Re: [Freeipa-users] freeIPA function basics from user's perspective

2015-03-11 Thread Dmitri Pal

On 03/11/2015 07:57 AM, Robert Erzen wrote:

Thanks for your input.
Since I have most users on Windows clients, I will have to consider 
implementing AD and join Linux servers in.

Any thought on that?

br


I think the best would be to read my blogs.

Jan 20, 2015
An Introduction to Interoperability Challenges in the Modern Enterprise 
http://rhelblog.redhat.com/2015/01/20/an-introduction-to-interoperability-challenges-in-the-modern-enterprise/


Jan 22, 2015
Closing the Integration Gap 
http://rhelblog.redhat.com/2015/01/22/closing-the-integration-gap/


Jan 28, 2015
Aspects of Integration 
http://rhelblog.redhat.com/2015/01/28/aspects-of-integration/


Feb 04, 2015
Overview of Direct Integration Options 
http://rhelblog.redhat.com/2015/02/04/overview-of-direct-integration-options/


Feb 19, 2015
Overview of Indirect Active Directory Integration Using Identity 
Management (IdM) 
http://rhelblog.redhat.com/2015/02/19/overview-of-indirect-active-directory-integration-using-identity-management-idm/


Feb 26, 2015
Active Directory and Identity Management (IdM) Trusts – Exactly Where 
Are My Users? 
http://rhelblog.redhat.com/2015/02/26/active-directory-and-identity-management-idm-trusts-exactly-where-are-my-users/


--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Need to replace cert for ipa servers

2015-03-11 Thread sipazzo


This issue has now gotten much worse and we are unable to enroll clients. We 
are getting an error saying the server does not have a cert:
Do you want download the CA cert from http://ipa1.example.com/ipa/config/ca.crt 
?
(this is INSECURE) [no]: yes
Cannot obtain CA certificate
'http://ipa1.example.com/ipa/config/ca.crt' doesn't have a certificate.
Can we somehow replace our certs and revert back to the original one's issue by 
the dogtag server so we have a standard configuration or is there a clean way 
to fix this issue?
Thank you



I was told the GoDaddy certs were just imported using certutil -a but in 
looking at the certs the original certs were actually replaced. This is only in 
/etc/dirsrv/slapd-REALM-COM:

Certificate Nickname                            Trust Attributes
                                                SSL,S/MIME,JAR/XPI
GD_CA                                           CT,C,C
NWF_GD                                          u,u,u

The certs in /etc/dirsrv/slapd-PKI-CA are still the originals:

[root@ipa2-corp ~]# certutil -L -d /etc/dirsrv/slapd-PKI-IPA/
Certificate Nickname                            Trust Attributes
                                                SSL,S/MIME,JAR/XPI
IPADOMAIN.COM IPA CA                            CT,C,
Server-Cert                                     u,u,u

I am not even sure how this even works or if it can be fixed? Should/Can we go 
back to using the original dogtag certs?

From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Dmitri Pal
Sent: Wednesday, March 04, 2015 2:57 PM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Need to replace cert for ipa servers

On 03/04/2015 04:32 PM, sipazzo wrote:

Good afternoon, we have a freeipa 3.0.42 installation running on Red Hat 6.6 
with a mix of rhel 5, rhel6 and Solaris clients. It was originally configured 
with the built-in dogtag certificate CA and then one of my co-workers added our 

[Freeipa-users] ipa-server setup with external CA fails

2015-03-11 Thread Gould, Joshua
We're trying to set up IPA with it acting as an intermediate CA against our
test Active Directory environment.

The first part goes well:

# ipa-server-install -a admin-pass --hostname=server.domain.com -n
unix.test.osuwmc -p password -P password -r UNIX.TEST.OSUWMC
--external-ca --external-ca-type=ms-cs

We send our CSR off to our AD admin and he signs it and gives us the cert.
We go to import the cert with:

# ipa-server-install --external-cert-file=/root/ipa.crt

It blows up when trying to create the RA cert.

2015-03-10T21:17:55Z DEBUG Process finished, return code=0
2015-03-10T21:17:55Z DEBUG stdout=
Certificate request generated by Netscape certutil
Phone: (not specified)
Common Name: IPA RA
Email: (not specified)
Organization: UNIX.TEST.OSUWMC
State: (not specified)
Country: (not specified)
-BEGIN NEW CERTIFICATE REQUEST-
-END NEW CERTIFICATE REQUEST-
2015-03-10T21:17:55Z DEBUG stderr=
Generating key.  This may take a few moments...
2015-03-10T21:17:55Z DEBUG Traceback (most recent call last):
   File /usr/lib/python2.7/site-packages/ipaserver/install/service.py,
line 382, in start_creation
 run_step(full_msg, method)
   File /usr/lib/python2.7/site-packages/ipaserver/install/service.py,
line 372, in run_step
 method()
   File
/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py, line
1149, in __request_ra_certificate
 self.requestId = item_node[0].childNodes[0].data
IndexError: list index out of range
2015-03-10T21:17:55Z DEBUG   [error] IndexError: list index out of range
2015-03-10T21:17:55Z DEBUG   File
/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py,
line 646, in run_script
 return_value = main_function()
   File /sbin/ipa-server-install, line 1170, in main
 ca_signing_algorithm=options.ca_signing_algorithm)
   File
/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py, line
520, in configure_instance
 self.start_creation(runtime=210)
   File /usr/lib/python2.7/site-packages/ipaserver/install/service.py,
line 382, in start_creation
 run_step(full_msg, method)
   File /usr/lib/python2.7/site-packages/ipaserver/install/service.py,
line 372, in run_step
 method()
   File
/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py, line
1149, in __request_ra_certificate
 self.requestId = item_node[0].childNodes[0].data
2015-03-10T21:17:55Z DEBUG The ipa-server-install command failed,
exception: IndexError: list index out of range


I've looked at the debug log. I believe this is the part that's most
helpful.

[10/Mar/2015:17:17:24][localhost-startStop-1]:
SelfTestSubsystem::runSelfTestsAtStartup():  ENTERING . . .
[10/Mar/2015:17:17:24][localhost-startStop-1]:
SelfTestSubsystem::runSelfTestsAtStartup():running CAPresence
[10/Mar/2015:17:17:24][localhost-startStop-1]:
SelfTestSubsystem::runSelfTestsAtStartup():running
SystemCertsVerification
[10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils:
verifySystemCerts() cert tag=signing
[10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils:
verifySystemCertByNickname(): calling isCertValid()
[10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils:
verifySystemCertByNickname() failed:caSigningCert cert-pki-ca
[10/Mar/2015:17:17:24][localhost-startStop-1]: SignedAuditEventFactory:
create() 
message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=Fai
lure][CertNickName=caSigningCert cert-pki-ca] CIMC certificate verification

[10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils:
verifySystemCerts() cert tag=ocsp_signing
[10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils:
verifySystemCertByNickname(): calling isCertValid()
[10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils:
verifySystemCertByNickname() failed:ocspSigningCert cert-pki-ca
[10/Mar/2015:17:17:24][localhost-startStop-1]: SignedAuditEventFactory:
create() 
message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=Fai
lure][CertNickName=ocspSigningCert cert-pki-ca] CIMC certificate
verification

[10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils:
verifySystemCerts() cert tag=sslserver

Re: [Freeipa-users] ipa-server setup with external CA fails

2015-03-11 Thread Dmitri Pal

On 03/11/2015 11:13 AM, Gould, Joshua wrote:


[Freeipa-users] Backwards compatability

2015-03-11 Thread Andrew Holway
Hi,

We have a mix of CentOS 6 and CentOS 7 machines which we would like to
manage with FreeIPA.

I remember that setting up FreeIPA on CentOS 6 can be a bit tricky, although
I found this method which works.

https://www.redhat.com/archives/freeipa-users/2013-June/msg00064.html

I imagine the CentOS 7 client setup is somewhat more streamlined.

Assuming we install FreeIPA on CentOS 7, will our CentOS 6 clients have any
problems connecting? Any caveats which we should be aware of?

Thanks,

Andrew

Re: [Freeipa-users] how can i create home directories automatically on solaris while IPA user login

2015-03-11 Thread Dmitri Pal

On 03/11/2015 09:50 AM, Ben .T.George wrote:

Hi,

I am able to reach the level where an IPA user can log in on the 
Solaris box,


but how can I create home directories automatically on Solaris when an 
IPA user logs in?


Even if I change the shell in the IPA web interface, that is getting applied. 
I saw some option in the IPA 3.3 web interface like automount and that is 
not in IPA 4.1.2.


All the options are still there. The menus got re-arranged a bit.
Hopefully someone with Solaris knowledge will help you with the rest.



Please, can anyone tell me where it is and how I can achieve this?

regards,
Ben





--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.


Re: [Freeipa-users] how can i create home directories automatically on solaris while IPA user login

2015-03-11 Thread Ben .T.George
Hi,

Thanks for the reply.

I even tried the native auto_master file with a directory-checking script. If I
feed the user manually to the script, the directory is created, but when the
login request comes, it isn't.

I don't think anyone did a full Solaris integration until now, as I asked many
questions related to that.

Now I am a little bit confident up to this level, and if everything is
working fine, I will try to create an automated script for the IPA join.

Regards,
Ben




Re: [Freeipa-users] Need to replace cert for ipa servers

2015-03-11 Thread Rob Crittenden
sipazzo wrote:
  
  
 
 
 This issue has now gotten much worse and we are unable to enroll
 clients. We are getting an error saying the server does not have a cert:
 
 Do you want download the CA cert from
 http://ipa1.example.com/ipa/config/ca.crt ?
 (this is INSECURE) [no]: yes
 Cannot obtain CA certificate
 'http://ipa1.example.com/ipa/config/ca.crt' doesn't have a certificate.

I don't see how this is at all related, or new.

The CA cert exists in the filesystem in /usr/share/ipa/html/ca.crt. It
wouldn't be affected by expiring certificates.

 Can we somehow replace our certs and revert back to the original one's
 issue by the dogtag server so we have a standard configuration or is
 there a clean way to fix this issue?

You swapped out for the GoDaddy cert for a reason. I'd start there. Do
you need to retain that cert or is it acceptable to try to revert back
to IPA server certs?

Note that going back could affect clients enrolled using the GoDaddy
cert depending on how your machines are configured (if using SSSD then
not likely a problem). As Dmitri said we mostly use Kerberos to communicate.

rob

 
 Thank you
 
 
 
 I was told the GoDaddy certs were just imported using certutil -a but in
 looking at the certs the original certs were actually replaced. This is
 only in /etc/dirsrv/slapd-REALM-COM:
  
 Certificate Nickname                            Trust Attributes
                                                 SSL,S/MIME,JAR/XPI
 GD_CA                                           CT,C,C
 NWF_GD                                          u,u,u
  
 The certs in /etc/dirsrv/slapd-PKI-CA are still the originals:
  
 [root@ipa2-corp ~]# certutil -L -d /etc/dirsrv/slapd-PKI-IPA/
  
 Certificate Nickname                            Trust Attributes
                                                 SSL,S/MIME,JAR/XPI
 IPADOMAIN.COM IPA CA                            CT,C,
 Server-Cert                                     u,u,u
  
 I am not even sure how this even works or if it can be fixed?
 Should/Can we go back to using the original dogtag certs?
 
  
 From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Dmitri Pal
 Sent: Wednesday, March 04, 2015 2:57 PM
 To: freeipa-users@redhat.com
 Subject: Re: [Freeipa-users] Need to replace cert for ipa servers
  
 On 03/04/2015 04:32 PM, sipazzo wrote:
 
 Good afternoon, we have a freeipa 3.0.42 installation running on
 Red Hat 6.6 with a mix of rhel 5, rhel6 and Solaris clients. It was
 originally configured with the built-in dogtag certificate CA and
 then one of my co-workers added our GoDaddy certificate to the
 certificate bundle. My understanding is this cert is used for
 communication between the ipa servers, and the clients are
 also configured to trust the GoDaddy certificate. We recently had to
 get a new GoDaddy cert so our old one is revoked. I need to figure
 out how to either replace the existing revoked cert with the new one
 or add the new one to the bundle and then remove the revoked
 certificate so as not to break anything.
  
 Any help is appreciated. I am not strong with certificates so the
 more detail you can give the better.
 Thank you.
  
 
 You say it was running with the self-signed IPA CA and then the GoDaddy cert
 was added to the bundle. How was it added?
 IPA does not use certs for communication between the instances. It uses
 Kerberos. I am not sure the GoDaddy cert you added is even used in some
 way by IPA.
 It seems that your GoDaddy cert is an orthogonal trust, so if you
 replaced the main key pair then you just need to distribute your new
 GoDaddy cert to the clients as you did in the first place.
 
 
 -- 
 
 Thank you,
 
 Dmitri Pal
 
   
 
 Sr. Engineering Manager IdM portfolio
 
 Red Hat, Inc.
 
  
  
 
 
 
 



Re: [Freeipa-users] how can i create home directories automatically on solaris while IPA user login

2015-03-11 Thread Ben .T.George
Hi Natxo,

I think your solution will work in my case. Seems like both OSs are the same,
using OpenSolaris.

Anyway, let me try this and I will let you know the status.

Thanks & regards,
Ben

On Wed, Mar 11, 2015 at 10:51 PM, Natxo Asenjo natxo.ase...@gmail.com
wrote:

 On Wed, Mar 11, 2015 at 8:36 PM, Rob Crittenden rcrit...@redhat.com
 wrote:

 automount is not a technology that automatically creates directories, it
 just automatically mounts them on demand.

 I'm not aware of a way to automatically create directories on new-user
 logins in Solaris.


 I have not used 'official' solaris but using omnios (open solaris
 derivative) I have used this with their automounter:

 http://omnios.omniti.com/wiki.php/GeneralAdministration#Addinglocalusers

 Quite nifty. It should work with solaris as well (well, maybe with a
 little work).

 --
 regards,
 natxo


Re: [Freeipa-users] ipa-server setup with external CA fails

2015-03-11 Thread Martin Kosek

On 03/11/2015 06:33 PM, Gould, Joshua wrote:

We’re trying to setup RHEL7 with the latest updates. Our ipa-server shows
ipa-server-4.1.0-18.el7.x86_64.

On 3/11/15, 12:39 PM, Dmitri Pal d...@redhat.com wrote:


On 03/11/2015 11:13 AM, Gould, Joshua wrote:


Re: [Freeipa-users] how can i create home directories automatically on solaris while IPA user login

2015-03-11 Thread sipazzo
This is how we use the automounter to automatically create home directories for 
ipa users under /export/home/ and mount them under /home/ on Solaris 10, as 
well as copy over the profile files and assign the appropriate owner and group.
We first created a service account called auth in ipa to allow ldap lookups 
with no password expiration.

On the clients create a mkhomedir script in /usr/local/adm (or wherever you 
like):

#!/bin/ksh -p

HOMEDIRPATH=/home
PHYSICALDIRPATH=/export/home

# $1 is the automount map key, i.e. the user name that was looked up under /home
phdir=$PHYSICALDIRPATH/$1

# Home directory already exists: just hand the map entry back to automountd
if [ -d "$phdir" ]; then
    echo "localhost:$phdir"
    exit 0
fi

mkdir -p "$phdir"

# Perform an LDAP lookup to get the primary group of the user logging in.
# Note that a password passed with -w is visible to every local user in the
# process list; a password file is the safer choice.
GID=`ldapsearch -h idmserver.example.com \
    -D uid=auth,cn=users,cn=accounts,dc=example,dc=com -w 'authpassword' \
    -b cn=users,cn=accounts,dc=example,dc=com "(uid=$1)" \
    | grep '^gidNumber:' | cut -d ' ' -f2`

# Copy profile files
cp /etc/skel/.bash_profile "$phdir/.bash_profile"
cp /etc/skel/.bashrc "$phdir/.bashrc"
cp /etc/skel/.profile "$phdir/.profile"
cp /etc/skel/.vimrc "$phdir/.vimrc"

# Change the owner and group to the user logging in
chown -R "$1:$GID" "$phdir"

echo "localhost:$phdir"
##END

You need to change permissions on the mkhomedir script to 755.


Log in to the client directly as root so you can move home directories around 
(edit /etc/ssh/sshd_config if needed to allow this).

Ensure no one else is logged in.
Ensure nothing else is mounted in /export/home.

Copy home directories to /export/home:
    rsync -av /home/ /export/home/

Add this line to the /etc/auto_master file so the mkhomedir script runs at 
login:
    /home   /usr/local/adm/mkhomedir

Remove the original /home/ directories:
    rm -rf /home/*

Restart autofs so the change takes effect:
    svcadm restart autofs

Make sure you change your sshd_config back if you don't wish to allow root ssh 
access.
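A hardened version of the executable automount map described above, added here as an example and not the poster's script: the map key is validated before it reaches ldapsearch or mkdir (any local process can trigger a lookup of /home/<anything>), the bind password is read from a root-only file instead of being passed on the command line, the directory is created 0700, and ownership is set by numeric IDs. The host, bind DN, base DN and password-file path are assumed values, as are the OpenLDAP ldapsearch flags (-H, -x, -y, -LLL); the native Solaris 10 ldapsearch takes the password file with -j instead.

```shell
#!/bin/sh
# Executable automount map for /home. automountd runs it as root with the map
# key (the name looked up under /home) as $1 and expects "host:path" on stdout
# for keys it can serve and nothing for keys it cannot.

PHYSICALDIRPATH=${PHYSICALDIRPATH:-/export/home}
SKEL_DIR=${SKEL_DIR:-/etc/skel}
LDAP_HOST=${LDAP_HOST:-idmserver.example.com}            # assumed value
BIND_DN='uid=auth,cn=users,cn=accounts,dc=example,dc=com' # assumed value
BASE_DN='cn=users,cn=accounts,dc=example,dc=com'          # assumed value
BIND_PW_FILE=${BIND_PW_FILE:-/etc/mkhomedir.pw}          # assumed path, mode 0600
CHOWN=${CHOWN:-chown}

# The map key is untrusted input. Accept only portable user names; this also
# keeps LDAP filter metacharacters ( ) * \ and path components such as ".."
# away from ldapsearch and mkdir.
valid_user() {
    case "$1" in
        ''|.*|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# Read LDIF on stdin and print "uidNumber gidNumber" once, or nothing if either
# attribute is missing, so a failed lookup never produces a half result.
parse_ids() {
    awk '/^uidNumber: /{u=$2} /^gidNumber: /{g=$2}
         END{ if (u != "" && g != "") print u, g }'
}

# Look the user up in IPA. The bind password comes from a root-only file rather
# than -w on the command line, where it would show up in the process list.
lookup_ids() {
    ldapsearch -LLL -x -H "ldap://$LDAP_HOST" -D "$BIND_DN" -y "$BIND_PW_FILE" \
        -b "$BASE_DN" "(&(objectClass=posixAccount)(uid=$1))" uidNumber gidNumber |
        parse_ids
}

# Create <PHYSICALDIRPATH>/<user> for uid $2 / gid $3 if it does not exist,
# seed it from the skeleton directory, and print the automount entry.
make_home() {
    user=$1 uid=$2 gid=$3
    phdir="$PHYSICALDIRPATH/$user"
    if [ ! -d "$phdir" ]; then
        # 0700 from the start: nothing is world-readable between mkdir and chown
        ( umask 077 && mkdir -p "$phdir" ) || return 1
        for f in "$SKEL_DIR"/.[!.]* "$SKEL_DIR"/*; do
            if [ -f "$f" ]; then cp -p "$f" "$phdir/"; fi
        done
        # numeric ids: the user need not be resolvable through NSS on this host
        $CHOWN -R "$uid:$gid" "$phdir" || return 1
    fi
    echo "localhost:$phdir"
}

# Entry point used by automountd: key in, map entry (or nothing) out.
mkhomedir_map() {
    valid_user "$1" || return 1
    ids=$(lookup_ids "$1") || return 1
    [ -n "$ids" ] || return 1
    set -- "$1" $ids
    make_home "$1" "$2" "$3"
}

# Constructed LDIF in the shape parse_ids expects from the lookup above.
SAMPLE_LDIF='dn: uid=jdoe,cn=users,cn=accounts,dc=example,dc=com
uidNumber: 1500
gidNumber: 1500
'

# Act as a map only when automountd passes a key; with no argument just
# define the functions so the script can be exercised in isolation.
if [ $# -gt 0 ]; then
    mkhomedir_map "$1"
    exit $?
fi
```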
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Ben .T.George
Sent: Wednesday, March 11, 2015 11:22 AM
To: dpal
Cc: freeipa-users
Subject: Re: [Freeipa-users] how can i create home directories automatically on solaris while IPA user login


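As an added example (not sipazzo's script and not FreeIPA project code), here is a version of the executable automount map that closes the two holes a reviewer would flag in the posted one: the login name arrives as $1 and is spliced unescaped into both an LDAP filter and a filesystem path, and the bind password sits on the command line where `ps` can see it. The IPA host, bind DN, password file and home base are assumptions; the ldapsearch flags are OpenLDAP's (Solaris' native ldapsearch reads the password file with -j rather than -y).

```shell
#!/bin/sh
# Added example, not the script from the post: executable automount map for
# Solaris autofs. autofs invokes it as "mkhomedir <key>" and reads one map
# entry from stdout. Settings below are assumptions, not from the thread.
LDAP_HOST="idmserver.example.com"
BIND_DN="uid=auth,cn=users,cn=accounts,dc=example,dc=com"
BIND_PW_FILE="/usr/local/adm/mkhomedir.pw"      # root-owned, mode 0600
USER_BASE="cn=users,cn=accounts,dc=example,dc=com"
HOME_BASE="/export/home"

# Accept only plain POSIX login names. The key is attacker-influenced (any
# path lookup under /home triggers the map), so "../x" or "*" must never
# reach the LDAP filter or the filesystem.
valid_username() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*|.*|-*) return 1 ;;
        *) return 0 ;;
    esac
}

# Escape a value for an LDAP search filter (RFC 4515 encoding).
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Pull gidNumber out of LDIF on stdin; prints nothing when absent.
gid_from_ldif() {
    awk '/^gidNumber: /{print $2; exit}'
}

# Look the user up over LDAP (OpenLDAP ldapsearch flags; -y keeps the
# password out of the process list).
lookup_gid() {
    ldapsearch -LLL -h "$LDAP_HOST" -D "$BIND_DN" -y "$BIND_PW_FILE" \
        -b "$USER_BASE" "(uid=$(ldap_filter_escape "$1"))" gidNumber \
        | gid_from_ldif
}

# Create the home directory on first use and print the map entry.
# mkdir runs under umask 077 so the directory is never world-readable,
# not even between creation and chown.
map_entry() {
    user="$1"; gid="$2"; base="${3:-$HOME_BASE}"
    valid_username "$user" || return 1
    case "$gid" in ''|*[!0-9]*) return 1 ;; esac
    phdir="$base/$user"
    if [ ! -d "$phdir" ]; then
        (umask 077 && mkdir "$phdir") || return 1
        for f in .bash_profile .bashrc .profile .vimrc; do
            if [ -f "/etc/skel/$f" ]; then cp "/etc/skel/$f" "$phdir/$f"; fi
        done
        chown -R "$user:$gid" "$phdir" || return 1
    fi
    printf 'localhost:%s\n' "$phdir"
}

# Entry point when autofs runs the map (no arguments when sourced for tests).
if [ $# -gt 0 ]; then
    valid_username "$1" || exit 1
    gid="$(lookup_gid "$1")"
    [ -n "$gid" ] || exit 1
    map_entry "$1" "$gid"
fi
```

Install it as /usr/local/adm/mkhomedir with mode 755 and the same auto_master line as in the post; a key that fails validation, or a user without a gidNumber in IPA, gets no map entry and therefore no mount.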
Re: [Freeipa-users] Extending IPA to include multiple (say 5) fields for MAC addresses per user

2015-03-11 Thread Dmitri Pal

On 03/11/2015 03:43 PM, Steven Jones wrote:


Hi,


I have been asked to look at packetfence and linking it to IPA for 
authentication but I might need to allow users to login into their IPA 
info and add MAC addresses themselves, this is possible I think?



Since ppl these days can have 3 mobile devices, (ipad, iphone and 
laptop) I would need multiple MAC fields so would have to extend IPA's 
schema? is this a good idea?




I would treat the devices as hosts rather than extend user schema.
But can you explain the use case and what you have in mind.
Based on the PF site they support different LDAP servers for 
authentication so I am not sure any schema change would be needed.






regards

Steven







--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] ipa-server setup with external CA fails

2015-03-11 Thread Gould, Joshua
We’re trying to setup RHEL7 with the latest updates. Our ipa-server shows
ipa-server-4.1.0-18.el7.x86_64.

On 3/11/15, 12:39 PM, Dmitri Pal d...@redhat.com wrote:

On 03/11/2015 11:13 AM, Gould, Joshua wrote:
 We're trying to setup IPA with it acting as an intermediate CA against
 our test Active Directory environment.

 The first part goes well:

 # ipa-server-install -a admin-pass --hostname=server.domain.com -n
 unix.test.osuwmc -p  password -P password  -r UNIX.TEST.OSUWMC
 --external-ca --external-ca-type=ms-cs

 We send our CSR off to our AD admin and he signs it and gives us the
 cert.
 We go to import the cert with:

 # ipa-server-install  --external-cert-file=/root/ipa.crt

 It blows up when trying to create the RA cert.

 2015-03-10T21:17:55Z DEBUG Process finished, return code=0
 2015-03-10T21:17:55Z DEBUG stdout=
 Certificate request generated by Netscape certutil
 Phone: (not specified)
 Common Name: IPA RA
 Email: (not specified)
 Organization: UNIX.TEST.OSUWMC
 State: (not specified)
 Country: (not specified)
 -BEGIN NEW CERTIFICATE REQUEST-
 MIICcTCCAVkCAQAwLDEZMBcGA1UEChMQVU5JWC5URVNULk9TVVdNQzEPMA0GA1UE
 AxMGSVBBIFJBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0DavkHxe
 PoY8q6UWCAHKWOCCv8PvU7J5scsmdLfjSyN8rIgq8pGoICAqawm9lZntD8G/7sJQ
 H2bNDe08DooGbdTLHB2j3JViUUlQn2YlWw7IXm6mgwxStGLSS/G+CnyVPdGWV48X
 GHb7GLLNYD8nhpzNzqVGsVMTyV/dqD7y8srbpPjmAqH+VjKLDSmr3pgV2IvOUEpW
 wePYJW7h4FBQtwQpPgo30oXMqXa/ob8RJ4NQ74Uv6irq9G2IXNpKhAbHB1YZ+DGm
 FJFlURdxey0FUbDn1WqMeVLa6SMURZI1zncMxB6bwgax/2VdYVeYHiVU9GgGmw0F
 VgUjgpg0RMCaSQIDAQABoAAwDQYJKoZIhvcNAQEFBQADggEBAI1YCN5oS2o5+fky
 jTNCeWFq+oEyHcuPtGzBAA5HMNEsoFvIY0sut+lf7Upw/ZHvV/F09DPwT+Xrm8yp
 D0e6F6HawEV+NvKYk2kmpK9xxyOi0raBz1WuvlmqwGhiTOxpk+nIW5wiNhiOJmzd
 xLojqGnkP5tBuYtHXUFqps7KDknsk5VxoAGe3/ZvsDvqlYXF93V+/nXv90X2yEKH
 +wLUCDtS5WRWtnxTs1bWsMjBsTyDcv8XBdWqDO/4DVLs9HjHijfsUtUqg8bR5dU1
 kVM+yLXVogJPBMN79SJQ1un8IWNMHCallsX3urNbXxYuSlqsh6UCdRLXFW44jJIK
 xAmXvOg=
 -END NEW CERTIFICATE REQUEST-
 2015-03-10T21:17:55Z DEBUG stderr=
 Generating key.  This may take a few moments...
 2015-03-10T21:17:55Z DEBUG Traceback (most recent call last):
 File 
/usr/lib/python2.7/site-packages/ipaserver/install/service.py,
 line 382, in start_creation
   run_step(full_msg, method)
 File 
/usr/lib/python2.7/site-packages/ipaserver/install/service.py,
 line 372, in run_step
   method()
 File
 /usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py, line
 1149, in __request_ra_certificate
   self.requestId = item_node[0].childNodes[0].data
 IndexError: list index out of range
 2015-03-10T21:17:55Z DEBUG   [error] IndexError: list index out of range
 2015-03-10T21:17:55Z DEBUG   File
 /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py,
 line 646, in run_script
   return_value = main_function()
 File /sbin/ipa-server-install, line 1170, in main
   ca_signing_algorithm=options.ca_signing_algorithm)
 File
 /usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py, line
 520, in configure_instance
   self.start_creation(runtime=210)
 File 
/usr/lib/python2.7/site-packages/ipaserver/install/service.py,
 line 382, in start_creation
   run_step(full_msg, method)
 File 
/usr/lib/python2.7/site-packages/ipaserver/install/service.py,
 line 372, in run_step
   method()
 File
 /usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py, line
 1149, in __request_ra_certificate
   self.requestId = item_node[0].childNodes[0].data
 2015-03-10T21:17:55Z DEBUG The ipa-server-install command failed,
 exception: IndexError: list index out of range


 I've looked at the debug log. I believe this is the part that's most
 helpful.

 [10/Mar/2015:17:17:24][localhost-startStop-1]:
 SelfTestSubsystem::runSelfTestsAtStartup():  ENTERING . . .
 [10/Mar/2015:17:17:24][localhost-startStop-1]:
 SelfTestSubsystem::runSelfTestsAtStartup():running CAPresence
 [10/Mar/2015:17:17:24][localhost-startStop-1]:
 SelfTestSubsystem::runSelfTestsAtStartup():running
 SystemCertsVerification
 [10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils:
 verifySystemCerts() cert tag=signing
 [10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils:
 verifySystemCertByNickname(): calling isCertValid()
 [10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils:
 verifySystemCertByNickname() failed:caSigningCert cert-pki-ca
 [10/Mar/2015:17:17:24][localhost-startStop-1]: SignedAuditEventFactory:
 create()
 message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=Failure][CertNickName=caSigningCert cert-pki-ca] CIMC certificate verification

 [10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils:
 verifySystemCerts() cert tag=ocsp_signing
 [10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils:
 verifySystemCertByNickname(): calling isCertValid()
 [10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils:
 verifySystemCertByNickname() failed:ocspSigningCert cert-pki-ca
 

[Freeipa-users] IPA 4.1.0 in RHEL 7.1

2015-03-11 Thread Erinn Looney-Triggs
First off congratulations on getting this out. Love the new UI, all pretty and 
integrates well with the access.redhat.com UI. 

Second, did DNSSEC not make the chop? It looks like for FreeIPA DNSSEC was 
included in the 4.1.0 release, but near as I can tell it is not part of IPA 
4.1.0 in RHEL 7.1.

Third, there appears to be a behavior change in ipalib. I cleaned up a 
little inventory script for ansible, you can take a look at it here: 
https://github.com/ansible/ansible/blob/devel/plugins/inventory/freeipa.py

Before RHEL 7.1 the call to api.Command.hostgroup_find()['result'] on line 30 
worked, now it fails:

Traceback (most recent call last):
  File ./freeipa.py, line 133, in <module>
list_groups(api)
  File ./freeipa.py, line 71, in list_groups
result = api.Command.host_find()['result']
  File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 439, in 
__call__
ret = self.run(*args, **options)
  File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 755, in run
return self.forward(*args, **options)
  File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 776, in 
forward
return self.Backend.rpcclient.forward(self.name, *args, **kw)
  File /usr/lib/python2.7/site-packages/ipalib/rpc.py, line 880, in forward
command = getattr(self.conn, name)
  File /usr/lib/python2.7/site-packages/ipalib/backend.py, line 97, in 
__get_conn
self.id, threading.currentThread().getName())
AttributeError: no context.rpcclient in thread 'MainThread'

Is this expected? Is this a regression?

Thanks again for your work.

-Erinn

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] how can i create home directories automatically on solaris while IPA user login

2015-03-11 Thread Rob Crittenden
Ben .T.George wrote:
 Hi,
 
 Thanks for the reply.
 
 I even tried the native auto_master file with a directory-checking script. If
 I feed the user manually to the script, the directory is created, but
 when the login request comes, it isn't.
 
 I don't think anyone has done a full Solaris integration until now, as I asked
 many questions related to that.
 
 Now I am a little bit confident up to this level, and if everything is
 working fine, I will try to create an automated script for the IPA join.

automount is not a technology that automatically creates directories, it
just automatically mounts them on demand.

I'm not aware of a way to automatically create directories on new-user
logins in Solaris.

rob

 
 Regards,
 Ben
 
 
 
 On Wed, Mar 11, 2015 at 7:32 PM, Dmitri Pal d...@redhat.com
 mailto:d...@redhat.com wrote:
 
 On 03/11/2015 09:50 AM, Ben .T.George wrote:
 Hi,

 I am able to reach the level where an IPA user can log in on the
 Solaris box,

 but how can I create home directories automatically on Solaris
 when an IPA user logs in?

 When I change the shell in the IPA web interface, that takes
 effect. I saw an option in the IPA 3.3 web interface like
 automount, and that is not in IPA 4.1.2.
 
 All the options are still there. The menus got re-arranged a bit.
 Hopefully someone with Solaris knowledge will help you with the rest.
 

 please anyone tell me where it is and how can i achieve this

 regards,
 Ben


 
 
 -- 
 Thank you,
 Dmitri Pal
 
 Sr. Engineering Manager IdM portfolio
 Red Hat, Inc.
 
 
 --
 Manage your subscription for the Freeipa-users mailing list:
 https://www.redhat.com/mailman/listinfo/freeipa-users
 Go to http://freeipa.org for more info on the project
 
 
 
 

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] IPA 4.1.0 in RHEL 7.1

2015-03-11 Thread Steven Jones
==
[root@vuwunicoipam004 ipa-certs]# ipa-replica-install --setup-dns 
--forwarder=10.100.32.31 -U replica-info-vuwunicoipam004.ods.vuw.ac.nz.gpg  
--skip-conncheck
Checking forwarders, please wait ...
WARNING: DNS forwarder 10.100.32.31 does not return DNSSEC signatures in answers
Please fix forwarder configuration to enable DNSSEC support.
(For BIND 9 add directive dnssec-enable yes; to options {})
WARNING: DNSSEC validation will be disabled
==

The AD server is a win2k12r2.

regards

Steven

From: freeipa-users-boun...@redhat.com freeipa-users-boun...@redhat.com on 
behalf of Dmitri Pal d...@redhat.com
Sent: Thursday, 12 March 2015 9:07 a.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] IPA 4.1.0 in RHEL 7.1

On 03/11/2015 03:49 PM, Steven Jones wrote:
 Hi,

 When I try to join a 7.1 based replica to an existing setup and use an AD 
 forwarder the command complains that the AD box isnt doing DNSSEC suggesting 
 to me it is present in 7.1?

Can you share the message that you get and what steps you take to get to
that message?


 At the moment however I cant join a 7.1 based IPA server into a 6.6 based IPA 
 cluster.  Or a 7.1 client to IPA, to 6.6 for that matter, 7.0 works fine 
 though.


 regards

 Steven

 
 From: freeipa-users-boun...@redhat.com freeipa-users-boun...@redhat.com on 
 behalf of Erinn Looney-Triggs erinn.looneytri...@gmail.com
 Sent: Thursday, 12 March 2015 8:15 a.m.
 To: freeipa-users@redhat.com
 Subject: [Freeipa-users] IPA 4.1.0 in RHEL 7.1

 First off congratulations on getting this out. Love the new UI, all pretty and
 integrates well with the access.redhat.com UI.

 Second, did DNSSEC not make the chop? It looks like for FreeIPA DNSSEC was
 included in the 4.1.0 release, but near as I can tell it is not part of IPA
 4.1.0 in RHEL 7.1.

 Third, there appears to be a behavior change in ipalib. I cleaned up a
 little inventory script for ansible, you can take a look at it here:
 https://github.com/ansible/ansible/blob/devel/plugins/inventory/freeipa.py

 Before RHEL 7.1 the call to api.Command.hostgroup_find()['result'] on line 30
 worked, now it fails:

 Traceback (most recent call last):
   File ./freeipa.py, line 133, in <module>
  list_groups(api)
File ./freeipa.py, line 71, in list_groups
  result = api.Command.host_find()['result']
File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 439, in
 __call__
  ret = self.run(*args, **options)
File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 755, in 
 run
  return self.forward(*args, **options)
File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 776, in
 forward
  return self.Backend.rpcclient.forward(self.name, *args, **kw)
File /usr/lib/python2.7/site-packages/ipalib/rpc.py, line 880, in forward
  command = getattr(self.conn, name)
File /usr/lib/python2.7/site-packages/ipalib/backend.py, line 97, in
 __get_conn
  self.id, threading.currentThread().getName())
 AttributeError: no context.rpcclient in thread 'MainThread'

 Is this expected? Is this a regression?

 Thanks again for your work.

 -Erinn



--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
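The installer output Steven pasted is the forwarder check failing: the replica asked 10.100.32.31 for DNSSEC records and got an answer with no signatures, so validation was switched off. As an added example (not ipa-replica-install's own code), the shell below runs the equivalent query with dig and classifies the reply, so the forwarder can be checked and re-checked after the fix without re-running the installer. The forwarder address is the one from the post; the two dig transcripts are constructed samples.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the forwarder check that made
# ipa-replica-install print "does not return DNSSEC signatures in answers".
# The installer queries the forwarder with the DO bit set; a forwarder that
# answers without RRSIG records cannot feed a validating resolver, so the
# installer turns DNSSEC validation off. The forwarder address is the one
# from the post; the two dig transcripts below are constructed samples.

# Read dig output on stdin, print one of: signed, unsigned, no-answer.
classify_dig_output() {
    awk '
        /status: / && $0 !~ /status: NOERROR/ { bad = 1 }
        /^[^;]/ && /[[:space:]]IN[[:space:]]+RRSIG[[:space:]]/ { sig = 1 }
        /^[^;]/ && /[[:space:]]IN[[:space:]]/ { answer = 1 }
        END {
            if (bad || !answer) print "no-answer"
            else if (sig)        print "signed"
            else                 print "unsigned"
        }'
}

# Live check against a forwarder: root SOA with DNSSEC records requested.
check_forwarder() {
    dig +dnssec +noall +comments +answer @"$1" . SOA | classify_dig_output
}

# Constructed sample: what a DNSSEC-capable forwarder returns.
SAMPLE_SIGNED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
.   86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2015031100 1800 900 604800 86400
.   86400 IN RRSIG SOA 8 0 86400 20150321000000 20150311000000 16665 . c29tZXNpZw=='

# Constructed sample: a forwarder that strips RRSIGs (the warning case).
SAMPLE_UNSIGNED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
.   86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2015031100 1800 900 604800 86400'

# Usage:  check_forwarder 10.100.32.31
# "unsigned" is the installer's warning case; for a BIND 9 forwarder the
# installer's own hint applies (dnssec-enable yes; in options {}).
```

The "ad" flag in the signed sample is a bonus, not a requirement: it means the forwarder validated the answer itself, whereas the installer only needs the RRSIGs passed through so the IPA server can validate.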


Re: [Freeipa-users] Extending IPA to include multiple (say 5) fields for MAC addresses per user

2015-03-11 Thread Steven Jones
Hi,


Hosts however would have to be joined by an admin?


They also wouldn't be very IPA aware and stable from what I can see, i.e. joining 
a non-RH OS to IPA just looks an awful nightmare, especially for 1+ devices 
plus with 3 different OSes at least (IOS, Win, Android, linux and apple and 
windows laptops plus others) and multiple versions and patch levels. Um no, 
insanity beckons, LOL.


I am still trying to figure out what is wanted so I am vague because so are 
criteria and I have never done this before.


All I have is,


free, open source,


The idea is that an employee can have a zero config access / sign in to wifi 
for their device once initially connected.


The solution must be robust and available ie close to 99.999% availability.  
IPA can do this as the backend and yes PF can use LDAP hence my interest.  
Packet fence can be active/passive HA so its possible.  Virtualised across 
multiple ESXi hosts and SANs.


I have an RFE in for an IPA howto section to be added to the PF manual as even 
the openldap section is empty.  Or I might try and write it if I get the go 
ahead myself.


The PF servers would be RHEL6.6 so I'm hoping adding a service in IPA will 
simply work.




regards

Steven


From: freeipa-users-boun...@redhat.com freeipa-users-boun...@redhat.com on 
behalf of Dmitri Pal d...@redhat.com
Sent: Thursday, 12 March 2015 9:15 a.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Extending IPA to include multiple (say 5) fields 
for MAC addresses per user

On 03/11/2015 03:43 PM, Steven Jones wrote:

Hi,


I have been asked to look at packetfence and linking it to IPA for 
authentication but I might need to allow users to login into their IPA info and 
add MAC addresses themselves, this is possible I think?


Since ppl these days can have 3 mobile devices, (ipad, iphone and laptop) I 
would need multiple MAC fields so would have to extend IPA's schema? is this a 
good idea?

I would treat the devices as hosts rather than extend user schema.
But can you explain the use case and what you have in mind.
Based on the PF site they support different LDAP servers for authentication so 
I am not sure any schema change would be needed.





regards

Steven






--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] how can i create home directories automatically on solaris while IPA user login

2015-03-11 Thread Dmitri Pal

On 03/11/2015 01:18 PM, Ben .T.George wrote:

Hi,

Thanks for the reply.

I even tried the native auto_master file with a directory-checking script. 
If I feed the user manually to the script, the directory is created, 
but when the login request comes, it isn't.


I don't think anyone has done a full Solaris integration until now, as I asked 
many questions related to that.


Now I am a little bit confident up to this level, and if everything is 
working fine, I will try to create an automated script for the IPA join.


I really do not know Solaris that well. There are some threads from this 
and last week about Solaris. You can find them in the mail archive for 
March.
There are pointers to wikis and bugzillas in those threads. The bugzilla 
bugs have some extended info on how to configure Solaris clients. They 
were pretty detailed. Maybe they have the automount info you are 
looking for.




Regards,
Ben



On Wed, Mar 11, 2015 at 7:32 PM, Dmitri Pal d...@redhat.com 
mailto:d...@redhat.com wrote:


On 03/11/2015 09:50 AM, Ben .T.George wrote:

Hi,

I am able to reach the level where an IPA user can log in on the
Solaris box,

but how can I create home directories automatically on Solaris
when an IPA user logs in?

When I change the shell in the IPA web interface, that takes
effect. I saw an option in the IPA 3.3 web interface like
automount, and that is not in IPA 4.1.2.


All the options are still there. The menus got re-arranged a bit.
Hopefully someone with Solaris knowledge will help you with the
rest.



please anyone tell me where it is and how can i achieve this

regards,
Ben





-- 
Thank you,

Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.


--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project





--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

[Freeipa-users] Weird IPA shutdown issues

2015-03-11 Thread Brian Topping
Hi all, I have a weird shutdown issue on an IPA instance 
(ipa-server-3.3.3-28.0.1.el7.centos.3.x86_64) on CentOS (CentOS Linux release 
7.0.1406) that's been working fine for at least six months, maybe longer. It's 
replicated to an identical instance that is having no problems.

https://gist.github.com/briantopping/2fc430038b4ca6c80d05 
https://gist.github.com/briantopping/2fc430038b4ca6c80d05 is the relevant 
snippets of /var/log/messages. It starts booting up, everything working, then 
systemd decides to shut down IPA for no apparent reason. I haven't touched any 
system software for several weeks.

When the system is booting, runlevel reports unknown. It seems to be about 
the same time that it changes to N 3 that everything starts shutting down.

My sense is systemd is configured with some dependency in the IPA processes 
that it (correctly) finds a fault and shut everything down. I just don't see 
anything in the messages above that would indicate such a fault. By the time 
it's over, even named is shut down!

Systemd is new to me still, if I need to RTFM, I guess that's one answer, but I 
thought I would check here to see if I could get a better idea of how 
everything is wired.

I am limping by on the second box for now, so this isn't an emergency.

Thanks for any consideration to this!

Brian


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] how can i create home directories automatically on solaris while IPA user login

2015-03-11 Thread Natxo Asenjo
On Wed, Mar 11, 2015 at 8:36 PM, Rob Crittenden rcrit...@redhat.com wrote:

 Ben .T.George wrote:
  Hi,
 
  Thanks for the reply.
 
  I even tried the native auto_master file with a directory-checking script. If
  I feed the user manually to the script, the directory is created, but
  when the login request comes, it isn't.
 
  I don't think anyone has done a full Solaris integration until now, as I asked
  many questions related to that.
 
  Now I am a little bit confident up to this level, and if everything is
  working fine, I will try to create an automated script for the IPA join.

 automount is not a technology that automatically creates directories, it
 just automatically mounts them on demand.

 I'm not aware of a way to automatically create directories on new-user
 logins in Solaris.


I have not used 'official' solaris but using omnios (open solaris
derivative) I have used this with their automounter:

http://omnios.omniti.com/wiki.php/GeneralAdministration#Addinglocalusers

Quite nifty. It should work with solaris as well (well, maybe with a little
work).

-- 
regards,
natxo
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Can't add AD user group to IPA group

2015-03-11 Thread Guertin, David S.
 For troubleshooting this you need to enable debug_level=10 in sssd.conf in
 domain and pam sections. Restart sssd and try to login.

OK, this has pinpointed the problem. The log file now shows:

(Wed Mar 11 11:31:01 2015) [sssd[be[middlebury.edu]]] [sdap_save_user] 
(0x1000): Mapping user [guertin-s] objectSID 
[S-1-5-21-1983215674-46037090-646806464-245906] to unix ID
(Wed Mar 11 11:31:01 2015) [sssd[be[middlebury.edu]]] [sdap_idmap_sid_to_unix] 
(0x0080): Could not convert objectSID 
[S-1-5-21-1983215674-46037090-646806464-245906] to a UNIX ID

It seems that this is due to incorrect ID range settings. So I have increased 
the ID range to 2,000,000, which ought to be enough for a RID of 245906:

# ipa idrange-find

2 ranges matched

  Range name: CSNS.MIDDLEBURY.EDU_id_range
  First Posix ID of the range: 52880
  Number of IDs in the range: 200
  First RID of the corresponding RID range: 1
  First RID of the secondary RID range: 201
  Range type: local domain range

  Range name: MIDDLEBURY.EDU_id_range
  First Posix ID of the range: 1000
  Number of IDs in the range: 200
  Domain SID of the trusted domain: S-1-5-21-1983215674-46037090-646806464
  Range type: Active Directory trust range with POSIX attributes

Number of entries returned 2


But the problem still persists. I cannot SSH in as a user (getent passwd, id, 
etc. all still do show the users).

David Guertin

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
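The sssd log line quoted above is the algorithmic SID-to-ID step failing. As an added example (not sssd's code; the range parameters are constructed rather than taken from the post, and the ranges listed in the post are of the POSIX-attribute type), the shell below shows the arithmetic sssd applies for an algorithmic ipa-ad-trust range: the POSIX ID is the range's first ID plus the RID offset, and a RID at or beyond the range size cannot be converted. Fed the SID from the log, a 200,000-wide range fails on RID 245906 and a 2,000,000-wide range yields 246906. A base RID of 0 is assumed, the default for trust ranges.

```shell
#!/bin/sh
# Added example, not from the thread: the arithmetic behind sssd's
# "Could not convert objectSID ... to a UNIX ID" for an algorithmic
# (ipa-ad-trust) ID range. POSIX ID = first_id + (RID - base_rid), valid only
# while the offset is below the range size. Range values are constructed;
# the SID in the usage line is the one from the post.

# Print the RID (last sub-authority) of a SID, or fail if it is not numeric.
sid_rid() {
    rid="${1##*-}"
    case "$rid" in ''|*[!0-9]*) return 1 ;; esac
    printf '%s\n' "$rid"
}

# Print the domain SID (everything before the RID).
sid_domain() {
    printf '%s\n' "${1%-*}"
}

# rid_to_posix_id FIRST_ID SIZE BASE_RID RID: print the POSIX ID, or fail
# when the RID falls outside the range (sssd's conversion failure).
rid_to_posix_id() {
    first_id=$1; size=$2; base_rid=$3; rid=$4
    [ "$rid" -ge "$base_rid" ] || return 1
    off=$((rid - base_rid))
    [ "$off" -lt "$size" ] || return 1
    printf '%s\n' $((first_id + off))
}

# map_sid DOMAIN_SID FIRST_ID SIZE BASE_RID OBJECT_SID: POSIX ID or failure,
# refusing objects whose SID belongs to a different domain than the range.
map_sid() {
    [ "$(sid_domain "$5")" = "$1" ] || return 1
    rid=$(sid_rid "$5") || return 1
    rid_to_posix_id "$2" "$3" "$4" "$rid"
}

# Usage with the SID from the post and a constructed 2,000,000-wide range
# starting at 1000:
#   map_sid S-1-5-21-1983215674-46037090-646806464 1000 2000000 0 \
#           S-1-5-21-1983215674-46037090-646806464-245906
```

Checking a failing user this way, against the values `ipa idrange-find` prints, tells you whether the range is simply too small (the RID offset exceeds the size) or whether the object belongs to a domain the range does not cover.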


Re: [Freeipa-users] IPA 4.1.0 in RHEL 7.1

2015-03-11 Thread Dmitri Pal

On 03/11/2015 03:49 PM, Steven Jones wrote:

Hi,

When I try to join a 7.1 based replica to an existing setup and use an AD 
forwarder the command complains that the AD box isnt doing DNSSEC suggesting to 
me it is present in 7.1?


Can you share the message that you get and what steps you take to get to 
that message?




At the moment however I cant join a 7.1 based IPA server into a 6.6 based IPA 
cluster.  Or a 7.1 client to IPA, to 6.6 for that matter, 7.0 works fine though.


regards

Steven


From: freeipa-users-boun...@redhat.com freeipa-users-boun...@redhat.com on behalf 
of Erinn Looney-Triggs erinn.looneytri...@gmail.com
Sent: Thursday, 12 March 2015 8:15 a.m.
To: freeipa-users@redhat.com
Subject: [Freeipa-users] IPA 4.1.0 in RHEL 7.1

First off congratulations on getting this out. Love the new UI, all pretty and
integrates well with the access.redhat.com UI.

Second, did DNSSEC not make the chop? It looks like for FreeIPA DNSSEC was
included in the 4.1.0 release, but near as I can tell it is not part of IPA
4.1.0 in RHEL 7.1.

Third, there appears to be a behavior change in ipalib. I cleaned up a
little inventory script for ansible, you can take a look at it here:
https://github.com/ansible/ansible/blob/devel/plugins/inventory/freeipa.py

Before RHEL 7.1 the call to api.Command.hostgroup_find()['result'] on line 30
worked, now it fails:

Traceback (most recent call last):
   File ./freeipa.py, line 133, in <module>
 list_groups(api)
   File ./freeipa.py, line 71, in list_groups
 result = api.Command.host_find()['result']
   File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 439, in
__call__
 ret = self.run(*args, **options)
   File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 755, in run
 return self.forward(*args, **options)
   File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 776, in
forward
 return self.Backend.rpcclient.forward(self.name, *args, **kw)
   File /usr/lib/python2.7/site-packages/ipalib/rpc.py, line 880, in forward
 command = getattr(self.conn, name)
   File /usr/lib/python2.7/site-packages/ipalib/backend.py, line 97, in
__get_conn
 self.id, threading.currentThread().getName())
AttributeError: no context.rpcclient in thread 'MainThread'

Is this expected? Is this a regression?

Thanks again for your work.

-Erinn




--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] how can i create home directories automatically on solaris while IPA user login

2015-03-11 Thread Ben .T.George
from BZ

While we value your interest in IPA Solaris support, the implementation of
the DUA profile is not on our nearest schedule at the moment. We lack both
knowledge and resources to focus on integration with Solaris. This is where
we need a help (ideally patches) and contribution from the community to
help us push these features in.

I checked your example DUAConfigProfile and I think it cannot be just
added to FreeIPA right away. E.g. for defaultServerList or
preferredServerList, you would need to expand installers and
ipa-replica-manage to handle these lists and update them when replica
is added or updated to prevent it being outdated. printers or aliases
serviceSearchDescriptor refers to objects not being available and so
on. It is not as straightforward as it seems.

What I think that we can work on is to work together
onhttp://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Solaris.html#Configuring_an_IPA_Client_on_Solaris_10
... and add all the steps needed to make IPA work on Solaris 10. I
could for example prepare an updated page and you could review it.
Would that work for you?


This is what I followed until now. But it's not authenticating with AD; IPA
users can log in on the Solaris box.




On Wed, Mar 11, 2015 at 9:11 PM, Dmitri Pal d...@redhat.com wrote:

  On 03/11/2015 01:56 PM, Ben .T.George wrote:

 Hi,

  Yes, I saw that mail thread and he claims that he achieved it somehow, but
 it's not clear.

  And the steps mentioned are too technical for me. :) As I am very new to
 IPA, it's a bit confusing.

  Later that thread was also closed without a proper explanation.

  I think you guys can contact him to change the existing wiki :) as there are
 many Solaris-related documents which are pretty old.

  Anyway, still waiting for a reply.


 Have you found the BZ? They are very detailed.
 https://bugzilla.redhat.com/show_bug.cgi?id=815515
 The DUA profile is attached to the bug.



  Regards,
 Ben

 On Wed, Mar 11, 2015 at 8:49 PM, Dmitri Pal d...@redhat.com wrote:

  On 03/11/2015 01:18 PM, Ben .T.George wrote:

 Hi,

  Thanks for the reply.

  I even tried the native auto_master file with a directory-checking script. If
 I feed the user manually to the script, the directory is created, but when
 the login request comes, it isn't.

  I don't think anyone has done a full Solaris integration until now, as I asked
 many questions related to that.

  Now I am a little bit confident up to this level, and if everything is
 working fine, I will try to create an automated script for the IPA join.


  I really do not know Solaris that well. There are some threads from this
 and last week about Solaris. You can find them in the mail archive for
 March.
 There are pointers to wikis and bugzillas in those threads. The bugzilla
 bugs have some extended info on how to configure Solaris clients. They were
 pretty detailed. Maybe they have the automount info you are looking for.



  Regards,
 Ben



 On Wed, Mar 11, 2015 at 7:32 PM, Dmitri Pal d...@redhat.com wrote:

  On 03/11/2015 09:50 AM, Ben .T.George wrote:

 Hi,

  I am able to reach the level where an IPA user can log in on the
 Solaris box,

  but how can I create home directories automatically on Solaris when
 an IPA user logs in?

  When I change the shell in the IPA web interface, that takes effect.
 I saw an option in the IPA 3.3 web interface like automount, and that is not
 in IPA 4.1.2.


  All the options are still there. The menus got re-arranged a bit.
 Hopefully someone with Solaris knowledge will help you with the rest.


  please anyone tell me where it is and how can i achieve this

  regards,
 Ben




  --
 Thank you,
 Dmitri Pal

 Sr. Engineering Manager IdM portfolio
 Red Hat, Inc.


 --
 Manage your subscription for the Freeipa-users mailing list:
 https://www.redhat.com/mailman/listinfo/freeipa-users
 Go to http://freeipa.org for more info on the project




 --
 Thank you,
 Dmitri Pal

 Sr. Engineering Manager IdM portfolio
 Red Hat, Inc.




 --
 Thank you,
 Dmitri Pal

 Sr. Engineering Manager IdM portfolio
 Red Hat, Inc.



[Freeipa-users] Extending IPA to include multiple (say 5) fields for MAC addresses per user

2015-03-11 Thread Steven Jones
Hi,


I have been asked to look at packetfence and linking it to IPA for
authentication, but I might need to allow users to log in to their IPA info and
add MAC addresses themselves; this is possible, I think?


Since people these days can have 3 mobile devices (iPad, iPhone and laptop), I
would need multiple MAC fields, so I would have to extend IPA's schema? Is this a
good idea?




regards

Steven


Re: [Freeipa-users] IPA 4.1.0 in RHEL 7.1

2015-03-11 Thread Steven Jones
Hi,

When I try to join a 7.1 based replica to an existing setup and use an AD
forwarder, the command complains that the AD box isn't doing DNSSEC, suggesting to
me it is present in 7.1?

At the moment however I can't join a 7.1 based IPA server into a 6.6 based IPA
cluster. Or a 7.1 client to IPA, to 6.6 for that matter; 7.0 works fine
though.


regards

Steven 


From: freeipa-users-boun...@redhat.com freeipa-users-boun...@redhat.com on 
behalf of Erinn Looney-Triggs erinn.looneytri...@gmail.com
Sent: Thursday, 12 March 2015 8:15 a.m.
To: freeipa-users@redhat.com
Subject: [Freeipa-users] IPA 4.1.0 in RHEL 7.1

First off congratulations on getting this out. Love the new UI, all pretty and
integrates well with the access.redhat.com UI.

Second, did DNSSEC not make the chop? It looks like for FreeIPA DNSSEC was
included in the 4.1.0 release, but near as I can tell it is not part of IPA
4.1.0 in RHEL 7.1.

Third, there appears to be a behavior change in ipalib. I cleaned up a
little inventory script for ansible; you can take a look at it here:
https://github.com/ansible/ansible/blob/devel/plugins/inventory/freeipa.py

Before RHEL 7.1 the call to api.Command.hostgroup_find()['result'] on line 30
worked, now it fails:

Traceback (most recent call last):
  File "./freeipa.py", line 133, in <module>
    list_groups(api)
  File "./freeipa.py", line 71, in list_groups
    result = api.Command.host_find()['result']
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 439, in __call__
    ret = self.run(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 755, in run
    return self.forward(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 776, in forward
    return self.Backend.rpcclient.forward(self.name, *args, **kw)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 880, in forward
    command = getattr(self.conn, name)
  File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 97, in __get_conn
    self.id, threading.currentThread().getName())
AttributeError: no context.rpcclient in thread 'MainThread'

Is this expected? Is this a regression?

Thanks again for your work.

-Erinn



Re: [Freeipa-users] how can i create home directories automatically on solaris while IPA user login

2015-03-11 Thread Ben .T.George
Hi

Yeah, I saw that mail thread and he claims that he achieved it somehow, but
it is not clear.

And the steps mentioned are too technical for me. :) As I am very new to
IPA, it's a bit confusing.

Later that thread was also closed without a proper explanation.

I think you guys can contact him to change the existing wiki :) as there are
many Solaris-related documents which are pretty old.

Anyway, still waiting for a reply.

Regards,
Ben

On Wed, Mar 11, 2015 at 8:49 PM, Dmitri Pal d...@redhat.com wrote:

  On 03/11/2015 01:18 PM, Ben .T.George wrote:

 Hi

  Thanks for the reply.

  Even I tried the native auto_master file with a directory-checking script. If
 I feed the user manually to the script, the directory is created, but when a
 login request comes, it isn't.

  I don't think anyone has done full Solaris integration until now, as I asked
 many questions related to that.

  Now I am a little bit confident up to this level, and if everything is
 working fine, I will try to create an automated script for IPA join.


  I really do not know Solaris that well. There are some threads from this
 and last week about Solaris. You can find them in the mail archive for
 March.
 There are pointers to wikis and bugzillas in those threads. The bugzilla
 bugs have some extended info on how to configure Solaris clients. They were
 pretty detailed. Maybe they have the automount info you are looking for.



  Regards,
 Ben



 On Wed, Mar 11, 2015 at 7:32 PM, Dmitri Pal d...@redhat.com wrote:

  On 03/11/2015 09:50 AM, Ben .T.George wrote:

 Hi

  I was able to reach the level where an IPA user can log in on the
 Solaris box,

  but how can I create home directories automatically on Solaris when an
 IPA user logs in?

  Even when I change the shell in the IPA web interface, that takes effect.
 I saw some option in the IPA 3.3 web interface like automount, and that is not
 in IPA 4.1.2.


  All the options are still there. The menus got re-arranged a bit.
 Hopefully someone with Solaris knowledge will help you with the rest.


  Please, can anyone tell me where it is and how I can achieve this?

  Regards,
 Ben




  --
 Thank you,
 Dmitri Pal

 Sr. Engineering Manager IdM portfolio
 Red Hat, Inc.






 --
 Thank you,
 Dmitri Pal

 Sr. Engineering Manager IdM portfolio
 Red Hat, Inc.



Re: [Freeipa-users] Backwards compatability

2015-03-11 Thread Dmitri Pal

On 03/11/2015 01:13 PM, Andrew Holway wrote:

Hi,

We have a mix of Centos 6 and Centos 7 machines which we would like to 
manage with FreeIPA.


I remember that setting up freeipa on Centos 6 can be a bit tricky 
although I found this method which works.


https://www.redhat.com/archives/freeipa-users/2013-June/msg00064.html

I imagine the Centos 7 client setup is somewhat more streamlined.

Assuming we install freeipa on Centos 7, will our centos 6 clients 
have any problems connecting? Any caveats which we should be aware of?


Thanks,

Andrew



Clients should work without any issues.

The only thing to keep in mind is that IPA's remote management CLI 
should be used from systems of the same version as the server. In 
other words, the ipa-admintools package that contains the CLI would not work 
from a CentOS 6 system against a CentOS 7 system, but it would work from 7 to 7.


--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.


Re: [Freeipa-users] how can i create home directories automatically on solaris while IPA user login

2015-03-11 Thread Dmitri Pal

On 03/11/2015 01:56 PM, Ben .T.George wrote:

Hi

Yeah, I saw that mail thread and he claims that he achieved it somehow, 
but it is not clear.


And the steps mentioned are too technical for me. :) As I am very new 
to IPA, it's a bit confusing.


Later that thread was also closed without a proper explanation.

I think you guys can contact him to change the existing wiki :) as there 
are many Solaris-related documents which are pretty old.


Anyway, still waiting for a reply.


Have you found the BZ? They are very detailed.
https://bugzilla.redhat.com/show_bug.cgi?id=815515
The DUA profile is attached to the bug.



Regards,
Ben

On Wed, Mar 11, 2015 at 8:49 PM, Dmitri Pal d...@redhat.com 
mailto:d...@redhat.com wrote:


On 03/11/2015 01:18 PM, Ben .T.George wrote:

Hi

Thanks for the reply.

Even I tried the native auto_master file with a directory-checking
script. If I feed the user manually to the script, the directory
is created, but when a login request comes, it isn't.

I don't think anyone has done full Solaris integration until now, as I
asked many questions related to that.

Now I am a little bit confident up to this level, and if everything
is working fine, I will try to create an automated script for IPA join.


I really do not know Solaris that well. There are some threads
from this and last week about Solaris. You can find them in the
mail archive for March.
There are pointers to wikis and bugzillas in those threads. The
bugzilla bugs have some extended info on how to configure Solaris
clients. They were pretty detailed. Maybe they have the automount
info you are looking for.




Regards,
Ben



On Wed, Mar 11, 2015 at 7:32 PM, Dmitri Pal d...@redhat.com
mailto:d...@redhat.com wrote:

On 03/11/2015 09:50 AM, Ben .T.George wrote:

Hi

I was able to reach the level where an IPA user can
log in on the Solaris box,

but how can I create home directories automatically on
Solaris when an IPA user logs in?

Even when I change the shell in the IPA web interface, that takes
effect. I saw some option in the IPA 3.3 web interface like
automount, and that is not in IPA 4.1.2.


All the options are still there. The menus got re-arranged a bit.
Hopefully someone with Solaris knowledge will help you with
the rest.



Please, can anyone tell me where it is and how I can achieve this?

Regards,
Ben





-- 
Thank you,

Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.







-- 
Thank you,

Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.





--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.


[Freeipa-users] SOLVED (Re: Weird IPA shutdown issues)

2015-03-11 Thread Brian Topping
Okay, one of those "as soon as you press send" issues.

The problem that wasn't obvious was that the tomcat service was enabled on the 
first box. Seems to be stable after removing that and rebooting.

Whew!!

 On Mar 11, 2015, at 3:02 PM, Brian Topping brian.topp...@gmail.com wrote:
 
 Hi all, I have a weird shutdown issue on an IPA instance 
 (ipa-server-3.3.3-28.0.1.el7.centos.3.x86_64) on CentOS (CentOS Linux release 
 7.0.1406) that's been working fine for at least six months, maybe longer. 
 It's replicated to an identical instance that is having no problems.
 
 https://gist.github.com/briantopping/2fc430038b4ca6c80d05 has the relevant 
 snippets of /var/log/messages. It starts booting up, everything working, then 
 systemd decides to shut down IPA for no apparent reason. I haven't touched 
 any system software for several weeks.
 
 When the system is booting, runlevel reports "unknown". It seems to be 
 about the same time that it changes to "N 3" that everything starts shutting 
 down.
 
 My sense is systemd is configured with some dependency in the IPA processes 
 that it (correctly) finds a fault and shuts everything down. I just don't see 
 anything in the messages above that would indicate such a fault. By the time 
 it's over, even named is shut down!
 
 Systemd is still new to me; if I need to RTFM, I guess that's one answer, but 
 I thought I would check here to see if I could get a better idea of how 
 everything is wired.
 
 I am limping by on the second box for now, so this isn't an emergency.
 
 Thanks for any consideration to this!
 
 Brian




Re: [Freeipa-users] IPA 4.1.0 in RHEL 7.1

2015-03-11 Thread Dmitri Pal

On 03/11/2015 03:15 PM, Erinn Looney-Triggs wrote:

First off congratulations on getting this out. Love the new UI, all pretty and
integrates well with the access.redhat.com UI.


Thanks!


Second, did DNSSEC not make the chop? It looks like for FreeIPA DNSSEC was
included in the 4.1.0 release, but near as I can tell it is not part of IPA
4.1.0 in RHEL 7.1.


It did not make the cut.
The DNSSEC feature is not in RHEL7 yet.
But we are working on making this happen.



Third, there appears to be a behavior change in ipalib. I cleaned up a
little inventory script for ansible; you can take a look at it here:
https://github.com/ansible/ansible/blob/devel/plugins/inventory/freeipa.py

Before RHEL 7.1 the call to api.Command.hostgroup_find()['result'] on line 30
worked, now it fails:

Traceback (most recent call last):
  File "./freeipa.py", line 133, in <module>
    list_groups(api)
  File "./freeipa.py", line 71, in list_groups
    result = api.Command.host_find()['result']
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 439, in __call__
    ret = self.run(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 755, in run
    return self.forward(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 776, in forward
    return self.Backend.rpcclient.forward(self.name, *args, **kw)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 880, in forward
    command = getattr(self.conn, name)
  File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 97, in __get_conn
    self.id, threading.currentThread().getName())
AttributeError: no context.rpcclient in thread 'MainThread'

Is this expected? Is this a regression?


Some things changed. I would leave for developers to take a look and 
provide more guidance.




Thanks again for your work.

-Erinn





--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.


Re: [Freeipa-users] IPA 4.1.0 in RHEL 7.1

2015-03-11 Thread Dmitri Pal

On 03/11/2015 04:37 PM, Steven Jones wrote:

==
[root@vuwunicoipam004 ipa-certs]# ipa-replica-install --setup-dns 
--forwarder=10.100.32.31 -U replica-info-vuwunicoipam004.ods.vuw.ac.nz.gpg  
--skip-conncheck
Checking forwarders, please wait ...
WARNING: DNS forwarder 10.100.32.31 does not return DNSSEC signatures in answers
Please fix forwarder configuration to enable DNSSEC support.
(For BIND 9 add directive dnssec-enable yes; to options {})
WARNING: DNSSEC validation will be disabled
==

The AD server is a win2k12r2.


Thanks, I will follow up.


regards

Steven

From: freeipa-users-boun...@redhat.com freeipa-users-boun...@redhat.com on behalf 
of Dmitri Pal d...@redhat.com
Sent: Thursday, 12 March 2015 9:07 a.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] IPA 4.1.0 in RHEL 7.1

On 03/11/2015 03:49 PM, Steven Jones wrote:

Hi,

When I try to join a 7.1 based replica to an existing setup and use an AD 
forwarder, the command complains that the AD box isn't doing DNSSEC, suggesting to 
me it is present in 7.1?

Can you share the message that you get and what steps you take to get to
that message?


At the moment however I can't join a 7.1 based IPA server into a 6.6 based IPA 
cluster. Or a 7.1 client to IPA, to 6.6 for that matter; 7.0 works fine though.


regards

Steven


From: freeipa-users-boun...@redhat.com freeipa-users-boun...@redhat.com on behalf 
of Erinn Looney-Triggs erinn.looneytri...@gmail.com
Sent: Thursday, 12 March 2015 8:15 a.m.
To: freeipa-users@redhat.com
Subject: [Freeipa-users] IPA 4.1.0 in RHEL 7.1

First off congratulations on getting this out. Love the new UI, all pretty and
integrates well with the access.redhat.com UI.

Second, did DNSSEC not make the chop? It looks like for FreeIPA DNSSEC was
included in the 4.1.0 release, but near as I can tell it is not part of IPA
4.1.0 in RHEL 7.1.

Third, there appears to be a behavior change in ipalib. I cleaned up a
little inventory script for ansible; you can take a look at it here:
https://github.com/ansible/ansible/blob/devel/plugins/inventory/freeipa.py

Before RHEL 7.1 the call to api.Command.hostgroup_find()['result'] on line 30
worked, now it fails:

Traceback (most recent call last):
  File "./freeipa.py", line 133, in <module>
    list_groups(api)
  File "./freeipa.py", line 71, in list_groups
    result = api.Command.host_find()['result']
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 439, in __call__
    ret = self.run(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 755, in run
    return self.forward(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 776, in forward
    return self.Backend.rpcclient.forward(self.name, *args, **kw)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 880, in forward
    command = getattr(self.conn, name)
  File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 97, in __get_conn
    self.id, threading.currentThread().getName())
AttributeError: no context.rpcclient in thread 'MainThread'

Is this expected? Is this a regression?

Thanks again for your work.

-Erinn



--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.





--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.



Re: [Freeipa-users] freeIPA SSL authentication

2015-03-11 Thread K SHK
thanks Dmitri,

I am now testing two-way SSL auth to an Apache webserver using
auth_kerb_module, which authenticates to IPA; the idea is that it will reverse
proxy to another server which is under the IPA domain.
I will try out mod_nss and later PKINIT.


thanks for the reply.

-KSHK

On Tue, Mar 10, 2015 at 7:10 PM, Dmitri Pal d...@redhat.com wrote:

 On 03/10/2015 01:19 PM, Rob Crittenden wrote:

 Dmitri Pal wrote:

 On 03/10/2015 10:22 AM, Rob Crittenden wrote:

 K SHK wrote:

 hi,

 My hortonworks hadoop cluster is kerberized with FreeIPA and works
 splendid :)

 I want to clarify if SSL authentication without a login/password will
 work against FreeIPA...

 ie. client connects to apache webserver over SSL, and sets in
 username via

 http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslusername

 and the webserver will get the valid ticket from freeIPA...

 any idea what type of certificate and apache modules will be needed to
 accomplish this?

 IPA doesn't support user SSL certificates at the moment, so that's the
 first hurdle. It is being worked on for 4.2. You'd need to include the
 PKINIT EKU in the client cert, something that should be configurable
 when the work is done.

 The second problem is that the IPA PKINIT configuration is rather
 incomplete at the moment. I'm not sure if it is sufficient in its
 current state, even with properly formatted certificates.

 And even further, I'm not familiar enough with PKINIT to know whether a
 web-based SSL authentication is enough to get a ticket.

 rob

  I think it is, but the biggest problem is remapping the identities from
 the cert to users in the identity system - IPA in this case.
 I will file a ticket.
 https://fedorahosted.org/freeipa/ticket/4942

  IIRC with PKINIT the principal is encoded in the certificate so no
 mapping is required.

 rob

 There are several use cases here:
 - do PKINIT on the client and then use ST to connect to IPA UI - this is
 already planned
 - use certificate auth via mod_nss directly to IPA.

 The challenge would be to deal with the case when there is no principal
 (or other good identifier) in the cert and you have to remap.
 Unfortunately we can't guarantee that the principal is in the cert. Some known
 entities that we need to work with do not have the principal in the cert.

 --
 Thank you,
 Dmitri Pal

 Sr. Engineering Manager IdM portfolio
 Red Hat, Inc.


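The two properties Rob and Dmitri discuss above (the PKINIT client-auth EKU, and whether the certificate itself names a Kerberos principal or the server has to remap it to a user) can be checked directly on a certificate. The following is an added example, not code from the thread or from FreeIPA; it assumes the Python `cryptography` package, and the self-signed test certificate, the helper names and the principal `jdoe@EXAMPLE.TEST` are constructed for illustration.

```python
# Added example (not from the thread or FreeIPA): inspect a client cert for
# the PKINIT client EKU and a Kerberos principal in the id-pkinit-san SAN.
# Assumes the 'cryptography' package; the test cert is self-signed and constructed here.
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID, ObjectIdentifier

PKINIT_CLIENT_AUTH = ObjectIdentifier("1.3.6.1.5.2.3.4")  # id-pkinit-KPClientAuth (RFC 4556)
PKINIT_SAN = ObjectIdentifier("1.3.6.1.5.2.2")            # id-pkinit-san otherName type

def _der(tag, body):  # one DER TLV; short-form length is enough for a principal name
    return bytes([tag, len(body)]) + body

def krb5_principal_name_der(realm, components):
    """DER KRB5PrincipalName {realm [0] GeneralString, principalName [1]} per RFC 4556."""
    gstr = lambda s: _der(0x1B, s.encode())  # GeneralString
    name_string = _der(0x30, b"".join(gstr(c) for c in components))
    principal = _der(0x30, _der(0xA0, _der(0x02, b"\x01")) + _der(0xA1, name_string))
    return _der(0x30, _der(0xA0, gstr(realm)) + _der(0xA1, principal))

def _general_strings(buf):
    """Depth-first GeneralStrings in a DER buffer (short-form lengths assumed)."""
    i = 0
    while i < len(buf):
        tag, length = buf[i], buf[i + 1]
        body = buf[i + 2:i + 2 + length]
        if tag & 0x20:               # constructed tag: recurse into its contents
            yield from _general_strings(body)
        elif tag == 0x1B:
            yield body.decode()
        i += 2 + length

def principal_from_pkinit_san(value):
    """'comp1/comp2@REALM' from a KRB5PrincipalName DER value (realm is the first string)."""
    realm, *components = _general_strings(value)
    return "/".join(components) + "@" + realm

def inspect_client_cert(cert):
    """Does the cert carry the PKINIT EKU, and does it name a principal or need remapping?"""
    exts = cert.extensions
    try:
        has_pkinit_eku = PKINIT_CLIENT_AUTH in exts.get_extension_for_class(x509.ExtendedKeyUsage).value
    except x509.ExtensionNotFound:
        has_pkinit_eku = False
    principal = None
    try:
        san = exts.get_extension_for_class(x509.SubjectAlternativeName).value
        for other in san.get_values_for_type(x509.OtherName):
            if other.type_id == PKINIT_SAN:
                principal = principal_from_pkinit_san(other.value)
    except x509.ExtensionNotFound:
        pass
    # Without a principal the server must map the cert to a user some other way
    # (the remapping case discussed in the thread); the subject is what it would key on.
    return {"pkinit_eku": has_pkinit_eku, "principal": principal,
            "needs_mapping": principal is None, "subject": cert.subject.rfc4514_string()}

def make_test_cert(principal_der=None, pkinit_eku=True):
    """Self-signed client cert constructed for this example (not an IPA-issued cert)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "jdoe")])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
               .public_key(key.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1)))
    ekus = [ExtendedKeyUsageOID.CLIENT_AUTH] + ([PKINIT_CLIENT_AUTH] if pkinit_eku else [])
    builder = builder.add_extension(x509.ExtendedKeyUsage(ekus), critical=False)
    if principal_der is not None:
        san = x509.SubjectAlternativeName([x509.OtherName(PKINIT_SAN, principal_der)])
        builder = builder.add_extension(san, critical=False)
    return builder.sign(key, hashes.SHA256())
```

Running `inspect_client_cert` on a certificate issued without the otherName returns `needs_mapping: True`, which is exactly the case where a mapping rule from certificate subject to IPA user has to exist before the login can succeed.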

Re: [Freeipa-users] freeIPA function basics from user's perspective

2015-03-11 Thread Robert Erzen
Thanks for your input.
Since I have most users on Windows clients, I will have to consider
implementing AD and joining Linux servers in.
Any thoughts on that?

br

Re: [Freeipa-users] ipa-server setup with external CA fails

2015-03-11 Thread Endi Sukma Dewata

On 3/11/2015 10:13 PM, Gould, Joshua wrote:

The selftests.log contradicts itself and I'm not really sure where to look
next. Any ideas?


There's an existing ticket about the confusing selftest messages:
https://fedorahosted.org/pki/ticket/1249

Could you post the full CA debug log (i.e. 
/var/log/pki/pki-tomcat/ca/debug)? The error might have happened much 
earlier. Thanks.


--
Endi S. Dewata



[Freeipa-users] how can i create home directories automatically on solaris while IPA user login

2015-03-11 Thread Ben .T.George
Hi

I was able to reach the level where an IPA user can log in on the Solaris
box,

but how can I create home directories automatically on Solaris when an IPA
user logs in?

Even when I change the shell in the IPA web interface, that takes effect. I
saw some option in the IPA 3.3 web interface like automount, and that is not in
IPA 4.1.2.

Please, can anyone tell me where it is and how I can achieve this?

Regards,
Ben