Re: [Freeipa-users] question about bind 10 plans
On Mon, 29/04/2013 at 08:11 +0300, Alexander Bokovoy wrote:
> Bind 10 module is on our radar.

Nice to hear that :)

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] question about bind 10 plans
On 29.4.2013 08:40, Артур Файзуллин wrote:
> On Mon, 29/04/2013 at 08:11 +0300, Alexander Bokovoy wrote:
>> Bind 10 module is on our radar.

There is not much to add. I'm in touch with one Bind 10 developer and we are discussing various possibilities of integration.

Let me know if you are interested in alpha/beta testing. I will send you an e-mail as soon as we have some testable code.

-- 
Petr^2 Spacek
Re: [Freeipa-users] nsupdate refused
Hello,

On 28.4.2013 19:50, Jakub Hrozek wrote:
> get a single machine to be able to perform any update, and have this as one of the entries in my bind update policy:
>
> grant SERVICE\047foreman.collmedia@collmedia.net wildcard * ANY;

The string SERVICE/ipaserver.example@example.com in the example is the full principal name including the Kerberos REALM. The string SERVICE has to be replaced with the real service name. Everything is case sensitive! See http://www.zytrax.com/tech/survival/kerberos.html#terminology for some Kerberos basics.

Your zone update policy should include something like:

    grant host/\047foreman.collmedia@collmedia.net wildcard * ANY;

This example contains an error: the character '/' in the principal name has to be replaced with \047. The corrected example is:

    grant host\047foreman.collmedia@collmedia.net wildcard * ANY;

-- 
Petr^2 Spacek
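An added example (not from the thread) that builds the grant line from a Kerberos principal. BIND reads the identity as a DNS name, so '/' becomes \047 in DNS presentation format (\DDD, decimal byte value); the helper generalizes that rule to any other character outside the plain set, which is my assumption rather than something the thread states.

```python
import string

# Added example, not the thread's or BIND's own code.  BIND parses the
# update-policy identity as a DNS name: characters outside letters, digits,
# '-', '.', '_' and '@' are written as \DDD with DDD the DECIMAL byte value
# (RFC 1035 presentation syntax).  '/' is byte 47, hence the thread's \047.
_PLAIN = set(string.ascii_letters + string.digits + "-._@")


def bind_identity(principal):
    """Escape a principal such as service/host@REALM for a named.conf grant."""
    out = []
    for ch in principal:
        if ch in _PLAIN:
            out.append(ch)
        else:
            # One escape per byte; non-ASCII characters expand to several.
            out.extend("\\%03d" % b for b in ch.encode("utf-8"))
    return "".join(out)


def grant_line(principal, rule="wildcard", name="*", types="ANY"):
    """Build one update-policy statement; the principal must carry its REALM."""
    if "@" not in principal:
        raise ValueError("principal must include the Kerberos REALM")
    return "grant %s %s %s %s;" % (bind_identity(principal), rule, name, types)


if __name__ == "__main__":
    # Reproduces the corrected entry from the thread.
    print(grant_line("host/foreman.collmedia@collmedia.net"))
```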
Re: [Freeipa-users] question about bind 10 plans
On Mon, 29/04/2013 at 09:48 +0200, Petr Spacek wrote:
> On 29.4.2013 08:40, Артур Файзуллин wrote:
>> On Mon, 29/04/2013 at 08:11 +0300, Alexander Bokovoy wrote:
>>> Bind 10 module is on our radar.
>
> There is not much to add. I'm in touch with one Bind 10 developer and we are discussing various possibilities of integration.
>
> Let me know if you are interested in alpha/beta testing. I will send you an e-mail as soon as we have some testable code.

Yes, I am interested in that :) Now I have some resources to do that. I do not know about the future, but now I do :)
Re: [Freeipa-users] Kerberos delegation error on replica
That was exactly it. Server 2 had an HTTP principal but no ldap principal. I added a principal for ldap as well and it's working fine now.

Thanks a bunch. :)

Regards
Johan

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: den 26 april 2013 15:50
To: Johan Sunnerstig; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Kerberos delegation error on replica

Johan Sunnerstig wrote:
> Hi.
>
> I have two IPA servers in a multi-master setup, running IPA 3.0. They've been working fine for the last ~16 months and started life as 2.2 servers.
>
> Recently the following error started showing up; I'm not sure when exactly, since I only discovered it when I was checking the status of an account the other day.
>
> ipa1: ~ ipa user-status user
> ---
> Account disabled: False
> ---
>   Server: ipa1.domain.tld
>   Failed logins: 0
>   Last successful authentication: 2013-04-26T11:20:06Z
>   Last failed authentication: 2013-04-26T08:44:08Z
>   Time now: 2013-04-26T11:20:06Z
>   Server: ipa2.domain.tld failed: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (KDC returned error string: NOT_ALLOWED_TO_DELEGATE)
> Number of entries returned 2
>
> The same exact thing happens on the other replica. Everything else works as far as I can tell; replication is fine and either one will issue TGTs and so forth. Basically, aside from the above, I can't find anything wrong.
>
> The following shows up in the krb5kdc.log on both the servers:
>
> Apr 26 13:37:09 ipa1.domain.tld krb5kdc[26612](info): TGS_REQ (4 etypes {18 17 16 23}) x.x.x.x: NOT_ALLOWED_TO_DELEGATE: authtime 0, HTTP/ipa1.domain@domain.tld for ldap/ipa2.domain@domain.tld, No such file or directory
> Apr 26 13:37:09 ipa1.domain.tld krb5kdc[26612](info): TGS_REQ (4 etypes {18 17 16 23}) x.x.x.x: NOT_ALLOWED_TO_DELEGATE: authtime 0, HTTP/ipa1.domain@domain.tld for ldap/ipa2.domain@domain.tld, No such file or directory

One of the servers must be missing from the s4u2proxy delegation list. Are all the servers in here?

    # ldapsearch -x -b cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=example,dc=com

and

    # ldapsearch -x -b cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=example,dc=com

I'm guessing that it is missing one or more memberPrincipal. The format is:

    memberPrincipal: service/$FQDN@$REALM

rob
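An added example (not from the thread) that automates Rob's check: it parses the LDIF printed by the two ldapsearch commands and reports every IPA server whose HTTP or ldap principal is missing from the s4u2proxy entries. Hostnames, realm and LDIF text are constructed; the sample reproduces the situation Johan found (an HTTP principal present, the ldap one absent).

```python
import re

# Added example, not code from the thread; names and LDIF text are constructed.
_ATTR = re.compile(r"^memberPrincipal:\s*(.+)$")


def parse_member_principals(ldif):
    """Collect memberPrincipal values from ldapsearch (LDIF) output.
    LDIF folds long lines with a leading space, so unfold them first."""
    found = set()
    for line in ldif.replace("\n ", "").splitlines():
        m = _ATTR.match(line)
        if m:
            found.add(m.group(1).strip())
    return found


def missing_principals(http_ldif, ldap_ldif, servers, realm):
    """Map each IPA server to the delegation principals it lacks.
    Every server needs HTTP/<fqdn>@<REALM> in ipa-http-delegation and
    ldap/<fqdn>@<REALM> in ipa-ldap-delegation-targets; a missing entry
    makes the KDC reject the S4U2Proxy request with NOT_ALLOWED_TO_DELEGATE."""
    present = {"HTTP": parse_member_principals(http_ldif),
               "ldap": parse_member_principals(ldap_ldif)}
    report = {}
    for fqdn in servers:
        missing = ["%s/%s@%s" % (svc, fqdn, realm) for svc in ("HTTP", "ldap")
                   if "%s/%s@%s" % (svc, fqdn, realm) not in present[svc]]
        if missing:
            report[fqdn] = missing
    return report


# Constructed sample: ipa2 is in the HTTP list but not in the ldap targets.
HTTP_LDIF = """dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=example,dc=com
memberPrincipal: HTTP/ipa1.example.com@EXAMPLE.COM
memberPrincipal: HTTP/ipa2.example.com@EXAMPLE.COM
"""
LDAP_LDIF = """dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=example,dc=com
memberPrincipal: ldap/ipa1.example.com@EXAMPLE.COM
"""

if __name__ == "__main__":
    # Prints {'ipa2.example.com': ['ldap/ipa2.example.com@EXAMPLE.COM']}
    print(missing_principals(HTTP_LDIF, LDAP_LDIF,
                             ["ipa1.example.com", "ipa2.example.com"],
                             "EXAMPLE.COM"))
```

Feed it the real output of the two ldapsearch commands (for example via subprocess) and the list of IPA masters to get the same report for a live deployment.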
[Freeipa-users] With only krb5-workstation and oddjob-mkhomedir
Hello.

I'm trying to set up a redhat 6.1 to ipaserver. What I have done:

On the Ipaserver

    # ipa host-add --force --ip-address=192.168.237.1 seadv-.d1.gameop.net
    # kinit admin
    # ipa host-add-managedby --hosts=ipaserver.d1.gameop.net seadv-237-1.d1.gameop.net
    # ipa-getkeytab -s ipaserver.d1.gameop.net -p host/seadv-237-1.d1.gameop.net -k /tmp/seadv-.keytab
    # scp client1.keytab seadv-237-1.d1.gameop.net:/tmp

On Client 6.1

    # yum install krb5-workstation oddjob-mkhomedir
    # mv /tmp/client1.keytab /etc/krb5.keytab

    # vim /etc/krb5.conf
    [libdefaults]
     default_realm = D1.GAMEOP.NET
     dns_lookup_realm = false
     dns_lookup_kdc = false
     rdns = false
     ticket_lifetime = 24h
     forwardable = yes

    [realms]
     D1.GAMEOP.NET = {
      kdc = ipaserver.d1.gameop.net:88
      admin_server = ipaserver.d1.gameop.net:749
      default_domain = d1.gameop.net
      pkinit_anchors = FILE:/etc/ipa/ca.crt
     }

    [domain_realm]
     .d1.gameop.net = D1.GAMEOP.NET
     d1.gameop.net = D1.GAMEOP.NET

    # cd /etc/pam.d/

    # vim fingerprint-auth
    auth        required      pam_env.so
    auth        sufficient    pam_fprintd.so
    auth        required      pam_deny.so

    account     required      pam_unix.so
    account     sufficient    pam_localuser.so
    account     sufficient    pam_succeed_if.so uid < 500 quiet
    account     [default=bad success=ok user_unknown=ignore] pam_sss.so
    account     required      pam_permit.so

    password    required      pam_deny.so

    session     optional      pam_keyinit.so revoke
    session     required      pam_limits.so
    session     optional      pam_oddjob_mkhomedir.so
    session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
    session     required      pam_unix.so
    session     optional      pam_sss.so

    # vim password-auth
    auth        required      pam_env.so
    auth        sufficient    pam_unix.so nullok try_first_pass
    auth        requisite     pam_succeed_if.so uid >= 500 quiet
    auth        sufficient    pam_sss.so use_first_pass
    auth        required      pam_deny.so

    account     required      pam_unix.so
    account     sufficient    pam_localuser.so
    account     sufficient    pam_succeed_if.so uid < 500 quiet
    account     [default=bad success=ok user_unknown=ignore] pam_sss.so
    account     required      pam_permit.so

    password    requisite     pam_cracklib.so try_first_pass retry=3 type=
    password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
    password    sufficient    pam_sss.so use_authtok
    password    required      pam_deny.so

    session     optional      pam_keyinit.so revoke
    session     required      pam_limits.so
    session     optional      pam_oddjob_mkhomedir.so
    session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
    session     required      pam_unix.so
    session     optional      pam_sss.so

    # vim smartcard-auth
    auth        required      pam_env.so
    auth        [success=done ignore=ignore default=die] pam_pkcs11.so wait_for_card card_only
    auth        required      pam_deny.so

    account     required      pam_unix.so
    account     sufficient    pam_localuser.so
    account     sufficient    pam_succeed_if.so uid < 500 quiet
    account     [default=bad success=ok user_unknown=ignore] pam_sss.so
    account     required      pam_permit.so

    password    required      pam_pkcs11.so

    session     optional      pam_keyinit.so revoke
    session     required      pam_limits.so
    session     optional      pam_oddjob_mkhomedir.so
    session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
    session     required      pam_unix.so
    session     optional      pam_sss.so

    # vim system-auth
    auth        required      pam_env.so
    auth        sufficient    pam_fprintd.so
    auth        sufficient    pam_unix.so nullok try_first_pass
    auth        requisite     pam_succeed_if.so uid >= 500 quiet
    auth        sufficient    pam_sss.so use_first_pass
    auth        required      pam_deny.so

    account     required      pam_unix.so
    account     sufficient    pam_localuser.so
    account     sufficient    pam_succeed_if.so uid < 500 quiet
    account     [default=bad success=ok user_unknown=ignore] pam_sss.so
    account     required      pam_permit.so

    password    requisite     pam_cracklib.so try_first_pass retry=3 type=
    password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
    password    sufficient    pam_sss.so use_authtok
    password    required      pam_deny.so

    session     optional      pam_keyinit.so revoke
    session     required      pam_limits.so
    session     optional      pam_oddjob_mkhomedir.so
    session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
    session     required      pam_unix.so
    session     optional      pam_sss.so

    # vim /etc/sssd/sssd.conf
    [domain/d1.gameop.net]
    cache_credentials = True
    krb5_store_password_if_offline = True
    ipa_domain = d1.gameop.net
    id_provider = ipa
    auth_provider = ipa
    access_provider = ipa
    chpass_provider = ipa
    ipa_server = _srv_, ipaserver.d1.gameop.net
    ldap_tls_cacert = /etc/ipa/ca.crt

    [sssd]
    config_file_version = 2
Re: [Freeipa-users] With only krb5-workstation and oddjob-mkhomedir
Axel Berlin wrote:
> Hello.
>
> I'm trying to set up a redhat 6.1 to ipaserver. What I have done:
>
> On the Ipaserver

[ snip lots of config ]

> nameserver 192.168.232.41
>
> I can id and ssh... So have I missed something with the dns? I have tried to have the SRV records to only _ldap._tcp and _kerberos._tcp but that doesn't work either.

Did you start/restart sssd after creating the configuration?

You may want to add debug_level = 9 to the domains section and start again to bump up the logging. The logs go into /var/log/sssd.

What are the permissions on /etc/krb5.keytab? Should be 0600 root:root.

Is SELinux in enforcing mode? If so I'd check the audit log too.

rob
Re: [Freeipa-users] Issue IPA: AD Users and IPA Users when using SSS/LDAP with SUDO
On 04/29/2013 08:31 PM, Aly Khimji wrote:
> Hey Pavel/Guys,
>
> Do you see anything in the new logs that might help? I saw this bug https://bugzilla.redhat.com/show_bug.cgi?id=871160 that reports this issue exactly. However, it's reported as fixed but I am still having the same issue. I am building out a new test environment and I am also deploying a FC18 client which seems to have newer sssd/libsss_sudo packages that I suppose haven't made it upstream yet.
>
> Currently installed on my client:
>
> libsss_sudo-1.9.2-82.7.el6_4.x86_64
> sssd-client-1.9.2-82.7.el6_4.x86_64
> libsss_idmap-1.9.2-82.7.el6_4.x86_64
> libsss_autofs-1.9.2-82.el6.x86_64
> sssd-1.9.2-82.7.el6_4.x86_64
>
> I've increased the logging to 10, just in case it helps. Here is the sss_sudo log for a login, then a sudo attempt.
>
> Thx
> Aly

Hi,

I'm sorry for such a late answer. The logs say that at the time of using sudo, the user akhimji is not present in the cache, which should not happen if you managed to log in. I will try to reproduce the issue first thing tomorrow and let you know.