Re: [Freeipa-users] Postfix and FreeIPA in a secure setup
On 03/08/2013 02:34 PM, Anthony Messina wrote:
> On Friday, March 08, 2013 08:09:20 AM Loris Santamaria wrote:
>>> 2. Kerberos / GSSAPI (I heard SASL can be used here as well) for authenticated SSO mail sending
>>
>> Create the service in ipa, ipa service-add smtp/myserver.mydomain.com. On the mail server you should obtain the keytab with ipa-getkeytab and save it in /etc/krb5.keytab. Then add to /etc/postfix/main.cf:
>>
>>   smtpd_sasl_auth_enable = yes
>>   smtpd_sasl_security_options = noanonymous
>>   smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
>>   broken_sasl_auth_clients = yes
>>   smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
>>
>> Lastly, add to /etc/sasl2/smtpd.conf:
>>
>>   pwcheck_method: saslauthd
>>   mech_list: GSSAPI PLAIN LOGIN
>>
>> Restart postfix and saslauthd and it should work.
>
> You *may* also need to update Postfix's environment:
>
>   # Import environment for Kerberos v5 GSSAPI
>   import_environment = MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY DISPLAY LANG=C KRB5_KTNAME=/etc/postfix/smtp.keytab

Anthony, where were you declaring the above? In Squid, I've added the keytab to the service startup script. Presumably it would be somewhere similar?
Dale

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Postfix and FreeIPA in a secure setup
On Tuesday, March 12, 2013 01:50:47 PM Dale Macartney wrote:
>>   # Import environment for Kerberos v5 GSSAPI
>>   import_environment = MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY DISPLAY LANG=C KRB5_KTNAME=/etc/postfix/smtp.keytab
>
> Anthony, where were you declaring the above? In Squid, I've added the keytab to the service startup script. Presumably it would be somewhere similar?
>
> Dale

In /etc/postfix/main.cf

--
Anthony - http://messinet.com - http://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E
Re: [Freeipa-users] Postfix and FreeIPA in a secure setup
On Tuesday, March 12, 2013 08:53:59 AM Anthony Messina wrote:
> On Tuesday, March 12, 2013 01:50:47 PM Dale Macartney wrote:
>>>   # Import environment for Kerberos v5 GSSAPI
>>>   import_environment = MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY DISPLAY LANG=C KRB5_KTNAME=/etc/postfix/smtp.keytab
>>
>> Anthony, where were you declaring the above? In Squid, I've added the keytab to the service startup script. Presumably it would be somewhere similar?
>>
>> Dale
>
> In /etc/postfix/main.cf

Sorry, I sent too fast. From man (5) postconf:

    import_environment (default: see postconf -d output)
        The list of environment parameters that a Postfix process will import from a non-Postfix parent process. Examples of relevant parameters:

        TZ
            Needed for sane time keeping on most System-V-ish systems.
        DISPLAY
            Needed for debugging Postfix daemons with an X-windows debugger.
        XAUTHORITY
            Needed for debugging Postfix daemons with an X-windows debugger.
        MAIL_CONFIG
            Needed to make postfix -c work.

        Specify a list of names and/or name=value pairs, separated by whitespace or comma. The name=value form is supported with Postfix version 2.1 and later.

--
Anthony - http://messinet.com - http://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E
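The main.cf settings Loris listed and the import_environment line Anthony explains above are easy to get subtly wrong (a missing noanonymous, a bare permit ahead of reject_unauth_destination, a keytab variable that never reaches smtpd). The following audit script is an added example, not code from the thread or from the Postfix or FreeIPA projects: it parses main.cf syntax (continuation lines and $name expansion included), checks the SASL/relay settings discussed here, and reports which keytab path smtpd will see. The embedded main.cf fragment is constructed from the values quoted in the thread.

```python
import re

# Constructed main.cf fragment modelled on the settings quoted in the thread
# (not a file from the original posts; paths are the ones given there).
SAMPLE_MAIN_CF = """\
# Import environment for Kerberos v5 GSSAPI
import_environment = MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY DISPLAY
    LANG=C KRB5_KTNAME=/etc/postfix/smtp.keytab
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,
    permit_mynetworks, reject_unauth_destination
"""


def parse_main_cf(text):
    """Parse Postfix main.cf syntax: 'name = value', '#' comment lines,
    and continuation lines that start with whitespace."""
    params = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            params[current] += " " + raw.strip()
            continue
        name, sep, value = raw.partition("=")
        if not sep:
            continue
        current = name.strip()
        params[current] = value.strip()
    return params


def expand(params, value, depth=0):
    """Resolve $name and ${name} references (bounded depth, like postconf -x)."""
    if depth > 10:
        return value
    return re.sub(
        r"\$(?:\{(\w+)\}|(\w+))",
        lambda m: expand(params, params.get(m.group(1) or m.group(2), ""), depth + 1),
        value,
    )


def tokens(params, name):
    """Split an expanded parameter value on whitespace and commas."""
    return [t for t in re.split(r"[\s,]+", expand(params, params.get(name, ""))) if t]


def audit_sasl_config(text):
    """Return (findings, keytab_path) for the SASL/GSSAPI settings from the thread.
    keytab_path is None when KRB5_KTNAME is not imported, i.e. the default
    keytab (/etc/krb5.keytab) would be used."""
    p = parse_main_cf(text)
    findings = []
    if p.get("smtpd_sasl_auth_enable", "no").lower() != "yes":
        findings.append("smtpd_sasl_auth_enable is not yes: SMTP AUTH is disabled")
    for name in ("smtpd_sasl_security_options", "smtpd_sasl_tls_security_options"):
        if "noanonymous" not in tokens(p, name):
            findings.append(f"{name} lacks noanonymous: anonymous SASL mechanisms may be offered")
    rr = tokens(p, "smtpd_recipient_restrictions")
    if "reject_unauth_destination" not in rr:
        findings.append("smtpd_recipient_restrictions lacks reject_unauth_destination: open relay")
    elif "permit" in rr[: rr.index("reject_unauth_destination")]:
        findings.append("unconditional permit precedes reject_unauth_destination: open relay")
    env = dict(t.split("=", 1) for t in tokens(p, "import_environment") if "=" in t)
    return findings, env.get("KRB5_KTNAME")


if __name__ == "__main__":
    findings, keytab = audit_sasl_config(SAMPLE_MAIN_CF)
    print("keytab:", keytab or "default (/etc/krb5.keytab)")
    print("findings:", findings or "none")
```

Run it against a real file with `audit_sasl_config(open("/etc/postfix/main.cf").read())`; whichever keytab path it reports is the file that must be readable by the user smtpd runs as, which is the usual reason a GSSAPI login fails after the keytab has been fetched with ipa-getkeytab.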
[Freeipa-users] FreeIPA 3.0 transitive trust, multiple domains
Hello,

I'm currently testing forest trusts in v3.0 on CentOS 6.4. I've got a trust set up between my IPA forest (nix.ipatest.dom) and my Windows forest (ipatest.dom). I have gone through the setup procedure as outlined at http://freeipa.org/page/Howto/IPAv3_AD_trust_setup. Everything works as described in that document. However, now I want to add groups to IPA from another domain in the Windows forest (us.ipatest.dom) but can't figure out how to proceed. When trying to add a group from the US domain I get the following:

    [root@ipa01 ~]# ipa group-add-member ad_admins_external --external 'US \Domain Admins'
    [member user]:
    [member group]:
    ipa: ERROR: invalid Gettext('external member', domain='ipa', localedir=None): values are not recognized as valid SIDs from trusted domain

I understand the error, but am not sure how to get this to work. Creating a new trust between the IPA forest and the US domain results in the following error, presumably because it's a transitive trust:

    [root@ipa01 ~]# ipa trust-add --type=ad us.ipatest.dom --admin Administrator --password
    Active directory domain administrator's password:
    ipa: ERROR: invalid Gettext('AD domain controller', domain='ipa', localedir=None): unsupported functional level

Any help would be greatly appreciated! Thanks!

Mark
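The first error above is raised because the group's SID carries the domain SID of the child domain (us.ipatest.dom), and a SID is only accepted as an external member when its domain part matches a domain IPA knows through the trust. The snippet below is an added, simplified model of that check, not FreeIPA's own code: it parses textual SIDs, splits off the RID, and resolves the domain part against a trust table. All domain SIDs are constructed placeholders; the RID 512 is the well-known Domain Admins RID.

```python
import re

# Constructed trust tables: the domain SIDs are made-up placeholders, not real values.
FOREST_ROOT_ONLY = {
    "ipatest.dom": "S-1-5-21-1111111111-2222222222-3333333333",
}
WITH_CHILD_DOMAIN = dict(
    FOREST_ROOT_ONLY,
    **{"us.ipatest.dom": "S-1-5-21-4444444444-5555555555-6666666666"},
)

# S-1-<authority>-<subauthority>... with at least one sub-authority component
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def split_sid(sid):
    """Split 'S-1-5-21-a-b-c-rid' into (domain SID, RID); reject malformed input."""
    if not SID_RE.match(sid):
        raise ValueError(f"not a SID: {sid!r}")
    domain_sid, _, rid = sid.rpartition("-")
    return domain_sid, int(rid)


def resolve_external_member(sid, trusted_domains):
    """Return (domain name, RID) when the SID's domain part belongs to a trusted
    domain, otherwise None (the case behind 'not recognized as valid SIDs from
    trusted domain')."""
    domain_sid, rid = split_sid(sid)
    for name, known_domain_sid in trusted_domains.items():
        if known_domain_sid == domain_sid:
            return name, rid
    return None


if __name__ == "__main__":
    us_admins = "S-1-5-21-4444444444-5555555555-6666666666-512"
    print(resolve_external_member(us_admins, FOREST_ROOT_ONLY))   # None
    print(resolve_external_member(us_admins, WITH_CHILD_DOMAIN))  # ('us.ipatest.dom', 512)
```

The same SID resolves once the child domain's SID is in the table, which is why the fix lies in IPA learning about the forest's other domains rather than in the group itself.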
[Freeipa-users] Realm distributed across data centers
We have a single realm distributed across 2 data centers and 2 offices with 4 replicated IPA servers (2 in each data center). We are running IPA server and client v2.2.0 on all servers and replication appears to be functioning correctly. What I have noticed is that some servers in DC1 have no connectivity to the IPA servers in DC2, and when you try connecting to them from Office1 you sometimes get a long authentication delay. I suspect this is caused by a timeout waiting for an IPA server in DC2 to respond (which it can't). So I guess my question is, is there a 'best practices' approach to this scenario?
Re: [Freeipa-users] Realm distributed across data centers
I have no idea if this counts as best practice because I am not affiliated with the FreeIPA development team. I personally think SRV records are probably the best idea in this situation. You would have to set up different zones to serve to each datacentre though, if you know how to do that. It's not that tricky with views in bind.

On 13 March 2013 12:40, Michael ORourke mrorou...@earthlink.net wrote:
> We have a single realm distributed across 2 data centers and 2 offices with 4 replicated IPA servers (2 in each data center). We are running IPA server and client v2.2.0 on all servers and replication appears to be functioning correctly. What I have noticed is that some servers in DC1 have no connectivity to the IPA servers in DC2, and when you try connecting to them from Office1 you sometimes get a long authentication delay. I suspect this is caused by a timeout waiting for an IPA server in DC2 to respond (which it can't). So I guess my question is, is there a 'best practices' approach to this scenario?
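The reply above suggests per-datacentre SRV records served through BIND views; what makes that work is the SRV priority field, which clients honour before the weighted random choice. The script below is an added example, not code from the thread or from FreeIPA or SSSD: it implements the RFC 2782 ordering a client applies to an SRV answer and simulates a DC1 client whose DC2 servers are unreachable, comparing the per-view records (local servers at priority 0, remote at priority 10) with a single flat zone where every server shares one priority. Hostnames and record sets are constructed placeholders.

```python
import random

# Constructed SRV answers for _ldap._tcp.<realm> as two BIND views would serve them.
# Tuples are (priority, weight, target); hostnames are placeholders.
SRV_BY_VIEW = {
    "dc1": [(0, 50, "ipa1.dc1.example.test"), (0, 50, "ipa2.dc1.example.test"),
            (10, 50, "ipa1.dc2.example.test"), (10, 50, "ipa2.dc2.example.test")],
    "dc2": [(0, 50, "ipa1.dc2.example.test"), (0, 50, "ipa2.dc2.example.test"),
            (10, 50, "ipa1.dc1.example.test"), (10, 50, "ipa2.dc1.example.test")],
}
# A single flat zone with every server at the same priority, for comparison.
FLAT_ZONE = [(0, 50, h) for h in ("ipa1.dc1.example.test", "ipa2.dc1.example.test",
                                  "ipa1.dc2.example.test", "ipa2.dc2.example.test")]
# What a DC1 client can actually reach in the scenario from the thread.
DC1_HOSTS = {"ipa1.dc1.example.test", "ipa2.dc1.example.test"}


def order_srv(records, seed=None):
    """Order targets the way an RFC 2782 client does: lowest priority first,
    weighted random selection among records that share a priority."""
    rng = random.Random(seed)
    ordered = []
    for prio in sorted({r[0] for r in records}):
        bucket = [r for r in records if r[0] == prio]
        while bucket:
            total = sum(r[1] for r in bucket)
            pick = rng.random() * total
            acc = 0
            chosen = bucket[-1]
            for rec in bucket:
                acc += rec[1]
                if pick < acc:
                    chosen = rec
                    break
            ordered.append(chosen[2])
            bucket.remove(chosen)
    return ordered


def first_reachable(ordered, reachable):
    """Walk the ordered targets; each unreachable one costs a full connection timeout.
    Returns (host, attempts), so attempts - 1 is the number of timeouts suffered."""
    for attempts, host in enumerate(ordered, start=1):
        if host in reachable:
            return host, attempts
    return None, len(ordered)


def timeouts_over_seeds(records, reachable, seeds):
    """Count how many simulated lookups hit at least one timeout before a usable server."""
    return sum(1 for s in seeds if first_reachable(order_srv(records, s), reachable)[1] > 1)


if __name__ == "__main__":
    seeds = range(200)
    print("per-view zone, DC1 client: lookups with a timeout =",
          timeouts_over_seeds(SRV_BY_VIEW["dc1"], DC1_HOSTS, seeds))   # 0
    print("flat zone, DC1 client: lookups with a timeout =",
          timeouts_over_seeds(FLAT_ZONE, DC1_HOSTS, seeds))            # > 0
```

With the per-view records the DC1 client never tries a DC2 server unless both local ones are down, which is exactly the fallback you still want; with the flat zone roughly half of all lookups start with a remote server and wait out a timeout, matching the intermittent delay described in the question.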