Re: [Freeipa-users] unable to logout of IPA
On 09/08/2012 02:05 AM, Dmitri Pal wrote: On 07/27/2012 10:30 AM, Petr Spacek wrote: On 07/27/2012 03:28 PM, John Dennis wrote: On 07/27/2012 02:06 AM, Dan Scott wrote: Hi, I'm not sure if this is relevant, but Firefox preserves session cookies across browser restarts. This was discussed on the Security Now! podcast recently: http://www.grc.com/sn/sn-360.htm Search for 'sessionstore' and read a little before and after. Are session cookies relevant for kerberos authentication? It's only tangentially relevant. IPA does use session cookies. IPA logout destroys the session on the server making the session cookie stored in the browser invalid. However, SSO (Single Sign-On) continues to work as it's supposed to. As long as you have valid credentials in your kerberos cache you'll be automatically logged in (albeit with a brand new session and session cookie). All this is by design. You can logout of IPA which destroys your session, but unless you also destroy your credentials the automatic SSO process will be applied the next time you visit the web UI. Would it be possible to add login as another user functionality? I mean destroy session ignore any Kerberos tickets start form-based auth? IMHO it could be handy, at least for demonstration purposes. Please log a ticket. https://fedorahosted.org/freeipa/ticket/3064 Petr^2 Spacek ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] errors when one ipa server down
On 09/08/2012 05:03 PM, Dmitri Pal wrote:
On 09/07/2012 04:50 PM, Rob Crittenden wrote:
Michael Mercier wrote:
On 2012-09-07, at 2:47 PM, Dmitri Pal wrote:
On 09/07/2012 12:42 PM, Michael Mercier wrote:
On 2012-09-07, at 12:14 PM, Dmitri Pal wrote:
On 09/06/2012 10:40 AM, Michael Mercier wrote:
Hello,
I have experienced some odd connectivity issues using MMR with
FreeIPA (all systems CentOS 6.3). I have 2 ipa servers
(ipaserver / ipaserver2) setup using MMR.
[root@ipaserver ~]#ipa-replica-manage list
ipaserver.mpls.local: master
ipaserver2.mpls.local: master
[root@ipaserver ~]# rpm -qa|grep ipa
libipa_hbac-1.8.0-32.el6.x86_64
ipa-admintools-2.2.0-16.el6.x86_64
ipa-server-2.2.0-16.el6.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
libipa_hbac-python-1.8.0-32.el6.x86_64
ipa-client-2.2.0-16.el6.x86_64
ipa-server-selinux-2.2.0-16.el6.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
python-iniparse-0.3.1-2.1.el6.noarch
ipa-python-2.2.0-16.el6.x86_64
[root@ipaserver2 ~]#ipa-replica-manage list
ipaserver.mpls.local: master
ipaserver2.mpls.local: master
[root@ipaserver2 ~]# rpm -qa|grep ipa
ipa-client-2.2.0-16.el6.x86_64
ipa-server-2.2.0-16.el6.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
ipa-python-2.2.0-16.el6.x86_64
libipa_hbac-1.8.0-32.el6.x86_64
python-iniparse-0.3.1-2.1.el6.noarch
libipa_hbac-python-1.8.0-32.el6.x86_64
ipa-admintools-2.2.0-16.el6.x86_64
ipa-server-selinux-2.2.0-16.el6.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
[mike@ipaclient ~]$ rpm -qa|grep ipa
ipa-admintools-2.2.0-16.el6.x86_64
python-iniparse-0.3.1-2.1.el6.noarch
ipa-python-2.2.0-16.el6.x86_64
libipa_hbac-python-1.8.0-32.el6.x86_64
ipa-client-2.2.0-16.el6.x86_64
libipa_hbac-1.8.0-32.el6.x86_64
I have a webserver (zenoss) using kerberos authentication.
[root@zenoss ~]# rpm -qa|grep ipa
libipa_hbac-1.8.0-32.el6.x86_64
libipa_hbac-python-1.8.0-32.el6.x86_64
ipa-python-2.2.0-16.el6.x86_64
ipa-client-2.2.0-16.el6.x86_64
python-iniparse-0.3.1-2.1.el6.noarch
ipa-admintools-2.2.0-16.el6.x86_64
Location /
SSLRequireSSL
AuthType Kerberos
AuthName Kerberos Login
KrbMethodK5Passwd Off
KrbAuthRealms MPLS.LOCAL
KrbSaveCredentials on
KrbServiceName HTTP
Krb5KeyTab /etc/http/conf.d/http.keytab
AuthLDAPUrl ldap://ipaserver.mpls.local
ipaserver2.mpls.local/dc=mpls,dc=local?krbPrincipalName
RequestHeader set X_REMOTE_USER %{remoteUser}e
require ldap-group
cn=zenuser,cn=groups,cn=accounts,dc=mpls,dc=local
/Location
With both ipaserver and ipaserver2 'up', if I connect to
https://zenoss.mpls.local from ipaclient using firefox, I am
successfully connected. If on ipaserver I do a 'ifdown eth0' and
attempt another connection, it fails. I have also noticed the
following:
1. I am unable to use the ipaserver2 management interface when
ipaserver is unavailable.
2. It takes a longer period of time to do a kinit
If the I then perform:
[root@ipaserver ~]#ifup eth0
[root@ipaserver2 ~]#ifdown eth0
[mike@ipaclient ~]$kinit
kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while
getting initial credentials
[root@ipaserver2 ~]#ifup eth0
[mike@ipaclient ~]$ kinit
Password for mike@MPLS.LOCAL:
[mike@ipaclient ~]$
[root@ipaserver2 ~]#ifdown eth0
.. wait number of minutes
ipaclient screen locks - type password - after a short delay (~7
seconds) screen unlock compeletes
[mike@ipaclient ~]$kinit
Password for mike@MPLS.LOCAL:
[mike@ipaclient ~]$
Any ideas?
Thanks,
Mike
This seems to be some DNS problem.
You client does not see the second replica and might have some name
resolution timeouts.
Please check your dns setup and krb5.conf on the client.
To help more we need more details about you client configuration
DNS and
kerberos.
Hi,
Additional information...
[root@zenoss ~]#more /etc/resolv.conf
search mpls.local
domain mpls.local
nameserver 172.16.112.5
nameserver 172.16.112.8
[root@zenoss ~]# more /etc/krb5.conf
#File modified by ipa-client-install
[libdefaults]
default_realm = MPLS.LOCAL
dns_lookup_realm = true
dns_lookup_kdc = true
rdns = false
ticket_lifetime = 24h
forwardable = yes
[realms]
MPLS.LOCAL = {
pkinit_anchors = FILE:/etc/ipa/ca.crt
}
[domain_realm]
.mpls.local = MPLS.LOCAL
mpls.local = MPLS.LOCAL
[root@ipaclient ~]# more /etc/resolv.conf
# Generated by NetworkManager
search mpls.local
nameserver 172.16.112.5
nameserver 172.16.112.8
[root@ipaclient ~]# more /etc/krb5.conf
#File modified by ipa-client-install
[libdefaults]
default_realm = MPLS.LOCAL
dns_lookup_realm = true
dns_lookup_kdc = true
rdns = false
ticket_lifetime = 24h
forwardable = yes
[realms]
MPLS.LOCAL = {
pkinit_anchors = FILE:/etc/ipa/ca.crt
}
[domain_realm]
.mpls.local = MPLS.LOCAL
mpls.local = MPLS.LOCAL
[root@ipaclient ~]# nslookup ipaserver
Server:172.16.112.5
Address:172.16.112.5#53
Name:ipaserver.mpls.local
Address: 172.16.112.5
[root@ipaserver ~]#ifdown eth0
[root@ipaclient ~]# nslookup ipaserver
Server:
Re: [Freeipa-users] openindiana ldap client
On 09/09/2012 04:25 PM, Sigbjorn Lie wrote: On 09/07/2012 08:38 PM, Dmitri Pal wrote: On 09/02/2012 12:58 PM, Sigbjorn Lie wrote: On 09/02/2012 04:37 PM, Natxo Asenjo wrote: hi, Recently I have been playing with the zfs for its native nfs4 acl capabilities. I have used openindiana for this. For those wondering about openindiana, it is a distribution of the former opensolaris code. I got the ldap client to work for retrieveing user/group info from ipa using the ldapclient command: # ldapclient manual \ -a authenticationMethod=none \ -a defaultSearchBase=*dc=ipa,dc=asenjo,dc=nx* \ -a domainName=*ipa.asenjo.nx* \ -a defaultServerList=kdc.ipa.asenjo.nx \ -a serviceSearchDescriptor='passwd:dc=ipa,dc=asenjo,dc=nx?sub' \ -a serviceSearchDescriptor='group:dc=ipa,dc=asenjo,dc=nx?sub' [enter] you need to enable the ldap/client service: # svcadm enable ldap/client:default [enter] After which, modify /etc/nsswitch.conf to add the ldap provider for passwd and group: passwd: files ldap group: files ldap That's it, test it: # id admin uid=64280(admin) gid=64280(admins) groups=64280(admins) # getent passwd admin admin:x:64280:64280:Administrator:/home/admin:/bin/bash So it works. The kerberos stuff will be next ... One thing I have not yet gotten to work is that these changes are not persistent accross reboots. The ldapclient config stays, but the service ldap/client does not start (stays disabled) and nsswitch.conf missess the ldap entries. So far I am fixing this from cfengine (gotta love it). So apparently, for solaris 10 and newer versions, the procedure outlined in http://freeipa.com/page/ConfiguringSolarisClients is no longer necessary as far as the ldap client is concerned. -- Groeten, natxo ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users Hi, I'm using Nexenta as an IPA client, another derivative of OpenSolaris. I use a DUAProfile with ldapclient. This stays configured and the ldap/client service is enabled across reboots. There is a DUAProfile included by default with IPA, but it requires some tweaking to support more than just the basic features. See this bugzilla for a more comprehensive example: https://bugzilla.redhat.com/show_bug.cgi?id=815515 There is also some more info about configuring Solaris clients in this bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=815533 Siggi, can you please review http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Solaris.html and confirm that this is correct and has the latest? If you find some inconsistency would mind filing a fedora doc bug? There are some issues in that document. I have been working with Rob with regards to the previous 2 bugzilla doc bug's I opened: https://bugzilla.redhat.com/show_bug.cgi?id=815533 https://bugzilla.redhat.com/show_bug.cgi?id=815515 These BZ covers configuring a DUA profile and configuring Solaris 10 as an IPA client. I presume Rob's work will become the new Solaris 10 IPA Client documentation for both Fedora and RHEL? Thanks for update. We might ask you for a final review. The Fedora and RHEL documentation is a bit different in this regard. For Fedora we can easily document the information you provided. For RHEL we need to find some other avenue to deliver the information because Red Hat support organization can't be responsible for proper configuration of the non RHEL operating systems so we can't have it in the Red Hat documentation. But we will figure it out. Rgds, Siggi ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users -- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. --- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] sudden ipa errors.
On 08/24/2012 04:43 PM, Rob Crittenden wrote:
Nathan Lager wrote:
This did not seem to help...
What else isn't working? Does the UI work? Do clients on other
machines work? Does user lookup still work?
rob
Was this issue ever resolved?
On 08/22/2012 06:02 PM, Rob Crittenden wrote:
Nathan Lager wrote:
[root@ipaserver PROD krb5kdc]# ipactl status
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
MEMCACHE Service: RUNNING
HTTP Service: RUNNING
CA Service: RUNNING
[root@ipaserver PROD krb5kdc]# rpm -qa | grep ipa-server
ipa-server-selinux-2.2.0-16.el6.x86_64
ipa-server-2.2.0-16.el6.x86_64
I'd try removing /tmp/krb5cc_48. This is the ccache used by Apache for
doing S4U2Proxy. No restart of httpd should be required.
rob
On 08/22/2012 04:08 PM, Rob Crittenden wrote:
Nathan Lager wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
I tried the same, kinit, and then ipa passwd commands as before,
here's the output:
Aug 22 14:32:13 ipaserver.lafayette.edu krb5kdc[1438](info):
AS_REQ (4
etypes {18 17 16 23}) ipa-servers-ip: NEEDED_PREAUTH:
lag...@systems.lafayette.edu for
krbtgt/systems.lafayette@systems.lafayette.edu, Additional
pre-authentication required
Aug 22 14:32:19 ipaserver.lafayette.edu krb5kdc[1438](info):
AS_REQ (4
etypes {18 17 16 23}) ipa-servers-ip: ISSUE: authtime 1345660339,
etypes {rep=18 tkt=18 ses=18}, lag...@systems.lafayette.edu for
krbtgt/systems.lafayette@systems.lafayette.edu
Aug 22 14:32:35 ipaserver.lafayette.edu krb5kdc[1438](info): TGS_REQ
(4 etypes {18 17 16 23}) ipa-servers-ip: ISSUE: authtime 1345660339,
etypes {rep=18 tkt=18 ses=18}, lag...@systems.lafayette.edu for
HTTP/ipaserver.lafayette@systems.lafayette.edu
What version of IPA is this?
Does ipactl status show all services up?
rob
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] IBM Tivoli Identity Manager connector to manage IPA
On 08/24/2012 02:21 AM, Willem Bos wrote:
Hi Sylvian,
I'm not familiar with Tivoli but maybe it's able to generate HTTP
requests? I recently did a proof-of-concept (with help from this
mailing list) to provision IPA with usernames/passwords. It's really a
re-write of a post from Adam Young
(http://adam.younglogic.com/2010/07/talking-to-freeipa-json-web-api-via-curl/)
and info from The IPA API documented at
https://fedorahosted.org/freeipa/browser/API.txt
In this procedure you should replace curl with Tivoli.
# Add the (IPA) account you want to use for provisioning to the
passSyncManagerDNs 'group' so that users that are created through
provisioning do not have to change their passwords at first login. In
this example I used 'admin' but you probably whant a dedicated user :
cat add_passsync_manager.ldif EOF
dn: cn=ipa_pwd_extop,cn=plugins,cn=config
changetype: modify
add: passSyncManagersDNs
passSyncManagersDNs: uid=admin,cn=users,cn=accounts,dc=localdomain
EOF
ldapmodify -x -D cn=Directory Manager -W -f add_passsync_manager.ldif
# Check :
ldapsearch -LLL -x -D cn=Directory Manager -W -b
cn=ipa_pwd_extop,cn=plugins,cn=config -s base passsyncmanagersdns
...
passsyncmanagersdns: uid=admin,cn=users,cn=accounts,dc=localdomain
# The .json file is the 'add user' request that Tivoli should generate.:
cat add_user_test.json EOF
{
method:user_add,
params:[
[],
{
uid:test,
givenname:test,
sn:test,
userpassword:test
}
]
}
EOF
# Tivoli needs to be able to pass Kerberos credentials with the HTTP
request (the '--negotiate -u : ` part) :
kinit admin
curl -v \
--header referer:https://IPA_HOST/ipa \
--header Content-Type:application/json \
--header Accept:applicaton/json\
--negotiate -u : \
--delegation always \
--cacert /etc/ipa/ca.crt \
--data @add_user_test.json \
--request POST https://IPA_HOST/ipa/json
…
summary: Added user \test\,
…
# Check. The user should not be asked to change his password... :
kinit test
Regards,
Willem.
Sylvain,
I am very interested in finding out what did you decide to do to
implement this.
IMO it would be very beneficial to have a supported way for Tivoly to
connect to IPA and provision users.
Doing it via IPA interface as mentioned above is the right way to do it.
Do you have any pointer to IBM Tivoly documentation that comments on how
to create special connectors?
I would like to include this as an item for a long term IPA roadmap.
If you or anyone else have some information on the matter please help us
here.
I will open a ticket and capture all the recommendations there.
Thanks
Dmitri
On Thu, Aug 23, 2012 at 9:53 PM, Sylvain Angers sylvainang...@gmail.com
wrote:
Hello all,
Within our organisation, we use IBM Tivoli Identity Manager connectors to
provision user/group onto all our different type of system. Currently there
is as many connectors as we have unix box. As each unix box use local auth,
we use ITIM to push user/group to local files...We are investigating IPA
since a while, and now we wonder if a regular LDAP connector from IBM Tivoli
Identity manager could be use to feed IPA so we would have one connector to
manage our UNIX box via IPA. Our security folks would continue to have one
single interface to do user/group provisionning.
I found out that there is already an IITIM LDAP connector available, but Is
there such thing as ldap interface to manage ipa?
Or is the only way to get ITIM to manage IPA would be via new connector
build from remote ipa command lines?
Thank you!
--
Sylvain Angers
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] errors when one ipa server down
Dmitri Pal wrote:
On 09/07/2012 04:50 PM, Rob Crittenden wrote:
Michael Mercier wrote:
On 2012-09-07, at 2:47 PM, Dmitri Pal wrote:
On 09/07/2012 12:42 PM, Michael Mercier wrote:
On 2012-09-07, at 12:14 PM, Dmitri Pal wrote:
On 09/06/2012 10:40 AM, Michael Mercier wrote:
Hello,
I have experienced some odd connectivity issues using MMR with
FreeIPA (all systems CentOS 6.3). I have 2 ipa servers
(ipaserver / ipaserver2) setup using MMR.
[root@ipaserver ~]#ipa-replica-manage list
ipaserver.mpls.local: master
ipaserver2.mpls.local: master
[root@ipaserver ~]# rpm -qa|grep ipa
libipa_hbac-1.8.0-32.el6.x86_64
ipa-admintools-2.2.0-16.el6.x86_64
ipa-server-2.2.0-16.el6.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
libipa_hbac-python-1.8.0-32.el6.x86_64
ipa-client-2.2.0-16.el6.x86_64
ipa-server-selinux-2.2.0-16.el6.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
python-iniparse-0.3.1-2.1.el6.noarch
ipa-python-2.2.0-16.el6.x86_64
[root@ipaserver2 ~]#ipa-replica-manage list
ipaserver.mpls.local: master
ipaserver2.mpls.local: master
[root@ipaserver2 ~]# rpm -qa|grep ipa
ipa-client-2.2.0-16.el6.x86_64
ipa-server-2.2.0-16.el6.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
ipa-python-2.2.0-16.el6.x86_64
libipa_hbac-1.8.0-32.el6.x86_64
python-iniparse-0.3.1-2.1.el6.noarch
libipa_hbac-python-1.8.0-32.el6.x86_64
ipa-admintools-2.2.0-16.el6.x86_64
ipa-server-selinux-2.2.0-16.el6.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
[mike@ipaclient ~]$ rpm -qa|grep ipa
ipa-admintools-2.2.0-16.el6.x86_64
python-iniparse-0.3.1-2.1.el6.noarch
ipa-python-2.2.0-16.el6.x86_64
libipa_hbac-python-1.8.0-32.el6.x86_64
ipa-client-2.2.0-16.el6.x86_64
libipa_hbac-1.8.0-32.el6.x86_64
I have a webserver (zenoss) using kerberos authentication.
[root@zenoss ~]# rpm -qa|grep ipa
libipa_hbac-1.8.0-32.el6.x86_64
libipa_hbac-python-1.8.0-32.el6.x86_64
ipa-python-2.2.0-16.el6.x86_64
ipa-client-2.2.0-16.el6.x86_64
python-iniparse-0.3.1-2.1.el6.noarch
ipa-admintools-2.2.0-16.el6.x86_64
Location /
SSLRequireSSL
AuthType Kerberos
AuthName Kerberos Login
KrbMethodK5Passwd Off
KrbAuthRealms MPLS.LOCAL
KrbSaveCredentials on
KrbServiceName HTTP
Krb5KeyTab /etc/http/conf.d/http.keytab
AuthLDAPUrl ldap://ipaserver.mpls.local
ipaserver2.mpls.local/dc=mpls,dc=local?krbPrincipalName
RequestHeader set X_REMOTE_USER %{remoteUser}e
require ldap-group
cn=zenuser,cn=groups,cn=accounts,dc=mpls,dc=local
/Location
With both ipaserver and ipaserver2 'up', if I connect to
https://zenoss.mpls.local from ipaclient using firefox, I am
successfully connected. If on ipaserver I do a 'ifdown eth0' and
attempt another connection, it fails. I have also noticed the
following:
1. I am unable to use the ipaserver2 management interface when
ipaserver is unavailable.
2. It takes a longer period of time to do a kinit
If the I then perform:
[root@ipaserver ~]#ifup eth0
[root@ipaserver2 ~]#ifdown eth0
[mike@ipaclient ~]$kinit
kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while
getting initial credentials
[root@ipaserver2 ~]#ifup eth0
[mike@ipaclient ~]$ kinit
Password for mike@MPLS.LOCAL:
[mike@ipaclient ~]$
[root@ipaserver2 ~]#ifdown eth0
.. wait number of minutes
ipaclient screen locks - type password - after a short delay (~7
seconds) screen unlock compeletes
[mike@ipaclient ~]$kinit
Password for mike@MPLS.LOCAL:
[mike@ipaclient ~]$
Any ideas?
Thanks,
Mike
This seems to be some DNS problem.
You client does not see the second replica and might have some name
resolution timeouts.
Please check your dns setup and krb5.conf on the client.
To help more we need more details about you client configuration
DNS and
kerberos.
Hi,
Additional information...
[root@zenoss ~]#more /etc/resolv.conf
search mpls.local
domain mpls.local
nameserver 172.16.112.5
nameserver 172.16.112.8
[root@zenoss ~]# more /etc/krb5.conf
#File modified by ipa-client-install
[libdefaults]
default_realm = MPLS.LOCAL
dns_lookup_realm = true
dns_lookup_kdc = true
rdns = false
ticket_lifetime = 24h
forwardable = yes
[realms]
MPLS.LOCAL = {
pkinit_anchors = FILE:/etc/ipa/ca.crt
}
[domain_realm]
.mpls.local = MPLS.LOCAL
mpls.local = MPLS.LOCAL
[root@ipaclient ~]# more /etc/resolv.conf
# Generated by NetworkManager
search mpls.local
nameserver 172.16.112.5
nameserver 172.16.112.8
[root@ipaclient ~]# more /etc/krb5.conf
#File modified by ipa-client-install
[libdefaults]
default_realm = MPLS.LOCAL
dns_lookup_realm = true
dns_lookup_kdc = true
rdns = false
ticket_lifetime = 24h
forwardable = yes
[realms]
MPLS.LOCAL = {
pkinit_anchors = FILE:/etc/ipa/ca.crt
}
[domain_realm]
.mpls.local = MPLS.LOCAL
mpls.local = MPLS.LOCAL
[root@ipaclient ~]# nslookup ipaserver
Server:172.16.112.5
Address:172.16.112.5#53
Name:ipaserver.mpls.local
Address: 172.16.112.5
[root@ipaserver ~]#ifdown eth0
[root@ipaclient ~]# nslookup ipaserver
Server:172.16.112.8
Address:
Re: [Freeipa-users] errors when one ipa server down
On Mon, Sep 10, 2012 at 09:08:07AM -0400, Rob Crittenden wrote:
Dmitri Pal wrote:
On 09/07/2012 04:50 PM, Rob Crittenden wrote:
Michael Mercier wrote:
On 2012-09-07, at 2:47 PM, Dmitri Pal wrote:
On 09/07/2012 12:42 PM, Michael Mercier wrote:
On 2012-09-07, at 12:14 PM, Dmitri Pal wrote:
On 09/06/2012 10:40 AM, Michael Mercier wrote:
Hello,
I have experienced some odd connectivity issues using MMR with
FreeIPA (all systems CentOS 6.3). I have 2 ipa servers
(ipaserver / ipaserver2) setup using MMR.
[root@ipaserver ~]#ipa-replica-manage list
ipaserver.mpls.local: master
ipaserver2.mpls.local: master
[root@ipaserver ~]# rpm -qa|grep ipa
libipa_hbac-1.8.0-32.el6.x86_64
ipa-admintools-2.2.0-16.el6.x86_64
ipa-server-2.2.0-16.el6.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
libipa_hbac-python-1.8.0-32.el6.x86_64
ipa-client-2.2.0-16.el6.x86_64
ipa-server-selinux-2.2.0-16.el6.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
python-iniparse-0.3.1-2.1.el6.noarch
ipa-python-2.2.0-16.el6.x86_64
[root@ipaserver2 ~]#ipa-replica-manage list
ipaserver.mpls.local: master
ipaserver2.mpls.local: master
[root@ipaserver2 ~]# rpm -qa|grep ipa
ipa-client-2.2.0-16.el6.x86_64
ipa-server-2.2.0-16.el6.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
ipa-python-2.2.0-16.el6.x86_64
libipa_hbac-1.8.0-32.el6.x86_64
python-iniparse-0.3.1-2.1.el6.noarch
libipa_hbac-python-1.8.0-32.el6.x86_64
ipa-admintools-2.2.0-16.el6.x86_64
ipa-server-selinux-2.2.0-16.el6.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
[mike@ipaclient ~]$ rpm -qa|grep ipa
ipa-admintools-2.2.0-16.el6.x86_64
python-iniparse-0.3.1-2.1.el6.noarch
ipa-python-2.2.0-16.el6.x86_64
libipa_hbac-python-1.8.0-32.el6.x86_64
ipa-client-2.2.0-16.el6.x86_64
libipa_hbac-1.8.0-32.el6.x86_64
I have a webserver (zenoss) using kerberos authentication.
[root@zenoss ~]# rpm -qa|grep ipa
libipa_hbac-1.8.0-32.el6.x86_64
libipa_hbac-python-1.8.0-32.el6.x86_64
ipa-python-2.2.0-16.el6.x86_64
ipa-client-2.2.0-16.el6.x86_64
python-iniparse-0.3.1-2.1.el6.noarch
ipa-admintools-2.2.0-16.el6.x86_64
Location /
SSLRequireSSL
AuthType Kerberos
AuthName Kerberos Login
KrbMethodK5Passwd Off
KrbAuthRealms MPLS.LOCAL
KrbSaveCredentials on
KrbServiceName HTTP
Krb5KeyTab /etc/http/conf.d/http.keytab
AuthLDAPUrl ldap://ipaserver.mpls.local
ipaserver2.mpls.local/dc=mpls,dc=local?krbPrincipalName
RequestHeader set X_REMOTE_USER %{remoteUser}e
require ldap-group
cn=zenuser,cn=groups,cn=accounts,dc=mpls,dc=local
/Location
With both ipaserver and ipaserver2 'up', if I connect to
https://zenoss.mpls.local from ipaclient using firefox, I am
successfully connected. If on ipaserver I do a 'ifdown eth0' and
attempt another connection, it fails. I have also noticed the
following:
1. I am unable to use the ipaserver2 management interface when
ipaserver is unavailable.
2. It takes a longer period of time to do a kinit
If the I then perform:
[root@ipaserver ~]#ifup eth0
[root@ipaserver2 ~]#ifdown eth0
[mike@ipaclient ~]$kinit
kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while
getting initial credentials
[root@ipaserver2 ~]#ifup eth0
[mike@ipaclient ~]$ kinit
Password for mike@MPLS.LOCAL:
[mike@ipaclient ~]$
[root@ipaserver2 ~]#ifdown eth0
.. wait number of minutes
ipaclient screen locks - type password - after a short delay (~7
seconds) screen unlock compeletes
[mike@ipaclient ~]$kinit
Password for mike@MPLS.LOCAL:
[mike@ipaclient ~]$
Any ideas?
Thanks,
Mike
This seems to be some DNS problem.
You client does not see the second replica and might have some name
resolution timeouts.
Please check your dns setup and krb5.conf on the client.
To help more we need more details about you client configuration
DNS and
kerberos.
Hi,
Additional information...
[root@zenoss ~]#more /etc/resolv.conf
search mpls.local
domain mpls.local
nameserver 172.16.112.5
nameserver 172.16.112.8
[root@zenoss ~]# more /etc/krb5.conf
#File modified by ipa-client-install
[libdefaults]
default_realm = MPLS.LOCAL
dns_lookup_realm = true
dns_lookup_kdc = true
rdns = false
ticket_lifetime = 24h
forwardable = yes
[realms]
MPLS.LOCAL = {
pkinit_anchors = FILE:/etc/ipa/ca.crt
}
[domain_realm]
.mpls.local = MPLS.LOCAL
mpls.local = MPLS.LOCAL
[root@ipaclient ~]# more /etc/resolv.conf
# Generated by NetworkManager
search mpls.local
nameserver 172.16.112.5
nameserver 172.16.112.8
[root@ipaclient ~]# more /etc/krb5.conf
#File modified by ipa-client-install
[libdefaults]
default_realm = MPLS.LOCAL
dns_lookup_realm = true
dns_lookup_kdc = true
rdns = false
ticket_lifetime = 24h
forwardable = yes
[realms]
MPLS.LOCAL = {
pkinit_anchors = FILE:/etc/ipa/ca.crt
}
[domain_realm]
.mpls.local = MPLS.LOCAL
mpls.local = MPLS.LOCAL
[root@ipaclient ~]#
Re: [Freeipa-users] Prompting for expired passwords on AIX
On 08/09/2012 05:28 PM, KodaK wrote: I've kerberized a bunch of AIX machines, and I noticed when I was starting out that AIX allows people to connect that have expired passwords, and does not prompt for changes. 1) does anyone know what I need to do on AIX to make this happen (I don't hold out much hope for this.) 2) alternately, does anyone know what I'd have to do on Linux to change this behavior (maybe from that I can find something on AIX.) I plan on opening a ticket with IBM too, but I wanted to see if anyone has run into this before. Thanks! Was this issue ever resolved? -- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. --- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] errors when one ipa server down
On Mon, 2012-09-10 at 15:20 +0200, Jakub Hrozek wrote:
On Mon, Sep 10, 2012 at 09:08:07AM -0400, Rob Crittenden wrote:
Dmitri Pal wrote:
On 09/07/2012 04:50 PM, Rob Crittenden wrote:
Michael Mercier wrote:
On 2012-09-07, at 2:47 PM, Dmitri Pal wrote:
On 09/07/2012 12:42 PM, Michael Mercier wrote:
On 2012-09-07, at 12:14 PM, Dmitri Pal wrote:
On 09/06/2012 10:40 AM, Michael Mercier wrote:
Hello,
I have experienced some odd connectivity issues using MMR with
FreeIPA (all systems CentOS 6.3). I have 2 ipa servers
(ipaserver / ipaserver2) setup using MMR.
[root@ipaserver ~]#ipa-replica-manage list
ipaserver.mpls.local: master
ipaserver2.mpls.local: master
[root@ipaserver ~]# rpm -qa|grep ipa
libipa_hbac-1.8.0-32.el6.x86_64
ipa-admintools-2.2.0-16.el6.x86_64
ipa-server-2.2.0-16.el6.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
libipa_hbac-python-1.8.0-32.el6.x86_64
ipa-client-2.2.0-16.el6.x86_64
ipa-server-selinux-2.2.0-16.el6.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
python-iniparse-0.3.1-2.1.el6.noarch
ipa-python-2.2.0-16.el6.x86_64
[root@ipaserver2 ~]#ipa-replica-manage list
ipaserver.mpls.local: master
ipaserver2.mpls.local: master
[root@ipaserver2 ~]# rpm -qa|grep ipa
ipa-client-2.2.0-16.el6.x86_64
ipa-server-2.2.0-16.el6.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
ipa-python-2.2.0-16.el6.x86_64
libipa_hbac-1.8.0-32.el6.x86_64
python-iniparse-0.3.1-2.1.el6.noarch
libipa_hbac-python-1.8.0-32.el6.x86_64
ipa-admintools-2.2.0-16.el6.x86_64
ipa-server-selinux-2.2.0-16.el6.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
[mike@ipaclient ~]$ rpm -qa|grep ipa
ipa-admintools-2.2.0-16.el6.x86_64
python-iniparse-0.3.1-2.1.el6.noarch
ipa-python-2.2.0-16.el6.x86_64
libipa_hbac-python-1.8.0-32.el6.x86_64
ipa-client-2.2.0-16.el6.x86_64
libipa_hbac-1.8.0-32.el6.x86_64
I have a webserver (zenoss) using kerberos authentication.
[root@zenoss ~]# rpm -qa|grep ipa
libipa_hbac-1.8.0-32.el6.x86_64
libipa_hbac-python-1.8.0-32.el6.x86_64
ipa-python-2.2.0-16.el6.x86_64
ipa-client-2.2.0-16.el6.x86_64
python-iniparse-0.3.1-2.1.el6.noarch
ipa-admintools-2.2.0-16.el6.x86_64
Location /
SSLRequireSSL
AuthType Kerberos
AuthName Kerberos Login
KrbMethodK5Passwd Off
KrbAuthRealms MPLS.LOCAL
KrbSaveCredentials on
KrbServiceName HTTP
Krb5KeyTab /etc/http/conf.d/http.keytab
AuthLDAPUrl ldap://ipaserver.mpls.local
ipaserver2.mpls.local/dc=mpls,dc=local?krbPrincipalName
RequestHeader set X_REMOTE_USER %{remoteUser}e
require ldap-group
cn=zenuser,cn=groups,cn=accounts,dc=mpls,dc=local
/Location
With both ipaserver and ipaserver2 'up', if I connect to
https://zenoss.mpls.local from ipaclient using firefox, I am
successfully connected. If on ipaserver I do a 'ifdown eth0' and
attempt another connection, it fails. I have also noticed the
following:
1. I am unable to use the ipaserver2 management interface when
ipaserver is unavailable.
2. It takes a longer period of time to do a kinit
If the I then perform:
[root@ipaserver ~]#ifup eth0
[root@ipaserver2 ~]#ifdown eth0
[mike@ipaclient ~]$kinit
kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while
getting initial credentials
[root@ipaserver2 ~]#ifup eth0
[mike@ipaclient ~]$ kinit
Password for mike@MPLS.LOCAL:
[mike@ipaclient ~]$
[root@ipaserver2 ~]#ifdown eth0
.. wait number of minutes
ipaclient screen locks - type password - after a short delay (~7
seconds) screen unlock compeletes
[mike@ipaclient ~]$kinit
Password for mike@MPLS.LOCAL:
[mike@ipaclient ~]$
Any ideas?
Thanks,
Mike
This seems to be some DNS problem.
You client does not see the second replica and might have some name
resolution timeouts.
Please check your dns setup and krb5.conf on the client.
To help more we need more details about you client configuration
DNS and
kerberos.
Hi,
Additional information...
[root@zenoss ~]#more /etc/resolv.conf
search mpls.local
domain mpls.local
nameserver 172.16.112.5
nameserver 172.16.112.8
[root@zenoss ~]# more /etc/krb5.conf
#File modified by ipa-client-install
[libdefaults]
default_realm = MPLS.LOCAL
dns_lookup_realm = true
dns_lookup_kdc = true
rdns = false
ticket_lifetime = 24h
forwardable = yes
[realms]
MPLS.LOCAL = {
pkinit_anchors = FILE:/etc/ipa/ca.crt
}
[domain_realm]
.mpls.local = MPLS.LOCAL
mpls.local = MPLS.LOCAL
[root@ipaclient ~]# more /etc/resolv.conf
# Generated by NetworkManager
search mpls.local
nameserver 172.16.112.5
nameserver 172.16.112.8
[root@ipaclient ~]# more /etc/krb5.conf
#File modified by ipa-client-install
[libdefaults]
default_realm = MPLS.LOCAL
dns_lookup_realm = true
dns_lookup_kdc = true
rdns
[Freeipa-users] Announcing FreeIPA v3.0.0 beta 3
The FreeIPA team is proud to announce version FreeIPA v3.0.0 beta 3. It can be downloaded from http://www.freeipa.org/page/Downloads. A build is available only for Fedora 17 via the freeipa-devel repo on www.freeipa.org: http://freeipa.org/downloads/freeipa-devel.repo . To install in Fedora 17 the updates repo repository needs to be enabled as well. For additional information see the AD Trust design page http://freeipa.org/page/IPAv3_AD_trust and the AD Trust testing page http://freeipa.org/page/IPAv3_testing_AD_trust. == Highlights since 3.0.0 beta 2 == * Cooperate with new 389-ds-base winsync POSIX plugin so that AD POSIX attribute can be synced with IPA. * Improvements to schema upgrade process. * Prevent last admin from being disabled. * Exclude some attributes from replication. * Notify success on add, delete and update in UI. * Set the e-mail attribute on new users by default. * Rename range commands to idrange, * Improvements to idrange command-line. * SSH public key format has been changed to OpenSSH-style public keys. == Upgrading == An IPA server can be upgraded simply by installing updated rpms. The server does not need to be shut down in advance. If you have multiple servers you may upgrade them one at a time. It is expected that all servers will be upgraded in a relatively short period (days or weeks not months). They should be able to co-exist peacefully but new features will not be available on old servers and enrolling a new client against an old server will result in the SSH keys not being uploaded. Downgrading a server once upgraded is not supported. Upgrading from 2.2.0 should work but has not been fully tested. Proceed with caution. An enrolled client does not need the new packages installed unless you want to re-enroll it. SSH keys for already installed clients are not uploaded, you will have to re-enroll the client or manually upload the keys. == Feedback == Please provide comments, bugs and other feedback via the freeipa-devel mailing list: http://www.redhat.com/mailman/listinfo/freeipa-devel == Detailed changelog == Alexander Bokovoy (4): * Recover from invalid cached kerberos credentials in ipasam * Fix ipasam ipaNThash magic regen to actually fetch updated password * Add ACI to allow regenerating ipaNTHash from ipasam * Ask for admin password in ipa-adtrust-install Jan Cholasta (1): * Use OpenSSH-style public keys as the preferred format of SSH public keys. John Dennis (4): * DN objects hash differently depending on case * ipactl exception not handled well * ipa user-find --manager does not find matches * prevent last admin from being disabled Martin Kosek (12): * Read DM password from option in external CA install * Fix client-only build * Fix managedBy label for DNS zone * Update Contributors.txt file * Make replica install more robust * Add safe updates for objectClasses * Allow localhost in zone ACIs * Transfer long numbers over XMLRPC * Fix DNS SOA serial parameters boundaries * Add range safety check for range_mod and range_del * Update DNS zone allow-query validation test * Cast DNS SOA serial maximum boundary to long Petr Viktorin (3): * Internationalization for public errors * Run ntpdate in verbose mode, not debug (i.e. no-op) mode * Add nsds5ReplicaStripAttrs to replica agreements Petr Vobornik (15): * Range Web UI * Revert change causing failure in test automation * Fix issue which broke setup of Web UI unit tests * Successful action notification * Password policy paging with proper sorting * Fixed search in HBAC test * Permissions: select only applicable options on type change * Notify success on add, delete and update * Fixed metadata serialization of Numbers and DNs * Added decimal checks to metadata validator * Generated metadata for testing updated * Fixed problem while deleting entry with unsaved changes * Allow localhost in zone ACIs - Web UI * Update of confirmation of actions * Reflect API change of SSH store in Web UI Rob Crittenden (8): * Don't generate password history error if history is set to 0. * Restrict the SELinux user map user MLS value to 0-1023 * Support the new Winsync POSIX API. * Set minimum of 389-ds-base to 1.2.11.8 to pick up cache warning. * Add version to replica prepare file, prevent installing to older version * Set the e-mail attribute using the default domain name by default * Fix some restart script issues found with certificate renewal. * Become IPA v3 beta 3 (3.0.0.pre3) Sumit Bose (27): * Use libsamba-security instead of libsecurity * ipadb_iterate(): handle match_entry == NULL * ipasam: cleanup explicit dependencies to samba libs * Make encode_ntlm_keys() public * ipasam: remove nt_lm_owf_gen() and dependency to libcliauth.so * ipasam: remove sid_peek_rid() * ipasam: replace strnequal() * ipasam: remove strlower_m() * ipasam: remove talloc_asprintf_strupper_m() * ipasam: replace sid_copy() * ipasam: replace sid_compose() * ipasam: Replace is_null_sid() * ipasam: Replace
Re: [Freeipa-users] errors when one ipa server down
On Mon, 2012-09-10 at 16:36 +0200, Sumit Bose wrote: What about defining a task in the SSSD krb5 provider instead of pinging it from the locator plugin. The task can run at a configurable interval or never and checks if the current KDC is available. If not it tries the next until it goes offline if no reachable KDC can be found and updates or deletes the info file for the locator plugin.. This leave us with the question how to ping a KDC properly, but this we have to find out for either case. I am not a fan of generating load for the KDC unnecessarily. Simo. -- Simo Sorce * Red Hat, Inc * New York ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] errors when one ipa server down
Simo Sorce wrote: On Mon, 2012-09-10 at 16:36 +0200, Sumit Bose wrote: What about defining a task in the SSSD krb5 provider instead of pinging it from the locator plugin. The task can run at a configurable interval or never and checks if the current KDC is available. If not it tries the next until it goes offline if no reachable KDC can be found and updates or deletes the info file for the locator plugin.. This leave us with the question how to ping a KDC properly, but this we have to find out for either case. I am not a fan of generating load for the KDC unnecessarily. Simo. I tend to agree but this can be a real pain to debug because depending on the current state of sssd you have to either check krb5.conf or the sssd locator to see what KDC is configured. rob ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] errors when one ipa server down
On Mon, 2012-09-10 at 11:11 -0400, Rob Crittenden wrote: Simo Sorce wrote: On Mon, 2012-09-10 at 16:36 +0200, Sumit Bose wrote: What about defining a task in the SSSD krb5 provider instead of pinging it from the locator plugin. The task can run at a configurable interval or never and checks if the current KDC is available. If not it tries the next until it goes offline if no reachable KDC can be found and updates or deletes the info file for the locator plugin.. This leave us with the question how to ping a KDC properly, but this we have to find out for either case. I am not a fan of generating load for the KDC unnecessarily. Simo. I tend to agree but this can be a real pain to debug because depending on the current state of sssd you have to either check krb5.conf or the sssd locator to see what KDC is configured. [moving to freeipa-devel] Yes but the solution is to do on-demand requests when something doesn't work. Because otherwise you still get the odd failure. Assume you check in 5 min intervals, and the KDC goes off 1 sec after the check, for 5 minutes you still have a wrong KDC in the locator and still get failures. So you loaded the KDC with ~300 request per day per client, and you still have high odds that on failure your locator file will still be 'wrong'. Simo. -- Simo Sorce * Red Hat, Inc * New York ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
[Freeipa-users] Adding indexes for the automounter - odd results
Hi, I added indexes for automountKey, and automountmapname yesterday in my test environment to see if that would speed the automounters up a bit, and now the automounters does not always work. They manage to look up the map, but not the keys in the map. Restarting the automounter sometimes work for some maps, but then the other maps stop working. Below is an example from the messages file when doing doing ls /prog. Sep 10 19:55:22 mordor automount[3041]: lookup_mount: lookup(ldap): looking up nagios Sep 10 19:55:22 mordor automount[3041]: find_dc_server: trying server uri ldap://ipa01.ix.test.com:389 Sep 10 19:55:22 mordor automount[3041]: do_bind: lookup(ldap): auth_required: 2, sasl_mech GSSAPI Sep 10 19:55:22 mordor automount[3041]: sasl_bind_mech: Attempting sasl bind with mechanism GSSAPI Sep 10 19:55:22 mordor automount[3041]: getuser_func: called with context (nil), id 16385. Sep 10 19:55:22 mordor automount[3041]: getuser_func: called with context (nil), id 16385. Sep 10 19:55:22 mordor automount[3041]: sasl_bind_mech: sasl bind with mechanism GSSAPI succeeded Sep 10 19:55:22 mordor automount[3041]: do_bind: lookup(ldap): autofs_sasl_bind returned 0 Sep 10 19:55:22 mordor automount[3041]: connected to uri ldap://ipa01.ix.test.com:389 Sep 10 19:55:22 mordor automount[3041]: lookup_one: lookup(ldap): searching for ((objectclass=automount)(|(automountKey=nagios)(automountKey=/)(automountKey=\2A))) under automountmapname=auto_prog,cn=svg1,cn=automount,dc=ix,dc=test,dc=com Sep 10 19:55:22 mordor automount[3041]: lookup_one: lookup(ldap): getting first entry for automountKey=nagios Sep 10 19:55:22 mordor automount[3041]: lookup_one: lookup(ldap): got answer, but no entry for ((objectclass=automount)(|(automountKey=nagios)(automountKey=/)(automountKey=\2A))) Sep 10 19:55:22 mordor automount[3041]: dev_ioctl_send_fail: token = 798 Sep 10 19:55:22 mordor automount[3041]: failed to mount /prog/nagios Sep 10 19:55:22 mordor automount[3041]: handle_packet: type = 3 Sep 10 19:55:22 mordor automount[3041]: handle_packet_missing_indirect: token 799, name os, request pid 3233 All folders return like this: ls: cannot access /prog/nagios: No such file or directory The 389-ds access log looks like this: [10/Sep/2012:19:59:47 +0200] conn=1821 op=1 BIND dn= method=sasl version=3 mech=GSSAPI [10/Sep/2012:19:59:47 +0200] conn=1821 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress [10/Sep/2012:19:59:47 +0200] conn=1821 op=2 BIND dn= method=sasl version=3 mech=GSSAPI [10/Sep/2012:19:59:47 +0200] conn=1821 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn=fqdn=mordor.ix.test.com,cn=computers,cn=accounts,dc=ix,dc=test,dc=com [10/Sep/2012:19:59:47 +0200] conn=1821 op=3 SRCH base=automountmapname=auto_prog,cn=svg1,cn=automount,dc=ix,dc=test,dc=com scope=2 filter=((objectClass=automount)(|(automountKey=utils)(automountKey=/)(automountKey=\2a))) attrs=automountKey automountInformation [10/Sep/2012:19:59:47 +0200] conn=1821 op=3 RESULT err=0 tag=101 nentries=0 etime=0 [10/Sep/2012:19:59:47 +0200] conn=1821 op=4 UNBIND [10/Sep/2012:19:59:47 +0200] conn=1821 op=4 fd=86 closed - U1 Running the query manually return: ~$ ldapsearch -YGSSAPI -b automountmapname=auto_prog,cn=svg1,cn=automount,dc=ix,dc=test,dc=com '((objectClass=automount)(|(automountKey=utils)(automountKey=/)(automountKey=\2a)))' SASL/GSSAPI authentication started SASL username: u...@ix.test.com SASL SSF: 56 SASL data security layer installed. # extended LDIF # # LDAPv3 # base automountmapname=auto_prog,cn=svg1,cn=automount,dc=ix,dc=test,dc=com with scope subtree # filter: ((objectClass=automount)(|(automountKey=utils)(automountKey=/)(automountKey=\2a))) # requesting: ALL # # search result search: 4 result: 0 Success # numResponses: 1 Running this search without any filter returns: $ ldapsearch -YGSSAPI -b automountmapname=auto_prog,cn=svg1,cn=automount,dc=ix,dc=test,dc=com lot of stuff cut away # utils -vers\3D3\2Csec\3Dsys filer01:/volumes/p00/prog/utils, auto_prog, svg1, automount, ix.test.com dn: description=utils -vers\3D3\2Csec\3Dsys filer01:/volumes/p00/prog/util s,automountmapname=auto_prog,cn=svg1,cn=automount,dc=ix,dc=test,dc=com description: utils -vers=3,sec=sys filer01:/volumes/p00/prog/utils automountInformation: -vers=3,sec=sys filer01:/volumes/p00/prog/utils automountKey: utils objectClass: automount objectClass: top lot of stuff cut away The two indexes I created are these: # automountkey, index, userRoot, ldbm database, plugins, config dn: cn=automountkey,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config cn: automountkey objectClass: top objectClass: nsIndex nsSystemIndex: false nsIndexType: eq # automountmapname, index, userRoot, ldbm database, plugins, config dn: cn=automountmapname,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=co nfig cn: automountmapname objectClass: top objectClass: nsIndex nsSystemIndex: false nsIndexType: eq And
[Freeipa-users] KRB5 keytab not always created or updated on RHEL 5
Hi, We are using pam_ldap + pam_krb5 on our RHEL 5 workstations. Sometimes when the user logs in, or unlocks his workstation the users kerberos keytab is not created or updated. Often, just locking the screen with the screensaver and unlocking again creates or updates the keytab file. I've had a look at /var/log/secure without getting any smarter. Does anyone have a suggestion to what might be going on here? Regards, Siggi ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Adding indexes for the automounter - odd results
On 09/10/2012 01:59 PM, Sigbjorn Lie wrote: Hi, I added indexes for automountKey, and automountmapname yesterday in my test environment to see if that would speed the automounters up a bit, and now the automounters does not always work. They manage to look up the map, but not the keys in the map. Restarting the automounter sometimes work for some maps, but then the other maps stop working. Below is an example from the messages file when doing doing ls /prog. Sep 10 19:55:22 mordor automount[3041]: lookup_mount: lookup(ldap): looking up nagios Sep 10 19:55:22 mordor automount[3041]: find_dc_server: trying server uri ldap://ipa01.ix.test.com:389 Sep 10 19:55:22 mordor automount[3041]: do_bind: lookup(ldap): auth_required: 2, sasl_mech GSSAPI Sep 10 19:55:22 mordor automount[3041]: sasl_bind_mech: Attempting sasl bind with mechanism GSSAPI Sep 10 19:55:22 mordor automount[3041]: getuser_func: called with context (nil), id 16385. Sep 10 19:55:22 mordor automount[3041]: getuser_func: called with context (nil), id 16385. Sep 10 19:55:22 mordor automount[3041]: sasl_bind_mech: sasl bind with mechanism GSSAPI succeeded Sep 10 19:55:22 mordor automount[3041]: do_bind: lookup(ldap): autofs_sasl_bind returned 0 Sep 10 19:55:22 mordor automount[3041]: connected to uri ldap://ipa01.ix.test.com:389 Sep 10 19:55:22 mordor automount[3041]: lookup_one: lookup(ldap): searching for ((objectclass=automount)(|(automountKey=nagios)(automountKey=/)(automountKey=\2A))) under automountmapname=auto_prog,cn=svg1,cn=automount,dc=ix,dc=test,dc=com Sep 10 19:55:22 mordor automount[3041]: lookup_one: lookup(ldap): getting first entry for automountKey=nagios Sep 10 19:55:22 mordor automount[3041]: lookup_one: lookup(ldap): got answer, but no entry for ((objectclass=automount)(|(automountKey=nagios)(automountKey=/)(automountKey=\2A))) Sep 10 19:55:22 mordor automount[3041]: dev_ioctl_send_fail: token = 798 Sep 10 19:55:22 mordor automount[3041]: failed to mount /prog/nagios Sep 10 19:55:22 mordor automount[3041]: handle_packet: type = 3 Sep 10 19:55:22 mordor automount[3041]: handle_packet_missing_indirect: token 799, name os, request pid 3233 All folders return like this: ls: cannot access /prog/nagios: No such file or directory The 389-ds access log looks like this: [10/Sep/2012:19:59:47 +0200] conn=1821 op=1 BIND dn= method=sasl version=3 mech=GSSAPI [10/Sep/2012:19:59:47 +0200] conn=1821 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress [10/Sep/2012:19:59:47 +0200] conn=1821 op=2 BIND dn= method=sasl version=3 mech=GSSAPI [10/Sep/2012:19:59:47 +0200] conn=1821 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn=fqdn=mordor.ix.test.com,cn=computers,cn=accounts,dc=ix,dc=test,dc=com [10/Sep/2012:19:59:47 +0200] conn=1821 op=3 SRCH base=automountmapname=auto_prog,cn=svg1,cn=automount,dc=ix,dc=test,dc=com scope=2 filter=((objectClass=automount)(|(automountKey=utils)(automountKey=/)(automountKey=\2a))) attrs=automountKey automountInformation [10/Sep/2012:19:59:47 +0200] conn=1821 op=3 RESULT err=0 tag=101 nentries=0 etime=0 [10/Sep/2012:19:59:47 +0200] conn=1821 op=4 UNBIND [10/Sep/2012:19:59:47 +0200] conn=1821 op=4 fd=86 closed - U1 Running the query manually return: ~$ ldapsearch -YGSSAPI -b automountmapname=auto_prog,cn=svg1,cn=automount,dc=ix,dc=test,dc=com '((objectClass=automount)(|(automountKey=utils)(automountKey=/)(automountKey=\2a)))' SASL/GSSAPI authentication started SASL username: u...@ix.test.com SASL SSF: 56 SASL data security layer installed. # extended LDIF # # LDAPv3 # base automountmapname=auto_prog,cn=svg1,cn=automount,dc=ix,dc=test,dc=com with scope subtree # filter: ((objectClass=automount)(|(automountKey=utils)(automountKey=/)(automountKey=\2a))) # requesting: ALL # # search result search: 4 result: 0 Success # numResponses: 1 Running this search without any filter returns: $ ldapsearch -YGSSAPI -b automountmapname=auto_prog,cn=svg1,cn=automount,dc=ix,dc=test,dc=com lot of stuff cut away # utils -vers\3D3\2Csec\3Dsys filer01:/volumes/p00/prog/utils, auto_prog, svg1, automount, ix.test.com dn: description=utils -vers\3D3\2Csec\3Dsys filer01:/volumes/p00/prog/util s,automountmapname=auto_prog,cn=svg1,cn=automount,dc=ix,dc=test,dc=com description: utils -vers=3,sec=sys filer01:/volumes/p00/prog/utils automountInformation: -vers=3,sec=sys filer01:/volumes/p00/prog/utils automountKey: utils objectClass: automount objectClass: top lot of stuff cut away The two indexes I created are these: # automountkey, index, userRoot, ldbm database, plugins, config dn: cn=automountkey,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config cn: automountkey objectClass: top objectClass: nsIndex nsSystemIndex: false nsIndexType: eq # automountmapname, index, userRoot, ldbm database, plugins, config dn: cn=automountmapname,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=co nfig cn: automountmapname objectClass: top objectClass:
Re: [Freeipa-users] Adding indexes for the automounter - odd results
On 09/10/2012 10:36 PM, Rich Megginson wrote: On 09/10/2012 01:59 PM, Sigbjorn Lie wrote: Hi, I added indexes for automountKey, and automountmapname yesterday in my test environment to see if that would speed the automounters up a bit, and now the automounters does not always work. They manage to look up the map, but not the keys in the map. Restarting the automounter sometimes work for some maps, but then the other maps stop working. Below is an example from the messages file when doing doing ls /prog. Sep 10 19:55:22 mordor automount[3041]: lookup_mount: lookup(ldap): looking up nagios Sep 10 19:55:22 mordor automount[3041]: find_dc_server: trying server uri ldap://ipa01.ix.test.com:389 Sep 10 19:55:22 mordor automount[3041]: do_bind: lookup(ldap): auth_required: 2, sasl_mech GSSAPI Sep 10 19:55:22 mordor automount[3041]: sasl_bind_mech: Attempting sasl bind with mechanism GSSAPI Sep 10 19:55:22 mordor automount[3041]: getuser_func: called with context (nil), id 16385. Sep 10 19:55:22 mordor automount[3041]: getuser_func: called with context (nil), id 16385. Sep 10 19:55:22 mordor automount[3041]: sasl_bind_mech: sasl bind with mechanism GSSAPI succeeded Sep 10 19:55:22 mordor automount[3041]: do_bind: lookup(ldap): autofs_sasl_bind returned 0 Sep 10 19:55:22 mordor automount[3041]: connected to uri ldap://ipa01.ix.test.com:389 Sep 10 19:55:22 mordor automount[3041]: lookup_one: lookup(ldap): searching for ((objectclass=automount)(|(automountKey=nagios)(automountKey=/)(automountKey=\2A))) under automountmapname=auto_prog,cn=svg1,cn=automount,dc=ix,dc=test,dc=com Sep 10 19:55:22 mordor automount[3041]: lookup_one: lookup(ldap): getting first entry for automountKey=nagios Sep 10 19:55:22 mordor automount[3041]: lookup_one: lookup(ldap): got answer, but no entry for ((objectclass=automount)(|(automountKey=nagios)(automountKey=/)(automountKey=\2A))) Sep 10 19:55:22 mordor automount[3041]: dev_ioctl_send_fail: token = 798 Sep 10 19:55:22 mordor automount[3041]: failed to mount /prog/nagios Sep 10 19:55:22 mordor automount[3041]: handle_packet: type = 3 Sep 10 19:55:22 mordor automount[3041]: handle_packet_missing_indirect: token 799, name os, request pid 3233 All folders return like this: ls: cannot access /prog/nagios: No such file or directory The 389-ds access log looks like this: [10/Sep/2012:19:59:47 +0200] conn=1821 op=1 BIND dn= method=sasl version=3 mech=GSSAPI [10/Sep/2012:19:59:47 +0200] conn=1821 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress [10/Sep/2012:19:59:47 +0200] conn=1821 op=2 BIND dn= method=sasl version=3 mech=GSSAPI [10/Sep/2012:19:59:47 +0200] conn=1821 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn=fqdn=mordor.ix.test.com,cn=computers,cn=accounts,dc=ix,dc=test,dc=com [10/Sep/2012:19:59:47 +0200] conn=1821 op=3 SRCH base=automountmapname=auto_prog,cn=svg1,cn=automount,dc=ix,dc=test,dc=com scope=2 filter=((objectClass=automount)(|(automountKey=utils)(automountKey=/)(automountKey=\2a))) attrs=automountKey automountInformation [10/Sep/2012:19:59:47 +0200] conn=1821 op=3 RESULT err=0 tag=101 nentries=0 etime=0 [10/Sep/2012:19:59:47 +0200] conn=1821 op=4 UNBIND [10/Sep/2012:19:59:47 +0200] conn=1821 op=4 fd=86 closed - U1 Running the query manually return: ~$ ldapsearch -YGSSAPI -b automountmapname=auto_prog,cn=svg1,cn=automount,dc=ix,dc=test,dc=com '((objectClass=automount)(|(automountKey=utils)(automountKey=/)(automountKey=\2a)))' SASL/GSSAPI authentication started SASL username: u...@ix.test.com SASL SSF: 56 SASL data security layer installed. # extended LDIF # # LDAPv3 # base automountmapname=auto_prog,cn=svg1,cn=automount,dc=ix,dc=test,dc=com with scope subtree # filter: ((objectClass=automount)(|(automountKey=utils)(automountKey=/)(automountKey=\2a))) # requesting: ALL # # search result search: 4 result: 0 Success # numResponses: 1 Running this search without any filter returns: $ ldapsearch -YGSSAPI -b automountmapname=auto_prog,cn=svg1,cn=automount,dc=ix,dc=test,dc=com lot of stuff cut away # utils -vers\3D3\2Csec\3Dsys filer01:/volumes/p00/prog/utils, auto_prog, svg1, automount, ix.test.com dn: description=utils -vers\3D3\2Csec\3Dsys filer01:/volumes/p00/prog/util s,automountmapname=auto_prog,cn=svg1,cn=automount,dc=ix,dc=test,dc=com description: utils -vers=3,sec=sys filer01:/volumes/p00/prog/utils automountInformation: -vers=3,sec=sys filer01:/volumes/p00/prog/utils automountKey: utils objectClass: automount objectClass: top lot of stuff cut away The two indexes I created are these: # automountkey, index, userRoot, ldbm database, plugins, config dn: cn=automountkey,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config cn: automountkey objectClass: top objectClass: nsIndex nsSystemIndex: false nsIndexType: eq # automountmapname, index, userRoot, ldbm database, plugins, config dn: cn=automountmapname,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=co nfig cn:
[Freeipa-users] slow ssh
Hi, Not sure if this is an IPA issue but Im finding ssh takes long time to login. It looks like ssh is querying IPA for authentication mechanisms?...if so can I simply turn this off? and if so how? regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Adding indexes for the automounter - odd results
On 09/10/2012 03:01 PM, Sigbjorn Lie wrote: On 09/10/2012 10:36 PM, Rich Megginson wrote: On 09/10/2012 01:59 PM, Sigbjorn Lie wrote: Hi, I added indexes for automountKey, and automountmapname yesterday in my test environment to see if that would speed the automounters up a bit, and now the automounters does not always work. They manage to look up the map, but not the keys in the map. Restarting the automounter sometimes work for some maps, but then the other maps stop working. Below is an example from the messages file when doing doing ls /prog. Sep 10 19:55:22 mordor automount[3041]: lookup_mount: lookup(ldap): looking up nagios Sep 10 19:55:22 mordor automount[3041]: find_dc_server: trying server uri ldap://ipa01.ix.test.com:389 Sep 10 19:55:22 mordor automount[3041]: do_bind: lookup(ldap): auth_required: 2, sasl_mech GSSAPI Sep 10 19:55:22 mordor automount[3041]: sasl_bind_mech: Attempting sasl bind with mechanism GSSAPI Sep 10 19:55:22 mordor automount[3041]: getuser_func: called with context (nil), id 16385. Sep 10 19:55:22 mordor automount[3041]: getuser_func: called with context (nil), id 16385. Sep 10 19:55:22 mordor automount[3041]: sasl_bind_mech: sasl bind with mechanism GSSAPI succeeded Sep 10 19:55:22 mordor automount[3041]: do_bind: lookup(ldap): autofs_sasl_bind returned 0 Sep 10 19:55:22 mordor automount[3041]: connected to uri ldap://ipa01.ix.test.com:389 Sep 10 19:55:22 mordor automount[3041]: lookup_one: lookup(ldap): searching for ((objectclass=automount)(|(automountKey=nagios)(automountKey=/)(automountKey=\2A))) under automountmapname=auto_prog,cn=svg1,cn=automount,dc=ix,dc=test,dc=com Sep 10 19:55:22 mordor automount[3041]: lookup_one: lookup(ldap): getting first entry for automountKey=nagios Sep 10 19:55:22 mordor automount[3041]: lookup_one: lookup(ldap): got answer, but no entry for ((objectclass=automount)(|(automountKey=nagios)(automountKey=/)(automountKey=\2A))) Sep 10 19:55:22 mordor automount[3041]: dev_ioctl_send_fail: token = 798 Sep 10 19:55:22 mordor automount[3041]: failed to mount /prog/nagios Sep 10 19:55:22 mordor automount[3041]: handle_packet: type = 3 Sep 10 19:55:22 mordor automount[3041]: handle_packet_missing_indirect: token 799, name os, request pid 3233 All folders return like this: ls: cannot access /prog/nagios: No such file or directory The 389-ds access log looks like this: [10/Sep/2012:19:59:47 +0200] conn=1821 op=1 BIND dn= method=sasl version=3 mech=GSSAPI [10/Sep/2012:19:59:47 +0200] conn=1821 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress [10/Sep/2012:19:59:47 +0200] conn=1821 op=2 BIND dn= method=sasl version=3 mech=GSSAPI [10/Sep/2012:19:59:47 +0200] conn=1821 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn=fqdn=mordor.ix.test.com,cn=computers,cn=accounts,dc=ix,dc=test,dc=com [10/Sep/2012:19:59:47 +0200] conn=1821 op=3 SRCH base=automountmapname=auto_prog,cn=svg1,cn=automount,dc=ix,dc=test,dc=com scope=2 filter=((objectClass=automount)(|(automountKey=utils)(automountKey=/)(automountKey=\2a))) attrs=automountKey automountInformation [10/Sep/2012:19:59:47 +0200] conn=1821 op=3 RESULT err=0 tag=101 nentries=0 etime=0 [10/Sep/2012:19:59:47 +0200] conn=1821 op=4 UNBIND [10/Sep/2012:19:59:47 +0200] conn=1821 op=4 fd=86 closed - U1 Running the query manually return: ~$ ldapsearch -YGSSAPI -b automountmapname=auto_prog,cn=svg1,cn=automount,dc=ix,dc=test,dc=com '((objectClass=automount)(|(automountKey=utils)(automountKey=/)(automountKey=\2a)))' SASL/GSSAPI authentication started SASL username: u...@ix.test.com SASL SSF: 56 SASL data security layer installed. # extended LDIF # # LDAPv3 # base automountmapname=auto_prog,cn=svg1,cn=automount,dc=ix,dc=test,dc=com with scope subtree # filter: ((objectClass=automount)(|(automountKey=utils)(automountKey=/)(automountKey=\2a))) # requesting: ALL # # search result search: 4 result: 0 Success # numResponses: 1 Running this search without any filter returns: $ ldapsearch -YGSSAPI -b automountmapname=auto_prog,cn=svg1,cn=automount,dc=ix,dc=test,dc=com lot of stuff cut away # utils -vers\3D3\2Csec\3Dsys filer01:/volumes/p00/prog/utils, auto_prog, svg1, automount, ix.test.com dn: description=utils -vers\3D3\2Csec\3Dsys filer01:/volumes/p00/prog/util s,automountmapname=auto_prog,cn=svg1,cn=automount,dc=ix,dc=test,dc=com description: utils -vers=3,sec=sys filer01:/volumes/p00/prog/utils automountInformation: -vers=3,sec=sys filer01:/volumes/p00/prog/utils automountKey: utils objectClass: automount objectClass: top lot of stuff cut away The two indexes I created are these: # automountkey, index, userRoot, ldbm database, plugins, config dn: cn=automountkey,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config cn: automountkey objectClass: top objectClass: nsIndex nsSystemIndex: false nsIndexType: eq # automountmapname, index, userRoot, ldbm database, plugins, config dn:
[Freeipa-users] Do you use logrotate?
Hello, Does anyone use logrotate? If so can you share you configuration and recommendations with us? Is there anything that one should make sure while using logrotate with IPA? For example if the ownership of the log files changes due to wrong logrotate configuration the dis srv might not start. Have you seen something like this? Have you seen something else that would be valuable for others to consider when configuring logrotate with IPA? -- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. --- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] slow ssh
Steven Jones wrote: Hi, Not sure if this is an IPA issue but Im finding ssh takes long time to login. It looks like ssh is querying IPA for authentication mechanisms?...if so can I simply turn this off? and if so how? Run in verbose mode to see what it's doing, ssh -vv. It may be trying several auth mechanisms which can be slow. rob ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Question about migration and scripts variables
Back from hollidays... I have just trying --user-ignore-attribute=uidnumber,gidnumber, the server says that the posixAccount attribute requires uid and gid number. I will find another solution to solve my problem. James 2012/8/20 Rob Crittenden rcrit...@redhat.com James James wrote: Hi, my first question is about the migrate process. Is it possible to renumber the users during the migrate process (ipa migrate-ds) in a way that all imported users will have a new UID ? I haven't tested this but you might try --user-ignore-attribute=** uidnumber,gidnumber. my second question is about ipalib. I wanted to make a hook on the user creation. The hook works fine. I just want to know if there is a way to have the value of variables like the username, the name of the creator, the e-mail of the creator and stuff like that. The current user is available via: principal = getattr(context, 'principal') Using this you can look up that user: (binddn, bindattrs) = find_entry_by_attr(**krbprincipalname, principal, krbPrincipalAux) rob ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] slow ssh
On 09/10/2012 05:16 PM, Steven Jones wrote: Hi, Not sure if this is an IPA issue but Im finding ssh takes long time to login. It looks like ssh is querying IPA for authentication mechanisms?...if so can I simply turn this off? and if so how? Is it the problem on the SSH client or on the SSH server? Can you provide ssh configuration file(s) and sssd.conf? What version do you use (ssh and sssd)? Could it be that you tried the tech preview ipa-client SSH integration feature when installed ipa-client? regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users -- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. --- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] slow ssh
On Mon, Sep 10, 2012 at 4:16 PM, Steven Jones steven.jo...@vuw.ac.nz wrote: Hi, Not sure if this is an IPA issue but Im finding ssh takes long time to login. It looks like ssh is querying IPA for authentication mechanisms?...if so can I simply turn this off? and if so how? Slow SSH is (in my experience, anyway) usually a DNS problem. Are you using IPA for DNS, or external? Either way, is reverse DNS working? I had an issue recently with users complaining about slow logins, but it turned out that bind on my primary IPA box died (I have no idea how.) Since resolv.conf goes in order, it would hit the primary, time out, then fail over to the other DNS servers. Once I restarted bind everything was fine again. I'm still investigating what happened, but there's only so much time in a day. As for auth mechanisms -- those are defined in your sshd_config, but why would you want to turn that off? That's the whole point of IPA. I'm probably misunderstanding something, though. :) -- The government is going to read our mail anyway, might as well make it tough for them. GPG Public key ID: B6A1A7C6 ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Adding indexes for the automounter - odd results
On 09/10/2012 05:27 PM, Rich Megginson wrote: On 09/10/2012 03:01 PM, Sigbjorn Lie wrote: On 09/10/2012 10:36 PM, Rich Megginson wrote: On 09/10/2012 01:59 PM, Sigbjorn Lie wrote: Hi, I added indexes for automountKey, and automountmapname yesterday in my test environment to see if that would speed the automounters up a bit, and now the automounters does not always work. They manage to look up the map, but not the keys in the map. Restarting the automounter sometimes work for some maps, but then the other maps stop working. Below is an example from the messages file when doing doing ls /prog. Sep 10 19:55:22 mordor automount[3041]: lookup_mount: lookup(ldap): looking up nagios Sep 10 19:55:22 mordor automount[3041]: find_dc_server: trying server uri ldap://ipa01.ix.test.com:389 Sep 10 19:55:22 mordor automount[3041]: do_bind: lookup(ldap): auth_required: 2, sasl_mech GSSAPI Sep 10 19:55:22 mordor automount[3041]: sasl_bind_mech: Attempting sasl bind with mechanism GSSAPI Sep 10 19:55:22 mordor automount[3041]: getuser_func: called with context (nil), id 16385. Sep 10 19:55:22 mordor automount[3041]: getuser_func: called with context (nil), id 16385. Sep 10 19:55:22 mordor automount[3041]: sasl_bind_mech: sasl bind with mechanism GSSAPI succeeded Sep 10 19:55:22 mordor automount[3041]: do_bind: lookup(ldap): autofs_sasl_bind returned 0 Sep 10 19:55:22 mordor automount[3041]: connected to uri ldap://ipa01.ix.test.com:389 Sep 10 19:55:22 mordor automount[3041]: lookup_one: lookup(ldap): searching for ((objectclass=automount)(|(automountKey=nagios)(automountKey=/)(automountKey=\2A))) under automountmapname=auto_prog,cn=svg1,cn=automount,dc=ix,dc=test,dc=com Sep 10 19:55:22 mordor automount[3041]: lookup_one: lookup(ldap): getting first entry for automountKey=nagios Sep 10 19:55:22 mordor automount[3041]: lookup_one: lookup(ldap): got answer, but no entry for ((objectclass=automount)(|(automountKey=nagios)(automountKey=/)(automountKey=\2A))) Sep 10 19:55:22 mordor automount[3041]: dev_ioctl_send_fail: token = 798 Sep 10 19:55:22 mordor automount[3041]: failed to mount /prog/nagios Sep 10 19:55:22 mordor automount[3041]: handle_packet: type = 3 Sep 10 19:55:22 mordor automount[3041]: handle_packet_missing_indirect: token 799, name os, request pid 3233 All folders return like this: ls: cannot access /prog/nagios: No such file or directory The 389-ds access log looks like this: [10/Sep/2012:19:59:47 +0200] conn=1821 op=1 BIND dn= method=sasl version=3 mech=GSSAPI [10/Sep/2012:19:59:47 +0200] conn=1821 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress [10/Sep/2012:19:59:47 +0200] conn=1821 op=2 BIND dn= method=sasl version=3 mech=GSSAPI [10/Sep/2012:19:59:47 +0200] conn=1821 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn=fqdn=mordor.ix.test.com,cn=computers,cn=accounts,dc=ix,dc=test,dc=com [10/Sep/2012:19:59:47 +0200] conn=1821 op=3 SRCH base=automountmapname=auto_prog,cn=svg1,cn=automount,dc=ix,dc=test,dc=com scope=2 filter=((objectClass=automount)(|(automountKey=utils)(automountKey=/)(automountKey=\2a))) attrs=automountKey automountInformation [10/Sep/2012:19:59:47 +0200] conn=1821 op=3 RESULT err=0 tag=101 nentries=0 etime=0 [10/Sep/2012:19:59:47 +0200] conn=1821 op=4 UNBIND [10/Sep/2012:19:59:47 +0200] conn=1821 op=4 fd=86 closed - U1 Running the query manually return: ~$ ldapsearch -YGSSAPI -b automountmapname=auto_prog,cn=svg1,cn=automount,dc=ix,dc=test,dc=com '((objectClass=automount)(|(automountKey=utils)(automountKey=/)(automountKey=\2a)))' SASL/GSSAPI authentication started SASL username: u...@ix.test.com SASL SSF: 56 SASL data security layer installed. # extended LDIF # # LDAPv3 # base automountmapname=auto_prog,cn=svg1,cn=automount,dc=ix,dc=test,dc=com with scope subtree # filter: ((objectClass=automount)(|(automountKey=utils)(automountKey=/)(automountKey=\2a))) # requesting: ALL # # search result search: 4 result: 0 Success # numResponses: 1 Running this search without any filter returns: $ ldapsearch -YGSSAPI -b automountmapname=auto_prog,cn=svg1,cn=automount,dc=ix,dc=test,dc=com lot of stuff cut away # utils -vers\3D3\2Csec\3Dsys filer01:/volumes/p00/prog/utils, auto_prog, svg1, automount, ix.test.com dn: description=utils -vers\3D3\2Csec\3Dsys filer01:/volumes/p00/prog/util s,automountmapname=auto_prog,cn=svg1,cn=automount,dc=ix,dc=test,dc=com description: utils -vers=3,sec=sys filer01:/volumes/p00/prog/utils automountInformation: -vers=3,sec=sys filer01:/volumes/p00/prog/utils automountKey: utils objectClass: automount objectClass: top lot of stuff cut away The two indexes I created are these: # automountkey, index, userRoot, ldbm database, plugins, config dn: cn=automountkey,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config cn: automountkey objectClass: top objectClass: nsIndex nsSystemIndex: false nsIndexType: eq #
Re: [Freeipa-users] slow ssh
[email re-sent to list] Hi Steven, Try ssh -o GSSAPIAuthentication=no your.host.name If that doesn't change anything, try adding -v to the command line and see where the delay is happening. /David On 2012-09-10 23:16, Steven Jones wrote: Hi, Not sure if this is an IPA issue but Im finding ssh takes long time to login. It looks like ssh is querying IPA for authentication mechanisms?...if so can I simply turn this off? and if so how? regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
[Freeipa-users] Subject for certificate request in ipa-server-install
Hi Everybody, I want to change the defaut Certifcate Authority automatically added want you want to make a certificate request. There were a thread about something like ( https://www.redhat.com/archives/freeipa-users/2012-April/msg00021.html) that but I don't know if there is the quick and nice solution. James ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Adding indexes for the automounter - odd results
On 09/10/2012 04:16 PM, Dmitri Pal wrote: On 09/10/2012 05:27 PM, Rich Megginson wrote: On 09/10/2012 03:01 PM, Sigbjorn Lie wrote: On 09/10/2012 10:36 PM, Rich Megginson wrote: On 09/10/2012 01:59 PM, Sigbjorn Lie wrote: Hi, I added indexes for automountKey, and automountmapname yesterday in my test environment to see if that would speed the automounters up a bit, and now the automounters does not always work. They manage to look up the map, but not the keys in the map. Restarting the automounter sometimes work for some maps, but then the other maps stop working. Below is an example from the messages file when doing doing ls /prog. Sep 10 19:55:22 mordor automount[3041]: lookup_mount: lookup(ldap): looking up nagios Sep 10 19:55:22 mordor automount[3041]: find_dc_server: trying server uri ldap://ipa01.ix.test.com:389 Sep 10 19:55:22 mordor automount[3041]: do_bind: lookup(ldap): auth_required: 2, sasl_mech GSSAPI Sep 10 19:55:22 mordor automount[3041]: sasl_bind_mech: Attempting sasl bind with mechanism GSSAPI Sep 10 19:55:22 mordor automount[3041]: getuser_func: called with context (nil), id 16385. Sep 10 19:55:22 mordor automount[3041]: getuser_func: called with context (nil), id 16385. Sep 10 19:55:22 mordor automount[3041]: sasl_bind_mech: sasl bind with mechanism GSSAPI succeeded Sep 10 19:55:22 mordor automount[3041]: do_bind: lookup(ldap): autofs_sasl_bind returned 0 Sep 10 19:55:22 mordor automount[3041]: connected to uri ldap://ipa01.ix.test.com:389 Sep 10 19:55:22 mordor automount[3041]: lookup_one: lookup(ldap): searching for ((objectclass=automount)(|(automountKey=nagios)(automountKey=/)(automountKey=\2A))) under automountmapname=auto_prog,cn=svg1,cn=automount,dc=ix,dc=test,dc=com Sep 10 19:55:22 mordor automount[3041]: lookup_one: lookup(ldap): getting first entry for automountKey=nagios Sep 10 19:55:22 mordor automount[3041]: lookup_one: lookup(ldap): got answer, but no entry for ((objectclass=automount)(|(automountKey=nagios)(automountKey=/)(automountKey=\2A))) Sep 10 19:55:22 mordor automount[3041]: dev_ioctl_send_fail: token = 798 Sep 10 19:55:22 mordor automount[3041]: failed to mount /prog/nagios Sep 10 19:55:22 mordor automount[3041]: handle_packet: type = 3 Sep 10 19:55:22 mordor automount[3041]: handle_packet_missing_indirect: token 799, name os, request pid 3233 All folders return like this: ls: cannot access /prog/nagios: No such file or directory The 389-ds access log looks like this: [10/Sep/2012:19:59:47 +0200] conn=1821 op=1 BIND dn= method=sasl version=3 mech=GSSAPI [10/Sep/2012:19:59:47 +0200] conn=1821 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress [10/Sep/2012:19:59:47 +0200] conn=1821 op=2 BIND dn= method=sasl version=3 mech=GSSAPI [10/Sep/2012:19:59:47 +0200] conn=1821 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn=fqdn=mordor.ix.test.com,cn=computers,cn=accounts,dc=ix,dc=test,dc=com [10/Sep/2012:19:59:47 +0200] conn=1821 op=3 SRCH base=automountmapname=auto_prog,cn=svg1,cn=automount,dc=ix,dc=test,dc=com scope=2 filter=((objectClass=automount)(|(automountKey=utils)(automountKey=/)(automountKey=\2a))) attrs=automountKey automountInformation [10/Sep/2012:19:59:47 +0200] conn=1821 op=3 RESULT err=0 tag=101 nentries=0 etime=0 [10/Sep/2012:19:59:47 +0200] conn=1821 op=4 UNBIND [10/Sep/2012:19:59:47 +0200] conn=1821 op=4 fd=86 closed - U1 Running the query manually return: ~$ ldapsearch -YGSSAPI -b automountmapname=auto_prog,cn=svg1,cn=automount,dc=ix,dc=test,dc=com '((objectClass=automount)(|(automountKey=utils)(automountKey=/)(automountKey=\2a)))' SASL/GSSAPI authentication started SASL username: u...@ix.test.com SASL SSF: 56 SASL data security layer installed. # extended LDIF # # LDAPv3 # base automountmapname=auto_prog,cn=svg1,cn=automount,dc=ix,dc=test,dc=com with scope subtree # filter: ((objectClass=automount)(|(automountKey=utils)(automountKey=/)(automountKey=\2a))) # requesting: ALL # # search result search: 4 result: 0 Success # numResponses: 1 Running this search without any filter returns: $ ldapsearch -YGSSAPI -b automountmapname=auto_prog,cn=svg1,cn=automount,dc=ix,dc=test,dc=com lot of stuff cut away # utils -vers\3D3\2Csec\3Dsys filer01:/volumes/p00/prog/utils, auto_prog, svg1, automount, ix.test.com dn: description=utils -vers\3D3\2Csec\3Dsys filer01:/volumes/p00/prog/util s,automountmapname=auto_prog,cn=svg1,cn=automount,dc=ix,dc=test,dc=com description: utils -vers=3,sec=sys filer01:/volumes/p00/prog/utils automountInformation: -vers=3,sec=sys filer01:/volumes/p00/prog/utils automountKey: utils objectClass: automount objectClass: top lot of stuff cut away The two indexes I created are these: # automountkey, index, userRoot, ldbm database, plugins, config dn: cn=automountkey,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config cn: automountkey objectClass: top objectClass: nsIndex nsSystemIndex: false nsIndexType: eq # automountmapname, index, userRoot, ldbm database, plugins, config dn:
Re: [Freeipa-users] slow ssh
Hi, It seems to be in my test environment so its probably not a full DNS setup is some of the problem. I didnt select the preview but Ive seen ssh logins that happen without a password so I assume that's at least partially why. regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Dmitri Pal [d...@redhat.com] Sent: Tuesday, 11 September 2012 10:12 a.m. To: freeipa-users@redhat.com Subject: Re: [Freeipa-users] slow ssh On 09/10/2012 05:16 PM, Steven Jones wrote: Hi, Not sure if this is an IPA issue but Im finding ssh takes long time to login. It looks like ssh is querying IPA for authentication mechanisms?...if so can I simply turn this off? and if so how? Is it the problem on the SSH client or on the SSH server? Can you provide ssh configuration file(s) and sssd.conf? What version do you use (ssh and sssd)? Could it be that you tried the tech preview ipa-client SSH integration feature when installed ipa-client? regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users -- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. --- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Subject for certificate request in ipa-server-install
On 09/10/2012 06:18 PM, James James wrote: Hi Everybody, I want to change the defaut Certifcate Authority automatically added want you want to make a certificate request. There were a thread about something like (https://www.redhat.com/archives/freeipa-users/2012-April/msg00021.html) that but I don't know if there is the quick and nice solution. James ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users Ticket is still not addressed https://fedorahosted.org/freeipa/ticket/2614 You are welcome to provide patches to help with this effort. However may be there is a way to change some value in the CA configuration manually which I am not aware of to put the CA name you want. Worth asking people on #dogtag-pki -- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. --- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
