Re: [Freeipa-users] Switch to 3rd party SSL
Thanks Rob, I'll give it a try!

Andrew Chin

On Jan 7, 2015, at 2:13 PM, Rob Crittenden rcrit...@redhat.com wrote:

> Andrew Chin wrote:
>> Hello,
>>
>> I want to switch our FreeIPA 3.3.5 from using the FreeIPA CA self-signed certificate to one signed by a commercial CA that browsers will recognize.
>>
>> The documentation at http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP says "The certificate in mysite.crt must be signed by the CA used when installing FreeIPA." Does this preclude me from installing the commercial cert? If not, should I just follow the directions for IPA 4.1?
>>
>> Thanks,
>> Andrew Chin
>
> That is rather confusing, isn't it. IMHO it should really say that the cert is signed by your 3rd party CA.
>
> You'll also want to make sure that the issuing CA is trusted in your NSS databases as well.
>
> rob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
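Rob's last point, checking that the issuing CA is actually trusted in the NSS database, can be verified from `certutil -L` output. The functions below are an added example, not code from the thread or from FreeIPA; the CA nickname and the sample listing are constructed.

```shell
# Added example, not from the thread. Reads the output of
#   certutil -L -d /etc/httpd/alias        (or the dirsrv instance's NSS dir)
# and reports whether a CA nickname carries the "C" (trusted CA for SSL) flag
# in the SSL column of its trust attributes. Nickname and listing are constructed.

# nss_trust_flags NICKNAME   (certutil -L output on stdin)
# Prints the trust-attribute triple (SSL,S/MIME,JAR/XPI) for NICKNAME; 1 if absent.
nss_trust_flags() {
    awk -v nick="$1" '
        /^Certificate Nickname/ || /SSL,S\/MIME,JAR\/XPI/ || NF == 0 { next }
        {
            flags = $NF; $NF = ""; sub(/[ \t]+$/, "")   # nickname may contain spaces
            if ($0 == nick) { print flags; found = 1; exit }
        }
        END { exit found ? 0 : 1 }'
}

# nss_ca_trusted_for_ssl NICKNAME   (certutil -L output on stdin)
# 0 when the nickname's SSL trust flags include C, 1 otherwise or when absent.
nss_ca_trusted_for_ssl() {
    _flags=$(nss_trust_flags "$1") || return 1
    case ${_flags%%,*} in *C*) return 0 ;; *) return 1 ;; esac
}

# Constructed sample of certutil -L output: IPA's own CA is trusted, the
# commercial CA has been imported but carries no trust flags yet (",,").
SAMPLE_LISTING='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

MYDOM.COM IPA CA                                             CT,C,C
Example Commercial Root CA                                   ,,
Server-Cert                                                  u,u,u'

# On a live server:
#   certutil -L -d /etc/httpd/alias | nss_ca_trusted_for_ssl "Example Commercial Root CA"
```

A CA shown as ",," was imported without trust; it needs the C flag in the SSL column before the server certificate it issued will chain successfully.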
Re: [Freeipa-users] Mount cifs share using kerberos
2015-01-09 10:11 GMT+01:00 Alexander Bokovoy aboko...@redhat.com:

> On Fedora 21 we have /etc/request-key.d/cifs.upcall.conf and
> /etc/request-key.d/cifs.idmap.conf to allow kernel to properly fetch
> Kerberos keys and map IDs of CIFS identities. These configurations are part
> of cifs-utils package which also supplies mount.cifs.

I have no /etc/request-key.d/cifs.upcall.conf on my F21. Is it supposed to be there? This is what I have:

    [root@ipaserver etc]# cat request-key.conf
    ###
    # snip
    #OP     TYPE    DESCRIPTION     CALLOUT INFO    PROGRAM ARG1 ARG2 ARG3 ...
    #==     ===     ===             ===             ===
    create  dns_resolver  *         *         /sbin/key.dns_resolver %k
    create  user    debug:*         negate    /bin/keyctl negate %k 30 %S
    create  user    debug:*         rejected  /bin/keyctl reject %k 30 %c %S
    create  user    debug:*         expired   /bin/keyctl reject %k 30 %c %S
    create  user    debug:*         revoked   /bin/keyctl reject %k 30 %c %S
    create  user    debug:loop:*    *         |/bin/cat
    create  user    debug:*         *         /usr/share/keyutils/request-key-debug.sh %k %d %c %S
    negate  *       *               *         /bin/keyctl negate %k 30 %S

    [root@ipaserver etc]# ls request-key.d/
    cifs.idmap.conf  cifs.spnego.conf  id_resolver.conf

    [root@ipaserver etc]# cat request-key.d/cifs.idmap.conf
    create  cifs.idmap   *  *  /usr/sbin/cifs.idmap %k

    [root@ipaserver etc]# cat request-key.d/cifs.spnego.conf
    create  cifs.spnego  *  *  /usr/sbin/cifs.upcall %k

--
john
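The file name differs between Alexander's description (cifs.upcall.conf) and John's system (cifs.spnego.conf), so a check should look for the rule itself rather than the file. The script below is an added example, not from the thread or from cifs-utils; it takes the configuration directory as a parameter so it can be run against a copy, and the function names are mine.

```shell
# Added example, not from the thread: verifies that the request-key(8) rules
# Alexander describes are present, whatever file they live in (John's Fedora 21
# ships them as request-key.d/cifs.spnego.conf and cifs.idmap.conf rather than
# cifs.upcall.conf). Rule layout, from the request-key.conf header John posted:
#   OP  TYPE  DESCRIPTION  CALLOUT_INFO  PROGRAM  ARGS...

# find_upcall CONFDIR KEYTYPE PROGRAM
# Prints "file:line" of the first active 'create' rule for key type KEYTYPE
# whose program basename is PROGRAM; returns 1 when no such rule exists.
find_upcall() {
    _dir=$1 _type=$2 _prog=$3
    for _f in "$_dir/request-key.conf" "$_dir"/request-key.d/*.conf; do
        [ -f "$_f" ] || continue
        _hit=$(awk -v t="$_type" -v p="$_prog" '
            /^[[:space:]]*(#|$)/ { next }                  # comments and blank lines
            $1 == "create" && index($2, t) == 1 {
                for (i = 3; i <= NF; i++) if ($i ~ /^\//) break   # PROGRAM: first absolute path
                n = split($i, path, "/")
                if (path[n] == p) { print FILENAME ":" NR; exit }
            }' "$_f")
        if [ -n "$_hit" ]; then printf '%s\n' "$_hit"; return 0; fi
    done
    return 1
}

# check_cifs_upcalls CONFDIR
# cifs.spnego -> cifs.upcall is the rule 'mount -o sec=krb5' depends on: if it is
# missing the kernel's key request cannot be serviced and mount.cifs fails with
# error(126) "Required key not available" (John's listing shows it present, so his
# failure comes from elsewhere). cifs.idmap -> cifs.idmap is the ID-mapping upcall
# shipped alongside it. Returns the number of missing rules.
check_cifs_upcalls() {
    _conf=$1 _missing=0
    for _pair in "cifs.spnego cifs.upcall" "cifs.idmap cifs.idmap"; do
        set -- $_pair                                       # $1 key type, $2 program
        if _where=$(find_upcall "$_conf" "$1" "$2"); then
            echo "ok: $1 -> $2 ($_where)"
        else
            echo "MISSING: no 'create $1 * * .../$2 %k' rule under $_conf"
            _missing=$((_missing + 1))
        fi
    done
    return $_missing
}

# On a live system:  check_cifs_upcalls /etc
```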
[Freeipa-users] Replica Server's ipactl does not control named after reinstallation
Hi List,

I've seen this happen on two occasions now, in two different environments, one with RHEL 6.6 and one with RHEL 6.3.

I have issues with a replica server: I delete the replication agreement, remove the server from IPA DNS, run ipa-server-install --uninstall -U, reboot the server, create new replication settings from the existing master, and restore the replica. Running ipactl status, I see:

    ipactl status
    Directory Service: RUNNING
    KDC Service: RUNNING
    KPASSWD Service: RUNNING
    MEMCACHE Service: RUNNING
    HTTP Service: RUNNING

No DNS service listed. Named is not running.

    ipactl restart
    Restarting Directory Service
    Shutting down dirsrv:
        MYDOM-COM...                                           [  OK  ]
    Starting dirsrv:
        MYDOM-COM...                                           [  OK  ]
    Restarting KDC Service
    Stopping Kerberos 5 KDC:                                   [  OK  ]
    Starting Kerberos 5 KDC:                                   [  OK  ]
    Restarting KPASSWD Service
    Stopping Kerberos 5 Admin Server:                          [  OK  ]
    Starting Kerberos 5 Admin Server:                          [  OK  ]
    Restarting MEMCACHE Service
    Stopping ipa_memcached:                                    [  OK  ]
    Starting ipa_memcached:                                    [  OK  ]
    Restarting HTTP Service
    Stopping httpd:                                            [  OK  ]
    Starting httpd:                                            [  OK  ]

Checking on named:

    service named status
    rndc: connect failed: 127.0.0.1#953: connection refused
    named is stopped
    # service named start
    Starting named:                                            [  OK  ]
    # service named status
    version: 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1
    CPUs found: 2
    worker threads: 2
    number of zones: 19
    debug level: 0
    xfers running: 0
    xfers deferred: 0
    soa queries in progress: 0
    query logging is OFF
    recursive clients: 0/0/1000
    tcp clients: 0/100
    server is up and running
    named (pid 25017) is running...

But it does not resolve. Please, what is happening and how can I fix this? I don't know what logs to provide, but please let me know what is necessary and I'll make them available.

Thanks!
Re: [Freeipa-users] Replica Server's ipactl does not control named after reinstallation
Sina Owolabi wrote:
> Hi List,
>
> I've seen this happen on two occasions now, in two different environments, one with RHEL 6.6 and one with RHEL 6.3.
>
> I have issues with a replica server: I delete the replication agreement, remove the server from IPA DNS, run ipa-server-install --uninstall -U, reboot the server, create new replication settings from the existing master, and restore the replica. Running ipactl status, I see:
>
>     ipactl status
>     Directory Service: RUNNING
>     KDC Service: RUNNING
>     KPASSWD Service: RUNNING
>     MEMCACHE Service: RUNNING
>     HTTP Service: RUNNING
>
> No DNS service listed. Named is not running.
>
>     ipactl restart
>     Restarting Directory Service
>     Shutting down dirsrv:
>         MYDOM-COM...                                           [  OK  ]
>     Starting dirsrv:
>         MYDOM-COM...                                           [  OK  ]
>     Restarting KDC Service
>     Stopping Kerberos 5 KDC:                                   [  OK  ]
>     Starting Kerberos 5 KDC:                                   [  OK  ]
>     Restarting KPASSWD Service
>     Stopping Kerberos 5 Admin Server:                          [  OK  ]
>     Starting Kerberos 5 Admin Server:                          [  OK  ]
>     Restarting MEMCACHE Service
>     Stopping ipa_memcached:                                    [  OK  ]
>     Starting ipa_memcached:                                    [  OK  ]
>     Restarting HTTP Service
>     Stopping httpd:                                            [  OK  ]
>     Starting httpd:                                            [  OK  ]
>
> Checking on named:
>
>     service named status
>     rndc: connect failed: 127.0.0.1#953: connection refused
>     named is stopped
>     # service named start
>     Starting named:                                            [  OK  ]
>     # service named status
>     version: 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1
>     CPUs found: 2
>     worker threads: 2
>     number of zones: 19
>     debug level: 0
>     xfers running: 0
>     xfers deferred: 0
>     soa queries in progress: 0
>     query logging is OFF
>     recursive clients: 0/0/1000
>     tcp clients: 0/100
>     server is up and running
>     named (pid 25017) is running...
>
> But it does not resolve. Please, what is happening and how can I fix this? I don't know what logs to provide, but please let me know what is necessary and I'll make them available.

Bind is an optional service. You can either configure it at the time you install the replica using the --setup-dns option or afterward using ipa-dns-install.

rob
Re: [Freeipa-users] Mount cifs share using kerberos
2015-01-09 18:12 GMT+01:00 Alexander Bokovoy aboko...@redhat.com:

> So if you have all these configs right, can you add --verbose to mount.cifs
> arguments _before_ -o options?
>
> mount -t cifs //ipaserver.MY.LAN/TheShare --verbose -o sec=krb5
>
> and you can enable debugging before mounting in /proc/fs/cifs/, see
> https://wiki.samba.org/index.php/LinuxCIFS_troubleshooting

    [john@ipaserver ~]$ rpm -q cifs-utils
    cifs-utils-6.4-2.fc21.x86_64
    [john@ipaserver mnt]# su root
    [root@ipaserver mnt]# kdestroy
    [root@ipaserver mnt]# kinit admin
    [root@ipaserver mnt]# klist
    Ticket cache: KEYRING:persistent:143444:krb_ccache_As3C1bl
    Default principal: ad...@my.lan

    Valid starting       Expires              Service principal
    2015-01-09 22:40:37  2015-01-10 22:40:32  krbtgt/my@my.lan
    [root@ipaserver mnt]#
    [root@ipaserver mnt]# mount -t cifs //ipaserver.MY.LAN/TheShare --verbose -o sec=krb5 mointpoint
    mount.cifs kernel mount options: ip=192.168.0.103,unc=\\ipaserver.MY.LAN\TheShare,sec=krb5,user=john,pass=
    mount error(126): Required key not available
    Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)

    [fre jan 9 22:40:15 2015] CIFS VFS: Send error in SessSetup = -126
    [fre jan 9 22:40:15 2015] CIFS VFS: cifs_mount failed w/return code = -126
    [fre jan 9 22:40:49 2015] CIFS VFS: Send error in SessSetup = -126
    [fre jan 9 22:40:49 2015] CIFS VFS: cifs_mount failed w/return code = -126
    [fre jan 9 22:42:30 2015] fs/cifs/cifsfs.c: Devname: //ipaserver.MY.LAN/TheShare flags: 0
    [fre jan 9 22:42:30 2015] fs/cifs/connect.c: Username: john
    [fre jan 9 22:42:30 2015] fs/cifs/connect.c: file mode: 0x1ed dir mode: 0x1ed
    [fre jan 9 22:42:30 2015] fs/cifs/connect.c: CIFS VFS: in cifs_mount as Xid: 6 with uid: 0
    [fre jan 9 22:42:30 2015] fs/cifs/connect.c: UNC: \\ipaserver.MY.LAN\TheShare
    [fre jan 9 22:42:30 2015] fs/cifs/connect.c: Socket created
    [fre jan 9 22:42:30 2015] fs/cifs/connect.c: sndbuf 16384 rcvbuf 87380 rcvtimeo 0x1b58
    [fre jan 9 22:42:30 2015] fs/cifs/fscache.c: cifs_fscache_get_client_cookie: (0x88007a28dc00/0x8800736ee000)
    [fre jan 9 22:42:30 2015] fs/cifs/connect.c: CIFS VFS: in cifs_get_smb_ses as Xid: 7 with uid: 0
    [fre jan 9 22:42:30 2015] fs/cifs/connect.c: Existing smb sess not found
    [fre jan 9 22:42:30 2015] fs/cifs/cifssmb.c: Requesting extended security.
    [fre jan 9 22:42:30 2015] fs/cifs/transport.c: For smb_command 114
    [fre jan 9 22:42:30 2015] fs/cifs/transport.c: Sending smb: smb_len=78
    [fre jan 9 22:42:30 2015] fs/cifs/connect.c: Demultiplex PID: 20875
    [fre jan 9 22:42:30 2015] fs/cifs/connect.c: RFC1002 header 0xb5
    [fre jan 9 22:42:30 2015] fs/cifs/misc.c: checkSMB Length: 0xb9, smb_buf_length: 0xb5
    [fre jan 9 22:42:30 2015] fs/cifs/transport.c: cifs_sync_mid_result: cmd=114 mid=1 state=4
    [fre jan 9 22:42:30 2015] fs/cifs/cifssmb.c: Dialect: 2
    [fre jan 9 22:42:30 2015] fs/cifs/asn1.c: OID len = 7 oid = 0x1 0x2 0x348 0xbb92
    [fre jan 9 22:42:30 2015] fs/cifs/asn1.c: OID len = 7 oid = 0x1 0x2 0x348 0x1bb92
    [fre jan 9 22:42:30 2015] fs/cifs/asn1.c: OID len = 10 oid = 0x1 0x3 0x6 0x1
    [fre jan 9 22:42:30 2015] fs/cifs/cifssmb.c: negprot rc 0
    [fre jan 9 22:42:30 2015] fs/cifs/connect.c: Security Mode: 0x3 Capabilities: 0x8080f3fd TimeAdjust: -3600
    [fre jan 9 22:42:30 2015] fs/cifs/sess.c: sess setup type 5
    [fre jan 9 22:42:30 2015] fs/cifs/cifs_spnego.c: key description = ver=0x2;host=ipaserver.MY.LAN;ip4=192.168.0.103;sec=krb5;uid=0x0;creduid=0x0;user=john;pid=0x5188
    [fre jan 9 22:42:30 2015] CIFS VFS: Send error in SessSetup = -126
    [fre jan 9 22:42:30 2015] fs/cifs/connect.c: CIFS VFS: leaving cifs_get_smb_ses (xid = 7) rc = -126
    [fre jan 9 22:42:30 2015] fs/cifs/fscache.c: cifs_fscache_release_client_cookie: (0x88007a28dc00/0x8800736ee000)
    [fre jan 9 22:42:30 2015] fs/cifs/connect.c: CIFS VFS: leaving cifs_mount (xid = 6) rc = -126
    [fre jan 9 22:42:30 2015] CIFS VFS: cifs_mount failed w/return code = -126

Is it okay that the verbose output says sec=krb5,user=john,pass=? I did su from john...

--
john
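The most informative line in that debug output is the cifs_spnego "key description", which is the callout info the kernel hands to cifs.upcall; per cifs.upcall(8) the uid, creduid and pid fields are hex, and creduid is the uid whose Kerberos credential cache cifs.upcall searches for the ticket. The decoder below is an added example, not from the thread or from cifs-utils; the function names are mine and the sample input is copied from the posted dmesg lines.

```shell
# Added example, not from the thread: decodes the cifs_spnego key description
# so the identity the upcall will use (creduid) can be compared with the one
# that ran kinit. Field meanings follow cifs.upcall(8).

# spnego_field DESCRIPTION NAME : value of NAME in a ';'-separated description
spnego_field() {
    printf '%s\n' "$1" | tr ';' '\n' | sed -n "s/^$2=//p"
}

# spnego_summary LOGLINE
# For a "... key description = ..." line, prints one line:
#   host=<host> sec=<sec> user=<user> uid=<dec> creduid=<dec> pid=<dec>
# Returns 1 for any other line, so it can be run over a whole dmesg dump.
spnego_summary() {
    case $1 in *"key description = "*) ;; *) return 1 ;; esac
    _d=${1##*key description = }
    # printf %d accepts the 0x-prefixed values and converts them to decimal
    printf 'host=%s sec=%s user=%s uid=%d creduid=%d pid=%d\n' \
        "$(spnego_field "$_d" host)" "$(spnego_field "$_d" sec)" \
        "$(spnego_field "$_d" user)" "$(spnego_field "$_d" uid)" \
        "$(spnego_field "$_d" creduid)" "$(spnego_field "$_d" pid)"
}

# spnego_from_dmesg : summarise every key description found on stdin
spnego_from_dmesg() {
    while IFS= read -r _line; do
        spnego_summary "$_line" || true
    done
}

# Constructed input: two lines from the posted debug output; only the second
# carries a key description.
SAMPLE_DMESG='[fre jan 9 22:42:30 2015] fs/cifs/sess.c: sess setup type 5
[fre jan 9 22:42:30 2015] fs/cifs/cifs_spnego.c: key description = ver=0x2;host=ipaserver.MY.LAN;ip4=192.168.0.103;sec=krb5;uid=0x0;creduid=0x0;user=john;pid=0x5188'

# On a live system:  dmesg | spnego_from_dmesg
```

For John's line this yields creduid=0, i.e. the upcall looks for root's ticket, which is consistent with his kinit having been run after su; the user=john value is only the SMB username mount.cifs picked up from the invoking login.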
Re: [Freeipa-users] Mount cifs share using kerberos
On Thu, 8 Jan 2015 22:29:00 +0100
John Obaterspok john.obaters...@gmail.com wrote:

> Hello,
>
> I've tried to do the following on the client (and also on the ipaserver itself) where I want to have the ipaserver share mounted.
>
> [root@ipaserver mnt]# mount -t cifs //ipaserver.MY.LAN/TheShare -o sec=krb5 mountpoint
> mount error(126): Required key not available
> Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
>
> (root has an admin ticket acquired)
>
> Any hints for a newbie?

What does klist say? And what version of cifs-utils?

Simo.

> --
> john
>
> 2015-01-08 18:51 GMT+01:00 Simo Sorce s...@redhat.com:
>
>> On Thu, 8 Jan 2015 10:01:50 +0100
>> John Obaterspok john.obaters...@gmail.com wrote:
>>
>>> Hello,
>>>
>>> I have a samba share on the freeipa 4.1 server that I want to mount from another client that is part of the ipa domain.
>>>
>>> I've tried:
>>> mount -t cifs //ipaserver.DOMAIN.LAN/share /mnt/point -o sec=krb5
>>>
>>> Shouldn't I be able to do the mount this way?
>>>
>>> --
>>> john
>>
>> You should be able to, what's the error?
>>
>> Simo.
>>
>> --
>> Simo Sorce * Red Hat, Inc * New York

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Mount cifs share using kerberos
On Thu, 08 Jan 2015, John Obaterspok wrote:
> Hello,
>
> I've tried to do the following on the client (and also on the ipaserver itself) where I want to have the ipaserver share mounted.
>
> [root@ipaserver mnt]# mount -t cifs //ipaserver.MY.LAN/TheShare -o sec=krb5 mountpoint
> mount error(126): Required key not available
> Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
>
> (root has an admin ticket acquired)
>
> Any hints for a newbie?

Do you have proper configuration in request-key.conf(5)?

On Fedora 21 we have /etc/request-key.d/cifs.upcall.conf and /etc/request-key.d/cifs.idmap.conf to allow the kernel to properly fetch Kerberos keys and map IDs of CIFS identities. These configurations are part of the cifs-utils package which also supplies mount.cifs.

--
/ Alexander Bokovoy
Re: [Freeipa-users] Mount cifs share using kerberos
2015-01-09 10:11 GMT+01:00 Alexander Bokovoy aboko...@redhat.com:

> On Thu, 08 Jan 2015, John Obaterspok wrote:
>> Hello,
>>
>> I've tried to do the following on the client (and also on the ipaserver itself) where I want to have the ipaserver share mounted.
>>
>> [root@ipaserver mnt]# mount -t cifs //ipaserver.MY.LAN/TheShare -o sec=krb5 mountpoint
>> mount error(126): Required key not available
>> Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
>>
>> (root has an admin ticket acquired)
>>
>> Any hints for a newbie?
>
> Do you have proper configuration in request-key.conf(5)?

I didn't know about those files, so if there are no defaults then I guess I don't have a proper configuration.

> On Fedora 21 we have /etc/request-key.d/cifs.upcall.conf and
> /etc/request-key.d/cifs.idmap.conf to allow the kernel to properly fetch
> Kerberos keys and map IDs of CIFS identities. These configurations are part
> of the cifs-utils package which also supplies mount.cifs.

Thanks Alexander,

--
john
Re: [Freeipa-users] Configure also-notify for freeipa DNS zones
On 8.1.2015 18:54, Baird, Josh wrote:
> I should also note that adding also-notify { 1.2.3.4; }; to /etc/named.conf on the IPA server does not actually trigger notifies for whatever reason.

AFAIK an also-notify specification in the options {} section is not supported by bind-dyndb-ldap. Feel free to open a feature request here:
https://fedorahosted.org/bind-dyndb-ldap/newticket

If you are a RHEL customer then please contact your support representative, too.

Have a nice day!

Petr^2 Spacek

> -----Original Message-----
> From: Baird, Josh
> Sent: Thursday, January 08, 2015 9:35 AM
> To: freeipa-users@redhat.com
> Subject: Configure also-notify for freeipa DNS zones
>
> Hi,
>
> The docs state this:
>
> DNS slaves will transfer the whole zone periodically as is specified in zone's SOA record. DNS masters also send DNS NOTIFY messages to inform slaves about a change asynchronously.
>
> I have a need to execute zone transfers from my IPA server(s) to non-IPA slaves and I would like the IPA servers to send notifies each time the zone is updated/reloaded (eg, the also-notify option in BIND). Currently, the zone transfer is only executed once the refresh timer in the SOA expires. I don't see an option within IPA to configure the BIND also-notify option.
>
> How can I make my IPA DNS servers send notifies to my non-IPA slave servers so that zone transfers occur immediately after IPA zone updates?
>
> Thanks,
>
> Josh

--
Petr^2 Spacek