Re: [Freeipa-users] FreeIPA as Samba Backend, Existing Users Fail

2017-01-18 Thread Youenn PIOLET
Hi,

ipa-adtrust-install populates the ipaNTHash in LDAP for each user/group,
but you still need a samba backend to read these new attributes.
Do you use ipasam.so ?
If you don't, you should recompile your version of FreeIPA, move ipasam.so
to your password backend directory containing other .so files, and put this
in your smb.conf :

passdb backend = ldapsam:ldap://ipaserver


The procedure / best practices may have changed by now, if anyone from Red Hat is
around to confirm...
I can just tell you it's working with any CentOS 7 and FreeIPA > 4.1.4 server.

--
Youenn Piolet
piole...@gmail.com


2017-01-13 19:33 GMT+01:00 Armaan Esfahani <armaan.esfah...@advancedopen.com>:

> Upon running the ldapmodify command, I receive an “ldap_bind: No such
> object (32)” error, any suggestions?
>
> On 1/13/17, 8:37 AM, "Sumit Bose" <freeipa-users-boun...@redhat.com on
> behalf of sb...@redhat.com> wrote:
>
> On Wed, Jan 11, 2017 at 04:00:57PM -0500, Armaan Esfahani wrote:
>
> > Hi, I have setup a Samba server to use FreeIPA as a password
> > backend, however whenever I try to use existing users to login I get
> > “NT_STATUS_LOGON_FAILURE”.
> >
> > Looking at the sssd_nss log on my ipa server, I get the following
> > error “(Wed Jan 11 15:56:11 2017) [sssd[nss]] [fill_sid] (0x0020): Missing
> > SID.”  On all existing accounts, whereas all new accounts function properly
> > (after resetting their passwords).
> >
> > Anyone have any ideas?
>
> Maybe the sidgen task was run during ipa-adtrust-install, please see
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/creating-trusts.html#create-trust-existing-idm
>
> how to run it.
>
> HTH
>
> bye,
>
> Sumit
>
> > --
> > Manage your subscription for the Freeipa-users mailing list:
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> > Go to http://freeipa.org for more info on the project
>

Re: [Freeipa-users] freeipa 4.4.0 and Ubuntu 14.04

2017-01-09 Thread Youenn PIOLET
Hey there,

I got the same issue after upgrading my servers to 4.4.0.
The problem comes from duplicate entries in:
cn=permissions,cn=pbac,dc=example,dc=com

I think the FreeIPA upgrade fails to create ACLs on pbac-specific entries,
resulting in conflict entry creation.

The problem is that SSSD on Ubuntu 14.04 crashes when reading pbac entries
whose cn contains the symbol "+".
You should check if you have these conflict entries in
cn=permissions,cn=pbac,dc=example,dc=com and remove them.

Ubuntu authentication was working for me directly after removing them.

Regards,

--
Youenn Piolet
piole...@gmail.com


2017-01-09 8:56 GMT+01:00 Jakub Hrozek <jhro...@redhat.com>:

> On Fri, Jan 06, 2017 at 11:48:07AM -0500, Andy Brittingham wrote:
> > Sorry for the delay, was doing some troubleshooting.
> >
> > Here is what I know now:
> >
> > The problem is on Ubuntu hosts using older sssd versions 1.11.8 (Ubuntu
> > 14.04).
> >
> > SSSD versions 1.13.4 (Ubuntu 16.04) and 1.13.3 (CentOS 6.8) both work.
> >
> > Users in the admin group can't log into these hosts.
> >
> > I created a newadmins group and assigned a new user to it. When I add the
> > "User Administrator" role the new user can't log into the hosts with older
> > sssd.
> >
> > As soon as I delete the "User Administrator" role, new user has access
> > again.
>
> So is it a role membership or a group membership that makes the
> difference?
>
> >
> > I've pasted the last bit of logs from a sssd_domain log below. I'd be happy
> > to forward the entire log, or additional logs if they will be helpful.
>
> The log only captures a user lookup, not a login, sorry..
>
> (This might be expected if you log in e.g. with an SSH key, in which
> case journald should be the first thing to look at at least to pinpoint
> which piece denied access..)
>
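A way to find the conflict entries the reply above tells you to look for, as an added example that is not from the thread: it reads an LDIF dump of the cn=permissions,cn=pbac subtree and flags 389-ds replication conflict entries, i.e. entries whose RDN was rewritten to "nsuniqueid=<id>+cn=<name>" (the "+" in the cn) or that carry nsds5ReplConflict. The LDIF and the nsuniqueid value are constructed.

```python
"""Find 389-ds replication conflict entries in an LDIF dump.

Constructed example. A real dump of the subtree can be taken with, e.g.:
  ldapsearch -LLL -b cn=permissions,cn=pbac,dc=example,dc=com '(objectClass=*)'
Review the hits before deleting them with ldapdelete.
"""
import base64
import re
from typing import Dict, List, Tuple

# 389-ds renames the losing duplicate to "nsuniqueid=<id>+<original RDN>"
# and records the original DN in nsds5ReplConflict.
CONFLICT_RDN = re.compile(r"^nsuniqueid=[0-9a-f-]+\+", re.IGNORECASE)

# Constructed LDIF: a clean permission, a naming-conflict duplicate of it
# (folded DN, made-up nsuniqueid) and an unrelated permission.
SAMPLE_LDIF = """\
dn: cn=System: Read User Addressbook Attributes,cn=permissions,cn=pbac,dc=example,dc=com
objectClass: ipapermission
cn: System: Read User Addressbook Attributes

dn: nsuniqueid=deadbeef-00000000-00000000-00000001+cn=System: Read User Add
 ressbook Attributes,cn=permissions,cn=pbac,dc=example,dc=com
objectClass: ipapermission
cn: System: Read User Addressbook Attributes
nsds5ReplConflict: namingConflict cn=System: Read User Addressbook Attributes,cn=permissions,cn=pbac,dc=example,dc=com

dn: cn=Add Hosts,cn=permissions,cn=pbac,dc=example,dc=com
objectClass: ipapermission
cn: Add Hosts
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: unfolds continuation lines, decodes '::'
    (base64) values and returns one {attr: [values]} dict per entry."""
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]            # folded continuation line
        else:
            unfolded.append(raw)
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in unfolded + [""]:               # sentinel flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):              # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    return entries


def find_conflicts(entries: List[Dict[str, List[str]]]) -> List[Tuple[str, str]]:
    """Return (conflict_dn, original_dn) for every replication conflict entry:
    either nsds5ReplConflict names the original DN, or the RDN carries the
    nsuniqueid+ prefix and the original DN is what remains once it is removed."""
    found: List[Tuple[str, str]] = []
    for entry in entries:
        dn = entry.get("dn", [""])[0]
        marker = entry.get("nsds5replconflict", [""])[0]
        if marker.startswith("namingConflict "):
            found.append((dn, marker.split(" ", 1)[1]))
        elif CONFLICT_RDN.match(dn):
            found.append((dn, CONFLICT_RDN.sub("", dn)))
    return found


if __name__ == "__main__":
    for conflict_dn, original_dn in find_conflicts(parse_ldif(SAMPLE_LDIF)):
        print(f"conflict: {conflict_dn}\n    duplicates: {original_dn}")
```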

Re: [Freeipa-users] IPA 4.4.0: clcache_load_buffer_bulk error

2017-01-05 Thread Youenn PIOLET
Hi,
Got the same messages :)
(and I almost got all other problems you posted on this list since your 4.4
upgrade)

If anyone can tell us whether we have to do anything to clean up the problematic CSNs...

Happy new year to all freeipa-users!
--
Youenn Piolet
piole...@gmail.com


2016-12-24 9:33 GMT+01:00 <dan.finkelst...@high5games.com>:

> Since upgrading to IPA 4.4.0 and CentOS-7.3, our master has been
> outputting the following line repeatedly in its slapd error logs:
>
> [24/Dec/2016:08:11:36.684385818 +] clcache_load_buffer_bulk -
> changelog record with csn (585e436900150004) not found for DB_NEXT
>
> What does it mean and, if repair is needed, what should I do?
>
> Thanks and regards,
>
> Dan

Re: [Freeipa-users] (no subject)

2016-12-21 Thread Youenn PIOLET
Hi Adrian,

You can use basic_ldap_auth to connect to FreeIPA using LDAP instead of
negotiate_kerberos_auth:

auth_param basic program /usr/lib/squid3/basic_ldap_auth -R \
-b "cn=accounts,dc=example,dc=com" \
-f uid=%s -h  -ZZ
auth_param basic children 10
auth_param basic realm infra.msv
auth_param basic credentialsttl 30 second



Regards,

--
Youenn Piolet
piole...@gmail.com


2016-12-21 17:53 GMT+01:00 Ing. Adrian Hernández Yeja <ay...@uci.cu>:

> Hi folks, I need to authenticate my users against a squid proxy server using
> FreeIPA. I know it is possible
> (https://www.freeipa.org/page/Squid_Integration_with_FreeIPA_using_Single_Sign_On)
> but my users are not necessarily authenticated in a FreeIPA domain, so my
> question is whether it's possible to meet this requirement with either a
> third-party application or a specific configuration.
>
> Regards.
>
> The @universidad_uci is Fidel. We, the young, will not fail.
> #HastaSiempreComandante
> #HastalaVictoriaSiempre

Re: [Freeipa-users] Server replication stopped working

2016-09-27 Thread Youenn PIOLET
Hi Ludwig,

Version:
389-ds-base-1.3.4.0-33.el7_2.x86_64

The timestamp probably matches the last time I did an ipa-replica-manage
re-initialize.
I have to do it every day (many times a day actually!), as replication is
broken. This CSN changes all the time.

My main goal is to rebuild everything from a clean base.
I've got no master without errors.

What is the easiest way to rebuild everything?
ipa-[cs]replica-manage re-initialize isn't very effective.

Thanks in advance,
Regards

--
Youenn Piolet
piole...@gmail.com


2016-09-26 9:42 GMT+02:00 Ludwig Krispenz <lkris...@redhat.com>:

>
> On 09/25/2016 09:35 PM, Youenn PIOLET wrote:
>
> Hi there,
>
> Same issue for me in my 15 ipa-server multi-master grid just after the
> update.
> The replication is completely broken except on 3/15 nodes.
>
> This is the second time I have to fully reinitialize the whole cluster for
> a similar reason. I don't know what to do to clean this mess...
> For more information: this cluster was initialized on a Fedora 4.1.4
> more than one year ago, then completely migrated to CentOS 7, IPA 4.2.
>
> What is the exact version of 389-ds-base you are running?
>
> Did these errors come out of the blue or are they related to some
> activities? The csn which is not found has a timestamp of "Thu, 22 Sep
> 2016 15:59:08 GMT"; did anything happen around this time?
>
>
> Example on fr-master03 error logs:
>
> [25/Sep/2016:19:27:31 +] NSMMReplicationPlugin - changelog program -
> agmt="cn=meTofr-master01.domain" (fr-master01:389): CSN
> 57e3ffcc0003001a not found, we aren't as up to date, or we purged
> [25/Sep/2016:19:27:31 +] NSMMReplicationPlugin -
> agmt="cn=meTofr-master01.domain" (fr-master01:389): Data required to
> update replica has been purged. The replica must be reinitialized.
> [25/Sep/2016:19:27:31 +] NSMMReplicationPlugin -
> agmt="cn=meTofr-master01.domain" (fr-master01:389): Incremental update
> failed and requires administrator action
> ipa: INFO: The ipactl command was successful
> [25/Sep/2016:19:27:35 +] agmt="cn=meTofr-master02.domain"
> (fr-master02:389) - Can't locate CSN 57e3ffcc0003001a in the changelog
> (DB rc=-30988). If replication stops, the consumer may need to be
> reinitialized.
> [25/Sep/2016:19:27:35 +] NSMMReplicationPlugin - changelog program -
> agmt="cn=meTofr-master02.domain" (fr-master02:389): CSN
> 57e3ffcc0003001a not found, we aren't as up to date, or we purged
> [25/Sep/2016:19:27:35 +] NSMMReplicationPlugin -
> agmt="cn=meTofr-master02.domain" (fr-master02:389): Data required to
> update replica has been purged. The replica must be reinitialized.
> [25/Sep/2016:19:27:35 +] NSMMReplicationPlugin -
> agmt="cn=meTofr-master02.domain" (fr-master02:389): Incremental update
> failed and requires administrator action
>
> Regards,
>
> --
> Youenn Piolet
> piole...@gmail.com
>
>
> 2016-09-23 17:51 GMT+02:00 Mike Driscoll <mike.drisc...@oracle.com>:
>
>> Hello.  I have four IPA servers replicating in full mesh.  All four
>> servers are running ipa-server-4.2.0-15.0.1.el7_2.19.x86_64.
>>
>> This was working for some time but now I see that no replication is
>> occurring automatically at present.
>>
>> When I update a user attribute on an IPA server, I see errors like these:
>> [22/Sep/2016:16:53:49 -0700] attrlist_replace - attr_replace
>> (nsslapd-referral, ldap://ldap03.xx.com:389/o%3Dipaca) failed.
>> [22/Sep/2016:16:58:56 -0700] NSMMReplicationPlugin - agmt="cn=
>> masterAgreement1-ldap03.xx.com <http://masteragreement1-ldap03.xx.com>
>> -pki-tomcat" (ldap03:389): Incremental update failed and requires
>> administrator action
>>
>> I can reinitialize without errors.
>> ipa-csreplica-manage re-initialize --from=ldap01.xx.com
>> <http://ldap04.us.oracle.com>
>> ipa-replica-manage re-initialize --from=ldap01.xx.com
>> Afterwards I see my attribute (and other) changes are replicated on each
>> server I re-initialize from.  But subsequently, replication doesn’t seem to
>> be happening.
>>
>> I reinitialized according to the steps in Table 8.7, “Replication
>> Errors”, but subsequent replication isn’t occurring.  Any suggestions?  Is
>> it safe to identify one of my four servers as containing up-to-date data,
>> then sever and reinstate replication relationships with the other three?
>>
>> Mike
>>
>>
>>
>>
>>
>>
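Ludwig's reply above decodes the timestamp hidden in the missing CSN. The following added example (not code from the thread or from 389-ds) does that decoding for every "CSN ... not found" / "Can't locate CSN" line in an errors log, using the documented 389-ds CSN layout of 20 hex digits: 8 (Unix time, UTC) + 4 (sequence number) + 4 (replica ID) + 4 (sub-sequence). The log lines and the full CSN value are constructed; only the timestamp 0x57e3ffcc is taken from the thread.

```python
"""Decode 389-ds CSNs quoted in replication error-log lines.

Added example; SAMPLE_LOG and the CSN in it are constructed. A CSN is
20 hex digits: timestamp(8) + seqnum(4) + replica id(4) + subseq(4).
"""
import re
from datetime import datetime, timezone
from typing import Dict, List, NamedTuple, Set


class CSN(NamedTuple):
    raw: str
    timestamp: datetime
    seqnum: int
    replica_id: int
    subseq: int


def decode_csn(raw: str) -> CSN:
    """Split a 20-hex-digit CSN into its fields. Anything else is rejected:
    a truncated or mangled value would otherwise decode into nonsense."""
    raw = raw.strip().lower()
    if not re.fullmatch(r"[0-9a-f]{20}", raw):
        raise ValueError(f"not a 20-hex-digit CSN: {raw!r}")
    when = datetime.fromtimestamp(int(raw[0:8], 16), tz=timezone.utc)
    return CSN(raw, when, int(raw[8:12], 16), int(raw[12:16], 16),
               int(raw[16:20], 16))


# Both message shapes seen in the thread: with or without the
# "NSMMReplicationPlugin - " and "changelog program - " prefixes.
LINE_RE = re.compile(
    r'^\[(?P<when>[^\]]+)\]\s+(?:NSMMReplicationPlugin\s+-\s+)?'
    r'(?:changelog program\s+-\s+)?agmt="(?P<agmt>[^"]+)"\s+'
    r'\((?P<peer>[^)]+)\)[\s:-]+(?P<msg>.*)$')
CSN_RE = re.compile(r"\bCSN\s+(?P<csn>[0-9a-fA-F]{20})\b")

SAMPLE_LOG = """\
[25/Sep/2016:19:27:31 +0000] NSMMReplicationPlugin - changelog program - agmt="cn=meTofr-master01.domain" (fr-master01:389): CSN 57e3ffcc000300040000 not found, we aren't as up to date, or we purged
[25/Sep/2016:19:27:31 +0000] NSMMReplicationPlugin - agmt="cn=meTofr-master01.domain" (fr-master01:389): Data required to update replica has been purged. The replica must be reinitialized.
[25/Sep/2016:19:27:35 +0000] agmt="cn=meTofr-master02.domain" (fr-master02:389) - Can't locate CSN 57e3ffcc000300040000 in the changelog (DB rc=-30988). If replication stops, the consumer may need to be reinitialized.
"""


def scan_errors_log(text: str) -> List[Dict[str, object]]:
    """One record per line that names a missing CSN: agreement, peer,
    the decoded CSN and how old that change was when the line was logged."""
    records: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        c = CSN_RE.search(m["msg"])
        if not c:
            continue
        csn = decode_csn(c["csn"])
        logged = datetime.strptime(m["when"], "%d/%b/%Y:%H:%M:%S %z")
        records.append({"agmt": m["agmt"], "peer": m["peer"], "csn": csn,
                        "age_seconds": int((logged - csn.timestamp).total_seconds())})
    return records


def missing_by_replica(records: List[Dict[str, object]]) -> Dict[int, Set[str]]:
    """Replica ID that authored the missing change -> peers complaining.
    One replica ID missing towards every peer points at that master's
    changelog (purged or reset) rather than at the consumers."""
    out: Dict[int, Set[str]] = {}
    for r in records:
        out.setdefault(r["csn"].replica_id, set()).add(r["peer"])
    return out


if __name__ == "__main__":
    for r in scan_errors_log(SAMPLE_LOG):
        csn = r["csn"]
        print(f"{r['peer']}: CSN {csn.raw} = {csn.timestamp:%Y-%m-%d %H:%M:%S %Z}, "
              f"seq {csn.seqnum}, replica {csn.replica_id}, {r['age_seconds']}s old")
    print(missing_by_replica(scan_errors_log(SAMPLE_LOG)))
```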

Re: [Freeipa-users] Server replication stopped working

2016-09-25 Thread Youenn PIOLET
Hi there,

Same issue for me in my 15 ipa-server multi-master grid just after the
update.
The replication is completely broken except on 3/15 nodes.

This is the second time I have to fully reinitialize the whole cluster for
a similar reason. I don't know what to do to clean this mess...
For more information: this cluster was initialized on a Fedora 4.1.4
more than one year ago, then completely migrated to CentOS 7, IPA 4.2.

Example on fr-master03 error logs:

[25/Sep/2016:19:27:31 +] NSMMReplicationPlugin - changelog program -
agmt="cn=meTofr-master01.domain" (fr-master01:389): CSN
57e3ffcc0003001a not found, we aren't as up to date, or we purged
[25/Sep/2016:19:27:31 +] NSMMReplicationPlugin -
agmt="cn=meTofr-master01.domain" (fr-master01:389): Data required to update
replica has been purged. The replica must be reinitialized.
[25/Sep/2016:19:27:31 +] NSMMReplicationPlugin -
agmt="cn=meTofr-master01.domain" (fr-master01:389): Incremental update
failed and requires administrator action
ipa: INFO: The ipactl command was successful
[25/Sep/2016:19:27:35 +] agmt="cn=meTofr-master02.domain"
(fr-master02:389) - Can't locate CSN 57e3ffcc0003001a in the changelog
(DB rc=-30988). If replication stops, the consumer may need to be
reinitialized.
[25/Sep/2016:19:27:35 +] NSMMReplicationPlugin - changelog program -
agmt="cn=meTofr-master02.domain" (fr-master02:389): CSN
57e3ffcc0003001a not found, we aren't as up to date, or we purged
[25/Sep/2016:19:27:35 +] NSMMReplicationPlugin -
agmt="cn=meTofr-master02.domain" (fr-master02:389): Data required to update
replica has been purged. The replica must be reinitialized.
[25/Sep/2016:19:27:35 +] NSMMReplicationPlugin -
agmt="cn=meTofr-master02.domain" (fr-master02:389): Incremental update
failed and requires administrator action

Regards,

--
Youenn Piolet
piole...@gmail.com


2016-09-23 17:51 GMT+02:00 Mike Driscoll <mike.drisc...@oracle.com>:

> Hello.  I have four IPA servers replicating in full mesh.  All four
> servers are running ipa-server-4.2.0-15.0.1.el7_2.19.x86_64.
>
> This was working for some time but now I see that no replication is
> occurring automatically at present.
>
> When I update a user attribute on an IPA server, I see errors like these:
> [22/Sep/2016:16:53:49 -0700] attrlist_replace - attr_replace
> (nsslapd-referral, ldap://ldap03.xx.com:389/o%3Dipaca) failed.
> [22/Sep/2016:16:58:56 -0700] NSMMReplicationPlugin - agmt="cn=
> masterAgreement1-ldap03.xx.com <http://masteragreement1-ldap03.xx.com>
> -pki-tomcat" (ldap03:389): Incremental update failed and requires
> administrator action
>
> I can reinitialize without errors.
> ipa-csreplica-manage re-initialize --from=ldap01.xx.com
> <http://ldap04.us.oracle.com>
> ipa-replica-manage re-initialize --from=ldap01.xx.com
> Afterwards I see my attribute (and other) changes are replicated on each
> server I re-initialize from.  But subsequently, replication doesn’t seem to
> be happening.
>
> I reinitialized according to the steps in Table 8.7, “Replication Errors”,
> but subsequent replication isn’t occurring.  Any suggestions?  Is it safe
> to identify one of my four servers as containing up-to-date data, then
> sever and reinstate replication relationships with the other three?
>
> Mike

Re: [Freeipa-users] IPA and NFSv4 with krb5 security

2016-06-30 Thread Youenn PIOLET
Hi,
First questions (sorry if it's obvious):
- Do you have a valid token on the client? (obtained with kinit)
- Did you import the keytab for the NFS service on the server?
- Did you put "domain = yourdomain.tld" in your NFS server config file? On
your client?
- Depending on your (ipa? nfs?) version you may have to enable weak crypto
(I saw this everywhere but never had to do it, for a reason I still don't know)

I'm far from being the most informed person on this list, but I think these
may be the first things to check.

Hope this helps,
Regards
--
Youenn Piolet
piole...@gmail.com


2016-06-30 21:47 GMT+02:00 Joanna Delaporte <joannadelapo...@gmail.com>:

> I need some pointers for getting NFSv4 to use krb5 authorization in my IPA
> realm.
>
> My realm is new. I have just migrated some users from an NIS domain to the
> IPA realm. The numerical UIDs and GIDs do not all match. I set up NFS
> server and client, and automaps using the recommended methods in the RHEL 7
> Storage and Domain Auth/Policy guides.
>
> In the exports file on the nfsserver, as long as I
> have sec=krb5p:krb5i:krb5:sys in my options, I can successfully automount.
> However, when I remove sys, I no longer am able to mount. I have
> root_squash set.
>
> Automount hangs when I restart it, while trying to mount the first NFS
> directory.
>
> If I try to mount on the command line, I get this:
> root$ mount -t nfs4 -o rw,sec=krb5,vers=4.0 arcturus:/ /mnt
> mount.nfs4: access denied by server while mounting arcturus:/
>
> If I take out sec=krb5, it works. It just rolls back to sec=sys (confirmed
> with mountstats).
> I am not seeing anything related to the mount attempts on the nfsserver
> logs, but I'm not sure I am looking in the right logs.
>
> I don't see anything happening in the ipaserver's krb5kdc.log, or httpd
> error or access logs.
>
> What am I missing?
>
> Thanks!
> Joanna
>
>
>
> --
>
>
> Joanna Delaporte
> Linux Systems Administrator | Parkland College
> joannadelapo...@gmail.com

[Freeipa-users] Again and again... Replication issues

2016-06-23 Thread Youenn PIOLET
Hi there,

## BACKGROUND ##
Due to a huge mess and split brain issues on my 15 server ipa cluster, I
had to manually reset all 14 replicas and clean old ruv on the last server.
After everything seemed clean in LDAP, dse.ldif and other files, I rebuilt
each replica and replication agreements.

If I navigate through my LDAP, I can see in ou=csusers,cn=config the
following things:

Replication Manager *masterAgreement1-*-pki-tomcat on
servers that have initially built replicas
Replication Manager *cloneAgreement1-*-pki-tomcat on servers
that have initially built replicas

I've got a mesh of replicas (4 agreements per replica).

CentOS 7.2, fresh IPA 4.2.0 everywhere

The agreements I generated with ipa-replica-manage connect and
ipa-csreplica-manage connect don't appear in ou=csusers,cn=config. I
suppose that this node is related to the first generation of replicas
(ipa-replica-prepare, and the initial clone process).

## PROBLEM ##
Today everything seems to work except on the master.

I got the following logs on my PKI master server:

> slapi_ldap_bind - Error: could not bind id [cn=replication
> manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such
> object) errno 0 (Success).


And a few of these in replicas:

> Can't locate CSN 576ba1120406 in the changelog (DB rc=-30988). If
> replication stops, the consumer may need to be reinitialized.

... this one may be unrelated and linked to network latency I guess.

cn=replication manager,cn=config doesn't exist on the master... I don't
know why.
The master is actually a promoted replica from my previous cluster.

On the master I can see a:
cn: Replication Manager *cloneAgreement1*--pki-tomcat

- What should I do to stop the cn=replication manager,cn=config error
message?
- Can I safely remove Replication Manager *cloneAgreement1*--pki-tomcat on
my master that is not a clone anymore (its own previous master is destroyed)?

Thanks in advance,
--
Youenn Piolet
piole...@gmail.com

Re: [Freeipa-users] EXAMPLE.COM IPA CA Import /etc/httpd/alias

2016-06-22 Thread Youenn PIOLET
Hi Günther,

I wrote this wrapper last year, maybe this will help.

https://github.com/uZer/rootools/blob/master/pki/freeipa/gencerts.sh

If you use cnames:
==
$ ipa host-add cname.domain --force
$ ipa service-add service/fqdn
$ ipa service-add service/cname.domain --force
$ ipa service-add-host service/cname.domain --host fqdn

In nss.conf
==
#NSSPassPhraseDialog builtin
NSSPassPhraseDialog file:/etc/apache2/password.conf


In your virtual host:
==

NSSEngine on
NSSNickname certifnickname
NSSCertificateDatabase /path/to/db
NSSProtocol TLSv1.1,TLSv1.2

NSSVerifyClient none

# Update this with current recommended ciphersuites
NSSCipherSuite
+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
  ...

Hope this is still correct, feel free to send a pull request ;)

Regards,


--
Youenn Piolet
piole...@gmail.com


2016-06-21 19:41 GMT+02:00 Rob Crittenden <rcrit...@redhat.com>:

> Günther J. Niederwimmer wrote:
>
>> Hello Rob,
>>
>> Am Mittwoch, 1. Juni 2016, 09:54:58 CEST schrieb Rob Crittenden:
>>
>>> Günther J. Niederwimmer wrote:
>>>
>>>> Hello,
>>>>
>>>> Am Dienstag, 31. Mai 2016, 11:06:09 CEST schrieb Rob Crittenden:
>>>>
>>>>> Günther J. Niederwimmer wrote:
>>>>>
> >>>>>> Hello,
> >>>>>> I found some help on IPA certificates but I found no way to import
> >>>>>> the IPA CA?
> >>>>>> I'd like to create a webserver with an owncloud virtualhost and others..
> >>>>>>
> >>>>>> But it is not possible for me to create the /etc/httpd/alias correctly?
> >>>>>>
> >>>>>> I found this in the IPA docs
> >>>>>>
> >>>>>> certutil -A -d . -n 'EXAMPLE.COM IPA CA' -t CT,, -a < /etc/ipa/ca.crt
> >>>>>>
> >>>>>> but with this command line I get an error: /etc/ipa/ca.crt has the wrong
> >>>>>> format?
> >>>>>>
> >>>>>> Does anyone have a link with a working example?
> >>>>>>
>>>>>>
>>>>>
>>>>> Does the file /etc/ipa/ca.crt exist? It is installed there on enrolled
>>>>> clients so the documentation is written from that perspective.
>>>>>
>>>>
> >>>> Yes.
> >>>>
> >>>>> You can grab a copy from any enrolled system, including an IPA Master.
> >>>>> Otherwise the command looks ok assuming you were sitting in
> >>>>> /etc/httpd/alias when the command was executed (-d .).
> >>>>>
> >>>>
> >>>> Yes ;-).
> >>>> but certutil says the certificate is in the wrong format
>>>>
>>>
>>> $ mkdir /tmp/testdb && cd /tmp/testdb
>>> $ certutil -N -d .
>>> $ certutil -A -d . -n 'EXAMPLE.COM IPA CA' -t CT,, -a < /etc/ipa/ca.crt
>>>
>>
> >> On my system I have this message after installing ca.crt:
> >>
> >> p11-kit: objects of this type cannot be created
> >> Is this correct?
>>
>
> I'm not sure.
>
> >> Another question: do I have to change the attributes (?). The IPA server
> >> creates / imports this ca.crt with -t "CT,C,C"
> >>
>
> It isn't super important. The order of those fields is SSL, S/MIME,
> code-signing. Chances are S/MIME will never be used and code-signing is
> used in some older releases but only once at install, so not having those
> set isn't a big deal.
>
> If you want things to be consistent you can use certutil -M -d . -t CT,C,C
> -n 'EXAMPLE.COM IPA CA'
>
> rob
>
>
>
> >>> $ certutil -L -d .
> >>>
> >>> Certificate Nickname                        Trust Attributes
> >>>                                             SSL,S/MIME,JAR/XPI
> >>>
> >>> EXAMPLE.COM IPA CA                          CT,,
> >>>
> >>> I guess look at what is in /etc/ipa/ca.crt and ensure it is valid. You
> >>> can use openssl for that:
> >>>
> >>> $ openssl x509 -text -inform PEM -in /etc/ipa/ca.crt
> >>>
> >>>> Something is wrong on my system !!
> >>>>
> >>>> for me it is not possible to have on an enrolled ipa-client a working
> >>>> webserver (apache) with mod_NSS
> >>>>
> >>>> The last Tests apache mean it is th
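The virtual host snippet above carries the note "Update this with current recommended ciphersuites". As an added example (not code from the thread or from mod_nss), the following audits an NSSCipherSuite directive in mod_nss's "+name,-name" format and reports which suites that are actually enabled still rely on RC4, MD5, DES/3DES, export-strength keys, NULL encryption or Fortezza. POSTED_CIPHER_SUITE is the string from the snippet; the names in HARDENED_CIPHER_SUITE are assumed to exist in the reader's mod_nss build.

```python
"""Audit a mod_nss NSSCipherSuite directive for legacy algorithms.

Added example. POSTED_CIPHER_SUITE is the directive from the thread;
HARDENED_CIPHER_SUITE uses mod_nss names assumed to be available.
"""
from typing import Dict, List, Tuple

POSTED_CIPHER_SUITE = (
    "+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,"
    "-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,"
    "+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,"
    "-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,"
    "+rsa_aes_256_sha"
)

# Assumption: these AES-GCM suite names exist in the mod_nss version in use.
HARDENED_CIPHER_SUITE = "+ecdhe_rsa_aes_128_gcm_sha_256,+rsa_aes_128_gcm_sha_256"

# Substring of the mod_nss cipher name -> why an enabled suite is flagged.
WEAK_MARKERS = {
    "rc4": "RC4 (prohibited by RFC 7465)",
    "rc2": "RC2 export cipher",
    "_des_": "single DES",
    "3des": "3DES (64-bit blocks, Sweet32)",
    "_md5": "MD5-based MAC",
    "null": "NULL encryption",
    "_40_": "40-bit export key",
    "_56_": "56-bit key",
    "fortezza": "Fortezza",
}


def parse_directive(directive: str) -> List[Tuple[str, bool]]:
    """(suite, enabled) pairs in first-seen order: '+' enables, '-' disables,
    and a later token for the same suite overrides an earlier one."""
    state: Dict[str, bool] = {}
    for token in directive.split(","):
        token = token.strip().lower()
        if not token:
            continue
        if token[0] not in "+-":
            raise ValueError(f"cipher token must start with + or -: {token!r}")
        state[token[1:]] = token[0] == "+"
    return list(state.items())


def weak_reasons(suite: str) -> List[str]:
    """Every reason a suite name matches the weak-algorithm table."""
    return [why for marker, why in WEAK_MARKERS.items() if marker in suite]


def enabled(directive: str) -> List[str]:
    """Suites the directive actually offers."""
    return [suite for suite, on in parse_directive(directive) if on]


def audit(directive: str) -> Dict[str, List[str]]:
    """Enabled suites that are weak -> reasons. Disabled suites are ignored:
    a long list of '-' entries is noise, not exposure."""
    return {suite: weak_reasons(suite)
            for suite, on in parse_directive(directive)
            if on and weak_reasons(suite)}


if __name__ == "__main__":
    for suite, reasons in audit(POSTED_CIPHER_SUITE).items():
        print(f"enabled but weak: {suite}: {'; '.join(reasons)}")
    print("hardened directive findings:", audit(HARDENED_CIPHER_SUITE))
```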

Re: [Freeipa-users] Multiple issues (weblogin, DNS) with 4.3.1

2016-06-22 Thread Youenn PIOLET
Hi,

Can you provide the output of:
certutil -L -d /etc/dirsrv/slapd-/ on replicas that can't
start the PKI?
Your CA cert attributes should be CT,C,C

I experience the same issue as you with every second replica I install. The fix is:
certutil -d /etc/dirsrv/slapd-/ -A -t "CT,C,C" -n " IPA CA" -i /etc/ipa/ca.crt
and restarting the IPA server.

https://www.redhat.com/archives/freeipa-users/2013-August/msg00088.html

Can you also provide the following line of the file generated by the following
commands:

$ ipa certprofile-show --out /tmp/caIPAserviceCert.cfg caIPAserviceCert
$ grep policyset.serverCertSet.1.default.params.name
/tmp/caIPAserviceCert.cfg

Regards,

--
Youenn Piolet
piole...@gmail.com


2016-06-22 16:26 GMT+02:00 Rob Crittenden <rcrit...@redhat.com>:

> Tomasz Torcz wrote:
>
>> On Tue, Jun 21, 2016 at 01:38:19PM -0400, Rob Crittenden wrote:
>>
> >>>>>> [Sat Jun 18 18:59:11.337717 2016] [wsgi:error] [pid 748083]
>>>>>> CertificateOperationError: Certificate operation cannot be completed:
>>>>>> Unable to communicate with CMS (Internal Server Error)
>>>>>> [Sat Jun 18 18:59:11.337770 2016] [wsgi:error] [pid 748083]
>>>>>> [Sat Jun 18 18:59:11.338805 2016] [wsgi:error] [pid 748083] ipa:
>>>>>> INFO: [jsonserver_session] ad...@pipebreaker.pl:
>>>>>> cert_find(version=u'2.164'): CertificateOperationError
>>>>>>
>>>>>>  How to fix those?
>>>>>>
>>>>>
>>>>> You'll need to look at the dogtag debug log for the reason it threw a
>>>>> 500,
>>>>> it's in /var/log/pki-tomcat/ca or something close to that.
>>>>>
>>>>
>>>>
> >>>> I've looked into the logs but I'm not wiser.  Is there a setting to get
> >>>> rid of the java traceback from logs and get more useful messages?  There
> >>>> seems to be a problem with the SSL connection to port 636, maybe because
> >>>> it seems to use an expired certificate?
>>>>
>>>
>>> Not that I know of. The debug log is sure a firehose but you've
>>> identified
>>> the problem.
>>>
> >>>> $ echo | openssl s_client  -connect okda.pipebreaker.pl:636  | openssl
> >>>> x509 -noout
>>>> depth=1 O = PIPEBREAKER.PL, CN = Certificate Authority
>>>> verify return:1
>>>> depth=0 O = PIPEBREAKER.PL, CN = okda.pipebreaker.pl
>>>> verify error:num=10:certificate has expired
>>>> notAfter=Nov 17 12:19:28 2015 GMT
>>>> verify return:1
>>>> depth=0 O = PIPEBREAKER.PL, CN = okda.pipebreaker.pl
>>>> notAfter=Nov 17 12:19:28 2015 GMT
>>>> verify return:1
>>>> DONE
>>>>
>>>
> >>> Run getcert list and look at the expiration dates. What you want to do is
> >>> kill ntpd, set the date back to say a week before the oldest date, restart
> >>> the dirsrv, restart the pki-tomcat/pki-cad service then restart certmonger.
> >>> This should force a renewal attempt.
>>>
>>
> >> Expiration dates look fine:
>>
>> root@okda ~$ getcert list
>> Number of certificates and requests being tracked: 1.
>> Request ID '20131116123125':
>>  status: CA_UNREACHABLE
>>  ca-error: Server at https://okda.pipebreaker.pl/ipa/xml failed
>> request, will retry: 4301 (RPC failed at server.  Certificate operation
>> cannot be completed: Unable to communicate with CMS (503)).
>>  stuck: no
>>  key pair storage:
>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>  certificate:
>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>> Certificate DB'
>>  CA: IPA
>>  issuer: CN=Certificate Authority,O=PIPEBREAKER.PL
>>  subject: CN=okda.pipebreaker.pl,O=PIPEBREAKER.PL
>>  expires: 2017-12-10 19:44:31 UTC
>>  principal name: HTTP/okda.pipebreaker...@pipebreaker.pl
>>  key usage:
>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>  eku: id-kp-serverAuth,id-kp-clientAuth
>>  pre-save command:
>>  post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>>  track: yes
>>  auto-renew: yes
>>
>>
> >> It's in 2017. The output seems quite short; on the other replica
> >> "getcert list" returns 9 certificates.
>>
>
> The 503 suggests
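Both this reply and Rob's earlier one ask for `certutil -L` output and expect the IPA CA to carry "CT,C,C". The following added example (not code from the thread or from NSS) parses that text table, decodes each trust field with the certutil(1) flag letters, and reports which usage (SSL, S/MIME, JAR/XPI, in that order) deviates from the expected string; the certutil output is constructed and fix_command is a hypothetical helper that assembles the `certutil -M` call Rob suggests.

```python
"""Check IPA CA trust attributes in `certutil -L -d <dbdir>` output.

Added example; SAMPLE_CERTUTIL_L is constructed. Trust fields are in the
order SSL, S/MIME, JAR/XPI (code signing).
"""
import re
from typing import Dict, List, NamedTuple

USAGES = ("SSL", "S/MIME", "JAR/XPI")

# Trust-flag letters as documented in certutil(1).
FLAG_MEANINGS = {
    "p": "valid peer",
    "P": "trusted peer (implies p)",
    "c": "valid CA",
    "C": "trusted CA (implies c)",
    "T": "trusted CA to issue client certs (SSL only)",
    "u": "user cert (private key present)",
}

SAMPLE_CERTUTIL_L = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

EXAMPLE.COM IPA CA                                           CT,,
Server-Cert                                                  u,u,u
"""

# A data row: nickname, at least two spaces, three comma-separated flag fields.
ROW_RE = re.compile(r"^(?P<nick>\S.*?)\s{2,}(?P<trust>[pPcCTu]*,[pPcCTu]*,[pPcCTu]*)\s*$")


class CertTrust(NamedTuple):
    nickname: str
    flags: Dict[str, str]   # usage -> flag letters, e.g. {"SSL": "CT", ...}


def parse_certutil_list(text: str) -> List[CertTrust]:
    """Skip the two header lines and blanks; one CertTrust per data row."""
    rows: List[CertTrust] = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append(CertTrust(m["nick"].strip(),
                                  dict(zip(USAGES, m["trust"].split(",")))))
    return rows


def describe(flags: str) -> str:
    """Human-readable meaning of one trust field."""
    return ", ".join(FLAG_MEANINGS[f] for f in flags) or "no trust"


def check_trust(rows: List[CertTrust], nickname: str,
                expected: str = "CT,C,C") -> List[str]:
    """Empty list when `nickname` carries exactly `expected`; otherwise one
    message per usage whose flags differ, or one if the cert is absent."""
    want = dict(zip(USAGES, expected.split(",")))
    for row in rows:
        if row.nickname != nickname:
            continue
        return [f"{u}: have '{row.flags[u]}' ({describe(row.flags[u])}), want '{want[u]}'"
                for u in USAGES if row.flags[u] != want[u]]
    return [f"nickname {nickname!r} not present in database"]


def fix_command(dbdir: str, nickname: str, trust: str = "CT,C,C") -> List[str]:
    """Hypothetical helper: argv for the `certutil -M` call that resets trust."""
    return ["certutil", "-M", "-d", dbdir, "-t", trust, "-n", nickname]


if __name__ == "__main__":
    rows = parse_certutil_list(SAMPLE_CERTUTIL_L)
    for problem in check_trust(rows, "EXAMPLE.COM IPA CA"):
        print(problem)
    print(" ".join(fix_command("/etc/httpd/alias", "'EXAMPLE.COM IPA CA'")))
```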

Re: [Freeipa-users] DNS SubjectAltName missing in provisioned certificates

2016-05-26 Thread Youenn PIOLET
Hi there,

For your information:
I just realised today that certificate signing using the web interface was
still broken.

I've got 3 caIPAserviceCert.cfg files on my system:

locate caIPAserviceCert.cfg output:
1. New profile: /usr/share/ipa/profiles/caIPAserviceCert.cfg
2. Old broken profile: /usr/share/pki/ca/profiles/ca/caIPAserviceCert.cfg
3. Old broken profile: /var/lib/pki/pki-tomcat/ca/profiles/ca/caIPAserviceCert.cfg

The LDAP profile version was not OK; it was back to the older version of the
profile. I fixed it back.

> FreeIPA since v4.2 configures Dogtag to use the LDAPProfileSubsystem
> which stores profile configuration in LDAP.
>

I think my Dogtag (in the IPA web interface) was still using the files (and
replacing the LDAP entry after a while? Or did it happen when I added a new
replica?).

I've replaced :
2. /usr/share/pki/ca/profiles/ca/caIPAserviceCert.cfg
3. /var/lib/pki/pki-tomcat/ca/profiles/ca/caIPAserviceCert.cfg

with new profile versions.

Now everything works, including the web interface.
I'll let you know if my profile got changed back again in LDAP after a
while, but I guess now I replaced the files there are no risks. I wonder if

Thanks again for your previous help Fraser, I hope this information may
help you find the bug, which could be related to replica installation with
old profiles still present in the master filesystem.

Cheers,
--
Youenn Piolet
piole...@gmail.com


2016-05-10 16:23 GMT+02:00 Youenn PIOLET <piole...@gmail.com>:

> Thank you so much Fraser,
> My PKI is now working perfectly!
>
> Cheers
>
> --
> Youenn Piolet
> piole...@gmail.com
>
>
> 2016-05-10 15:01 GMT+02:00 Fraser Tweedale <ftwee...@redhat.com>:
>
>> On Tue, May 10, 2016 at 02:33:43PM +0200, Youenn PIOLET wrote:
>> > Hi Fraser, thanks a lot for your quick reply!
>> >
>> > Could you confirm whether you are on RHEL / CentOS 7.2, and if so,
>> > > whether it was installed at 7.2 or an upgrade from 7.1 or an earlier
>> > > version?
>> > >
>> >
>> > This is a replica that was previously installed in CentOS 7.1.
>> > I don't exactly remember but I think I used COPR repository to install
>> > FreeIPA 4.2 and then upgraded CentOS to 7.2.
>> >
> >> > Also, I remember my pki got broken after upgrading this replica to 7.2. I
> >> > had to renew the replica's certificate and force-sync to successfully
> >> > launch pki-tomcatd. Now this replica is my pki master.
>> >
>> Thanks for the background.  Every piece of evidence can help find
>> the bug :)
>>
>> >
>> > > > ### certprofile
>> > > > $ ipa certprofile-show --out caIPAserviceCert.cfg caIPAserviceCert
>> > > > ---
>> > > > Profile configuration stored in file 'caIPAserviceCert.cfg'
>> > > > ---
>> > > >   Profile ID: caIPAserviceCert
>> > > >   Profile description: Standard profile for network services
>> > > >   Store issued certificates: TRUE
>> > > >
>> > > You do not include the caIPAserviceCert.cfg in the diffs below,
>> > > however, I suspect you will find it to be identical to
>> > > /usr/share/pki/ca/profiles/ca/caIPAserviceCert.cfg.  Could you
>> > > please confirm this?
>> > >
>> >
>> > Ah true... I did not realise I was actually writing a new file!
>> > And you're right, the diff is the same (except 2 profileId/classId lines that
>> > don't exist in the template + enableBy that differs)
>> >
>> > FreeIPA since v4.2 configures Dogtag to use the LDAPProfileSubsystem
>> > > which stores profile configuration in LDAP.  The file output by the
>> > > ``ipa certprofile-show`` command will have come from LDAP; this is
>> > > the version that's actually in use in your IPA installation.
>> > >
>> >
>> > Thanks a lot for your answers.
>> >
>> > So now, what would you suggest I do?
>> > Replace my /tmp/caIPAserviceCert.cfg with your suggested values and import
>> > it to LDAP?
>> >
>> I'd recommend copying the IPA template from
>> /usr/share/ipa/profiles/caIPAserviceCert.cfg, then filling out the
>> params manually and updating the profile.  There are four config
>> params that require substitutions; fill them out like below:
>>
>> - policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$, o=YOUR-DOMAIN
>>
>>   (note the SINGLE '$'s; they are double '$$' in the template)
>>
>
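
As an added example (not code from this thread, from FreeIPA or from Dogtag), the substitution step Fraser describes, carried out in Python over a constructed excerpt of the template assembled from the diff quoted above, followed by two checks worth running before the rendered profile is pushed back into LDAP: that no `$VARIABLE` or doubled `$$` survives, and that the serverCertSet list still enables the userExtensionDefaultImpl policy on OID 2.5.29.17. A profile without that policy, like the stale Dogtag copy in the diff, issues certificates with no DNS SubjectAltName, which is the symptom this thread started from. The realm values (O=EXAMPLE.COM, the ipa-ca record, example.com, the CRL issuer DN) are assumptions.

```python
"""Render the IPA caIPAserviceCert template and sanity-check the result.

Added example: not FreeIPA or Dogtag code. It fills the four template
variables by hand, as the thread suggests, then checks the rendered
profile before it is imported into LDAP.
"""
import re

SAN_OID = "2.5.29.17"  # id-ce-subjectAltName

# Constructed excerpt of /usr/share/ipa/profiles/caIPAserviceCert.cfg,
# assembled from the lines visible in the diff; the real file is longer.
TEMPLATE = """\
profileId=caIPAserviceCert
classId=caEnrollImpl
policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11
policyset.serverCertSet.1.default.params.name=CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O
policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=http://$IPA_CA_RECORD.$DOMAIN/ca/ocsp
policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0=$CRL_ISSUER
policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_0=DirectoryName
policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=http://$IPA_CA_RECORD.$DOMAIN/ipa/crl/MasterCRL.bin
policyset.serverCertSet.10.default.class_id=subjectKeyIdentifierExtDefaultImpl
policyset.serverCertSet.11.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.11.default.params.userExtOID=2.5.29.17
"""

# Constructed excerpt of the stale Dogtag copy from the same diff: policies
# 9-11 are absent from the list, so the CSR's SAN is never copied.
STALE_PROFILE = """\
policyset.serverCertSet.list=1,2,3,4,5,6,7,8
policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$, OU=pki-ipa, O=IPA
policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=
policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=https://ipa.example.com/ipa/crl/MasterCRL.bin
"""


def render_profile(template, subject_dn_o, ipa_ca_record, domain, crl_issuer):
    """Substitute the four template variables, then collapse '$$' to the
    single '$' that Dogtag's $request...$ syntax expects."""
    text = template
    for var, value in (("$SUBJECT_DN_O", subject_dn_o),
                       ("$IPA_CA_RECORD", ipa_ca_record),
                       ("$DOMAIN", domain),
                       ("$CRL_ISSUER", crl_issuer)):
        text = text.replace(var, value)
    return text.replace("$$", "$")


def parse_profile(text):
    """key=value lines into a dict; blank and comment lines are skipped."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            cfg[key.strip()] = value.strip()
    return cfg


def unresolved_variables(text):
    """Placeholders left behind: '$NAME' tokens or a doubled '$$', either of
    which would otherwise end up verbatim in issued certificates."""
    leftovers = set(re.findall(r"\$[A-Z_]+", text))
    if "$$" in text:
        leftovers.add("$$")
    return sorted(leftovers)


def san_policy_enabled(text):
    """True when an enabled serverCertSet policy passes the CSR's
    subjectAltName through (userExtensionDefaultImpl on 2.5.29.17)."""
    cfg = parse_profile(text)
    for n in cfg.get("policyset.serverCertSet.list", "").split(","):
        prefix = "policyset.serverCertSet.%s.default." % n.strip()
        if (cfg.get(prefix + "class_id") == "userExtensionDefaultImpl"
                and cfg.get(prefix + "params.userExtOID") == SAN_OID):
            return True
    return False


def check_profile(text):
    """The checks to run on a profile file before updating it in IPA."""
    return {"unresolved": unresolved_variables(text),
            "san_enabled": san_policy_enabled(text),
            "subject": parse_profile(text).get(
                "policyset.serverCertSet.1.default.params.name", "")}


if __name__ == "__main__":
    # Assumed realm values; replace with your own before use.
    rendered = render_profile(TEMPLATE, "O=EXAMPLE.COM", "ipa-ca",
                              "example.com",
                              "CN=Certificate Authority,O=EXAMPLE.COM")
    print("rendered:", check_profile(rendered))
    print("stale:", check_profile(STALE_PROFILE))
```

The rendered text is what you would save to a file and feed to the profile update; the stale copy fails the SAN check exactly as the diff predicts, and a template pushed without substitution is caught by the leftover-variable check.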

Re: [Freeipa-users] DNS SubjectAltName missing in provisioned certificates

2016-05-10 Thread Youenn PIOLET
Hi Fraser, thanks a lot for your quick reply!

Could you confirm whether you are on RHEL / CentOS 7.2, and if so,
> whether it was installed at 7.2 or an upgrade from 7.1 or an earlier
> version?
>

This is a replica that was previously installed in CentOS 7.1.
I don't exactly remember but I think I used the COPR repository to install
FreeIPA 4.2 and then upgraded CentOS to 7.2.

Also, I remember my pki got broken after upgrading this replica in 7.2. I
had to renew the replica's certificate and force-sync to successfully
launch pki-tomcatd. Now this replica is my pki master.


> > ### certprofile
> > $ ipa certprofile-show --out caIPAserviceCert.cfg caIPAserviceCert
> > ---
> > Profile configuration stored in file 'caIPAserviceCert.cfg'
> > ---
> >   Profile ID: caIPAserviceCert
> >   Profile description: Standard profile for network services
> >   Store issued certificates: TRUE
> >
> You do not include the caIPAserviceCert.cfg in the diffs below,
> however, I suspect you will find it to be identical to
> /usr/share/pki/ca/profiles/ca/caIPAserviceCert.cfg.  Could you
> please confirm this?
>

Ah true... I did not realise I was actually writing a new file!
And you're right, the diff is the same (except 2 profileId/classId lines that
don't exist in the template + enableBy that differs)

FreeIPA since v4.2 configures Dogtag to use the LDAPProfileSubsystem
> which stores profile configuration in LDAP.  The file output by the
> ``ipa certprofile-show`` command will have come from LDAP; this is
> the version that's actually in use in your IPA installation.
>

Thanks a lot for your answers.

So now, what would you suggest I do?
Replace my /tmp/caIPAserviceCert.cfg with your suggested values and import
it to LDAP?

Cheers,


> > And a diff between them:
> >
> > $ diff /usr/share/ipa/profiles/caIPAserviceCert.cfg /usr/share/pki/ca/profiles/ca/caIPAserviceCert.cfg
> > 1,2d0
> > < profileId=caIPAserviceCert
> > < classId=caEnrollImpl
> > 15c13
> > < policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11
> > ---
> > > policyset.serverCertSet.list=1,2,3,4,5,6,7,8
> > 22c20
> > < policyset.serverCertSet.1.default.params.name=CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O
> > ---
> > > policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$, OU=pki-ipa, O=IPA
> > 48c46
> > < policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=http://$IPA_CA_RECORD.$DOMAIN/ca/ocsp
> > ---
> > > policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=
> > 95,97c93,95
> > < policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0=$CRL_ISSUER
> > < policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_0=DirectoryName
> > < policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=http://$IPA_CA_RECORD.$DOMAIN/ipa/crl/MasterCRL.bin
> > ---
> > > policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0=
> > > policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_0=
> > > policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=https://ipa.example.com/ipa/crl/MasterCRL.bin
> > 100,109d97
> > < policyset.serverCertSet.10.constraint.class_id=noConstraintImpl
> > < policyset.serverCertSet.10.constraint.name=No Constraint
> > < policyset.serverCertSet.10.default.class_id=subjectKeyIdentifierExtDefaultImpl
> > < policyset.serverCertSet.10.default.name=Subject Key Identifier Extension Default
> > < policyset.serverCertSet.10.default.params.critical=false
> > < policyset.serverCertSet.11.constraint.class_id=noConstraintImpl
> > < policyset.serverCertSet.11.constraint.name=No Constraint
> > < policyset.serverCertSet.11.default.class_id=userExtensionDefaultImpl
> > < policyset.serverCertSet.11.default.name=User Supplied Extension Default
> > < policyset.serverCertSet.11.default.params.userExtOID=2.5.29.17
> >
> > Thanks in advance for your support,
> > Regards
> >
> > --
> > Youenn Piolet
> > piole...@gmail.com
> >
> >
> > 2016-03-31 9:41 GMT+02:00 Fraser Tweedale <ftwee...@redhat.com>:
> >
> > > On Sun, Mar 27, 2016 at 09:14:47PM +0200, Martin Štefany wrote:
> > > > Hello,
> > > >
> > > > I seem to be having some issues with IPA CA feature not generating
> > > > certificates with

Re: [Freeipa-users] DNS SubjectAltName missing in provisioned certificates

2016-05-10 Thread Youenn PIOLET
Hi Fraser, Martin,

I've got exactly the same problem with no DNS AltName and OU=pki-ipa,O=IPA
in the subject.

### certprofile
$ ipa certprofile-show --out caIPAserviceCert.cfg caIPAserviceCert
---
Profile configuration stored in file 'caIPAserviceCert.cfg'
---
  Profile ID: caIPAserviceCert
  Profile description: Standard profile for network services
  Store issued certificates: TRUE


### My /etc/pki/pki-tomcat/ca/CS.cfg :
http://pastebin.com/wnVWH8bq

### caIPAserviceCert
I'd like to send you my caIPAserviceCert.cfg, two of them are present on my
system:

- /usr/share/ipa/profiles/caIPAserviceCert.cfg :
http://pastebin.com/byddqgSF
- /usr/share/pki/ca/profiles/ca/caIPAserviceCert.cfg :
http://pastebin.com/FFUTytDq

And a diff between them:

$ diff /usr/share/ipa/profiles/caIPAserviceCert.cfg /usr/share/pki/ca/profiles/ca/caIPAserviceCert.cfg
1,2d0
< profileId=caIPAserviceCert
< classId=caEnrollImpl
15c13
< policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11
---
> policyset.serverCertSet.list=1,2,3,4,5,6,7,8
22c20
< policyset.serverCertSet.1.default.params.name=CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O
---
> policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$, OU=pki-ipa, O=IPA
48c46
< policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=http://$IPA_CA_RECORD.$DOMAIN/ca/ocsp
---
> policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=
95,97c93,95
< policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0=$CRL_ISSUER
< policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_0=DirectoryName
< policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=http://$IPA_CA_RECORD.$DOMAIN/ipa/crl/MasterCRL.bin
---
> policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0=
> policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_0=
> policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=https://ipa.example.com/ipa/crl/MasterCRL.bin
100,109d97
< policyset.serverCertSet.10.constraint.class_id=noConstraintImpl
< policyset.serverCertSet.10.constraint.name=No Constraint
< policyset.serverCertSet.10.default.class_id=subjectKeyIdentifierExtDefaultImpl
< policyset.serverCertSet.10.default.name=Subject Key Identifier Extension Default
< policyset.serverCertSet.10.default.params.critical=false
< policyset.serverCertSet.11.constraint.class_id=noConstraintImpl
< policyset.serverCertSet.11.constraint.name=No Constraint
< policyset.serverCertSet.11.default.class_id=userExtensionDefaultImpl
< policyset.serverCertSet.11.default.name=User Supplied Extension Default
< policyset.serverCertSet.11.default.params.userExtOID=2.5.29.17

Thanks in advance for your support,
Regards

--
Youenn Piolet
piole...@gmail.com


2016-03-31 9:41 GMT+02:00 Fraser Tweedale <ftwee...@redhat.com>:

> On Sun, Mar 27, 2016 at 09:14:47PM +0200, Martin Štefany wrote:
> > Hello,
> >
> > I seem to be having some issues with IPA CA feature not generating
> > certificates with DNS SubjectAltNames.
> >
> > I'm sure this worked very well under CentOS 7.1 / IPA 4.0, but now under
> > CentOS 7.2 / IPA 4.2 something's different.
> >
> > Here are the original steps which worked fine for my first use case ::
> >
> > $ ipa dnsrecord-add example.com mail --a-ip=172.17.100.25
> > $ ipa host-add mail.example.com
> > $ ipa service-add smtp/mail.example.com
> > $ ipa service-add smtp/mail1.example.com
> > $ ipa service-add-host smtp/mail.example.com --hosts=mail1.example.com
> > $ ipa-getcert request -k /etc/pki/tls/private/postfix.key \
> >   -f /etc/pki/tls/certs/postfix.pem   \
> >   -N CN=mail1.example.com,O=EXAMPLE.COM \
> >   -D mail1.example.com -D mail.example.com \
> >   -K smtp/mail1.example.com
> > (and repeat for every next member of the cluster...)
> >
> > After this, I would get certificate with something like ::
> > $ sudo ipa-getcert list
> > Number of certificates and requests being tracked: 3.
> > Request ID '20150419153933':
> >   status: MONITORING
> >   stuck: no
> >   key pair storage:
> > type=FILE,location='/etc/pki/tls/private/postfix.key'
> >   certificate: type=FILE,location='/etc/pki/tls/certs/postfix.pem'
> >   CA: IPA
> >   issuer: CN=Certificate Authority,O=EXAMPLE.COM
> >   subject: CN=mail1.example.com,O=EXAMPLE.COM
> >   expires: 2017-04-19 15:39:35 UTC
> >   dns: mail1.example.com,mail.example.com
> >   principal name: smtp/mail1.example@example.com
> >   key usage:

Re: [Freeipa-users] FreeNAS Authenticating Againts FreeIPA

2015-10-19 Thread Youenn PIOLET
Hi Chris,

This may come from the ipa attributes added by adtrust on user/group
classes.
For example in 4.1.4: FreeIPA will add on each user the attribute (for
ipasam.so usage):

  ipaNTSecurityIdentifier: S-1-5-**-***

when standard samba attributes known by samba with ldapsam.so are:

  sambaSID: S-1-5-**-***

I guess as the OID must be different, your CIFS will not recognise the
attribute and won't be able to use it.
I also guess it is the same for the password hash that may not be using the
right algorithm.

You can check this directly in your IPA 365directory tree, and with dirsrv
logfiles.
I suppose you would see FreeNAS trying to search for specific attributes in
user objects that don't exist.

This information is based on deduction but I'm not confident enough to
assure you this is a fact :)



--
Youenn Piolet
piole...@gmail.com


2015-10-17 16:47 GMT+02:00 Chris Tobey <tobeych...@hotmail.com>:

> Hi Youenn,
>
>
>
> Thank you for the response.
>
>
>
> I am sure the issue is related to the samba attributes not existing, but I
> am not fully clear on how to fix it.
>
>
>
> I was trying to find out the correct steps on a CentOS system, and I think
> it is something like:
>
> >yum remove samba-common
>
> >yum install samba4
>
> >yum install ipa-server-trust-ad
>
> >ipa-adtrust-install
>
>
>
> I thought the ipa-adtrust-install was supposed to add the samba
> attributes, but for some reason it still does not work.
>
>
>
> Does anyone have any insight in what steps I might have missed?
>
>
>
> Thanks,
>
> -Chris
>
>
>
> *From:* Youenn PIOLET [mailto:piole...@gmail.com]
> *Sent:* October-11-15 6:49 PM
> *To:* Chris Tobey
> *Cc:* freeipa-users@redhat.com; Matt .
> *Subject:* Re: [Freeipa-users] FreeNAS Authenticating Againts FreeIPA
>
>
>
> Sorry for the double post.
>
>
>
> I forgot to say that what I wrote is about the newest versions of FreeIPA.
>
> Maybe someone here knows something about IPA 3.0 ?
>
> I'm not sure it used to work with ipasam module. But I suppose the problem
> is the same: you need to generate Samba schema values for your IPA users in
> the directory.
>
>
>
> Cheers,
>
>
> --
>
> Youenn Piolet
>
> piole...@gmail.com
>
>
>
>
>
> 2015-10-12 0:41 GMT+02:00 Youenn PIOLET <piole...@gmail.com>:
>
> Hi Chris,
>
>
>
> First, to be sure we're on the same page:
>
> Without IPA, to make CIFS users authenticate against the directory in a
> classic LDAP implementation, you need to extend your LDAP tree with the Samba
> schema. The FreeNAS documentation is a bit light on this subject and
> previous FreeNAS versions (stable 9.3 included) used to mess up
> rfc2307bis/rfc2307. I think it is fixed now, and know nothing about your
> 9.2 version. Wrote some messy stuff about it here:
> https://github.com/uZer/rootools/blob/master/ldap/integrations/ldap.integration.freenas.md
>
> To make CIFS users authenticate on recent FreeIPA versions (I only tried
> with 4.1), I suggest you start by reading some of our investigations in
> this thread:
>
> [Freeipa-users] Ubuntu Samba Server Auth against IPA
> https://www.redhat.com/archives/freeipa-users/2015-August/thread.html#0
>
> When we discussed this in August, I spent almost a week trying to
> make this integration with FreeNAS/FreeIPA work. I quit FreeNAS without
> fully understanding why it didn't work, and moved our CIFS to a dedicated
> CentOS server. Matt arrived with a similar situation in Ubuntu.
>
> To quickly summarize the issue, FreeNAS and Ubuntu CIFS work by default
> with the ldapsam.so module. FreeIPA developers have built an AD trust exchange
> possibility with a custom ipasam module that isn't compiled yet for Ubuntu
> or FreeNAS. This module gives the possibility to use IPA AD trust
> components (e.g. special schema in IPA's directory managing user/group
> NT SID).
>
> If you can't compile the module for FreeNAS / FreeBSD, you may need to
> extend 365directory with Samba schema.
> You will need to find a way to generate the new attributes when adding
> users or groups in FreeIPA, and a way to store passwords in a CIFS/NT
> understandable way. I don't suggest you follow this dark path.
>
> You can also quit FreeNAS and migrate to CentOS with ipasam as I did ;)
>
> Good luck in your experiments, I hope you will succeed!
>
>
>
>
> --
>
> Youenn Piolet
>
> piole...@gmail.com
>
>
>
>
>
> 2015-10-11 2:06 GMT+02:00 Chris Tobey <tobeych...@hotmail.com>:
>
> Hi Everyone,
>
>
> I have a functioning FreeIPA server that manage
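
An added example (not FreeIPA, Samba or FreeNAS code, and not from this thread) of the directory check suggested in the reply above: a small LDIF reader that, for each user entry, lists which of the attributes ipasam reads (ipaNTSecurityIdentifier, ipaNTHash) and which of the attributes ldapsam reads (sambaSID, sambaNTPassword) are missing, so a CIFS logon failure can be traced to the directory contents rather than to smb.conf. The LDIF sample is constructed, with placeholder SIDs and hash values; `bob` stands for a pre-existing IPA user that has no SID attribute at all, which neither backend can map.

```python
"""Which Samba passdb backend can read a given IPA user entry?

Added example; not FreeIPA, Samba or FreeNAS code. It parses an LDIF
dump (constructed sample below) and reports, per user, which attributes
each backend would look for and which are missing: ipasam reads
ipaNTSecurityIdentifier/ipaNTHash, ldapsam reads sambaSID/sambaNTPassword.
"""

IPASAM_ATTRS = ("ipaNTSecurityIdentifier", "ipaNTHash")
LDAPSAM_ATTRS = ("sambaSID", "sambaNTPassword")

# Constructed LDIF: alice was created after ipa-adtrust-install, bob is a
# pre-existing IPA user that never got a SID, carol lives in a classic
# Samba-schema LDAP tree. SIDs and hash values are placeholders.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
objectClass: ipaNTUserAttrs
uid: alice
ipaNTSecurityIdentifier: S-1-5-21-1111111111-2222222222-3333333333-1001
ipaNTHash:: QUFBQUFBQUFBQUFBQUFBQQ==

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=com
uid: bob

dn: uid=carol,ou=people,dc=example,dc=com
objectClass: sambaSamAccount
uid: carol
sambaSID: S-1-5-21-4444444444-5555555555-6666666666-1002
sambaNTPassword: 0123456789ABCDEF0123456789ABCDEF
"""


def parse_ldif(text):
    """Minimal LDIF reader: entries separated by blank lines, 'attr: value'
    or base64 'attr:: value' lines, folded lines starting with a space.
    Attribute names are lower-cased because LDAP matches them case-insensitively."""
    entries, current, last = [], {}, None
    for raw in text.splitlines() + [""]:
        if raw == "":
            if current:
                entries.append(current)
            current, last = {}, None
        elif raw.startswith(" ") and last:
            current[last][-1] += raw[1:]
        else:
            attr, _, value = raw.partition(":")
            if value.startswith(":"):  # base64 value: keep the encoded form
                value = value[1:]
            last = attr.strip().lower()
            current.setdefault(last, []).append(value.strip())
    return entries


def missing_for(entry, attrs):
    """Names from attrs that the entry lacks (case-insensitive)."""
    return [a for a in attrs if a.lower() not in entry]


def backend_report(entry):
    """Per-user view of what ipasam and ldapsam would each fail to find."""
    return {"uid": entry.get("uid", ["?"])[0],
            "ipasam_missing": missing_for(entry, IPASAM_ATTRS),
            "ldapsam_missing": missing_for(entry, LDAPSAM_ATTRS)}


def report(ldif_text):
    """One report row per entry in the dump."""
    return [backend_report(e) for e in parse_ldif(ldif_text)]


def users_without_sid(ldif_text):
    """uids carrying neither SID attribute: accounts that need a SID
    assigned before either backend can map them to an NT identity."""
    return [e["uid"][0] for e in parse_ldif(ldif_text)
            if "uid" in e
            and "ipantsecurityidentifier" not in e and "sambasid" not in e]


if __name__ == "__main__":
    for row in report(SAMPLE_LDIF):
        print(row)
    print("no SID at all:", users_without_sid(SAMPLE_LDIF))
```

Run it against an `ldapsearch -LLL` dump of cn=users,cn=accounts instead of the sample to see, per account, whether the entry carries the attributes for the backend named in smb.conf; an entry that is complete for one backend and empty for the other explains a working ipasam setup failing under ldapsam, or the reverse.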

[Freeipa-users] FreeIPA Deployment and resiliency

2015-10-16 Thread Youenn PIOLET
Hi there.

I'd like to integrate FreeIPA in a multi-location production environment.
We got servers in US/Europe/South America/Pacific Ocean with some high
latency links. The fleet I manage is a mixed Linux environment with less
than 1000 servers. I also plan to use FreeIPA as backend for Radius
authentication on various network equipment.

I plan to deploy a replica architecture similar to the recommendation
article in the official documentation:
http://www.freeipa.org/page/Deployment_Recommendations with two replicas
per region and at least one replica per DC. FreeIPA will become my DNS for
internal resolution.

FreeIPA servers will run on latest CentOS.

I've got two questions:

1) Version:
Should I wait for IPA 4.2 or is IPA 4.1.4 a good / stable / trustworthy
solution for authentication, upgrade, maintainability, resilience? Will
4.2.X be too young and unstable for a massive implementation? I'm quite
interested in 4.2 but don't want to wait too long for a release on
CentOS. How easy would an upgrade of all replicas from 4.1.4 to 4.2 be in
an IPA replication topology?

2) Resiliency:
How to make the FreeIPA service resilient? Is there an official / easy and
secure way to converge to another IPA server (with DNS?) when a replica is
down? I've got the chance to work on an MPLS network with the Anycast
possibility. Is it something workable with FreeIPA/Kerberos?

Thanks in advance for your suggestions
--
Youenn Piolet
piole...@gmail.com
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] FreeNAS Authenticating Againts FreeIPA

2015-10-11 Thread Youenn PIOLET
Sorry for the double post.

I forgot to say that what I wrote is about the newest versions of FreeIPA.
Maybe someone here knows something about IPA 3.0 ?
I'm not sure it used to work with ipasam module. But I suppose the problem
is the same: you need to generate Samba schema values for your IPA users in
the directory.

Cheers,

--
Youenn Piolet
piole...@gmail.com


2015-10-12 0:41 GMT+02:00 Youenn PIOLET <piole...@gmail.com>:

> Hi Chris,
>
> First, to be sure we're on the same page:
> Without IPA, to make CIFS users authenticate against the directory in a
> classic LDAP implementation, you need to extend your LDAP tree with the Samba
> schema. The FreeNAS documentation is a bit light on this subject and
> previous FreeNAS versions (stable 9.3 included) used to mess up
> rfc2307bis/rfc2307. I think it is fixed now, and know nothing about your
> 9.2 version. Wrote some messy stuff about it here:
> https://github.com/uZer/rootools/blob/master/ldap/integrations/ldap.integration.freenas.md
>
> To make CIFS users authenticate on recent FreeIPA versions (I only tried
> with 4.1), I suggest you start by reading some of our investigations in
> this thread:
>
> [Freeipa-users] Ubuntu Samba Server Auth against IPA
> https://www.redhat.com/archives/freeipa-users/2015-August/thread.html#0
>
> When we discussed this in August, I spent almost a week trying to
> make this integration with FreeNAS/FreeIPA work. I quit FreeNAS without
> fully understanding why it didn't work, and moved our CIFS to a dedicated
> CentOS server. Matt arrived with a similar situation in Ubuntu.
>
> To quickly summarize the issue, FreeNAS and Ubuntu CIFS work by default
> with the ldapsam.so module. FreeIPA developers have built an AD trust exchange
> possibility with a custom ipasam module that isn't compiled yet for Ubuntu
> or FreeNAS. This module gives the possibility to use IPA AD trust
> components (e.g. special schema in IPA's directory managing user/group
> NT SID).
>
> If you can't compile the module for FreeNAS / FreeBSD, you may need to
> extend 365directory with Samba schema.
> You will need to find a way to generate the new attributes when adding
> users or groups in FreeIPA, and a way to store passwords in a CIFS/NT
> understandable way. I don't suggest you follow this dark path.
>
> You can also quit FreeNAS and migrate to CentOS with ipasam as I did ;)
>
> Good luck in your experiments, I hope you will succeed!
>
>
> --
> Youenn Piolet
> piole...@gmail.com
>
>
> 2015-10-11 2:06 GMT+02:00 Chris Tobey <tobeych...@hotmail.com>:
>
>> Hi Everyone,
>>
>>
>> I have a functioning FreeIPA server that manages all my users and I would
>> like to also use it for my FreeNAS CIFS shares to authenticate against.
>>
>> Does anyone know what needs to be run on both servers to get this
>> working? I believe it has something to do with Samba properties on the
>> FreeIPA side.
>>
>>
>>
>> I had tried asking the FreeNAS forums but they were of no help (
>> https://forums.freenas.org/index.php?threads/freeipa-and-freenas-ldap-setup.37083/
>> ).
>>
>>
>>
>> I have seen similar requests and success stories, but no actual steps on
>> how to do it.
>>
>> Info:
>> FreeIPA v3.0.0-42 running on CentOS 6.6.
>> FreeNAS 9.2.1.9 (can use 9.3 if easier, was trying to get it working
>> before dealing with certs).
>>
>>
>>
>> Any help is appreciated.
>>
>>
>>
>> Thanks,
>>
>> -Chris
>>
>>
>>
>>
>>
>>
>>
>>
>
>

Re: [Freeipa-users] FreeNAS Authenticating Againts FreeIPA

2015-10-11 Thread Youenn PIOLET
Hi Chris,

First, to be sure we're on the same page:
Without IPA, to make CIFS users authenticate against the directory in a classic
LDAP implementation, you need to extend your LDAP tree with the Samba schema.
The FreeNAS documentation is a bit light on this subject and previous
FreeNAS versions (stable 9.3 included) used to mess up rfc2307bis/rfc2307.
I think it is fixed now, and know nothing about your 9.2 version. Wrote
some messy stuff about it here:
https://github.com/uZer/rootools/blob/master/ldap/integrations/ldap.integration.freenas.md

To make CIFS users authenticate on recent FreeIPA versions (I only tried
with 4.1), I suggest you start by reading some of our investigations in
this thread:

[Freeipa-users] Ubuntu Samba Server Auth against IPA
https://www.redhat.com/archives/freeipa-users/2015-August/thread.html#0

When we discussed this in August, I spent almost a week trying to
make this integration with FreeNAS/FreeIPA work. I quit FreeNAS without
fully understanding why it didn't work, and moved our CIFS to a dedicated
CentOS server. Matt arrived with a similar situation in Ubuntu.

To quickly summarize the issue, FreeNAS and Ubuntu CIFS work by default
with the ldapsam.so module. FreeIPA developers have built an AD trust exchange
possibility with a custom ipasam module that isn't compiled yet for Ubuntu
or FreeNAS. This module gives the possibility to use IPA AD trust
components (e.g. special schema in IPA's directory managing user/group
NT SID).

If you can't compile the module for FreeNAS / FreeBSD, you may need to
extend 365directory with Samba schema.
You will need to find a way to generate the new attributes when adding
users or groups in FreeIPA, and a way to store passwords in a CIFS/NT
understandable way. I don't suggest you follow this dark path.

You can also quit FreeNAS and migrate to CentOS with ipasam as I did ;)

Good luck in your experiments, I hope you will succeed!


--
Youenn Piolet
piole...@gmail.com


2015-10-11 2:06 GMT+02:00 Chris Tobey <tobeych...@hotmail.com>:

> Hi Everyone,
>
>
> I have a functioning FreeIPA server that manages all my users and I would
> like to also use it for my FreeNAS CIFS shares to authenticate against.
>
> Does anyone know what needs to be run on both servers to get this working?
> I believe it has something to do with Samba properties on the FreeIPA side.
>
>
>
> I had tried asking the FreeNAS forums but they were of no help (
> https://forums.freenas.org/index.php?threads/freeipa-and-freenas-ldap-setup.37083/
> ).
>
>
>
> I have seen similar requests and success stories, but no actual steps on
> how to do it.
>
> Info:
> FreeIPA v3.0.0-42 running on CentOS 6.6.
> FreeNAS 9.2.1.9 (can use 9.3 if easier, was trying to get it working
> before dealing with certs).
>
>
>
> Any help is appreciated.
>
>
>
> Thanks,
>
> -Chris
>
>
>
>
>
>
>
>

Re: [Freeipa-users] ipa-client-install not creating reverse DNS entries

2015-09-13 Thread Youenn PIOLET
Hi,

I've seen the same issue recently on various clients using ipa 3.3 and ipa
4.* during the first join on a clean OS. Can't confirm it was working
before. Is it normal behavior?

Allow PTR sync is enabled.

Cheers,
On Sep 12, 2015 7:44 AM, "Nathan Peters"  wrote:

>
> On 9/11/2015 10:32 AM, Simo Sorce wrote:
>
>> On Fri, 2015-09-11 at 10:25 -0700, nat...@nathanpeters.com wrote:
>>
>>> I have been trying to figure this out for a while now but when I join
>>> machine to FreeIPA, the installer properly creates forward DNS
>>> entries,and DNSSSHFP entries, but does not create reverse entries.
>>> Without the PTR records, kerberos logins are always failing on these
>>> machines.
>>>
>> I am interested in understanding what fails exactly, stuff should not
>> depend on reverse resolution can you give me an example of a failure ?
>>
>> For the PTR creation anyway have you enabled the option to allow setting
>> PTR records ?
>> There is a global DNS option (As awell as per-zone setting) called
>> "Allow PTR Sync" you may want to enable.
>>
>>
> When we attempt to login using kerberos on a machine that has no reverse
> DNS entry defined, we are instead prompted with a password prompt.  The
> password authentication still works but the ticket does not.
>
> From what I read, the Allow PTR Sync option is only used in conjunction
> with DNS IP address changes and does not apply to the initial join of the
> domain.
>
> Is the joining process supposed to create reverse DNS entries for the
> clients or just forward entries and SSHFP entries?
>
>

Re: [Freeipa-users] certificate add subject alt Name

2015-09-10 Thread Youenn PIOLET
Hi,

I'm not sure I understood all of your problem, but here is some
information that may help:
- First, you don't change a certificate, but you can revoke it and make a new
one
- If you need to add a SubjectAltName to a certificate, you may have
realized that the -D parameter causes the request to be rejected by FreeIPA
when you try this:

ipa-getcert request -d $NSSPATH -n $CERTNAME -p $PWDFILE -N
"CN=$FQDN,O=$DOMAIN" -D "$CNAME" -K $PRINCIPAL

You have to force FreeIPA to recognise the CNAME first.

$ ipa host-add cname.domain --force
$ ipa service-add service/fqdn
$ ipa service-add service/cname.domain --force
$ ipa service-add-host service/cname.domain --host fqdn

Then the ipa-getcert request will work.

I hope it helps (you or anyone else needing a subjectaltname in a
certificate).
Cheers,

--
Youenn Piolet
piole...@gmail.com


2015-09-09 18:12 GMT+02:00 Petr Spacek <pspa...@redhat.com>:

> On 5.9.2015 12:48, Günther J. Niederwimmer wrote:
> > Hello,
> >
> > System CentOS 7.
> >
> > is it possible to change a certificate to add a subject alt name?
> >
> > My "Problem" is, I have a Mail Server with name smtp.example.com and the
> > correct service certificates smtp/smtp.example.com & imap/example.com
> now I
> > make in my DNS Server (is a external system) a new Record "imap IN CNAME
> smtp"
> > but this is now missing in the certificate?
> >
> > The Problem I mean is DNSSEC, so I can't setup this with freeIPA and I
> don’t
> > have a host/imap.example.com.
>
> I'm sorry but I do not see how this is related to DNS. It might not be
> related
> to IPA at all.
>
> IPA only issues the cert. If the cert contains both subjectAltNames then
> the
> problem is likely in your DNS configuration or in configuration on the
> application server side (where you installed the cert).
>
> Unfortunately I'm not able to tell you more without more details - what
> application you use, what versions, how did you it configured, etc.
>
> --
> Petr^2 Spacek
>
>

Re: [Freeipa-users] Antwort: Re: Faulty LDAP record

2015-09-07 Thread Youenn PIOLET
Hi,
Did you try to restart the directory server?
I had a similar experience in compat tree, maybe your problem is some kind
of "ghost" entry that will not reappear after a restart.

Regards,

--
Youenn Piolet
piole...@gmail.com


2015-09-07 13:25 GMT+02:00 Christoph Kaminski <christoph.kamin...@biotronik.com>:

> I got the same error as in ldap browser:
>
> ldapmodify -h localhost -D "cn=Directory Manager" -W -x <<EOF
> > dn: nsuniqueid=a69f868e-4b4411e5-99ef9ac3-776749aa+uid=zimt,cn=users,cn=accounts,dc=hso
> > changetype: delete
> >
> > EOF
> Enter LDAP Password:
> deleting entry
> "nsuniqueid=a69f868e-4b4411e5-99ef9ac3-776749aa+uid=zimt,cn=users,cn=accounts,dc=hso"
> ldap_delete: No such object (32)
> freeipa-users@redhat.com
> freeipa-users-boun...@redhat.com wrote on 04.09.2015 17:10:01:
>
> > From: Ludwig Krispenz <lkris...@redhat.com>
> > To: freeipa-users@redhat.com
> > Date: 04.09.2015 17:08
> > Subject: Re: [Freeipa-users] Faulty LDAP record
> > Sent by: freeipa-users-boun...@redhat.com
> >
> > On 09/04/2015 04:49 PM, Christoph Kaminski wrote:
> > Hi All,
> >
> > how can I delete a faulty user in IPA 4.1? The record in LDAP look like
> this:
> > nsuniqueid=a69f868e-4b4411e5-99ef9ac3-776749aa
> > +uid=zimt,cn=users,cn=accounts,dc=hso
> > this is a replication conflict entry, the user uid=zimt was added in
> > parallel on two servers. you should be able to delete it with ldapmodify
> >
> > ldapmodify .
> > dn: nsuniqueid=a69f868e-4b4411e5-99ef9ac3-776749aa
> > +uid=zimt,cn=users,cn=accounts,dc=hso
> > changetype: delete
>
> Greetz
> Christoph Kaminski
>
>
>
>

Re: [Freeipa-users] Kerberized NFS and home automount issues

2015-08-14 Thread Youenn PIOLET
Hi,

I didn't know it was only possible to create homes on the home NFS server :)
I changed my implementation on the home NFS server to make a flat /home
directory (not mounted with autofs from another directory of the same
server).

2) is now solved: I disabled autofs on the home NFS server, moved files and
mkhomedir now works perfectly.

1) the issue seems to be solved after this, but not instantaneously. I
still see errors in the NFS server logs:
   WARNING: can't create tcp rpc_clnt to server ipa-server for user
with uid 0: RPC: Remote system error - No route to host
but it seems to be working. After creating a new user, I had to wait a few
seconds/minutes for the home to be fetchable by autofs.

Thanks a lot.

--
Youenn Piolet
piole...@gmail.com


2015-08-14 7:14 GMT+02:00 Prasun Gera prasun.g...@gmail.com:

 Where are you trying to create the home directories ? Is your NFS server
 the same as the IPA server ? You can only create home directories on the
 NFS home server unless the nfs-client sees the export option
 no_root_squash. That is not recommended though.

 On Thu, Aug 13, 2015 at 9:49 AM, Youenn PIOLET piole...@gmail.com wrote:

 Hi,

 I'm currently trying to configure automount for home directories with
 Kerberized NFSv4.
 I'm struggling with two issues that may or may not be related:

 1) Can't read my home directory. I have to type kinit manually first on
 each integrated client for this to work. I think it is related to the
 latest versions of sssd on Centos 7 / Fedora 21 (1.12.2-58), ipa or maybe
 nss; a CentOS that was 1 or 2 months out of date was working first and got broken after
 an update.

 2) Can't create home directories for new users : Permission denied for
 oddjob-mkhomedir script. I can also experience this as root : can't mkdir
 /home/someuser, permission denied (see my mount chain in freeipa below).
 Related to NFSv4?

 Here is my setup and various information:
 - I'm not using selinux
 - Exports :
 /home.shared *(rw,sec=krb5:krb5i:krb5p)
 - Mount chain :
 * -fstype=nfs4,sec=krb5i,rw,proto=tcp,port=2049,rsize=8192,wsize=8192
 home01.net:/home.shared/
 - Experienced on Centos 7 and Fedora 21
 - FreeIPA server 4.1.4
 - I used ipa-client-automount on clients and server.
 - Same behavior with/without a dedicated service principal on client
 - Some errors in NFS server logs :
 rpc.gssd - WARNING: can't create tcp rpc_clnt to server ipa-server
 for user with uid 0: RPC: Remote system error - No route to host -- at
 different times
 oddjobd: Error
 org.freedesktop.DBus.Error.SELinuxSecurityContextUnknown: Could not
 determine security context for '1:###' -- before oddjob-mkhomedir on new
 user

 Have you got the same problems and did you manage to fix them?

 Thanks in advance,
 --
 Youenn Piolet
 piole...@gmail.com


 --
 Manage your subscription for the Freeipa-users mailing list:
 https://www.redhat.com/mailman/listinfo/freeipa-users
 Go to http://freeipa.org for more info on the project
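The two things this thread turns on are the security flavour in the export options (sec=krb5:krb5i:krb5p in Youenn's exports line) and root squashing, which Prasun points out is what stops mkhomedir from working from an NFS client unless no_root_squash is set, which he does not recommend. The script below is an added example, not something posted in the thread: it reads /etc/exports-style text and flags every path/client pair that lacks a krb5 flavour or disables root squashing. The sample exports and the verdict names (OK, NO_KRB5, NO_ROOT_SQUASH) are this script's own; only the first sample line is the export from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): audit /etc/exports-style lines for
# the Kerberos security flavour and for root squashing.
# SAMPLE_EXPORTS is constructed; only the first line comes from the thread.
SAMPLE_EXPORTS='/home.shared *(rw,sec=krb5:krb5i:krb5p)
/srv/scratch 10.0.0.0/24(rw,sec=sys)
/srv/build build01.net(rw,no_root_squash,sec=krb5i)
/srv/public *
# comment lines and blank lines are skipped

'

# audit_exports: read exports text on stdin, print "<path> <client> <verdict>"
# for every path/client pair. Verdict names are this script's own:
#   OK             krb5, krb5i or krb5p flavour, root squashing in effect
#   NO_ROOT_SQUASH client root is not squashed (what the thread warns against)
#   NO_KRB5        no Kerberos flavour in sec= (or no options at all)
audit_exports() {
    set -f                       # keep "*" client specs from globbing
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        set -- $line
        path=$1; shift
        for spec in "$@"; do
            case "$spec" in
                *\(*\)) client=${spec%%\(*}; opts=${spec#*\(}; opts=${opts%\)} ;;
                *)      client=$spec; opts= ;;
            esac
            # pull the sec= value out of the comma-separated option list
            sec=
            for opt in $(printf '%s' "$opts" | tr ',' ' '); do
                case "$opt" in sec=*) sec=${opt#sec=} ;; esac
            done
            verdict=OK
            case ":$sec:" in
                *:krb5:*|*:krb5i:*|*:krb5p:*) ;;
                *) verdict=NO_KRB5 ;;
            esac
            # unsquashed root outranks the flavour finding
            case ",$opts," in
                *,no_root_squash,*) verdict=NO_ROOT_SQUASH ;;
            esac
            printf '%s %s %s\n' "$path" "$client" "$verdict"
        done
    done
    set +f
}

# count_findings: number of path/client pairs in the sample that are not OK.
count_findings() {
    printf '%s' "$SAMPLE_EXPORTS" | audit_exports | awk '$3 != "OK" { n++ } END { print n + 0 }'
}

printf '%s' "$SAMPLE_EXPORTS" | audit_exports
echo "findings: $(count_findings)"
```

On a real server, feed it with `audit_exports < /etc/exports`; the thread's own export comes back as OK, and a client that can create home directories only because of no_root_squash shows up as NO_ROOT_SQUASH.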




Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-08-13 Thread Youenn PIOLET
Hi Matt

- CentOS : Did you copy ipasam.so and change your smb.conf
accordingly? sambaSamAccount
is not needed anymore that way.
- Default IPA Way : won't work if your Windows is not part of a domain
controller. DOMAIN\username may work for some users using Windows 7 - not 8
nor 10 (it did for me but I was the only one at the office... quite useless)

This config may work on your CentOS (for the ipasam way):
workgroup = TEST
realm = TEST.NET
kerberos method = dedicated keytab
dedicated keytab file = FILE:/./samba.keytab
create krb5 conf = no
security = user
encrypt passwords = true
passdb backend = ipasam:ldaps://youripa.test.net
ldapsam:trusted = yes
ldap suffix = test.net
ldap user suffix = cn=users,cn=accounts
ldap group suffix = cn=groups,cn=accounts


--
Youenn Piolet
piole...@gmail.com


2015-08-12 22:15 GMT+02:00 Matt . yamakasi@gmail.com:

 Hi,

 OK the default IPA way works great actually when testing it as described
 here:

 http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA

 On the samba server I can auth and see my share where I want to connect to.

 The issue is, on Windows I cannot auth, even when I do DOMAIN\username
 as username

 So, the IPA way should work.

 Any comments here ?

 Cheers,

 Matt

 2015-08-12 19:00 GMT+02:00 Matt . yamakasi@gmail.com:
   Hi Guys,
 
  I'm testing this out and I think I almost setup, this on a CentOS samba
 server.
 
  I'm using the ipa-adtrust way of Youeen but it seems we still need to
  add (objectclass=sambaSamAccount)) ?
 
  Info is welcome!
 
  I will report back when I have it working.
 
  Thanks!
 
  Matt
 
  2015-08-10 11:16 GMT+02:00 Christopher Lamb christopher.l...@ch.ibm.com
 :
  The next route I will try - is the one Youeen took, using ipa-adtrust
 
 
 
  From:   Matt . yamakasi@gmail.com
  To: Christopher Lamb/Switzerland/IBM@IBMCH,
  freeipa-users@redhat.com freeipa-users@redhat.com
  Date:   10.08.2015 10:03
  Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
 
 
 
  Hi Chris,
 
  Okay this is good to hear.
 
   But don't we want an IPA managed Scheme ?
 
  When I did a ipa-adtrust-install --add-sids it also wanted a local
  installed Samba and I wonder why.
 
   Good that we make some progress on making it all clear.
 
  Cheers,
 
  Matt
 
  2015-08-10 6:12 GMT+02:00 Christopher Lamb christopher.l...@ch.ibm.com
 :
  ldapsam + the samba extensions, pretty much as described in the
  Techslaves
  article. Once I have a draft for the wiki page, I will mail you.
 
 
 
  From:   Matt . yamakasi@gmail.com
  To: Christopher Lamb/Switzerland/IBM@IBMCH,
  freeipa-users@redhat.com freeipa-users@redhat.com
  Date:   09.08.2015 21:17
  Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against
 IPA
 
 
 
  Hi,
 
  Yes I know about anything but which way did you use now ?
 
 
 
  2015-08-09 20:56 GMT+02:00 Christopher Lamb
  christopher.l...@ch.ibm.com:
  Hi Matt
 
  I am on OEL 7.1. - so anything that works on that should be good for
  RHEL
  and Centos 7.x
 
  I intend to add a how-to to the FreeIPA Wiki over the next few days.
 As
  we
  have suggested earlier, we will likely end up with several, one for
 each
  of
  the possible integration paths.
 
  Chris
 
 
 
 
 
  From:   Matt . yamakasi@gmail.com
  To: Christopher Lamb/Switzerland/IBM@IBMCH,
  freeipa-users@redhat.com freeipa-users@redhat.com
  Date:   09.08.2015 16:45
  Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against
 IPA
 
 
 
  Hi Chris,
 
  This sounds great!
 
  What are you using now, both CentOS ? So Samba and FreeIPA ?
 
  Maybe it's good to explain which way you used now in steps too, so we
  can combine or create multiple howto's ?
 
  At least we are going somewhere!
 
  Thanks,
 
  Matt
 
  2015-08-09 14:54 GMT+02:00 Christopher Lamb
  christopher.l...@ch.ibm.com:
  Hi Matt
 
   My test integration of FreeIPA 4.x and Samba 4.x (with the good old
   Samba
   Schema extensions) is up and working, almost flawlessly.
 
  I can add users and groups via the FreeIPA CLI, and they get the
  correct
  ObjectClasses / attributes required for Samba.
 
  So far I have not yet bothered to try the extensions to the WebUI,
  because
   it is currently giving me the classic "Your session has expired.
  Please
   re-login." error which renders the WebUI useless.
 
  The only problem I have so far encountered managing Samba / FreeIPA
  users
  via FreeIPA CLI commands is with the handling of the attribute
  sambaPwdLastSet. This is the subject of an existing thread, also
  updated
  today.
 
  There is also an existing alternative to hacking group.py, using
 Class
  of
  Service (Cos) documented in this thread from February 2015
 
 
 https://www.redhat.com/archives/freeipa-users/2015-February/msg00172.html
  .
  I have not yet tried it, but it sounds reasonable.
 
  Chris
 
 
 
 
 
  From:   Matt . yamakasi@gmail.com
  To: Christopher Lamb/Switzerland/IBM

Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-08-06 Thread Youenn PIOLET
Hey guys,

I'll try to make a tutorial soon, sorry I'm quite in a rush these days :)

General idea:

On FreeIPA (4.1)
- `ipa-adtrust-install --add-sids` (creates ipaNTsecurityidentifier
attribute, also known as SID)
- regenerate each user password to build ipaNTHash attribute, not here by
default on users
- use your ldap browser to check ipaNTHash values are here on user objects
- create a CIFS service for your samba server
- Create user roles/permissions as described here:
http://freeipa-users.redhat.narkive.com/ez2uKpFS/authenticate-samba-3-or-4-with-freeipa
so that CIFS service will be able to read ipaNTsecurityidentifier and
ipaNTHash attributes in LDAP (ACI)
- SCP ipasam.so module to your cifs server (this is the magic trick) : scp
/usr/lib64/samba/pdb/ipasam.so root@samba-server.domain:/usr/lib64/samba/pdb/
You can also try to recompile it.

On SAMBA Server side (CentOS 7...)
- Install server keytab file for CIFS
- check ipasam.so is here.
- check you can read password hash in LDAP with `ldapsearch -Y GSSAPI
uid=admin ipaNTHash` thanks to kerberos
- make your smb.conf following the linked thread and restart service

I don't know if it works in Ubuntu. I know sssd has evolved quickly and
ipasam may use quite recent functionalities, the best is to just try. You
can read in previous thread : If you insist on Ubuntu you need to get
ipasam somewhere, most likely to compile it yourself.

Make sure your user has ipaNTHash attribute :)

You may want to debug authentication on samba server, I usually do this:
`tail -f /var/log/samba/log* | grep username`

Cheers
--
Youenn Piolet
piole...@gmail.com


2015-08-05 17:40 GMT+02:00 Matt . yamakasi@gmail.com:

 Hi,

 This sounds great to me too, but a howto would help to make it more
 clear about what you have done here. The thread confuses me a little
 bit.

 Can you paste your commands so we can test out too and report back ?

 Thanks!

 Matt

 2015-08-05 15:18 GMT+02:00 Christopher Lamb christopher.l...@ch.ibm.com:
  Hi Youenn
 
  Good news that you have got an integration working
 
  Now you have got it going, and the solution is fresh in your mind, how
  about adding a How-to page on this solution to the FreeIPA wiki?
 
  Chris
 
 
 
  From:   Youenn PIOLET piole...@gmail.com
  To: Matt . yamakasi@gmail.com
  Cc: Christopher Lamb/Switzerland/IBM@IBMCH,
  freeipa-users@redhat.com freeipa-users@redhat.com
  Date:   05.08.2015 14:51
  Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
 
 
 
  Hi guys,
 
   Thank you so much for your previous answers.
   I realised my SIDs were stored in ipaNTsecurityidentifier, thanks to
  ipa-adtrust-install --add-sids
 
  I found an other way to configure smb here:
 
 http://freeipa-users.redhat.narkive.com/ez2uKpFS/authenticate-samba-3-or-4-with-freeipa
  It works perfectly.
 
   I'm using module ipasam.so that I manually scp'd to the samba server,
  Samba is set to use kerberos + ldapsam via this ipasam module.
  Following the instructions, I created a user role allowing service
  principal to read ipaNTHash value from the LDAP.
  ipaNTHash are generated each time a user changes his password.
  Authentication works perfectly on Windows 7, 8 and 10.
 
  For more details, the previously linked thread is quite clear.
 
  Cheers
 
  --
  Youenn Piolet
  piole...@gmail.com
 
 
  2015-08-05 11:10 GMT+02:00 Matt . yamakasi@gmail.com:
Hi Chris.
 
Yes, Apache Studio did that but I was not sure why it complained it
was already there.
 
I'm still getting:
 
IPA Error 4205: ObjectclassViolation
 
missing attribute sambaGroupType required by object class
sambaGroupMapping
 
When adding a user.
 
 I also see class as field name under my Last name, this is not OK
 also.
 
 
 
We sure need to make some howto, I think we can nail this down :)
 
Thanks for the heads up!
 
Matthijs
 
2015-08-05 7:51 GMT+02:00 Christopher Lamb 
 christopher.l...@ch.ibm.com:
 Hi Matt

 If I use Apache Directory Studio to add an attribute ipaCustomFields
 to
 cn=ipaConfig,cn=etc, the operation it performs is a modify, as shown
below:

 #!RESULT OK
 #!CONNECTION ldap://xxx-ldap2.my.silly.example.com:yyy
 #!DATE 2015-08-05T05:45:04.608
 dn: cn=ipaConfig,cn=etc,dc=my,dc=silly,dc=example,dc=com
 changetype: modify
 add: ipaCustomFields
 ipaCustomFields: Samba Group Type,sambagrouptype,true

 After that I then have a visible attribute ipaCustomFields as
 expected.

 When adding the attribute, the wizard offered me ipaCustomFields as
 attribute type in a drop down list.

 Once we get this cracked, we really must write a how-to on the
 FreeIPA
 Wiki.

 Chris



 From:   Christopher Lamb/Switzerland/IBM@IBMCH
 To: Matt . yamakasi@gmail.com
 Cc: freeipa-users@redhat.com freeipa-users@redhat.com
 Date:   05.08.2015 07:31
 Subject:Re: [Freeipa
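Two of the steps in Youenn's list above are checks rather than configuration: verify that the SID (ipaNTsecurityidentifier) exists after ipa-adtrust-install --add-sids, and verify that ipaNTHash exists on each user object, since the hash is only generated when the user's password is reset afterwards. The script below is an added example, not part of the thread, that turns those two checks into a report over the LDIF that ldapsearch prints. The SAMPLE_LDIF is constructed (the SID and hash values are made up), and the ldapsearch invocation in the comment is an assumed one, run after obtaining a ticket for the CIFS service principal from its keytab.

```shell
#!/bin/sh
# Added example (not from the thread): report which IPA users carry the two
# attributes ipasam needs, ipaNTSecurityIdentifier (the SID) and ipaNTHash.
# On a real server the input would come from something like (assumed
# invocation, after kinit with the CIFS service keytab):
#   ldapsearch -Y GSSAPI -LLL -o ldif-wrap=no \
#       -b cn=users,cn=accounts,dc=test,dc=net '(uid=*)' \
#       uid ipaNTSecurityIdentifier ipaNTHash
# SAMPLE_LDIF is constructed; the SID and hash values are made up.
SAMPLE_LDIF='dn: uid=alice,cn=users,cn=accounts,dc=test,dc=net
uid: alice
ipaNTSecurityIdentifier: S-1-5-21-1111111111-2222222222-3333333333-1001
ipaNTHash:: AAAAAAAAAAAAAAAAAAAAAA==

dn: uid=bob,cn=users,cn=accounts,dc=test,dc=net
uid: bob
ipaNTSecurityIdentifier: S-1-5-21-1111111111-2222222222-3333333333-1002

dn: uid=carol,cn=users,cn=accounts,dc=test,dc=net
uid: carol
'

# nthash_report: read LDIF on stdin, print "uid sid=<y|n> nthash=<y|n>" per
# entry. Entries are separated by blank lines; a binary attribute such as
# ipaNTHash is printed by ldapsearch with "::" and a base64 value.
nthash_report() {
    awk '
        function flush() {
            if (uid != "") printf "%s sid=%s nthash=%s\n", uid, sid, hash
            uid = ""; sid = "n"; hash = "n"
        }
        BEGIN                        { sid = "n"; hash = "n" }
        /^uid: /                     { uid = substr($0, 6) }
        /^ipaNTSecurityIdentifier: / { sid = "y" }
        /^ipaNTHash::? /             { hash = "y" }
        /^$/                         { flush() }
        END                          { flush() }
    '
}

# users_missing_nthash: uids in the sample that cannot authenticate through
# ipasam yet because no NT hash has been generated (password never reset
# after ipa-adtrust-install). Prints them space-separated on one line.
users_missing_nthash() {
    printf '%s' "$SAMPLE_LDIF" | nthash_report \
        | awk '$3 == "nthash=n" { print $1 }' | tr '\n' ' ' | sed 's/ $//'
}

printf '%s' "$SAMPLE_LDIF" | nthash_report
echo "users without ipaNTHash: $(users_missing_nthash)"
```

Running the real query as the CIFS principal rather than as admin doubles as a test of the ACI from the linked thread: if the principal cannot read ipaNTHash, every user comes back as nthash=n even though the attribute is there.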

Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-08-04 Thread Youenn PIOLET
Hi there,

I have difficulty following you at this point :)
Here is what I've done and what I've understood:

## SMB Side
- Testparm OK
- I've got the same NT_STATUS_NO_SUCH_USER when I try to connect.
- pdbedit -Lv output is all successful but I can see there is a filter :
((uid=*)(objectclass=sambaSamAccount). In LDAP, the users don't have
sambaSamAccount.

## LDAP / FreeIPA side
- Since SMB server uses LDAP, I did ipa-adtrust-install on my FreeIPA
server to get samba LDAP extensions.
- I can see samba classes exist in LDAP but are not used on my group
objects nor my user objects
- I have added sambaSamAccount in FreeIPA default user classes,
and sambaGroupMapping to default group classes. In that state I can't
create user nor groups anymore, as new samba attributes are needed for
instantiation.
- I have added in etc ipaCustomFields: 'Samba Group Type,sambagrouptype,true'
but I don't get what it does.
- I tried to add the samba.js plugin. It works, and adds the local option
when creating a group in FreeIPA, supposed to set sambagrouptype to 4 or 2
(domain). It doesn't work and tells that sambagrouptype attribute doesn't
exist (but it should now I put sambaGroupType class by default...)

## Questions
0) Can I ask samba not to search sambaSamAccount and use unix / posix
instead? I guess no.
1) How to generate the user/group SIDs ? They are requested to add
sambaSamAccount classes.
This article doesn't seem relevant since we don't use domain controller
http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/cifs.html
and net getlocalsid returns an error.
2) How to fix samba.js plugin?
3) I guess an equivalent of samba.js is needed for user creation, where can
I find it?
4) Is your setup working with Windows 8 / Windows 10 and not only Windows 7?

Thanks a lot for your previous and future answers

--
Youenn Piolet
piole...@gmail.com


2015-08-04 17:55 GMT+02:00 Matt . yamakasi@gmail.com:

 Hi,

 Yes, log is anonymised.

 It's strange, my user doesn't have a SambaPwdLastSet, also when I
 change it's password it doesn't get it in ldap.

 There must be something going wrong I guess.

 Matt

 2015-08-04 17:45 GMT+02:00 Christopher Lamb christopher.l...@ch.ibm.com:
  Hi Matt
 
  I assume [username] is a real username, identical to that in the FreeIPA
  cn=accounts, cn=users tree? (i.e. you anonymised the log extract).
 
  Your user should be a member of the appropriate samba groups that you
 setup
  in FreeIPA.
 
  You should check that the user attribute SambaPwdLastSet is set to a
  positive value (e.g. 1). If not you get an error in the Samba logs - I
  would need to play around again with a test user to find out the exact
  error.
 
  I don't understand what you mean about syncing the users local, but we
 did
  not need to do anything like that.
 
  Chris
 
 
 
 
  From:   Matt . yamakasi@gmail.com
  To: Christopher Lamb/Switzerland/IBM@IBMCH
  Cc: freeipa-users@redhat.com freeipa-users@redhat.com
  Date:   04.08.2015 15:33
  Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
 
 
 
  Hi Chris,
 
  A puppet run added another passdb backend, that was causing my issue.
 
  What I still experience is:
 
 
  [2015/08/04 15:29:45.477783,  3]
  ../source3/auth/check_samsec.c:399(check_sam_security)
check_sam_security: Couldn't find user 'username' in passdb.
  [2015/08/04 15:29:45.478026,  2]
  ../source3/auth/auth.c:288(auth_check_ntlm_password)
check_ntlm_password:  Authentication for user [username] -
  [username] FAILED with error NT_STATUS_NO_SUCH_USER
 
 
  I also wonder if I shall still sync the users local, or is it needed ?
 
  Thanks again,
 
  Matt
 
  2015-08-04 14:16 GMT+02:00 Christopher Lamb christopher.l...@ch.ibm.com
 :
  Hi Matt
 
  From our smb.conf file:
 
  [global]
 security = user
 passdb backend = ldapsam:ldap://xxx-ldap2.my.silly.example.com
 ldap suffix = dc=my,dc=silly,dc=example,dc=com
 ldap admin dn = cn=Directory Manager
 
  So yes, we use Directory Manager, it works for us. I have not tried with
  a
  less powerful user, but it is conceivable that a lesser user may not see
  all the required attributes, resulting in no such user errors.
 
  Chris
 
 
 
 
  From:   Matt . yamakasi@gmail.com
  To: Christopher Lamb/Switzerland/IBM@IBMCH
  Cc: freeipa-users@redhat.com freeipa-users@redhat.com
  Date:   04.08.2015 13:32
  Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
 
 
 
  Hi Chris,
 
  Thanks for the heads up, indeed local is 4 I see now when I add a
  group from the GUI, great thanks!
 
  But do you use Directory Manager as ldap admin user or some other
  admin account ?
 
  I'm not sure if DM is needed and it should get that deep into IPA.
  Also when starting samba it cannot find such user as that sounds
  quite known as it has no UID.
 
  From your config I see you use DM, this should work ?
 
  Thanks!
 
 
  Matt
 
 
 
 
 
 

 --
 Manage your subscription for the Freeipa-users
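The Samba log excerpt Matt posted above shows the shape of the failure the thread is chasing: check_sam_security cannot find the user in passdb, and auth_check_ntlm_password then reports NT_STATUS_NO_SUCH_USER, which matches Youenn's observation that pdbedit's filter requires objectclass=sambaSamAccount while the IPA users do not have it. The script below is an added example, not part of the thread: it tallies Samba authentication failures per user and status from log lines and attaches the diagnosis the thread gives for each status. The SAMPLE_LOG is constructed; its first two entries mirror Matt's excerpt (with the "->" that mail wrapping turned into "-"), the rest are made up, and the status explanations are this script's own summary of the thread.

```shell
#!/bin/sh
# Added example (not from the thread): tally Samba auth failures per user and
# NT_STATUS code from log lines, and attach the thread's diagnosis for each.
# SAMPLE_LOG is constructed; the first two entries mirror the excerpt posted
# in the thread, the remaining lines are made up.
SAMPLE_LOG=$(cat <<'EOF'
[2015/08/04 15:29:45.477783,  3] ../source3/auth/check_samsec.c:399(check_sam_security)
  check_sam_security: Couldn't find user 'username' in passdb.
[2015/08/04 15:29:45.478026,  2] ../source3/auth/auth.c:288(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [username] -> [username] FAILED with error NT_STATUS_NO_SUCH_USER
[2015/08/04 15:31:02.100000,  2] ../source3/auth/auth.c:288(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [alice] -> [alice] FAILED with error NT_STATUS_LOGON_FAILURE
[2015/08/04 15:31:09.200000,  2] ../source3/auth/auth.c:288(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [alice] -> [alice] FAILED with error NT_STATUS_LOGON_FAILURE
[2015/08/04 15:32:00.000000,  2] ../source3/auth/auth.c:288(auth_check_ntlm_password)
  check_ntlm_password:  authentication for user [bob] -> [bob] -> [bob] succeeded
EOF
)

# samba_auth_failures: read log lines on stdin, print "<user> <status> <count>"
# for every distinct user/status pair among the FAILED lines, sorted.
samba_auth_failures() {
    awk '
        /Authentication for user \[/ && /FAILED with error NT_STATUS_/ {
            u = $0; sub(/.*Authentication for user \[/, "", u); sub(/\].*/, "", u)
            s = $0; sub(/.*FAILED with error /, "", s); sub(/[^A-Z0-9_].*/, "", s)
            n[u " " s]++
        }
        END { for (k in n) print k, n[k] }
    ' | sort
}

# explain_status: the thread's diagnosis for the two codes it discusses.
explain_status() {
    case "$1" in
        NT_STATUS_NO_SUCH_USER)
            echo "passdb lookup failed: the backend cannot see the user (check passdb backend, its search filter and the LDAP ACI for the CIFS principal)" ;;
        NT_STATUS_LOGON_FAILURE)
            echo "user found but the credential check failed (check that ipaNTHash and the SID exist for this user)" ;;
        *)
            echo "unclassified: $1" ;;
    esac
}

# failure_report: one line per user/status pair in the sample with its count
# and explanation.
failure_report() {
    printf '%s\n' "$SAMPLE_LOG" | samba_auth_failures | while read -r user status count; do
        printf '%s %s x%s: %s\n' "$user" "$status" "$count" "$(explain_status "$status")"
    done
}

failure_report
```

This is the batch form of the `tail -f /var/log/samba/log* | grep username` check from earlier in the thread; pointing samba_auth_failures at the real log files separates "user not visible to the backend" from "user visible but the hash check failed", which are fixed in different places.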

Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-07-31 Thread Youenn PIOLET
Hi,
I asked the very same question a few weeks ago, but no answer yet.
http://comments.gmane.org/gmane.linux.redhat.freeipa.user/18174

The only method I see is to install samba extensions in FreeIPA's LDAP
directory, and bind samba with LDAP. There may be a lot of difficulties
with password management doing this, that's why I'd like to get a better
solution :)

Anyone?


--
Youenn Piolet
piole...@gmail.com


2015-07-31 16:03 GMT+02:00 Matt . yamakasi@gmail.com:

 Hi Guys,

 I'm really struggling getting a NON AD Samba server authing against a
 FreeIPA server:

 Ubuntu 14.04 - Samba (no AD) / SSSD 1.12.5
 CentOS 7.1 - FreeIPA 4.1

 Now this seems to be the way:

 https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA

 But as this, which I also found on the mailinglists:

 NOTE: Only Kerberos authentication will work when accessing Samba
 shares using this method. This means that Windows clients not joined
 to Active Directory forest trusted by IPA would not be able to access
 the shares. This is related to SSSD not yet being able to handle
 NTLMSSP authentication.

 It might not be that easy to have a Samba Shares only server.

 Any idea here how to accomplish ?

 Cheers,

 Matt

 --
 Manage your subscription for the Freeipa-users mailing list:
 https://www.redhat.com/mailman/listinfo/freeipa-users
 Go to http://freeipa.org for more info on the project


[Freeipa-users] CIFS share with no active directory

2015-07-15 Thread Youenn PIOLET
Hi,

My question is quite simple, yet I didn't find any answer on the Internet
regarding how to do it :)

How can I configure a linux samba server to use FreeIPA for authentication,
without having clients to join an active directory domain when using
Windows 8?

I followed this article :
https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA

It works like a charm on Windows 7. Though, most of my users are using
Windows 8 and authentication doesn't work (NT_STATUS_NO_SUCH_USER)

What I understand is that Windows 8 is passing [usern...@domain.ipa]@[COMPUTER]
as login instead of [username]@[DOMAIN.IPA].

Is there any solution for this?

Thanks,

--
Youenn Piolet
piole...@gmail.com