Re: [Freeipa-users] Whit only krb5-workstation and oddjob-mkhomedir

2013-05-06 Thread Axel Berlin
Hello

I have been searching the world wide web and all I can find is to upgrade
SSSD, but I can't do that. I can't change those packages for the satellite.

Is there any other way?


2013/5/2 Axel Berlin acke...@gmail.com

> Nothing comes up in the logs when I do it on the client.
>
> Got any other tips?
>
>
> 2013/5/2 Jakub Hrozek jhro...@redhat.com
>
> > On Thu, May 02, 2013 at 11:46:16AM +0200, Axel Berlin wrote:
> > > On the client it doesn't return anything, but on the server it returns the
> > > following:
> > >
> > > kinit: Keytab contains no suitable keys for host/seadv-237-100.d1.gameop@d1.gameop.net while getting initial credentials
> > >
> > > But it is on the client that I should run it? The server doesn't have the
> > > 237-100 krb5.keytab file.
> >
> > Yes, on the client.



___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Whit only krb5-workstation and oddjob-mkhomedir

2013-05-06 Thread Jakub Hrozek
On Thu, May 02, 2013 at 01:03:07PM +0200, Axel Berlin wrote:
> Nothing comes up in the logs when I do it on the client.
>
> Got any other tips?

You shouldn't see anything in the logs. kinit is a simple command-line
utility. You should either see an error message printed to stdout or
nothing (and $? set to 0) if kinit succeeded.



Re: [Freeipa-users] Whit only krb5-workstation and oddjob-mkhomedir

2013-05-06 Thread Axel Berlin
[root@seadv-237-100 ~]# kinit -k host/seadv-237-100.d1.gameop.net
[root@seadv-237-100 ~]# echo $?
0

What more can I try?

I googled "[be_get_account_info] (4): Request processed. Returned 1,11,Fast
reply - offline"; all I can find is that I have to update some packages, but I
can't do that because of the live stuff.

So is there any other workaround for this? Or do I have to live with having
to change the resolv.conf?


2013/5/6 Jakub Hrozek jhro...@redhat.com

> On Thu, May 02, 2013 at 01:03:07PM +0200, Axel Berlin wrote:
> > Nothing comes up in the logs when I do it on the client.
> >
> > Got any other tips?
> >
>
> You shouldn't see anything in the logs. kinit is a simple command-line
> utility. You should either see an error message printed to stdout or
> nothing (and $? set to 0) if kinit succeeded.


Re: [Freeipa-users] Whit only krb5-workstation and oddjob-mkhomedir

2013-05-02 Thread Jakub Hrozek
On Thu, May 02, 2013 at 10:55:40AM +0200, Axel Berlin wrote:
> Here is the log output when I do
>
> id username
>
> sssd_d1.gameop.net.log
>
> (Thu May  2 10:44:59 2013) [sssd[be[d1.gameop.net]]] [sasl_bind_send] (4): Executing sasl bind mech: GSSAPI, user: host/seadv-237-100.d1.gameop.net
> (Thu May  2 10:44:59 2013) [sssd[be[d1.gameop.net]]] [sasl_bind_send] (1): ldap_sasl_bind failed (-2)[Local error]
> (Thu May  2 10:44:59 2013) [sssd[be[d1.gameop.net]]] [child_sig_handler] (7): Waiting for child [20277].

I think here is the problem. "Local error" is not very descriptive, but
the issue is most probably in the keytab.

Does the following work:
kinit -k host/seadv-237-100.d1.gameop.net

I bet it would print the same error message.



Re: [Freeipa-users] Whit only krb5-workstation and oddjob-mkhomedir

2013-05-02 Thread Axel Berlin
On the client it doesn't return anything, but on the server it returns the following:

kinit: Keytab contains no suitable keys for host/seadv-237-100.d1.gameop@d1.gameop.net while getting initial credentials

But it is on the client that I should run it? The server doesn't have the
237-100 krb5.keytab file.


2013/5/2 Jakub Hrozek jhro...@redhat.com

> On Thu, May 02, 2013 at 10:55:40AM +0200, Axel Berlin wrote:
> > Here is the log output when I do
> >
> > id username
> >
> > sssd_d1.gameop.net.log
> >
> > (Thu May  2 10:44:59 2013) [sssd[be[d1.gameop.net]]] [sasl_bind_send] (4): Executing sasl bind mech: GSSAPI, user: host/seadv-237-100.d1.gameop.net
> > (Thu May  2 10:44:59 2013) [sssd[be[d1.gameop.net]]] [sasl_bind_send] (1): ldap_sasl_bind failed (-2)[Local error]
> > (Thu May  2 10:44:59 2013) [sssd[be[d1.gameop.net]]] [child_sig_handler] (7): Waiting for child [20277].
>
> I think here is the problem. "Local error" is not very descriptive, but
> the issue is most probably in the keytab.
>
> Does the following work:
> kinit -k host/seadv-237-100.d1.gameop.net
>
> I bet it would print the same error message.

Re: [Freeipa-users] Whit only krb5-workstation and oddjob-mkhomedir

2013-05-02 Thread Jakub Hrozek
On Thu, May 02, 2013 at 11:46:16AM +0200, Axel Berlin wrote:
> On the client it doesn't return anything, but on the server it returns the following:
>
> kinit: Keytab contains no suitable keys for host/seadv-237-100.d1.gameop@d1.gameop.net while getting initial credentials
>
> But it is on the client that I should run it? The server doesn't have the
> 237-100 krb5.keytab file.

Yes, on the client.



Re: [Freeipa-users] Whit only krb5-workstation and oddjob-mkhomedir

2013-05-02 Thread Axel Berlin
Nothing comes up in the logs when I do it on the client.

Got any other tips?


2013/5/2 Jakub Hrozek jhro...@redhat.com

> On Thu, May 02, 2013 at 11:46:16AM +0200, Axel Berlin wrote:
> > On the client it doesn't return anything, but on the server it returns the
> > following:
> >
> > kinit: Keytab contains no suitable keys for host/seadv-237-100.d1.gameop@d1.gameop.net while getting initial credentials
> >
> > But it is on the client that I should run it? The server doesn't have the
> > 237-100 krb5.keytab file.
>
> Yes, on the client.


[Freeipa-users] Whit only krb5-workstation and oddjob-mkhomedir

2013-04-29 Thread Axel Berlin
Hello.

I'm trying to set up a Red Hat 6.1 client against the IPA server.

What I have done:

On the IPA server:

#ipa host-add --force --ip-address=192.168.237.1 seadv-.d1.gameop.net

#kinit admin

#ipa host-add-managedby --hosts=ipaserver.d1.gameop.net
seadv-237-1.d1.gameop.net


#ipa-getkeytab -s ipaserver.d1.gameop.net -p host/seadv-237-1.d1.gameop.net -k /tmp/seadv-.keytab

#scp client1.keytab seadv-237-1.d1.gameop.net:/tmp

On the 6.1 client:

#yum install krb5-workstation oddjob-mkhomedir
#mv /tmp/client1.keytab /etc/krb5.keytab

#vim /etc/krb5.conf

[libdefaults]
  default_realm = D1.GAMEOP.NET
  dns_lookup_realm = false
  dns_lookup_kdc = false
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  D1.GAMEOP.NET = {
kdc = ipaserver.d1.gameop.net:88
admin_server = ipaserver.d1.gameop.net:749
default_domain = d1.gameop.net
pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .d1.gameop.net = D1.GAMEOP.NET
  d1.gameop.net = D1.GAMEOP.NET


#cd /etc/pam.d/

#vim fingerprint-auth

auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_oddjob_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

#vim password-auth

auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_oddjob_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

#vim smartcard-auth

auth        required      pam_env.so
auth        [success=done ignore=ignore default=die] pam_pkcs11.so wait_for_card card_only
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    required      pam_pkcs11.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_oddjob_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

#vim system-auth

auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_oddjob_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

#vim /etc/sssd/sssd.conf

[domain/d1.gameop.net]

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = d1.gameop.net
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
ipa_server = _srv_, ipaserver.d1.gameop.net
ldap_tls_cacert = /etc/ipa/ca.crt

[sssd]
config_file_version = 2


Re: [Freeipa-users] Whit only krb5-workstation and oddjob-mkhomedir

2013-04-29 Thread Rob Crittenden

Axel Berlin wrote:
> Hello.
>
> I'm trying to set up a Red Hat 6.1 client against the IPA server.
>
> What I have done:
>
> On the IPA server:

[ snip lots of config ]

> nameserver 192.168.232.41
>
> I can id and ssh...
>
> So have I missed something with the DNS?
>
> I have tried to have the SRV records to only _ldap._tcp and
> _kerberos._tcp but that doesn't work either.


Did you start/restart sssd after creating the configuration?

You may want to add debug_level = 9 to the domains section and start 
again to bump up the logging. The logs go into /var/log/sssd.


What are the permissions on /etc/krb5.keytab? Should be 0600 root:root.

Is SELinux in enforcing mode? If so I'd check the audit log too.

rob

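A client-side check that bundles the two things the replies in this thread ask for: Rob's keytab permission requirement (0600 root:root) and Jakub's `kinit -k` test of the host principal. This is an added example, not code from the thread, from FreeIPA or from SSSD. It assumes MIT Kerberos `klist`/`kinit` and GNU `stat` on the client, the host principal `host/seadv-237-100.d1.gameop.net` from the sssd log above with the realm `D1.GAMEOP.NET` from the posted krb5.conf, and it embeds a constructed `klist -kt` listing so the parsing can be exercised without a KDC.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA/SSSD. Checks, on the
# client, that /etc/krb5.keytab is 0600 root:root and really holds a key for the
# host principal SSSD binds with, then repeats the `kinit -k` test from the
# thread. The parsing functions take command output on stdin or as arguments,
# so they also run against the constructed sample below; use `--live` on a
# real client to feed them the output of klist/stat/kinit.

# Principal SSSD used for its GSSAPI bind in the sssd log above, with the realm
# taken from the posted krb5.conf (default_realm = D1.GAMEOP.NET).
PRINC='host/seadv-237-100.d1.gameop.net@D1.GAMEOP.NET'

# keytab_has_principal PRINC  < "klist -kt output"
# Succeeds only if some key line (first field is the KVNO) ends in exactly
# PRINC. A near miss such as the server-side error text in the thread,
# host/seadv-237-100.d1.gameop@d1.gameop.net, is not a match: the host part
# and the realm must both agree with what SSSD asks for.
keytab_has_principal() {
    awk -v want="$1" '$1 ~ /^[0-9]+$/ && $NF == want { found = 1 } END { exit !found }'
}

# keytab_perms_ok "MODE OWNER GROUP"   (the output of: stat -c '%a %U %G' FILE)
# Rob's requirement: 0600 root:root. Anything looser lets other local users read
# the host's long-term key and obtain tickets as the host.
keytab_perms_ok() {
    [ "$1" = "600 root root" ]
}

# check_client_keytab [KEYTAB]: run the live checks; returns 0 only if all pass.
check_client_keytab() {
    kt=${1:-/etc/krb5.keytab}
    rc=0
    perms=$(stat -c '%a %U %G' "$kt") || return 1
    if keytab_perms_ok "$perms"; then
        echo "ok   $kt is 0600 root:root"
    else
        echo "FAIL $kt is $perms, expected 600 root root"; rc=1
    fi
    if klist -kt "$kt" | keytab_has_principal "$PRINC"; then
        echo "ok   $kt has a key for $PRINC"
    else
        echo "FAIL $kt has no key for $PRINC (run: klist -kt $kt)"; rc=1
    fi
    # Jakub's test, but into a throwaway credential cache so root's own
    # ticket cache is left untouched.
    cc=$(mktemp) || return 1
    if kinit -c "FILE:$cc" -k -t "$kt" "$PRINC"; then
        echo "ok   kinit -k succeeded for $PRINC"
    else
        echo "FAIL kinit -k failed for $PRINC (the message above is from kinit)"; rc=1
    fi
    rm -f "$cc"
    return $rc
}

# Constructed `klist -kt` listing in the format MIT klist prints, for offline use.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 05/02/13 10:44:59 host/seadv-237-100.d1.gameop.net@D1.GAMEOP.NET
   2 05/02/13 10:44:59 host/seadv-237-100.d1.gameop.net@D1.GAMEOP.NET'

if [ "${1:-}" = "--live" ]; then
    check_client_keytab "${2:-/etc/krb5.keytab}"
elif printf '%s\n' "$SAMPLE_KLIST" | keytab_has_principal "$PRINC"; then
    echo "sample listing contains a key for $PRINC"
else
    echo "sample listing has no key for $PRINC"
fi
```

On a real client run it as root with `--live`; the `kinit` step prints the same message Jakub expected to see, and a non-zero return value tells you which of the three checks failed. The principal comparison is deliberately exact, which is why a keytab issued for a slightly different host name or realm is reported as "no key" rather than silently accepted.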