Re: [Freeipa-devel] [PATCH] 0042-0048 AD trusts support (master)

2012-06-05 Thread Richard Megginson
- Original Message -
 On Mon, Jun 04, 2012 at 03:32:36PM +0300, Alexander Bokovoy wrote:
  On Mon, 04 Jun 2012, Martin Kosek wrote:
  I did another round of testing and this is what I found so far:
  
  1) freeipa.spec.in was missing python-crypto BuildRequires (you fixed that)
  
  2) Unit tests need to be updated, currently there are about a dozen test case errors, e.g. extra ipakrbprincipalalias attribute in services or new ipakrbprincipal objectclass for hosts
  Ok, will fix.
  
  3) Replication did not work too well for me this time. ipa-replica-install reported just one issue during the installation process:
  
  2012-06-04T09:42:51Z DEBUG   [24/30]: enabling S4U2Proxy delegation
  2012-06-04T09:42:51Z DEBUG args=/usr/bin/ldapmodify -h vm-057.idm.lab.bos.redhat.com -v -f /tmp/tmpifHccf -x -D cn=Directory Manager -y /tmp/tmppqaAdV
  2012-06-04T09:42:51Z DEBUG stdout=
  2012-06-04T09:42:51Z DEBUG stderr=ldap_initialize( ldap://vm-057.idm.lab.bos.redhat.com )
  ldapmodify: wrong attributeType at line 5, entry cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
  
  2012-06-04T09:42:51Z CRITICAL Failed to load replica-s4u2proxy.ldif: Command '/usr/bin/ldapmodify -h vm-057.idm.lab.bos.redhat.com -v -f /tmp/tmpifHccf -x -D cn=Directory Manager -y /tmp/tmppqaAdV' returned non-zero exit status 247
  Found and fixed. The issue was in not following RFC2849 when specifying multiple changetype operations; you need to split their definitions by a single line with '-' on it.
  
  I squashed the fix back to the original patch.
  
  But this may be just a symptom of some bigger issue. After the installation finished, DS did not start; it kept reporting Kerberos issues:

Does ps -ef|grep slapd show the ns-slapd process running?

  
  [04/Jun/2012:05:46:00 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/vm-057.idm.lab.bos.redhat@idm.lab.bos.redhat.com] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))
  [04/Jun/2012:05:46:00 -0400] - slapd started.  Listening on All Interfaces port 389 for LDAP requests
  [04/Jun/2012:05:46:00 -0400] - Listening on All Interfaces port 636 for LDAPS requests
  [04/Jun/2012:05:46:00 -0400] - Listening on /var/run/slapd-IDM-LAB-BOS-REDHAT-COM.socket for LDAPI requests

These last three lines mean the server is up and running.

  [04/Jun/2012:05:46:00 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache file '/tmp/krb5cc_498' not found)) errno 0 (Success)
  [04/Jun/2012:05:46:00 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
  [04/Jun/2012:05:46:00 -0400] NSMMReplicationPlugin - agmt=cn=meTovm-125.idm.lab.bos.redhat.com (vm-125:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache file '/tmp/krb5cc_498' not found))

These error messages should only appear at startup, and should go away once all 
of the ipa components (especially kdc) are up and running.

  
  When I run ipactl restart, dirsrv started and I was able to kinit. Maybe it is a timing issue?
  
  
  4) Patch Add separate attribute to store trusted domain SID still has a wrong service part of the principal to be removed (s/ldap/cifs):
  
  +dn3 = DN(u'cn=ipa-cifs-delegation-targets',
  api.env.container_s4u2proxy, self.suffix)
  +member_principal3 = ldap/%(fqdn)s@%(realm)s %
  dict(fqdn=replica, realm=realm)
  +
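Review bot: on the second added line, member_principal3 is built as ldap/%(fqdn)s@%(realm)s although dn3 is cn=ipa-cifs-delegation-targets, so the removal path targets a memberPrincipal value that was never added to that entry and the cifs delegation target survives replica uninstallation; use cifs/%(fqdn)s@%(realm)s here so install and uninstall act on the same membership.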
  
  This leaves the CIFS entry in the S4U2Proxy configuration even after replica uninstallation.
  Fixed and squashed back to the original patch.
  
  Btw. these are the packages I use:
  389-ds-base-1.2.10.4-2.fc17.x86_64
  krb5-server-1.10-5.fc17.x86_64
  samba4-4.0.0-123alpha21.fc17.x86_64
  Same here. For me anything newer than 1.2.10.4-2 will blow 389-ds.
 
 
 I tested your latest tree against w2k8r2 and was able to create and validate the trust. So ACK to the functional part.
 
 bye,
 Sumit
 
  
  --
  / Alexander Bokovoy
  
  ___
  Freeipa-devel mailing list
  Freeipa-devel@redhat.com
  https://www.redhat.com/mailman/listinfo/freeipa-devel
 


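The RFC 2849 rule Alexander points to above, as an added example that is not part of the thread, of the FreeIPA patch, or of 389-ds: a strict parser for "changetype: modify" records that reports the first add/delete/replace line not preceded by a line holding a single "-", and a repair pass that inserts the missing separators. The record, the dc=example,dc=test suffix and the HTTP/ principals are constructed for the example; the real contents of replica-s4u2proxy.ldif are not shown in the thread.

```python
"""Check and repair RFC 2849 'changetype: modify' records.

Added example, not code from the FreeIPA patch or from 389-ds.  The BROKEN
record is constructed: it reuses the cn=ipa-http-delegation,cn=s4u2proxy
container name from the thread, but the suffix and principals are made up.
Only the plain 'attr: value' form is handled, not base64 'attr::' values.
"""
import re

_MOD_RE = re.compile(r"^(add|delete|replace):\s*(\S+)\s*$")
_ATTR_RE = re.compile(r"^([A-Za-z][\w.;-]*):\s?(.*)$")

# Constructed: the second 'add:' line follows the first modification directly
# with no '-' line in between, so a strict parser is still inside the first
# modification when it reaches line 5 and rejects that line.
BROKEN = """\
dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=example,dc=test
changetype: modify
add: memberPrincipal
memberPrincipal: HTTP/replica1.example.test@EXAMPLE.TEST
add: memberPrincipal
memberPrincipal: HTTP/replica2.example.test@EXAMPLE.TEST
"""


def parse_modify_record(text):
    """Parse one modify record into (dn, [(op, attribute, [values]), ...]).

    Raises ValueError naming the offending 1-based line.  The check that
    matters here: an add/delete/replace line may only start a new
    modification after the previous one was closed by a line holding '-'.
    """
    dn, mods, current = None, [], None
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.startswith("#"):
            continue
        if dn is None:
            if not line.startswith("dn:"):
                raise ValueError(f"line {lineno}: record must start with 'dn:'")
            dn = line[3:].strip()
        elif line.startswith("changetype:"):
            if line.split(":", 1)[1].strip() != "modify":
                raise ValueError(f"line {lineno}: not a modify record")
        elif line == "-":
            if current is None:
                raise ValueError(f"line {lineno}: '-' outside a modification")
            mods.append(current)
            current = None
        elif _MOD_RE.match(line):
            op, attr = _MOD_RE.match(line).groups()
            if current is not None:
                raise ValueError(
                    f"line {lineno}: '{op}:' starts a new modification but the "
                    f"previous '{current[0]}: {current[1]}' was not closed by '-'")
            current = (op, attr, [])
        else:
            m = _ATTR_RE.match(line)
            if m is None or current is None or m.group(1).lower() != current[1].lower():
                raise ValueError(f"line {lineno}: unexpected line {line!r}")
            current[2].append(m.group(2))
    if current is not None:  # ldapmodify tolerates a missing final '-'
        mods.append(current)
    if dn is None or not mods:
        raise ValueError("no modifications found")
    return dn, mods


def validate_modify_record(text):
    """Return None for a well-formed record, else the parser's complaint."""
    try:
        parse_modify_record(text)
    except ValueError as exc:
        return str(exc)
    return None


def repair_modify_record(text):
    """Insert the '-' lines RFC 2849 requires between and after modifications."""
    fixed, in_mod = [], False
    for line in text.splitlines():
        if not line.strip():
            continue
        if _MOD_RE.match(line) and in_mod:
            fixed.append("-")
        if _MOD_RE.match(line):
            in_mod = True
        elif line == "-":
            in_mod = False
        fixed.append(line)
    if in_mod:
        fixed.append("-")
    return "\n".join(fixed) + "\n"


def format_modify_record(dn, mods):
    """Render (dn, mods) as a record with every modification closed by '-'."""
    out = [f"dn: {dn}", "changetype: modify"]
    for op, attr, values in mods:
        out.append(f"{op}: {attr}")
        out.extend(f"{attr}: {v}" for v in values)
        out.append("-")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("broken:", validate_modify_record(BROKEN))
    print(repair_modify_record(BROKEN))
```

In the constructed record line 5 is the second "add:" line (dn, changetype, add, one value, add), which is the same line number ldapmodify reported for the real file; a complaint on the first line of the second operation is consistent with a missing separator rather than a schema problem, since the server never gets as far as checking the attribute against schema.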

Re: [Freeipa-devel] Unifying the PKI and IPA Directory Server instances

2011-11-01 Thread Richard Megginson
- Original Message -
 
 
 
 We had a brief discussion on unifying the PKI and IPA Directory
 Server instances. Here are my notes from it. Please fill out the
 details and correct me if I've mis-stated anything below.
 
 
 Issues:
 
 
 

Do IPA and PKI use different suffixes?

 
 1. Both make changes to Config. One identified conflict is the configuration of the Uniqueness plugin

It may be easy to enhance this plugin and other plugins to allow different 
configuration per subtree.

 2. PKI uses Directory Manager. This is insecure. Can it use a different, limited admin?

Or use ldapi?  I don't think ldapjdk can use ldapi.

 3. Index strategies are different

Use a union?  e.g. if ipa needs attribute a indexed for equality only, but 
PKI needs it indexed for presence and substring only, then we can just index it 
for eq, sub, and pres.

 4. Make sure we have a union of the required sets of plugins
 5. PKI needs to set D.S. Default Name context

What is this?

 6. If PKI uses the IPA datastore for users, it needs to create the user with all the right prerequisites (object class, defaults)

If both PKI and IPA use structural objectclasses, we may have to create 
corresponding auxiliary objectclasses so that you can mix-in both sets of 
objectclasses while having only one structural objectclass per entry.

 7. PKI puts users in groups using “member of” so that should still work for the IPA tree
 
 
 

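The "use a union" answer to item 3 above, as an added example that is neither FreeIPA nor Dogtag PKI code: merge each product's per-attribute index requirements and render the result as nsIndex entries under cn=index of a 389-ds ldbm backend. The IPA_INDEXES and PKI_INDEXES tables are constructed to mirror the "eq only" versus "pres and sub only" case from the reply, not copied from either product's real index set, and the backend name userRoot is an assumption.

```python
"""Merge per-product 389-ds index requirements into one index configuration.

Added example for the 'use a union' suggestion in the thread; not code from
FreeIPA or Dogtag PKI.  The requirement tables are constructed and the
userRoot backend name is assumed.
"""

VALID_INDEX_TYPES = ("eq", "pres", "sub", "approx")

# Constructed requirements: attribute -> index types each product needs.
IPA_INDEXES = {
    "a": {"eq"},
    "memberOf": {"eq"},
    "uid": {"eq", "pres"},
}
PKI_INDEXES = {
    "a": {"pres", "sub"},
    "serialno": {"eq"},
    "uid": {"eq", "sub"},
}


def merge_index_requirements(*requirement_sets):
    """Return attribute -> sorted list of index types covering every product.

    Attribute names are merged case-insensitively, keeping the first spelling
    seen.  A type only one product asks for is kept: an extra index costs disk
    and write time but never breaks the other product's searches.  Unknown
    type names are rejected instead of being written into cn=config.
    """
    merged = {}
    for requirements in requirement_sets:
        for attr, types in requirements.items():
            bad = set(types) - set(VALID_INDEX_TYPES)
            if bad:
                raise ValueError(f"{attr}: unsupported nsIndexType {sorted(bad)}")
            merged.setdefault(attr.lower(), (attr, set()))[1].update(types)
    return {name: sorted(types, key=VALID_INDEX_TYPES.index)
            for name, types in merged.values()}


def index_entry_ldif(attr, types, backend="userRoot"):
    """Render one nsIndex entry for the given ldbm backend (assumed userRoot)."""
    lines = [
        f"dn: cn={attr},cn=index,cn={backend},cn=ldbm database,cn=plugins,cn=config",
        "objectClass: top",
        "objectClass: nsIndex",
        f"cn: {attr}",
        "nsSystemIndex: false",
    ]
    lines.extend(f"nsIndexType: {t}" for t in types)
    return "\n".join(lines) + "\n"


def merged_index_ldif(*requirement_sets, backend="userRoot"):
    """LDIF for every attribute any product wants indexed, one entry each."""
    merged = merge_index_requirements(*requirement_sets)
    return "\n".join(index_entry_ldif(attr, merged[attr], backend)
                     for attr in sorted(merged, key=str.lower))


if __name__ == "__main__":
    print(merged_index_ldif(IPA_INDEXES, PKI_INDEXES))
```

The attribute "a" comes out indexed for eq, pres and sub, exactly the union the reply describes; attributes only one side needs (memberOf, serialno) are carried through unchanged, so a single instance can serve both products' search patterns.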