Re: [Freeipa-users] question about bind 10 plans

2013-04-29 Thread Артур Файзуллин
On Mon, 29/04/2013 at 08:11 +0300, Alexander Bokovoy wrote:
 Bind 10 module is on our radar.
 

Nice to hear that :)

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] question about bind 10 plans

2013-04-29 Thread Petr Spacek

On 29.4.2013 08:40, Артур Файзуллин wrote:

On Mon, 29/04/2013 at 08:11 +0300, Alexander Bokovoy wrote:

Bind 10 module is on our radar.


There is not much to add. I'm in touch with one Bind 10 developer and we are 
discussing various possibilities of integration.


Let me know if you are interested in alpha/beta testing. I will send you an 
e-mail as soon as we have some testable code.


--
Petr^2 Spacek


Re: [Freeipa-users] nsupdate refused

2013-04-29 Thread Petr Spacek

Hello,

On 28.4.2013 19:50, Jakub Hrozek wrote:

 get a single machine to be able to perform any update, and have this as
 one of the entries in my bind update policy:
 grant SERVICE\047foreman.collmedia@collmedia.net  wildcard * ANY;


The string SERVICE/ipaserver.example@example.com in the example is the full 
principal name including the Kerberos REALM. The string SERVICE has to be 
replaced with the real service name.


Everything is case sensitive!

See http://www.zytrax.com/tech/survival/kerberos.html#terminology for some 
Kerberos basics.



Your zone update policy should include something like grant
host/\047foreman.collmedia@collmedia.net  wildcard * ANY;


This example contains an error: the character '/' in the principal name has to be 
replaced with \047. The corrected example is:

grant host\047foreman.collmedia@collmedia.net  wildcard * ANY;

--
Petr^2 Spacek

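As an added example (not code from this thread, nor from BIND or the FreeIPA project), the Python helper below applies the two rules Petr states above when building or checking a BIND 9 update-policy grant rule for a Kerberos principal: the '/' in the principal name is written as \047 (BIND reads the identity as a DNS name, so the RFC 1035 \DDD decimal escape of ASCII 47 applies), and the comparison is case sensitive. The principal host/client.example.com@EXAMPLE.COM used in the demonstration is a constructed placeholder.

```python
"""Build and check BIND 9 update-policy 'grant' rules for Kerberos principals.

Added example, not code from the thread. It encodes the two rules from the post:
'/' inside the principal name is written as \\047, and matching is case sensitive.
"""
import re
from typing import List

# BIND reads the identity as a DNS name, so '/' (ASCII 47) is written with the
# RFC 1035 \DDD decimal escape, giving the string "\047".
SLASH_ESCAPE = "\\%03d" % ord("/")

# grant <identity> <nametype> <name> <rrtypes>;
_GRANT_RE = re.compile(r"^\s*grant\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+?)\s*;\s*$")


def escape_principal(principal: str) -> str:
    """Return the principal exactly as it must appear in update-policy."""
    if "@" not in principal:
        raise ValueError("principal must be the full name including the realm")
    return principal.replace("/", SLASH_ESCAPE)


def grant_rule(principal: str, nametype: str = "wildcard",
               name: str = "*", rrtypes: str = "ANY") -> str:
    """Render a grant rule; the defaults reproduce the 'wildcard * ANY' form
    used in the thread (any name, any record type)."""
    return f"grant {escape_principal(principal)} {nametype} {name} {rrtypes};"


def check_grant(rule: str, principal: str) -> List[str]:
    """Return the problems found in one grant rule; an empty list means it matches."""
    m = _GRANT_RE.match(rule)
    if not m:
        return ["not a well-formed grant rule"]
    identity = m.group(1)
    expected = escape_principal(principal)
    problems: List[str] = []
    if "/" in identity:
        problems.append("unescaped '/' in identity; write it as \\047")
    if identity != expected:
        if identity.lower() == expected.lower():
            problems.append("identity differs from the principal only in case; "
                            "update-policy names are case sensitive")
        else:
            problems.append(f"identity {identity!r} does not match expected {expected!r}")
    return problems


if __name__ == "__main__":
    # Constructed placeholder principal, not one from the thread.
    princ = "host/client.example.com@EXAMPLE.COM"
    print(grant_rule(princ))
    for candidate in ("grant host/client.example.com@EXAMPLE.COM wildcard * ANY;",
                      "grant HOST\\047client.example.com@EXAMPLE.COM wildcard * ANY;",
                      grant_rule(princ)):
        print(candidate, "->", check_grant(candidate, princ) or "OK")
```

Run it against the grant lines in your own named.conf (or the policy bind-dyndb-ldap renders) with the principal from `klist -k` to confirm the identity string matches byte for byte; the check deliberately reports a case-only mismatch separately, since that is the easiest error to overlook.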


Re: [Freeipa-users] question about bind 10 plans

2013-04-29 Thread Артур Файзуллин
On Mon, 29/04/2013 at 09:48 +0200, Petr Spacek wrote:
 On 29.4.2013 08:40, Артур Файзуллин wrote:
  On Mon, 29/04/2013 at 08:11 +0300, Alexander Bokovoy wrote:
  Bind 10 module is on our radar.
 
 There is not much to add. I'm in touch with one Bind 10 developer and we are 
 discussing various possibilities of integration.
 
 Let me know if you are interested in alpha/beta testing. I will send you an 
 e-mail as soon as we have some testable code.
 

Yes, I am interested in that :)
Now I have some resources to do that; I do not know about the future, but
now I do :)


Re: [Freeipa-users] Kerberos delegation error on replica

2013-04-29 Thread Johan Sunnerstig
That was exactly it. Server 2 had an HTTP principal but no ldap principal.
I added a principal for ldap as well and it's working fine now.

Thanks a bunch. :)

Regards
Johan

 -Original Message-
 From: Rob Crittenden [mailto:rcrit...@redhat.com]
 Sent: den 26 april 2013 15:50
 To: Johan Sunnerstig; freeipa-users@redhat.com
 Subject: Re: [Freeipa-users] Kerberos delegation error on replica
 
 Johan Sunnerstig wrote:
  Hi.
 
  I have two IPA servers in a multi master setup, running IPA 3.0.
  They've been working fine for the last ~16 months and started life as 2.2
 servers.
  Recently the following error started showing up, I'm not sure when exactly
 since I only discovered it when I was checking the status of an account the
 other day.
 
  ipa1: ~ ipa user-status user
  ---
  Account disabled: False
  ---
 Server: ipa1.domain.tld
 Failed logins: 0
 Last successful authentication: 2013-04-26T11:20:06Z
 Last failed authentication: 2013-04-26T08:44:08Z
 Time now: 2013-04-26T11:20:06Z
 
 Server: ipa2.domain.tld failed: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (KDC returned error string: NOT_ALLOWED_TO_DELEGATE)
  
  Number of entries returned 2
  
 
  The same exact thing happens on the other replica.
 
  Everything else works as far as I can tell, replication is fine and either 
  one
 will issue TGT's and so forth. Basically aside from the above I can't find
 anything wrong.
  The following shows up in the krb5kdc.log on both the servers:
  Apr 26 13:37:09 ipa1.domain.tld krb5kdc[26612](info): TGS_REQ (4 etypes {18 17 16 23}) x.x.x.x: NOT_ALLOWED_TO_DELEGATE: authtime 0,  HTTP/ipa1.domain@domain.tld for ldap/ipa2.domain@domain.tld, No such file or directory
  Apr 26 13:37:09 ipa1.domain.tld krb5kdc[26612](info): TGS_REQ (4 etypes {18 17 16 23}) x.x.x.x: NOT_ALLOWED_TO_DELEGATE: authtime 0,  HTTP/ipa1.domain@domain.tld for ldap/ipa2.domain@domain.tld, No such file or directory
 
 
 One of the servers must be missing from the s4u2proxy delegation list.
 
 Are all the servers in here?
 
 # ldapsearch -x -b
 cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=example,dc=com
 
 and
 
 # ldapsearch -x -b
 cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=example,dc=com
 
 I'm guessing that it is missing one or more memberPrincipal.
 
 The format is memberPrincipal: service/$FQDN@$REALM
 
 rob




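The check Rob describes above (are all servers listed as memberPrincipal in cn=ipa-http-delegation and cn=ipa-ldap-delegation-targets?) can be automated over saved ldapsearch output. The script below is an added example, not FreeIPA code: it parses the LDIF that ldapsearch prints for the two entries, reports which servers lack their HTTP/ or ldap/ principal, extracts the refused delegations from krb5kdc.log lines in the format quoted in the thread, and renders the ldapmodify LDIF that would add the missing values. The realm EXAMPLE.COM, the server names ipa1/ipa2.example.com, the base DN dc=example,dc=com, the LDIF and the log line are all constructed sample data; the sample reproduces the situation Johan found, where the second server has an HTTP principal but no ldap principal.

```python
"""Audit the FreeIPA s4u2proxy delegation lists referred to in the thread.

Added example, not FreeIPA code. All sample data below is constructed.
"""
import re
from typing import Dict, List, Tuple

# The two container entries named in the thread; dc=example,dc=com is a sample base DN.
HTTP_DN = "cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=example,dc=com"
LDAP_DN = "cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=example,dc=com"

REALM = "EXAMPLE.COM"                                  # constructed
SERVERS = ["ipa1.example.com", "ipa2.example.com"]     # constructed

# Constructed ldapsearch output: ipa2 is an HTTP delegator but not an ldap target.
SAMPLE_LDIF = """\
dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=example,dc=com
cn: ipa-http-delegation
memberPrincipal: HTTP/ipa1.example.com@EXAMPLE.COM
memberPrincipal: HTTP/ipa2.example.com@EXAMPLE.COM

dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=example,dc=com
cn: ipa-ldap-delegation-targets
memberPrincipal: ldap/ipa1.example.com@EXAMPLE.COM
"""

# Constructed krb5kdc.log line, shaped like the one quoted in the thread.
SAMPLE_KDC_LOG = [
    "Apr 26 13:37:09 ipa1.example.com krb5kdc[26612](info): TGS_REQ (4 etypes {18 17 16 23}) "
    "192.0.2.10: NOT_ALLOWED_TO_DELEGATE: authtime 0,  HTTP/ipa1.example.com@EXAMPLE.COM "
    "for ldap/ipa2.example.com@EXAMPLE.COM, No such file or directory",
]

_DELEGATE_RE = re.compile(r"NOT_ALLOWED_TO_DELEGATE: authtime \d+,\s+(\S+) for (\S+),")


def parse_ldif(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Minimal LDIF reader keyed by dn: plain 'attr: value' lines, continuation
    lines and '#' comments. Base64 '::' values are not needed for these entries."""
    entries: Dict[str, Dict[str, List[str]]] = {}

    def finish(block: List[str]) -> None:
        attrs: Dict[str, List[str]] = {}
        for line in block:
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip(), []).append(value.strip())
        if "dn" in attrs:
            entries[attrs["dn"][0]] = attrs

    block: List[str] = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if not raw.strip():
            finish(block)
            block = []
        elif raw.startswith(" ") and block:
            block[-1] += raw[1:]          # LDIF line continuation
        else:
            block.append(raw)
    finish(block)
    return entries


def denied_delegations(log_lines: List[str]) -> List[Tuple[str, str]]:
    """(delegating principal, target principal) pairs from NOT_ALLOWED_TO_DELEGATE lines."""
    return [m.groups() for line in log_lines for m in [_DELEGATE_RE.search(line)] if m]


def audit_delegation(entries: Dict[str, Dict[str, List[str]]],
                     servers: List[str], realm: str) -> Dict[str, List[str]]:
    """Map each server to the memberPrincipal values it lacks (empty dict: all present)."""
    http_members = set(entries.get(HTTP_DN, {}).get("memberPrincipal", []))
    ldap_members = set(entries.get(LDAP_DN, {}).get("memberPrincipal", []))
    missing: Dict[str, List[str]] = {}
    for fqdn in servers:
        gaps = [p for p, members in ((f"HTTP/{fqdn}@{realm}", http_members),
                                     (f"ldap/{fqdn}@{realm}", ldap_members))
                if p not in members]
        if gaps:
            missing[fqdn] = gaps
    return missing


def fix_ldif(missing: Dict[str, List[str]]) -> str:
    """ldapmodify input that adds each missing value to the matching container."""
    chunks = []
    for principals in missing.values():
        for p in principals:
            dn = HTTP_DN if p.startswith("HTTP/") else LDAP_DN
            chunks.append(f"dn: {dn}\nchangetype: modify\nadd: memberPrincipal\n"
                          f"memberPrincipal: {p}\n")
    return "\n".join(chunks)


if __name__ == "__main__":
    for src, dst in denied_delegations(SAMPLE_KDC_LOG):
        print(f"KDC refused constrained delegation {src} -> {dst}")
    gaps = audit_delegation(parse_ldif(SAMPLE_LDIF), SERVERS, REALM)
    print("missing:", gaps)
    print(fix_ldif(gaps))
```

In practice, feed `ldapsearch -x -b <dn>` output for the two entries and `ipa server-find`'s hostnames into `audit_delegation`; the KDC-log extractor tells you which target principal the refused TGS_REQ was for, which should line up with the gap the audit reports.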


[Freeipa-users] Whit only krb5-workstation and oddjob-mkhomedir

2013-04-29 Thread Axel Berlin
Hello.

I'm trying to set up a redhat 6.1 to ipaserver.

What I have done:

On the Ipaserver

#ipa host-add --force --ip-address=192.168.237.1 seadv-.d1.gameop.net

#kinit admin

#ipa host-add-managedby --hosts=ipaserver.d1.gameop.net
seadv-237-1.d1.gameop.net


#ipa-getkeytab -s ipaserver.d1.gameop.net -p
host/seadv-237-1.d1.gameop.net -k /tmp/seadv-.keytab

#scp client1.keytab seadv-237-1.d1.gameop.net:/tmp

On Client 6.1

#yum install krb5-workstation oddjob-mkhomedir
#mv /tmp/client1.keytab /etc/krb5.keytab

#vim /etc/krb5.conf

[libdefaults]
  default_realm = D1.GAMEOP.NET
  dns_lookup_realm = false
  dns_lookup_kdc = false
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  D1.GAMEOP.NET = {
kdc = ipaserver.d1.gameop.net:88
admin_server = ipaserver.d1.gameop.net:749
default_domain = d1.gameop.net
pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .d1.gameop.net = D1.GAMEOP.NET
  d1.gameop.net = D1.GAMEOP.NET


#cd /etc/pam.d/

#vim fingerprint-auth

auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_oddjob_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

#vim password-auth

auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_oddjob_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

#vim smartcard-auth

auth        required      pam_env.so
auth        [success=done ignore=ignore default=die] pam_pkcs11.so wait_for_card card_only
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    required      pam_pkcs11.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_oddjob_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

#vim system-auth

auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_oddjob_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so


#vim /etc/sssd/sssd.conf

[domain/d1.gameop.net]

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = d1.gameop.net
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
ipa_server = _srv_, ipaserver.d1.gameop.net
ldap_tls_cacert = /etc/ipa/ca.crt

[sssd]
config_file_version = 2


Re: [Freeipa-users] Whit only krb5-workstation and oddjob-mkhomedir

2013-04-29 Thread Rob Crittenden

Axel Berlin wrote:

Hello.

I'm trying to set up a redhat 6.1 to ipaserver.

What I have done:

On the Ipaserver


[ snip lots of config ]



nameserver 192.168.232.41

I can id and ssh...

So have I missed something with the DNS?

I have tried to have the SRV records to only _ldap._tcp and
_kerberos._tcp but that doesn't work either.


Did you start/restart sssd after creating the configuration?

You may want to add debug_level = 9 to the domains section and start 
again to bump up the logging. The logs go into /var/log/sssd.


What are the permissions on /etc/krb5.keytab? Should be 0600 root:root.

Is SELinux in enforcing mode? If so I'd check the audit log too.

rob



Re: [Freeipa-users] Issue IPA: AD Users and IPA Users when using SSS/LDAP with SUDO

2013-04-29 Thread Pavel Březina

On 04/29/2013 08:31 PM, Aly Khimji wrote:

Hey Pavel/Guys,

Do you see anything in the new logs that might help?

I saw this bug https://bugzilla.redhat.com/show_bug.cgi?id=871160 that
reports this issue exactly.
However it's reported as fixed but I am still having the same issue. I am
building out a new test environment and I am also deploying a FC18
client which seems to have newer sssd/libsss_sudo packages that I
suppose haven't made it upstream yet.

Currently installed on my client

libsss_sudo-1.9.2-82.7.el6_4.x86_64
sssd-client-1.9.2-82.7.el6_4.x86_64
libsss_idmap-1.9.2-82.7.el6_4.x86_64
libsss_autofs-1.9.2-82.el6.x86_64
sssd-1.9.2-82.7.el6_4.x86_64

I've increased the logging to 10, just in case it helps. Here is the
sss_sudo log for a login, then a sudo attempt:


Thx

Aly


Hi,
I'm sorry for such a late answer. The logs say that at the time of 
using sudo, the user akhimji is not present in the cache, which should 
not happen if you managed to log in. I will try to reproduce the issue 
first thing tomorrow and let you know.

