Re: [Freeipa-users] TLSA records in FreeIPA

2013-09-25 Thread Christian Horn
On Tue, Sep 24, 2013 at 11:23:29AM -0600, Erinn Looney-Triggs wrote:
 I wanted to bring up the idea of integrating TLSA records into FreeIPA
 so that a host that is issued a certificate for say the web server (via
 dogtag) would also publish that information in DNS using a TLSA record.
 This is very much like how SSHFP records are handled now in FreeIPA.
 
 Has this been considered at all?

Hm.. another nice idea would be to announce services via
zeroconf/bonjour.  I guess effectively it's the same as having clients
search in DNS who offers service XYZ, which we already do for kerberos,
ldap etc.

Christian

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
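
The record generation Erinn's proposal describes, as an added worked example
that is not part of the original thread and not FreeIPA's or dogtag's own code:
it builds a TLSA record (RFC 6698) from a certificate and an SSHFP record
(RFC 4255, with SHA-256 and Ed25519 codes from RFC 6594 and RFC 7479) from an
OpenSSH public-key line, and checks a fetched record against the credential a
server presents. The certificate bytes and the Ed25519 key blob are constructed
placeholders, not real credentials; the `_<port>._<proto>.<host>.` owner name
follows RFC 6698.

```python
"""TLSA and SSHFP record generation and verification (added example)."""
import base64
import hashlib
import struct

# --- TLSA (RFC 6698) ---------------------------------------------------
# Certificate usage 3 = DANE-EE (pin the end-entity certificate itself).
# Selector 0 = full certificate, 1 = SubjectPublicKeyInfo only.
# Matching type 0 = exact data, 1 = SHA-256, 2 = SHA-512.
_TLSA_HASH = {
    0: lambda d: d.hex(),
    1: lambda d: hashlib.sha256(d).hexdigest(),
    2: lambda d: hashlib.sha512(d).hexdigest(),
}


def tlsa_owner(host, port, proto="tcp"):
    """Owner name of the TLSA record for a service, e.g. _443._tcp.www.example.com."""
    return "_%d._%s.%s." % (port, proto, host.rstrip("."))


def tlsa_rdata(der, usage=3, selector=0, matching=1):
    """Presentation-format RDATA for `der` (the whole certificate for selector 0,
    the SubjectPublicKeyInfo for selector 1; the caller passes the right bytes)."""
    if matching not in _TLSA_HASH:
        raise ValueError("unknown matching type %r" % matching)
    return "%d %d %d %s" % (usage, selector, matching, _TLSA_HASH[matching](der))


def tlsa_matches(rdata, der):
    """True if the TLSA RDATA fetched from DNS covers the presented `der`."""
    usage, selector, matching, assoc = rdata.split(None, 3)
    expected = tlsa_rdata(der, int(usage), int(selector), int(matching))
    return expected.split()[3] == assoc.strip().lower()


# --- SSHFP (RFC 4255 / 6594 / 7479) -------------------------------------
# Algorithm: 1 RSA, 2 DSA, 3 ECDSA, 4 Ed25519.  Fingerprint: 1 SHA-1, 2 SHA-256.
_SSHFP_ALGO = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
               "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4}
_SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}


def sshfp_rdata(pubkey_line, fptype=2):
    """RDATA for an OpenSSH public-key line ("ssh-ed25519 AAAA... comment").
    The fingerprint is the hash of the base64-decoded key blob, which is what
    `ssh-keygen -r` publishes."""
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    # The blob opens with an SSH string (uint32 length + bytes) naming the key
    # type; refuse a line whose text label disagrees with its binary content.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != keytype.encode():
        raise ValueError("key type label %r does not match blob" % keytype)
    return "%d %d %s" % (_SSHFP_ALGO[keytype], fptype,
                         _SSHFP_HASH[fptype](blob).hexdigest())


def sshfp_matches(rdata, pubkey_line):
    """True if the SSHFP RDATA fetched from DNS covers the presented host key."""
    algo, fptype, fp = rdata.split()
    return sshfp_rdata(pubkey_line, int(fptype)) == "%s %s %s" % (algo, fptype, fp.lower())


# --- constructed sample inputs (placeholders, not real credentials) -------
SAMPLE_CERT_DER = b"\x30\x82\x01\x00" + bytes(range(256))
_blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(range(32))
SAMPLE_PUBKEY_LINE = "ssh-ed25519 %s ipa-host" % base64.b64encode(_blob).decode()


def records_for_host(host, cert_der, pubkey_line, port=443):
    """Zone-file lines that would be published for one host under the proposal."""
    return [
        "%s IN TLSA %s" % (tlsa_owner(host, port), tlsa_rdata(cert_der)),
        "%s. IN SSHFP %s" % (host.rstrip("."), sshfp_rdata(pubkey_line)),
    ]


if __name__ == "__main__":
    for line in records_for_host("www.example.com", SAMPLE_CERT_DER, SAMPLE_PUBKEY_LINE):
        print(line)
```

A TLSA record only adds security when the client validates DNSSEC on the
answer; without that, an attacker who can spoof DNS can publish a matching
record for their own certificate, the same caveat that applies to SSHFP and
`VerifyHostKeyDNS` in OpenSSH.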


Re: [Freeipa-users] zeroconf/bonjour FreeIPA

2013-09-25 Thread Petr Spacek

On 25.9.2013 08:20, Christian Horn wrote:

On Tue, Sep 24, 2013 at 11:23:29AM -0600, Erinn Looney-Triggs wrote:

I wanted to bring up the idea of integrating TLSA records into FreeIPA
so that a host that is issued a certificate for say the web server (via
dogtag) would also publish that information in DNS using a TLSA record.
This is very much like how SSHFP records are handled now in FreeIPA.

Has this been considered at all?


Hm.. another nice idea would be to announce services via
zeroconf/bonjour.  I guess effectively it's the same as having clients
search in DNS who offers service XYZ, which we already do for kerberos,
ldap etc.


Interesting idea. Do you know any real use cases? I have not seen Bonjour in 
real use except for network printers.


Please create RFE ticket (request for enhancement) to prevent it from falling 
through the cracks:

https://fedorahosted.org/freeipa/newticket

I would recommend adding your e-mail address to the Cc field in the ticket to 
get the latest updates.


We can continue with discussion about use cases here and copy conclusions to 
the ticket later.


--
Petr^2 Spacek



Re: [Freeipa-users] zeroconf/bonjour FreeIPA

2013-09-25 Thread Christian Horn
On Wed, Sep 25, 2013 at 08:52:53AM +0200, Petr Spacek wrote:
 On 25.9.2013 08:20, Christian Horn wrote:
 
 Hm.. another nice idea would be to announce services via
 zeroconf/bonjour.  I guess effectively it's the same as having clients
 search in DNS who offers service XYZ, which we already do for kerberos,
 ldap etc.
 
 Interesting idea. Do you know any real use cases? I have not seen
 Bonjour in real use except for network printers.

It can be used for all protocols, so generic service discovery.
So one could set up a client in a network and see: oh, someone
offers XMPP service.  Here are printers announcing services.
This DLNA server offers video streaming.

I think the big window managers like gnome3 also started to 
use those and offer 


 Please create RFE ticket (request for enhancement) to prevent it
 from falling through the cracks:
 https://fedorahosted.org/freeipa/newticket

Will do, bringing it up there definitely makes sense.
But really curious on how widely (or if at all) there is
interest in this.  I think this style of service discovery
is currently more used in desktop environments than in 
server environments.

Christian



Re: [Freeipa-users] zeroconf/bonjour FreeIPA

2013-09-25 Thread Jakub Hrozek
On Wed, Sep 25, 2013 at 09:07:17AM +0200, Christian Horn wrote:
 On Wed, Sep 25, 2013 at 08:52:53AM +0200, Petr Spacek wrote:
  On 25.9.2013 08:20, Christian Horn wrote:
  
  Hm.. another nice idea would be to announce services via
  zeroconf/bonjour.  I guess effectively it's the same as having clients
  search in DNS who offers service XYZ, which we already do for kerberos,
  ldap etc.
  
  Interesting idea. Do you know any real use cases? I have not seen
  Bonjour in real use except for network printers.
 
 It can be used for all protocols, so generic service discovery.
 So one could set up a client in a network and see: oh, someone
 offers XMPP service.  Here are printers announcing services.
 This DLNA server offers video streaming.
 
 I think the big window managers like gnome3 also started to 
 use those and offer 

Traditionally avahi is used as the zeroconf implementation on Linux. I think
Bonjour was Apple's implementation?



Re: [Freeipa-users] zeroconf/bonjour FreeIPA

2013-09-25 Thread Alexander Bokovoy

On Wed, 25 Sep 2013, Christian Horn wrote:

On Wed, Sep 25, 2013 at 08:52:53AM +0200, Petr Spacek wrote:

On 25.9.2013 08:20, Christian Horn wrote:

Hm.. another nice idea would be to announce services via
zeroconf/bonjour.  I guess effectively it's the same as having clients
search in DNS who offers service XYZ, which we already do for kerberos,
ldap etc.

Interesting idea. Do you know any real use cases? I have not seen
Bonjour in real use except for network printers.


It can be used for all protocols, so generic service discovery.
So one could set up a client in a network and see: oh, someone
offers XMPP service.  Here are printers announcing services.
This DLNA server offers video streaming.

I think the big window managers like gnome3 also started to
use those and offer



Please create RFE ticket (request for enhancement) to prevent it
from falling through the cracks:
https://fedorahosted.org/freeipa/newticket


Will do, bringing it up there makes definitely sense.
But really curious on how widely (or if at all) there is
interest in this.  I think this style of service discovery
is currently more used in desktop environments than in
server environments.

Before adding support for this to FreeIPA it is worth checking whether any of
the supposed clients already support it.

- OpenLDAP:
  - no support for zeroconf protocol though a request for adding that
was filed in 2006: http://www.openldap.org/its/index.cgi/Contrib?id=4455
and abandoned since 2007.

- MIT Kerberos:
  - no zeroconf support

- Heimdal Kerberos:
  - no zeroconf support

For Kerberos, zeroconf integration presents some issues, since it is
generally not guaranteed that the IP address of the client would stay the
same throughout the lifetime of the zeroconf-based network application.
The Kerberos protocol has some support for NAT-ed clients (the closest scheme,
where a client IP may fluctuate during session time) so this might not
be a big deal, also given that LL networks aren't really in use where
Kerberos is in use. However, the lack of zeroconf support in libkrb5 makes
the whole exercise questionable.

After all, libkrb5 is able to configure itself, including default realm
information, through SRV and TXT records of the default DNS domain
supplied to the client.

If any other services managed by the IPA server (i.e. the ones we can see in
'ipa service-find') need to be exposed to zeroconf-enabled clients, some
contextual information is needed in order to publish them. The mere existence of
a record in the IPA database does not mean the service is actually
available for use. In zeroconf it is the duty of the applications that provide
the services to publish them to the zeroconf clients. This means when a
service is available, it is published (via avahi, for example). If a
service is not running, it is not published.

--
/ Alexander Bokovoy



Re: [Freeipa-users] zeroconf/bonjour FreeIPA

2013-09-25 Thread Christian Horn
On Wed, Sep 25, 2013 at 10:43:16AM +0300, Alexander Bokovoy wrote:
 Before adding a support for this in FreeIPA it is worth to see if any of
 supposed clients would already have it supported.

I had more in mind announcing services that IPA learns 
about automatically, but the server offering the service should
do that.


 - OpenLDAP:
 - MIT Kerberos:
 - Heimdal Kerberos:
 [...]
 
 After all, libkrb5 is able to configure itself, including default realm
 information, through SRV and TXT records of the default DNS domain
 supplied to the client.

ACK, for those I rather see DNS-based service discovery as useful.


Christian



Re: [Freeipa-users] Cross-realm trust with AD and ssh keys management

2013-09-25 Thread Jan Cholasta

On 25.9.2013 10:17, Martin Kosek wrote:

On 09/24/2013 04:40 PM, Alexander Bokovoy wrote:

On Tue, 24 Sep 2013, Alexandre Ellert wrote:

Hi,

I've successfully set up a testing environment with an IPA server (RHEL 6.4)
and a cross-realm trust with my Active Directory (Win2008 R2).
Authentication works both with AD passwords and Kerberos GSS-API.

Now, I'm trying to find the way to manage ssh keys which belong to AD
users. It seems that I can do that only with users declared in the IPA
domain.  Can you confirm that?

Yes. AD users do not exist physically in IPA LDAP, therefore there is no
object to assign attributes to.

Does the winsync method provide a way to add ssh keys to an AD user?

Under winsync AD users would become 'normal' LDAP objects in IPA,
therefore you can assign additional values/attributes to them.


Though note that with winsync, one would lose all the SSO capabilities...

Alexander, I am just thinking about possibilities. We now have the concept of
external groups in FreeIPA which one can then use as members of normal POSIX
groups and use them in HBAC or other policies.

Would it be possible to create external users, i.e. user entries identified
by FQDN/SID and then be able to assign selected set of user attributes (like
SSH public key, home directory, shell...) which could then be leveraged by SSSD?

Martin



I think that if you add proper schema to AD, you can have SSSD directly 
use SSH public keys stored in AD.


Honza

--
Jan Cholasta



Re: [Freeipa-users] Cross-realm trust with AD and ssh keys management

2013-09-25 Thread Alexander Bokovoy

On Wed, 25 Sep 2013, Martin Kosek wrote:

On 09/24/2013 04:40 PM, Alexander Bokovoy wrote:

On Tue, 24 Sep 2013, Alexandre Ellert wrote:

Hi,

I've successfully set up a testing environment with an IPA server (RHEL 6.4)
and a cross-realm trust with my Active Directory (Win2008 R2).
Authentication works both with AD passwords and Kerberos GSS-API.

Now, I'm trying to find the way to manage ssh keys which belong to AD
users. It seems that I can do that only with users declared in the IPA
domain.  Can you confirm that?

Yes. AD users do not exist physically in IPA LDAP, therefore there is no
object to assign attributes to.

Does the winsync method provide a way to add ssh keys to an AD user?

Under winsync AD users would become 'normal' LDAP objects in IPA,
therefore you can assign additional values/attributes to them.


Though note that with winsync, one would lose all the SSO capabilities...

Alexander, I am just thinking about possibilities. We now have the concept of
external groups in FreeIPA which one can then use as members of normal POSIX
groups and use them in HBAC or other policies.

Would it be possible to create external users, i.e. user entries identified
by FQDN/SID and then be able to assign selected set of user attributes (like
SSH public key, home directory, shell...) which could then be leveraged by SSSD?

Not sure it makes sense given that one can manage these attributes in
AD.

--
/ Alexander Bokovoy



Re: [Freeipa-users] Cross-realm trust with AD and ssh keys management

2013-09-25 Thread Martin Kosek
On 09/25/2013 10:30 AM, Alexander Bokovoy wrote:
 On Wed, 25 Sep 2013, Martin Kosek wrote:
 On 09/24/2013 04:40 PM, Alexander Bokovoy wrote:
 On Tue, 24 Sep 2013, Alexandre Ellert wrote:
 Hi,

 I've successfully set up a testing environment with an IPA server (RHEL 6.4)
 and a cross-realm trust with my Active Directory (Win2008 R2).
 Authentication works both with AD passwords and Kerberos GSS-API.

 Now, I'm trying to find the way to manage ssh keys which belong to AD
 users. It seems that I can do that only with users declared in the IPA
 domain.  Can you confirm that?
 Yes. AD users do not exist physically in IPA LDAP, therefore there is no
 object to assign attributes to.
 Does the winsync method provide a way to add ssh keys to an AD user?
 Under winsync AD users would become 'normal' LDAP objects in IPA,
 therefore you can assign additional values/attributes to them.

 Though note that with winsync, one would lose all the SSO capabilities...

 Alexander, I am just thinking about possibilities. We now have the concept of
 external groups in FreeIPA which one can then use as members of normal POSIX
 groups and use them in HBAC or other policies.

 Would it be possible to create external users, i.e. user entries identified
 by FQDN/SID and then be able to assign selected set of user attributes (like
 SSH public key, home directory, shell...) which could then be leveraged by 
 SSSD?
 Not sure it makes sense given that one can manage these attributes in
 AD.

True. This may then lead to an RFE for a Services for Identity Management for
UNIX Components AD extension... And when it's there, a similar RFE for SSSD to
use the new attributes.

Martin



Re: [Freeipa-users] Cross-realm trust with AD and ssh keys management

2013-09-25 Thread Sumit Bose
On Wed, Sep 25, 2013 at 10:17:04AM +0200, Martin Kosek wrote:
 On 09/24/2013 04:40 PM, Alexander Bokovoy wrote:
  On Tue, 24 Sep 2013, Alexandre Ellert wrote:
  Hi,
 
  I've successfully set up a testing environment with an IPA server (RHEL 6.4)
  and a cross-realm trust with my Active Directory (Win2008 R2).
  Authentication works both with AD passwords and Kerberos GSS-API.
 
  Now, I'm trying to find the way to manage ssh keys which belong to AD
  users. It seems that I can do that only with users declared in the IPA
  domain.  Can you confirm that?
  Yes. AD users do not exist physically in IPA LDAP, therefore there is no
  object to assign attributes to.
  Does the winsync method provide a way to add ssh keys to an AD user?
  Under winsync AD users would become 'normal' LDAP objects in IPA,
  therefore you can assign additional values/attributes to them.
 
 Though note that with winsync, one would lose all the SSO capabilities...
 
 Alexander, I am just thinking about possibilities. We now have the concept of
 external groups in FreeIPA which one can then use as members of normal POSIX
 groups and use them in HBAC or other policies.
 
 Would it be possible to create external users, i.e. user entries identified
 by FQDN/SID and then be able to assign selected set of user attributes (like
 SSH public key, home directory, shell...) which could then be leveraged by 
 SSSD?

Does anyone know if there is an ssh key management solution for AD? If
yes, I think it would be better to use this and enhance SSSD to fetch
them from AD. The data can then be stored in the sssd cache on the IPA
servers and distributed to the IPA clients with the LDAP exop we already
use to make the AD users available to the clients.

bye,
Sumit

 
 Martin
 



Re: [Freeipa-users] Cross-realm trust with AD and ssh keys management

2013-09-25 Thread Alexander Bokovoy

On Wed, 25 Sep 2013, Sumit Bose wrote:

On Wed, Sep 25, 2013 at 10:17:04AM +0200, Martin Kosek wrote:

On 09/24/2013 04:40 PM, Alexander Bokovoy wrote:
 On Tue, 24 Sep 2013, Alexandre Ellert wrote:
 Hi,

 I've successfully set up a testing environment with an IPA server (RHEL 6.4)
 and a cross-realm trust with my Active Directory (Win2008 R2).
 Authentication works both with AD passwords and Kerberos GSS-API.

 Now, I'm trying to find the way to manage ssh keys which belong to AD
 users. It seems that I can do that only with users declared in the IPA
 domain.  Can you confirm that?
 Yes. AD users do not exist physically in IPA LDAP, therefore there is no
 object to assign attributes to.
 Does the winsync method provide a way to add ssh keys to an AD user?
 Under winsync AD users would become 'normal' LDAP objects in IPA,
 therefore you can assign additional values/attributes to them.

Though note that with winsync, one would lose all the SSO capabilities...

Alexander, I am just thinking about possibilities. We now have the concept of
external groups in FreeIPA which one can then use as members of normal POSIX
groups and use them in HBAC or other policies.

Would it be possible to create external users, i.e. user entries identified
by FQDN/SID and then be able to assign selected set of user attributes (like
SSH public key, home directory, shell...) which could then be leveraged by SSSD?


Does anyone know if there is an ssh key management solution for AD? If
yes, I think it would be better to use this and enhance SSSD to fetch
them from AD. The data can then be stored in the sssd cache on the IPA
servers and distributed to the IPA clients with the LDAP exop we already
use to make the AD users available to the clients.

Yes, there are a few commercial solutions. Many of them use their own
schemes, so supporting them would require working with multiple different
schemes.

http://tools.ietf.org/html/draft-ylonen-sshkeybcp-01 describes recommended 
practices.


--
/ Alexander Bokovoy



Re: [Freeipa-users] Cross-realm trust with AD and ssh keys management

2013-09-25 Thread Sumit Bose
On Wed, Sep 25, 2013 at 12:01:38PM +0300, Alexander Bokovoy wrote:
 On Wed, 25 Sep 2013, Sumit Bose wrote:
 On Wed, Sep 25, 2013 at 10:17:04AM +0200, Martin Kosek wrote:
 On 09/24/2013 04:40 PM, Alexander Bokovoy wrote:
  On Tue, 24 Sep 2013, Alexandre Ellert wrote:
  Hi,
 
  I've successfully set up a testing environment with an IPA server (RHEL 6.4)
  and a cross-realm trust with my Active Directory (Win2008 R2).
  Authentication works both with AD passwords and Kerberos GSS-API.
 
  Now, I'm trying to find the way to manage ssh keys which belong to AD
  users. It seems that I can do that only with users declared in the IPA
  domain.  Can you confirm that?
  Yes. AD users do not exist physically in IPA LDAP, therefore there is no
  object to assign attributes to.
  Does the winsync method provide a way to add ssh keys to an AD user?
  Under winsync AD users would become 'normal' LDAP objects in IPA,
  therefore you can assign additional values/attributes to them.
 
 Though note that with winsync, one would lose all the SSO capabilities...
 
 Alexander, I am just thinking about possibilities. We now have the concept 
 of
 external groups in FreeIPA which one can then use as members of normal POSIX
 groups and use them in HBAC or other policies.
 
 Would it be possible to create external users, i.e. user entries 
 identified
 by FQDN/SID and then be able to assign selected set of user attributes (like
 SSH public key, home directory, shell...) which could then be leveraged by 
 SSSD?
 
 Does anyone know if there is an ssh key management solution for AD? If
 yes, I think it would be better to use this and enhance SSSD to fetch
 them from AD. The data can then be stored in the sssd cache on the IPA
 servers and distributed to the IPA clients with the LDAP exop we already
 use to make the AD users available to the clients.
 Yes, there are a few commercial solutions. Many of them use their own
 schemes, so supporting them would require working with multiple different
 schemes.
 
 http://tools.ietf.org/html/draft-ylonen-sshkeybcp-01 describes recommended 
 practices.

Thank you for the details. So it looks like this might be an interesting
RFE.

bye,
Sumit

 
 
 -- 
 / Alexander Bokovoy



Re: [Freeipa-users] Where should new clients register?

2013-09-25 Thread Martin Kosek
On 09/25/2013 05:32 PM, Bret Wortman wrote:
 Does it make a difference which replica (or master) a new client registers
 with? I've traditionally tried to match them up with the closest ones, but
 if it doesn't make any real difference, I'll just grab whoever answers
 first and be done with it.

It would matter if you did not use DNS autodiscovery, as clients use just the
provided list of IPA servers to communicate with.

However, if you use DNS autodiscovery, the client (SSSD) will first use a (random)
IPA server from the list of servers autodiscovered via DNS SRV records. You can
verify this in your sssd.conf:

# grep ipa_server /etc/sssd/sssd.conf
ipa_server = _srv_, vm-052.example.com

When no DNS SRV record is found, it should fall back to the replica it was
configured against.

Things would change when the DNS sites RFE is implemented and you could focus
clients only on geographically close servers:

https://fedorahosted.org/freeipa/ticket/2008

Thanks,
Martin

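
The SRV-based discovery that both Alexander (libkrb5 configuring itself from
SRV and TXT records) and Martin (the `_srv_` entry in sssd.conf) describe, as
an added example that is not part of the thread and not libkrb5's or SSSD's own
code. It implements the RFC 2782 ordering rules (ascending priority, weighted
random choice within a priority, weight-0 targets chosen least often) over a
constructed sample zone. `ipa_server_list` is a simplified model of how `_srv_`
expands into discovered servers followed by the explicit fallbacks; real SSSD
also handles failover timers, sites and more, none of which is reproduced here.
The realm lookup via a TXT record at `_kerberos.<domain>` is what MIT krb5 does
when `dns_lookup_realm` is enabled.

```python
"""RFC 2782 SRV ordering and DNS-based realm/server discovery (added example)."""
import random
from collections import namedtuple

SRV = namedtuple("SRV", "priority weight port target")


def parse_zone(zone_text):
    """Parse presentation-format SRV and TXT lines into {owner: [rdata, ...]}.
    TTL and class are optional; comments and other record types are ignored."""
    records = {}
    for line in zone_text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith(";"):
            continue
        owner = tokens[0].rstrip(".").lower()
        if "SRV" in tokens:
            i = tokens.index("SRV")
            prio, weight, port = (int(t) for t in tokens[i + 1:i + 4])
            records.setdefault(owner, []).append(
                SRV(prio, weight, port, tokens[i + 4].rstrip(".")))
        elif "TXT" in tokens:
            i = tokens.index("TXT")
            records.setdefault(owner, []).append(" ".join(tokens[i + 1:]).strip('"'))
    return records


def order_srv(rrset, rng=None):
    """Order an SRV RRset per RFC 2782: ascending priority, then repeated
    weighted random selection within each priority. Weight-0 entries are moved
    to the front of the group so they are picked only when nothing else wins."""
    rng = rng or random.Random()
    ordered = []
    for prio in sorted({r.priority for r in rrset}):
        group = sorted((r for r in rrset if r.priority == prio),
                       key=lambda r: r.weight != 0)   # zero weights first
        while group:
            total = sum(r.weight for r in group)
            pick = rng.randint(0, total)              # 0..total inclusive
            running = 0
            for idx, r in enumerate(group):
                running += r.weight
                if running >= pick:
                    ordered.append(group.pop(idx))
                    break
    return ordered


def discover(records, service, domain, rng=None):
    """host:port targets for e.g. service='_kerberos._udp', in RFC 2782 order."""
    rrset = [r for r in records.get("%s.%s" % (service, domain.lower()), [])
             if isinstance(r, SRV)]
    return ["%s:%d" % (r.target, r.port) for r in order_srv(rrset, rng)]


def default_realm(records, domain):
    """libkrb5-style realm lookup: the TXT record at _kerberos.<domain>."""
    for r in records.get("_kerberos.%s" % domain.lower(), []):
        if isinstance(r, str):
            return r
    return None


def ipa_server_list(setting, records, domain, rng=None):
    """Expand an sssd.conf `ipa_server = _srv_, host, ...` value (simplified
    model, assumed for this example): `_srv_` becomes the servers found under
    _ldap._tcp.<domain>; explicit hostnames stay in place as fallbacks."""
    out = []
    for item in (s.strip() for s in setting.split(",")):
        if item == "_srv_":
            out.extend(t.rsplit(":", 1)[0]
                       for t in discover(records, "_ldap._tcp", domain, rng))
        elif item:
            out.append(item)
    return out


class FixedRng:
    """Deterministic stand-in for random.Random, for reproducible runs."""
    def __init__(self, values):
        self._values = list(values)

    def randint(self, lo, hi):
        v = self._values.pop(0) if self._values else lo
        return min(max(v, lo), hi)


# Constructed sample zone, not taken from any real deployment.
SAMPLE_ZONE = """
; two equal-weight KDCs, a weight-0 disaster-recovery KDC at lower priority
_kerberos._udp.example.com.  86400 IN SRV 0 100 88  ipa1.example.com.
_kerberos._udp.example.com.  86400 IN SRV 0 100 88  ipa2.example.com.
_kerberos._udp.example.com.  86400 IN SRV 10  0 88  ipa-dr.example.com.
_ldap._tcp.example.com.      86400 IN SRV 0 100 389 ipa1.example.com.
_ldap._tcp.example.com.      86400 IN SRV 0 100 389 ipa2.example.com.
_kerberos.example.com.       86400 IN TXT "EXAMPLE.COM"
"""

if __name__ == "__main__":
    recs = parse_zone(SAMPLE_ZONE)
    print("realm:", default_realm(recs, "example.com"))
    print("kdcs: ", discover(recs, "_kerberos._udp", "example.com"))
    print("ipa_server:", ipa_server_list("_srv_, vm-052.example.com", recs, "example.com"))
```

Unsigned SRV answers are as spoofable as any other DNS data, so an attacker
on the path can steer clients to a KDC or LDAP server of their choosing;
Kerberos mutual authentication limits what they gain from that, but DNSSEC
validation on the client is what actually protects the discovery step.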


Re: [Freeipa-users] IPA Query Tuning and a Recovery Question

2013-09-25 Thread Charlie Derwent
On Mon, Sep 16, 2013 at 3:21 PM, Rob Crittenden rcrit...@redhat.com wrote:

 Rich Megginson wrote:

 On 09/16/2013 03:21 AM, Charlie Derwent wrote:

 Hi
 Update on the errors
 kinit charlesd
 kinit: Generic error (see e-text) while getting initial credentials
 krb5kdc.log - LOOKING_UP_CLIENT: charl...@example.com for
 krbtg/EXAMPLE.COM@EXAMPLE.COM, Server Error

 Starting the IPA service (dirsrv in particular) gives
 Failed to read data from Directory Service: Failed to get list of
 services to probe status!
 Configured hostname 'ipa3.example.com'

 doesn't match any master server in LDAP:
 No master found because of error: {'matched': dc=example,dc=com',
 'desc': 'No such object'}
 Shutting down
 The errors log has a load of different services schema-compat-plugin.
 dna-plugin, ipalockout_preop/postop all complaining in one way or
 another about being unable to retrieve entries or no entries being set
 up.


 I think you'll have to use the workaround where you change replication
 to use simple bind in order to initialize the consumer, then switch back
 to sasl/gssapi.

 Simo/Rob - which ticket was this?  Does freeipa.org have the workaround?


 http://freeipa.org/page/TroubleshootingGuide#Replica_Re-Initialization

Sorry, I hate leaving threads like this unresolved. So I had a go at
implementing the changes as shown above and I can see how and why it should
have worked, but whenever I tried to reinitialise from the remote server it
still didn't load, so I uninstalled the server, removed the replication
agreements by force and started from scratch, and it's all good now.

You might want to edit the line on the link so that nsSaslMapFilterTemplate:
(krbPrincipalName=@IDM.LAB.BOS.REDHAT.COM) reads
nsSaslMapFilterTemplate: (krbPrincipalName=@$REALM), but it's kind of
obvious anyway.

Thanks for the help
Charlie



  rob


Re: [Freeipa-users] Cross-realm trust with AD and ssh keys management

2013-09-25 Thread Dmitri Pal
On 09/25/2013 06:34 AM, Martin Kosek wrote:
 On 09/25/2013 11:15 AM, Sumit Bose wrote:
 On Wed, Sep 25, 2013 at 12:01:38PM +0300, Alexander Bokovoy wrote:
 On Wed, 25 Sep 2013, Sumit Bose wrote:
 On Wed, Sep 25, 2013 at 10:17:04AM +0200, Martin Kosek wrote:
 On 09/24/2013 04:40 PM, Alexander Bokovoy wrote:
 On Tue, 24 Sep 2013, Alexandre Ellert wrote:
 Hi,

 I've successfully set up a testing environment with an IPA server (RHEL 6.4)
 and a cross-realm trust with my Active Directory (Win2008 R2).
 Authentication works both with AD passwords and Kerberos GSS-API.

 Now, I'm trying to find the way to manage ssh keys which belong to AD
 users. It seems that I can do that only with users declared in the IPA
 domain.  Can you confirm that?
 Yes. AD users do not exist physically in IPA LDAP, therefore there is no
 object to assign attributes to.
 Does the winsync method provide a way to add ssh keys to an AD user?
 Under winsync AD users would become 'normal' LDAP objects in IPA,
 therefore you can assign additional values/attributes to them.
 Though note that with winsync, one would lose all the SSO capabilities...

 Alexander, I am just thinking about possibilities. We now have the 
 concept of
 external groups in FreeIPA which one can then use as members of normal 
 POSIX
 groups and use them in HBAC or other policies.

 Would it be possible to create external users, i.e. user entries 
 identified
 by FQDN/SID and then be able to assign selected set of user attributes 
 (like
 SSH public key, home directory, shell...) which could then be leveraged 
 by SSSD?
 Does anyone know if there is a ssh key management solution for AD? If
 yes, I think it would be better to use this and enhance SSSD to fetch
 them from AD. The data can then be stored in the sssd cache on the IPA
 servers and distributed to the IPA clients with the LDAP exop we already
 use to make the AD users available to the clients.
 Yes, there are a few commercial solutions. Many of them use their own
 schemes, so supporting them would require working with multiple different
 schemes.

 http://tools.ietf.org/html/draft-ylonen-sshkeybcp-01 describes recommended 
 practices.
 Thank you for the details. So it looks that this might be an interesting
 RFE.

 bye,
 Sumit
 Agreed.

 I filed a RFE ticket: https://fedorahosted.org/sssd/ticket/2099

 Martin



And to get back to the original question: when you have trusts and HBAC,
why do you need SSH keys?
They do not add any value and become a burden to manage.
You can use your Kerberos ticket to access the systems you need, and the systems
would check whether you are allowed to access them, so I fail to see the need for
SSH keys in this case at all. What am I missing?


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/


