Re: [Freeipa-users] FreeIPA in a locked down Active Directory environment

2012-06-19 Thread David Juran
On mån, 2012-06-18 at 10:49 -0400, Brian Wheeler wrote:

 Is there any way to integrate FreeIPA into an environment such as ours 
 or am I going to have to continue with my homegrown way of doing things?

I wonder if the (very) new IPA AD trust feature could solve at least
some of your problems. Have a look at
http://freeipa.org/page/IPAv3_testing_AD_trust for some info on how this
can be tested.


-- 
David Juran
Sr. Consultant
Red Hat
+46-725-345801


___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] ipa-getkeytab and mandatory password change

2012-06-19 Thread Dmitri Pal
On 06/18/2012 11:58 AM, Darran Lofthouse wrote:
 Just experienced some weird behaviour on my Fedora 17 installation,
 just wanted to check if this was expected.

 I have the default config that requires a user to change their
 password the first time they run kinit.

 However I created a user and immediately used ipa-getkeytab as this
 user will be a non-interactive process, despite the ipa-getkeytab
 resetting the secret for the user the first attempt at authentication
 failed as the user was still told to change their password.



I do not think we have anticipated this use. The ipa-getkeytab is
designed for host and service keytabs, not for users. I suggest that
you use a service principal rather than a user principal to run those jobs.
You can also file an RFE to allow keytabs for users if you think that
services would not work for you.

 My expectation would have been that any update to the secret should
 meet the requirement for the user to change their password.

 Regards,
 Darran Lofthouse.



-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/





Re: [Freeipa-users] groups migration

2012-06-19 Thread Maciej Sawicki
On Mon, Jun 18, 2012 at 7:24 PM, Rob Crittenden rcrit...@redhat.com wrote:

 If you could provide an ldif for one of the groups to be migrated we can
 tell you.


dn: cn=management-team,ou=groups,dc=domain,dc=com
objectClass: posixGroup
cn: management-team
gidNumber: 10004
description: Management team of SomeCompany
memberUid: some.user0
memberUid: some.user1
memberUid: some.user2

regards,
Maciej Sawicki



Re: [Freeipa-users] groups migration

2012-06-19 Thread Maciej Sawicki
On Mon, Jun 11, 2012 at 2:11 PM, Maciej Sawicki
maciej.sawi...@polidea.pl wrote:
 Hi,
 I (almost) managed to migrate groups from my previous server. That is,
 group names migrated perfectly; unfortunately, when I log in to the web
 panel all groups are empty.

 I used the following command:
 ipa migrate-ds ldap://192.168.1.125:389
 --bind-dn=cn=admin,dc=domain,dc=com --group-container='ou=groups'
 --group-objectclas='posixGroup'

 I will appreciate any help.


I think the problem is that my current installation uses the memberUid
attribute in the group object and free-ipa uses memberUid in the user
object.

I found the compatibility plugin, so I think after migration it will
allow me to use IPA in a legacy environment. The problem is how to
perform the migration. Can I use the migrate script for this or should I write
my own?

regards,
Maciek Sawicki



[Freeipa-users] Request for comments - Apache SNI via IPA with kerberos authentication

2012-06-19 Thread James Hogarth
Hi all,

As mentioned on IRC today I've finished my write up of using Apache
with SNI and kerberos authentication with an IPA backend

I'd be interested in any feedback:

http://freeipa.org/page/Apache_SNI_With_Kerberos

Kind regards,

James



Re: [Freeipa-users] FreeIPA in a locked down Active Directory environment

2012-06-19 Thread Brian Wheeler
I will look into that.  I've got nearly a year before I have to do my 
machine migrations, so one would assume that this feature would 
stabilize by the time I get around to doing an actual implementation.  
I'll play with it and see if I can make it work. Although, the 
instructions do mention validating it from the windows side of things 
which may stop me dead in the water since I have no access.


Brian

On 06/19/2012 03:17 AM, David Juran wrote:

On mån, 2012-06-18 at 10:49 -0400, Brian Wheeler wrote:


Is there any way to integrate FreeIPA into an environment such as ours
or am I going to have to continue with my homegrown way of doing things?

I wonder if the (very) new IPA AD trust feature could solve at least
some of your problems. Have a look at
http://freeipa.org/page/IPAv3_testing_AD_trust for some info on how this
can be tested.






Re: [Freeipa-users] groups migration

2012-06-19 Thread Rob Crittenden

Maciej Sawicki wrote:

On Mon, Jun 11, 2012 at 2:11 PM, Maciej Sawicki
maciej.sawi...@polidea.pl  wrote:

Hi,
I (almost) managed to migrate groups from my previous server. That is,
group names migrated perfectly; unfortunately, when I log in to the web
panel all groups are empty.

I used the following command:
ipa migrate-ds ldap://192.168.1.125:389
--bind-dn=cn=admin,dc=domain,dc=com --group-container='ou=groups'
--group-objectclas='posixGroup'

I will appreciate any help.



I think the problem is that my current installation uses the memberUid
attribute in the group object and free-ipa uses memberUid in the user
object.

I found the compatibility plugin, so I think after migration it will
allow me to use IPA in a legacy environment. The problem is how to
perform the migration. Can I use the migrate script for this or should I write
my own?


Pass in --schema=RFC2307 to the migrate-ds command to migrate these groups.

rob

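Rob's one-line answer turns on how the legacy directory records membership, which the LDIF Maciej posted shows directly: memberUid values are the RFC2307 style, while member DNs are the RFC2307bis style that migrate-ds assumes unless told otherwise. The Python below is an added example, not code from this thread or from the FreeIPA project. It parses LDIF group records and reports, per group, which `--schema` value fits. Only the first entry in `SAMPLE_LDIF` is the one from the thread; the second group, its base64 description and its folded line are constructed to exercise the parser.

```python
import base64
from typing import Dict, List

# Constructed sample. The first entry is the group as posted in the thread
# (placeholder names); the second is a made-up RFC2307bis-style group that
# exercises base64 values ("::") and line folding (leading space).
SAMPLE_LDIF = """\
dn: cn=management-team,ou=groups,dc=domain,dc=com
objectClass: posixGroup
cn: management-team
gidNumber: 10004
description: Management team of SomeCompany
memberUid: some.user0
memberUid: some.user1
memberUid: some.user2

# constructed entry, not from the thread
dn: cn=devs,ou=groups,dc=domain,dc=com
objectClass: groupOfNames
cn: devs
description:: TWFuYWdlbWVudCB0ZWFt
member: uid=some.user0,ou=people,dc=domain,dc=com
member: uid=some.user1,ou=people,
 dc=domain,dc=com
"""

Entry = Dict[str, List[str]]


def parse_ldif(text: str) -> List[Entry]:
    """Parse LDIF content records into a list of {attribute: [values]} dicts."""
    # Unfold first: a line beginning with one space continues the previous line.
    logical: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)

    entries: List[Entry] = []
    current: Entry = {}
    for line in logical + [""]:          # trailing "" flushes the last entry
        if line == "":
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        attr_name, sep, value = line.partition(":")
        if not sep or not attr_name:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if value.startswith(":"):        # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        elif value.startswith("<"):      # "attr:< file:///..." is out of scope here
            raise ValueError(f"URL-valued attribute not supported: {attr_name}")
        else:
            value = value.strip()
        current.setdefault(attr_name, []).append(value)
    return entries


def attr(entry: Entry, name: str) -> List[str]:
    """Case-insensitive lookup (LDAP attribute names are case-insensitive)."""
    return [v for k, vs in entry.items() if k.lower() == name.lower() for v in vs]


def suggest_schema(entry: Entry) -> str:
    """Return the migrate-ds --schema value matching how the group lists members."""
    classes = {c.lower() for c in attr(entry, "objectClass")}
    if attr(entry, "memberUid"):
        return "RFC2307"       # members are uid values -> --schema=RFC2307
    if attr(entry, "member") or attr(entry, "uniqueMember"):
        return "RFC2307bis"    # members are DNs -> --schema=RFC2307bis (the default)
    if "posixgroup" in classes:
        return "RFC2307"       # empty posixGroup: still the RFC2307 style
    return "unknown"


def report(text: str) -> Dict[str, str]:
    """Map each group's cn (or dn when cn is absent) to the suggested schema."""
    result: Dict[str, str] = {}
    for entry in parse_ldif(text):
        name = attr(entry, "cn") or attr(entry, "dn")
        result[name[0]] = suggest_schema(entry)
    return result


if __name__ == "__main__":
    for cn, schema in report(SAMPLE_LDIF).items():
        print(f"{cn}: migrate with --schema={schema}")
```

Run it over an LDIF export of the legacy ou=groups (ldapsearch -LLL output is LDIF) before migrating; if every group reports RFC2307, add --schema=RFC2307 to the migrate-ds invocation from the original post.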


Re: [Freeipa-users] ipa installation problem

2012-06-19 Thread Rob Crittenden

george he wrote:

Hello all,
While waiting for more suggestions on my thread "is not an IPA v2
Server", I tried to install the ipa server on other machines running fc16
and fc15.
When the server is on fc16, I get the same error as when it's on fc17: wget
failed: No route to host.
When the server is on fc15, wget still failed, but the reason was
Connection refused.
Seems to me there's something else to do after running
ipa-server-install on the server.


This is unrelated to IPA. We do no network configuration changes, only 
start services.


The client is doing a simple wget which just issues an HTTP request. The 
network stack is saying it can't talk to the IPA server so I'd start 
there. wireshark might be helpful.


rob



Re: [Freeipa-users] FreeIPA in a locked down Active Directory environment

2012-06-19 Thread David Juran
On tis, 2012-06-19 at 13:26 +0100, James Hogarth wrote:
  I wonder if the (very) new IPA AD trust feature could solve at least
  some of your problems. Have a look at
  http://freeipa.org/page/IPAv3_testing_AD_trust for some info on how this
  can be tested.
 
 
 The initial documentation looks like it's describing a full two way
 trust - in principle would a one way trust be feasible?
 Allow the AD users (or a selection thereof) access to the systems part
 of the IPA domain but not vice versa?

AFAIK, that is the only thing currently implemented.

-- 
David Juran
Sr. Consultant
Red Hat
+46-725-345801



Re: [Freeipa-users] ipa installation problem

2012-06-19 Thread george he
Hello Rob,
Can it be that the httpd service is not running properly?
On all servers, I can only run wget on the server itself successfully...
At least on fc15, the client was able to contact the server, but the connection 
was refused.
maybe the configuration part of httpd?
On other machines in the same lab, I have set up two web servers in the usual 
way and they both run with no problem.

Thanks,
George





 From: Rob Crittenden rcrit...@redhat.com
To: george he george_...@yahoo.com 
Cc: freeipa-users@redhat.com freeipa-users@redhat.com 
Sent: Tuesday, June 19, 2012 9:32 AM
Subject: Re: [Freeipa-users] ipa installation problem
 
george he wrote:
 Hello all,
 While waiting for more suggestions on my thread "is not an IPA v2
 Server", I tried to install the ipa server on other machines running fc16
 and fc15.
 When the server is on fc16, I get the same error as when it's on fc17: wget
 failed: No route to host.
 When the server is on fc15, wget still failed, but the reason was
 Connection refused.
 Seems to me there's something else to do after running
 ipa-server-install on the server.

This is unrelated to IPA. We do no network configuration changes, only start 
services.

The client is doing a simple wget which just issues an HTTP request. The 
network stack is saying it can't talk to the IPA server so I'd start there. 
wireshark might be helpful.

rob



Re: [Freeipa-users] FreeIPA in a locked down Active Directory environment

2012-06-19 Thread Simo Sorce
On Tue, 2012-06-19 at 13:26 +0100, James Hogarth wrote:
  I wonder if the (very) new IPA AD trust feature could solve at least
  some of your problems. Have a look at
  http://freeipa.org/page/IPAv3_testing_AD_trust for some info on how this
  can be tested.
 
 
 The initial documentation looks like it's describing a full two way
 trust - in principle would a one way trust be feasible?
 
 Allow the AD users (or a selection thereof) access to the systems part
 of the IPA domain but not vice versa?

Well, at the moment we only set up a two way trust
but the windows admins would certainly be able to delete the outgoing
trust right after it is created, it should cause trouble for win users
that want to access ipa hosts.

We may take an RFE about creating only a one way trust, but it won't be
there by 3.0 I think.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] FreeIPA in a locked down Active Directory environment

2012-06-19 Thread Simo Sorce
On Tue, 2012-06-19 at 09:14 -0400, Brian Wheeler wrote:
 I will look into that.  I've got nearly a year before I have to do my 
 machine migrations, so one would assume that this feature would 
 stabilize by the time I get around to doing an actual implementation.  
 I'll play with it and see if I can make it work. Although, the 
 instructions do mention validating it from the windows side of things 
 which may stop me dead in the water since I have no access.

you need the windows domain credentials to set up the trust, so you
definitely need collaboration from the windows domain admins.

w/o that collaboration there isn't much you can really do in any case.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] FreeIPA in a locked down Active Directory environment

2012-06-19 Thread James Hogarth
 Well, at the moment we only set up a two way trust
 but the windows admins would certainly be able to delete the outgoing
 trust right after it is created, it should cause trouble for win users
 that want to access ipa hosts.

 We may take an RFE about creating only a one way trust, but it won't be
 there by 3.0 I think.


Gotcha - I know here I'll probably end up with a requirement for
windows users to access one or more of my linux systems (and web
interfaces) with their windows AD credentials but there is no way the
Windows team (or IT Security) would want my users in IPA to be able to
log into the windows clients etc in the enterprise.



Re: [Freeipa-users] ipa installation problem

2012-06-19 Thread Rob Crittenden

george he wrote:

Hello Rob,
Can it be that the httpd service is not running properly?
On all servers, I can only run wget on the server itself successfully...
At least on fc15, the client was able to contact the server, but the
connection was refused.
maybe the configuration part of httpd?
On other machines in the same lab, I have set up two web servers in the
usual way and they both run with no problem.


I don't know what to tell you. This problem is independent of IPA. It 
means that the client doesn't know how to get to the server (no route to 
host)


Connection refused would suggest that the server isn't accepting 
connections. You could use netstat to confirm that it is listening on 
ports 80 and 443, I think you'll find it is.


IPA doesn't do anything particularly clever with the web server, just 
configures it to use mod_nss as an SSL listener. Since wget is using 
port 80 you aren't even using any changes made by IPA. And no route to 
host suggests it isn't even getting that far.


You might try shutting down iptables on the server and client and try that.

rob


Thanks,
George


*From:* Rob Crittenden rcrit...@redhat.com
*To:* george he george_...@yahoo.com
*Cc:* freeipa-users@redhat.com freeipa-users@redhat.com
*Sent:* Tuesday, June 19, 2012 9:32 AM
*Subject:* Re: [Freeipa-users] ipa installation problem

george he wrote:
  Hello all,
  While waiting for more suggestions on my thread is not an IPA v2
  Server, I tried to install ipa server on other machines running fc16
  and fc15.
  When server is on fc16, I get the same error as when it's on
fc17, wget
  failed: No route to host.
  when server is on fc15, wget still failed, but the reason was
  Connection refused.
  Seems to me there's something else to do after running
  ipa-server-install on the server.

This is unrelated to IPA. We do no network configuration changes,
only start services.

The client is doing a simple wget which just issues an HTTP request.
The network stack is saying it can't talk to the IPA server so I'd
start there. wireshark might be helpful.

rob




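Rob's two diagnoses above are different failure layers: "no route to host" means the SYN never reached a listener (missing route, wrong address, or a firewall REJECT with an ICMP host-prohibited reply, which is what Fedora's default iptables rules send), while "connection refused" means the host answered and the question is only whether anything listens on that port. The Python below is an added example, not code from the thread or from FreeIPA: probe() classifies a TCP connect attempt by errno, listening_ports() parses netstat -tln output so the "is httpd listening on 80 and 443?" check can be scripted, and self_check() exercises probe() offline against a throwaway local socket. SAMPLE_NETSTAT is constructed text modelled on george's lsof line showing an IPv6 wildcard listener.

```python
import errno
import socket
from typing import Set, Tuple

# Constructed sample of `netstat -tln` output on a server whose httpd listens
# on the IPv6 wildcard (the "tcp6 :::80" row lsof shows as "IPv6 ... *:http").
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
tcp6       0      0 :::443                  :::*                    LISTEN
"""


def probe(host: str, port: int, timeout: float = 3.0) -> Tuple[str, str]:
    """TCP-connect to host:port and classify the outcome.

    "unreachable": EHOSTUNREACH/ENETUNREACH, the 'No route to host' case. A
    REJECT --reject-with icmp-host-prohibited firewall rule on the server
    produces exactly this error, so testing with iptables stopped is a fair
    first step.
    "refused": ECONNREFUSED, the 'Connection refused' case. Routing works; the
    host replied with RST or ICMP port-unreachable, so check the listener.
    "filtered": no reply at all (packets silently dropped or wrong address).
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open", f"TCP connect to {host}:{port} succeeded"
    except socket.timeout:
        return "filtered", "no reply at all: packets dropped, or wrong address"
    except OSError as e:
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable", "no route to host: check routes, addresses, REJECT rules"
        if e.errno == errno.ECONNREFUSED:
            return "refused", "host reached but nothing accepting on that port"
        return "error", f"errno {e.errno}: {e.strerror}"


def listening_ports(netstat_output: str) -> Set[int]:
    """Extract listening TCP ports from `netstat -tln` text (IPv4 and IPv6 rows).

    A ':::80' (tcp6 wildcard) listener on Linux also accepts IPv4 connections
    unless IPV6_V6ONLY / net.ipv6.bindv6only is set, so a tcp6-only row is not
    by itself a problem.
    """
    ports: Set[int] = set()
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) >= 6 and fields[0].startswith("tcp") and fields[-1] == "LISTEN":
            local = fields[3]
            # ':::80' and '0.0.0.0:80' both end in ':<port>'
            ports.add(int(local.rsplit(":", 1)[1]))
    return ports


def missing_web_ports(netstat_output: str) -> Set[int]:
    """Which of the ports IPA's httpd should expose (80, 443) have no listener."""
    return {80, 443} - listening_ports(netstat_output)


def self_check() -> Tuple[str, str]:
    """Demonstrate probe() offline: connect to a live local listener, then to
    the same port after it is closed. Expected verdicts: ("open", "refused")."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # ephemeral port
    srv.listen(1)
    port = srv.getsockname()[1]
    live = probe("127.0.0.1", port)[0]
    srv.close()
    closed = probe("127.0.0.1", port)[0]
    return live, closed


if __name__ == "__main__":
    print("self-check:", self_check())
    print("web ports without a listener:", missing_web_ports(SAMPLE_NETSTAT) or "none")
```

From the client, `probe("<ipa-server>", 80)` and `probe("<ipa-server>", 443)` give the layer to look at; on the server, feed the real `netstat -tln` output to missing_web_ports(). Note that plain `netstat | grep 443` without -l lists established connections only, which is why it can come back empty while httpd is listening.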


Re: [Freeipa-users] ipa installation problem

2012-06-19 Thread george he
Hello Rob,
netstat |grep 443 returned nothing, but lsof -i :80 (or :443) returned things 
like this:

httpd   4206 apache    5u  IPv6 846355   TCP *:http (LISTEN)
is the IPv6 here a problem?
Thanks,
George





 From: Rob Crittenden rcrit...@redhat.com
To: george he george_...@yahoo.com 
Cc: freeipa-users@redhat.com freeipa-users@redhat.com 
Sent: Tuesday, June 19, 2012 10:43 AM
Subject: Re: [Freeipa-users] ipa installation problem
 
george he wrote:
 Hello Rob,
 Can it be that the httpd service is not running properly?
 On all servers, I can only run wget on the server itself successfully...
 At least on fc15, the client was able to contact the server, but the
 connection was refused.
 maybe the configuration part of httpd?
 On other machines in the same lab, I have set up two web servers in the
 usual way and they both run with no problem.

I don't know what to tell you. This problem is independent of IPA. It 
means that the client doesn't know how to get to the server (no route to 
host)

Connection refused would suggest that the server isn't accepting 
connections. You could use netstat to confirm that it is listening on 
ports 80 and 443, I think you'll find it is.

IPA doesn't do anything particularly clever with the web server, just 
configures it to use mod_nss as an SSL listener. Since wget is using 
port 80 you aren't even using any changes made by IPA. And no route to 
host suggests it isn't even getting that far.

You might try shutting down iptables on the server and client and try that.

rob

 Thanks,
 George

     
     *From:* Rob Crittenden rcrit...@redhat.com
     *To:* george he george_...@yahoo.com
     *Cc:* freeipa-users@redhat.com freeipa-users@redhat.com
     *Sent:* Tuesday, June 19, 2012 9:32 AM
     *Subject:* Re: [Freeipa-users] ipa installation problem

     george he wrote:
       Hello all,
       While waiting for more suggestions on my thread is not an IPA v2
       Server, I tried to install ipa server on other machines running fc16
       and fc15.
       When server is on fc16, I get the same error as when it's on
     fc17, wget
       failed: No route to host.
       when server is on fc15, wget still failed, but the reason was
       Connection refused.
       Seems to me there's something else to do after running
       ipa-server-install on the server.

     This is unrelated to IPA. We do no network configuration changes,
     only start services.

     The client is doing a simple wget which just issues an HTTP request.
     The network stack is saying it can't talk to the IPA server so I'd
     start there. wireshark might be helpful.

     rob






Re: [Freeipa-users] FreeIPA in a locked down Active Directory environment

2012-06-19 Thread Brian Wheeler

Oops, forgot to reply to list last time.

On 06/19/2012 10:42 AM, Simo Sorce wrote:

On Tue, 2012-06-19 at 09:14 -0400, Brian Wheeler wrote:

I will look into that.  I've got nearly a year before I have to do my
machine migrations, so one would assume that this feature would
stabilize by the time I get around to doing an actual implementation.
I'll play with it and see if I can make it work. Although, the
instructions do mention validating it from the windows side of things
which may stop me dead in the water since I have no access.

you need the windows domain credentials to set up the trust, so you
definitely need collaboration from the windows domain admins.

w/o that collaboration there isn't much you can really do in any case.


I've got rights to join machines to the domain, would that be sufficient?


Simo.






Re: [Freeipa-users] ipa-getkeytab and mandatory password change

2012-06-19 Thread Stephen Ingram
On Tue, Jun 19, 2012 at 2:54 AM, Dmitri Pal d...@redhat.com wrote:
 On 06/18/2012 11:58 AM, Darran Lofthouse wrote:
 Just experienced some weird behaviour on my Fedora 17 installation,
 just wanted to check if this was expected.

 I have the default config that requires a user to change their
 password the first time they run kinit.

 However I created a user and immediately used ipa-getkeytab as this
 user will be a non-interactive process, despite the ipa-getkeytab
 resetting the secret for the user the first attempt at authentication
 failed as the user was still told to change their password.



 I do not think we have anticipated this use. The ipa-getkeytab is
 designed for host and service keytabs, not for users. I suggest that
 you use a service principal rather than a user principal to run those jobs.
 You can also file an RFE to allow keytabs for users if you think that
 services would not work for you.

 My expectation would have been that any update to the secret should
 meet the requirement for the user to change their password.

Darren-

I'm not sure if you went further with this, but if you do change the
password through other means, you then will be able to get a copy of
the keytab for the user with ipa-getkeytab. I tried it out because the
thought of not being able to get a keytab for a user was concerning. I
agree that the service keytabs make more sense for these instances (I
was also told this by Simo in another thread), but I keep being told
by the application people that I need to use a user principal, which,
thankfully works.

Steve



Re: [Freeipa-users] kerberos principals for service accounts (cn=etc, cn=sysaccounts)

2012-06-19 Thread Stephen Ingram
On Fri, Jun 15, 2012 at 6:09 AM, Simo Sorce s...@redhat.com wrote:
 On Fri, 2012-06-15 at 00:10 -0700, Stephen Ingram wrote:
 Is it possible for accounts in cn=etc,cn=sysaccounts to have kerberos
 principals or must you use the cn=accounts,cn=users container? I'm
 thinking this for script-authenticated machine accounts (might be of
 form user-hostname@REALM or user/hostname@REALM) that need to
 authenticate to another machine and just a way to separate them from
 the regular user accounts in cn=accounts,cn=users.

 If you need to authenticate machines you probably want to use the
 machine keytab in /etc/krb5.keytab which contains a host/fqdn@REALM
 principal.

 The principal is stored in cn=computers,cn=accounts in the computer
 object if the machine is joined to IPA.

 for machines you do not want to join or if you want to use a different
 service principal name you should create a new service principal with
 'ipa service-add' which will create a principal object in cn=services

 user-hostname or user/hostname are not common choices; while kerberos
 does not enforce any particular convention on names, you usually want to
 use the service/fqdn@REALM convention, where 'service' is the service name.
 Many services already have conventions for the principal name (for
 example HTTP/fqdn@REALM for http servers).

 If your scripts are arbitrary you may decide to create your own script
 principal (useful if you want to assign special ACIs to it in IPA, as you
 can reference the service account under cn=services in ACIs, in theory).

I couldn't agree more. Here's the situation though. I'm trying to use
IPA for a Cyrus IMAP Murder configuration. This involves
machine-to-machine authentication, but it's not really the machine,
it's a process on the machine. It's a process client authenticating
itself to a process server. The client constantly authenticates using
a script to obtain keys from a keytab. The server is authenticated
when the client connects to it. I was thinking like you are
suggesting, to use service principals, but I'm being told that user
principals are the way to go on the client end of things. Not wanting
to mix service users in with my regular users, I thought about putting
them in sysaccounts. I should probably take this up on the kerberos
list, but I was trying to do this within the constructs of IPA. I've
read that kerberos is indifferent to user vs service principals. Is
this true also of IPA besides the organization of the keys?

Steve



Re: [Freeipa-users] kerberos principals for service accounts (cn=etc, cn=sysaccounts)

2012-06-19 Thread Simo Sorce
On Tue, 2012-06-19 at 09:28 -0700, Stephen Ingram wrote:
 On Fri, Jun 15, 2012 at 6:09 AM, Simo Sorce s...@redhat.com wrote:
  On Fri, 2012-06-15 at 00:10 -0700, Stephen Ingram wrote:
  Is it possible for accounts in cn=etc,cn=sysaccounts to have kerberos
  principals or must you use the cn=accounts,cn=users container? I'm
  thinking this for script-authenticated machine accounts (might be of
  form user-hostname@REALM or user/hostname@REALM) that need to
  authenticate to another machine and just a way to separate them from
  the regular user accounts in cn=accounts,cn=users.
 
  If you need to authenticate machines you probably want to use the
  machine keytab in /etc/krb5.keytab which contains a host/fqdn@REALM
  principal.
 
  The principal is stored in cn=computers,cn=accounts in the computer
  object if the machine is joined to IPA.
 
  for machines you do not want to join or if you want to use a different
  service principal name you should create a new service principal with
  'ipa service-add' which will create a principal object in cn=services
 
  user-hostname or user/hostname are not common choices; while kerberos
  does not enforce any particular convention on names, you usually want to
  use the service/fqdn@REALM convention, where 'service' is the service name.
  Many services already have conventions for the principal name (for
  example HTTP/fqdn@REALM for http servers).
 
  If your scripts are arbitrary you may decide to create your own script
  principal (useful if you want to assign special ACIs to it in IPA, as you
  can reference the service account under cn=services in ACIs, in theory).
 
 I couldn't agree more. Here's the situation though. I'm trying to use
 IPA for a Cyrus IMAP Murder configuration. This involves
 machine-to-machine authentication, but it's not really the machine,
 it's a process on the machine. It's a process client authenticating
 itself to a process server. The client constantly authenticates using
 a script to obtain keys from a keytab. The server is authenticated
 when the client connects to it. I was thinking like you are
 suggesting, to use service principals, but I'm being told that user
 principals are the way to go on the client end of things. Not wanting
 to mix service users in with my regular users, I thought about putting
 them in sysaccounts. I should probably take this up on the kerberos
 list, but I was trying to do this within the constructs of IPA. I've
 read that kerberos is indifferent to user vs service principals. Is
 this true also of IPA besides the organization of the keys?

Yes with IPA you can use service principals to initiate context w/o
problems. That's why I suggested you use a service principal.
AD has a limitation that you must use an actual user to initiate a
context, that may be where the suggestion is coming from.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] Request for comments - Apache SNI via IPA with kerberos authentication

2012-06-19 Thread Simo Sorce
On Tue, 2012-06-19 at 13:04 +0100, James Hogarth wrote:
 Hi all,
 
 As mentioned on IRC today I've finished my write up of using Apache
 with SNI and kerberos authentication with an IPA backend
 
 I'd be interested in any feedback:
 
 http://freeipa.org/page/Apache_SNI_With_Kerberos

Very nice writeup!

I see you use mod_ssl, can this configuration be obtained with mod_nss
as well ?
I was going to try it but on an ipa server we use mod_nss and would like
to avoid having to find out how to reconfigure stuff to use mod_ssl.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] kerberos principals for service accounts (cn=etc, cn=sysaccounts)

2012-06-19 Thread Natxo Asenjo
On Tue, Jun 19, 2012 at 6:54 PM, Simo Sorce s...@redhat.com wrote:


 Yes with IPA you can use service principals to initiate context w/o
 problems. That's why I suggested you use a service principal.
 AD has a limitation that you must use an actual user to initiate a
 context, that may be where the suggestion is coming from.


I was just wondering how to use a service principal coupled to a host in
the case of a webapp. We all know those: applications that require binding
to a database with a login/pass combo in a file. And I was assuming that
creating a service principal and then creating a postgresql role with the
name of the principal would not work, that I could not log in to postgresql
with that kerberos principal.

It turns out it does work! I can create service principals and have them
connect to our postgresql servers. Awesome!

I need to test this more thoroughly, but this is looking great security
wise.

Thanks for the tip! :-)
-- 
natxo

Re: [Freeipa-users] Request for comments - Apache SNI via IPA with kerberos authentication

2012-06-19 Thread Natxo Asenjo
On Tue, Jun 19, 2012 at 2:04 PM, James Hogarth james.hoga...@gmail.comwrote:

 Hi all,

 As mentioned on IRC today I've finished my write up of using Apache
 with SNI and kerberos authentication with an IPA backend

 I'd be interested in any feedback:

 http://freeipa.org/page/Apache_SNI_With_Kerberos


nice!

I will try it shortly. Thanks!

-- 
natxo

Re: [Freeipa-users] ipa-getkeytab and mandatory password change

2012-06-19 Thread Stephen Ingram
On Tue, Jun 19, 2012 at 9:55 AM, Simo Sorce s...@redhat.com wrote:
 On Tue, 2012-06-19 at 09:15 -0700, Stephen Ingram wrote:
 On Tue, Jun 19, 2012 at 2:54 AM, Dmitri Pal d...@redhat.com wrote:
  On 06/18/2012 11:58 AM, Darran Lofthouse wrote:
  Just experienced some weird behaviour on my Fedora 17 installation,
  just wanted to check if this was expected.
 
  I have the default config that requires a user to change their
  password the first time they run kinit.
 
  However I created a user and immediately used ipa-getkeytab as this
  user will be a non-interactive process, despite the ipa-getkeytab
  resetting the secret for the user the first attempt at authentication
  failed as the user was still told to change their password.
 
 
 
  I do not think we have anticipated this use. The ipa-getkeytab is
  designed for host and service keytabs, not for users. I suggest that
  you use a service principal rather than a user principal to run those jobs.
  You can also file an RFE to allow keytabs for users if you think that
  services would not work for you.
 
  My expectation would have been that any update to the secret should
  meet the requirement for the user to change their password.

 Darren-

 I'm not sure if you went further with this, but if you do change the
 password through other means, you then will be able to get a copy of
 the keytab for the user with ipa-getkeytab. I tried it out because the
 thought of not being able to get a keytab for a user was concerning. I
 agree that the service keytabs make more sense for these instances (I
 was also told this by Simo in another thread), but I keep being told
 by the application people that I need to use a user principal, which,
 thankfully works.

 Ask them why, I am curious about the requirement.

I'm still waiting for responses. The only thing I've been told thus
far is that since there are multiple processes authenticating to their
respective servers, it might be difficult to direct each to the proper
credential cache. If you use one user to auth to each server process
then there is only one credential cache.

Steve

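Three points from these threads fit one small tool: Simo's service/fqdn@REALM naming convention, Dmitri's advice to run non-interactive jobs under a service principal obtained with ipa-getkeytab rather than a user principal, and Steve's note that the application people worry about steering several processes to the right credential cache. The Python below is an added example, not code from the threads or from the FreeIPA project. It parses Kerberos principal strings (with backslash escapes), classifies them as user, host or service, flags departures from the convention, and derives a per-principal KRB5CCNAME plus the kinit and ipa-getkeytab command lines a job would use. The cache directory /run/user/1000, the keytab paths and the IPA server name in the test are assumptions chosen for the demonstration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

_ESCAPES = {"/": "\\/", "@": "\\@", "\\": "\\\\"}


@dataclass(frozen=True)
class Principal:
    components: Tuple[str, ...]   # ("HTTP", "www.example.com") or ("alice",)
    realm: str

    @property
    def kind(self) -> str:
        """user = one component; host = host/fqdn; anything else = service."""
        if len(self.components) == 1:
            return "user"
        return "host" if self.components[0] == "host" else "service"

    def __str__(self) -> str:
        esc = lambda s: "".join(_ESCAPES.get(ch, ch) for ch in s)
        return "/".join(esc(c) for c in self.components) + "@" + esc(self.realm)


def parse_principal(text: str, default_realm: Optional[str] = None) -> Principal:
    """Split 'comp1/comp2/...@REALM', honouring backslash escapes (\\/, \\@, \\\\)."""
    comps: List[str] = []
    buf: List[str] = []
    realm: Optional[str] = None
    i, n = 0, len(text)
    while i < n:
        ch = text[i]
        if ch == "\\" and i + 1 < n:          # escaped character: take it literally
            buf.append(text[i + 1])
            i += 2
            continue
        if realm is None and ch == "/":
            comps.append("".join(buf)); buf = []
        elif realm is None and ch == "@":
            comps.append("".join(buf)); buf = []
            realm = ""                        # everything after '@' is the realm
        else:
            buf.append(ch)
        i += 1
    if realm is None:
        comps.append("".join(buf))
        realm = default_realm
    else:
        realm = "".join(buf)
    if not realm or not comps or any(c == "" for c in comps):
        raise ValueError(f"malformed principal: {text!r}")
    return Principal(tuple(comps), realm)


def convention_warnings(p: Principal) -> List[str]:
    """Flag departures from the service/fqdn@REALM convention."""
    warnings: List[str] = []
    if p.realm != p.realm.upper():
        warnings.append("realm is conventionally upper-case")
    if p.kind in ("service", "host") and "." not in p.components[1]:
        warnings.append("second component should be the fully qualified host name")
    if len(p.components) > 2:
        warnings.append("more than two components is unusual for a service principal")
    return warnings


def ccache_for(p: Principal, base_dir: str = "/run/user/1000") -> str:
    """Per-principal credential cache (assumed layout), one per job/process."""
    safe = re.sub(r"[^A-Za-z0-9._-]", "_", str(p))
    return f"FILE:{base_dir}/krb5cc_{safe}"


def getkeytab_command(p: Principal, ipa_server: str, keytab: str) -> List[str]:
    """argv to fetch the principal's key into a keytab. Each run generates a new
    key, which is why the thread warns against doing this to an interactive user."""
    return ["ipa-getkeytab", "-s", ipa_server, "-p", str(p), "-k", keytab]


def kinit_command(p: Principal, keytab: str) -> List[str]:
    """argv for a non-interactive TGT from that keytab."""
    return ["kinit", "-k", "-t", keytab, str(p)]


def job_plan(p: Principal, keytab: str) -> dict:
    """Environment and commands for one job: its own KRB5CCNAME keeps several
    service principals on one host from clobbering each other's tickets."""
    return {"env": {"KRB5CCNAME": ccache_for(p)}, "kinit": kinit_command(p, keytab)}


if __name__ == "__main__":
    for text in ("HTTP/www.example.com@EXAMPLE.COM", "user/hostname@REALm", "alice@EXAMPLE.COM"):
        p = parse_principal(text)
        print(p, p.kind, convention_warnings(p) or "ok", job_plan(p, "/etc/app/app.keytab")["env"])
```

The job runs kinit with KRB5CCNAME from job_plan() exported, then the application with the same environment; two jobs under different principals get different cache files, which addresses the "one cache per process" concern without falling back to a shared user principal.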


Re: [Freeipa-users] Request for comments - Apache SNI via IPA with kerberos authentication

2012-06-19 Thread Rob Crittenden

Simo Sorce wrote:

On Tue, 2012-06-19 at 13:04 +0100, James Hogarth wrote:

Hi all,

As mentioned on IRC today I've finished my write up of using Apache
with SNI and kerberos authentication with an IPA backend

I'd be interested in any feedback:

http://freeipa.org/page/Apache_SNI_With_Kerberos


Very nice writeup!

I see you use mod_ssl, can this configuration be obtained with mod_nss
as well ?
I was going to try it but on an ipa server we use mod_nss and would like
to avoid having to find out how to reconfigure stuff to use mod_ssl.

Simo.



mod_nss doesn't support SNI yet because the NSS support isn't complete 
yet (though getting closer).


rob



[Freeipa-users] TGT invalid after KDC restart?

2012-06-19 Thread Sigbjorn Lie

Hi,

Do a user's Kerberos tickets become invalid after a restart of the KDC 
that granted the tickets?





Regards,
Siggi



Re: [Freeipa-users] TGT invalid after KDC restart?

2012-06-19 Thread Dmitri Pal
On 06/19/2012 05:37 PM, Sigbjorn Lie wrote:
 Hi,

 Do a user's Kerberos tickets become invalid after a restart of the
 KDC that granted the tickets?

Should not.





 Regards,
 Siggi



-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.




[Freeipa-users] Do clients have to be in the same DNS zone / FQDN as the IPA servers / Kerberos Realm?

2012-06-19 Thread Steven Jones
My IPA servers are, say, ipa1 and 2.ipa.example.com

I have existing linux servers that I would rather not change the FQDN on, say 
server1.example.com. Do I actually have to make the client 
server1.ipa.example.com, or can I leave it as is at server1.example.com? Would 
that give any IPA problems, or is it just poor practice?


regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272
