Re: [Freeipa-users] Installing on Ubuntu 16.04

2017-05-01 Thread Simon Williams
Don't worry about this during the install from the repository. I also got
that installing on Ubuntu recently. Running ipa-server-install later will
set up the missing data and pki-tomcat will start fine. At the point apt is
trying to start the service it can't start cleanly. The package configure
probably shouldn't be attempting to start it.

On Mon, 1 May 2017, 04:20 Robert L. Harris wrote:

>
> Gave up on freeipa and Ubuntu 17.10.  Re-installed with 16.04 and some
> base packages which does include freeipa-client.  When I do an apt-get
> install on freeipa-server it runs along happily until I find this:
>
> .
> ...
> Setting up pki-server (10.2.6+git20160317-1) ...
> Job for pki-tomcatd.service failed because the control process exited with
> error code. See "systemctl status pki-tomcatd.service" and "journalctl -xe"
> for details.
> invoke-rc.d: initscript pki-tomcatd, action "start" failed.
> * pki-tomcatd.service - LSB: Start pki-tomcatd at boot time
>    Loaded: loaded (/etc/init.d/pki-tomcatd; bad; vendor preset: enabled)
>    Active: failed (Result: exit-code) since Sun 2017-04-30 20:38:29 MDT; 3ms ago
>      Docs: man:systemd-sysv-generator(8)
>   Process: 9645 ExecStart=/etc/init.d/pki-tomcatd start (code=exited, status=5)
>
> Apr 30 20:38:29 ipa systemd[1]: Starting LSB: Start pki-tomcatd at boot time...
> Apr 30 20:38:29 ipa pki-tomcatd[9645]: ERROR:  No 'tomcat' instances installed!
> ... because no CA instance has been configured yet.
> pki-tomcatd-nuxwdog.target is a disabled or a static unit, not starting it.
> pki-tomcatd.target is a disabled or a static unit, not starting it.
> Setting up pki-ca (10.2.6+git20160317-1) ...
> ...
> .
>
>
> I have been googling but can't find a relevant fix that resolves this.
> Any ideas?
>
> Robert
>
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

[Freeipa-users] Chrome 58 Doesn't Trust SSL Certificates Signed by FreeIPA

2017-04-20 Thread Simon Williams
Yesterday, Chrome on both my Ubuntu and Windows machines updated to
version 58.0.3029.81.  It appears that this version of Chrome will not
trust certificates based on Common Name.  Looking at the Chrome
documentation and borne out by one of the messages, from Chrome 58,
the subjectAltName is required to identify the DNS name of the host that
the certificate is issued for.  I would be grateful if someone could point
me in the direction of how to recreate my SSL certificates so that
the subjectAltName is populated.

Thanks in advance
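
The check that Chrome 58 now performs, as an added example in Python (standard library only) that is not part of the original post and is not FreeIPA or Chrome code: the client takes the dNSName entries out of the subjectAltName extension and matches the host name against those alone; the Subject CN is never consulted, so a certificate that carries the host name only in its CN fails. The DER bytes are built by encode_san_extension() inside the block, no real certificate is parsed, and the host names are made up.

```python
# Added example, not from the mailing-list post or from FreeIPA: how a
# Chrome 58 style client decides whether a certificate covers a host name.
# Only dNSName entries in subjectAltName count; the Subject CN is ignored,
# so a CN-only certificate fails the check. The DER below is built by
# encode_san_extension() for the demo; no real certificate is parsed.


def _der_length(n):
    """DER length octets, short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _read_length(buf, pos):
    """Decode DER length octets at buf[pos]; return (length, next_pos)."""
    first = buf[pos]
    pos += 1
    if first < 0x80:
        return first, pos
    count = first & 0x7F
    if count == 0 or count > 4 or pos + count > len(buf):
        raise ValueError("unsupported or truncated DER length")
    return int.from_bytes(buf[pos:pos + count], "big"), pos + count


def encode_san_extension(dns_names):
    """extnValue of subjectAltName: SEQUENCE OF GeneralName, each one a
    context-specific [2] dNSName holding an IA5String."""
    names = b"".join(
        b"\x82" + _der_length(len(n)) + n.encode("ascii") for n in dns_names
    )
    return b"\x30" + _der_length(len(names)) + names


def decode_san_dns_names(extn_value):
    """dNSName entries of a subjectAltName extnValue, lower-cased. Other
    GeneralName choices (rfc822Name [1], iPAddress [7], ...) are skipped."""
    if not extn_value or extn_value[0] != 0x30:
        raise ValueError("subjectAltName value is not a SEQUENCE")
    total, pos = _read_length(extn_value, 1)
    end = pos + total
    if end != len(extn_value):
        raise ValueError("SEQUENCE length does not match the data")
    names = []
    while pos < end:
        tag = extn_value[pos]
        length, pos = _read_length(extn_value, pos + 1)
        if pos + length > end:
            raise ValueError("GeneralName runs past the SEQUENCE")
        value = extn_value[pos:pos + length]
        pos += length
        if tag == 0x82:  # [2] dNSName
            names.append(value.decode("ascii").lower())
    return names


def dns_name_matches(pattern, hostname):
    """RFC 6125 style comparison: exact match, or '*' as the whole
    left-most label. '*.example.com' covers 'ipa.example.com' but not
    'a.b.example.com' and not 'example.com' itself."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    head, sep, rest = hostname.partition(".")
    return bool(head) and sep == "." and rest == pattern[2:]


def certificate_valid_for_host(san_extn_value, subject_cn, hostname):
    """The decision a SAN-only client makes. subject_cn is taken as an
    argument only to make the point visible: it is never consulted."""
    del subject_cn  # Chrome 58+ behaviour: the CN is not a fallback
    if san_extn_value is None:
        return False  # no SAN extension at all, e.g. an old CN-only cert
    return any(dns_name_matches(n, hostname)
               for n in decode_san_dns_names(san_extn_value))


if __name__ == "__main__":
    san = encode_san_extension(["ipa.example.com", "*.apps.example.com"])
    print(decode_san_dns_names(san))
    print(certificate_valid_for_host(san, "ipa.example.com", "ipa.example.com"))
    print(certificate_valid_for_host(None, "ipa.example.com", "ipa.example.com"))
```

This block is only the client side of the story. In a FreeIPA deployment the SAN has to be asked for at the time the certificate is requested; certmonger's `ipa-getcert request` takes `-D <dnsname>` for exactly that, so a certificate that was issued without a SAN has to be re-requested rather than patched.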

Re: [Freeipa-users] FreeIPA and DHCP

2015-10-18 Thread Simon Williams
Well, that's true, but I do do it indirectly. I assign fixed addresses for
servers by MAC address and host name in DHCP and manage the IP address of
that host through FreeIPA DNS. If you tell DHCP that a particular MAC
address is a particular host name, when that host requests a DHCP allocated
address, the DHCP server does a DNS lookup on the host name and gives the
machine a lease on the address. I have no idea if that is intended
behaviour or if it is something that isn't a good idea for some reason, I
discovered that it worked by accident! It has simplified my small setup
however as DNS and therefore FreeIPA control the fixed IP addresses of the
servers. I do have to remember to set up each fixed address's MAC address
and host name in the DHCP configuration when I create it, but it makes
reconfiguring fixed IP addresses a breeze. It ought to be possible to
script synchronisation of the DHCP configuration with the host information
in FreeIPA, but I only deal with a handful of machines, so I've never
bothered.

On Sun, 18 Oct 2015 23:12 William Brown wrote:

> On Fri, 2015-10-16 at 15:01 +0200, Nicola Canepa wrote:
> > Hello.
> > Is there a suggested way to have DHCP IP/MAC associations managed
> > through the IPA web interface?
> >
> > Thank you for any pointer.
>
> Hi,
>
> There is currently no way to manage DHCP with FreeIPA.
>
> --
> Sincerely,
>
> William Brown
> Software Engineer
> Red Hat, Brisbane
>
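
The synchronisation script Simon says would be possible, written out as an added example that is not part of the thread and is not FreeIPA code. It turns FreeIPA host entries (the fqdn plus the macaddress attribute that `ipa host-add`/`ipa host-mod --macaddress` record) into ISC dhcpd `host` stanzas whose `fixed-address` is the host name rather than an IP, so dhcpd resolves it through IPA DNS and the DNS record stays the one place the address lives. SAMPLE_IPA_HOSTS is constructed data; a real run would fetch the records with the ipa CLI or an LDAP search, which this offline example deliberately does not do.

```python
# Added example, not from the thread or from FreeIPA: the synchronisation
# Simon describes doing by hand. It turns FreeIPA host entries (fqdn plus
# the macaddress attribute that "ipa host-mod --macaddress" sets) into ISC
# dhcpd "host" stanzas whose fixed-address is the host NAME, so dhcpd
# resolves it through IPA DNS and DNS stays the single place the IP lives.
# SAMPLE_IPA_HOSTS is constructed data; a real run would fetch the records
# with the ipa CLI or an LDAP search, which this offline example does not.

import re

MAC_RE = re.compile(r"^[0-9a-f]{2}(?:[:-]?[0-9a-f]{2}){5}$")
FQDN_RE = re.compile(
    r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$"
)

STANZA = (
    "host %s {\n"
    "    hardware ethernet %s;\n"
    "    fixed-address %s;\n"  # a name, not an IP: dhcpd looks it up in DNS
    "}\n"
)

SAMPLE_IPA_HOSTS = [  # constructed, not real "ipa host-find" output
    {"fqdn": "web.example.com", "macaddress": ["52:54:00:AB:CD:01"]},
    {"fqdn": "db.example.com", "macaddress": ["52-54-00-ab-cd-02"]},
    {"fqdn": "nas.example.com",
     "macaddress": ["525400abcd03", "52:54:00:ab:cd:04"]},  # two NICs
    {"fqdn": "laptop.example.com"},  # no MAC recorded: keeps a dynamic lease
]


def normalize_mac(mac):
    """Canonical lower-case colon form; rejects anything that is not six
    hex octets, because dhcpd refuses to load a malformed hardware line."""
    text = mac.strip().lower()
    if not MAC_RE.match(text):
        raise ValueError("bad MAC address: %r" % mac)
    digits = re.sub(r"[^0-9a-f]", "", text)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def render_dhcpd_hosts(ipa_hosts):
    """Return dhcpd.conf text with one host stanza per (host, MAC) pair.
    A MAC listed under two hosts is an error: dhcpd would reject the
    duplicate hardware address, and it usually means a stale IPA entry."""
    seen = {}
    stanzas = []
    for host in sorted(ipa_hosts, key=lambda h: h["fqdn"].lower()):
        fqdn = host["fqdn"].lower().rstrip(".")
        if not FQDN_RE.match(fqdn):
            raise ValueError("bad host name: %r" % host["fqdn"])
        macs = [normalize_mac(m) for m in host.get("macaddress") or []]
        for index, mac in enumerate(macs, start=1):
            if mac in seen:
                raise ValueError("MAC %s is recorded on both %s and %s"
                                 % (mac, seen[mac], fqdn))
            seen[mac] = fqdn
            name = fqdn.replace(".", "_")  # keep the declaration name one plain token
            if len(macs) > 1:
                name = "%s_%d" % (name, index)
            stanzas.append(STANZA % (name, mac, fqdn))
    return "\n".join(stanzas)


if __name__ == "__main__":
    print(render_dhcpd_hosts(SAMPLE_IPA_HOSTS))
```

The output is meant to be written to a file included from dhcpd.conf and followed by a config check and reload; the duplicate-MAC and bad-MAC checks are there so that a typo in an IPA entry stops the script rather than stopping dhcpd.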

Re: [Freeipa-users] Google Apps Directory Sync and Free-IPA

2014-04-28 Thread Simon Williams
I do have it working, but I have Atlassian Crowd sitting between FreeIPA
and the Google Apps log in.
On 28 Apr 2014 15:44, Simo Sorce s...@redhat.com wrote:

 On Mon, 2014-04-28 at 08:24 -0400, Dmitri Pal wrote:
  On 04/28/2014 08:22 AM, Chris Whittle wrote:
   Ha! that was my thread about SAML vs GADS but there ended up not being
   any info on how to actually use GADS with Free IPA.  It dropped after
   Simo saying he was going to work on getting docs for ipsilon (which
   from the conversation and I can gather is basically SAML) and I asked
   for someone who had experience with GADS so I started a new one for
   simplification.
 
  I do not think we have a better answer for you other than what Martin
  mentioned and SAML IdP Simo is working on.

 note that any other SAML IdP that has support for LDAP may work, for
 example http://picketlink.org/ may work for you if you have experience
 in setting up jboss based applications and know how to make your way in
 configuring such software. (I can't help here really).

 Simo.

 --
 Simo Sorce * Red Hat, Inc * New York


[Freeipa-users] Samba 4 with IPA

2013-04-30 Thread Simon Williams
Hi

I don't know if anyone has tried what I want to do, I really just want to
know if it's possible at the moment. A few pointers to any information
would be helpful too!

I have an existing FreeIPA server running on a CentOS machine. It is used
to authenticate all users on the network. This works very well, but setting
up Windows workstations is a bit of a pain. I also want to provide some
network storage for the windows machines. To this end, I would like to set
up a Samba 4 server as a slave to FreeIPA so that the Windows workstations
could join an AD domain controlled by Samba 4, but actually authenticating
against FreeIPA. I really want to keep FreeIPA in the driving seat, but
would love to be able to make the Windows workstations behave as though
they were on a domain.

Re: [Freeipa-users] Samba 4 with IPA

2013-04-30 Thread Simon Williams
Thanks for all your help. I'll give it a go and see how far I get.
On 30 Apr 2013 19:37, Alexander Bokovoy aboko...@redhat.com wrote:

 On Tue, 30 Apr 2013, simon.williams@thehelpfulcat.com wrote:

 That is actually pretty good news.  The real requirement is network
 storage for the Windows workstations secured by FreeIPA authentication.
 If I read what you’ve said correctly this is possible now.  I can live
 with the magical incantations to enrol any new Windows machines for
 now.  There are a few things that would work better if Windows thought
 it was logging on to a domain, but we have lived without those features
 for the last year.  Once a Windows machine has been set up correctly,
 which can be a bit hit and miss, the authentication works flawlessly.

 To be clear, we have not tested this combination so you'll be in uncharted
 waters.

 Since TGT for these users would still be issued by FreeIPA KDC, it would
 include MS-PAC with SIDs of these users in FreeIPA domain -- once you
 have run ipa-adtrust-install, of course. Thus, smbd on IPA master would
 be able to recognize them as FreeIPA users regardless where they come
 from -- IPA or Windows machines, as long as Kerberos is in use.

 Any reports of how such setup would actually behave are welcomed.

  It sounds as though I can set up the file server now and then extend it
 to do the AD DC bit when it is ready.


  I don’t suppose there is a Samba 4 + FreeIPA 3 file server HowTo
 anywhere is there?

 The only requirements for simplistic setup is to:
 1. run file server on IPA master (you can make a dedicated replica for
 that)
 2. run ipa-adtrust-install on that master to setup Samba configuration
and enable KDC + directory server to handle SIDs
 3. use 'net conf setparm ...' to setup shares, since Samba on IPA master
uses registry backend to store smb.conf configuration.

 See
 http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Using_Samba_shares
 for a sample of how to work with 'net conf setparm'.

 For 'valid users' I guess you can use simply user names since these
 would be our local ones.

 Again, this is completely untested right now.

 --
 / Alexander Bokovoy


Re: [Freeipa-users] LDAP authentication for 3rd party

2013-04-11 Thread Simon Williams
I use Atlassian products, but use Crowd to provide single signon. This
means that Crowd is the only application that needs to authenticate against
LDAP. I found that I had to tell Crowd that the server was 389 DS. I could
not get it to work set to OpenLDAP.

Regards

Simon
On 11 Apr 2013 23:36, Peter Brown rendhal...@gmail.com wrote:

 On 12 April 2013 05:04, John Dennis jden...@redhat.com wrote:

 On 04/11/2013 02:47 PM, Bartek Moczulski wrote:

 hi,
 I've got a problem with using IPA as authentication source over LDAP.
 Generally there are two approaches to LDAP authentication:
 1. bind using admin account and read passwords from user objects (but in
 ipa you cannot read passwords through ldap, right?)
 2. bind to authenticate - service tries to log in to ldap with user's
 credentials. If login is successful authentication is also successful -
 this approach does not work because you cannot login to IPA ldap using
 bare username, you need a full LDAP DN.


 Most applications I know of that do bind as user to authenticate also
 permit you to specify a format string into which the user name is inserted
 (i.e. the format string is the dn, e.g. 
 uid=%u,cn=users,cn=accounts,dc=example,dc=com)
 -or- they do a search to discover the dn. If your application does not
 support either approach it's broken IMHO.


 I have used this method for Confluence, Jira, Stash, Icinga and Foreman.
 I will be adding more applications in the future as well.
 If the application doesn't support Kerberos it's the next best thing in my
 opinion.
 I have also used it to get email lists into dovecot and postfix.

 One caveat I found is you need to tell Atlassian applications that FreeIPA
 is a plain OpenLDAP server to get it to work.
 Apart from that it works out of the box as they say.


 Reading passwords and/or password hashes is not supported for security
 reasons.

  Now, I've got a 3rd party application supporting both mentioned above
 approaches and the question is - how to make it work with ipa?

 thanks in advance,
 Bartek.



 --
 John Dennis jden...@redhat.com

 Looking to carve out IT costs?
 www.redhat.com/carveoutcosts/



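
The two "bind as the user" approaches John describes, as an added Python example that is not part of the thread and is not FreeIPA or 389-DS code. The security point it adds is the one the DN template invites you to forget: the user name typed into a login form is spliced into a DN or a search filter, so it has to be escaped (RFC 4514 for the DN, RFC 4515 for the filter) or `jdoe,cn=admins` becomes an extra RDN and `*` becomes a wildcard. The base DN dc=example,dc=com and the uid policy in is_acceptable_uid() are assumptions; IPA keeps users under cn=users,cn=accounts,<base DN>. No LDAP connection is opened; the functions produce the DN, filter and credentials you would hand to whatever LDAP client the application uses.

```python
# Added example, not from the thread or from FreeIPA: the two "bind as the
# user" approaches John describes, done so that the user name supplied at
# the login form cannot rewrite the bind DN or the search filter. The base
# DN dc=example,dc=com and the uid policy are assumptions; IPA keeps users
# under cn=users,cn=accounts,<base DN>. No LDAP connection is opened here;
# the functions produce the DN and filter you would hand to the client.

import re

USER_DN_TEMPLATE = "uid=%u,cn=users,cn=accounts,dc=example,dc=com"

# RFC 4514: characters that must be escaped inside a DN attribute value.
_DN_SPECIAL = set('\\,+"<>;=')


def escape_dn_value(value):
    """Escape a string for use as one attribute value inside a DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and i in (0, last):
            out.append("\\ ")
        elif ord(ch) < 0x20:
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value):
    """RFC 4515: escape the filter metacharacters as \\XX hex pairs, so a
    '*' in the input stays a literal star rather than a wildcard."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value
    )


def is_acceptable_uid(username):
    """Assumed local policy applied before the directory is contacted; it is
    deliberately tighter than what escaping alone would make safe."""
    return re.fullmatch(r"[a-z0-9_][a-z0-9_.-]{0,31}", username) is not None


def build_bind_dn(username, template=USER_DN_TEMPLATE):
    """Approach 1: bind directly as the user. The name is escaped, so
    'jdoe,cn=admins' stays one RDN value instead of adding an RDN."""
    return template.replace("%u", escape_dn_value(username))


def build_uid_filter(username):
    """Approach 2: search for the user's DN first, then bind with it."""
    return "(&(objectClass=posixAccount)(uid=%s))" % escape_filter_value(username)


def prepare_simple_bind(username, password):
    """Return (bind_dn, password) for a simple bind, refusing the two inputs
    that turn 'bind to authenticate' into a free pass: a name outside
    policy, and an empty password, which some LDAP servers accept as an
    unauthenticated (anonymous) bind and report as success."""
    if not is_acceptable_uid(username):
        raise ValueError("user name rejected by policy: %r" % username)
    if not password:
        raise ValueError("empty password would be an unauthenticated bind")
    return build_bind_dn(username), password


if __name__ == "__main__":
    print(build_bind_dn("jdoe"))
    print(build_bind_dn("jdoe,cn=admins"))
    print(build_uid_filter("j*"))
    print(prepare_simple_bind("jdoe", "s3cret"))
```

Escaping and the policy check are separate layers on purpose: the policy is what you tune for your own naming rules, the escaping is what keeps the DN and filter well-formed no matter what the policy lets through.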

Re: [Freeipa-users] Where has my LDAP server gone!

2013-04-08 Thread Simon Williams
Thank you, that has solved the issue wonderfully! I do remember the update
hanging now you mention it, but I didn't put two and two together!

Regards

Simon
On 7 Apr 2013 21:47, Rob Crittenden rcrit...@redhat.com wrote:

 Simon Williams wrote:

 Hi

 I ran a yum update on my CentOS 6 server that runs FreeIPA a couple of
 days ago and it upgraded FreeIPA to version 3. I use a couple of web
 applications that cannot use Kerberos, but can use LDAP to
 authenticate.  These stopped working. When I investigated the issue, I
 discovered that the LDAP server wasn't there any more. Google searches
 have proved fruitless and I can't find any documentation for v3. Can
 anyone tell me how to get my LDAP server back?


 There is a bug in 389-ds that is affecting some IPA upgrades. It causes
 the upgrade process to hang and breaking out of it leaves the LDAP server
 not listening to anything (note that if the upgrade outright fails we do
 restore things).

 What you want to do is this:

 1. service dirsrv stop (you MUST do this before editing dse.ldif)
 2. edit dse.ldif and set
 nsslapd-port: 389
 nsslapd-security: on
 3. service dirsrv start
 4. as root, ipa-ldap-updater --ldapi

 Updated 389-ds packages are being worked on.

 rob

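
Rob's step 2 applied to a copy of dse.ldif in code rather than in an editor, as an added Python example that is not part of the thread and is not 389-DS or FreeIPA code. The points a practitioner wants covered are the ones that bite when the file is hand-edited: LDIF continuation lines (a leading space continues the previous line), an attribute that is missing rather than wrong, and the same attribute name appearing in other entries of the file. The function edits only the `dn: cn=config` entry and leaves every other entry alone. SAMPLE_DSE_LDIF is a constructed, cut-down sample; the real file is /etc/dirsrv/slapd-<INSTANCE>/dse.ldif and, as Rob says, the dirsrv service must be stopped before it is touched.

```python
# Added example, not from the thread or from 389-DS: Rob's step 2 applied
# to a copy of dse.ldif in code rather than in an editor. It edits only the
# "dn: cn=config" entry, joins LDIF continuation lines first, replaces an
# existing value or adds the attribute when it is missing, and leaves every
# other entry alone. SAMPLE_DSE_LDIF is a constructed, cut-down sample; the
# real file is /etc/dirsrv/slapd-<INSTANCE>/dse.ldif and, as Rob says, the
# dirsrv service must be stopped before it is touched.

SAMPLE_DSE_LDIF = """\
dn: cn=config
cn: config
objectClass: top
objectClass: extensibleObject
objectClass: nsslapdConfig
nsslapd-port: 0
nsslapd-localhost: ipa.example.com
nsslapd-ldapifilepath: /var/run/slapd-EXAMPLE-
 COM.socket

dn: cn=encryption,cn=config
cn: encryption
objectClass: top
objectClass: nsEncryptionConfig
nsSSLClientAuth: allowed
"""


def _unfold(text):
    """Join LDIF continuation lines: a line that starts with a single space
    continues the previous line."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines


def _entries(text):
    """Split unfolded LDIF into entries, each a list of 'name: value' lines
    starting with its dn line; entries are separated by blank lines."""
    entries, current = [], []
    for line in _unfold(text):
        if line.strip():
            current.append(line)
        elif current:
            entries.append(current)
            current = []
    if current:
        entries.append(current)
    for entry in entries:
        if not entry[0].lower().startswith("dn:"):
            raise ValueError("entry does not begin with dn: %r" % entry[0])
    return entries


def _dn_of(entry):
    return entry[0].partition(":")[2].strip().lower()


def get_attr(ldif_text, dn, name):
    """First value of `name` in the entry `dn`, or None."""
    for entry in _entries(ldif_text):
        if _dn_of(entry) != dn.lower():
            continue
        for line in entry[1:]:
            key, _, value = line.partition(":")
            if key.strip().lower() == name.lower():
                return value.strip()
        return None
    return None


def set_config_attrs(ldif_text, wanted, target_dn="cn=config"):
    """Return new LDIF text with each attribute in `wanted` set to the given
    single value inside the entry `target_dn`. Raises if no such entry."""
    wanted_lc = {k.lower(): (k, v) for k, v in wanted.items()}
    out, found = [], False
    for entry in _entries(ldif_text):
        if _dn_of(entry) != target_dn.lower():
            out.append(entry)  # other entries pass through untouched
            continue
        found = True
        done, new_entry = set(), [entry[0]]
        for line in entry[1:]:
            key = line.partition(":")[0].strip().lower()
            if key in wanted_lc:
                if key not in done:
                    new_entry.append("%s: %s" % wanted_lc[key])
                    done.add(key)
                continue  # drop any further value of a single-valued attribute
            new_entry.append(line)
        for key, (name, value) in wanted_lc.items():
            if key not in done:
                new_entry.append("%s: %s" % (name, value))  # attribute was absent
        out.append(new_entry)
    if not found:
        raise ValueError("no entry with dn %s in the LDIF" % target_dn)
    return "\n\n".join("\n".join(entry) for entry in out) + "\n"


if __name__ == "__main__":
    fixed = set_config_attrs(SAMPLE_DSE_LDIF,
                             {"nsslapd-port": "389", "nsslapd-security": "on"})
    print(fixed)
```

Write the result to a temporary file, diff it against the original, and only then move it into place; the diff should show nothing but the two nsslapd lines, which is the check that the edit did not stray into another entry.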

[Freeipa-users] Where has my LDAP server gone!

2013-04-07 Thread Simon Williams
Hi

I ran a yum update on my CentOS 6 server that runs FreeIPA a couple of days
ago and it upgraded FreeIPA to version 3. I use a couple of web
applications that cannot use Kerberos, but can use LDAP to authenticate.
These stopped working. When I investigated the issue, I discovered that the
LDAP server wasn't there any more. Google searches have proved fruitless
and I can't find any documentation for v3. Can anyone tell me how to get my
LDAP server back?

Regards

Simon

[Freeipa-users] mod_nss issue.

2012-10-08 Thread Simon Williams
I have found a problem with mod_nss that appears to have been reported in
2010, but I cannot find any further reference to it.  The 2010 reference
contains a comment saying that it is an issue and needs to be fixed.  I
have not been able to find any issue tracking system for mod_nss and so
haven't been able to check on the status.

The problem is that mod_nss does not appear to respond with the correct
certificate when multiple name virtual servers are configured on an
instance of Apache.  It always responds with the certificate of the first
name virtual server defined.  It does process the other sites'
configurations because it complains if certificates with the aliases used
are not in the database.  This would not be an issue (for me) if mod_ssl
could be used for virtual servers other than the IPA server, but they
cannot co-exist.  If you try to mix them, mod_ssl complains that port 443
is being used for the IPA server, but it is not SSL aware.  I suppose it
would be possible to reconfigure the IPA name virtual server to use mod_ssl
by exporting the certificate, but I really don't like to muck around with
the directory server configuration more than is necessary as it is vital
that it remains stable and secure.

Could anyone enlighten me as to whether this issue is being looked at or
even if it is fixed and the CentOS people (CentOS 6.3 standard repositories
all packages up to date as of yesterday) just aren't supplying a new enough
version of mod_nss.  At the moment, I can use my SSL secured sites as the
encryption works okay, but I cannot open them up as they report the wrong
host name in the certificate.

Regards

Simon Williams

Re: [Freeipa-users] mod_nss issue.

2012-10-08 Thread Simon Williams
I understand exactly where you are coming from Alexander and in an ideal
world the web sites that I want to get at externally would be on a
different server.  I am not the normal type of FreeIPA user, being a very
small business with only a couple of users and half a dozen or so machines
and, currently, very limited resources.  IPA makes it so easy to administer
the network however that I would be loath not to use it! We are
developing software and I only have one server that I can dedicate to being
a stable host.  I have two other machines on the network that are currently
always on and both are used for development both running Fedora, one x64
and one Arm.  Neither of these machines could be considered stable.  The
other machines are a mix of Windows and Fedora laptops, soon to have a Mac
added if my partner gets her way.  I currently restrict access to the IPA
name virtual server by not having a publicly accessible name for it (and
using deny all, allow *local network*, but I don't think that does
anything as the incoming packets are routed using NAT, but it costs nothing
to have it there!).  I realise that this is insecure as a request on port
443 that does not have a host name will be handled by the default and
therefore IPA name virtual server.  That is something I still have to
address, but was intending to make the default name virtual server just
redirect to a 404 error page.

I had already found, read and tried the guide at the link you sent, that is
how I discovered that mod_ssl and mod_nss wouldn't co-exist.

Your comment Rob has started me thinking along different lines than I was.
 If the mod_ssl/mod_nss incompatibility only exists if the same port and IP
address is used, since I specifically don't want the IPA server to be
available outside the local network, I could either use a different port
for the non-IPA name virtual servers (the gateway could still present 80
and 443 to the outside world since the gateway is redirecting the packets
anyway).  Or a different virtual IP address on the server for the non-IPA
sites (only one NIC on the server and no free slots, so couldn't be
physically separate).  This would kill two birds with one stone (ie. make
the IPA instance more secure and solve the certificate problem).  It would
also make it easier to put the non-IPA web servers on a different machine
when I am in a position to do that.

Thank you both for your help.  I think that you have prodded me in the
right direction for a workaround.

Regards

Simon Williams

On Mon, Oct 8, 2012 at 1:45 PM, Rob Crittenden rcrit...@redhat.com wrote:

 Alexander Bokovoy wrote:

 On Mon, 08 Oct 2012, Simon Williams wrote:

 I have found a problem with mod_nss that appears to have been reported in
 2010, but I cannot find any further reference to it.  The 2010 reference
 contains a comment saying that it is an issue and needs to be fixed.  I
 have not been able to find any issue tracking system for mod_nss and so
 haven't been able to check on the status.

 The problem is that mod_nss does not appear to respond with the correct
 certificate when multiple name virtual servers are configured on an
 instance of Apache.  It always responds with the certificate of the first
 name virtual server defined.  It does process the other sites'
 configurations because it complains if certificates with the aliases used
 are not in the database.  This would not be an issue (for me) if mod_ssl
 could be used for virtual servers other than the IPA server, but they
 cannot co-exist.  If you try to mix them, mod_ssl complains that port 443
 is being used for the IPA server, but it is not SSL aware.  I suppose it
 would be possible to reconfigure the IPA name virtual server to use
 mod_ssl
 by exporting the certificate, but I really don't like to muck around with
 the directory server configuration more than is necessary as it is vital
 that it remains stable and secure.

 Could anyone enlighten me as to whether this issue is being looked at or
 even if it is fixed and the CentOS people (CentOS 6.3 standard
 repositories
 all packages up to date as of yesterday) just aren't supplying a new
 enough
 version of mod_nss.  At the moment, I can use my SSL secured sites as the
 encryption works okay, but I cannot open them up as they report the wrong
 host name in the certificate.

 I assume all this comes because you run these virtual servers on the
 same instance as FreeIPA master itself, thus conflicting mod_ssl and
 mod_nss.

 Here is description how to make name-based SSL virtual hosts working in
 FreeIPA environment using mod_ssl. This howto assumes you are using a
 separate server than FreeIPA master to provide actual hosting for
 the virtual hosts which also makes sense because one would need to apply
 greater security protection to the KDC which runs on the same FreeIPA
 host.

 http://freeipa.org/page/Apache_SNI_With_Kerberos


 mod_nss doesn't support SNI because NSS

[Freeipa-users] Fwd: Re: Certificates for public facing web sites

2012-10-01 Thread Simon Williams
Fantastic, I knew about the flag, but thought it only worked on hosts. It
works on services too, which solves the problem.

Thank you.
-- Forwarded message --
From: Rob Crittenden rcrit...@redhat.com
Date: Oct 1, 2012 3:23 PM
Subject: Re: [Freeipa-users] Certificates for public facing web sites
To: Simon Williams simon.willi...@thehelpfulcat.com
Cc: freeipa-users@redhat.com

Simon Williams wrote:

 Hi

 Possibly a bit of a strange requirement, I don't really know!  I have a
 small business and am using IPA to manage our network.  I have migrated
 from an LDAP setup with a variety of different certificates lying around
 for different applications and find IPA much easier to administer,
 despite the fact that it probably overkill for a couple of users using
 half a dozen hosts.

 I have a few named virtual hosts that provide access to web based
 systems from outside the local network, but I do not have sufficient
 control over the external domain's DNS to add a subdomain with its own
 DNS.  I can add A records and CNAME records to point to the virtual
 hosts, but I cannot add NS records to delegate name resolution to my own
 DNS.  The ISP I use does not allow dynamic DNS updates.  I would like to
 use FreeIPA to manage the SSL certificates for these virtual hosts using
 mod_nss and have already implemented this successfully for virtual hosts
 on the local domain, but since I do not control the public domain, I
 can't see how to achieve this.

 Please forgive me if I am missing something obvious, but I've only been
 using FreeIPA for two weeks and it is a testament to its ease of use
 that I have managed to get as far as I have with it in that time unaided!


So the problem is your domain is example.com and is managed by IPA and you
want to create certificates for someothercorp.com?

You should be able to use the --force flag to create a host and create
services/issue certificates from that point.

rob