Re: [Freeipa-users] does ptr records an admin have to take care of manually? testing!
sitest2

Regards,
Sergey Ivanov | serge...@gmail.com
bitmessage: BM-NBaNYkjtB5QBtoqvNYHvoEbNQqVMPBZD
digitalnote: ddeDtD1zUPvLBsxC5K8NSiAiXJeKeGpH1fd4ad41UuBU\
EUyKzT7JoND26FrJNdsies7EwoiSTKhMi5KEqyn525ZD2LAA3JCjQ

On Wed, Apr 27, 2016 at 9:12 AM, lejeczek <pelj...@yahoo.co.uk> wrote:
> hi,
>
> regular server install with --setup-dns
> then clients to follow, but I see there:
>
> Missing reverse record(s) for address(es):
>
> does that mean that by default server install process does not include
> reverse zones?
> These need to be set up manually/independently?
>
> many thanks
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
[Freeipa-users] Some problems with uninstalling and reinstalling of ipa-client.
Hi,

I have a few problems with ipa client installations against ipa server. The history which led to these problems is the following.

1. I have first installed Freeipa server on Fedora-20, and was testing and evaluating how it works and what are the features for a while.
2. While I was evaluating, Red Hat published RHEL-7. I tested ipa-client integration from RHEL-7 desktops to Fedora's FreeIPA server. It was working fine. Also I noticed that the features I needed exist in RHEL-7 supported IPA server.
3. Because there was no way to upgrade or migrate data from Fedora's FreeIPA to RHEL-7 IPA, I made new fresh installation of IPA server on RHEL-7 and wanted to move clients off Fedora's domain and join new one, although they had the same domain name for DNS and kerberos.
4. I ran ipa-client-install --uninstall on RHEL-7 desktop, and rebooted it when prompted.
5. I ran ipa-client-install to join new IPA servers, it reported success.

Now I have the following working:

1. I can ssh passwordless and without ssh public keys from hosts which have good kerberos ticket obtained from RHEL-7 ipa server to this problematic desktop computer.
2. I can see users there by typing id username.
3. Password sudo authentication against IPA on this computer.

What does not work:

1. local login with IPA credentials: complains about wrong password.
2. SSH from other hosts with password authentication, - the same wrong password.

I tried as a temporary workaround and created local user entry in /etc/shadow by

---
getent passwd username >> /etc/passwd
pwconv
chpasswd
username:anotherpassword
^D
---

and was able to login with this password, both local and remotely with ssh. Interesting, I've verified: IPA password works for sudo but not for login. But:

1. I was not able to use Gnome desktop environment: all windows were black rectangles. KDE was working fine.
2. I was not able to point firefox to new IPA server:

Your certificate contains the same serial number as another certificate issued by the certificate authority. Please get a new certificate containing a unique serial number. (Error code: sec_error_reused_issuer_and_serial)

Where does firefox store these certificates, and how can I replace the one from Fedora's FreeIPA server authority with new ones?

--
Regards,
Sergey Ivanov | serge...@gmail.com
http://www.linkedin.com/pub/sergey-ivanov/8/270/a09
[Freeipa-users] feature request
Dear IPA developers,

I'd like to describe what we are doing and ask about existing ways to do it easier, or if there are no such ways - to propose creating some tools to ease such way of migration.

We are preparing for migration to IPA. In our organization we were using kerberos servers for authentication together with /etc/passwd files for managing user access to hosts. In our organization we also are using kerberos together with .htaccess files for web authentication. And kerberos with pam for mail services, - both IMAP and SMTP via dovecot.

I asked some time ago and got reply here in this mailing list, that there is no way to use kdb_util to dump kerberos database and get from the dump values for inserting into IPA's ldap kerberos principal fields for user entries. So, we ended up using special web page, which authenticates our users against existing kerberos servers and after successful authentication resets password for this user in IPA.

We did not want password in IPA to be in expired state, so that users must change once more at first login. As a workaround we are using 2 different kerberos connection caches for each session: one for administrator for setting up user password to something unique, and second - for authenticating with this unique password as a user, just to reset it to the value requested by the user through the web form.

I think there would be pretty many similar cases. Maybe having customizable web form on IPA server itself, authenticating for user against some old external authentication system from which the migration is being performed would be the best. If not, then at least some standard way to drop privileges from administrator to user, for setting up password or maybe even other fields, would be great.

--
Regards,
Sergey Ivanov | serge...@gmail.com
http://www.linkedin.com/pub/sergey-ivanov/8/270/a09
[Freeipa-users] Is kerberos DB import to IPA possible?
Hi,

I am looking for deployment of freeIPA in our organization. We have kerberos servers used for authentication on our computers and in applications, while users are mostly defined in /etc/passwd.

For migration of users' passwords I have tried the way we usually do replicating password changes from master kerberos server to slaves. I did kdb5_util dump on old servers, transferred the dump to machine running FreeIPA, and was not able to do kdb5_util load -update, because of Kerberos database constraints violated.

Is there a way to import into freeIPA kerberos servers dump of kerberos principals, dumped by kdb5_util?

--
Regards,
Sergey Ivanov | serge...@gmail.com
http://www.linkedin.com/pub/sergey-ivanov/8/270/a09