Re: [Freeipa-users] DNS zone delegation

2012-02-02 Thread Adam Tkac

On 02/01/2012 07:21 PM, Loris Santamaria wrote:

Hi,

I have a dns zone managed by IPA and I'm trying to delegate a zone
managed by Active Directory.

The IPA managed zone is called "corpfbk", and the AD one is
"ad.corpfbk".

I started by adding the proper glue records:

ipa dnsrecord-add corpfbk ns1.ad --a-rec=192.168.3.36
ipa dnsrecord-add corpfbk ns2.ad --a-rec=192.168.3.241

Then I add what I consider should be the zone delegation:

ipa dnsrecord-add corpfbk ad --ns-rec=ns1.ad.corpfbk.,ns2.ad.corpfbk.

Problem is, IPA DNS can't resolve any host in the ad.corpfbk zone,
except ns1 and ns2. Recursion is enabled in named.conf. Dig results:

dig @localhost ad.corpfbk NS +norecurse
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21862
;; flags: qr aa ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 4

;; QUESTION SECTION:
;ad.corpfbk.			IN	NS

;; ANSWER SECTION:
ad.corpfbk. 86400   IN  NS  ns1.ad.corpfbk.
ad.corpfbk. 86400   IN  NS  ns2.ad.corpfbk.

;; AUTHORITY SECTION:
corpfbk.	86400   IN  NS  ipa01.central.corpfbk.
corpfbk.	86400   IN  NS  ipa02.central.corpfbk.

;; ADDITIONAL SECTION:
ns1.ad.corpfbk. 86400   IN  A   192.168.3.36
ns2.ad.corpfbk. 86400   IN  A   192.168.3.241
ipa01.central.corpfbk.  86400   IN  A   192.168.3.6
ipa02.central.corpfbk.  86400   IN  A   192.168.3.16

It seems to me, and after testing with other non-IPA based DNS servers,
that the response shouldn't have an "Answer section", but it should
have an "authority section" pointing to ad.corpfbk.

Am I doing something wrong? Should I file a bug?

You are right, ad.corpfbk. records should be in the auth section. This seems
like a bug in the bind-dyndb-ldap plugin. Please file it with a reference
to this thread at bugzilla.redhat.com. Thank you in advance!


Regards, Adam

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
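To make the distinction in this thread concrete, here is an added example (not code from the thread or from FreeIPA) that parses the text output of a `dig <child> NS +norecurse` query sent to the parent zone's server and reports whether it is a proper referral: child NS records in the AUTHORITY section, nothing in ANSWER, no `aa` flag, and glue addresses present for in-bailiwick name servers. The two sample responses are constructed: the first mirrors what the thread shows bind-dyndb-ldap returning, the second is what a correct referral looks like.

```python
import re

FLAGS_RE = re.compile(r";; flags: ([a-z ]*);")
SECTION_RE = re.compile(r";; (QUESTION|ANSWER|AUTHORITY|ADDITIONAL) SECTION:")


def parse_dig(text):
    """Return (flags, sections) from dig's text output.
    sections maps a section name to a list of (owner, rrtype, rdata_fields)."""
    flags = set()
    sections = {"ANSWER": [], "AUTHORITY": [], "ADDITIONAL": []}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = FLAGS_RE.search(line)
        if m:
            flags = set(m.group(1).split())
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            continue
        # skip blanks, comment lines (including the QUESTION entry) and text outside a section
        if not line or line.startswith(";") or current not in sections:
            continue
        parts = line.split()
        if len(parts) >= 5:  # owner ttl class type rdata...
            sections[current].append((parts[0], parts[3], parts[4:]))
    return flags, sections


def check_delegation(text, zone):
    """Classify the parent server's response for a delegated child zone.
    Returns {'referral': bool, 'problems': [..]}; an empty problem list means
    the parent handed out a clean referral."""
    zone = zone.rstrip(".").lower() + "."
    flags, sec = parse_dig(text)
    problems = []
    if "aa" in flags:
        problems.append("aa flag set: parent server claims authority for the child zone")
    if any(o.lower() == zone and t == "NS" for o, t, _ in sec["ANSWER"]):
        problems.append("child NS records returned in ANSWER instead of AUTHORITY")
    auth_ns = [r[0].lower() for o, t, r in sec["AUTHORITY"] if o.lower() == zone and t == "NS"]
    if not auth_ns:
        problems.append("no child NS records in AUTHORITY section")
    # name servers living inside the child zone can only be reached through glue
    glue = {o.lower() for o, t, _ in sec["ADDITIONAL"] if t in ("A", "AAAA")}
    for ns in auth_ns:
        if ns.endswith("." + zone) and ns not in glue:
            problems.append("missing glue address for %s" % ns)
    return {"referral": not problems, "problems": problems}


# Constructed sample: the shape of the response quoted in the thread
BUGGY_RESPONSE = """
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21862
;; flags: qr aa ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 4

;; QUESTION SECTION:
;ad.corpfbk.			IN	NS

;; ANSWER SECTION:
ad.corpfbk.		86400	IN	NS	ns1.ad.corpfbk.
ad.corpfbk.		86400	IN	NS	ns2.ad.corpfbk.

;; AUTHORITY SECTION:
corpfbk.		86400	IN	NS	ipa01.central.corpfbk.
corpfbk.		86400	IN	NS	ipa02.central.corpfbk.

;; ADDITIONAL SECTION:
ns1.ad.corpfbk.		86400	IN	A	192.168.3.36
ns2.ad.corpfbk.		86400	IN	A	192.168.3.241
"""

# Constructed sample: what a correct referral from the parent looks like
PROPER_REFERRAL = """
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;ad.corpfbk.			IN	NS

;; AUTHORITY SECTION:
ad.corpfbk.		86400	IN	NS	ns1.ad.corpfbk.
ad.corpfbk.		86400	IN	NS	ns2.ad.corpfbk.

;; ADDITIONAL SECTION:
ns1.ad.corpfbk.		86400	IN	A	192.168.3.36
ns2.ad.corpfbk.		86400	IN	A	192.168.3.241
"""

if __name__ == "__main__":
    for name, text in (("thread response", BUGGY_RESPONSE), ("proper referral", PROPER_REFERRAL)):
        print(name, check_delegation(text, "ad.corpfbk"))
```

Run it against `dig @<parent-server> ad.corpfbk NS +norecurse` output; a resolver that receives the first shape treats the parent as authoritative for the child and never follows the delegation, which is exactly why hosts under ad.corpfbk other than the glue names fail to resolve.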


[Freeipa-users] Other distro clients

2012-02-02 Thread Nigel Sollars
Hi All,

I notice online people have already asked about clients for other Linux
distributions; my addition to this is how far (if at all) along is the
effort? Is there an svn / git repo I can grab sources / test packages from for,
say, Debian or SuSE?

Any info would be most welcomed

Nigel Sollars

-- 
“Science is a differential equation. Religion is a boundary condition.”

Alan Turing

Re: [Freeipa-users] Other distro clients

2012-02-02 Thread Dmitri Pal
On 02/02/2012 09:59 AM, Nigel Sollars wrote:
> Hi All,
>
> I notice online people have already asked about Clients for other
> linux distributions,  my addition to this is how far ( if any ) along
> is the effort?.  Is there an svn / git repo I can grab sources / test
> packages for say Debian or SuSE?.
>
> Any info would be most welcomed
>

Some time ago SSSD was built for Suse. I am not sure it was maintained.
I am not aware of any effort to port ipa-client to Suse.
There is some effort to port ipa-client to Debian and Ubuntu but I do
not know where the code for this is.

> Nigel Sollars
>
> -- 
> “Science is a differential equation. Religion is a boundary condition.”
>   
>   
> Alan Turing
>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.





Re: [Freeipa-users] Other distro clients

2012-02-02 Thread Stephen Gallagher
On Thu, 2012-02-02 at 10:44 -0500, Dmitri Pal wrote:
> On 02/02/2012 09:59 AM, Nigel Sollars wrote: 
> > Hi All, 
> > 
> > 
> > I notice online people have already asked about Clients for other
> > linux distributions,  my addition to this is how far ( if any )
> > along is the effort?.  Is there an svn / git repo I can grab
> > sources / test packages for say Debian or SuSE?.
> > 
> > 
> > Any info would be most welcomed
> > 
> > 
> 
> Some time ago SSSD was built for Suse. I am not sure it was
> maintained. I am not aware of any effort to port ipa-client to Suse.
> There is some effort to port ipa-client to Debian and Ubuntu but I do
> not know where the code for this is.

The port to Debian and Ubuntu is being spearheaded by Timo Aaltonen
(CCed). He has a PPA with a reasonably recent version of SSSD available
that can be used with FreeIPA v2.



[Freeipa-users] Authenticating From Windows 7 Host

2012-02-02 Thread re frain
Hi,

I'm trying to log in to the realm from a Windows host as a valid user. My
user is able to authenticate, however I then get this message: "Server
does not have a computer account for workstation trust".

The Windows 7 client has been configured correctly, however I'm uncertain
if I have configured the "host" correctly within the FreeIPA UI
(permissions?).

Re: [Freeipa-users] Other distro clients

2012-02-02 Thread Timo Aaltonen
02.02.2012 17:49, Stephen Gallagher kirjoitti:
> On Thu, 2012-02-02 at 10:44 -0500, Dmitri Pal wrote:
>> On 02/02/2012 09:59 AM, Nigel Sollars wrote: 
>>> Hi All, 
>>>
>>>
>>> I notice online people have already asked about Clients for other
>>> linux distributions,  my addition to this is how far ( if any )
>>> along is the effort?.  Is there an svn / git repo I can grab
>>> sources / test packages for say Debian or SuSE?.
>>>
>>>
>>> Any info would be most welcomed
>>>
>>>
>>
>> Some time ago SSSD was built for Suse. I am not sure it was
>> maintained. I am not aware of any effort to port ipa-client to Suse.
>> There is some effort to port ipa-client to Debian and Ubuntu but I do
>> not know where the code for this is.
> 
> The port to Debian and Ubuntu is being spearheaded by Timo Aaltonen
> (CCed). He has a PPA with a reasonably recent version of SSSD available
> that can be used with FreeIPA v2.

Yeah, trying to get it all ready for the next release (12.04), and
hoping to squeeze in SSSD 1.8 too. Have had less time lately to work on
these, but it's still possible to get most of it in before feature
freeze (feb 16th) and the rest as a freeze exception.

Here are links to the related launchpad teams, in case folks are willing
to test the packages (and file bugs!), once there's more to test:

https://launchpad.net/~ubuntu-389-directory-server
https://launchpad.net/~freeipa
https://launchpad.net/~sssd

t



[Freeipa-users] Dovecot IMAP with IPA 2.x?

2012-02-02 Thread Craig T
hi,

Has anyone setup Dovecot IMAP to work with IPA 2.x yet?
I'm thinking the best config would be to use;
* IMAPS between the mail clients and Dovecot server
* LDAPS with "Passdb LDAP with authentication binds" to connect to IPA?
  ref: http://wiki2.dovecot.org/AuthDatabase/LDAP/AuthBinds

cya

Craig



Re: [Freeipa-users] Dovecot IMAP with IPA 2.x?

2012-02-02 Thread Dale Macartney

Hi Craig

I am actually working on this very thing at the moment.

There is a very basic config here
(http://freeipa.org/page/Dovecot_Integration), however this is using PAM
for everything.

The end goal of course is SSO, for which I have managed to get GSSAPI
authentication working, with PAM used for the user lookups.

Here is what I have in a working state on RHEL 6.2:

#

# enroll the mail server in the IPA domain; oddjob-mkhomedir creates home
# directories on first interactive login
yum install -y oddjob-mkhomedir
chkconfig oddjobd on
service oddjobd start

ipa-client-install -U -p admin -w redhat123 --mkhomedir

# configure dovecot
chkconfig dovecot on
sed -i 's/#protocols = imap pop3 lmtp/protocols = imap/g' /etc/dovecot/dovecot.conf
# replace the whole commented-out default line so no stray "=" is left on it
sed -i "s-#mail_location =.*-mail_location = mbox:~/mail:INBOX=/var/spool/mail/%u-g" /etc/dovecot/conf.d/10-mail.conf
# static userdb: every user is mapped to the dovecot uid/gid with a per-user spool path
echo "userdb {" >> /etc/dovecot/conf.d/10-auth.conf
echo "  driver = static" >> /etc/dovecot/conf.d/10-auth.conf
echo "  args = uid=dovecot gid=dovecot home=/var/spool/mail/%u" >> /etc/dovecot/conf.d/10-auth.conf
echo "}" >> /etc/dovecot/conf.d/10-auth.conf
# GSSAPI only; hostname and realm must match the service principal stored in the keytab
sed -i 's/auth_mechanisms = plain/auth_mechanisms = gssapi/g' /etc/dovecot/conf.d/10-auth.conf
sed -i "s/#auth_gssapi_hostname =/auth_gssapi_hostname = $(hostname)/g" /etc/dovecot/conf.d/10-auth.conf
sed -i "s-#auth_krb5_keytab =-auth_krb5_keytab = /etc/dovecot/krb5.keytab-g" /etc/dovecot/conf.d/10-auth.conf
sed -i "s/#auth_realms =/auth_realms = $(hostname --domain)/g" /etc/dovecot/conf.d/10-auth.conf
sed -i "s/#auth_default_realm =/auth_default_realm = $(hostname --domain)/g" /etc/dovecot/conf.d/10-auth.conf

kinit admin

# create the service principals and fetch their keys into a keytab that only dovecot can read
ipa service-add imap/$(hostname)
ipa service-add imaps/$(hostname)
ipa-getkeytab -s ds01.example.com -p imap/$(hostname) -k /etc/dovecot/krb5.keytab
ipa-getkeytab -s ds01.example.com -p imaps/$(hostname) -k /etc/dovecot/krb5.keytab
chown dovecot:dovecot /etc/dovecot/krb5.keytab
chmod 600 /etc/dovecot/krb5.keytab

service dovecot restart



By having the system tapped into the IPA domain, PAM allows Dovecot to
pass user lookups successfully. With the GSSAPI changes to
/etc/dovecot/conf.d/10-auth.conf and using a keytab for the service
principals, users can log in successfully without issue (I have only
tested this with GSSAPI at the moment).

Successful authentication appears in /var/log/maillog as follows:

Feb  2 22:50:45 mail04 dovecot: imap-login: Login: user=, method=GSSAPI, rip=192.168.122.61, lip=192.168.122.44, mpid=2216, TLS

The only issue I am presently facing is with the mail_location directive
in Dovecot.

Unless the user's home directory actually exists you will get errors like this:

Feb  2 21:52:34 mail04 dovecot: imap(user1): Error: user user1: Initialization failed: Initializing mail storage from mail_location setting failed: mkdir(/home/user1/mail) failed: Permission denied (euid=120163(user1) egid=120163(user1) missing +w perm: /home, euid is not dir owner)

I have been experimenting with how best to address this, however I am
constantly being pushed back to the only way of having a user directory that
actually exists being a homedir, which would be created when a user
first logs in.

Yes, if you ssh to the dovecot server as the user (with oddjobd running
in the background) it will create the homedir  with no problems and the
issue is resolved, however users should not *have to* interactively log
into a server just to allow them to access mail.

my only thinking here is shared homedirs (nfs?) between clients and
servers, however my thoughts on this are "if dovecot is redirecting a
users mail to their homedir, then why do we need dovecot to access it
via imap when the mail will already appear in their homedir?"

does anyone have any thoughts on this?

Dale


On 02/03/2012 04:33 AM, Craig T wrote:
> hi,
>
> Has anyone setup Dovecot IMAP to work with IPA 2.x yet?
> I'm thinking the best config would be to use;
> * IMAPS between the mail clients and Dovecot server
> * LDAPS with "Passdb LDAP with authentication binds" to connect to IPA?
> ref: http://wiki2.dovecot.org/AuthDatabase/LDAP/AuthBinds
>
> cya
>
> Craig
>
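Since the two maillog lines above are the signal a mail admin ends up watching for with this setup, here is an added example (not code from the thread or from Dovecot) that scans maillog lines for both: it records the mechanism of every IMAP login so that anything other than GSSAPI stands out once the goal is GSSAPI-only, and it collects the users who hit the mail_location "mkdir ... Permission denied" error, i.e. the ones whose home directory does not exist yet. The sample log lines are constructed in the shape of the ones quoted above; Dovecot normally writes the user as `user=<name>`, and the pattern also accepts the stripped `user=,` form that appears in the quoted line.

```python
import re

# "imap-login: Login: user=<user1>, method=GSSAPI, rip=192.168.122.61, ..."
LOGIN_RE = re.compile(
    r"dovecot: imap-login: Login: user=<?(?P<user>[^>,]*)>?, "
    r"method=(?P<method>\w+), rip=(?P<rip>[\d.]+)"
)
# "imap(user1): Error: ... mkdir(/home/user1/mail) failed: Permission denied (..."
STORAGE_ERR_RE = re.compile(
    r"dovecot: imap\((?P<user>[^)]+)\): Error: .*mkdir\((?P<path>[^)]+)\) "
    r"failed: (?P<reason>[^(]+)"
)


def scan_maillog(lines, allowed_methods=("GSSAPI",)):
    """Return logins, logins that used a mechanism outside allowed_methods,
    and mail-storage initialization errors, each as a list of dicts."""
    logins, weak_logins, storage_errors = [], [], []
    for line in lines:
        m = LOGIN_RE.search(line)
        if m:
            rec = {"user": m.group("user"), "method": m.group("method"), "rip": m.group("rip")}
            logins.append(rec)
            if rec["method"].upper() not in allowed_methods:
                weak_logins.append(rec)
            continue
        m = STORAGE_ERR_RE.search(line)
        if m:
            storage_errors.append({
                "user": m.group("user"),
                "path": m.group("path"),
                "reason": m.group("reason").strip(),
            })
    return {"logins": logins, "weak_logins": weak_logins, "storage_errors": storage_errors}


def users_needing_homedir(report):
    """Users whose mailbox could not be initialised because the parent
    directory of mail_location is missing or not writable."""
    return sorted({e["user"] for e in report["storage_errors"]})


# Constructed sample lines in the shape of the maillog excerpts quoted above
SAMPLE_MAILLOG = [
    "Feb  2 22:50:45 mail04 dovecot: imap-login: Login: user=<user1>, method=GSSAPI, "
    "rip=192.168.122.61, lip=192.168.122.44, mpid=2216, TLS",
    "Feb  2 22:51:10 mail04 dovecot: imap-login: Login: user=<user2>, method=PLAIN, "
    "rip=192.168.122.62, lip=192.168.122.44, mpid=2220, TLS",
    "Feb  2 21:52:34 mail04 dovecot: imap(user1): Error: user user1: Initialization failed: "
    "Initializing mail storage from mail_location setting failed: mkdir(/home/user1/mail) "
    "failed: Permission denied (euid=120163(user1) egid=120163(user1) missing +w perm: /home, "
    "euid is not dir owner)",
    "Feb  2 22:52:01 mail04 dovecot: imap-login: Disconnected (no auth attempts): "
    "rip=192.168.122.63, lip=192.168.122.44, TLS",
]

if __name__ == "__main__":
    report = scan_maillog(SAMPLE_MAILLOG)
    for rec in report["weak_logins"]:
        print("non-GSSAPI login:", rec)
    print("users without a usable home directory:", users_needing_homedir(report))
```

Feeding the real file in (`scan_maillog(open("/var/log/maillog"))`) gives the same two lists; the second one is the set of accounts that would currently need the interactive login workaround described above.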