[Freeipa-users] Fwd: (no subject)
-- Forwarded message --
From: Михаил А avdush...@gmail.com
Date: 2013/10/14
Subject: Re: [Freeipa-users] (no subject)
To: d...@redhat.com

Simplify the circuit. I have a Windows server DC and an IPA replica server. My job is to authenticate a Windows user to their account on the Fedora and Red Hat clients. As I understand it, when logging on to the IPA server with a Windows account there is a request to the Windows DC, found via the SRV record in DNS. Because in the forest I have a site section in which there is 1 Windows server and 1 IPA server, but on the request the IPA server does not always refer to the neighbouring Windows DC; I found this in the log at debug level 5. We do not have network connectivity between sites; there is a single point-to-site where network connectivity is available. Trust between the Windows and IPA domains is available. Logging in at the central site, where there is network connectivity, runs great, for example (ssh -l winuser@windomain ipa.client or ipa-replica-server - OK).

2013/10/12 Dmitri Pal d...@redhat.com:

> On 10/11/2013 02:07 PM, Михаил А wrote:
>> Maybe I have to explicitly specify the Windows server which my IPA server will address to authenticate a Windows user on ipa-client? For example there is the IPA server p0129ipa01.ipa.sys local and Win DC p0129ad-dc01.sys.local. How do I specify that a request for authorization obviously goes to a Windows server, or to any Windows DC in the area? Because I do not have network connectivity to ports in other regions. A DNS request is sent to all SRV Windows servers in a random order, which cannot be computed.
>> The WIN DC in the corresponding subnet authorizes the Windows users; outside of that DC, in a different subnet, it is not responsible for authorization (id winuser@windomain, getent passwd winuser@windomain, ssh -l winuser@windomain ipa-client). IPA server Fedora 19, ipa-client Fedora 19 and RedHat 6.x.
>
> The configuration still puzzles me. Can you share your sanitized sssd.conf?
>
> Based on your description you have:
> Windows DCs
> IPAs
> Clients that are configured to use IPA and DC (at the same time? how?)
> Users coming from AD authenticating on the client
>
> My point is that you need to either:
> * Connect your SSSD to AD directly, then there is no IPA in the picture
> * Connect your SSSD to IPA. In this case you can authenticate users that are native to IPA, synced to IPA from AD, or you can use trusted users from AD accessing the system if IPA and AD are in a trust relationship
> * Connect your SSSD to AD as one domain to allow AD users to authenticate and create another domain that would connect SSSD to IPA. This is for non-overlapping user sets between AD and IPA
>
> If you are running some other configuration it is probably something that we do not recommend. We know people try to use one configuration to force user authentication against AD while other information including user setup comes from IPA, but we do not recommend this setup because we can't upgrade from it cleanly.
>
> 2013/10/11 Dmitri Pal d...@redhat.com:
>> On 10/11/2013 05:22 AM, Михаил А wrote:
>>> Good afternoon. In each region I have a couple of controllers (Windows and IPA). In the authorization server logs on IPA (sssd log) I find that the request does not go to the neighbouring Windows server by location, but randomly throughout the forest. Tell me, is there a way to explicitly specify the IPA server on the Windows DC? Logs attached. Is there documentation about this somewhere?
>>
>> I am not quite sure I understand your setup but I will try to give you some hints. If you want SSSD to access a specific IPA server or servers you can define primary and secondary servers explicitly in the SSSD configuration. See SSSD man pages. This can also be done via the ipa-client-install command line starting with IPA client 3.0 and SSSD 1.9. But that would sort of override the information coming from DNS. If you are looking for SSSD to support DNS sites then this functionality is available in SSSD 1.11 if SSSD is joined directly to AD via the AD provider. If you are looking for the same functionality when SSSD connects to IPA then it is still on the roadmap because IPA does not support sites. https://fedorahosted.org/freeipa/ticket/2008
>>
>> next to the IPA server pk529ad-dc01.sys.local IPA server and knocks pk429ad-dc01.sys.local to another region

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
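The hint above is that SSSD can be told explicitly which IPA (or AD) servers to use instead of picking one from DNS SRV records. The following script is an added example, not code from the thread or from the SSSD project: it audits an sssd.conf and reports, per domain section, whether servers are pinned or whether the section still depends on SRV discovery. The option names ipa_server, ipa_backup_server, ad_server and ad_backup_server are the ones documented in the sssd-ipa and sssd-ad man pages; the configuration text and host names are constructed sample input (the host names are borrowed from the thread).

```shell
#!/bin/sh
# Added example, not from the thread: audit which [domain/...] sections of an
# sssd.conf pin their servers explicitly and which rely on DNS SRV discovery
# ("_srv_" in the list, or no server option at all), which is the case where
# a DC from another site may be chosen at random. Option names are the real
# SSSD ones; the config below is constructed sample input.

SAMPLE_CONF='[sssd]
domains = ipa.sys.local, sys.local
services = nss, pam

[domain/ipa.sys.local]
id_provider = ipa
ipa_domain = ipa.sys.local
ipa_server = _srv_, p0129ipa01.ipa.sys.local
ipa_backup_server = pk529ipa01.ipa.sys.local

[domain/sys.local]
id_provider = ad
ad_server = p0129ad-dc01.sys.local
ad_backup_server = pk529ad-dc01.sys.local'

# Reads an sssd.conf on stdin and prints one line per domain section:
#   domain|mode|primary servers|backup servers
# mode is "pinned" when a primary list is given without _srv_, otherwise
# "srv-discovery".
audit_servers() {
  awk '
    function flush() {
      if (dom == "") return
      mode = "pinned"
      if (primary == "" || primary ~ /_srv_/) mode = "srv-discovery"
      printf "%s|%s|%s|%s\n", dom, mode, primary, backup
      dom = ""; primary = ""; backup = ""
    }
    /^\[domain\// { flush(); dom = substr($0, 9, length($0) - 9); next }
    /^\[/         { flush(); next }
    dom != "" && /^(ipa|ad)_server[ \t]*=/ {
      sub(/^[^=]*=[ \t]*/, ""); primary = $0; next
    }
    dom != "" && /^(ipa|ad)_backup_server[ \t]*=/ {
      sub(/^[^=]*=[ \t]*/, ""); backup = $0; next
    }
    END { flush() }
  '
}

# Only the domains that still depend on SRV discovery, so an admin can decide
# whether a site-local server should be pinned for them.
srv_dependent_domains() {
  audit_servers | awk -F'|' '$2 == "srv-discovery" { print $1 }'
}

printf '%s\n' "$SAMPLE_CONF" | audit_servers
```

Run it with `sh audit.sh`, or feed a real file with `audit_servers < /etc/sssd/sssd.conf` after sourcing the functions. A section listed as srv-discovery is one where the server actually contacted is decided by DNS at run time, which is exactly what the thread is trying to avoid across sites.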
[Freeipa-users] Default shell for new users
Is there any particular reason why /bin/sh is the default shell for new domain users and not /bin/bash? I know that /bin/sh is a symlink to /bin/bash on Fedora, but local user accounts are created with /bin/bash as the default shell. Is it related to other supported UNIX-like systems that might not include bash, or is there some other reason for such a default value?

Mateusz Marzantowicz
Re: [Freeipa-users] Default shell for new users
On 10/14/2013 11:46 AM, Mateusz Marzantowicz wrote:
> Is there any particular reason why /bin/sh is default shell for new domain users and not /bin/bash is? I know that /bin/sh is symlink to /bin/bash on Fedora but local user accounts are created with /bin/bash as default shell. Is it related to other supported UNIX-like systems that might not include bash or there is some other reason for such default value?

This is exactly the reason. /bin/sh is just the most common denominator when talking about shells on various client systems. But feel free to change the default to /bin/bash if you like:

    $ kinit admin
    $ ipa config-mod --defaultshell=/bin/bash

HTH,
Martin
Re: [Freeipa-users] Default shell for new users
    ipa config-mod --defaultshell=/bin/bash
    ipa: ERROR: no modifications to be performed

2013/10/14 Martin Kosek mko...@redhat.com:
> This is exactly the reason. /bin/sh is just the most common denominator when talking about shells on various client systems. But feel free to change the default to /bin/bash if you like:
>
>     $ kinit admin
>     $ ipa config-mod --defaultshell=/bin/bash
>
> HTH,
> Martin
Re: [Freeipa-users] Default shell for new users
Then you probably have /bin/bash already set. Use

    # ipa config-show

to verify.

Martin

On 10/14/2013 01:46 PM, Михаил А wrote:
>     ipa config-mod --defaultshell=/bin/bash
>     ipa: ERROR: no modifications to be performed
Re: [Freeipa-users] (no subject)
https://fedorahosted.org/freeipa/ticket/2008 is there a possibility to do the same for the SRV records of Windows servers?

2013/10/14 Михаил А avdush...@gmail.com:
> -- Forwarded message --
> From: Михаил А avdush...@gmail.com
> Date: 2013/10/14
> Subject: Re: [Freeipa-users] (no subject)
> To: d...@redhat.com
[Freeipa-users] Subsystem certs not renewed
Dear IPA users,

My IPA 3.0 installation on CentOS 6.4 (coming from a 2.2 upgrade) suddenly stopped working for the CA part. I'm not sure this is the root of all the issues, but the subsystem certificates were expired and not renewed: getcert list gives a similar output for all of them, and I don't know how to proceed.

    []# getcert list -c dogtag-ipa-renew-agent
    Request ID '20130902075915':
      status: MONITORING
      ca-error: No end-entity URL (-E) given, and no default known.
      stuck: no
      key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
      certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
      CA: dogtag-ipa-renew-agent
      issuer: CN=Certificate Authority,O=
      subject: CN=RA Subsystem,O=
      expires: 2013-10-11 07:44:12 UTC
      eku: id-kp-serverAuth,id-kp-clientAuth
      pre-save command:
      post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
      track: yes
      auto-renew: yes

Do you have any hints on how to solve this?

Many thanks in advance
federico
Re: [Freeipa-users] Subsystem certs not renewed
Federico Nebiolo wrote:
> My IPA 3.0 installation on CentOS 6.4 (coming from a 2.2 upgrade) suddenly stopped working for the CA part. I'm not sure this is the root of all the issues, but subsystem certificates was expired and not renewed: getcert list gives a similar output for all of them, and I don't know how to proceed.
>
>     Request ID '20130902075915':
>       status: MONITORING
>       ca-error: No end-entity URL (-E) given, and no default known.
>       ...
>       expires: 2013-10-11 07:44:12 UTC
>
> Do you have any hints on how to solve?

Try adding a host=fqdn to the [global] section in /etc/ipa/default.conf where host is the fqdn of your IPA master.

I think you'll need to temporarily go back in time to the 11th for the renewal to succeed.

You can force certmonger to try the renewal again with:

    # getcert resubmit -i 20130902075915

You'll want to do this for all certs affected by this.

If this works please let us know and we'll make sure that host exists in default.conf when upgrades happen.

rob
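The exchange above boils down to two checks and one action per affected certificate: confirm default.conf has a host= entry in [global], find every tracking request certmonger failed to renew, and resubmit each by request ID. The script below is an added example, not code from the thread or from FreeIPA/certmonger: it parses getcert list output for requests that carry a ca-error or whose expiry is already past, and prints the corresponding getcert resubmit commands for review. The listing it works on is constructed sample input modelled on Federico's output; the second request ID, the Server-Cert nickname and the O=EXAMPLE.TEST values are made up.

```shell
#!/bin/sh
# Added example, not from the thread: triage "getcert list" output for
# tracking requests certmonger could not renew (a ca-error line, or an
# expiry already in the past) and emit "getcert resubmit -i <id>" for each,
# plus a check that /etc/ipa/default.conf sets host= under [global].
# The getcert listing below is constructed sample input modelled on the
# thread; request 20130902075916, Server-Cert and O=EXAMPLE.TEST are made up.

SAMPLE_GETCERT="Request ID '20130902075915':
  status: MONITORING
  ca-error: No end-entity URL (-E) given, and no default known.
  stuck: no
  key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
  certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
  CA: dogtag-ipa-renew-agent
  issuer: CN=Certificate Authority,O=EXAMPLE.TEST
  subject: CN=RA Subsystem,O=EXAMPLE.TEST
  expires: 2013-10-11 07:44:12 UTC
  track: yes
  auto-renew: yes
Request ID '20130902075916':
  status: MONITORING
  stuck: no
  certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
  CA: IPA
  expires: 2015-09-02 07:59:16 UTC
  track: yes
  auto-renew: yes"

# Reads getcert output on stdin. $1 is "now" in getcert's own timestamp
# format ("YYYY-MM-DD HH:MM:SS UTC"), so expiry compares as a plain string.
# Prints one line per failed request:  id|nickname|reason
find_failed_renewals() {
  awk -v now="$1" '
    function flush() {
      if (id == "") return
      reason = ""
      if (caerr != "") reason = "ca-error: " caerr
      else if (expires != "" && expires < now) reason = "expired " expires
      if (reason != "") printf "%s|%s|%s\n", id, nick, reason
      id = ""; nick = ""; caerr = ""; expires = ""
    }
    /^Request ID/ { flush(); id = $3; gsub(/[^0-9]/, "", id); next }
    /^[ \t]*ca-error:/ { sub(/^[ \t]*ca-error:[ \t]*/, ""); caerr = $0; next }
    /^[ \t]*expires:/  { sub(/^[ \t]*expires:[ \t]*/, ""); expires = $0; next }
    /^[ \t]*certificate:/ {
      # nickname=... up to the next comma; strip the surrounding quotes
      if (match($0, /nickname=[^,]*/)) {
        nick = substr($0, RSTART + 9, RLENGTH - 9)
        gsub("\047", "", nick)
      }
      next
    }
    END { flush() }
  '
}

# Print the resubmit commands instead of running them, so they can be
# reviewed (and run after the clock/default.conf fix from the reply).
resubmit_commands() {
  find_failed_renewals "$1" | awk -F'|' '{ print "getcert resubmit -i " $1 }'
}

# Reads default.conf on stdin; exit status 0 only if [global] sets host=.
default_conf_has_host() {
  awk '/^\[/ { g = ($0 == "[global]") }
       g && /^host[ \t]*=/ { found = 1 }
       END { exit !found }'
}

printf '%s\n' "$SAMPLE_GETCERT" | resubmit_commands "2013-10-14 00:00:00 UTC"
```

Against a live master the same functions take `getcert list | find_failed_renewals "$(date -u '+%Y-%m-%d %H:%M:%S UTC')"` and `default_conf_has_host < /etc/ipa/default.conf`; the expiry comparison is deliberately string-based so it works on any POSIX awk without date parsing.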
[Freeipa-users] Renewing CA certificate
Folks,

I wanted to touch base with y'all about how/if work is progressing on the ability to replace the CA certificate. My certificate is a subordinate of an AD CS instance and will be expiring in December, after two years. Some how, some way, without rebuilding I would like to be able to replace this subordinate CA.

There is a ticket open for this, last I checked not much was said in the ticket: https://fedorahosted.org/freeipa/ticket/3304

-Erinn
Re: [Freeipa-users] Renewing CA certificate
Erinn Looney-Triggs wrote:
> I wanted to touch base with y'all about how/if work is progressing on the ability to replace the CA certificate. My certificate is a subordinate of an AD CS instance and will be expiring in December, after two years. Some how, some way, without rebuilding I would like to be able to replace this subordinate CA.
>
> There is a ticket open for this, last I checked not much was said in the ticket: https://fedorahosted.org/freeipa/ticket/3304

http://www.freeipa.org/page/V3/CA_certificate_renewal

There was a discussion of this proposal on freeipa-devel, https://www.redhat.com/archives/freeipa-devel/2013-October/msg00073.html

rob
Re: [Freeipa-users] (no subject)
On 10/14/2013 09:52 AM, Михаил А wrote:
> https://fedorahosted.org/freeipa/ticket/2008 is there a possibility to do the same for the SRV records windows servers?

Yes, if you use latest SSSD against AD without IPA.

If you want to use IPA with AD then SSSD is connected to IPA and IPA needs to provide this functionality. It is not implemented yet and not a high priority so far. Help and patches are definitely welcome.

> 2013/10/14 Михаил А avdush...@gmail.com:
>> -- Forwarded message --
>> From: Михаил А avdush...@gmail.com
>> Date: 2013/10/14
>> Subject: Re: [Freeipa-users] (no subject)
>> To: d...@redhat.com
Re: [Freeipa-users] Default shell for new users
Adding freeipa-users list back to CC.

Note that the default shell applies only for new users. To modify shell for a current user, use

    # ipa user-mod user --shell=/bin/bash

Martin

On 10/14/2013 01:55 PM, Михаил А wrote:
>     [root@pk529ipa01 ~]# ipa config-show
>     ...
>     Default shell: /bin/bash
>     ...
>
> but in new session
>
>     -sh-4.2$ echo $SHELL
>     /bin/sh
>     -sh-4.2$
>
> 2013/10/14 Martin Kosek mko...@redhat.com:
>> Then you probably have /bin/bash already set. Use
>>
>>     # ipa config-show
>>
>> to verify.
>>
>> Martin
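The point of the reply above is that config-mod changes the default for users created from now on, while existing accounts keep whatever loginShell they were created with and have to be modified one by one with ipa user-mod. The script below is an added example, not code from the thread or from FreeIPA: it reads an ipa user-find style listing, picks out the users still on a given shell, and prints the user-mod commands to review before running them. The listing is constructed sample input whose field labels ("User login:", "Login shell:") are assumed to match the CLI's output; the logins and UIDs are made up.

```shell
#!/bin/sh
# Added example, not from the thread: list the existing users still on a
# given login shell (the new default only applies to users created later)
# and print the per-user "ipa user-mod ... --shell=" commands for review.
# The listing below is constructed sample input; field labels are assumed
# to match "ipa user-find" output, and the logins/UIDs are made up.

SAMPLE_USERS="---------------
3 users matched
---------------
  User login: alice
  First name: Alice
  Login shell: /bin/sh
  UID: 1001

  User login: bob
  First name: Bob
  Login shell: /bin/bash
  UID: 1002

  User login: mikhail
  First name: Mikhail
  Login shell: /bin/sh
  UID: 1003
----------------------------
Number of entries returned 3
----------------------------"

# Reads the listing on stdin and prints the logins whose shell equals $1.
# The login is remembered when seen and emitted once its shell line matches.
users_on_shell() {
  awk -v want="$1" '
    /^[ \t]*User login:/  { sub(/^[ \t]*User login:[ \t]*/, "");  login = $0; next }
    /^[ \t]*Login shell:/ { sub(/^[ \t]*Login shell:[ \t]*/, ""); if ($0 == want) print login; next }
  '
}

# Builds the modification commands ($1 = current shell, $2 = new shell)
# without executing them.
shell_change_commands() {
  users_on_shell "$1" | while read -r login; do
    printf 'ipa user-mod %s --shell=%s\n' "$login" "$2"
  done
}

printf '%s\n' "$SAMPLE_USERS" | shell_change_commands /bin/sh /bin/bash
```

With a Kerberos ticket for an admin, the live equivalent is `ipa user-find | shell_change_commands /bin/sh /bin/bash`, then running the printed lines once they have been checked; users whose /bin/sh is intentional simply stay out of the list.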
Re: [Freeipa-users] Renewing CA certificate
On 10/14/2013 10:26 AM, Rob Crittenden wrote:
> Erinn Looney-Triggs wrote:
>> There is a ticket open for this, last I checked not much was said in the ticket: https://fedorahosted.org/freeipa/ticket/3304
>
> http://www.freeipa.org/page/V3/CA_certificate_renewal
>
> There was a discussion of this proposal on freeipa-devel, https://www.redhat.com/archives/freeipa-devel/2013-October/msg00073.html
>
> rob

Rob,

Brilliant, thanks for the pointers to the info and the discussion.

-Erinn
Re: [Freeipa-users] ipa sync agreement to AD DC is taking a very long time
On 10/14/2013 08:26 PM, janice.psyop wrote:
> Hi, I've been setting up an IPA server (centos 6.4) with AD trust (2008R2 domain) following the FC18 freeipa guide. Everything has gone smoothly until I ran the ipa-replica-manage connect command to the AD DC and it seems to be running (no errors on std out and ps says it is still running), but it has been running for six hours! We do have ~2000 user entries, but I didn't think it would take this long to sync up.

It's definitely hung up. 2k users should be very quick to sync.

> The command I ran was this (see below) and the screen now just displays repeating Update in progress. I'm very tempted to kill it in case something is going horribly wrong (with the AD user accounts...)
>
>     /usr/sbin/ipa-replica-manage connect --winsync --passsync=MySecretPass --binddn=CN=myipasyncuser,CN=Users,DC=domain,DC=com --bindpw=MySecretPass --cacert=/etc/openldap/cacerts/DC-CA.cer -v dc.domain.com
>     Update in progress
>     Update in progress
>     Update in progress
>     Update in progress
>     Update in progress
>     Update in progress
>     Update in progress
>
> Is there any way to check the progress of this in case it is in fact hung up? The last few entries in the ipa/default.log is from six hours ago:

Is there anything of interest in the 389 DS errors log? It's located at /var/log/dirsrv/slapd-realm/errors.

Thanks,
-NGK

>     2013-10-14T21:32:45Z 2706 MainThread ipa INFO Added new sync agreement, waiting for it to become ready . . .
>     2013-10-14T21:32:46Z 2706 MainThread ipa INFO Replication Update in progress: FALSE: status: 0 Replica acquired successfully: Incremental update started: start: 0: end: 0
>     2013-10-14T21:32:46Z 2706 MainThread ipa INFO Agreement is ready, starting replication . . .
>
> thanks much,
> -J.