Re: [Freeipa-users] DNS zone delegation
On 02/01/2012 07:21 PM, Loris Santamaria wrote:
> Hi, I have a DNS zone managed by IPA and I'm trying to delegate a zone
> managed by Active Directory. The IPA managed zone is called "corpfbk",
> and the AD one is "ad.corpfbk".
>
> I started by adding the proper glue records:
>
>   ipa dnsrecord-add corpfbk ns1.ad --a-rec=192.168.3.36
>   ipa dnsrecord-add corpfbk ns2.ad --a-rec=192.168.3.241
>
> Then I add what I consider should be the zone delegation:
>
>   ipa dnsrecord-add corpfbk ad --ns-rec=ns1.ad.corpfbk.,ns2.ad.corpfbk.
>
> Problem is, IPA DNS can't resolve any host in the ad.corpfbk zone,
> except ns1 and ns2. Recursion is enabled in named.conf. Dig results:
>
>   dig @localhost ad.corpfbk NS +norecurse
>
>   ;; Got answer:
>   ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21862
>   ;; flags: qr aa ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 4
>
>   ;; QUESTION SECTION:
>   ;ad.corpfbk.                    IN      NS
>
>   ;; ANSWER SECTION:
>   ad.corpfbk.             86400   IN      NS      ns1.ad.corpfbk.
>   ad.corpfbk.             86400   IN      NS      ns2.ad.corpfbk.
>
>   ;; AUTHORITY SECTION:
>   corpfbk.                86400   IN      NS      ipa01.central.corpfbk.
>   corpfbk.                86400   IN      NS      ipa02.central.corpfbk.
>
>   ;; ADDITIONAL SECTION:
>   ns1.ad.corpfbk.         86400   IN      A       192.168.3.36
>   ns2.ad.corpfbk.         86400   IN      A       192.168.3.241
>   ipa01.central.corpfbk.  86400   IN      A       192.168.3.6
>   ipa02.central.corpfbk.  86400   IN      A       192.168.3.16
>
> It seems to me, and after testing with other non-IPA based DNS servers,
> that the response shouldn't have an "Answer section", but it should
> have an "authority section" pointing to ad.corpfbk. Am I doing
> something wrong? Should I file a bug?

You are right, ad.corpfbk. records should be in the auth section. This
seems like a bug in the bind-dyndb-ldap plugin. Please file it, with a
reference to this thread, at bugzilla.redhat.com.

Thank you in advance!

Regards,
Adam

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
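The distinction Adam confirms above (delegation NS set in AUTHORITY with AA clear versus an authoritative ANSWER) is easy to check mechanically. The following is an added example, not code from the thread or from FreeIPA: a minimal DNS wire-format encoder and parser that classifies a non-recursive NS response for the child zone as a proper referral or as the buggy shape Loris saw, and that also reports in-bailiwick nameservers without A glue. The two responses are constructed by hand to mirror the dig output (the message ID, TTLs and flag bits are made up), so nothing is sent on the network.

```python
"""Check the shape of a DNS delegation response (added example)."""
import struct

A, NS = 1, 2
QR, AA, RA = 0x8000, 0x0400, 0x0080


def encode_name(name):
    """Dotted name -> uncompressed wire format."""
    out = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return out + b"\x00"


def encode_rr(name, rtype, rdata, ttl=86400):
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def build_response(qname, flags, answer, authority, additional):
    # Message ID 0x5566 is arbitrary; one question, then the three RR sections.
    header = struct.pack("!HHHHHH", 0x5566, flags, 1, len(answer), len(authority), len(additional))
    return header + encode_name(qname) + struct.pack("!HH", NS, 1) + b"".join(answer + authority + additional)


def decode_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset past it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:           # compression pointer
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels) + ".", end if jumped else off


def parse_rrs(msg, off, count):
    rrs = []
    for _ in range(count):
        name, off = decode_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if rtype == NS:
            rdata = decode_name(msg, off)[0]
        elif rtype == A:
            rdata = ".".join(str(b) for b in rdata)
        off += rdlen
        rrs.append((name, rtype, rdata))
    return rrs, off


def parse_response(msg):
    _id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                     # skip the question section
        off = decode_name(msg, off)[1] + 4
    answer, off = parse_rrs(msg, off, an)
    authority, off = parse_rrs(msg, off, ns)
    additional, _ = parse_rrs(msg, off, ar)
    return {"aa": bool(flags & AA), "answer": answer, "authority": authority, "additional": additional}


def classify_delegation(msg, child):
    """'referral' for a correct delegation; 'answer' when the parent answers
    authoritatively for the child's NS set (the behaviour reported above);
    'none' otherwise."""
    r = parse_response(msg)
    in_answer = [rr for rr in r["answer"] if rr[0] == child and rr[1] == NS]
    in_auth = [rr for rr in r["authority"] if rr[0] == child and rr[1] == NS]
    if in_answer and r["aa"]:
        return "answer"
    if in_auth and not in_answer and not r["aa"]:
        return "referral"
    return "none"


def missing_glue(msg, child):
    """In-bailiwick NS targets that have no A record in ADDITIONAL."""
    r = parse_response(msg)
    targets = {rr[2] for rr in r["answer"] + r["authority"] if rr[0] == child and rr[1] == NS}
    glued = {rr[0] for rr in r["additional"] if rr[1] == A}
    return sorted(t for t in targets if t.endswith("." + child) and t not in glued)


# Constructed to mirror the dig output in the thread.
CHILD = "ad.corpfbk."
CHILD_NS = [encode_rr(CHILD, NS, encode_name("ns1.ad.corpfbk.")),
            encode_rr(CHILD, NS, encode_name("ns2.ad.corpfbk."))]
GLUE = [encode_rr("ns1.ad.corpfbk.", A, bytes([192, 168, 3, 36])),
        encode_rr("ns2.ad.corpfbk.", A, bytes([192, 168, 3, 241]))]
PARENT_NS = [encode_rr("corpfbk.", NS, encode_name("ipa01.central.corpfbk.")),
             encode_rr("corpfbk.", NS, encode_name("ipa02.central.corpfbk."))]

# What the thread shows: qr aa ra, child NS set in ANSWER, parent NS in AUTHORITY.
BUGGY = build_response(CHILD, QR | AA | RA, CHILD_NS, PARENT_NS, GLUE)
# What a correct referral looks like: qr ra, empty ANSWER, child NS set in AUTHORITY.
CORRECT = build_response(CHILD, QR | RA, [], CHILD_NS, GLUE)

if __name__ == "__main__":
    for label, msg in (("buggy", BUGGY), ("correct", CORRECT)):
        print(label, classify_delegation(msg, CHILD), "missing glue:", missing_glue(msg, CHILD))
```

Against a live server the same check is `dig @server child NS +norecurse` and reading the flags line: a delegating parent must not set `aa` for the child's NS set. The glue check matters because a referral whose in-bailiwick nameservers carry no A records in ADDITIONAL cannot be followed by a resolver.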
[Freeipa-users] Other distro clients
Hi All,

I notice online people have already asked about clients for other Linux
distributions; my addition to this is how far along (if at all) is the
effort? Is there an svn / git repo I can grab sources / test packages
from, for say Debian or SuSE?

Any info would be most welcomed.

Nigel Sollars

--
"Science is a differential equation. Religion is a boundary condition."
Alan Turing
Re: [Freeipa-users] Other distro clients
On 02/02/2012 09:59 AM, Nigel Sollars wrote:
> Hi All,
>
> I notice online people have already asked about clients for other
> Linux distributions; my addition to this is how far along (if at all)
> is the effort? Is there an svn / git repo I can grab sources / test
> packages from, for say Debian or SuSE?
>
> Any info would be most welcomed.

Some time ago SSSD was built for Suse. I am not sure it was maintained.
I am not aware of any effort to port ipa-client to Suse. There is some
effort to port ipa-client to Debian and Ubuntu, but I do not know where
the code for this is.

> Nigel Sollars
>
> --
> "Science is a differential equation. Religion is a boundary condition."
> Alan Turing

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-users] Other distro clients
On Thu, 2012-02-02 at 10:44 -0500, Dmitri Pal wrote:
> On 02/02/2012 09:59 AM, Nigel Sollars wrote:
> > Hi All,
> >
> > I notice online people have already asked about clients for other
> > Linux distributions; my addition to this is how far along (if at
> > all) is the effort? Is there an svn / git repo I can grab sources /
> > test packages from, for say Debian or SuSE?
> >
> > Any info would be most welcomed.
>
> Some time ago SSSD was built for Suse. I am not sure it was
> maintained. I am not aware of any effort to port ipa-client to Suse.
> There is some effort to port ipa-client to Debian and Ubuntu, but I do
> not know where the code for this is.

The port to Debian and Ubuntu is being spearheaded by Timo Aaltonen
(CCed). He has a PPA with a reasonably recent version of SSSD available
that can be used with FreeIPA v2.
[Freeipa-users] Authenticating From Windows 7 Host
Hi,

I'm trying to log in to the realm from a Windows host as a valid user. My
user is able to authenticate, however I then get this message:

  "Server does not have a computer account for workstation trust".

The Windows 7 client has been configured correctly, however I'm uncertain
if I have configured the "host" correctly within the FreeIPA UI
(permissions?).
Re: [Freeipa-users] Other distro clients
02.02.2012 17:49, Stephen Gallagher wrote:
> On Thu, 2012-02-02 at 10:44 -0500, Dmitri Pal wrote:
>> On 02/02/2012 09:59 AM, Nigel Sollars wrote:
>>> Hi All,
>>>
>>> I notice online people have already asked about clients for other
>>> Linux distributions; my addition to this is how far along (if at
>>> all) is the effort? Is there an svn / git repo I can grab sources /
>>> test packages from, for say Debian or SuSE?
>>>
>>> Any info would be most welcomed.
>>
>> Some time ago SSSD was built for Suse. I am not sure it was
>> maintained. I am not aware of any effort to port ipa-client to Suse.
>> There is some effort to port ipa-client to Debian and Ubuntu, but I do
>> not know where the code for this is.
>
> The port to Debian and Ubuntu is being spearheaded by Timo Aaltonen
> (CCed). He has a PPA with a reasonably recent version of SSSD available
> that can be used with FreeIPA v2.

Yeah, trying to get it all ready for the next release (12.04), and
hoping to squeeze in SSSD 1.8 too. I have had less time lately to work on
these, but it's still possible to get most of it in before feature
freeze (Feb 16th) and the rest as a freeze exception.

Here are links to the related Launchpad teams, in case folks are willing
to test the packages (and file bugs!) once there's more to test:

https://launchpad.net/~ubuntu-389-directory-server
https://launchpad.net/~freeipa
https://launchpad.net/~sssd

t
[Freeipa-users] Dovecot IMAP with IPA 2.x?
hi,

Has anyone set up Dovecot IMAP to work with IPA 2.x yet?

I'm thinking the best config would be to use:
* IMAPS between the mail clients and the Dovecot server
* LDAPS with "Passdb LDAP with authentication binds" to connect to IPA?

ref: http://wiki2.dovecot.org/AuthDatabase/LDAP/AuthBinds

cya
Craig
Re: [Freeipa-users] Dovecot IMAP with IPA 2.x?
Hi Craig

I am actually working on this very thing at the moment. There is a very
basic config here (http://freeipa.org/page/Dovecot_Integration), however
this is using PAM for everything. The end goal of course is SSO, in which
I have managed to get GSSAPI for authentication working, and PAM is used
for the user lookups.

Here is what I have in a working state on RHEL 6.2:

# enrol the host in the IPA domain; oddjobd creates home directories on
# first login (the admin password is passed inline here, as posted)
yum install -y oddjob-mkhomedir
chkconfig oddjobd on
service oddjobd start
ipa-client-install -U -p admin -w redhat123 --mkhomedir

# configure dovecot: IMAP only, mbox mail under the user's home, a static
# userdb, and GSSAPI as the only auth mechanism
chkconfig dovecot on
sed -i 's/#protocols = imap pop3 lmtp/protocols = imap/g' /etc/dovecot/dovecot.conf
sed -i "s-#mail_location-mail_location = mbox:~/mail:INBOX=/var/spool/mail/%u-g" /etc/dovecot/conf.d/10-mail.conf
echo "userdb {" >> /etc/dovecot/conf.d/10-auth.conf
echo "  driver = static" >> /etc/dovecot/conf.d/10-auth.conf
echo "  args = uid=dovecot gid=dovecot home=/var/spool/mail/%u" >> /etc/dovecot/conf.d/10-auth.conf
echo "}" >> /etc/dovecot/conf.d/10-auth.conf
sed -i 's/auth_mechanisms = plain/auth_mechanisms = gssapi/g' /etc/dovecot/conf.d/10-auth.conf
sed -i "s/#auth_gssapi_hostname =/auth_gssapi_hostname = $(hostname)/g" /etc/dovecot/conf.d/10-auth.conf
sed -i "s-#auth_krb5_keytab =-auth_krb5_keytab = /etc/dovecot/krb5.keytab-g" /etc/dovecot/conf.d/10-auth.conf
sed -i "s/#auth_realms =/auth_realms = $(hostname --domain)/g" /etc/dovecot/conf.d/10-auth.conf
sed -i "s/#auth_default_realm =/auth_default_realm = $(hostname --domain)/g" /etc/dovecot/conf.d/10-auth.conf

# create the imap/imaps service principals in IPA and fetch their keys into
# a keytab owned by the dovecot user
kinit admin
ipa service-add imap/$(hostname)
ipa service-add imaps/$(hostname)
ipa-getkeytab -s ds01.example.com -p imap/$(hostname) -k /etc/dovecot/krb5.keytab
ipa-getkeytab -s ds01.example.com -p imaps/$(hostname) -k /etc/dovecot/krb5.keytab
chown dovecot:dovecot /etc/dovecot/krb5.keytab
service dovecot restart

By having the system tapped into the IPA domain, PAM allows dovecot to
pass user lookups successfully.

With the GSSAPI changes to /etc/dovecot/conf.d/10-auth.conf and using a
keytab for the service principals, users can log in successfully without
issue (I have only tested this with GSSAPI only at the moment).

Successful authentication appears in /var/log/maillog as follows:

  Feb 2 22:50:45 mail04 dovecot: imap-login: Login: user=, method=GSSAPI, rip=192.168.122.61, lip=192.168.122.44, mpid=2216, TLS

The only issue I am presently facing is with the mail_location directive
in dovecot: unless the user's homedir actually exists you will get errors
like this:

  Feb 2 21:52:34 mail04 dovecot: imap(user1): Error: user user1: Initialization failed: Initializing mail storage from mail_location setting failed: mkdir(/home/user1/mail) failed: Permission denied (euid=120163(user1) egid=120163(user1) missing +w perm: /home, euid is not dir owner)

I have been experimenting with how best to address this, however I am
constantly being pushed back to the only way of having a userdir that
actually exists being a homedir which would be created when a user first
logs in. Yes, if you ssh to the dovecot server as the user (with oddjobd
running in the background) it will create the homedir with no problems
and the issue is resolved, however users should not *have to*
interactively log into a server just to allow them to access mail.

My only thinking here is shared homedirs (NFS?) between clients and
servers, however my thoughts on this are "if dovecot is redirecting a
user's mail to their homedir, then why do we need dovecot to access it via
IMAP when the mail will already appear in their homedir?"

Does anyone have any thoughts on this?

Dale

On 02/03/2012 04:33 AM, Craig T wrote:
> hi,
>
> Has anyone set up Dovecot IMAP to work with IPA 2.x yet?
> I'm thinking the best config would be to use:
> * IMAPS between the mail clients and the Dovecot server
> * LDAPS with "Passdb LDAP with authentication binds" to connect to IPA?
> ref: http://wiki2.dovecot.org/AuthDatabase/LDAP/AuthBinds
>
> cya
>
> Craig
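The GSSAPI part of Dale's procedure stands or falls on the keytab: Dovecot can only accept a ticket for a principal whose key is in /etc/dovecot/krb5.keytab, and a missing imaps/ entry or a leftover weak enctype is invisible until a client fails. The following is an added example, not code from the post or from FreeIPA/Dovecot: it writes a small version-2 MIT keytab from constructed entries (zero-filled dummy keys, a made-up timestamp) and parses it back to confirm that both service principals created above are present and to flag single-DES or RC4 entries. The hostname mail04.example.com and realm EXAMPLE.COM are assumptions taken from the log lines and the ds01.example.com server in the post.

```python
"""Verify a Dovecot service keytab offline (added example)."""
import struct

# Kerberos enctype numbers that should not be in a service keytab any more.
WEAK_ENCTYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 23: "rc4-hmac"}


def build_keytab(entries):
    """Write a version-2 MIT keytab from (principal, kvno, enctype, key) tuples."""
    out = b"\x05\x02"
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack("!H", len(comps))                     # component count (realm not counted in v2)
        body += struct.pack("!H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack("!H", len(c)) + c.encode()
        body += struct.pack("!IIB", 1, 1328220000, kvno & 0xFF)  # KRB5_NT_PRINCIPAL, timestamp (made up), 8-bit vno
        body += struct.pack("!HH", enctype, len(key)) + key
        body += struct.pack("!I", kvno)                          # 32-bit vno extension
        out += struct.pack("!i", len(body)) + body
    return out


def parse_keytab(data):
    """Return [(principal, kvno, enctype)] for every live entry in a v2 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 keytab")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack("!i", data[off:off + 4])
        off += 4
        if size == 0:
            break
        if size < 0:                   # a negative size marks a deleted slot
            off += -size
            continue
        end = off + size
        ncomp, rlen = struct.unpack("!HH", data[off:off + 4])
        off += 4
        realm = data[off:off + rlen].decode()
        off += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack("!H", data[off:off + 2])
            comps.append(data[off + 2:off + 2 + clen].decode())
            off += 2 + clen
        _ntype, _ts, vno8 = struct.unpack("!IIB", data[off:off + 9])
        off += 9
        enctype, klen = struct.unpack("!HH", data[off:off + 4])
        off += 4 + klen                # skip the key material itself
        kvno = struct.unpack("!I", data[off:off + 4])[0] if end - off >= 4 else vno8
        entries.append(("/".join(comps) + "@" + realm, kvno, enctype))
        off = end
    return entries


def missing_principals(data, required):
    """Required principals with no entry at all in the keytab."""
    present = {p for p, _, _ in parse_keytab(data)}
    return sorted(set(required) - present)


def weak_entries(data):
    """(principal, enctype) for entries using single-DES or RC4."""
    return [(p, e) for p, _, e in parse_keytab(data) if e in WEAK_ENCTYPES]


HOST, REALM = "mail04.example.com", "EXAMPLE.COM"          # assumed, not from the post
REQUIRED = [f"imap/{HOST}@{REALM}", f"imaps/{HOST}@{REALM}"]
SAMPLE = [                                                  # constructed; keys are dummies
    (REQUIRED[0], 2, 18, bytes(32)),  # aes256-cts-hmac-sha1-96
    (REQUIRED[0], 2, 23, bytes(16)),  # rc4-hmac, flagged as weak
    (REQUIRED[1], 1, 18, bytes(32)),
]
KEYTAB = build_keytab(SAMPLE)

if __name__ == "__main__":
    for principal, kvno, enctype in parse_keytab(KEYTAB):
        print(f"{principal} kvno={kvno} enctype={enctype}")
    print("missing:", missing_principals(KEYTAB, REQUIRED))
    print("weak:", weak_entries(KEYTAB))
```

On a live host, `klist -kt /etc/dovecot/krb5.keytab` lists the same principals and kvnos; the parser above is here to make visible what that file actually carries. Because the keytab is equivalent to the service's long-term key, the `chown dovecot:dovecot` step in the procedure should be paired with a mode that denies read access to everyone else.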