Re: [Freeipa-users] freeipa radius cisco

2013-01-16 Thread Simo Sorce
On Wed, 2013-01-16 at 17:44 +0100, Han Boetes wrote:
> +- entering group Kerberos {...}
> rlm_krb5: [hb] krb5_sname_to_principal failed: Hostname cannot be
> canonicalized 

Something's wrong in your configuration

Probably the host name is not a fqdn or similar

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] error: Realm not local to KDC

2013-01-16 Thread Simo Sorce
On Tue, 2013-01-15 at 17:57 -0500, Sylvain Angers wrote:
> Some rhel6.2 have problem with authenticating against IPA v2.2
> while some others on same domain do not have issue but still get the
> same
> error "Failed to init credentials: Realm not local to KDC"
> 
Because you are putting machines in the top domain I suspect your client
is trying to resolve the realm via SRV records and finds those of the AD
server. You may want to statically configure the default_realm and the
[domain_realm] section in your client krb5.conf and turn off DNS
discovery in krb5.conf for those clients.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

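
The static-pinning advice above, as an added example that is not part of the original post: a small Python checker that parses a client krb5.conf and reports whether it still relies on DNS discovery or lacks the default_realm and [domain_realm] settings. The realm names and the two sample configurations are constructed.

```python
"""Check whether a client krb5.conf pins its realm statically or still
relies on DNS discovery. Added example, not code from the thread. It parses
a krb5.conf text (constructed samples below) and reports the settings the
reply points at: dns_lookup_realm / dns_lookup_kdc, default_realm and the
[domain_realm] mapping. Realm and domain names are placeholders."""
import re

SECTION_RE = re.compile(r"^\s*\[(\w+)\]\s*$")
KEYVAL_RE = re.compile(r"^\s*([\w.\-]+)\s*=\s*(.+?)\s*$")


def parse_krb5_conf(text):
    """Return {section: {key: value}} for the flat parts of a krb5.conf.

    Brace-delimited subsections (the per-realm blocks under [realms]) are
    skipped by tracking brace depth; only top-level 'key = value' pairs are
    kept. Keys are lower-cased; lines starting with '#' or ';' are comments.
    """
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith(("#", ";")):
            continue
        m = SECTION_RE.match(line)
        if m and depth == 0:
            current = m.group(1).lower()
            sections.setdefault(current, {})
            continue
        depth += line.count("{") - line.count("}")
        if depth > 0 or "{" in line or "}" in line:
            continue
        m = KEYVAL_RE.match(line)
        if m and current is not None:
            sections[current][m.group(1).lower()] = m.group(2)
    return sections


def is_true(value):
    return value.strip().lower() in ("true", "yes", "on", "1")


def check_realm_pinning(text, expected_realm, domain_suffix):
    """Return a list of findings; an empty list means the client is pinned.

    MIT defaults apply when a key is absent (dns_lookup_realm=false,
    dns_lookup_kdc=true). A finding is raised when DNS discovery is on, when
    default_realm differs from expected_realm, or when domain_suffix and the
    '.domain_suffix' wildcard are not mapped to the realm in [domain_realm].
    """
    conf = parse_krb5_conf(text)
    lib = conf.get("libdefaults", {})
    mapping = conf.get("domain_realm", {})
    findings = []
    if is_true(lib.get("dns_lookup_realm", "false")):
        findings.append("dns_lookup_realm is on: realm taken from DNS TXT records")
    if is_true(lib.get("dns_lookup_kdc", "true")):
        findings.append("dns_lookup_kdc is on: KDC taken from DNS SRV records")
    if lib.get("default_realm") != expected_realm:
        findings.append("default_realm is not %s" % expected_realm)
    for key in (domain_suffix.lower(), "." + domain_suffix.lower()):
        if mapping.get(key) != expected_realm:
            findings.append("[domain_realm] lacks %s = %s" % (key, expected_realm))
    return findings


# Constructed samples: a client left on DNS discovery, and a pinned one.
DISCOVERY_CONF = """
[libdefaults]
  dns_lookup_realm = true
  dns_lookup_kdc = true
  default_realm = EXAMPLE.COM
"""

PINNED_CONF = """
[libdefaults]
  default_realm = IPA.EXAMPLE.COM
  dns_lookup_realm = false
  dns_lookup_kdc = false

[realms]
  IPA.EXAMPLE.COM = {
    kdc = ipa.example.com:88
    admin_server = ipa.example.com:749
  }

[domain_realm]
  example.com = IPA.EXAMPLE.COM
  .example.com = IPA.EXAMPLE.COM
"""

if __name__ == "__main__":
    for name, conf in (("discovery", DISCOVERY_CONF), ("pinned", PINNED_CONF)):
        print(name, check_realm_pinning(conf, "IPA.EXAMPLE.COM", "example.com") or ["ok"])
```

The checker treats a missing dns_lookup_kdc as "on", which is what MIT krb5 does, so a client that merely omits the key is still reported as discovering its KDC from DNS.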


Re: [Freeipa-users] freeipa radius cisco

2013-01-15 Thread Simo Sorce
On Tue, 2013-01-15 at 16:39 +0100, Han Boetes wrote:
> Hi,
> 
> 
> Since most of our cisco images do not support encryption the apparent
> way to go is using radius which is supported by most cisco devices.
> 
> 
> What is the current status for making this wonderful idea work in the
> real world.
> 

We haven't resumed work to integrate radius as a full feature component
of FreeIPA yet, sorry.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York


Re: [Freeipa-users] Process conflict issue when restarting IPA

2013-01-15 Thread Simo Sorce
On Tue, 2013-01-15 at 09:15 -0500, Michael Mercier wrote:
> On 2013-01-14, at 8:11 PM, Dmitri Pal wrote:
> 
> > On 01/14/2013 05:59 PM, William Muriithi wrote:
> >> Hello
> >> 
> >> When I restart IPA through  ipactl, I get the following message.  All
> >> seem to be working despite the message.  I think it is pki-ca that is
> >> running on tomcat
> >> 
> >> Starting httpd: [Fri Jan 11 16:13:25 2013] [warn] worker
> >> ajp://localhost:9447/ already used by another worker
> >> [Fri Jan 11 16:13:25 2013] [warn] worker ajp://localhost:9447/ already
> >> used by another worker
> >> 
> >> I assume there may be a bug on the ipactl script, is this a correct 
> >> assumption?
> >> 
> >> Regards
> >> 
> >> William
> >> 
> >> ___
> >> Freeipa-users mailing list
> >> Freeipa-users@redhat.com
> >> https://www.redhat.com/mailman/listinfo/freeipa-users
> > Which version you are on?
> > 
> > This issue seems to be addressed quite some time ago
> > https://fedorahosted.org/freeipa/ticket/2333
> > https://bugzilla.redhat.com/show_bug.cgi?id=785791
> 
> I see the same issue as William on CentOS6.3 fully up-to-date...
> 
> [root@test-1 ~]# rpm -qa|grep ipa
> ipa-client-2.2.0-16.el6.x86_64
> ipa-server-selinux-2.2.0-16.el6.x86_64
> libipa_hbac-1.8.0-32.el6.x86_64
> ipa-pki-common-theme-9.0.3-7.el6.noarch
> python-iniparse-0.3.1-2.1.el6.noarch
> ipa-python-2.2.0-16.el6.x86_64
> ipa-admintools-2.2.0-16.el6.x86_64
> ipa-server-2.2.0-16.el6.x86_64
> ipa-pki-ca-theme-9.0.3-7.el6.noarch
> libipa_hbac-python-1.8.0-32.el6.x86_64
> [root@test-1 ~]# yum update
> Loaded plugins: fastestmirror
> Loading mirror speeds from cached hostfile
> base  
>   | 3.7 kB 00:00 
> extras
>   | 3.5 kB 00:00 
> updates   
>   | 3.5 kB 00:00 
> Setting up Update Process
> No Packages marked for Update
> [root@service-1 ~]# ipactl restart
> Restarting Directory Service
> Shutting down dirsrv: 
> TEST-LOCAL...[  OK  ]
> PKI-IPA... [  OK  ]
> Starting dirsrv: 
> TEST-LOCAL...[  OK  ]
> PKI-IPA... [  OK  ]
> Restarting KDC Service
> Stopping Kerberos 5 KDC:   [  OK  ]
> Starting Kerberos 5 KDC:   [  OK  ]
> Restarting KPASSWD Service
> Stopping Kerberos 5 Admin Server:  [  OK  ]
> Starting Kerberos 5 Admin Server:  [  OK  ]
> Restarting DNS Service
> Stopping named:    [  OK  ]
> Starting named:[  OK  ]
> Restarting MEMCACHE Service
> Stopping ipa_memcached:[  OK  ]
> Starting ipa_memcached:[  OK  ]
> Restarting HTTP Service
> Stopping httpd:[  OK  ]
> Starting httpd: [Tue Jan 15 09:10:03 2013] [warn] worker 
> ajp://localhost:9447/ already used by another worker
> [Tue Jan 15 09:10:03 2013] [warn] worker ajp://localhost:9447/ already used 
> by another worker
>[  OK  ]
> Restarting CA Service
> Stopping pki-ca:   [  OK  ]
> Starting pki-ca:   [  OK  ]
> [root@test-1 ~]# 

AFAIK it is a known harmless bug in that version of apache/ajp and can be
safely ignored.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York


Re: [Freeipa-users] AD permissions needed for setting up AD trusts

2013-01-11 Thread Simo Sorce
On Fri, 2013-01-11 at 10:52 +0100, Petr Spacek wrote:
> On 11.1.2013 10:19, Alexander Bokovoy wrote:
> > On Fri, 11 Jan 2013, David Juran wrote:
> >> On fre, 2013-01-04 at 19:04 +0100, Ana Krivokapic wrote:
> >>> On 01/03/2013 12:28 PM, Petr Spacek wrote:
> >>> > On 12/21/2012 01:19 PM, Sumit Bose wrote:
> >>> >> On Fri, Dec 21, 2012 at 12:30:33PM +0100, James Findley wrote:
> >>> >>> Hi
> >>> >>>
> >>> >>> What permission level is needed for the AD user when creating an AD
> >>> >>> trust?  Can a regular domain user account do it, or is a domain
> >>> >>> admin needed?
> >>> >>
> >>> >> The account used here must be a member of the Domain Admins group.
> >>> >>
> >>> >>>
> >>> >>> If write access to the AD server is needed, then could someone
> >>> >>> please tell me what the command will actually change in the AD server?
> >>> >>>
> >>> >>
> >>> >> 'ipa trust-add' will only use LSA calls on the AD server. The most
> >>> >> important one is CreateTrustedDomainEx2
> >>> >> (http://msdn.microsoft.com/en-us/library/cc234380.aspx) to create the
> >>> >> trust between the two domains. Additionally 
> >>> >> QueryTrustedDomainInfoByName
> >>> >> (http://msdn.microsoft.com/en-us/library/cc234376.aspx) to check if the
> >>> >> trust is already added and SetInformationTrustedDomain
> >>> >> (http://msdn.microsoft.com/en-us/library/cc234385.aspx) to tell the AD
> >>> >> server that the IPA server can handle AES encryption are used.
> >>> >
> >>> > Should we add this information to AD trusts documentation?
> >>> >
> >>> >>> The windows team at my place of work will want to know exactly what
> >>> >>> the tool will do before they grant permission.
> >>> >
> >>> I have added this information to the AD trusts wiki page:
> >>> http://www.freeipa.org/page/IPAv3_AD_trust_setup#Add_trust_with_AD_domain
> >>
> >> That link only gets me to an empty wiki page...
> > It is moved to HOWTOs:
> > http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Add_trust_with_AD_domain
> 
> Should we create a redirection? At least for users digging in archives?

I actually explicitly removed it to avoid clutter in the root :)

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York


Re: [Freeipa-users] Issues to watch out for / anticipate when upgrading RHEL6.3 and IPA 2 to 6.4 and IPA 3

2013-01-08 Thread Simo Sorce
On Tue, 2013-01-08 at 19:31 +, Steven Jones wrote:
> HI,
> 
> I assume RHEL 6.4 is GA shortly; just how straightforward is the upgrade from 
> one IPA version to another please?
> regards

Should just require an rpm upgrade and a restart and nothing else.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York


Re: [Freeipa-users] gotcha for windows hosts: hostnames should not exceed 15 chars

2013-01-03 Thread Simo Sorce
On Thu, 2013-01-03 at 10:37 +0100, Han Boetes wrote:
> Perhaps it's worth mentioning that hostnames for windows client can
> not exceed 15 chars on this page.
> 
> 
> http://freeipa.org/page/Windows_authentication_against_FreeIPA
> 
> 
> 
> I ran into it and it cost me a day trying to fix it. I had to
> reinstall my test machine to make it work properly.
> 
Thanks a lot, I added a note to the page.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York


Re: [Freeipa-users] User's Cannot Reset Expire Passwords Without Password Being Reset First in WebUI

2013-01-03 Thread Simo Sorce
On Wed, 2013-01-02 at 17:47 -0500, Chris Natter wrote:
> Hello,
> 
> My users are running into a bit of a problem with password expiry and
> the reset prompts.
> 
> When they attempt to reset their password they end up receiving access
> denied messages after going through the prompts to reset their
> password
> and entering their new desired passwords.
> 
> The interesting thing is that if I reset the password via the Web UI
> to anything,
> and then have the user try again with the new password, they are able
> to 
> successfully reset their password with no issues.
> 
> Log snippets are below, I've sanitized them so the user in question is
> 'juser'.
> 
> Any help or guidance would be very appreciated. Thank you!
> 
> 
They are probably failing to meet password policies but sshd is not
using pam conversations.
Set ChallengeResponseAuthentication yes in sshd_config; this should
allow conversations and proper errors to show up.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

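
A check for the sshd_config change suggested above, added here and not code from the thread: sshd honours the first value it finds for a keyword, so an appended ChallengeResponseAuthentication yes is silently ignored when an earlier line already says no. The sample sshd_config is constructed.

```python
"""Report and set the value sshd will actually use for a keyword. Added
example, not code from the thread. sshd keeps the first value it obtains
for each keyword, so appending 'ChallengeResponseAuthentication yes' to a
file that already says 'no' higher up changes nothing. The sshd_config
below is constructed."""


def _keyword_value(raw):
    """Split a config line into (lower-cased keyword, value); None for
    blank lines, comments and lines without a value. Both 'key value' and
    'key = value' are accepted."""
    line = raw.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.replace("=", " ", 1).split(None, 1)
    if len(parts) != 2:
        return None
    return parts[0].lower(), parts[1].strip()


def effective_sshd_option(config_text, keyword):
    """Return (value, line_number) of the first global occurrence of
    keyword, or (None, None). Parsing stops at the first Match block, whose
    values apply only conditionally."""
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        kv = _keyword_value(raw)
        if kv is None:
            continue
        if kv[0] == "match":
            break
        if kv[0] == keyword.lower():
            return kv[1], lineno
    return None, None


def set_sshd_option(config_text, keyword, value):
    """Return config_text with keyword set to value where sshd honours it:
    the first global occurrence is rewritten, later global duplicates are
    commented out, and a missing keyword is inserted before the first Match
    block (or appended)."""
    out, done, in_match = [], False, False
    for raw in config_text.splitlines():
        kv = _keyword_value(raw)
        if kv and kv[0] == "match" and not in_match:
            in_match = True
            if not done:
                out.append("%s %s" % (keyword, value))
                done = True
        if kv and not in_match and kv[0] == keyword.lower():
            if not done:
                out.append("%s %s" % (keyword, value))
                done = True
            else:
                out.append("#" + raw)  # ignored by sshd anyway; make that visible
            continue
        out.append(raw)
    if not done:
        out.append("%s %s" % (keyword, value))
    return "\n".join(out) + "\n"


# Constructed sshd_config: the 'yes' at the bottom never takes effect.
SAMPLE_SSHD_CONFIG = """\
# constructed sample
Port 22
ChallengeResponseAuthentication no
UsePAM yes
Subsystem sftp /usr/libexec/openssh/sftp-server
# added while debugging; sshd already took 'no' from line 3
ChallengeResponseAuthentication yes
"""

if __name__ == "__main__":
    print(effective_sshd_option(SAMPLE_SSHD_CONFIG, "ChallengeResponseAuthentication"))
    fixed = set_sshd_option(SAMPLE_SSHD_CONFIG, "ChallengeResponseAuthentication", "yes")
    print(fixed)
    print(effective_sshd_option(fixed, "ChallengeResponseAuthentication"))
```

UsePAM yes must also be in effect, since the PAM conversation that carries the password-policy error runs over keyboard-interactive authentication; the same function can be pointed at that keyword.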


Re: [Freeipa-users] re-sync passwords after migration from LDAP to IPA ?

2013-01-02 Thread Simo Sorce
On Wed, 2013-01-02 at 18:36 +0100, Jan-Frode Myklebust wrote:
> But... where do I find the LDAP passwords in IPA ? I see there's no
> "userPassword" attribute on each user as I was expecting.., so where
> is this hidden? And can it be compared against the SSHA from the old
> directory ?

Passwords are stored in both the userPassword attribute (SHA256 hash by
default) and the krbPrincipalKey attribute, an opaque and encrypted object
containing Kerberos Keys (RC4/3DES/AES keys).
If you enabled trusts or samba integration you will also have RC4 hashes
in the sambaNTpassword or ipaNThash attributes.

None of these attributes are readable, so you will not see them. Only
'cn=Directory Manager' can retrieve them, because that account has super
powers.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York


Re: [Freeipa-users] Joining Fedora 18 (FreeIPA 3.1.0) to CentOS 6.3 (FreeIPA 2.1.90rc1)

2013-01-02 Thread Simo Sorce
On Wed, 2013-01-02 at 08:00 -0500, Stephen Gallagher wrote:
> On 12/28/2012 10:23 AM, Michael B. Trausch wrote:
> > On 12/28/2012 08:56 AM, Simo Sorce wrote:
> >> However re-reading the ticket made me wonder. Is this happening on the
> >> F18 machine or on the Centos 6.3 machine ?
> >
> > The sigsegv is happening on the Fedora 18 box, the one running FreeIPA
> > 3.1.0.
> >
> > I am completely unable to install debug symbols for the following libraries:
> >
> > ===
> > Missing separate debuginfos, use: debuginfo-install
> > cyrus-sasl-gssapi-2.1.25-2.fc18.x86_64
> > cyrus-sasl-lib-2.1.25-2.fc18.x86_64 cyrus-sasl-md5-2.1.25-2.fc18.x86_64
> > cyrus-sasl-plain-2.1.25-2.fc18.x86_64 glibc-2.16-28.fc18.x86_64
> > pcre-8.31-3.fc18.x86_64 sssd-client-1.9.3-1.fc18.x86_64
> > ===
> >
> > When I run that command, I get the following message:
> >
> > ===
> > No debuginfo packages available to install
> > ===
> >
> > Which of course, is unhelpful.
> >
> > --- Mike
> >
> 
> 
> That's the problem with running Fedora pre-releases. If you don't 
> remember to disable the updates-testing repo, you get untested packages. 
> The latest version of cyrus-sasl that is in the stable repo is 
> cyrus-sasl-gssapi-2.1.23-36.fc18.x86_64. The reason you can't get the 
> debuginfo packages for cyrus-sasl is because the update was yanked from 
> the testing repo due to *drumroll* segfaults.
> 
> I strongly recommend that you do the following:
> 'yum clean all' (Purges your yum cache completely, so we don't get stale 
> data)
> 'yum update fedora-release' (The latest version that is now in stable 
> disables updates-testing)
> 'yum distro-sync' (This upgrades and downgrades all packages so that 
> they match what is in the enabled repositories, in this case it will 
> guarantee that you have the latest stable versions of all packages).
> 
> Alternately you can wait until next week (January 8th) when Fedora 18 
> stable is expected to be released (assuming that tomorrow's Go/No-Go 
> meeting does not delay it for another week) and install fresh from there.

Thanks Stephen, I'll close the bug as invalid.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York


Re: [Freeipa-users] Joining Fedora 18 (FreeIPA 3.1.0) to CentOS 6.3 (FreeIPA 2.1.90rc1)

2012-12-28 Thread Simo Sorce
On Thu, 2012-12-27 at 10:11 -0500, Michael B. Trausch wrote:
> On 12/26/2012 10:23 AM, Simo Sorce wrote:
> > It's missing the sasl library's debug info.
> > 
> > Could you install cyrus-sasl-debuginfo and regenerate the stack trace
> > from the core file ?
> > 
> > I do not have a centos box handy.
> 
> Done; updated stack trace is on the ticket now.

Unfortunately all the interesting info is still missing :-/

However re-reading the ticket made me wonder. Is this happening on the
F18 machine or on the Centos 6.3 machine ?

If you can add to the ticket the exact rpm version of the following
packages I can try to use the core file.
freeipa-client/ipa-client
krb5-libs
cyrus-sasl

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York


Re: [Freeipa-users] delegation questions: how to reset password for subordinate?

2012-12-28 Thread Simo Sorce
On Wed, 2012-12-26 at 15:57 -0800, David Copperfield wrote:
> Hi all,
> 
> 
>  What are the user attributes that A manager should be granted with
> read&write permissions to reset passwords for subordinate employees?
> The typical implementation case: managers need to take care of
> password reset requests for their subordinate employees.
> 
> 
>  I select 'userpassword' field the first time but it fails, then
> combine it with a few other krb* fields but those don't help either.
> 
> 
>  If you have the minimum field combinations to make the 'password
> changing' delegation work, please feel free to post your results here.
> Presently I just select ALL fields with read&write permissions to make
> it work, but that definitely is overkill and hurts privacy
> potentially.

You need write access to at least userPassword and krbPrincipalKey.

Simo.

P.S. David, please do not start a new thread by replying to old mails.

-- 
Simo Sorce * Red Hat, Inc * New York


Re: [Freeipa-users] ipa client question

2012-12-26 Thread Simo Sorce
On Wed, 2012-12-26 at 10:00 -0500, Nate Marks wrote:
> solved:  I just removed the cache files.  apparently that has to
> happen manually.  they don't get cleaned up with the client uninstall
> or the package uninstalls.

If you accept the ipa ca cert in the browser you may also have to remove
the old one to be able to access the webui.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York


Re: [Freeipa-users] Joining Fedora 18 (FreeIPA 3.1.0) to CentOS 6.3 (FreeIPA 2.1.90rc1)

2012-12-26 Thread Simo Sorce
On Tue, 2012-12-25 at 19:54 -0500, Michael B. Trausch wrote:
> On 12/25/2012 07:53 PM, Simo Sorce wrote:
> > Could you install the sasl debuginfo packages and provide a trace with
> > debugging info ?
> 
> Did I do it wrong on the ticket?

It's missing the sasl library's debug info.

Could you install cyrus-sasl-debuginfo and regenerate the stack trace
from the core file ?

I do not have a centos box handy.

Simo.


-- 
Simo Sorce * Red Hat, Inc * New York


Re: [Freeipa-users] Joining Fedora 18 (FreeIPA 3.1.0) to CentOS 6.3 (FreeIPA 2.1.90rc1)

2012-12-25 Thread Simo Sorce
On Tue, 2012-12-25 at 18:34 -0500, Michael B. Trausch wrote:
> On 12/25/2012 02:08 PM, Michael B. Trausch wrote:
> > So, to summarize, all I really know is that there is an apparent NULL
> > pointer dereferenced somewhere in the GSS library when called from
> > ipa-getkeytab, and I don't have any apparent way to collect a stack
> > trace or otherwise get anything more useful.  :-/
> > 
> > So, in short, I'll definitely need some help to report this usefully.
> 
> Hah!  I got a core file.
> 
> This has been reported in the FreeIPA tracker as #3317.

Ah nvm my previous email, it looks like the gssapi v2 plugin of the sasl
library.

Could you install the sasl debuginfo packages and provide a trace with
debugging info ?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York


Re: [Freeipa-users] Joining Fedora 18 (FreeIPA 3.1.0) to CentOS 6.3 (FreeIPA 2.1.90rc1)

2012-12-25 Thread Simo Sorce
On Mon, 2012-12-24 at 21:30 -0500, Michael B. Trausch wrote:
> On 12/23/2012 03:32 PM, Michael B. Trausch wrote:
> > Whoops.  Let's try this again, I failed to post it correctly the first
> > time.
> 
> Hrm.  It'd seem I overlooked something...
> 
> [776940.813555] ipa-getkeytab[28840]: segfault at 0 ip 7fa38cda61dc
> sp 7fffbdf1bce0 error 6 in libgssapiv2.so.2.0.25[7fa38cda3000+7000]
> 
> I guess I better get a bug filed if there isn't one already.  I assume
> that the bug should go to Fedora, and not the FreeIPA project, would
> that be correct?

Mike, what gssapi library is this ?

This does not look like the MIT krb5 provided libgssapi, so you have
non-standard gssapi libraries installed on your system ?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York


Re: [Freeipa-users] Kerberos and Cisco

2012-12-23 Thread Simo Sorce
On Fri, 2012-12-21 at 18:23 -0500, Dmitri Pal wrote:
> On 12/21/2012 05:40 PM, Mike Mercier wrote: 
> > Hi Bret, 
> > 
> > 
> > I tried this once in the past with no success.  If I recall
> > correctly (I can't find the reference anymore), Cisco (at least in
> > IOS 12.4 that I tested) only supports the DES-CBC-CRC enctype.  This
> > enctype disabled by default in FreeIPA.
> 
> allow_weak_crypto = true 
> 
> in krb5.conf to enable it.

These instructions are relevant only for a Linux based client.

Bret,
on top of changing the above on the server and restarting it,
you need to add DES as an allowed enctype in the IPA server LDAP
attribute that controls it (*) as well as explicitly specify you want a
DES key when you use ipa-getkeytab to get a keytab for your device.


(*) This attribute is called krbSupportedEncSaltTypes and is stored in
cn=,cn=kerberos,cn= in your LDAP server.

You probably want to add the value: des-cbc-crc:normal

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York


Re: [Freeipa-users] disable user account in batch mode in IPA

2012-12-21 Thread Simo Sorce
On Fri, 2012-12-21 at 11:33 -0500, Qing Chang wrote:
> I hope google did not skip me when searching for an answer.
> 
> I'd like to disable inactive accounts migrated from OpenLDAP, so far
> I can only do it per web UI. Because I have hundreds of accounts to
> disable, I really appreciate if someone can provide a command line
> for me.

ipa user-disable shassan

> I actually tried to figure out what attribute corresponds to "disabled"
> but could not see it in ldapsearch output, for example:
> 
> ldapsearch -LL -x -D 'cn=Directory Manager' -W -b 'dc=sri,dc=utoronto,dc=ca' 
> '(uid=shassan)'

You have to explicitly request the 'nsAccountLock' attribute.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

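
Both the Kerberos and Cisco reply above (krbSupportedEncSaltTypes with des-cbc-crc:normal added) and this one (nsAccountLock only appears when requested by name) come down to reading attributes out of an ldapsearch dump. As an added example, not code from either post, the Python below parses a constructed LDIF dump, flags weak or deprecated enctypes on the realm container, and lists the users that are disabled. Realm, suffix and user names are placeholders for the values elided in the thread; the weak/deprecated classification is MIT krb5's and is stated in the code.

```python
"""Audit an ldapsearch (LDIF) dump for the two attributes discussed above:
weak Kerberos enctypes on the realm container and users disabled through
nsAccountLock. Added example, not code from either post. The dump is
constructed; realm and suffix are placeholders for the values elided in
the thread. Both attributes come back only when requested by name."""

# Classification used here, in MIT krb5 terms: single-DES and export RC4
# are "weak" (refused unless allow_weak_crypto = true); RC4 and 3DES are
# deprecated but were still accepted by default at the time of the thread.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-cbc-raw",
                 "des-hmac-sha1", "arcfour-hmac-exp"}
DEPRECATED_ENCTYPES = {"arcfour-hmac", "arcfour-hmac-md5", "des3-cbc-sha1",
                       "des3-hmac-sha1"}


def parse_ldif(text):
    """Return one {attribute: [values]} dict per entry.

    Continuation lines (leading space) are folded, comments and the
    'version:' header skipped, attribute names lower-cased (LDAP compares
    them case-insensitively). Base64 values ('attr:: ...') are not decoded.
    """
    records, lines = [], []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif not raw.strip():
            if lines:
                records.append(lines)
            lines = []
        elif not raw.startswith(("#", "version:")):
            lines.append(raw)
    if lines:
        records.append(lines)
    entries = []
    for record in records:
        entry = {}
        for line in record:
            name, _, value = line.partition(":")
            entry.setdefault(name.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries


def weak_enctypes(entries):
    """Map each DN carrying krb*EncSaltTypes to its sorted weak/deprecated
    enctypes. Values have the form 'enctype:salttype'."""
    findings = {}
    for entry in entries:
        flagged = set()
        for attr in ("krbsupportedencsalttypes", "krbdefaultencsalttypes"):
            for value in entry.get(attr, []):
                enctype = value.split(":", 1)[0].lower()
                if enctype in WEAK_ENCTYPES:
                    flagged.add(enctype + " (weak)")
                elif enctype in DEPRECATED_ENCTYPES:
                    flagged.add(enctype + " (deprecated)")
        if flagged:
            findings[entry["dn"][0]] = sorted(flagged)
    return findings


def disabled_users(entries):
    """uids whose nsAccountLock is TRUE, i.e. what 'ipa user-disable' sets."""
    return sorted(e["uid"][0] for e in entries if "uid" in e
                  and e.get("nsaccountlock", ["FALSE"])[0].upper() == "TRUE")


# Constructed dump: the realm container after des-cbc-crc:normal was added
# as in the Cisco thread, plus two users, one of them disabled.
SAMPLE_LDIF = """\
dn: cn=EXAMPLE.TEST,cn=kerberos,dc=example,dc=test
objectClass: krbrealmcontainer
cn: EXAMPLE.TEST
krbSupportedEncSaltTypes: aes256-cts:normal
krbSupportedEncSaltTypes: aes128-cts:normal
krbSupportedEncSaltTypes: des3-hmac-sha1:normal
krbSupportedEncSaltTypes: arcfour-hmac:normal
krbSupportedEncSaltTypes: des-cbc-crc:normal
krbDefaultEncSaltTypes: aes256-cts:special
krbDefaultEncSaltTypes: aes128-cts:special

dn: uid=jdoe,cn=users,cn=accounts,dc=example,dc=test
uid: jdoe
nsAccountLock: TRUE

dn: uid=asmith,cn=users,cn=accounts,dc=example,dc=test
uid: asmith
nsAccountLock: FALSE
"""

if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    print("weak/deprecated enctypes:", weak_enctypes(entries))
    print("disabled users:", disabled_users(entries))
```

Feed it the output of an ldapsearch that names the attributes explicitly (for instance '(uid=*)' uid nsAccountLock, or the realm container's DN with krbSupportedEncSaltTypes); a search that omits them returns entries without these attributes and the audit will report nothing.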


Re: [Freeipa-users] Kerberos and Cisco

2012-12-21 Thread Simo Sorce
On Fri, 2012-12-21 at 10:35 -0500, Bret Wortman wrote:
> My network guy wants to use our FreeIPA server to authenticate users
> on Cisco devices, but when we tried to import the keytab, it balked on
> every one of the keys.
> 
> 
> Has anyone done this? Any pointers if so?
> 

Can you provide info on which Cisco device ?
Pointer on their docs, and exact errors you received ?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York


Re: [Freeipa-users] login with kerberos on a webserver, just like with the ipa interface.

2012-12-20 Thread Simo Sorce
On Thu, 2012-12-20 at 16:38 +0100, Han Boetes wrote:
> Hi,
> 
> 
> I followed http://freeipa.org/page/Apache_SNI_With_Kerberos to enable
> login in to a webserver with kerberos tickets. I followed everything
> to the letter and all looks well.
> 
> 
> I can log in with a username and password, but when I set the
> httpd.conf entry to 
> 
> 
>   KrbMethodK5Passwd off
> 
> 
> 
> I can't log in. What works great with the ipa admin interface does not
> work with this recipe.
> 
> I even compared it to /etc/httpd/conf.d/ipa.conf and added the
>  KrbAuthRealms setting but to no avail.
> 
> 
> 
> Adding   KrbConstrainedDelegation on does not work alas. Although I am
> using centos 6.3
> 
> 
> I checked the http logfiles and the /var/log/krb5kdc.log, everything
> else on that host works fine. I can log in without a password and sudo
> -s works like it should.
> 
> 
> Please help me debugging this issue. What am I missing?

Are you using the same fully qualified name you have a keytab for ?
Do you see a ticket for the target server in the user ccache on the
client ?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York


Re: [Freeipa-users] Integrating Yubikey tokens into FreeIPA

2012-12-19 Thread Simo Sorce
On Wed, 2012-12-19 at 13:32 +, Dale Macartney wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
> 
> 
> On 12/19/2012 01:20 PM, Simo Sorce wrote:
> > On Wed, 2012-12-19 at 12:30 +, Dale Macartney wrote:
> >> -BEGIN PGP SIGNED MESSAGE-
> >> Hash: SHA1
> >>
> >> Morning all
> >>
> >> Here's something I was working on last night with Gavin Spurgeon.
> >>
> >> If anyone would like to comment on better ways to achieve this, I'd love
> >> to hear it so I can update my own procedures (and the article of course)
> >>
> >>
> https://www.dalemacartney.com/2012/12/19/integrating-yubikey-token-details-within-ldap-with-freeipa-and-red-hat-enterprise-linux-6/
> >>
> >> I hope some people find it useful.
> >
> > Hi Dale,
> > what problem do you have adding new schema ?
> we weren't able to add any objectIdentifier fields... when trying to
> search for existing schema entries, we received the below output.
> 
> [root@ds01 ~]# ldapsearch -LLL -h localhost -D "cn=Directory Manager" -x
> -w redhat123 -b "cn=schema"
> dn: cn=schema
> objectClass: top
> objectClass: ldapSubentry
> objectClass: subschema
> cn: schema


For some reason the attributes you need to list are not returned by
default and need to be explicitly listed; they are treated as
operational.

The search you need is:
ldapsearch -h localhost -x -b "cn=schema" attributeTypes objectClasses

Note that you do not need any auth to read the schema by default.

> [root@ds01 ~]#
> 
> 
> We were trying to use this schema which what created by Michal, however
> we never managed to get it imported with the objectidentifier values there.
> 
> dn: cn=yubikey,cn=config
> objectClass: SchemaConfig
> cn: yubikey
> #
> # YubiKey LDAP schema
> #
> # Author: Michal Ludvig 
> # Consider a small PayPal donation:
> # http://logix.cz/michal/devel/yubikey-ldap/
> #
> # Common Logix OID structure
> # ...<...>
> ObjectIdentifier: {0}logixOID 1.3.6.1.4.1.40789
> ObjectIdentifier: {1}YubiKeyPrj logixOID:2012.11.1
> ObjectIdentifier: {2}YkSNMP YubiKeyPrj:1
> ObjectIdentifier: {3}YkLDAP YubiKeyPrj:2
> # YubiKey schema sub-tree
> ObjectIdentifier: {4}YkAttribute YkLDAP:1
> ObjectIdentifier: {5}YkObjectClass YkLDAP:2
> AttributeTypes: {0}( YkAttribute:1
>   NAME 'yubiKeyId'
>   DESC 'Yubico YubiKey ID'
>   EQUALITY caseIgnoreIA5Match
>   SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} )
> ObjectClasses: {0}( YkObjectClass:1
>   NAME 'yubiKeyUser'
>   DESC 'Yubico YubiKey User'
>   SUP top
>   AUXILIARY
>   MAY ( yubiKeyId ) )
> 
> we ended up having to settle for
> 
> dn: cn=schema
> #
> attributeTypes: ( 1.3.6.1.4.1.40789.2012.11.1.2.1 NAME 'yubiKeyId' DESC
> 'Yubico YubiKey ID' EQUALITY caseIgnoreIA5Match SYNTAX
> 1.3.6.1.4.1.1466.115.121.1.26{1
> objectClasses: ( 1.3.6.1.4.1.40789.2012.11.1.2.2 NAME 'yubiKeyUser' DESC
> 'Yubico YubiKey User' SUP top AUXILIARY MAY ( yubiKeyId ) )
> 
> 
> Is there any security restrictions on the schema or perhaps something
> done differently to normal LDAP? Unless of course I'm doing something silly.
> 
> thoughts?

Ah no it's just that 389ds does not support the prettified OIDs yet. The
schema file you ended up importing is 100% equivalent to the one with
the OID prefix substitutions.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

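
As an added example (not code from the thread or from Michal Ludvig's yubikey-ldap project), the expander below applies OpenLDAP's objectIdentifier macro rule, where "name macro:suffix" defines name as the dotted OID of macro followed by ".suffix", to the schema posted above, strips the {n} ordering prefixes that are likewise an OpenLDAP cn=config convention, and emits the flat form that 389-ds accepts. The posted schema is reproduced with one definition per line.

```python
"""Expand OpenLDAP-style OID macros into the flat schema 389-ds accepts.
Added example, not code from the thread or from the yubikey-ldap project.
Rule applied (OpenLDAP's objectIdentifier): 'name macro:suffix' defines
name as the dotted OID of macro followed by '.suffix'. The {n} ordering
prefixes are an OpenLDAP cn=config convention and are dropped as well."""
import re

MACRO_LINE = re.compile(
    r"^\s*ObjectIdentifier:\s*(?:\{\d+\})?\s*(\S+)\s+(\S+)\s*$", re.I)
NUMERIC_OID = re.compile(r"\d+(\.\d+)*")
# The OID of a definition is the first token after its opening parenthesis.
DEF_OID = re.compile(r"\(\s*([A-Za-z][\w-]*(?::[\d.]+)?)")
ORDER_PREFIX = re.compile(r"^(\w+:\s*)\{\d+\}")


def expand_oid(token, macros):
    """Resolve 'macro', 'macro:suffix' or an already numeric OID."""
    if NUMERIC_OID.fullmatch(token):
        return token
    name, _, suffix = token.partition(":")
    if name not in macros:
        raise ValueError("undefined OID macro: %s" % name)
    return macros[name] + ("." + suffix if suffix else "")


def load_macros(schema_text):
    """Return {macro: dotted OID}; macros may build on earlier macros."""
    macros = {}
    for line in schema_text.splitlines():
        m = MACRO_LINE.match(line)
        if m:
            name, value = m.groups()
            macros[name] = expand_oid(value, macros)
    return macros


def expand_schema(schema_text):
    """Drop ObjectIdentifier lines and {n} prefixes, and replace macro-based
    OIDs at the head of attributeTypes/objectClasses definitions. Names that
    are not macros (e.g. attribute names inside MAY ( ... )) are untouched."""
    macros = load_macros(schema_text)

    def resolve(m):
        token = m.group(1)
        if token.partition(":")[0] in macros:
            return "( " + expand_oid(token, macros)
        return m.group(0)

    out = []
    for line in schema_text.splitlines():
        if MACRO_LINE.match(line):
            continue
        line = ORDER_PREFIX.sub(r"\1", line)
        out.append(DEF_OID.sub(resolve, line))
    return "\n".join(out) + "\n"


# The schema as posted in the thread, flattened to one definition per line.
POSTED_SCHEMA = """\
ObjectIdentifier: {0}logixOID 1.3.6.1.4.1.40789
ObjectIdentifier: {1}YubiKeyPrj logixOID:2012.11.1
ObjectIdentifier: {2}YkSNMP YubiKeyPrj:1
ObjectIdentifier: {3}YkLDAP YubiKeyPrj:2
ObjectIdentifier: {4}YkAttribute YkLDAP:1
ObjectIdentifier: {5}YkObjectClass YkLDAP:2
AttributeTypes: {0}( YkAttribute:1 NAME 'yubiKeyId' DESC 'Yubico YubiKey ID' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} )
ObjectClasses: {0}( YkObjectClass:1 NAME 'yubiKeyUser' DESC 'Yubico YubiKey User' SUP top AUXILIARY MAY ( yubiKeyId ) )
"""

if __name__ == "__main__":
    for name, oid in load_macros(POSTED_SCHEMA).items():
        print("%-14s %s" % (name, oid))
    print(expand_schema(POSTED_SCHEMA))
```

Comparing this output with a hand-expanded schema before importing it catches a dropped or doubled arc, which is easy to do when resolving four levels of macros by eye.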


Re: [Freeipa-users] Integrating Yubikey tokens into FreeIPA

2012-12-19 Thread Simo Sorce
On Wed, 2012-12-19 at 12:30 +, Dale Macartney wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
> 
> Morning all
> 
> Here's something I was working on last night with Gavin Spurgeon.
> 
> If anyone would like to comment on better ways to achieve this, I'd love
> to hear it so I can update my own procedures (and the article of course)
> 
> https://www.dalemacartney.com/2012/12/19/integrating-yubikey-token-details-within-ldap-with-freeipa-and-red-hat-enterprise-linux-6/
> 
> I hope some people find it useful.

Hi Dale,
what problem do you have adding new schema ?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York


Re: [Freeipa-users] Problem generating Oracle ZFS Storage Appliance host and nfs principals and keys to IPA/Free IPA.

2012-12-18 Thread Simo Sorce
On Tue, 2012-12-18 at 05:24 +, Johan Petersson wrote:
> Hi,
> 
> Unfortunately i still get the same error from the Appliance even after having 
> added both host and nfs principals in the IPA web interface.
> 
> "failed to create principal 'host/zfs1.home@HOME': libkadm5clnt error:
>  43787522 (Operation requires ``add'' privilege)"
> 
> I get the impression that the Appliance does not recognize existing 
> principals since i still get the same create principal error.
> So it seems that it does not cope with pre existing principals, at least not 
> from IPA Server.
> I will contact Oracle about this issue and see what they say.

Is there any support for using this appliance in an Active Directory
domain ? It is possible that they have alternative instructions there.
IIRC AD also does not allow you to create principals via the kadmin
interface. However they may have tied the 'AD option', if any, in knots so
that it also doesn't work with anything but a real AD.

It would be nice to hear how Oracle justifies requiring high credentials
on an appliance otherwise.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York


Re: [Freeipa-users] FreeIPA and Samba 4

2012-12-18 Thread Simo Sorce
On Mon, 2012-12-17 at 22:48 -0500, William Muriithi wrote:
> > > I know this may be a loaded question, but I am asking it anyways.
> > >
> > >
> > > Can anyone tell me what the current status and future plan for
> IPA /
> > > Samba 4 is?
> >
> > We plan to support setting up trusts with Samba4 just like we do
> with AD
> > when Samba4 will start supporting Cross-forest trusts. It currently
> > doesn't.
> >
> > Simo.
> >
> Yes, it's amazing samba4 has finally gone GA. Plan to set up an
> instance as a backup AD to existing AD some day when I get some time.
> Not well documented though, wish there was a well written book on it.
> Anyway backup AD would be the best way to get some experience I am
> assuming 
> 
> A related question, would there be any need to have a replica when
> using trust if the AD is just one instance?  What I am asking in
> another way is, if the AD fail, wouldn't the FreeIPA fail to
> authenticate users till AD issues are fixed?

It depends on the case.

In general the answer would be yes, however.
- if you already have a cross-realm TGT you should still be able to
access all IPA services as the AD KDC is not required until a renew is
necessary.
- if you do password based logins then sssd may cache offline
credentials and still let you in (but you will not have a TGT, so you
may not use kerberized services).

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York


Re: [Freeipa-users] Problem generating Oracle ZFS Storage Appliance host and nfs principals and keys to IPA/Free IPA.

2012-12-17 Thread Simo Sorce
 kadm5_create_principal, host/zfs1.home@HOME,
> client=admin@HOME, service=kadmin/server.home@HOME, addr=192.168.0.112
> 
> 
> And in the krb5kdc.log:
> 
> 
> Dec 17 23:15:23 server.home krb5kdc[4015](info): AS_REQ (7 etypes {18
> 17 16 23 24 3 1}) 192.168.0.112: CLIENT_NOT_FOUND: root/zfs1.home@HOME
> for krbtgt/HOME@HOME, Client not found in Kerberos database
> Dec 17 23:15:23 server.home krb5kdc[4016](info): AS_REQ (7 etypes {18
> 17 16 23 24 3 1}) 192.168.0.112: CLIENT_NOT_FOUND: host/zfs1.home@HOME
> for krbtgt/HOME@HOME, Client not found in Kerberos database

All this is pretty much expected if this appliance tries to create
principals via the kadmin add API.

> 
> If i add the host in IPA i instead get:
> 
> 
> Dec 17 23:48:18 server.home krb5kdc[4016](info): ...
> CONSTRAINED-DELEGATION s4u-client=admin@HOME
> Dec 17 23:48:35 server.home krb5kdc[4016](info): AS_REQ (7 etypes {18
> 17 16 23 24 3 1}) 192.168.0.112: NEEDED_PREAUTH: admin@HOME for
> kadmin/server.home@HOME, Additional pre-authentication required
> Dec 17 23:48:35 server.home krb5kdc[4015](info): AS_REQ (7 etypes {18
> 17 16 23 24 3 1}) 192.168.0.112: ISSUE: authtime 1355784515, etypes
> {rep=18 tkt=18 ses=18}, admin@HOME for kadmin/server.home@HOME

I see no problem in here, so does the appliance cope with pre-existing
principals ?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York


Re: [Freeipa-users] FreeIPA and Samba 4

2012-12-17 Thread Simo Sorce
On Mon, 2012-12-17 at 14:58 -0500, Steven Santos wrote:
> I know this may be a loaded question, but I am asking it anyways.
> 
> 
> Can anyone tell me what the current status and future plan for IPA /
> Samba 4 is?

We plan to support setting up trusts with Samba4 just like we do with AD
when Samba4 will start supporting Cross-forest trusts. It currently
doesn't.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] User expiration on a certain date

2012-12-17 Thread Simo Sorce
On Mon, 2012-12-17 at 11:00 -0800, Brian Cook wrote:
> >>>>> 
> >>>>> Is it possible to lock out an user account on a set date?
> >>>>> 
> >>>>> 
> >>>> 
> >>>> You should be able to set the krbPrincipalExpiration attribute to expire
> >>>> an account on a set date.
> >>>> 
> >>>> However note this: https://fedorahosted.org/freeipa/ticket/3305
> >>>> 
> >>>> 
> >>>> 
> >>>> It means it will work with krb auth but not with ldap binds for now.
> >>>> 
> >>>> 
> >>>> 
> >>> 
> >>> Thanks! That worked like a charm!!
> >>> 
> >>> 
> >>> Is there any active ticket to have this property exposed for editing in 
> >>> the IPA CLI / WEBUI?
> >>> 
> >> 
> >> No, an RFE ticket would be welcome though.
> >> 
> > 
> > Ok, for the record:
> > 
> > https://bugzilla.redhat.com/show_bug.cgi?id=887988
> > 
> > 
> > Rgds,
> > Siggi
> > 
> 
> It would be better though to have a real account expiration setting in the UI 
> that not only set krbPrincipalExpiration but also locked the ldap user 
> account and any other appropriate actions.
> 
> 
> Brian

Brian,
that's what #3305 above is for.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York


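The krbPrincipalExpiration workaround from this thread, as an added example (shell; not FreeIPA's own code). Simo's caveat is that the KDC honours the attribute while LDAP simple binds do not (ticket #3305), so besides setting the date it is worth listing accounts that are already past it and disabling them explicitly with ipa user-disable, which sets nsAccountLock and is enforced on LDAP binds as well. The helpers below validate the GeneralizedTime value, print the user-mod command that reaches the attribute through --setattr, and scan LDIF for principals whose expiry has passed. The sample LDIF is constructed; the search base and user names are assumptions.

```shell
#!/bin/sh
# Expiry helpers for the krbPrincipalExpiration workaround. Added example, not
# FreeIPA code. Assumes POSIX sh + awk on an enrolled client with a valid ticket.

# Validate a GeneralizedTime in the exact YYYYMMDDHHMMSSZ form krbPrincipalExpiration
# expects (UTC, no fractional seconds). Returns 0 when acceptable.
valid_generalized_time() {
    case $1 in
        [0-9][0-9][0-9][0-9][0-1][0-9][0-3][0-9][0-2][0-9][0-5][0-9][0-5][0-9]Z) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the command that sets the expiry on a user (--setattr is how the attribute
# is reached until the CLI grows a dedicated option). Fails on a malformed time.
expiry_command() {
    user=$1; when=$2
    valid_generalized_time "$when" || { echo "bad GeneralizedTime: $when" >&2; return 1; }
    printf 'ipa user-mod %s --setattr krbprincipalexpiration=%s\n' "$user" "$when"
}

# Read LDIF on stdin (ldapsearch output, or "ipa user-find --all --raw") and print
# "uid expiry" for each entry whose krbPrincipalExpiration is before $1 (default: now).
# GeneralizedTime is fixed-width UTC, so a plain string comparison orders it correctly.
# Caveat: assumes single-line, non-base64 values, which holds for these two attributes.
find_expired_principals() {
    now=${1:-$(date -u +%Y%m%d%H%M%SZ)}
    awk -v now="$now" '
        function flush() {
            if (uid != "" && expiry != "" && expiry < now) print uid, expiry
            uid = ""; expiry = ""
        }
        /^[[:space:]]*$/ || /^[[:space:]]*dn:/ { flush(); next }   # entry boundaries
        { attr = tolower($1); sub(/:$/, "", attr) }
        attr == "uid"                    { uid = $2 }
        attr == "krbprincipalexpiration" { expiry = $2 }
        END { flush() }'
}

# Constructed sample standing in for:
#   ldapsearch -Y GSSAPI -LLL -b cn=accounts,dc=example,dc=com \
#       '(krbPrincipalExpiration=*)' uid krbPrincipalExpiration
SAMPLE_LDIF='dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
uid: alice
krbPrincipalExpiration: 20120101000000Z

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=com
uid: bob
krbPrincipalExpiration: 20991231235959Z

dn: uid=carol,cn=users,cn=accounts,dc=example,dc=com
uid: carol'

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LDIF" | find_expired_principals
fi
```

Run with --demo to see the scan over the sample; in production pipe a real ldapsearch into find_expired_principals and feed each uid it prints to ipa user-disable.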

Re: [Freeipa-users] User expiration on a certain date

2012-12-17 Thread Simo Sorce
On Mon, 2012-12-17 at 19:08 +0100, Sigbjorn Lie wrote:
> 
> 
> On Mon, December 17, 2012 18:40, Simo Sorce wrote:
> > On Mon, 2012-12-17 at 16:04 +0100, Sigbjorn Lie wrote:
> >
> >> Hi,
> >>
> >>
> >> Is it possible to lock out an user account on a set date?
> >>
> >
> > You should be able to set the krbPrincipalExpiration attribute to expire
> > an account on a set date.
> >
> > However note this: https://fedorahosted.org/freeipa/ticket/3305
> >
> >
> > It means it will work with krb auth but not with ldap binds for now.
> >
> >
> 
> Thanks! That worked like a charm!!
> 
> Is there any active ticket to have this property exposed for editing in the 
> IPA CLI / WEBUI?

No, an RFE ticket would be welcome though.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] User expiration on a certain date

2012-12-17 Thread Simo Sorce
On Mon, 2012-12-17 at 16:04 +0100, Sigbjorn Lie wrote:
> Hi,
> 
> Is it possible to lock out an user account on a set date?

You should be able to set the krbPrincipalExpiration attribute to expire
an account on a set date.

However note this: https://fedorahosted.org/freeipa/ticket/3305

It means it will work with krb auth but not with ldap binds for now.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] Allow IPA users to create SSH tunnel with no shell

2012-12-17 Thread Simo Sorce
On Mon, 2012-12-17 at 09:07 -0500, Albert Adams wrote:
> Thank you for the responses.  I was initially attempting to set this
> value via the web UI and if I entered anything other than the hash
> value of the user's public key it would get rejected.  After thinking
> about your response I realize that I really need to determine a method
> of doing this via a HBAC rule.  If I accomplish this with
> authorized_keys then the user is restricted across the board and would
> not be able to gain a shell on any system whereas HBAC would allow me
> to restrict their access as needed.  We currently require users to
> tunnel over SSH to gain access to certain sensitive web apps (like
> Nessus) but those same users have shell access on a few boxes.
> Thoughts??

One thing you could do is to use the override_shell parameter in sssd.
However this one would override the shell for all users so just
putting /sbin/nologin there would not work if you need some users to be
able to log in (if you care only for root logins it would be enough).

However you can still manage to use it to point to a script that would
test something like whether the user belongs to a group or not, and if
so run either /bin/bash or /bin/nologin

This seems like a nice feature request for FreeIPA though, maybe we can
extend HBAC to allow a special option to define a shell, maybe creating
a special 'shell' service that sssd can properly interpret as a hint to
set nologin vs the actual shell.

Dmitri, should we open a RFE on this ?


Simo.

-- 
Simo Sorce * Red Hat, Inc * New York


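The override_shell script Simo sketches above, as an added example (shell; not FreeIPA or SSSD code). SSSD hands every user the same login shell, so the script itself decides at login time whether the user belongs to a group that is allowed a shell and execs /bin/bash or /sbin/nologin accordingly. The group name, the install path and the sssd.conf placement are assumptions.

```shell
#!/bin/sh
# gate-shell: login-shell wrapper that execs a real shell only for members of one
# group and /sbin/nologin for everyone else. Added example, not FreeIPA or SSSD code.
# Assumed deployment: install as /usr/local/bin/gate-shell and point SSSD at it:
#   [nss]
#   override_shell = /usr/local/bin/gate-shell
# The group name is an assumption; use whichever IPA group should get a shell.
GATE_GROUP=${GATE_GROUP:-shellusers}
REAL_SHELL=/bin/bash
NO_SHELL=/sbin/nologin

# Print the shell a user should get: REAL_SHELL when the user is a member of the
# group (primary or supplementary, resolved through NSS and hence SSSD), else
# NO_SHELL. An unknown user or a failing id(1) also yields NO_SHELL (fail closed).
shell_for_user() {
    user=$1
    group=$2
    for g in $(id -nG "$user" 2>/dev/null); do
        if [ "$g" = "$group" ]; then
            printf '%s\n' "$REAL_SHELL"
            return 0
        fi
    done
    printf '%s\n' "$NO_SHELL"
}

# When executed as a login shell, hand over to the chosen shell with the original
# arguments (sshd passes "-c command" for remote commands; an interactive login or
# an "ssh -N" port-forward-only session passes none). Keyed on the script name so
# that sourcing this file for testing never execs anything.
case ${0##*/} in
    gate-shell) exec "$(shell_for_user "$(id -un)" "$GATE_GROUP")" "$@" ;;
esac
```

A user who lands on nologin can still run ssh -N -L 8834:localhost:8834 host, because a port-forward-only session never asks sshd for a shell; anything that does request one (interactive login, ssh host cmd, scp) is refused. The membership test goes through NSS, so it is subject to the SSSD cache like any other group lookup, and the script must be root-owned and not writable by users.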

Re: [Freeipa-users] DNS: sub-domain or new domain

2012-12-13 Thread Simo Sorce
On Thu, 2012-12-13 at 09:21 +0100, Petr Spacek wrote:
> > No trusts are better with completely separate root domains, they
> > certainly can't work if you use the same domain.
> Simo, can you elaborate this? I'm not experienced with trusts, but
> IMHO there 
> should not be any difference between scenarios a) and b).
> 
Correct, what I meant is that you can't use the same domain for both AD
and FreeIPA (so be careful if you use only the AD DNS server to create a
separate DNS domain in AD DNS for freeIPA).

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] DNS: sub-domain or new domain

2012-12-12 Thread Simo Sorce
On Wed, 2012-12-12 at 10:45 -0800, Patrick Bakker wrote:
> I just joined this list because I was curious about the recent
> discussion that Rashard Kelly had started about whether to
> use FreeIPA's integrated DNS or whether to disable DNS. I'm wondering
> about a very similar thing. I have a bunch of Linux servers that I'd
> like to start manage more centrally but we have Active Directory
> running the network right now.
> 
> 
> I looked at the bug attachment Petr Spacek recommended
> (https://fedorahosted.org/freeipa/attachment/ticket/3268/3268.v2) but
> one thing I didn't see there is a discussion of whether to use an
> entirely different domain. As this is the direction I'm inclined to
> I'm curious if there is some good reason not to do it.
> 
> 
> Suppose I have a company ACME Widgets which is running
> acmewidgets.local under Active Directory. Does it simplify anything if
> I were to run all my Linux boxes under FreeIPA under an entirely
> different domain such as acme.local?

It will avoid the need to do delegation but you will need to set up
conditional forwarders if you want to resolve both domains from all
machines.

Also do not use .local; that domain name is used by zeroconf style stuff
and can cause issues (in a windows domain too), use something like .lan

> Since I have completely separate DNS records I shouldn't need to worry
> about any DNS integration. Will this complicate a future trust between
> the AD domain acmewidgets.local and the FreeIPA domain acme.local if I
> want to do that at some point?

No trusts are better with completely separate root domains, they
certainly can't work if you use the same domain.
However there is at least 1 minor 'integration' step, you need
conditional forwarders in both systems so one can forward queries to the
other for its clients.
> 
> Is the website planning to be updated again soon? Looking through the
> documentation I only see old versions listed. Also, clicking the
> roadmaps, future version plans, etc... appear to be updated.
> 
We keep adding documentation as we produce it.
Is there anything specific you find missing besides updated manuals ?
We should have docs for 3.0/3.1 soon courtesy of Fedora 18.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] how to allow a remote realm user to be an IPA admin?

2012-12-10 Thread Simo Sorce
On Mon, 2012-12-10 at 14:25 +0200, Alexander Bokovoy wrote:
> On Sun, 09 Dec 2012, Brian Cook wrote:
> >How do you let a remote user be an admin for IPA?
> You cannot do it, at least right now.
> 
> >
> >I followed the fedora group example
> >
> >external group:ad_admins_external
> >Posix Group: ad_admins
> >
> >Then I made ad_admins a group member of ipa group 'admins' -
> >theoretically now MSAD\Administrator is an IPA admin?  I get the
> >following.  How does this work?
> 
> Being able to perform IPA management operations means being able to bind
> to IPA LDAP with the identity in question. For Kerberos authentication
> LDAP server maps user principal to a DN of an object in LDAP.
> 
> In case of trust users there are no LDAP objects that they represent
> since the whole idea of a trust was to avoid replicating objects between
> the realms, so while IPA KDC accepts AD realm's tickets for the users,
> IPA LDAP server doesn't know what they map to in terms of LDAP objects.
> 
> Thus, trust users cannot be used to bind for LDAP access.

Note that this[1] DS ticket needs to be implemented for us to be able,
at some point to create a fallback mapping so we can map foreign user to
a 'role' object in DS. This way we will be able to properly authorize
remote users to operate on freeipa, even as admins at some point as long
as we can map them to an object role based on a SAL mapping.

This will take a while though. For the moment you need a real FreeIPA
user to manage freeipa, you can think of foreign users as 'guests' atm.

Simo.


[1] https://fedorahosted.org/389/ticket/534

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] NFS v4 integration how to

2012-12-07 Thread Simo Sorce
On Fri, 2012-12-07 at 13:40 +0100, Ondrej Valousek wrote:
> Three notes:
> 
> 1.
> /export *(rw,sec=krb5,no_subtree_check,no_root_squash)
> is better than
> /export gss/krb5(rw,no_subtree_check,no_root_squash)

It would be even better with root_squash imo :-)
(as a default)

> 2. Kerberos library is still too picky about reverse DNS records -
> i.e. if the reverse DNS does not match the principal name in keytab,
> you are most likely to fail.

Can you open bugs about this.
We do our best to make it work, unfortunately we have encountered time
and again bugs all the way down to glibc (where we still have one to
date :-/ ).

> 3. We should still mention the rpc.idmapd settings I think - people
> are still used to nfsv3 so this might be confusing to them.

Yes, we discovered recently that for some reason rpc.idmapd is hell bent
in looking only at its own config file and requires you set the default
kerberos realm and doesn't ask libkrb5 for the default realm.
So if you do not set it there it fails.
We want to change this in time, but for the time being and on RHEL5/6
and current Fedoras it is what it is.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York


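A check for the two export forms compared in note 1 above, as an added example (shell plus awk; not part of FreeIPA or nfs-utils). It reads an exports file and flags no_root_squash, exports that still admit AUTH_SYS clients, and Kerberos exports that authenticate but do not protect the traffic (sec=krb5 without krb5i or krb5p). The sample exports lines are constructed.

```shell
#!/bin/sh
# audit_exports: flag /etc/exports entries weaker than the sec=krb5 + root_squash
# baseline discussed in the thread. Added example, not part of FreeIPA or nfs-utils.
# Reads an exports file on stdin and prints "FINDING path client" per problem:
#   NO_ROOT_SQUASH          remote root is mapped to local root on the export
#   AUTH_SYS_ALLOWED        no sec= given (exportfs defaults to sec=sys) or sec lists sys/none
#   KRB5_WITHOUT_INTEGRITY  Kerberos authenticates the client only; without krb5i/krb5p
#                           the NFS traffic is neither integrity-protected nor encrypted
# Both the client(sec=...) form and the legacy gss/krb5 pseudo-client are handled.
audit_exports() {
    awk '
        /^[[:space:]]*(#|$)/ { next }                 # comments and blank lines
        {
            path = $1
            for (i = 2; i <= NF; i++) {
                spec = $i; client = spec; opts = ""
                if (match(spec, /\(.*\)$/)) {         # split "client(opt,opt)"
                    client = substr(spec, 1, RSTART - 1)
                    opts = substr(spec, RSTART + 1, RLENGTH - 2)
                }
                if (client == "") client = "*"
                noroot = 0; sec_given = 0; sys = 0; krb = 0; strong = 0
                if (client ~ /^gss\/krb5/) {          # legacy syntax: flavor is the client
                    sec_given = 1; krb = 1
                    if (client ~ /^gss\/krb5[ip]$/) strong = 1
                }
                n = split(opts, o, ",")
                for (j = 1; j <= n; j++) {
                    if (o[j] == "no_root_squash") noroot = 1
                    if (o[j] ~ /^sec=/) {
                        sec_given = 1
                        m = split(substr(o[j], 5), flav, ":")
                        for (k = 1; k <= m; k++) {
                            if (flav[k] == "sys" || flav[k] == "none") sys = 1
                            if (flav[k] ~ /^krb5/) krb = 1
                            if (flav[k] == "krb5i" || flav[k] == "krb5p") strong = 1
                        }
                    }
                }
                if (!sec_given) sys = 1
                if (noroot)         printf "%-22s %s %s\n", "NO_ROOT_SQUASH", path, client
                if (sys)            printf "%-22s %s %s\n", "AUTH_SYS_ALLOWED", path, client
                if (krb && !strong) printf "%-22s %s %s\n", "KRB5_WITHOUT_INTEGRITY", path, client
            }
        }'
}

# Constructed sample (not a real exports file); the first two lines are the two
# forms compared in the thread, the third is the shape the audit is happy with.
SAMPLE_EXPORTS='/export *(rw,sec=krb5,no_subtree_check,no_root_squash)
/export gss/krb5(rw,no_subtree_check,no_root_squash)
/home   192.168.0.0/24(rw,sec=krb5p,root_squash)
/pub    *(ro)'

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_EXPORTS" | audit_exports
fi
```

Run with --demo against the sample, or audit_exports < /etc/exports on a server; note that sec=krb5:sys is flagged as AUTH_SYS_ALLOWED because the list still lets a client pick sys.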

Re: [Freeipa-users] sssd cache

2012-12-05 Thread Simo Sorce
On Wed, 2012-12-05 at 14:20 +0100, Natxo Asenjo wrote:
> hi,
> 
> why would I want sssd to cache group/hostgroup/netgroup membership?
> 
> Is the performance hit so huge on the ldap servers?

Yes, and not only on servers, on the client too.

> I ask this because Windows admins are used to apply membership of
> groups to objects and the changes in a single site domain (or even in
> a multisite domain with fast wan links) are replicated very fast, it
> is nearly instantanous. So for those admins, having to wait x minutes
> for the sssd cache to expire is, to put it mildly, strange.

You can shorten the cache expiration time if you really need to, but
going on the wire for each request is what we built SSSD to actually
avoid. It is in fact not possible for SSSD to go straight to the wire.

> What are the consequences of disabling the cache with an entry like this:
> 
> entry_cache_timeout = 0

I think this would make the cache never expire actually, the opposite of
what you want to do. However you can set it to a very low value I guess,
the consequence will be that your traffic and the time needed to resolve
each entry will be higher, sometime much higher.

> in sssd.conf?
> 
> Thanks in advance for your input.

As a test to show why the cache is important do this:

1. Create a directory
2. create 100 files in this directory
3. chown each file to a different user and a different group each
4. stop sssd, wipe cache file and restart
5. do a ls -al of the directory
6. wait 10 seconds
7. do a second ls -al of the directory

You should notice a difference in the time needed to run ls.

Now bring down the cache time down to 5 seconds and repeat the above
procedure.

Feel free to report your numbers.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York


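Simo's seven-step cache test as a script, added here as an example (shell; not SSSD code). It creates the tree, wipes the SSSD cache, and times a cold and a warm ls -al. The uid/gid ranges, the cache paths (SSSD 1.9 on-disk and memory cache layout) and systemctl are assumptions for a recent Fedora/RHEL client; the full run needs root.

```shell
#!/bin/sh
# sssd_cache_bench: the cold-versus-warm "ls -al" test from the message, as a script.
# Added example, not SSSD code. Run as root on an SSSD client; the numeric id ranges
# are assumptions and should cover real IPA users and groups on your client so that
# every file forces a distinct lookup.
BASE_UID=${BASE_UID:-10000}
BASE_GID=${BASE_GID:-10000}
COUNT=${COUNT:-100}

# Create $2 empty files under $1, file i owned by uid BASE_UID+i and gid BASE_GID+i.
# Numeric chown works whether or not the ids resolve; it is skipped when not root.
# Prints the number of files in the directory.
make_tree() {
    dir=$1; n=$2; i=0
    mkdir -p "$dir"
    while [ "$i" -lt "$n" ]; do
        : > "$dir/f$i"
        if [ "$(id -u)" -eq 0 ]; then
            chown "$((BASE_UID + i)):$((BASE_GID + i))" "$dir/f$i"
        fi
        i=$((i + 1))
    done
    ls "$dir" | wc -l
}

# Wall-clock milliseconds for a single "ls -al" of $1 (output discarded); every
# owner and group shown makes ls call getpwuid/getgrgid, which go through nss_sss.
time_ls_ms() {
    start=$(date +%s%N)          # GNU date
    ls -al "$1" >/dev/null
    end=$(date +%s%N)
    echo $(( (end - start) / 1000000 ))
}

# Steps 4 to 7 of the recipe: stop SSSD, wipe the on-disk cache and the fast
# memory cache, restart, time the cold run, wait, time the warm run.
cold_vs_warm() {
    dir=$1
    systemctl stop sssd
    rm -f /var/lib/sss/db/cache_*.ldb /var/lib/sss/mc/*
    systemctl start sssd
    cold=$(time_ls_ms "$dir")
    sleep 10
    warm=$(time_ls_ms "$dir")
    echo "cold=${cold}ms warm=${warm}ms"
}

if [ "${1:-}" = "--run" ]; then
    tmp=$(mktemp -d)
    make_tree "$tmp" "$COUNT" >/dev/null
    cold_vs_warm "$tmp"
    rm -rf "$tmp"
fi
```

Run it with --run, then lower entry_cache_timeout in sssd.conf (to a small positive value rather than 0) and run it again: as the timeout shrinks, the warm number moves back toward the cold one because more of the 100 lookups go out on the wire again.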

Re: [Freeipa-users] [libvirt-users] libvirt with vnc freeipa

2012-11-30 Thread Simo Sorce
On Fri, 2012-11-30 at 16:16 +0100, Natxo Asenjo wrote:
> On Fri, Nov 30, 2012 at 4:04 PM, Daniel P. Berrange  
> wrote:
> > On Fri, Nov 30, 2012 at 03:56:14PM +0100, Natxo Asenjo wrote:
> >> hi,
> >>
> >> sasl_allowed_username_list = ["ad...@ipa.example.com" ]
> >>
> >> if I leave this field commented out (default setting), everybody can
> >> manage the kvm host.
> >
> > Oh it isn't very obvious, but in this log message:
> >
> >> >> > 2012-11-30 12:00:53.403+: 7786: error :
> >> >> > virNetSASLContextCheckIdentity:146 : SASL client admin not allowed in
> >
> > 'admin' is the identity being matched against.
> >
> > We ought to quote that string int he log message to make it more
> > obvious.
> >
> > So I guess SASL/GSSAPI is not giving us back the REALM, just
> > the username
> >
> > So you need to change your whitelist to leave out the realm.
> 
> Bingo!
> 
> Thanks. If I may just hijack this thread: is it possible to whitelist
> groups instead of individual users to use virsh/virtual manager?
> 
> I know sasl only deals with the authentication stuff, buy here you are
> also authorizing in the whitelist. If this authorization could go
> further to allow ipa groups, that would be ideal from an admin point
> of view ;-)

Natxo, it sounds odd that you are getting back a non fully qualified
principal name, are you sure your configuration is using SASL/GSSAPI ?

What other directives have you configured ?

Simo.


-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] libvirt with vnc freeipa

2012-11-30 Thread Simo Sorce
Hi Natxo,

On Fri, 2012-11-30 at 13:06 +0100, Natxo Asenjo wrote:
> hi,
> 
> I'm following the howto on
> http://freeipa.org/page/Libvirt_with_VNC_Consoles to authenticate
> users voor virsh with ipa.
> 
> I have it mostly working :-) except for the fact that libvirtd is not
> respecting the sasl_allowed_username_list parameter.
> 
> If I do not set it, and I have a realm ticket, then I may login virsh
> or virtual manager and I get tickets for libvirt/vnc services.
> 
> If I do set it, then it tells me the client is not in the whitelist,
> so I cannot log in :-)
> 
> 
> 2012-11-30 12:00:53.403+: 7786: error :
> virNetSASLContextCheckIdentity:146 : SASL client admin not allowed in
> whitelist
> 2012-11-30 12:00:53.403+: 7786: error :
> virNetSASLContextCheckIdentity:150 : Client's username is not on the
> list of allowed clients
> 2012-11-30 12:00:53.403+: 7786: error :
> remoteDispatchAuthSaslStep:2447 : authentication failed:
> authentication failed
> 2012-11-30 12:00:53.415+: 7781: error : virNetSocketReadWire:999 :
> End of file while reading data: Input/output error
> 
> Is this a question for the libvirt folks or is it ok to post it here?

Seems more like a libvirt or maybe even a cyrus-sasl question but I would
be interested in knowing what is going on.

Have you used a full principal name including the realm in the list, or
just the bare user names ?

CCing libvirt-users.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] FreeIPA manual PAM setup help

2012-11-29 Thread Simo Sorce
On Thu, 2012-11-29 at 20:55 -0500, 小龙 陈 wrote:


> And PAM is working!

Excellent!

> I've just finished a helper for setting up NSS and PAM for sssd. It
> basically does the following:
> 
> 1. Looks for 'passwd', 'shadow', 'group', 'services', 'netgroup', and
> 'automount'
> in /etc/nsswitch.conf and adds 'sss' to it.

SSSD does not provide a shadow map so you shouldn't add sss to shadow. It
will do no harm though, it will just be a noop.

> 2. Looks for pam_unix.so in every file in /etc/pam.d/, changes
> 'required'
> to 'sufficient', and adds an 'include' line for 'sss' right below
> it. /etc/pam.d/sss
> contains the pam_sss.so lines.
> 
> So far, I've tested sudo and su, and both are working :)
> 
> Here's a link to the script:
> https://github.com/chenxiaolong/ArchLinux-Packages/blob/master/freeipa/sss-auth-setup.py
> 
> If someone is bored, I'd appreciate it if he/she would take a look at
> it
> for glaring issues.

Cool stuff, I do not know Arch Linux default PAM stack configuration so
I can't tell with certainty that the replace you make is perfect, but I
do not see anything stunningly bad.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York


Re: [Freeipa-users] Fwd: replica read-only

2012-11-14 Thread Simo Sorce
On Wed, 2012-11-14 at 16:47 -0200, Andre Rodrigues wrote:
> thanks for the info Simo!
> I work at a university and the current structure is:
> a meta-directory that feeds a master 389-ds, and the master replicates
> the data to two read-only directories, that are accessible to
> customers.
> any changes in the directory should be sent to the meta-directory,
> which will apply the changes on the master.
> Now I'm studying FreeIPA to see a possible exchange of 389DS for
> FreeIPA (primarily by trust with ad).
> This is not an appropriate structure for FreeIPA(nor a directory
> actually) but a read-only FreeIPA would be best for us.

Oh so you would want a completely read-only setup, no changes at all on
any server in order to drive everything from the meta-directory ?

Don't think that will be possible. You can certainly use metadirectories
to synchronize stuff but enforcing read-only behavior for everything
simply does not cope with the feature set unless you want to strip
freeipa of all the reasons to use it :)

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] replica read-only

2012-11-14 Thread Simo Sorce
On Wed, 2012-11-14 at 10:26 -0800, Brian Cook wrote:
> Having a read-only replica would be ideal for placement in a DMZ.  See
> active directory's read-only domain controller introduced in 2008 R2
> for just that use case.

Hi Brian,
yes we know about the DMZ use case, but that one goes beyond just the
'Read-Only' aspect. Although they call their DC a RODC, the 'ReadOnly'
part is a bit misleading. A RODC is not much about being read-only,
but more about information segregation, A RODC not only prevents
modification of a lot of data, it also is not given most of the key
material at all, requiring additional server2server protocols to deal
with proxying some of the requests when key material is not available
locally.

When people ask about read-only replicas I am interested in their use
case because it means usually they come from a setup where they have
just NIS or LDAP (and no kerberos, or kerberos is completely separated)
and used master-slave solutions.

What I try to understand is if they are asking just because they are
used to the setup or if there are actual deeper reasons for wanting a
similar setup.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] replica read-only

2012-11-14 Thread Simo Sorce
On Wed, 2012-11-14 at 11:54 -0200, Andre Rodrigues wrote:
> Hi,
> I'm trying to setup replicas from my ipa server and
> "ipa-replica-install" is based on multimaster replication.
> Is there a way to set a ipa replica to be a slave/read-only?
> 
No, at the moment replicas are full masters, we are investigating how to
create read-only replicas in the future, but it will be a while.

What is the reason you'd like a read-only replica ? Knowing use cases
will help us decide how read-only replicas will need to behave in
general.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] ipa and cronjob

2012-11-14 Thread Simo Sorce
On Wed, 2012-11-14 at 00:22 -0600, Anthony Messina wrote:
> On Wednesday, November 14, 2012 05:00:29 AM Simo Sorce wrote:
> > On Tue, 2012-11-13 at 21:53 -0600, Anthony Messina wrote:
> > > 1. Using automatic login with the lightdm display manager, I have it
> > > run the 
> > > following script to remove any old Kerberos ccaches, then obtain a new
> > > ticket 
> > > on behalf of the user, and set the appropriate permissions and
> > > SELinux 
> > > context.  Note that in this case, I echo the password to kinit -- If
> > > I 
> > > exported a keytab, I would not be able to manually login with a known
> > > password 
> > > if there were a problem.
> > 
> > Just FYI, this is not strictly true, look at the -P, --password option
> > of ipa-getkeytab
> 
> Thanks.  I didn't notice that option since I'd been using this method since 
> before I started using IPA.
> 
> Is the password used to generate a principal still usable after a keytab has 
> been exported?  I seem to remember from my pre-IPA days of using a plain old 
> standalone MIT KDC that I couldn't use the password to authenticate after 
> the 
> keytab had been exported using kadmin.  Again, I never really investigated 
> it, 
> but the password never seemed to work after the keytab was exported.

If you ask kadmin to randomize the password, then you are basically
*changing* the password at the time you export the keytab with a random
one, so your *old* password won't work anymore and you do not know the
new random one.

But if you tell ipa-getkeytab to use a specific secret when generating
the keytab that is what is used to generate the new keys, so whether you
use pre-computed hashes in the keytab or manually regenerate them at
kinit time using a password it makes no difference.

Of course if you then change your password or get a new keytab you will
change again keys so the previous password/keytab won't work anymore.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] ipa and cronjob

2012-11-13 Thread Simo Sorce
On Tue, 2012-11-13 at 21:53 -0600, Anthony Messina wrote:
> 1. Using automatic login with the lightdm display manager, I have it
> run the 
> following script to remove any old Kerberos ccaches, then obtain a new
> ticket 
> on behalf of the user, and set the appropriate permissions and
> SELinux 
> context.  Note that in this case, I echo the password to kinit -- If
> I 
> exported a keytab, I would not be able to manually login with a known
> password 
> if there were a problem.

Just FYI, this is not strictly true, look at the -P, --password option
of ipa-getkeytab :-)

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] sssd/pam login issues after upgrade to 2.2.1 on Fedora 17

2012-11-12 Thread Simo Sorce
On Mon, 2012-11-12 at 09:51 -0600, Anthony Messina wrote:
> On Monday, November 12, 2012 09:17:17 AM Anthony Messina wrote:
> > > > I also find that when I do a manual ldapsearch for the non-upgraded
> > > > clients as >
> > > >
> > > > follows:
> > > > 
> > > >
> > > > ldapsearch -x -D "cn=directory manager" -W -b
> > > > cn=accounts,dc=messinet,dc=com  "(&(objectClass=ipaHost)(fqdn=*))" dn
> > > >
> > > > 
> > > >
> > > > the non-upgraded clients DO NOT appear in the list, but if I do the 
> > 
> > following:
> > > > 
> > > >
> > > > ldapsearch -x -D "cn=directory manager" -W -b
> > > > cn=accounts,dc=messinet,dc=com  "(&(objectClass=ipaHost))" dn
> > > >
> > > > 
> > > >
> > > > the non-upgraded clients DO appear in the list.  Somehow the addition of
> > > > the  fqdn=* in the filter "(&(objectClass=ipaHost)(fqdn=*))" prevents
> > > > them from being displayed.
> > > >
> > > > 
> > > >
> > > > There were no errors on any of the servers or clients during the
> > > > upgrade.
> > > >
> > > > 
> > > >
> > > > Your help is appreciated.  I've tried to get this corrected all day
> > > > without  success.
> > > >
> > > > 
> > > >
> > > > Thanks in advance.  -A
> > >
> > > 
> > >
> > > Hi,
> > >
> > > 
> > >
> > > the SSSD depends on the fqdn attribute being present for the access
> > > control mechanism. Also, the SSSD searches the directory anonymously, so
> > > in order to get the same results, you should simply search the directory
> > > with anonymous bind.
> > > Can you check on the server how the host entries look like? 
> > >
> > > 
> > >
> > > For example:
> > > ipa host-show ds.messinet.com --all --raw
> > >
> > > 
> > >
> > > Is the FQDN attribute present in the directory at all?
> > 
> > Yes it is present.  The entry seems to appear similar to other
> > entries.  I'm  wondering if for some reason it wasn't indexed (I don't know
> > much about indexing), but only the hosts that are re-enrolled after the
> > update are displayed with the above search.  I'm thinking this may be
> > related to
> > http://git.fedorahosted.org/cgit/freeipa.git/commit/?h=ipa-2-2&id=ce11a7c0e
> > 22ee8f70e14c43419f20be70176fe8c
> > 
> > Is there a way to re-index the fqdn attribute?
> 
> While this may be a red herring, I also do not find in my ipaupgrade.log any 
> attempt to re-index the fqdn attribute.  These are the only entries for which 
> tasks are created.
> 
> 2012-11-11T13:25:39Z INFO Creating task to index attribute: memberuid
> 2012-11-11T13:25:45Z INFO Creating task to index attribute: memberOf
> 2012-11-11T13:25:51Z INFO Creating task to index attribute: memberHost
> 2012-11-11T13:25:57Z INFO Creating task to index attribute: memberUser
> 2012-11-11T13:26:03Z INFO Creating task to index attribute: ntUniqueId
> 2012-11-11T13:26:09Z INFO Creating task to index attribute: ntUserDomainId

Seems like it may be the issue.
Can you open a ticket on this ?

Rich,
do you have a quick pointer for recreating the fqdn index ?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] Process open FD table is full.

2012-11-02 Thread Simo Sorce
On Fri, 2012-11-02 at 08:38 +, Johan Sunnerstig wrote:
> Looks a lot like a problem I have as well.
> Check out the /proc/xxx/fd directory of the dirsrv process for your IPA 
> realm, in my case it's full of dead pointers to /var/tmp/ldap_xxx where xxx 
> will be the same on one IPA server(I have two in a multi-master setup).
> These don't clear out until I restart the dirsrv process, so eventually 
> they'll fill up to the FD limit. For now I have a cron job performing a 
> staggered IPA restart on the two servers and a case open with RH, but I 
> haven't gotten any solution yet.
> This is also RHEL 6.3 by the way, though the problem appeared in 6.2 for me.

This looks like a memory leak in libkrb5 or dirsrv leaving around some krb
context.

Those files are replay caches.

Rich, can you investigate the use of libkrb5 in dirsrv ?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] FreeIPA for AMM users management

2012-11-01 Thread Simo Sorce
On Thu, 2012-11-01 at 17:09 -0400, Simo Sorce wrote:
> On Thu, 2012-11-01 at 15:55 -0400, Simo Sorce wrote:
> > On Thu, 2012-11-01 at 08:27 +0400, Pavel Zhukov wrote:
> > > Hi all. 
> > > I'd like to use FreeIPA for AMM (advanced management module) user
> > > management using this instruction [1]. I enabled option "use DNS for
> > > find LDAP servers"  and set root DN and Binding method "w/ Login
> > > Credentials" but cannot login with IPA credentials.  Logs of dirsrv
> > > and kerberos are empty. DNS server works correctly. 
> > > 
> > > [1] - 
> > > http://publib.boulder.ibm.com/infocenter/bladectr/documentation/index.jsp?topic=/com.ibm.bladecenter.advmgtmod.doc/kp1bb_bc_mmug_configldap_ADrolebasedauthen.html
> > 
> > I am not sure that bind w/ Login Credentials will work properly if they
> > assume Active Directory.
> > AD has a non standard authentication method that allows to not use a DN
> > to identify a user. We do not support that authentication method.
> > 
> > However you should at least see the bind attempt and an error message in
> > the dirsrv access log.
> > 
> > If you do not see that then something else is broken before a bind is
> > even attempted, perhaps DNS discovery ?
> 
> Ah btw, have you enabled SSL ?
> FreeIPA enforces that simple binds be done on an encrypted channel. If
> you try to bind with plain text credentials on an unencrypted channel
> FreeIPA simply returns an error.

Uhmm sorry this is not true for binds, it is true only for password
changes (and SSSD enforces auth only via SSL, but it is client side
enforcement).

Sorry for the noise.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] FreeIPA for AMM users management

2012-11-01 Thread Simo Sorce
On Thu, 2012-11-01 at 15:55 -0400, Simo Sorce wrote:
> On Thu, 2012-11-01 at 08:27 +0400, Pavel Zhukov wrote:
> > Hi all. 
> > I'd like to use FreeIPA for AMM (advanced management module) user
> > management using this instruction [1]. I enabled option "use DNS for
> > find LDAP servers"  and set root DN and Binding method "w/ Login
> > Credentials" but cannot login with IPA credentials.  Logs of dirsrv
> > and kerberos are empty. DNS server works correctly. 
> > 
> > [1] - 
> > http://publib.boulder.ibm.com/infocenter/bladectr/documentation/index.jsp?topic=/com.ibm.bladecenter.advmgtmod.doc/kp1bb_bc_mmug_configldap_ADrolebasedauthen.html
> 
> I am not sure that bind w/ Login Credentials will work properly if they
> assume Active Directory.
> AD has a non standard authentication method that allows to not use a DN
> to identify a user. We do not support that authentication method.
> 
> However you should at least see the bind attempt and an error message in
> the dirsrv access log.
> 
> If you do not see that then something else is broken before a bind is
> even attempted, perhaps DNS discovery ?

Ah btw, have you enabled SSL ?
FreeIPA enforces that simple binds be done on an encrypted channel. If
you try to bind with plain text credentials on an unencrypted channel
FreeIPA simply returns an error.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] FreeIPA for AMM users management

2012-11-01 Thread Simo Sorce
On Thu, 2012-11-01 at 08:27 +0400, Pavel Zhukov wrote:
> Hi all. 
> I'd like to use FreeIPA for AMM (advanced management module) user
> management using this instruction [1]. I enabled option "use DNS for
> find LDAP servers"  and set root DN and Binding method "w/ Login
> Credentials" but cannot login with IPA credentials.  Logs of dirsrv
> and kerberos are empty. DNS server works correctly. 
> 
> [1] - 
> http://publib.boulder.ibm.com/infocenter/bladectr/documentation/index.jsp?topic=/com.ibm.bladecenter.advmgtmod.doc/kp1bb_bc_mmug_configldap_ADrolebasedauthen.html

I am not sure that bind w/ Login Credentials will work properly if they
assume Active Directory.
AD has a non standard authentication method that allows to not use a DN
to identify a user. We do not support that authentication method.

However you should at least see the bind attempt and an error message in
the dirsrv access log.

If you do not see that then something else is broken before a bind is
even attempted, perhaps DNS discovery ?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] Getting virtual aliases and domains via freeipa with Postfix

2012-10-31 Thread Simo Sorce
On Wed, 2012-10-31 at 11:34 +1000, Peter Brown wrote:
> Hi everyone,
> 
> 
> I have been trying to work out how to achieve this.
> I have freeipa 3.0.0 setup on a Fedora 18 server and I have postfix
> and dovecot on my new mail server authenticating against Freeipa.
> One last thing I would love to do it pull down the virtual users and
> aliases for the domains my mailserver will be serving from freeipa.
> Is this possible?
> Is this all automatic due to sssd looking up the user details in the
> ds?
> Does it do the same for domains and email aliases or will I need extra
> lookups to achieve this.

A long time ago I used the excellent support in postfix to route mail
based on data in ldap, however I have no idea how dovecot's support for
that is.

FreeIPA will create a single domain for you atm, but you can indeed
associate any email address to a user, however sssd does not have any
facility to resolve a user by email address, so unless you just care
about the default domain (in which case you can lookup users via sssd
just like you would against /etc/passwd) I think you'll have to
configure your daemons to lookup data directly via ldap.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] Different primary group on different machines.

2012-10-26 Thread Simo Sorce
On Fri, 2012-10-26 at 09:36 +0200, Ondrej Valousek wrote:
> Well, you do not need ACLs for that, just 'chmod g+s ' will
> do.

This is what makes people ask for changing the GID, which is suboptimal
on many accounts.

The reason why FreeIPA creates a User Private Group is that the default
umask pretty much everywhere allows the primary group access to new
files created, so if the primary group is shared among users it means
that by default users cannot expect privacy. This is not nice.

> But in general, I agree, this is insane requirement as nobody would
> ever think of it in Windows. Not happy w/ a traditional Unix
> permissions? Go for ACLs.

Default ACLs are very, very useful and enormously more powerful than the
sgid bit. I strongly recommend using ACLs for complex default ownership
requirements.

> The only pity is that the current Posix-draft hack widely used on all
> Linuxes is a mess and Rich-acl support is still nowhere in sight :-(

Sorry sir, but technically it is the sgid bit that is a gross hack.
The Posix draft for ACLs never got final approval, but it is pretty
standardized across most OSs, and works fine for any Linux OS that isn't
on ancient kernels. It is also enabled by default on all file systems
that matter normally.

Rich-ACL, while cool and necessary for NFS ACL and better Windows ACL
compatibility will also be much more complex than Posix ACLs, and does
not add anything special for the default ACL use case.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

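An added example (my code, not from the thread or from FreeIPA) that makes the argument above concrete: it measures what the common umasks leave in the group bits of a newly created file, which is why a shared primary group means no privacy by default, and it applies a default ACL to a shared directory as the alternative to the sgid bit. The group name `proj` and the directory are constructed for the example; the ACL part only does anything where the acl tools are installed, the filesystem supports ACLs, and the group exists.

```python
"""Added example (not from the thread or from FreeIPA): how the umask shapes
the group bits of new files, and a default ACL as the alternative to sgid."""
import os
import shutil
import stat
import subprocess
import tempfile


def new_file_mode(umask_bits: int) -> int:
    """Create a file under the given umask and return its permission bits."""
    previous = os.umask(umask_bits)  # umask is process-wide; restore it below
    try:
        with tempfile.TemporaryDirectory() as workdir:
            path = os.path.join(workdir, "newfile")
            with open(path, "w", encoding="ascii") as fh:
                fh.write("x")
            return stat.S_IMODE(os.stat(path).st_mode)
    finally:
        os.umask(previous)


def group_access(umask_bits: int) -> dict:
    """What the file's group can do with a file created under this umask."""
    mode = new_file_mode(umask_bits)
    return {"read": bool(mode & stat.S_IRGRP), "write": bool(mode & stat.S_IWGRP)}


def set_default_group_acl(directory: str, group: str, perms: str = "rwx"):
    """Grant `group` access to `directory` plus a matching default ACL, so files
    created inside inherit the group entry regardless of the creator's primary
    GID. Returns getfacl's output, or None when the acl tools are missing, the
    filesystem refuses, or the group does not exist."""
    if shutil.which("setfacl") is None or shutil.which("getfacl") is None:
        return None
    try:
        subprocess.run(["setfacl", "-m", f"g:{group}:{perms}", directory],
                       check=True, capture_output=True)
        subprocess.run(["setfacl", "-d", "-m", f"g:{group}:{perms}", directory],
                       check=True, capture_output=True)
        result = subprocess.run(["getfacl", directory], check=True,
                                capture_output=True, text=True)
    except subprocess.CalledProcessError:
        return None
    return result.stdout


if __name__ == "__main__":
    for umask_bits in (0o002, 0o022, 0o077):
        print(f"umask {umask_bits:04o}: new file mode {new_file_mode(umask_bits):04o}, "
              f"group {group_access(umask_bits)}")
    with tempfile.TemporaryDirectory() as shared:
        acl = set_default_group_acl(shared, "proj")  # 'proj' is a constructed group name
        print(acl if acl else "default ACL not applied (no acl tools, unsupported fs, or no such group)")
```

With the usual 002 umask a new file comes out 664 (group read and write), with 022 it is 644 (group read), and only 077 keeps the group out entirely; a default ACL on the shared directory gives the project group its access without touching anyone's primary GID.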


Re: [Freeipa-users] Passsync details missing

2012-10-23 Thread Simo Sorce
On Tue, 2012-10-23 at 13:13 -0400, Dmitri Pal wrote:
> On 10/23/2012 12:47 PM, Simo Sorce wrote:
> > On Tue, 2012-10-23 at 12:16 -0400, Dmitri Pal wrote:
> >> On 10/23/2012 07:50 AM, George Machitidze wrote:
> >>> Hi
> >>>
> >>> I'm testing MS AD integration, following document contents
> >>> http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/managing-sync-agmt.html
> >>>
> >>> For 8.4.2. (Creating Synchronization Agreements) we've got "--passsync
> >>> secretpwd", but nowhere's said if user has to be created on MS AD
> >>> side, or if any package has to be installed.
> >> It is implied that this is the password of the administrative user that
> >> you already have on the AD side.
> > Nope, the password provided with that switch is used to create a special
> > sysaccount user named 'passsync' in IPA.
> > the DN of the user is: uid=passsync,cn=sysaccount,cn=etc,$suffix
> >
> > This user is used by the Windows Passsync plugin installed on AD domain
> > controllers. So this password is what you need to use when configuring
> > the Passsync plugin together with the above dn template.
> >
> > Simo.
> >
> Then we should update our docs.

Yes we should clarify our manpage by making it say:
"Password for the IPA system user used by the Windows Passsync plugin to
synchronize passwords"

Simo.


-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] Passsync details missing

2012-10-23 Thread Simo Sorce
On Tue, 2012-10-23 at 12:16 -0400, Dmitri Pal wrote:
> On 10/23/2012 07:50 AM, George Machitidze wrote:
> > Hi
> >
> > I'm testing MS AD integration, following document contents
> > http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/managing-sync-agmt.html
> >
> > For 8.4.2. (Creating Synchronization Agreements) we've got "--passsync
> > secretpwd", but nowhere's said if user has to be created on MS AD
> > side, or if any package has to be installed.
> 
> It is implied that this is the password of the administrative user that
> you already have on the AD side.

Nope, the password provided with that switch is used to create a special
sysaccount user named 'passsync' in IPA.
the DN of the user is: uid=passsync,cn=sysaccount,cn=etc,$suffix

This user is used by the Windows Passsync plugin installed on AD domain
controllers. So this password is what you need to use when configuring
the Passsync plugin together with the above dn template.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] Failed installation

2012-10-19 Thread Simo Sorce
On Fri, 2012-10-19 at 14:26 -0400, Dmitri Pal wrote:
> On 10/18/2012 10:46 AM, Rob Crittenden wrote:
> > Rob Crittenden wrote:
> >> Bret Wortman wrote:
> >>> Sorry, that wasn't clear at all, was it? The latest attempt was after I
> >>> ran the cleanup. No joy; it's still failing at the same point and
> >>> tomcat
> >>> is definitely not running.
> >>
> >> In order to diagnose why dogtag is failing to install we need to see the
> >> logs from /var/log/pki-ca and the full /var/log/ipaserver-install.log.
> >> You can send them directly to me or Martin if you'd prefer.
> >>
> >
> > To close the loop on this, I had Bret yum reinstall the pki-selinux
> > package. For some reason sometimes it fails to load the required
> > SELinux contents on install.
> 
> Is there any way to make it more reliable?

The dogtag selinux policy is being merged into the system policy.
This should remove the issue completely in future Fedora versions.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] Proven procedure for resetting admin password from CLI

2012-10-18 Thread Simo Sorce
On Thu, 2012-10-18 at 14:49 +0400, George Machitidze wrote:
> Hello
> 
> 
> I want to reset admin password for FreeIPA 2.x (F17), but I couldn't
> find working procedure for that - all what I've found failed.
> Do we have any verified method/docs?

ipa passwd or kpasswd should work just fine.
you should also be able to use ldappasswd if you prefer that.

Can you tell exactly what failed and how ?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] Sudo works for full access, but not on a per command or host level.

2012-10-17 Thread Simo Sorce
On Wed, 2012-10-17 at 09:53 -0600, Rich Megginson wrote:
> On 10/17/2012 07:26 AM, Macklin, Jason wrote:
> > Okay,
> >
> >Rule name: test4
> >Enabled: TRUE
> >Command category: all
> >Users: asteinfeld
> >Hosts: dbduwdu062.dbr.roche.com
> >Host Groups: tempsudo
> >
> > Client dbduwdu062 is matched in the rule by both the hosts and groups entry.
> >
> > /etc/nsswitch.conf has:
> >
> > Netgroups: files sss
> >
> > Getent netgroup tempsudo returns:
> >
> > [jmacklin@dbduwdu062 Desktop]$ getent netgroup tempsudo
> > tempsudo  (dbduwdu063.dbr.roche.com, -, dbr.roche.com) 
> > (dbduwdu062.dbr.roche.com, -, dbr.roche.com)
> >
> > To the previous ldapsearch request:
> >
> > [jmacklin@dbduwdu062 Desktop]$ ldapsearch -Y GSSAPI -H 
> > ldap://dbduvdu145.dbr.roche.com "ou=SUDOers,dc=dbr,dc=roche,dc=com"
> > SASL/GSSAPI authentication started
> > ldap_sasl_interactive_bind_s: Server is unwilling to perform (53)
> > additional info: Entry permanently locked.
> >
> > I am still scratching my head on this one...
> 
> This means you cannot search using your kerberos ticket because the 
> corresponding entry is locked.  Try using directory manager:
> 
> ldapsearch -x -D "cn=directory manager" -W -H 
> ldap://dbduvdu145.dbr.roche.com "ou=SUDOers,dc=dbr,dc=roche,dc=com"
> 

This sounds very wrong.

If the user had a kerberos ticket in the first place it meant it
successfully authenticated.

If no krb ticket was available GSSAPI would have not started at all.

This looks like some odd error in directory server failing to recognize
valid users ?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] Resynchronize Samba Passwort

2012-10-16 Thread Simo Sorce
On Tue, 2012-10-16 at 14:51 -0700, Nathan Kinder wrote:
> On 10/16/2012 02:40 PM, Simo Sorce wrote:
> > On Tue, 2012-10-16 at 14:22 -0700, Nathan Kinder wrote:
> >> On 10/16/2012 05:21 AM, Simo Sorce wrote:
> >>> On Tue, 2012-10-16 at 10:06 +0200, Marc Grimme wrote:
> >>>> Am 15.10.2012 15:50, schrieb Simo Sorce:
> >>>>> On Mon, 2012-10-15 at 14:15 +0200, Marc Grimme wrote:
> >>>>>> Am 14.10.2012 23:14, schrieb Simo Sorce:
> >>>>>>> On Fri, 2012-10-12 at 16:47 +0200, Marc Grimme wrote:
> >>>>>>> Right I am ok with sambaPwdMustChange not being set. That's all good.
> >>>>>>> What about sambaPwdLastSet ?
> >>>>>> Not set when a user is created new.
> >>>>> It should be set when you give the user a password as long as the
> >>>>> sambaSamAccount objectclass is added to the user.
> >>>>>
> >>>>>> When I change the password:
> >>>>>> sambaPwdLastSet: 0
> >>>>> If this is when you set the password as an admin, it is expected.
> >>>> Ok, understood. But it should change when the user resets his/her
> >>>> password, right?
> >>>> And that is not happening.
> >>>> When the user sets his/her password the sambaPwdLastSet stays untouched.
> >>> That's odd, how does the user change the password ?
> >>>
> >>>>>> Not working with samba!
> >>>>>> Need to apply my script (see below).
> >>>>> Let me ask one thing, are you changing the password as a user ?
> >>>>> Or have you tested only setting the password as admin ?
> >>>> I set  the initial password as admin.
> >>>> Then the user logs in to a server (sssd, ssh, ipa-member) and is
> >>>> requested to change his/her password. This works but the sambaPwdLastSet
> >>>> stays untouched.
> >>> Ok this is clearly a bug, can you open a bugzilla against RHEL 6.3 ?
> >>>
> >>>>> If the latter this applies:
> >>>>> http://www.freeipa.org/page/NewPasswordsExpired
> >>>> Checked it. But that was my understanding nevertheless.
> >>>>> I think it may require: SambaSID=S-1-5-21-xx-xx-xx-assign
> >>>>>
> >>>>>
> >>>>> Simo.
> >>>>>
> >>>> # ipa user-add tuser2 --first=Test --last=User2 --shell=/bin/false
> >>>> --setattr=SambaSID=S-1-5-21-xx-xx-xx-assign

> I think that this needs to be --setattr=assign.  The prefix should not 
> be included when specifying the magic value to trigger generation.

Nathan, you were not included in the previous mails, but options have
been tried and they seem to fail the same way (i.e. the actual passed in
value is stored instead of generating a new value).

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] Resynchronize Samba Passwort

2012-10-16 Thread Simo Sorce
On Tue, 2012-10-16 at 14:22 -0700, Nathan Kinder wrote:
> On 10/16/2012 05:21 AM, Simo Sorce wrote:
> > On Tue, 2012-10-16 at 10:06 +0200, Marc Grimme wrote:
> >> Am 15.10.2012 15:50, schrieb Simo Sorce:
> >>> On Mon, 2012-10-15 at 14:15 +0200, Marc Grimme wrote:
> >>>> Am 14.10.2012 23:14, schrieb Simo Sorce:
> >>>>> On Fri, 2012-10-12 at 16:47 +0200, Marc Grimme wrote:
> >>>>> Right I am ok with sambaPwdMustChange not being set. That's all good.
> >>>>> What about sambaPwdLastSet ?
> >>>> Not set when a user is created new.
> >>> It should be set when you give the user a password as long as the
> >>> sambaSamAccount objectclass is added to the user.
> >>>
> >>>> When I change the password:
> >>>> sambaPwdLastSet: 0
> >>> If this is when you set the password as an admin, it is expected.
> >> Ok, understood. But it should change when the user resets his/her
> >> password, right?
> >> And that is not happening.
> >> When the user sets his/her password the sambaPwdLastSet stays untouched.
> > That's odd, how does the user change the password ?
> >
> >>>> Not working with samba!
> >>>> Need to apply my script (see below).
> >>> Let me ask one thing, are you changing the password as a user ?
> >>> Or have you tested only setting the password as admin ?
> >> I set  the initial password as admin.
> >> Then the user logs in to a server (sssd, ssh, ipa-member) and is
> >> requested to change his/her password. This works but the sambaPwdLastSet
> >> stays untouched.
> > Ok this is clearly a bug, can you open a bugzilla against RHEL 6.3 ?
> >
> >>> If the latter this applies:
> >>> http://www.freeipa.org/page/NewPasswordsExpired
> >> Checked it. But that was my understanding nevertheless.
> >>> I think it may require: SambaSID=S-1-5-21-xx-xx-xx-assign
> >>>
> >>>
> >>> Simo.
> >>>
> >> # ipa user-add tuser2 --first=Test --last=User2 --shell=/bin/false
> >> --setattr=SambaSID=S-1-5-21-xx-xx-xx-assign
> >> ---
> >> Added user "tuser2"
> >> ---
> >>User login: tuser2
> >>First name: Test
> >>Last name: User2
> >>Full name: Test User2
> >>Display name: Test User2
> >>Initials: TU
> >>Home directory: /home/tuser2
> >>GECOS field: Test User2
> >>Login shell: /bin/false
> >>Kerberos principal: tus...@cl.atix
> >>UID: 47378
> >>GID: 47378
> >>Password: False
> >>Kerberos keys available: False
> >> # ldapsearch -LLL -b "uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix"
> >> sambaSID
> >> SASL/GSSAPI authentication started
> >> SASL username: ad...@cl.atix
> >> SASL SSF: 56
> >> SASL data security layer installed.
> >> dn: uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix
> >> sambaSID: S-1-5-21-xx-xx-xx-assign
> >>
> >> The following objectclasses are being set when creating a new user:
> >> # ldapsearch -LLL -b "uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix"
> >> objectClass
> >> SASL/GSSAPI authentication started
> >> SASL username: ad...@cl.atix
> >> SASL SSF: 56
> >> SASL data security layer installed.
> >> dn: uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix
> >> objectClass: top
> >> objectClass: person
> >> objectClass: organizationalperson
> >> objectClass: inetorgperson
> >> objectClass: inetuser
> >> objectClass: posixaccount
> >> objectClass: krbprincipalaux
> >> objectClass: krbticketpolicyaux
> >> objectClass: ipaobject
> >> objectClass: sambaSAMAccount
> >> objectClass: ipasshuser
> >> objectClass: ipaSshGroupOfPubKeys
> >> objectClass: mepOriginEntry
> >>
> >> Thanks for your help
> > Seems like a DNA bug ... then,
> >
> > Nathan do you have any idea ?
> What DNA configuration is used?

From a previous mail this looks to be the config.

Marc is this still correct ?

Although my configurations looks ok, doesn't it?
# ldapsearch -LLL -b "cn=SambaSID,cn=Distributed Numeric Assignment
Plugin,cn=plugins,cn=config" -D "cn=Directory Manager" -x -W
Enter LDAP Password:
dn: cn=SambaSid,cn=Distributed Numeric Assignment
Plugin,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
dnatype: sambaSID
dnaprefix: S-1-5-21-1310149461-105972258-
dnainterval: 1
dnamagicregen: assign
dnafilter:
(|(objectclass=sambasamaccount)(objectclass=sambagroupmapping))
dnascope: dc=atix,dc=cl
cn: SambaSid
dnanextvalue: 15400

-- 
Simo Sorce * Red Hat, Inc * New York

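An added example, my code rather than anything from FreeIPA or 389-ds, that models the decision the 389-ds Distributed Numeric Assignment (DNA) plugin makes for a value supplied on an ADD: the entry must be inside dnascope, must match dnafilter, and the supplied value must equal dnamagicregen exactly (no prefix, which is the point Nathan makes in the reply above about --setattr=SambaSID=assign); only then is dnaprefix plus dnanextvalue substituted. The configuration string is constructed from the ldapsearch output quoted in this message and the user DN is the one from the earlier ldapsearch in the thread. It also covers the --setattr variants tried further down the thread.

```python
"""Added example, not code from FreeIPA or 389-ds: a small model of the decision
the 389-ds Distributed Numeric Assignment (DNA) plugin makes for an attribute
value supplied on ADD, built from the plugin configuration quoted in the thread."""
import re
from dataclasses import dataclass

# Constructed from the ldapsearch output quoted in the thread (one attribute per line).
DNA_CONFIG_LDIF = """\
dn: cn=SambaSid,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
dnatype: sambaSID
dnaprefix: S-1-5-21-1310149461-105972258-
dnainterval: 1
dnamagicregen: assign
dnafilter: (|(objectclass=sambasamaccount)(objectclass=sambagroupmapping))
dnascope: dc=atix,dc=cl
cn: SambaSid
dnanextvalue: 15400
"""

# The user entry DN as shown by the ldapsearch output earlier in the thread.
USER_DN = "uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix"


@dataclass
class DnaConfig:
    dnatype: str
    dnaprefix: str
    dnamagicregen: str
    dnascope: str
    filter_objectclasses: tuple
    dnanextvalue: int
    dnainterval: int = 1


def parse_dna_config(ldif: str) -> DnaConfig:
    """Read the attributes of one DNA config entry from unfolded LDIF."""
    attrs = {}
    for line in ldif.splitlines():
        if not line or line.startswith("dn:"):
            continue
        name, _, value = line.partition(": ")
        attrs.setdefault(name.lower(), []).append(value.strip())

    def first(key):
        return attrs[key][0]

    # Only objectclass equality terms are modelled; that covers the filter quoted above.
    ocs = tuple(oc.lower() for oc in
                re.findall(r"\(objectclass=([^)]+)\)", first("dnafilter"), re.IGNORECASE))
    return DnaConfig(
        dnatype=first("dnatype"),
        dnaprefix=first("dnaprefix"),
        dnamagicregen=first("dnamagicregen"),
        dnascope=first("dnascope"),
        filter_objectclasses=ocs,
        dnanextvalue=int(first("dnanextvalue")),
        dnainterval=int(first("dnainterval")),
    )


def in_scope(entry_dn: str, scope_dn: str) -> bool:
    """True when entry_dn is at or below scope_dn (naive RDN split, no escaped commas)."""
    entry = [c.strip().lower() for c in entry_dn.split(",")]
    scope = [c.strip().lower() for c in scope_dn.split(",")]
    return len(entry) >= len(scope) and entry[-len(scope):] == scope


def dna_assign(cfg: DnaConfig, entry_dn: str, objectclasses, requested_value: str):
    """Return (stored_value, reason) for an ADD that supplies requested_value for
    cfg.dnatype. A value is generated only when the entry is in scope, matches
    the filter, and the supplied value equals dnamagicregen exactly (no prefix)."""
    if not in_scope(entry_dn, cfg.dnascope):
        return requested_value, f"entry outside dnascope {cfg.dnascope!r}: value kept as given"
    if not any(oc.lower() in cfg.filter_objectclasses for oc in objectclasses):
        return requested_value, "entry does not match dnafilter: value kept as given"
    if requested_value != cfg.dnamagicregen:
        return requested_value, f"value is not the magic value {cfg.dnamagicregen!r}: kept as given"
    generated = f"{cfg.dnaprefix}{cfg.dnanextvalue}"
    cfg.dnanextvalue += cfg.dnainterval  # the plugin advances its range the same way
    return generated, "magic value replaced by the next value in the range"


if __name__ == "__main__":
    cfg = parse_dna_config(DNA_CONFIG_LDIF)
    ocs = ["posixaccount", "sambaSAMAccount"]
    for value in ("assign", "S-1-5-21-xx-xx-xx-assign"):
        print(value, "->", dna_assign(cfg, USER_DN, ocs, value))
    # Same request with the scope rewritten to cover the users container.
    fixed = parse_dna_config(DNA_CONFIG_LDIF.replace("dnascope: dc=atix,dc=cl",
                                                     "dnascope: dc=cl,dc=atix"))
    print("assign (scope covers entry) ->", dna_assign(fixed, USER_DN, ocs, "assign"))
```

Run against the values as quoted, both requests are kept literally because the quoted dnascope (dc=atix,dc=cl) is not an ancestor of the users container (...,dc=cl,dc=atix), so the entry never reaches the magic-value comparison; that is worth checking before suspecting the plugin itself. With the scope rewritten to cover the entry, a plain "assign" becomes S-1-5-21-1310149461-105972258-15400 and the range advances, while the prefixed form S-1-5-21-xx-xx-xx-assign is still stored as typed.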


Re: [Freeipa-users] CentOS6.3 + Fedora17 + PackageKit / PolicyKit "problem"

2012-10-16 Thread Simo Sorce
On Tue, 2012-10-16 at 09:53 +0300, Antti Peltonen wrote:
> Hi all,
> 
> 
> Just playing around with my setup that consists of two FreeIPA domain
> controllers on CentOS6.3 so the version of FreeIPA in use there is
> 2.2.0
> 
> 
> So now after setting up my test laptop with Fedora 17 I proceeded to
> do a client installation and it seems freeipa-client version on F17
> is also 2.2.0 but such things as sudo and sssd are much more recent
> than on CentOS. This caused few grey hairs until I got the sudo
> configuration to work by manipulating sssd.conf.
> 
> 
> Now that my user provisioned in FreeIPA domain can logon to my laptop,
> use sudo etc to install software I noticed a one little issue with
> policykit + packagekit combination. When through X I try to install an
> RPM package or do anything that requires admin rights it keeps asking
> for the root users password and not my sudo enabled FreeIPA users.
> 
> 
> If I have understood correctly packagekit advertises its request for
> admin rights through dbus to policykit which reads its policy files
> for matching description about the request. In this case the file
> seems to
> be: /usr/share/polkit-1/actions/org.freedesktop.packagekit.policy 
> 
> 
> In this policy file there is a lot of stuff which at this point makes
> no sense to me at all except that I guess that the
> lines: auth_admin describe that policykit
> should require user to enter an administrative level users password.
> Now on basic F17 installation where after first boot you create your
> first normal user account and give it a password there is a checkbox
> for "Administrator" or something similar which seems to add this user
> to be created in "wheel" and "adm" posix groups. When policykit
> requires an administrative users password it asks for this local users
> password if it is member of those groups (I guess) and if not it asks
> for the root users password. 
> 
> 
> However when I add my FreeIPA user to the adm and wheel groups (silly
> since my sudo rules in FreeIPA give me already a full sudo rights)
> policykit does not seem to make a sense out of this situation and keep
> asking for the root users password.

Have you logged out and logged back in after you have done these
changes ?

Changes to group membership do not take effect until the user logs out
and logs back in.

> 
> Now after all this bad english and a load of factual errors the actual
> question is: What needs to be configured and how to make FreeIPA
> provisioned user to be "local administrator" in policykits mind? If
> this is at all possible in current stage of development...

It should make no difference where the user comes from, if it does it
would be most likely a policykit bug/limitation/'feature'
> 
> p.s. I use PackageKit here as an example target for the PolicyKit
> but I guess that anything to do with process rights elevation through
> PolicyKit is affected - not just the PackageKit application.

Understood, have you asked on policykit related mailing lists as well by
chance ?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] Resynchronize Samba Passwort

2012-10-16 Thread Simo Sorce
On Tue, 2012-10-16 at 10:06 +0200, Marc Grimme wrote:
> Am 15.10.2012 15:50, schrieb Simo Sorce:
> > On Mon, 2012-10-15 at 14:15 +0200, Marc Grimme wrote:
> >> Am 14.10.2012 23:14, schrieb Simo Sorce:
> >>> On Fri, 2012-10-12 at 16:47 +0200, Marc Grimme wrote:
> >>> Right I am ok with sambaPwdMustChange not being set. That's all good.
> >>> What about sambaPwdLastSet ?
> >> Not set when a user is created new.
> > It should be set when you give the user a password as long as the
> > sambaSamAccount objectclass is added to the user.
> >
> >> When I change the password:
> >> sambaPwdLastSet: 0
> > If this is when you set the password as an admin, it is expected.
> Ok, understood. But it should change when the user resets his/her
> password, right?
> And that is not happening.
> When the user sets his/her password the sambaPwdLastSet stays untouched.

That's odd, how does the user change the password ?

> >> Not working with samba!
> >> Need to apply my script (see below).
> > Let me ask one thing, are you changing the password as a user ?
> > Or have you tested only setting the password as admin ?
> I set  the initial password as admin.
> Then the user logs in to a server (sssd, ssh, ipa-member) and is
> requested to change his/her password. This works but the sambaPwdLastSet
> stays untouched.

Ok this is clearly a bug, can you open a bugzilla against RHEL 6.3 ?

> > If the latter this applies:
> > http://www.freeipa.org/page/NewPasswordsExpired
> Checked it. But that was my understanding nevertheless.
> >
> > I think it may require: SambaSID=S-1-5-21-xx-xx-xx-assign
> >
> >
> > Simo.
> >
> # ipa user-add tuser2 --first=Test --last=User2 --shell=/bin/false
> --setattr=SambaSID=S-1-5-21-xx-xx-xx-assign
> ---
> Added user "tuser2"
> ---
>   User login: tuser2
>   First name: Test
>   Last name: User2
>   Full name: Test User2
>   Display name: Test User2
>   Initials: TU
>   Home directory: /home/tuser2
>   GECOS field: Test User2
>   Login shell: /bin/false
>   Kerberos principal: tus...@cl.atix
>   UID: 47378
>   GID: 47378
>   Password: False
>   Kerberos keys available: False
> # ldapsearch -LLL -b "uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix"
> sambaSID
> SASL/GSSAPI authentication started
> SASL username: ad...@cl.atix
> SASL SSF: 56
> SASL data security layer installed.
> dn: uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix
> sambaSID: S-1-5-21-xx-xx-xx-assign
> 
> The following objectclasses are being set when creating a new user:
> # ldapsearch -LLL -b "uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix"
> objectClass
> SASL/GSSAPI authentication started
> SASL username: ad...@cl.atix
> SASL SSF: 56
> SASL data security layer installed.
> dn: uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix
> objectClass: top
> objectClass: person
> objectClass: organizationalperson
> objectClass: inetorgperson
> objectClass: inetuser
> objectClass: posixaccount
> objectClass: krbprincipalaux
> objectClass: krbticketpolicyaux
> objectClass: ipaobject
> objectClass: sambaSAMAccount
> objectClass: ipasshuser
> objectClass: ipaSshGroupOfPubKeys
> objectClass: mepOriginEntry
> 
> Thanks for your help

Seems like a DNA bug ... then,

Nathan do you have any idea ?

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] Resynchronize Samba Passwort

2012-10-15 Thread Simo Sorce
On Mon, 2012-10-15 at 14:15 +0200, Marc Grimme wrote:
> Am 14.10.2012 23:14, schrieb Simo Sorce:
> > On Fri, 2012-10-12 at 16:47 +0200, Marc Grimme wrote:
> > Right I am ok with sambaPwdMustChange not being set. That's all good.
> > What about sambaPwdLastSet ?
> Not set when a user is created new.

It should be set when you give the user a password as long as the
sambaSamAccount objectclass is added to the user.

> When I change the password:
> sambaPwdLastSet: 0

If this is when you set the password as an admin, it is expected.

> Not working with samba!
> Need to apply my script (see below).

Let me ask one thing, are you changing the password as a user ?
Or have you tested only setting the password as admin ?

If the latter this applies:
http://www.freeipa.org/page/NewPasswordsExpired


> BTW: when I create a user as follows:
> ipa user-add tuser2 --first=Test --last=User2 --shell=/bin/false
> --setattr=SambaSID=assign
> The SambaSID is: just assign.

I think it may require: SambaSID=S-1-5-21-xx-xx-xx-assign


Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] Resynchronize Samba Passwort

2012-10-14 Thread Simo Sorce
On Fri, 2012-10-12 at 16:47 +0200, Marc Grimme wrote:

> After me switching to
> ldap passwd sync = only
> I cannot see it changing the values if already set.
> But for new users it might not be set. As I have some without these
> attributes set.
> If I create a new user (say tuser2) as follows:
> # ipa user-add tuser2 --first=Test --last=User2 --shell=/bin/false
> --addattr=sambaSID=S-1-5-21-1310149461-105972258-15305
> ---
> Added user "tuser2"
> ---
>   User login: tuser2
>   First name: Test
>   Last name: User2
>   Full name: Test User2
>   Display name: Test User2
>   Initials: TU
>   Home directory: /home/tuser2
>   GECOS field: Test User2
>   Login shell: /bin/false
>   Kerberos principal: tus...@cl.atix
>   UID: 47374
>   GID: 47374
>   Password: False
>   Kerberos keys available: False
> # ldapsearch -LLL -x -b uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix
> sambaPwdMustChange
> dn: uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix
> 
> That attribute is not set.

Right I am ok with sambaPwdMustChange not being set. That's all good.
What about sambaPwdLastSet ?

> Then I'll set a temporary password:
> 
> # ipa passwd tuser2
> New Password:
> Enter New Password again to verify:
> -
> Changed password for "tus...@cl.atix"
> -
> 
> I'll change the temporary password:
> 
> $ ssh tuser2@methusalix2
> tuser2@methusalix2's password:
> Password expired. Change your password now.
> WARNING: Your password has expired.
> You must change your password now and login again!
> Changing password for user tuser2.
> Current Password:
> New password:
> Retype new password:
> passwd: all authentication tokens updated successfully.
> Connection to methusalix2 closed.
> 
> I can login via ssh:
> $ ssh  tuser2@methusalix2
> tuser2@methusalix2's password:
> Last login: Fri Oct 12 16:34:26 2012 from mobilix-20.gallien.atix
> 
> And the ldap attribute is still not set:
> # ldapsearch -LLL -x -b uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix
> sambaPwdMustChange
> dn: uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix
> 
> So the access via samba fails:
> $ smbclient -U tuser2 -L methusalix2 -D ATIX2
> Enter tuser2's password:
> session setup failed: NT_STATUS_PASSWORD_MUST_CHANGE
> 
> When I fix the attribute manually:
> # bash ~/add-sambapwdlastset2user.sh tuser2
> Wrong value. Modifying to proper one..
> SASL/GSSAPI authentication started
> SASL username: ad...@cl.atix
> SASL SSF: 56
> SASL data security layer installed.
> modifying entry "uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix"

Which attribute are you 'fixing' ?
And how ?

Can you show me the specific attribute you are 'fixing' before/after
the password change and before/after the 'fix' ?

> I can access samba as follows:
> smbclient -U tuser2 -L methusalix2 -D ATIX2
> Enter tuser2's password:
> Domain=[ATIX2] OS=[Unix] Server=[Samba 3.5.10-125.el6]
> 
> Sharename   Type  Comment
> ..
> 
> So the initial setup seems to be the problem, right?

There seems to be an issue somewhere indeed, we need to narrow down to
the exact change, then I can look in the code and see what's going on in
there, as sambaPwdLastSet should be changed by the code.

> Besides:
> It also looks like the Distributed Numeric Assignment Plugin seems to
> be not working. As I always have to manually specify the SID of the user:
> ipa user-add tuser2 --first=Test --last=User2 --shell=/bin/false
> --addattr=sambaSID=S-1-5-21-1310149461-105972258-15305

See Rob's answer for this.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] Resynchronize Samba Passwort

2012-10-12 Thread Simo Sorce
On Fri, 2012-10-12 at 13:20 +0200, Marc Grimme wrote:
> Am 11.10.2012 18:12, schrieb Simo Sorce:
> > On Thu, 2012-10-11 at 17:48 +0200, Marc Grimme wrote:
> >> On Do 11 Okt 2012 14:37:57 CEST, Simo Sorce wrote:
> >>>
> >> No they are integrated in the Kerberos Domain of IPA but not joined to 
> >> the samba domain.
> >>> Ok. Sorry I'm using ldap passwd sync=Yes Is that wrong? 
> > Yes, you should use "ldap passwd sync = only"
> Ok, I set it as suggested.
> >
> >> Further testing.
> >> I have a user called tuser.
> >> 1. Reset the password:
> >> ipaserver1 # ipa passwd tuser
> >> New Password:
> >> Enter New Password again to verify:
> >> 
> >> Changed password for "tu...@cl.atix"
> >> 
> >> 2. Login to another server via ssh:
> >> $ ssh tuser@methusalix2
> >> tuser@methusalix2's password:
> >> Password expired. Change your password now.
> >> Last login: Thu Oct 11 17:41:47 2012 from 10.8.0.138
> >> WARNING: Your password has expired.
> >> You must change your password now and login again!
> >> Changing password for user tuser.
> >> Current Password:
> >> New password:
> >> Retype new password:
> >> passwd: all authentication tokens updated successfully.
> >> Connection to methusalix2 closed.
> >> $ ssh tuser@methusalix2
> >> tuser@methusalix2's password:
> >> Permission denied, please try again.
> >> tuser@methusalix2's password:
> >> Last login: Thu Oct 11 17:42:17 2012 from 10.8.0.138
> >> -bash-4.1$
> >> => SSH Login works (Kerberos PW is set).
> >> 3. Let's browse Samba:
> >> $ smbclient -U tuser -L methusalix2
> >> Enter tuser's password:
> >> session setup failed: NT_STATUS_PASSWORD_MUST_CHANGE
> >>
> >> Any ideas what's going wrong?
> > Uhmm seem one of the samba attributes has not been properly changed ...
> Yes. I realized the attribute sambaPwdLastSet was not set or wrongly set
> (=0).
> I adapted it on a few users and the problem with the
> NT_STATUS_PASSWORD_MUST_CHANGE went away.
> Still the problem is what happens when they change their password again.
> It looks like ldap passwd sync=yes should normally keep track of that.
> Any ideas how I can get that running?

As far as I can see our code does set sambaPwdLastSet as well (exactly
to avoid samba complaining about must set).

Can you do a test password change and verify if we always fail to set
it ? And what are the values before/after the attempt (in either case) ?

> You also mentioned that one can use ldappasswd to get Samba to change
> the passwords per user.
> How should this be done?
> passwd program = /usr/bin/ldappasswd ??

Samba uses the ldappasswd control when you set ldap passwd sync = only.
Nothing else is required.

> >
> > This is IPA on RHEL6.3 ?
> Yes RHEL6.3 plain.
> >
> > Can you check if the user has the attribute sambaPwdMustChange set?
> No not anywhere. See above (sambaPwdLastSet).

Ok, perfect, this means it is not used (as I thought) and was deprecated.
(Dmitri, this means we do not need to track it)

> > Apparently the IPA password plugin does not touch it.
> No it doesn't. I'd say it should touch sambaPwdLastSet. Shouldn't it?

It should, and we have code in the 2.2 and 3.0 branches to do it.
I wonder if we have a bug in the RHEL6.3 version; if you can do the test
above we can try to narrow down what's happening.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
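Two checks a practitioner would run for the problem discussed in this thread, as an added example that is not FreeIPA or Samba code: a reader for smb.conf that flags `ldap passwd sync = yes`, and a comparison of two LDIF snapshots of a user (the before/after values Simo asks for) that reports which of userPassword, sambaNTPassword and sambaPwdLastSet the password change updated, plus a scan for users Samba will reject with NT_STATUS_PASSWORD_MUST_CHANGE (sambaPwdLastSet missing or 0, as Marc found). The smb.conf, DNs, hostnames and hashes are constructed. On a real server the snapshots come from something like `ldapsearch -x -D "cn=Directory Manager" -W -b "uid=tuser,cn=users,cn=accounts,dc=example,dc=test" -s base userPassword sambaNTPassword sambaPwdLastSet`, run before and after the user changes the password, as Directory Manager or a custom account with an ACI that may read those attributes.

```python
"""Checks for the IPA + Samba password-sync problem in this thread.

Constructed example, not FreeIPA or Samba code.  Hostnames, DNs and hashes
are made up.  sambaPwdLastSet missing or 0 is what makes Samba answer
NT_STATUS_PASSWORD_MUST_CHANGE.
"""
import re

PASSWORD_ATTRS = ("userpassword", "sambantpassword", "sambapwdlastset")


def parse_smb_conf(text):
    """{section: {param: value}}; Samba parameter names are case-insensitive
    and ignore internal whitespace, so keys are normalised the same way."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][re.sub(r"\s+", "", key).lower()] = value.strip()
    return conf


def check_passwd_sync(conf):
    """'only' hands password changes to the directory (IPA's plugin);
    'yes' lets Samba write sambaNTPassword itself.  Empty list == OK."""
    value = conf.get("global", {}).get("ldappasswdsync", "no").lower()
    if value == "only":
        return []
    return ["ldap passwd sync = %s: set it to 'only'" % value]


def parse_ldif(text):
    """Minimal LDIF reader: {dn: {attr_lowercased: [values]}}.  Continuation
    lines are folded; base64 (::) values stay undecoded (we only compare)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = {}, {}
    for line in lines + [""]:
        if not line.strip():
            if current:
                entries[current["dn"][0]] = current
            current = {}
        elif not line.startswith("#"):
            name, _, value = line.partition(":")
            current.setdefault(name.strip().lower(), []).append(value.lstrip(": "))
    return entries


def find_must_change(entries):
    """uids of sambaSamAccount entries with sambaPwdLastSet missing or 0."""
    bad = []
    for attrs in entries.values():
        if "sambasamaccount" not in {c.lower() for c in attrs.get("objectclass", [])}:
            continue
        last_set = attrs.get("sambapwdlastset", ["0"])[0]
        if not last_set.isdigit() or int(last_set) == 0:
            bad.append(attrs["uid"][0])
    return sorted(bad)


def diff_password_attrs(before, after):
    """Per uid: which password attributes the change updated and which it
    left alone.  A correct change lists all three under 'changed'."""
    report = {}
    for dn, old in before.items():
        new = after.get(dn)
        if new is not None:
            changed = [a for a in PASSWORD_ATTRS if old.get(a) != new.get(a)]
            report[old["uid"][0]] = {
                "changed": changed,
                "unchanged": [a for a in PASSWORD_ATTRS if a not in changed]}
    return report


# Constructed inputs: the misconfiguration from the thread and its fix ...
SMB_CONF_WRONG = """\
[global]
    passdb backend = ldapsam:ldap://ipa.example.test
    ldap passwd sync = Yes
"""
SMB_CONF_FIXED = SMB_CONF_WRONG.replace("= Yes", "= only")
# ... the user entry before the test password change ...
LDIF_BEFORE = """\
dn: uid=tuser,cn=users,cn=accounts,dc=example,dc=test
objectClass: posixAccount
objectClass: sambaSamAccount
uid: tuser
userPassword: {SSHA}oldhasholdhasholdhash==
sambaNTPassword: 00000000000000000000000000000000
sambaPwdLastSet: 0
"""
# ... what a correct change leaves behind, and what the thread's user saw
# (hashes updated, timestamp still 0).
LDIF_AFTER_GOOD = (LDIF_BEFORE
                   .replace("oldhasholdhasholdhash", "newhashnewhashnewhash")
                   .replace("0" * 32, "1" * 32)
                   .replace("sambaPwdLastSet: 0", "sambaPwdLastSet: 1349960000"))
LDIF_AFTER_BAD = LDIF_AFTER_GOOD.replace("sambaPwdLastSet: 1349960000",
                                         "sambaPwdLastSet: 0")
```

The diff is the useful part: if after a kpasswd/ssh password change only sambaPwdLastSet shows up under "unchanged", the IPA password plugin is the place to look; if sambaNTPassword is unchanged too, Samba probably wrote the attributes itself, which is exactly what `ldap passwd sync = only` and a read-only bind account for Samba prevent.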


Re: [Freeipa-users] Resynchronize Samba Password

2012-10-12 Thread Simo Sorce
On Fri, 2012-10-12 at 09:38 -0400, Dmitri Pal wrote:

> >> Can you check if the user has the attribute sambaPwdMustChange set?
> 
> Should we open a ticket to manage this attribute?

I thought I had a reason why it wasn't needed, but I may be wrong.
I want to make sure it is/isn't, but if you want to track it immediately
that is ok; we can always close it as invalid later if it turns out it is
not needed.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] Resynchronize Samba Password

2012-10-11 Thread Simo Sorce
On Thu, 2012-10-11 at 17:48 +0200, Marc Grimme wrote:
> On Do 11 Okt 2012 14:37:57 CEST, Simo Sorce wrote:
> > On Thu, 2012-10-11 at 09:43 +0200, Marc Grimme wrote:
> >> On Mi 10 Okt 2012 17:54:22 CEST, Simo Sorce wrote:
> >> They are changing their passwords via ssh, sssd (kpasswd underneath) or
> >> directly over kpasswd.
> >>
> >> BTW: What would be the recommended way to re change their password
> >> afterwards again?
> >
> > Those methods are fine.
> > Are you sure the affected users didn't change their password via their
> > Windows clients ? Are their clients joined to the samba domain ?
> No they are integrated in the Kerberos Domain of IPA but not joined to 
> the samba domain.
> >
> >> Probably (ldap passwd sync=Yes). Up to now I recommended to use
> >> ssh/sssd combination for passwd change to those users.
> >>>
> >> I'm using samba 3.5 (part of RHEL6) and there seems to be no option
> >> ldap sync.
> >> The only relevant option I've set is ldap passwd sync = Yes.
> >
> > I use RHEL6 as well and the smb.conf man page has 'ldap passwd sync'
> > and the 'only' option. It has been in samba for a long time (I think
> > since 3.0.x)
> Ok. Sorry I'm using
> ldap passwd sync=Yes
> Is that wrong?

Yes, you should use "ldap passwd sync = only"

> >> Not that I know of.
> >> How can I do this?
> >
> > You can do it with a custom user and custom ACIs.
> >
> Further testing.
> I have a user called tuser.
> 1. Reset the password:
> ipaserver1 # ipa passwd tuser
> New Password:
> Enter New Password again to verify:
> 
> Changed password for "tu...@cl.atix"
> 
> 2. Login to another server via ssh:
> $ ssh tuser@methusalix2
> tuser@methusalix2's password:
> Password expired. Change your password now.
> Last login: Thu Oct 11 17:41:47 2012 from 10.8.0.138
> WARNING: Your password has expired.
> You must change your password now and login again!
> Changing password for user tuser.
> Current Password:
> New password:
> Retype new password:
> passwd: all authentication tokens updated successfully.
> Connection to methusalix2 closed.
> $ ssh tuser@methusalix2
> tuser@methusalix2's password:
> Permission denied, please try again.
> tuser@methusalix2's password:
> Last login: Thu Oct 11 17:42:17 2012 from 10.8.0.138
> -bash-4.1$
> => SSH Login works (Kerberos PW is set).
> 3. Let's browse Samba:
> $ smbclient -U tuser -L methusalix2
> Enter tuser's password:
> session setup failed: NT_STATUS_PASSWORD_MUST_CHANGE
> 
> Any ideas what's going wrong?

Uhmm, it seems one of the Samba attributes has not been properly changed ...

This is IPA on RHEL6.3 ?

Can you check if the user has the attribute sambaPwdMustChange set?
Apparently the IPA password plugin does not touch it.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] Resynchronize Samba Password

2012-10-11 Thread Simo Sorce
On Thu, 2012-10-11 at 09:43 +0200, Marc Grimme wrote:
> On Mi 10 Okt 2012 17:54:22 CEST, Simo Sorce wrote:
> > On Wed, 2012-10-10 at 17:11 +0200, Marc Grimme wrote:
> >> Hello together,
> >> we are running IPA on RHEL6.3 for quite some time.
> >> We are also using IPA to provide the LDAP backend for our samba
> >> configuration.
> >> Normally everything is running quite ok.
> >>
> >> But from time to time some people inform me that their samba password is
> >> not in sync with their password in IPA.
> >> Mostly this is working but a few different people are informing me about
> >> that.
> >> So is there a way to "resync" the password to the ones in LDAP
> >> (userPassword, sambaNTPassword)?
> >
> > We do not have code to do that now (although we have some code in 3.0
> > that is capable of doing that so it is technically possible), but this
> > shouldn't happen in the first place.
> >
> > Do you have any information about how the password was changed by these
> > users ?
> They are changing their passwords via ssh, sssd (kpasswd underneath) or 
> directly over kpasswd.
> 
> BTW: What would be the recommended way to re change their password 
> afterwards again?

Those methods are fine.
Are you sure the affected users didn't change their password via their
Windows clients ? Are their clients joined to the samba domain ?

> > Are you allowing samba to change the password ?
> Probably (ldap passwd sync=Yes). Up to now I recommended to use 
> ssh/sssd combination for passwd change to those users.
> >
> > If so are you using the option 'ldap sync only = Only' ? If you do not
> > use this setting that is most likely the problem.
> > If you do then it may be a bug in samba.
> I'm using samba 3.5 (part of RHEL6) and there seems to be no option 
> ldap sync.
> The only relevant option I've set is ldap passwd sync = Yes.

I use RHEL6 as well and the smb.conf man page has 'ldap passwd sync'
and the 'only' option. It has been in samba for a long time (I think
since 3.0.x)

> > Have you given samba access for writing to the sambaNTPassword
> > attribute ?
> > (you shouldn't samba should be allowed only to read).
> Not that I know of.
> How can I do this?

You can do it with a custom user and custom ACIs.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] F5 unit / APM module

2012-10-10 Thread Simo Sorce
On Thu, 2012-10-11 at 01:47 +, Steven Jones wrote:
> Hi,
> 
> hehe, I remember watching Simo on youtube some years back, he said
> something along the lines of IPA as "simple" targeting admins from 7
> to 100 years old..beginning to feel im outside of that
> criteria
> 
> :)
> 
> btw,
> 
> http://www.youtube.com/watch?v=7rljVIVHT6o
> 
> (your tagged simo)

The Net does not forget!
The Net does not forgive!

:)

> This is starting to get awfully involved!
> 
> ;]
> 
> Still worth a look, thanks.

I still think we are on the right path when it comes to simplifying a lot
of the bits we tie together.
Hopefully it will improve as time passes and some of the roughest edges
are worn down.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] Resynchronize Samba Password

2012-10-10 Thread Simo Sorce
On Wed, 2012-10-10 at 17:11 +0200, Marc Grimme wrote:
> Hello together,
> we are running IPA on RHEL6.3 for quite some time.
> We are also using IPA to provide the LDAP backend for our samba
> configuration.
> Normally everything is running quite ok.
> 
> But from time to time some people inform me that their samba password is
> not in sync with their password in IPA.
> Mostly this is working but a few different people are informing me about
> that.
> So is there a way to "resync" the password to the ones in LDAP
> (userPassword, sambaNTPassword)?

We do not have code to do that now (although we have some code in 3.0
that is capable of doing that so it is technically possible), but this
shouldn't happen in the first place.

Do you have any information about how the password was changed by these
users ?

Are you allowing samba to change the password ?

If so are you using the option 'ldap sync only = Only' ? If you do not
use this setting that is most likely the problem.
If you do then it may be a bug in samba.

Have you given samba access for writing to the sambaNTPassword
attribute ?
(you shouldn't; Samba should be allowed only to read).

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] confusing users

2012-10-09 Thread Simo Sorce
On Mon, 2012-10-08 at 22:59 +, Steven Jones wrote:
> Hi,
> 
> When a user logs in for the first time and they have to set a new
> password, if it doesn't meet the password standard/policy it fails with
> an "authentication token manipulation error". Is it possible to get that
> changed so it says "password does not meet policy"?

Steven,
I think this is a bug in RHEL, and should be fixed in the next update.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] Query IPA for group membership

2012-10-06 Thread Simo Sorce
On Sat, 2012-10-06 at 08:12 +0200, Fred van Zwieten wrote:
> Hang on..I don't see how this can work (I haven't tried it btw).
> 
> 
> If I simply copy login to openvpn1 and call openvpn_auth_pam with that
> file as a parameter, how can it magically know to query IPA for the
> openvpn1 service as opposed to username/password? Must I not change
> the openvpn1 file to have it check for the service?

This is how it normally works with PAM enabled applications.

Openvpn opens the PAM stack and tells it that 'openvpn1' is the name of
the service performing an auth request.
The PAM stack then opens the openvpn1 file to find what is the specific
service configuration.
The service name is passed in to all pam modules.
In the PAM 'account' stack (which is run after the auth stack where the
normal username/password can be used), the PAM framework will call
pam_sss to check the account validity. This is where the pam_sss service
will contact the sssd_pam daemon and tell it that service openvpn1 is
trying to auth userX.
The sssd_pam module checks the HBAC rules and tries to match
user,machine,service to a rule. The rules will determine if the account
is allowed on the machine for the specific service.
If not, pam_sss will return a suitable error in the account phase and
openvpn should return an authentication error.

HTH,
Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

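To make the account-phase flow Simo describes concrete, here is an added example (not SSSD or FreeIPA code) that models the HBAC decision pam_sss asks sssd for: constructed rules for the two PAM services openvpn1 and openvpn2, made-up users, groups and host names, and the allow-only evaluation (grant if any enabled rule matches user, host and service together; otherwise deny). It assumes each OpenVPN instance is started with `openvpn_auth_pam.so openvpn1` (resp. openvpn2), that /etc/pam.d/openvpn1 and /etc/pam.d/openvpn2 include pam_sss.so in their account stack, and that the default allow_all rule a fresh IPA install ships with has been disabled, otherwise it matches every request and the per-instance rules never come into play.

```python
"""Model of the HBAC check SSSD performs in the PAM account phase.

Constructed example, not SSSD or FreeIPA code.  FreeIPA HBAC rules are
allow-only: access is granted when at least one enabled rule matches all
of (user, host, PAM service); with no match the account phase fails.
Users, groups, hostnames and rule names below are made up.
"""
from dataclasses import dataclass, field, replace


@dataclass
class HbacRule:
    name: str
    enabled: bool = True
    user_category_all: bool = False       # "User category: all"
    users: set = field(default_factory=set)
    groups: set = field(default_factory=set)
    host_category_all: bool = False       # "Host category: all"
    hosts: set = field(default_factory=set)
    hostgroups: set = field(default_factory=set)
    service_category_all: bool = False    # "Service category: all"
    services: set = field(default_factory=set)
    servicegroups: set = field(default_factory=set)


@dataclass
class Request:
    """What pam_sss hands to sssd: who, from where, for which PAM service,
    plus the group memberships sssd resolves from the directory."""
    user: str
    host: str
    service: str
    user_groups: set = field(default_factory=set)
    host_groups: set = field(default_factory=set)
    service_groups: set = field(default_factory=set)


def _component_matches(category_all, members, member_groups, name, groups):
    return category_all or name in members or bool(member_groups & groups)


def rule_matches(rule, req):
    """All three components must match the same rule."""
    return (rule.enabled
            and _component_matches(rule.user_category_all, rule.users,
                                   rule.groups, req.user, req.user_groups)
            and _component_matches(rule.host_category_all, rule.hosts,
                                   rule.hostgroups, req.host, req.host_groups)
            and _component_matches(rule.service_category_all, rule.services,
                                   rule.servicegroups, req.service,
                                   req.service_groups))


def matching_rules(rules, req):
    return [r.name for r in rules if rule_matches(r, req)]


def hbac_allowed(rules, req):
    """Allow-only semantics: deny unless some rule matches."""
    return bool(matching_rules(rules, req))


def set_enabled(rules, name, enabled):
    """Copy of the rule list with one rule switched on or off."""
    return [replace(r, enabled=enabled) if r.name == name else r for r in rules]


# Constructed rule set for the two OpenVPN instances.  A fresh IPA install
# ships an enabled 'allow_all' rule; it has to be disabled or it matches
# every request and the per-instance rules never come into play.
VPN_HOST = "vpn.example.test"
RULES = [
    HbacRule("allow_all", enabled=False, user_category_all=True,
             host_category_all=True, service_category_all=True),
    HbacRule("openvpn1_access", groups={"openvpn1"}, hosts={VPN_HOST},
             services={"openvpn1"}),
    HbacRule("openvpn2_access", groups={"openvpn2"}, hosts={VPN_HOST},
             services={"openvpn2"}),
    HbacRule("admins_ssh", groups={"admins"}, host_category_all=True,
             services={"sshd"}),
]
# Constructed group memberships, as sssd would look them up.
USER_GROUPS = {
    "alice": {"ipausers", "openvpn1"},
    "bob": {"ipausers", "openvpn2"},
    "carol": {"ipausers", "admins"},
}


def decide(user, service, host=VPN_HOST, rules=RULES):
    req = Request(user, host, service, user_groups=USER_GROUPS.get(user, set()))
    return hbac_allowed(rules, req)


if __name__ == "__main__":
    for user, service in [("alice", "openvpn1"), ("alice", "openvpn2"),
                          ("bob", "openvpn2"), ("carol", "sshd")]:
        print(user, service, "->", "allow" if decide(user, service) else "deny")
```

On a real server the same question is put to IPA with `ipa hbactest --user alice --host vpn.example.test --service openvpn1`, which lists the matched and unmatched rules; it is the quickest way to see whether a still-enabled allow_all rule is what lets subnet-2 users into instance 1.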


Re: [Freeipa-users] Query IPA for group membership

2012-10-05 Thread Simo Sorce
nstead of login.
> > > 
> > > 
> > > So, I would like to add the next line:
> > > 
> > > 
> > > openvpn_auth_pam.so group  "openvpn"
> > > 
> > > 
> > > Where a /etc/pam.d/group file would check whether
> > > the user is member of the group "openvpn". If not,
> > > false is returned and the login attempt (thru
> > > openvpn) fails.
> > > 
> > > 
> > > Is this possible? If not is there a better way?
> > > 
> > > 
> > > Fred
> > 
> > 
> > 
> > Can you step up from the implementation and explain
> > what you want to accomplish?
> > It seems that you want to use OpenVPN and do some
> > access control checks when user connects to OpenVPN.
> > Right?
> > If you can describe the flow of operations we might
> > be able guide you to the right solution.
> > 
> > Also would be nice to understand what OS OpenVPN is
> > running on.
> > 
> > > 
> > > 
> > > 
> > > 
> > 
> > 
> > -- 
> > Thank you,
> > Dmitri Pal
> > 
> > Sr. Engineering Manager for IdM portfolio
> >     Red Hat Inc.
> > 
> > 
> > ---
> > Looking to carve out IT costs?
> > www.redhat.com/carveoutcosts/
> > 
> > 
> > 
> > 
> > 
> > 
> 
> 
> -- 
> Thank you,
> Dmitri Pal
> 
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
> 
> 
> ---
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
> 
> 
> 
> 


-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] Query IPA for group membership

2012-10-05 Thread Simo Sorce
On Fri, 2012-10-05 at 20:13 +0200, Fred van Zwieten wrote:
> You are completely right :-)
> 
> 
> Both IPA server and client are RHEL6.3 x86_64 boxes.
> 
> 
> On the OpenVPN server (which is an IPA client), I have 2 OpenVPN
> instances running, because different users must end up in different
> subnet's
> 
> 
> OpenVPN instance 1 listens on port 5
> OpenVPN instance 2 listens on port 50001
> 
> 
> Users for subnet 1 must connect and authenticate on instance 1 (and
> get an IP in subnet 1)
> Users for subnet 2 must connect and authenticate on instance 2 (and
> get an IP in subnet 2)
> 
> 
> Both OpenVPN instances use the login pam module.
> 
> 
> In this setup I can not prevent users for subnet 2 to connect and
> authenticate successfully on OpenVPN instance 1.
> 
> 
> So, I would like to put the users for OpenVPN instance 1 in group
> OpenVPN1 and users for OpenVPN instance 2 in group OpenVPN2 on IPA.
> 
> 
> Next, the OpenVPN daemon must be able to check a user for membership.
> If it is not a member, false is returned, and the OpenVPN
> authentication fails.
> 
> 
> Documentation for the openvpn_auth_pam is here. 
> 

Fred, what you can do is to use different PAM service names (if openvpn
allows you to do that).
Create 2 services, openvpn1 and openvpn2, and then use HBAC to assign
appropriate access control to those services for the openvpn
concentrator.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] Query IPA for group membership

2012-10-05 Thread Simo Sorce
On Fri, 2012-10-05 at 13:50 -0400, Dmitri Pal wrote:
> On 10/05/2012 01:36 PM, Fred van Zwieten wrote: 
> > Hello, 
> > 
> > 
> > I have a IPA server running. This server has users who are member to
> > various groups. I want to query the IPA server from an IPA client to
> > know whether a user is a member to a group.
> > 
> > 
> > I want to do this from the OpenVPN service using the
> > openvpn_auth_pam.so. Normally one uses this like this:
> > 
> > 
> > openvpn_auth_pam.so login
> > 
> > 
> > This queries the PAM login service (and thus IPA) to check whether the
> > username/password from openvpn is valid. The "login" is /etc/pam.d/login.
> > OpenVPN docs say you could use other modules instead of login.
> > 
> > 
> > So, I would like to add the next line:
> > 
> > 
> > openvpn_auth_pam.so group  "openvpn"
> > 
> > 
> > Where a /etc/pam.d/group file would check whether the user is member
> > of the group "openvpn". If not, false is returned and the login
> > attempt (thru openvpn) fails.
> > 
> > 
> > Is this possible? If not is there a better way?
> > 
> > 
> > Fred
> 
> 
> Can you step up from the implementation and explain what you want to
> accomplish?
> It seems that you want to use OpenVPN and do some access control
> checks when user connects to OpenVPN. Right?
> If you can describe the flow of operations we might be able guide you
> to the right solution.
> 
> Also would be nice to understand what OS OpenVPN is running on.

If the PAM stack is used fully (account phase at least) then HBAC may be
a better way to do this sort of check.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] Keep Samba password in sync with userpassword and kerberos password

2012-10-05 Thread Simo Sorce
On Mon, 2012-10-01 at 17:03 -0400, Qing Chang wrote:
> In a thread on Freeipa-devel titled "freeIPA as a samba backend" there
> is a statement as below:
> =
> IPA will keep all of your passwords in sync - userPassword,
> sambaNTPassword, sambaLMPassword, and your kerberos passwords.  
> 389 cannot do this - the functionality that does this is provided by
> an IPA password plugin.  Openldap has a similar plugin, but I 
> think it is "contrib" and not "officially supported".
> ==
> 
> Can someone please point me to where I can find this plugin and
> configured it to keep all passwords listed above in sync?

The plugin is automatically enabled in IPA, it is the only way to change
passwords.

> I am unable to find detailed information on password plugin in IPA 2.2
> doc. 
> 
> My intention is to provide my Windows users (accounts on IPA server)
> IPA web interface only for changing their password. 

If you need to write a tool to change passwords, keep in mind you can use
ldappasswd and pass it the old/new user password.

> I am using Samba 3.0.23d as a standalone server because this is a last
> version that does not check for SIDs strictly...
> 
More recent versions of Samba can also use the ldappasswd method.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] UID splitting policy and running out.

2012-10-02 Thread Simo Sorce
On Tue, 2012-10-02 at 21:41 +, Steven Jones wrote:
> Hi,
> 
> I just found that I had run out of UIDs when doing a winsync agreement.
> 
> From my understanding when you add a replica it takes 1/2 of the master's 
> UIDs block...so a 2nd replica takes 1/2 of that again?
> 
> In my case I rebuilt the replica's several times and the Master ended up with 
> only 2500 UIDs left...
> 
> When I did a winsync then it wasnt happy.
> 
> I'd suggest that as part of the winsync setup a ldapsearch is done to make 
> sure there are plenty left and allocate more  if need be unless its a 
> virgin setup but a large site with say 2 replicas would leave 25000 UIDs 
> on the master?  not unusual for AD's to have 25000+ users I'd suggest. (we 
> have about 21000).
> 
> or did I do something wrong?

The DNA plugin should have reclaimed IDs when it was about to run out;
can you please open a bug if that did not happen?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



[Freeipa-users] [HOWTO] Bulk creating test users

2012-09-26 Thread Simo Sorce
Hello list,

I wanted to share a simple way I use to create users for testing; it is 
something that I get regularly asked about when we do testing, so I thought it may 
turn out useful to others.

Assume we have a FreeIPA domain called freeipa.org and we want to create a few 
test users with a specific password;
here is a simple script that does it (requires you to kinit as admin first):

-
#!/bin/bash
set -e
# Pass user name as first argument and password as second argument.
# Needs an admin ticket; ldappasswd finds the IPA server via
# /etc/openldap/ldap.conf, as on any enrolled client.
user="$1"; password="$2"

ipa user-add "$user" --first Test --last User
# An admin-set password is marked expired, so set a temporary one ...
echo "test" | ipa passwd "$user"
# ... then change it as the user (old -> new), which clears the expiration.
# The base DN must match your domain (dc=freeipa,dc=org for freeipa.org).
ldappasswd -D "uid=$user,cn=users,cn=accounts,dc=freeipa,dc=org" \
    -w test -a test -s "$password"
-


In this example no escaping is performed, so you'll need to add it to user 
names/password if you want to use characters that may cause shell expansion.

Hope this helps.

Simo.

-- 
Simo Sorce * Red Hat, Inc. * New York



Re: [Freeipa-users] krb5-server-1.9-33.el6_3.3.x86_64 prevents named from starting when selinux is enforcing

2012-09-20 Thread Simo Sorce
- Original Message -
> Sigbjorn Lie wrote:
> > On 09/20/2012 10:17 PM, Rob Crittenden wrote:
> >> bind isn't my strongest suite.
> >>
> >> My guess is that this file is the ccache for bind. I'm guessing
> >> that
> >> 25 is the UID of the named user. If this is the case, then it
> >> should
> >> be safe to stop named, rename the file, and restart. Perhaps the
> >> contexts have changed so when this gets re-created it will get
> >> fixed
> >> automagically.
> >>
> >> rob
> >>
> > You guessed well!! :)
> >
> > Stop named:
> > # service named stop
> >
> > Enable selinux:
> > # setenforce 1
> >
> > Verify that error still exists:
> > # service named start
> > Starting named: [FAILED]
> >
> > Rename file:
> > # cd /var/tmp
> > # mv DNS_25 DNS_25_old
> >
> > Attempt to start named again:
> > # service named start
> > Starting named: [  OK  ]
> >
> > Voila!
> >
> > A before and after shot:
> > # ls -lZ DNS_25*
> > -rw---. named named unconfined_u:object_r:named_tmp_t:s0 DNS_25
> > -rw---. named named system_u:object_r:tmp_t:s0   DNS_25_old
> >
> > What's the odds that this was the entire issue and that named will
> > now
> > keep running safe and sound?
> >
> 
> Hard to say. Because restorecon didn't fix the bad context I suspect
> this isn't directly covered in policy. So if the file should get the
> wrong context again you could be back in this position. It is
> probably
> worth filing a bug. I'm not entirely sure whether it should be
> against
> bind or selinux, but it'll get to the right folks either way
> eventually.

That file is the replay cache, and its context is set at runtime by the
krb5 library. It got out of sync because selinux was disabled, and
restorecon can't fix the label because the file is in a tmp directory,
so it just takes the tmp_t context by default.

If selinux is not completely disabled this shouldn't happen anymore; however,
should it happen you can simply remove the file, it is not vital and will
get recreated after you restart named.

Simo.

-- 
Simo Sorce * Red Hat, Inc. * New York



Re: [Freeipa-users] Password Expiration Grace Limit

2012-09-14 Thread Simo Sorce
On Fri, 2012-09-14 at 14:50 -0400, Dmitri Pal wrote:
> On 09/14/2012 02:33 PM, Ott, Dennis wrote: 
> > There seems to be nothing in the documentation about a user being
> > able to initiate a password change dialogue after their password has
> > expired, yet it seems that one is able to do just that. There is a
> > value in the ldap store, passwordGraceLimit, which is initialized to
> > zero. I have modified that value but it seems to have no effect.
> > 
> >  
> > 
> > I would like to limit this ability to just a few days, or
> > alternatively, completely lock out the account once the password has
> > expired. 
> > 
> >  
> > 
> > Does anyone have any insight as to how to do this? If not, is it
> > planned for a future release?
> > 
> >  
> > 
> > I suppose I could look at a script running daily that would lock the
> > account if the user’s password has expired in the last X hours, but
> > I was hoping for something builtin.
> > 
> >  
> > 
> > Any help is appreciated.
> > 
> >  
> > 
> > 
> AFAIR this is the first request of this kind. We allow changing the
> password even after expiration. The main reason is that newly created
> accounts need to change passwords, so they are marked as immediately
> expired. But it might take some time for the user to actually log into the
> system for the first time; this is why we never thought about the use
> case described. So I suspect we do not have any grace period enforced.
> 
> It might be a bug. 
> 
> Simo, what do you think ?

Sounds like material for a Feature Request.

I think setting a grace period is a good idea, and it has the nice side
effect of automatically locking new accounts if the user never uses them.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York


Re: [Freeipa-users] Questions about FreeIPA vs 389DS

2012-09-14 Thread Simo Sorce
On Fri, 2012-09-14 at 08:31 +0100, mailing lists wrote:
> >>> the upcoming "IPAv3 Trust" feature seems very promising because AFAIK
> >>> no synchronization is necessary, but by using IPA it seems very
> >>> restrictive to support current applications which need a LDAP
> >>> hierarchical tree, custom schema with custom objectclasses and
> >>> attributes, custom ACLs for applications.. I know about Directory
> >>> Server virtual views, but I'm worried about the consequences of low
> >>> level manipulation of the FreeIPA Directory Server instance.
> >>>
> >>> So how others are solving this paradox?
> >>> they run  389DS with (fractional) replication towards (or from)
> >>> FreeIPA 389DS?
> >>> they add custom schemas to FreeIPA 389DS?
> >>> the do low level manipulation of FreeIPA 389DS for ACLs, plugin
> >>> activation, ...?
> >>> what about upgrades after this modifications were done?
> > If you need this level of flexibility and customization 389 DS is
> > probably better for you than IPA.
> > It seems that you want to do a lot of "do it yourself" things. IPA is
> > more about "use as is with minor tweaks so that you do not need to do it
> > yourself".
> 
> I do not want "do it yourself" things if it isn't strictly necessary,
> but for the external applications, the legacy ones, etc... a minimum
> level of flexibility is necessary. My questions were about how other
> admins solved this inconvenience. Was anyone really in a
> similar situation? 

It is not clear to me what kind of flexibility you think you need.

The user tree is flat, but you can create a custom subtree and use
custom schema otherwise, just like with any LDAP server.
I have yet to find an application that dictates a hierarchical tree for
users.

> I wonder if it is possible configure 389DS with samba4 to create a
> forest trust with AD without FreeIPA 

No, the samba4 DC does not yet support trust relationships.
And Samba4 also only supports using the embedded LDAP server; support for
using third party directories was dropped a long while ago.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] errors when one ipa server down

2012-09-10 Thread Simo Sorce
On Mon, 2012-09-10 at 11:11 -0400, Rob Crittenden wrote:
> Simo Sorce wrote:
> > On Mon, 2012-09-10 at 16:36 +0200, Sumit Bose wrote:
> >> What about defining a task in the SSSD krb5 provider instead of
> >> pinging
> >> it from the locator plugin. The task can run at a configurable
> >> interval
> >> or never and checks if the current KDC is available. If not it tries
> >> the
> >> next until it goes offline if no reachable KDC can be found and
> >> updates
> >> or deletes the info file for the locator plugin..
> >>
> >> This leaves us with the question of how to ping a KDC properly, but this
> >> we
> >> have to find out for either case.
> >>
> > I am not a fan of generating load for the KDC unnecessarily.
> >
> > Simo.
> >
> 
> I tend to agree but this can be a real pain to debug because depending 
> on the current state of sssd you have to either check krb5.conf or the 
> sssd locator to see what KDC is configured.

[moving to freeipa-devel]

Yes but the solution is to do on-demand requests when something doesn't
work.
Because otherwise you still get the odd failure.
Assume you check in 5 min intervals, and the KDC goes off 1 sec after
the check, for 5 minutes you still have a wrong KDC in the locator and
still get failures.
So you loaded the KDC with ~300 requests per day per client, and you
still have high odds that on failure your locator file will still be
'wrong'.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] errors when one ipa server down

2012-09-10 Thread Simo Sorce
On Mon, 2012-09-10 at 16:36 +0200, Sumit Bose wrote:
> What about defining a task in the SSSD krb5 provider instead of
> pinging
> it from the locator plugin. The task can run at a configurable
> interval
> or never and checks if the current KDC is available. If not it tries
> the
> next until it goes offline if no reachable KDC can be found and
> updates
> or deletes the info file for the locator plugin..
> 
> This leaves us with the question of how to ping a KDC properly, but this
> we
> have to find out for either case.
> 
I am not a fan of generating load for the KDC unnecessarily.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] errors when one ipa server down

2012-09-10 Thread Simo Sorce
>>>
> > >>>>>[domain_realm]
> > >>>>>   .mpls.local = MPLS.LOCAL
> > >>>>>   mpls.local = MPLS.LOCAL
> > >>>>>
> > >>>>>[root@ipaclient ~]# more /etc/resolv.conf
> > >>>>># Generated by NetworkManager
> > >>>>>search mpls.local
> > >>>>>nameserver 172.16.112.5
> > >>>>>nameserver 172.16.112.8
> > >>>>>
> > >>>>>[root@ipaclient ~]# more /etc/krb5.conf
> > >>>>>#File modified by ipa-client-install
> > >>>>>
> > >>>>>[libdefaults]
> > >>>>>   default_realm = MPLS.LOCAL
> > >>>>>   dns_lookup_realm = true
> > >>>>>   dns_lookup_kdc = true
> > >>>>>   rdns = false
> > >>>>>   ticket_lifetime = 24h
> > >>>>>   forwardable = yes
> > >>>>>
> > >>>>>[realms]
> > >>>>>   MPLS.LOCAL = {
> > >>>>> pkinit_anchors = FILE:/etc/ipa/ca.crt
> > >>>>>   }
> > >>>>>
> > >>>>>[domain_realm]
> > >>>>>   .mpls.local = MPLS.LOCAL
> > >>>>>   mpls.local = MPLS.LOCAL
> > >>>>>
> > >>>>>[root@ipaclient ~]# nslookup ipaserver
> > >>>>>Server:172.16.112.5
> > >>>>>Address:172.16.112.5#53
> > >>>>>
> > >>>>>Name:ipaserver.mpls.local
> > >>>>>Address: 172.16.112.5
> > >>>>>
> > >>>>>[root@ipaserver ~]#ifdown eth0
> > >>>>>
> > >>>>>[root@ipaclient ~]# nslookup ipaserver
> > >>>>>Server:172.16.112.8
> > >>>>>Address:172.16.112.8#53
> > >>>>>
> > >>>>>Name:ipaserver.mpls.local
> > >>>>>Address: 172.16.112.5
> > >>>>>
> > >>>>>[root@ipaclient ~]# nslookup ipaserver2
> > >>>>>Server:172.16.112.8
> > >>>>>Address:172.16.112.8#53
> > >>>>>
> > >>>>>Name:ipaserver2.mpls.local
> > >>>>>Address: 172.16.112.8
> > >>>>>
> > >>>>>Copy/paste from the DNS page on ipaserver/ipaserver2
> > >>>>>
> > >>>>>@ NS ipaserver.mpls.local.
> > >>>>>  NS ipaserver2.mpls.local.
> > >>>>>_kerberos TXT MPLS.LOCAL
> > >>>>>_kerberos-master._tcp SRV 0 100 88 ipaserver
> > >>>>>  SRV 0 100 88 ipaserver2
> > >>>>>_kerberos-master._udp SRV 0 100 88 ipaserver
> > >>>>>SRV 0 100 88 ipaserver2
> > >>>>>_kerberos._tcp SRV 0 100 88 ipaserver
> > >>>>> SRV 0 100 88 ipaserver2
> > >>>>>_kerberos._udp SRV 0 100 88 ipaserver
> > >>>>>  SRV 0 100 88 ipaserver2
> > >>>>>_kpasswd._tcp SRV 0 100 464 ipaserver
> > >>>>> SRV 0 100 464 ipaserver2
> > >>>>>_kpasswd._udp SRV 0 100 464 ipaserver
> > >>>>>  SRV 0 100 464 ipaserver2
> > >>>>>_ldap._tcp SRV 0 100 389 ipaserver
> > >>>>> SRV 0 100 389 ipaserver2
> > >>>>>_ntp._udp SRV 0 100 123 ipaserver
> > >>>>>SRV 0 100 123 ipaserver2
> > >>>>>ipaclient A 172.16.112.9
> > >>>>>ipaclient2 A 172.16.112.145
> > >>>>>ipaserver A 172.16.112.5
> > >>>>>ipaserver2 A 172.16.112.8
> > >>>>>zenoss A 172.16.112.6
> > >>>>>
> > >>>>>Thanks,
> > >>>>>Mike
> > >>>>>
> > >>>>I noticed that there is no domain line in the resolv.conf on the
> > >>>>client.
> > >>>>AFAIU in this case it would determine the domain by the gethostname and
> > >>>>in case of network being down it will fail over to the hosts file.
> > >>>>I wonder what is in your /etc/hosts?
> > >>>>Does it have just a short host name?
> > >>>
> > >>>[root@ipaclient ~]# more /etc/hosts
> > >>>127.0.0.1   localhost.localdomain   localhost
> > >>>::1         localhost6.localdomain6 localhost6
> > >>>
> > >>>
> > >>>Add domain mpls.local to /etc/resolv.conf
> > >>>
> > >>>[root@ipaserver ~]#ifdown eth0
> > >>>
> > >>>[root@ipaclient ~]# kinit mike
> > >>>kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting
> > >>>initial credentials
> > >>>[root@ipaclient ~]# nslookup ipaserver
> > >>>Server:172.16.112.8
> > >>>Address:172.16.112.8#53
> > >>>
> > >>>Name:ipaserver.mpls.local
> > >>>Address: 172.16.112.5
> > >>>
> > >>>[root@ipaclient ~]# nslookup ipaserver2
> > >>>Server:172.16.112.8
> > >>>Address:172.16.112.8#53
> > >>>
> > >>>Name:ipaserver2.mpls.local
> > >>>Address: 172.16.112.8
> > >>>
> > >>>add '172.16.112.9 ipaclient.mpls.local ipaclient' to /etc/hosts
> > >>>
> > >>>[root@ipaserver ~]#ifup eth0
> > >>>
> > >>>[root@ipaclient ~]# kinit mike
> > >>>Password for mike@MPLS.LOCAL:
> > >>>
> > >>>[root@ipaserver ~]#ifdown eth0
> > >>>
> > >>>[root@ipaclient ~]# kinit mike
> > >>>kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting
> > >>>initial credentials
> > >>>[root@ipaclient ~]# nslookup -type=srv _kerberos-master._tcp
> > >>>Server:172.16.112.8
> > >>>Address:172.16.112.8#53
> > >>>
> > >>>_kerberos-master._tcp.mpls.local   service = 0 100 88 ipaserver2.mpls.local.
> > >>>_kerberos-master._tcp.mpls.local   service = 0 100 88 ipaserver.mpls.local.
> > >>>
> > >>>[root@ipaclient ~]# nslookup -type=srv _kerberos-master._udp
> > >>>Server:172.16.112.5
> > >>>Address:172.16.112.5#53
> > >>>
> > >>>_kerberos-master._udp.mpls.local   service = 0 100 88 ipaserver.mpls.local.
> > >>>_kerberos-master._udp.mpls.local   service = 0 100 88 ipaserver2.mpls.local.
> > >>>
> > >>>
> > >>>[root@ipaclient ~]# kinit mike
> > >>>kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting
> > >>>initial credentials
> > >>>
> > >>>[root@ipaserver ~]#ifup eth0
> > >>>
> > >>>[root@ipaclient ~]# kinit mike
> > >>>Password for mike@MPLS.LOCAL:
> > >>
> > >>I'd start with the sssd logs. Is it seeing the main server go offline
> > >>and not switching to the second one? Or is it going into offline mode?
> > >>
> > >>Do you have _srv_ or both servers listed in ipa_server in
> > >>/etc/sssd/sssd.conf?
> > >>
> > >>rob
> > >>
> > >Rob, maybe I am missing something, but how is SSSD related in this case?
> > >The test is done using kinit not SSSD.
> > >
> > >It would actually be an interesting test to try the same via SSSD for
> > >example do su to mike instead of kinit and see what would happen (watch
> > >SSSD logs with high debug level, 8 for example).
> > >If that works it would probably mean that kinit does not fail over
> > >properly. So this would be a Kerberos kinit bug not IPA/SSSD bug.
> > >
> > 
> > SSSD controls the Kerberos locator. If SSSD isn't detecting that the
> > KDC is down then it is going to point the user to a non-working
> > server.
> > 
> > rob
> 
> The SSSD only creates the file used by the locator when the first auth
> request comes in through the SSSD (in the case of the IPA backend even an
> identity lookup would do because it's GSSAPI-encrypted).
> 
> Bottom line, just logging in as root and performing kinit is not enough,
> kinit completely bypasses the SSSD and talks to the Kerberos server
> directly.

We have been discussing with Stephen about changing how the locator
plugin works.
Currently it is completely passive, ie it only reads a file and acts on
it.

We discussed making the locator plugin able to 'ping' sssd and
ask it to refresh the status of the file.
However this is trickier than it sounds because we do not want to
contact sssd every single time DNS resolution is needed, so we may have
to put expiration timestamps or similar. We also need to properly back
off if sssd is not responding and so on.

Requires some careful design to avoid turning it into a worst case for
every resolution instead of an annoyance only once in a while.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
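
Added example (mine, not code from the thread or from FreeIPA/SSSD): the
client-side behaviour the discussion above expects from a Kerberos client
that discovers KDCs through DNS, namely RFC 2782 ordering of the SRV
records and a walk through the targets until one answers. The records are
the ones pasted from the IPA DNS page earlier in this message, with
mpls.local assumed as the zone origin; the reachability probe is a stub,
and the "down" set stands in for the "ifdown eth0" step in the test above.

```python
"""Added example, not code from the thread: RFC 2782 SRV selection with
failover, run over the _kerberos SRV records pasted from the IPA DNS page.

Everything here is constructed for illustration: the records are copied from
the message above (zone origin "mpls.local" is assumed), and the reachability
probe is a stub standing in for a real connect() to port 88."""
import random
from collections import defaultdict

# Copied from the DNS page in the message; continuation lines carry only the
# SRV data, so the owner name is inherited from the previous record.
ZONE_SRV_TEXT = """\
_kerberos-master._tcp SRV 0 100 88 ipaserver
  SRV 0 100 88 ipaserver2
_kerberos._tcp SRV 0 100 88 ipaserver
 SRV 0 100 88 ipaserver2
_kpasswd._tcp SRV 0 100 464 ipaserver
 SRV 0 100 464 ipaserver2
"""


def parse_srv(text, origin="mpls.local"):
    """Return {owner FQDN: [(priority, weight, port, target FQDN), ...]}."""
    records = defaultdict(list)
    owner = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        tokens = raw.split()
        if not raw[0].isspace():          # a new owner name starts the line
            owner = tokens.pop(0)
        if owner is None or tokens[0] != "SRV":
            raise ValueError(f"unparseable record line: {raw!r}")
        prio, weight, port, target = tokens[1:5]
        fqdn = target if target.endswith(".") else f"{target}.{origin}."
        records[f"{owner}.{origin}."].append((int(prio), int(weight), int(port), fqdn))
    return dict(records)


def order_targets(rrset, seed=None):
    """Order an SRV RRset the way RFC 2782 tells clients to: lowest priority
    first; within one priority, repeatedly pick a target with probability
    proportional to its weight. Weight-0 targets are only chosen when no
    weighted target is left in the pool."""
    rng = random.Random(seed)
    by_prio = defaultdict(list)
    for rec in rrset:
        by_prio[rec[0]].append(rec)
    ordered = []
    for prio in sorted(by_prio):
        pool = list(by_prio[prio])
        while pool:
            total = sum(rec[1] for rec in pool)
            chosen = pool[0]
            if total > 0:
                point, running = rng.randrange(total), 0
                for rec in pool:
                    running += rec[1]
                    if point < running:
                        chosen = rec
                        break
            pool.remove(chosen)
            ordered.append(chosen)
    return ordered


def find_kdc(records, name, reachable, seed=None):
    """Walk the ordered targets and return the first (host, port) that answers,
    or None, which is the "Cannot contact any KDC" case."""
    for _prio, _weight, port, target in order_targets(records.get(name, []), seed):
        if reachable(target, port):
            return target, port
    return None


if __name__ == "__main__":
    recs = parse_srv(ZONE_SRV_TEXT)
    down = {"ipaserver.mpls.local."}          # simulates "ifdown eth0" on ipaserver
    probe = lambda host, port: host not in down   # stub for a TCP connect to port 88
    print(find_kdc(recs, "_kerberos._tcp.mpls.local.", probe, seed=1))
```

Run it as a script to see which KDC gets picked while ipaserver is down;
find_kdc returning None is the "Cannot contact any KDC for realm" outcome.
A real client also consults the kdc = entries under [realms] in krb5.conf,
which this example leaves out.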


Re: [Freeipa-users] ipa host-del

2012-09-05 Thread Simo Sorce
On Wed, 2012-09-05 at 15:41 -0400, John Dennis wrote:
> On 09/05/2012 02:40 PM, george he wrote:
> > Thanks a lot. It's deleted now!
> > The .jar thing (i.e. jss4.jar, osutil.jar, and symkey.jar) was pointing
> > to /usr/lib/..., but when I was struggling, I read on the web there was
> > a post saying they should point to /usr/lib64/..., so I changed them.
> > The weird thing is I THINK they were pointing to existing files, but now
> > they are not.
> > So I changed the links one more times to make them pointing to
> > /usr/lib/..., restarted ipa, and host-del worked.
> > Thanks again, guys.
> > George
> 
> Glad it's working. Obviously we would like to know how you got into this 
> situation and perhaps open a bug. But unfortunately since you've 
> manually changed links it's hard to know if the logic used to update an 
> existing system is robust or not. I recall when the issue of where to 
> locate native jars on 64bit came up there was a fair amount of back and 
> forth over where things would be installed and which links to introduce. 
> Unfortunately I do not recall the final resolution, it might be that the 
> tomcat instances were supposed to continue to point to /usr/lib/java and 
> links would be set up there to point to the 64bit version. In any event 
> I don't think we can file a bug at this point, but perhaps we need to 
> pay attention and see if anyone else gets bitten by this.

I just recently had to fix this for my 'stable' install too, seems like
we need to do better on upgrades going forward.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] time limiting users

2012-09-04 Thread Simo Sorce
On Tue, 2012-09-04 at 21:18 +, Steven Jones wrote:
> Is it possible to limit when users can login?
> 
Initially we had plans to do time based rules as part of HBAC.

However we decided to step back and wait on that front.

Time based rules sound simple, but are very complex, both to understand
and implement. Especially as soon as you start considering timezones,
how to express them reasonably and which one to consider (the server's
timezone or the client's timezone ?) and so on ...

So in a nutshell, no at the moment we do not support time based rules.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] sudden ipa errors.

2012-08-23 Thread Simo Sorce
- Original Message -
> I have a RHEL ipa server setup and running.  It's been running for a
> while now, and suddenly, today, i'm having trouble authenticating to
> it, or changing my password.
> 
> The error i'm getting at the command line is:
> 
> [lagern@ipaserver PROD ~]$ ipa passwd
> Current Password:
> New Password:
> Enter New Password again to verify:
> ipa: ERROR: cannot connect to
> u'http://ipaserver.lafayette.edu/ipa/xml': Internal Server Error
> 
> Looking at /var/log/httpd/error and access logs i see:
> 
> [Wed Aug 22 13:18:07 2012] [error] [client  gss_acquire_cred() failed: Unspecified GSS failure.  Minor code may
> provide more information (, Unknown error), referer:
> https://ipaserver.lafayette.edu/ipa/xml
> 
> I'm wading through google at the moment, to see if i can find a fix,
> but i'm coming up empty.


Can you check if the http keytab is ok ?

kinit -kt /etc/httpd/conf/ipa.keytab HTTP/ipaserver.lafayette.edu

Does this command work ?

Simo.

-- 
Simo Sorce * Red Hat, Inc. * New York

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
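
Added example (mine, not from the thread or from FreeIPA): Simo's check
above boils down to "does /etc/httpd/conf/ipa.keytab hold a usable key for
HTTP/ipaserver.lafayette.edu", which is what klist -kt shows and what
kinit -kt needs before it ever contacts the KDC. The script reads the MIT
keytab file format directly and reports principal, kvno and enctype per
entry. The keytab it inspects is built inside the script from constructed
dummy keys; the realm LAFAYETTE.EDU and the kvno are assumptions, the
message only shows the host name.

```python
"""Added example, not code from the thread: read an MIT keytab the way
"klist -kt" does, then answer what "kinit -kt" has to know before talking to
the KDC: is there a key for the service principal, with which kvno and
enctypes. The sample keytab is built here from constructed key material; the
realm LAFAYETTE.EDU is an assumption, the message only shows the host name."""
import struct

KEYTAB_MAGIC = b"\x05\x02"        # MIT keytab file format version 2
KRB5_NT_PRINCIPAL = 1
ENCTYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
                 23: "arcfour-hmac", 3: "des-cbc-md5"}


def _counted(b):
    """Keytab strings and keys are 16-bit length-prefixed, big-endian."""
    return struct.pack(">H", len(b)) + b


def build_keytab(entries, with_vno32=True):
    """Serialise [(principal, kvno, enctype, key, timestamp), ...] into keytab
    bytes. with_vno32=False mimics old writers that stored only the 8-bit vno."""
    out = bytearray(KEYTAB_MAGIC)
    for principal, kvno, enctype, key, ts in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        body += b"".join(_counted(c.encode()) for c in comps)
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, ts, kvno & 0xFF)
        body += struct.pack(">H", enctype) + _counted(key)
        if with_vno32:
            body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body   # size excludes itself
    return bytes(out)


class _Cursor:
    def __init__(self, data, pos):
        self.data, self.pos = data, pos

    def take(self, fmt):
        vals = struct.unpack_from(fmt, self.data, self.pos)
        self.pos += struct.calcsize(fmt)
        return vals if len(vals) > 1 else vals[0]

    def counted(self):
        n = self.take(">H")
        s = self.data[self.pos:self.pos + n]
        self.pos += n
        return s


def parse_keytab(data):
    """Return one dict per live entry; negative-size slots are deleted entries."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 MIT keytab")
    cur, entries = _Cursor(data, 2), []
    while cur.pos + 4 <= len(data):
        size = cur.take(">i")
        if size < 0:                      # free slot left behind by a removal
            cur.pos += -size
            continue
        end = cur.pos + size
        ncomp = cur.take(">H")
        realm = cur.counted().decode()
        comps = [cur.counted().decode() for _ in range(ncomp)]
        name_type, timestamp, vno8 = cur.take(">IIB")
        enctype = cur.take(">H")
        key = cur.counted()
        # A 32-bit kvno follows only when the entry has room for it; a zero
        # value is treated as absent and the 8-bit field (wraps at 256) is used.
        vno32 = cur.take(">I") if end - cur.pos >= 4 else 0
        cur.pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "kvno": vno32 or vno8, "enctype": enctype,
                        "key_len": len(key), "timestamp": timestamp,
                        "name_type": name_type})
    return entries


def check_keytab(data, principal):
    """The pre-flight 'kinit -kt' needs: None if the principal is absent, else
    its highest kvno and the enctypes available at that kvno."""
    hits = [e for e in parse_keytab(data) if e["principal"] == principal]
    if not hits:
        return None
    kvno = max(e["kvno"] for e in hits)
    return {"kvno": kvno, "enctypes": sorted(e["enctype"] for e in hits if e["kvno"] == kvno)}


# Constructed sample of what /etc/httpd/conf/ipa.keytab might hold for the
# HTTP service. Keys are dummy bytes of the right length, not real key material.
HTTP_PRINC = "HTTP/ipaserver.lafayette.edu@LAFAYETTE.EDU"
SAMPLE_ENTRIES = [
    (HTTP_PRINC, 3, 18, bytes(range(32)), 1345650000),
    (HTTP_PRINC, 3, 17, bytes(range(16)), 1345650000),
]

if __name__ == "__main__":
    kt = build_keytab(SAMPLE_ENTRIES)
    for e in parse_keytab(kt):
        print(e["kvno"], e["timestamp"], e["principal"],
              ENCTYPE_NAMES.get(e["enctype"], e["enctype"]))
    print(check_keytab(kt, HTTP_PRINC))
```

If the principal is missing, or the kvno in the file is older than the one
the KDC holds for it (kvno HTTP/ipaserver.lafayette.edu, run with a user
ticket, shows the KDC's view), the keytab needs to be re-fetched with
ipa-getkeytab; either condition is one way to end up with the
gss_acquire_cred() failure quoted above.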


Re: [Freeipa-users] Specifying load balancing to SSSD clients

2012-08-21 Thread Simo Sorce
- Original Message -
> I think I'll raise a ticket then.  Not that the _srv_ records don't
> do
> the right job.  It's just that in my scenario they are unusable.  I
> can't be alone in deploying IPA in a network already "dominated" by
> AD.
> 
> For now (as I said in another reply), I'll randomly configure clients
> to
> either ipa1/ipa2 or ipa2/ipa1.

You are not alone but we strongly suggest to use a separate DNS domain for 
FreeIPA server, and if possible for its clients. Either a same level domain or, 
at least, a delegated zone.

For example:

corp.domain.com -> AD
unix.domain.com -> FreeIPA

with forwards between them.

Or
domain.com -> AD
domain.net -> FreeIPA

again with forwards

Or
domain.com -> AD
unix.domain.com -> FreeIPA

with AD delegating out the unix. subdomain to FreeIPA.

In general we strongly suggest not using the same DNS domain for AD and FreeIPA 
domain as using the same domain name makes it impossible to have kerberos level 
interop between the 2 domains otherwise (cannot establish trust relationships 
if they use the same DNS domain and/or the same realm name for example).


Simo.

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] Which AD server is used by FreeIPA

2012-08-21 Thread Simo Sorce
- Original Message -
> Hello,
> I'm trying to build trust between FreeIPA and Windows Server 2008R2.
> It is said that FreeIPA uses samba as the AD server, but I found
> that 389 Directory Server is also installed. So which is used as the
> directory service for FreeIPA. If it is samba, why 389 Director
> Server is needed?

Hi Tengda,
FreeIPA uses some samba components to handle windows specific operations, but 
does NOT use Samba as an AD server. In fact FreeIPA is not an AD compatible 
server and you cannot join Windows machines to it.

This is why we focused on trusts relationships.
Our model is based on keeping Windows and Linux machines separate. Windows 
machines will use their native AD environment, while Linux machines are joined to 
the FreeIPA domain and have Linux-oriented management options not available in 
AD domains (HBAC, SELinux integration, netgroups, sudo integration and so on..).

389 Directory Server is the information store for the FreeIPA server and all 
services use it to store/read data.

HTH,
Simo.

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] Specifying load balancing to SSSD clients

2012-08-21 Thread Simo Sorce
- Original Message -
> Thanks Simo,
> 
> I was hoping for an alternative to the DNS _srv_ records due to the
> Windows guys having exclusive use of those records (for now).
> 
> Is it feasible for IPA communications to be "force" round robined
> between two or more servers that are replicas of each other?  If it's
> a
> possibility, I will raise a ticket.

The easiest solution for now is to configure your clients by using the primary 
and backup options in SSSD, and just configure clients to have different 
orders, so that they will attach to separate servers by default.

I.e. client 1 has primary servers of "ipa1, ipa2", while client 2 has "ipa2, 
ipa1", and so on.

Without control of name resolution on the server side at the moment we do not 
have other ways to do load balancing.

Simo.


> Thanks
> 
> Duncan Innes | Linux Architect
> 
>  
> 
> > -Original Message-
> > From: Simo Sorce [mailto:sso...@redhat.com]
> > Sent: 21 August 2012 08:04
> > To: Innes, Duncan
> > Cc: freeipa-users@redhat.com
> > Subject: Re: [Freeipa-users] Specifying load balancing to SSSD
> > clients
> > 
> > - Original Message -
> > > OK - thanks.
> > >  
> > > But is there any way IPA can be tweaked to do this without an
> > > "external"
> > > product (albeit a Red Hat one)?  Is it possible for the
> > sssd clients
> > > to round-robin their requests between 2 or more servers?
> > 
> > At the moment only by using _srv_ records you could do some
> > round-robin (assuming DNS supports it).
> > 
> > Please do not use the load balancer as suggested in a previous
> > reply; also using an A record would not work as machines
> > joined to IPA need the 'correct' server name to be able to
> > perform GSSAPI authentication. A round-robin A record would
> > make that fail. A round-robin CNAME record might work if your
> > DNS server supports something like that.
> > 
> > > Is this an sssd question or generic enough to be in this list?
> > 
> > It's both, SSSD implements the client, but in FreeIPA domains
> > we need a joint solution due to Kerberos requirements for DNS
> > names.
> > 
> > > Would this functionality be of use to freeIPA in general?
> > (my view =
> > > yes)
> > 
> > Yes.
> > 
> > HTH,
> > Simo.
> >  
> > > Cheers
> > >  
> > > Duncan Innes | Linux Architect
> > > 
> > > 
> > > 
> > > 
> > > 
> > >   From: Mark St. Laurent [mailto:mstla...@redhat.com]
> > >   Sent: 20 August 2012 15:15
> > >   To: Innes, Duncan
> > >   Cc: freeipa-users@redhat.com
> > >   Subject: Re: [Freeipa-users] Specifying load balancing to SSSD
> > > clients
> > >   
> > >   
> > >   
> > > 
> > http://www.redhat.com/products/enterprise-linux-add-ons/load-balancing
> > > /
> > >   
> > >   
> > >   Norman "Mark" St. Laurent
> > >   Federal Team: Senior Solutions Architect
> > >   Red Hat
> > >   8260 Greensboro Drive, Suite 300
> > >   McLean VA, 22102
> > >   Email:  m...@redhat.com
> > >   Cell:  703.772.1434
> > >   
> > >   Check this Link out!!!  Cool Stuff:  http://mil-oss.org/
> > >   
> > >   
> > > 
> > > 
> > >   From: "Duncan Innes" 
> > >   To: freeipa-users@redhat.com
> > >   Sent: Monday, August 20, 2012 9:48:30 AM
> > >   Subject: [Freeipa-users] Specifying load balancing to
> > SSSD clients
> > >   
> > >   Folks,
> > >   
> > >   Hopefully this isn't a dumb question, but I'm
> > constrained by a few
> > >   things on my estate and would be looking to deploy
> > something like the
> > >   following:
> > >   
> > >   2 Datacentres
> > >   2 IPA servers at each datacentre
> > >   
> > >   ipa1.domain.com \_ datacentre A
> > >   ipa2.domain.com /
> > >   
> > >   ipa3.domain.com \_ datacentre B
> > >   ipa4.domain.com /
> > >   
> > >   The datacentres are linked, but bandwidth not great.
> > >   
> > >   Client's in datacentre A should therefore use
> > ipa1.domain.com and
> > >   ipa2.domain.com as primary servers and only fail over to ipa3 &
> > > ipa4
> > >   when both 1 &

Re: [Freeipa-users] Specifying load balancing to SSSD clients

2012-08-21 Thread Simo Sorce
- Original Message -
> OK - thanks.
>  
> But is there any way IPA can be tweaked to do this without an
> "external"
> product (albeit a Red Hat one)?  Is it possible for the sssd clients
> to
> round-robin their requests between 2 or more servers?

At the moment only by using _srv_ records you could do some round-robin 
(assuming DNS supports it).

Please do not use the load balancer as suggested in a previous reply; also using 
an A record would not work as machines joined to IPA need the 'correct' server 
name to be able to perform GSSAPI authentication. A round-robin A record would 
make that fail. A round-robin CNAME record might work if your DNS server 
supports something like that.

> Is this an sssd question or generic enough to be in this list?

It's both, SSSD implements the client, but in FreeIPA domains we need a joint 
solution due to Kerberos requirements for DNS names.

> Would this functionality be of use to freeIPA in general? (my view = yes)

Yes.

HTH,
Simo.
 
> Cheers
>  
> Duncan Innes | Linux Architect
> 
> 
> 
> 
> 
>   From: Mark St. Laurent [mailto:mstla...@redhat.com]
>   Sent: 20 August 2012 15:15
>   To: Innes, Duncan
>   Cc: freeipa-users@redhat.com
>   Subject: Re: [Freeipa-users] Specifying load balancing to SSSD
> clients
>   
>   
>   
> http://www.redhat.com/products/enterprise-linux-add-ons/load-balancing/
>   
>   
>   Norman "Mark" St. Laurent
>   Federal Team: Senior Solutions Architect
>   Red Hat
>   8260 Greensboro Drive, Suite 300
>   McLean VA, 22102
>   Email:  m...@redhat.com
>   Cell:  703.772.1434
>   
>   Check this Link out!!!  Cool Stuff:  http://mil-oss.org/
>   
>   
> 
> 
>   From: "Duncan Innes" 
>   To: freeipa-users@redhat.com
>   Sent: Monday, August 20, 2012 9:48:30 AM
>   Subject: [Freeipa-users] Specifying load balancing to SSSD
> clients
>   
>   Folks,
>   
>   Hopefully this isn't a dumb question, but I'm constrained by a
> few
>   things on my estate and would be looking to deploy something
> like the
>   following:
>   
>   2 Datacentres
>   2 IPA servers at each datacentre
>   
>   ipa1.domain.com \_ datacentre A
>   ipa2.domain.com /
>   
>   ipa3.domain.com \_ datacentre B
>   ipa4.domain.com /
>   
>   The datacentres are linked, but bandwidth not great.
>   
>   Client's in datacentre A should therefore use ipa1.domain.com
> and
>   ipa2.domain.com as primary servers and only fail over to ipa3 &
> ipa4
>   when both 1 & 2 are out of action.  Clients would revert to
> using
>   ipa1/ipa2 whenever either of them came back online.
>   
>   I understand this configuration has already been done as part of
>   https://fedorahosted.org/freeipa/ticket/2282
>   
>   What I'm wondering is if I can force my clients to load balance
>   communication between ipa1 & ipa2.
>   
>   I don't have the ability to use the _srv_ records in DNS as
> that's set
>   up for the AD servers on our network.  I also can't create
> separate DNS
>   servers for the Linux estate (not that I'd particularly want
> to).
>   
>   Is there any current configuration that I can use to force load
>   balancing between ipa1/ipa2 under ideal conditions.  Falling
> back to
>   ipa2 when ipa1 is out of action.  Falling back to (load balanced
>   perhaps?) ipa3/ipa4 when ipa1 & ipa2 are both out of action.
>   
>   Hope the description is reasonable.
>   
>   Thanks
>   
>   Duncan Innes | Linux Architect
>   
> 
> 
> 
> Northern Rock plc is part of the Virgin Money group of companies.
> 
> This e-mail is intended to be confidential to the recipient. If you
> receive a copy in error, please inform the sender and then delete
> this message.
> 
> Virgin Money Personal Financial Service Limited is authorised and
> regulated by the Financial Services Authority. Company no. 3072766.
> 
> Virgin Money Unit Trust Managers Limited is authorised and regulated
> by the Financial Services Authority. Company no. 3000482.
> 
> Virgin Money Cards Limited. Introducer appointed representative only
> of Virgin Money Personal Financial Service Limited. Company no.
> 4232392.
> 
> Virgin Money Management Services Limited. Company no. 3072772.
> 
> Virgin Money Holdings (UK) Limited. Company no. 3087587.
> 
> Each of the above companies is registered in England and Wales and
> has its registered office at Discovery House, Whiting Road, Norwich
> NR4 6EJ.
> 
> Northern Rock plc. Authorised and regulated by the Financial Services
> Authority. Registered in England and Wales (Company no. 6952311)
> with its registered office at Northern Rock House, Gosforth,
> Newcastle upon Tyne NE3 4PL.
> 
> The above companies use the trading name Virgin Money.
> 
> 
> _

Re: [Freeipa-users] IPA over the Internet - Security Implications

2012-08-17 Thread Simo Sorce
- Original Message -
> Hi,
> 
> Let us assume just the two systems directly connected to the
> internet.  I am specifically interested in what the security
> implications would be, not ways to get around them (e.g. point-to-
> point tunnel).  I have read that kerberos was designed for untrusted
> networks, just how untrusted can they be?

I would say that it really depends on your threat model.
With recent versions of FreeIPA we disable by default using DES keys which were 
certainly not really secure anymore, given you can easily break DES encryption 
in a short enough period and without the need for expensive hardware these 
days. AES and RC4 which are the common ones used and even 3DES should be robust 
enough to allow to operate in safety, even if traffic is captured and brute 
force attacked, for the ticket validity period.

We also always enable required preauthentication by default for all 
principals, which avoids attacks against TGT packets.

What you may want to do however is harden the LDAP server configuration a bit.
You probably want to prevent anonymous connections and also make sure all 
connections always are encrypted by setting the right minssf limits.

You need also to decide if you want to expose admin interfaces (kadmin, http) 
over the internet or only krb5/ldap.

Simo.

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] New FreeIPA Install; Testing for Proof of Concept

2012-08-12 Thread Simo Sorce


- Original Message -
> On 08/08/2012 08:07 PM, Simo Sorce wrote:
> > On Wed, 2012-08-08 at 19:59 +0200, Petr Spacek wrote:
> >> On 08/08/2012 07:27 PM, Rob Ogilvie wrote:
> >>> On Wed, Aug 8, 2012 at 9:06 AM, Petr Spacek 
> >>> wrote:
> >>>> Best way is to create subdomain UNIX.MYCOMPANY.COM and fill it
> >>>> with proper
> >>>> SRV records (or let IPA to manage it).
> >>>
> >>> Ugh, I hope this doesn't end up pushing us back to NIS.
> >>>
> >>> If I can get our infrastructure guys to buy off on making a
> >>> unix.mycompany.com subdomain in DNS, would I need to move all the
> >>> hosts to be under that subdomain in DNS?  I have some services
> >>
> >> Definitely not. You can create subdomain UNIX.MYCOMPANY.COM, fill
> >> it with SRV
> >> records and leave this subdomain without hosts (maybe except IPA
> >> servers ...).
> >> It is not necessary to rename all hosts.
> >>
> >> Problem is simple - Kerberos libraries have to know where KDCs are
> >> located -
> >> and DNS is standardized way how to accomplish it.
> >>
> >> Let me quote another reply from this thread:
> >> On 08/08/2012 06:14 PM, KodaK wrote:
> >>   > You*could*  use something like puppet to manage your krb5.conf
> >>   > files
> >>   > (I have to with our AIX machines.)
> >>   >
> >>   > Also, it's important to note that your REALM does NOT need to
> >>   > match
> >>   > your dns domain name
> >>   > It's a convenience, and it's very, very helpful to do so, but
> >>   > it is
> >>   > possible to have a REALM called
> >>   > "MIDDLEEARTH" if you wanted.  I'm not sure how IPA would deal
> >>   > with
> >>   > that, but I know you
> >>   > can do it in straight up Kerberos.
> >>
> >>
> >>> configured that are difficult to rename the DNS domain of.
> >>>  Could, for
> >>> instance, host-one.mycompany.com be part of the
> >>> UNIX.MYCOMPANY.COM
> >>> realm, given a MYCOMPANY.COM realm also exists?
> >>
> >> Yes, it could.
> >>
> >>>
> >>> I could then put some SRV records into the subdomain's zone to
> >>> point
> >>> the kerberos stuff to the IPA server, change the domain on the
> >>> IPA
> >>> server, change the realm on the IPA server, re-register clients,
> >>> and
> >>> everything would be happy?
> >>
> >> I get lost in the renaming part. Can you describe your idea in
> >> bigger detail?
> >>
> >>>
> >>> Ugh... actually... now that I think about this, I don't think I
> >>> want
> >>> half my servers in a unix subdomain in DNS, which means DNS and
> >>> realm
> >>> wouldn't match...
> >>>
> >>> Thoughts?  Aside from rebuilding the infrastructure I've built
> >>> already?  :-)
> >>
> >> Let all machines in MYCOMPANY.COM and use IPA realm
> >> UNIX.MYCOMPANY.COM.
> >> IMHO it is simplest way.
> >>
> >>
> >> This limitation comes from Kerberos: You are trying to use *single
> >> domain
> >> name* for *two independent Kerberos realms* - it is principally
> >> not possible.
> >
> > I just need to point out one problem with leaving all machines under
> > MYDOMAIN.COM, and that is if you later want to make a trust (option
> > available starting from ipa 3.0) between the AD realm and the IPA
> > realm,
> > the machines in the mydomain.com domain will not be able to be
> > accessed
> > by the users of the AD realm. That is because the machines joined
> > to the
> > AD realm will think that the mydomain.com machines are always
> > served up
> > by the AD domain.
> >
> > On the IPA side you may also have some issues as you will not be able
> > to
> > tell IPA clients that they need to ask the AD KDC for the hosts
> > under
> > mydomain.com
> >
> > So ultimately, I would put as many machines as you can under
> > UNIX.MYDOMAIN.COM, to minimize confusion in case later on you want
> > to
> > establish a trust between the AD domain and the IPA domain.
> >
> > Simo.
> >
> Is possible to workaround these problems with hostname-realm
> mappings?
> 
> It is not clear solution, I know, but it should be doable for limited
> set of
> unix machines.
> AFAIK Windows AD (I tested it with 2008 R2) has ability to set
> hostname-realm
> mappings through Group policy.

Yes from the Linux side it is possible to map single hostnames to a realm, so 
the top domain could be generally mapped to the AD realm, and then single hosts 
mapped to the IPA realm. This is not possible for windows machines in the AD 
domain though (afaik).

Simo.

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] New FreeIPA Install; Testing for Proof of Concept

2012-08-08 Thread Simo Sorce
On Wed, 2012-08-08 at 12:16 -0700, Rob Ogilvie wrote:
> On Wed, Aug 8, 2012 at 11:52 AM, Simo Sorce  wrote:
> > On Wed, 2012-08-08 at 11:23 -0700, Rob Ogilvie wrote:
> > > -I'm going to set up the IPA server with a new realm;
> > > UNIX.MYCOMPANY.COM (do I need to have our DNS folks put an SRV record
> > > up there for that?  If so, what?)
> >
> > If your DNS people want to manually manage DNS for you then they need to
> > create the unix.mydomain.com zone and manually create SRV and TXT
> > records for kerberos and ldap IPA servers.
> 
> Is there a doc that explains what those SRV and TXT records need to look like?

When you install freeipa it will generate a zone file if DNS is not
installed as well, that's probably the most complete example.

> > > -I'm going to try registering testserver.mycompany.com server as part
> > > of the UNIX.MYCOMPANY.COM realm.
> > >
> > > Sound reasonable and/or sane?  :-)
> >
> > for the ipa server it should be in the unix.mydomain.com DNS zone to be
> > useful.
> 
> The IPA server needs to be part of the unix.mycompany.com domain,
> then, and the IPA clients do not?

The simplest setup is when all clients are part of the same DNS zone
which is not shared with an AD setup.
Unlike AD we do not force all client to be positioned in the same DNS
zone, however if you have clients not belonging to the same DNS domain
you may have to change the krb5.conf file on all members of the realm to
add additional [domain_realm] mappings so that you can tell that clients
in zone foo.net are also to be looked for in the UNIX.MYDOMAIN.COM realm
and its KDC.
We are going to make it simpler to add these domains centrally in
FreeIPA and have SSSD automatically provide these mappings on all
clients, but this work is being done in v 3.0. For now it needs to be
manually configured on each client.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
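
Added example (mine, not from the thread or from FreeIPA): the
[domain_realm] lookup that the two messages above rely on, so that a
client can tell which hosts are served by the AD realm and which by the
IPA realm, and what the extra mappings for clients living in another DNS
zone look like. It follows the matching order documented for MIT
krb5.conf (exact host name first, then each parent domain with a leading
dot, an undotted entry also standing for its subdomains unless a dotted
one is given). The mapping table is constructed for the scenario in this
thread: MYCOMPANY.COM for AD and UNIX.MYCOMPANY.COM for IPA, host-one and
the foo.net zone are the cases mentioned above, and the rest is assumed.

```python
"""Added example, not code from the thread: the [domain_realm] lookup krb5
libraries perform when deciding which realm (and so which KDC) owns a host,
following the matching order documented for MIT krb5.conf. The mapping is
constructed for this thread's scenario; only MYCOMPANY.COM, UNIX.MYCOMPANY.COM,
host-one.mycompany.com and foo.net come from the messages."""


def _effective_table(domain_realm):
    """Lower-case the keys and apply the documented rule that a host-name
    entry "d = REALM" also supplies ".d = REALM" unless given explicitly."""
    table = {k.lower(): v for k, v in domain_realm.items()}
    for key, realm in list(table.items()):
        if not key.startswith(".") and "." + key not in table:
            table["." + key] = realm
    return table


def host_realm(hostname, domain_realm, default_realm=None):
    """Return (realm, entry that matched). Exact host name first, then each
    parent domain with a leading dot from the longest down; otherwise the
    default realm with no matching entry."""
    table = _effective_table(domain_realm)
    host = hostname.rstrip(".").lower()
    if host in table:
        return table[host], host
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in table:
            return table[suffix], suffix
    return default_realm, None


def render_domain_realm(domain_realm):
    """Emit the section as it would be pasted into /etc/krb5.conf."""
    lines = ["[domain_realm]"]
    lines += [f"  {k} = {v}" for k, v in domain_realm.items()]
    return "\n".join(lines) + "\n"


# Constructed mapping for a client that must reach both realms.
DOMAIN_REALM = {
    ".mycompany.com": "MYCOMPANY.COM",               # AD owns the top domain
    "mycompany.com": "MYCOMPANY.COM",
    ".unix.mycompany.com": "UNIX.MYCOMPANY.COM",     # IPA's own zone
    "unix.mycompany.com": "UNIX.MYCOMPANY.COM",
    "host-one.mycompany.com": "UNIX.MYCOMPANY.COM",  # one host carved out of AD's zone
    ".foo.net": "UNIX.MYCOMPANY.COM",                # clients in another DNS zone
}

if __name__ == "__main__":
    print(render_domain_realm(DOMAIN_REALM))
    for h in ("host-one.mycompany.com", "dc1.mycompany.com",
              "ipa1.unix.mycompany.com", "www.foo.net", "db.example.org"):
        print(h, "->", host_realm(h, DOMAIN_REALM, "UNIX.MYCOMPANY.COM"))
```

host_realm returns the entry that matched, so a wrong mapping shows up as
which line won; render_domain_realm prints the section to drop into
krb5.conf on each client. Windows members of the AD domain do not read
this file, which is the limitation Simo points out above.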


Re: [Freeipa-users] New FreeIPA Install; Testing for Proof of Concept

2012-08-08 Thread Simo Sorce
On Wed, 2012-08-08 at 11:23 -0700, Rob Ogilvie wrote:
> So here's my plan, then... let me know if it seems like it'll make sense?
> 
> -I'm going to uninstall everything IPA from the IPA server
> (ovm-auth.mycompany.com) after I unregister the client machines.
> 
> -I'm going to set up the IPA server with a new realm;
> UNIX.MYCOMPANY.COM (do I need to have our DNS folks put an SRV record
> up there for that?  If so, what?)

If your DNS people want to manually manage DNS for you then they need to
create the unix.mydomain.com zone and manually create SRV and TXT
records for kerberos and ldap IPA servers.

If they want to avoid having to manage DNS for you they can delegate the
subdomain to you and you can install DNS integration in IPA so critical
DNS record are automatically managed for you.

For tests you can also just use the FreeIPA integrated DNS server and
create your own DNS server there that forwards to your official DNS
servers for any query out of unix.mydomain.com (you point it to your
current DNS server when the installer asks for forwarders).
If you do this you will have to point your IPA clients to your IPA
server for DNS. And unless you get a zone delegation only machines
pointing directly at your server in their resolv.conf will be able to
see the unix.mydomain.com zone.

> -I'm going to try registering testserver.mycompany.com server as part
> of the UNIX.MYCOMPANY.COM realm.
> 
> Sound reasonable and/or sane?  :-)

for the ipa server it should be in the unix.mydomain.com DNS zone to be
useful.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] New FreeIPA Install; Testing for Proof of Concept

2012-08-08 Thread Simo Sorce
On Wed, 2012-08-08 at 19:59 +0200, Petr Spacek wrote:
> On 08/08/2012 07:27 PM, Rob Ogilvie wrote:
> > On Wed, Aug 8, 2012 at 9:06 AM, Petr Spacek  wrote:
> >> Best way is to create subdomain UNIX.MYCOMPANY.COM and fill it with proper
> >> SRV records (or let IPA to manage it).
> >
> > Ugh, I hope this doesn't end up pushing us back to NIS.
> >
> > If I can get our infrastructure guys to buy off on making a
> > unix.mycompany.com subdomain in DNS, would I need to move all the
> > hosts to be under that subdomain in DNS?  I have some services
> 
> Definitely not. You can create subdomain UNIX.MYCOMPANY.COM, fill it with SRV 
> records and leave this subdomain without hosts (maybe except IPA servers 
> ...). 
> It is not necessary to rename all hosts.
> 
> Problem is simple - Kerberos libraries have to know where KDCs are located - 
> and DNS is standardized way how to accomplish it.
> 
> Let me quote another reply from this thread:
> On 08/08/2012 06:14 PM, KodaK wrote:
>  > You*could*  use something like puppet to manage your krb5.conf files
>  > (I have to with our AIX machines.)
>  >
>  > Also, it's important to note that your REALM does NOT need to match
>  > your dns domain name
>  > It's a convenience, and it's very, very helpful to do so, but it is
>  > possible to have a REALM called
>  > "MIDDLEEARTH" if you wanted.  I'm not sure how IPA would deal with
>  > that, but I know you
>  > can do it in straight up Kerberos.
> 
> 
> > configured that are difficult to rename the DNS domain of.  Could, for
> > instance, host-one.mycompany.com be part of the UNIX.MYCOMPANY.COM
> > realm, given a MYCOMPANY.COM realm also exists?
> 
> Yes, it could.
> 
> >
> > I could then put some SRV records into the subdomain's zone to point
> > the kerberos stuff to the IPA server, change the domain on the IPA
> > server, change the realm on the IPA server, re-register clients, and
> > everything would be happy?
> 
> I get lost in the renaming part. Can you describe your idea in bigger detail?
> 
> >
> > Ugh... actually... now that I think about this, I don't think I want
> > half my servers in a unix subdomain in DNS, which means DNS and realm
> > wouldn't match...
> >
> > Thoughts?  Aside from rebuilding the infrastructure I've built already?  :-)
> 
> Leave all machines in MYCOMPANY.COM and use IPA realm UNIX.MYCOMPANY.COM.
> IMHO it is the simplest way.
> 
> 
> This limitation comes from Kerberos: You are trying to use *single domain 
> name* for *two independent Kerberos realms* - it is principally not possible.

I just need to point out one problem with leaving all machines under
MYDOMAIN.COM, and that is if you later want to make a trust (option
available starting from ipa 3.0) between the AD realm and the IPA realm,
the machines in the mydomain.com domain will not be able to be accessed
by the users of the AD realm. That is because the machines joined to the
AD realm will think that the mydomain.com machines are always served up
by the AD domain.

On the IPA side you may also have some issues, as you will not be able to
tell IPA clients that they need to ask the AD KDC for the hosts under
mydomain.com.

So ultimately, I would put as many machines as you can under
UNIX.MYDOMAIN.COM, to minimize confusion in case later on you want to
establish a trust between the AD domain and the IPA domain.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

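The following is an added example, not code from the thread or from FreeIPA. It models what an MIT-style Kerberos client does with the layout recommended above (hosts stay in mycompany.com, the IPA realm is UNIX.MYCOMPANY.COM): the [domain_realm] lookup that maps a hostname to a realm, the SRV names it then queries for KDCs, and the TXT names it would walk if dns_lookup_realm were on. The krb5.conf fragment and every hostname (host-one, ipa1, dc1, box.other.example) are constructed for the example; the parser only understands flat "key = value" sections, not the braces of [realms]. The dc1.mycompany.com lookup shows the trust gotcha Simo raises: the same ".mycompany.com" rule maps an AD host in that domain to the IPA realm, and nothing in this file is consulted by AD-joined members.

```python
"""Map hostnames to realms the way [domain_realm] does, and derive the
DNS names a client queries for the realm's KDCs. Constructed example."""
import re

# Constructed krb5.conf for a client whose hostname lives in mycompany.com
# but whose Kerberos realm is UNIX.MYCOMPANY.COM.
KRB5_CONF = """
[libdefaults]
  default_realm = UNIX.MYCOMPANY.COM
  dns_lookup_kdc = true
  dns_lookup_realm = false

[domain_realm]
  .unix.mycompany.com = UNIX.MYCOMPANY.COM
  unix.mycompany.com = UNIX.MYCOMPANY.COM
  .mycompany.com = UNIX.MYCOMPANY.COM
  mycompany.com = UNIX.MYCOMPANY.COM
"""


def parse_krb5_conf(text):
    """Return {section: {key: value}} for flat key = value sections."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':
            continue
        m = re.match(r'\[(\w+)\]$', line)
        if m:
            section = conf.setdefault(m.group(1), {})
            continue
        if section is not None and '=' in line:
            key, _, value = line.partition('=')
            section[key.strip().lower()] = value.strip()
    return conf


def realm_for_host(host, domain_realm, default_realm=None):
    """[domain_realm] lookup: an exact hostname entry wins, then the
    longest parent domain written with a leading dot, then the default
    realm. (The real library can also use DNS TXT records and KDC
    referrals; those are left out of this model.)"""
    host = host.lower().rstrip('.')
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split('.')
    for i in range(1, len(labels)):
        parent = '.' + '.'.join(labels[i:])
        if parent in domain_realm:
            return domain_realm[parent]
    return default_realm


def kdc_srv_names(realm):
    """SRV names queried with dns_lookup_kdc = true: the realm name is used
    as the DNS domain, which is why a zone unix.mycompany.com must exist
    (holding only SRV records) even if no host record lives in it."""
    zone = realm.lower()
    return ['_kerberos._udp.' + zone, '_kerberos._tcp.' + zone,
            '_kerberos-master._udp.' + zone, '_kpasswd._udp.' + zone]


def realm_txt_names(host):
    """TXT names walked with dns_lookup_realm = true when the host has no
    [domain_realm] entry: the hostname first, then each parent domain."""
    labels = host.lower().rstrip('.').split('.')
    return ['_kerberos.' + '.'.join(labels[i:]) for i in range(len(labels))]


if __name__ == '__main__':
    conf = parse_krb5_conf(KRB5_CONF)
    dr, default = conf['domain_realm'], conf['libdefaults']['default_realm']
    for h in ('host-one.mycompany.com', 'ipa1.unix.mycompany.com',
              'dc1.mycompany.com', 'box.other.example'):
        print('%-28s -> %s' % (h, realm_for_host(h, dr, default)))
    print(kdc_srv_names(default))
```

Run it as-is to see the mapping table; point `KRB5_CONF` at the contents of a real /etc/krb5.conf to check which realm a given hostname will be sent to before enrolling clients.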

Re: [Freeipa-users] New FreeIPA Install; Testing for Proof of Concept

2012-08-07 Thread Simo Sorce
On Tue, 2012-08-07 at 13:35 -0700, Rob Ogilvie wrote:
> On Tue, Aug 7, 2012 at 1:24 PM, Simo Sorce  wrote:
> > Kerberos depends on proper name resolution. If a hostname cannot be
> > resolved you cannot acquire tickets for it.
> > So if your host ovm-c19-db does not have a DNS entry (either using IPA's
> > DNS server or an external DNS server) you can't get tickets.
> > also name resolution generally must match the hostname as that is what
> > is used to register a client into ipa.
> 
> That seems fair.  DNS is well set up, though.  ovm-c19-db.
> exists in DNS and ovm-auth is able to resolve it by short hostname and
> FQDN.  On the client, hostname returns the FQDN, as well.
> 
> Is there anything in my log entries that make it look like it's a DNS
> problem?  Again, I must stress, I'm new with Kerberos.

Does klist -kt /etc/krb5.keytab return entries with the right hostname ?

If that works does ipa host-find list it ?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York


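An added example, not from the thread or from FreeIPA, of the check behind "does klist -kt return entries with the right hostname?". It parses `klist -kt` output and reports host principals whose hostname is not the machine's FQDN, the condition that yields a "Client 'host/<shortname>@REALM' not found in Kerberos database" error like the one quoted below. The two listings, the FQDN ovm-c19-db.example.test and the realm EXAMPLE.TEST are constructed for the example; a real keytab is only read when main() is run.

```python
"""Verify that a client's /etc/krb5.keytab holds host/<FQDN>@REALM.
Constructed klist output; see main() for running against a real keytab."""
import re
import socket
import subprocess
import sys

# Constructed `klist -kt` output from a client enrolled with a short
# hostname (the broken case) and with its FQDN (the good case).
KLIST_SHORT_NAME = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 08/07/12 12:40:01 host/ovm-c19-db@EXAMPLE.TEST
   2 08/07/12 12:40:01 host/ovm-c19-db@EXAMPLE.TEST
"""

KLIST_FQDN = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 08/07/12 12:40:01 host/ovm-c19-db.example.test@EXAMPLE.TEST
   2 08/07/12 12:40:01 host/ovm-c19-db.example.test@EXAMPLE.TEST
"""

PRINCIPAL_RE = re.compile(r'^(?P<service>[^/@\s]+)/(?P<host>[^@\s]+)@(?P<realm>\S+)$')


def keytab_principals(klist_text):
    """Unique principals from `klist -kt` output, in listing order. Entry
    lines start with a numeric KVNO and end with the principal; the
    timestamp format in between varies by krb5 version, so it is ignored."""
    seen = []
    for line in klist_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].isdigit() and parts[-1] not in seen:
            seen.append(parts[-1])
    return seen


def check_host_keytab(klist_text, fqdn, realm):
    """Return a list of problems with the host keys; empty means OK."""
    problems = []
    fqdn = fqdn.lower().rstrip('.')
    if '.' not in fqdn:
        problems.append('hostname %r is not fully qualified' % fqdn)
    wanted = 'host/%s@%s' % (fqdn, realm)
    found_wanted = False
    for princ in keytab_principals(klist_text):
        m = PRINCIPAL_RE.match(princ)
        if m is None:
            problems.append('cannot parse principal %r' % princ)
            continue
        if m.group('service') != 'host':
            continue  # keys for other services are out of scope here
        host = m.group('host').lower()
        if m.group('realm') != realm:
            problems.append('%s is for realm %s, expected %s'
                            % (princ, m.group('realm'), realm))
        if '.' not in host:
            problems.append('%s uses a short hostname; re-enroll with the FQDN' % princ)
        elif host != fqdn:
            problems.append('%s does not match this host (%s)' % (princ, fqdn))
        if host == fqdn and m.group('realm') == realm:
            found_wanted = True
    if not found_wanted:
        problems.append('no key for %s in keytab' % wanted)
    return problems


def main(argv):
    """Usage: check_keytab.py REALM  (runs klist on the real keytab)."""
    if len(argv) != 2:
        raise SystemExit('usage: %s REALM' % argv[0])
    out = subprocess.check_output(['klist', '-kt', '/etc/krb5.keytab']).decode()
    problems = check_host_keytab(out, socket.getfqdn(), argv[1])
    for p in problems:
        print('PROBLEM: ' + p)
    return 1 if problems else 0


if __name__ == '__main__':
    sys.exit(main(sys.argv))
```

If the short-name problem is reported, the fix is on the client side: make `hostname -f` return the FQDN that DNS resolves, then re-enroll so the host principal is created with that name (and confirm it with `ipa host-find`).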

Re: [Freeipa-users] New FreeIPA Install; Testing for Proof of Concept

2012-08-07 Thread Simo Sorce
On Tue, 2012-08-07 at 13:00 -0700, Rob Ogilvie wrote:
> Good Afternoon,
> 
> 
> I'm testing FreeIPA for a proof-of-concept replacement of NIS on OEL
> 6.3 (RHEL 6.3).  I followed the guide to set up the FreeIPA server,
> and it seems to be working great on the IPA server itself.  I can ssh
> in as admin, type my password, and I'm in.
> 
> 
> I then have been struggling with getting it going on client systems.
>  As I'm not setting any of this up with DNS (I want this to be as
> un-obtrusive as possible), I executed the following command:
> 
> 
> ipa-client-install --no-dns-sshfp --no-ntp --server=ovm-auth.
> --domain=
> 
> 
> It asked me for admin's username and password and threw a warning
> about getent passwd admin not returning anything.  Sure enough, it
> doesn't return anything on the client (although it does on the
> server).
> 
> 
> From the client, I'm able to kinit admin, type my password, and then
> passwordlessly ssh over to the auth server.
> 
> 
> I do see these entries in my log file on the client:
> 
> 
> Aug  7 12:52:56 ovm-c19-db [sssd[ldap_child[2010]]]: Failed to
> initialize credentials using keytab [(null)]: Client
> 'host/ovm-c19-db@' not found in Kerberos database.
> Unable to create GSSAPI-encrypted LDAP connection.
> Aug  7 12:52:56 ovm-c19-db [sssd[ldap_child[2010]]]: Client not found
> in Kerberos database
> 
> 
> I'm pretty new at Kerberos, so am unsure exactly what this might mean.
> 

Kerberos depends on proper name resolution. If a hostname cannot be
resolved you cannot acquire tickets for it.
So if your host ovm-c19-db does not have a DNS entry (either using IPA's
DNS server or an external DNS server) you can't get tickets.
also name resolution generally must match the hostname as that is what
is used to register a client into ipa.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] Multiple hostnames

2012-08-07 Thread Simo Sorce
On Tue, 2012-08-07 at 14:56 -0500, KodaK wrote:
> I suspect I'm SOL on this one, but I'd like confirmation.
> 
> We have two servers in an HA cluster:
> 
> source:
> 
> sla710ph1.unix.magellanhealth.com
> 
> target:
> 
> slahat01.unix.magellanhealth.com
> 
> and a service name of:
> 
> sla710ph.unix.magellanhealth.com
> 
> The service name will float between the HA source and target.
> 
> The DBAs tell me that in order for Oracle to work, the hostname has to
> return the service name.
> 
> There's absolutely no way to do this and remain kerberized, right?  I
> can't have two servers (with two different IP addresses) be "the same"
> in IPA, right?


Not sure what 'source' and 'target' mean; I guess they are the names of
2 peers in an active/passive HA solution?

There are ways to deal with that.
A simple way is to share the same keytab using the "common" name for the
fqdn part of the service (means you have to copy and keep the keytab in
sync whenever you reconfigure it).
Of course the service must be able to be configured to pass a specific
name (not use the hostname) or, even better not specify *any* name, and
let gssapi check if any key is able to decrypt the incoming ticket
ignoring the service name entirely.

Other ways entail using a CNAME for the "common" name and have DNS
switch it from one to the other 'hard' name. In that case clients will
resolve the CNAME and then acquire a ticket for the correct target host.
However, name caching and TTL issues may make failing over this way less
desirable.

The CNAME trick works better for load balancing (using DNS round robin)
in active/active solutions.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York


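An added example, not from the thread or from FreeIPA, modelling the two approaches in the reply above: which principal a client asks for when it connects to the floating service name, and whether the node currently holding the service can decrypt that ticket. The realm UNIX.MAGELLANHEALTH.COM, the HTTP service, the keytab contents and the DNS data are assumptions made for the example; the GSSAPI acceptor is modelled, not called. It shows why the shared-keytab approach needs the acceptor to run without a fixed name, and why a stale CNAME after failover fails until its TTL expires.

```python
"""Model ticket principal selection and keytab matching for an HA pair.
All names, keys and DNS data are constructed for this example."""

REALM = 'UNIX.MAGELLANHEALTH.COM'          # assumed realm for the example
NODE_A = 'sla710ph1.unix.magellanhealth.com'
NODE_B = 'slahat01.unix.magellanhealth.com'
COMMON = 'sla710ph.unix.magellanhealth.com'  # the floating service name


def canonical_name(name, cnames, max_hops=8):
    """Follow CNAMEs as a client with dns_canonicalize_hostname = true does
    before it builds the service principal. `cnames` maps alias -> target;
    a name with no entry is treated as a plain A record."""
    name = name.lower().rstrip('.')
    for _ in range(max_hops):
        if name not in cnames:
            return name
        name = cnames[name].lower().rstrip('.')
    raise ValueError('CNAME chain too long starting at %r' % name)


def requested_principal(service, name, cnames):
    """Principal the client requests a ticket for."""
    return '%s/%s@%s' % (service, canonical_name(name, cnames), REALM)


def acceptor_accepts(keytab, ticket_principal, acceptor_name=None):
    """A server that names its acceptor principal only decrypts tickets for
    that name; one that leaves it unset (GSS_C_NO_NAME) tries every key in
    its keytab, so any principal present there is accepted."""
    if acceptor_name is None:
        return ticket_principal in keytab
    return ticket_principal == acceptor_name and acceptor_name in keytab


def host_keytab(fqdn, extra=()):
    """Keys a node holds: its own host key plus any extra service keys."""
    return {'host/%s@%s' % (fqdn, REALM)} | set(extra)


# Approach 1: one HTTP key for the common name, copied to both nodes, and
# an A record (not a CNAME) for the common name.
SHARED_KEY = 'HTTP/%s@%s' % (COMMON, REALM)
KEYTABS_SHARED = {NODE_A: host_keytab(NODE_A, [SHARED_KEY]),
                  NODE_B: host_keytab(NODE_B, [SHARED_KEY])}


def shared_keytab_outcome(active_node, acceptor_named_after_host):
    """Does the active node accept a client ticket for the common name?"""
    ticket = requested_principal('HTTP', COMMON, cnames={})
    name = ('HTTP/%s@%s' % (active_node, REALM)
            if acceptor_named_after_host else None)
    return acceptor_accepts(KEYTABS_SHARED[active_node], ticket, name)


# Approach 2: each node has a key only for its own name; the common name
# is a CNAME that DNS repoints at the active node on failover.
KEYTABS_CNAME = {NODE_A: host_keytab(NODE_A, ['HTTP/%s@%s' % (NODE_A, REALM)]),
                 NODE_B: host_keytab(NODE_B, ['HTTP/%s@%s' % (NODE_B, REALM)])}


def cname_outcome(active_node, client_cached_target):
    """The client resolves the CNAME from its own cache, which after a
    failover may still name the old node until the TTL expires."""
    ticket = requested_principal('HTTP', COMMON,
                                 cnames={COMMON: client_cached_target})
    return acceptor_accepts(KEYTABS_CNAME[active_node], ticket)


if __name__ == '__main__':
    print('shared keytab, unnamed acceptor on B:',
          shared_keytab_outcome(NODE_B, acceptor_named_after_host=False))
    print('shared keytab, acceptor named after host on B:',
          shared_keytab_outcome(NODE_B, acceptor_named_after_host=True))
    print('CNAME, client still cached on A, B active:',
          cname_outcome(NODE_B, client_cached_target=NODE_A))
```

In practice the shared-keytab variant means creating the service for the common name once (`ipa service-add HTTP/sla710ph...`), fetching its keytab once and copying the file to both nodes; re-fetching it on one node re-keys the principal and silently breaks the copy on the other, which is the "keep the keytab in sync" caveat above.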

Re: [Freeipa-users] cross domain trust between two IPA servers

2012-08-07 Thread Simo Sorce
On Tue, 2012-08-07 at 16:36 +0100, Johnathan Phan wrote:
> Hi Simo,
> 
> This document here implies that this does it.
> 
> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Smart_Cards/Setting_Up_Cross_Realm_Authentication.html#basic-trust

This document does not apply to Identity Management (FreeIPA in RHEL
speak); it is for a classic Kerberos KDC.
However, it is a reasonable guide to experiment with trusts.

> However during testing it does not behave as expected.
> 
> Do you have any documentation on how SSSD can be configured so that
> when logging in on a server in a.example.com with a users that exists
> in the IPA server responsible for domain b.example.com can happen.
> Only based on the rights the group has in b.example.com.
> 
> any reference material on how that could work will help me a long way.

You should look into the fact SSSD can be defined to have multiple
domains.

This means, though, that the 'receiving' machines need to be configured
for both realms.

This is one of the gotchas, given the current lack of actual
integration; moving forward, when we have official integration, manual
configuration of a separate SSSD domain will not be necessary and group
memberships will work better.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] cross domain trust between two IPA servers

2012-08-07 Thread Simo Sorce
On Tue, 2012-08-07 at 14:54 +0100, Johnathan Phan wrote:
> Hi everyone,
> 
> Is it possible to create a cross domain trust between two IPA servers?
> I would have thought FreeIPA would have dealt with this use case first
> rather than jump directly into integrating with AD.

Not yet; the reason we dealt with AD first is that there were more
requests for that use case.


> The reason for this is because you're more likely to have satellite
> sites of Redhat servers you want to manage.
> 
> Example of this is shown below.
> 
> You require user details to be separated for two separate
> organizations that merge together. In the interim period or
> permanently you may want members data to be stored in the two separate
> Realms for either legal reasons or for company structure reasons
> (Management). As you do this quite frequently with Microsoft AD
> environments when corporations merge or buy one another out. Or a
> parent company buys a smaller company but wants to hook the two systems
> together without merging them completely to keep the companies'
> identity and major operations separate.
> 
> Is there anyway to do this with two IPA servers?

We are planning to add FreeIPA<->FreeIPA trusts in due course, and a
kerberos level trust between 2 IPA servers can be done with some manual
work, but there are some details when it comes to providing identity to
the other domain that are missing. (Although SSSD can be configured
easily enough to use 2 separate FreeIPA domains if really needed).

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] whats the recommended way to change OU structures in IPA?

2012-08-06 Thread Simo Sorce
On Mon, 2012-08-06 at 16:07 +0100, Dale Macartney wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
> 
> Afternoon all
> 
> Although I can use any ldapmodify capable tool to do this, I was
> wondering what the "recommended" way that we should be telling customers
> who want to change OU trees?

None, FreeIPA does not support non-flat trees at the moment, sorry.

> e.g, say in a high school using IPA, they wished to create a parent OU
> called cn=school accounts,dc=example,dc=com and inside that OU there are
> two more OU's. One for staff and one for students?
> 
> Presumably this is not possible through the webUI.

It is not possible through any UI at the moment.

We recommend you use groups to create organizational groups.
You could use DS views [1] to then show them as trees in theory, but we
haven't any official guide on that for FreeIPA yet.

> Also what are the implications if I move a user that was created with
> "ipa user-add" into a non-default OU? will it break anything? Whats the
> best way to move an existing user into one of the above OU's?
> 
> Any thoughts?

WebUI and CLI tool will not behave properly if you try to change the
DIT.

Simo.

[1]
https://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Deployment_Guide/Designing_the_Directory_Tree.html#Designing_the_Directory_Tree-Virtual_Directory_Information_Tree_Views

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] Re-run install script?

2012-08-02 Thread Simo Sorce

On Thu, 2012-08-02 at 08:22 -0700, Kline, Sara wrote:
> Copied from below:
>  I get the same error if I try to use ipa host-del although again this works 
> fine for other entries.
> 
> I have tried everything that the documentation suggested to try and have 
> searched Google pretty extensively. I am not finding a way to clear this 
> error, and I am not finding anyone else who has this particular error either.
> People taking systems down without notifying us happens more frequently than 
> I care to admit so this could potentially come up in our production 
> environment. I just want to make sure that there is a way to remove the 
> entries...by force if necessary. Or if I need to do a manual configuration to 
> get it to work then I will do that. Just need some guidance on if there is a 
> tool that will remove the bad entry or if it will just be a manual setup now.

Can you see if there is any error in the https error log on the ipa
server related to this error when running ipa host-del ?

Simo.


-- 
Simo Sorce * Red Hat, Inc * New York


