Re: [Freeipa-users] Failed to remove host
On 11/26/2014 08:33 AM, Vaclav Adamec wrote:
> Hi,
> I'm encountering strange behavior. I ran host removal from the web UI and it failed with the error "Some entries were not deleted: host not found", but the host is still showing in the list.
>
> Via cmd:
>
> ipa host-find
> -- 1 host matched --
>   Host name:
>   Principal name: host/@
>   Password: True
>   Member of host-groups: all
>   Indirect Member of netgroup:
>   Indirect Member of HBAC rule:
>   Keytab: True
> Number of entries returned 1
>
> ipa host-del
> ipa: ERROR: : host not found
>
> Can you please advise?
>
> Thanks a lot
> Vasek
>
> freeipa-server-4.1.0-1.fc20.x86_64
> ipa-client-3.0.0-42.el6.centos.x86_64

Vasku,

I suspect there was a replication conflict and this particular host has a modified DN. You can verify with

# ipa host-find --all --raw | grep dn:

If this is the case, you can find some hints how to remove replication conflicts here:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html#repl-conflicts

HTH,
Martin

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
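The check Martin suggests can be automated: the directory server renames the losing entry of a replication conflict to `nsuniqueid=<id>+<original rdn>,...`, which is why `ipa host-del` no longer finds the host by name. The following script is an added example (not from the thread or the FreeIPA project); it parses constructed `ipa host-find --all --raw` output and reports entries whose DN carries that marker.

```python
import re

# 389-ds renames the losing entry of a replication conflict to
# "nsuniqueid=<uuid>+<original rdn>", so the host is no longer reachable
# under its plain "fqdn=<host>,cn=computers,..." DN.
CONFLICT_RDN = re.compile(r"^nsuniqueid=[0-9a-f-]+\+(?P<rdn>[^,]+),", re.IGNORECASE)

# Constructed sample of `ipa host-find --all --raw` output (not from the thread):
# client1 is healthy, client2 was renamed by a replication conflict.
SAMPLE_OUTPUT = """\
---------------
2 hosts matched
---------------
  dn: fqdn=client1.example.com,cn=computers,cn=accounts,dc=example,dc=com
  fqdn: client1.example.com
  krbprincipalname: host/client1.example.com@EXAMPLE.COM
  memberof: cn=all,cn=hostgroups,cn=accounts,dc=example,dc=com

  dn: nsuniqueid=66446001-1dd211b2-66225011-2ee211db+fqdn=client2.example.com,cn=computers,cn=accounts,dc=example,dc=com
  fqdn: client2.example.com
  krbprincipalname: host/client2.example.com@EXAMPLE.COM
  memberof: cn=all,cn=hostgroups,cn=accounts,dc=example,dc=com
----------------------------
Number of entries returned 2
----------------------------
"""


def parse_entries(raw_output):
    """Split `ipa host-find --raw` output into a list of {attr: [values]} dicts."""
    entries, current = [], {}
    for line in raw_output.splitlines():
        line = line.strip()
        if not line:  # a blank line separates entries
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("--") or ":" not in line:
            continue  # separator lines and the "N hosts matched" / "Number of entries" footers
        attr, _, value = line.partition(":")
        current.setdefault(attr.lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def find_conflict_entries(raw_output):
    """Return (dn, original_rdn) for every entry that carries a conflict marker."""
    conflicts = []
    for entry in parse_entries(raw_output):
        for dn in entry.get("dn", []):
            m = CONFLICT_RDN.match(dn)
            if m:
                conflicts.append((dn, m.group("rdn")))
            elif "nsds5replconflict" in entry:
                # 389-ds also tags conflict entries with an nsds5ReplConflict attribute
                conflicts.append((dn, dn.split(",", 1)[0]))
    return conflicts


if __name__ == "__main__":
    for dn, rdn in find_conflict_entries(SAMPLE_OUTPUT):
        print(f"conflict entry for {rdn}: {dn}")
```

To run it against a live server, pipe the real `ipa host-find --all --raw` output into `find_conflict_entries`; the reported DN is the one to use when following the linked Red Hat procedure.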
Re: [Freeipa-users] Failed to remove host
Thanks, that's it. Not very clear how to fix it (the example with uid converted to the host issue is not working), but at least I know what's wrong.

Vasek

On Wed, Nov 26, 2014 at 8:58 AM, Martin Kosek mko...@redhat.com wrote:
> On 11/26/2014 08:33 AM, Vaclav Adamec wrote:
>> Hi,
>> I'm encountering strange behavior. I ran host removal from the web UI and it failed with the error "Some entries were not deleted: host not found", but the host is still showing in the list.
>>
>> Via cmd:
>>
>> ipa host-find
>> -- 1 host matched --
>>   Host name:
>>   Principal name: host/@
>>   Password: True
>>   Member of host-groups: all
>>   Indirect Member of netgroup:
>>   Indirect Member of HBAC rule:
>>   Keytab: True
>> Number of entries returned 1
>>
>> ipa host-del
>> ipa: ERROR: : host not found
>>
>> Can you please advise?
>>
>> Thanks a lot
>> Vasek
>>
>> freeipa-server-4.1.0-1.fc20.x86_64
>> ipa-client-3.0.0-42.el6.centos.x86_64
>
> Vasku,
>
> I suspect there was a replication conflict and this particular host has a modified DN. You can verify with
>
> # ipa host-find --all --raw | grep dn:
>
> If this is the case, you can find some hints how to remove replication conflicts here:
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html#repl-conflicts
>
> HTH,
> Martin

--
May the fox be with you ...
Re: [Freeipa-users] Freeipa Blocking Sites?
I have a stupid question (LOL): should or can FreeIPA have an internet connection?

On Tuesday, November 25, 2014 10:36 PM, Rolf Nufable rolf_16_nufa...@yahoo.com wrote:
> Actually the problem was that I was accessing our site from outside our network. Now, our domain in the network locally is named example.com, and the outside website is also at the domain example.com, so I guess what FreeIPA does is it looks for the website inside our local network..
>
> On Tuesday, November 25, 2014 10:32 PM, Outback Dingo outbackdi...@gmail.com wrote:
>> You probably want something like a squid or oops proxy filter if you mean for filtering web traffic.
>>
>> On Wed, Nov 26, 2014 at 4:51 PM, Fraser Tweedale ftwee...@redhat.com wrote:
>>> On Wed, Nov 26, 2014 at 04:31:38AM +, Rolf Nufable wrote:
>>>> Good morning
>>>> Is there a function in freeipa that blocks websites?
>>>
>>> Hi Rolf,
>>>
>>> FreeIPA does not have this feature. It is a centralised identity management system providing authentication and access control for hosts and services managed by an organisation.
>>>
>>> HTH,
>>> Fraser
[Freeipa-users] scripting question
I'm trying to debug a script that is supposed to auto-setup Kerberos for Hadoop. It's not working, and I've boiled down the problem to the fact that, for some reason, it wants to use DES as the encryption type. There is no good reason for this, since both FreeIPA and Hadoop support modern encryption types, so I want to fix the script. Is there a way for a script to query IPA for the supported encryption types?

--
http://www2.charitydynamics.com/site/PageServer?pagename=Boundless_Email_Client
Re: [Freeipa-users] scripting question
Richard Betel wrote:
> I'm trying to debug a script that is supposed to auto-setup Kerberos for Hadoop. It's not working, and I've boiled down the problem to the fact that, for some reason, it wants to use DES as the encryption type. There is no good reason for this, since both FreeIPA and Hadoop support modern encryption types, so I want to fix the script. Is there a way for a script to query IPA for the supported encryption types?

You can find it in cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com

$ ldapsearch -Y GSSAPI -s base -b cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com krbDefaultEncSaltTypes

rob
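A setup script that runs Rob's ldapsearch still has to parse the LDIF it gets back. The following is an added example (not from the thread): it unfolds and decodes ldapsearch LDIF, extracts the realm's `krbDefaultEncSaltTypes` as (enctype, salttype) pairs, and flags the deprecated DES/RC4 family so a script can refuse them. The LDIF below is a constructed sample.

```python
import base64

# Enctypes a provisioning script should refuse to select: single DES, triple DES
# and RC4 are deprecated; FreeIPA provisions AES by default.
DEPRECATED_ENCTYPES = {
    "des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-hmac-sha1",
    "des3-cbc-sha1", "des3-hmac-sha1", "arcfour-hmac", "arcfour-hmac-md5",
}

# Constructed LDIF in the shape printed by
#   ldapsearch -Y GSSAPI -s base -b cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com krbDefaultEncSaltTypes
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com> with scope baseObject
# filter: (objectclass=*)
# requesting: krbDefaultEncSaltTypes
#

# EXAMPLE.COM, kerberos, example.com
dn: cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com
krbDefaultEncSaltTypes: aes256-cts:special
krbDefaultEncSaltTypes: aes128-cts:special
krbDefaultEncSaltTypes: des3-hmac-sha1:special
krbDefaultEncSaltTypes: arcfour-hmac:special

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
"""


def parse_ldif_entry(text):
    """Return {attr: [values]} for the first entry of an ldapsearch LDIF document.

    Unfolds continuation lines (leading space) and decodes base64 values
    ("attr:: ...") the way ldapsearch emits them; comment lines are skipped.
    """
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entry = {}
    for line in unfolded:
        if not line:
            if "dn" in entry:
                break  # a blank line ends the entry
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):  # "attr:: base64"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        entry.setdefault(attr.strip().lower(), []).append(value)
    return entry


def default_enc_salt_types(ldif_text):
    """Return [(enctype, salttype), ...] from the realm's krbDefaultEncSaltTypes."""
    pairs = []
    for value in parse_ldif_entry(ldif_text).get("krbdefaultencsalttypes", []):
        enctype, _, salt = value.partition(":")
        pairs.append((enctype.strip(), salt.strip() or "normal"))
    return pairs


def deprecated_enc_types(ldif_text):
    """Return the realm default enctypes a script should not pick."""
    return [enc for enc, _ in default_enc_salt_types(ldif_text) if enc in DEPRECATED_ENCTYPES]


if __name__ == "__main__":
    print("realm defaults:", default_enc_salt_types(SAMPLE_LDIF))
    print("deprecated:", deprecated_enc_types(SAMPLE_LDIF))
```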
Re: [Freeipa-users] Freeipa Blocking Sites?
On 11/26/2014 05:14 AM, Rolf Nufable wrote:
> I have a stupid question (LOL): should or can FreeIPA have an internet connection?

It depends on the needs. Usually it is hidden behind the firewall internally, but there are some cases when it makes sense to run it on the Internet. What is the problem you are trying to solve?

> On Tuesday, November 25, 2014 10:36 PM, Rolf Nufable rolf_16_nufa...@yahoo.com wrote:
>> Actually the problem was that I was accessing our site from outside our network. Now, our domain in the network locally is named example.com, and the outside website is also at the domain example.com, so I guess what FreeIPA does is it looks for the website inside our local network..
>>
>> On Tuesday, November 25, 2014 10:32 PM, Outback Dingo outbackdi...@gmail.com wrote:
>>> You probably want something like a squid or oops proxy filter if you mean for filtering web traffic.
>>>
>>> On Wed, Nov 26, 2014 at 4:51 PM, Fraser Tweedale ftwee...@redhat.com wrote:
>>>> On Wed, Nov 26, 2014 at 04:31:38AM +, Rolf Nufable wrote:
>>>>> Good morning
>>>>> Is there a function in freeipa that blocks websites?
>>>>
>>>> Hi Rolf,
>>>>
>>>> FreeIPA does not have this feature. It is a centralised identity management system providing authentication and access control for hosts and services managed by an organisation.
>>>>
>>>> HTH,
>>>> Fraser

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Re: [Freeipa-users] Freeipa Blocking Sites?
On 11/26/2014 01:36 AM, Rolf Nufable wrote:
> Actually the problem was that I was accessing our site from outside our network. Now, our domain in the network locally is named example.com, and the outside website is also at the domain example.com, so I guess what FreeIPA does is it looks for the website inside our local network..

It looks for a name and DNS resolves it. So if DNS resolves to the internal one, then the internal will be used. If there is a route to the external one and that is what DNS returned, then it will be external. It is really not IPA's capability we are talking about here.

> On Tuesday, November 25, 2014 10:32 PM, Outback Dingo outbackdi...@gmail.com wrote:
>> You probably want something like a squid or oops proxy filter if you mean for filtering web traffic.
>>
>> On Wed, Nov 26, 2014 at 4:51 PM, Fraser Tweedale ftwee...@redhat.com wrote:
>>> On Wed, Nov 26, 2014 at 04:31:38AM +, Rolf Nufable wrote:
>>>> Good morning
>>>> Is there a function in freeipa that blocks websites?
>>>
>>> Hi Rolf,
>>>
>>> FreeIPA does not have this feature. It is a centralised identity management system providing authentication and access control for hosts and services managed by an organisation.
>>>
>>> HTH,
>>> Fraser

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
[Freeipa-users] Kerberos error: PREAUTH_FAILED: KRB5KRB_AP_ERR_BAD_INTEGRITY
Hello,

Simo, do you have an idea what may be causing the problem?

Maria, generally, you can try to do two things on the Zimbra server:

$ kinit -kt <path to keytab used by Zimbra server> imap/zimbrafreeipa.example@fi.example.com

It should succeed. This will verify that the content of the keytab is okay.

Regarding the KRB5_TRACE trick: You have to find the init script or systemd unit file which is used to start the Zimbra server process. Edit that script and add KRB5_TRACE to it before the actual server start.

Let us know your findings :-)

Petr^2 Spacek

On 25.11.2014 19:02, Maria Jose Yañez Dacosta wrote:
> Sorry for the delay in answering, I've been testing a few things before going back to ask.
>
> Thanks for the advice, I'll be careful with security :). I also tried as is explained in the url you shared with me and, as you suspected, that isn't the problem either.
>
> I installed Wireshark; the packet capture shows me these errors:
>
> error_code: KRB5KRB_AP_ERR_BAD_INTEGRITY (31)
> e-text: PREAUTH_FAILED
>
> where the origin of these packets is the FreeIPA server and the destination is the Zimbra server. I think this may be causing problems.
>
> I'm ashamed to say this, but I haven't known what I have to do to debug the IMAP process on the server using KRB5_TRACE.
>
> Thanks so much for all your help, and if you have more suggestions, it would be appreciated.
>
> Have a good day.
>
> 2014-11-25 15:00 GMT-02:00 freeipa-users-requ...@redhat.com:
>> Send Freeipa-users mailing list submissions to
>> freeipa-users@redhat.com
>>
>> To subscribe or unsubscribe via the World Wide Web, visit
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> or, via email, send a message with subject or body 'help' to
>> freeipa-users-requ...@redhat.com
>>
>> You can reach the person managing the list at
>> freeipa-users-ow...@redhat.com
>>
>> When replying, please edit your Subject line so it is more specific than "Re: Contents of Freeipa-users digest..."
>>
>> Today's Topics:
>>
>> 1. Re: Is it possible to set up SUDO with redundancy? (Lukas Slebodnik)
>> 2. Re: Setting up a Kerberized IMAP Server. (Petr Spacek)
>>
>> --
>> Message: 1
>> Date: Tue, 25 Nov 2014 09:02:59 +0100
>> From: Lukas Slebodnik lsleb...@redhat.com
>> To: William Muriithi william.murii...@gmail.com
>> Cc: freeipa-users@redhat.com
>> Subject: Re: [Freeipa-users] Is it possible to set up SUDO with redundancy?
>> Message-ID: 20141125080259.gb2...@mail.corp.redhat.com
>> Content-Type: text/plain; charset=utf-8
>>
>> On Mon, Nov 24, 2014 at 8:38 PM, William Muriithi william.murii...@gmail.com wrote:
>>> Evening,
>>>
>>> After looking at almost all the SUDO documentation I could find, it looks like one has to hardcode the FreeIPA hostname in the sssd.conf file. Below is what Red Hat advises to add in the sssd config file.
>>>
>>> services = nss, pam, ssh, pac, sudo
>>>
>>> [domain/idm.coe.muc.redhat.com]
>>> sudo_provider = ldap
>>> ldap_uri = ldap://grobi.idm.coe.muc.redhat.com
>>> ldap_sudo_search_base = ou=sudoers,dc=idm,dc=coe,dc=muc,dc=redhat,dc=com
>>> ldap_sasl_mech = GSSAPI
>>> ldap_sasl_authid = host/tiffy.idm.coe.muc.redhat.com
>>> ldap_sasl_realm = IDM.COE.MUC.REDHAT.COM
>>> krb5_server = grobi.idm.coe.muc.redhat.com
>>>
>>> The implication of adding the above is that SUDO would break if the hardcoded IPA is not available, even if there is another replica somewhere in the network. Is that a correct assumption? Is there a better way of doing it that I have missed?
>>
>> Which version of sssd do you have?
>> sssd >= 1.10 has native ipa sudo providers and you don't need to use sudo_provider = ldap.
>>
>> LS
>>
>> --
>> Message: 2
>> Date: Tue, 25 Nov 2014 10:11:42 +0100
>> From: Petr Spacek pspa...@redhat.com
>> To: freeipa-users@redhat.com
>> Subject: Re: [Freeipa-users] Setting up a Kerberized IMAP Server.
>> Message-ID: 547447ce.8090...@redhat.com
>> Content-Type: text/plain; charset=windows-1252
>>
>> On 24.11.2014 17:45, Maria Jose Yañez Dacosta wrote:
>>> Thank you for your prompt reply :).
>>>
>>> I still haven't discovered what caused the problem, but now I could get more information about the problem. I ran the command that you mentioned to me; I did as follows:
>>>
>>> - kinit usuipa
>>> - kvno imap/zimbrafreeipa.example@fi.example.com
>>>
>>> (I said in my previous mail fi.example.com but should have said zimbrafreeipa.example.com. Forgiveness!!)
>>>
>>> Then ran klist and got this:
>>>
>>> 11/24/14 14:04:53  11/25/14 14:04:50  krbtgt/fi.example@fi.example.com
>>> 11/24/14 14:05:52  11/25/14 14:04:50  imap/zimbrafreeipa.fi.example@fi.example.com
>>>
>>> Then ran KRB5_TRACE=/dev/stdout kvno imap/zimbrafreeipa.example@fi.example.com and got this:
>>>
>>> --- OUTPUT ---
>>> [20649] 1416845334.9690: Getting credentials usu...@fi.example.com -> imap/zimbrafreeipa.fi.example@fi.example.com using ccache FILE:/tmp/krb5cc_0
>>> [20649] 1416845334.27562: Retrieving usu...@fi.example.com -> imap/
Re: [Freeipa-users] Kerberos error: PREAUTH_FAILED: KRB5KRB_AP_ERR_BAD_INTEGRITY
On Wed, Nov 26, 2014 at 06:04:21PM +0100, Petr Spacek wrote:
> Hello,
>
> Simo, do you have an idea what may be causing the problem?

Maybe there is a version mismatch between the keys on the server and on the client? On the IPA server you can check with

# kadmin.local getprinc imap/zimbrafreeipa.example@fi.example.com

and on the IMAP server with

klist -k -t <path to keytab used by Zimbra server>

The KVNO should be the same; if not, you can generate a fresh keytab with ipa-getkeytab.

HTH

bye,
Sumit

> Maria, generally, you can try to do two things on the Zimbra server:
>
> $ kinit -kt <path to keytab used by Zimbra server> imap/zimbrafreeipa.example@fi.example.com
>
> It should succeed. This will verify that the content of the keytab is okay.
>
> Regarding the KRB5_TRACE trick: You have to find the init script or systemd unit file which is used to start the Zimbra server process. Edit that script and add KRB5_TRACE to it before the actual server start.
>
> Let us know your findings :-)
>
> Petr^2 Spacek
>
> On 25.11.2014 19:02, Maria Jose Yañez Dacosta wrote:
>> Sorry for the delay in answering, I've been testing a few things before going back to ask.
>>
>> Thanks for the advice, I'll be careful with security :). I also tried as is explained in the url you shared with me and, as you suspected, that isn't the problem either.
>>
>> I installed Wireshark; the packet capture shows me these errors:
>>
>> error_code: KRB5KRB_AP_ERR_BAD_INTEGRITY (31)
>> e-text: PREAUTH_FAILED
>>
>> where the origin of these packets is the FreeIPA server and the destination is the Zimbra server. I think this may be causing problems.
>>
>> I'm ashamed to say this, but I haven't known what I have to do to debug the IMAP process on the server using KRB5_TRACE.
>>
>> Thanks so much for all your help, and if you have more suggestions, it would be appreciated.
>>
>> Have a good day.
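Sumit's KVNO check compares two pieces of command output by eye. The script below is an added example (not from the thread or any of the projects involved): it parses constructed `kadmin.local getprinc` and `klist -k -t` output, compares the KDC's current key version with what the keytab holds, and reports the stale-keytab case that produces KRB5KRB_AP_ERR_BAD_INTEGRITY. The principal name, keytab path and timestamps are assumptions.

```python
import re

# kadmin's getprinc prints one line per key, e.g. "Key: vno 3, aes256-cts-hmac-sha1-96"
KADMIN_KEY = re.compile(r"^Key:\s+vno\s+(\d+),\s*([\w-]+)")
# `klist -k -t` prints one table row per keytab entry: "   3 11/24/2014 13:40:02 imap/host@REALM"
KLIST_ROW = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s*$")

# Service principal assumed for the example (spelling of host and realm is an assumption).
PRINCIPAL = "imap/zimbrafreeipa.fi.example.com@FI.EXAMPLE.COM"

# Constructed `kadmin.local getprinc` output: the KDC is at KVNO 4.
GETPRINC_SAMPLE = """\
Principal: imap/zimbrafreeipa.fi.example.com@FI.EXAMPLE.COM
Expiration date: [never]
Last password change: Mon Nov 24 13:58:10 UTC 2014
Maximum ticket life: 1 day 00:00:00
Number of keys: 2
Key: vno 4, aes256-cts-hmac-sha1-96
Key: vno 4, aes128-cts-hmac-sha1-96
"""

# Constructed `klist -k -t <keytab>` output: the keytab still holds KVNO 3.
KLIST_SAMPLE = """\
Keytab name: FILE:/path/to/zimbra.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 11/24/2014 13:40:02 imap/zimbrafreeipa.fi.example.com@FI.EXAMPLE.COM
   3 11/24/2014 13:40:02 imap/zimbrafreeipa.fi.example.com@FI.EXAMPLE.COM
"""


def kdc_kvnos(getprinc_output):
    """Return {enctype: kvno} for the keys listed by kadmin getprinc."""
    keys = {}
    for line in getprinc_output.splitlines():
        m = KADMIN_KEY.match(line.strip())
        if m:
            keys[m.group(2)] = int(m.group(1))
    return keys


def keytab_kvnos(klist_output, principal):
    """Return the set of KVNOs the keytab holds for the given principal."""
    kvnos = set()
    for line in klist_output.splitlines():
        m = KLIST_ROW.match(line)
        if m and m.group(2) == principal:
            kvnos.add(int(m.group(1)))
    return kvnos


def check_kvno(getprinc_output, klist_output, principal):
    """Return (ok, message); ok is True only if the keytab has the KDC's current KVNO."""
    kdc = kdc_kvnos(getprinc_output)
    if not kdc:
        return False, "no keys found in kadmin output"
    current = max(kdc.values())  # the highest vno is the key the KDC issues tickets with
    have = keytab_kvnos(klist_output, principal)
    if not have:
        return False, f"keytab has no entry for {principal}"
    if current in have:
        return True, f"keytab KVNO {current} matches the KDC"
    return False, f"KDC is at KVNO {current}, keytab only has {sorted(have)}; regenerate the keytab with ipa-getkeytab"


if __name__ == "__main__":
    print(check_kvno(GETPRINC_SAMPLE, KLIST_SAMPLE, PRINCIPAL)[1])
```

Note that `ipa-getkeytab` bumps the KVNO on the KDC each time it is run, so every copy of the service keytab must be refreshed together.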
Re: [Freeipa-users] Centos5 - freeipa - AD trust
Thank you, it works like a charm, especially the ipa-advise.

One last question: is there a way to log in on the centos5 without entering the whole realm name, but just the netbios? Currently I can log on centos6 with adnetbios\user, but on centos5 I need to provide

ssh ipaCentos5 -l user@domain.fully.qualified

I haven't tested yet with putty, from windows; maybe it doesn't matter.

Regards,

Nicolas Zin

----- Original Message -----
From: Alexander Bokovoy aboko...@redhat.com
To: Nicolas Zin nicolas@savoirfairelinux.com
Cc: freeipa-users@redhat.com
Sent: Tuesday, 25 November 2014 16:40:57
Subject: Re: [Freeipa-users] Centos5 - freeipa - AD trust

On Tue, 25 Nov 2014, Nicolas Zin wrote:
> Hi,
>
> I successfully created a trust relationship between a freeipa 3.3 realm (on Centos 7) and a windows 2008 AD.
> Now I add some machine clients to my IPA realm, and try to connect to them with my AD credential:
> - connecting to the 2 freeipa servers: no problem
> - connecting to a Centos6 machine: no problem
> - connecting to a Centos5 machine: fail
>
> To say it differently:
> - when connecting to the Centos5 with a Freeipa Realm user it works
> - when connecting to the Centos5 with an AD Realm user, it fails
>
> I just want a confirmation: does it fail because centos5 is packaged with sssd 1.9 and does not support cross realm (and indeed, it cannot work)? Or is it possible to make it work, and my error is somewhere else?

Right, RHEL5/CentOS5 cannot see AD users directly like other SSSD systems. If you enabled compat tree integration when running 'ipa-adtrust-install', you may try to configure the CentOS5 machine to use the compat tree. This has some limitations, but it exposes both IPA and AD users and allows authenticating AD users against LDAP in the compat tree. See http://www.freeipa.org/images/0/0d/FreeIPA33-legacy-clients.pdf for details.

--
/ Alexander Bokovoy
Re: [Freeipa-users] Centos5 - freeipa - AD trust
On Wed, 26 Nov 2014, Nicolas Zin wrote:
> Thank you, it works like a charm, especially the ipa-advise.
>
> One last question: is there a way to log in on the centos5 without entering the whole realm name, but just the netbios? Currently I can log on centos6 with adnetbios\user, but on centos5 I need to provide
>
> ssh ipaCentos5 -l user@domain.fully.qualified
>
> I haven't tested yet with putty, from windows; maybe it doesn't matter.

Not supported yet in slapi-nis, good finding. You can file a ticket at https://fedorahosted.org/slapi-nis/ so that it wouldn't be lost.

--
/ Alexander Bokovoy
Re: [Freeipa-users] scripting question
On Wed, 26 Nov 2014 10:28:00 -0500
Richard Betel emte...@gmail.com wrote:
> I'm trying to debug a script that is supposed to auto-setup Kerberos for Hadoop. It's not working, and I've boiled down the problem to the fact that, for some reason, it wants to use DES as the encryption type. There is no good reason for this, since both FreeIPA and Hadoop support modern encryption types, so I want to fix the script. Is there a way for a script to query IPA for the supported encryption types?

Why don't you just go with the defaults?

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Kerberos error: PREAUTH_FAILED: KRB5KRB_AP_ERR_BAD_INTEGRITY
On Wed, 26 Nov 2014 18:04:21 +0100
Petr Spacek pspa...@redhat.com wrote:
> Hello,
>
> Simo, do you have an idea what may be causing the problem?

The most probable explanation is that the Zimbra server has the wrong key. Unfortunately there isn't enough data in the email to guess further.

Simo.

> Maria, generally, you can try to do two things on the Zimbra server:
>
> $ kinit -kt <path to keytab used by Zimbra server> imap/zimbrafreeipa.example@fi.example.com
>
> It should succeed. This will verify that the content of the keytab is okay.
>
> Regarding the KRB5_TRACE trick: You have to find the init script or systemd unit file which is used to start the Zimbra server process. Edit that script and add KRB5_TRACE to it before the actual server start.
>
> Let us know your findings :-)
>
> Petr^2 Spacek
>
> On 25.11.2014 19:02, Maria Jose Yañez Dacosta wrote:
>> Sorry for the delay in answering, I've been testing a few things before going back to ask.
>>
>> Thanks for the advice, I'll be careful with security :). I also tried as is explained in the url you shared with me and, as you suspected, that isn't the problem either.
>>
>> I installed Wireshark; the packet capture shows me these errors:
>>
>> error_code: KRB5KRB_AP_ERR_BAD_INTEGRITY (31)
>> e-text: PREAUTH_FAILED
>>
>> where the origin of these packets is the FreeIPA server and the destination is the Zimbra server. I think this may be causing problems.
>>
>> I'm ashamed to say this, but I haven't known what I have to do to debug the IMAP process on the server using KRB5_TRACE.
>>
>> Thanks so much for all your help, and if you have more suggestions, it would be appreciated.
>>
>> Have a good day.
Re: [Freeipa-users] Services and Keytabs for load-balanced hostnames
Thanks Alexander. Reviewing the proxy requirements now.

On Tue, Nov 25, 2014 at 3:32 PM, Alexander Bokovoy aboko...@redhat.com wrote:
> On Tue, 25 Nov 2014, Dimitar Georgievski wrote:
>> My case for HTTP load balancing is a little different. Ideally I would like to use a real load balancer (A10 in this case) for balancing HTTP and HTTPS services. Would that be possible?
>>
>> Based on the info in this thread, and the Apache configuration for IPA (ipa.conf), the following steps were performed:
>>
>> - Added host for sso.example.com
>> - Added service for HTTP/sso.example.com
>> - Added new entry for HTTP/sso.example.com to /etc/httpd/conf/ipa.keytab. This keytab is listed in conf.d/ipa.conf under the Location '/ipa' group of directives.
>>
>> ipa-getkeytab -s `hostname` -p HTTP/sso.example.com -k /etc/httpd/conf/ipa.keytab
>>
>> - Modified conf.d/ipa-rewrite.conf and ipa-pki-proxy.conf to redirect requests to sso.example.com
>>
>> The login page loads but unfortunately authentication is failing with an HTTP 401 (unauthorized) response from the server.
>>
>> I wonder what I am doing wrong.
>
> Can you show your /var/log/krb5kdc.log, lines concerning the HTTP/sso.example.com principal at the time you are trying to access the IPA UI?
>
> FreeIPA limits service principals' ability to impersonate user principals (or any other principals). The FreeIPA UI runs as the HTTP/ principal and is given permission to impersonate the user principal when talking to the ldap/ service. This setup is explicit and requires additional configuration for those Kerberos principals which ask for additional access.
>
> For a more detailed description read my article at
> http://vda.li/en/posts/2013/07/29/Setting-up-S4U2Proxy-with-FreeIPA/index.html
>
> --
> / Alexander Bokovoy