Re: [Freeipa-users] Windows client logon
On Mon, 2011-09-19 at 10:58 -0400, Jimmy wrote:
> I think you're on to something here. I just reset the user's password on IPA and get the password expired message but I get that regardless of what I enter for the user's password. I'm confused as to why I can make the user auth work with a normal KDC but I'm having so much trouble with IPA-KDC. Going to wipe the Win7 config and start fresh on that system.

Not sure what you are having trouble with, the KDC component of IPA is a stock MIT KDC with LDAP backend.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Windows client logon
I wonder if changing the defaults to exclude the use of AES would help in your case. Not ideal, but apparently something funny is going on there.

Simo.

On Mon, 2011-09-19 at 15:53 -0400, Jimmy wrote:
> I have a WinXP client configured to authenticate now but it looks like FreeIPA is sending the ticket encrypted with AES and XP does not support AES. The user is getting authenticated, just not able to decrypt the ticket.
>
> Sep 19 19:50:36 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 192.168.201.150: NEEDED_PREAUTH: o...@pdh.csp for krbtgt/pdh@pdh.csp, Additional pre-authentication required
> Sep 19 19:50:36 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (1 etypes {23}) 192.168.201.150: ISSUE: authtime 1316461836, etypes {rep=23 tkt=18 ses=23}, o...@pdh.csp for krbtgt/pdh@pdh.csp
> Sep 19 19:50:37 csp-idm.pdh.csp krb5kdc[1246](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 192.168.201.150: ISSUE: authtime 1316461836, etypes {rep=23 tkt=18 ses=23}, o...@pdh.csp for host/crm1.pdh@pdh.csp
>
> On Mon, Sep 19, 2011 at 1:32 PM, Simo Sorce s...@redhat.com wrote:
>> On Mon, 2011-09-19 at 13:05 -0400, Jimmy wrote:
>>> Once I changed the password for 'admin' I now get this error on the windows system: "Insufficient system resources exist to complete the requested service" and get this in the log no matter if I use the correct (changed) password or if I use a known bad password:
>>>
>>> Sep 19 17:01:19 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.201.9: NEEDED_PREAUTH: ad...@pdh.csp for krbtgt/pdh@pdh.csp, Additional pre-authentication required
>>>
>>> I even deleted the user and all associated profile information on the windows system and still it won't work any more.
>>
>> Ok somehow we generate a key the windows client doesn't like or know how to work with. While MIT's clients are just fine with.
>> The way we generate keys is by setting a special random seed that is handed back to the client when the preauth error is generated, perhaps Windows is not liking what it sees ?
>>
>> Any chance you can try with an older client, I wonder if it is a regression in win7 ?
>>
>> Simo.
>>
>> --
>> Simo Sorce * Red Hat, Inc * New York

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Windows client logon
What error exactly do you get on the client side ?

Simo.

On Mon, 2011-09-19 at 15:53 -0400, Jimmy wrote:
> I have a WinXP client configured to authenticate now but it looks like FreeIPA is sending the ticket encrypted with AES and XP does not support AES. The user is getting authenticated, just not able to decrypt the ticket.
>
> Sep 19 19:50:36 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 192.168.201.150: NEEDED_PREAUTH: o...@pdh.csp for krbtgt/pdh@pdh.csp, Additional pre-authentication required
> Sep 19 19:50:36 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (1 etypes {23}) 192.168.201.150: ISSUE: authtime 1316461836, etypes {rep=23 tkt=18 ses=23}, o...@pdh.csp for krbtgt/pdh@pdh.csp
> Sep 19 19:50:37 csp-idm.pdh.csp krb5kdc[1246](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 192.168.201.150: ISSUE: authtime 1316461836, etypes {rep=23 tkt=18 ses=23}, o...@pdh.csp for host/crm1.pdh@pdh.csp
>
> On Mon, Sep 19, 2011 at 1:32 PM, Simo Sorce s...@redhat.com wrote:
>> On Mon, 2011-09-19 at 13:05 -0400, Jimmy wrote:
>>> Once I changed the password for 'admin' I now get this error on the windows system: "Insufficient system resources exist to complete the requested service" and get this in the log no matter if I use the correct (changed) password or if I use a known bad password:
>>>
>>> Sep 19 17:01:19 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.201.9: NEEDED_PREAUTH: ad...@pdh.csp for krbtgt/pdh@pdh.csp, Additional pre-authentication required
>>>
>>> I even deleted the user and all associated profile information on the windows system and still it won't work any more.
>>
>> Ok somehow we generate a key the windows client doesn't like or know how to work with. While MIT's clients are just fine with.
>> The way we generate keys is by setting a special random seed that is handed back to the client when the preauth error is generated, perhaps Windows is not liking what it sees ?
>>
>> Any chance you can try with an older client, I wonder if it is a regression in win7 ?
>>
>> Simo.
>>
>> --
>> Simo Sorce * Red Hat, Inc * New York

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Windows client logon
Ah stupid me,

When using Windows XP you must generate a keytab that does not use the AES enctype. If you include the AES enctype when generating keys for the host, you are telling the KDC that the host knows how to use AES.

You should probably just use arcfour only for WinXP as that client only understands RC4 and DES, and DES is not worth using.

Simo.

On Mon, 2011-09-19 at 15:53 -0400, Jimmy wrote:
> I have a WinXP client configured to authenticate now but it looks like FreeIPA is sending the ticket encrypted with AES and XP does not support AES. The user is getting authenticated, just not able to decrypt the ticket.
>
> Sep 19 19:50:36 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 192.168.201.150: NEEDED_PREAUTH: o...@pdh.csp for krbtgt/pdh@pdh.csp, Additional pre-authentication required
> Sep 19 19:50:36 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (1 etypes {23}) 192.168.201.150: ISSUE: authtime 1316461836, etypes {rep=23 tkt=18 ses=23}, o...@pdh.csp for krbtgt/pdh@pdh.csp
> Sep 19 19:50:37 csp-idm.pdh.csp krb5kdc[1246](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 192.168.201.150: ISSUE: authtime 1316461836, etypes {rep=23 tkt=18 ses=23}, o...@pdh.csp for host/crm1.pdh@pdh.csp
>
> On Mon, Sep 19, 2011 at 1:32 PM, Simo Sorce s...@redhat.com wrote:
>> On Mon, 2011-09-19 at 13:05 -0400, Jimmy wrote:
>>> Once I changed the password for 'admin' I now get this error on the windows system: "Insufficient system resources exist to complete the requested service" and get this in the log no matter if I use the correct (changed) password or if I use a known bad password:
>>>
>>> Sep 19 17:01:19 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.201.9: NEEDED_PREAUTH: ad...@pdh.csp for krbtgt/pdh@pdh.csp, Additional pre-authentication required
>>>
>>> I even deleted the user and all associated profile information on the windows system and still it won't work any more.
>>
>> Ok somehow we generate a key the windows client doesn't like or know how to work with. While MIT's clients are just fine with.
>> The way we generate keys is by setting a special random seed that is handed back to the client when the preauth error is generated, perhaps Windows is not liking what it sees ?
>>
>> Any chance you can try with an older client, I wonder if it is a regression in win7 ?
>>
>> Simo.
>>
>> --
>> Simo Sorce * Red Hat, Inc * New York

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Windows client logon
On Mon, 2011-09-19 at 16:17 -0400, Jimmy wrote:
> According to this: http://mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-admin/Supported-Encryption-Types.html there are a ton of encryption options that XP does support, but I always get this error if I define anything specific in the keytab:

I know for a fact that stock WinXP supports only RC4 and DES, no 3DES nor AES support there. If you create the host keytab with only RC4 you should be able to make WinXP happy.

> Sep 19 20:09:30 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 192.168.201.150: NEEDED_PREAUTH: o...@pdh.csp for krbtgt/pdh@pdh.csp, Additional pre-authentication required
> Sep 19 20:09:30 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (1 etypes {23}) 192.168.201.150: ISSUE: authtime 1316462970, etypes {rep=23 tkt=18 ses=23}, o...@pdh.csp for krbtgt/pdh@pdh.csp
> Sep 19 20:09:31 csp-idm.pdh.csp krb5kdc[1246](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 192.168.201.150: BAD_ENCRYPTION_TYPE: authtime 0, o...@pdh.csp for host/crm1.pdh@pdh.csp, KDC has no support for encryption type
>
> There is a fix for Win7. I have a technet article I will post the link as soon as I can.

Yes please let me know the link, I will try to investigate any Win7/W2K8 issues with AES and random salts asap, but not this week probably.

> I had the Win7 system working with the freeipa 'admin' user before I changed the admin user password, now it's broken. The MIT KFW client can authenticate and get a ticket, but I need to get the native windows authentication working.

Understood. If AES is the issue, you could reconfigure FreeIPA to not allow AES, not ideal, but it would be the fastest solution. Although it will probably require also to change all passwords.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Add user - custom script
On Fri, 2011-09-16 at 11:29 +0300, Alexander Bokovoy wrote:
> On Fri, 16 Sep 2011, Dmitri Pal wrote:
>> On 09/15/2011 04:14 PM, Sigbjorn Lie wrote:
>>> On 09/15/2011 09:59 PM, Dmitri Pal wrote:
>>>> On 09/15/2011 03:45 PM, Sigbjorn Lie wrote:
>>>>> Hi,
>>>>>
>>>>> Is there a custom script hook for when a user account is added using either the cli, webui, or the winsync module? I have a custom script I run when creating a user account, and having this run automatically by IPA would make my life a lot easier.
>>>>
>>>> Can you describe what kind of operations you need to do? Have you looked at the automembership plugin?
>>>
>>> I'm doing a SSH login on to a filer, creating a home folder ZFS dataset for the new user, setting quota and ACL on the newly created dataset, and adding files from a skeleton folder into the home folder.
>>
>> It might be a stupid question but... you seem to do all the operations described above on the filer. I am not quite clear what part of it, if any, needs to be run on the server side, I mean on the IPA. Or you actually want to be able to create an account on the server side and make it trapped and send the event to the filer and run a script there? We can't do it now. AFAIR there was a ticket about something like this in the deferred bucket... Could not find it... But I remember a discussion. We might need to file a ticket to track this but it sounds like something that will take a lot of time to accomplish.
>
> The attached untested patch is a proof of concept. If /etc/ipa/server.conf has the following setting:
>
> ipa_user_script=/path/to/script
>
> then during add/delete/modify of a user, it will be called with add/del/mod as first parameter and the user's dn as second. The result of the call is ignored, but the return from the IPA server is blocked by the execution, so be quick in ipa_user_script!

As a proof of concept sounds nice, but as is this would be bad, as changes to /etc/ipa/server.conf are not replicated through all masters. So a change on one server would require manual synchronization to all others, or users created from one server will trigger something while users created through another will trigger something else.

Also the issue is that this script is run as the apache user, so you'd have to give that user access as root (passwordless private ssh key ? brrr).

For things like this I think we should provide a more sophisticated mechanism in many ways, maybe we should discuss on freeipa-devel.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Windows client logon
On Fri, 2011-09-16 at 09:31 -0400, Jimmy wrote:
> ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -k krb5.keytab -P
> [entering into the main keytab /etc/krb5.keytab]
>
> ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -k krb5.keytab.sys1 -P
> [entering into a new keytab krb5.keytab.sys1]
>
> ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e aes256-cts-hmac-sha1-96 -k krb5.keytab -P
> ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e aes128-cts-hmac-sha1-96 -k krb5.keytab -P
> ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e aes256-cts-hmac-sha1-96 -k krb5.keytab.sys1 -P
> ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e aes128-cts-hmac-sha1-96 -k krb5.keytab.sys1 -P

This is not how it works. You must define all types in one single go. Every time you invoke ipa-getkeytab for a principal you are discarding any previous key in the KDC, and only the last one is available.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Debian clients?
On Fri, 2011-09-16 at 15:19 +, Johan Sunnerstig wrote:
> Hello.
>
> I'm wondering if anyone has used FreeIPA with Debian clients, and if so, what client software you opted to use? Right now I have nss-pam-ldapd (http://arthurdejong.org/nss-pam-ldapd/) and the MIT-based krb software that's included in Debian 6 working decently. By that I mean I can use it to allow logins as expected, but so far I haven't worked out allowing or disallowing login based on group membership.
>
> Obviously the best solution would be a real IPA client, but has anyone attempted this? I mucked around a bit with the SSSD included in the Debian repos (1.2.1) but didn't get it to work. Though in all fairness I didn't try THAT hard since it seems like SSSD has evolved quite a bit since 1.2.1. Is the SSSD route worthwhile?

SSSD is certainly the preferred client as it has many, many useful features others lack, including simplified configuration in an ipa-specific backend. But 1.2.1 is too old.

> I really just need group based logins, sudo controls I can handle based on groups with Puppet, but again, if the real client route isn't too much work that's of course preferable.
>
> I hope this makes sense, late friday and I have a horrible headache, so if it doesn't I apologize in advance. :)

There is some work being done to make ipa-client-install more cross-platform, and we also have some contrib scripts, but we do not have a complete ipa-client-install script for debian based distributions yet. So you'll have to manually (or script) configure all components for now.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Windows client logon
On Fri, 2011-09-16 at 17:24 -0400, Jimmy wrote:
> This was installed using yum. I need to be able to authenticate users against Kerberos from a Windows client machine and it fails at login saying the username/password is incorrect. The krb5kdc.log shows:
>
> Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.201.9: NEEDED_PREAUTH: o...@pdh.csp for krbtgt/pdh@pdh.csp, Additional pre-authentication required
> Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): preauth (timestamp) verify failure: Decrypt integrity check failed
> Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.201.9: PREAUTH_FAILED: o...@pdh.csp for krbtgt/pdh@pdh.csp, Decrypt integrity check failed
> Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): preauth (timestamp) verify failure: Decrypt integrity check failed
> Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.201.9: PREAUTH_FAILED: o...@pdh.csp for krbtgt/pdh@pdh.csp, Decrypt integrity check failed

These logs say that either the password is wrong, or the clock on your windows client is way off (more than 5 min. skew) wrt the ipa server.

> I know the user's password I'm using is correct because I can kinit with that username/password on the IPA server. I used the ipa-getkeytab to set the machine password, but I'm not sure that it's doing what I would normally do in a stand alone MIT Kerberos server using kadmin. Using ksetup on the windows7 client I can reconfigure for a couple different realms and authentication works just fine, but I'm missing something on the IPA config that would allow the same authentication.

The reason to have a password (windows) or a keytab (unix) for the machine is to be able to validate the account against a possible rogue KDC+attacker at login prompt pair. But you are not even getting to the validation step as you are failing to get a TGT for the user in the first place.

If the user password is right and your Freeipa REALM name is indeed PDH.CSP then it is probably clock skew.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
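Two of the krb5kdc.log symptoms discussed in these threads can be picked out of the log mechanically: a ticket for a Windows XP host issued with an AES enctype (tkt=18) the host cannot decrypt, or the follow-on BAD_ENCRYPTION_TYPE once the keytab was regenerated without a common type, and bursts of PREAUTH_FAILED with "Decrypt integrity check failed", which Simo reads as a wrong password or a client clock more than five minutes off the KDC. The Python script below is an added example, not code from the list or from FreeIPA. The log lines in it are constructed to match the format quoted above; the hostnames, realm and addresses are placeholders, and the per-host enctype table (Windows XP: RC4 and DES only) is an assumption taken from Simo's statement.

```python
import re
from collections import defaultdict

# Kerberos enctype numbers from the IANA Kerberos Encryption Type registry.
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac", 24: "arcfour-hmac-exp",
}

# Assumption taken from the thread: a stock Windows XP host handles RC4 and DES only.
WINXP_ENCTYPES = {23, 24, 3, 1}

# One AS_REQ/TGS_REQ line in the format krb5kdc writes; the tail after the
# status code differs per status, so those parts are optional groups.
KDC_LINE = re.compile(
    r"krb5kdc\[\d+\]\(info\): (?P<kind>AS_REQ|TGS_REQ) "
    r"\(\d+ etypes \{(?P<offered>[^}]*)\}\) (?P<client>\S+): (?P<status>\w+): "
    r"(?:authtime \d+, )?"
    r"(?:etypes \{rep=(?P<rep>\d+) tkt=(?P<tkt>\d+) ses=(?P<ses>\d+)\}, )?"
    r"(?P<cname>[^\s,]+) for (?P<sname>[^\s,]+)(?:, (?P<reason>.*?))?\s*$"
)


def enctype_name(number):
    return ENCTYPE_NAMES.get(number, f"enctype {number}")


def parse_kdc_line(line):
    """Return the fields of one AS_REQ/TGS_REQ line, or None for any other line."""
    match = KDC_LINE.search(line)
    if not match:
        return None
    rec = match.groupdict()
    # Enctypes the client offered; negative numbers are Windows-private types.
    rec["offered"] = {int(x) for x in rec["offered"].split()}
    for key in ("rep", "tkt", "ses"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec


def service_host(sname):
    """host/winxp1.example.com@REALM -> winxp1.example.com; None for other services."""
    if sname.startswith("host/"):
        return sname[len("host/"):].split("@", 1)[0]
    return None


def audit_kdc_log(log_text, host_enctypes, preauth_threshold=2):
    """Flag tickets a host cannot decrypt, failed enctype negotiation and
    repeated pre-authentication failures. host_enctypes maps a hostname to
    the enctypes that host supports (what its keytab should be generated with)."""
    findings = []
    preauth_failures = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_kdc_line(line)
        if rec is None:
            continue
        status = rec["status"]
        if status == "BAD_ENCRYPTION_TYPE":
            findings.append(
                f"{rec['kind']} from {rec['client']} for {rec['sname']}: no enctype in common "
                f"between client offer {sorted(rec['offered'])} and the keys the KDC holds"
            )
        elif status == "PREAUTH_FAILED" and "Decrypt integrity check failed" in (rec["reason"] or ""):
            preauth_failures[(rec["client"], rec["cname"])] += 1
        elif status == "ISSUE":
            host = service_host(rec["sname"])
            supported = host_enctypes.get(host)
            if supported is not None and rec["tkt"] not in supported:
                findings.append(
                    f"ticket for {rec['sname']} issued with tkt={enctype_name(rec['tkt'])}, "
                    f"which {host} cannot use; regenerate its keytab in one ipa-getkeytab run "
                    f"with only: {', '.join(enctype_name(e) for e in sorted(supported))}"
                )
            # Reply and session keys are for the requesting client, so they
            # must be among the enctypes it offered.
            for part in ("rep", "ses"):
                if rec[part] not in rec["offered"]:
                    findings.append(
                        f"{rec['kind']} for {rec['cname']}: {part}={enctype_name(rec[part])} "
                        f"was not in the client's offered etypes"
                    )
    for (client, cname), count in sorted(preauth_failures.items()):
        if count >= preauth_threshold:
            findings.append(
                f"{count} PREAUTH_FAILED from {client} for {cname} (Decrypt integrity check "
                f"failed): wrong password, or client clock more than 5 minutes off from the KDC"
            )
    return findings


# Constructed sample in the format of the krb5kdc.log excerpts quoted in the
# threads; hostnames, realm and addresses are placeholders.
SAMPLE_LOG = """\
Sep 16 20:53:32 idm.example.com krb5kdc[1227](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.0.2.9: NEEDED_PREAUTH: user1@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Sep 16 20:53:32 idm.example.com krb5kdc[1227](info): preauth (timestamp) verify failure: Decrypt integrity check failed
Sep 16 20:53:32 idm.example.com krb5kdc[1227](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.0.2.9: PREAUTH_FAILED: user1@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Decrypt integrity check failed
Sep 16 20:53:32 idm.example.com krb5kdc[1227](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.0.2.9: PREAUTH_FAILED: user1@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Decrypt integrity check failed
Sep 19 19:50:36 idm.example.com krb5kdc[1246](info): AS_REQ (1 etypes {23}) 192.0.2.150: ISSUE: authtime 1316461836, etypes {rep=23 tkt=18 ses=23}, user1@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Sep 19 19:50:37 idm.example.com krb5kdc[1246](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 192.0.2.150: ISSUE: authtime 1316461836, etypes {rep=23 tkt=18 ses=23}, user1@EXAMPLE.COM for host/winxp1.example.com@EXAMPLE.COM
Sep 19 20:09:31 idm.example.com krb5kdc[1246](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 192.0.2.150: BAD_ENCRYPTION_TYPE: authtime 0, user1@EXAMPLE.COM for host/winxp1.example.com@EXAMPLE.COM, KDC has no support for encryption type
"""

if __name__ == "__main__":
    for finding in audit_kdc_log(SAMPLE_LOG, {"winxp1.example.com": WINXP_ENCTYPES}):
        print(finding)
```

On a real server the same call runs over the contents of /var/log/krb5kdc.log with a table of the hosts whose platforms cannot use AES. Note that a tkt=18 on the krbtgt ticket is not flagged: the client never decrypts its own TGT, only the KDC does, so that enctype belongs to the KDC's key. The fix for a flagged host is the one Simo gives in the ipa-getkeytab thread: regenerate the host keytab once, passing every enctype the host supports in a single -e list, because each ipa-getkeytab run replaces the principal's keys in the KDC and only the last set survives.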
Re: [Freeipa-users] Windows client logon
On Thu, 2011-09-15 at 17:51 -0400, Jimmy wrote:
> I'm still working on this... I was reading this post in the archives: http://www.mail-archive.com/freeipa-users@redhat.com/msg02049.html
>
> Dmitri's statement "There might be some MIT documentation about how to join a Windows machine to MIT KDC. If this can be done I am sure the same can be done with IPA." should be true, but for the windows system to use authentication I have to be able to set the host password in Kerberos. There doesn't seem to be a way to do that in the FreeIPA interface. I would normally do that in kadmin if working directly in kerberos, but that's not possible either. *IS* there a way to set the host password so that machines can provide user authentication for a windows client?

Use ipa-getkeytab with the -P option to specify a 'password' to use to generate the keys instead of letting it generate a random password.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Multi-tenancy and Freeipa
On Wed, 2011-09-14 at 11:36 -0400, Dmitri Pal wrote:
> Can Freeipa accommodate a multi-tenant environment? i.e. I work for a managed service provider that currently uses LDAP for authentication for both our users and our customer's users. But Customer A cannot see Customer B's data due to access control on our directory. Each customer has at least one LDAP service account in their container in the tree that can only view that customer's container and my company container.

At the moment we do not have the ability to move accounts into sub containers. It is a feature we may want to implement in future, but we kept the tree intentionally flat to avoid misuse we've seen as quite common in products like AD.

> Would we have to do something like create realms for each customer? Then configure trusts from customer realm to ours?
>
> EXAMPLE.COM - our realm
> CUSTOMERA.EXAMPLE.COM - customer a realm
> ... so on

This may work once ipa v3 is out. Building multiple realms (in multiple servers/VMs) is possible but trust relationship management is not fully baked in yet.

> What about data within the directory? Currently our DIT is like:
>
> o=MyCompany,dc=example,dc=com
> o=CustomerA,dc=example,dc=com

If you create multiple realms you'll have to do it with multiple servers with current IPA.

> Would separating by realms automatically divide that up? Would Customer A be able to see any Customer B users using multiple realms alone, or would we have to take additional precautions?

In general ACIs can be used to limit who sees what. It may be possible to use the current flat view on the server and constrain access to specific users/groups using a bit of custom schema in order to label entries, and custom ACIs. Of course you would want to turn off anonymous access to the directory and encrypt all traffic with SSL or GSSAPI at that point.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Multi-tenancy and Freeipa
On Wed, 2011-09-14 at 15:08 -0400, Simo Sorce wrote:
> On Wed, 2011-09-14 at 11:36 -0400, Dmitri Pal wrote:
>> Can Freeipa accommodate a multi-tenant environment? i.e. I work for a managed service provider that currently uses LDAP for authentication for both our users and our customer's users. But Customer A cannot see Customer B's data due to access control on our directory. Each customer has at least one LDAP service account in their container in the tree that can only view that customer's container and my company container.
>
> At the moment we do not have the ability to move accounts into sub containers. It is a feature we may want to implement in future, but we kept the tree intentionally flat to avoid misuse we've seen as quite common in products like AD.
>
>> Would we have to do something like create realms for each customer? Then configure trusts from customer realm to ours?
>>
>> EXAMPLE.COM - our realm
>> CUSTOMERA.EXAMPLE.COM - customer a realm
>> ... so on
>
> This may work once ipa v3 is out. Building multiple realms (in multiple servers/VMs) is possible but trust relationship management is not fully baked in yet.
>
>> What about data within the directory? Currently our DIT is like:
>>
>> o=MyCompany,dc=example,dc=com
>> o=CustomerA,dc=example,dc=com
>
> If you create multiple realms you'll have to do it with multiple servers with current IPA.
>
>> Would separating by realms automatically divide that up? Would Customer A be able to see any Customer B users using multiple realms alone, or would we have to take additional precautions?
>
> In general ACIs can be used to limit who sees what. It may be possible to use the current flat view on the server and constrain access to specific users/groups using a bit of custom schema in order to label entries, and custom ACIs. Of course you would want to turn off anonymous access to the directory and encrypt all traffic with SSL or GSSAPI at that point.

Replying to myself, custom schema may not be necessary. It may be possible to use just ACIs and non-posix groups together w/o adding additional schema, that would make the problem simpler, although ACIs need to be built carefully not to cripple the admins' view.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Multi-tenancy and Freeipa
On Wed, 2011-09-14 at 15:19 -0400, Rob Crittenden wrote:
> Simo Sorce wrote:
>> On Wed, 2011-09-14 at 15:08 -0400, Simo Sorce wrote:
>>> On Wed, 2011-09-14 at 11:36 -0400, Dmitri Pal wrote:
>>>> Can Freeipa accommodate a multi-tenant environment? i.e. I work for a managed service provider that currently uses LDAP for authentication for both our users and our customer's users. But Customer A cannot see Customer B's data due to access control on our directory. Each customer has at least one LDAP service account in their container in the tree that can only view that customer's container and my company container.
>>>
>>> At the moment we do not have the ability to move accounts into sub containers. It is a feature we may want to implement in future, but we kept the tree intentionally flat to avoid misuse we've seen as quite common in products like AD.
>>>
>>>> Would we have to do something like create realms for each customer? Then configure trusts from customer realm to ours?
>>>>
>>>> EXAMPLE.COM - our realm
>>>> CUSTOMERA.EXAMPLE.COM - customer a realm
>>>> ... so on
>>>
>>> This may work once ipa v3 is out. Building multiple realms (in multiple servers/VMs) is possible but trust relationship management is not fully baked in yet.
>>>
>>>> What about data within the directory? Currently our DIT is like:
>>>>
>>>> o=MyCompany,dc=example,dc=com
>>>> o=CustomerA,dc=example,dc=com
>>>
>>> If you create multiple realms you'll have to do it with multiple servers with current IPA.
>>>
>>>> Would separating by realms automatically divide that up? Would Customer A be able to see any Customer B users using multiple realms alone, or would we have to take additional precautions?
>>>
>>> In general ACIs can be used to limit who sees what. It may be possible to use the current flat view on the server and constrain access to specific users/groups using a bit of custom schema in order to label entries, and custom ACIs. Of course you would want to turn off anonymous access to the directory and encrypt all traffic with SSL or GSSAPI at that point.
>>
>> Replying to myself, custom schema may not be necessary. It may be possible to use just ACIs and non-posix groups together w/o adding additional schema, that would make the problem simpler, although ACIs need to be built carefully not to cripple the admins' view.
>>
>> Simo.
>
> The management framework only supports a single realm as well, even if you could manage to insert the data.

The ACIs solution would work with a single-realm model ... except that it also means each customer needs to do very careful access control when using kerberos for now, as we do not have a way to constrain which users can get tickets for which services in the same REALM.

This is something we want to introduce in v3.0 anyways for various reasons. So going forward, segmentation of users should become simpler.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] backup and upgrade/transition to new versions
On Mon, 2011-09-12 at 10:57 -0700, Stephen Ingram wrote:
> I've seen mentioned on this list before that it is better to just image the entire system as a backup rather than actually try to figure out where the specific files are that relate to the various components of IPA. What I'm wondering is what if you want to upgrade the distribution say from Fedora 15 to 16. How would this work as related to a production IPA install? I also know that some of our installations that begin on Fedora would end up on Redhat so that customers could take advantage of support. Is there any mechanism by which these upgrades could work?

I would suggest that the best way to deal with changing radically the underlying OS is to make a replica on a new machine and then get rid of the old one if possible. If multiple replicas are already available I would just wipe out the machine, re-install, then replicate again. Just pay attention to backup things that may be only on the first master (for example the CA if you used selfsign).

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] krb5kdc process at 100%
On Fri, 2011-09-09 at 19:28 -0400, Dmitri Pal wrote:
> On 09/09/2011 03:14 PM, Smith, Martin R. [smma0...@stcloudstate.edu] wrote:
>> I have linked a zip of the whole directory from abrt. After typing abrt-cli -l it outputted:
>>
>> - Directory: /var/spool/abrt/ccpp-2011-09-09-13:41:51-972
>>   count: 1
>>   executable: /usr/sbin/krb5kdc
>>   package: krb5-server-1.9.1-5.fc15
>>   time: Fri 09 Sep 2011 01:41:51 PM CDT
>>   uid: 0
>>
>> - Link to crash.zip
>>
>> This appears to be my current ldap openldap-2.4.24-3.fc15.x86_64.
>
> Can you please file a BZ? https://bugzilla.redhat.com
> I assume it is on Fedora 15 right?

FWIW I think I reproduced this yesterday evening. I will take a deeper look at it next week if it reproduces again. It seems to happen only when multiple worker processes are in use and one of them segfaults.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] krb5kdc process at 100%
On Fri, 2011-09-09 at 05:09 +, Smith, Martin R. [smma0...@stcloudstate.edu] wrote:
> When I attach gdb to the process, I have tried the main process and the four child processes, it provides no output. Here are the steps I'm taking:
>
> 1. On freeipa-server run htop and find the pid (or ps aux)
>    1. Shows one parent PID and four child processes
>       1. 934 root 20 0 46784 2656 388 S 0.0 0.1 0:00.00 `- /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid -w 4
>       2. 1939 root 20 0 78664 4460 2056 S 0.0 0.1 0:00.26 | `- /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid -w 4
>       3. 1938 root 20 0 78664 4460 2056 S 0.0 0.1 0:00.26 | `- /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid -w 4
>       4. 1936 root 20 0 78664 4460 2056 S 0.0 0.1 0:00.26 | `- /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid -w 4
>       5. 1935 root 20 0 78664 4212 1808 S 0.0 0.1 0:00.26 | `- /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid -w 4
>    2. run sudo gdb
>       1. attach 934
>       2. press c
>       3. Wait for output…
> 2. Attempt to login with user that has an expired password.
> 3. Now the krb5kdc process 934 starts running at 100% and the user is unable to login.
> 4. Only way to get the process back to normal is to type service ipa restart
>
> I've never debugged a program before so if I'm missing a step please let me know.

Ok, let's simplify the problem first. Apparently you have a quadcore cpu so by default we configured krb5kdc to spawn 4 worker processes. Let's bring it down to not spawning any worker process so we can simplify debugging.

Go to /etc/sysconfig/krb5kdc and remove the -w 4 argument from it. Then simply do a service krb5kdc restart (no need to restart the whole ipa service for this). If krb5kdc locks up again, gdb the process like you have done before but do not press c, type 'bt' instead and copy the log, then you can exit gdb.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] krb5kdc process at 100%
Is the ns-slapd instance for the ipa domain running when this happens ?

Simo.

On Thu, 2011-09-08 at 17:56 +, Smith, Martin R. [smma0...@stcloudstate.edu] wrote:
> Update: It appears to lockup immediately after a user with an expired password attempts to login. This happens when a user attempts to login at the freeipa-server itself or one of the clients.
>
> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Smith, Martin R. [smma0...@stcloudstate.edu]
> Sent: Thursday, September 08, 2011 12:49 PM
> To: freeipa-users@redhat.com
> Subject: [Freeipa-users] krb5kdc process at 100%
>
> Hello all,
>
> I’m running a fairly new install of Freeipa-server and we are running into a problem that is preventing users from logging in. We have two SSH servers that authenticate to our freeipa-server and after 15 min to 4 hrs of runtime the process Krb5kdc will consume 100% of the processor and the freeipa-server will no longer respond to ldap requests from the other machines.
>
> Here are some specs:
> The freeipa-server is running as a virtual machine on a Xen 5.6 box
> Fedora 15 with all current updates
> The /home directory is a NFS mount to a different server, also running freeipa-client
> I updated the freeipa-server package to the “testing” repo today, the problem still exists.
> The only additional components I’ve installed are fail2ban, and rsyslog.
>
> Some of the error messages include:
>
> (krb5kdc.log)
> Sep 08 12:10:23 client1.fake.com krb5kdc[1867](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 199.17.59.5: NEEDED_PREAUTH: host/client1.fake@fake.com for krbtgt/fake@fake.com, Additional pre-authentication required
>
> (pki-ca-system-log)
> Attached. This log is from the freeipa-server, it appears to be complaining that it can’t connect to itself.
>
> I can provide more logs to a personal email if needed.
>
> Thanks for your help in resolving this issue.
>
> -Martin Smith

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] krb5kdc process at 100%
Also, any chance you can attach gdb to the krb5kdc process and take a backtrace? Hopefully we will find out where it is hanging.

Simo.

On Thu, 2011-09-08 at 14:04 -0400, Simo Sorce wrote:
> Is the ns-slapd instance for the ipa domain running when this happens?
>
> Simo.
>
> On Thu, 2011-09-08 at 17:56 +, Smith, Martin R. [smma0...@stcloudstate.edu] wrote:
>> Update: It appears to lock up immediately after a user with an expired password attempts to login. This happens when a user attempts to login at the freeipa-server itself or one of the clients.
>>
>> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Smith, Martin R. [smma0...@stcloudstate.edu]
>> Sent: Thursday, September 08, 2011 12:49 PM
>> To: freeipa-users@redhat.com
>> Subject: [Freeipa-users] krb5kdc process at 100%
>>
>> Hello all,
>>
>> I’m running a fairly new install of Freeipa-server and we are running into a problem that is preventing users from logging in. We have two SSH servers that authenticate to our freeipa-server, and after 15 min to 4 hrs of runtime the process krb5kdc will consume 100% of the processor and the freeipa-server will no longer respond to ldap requests from the other machines.
>>
>> Here are some specs:
>> - The freeipa-server is running as a virtual machine on a Xen 5.6 box
>> - Fedora 15 with all current updates
>> - The /home directory is a NFS mount to a different server, also running freeipa-client
>> - I updated the freeipa-server package to the “testing” repo today; the problem still exists.
>> - The only additional components I’ve installed are fail2ban and rsyslog.
>>
>> Some of the error messages include:
>>
>> (krb5kdc.log)
>> Sep 08 12:10:23 client1.fake.com krb5kdc[1867](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 199.17.59.5: NEEDED_PREAUTH: host/client1.fake@fake.com for krbtgt/fake@fake.com, Additional pre-authentication required
>>
>> (pki-ca-system-log) Attached. This log is from the freeipa-server; it appears to be complaining that it can’t connect to itself.
>>
>> I can provide more logs to a personal email if needed. Thanks for your help in resolving this issue.
>>
>> -Martin Smith

-- Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Test scenario
On Mon, 2011-09-05 at 21:15 +, Steven Jones wrote:
> No, I'm looking at this in a fairly agnostic way. What I am looking for are real world scenarios that I can test potential LDAP type solutions against to determine the best for our needs, but you are right, the sssd link in is a killer.
>
> BUT I have to prove to my management which solution is the best. I have an uphill struggle as they want to use AD but they also want all the bells and whistles, except they don't know what that means. So I need to construct test cases where I can say here are (say) 5 cases, I want to get them to sign off on as what they want. So I need to use logic against their gut feel, or I'll end up managing a pile of crap.

In v3 we are planning on having external groups where you can put users from trusted domains. So you can reference these groups locally and are free to determine memberships. That will allow you to use HBAC. That said, you can only control HBAC stuff on freeipa-enabled servers.

Simo.

-- Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Extending Schema, CLI and Web UI for use with Samba 3 (groups!)
On Tue, 2011-08-16 at 16:50 -0400, Dmitri Pal wrote:
> Should we open a ticket and have a way to just turn this integration on? Something like an ipa-server-install install flag --samba-integration. Then it will translate into enabling all of the above at the install time or after.

It may conflict with the adtrust work if not done right, so I would prefer to do this as part of the 3.0-Trust work.

Simo.

-- Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Some questions regarding IPA, DNS and Samba4
On Thu, 2011-08-04 at 10:25 -0400, Dmitri Pal wrote:
> On 08/04/2011 03:52 AM, Ondrej Valousek wrote:
>> On 03.08.2011 23:52, Dmitri Pal wrote:
>>> But this has not been even filed as an enhancement as no one cared about such functionality until now. What is your use case for this functionality?
>>
>> Actually, I do not need such functionality. I was asking because I know Windows rotates keytabs so I was expecting IPA might as well. I guess there is no big press for it now but I would say in general we should support it as well - for security reasons if not for anything else.
>
> I created a BZ. I am not sure certmonger is the right component: https://bugzilla.redhat.com/show_bug.cgi?id=728263
> But at least it will be on the plate of the right person to make the decision and propose alternative approaches.

SSSD is probably a more appropriate component for keytabs, given that in the IPA case it is a primary user of the keytab for validation purposes.

Simo.

-- Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Some questions regarding IPA, DNS and Samba4
On Wed, 2011-08-03 at 10:22 +0200, Ondrej Valousek wrote:
> Hi List,
>
> I have some questions regarding IPA:
>
> 1. On the IPA client side, which daemon is looking after machine Kerberos host/ principal renewal?

Keytabs are random secrets and do not need to expire, as cracking them is considered a problem out of current computational reach, unlike user passwords, which use a much smaller set of values and are less random in nature.

> 2. If I installed Samba4 on the IPA server, what would happen? Is it possible? Would I get 2x KDCs, 2x LDAP servers and 2x DNS servers, or is it possible for Samba4 to re-use the existing IPA repository?

Nothing would work, as they would want to use the same ports (LDAP, KDC, kpasswd ...). No, Samba4 cannot use FreeIPA's LDAP because Windows clients want a perfect copy of AD's schema and DIT, so samba4 has to use the embedded LDAP and KDC.

> 3. Can I use Adam's LDAP plugin for BIND to deploy a DNS server with an Active Directory integrated zone running on Linux?

The bind-dyndb-ldap plugin can be used to store any kind of data, and it properly allows bind to set records on DNS Updates. So yes, you can, but you may want to use a tool to make it easier to modify LDAP records then.

Simo.

-- Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Use of FreeIPA or FreeIPA LDAP server to hold private keys
On Wed, 2011-08-03 at 13:46 -0400, Stephen Gallagher wrote:
> On Wed, 2011-08-03 at 13:41 -0400, Ian Stokes-Rees wrote:
>> On 8/3/11 1:02 PM, Stephen Gallagher wrote:
>>> So I guess what I'm saying is not "Don't use centrally managed key storage", but rather "If you use the key anywhere but in this administrative domain, do not put it in centrally-managed storage that anyone but you can ever gain access to."
>>
>> Yes, I appreciate the distinction you raise. Regarding your last comment quoted above, to the best of my knowledge that is impossible. I regularly have discussions with people saying an administrator could always do X, Y and Z to access your supposedly private data -- if there are ways in which I could be wrong about that, I'd love to know them. Otherwise I believe that the key risks from a centralized keystore are:
>>
>> * ease of compromise by an unscrupulous administrator
>> * extent of compromise if an attacker gains administrative privs to the central keystore (although it sounds like the RH DRM system could significantly reduce that)
>> * risk of compromise due to security vulnerabilities in central keystore software
>>
>> I think the general consensus is that you are always exposed to some degree of risk, and it is necessary to evaluate the risks versus the benefits. There are some lovely lakes in northern Maine where you can probably use your laptop without too much risk of compromised privacy, or closer to home, I'm sure most of us can remember a day when we got lots of useful work done on a computer with no network connection and were excited when we got one new piece of software every few months. In my risk/benefit world, a centralized keystore would be really useful.
>>
>> And for the record, if any one of the computers I use is compromised with a keyboard scanner or theft of my private ssh or X.509 keys, then I'm in a whole world of pain, and not a small amount of inconvenience (and risk of malicious attacks) to the various systems I regularly access. Best I can tell, that isn't too different from most people in my situation, and short of that nice cabin in Maine, is simply the reality (risk) of the kind of work I do, and the people I do it for.
>
> Well, there exist central storage approaches that don't allow even the local admin access to the data. The trade-off of course is that they can't reinstate your access if you forget the password. In other words, you can set a password that is used as a symmetric key for encrypting your data in the central store. It's still central and can be retrieved from anywhere, but only you know how to read it.

In these situations, to allow recovery you can have all data encrypted a second time with a central store public key. But the corresponding private key is not stored in a place accessible online, and gaining access to the means to recover keys is subject to logging on a specialized system which audits everything you do and notifies all interested parties automatically when you access anyone's keys.

That can be done but it is expensive, something we can plan for in the future, but not something we can do in the short term.

Simo.

-- Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Use of FreeIPA or FreeIPA LDAP server to hold private keys
On Tue, 2011-08-02 at 16:27 -0400, Dmitri Pal wrote:
> On 08/02/2011 02:15 PM, Ian Stokes-Rees wrote:
>> Is there some mechanism to store private keys (e.g. ssh, pgp, gpg, X.509) in FreeIPA, tied to a user account, so only the user (via kerb token or with password prompt) can fetch the token? If FreeIPA doesn't make this possible, can anyone suggest a good mechanism to have, effectively, a user keystore that would sync passwords with FreeIPA nicely. I am thinking, in particular, of the scenario where users forget their password -- we'd strongly prefer to just reset it for them (24 hours, one login) in a way that didn't mean also re-issuing all passphrase-secured identity tokens.
>
> Not now, however:
> https://fedorahosted.org/freeipa/ticket/754
> https://fedorahosted.org/freeipa/ticket/237
> https://fedorahosted.org/freeipa/ticket/521

Replaced the last one with: https://fedorahosted.org/freeipa/ticket/1560

Simo.

-- Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Dead Freeipa
On Wed, 2011-07-27 at 15:53 -0600, Rich Megginson wrote:
> On 07/27/2011 03:40 PM, Steven Jones wrote:
>> regards
>
> Thanks. To follow up from IRC: If Steven starts up dirsrv manually, then krb, then named, then httpd, everything works fine. Not sure what the ipa script is doing that kills dirsrv immediately upon startup.

The only case where ipactl stops dirsrv is when it fails to find information with the ldapsearch done immediately after dirsrv starts. Is it possible the dirsrv init script returns before dirsrv is actually ready to serve requests?

Simo.

-- Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Alternatives to freeipa
On Fri, 2011-07-08 at 14:29 +0200, Ondrej Valousek wrote:
> Authconfig will definitely help you to configure nsswitch.conf and Kerberos (i.e. the easy bits), but the hard work with configuring winbind or the ldap library has to be done manually anyway (assuming winbind is working correctly - unfortunately winbind is hopelessly broken in the last versions of Samba and no one seems to care).

What is broken? I certainly do care. Please reply privately, as this is not the right place to discuss other projects' bugs.

Simo.

-- Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Alternatives to freeipa
On Fri, 2011-07-08 at 14:50 +0200, Ondrej Valousek wrote:
> https://bugzilla.redhat.com/show_bug.cgi?id=652609

Last comment, as this is totally OT.

Winbindd has been *designed* to use the user's primary SID as the primary GID; there are reasons as to why that's needed for CIFS*. You may argue you don't like the behavior, you can try to ask upstream to change it (unlikely to happen but hey), but it is not broken. It works as advertised (i.e. primary gidNumber is ignored on user entries), please do not spread FUD.

Simo.

* For the same reason we ignore the old primary group SID ldap attribute on samba DCs with an ldap backend and instead force to use the primary gid to determine the primary group SID. The reason is that we cannot handle properly when admins mess up and put a primary SID and a primary gid that do not translate into each other. So the only reasonable thing to do in this case to avoid problems is to just ignore the 'non-authoritative' setting on the backend being used. On a Samba server with LDAP the authoritative id is the gidNumber. On AD (obviously) the authoritative one is the primary group SID, so gidNumber is ignored.

-- Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Joining realm failed because of failing XML-RPC request FreIPA V2
On Fri, 2011-07-08 at 14:45 -0400, Rob Crittenden wrote:
> McDougall, Ryan P. [mcry0...@stcloudstate.edu] wrote:
>> When joining a client to a FreeIPA server installed on F15, I get the error quoted in the subject. The install of the server went well with no errors during the process. I’ve been looking all over and I can’t seem to find anything related to this on the forums and I haven’t heard back from anyone yet in IRC. Is this a known issue?
>
> This is caused by a recent update to libcurl that removed its ability to delegate tickets. Bugs have been opened against curl to add support for delegation and a bug against xmlrpc-c to take advantage of this new API. There is currently no ETA on a fix.
>
> The only workaround I've come up with so far is:
>
> - On the server: manually add a host entry for your client: ipa host-add client.example.com
> - Add the --force flag to ipa-client-install. This will allow it to continue past the enrolment failure
> - On the client: kinit admin
> - On the client: ipa-getkeytab -s ipa.example.com -p client.example@example.com -k /etc/krb5.keytab
> - On the client: service sssd restart
>
> There will be no SSL server cert in /etc/pki/nssdb because certmonger can't communicate with the IPA backend.

The other option is to downgrade curl to a previously working version, although the upgrade was supposedly a security fix and the fix was to remove this functionality ...

Simo.

-- Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] ipa-client-install failed to join the IPA realm if DNS setting is incorrect
On Thu, 2011-06-30 at 15:52 +0200, Ondrej Valousek wrote:
>> The KDC is just trying to look up a service that was requested, it was the client that requested this host. Note that the host name used is the detected IPA server. This can often be wrong if there is another server in your network with SRV records (such as AD).
>
> Apparently not the KDC. I had to fix the resolv.conf on the client in order to resolve the problem. The problem was in reverse records - the company DNS server returned polaris.prague.s3group.com (this rendered the error on the KDC) for the IP of the IPA server, whereas the correct one should be polaris.example.com (as per the DNS server running on the IPA server). When the client's resolv.conf pointed to the company DNS, it did not work. I had to fix resolv.conf manually to make it work.
>
>> The resolver is a bit of a chicken and egg problem. Hard to look anything up if you don't have one configured. The installer should prompt that the detected settings are ok. Were they ok and we still went to the wrong place?
>
> Ok, let me explain it more. The machine I was running ipa-client-install on was using the company DNS server. On that DNS server I made a forward rule for the 'example.com' domain. Therefore, once I ran
>
> # ipa-client-install --domain=example.com ..
>
> the tool was able to detect everything correctly, BUT the wrong DNS server (which was left behind in /etc/resolv.conf) returned wrong names from its reverse zone. I believe it should be fairly easy for the installer to do a few sanity checks to see whether the reverse DNS lookup works well...

We are actively working on trying to never depend on reverse lookups. Unfortunately there are still some bugs and limitations in various libraries, but we are working on fixing them.

That said, if you want to use your main DNS for clients, you can simply fix issues by adding reverse records into it, at least for IPA servers. Or give the IPA machine a subnet and forward requests for that subnet too.

Simo.

-- Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] adding PTR record for a host on the network
On Tue, 2011-06-28 at 19:06 -0400, Tim Hildred wrote:
>> Should look like this:
>> ipa dnsrecord-add 22.168.192.in-addr.arpa 4 --ptr-rec rhel6.mysandbox.com.
>
> Does the first part need a trailing . after arpa? I saw something (https://fedorahosted.org/freeipa/ticket/1129) that looked like what I got when I pasted what you provided into a terminal. However, when I added a . on the end of arpa and removed it from mysandbox.com., I got:
>
> Record name: 4
> PTR record: rhel6.mysandbox.com., rhel6.mysandbox.com
>
> Even so, when I try to do:
>
> [root@rhel6 ~]# host 192.168.22.4
> Host 4.22.168.192.in-addr.arpa. not found: 3(NXDOMAIN)
>
> Thanks for having a look!

Have you just recently created the 22.168.192.in-addr.arpa zone? One thing we still haven't addressed is that when you create new zones you have to restart named before it will serve them.

Simo.

-- Simo Sorce * Red Hat, Inc * New York
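The two DNS threads above (the installer tripping over a wrong PTR from the company DNS, and the PTR record naming in this one) share the same mechanics, so here is one added example, not code from the list or from FreeIPA: it derives the in-addr.arpa zone and record name for an address, builds the ipa dnsrecord-add line in the form quoted above, and runs the forward/reverse consistency check the installer thread asks for. Resolvers are injected, so it runs offline against constructed data; the host names and the 192.0.2.10 address are sample values.

```python
"""Added example, not code from the list thread or from FreeIPA: derive the
in-addr.arpa zone and record name for a PTR record, build the matching
ipa dnsrecord-add command line, and check that forward and reverse DNS agree
for a host, which is the sanity check the installer thread asks for.

Resolver functions are injected so everything runs offline against the
constructed sample data below; ``forward`` maps a name to its IPv4
addresses and ``reverse`` maps an address to its PTR targets.
"""
import ipaddress
import socket
from typing import Callable, List, Tuple

Resolver = Callable[[str], List[str]]


def reverse_zone(ip: str, prefixlen: int) -> Tuple[str, str]:
    """Split an IPv4 address into (reverse zone, record name).

    prefixlen selects the zone cut on an octet boundary: /24 of
    192.168.22.4 gives ('22.168.192.in-addr.arpa', '4'), /16 gives
    ('168.192.in-addr.arpa', '4.22').
    """
    if prefixlen not in (8, 16, 24):
        raise ValueError("in-addr.arpa zones cut on octet boundaries: 8, 16 or 24")
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    n = prefixlen // 8
    zone = ".".join(reversed(octets[:n])) + ".in-addr.arpa"
    name = ".".join(reversed(octets[n:]))
    return zone, name


def ptr_add_command(ip: str, prefixlen: int, hostname: str) -> str:
    """Build the IPA CLI command in the form quoted in the thread: zone
    without a trailing dot, PTR target fully qualified with one."""
    zone, name = reverse_zone(ip, prefixlen)
    target = hostname if hostname.endswith(".") else hostname + "."
    return f"ipa dnsrecord-add {zone} {name} --ptr-rec {target}"


def check_reverse_consistency(hostname: str, forward: Resolver,
                              reverse: Resolver) -> List[str]:
    """Return the problems found; an empty list means every address the
    host resolves to has a PTR that points back at the same name."""
    host = hostname.rstrip(".").lower()
    addrs = forward(host)
    if not addrs:
        return [f"{host}: no A record"]
    problems = []
    for ip in addrs:
        names = [n.rstrip(".").lower() for n in reverse(ip)]
        if not names:
            problems.append(f"{ip}: no PTR record")
        elif host not in names:
            problems.append(f"{ip}: PTR points to {', '.join(names)}, expected {host}")
    return problems


# Constructed sample data modelled on the threads: the IPA-managed DNS and the
# company DNS agree on the forward name but hand out different PTRs.
# 192.0.2.10 is a documentation address standing in for the IPA server.
_FORWARD = {"polaris.example.com": ["192.0.2.10"],
            "rhel6.mysandbox.com": ["192.168.22.4"]}
_IPA_REVERSE = {"192.0.2.10": ["polaris.example.com."],
                "192.168.22.4": ["rhel6.mysandbox.com."]}
_COMPANY_REVERSE = {"192.0.2.10": ["polaris.prague.s3group.com."]}


def sample_forward(name: str) -> List[str]:
    return _FORWARD.get(name, [])


def ipa_reverse(ip: str) -> List[str]:
    return _IPA_REVERSE.get(ip, [])


def company_reverse(ip: str) -> List[str]:
    return _COMPANY_REVERSE.get(ip, [])


def system_resolvers() -> Tuple[Resolver, Resolver]:
    """Resolvers backed by the host's libc resolver, i.e. whatever
    /etc/resolv.conf points at, for running the same check for real."""
    def forward(name: str) -> List[str]:
        try:
            return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})
        except socket.gaierror:
            return []

    def reverse(ip: str) -> List[str]:
        try:
            return [socket.gethostbyaddr(ip)[0]]
        except (socket.herror, socket.gaierror):
            return []
    return forward, reverse


if __name__ == "__main__":
    print(ptr_add_command("192.168.22.4", 24, "rhel6.mysandbox.com"))
    for label, rev in (("IPA DNS", ipa_reverse), ("company DNS", company_reverse)):
        print(label, check_reverse_consistency("polaris.example.com", sample_forward, rev) or "ok")
```

Running the check with system_resolvers() on a client reproduces the installer-side test against whatever resolv.conf currently points at.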
Re: [Freeipa-users] AD/IPA Full Name
On Thu, 2011-06-23 at 13:48 +0100, Attila Bogár wrote:
> When I change a user's full name in IPA, usermod --cn=New Name, IPA pushes back the full name into the (read-only) Name: attribute successfully. So this workaround does exactly what I want, though I'm wondering if anyone knows what consequences it could have, that IPA is changing read-only attributes in the AD?

The Full Name field is not read-only in AD. It is exactly the attribute in which you are supposed to put the user's Full Name.

Simo.

-- Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Insufficient access during winsync agreement
On Tue, 2011-06-21 at 10:01 +0100, Attila Bogár wrote:
> On 20/06/11 16:37, Attila Bogár wrote:
>> I'm trying to set up the AD-FreeIPA sync agreement and I'm always getting this error:
>>
>> # ipa-replica-manage connect --winsync --binddn cn=IPA Sync,cn=Users,dc=win,dc=example,dc=com --bindpw JamesBond007 --cacert /root/dc1.cer --passsync JamesBond007 dc1.win.example.com -v
>
> This is solved now. The Directory Manager password was missing from the command line (-p). The admin user's privileges via kerberos are insufficient to set up a replica agreement, as I see. Could you please add this to the documentation example in the docs? I think upcoming users would appreciate this.
> http://obriend.fedorapeople.org/freeIPA2.0/Identity_and_Policy_Management_Guide/html-single/#sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Setting_up_Windows_Sync_on_the_IPA_Server

If the command didn't give you an error it is a bug, can you please open a ticket?

Simo.

-- Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] DNS zone transfers
On Tue, 2011-06-21 at 12:12 +0200, Adam Tkac wrote:
> On 06/16/2011 09:38 PM, Loris Santamaria wrote:
>> On Thu, 2011-06-16 at 11:27 -0400, Simo Sorce wrote:
>>> On Thu, 2011-06-16 at 10:31 -0430, Loris Santamaria wrote:
>>>> Hi,
>>>>
>>>> I would like to use my freeIPA v2 server as my master name server and have other normal (non ldap based) bind servers as caching / secondary name servers. Ideally the clients would query only the secondary servers and the secondary name servers would perform regular zone transfers from the master server.
>>>>
>>>> So I'm trying to setup zone transfer in my IPA based name server. First of all I see that the attribute idnsAllowTransfer referenced in the bind-dyndb-ldap documentation is not really supported in the schema installed in IPA. Next, using a global allow-transfer in named.conf doesn't work either.
>>>
>>> A global allow-transfer should work, have you restarted named after setting it? If it doesn't work we may have a bug.
>>
>> I'm adding to the named.conf options section:
>>
>> allow-transfer { 127.0.0.1; };
>>
>> then I restart named and try a zone transfer on the same host:
>>
>> # host -l ipa.corpfbk. 127.0.0.1
>> ; Transfer failed.
>> Using domain server:
>> Name: 127.0.0.1
>> Address: 127.0.0.1#53
>> Aliases:
>>
>> Host ipa.corpfbk not found: 9(NOTAUTH)
>> ; Transfer failed.
>>
>> In the logs I get:
>>
>> Jun 16 11:10:26 ipa01 named[30044]: client 127.0.0.1#59303: bad zone transfer request: 'ipa.corpfbk/IN': non-authoritative zone (NOTAUTH)
>
> Hello Loris,
>
> the bind-dyndb-ldap plugin currently doesn't support zone transfers, but you should receive a SERVFAIL error in this case, not NOTAUTH. Are you sure the 127.0.0.1 server is authoritative for the ipa.corpfbk zone? Can you please post the output of "dig @127.0.0.1 ipa.corpfbk SOA" here?

Adam, thanks for the reply.

Loris, sorry for the confusion, I mistakenly thought we already implemented this feature. The implementation is not particularly difficult, and we plan to have support for zone transfers in one of the next 2.x releases, as soon as UI changes can be made and tested. Follow future release announcements, we will have this feature listed when it is ready.

Simo.

-- Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] SRV record to tell w2k8 machines to use IPA server for ldap
On Fri, 2011-06-17 at 02:15 -0400, Tim Hildred wrote:
> Hello;
>
> I have a VM running FreeIPA, and have the DNS SRV records referencing ldap and kerberos mentioned in the documentation. In trying to set the domain of my Win2k8 VM to mysandbox.com, I get an error that the DNS name does not exist after running the query for _ldap._tcp.dc._msdcs.mysandbox.com, which is different than the example given for an LDAP SRV record. So what SRV record has to exist that will allow my W2k8 VM to join the mysandbox.com domain?
>
> ipa dnsrecord-add ___

Sorry Tim, but FreeIPA cannot be a direct Domain Controller for Windows clients. Unfortunately Windows Clients can only join AD domains and stuff that behaves *exactly* like AD down to very fine details.

There is actually a write-up here [1] on how to hook up a windows client to use FreeIPA as an authentication source, but that is not the same thing as joining a domain. Depending on your needs it may be enough though. Also note that we have not tested this guide with v2 or recent Windows clients.

If you want an alternative to AD for your Windows clients I can suggest trying Samba4; it is still not complete, but has enough basic AD infrastructure to work for single domain deployments, with some minor restrictions.

Simo.

[1] http://www.freeipa.org/page/Implementing_FreeIPA_in_a_mixed_Environment_%28Windows/Linux%29_-_Step_by_step

-- Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Change UID range
On Tue, 2011-06-14 at 07:42 -0400, Stephen Gallagher wrote:
> The decision to make the range start at 1 billion was made specifically BECAUSE the chances of a company having that many users was statistically unlikely.

Correction: we start at 1 million and we get a 100k range randomly within the 1M-2B range, so almost 10k different possible buckets. The chance that 2 installations end up getting the same bucket is very low. However, you can always force the UID to be used at user creation by explicitly specifying the IDs you want.

Simo.

-- Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Configuring IPA replicas
On Mon, 2011-06-13 at 15:23 +0200, Sigbjorn Lie wrote:
> Hi,
>
> I have successfully configured one IPA replica, now I'm trying to configure a second replica, but I'm not having much success. I've attached the output of ipa-replica-install -d. I get as far as [4/11]: configuring certificate server instance. The machine is configured in the same way as the 2 first machines. They are all F15, updated with all available packages from the official repos.
>
> The installation fails when it's trying to connect to the dogtag server on the ipa replica it's just configured, with an "Invalid clone_uri" message. (See the attached file for details). I'm not sure where to start looking. The only difference from the 2 first IPA servers is that this server is located at another subnet, over a site-to-site VPN connection.
>
> Any suggestions to what might be wrong?

I have never seen this error, have you created a new replica package with ipa-replica-prepare to create the second replica?

Simo.

-- Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Where do I find info on how to allow or stop users logging into hosts?
Just to add on the advice, not to detract,

On Tue, 2011-06-14 at 01:10 +, JR Aquino wrote:
> 1) Create an HBAC Rule or rules: choose allow or deny

Do yourself a favor and never use deny rules, they are there if you *really* need them, but you do not want to use them if you can avoid them :)

> 2) add users/usergroups to the rule
> 3) add hosts/hostgroups to the rule
> 4) disable the default 'allow all' rule

Remember that by default if a user isn't explicitly allowed the behavior of HBAC is to deny (that's why we have a default allow_all rule).

> Now any system that has SSSD 1.5 will enforce those HBAC rules.

And if it doesn't we really want to know, as it is going to be a security issue.

Simo.

> For systems that do not support sssd, I have been working on a proof of concept authorization module for HBAC written in python.
>
> -JR
>
> On Jun 13, 2011, at 5:32 PM, Steven Jones wrote:
>> Hi,
>>
>> I've seen/read it, and I have a hard copy on my desk in front of me right now. I find it typical of such documents, it has lots of sections in great detail but it doesn't tell you how to achieve anything end to end, and often it gives you written instructions on visual tasks so if you are not in the right bit of the gui you go nowhere. So it needs far more screenshots and wizards.
>>
>> regards
>>
>> From: JR Aquino [jr.aqu...@citrix.com]
>> Sent: Tuesday, 14 June 2011 11:53 a.m.
>> To: Steven Jones
>> Cc: freeipa-users@redhat.com
>> Subject: Re: [Freeipa-users] Where do I find info on how to allow or stop users logging into hosts?
>>
>> On Jun 13, 2011, at 4:43 PM, Steven Jones wrote:
>>> I have put 3 clients into a netgroup and added a user, however when I remove the user from the netgroup the user can still login! Even if the user wasn't ever in the netgroup they can login. So how do I stop that? When will we see some documentation on doing user admin tasks like this?
>>
>> Have a look at this: http://obriend.fedorapeople.org/freeIPA2.0/Identity_and_Policy_Management_Guide/html-single/#sect-Enterprise_Identity_Management_Guide-Host_based_Access_Control_Policies

-- Simo Sorce * Red Hat, Inc * New York
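As an added example (not code from the thread, from FreeIPA or from SSSD), a small HBAC evaluator with the semantics described above: default deny, the stock allow_all rule letting everyone in until it is disabled (step 4), and allow rules matched on users/user groups and hosts/host groups. Deny rules are modelled here as taking precedence over allow rules, an assumption made to show why they are discouraged; the users, groups and hosts are constructed sample data.

```python
"""Added example, not code from the thread, from FreeIPA or from SSSD: a
small HBAC evaluator with the semantics the thread describes. The default
is deny, so a login succeeds only when some enabled allow rule matches
both the user (or a group of theirs) and the host (or a host group); the
stock allow_all rule is what makes every login succeed until it is
disabled. Deny rules are modelled as taking precedence over allow rules
(an assumption made here to show why they are discouraged). Users, groups
and hosts are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class HbacRule:
    name: str
    allow: bool = True                      # False makes this a deny rule
    enabled: bool = True
    users: FrozenSet[str] = frozenset()
    usergroups: FrozenSet[str] = frozenset()
    hosts: FrozenSet[str] = frozenset()
    hostgroups: FrozenSet[str] = frozenset()
    all_users: bool = False                 # user category "all"
    all_hosts: bool = False                 # host category "all"

    def matches(self, user: str, user_groups: Set[str],
                host: str, host_groups: Set[str]) -> bool:
        if not self.enabled:
            return False
        user_ok = self.all_users or user in self.users or bool(self.usergroups & user_groups)
        host_ok = self.all_hosts or host in self.hosts or bool(self.hostgroups & host_groups)
        return user_ok and host_ok


def evaluate(rules: List[HbacRule], user: str, user_groups: Set[str],
             host: str, host_groups: Set[str]) -> Tuple[bool, str]:
    """Decide access and report which rule(s) decided it."""
    matched = [r for r in rules if r.matches(user, user_groups, host, host_groups)]
    denies = [r.name for r in matched if not r.allow]
    allows = [r.name for r in matched if r.allow]
    if denies:
        return False, "denied by " + ", ".join(denies)
    if allows:
        return True, "allowed by " + ", ".join(allows)
    return False, "no matching allow rule (default deny)"


# Constructed directory data: group memberships as IPA would hand them out.
USER_GROUPS: Dict[str, Set[str]] = {
    "alice": {"sysadmins", "contractors"},
    "bob": {"staff"},
}
HOST_GROUPS: Dict[str, Set[str]] = {
    "client1.example.com": {"servers"},
    "laptop1.example.com": {"workstations"},
}

ALLOW_ALL = HbacRule("allow_all", all_users=True, all_hosts=True)
SYSADMINS_ON_SERVERS = HbacRule("sysadmins-on-servers",
                                usergroups=frozenset({"sysadmins"}),
                                hostgroups=frozenset({"servers"}))
# A deny rule of the kind the thread warns against: it overrides every
# allow for anyone who happens to be in the contractors group.
NO_CONTRACTORS = HbacRule("no-contractors", allow=False,
                          usergroups=frozenset({"contractors"}), all_hosts=True)

# The same rule set before and after step 4 (disabling allow_all), plus a
# variant with the deny rule added.
RULES_DEFAULT = [ALLOW_ALL, SYSADMINS_ON_SERVERS]
RULES_LOCKED_DOWN = [HbacRule("allow_all", enabled=False, all_users=True, all_hosts=True),
                     SYSADMINS_ON_SERVERS]
RULES_WITH_DENY = RULES_LOCKED_DOWN + [NO_CONTRACTORS]


def hbac_check(rules: List[HbacRule], user: str, host: str) -> Tuple[bool, str]:
    """Look up memberships in the constructed data and evaluate."""
    return evaluate(rules, user, USER_GROUPS.get(user, set()),
                    host, HOST_GROUPS.get(host, set()))


if __name__ == "__main__":
    for label, rules in (("default", RULES_DEFAULT), ("locked down", RULES_LOCKED_DOWN),
                         ("with deny", RULES_WITH_DENY)):
        for user, host in (("bob", "client1.example.com"), ("alice", "client1.example.com"),
                           ("alice", "laptop1.example.com")):
            print(f"{label:12} {user}@{host}: {hbac_check(rules, user, host)[1]}")
```

The "default" run reproduces the complaint that started the thread: while allow_all is enabled, removing a user from a group changes nothing, because that rule matches everyone everywhere.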
Re: [Freeipa-users] Inconsistent first login behaviour
On Thu, 2011-06-09 at 20:32 +, Steven Jones wrote:
> Hi,
>
> In which case I would expect it should happen across all clients in the same way and not some...

Indeed it should. If a brand new user with an admin-set password is used and a specific machine does not force you to change the password, please open a bug against the specific distro version; feel free to assign it to the sssd components or pam_krb5 components depending on what you are using on the specific machine.

Simo.

-- Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] New user first login behaviour (Fedora 15)
On Thu, 2011-06-09 at 04:20 +, Steven Jones wrote:
> Hi,
>
> hmmm.. I can login to the workstation via ssh using the ipa password for thing, but no home directory has been created...

You need to configure pam_mkhomedir if you want that done. We cannot do that from ipa-client-install because we have no data on how you are going to set up your home directories. We have no idea if you want local ones, or if you are going to set up a NFS mountpoint on /home, or if you are going to use automount/autofs or whatever.

You can run the authconfig gui (or CLI) and select the option of creating home directories at login if they are not available yet.

Simo.

-- Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Kerberos problem with account with changed attributes
On Thu, 2011-06-09 at 13:04 +0200, tomasz.napier...@allegro.pl wrote:
> Hi,
>
> Due to a bug in one of our maintenance scripts, I had to manually change some attributes for one of the users, e.g.: uid and uidNumber. I did it using /usr/sbin/ipa-moduser --setattr=uid=username --setattr=uidNumber=1221 1221 (yeah, the last argument is really the user's uid ;)
>
> After that the user cannot use any of the ipa-* scripts, he's getting:
> Connection to database failed: Invalid credentials: SASL(-14): authorization failure:
>
> I suppose it is a problem with inconsistency between the ldap and Kerberos database (probably Kerberos still has the old data). My question is how to fix that without generating a new user (I really have to avoid that due to the fact that this environment has some compliance restrictions).

Use ldapsearch to check what the DN is, it is probably still something like:
cn=1211,cn=users,cn=accounts, ...

then use ldapmodrdn -r cn=1211,cn=users,cn=acc. cn=username

This will rename the user properly and a plugin will take care of renaming also the kerberos principal. Local client caches may need some purging to properly pick up the new value.

Simo.

-- Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] FreeIPA 2, adding Samba attributes
On Thu, 2011-06-09 at 12:44 +0200, John S. Skogtvedt wrote:
> Hello, has anybody tried to integrate Samba with FreeIPA 2? I searched and found a mailing list post from 2009 with a solution using the 389 DNA plugin, but later posts indicated that the solution outlined wasn't correct (and probably out of date).
>
> My impression from what I've read is that there is no way of doing it other than configuring FreeIPA to add samba object classes, and specifying the required attributes when adding a user. The problem then is that adding users won't be possible from the web interface, because of required samba attributes (unless one instead later adds the necessary object classes and attributes). Is this correct?

You can modify the UI behavior wrt what classes and attributes to store.

> If so, I wonder how much work it might be to either add a small hack to the web interface to add the necessary attributes, or to write a web interface plugin which adds a user with the necessary attributes. Any pointers would be appreciated (I know python).
>
> I think it'd be useful to be able to add template values as well as objectclasses in ipaConfig, e.g. something like: ipaUserAttrs: sambaSid: ...-$uid, where $uid is expanded when the user is created.

You probably want to use the DNA plugin to generate the sambaSid for you once you have a domain SID, it's not too difficult and will be much less error prone.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] sync passwords with AD or not per user
On Wed, 2011-06-08 at 10:27 -0400, Rob Crittenden wrote:
> Rich Megginson wrote:
> > On 06/07/2011 03:41 PM, Steven Jones wrote:
> > > Hi,
> > >
> > > For most users I will want to allow the same password in AD as in freeipa, so a linux or windows desktop will work with a linux or windows service, but for some specific financial servers/services I need a stricter password capability to meet our audit criteria.
> >
> > In 389 you can set password policy on a per-user or per-subtree basis. With a little extra work, you could probably get this working on a per-group or per-role basis as well. This should apply to IPA as well, depending on how they have implemented support for password policy.
>
> We have per-group password policy but we don't use the 389-ds password policy engine.
>
> What I don't know is what happens if you set a lousy password in AD, whether that gets replicated to IPA. Will it be rejected, accepted?

The ipa-pwd-extop module has a list of users that can set passwords w/o having them quality checked. The passsync user is normally one of these users. And passwords replicated from windows are not quality checked.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] DNS in freeipa
Clients get added automatically to DNS in 2 ways:
1. At install time by the ipa-client-install script
2. At run time, if configured to do so, sssd can run dynamic updates using the host keytab.

Clients that do not have sssd support must use some other way. For example a cron job with enough privileges to access the host keytab and run dnsupdate.

Simo.

On Wed, 2011-06-08 at 20:07 +, Steven Jones wrote:
> So for now I have to add the client(s) to DNS manually? and it will get fixed? or will it always be like this?
>
> regards
>
> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Steven Jones [steven.jo...@vuw.ac.nz]
> Sent: Wednesday, 8 June 2011 2:25 p.m.
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] DNS in freeipa
>
> fedora15 also appears in DNS when I add it as a client.
>
> regards
>
> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Steven Jones [steven.jo...@vuw.ac.nz]
> Sent: Wednesday, 8 June 2011 2:19 p.m.
> To: freeipa-users@redhat.com
> Subject: [Freeipa-users] DNS in freeipa
>
> Hi,
>
> When I add a RHEL 6.1 client to free-ipa it appears in the ldap/dns section under policy, not so RHEL5.6, is this correct?
>
> regards

-- 
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Inconsistent first login behaviour
On Wed, 2011-06-08 at 22:31 +, Steven Jones wrote:
> So then using the ipa-client-install script I joined them each in turn to IPA... for F15 and 6.1 clients they now accept the IPA password2 without an issue... for RHEL 5.6 it initially asked to reset the password and I only had 1 hour... later logins are fine.

Steven,
so the problem is that you got a bogus warning, but it is working properly beyond that ?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Inconsistent first login behaviour
On Wed, 2011-06-08 at 22:56 +, Steven Jones wrote:
> Bogus except it wouldn't allow me to login unless I changed my password, yes.

Was this right after you used an administrative account to change the user password ?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Difficulty installing freeipa
On Fri, 2011-06-03 at 16:38 -0500, Stamper, Brian P. (ARC-D)[Logyx LLC] wrote:
> I've given up on freeipa v2 due to lack of compatibility with hosts I manage. This is all on freeipa v1. The server started as Fedora 13, and I upgraded to Fedora 14 in an attempt to fix the problems.

Brian,
I am curious, what compatibility are you lacking ?
I can't think of any difference in the supported list of clients, with v2 we have native sssd support that was not available in v1, but the legacy support is basically identical.

Can you elaborate on which problem you found on which clients ?

Thanks,
Simo

-- 
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] bug in ipa user-add
On Tue, 2011-05-31 at 02:17 +, Steven Jones wrote:
> Hi,
>
> So the docs should cover this at the least

Sorry Steve, that's basic shell behavior, and you'll find info in the bash man pages. Nothing to do with the IPA commands.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Can FreeIPA v2 be used as Zimbra external LDAP authenticator?
On Fri, 2011-05-27 at 17:26 -0600, David L. Willson wrote:
> Rob Crittenden: Thank you for your help! This is RESOLVED, and I want to make some notes here, because finding the magic combination of syntax has been... trying.
>
> Products affected: FreeIPA 2.0.1, Zimbra 7.1 OSE
>
> NOTES: 'humperdinck' is my IPA server and 'z7' is my Zimbra Collaboration Server. I'm NOT removing my real values, because I think docs work better when you just paste in what you really used.
>
> 0. From a shell prompt on the Zimbra server, import the CA certificate, and restart Zimbra services.
>
>     $ wget http://humperdinck.rmsel.org/ipa/errors/ca.crt
>     $ mv ca.crt humperdinck_ca.crt
>     $ sudo /opt/zimbra/java/bin/keytool -import -alias humperdinck_ca -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit -file humperdinck_ca.crt
>     $ sudo su - zimbra
>     $ zmcontrol stop
>     $ zmcontrol start
>
> 1. From the Zimbra admin console, connect a domain to the IPA server for external LDAP authentication.
>    On the left, under Configuration, expand Domains, and select (click) the Domain you want to authenticate with IPA.
>    In the toolbar, click Configure Authentication
>    In the drop-down list-box, choose External LDAP
>    Type your IPA server's FQDN in LDAP Server name:, do NOT check Use SSL, check Enable StartTLS
>    LDAP Filter is exactly this, WITH parentheses, and NO spaces.
>        (uid=%u)
>    My LDAP Search Base is exactly this, with NO parentheses, and NO spaces. You'll need to change the domain components, of course.
>        cn=accounts,dc=rmsel,dc=org
>    Click next TWICE (ie: do NOT check Use DN/Password to bind to external server)
>    Enter a username or full email and the matching password. (must be valid, NON-EXPIRED credentials)
>        dlwillson
>        **
>    Click Test. Celebrate.
>
> 2. If you're not celebrating, use the same credentials with kinit at the shell prompt on any Kerberos client machine to confirm validity.
>
>     kinit dlwillson
>     enter password
>
> 3. If the credentials are valid, use ldapsearch from the shell on your Zimbra server to test LDAP binding/searching.
>
>     $ sudo su - zimbra
>     $ ldapsearch --help
>     $ ldapsearch -D uid=dlwillson,cn=users,cn=accounts,dc=rmsel,dc=org -w '**' -b cn=accounts,dc=rmsel,dc=org -h humperdinck.rmsel.org -v -ZZ uid=dlwillson
>
> 4. I hope you're celebrating by now, because if not, you're in for a rough time, perhaps.
>
> HTH, cheers, YMMV, YATLTL

Thank you for the very nice write-up.
I am curious if you are going to enable GSSAPI authentication in Zimbra too (Zimbra supports GSSAPI/Krb5 auth for IMAP and apparently should support it for the web interface too at some point). It would be awesome to get a similar writeup of how to configure it in that case. I am sure many users would be delighted to be able to do SSO against the mail server (ie no need to enter any password at all after login).

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Migration from FreeIPA 1.2.1 to 2
On Thu, 2011-05-26 at 05:51 +, Steven Jones wrote:
> Quickly as I'm late.
>
> We are setting up cross realm from AD to a school who runs MIT Kerberos with openldap underneath... A windows client in our domain can then connect to a school resource where it's connected to the school's centralised setup... So it's possible, yes.
>
> Not with freeipa from what I've seen posted, yet... next version I am assuming so.

Freeipa does not give you UI or tools to do it, although creating a Kerberos trust is a very simple matter using kadmin.local to create the proper principals. Everything else would work like in the Kerberos+openldap setup in the school you mention.

So it is technically possible, we simply do not yet make it easy for you by providing wrappers.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] kerberos to keberos inter-realm trusts
On Wed, 2011-05-25 at 04:23 +, Steven Jones wrote:
> Can IPA do this?

Technically MIT Kerberos can do that, but we do not have any infrastructure to properly handle trusts yet at the identity level.
Cross-Realm trusts are the focus of version 3.0

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Migration from FreeIPA 1.2.1 to 2
On Wed, 2011-05-25 at 17:00 -0400, Dan Scott wrote:
> Hello,
>
> I have a FreeIPA 1.2.1 system (1 master and 1 replica server) running on Fedora 14. I'd like to migrate to FreeIPA 2, now that Fedora 15 has been released. But I have a few questions:
>
> 1. Can Fedora 15 clients authenticate against my FreeIPA 1 servers?

Yes but you should configure them as normal LDAP+Krb clients not FreeIPA clients.

> 2. Can Fedora 14 (and older, and Windows and Mac) clients authenticate against FreeIPA 2 servers?

Yes as normal LDAP+Krb clients.

> 3. Can I migrate the servers from FreeIPA 1 to 2 (presumably requiring an upgrade from Fedora 14 to 15 along the way).

You need to perform an actual data migration, I suggest you install a separate box with F15 + freeipa v2 and migrate accounts from the v1 instance. Direct upgrades from v1 to v2 by way of an rpm upgrade are not possible.

> Overall, my questions boil down to this: Can I migrate systems as and when possible/convenient, or do I have to do 'everything' in one go?

You don't have to do everything in one go, except for the server instances (unless you can live for a while in a split brain situation).

> I looked through the documentation, but the V2 docs currently seem quite developer-centric, does anyone have any links for me?

Take a look at this:
http://obriend.fedorapeople.org/freeIPA2.0/Identity_and_Policy_Management_Guide/html-single/

Still a work in progress but there is a lot already.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] DNS denied for clients
On Mon, 2011-05-23 at 23:09 +, Steven Jones wrote:
> Hi,
>
> Seems there is a change from 6.1 beta / earlier IPA to later... I now find that clients can't use dns as it's denied... as attached screenshot... is this setting in IPA itself? or named.conf?

Are your clients in the same subnet or in another ?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] DNS denied for clients
On Tue, 2011-05-24 at 20:10 +, Steven Jones wrote:
> Hi, I've been expanding the POC, they used to be all on one.
>
> Ah... they are now on different subnets... the DHCP subnet 53.xx, server subnet 81.xx and server management subnet 87.xx.

Ok then you need to consult the bind manual and apply the proper allows as Adam suggested in the other message.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] DNS denied for clients
On Tue, 2011-05-24 at 21:09 +, Steven Jones wrote:
> Hi, yes I've done this... problem is when it's integrated into IPA I didn't know if this was the right/approved way to do it.

IPA manages just the zones for now. Everything that goes in the main configuration section is handled through named.conf

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] help! IPA server she explode!
On Thu, 2011-05-19 at 01:41 +, Steven Jones wrote:
> I have an internal ajax error!
>
> :(
>
> the logs say,

Ping me later on IRC, I'd like you to run some commands, and it will be easier done interactively.

Simo.
Re: [Freeipa-users] RHEL client to IPA
On Wed, 2011-05-18 at 03:18 +, Steven Jones wrote:
> I'm getting,
>
> SASL bind failed!

As I said earlier this is happening because you changed the admin password with a random secret when you passed -p admin in the previous attempt.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] RHEL client to IPA
On Wed, 2011-05-18 at 20:30 +, Steven Jones wrote:
> Which is why I asked Rob how to reset it, which I did... so it's not that?.. at least it makes no obvious sense that it is?

Once you reset the password as Rob told you all is fine again.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] IPA server as a DNS server and design things
On Wed, 2011-05-18 at 23:07 +, Steven Jones wrote:
> Qs,
>
> 1) We have a single master only for freeipa 2.0? so from what I can read the replicas are passive? ie do they answer LDAP queries and also DNS queries if DNS is integrated? but simply don't have a gui? or are they totally inert? I'm thinking of this as we really want 2 active DNS servers minimum...

We do not enable the DNS on replicas by default, it is an admin choice on which replicas they want to enable the DNS service. When you install the replica you can pass the --setup-dns flag. If you forgot to do so or if you later change your mind and want to install the DNS piece you can simply run ipa-dns-install on the replica you want to have another DNS available.

> 2) We discussed it's better to have DNS as a stub domain off the main domain... so Linux servers will be unix.vuw.ac.nz... should I do the same for the reverse lookup?

That depends on your network topology. At the moment we do create a reverse zone for you by default, but you can use it, disable it, or just remove it if you have reverse lookups handled elsewhere.
In future though we plan to improve the DNS plugin so that it will automatically update also the reverse zone (if managed by IPA) on clients' dynamic DNS updates.

> Should I cleave off part of the class B? say 2 x 24s? problem then becomes what do I do with mixed environments where I have windows web front ends and linux db backends.. or user areas where I can't do that...

It is not necessary, although I would recommend that you properly set the ptr records at least for your servers in the DNS that is managing your reverse zones.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] IPA Startup issues
On Sat, 2011-05-14 at 16:46 +0200, Sigbjorn Lie wrote:
> I've noticed that if the machine running IPA is very busy at startup, the IPA services will not be online when the machine is started.
>
> I noticed this as my test virtualization host has had its power cord knocked out a few times. When I restart the host machine, all the virtual machines are started at the same time, causing (a lot) higher than normal latency for each virtual machine. This causes the IPA daemons to start, while during the startup one or several IPA daemons fail due to dependencies on other daemons which are not started yet, and all the IPA daemons are stopped as not all the IPA daemons started successfully.
>
> I've noticed that the default behavior of the ipactl command is to shut down all the IPA daemons, if any of the IPA daemons should fail during startup. This can be seen in the logs of the individual services, as some are started successfully, just to receive a shutdown signal shortly after. It seems to be the pki-ca which shut down my IPA services this morning.
>
> When rebooting the virtual machine running the IPA daemons during normal load of the host machine, all the IPA daemons start successfully. Logging on to the IPA server and manually starting the IPA daemons after the load of the host machine has decreased also works.
>
> I suggest changing the startup scripts to allow (a lot) longer startup times for the IPA daemons prior to failing them.

At the moment we just run service name start and wait until it is done. If the pki-cad service times out and returns an error I think we need to open a bug against the dogtag component as that is the cause.

Can you open a bug in the freeipa trac with logs showing that service is responsible for the failure ?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] RHEL client to IPA
On Fri, 2011-05-13 at 11:11 +0200, Jakub Hrozek wrote:
> On 05/13/2011 06:00 AM, Steven Jones wrote:
> > [root@vuwunicoipamt01 etc]# ipa-getkeytab -k /tmp/vuwnicologint2.keytab -p host/vuwunicologint2.unix.vuw.ac.nz -s vuwunicoipamt01.unix.vuw.ac.nz -p admin
>
> The second -p overrides the first.

And also probably changed the admin password to rubbish.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] extending FreeIPA
On Wed, 2011-05-04 at 17:41 -0700, Stephen Ingram wrote:
> I currently maintain a directory with MTA configuration data in it (among other items). I'm wondering what is the best way to add to the FreeIPA schema without stepping on current and future schema additions that might conflict with what I add. I know at one time you were expecting to add information for Postfix and other common server programs. Was this schema ever prepared and agreed upon, or is it best to use some special branch to put this all under?

Ok it seems we are confusing 2 things here, on one side schema extensions (new attributes and objectclasses) and on the other side DIT structure (subtrees within the tree where to put your information).

If you use standard schema or schema you made yourself after you got assigned a base OID there should be no issue at all. (If you do your own schema please be careful in trying to use a prefix for attribute and objectclass names so that you do not risk future name conflicts.)

For the DIT part it really depends on what you need to do. If you just need to add attributes to users then you have no other option but to attach them to the users and that's fine, it shouldn't cause any issue. If you need to add entirely new objects I can suggest to create a cn=custom container as a top level subtree (ie at the same level of cn=accounts and cn=etc, ...) and within it do what you need to do. This way it will not conflict with anything we may add in future.

> Also, although I read Adam Young's blog article about how to extend the WebUI, I'm having difficulty adding attributes within the existing structure. For example, on the user page, is there a prescribed way of adding say, the mailAlternateAddress attribute such that it shows as a field in the WebUI?

I will let Adam reply to this one.

HTH,
Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] ipa client install
On Wed, 23 Mar 2011 20:43:24 -0400
Rob Crittenden rcrit...@redhat.com wrote:
> Uzor Ide wrote:
> > I have manually enrolled and configured the client. I am able to log into the client and access nfs4 shares. What I am wondering is if there are anything that the client would miss by joining this way. The client authenticates to the ipa-server through sssd. I would like to know if HBAC and centrally managed SUDO and other policy enforcements will fail to work because of the manual enrolment. Note that host certificate was not generated because of the manual joining.
>
> I guess it means by how you manually joined but based on what you can do I think you covered the major details. If you have a host service principal in /etc/krb5.keytab and a correctly configured sssd then you are fine for HBAC and nss (users, groups, etc). SUDO works through nss_ldap so you should be fine there as well.

To avoid confusion (if possible :) sudo uses the nss_ldap config file, but not the nss_ldap code. So all you need to do is to read the sudo docs to find which file you need to touch.
Of course because sudo doesn't go through sssd (yet) it will not work properly in offline mode, unfortunately.

> ipa-client-install doesn't do anything too special, it just makes sure the environment is sane and then sets up sssd.conf, krb5.conf, fetches a host service principal and uses certmonger to get an SSL server cert. This last step is done as a convenience, it otherwise isn't used by IPA. But if you wanted to set up an HTTP server that uses the same PKI as IPA you'd have a certificate and key available.

cheers

-- 
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Delete AD replica failure
On Sun, 20 Mar 2011 18:28:12 +0100
Sigbjorn Lie sigbj...@nixtra.com wrote:
> Hi,
>
> I just did a fresh installation of FreeIPA 2 on a host called ipa1, created a replica on a second server called ipa2. I then created a winsync replica to an AD domain on the ipa1 host. I noticed that I forgot the --win-subtree option and decided to delete the replication agreement:
>
> # ipa-replica-manage -H ipa1.ix.nowhere.com del dc01.ad.nowhere.com
> Directory Manager password:
> Unable to delete replica dc01.ad.nowhere.com: {'desc': Can't contact LDAP server}

This is not the correct command to use.

> If I did a force I got a bit more output, where it complains about the ipa2 replica server not having a sync agreement with the dc01 server.
>
> # ipa-replica-manage -v -f -H ipa1.ix.nowhere.com del dc01.ad.nowhere.com
> Directory Manager password:
> Unable to connect to replica dc01.ad.nowhere.com, forcing removal
> Forcing removal on 'dc01.ad.nowhere.com'
> 'ipa2.ix.nowhere.com' has no replication agreement for 'dc01.ad.nowhere.com'
>
> Is this intended behavior or a bug?

Intended, to remove the AD replication link you need to 'disconnect' the AD server.
Use:
ipa-replica-manage disconnect dc01.ad.nowhere.com

> After re-creating the sync agreement with the win-subtree option, IPA synced with AD successfully.

Great,
Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Unable to authenticate a client user against IPA
- Original Message -
> Steven Jones wrote:
> > Ok,
> >
> > However I can't LDAP/Ipa authenticate still... on either client..
> >
> > So what next?
>
> sssd handles logins, you can try turning up the log level on that (though I suspect it wasn't the reboot that fixed this but restarting sssd).

If sssd was never used before then what was needed was a restart of the services using it (sshd, gdm), as nsswitch.conf is never re-read by glibc, you can't use the new users until those services are restarted after nsswitch.conf is modified.
I think we also offer to restart the client after ipa-client-install exactly as a way to restart all services that may depend on picking up this change. That reboot is not necessary if you manually restart all services after that, but if you don't then you better do a reboot as we suggest.

> As part of ipa-client-install sssd is restarted and tested via 'getent passwd admin'. This should be visible in /var/log/ipaclient-install.log. Did this command succeed?

Even if this succeeded, authentication via gdm or ssh can still fail until the services are restarted.
Just pointing out this fact as a help point for other users testing ipa-client-install in future.

Simo.

-- 
Simo Sorce * Red Hat, Inc. * New York
Re: [Freeipa-users] Unable to authenticate a client user against IPA
On Tue, 8 Mar 2011 19:05:45 -0500 (EST)
Stephen Gallagher sgall...@redhat.com wrote:
> On Mar 8, 2011, at 5:45 PM, Steven Jones steven.jo...@vuw.ac.nz wrote:
> > Keytab name: WRFILE:/etc/krb5.keytab
> > KVNO Principal
> > -- 8-
>
> Looks like you have no host key in the keytab. That's the root of the problem. Seems like IPA-client-install failed to populate it. Rob, do you have any insight here?

does /var/log/ipaclient-install.log show any error ?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Time bug
On Fri, 4 Mar 2011 15:16:36 +1300
Steven Jones steven.jo...@vuw.ac.nz wrote:
> Hi,
>
> Americans are funny ppl, they put the date format as month then day... the problem is in the real world, it's day then month
>
> So I have registered 1 client and 2 ipa masters as of 4th March 2011 NZST, but the IPA server's gui says I registered them a month in the future, ie 3rd April 2011 GMT+12 NZST... very neat... ;]
>
> So you need some sort of detection script/software to sort that I suspect... or fix the display format in the gui...?
>
> Possibly this might not be helping with my issues as all my machines think it's NZST while the IPA master server's software might be thinking they are telling it April? hence security certificates etc go boom?

No, it is just a display issue in the UI, internally all software uses unix timestamps and UTC.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] limit access to a specific CN
On Tue, 15 Feb 2011 14:09:07 -0500
Peter Doherty dohe...@hkl.hms.harvard.edu wrote:
> On Feb 15, 2011, at 14:02 , Rob Crittenden wrote:
> > Peter Doherty wrote:
> > > Hello,
> > > I'm running Fedora 14 and freeipa 1.2.2-6
> > > Can I create a new cn/nsContainer (cn=subgroup,dc=example,dc=com) and then create an account that can edit that cn as much as they want, but can't edit the other ones (ie: accounts, groups...)?
> > > Any pointers to documentation would be useful. Unfortunately I'm not 100% clear on my terminology, so google searches are leading me a bit astray.
> >
> > What would you put into this container?
> >
> > 389-ds certainly supports doing this, depending on what exactly you want to do IPA may or may not support it. For example, we look for a type of entry only within a given container, so you can't put users into another location.
> >
> > rob
>
> The first thing I'm looking to do with it is have a web server that has account information stored in LDAP, and to allow users to do ldap authentication. The users logging into the web server would be different from the posix groups that are managed by FreeIPA. I want to replace htaccess and htpasswd files and use LDAP instead. It seems like I could create a subsection in LDAP and set up apache to bind and auth against that. But I also want a separate ldap admin account that can only edit this section, and not the rest of the FreeIPA data.
>
> Thanks.

It is possible to do using LDAP tools and then setting an ACI on the container to give the user you want full control on that container.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Freeipa Windows 7 client authentication
On Wed, 9 Feb 2011 16:13:39 +
Brett Maton mat...@ltresources.co.uk wrote:
> I can't get a Windows 7 client to authenticate against Freeipa (ver 2.0.0.pre2) running on Fedora 14.

Brett,
can you tell me what krb5-server package do you have installed ?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Freeipa Windows 7 client authentication
On Wed, 9 Feb 2011 16:13:39 +
Brett Maton mat...@ltresources.co.uk wrote:
> Hi,
>
> I can't get a Windows 7 client to authenticate against Freeipa (ver 2.0.0.pre2) running on Fedora 14.
>
> Feb 09 16:03:22 krb5kdc[32355](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.0.2: NEEDED_PREAUTH: mat...@example.com for krbtgt/example@example.com, Additional pre-authentication required
> Feb 09 16:03:22 krb5kdc[32355](info): preauth (timestamp) verify failure: Decrypt integrity check failed
> Feb 09 16:03:22 krb5kdc[32355](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.0.2: PREAUTH_FAILED: mat...@example.com for krbtgt/example@example.com, Decrypt integrity check failed
> Feb 09 16:03:23 krb5kdc[32355](info): preauth (timestamp) verify failure: Decrypt integrity check failed
> Feb 09 16:03:23 krb5kdc[32355](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.0.2: PREAUTH_FAILED: mat...@example.com for krbtgt/example@example.com, Decrypt integrity check failed
>
> Any help with where to start looking or what might be wrong would be greatly appreciated.

Either the password is wrong or the time on your client is not within 5 min. of the time on the KDC.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
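The krb5kdc lines quoted above are what an administrator ends up reading when a Windows client cannot log on: the etype list in each AS_REQ says whether the client offers AES at all, the `rep=/tkt=/ses=` triple on an ISSUE line says what the KDC actually picked, and a run of PREAUTH_FAILED entries for one principal from one address is either the wrong password or clock skew Simo describes, or something worth a second look. The script below is an added example, not code from this thread or from the FreeIPA project. It parses log lines in the krb5kdc format shown in the messages on this page (with or without the syslog hostname in front of `krb5kdc[pid]`) and summarises etype negotiation and pre-authentication failures per client. The sample log, principals, addresses and timestamps are constructed; the etype numbers are the IANA Kerberos registry values, and the negative numbers Windows advertises are Microsoft-private types left unnamed.

```python
"""Summarise krb5kdc AS_REQ/TGS_REQ log lines: etypes offered per client,
clients that never offer AES, and repeated pre-authentication failures.
Added example; the sample log at the bottom is constructed."""
import re
from collections import Counter, defaultdict

# Kerberos etype numbers from the IANA registry (RFC 3961, 3962, 4757).
ETYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
    24: "arcfour-hmac-exp",
}
AES_ETYPES = {17, 18}

# Request summary lines, with or without the syslog hostname before krb5kdc[pid].
# The "authtime ..., etypes {rep= tkt= ses=}" part appears only on ISSUE lines.
_REQ_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?:\S+ )?krb5kdc\[\d+\]\(info\): "
    r"(?P<kind>AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<etypes>[-\d ]+)\}\) "
    r"(?P<client>[\d.]+): (?P<status>[A-Z_]+): "
    r"(?:authtime \d+, etypes \{rep=(?P<rep>\d+) tkt=(?P<tkt>\d+) ses=(?P<ses>\d+)\}, )?"
    r"(?P<princ>\S+@\S+) for (?P<server>[^,\s]+)(?:, (?P<msg>.*))?$"
)


def parse_line(line):
    """Dict for an AS_REQ/TGS_REQ summary line, or None for any other line
    (e.g. 'preauth (timestamp) verify failure', which names no client)."""
    m = _REQ_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["etypes"] = [int(e) for e in rec["etypes"].split()]
    for key in ("rep", "tkt", "ses"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec


def describe_etypes(etypes):
    """Registry names for a list of etype numbers; unknown ones are labelled."""
    return [ETYPE_NAMES.get(e, f"unknown({e})") for e in etypes]


def offered_etypes_by_client(records):
    """Map client address -> sorted list of every etype it ever offered."""
    offered = defaultdict(set)
    for r in records:
        offered[r["client"]].update(r["etypes"])
    return {ip: sorted(ets) for ip, ets in offered.items()}


def clients_without_aes(records):
    """Clients that never offered an AES etype. The KDC can only encrypt the
    reply with a key type the client offered, so such a principal needs RC4
    or DES keys on the server side or the logon cannot complete."""
    return sorted(ip for ip, ets in offered_etypes_by_client(records).items()
                  if not AES_ETYPES.intersection(ets))


def preauth_failures(records, threshold=3):
    """(client, principal) pairs with at least `threshold` PREAUTH_FAILED
    AS_REQs: wrong password, a clock more than 5 minutes off the KDC, or
    something a defender should look at."""
    counts = Counter((r["client"], r["princ"]) for r in records
                     if r["kind"] == "AS_REQ" and r["status"] == "PREAUTH_FAILED")
    return {pair: n for pair, n in counts.items() if n >= threshold}


def analyse(log_text, failure_threshold=3):
    """Run every check over raw log text and return one summary dict."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r is not None]
    return {
        "records": len(records),
        "offered": offered_etypes_by_client(records),
        "no_aes_clients": clients_without_aes(records),
        "repeated_preauth_failures": preauth_failures(records, failure_threshold),
    }


# Constructed sample: a Windows 7-style client failing pre-auth three times, an
# XP-style client that never offers AES, a Linux client, and one non-request line.
SAMPLE_LOG = """\
Feb 09 16:03:22 krb5kdc[32355](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.0.2: NEEDED_PREAUTH: alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Feb 09 16:03:22 krb5kdc[32355](info): preauth (timestamp) verify failure: Decrypt integrity check failed
Feb 09 16:03:22 krb5kdc[32355](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.0.2: PREAUTH_FAILED: alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Decrypt integrity check failed
Feb 09 16:03:23 krb5kdc[32355](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.0.2: PREAUTH_FAILED: alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Decrypt integrity check failed
Feb 09 16:03:24 krb5kdc[32355](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.0.2: PREAUTH_FAILED: alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Decrypt integrity check failed
Feb 09 16:05:01 idm.example.com krb5kdc[32355](info): AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 192.168.201.150: NEEDED_PREAUTH: bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Feb 09 16:05:01 idm.example.com krb5kdc[32355](info): AS_REQ (1 etypes {23}) 192.168.201.150: ISSUE: authtime 1297267501, etypes {rep=23 tkt=18 ses=23}, bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Feb 09 16:05:02 idm.example.com krb5kdc[32355](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 192.168.201.150: ISSUE: authtime 1297267501, etypes {rep=23 tkt=18 ses=23}, bob@EXAMPLE.COM for host/crm1.example.com@EXAMPLE.COM
Feb 09 16:06:10 idm.example.com krb5kdc[32355](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.5: ISSUE: authtime 1297267570, etypes {rep=18 tkt=18 ses=18}, carol@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
"""

if __name__ == "__main__":
    summary = analyse(SAMPLE_LOG)
    for ip, ets in sorted(summary["offered"].items()):
        print(f"{ip}: offers {', '.join(describe_etypes(ets))}")
    print("clients never offering AES:", summary["no_aes_clients"])
    for (ip, princ), n in summary["repeated_preauth_failures"].items():
        print(f"{n} PREAUTH_FAILED for {princ} from {ip}")
```

Run against a real `/var/log/krb5kdc.log` by passing its contents to `analyse()`; the `preauth (timestamp) verify failure` lines are skipped on purpose because they carry no client address, so the per-client counting relies on the PREAUTH_FAILED summary line that follows each of them.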
Re: [Freeipa-users] FreeIPA future releases.
On Fri, 4 Feb 2011 15:00:46 -0600
Hemminger, Corey Lee. [heco0...@stcloudstate.edu] heco0...@stcloudstate.edu wrote:
> I have 2 questions. First is a possible idea of when FreeIPA v2 will go gold and have the final stable release? This will help me with my lab and small data center planning. Also second is more of a suggestion, and that you guys should look at incorporating DHCP into IPA like you did DNS. Also for it to be able to dynamically update the DNS with machines that connect to the network. I work inside but separate from a college campus network and we have laptops coming and going from our network and being a research lab we are always tearing machines down and rebuilding them and renaming them.

You should be able to configure named to accept DNS updates from your dhcp server adding configuration to allow a specific IP (that of the dhcp) to update any entry.

However we will evaluate whether integrating DHCP is something we can do for a future release, or maybe something people are willing to contribute.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] IPA server certificate update and Directory Manager password
On Tue, 1 Feb 2011 12:38:50 -0500 Peter Doherty dohe...@hkl.hms.harvard.edu wrote:

> If I want to start from scratch with the new Beta release, how would I dump the entire LDAP/KRB database so that I could import it into a new server? The Docs mention doing regular backups, but they don't even tell how to backup the data, whether to backup files (which ones?!) or to dump the data into a file, and backup that.

database dumps + filesystem backups

> Can I convert from the 1.9 alpha to a 2.0beta freeipa instance?

Not easy, and it depends on what you mean by convert. A simple rpm update will give you issues because we still made minor changes to the DIT and schema between the 1.9 alpha and the beta.

If you have many keys in your kerberos database I can describe a procedure that *should* work to dump the keys and reload them in a new server where you manually/script migrate the users/host/services data by using the ipa user-add/host-add/service-add commands.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Unable to start the krb5kdc
On Thu, 27 Jan 2011 19:20:02 -0500 James Roman james.ro...@ssaihq.com wrote:

> On 1/27/11 12:58 PM, Simo Sorce wrote:
>> On Wed, 2011-01-26 at 13:59 -0500, James Roman wrote:
>>> So it looks like the replication password issue was a red herring as far as the kerberos is concerned. I issued the command ipa-replica-manage synch ipaserver1.domain.com from the working ldap replica and no longer get password expiration errors in the error logs. However, I still can not get the krb5kdc process on ipaserver1 to start when it uses the local (ldap://127.0.0.1/) LDAP database. If I perform an LDAP search of the kdc account using the Directory Manager account, both kdc entries are identical, so it does not seem to be the password for the KDC account that is preventing the krb5kdc service from starting. Could it be the service or host principals? Should I init from ipaserver2 - ipaserver1 (Note: ipaserver1 is the winsync server)?
>>>
>>> ipaserver1: FC 11 ipa-server-1.2.2-2.fc11.i586
>>> ipaserver2: FC10 ipa-server-1.2.2-1.fc10.i386
>>
>> I am surprised you get back INVALID CREDENTIALS as an error when the KDC tries to log in using the data in ldappwd, given it works against the other server ... If you search with directory manager the accounts on both servers, do you get back an identical userPassword field ?
>>
>> Simo.
>
> Yes, when I check the passwords are also identical.

Odd. Have you ever played with DS password policies by chance ? Can you search explicitly for the passwordExpirationTime on both uid=kdc accounts and see if it is set by chance ? You need to search explicitly for the attribute as it is not returned by default.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Unable to start the krb5kdc
On Fri, 28 Jan 2011 09:20:37 -0500 James Roman james.ro...@ssaihq.com wrote:

> OK. Now I feel like an idiot. I swear that was the first thing I checked. It seems the password policy on this server was set at the base, instead of cn=users. We have a script that reports on expiring accounts in the cn=accounts branch, but not under cn=etc. I now know what to fix. Thanks.

First of all, I am glad this was resolved, it looked puzzling indeed.

I just want to note that we do not support using the DS password policy in ipa as we already have the kerberos pw policy, that's why the uid=kdc was not protected against it. In v2 we perfected the pw policies check so that the kerberos policies cover also binds done against DS directly. I also am adding a patch so that uid=kdc is protected in case DS policy is enabled nonetheless for whatever reason.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Unable to start the krb5kdc
On Fri, 28 Jan 2011 17:39:14 -0500 James Roman james.ro...@ssaihq.com wrote:

> On 01/28/2011 10:39 AM, Simo Sorce wrote:
>> First of all, I am glad this was resolved, it looked puzzling indeed.
>>
>> I just want to note that we do not support using the DS password policy in ipa as we already have the kerberos pw policy, that's why the uid=kdc was not protected against it. In v2 we perfected the pw policies check so that the kerberos policies cover also binds done against DS directly.
>
> Just to clarify, in v2 Kerberos password policies also cover ldap binds?

Yes, we have a bind pre/post op plugin that enforces the same account/password policies for ldap binds too.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] admin password
On Thu, 2011-01-27 at 09:09 -0500, Uzor Ide wrote:

> Hi all
>
> How do I make admin password not to expire immediately after changing it?

It is always set to expire even if you use kpasswd to change it ?

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Unable to start the krb5kdc
On Tue, 25 Jan 2011 12:04:25 -0500 James Roman james.ro...@ssaihq.com wrote:

> I noticed today that one of our FreeIPA 1.2.2 servers has stopped issuing tickets. When I attempt to restart all the IPA services the krb5kdc service failed to restart with the following error:
>
> krb5kdc: Unable to access Kerberos database - while initializing database for realm DOMAIN.COM
>
> I don't see any issues with the local LDAP database, or the kdc account in the LDAP database. I suspect the problem is with the ticket granting ticket on the problem server, but am unsure how to go about validating this assertion. I have not tried to restart the ipa services on the working server for fear that it might stop working.

Do you see errors in /var/log/krb5kdc.log ?

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Unable to start the krb5kdc
On Tue, 25 Jan 2011 15:58:35 -0500 James Roman james.ro...@ssaihq.com wrote:

> On 1/25/11 2:44 PM, Simo Sorce wrote:
>> On Tue, 25 Jan 2011 14:33:14 -0500 James Roman james.ro...@ssaihq.com wrote:
>>> On 01/25/2011 12:42 PM, Simo Sorce wrote:
>>>> On Tue, 25 Jan 2011 12:04:25 -0500 James Roman james.ro...@ssaihq.com wrote:
>>>>> I noticed today that one of our FreeIPA 1.2.2 servers has stopped issuing tickets. When I attempt to restart all the IPA services the krb5kdc service failed to restart with the following error:
>>>>>
>>>>> krb5kdc: Unable to access Kerberos database - while initializing database for realm DOMAIN.COM
>>>>>
>>>>> I don't see any issues with the local LDAP database, or the kdc account in the LDAP database. I suspect the problem is with the ticket granting ticket on the problem server, but am unsure how to go about validating this assertion. I have not tried to restart the ipa services on the working server for fear that it might stop working.
>>>>
>>>> Do you see errors in /var/log/krb5kdc.log ?
>>>>
>>>> Simo.
>>>
>>> The error above is the only one that repeats in the krb5kdc.log when I attempt to restart the krb5kdc service. The actual error that is shown in standard out is:
>>>
>>> Starting Kerberos 5 KDC: krb5kdc: cannot initialize realm DOMAIN.COM - see log file for details
>>
>> Ok can you check the dirsrv logs and see if the KDC is actually trying (and perhaps getting auth refused) at all ? /var/log/dirsrv/slapd-DOMAIN-COM/access should show your KDC attempts to access the LDAP server and bind as the uid=kdc user.
>>
>> Simo.
>
> Looks like an authentication failure:
>
> [25/Jan/2011:15:11:29 -0500] conn=391 op=0 BIND dn=uid=kdc,cn=sysaccounts,cn=etc,dc=domain,dc=com method=128 version=3
> [25/Jan/2011:15:11:29 -0500] conn=391 op=0 RESULT err=49 tag=97 nentries=0 etime=0
> [25/Jan/2011:15:11:29 -0500] conn=391 op=-1 fd=73 closed - B1
>
> The ldappwd file on both systems look identical. I don't think that the SSL certificate comes into the equation, but I have no way of knowing whether it initiates TLS or not.

No in ipa 1.2.x the kdc is configured to use ldap://127.0.0.1 with no auth.

I wonder if your local DS is having problems. Can you change krb5.conf to point to the other server (maybe using ldaps:// so as to not expose the password in the clear) and see if the krb5kdc will start that way ? Don't use this in production, just as a test to identify where the problem lies.

If it turns out it is the local DS that is having issues, then we can try to force sync it again.

Ah btw, on what distribution version is this? What 389-ds base version are you using ?

Simo.

--
Simo Sorce * Red Hat, Inc * New York
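The check Simo asks for above (does the KDC's bind as uid=kdc get refused?) is easy to script over the 389-ds access log, and the same pairing of BIND with RESULT is what you want for alerting on failed service-account binds in general. This is an added example, not code from the thread or from FreeIPA; the access log lines are constructed after the ones James quoted, with a made-up user and an anonymous bind added so that the filter has something to ignore.

```python
"""Pair BIND and RESULT lines in a 389-ds access log and report failures."""
import re

# Constructed sample modelled on the access log lines quoted in the thread.
# Real 389-ds logs quote the dn (dn="..."); the regex accepts both forms.
SAMPLE_ACCESS_LOG = """\
[25/Jan/2011:15:11:29 -0500] conn=391 op=0 BIND dn="uid=kdc,cn=sysaccounts,cn=etc,dc=domain,dc=com" method=128 version=3
[25/Jan/2011:15:11:29 -0500] conn=391 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[25/Jan/2011:15:11:29 -0500] conn=391 op=-1 fd=73 closed - B1
[25/Jan/2011:15:11:30 -0500] conn=392 op=0 BIND dn="uid=jdoe,cn=users,cn=accounts,dc=domain,dc=com" method=128 version=3
[25/Jan/2011:15:11:30 -0500] conn=392 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=jdoe,cn=users,cn=accounts,dc=domain,dc=com"
[25/Jan/2011:15:11:31 -0500] conn=393 op=0 BIND dn="uid=jdoe,cn=users,cn=accounts,dc=domain,dc=com" method=128 version=3
[25/Jan/2011:15:11:31 -0500] conn=393 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[25/Jan/2011:15:11:32 -0500] conn=394 op=0 BIND dn="" method=128 version=3
[25/Jan/2011:15:11:32 -0500] conn=394 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) (?P<rest>.*)$")
# method=128 is a simple bind; the dn may be quoted or bare.
BIND_RE = re.compile(r'^BIND dn="?(?P<dn>[^"\s]*)"? method=(?P<method>\d+)')
RESULT_RE = re.compile(r"^RESULT err=(?P<err>\d+)")

# Standard LDAP result codes relevant here (49 is what the KDC hit).
LDAP_RESULT_NAMES = {0: "success", 49: "invalidCredentials",
                     53: "unwillingToPerform"}


def failed_binds(text):
    """Match each BIND with the RESULT carrying the same conn/op and return
    the binds whose result code is non-zero, in log order."""
    pending = {}   # (conn, op) -> bind record waiting for its RESULT
    failures = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key = (m.group("conn"), m.group("op"))
        rest = m.group("rest")
        b = BIND_RE.match(rest)
        if b:
            pending[key] = {"ts": m.group("ts"), "conn": key[0],
                            "dn": b.group("dn"),
                            "method": int(b.group("method"))}
            continue
        r = RESULT_RE.match(rest)
        if r and key in pending:
            bind = pending.pop(key)
            err = int(r.group("err"))
            if err != 0:
                bind["err"] = err
                bind["err_name"] = LDAP_RESULT_NAMES.get(err, "unknown")
                failures.append(bind)
    return failures


def system_account_failures(failures, container="cn=sysaccounts,cn=etc"):
    """Failed binds by IPA system accounts (the KDC's uid=kdc lives under
    cn=sysaccounts,cn=etc). Those are services, not users mistyping a
    password, so every one of them deserves a look."""
    return [f for f in failures if container.lower() in f["dn"].lower()]


if __name__ == "__main__":
    for f in system_account_failures(failed_binds(SAMPLE_ACCESS_LOG)):
        print(f"{f['ts']} conn={f['conn']} {f['dn']}: "
              f"err={f['err']} ({f['err_name']})")
```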
Re: [Freeipa-users] Freeipa-users Digest, Vol 30, Issue 8
On Thu, 20 Jan 2011 11:03:12 +0530 Aravind GV aravind...@gmail.com wrote: Hi Simo, Great repossess from you but still issue is not solved completely. After applying your patch iam getting below mention error [root@dirsrv ~]# ipa-replica-manage connect --winsync --binddn CN=agv,OU=Users,DC=bgkerb,DC=test02,DC=com --cacert /root/bgkerb.cer 10.0.65.28 --passsync asd312ASD --bindpw asd312ASD -v Added CA certificate /root/bgkerb.cer to certificate database for dirsrv.agv.com *unexpected error: basic_replication_setup() takes exactly 5 arguments (3 given)* I am sorry Aravind, but at the moment I do not have a test environment that lets me test winsync replication. Hopefully this new patch should fix the remaining regressions. Simo. -- Simo Sorce * Red Hat, Inc * New York From 5c9952b5e166dde222bc8c5433ca97480432a980 Mon Sep 17 00:00:00 2001 From: Simo Sorce sso...@redhat.com Date: Wed, 19 Jan 2011 09:53:59 -0500 Subject: [PATCH] Fix ipa-replica-manage regressions with winsync Avoids ipa-replica-manage to throw up errors. Fixes: https://fedorahosted.org/freeipa/ticket/807 --- install/tools/ipa-replica-manage |7 ++- ipaserver/install/dsinstance.py |1 + ipaserver/install/replication.py |8 +--- 3 files changed, 12 insertions(+), 4 deletions(-) diff --git a/install/tools/ipa-replica-manage b/install/tools/ipa-replica-manage index 80974545761399cec46032c8ae2b6689aa4ff7fd..20eb93c26748c71e097a38f40cb58c0215a643e1 100755 --- a/install/tools/ipa-replica-manage +++ b/install/tools/ipa-replica-manage @@ -26,7 +26,7 @@ from ipapython import ipautil from ipaserver.install import replication, dsinstance, installutils from ipaserver import ipaldap from ipapython import version -from ipalib import errors, util +from ipalib import api, errors, util CACERT = /etc/ipa/ca.crt 
@@ -355,6 +355,11 @@ def force_sync(realm, thishost, fromhost, dirman_passwd): def main(): options, args = parse_options() +# Just initialize the environment. This is so the installer can have +# access to the plugin environment +api.bootstrap(in_server=True) +api.finalize() + dirman_passwd = None realm = krbV.default_context().default_realm diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py index 378e0123405ed1222129d899573974fba9089a55..5da9d17d4417031920495254ff566ee235234bfb 100644 --- a/ipaserver/install/dsinstance.py +++ b/ipaserver/install/dsinstance.py @@ -180,6 +180,7 @@ class DsInstance(service.Service): self.dercert = None self.idstart = None self.idmax = None +self.subject_base = None if realm_name: self.suffix = util.realm_to_suffix(self.realm_name) self.__setup_sub_dict() diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py index 21e6bcc4970f5d534df882f98327ace9119db983..756bb5595226d49e31edf5ce5afd12d26ac26758 100644 --- a/ipaserver/install/replication.py +++ b/ipaserver/install/replication.py @@ -625,7 +625,8 @@ class ReplicationManager: # there is no other side to get a replica ID from # So we generate one locally replica_id = self._get_replica_id(self.conn, self.conn) -self.basic_replication_setup(self.conn, replica_id) +self.basic_replication_setup(self.conn, replica_id, + self.repl_man_dn, self.repl_man_passwd) #now add a passync user allowed to access the AD server self.add_passsync_user(self.conn, passsync_pw) 
@@ -638,8 +639,9 @@ class ReplicationManager: logging.info(Agreement is ready, starting replication . . .) #Finally start replication -return self.start_replication(self.conn, ad_conn, - self.repl_man_dn, self.repl_man_passwd) +ret = self.start_replication(ad_conn) +if ret != 0: +raise RuntimeError(Failed to start replication) def convert_to_gssapi_replication(self, r_hostname, r_binddn, r_bindpw): r_conn = ipaldap.IPAdmin(r_hostname, port=PORT, cacert=CACERT) -- 1.7.3.4 ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
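Review bot: in the replication.py hunk at @@ -638, the winsync setup path no longer returns the value of start_replication; it now raises RuntimeError when the return is non-zero and otherwise returns None, so any caller that inspected the old return value needs adjusting. The call also changes from start_replication(self.conn, ad_conn, self.repl_man_dn, self.repl_man_passwd) to start_replication(ad_conn); given that the previous round of this patch produced "basic_replication_setup() takes exactly 5 arguments (3 given)", it is worth confirming the new one-argument call matches the current start_replication signature before merging.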
Re: [Freeipa-users] Freeipa-users Digest, Vol 30, Issue 8
On Wed, 19 Jan 2011 12:52:54 +0530 Aravind GV aravind...@gmail.com wrote:

> Hi All
>
> Please help me in adding a synchronization agreement. I followed ( http://freeipa.org/docs/2.0.0/Installation_Deployment_Guide/en-US/html/) but the example given in 4.4. Creating Synchronization Agreements is not correct. There is no more option add in ipa-replica-manage command. After googling they suggested me to use connect instead of add. This command worked but it stopped directory server and throws following errors. Jakub Hrozek suggested me to get logs from /var/log/ipareplica-install.log. But this file is not at all created, only ipaclient-install.log ipaserver-install.log are the two files in that there is no reference to ipa-replica-manage command. I have installed ipa v2 from http://jdennis.fedorapeople.org repo.
>
> [root@dirsrv ~]# ipa-replica-manage connect --winsync --binddn CN=agv,OU=Users,DC=bgkerb,DC=test02,DC=com --bindpw asd312ASD --cacert /root/bgkerb.cer 10.0.65.28 -v --passsync asd312ASD
> INFO:root:args=/sbin/service dirsrv stop
> INFO:root:stdout=Shutting down dirsrv:
> AGV-COM...[ OK ]
> PKI-IPA...[ OK ]
> INFO:root:stderr=
> unexpected error: DsInstance instance has no attribute 'subject_base'

I have opened ticket 807[1] to track this.

Would you be available to test a patch ?

Simo.

[1] https://fedorahosted.org/freeipa/ticket/807

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Freeipa-users Digest, Vol 30, Issue 8
On Wed, 19 Jan 2011 09:28:45 -0500 Simo Sorce sso...@redhat.com wrote:

> On Wed, 19 Jan 2011 12:52:54 +0530 Aravind GV aravind...@gmail.com wrote:
>
>> Hi All
>>
>> Please help me in adding a synchronization agreement. I followed ( http://freeipa.org/docs/2.0.0/Installation_Deployment_Guide/en-US/html/) but the example given in 4.4. Creating Synchronization Agreements is not correct. There is no more option add in ipa-replica-manage command. After googling they suggested me to use connect instead of add. This command worked but it stopped directory server and throws following errors. Jakub Hrozek suggested me to get logs from /var/log/ipareplica-install.log. But this file is not at all created, only ipaclient-install.log ipaserver-install.log are the two files in that there is no reference to ipa-replica-manage command. I have installed ipa v2 from http://jdennis.fedorapeople.org repo.
>>
>> [root@dirsrv ~]# ipa-replica-manage connect --winsync --binddn CN=agv,OU=Users,DC=bgkerb,DC=test02,DC=com --bindpw asd312ASD --cacert /root/bgkerb.cer 10.0.65.28 -v --passsync asd312ASD
>> INFO:root:args=/sbin/service dirsrv stop
>> INFO:root:stdout=Shutting down dirsrv:
>> AGV-COM...[ OK ]
>> PKI-IPA...[ OK ]
>> INFO:root:stderr=
>> unexpected error: DsInstance instance has no attribute 'subject_base'
>
> I have opened ticket 807[1] to track this.
>
> Would you be available to test a patch ?
>
> Simo.
>
> [1] https://fedorahosted.org/freeipa/ticket/807

Can you test this patch and see if it solves your issue completely ?

You should be able to manually fix it without having to redo the whole install by simply editing the dsinstance.py file and adding the line you see in the patch.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From a6128d4f7fc21d284ce2d8e154e4f8cdc7d9964d Mon Sep 17 00:00:00 2001
From: Simo Sorce sso...@redhat.com Date: Wed, 19 Jan 2011 09:53:59 -0500 Subject: [PATCH] Initialize subject_base by default. Avoids ipa-replica-manage to throw up errors. Fixes: https://fedorahosted.org/freeipa/ticket/807 --- ipaserver/install/dsinstance.py |1 + 1 files changed, 1 insertions(+), 0 deletions(-) diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py index 859d5c8ff737dad3ba96b162e90c7d1bae4e0d11..4fd7a00279c73c5b41e2d7ad5999c1af91eefbf8 100644 --- a/ipaserver/install/dsinstance.py +++ b/ipaserver/install/dsinstance.py @@ -180,6 +180,7 @@ class DsInstance(service.Service): self.dercert = None self.idstart = None self.idmax = None +self.subject_base = None if realm_name: self.suffix = util.realm_to_suffix(self.realm_name) self.__setup_sub_dict() -- 1.7.3.4 ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
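Review bot: in the dsinstance.py hunk at @@ -180, defaulting self.subject_base to None removes the AttributeError reported in the thread, but anything that later formats subject_base into a DN or template string will now see None instead of a value; it would help to document in the constructor which code path (the winsync connect in ipa-replica-manage) is expected to run without subject_base ever being set, or to have that path set it explicitly.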
Re: [Freeipa-users] Freeipa-users Digest, Vol 30, Issue 8
On Wed, 19 Jan 2011 22:22:45 +0530 Aravind GV aravind...@gmail.com wrote: Hi Simo, Thanks for responding to my email. I updated /usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py with the patch ie added extra line self.subject_base = None Now I am getting different error [root@dirsrv ~]# ipa-replica-manage connect --winsync --binddn CN=agv,OU=Users,DC=bgkerb,DC=test02,DC=com --cacert /root/bgkerb.cer bgkerb.test02.com --passsync asd312ASD --bindpw asd312ASD -v Directory Manager password: INFO:root:args=/sbin/service dirsrv stop INFO:root:stdout=Shutting down dirsrv: AGV-COM...[ OK ] PKI-IPA...[ OK ] *INFO:root:stderr=* *unexpected error: 'Env' object has no attribute 'ra_plugin'* Regards, AGV On Wed, Jan 19, 2011 at 8:29 PM, Simo Sorce sso...@redhat.com wrote: On Wed, 19 Jan 2011 09:28:45 -0500 Simo Sorce sso...@redhat.com wrote: On Wed, 19 Jan 2011 12:52:54 +0530 Aravind GV aravind...@gmail.com wrote: Hi All Please help me in adding a synchronization agreement. I followed ( http://freeipa.org/docs/2.0.0/Installation_Deployment_Guide/en-US/html/) but the example given in 4.4. Creating Synchronization Agreements is not correct. There is no more option add in ipa-replica-manage command. After googling they suggested me to use connect instead of add. This command worked but it stopped directory server and throws following errors. Jakub Hrozek suggested me to get logs from /var/log/ipareplica-install.log. But this file is not at all created, only ipaclient-install.log ipaserver-install.log are the two files in that there is no reference to ipa-replica-manage command. I have installed ipa v2 from http://jdennis.fedorapeople.org repo. 
[root@dirsrv ~]# ipa-replica-manage connect --winsync --binddn CN=agv,OU=Users,DC=bgkerb,DC=test02,DC=com --bindpw asd312ASD --cacert /root/bgkerb.cer 10.0.65.28 -v --passsync asd312ASD INFO:root:args=/sbin/service dirsrv stop INFO:root:stdout=Shutting down dirsrv: AGV-COM...[ OK ] PKI-IPA...[ OK ] INFO:root:stderr= unexpected error: DsInstance instance has no attribute 'subject_base' I have opened ticket 807[1] to track this. Would you be available to test a patch ? Simo. [1] https://fedorahosted.org/freeipa/ticket/807 Can you test this patch and see if it solves your issue completely ? You should be able to manually fix it without having to redo the whole install by simplky editing the dsinstance.py file and adding the line you see in the patch. Simo. -- Simo Sorce * Red Hat, Inc * New York Attached a corrected patch that should fix this second problem too. Simo. -- Simo Sorce * Red Hat, Inc * New York From e61bc661f49470b6be509b6187313f70edfa09f9 Mon Sep 17 00:00:00 2001 From: Simo Sorce sso...@redhat.com Date: Wed, 19 Jan 2011 09:53:59 -0500 Subject: [PATCH] Fix ipa-replica-manage regressions with winsync Avoids ipa-replica-manage to throw up errors. Fixes: https://fedorahosted.org/freeipa/ticket/807 --- install/tools/ipa-replica-manage |7 ++- ipaserver/install/dsinstance.py |1 + 2 files changed, 7 insertions(+), 1 deletions(-) diff --git a/install/tools/ipa-replica-manage b/install/tools/ipa-replica-manage index 80974545761399cec46032c8ae2b6689aa4ff7fd..20eb93c26748c71e097a38f40cb58c0215a643e1 100755 --- a/install/tools/ipa-replica-manage +++ b/install/tools/ipa-replica-manage @@ -26,7 +26,7 @@ from ipapython import ipautil from ipaserver.install import replication, dsinstance, installutils from ipaserver import ipaldap from ipapython import version -from ipalib import errors, util +from ipalib import api, errors, util CACERT = /etc/ipa/ca.crt 
@@ -355,6 +355,11 @@ def force_sync(realm, thishost, fromhost, dirman_passwd): def main(): options, args = parse_options() +# Just initialize the environment. This is so the installer can have +# access to the plugin environment +api.bootstrap(in_server=True) +api.finalize() + dirman_passwd = None realm = krbV.default_context().default_realm diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py index 859d5c8ff737dad3ba96b162e90c7d1bae4e0d11..4fd7a00279c73c5b41e2d7ad5999c1af91eefbf8 100644 --- a/ipaserver/install/dsinstance.py +++ b/ipaserver/install/dsinstance.py @@ -180,6 +180,7 @@ class DsInstance(service.Service): self.dercert = None self.idstart = None self.idmax = None +self.subject_base = None if realm_name: self.suffix = util.realm_to_suffix(self.realm_name) self.__setup_sub_dict() -- 1.7.3.4 ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
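Review bot: in the ipa-replica-manage hunk at @@ -355, the comment above api.bootstrap(in_server=True) and api.finalize() should say which part of the environment the tool actually needs, since the second failure in this thread was "'Env' object has no attribute 'ra_plugin'" and a reader of main() cannot otherwise tell why a replica management tool bootstraps and finalizes the full server API; naming ra_plugin there would tie the two calls to the bug they fix.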
Re: [Freeipa-users] Unable to change Admin password
On Wed, 12 Jan 2011 13:58:31 -0500 Uzor Ide ide4...@gmail.com wrote:

> Hello List
>
> We are having problem with changing/resetting password. Even the admin password cannot be changed. During login users with expired passwords are warned that their password has expired and forced to change their password. But when they type the new password, the operation fails with error
>
> Authentication token manipulation error
>
> When I tried to change the admin krb5 password from the ipa-server I got the following error
>
> Cannot contact any KDC for requested realm while getting initial credentials
>
> That's surprising because the KDC hostname resolves properly. This is what's in the krb5kdc.log each time
>
> Jan 12 13:30:27 ipaserver.mycompany.com krb5kdc[1382](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.12: ISSUE: authtime 1294857027, etypes {rep=18 tkt=18 ses=18}, ad...@mycompany.com for kadmin/chang...@mycompany.com
> Jan 12 13:30:39 ipaserver.mycompany.com krb5kdc[1382](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.12: NEEDED_PREAUTH: kadmin/chang...@mycompany.com for krbtgt/mycompany@uzdomain.ca, Additional pre-authentication required
> Jan 12 13:30:40 ipaserver.mycompany.com krb5kdc[1382](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.12: ISSUE: authtime 1294857040, etypes {rep=18 tkt=18 ses=18}, kadmin/chang...@mycompany.com for krbtgt/mycompany@uzdomain.ca
>
> The server is freeipa-2.0 -beta and O/S is fedora 13
>
> Any help will be greatly appreciated

Is ipa_kpasswd running ?

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] krb5 nfs failure between F14 freeipa server and F14 client
On Tue, 07 Dec 2010 10:51:55 +0100 Thomas Sailer sai...@sailer.dynip.lugs.ch wrote:

> On Mon, 2010-12-06 at 13:53 -0500, Simo Sorce wrote:
>
> Hi Simo,
>
>> I pushed the patch in git just today :)
>
> Your patch indeed helps :) I've adapted it to the fc14 srpm, compiled it, and at least the extop plugin now uses the openldap libraries: http://sailer.fedorapeople.org/ipa-1.2.2-5.fc14.jnx.src.rpm
>
> The unreliability of ipa-getkeytab seems now gone, and the krb5 kdc now issues nfs tickets (the ASN.1 parse error is now gone).

Great, we will steal your port of the patch and release new Fedora packages then :)

> However krb5nfs still does not work, it hangs now (instead of giving me an instantaneous error). Will investigate further.

Let us know if you solve this problem.

Thank you,
Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] krb5 nfs failure between F14 freeipa server and F14 client
On Sat, 04 Dec 2010 10:57:13 +0100 Thomas Sailer sai...@sailer.dynip.lugs.ch wrote:

> Hi,
>
> after upgrading a F12 freeipa server to F14, krb5 nfs no longer works.
>
> 1) ipa-getkeytab works only very unreliably. I get the following about 4 out of 5 times:
>
> # ipa-getkeytab -s 192.168.1.2 -p nfs/client..xxx -k /etc/krb5.keytab
> Operation failed! Unable to set key
>
> ipa-delservice, ipa-addservice and other ipa- commands seem to work fine, though.
>
> 2) I get the following log from rpc.gssd on the client:
>
> # rpc.gssd -f -v -v -v -v -v
> beginning poll
> dir_notify_handler: sig 37 si 0x7d2a16b0 data 0x7d2a1580
> dir_notify_handler: sig 37 si 0x7d2a16b0 data 0x7d2a1580
> dir_notify_handler: sig 37 si 0x7d2a16b0 data 0x7d2a1580
> handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt1c)
> handle_gssd_upcall: 'mech=krb5 uid=0 '
> handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt1c)
> process_krb5_upcall: service is 'null'
> Full hostname for 'server..xxx' is 'server..xxx'
> Full hostname for 'client..xxx' is 'client..xxx'
> Key table entry not found while getting keytab entry for 'root/client.@.xxx'
> Success getting keytab entry for 'nfs/client.@.xxx'
> WARNING: Generic error (see e-text) while getting initial ticket for principal 'nfs/client.@.xxx' using keytab 'WRFILE:/etc/krb5.keytab'
> ERROR: No credentials found for connection to server server..xxx
> doing error downcall
> dir_notify_handler: sig 37 si 0x7d2a1170 data 0x7d2a1040
> dir_notify_handler: sig 37 si 0x7d2a16b0 data 0x7d2a1580
> dir_notify_handler: sig 37 si 0x7d2a16b0 data 0x7d2a1580
> dir_notify_handler: sig 37 si 0x7d2a16b0 data 0x7d2a1580
> dir_notify_handler: sig 37 si 0x7d2a16b0 data 0x7d2a1580
> dir_notify_handler: sig 37 si 0x7d2a16b0 data 0x7d2a1580
> destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt1c
>
> 3) In the server's kdc log, I find the following:
>
> Dec 04 02:09:08 server..xxx krb5kdc[6933](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.220: LOOKING_UP_CLIENT: nfs/client.@.xxx for krbtgt/@.xxx, unable to decode stored principal key data (ASN.1 structure is missing a required field)
>
> Does anybody have an idea how I could get krb5 nfs working again?

We are seeing an issue with F14 DS where it has been built against openldap libraries while we still have plugins built against mozldap.

We have a patch that should be solving some issues against ipav2, if that checks out we will see if we can backport them to ipa 1.2.2 but it may take a little while.

Meanwhile you may want to try to downgrade 389-ds (make sure you backup your data first).

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] krb5 nfs failure between F14 freeipa server and F14 client
On Mon, 06 Dec 2010 18:31:37 +0100 Thomas Sailer sai...@sailer.dynip.lugs.ch wrote:

> On Mon, 2010-12-06 at 10:55 -0500, Simo Sorce wrote:
>
> Hi Simo,
>
> thanks for your response!
>
>> We are seeing an issue with F14 DS where it has been built against openldap libraries while we still have plugins built against mozldap.
>
> Where would that help? just for the ipa-getkeytab reliability issue?

Yes, that is probably a side effect of the problem we're solving.

> Because after the kerberos keys are in the client's keytab, how is ldap even involved in the nfs issues?

Keys are stored in ldap and asn.1 encoding is generated using ldap libraries before storing it. If that operation fails it may generate malformed entries that the KDC later can't properly decode.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] krb5 nfs failure between F14 freeipa server and F14 client
On Mon, 06 Dec 2010 19:43:29 +0100 Thomas Sailer sai...@sailer.dynip.lugs.ch wrote:

> On Mon, 2010-12-06 at 13:35 -0500, Simo Sorce wrote:
>> Keys are stored in ldap and asn.1 encoding is generated using ldap libraries before storing it. If that operation fails it may generate malformed entries that the KDC later can't properly decode.
>
> Which patch are you talking about? Is it included in the current alpha (binaries)?

I pushed the patch in git just today :)

> Upgrade to the current alpha might be a better idea than trying to downgrade, or am I overlooking something?

V2 will need a migration, upgrades are not really possible as we have added/changed a ton of schema and other things in the LDAP tree.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Secure nfs4 and Fedora 14
On Thu, 11 Nov 2010 13:44:55 +0100 Thomas Sailer sai...@sailer.dynip.lugs.ch wrote:

> Since I upgraded about two days ago from a fully up-to-date and working Fedora13 system to Fedora14, I am unable to mount the krb5p nfs4 shares of the freeipa server (which is itself running a fully up-to-date Fedora12).
>
> rpc.gssd on the client reports the following:
>
> beginning poll
> dir_notify_handler: sig 37 si 0x7fff99e83030 data 0x7fff99e82f00
> dir_notify_handler: sig 37 si 0x7fff99e7f930 data 0x7fff99e7f800
> dir_notify_handler: sig 37 si 0x7fff99e82ef0 data 0x7fff99e82dc0
> handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt38)
> handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '
> handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt38)
> process_krb5_upcall: service is 'null'
> Full hostname for 'server..xxx' is 'server..xxx'
> Full hostname for 'clnt..xxx' is 'clnt..xxx'
> Key table entry not found while getting keytab entry for 'root/clnt.@.xxx'
> Success getting keytab entry for 'nfs/clnt.@.xxx'
> Successfully obtained machine credentials for principal 'nfs/clnt.@.xxx' stored in ccache 'FILE:/tmp/krb5cc_machine_.XXX'
> INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_.XXX' are good until 1289651734
> using FILE:/tmp/krb5cc_machine_.XXX as credentials cache for machine creds
> using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_.XXX
> creating context using fsuid 0 (save_uid 0)
> creating tcp client for server server..xxx
> DEBUG: port already set to 2049
> creating context with server n...@server..xxx
> WARNING: Failed to create krb5 context for user with uid 0 for server server..xxx
> WARNING: Failed to create machine krb5 context with credentials cache FILE:/tmp/krb5cc_machine_.XXX for server server..xxx
> WARNING: Machine cache is prematurely expired or corrupted trying to recreate cache for server server..xxx
> Full hostname for 'server..xxx' is 'server..xxx'
> Full hostname for 'clnt..xxx' is 'clnt..xxx'
> Key table entry not found while getting keytab entry for 'root/clnt.@.xxx'
> Success getting keytab entry for 'nfs/clnt.@.xxx'
> INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_.XXX' are good until 1289651734
> INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_.XXX' are good until 1289651734
> using FILE:/tmp/krb5cc_machine_.XXX as credentials cache for machine creds
> using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_.XXX
> creating context using fsuid 0 (save_uid 0)
> creating tcp client for server server..xxx
> DEBUG: port already set to 2049
> creating context with server n...@server..xxx
> WARNING: Failed to create krb5 context for user with uid 0 for server server..xxx
> WARNING: Failed to create machine krb5 context with credentials cache FILE:/tmp/krb5cc_machine_.XXX for server server..xxx
> WARNING: Failed to create machine krb5 context with any credentials cache for server server..xxx
> doing error downcall
> dir_notify_handler: sig 37 si 0x7fff99e83030 data 0x7fff99e82f00
> dir_notify_handler: sig 37 si 0x7fff99e83030 data 0x7fff99e82f00
> dir_notify_handler: sig 37 si 0x7fff99e82f30 data 0x7fff99e82e00
> dir_notify_handler: sig 37 si 0x7fff99e7dfb0 data 0x7fff99e7de80
> dir_notify_handler: sig 37 si 0x7fff99e7dfb0 data 0x7fff99e7de80
> dir_notify_handler: sig 37 si 0x7fff99e7dfb0 data 0x7fff99e7de80
> dir_notify_handler: sig 37 si 0x7fff99e7dfb0 data 0x7fff99e7de80
> destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt39
> destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt38
>
> I need to downgrade the kernel and krb5* to the Fedora13 version to get nfs4 working again.
>
> Does anybody have an idea why it no longer works?
>
> What is the current party line with respect to nfs4 encryption types? The admin guide on the freeipa web page still requires des-cbc-crc. But MIT Kerberos seems to become increasingly hostile against des. And yes, I do have allow_weak_crypto = true in krb5.conf/libdefaults

Starting with F14 you can use any crypto for NFS. However DES should still just work if you have a DES key.

This looks like a kernel/rpc.gssd bug, I would file a ticket against those components.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Replica not syncing 'memberOf' attributes
On Wed, 6 Oct 2010 10:26:48 -0400 Dan Scott danieljamessc...@gmail.com wrote: Hi, I have master and slave FreeIPA servers. I recently upgraded the slave by wiping, re-installing Fedora 13 and re-creating the replication using ipa-replica-prepare and ipa-replica-install. For some reason, the slave is having difficulty replicating the memberOf attribute. I can attach an LDAP viewer to the replica, and view the schema, but the memberOf attributes are missing. Also, the master server contains the lines:

- Entry cn=admins,cn=groups,cn=accounts,dc=example,dc=com -- attribute memberOf not allowed
NSMMReplicationPlugin - repl_set_mtn_referrals: could not set referrals for replica dc=example,dc=com: 20
NSMMReplicationPlugin - replica_reload_ruv: Warning: new data for replica dc=example,dc=com does not match the data in the changelog. Recreating the changelog file. This could affect replication with replica's consumers in which case the consumers should be reinitialized.
[06/Oct/2010:09:58:33 -0400] - skipping cos definition cn=account inactivation,cn=accounts,dc=example,dc=com--no templates found

The rest of the replication appears to be working correctly (as far as I can tell). I have tried using ipa-replica-manage init and synch to try to fix the replication, but I suspect this has something to do with the schema definition. Does anyone have any pointers/ideas for how I can fix this?

Dan, the memberof attribute is explicitly not replicated, and should be simply re-generated on the receiving replica when member attributes are replicated. Are the IPA versions on the master and the replica the same ? Simo. -- Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] 389-ds to free-ipa transition; transparent?
On Thu, 2 Sep 2010 16:26:26 -0700 Brian LaMere br...@cukerinteractive.com wrote: 389 access control is pretty powerful and flexible. There's usually a way to do what you want to do without having to resort to using subtrees (as in AD). http://www.redhat.com/docs/manuals/dir-server/8.2/admin/html/Managing_Access_Control.html aye - I already have everything on that side of the house working perfectly, in exactly the way I want it. However, part of how I have that is based on ACIs attached to specific ou units. So if it could probably be made to work without resorting to ACIs for individual OUs, then...ok. I want PMs to be able to make people that are customers, but not people who are People (that sounds horrible, but you know what I mean...heh). That's just one example of many, including batch processes that make changes to specific ou units reserved for the activities of those processes. Perhaps I'll just install FreeIPA and see, then. Brian, for non user/group/host objects you fully own and control you can use whatever directory structure you want as long as you do not put them under the cn=accounts subtree and keep them generally away from any IPA controlled subtree. Simo. -- Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] SSS problems with eDirectory
On Mon, 26 Jul 2010 09:33:22 -0400 Stephen Gallagher sgall...@redhat.com wrote: I was discussing this with Dmitri this morning. I propose that we should probably do the following: After retrieving the user entry, verify whether the entry contains at least one memberOf attribute. If it does, continue processing as we do now (since it will be more efficient). If not, then we should slip into compatibility mode where we will search all groups for member=userdn Does this seem sensible? yes and no. Actually we should really have a switch that tells us whether we fully trust memberof to give us the complete picture (IPA case) or if we should use it only as a hint (AD and servers that do not use memberof at all). In AD for example we currently return only direct memberships because in AD member/memberof are linked attributes, this means memberof does not contain DNs of indirect group memberships. I believe eDirectory is probably the same even when their memberof-equivalent attribute is set (assuming they support nesting at all). Of course we can also have a switch to allow searching for nested groups or not, so that we do not cause unnecessary searches on deployments that do not use any form of nesting. The parameter should actually probably be an integer that determines the level of nesting we allow to search at runtime, with 0 meaning none and any other value up to a maximum we define allowing deeper and deeper nesting. Simo. -- Simo Sorce * Red Hat, Inc * New York
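The two memberOf threads above (the replica whose memberOf values are missing, and the SSSD discussion about trusting memberOf versus searching member links with a nesting limit) describe the same bookkeeping. The block below is an added illustration written for this page, not SSSD or 389-ds code: directory entries are modelled as plain dicts, and the names search_groups, resolve_groups and memberof_report are mine. It follows both member (IPA/AD) and uniqueMember (rfc2307bis) links, treats the nesting parameter the way Simo describes (0 means direct memberships only), and reconciles the stored memberOf values against what the links say, which is the check to run on a replica that has not regenerated memberOf.

```python
# Directory entries modelled as {dn: {attribute: [values]}}. Group membership
# is expressed with "member" (IPA, AD) or "uniqueMember" (rfc2307bis);
# "memberOf" is the server-maintained back link that may be absent or stale.

def _members(attrs):
    return set(attrs.get("member", [])) | set(attrs.get("uniqueMember", []))


def search_groups(entries, user_dn, max_nesting=0):
    """Groups containing user_dn, found by searching member/uniqueMember.
    max_nesting=0 returns direct memberships only; each further level also
    returns the groups that contain the groups found so far. The 'seen' set
    also makes membership cycles harmless."""
    found = []
    seen = {user_dn}
    frontier = [user_dn]
    for _level in range(max_nesting + 1):
        next_frontier = []
        for dn, attrs in entries.items():
            if dn in seen:
                continue
            if _members(attrs) & set(frontier):
                seen.add(dn)
                found.append(dn)
                next_frontier.append(dn)
        if not next_frontier:
            break
        frontier = next_frontier
    return found


def resolve_groups(entries, user_dn, trust_memberof, max_nesting=0):
    """SSSD-style lookup: with trust_memberof the server's memberOf is taken
    as the complete picture (the IPA case); otherwise it is at most a hint and
    the groups are searched, following nesting up to max_nesting levels."""
    memberof = list(entries.get(user_dn, {}).get("memberOf", []))
    if trust_memberof and memberof:
        return memberof
    return search_groups(entries, user_dn, max_nesting)


def memberof_report(entries, user_dn, max_nesting=0):
    """Compare the memberOf values stored on a user entry with what the member
    links say. On a replica whose memberOf was never regenerated, 'missing'
    is non-empty."""
    expected = set(search_groups(entries, user_dn, max_nesting))
    actual = set(entries[user_dn].get("memberOf", []))
    return {"missing": sorted(expected - actual), "stale": sorted(actual - expected)}


# Constructed replica snapshot (hypothetical DNs): the user's memberOf is incomplete.
BASE = "dc=example,dc=com"
USER = "uid=dan,cn=users,cn=accounts," + BASE
ADMINS = "cn=admins,cn=groups,cn=accounts," + BASE
IPAUSERS = "cn=ipausers,cn=groups,cn=accounts," + BASE
EDITORS = "cn=editors,cn=groups,cn=accounts," + BASE
LEGACY = "cn=legacy,ou=groups," + BASE  # rfc2307bis-style group: uniqueMember, no memberOf

REPLICA = {
    USER: {"uid": ["dan"], "memberOf": [IPAUSERS]},
    ADMINS: {"member": [USER]},
    IPAUSERS: {"member": [USER]},
    EDITORS: {"member": [ADMINS]},  # nested: editors contains the admins group
    LEGACY: {"uniqueMember": [USER]},
}

if __name__ == "__main__":
    print("trusting memberOf:", resolve_groups(REPLICA, USER, trust_memberof=True))
    print("searching, nesting 1:", resolve_groups(REPLICA, USER, False, max_nesting=1))
    print("replica report:", memberof_report(REPLICA, USER, max_nesting=1))
```

Run against a real directory the same logic applies to the output of two ldapsearch calls (one for the user, one with a (member=userdn) or (uniqueMember=userdn) filter); a non-empty "missing" list on a replica is the symptom Dan reports.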
Re: [Freeipa-users] SSS problems with eDirectory
On Thu, 22 Jul 2010 17:59:03 -0400 Dmitri Pal d...@redhat.com wrote: [snip] Uhmmm this may be a side effect of your directory not having memberof I think we need to add special code to handle servers that use rfc2307bis schema but that do not use memberof. Are we sure that this is the case? Is there any chance we can get a schema file that shows what is the schema used on the server? May be it is one of the early drafts of the rfc2307bis that is implemented in the server? I think the ldapsearch results listing any one user and a group he is a member of in your server will be very helpful. memberof is not required by rfc2307bis. Actually it is not even mentioned by rfc2307bis, so it is our fault if we depend on it. rfc2307bis actually mentions only uniquemember. Simo. -- Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] SSSD Cache
On Wed, 30 Jun 2010 15:39:48 -0400 Dan Scott danieljamessc...@gmail.com wrote: This has worked, now the client reports that user belongs to the correct groups. It also appears to correctly refresh the cache when I login. I have added and removed my user from a few groups and this is correctly reflected by the results of the 'id' command. Ok this is the expected behavior. Maybe the cache was corrupted? Unlikely, maybe your SSSD went offline and wasn't able to get back online for some reason until you restarted it ? Simo. -- Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Problem with FreeIPA and Samba 3...
On Wed, 16 Jun 2010 21:41:08 +0200 Stjepan Gros sg...@zemris.fer.hr wrote: Hi all, I'm trying to integrate Samba 3 into FreeIPA domain. After following the instructions given in this mailing list (http://www.mail-archive.com/freeipa-users@redhat.com/msg00111.html) I'm unable to add new users. The ipa-adduser command complains with the following error message: A database error occurred: Object class violation: missing attribute sambaSID required by object class sambaSamAccount It seems as if ipa-dna plugin isn't working, i.e. isn't adding sambaSID attribute. Here are the relevant entries from LDAP (with mangled domains):

dn: cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
objectClass: nsContainer
cn: Distributed Numeric Assignment Plugin
nsslapd-pluginInitfunc: dna_init
nsslapd-pluginType: preoperation
nsslapd-pluginEnabled: on
nsslapd-pluginPath: libdna-plugin
nsslapd-plugin-depends-on-type: database
nsslapd-pluginId: Distributed Numeric Assignment
nsslapd-pluginVersion: 1.2.5
nsslapd-pluginVendor: 389 Project
nsslapd-pluginDescription: Distributed Numeric Assignment plugin

# sambaGroupType, Distributed Numeric Assignment Plugin, plugins, config
dn: cn=sambaGroupType,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: sambaGroupType
dnatype: sambaGroupType
dnainterval: 0
dnamagicregen: ASSIGN
dnafilter: (objectClass=sambaGroupMapping)
dnanextvalue: 2

# SambaSid, Distributed Numeric Assignment Plugin, plugins, config
dn: cn=SambaSid,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
dnatype: sambaSID
dnaprefix: S-1-5-21-2932961863-1130097162-856551529
dnainterval: 1
dnamagicregen: assign
dnafilter: (|(objectclass=sambaSamAccount)(objectclass=sambaGroupMapping))
dnascope: dc=example,dc=com
cn: SambaSid
dnanextvalue: 15277

Can someone shed light on what's going on, or how to debug these problems? In the log files (/var/log/dirsrv/dirsrv-EXAMPLE-COM) there is nothing useful. SG P.S. dnaprefix has to end with hyphen, but I don't believe it's the problem.

It is not, the instructions in that thread are wrong. We already debugged them with another user, and there are quite a few things that need to be changed. First of all sambaGroupType is a fixed value, not a counter, so the DNA configuration for it just needs to be removed. Second, in IPA v1.2.2 we are still using the embedded DNA plugin, so the DNs in that configuration are incorrect for v1.2.2, the DN to be used IIRC is cn=ipa-dna,cn=plugins,cn=config There may be something else we found I am missing, but these 2 are pretty fundamental things. Simo. -- Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] NFS4 after client upgrade to Fedora 13
On Thu, 27 May 2010 12:27:49 -0400 Simo Sorce sso...@redhat.com wrote: Tom, apologies, I meant Thomas, not enough sleep I guess :/ Simo. -- Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] NFS4 after client upgrade to Fedora 13
On Thu, 27 May 2010 23:58:28 +0200 Thomas Sailer sai...@sailer.dynip.lugs.ch wrote: For some reason I have no clue about, it does not like my credentials cache (/tmp/krb5cc_1591) when not run from the console. I suspect an SELinux issue in this case, because manually starting it will run it as unconfined. Can you check /var/log/audit/audit.log ? Simo. -- Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Give laptops bidirectional anywhere access to freeipa and /home/
On Wed, 12 May 2010 12:24:00 -0500 Rob Townley rob.town...@gmail.com wrote: The main difference between tinc vpns and traditional vpns is that tinc is bidirectional and does not require the user to enter a username password. So if the computer is turned on, the remote machine is reachable by the IT department. If it is a windows machine, you may want to verify antivirus signatures are up-to-date. FusionInventory could be used to push software. Yes, it is a machine level as opposed to user level vpn. tinc would have to run all machines to make it the easiest to use. With freeipa, that could be easy. The keys currently are RSA public / private keypairs. Does not have existing code to work with ldap / kerberos as far as i know. Looks interesting, do you know what's the difference between tinc and something like openvpn ? Is it just the fact that tinc allows inbound connections, or is there more ? Simo. -- Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Is sssd currently useable with freeipa v2 ?
On Sat, 01 May 2010 22:43:22 -0400 Rob Crittenden rcrit...@redhat.com wrote: The default configuration in hbac uses the model denied unless explicitly allowed which is why all your logins failed. We don't currently have any default rules set up, I wonder if we should have some basic ones for demonstration purposes and to sort of bootstrap things. I think we should have a default *explicit* permit all rule that admins will promptly remove as soon as they have decided what is their final configuration. Otherwise it will make things too nasty for people that are setting it up for the first time. Simo. -- Simo Sorce * Red Hat, Inc * New York
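The exchange above turns on one property of host-based access control: nothing is allowed unless an enabled rule says so, which is why an empty rule set locks everyone out and why Simo wants an explicit permit-all rule as a starting point. The block below is an added model of that evaluation, written for this page rather than taken from FreeIPA; the class HBACRule, the function hbac_decide and the rule names are mine. A rule side is either the category "all" or an explicit set of user/host/service names (group names are matched too, so a user can be allowed through one of their groups).

```python
# Minimal model of host-based access control: a rule allows a
# (user, host, service) triple when each of its three sides matches,
# either explicitly or via the category "all". Nothing allows by default.

ALL = "all"


class HBACRule:
    def __init__(self, name, users=ALL, hosts=ALL, services=ALL, enabled=True):
        self.name = name
        # each side is either the string ALL or a set of names
        self.users = users if users == ALL else set(users)
        self.hosts = hosts if hosts == ALL else set(hosts)
        self.services = services if services == ALL else set(services)
        self.enabled = enabled

    @staticmethod
    def _matches(side, value, groups=()):
        if side == ALL:
            return True
        return value in side or any(g in side for g in groups)

    def matches(self, user, host, service, user_groups=(), host_groups=()):
        return (self.enabled
                and self._matches(self.users, user, user_groups)
                and self._matches(self.hosts, host, host_groups)
                and self._matches(self.services, service))


def hbac_decide(rules, user, host, service, user_groups=(), host_groups=()):
    """Returns (allowed, name_of_matching_rule). Deny unless some enabled rule
    explicitly allows the triple; an empty rule list denies everyone."""
    for rule in rules:
        if rule.matches(user, host, service, user_groups, host_groups):
            return True, rule.name
    return False, None


# The explicit "permit everything" bootstrap rule proposed above; it is meant
# to be removed once real rules exist.
ALLOW_ALL = HBACRule("allow_all")

# Constructed example policy (hypothetical names): admins may ssh anywhere,
# the web team may ssh or log in only on web1.
ADMIN_SSH = HBACRule("admins_ssh", users={"admins"}, services={"sshd"})
WEB_LOGIN = HBACRule("web_login", users={"webteam"}, hosts={"web1.example.com"},
                     services={"sshd", "login"})

if __name__ == "__main__":
    print("no rules:", hbac_decide([], "dan", "web1.example.com", "sshd"))
    print("allow_all:", hbac_decide([ALLOW_ALL], "dan", "web1.example.com", "sshd"))
    print("web team on db1:", hbac_decide([ADMIN_SSH, WEB_LOGIN], "eve", "db1.example.com",
                                          "sshd", user_groups=("webteam",)))
```

The first call is the situation Rob describes (every login fails); the second is the bootstrap rule Simo suggests, and the last shows that once it is removed a user outside any matching rule is denied even though the service is permitted elsewhere.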
Re: [Freeipa-users] Password Attribute Syncing Support
On Thu, 18 Mar 2010 19:47:35 -0400 Walter Meyer wgme...@gmail.com wrote: Sorry I should have linked to the manual for it: http://www.postini.com/webdocs/gads/admin The Google Apps utility actually syncs passwords from LDAP to Google Apps, not the other way around. The manual says that the utility supports password attributes in MD5, SHA1, or Clear Text. So I am wondering how they are stored in the IPA DS. By default we use Salted SHA (SSHA) for the userPassword attribute. You can change it by changing the passwordStorageScheme attribute (see chapter 7 of the directory server guide), but you will probably have to perform a password change for each user that needs synchronization if you already have passwords set, because the hash can be changed only when the clear text password is available. I have to say though that MD5/SHA1 are considered weak today, esp MD5. Also you should make sure you understand the implication of exposing your internal passwords over the network. By using the same hash for google apps it means your users will send their IPA password to google for authentication (hopefully over HTTPS) so if someone can phish or mitm them they will have the right password for both google apps *and* your company resources. Simo. -- Simo Sorce * Red Hat, Inc * New York
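Two points in Simo's reply are easy to see in code: the stored hash can only be re-encoded under another scheme when the clear-text password is in hand, and unsalted {SHA}/{MD5} values leak more than {SSHA} does (two users with the same password get the same stored value). The block below is an added example written for this page, not 389-ds code; it implements the userPassword encodings the directory server uses ({SSHA} is base64 of sha1(password || salt) followed by the salt, {SHA} and {MD5} are unsalted), with function names of my own. The sample password and salt are constructed.

```python
import base64
import hashlib
import hmac
import os

# 389 Directory Server stores userPassword as "{SCHEME}base64(...)".
# SSHA = base64(sha1(password || salt) || salt); SHA and MD5 carry no salt.


def ssha_hash(password, salt=None):
    """Produce a {SSHA} userPassword value. A fresh random salt is used unless
    one is passed in (only done here to make results reproducible)."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def sha_hash(password):
    """Unsalted {SHA}: equal passwords give equal stored values."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode("utf-8")).digest()).decode("ascii")


def md5_hash(password):
    """Unsalted {MD5}, the weakest of the three."""
    return "{MD5}" + base64.b64encode(hashlib.md5(password.encode("utf-8")).digest()).decode("ascii")


def verify(password, stored):
    """Check a candidate password against a stored {SSHA}/{SHA}/{MD5} value."""
    scheme, _, encoded = stored.partition("}")
    raw = base64.b64decode(encoded)
    pw = password.encode("utf-8")
    if scheme == "{SSHA":
        digest, salt = raw[:20], raw[20:]  # sha1 digest is 20 bytes, salt follows
        return hmac.compare_digest(hashlib.sha1(pw + salt).digest(), digest)
    if scheme == "{SHA":
        return hmac.compare_digest(hashlib.sha1(pw).digest(), raw)
    if scheme == "{MD5":
        return hmac.compare_digest(hashlib.md5(pw).digest(), raw)
    raise ValueError("unsupported scheme " + scheme + "}")


def reveals_equal_passwords(stored_a, stored_b):
    """True when two stored values alone show that the passwords are equal,
    which only the unsalted schemes do."""
    return not stored_a.startswith("{SSHA}") and stored_a == stored_b


def convert_scheme(stored, cleartext, new_scheme):
    """Re-encode an existing password under another scheme. This needs the
    clear-text password, which is why changing passwordStorageScheme does
    not rewrite hashes that are already stored."""
    if not verify(cleartext, stored):
        raise ValueError("clear-text password does not match stored value")
    return {"SSHA": ssha_hash, "SHA": sha_hash, "MD5": md5_hash}[new_scheme](cleartext)


if __name__ == "__main__":
    pw = "Secret123"  # constructed sample password
    stored = ssha_hash(pw)
    print(stored, verify(pw, stored), verify("wrong", stored))
    print("two SSHA of same password equal?", ssha_hash(pw) == ssha_hash(pw))
    print("two SHA of same password equal?", sha_hash(pw) == sha_hash(pw))
    print("converted for sync:", convert_scheme(stored, pw, "SHA"))
```

The conversion function is the step a sync tool would have to perform per user at password-change time; without the clear text it can only fail, which matches the advice to force a password change for each synchronized account.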
Re: [Freeipa-users] MemberOf plugin keeps disabling account
On Wed, 17 Mar 2010 15:24:18 -0400 James Roman james.ro...@ssaihq.com wrote: To actually disable the plugin you need a restart after you change the config, but please *do not* do that unless you want trouble :) The memberof plugin does not change group memberships it only updates the memberof attribute to keep it in sync with the member ones. Simo. Just to clarify, we never disabled the 389 MemberOf plugin. My original ldif dump after the upgrade to 1.2.5 had the 389 DS memberOf plugin disabled. So it never was enabled. This probably meant little to us from a functional standpoint because we already had the FreeIPA ipa_memberof plugin installed and enabled. Do I need both of them enabled? Or will that cause additional misery? Of the two, ipa-memberof and 389's memberOf plugin, which should I enable? Oh sorry, no I misunderstood. You can't have both enabled they would interfere, only one or the other. The 389 memberof plugin is probably better now, as we merge all the code we developed for ipa in there. But unless you have specific problems you can just leave it as it is. Simo. -- Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Needed_Preauth Issue
On Mon, 08 Mar 2010 18:15:05 -0600 David Christensen da...@adurotec.com wrote: I have two servers that I have installed the ipa-client on, both of these servers are configured the same way however one is providing single sign on, the other is not and instead prompts for a password when a user logs in. I did verify that DNS is configured correctly for both servers. I issue kinit prior to logging into either server and verified that I have a valid ticket for both servers, but the failing server remains unchanged. When I look at the krb5kdc.log I see the following for the server that is prompting for a password:

Mar 08 23:25:53 ipa1.example.net krb5kdc[12320](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 10.200.3.131: NEEDED_PREAUTH: dav...@example.net for krbtgt/example@example.net, Additional pre-authentication required
Mar 08 23:25:53 ipa1.example.net krb5kdc[12320](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 10.200.3.131: ISSUE: authtime 1268090753, etypes {rep=18 tkt=18 ses=18}, dav...@example.net for krbtgt/example@example.net

Where else should I look to find the root cause of this issue? What typically causes this type of symptom?

NEEDED_PREAUTH is perfectly natural, you have it for every principal as it is our default. If you don't see your client requesting a ticket for host/your.server.fqdn@EXAMPLE.NET then that is going to be an issue. If you obtained a ticket for your server and it still falls back to password auth I suggest looking at the server's logs. Simo. -- Simo Sorce * Red Hat, Inc * New York
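Two threads on this page come down to reading enctype lists out of Kerberos logs: the NFS4 thread near the top (the rpc.gssd upcall advertises the enctypes the kernel can use, and the mount only works when one of them also exists in the keytab and is not refused as weak) and the NEEDED_PREAUTH thread just above (NEEDED_PREAUTH followed by ISSUE is normal, and the thing to look for is a TGS_REQ for host/fqdn from the client). The block below is an added diagnostic written for this page, not MIT or FreeIPA code; the function names are mine, the enctype table is the standard IANA numbering, the weak set is the one MIT Kerberos 1.7+ refuses without allow_weak_crypto, and the sample log lines are constructed to match the shape of the lines quoted in the threads (hypothetical hosts and principals).

```python
import re

# IANA Kerberos encryption type numbers as they appear in rpc.gssd upcalls
# and in krb5kdc.log "etypes {...}" lists.
ENCTYPES = {
    1: "des-cbc-crc",
    2: "des-cbc-md4",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
    24: "arcfour-hmac-exp",
}

# Enctypes MIT Kerberos 1.7+ refuses unless allow_weak_crypto = true.
WEAK = {1, 2, 3, 24}

UPCALL_RE = re.compile(r"enctypes=([-\d,]+)")
KDC_RE = re.compile(
    r"krb5kdc\[\d+\]\(info\): (?P<req>AS_REQ|TGS_REQ) "
    r"\(\d+ etypes \{(?P<etypes>[^}]*)\}\) (?P<ip>[\d.]+): (?P<status>[A-Z_]+): "
    r"(?:authtime \d+, etypes \{rep=(?P<rep>-?\d+) tkt=(?P<tkt>-?\d+) ses=(?P<ses>-?\d+)\}, )?"
    r"(?P<client>\S+) for (?P<server>[^,\s]+)"
)


def enctype_name(num):
    return ENCTYPES.get(num, "etype(%d)" % num)


def weak_enctypes(etypes):
    """Names of the enctypes in a list that need allow_weak_crypto."""
    return [enctype_name(e) for e in etypes if e in WEAK]


def parse_gssd_upcall(line):
    """Enctypes the kernel offered in a handle_gssd_upcall line, as ints."""
    m = UPCALL_RE.search(line)
    return [int(x) for x in m.group(1).split(",") if x] if m else []


def usable_enctypes(kernel_etypes, keytab_etypes, allow_weak_crypto=False):
    """Enctypes a krb5 NFS mount can negotiate: the kernel's list intersected
    with the key types present in the keytab, minus weak ones unless the
    client allows weak crypto. An empty result means no context can be built."""
    have = set(keytab_etypes)
    common = [e for e in kernel_etypes if e in have]
    if not allow_weak_crypto:
        common = [e for e in common if e not in WEAK]
    return common


def parse_kdc_line(line):
    """Fields of one krb5kdc.log AS_REQ/TGS_REQ line, or None if it is not one."""
    m = KDC_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["etypes"] = [int(x) for x in rec["etypes"].split()]
    for key in ("rep", "tkt", "ses"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec


def sso_check(kdc_lines, client_ip, host_fqdn, realm):
    """What the KDC saw from one client address. NEEDED_PREAUTH followed by an
    ISSUE for the TGT is normal; for single sign-on what matters is whether a
    service ticket for host/<fqdn>@<REALM> was ever issued to that client."""
    host_princ = "host/%s@%s" % (host_fqdn, realm)
    out = {"needed_preauth": False, "tgt_issued": False, "host_ticket": False}
    for line in kdc_lines:
        rec = parse_kdc_line(line)
        if rec is None or rec["ip"] != client_ip:
            continue
        if rec["req"] == "AS_REQ" and rec["status"] == "NEEDED_PREAUTH":
            out["needed_preauth"] = True
        elif rec["req"] == "AS_REQ" and rec["status"] == "ISSUE":
            out["tgt_issued"] = True
        elif rec["req"] == "TGS_REQ" and rec["status"] == "ISSUE" and rec["server"] == host_princ:
            out["host_ticket"] = True
    return out


# Constructed sample input in the shape of the logs quoted above (not real logs).
SAMPLE_UPCALL = "handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '"
SAMPLE_KDC_LOG = [
    "Mar 08 23:25:53 ipa1.example.net krb5kdc[12320](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) "
    "10.200.3.131: NEEDED_PREAUTH: david@EXAMPLE.NET for krbtgt/EXAMPLE.NET@EXAMPLE.NET, Additional pre-authentication required",
    "Mar 08 23:25:53 ipa1.example.net krb5kdc[12320](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) "
    "10.200.3.131: ISSUE: authtime 1268090753, etypes {rep=18 tkt=18 ses=18}, david@EXAMPLE.NET for krbtgt/EXAMPLE.NET@EXAMPLE.NET",
    "Mar 08 23:26:01 ipa1.example.net krb5kdc[12320](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) "
    "10.200.3.131: ISSUE: authtime 1268090753, etypes {rep=18 tkt=18 ses=18}, david@EXAMPLE.NET for host/good.example.net@EXAMPLE.NET",
]

if __name__ == "__main__":
    kernel = parse_gssd_upcall(SAMPLE_UPCALL)
    print("weak enctypes offered by the kernel:", weak_enctypes(kernel))
    print("negotiable with an AES-only keytab:", [enctype_name(e) for e in usable_enctypes(kernel, [18, 17])])
    print("DES-only keytab, weak crypto off/on:", usable_enctypes(kernel, [1]), usable_enctypes(kernel, [1], True))
    print(sso_check(SAMPLE_KDC_LOG, "10.200.3.131", "good.example.net", "EXAMPLE.NET"))
    print(sso_check(SAMPLE_KDC_LOG, "10.200.3.131", "bad.example.net", "EXAMPLE.NET"))
```

Feed sso_check the real krb5kdc.log and the address of the workstation: the working server shows host_ticket True, and the one that prompts for a password shows tgt_issued True but host_ticket False, which is exactly the missing host/ ticket request Simo points at. The usable_enctypes call reproduces the pre-F14 situation where a kernel offering only DES meets an AES-only keytab (empty list), and the case where a DES key exists but allow_weak_crypto is off.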