Re: [Freeipa-users] HP ILO Authentication via LDAP (or even kerberos)

2014-01-16 Thread Alexander Bokovoy

On Thu, 16 Jan 2014, Petr Spacek wrote:

On 15.1.2014 23:13, KodaK wrote:

For the record, I spent quite a long time on this and finally gave up.  I
never found a work-around other than providing the entire DN, which I
wasn't about to do.


Did you try the slapi-nis from FreeIPA 3.3.3? Just for the record, so 
we will know if it works or not.

Note that it might not build or work well on RHEL 6.x.

--
/ Alexander Bokovoy

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] Odd problem with SSSD and SSH keys

2014-01-16 Thread Jan Cholasta
OK, there is definitely something going on in the client then. Are there 
multiple domains configured in sssd.conf?


On 15.1.2014 13:56, Bret Wortman wrote:

The fingerprint does match.

On 01/15/2014 03:33 AM, Jan Cholasta wrote:



On 14.1.2014 12:34, Bret Wortman wrote:

The key in /etc/ssh/ssh_host_rsa_key.pub matches what's in IPA for the
host in question. It should not have had any connectivity issues; it's
co-located with several of our IPA masters.


Can you also check if the MD5 fingerprint reported by ssh (e.g.
2a:1e:1c:87:33:44:fb:87:ab:6f:ee:80:d5:21:7e:ab in your original post)
matches the MD5 fingerprint for the host in IPA?


--
Jan Cholasta

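One way to do the comparison Jan asks for, as an added example that is not from this thread or from FreeIPA: it computes the MD5 fingerprint of an OpenSSH public key line the way ssh printed it at the time and checks it against the value stored for the host in IPA. The IPA value is assumed to be either the same key line or its bare base64 blob, and the key material below is constructed, not a real host key.

```python
import base64
import hashlib
import re
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode one length-prefixed field of the OpenSSH key wire format."""
    return struct.pack(">I", len(data)) + data


def key_blob(pubkey: str) -> bytes:
    """Decode the key blob from an OpenSSH public key line
    ('ssh-rsa <base64> [comment]') or from a bare base64 blob."""
    fields = pubkey.strip().split()
    if len(fields) >= 2 and fields[0].startswith(("ssh-", "ecdsa-")):
        fields = fields[1:]
    return base64.b64decode(fields[0])


def md5_fingerprint(pubkey: str) -> str:
    """MD5 over the decoded blob in the colon-separated form ssh printed
    at the time (e.g. 2a:1e:1c:87:...). MD5 is only an identifier here."""
    digest = hashlib.md5(key_blob(pubkey), usedforsecurity=False).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def is_md5_fingerprint(text: str) -> bool:
    """Shape check for a fingerprint string: 16 hex byte pairs with colons."""
    return re.fullmatch(r"(?:[0-9a-f]{2}:){15}[0-9a-f]{2}", text) is not None


def fingerprints_match(host_pubkey: str, ipa_sshpubkey: str) -> bool:
    """True when the host's key file and the value stored in IPA carry the
    same key, whatever comment or whitespace surrounds it."""
    return md5_fingerprint(host_pubkey) == md5_fingerprint(ipa_sshpubkey)


# Constructed sample: a syntactically valid ssh-rsa blob with a tiny
# made-up exponent and modulus, not a real host key.
BLOB = (ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01")
        + ssh_string(b"\x00\xc3\x5f\x9a\x12\x77\x4b"))
HOST_KEY_LINE = "ssh-rsa " + base64.b64encode(BLOB).decode() + " root@zw129.foo.com"
IPA_SSHPUBKEY = base64.b64encode(BLOB).decode()   # bare blob, as IPA may store it
TAMPERED_LINE = "ssh-rsa " + base64.b64encode(BLOB + b"\x00").decode()

if __name__ == "__main__":
    print("host file:", md5_fingerprint(HOST_KEY_LINE))
    print("IPA entry:", md5_fingerprint(IPA_SSHPUBKEY))
    print("match:    ", fingerprints_match(HOST_KEY_LINE, IPA_SSHPUBKEY))
```

A mismatch here means the client is presenting a key IPA does not know, which is exactly the case sssd's known-hosts lookup would reject.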


Re: [Freeipa-users] Odd problem with SSSD and SSH keys

2014-01-16 Thread Bret Wortman
Yes, though there should be only one. We ended up somehow with foo.com and 
.foo.com and I'm not sure how to reduce us properly to just foo.com. 


Bret Wortman
http://bretwortman.com/
http://twitter.com/BretWortman

 On Jan 16, 2014, at 4:42 AM, Jan Cholasta jchol...@redhat.com wrote:
 
 OK, there is definitely something going on in the client then. Are there 
 multiple domains configured in sssd.conf?
 
 On 15.1.2014 13:56, Bret Wortman wrote:
 The fingerprint does match.
 
 On 01/15/2014 03:33 AM, Jan Cholasta wrote:
 
 
 On 14.1.2014 12:34, Bret Wortman wrote:
 The key in /etc/ssh/ssh_host_rsa_key.pub matches what's in IPA for the
 host in question. It should not have had any connectivity issues; it's
 co-located with several of our IPA masters.
 
 Can you also check if the MD5 fingerprint reported by ssh (e.g.
 2a:1e:1c:87:33:44:fb:87:ab:6f:ee:80:d5:21:7e:ab in your original post)
 matches the MD5 fingerprint for the host in IPA?
 
 -- 
 Jan Cholasta



Re: [Freeipa-users] Odd problem with SSSD and SSH keys

2014-01-16 Thread Jan Cholasta
I think you can just comment out the whole [domain/] section in 
sssd.conf and restart sssd. Does that solve the problem? If not, could 
you please post your sssd.conf here?


On 16.1.2014 11:21, Bret Wortman wrote:

Yes, though there should be only one. We ended up somehow with foo.com and 
.foo.com and I'm not sure how to reduce us properly to just foo.com.


Bret Wortman
http://bretwortman.com/
http://twitter.com/BretWortman


On Jan 16, 2014, at 4:42 AM, Jan Cholasta jchol...@redhat.com wrote:

OK, there is definitely something going on in the client then. Are there 
multiple domains configured in sssd.conf?


On 15.1.2014 13:56, Bret Wortman wrote:
The fingerprint does match.


On 01/15/2014 03:33 AM, Jan Cholasta wrote:



On 14.1.2014 12:34, Bret Wortman wrote:
The key in /etc/ssh/ssh_host_rsa_key.pub matches what's in IPA for the
host in question. It should not have had any connectivity issues; it's
co-located with several of our IPA masters.


Can you also check if the MD5 fingerprint reported by ssh (e.g.
2a:1e:1c:87:33:44:fb:87:ab:6f:ee:80:d5:21:7e:ab in your original post)
matches the MD5 fingerprint for the host in IPA?


--
Jan Cholasta



--
Jan Cholasta



Re: [Freeipa-users] Odd problem with SSSD and SSH keys

2014-01-16 Thread Bret Wortman
It did. I just needed the motivation to figure out which version was 
correct. So I experimented on my own workstation this morning before 
anyone else got in and rolled out a corrected version.


Thanks for your help, everyone!


On 01/16/2014 11:52 AM, Jan Cholasta wrote:
I think you can just comment out the whole [domain/] section in 
sssd.conf and restart sssd. Does that solve the problem? If not, could 
you please post your sssd.conf here?


On 16.1.2014 11:21, Bret Wortman wrote:
Yes, though there should be only one. We ended up somehow with 
foo.com and .foo.com and I'm not sure how to reduce us properly to 
just foo.com.



Bret Wortman
http://bretwortman.com/
http://twitter.com/BretWortman


On Jan 16, 2014, at 4:42 AM, Jan Cholasta jchol...@redhat.com wrote:

OK, there is definitely something going on in the client then. Are 
there multiple domains configured in sssd.conf?



On 15.1.2014 13:56, Bret Wortman wrote:
The fingerprint does match.


On 01/15/2014 03:33 AM, Jan Cholasta wrote:



On 14.1.2014 12:34, Bret Wortman wrote:
The key in /etc/ssh/ssh_host_rsa_key.pub matches what's in IPA for the
host in question. It should not have had any connectivity issues; it's
co-located with several of our IPA masters.


Can you also check if the MD5 fingerprint reported by ssh (e.g.
2a:1e:1c:87:33:44:fb:87:ab:6f:ee:80:d5:21:7e:ab in your original post)
matches the MD5 fingerprint for the host in IPA?


--
Jan Cholasta


Re: [Freeipa-users] Odd problem with SSSD and SSH keys

2014-01-16 Thread Jan Cholasta
I'm glad that fixed it, but I would still be interested in what went 
wrong. Could you tell me what was the difference between foo.com and 
.foo.com domain configuration? I'm also curious how such a 
configuration got into sssd.conf in the first place; ipa-client-install 
should have created only one domain.


On 16.1.2014 18:19, Bret Wortman wrote:

It did. I just needed the motivation to figure out which version was
correct. So I experimented on my own workstation this morning before
anyone else got in and rolled out a corrected version.

Thanks for your help, everyone!


On 01/16/2014 11:52 AM, Jan Cholasta wrote:

I think you can just comment out the whole [domain/] section in
sssd.conf and restart sssd. Does that solve the problem? If not, could
you please post your sssd.conf here?

On 16.1.2014 11:21, Bret Wortman wrote:

Yes, though there should be only one. We ended up somehow with
foo.com and .foo.com and I'm not sure how to reduce us properly to
just foo.com.


Bret Wortman
http://bretwortman.com/
http://twitter.com/BretWortman


On Jan 16, 2014, at 4:42 AM, Jan Cholasta jchol...@redhat.com wrote:

OK, there is definitely something going on in the client then. Are
there multiple domains configured in sssd.conf?


On 15.1.2014 13:56, Bret Wortman wrote:
The fingerprint does match.


On 01/15/2014 03:33 AM, Jan Cholasta wrote:



On 14.1.2014 12:34, Bret Wortman wrote:
The key in /etc/ssh/ssh_host_rsa_key.pub matches what's in IPA for the
host in question. It should not have had any connectivity issues; it's
co-located with several of our IPA masters.


Can you also check if the MD5 fingerprint reported by ssh (e.g.
2a:1e:1c:87:33:44:fb:87:ab:6f:ee:80:d5:21:7e:ab in your original post)
matches the MD5 fingerprint for the host in IPA?


--
Jan Cholasta

--
Jan Cholasta



Re: [Freeipa-users] Odd problem with SSSD and SSH keys

2014-01-16 Thread Bret Wortman
Here was the original sssd.conf. IPA created one, and I think in our 
early confusion over IPA, we created the other accidentally, and as we 
were trying to get puppet to enforce our system configs (we have a lot 
of developers who love to tinker with things they don't understand, 
which at this point includes me, I guess) we ended up postponing 
figuring out whether we could do away with the .foo.net one until today:


---
[domain/foo.com]
cach_credentials = True
krb5_store_password_if_offline = True
ipa_domain = foo.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = zw129.foo.com
chpass_provider = ipa
ipa_dyndns_update = True
ipa_server = 192.168.208.46, _srv_, 192.168.10.111, 192.168.8.49
ldap_tls_cacert = /etc/ipa/ca.crt
[domain/.foo.com]

cache_credentials = True
krb5_store_password_if_offline = True
krb5_realm = FOO.COM
ipa_domain = .foo.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
chpass_provider = ipa
ipa_dyndns_update = True
ipa_server = 192.168.208.46, _srv_, 192.168.10.111, 192.168.8.49
ldap_netgroup_search_base = cn=ng,cn=compat,dc=foo,dc=com
dns_discovery_domain = .foo.com
[sssd]
services = nss, pam, ssh
config_file_version = 2

domains = .foo.com, foo.com
[nss]

[pam]

[sudo]

[autofs]

[ssh]

---


Bret

On 01/16/2014 12:47 PM, Jan Cholasta wrote:
I'm glad that fixed it, but I would still be interested in what went 
wrong. Could you tell me what was the difference between foo.com and 
.foo.com domain configuration? I'm also curious how such a 
configuration got into sssd.conf in the first place; 
ipa-client-install should have created only one domain.


On 16.1.2014 18:19, Bret Wortman wrote:

It did. I just needed the motivation to figure out which version was
correct. So I experimented on my own workstation this morning before
anyone else got in and rolled out a corrected version.

Thanks for your help, everyone!


On 01/16/2014 11:52 AM, Jan Cholasta wrote:

I think you can just comment out the whole [domain/] section in
sssd.conf and restart sssd. Does that solve the problem? If not, could
you please post your sssd.conf here?

On 16.1.2014 11:21, Bret Wortman wrote:

Yes, though there should be only one. We ended up somehow with
foo.com and .foo.com and I'm not sure how to reduce us properly to
just foo.com.


Bret Wortman
http://bretwortman.com/
http://twitter.com/BretWortman

On Jan 16, 2014, at 4:42 AM, Jan Cholasta jchol...@redhat.com wrote:


OK, there is definitely something going on in the client then. Are
there multiple domains configured in sssd.conf?


On 15.1.2014 13:56, Bret Wortman wrote:
The fingerprint does match.


On 01/15/2014 03:33 AM, Jan Cholasta wrote:



On 14.1.2014 12:34, Bret Wortman wrote:
The key in /etc/ssh/ssh_host_rsa_key.pub matches what's in IPA for the
host in question. It should not have had any connectivity issues; it's
co-located with several of our IPA masters.


Can you also check if the MD5 fingerprint reported by ssh (e.g.
2a:1e:1c:87:33:44:fb:87:ab:6f:ee:80:d5:21:7e:ab in your original post)
matches the MD5 fingerprint for the host in IPA?


--
Jan Cholasta
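An added check, not from this thread and not part of SSSD or FreeIPA, that would have flagged the sssd.conf Bret posted: it parses the file with configparser and reports domains enabled in [sssd] without a section, sections that are not enabled, two sections for the same domain that differ only by a leading dot, and option names ipa-client-install does not write, so a typo such as cach_credentials shows up. The set of known option names is an assumption of the example, and the embedded config is a constructed, shortened version of the posted one.

```python
import configparser

# Options ipa-client-install writes into a [domain/...] section. This set is
# an assumption of the example, not SSSD's authoritative option schema.
KNOWN_DOMAIN_KEYS = {
    "cache_credentials", "krb5_store_password_if_offline", "krb5_realm",
    "ipa_domain", "id_provider", "auth_provider", "access_provider",
    "chpass_provider", "ipa_hostname", "ipa_server", "ipa_dyndns_update",
    "ldap_tls_cacert", "ldap_netgroup_search_base", "dns_discovery_domain",
}


def lint_sssd_conf(text: str) -> list[str]:
    """Return findings for an sssd.conf body; an empty list means clean."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = []
    defined = {s[len("domain/"):] for s in cp.sections() if s.startswith("domain/")}
    enabled = {d.strip() for d in cp.get("sssd", "domains", fallback="").split(",")
               if d.strip()}
    for d in sorted(enabled - defined):
        findings.append(f"domain '{d}' is enabled but has no [domain/{d}] section")
    for d in sorted(defined - enabled):
        findings.append(f"[domain/{d}] is defined but not listed in [sssd] domains")
    # The failure mode from this thread: two sections for the same domain
    # that differ only by a leading dot, both enabled at once.
    for d in sorted(defined):
        if d.startswith(".") and d.lstrip(".") in defined:
            findings.append(f"[domain/{d}] duplicates [domain/{d.lstrip('.')}] (leading dot)")
        for key in cp["domain/" + d]:
            if key not in KNOWN_DOMAIN_KEYS:
                findings.append(f"[domain/{d}] has unrecognised option '{key}'")
    return findings


# Constructed, shortened version of the config posted above (not the
# complete file), with the misspelled option and both domain sections.
POSTED_CONF = """
[domain/foo.com]
cach_credentials = True
ipa_domain = foo.com
id_provider = ipa
[domain/.foo.com]
cache_credentials = True
ipa_domain = .foo.com
id_provider = ipa
[sssd]
services = nss, pam, ssh
domains = .foo.com, foo.com
"""
```

Running lint_sssd_conf over the real file (open it and pass the text) is enough; the known-keys set should be extended with whatever options your own install writes before trusting the unrecognised-option findings.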

[Freeipa-users] export users/groups from one ipa server to another

2014-01-16 Thread Les Stott
Hi All,

Looking for the quickest and easiest way to export users from one freeipa 
server and install on another.

I have an existing freeipa server, 3.0.0 standard rhel6 in a DR environment.
I am setting up an identical freeipa server in a Production Environment.

The two environments will not be configured to talk to each other. They will 
both have their own replicas.

I simply want to export the users and groups I created in freeipa in DR, and 
import them (preserving details and passwords) into the freeipa server in 
Production.

What is the recommendation? Is there an ipa tool? Or will ldif exports suffice?

Thanks in advance,

Les

Re: [Freeipa-users] export users/groups from one ipa server to another

2014-01-16 Thread Petr Spacek

On 17.1.2014 07:24, Les Stott wrote:

Hi All,

Looking for the quickest and easiest way to export users from one freeipa 
server and install on another.

I have an existing freeipa server, 3.0.0 standard rhel6 in a DR environment.
I am setting up an identical freeipa server in a Production Environment.

The two environments will not be configured to talk to each other. They will 
both have their own replicas.

I simply want to export the users and groups I created in freeipa in DR, and 
import them (preserving details and passwords) into the freeipa server in 
Production.

What is the recommendation? Is there an ipa tool? Or will ldif exports suffice?


IMHO you can create a replica (including CA and DNS if you have CA and DNS on 
the original master) and then disconnect this new replica from the original 
master and move it to production.


--
Petr^2 Spacek



Re: [Freeipa-users] export users/groups from one ipa server to another

2014-01-16 Thread Martin Kosek
On 01/17/2014 07:24 AM, Les Stott wrote:
 Hi All,
 
 Looking for the quickest and easiest way to export users from one freeipa 
 server and install on another.
 
 I have an existing freeipa server, 3.0.0 standard rhel6 in a DR environment.
 I am setting up an identical freeipa server in a Production Environment.
 
 The two environments will not be configured to talk to each other. They will 
 both have their own replicas.
 
 I simply want to export the users and groups I created in freeipa in DR, and 
 import them (preserving details and passwords) into the freeipa server in 
 Production.
 
 What is the recommendation? Is there an ipa tool? Or will ldif exports 
 suffice?
 
 Thanks in advance,
 
 Les

I think the best way would be to use the ipa migrate-ds command. It should
work both with stand alone Directory Servers and IPA too. You may just need to
play with --userignoreobjectclass and userignoreattribute to not migrate
Kerberos related attributes and objectclasses if for example your other DS has
a different realm.

Martin
