Re: [Freeipa-users] New FreeIPA Install; Testing for Proof of Concept
On 08/12/2012 12:05 PM, Simo Sorce wrote:
> - Original Message -
>> On 08/08/2012 08:07 PM, Simo Sorce wrote:
>>> On Wed, 2012-08-08 at 19:59 +0200, Petr Spacek wrote:
>>>> On 08/08/2012 07:27 PM, Rob Ogilvie wrote:
>>>>> On Wed, Aug 8, 2012 at 9:06 AM, Petr Spacek pspa...@redhat.com wrote:
>>>>>> Best way is to create subdomain UNIX.MYCOMPANY.COM and fill it with proper SRV records (or let IPA manage it).
>>>>>
>>>>> Ugh, I hope this doesn't end up pushing us back to NIS.
>>>>>
>>>>> If I can get our infrastructure guys to buy off on making a unix.mycompany.com subdomain in DNS, would I need to move all the hosts to be under that subdomain in DNS? I have some services
>>>>
>>>> Definitely not. You can create subdomain UNIX.MYCOMPANY.COM, fill it with SRV records and leave this subdomain without hosts (maybe except IPA servers ...). It is not necessary to rename all hosts.
>>>>
>>>> Problem is simple - Kerberos libraries have to know where KDCs are located - and DNS is the standardized way to accomplish it.
>>>>
>>>> Let me quote another reply from this thread:
>>>>
>>>> On 08/08/2012 06:14 PM, KodaK wrote:
>>>>> You *could* use something like puppet to manage your krb5.conf files (I have to with our AIX machines.) Also, it's important to note that your REALM does NOT need to match your DNS domain name. It's a convenience, and it's very, very helpful to do so, but it is possible to have a REALM called MIDDLEEARTH if you wanted. I'm not sure how IPA would deal with that, but I know you can do it in straight up Kerberos.
>>>>
>>>>> configured that are difficult to rename the DNS domain of. Could, for instance, host-one.mycompany.com be part of the UNIX.MYCOMPANY.COM realm, given a MYCOMPANY.COM realm also exists?
>>>>
>>>> Yes, it could.
>>>>
>>>>> I could then put some SRV records into the subdomain's zone to point the kerberos stuff to the IPA server, change the domain on the IPA server, change the realm on the IPA server, re-register clients, and everything would be happy?
>>>>
>>>> I get lost in the renaming part. Can you describe your idea in bigger detail?
>>>>
>>>>> Ugh... actually... now that I think about this, I don't think I want half my servers in a unix subdomain in DNS, which means DNS and realm wouldn't match... Thoughts?
>>>>>
>>>>> Aside from rebuilding the infrastructure I've built already? :-)
>>>>
>>>> Leave all machines in MYCOMPANY.COM and use IPA realm UNIX.MYCOMPANY.COM. IMHO it is the simplest way.
>>>>
>>>> This limitation comes from Kerberos: You are trying to use *single domain name* for *two independent Kerberos realms* - it is principally not possible.
>>>
>>> I just need to point out one problem with leaving all machines under MYDOMAIN.COM, and that is if you later want to make a trust (option available starting from IPA 3.0) between the AD realm and the IPA realm, the machines in the mydomain.com domain will not be able to be accessed by the users of the AD realm. That is because the machines joined to the AD realm will think that the mydomain.com machines are always served up by the AD domain.
>>>
>>> On the IPA side you may also have some issues as you will not be able to tell IPA clients that they need to ask the AD KDC for the hosts under mydomain.com.
>>>
>>> So ultimately, I would put as many machines as you can under UNIX.MYDOMAIN.COM, to minimize confusion in case later on you want to establish a trust between the AD domain and the IPA domain.
>>>
>>> Simo.
>>
>> Is it possible to work around these problems with hostname-realm mappings? It is not a clear solution, I know, but it should be doable for a limited set of unix machines. AFAIK Windows AD (I tested it with 2008 R2) has the ability to set hostname-realm mappings through Group Policy.
>
> Yes, from the Linux side it is possible to map single hostnames to a realm, so the top domain could be generally mapped to the AD realm, and then single hosts mapped to the IPA realm.
>
> This is not possible for Windows machines in the AD domain though (afaik).
>
> Simo.

It should be doable via AD Group Policy:
http://support.microsoft.com/kb/947706/en-us

Petr^2 Spacek

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] New FreeIPA Install; Testing for Proof of Concept
On Tue, Aug 7, 2012 at 7:03 PM, KodaK sako...@gmail.com wrote:
> It's hard to tell with the obfuscation, but is your DOMAIN the same as the one handled by the domain controller vm-mapsdc2?

Indeed, it is.

> You can only have one Kerberos realm named DOMAIN.

How do they know about each other?

> For example, if you have the windows domain/Kerb realm MYCOMPANY.COM, you will not be able to have it coexist with an IPA server controlling the realm MYCOMPANY.COM.

That's quite unfortunate. How can I work around this? Can I create the realm BLAH.MYCOMPANY.COM or maybe even NOTMYCOMPANY.COM without a DNS domain to match, or will I need to interface with the DNS admins? Is there a good document that describes the nature of these realms and their relation to DNS?

> If it's an oldschool NT type domain you should be OK, but if it's Active Directory (which uses Kerberos) you can't do it.

It's an Active Directory domain.

Rob
Re: [Freeipa-users] New FreeIPA Install; Testing for Proof of Concept
On 08/08/2012 05:42 PM, Rob Ogilvie wrote:
> On Tue, Aug 7, 2012 at 7:03 PM, KodaK sako...@gmail.com wrote:
>> It's hard to tell with the obfuscation, but is your DOMAIN the same as the one handled by the domain controller vm-mapsdc2?
>
> Indeed, it is.
>
>> You can only have one Kerberos realm named DOMAIN.
>
> How do they know about each other?

There are DNS SRV records for Kerberos KDC and realm names.

The original Kerberos documentation mentions DNS in:
http://web.mit.edu/kerberos/www/krb5-1.10/krb5-1.10.2/doc/krb5-admin.html#Using-DNS

Kerberos principles (not only DNS) are described in:
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Smart_Cards/Using_Kerberos.html

>> For example, if you have the windows domain/Kerb realm MYCOMPANY.COM, you will not be able to have it coexist with an IPA server controlling the realm MYCOMPANY.COM.
>
> That's quite unfortunate. How can I work around this? Can I create the realm BLAH.MYCOMPANY.COM or maybe even NOTMYCOMPANY.COM without a DNS domain to match, or will I need to interface with the DNS admins? Is there a good document that describes the nature of these realms and their relation to DNS?

Best way is to create subdomain UNIX.MYCOMPANY.COM and fill it with proper SRV records (or let IPA manage it).

You can configure all servers and clients statically with /etc/krb5.conf, but it is error-prone and not scalable.

Configuration with AD and IPA with the same domain name is not supported, because it confuses Kerberos libraries.

Petr^2 Spacek

>> If it's an oldschool NT type domain you should be OK, but if it's Active Directory (which uses Kerberos) you can't do it.
>
> It's an Active Directory domain.
>
> Rob
Re: [Freeipa-users] New FreeIPA Install; Testing for Proof of Concept
On Wed, Aug 8, 2012 at 11:06 AM, Petr Spacek pspa...@redhat.com wrote:
> Best way is to create subdomain UNIX.MYCOMPANY.COM and fill it with proper SRV records (or let IPA manage it).

Absolutely, this is the best way.

> You can configure all servers and clients statically with /etc/krb5.conf, but it is error-prone and not scalable.

You *could* use something like puppet to manage your krb5.conf files (I have to with our AIX machines.) Also, it's important to note that your REALM does NOT need to match your DNS domain name. It's a convenience, and it's very, very helpful to do so, but it is possible to have a REALM called MIDDLEEARTH if you wanted. I'm not sure how IPA would deal with that, but I know you can do it in straight up Kerberos.

--Jason
Re: [Freeipa-users] New FreeIPA Install; Testing for Proof of Concept
Rob, you may want to read through this whole FAQ, but this one covers what I'm talking about:

http://www.cmf.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html#realms

--
The government is going to read our mail anyway, might as well make it tough for them.
GPG Public key ID: B6A1A7C6
Re: [Freeipa-users] New FreeIPA Install; Testing for Proof of Concept
On Wed, Aug 8, 2012 at 9:06 AM, Petr Spacek pspa...@redhat.com wrote:
> Best way is to create subdomain UNIX.MYCOMPANY.COM and fill it with proper SRV records (or let IPA manage it).

Ugh, I hope this doesn't end up pushing us back to NIS.

If I can get our infrastructure guys to buy off on making a unix.mycompany.com subdomain in DNS, would I need to move all the hosts to be under that subdomain in DNS? I have some services configured that are difficult to rename the DNS domain of. Could, for instance, host-one.mycompany.com be part of the UNIX.MYCOMPANY.COM realm, given a MYCOMPANY.COM realm also exists?

I could then put some SRV records into the subdomain's zone to point the kerberos stuff to the IPA server, change the domain on the IPA server, change the realm on the IPA server, re-register clients, and everything would be happy?

Ugh... actually... now that I think about this, I don't think I want half my servers in a unix subdomain in DNS, which means DNS and realm wouldn't match... Thoughts?

Aside from rebuilding the infrastructure I've built already? :-)

Rob
Re: [Freeipa-users] New FreeIPA Install; Testing for Proof of Concept
On 08/08/2012 07:27 PM, Rob Ogilvie wrote:
> On Wed, Aug 8, 2012 at 9:06 AM, Petr Spacek pspa...@redhat.com wrote:
>> Best way is to create subdomain UNIX.MYCOMPANY.COM and fill it with proper SRV records (or let IPA manage it).
>
> Ugh, I hope this doesn't end up pushing us back to NIS.
>
> If I can get our infrastructure guys to buy off on making a unix.mycompany.com subdomain in DNS, would I need to move all the hosts to be under that subdomain in DNS? I have some services

Definitely not. You can create subdomain UNIX.MYCOMPANY.COM, fill it with SRV records and leave this subdomain without hosts (maybe except IPA servers ...). It is not necessary to rename all hosts.

Problem is simple - Kerberos libraries have to know where KDCs are located - and DNS is the standardized way to accomplish it.

Let me quote another reply from this thread:

On 08/08/2012 06:14 PM, KodaK wrote:
> You *could* use something like puppet to manage your krb5.conf files (I have to with our AIX machines.) Also, it's important to note that your REALM does NOT need to match your DNS domain name. It's a convenience, and it's very, very helpful to do so, but it is possible to have a REALM called MIDDLEEARTH if you wanted. I'm not sure how IPA would deal with that, but I know you can do it in straight up Kerberos.

> configured that are difficult to rename the DNS domain of. Could, for instance, host-one.mycompany.com be part of the UNIX.MYCOMPANY.COM realm, given a MYCOMPANY.COM realm also exists?

Yes, it could.

> I could then put some SRV records into the subdomain's zone to point the kerberos stuff to the IPA server, change the domain on the IPA server, change the realm on the IPA server, re-register clients, and everything would be happy?

I get lost in the renaming part. Can you describe your idea in bigger detail?

> Ugh... actually... now that I think about this, I don't think I want half my servers in a unix subdomain in DNS, which means DNS and realm wouldn't match... Thoughts?
>
> Aside from rebuilding the infrastructure I've built already? :-)

Leave all machines in MYCOMPANY.COM and use IPA realm UNIX.MYCOMPANY.COM. IMHO it is the simplest way.

This limitation comes from Kerberos: You are trying to use *single domain name* for *two independent Kerberos realms* - it is principally not possible.

Petr^2 Spacek
Re: [Freeipa-users] New FreeIPA Install; Testing for Proof of Concept
On Wed, 2012-08-08 at 19:59 +0200, Petr Spacek wrote:
> On 08/08/2012 07:27 PM, Rob Ogilvie wrote:
>> On Wed, Aug 8, 2012 at 9:06 AM, Petr Spacek pspa...@redhat.com wrote:
>>> Best way is to create subdomain UNIX.MYCOMPANY.COM and fill it with proper SRV records (or let IPA manage it).
>>
>> Ugh, I hope this doesn't end up pushing us back to NIS.
>>
>> If I can get our infrastructure guys to buy off on making a unix.mycompany.com subdomain in DNS, would I need to move all the hosts to be under that subdomain in DNS? I have some services
>
> Definitely not. You can create subdomain UNIX.MYCOMPANY.COM, fill it with SRV records and leave this subdomain without hosts (maybe except IPA servers ...). It is not necessary to rename all hosts.
>
> Problem is simple - Kerberos libraries have to know where KDCs are located - and DNS is the standardized way to accomplish it.
>
> Let me quote another reply from this thread:
>
> On 08/08/2012 06:14 PM, KodaK wrote:
>> You *could* use something like puppet to manage your krb5.conf files (I have to with our AIX machines.) Also, it's important to note that your REALM does NOT need to match your DNS domain name. It's a convenience, and it's very, very helpful to do so, but it is possible to have a REALM called MIDDLEEARTH if you wanted. I'm not sure how IPA would deal with that, but I know you can do it in straight up Kerberos.
>
>> configured that are difficult to rename the DNS domain of. Could, for instance, host-one.mycompany.com be part of the UNIX.MYCOMPANY.COM realm, given a MYCOMPANY.COM realm also exists?
>
> Yes, it could.
>
>> I could then put some SRV records into the subdomain's zone to point the kerberos stuff to the IPA server, change the domain on the IPA server, change the realm on the IPA server, re-register clients, and everything would be happy?
>
> I get lost in the renaming part. Can you describe your idea in bigger detail?
>
>> Ugh... actually... now that I think about this, I don't think I want half my servers in a unix subdomain in DNS, which means DNS and realm wouldn't match... Thoughts?
>>
>> Aside from rebuilding the infrastructure I've built already? :-)
>
> Leave all machines in MYCOMPANY.COM and use IPA realm UNIX.MYCOMPANY.COM. IMHO it is the simplest way.
>
> This limitation comes from Kerberos: You are trying to use *single domain name* for *two independent Kerberos realms* - it is principally not possible.

I just need to point out one problem with leaving all machines under MYDOMAIN.COM, and that is if you later want to make a trust (option available starting from IPA 3.0) between the AD realm and the IPA realm, the machines in the mydomain.com domain will not be able to be accessed by the users of the AD realm. That is because the machines joined to the AD realm will think that the mydomain.com machines are always served up by the AD domain.

On the IPA side you may also have some issues as you will not be able to tell IPA clients that they need to ask the AD KDC for the hosts under mydomain.com.

So ultimately, I would put as many machines as you can under UNIX.MYDOMAIN.COM, to minimize confusion in case later on you want to establish a trust between the AD domain and the IPA domain.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] New FreeIPA Install; Testing for Proof of Concept
So here's my plan, then... let me know if it seems like it'll make sense?

- I'm going to uninstall everything IPA from the IPA server (ovm-auth.mycompany.com) after I unregister the client machines.
- I'm going to set up the IPA server with a new realm; UNIX.MYCOMPANY.COM (do I need to have our DNS folks put an SRV record up there for that? If so, what?)
- I'm going to try registering testserver.mycompany.com server as part of the UNIX.MYCOMPANY.COM realm.

Sound reasonable and/or sane? :-)

Rob
Re: [Freeipa-users] New FreeIPA Install; Testing for Proof of Concept
On Wed, 2012-08-08 at 11:23 -0700, Rob Ogilvie wrote:
> So here's my plan, then... let me know if it seems like it'll make sense?
>
> - I'm going to uninstall everything IPA from the IPA server (ovm-auth.mycompany.com) after I unregister the client machines.
> - I'm going to set up the IPA server with a new realm; UNIX.MYCOMPANY.COM (do I need to have our DNS folks put an SRV record up there for that? If so, what?)

If your DNS people want to manually manage DNS for you then they need to create the unix.mydomain.com zone and manually create SRV and TXT records for kerberos and ldap IPA servers.

If they want to avoid having to manage DNS for you they can delegate the subdomain to you and you can install DNS integration in IPA so critical DNS records are automatically managed for you.

For tests you can also just use the FreeIPA integrated DNS server and create your own DNS server there that forwards to your official DNS servers for any query out of unix.mydomain.com (you point it to your current DNS server when install asks for forwarders). If you do this you will have to point your IPA clients to your IPA server for DNS. And unless you get a zone delegation only machines pointing directly at your server in their resolv.conf will be able to see the unix.mydomain.com zone.

> - I'm going to try registering testserver.mycompany.com server as part of the UNIX.MYCOMPANY.COM realm.
>
> Sound reasonable and/or sane? :-)

For the IPA server it should be in the unix.mydomain.com DNS zone to be useful.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] New FreeIPA Install; Testing for Proof of Concept
On Wed, Aug 8, 2012 at 11:52 AM, Simo Sorce s...@redhat.com wrote:
> On Wed, 2012-08-08 at 11:23 -0700, Rob Ogilvie wrote:
>> - I'm going to set up the IPA server with a new realm; UNIX.MYCOMPANY.COM (do I need to have our DNS folks put an SRV record up there for that? If so, what?)
>
> If your DNS people want to manually manage DNS for you then they need to create the unix.mydomain.com zone and manually create SRV and TXT records for kerberos and ldap IPA servers.

Is there a doc that explains what those SRV and TXT records need to look like?

>> - I'm going to try registering testserver.mycompany.com server as part of the UNIX.MYCOMPANY.COM realm.
>>
>> Sound reasonable and/or sane? :-)
>
> For the IPA server it should be in the unix.mydomain.com DNS zone to be useful.

The IPA server needs to be part of the unix.mycompany.com domain, then, and the IPA clients do not?

Rob
Re: [Freeipa-users] New FreeIPA Install; Testing for Proof of Concept
On Wed, 2012-08-08 at 12:16 -0700, Rob Ogilvie wrote:
> On Wed, Aug 8, 2012 at 11:52 AM, Simo Sorce s...@redhat.com wrote:
>> On Wed, 2012-08-08 at 11:23 -0700, Rob Ogilvie wrote:
>>> - I'm going to set up the IPA server with a new realm; UNIX.MYCOMPANY.COM (do I need to have our DNS folks put an SRV record up there for that? If so, what?)
>>
>> If your DNS people want to manually manage DNS for you then they need to create the unix.mydomain.com zone and manually create SRV and TXT records for kerberos and ldap IPA servers.
>
> Is there a doc that explains what those SRV and TXT records need to look like?

When you install FreeIPA it will generate a zone file if DNS is not installed as well, that's probably the most complete example.

>>> - I'm going to try registering testserver.mycompany.com server as part of the UNIX.MYCOMPANY.COM realm.
>>>
>>> Sound reasonable and/or sane? :-)
>>
>> For the IPA server it should be in the unix.mydomain.com DNS zone to be useful.
>
> The IPA server needs to be part of the unix.mycompany.com domain, then, and the IPA clients do not?

The simplest setup is when all clients are part of the same DNS zone which is not shared with an AD setup.

Unlike AD we do not force all clients to be positioned in the same DNS zone, however if you have clients not belonging to the same DNS domain you may have to change the krb5.conf file on all members of the realm to add additional [domain_realm] mappings so that you can tell that clients in zone foo.net are also to be looked for in the UNIX.MYDOMAIN.COM realm and its KDC.

We are going to make it simpler to add these domains centrally in FreeIPA and have SSSD automatically provide these mappings on all clients, but this work is being done in v 3.0. For now it needs to be manually configured on each client.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
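The [domain_realm] mapping Simo describes is what lets hosts that stay in mycompany.com (the AD-owned DNS domain) still be treated as members of UNIX.MYCOMPANY.COM. The script below, an added example that is not part of the thread and not FreeIPA code, reads a constructed krb5.conf and resolves a hostname to a realm in the search order libkrb5 documents for [domain_realm] (exact host, then each shorter domain suffix with and without a leading dot), then lists that realm's KDCs from [realms]. All hostnames, the second KDC and the AD domain controller entry are assumptions made up for the sample.

```python
"""Resolve "which realm owns this host?" the way libkrb5 reads a krb5.conf
[domain_realm] section, then find that realm's KDCs from [realms].

Added example for this thread; it is not FreeIPA code.  The krb5.conf below is
a constructed sample: machines stay in mycompany.com (owned by AD) while the
IPA realm is UNIX.MYCOMPANY.COM, and individual IPA-enrolled hosts are pinned
to the IPA realm by exact-hostname entries."""

import re
from typing import Dict, List, Optional

SAMPLE_KRB5_CONF = """
[libdefaults]
  default_realm = UNIX.MYCOMPANY.COM
  dns_lookup_kdc = true

[realms]
  # constructed hostnames; the second kdc line stands in for an IPA replica
  UNIX.MYCOMPANY.COM = {
    kdc = ovm-auth.unix.mycompany.com:88
    kdc = ovm-auth2.unix.mycompany.com:88
    admin_server = ovm-auth.unix.mycompany.com:749
  }
  # the AD domain controller, so AD-owned hosts are still reachable
  MYCOMPANY.COM = {
    kdc = vm-mapsdc2.mycompany.com:88
  }

[domain_realm]
  .unix.mycompany.com = UNIX.MYCOMPANY.COM
  unix.mycompany.com = UNIX.MYCOMPANY.COM
  .mycompany.com = MYCOMPANY.COM
  mycompany.com = MYCOMPANY.COM
  host-one.mycompany.com = UNIX.MYCOMPANY.COM
  testserver.mycompany.com = UNIX.MYCOMPANY.COM
"""


def _put(target: dict, key: str, value: str) -> None:
    """Repeated keys (e.g. several kdc lines) accumulate into a list."""
    if key in target:
        old = target[key]
        target[key] = (old if isinstance(old, list) else [old]) + [value]
    else:
        target[key] = value


def parse_krb5_conf(text: str) -> Dict[str, dict]:
    """Minimal krb5.conf reader: [sections], key = value, and one level of
    NAME = { ... } sub-blocks as used under [realms]."""
    sections: Dict[str, dict] = {}
    current: Optional[dict] = None
    sub: Optional[dict] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            current, sub = sections.setdefault(m.group(1), {}), None
            continue
        if current is None:
            raise ValueError(f"directive outside any section: {line!r}")
        if line == "}":
            sub = None
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if value == "{":
            sub = current.setdefault(key, {})
        else:
            _put(sub if sub is not None else current, key, value)
    return sections


def realm_for_host(hostname: str, domain_realm: Dict[str, str]) -> Optional[str]:
    """Mirror libkrb5's documented search order for host a.b.c.d:
    a.b.c.d, .b.c.d, b.c.d, .c.d, c.d, .d, d.  A leading-dot key covers every
    host below that domain; a key without the dot matches that exact name
    (and, per the MIT docs, hosts below it that no earlier rule caught)."""
    host = hostname.lower().rstrip(".")
    labels = host.split(".")
    candidates = [host]
    for i in range(1, len(labels)):
        suffix = ".".join(labels[i:])
        candidates += ["." + suffix, suffix]
    for key in candidates:
        if key in domain_realm:
            return domain_realm[key]
    return None  # libkrb5 would fall back to DNS TXT lookups / referrals here


def kdcs_for_realm(realm: str, realms: Dict[str, dict]) -> List[str]:
    """KDC list for a realm from [realms]; always a list, even for one kdc."""
    kdc = realms.get(realm, {}).get("kdc", [])
    return kdc if isinstance(kdc, list) else [kdc]


def main() -> None:
    conf = parse_krb5_conf(SAMPLE_KRB5_CONF)
    for host in ("host-one.mycompany.com", "fileserver.mycompany.com",
                 "ovm-auth.unix.mycompany.com", "other.example.net"):
        realm = realm_for_host(host, conf["domain_realm"])
        kdcs = kdcs_for_realm(realm, conf["realms"]) if realm else []
        print(f"{host:30} -> {realm or '(no mapping)':20} kdcs={kdcs}")


if __name__ == "__main__":
    main()
```

The point to take from the run is the asymmetry: every host under mycompany.com falls to the AD realm by the `.mycompany.com` rule, while `host-one` and `testserver` are caught first by their exact-name entries and sent to the IPA KDC. Anything not covered returns no realm, which is where a real client would start asking DNS instead.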
Re: [Freeipa-users] New FreeIPA Install; Testing for Proof of Concept
On Wed, Aug 8, 2012 at 2:16 PM, Rob Ogilvie r...@axpr.net wrote:
> On Wed, Aug 8, 2012 at 11:52 AM, Simo Sorce s...@redhat.com wrote:
>> On Wed, 2012-08-08 at 11:23 -0700, Rob Ogilvie wrote:
>>> - I'm going to set up the IPA server with a new realm; UNIX.MYCOMPANY.COM (do I need to have our DNS folks put an SRV record up there for that? If so, what?)
>>
>> If your DNS people want to manually manage DNS for you then they need to create the unix.mydomain.com zone and manually create SRV and TXT records for kerberos and ldap IPA servers.
>
> Is there a doc that explains what those SRV and TXT records need to look like?

If you're not familiar with this document then you need to spend some quality time with it:

http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html

:)

In it you'll find:

"If a DNS server is already configured in the network, then the configuration in the IPA-generated file can be added to the existing DNS zone file. This allows IPA clients to find LDAP and Kerberos servers that are required for them to participate in the IPA domain. For example, this DNS zone configuration is created for an IPA server with the KDC and DNS servers all on the same machine in the EXAMPLE.COM realm:"

    ; ldap servers
    _ldap._tcp              IN SRV 0 100 389   ipaserver.example.com.

    ;kerberos realm
    _kerberos               IN TXT EXAMPLE.COM

    ; kerberos servers
    _kerberos._tcp          IN SRV 0 100 88    ipaserver.example.com.
    _kerberos._udp          IN SRV 0 100 88    ipaserver.example.com.
    _kerberos-master._tcp   IN SRV 0 100 88    ipaserver.example.com.
    _kerberos-master._udp   IN SRV 0 100 88    ipaserver.example.com.
    _kpasswd._tcp           IN SRV 0 100 464   ipaserver.example.com.
    _kpasswd._udp           IN SRV 0 100 464   ipaserver.example.com.
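The records quoted above are exactly what a client consults when it has no static KDC list: the `_kerberos` TXT record maps a DNS domain to a realm name, and the `_kerberos._tcp`/`_udp` SRV records under the lower-cased realm name give the KDCs, ordered by priority and spread by weight (RFC 2782). The script below is an added example, not part of the thread or of FreeIPA; it parses a zone text modelled on the quoted snippet with the origin changed to unix.mycompany.com, plus two constructed extra KDC records (a replica and a lower-priority fallback) so the ordering rules have something to act on. The hostnames are assumptions.

```python
"""How a Kerberos client turns the IPA-generated DNS records into a realm name
and an ordered list of KDCs.  Added example for this thread, not FreeIPA code;
the zone text is constructed after the snippet quoted from the RHEL Identity
Management Guide, with the origin changed to unix.mycompany.com and two extra
constructed KDC records so priority/weight ordering is visible."""

import random
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ORIGIN = "unix.mycompany.com."

SAMPLE_ZONE = """
; ldap servers
_ldap._tcp              IN SRV 0 100 389  ipaserver.unix.mycompany.com.

;kerberos realm
_kerberos               IN TXT "UNIX.MYCOMPANY.COM"

; kerberos servers
_kerberos._tcp          IN SRV 0 100 88   ipaserver.unix.mycompany.com.
_kerberos._tcp          IN SRV 0 100 88   replica.unix.mycompany.com.   ; constructed
_kerberos._tcp          IN SRV 10 50 88   drsite.unix.mycompany.com.    ; constructed
_kerberos._udp          IN SRV 0 100 88   ipaserver.unix.mycompany.com.
_kerberos-master._tcp   IN SRV 0 100 88   ipaserver.unix.mycompany.com.
_kerberos-master._udp   IN SRV 0 100 88   ipaserver.unix.mycompany.com.
_kpasswd._tcp           IN SRV 0 100 464  ipaserver.unix.mycompany.com.
_kpasswd._udp           IN SRV 0 100 464  ipaserver.unix.mycompany.com.
"""


@dataclass(frozen=True)
class SRV:
    priority: int
    weight: int
    port: int
    target: str


Zone = Dict[Tuple[str, str], list]  # (owner FQDN, rrtype) -> records


def parse_zone(text: str, origin: str) -> Zone:
    """Read the TTL-less 'owner IN TYPE rdata' lines the IPA installer writes.
    Relative owner names are qualified with the zone origin."""
    zone: Zone = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        fields = line.split()
        owner, rest = fields[0], fields[1:]
        if rest and rest[0].upper() == "IN":  # class is optional
            rest = rest[1:]
        rtype, rdata = rest[0].upper(), rest[1:]
        fqdn = owner if owner.endswith(".") else f"{owner}.{origin}"
        if rtype == "SRV":
            prio, weight, port = (int(x) for x in rdata[:3])
            zone.setdefault((fqdn, "SRV"), []).append(SRV(prio, weight, port, rdata[3]))
        elif rtype == "TXT":
            zone.setdefault((fqdn, "TXT"), []).append(" ".join(rdata).strip('"'))
        else:
            raise ValueError(f"unsupported record type in sample: {rtype}")
    return zone


def realm_for_domain(domain: str, zone: Zone) -> Optional[str]:
    """_kerberos.<domain> TXT: which realm serves hosts in this DNS domain
    (the dns_lookup_realm path in libkrb5)."""
    txt = zone.get((f"_kerberos.{domain.rstrip('.')}.", "TXT"))
    return txt[0] if txt else None


def order_srv(records: List[SRV], rng: random.Random) -> List[SRV]:
    """RFC 2782 client ordering: lowest priority first; within one priority a
    weighted random draw, so load spreads over equal-priority servers."""
    ordered: List[SRV] = []
    for prio in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == prio]
        while group:
            pick = rng.randint(0, sum(r.weight for r in group))
            running = 0
            for r in group:
                running += r.weight
                if running >= pick:
                    ordered.append(r)
                    group.remove(r)
                    break
    return ordered


def kdcs_for_realm(realm: str, zone: Zone, proto: str = "tcp",
                   seed: Optional[int] = None) -> List[str]:
    """_kerberos._<proto>.<realm lowercased> SRV -> 'host:port' in the order a
    client should try them (the dns_lookup_kdc path)."""
    records = zone.get((f"_kerberos._{proto}.{realm.lower()}.", "SRV"), [])
    return [f"{r.target.rstrip('.')}:{r.port}"
            for r in order_srv(records, random.Random(seed))]


if __name__ == "__main__":
    z = parse_zone(SAMPLE_ZONE, ORIGIN)
    realm = realm_for_domain("unix.mycompany.com", z)
    print("realm:", realm)
    print("kdcs :", kdcs_for_realm(realm, z, seed=42))
```

Two things the output makes concrete: the realm is looked up under the DNS domain (`_kerberos.unix.mycompany.com`) while the KDCs are looked up under the lower-cased realm (`_kerberos._tcp.unix.mycompany.com`), which is why the realm and the delegated zone are usually kept identical; and a host left in plain mycompany.com gets no realm from this zone at all, which is the gap the [domain_realm] mapping or a separate subdomain closes.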
Re: [Freeipa-users] New FreeIPA Install; Testing for Proof of Concept
On Wed, Aug 8, 2012 at 12:31 PM, Simo Sorce s...@redhat.com wrote:
> Unlike AD we do not force all clients to be positioned in the same DNS zone, however if you have clients not belonging to the same DNS domain you may have to change the krb5.conf file on all members of the realm to add additional [domain_realm] mappings so that you can tell that clients in zone foo.net are also to be looked for in the UNIX.MYDOMAIN.COM realm and its KDC.

I just, as a test, with no DNS set up for this, ran things with DNS being mycompany.com, and the IPA domain being set up as ovm.mycompany.com and realm of OVM.MYCOMPANY.COM, and everything appears to be working great. The only piece is the ipa-client-install needs to specify the (non-DNS) domain, realm, and server, but that's no problem for me at all...

Any thoughts about problems I might see?

Rob
Re: [Freeipa-users] New FreeIPA Install; Testing for Proof of Concept
On Tue, 2012-08-07 at 13:00 -0700, Rob Ogilvie wrote:
> Good Afternoon,
>
> I'm testing FreeIPA for a proof-of-concept replacement of NIS on OEL 6.3 (RHEL 6.3). I followed the guide to set up the FreeIPA server, and it seems to be working great on the IPA server itself. I can ssh in as admin, type my password, and I'm in.
>
> I then have been struggling with getting it going on client systems. As I'm not setting any of this up with DNS (I want this to be as un-obtrusive as possible), I executed the following command:
>
> ipa-client-install --no-dns-sshfp --no-ntp --server=ovm-auth.domain --domain=domain
>
> It asked me for admin's username and password and threw a warning about getent passwd admin not returning anything. Sure enough, it doesn't return anything on the client (although it does on the server). From the client, I'm able to kinit admin, type my password, and then passwordlessly ssh over to the auth server.
>
> I do see these entries in my log file on the client:
>
> Aug 7 12:52:56 ovm-c19-db [sssd[ldap_child[2010]]]: Failed to initialize credentials using keytab [(null)]: Client 'host/ovm-c19-dbdomain@REALM' not found in Kerberos database. Unable to create GSSAPI-encrypted LDAP connection.
> Aug 7 12:52:56 ovm-c19-db [sssd[ldap_child[2010]]]: Client not found in Kerberos database
>
> I'm pretty new at Kerberos, so am unsure exactly what this might mean.

Kerberos depends on proper name resolution. If a hostname cannot be resolved you cannot acquire tickets for it. So if your host ovm-c19-db does not have a DNS entry (either using IPA's DNS server or an external DNS server) you can't get tickets.

Also name resolution generally must match the hostname as that is what is used to register a client into IPA.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] New FreeIPA Install; Testing for Proof of Concept
On Tue, Aug 7, 2012 at 1:24 PM, Simo Sorce s...@redhat.com wrote:
> Kerberos depends on proper name resolution. If a hostname cannot be resolved you cannot acquire tickets for it. So if your host ovm-c19-db does not have a DNS entry (either using IPA's DNS server or an external DNS server) you can't get tickets.
>
> Also name resolution generally must match the hostname as that is what is used to register a client into IPA.

That seems fair. DNS is well set up, though. ovm-c19-db.fqdn exists in DNS and ovm-auth is able to resolve it by short hostname and FQDN. On the client, hostname returns the FQDN, as well.

Is there anything in my log entries that makes it look like it's a DNS problem? Again, I must stress, I'm new with Kerberos.

Thanks for your help!

Rob
Re: [Freeipa-users] New FreeIPA Install; Testing for Proof of Concept
On Tue, 2012-08-07 at 13:35 -0700, Rob Ogilvie wrote:
> On Tue, Aug 7, 2012 at 1:24 PM, Simo Sorce s...@redhat.com wrote:
>> Kerberos depends on proper name resolution. If a hostname cannot be resolved you cannot acquire tickets for it. So if your host ovm-c19-db does not have a DNS entry (either using IPA's DNS server or an external DNS server) you can't get tickets.
>>
>> Also name resolution generally must match the hostname as that is what is used to register a client into IPA.
>
> That seems fair. DNS is well set up, though. ovm-c19-db.fqdn exists in DNS and ovm-auth is able to resolve it by short hostname and FQDN. On the client, hostname returns the FQDN, as well.
>
> Is there anything in my log entries that makes it look like it's a DNS problem? Again, I must stress, I'm new with Kerberos.

Does klist -kt /etc/krb5.keytab return entries with the right hostname?
If that works, does ipa host-find list it?

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] New FreeIPA Install; Testing for Proof of Concept
On Tue, Aug 7, 2012 at 1:59 PM, Simo Sorce s...@redhat.com wrote:
> Does klist -kt /etc/krb5.keytab return entries with the right hostname?

It lists four entries, each with the correct FQDN:

[root@ovm-c19-db ~]# klist -kt /etc/krb5.keytab
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 08/07/12 12:51:03 host/ovm-c19-db.domainname@DOMAINNAME
   1 08/07/12 12:51:03 host/ovm-c19-db.domainname@DOMAINNAME
   1 08/07/12 12:51:03 host/ovm-c19-db.domainname@DOMAINNAME
   1 08/07/12 12:51:03 host/ovm-c19-db.domainname@DOMAINNAME

> If that works, does ipa host-find list it?

It does, but not with a certificate listed (ovm-auth, the server, does have a certificate listed).

Thanks!

Rob
Re: [Freeipa-users] New FreeIPA Install; Testing for Proof of Concept
I just found these additional log file entries on my IPA server. The vm-mapsdc2 is one of the domain controllers/DNS servers not associated with IPA other than being one of our authoritative DNS servers. Is something misconfigured in IPA on the server side?

Aug 07 14:01:02 ovm-auth.domain krb5kdc[1180](info): AS_REQ (4 etypes {18 17 16 23}) 172.30.40.60: NEEDED_PREAUTH: host/ovm-c19-db.domain@DOMAIN for krbtgt/DOMAIN@DOMAIN, Additional pre-authentication required
Aug 07 14:01:02 ovm-auth.domain krb5kdc[1178](info): AS_REQ (4 etypes {18 17 16 23}) 172.30.40.60: ISSUE: authtime 1344373262, etypes {rep=18 tkt=18 ses=18}, host/ovm-c19-db.domain@DOMAIN for krbtgt/DOMAIN@DOMAIN
Aug 07 14:01:02 ovm-auth.domain krb5kdc[1180](info): TGS_REQ (4 etypes {18 17 16 23}) 172.30.40.60: ISSUE: authtime 1344373262, etypes {rep=18 tkt=18 ses=18}, host/ovm-c19-db.domain@DOMAIN for krbtgt/DOMAIN@DOMAIN
Aug 07 14:01:02 ovm-auth.domain krb5kdc[1178](info): TGS_REQ (4 etypes {18 17 16 23}) 172.30.40.60: UNKNOWN_SERVER: authtime 0, host/ovm-c19-db.domain@DOMAIN for ldap/vm-13thdc2.domain@DOMAIN, Server not found in Kerberos database
Aug 07 14:01:02 ovm-auth.domain krb5kdc[1178](info): AS_REQ (4 etypes {18 17 16 23}) 172.30.40.60: NEEDED_PREAUTH: host/ovm-c19-db.domain@DOMAIN for krbtgt/DOMAIN@DOMAIN, Additional pre-authentication required
Aug 07 14:01:02 ovm-auth.domain krb5kdc[1180](info): AS_REQ (4 etypes {18 17 16 23}) 172.30.40.60: ISSUE: authtime 1344373262, etypes {rep=18 tkt=18 ses=18}, host/ovm-c19-db.domain@DOMAIN for krbtgt/DOMAIN@DOMAIN
Aug 07 14:01:02 ovm-auth.domain krb5kdc[1178](info): TGS_REQ (4 etypes {18 17 16 23}) 172.30.40.60: ISSUE: authtime 1344373262, etypes {rep=18 tkt=18 ses=18}, host/ovm-c19-db.domain@DOMAIN for krbtgt/DOMAIN@DOMAIN
Aug 07 14:01:02 ovm-auth.domain krb5kdc[1180](info): TGS_REQ (4 etypes {18 17 16 23}) 172.30.40.60: UNKNOWN_SERVER: authtime 0, host/ovm-c19-db.domain@DOMAIN for ldap/vm-mapsdc2.domain@DOMAIN, Server not found in Kerberos database
Re: [Freeipa-users] New FreeIPA Install; Testing for Proof of Concept
On Tue, Aug 7, 2012 at 4:48 PM, Rob Ogilvie r...@axpr.net wrote:
> I just found these additional log file entries on my IPA server. The vm-mapsdc2 is one of the domain controllers/DNS servers not associated with IPA other than being one of our authoritative DNS servers. Is something misconfigured in IPA on the server side?

It's hard to tell with the obfuscation, but is your DOMAIN the same as the one handled by the domain controller vm-mapsdc2? You can only have one Kerberos realm named DOMAIN. For example, if you have the windows domain/Kerb realm MYCOMPANY.COM, you will not be able to have it coexist with an IPA server controlling the realm MYCOMPANY.COM. If it's an oldschool NT type domain you should be OK, but if it's Active Directory (which uses Kerberos) you can't do it.

--
The government is going to read our mail anyway, might as well make it tough for them.
GPG Public key ID: B6A1A7C6
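The KDC log Rob posted shows the collision KodaK is asking about from the server side: the IPA KDC happily issues the client's TGT, then gets TGS requests for ldap/vm-13thdc2.domain and ldap/vm-mapsdc2.domain, service principals it has never heard of because those hosts belong to the AD domain that shares the realm name. The script below is an added example, not part of the thread and not FreeIPA code: it parses krb5kdc lines in the format shown, counts outcomes, and lists UNKNOWN_SERVER requests whose service host is not an IPA-enrolled host. The log lines are the ones quoted above; the enrolled-host set is constructed (in practice it would come from `ipa host-find`).

```python
"""Triage of krb5kdc log lines: parse each request, count outcomes, and list
UNKNOWN_SERVER requests whose service host the IPA realm does not know.  Seen
from the KDC, that is what a realm-name collision looks like: the client's
libkrb5 mapped a host from the other domain into this realm and asked this KDC
for a ticket it can never issue.

Added example for this thread, not FreeIPA code.  The log lines are the ones
quoted in the thread; ENROLLED_HOSTS is a constructed stand-in for the output
of `ipa host-find`."""

import re
from collections import Counter
from typing import Dict, Iterable, List, Optional

SAMPLE_KDC_LOG = """\
Aug 07 14:01:02 ovm-auth.domain krb5kdc[1180](info): AS_REQ (4 etypes {18 17 16 23}) 172.30.40.60: NEEDED_PREAUTH: host/ovm-c19-db.domain@DOMAIN for krbtgt/DOMAIN@DOMAIN, Additional pre-authentication required
Aug 07 14:01:02 ovm-auth.domain krb5kdc[1178](info): AS_REQ (4 etypes {18 17 16 23}) 172.30.40.60: ISSUE: authtime 1344373262, etypes {rep=18 tkt=18 ses=18}, host/ovm-c19-db.domain@DOMAIN for krbtgt/DOMAIN@DOMAIN
Aug 07 14:01:02 ovm-auth.domain krb5kdc[1180](info): TGS_REQ (4 etypes {18 17 16 23}) 172.30.40.60: ISSUE: authtime 1344373262, etypes {rep=18 tkt=18 ses=18}, host/ovm-c19-db.domain@DOMAIN for krbtgt/DOMAIN@DOMAIN
Aug 07 14:01:02 ovm-auth.domain krb5kdc[1178](info): TGS_REQ (4 etypes {18 17 16 23}) 172.30.40.60: UNKNOWN_SERVER: authtime 0, host/ovm-c19-db.domain@DOMAIN for ldap/vm-13thdc2.domain@DOMAIN, Server not found in Kerberos database
Aug 07 14:01:02 ovm-auth.domain krb5kdc[1178](info): AS_REQ (4 etypes {18 17 16 23}) 172.30.40.60: NEEDED_PREAUTH: host/ovm-c19-db.domain@DOMAIN for krbtgt/DOMAIN@DOMAIN, Additional pre-authentication required
Aug 07 14:01:02 ovm-auth.domain krb5kdc[1180](info): AS_REQ (4 etypes {18 17 16 23}) 172.30.40.60: ISSUE: authtime 1344373262, etypes {rep=18 tkt=18 ses=18}, host/ovm-c19-db.domain@DOMAIN for krbtgt/DOMAIN@DOMAIN
Aug 07 14:01:02 ovm-auth.domain krb5kdc[1178](info): TGS_REQ (4 etypes {18 17 16 23}) 172.30.40.60: ISSUE: authtime 1344373262, etypes {rep=18 tkt=18 ses=18}, host/ovm-c19-db.domain@DOMAIN for krbtgt/DOMAIN@DOMAIN
Aug 07 14:01:02 ovm-auth.domain krb5kdc[1180](info): TGS_REQ (4 etypes {18 17 16 23}) 172.30.40.60: UNKNOWN_SERVER: authtime 0, host/ovm-c19-db.domain@DOMAIN for ldap/vm-mapsdc2.domain@DOMAIN, Server not found in Kerberos database
"""

# Constructed: the hosts this IPA realm actually knows (server + the one client).
ENROLLED_HOSTS = {"ovm-auth.domain", "ovm-c19-db.domain"}

# krb5kdc line shape as seen above: timestamp, host, pid, level, request type,
# etype list, client IP, status, optional authtime/etypes, client, server, message.
KDC_LINE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<kdc>\S+) "
    r"krb5kdc\[(?P<pid>\d+)\]\((?P<level>\w+)\): "
    r"(?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{[^}]*\}\) (?P<ip>[0-9.]+): (?P<status>\w+): "
    r"(?:authtime (?P<authtime>\d+), )?(?:etypes \{[^}]*\}, )?"
    r"(?P<client>\S+@\S+) for (?P<server>\S+?@[^,\s]+)(?:, (?P<msg>.*))?$"
)


def parse_kdc_line(line: str) -> Optional[Dict[str, str]]:
    """One log line -> dict of named fields, or None if it is not a KDC request line."""
    m = KDC_LINE.match(line.strip())
    return m.groupdict() if m else None


def parse_kdc_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    return [rec for rec in (parse_kdc_line(line) for line in lines) if rec]


def outcome_counts(records: List[Dict[str, str]]) -> Dict[str, int]:
    """How many requests ended in each status (ISSUE, NEEDED_PREAUTH, ...)."""
    return dict(Counter(r["status"] for r in records))


def principal_host(principal: str) -> str:
    """'ldap/vm-mapsdc2.domain@DOMAIN' -> 'vm-mapsdc2.domain'."""
    name = principal.split("@", 1)[0]
    return name.split("/", 1)[1] if "/" in name else name


def foreign_service_hosts(records: List[Dict[str, str]],
                          enrolled_hosts: Iterable[str]) -> List[str]:
    """Hosts behind UNKNOWN_SERVER service requests that are not enrolled in
    this realm: clients are resolving them into our realm name, which points
    at a realm/domain overlap rather than at a missing host entry."""
    enrolled = {h.lower() for h in enrolled_hosts}
    hosts = set()
    for r in records:
        if r["status"] != "UNKNOWN_SERVER" or r["server"].startswith("krbtgt/"):
            continue
        host = principal_host(r["server"])
        if host.lower() not in enrolled:
            hosts.add(host)
    return sorted(hosts)


if __name__ == "__main__":
    recs = parse_kdc_log(SAMPLE_KDC_LOG.splitlines())
    print("outcomes:", outcome_counts(recs))
    for host in foreign_service_hosts(recs, ENROLLED_HOSTS):
        clients = sorted({r["client"] for r in recs
                          if r["status"] == "UNKNOWN_SERVER"
                          and principal_host(r["server"]) == host})
        print(f"not in realm: {host}  requested by {clients}")
```

Reading the counts alongside the flagged hosts is what separates the two failure modes Simo raised earlier: a client with a bad keytab or unresolvable name fails at AS_REQ, whereas here the AS exchange succeeds and only the service tickets for hosts belonging to the other domain fail.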