Re: [Freeipa-users] http service keytab for cname virtual host
On Thu, 2012-03-29 at 20:43 +0200, Natxo Asenjo wrote:
> On Thu, Mar 29, 2012 at 8:25 PM, Simo Sorce wrote:
> > Your configuration looks right, but I went back and looked at your logs
> > and I saw a permission denied error.
> >
> > I would check that the apache user can access the keytab
> > file: /etc/httpd/conf/webserver01_http.keytab
> > If you are using RHEL/Fedora, also check the audit.log file in case the
> > file is mislabeled and SELinux is preventing access to it.
>
> Bingo! selinux was indeed blocking it.
>
> :-)
>
> A few years ago I would have immediately looked at selinux (or even
> disabled it right away during the installation), but since fedora 12
> you guys have actually made it just work (TM), so I never thought of
> that.
>
> This is really awesome, I am thoroughly enjoying ipa.

Yes, SELinux works well. Use audit2allow to make a custom policy or apply
the right label, and don't disable SELinux please :-)

If you have problems we can help; documenting on this list how to properly
configure SELinux with IPA-related deployments is considered on topic and
will make up useful documentation for others.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
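As an added example that is not part of the thread, a small POSIX shell triage script for the keytab problem Simo describes: it pulls httpd's AVC denials for the keytab out of constructed audit.log lines, reports the label the file carried when access was refused, and prints the label-check and relabel commands an admin would run. The sample audit lines, the admin_home_t label and the file path are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the thread): triage of an SELinux denial on an
# Apache keytab. The audit lines below are constructed for the example;
# the path and the admin_home_t label are hypothetical.
SAMPLE_AUDIT='type=AVC msg=audit(1333046400.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="webserver01_http.keytab" dev=dm-0 ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=SYSCALL msg=audit(1333046400.123:456): arch=c000003e syscall=2 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1333046401.200:457): avc:  denied  { open } for  pid=1234 comm="httpd" name="webserver01_http.keytab" dev=dm-0 ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1333046402.000:458): avc:  denied  { getattr } for  pid=999 comm="sshd" name="id_rsa" dev=dm-0 ino=1 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file'

# httpd_keytab_denials: read audit lines on stdin and print "<perm> <tcontext>"
# for every AVC denial in which httpd touched the named file.
httpd_keytab_denials() {
  grep 'type=AVC' | grep 'comm="httpd"' | grep "name=\"$1\"" |
    sed -n 's/.*denied  { \([a-z_]*\) }.*tcontext=\([^ ]*\).*/\1 \2/p'
}

# denial_count: number of such denials in the constructed sample.
denial_count() {
  printf '%s\n' "$SAMPLE_AUDIT" | httpd_keytab_denials "$1" | wc -l | tr -d ' '
}

# denied_label: the SELinux type (third field of the context) the keytab
# carried when httpd was refused, e.g. admin_home_t for a file that was
# moved out of root's home with mv (mv keeps the old label, cp does not).
denied_label() {
  printf '%s\n' "$SAMPLE_AUDIT" | httpd_keytab_denials "$1" |
    head -n 1 | cut -d' ' -f2 | cut -d: -f3
}

# fix_commands: print the commands an admin would run to check access and
# reset the label to the policy default (prints them, does not execute them).
fix_commands() {
  path="$1"
  printf 'ls -lZ %s\n' "$path"                            # owner, mode, current label
  printf 'matchpathcon %s\n' "$path"                      # label the policy expects
  printf 'restorecon -v %s\n' "$path"                     # apply that label
  printf 'sudo -u apache test -r %s && echo ok\n' "$path" # plain DAC read check
  printf 'ausearch -m AVC -c httpd -ts recent\n'          # confirm denials stop
}

keytab=webserver01_http.keytab
echo "httpd denials for $keytab in sample: $(denial_count "$keytab") (label $(denied_label "$keytab"))"
fix_commands "/etc/httpd/conf/$keytab"
```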
Re: [Freeipa-users] http service keytab for cname virtual host
On Thu, Mar 29, 2012 at 8:25 PM, Simo Sorce wrote:
> Your configuration looks right, but I went back and looked at your logs
> and I saw a permission denied error.
>
> I would check that the apache user can access the keytab
> file: /etc/httpd/conf/webserver01_http.keytab
> If you are using RHEL/Fedora, also check the audit.log file in case the
> file is mislabeled and SELinux is preventing access to it.

Bingo! selinux was indeed blocking it.

:-)

A few years ago I would have immediately looked at selinux (or even
disabled it right away during the installation), but since fedora 12
you guys have actually made it just work (TM), so I never thought of
that.

This is really awesome, I am thoroughly enjoying ipa.

Thanks!

--
natxo
Re: [Freeipa-users] http service keytab for cname virtual host
On Thu, 2012-03-29 at 08:58 +0200, Natxo Asenjo wrote:
> On Wed, Mar 28, 2012 at 11:36 PM, Simo Sorce wrote:
> > CNAMEs should work just fine with the host's HTTP/A-name@REALM key.
> > In fact I just tested a virtual host on my ipa server using a cname and
> > it worked.
>
> great!
>
> > Can you post your (sanitized) mod_auth_kerb configuration ?
> > Also what browser are you testing with ?
>
> sure:
>
>     ServerName vhost.ipa.domain.tld
>     ServerAdmin webmas...@domain.tld
>     DocumentRoot /var/www/html/vhost1
>     LogLevel debug
>     CustomLog /var/log/httpd/vhost1.access.log combined
>     ErrorLog /var/log/httpd/vhost1.error.log
>
>     AuthType Kerberos
>     AuthName "Kerberos Login"
>     KrbMethodNegotiate on
>     KrbMethodK5Passwd off
>     KrbServiceName HTTP
>     KrbAuthRealms IPA.DOMAIN.TLD
>     Krb5KeyTab /etc/httpd/conf/webserver01_http.keytab
>     KrbSaveCredentials on
>     Require valid-user
>
> > If you kdestroy and then kinit clean, and then try to access the server
> > *only* using the CNAME you should see the browser has acquired a ticket
> > for HTTP/A-name, You can use klist to verify. If this works you know it
> > is a server side issue only. If you do not have the ticket, there may be
> > a DNS/browser issue.
>
> yes, I get a HTTP/A-name ticket and a 500 internal server error on the
> browser. So you are right, we have an apache issue only. If you can
> shed some light on the mod_kerb config that will be great.

Your configuration looks right, but I went back and looked at your logs
and I saw a permission denied error.

I would check that the apache user can access the keytab
file: /etc/httpd/conf/webserver01_http.keytab
If you are using RHEL/Fedora, also check the audit.log file in case the
file is mislabeled and SELinux is preventing access to it.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] passwd sync
Steven Jones wrote:
8><--
> > It cannot be a wildcard:
> >
> >     if (strcasecmp(krbcfg->passsync_mgrs[i], bindDN) == 0) {
> >         pwdata.changetype = IPA_CHANGETYPE_DSMGR;
> >         break;
> >     }
> >
> > but it is multivalued.
8><--
> This is over my head
8><--
> > What exactly are you trying to do? Defeat password sync for
> > uid=*,cn=staff,cn=accounts,dc=etc ? Because I don't think
> > passSyncManagersDNs is what you want for that, unless I'm mistaken.
8><
> Ok, so at present when I setup a new user with a temp password in IPA
> and give it to the user they have to set a new one on first login to a
> client. Once password(s) flow through from AD I don't want the reset
> password feature in IPA to be functional when a user "first" logs in.

That is what the passsyncmanagersdn does, bypasses policy checks. It
doesn't look at the individual entry being replicated, it looks at the
user who is bound and doing the replication.

rob
Re: [Freeipa-users] hosts/clients joining IPA but dns updating not working
Hello,

please post output from:

    # klist -kt /etc/krb5.keytab

We still need this to better understand logs. I'm not sure if keytab
contains right keys.

--
Petr Spacek

On 03/27/2012 09:47 PM, Steven Jones wrote:
> Hi
>
> It's possible the uninstall from one IPA realm didn't work properly
> before I joined it to another?
>
> Anyway I have incl both logs just in case. There is a suggestion that
> the kerberos ticket isn't right?
>
> regards
>
> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
> 0064 4 463 6272
>
> From: Martin Kosek [mko...@redhat.com]
> Sent: Tuesday, 27 March 2012 10:04 p.m.
> To: Steven Jones
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] hosts/clients joining IPA but dns updating not working
>
> On Tue, 2012-03-27 at 01:15 +, Steven Jones wrote:
> > Hi,
> >
> > I just started adding hosts/clients but DNS isn't being updated for
> > the client(s).
> >
> > Screenshot of error is attached
>
> Hello Steven,
>
> there is something wrong with your host keytab. As written in the
> output, ipa-client-install could not get a TGT for
> host/vuwunicorh6w...@ods.vuw.ac.nz and thus nsupdate which performs the
> DNS update failed.
>
> Can you please attach a relevant portion of ipaclient-install.log so
> that we can get more information about why it failed?
>
> Alternatively, you can list credentials in the keytab with this command
> yourself:
>
>     # klist -kt /etc/krb5.keytab
>
> To test obtaining the TGT from the host keytab and thus reproducing
> this issue, you can run this command:
>
>     # kinit -k -t /etc/krb5.keytab host/vuwunicorh6w...@ods.vuw.ac.nz
>
> The command output itself, or KRB5KDC logs in IPA server should provide
> a hint why the kinit fails.
>
> Martin
Re: [Freeipa-users] http service keytab for cname virtual host
On Wed, Mar 28, 2012 at 11:36 PM, Simo Sorce wrote:
> CNAMEs should work just fine with the host's HTTP/A-name@REALM key.
> In fact I just tested a virtual host on my ipa server using a cname and
> it worked.

great!

> Can you post your (sanitized) mod_auth_kerb configuration ?
> Also what browser are you testing with ?

sure:

    ServerName vhost.ipa.domain.tld
    ServerAdmin webmas...@domain.tld
    DocumentRoot /var/www/html/vhost1
    LogLevel debug
    CustomLog /var/log/httpd/vhost1.access.log combined
    ErrorLog /var/log/httpd/vhost1.error.log

    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbMethodNegotiate on
    KrbMethodK5Passwd off
    KrbServiceName HTTP
    KrbAuthRealms IPA.DOMAIN.TLD
    Krb5KeyTab /etc/httpd/conf/webserver01_http.keytab
    KrbSaveCredentials on
    Require valid-user

> If you kdestroy and then kinit clean, and then try to access the server
> *only* using the CNAME you should see the browser has acquired a ticket
> for HTTP/A-name, You can use klist to verify. If this works you know it
> is a server side issue only. If you do not have the ticket, there may be
> a DNS/browser issue.

yes, I get a HTTP/A-name ticket and a 500 internal server error on the
browser. So you are right, we have an apache issue only. If you can
shed some light on the mod_kerb config that will be great.

TIA.

--
Groeten,
Natxo