRIBUTE=automountMapName
>>>> ENTRY_ATTRIBUTE=automountKey
>>>> VALUE_ATTRIBUTE=automountInformation
>>>> LDAP_URI=ldap://freeipa.home.zhukoff.net;
>>>> ##SEARCH_BASE=cn=dafault,cn=automount,dc=home,dc=zhukoff,dc=net
>>>> SEARCH_BASE=cn=automount,dc=home,dc=zhukoff,dc=net
>>>>
>>>> $ showmount -e freeipa.home.zhukoff.net
>>>> Export list for freeipa.home.zhukoff.net:
>>>> /share/man 192.168.12.0/16
>>>> /home 192.168.12.0/16
>>>>
>>>> $ ipa automountkey-find default auto.master
>>>> Key: /-
>>>> Mount information: auto.direct
>>>>
>>>> Key: /share
>>>> Mount information: auto.share
>>>> Number of entries returned 2
>>>>
>>>> $ ipa automountkey-find default auto.share
>>>> Key: man
>>>> Mount information: -ro,soft,rsize=8192,wsize=8192 freeipa.home.zhukoff.net:/share/man
>>>> Number of entries returned 1
>>>>
>>>> $ ipa automountkey-find default auto.master
>>>> Key: /-
>>>> Mount information: auto.direct
>>>>
>>>> Key: /share
>>>> Mount information: auto.share
>>>> Number of entries returned 2
>>>>
>>>> /var/log/messages:
>>>> Jul 4 00:40:51 ipaclient automount[2227]: st_expire: state 1 path /net
>>>> Jul 4 00:40:51 ipaclient automount[2227]: expire_proc: exp_proc = 139786245711616 path /net
>>>> Jul 4 00:40:51 ipaclient automount[2227]: expire_cleanup: got thid 139786245711616 path /net stat 0
>>>> Jul 4 00:40:51 ipaclient automount[2227]: expire_cleanup: sigchld: exp 139786245711616 finished, switching from 2 to 1
>>>> Jul 4 00:40:51 ipaclient automount[2227]: st_ready: st_ready(): state = 2 path /net
>>>>
>>>> But automount doesn't work. Mount nothing. Can anybody help me?
>>>
>>> Two suggestions for /etc/sysconfig/autofs on ipaclient:
>>>
>>> 1. Set LOGGING=debug
>>> 2. Set SEARCH_BASE to cn=default,cn=automount,dc=home,dc=zhukoff,dc=net. Your commented-out line has default misspelled.
>>>
>>> Don't forget to restart autofs service
>>>
>>> rob
Re: [Freeipa-users] Automounter maps
Hi,

On 30.06.2011 17:29, Dmitri Pal wrote:
> Can you please rephrase? Do you mean that instead of documenting what we already have or in addition to it, we should also document how to configure automount with DNS? Does DNS allow specifying the search base? Can you please point on any doc/man page that describes how to configure DNS for automount. We might add it as a reference into the doc. Is this what you are looking for?

First of all, I believe you guys in Redhat did a great job with the IPA. Why? Because with all the install scripts and the framework around it, you managed to integrate all services (DNS, Kerberos, LDAP) into simply manageable identity management for Linux. A normal IT admin no longer has to dig through various howtos on the Internet. Just run the install script and you get something very similar to Active Directory - a robust and standards-based system. The key thing for me is the simplicity and the scripts around it. One should no longer be afraid of setting up all the services separately.

From the client's perspective, you already covered Kerberos configuration and NSS, that's fine. For the reasons I outlined above I also believe that the *ipa-client-install* script should take care of the automounter, too (or at least offer the autofs configuration) - and this includes everything. As a helping hand I offer my additions to your existing howtos (I have already checked their functionality).

[root@draco etc]# cat /etc/sysconfig/autofs
...
LDAP_URI=ldap:///dc=example,dc=com;   # let the automounter discover the LDAP server on its own

[root@draco etc]# cat /etc/autofs_ldap_auth.conf
<autofs_ldap_sasl_conf
    usetls="no"
    tlsrequired="no"
    authrequired="yes"
    authtype="GSSAPI"
    clientprinc="host/draco.prague.s3group@example.com"   # taken from klist -k
/>

This is, I believe, the best configuration you can get for autofs. It is not difficult (as you can see), so the ipa-client-install script should be able to take care of it automatically.

And finally, regarding your question - see man auto.master. The DNS SRV lookup ability was added there because I asked the autofs maintainer Ian Kent from Redhat to do it and he was kind enough to implement it for us (he actually grabbed a piece of Samba code to make it work). If you feel there should be something more (like you mentioned getting the search base from DNS as well), talk to him, I am sure he will help you. The ldap server SRV lookup has been there for quite some time so it is in RHEL5/6 already.

Thanks!
Ondrej
[Freeipa-users] ipa-client-install failed to join the IPA realm if DNS setting is incorrect
Hi List,

I have just noticed that ipa-client-install fails miserably if the client's /etc/resolv.conf points to some foreign DNS server. The symptoms are that the KDC (on the IPA server) fails to locate itself in the Kerberos database:

Jun 30 11:11:48 polaris krb5kdc[1279](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.60.135: NEEDED_PREAUTH: ad...@example.com for krbtgt/example@example.com, Additional pre-authentication required
Jun 30 11:11:48 polaris krb5kdc[1279](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.60.135: ISSUE: authtime 1309425108, etypes {rep=18 tkt=18 ses=18}, ad...@example.com for krbtgt/example@example.com
Jun 30 11:11:49 polaris krb5kdc[1279](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.60.135: UNKNOWN_SERVER: authtime 0, ad...@example.com for HTTP/*polaris.prague.s3group.com*@EXAMPLE.COM, *Server not found in Kerberos database*

Question: should it probably try to autoconfigure /etc/resolv.conf as well, or at least warn the user that the join might fail?

Thanks,
Ondrej
Re: [Freeipa-users] ipa-client-install failed to join the IPA realm if DNS setting is incorrect
> The KDC is just trying to look up a service that was requested, it was the client that requested this host. Note that the host name used is the detected IPA server. This can often be wrong if there is another server in your network with SRV records (such as AD).

Apparently not the KDC. I had to fix the resolv.conf on the *client* in order to resolve the problem. The problem was in reverse records - the company DNS server returned /polaris.prague.s3group.com/ (this rendered the error on the KDC) for the IP of the IPA server, whereas the correct one should be /polaris.example.com/ (as per the DNS server running on the IPA server). When the client's resolv.conf pointed to the company DNS, it did not work. I had to fix resolv.conf manually to make it work.

> The resolver is a bit of a chicken and egg problem. Hard to look anything up if you don't have one configured. The installer should prompt that the detected settings are ok. Were they ok and we still went to the wrong place?

Ok, let me explain it more. The machine I was running ipa-client-install on was using the company DNS server. On that DNS server I made a forward rule for the 'example.com' domain. Therefore, once I ran

# ipa-client-install --domain=example.com ..

the tool was able to detect everything correctly, BUT the wrong DNS server (which was left behind in /etc/resolv.conf) returned wrong names from its reverse zone. I believe it should be fairly easy for the installer to do a few sanity checks to see whether the reverse DNS lookup works well...

Ondrej
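The sanity check the poster asks for, written out as an added example (not code from the thread, from ipa-client-install or from any FreeIPA tool): forward-resolve the IPA server name through the client's own resolver, reverse-resolve each returned address, and flag any PTR that names a different host. The names polaris.example.com and polaris.prague.s3group.com come from the thread; the function names ptr_matches and check_reverse_dns, and the use of getent for the lookups, are this example's own choices.

```shell
#!/bin/sh
# Added example: pre-join check for the reverse-DNS mismatch described above.
# A wrong PTR makes the client ask the KDC for a service principal named
# after the foreign DNS name, which the IPA KDC does not have
# (the UNKNOWN_SERVER / "Server not found in Kerberos database" symptom).

# ptr_matches EXPECTED_FQDN PTR_NAME
# Pure comparison: returns 0 when the reverse-lookup name equals the
# expected host name (case-insensitive, trailing dot ignored), 1 otherwise.
ptr_matches() {
    expected=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//')
    ptr=$(printf '%s' "$2" | tr 'A-Z' 'a-z' | sed 's/\.$//')
    [ -n "$ptr" ] && [ "$expected" = "$ptr" ]
}

# check_reverse_dns FQDN
# Live check: getent goes through NSS, so it uses the same /etc/resolv.conf
# the installer's host would use. One line per address; returns 1 on any
# mismatch or missing PTR.
check_reverse_dns() {
    fqdn=$1; rc=0
    addrs=$(getent ahosts "$fqdn" | awk '{print $1}' | sort -u)
    [ -n "$addrs" ] || { echo "forward lookup of $fqdn failed"; return 1; }
    for ip in $addrs; do
        name=$(getent hosts "$ip" | awk '{print $2}')
        if ptr_matches "$fqdn" "$name"; then
            echo "$ip -> $name OK"
        else
            echo "$ip -> ${name:-<no PTR>} MISMATCH (expected $fqdn): the KDC has no principal for this name"
            rc=1
        fi
    done
    return $rc
}

# Constructed demonstration with the two names from the thread (no resolver
# needed). Run check_reverse_dns <ipa-server-fqdn> on a client to do it live.
ptr_matches polaris.example.com polaris.example.com. && echo "polaris.example.com: PTR agrees"
ptr_matches polaris.example.com polaris.prague.s3group.com || echo "polaris.prague.s3group.com: PTR from the company DNS does not match"
```

Run check_reverse_dns against the IPA server's FQDN before ipa-client-install, while the client still has whatever resolv.conf it will keep; a MISMATCH line is the condition the poster hit.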
Re: [Freeipa-users] ipa-client-install failed to join the IPA realm if DNS setting is incorrect
On 30.06.2011 16:22, Simo Sorce wrote:
> We are actively working on trying to never depend on reverse lookups. Unfortunately there are still some bugs and limitations in various libraries but we are working on fixing them.

Ok, thanks for the explanation. I have also seen similar errors when talking to an AD based KDC - I take it I have experienced a similar dependency - probably in MIT libraries, right? But it would be just perfect if this dependency were gone, that's true.

Ondrej
[Freeipa-users] Automounter maps
Hi List,

I am just wondering what's the situation regarding storing automounter maps in IPA? I see support for it on the roadmap but I am wondering how it is going to be done, because:

1. sssd cannot do it, and I think it is going to take a long time before it will (due to the libc NSS limitations)
2. the automounter has its own ldap support

Ian has recently added DNS SRV support for the automounter and I have verified that I can store maps in Active Directory (accessing via ldap/gssapi), so I am thinking the same should be possible right now even with IPA; just a small DS schema extension would be needed.

Does anyone know?

Thanks,
Ondrej
Re: [Freeipa-users] Automounter maps
Hmm,

To me, these instructions are very vague - for example they completely omit the LDAP security configuration for the automounter (stored in /etc/autofs_ldap_auth.conf). How does the automounter bind to the ldap server? Anonymously? I would not recommend it. I would recommend configuring the automounter to use the host/ principal in the local Kerberos system database and bind using SASL/GSSAPI instead. It is a more secure and elegant solution.

Ondrej

On 30.06.2011 17:26, Adam Young wrote:
> Good point. Take a look at the test day instructions, I found them very useful for setting up both SUDO and automount.
>
> https://fedoraproject.org/wiki/QA:Testcase_freeipav2_automount
>
> On 06/30/2011 11:08 AM, Ondrej Valousek wrote:
>> On 30.06.2011 16:55, Rob Crittenden wrote:
>>> Look at the output of this for details:
>>>
>>> ipa help automount
>>
>> I see, thanks!
>>
>> It would be nice to update man pages like:
>> http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/configuring-automount.html
>> to say something like:
>>
>> LDAP_URI=ldap:///dc=example,dc=com;
>> SEARCH_BASE=cn=location,cn=automount,dc=example,dc=com
>>
>> So people know more about the automounter's ability to locate the ldap server via DNS SRV.
>>
>> Thanks!
>> Ondrej
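An added example (not code from the thread, from autofs or from FreeIPA) covering both the recommendation above and the /etc/sysconfig/autofs and /etc/autofs_ldap_auth.conf settings posted in the "Automounter maps" reply to Dmitri: a shell audit that reads copies of those two files plus a saved "klist -k" listing and reports whether the client discovers the LDAP server via DNS SRV and binds with SASL/GSSAPI using a host/ principal that is actually in its keytab, rather than binding anonymously to one pinned server. The function check_autofs_ldap_auth and the sample files it is run on (draco.example.com, the keytab listing, the two configurations) are constructed for this example.

```shell
#!/bin/sh
# Added example: audit autofs LDAP settings for SRV discovery plus an
# authenticated GSSAPI bind, the configuration recommended in the thread.
#
# check_autofs_ldap_auth SYSCONFIG AUTH_CONF KEYTAB_LISTING
#   SYSCONFIG      copy of /etc/sysconfig/autofs
#   AUTH_CONF      copy of /etc/autofs_ldap_auth.conf
#   KEYTAB_LISTING saved output of "klist -k" (principals in /etc/krb5.keytab)
# Prints one line per finding; returns 0 when all checks pass, 1 otherwise.
check_autofs_ldap_auth() {
    sysconfig=$1; auth_conf=$2; keytab=$3; rc=0

    # 1. LDAP_URI should be the SRV-discovery form ldap:///<base dn> with no
    #    host, so the client follows the domain's _ldap._tcp SRV records.
    uri=$(sed -n 's/^LDAP_URI=//p' "$sysconfig" | tail -n 1)
    case "$uri" in
        ldap:///*|ldaps:///*) ;;
        "") echo "LDAP_URI not set in $sysconfig"; rc=1 ;;
        *)  echo "LDAP_URI pins a single server ($uri); use ldap:///<base dn> for SRV discovery"; rc=1 ;;
    esac

    # Pull one attribute value out of the XML-style auth file (first match).
    attr() { sed -n "s/.*$1=\"\([^\"]*\)\".*/\1/p" "$auth_conf" | head -n 1; }
    authrequired=$(attr authrequired); authtype=$(attr authtype); clientprinc=$(attr clientprinc)

    # 2. The bind must be required and must be GSSAPI; with authrequired="no"
    #    the automounter falls back to an anonymous bind.
    [ "$authrequired" = "yes" ] || { echo "authrequired is '${authrequired:-unset}' in $auth_conf, expected \"yes\""; rc=1; }
    [ "$authtype" = "GSSAPI" ]  || { echo "authtype is '${authtype:-unset}' in $auth_conf, expected \"GSSAPI\""; rc=1; }

    # 3. clientprinc must be a host/ principal that really is in the keytab,
    #    otherwise the GSSAPI bind has no credentials to use.
    case "$clientprinc" in
        host/*) grep -q -F -- "$clientprinc" "$keytab" ||
                    { echo "clientprinc $clientprinc is not in keytab listing $keytab"; rc=1; } ;;
        *)      echo "clientprinc '${clientprinc:-unset}' is not a host/ principal"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample inputs (not from any real host) so the audit runs offline.
demo=$(mktemp -d)
cat > "$demo/autofs.good" <<'EOF'
TIMEOUT=300
LDAP_URI=ldap:///dc=example,dc=com
SEARCH_BASE=cn=default,cn=automount,dc=example,dc=com
EOF
cat > "$demo/auth.good" <<'EOF'
<autofs_ldap_sasl_conf
    usetls="no"
    tlsrequired="no"
    authrequired="yes"
    authtype="GSSAPI"
    clientprinc="host/draco.example.com@EXAMPLE.COM"
/>
EOF
cat > "$demo/autofs.bad" <<'EOF'
LDAP_URI=ldap://ipa1.example.com
EOF
cat > "$demo/auth.bad" <<'EOF'
<autofs_ldap_sasl_conf usetls="no" tlsrequired="no" authrequired="no" />
EOF
cat > "$demo/klist.txt" <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/draco.example.com@EXAMPLE.COM
EOF

echo "== recommended configuration:"
check_autofs_ldap_auth "$demo/autofs.good" "$demo/auth.good" "$demo/klist.txt" && echo "all checks passed"
echo "== anonymous bind to one pinned server:"
check_autofs_ldap_auth "$demo/autofs.bad" "$demo/auth.bad" "$demo/klist.txt" || echo "configuration rejected"
```

On a real client, point the three arguments at /etc/sysconfig/autofs, /etc/autofs_ldap_auth.conf and the output of "klist -k"; each finding names the file and the value that needs changing.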