Re: [Freeipa-users] Choosing the right way to create trust

2014-02-12 Thread Sumit Bose
On Tue, Feb 11, 2014 at 08:29:43PM +0200, Genadi Postrilko wrote:
 I work in an environment where the AD is the DC of the Windows machines,
 while the Linux machines (RHEL 5\6) are not centrally managed.
 I would like to create an IPA server to manage the Linux machines while
 creating a trust with AD.
 The current situation is that all Windows and Linux machines are under the
 .zone.corp domain.
 From what I've read at
 https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide.html,
 I can create a trust when IPA is a subdomain of the AD domain or when the
 domains are separate. I'm not sure which method I should approach.
 Can IPA be a DC inside the AD domain? Or should I create a subdomain for
 Linux and then move all the Linux machines to the new domain (I hope not).

I'm afraid you have to move the Linux machines to a separate domain
when you want to use a trust. The reason is that Kerberos heavily depends on
DNS and e.g. uses the fully qualified host names and DNS SRV records to
determine membership of a realm and the KDCs in a realm.

HTH

bye,
Sumit

 
 Any advice?


___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] Choosing the right way to create trust

2014-02-12 Thread Martin Kosek
On 02/11/2014 07:29 PM, Genadi Postrilko wrote:
 I work in an environment where the AD is the DC of the Windows machines,
 while the Linux machines (RHEL 5\6) are not centrally managed.
 I would like to create an IPA server to manage the Linux machines while
 creating a trust with AD.
 The current situation is that all Windows and Linux machines are under the
 .zone.corp domain.
 From what I've read at
 https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide.html,
 I can create a trust when IPA is a subdomain of the AD domain or when the
 domains are separate. I'm not sure which method I should approach.
 Can IPA be a DC inside the AD domain? Or should I create a subdomain for
 Linux and then move all the Linux machines to the new domain (I hope not).
 
 Any advice?

The key here is that for IPA and AD to be able to work together in a trust,
they need to be in separate domains with realms matching these domains. In your
case, it seems to me that the following scenario would work best:

* AD with domain zone.corp and realm ZONE.CORP
* IPA with domain ipa.zone.corp and realm IPA.ZONE.CORP

Ideally, IPA should have DNS installed and have the ipa.zone.corp delegated
from the AD DNS (or other DNS you use).

More info here:
http://www.freeipa.org/page/Trusts

Martin



Re: [Freeipa-users] Are multiple dns databases possible in freeipa?

2014-02-12 Thread Petr Spacek

On 11.2.2014 20:47, Rob Crittenden wrote:

m...@tdiehl.org wrote:

Hi,

I am in the process of evaluating ipa on Centos 6.5. So far I really
like what I see, but the one problem I cannot find a viable solution for is
how can I do internal and external views with dns stored in ipa? Google seems
to indicate that it is not possible but I thought I would ask here to be sure.

My dns infrastructure serves different ip addresses depending on if the
request originates from the internal network or from the Internet.

In addition, internal hosts are able to do recursive look ups but for
external hosts recursion is not allowed.

I am thinking that if I can add a second dns database to ipa, I could then
configure named.conf to operate using views.

Is this possible/recommended? Is there a better solution that would not be
a maintenance nightmare?

Regards,



Bind views are not currently supported, see this thread
http://www.redhat.com/archives/freeipa-users/2013-October/msg5.html

There is an upstream ticket on this as well,
https://fedorahosted.org/freeipa/ticket/2802


Hello Tom,

we can provide you with a configuration file for BIND 9 which allows you to
load data for the external view from a file and use LDAP (with the FreeIPA CLI
and WebUI) for the internal view (or vice versa). Let me know if you are
interested in this configuration.



Could you describe your use case in detail? What are you trying to achieve,
why, etc.? We need to know the use cases so we can design a proper solution.


Would sites be enough for you? See
https://fedorahosted.org/freeipa/ticket/2008

Thank you for your time!

--
Petr^2 Spacek



Re: [Freeipa-users] SELinux user categories

2014-02-12 Thread Martin Kosek
On 02/11/2014 08:52 PM, Rob Crittenden wrote:
 Josh wrote:

 On Feb 11, 2014, at 2:44 PM, Rob Crittenden rcrit...@redhat.com wrote:

 Josh wrote:
 I have a situation where I need to support more than 1024 categories
 on a system.  I modified the selinuxusermap.py file to check for the
 number of categories I need but ipa still responds with the original
 error message.  Do I need to restart any of the services?

 Here is the command that was run and the output after applying the
 patch below:

 ipa config-mod
 --ipaselinuxusermaporder='guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s15:c0.c16383$resadm_u:s0-s15:c0.c16383$ia_u:s0-s15:c0.c16383'

 ipa: ERROR: invalid 'ipaselinuxusermaporder': SELinux user
 'staff_u:s0-s15:c0.c16383' is not valid: Invalid MCS value, must
 match c[0-1023].c[0-1023] and/or c[0-1023]-c[0-c0123]

 Have you updated your SELinux policy to support a larger MCS range? If
 not then this will get you past the IPA validator but it won't work
 with SELinux. See semanage(8).

 rob

 Yes.  I’m trying to set the SELinux categories in freeipa because when
 you have lots of categories all semanage commands slow down (way down).
 For other people’s knowledge, this requires recompilation of the
 SELinux policy.
 
 Ok, then your patch looks reasonable. The current code is for the default
 values and we haven't had cause to make this configurable before now. You
 might consider filing a ticket in our trac about this.
 
 Also note that this change will be lost on your next IPA upgrade, and you'll
 need to make this change on any IPA master you want these values to be
 managed. The data will remain unchanged, but the original python values will
 be restored if you update the packages.
 
 I don't believe validators are currently extensible in the IPA framework. That
 might be something we need to look at as well.
 
 regards
 
 rob

I am thinking you may be able to monkeypatch the validator in a custom plugin,
like selinuxusermap-user.py which would:


import ipalib.plugins.selinuxusermap

def custom_selinux_usermap_validator(ugettext, user):
    ...

ipalib.plugins.selinuxusermap = custom_selinux_usermap_validator


Then upgrade would not destroy the change. But of course, things may break as
well if for example we change the params of this function.

Martin



Re: [Freeipa-users] Unable to access systems

2014-02-12 Thread Jakub Hrozek
On Tue, Feb 11, 2014 at 02:00:56PM -0400, Terry Soucy wrote:
 We are transitioning from one IPA instance to a new IPA instance. The
 version of IPA instances is the same, and all is functioning normally on
 the existing IPA, but when I attempt to transition a host to the new IPA
 instance, I get the following in my logs when I attempt an SSH ..
 
 [sssd[be[dev.ca1.sfmc.co]]] [hbac_get_category] (5): Category is set to
 'all'.
 [sssd[be[dev.ca1.sfmc.co]]] [hbac_get_category] (5): Category is set to
 'all'.
 [sssd[be[dev.ca1.sfmc.co]]] [hbac_host_attrs_to_rule] (4): No host
 specified, rule will never apply.
 [sssd[be[dev.ca1.sfmc.co]]] [hbac_get_category] (5): Category is set to
 'all'.
 [sssd[be[dev.ca1.sfmc.co]]] [hbac_host_attrs_to_rule] (4): No host
 specified, rule will never apply.
 [sssd[be[dev.ca1.sfmc.co]]] [ipa_hbac_evaluate_rules] (3): Access denied by
 HBAC rules
 [sssd[be[dev.ca1.sfmc.co]]] [be_pam_handler_callback] (4): Backend
 returned: (0, 6, NULL) [Success]

Is this all SSSD prints when processing the rules?

 
 The HBAC rule, according to the test,

Does the hbactest utility verify the rule should grant access? If so,
then I would recommend upgrading as both hbactest and sssd share the
same underlying library (hbactest just uses python bindings).

 will grant me access since I'm in the
 appropriate group
 
   Rule name: hbac_techops
   Host category: all
   Service category: all
   Description: TechOps Access
   Enabled: TRUE
   User Groups: ug-techops
 
 I'm not sure what "No host specified, rule will never apply" means.

Normally this debug message means that the rule being processed
contains neither the 'all' category nor a direct host that matches.

 I
 attempted to add the host to the rule rather than use a hostgroup, but the
 result is the same

When you say the result is the same, do you also see "No host specified"?

This might sound strange, but are you sure that the client is connecting
to the right server and there are no replication issues or similar?

You can also verify that the rules that you expect to be downloaded are
in fact stored in the sssd cache with:
ldbsearch -H /var/lib/sss/db/cache_$domainname

(ldbsearch is part of ldb-tools on Fedora/RHEL, not sure what package it
is on Ubuntu)


 
 Server - RH 6.4, ipa-server-3.0.0-37.el6.x86_64
 Client - Ubuntu 10, sssd 1.5.15-0ubuntu6~lucid2

This client is rather old, is there any chance you could try a newer
version? There have been a number of fixes for HBAC since 1.5.15, including
one crasher bug.

Perhaps Timo Aaltonen might have some newer builds for Lucid in his
PPAs.

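The rule semantics Jakub describes (a rule's host part is covered either by the 'all' category or by a matching host/hostgroup, and a rule with neither can never apply) can be checked offline. The following is an added example written for this archive, not SSSD's or FreeIPA's own code: it evaluates constructed rules modelled on the hbac_techops rule shown in the thread, emits debug lines shaped like the ones in the log, and includes a deliberately incomplete second rule to show where "No host specified, rule will never apply" comes from. Nested host groups, source hosts and time rules are left out.

```python
"""Added example (not SSSD/FreeIPA code): a simplified model of IPA HBAC rule
evaluation, reproducing the debug messages quoted in the thread.

Assumptions: flat group membership is supplied in the request; nested host
groups, source hosts and time rules are ignored."""


def _matches(rule, kind, req, log):
    """Return True if the rule's <kind> part (user/host/service) covers req.

    A part is covered by the 'all' category or by an explicit member (or
    member group) match. A part with neither can never match, which is what
    SSSD logs as "rule will never apply"."""
    if rule.get(f"{kind}category") == "all":
        log.append(f"[{rule['name']}] [hbac_get_category]: Category is set to 'all'.")
        return True
    members = set(rule.get(f"member{kind}", []))
    groups = set(rule.get(f"member{kind}group", []))
    if not members and not groups:
        log.append(f"[{rule['name']}] [hbac_{kind}_attrs_to_rule]: "
                   f"No {kind} specified, rule will never apply.")
        return False
    return req[kind] in members or bool(groups & set(req.get(f"{kind}groups", [])))


def evaluate(rules, req):
    """Return (allowed, debug_log). Access is granted by the first enabled rule
    whose user, host and service parts all match; otherwise it is denied."""
    log = []
    for rule in rules:
        if not rule.get("enabled", True):
            continue
        # Evaluate all three parts so the log shows every reason a rule failed.
        parts = [_matches(rule, kind, req, log) for kind in ("user", "host", "service")]
        if all(parts):
            log.append(f"[ipa_hbac_evaluate_rules]: Access granted by rule '{rule['name']}'")
            return True, log
    log.append("[ipa_hbac_evaluate_rules]: Access denied by HBAC rules")
    return False, log


# Constructed rules: the first mirrors the hbac_techops rule shown in the
# thread; the second has no host category and no member hosts.
RULES = [
    {"name": "hbac_techops", "enabled": True,
     "hostcategory": "all", "servicecategory": "all",
     "memberusergroup": ["ug-techops"]},
    {"name": "hbac_broken", "enabled": True,
     "servicecategory": "all",
     "memberusergroup": ["ug-techops"]},      # no host part at all
]


def techops_login():
    """A member of ug-techops logging in over sshd: granted by hbac_techops."""
    req = {"user": "alice", "usergroups": ["ug-techops"],
           "host": "dev1.example.test", "hostgroups": [],
           "service": "sshd", "servicegroups": []}
    return evaluate(RULES, req)


def outsider_login():
    """A user outside ug-techops: both rules fail; hbac_broken logs 'never apply'."""
    req = {"user": "bob", "usergroups": ["ug-other"],
           "host": "dev1.example.test", "hostgroups": [],
           "service": "sshd", "servicegroups": []}
    return evaluate(RULES, req)


if __name__ == "__main__":
    for allowed, log in (techops_login(), outsider_login()):
        print("\n".join(log), "\n=> allowed:", allowed, "\n")
```

Running it prints the 'all' category lines for hbac_techops and, for the outsider, the "No host specified" line for hbac_broken followed by the final denial; a rule that is disabled is skipped entirely, which is why a disabled copy of hbac_techops grants nothing.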


Re: [Freeipa-users] SELinux user categories

2014-02-12 Thread Petr Viktorin

Moving to freeipa-devel since we're going rather deep.

On 02/12/2014 10:02 AM, Martin Kosek wrote:

On 02/11/2014 08:52 PM, Rob Crittenden wrote:

Josh wrote:


On Feb 11, 2014, at 2:44 PM, Rob Crittenden rcrit...@redhat.com wrote:


Josh wrote:

I have a situation where I need to support more than 1024 categories
on a system.  I modified the selinuxusermap.py file to check for the
number of categories I need but ipa still responds with the original
error message.  Do I need to restart any of the services?

Here is the command that was run and the output after applying the
patch below:

ipa config-mod
--ipaselinuxusermaporder='guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s15:c0.c16383$resadm_u:s0-s15:c0.c16383$ia_u:s0-s15:c0.c16383'

ipa: ERROR: invalid 'ipaselinuxusermaporder': SELinux user
'staff_u:s0-s15:c0.c16383' is not valid: Invalid MCS value, must
match c[0-1023].c[0-1023] and/or c[0-1023]-c[0-c0123]


Have you updated your SELinux policy to support a larger MCS range? If
not then this will get you past the IPA validator but it won't work
with SELinux. See semanage(8).

rob


Yes.  I’m trying to set the SELinux categories in freeipa because when
you have lots of categories all semanage commands slow down (way down).
For other people’s knowledge, this requires recompilation of the
SELinux policy.


Ok, then your patch looks reasonable. The current code is for the default
values and we haven't had cause to make this configurable before now. You might
consider filing a ticket in our trac about this.

Also note that this change will be lost on your next IPA upgrade, and you'll
need to make this change on any IPA master you want these values to be managed.
The data will remain unchanged, but the original python values will be restored
if you update the packages.

I don't believe validators are currently extensible in the IPA framework. That
might be something we need to look at as well.

regards

rob


I am thinking you may be able to monkeypatch the validator in a custom plugin,
like selinuxusermap-user.py which would:


import ipalib.plugins.selinuxusermap

def custom_selinux_usermap_validator(ugettext, user):
    ...

ipalib.plugins.selinuxusermap = custom_selinux_usermap_validator


Then upgrade would not destroy the change. But of course, things may break as
well if for example we change the params of this function.

Martin


No, I don't think something like that will work; the validator is baked 
into the Param on creation. You'd have to replace 
`selinuxusermap.takes_params` with a copy that has a new 
`ipaselinuxuser` Param.



--
Petr³

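Whatever form a customised validator finally takes (patched module, replaced Param, or a future configurable option), the check it has to perform is the one the error message in this thread describes. The block below is an added example, not FreeIPA's validator: it models the `user:mls[:mcs]` strings and the `$`-separated order value quoted above, with the MCS ceiling as a parameter so the same value can be validated against the stock c0..c1023 range and against the rebuilt policy's c0..c16383. The user-name pattern, the s0..s15 sensitivity ceiling and the comma-separated MCS item syntax are assumptions of the model.

```python
"""Added example (not FreeIPA's code): a model SELinux user string validator
with a configurable MCS category ceiling. The string format (user:mls[:mcs],
entries joined with '$') follows the values quoted in the thread."""

import re

SELINUX_USER_RE = re.compile(r"^[a-z_][a-z0-9_]*$")   # assumption: Linux-style names
MLS_RE = re.compile(r"^s(\d+)(?:-s(\d+))?$")             # s0 or s0-s15
MCS_ITEM_RE = re.compile(r"^c(\d+)(?:\.c(\d+))?$")       # c0 or c0.c1023

MAX_SENSITIVITY = 15          # s0..s15 in the stock targeted policy
DEFAULT_MAX_CATEGORY = 1023   # c0..c1023 in the stock policy; raise after a policy rebuild


def validate_mcs(mcs, max_category=DEFAULT_MAX_CATEGORY):
    """Return None if mcs (e.g. 'c0.c1023' or 'c0,c5.c7') is valid, else a message."""
    for item in mcs.split(","):
        m = MCS_ITEM_RE.match(item)
        if not m:
            return f"Invalid MCS value {mcs!r}, must match c[0-{max_category}].c[0-{max_category}]"
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) is not None else lo
        if lo > hi or hi > max_category:
            return f"Invalid MCS value {mcs!r}, categories must be ascending and <= c{max_category}"
    return None


def validate_selinux_user(value, max_category=DEFAULT_MAX_CATEGORY):
    """Validate 'user:mls[:mcs]'. Returns None when valid, else an error string."""
    parts = value.split(":")
    if len(parts) not in (2, 3):
        return f"SELinux user {value!r} is not valid: expected user:mls[:mcs]"
    user, mls = parts[0], parts[1]
    if not SELINUX_USER_RE.match(user):
        return f"SELinux user {value!r} is not valid: bad user name {user!r}"
    m = MLS_RE.match(mls)
    if not m:
        return (f"SELinux user {value!r} is not valid: Invalid MLS value, "
                f"must match s[0-{MAX_SENSITIVITY}] or s[0-{MAX_SENSITIVITY}]-s[0-{MAX_SENSITIVITY}]")
    lo = int(m.group(1))
    hi = int(m.group(2)) if m.group(2) is not None else lo
    if lo > hi or hi > MAX_SENSITIVITY:
        return f"SELinux user {value!r} is not valid: MLS range out of order or above s{MAX_SENSITIVITY}"
    if len(parts) == 3:
        err = validate_mcs(parts[2], max_category)
        if err:
            return f"SELinux user {value!r} is not valid: {err}"
    return None


def validate_usermap_order(order, max_category=DEFAULT_MAX_CATEGORY):
    """Validate a '$'-separated ipaselinuxusermaporder string; return the list of errors."""
    return [e for e in (validate_selinux_user(v, max_category) for v in order.split("$")) if e]


# The exact value from the thread's `ipa config-mod` call.
ORDER_FROM_THREAD = ("guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s15:c0.c16383"
                     "$resadm_u:s0-s15:c0.c16383$ia_u:s0-s15:c0.c16383")

if __name__ == "__main__":
    print("default ceiling:", validate_usermap_order(ORDER_FROM_THREAD))
    print("ceiling 16383:  ", validate_usermap_order(ORDER_FROM_THREAD, max_category=16383))
```

With the default ceiling the three entries carrying `c0.c16383` are rejected, exactly as the `ipa config-mod` call in the thread was; with `max_category=16383` the whole order string validates. As Rob notes, the ceiling must match what the installed SELinux policy actually supports, otherwise the value is accepted by IPA but unusable on the hosts.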


Re: [Freeipa-users] Choosing the right way to create trust

2014-02-12 Thread Genadi Postrilko
What about adding an alias DNS record of hostname.ipa.zone.corp to all Linux
machines, so they will keep the old FQDN?
On Feb 12, 2014 10:49 AM, Martin Kosek mko...@redhat.com wrote:

 On 02/11/2014 07:29 PM, Genadi Postrilko wrote:
  I work in an environment where the AD is the DC of the Windows machines,
  while the Linux machines (RHEL 5\6) are not centrally managed.
  I would like to create an IPA server to manage the Linux machines while
  creating a trust with AD.
  The current situation is that all Windows and Linux machines are under the
  .zone.corp domain.
  From what I've read at
  https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide.html,
  I can create a trust when IPA is a subdomain of the AD domain or when the
  domains are separate. I'm not sure which method I should approach.
  Can IPA be a DC inside the AD domain? Or should I create a subdomain for
  Linux and then move all the Linux machines to the new domain (I hope not).
 
  Any advice?

 The key here is that for IPA and AD to be able to work together in a trust,
 they need to be in separate domains with realms matching these domains. In
 your case, it seems to me that the following scenario would work best:

 * AD with domain zone.corp and realm ZONE.CORP
 * IPA with domain ipa.zone.corp and realm IPA.ZONE.CORP

 Ideally, IPA should have DNS installed and have the ipa.zone.corp delegated
 from the AD DNS (or other DNS you use).

 More info here:
 http://www.freeipa.org/page/Trusts

 Martin


Re: [Freeipa-users] Choosing the right way to create trust

2014-02-12 Thread Alexander Bokovoy

On Wed, 12 Feb 2014, Genadi Postrilko wrote:

What about adding an alias DNS record of hostname.ipa.zone.corp to all Linux
machines, so they will keep the old FQDN?

What would that give you?

AD DC uses the FQDN to decide which KDC is responsible for issuing the TGT (and
other tickets). If it belongs to its own DNS domain, no attempt to issue a
cross-realm TGT will be made and Windows users will never get tickets to
services running on these IPA machines.

You would really need to address IPA machines by their host names in the
ipa.zone.corp domain and never by .zone.corp. At this point there is no
need to keep them in .zone.corp.


On Feb 12, 2014 10:49 AM, Martin Kosek mko...@redhat.com wrote:


On 02/11/2014 07:29 PM, Genadi Postrilko wrote:
 I work in an environment where the AD is the DC of the Windows machines,
 while the Linux machines (RHEL 5\6) are not centrally managed.
 I would like to create an IPA server to manage the Linux machines while
 creating a trust with AD.
 The current situation is that all Windows and Linux machines are under the
 .zone.corp domain.
 From what I've read at
 https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide.html,
 I can create a trust when IPA is a subdomain of the AD domain or when the
 domains are separate. I'm not sure which method I should approach.
 Can IPA be a DC inside the AD domain? Or should I create a subdomain for
 Linux and then move all the Linux machines to the new domain (I hope not).

 Any advice?

The key here is that for IPA and AD to be able to work together in a trust,
they need to be in separate domains with realms matching these domains. In
your case, it seems to me that the following scenario would work best:

* AD with domain zone.corp and realm ZONE.CORP
* IPA with domain ipa.zone.corp and realm IPA.ZONE.CORP

Ideally, IPA should have DNS installed and have the ipa.zone.corp delegated
from the AD DNS (or other DNS you use).

More info here:
http://www.freeipa.org/page/Trusts

Martin







--
/ Alexander Bokovoy



Re: [Freeipa-users] Choosing the right way to create trust

2014-02-12 Thread Petr Spacek

On 12.2.2014 11:32, Alexander Bokovoy wrote:

On Wed, 12 Feb 2014, Genadi Postrilko wrote:

What about adding an alias DNS record of hostname.ipa.zone.corp to all Linux
machines, so they will keep the old FQDN?

What would that give you?

AD DC uses the FQDN to decide which KDC is responsible for issuing the TGT (and
other tickets). If it belongs to its own DNS domain, no attempt to issue a
cross-realm TGT will be made and Windows users will never get tickets to
services running on these IPA machines.

You would really need to address IPA machines by their host names in the
ipa.zone.corp domain and never by .zone.corp. At this point there is no
need to keep them in .zone.corp.


Good point. Maybe CNAMEs from the old name to the new name (in the IPA sub-tree)
could solve your problem. Kerberos usually follows a chain of CNAMEs, so it
should work.


Petr^2 Spacek


On Feb 12, 2014 10:49 AM, Martin Kosek mko...@redhat.com wrote:


On 02/11/2014 07:29 PM, Genadi Postrilko wrote:
 I work in an environment where the AD is the DC of the Windows machines,
 while the Linux machines (RHEL 5\6) are not centrally managed.
 I would like to create an IPA server to manage the Linux machines while
 creating a trust with AD.
 The current situation is that all Windows and Linux machines are under the
 .zone.corp domain.
 From what I've read at
 https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide.html,
 I can create a trust when IPA is a subdomain of the AD domain or when the
 domains are separate. I'm not sure which method I should approach.
 Can IPA be a DC inside the AD domain? Or should I create a subdomain for
 Linux and then move all the Linux machines to the new domain (I hope not).

 Any advice?

The key here is that for IPA and AD to be able to work together in a trust,
they need to be in separate domains with realms matching these domains. In
your case, it seems to me that the following scenario would work best:

* AD with domain zone.corp and realm ZONE.CORP
* IPA with domain ipa.zone.corp and realm IPA.ZONE.CORP

Ideally, IPA should have DNS installed and have the ipa.zone.corp delegated
from the AD DNS (or other DNS you use).

More info here:
http://www.freeipa.org/page/Trusts




Re: [Freeipa-users] Choosing the right way to create trust

2014-02-12 Thread Sumit Bose
On Wed, Feb 12, 2014 at 11:45:50AM +0100, Petr Spacek wrote:
 On 12.2.2014 11:32, Alexander Bokovoy wrote:
 On Wed, 12 Feb 2014, Genadi Postrilko wrote:
 What about adding an alias DNS record of hostname.ipa.zone.corp to all Linux
 machines, so they will keep the old FQDN?
 What would that give you?
 
 AD DC uses the FQDN to decide which KDC is responsible for issuing the TGT (and
 other tickets). If it belongs to its own DNS domain, no attempt to issue a
 cross-realm TGT will be made and Windows users will never get tickets to
 services running on these IPA machines.
 
 You would really need to address IPA machines by their host names in the
 ipa.zone.corp domain and never by .zone.corp. At this point there is no
 need to keep them in .zone.corp.
 
 Good point. Maybe CNAMEs from the old name to the new name (in the IPA
 sub-tree) could solve your problem. Kerberos usually follows a chain
 of CNAMEs, so it should work.

This might work on the DNS level, but the local hostname must match as
well, because services like e.g. sshd will search their keytab entries
with the help of the local hostname. It might be possible to configure
the services to use other keytab entries, but I think it would be easier
to just move all hosts to a new domain than to touch the configuration
of every single service.

bye,
Sumit

 
 Petr^2 Spacek
 
 On Feb 12, 2014 10:49 AM, Martin Kosek mko...@redhat.com wrote:
 
 On 02/11/2014 07:29 PM, Genadi Postrilko wrote:
  I work in an environment where the AD is the DC of the Windows machines,
  while the Linux machines (RHEL 5\6) are not centrally managed.
  I would like to create an IPA server to manage the Linux machines while
  creating a trust with AD.
  The current situation is that all Windows and Linux machines are under the
  .zone.corp domain.
  From what I've read at
  https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide.html,
  I can create a trust when IPA is a subdomain of the AD domain or when the
  domains are separate. I'm not sure which method I should approach.
  Can IPA be a DC inside the AD domain? Or should I create a subdomain for
  Linux and then move all the Linux machines to the new domain (I hope not).
 
  Any advice?
 
 The key here is that for IPA and AD to be able to work together in a trust,
 they need to be in separate domains with realms matching these domains. In
 your case, it seems to me that the following scenario would work best:
 
 * AD with domain zone.corp and realm ZONE.CORP
 * IPA with domain ipa.zone.corp and realm IPA.ZONE.CORP
 
 Ideally, IPA should have DNS installed and have the ipa.zone.corp delegated
 from the AD DNS (or other DNS you use).
 
 More info here:
 http://www.freeipa.org/page/Trusts
 

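The three points this thread turns on (Alexander's: the AD DC picks the KDC from the DNS domain of the name, so a name under .zone.corp never gets a cross-realm ticket; Petr's: a CNAME into ipa.zone.corp may be followed before that decision; Sumit's: sshd still looks up its keytab under the local host name) can be put together in one offline check. The block below is an added example for this archive, not FreeIPA or MIT Kerberos code. All zone data, the domain_realm mapping, host names and keytab principals are constructed, and the model assumes the client canonicalises CNAMEs before choosing a realm, which is exactly the behaviour the CNAME idea depends on.

```python
"""Added example (not FreeIPA/MIT code): a model of the three checks the thread
turns on -- which realm a client derives from a host name, how a CNAME chain
is canonicalised before that, and whether sshd would find a matching keytab
entry for the local host name. All DNS records, realm mappings, host names
and keytab principals below are constructed for the example."""

# Constructed zone data: owner name -> (type, rdata)
DNS = {
    "web1.zone.corp": ("CNAME", "web1.ipa.zone.corp"),
    "web1.ipa.zone.corp": ("A", "192.0.2.10"),
    "files.zone.corp": ("A", "192.0.2.20"),
}

# Modelled on krb5.conf [domain_realm]: a leading dot matches subdomains.
DOMAIN_REALM = {
    ".ipa.zone.corp": "IPA.ZONE.CORP",
    "ipa.zone.corp": "IPA.ZONE.CORP",
    ".zone.corp": "ZONE.CORP",
    "zone.corp": "ZONE.CORP",
}
AD_REALM = "ZONE.CORP"


def canonicalize(name, max_hops=8):
    """Follow CNAMEs to the canonical name, refusing loops and long chains."""
    name = name.lower().rstrip(".")
    seen = set()
    while name in DNS and DNS[name][0] == "CNAME":
        if name in seen or len(seen) >= max_hops:
            raise ValueError(f"CNAME loop or chain too long at {name}")
        seen.add(name)
        name = DNS[name][1].lower().rstrip(".")
    return name


def realm_for_host(fqdn):
    """Longest-suffix lookup in DOMAIN_REALM, the way a krb5 client picks a realm."""
    fqdn = fqdn.lower().rstrip(".")
    if fqdn in DOMAIN_REALM:
        return DOMAIN_REALM[fqdn]
    labels = fqdn.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in DOMAIN_REALM:
            return DOMAIN_REALM[parent]
    return None


def service_principal(name_used_by_client):
    """Principal a client asks a ticket for after CNAME canonicalisation."""
    canonical = canonicalize(name_used_by_client)
    return f"host/{canonical}@{realm_for_host(canonical)}"


def diagnose(name_used_by_client, local_hostname, keytab):
    """Classify a host as 'ok', 'ad-realm' (the AD KDC owns the name, so no
    cross-realm ticket is ever issued), 'keytab-hostname-mismatch' (the key
    exists but sshd looks it up under a different local host name), or 'no-key'."""
    wanted = service_principal(name_used_by_client)
    if wanted.endswith("@" + AD_REALM):
        return "ad-realm", wanted
    if wanted not in keytab:
        return "no-key", wanted
    # Model of the acceptor: sshd searches the keytab for host/<local hostname>.
    prefix = f"host/{local_hostname.lower()}@"
    if not any(p.lower().startswith(prefix) for p in keytab):
        return "keytab-hostname-mismatch", wanted
    return "ok", wanted


KEYTAB = ["host/web1.ipa.zone.corp@IPA.ZONE.CORP"]   # constructed /etc/krb5.keytab content

if __name__ == "__main__":
    for client_name, local in [("web1.zone.corp", "web1.zone.corp"),
                               ("web1.zone.corp", "web1.ipa.zone.corp"),
                               ("files.zone.corp", "files.zone.corp")]:
        print(client_name, local, "->", diagnose(client_name, local, KEYTAB))
```

The three cases map onto the thread: a host reached through the CNAME but still named web1.zone.corp locally has the right key and still fails in sshd's lookup; the same host renamed to web1.ipa.zone.corp passes; a host with only an A record under .zone.corp is assigned to the AD realm and never gets a cross-realm service ticket at all.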


Re: [Freeipa-users] RHEL 7 beta trust - slow domain user authentication to Linux hosts

2014-02-12 Thread Sumit Bose
On Mon, Feb 10, 2014 at 02:08:22PM -0500, Steve Dainard wrote:
 Sure:
 

...

 (0x0400): Attempting kinit for realm [MIOVISION.CORP]
 (Mon Feb 10 10:14:58 2014) [[sssd[krb5_child[9879 [validate_tgt]
 (0x0400): TGT verified using key for
 [host/snapshot-test.miolinux.c...@miolinux.corp].
 (Mon Feb 10 10:15:06 2014) [[sssd[krb5_child[9879 [become_user]
 (0x0200): Trying to become user [799001323][799001323].

...

 (0x0400): Attempting kinit for realm [MIOVISION.CORP]
 (Mon Feb 10 10:16:35 2014) [[sssd[krb5_child[9929 [validate_tgt]
 (0x0400): TGT verified using key for
 [host/snapshot-test.miolinux.c...@miolinux.corp].
 (Mon Feb 10 10:16:40 2014) [[sssd[krb5_child[9929 [become_user]
 (0x0200): Trying to become user [799001323][799001323].

...

 (0x0400): Attempting kinit for realm [MIOVISION.CORP]
 (Mon Feb 10 10:16:57 2014) [[sssd[krb5_child[9960 [validate_tgt]
 (0x0400): TGT verified using key for
 [host/snapshot-test.miolinux.c...@miolinux.corp].
 (Mon Feb 10 10:17:01 2014) [[sssd[krb5_child[9960 [become_user]
 (0x0200): Trying to become user [799001323][799001323].

...

 (0x0400): Attempting kinit for realm [MIOVISION.CORP]
 (Mon Feb 10 10:17:30 2014) [[sssd[krb5_child[10018 [validate_tgt]
 (0x0400): TGT verified using key for
 [host/snapshot-test.miolinux.c...@miolinux.corp].
 (Mon Feb 10 10:17:34 2014) [[sssd[krb5_child[10018 [become_user]
 (0x0200): Trying to become user [799001323][799001323].

As you can see, the time is spent validating the ticket. For a user from
a trusted domain this includes a request for a cross-realm TGT to an AD
server and then a request to an IPA KDC for a service ticket for the
local host. With debug_level 9 and higher the libkrb5 tracing is
switched on, which would show in more detail where the time is lost. It
will also show which AD server is contacted.

You mentioned in your other mail that with a different client the logins
are faster. Are the two clients in the same network segment? Or is there
a chance that the other client is nearer to the AD server?

bye,
Sumit

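Reading the gaps off four pairs of timestamps by hand works once; for a longer krb5_child.log the per-process gap is better computed. The following is an added example for this archive, not SSSD code. The sample lines are constructed from the PIDs and timestamps quoted in the post (8, 5, 4 and 4 seconds between the TGT validation line and the become_user line); the host and realm in them are placeholders, and the bracket nesting of the log prefix is an assumption based on SSSD's usual `[[sssd[krb5_child[PID]]]]` style, so the regex accepts any bracket count.

```python
"""Added example (not SSSD code): measure, per krb5_child process, how long
passes between the TGT validation step and the 'become user' step in an SSSD
krb5_child.log. Sample lines are constructed from the timestamps and PIDs
quoted in the thread; host and realm names are placeholders."""

import re
from datetime import datetime

LINE_RE = re.compile(
    r"^\((?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4})\) "
    r"\[+sssd\[krb5_child\[(?P<pid>\d+)\]+ \[(?P<func>\w+)\] "
    r"\((?P<lvl>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)

SAMPLE_LOG = """\
(Mon Feb 10 10:14:58 2014) [[sssd[krb5_child[9879]]]] [validate_tgt] (0x0400): TGT verified using key for [host/client.example.test@EXAMPLE.TEST].
(Mon Feb 10 10:15:06 2014) [[sssd[krb5_child[9879]]]] [become_user] (0x0200): Trying to become user [799001323][799001323].
(Mon Feb 10 10:16:35 2014) [[sssd[krb5_child[9929]]]] [validate_tgt] (0x0400): TGT verified using key for [host/client.example.test@EXAMPLE.TEST].
(Mon Feb 10 10:16:40 2014) [[sssd[krb5_child[9929]]]] [become_user] (0x0200): Trying to become user [799001323][799001323].
(Mon Feb 10 10:16:57 2014) [[sssd[krb5_child[9960]]]] [validate_tgt] (0x0400): TGT verified using key for [host/client.example.test@EXAMPLE.TEST].
(Mon Feb 10 10:17:01 2014) [[sssd[krb5_child[9960]]]] [become_user] (0x0200): Trying to become user [799001323][799001323].
(Mon Feb 10 10:17:30 2014) [[sssd[krb5_child[10018]]]] [validate_tgt] (0x0400): TGT verified using key for [host/client.example.test@EXAMPLE.TEST].
(Mon Feb 10 10:17:34 2014) [[sssd[krb5_child[10018]]]] [become_user] (0x0200): Trying to become user [799001323][799001323].
"""


def parse(text):
    """Yield (pid, func, timestamp, msg) for every line that matches the format."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
            yield int(m["pid"]), m["func"], ts, m["msg"]


def step_durations(text, start="validate_tgt", end="become_user"):
    """Seconds between the first <start> line and the first <end> line of each child."""
    first = {}
    for pid, func, ts, _ in parse(text):
        first.setdefault((pid, func), ts)   # keep the earliest occurrence per step
    out = {}
    for (pid, func), ts in first.items():
        if func == start and (pid, end) in first:
            out[pid] = (first[(pid, end)] - ts).total_seconds()
    return out


def slow_logins(text, threshold_seconds=3.0):
    """PIDs whose measured gap exceeded the threshold, slowest first."""
    d = step_durations(text)
    return sorted((pid for pid, s in d.items() if s > threshold_seconds), key=lambda p: -d[p])


if __name__ == "__main__":
    for pid, seconds in step_durations(SAMPLE_LOG).items():
        print(f"krb5_child[{pid}]: {seconds:.0f}s between validate_tgt and become_user")
    print("above 4.5s:", slow_logins(SAMPLE_LOG, 4.5))
```

The same two-step measurement can be pointed at other pairs of function names once debug_level 9 tracing is on, which is where the per-KDC round trips Sumit mentions become visible.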


[Freeipa-users] authentication against compat

2014-02-12 Thread Tamas Papp
hi All,

$ ldapsearch -x -D uid=USER,cn=users,cn=compat,dc=foo -h localhost -w
`cat pw`
ldap_bind: Referral (10)
referrals:
ldap:///uid=USER,cn=users,cn=accounts,dc=foo




[12/Feb/2014:12:54:15 +0100] conn=25363 fd=79 slot=79 connection from
::1 to ::1
[12/Feb/2014:12:54:15 +0100] conn=25363 op=0 BIND
dn=uid=USER,cn=users,cn=compat,dc=foo method=128 version=3
[12/Feb/2014:12:54:15 +0100] conn=25363 op=0 RESULT err=10 tag=97
nentries=0 etime=0
[12/Feb/2014:12:54:15 +0100] conn=25363 op=-1 fd=79 closed - B1


System is Centos 6.5 and ldap was migrated from IPA 3.3 (Fedora 20).
Non-compat authentication works fine and authorization against compat is
also fine.


What is err=10?

Any idea?

Thanks,
tamas



Re: [Freeipa-users] authentication against compat

2014-02-12 Thread Alexander Bokovoy

On Wed, 12 Feb 2014, Tamas Papp wrote:

hi All,

$ ldapsearch -x -D uid=USER,cn=users,cn=compat,dc=foo -h localhost -w
`cat pw`
ldap_bind: Referral (10)
   referrals:
   ldap:///uid=USER,cn=users,cn=accounts,dc=foo




[12/Feb/2014:12:54:15 +0100] conn=25363 fd=79 slot=79 connection from
::1 to ::1
[12/Feb/2014:12:54:15 +0100] conn=25363 op=0 BIND
dn=uid=USER,cn=users,cn=compat,dc=foo method=128 version=3
[12/Feb/2014:12:54:15 +0100] conn=25363 op=0 RESULT err=10 tag=97
nentries=0 etime=0
[12/Feb/2014:12:54:15 +0100] conn=25363 op=-1 fd=79 closed - B1


System is Centos 6.5 and ldap was migrated from IPA 3.3 (Fedora 20).
Non-compat authentication works fine and authorization against compat is
also fine.


What is err=10?

The slapi-nis module in RHEL 6.x (and CentOS) does not support binds against
the compat tree. We added this feature only in Fedora 20 (and RHEL 7 beta).

In older versions slapi-nis issues an LDAP referral to the original LDAP
entry in the hope that an LDAP client would follow it and perform a
bind against the referral.

Unfortunately, there is virtually no client software that supports
referrals on the bind operation.

In short, you cannot do an LDAP bind against the compat tree in RHEL before
7.0.


--
/ Alexander Bokovoy

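The access log lines in Tamas's post are enough to recognise this situation without re-running the bind: a simple BIND whose RESULT carries err=10 is the referral Alexander describes, and a bind DN under cn=compat tells you it is the slapi-nis case. The block below is an added example for this archive, not 389 Directory Server or FreeIPA code. The first connection in the sample reproduces the conn, op, method and err values from the post (with the double quotes around the dn that the access log normally carries restored); the other two connections are constructed for contrast.

```python
"""Added example (not 389-ds/FreeIPA code): correlate BIND requests with their
RESULT lines in a 389 Directory Server access log and flag binds that were
answered with a referral (err=10), the slapi-nis behaviour described above.
Sample log: first connection from the thread, the rest constructed."""

import re

# LDAP resultCode values (RFC 4511) that matter when reading bind results.
RESULT_NAMES = {0: "success", 10: "referral", 32: "noSuchObject",
                49: "invalidCredentials", 53: "unwillingToPerform"}
BIND_RESPONSE_TAG = 97   # tag=97 is the BER tag of a BindResponse (APPLICATION 1)

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) (?P<rest>.*)$")
BIND_RE = re.compile(r'^BIND dn="(?P<dn>[^"]*)" method=(?P<method>\S+) version=(?P<version>\d+)')
RESULT_RE = re.compile(r"^RESULT err=(?P<err>\d+) tag=(?P<tag>\d+)")

SAMPLE_LOG = """\
[12/Feb/2014:12:54:15 +0100] conn=25363 fd=79 slot=79 connection from ::1 to ::1
[12/Feb/2014:12:54:15 +0100] conn=25363 op=0 BIND dn="uid=USER,cn=users,cn=compat,dc=foo" method=128 version=3
[12/Feb/2014:12:54:15 +0100] conn=25363 op=0 RESULT err=10 tag=97 nentries=0 etime=0
[12/Feb/2014:12:54:15 +0100] conn=25363 op=-1 fd=79 closed - B1
[12/Feb/2014:12:55:02 +0100] conn=25364 fd=80 slot=80 connection from ::1 to ::1
[12/Feb/2014:12:55:02 +0100] conn=25364 op=0 BIND dn="uid=USER,cn=users,cn=accounts,dc=foo" method=128 version=3
[12/Feb/2014:12:55:02 +0100] conn=25364 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=user,cn=users,cn=accounts,dc=foo"
[12/Feb/2014:12:55:40 +0100] conn=25365 op=0 BIND dn="uid=USER,cn=users,cn=accounts,dc=foo" method=128 version=3
[12/Feb/2014:12:55:40 +0100] conn=25365 op=0 RESULT err=49 tag=97 nentries=0 etime=0
"""


def correlate_binds(text):
    """Pair each BIND with the RESULT of the same (conn, op); return them in log order."""
    pending, results = {}, []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key = (int(m["conn"]), int(m["op"]))
        b = BIND_RE.match(m["rest"])
        if b:
            pending[key] = {"ts": m["ts"], "conn": key[0], "op": key[1],
                            "dn": b["dn"], "simple_bind": b["method"] == "128"}
            continue
        r = RESULT_RE.match(m["rest"])
        if r and int(r["tag"]) == BIND_RESPONSE_TAG and key in pending:
            entry = pending.pop(key)
            err = int(r["err"])
            entry["err"] = err
            entry["result"] = RESULT_NAMES.get(err, f"resultCode {err}")
            # A referral answer to a bind under cn=compat is the pre-0.47.5 slapi-nis behaviour.
            entry["compat_referral"] = err == 10 and ",cn=compat," in entry["dn"].lower()
            results.append(entry)
    return results


def compat_referrals(text):
    """DNs whose bind against the compat tree was answered with a referral."""
    return [e["dn"] for e in correlate_binds(text) if e["compat_referral"]]


if __name__ == "__main__":
    for e in correlate_binds(SAMPLE_LOG):
        flag = "  <- compat tree referral" if e["compat_referral"] else ""
        print(f'conn={e["conn"]} op={e["op"]} {e["dn"]} -> {e["result"]}{flag}')
```

Note that err=10 is not a failed password: the server never checked the credentials at all, it only told the client where the real entry lives, and since practically no client follows referrals on bind, the application sees the bind as failed.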


Re: [Freeipa-users] authentication against compat

2014-02-12 Thread Tamas Papp

On 02/12/2014 01:07 PM, Alexander Bokovoy wrote:
 On Wed, 12 Feb 2014, Tamas Papp wrote:
 hi All,

 $ ldapsearch -x -D uid=USER,cn=users,cn=compat,dc=foo -h localhost -w
 `cat pw`
 ldap_bind: Referral (10)
referrals:
ldap:///uid=USER,cn=users,cn=accounts,dc=foo




 [12/Feb/2014:12:54:15 +0100] conn=25363 fd=79 slot=79 connection from
 ::1 to ::1
 [12/Feb/2014:12:54:15 +0100] conn=25363 op=0 BIND
 dn=uid=USER,cn=users,cn=compat,dc=foo method=128 version=3
 [12/Feb/2014:12:54:15 +0100] conn=25363 op=0 RESULT err=10 tag=97
 nentries=0 etime=0
 [12/Feb/2014:12:54:15 +0100] conn=25363 op=-1 fd=79 closed - B1


 System is Centos 6.5 and ldap was migrated from IPA 3.3 (Fedora 20).
 Non-compat authentication works fine and authorization against compat is
 also fine.


 What is err=10?
 The slapi-nis module in RHEL 6.x (and CentOS) does not support binds against
 the compat tree. We added this feature only in Fedora 20 (and RHEL 7 beta).

 In older versions slapi-nis issues an LDAP referral to the original LDAP
 entry in the hope that an LDAP client would follow it and perform a
 bind against the referral.

 Unfortunately, there is virtually no client software that supports
 referrals on the bind operation.

 In short, you cannot do an LDAP bind against the compat tree in RHEL before
 7.0.

I forgot to mention, the client would be Ubuntu 12.04 and it
works/worked with IPA 3.3 and F20.
If I understand correctly, you're referring to the client side, aren't you?
Or is it true for the server side as well?


Thanks,
tamas



Re: [Freeipa-users] authentication against compat

2014-02-12 Thread Alexander Bokovoy

On Wed, 12 Feb 2014, Tamas Papp wrote:


On 02/12/2014 01:07 PM, Alexander Bokovoy wrote:

On Wed, 12 Feb 2014, Tamas Papp wrote:

hi All,

$ ldapsearch -x -D uid=USER,cn=users,cn=compat,dc=foo -h localhost -w
`cat pw`
ldap_bind: Referral (10)
   referrals:
   ldap:///uid=USER,cn=users,cn=accounts,dc=foo




[12/Feb/2014:12:54:15 +0100] conn=25363 fd=79 slot=79 connection from
::1 to ::1
[12/Feb/2014:12:54:15 +0100] conn=25363 op=0 BIND
dn=uid=USER,cn=users,cn=compat,dc=foo method=128 version=3
[12/Feb/2014:12:54:15 +0100] conn=25363 op=0 RESULT err=10 tag=97
nentries=0 etime=0
[12/Feb/2014:12:54:15 +0100] conn=25363 op=-1 fd=79 closed - B1


System is Centos 6.5 and ldap was migrated from IPA 3.3 (Fedora 20).
Non-compat authentication works fine and authorization against compat is
also fine.


What is err=10?

The slapi-nis module in RHEL 6.x (and CentOS) does not support binds against
the compat tree. We added this feature only in Fedora 20 (and RHEL 7 beta).

In older versions slapi-nis issues an LDAP referral to the original LDAP
entry in the hope that an LDAP client would follow it and perform a
bind against the referral.

Unfortunately, there is virtually no client software that supports
referrals on the bind operation.

In short, you cannot do an LDAP bind against the compat tree in RHEL before
7.0.


I forgot to mention, the client would be Ubuntu 12.04 and it
works/worked with IPA 3.3 and F20.

It worked with IPA 3.3 because of what I wrote above -- I implemented
LDAP BIND authentication in slapi-nis in IPA 3.3 instead of issuing LDAP
referral to the original entry's DN.


If I understand correctly, you're referring to the client side, aren't you?

No.


Or is it true for the server side as well?

It is a purely server-side issue. slapi-nis < 0.47.5 does not support
proper authentication against the compat tree that LDAP clients understand.

--
/ Alexander Bokovoy



Re: [Freeipa-users] authentication against compat

2014-02-12 Thread Tamas Papp

On 02/12/2014 01:34 PM, Alexander Bokovoy wrote:
 On Wed, 12 Feb 2014, Tamas Papp wrote:

 On 02/12/2014 01:07 PM, Alexander Bokovoy wrote:
 On Wed, 12 Feb 2014, Tamas Papp wrote:
 hi All,

 $ ldapsearch -x -D uid=USER,cn=users,cn=compat,dc=foo -h localhost -w
 `cat pw`
 ldap_bind: Referral (10)
referrals:
ldap:///uid=USER,cn=users,cn=accounts,dc=foo




 [12/Feb/2014:12:54:15 +0100] conn=25363 fd=79 slot=79 connection from
 ::1 to ::1
 [12/Feb/2014:12:54:15 +0100] conn=25363 op=0 BIND
 dn=uid=USER,cn=users,cn=compat,dc=foo method=128 version=3
 [12/Feb/2014:12:54:15 +0100] conn=25363 op=0 RESULT err=10 tag=97
 nentries=0 etime=0
 [12/Feb/2014:12:54:15 +0100] conn=25363 op=-1 fd=79 closed - B1


 System is Centos 6.5 and ldap was migrated from IPA 3.3 (Fedora 20).
 Non-compat authentication works fine and authorization against
 compat is
 also fine.


 What is err=10?
 The slapi-nis module in RHEL 6.x (and CentOS) does not support binds against
 the compat tree. We added this feature only in Fedora 20 (and RHEL 7 beta).

 In older versions slapi-nis issues an LDAP referral to the original LDAP
 entry in the hope that an LDAP client would follow it and perform a
 bind against the referral.

 Unfortunately, there is virtually no client software that supports
 referrals on the bind operation.

 In short, you cannot do an LDAP bind against the compat tree in RHEL before
 7.0.

 I forgot to mention, the client would be Ubuntu 12.04 and it
 works/worked with IPA 3.3 and F20.
 It worked with IPA 3.3 because of what I wrote above -- I implemented
 LDAP BIND authentication in slapi-nis in IPA 3.3 instead of issuing LDAP
 referral to the original entry's DN.

 If I understand correctly, you're referring to the client side, are you?
 No.

 Or it is true for the server side as well?
 It is purely a server-side issue. slapi-nis < 0.47.5 does not support
 proper authentication against the compat tree that LDAP clients understand.

OK, that's clear now.
Sorry, I wasn't aware of the slapi-nis behaviour :)


Thanks,
tamas



Re: [Freeipa-users] By default on port 389 , any encryption between client and server

2014-02-12 Thread Rob Crittenden

barry...@gmail.com wrote:

Hi all:
Some docs say TLS is already built in on 389 ... is it nsslapd-minssf in
dse.ldif?


Yes.


Do I need to set up 636 (ldaps), or is setting a higher nsslapd-minssf enough?


Higher minssf should be enough. It will require GSSAPI or startTLS on a 
connection.



What document describes the default secure connection settings of FreeIPA?


I don't believe we have everything in one place. The LDAP security 
settings are available at 
https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/SecureConnections.html


rob



Re: [Freeipa-users] authentication against compat

2014-02-12 Thread Tamas Papp

On 02/12/2014 01:34 PM, Alexander Bokovoy wrote:
 On Wed, 12 Feb 2014, Tamas Papp wrote:

 On 02/12/2014 01:07 PM, Alexander Bokovoy wrote:
 On Wed, 12 Feb 2014, Tamas Papp wrote:
 hi All,

 $ ldapsearch -x -D uid=USER,cn=users,cn=compat,dc=foo -h localhost -w
 `cat pw`
 ldap_bind: Referral (10)
referrals:
ldap:///uid=USER,cn=users,cn=accounts,dc=foo




 [12/Feb/2014:12:54:15 +0100] conn=25363 fd=79 slot=79 connection from
 ::1 to ::1
 [12/Feb/2014:12:54:15 +0100] conn=25363 op=0 BIND
 dn=uid=USER,cn=users,cn=compat,dc=foo method=128 version=3
 [12/Feb/2014:12:54:15 +0100] conn=25363 op=0 RESULT err=10 tag=97
 nentries=0 etime=0
 [12/Feb/2014:12:54:15 +0100] conn=25363 op=-1 fd=79 closed - B1


 System is Centos 6.5 and ldap was migrated from IPA 3.3 (Fedora 20).
 Non-compat authentication works fine and authorization against
 compat is
 also fine.


 What is err=10?
 slapi-nis module in RHEL 6.x (and CentOS) does not support bind against
 compat tree. We added this feature only in Fedora 20 (and RHEL 7 beta).

 In older versions slapi-nis issues LDAP referral to the original LDAP
 entry with the hope that an LDAP client would follow it and perform a
 bind against the referral.

 Unfortunately, there is virtually no client software that supports the
 referral on bind operation.

 In short, you cannot do LDAP bind against compat tree in RHEL before
 7.0.

 I forgot to mention, the client would be Ubuntu 12.04 and it
 works/worked with IPA 3.3 and F20.
 It worked with IPA 3.3 because of what I wrote above -- I implemented
 LDAP BIND authentication in slapi-nis in IPA 3.3 instead of issuing LDAP
 referral to the original entry's DN.

 If I understand correctly, you're referring to the client side, are you?
 No.

 Or it is true for the server side as well?
 It is purely a server-side issue. slapi-nis < 0.47.5 does not support
 proper authentication against the compat tree that LDAP clients understand.

Actually I'd like to authenticate shell users on Ubuntu.

For the record, I figured out that switching from nscd to nslcd did the
trick.


Thanks,
tamas



Re: [Freeipa-users] authentication against compat

2014-02-12 Thread Petr Spacek

On 12.2.2014 15:01, Tamas Papp wrote:


On 02/12/2014 01:34 PM, Alexander Bokovoy wrote:

On Wed, 12 Feb 2014, Tamas Papp wrote:


On 02/12/2014 01:07 PM, Alexander Bokovoy wrote:

On Wed, 12 Feb 2014, Tamas Papp wrote:

hi All,

$ ldapsearch -x -D uid=USER,cn=users,cn=compat,dc=foo -h localhost -w
`cat pw`
ldap_bind: Referral (10)
referrals:
ldap:///uid=USER,cn=users,cn=accounts,dc=foo




[12/Feb/2014:12:54:15 +0100] conn=25363 fd=79 slot=79 connection from
::1 to ::1
[12/Feb/2014:12:54:15 +0100] conn=25363 op=0 BIND
dn=uid=USER,cn=users,cn=compat,dc=foo method=128 version=3
[12/Feb/2014:12:54:15 +0100] conn=25363 op=0 RESULT err=10 tag=97
nentries=0 etime=0
[12/Feb/2014:12:54:15 +0100] conn=25363 op=-1 fd=79 closed - B1


System is Centos 6.5 and ldap was migrated from IPA 3.3 (Fedora 20).
Non-compat authentication works fine and authorization against
compat is
also fine.


What is err=10?

slapi-nis module in RHEL 6.x (and CentOS) does not support bind against
compat tree. We added this feature only in Fedora 20 (and RHEL 7 beta).

In older versions slapi-nis issues LDAP referral to the original LDAP
entry with the hope that an LDAP client would follow it and perform a
bind against the referral.

Unfortunately, there is virtually no client software that supports the
referral on bind operation.

In short, you cannot do LDAP bind against compat tree in RHEL before
7.0.


I forgot to mention, the client would be Ubuntu 12.04 and it
works/worked with IPA 3.3 and F20.

It worked with IPA 3.3 because of what I wrote above -- I implemented
LDAP BIND authentication in slapi-nis in IPA 3.3 instead of issuing LDAP
referral to the original entry's DN.


If I understand correctly, you're referring to the client side, are you?

No.


Or it is true for the server side as well?

It is purely a server-side issue. slapi-nis < 0.47.5 does not support
proper authentication against the compat tree that LDAP clients understand.


Actually I'd like to authenticate shell users on Ubuntu.

For the record, I figured out that switching from nscd to nslcd did the
trick.


BTW, why don't you use SSSD? It is packaged for Ubuntu for sure. NSCD is ...
obsolete. SSSD has some very nice features like an off-line cache etc.


--
Petr^2 Spacek



Re: [Freeipa-users] authentication against compat

2014-02-12 Thread Tamas Papp

On 02/12/2014 03:04 PM, Petr Spacek wrote:
 On 12.2.2014 15:01, Tamas Papp wrote:

 On 02/12/2014 01:34 PM, Alexander Bokovoy wrote:
 On Wed, 12 Feb 2014, Tamas Papp wrote:

 On 02/12/2014 01:07 PM, Alexander Bokovoy wrote:
 On Wed, 12 Feb 2014, Tamas Papp wrote:
 hi All,

 $ ldapsearch -x -D uid=USER,cn=users,cn=compat,dc=foo -h
 localhost -w
 `cat pw`
 ldap_bind: Referral (10)
 referrals:
 ldap:///uid=USER,cn=users,cn=accounts,dc=foo




 [12/Feb/2014:12:54:15 +0100] conn=25363 fd=79 slot=79 connection
 from
 ::1 to ::1
 [12/Feb/2014:12:54:15 +0100] conn=25363 op=0 BIND
 dn=uid=USER,cn=users,cn=compat,dc=foo method=128 version=3
 [12/Feb/2014:12:54:15 +0100] conn=25363 op=0 RESULT err=10 tag=97
 nentries=0 etime=0
 [12/Feb/2014:12:54:15 +0100] conn=25363 op=-1 fd=79 closed - B1


 System is Centos 6.5 and ldap was migrated from IPA 3.3 (Fedora 20).
 Non-compat authentication works fine and authorization against
 compat is
 also fine.


 What is err=10?
 slapi-nis module in RHEL 6.x (and CentOS) does not support bind
 against
 compat tree. We added this feature only in Fedora 20 (and RHEL 7
 beta).

 In older versions slapi-nis issues LDAP referral to the original LDAP
 entry with the hope that an LDAP client would follow it and perform a
 bind against the referral.

 Unfortunately, there is virtually no client software that supports
 the
 referral on bind operation.

 In short, you cannot do LDAP bind against compat tree in RHEL before
 7.0.

 I forgot to mention, the client would be Ubuntu 12.04 and it
 works/worked with IPA 3.3 and F20.
 It worked with IPA 3.3 because of what I wrote above -- I implemented
 LDAP BIND authentication in slapi-nis in IPA 3.3 instead of issuing
 LDAP
 referral to the original entry's DN.

 If I understand correctly, you're referring to the client side, are
 you?
 No.

 Or it is true for the server side as well?
 It is purely a server-side issue. slapi-nis < 0.47.5 does not support
 proper authentication against the compat tree that LDAP clients understand.

 Actually I'd like to authenticate shell users on Ubuntu.

 For the record, I figured out that switching from nscd to nslcd did the
 trick.

 BTW, why don't you use SSSD? It is packaged for Ubuntu for sure. NSCD
 is ... obsolete. SSSD has some very nice features like an off-line cache
 etc.

I don't know it.
After a quick look I wasn't able to set it up correctly; 'id USER'
didn't connect to its socket like it does with nscd/nslcd, even though
nsswitch.conf was configured.
Maybe with the upcoming 14.04, or do you have a working howto for 12.04?


Thx,
tamas



Re: [Freeipa-users] trouble creating a replica in the cloud

2014-02-12 Thread Dmitri Pal

On 02/11/2014 05:02 PM, Todd Maugh wrote:

Hey Guys,

So I have my master and replica up in my datacenter.

I have a client, I have a winsync agreement, I have a password sync.

It's working lovely.

So now I have spun up an AWS instance of Red Hat 6.5 (same as my
master and first replica)


I run the ipa replica and it fails


ipa-replica-install --setup-ca --setup-dns --no-forwarders 
/var/lib/ipa/replica-info-se-idm-03.boingo.com.gpg

Directory Manager (existing master) password:

Run connection check to master
Check connection from replica to remote master 'se-idm-01.boingo.com':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
   PKI-CA: Directory Service port (7389): OK

The following list of ports use UDP protocol and would need to be
checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED

Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
ad...@boingo.com password:

Execute check on remote master
Check connection from master to remote replica 'se-idm-03.boingo.com':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
   PKI-CA: Directory Service port (7389): OK

Connection from master to replica is OK.

Connection check OK
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server for the CA (pkids): Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
ipa : CRITICAL failed to create ds instance Command 
'/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmpo9ROF3' 
returned non-zero exit status 1

  [3/3]: restarting directory server
ipa : CRITICAL Failed to restart the directory server. See the 
installation log for details.

Done configuring directory server for the CA (pkids).

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
Can't contact LDAP server


I check the log file and this is what I get

2014-02-11T19:55:48Z DEBUG calling setup-ds.pl
2014-02-11T19:57:53Z DEBUG args=/usr/sbin/setup-ds.pl --silent 
--logfile - -f /tmp/tmpo9ROF3
2014-02-11T19:57:53Z DEBUG stdout=[11/Feb/2014:14:57:53 -0500] 
createprlistensockets - PR_Bind() on All Interfaces port 7389 failed: 
Netscape Portable Runtime error -5966 (Access Denied.)
[11/Feb/2014:14:57:53 -0500] createprlistensockets - PR_Bind() on All 
Interfaces port 7389 failed: Netscape Portable Runtime error -5966 
(Access Denied.)
[14/02/11:14:57:53] - [Setup] Info Could not start the directory 
server using command '/usr/lib64/dirsrv/slapd-PKI-IPA/start-slapd'.  
The last line from the error log was '[11/Feb/2014:14:57:53 -0500] create
prlistensockets - PR_Bind() on All Interfaces port 7389 failed: 
Netscape Portable Runtime error -5966 (Access Denied.)

'.  Error: Unknown error 256
Could not start the directory server using command 
'/usr/lib64/dirsrv/slapd-PKI-IPA/start-slapd'.  The last line from the 
error log was '[11/Feb/2014:14:57:53 -0500] createprlistensockets - 
PR_Bind() on All
Interfaces port 7389 failed: Netscape Portable Runtime error -5966 
(Access Denied.)

'.  Error: Unknown error 256
[14/02/11:14:57:53] - [Setup] Fatal Error: Could not create directory 
server instance 'PKI-IPA'.

Error: Could not create directory server instance 'PKI-IPA'.
[14/02/11:14:57:53] - [Setup] Fatal Exiting . . .
Log file is '-'

Exiting . . .
Log file is '-'




Please help






Bind failed. This usually happens when the system has an identity crisis 
and tries to bind to the interface that is not there.



--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/




Re: [Freeipa-users] Recommend version of Samba for a CentOS 6.5 IPA client?

2014-02-12 Thread Dmitri Pal

On 02/11/2014 04:22 PM, Mark Gardner wrote:
Before I go installing Samba for File Sharing.  I wanted to make sure 
I was installing the correct version of Samba without conflicting with 
the Linux server being an IPA client.


Currently installed sambaX packages:

samba-client.x86_64           3.6.9-167.el6_5      @updates
samba-common.x86_64           3.6.9-167.el6_5      @updates
samba-winbind.x86_64          3.6.9-167.el6_5      @updates
samba-winbind-clients.x86_64  3.6.9-167.el6_5      @updates
samba4-libs.x86_64            4.0.0-60.el6_5.rc4   @updates


So do I uninstall samba 3.6.9 and install the appropriate samba4 
packages or just yum install samba?






I do not think things would work nicely in the current state of affairs.
You can try but I suspect there will be conflicts.
We are slowly working on this but it is not ready.
I suggest you try Samba FS on a different system to avoid collisions and 
complications.


--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.






Re: [Freeipa-users] ipa-client-install fails on replica because of kinit cannot contact any KDC

2014-02-12 Thread Shree
Peter
Actually I mentioned earlier that my clients are in a separate VLAN and cannot 
access the master. We have made provisions for the master and the replica to 
sync by opening the needed ports in the firewall. We have also opened up ports 
between the clients and the replica. I have tested the connectivity for these 
ports.
Perhaps you can tell me if what I am trying to achieve is even possible? I.e.,
I seem to get stuck with making the replica with the --setup-ca option.
Without that option I am able to create a replica and have it in sync with the
master. However, my ipa-client-install fails from clients as they try looking
for the master for the CA part of the install.
 
Shreeraj 

 

Change is the only Constant !



On Wednesday, February 12, 2014 12:45 AM, Petr Spacek pspa...@redhat.com 
wrote:
 
On 11.2.2014 23:53, Shree wrote:

 Following ports are opened between the
 1) Between the master and the replica (bi directional)
 2) client machine and the ipa replica (unidirectional).
 When the replica was up it worked fine as far as syncing was concerned.

   80 tcp
   443 tcp
   389 tcp
   636 tcp
   88 tcp
   464 tcp
   88 udp
   464 udp
   123 udp

 Shreeraj
 

 Change is the only Constant !



 On Tuesday, February 11, 2014 2:22 PM, Dmitri Pal d...@redhat.com wrote:

 On 02/11/2014 05:05 PM, Shree wrote:
 Dmitri
 Sorry, some of the mail landed in my SPAM folder. Let me answer your questions
 (thanks for your help man)
 Please republish it on the list.
 Do not reply to me directly.

 Did you set up your first server with the CA? Are all the ports that need
 to be open in the firewall between the primary and the server actually
 open?




 What I have done so far is uninstalled the replica and tried to install it 
 again using the --setup-ca option. Previously I had failures and when I 
 removed the --setup-ca option the installation succeeded (in a way). I 
 understand now that I really need to fix the CA installation errors first.


 1) The workaround helped me go forward a bit, but I got stuck at this point,
 see below
 ===
    [1/3]: creating directory server user
    [2/3]: creating directory server instance
    [3/3]: restarting directory server
 Done configuring directory server for the CA (pkids).
 ipa         : ERROR    certmonger failed starting to track certificate: 
 Command '/usr/bin/ipa-getcert start-tracking -d /etc/dirsrv/slapd-PKI-IPA -n 
 Server-Cert -p /etc/dirsrv/slapd-PKI-IPA/pwdfile.txt -C 
 /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA' returned non-zero exit 
 status 1
 Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
    [1/17]: creating certificate server user
    [2/17]: creating pki-ca instance
    [3/17]: configuring certificate server instance
 ipa         : CRITICAL failed to configure ca instance Command 
 '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname 
 ldap2.macosforge.org -cs_port 9445 -client_certdb_dir /tmp/tmp-ipJSsT 
 -client_certdb_pwd  -preop_pin OlGXcjPVXoQcuuQkGgoG -
 ===
 2) No we do not use IPA for a DNS server.


 3) The reason for this could be that I had installed the replica without the
 --setup-ca.

 Shreeraj
 



 Change is the only Constant !



 On Monday, February 10, 2014 12:43 PM, Dmitri Pal d...@redhat.com wrote:

 On 02/09/2014 07:44 AM, Rob Crittenden wrote:
 Shree wrote:
 Lukas
 Perhaps I should explain the design a bit and see if FreeIPA even
 supports this. Our replica is in a separate network and all the
 appropriate ports are opened between the master and the replica. The
 replica got created successfully and is in sync with the master
 (except the CA services which I mentioned earlier).
 Now, when I try to run ipa-client-install on hosts in the new network
 using the replica, it complains about "Cannot contact any KDC for
 realm".
 I am wondering if my hosts in the new network are trying to access the
 master for certificates since the replica does not have any CA
 services running? I couldn't find any obvious proof of this even running
 the install in debug mode. Do I need to open ports between the new
 hosts and the master for CA services?
 At this point I cannot disable or move the master, it needs to function
 in its location but I need

 No, the clients don't directly talk to the CA.

 You'd need to look in /var/log/ipaclient-install.log to see what KDC
 was found and we were trying to use. If you have SRV records for both
 but we try to contact the hidden master 

Re: [Freeipa-users] authentication against compat

2014-02-12 Thread Dmitri Pal

On 02/12/2014 09:30 AM, Tamas Papp wrote:

On 02/12/2014 03:04 PM, Petr Spacek wrote:

On 12.2.2014 15:01, Tamas Papp wrote:

On 02/12/2014 01:34 PM, Alexander Bokovoy wrote:

On Wed, 12 Feb 2014, Tamas Papp wrote:

On 02/12/2014 01:07 PM, Alexander Bokovoy wrote:

On Wed, 12 Feb 2014, Tamas Papp wrote:

hi All,

$ ldapsearch -x -D uid=USER,cn=users,cn=compat,dc=foo -h
localhost -w
`cat pw`
ldap_bind: Referral (10)
 referrals:
 ldap:///uid=USER,cn=users,cn=accounts,dc=foo




[12/Feb/2014:12:54:15 +0100] conn=25363 fd=79 slot=79 connection
from
::1 to ::1
[12/Feb/2014:12:54:15 +0100] conn=25363 op=0 BIND
dn=uid=USER,cn=users,cn=compat,dc=foo method=128 version=3
[12/Feb/2014:12:54:15 +0100] conn=25363 op=0 RESULT err=10 tag=97
nentries=0 etime=0
[12/Feb/2014:12:54:15 +0100] conn=25363 op=-1 fd=79 closed - B1


System is Centos 6.5 and ldap was migrated from IPA 3.3 (Fedora 20).
Non-compat authentication works fine and authorization against
compat is
also fine.


What is err=10?

slapi-nis module in RHEL 6.x (and CentOS) does not support bind
against
compat tree. We added this feature only in Fedora 20 (and RHEL 7
beta).

In older versions slapi-nis issues LDAP referral to the original LDAP
entry with the hope that an LDAP client would follow it and perform a
bind against the referral.

Unfortunately, there is virtually no client software that supports
the
referral on bind operation.

In short, you cannot do LDAP bind against compat tree in RHEL before
7.0.

I forgot to mention, the client would be Ubuntu 12.04 and it
works/worked with IPA 3.3 and F20.

It worked with IPA 3.3 because of what I wrote above -- I implemented
LDAP BIND authentication in slapi-nis in IPA 3.3 instead of issuing
LDAP
referral to the original entry's DN.


If I understand correctly, you're referring to the client side, are
you?

No.


Or it is true for the server side as well?

It is purely a server-side issue. slapi-nis < 0.47.5 does not support
proper authentication against the compat tree that LDAP clients understand.

Actually I'd like to authenticate shell users on Ubuntu.

For the record, I figured out that switching from nscd to nslcd did the
trick.

BTW, why don't you use SSSD? It is packaged for Ubuntu for sure. NSCD
is ... obsolete. SSSD has some very nice features like an off-line cache
etc.

I don't know it.
After a quick look I wasn't able to set it up correctly; 'id USER'
didn't connect to its socket like it does with nscd/nslcd, even though
nsswitch.conf was configured.
Maybe with the upcoming 14.04, or do you have a working howto for 12.04?


Please check the SSSD web site for guidelines and if you have any questions
do not hesitate to ask on the sssd-users list.
SSSD is the best you can get nowadays for the connection of the client
systems to the central identity stores.

If you plan to use it with IPA you do not need to configure sssd manually.
ipa-client-install will do the trick. Just install the ipa-client package
and run the command.





Thx,
tamas




--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.







Re: [Freeipa-users] ipa-client-install fails on replica because of kinit cannot contact any KDC

2014-02-12 Thread Rob Crittenden

Shree wrote:

Peter
Actually I mentioned earlier that my clients are in a separate VLAN and
cannot access the master. We have made provisions for the master and the
replica to sync by opening the needed ports in the firewall. We have
also opened up ports between the clients and the replica. I have tested
the connectivity for these ports.
Perhaps you can tell me if what I am trying to achieve is even possible?
I.e., I seem to get stuck with making the replica with the --setup-ca
option. Without that option I am able to create a replica and have it in
sync with the master. However, my ipa-client-install fails from clients
as they try looking for the master for the CA part of the install.


Clients don't talk to the CA, they talk to an IPA server which talks to 
the CA.


I think we need to see /var/log/ipaclient-install.log to see what is 
going on.


rob


Shreeraj



Change is the only Constant !


On Wednesday, February 12, 2014 12:45 AM, Petr Spacek
pspa...@redhat.com wrote:
On 11.2.2014 23:53, Shree wrote:

  Following ports are opened between the
  1) Between the master and the replica (bi directional)
  2) client machine and the ipa replica (unidirectional).
  When the replica was up it worked fine as far as syncing was concerned.
 
   80 tcp
   443 tcp
   389 tcp
   636 tcp
   88 tcp
   464 tcp
   88 udp
   464 udp
   123 udp
 
  Shreeraj
 

 
  Change is the only Constant !
 
 
 
  On Tuesday, February 11, 2014 2:22 PM, Dmitri Pal d...@redhat.com
mailto:d...@redhat.com wrote:
 
  On 02/11/2014 05:05 PM, Shree wrote:
  Dmitri
  Sorry, some of the mail landed in my SPAM folder. Let me answer your
questions (thanks for your help man)
  Please republish it on the list.
  Do not reply to me directly.
 
  Did you set up your first server with the CA? Are all the ports that need
  to be open in the firewall between the primary and the server actually
  open?
 
 
 
 
  What I have done so far is uninstalled the replica and tried to
install it again using the --setup-ca option. Previously I had
failures and when I removed the --setup-ca option the installation
succeeded (in a way). I understand now that I really need to fix the CA
installation errors first.
 
 
  1) The workaround helped me go forward a bit, but I got stuck at this
point, see below
  ===
 [1/3]: creating directory server user
 [2/3]: creating directory server instance
 [3/3]: restarting directory server
  Done configuring directory server for the CA (pkids).
  ipa: ERRORcertmonger failed starting to track
certificate: Command '/usr/bin/ipa-getcert start-tracking -d
/etc/dirsrv/slapd-PKI-IPA -n Server-Cert -p
/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt -C
/usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA' returned non-zero exit
status 1
  Configuring certificate server (pki-cad): Estimated time 3 minutes
30 seconds
 [1/17]: creating certificate server user
 [2/17]: creating pki-ca instance
 [3/17]: configuring certificate server instance
  ipa: CRITICAL failed to configure ca instance Command
'/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname
ldap2.macosforge.org -cs_port 9445 -client_certdb_dir /tmp/tmp-ipJSsT
-client_certdb_pwd  -preop_pin OlGXcjPVXoQcuuQkGgoG -
  ===
  2) No we do not use IPA for a DNS server.
 
 
  3) The reason for this could be that I had installed the replica
without the --setup-ca.
 
  Shreeraj
 

 
 
 
  Change is the only Constant !
 
 
 
  On Monday, February 10, 2014 12:43 PM, Dmitri Pal d...@redhat.com
mailto:d...@redhat.com wrote:
 
  On 02/09/2014 07:44 AM, Rob Crittenden wrote:
  Shree wrote:
  Lukas
  Perhaps I should explain the design a bit and see if FreeIPA even
  supports this. Our replica is in a separate network and all the
  appropriate ports are opened between the master and the replica. The
  replica got created successfully and is in sync with the master
  (except the CA services which I mentioned earlier).
  Now, when I try to run ipa-client-install on hosts in the new network
  using the replica, it complains about "Cannot contact any KDC for
  realm".
  I am wondering if my hosts in the new network are trying to access the
  master for certificates since the replica does not have any CA
  services running? I couldn't find any obvious proof of this even running
  the install in debug mode. Do I need to open ports between the new
  hosts and the master for CA services?
  At this point I cannot disable or move the master, it needs to function
  in its location 

Re: [Freeipa-users] trouble creating a replica in the cloud

2014-02-12 Thread Rob Crittenden

Dmitri Pal wrote:

On 02/11/2014 05:02 PM, Todd Maugh wrote:

Hey Guys,

So I have my master and replica up in my datacenter.

I have a client, I have a winsync agreement, I have a password sync.

It's working lovely.

So now I have spun up an AWS instance of Red Hat 6.5 (same as my
master and first replica)

I run the ipa replica and it fails


ipa-replica-install --setup-ca --setup-dns --no-forwarders
/var/lib/ipa/replica-info-se-idm-03.boingo.com.gpg
Directory Manager (existing master) password:

Run connection check to master
Check connection from replica to remote master 'se-idm-01.boingo.com':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
   PKI-CA: Directory Service port (7389): OK

The following list of ports use UDP protocol and would need to be
checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED

Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
ad...@boingo.com password:

Execute check on remote master
Check connection from master to remote replica 'se-idm-03.boingo.com':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
   PKI-CA: Directory Service port (7389): OK

Connection from master to replica is OK.

Connection check OK
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server for the CA (pkids): Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
ipa : CRITICAL failed to create ds instance Command
'/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmpo9ROF3'
returned non-zero exit status 1
  [3/3]: restarting directory server
ipa : CRITICAL Failed to restart the directory server. See the
installation log for details.
Done configuring directory server for the CA (pkids).

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
Can't contact LDAP server


I check the log file and this is what I get

2014-02-11T19:55:48Z DEBUG calling setup-ds.pl
2014-02-11T19:57:53Z DEBUG args=/usr/sbin/setup-ds.pl --silent
--logfile - -f /tmp/tmpo9ROF3
2014-02-11T19:57:53Z DEBUG stdout=[11/Feb/2014:14:57:53 -0500]
createprlistensockets - PR_Bind() on All Interfaces port 7389 failed:
Netscape Portable Runtime error -5966 (Access Denied.)
[11/Feb/2014:14:57:53 -0500] createprlistensockets - PR_Bind() on All
Interfaces port 7389 failed: Netscape Portable Runtime error -5966
(Access Denied.)
[14/02/11:14:57:53] - [Setup] Info Could not start the directory
server using command '/usr/lib64/dirsrv/slapd-PKI-IPA/start-slapd'.
The last line from the error log was '[11/Feb/2014:14:57:53 -0500] create
prlistensockets - PR_Bind() on All Interfaces port 7389 failed:
Netscape Portable Runtime error -5966 (Access Denied.)
'.  Error: Unknown error 256
Could not start the directory server using command
'/usr/lib64/dirsrv/slapd-PKI-IPA/start-slapd'.  The last line from the
error log was '[11/Feb/2014:14:57:53 -0500] createprlistensockets -
PR_Bind() on All
Interfaces port 7389 failed: Netscape Portable Runtime error -5966
(Access Denied.)
'.  Error: Unknown error 256
[14/02/11:14:57:53] - [Setup] Fatal Error: Could not create directory
server instance 'PKI-IPA'.
Error: Could not create directory server instance 'PKI-IPA'.
[14/02/11:14:57:53] - [Setup] Fatal Exiting . . .
Log file is '-'

Exiting . . .
Log file is '-'




Please help




___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Bind failed. This usually happens when the system has an identity crisis
and tries to bind to the interface that is not there.


Access Denied is a bit unexpected though it may have to do with the AWS 
network config. Any SELinux errors or anything in /var/log/messages?


Running IPA in AWS is a bit strange because of the dynamic nature of 
AWS. Have you seen 
http://cloud-mechanic.blogspot.com/2013/10/diversion-kerberos-freeipa-in-aws-ec2.html


rob



Re: [Freeipa-users] ipa-client-install fails on replica because of kinit cannot contact any KDC

2014-02-12 Thread Shree
OK I thought CA is a part of IPA ? Below is from my master IPA server

[root@ldap ~]# ipactl status
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
MEMCACHE Service: RUNNING
HTTP Service: RUNNING
CA Service: RUNNING
[root@ldap ~]#

I can certainly send you a log if needed.
 
Shreeraj 

 

Change is the only Constant !



On Wednesday, February 12, 2014 10:32 AM, Rob Crittenden rcrit...@redhat.com 
wrote:
 
Shree wrote:
 Peter
 Actually I mentioned earlier that my clients are in a separate VLAN and
 cannot access the master. We have made provisions for the master and the
 replica to sync by opening the needed ports in the firewall. We have
 also opened up ports between the clients and the replica. I have tested
 the connectivity for these ports.
 Perhaps you can tell me if what I am trying to achieve is even possible?
 i.e
 I seem to get stuck with making the replica with the --setup-ca
 option. Without that option I am able to create a replica and have it in
 sync with the master. However my ipa-client-install fails from clients
 as they try looking for the master for CA part of the install.

Clients don't talk to the CA, they talk to an IPA server which talks to 
the CA.

I think we need to see /var/log/ipaclient-install.log to see what is 
going on.

rob

 Shreeraj
 


 Change is the only Constant !


 On Wednesday, February 12, 2014 12:45 AM, Petr Spacek
 pspa...@redhat.com wrote:
 On 11.2.2014 23:53, Shree wrote:

   Following ports are opened between the
   1) Between the master and the replica (bi directional)
   2) client machine and the ipa replica (unidirectional).
   When the replica was up it worked fine as far as syncing was concerned.
  
    80 tcp
    443 tcp
    389 tcp
    636 tcp
    88 tcp
    464 tcp
    88 udp
    464 udp
    123 udp
  
   Shreeraj
  
 
  
   Change is the only Constant !
  
  
  
   On Tuesday, February 11, 2014 2:22 PM, Dmitri Pal d...@redhat.com
 mailto:d...@redhat.com wrote:
  
   On 02/11/2014 05:05 PM, Shree wrote:
   Dmitri
   Sorry, some of the mail landed in my SPAM folder. Let me answer your
 questions (thanks for your help man)
   Please republish it on the list.
   Do not reply to me directly.
  
   Did you set up your first server with the CA? Are all the ports that need
        to be open in the firewall between the primary and the server actually
        open?
  
  
  
  
   What I have done so far is uninstalled the replica and tried to
 install it again using the --setup-ca option. Previously I had
 failures and when I removed the --setup-ca option the installation
 succeeded (in a way). I understand now that I really need to fix the CA
 installation errors first.
  
  
   1)The workaround helped me go forward a bit but I got stuck at this
 point see below
   ===
      [1/3]: creating directory server user
      [2/3]: creating directory server instance
      [3/3]: restarting directory server
   Done configuring directory server for the CA (pkids).
   ipa        : ERROR    certmonger failed starting to track
 certificate: Command '/usr/bin/ipa-getcert start-tracking -d
 /etc/dirsrv/slapd-PKI-IPA -n Server-Cert -p
 /etc/dirsrv/slapd-PKI-IPA/pwdfile.txt -C
 /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA' returned non-zero exit
 status 1
   Configuring certificate server (pki-cad): Estimated time 3 minutes
 30 seconds
      [1/17]: creating certificate server user
      [2/17]: creating pki-ca instance
      [3/17]: configuring certificate server instance
   ipa        : CRITICAL failed to configure ca instance Command
 '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname
 ldap2.macosforge.org -cs_port 9445 -client_certdb_dir /tmp/tmp-ipJSsT
 -client_certdb_pwd  -preop_pin OlGXcjPVXoQcuuQkGgoG -
   ===
   2) No we do not use IPA for a DNS server.
  
  
   3)The reason for this could be that I had installed the replica
 without the --setup-ca.
  
   Shreeraj
  
 
  
  
  
   Change is the only Constant !
  
  
  
   On Monday, February 10, 2014 12:43 PM, Dmitri Pal d...@redhat.com
 mailto:d...@redhat.com wrote:
  
   On 02/09/2014 07:44 AM, Rob Crittenden wrote:
   Shree wrote:
   Lukas
   Perhaps I should explain the design a bit and see if FreeIPA even
   supports this. Our replica is in a separate network and all the
   appropriate ports are opened between the master and the replica. The
   replica got created successfully and is in sync with the master
   (except the CA services which I mentioned earlier)
   Now, when I try to run ipa-client-install on

Re: [Freeipa-users] ipa-client-install fails on replica because of kinit cannot contact any KDC

2014-02-12 Thread Shree
Rob
I really appreciate your help, please bear with me. At this point I need to 
take you back to my  ipa-replica-install and what happened there.

[1] My command: ipa-replica-install --setup-ca 
/var/tmp/replica-info-ldap2.mydomain.com.gpg --skip-conncheck
 This ended with a 
Done configuring NTP daemon (ntpd).
A CA is already configured on this system.

[2] So did a pkiremove with the following command
# pkiremove -pki_instance_root=/var/lib -pki_instance_name=pki-ca -force


[3] Re-ran the ipa-replica-install command in step 1
The install went a little further but ended below.

Configuring directory server for the CA (pkids): Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
Done configuring directory server for the CA (pkids).
ipa         : ERROR    certmonger failed starting to track certificate: Command 
'/usr/bin/ipa-getcert start-tracking -d /etc/dirsrv/slapd-PKI-IPA -n 
Server-Cert -p /etc/dirsrv/slapd-PKI-IPA/pwdfile.txt -C 
/usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA' returned non-zero exit status 
1
Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
  [1/17]: creating certificate server user
  [2/17]: creating pki-ca instance
  [3/17]: configuring certificate server instance
ipa         : CRITICAL failed to configure ca instance Command '/usr/bin/perl 
/usr/bin/pkisilent ConfigureCA -cs_hostname .
...
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Configuration of CA failed

If I skip the --setup-ca option then the replica gets created without any CA 
services. The master and replica are in sync but I am unable to run an 
ipa-client-install using the replica. Now I need to fix this to get a replica 
in place correctly.


Shreeraj 

 




On Wednesday, February 12, 2014 10:42 AM, Rob Crittenden rcrit...@redhat.com 
wrote:
 
Shree wrote:
 OK I thought CA is a part of IPA ? Below is from my master IPA server

 [root@ldap ~]# ipactl status
 Directory Service: RUNNING
 KDC Service: RUNNING
 KPASSWD Service: RUNNING
 MEMCACHE Service: RUNNING
 HTTP Service: RUNNING
 CA Service: RUNNING
 [root@ldap ~]#

 I can certainly send you a log if needed.

It is part of IPA but the IPA server talks to it, not the clients directly.

I can only speculate what the client is doing without seeing the log 
files, but I suspect both masters are in DNS and IPA is trying to enroll 
to the initial master which isn't available.

rob

 Shreeraj
 


 Change is the only Constant !


 On Wednesday, February 12, 2014 10:32 AM, Rob Crittenden
 rcrit...@redhat.com wrote:
 Shree wrote:
   Peter
   Actually I mentioned earlier that my clients are in a separate VLAN and
   cannot access the master. We have made provisions for the master and the
   replica to sync by opening the needed ports in the firewall. We have
   also opened up ports between the clients and the replica. I have tested
   the connectivity for these ports.
   Perhaps you can tell me if what I am trying to achieve is even possible?
   i.e
   I seem to get stuck with making the replica with the --setup-ca
   option. Without that option I am able to create a replica and have it in
   sync with the master. However my ipa-client-install fails from clients
   as they try looking for the master for CA part of the install.

 Clients don't talk to the CA, they talk to an IPA server which talks to
 the CA.

 I think we need to see /var/log/ipaclient-install.log to see what is
 going on.

 rob

   Shreeraj
  
 
  
  
   Change is the only Constant !
  
  
   On Wednesday, February 12, 2014 12:45 AM, Petr Spacek
   pspa...@redhat.com mailto:pspa...@redhat.com wrote:
   On 11.2.2014 23:53, Shree wrote:
  
     Following ports are opened between the
     1) Between the master and the replica (bi directional)
     2) client machine and the ipa replica (unidirectional).
     When the replica was up it worked fine as far as syncing was
 concerned.
    
      80 tcp
      443 tcp
      389 tcp
      636 tcp
      88 tcp
      464 tcp
      88 udp
      464 udp
      123 udp
    
     Shreeraj
    
  
 
    
     Change is the only Constant !
    
    
    
     On Tuesday, February 11, 2014 2:22 PM, Dmitri Pal d...@redhat.com
 mailto:d...@redhat.com
   mailto:d...@redhat.com mailto:d...@redhat.com wrote:
    
     On 02/11/2014 05:05 PM, Shree wrote:
     Dmitri
     Sorry, some of the mail landed in my SPAM folder. Let me answer your
   questions (thanks for your help man)
     Please republish it on the list.
     Do not 

Re: [Freeipa-users] ipa-client-install fails on replica because of kinit cannot contact any KDC

2014-02-12 Thread Dmitri Pal

On 02/12/2014 02:09 PM, Shree wrote:

Rob
I really appreciate your help, please bear with me. At this point I 
need to take you back to my  ipa-replica-install and what happened there.


[1] My command: ipa-replica-install --setup-ca 
/var/tmp/replica-info-ldap2.mydomain.com.gpg --skip-conncheck

 This ended with a
Done configuring NTP daemon (ntpd).
A CA is already configured on this system.

[2] So did a pkiremove with the following command
# pkiremove -pki_instance_root=/var/lib -pki_instance_name=pki-ca -force

[3] Re-ran the ipa-replica-install command in step 1
The install went a little further but ended below.

Configuring directory server for the CA (pkids): Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
Done configuring directory server for the CA (pkids).
ipa : ERROR    certmonger failed starting to track 
certificate: Command '/usr/bin/ipa-getcert start-tracking -d 
/etc/dirsrv/slapd-PKI-IPA -n Server-Cert -p 
/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt -C 
/usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA' returned non-zero 
exit status 1
Configuring certificate server (pki-cad): Estimated time 3 minutes 30 
seconds

  [1/17]: creating certificate server user
  [2/17]: creating pki-ca instance
  [3/17]: configuring certificate server instance
ipa : CRITICAL failed to configure ca instance Command 
'/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname 
.

...
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Configuration of CA failed

If I skip the --setup-ca option then the replica gets created 
without any CA services. The master and replica are in sync but I 
am unable to run an ipa-client-install using the replica. Now I need 
to fix this to get a replica in place correctly.



Shreeraj
 




On Wednesday, February 12, 2014 10:42 AM, Rob Crittenden 
rcrit...@redhat.com wrote:

Shree wrote:
 OK I thought CA is a part of IPA ? Below is from my master IPA server

 [root@ldap mailto:root@ldap ~]# ipactl status
 Directory Service: RUNNING
 KDC Service: RUNNING
 KPASSWD Service: RUNNING
 MEMCACHE Service: RUNNING
 HTTP Service: RUNNING
 CA Service: RUNNING
 [root@ldap mailto:root@ldap ~]#

 I can certainly send you a log if needed.

It is part of IPA but the IPA server talks to it, not the clients 
directly.


I can only speculate what the client is doing without seeing the log
files, but I suspect both masters are in DNS and IPA is trying to enroll
to the initial master which isn't available.

rob

 Shreeraj
 




 Change is the only Constant !


 On Wednesday, February 12, 2014 10:32 AM, Rob Crittenden
 rcrit...@redhat.com mailto:rcrit...@redhat.com wrote:
 Shree wrote:
  Peter
  Actually I mentioned earlier that my clients are in a separate 
VLAN and
  cannot access the master. We have made provisions for the master 
and the

  replica to sync by opening the needed ports in the firewall. We have
  also opened up ports between the clients and the replica. I have 
tested

  the connectivity for these ports.
  Perhaps you can tell me if what I am trying to achieve is even 
possible?

  i.e
  I seem to get stuck with making the replica with the --setup-ca
  option. Without that option I am able to create a replica and have 
it in

  sync with the master. However my ipa-client-install fails from clients
  as they try looking for the master for CA part of the install.

 Clients don't talk to the CA, they talk to an IPA server which talks to
 the CA.

 I think we need to see /var/log/ipaclient-install.log to see what is
 going on.

 rob

  Shreeraj
 
 


 
 
  Change is the only Constant !
 
 
  On Wednesday, February 12, 2014 12:45 AM, Petr Spacek
  pspa...@redhat.com mailto:pspa...@redhat.com 
mailto:pspa...@redhat.com mailto:pspa...@redhat.com wrote:

  On 11.2.2014 23:53, Shree wrote:
 
   Following ports are opened between the
   1) Between the master and the replica (bi directional)
   2) client machine and the ipa replica (unidirectional).
   When the replica was up it worked fine as far as syncing was
 concerned.
  
80 tcp
443 tcp
389 tcp
636 tcp
88 tcp
464 tcp
88 udp
464 udp
123 udp
  
   Shreeraj
  
 
 


  
   Change is the only Constant !
  
  
  
   On Tuesday, February 11, 2014 2:22 PM, Dmitri Pal 
d...@redhat.com mailto:d...@redhat.com

 mailto:d...@redhat.com mailto:d...@redhat.com
  mailto:d...@redhat.com mailto:d...@redhat.com 
mailto:d...@redhat.com mailto:d...@redhat.com wrote:

  
   On 02/11/2014 

Re: [Freeipa-users] SELinux user categories

2014-02-12 Thread Josh

On Feb 11, 2014, at 2:52 PM, Rob Crittenden rcrit...@redhat.com wrote:

 Josh wrote:
 
 On Feb 11, 2014, at 2:44 PM, Rob Crittenden rcrit...@redhat.com
 mailto:rcrit...@redhat.com wrote:
 
 Josh wrote:
 I have a situation where I need to support more than 1024 categories
 on a system.  I modified the selinuxusermap.py file to check for the
 number of categories I need but ipa still responds with the original
 error message.  Do I need to restart any of the services?
 
 Here is the command that was run and the output after applying the
 patch below:
 
 ipa config-mod
 --ipaselinuxusermaporder='guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s15:c0.c16383$resadm_u:s0-s15:c0.c16383$ia_u:s0-s15:c0.c16383'
 ipa: ERROR: invalid 'ipaselinuxusermaporder': SELinux user
 'staff_u:s0-s15:c0.c16383' is not valid: Invalid MCS value, must
 match c[0-1023].c[0-1023] and/or c[0-1023]-c[0-c0123]
 
 Have you updated your SELinux policy to support a larger MCS range? If
 not then this will get you past the IPA validator but it won't work
 with SELinux. See semanage(8).
 
 rob
 
 Yes.  I’m trying to set the SELinux categories in freeipa because when
 you have lots of categories all semanage commands slow down (way down).
  For other people’s knowledge, this requires recompilation of the
 SELinux policy.
 
 Ok, then your patch looks reasonable. The current code is for the default 
 values and we haven't had cause to make this configurable before now. You 
 might consider filing a ticket in our trac about this.

As it is for a very unique situation which most people won’t encounter I don’t 
think it’s worth making configurable.
 
 Also note that this change will be lost on your next IPA upgrade, and you'll 
 need to make this change on any IPA master you want these values to be 
 managed. The data will remain unchanged, but the original python values will 
 be restored if you update the packages.

I’m ok with that because the values only need to be set during initial setup.  
Any idea why the validator isn’t being modified?
 
 I don't believe validators are currently extensible in the IPA framework. 
 That might be something we need to look at as well.
 
 regards
 
 rob
 

Thanks for the help.

-josh

 
 -josh
 
 
 
 Thanks,
 -josh
 
 PS: This is the patch that was applied
 
 ---
 /usr/lib/python2.6/site-packages/ipalib/plugins/selinuxusermap.py.cats  
 2014-02-11
 13:18:19.868574971 -0500
 +++ /usr/lib/python2.6/site-packages/ipalib/plugins/selinuxusermap.py
  2014-02-11 13:20:03.563127380 -0500
 @@ -99,9 +99,9 @@ def validate_selinuxuser(ugettext, user)
 if not mls or not regex_mls.match(mls):
 return _('Invalid MLS value, must match s[0-15](-s[0-15])')
 m = regex_mcs.match(mcs)
 -if mcs and (not m or (m.group(3) and (int(m.group(3))  1023))):
 -return _('Invalid MCS value, must match c[0-1023].c[0-1023] '
 - 'and/or c[0-1023]-c[0-c0123]')
 +if mcs and (not m or (m.group(3) and (int(m.group(3))  16384))):
 +return _('Invalid MCS value, must match c[0-16384].c[0-16384] '
 + 'and/or c[0-16384]-c[0-16384]')
 return None
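Review bot: the new bound on the `+if mcs and ...` line is off by one relative to both the 16384-category policy being set and the new message text. With categories numbered c0 through c16383 (the rejected label is `staff_u:s0-s15:c0.c16383`), a comparison against 16384 still admits c16384, and the message now promises `c[0-16384]`; compare against 16383 and say `c[0-16383].c[0-16383]` instead, matching the original pairing of 1023 with `c[0-1023]` (the relational operator between `int(m.group(3))` and the bound has been stripped by the list archive, but the constant is visible). Pulling the limit into one named constant used by both the comparison and the two `_()` strings would keep them in step; the original `c[0-c0123]` typo shows how easily they drift. Note too that only `m.group(3)` is range-checked, so whatever `regex_mcs` captures in its other groups is not bounded by this change either.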
 
 
 


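The thread above turns on a validator that hard-codes the category range of a stock policy (c0..c1023) while a site policy may be compiled with many more categories. The following is an added example written for this page, not FreeIPA's `validate_selinuxuser` or its regexes: a stand-alone checker for `user:mls[:mcs]` labels whose sensitivity and category maxima are parameters, applied to the exact `ipaselinuxusermaporder` string from Josh's command. The function and constant names are mine; the defaults (s0..s15, c0..c1023) are the stock ranges the original error message describes, and 16383 is the last category of the 16384-category policy being set.

```python
import re

# Limits of a stock targeted/MLS policy: sensitivities s0..s15, categories c0..c1023.
DEFAULT_MAX_SENSITIVITY = 15
DEFAULT_MAX_CATEGORY = 1023

_USER_RE = re.compile(r'^[a-z_][a-z0-9_]*$')              # staff_u, xguest_u, ...
_MLS_RE = re.compile(r'^s(\d+)(?:-s(\d+))?$')             # s0 or s0-s15
_MCS_ITEM_RE = re.compile(r'^c(\d+)(?:\.c(\d+))?$')       # c7 or c0.c1023


def check_selinux_label(label, max_sensitivity=DEFAULT_MAX_SENSITIVITY,
                        max_category=DEFAULT_MAX_CATEGORY):
    """Check one SELinux user label of the form user:mls[:mcs].

    Returns None when the label is well formed for a policy whose sensitivity
    and category ranges end at the given maxima, otherwise an error string.
    """
    parts = label.split(':')
    if len(parts) not in (2, 3):
        return "expected user:mls[:mcs], got %r" % label
    user, mls = parts[0], parts[1]
    mcs = parts[2] if len(parts) == 3 else None

    if not _USER_RE.match(user):
        return "invalid SELinux user name %r" % user

    m = _MLS_RE.match(mls)
    if not m:
        return "Invalid MLS value, must match s[0-%d](-s[0-%d])" % (
            max_sensitivity, max_sensitivity)
    s_low = int(m.group(1))
    s_high = int(m.group(2)) if m.group(2) is not None else s_low
    if s_high > max_sensitivity or s_low > s_high:
        return "MLS range s%d-s%d exceeds s0-s%d or is inverted" % (
            s_low, s_high, max_sensitivity)

    if mcs is not None:
        # Category sets are comma separated; each item is a single category
        # or an ascending range such as c0.c1023.
        for item in mcs.split(','):
            im = _MCS_ITEM_RE.match(item)
            if not im:
                return "Invalid MCS value, must match c[0-%d] or c[0-%d].c[0-%d]" % (
                    (max_category,) * 3)
            c_low = int(im.group(1))
            c_high = int(im.group(2)) if im.group(2) is not None else c_low
            if c_high > max_category or c_low > c_high:
                return "MCS item %s exceeds c0-c%d or is inverted" % (item, max_category)
    return None


def check_usermap_order(order, **limits):
    """Check a '$'-separated ipaselinuxusermaporder value.

    Returns a dict mapping each rejected label to its error; empty means valid.
    """
    errors = {}
    for label in order.split('$'):
        err = check_selinux_label(label, **limits)
        if err:
            errors[label] = err
    return errors


if __name__ == '__main__':
    # The order string from the post above: stock limits reject the three
    # c0.c16383 labels, a 16384-category policy (c0..c16383) accepts them.
    order = ('guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s15:c0.c16383'
             '$resadm_u:s0-s15:c0.c16383$ia_u:s0-s15:c0.c16383')
    for label, err in sorted(check_usermap_order(order).items()):
        print("stock policy rejects %s: %s" % (label, err))
    print("16384-category policy errors:",
          check_usermap_order(order, max_category=16383))
```

Passing the bound in rather than editing the shipped plugin keeps the comparison and the message text in step and survives a package update; the inverted-range check catches labels such as `c5.c2` that a pure regex would accept.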


Re: [Freeipa-users] SELinux user categories

2014-02-12 Thread Rob Crittenden

Josh wrote:


On Feb 11, 2014, at 2:52 PM, Rob Crittenden rcrit...@redhat.com wrote:


Josh wrote:


On Feb 11, 2014, at 2:44 PM, Rob Crittenden rcrit...@redhat.com
mailto:rcrit...@redhat.com wrote:


Josh wrote:

I have a situation where I need to support more than 1024 categories
on a system.  I modified the selinuxusermap.py file to check for the
number of categories I need but ipa still responds with the original
error message.  Do I need to restart any of the services?

Here is the command that was run and the output after applying the
patch below:

ipa config-mod
--ipaselinuxusermaporder='guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s15:c0.c16383$resadm_u:s0-s15:c0.c16383$ia_u:s0-s15:c0.c16383'
ipa: ERROR: invalid 'ipaselinuxusermaporder': SELinux user
'staff_u:s0-s15:c0.c16383' is not valid: Invalid MCS value, must
match c[0-1023].c[0-1023] and/or c[0-1023]-c[0-c0123]


Have you updated your SELinux policy to support a larger MCS range? If
not then this will get you past the IPA validator but it won't work
with SELinux. See semanage(8).

rob


Yes.  I’m trying to set the SELinux categories in freeipa because when
you have lots of categories all semanage commands slow down (way down).
  For other people’s knowledge, this requires recompilation of the
SELinux policy.


Ok, then your patch looks reasonable. The current code is for the default 
values and we haven't had cause to make this configurable before now. You might 
consider filing a ticket in our trac about this.


As it is for a very unique situation which most people won’t encounter I don’t 
think it’s worth making configurable.


Also note that this change will be lost on your next IPA upgrade, and you'll 
need to make this change on any IPA master you want these values to be managed. 
The data will remain unchanged, but the original python values will be restored 
if you update the packages.


I’m ok with that because the values only need to be set during initial setup.  
Any idea why the validator isn’t being modified?


I don't believe validators are currently extensible in the IPA framework. That 
might be something we need to look at as well.

regards

rob



Thanks for the help.


Sure. I'm glad we made it at least obvious enough for you to be able to 
work around.


So I'm just curious about the need for this. You mentioned that semanage 
slows way down. Have you talked to the SELinux team about this? They've 
been quite responsive to our needs in the past, they may be able to fix 
something for you as well.


On a more general note, we haven't had a lot of user feedback on the 
SELinux user map feature. Do you have any other suggestions on things we 
might do to improve it?


thanks

rob



Re: [Freeipa-users] SELinux user categories

2014-02-12 Thread Josh

On Feb 12, 2014, at 3:20 PM, Rob Crittenden rcrit...@redhat.com wrote:

 Josh wrote:
 
 On Feb 11, 2014, at 2:52 PM, Rob Crittenden rcrit...@redhat.com wrote:
 
 Josh wrote:
 
 On Feb 11, 2014, at 2:44 PM, Rob Crittenden rcrit...@redhat.com
 mailto:rcrit...@redhat.com wrote:
 
 Josh wrote:
 I have a situation where I need to support more than 1024 categories
 on a system.  I modified the selinuxusermap.py file to check for the
 number of categories I need but ipa still responds with the original
 error message.  Do I need to restart any of the services?
 
 Here is the command that was run and the output after applying the
 patch below:
 
 ipa config-mod
 --ipaselinuxusermaporder='guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s15:c0.c16383$resadm_u:s0-s15:c0.c16383$ia_u:s0-s15:c0.c16383'
 ipa: ERROR: invalid 'ipaselinuxusermaporder': SELinux user
 'staff_u:s0-s15:c0.c16383' is not valid: Invalid MCS value, must
 match c[0-1023].c[0-1023] and/or c[0-1023]-c[0-c0123]
 
 Have you updated your SELinux policy to support a larger MCS range? If
 not then this will get you past the IPA validator but it won't work
 with SELinux. See semanage(8).
 
 rob
 
 Yes.  I’m trying to set the SELinux categories in freeipa because when
 you have lots of categories all semanage commands slow down (way down).
  For other people’s knowledge, this requires recompilation of the
 SELinux policy.
 
 Ok, then your patch looks reasonable. The current code is for the default 
 values and we haven't had cause to make this configurable before now. You 
 might consider filing a ticket in our trac about this.
 
 As it is for a very unique situation which most people won’t encounter I 
 don’t think it’s worth making configurable.
 
 Also note that this change will be lost on your next IPA upgrade, and 
 you'll need to make this change on any IPA master you want these values to 
 be managed. The data will remain unchanged, but the original python values 
 will be restored if you update the packages.
 
 I’m ok with that because the values only need to be set during initial 
 setup.  Any idea why the validator isn’t being modified?
 
 I don't believe validators are currently extensible in the IPA framework. 
 That might be something we need to look at as well.
 
 regards
 
 rob
 
 
 Thanks for the help.
 
 Sure. I'm glad we made it at least obvious enough for you to be able to work 
 around.
 
 So I'm just curious about the need for this. You mentioned that semanage 
 slows way down. Have you talked to the SELinux team about this? They've been 
 quite responsive to our needs in the past, they may be able to fix something 
 for you as well.

I’m not sure if my coworker has talked to them about it directly, no.  I’ll 
ping him to see if it’s something we want to get worked on moving forward.
 
 On a more general note, we haven't had a lot of user feedback on the SELinux 
 user map feature. Do you have any other suggestions on things we might do to 
 improve it?

Nothing directly but I can describe how we’re using it and where some of the 
perceived pain points are.  Their impact is negligible though so we haven’t 
felt the need to investigate better ways to work around them.

We’ve got a network of systems running both targeted and MLS SELinux policy.  
What this means is that we must define both valid SELinux contexts in the user 
map.  I.e. we define both staff_u:s0-s0:c0.c1023 and staff_u:s0-s15:c0.c1023 in 
the user map.  We then use host groups and multiple user maps to map 
appropriately.  Our commands might be easier to understand:

ipa config-mod --ipaselinuxusermaporder='guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$staff_u:s0-s15:c0.c1023'
ipa hostgroup-add mls --desc="MLS SELinux Group"
ipa hostgroup-add-member mls --hosts=mlshost1,mlshost2
ipa hostgroup-add targeted --desc="Targeted SELinux Group"
ipa hostgroup-add-member targeted --hosts=appsrv1,appsrv2
ipa selinuxusermap-add staff_u --selinuxuser=staff_u:s0-s0:c0.c1023
ipa selinuxusermap-add staff_u_MLS --selinuxuser=staff_u:s0-s15:c0.c1023
ipa selinuxusermap-add-host staff_u --hostgroups=targeted
ipa selinuxusermap-add-host staff_u_MLS --hostgroups=mls
ipa selinuxusermap-add-user staff_u --groups=wheel
ipa selinuxusermap-add-user staff_u_MLS --groups=wheel

It might be more straightforward if we didn’t have to split the configuration 
like this but thanks to the flexibility of FreeIPA it’s very easy to do.

Thanks,
-josh
 
 thanks
 
 rob


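Josh's configuration routes the same `wheel` users to two different labels depending on which host group the login host belongs to. The following is an added toy model of that routing, written for this page; it is not IPA's or SSSD's resolution code. The host groups, map names and labels are taken from the commands in the post; the members (`alice`, `bob`, the `ops` group) are constructed, and the tie-break when several maps match (the label listed later in `ipaselinuxusermaporder` wins) is an assumption of the model to be checked against your IPA version.

```python
# Constructed model of the configuration in the post above. Host and user
# group membership and the principals alice/bob are made up for the example.
USERMAP_ORDER = ('guest_u:s0$xguest_u:s0$user_u:s0'
                 '$staff_u:s0-s0:c0.c1023$staff_u:s0-s15:c0.c1023')

HOSTGROUPS = {
    'mls': {'mlshost1', 'mlshost2'},
    'targeted': {'appsrv1', 'appsrv2'},
}
USERGROUPS = {
    'wheel': {'alice'},   # constructed member of the group the maps reference
    'ops': {'bob'},       # constructed group that no map covers
}

# (map name, SELinux user label, host groups, user groups), mirroring the
# selinuxusermap-add / -add-host / -add-user commands in the post.
USERMAPS = [
    ('staff_u',     'staff_u:s0-s0:c0.c1023',  {'targeted'}, {'wheel'}),
    ('staff_u_MLS', 'staff_u:s0-s15:c0.c1023', {'mls'},      {'wheel'}),
]


def resolve_selinux_user(user, host, usermaps=USERMAPS, order=USERMAP_ORDER,
                         default='user_u:s0'):
    """Return (map_name, label) for a login of `user` on `host`.

    Every map must use a label present in the order string. When more than
    one map matches, the label listed later in the order wins; that
    precedence rule is an assumption of this model, not a verified IPA rule.
    Falls back to (None, default) when no map matches.
    """
    allowed = order.split('$')
    matches = []
    for name, label, hostgroups, usergroups in usermaps:
        if label not in allowed:
            raise ValueError("map %s uses label %s absent from the order" % (name, label))
        host_ok = any(host in HOSTGROUPS.get(hg, ()) for hg in hostgroups)
        user_ok = any(user in USERGROUPS.get(ug, ()) for ug in usergroups)
        if host_ok and user_ok:
            matches.append((allowed.index(label), name, label))
    if not matches:
        return (None, default)
    _, name, label = max(matches)   # highest position in the order wins
    return (name, label)


if __name__ == '__main__':
    for user, host in (('alice', 'mlshost1'), ('alice', 'appsrv2'), ('bob', 'appsrv1')):
        print(user, '@', host, '->', resolve_selinux_user(user, host))
```

The model makes the point of the split visible: an MLS host hands `wheel` members a full s0-s15 range, a targeted host the s0-s0 range, and a user outside both maps gets only the default label, so a host accidentally left out of both host groups fails closed rather than inheriting the MLS range.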


Re: [Freeipa-users] Choosing the right way to create trust

2014-02-12 Thread Genadi Postrilko
Client's local hostname must match the DNS A record?

Re: [Freeipa-users] authentication against compat

2014-02-12 Thread Jakub Hrozek
On Wed, Feb 12, 2014 at 01:30:59PM -0500, Dmitri Pal wrote:
 I don't know it.
 After a quick look I wasn't able to set it up correctly, 'id USER'
 didn't connect to its socket like with nscd/nlscd, however
 nsswitch.conf was configured.
 Maybe with the upcoming 14.04 or do you have a working howto for 12.04?
 
 Please check SSSD web site for guidelines and if you have any
 questions do not hesitate  to ask on the sssd-users list.
 SSSD is the best you can get nowadays for the connection of the
 client systems to the central identity stores.
 If you plan to use it with IPA you do not need to configure sssd manually.
 ipa-client-install will do the trick. Just install ipa-client
 package and run the command.

If realmd is available for your distribution, then I would highly
recommend using it to set up SSSD.



Re: [Freeipa-users] authentication against compat

2014-02-12 Thread Tamas Papp

On 02/12/2014 09:53 PM, Jakub Hrozek wrote:
 On Wed, Feb 12, 2014 at 01:30:59PM -0500, Dmitri Pal wrote:
 I don't know it.
 After a quick look I wasn't able to set it up correctly, 'id USER'
 didn't connect to its socket like with nscd/nlscd, however
 nsswitch.conf was configured.
 Maybe with the upcoming 14.04 or do you have a working howto for 12.04?
 Please check SSSD web site for guidelines and if you have any
 questions do not hesitate  to ask on the sssd-users list.
 SSSD is the best you can get nowadays for the connection of the
 client systems to the central identity stores.
 If you plan to use it with IPA you do not need to configure sssd manually.
 ipa-client-install will do the trick. Just install ipa-client
 package and run the command.
 If realmd is available for your distribution, then I would highly
 recommend using it to set up SSSD.

It isn't in 12.04, but will be available in 14.04.
Thanks for the suggestion.

tamas



Re: [Freeipa-users] authentication against compat

2014-02-12 Thread Alexander Bokovoy

On Wed, 12 Feb 2014, Tamas Papp wrote:


On 02/12/2014 09:53 PM, Jakub Hrozek wrote:

On Wed, Feb 12, 2014 at 01:30:59PM -0500, Dmitri Pal wrote:

I don't know it.
After a quick look I wasn't able to set it up correctly, 'id USER'
didn't connect to its socket like with nscd/nlscd, however
nsswitch.conf was configured.
Maybe with the upcoming 14.04 or do you have a working howto for 12.04?

Please check SSSD web site for guidelines and if you have any
questions do not hesitate  to ask on the sssd-users list.
SSSD is the best you can get nowadays for the connection of the
client systems to the central identity stores.
If you plan to use it with IPA you do not need to configure sssd manually.
ipa-client-install will do the trick. Just install ipa-client
package and run the command.

If realmd is available for your distribution, then I would highly
recommend using it to set up SSSD.


It isn't in 12.04, but will be available in 14.04.
Thanks for the suggestion.

https://launchpad.net/~sssd/+archive/updates
--
/ Alexander Bokovoy



Re: [Freeipa-users] authentication against compat

2014-02-12 Thread Alexander Bokovoy

On Thu, 13 Feb 2014, Alexander Bokovoy wrote:

On Wed, 12 Feb 2014, Tamas Papp wrote:


On 02/12/2014 09:53 PM, Jakub Hrozek wrote:

On Wed, Feb 12, 2014 at 01:30:59PM -0500, Dmitri Pal wrote:

I don't know it.
After a quick look I wasn't able to set it up correctly, 'id USER'
didn't connect to its socket like with nscd/nlscd, however
nsswitch.conf was configured.
Maybe with the upcoming 14.04 or do you have a working howto for 12.04?

Please check SSSD web site for guidelines and if you have any
questions do not hesitate  to ask on the sssd-users list.
SSSD is the best you can get nowadays for the connection of the
client systems to the central identity stores.
If you plan to use it with IPA you do not need to configure sssd manually.
ipa-client-install will do the trick. Just install ipa-client
package and run the command.

If realmd is available for your distribution, then I would highly
recommend using it to set up SSSD.


It isn't in 12.04, but will be available in 14.04.
Thanks for the suggestion.

https://launchpad.net/~sssd/+archive/updates

Ah, sorry, realmd is indeed not available for 12.04 because it wasn't
written at that point yet. :)
--
/ Alexander Bokovoy



Re: [Freeipa-users] authentication against compat

2014-02-12 Thread Tamas Papp

On 02/12/2014 11:29 PM, Alexander Bokovoy wrote:
 On Wed, 12 Feb 2014, Tamas Papp wrote:

 On 02/12/2014 09:53 PM, Jakub Hrozek wrote:
 On Wed, Feb 12, 2014 at 01:30:59PM -0500, Dmitri Pal wrote:
 I don't know it.
 After a quick look I wasn't able to set it up correctly, 'id USER'
 didn't connect to its socket like with nscd/nlscd, however
 nsswitch.conf was configured.
 Maybe with the upcoming 14.04 or do you have a working howto for
 12.04?
 Please check SSSD web site for guidelines and if you have any
 questions do not hesitate  to ask on the sssd-users list.
 SSSD is the best you can get nowadays for the connection of the
 client systems to the central identity stores.
 If you plan to use it with IPA you do not need to configure sssd
 manually.
 ipa-client-install will do the trick. Just install ipa-client
 package and run the command.
 If realmd is available for your distribution, then I would highly
 recommend using it to set up SSSD.

 It isn't in 12.04, but will be available in 14.04.
 Thanks for the suggestion.
 https://launchpad.net/~sssd/+archive/updates

I meant realmd is not in 12.04.

tamas



Re: [Freeipa-users] authentication against compat

2014-02-12 Thread Tamas Papp

On 02/12/2014 07:30 PM, Dmitri Pal wrote:

 Please check SSSD web site for guidelines and if you have any
 questions do not hesitate to ask on the sssd-users list.
 SSSD is the best you can get nowadays for the connection of the client
 systems to the central identity stores.
 If you plan to use it with IPA you do not need to configure sssd
 manually.
 ipa-client-install will do the trick. Just install ipa-client package
 and run the command.

It was quite pathetic, when last time I tried on ubuntu.
I'll try sssd again, if I have spare time.

Thanks,
tamas



Re: [Freeipa-users] authentication against compat

2014-02-12 Thread Dmitri Pal

On 02/12/2014 05:00 PM, Tamas Papp wrote:

On 02/12/2014 07:30 PM, Dmitri Pal wrote:

Please check SSSD web site for guidelines and if you have any
questions do not hesitate to ask on the sssd-users list.
SSSD is the best you can get nowadays for the connection of the client
systems to the central identity stores.
If you plan to use it with IPA you do not need to configure sssd
manually.
ipa-client-install will do the trick. Just install ipa-client package
and run the command.

It was quite pathetic, when last time I tried on ubuntu.
I'll try sssd again, if I have spare time.

Thanks,
tamas

Timo Aaltonen is your man then. ;-)

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/





Re: [Freeipa-users] authentication against compat

2014-02-12 Thread Will Sheldon
Is SSSD working for IPA sudo now? I saw this from Jakub Hrozek in this list a
little while back:

Unfortunately with 6.5 there is still no sudo ipa provider, there might
be one in 6.6. So in order to download the sudo rules you need to
configure the LDAP sudo provider manually.


Will.


On Wednesday, February 12, 2014 at 2:57 PM, Dmitri Pal wrote:

 On 02/12/2014 05:00 PM, Tamas Papp wrote:
  On 02/12/2014 07:30 PM, Dmitri Pal wrote:
   Please check SSSD web site for guidelines and if you have any
   questions do not hesitate to ask on the sssd-users list.
   SSSD is the best you can get nowadays for the connection of the client
   systems to the central identity stores.
   If you plan to use it with IPA you do not need to configure sssd
   manually.
   ipa-client-install will do the trick. Just install ipa-client package
   and run the command.
   
  
  It was quite pathetic, when last time I tried on ubuntu.
  I'll try sssd again, if I have spare time.
  
  Thanks,
  tamas
  
 
 Timo Aaltonen is your man then. ;-)
 
 -- 
 Thank you,
 Dmitri Pal
 
 Sr. Engineering Manager for IdM portfolio
 Red Hat Inc.
 
 
 ---
 Looking to carve out IT costs?
 www.redhat.com/carveoutcosts/ (http://www.redhat.com/carveoutcosts/)
 
 
 
 
 


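The quoted advice above is to point SSSD's generic LDAP sudo provider at IPA by hand when the SSSD build has no "sudo_provider = ipa". The script below is an added example, not code from the thread or from the SSSD or FreeIPA projects: it renders the [domain] section such a setup needs and includes a small check for an existing sssd.conf. The domain, server and client names (example.com, ipa.example.com, client.example.com) are placeholders; the sudo rules are read from IPA's compat tree under ou=sudoers, authenticated with the client's host keytab over GSSAPI.

```shell
#!/bin/sh
# Added example, not from the thread: render the sssd.conf [domain] settings
# that fetch IPA sudo rules through SSSD's generic LDAP sudo provider, for
# SSSD versions that lack "sudo_provider = ipa". All names are placeholders.
#
# Usage: render_sudo_domain DOMAIN IPA_SERVER CLIENT_FQDN
render_sudo_domain() {
    domain=$1; server=$2; client=$3
    # Kerberos realm is the upper-cased DNS domain; LDAP base is dc=...,dc=...
    realm=$(printf '%s' "$domain" | tr '[:lower:]' '[:upper:]')
    base=$(printf '%s' "$domain" | sed 's/\./,dc=/g; s/^/dc=/')
    cat <<EOF
[domain/$domain]
id_provider = ipa
auth_provider = ipa
ipa_server = $server
ipa_domain = $domain
# sudo rules: generic LDAP provider pointing at IPA's compat tree,
# authenticated with the client's host keytab over GSSAPI
sudo_provider = ldap
ldap_uri = ldap://$server
ldap_sudo_search_base = ou=sudoers,$base
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/$client
ldap_sasl_realm = $realm
krb5_server = $server
EOF
}

# Check an existing sssd.conf: exit 0 if it names a sudo provider, 1 otherwise.
has_sudo_provider() {
    grep -Eq '^[[:space:]]*sudo_provider[[:space:]]*=' "$1"
}

# Stand-alone use: ./sssd-sudo.sh render example.com ipa.example.com client.example.com
if [ "${1:-}" = "render" ]; then
    render_sudo_domain "$2" "$3" "$4"
fi
```

The rendered section replaces the [domain/...] block that ipa-client-install wrote; after editing, nsswitch.conf also needs "sudoers: files sss" and sssd must be restarted, otherwise sudo keeps consulting only the local sudoers file and the host-keytab binding above is never exercised.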

Re: [Freeipa-users] trouble creating a replica in the cloud

2014-02-12 Thread Todd Maugh
Thanks guys, turns out this was a Red Hat bug in the 6.4 image of the AWS
instance, so I built on 6.5

and was able to get past it, but now I'm failing with this:

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Unexpected error - see /var/log/ipareplica-install.log for details:
ObjectclassViolation: missing attribute idnsSOAserial required by object 
class idnsZone

I tried attaching the log file but unfortunately it's 30 MB; trying to compress it.




From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Rob Crittenden [rcrit...@redhat.com]
Sent: Wednesday, February 12, 2014 10:36 AM
To: d...@redhat.com; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] trouble creating a replica in the cloud

Dmitri Pal wrote:
 On 02/11/2014 05:02 PM, Todd Maugh wrote:
 Hey Guys,

 So I have my master and replica up in my datacenter.

 I have a client, I have a winsync agreement, I have a password sync.

 It's working lovely.

 So now I have spun up an AWS instance of Red Hat 6.5 (same as my
 master and first replica)

 I run the ipa replica and it fails


 ipa-replica-install --setup-ca --setup-dns --no-forwarders
 /var/lib/ipa/replica-info-se-idm-03.boingo.com.gpg
 Directory Manager (existing master) password:

 Run connection check to master
 Check connection from replica to remote master 'se-idm-01.boingo.com':
Directory Service: Unsecure port (389): OK
Directory Service: Secure port (636): OK
Kerberos KDC: TCP (88): OK
Kerberos Kpasswd: TCP (464): OK
HTTP Server: Unsecure port (80): OK
HTTP Server: Secure port (443): OK
PKI-CA: Directory Service port (7389): OK

 The following list of ports use UDP protocol and would need to be
 checked manually:
Kerberos KDC: UDP (88): SKIPPED
Kerberos Kpasswd: UDP (464): SKIPPED

 Connection from replica to master is OK.
 Start listening on required ports for remote master check
 Get credentials to log in to remote master
 ad...@boingo.com password:

 Execute check on remote master
 Check connection from master to remote replica 'se-idm-03.boingo.com':
Directory Service: Unsecure port (389): OK
Directory Service: Secure port (636): OK
Kerberos KDC: TCP (88): OK
Kerberos KDC: UDP (88): OK
Kerberos Kpasswd: TCP (464): OK
Kerberos Kpasswd: UDP (464): OK
HTTP Server: Unsecure port (80): OK
HTTP Server: Secure port (443): OK
PKI-CA: Directory Service port (7389): OK

 Connection from master to replica is OK.

 Connection check OK
 Configuring NTP daemon (ntpd)
   [1/4]: stopping ntpd
   [2/4]: writing configuration
   [3/4]: configuring ntpd to start on boot
   [4/4]: starting ntpd
 Done configuring NTP daemon (ntpd).
 Configuring directory server for the CA (pkids): Estimated time 30 seconds
   [1/3]: creating directory server user
   [2/3]: creating directory server instance
 ipa : CRITICAL failed to create ds instance Command
 '/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmpo9ROF3'
 returned non-zero exit status 1
   [3/3]: restarting directory server
 ipa : CRITICAL Failed to restart the directory server. See the
 installation log for details.
 Done configuring directory server for the CA (pkids).

 Your system may be partly configured.
 Run /usr/sbin/ipa-server-install --uninstall to clean up.
 Can't contact LDAP server


 I check the log file and this is what I get

 2014-02-11T19:55:48Z DEBUG calling setup-ds.pl
 2014-02-11T19:57:53Z DEBUG args=/usr/sbin/setup-ds.pl --silent
 --logfile - -f /tmp/tmpo9ROF3
 2014-02-11T19:57:53Z DEBUG stdout=[11/Feb/2014:14:57:53 -0500]
 createprlistensockets - PR_Bind() on All Interfaces port 7389 failed:
 Netscape Portable Runtime error -5966 (Access Denied.)
 [11/Feb/2014:14:57:53 -0500] createprlistensockets - PR_Bind() on All
 Interfaces port 7389 failed: Netscape Portable Runtime error -5966
 (Access Denied.)
 [14/02/11:14:57:53] - [Setup] Info Could not start the directory
 server using command '/usr/lib64/dirsrv/slapd-PKI-IPA/start-slapd'.
 The last line from the error log was '[11/Feb/2014:14:57:53 -0500] create
 prlistensockets - PR_Bind() on All Interfaces port 7389 failed:
 Netscape Portable Runtime error -5966 (Access Denied.)
 '.  Error: Unknown error 256
 Could not start the directory server using command
 '/usr/lib64/dirsrv/slapd-PKI-IPA/start-slapd'.  The last line from the
 error log was '[11/Feb/2014:14:57:53 -0500] createprlistensockets -
 PR_Bind() on All
 Interfaces port 7389 failed: Netscape Portable Runtime error -5966
 (Access Denied.)
 '.  Error: Unknown error 256
 [14/02/11:14:57:53] - [Setup] Fatal Error: Could not create directory
 server instance 'PKI-IPA'.
 Error: Could not create directory server instance 'PKI-IPA'.
 [14/02/11:14:57:53] - [Setup] Fatal Exiting . . .
 Log file is '-'

 Exiting . . .
 Log file is '-'




 Please help





Re: [Freeipa-users] Choosing the right way to create trust

2014-02-12 Thread Petr Spacek

On 12.2.2014 21:49, Genadi Postrilko wrote:

Client's local hostname must match the DNS A record?


I would recommend that you try it and report the results. We can't be sure what will
happen (in Kerberos libraries and applications) until you try that.


--
Petr^2 Spacek

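Before trying a trust with a hostname that does not match its A record, it is worth checking what the client's resolver actually returns, since MIT Kerberos builds the host principal from the fully qualified name and, with the default rdns setting, from the PTR record of the resolved address. The script below is an added example, not code from the thread or from the FreeIPA project: dns_consistent is a pure comparison (hostname, forward address, reverse name) that can be exercised without DNS, and check_local_host feeds it the system resolver's answers for the local machine. The names client.example.com and 192.0.2.10 used in the comments are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: check that a client's hostname is the
# one Kerberos will see. MIT krb5 builds host principals from the fully
# qualified name and, with the default rdns=true, from the PTR record of the
# resolved address, so hostname, A record and PTR record must agree.

# Pure comparison, testable without DNS. Exit 0 when consistent, else 1.
# Arguments: FQDN_FROM_HOSTNAME FORWARD_IP REVERSE_NAME_FOR_THAT_IP
dns_consistent() {
    fqdn=$1; ip=$2; rname=$3
    case "$fqdn" in
        *.*) ;;                       # must be fully qualified
        *) echo "hostname '$fqdn' is not fully qualified" >&2; return 1 ;;
    esac
    [ -n "$ip" ] || { echo "no A record for $fqdn" >&2; return 1; }
    # compare case-insensitively and ignore a trailing dot in the PTR target
    f=$(printf '%s' "$fqdn" | tr '[:upper:]' '[:lower:]')
    r=$(printf '%s' "${rname%.}" | tr '[:upper:]' '[:lower:]')
    if [ "$f" != "$r" ]; then
        echo "PTR for $ip is '$rname', expected '$fqdn'" >&2
        return 1
    fi
    return 0
}

# Resolve through the system resolver (the same path SSSD and krb5 use),
# e.g. client.example.com -> 192.0.2.10 -> client.example.com, and compare.
check_local_host() {
    fqdn=$(hostname -f)
    ip=$(getent ahostsv4 "$fqdn" | awk 'NR==1 {print $1}')
    rname=$(getent hosts "$ip" | awk '{print $2}')
    dns_consistent "$fqdn" "$ip" "$rname"
}

# Stand-alone use: ./krb-hostcheck.sh check
if [ "${1:-}" = "check" ]; then
    check_local_host && echo "OK: $(hostname -f) is consistent with DNS"
fi
```

A failure here does not by itself mean the trust cannot work, but it tells you which name the KDC will be asked for: when the PTR disagrees with hostname -f, GSSAPI clients will look up host/<PTR name> instead of the principal in the host's keytab, which is the kind of surprise Petr is warning about.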