[Freeipa-users] user sync works, passsync eludes me
Here's what the log says:

    LDAP bind error in connect 81: Can't contact LDAP server
    Can not connect to ldap server in SyncPasswords

I keep changing the passsync config values by re-running the msi with the modify option. I'm not sure if that's the way to do this, but my current options are:

    hostname:    IPA server FQDN. It seems to resolve fine
    port number: 636
    username:    (I checked this in ldap: uid=passsync,cn=sysaccounts,cn=etc,dc=domain,dc=tld)
    password:    matches the one set in the ipa-replica-manage connect --passsync option
    certtoken:   string copied from the IPA server (/etc/dirsrv/slapd-MYHOST/pwdfile.txt)
    search base: same as the win-subtree value

So close, but stuck. Thanks in advance for any help!

nate

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
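Bind error 81 means the connection or the TLS handshake never completed, so the account and password never came into play. The script below is an added example, not from this thread: it performs the same LDAPS connect and certificate verification PassSync has to get through, and reports which layer failed. It assumes a placeholder IPA FQDN and the usual IPA CA file /etc/ipa/ca.crt.

```python
import socket
import ssl

# Assumed values (not from the thread): a placeholder IPA FQDN and the
# CA certificate path an IPA client normally carries.
IPA_HOST = "ipa.domain.tld"
IPA_CA_FILE = "/etc/ipa/ca.crt"
LDAPS_PORT = 636


def san_dns_names(cert):
    """DNS names from the subjectAltName of a getpeercert() dict."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def check_ldaps_endpoint(host, port=LDAPS_PORT, cafile=IPA_CA_FILE, timeout=5.0):
    """Do the TCP connect and TLS handshake an LDAPS client does, with the
    verification PassSync needs: the server cert must chain to `cafile`
    and must carry `host` as a DNS name.

    Returns {"ok", "stage", "detail", "san"}; stage is one of "cafile",
    "connect", "tls" or "ok", so the caller knows which layer to fix.
    """
    try:
        # cafile=None falls back to the system trust store.
        ctx = ssl.create_default_context(cafile=cafile)
    except OSError as exc:  # CA file missing or unreadable
        return {"ok": False, "stage": "cafile", "detail": str(exc), "san": []}
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED

    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:  # DNS failure, refused or filtered: not a cert problem
        return {"ok": False, "stage": "connect", "detail": str(exc), "san": []}

    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
    except OSError as exc:
        # ssl.SSLError is an OSError: this covers "unable to get local issuer"
        # (wrong CA) and a hostname mismatch (configured FQDN not in the SAN),
        # as well as a handshake that times out.
        return {"ok": False, "stage": "tls", "detail": str(exc), "san": []}
    finally:
        raw.close()  # no-op if the fd was handed to the TLS socket

    return {"ok": True, "stage": "ok", "detail": "verified", "san": san_dns_names(cert)}


if __name__ == "__main__":
    result = check_ldaps_endpoint(IPA_HOST)
    print("%s:%d -> %s (%s) SAN=%s" % (IPA_HOST, LDAPS_PORT, result["stage"],
                                       result["detail"], result["san"]))
```

A "connect" result is a network or DNS problem; a "tls" result points at the certificate chain or the FQDN the Windows side was configured with, which is what was wrong here.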
Re: [Freeipa-users] sudo made a bit easier to configure
On 12/20/2012 04:43 PM, Han Boetes wrote:
> Hi,
>
> I discovered that using this recipe makes setting up sudo-ldap very simple. Even when anonymous binds are disabled.
>
>     TLS_CACERT /etc/ipa/ca.crt
>     TLS_REQCERT demand
>     SASL_MECH GSSAPI
>     BASE dc=domain,dc=com
>     URI ldap://auth-ipa.domain.com
>     ROOTUSE_SASL on
>     SUDOERS_BASE ou=SUDOers,dc=domain,dc=com
>     SUDOERS_DEBUG 2
>
> Of course you can set DEBUG to 0 once everything works.
>
> I'd like to share this since the docs on the freeipa site on how to set up sudo were quite a bit more complicated.
>
> # Han

Hello Han,

Thanks! I will forward this example to our doc guys to see if we can make the sudo client configuration example easier to follow.

Martin
Re: [Freeipa-users] backup create restore
On 12/21/2012 01:07 PM, Артур Файзуллин wrote:
> HI!
>
> What about adding this functionality to IPA-server:
>
> create backup
>     # ipa backup-create --create --output-file=pathtofile
>
> restore from backup
>     # ipa-server-install --restore-from-backup=pathtofile
>
> I think this feature will be very useful :)

Hello Артур,

We already have a ticket for this feature (you are right, it would be useful): https://fedorahosted.org/freeipa/ticket/3128

You can add yourself to the CC list to see progress and to get an echo when the ticket is finished.

Martin
Re: [Freeipa-users] freeIPA 3.1.0 for Redhat Enterprise 6.3?
Hello David,

FreeIPA 3.1 requires several major dependencies that are not available in RHEL 6.x versions - the most notable ones are PKI-CA of version 10.0 and 389-ds-base of version 1.3.0, which introduced transaction support.

I think the easiest way to get version 3.1 would be to wait for the next major version of Red Hat Enterprise Linux, unless you want to compile and build this dependency chain yourself.

Martin

On 12/21/2012 02:06 AM, David Copperfield wrote:
> Hi Rob and all,
>
> Can FreeIPA be compiled and installed on Redhat Enterprise 6.3? Or do I have to upgrade/install some underlying packages first?
>
> Thanks.
>
> --David
Re: [Freeipa-users] two questions on IPA usage
On 12/20/2012 12:34 AM, David Copperfield wrote:
> Hi Howdy,
>
> Two questions on IPA usage are listed below. Please help.
>
> 1. How to reset a normal IPA user's password through the web interface when the password is expired?
>
> When the normal user's password is close to expiration but still not expired, he/she can change it by himself/herself through the web interface https://ipaserver/. Otherwise he/she has to do ssh/kinit to update his/her password. But the problem is: quite some users are non tech-savvy -- managers, marketing, sales -- and they have no idea of Linux or Kerberos; what they can do is access a web interface and fill in HTML forms.

Hello David,

This feature was introduced in FreeIPA 3.0, you can see the relevant ticket: https://fedorahosted.org/freeipa/ticket/2755

When your IPA server is upgraded to this version (it will be part of the next RHEL 6 minor version release), Web UI users with an expired password will be automatically offered a form to reset it.

> 2. When will the freeIPA 3.0 and 3.1 series RPMs be available on Redhat 6? Does IPA version 3.0/3.1 have backup/restore solutions, and merged CA LDAP instance and IPA LDAP instance?

Merged CA/LDAP instance is available in FreeIPA 3.1 which is not available in RHEL-6. As for the Backup & Restore solution, a FreeIPA provided solution is not ready yet, but we have a ticket filed and planned already. You can take a look here: https://fedorahosted.org/freeipa/ticket/3128

HTH,
Martin

> Presently the IPA version on redhat 6.3 is 2.2.0, I can wait if IPA 3.0 or 3.1 will come out soon for redhat 6 and have the cool features.
>
> Thanks a lot.
>
> --Guolin
Re: [Freeipa-users] IPA 2.2.0-16 still needs CLEANRUV and CLEANALLRUV
On 12/19/2012 11:24 PM, David Copperfield wrote:
> Hi howdy,
>
> This is trying to confirm whether we still need to perform the steps of cleaning RUV records when a freeIPA master or a replica is removed.
>
> Months back it was rumored that some work was being done on the underlying 389 LDAP and the RUV cleaning steps would be obsoleted when IPA master/replica servers were removed, or removed and added back.
>
> The RUV stuff can be found at http://directory.fedoraproject.org/wiki/Howto:CLEANRUV.
>
> Someone familiar with this topic please elaborate/confirm.
>
> Thanks a lot.
>
> --David

Hello David,

Automatic clean up of RUV records is available from FreeIPA 3.0. You can see the relevant ticket: https://fedorahosted.org/freeipa/ticket/2303

With FreeIPA 3.0, the CLEANALLRUV task is automatically run when a replica is being deleted. The task will clean all relevant RUV records on all FreeIPA replicas. In FreeIPA 2.2.x and earlier, a manual RUV clean up procedure is needed (as described in the 389 DS wiki page) to clean deprecated RUV data.

HTH,
Martin
Re: [Freeipa-users] login with kerberos on a webserver, just like with the ipa interface.
Sorry I couldn't reply earlier, somehow I don't receive my own messages.

I had set chrome to --auth-server-whitelist=ipa-server.domain.com, and not --auth-server-whitelist=*domain.com

On Thu, Dec 20, 2012 at 5:33 PM, Simo Sorce s...@redhat.com wrote:
> On Thu, 2012-12-20 at 16:38 +0100, Han Boetes wrote:
> > Hi,
> >
> > I followed http://freeipa.org/page/Apache_SNI_With_Kerberos to enable login to a webserver with kerberos tickets. I followed everything to the letter and all looks well. I can log in with a username and password, but when I set the httpd.conf entry to KrbMethodK5Passwd off I can't log in.
> >
> > What works great with the ipa admin interface does not work with this recipe. I even compared it to /etc/httpd/conf.d/ipa.conf and added the KrbAuthRealms setting but to no avail. Adding KrbConstrainedDelegation on does not work, alas. Although I am using centos 6.3, I checked the http logfiles and the /var/log/krb5kdc.log; everything else on that host works fine. I can log in without a password and sudo -s works like it should.
> >
> > Please help me debug this issue. What am I missing?
>
> Are you using the same fully qualified name you have a keytab for?
> Do you see a ticket for the target server in the user ccache on the client?
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York

--
# Han
[Freeipa-users] Fwd: user sync works, passsync eludes me
Nevermind. I was mucking up the certificate. Got it fixed.

-- Forwarded message --
From: Nate Marks npma...@gmail.com
Date: Fri, Dec 21, 2012 at 6:36 AM
Subject: user sync works, passsync eludes me
To: freeipa-users@redhat.com

Here's what the log says:

    LDAP bind error in connect 81: Can't contact LDAP server
    Can not connect to ldap server in SyncPasswords

I keep changing the passsync config values by re-running the msi with the modify option. I'm not sure if that's the way to do this, but my current options are:

    hostname:    IPA server FQDN. It seems to resolve fine
    port number: 636
    username:    (I checked this in ldap: uid=passsync,cn=sysaccounts,cn=etc,dc=domain,dc=tld)
    password:    matches the one set in the ipa-replica-manage connect --passsync option
    certtoken:   string copied from the IPA server (/etc/dirsrv/slapd-MYHOST/pwdfile.txt)
    search base: same as the win-subtree value

So close, but stuck. Thanks in advance for any help!

nate
[Freeipa-users] Fwd: passync LDAP error in queryusername
I solved this and I'll share my ignorance just in case it helps someone else: it wasn't clear to me that passsync needed the search base on the IPA server rather than the search base for the AD server. *facepalm*

-- Forwarded message --
From: Nate Marks npma...@gmail.com
Date: Fri, Dec 21, 2012 at 9:47 AM
Subject: passync LDAP error in queryusername
To: freeipa-users@redhat.com

    32: no such object
    deferring password change for newinclude

I'm baffled. I think I made the search base exactly the same as the DN I found in LDP. Capitalized OU and DC, no spaces.

The AD DN for the search base is 'OU=syncinclude,OU=syncroot,DC=testdomain,DC=corp'

It detected the password change for 'CN=newinclude,OU=syncinclude,OU=syncroot,DC=testdomain,DC=corp'

Any tips?
[Freeipa-users] disable user account in batch mode in IPA
I hope google did not skip me when searching for an answer.

I'd like to disable inactive accounts migrated from OpenLDAP; so far I can only do it per web UI. Because I have hundreds of accounts to disable, I would really appreciate it if someone could provide a command line for me.

I actually tried to figure out what attribute corresponds to disabled but could not see it in ldapsearch output, for example:

    ldapsearch -LL -x -D 'cn=Directory Manager' -W -b 'dc=sri,dc=utoronto,dc=ca' '(uid=shassan)'

Thank you.

Qing
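The per-account command is `ipa user-disable LOGIN`, and what it writes underneath is `nsAccountLock: TRUE` on the user entry under cn=users,cn=accounts,<suffix>; the attribute is normally not present on an entry that has never been locked, which is why it does not show up in the ldapsearch above. The script below is an added example, not from this thread: it turns a plain list of logins into an LDIF that makes the same change in bulk through ldapmodify, using the suffix from the post and a constructed login list.

```python
import re

# Constructed sample input (not from the thread): one login per line,
# blank lines and '#' comments are ignored. The suffix is the one in the post.
BASE_DN = "dc=sri,dc=utoronto,dc=ca"
SAMPLE_LOGINS = """
# accounts migrated from OpenLDAP that are no longer active
shassan
jdoe

  mjones
shassan
"""

# Characters RFC 4514 requires escaping inside an RDN attribute value.
_DN_SPECIAL = re.compile(r'([,+"\\<>;=])')


def escape_rdn_value(value):
    """Escape a string for use as an attribute value inside a DN."""
    escaped = _DN_SPECIAL.sub(r"\\\1", value)
    if escaped[:1] in ("#", " "):  # leading '#' or space must be escaped
        escaped = "\\" + escaped
    if escaped.endswith(" "):      # so must a trailing space
        escaped = escaped[:-1] + "\\ "
    return escaped


def user_dn(login, base_dn=BASE_DN):
    """DN of an IPA user entry: uid=<login>,cn=users,cn=accounts,<suffix>."""
    return "uid=%s,cn=users,cn=accounts,%s" % (escape_rdn_value(login), base_dn)


def parse_logins(text):
    """Non-empty, non-comment lines, stripped, first occurrence only."""
    seen, logins = set(), []
    for line in text.splitlines():
        login = line.strip()
        if not login or login.startswith("#") or login in seen:
            continue
        seen.add(login)
        logins.append(login)
    return logins


def build_disable_ldif(logins, base_dn=BASE_DN):
    """LDIF that locks each account: the same change `ipa user-disable` makes.

    'replace' works whether or not nsAccountLock already exists on the entry.
    """
    records = []
    for login in logins:
        records.append(
            "dn: %s\n"
            "changetype: modify\n"
            "replace: nsAccountLock\n"
            "nsAccountLock: TRUE\n"
            "-\n" % user_dn(login, base_dn)
        )
    # A blank line separates LDIF change records.
    return "\n".join(records)


if __name__ == "__main__":
    # Save the output and apply it with:
    #   ldapmodify -x -D 'cn=Directory Manager' -W -f disable.ldif
    print(build_disable_ldif(parse_logins(SAMPLE_LOGINS)), end="")
```

Run the ldapsearch from the post on one account afterwards: the entry should now carry nsAccountLock: TRUE, and the user shows as disabled in the web UI.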
Re: [Freeipa-users] sudo made a bit easier to configure
On Fri, Dec 21, 2012 at 06:42:40PM +0100, Natxo Asenjo wrote:
> On Thu, Dec 20, 2012 at 4:43 PM, Han Boetes hboe...@gmail.com wrote:
> > Hi,
> >
> > I discovered that using this recipe makes setting up sudo-ldap very simple. Even when anonymous binds are disabled.
>
> Thanks! I have not yet used sudo with IPA, but it sure is in the pipeline and this comes in handy ;-)
>
> > URI ldap://auth-ipa.domain.com
>
> Can this be a SRV record? Cannot test it right now but this would of course be the most ideal situation.

I haven't tried this myself, but maybe something like:

    URI ldap://dc=example,dc=com

might work. If not, I'm pretty sure SRV records would just work if you leverage the integration with the SSSD :-)
Re: [Freeipa-users] two questions on IPA usage
On 12/21/2012 08:31 AM, Martin Kosek wrote:
> On 12/20/2012 12:34 AM, David Copperfield wrote:
> > Hi Howdy,
> >
> > Two questions on IPA usage are listed below. Please help.
> >
> > 1. How to reset a normal IPA user's password through the web interface when the password is expired?
> >
> > When the normal user's password is close to expiration but still not expired, he/she can change it by himself/herself through the web interface https://ipaserver/. Otherwise he/she has to do ssh/kinit to update his/her password. But the problem is: quite some users are non tech-savvy -- managers, marketing, sales -- and they have no idea of Linux or Kerberos; what they can do is access a web interface and fill in HTML forms.
>
> Hello David,
>
> This feature was introduced in FreeIPA 3.0, you can see the relevant ticket: https://fedorahosted.org/freeipa/ticket/2755
>
> When your IPA server is upgraded to this version (it will be part of the next RHEL 6 minor version release), Web UI users with an expired password will be automatically offered a form to reset it.
>
> > 2. When will the freeIPA 3.0 and 3.1 series RPMs be available on Redhat 6? Does IPA version 3.0/3.1 have backup/restore solutions, and merged CA LDAP instance and IPA LDAP instance?
>
> Merged CA/LDAP instance is available in FreeIPA 3.1 which is not available in RHEL-6. As for the Backup & Restore solution, a FreeIPA provided solution is not ready yet, but we have a ticket filed and planned already. You can take a look here: https://fedorahosted.org/freeipa/ticket/3128

To elaborate a bit.

1) Backup and restore

This is a loaded topic. There are two major use cases that are confused. One is business continuity driven and another is data corruption driven.

For the business continuity case here are our current recommendations, and I do not think there is anything else needed.

a) Run a sufficient amount of replicas in different data centers.

b) Back up the whole image of one of the replicas that has all the components you use periodically, so that if you have to start over you have an image to use and create other replicas from. In case of disaster the procedure would be: boot this image, create other replicas from it and install following normal procedures. You are back up and running within minutes.

c) For easier snapshotting it might make sense to run a replica in a VM so you can easily make a copy of it.

The recommendation above is pretty sufficient for the business continuity case. It is not, however, for the data corruption case. The ticket mentioned will be focusing on the data corruption case (when data is removed or the DB gets corrupted and needs to be restored) and we have plans to look into this use case in the upcoming year.

2) Merged DB is 3.1 and will be supported in RHEL7.

> HTH,
> Martin
>
> > Presently the IPA version on redhat 6.3 is 2.2.0, I can wait if IPA 3.0 or 3.1 will come out soon for redhat 6 and have the cool features.
> >
> > Thanks a lot.
> >
> > --Guolin

--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-users] Fwd: passync LDAP error in queryusername
On 12/21/2012 10:54 AM, Nate Marks wrote:
> I solved this and I'll share my ignorance just in case it helps someone else: it wasn't clear to me that passsync needed the search base on the IPA server rather than the search base for the AD server. *facepalm*

Maybe we can make the docs clear. Can you point to the place that confused you?

> -- Forwarded message --
> From: Nate Marks npma...@gmail.com
> Date: Fri, Dec 21, 2012 at 9:47 AM
> Subject: passync LDAP error in queryusername
> To: freeipa-users@redhat.com
>
>     32: no such object
>     deferring password change for newinclude
>
> I'm baffled. I think I made the search base exactly the same as the DN I found in LDP. Capitalized OU and DC, no spaces.
>
> The AD DN for the search base is 'OU=syncinclude,OU=syncroot,DC=testdomain,DC=corp'
>
> It detected the password change for 'CN=newinclude,OU=syncinclude,OU=syncroot,DC=testdomain,DC=corp'
>
> Any tips?

--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?
On 12/20/2012 07:13 PM, Johan Petersson wrote:
> Hi,
>
> Was your example of a new DUAProfile ever added to Fedora or RHEL? If so, I can't find any reference to it or a fix of the documentation. If not, is there a way to add it myself for my configuration? There is always the manual way otherwise, I guess.
>
> Are Red Hat going to support RHEL clients only in IPA Server?

Red Hat has a clear support statement on the matter.
https://access.redhat.com/knowledge/articles/261973

> We will have several Linux flavours, Solaris, Windows 7/8 + Server 2012 and Mac OS X, so the answer to that question is kind of interesting. :)
>
> Regards,
> Johan
>
> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Johan Petersson [johan.peters...@sscspace.com]
> Sent: Thursday, December 20, 2012 19:03
> To: Sigbjorn Lie
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?
>
> Hi,
>
> Thank you for the tip about NFSMAPID_DOMAIN. It was not set properly.
>
>     sharectl get nfs
>     nfsmapid_domain=
>
> And by using:
>
>     sharectl set -p nfsmapid_domain=servername nfs
>
> It was properly set.
>
> I must add that I prefer editing files instead of sharectl, svccfg and so on. :)
>
> I also made an auto.home map in IPA Server to set the homedirectory automounts right.
>
> And I almost forgot, my Solaris version is 11 11/11.
>
> Regards,
> Johan.
>
> From: Sigbjorn Lie [sigbj...@nixtra.com]
> Sent: Thursday, December 20, 2012 15:20
> To: Johan Petersson
> Cc: freeipa-users@redhat.com
> Subject: RE: [Freeipa-users] Does Solaris 11 work as client to IPA server?
>
> Thanks.
>
> I'm guessing it's taking such a long time because it's looking through the entire LDAP server for your automount maps. The automountmap rules in the DUA profile will help with that. You'll also run into issues if you attempt to have several automount locations without having specified which one to use with an automountmap rule for auto master.
>
> If you are using NFS4 you should add the _nfsv4idmapdomain DNS TXT record to your DNS or set NFSMAPID_DOMAIN in /etc/default/nfs to the same value as the domain id used on your NFS server to get rid of the nobody:nobody default mapping and enable mapping between the NFS server and the client.
>
> Regards,
> Siggi
>
> On Thu, December 20, 2012 13:40, Johan Petersson wrote:
> > Hi,
> >
> > Here is my pam.conf cleaned up a bit.
> >
> >     login          auth      requisite   pam_authtok_get.so.1
> >     login          auth      required    pam_dhkeys.so.1
> >     login          auth      sufficient  pam_krb5.so.1 try_first_pass
> >     login          auth      required    pam_unix_cred.so.1
> >     login          auth      required    pam_unix_auth.so.1
> >     login          auth      required    pam_dial_auth.so.1
> >     gdm-autologin  auth      required    pam_unix_cred.so.1
> >     gdm-autologin  auth      sufficient  pam_allow.so.1
> >     other          auth      requisite   pam_authtok_get.so.1
> >     other          auth      required    pam_dhkeys.so.1
> >     other          auth      required    pam_unix_cred.so.1
> >     other          auth      sufficient  pam_krb5.so.1
> >     other          auth      required    pam_unix_auth.so.1
> >     passwd         auth      required    pam_passwd_auth.so.1
> >     gdm-autologin  account   sufficient  pam_allow.so.1
> >     other          account   requisite   pam_roles.so.1
> >     other          account   required    pam_unix_account.so.1
> >     other          account   required    pam_krb5.so.1
> >     other          session   required    pam_unix_session.so.1
> >     other          password  required    pam_dhkeys.so.1
> >     other          password  requisite   pam_authtok_get.so.1
> >     other          password  requisite   pam_authtok_check.so.1 force_check
> >     other          password  sufficient  pam_krb5.so.1
> >     other          password  required    pam_authtok_store.so.1
> >
> > I am getting one error and it is for autofs.
> >
> > /var/adm/messages:
> >     Dec 20 12:56:58 servername automount[1651]: [ID 754625 daemon.error] Object not found
> >
> > /var/svc/log/system.filesystem-autofs:default.log:
> >     [ Dec 20 12:24:22 Executing start method (/lib/svc/method/svc-autofs start). ]
> >     automount: /net mounted
> >     automount: /nfs4 mounted
> >     automount: no unmounts
> >     [ Dec 20 12:24:22 Method start exited with status 0. ]
> >
> > ldapclient list
> >     NS_LDAP_FILE_VERSION= 2.0
> >     NS_LDAP_SERVERS= servername
> >     NS_LDAP_SEARCH_BASEDN= dc=home
> >     NS_LDAP_AUTH= none
> >     NS_LDAP_SEARCH_REF= TRUE
> >     NS_LDAP_SEARCH_TIME= 15
> >     NS_LDAP_PROFILE= default
> >     NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=accounts,dc=home
> >     NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=compat,dc=home
> >     NS_LDAP_BIND_TIME= 5
> >     NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=posixAccount
> >
> > Thinking it has to do with the missing automountmap in the default DUAProfile.
> > Automount still works though, but takes time during login and everything is nobody:nobody :)
> >
> > From: Sigbjorn Lie [sigbj...@nixtra.com]
> > Sent: Thursday, December 20, 2012 10:13
> > To: Johan Petersson
> > Cc: freeipa-users@redhat.com
> > Subject: Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?
> >
> > Hi,
> >
> > This is interesting. When I tested
Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?
On 12/20/2012 07:13 PM, Johan Petersson wrote:
> Hi,
>
> Was your example of a new DUAProfile ever added to Fedora or RHEL? If so, I can't find any reference to it or a fix of the documentation. If not, is there a way to add it myself for my configuration? There is always the manual way otherwise, I guess.
>
> Are Red Hat going to support RHEL clients only in IPA Server?
>
> We will have several Linux flavours, Solaris, Windows 7/8 + Server 2012 and Mac OS X, so the answer to that question is kind of interesting. :)
>
> Regards,
> Johan

Johan,

Would you mind summarizing your Solaris 11 experience in a step by step procedure so that we can add it to the wiki or Fedora docs?

Thanks
Dmitri

> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Johan Petersson [johan.peters...@sscspace.com]
> Sent: Thursday, December 20, 2012 19:03
> To: Sigbjorn Lie
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?
>
> Hi,
>
> Thank you for the tip about NFSMAPID_DOMAIN. It was not set properly.
>
>     sharectl get nfs
>     nfsmapid_domain=
>
> And by using:
>
>     sharectl set -p nfsmapid_domain=servername nfs
>
> It was properly set.
>
> I must add that I prefer editing files instead of sharectl, svccfg and so on. :)
>
> I also made an auto.home map in IPA Server to set the homedirectory automounts right.
>
> And I almost forgot, my Solaris version is 11 11/11.
>
> Regards,
> Johan.
Re: [Freeipa-users] Kerberos and Cisco
Hi Bret,

I tried this once in the past with no success. If I recall correctly (I can't find the reference anymore), Cisco (at least in IOS 12.4 that I tested) only supports the DES-CBC-CRC enctype. This enctype is disabled by default in FreeIPA.

Thanks,
Mike

On Fri, Dec 21, 2012 at 10:35 AM, Bret Wortman bret.wort...@damascusgrp.com wrote:
> My network guy wants to use our FreeIPA server to authenticate users on Cisco devices, but when we tried to import the keytab, it balked on every one of the keys. Has anyone done this? Any pointers if so?
>
> Thanks, and happy holidays!
>
> --
> Bret Wortman
> The Damascus Group
> Fairfax, VA
> http://bretwortman.com/
> http://twitter.com/BretWortman
Re: [Freeipa-users] Kerberos and Cisco
On 12/21/2012 05:40 PM, Mike Mercier wrote:
> Hi Bret,
>
> I tried this once in the past with no success. If I recall correctly (I can't find the reference anymore), Cisco (at least in IOS 12.4 that I tested) only supports the DES-CBC-CRC enctype. This enctype is disabled by default in FreeIPA.

allow_weak_crypto = true in krb5.conf to enable it.

> Thanks,
> Mike
>
> On Fri, Dec 21, 2012 at 10:35 AM, Bret Wortman bret.wort...@damascusgrp.com wrote:
> > My network guy wants to use our FreeIPA server to authenticate users on Cisco devices, but when we tried to import the keytab, it balked on every one of the keys. Has anyone done this? Any pointers if so?
> >
> > Thanks, and happy holidays!
> >
> > --
> > Bret Wortman
> > The Damascus Group
> > Fairfax, VA
> > http://bretwortman.com/
> > http://twitter.com/BretWortman

--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
Re: [Freeipa-users] Kerberos and Cisco
Thanks, all. I'll report back.

--
Bret Wortman
http://bretwortman.com/
http://twitter.com/bretwortman

On Friday, December 21, 2012 at 6:23 PM, Dmitri Pal wrote:
> On 12/21/2012 05:40 PM, Mike Mercier wrote:
> > Hi Bret,
> >
> > I tried this once in the past with no success. If I recall correctly (I can't find the reference anymore), Cisco (at least in IOS 12.4 that I tested) only supports the DES-CBC-CRC enctype. This enctype is disabled by default in FreeIPA.
>
> allow_weak_crypto = true in krb5.conf to enable it.
>
> > Thanks,
> > Mike
> >
> > On Fri, Dec 21, 2012 at 10:35 AM, Bret Wortman bret.wort...@damascusgrp.com wrote:
> > > My network guy wants to use our FreeIPA server to authenticate users on Cisco devices, but when we tried to import the keytab, it balked on every one of the keys. Has anyone done this? Any pointers if so?
> > >
> > > Thanks, and happy holidays!
> > >
> > > --
> > > Bret Wortman
> > > The Damascus Group
> > > Fairfax, VA
> > > http://bretwortman.com/
> > > http://twitter.com/BretWortman
>
> --
> Thank you,
> Dmitri Pal
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.