Re: [Freeipa-users] ACI for ipa-getkeytab

2014-09-09 Thread James James
My IPA version is 3.0.0 .
Thanks

2014-09-09 1:22 GMT+02:00 Dmitri Pal d...@redhat.com:

  On 09/08/2014 06:52 PM, James James wrote:

   Hi everybody,

  I want a user to be able to do ipa-getkeytab to retrieve the keys from
 any host in the realm.

  How can I do this?

 Where can I find an ACI example (
 https://www.redhat.com/archives/freeipa-users/2010-July/msg00024.html)
 which can help me?


  Thanks for your help.




  Which version of IPA?
 The reason for the question is that in FreeIPA 4.0 the ACIs were
 significantly reworked.

 --
 Thank you,
 Dmitri Pal

 Sr. Engineering Manager IdM portfolio
 Red Hat, Inc.


 --
 Manage your subscription for the Freeipa-users mailing list:
 https://www.redhat.com/mailman/listinfo/freeipa-users
 Go To http://freeipa.org for more info on the project


Re: [Freeipa-users] [freeipa 3.0.0] Changing the DN in the signing request

2014-09-09 Thread Tevfik Ceydeliler


Hi,
I am trying to create a replica in my IPA server environment.
When I try to use:

ipa-replica-prepare rep.ipa.grp --ip-address 10.1.1.183

At the end I get an error:

[root@srv ~]# ipa-replica-prepare rep.ipa.grp --ip-address 10.1.1.183
Directory Manager (existing master) password:

Preparing replica for rep.ipa.grp from srv.ipa.grp
Creating SSL certificate for the Directory Server
Creating SSL certificate for the dogtag Directory Server
Creating SSL certificate for the Web Server
Exporting RA certificate
Copying additional files
Finalizing configuration
Packaging replica information into /var/lib/ipa/replica-info-rep.ipa.grp.gpg
Adding DNS records for rep.ipa.grp

Could not create forward DNS zone for the replica: Nameserver 
'srv.ipa.grp.' does not have a corresponding A/ record


--

Do you have any idea about that? Or is it an error?

10.1.1.183 is rep.ipa.grp (replica)
101.1.173 is srv.ipa.grp (IPA server)


The information contained in this e-mail and any files transmitted with it are
intended solely for the use of the individual or entity to whom they are
addressed and Yasar Group Companies do not accept legal responsibility for the
contents. If you are not the intended recipient, please immediately notify the
sender and delete it from your system.



[Freeipa-users] Error creating Replica

2014-09-09 Thread Tevfik Ceydeliler


Hi,
I am trying to create a replica in my IPA server environment.
When I try to use:

ipa-replica-prepare rep.ipa.grp --ip-address 10.1.1.183

At the end I get an error:

[root@srv ~]# ipa-replica-prepare rep.ipa.grp --ip-address 10.1.1.183
Directory Manager (existing master) password:

Preparing replica for rep.ipa.grp from srv.ipa.grp
Creating SSL certificate for the Directory Server
Creating SSL certificate for the dogtag Directory Server
Creating SSL certificate for the Web Server
Exporting RA certificate
Copying additional files
Finalizing configuration
Packaging replica information into 
/var/lib/ipa/replica-info-rep.ipa.grp.gpg

Adding DNS records for rep.ipa.grp

Could not create forward DNS zone for the replica: Nameserver 
'srv.ipa.grp.' does not have a corresponding A/ record


--

Do you have any idea about that? Or is it an error?

10.1.1.183 is rep.ipa.grp (replica)
101.1.173 is srv.ipa.grp (IPA server)




Re: [Freeipa-users] Error creating Replica

2014-09-09 Thread Tevfik Ceydeliler


By the way,
when I try to ping rep.ipa.grp from srv.ipa.grp it can't resolve the IP address.
There is the same result when I try to ping srv.ipa.grp from rep.ipa.grp.

Is there a BIND problem?


[root@srv ~]# kinit admin
Password for ad...@ipa.grp:
[root@srv ~]# ping rep.ipa.grp
ping: unknown host rep.ipa.grp


[root@rep ~]# ping srvipa.grp
ping: unknown host srvipa.grp



On 09-09-2014 10:42, Tevfik Ceydeliler wrote:

Hi,
I am trying to create a replica in my IPA server environment.
When I try to use:

ipa-replica-prepare rep.ipa.grp --ip-address 10.1.1.183

At the end I get an error:

[root@srv ~]# ipa-replica-prepare rep.ipa.grp --ip-address 10.1.1.183
Directory Manager (existing master) password:

Preparing replica for rep.ipa.grp from srv.ipa.grp
Creating SSL certificate for the Directory Server
Creating SSL certificate for the dogtag Directory Server
Creating SSL certificate for the Web Server
Exporting RA certificate
Copying additional files
Finalizing configuration
Packaging replica information into 
/var/lib/ipa/replica-info-rep.ipa.grp.gpg

Adding DNS records for rep.ipa.grp

Could not create forward DNS zone for the replica: Nameserver 
'srv.ipa.grp.' does not have a corresponding A/ record


--

Do you have any idea about that? Or is it an error?

10.1.1.183 is rep.ipa.grp (replica)
101.1.173 is srv.ipa.grp (IPA server)


--



Re: [Freeipa-users] ipa-replica-prepare failed - could not create forward DNS zone

2014-09-09 Thread Martin Basti

On 09/09/14 09:35, Tevfik Ceydeliler wrote:


Hi,
I am trying to create a replica in my IPA server environment.
When I try to use:

ipa-replica-prepare rep.ipa.grp --ip-address 10.1.1.183

At the end I get an error:

[root@srv ~]# ipa-replica-prepare rep.ipa.grp --ip-address 10.1.1.183
Directory Manager (existing master) password:

Preparing replica for rep.ipa.grp from srv.ipa.grp
Creating SSL certificate for the Directory Server
Creating SSL certificate for the dogtag Directory Server
Creating SSL certificate for the Web Server
Exporting RA certificate
Copying additional files
Finalizing configuration
Packaging replica information into 
/var/lib/ipa/replica-info-rep.ipa.grp.gpg

Adding DNS records for rep.ipa.grp

Could not create forward DNS zone for the replica: Nameserver 
'srv.ipa.grp.' does not have a corresponding A/ record


--

Do you have any idea about that? Or is it an error?

10.1.1.183 is rep.ipa.grp (replica)
101.1.173 is srv.ipa.grp (IPA server)

Hello,
can you resolve the srv.ipa.grp. address?

$ dig A srv.ipa.grp.

--
Martin Basti



Re: [Freeipa-users] Error creating Replica

2014-09-09 Thread Tevfik Ceydeliler


Another symptom is :
--
[root@srv ~]# service named status
rndc: connect failed: 127.0.0.1#953: connection refused
named dead but pid file exists
---

On 09-09-2014 11:00, Tevfik Ceydeliler wrote:

By the way,
when I try to ping rep.ipa.grp from srv.ipa.grp it can't resolve the IP address.
There is the same result when I try to ping srv.ipa.grp from rep.ipa.grp.

Is there a BIND problem?


[root@srv ~]# kinit admin
Password for ad...@ipa.grp:
[root@srv ~]# ping rep.ipa.grp
ping: unknown host rep.ipa.grp


[root@rep ~]# ping srvipa.grp
ping: unknown host srvipa.grp



On 09-09-2014 10:42, Tevfik Ceydeliler wrote:

Hi,
I am trying to create a replica in my IPA server environment.
When I try to use:

ipa-replica-prepare rep.ipa.grp --ip-address 10.1.1.183

At the end I get an error:

[root@srv ~]# ipa-replica-prepare rep.ipa.grp --ip-address 10.1.1.183
Directory Manager (existing master) password:

Preparing replica for rep.ipa.grp from srv.ipa.grp
Creating SSL certificate for the Directory Server
Creating SSL certificate for the dogtag Directory Server
Creating SSL certificate for the Web Server
Exporting RA certificate
Copying additional files
Finalizing configuration
Packaging replica information into 
/var/lib/ipa/replica-info-rep.ipa.grp.gpg

Adding DNS records for rep.ipa.grp

Could not create forward DNS zone for the replica: Nameserver 
'srv.ipa.grp.' does not have a corresponding A/ record


--

Do you have any idea about that? Or is it an error?

10.1.1.183 is rep.ipa.grp (replica)
101.1.173 is srv.ipa.grp (IPA server)


--


--



Re: [Freeipa-users] Error creating Replica

2014-09-09 Thread Martin Basti

On 09/09/14 10:29, Tevfik Ceydeliler wrote:

Another symptom is :
--
[root@srv ~]# service named status
rndc: connect failed: 127.0.0.1#953: connection refused
named dead but pid file exists
---


Please send the logs showing why bind failed:
journalctl -u named

And restart named.



On 09-09-2014 11:00, Tevfik Ceydeliler wrote:

By the way,
when I try to ping rep.ipa.grp from srv.ipa.grp it can't resolve the IP address.
There is the same result when I try to ping srv.ipa.grp from rep.ipa.grp.

Is there a BIND problem?


[root@srv ~]# kinit admin
Password for ad...@ipa.grp:
[root@srv ~]# ping rep.ipa.grp
ping: unknown host rep.ipa.grp


[root@rep ~]# ping srvipa.grp
ping: unknown host srvipa.grp



On 09-09-2014 10:42, Tevfik Ceydeliler wrote:

Hi,
I am trying to create a replica in my IPA server environment.
When I try to use:

ipa-replica-prepare rep.ipa.grp --ip-address 10.1.1.183

At the end I get an error:

[root@srv ~]# ipa-replica-prepare rep.ipa.grp --ip-address 10.1.1.183
Directory Manager (existing master) password:

Preparing replica for rep.ipa.grp from srv.ipa.grp
Creating SSL certificate for the Directory Server
Creating SSL certificate for the dogtag Directory Server
Creating SSL certificate for the Web Server
Exporting RA certificate
Copying additional files
Finalizing configuration
Packaging replica information into 
/var/lib/ipa/replica-info-rep.ipa.grp.gpg

Adding DNS records for rep.ipa.grp

Could not create forward DNS zone for the replica: Nameserver 
'srv.ipa.grp.' does not have a corresponding A/ record


--

Do you have any idea about that? Or is it an error?

10.1.1.183 is rep.ipa.grp (replica)
101.1.173 is srv.ipa.grp (IPA server)


--


--













--
Martin Basti


Re: [Freeipa-users] Error creating Replica

2014-09-09 Thread Tevfik Ceydeliler


Finally found the solution.
Check the file /etc/sysconfig/named and comment out the
#ROOTDIR=/var/named/chroot
line.
Then restart the named service.

On 09-09-2014 11:29, Tevfik Ceydeliler wrote:

Another symptom is :
--
[root@srv ~]# service named status
rndc: connect failed: 127.0.0.1#953: connection refused
named dead but pid file exists
---

On 09-09-2014 11:00, Tevfik Ceydeliler wrote:

By the way,
when I try to ping rep.ipa.grp from srv.ipa.grp it can't resolve the IP address.
There is the same result when I try to ping srv.ipa.grp from rep.ipa.grp.

Is there a BIND problem?


[root@srv ~]# kinit admin
Password for ad...@ipa.grp:
[root@srv ~]# ping rep.ipa.grp
ping: unknown host rep.ipa.grp


[root@rep ~]# ping srvipa.grp
ping: unknown host srvipa.grp



On 09-09-2014 10:42, Tevfik Ceydeliler wrote:

Hi,
I am trying to create a replica in my IPA server environment.
When I try to use:

ipa-replica-prepare rep.ipa.grp --ip-address 10.1.1.183

At the end I get an error:

[root@srv ~]# ipa-replica-prepare rep.ipa.grp --ip-address 10.1.1.183
Directory Manager (existing master) password:

Preparing replica for rep.ipa.grp from srv.ipa.grp
Creating SSL certificate for the Directory Server
Creating SSL certificate for the dogtag Directory Server
Creating SSL certificate for the Web Server
Exporting RA certificate
Copying additional files
Finalizing configuration
Packaging replica information into 
/var/lib/ipa/replica-info-rep.ipa.grp.gpg

Adding DNS records for rep.ipa.grp

Could not create forward DNS zone for the replica: Nameserver 
'srv.ipa.grp.' does not have a corresponding A/ record


--

Do you have any idea about that? Or is it an error?

10.1.1.183 is rep.ipa.grp (replica)
101.1.173 is srv.ipa.grp (IPA server)


--


--


--



Re: [Freeipa-users] Solaris 10 client auth (ssh + kerberos) not working

2014-09-09 Thread Natxo Asenjo
On Mon, Sep 8, 2014 at 11:44 AM, Gerardo Padierna asl.gera...@gmail.com
wrote:

  Hello folks,


hi,

I'm setting up an IPA-server instance aimed to be used primarily for
 Linux/Unix clients ssh authentication (with kerberos).
 I've managed to successfully set up debian clients (via sssd and also on
 older debians, through libnss and pam_krb5). But for some reason I can't
 authenticate ssh on Solaris10 clients.
 On the Solaris box, I've followed the steps outlined here:
 http://www.freeipa.org/page/ConfiguringUnixClients
 and the nss part works fine (things like getent [group | passwd] and id
 user work), but unfortunately, the ssh user authentication fails with an
 error:
 sshd auth.error PAM-KRB5 (auth): krb5_verify_init_creds failed: No such
 file or directory

 On the solaris clients, does there need to be a keytab in /etc/krb5/
 directory copied over from the IPA server?


I have integrated omnios (open solaris derivative) with ipa using these
notes:

http://test.asenjo.nl/index.php/Omnios_ipa_client

that info may or may not be useful for solaris 10 as I have zero experience
with older solaris versions. But in principle, yes, you need a host keytab
to login using kerberos SSO.

HTH.

-- 
Regards,
natxo

Re: [Freeipa-users] Solaris 10 client auth (ssh + kerberos) not working

2014-09-09 Thread Gerardo Padierna

Hi Mohammad,

This is for Solaris 11; it seems that some of the options for the 
pam.conf file are not available in Solaris 10 (I think it was the 
following options:

auth definitive pam_user_policy.so.1
account requiredpam_tsol_account.so.1
password required   pam_authtok_store.so.1
... had to remove them from the pam.conf file..)

Still didn't get the ssh auth to work...

This may be a stupid question, but do you know if the keytab file must 
be _exactly_ the same as in the IPA server, or does it only need to 
contain the entries relevant for the (solaris) client? According to the 
link you're pointing me to, it seems to just take from the server keytab 
file those entries relevant for the client, create a new keytab file 
with that content, and copy it over to the client. Is such a 'stripped 
down' keytab file supposed to work for the client's auth?


Regards,
Gerardo



El 08/09/14 a las #4, mohammad sereshki escribió:


hi
Please go ahead with below structure, It works!


Re: [Freeipa-users] Does Solaris 11 work as client to IPA server? 
https://www.redhat.com/archives/freeipa-users/2013-January/msg00021.html








*From:* Gerardo Padierna asl.gera...@gmail.com
*To:* freeipa-users@redhat.com
*Sent:* Monday, September 8, 2014 2:14 PM
*Subject:* [Freeipa-users] Solaris 10 client auth (ssh + kerberos) not 
working


Hello folks,

I'm setting up an IPA-server instance aimed to be used primarily for 
Linux/Unix clients ssh authentication (with kerberos).
I've managed to successfully set up debian clients (via sssd and also 
on older debians, through libnss and pam_krb5). But for some reason I 
can't authenticate ssh on Solaris10 clients.

On the Solaris box, I've followed the steps outlined here:
http://www.freeipa.org/page/ConfiguringUnixClients
and the nss part works fine (things like getent [group | passwd] and 
id user work), but unfortunately, the ssh user authentication fails 
with an error:
sshd auth.error PAM-KRB5 (auth): krb5_verify_init_creds failed: No 
such file or directory


On the solaris clients, does there need to be a keytab in /etc/krb5/ 
directory copied over from the IPA server? (I didn't have to set up a 
keytab file for the legacy debian clients, and in the solaris-clients 
doc previously mentioned, there's no mention of it). Well, since I 
read somewhere the keytab file need to be there, I copied it over from 
the IPA server to the solaris clients, Then I get a different error:

PAM-KRB5 (auth): krb5_verify_init_creds failed: Key table entry not found

This error seems to indicate that there isn't a matching entry found 
in the keytab file, so I added an entry for the solaris client, but 
I'm still getting the same 'Key table entry not found' error (it could 
be the entry I added is wrong, of course). But, for now, just want to 
be sure: On the solaris clients, do I need an /etc/krb5/krb5.keytab 
file?  (if yes, why not in the non-sssd Debian hosts then?)


Thanks in advance,
--
*Gerardo Padierna Nanclares*
Técnico de Sistemas (grupo ASL) - [Fujitsu / Logware]
Servicio de Sistemas de la Información (DGTI) - Generalitat Valenciana
C/.Castan Tobeñas 77 – 46018 Valencia – Edificio A
Tel: 961 208973
Email: asl.gera...@gmail.com





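The keytab question above (does a client keytab have to be a full copy of the server's, or only carry the client's own entries?) can be checked mechanically. As an added example, not code from the thread or from FreeIPA, the Python below builds two small keytabs in the version 2 (0x0502) file format from constructed sample data, parses them back and reports whether the host/<fqdn> entry the client's PAM-KRB5 verification looks up is present: a server keytab copied over as-is lacks it, while a keytab carrying only the client's own entry has it. The realm EXAMPLE.TEST, the hostnames and the key bytes are assumed placeholders.

```python
import struct
from collections import namedtuple

KEYTAB_MAGIC = b"\x05\x02"  # keytab format version 2: big-endian fields
KRB5_NT_PRINCIPAL = 1
ETYPE_AES256_CTS_HMAC_SHA1_96 = 18
FIXED_TIMESTAMP = 1410264000  # constructed sample value (seconds since epoch)

KeytabEntry = namedtuple("KeytabEntry", "principal kvno enctype key timestamp")


def _counted(data):
    """uint16 length prefix + bytes: the keytab 'counted octet string'."""
    return struct.pack(">H", len(data)) + data


def _read_counted(blob, pos):
    (n,) = struct.unpack_from(">H", blob, pos)
    pos += 2
    return blob[pos:pos + n], pos + n


def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key) tuples into keytab bytes."""
    out = bytearray(KEYTAB_MAGIC)
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for comp in comps:
            body += _counted(comp.encode())
        # name_type, timestamp, 8-bit kvno, then the keyblock (enctype + key)
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, FIXED_TIMESTAMP, kvno & 0xFF)
        body += struct.pack(">H", enctype) + _counted(key)
        body += struct.pack(">I", kvno)  # optional 32-bit kvno trailer
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(blob):
    """Parse keytab bytes into KeytabEntry records; deleted slots are skipped."""
    if blob[:2] != KEYTAB_MAGIC:
        raise ValueError("unsupported keytab version: %r" % blob[:2])
    pos, entries = 2, []
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size <= 0:  # a negative size marks a deleted entry of that length
            pos += -size
            continue
        end = pos + size
        (n_comps,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        realm, pos = _read_counted(blob, pos)
        comps = []
        for _ in range(n_comps):
            comp, pos = _read_counted(blob, pos)
            comps.append(comp.decode())
        _name_type, timestamp, vno8 = struct.unpack_from(">IIB", blob, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        key, pos = _read_counted(blob, pos)
        kvno = vno8
        if end - pos >= 4:  # 32-bit kvno trailer present, it overrides vno8
            (kvno,) = struct.unpack_from(">I", blob, pos)
        principal = "%s@%s" % ("/".join(comps), realm.decode())
        entries.append(KeytabEntry(principal, kvno, enctype, key, timestamp))
        pos = end
    return entries


def check_client_keytab(blob, client_fqdn, realm):
    """Report whether the keytab holds the client's host key, and which
    entries belong to other principals (keys a client has no need for)."""
    wanted = "host/%s@%s" % (client_fqdn, realm)
    principals = sorted({e.principal for e in parse_keytab(blob)})
    own_suffix = "/%s@%s" % (client_fqdn, realm)
    foreign = [p for p in principals if not p.endswith(own_suffix)]
    return {"has_host_entry": wanted in principals, "foreign_entries": foreign}


# Constructed sample keytabs (fake 32-byte keys, not real Kerberos material).
SERVER_KEYTAB = build_keytab([
    ("host/ipa.example.test@EXAMPLE.TEST", 3, ETYPE_AES256_CTS_HMAC_SHA1_96, b"\x11" * 32),
    ("ldap/ipa.example.test@EXAMPLE.TEST", 3, ETYPE_AES256_CTS_HMAC_SHA1_96, b"\x22" * 32),
])
CLIENT_KEYTAB = build_keytab([
    ("host/sol10.example.test@EXAMPLE.TEST", 1, ETYPE_AES256_CTS_HMAC_SHA1_96, b"\x33" * 32),
])

if __name__ == "__main__":
    for label, blob in (("server keytab copied as-is", SERVER_KEYTAB),
                        ("stripped-down client keytab", CLIENT_KEYTAB)):
        print(label, check_client_keytab(blob, "sol10.example.test", "EXAMPLE.TEST"))
```

The same parser can be pointed at a real /etc/krb5/krb5.keytab by reading the file into `blob`; an entry missing for host/<client fqdn> is what the "Key table entry not found" error reports.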

Re: [Freeipa-users] RHEL 7 Upgrade experience so far

2014-09-09 Thread Nicklas Björk
On 2014-08-28 10:58, Nicklas Björk wrote:
 2014-08-27T14:45:19Z DEBUG stderr=pkispawn: WARNING  ... unable
 to validate security domain user/password through REST interface.
 Interface not available

Digging a bit further I found the following in
/var/lib/pki-ca/logs/debug on the FreeIPA master. All lines share the
common prefix [09/Sep/2014:14:30:27][TP-Processor6].

CMSServlet:service() uri = /ca/agent/ca/updateDomainXML
CMSServlet::service() param name='name' value='/var/lib/pki/pki-tomcat'
CMSServlet::service() param name='ncsport' value='8443'
CMSServlet::service() param name='sport' value='None'
CMSServlet::service() param name='operation' value='remove'
CMSServlet::service() param name='adminsport' value='8443'
CMSServlet::service() param name='list' value='caList'
CMSServlet::service() param name='type' value='CA'
CMSServlet::service() param name='agentsport' value='8443'
CMSServlet::service() param name='host' value='replica.example.net'
CMSServlet: caUpdateDomainXML start to service.
UpdateDomainXML: processing...
UpdateDomainXML process: authentication starts
IP: 192.168.1.20
AuthMgrName: certUserDBAuthMgr
CMSServlet: retrieving SSL certificate
CMSServlet: certUID=CN=CA Subsystem,O=EXAMPLE.NET
CertUserDBAuth: started
CertUserDBAuth: Retrieving client certificate
CertUserDBAuth: Got client certificate
Authentication: client certificate found
In LdapBoundConnFactory::getConn()
masterConn is connected: true
getConn: conn is connected true
getConn: mNumConns now 2
returnConn: mNumConns now 3
SignedAuditEventFactory: create()
message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=certUserDBAuthMgr][AttemptedCred=CN=CA
Subsystem,O=EXAMPLE.NET] authentication failure

CMSServlet: curDate=Tue Sep 09 14:30:27 CEST 2014 id=caUpdateDomainXML
time=5


What kind of authentication is it complaining about, and is it possible
to repair it?



Nicklas




Re: [Freeipa-users] ACI for ipa-getkeytab

2014-09-09 Thread Rob Crittenden
James James wrote:
 My IPA version is 3.0.0 .
 Thanks

The permission 'Manage host keytab' should do the trick.

rob

 
 2014-09-09 1:22 GMT+02:00 Dmitri Pal d...@redhat.com
 mailto:d...@redhat.com:
 
 On 09/08/2014 06:52 PM, James James wrote:
 Hi everybody,

 I want a user to be able to do ipa-getkeytab to retrieve the keys
 from any host in the realm.

 How can I do this ?

 Where can I find an ACI example
 (https://www.redhat.com/archives/freeipa-users/2010-July/msg00024.html)
 which can help me?


 Thanks for your help.




 Which version of IPA?
 The reason for the question is that in FreeIPA 4.0 the ACIs
 were significantly reworked.
 
 -- 
 Thank you,
 Dmitri Pal
 
 Sr. Engineering Manager IdM portfolio
 Red Hat, Inc.
 
 
 
 
 
 



Re: [Freeipa-users] freeipa server install fails on fedora 20

2014-09-09 Thread Olga Kornievskaia
On Mon, Sep 8, 2014 at 7:41 PM, Dmitri Pal d...@redhat.com wrote:

  On 09/08/2014 07:29 PM, Olga Kornievskaia wrote:

 Thank you very much for your quick reply.

  It is a brand new fedora 20 vm.


 OK good.
 Can you send or share the ipa server installation log?


Can you please suggest how I can do that? My original post was rejected by
the administrator of this list because I've included the install log that
compressed was  over 5M.


 Are you using a cert from AD and trying to chain to an AD CA?


I'm not specifying any cert options on the install command (i.e. I'm using
the default certs supplied with the install).







  There is nothing that's running on port 443.

  catalina.out is empty
 system file is attached and reports that certificate is not in pkcs11
 format.
 pki-ca-spaw.XX.log does not appear to report errors  (also attached)

  Please let me know if I can enable any other debugging into that might
 be useful in figuring this out.

  Thank you.


 On Mon, Sep 8, 2014 at 5:50 PM, Dmitri Pal d...@redhat.com wrote:

  On 09/08/2014 03:49 PM, Olga Kornievskaia wrote:

  Can somebody help with the following problem(s) I’ve encountered while
 trying to install the freeipa server?

  Problem #1:
 On fedora 20, I have:
 1. using yum install acquired the free-ipa-server package.
 2. ran ipa-server-install
 — that has failed with “CA did not start in 300s”

  One thing that's noticeable in the logs (the snippet is included below)
 is that the request for
 'https://ipa1.gateway.2wire.net:443/ca/admin/ca/getStatus'

  has 443 as port, whereas before all the requests were for 8443 (e.g., the
 same (manual) request on port 8443 succeeds). Seems like an install script
 somewhere has the wrong port?


  443 is the right port.
 Do you have something already running on the same box on that port?
 That might prevent things from installing and running.

 Please try on a clean machine or VM.
 Also more logs will be helpful.
 Please see this [1] on how to troubleshoot.

 The second problem is most likely an artifact of the incomplete install.

 [1] http://www.freeipa.org/page/Troubleshooting


  2014-09-08T19:21:07Z DEBUG Waiting for CA to start...

 2014-09-08T19:21:08Z DEBUG request '
 https://ipa1.gateway.2wire.net:443/ca/admin/ca/getStatus'

 2014-09-08T19:21:08Z DEBUG request body ''

 2014-09-08T19:21:08Z DEBUG request status 503

 2014-09-08T19:21:08Z DEBUG request reason_phrase u'Service Unavailable'

 2014-09-08T19:21:08Z DEBUG request headers {'date': 'Mon, 08 Sep 2014
 19:21:08 GMT', 'content-length': '299', 'content-type': 'text/html;
 charset=iso-8859-1', 'connection': 'close', 'server': 'Apache/2.4.10
 (Fedora) mod_auth_kerb/5.4 mod_nss/2.4.6 NSS/3.15.3 Basic ECC mod_wsgi/3.5
 Python/2.7.5'}2014-09-08T19:21:08Z DEBUG request body '!DOCTYPE HTML
 PUBLIC -//IETF//DTD HTML 2.0//EN\nhtmlhead\ntitle503 Service
 Unavailable/title\n/headbody\nh1Service Unavailable/h1\npThe
 server is temporarily unable to service your\nrequest due to maintenance
 downtime or capacity\nproblems. Please try again
 later./p\n/body/html\n'

 2014-09-08T19:21:08Z DEBUG The CA status is: Service Unavailable

  Problem #2:
 The next problem I’m encountering and doesn’t seem to be related to the
 CA setup is on the next step of “kinit admin”. It fails with “generic pre
 authentication failure while getting initial credentials

  stracing kinit shows that it tried to open the file
 “/var/lib/sss/pubconf/kdcinfo.GATEWAY.2WIRE.NET” and
 fails with a “no such file” error.  The “pubconf” dir only has an empty
 “krb5.include.d”.

  I don’t know if this failure is due to the fact that the setup didn’t
 run all the way and some configuration is missing or this is a separate
 issue .

  Are these bugs that need to be filed in bugzilla or am I doing
 something incorrectly?

  Any help would be appreciated.

  Thank you.




  --
 Thank you,
 Dmitri Pal

 Sr. Engineering Manager IdM portfolio
 Red Hat, Inc.






 --
 Thank you,
 Dmitri Pal

 Sr. Engineering Manager IdM portfolio
 Red Hat, Inc.



[Freeipa-users] unhappy replication?

2014-09-09 Thread Kat

Anyone seen this before -- 2 freshly kicked CentOS 7 installs:

On the replica from the ipa-replica-install :

reports: Update failed! Status: [10 Total update abortedLDAP error: 
Referral]

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

and then the errors file for 389-ds

The remote replica has a different database generation ID than the 
local database.  You may have to reinitialize the remote replica, or the 
local replica.


~K



Re: [Freeipa-users] freeipa server install fails on fedora 20

2014-09-09 Thread Rob Crittenden
Olga Kornievskaia wrote:
 
 
 On Mon, Sep 8, 2014 at 7:41 PM, Dmitri Pal d...@redhat.com
 mailto:d...@redhat.com wrote:
 
 On 09/08/2014 07:29 PM, Olga Kornievskaia wrote:
 Thank you very much for your quick reply.

 It is a brand new fedora 20 vm.
 
 OK good.
 Can you send or share the ipa server installation log?
 
 
 Can you please suggest how I can do that? My original post was rejected
 by the administrator of this list because I've included the install log
 that compressed was  over 5M.

If you have a web/ftp server available you can put it there for download.

I'd look at the catalina.* logs in /var/log/pki/pki-tomcat and debug in
the ca subdirectory. Those are more likely to hold startup failures.

journalctl may hold information on why it didn't start too.

Incidentally, the second problem is likely related to the first. The
installation didn't succeed so the system state is indeterminate.

rob

 
 
 Are you using a cert from AD and trying to chain to an AD CA?
 
 
 I'm not specifying any cert options on the install command (i.e. I'm
 using the default certs supplied with the install).
 
  
 
 
 
 

 There is nothing that's running on port 443. 

 catalina.out is empty 
 system file is attached and reports that certificate is not in
 pkcs11 format.
 pki-ca-spaw.XX.log does not appear to report errors  (also attached)

 Please let me know if I can enable any other debugging into that
 might be useful in figuring this out.

 Thank you.


 On Mon, Sep 8, 2014 at 5:50 PM, Dmitri Pal d...@redhat.com wrote:

 On 09/08/2014 03:49 PM, Olga Kornievskaia wrote:
 Can somebody help with the following problem(s) I’ve
 encountered while trying to install the freeipa server?

 Problem #1:
 On fedora 20, I have:
 1. using yum install acquired the free-ipa-server package.
 2. ran ipa-server-install 
 — that has failed with “CA did not start in 300s”

 One thing that’s noticeable in the logs (the snippet is
 included below) is that the request for
 'https://ipa1.gateway.2wire.net:443/ca/admin/ca/getStatus'

 has 443 as port as for before all the requests for 8443
 (e.g., same (manual) request on port 8443 succeeds). Seems
 like an install script somewhere has the wrong port ?

 443 is the right port.
 Do you have something already running on the same box on that
 port?
 That might prevent things from installing and running.

 Please try on a clean machine or VM.
 Also more logs will be helpful.
 Please see this [1] on how to troubleshoot.

 The second problem is most likely an artifact of the
 incomplete install.

 [1] http://www.freeipa.org/page/Troubleshooting


 2014-09-08T19:21:07Z DEBUG Waiting for CA to start...

 2014-09-08T19:21:08Z DEBUG request
 'https://ipa1.gateway.2wire.net:443/ca/admin/ca/getStatus'

 2014-09-08T19:21:08Z DEBUG request body ''

 2014-09-08T19:21:08Z DEBUG request status 503

 2014-09-08T19:21:08Z DEBUG request reason_phrase u'Service
 Unavailable'

 2014-09-08T19:21:08Z DEBUG request headers {'date': 'Mon, 08
 Sep 2014 19:21:08 GMT', 'content-length': '299',
 'content-type': 'text/html; charset=iso-8859-1',
 'connection': 'close', 'server': 'Apache/2.4.10 (Fedora)
 mod_auth_kerb/5.4 mod_nss/2.4.6 NSS/3.15.3 Basic ECC
 mod_wsgi/3.5 Python/2.7.5'}2014-09-08T19:21:08Z DEBUG request
 body '!DOCTYPE HTML PUBLIC -//IETF//DTD HTML
 2.0//EN\nhtmlhead\ntitle503 Service
 Unavailable/title\n/headbody\nh1Service
 Unavailable/h1\npThe server is temporarily unable to
 service your\nrequest due to maintenance downtime or
 capacity\nproblems. Please try again
 later./p\n/body/html\n'

 2014-09-08T19:21:08Z DEBUG The CA status is: Service Unavailable


 Problem #2:
 The next problem I’m encountering and doesn’t seem to be
 related to the CA setup is on the next step of “kinit admin”.
 It fails with “generic pre authentication failure while
 getting initial credentials

 stracing kinit shows that it tried to open file
 “/var/lib/sss/pubconf/kdcinfo.GATEWAY.2WIRE.NET” and fails with “no such
 file” error.  “pubconf” dir only has empty “krb5.include.d”.

 I don’t know if this failure is due to the fact that the
 setup didn’t run all the way and some configuration is
 missing or this is a separate issue .

 Are these bugs that need to be filed with bugzilla or am I
 doing something incorrectly?

 Any help would be appreciated. 

 

Re: [Freeipa-users] ACI for ipa-getkeytab

2014-09-09 Thread Rob Crittenden
James James wrote:
 My user : realm-proxy is in a group (Smart Proxy Host Management) which
 has the Manage host keytab permission :
 
   Permission name: Manage host keytab
   Permissions: write
   Attributes: krbprincipalkey, krblastpwdchange
   Type: host
   Granted to Privilege: Host Administrators, Host Enrollment, Smart
 Proxy Host Management
 
 
 When I try to retrieve a keytab from another host when my principal is
 the realm-proxy :
 
 
 [root@client1 ~]#  kinit realm-pr...@example.com -k -t /tmp/freeipa.keytab
 
 [root@client1 ~]# klist
 
 Ticket cache: KEYRING:persistent:0:0
 Default principal: realm-pr...@example.com
 
 Valid starting   Expires  Service principal
 09/09/2014 14:35:50  09/10/2014 14:35:50  krbtgt/example@example.com
 
 [root@client1 ~]# ipa-getkeytab  --server=ipa.example.com --principal=host/client1.example.com --keytab=/etc/krb5.keytab
 Operation failed! Insufficient access rights
 
 
 I can't retrieve the key ..

I'd need to see the smart-proxy user, show --all --raw would be best.

I just tested this on a RHEL-6 instance I had handy and it worked fine:

# ipa user-add --first=test --last=user tuser1 --password
# ipa role-add 'host keytab' --desc 'manage host keytabs'
# ipa privilege-add 'manage host keytab' --desc 'manage host keytabs'
# ipa privilege-add-permission 'manage host keytab'
--permissions='manage host keytab'
# ipa role-add-privilege 'host keytab' --privileges='manage host keytab'
# ipa role-add-member --users=tuser1 'host keytab'
# kinit tuser1
# ipa-getkeytab -s `hostname` -k /tmp/test.keytab -p host/test.example.com
Keytab successfully retrieved and stored in: /tmp/test.keytab

rob

 
 2014-09-09 16:14 GMT+02:00 Rob Crittenden rcrit...@redhat.com:
 
 James James wrote:
  My IPA version is 3.0.0 .
  Thanks
 
 The permission 'Manage host keytab' should do the trick.
 
 rob
 
 
  2014-09-09 1:22 GMT+02:00 Dmitri Pal d...@redhat.com:
 
  On 09/08/2014 06:52 PM, James James wrote:
  Hi everybody,
 
  I want a user to be able to do ipa-getkeytab to retrieve the keys
  from any host in the realm.
 
  How can I do this ?
 
  Where I can find an ACI example

  (https://www.redhat.com/archives/freeipa-users/2010-July/msg00024.html)
  which can help me ?
 
 
  Thanks for your help.
 
 
 
 
  Which version of IPA?
  The reason for the question is that in FreeIPA 4.0 the ACIs
  were significantly reworked.
 
 
 
 
 
 
 



Re: [Freeipa-users] unhappy replication?

2014-09-09 Thread Rich Megginson

On 09/09/2014 08:39 AM, Kat wrote:

Anyone seen this before -- 2 freshly kicked CentOS 7 installs:

On the replica from the ipa-replica-install :

reports: Update failed! Status: [10 Total update abortedLDAP error: 
Referral]

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.


Is it possible that the replica was being initialized by another 
replica, or you tried to initialize it again while a replica init was 
already running?  Error 10 Referral is returned by a replica when you 
attempt an ldap operation against it while it is being initialized i.e. 
the database is locked, so any other operation gets a busy signal and 
a referral to another replica.




and then the errors file for 389-ds

The remote replica has a different database generation ID than the 
local database.  You may have to reinitialize the remote replica, or 
the local replica.


This just means the replica has not been initialized yet.



~K





Re: [Freeipa-users] unhappy replication?

2014-09-09 Thread Kat
This brings up a question - if I just installed a master -- shouldn't I 
be able to create the replica immediately after (even if I did a 
migration from an old LDAP server?)  Am I looking at some sort of wait 
until I'm done.. condition with the primary server?


This is the only other replica so there is nothing there.  I guess time 
to go digging around.  It is 3.3.3 on CentOS 7..


I'll let you know if I find anything else.

Thanks.

On 9/9/14 7:56 AM, Rich Megginson wrote:

On 09/09/2014 08:39 AM, Kat wrote:

Anyone seen this before -- 2 freshly kicked CentOS 7 installs:

On the replica from the ipa-replica-install :

reports: Update failed! Status: [10 Total update abortedLDAP error: 
Referral]

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.


Is it possible that the replica was being initialized by another 
replica, or you tried to initialize it again while a replica init was 
already running?  Error 10 Referral is returned by a replica when you 
attempt an ldap operation against it while it is being initialized 
i.e. the database is locked, so any other operation gets a busy 
signal and a referral to another replica.




and then the errors file for 389-ds

The remote replica has a different database generation ID than the 
local database.  You may have to reinitialize the remote replica, or 
the local replica.


This just means the replica has not been initialized yet.



~K







Re: [Freeipa-users] unhappy replication?

2014-09-09 Thread Rich Megginson

On 09/09/2014 09:20 AM, Kat wrote:
This brings up a question - if I just installed a master -- shouldn't 
I be able to create the replica immediately after (even if I did a 
migration from an old LDAP server?) 


Yes.

Am I looking at some sort of wait until I'm done.. condition with 
the primary server?


Well, it depends.  Did you get the [10 Total update abortedLDAP error: 
Referral] from the primary or the secondary?




This is the only other replica so there is nothing there.  I guess 
time to go digging around.  It is 3.3.3 on CentOS 7..


I'll let you know if I find anything else.

Thanks.

On 9/9/14 7:56 AM, Rich Megginson wrote:

On 09/09/2014 08:39 AM, Kat wrote:

Anyone seen this before -- 2 freshly kicked CentOS 7 installs:

On the replica from the ipa-replica-install :

reports: Update failed! Status: [10 Total update abortedLDAP error: 
Referral]

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.


Is it possible that the replica was being initialized by another 
replica, or you tried to initialize it again while a replica init was 
already running?  Error 10 Referral is returned by a replica when you 
attempt an ldap operation against it while it is being initialized 
i.e. the database is locked, so any other operation gets a busy 
signal and a referral to another replica.




and then the errors file for 389-ds

The remote replica has a different database generation ID than the 
local database.  You may have to reinitialize the remote replica, or 
the local replica.


This just means the replica has not been initialized yet.



~K









Re: [Freeipa-users] freeipa server install fails on fedora 20

2014-09-09 Thread Olga Kornievskaia
On Tue, Sep 9, 2014 at 10:41 AM, Rob Crittenden rcrit...@redhat.com wrote:

 Olga Kornievskaia wrote:
 
 
  On Mon, Sep 8, 2014 at 7:41 PM, Dmitri Pal d...@redhat.com wrote:
 
  On 09/08/2014 07:29 PM, Olga Kornievskaia wrote:
  Thank you very much for your quick reply.
 
  It is a brand new fedora 20 vm.
 
  OK good.
  Can you send or share the ipa server installation log?
 
 
  Can you please suggest how I can do that? My original post was rejected
  by the administrator of this list because I've included the install log
  that compressed was  over 5M.

 If you have a web/ftp server available you can put it there for download.


I have put the files in google drive and they should be accessible via this
link:
freeipa-install-logs -
https://drive.google.com/folderview?id=0B7NX-2naBL7GWXVIOS11YnZLZWMusp=sharing

Please let me know if there are problems accessing it.



 I'd look at the catalina.* logs in /var/log/pki/pki-tomcat and debug in
 the ca subdirectory. Those are more likely to hold startup failures.


I have included the debug, ca-spawn, and snippet of journalctl output
files. Personally, I wasn't able to find any error messages in there.

Thank you.


 journalctl may hold information on why it didn't start too.

 Incidentally, the second problem is likely related to the first. The
 installation didn't succeed so the system state is indeterminate.




 rob

 
 
  Are you using a cert from AD and trying to chain to an AD CA?
 
 
  I'm not specifying any cert options on the install command (i.e. I'm
  using the default certs supplied with the install).
 
 
 
 
 
 
 
  There is nothing that's running on port 443.
 
  catalina.out is empty
  system file is attached and reports that certificate is not in
  pkcs11 format.
  pki-ca-spaw.XX.log does not appear to report errors  (also attached)
 
  Please let me know if I can enable any other debugging into that
  might be useful in figuring this out.
 
  Thank you.
 
 
  On Mon, Sep 8, 2014 at 5:50 PM, Dmitri Pal d...@redhat.com wrote:
 
  On 09/08/2014 03:49 PM, Olga Kornievskaia wrote:
  Can somebody help with the following problem(s) I’ve
  encountered while trying to install the freeipa server?
 
  Problem #1:
  On fedora 20, I have:
  1. using yum install acquired the free-ipa-server package.
  2. ran ipa-server-install
  — that has failed with “CA did not start in 300s”
 
  One thing that’s noticeable in the logs (the snippet is
  included below) is that the request for
  'https://ipa1.gateway.2wire.net:443/ca/admin/ca/getStatus'
 
  has 443 as port as for before all the requests for 8443
  (e.g., same (manual) request on port 8443 succeeds). Seems
  like an install script somewhere has the wrong port ?
 
  443 is the right port.
  Do you have something already running on the same box on that
  port?
  That might prevent things from installing and running.
 
  Please try on a clean machine or VM.
  Also more logs will be helpful.
  Please see this [1] on how to troubleshoot.
 
  The second problem is most likely an artifact of the
  incomplete install.
 
  [1] http://www.freeipa.org/page/Troubleshooting
 
 
  2014-09-08T19:21:07Z DEBUG Waiting for CA to start...
 
  2014-09-08T19:21:08Z DEBUG request
  'https://ipa1.gateway.2wire.net:443/ca/admin/ca/getStatus'
 
  2014-09-08T19:21:08Z DEBUG request body ''
 
  2014-09-08T19:21:08Z DEBUG request status 503
 
  2014-09-08T19:21:08Z DEBUG request reason_phrase u'Service
  Unavailable'
 
  2014-09-08T19:21:08Z DEBUG request headers {'date': 'Mon, 08
  Sep 2014 19:21:08 GMT', 'content-length': '299',
  'content-type': 'text/html; charset=iso-8859-1',
  'connection': 'close', 'server': 'Apache/2.4.10 (Fedora)
  mod_auth_kerb/5.4 mod_nss/2.4.6 NSS/3.15.3 Basic ECC
  mod_wsgi/3.5 Python/2.7.5'}2014-09-08T19:21:08Z DEBUG request
  body '!DOCTYPE HTML PUBLIC -//IETF//DTD HTML
  2.0//EN\nhtmlhead\ntitle503 Service
  Unavailable/title\n/headbody\nh1Service
  Unavailable/h1\npThe server is temporarily unable to
  service your\nrequest due to maintenance downtime or
  capacity\nproblems. Please try again
  later./p\n/body/html\n'
 
  2014-09-08T19:21:08Z DEBUG The CA status is: Service
 Unavailable
 
 
  Problem #2:
  The next problem I’m encountering and doesn’t seem to be
  related to the CA setup is on the next step of “kinit admin”.
  It fails with “generic pre authentication failure while
  getting initial credentials
 
  

Re: [Freeipa-users] unhappy replication?

2014-09-09 Thread Kat

Well - here is the problem and solution:

Fails every time:

Install master, enable migration, migrate existing LDAP config/users, 
setup replication, fails.


Works every time:

Install master, setup replication, enable migration, migrate existing 
LDAP config/users, works perfectly.


So -- a problem with migration settings??

On 9/9/14 8:25 AM, Rich Megginson wrote:

On 09/09/2014 09:20 AM, Kat wrote:
This brings up a question - if I just installed a master -- shouldn't 
I be able to create the replica immediately after (even if I did a 
migration from an old LDAP server?) 


Yes.

Am I looking at some sort of wait until I'm done.. condition with 
the primary server?


Well, it depends.  Did you get the [10 Total update abortedLDAP 
error: Referral] from the primary or the secondary?




This is the only other replica so there is nothing there.  I guess 
time to go digging around.  It is 3.3.3 on CentOS 7..


I'll let you know if I find anything else.

Thanks.

On 9/9/14 7:56 AM, Rich Megginson wrote:

On 09/09/2014 08:39 AM, Kat wrote:

Anyone seen this before -- 2 freshly kicked CentOS 7 installs:

On the replica from the ipa-replica-install :

reports: Update failed! Status: [10 Total update abortedLDAP error: 
Referral]

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.


Is it possible that the replica was being initialized by another 
replica, or you tried to initialize it again while a replica init 
was already running?  Error 10 Referral is returned by a replica 
when you attempt an ldap operation against it while it is being 
initialized i.e. the database is locked, so any other operation gets 
a busy signal and a referral to another replica.




and then the errors file for 389-ds

The remote replica has a different database generation ID than the 
local database.  You may have to reinitialize the remote replica, 
or the local replica.


This just means the replica has not been initialized yet.



~K











Re: [Freeipa-users] unhappy replication?

2014-09-09 Thread Kat
The problem I see is simple - not being able to add additional replicas 
after the migration?


On 9/9/14 9:24 AM, Rich Megginson wrote:

On 09/09/2014 10:12 AM, Kat wrote:

Well - here is the problem and solution:

Fails every time:

Install master, enable migration, migrate existing LDAP config/users, 
setup replication, fails.


Works every time:

Install master, setup replication, enable migration, migrate existing 
LDAP config/users, works perfectly.


So -- a problem with migration settings??


Could be.  Is it a problem if the only way you can successfully set 
things up is to do the latter procedure?




Re: [Freeipa-users] unhappy replication?

2014-09-09 Thread Rich Megginson

On 09/09/2014 10:41 AM, Kat wrote:
The problem I see is simple - not being able to add additional 
replicas after the migration?


What I meant to say is - Is the workaround of setting replication first, 
then doing migration, acceptable?




On 9/9/14 9:24 AM, Rich Megginson wrote:

On 09/09/2014 10:12 AM, Kat wrote:

Well - here is the problem and solution:

Fails every time:

Install master, enable migration, migrate existing LDAP 
config/users, setup replication, fails.


Works every time:

Install master, setup replication, enable migration, migrate 
existing LDAP config/users, works perfectly.


So -- a problem with migration settings??


Could be.  Is it a problem if the only way you can successfully set 
things up is to do the latter procedure?






[Freeipa-users] IPA Version 3.0.0 Allow Self-Signed Certificates

2014-09-09 Thread Eric Hart
I'm trying to find a way to enable FreeIPA to allow Self-Signed
Certificates.  I haven't found a way to enable that capability yet..

I've manually edited configuration files within
/etc/dirsrv/slapd-EXAMPLE-COM, specifically the nsslapd-ssl-check-hostname,
nsslapd-validate-cert options set to off and warn respectively.

Not allowing self-signed certificates has caused me to not be able to
establish a replicated server or integrate a device for SSO that provides a
self signed certificate.

Thanks for any input or insight,
Eric

Re: [Freeipa-users] Solaris 10 client auth (ssh + kerberos) not working

2014-09-09 Thread mohammad sereshki



Dear 

below must be configured in the pam.conf; also each host needs a separate keytab,
Solaris 11 is the same as Solaris 10





login   auth requisite  pam_authtok_get.so.1
login   auth required   pam_dhkeys.so.1
login   auth required   pam_unix_cred.so.1
login   auth sufficient pam_krb5.so.1   try_first_pass
login   auth required   pam_unix_auth.so.1
login   auth required   pam_dial_auth.so.1
rlogin  auth sufficient pam_rhosts_auth.so.1
rlogin  auth requisite  pam_authtok_get.so.1
rlogin  auth required   pam_dhkeys.so.1
rlogin  auth required   pam_unix_cred.so.1
rlogin  auth required   pam_unix_auth.so.1
krlogin auth required   pam_unix_cred.so.1
krlogin auth required   pam_krb5.so.1
rsh     auth sufficient pam_rhosts_auth.so.1
rsh     auth required   pam_unix_cred.so.1
krsh    auth required   pam_unix_cred.so.1
krsh    auth required   pam_krb5.so.1
ktelnet auth required   pam_unix_cred.so.1
ktelnet auth required   pam_krb5.so.1
ppp     auth requisite  pam_authtok_get.so.1
ppp     auth required   pam_dhkeys.so.1
ppp     auth required   pam_unix_cred.so.1
ppp     auth required   pam_unix_auth.so.1
ppp     auth required   pam_dial_auth.so.1
other   auth requisite  pam_authtok_get.so.1
other   auth required   pam_dhkeys.so.1
other   auth required   pam_unix_cred.so.1
other   auth sufficient pam_krb5.so.1
other   auth required   pam_unix_auth.so.1
passwd  auth required   pam_passwd_auth.so.1
cron    account required    pam_unix_account.so.1
other   account requisite   pam_roles.so.1
other   account required    pam_unix_account.so.1
other   account sufficient  pam_krb5.so.1
other   account required    pam_tsol_account.so.1
other   session required    pam_unix_session.so.1
other   password required   pam_dhkeys.so.1
other   password requisite  pam_authtok_get.so.1
other   password requisite  pam_authtok_check.so.1 force_check
other   password sufficient pam_krb5.so.1
other   password required   pam_authtok_store.so.1





 From: Gerardo Padierna asl.gera...@gmail.com
To: mohammad sereshki mohammadseres...@yahoo.com; freeipa-users@redhat.com 
freeipa-users@redhat.com 
Sent: Tuesday, September 9, 2014 2:49 PM
Subject: Re: [Freeipa-users] Solaris 10 client auth (ssh + kerberos) not working
 


Hi Mohammad,

This is for Solaris 11; it seems that some of the options for the
pam.conf file are not available in Solaris 10 (I think it was the
following options:
auth definitive pam_user_policy.so.1
account required pam_tsol_account.so.1
password required pam_authtok_store.so.1
... had to remove them from the pam.conf file..)

Still didn't get the ssh auth to work... 

This may be a stupid question, but do you know if the keytab file
must be _exactly_ the same as in the IPA server, or does it only
need to contain the entries relevant for the (solaris) client?
According to the link you're pointing me to, it seems to just take
from the server keytab file those entries relevant for the client,
create a new keytab file with that content, and copy it over to the
client. Is such a 'stripped down' keytab file supposed to work for
the client's auth?

Regards,
Gerardo




On 08/09/14 at #4, mohammad sereshki wrote:



hi
Please go ahead with below structure, It works!





Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?




 From: Gerardo Padierna asl.gera...@gmail.com
To: freeipa-users@redhat.com 
Sent: Monday, September 8, 2014 2:14 PM
Subject: [Freeipa-users] Solaris 10 client auth (ssh + kerberos) not working
 


Hello folks,

I'm setting up an IPA-server instance aimed to be used
primarily for Linux/Unix clients ssh authentication
(with kerberos).
I've managed to successfully set up debian clients
(via sssd and also on older debians, through libnss
and pam_krb5). But for some reason I can't
authenticate ssh on Solaris10 clients.
On the Solaris box, I've followed the steps outlined
here:
http://www.freeipa.org/page/ConfiguringUnixClients
and the nss part works fine (things like getent [group
| passwd] and id user work), but
unfortunately, the ssh user authentication fails with
an error:
sshd auth.error PAM-KRB5 (auth):
  

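Gerardo's keytab question above, worked through as an added example (my code, not the thread's or FreeIPA's): a parser for the MIT keytab file format (version 0x0502, as described in keytab(5)) that lists every entry and flags any principal that is not a service principal of the client itself, so a "stripped down" client keytab can be checked for keys that belong to other hosts. The keytab bytes, the host names sol10.example.com and ipa.example.com, and the zero-filled keys are constructed in memory; a real file would be passed in as the bytes of open(path, "rb").read().

```python
"""Parse an MIT-format keytab (file format 0x0502) and flag entries that do
not belong to a given client host.

Added example; not code from the thread or the FreeIPA project. Layout per
MIT Kerberos keytab(5); the sample keytab, host names and zero-filled keys
below are constructed in memory.
"""
import struct

KEYTAB_VERSION = 0x0502
ENCTYPE_NAMES = {17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}


def _counted(data):
    """counted_octet_string: uint16 big-endian length, then the bytes."""
    return struct.pack(">H", len(data)) + data


def _take(blob, pos):
    """Read one counted_octet_string at pos; return (bytes, new_pos)."""
    (n,) = struct.unpack_from(">H", blob, pos)
    return blob[pos + 2:pos + 2 + n], pos + 2 + n


def build_entry(principal, kvno, enctype, key, timestamp=0):
    """Serialise one keytab entry (used here only to construct the sample)."""
    name, realm = principal.rsplit("@", 1)
    components = name.split("/")
    body = struct.pack(">H", len(components)) + _counted(realm.encode())
    for comp in components:
        body += _counted(comp.encode())
    body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)  # NT-PRINCIPAL, time, vno8
    body += struct.pack(">H", enctype) + _counted(key)      # keyblock
    body += struct.pack(">I", kvno)                         # 32-bit vno extension
    return struct.pack(">i", len(body)) + body              # size excludes itself


def build_keytab(entries):
    """entries: iterable of (principal, kvno, enctype, key_bytes)."""
    return struct.pack(">H", KEYTAB_VERSION) + b"".join(build_entry(*e) for e in entries)


def parse_keytab(blob):
    """One dict per live entry. A negative size marks a deleted slot of that
    many bytes (removed entries are marked, not compacted); those are skipped."""
    (version,) = struct.unpack_from(">H", blob, 0)
    if version != KEYTAB_VERSION:
        raise ValueError("unsupported keytab version 0x%04x" % version)
    pos, entries = 2, []
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size <= 0:
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", blob, pos)
        realm, pos = _take(blob, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _take(blob, pos)
            comps.append(comp.decode())
        _name_type, timestamp, vno8 = struct.unpack_from(">IIB", blob, pos)
        (enctype,) = struct.unpack_from(">H", blob, pos + 9)
        key, pos = _take(blob, pos + 11)
        kvno = vno8
        if end - pos >= 4:                      # optional 32-bit vno follows
            (vno32,) = struct.unpack_from(">I", blob, pos)
            kvno = vno32 or vno8
        pos = end
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "components": comps, "realm": realm.decode(), "kvno": kvno,
            "enctype": enctype, "enctype_name": ENCTYPE_NAMES.get(enctype, str(enctype)),
            "key_len": len(key), "timestamp": timestamp,
        })
    return entries


def entries_not_for_host(blob, fqdn):
    """Entries whose principal is not <service>/<fqdn>@REALM for this host.
    A client keytab should carry only its own keys: an extra host's key in it
    lets anyone who can read the file act as that other host."""
    fqdn = fqdn.lower()
    return [e for e in parse_keytab(blob)
            if not (len(e["components"]) == 2 and e["components"][1].lower() == fqdn)]


# Constructed sample: the client's own host keys plus one entry copied from the
# IPA server, the kind of leftover a stripped-down client keytab must not keep.
SAMPLE_KEYTAB = build_keytab([
    ("host/sol10.example.com@EXAMPLE.COM", 2, 18, bytes(32)),
    ("host/sol10.example.com@EXAMPLE.COM", 2, 17, bytes(16)),
    ("host/ipa.example.com@EXAMPLE.COM", 5, 18, bytes(32)),
])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(e["principal"], "kvno", e["kvno"], e["enctype_name"])
    print("not for sol10:", [e["principal"] for e in
                             entries_not_for_host(SAMPLE_KEYTAB, "sol10.example.com")])
```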
Re: [Freeipa-users] Sane request?

2014-09-09 Thread Dmitri Pal

On 09/08/2014 08:02 PM, Nordgren, Bryce L -FS wrote:


Is it sane to request that freeipa store ssh keys for users who come 
into the environment via a trust? Not all of them, of course, but 
those who want to store public keys there.


My freeipa server is mostly there to manage machines, and users (incl. 
me) mostly come in over trusts from the corporate AD. It'd sure be 
nice if I could put my laptop's public key on the freeipa server and 
use it everywhere.




You are talking about this, right?
https://fedorahosted.org/freeipa/ticket/4509


Food for thought.

Bryce





This electronic message contains information generated by the USDA 
solely for the intended recipients. Any unauthorized interception of 
this message or the use or disclosure of the information it contains 
may violate the law and subject the violator to civil or criminal 
penalties. If you believe you have received this message in error, 
please notify the sender and delete the email immediately.






--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.


Re: [Freeipa-users] ACI for ipa-getkeytab

2014-09-09 Thread James James
SOLVED.

realm-proxy has to be an indirect member of:
memberofindirect: cn=manage host keytab,cn=privileges,cn=pbac,dc=example,dc=com

Thanks for your help.

2014-09-09 16:59 GMT+02:00 Rob Crittenden rcrit...@redhat.com:

 James James wrote:
  My user : realm-proxy is in a group (Smart Proxy Host Management) which
  has the Manage host keytab permission :
 
Permission name: Manage host keytab
Permissions: write
Attributes: krbprincipalkey, krblastpwdchange
Type: host
Granted to Privilege: Host Administrators, Host Enrollment, Smart
  Proxy Host Management
 
 
  When I try to retrieve a keytab from another host when my principal is
  the realm-proxy :
 
 
  [root@client1 ~]#  kinit realm-pr...@example.com -k -t /tmp/freeipa.keytab
 
  [root@client1 ~]# klist
 
  Ticket cache: KEYRING:persistent:0:0
  Default principal: realm-pr...@example.com
 
  Valid starting   Expires  Service principal
  09/09/2014 14:35:50  09/10/2014 14:35:50  krbtgt/example@example.com
 
  [root@client1 ~]# ipa-getkeytab  --server=ipa.example.com --principal=host/client1.example.com --keytab=/etc/krb5.keytab
  Operation failed! Insufficient access rights
 
 
  I can't retrieve the key ..

 I'd need to see the smart-proxy user, show --all --raw would be best.

 I just tested this on a RHEL-6 instance I had handy and it worked fine:

 # ipa user-add --first=test --last=user tuser1 --password
 # ipa role-add 'host keytab' --desc 'manage host keytabs'
 # ipa privilege-add 'manage host keytab' --desc 'manage host keytabs'
 # ipa privilege-add-permission 'manage host keytab'
 --permissions='manage host keytab'
 # ipa role-add-privilege 'host keytab' --privileges='manage host keytab'
 # ipa role-add-member --users=tuser1 'host keytab'
 # kinit tuser1
 # ipa-getkeytab -s `hostname` -k /tmp/test.keytab -p host/test.example.com
 Keytab successfully retrieved and stored in: /tmp/test.keytab

 rob

 
  2014-09-09 16:14 GMT+02:00 Rob Crittenden rcrit...@redhat.com:
 
  James James wrote:
   My IPA version is 3.0.0 .
   Thanks
 
  The permission 'Manage host keytab' should do the trick.
 
  rob
 
  
   2014-09-09 1:22 GMT+02:00 Dmitri Pal d...@redhat.com:
  
   On 09/08/2014 06:52 PM, James James wrote:
   Hi everybody,
  
   I want a user to be able to do ipa-getkeytab to retrieve the
 keys
   from any host in the realm.
  
   How can I do this ?
  
   Where I can find an ACI example
  
   (
 https://www.redhat.com/archives/freeipa-users/2010-July/msg00024.html)
   which can help me ?
  
  
   Thanks for your help.
  
  
  
  
   Which version of IPA?
   The reason for the question is that in FreeIPA 4.0 the
 ACIs
   were significantly reworked.
  
  
  
  
  
 
 


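To check the chain Rob's commands build (user, role, privilege, permission) from the `--all --raw` output he asked for, here is an added example (my code, not the thread's or FreeIPA's) that parses that output and reports whether the memberofindirect line from the SOLVED message is present. Both sample outputs, the role name "host keytab" and the user realm-proxy are constructed, not captured from a server.

```python
"""Check a FreeIPA user's RBAC chain (role -> privilege -> permission) from
the output of `ipa user-show <user> --all --raw`.

Added example; not code from the thread or the FreeIPA project. Both sample
outputs below are constructed by hand, not captured from a server.
"""
import re
from collections import defaultdict

# Constructed: a user who reaches the privilege through a role, as in the
# "SOLVED" message (memberofindirect on the privilege and its permission).
SAMPLE_OK = """\
  dn: uid=realm-proxy,cn=users,cn=accounts,dc=example,dc=com
  uid: realm-proxy
  memberof: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com
  memberof: cn=host keytab,cn=roles,cn=accounts,dc=example,dc=com
  memberofindirect: cn=manage host keytab,cn=privileges,cn=pbac,dc=example,dc=com
  memberofindirect: cn=manage host keytab,cn=permissions,cn=pbac,dc=example,dc=com
"""

# Constructed: a user who is only in a plain group; no role, so no privilege
# is inherited and ipa-getkeytab is refused with "Insufficient access rights".
SAMPLE_NO_ROLE = """\
  dn: uid=realm-proxy,cn=users,cn=accounts,dc=example,dc=com
  uid: realm-proxy
  memberof: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com
  memberof: cn=smart proxy host management,cn=groups,cn=accounts,dc=example,dc=com
"""


def parse_raw(text):
    """Turn `attr: value` lines into {attr_lowercase: [values]}."""
    attrs = defaultdict(list)
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and key:
            attrs[key.strip().lower()].append(value.strip())
    return attrs


def split_dn(dn):
    """Split a DN into lower-cased (attr, value) RDNs on unescaped commas.
    IPA's RBAC containers carry no escaped commas, so this is enough here."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def classify(dn):
    """Map a membership DN to ('role'|'group'|'privilege'|'permission', name),
    or None for anything outside those containers."""
    rdns = split_dn(dn)
    if len(rdns) < 3 or rdns[0][0] != "cn":
        return None
    kinds = {
        (("cn", "roles"), ("cn", "accounts")): "role",
        (("cn", "groups"), ("cn", "accounts")): "group",
        (("cn", "privileges"), ("cn", "pbac")): "privilege",
        (("cn", "permissions"), ("cn", "pbac")): "permission",
    }
    kind = kinds.get((rdns[1], rdns[2]))
    return (kind, rdns[0][1]) if kind else None


def membership(raw_text):
    """Direct (memberof) and nested (memberofindirect) membership by kind."""
    result = {"role": set(), "group": set(), "privilege": set(), "permission": set()}
    attrs = parse_raw(raw_text)
    for attr in ("memberof", "memberofindirect"):
        for dn in attrs.get(attr, []):
            classified = classify(dn)
            if classified:
                result[classified[0]].add(classified[1])
    return result


def holds_privilege(raw_text, privilege="manage host keytab"):
    """True when the privilege shows up in memberof or memberofindirect.
    Membership of a plain group is not enough; the user (or its group) must
    be in a role that carries the privilege, which is what the thread found."""
    return privilege.lower() in membership(raw_text)["privilege"]


def explain(raw_text, privilege="manage host keytab"):
    """Short summary for an operator reviewing least privilege."""
    m = membership(raw_text)
    return "\n".join([
        "roles: %s" % (sorted(m["role"]) or "-"),
        "privileges: %s" % (sorted(m["privilege"]) or "-"),
        "permissions: %s" % (sorted(m["permission"]) or "-"),
        "has '%s': %s" % (privilege, holds_privilege(raw_text, privilege)),
    ])


if __name__ == "__main__":
    print(explain(SAMPLE_OK))
    print()
    print(explain(SAMPLE_NO_ROLE))
```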

Re: [Freeipa-users] Sane request?

2014-09-09 Thread Nordgren, Bryce L -FS
Sweet! Yes I am apparently talking about that. Consider this an independent 
request for that. :)


You are talking about this, right?
https://fedorahosted.org/freeipa/ticket/4509









Re: [Freeipa-users] unhappy replication?

2014-09-09 Thread Dmitri Pal

On 09/09/2014 12:55 PM, Rich Megginson wrote:

On 09/09/2014 10:41 AM, Kat wrote:
The problem I see is simple - not being able to add additional 
replicas after the migration?


What I meant to say is - Is the workaround of setting replication 
first, then doing migration, acceptable?




On 9/9/14 9:24 AM, Rich Megginson wrote:

On 09/09/2014 10:12 AM, Kat wrote:

Well - here is the problem and solution:

Fails every time:

Install master, enable migration, migrate existing LDAP 
config/users, setup replication, fails.


Works every time:

Install master, setup replication, enable migration, migrate 
existing LDAP config/users, works perfectly.


So -- a problem with migration settings??


Could be.  Is it a problem if the only way you can successfully set 
things up is to do the latter procedure?

Would be nice to test this scenario at some point and reproduce it.
I do not think the workaround is acceptable. One should be able to add 
the replicas after migration.
Is this a timing issue? I mean can you add replica next day for example 
or never?
If you never can add a replica after migration it is a problem and we
should fix it. If you can't just for a short period of time then we
should probably file a ticket and process it later.


--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.



Re: [Freeipa-users] Sane request?

2014-09-09 Thread Dmitri Pal

On 09/09/2014 05:21 PM, Nordgren, Bryce L -FS wrote:


Sweet! Yes I am apparently talking about that. Consider this an 
independent request for that. J

Please add a comment to the ticket that you are an independent
requester of this feature.


You are talking about this, right?
https://fedorahosted.org/freeipa/ticket/4509


--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.


Re: [Freeipa-users] unhappy replication?

2014-09-09 Thread Kat

On 9/9/14 3:18 PM, Dmitri Pal wrote:

On 09/09/2014 12:55 PM, Rich Megginson wrote:

On 09/09/2014 10:41 AM, Kat wrote:
The problem I see is simple - not being able to add additional 
replicas after the migration?


What I meant to say is - Is the workaround of setting replication 
first, then doing migration, acceptable?

On 9/9/14 9:24 AM, Rich Megginson wrote:

On 09/09/2014 10:12 AM, Kat wrote:

Well - here is the problem and solution:

Fails every time:

Install master, enable migration, migrate existing LDAP 
config/users, setup replication, fails.


Works every time:

Install master, setup replication, enable migration, migrate 
existing LDAP config/users, works perfectly.


So -- a problem with migration settings??


Could be.  Is it a problem if the only way you can successfully set 
things up is to do the latter procedure?

Would be nice to test this scenario at some point and reproduce it.
I do not think the workaround is acceptable. One should be able to add 
the replicas after migration.
Is this a timing issue? I mean can you add replica next day for 
example or never?
If you never can add a replica after migration it is a problem and we
should fix it. If you can't just for a short period of time then we
should probably file a ticket and process it later.

Sadly - no - I waited 24 hours after the migration from OpenLDAP to IPA 
and still could not do it.

Going to try something else. Since the bug still exists migrating to 4.x 
directly - going to migrate to 3.3.5, THEN upgrade to 4.0.1 and then try 
the replica addition. I will let you know what happens.

~K



Re: [Freeipa-users] unhappy replication?

2014-09-09 Thread Rob Crittenden
Kat wrote:
 On 9/9/14 3:18 PM, Dmitri Pal wrote:
 On 09/09/2014 12:55 PM, Rich Megginson wrote:
 On 09/09/2014 10:41 AM, Kat wrote:
 The problem I see is simple - not being able to add additional
 replicas after the migration?

 What I meant to say is - Is the workaround of setting replication
 first, then doing migration, acceptable?


 On 9/9/14 9:24 AM, Rich Megginson wrote:
 On 09/09/2014 10:12 AM, Kat wrote:
 Well - here is the problem and solution:

 Fails every time:

 Install master, enable migration, migrate existing LDAP
 config/users, setup replication, fails.

 Works every time:

 Install master, setup replication, enable migration, migrate
 existing LDAP config/users, works perfectly.

 So -- a problem with migration settings??

 Could be.  Is it a problem if the only way you can successfully set
 things up is to do the latter procedure?


 Would be nice to test this scenario at some point and reproduce it.
 I do not think the workaround is acceptable. One should be able to add
 the replicas after migration.
 Is this a timing issue? I mean can you add replica next day for
 example or never?
 If you never can add a replica after migration it is a problem and we
 should fix it. If you can't just for a short period of time then we
 should probably file a ticket and process it later.

 Sadly - no - I waited 24 hours after the migration from OpenLDAP to IPA
 and still could not do it.
 
 Going to try something else. Since the bug still exists migrating to 4.x
 directly - going to migrate to 3.3.5, THEN upgrade to 4.0.1 and then try
 the replica addition. I will let you know what happens.

Honestly, I find it hard to believe that this is related to migration.
All migration does is pull over users and groups over LDAP. Whether you
set up the agreement before or after, it is going to do a full database
dump. The only difference is that after it will get more data.

rob



Re: [Freeipa-users] unhappy replication?

2014-09-09 Thread Dmitri Pal

On 09/09/2014 06:44 PM, Rob Crittenden wrote:

Kat wrote:

On 9/9/14 3:18 PM, Dmitri Pal wrote:

On 09/09/2014 12:55 PM, Rich Megginson wrote:

On 09/09/2014 10:41 AM, Kat wrote:

The problem I see is simple - not being able to add additional
replicas after the migration?

What I meant to say is - Is the workaround of setting replication
first, then doing migration, acceptable?


On 9/9/14 9:24 AM, Rich Megginson wrote:

On 09/09/2014 10:12 AM, Kat wrote:

Well - here is the problem and solution:

Fails every time:

Install master, enable migration, migrate existing LDAP
config/users, setup replication, fails.

Works every time:

Install master, setup replication, enable migration, migrate
existing LDAP config/users, works perfectly.

So -- a problem with migration settings??

Could be.  Is it a problem if the only way you can successfully set
things up is to do the latter procedure?

Would be nice to test this scenario at some point and reproduce it.
I do not think the workaround is acceptable. One should be able to add
the replicas after migration.
Is this a timing issue? I mean can you add replica next day for
example or never?
If you never can add a replica after migration it is a problem and we
should fix it. If you can't just for a short period of time then we
should probably file a ticket and process it later.


Sadly - no - I waited 24 hours after the migration from OpenLDAP to IPA
and still could not do it.

Going to try something else. Since the bug still exists migrating to 4.x
directly - going to migrate to 3.3.5, THEN upgrade to 4.0.1 and then try
the replica addition. I will let you know what happens.

Honestly, I find it hard to believe that this is related to migration.
All migration does is pull over users and groups over LDAP. Whether you
set up the agreement before or after, it is going to do a full database
dump. The only difference is that after it will get more data.

rob


Well, maybe the data is so big that the replication gets stuck?
Maybe there is some huge group membership issue or something like that.
Do you have a huge group? Multiples of huge groups? Do you use auto
membership?


--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.



Re: [Freeipa-users] unhappy replication?

2014-09-09 Thread Kat

some stats:
~2000 users
~275 groups
~largest groups = 150+ users
(a couple dozen of these)

~K

On 9/9/14 4:32 PM, Dmitri Pal wrote:

Well, maybe the data is so big that the replication gets stuck?
Maybe there is some huge group membership issue or something like that.
Do you have a huge group? Multiples of huge groups? Do you use auto
membership?



Re: [Freeipa-users] unhappy replication?

2014-09-09 Thread Dmitri Pal

On 09/09/2014 07:40 PM, Kat wrote:

some stats:
~2000 users
~275 groups
~largest groups = 150+ users
(a couple dozen of these)


Does not sound offensive...
May be we should take a look at your DS logs for the failed replication 
after migration.

Any chance we can take a look?

Is this the problem for the first replica or for any replica?
I mean that if you add any new replica after the migration (install 
master and replica and then migrate then add another replica) you would 
be able to reproduce the problem. Is this the case?


~K

On 9/9/14 4:32 PM, Dmitri Pal wrote:

Well, maybe the data is so big that the replication gets stuck?
Maybe there is some huge group membership issue or something like that.
Do you have a huge group? Multiples of huge groups? Do you use auto
membership?

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

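As an added example, not code from this thread or from the FreeIPA project: the ordering Kat reports as working (master, then replica, then migration), written out with the FreeIPA 3.x commands, together with a check over 389-ds error-log lines of the kind Dmitri asks to look at for the failed replication. The hostnames, replica address, legacy LDAP URI, bind DN and the log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread or from the FreeIPA project.
# Part 1 encodes the ordering reported as working (master -> replica ->
# enable migration -> migrate -> disable migration) as FreeIPA 3.x CLI
# steps. Part 2 checks 389-ds error-log text for replication failures.
# Hostnames, addresses, DNs and the log lines are assumptions.

REPLICA="ipa2.example.com"                 # assumed replica FQDN
REPLICA_IP="192.0.2.20"                    # assumed replica address
OLD_LDAP="ldap://openldap.example.com"     # assumed legacy directory
OLD_BIND_DN="cn=Manager,dc=example,dc=com" # assumed legacy admin DN

# Part 1: run on the master as admin with a valid Kerberos ticket.
# The replication agreement is created first, migration second.
# Nothing is executed when this file is sourced; call it explicitly.
replicate_then_migrate() {
    ipa-replica-prepare "$REPLICA" --ip-address "$REPLICA_IP" || return 1
    # Copy /var/lib/ipa/replica-info-$REPLICA.gpg to the replica and run
    #   ipa-replica-install /var/lib/ipa/replica-info-$REPLICA.gpg
    # there. Then confirm the agreement exists before opening migration.
    ipa-replica-manage list | grep -q "^$REPLICA:" || return 1
    ipa config-mod --enable-migration=TRUE || return 1
    ipa migrate-ds --bind-dn="$OLD_BIND_DN" "$OLD_LDAP"
    rc=$?
    # Close the migration window again: while it is open, the /ipa/migration
    # page accepts legacy LDAP passwords to generate Kerberos keys.
    ipa config-mod --enable-migration=FALSE
    return $rc
}

# Part 2: count replication-plugin failures in 389-ds error-log text read
# from stdin (/var/log/dirsrv/slapd-<INSTANCE>/errors on the master).
replication_errors() {
    grep -c -E 'NSMMReplicationPlugin.*(failed|aborting|Unable to acquire|error)' || true
}

# Print the agreement names that logged a failure, one per line, deduplicated.
failing_agreements() {
    grep -E 'NSMMReplicationPlugin.*(failed|aborting|Unable to acquire|error)' \
      | sed -n 's/.*agmt="\([^"]*\)".*/\1/p' | sort -u
}

# Constructed sample in the 389-ds error-log shape (not a captured log).
SAMPLE_ERRORS='[09/Sep/2014:12:00:01 -0600] NSMMReplicationPlugin - agmt="cn=meToipa2.example.com" (ipa2:389): Replication bind with GSSAPI auth resumed
[09/Sep/2014:12:00:05 -0600] NSMMReplicationPlugin - agmt="cn=meToipa2.example.com" (ipa2:389): Unable to acquire replica: the replica has the same Replica ID as this one. Replication is aborting.
[09/Sep/2014:12:00:09 -0600] NSMMReplicationPlugin - agmt="cn=meToipa2.example.com" (ipa2:389): Incremental update failed and requires administrator action
[09/Sep/2014:12:00:10 -0600] - slapd started.  Listening on All Interfaces port 389 for LDAP requests'

# Live usage: replication_errors < /var/log/dirsrv/slapd-EXAMPLE-COM/errors
sample_error_count() { printf '%s\n' "$SAMPLE_ERRORS" | replication_errors; }
sample_failing_agmt() { printf '%s\n' "$SAMPLE_ERRORS" | failing_agreements; }
```

The grep-based check is deliberately coarse: it flags any replication-plugin line mentioning a failure, abort or acquisition problem, which is enough to tell a stuck agreement from a slow one before reading the surrounding lines by hand.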