Re: [Freeipa-users] best practices for subdomains
On 1.3.2014 23:20, Brendan Kearney wrote:
> I am using bind-dyndb-ldap outside of FreeIPA, and want to create
> _tcp.my-domain.com and _udp.my-domain.com subdomains. I have tried, but
> seem to come up short, and nslookup fails for the records I try to create
> in the subdomains. Some googling and searching in the wiki have not
> provided me with much to go on. Below is an attempt at _tcp.my-domain.com:
>
> dn: idnsName=_tcp.my-domain.com.,cn=dns,dc=my-domain,dc=com
> dnsttl: 3600
> idnsallowdynupdate: FALSE
> idnsallowsyncptr: FALSE
> idnsname: _tcp.my-domain.com.
> idnssoaexpire: 604800
> idnssoaminimum: 86400
> idnssoamname: server.my-domain.com.
> idnssoarefresh: 10800
> idnssoaretry: 900
> idnssoarname: root.server.my-domain.com.
> idnssoaserial: 1
> idnsupdatepolicy: grant MY-DOMAIN.COM krb5-self * A;
> idnszoneactive: TRUE
> nsrecord: server.my-domain.com.
> objectclass: top
> objectclass: idnsZone
> objectclass: idnsRecord
>
> What is the correct way to create a subdomain?

First of all, do you really want to create *subdomains* for _tcp and _udp, or do you just need to create a couple of records like _ldap._tcp in an existing domain? It is very unusual to create separate subdomains for _tcp and _udp.

I'm attaching a small snippet which shows how to add an _ldap._tcp SRV record to the existing domain ipa.example.

Please be so kind and send us the information mentioned on https://fedorahosted.org/bind-dyndb-ldap/wiki/BugReporting#a3.Whatweneedtoknow
We would like to know how users use bind-dyndb-ldap, which LDAP server is used outside FreeIPA and so on.

Have a nice day!

-- 
Petr^2 Spacek

version: 1
dn: idnsname=ipa.example,cn=dns,dc=ipa,dc=example
objectClass: idnsrecord
objectClass: top
objectClass: idnszone
idnsName: ipa.example
idnsSOAexpire: 1209600
idnsSOAminimum: 3600
idnsSOAmName: ns.ipa.example.
idnsSOArefresh: 3600
idnsSOAretry: 900
idnsSOArName: hostmaster.ipa.example.
idnsSOAserial: 1393602813
idnsZoneActive: TRUE
idnsAllowDynUpdate: TRUE
idnsAllowQuery: any;
idnsAllowTransfer: none;
idnsUpdatePolicy: grant IPA.EXAMPLE krb5-self * A; grant IPA.EXAMPLE krb5-self * ; grant IPA.EXAMPLE krb5-self * SSHFP;
nSRecord: ns.ipa.example.

dn: idnsname=ns,idnsname=ipa.example,cn=dns,dc=ipa,dc=example
objectClass: idnsrecord
objectClass: top
idnsName: ns
aRecord: 192.0.2.1

dn: idnsname=vm,idnsname=ipa.example,cn=dns,dc=ipa,dc=example
objectClass: idnsrecord
objectClass: top
idnsName: vm
aRecord: 192.0.2.222

dn: idnsname=_ldap._tcp,idnsname=ipa.example,cn=dns,dc=ipa,dc=example
objectClass: idnsrecord
objectClass: top
idnsName: _ldap._tcp
sRVRecord: 0 100 389 vm.ipa.example.

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
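The snippet above puts the SRV record as a child entry of the zone rather than as a zone of its own. The following added example (not code from the thread or from the bind-dyndb-ldap project) parses an LDIF of that shape and checks each sRVRecord: that its parent entry is an idnsZone, that priority, weight and port are in range, and that the target carries a trailing dot so BIND does not append the zone origin. The sample LDIF is constructed from the attached snippet plus a second, deliberately relative, record; the parser assumes plain LDIF (no base64 `::` values) and DNs without escaped commas.

```python
"""Sanity-check SRV record entries in a bind-dyndb-ldap style LDIF.

Added example, not code from the thread or from the bind-dyndb-ldap project.
It handles plain LDIF only (no base64 '::' values) and assumes DNs contain no
escaped commas, which holds for the idnsName-based DNs shown in the reply.
"""
import re

# Constructed sample: the zone and _ldap._tcp record from the attached snippet,
# plus a second SRV record whose target lacks the trailing dot.
SAMPLE_LDIF = """\
version: 1
dn: idnsname=ipa.example,cn=dns,dc=ipa,dc=example
objectClass: idnsrecord
objectClass: top
objectClass: idnszone
idnsName: ipa.example
idnsSOAmName: ns.ipa.example.
nSRecord: ns.ipa.example.

dn: idnsname=_ldap._tcp,idnsname=ipa.example,cn=dns,dc=ipa,dc=example
objectClass: idnsrecord
objectClass: top
idnsName: _ldap._tcp
sRVRecord: 0 100 389 vm.ipa.example.

dn: idnsname=_kerberos._udp,idnsname=ipa.example,cn=dns,dc=ipa,dc=example
objectClass: idnsrecord
objectClass: top
idnsName: _kerberos._udp
sRVRecord: 0 100 88 vm.ipa.example
"""

SRV_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(\S+)$")


def parse_ldif(text):
    """Return entries as dicts: {'dn': str, '<attr lower>': [values...]}."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:      # LDIF continuation line
            lines[-1] += line[1:]
        else:
            lines.append(line)
    entries, current = [], None
    for line in lines:
        if not line.strip():
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith("#") or line.lower().startswith("version:"):
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = {"dn": value}
        elif current is not None:
            current.setdefault(attr, []).append(value)
    if current is not None:
        entries.append(current)
    return entries


def check_srv_entries(entries):
    """Return a list of problem strings; an empty list means the LDIF passes."""
    zone_dns = {
        e["dn"].lower()
        for e in entries
        if "idnszone" in [c.lower() for c in e.get("objectclass", [])]
    }
    problems = []
    for e in entries:
        dn = e["dn"]
        for value in e.get("srvrecord", []):
            # The record must be a child of a zone entry, not a zone of its own.
            parent = dn.split(",", 1)[1].lower() if "," in dn else ""
            if parent not in zone_dns:
                problems.append(f"{dn}: parent {parent!r} is not an idnsZone entry")
            m = SRV_RE.match(value)
            if not m:
                problems.append(f"{dn}: malformed sRVRecord {value!r}")
                continue
            prio, weight, port, target = m.groups()
            if not all(0 <= int(x) <= 65535 for x in (prio, weight, port)):
                problems.append(f"{dn}: priority/weight/port out of range in {value!r}")
            if not target.endswith("."):
                problems.append(
                    f"{dn}: target {target!r} has no trailing dot, so BIND treats it "
                    "as relative to the zone origin"
                )
    return problems


if __name__ == "__main__":
    found = check_srv_entries(parse_ldif(SAMPLE_LDIF))
    print("\n".join(found) if found else "no problems found")
```

Run against the sample, the only finding is the relative target in the constructed _kerberos._udp entry; an SRV entry whose parent is not a zone (the "_tcp as its own subzone" layout from the original question, with the record placed directly under cn=dns) is reported as well.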
[Freeipa-users] Cert auto-renew problem.
Today I found that I was unable to authenticate to FreeIPA. I logged into my IPA master and found that the cert had expired, which has never been a problem in the past. I did some googling and found a few others with similar problems, but none quite matched the issue I'm seeing. The issue is this:

[root@caroline0 PROD ~]# ipa-getcert list
Number of certificates and requests being tracked: 8.
Request ID '20120203213023':
	status: CA_UNREACHABLE
	ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).
	stuck: yes
	key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-SYSTEMS-LAFAYETTE-EDU',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-SYSTEMS-LAFAYETTE-EDU//pwdfile.txt'
	certificate: type=NSSDB,location='/etc/dirsrv/slapd-SYSTEMS-LAFAYETTE-EDU',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=SYSTEMS.LAFAYETTE.EDU
	subject: CN=caroline0.lafayette.edu,O=SYSTEMS.LAFAYETTE.EDU
	expires: 2014-02-03 21:30:22 UTC
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command:
	track: yes
	auto-renew: yes
Request ID '20120203213048':
	status: CA_UNREACHABLE
	ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).
	stuck: yes
	key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
	certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=SYSTEMS.LAFAYETTE.EDU
	subject: CN=caroline0.lafayette.edu,O=SYSTEMS.LAFAYETTE.EDU
	expires: 2014-02-03 21:30:47 UTC
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command:
	track: yes
	auto-renew: yes
Request ID '20120203213112':
	status: CA_UNREACHABLE
	ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).
	stuck: yes
	key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=SYSTEMS.LAFAYETTE.EDU
	subject: CN=caroline0.lafayette.edu,O=SYSTEMS.LAFAYETTE.EDU
	expires: 2014-02-03 21:31:11 UTC
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command:
	track: yes
	auto-renew: yes

Now, if I understand FreeIPA, the CA is FreeIPA itself, isn't it? If so, how could it be unreachable? What else might I be able to try to get past this?

Thanks!
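The report above shows the pattern a monitoring check should catch well before the expiry date: tracked certificates with `stuck: yes`, a non-MONITORING status, and an `expires:` timestamp in the past. The following added example (not code from the thread, from certmonger or from FreeIPA) parses `ipa-getcert list` output into one record per request and flags anything expired, expiring within a warning window, or stuck in renewal. The sample output is constructed with placeholder hostnames and paths, and `now` is passed in explicitly so the result is deterministic.

```python
"""Parse `ipa-getcert list` output and flag tracked certificates that are
expired, close to expiry, or stuck in renewal.

Added example, not code from the thread or from certmonger/FreeIPA. The
sample output below is constructed (hostnames and paths are placeholders)
and `now` is passed in explicitly so the check is deterministic.
"""
from datetime import datetime, timezone

SAMPLE_OUTPUT = """\
Number of certificates and requests being tracked: 3.
Request ID '20120203213023':
    status: CA_UNREACHABLE
    ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).
    stuck: yes
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    subject: CN=ipa.example.test,O=EXAMPLE.TEST
    expires: 2014-02-03 21:30:22 UTC
    track: yes
    auto-renew: yes
Request ID '20120203213112':
    status: MONITORING
    stuck: no
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    subject: CN=ipa.example.test,O=EXAMPLE.TEST
    expires: 2014-03-20 21:31:11 UTC
    track: yes
    auto-renew: yes
Request ID '20120203213200':
    status: MONITORING
    stuck: no
    certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    subject: CN=ipa.example.test,O=EXAMPLE.TEST
    expires: 2015-02-03 21:32:00 UTC
    track: yes
    auto-renew: yes
"""

NOW = datetime(2014, 3, 3, 12, 0, tzinfo=timezone.utc)   # constructed "today"
EXPIRES_FMT = "%Y-%m-%d %H:%M:%S UTC"


def parse_getcert_list(text):
    """Return a list of dicts, one per 'Request ID' block, keyed by field name."""
    requests, current = [], None
    for line in text.splitlines():
        if line.startswith("Request ID '"):
            current = {"id": line.split("'")[1]}
            requests.append(current)
        elif current is not None and line[:1] in (" ", "\t"):
            # Indented "key: value" lines belong to the current request;
            # partition on the first colon so values containing ':' survive.
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return requests


def audit(requests, now=NOW, warn_days=28):
    """Return a finding per request that needs attention, or an empty list."""
    findings = []
    for r in requests:
        reasons = []
        days_left = None
        if r.get("expires"):
            exp = datetime.strptime(r["expires"], EXPIRES_FMT).replace(tzinfo=timezone.utc)
            days_left = (exp - now).days
            if days_left < 0:
                reasons.append("expired")
            elif days_left <= warn_days:
                reasons.append(f"expires in {days_left} days")
        if r.get("stuck") == "yes":
            reasons.append("stuck")
        if r.get("status") not in (None, "MONITORING"):
            reasons.append(f"status {r['status']}")
        if reasons:
            findings.append({"id": r["id"], "certificate": r.get("certificate", ""),
                             "days_left": days_left, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit(parse_getcert_list(SAMPLE_OUTPUT)):
        print(f["id"], ", ".join(f["reasons"]), f["certificate"])
```

The warning window matters because renewal needs a working, unexpired chain: once the server certificates themselves have lapsed, certmonger's renewal request fails TLS validation against the CA, which is exactly the `-504` libcurl error in the report.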
Re: [Freeipa-users] Sudo denied on first attempt, allowed on second attempt
Hi Jakub,

id info from earlier response:

Very interesting, my IPA group membership in ad_admins isn't shown by that command on first run (new login):

sdainard-ad...@miovision.corp@ubu1310:~$ id sdainard-admin
uid=799002462(sdainard-admin@miovision.corp) gid=799002462(sdainard-admin@miovision.corp) groups=799002462(sdainard-ad...@miovision.corp),799001380(accounting-share-acc...@miovision.corp),799001417(protected-share-acc...@miovision.corp),799000519(enterprise adm...@miovision.corp),799001416(hr-share-access@miovision.corp),799000512(domain adm...@miovision.corp),799000513(domain us...@miovision.corp),799002464(it - adm...@miovision.corp),799002469(kloperators@miovision.corp),799002468(kladm...@miovision.corp)

sdainard-ad...@miovision.corp@ubu1310:~$ sudo su
[sudo] password for sdainard-ad...@miovision.corp:
sdainard-ad...@miovision.corp is not allowed to run sudo on ubu1310. This incident will be reported.

But after attempting the sudo command my groups do contain the IPA groups admins,ad_admins:

sdainard-ad...@miovision.corp@ubu1310:~$ id sdainard-admin
uid=799002462(sdainard-admin@miovision.corp) gid=799002462(sdainard-admin@miovision.corp) groups=799002462(sdainard-ad...@miovision.corp),799001380(accounting-share-acc...@miovision.corp),799001417(protected-share-acc...@miovision.corp),799000519(enterprise adm...@miovision.corp),799001416(hr-share-access@miovision.corp),799000512(domain adm...@miovision.corp),799000513(domain us...@miovision.corp),799002464(it - adm...@miovision.corp),799002469(kloperators@miovision.corp),799002468(kladm...@miovision.corp),176820(admins),176824(ad_admins)

Steve Dainard
IT Infrastructure Manager
Miovision | http://miovision.com/

On Mon, Feb 24, 2014 at 10:55 AM, Jakub Hrozek <jhro...@redhat.com> wrote:
> On Mon, Feb 24, 2014 at 10:46:19AM -0500, Pavel Brezina wrote:
>> Hi,
>> I wasn't able to reproduce with membership setup exactly like this. I have already seen a similar problem once; unfortunately the user stopped responding before we could reach the root cause. I think it is correct from the sudo point of view; what is problematic here is missing group membership. It seems that membership of the trusted user is not resolved correctly. Sumit, Jakub, do you have any ideas?
>
> Did you verify if id prints the expected groups for the user in question after he logs in? I think we need to first verify if the memberships are stored correctly to the cache..
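Jakub's question ("does id print the expected groups after login?") is easiest to answer by diffing the two `id` outputs rather than reading them by eye. The following added example (not code from the thread or from SSSD) parses `id` output, including group names that contain spaces such as "domain admins", and reports which groups a later lookup returned that the first one lacked, or which expected IPA groups are missing from a single lookup. The two sample lines are constructed to mirror the report with anonymised names and fewer groups.

```python
"""Parse `id` output and report group memberships missing from a first
lookup but present in a later one (the symptom shown above).

Added example, not code from the thread or from SSSD. The two sample lines
are constructed to mirror the report: anonymised names, fewer groups.
"""
import re

FIRST = ("uid=799002462(jdoe-admin@ad.example.test) "
         "gid=799002462(jdoe-admin@ad.example.test) "
         "groups=799002462(jdoe-admin@ad.example.test),"
         "799000512(domain admins@ad.example.test),"
         "799000513(domain users@ad.example.test)")
# Same user after the sudo attempt: the IPA groups now appear.
SECOND = FIRST + ",176820(admins),176824(ad_admins)"

ENTRY_RE = re.compile(r"(\d+)\(([^)]*)\)")   # gid(name); name may contain spaces


def parse_id(output):
    """Return {'uid': (id, name), 'gid': (id, name), 'groups': {id: name}}."""
    uid = re.search(r"\buid=(\d+)\(([^)]*)\)", output)
    gid = re.search(r"\bgid=(\d+)\(([^)]*)\)", output)
    groups = re.search(r"\bgroups=(.*)$", output)
    if not (uid and gid and groups):
        raise ValueError("unrecognised id output: %r" % output)
    return {
        "uid": (int(uid.group(1)), uid.group(2)),
        "gid": (int(gid.group(1)), gid.group(2)),
        "groups": {int(g): name for g, name in ENTRY_RE.findall(groups.group(1))},
    }


def missing_groups(first, second):
    """Names of groups listed in `second` that `first` did not list."""
    a = parse_id(first)["groups"]
    b = parse_id(second)["groups"]
    return sorted(b[g] for g in b.keys() - a.keys())


def check_expected(output, expected_names):
    """Expected group names absent from one `id` output (empty list = OK)."""
    present = set(parse_id(output)["groups"].values())
    return sorted(set(expected_names) - present)


if __name__ == "__main__":
    print("missing on first lookup:", missing_groups(FIRST, SECOND))
    print("still missing after second:", check_expected(SECOND, ["admins", "ad_admins"]))
```

A sudo rule that targets an IPA group can only match if that group is in the user's initgroups result at the time of the check, so `check_expected` run right after a fresh login is the test that distinguishes "sudo rule wrong" from "membership not yet resolved".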
[Freeipa-users] F19 - F20 yum upgrade success report (WAS: Re: WARNING: Do not upgrade FreeIPA deployments to Fedora 20 final (yet))
On Saturday, March 01, 2014 04:18:11 AM Anthony Messina wrote:
> I've been waiting patiently for F20 to settle before upgrading my two VM installations of FreeIPA:
>
> ipa1 (original master)
> ipa2 (clone)
>
> I'm considering doing a yum upgrade this weekend and was wondering if any users had found any gotchas? One that I can think of is the addition of the following in F20's default /etc/krb5.conf:
>
> [libdefaults]
> ...
> default_ccache_name = KEYRING:persistent:%{uid}
> ...
>
> I've seen on some of my freshly installed F20 FreeIPA clients that this option is no longer present after ipa-client-install. On those clients, I've manually added it post client install and things seem to work OK with the exception of SELinux errors reported here: https://bugzilla.redhat.com/show_bug.cgi?id=1001703
>
> Should I place this option in /etc/krb5.conf on the masters before/after the yum upgrade (or at all)? Should I run ipactl stop prior to running the yum upgrade?
>
> Of note, I'm considering the yum upgrade option rather than creating F20 replicas of F19 masters due to:
> https://fedorahosted.org/pki/ticket/816
> https://fedorahosted.org/389/ticket/47721
>
> Any guidance is appreciated. Thanks, and have a good weekend. -A

I can report to the list that I've upgraded my ipa1 and ipa2 machines from F19 to F20 via yum upgrade in SELinux permissive mode and things went swimmingly.

As far as my concerns above, I added the following to /etc/krb5.conf after the upgrade, but before the reboot:

default_ccache_name = KEYRING:persistent:%{uid}

And I did not issue ipactl stop prior to the upgrade.

The only post-upgrade issue I am seeing is invalid characters passed to dirsrv queries when using the FreeIPA web interface: https://fedorahosted.org/freeipa/ticket/4214

Thanks again to the FreeIPA team! -A

-- 
Anthony - http://messinet.com - http://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E
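The `default_ccache_name` setting discussed above lives in the `[libdefaults]` section of krb5.conf, and the report is that ipa-client-install may leave it out. The following added example (not code from the thread, from FreeIPA or from MIT Kerberos) checks whether the setting is present in that section and, if not, inserts it there without touching other sections; it replaces a differing value in place and is idempotent, so it is safe to run from configuration management after every client install. The sample krb5.conf uses placeholder realm and host names.

```python
"""Check for, and add if absent, `default_ccache_name` in the [libdefaults]
section of a krb5.conf.

Added example, not code from the thread or from MIT Kerberos/FreeIPA. It
edits the file text only; the realm and paths in the sample are placeholders.
"""

KEY = "default_ccache_name"
VALUE = "KEYRING:persistent:%{uid}"

# Constructed krb5.conf without the setting (as ipa-client-install may leave it).
SAMPLE_BEFORE = """\
[logging]
 default = FILE:/var/log/krb5libs.log

[libdefaults]
 default_realm = EXAMPLE.TEST
 dns_lookup_realm = false
 dns_lookup_kdc = true

[realms]
 EXAMPLE.TEST = {
  kdc = ipa.example.test:88
 }
"""


def _section_name(line):
    """Return the lower-cased name if `line` is a [section] header, else None."""
    s = line.strip()
    return s[1:-1].lower() if s.startswith("[") and s.endswith("]") else None


def find_setting(text, section="libdefaults", key=KEY):
    """Return the value of `key` inside [section], or None if it is not set."""
    current = None
    for line in text.splitlines():
        name = _section_name(line)
        if name is not None:
            current = name
        elif current == section and "=" in line:
            k, _, v = line.partition("=")
            if k.strip() == key:
                return v.strip()
    return None


def ensure_setting(text, section="libdefaults", key=KEY, value=VALUE):
    """Return `text` with `key = value` set in [section]; idempotent."""
    if find_setting(text, section, key) == value:
        return text
    new_line = f" {key} = {value}"
    out, current, done = [], None, False
    for line in text.splitlines():
        name = _section_name(line)
        if name is not None:
            if current == section and not done:
                # Leaving the target section without seeing the key: insert
                # before this header, above any blank spacer lines.
                at = len(out)
                while at > 0 and not out[at - 1].strip():
                    at -= 1
                out.insert(at, new_line)
                done = True
            current = name
        elif current == section and not done and line.partition("=")[0].strip() == key:
            line = new_line            # replace a differing value in place
            done = True
        out.append(line)
    if not done:
        if current != section:         # the section was never present
            out += ["", f"[{section}]"]
        out.append(new_line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(ensure_setting(SAMPLE_BEFORE))
```

Whether to set it on the masters at all is a separate decision (the thread reports it working after the upgrade); the check itself only tells you if the client and server configurations agree.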
Re: [Freeipa-users] best practices for subdomains
On Mon, 2014-03-03 at 09:33 +0100, Petr Spacek wrote:
> First of all, do you really want to create *subdomains* for _tcp and _udp, or do you just need to create a couple of records like _ldap._tcp in an existing domain? It is very unusual to create separate subdomains for _tcp and _udp.
> [...]
> Please be so kind and send us the information mentioned on https://fedorahosted.org/bind-dyndb-ldap/wiki/BugReporting#a3.Whatweneedtoknow

What distribution do you use?
Fedora

Which distribution version do you use?
Fedora 20, with latest updates

Which architecture do you use?
x86_64 on a qemu VM

What plugin version do you use?
bind-dyndb-ldap-3.5-1.fc20.x86_64

Do you use bind-dyndb-ldap as part of a FreeIPA installation?
no, using openldap-servers-2.4.39-2.fc20.x86_64

Which version of BIND do you use?
bind-9.9.4-11.P2.fc20.x86_64

Please provide the dynamic-db section from the configuration file /etc/named.conf

dynamic-db "my-domain.com" {
	library "ldap.so";
	arg "uri ldap://127.0.0.1/";
	arg "base cn=dns,dc=my-domain,dc=com";
	arg "auth_method simple";
	arg "bind_dn cn=Manager,dc=my-domain,dc=com";
	arg "password *";
	arg "psearch no";
	// arg "serial_autoincrement yes";
	arg "sync_ptr yes";
	arg "dyn_update yes";
	arg "connections 2";
	arg "cache_ttl 300";
	arg "verbose_checks yes";
};

Do you have some other text-based or DLZ zones configured?
no

Do you have some global forwarders configured in the BIND configuration file?
no

Do you have some settings in the global configuration object in LDAP?

dn: cn=dns,dc=my-domain,dc=com
cn: dns
idnspersistentsearch: FALSE
idnszonerefresh: 30
objectclass: top
objectclass: nsContainer
objectclass: idnsConfigObject

Without a doubt I want to use subdomains (or subzones, if that is the correct term) for _tcp and _udp. kerberos, kerberos-adm, kerberos-master, kpasswd, ldap, nfs4, wpad and ntp are the SRV records I want to manage, and having them in the regular forward zone is not as clean, neat and organized as I want to be. Also, I may want to have forward subdomains (sub.my-domain.com, for example, with testhost.sub.my-domain.com as an A record).

The example included in the package did have a similar example on how to put a SRV into the zone, but again, I want to manage those records with a subdomain (or subzone, if that is the correct term).
Re: [Freeipa-users] Sudo denied on first attempt, allowed on second attempt
Sumit,

Unfortunately 1.11.1 is the only version available for Ubuntu 13.10. I've also had the same problem with an updated version of Fedora 20, so I don't think it's specific to this package version.

Steve Dainard
IT Infrastructure Manager
Miovision | http://miovision.com/

On Mon, Mar 3, 2014 at 2:01 PM, Steve Dainard <sdain...@miovision.com> wrote:
> Hi Jakub,
>
> id info from earlier response:
>
> Very interesting, my IPA group membership in ad_admins isn't shown by that command on first run (new login)
> [...]
> But after attempting the sudo command my groups do contain the IPA groups admins,ad_admins
> [...]
Re: [Freeipa-users] Cert auto-renew problem.
On 03/03/2014 08:50 AM, Lager, Nathan T. wrote:
> Today I found that I was unable to authenticate to FreeIPA. I logged into my IPA master and found that the cert had expired, which has never been a problem in the past.
> [...]
> Now, if I understand FreeIPA, the CA is FreeIPA itself, isn't it? If so, how could it be unreachable? What else might I be able to try to get past this?

Seems like your certificates have expired. The best would be to set the time back and restart the services; everything should come up again. There have been some bugs with the cert rotation and restart. I suggest you check the mail threads regarding making sure that you have the fixed version and that certificates are rotated.

Sorry for the situation.

-- 
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
[Freeipa-users] Using external KDC
Is it possible with FreeIPA to use an external KDC or pass some or all authentication to an external KDC? The KDC at our University may give me a one-way trust if I describe my implementation plan for FreeIPA. Currently I use 389DS with PAM pass-through using untrusted pam_krb5. I'd like to fully utilize FreeIPA without managing passwords since all my users already have University accounts. I just want to manage authorization for my systems, not authentication.

Thanks
- Trey
Re: [Freeipa-users] Using external KDC
On Mon, 2014-03-03 at 18:42 -0600, Trey Dockendorf wrote:
> Is it possible with FreeIPA to use an external KDC or pass some or all authentication to an external KDC? The KDC at our University may give me a one-way trust if I describe my implementation plan for FreeIPA.
> [...]
> I just want to manage authorization for my systems, not authentication.

You could set up a kerberos trust manually, but at the moment we do not support it in the code or the utilities. SSSD in particular will have no place to find identity information if all you have is a kerberos trust; you'd need also an external identity store to point to, but there is no builtin code in SSSD to link the 2 domains at this point.

We are planning on working on IPA-to-IPA trust, and possibly IPA-to-*other*, so any requirements you can throw at us will be made part of the consideration and planning to add this kind of functionality in the future.

NM B HTH,
Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Using external KDC
On 03/03/2014 07:47 PM, Simo Sorce wrote:
> On Mon, 2014-03-03 at 18:42 -0600, Trey Dockendorf wrote:
>> Is it possible with FreeIPA to use an external KDC or pass some or all authentication to an external KDC?
>> [...]
>> I just want to manage authorization for my systems, not authentication.
>
> You could set up a kerberos trust manually, but at the moment we do not support it in the code or the utilities.
> [...]
> We are planning on working on IPA-to-IPA trust, and possibly IPA-to-*other*, so any requirements you can throw at us will be made part of the consideration and planning to add this kind of functionality in the future.

Can you describe your workflows, because I have some idea in mind? Would you be OK if your accounts were in IPA but the authentication were proxied out? The idea is that you can use the OTP RADIUS capability to proxy passwords to your main KDC.

client ---OTP--- IPA --- OTP Proxy --- RADIUS --- Your KDC

Disclaimer: that would defeat the purpose of Kerberos, and the password will be sent over the wire, but it seems that you are already in this setup. Would you be interested to give it a try? It would require the latest SSSD and kerberos library on the client, though, but would work with LDAP binds too.

-- 
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.