Hi list (Simo ;)
Sorry for the bit off-topic question, but do we know whether Samba4 can now
share the same KDC with IPA server so that it can act as AD DC?
I heard MIT KDC functionality would have to be extended, but not sure whether
this is on the roadmap or not.
Many thanks,
Ondrej
Hi List,
Quick question, is something like SAML 2.0 support planned for IPA to help
establishing SSO for a web based applications? I mean something similar to ADFS.
Thanks,
Ondrej
Did you try to run ypinit -c ?
Not sure now - it might be necessary to initialize the NIS subsystem.
O.
Sent from Samsung Mobile
Original message
From: Joseph, Matthew (EXP)
Date: 07. 01. 2014 15:52 (GMT+01:00)
To: Petr Spacek, Rob Crittenden
Hi list,
Is there any howto describing Firefox (or IE, if possible) authenticating
against Apache web server using GSSAPI/Kerberos?
Both client and server in the same IPA domain.
Ideally I would like to know FF and Apache setup + compatibility info (i.e.
does IE + IIS use the same thing or not)
: [Freeipa-users] IE or Firefox Apache Kerberos authentication
Hi,
On Mon, Sep 16, 2013 at 04:04:49PM +, Ondrej Valousek wrote:
Is there any howto describing Firefox (or IE, if possible) authenticating
against Apache web server using GSSAPI/Kerberos?
Both client and server in the same IPA domain
Original message
From: Simo Sorce s...@redhat.com
Date:
To: Ondrej Valousek ovalou...@vendavo.com
Cc: ch...@fluxcoil.net,freeipa-users@redhat.com
Subject: Re: [Freeipa-users] IE or Firefox Apache Kerberos authentication
On Mon, 2013-09-16 at 17:04 +, Ondrej
Because with NFS (v3 or v4) it is a bit more complicated.
With smbclient, you are actually not mounting the filesystem, so smbclient
is happy with just your TGT.
With NFS, you typically need two tickets:
1. one for host (or nfs) so that root can mount the filesystem using Kerberos
security
Just back to the Kerberized NFS. Any solution to RH bugzilla #786463 on the
horizon yet?
Expiring tickets will render the whole concept unusable otherwise.
Anyone?
O.
Original message
From: Ondrej Valousek ovalou...@vendavo.com
Date:
To
Or better, let sssd serve maps for the automounter; you save yourself the hassle
of configuring the automount ldap backend :-)
Ondrej
On 12/22/2012 11:16 AM, Sigbjorn Lie wrote:
On 12/22/2012 10:24 AM, Johan Petersson wrote:
I can't get automount to work for some reason on a CentOS 6.3 testserver
Three notes:
1.
/export *(rw,sec=krb5,no_subtree_check,no_root_squash)
is better than
/export gss/krb5(rw,no_subtree_check,no_root_squash)
2. Kerberos library is still too picky about reverse DNS records - i.e. if the reverse DNS does not match the principal name in keytab, you
are most
Well, you do not need ACLs for that, just 'chmod g+s directory' will do.
But in general, I agree, this is an insane requirement as nobody would ever think of it in Windows. Not happy with traditional Unix
permissions? Go for ACLs.
The only pity is that the current Posix-draft hack widely used on
Sorry sir, but technically it is the sgid bit that is a gross hack.
The Posix draft for ACLs never got final approval, but it is pretty
standardized across most OSs, and works fine for any Linux OS that isn't
on ancient kernels. It is also enabled by default on all file systems
that matter
what about this one?
http://code.google.com/p/macnfsv4/wiki/HOWTO
looks like rpc.idmapd on linux == nfsuserd on Mac
O.
On 09/19/2012 10:18 AM, Sigbjorn Lie wrote:
As usual, if someone is interested in sending me a Mac I'll be happy to do the
testing and submit the results.
*grin* :)
You can get an authentication failure if the user's home is on an NFS share which is
failing to re-mount.
The stale NFS handle usually means the NFS server changed fsid of the exported
volume after its reboot.
This usually happens if you are exporting a LVM partition via NFS.
The workaround is to specify
Sorry, the parameter mentioned below has already been implemented :-)
On 09/13/2012 04:12 PM, Ondrej Valousek wrote:
I guess the easiest implementation would be using pre-defined variable in
automount map names.
The variable would be then defined by an automount process using the -D
parameter
That is actually the main benefit of the 'ldap.ADdomain' parameter. It will allow you to simplify configuration and allows easy load
balancing/failover functionality.
We are paying for NetApp support, too so if anyone is going to bug NetApp about
this, I am happy to join you.
Ondrej
On
try running 'kinit -R'?
On 08/24/2012 11:56 AM, David Sastre wrote:
Hello,
I'm having an issue with the web ui, it is returning a Kerberos ticket
is no longer valid message even though I have a valid ticket:
$ ssh sysadm@panoramix 'klist'
Ticket cache: FILE:/tmp/krb5cc_500
Default principal:
+1. Use DNS. I agree with Simo.
On 08/21/2012 10:04 AM, Simo Sorce wrote:
You are not alone but we strongly suggest using a separate DNS domain for the
FreeIPA server, and if possible for its clients. Either a same level domain or,
at least, a delegated zone.
For example:
corp.domain.com - AD
does
kinit -k host/sysvm-ipa.example@example.com
work for you?
On 07/10/2012 10:53 AM, free...@noboost.org wrote:
Hi All,
Server:
RHEL 6.3
ipa-admintools-2.2.0-16.el6.x86_64
ipa-client-2.2.0-16.el6.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
ipa-pki-common-theme-9.0.3-7.el6.noarch
*From:* Ondrej Valousek ondr...@s3group.cz
*To:* freeipa-users@redhat.com
*Sent:* Tuesday, July 10, 2012 9:12 AM
*Subject:* Re: [Freeipa-users] ipa samba win7
Do you have an AD for the win7 machine or is it just standalone
On 07/01/2012 11:03 PM, Natxo Asenjo wrote:
On Sun, Jul 1, 2012 at 10:39 PM, ondr...@s3group.com
mailto:ondr...@s3group.com wrote:
In fact, Netapp is (sadly to say) the only NFSv4 server in the whole world
that can provide you with a true NFSv4 ACLs (remember to turn them on
+1
On 05/22/2012 11:47 PM, greg.lehm...@csiro.au wrote:
Hi All,
Thanks for the new list. I hope the user list will still get to see
some of the design decisions. It would be nice to have input as a user to what
is going to be added feature wise to sssd.
Cheers,
Greg
Right, currently this affects direct maps only. With SSSD integration,
there's one extra glitch that if automounter starts before SSSD does,
the automounter only gets Connection refused from the sss module and
does not retry reading the maps.
That's nasty and should be probably fixed. I can
Your LDAP_URI is incorrect. Please make sure you follow the documentation
exactly.
Perhaps you actually wanted to say:
LDAP_URI=ldap:///dc=ipa,dc=domain,dc=nx;
Alternatively, if you do not specify the LDAP_URI parameter at all, autofs will
try SRV lookup against your default dnsdomain.
Also,
There are kerberized programs that expect to use gethostname() and use
that name to compose principals. If that name is not fully qualified
they will break.
Simo.
Normally, you should have both:
[root@ara tmp]# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
No, unless you can alias them in the KDC.
Our KDC can technically support aliases now, but we haven't added this
kind of alias to it yet. And it is a bit controversial whether we
want to.
In a Windows domain you simply cannot have a client residing in a DNS
domain that is not the same as
Hey sounds good to me, just glad it is working for you :). The only
other question/suggestion I have is that it looks like you aren't
leveraging kerberos in your configuration for SSO. You might want to
think about doing this as it can be a pretty nice configuration.
Essentially you would just
I fail to see why non-root processes should be trying to
read /etc/krb5.keytab at all. You should be generating a per-service
keytab with only the keys necessary for that service to authenticate
itself to the KDC. So you might have /etc/dovecot/dovecot.keytab which
is readable only by the
Dovecot is not running as root - can't read your krb5.keytab...?
On 01/30/2012 01:16 PM, Dale Macartney wrote:
Hi all
I'm working on a test lab setup at the moment with RHEL 6.2 running IPA
2.1 and experimenting with simple mail server setups.
I wonder if the following simplified setup I am using with AD:
ldap.ADdomain mydomain.com
ldap.enable on
ldap.nssmap.attribute.uniqueMember Member
ldap.nssmap.objectClass.groupOfUniqueNames Group
ldap.nssmap.objectClass.posixAccount User
On 12/02/2011 04:06 PM, Stephen Gallagher wrote:
1) SSSD caching instead of nscd
Winbind has its own cache. We do not want to implement yet another one
causing confusion, do we?
2) Support for multiple AD domains without trust
If needed, winbind itself should provide this
I have come across this already, BZ already created:
https://fedorahosted.org/sssd/ticket/1032
On 10/19/2011 10:25 PM, Sigbjorn Lie wrote:
The London/newyork dns sub-domains would be used for looking up srv records for
the local
kerberos/ldap servers only. The actual domain configured on the
Exactly! That was the biggest advantage of Centrify/Likewise/rest, but hopefully with the latest set of RFEs I have submitted against sssd,
it will no longer be any advantage.
On 10/05/2011 10:18 PM, Steven Jones wrote:
...the biggest thing for me so far is the ease of use, which with our
Gallagher wrote:
These are all great ideas, Ondrej. Would you mind opening RFE bugs for
them? You can file them upstream at https://fedorahosted.org/sssd or in
Red Hat Bugzilla https://bugzilla.redhat.com in the sssd component.
On Tue, 2011-10-04 at 16:29 +0200, Ondrej Valousek wrote:
Can you
I have ~50 servers and yes, we are using Centrify now - and yes, it is pain in
the ass (need to take care of the licenses).
But I have found out recently that sssd can do much of Centrify's duty (authorization and authentication) - well, it is not so polished,
but it seems to work well.
Well, small things like sssd can not renew machine credentials / sssd can not detect local site automatically in AD domain (no DC locator
implemented) / sssd can not detect/guess AD schema automatically / sssd won't configure the krb5 library for me.
Support for group policies central
Just wondering why would anyone want to sync freeIPA and AD - both can serve Linux systems fine, so if I already have AD, I no longer
require IPA.
My 2 cents...
Ondrej
On 09/29/2011 10:35 PM, Steven Jones wrote:
Hi,
In the documentation it says that new accounts in AD are synced over to
Well, I think these advantages won't outweigh the extra complexity of having
two systems for the same thing.
But it is up to everyone's decision...
Ondrej
- the error messages of an AD might be strange to deal with for
unix/linux admins
- While I expect Microsoft to test AD patches with
I would recommend using Kerberos for authentication, i.e. parameter -Y
GSSAPI. That always worked for me...
On 09/14/2011 08:59 PM, Dan Scott wrote:
Hi,
I'm trying to perform an authenticated LDAP search against a FreeIPA
server (Fedora 15, freeipa-server-2.1.0-1.fc15.x86_64).
When I run:
Hrozek wrote:
On Tue, Aug 16, 2011 at 12:47:19PM +0200, Ondrej Valousek wrote:
Hi List,
Quick question - is there any plan to enable system-config-authentication to
enable/configure sssd on RH-5/6 systems?
Thanks,
Ondrej
It should already be possible in RHEL6 provided you tell authconfig
On 03.08.2011 23:52, Dmitri Pal wrote:
But this has not been even filed as an enhancement as no one cared about
such functionality until now.
What is your use case for this functionality?
Actually, I do not need such functionality. I was asking because I know
Windows rotates keytabs, so I
I agree with Simo, I would expect this from sssd instead, also given the fact that sssd will in future also handle winbind's net *
commands, this seems to me like a most natural way...
Ondrej
On 04.08.2011 16:28, Simo Sorce wrote:
SSSD is probably a more appropriate component for keytabs,
On 04.08.2011 16:53, Dmitri Pal wrote:
Yes but server can indicate in some attribute to the client that it is
time to start doing this and the client will do the change.
Would it not be easiest just to steal some code from winbind? It is doing the same thing for Samba, right? I guess it should
Hi List,
I have some questions regarding IPA:
1. On the IPA client side, which daemon is looking after machine Kerberos
host/ principal renewal?
2. If I installed Samba4 on the IPA server, what would happen? Is it
possible? Would I get 2xKDCs, 2xLDAP servers and 2x DNS server or is
Maybe stupid question, but I have to ask:
Why would anyone want to store user RSA keys in LDAP? Once you have IPA server with KDC installed, you can use Kerberos for authentication
as well.
And you get single sign on as a special bonus :-)
Ondrej
Hi list,
I have a problem with my IPA server:
Symptoms:
[root@polaris etc]# /etc/init.d/ipa start
Starting Directory Service
Starting dirsrv:
EXAMPLE-COM... [ OK ]
PKI-IPA... [ OK ]
Failed to read
https://bugzilla.redhat.com/show_bug.cgi?id=652609
On 08.07.2011 14:35, Oliver Falk wrote:
Hi!
Why do you think winbind is broken? It works fine on my machines…
-of
*From:* ondr...@s3group.cz [mailto:freeipa-users-boun...@redhat.com] *On behalf
of* Ondrej Valousek
*Sent:* Friday, 08
1. You can connect RH guests to AD - it works pretty much the same way as with IPA (IPA does many things the same way as AD). The only
slight difference you might find with Kerberos configuration. Check my blog: http://ondarnfs.blogspot.com for more
2. AD does *not* come for free. As far as I
Check your /etc/nsswitch.conf.
It must read:
automount: files ldap
If you have the latest automounter installed you can also try:
# automount -m
... to see if the automounter really sees all your maps
Ondrej
On 06.07.2011 23:16, Rob Crittenden wrote:
Pavel Zhukov wrote:
Thank you for help. but
Hi,
On 30.06.2011 17:29, Dmitri Pal wrote:
Can you please rephrase? Do you mean that instead of documenting what we already have or in addition to it, we should also document how to
configure automount with DNS?
Does DNS allow specifying the search base?
Can you please point on any doc/man
Hi List,
I have just noticed that the ipa-client-install fails miserably if the client's /etc/resolv.conf points to some foreign DNS server. The
symptoms are that the KDC (on the IPA server) fails to locate itself in the Kerberos database:
Jun 30 11:11:48 polaris krb5kdc[1279](info): AS_REQ (4 etypes
The KDC is just trying to look up a service that was requested, it was the client that requested this host. Note that the host name used
is the detected IPA server. This can often be wrong if there is another server in your network with SRV records (such as AD).
Apparently not the KDC. I had to
On 30.06.2011 16:22, Simo Sorce wrote:
We are actively working on trying to never depend on reverse lookups.
Unfortunately there are still some bugs and limitations in various
libraries but we are working on fixing them.
Ok, thanks for the explanation. I have also seen similar errors when talking
Hi List,
I am just wondering what's the situation regarding storing automounter maps in IPA? I see support for it on the roadmap but I am wondering
how it is going to be done, because:
1. sssd can not do it, and I think it is going to take a long time before it
will (due to the libc NSS
SUDO and automount.
https://fedoraproject.org/wiki/QA:Testcase_freeipav2_automount
On 06/30/2011 11:08 AM, Ondrej Valousek wrote:
On 30.06.2011 16:55, Rob Crittenden wrote:
Look at the output of this for details: ipa help automount
I see, thanks!
It would be nice to update man pages like