Re: [Freeipa-users] Dovecot imap authentication with IPA/Kerberos
Dovecot is not running as root - can't read your krb5.keytab...?

On 01/30/2012 01:16 PM, Dale Macartney wrote:
> Hi all
>
> I'm working on a test lab setup at the moment with RHEL 6.2 running IPA 2.1 and experimenting with simple mail server setups. I have mail being received based on PAM lookups from IPA. The mail server is tapped into IPA via ipa-client-install.
>
> I am using a default install of the dovecot rpm from RHN, and dovecot is listening via imap/imaps; however, all authentication requests fail when attempting to log in via imap.
>
> I added the necessary keytabs for imap/mail.example.com and imaps/mail.example.com to /etc/krb5.keytab but this hasn't allowed authentication.
>
> Has anyone set up dovecot through IPA before? Any recommendations?
>
> thanks all
>
> Dale

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Dovecot imap authentication with IPA/Kerberos
On 01/30/2012 07:16 AM, Dale Macartney wrote:
> Hi all
>
> I'm working on a test lab setup at the moment with RHEL 6.2 running IPA 2.1 and experimenting with simple mail server setups. I have mail being received based on PAM lookups from IPA. The mail server is tapped into IPA via ipa-client-install.
>
> I am using a default install of the dovecot rpm from RHN, and dovecot is listening via imap/imaps; however, all authentication requests fail when attempting to log in via imap.
>
> I added the necessary keytabs for imap/mail.example.com and imaps/mail.example.com to /etc/krb5.keytab but this hasn't allowed authentication.
>
> Has anyone set up dovecot through IPA before? Any recommendations?

Hi Dale,

Will you be so kind as to share with the list a little bit more detail about how to set up Dovecot with IPA? If you can provide step-by-step instructions we would publish them on the FreeIPA wiki.

Thank you
Dmitri

> thanks all
>
> Dale

-- 
Thank you,
Dmitri Pal
Sr. Engineering Manager IPA project, Red Hat Inc.
Re: [Freeipa-users] ipa migrate-ds failing when more than 1 namingcontext is available
Sigbjorn Lie wrote:
> On 01/27/2012 07:42 PM, Rob Crittenden wrote:
>> Sigbjorn Lie wrote:
>>> On 01/27/2012 06:15 PM, Sigbjorn Lie wrote:
>>>> On 01/27/2012 03:55 PM, Rob Crittenden wrote:
>>>>> Sigbjorn Lie wrote:
>>>>>> On Fri, January 27, 2012 15:37, Rob Crittenden wrote:
>>>>>>> Stephen Gallagher wrote:
>>>>>>>> On Fri, 2012-01-27 at 15:11 +0100, Sigbjorn Lie wrote:
>>>>>>>>> Hi
>>>>>>>>>
>>>>>>>>> The first naming context returned from the LDAP server is always chosen when using migrate-ds. This makes my import fail when I attempt to import users and groups from a previous LDAP server having more than one naming context available.
>>>>>>>>>
>>>>>>>>> The migrate-ds script should accept an option to specify what base_dn I would like to import from. Is there such an option today? I cannot find it...
>>>>>>>>
>>>>>>>> Not currently. I noticed this earlier in the week and opened a ticket on it, https://fedorahosted.org/freeipa/ticket/2314
>>>>>>>>
>>>>>>>> Just to add to this request, if the original LDAP server has a defaultNamingContext attribute, it should be honored for auto-detecting which base to migrate.
>>>>>>>
>>>>>>> I'll update 2314 to ensure we don't forget about this. 389-ds just added support for defaultNamingContext.
>>>>>>
>>>>>> Ok, thank you.
>>>>>>
>>>>>> Anything I can do to work around this issue today? I suppose there is just a file that needs to be hacked to set a value instead of the auto-detected value...?
>>>>>
>>>>> /usr/lib/python*/site-packages/ipalib/plugins/migration.py
>>>>>
>>>>> At ~line 620 you'll see a block starting with the comment "retrieve DS base DN". Comment out the next 8 lines by prefixing them with # (these query to get the namingContext then pull the first value out). Add:
>>>>>
>>>>>     ds_base_dn = 'dc=yourbasedn,dc=com'
>>>>>
>>>>> Alternatively you could always just add the above line to override what is detected. Commenting out just saves an LDAP lookup.
>>>>>
>>>>> Restart Apache.
>>>>
>>>> I already found that file and did that earlier today, however I was restarting tomcat6, not httpd... my bad. :)
>>>>
>>>> I have to specify --group-objectclass=posixGroup to get groups imported, that's fine. But I only get a few users imported.
>>>>
>>>> I see that by default it seems to be looking for objectclass=person. Only a few user accounts have that objectclass associated, so I add --user-objectclass=posixAccount as all users have this objectclass associated with their account.
>>>>
>>>>     $ ipa migrate-ds --user-container='ou=people' --group-container='ou=group' --bind-dn='cn=directory manager' --user-objectclass=account --group-objectclass=posixGroup --schema=RFC2307 --continue ldap://ldapserver:399
>>>>     ipa: ERROR: an internal error has occurred
>>>>
>>>> Not good. I look in the /var/log/httpd/error_log file, and I find:
>>>>
>>>>     [Fri Jan 27 18:12:51 2012] [error] ipa: INFO: admin@NONE: ping(): SUCCESS
>>>>     [Fri Jan 27 18:12:52 2012] [error] ipa: ERROR: non-public: UnicodeDecodeError: 'utf8' codec can't decode byte 0xe5 in position 1: invalid continuation byte
>>>>     [Fri Jan 27 18:12:52 2012] [error] Traceback (most recent call last):
>>>>     [Fri Jan 27 18:12:52 2012] [error]   File "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 228, in wsgi_execute
>>>>     [Fri Jan 27 18:12:52 2012] [error]     result = self.Command[name](*args, **options)
>>>>     [Fri Jan 27 18:12:52 2012] [error]   File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 432, in __call__
>>>>     [Fri Jan 27 18:12:52 2012] [error]     ret = self.run(*args, **options)
>>>>     [Fri Jan 27 18:12:52 2012] [error]   File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 738, in run
>>>>     [Fri Jan 27 18:12:52 2012] [error]     return self.execute(*args, **options)
>>>>     [Fri Jan 27 18:12:52 2012] [error]   File "/usr/lib/python2.6/site-packages/ipalib/plugins/migration.py", line 634, in execute
>>>>     [Fri Jan 27 18:12:52 2012] [error]     ldap, config, ds_ldap, ds_base_dn, options
>>>>     [Fri Jan 27 18:12:52 2012] [error]   File "/usr/lib/python2.6/site-packages/ipalib/plugins/migration.py", line 513, in migrate
>>>>     [Fri Jan 27 18:12:52 2012] [error]     search_refs=True # migrated DS may contain search references
>>>>     [Fri Jan 27 18:12:52 2012] [error]   File "/usr/lib/python2.6/site-packages/ipalib/encoder.py", line 188, in new_f
>>>>     [Fri Jan 27 18:12:52 2012] [error]     return f(*new_args, **kwargs)
>>>>     [Fri Jan 27 18:12:52 2012] [error]   File "/usr/lib/python2.6/site-packages/ipalib/encoder.py", line 199, in new_f
>>>>     [Fri Jan 27 18:12:52 2012] [error]     return args[0].decode(f(*args, **kwargs))
>>>>     [Fri Jan 27 18:12:52 2012] [error]   File "/usr/lib/python2.6/site-packages/ipalib/encoder.py", line 139, in decode
>>>>     [Fri Jan 27 18:12:52 2012] [error]     return tuple(self.decode(m) for m in var)
>>>>     [Fri Jan 27 18:12:52 2012] [error]   File "/usr/lib/python2.6/site-packages/ipalib/encoder.py", line 139, in <genexpr>
>>>>     [Fri Jan 27 18:12:52 2012] [error]     return tuple(self.decode(m) for m in var)
>>>>     [Fri Jan 27 18:12:52 2012] [error]   File "/usr/lib/python2.6/site-packages/ipalib/encoder.py", line 137, in decode
>>>>     [Fri Jan 27 18:12:52 2012] [error]     return [self.decode(m) for m in var]
>>>>     [Fri Jan 27 18:12:52 2012] [error]   File "/usr/lib/python2.6/site-packages/ipalib/encoder.py", line 139, in decode
>>>>     [Fri Jan 27 18:12:52 2012] [error]     return tuple(self.decode(m) for m in var)
>>>>     [Fri Jan 27
[Freeipa-users] FreeIPA 2.2 alpha or beta available somewhere?
Hi guys,

In the next few days I'm going to start a test deployment of FreeIPA 2.1, but after that I'm planning to have a look at the new features FreeIPA 2.2 brings. Are you going to release an alpha/beta package anytime in the future?

Thanks in advance
Marco
[Freeipa-users] RHEL 5.7 / 5.8 BETA and KDE crashing SSSD
Hi,

I'm doing a pre-implementation project for a customer having RHEL 5.7 workstations with KDE as their window manager.

When using KDE at a RHEL 5.7 (or 5.8 BETA) workstation connected to an IPA 2.1.3 server running on RHEL 6.2, sssd will crash every time I attempt to unlock the screen. To work around the issue I switch to tty1, log in as root, and restart sssd. After attempting this several times (2-5 times), I can finally unlock the screen.

I have attempted to update one workstation to 5.8 beta to see if the issue was resolved there. No such luck.

Is this a known issue?

The log displays the following:

    Jan 30 15:49:16 svg118 kdesktop_lock: on 0
    Jan 30 15:49:21 svg118 kernel: sssd_be[9873] general protection rip:41dc3d rsp:7fffc57c9f10 error:0
    Jan 30 15:49:22 svg118 sssd[be[no.ep.corp.local]]: Starting up
    Jan 30 15:49:33 svg118 sssd[be[no.ep.corp.local]]: Shutting down
    Jan 30 15:49:33 svg118 sssd[pam]: Shutting down
    Jan 30 15:49:33 svg118 kcheckpass[9896]: Authentication failure for username (invoked by uid 12345)
    Jan 30 15:49:33 svg118 sssd[nss]: Shutting down
    Jan 30 15:49:33 svg118 sssd: Starting up
    Jan 30 15:49:34 svg118 sssd[be[no.ep.corp.local]]: Starting up
    Jan 30 15:49:34 svg118 sssd[nss]: Starting up
    Jan 30 15:49:34 svg118 sssd[pam]: Starting up
    Jan 30 15:49:42 svg118 kernel: sssd_be[9928] general protection rip:41dc3d rsp:7fff70baba70 error:0
    Jan 30 15:49:43 svg118 sssd[be[no.ep.corp.local]]: Starting up
    Jan 30 15:49:52 svg118 sssd[be[no.ep.corp.local]]: Shutting down
    Jan 30 15:49:52 svg118 sssd[pam]: Shutting down
    Jan 30 15:49:52 svg118 kcheckpass[9933]: Authentication failure for username (invoked by uid 12345)
    Jan 30 15:49:52 svg118 sssd[nss]: Shutting down
    Jan 30 15:49:52 svg118 sssd: Starting up
    Jan 30 15:49:52 svg118 sssd[be[no.ep.corp.local]]: Starting up
    Jan 30 15:49:52 svg118 sssd[pam]: Starting up
    Jan 30 15:49:52 svg118 sssd[nss]: Starting up
    Jan 30 15:49:59 svg118 kernel: sssd_be[9985] general protection rip:41dc3d rsp:7fff40912260 error:0

Rgds,
Siggi
Re: [Freeipa-users] RHEL 5.7 / 5.8 BETA and KDE crashing SSSD
On Mon, 2012-01-30 at 16:01 +0100, Sigbjorn Lie wrote:
> Hi,
>
> I'm doing a pre-implementation project for a customer having RHEL 5.7 workstations with KDE as their window manager.
>
> When using KDE at a RHEL 5.7 (or 5.8 BETA) workstation connected to an IPA 2.1.3 server running on RHEL 6.2, sssd will crash every time I attempt to unlock the screen. To work around the issue I switch to tty1, log in as root, and restart sssd. After attempting this several times (2-5 times), I can finally unlock the screen.
>
> I have attempted to update one workstation to 5.8 beta to see if the issue was resolved there. No such luck.
>
> Is this a known issue?
>
> The log displays the following:
>
> [...]
>     Jan 30 15:49:59 svg118 kernel: sssd_be[9985] general protection rip:41dc3d rsp:7fff40912260 error:0

Definitely not a known issue. Do you think you could attach gdb to the sssd_be process and try to get a backtrace for me to look at, please?
Re: [Freeipa-users] ipa migrate-ds failing when more than 1 namingcontext is available
Dmitri Pal wrote:
> On 01/30/2012 09:23 AM, Simo Sorce wrote:
>> On Mon, 2012-01-30 at 09:06 -0500, Rob Crittenden wrote:
>>> Like I said, this error is triggered before ignore is evaluated, so if an unknown binary attribute is getting decoded it will cause this failure.
>>>
>>> The only solutions we have right now are to either load the schema into IPA temporarily for the migration, remove it on the remote side, or modify the query we make to find the remote entries to pull only certain attributes. This last one would be tricky to get right. The code looks like:
>>>
>>>     (entries, truncated) = ds_ldap.find_entries(
>>>         search_filter, ['*'], search_bases[ldap_obj_name],
>>>         ds_ldap.SCOPE_ONELEVEL,
>>>         time_limit=0, size_limit=-1,
>>>         search_refs=True    # migrated DS may contain search references
>>>     )
>>>
>>> You'd want to replace ['*'] with ['attr1','attr2','attr3',...]. It would be a rather long list and would need to cover both users and groups.
>>
>> TBH I think we should turn the code around and do this by default. We have no idea how to manage extra attributes anyway, so we shouldn't get them all, only get those we understand. And turn the exclusion list into an inclusion list, so that if someone wants to import more data because they added additional schema to FreeIPA they are free to do so.
>>
>> The current way looks brittle.
>>
>> Simo.
>
> Agree, we need to open a BZ and ticket on this one.

Oh I don't know. The reason we did it this way was to specifically put into the user's face those attributes that aren't being migrated. This way we don't find out much after the fact that some things weren't migrated properly, forcing them to re-migrate.

I'd certainly rather have a little pain at the beginning of the process and know I have everything I need, rather than days/weeks/months later realize something important was missed.

rob
Re: [Freeipa-users] ipa migrate-ds failing when more than 1 namingcontext is available
On 01/30/2012 10:56 AM, Rob Crittenden wrote:
> Dmitri Pal wrote:
>> On 01/30/2012 09:23 AM, Simo Sorce wrote:
>>> On Mon, 2012-01-30 at 09:06 -0500, Rob Crittenden wrote:
>>>> Like I said, this error is triggered before ignore is evaluated, so if an unknown binary attribute is getting decoded it will cause this failure.
>>>> [...]
>>>> You'd want to replace ['*'] with ['attr1','attr2','attr3',...]. It would be a rather long list and would need to cover both users and groups.
>>>
>>> TBH I think we should turn the code around and do this by default. We have no idea how to manage extra attributes anyway, so we shouldn't get them all, only get those we understand. And turn the exclusion list into an inclusion list, so that if someone wants to import more data because they added additional schema to FreeIPA they are free to do so.
>>>
>>> The current way looks brittle.
>>>
>>> Simo.
>>
>> Agree, we need to open a BZ and ticket on this one.
>
> Oh I don't know. The reason we did it this way was to specifically put into the user's face those attributes that aren't being migrated. This way we don't find out much after the fact that some things weren't migrated properly, forcing them to re-migrate.
>
> I'd certainly rather have a little pain at the beginning of the process and know I have everything I need, rather than days/weeks/months later realize something important was missed.
>
> rob

Maybe we should have a dry-run option then, or something like migrate-ds-test that will return two lists: the list of all attributes detected and the list of attributes that we actually can migrate. For the ones we can't migrate we should explain why. Then migrate-ds should accept the second list as an input overriding the default *.

How about that?

-- 
Thank you,
Dmitri Pal
Sr. Engineering Manager IPA project, Red Hat Inc.
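The traceback earlier in this thread comes from decoding every attribute value of every remote entry as UTF-8 in one pass, so a single byte such as 0xe5 (Latin-1 'å', or the first byte of a binary value) aborts the run before the ignore list is consulted. The following is an added example, not IPA's migration.py or encoder.py, of decoding per attribute instead: known binary attributes stay bytes, an undecodable text attribute is reported by name, and the caller can choose between stopping at the first problem (Rob's preference), continuing and listing what was skipped (the dry-run idea above), or restricting the run to an inclusion list (Simo's suggestion). The BINARY_ATTRS and MIGRATE_ATTRS sets and the sample entry are constructed for the example; real schemas need longer lists.

```python
"""Per-attribute decoding of LDAP entries for a migration run (added example)."""

# Attributes whose values are binary by definition and must not be UTF-8 decoded.
# Illustrative list, not IPA's; extend it to match the source server's schema.
BINARY_ATTRS = {
    'jpegphoto', 'usercertificate', 'usercertificate;binary',
    'cacertificate', 'cacertificate;binary', 'objectguid', 'objectsid',
}

# Hypothetical inclusion list: the attributes this migration knows how to import.
MIGRATE_ATTRS = {
    'uid', 'cn', 'sn', 'givenname', 'mail', 'uidnumber', 'gidnumber',
    'homedirectory', 'loginshell', 'gecos', 'userpassword', 'memberuid',
}

# Constructed sample entry in python-ldap shape (attr -> list of bytes).
# 'displayName' carries a Latin-1 encoded name, the kind of value that
# produces "can't decode byte 0xe5 in position 1" when forced through UTF-8.
SAMPLE_ENTRY = {
    'uid': [b'hakon'],
    'cn': [b'H\xc3\xa5kon Olsen'],                                     # valid UTF-8
    'displayName': [b'H\xe5kon Olsen'],                                # Latin-1, not UTF-8
    'uidNumber': [b'10042'],
    'userCertificate;binary': [b'\x30\x82\x03\x1a\x30\x82\x02\x02'],  # DER prefix
    'jpegPhoto': [b'\xff\xd8\xff\xe0\x00\x10JFIF'],
}


def decode_value(attr, raw):
    """Return str for text attributes and bytes for known binary ones.

    A text attribute that is not valid UTF-8 raises ValueError naming the
    attribute and the offset, instead of an anonymous UnicodeDecodeError.
    """
    if attr.lower() in BINARY_ATTRS:
        return raw
    try:
        return raw.decode('utf-8')
    except UnicodeDecodeError as e:
        raise ValueError('%s: not UTF-8 at byte offset %d (value starts %s); '
                         're-encode it on the source server or list the '
                         'attribute in BINARY_ATTRS'
                         % (attr, e.start, raw[:8].hex()))


def decode_entry(entry, only=None, strict=True):
    """Decode one entry.

    only   -- set of lowercase attribute names to migrate; None means all.
    strict -- True: raise on the first undecodable attribute (stop the run);
              False: skip it and report it in the returned problems list.
    Returns (decoded, problems).
    """
    decoded, problems = {}, []
    for attr, values in entry.items():
        if only is not None and attr.lower() not in only:
            continue
        try:
            decoded[attr] = [decode_value(attr, v) for v in values]
        except ValueError as e:
            if strict:
                raise
            problems.append(str(e))
    return decoded, problems


def decode_or_error(entry, **kwargs):
    """Return the ValueError message a strict decode would raise, or None
    when the entry decodes cleanly."""
    try:
        decode_entry(entry, **kwargs)
        return None
    except ValueError as e:
        return str(e)


if __name__ == '__main__':
    print('strict, all attributes:', decode_or_error(SAMPLE_ENTRY))
    decoded, problems = decode_entry(SAMPLE_ENTRY, strict=False)
    print('lenient, migrated:', sorted(decoded), 'problems:', problems)
    decoded, problems = decode_entry(SAMPLE_ENTRY, only=MIGRATE_ATTRS)
    print('inclusion list:', sorted(decoded), 'problems:', problems)
```

With the full attribute set and strict=True the sample fails on displayName exactly as the real run fails, but the error now says which attribute and which byte. With strict=False the entry is migrated without displayName and the problem is returned for the operator to read; with the inclusion list the unknown attribute is never fetched into the decoder at all.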
Re: [Freeipa-users] RHEL 5.7 / 5.8 BETA and KDE crashing SSSD
Sure. I've left the office for today, will do so tomorrow. I'm not very familiar with gdb. Any particular syntax / switches to add?

Rgds,
Siggi.

-- 
Sent from my Android phone with K-9 Mail. Please excuse my brevity.

Stephen Gallagher sgall...@redhat.com wrote:
> On Mon, 2012-01-30 at 16:01 +0100, Sigbjorn Lie wrote:
>> Hi,
>>
>> I'm doing a pre-implementation project for a customer having RHEL 5.7 workstations with KDE as their window manager.
>> [...]
>>     Jan 30 15:49:59 svg118 kernel: sssd_be[9985] general protection rip:41dc3d rsp:7fff40912260 error:0
>
> Definitely not a known issue. Do you think you could attach gdb to the sssd_be process and try to get a backtrace for me to look at, please?
Re: [Freeipa-users] Dovecot imap authentication with IPA/Kerberos
On 01/30/2012 11:42 AM, Dale Macartney wrote:
> Of course Dmitri
>
> Here you go. I was actually trying to resolve this for an automated kickstart process anyway. The details specific to dovecot are in the middle.
>
>     # Connect server to IPA domain (ensure DNS is working correctly otherwise this step will fail)
>     ipa-client-install -U -p admin -w mysecretpassword
>
>     # install postfix if necessary (installed by default in rhel6)
>     yum -y install postfix
>
>     # set postfix to start on boot
>     chkconfig postfix on
>
>     # configure postfix with hostname, domain and origin details
>     sed -i 's/#myhostname = host.domain.tld/myhostname = servername.example.com/g' /etc/postfix/main.cf
>     sed -i 's/#mydomain = domain.tld/mydomain = example.com/g' /etc/postfix/main.cf
>     sed -i 's/#myorigin = $mydomain/myorigin = $mydomain/g' /etc/postfix/main.cf
>
>     # configure postfix to listen on all interfaces
>     sed -i 's/#inet_interfaces = all/inet_interfaces = all/g' /etc/postfix/main.cf
>     sed -i 's/inet_interfaces = localhost/#inet_interfaces = localhost/g' /etc/postfix/main.cf
>
>     # apply postfix changes
>     service postfix restart
>
>     # Install dovecot
>     yum -y install dovecot
>
>     # set dovecot to start on boot
>     chkconfig dovecot on
>
>     # set dovecot to listen on imap and imaps only
>     sed -i 's/#protocols = imap pop3 lmtp/protocols = imap imaps/g' /etc/dovecot/dovecot.conf
>
>     # point dovecot to required mailbox directory (This is the section that was previously failing)
>     echo 'mail_location = mbox:~/mail:INBOX=/var/mail/%u' >> /etc/dovecot/dovecot.conf
>
>     # reload dovecot to apply changes
>     service dovecot restart
>
>     # Apply working IPtables
>     cat > /etc/sysconfig/iptables << 'EOF'
>     # Generated by iptables-save v1.4.7 on Tue Jan 10 12:17:41 2012
>     *filter
>     :INPUT ACCEPT [0:0]
>     :FORWARD ACCEPT [0:0]
>     :OUTPUT ACCEPT [29:4596]
>     -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
>     -A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
>     -A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
>     -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>     -A INPUT -p icmp -j ACCEPT
>     -A INPUT -i lo -j ACCEPT
>     -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
>     -A INPUT -j REJECT --reject-with icmp-host-prohibited
>     -A FORWARD -j REJECT --reject-with icmp-host-prohibited
>     COMMIT
>     # Completed on Tue Jan 10 12:17:41 2012
>     EOF
>
> With the above details, I am able to replicate a 100% working IPA authenticated mail server, allowing IPA users to retrieve mail via imap/imaps.
>
> I hope this helps.

A lot! Thanks!

http://freeipa.org/page/Dovecot_Integration

> Dale
>
> On 01/30/2012 01:46 PM, Dmitri Pal wrote:
> [...]

-- 
Thank you,
Dmitri Pal
Sr. Engineering Manager IPA project, Red Hat Inc.
Re: [Freeipa-users] RHEL 5.7 / 5.8 BETA and KDE crashing SSSD
On Mon, 2012-01-30 at 18:00 +0100, Sigbjorn Lie wrote:
> Sure. I've left the office for today, will do so tomorrow. I'm not very familiar with gdb. Any particular syntax / switches to add?
>
> Rgds,
> Siggi.

You'll want to do this in a non-graphical terminal, so you can switch to it if KDE gets into trouble.

First, install the sssd-debuginfo packages (debuginfo-install sssd) and install gdb (yum install gdb).

Then run:

    gdb -p $(pidof sssd_be)

Then at the gdb prompt, type 'cont' (this will resume execution of sssd_be).

Now, switch back to KDE and unlock the screen. Then switch back to this virtual terminal. You should be back at the prompt, with GDB telling you that you received a SIGSEGV or SIGABRT.

Type 'bt full' and reply with all pages of output from that (there may be multiple, requiring you to hit enter to see them).
Re: [Freeipa-users] RHEL 5.7 / 5.8 BETA and KDE crashing SSSD
Excellent, thank you. I will get this done tomorrow.

-- 
Sent from my Android phone with K-9 Mail. Please excuse my brevity.

Stephen Gallagher sgall...@redhat.com wrote:
> On Mon, 2012-01-30 at 18:00 +0100, Sigbjorn Lie wrote:
>> Sure. I've left the office for today, will do so tomorrow. I'm not very familiar with gdb. Any particular syntax / switches to add?
>>
>> Rgds,
>> Siggi.
>
> You'll want to do this in a non-graphical terminal, so you can switch to it if KDE gets into trouble.
>
> First, install the sssd-debuginfo packages (debuginfo-install sssd) and install gdb (yum install gdb).
>
> Then run:
>
>     gdb -p $(pidof sssd_be)
>
> Then at the gdb prompt, type 'cont' (this will resume execution of sssd_be).
>
> Now, switch back to KDE and unlock the screen. Then switch back to this virtual terminal. You should be back at the prompt, with GDB telling you that you received a SIGSEGV or SIGABRT.
>
> Type 'bt full' and reply with all pages of output from that (there may be multiple, requiring you to hit enter to see them).
Re: [Freeipa-users] Dovecot imap authentication with IPA/Kerberos
Hi Erinn

I originally asked the question as I was thinking my auth attempts were failing when using IPA; however, this was not the case. On closer inspection, I found that the authentication was successful yet dovecot was failing to read a missing mailbox.

I found that dovecot was simply missing the mail_location directive, detailed below.

    mail_location = mbox:~/mail:INBOX=/var/mail/%u

Once I restarted dovecot with this extra line, the authentication was again validated. I was then prompted to accept the self-signed certificate from dovecot and I was able to retrieve the mail as intended.

Does this help clear things up?

Dale

On 01/30/2012 07:11 PM, Erinn Looney-Triggs wrote:
> On 01/30/2012 07:42 AM, Dale Macartney wrote:
>> Of course Dmitri
>>
>> Here you go. I was actually trying to resolve this for an automated kickstart process anyway. The details specific to dovecot are in the middle.
>>
>> [kickstart snippet, quoted in full earlier in this thread]
>>
>> With the above details, I am able to replicate a 100% working IPA authenticated mail server, allowing IPA users to retrieve mail via imap/imaps.
>>
>> I hope this helps.
>>
>> Dale
>>
>> On 01/30/2012 01:46 PM, Dmitri Pal wrote:
>>> On 01/30/2012 07:16 AM, Dale Macartney wrote:
>>>> Hi all
>>>> [...]
>>>> Has anyone set up dovecot through IPA before? Any recommendations?
>>>
>>> Hi Dale,
>>>
>>> Will you be so kind as to share with the list a little bit more detail about how to set up Dovecot with IPA? If you can provide step-by-step instructions we would publish them on the FreeIPA wiki.
>>>
>>> Thank you
>>> Dmitri
>
> So I am a bit confused
Re: [Freeipa-users] Dovecot imap authentication with IPA/Kerberos
On 01/30/2012 10:20 AM, Dale Macartney wrote:
> Hi Erinn
>
> I originally asked the question as I was thinking my auth attempts were failing when using IPA, however this was not the case. On closer inspection, I found that the authentication was successful yet dovecot was failing to read a missing mailbox.
>
> I found that dovecot was simply missing the mailbox_location directive, detailed below.
>
>     mail_location = mbox:~/mail:INBOX=/var/mail/%u
>
> Once I restarted dovecot with this extra line, the authentication was again validated. I was then prompted to accept the self-signed certificate from dovecot and I was able to retrieve the mail as intended.
>
> Does this help clear things up?
>
> Dale
>
>> So I am a bit confused here, is this working for you or not? It looked like you were asking a question to begin with, but then at the end you are saying it is 100% working? Just trying to figure out whether you need help,
>>
>> -Erinn

Hey sounds good to me, just glad it is working for you :). The only other question/suggestion I have is that it looks like you aren't leveraging Kerberos in your configuration for SSO. You might want to think about doing this as it can be a pretty nice configuration. Essentially you would just need to add service principals for the host in the form of imap and/or pop, and change the auth line in your dovecot config to allow for GSSAPI auth, like so:

    sed -i -r 's/(\smechanisms =).*/\1 gssapi plain/'

Then assuming your user has a ticket, and their client is properly configured, they no longer need to do anything upon logging into their system, kerb will auth the rest.

If you are on a multihomed system, you will need two additional changes, service principals for the other host name, and the following modification:

    sed -i -r 's#auth_gssapi_hostname.*#auth_gssapi_hostname = $ALL#'

I got a little caught up when you referenced the /etc/krb5.keytab file as possibly part of the problem so I thought this was more a kerb issue.

-Erinn
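One way to put the GSSAPI suggestion above into practice, as an added example that is not code from this thread or from the FreeIPA or Dovecot projects. It assumes a Dovecot 2.x layout (RHEL 6 ships 2.0.x, where the directive is `auth_mechanisms` in conf.d/10-auth.conf, so a pattern written for the 1.x `mechanisms =` line inside `auth default { }` will not match), an IPA server name, a dedicated keytab path and that the auth service runs as the `dovecot` user; all four are assumptions to adjust. It also handles the keytab point that came up in the thread: the auth process is not root, so rather than opening up /etc/krb5.keytab it fetches the imap/ principal into its own keytab and checks that file is owned by the auth user and not group- or world-readable.

```shell
#!/bin/sh
# Added example, not code from the thread. Enables GSSAPI in a Dovecot 2.x
# config and gives the auth process its own keytab instead of the root-only
# /etc/krb5.keytab. Paths, the IPA server name and the "dovecot" auth user
# are assumptions; adjust for your site.
set -eu

CONF="${DOVECOT_AUTH_CONF:-/etc/dovecot/conf.d/10-auth.conf}"
KEYTAB="${DOVECOT_KEYTAB:-/etc/dovecot/dovecot.keytab}"
IPA_SERVER="${IPA_SERVER:-ipa.example.com}"
AUTH_USER="${DOVECOT_AUTH_USER:-dovecot}"

# Set "key = value" in a Dovecot config file: replace an existing (possibly
# commented-out) assignment in place, otherwise append it. Idempotent.
set_dovecot_option() {
    file=$1; key=$2; value=$3
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$key[[:space:]]*=" "$file"; then
        sed -i -E "s|^[[:space:]]*#?[[:space:]]*$key[[:space:]]*=.*|$key = $value|" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# Print the effective value of a key (last active assignment wins, as in Dovecot).
get_dovecot_option() {
    sed -n -E "s|^[[:space:]]*$2[[:space:]]*=[[:space:]]*||p" "$1" | tail -n 1
}

# Offer GSSAPI first and keep PLAIN as a fallback for clients without a ticket.
# PLAIN stays TLS-only because Dovecot's default disable_plaintext_auth=yes.
enable_gssapi() {
    conf=$1; keytab=$2
    set_dovecot_option "$conf" auth_mechanisms "gssapi plain"
    # $ALL lets a multihomed server accept any imap/<host> principal present in
    # its keytab instead of only the one matching its own hostname.
    set_dovecot_option "$conf" auth_gssapi_hostname '$ALL'
    set_dovecot_option "$conf" auth_krb5_keytab "$keytab"
}

# The auth service is not root, so it cannot read a root:root 0600 keytab.
# Require the keytab to be owned by the auth user and readable by nobody else
# (a keytab is a long-lived credential for the service).
check_keytab_perms() {
    keytab=$1; user=$2
    owner=$(stat -c '%U' "$keytab")
    mode=$(stat -c '%a' "$keytab")
    [ "$owner" = "$user" ] || { echo "$keytab: owned by $owner, expected $user" >&2; return 1; }
    case "$mode" in
        400|600) return 0 ;;
        *) echo "$keytab: mode $mode is too open" >&2; return 1 ;;
    esac
}

# Full procedure; run on the mail host as an IPA admin (after kinit admin).
# Needs a live IPA server, so it only runs when invoked with --run.
provision() {
    host=$(hostname -f)
    ipa service-add "imap/$host"                 # one principal per service and host name
    ipa-getkeytab -s "$IPA_SERVER" -p "imap/$host" -k "$KEYTAB"
    chown "$AUTH_USER" "$KEYTAB"
    chmod 600 "$KEYTAB"
    enable_gssapi "$CONF" "$KEYTAB"
    check_keytab_perms "$KEYTAB" "$AUTH_USER"
    service dovecot restart
}

if [ "${1:-}" = "--run" ]; then
    provision
fi
```

Without `--run` the script only defines the functions, so it can be sourced to apply `enable_gssapi` to a copy of the config first and diff the result. The principal name must match the host name clients actually connect to (the TLS certificate name, or each alias on a multihomed box, which is where `$ALL` and one `ipa service-add` per alias come in).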
Re: [Freeipa-users] Dovecot imap authentication with IPA/Kerberos
Hey Erinn, funny you mention that actually, I was adding service principals when I was first troubleshooting that. SSO is definitely on the planned cards for me to be honest. I'll send through the details to the list once I have a reproducible configuration :-)

Thanks for the positive feedback.

Dale

On 01/30/2012 07:41 PM, Erinn Looney-Triggs wrote:
> Hey sounds good to me, just glad it is working for you :). The only other question/suggestion I have is that it looks like you aren't leveraging Kerberos in your configuration for SSO. You might want to think about doing this as it can be a pretty nice configuration.
>
> I got a little caught up when you referenced the /etc/krb5.keytab file as possibly part of the problem so I thought this was more a kerb issue.
>
> -Erinn
Re: [Freeipa-users] unable to install or uninstall ipa
Hi,

Yes it appears to be a ldap / dirsrv not starting issue. Can't see anything in the install log, I have raised a case with RH anyway.

I ran the un-install 3 or 4 times and it finally cleaned up.

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From: Rob Crittenden [rcrit...@redhat.com]
Sent: Tuesday, 31 January 2012 4:54 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] unable to install or uninstall ipa

Steven Jones wrote:
Example of install failure messages,

==
Warning: skipping DNS resolution of host vuwunicoipam001.unix.vuw.ac.nz

The IPA Master Server will be configured with
Hostname:    vuwunicoipam001.unix.vuw.ac.nz
IP address:  10.70.3.10
Domain name: unix.vuw.ac.nz

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Configuring ntpd
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
done configuring ntpd.
Configuring directory server: Estimated time 1 minute
  [1/35]: creating directory server user
  [2/35]: creating directory server instance
  [3/35]: adding default schema
  [4/35]: enabling memberof plugin
root: CRITICAL Failed to load memberof-conf.ldif: Command '/usr/bin/ldapmodify -h vuwunicoipam001.unix.vuw.ac.nz -v -f /usr/share/ipa/memberof-conf.ldif -x -D cn=Directory Manager -y /tmp/tmpkbE724' returned non-zero exit status 255
  [5/35]: enabling referential integrity plugin
root: CRITICAL Failed to load referint-conf.ldif: Command '/usr/bin/ldapmodify -h vuwunicoipam001.unix.vuw.ac.nz -v -f /usr/share/ipa/referint-conf.ldif -x -D cn=Directory Manager -y /tmp/tmpExKKnk' returned non-zero exit status 255
  [6/35]: enabling winsync plugin
root: CRITICAL Failed to load ipa-winsync-conf.ldif: Command '/usr/bin/ldapmodify -h vuwunicoipam001.unix.vuw.ac.nz -v -f /usr/share/ipa/ipa-winsync-conf.ldif -x -D cn=Directory Manager -y /tmp/tmppChSx9' returned non-zero exit status 255
  [7/35]: configuring replication version plugin
root: CRITICAL Failed to load version-conf.ldif: Command '/usr/bin/ldapmodify -h vuwunicoipam001.unix.vuw.ac.nz -v -f /usr/share/ipa/version-conf.ldif -x -D cn=Directory Manager -y /tmp/tmpqy9Fkp' returned non-zero exit status 255
  [8/35]: enabling IPA enrollment plugin
root: CRITICAL Failed to load enrollment-conf.ldif: Command '/usr/bin/ldapmodify -h vuwunicoipam001.unix.vuw.ac.nz -v -f /tmp/tmpoWPpcO -x -D cn=Directory Manager -y /tmp/tmpxbRGyx' returned non-zero exit status 255
  [9/35]: enabling ldapi
root: CRITICAL Failed to load ldapi.ldif: Command '/usr/bin/ldapmodify -h vuwunicoipam001.unix.vuw.ac.nz -v -f /tmp/tmpVSJoE2 -x -D cn=Directory Manager -y /tmp/tmpqsK_aD' returned non-zero exit status 255
  [10/35]: configuring uniqueness plugin
root: CRITICAL Failed to load unique-attributes.ldif: Command '/usr/bin/ldapmodify -h vuwunicoipam001.unix.vuw.ac.nz -v -f /tmp/tmpWJEh76 -x -D cn=Directory Manager -y /tmp/tmpzxvY9u' returned non-zero exit status 255
  [11/35]: configuring uuid plugin
root: CRITICAL Failed to load uuid-conf.ldif: Command '/usr/bin/ldapmodify -h vuwunicoipam001.unix.vuw.ac.nz -v -f /usr/share/ipa/uuid-conf.ldif -x -D cn=Directory Manager -y /tmp/tmpdYNh2T' returned non-zero exit status 255
root: CRITICAL Failed to load uuid-ipauniqueid.ldif: Command '/usr/bin/ldapmodify -h vuwunicoipam001.unix.vuw.ac.nz -v -f /tmp/tmpkEOmk2 -x -D cn=Directory Manager -y /tmp/tmp9ZDoXY' returned non-zero exit status 255
  [12/35]: configuring modrdn plugin
root: CRITICAL Failed to load modrdn-conf.ldif: Command '/usr/bin/ldapmodify -h vuwunicoipam001.unix.vuw.ac.nz -v -f /usr/share/ipa/modrdn-conf.ldif -x -D cn=Directory Manager -y /tmp/tmpofFRs8' returned non-zero exit status 255
root: CRITICAL Failed to load modrdn-krbprinc.ldif: Command '/usr/bin/ldapmodify -h vuwunicoipam001.unix.vuw.ac.nz -v -f /tmp/tmpDxRP25 -x -D cn=Directory Manager -y /tmp/tmpUexNQN' returned non-zero exit status 255
  [13/35]: enabling entryUSN plugin
root: CRITICAL Failed to load entryusn.ldif: Command '/usr/bin/ldapmodify -h vuwunicoipam001.unix.vuw.ac.nz -v -f /usr/share/ipa/entryusn.ldif -x -D cn=Directory Manager -y /tmp/tmpgsBw1B' returned non-zero exit status 255
=

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Steven Jones [steven.jo...@vuw.ac.nz]
Sent: Monday, 30 January 2012 2:03 p.m.
To: freeipa-users@redhat.com
Subject: [Freeipa-users] unable to install or uninstall ipa
Re: [Freeipa-users] Dovecot imap authentication with IPA/Kerberos
;-) will do mate. I'm writing a list of items to cover at the moment actually.

On 01/30/2012 08:02 PM, Dmitri Pal wrote:
> On 01/30/2012 02:50 PM, Dale Macartney wrote:
>> Hey Erinn, funny you mention that actually, I was adding service principals when I was first troubleshooting that. SSO is definitely on the planned cards for me to be honest. I'll send through the details to the list once I have a reproducible configuration :-)
>
> And to the page, please
>
>> thanks for the positive feedback.
>>
>> Dale
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IPA project,
> Red Hat Inc.
Re: [Freeipa-users] WebUI With Windows, Firefox, and MIT Kerberos
On 01/28/2012 01:53 PM, Erinn Looney-Triggs wrote:
> On 1/27/2012 4:53 PM, JR Aquino wrote:
>> On Jan 27, 2012, at 5:31 PM, Jr Aquino wrote:
>>> Has anyone successfully gotten firefox in windows with firefox and mit kerberos? I've followed several how to's, but I can't get firefox to take/pass my tgt.
>>
>> The key to success:
>>
>>     network.negotiate-auth.gsslib: C:\Program Files\MIT\Kerberos\bin\gssapi32.dll
>>
>> I had been previously using lib\i386/gssapi32.lib and that's what was breaking it.
>>
>> The rest of the documentation on the FreeIPA site is sound. We could probably stand to add that 1 line to the doc at http://freeipa.com/page/ClientConfigurationGuide
>
> The only other thing I would add here, at least for me, was on an x86_64 install of windows I needed to use:
>
>     C:\Program Files (x86)\MIT\Kerberos\bin\gssapi32.dll
>
> -Erinn

Done. Thanks to both of you for contributing.
Re: [Freeipa-users] WebUI With Windows, Firefox, and MIT Kerberos
On Jan 30, 2012, at 6:12 PM, Adam Young wrote:
> Done. Thanks to both of you for contributing.

OPPS! One other line I needed to change for firefox to work in windows:

    network.auth.use-sspi: false

^ This tells firefox not to use the built-in AD based Kerberos/SSO. I didn't realize I had missed this until I went back through from scratch to retest.