Re: [Freeipa-users] Issues creating trust with AD.
On Wed, Feb 19, 2014 at 12:17:59AM +0200, Genadi Postrilko wrote:
> After i restarted SSSD nothing changed - still cannot login via ssh/su.
> I have increased debug level to 6: https://gist.github.com/anonymous/9081367
> (krb5_child was empty)

The LDAP extended operation which should fetch the user data of the AD user fails:

(Tue Feb 18 11:34:57 2014) [sssd[be[linux.adexample.com]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation
(Tue Feb 18 11:34:57 2014) [sssd[be[linux.adexample.com]]] [ipa_s2n_exop_done] (0x0400): ldap_extended_operation result: Operations error(1), (null)
(Tue Feb 18 11:34:57 2014) [sssd[be[linux.adexample.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.

hence the user is not available on the client and the login fails.

Since winbind is working correctly on the server as shown by the wbinfo output below and the client is able to talk to the LDAP server in the IPA server, I assume that there is an issue in processing the exop request or in the communication between the LDAP server and winbind. For the second you might want to check if there are any SELinux denials in your audit log. For the first you should enable debug logging for the LDAP server, see http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting for details. The log level which is needed here is 65536 'Plug-in debugging'. The logs might be too large for a mailing-list, feel free to send them to me directly.

bye,
Sumit

> Thank you.
>
> 2014-02-18 11:38 GMT+02:00 Sumit Bose sb...@redhat.com:
>> On Tue, Feb 18, 2014 at 01:11:38AM +0200, Genadi Postrilko wrote:
>>> Thank you for the help! I have performed the downgrade:
>>>
>>> yum downgrade samba4*
>>>
>>> [root@ipaserver1 ~]# rpm -qa | grep samb
>>> samba4-python-4.0.0-58.el6.rc4.x86_64
>>> samba4-winbind-4.0.0-58.el6.rc4.x86_64
>>> samba4-common-4.0.0-58.el6.rc4.x86_64
>>> samba4-winbind-clients-4.0.0-58.el6.rc4.x86_64
>>> samba4-libs-4.0.0-58.el6.rc4.x86_64
>>> samba4-client-4.0.0-58.el6.rc4.x86_64
>>> samba4-4.0.0-58.el6.rc4.x86_64
>>>
>>> And it worked!
>>>
>>> *I am now able to perform login via ssh and su on to the ipaserver with AD users:*
>>>
>>> [root@ipaserver1 ~]# su gen...@adexample.com
>>> sh-4.1$
>>>
>>> *and wbinfo and getent return values:*
>>>
>>> [root@ipaserver1 ~]# wbinfo -u
>>> ADEXAMPLE\administrator
>>> ADEXAMPLE\guest
>>> ADEXAMPLE\genadi
>>> ADEXAMPLE\krbtgt
>>> ADEXAMPLE\linux$
>>> ADEXAMPLE\daniel
>>>
>>> [root@ipaserver1 ~]# wbinfo -g
>>> admins
>>> editors
>>> default smb group
>>> ad_users
>>> ADEXAMPLE\domain computers
>>> ADEXAMPLE\domain controllers
>>> ADEXAMPLE\schema admins
>>> ADEXAMPLE\enterprise admins
>>> ADEXAMPLE\domain admins
>>> ADEXAMPLE\domain users
>>> ADEXAMPLE\domain guests
>>> ADEXAMPLE\group policy creator owners
>>> ADEXAMPLE\read-only domain controllers
>>> ADEXAMPLE\enterprise read-only domain controllers
>>> ADEXAMPLE\dnsupdateproxy
>>>
>>> [root@ipaserver1 ~]# getent passwd gen...@adexample.com
>>> gen...@adexample.com:*:699001000:699001000::/home/adexample.com/genadi:
>>
>> Thanks a lot for confirming that -58 is working on the FreeIPA server.
>>
>>> *After this success, i have tried to execute a login on the client machine (using an AD user), but it did not work:*
>>>
>>> [root@ipaclient1 ~]# su gen...@adexample.com
>>> su: user gen...@adexample.com does not exist
>>>
>>> *Also wbinfo and getent do not return values:*
>>>
>>> [root@ipaclient1 ~]# wbinfo -u
>>> [root@ipaclient1 ~]# wbinfo -g
>>> [root@ipaclient1 ~]# getent passwd gen...@adexample.com
>>
>> Winbind is not running on the IPA client. SSSD running on the IPA client uses an LDAP extended operation to get the basic data about AD users and groups. Please try to restart SSSD on the client. If this does not help, please send me the client's SSSD log files.
>>
>> bye,
>> Sumit

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
[Freeipa-users] Grey button in Reset password in the gui
Dear all:

I created an account for an operator and added roles of user admin with reset/modify password privileges. But when he logs in, the reset password button is grey? Is there any more permission I should assign... Now I can only add this operator to the admin group, so he gets full access rights.

thks
Barry
Re: [Freeipa-users] Grey button in Reset password in the gui
On 19.2.2014 10:37, barry...@gmail.com wrote:
> Dear all:
>
> I created an account for an operator and added roles of user admin with reset/modify password privileges. But when he logs in, the reset password button is grey? Is there any more permission I should assign... Now I can only add this operator to the admin group, so he gets full access rights.
>
> thks
> Barry

Hello,

This link is enabled when the logged-in user has write permission for the userpassword attribute.

HTH
-- 
Petr Vobornik
Re: [Freeipa-users] HBAC - expected behaviour?
On Tue, Feb 04, 2014 at 04:11:12AM +, Les Stott wrote:
> If I access the host host1 and remove allow_all from its defined HBAC rules in the web ui, jane can still access host1 via ssh (actually tested login).

I can see you've found the solution already but I'd like to go back to this part.

You say that you have removed allow_all from its defined HBAC rules in the WebUI. However, when I try this on my FreeIPA server, I don't see allow_all listed for any of my hosts (neither in the Direct nor Indirect Membership listing). Is it possible that you've added that host to allow_all on top of its Any Host (aka Host category: all) manually and then removed it?

-- 
Jan Pazdziora | adelton at #ipa*, #brno
Principal Software Engineer, Identity Management Engineering, Red Hat
Re: [Freeipa-users] Sudo denied on first attempt, allowed on second attempt
Hi Pavel,

sdainard-admin is a Windows domain user, part of an external group 'ad_admins_external' which is a member of 'ad_admins', an ipa posix group. The 'admins' group is the built-in ipa admin group.

ipa group-show admins
  Group name: admins
  Description: Account administrators group
  GID: 176820
  Member users: admin
  Member groups: ad_admins
  Member of Sudo rule: ad_admins
  Indirect Member groups: ad_admins_external

ipa group-show ad_admins
  Group name: ad_admins
  Description: miovision.corp admins
  GID: 176824
  Member users: admin
  Member groups: ad_admins_external
  Member of groups: admins
  Member of Sudo rule: ad_admins, All

Thanks,

*Steve Dainard*
IT Infrastructure Manager
Miovision http://miovision.com/ | *Rethink Traffic*
*Blog http://miovision.com/blog | LinkedIn https://www.linkedin.com/company/miovision-technologies | Twitter https://twitter.com/miovision | Facebook https://www.facebook.com/miovision*
--
Miovision Technologies Inc. | 148 Manitou Drive, Suite 101, Kitchener, ON, Canada | N2C 1L3
This e-mail may contain information that is privileged or confidential. If you are not the intended recipient, please delete the e-mail and any attachments and notify us immediately.
On Wed, Feb 19, 2014 at 8:48 AM, Pavel Březina pbrez...@redhat.com wrote:
> On 02/18/2014 10:32 PM, Steve Dainard wrote:
>> Hi Pavel,
>>
>> Very interesting, my IPA group membership in ad_admins isn't shown by that command on first run (new login):
>>
>> sdainard-ad...@miovision.corp@ubu1310:~$ id sdainard-admin
>> uid=799002462(sdainard-ad...@miovision.corp) gid=799002462(sdainard-ad...@miovision.corp) groups=799002462(sdainard-ad...@miovision.corp),799001380(accounting-share-acc...@miovision.corp),799001417(protected-share-acc...@miovision.corp),799000519(enterprise adm...@miovision.corp),799001416(hr-share-access@miovision.corp),799000512(domain adm...@miovision.corp),799000513(domain us...@miovision.corp),799002464(it - adm...@miovision.corp),799002469(kloperat...@miovision.corp),799002468(kladm...@miovision.corp)
>>
>> sdainard-ad...@miovision.corp@ubu1310:~$ sudo su
>> [sudo] password for sdainard-ad...@miovision.corp:
>> sdainard-ad...@miovision.corp is not allowed to run sudo on ubu1310. This incident will be reported.
>>
>> But after attempting the sudo command my groups do contain the IPA groups admins, ad_admins:
>>
>> sdainard-ad...@miovision.corp@ubu1310:~$ id sdainard-admin
>> uid=799002462(sdainard-ad...@miovision.corp) gid=799002462(sdainard-ad...@miovision.corp) groups=799002462(sdainard-ad...@miovision.corp),799001380(accounting-share-acc...@miovision.corp),799001417(protected-share-acc...@miovision.corp),799000519(enterprise adm...@miovision.corp),799001416(hr-share-access@miovision.corp),799000512(domain adm...@miovision.corp),799000513(domain us...@miovision.corp),799002464(it - adm...@miovision.corp),799002469(kloperat...@miovision.corp),799002468(kladm...@miovision.corp),*176820(admins),176824(ad_admins)*
>>
>> sdainard-ad...@miovision.corp@ubu1310:~$ sudo su
>> [sudo] password for sdainard-ad...@miovision.corp:
>> root@ubu1310:/home/miovision.corp/sdainard-admin#
>>
>> Sudo rule (I had to create this, apparently it's a default rule, but it didn't exist in my install on RHEL7 beta):
>>
>>   Rule name: All
>>   Enabled: TRUE
>>   Host category: all
>>   Command category: all
>>   RunAs User category: all
>>   RunAs Group category: all
>>   User Groups: ad_admins
>
> Can you tell me more information about the admins and ad_admins groups and sdainard-admin? I would like to know how the membership is configured and what their relation to AD is. A dump of ipa user-show and ipa group-show should be enough, I think.
>
>> I saw the new dns update option (and refresh timers!), thanks.
>>
>> *Steve Dainard*
>> IT Infrastructure Manager
>> Miovision http://miovision.com/ | /Rethink Traffic/
>>
>> On Tue, Feb 18, 2014 at 5:27 AM, Pavel Březina pbrez...@redhat.com wrote:
>>> On 02/17/2014 10:29 PM, Steve Dainard wrote:
>>>> I can't reproduce consistently on any OS including Fedora 20, but I was able to trigger the issue on a Ubuntu 13.10 client.
>>>>
>>>> sssd: 1.11.1
>>>> sudo: 1.8.6p3-0ubuntu3
>>>>
>>>> I have only just enabled the sudo logging so it should only contain the events below:
>>>>
>>>> sdainard-ad...@miovision.corp@ubu1310:~$ sudo su
Re: [Freeipa-users] Export data
Hi Martin,

Thanks for your previous answer. And how can I export a list of DNS entries using ldapsearch?

Regards,
Suhail.
DevOps
BSkyB.

From: Martin Kosek [mko...@redhat.com]
Sent: 22 January 2014 13:30
To: Choudhury, Suhail; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Export data

On 01/22/2014 01:48 PM, Choudhury, Suhail wrote:
> Hi guys,
>
> I'm trying to get a dump of all users, hosts and DNS entries from IPA so we can run scripts/Puppet against them.
> Tried searching for it but cannot find anything, so was hoping someone can give some hints on how best to do this please.

You can either export them via ldapsearch:

$ kinit admin
$ ldapsearch -h `hostname` -Y GSSAPI -b 'cn=users,cn=accounts,dc=example,dc=com'

... or write a Python script to do what you want. Very simple example:

$ kinit admin
$ python
>>> from ipalib import api
>>> api.bootstrap()
>>> api.finalize()
>>> api.Backend.xmlclient.connect()
>>> users = api.Command.user_find()
>>> for user in users['result']:
...     print "%s:%s:%s" % (user['uid'][0], user['uidnumber'][0], user['gidnumber'][0])
...
admin:191360:191360
tuser:191361:191361

Martin

Information in this email including any attachments may be privileged, confidential and is intended exclusively for the addressee. The views expressed may not be official policy, but the personal views of the originator. If you have received it in error, please notify the sender by return e-mail and delete it from your system. You should not reproduce, distribute, store, retransmit, use or disclose its contents to anyone. Please note we reserve the right to monitor all e-mail communication through our internal and external networks. SKY and the SKY marks are trademarks of British Sky Broadcasting Group plc and Sky International AG and are used under licence. British Sky Broadcasting Limited (Registration No. 2906991), Sky-In-Home Service Limited (Registration No. 2067075) and Sky Subscribers Services Limited (Registration No. 2340150) are direct or indirect subsidiaries of British Sky Broadcasting Group plc (Registration No. 2247735). All of the companies mentioned in this paragraph are incorporated in England and Wales and share the same registered office at Grant Way, Isleworth, Middlesex TW7 5QD.
Re: [Freeipa-users] Export data
Similarly to users, you just use the right container:

$ kinit admin
$ ldapsearch -h `hostname` -Y GSSAPI -b 'cn=dns,dc=example,dc=com'

There are plenty of resources online on how to work with ldapsearch, ldapmodify and the resulting LDIFs that could help get you started.

Martin

On 02/19/2014 04:33 PM, Choudhury, Suhail wrote:
> Hi Martin,
>
> Thanks for your previous answer. And how can I export a list of DNS entries using ldapsearch?
>
> Regards,
> Suhail.
> DevOps
> BSkyB.
>
> From: Martin Kosek [mko...@redhat.com]
> Sent: 22 January 2014 13:30
> To: Choudhury, Suhail; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Export data
>
> On 01/22/2014 01:48 PM, Choudhury, Suhail wrote:
>> Hi guys,
>>
>> I'm trying to get a dump of all users, hosts and DNS entries from IPA so we can run scripts/Puppet against them.
>> Tried searching for it but cannot find anything, so was hoping someone can give some hints on how best to do this please.
>
> You can either export them via ldapsearch:
>
> $ kinit admin
> $ ldapsearch -h `hostname` -Y GSSAPI -b 'cn=users,cn=accounts,dc=example,dc=com'
>
> ... or write a Python script to do what you want. Very simple example:
>
> $ kinit admin
> $ python
> >>> from ipalib import api
> >>> api.bootstrap()
> >>> api.finalize()
> >>> api.Backend.xmlclient.connect()
> >>> users = api.Command.user_find()
> >>> for user in users['result']:
> ...     print "%s:%s:%s" % (user['uid'][0], user['uidnumber'][0], user['gidnumber'][0])
> ...
> admin:191360:191360
> tuser:191361:191361
>
> Martin
[Freeipa-users] Windows client
When I added a windows 7 client (let's call it windows.lan.domain.com), I had to go manually enter the domain (in System Properties -> Computer Name/Domain Changes -> DNS Suffix and NetBIOS computer name) even though ipconfig would report it properly. Otherwise, it would show in the kdc log file as windows$@DOMAIN.COM instead of windows.lan.domain@domain.com. Does anyone know why? I know the realm and the domain names are not quite the same (domain has a lan in it), but should that matter?

On an unrelated note, in http://www.freeipa.org/page/Windows_authentication_against_FreeIPA it should be

ksetup /addkpasswd

not

ksetup /addkpassword
Re: [Freeipa-users] ipa-client-install fails on replica because of kinit cannot contact any KDC
Guys

Any word on this? New logs are attached to the email. I am still not able to add clients using the replica. Let me know if you need any other information and thanks for your help.

Shreeraj
Change is the only Constant !

On Tuesday, February 18, 2014 1:18 PM, Shree shreerajkarul...@yahoo.com wrote:
> 1) I have got a step further. My replica is not running the CA Service. To achieve this I had to remove the existing cert with this command:
>
> pkiremove -pki_instance_root=/var/lib -pki_instance_name=pki-ca -force
>
> Now the replica looks like this:
>
> [skarulkar@ldap2 tmp]$ sudo ipactl status
> [sudo] password for skarulkar:
> Directory Service: RUNNING
> KDC Service: RUNNING
> KPASSWD Service: RUNNING
> MEMCACHE Service: RUNNING
> HTTP Service: RUNNING
> CA Service: RUNNING
> [skarulkar@ldap2 tmp]$
>
> 2) I am still not able to add a client using ipa-client-install via the replica. Logs for the replica install and client install are attached.
>
> Shreeraj
> Change is the only Constant !
>
> On Tuesday, February 18, 2014 11:31 AM, Shree shreerajkarul...@yahoo.com wrote:
>> Rob
>>
>> The logs are attached in the email chain. If you need fresh ones, I can try to replicate it again.
>>
>> Shreeraj
>> Change is the only Constant !
>>
>> On Tuesday, February 18, 2014 11:19 AM, Rob Crittenden rcrit...@redhat.com wrote:
>>> Shree wrote:
>>>> Rob
>>>>
>>>> I am giving it a fresh start and I notice similar issues.
>>>>
>>>> 1) I wasn't able to use --setup-ca while running ipa-replica-install on the replica. It stopped the install after the ntpd step, see below.
>>>>
>>>> Done configuring NTP daemon (ntpd).
>>>> A CA is already configured on this system.
>>>
>>> This is left over from a previous failed installation. If the CA install fails early enough we don't log the fact that it was installed so the uninstall doesn't clean it up.
>>>
>>>> 2) So I tried my install command again without the --setup-ca option. It went further; although it completed, it showed one error, see below.
>>>>
>>>> MY COMMAND:
>>>> --
>>>> ipa-replica-install /var/tmp/replica-info-ldap2.mydomain.com.gpg --skip-conncheck
>>>>
>>>> The --skip-conncheck was needed to complete the install. Connection checks were done manually.
>>>>
>>>>   [14/31]: configuring lockout plugin
>>>>   [15/31]: creating indices
>>>>   [16/31]: enabling referential integrity plugin
>>>>   [17/31]: configuring ssl for ds instance
>>>> ipa         : ERROR    certmonger failed starting to track certificate: Command '/usr/bin/ipa-getcert start-tracking -d /etc/dirsrv/slapd-MYDOMAIN.COM -n Server-Cert -p /etc/dirsrv/slapd-MYDOMAIN.COM/pwdfile.txt -C /usr/lib64/ipa/certmonger/restart_dirsrv MYDOMAIN.COM' returned non-zero exit status 1
>>>>   [18/31]: configuring certmap.conf
>>>>   [19/31]: configure autobind for root
>>>>   .
>>>
>>> Without logs there is no way to diagnose. This could leave you in a situation where the certificate fails to renew in 2 years and IPA suddenly stops working.
>>>
>>>> 3) The replica installed fine; I can access the same database from the replica's website.
>>>>
>>>> 4) I cannot add new clients.
>>>>
>>>> MY COMMAND:
>>>> --
>>>> ipa-client-install --domain=mydomain.com --server=ldap2.mydomain.com --hostname=test500.mydomain.com -d
>>>>
>>>> ldap.mydomain.com = master
>>>> ldap2.mydomain.com = replica
>>>
>>> No idea without seeing the logs.
>>>
>>> rob
Re: [Freeipa-users] Windows client
On Wed, 19 Feb 2014, Mauricio Tavares wrote:
> When I added a windows 7 client (let's call it windows.lan.domain.com), I had to go manually enter the domain (in System Properties -> Computer Name/Domain Changes -> DNS Suffix and NetBIOS computer name) even though ipconfig would report it properly. Otherwise, it would show in the kdc log file as windows$@DOMAIN.COM instead of windows.lan.domain@domain.com. Does anyone know why? I know the realm and the domain names are not quite the same (domain has a lan in it), but should that matter?

Windows uses NetBIOS name$ as the machine name in TGT requests for the host. At this point we don't have means to correct this via the IPA CLI. You need to use ldapmodify directly and add

krbprincipalname: windows$DOMAIN.COM
krbcanonicalname: HOST/windows.lan.domain@domain.com

to the host entry. KrbPrincipalName can have multiple values and if there is more than one, KrbCanonicalName should be set to the canonical version, which is the original KrbPrincipalName in IPA.

> On an unrelated note, in http://www.freeipa.org/page/Windows_authentication_against_FreeIPA it should be ksetup /addkpasswd not ksetup /addkpassword

Corrected, thanks!

-- 
/ Alexander Bokovoy
Re: [Freeipa-users] Windows client
On Wed, 2014-02-19 at 20:34 +0200, Alexander Bokovoy wrote:
> On Wed, 19 Feb 2014, Mauricio Tavares wrote:
>> When I added a windows 7 client (let's call it windows.lan.domain.com), I had to go manually enter the domain (in System Properties -> Computer Name/Domain Changes -> DNS Suffix and NetBIOS computer name) even though ipconfig would report it properly. Otherwise, it would show in the kdc log file as windows$@DOMAIN.COM instead of windows.lan.domain@domain.com. Does anyone know why? I know the realm and the domain names are not quite the same (domain has a lan in it), but should that matter?
>
> Windows uses NetBIOS name$ as the machine name in TGT requests for the host. At this point we don't have means to correct this via the IPA CLI. You need to use ldapmodify directly and add
>
> krbprincipalname: windows$DOMAIN.COM
> krbcanonicalname: HOST/windows.lan.domain@domain.com

Note that 'host' here should be lower case.

Simo.

> to the host entry. KrbPrincipalName can have multiple values and if there is more than one, KrbCanonicalName should be set to the canonical version, which is the original KrbPrincipalName in IPA.
>
>> On an unrelated note, in http://www.freeipa.org/page/Windows_authentication_against_FreeIPA it should be ksetup /addkpasswd not ksetup /addkpassword
>
> Corrected, thanks!

-- 
Simo Sorce * Red Hat, Inc * New York
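The ldapmodify change Alexander and Simo describe, written out as an added example (not code from the thread or from FreeIPA itself): a Python helper that builds the LDIF for the host entry with 'host/' in lower case and the NetBIOS alias in the 'name$@REALM' form the KDC log in the original question shows, plus a check that a host entry carrying several krbprincipalname values has a krbcanonicalname matching one of them. The cn=computers,cn=accounts container, the hostname and the realm are assumptions, not values from the thread.

```python
"""Build and sanity-check the host-entry change described in this thread (added example, not FreeIPA code)."""
from typing import Dict, List

# Assumption: default FreeIPA layout, where host entries live under cn=computers,cn=accounts,<base DN>.
HOSTS_CONTAINER = "cn=computers,cn=accounts"


def host_principal_ldif(fqdn: str, netbios: str, realm: str, base_dn: str) -> str:
    """Return an ldapmodify LDIF adding the NetBIOS-style principal as an alias of the host principal.

    The canonical name keeps 'host/' lower case, as Simo noted. Principal names are
    case-sensitive, so pass the NetBIOS name exactly as the KDC log shows it.
    """
    canonical = f"host/{fqdn}@{realm}"
    alias = f"{netbios}$@{realm}"
    return "\n".join([
        f"dn: fqdn={fqdn},{HOSTS_CONTAINER},{base_dn}",
        "changetype: modify",
        "add: krbprincipalname",
        f"krbprincipalname: {alias}",
        "-",                          # separates the two modifications of the same entry
        "replace: krbcanonicalname",
        f"krbcanonicalname: {canonical}",
        "",
    ])


def check_host_principals(entry: Dict[str, List[str]]) -> List[str]:
    """Return the problems found in a host entry's Kerberos principal attributes (empty list = fine)."""
    problems: List[str] = []
    principals = entry.get("krbprincipalname", [])
    canonical = entry.get("krbcanonicalname", [])
    if len(principals) > 1 and not canonical:
        problems.append("several krbprincipalname values but no krbcanonicalname")
    if canonical and canonical[0] not in principals:
        problems.append("krbcanonicalname is not one of the krbprincipalname values")
    for p in principals:
        service, _, rest = p.partition("/")
        if rest and service != service.lower():
            problems.append(f"service part of {p!r} should be lower case")
    return problems


if __name__ == "__main__":
    # Hypothetical host, realm and base DN; feed the output to `ldapmodify -Y GSSAPI`.
    print(host_principal_ldif("windows.lan.domain.com", "windows", "DOMAIN.COM", "dc=domain,dc=com"))
```

The check function is meant for an entry as read back from the directory (attribute names lower-cased, each attribute a list of values), so it can be run over an `ldapsearch` dump of the hosts container to spot entries whose alias was added without setting the canonical name.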
Re: [Freeipa-users] Windows client
On 19.2.2014 19:44, Simo Sorce wrote:
> On Wed, 2014-02-19 at 20:34 +0200, Alexander Bokovoy wrote:
>> On Wed, 19 Feb 2014, Mauricio Tavares wrote:
>>> When I added a windows 7 client (let's call it windows.lan.domain.com), I had to go manually enter the domain (in System Properties -> Computer Name/Domain Changes -> DNS Suffix and NetBIOS computer name) even though ipconfig would report it properly. Otherwise, it would show in the kdc log file as windows$@DOMAIN.COM instead of windows.lan.domain@domain.com. Does anyone know why? I know the realm and the domain names are not quite the same (domain has a lan in it), but should that matter?
>>
>> Windows uses NetBIOS name$ as the machine name in TGT requests for the host. At this point we don't have means to correct this via the IPA CLI. You need to use ldapmodify directly and add
>>
>> krbprincipalname: windows$DOMAIN.COM
>> krbcanonicalname: HOST/windows.lan.domain@domain.com
>
> Note that 'host' here should be lower case.

... And please note that http://www.freeipa.org/page/Windows_authentication_against_FreeIPA is an option of last resort. Please use a real trust between AD and IPA whenever possible: http://www.freeipa.org/page/Trusts

Have a nice day!

Petr^2 Spacek

>> to the host entry. KrbPrincipalName can have multiple values and if there is more than one, KrbCanonicalName should be set to the canonical version, which is the original KrbPrincipalName in IPA.
>>
>>> On an unrelated note, in http://www.freeipa.org/page/Windows_authentication_against_FreeIPA it should be ksetup /addkpasswd not ksetup /addkpassword
>>
>> Corrected, thanks!
Re: [Freeipa-users] Windows client
On Wed, Feb 19, 2014 at 2:02 PM, Petr Spacek pspa...@redhat.com wrote:
> On 19.2.2014 19:44, Simo Sorce wrote:
>> On Wed, 2014-02-19 at 20:34 +0200, Alexander Bokovoy wrote:
>>> On Wed, 19 Feb 2014, Mauricio Tavares wrote:
>>>> When I added a windows 7 client (let's call it windows.lan.domain.com), I had to go manually enter the domain (in System Properties -> Computer Name/Domain Changes -> DNS Suffix and NetBIOS computer name) even though ipconfig would report it properly. Otherwise, it would show in the kdc log file as windows$@DOMAIN.COM instead of windows.lan.domain@domain.com. Does anyone know why? I know the realm and the domain names are not quite the same (domain has a lan in it), but should that matter?
>>>
>>> Windows uses NetBIOS name$ as the machine name in TGT requests for the host. At this point we don't have means to correct this via the IPA CLI. You need to use ldapmodify directly and add
>>>
>>> krbprincipalname: windows$DOMAIN.COM
>>> krbcanonicalname: HOST/windows.lan.domain@domain.com
>>
>> Note that 'host' here should be lower case.
>
> ... And please note that http://www.freeipa.org/page/Windows_authentication_against_FreeIPA is an option of last resort. Please use a real trust between AD and IPA whenever possible: http://www.freeipa.org/page/Trusts

Would not having an AD server be eligible for the option of last resort?

> Have a nice day!
>
> Petr^2 Spacek
>
>>> to the host entry. KrbPrincipalName can have multiple values and if there is more than one, KrbCanonicalName should be set to the canonical version, which is the original KrbPrincipalName in IPA.
>>>
>>>> On an unrelated note, in http://www.freeipa.org/page/Windows_authentication_against_FreeIPA it should be ksetup /addkpasswd not ksetup /addkpassword
>>>
>>> Corrected, thanks!
Re: [Freeipa-users] Windows client
On 19.2.2014 20:10, Mauricio Tavares wrote:
> On Wed, Feb 19, 2014 at 2:02 PM, Petr Spacek pspa...@redhat.com wrote:
>> On 19.2.2014 19:44, Simo Sorce wrote:
>>> On Wed, 2014-02-19 at 20:34 +0200, Alexander Bokovoy wrote:
>>>> On Wed, 19 Feb 2014, Mauricio Tavares wrote:
>>>>> When I added a windows 7 client (let's call it windows.lan.domain.com), I had to go manually enter the domain (in System Properties -> Computer Name/Domain Changes -> DNS Suffix and NetBIOS computer name) even though ipconfig would report it properly. Otherwise, it would show in the kdc log file as windows$@DOMAIN.COM instead of windows.lan.domain@domain.com. Does anyone know why? I know the realm and the domain names are not quite the same (domain has a lan in it), but should that matter?
>>>>
>>>> Windows uses NetBIOS name$ as the machine name in TGT requests for the host. At this point we don't have means to correct this via the IPA CLI. You need to use ldapmodify directly and add
>>>>
>>>> krbprincipalname: windows$DOMAIN.COM
>>>> krbcanonicalname: HOST/windows.lan.domain@domain.com
>>>
>>> Note that 'host' here should be lower case.
>>
>> ... And please note that http://www.freeipa.org/page/Windows_authentication_against_FreeIPA is an option of last resort. Please use a real trust between AD and IPA whenever possible: http://www.freeipa.org/page/Trusts
>
> Would not having an AD server be eligible for the option of last resort?

Sure, when Samba 4 has an ability to create a trust with IPA :-)

Seriously, if you have a non-trivial network with Windows clients you really need something for managing them - most likely AD or Samba 4. Unfortunately, Samba 4 is not able to create a trust with IPA right now.

Petr^2 Spacek

>>>> to the host entry. KrbPrincipalName can have multiple values and if there is more than one, KrbCanonicalName should be set to the canonical version, which is the original KrbPrincipalName in IPA.
>>>>
>>>>> On an unrelated note, in http://www.freeipa.org/page/Windows_authentication_against_FreeIPA it should be ksetup /addkpasswd not ksetup /addkpassword
>>>>
>>>> Corrected, thanks!

-- 
Petr^2 Spacek
[Freeipa-users] Unexpected error at the end of ipa-replica-install
Everything seems to be going well for all 17 of the 17 steps and then this:

  [15/17]: configure clone certificate renewals
  [16/17]: configure Server-Cert certificate renewal
  [17/17]: Configure HTTP to proxy connections
Done configuring certificate server (pki-cad).
Restarting the directory and certificate servers

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Unexpected error - see /var/log/ipareplica-install.log for details:
CalledProcessError: Command '/sbin/service pki-cad stop pki-ca' returned non-zero exit status 4
[root@ldap3 ~]#

Shreeraj
Change is the only Constant !
Re: [Freeipa-users] ipa-client-install fails on replica because of kinit cannot contact any KDC
Shree wrote:
> 1) I have got a step further. My replica is not running the CA Service. To achieve this I had to remove the existing cert with this command:
>
> pkiremove -pki_instance_root=/var/lib -pki_instance_name=pki-ca -force
>
> Now the replica looks like this:
>
> [skarulkar@ldap2 tmp]$ sudo ipactl status
> [sudo] password for skarulkar:
> Directory Service: RUNNING
> KDC Service: RUNNING
> KPASSWD Service: RUNNING
> MEMCACHE Service: RUNNING
> HTTP Service: RUNNING
> CA Service: RUNNING
> [skarulkar@ldap2 tmp]$

The tracking failed with:

2014-02-18T20:20:43Z DEBUG stdout=Error initializing Kerberos library: Improper format of Kerberos configuration file.

It looks like it failed on this for most if not all the tracking. What does /etc/krb5.conf look like?

> 2) I am still not able to add a client using ipa-client-install via the replica.

The temporary krb5.conf that is used during enrollment has dns_lookup_kdc=True so it is probably trying to contact the other KDC and failing.

What is the output of:

$ rpm -q ipa-client

rob
Re: [Freeipa-users] Export data
Choudhury, Suhail wrote: Hi Martin, Thanks for your previous answer. And how can I export a list of DNS entries using ldapsearch? He included the basics in his previous answer: $ kinit admin $ ldapsearch -h `hostname` -Y GSSAPI -b 'cn=users,cn=accounts,dc=example,dc=com' You can append the command with the list of attributes you want, and suppress a bunch of the extraneous output with -LLL, so something like: $ ldapsearch -LLL -h `hostname` -Y GSSAPI -b 'cn=users,cn=accounts,dc=example,dc=com' dn rob Regards, Suhail. DevOps BSkyB. From: Martin Kosek [mko...@redhat.com] Sent: 22 January 2014 13:30 To: Choudhury, Suhail; freeipa-users@redhat.com Subject: Re: [Freeipa-users] Export data On 01/22/2014 01:48 PM, Choudhury, Suhail wrote: Hi guys, I trying to get a dump of all users, hosts and DNS entries from IPA so we can run scripts/Puppet against them. Tried searching for it but cannot find anything, so was hoping someone can give some hints on how best to do this please. You can either export them via ldapsearch: $ kinit admin $ ldapsearch -h `hostname` -Y GSSAPI -b 'cn=users,cn=accounts,dc=example,dc=com' ... or for write a Python script to do what you want. Very simple example: $ kinit admin $ python from ipalib import api api.bootstrap() api.finalize() api.Backend.xmlclient.connect() users = api.Command.user_find() for user in users['result']:... print %s:%s:%s % (user['uid'][0], user['uidnumber'][0], user['gidnumber'][0]) ... admin:191360:191360 tuser:191361:191361 Martin Information in this email including any attachments may be privileged, confidential and is intended exclusively for the addressee. The views expressed may not be official policy, but the personal views of the originator. If you have received it in error, please notify the sender by return e-mail and delete it from your system. You should not reproduce, distribute, store, retransmit, use or disclose its contents to anyone. 
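As an added example (not Rob's or Martin's code and not part of FreeIPA), a small parser for the `ldapsearch -LLL` output discussed above. It unfolds continued lines and decodes `attr::` base64 values, two LDIF details that break a naive split on ':' when the dump is fed to scripts or Puppet, and then emits the same uid:uidNumber:gidNumber lines Martin's ipalib loop printed. The LDIF below is constructed for the example; the parser does not depend on the search base, so the same pipeline covers a hosts or DNS subtree dump.

```python
import base64
import re

# Constructed sample of `ldapsearch -LLL ... uid uidNumber gidNumber memberOf description`
# for the two users from Martin's session. The second entry folds one long line
# (continuation starts with a single space) and carries a base64 value ("::").
SAMPLE_LDIF = """\
dn: uid=admin,cn=users,cn=accounts,dc=example,dc=com
uid: admin
uidNumber: 191360
gidNumber: 191360

dn: uid=tuser,cn=users,cn=accounts,dc=example,dc=com
uid: tuser
uidNumber: 191361
gidNumber: 191361
description:: VGVzdCB1c2Vy
memberOf: cn=ipausers,cn=groups,cn=accounts,
 dc=example,dc=com
"""


def parse_ldif(text):
    """Parse `ldapsearch -LLL` output into a list of {attr: [values]} dicts.
    Attribute names are lower-cased because LDAP compares them case-insensitively."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):   # entries are blank-line separated
        entry = {}
        # RFC 2849 folding: a line starting with one space continues the previous line.
        for line in block.replace("\n ", "").splitlines():
            if line.startswith("#"):                      # ldapsearch comment lines
                continue
            attr, sep, value = line.partition(":")
            if not sep:
                raise ValueError("not an LDIF attribute line: %r" % line)
            if value.startswith(":"):                     # "attr:: <base64>" value
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            else:
                value = value.strip()
            entry.setdefault(attr.lower(), []).append(value)
        entries.append(entry)
    return entries


def passwd_lines(entries):
    """uid:uidNumber:gidNumber for every entry that has all three, as in Martin's loop."""
    return ["%s:%s:%s" % (e["uid"][0], e["uidnumber"][0], e["gidnumber"][0])
            for e in entries if all(k in e for k in ("uid", "uidnumber", "gidnumber"))]


if __name__ == "__main__":
    for line in passwd_lines(parse_ldif(SAMPLE_LDIF)):
        print(line)
```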
Re: [Freeipa-users] ipa-client-install fails on replica because of kinit cannot contact any KDC
Here are a couple of things

[skarulkar@ldap2 ~]$ rpm -q ipa-client
ipa-client-3.0.0-26.el6_4.4.x86_64

and my /etc/krb5.conf looks like ..

===
includedir /var/lib/sss/pubconf/krb5.include.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = MYDOMAIN.COM
 dns_lookup_realm = false
 dns_lookup_kdc = true
 rdns = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 MYDOMAIN.COM = {
  kdc = ldap2.mydomain.com:88
  master_kdc = ldap2.mydomain.com:88
  admin_server = ldap2.mydomain.com:749
  default_domain = mydomain.com
  pkinit_anchors = FILE:/etc/ipa/ca.crt
  default_domain = mydomain.com
  pkinit_anchors = FILE:/etc/ipa/ca.crt
 }

[domain_realm]
 .mydomain.com = MYDOMAIN.COM
 mydomain.com = MYDOMAIN.COM

[dbmodules]
 MYDOMAIN.COM = {
  db_library = ipadb.so
 }
===

Shreeraj
Change is the only Constant !

On Wednesday, February 19, 2014 12:59 PM, Rob Crittenden rcrit...@redhat.com wrote:
> What does /etc/krb5.conf look like?
>
> [...]
>
> What is the output of:
>
> $ rpm -q ipa-client
>
> rob
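The thread never says what made the Kerberos library reject the file, so the following is only an added structural check (not FreeIPA code and not a diagnosis of Shree's replica): it reads a krb5.conf body the way the profile library does (section headers, `key = value` relations, `{ }` subsections), reports the syntax faults that produce the "Improper format" error (a relation before any section, unbalanced braces, a line that is neither a header nor a relation), and separately lists relations repeated inside one block, which is what stands out in the [realms] stanza posted above. The sample mirrors that stanza and is constructed here.

```python
import re

# Constructed sample mirroring the posted [realms] stanza, repeated lines included.
SAMPLE_KRB5_CONF = """\
includedir /var/lib/sss/pubconf/krb5.include.d/
[realms]
 MYDOMAIN.COM = {
  kdc = ldap2.mydomain.com:88
  master_kdc = ldap2.mydomain.com:88
  admin_server = ldap2.mydomain.com:749
  default_domain = mydomain.com
  pkinit_anchors = FILE:/etc/ipa/ca.crt
  default_domain = mydomain.com
  pkinit_anchors = FILE:/etc/ipa/ca.crt
 }
"""


def lint_krb5_conf(text):
    """Return (errors, duplicates): errors are structural faults the profile parser
    rejects; duplicates are relations set twice in the same section or { } block,
    named as section/subsection/key. Nothing else about the values is checked."""
    errors, duplicates = [], []
    section, stack, seen = None, [], {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # '#' starts a comment
        if not line or line.startswith("include"):   # include/includedir directives
            continue
        header = re.match(r"^\[([^\]]+)\]$", line)
        if header:
            if stack:
                errors.append("line %d: [%s] opened inside an unclosed { }" % (n, header.group(1)))
            section, stack = header.group(1), []
        elif section is None:
            errors.append("line %d: relation outside any section" % n)
        elif line == "}":
            if stack:
                stack.pop()
            else:
                errors.append("line %d: '}' without a matching '{'" % n)
        else:
            key, sep, value = (s.strip() for s in line.partition("="))
            if not sep:
                errors.append("line %d: expected 'key = value'" % n)
            elif value == "{":                       # start of a subsection
                stack.append(key)
            else:
                path = "/".join([section] + stack + [key])
                if path in seen:
                    duplicates.append("line %d: %s already set at line %d" % (n, path, seen[path]))
                else:
                    seen[path] = n
    if stack:
        errors.append("end of file inside unclosed { } (%s)" % "/".join(stack))
    return errors, duplicates
```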
Re: [Freeipa-users] ipa-client-install fails on replica because of kinit cannot contact any KDC
[root@test500 ~]# rpm -q ipa-client
ipa-client-2.2.0-16.el6.x86_64
[root@test500 ~]#

Shreeraj
Change is the only Constant !

On Wednesday, February 19, 2014 1:17 PM, Rob Crittenden rcrit...@redhat.com wrote:
> Shree wrote:
>> Here are a couple of things
>>
>> [skarulkar@ldap2 ~]$ rpm -q ipa-client
>> ipa-client-3.0.0-26.el6_4.4.x86_64
>
> What is the version on the client that is failing to enroll?
>
> rob
>
> [...]
Re: [Freeipa-users] ipa-client-install fails on replica because of kinit cannot contact any KDC
Shree wrote:
> [root@test500 ~]# rpm -q ipa-client
> ipa-client-2.2.0-16.el6.x86_64
> [root@test500 ~]#

You'll definitely want to update to 2.2.0-17, that fixes CVE-2012-5484.

Unfortunately our logging around discovery was rather horrible in 2.2.x so it is difficult to know exactly what is going on. I believe the problem is that it is still doing DNS discovery even though you've passed in a server name, so it is setting up Kerberos to look up the KDC, which it finds but can't talk to.

This should be fixed in the 3.0 packages so updating to those is the preferred solution. For 2.x you can try the --force option which should make it skip some discovery.

rob

> Shreeraj
> Change is the only Constant !
>
> On Wednesday, February 19, 2014 1:17 PM, Rob Crittenden rcrit...@redhat.com wrote:
> [...]
[Freeipa-users] About Windows client
Hello,

I want to summarize our position regarding joining Windows systems into IPA.

1) If you already have AD we recommend using this system with AD and using trusts between AD and IPA.

2) If you do not have AD then use Samba 4 instead of it. It would be great when Samba 4 grows the capability to establish trusts. Right now it can't, but there is an effort going on. If you are interested - please contribute.

3) If neither of the two options works for you, you can configure a Windows system to work directly with IPA as described on the wiki. It is an option of last resort because IPA does not provide the services a Windows client expects. If this is good enough for you, fine by us.

4) Build a native Windows client (cred provider) for IPA using the latest Kerberos. IMO this would be really useful if someone does that because we will not build this ourselves. With the native OTP support in IPA it becomes a real business opportunity to provide native 2FA inside the enterprise across multiple platforms. But please do it the open source way, otherwise we would not recommend you ;-)

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-users] ipa-client-install fails on replica because of kinit cannot contact any KDC
Rob

You were right. After upgrading the client to the ipa-client-3.0.0-37.el6.x86_64 version I started seeing a warning during the client install that went something like

=
Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
Proceed with fixed values and no DNS discovery? [no]: yes
=

I continued by saying yes because in my case the master and the replica are in different VLANs and failover is not possible for me. I have tried it on two hosts successfully and am hoping that does the trick.

However, I see one issue immediately: my sudo access does not seem to work now on the newly added clients! Do you know what might be happening?

Shreeraj
Change is the only Constant !

On Wednesday, February 19, 2014 2:21 PM, Rob Crittenden rcrit...@redhat.com wrote:
> Shree wrote:
>> [root@test500 ~]# rpm -q ipa-client
>> ipa-client-2.2.0-16.el6.x86_64
>> [root@test500 ~]#
>
> You'll definitely want to update to 2.2.0-17, that fixes CVE-2012-5484.
>
> I believe the problem is that it is still doing DNS discovery even though you've passed in a server name, so it is setting up Kerberos to look up the KDC, which it finds but can't talk to.
>
> This should be fixed in the 3.0 packages so updating to those is the preferred solution. For 2.x you can try the --force option which should make it skip some discovery.
>
> rob
>
> [...]