[Freeipa-users] ACIerrors in httpd log

2016-11-23 Thread Jim Richard
Honestly I’m not even sure if something is not working correctly :)

All I know is that my httpd, access and krb5 logs are filling up all my disk 
space extremely quickly and I have no idea why.

Centos 6.8 + IPA 3.0

One master and one replica.

Are these things related? 

How do I fix, where do I even start?

Thanks !

On the replica the httpd log is constantly getting spammed with:

[Thu Nov 24 05:55:18 2016] [error] ipa: INFO: 
host/phoenix-153.nym1.placeiq@placeiq.net: cert_request(u’actual cert 
removed….. , add=True): ACIError

and on the master the access log is filling up quickly with:

10.1.41.110 - - [24/Nov/2016:06:09:54 +] "POST /ca/agent/ca/displayBySerial 
HTTP/1.1" 200 10106

and finally also on the master’s krb5 log is filling up with:

Nov 24 06:11:45 sso-109.nym1.placeiq.net krb5kdc[19333](info): AS_REQ (4 etypes 
{18 17 16 23}) 10.1.60.130: ISSUE: authtime 1479967905, etypes {rep=18 tkt=18 
ses=18}, host/phoenix-130.nym1.placeiq@placeiq.net for 
krbtgt/placeiq@placeiq.net
Nov 24 06:11:45 sso-109.nym1.placeiq.net krb5kdc[19332](info): TGS_REQ (4 
etypes {18 17 16 23}) 10.1.60.87: ISSUE: authtime 1479967905, etypes {rep=18 
tkt=18 ses=18}, host/phoenix-087.nym1.placeiq@placeiq.net for 
ldap/sso-109.nym1.placeiq@placeiq.net
Nov 24 06:11:45 sso-109.nym1.placeiq.net krb5kdc[19332](info): TGS_REQ (4 
etypes {18 17 16 23}) 10.1.60.130: ISSUE: authtime 1479967905, etypes {rep=18 
tkt=18 ses=18}, host/phoenix-130.nym1.placeiq@placeiq.net for 
HTTP/sso-110.nym1.placeiq@placeiq.net
Nov 24 06:11:45 sso-109.nym1.placeiq.net krb5kdc[19333](info): TGS_REQ (1 
etypes {18}) 10.1.60.130: ISSUE: authtime 1479967905, etypes {rep=18 tkt=18 
ses=18}, host/phoenix-130.nym1.placeiq@placeiq.net for 
krbtgt/placeiq@placeiq.net
Nov 24 06:11:45 sso-109.nym1.placeiq.net krb5kdc[19333](info): AS_REQ (4 etypes 
{18 17 16 23}) 10.1.60.160: NEEDED_PREAUTH: 
host/phoenix-160.nym1.placeiq@placeiq.net for 
krbtgt/placeiq@placeiq.net, Additional pre-authentication required
Nov 24 06:11:45 sso-109.nym1.placeiq.net krb5kdc[19332](info): AS_REQ (4 etypes 
{18 17 16 23}) 10.1.60.160: ISSUE: authtime 1479967905, etypes {rep=18 tkt=18 
ses=18}, host/phoenix-160.nym1.placeiq@placeiq.net for 
krbtgt/placeiq@placeiq.net
Nov 24 06:11:45 sso-109.nym1.placeiq.net krb5kdc[19333](info): TGS_REQ (4 
etypes {18 17 16 23}) 10.1.60.160: ISSUE: authtime 1479967905, etypes {rep=18 
tkt=18 ses=18}, host/phoenix-160.nym1.placeiq@placeiq.net for 
HTTP/sso-110.nym1.placeiq@placeiq.net
Nov 24 06:11:45 sso-109.nym1.placeiq.net krb5kdc[19333](info): TGS_REQ (1 
etypes {18}) 10.1.60.160: ISSUE: authtime 1479967905, etypes {rep=18 tkt=18 
ses=18}, host/phoenix-160.nym1.placeiq@placeiq.net for 
krbtgt/placeiq@placeiq.net
Nov 24 06:11:45 sso-109.nym1.placeiq.net krb5kdc[19333](info): AS_REQ (4 etypes 
{18 17 16 23}) 10.1.60.175: NEEDED_PREAUTH: 
host/phoenix-175.nym1.placeiq@placeiq.net for 
krbtgt/placeiq@placeiq.net, Additional pre-authentication required
Nov 24 06:11:45 sso-109.nym1.placeiq.net krb5kdc[19332](info): AS_REQ (4 etypes 
{18 17 16 23}) 10.1.60.175: ISSUE: authtime 1479967905, etypes {rep=18 tkt=18 
ses=18}, host/phoenix-175.nym1.placeiq@placeiq.net for 
krbtgt/placeiq@placeiq.net


     
Jim Richard
SYSTEM ADMINISTRATOR III
(646) 338-8905

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Ping forwarded domain name.

2016-11-23 Thread TomK

On 11/23/2016 3:28 AM, Martin Basti wrote:



On 23.11.2016 03:48, TomK wrote:

On 11/22/2016 10:22 AM, Martin Basti wrote:



On 22.11.2016 13:57, TomK wrote:

On 11/22/2016 2:59 AM, Martin Basti wrote:

Hey,


On 22.11.2016 06:33, TomK wrote:

Hey Guy's,

I'm forwarding a domain dom.abc.xyz from a Windows Server 2012
over to
my dual Free IPA server.  The Free IPA servers are authoritative for
this subdomain.  The Windows Server 2012 DNS resolves abc.xyz
and forwards dom.abc.xyz.

Do you have configured proper zone delegation for subdomain
dom.abc.xyz?
Proper NS and glue records
http://www.zytrax.com/books/dns/ch9/delegate.html



I cannot ping dom.abc.xyz.  Everything else, including client
registrations, work fine.  If Free IPA is authoritative on
dom.abc.xyz, should it not create DNS entries so the sub domain
can be
pinged as well?


What do you mean by "ping"?



/etc/resolv.conf also gets regenerated on reboot on the IPA Servers
and wanted to ask if you can point me to some materials online to
determine where I can permanently adjust the search to add
dom.abc.xyz
to the already present abc.xyz .  I wasn't able to locate what I
needed in my searches.

I'm using the latest v4.


It depends on what you are using; probably you have NetworkManager
there,
which is editing /etc/resolv.conf

https://ask.fedoraproject.org/en/question/67752/how-do-i-add-a-search-domain-using-networkmanager/




Martin



I Uninstalled NetworkManager.  Still changes.
ping dom.abc.com results in "ping: unknown host"

I'll have a look at the first link, ty.



ping (ICMP protocol) and the DNS system are different things. Do you have
a hostname dom.abc.com with an A record, or is it a zone?

With the ping command the hostname "dom.abc.com" is resolved to an IP address
first. Do you have an A record set for dom.abc.com at the zone apex, or what are
you trying to achieve with the ping command?

for testing DNS try to use commands: dig, host, nslookup

Martin



Apologies for the long reply but it should give some background on
what it is that I'm doing.

1) dom.abc.com is a zone.  There is no A record for dom.abc.com in
FreeIPA (Confirmed by Petr).  I get the point Petr Spacek pointed out
in his comment as well.  What should it really point to? ( I kind of
answer this question below so please read on. )  Where I'm getting
this from is that in Windows Server 2012 abc.com returns the IP of any
of the participating AD / DNS servers within the cluster (The two
Windows Server 2012 machines are combined clustered AD + DNS servers.).
Being able to resolve abc.xyz is handy.  During a lookup, I can get a
list of all the IP's associated with that domain which would indicate
all the DNS + AD servers online under that domain or serving that domain:


# nslookup abc.xyz
Server: 192.168.0.3
Address:192.168.0.3#53

Name:   abc.xyz
Address: 192.168.0.3
Name:   abc.xyz
Address: 192.168.0.1
Name:   abc.xyz
Address: 192.168.0.2
#

Again, where this is handy is when configuring sssd.conf for example
or other apps for that matter.  I can just point the app to
authenticate against the domain and I have my redundancy solved.
Windows Server 2012 does it, but FreeIPA didn't, so I threw the
question out there.


IPA uses SRV records heavily, all IPA related services have SRV records,
SSSD uses SRV records of IPA, client should use SRV record to connect to
the right service (or URI record - will be in next IPA). SRV records
work for IPA locations mechanism, we cannot achieve this with pure A
records.



Delegation from this Windows DNS works as expected.  Any lookup from
dom.abc.xyz is forwarded to and handled by the FreeIPA servers. Tested
this out. No issue with this.

I did see earlier that there is no A record for dom.abc.xyz in
FreeIPA. My reasons for asking if there was an IP on the subdomain in
FreeIPA were above but the missing IP on the subdomain isn't a major
issue for me.  Things are working without dom.abc.xyz resolving to an
IP.  What I was hoping for is to have a VIP for the IPA servers and
one for the Windows Server 2012 DNS Cluster in /etc/resolv.conf.  (I
have the VIP for the windows server).  One forwarding to the other for
a given domain.  This is all for testing a) redundancy, b) forwarding,
c) authentication .

IE:

# cat /etc/resolv.conf
search dom.abc.xyz abc.xyz
nameserver 192.168.0.3    <- Win Cluster DNS VIP
nameserver 192.168.0.4    <- IPA Cluster DNS VIP

* Just what I want to achieve above.  VIP 192.168.0.4 doesn't exist on
my cluster yet.  I'm looking to integrate ucarp with the above IPA
servers.


2) More to the topic of my second question however, is that
/etc/resolv.conf, on the IPA servers themselves, gets rewritten on
restart.  Would like to know by what if I already uninstalled
NetworkManager?  When I configured the FreeIPA server, I used:

ipa-server-install --setup-dns --forwarder=192.168.0.3 -p "Hush!" -a
"Hush!" -r DOM.ABC.XYZ -n dom.abc.xyz --hostname ipa01.dom.abc.xyz

Notice I used the VIP of the 
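Martin's point above about SRV records is worth seeing in code, since it is the answer to the "VIP for the IPA servers" idea: the nameserver lines in resolv.conf already give resolver failover, and for the IPA services themselves an SRV answer carries priority, weight and port, so a client can spread load over equal-priority servers and fall back to lower-priority ones, which a bare A record cannot express. The following is an added example in Python, not from the thread or the FreeIPA project: it implements the RFC 2782 selection order over a constructed SRV answer for `_ldap._tcp.dom.abc.xyz`, and a failover loop on top of it. Only ipa01.dom.abc.xyz appears in the thread; ipa02 and the priority-10 backup are assumptions.

```python
"""RFC 2782 SRV target ordering and failover, the way an IPA client picks a
server. Added example, not from the thread or the FreeIPA project."""
import random
from collections import defaultdict

# Constructed answer for _ldap._tcp.dom.abc.xyz; only ipa01 is named in the thread.
SRV_RECORDS = [
    # (priority, weight, port, target)
    (0, 100, 389, "ipa01.dom.abc.xyz."),
    (0, 100, 389, "ipa02.dom.abc.xyz."),
    (10, 0, 389, "ipa-backup.dom.abc.xyz."),   # only used when every priority-0 target fails
]


def order_srv(records, rng=None):
    """Targets in RFC 2782 order: lowest priority first; within one priority a
    weighted random order, so equal-priority servers share the load."""
    rng = rng or random.Random()
    by_priority = defaultdict(list)
    for priority, weight, port, target in records:
        by_priority[priority].append((weight, port, target))
    ordered = []
    for priority in sorted(by_priority):
        # RFC 2782: weight-0 entries go to the front before drawing
        pool = sorted(by_priority[priority], key=lambda r: r[0] != 0)
        while pool:
            pick = rng.randint(0, sum(w for w, _, _ in pool))
            running = 0
            for i, (w, port, target) in enumerate(pool):
                running += w
                if running >= pick:          # first entry whose running sum reaches the draw
                    ordered.append((priority, port, target))
                    del pool[i]
                    break
    return ordered


def connect_with_failover(records, is_up, rng=None):
    """Try targets in SRV order until one answers; (target, port) or None.
    `is_up` stands in for the real connection attempt."""
    for _, port, target in order_srv(records, rng):
        if is_up(target):
            return target, port
    return None


if __name__ == "__main__":
    print(order_srv(SRV_RECORDS))
    # ipa01 down: the client lands on ipa02 without any VIP in front of the servers
    print(connect_with_failover(SRV_RECORDS, lambda t: not t.startswith("ipa01")))
```

SSSD and ipa-client-install do this lookup for you; what you control is the SRV data, so after a delegation change the check is `dig SRV _ldap._tcp.dom.abc.xyz` against the Windows forwarder and confirming all IPA servers, with the priorities you intend, come back.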

Re: [Freeipa-users] This again :) - ssh authentication for users in complex AD forest - where am I going wrong?

2016-11-23 Thread Chris Dagdigian


100% correct. We are OK with losing GSSAPI authentication if we can 
operate in a different DNS domain than
the IPA server that "glues" together all of our various Active Directory 
trusts. We want password authentication
from Active Directory as our main concern with role-based access control 
coming in as a strong second desire.


The Redhat/IPA documentation and links that Alexander posted below on 
this are quite good and the issues on our end have generally come
from following more generic deployment instructions that don't cover the 
different-DNS-domain situation.


The quality of technical insight on this list has been fantastic. If our 
"different DNS" setup is of interest to
others I'd be happy to write up our architecture and configurations in 
more detail once this project settles
down. At the very least I should be able to prepare a concise "lessons 
learned" summary that details the
configuration settings that deviate from the norms advised in the more 
general-purpose instructions.


Regards,
Chris

Alexander Bokovoy wrote:

Apologies I must have been unclear. What I was trying to say is that
we are going for the "hosts in the different DNS domain" deployment 
scenario ...


- We have unique domain name and realm for IPA:  company-ipa.org
- We use company-aws.org in AWS and have  our own Active Directory 
servers for: company-aws.org
- We want to use ipa-client to bind our servers to company-ipa.org 
but use DNS names from company-aws.org for operation


Our end goal:
- We have many external AD forests we are linking to company-ipa.org 
one at a time
- End goal: operate hosts with DNS name "company-aws.org" as IPA 
clients of "company-ipa.org" using AD logins coming from the external 
trusts

This setup should work with password-based authentication. It will not
work with GSSAPI (Kerberos) authentication. I think this is what you are
aware of and accepted as the limitation.

For the benefit of others, here is the list of articles and
documentation of the topic of mixed DNS domains/hostnames with Active
Directory:

- High-level description:
http://rhelblog.redhat.com/2016/07/13/i-really-cant-rename-my-hosts/

- Documentation chapter:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Windows_Integration_Guide/index.html#ipa-in-ad-dns 



- Technical details:
http://www.freeipa.org/page/V4/IPA_Client_in_Active_Directory_DNS_domain

There is nothing we can do with the Active Directory limitations beyond
these documents.





Re: [Freeipa-users] This again :) - ssh authentication for users in complex AD forest - where am I going wrong?

2016-11-23 Thread Alexander Bokovoy

On Wed, 23 Nov 2016, Chris Dagdigian wrote:



Sumit Bose wrote:

NO. It is the other way round.

It is _not_ recommended and will not even work properly to use the same
DNS domain for IPA and AD. Even worse with using the same realm for
both, this cannot work at all.

It is required to have a different realm name for the IPA domain and it
is important to use a different DNS domain as well (a bit is possible
with hosts in the same DNS domain but you lose functionality here).

Where did you find the recommendation to use the same DNS domain and
realm?



Apologies I must have been unclear. What I was trying to say is that
we are going for the "hosts in the different DNS domain" deployment 
scenario ...


- We have unique domain name and realm for IPA:  company-ipa.org
- We use company-aws.org in AWS and have  our own Active Directory 
servers for: company-aws.org
- We want to use ipa-client to bind our servers to company-ipa.org but 
use DNS names from company-aws.org for operation


Our end goal:
- We have many external AD forests we are linking to company-ipa.org 
one at a time
- End goal: operate hosts with DNS name "company-aws.org" as IPA 
clients of "company-ipa.org" using AD logins coming from the external 
trusts

This setup should work with password-based authentication. It will not
work with GSSAPI (Kerberos) authentication. I think this is what you are
aware of and accepted as the limitation.

For the benefit of others, here is the list of articles and
documentation of the topic of mixed DNS domains/hostnames with Active
Directory:

- High-level description:
 http://rhelblog.redhat.com/2016/07/13/i-really-cant-rename-my-hosts/

- Documentation chapter:
 
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Windows_Integration_Guide/index.html#ipa-in-ad-dns

- Technical details:
http://www.freeipa.org/page/V4/IPA_Client_in_Active_Directory_DNS_domain

There is nothing we can do with the Active Directory limitations beyond
these documents.


--
/ Alexander Bokovoy



Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue

2016-11-23 Thread Bertrand Rétif
----- Original Message -----

> From: "Florence Blanc-Renaud" 
> To: "Bertrand Rétif" , freeipa-users@redhat.com
> Sent: Wednesday 23 November 2016 08:49:28
> Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue

> On 11/22/2016 06:06 PM, Bertrand Rétif wrote:
> > Hi Florence,
> >
> > Thanks for clarification.
> > Your explanation was very clear and I better understand
> >
> > Now my issue is that I need to start tracking "auditSigningCert
> > cert-pki-ca", "ocspSigningCert cert-pki-ca" and "subsystemCert
> > cert-pki-ca" on a server.
> >
> > I took a look on another server where they are properly tracked. However,
> > getcert list returns "pin set" and not a "pinfile" as described in
> > your mail.
> > In "/etc/pki/pki-tomcat/alias" I do not see any pwdfile.txt file, so my
> > question is where do I get the PIN?
> >
> Hi Bertrand,

> With IPA 4.2.0 I believe that the pin is stored in
> /var/lib/pki/pki-tomcat/conf/password.conf, in the 'internal' field:
> $ grep 'internal=' /var/lib/pki/pki-tomcat/conf/password.conf
> internal=0123456789101

> HTH,
> Flo

> > Once again, thanks for your support, I tried to fix this issue for days!
> >
> > Regards
> > Bertrand
> >
> >
> > --
> > Bertrand Rétif
> > Phosphore Services Informatiques - http://www.phosphore.eu
> > Tel: 04 66 51 87 73 / Mob: 06 61 87 03 30 / Fax: 09 72 12 61 44
> >
> > *From: *"Florence Blanc-Renaud" 
> > *To: *"Bertrand Rétif" , freeipa-users@redhat.com
> > *Sent: *Tuesday 22 November 2016 13:17:34
> > *Subject: *Re: [Freeipa-users] Impossible to renew certificate.
> > pki-tomcat issue
> >
> > On 11/22/2016 11:50 AM, Bertrand Rétif wrote:
> > > *From: *"Florence Blanc-Renaud" 
> > > *To: *"Bertrand Rétif" , freeipa-users@redhat.com
> > > *Sent: *Tuesday 22 November 2016 11:33:45
> > > *Subject: *Re: [Freeipa-users] Impossible to renew certificate.
> > > pki-tomcat issue
> > >
> > > On 11/22/2016 10:07 AM, Bertrand Rétif wrote:
> > > > *From: *"Bertrand Rétif" 
> > > > *To: *freeipa-users@redhat.com
> > > > *Sent: *Tuesday 25 October 2016 17:51:09
> > > > *Subject: *Re: [Freeipa-users] Impossible to renew certificate.
> > > > pki-tomcat issue
> > > >
> > > > *From: *"Florence Blanc-Renaud" 
> > > > *To: *"Bertrand Rétif" , freeipa-users@redhat.com
> > > > *Sent: *Thursday 20 October 2016 18:45:21
> > > > *Subject: *Re: [Freeipa-users] Impossible to renew certificate.
> > > > pki-tomcat issue
> > > >
> > > > On 10/19/2016 08:18 PM, Bertrand Rétif wrote:
> > > > > *From: *"Bertrand Rétif" 
> > > > > *To: *freeipa-users@redhat.com
> > > > > *Sent: *Wednesday 19 October 2016 15:42:07
> > > > > *Subject: *Re: [Freeipa-users] Impossible to renew certificate.
> > > > > pki-tomcat issue
> > > > >
> > > > > *From: *"Rob Crittenden" 
> > > > > *To: *"Bertrand Rétif" , freeipa-users@redhat.com
> > > > > *Sent: *Wednesday 19 October 2016 15:30:14
> > > > > *Subject: *Re: [Freeipa-users] Impossible to renew certificate.
> > > > > pki-tomcat issue
> > > > >
> > > > > Bertrand Rétif wrote:
> > > > > >> From: "Martin Babinsky" 
> > > > > >> To: freeipa-users@redhat.com
> > > > > >> Sent: Wednesday 19 October 2016 08:45:49
> > > > > >> Subject: Re: [Freeipa-users] Impossible to renew certificate.
> > > > > >> pki-tomcat issue
> > > > > >
> > > > > >> On 10/18/2016 11:22 PM, Bertrand Rétif wrote:
> > > > > >>> Hello,
> > > > > >>>
> > > > > >>> I had an issue with pki-tomcat.
> > > > > >>> I had several certificates that were expired and pki-tomcat
> > > > > >>> did not start anymore.
> > > > > >>>
> > > > > >>> I set the date on the server before certificate expiration
> > > > > >>> and then pki-tomcat starts properly.
> > > > > >>> Then I try to resubmit the certificate, but I get below error:
> > > > > >>> "Profile caServerCert Not Found"
> > > > > >>>
> > > > > >>> Do you have any idea how I could fix this issue.
> > > > > >>>
> > > > > >>> Please find below output of commands:
> > > > > >>>
> > > > > >>>
> > > > > >>> # getcert resubmit -i 20160108170324
> > > > > >>>
> > > > > >>> # getcert list -i 20160108170324
> > > > > >>> Number of certificates and requests being tracked: 7.
> > > > > >>> Request ID '20160108170324':
> > > > > >>> status: MONITORING
> > > > > 
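Florence's pointer to the `internal=` entry of password.conf answers the "where do I get the PIN" question; the part a practitioner should not skip is how the PIN then reaches certmonger. The following is an added example in Python, not from the thread or from FreeIPA: it reads the `internal` value from a constructed password.conf, writes it to a pin file created with mode 0600 (so there is no moment when it is world-readable), and builds the `getcert start-tracking` argument list with `-p pinfile` rather than the literal PIN, which would otherwise be visible in process listings and shell history. The NSS database path and the nickname are the ones named in the thread; the `-d`, `-n` and `-p` options are certmonger's. A real IPA tracking request also needs the IPA-specific renewal CA and pre/post-save helpers that the thread does not show, so only the PIN handling is covered here.

```python
"""Hand pki-tomcat's NSS database PIN to certmonger through a 0600 pin file.
Added example, not from the thread or from FreeIPA."""
import os
import tempfile

# Constructed stand-in for /var/lib/pki/pki-tomcat/conf/password.conf
SAMPLE_PASSWORD_CONF = """\
internal=0123456789101
internaldb=ldap-bind-secret
replicationdb=replication-secret
"""


def internal_pin(text):
    """Value of the 'internal' entry (the NSS database PIN) in password.conf."""
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "internal":
            return value.strip()
    raise KeyError("no 'internal=' entry found")


def write_pinfile(path, pin):
    """Create the pin file with mode 0600 from the start, not chmod'ed afterwards."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(pin)               # no trailing newline: the file content is the PIN
    os.chmod(path, 0o600)           # in case the umask widened the mode passed to open()
    return path


def tracking_argv(nickname, pinfile, dbdir="/etc/pki/pki-tomcat/alias"):
    """certmonger invocation using -p (pin file) instead of -P (PIN on the command line)."""
    return ["getcert", "start-tracking", "-d", dbdir, "-n", nickname, "-p", pinfile]


def prepare(conf_text=SAMPLE_PASSWORD_CONF, directory=None,
            nickname="auditSigningCert cert-pki-ca"):
    """Write the pin file into `directory` (a fresh temp dir if None) and return
    what was produced: path, content, file mode and the getcert argument list."""
    directory = directory or tempfile.mkdtemp()
    path = write_pinfile(os.path.join(directory, "pwdfile.txt"), internal_pin(conf_text))
    with open(path) as fh:
        content = fh.read()
    return {"path": path, "content": content,
            "mode": os.stat(path).st_mode & 0o777,
            "argv": tracking_argv(nickname, path)}


if __name__ == "__main__":
    result = prepare()
    print(" ".join(repr(a) if " " in a else a for a in result["argv"]))
    print("pin file mode:", oct(result["mode"]))
```

Put the pin file somewhere only root reads (the `alias` directory itself is the usual place), and repeat `start-tracking` once per nickname Bertrand listed; `getcert list` should then show `pinfile` for each of them.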

Re: [Freeipa-users] This again :) - ssh authentication for users in complex AD forest - where am I going wrong?

2016-11-23 Thread Chris Dagdigian



Sumit Bose wrote:

NO. It is the other way round.

It is _not_ recommended and will not even work properly to use the same
DNS domain for IPA and AD. Even worse with using the same realm for
both, this cannot work at all.

It is required to have a different realm name for the IPA domain and it
is important to use a different DNS domain as well (a bit is possible
with hosts in the same DNS domain but you lose functionality here).

Where did you find the recommendation to use the same DNS domain and
realm?



Apologies I must have been unclear. What I was trying to say is that
we are going for the "hosts in the different DNS domain" deployment 
scenario ...


- We have unique domain name and realm for IPA:  company-ipa.org
- We use company-aws.org in AWS and have  our own Active Directory 
servers for: company-aws.org
- We want to use ipa-client to bind our servers to company-ipa.org but 
use DNS names from company-aws.org for operation


Our end goal:
- We have many external AD forests we are linking to company-ipa.org one 
at a time
- End goal: operate hosts with DNS name "company-aws.org" as IPA clients 
of "company-ipa.org" using AD logins coming from the external trusts


-Chris






Re: [Freeipa-users] This again :) - ssh authentication for users in complex AD forest - where am I going wrong?

2016-11-23 Thread Sumit Bose
On Wed, Nov 23, 2016 at 07:38:49AM -0500, Chris Dagdigian wrote:
> 
> < huge log sample deleted >
> 
> Sumit Bose wrote:
> > (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]] [validate_tgt]
> > (0x0020): TGT failed verification using key for
> > [host/usaeilvdip001.company-aws@company-idm.org].
> > 
> > ok, it is the ticket validation which fails. You can get around this for
> > testing by setting 'krb5_validate = false' in the [domain/...] section
> > of sssd.conf. But please use this only for testing because this error
> > indicates that there are issues in your setup/configuration.
> 
> Much appreciated. Will test today.
> > But your host principal
> > host/usaeilvdip001.company-aws@company-idm.org looks odd as well.
> > Why is the host in the AD DNS domain, this calls for trouble.
> > Additionally I wonder why the realm part '@company-idm.org' was created
> > in lower-case while joining the IPA this should be created upper-case.
> > Or is this all due to sanitation?
> 
> { Capitalization problem was a sanitation error }
> 
> At the time we set up the IPA environment the only AD domain we had
> administrative control over
> was already in use and could not easily be reconfigured to meet the best
> practices for having an
> IPA server sit in the same domain name and realm
> 
> After reading the documentation and a lot of posts on redhat.com we decided
> that the IPA server
> would have to be in a completely new autonomous domain name, DNS zone and
> Kerberos realm. The
> IPA instructions (and ipa-client-install options) all seem to indicate that
> although not a best practice it
> is something that was supported although there is a loss of functionality to
> be expected.

NO. It is the other way round.

It is _not_ recommended and will not even work properly to use the same
DNS domain for IPA and AD. Even worse with using the same realm for
both, this cannot work at all.

It is required to have a different realm name for the IPA domain and it
is important to use a different DNS domain as well (a bit is possible
with hosts in the same DNS domain but you lose functionality here).

Where did you find the recommendation to use the same DNS domain and
realm?

bye,
Sumit

> 
> So we run servers as FQDN members of company-aws.org but they are IPA
> clients of company-ipa.org
> 
> My understanding is that if we:
> 
>  1. Bind a Linux IPA client to company-ipa.com
>  2. But configure the Linux client to have a hostname of
> client.company-aws.com
> 
> .. then what we primarily lose is kerberos related service functionality for
> logged-in users
> 
> Since our core need was for AD password authentication and RBAC control over
> Linux hosts we
> decided to move forward with this odd config.
> 
> Would be greatly interested if I'm way off base on use of totally autonomous
> IPA realms and domain names.
> 
> > > (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]] [get_and_save_tgt]
> > > (0x0020): 1242: [-1765328377][Server not found in Kerberos database]
> > > (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]] [map_krb5_error]
> > > (0x0020): 1303: [-1765328377][Server not found in Kerberos database]
> > > (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]] [k5c_send_data]
> > > (0x0200): Received error code 1432158209
> > > (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]] [pack_response_packet]
> > > (0x2000): response packet size: [20]
> > > (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]] [k5c_send_data]
> > > (0x4000): Response sent.
> > > (Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]] [main] (0x0400):
> > > krb5_child completed successfully
> > > [root@usaeilvdip001 sssd]#
> > > 
> > > 
> > 
> > The logs indicate that the user actually comes from the member domain in
> > the forest: usern...@nafta.company.org. But the [capaths] section you
> > added to krb5.conf only contains the forest root.
> > 
> > > COMPANY-AWS.ORG = {
> > > 
> > >COMPANY-IDM.ORG = COMPANY-AWS.ORG
> > > 
> > > }
> > > 
> > > COMPANY-IDM.ORG = {
> > > 
> > >COMPANY-AWS.ORG = COMPANY-AWS.ORG
> > > 
> > > }
> > > 
> > 
> > Please try to add the member domain as well. The result might look like
> > this: (assuming COMPANY-AWS is the forest root, NAFTA is the member
> > domain and COMPANY-IDM is the IPA domain)
> > 
> > COMPANY-AWS.ORG = {
> > 
> >COMPANY-IDM.ORG = COMPANY-AWS.ORG
> > 
> > }
> > 
> > COMPANY-IDM.ORG = {
> > 
> >COMPANY-AWS.ORG = COMPANY-AWS.ORG
> >NAFTA.COMPANY.ORG = COMPANY-AWS.ORG
> > }
> > 
> > NAFTA.COMPANY.ORG = {
> >COMPANY-IDM.ORG = COMPANY-AWS.ORG
> > }
> 
> Thank you. I don't think our Linux client picked up the CAPATH changes
> needed but I think the IPA server did the proper thing deep down in that
> include directory that is referenced at the top of sssd.conf.
> 
> Will check and verify.
> 
> 
> > You can test the configuration independent of SSSD by calling
> > 
> > kdestroy -A
> > kinit usern...@nafta.company.org
> > kvno 

Re: [Freeipa-users] This again :) - ssh authentication for users in complex AD forest - where am I going wrong?

2016-11-23 Thread Chris Dagdigian


< huge log sample deleted >

Sumit Bose wrote:
(Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]] [validate_tgt] 
(0x0020): TGT failed verification using key for 
[host/usaeilvdip001.company-aws@company-idm.org].


ok, it is the ticket validation which fails. You can get around this for
testing by setting 'krb5_validate = false' in the [domain/...] section
of sssd.conf. But please use this only for testing because this error
indicates that there are issues in your setup/configuration.


Much appreciated. Will test today.

But your host principal
host/usaeilvdip001.company-aws@company-idm.org looks odd as well.
Why is the host in the AD DNS domain, this calls for trouble.
Additionally I wonder why the realm part '@company-idm.org' was created
in lower-case while joining the IPA this should be created upper-case.
Or is this all due to sanitation?


{ Capitalization problem was a sanitation error }

At the time we set up the IPA environment the only AD domain we had 
administrative control over was already in use and could not easily be 
reconfigured to meet the best practices for having an IPA server sit in 
the same domain name and realm.

After reading the documentation and a lot of posts on redhat.com we 
decided that the IPA server would have to be in a completely new 
autonomous domain name, DNS zone and Kerberos realm. The IPA 
instructions (and ipa-client-install options) all seem to indicate that 
although not a best practice it is something that was supported although 
there is a loss of functionality to be expected.


So we run servers as FQDN members of company-aws.org but they are IPA 
clients of company-ipa.org


My understanding is that if we:

 1. Bind a Linux IPA client to company-ipa.com
 2. But configure the Linux client to have a hostname of 
client.company-aws.com


.. then what we primarily lose is kerberos related service functionality 
for logged-in users


Since our core need was for AD password authentication and RBAC control 
over Linux hosts we decided to move forward with this odd config.

Would be greatly interested if I'm way off base on use of totally 
autonomous IPA realms and domain names.



(Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]] [get_and_save_tgt]
(0x0020): 1242: [-1765328377][Server not found in Kerberos database]
(Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]] [map_krb5_error]
(0x0020): 1303: [-1765328377][Server not found in Kerberos database]
(Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]] [k5c_send_data]
(0x0200): Received error code 1432158209
(Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]] [pack_response_packet]
(0x2000): response packet size: [20]
(Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]] [k5c_send_data]
(0x4000): Response sent.
(Tue Nov 22 16:02:48 2016) [[sssd[krb5_child[4369]]] [main] (0x0400):
krb5_child completed successfully
[root@usaeilvdip001 sssd]#




The logs indicate that the user actually comes from the member domain in
the forest: usern...@nafta.company.org. But the [capaths] section you
added to krb5.conf only contains the forest root.


COMPANY-AWS.ORG = {

   COMPANY-IDM.ORG = COMPANY-AWS.ORG

}

COMPANY-IDM.ORG = {

   COMPANY-AWS.ORG = COMPANY-AWS.ORG

}



Please try to add the member domain as well. The result might look like
this: (assuming COMPANY-AWS is the forest root, NAFTA is the member
domain and COMPANY-IDM is the IPA domain)

COMPANY-AWS.ORG = {

   COMPANY-IDM.ORG = COMPANY-AWS.ORG

}

COMPANY-IDM.ORG = {

   COMPANY-AWS.ORG = COMPANY-AWS.ORG
   NAFTA.COMPANY.ORG = COMPANY-AWS.ORG
}

NAFTA.COMPANY.ORG = {
   COMPANY-IDM.ORG = COMPANY-AWS.ORG
}


Thank you. I don't think our Linux client picked up the CAPATH changes 
needed but I think the IPA server did the proper thing deep down in that 
include directory that is referenced at the top of sssd.conf.

Will check and verify.



You can test the configuration independent of SSSD by calling

kdestroy -A
kinit usern...@nafta.company.org
kvno host/usaeilvdip001.company-aws@company-idm.org

If kvno returns an error please rerun as

KRB5_TRACE=/dev/stdout kvno host/usaeilvdip001.company-aws@company-idm.org

and send the output.


Again, thanks for the time, attention and helpful replies.



HTH

bye,
Sumit


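The [capaths] advice in the exchange above can be checked offline before touching a client. Below is an added example in Python, not from the thread or from MIT krb5: it parses a `[capaths]` section and reports the realm path a client will take, following the documented krb5.conf rules: an explicit client/server entry is used as written (`.` meaning a direct path), and when there is none the library falls back to the hierarchical default, climbing from the client realm to the longest common suffix of the two realm names and descending to the server realm. Both configurations are the ones Sumit quoted. With only the forest root listed, a NAFTA.COMPANY.ORG user reaching a COMPANY-IDM.ORG service gets the default path through COMPANY.ORG and ORG, neither of which is a trust hop, which is what the member-domain entries fix. The `KRB5_TRACE` run Sumit suggests shows the real library doing the same walk.

```python
"""Realm path for a cross-realm Kerberos request, computed from a krb5.conf
[capaths] section by the documented MIT krb5 rules. Added example, not from
the thread or from MIT krb5."""

# The two [capaths] variants discussed in the thread (constructed from its text).
CAPATHS_FOREST_ROOT_ONLY = """\
[capaths]
COMPANY-AWS.ORG = {
    COMPANY-IDM.ORG = COMPANY-AWS.ORG
}
COMPANY-IDM.ORG = {
    COMPANY-AWS.ORG = COMPANY-AWS.ORG
}
"""

CAPATHS_WITH_MEMBER_DOMAIN = """\
[capaths]
COMPANY-AWS.ORG = {
    COMPANY-IDM.ORG = COMPANY-AWS.ORG
}
COMPANY-IDM.ORG = {
    COMPANY-AWS.ORG = COMPANY-AWS.ORG
    NAFTA.COMPANY.ORG = COMPANY-AWS.ORG
}
NAFTA.COMPANY.ORG = {
    COMPANY-IDM.ORG = COMPANY-AWS.ORG
}
"""


def parse_capaths(text):
    """{client realm: {server realm: [intermediate realms]}} from the [capaths]
    section; an empty list is an explicit direct path ('.'). Other sections and
    '#' comments are ignored."""
    paths, client, in_section = {}, None, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            in_section = line == "[capaths]"
        elif not in_section:
            continue
        elif line.endswith("{"):
            client = line[:-1].strip().rstrip("=").strip()
            paths.setdefault(client, {})
        elif line == "}":
            client = None
        elif client is not None and "=" in line:
            server, hop = (s.strip() for s in line.split("=", 1))
            hops = paths[client].setdefault(server, [])
            if hop != ".":            # repeated "server = hop" lines list the hops in order
                hops.append(hop)
    return paths


def hierarchical_path(client, server):
    """The default when [capaths] has no entry: climb from the client realm to the
    longest common suffix of the two names, then descend toward the server realm."""
    c, s = client.split("."), server.split(".")
    common = 0
    while common < min(len(c), len(s)) and c[-1 - common].upper() == s[-1 - common].upper():
        common += 1
    hops = [".".join(c[i:]) for i in range(1, len(c) - common + 1)]          # up
    hops += [".".join(s[i:]) for i in range(len(s) - common - 1, 0, -1)]     # down
    return [h for h in hops if h and h not in (client, server)]


def realm_path(capaths, client, server):
    """(intermediate realms, True if an explicit [capaths] entry was used)."""
    if client == server:
        return [], True
    explicit = capaths.get(client, {}).get(server)
    if explicit is not None:
        return list(explicit), True
    return hierarchical_path(client, server), False


if __name__ == "__main__":
    for label, text in (("forest root only", CAPATHS_FOREST_ROOT_ONLY),
                        ("with member domain", CAPATHS_WITH_MEMBER_DOMAIN)):
        hops, explicit = realm_path(parse_capaths(text), "NAFTA.COMPANY.ORG", "COMPANY-IDM.ORG")
        print(f"{label}: NAFTA.COMPANY.ORG -> {' -> '.join(hops) or '(direct)'} -> "
              f"COMPANY-IDM.ORG ({'capaths' if explicit else 'hierarchical default'})")
```

Run it against the `[capaths]` text actually deployed on the client (including anything pulled in from an include directory, which is where Chris suspects the difference lies); if the client's copy still prints the hierarchical path, the member-domain entries have not reached it.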


Re: [Freeipa-users] This again :) - ssh authentication for users in complex AD forest - where am I going wrong?

2016-11-23 Thread Sumit Bose
On Tue, Nov 22, 2016 at 11:17:37AM -0500, Chris Dagdigian wrote:
> 
> 
> Sumit Bose wrote:
> > Please send the full krb5_child.log with debug_level=10 in the
> > [domain/...] section of sssd.conf. My current guess is the ticket
> > validation fails. Which version of SSSD are you using?
> > 
> > bye,
> > Sumit
> 
> 
> This is a CentOS 7 client running SSSD-1.13
> 
> Thank you. Lots of interesting info in this log. I've sanitized hostnames,
> username and IP but that was it:
> 
> ### log data below 
> 
> 
> (Tue Nov 22 16:02:47 2016) [[sssd[krb5_child[4369]]] [main] (0x0400):
> krb5_child started.
> (Tue Nov 22 16:02:47 2016) [[sssd[krb5_child[4369]]] [unpack_buffer]
> (0x1000): total buffer size: [158]
> (Tue Nov 22 16:02:47 2016) [[sssd[krb5_child[4369]]] [unpack_buffer]
> (0x0100): cmd [241] uid [1843770609] gid [1843770609] validate [true]
> enterprise principal [false] offline [false] UPN [usern...@company.org]
> (Tue Nov 22 16:02:47 2016) [[sssd[krb5_child[4369]]] [unpack_buffer]
> (0x0100): ccname: [KEYRING:persistent:1843770609] old_ccname:
> [KEYRING:persistent:1843770609] keytab: [/etc/krb5.keytab]
> (Tue Nov 22 16:02:47 2016) [[sssd[krb5_child[4369]]] [switch_creds]
> (0x0200): Switch user to [1843770609][1843770609].
> (Tue Nov 22 16:02:47 2016) [[sssd[krb5_child[4369]]]
> [sss_krb5_cc_verify_ccache] (0x2000): TGT not found or expired.
> (Tue Nov 22 16:02:47 2016) [[sssd[krb5_child[4369]]] [switch_creds]
> (0x0200): Switch user to [0][0].
> (Tue Nov 22 16:02:47 2016) [[sssd[krb5_child[4369]]] [k5c_check_old_ccache]
> (0x4000): Ccache_file is [KEYRING:persistent:1843770609] and is not active
> and TGT is  valid.
> (Tue Nov 22 16:02:47 2016) [[sssd[krb5_child[4369]]] [k5c_precreate_ccache]
> (0x4000): Recreating ccache
> (Tue Nov 22 16:02:47 2016) [[sssd[krb5_child[4369]]] [k5c_setup_fast]
> (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to
> [host/usaeilvdip001.company-aws@company-idm.org]
> (Tue Nov 22 16:02:47 2016) [[sssd[krb5_child[4369]]]
> [find_principal_in_keytab] (0x4000): Trying to find principal
> host/usaeilvdip001.company-aws@company-idm.org in keytab.
> (Tue Nov 22 16:02:47 2016) [[sssd[krb5_child[4369]]] [match_principal]
> (0x1000): Principal matched to the sample
> (host/usaeilvdip001.company-aws@company-idm.org).
> (Tue Nov 22 16:02:47 2016) [[sssd[krb5_child[4369]]] [check_fast_ccache]
> (0x0200): FAST TGT is still valid.
> (Tue Nov 22 16:02:47 2016) [[sssd[krb5_child[4369]]] [become_user]
> (0x0200): Trying to become user [1843770609][1843770609].
> (Tue Nov 22 16:02:47 2016) [[sssd[krb5_child[4369]]] [main] (0x2000):
> Running as [1843770609][1843770609].
> (Tue Nov 22 16:02:47 2016) [[sssd[krb5_child[4369]]] [k5c_setup] (0x2000):
> Running as [1843770609][1843770609].
> (Tue Nov 22 16:02:47 2016) [[sssd[krb5_child[4369]]] [set_lifetime_options]
> (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
> (Tue Nov 22 16:02:47 2016) [[sssd[krb5_child[4369]]] [set_lifetime_options]
> (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
> (Tue Nov 22 16:02:47 2016) [[sssd[krb5_child[4369]]]
> [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
> (Tue Nov 22 16:02:47 2016) [[sssd[krb5_child[4369]]] [main] (0x0400): Will
> perform online auth
> (Tue Nov 22 16:02:47 2016) [[sssd[krb5_child[4369]]] [tgt_req_child]
> (0x1000): Attempting to get a TGT
> (Tue Nov 22 16:02:47 2016) [[sssd[krb5_child[4369]]] [get_and_save_tgt]
> (0x0400): Attempting kinit for realm [COMPANY.ORG]
> (Tue Nov 22 16:02:47 2016) [[sssd[krb5_child[4369]]]
> [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830567.899271: Getting
> initial credentials for usern...@company.org
> 
> (Tue Nov 22 16:02:47 2016) [[sssd[krb5_child[4369]]]
> [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830567.899337: FAST armor
> ccache: MEMORY:/var/lib/sss/db/fast_ccache_company-idm.org
> 
> (Tue Nov 22 16:02:47 2016) [[sssd[krb5_child[4369]]]
> [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830567.899368: Retrieving
> host/usaeilvdip001.company-aws@company-idm.org -> 
> krb5_ccache_conf_data/fast_avail/krbtgt\/COMPANY.ORG\@COMPANY.ORG@X-CACHECONF:
> from MEMORY:/var/lib/sss/db/fast_ccache_company-idm.org with result:
> -1765328243/Matching credential not found
> 
> (Tue Nov 22 16:02:47 2016) [[sssd[krb5_child[4369]]]
> [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830567.899415: Sending
> request (169 bytes) to COMPANY.ORG
> 
> (Tue Nov 22 16:02:47 2016) [[sssd[krb5_child[4369]]]
> [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830567.899575: Resolving
> hostname COMPANY.ORG
> 
> (Tue Nov 22 16:02:47 2016) [[sssd[krb5_child[4369
> [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830567.900935: Initiating TCP
> connection to stream 192.141.1.15:88
> 
> (Tue Nov 22 16:02:47 2016) [[sssd[krb5_child[4369
> [sss_child_krb5_trace_cb] (0x4000): [4369] 1479830567.987925: Sending TCP
> request to stream 192.141.1.15:88
> 
> (Tue Nov 22 16:02:48 

Re: [Freeipa-users] AD Trust users not resolving on clients: ipa_get_*_acct request failed

2016-11-23 Thread Jakub Hrozek
On Wed, Nov 23, 2016 at 05:58:58PM +1100, Robert Sturrock wrote:
> Hi All.
> 
> I’m having a problem getting trust users to resolve on *any* IPA client (this 
> _was_ working well and I’m not sure what’s changed that may have caused it to 
> start failing - although we have recently updated to IPA 4.4, plus IPA DNS 
> enabled with delegation of ipa.example.com).
> 
> Whenever I try to lookup a trust user on a client (Ubuntu 16.04 with 
> sssd-1.13.4-1ubuntu1.1) I see:
> 
> # id usern...@example.com
> id: ‘usern...@example.com': no such user
> 
> The error message block in the sssd/domain log is:
> 
> > (Wed Nov 23 17:24:04 2016) [sssd[be[ipa.example.com]]] 
> > [sysdb_search_by_name] (0x0400): No such entry
> > (Wed Nov 23 17:24:04 2016) [sssd[be[ipa.example.com]]] [get_group_dn_list] 
> > (0x0040): find_domain_by_object_name failed.

The error happens here. Too bad we don't print the names of the group that
failed the find_domain_by_object_name() but I would guess a supplementary
name is qualified with a domain that the client doesn't know for some reason.

The only suggestion I have is to run "id" for this user on the server
and check the domains of the supplementary groups that are returned.
Then check if the domains are expected. You can also run ldbsearch on
the client cache with objectclass=subdomain to check which trusted
domains the client knows about and whether they match the domains of the
supplementary groups on the server.

(This wouldn't fix the issue of course, but maybe help us understand
better where the error really is.)

Do you maybe use some non-default configuration on the server that
strips the domain names from the qualified name?

> > (Wed Nov 23 17:24:04 2016) [sssd[be[ipa.example.com]]] 
> > [ipa_s2n_get_user_done] (0x0040): get_group_dn_list failed.

> > (Wed Nov 23 17:24:04 2016) [sssd[be[ipa.example.com]]] [sdap_id_op_done] 
> > (0x4000): releasing operation connection
> > (Wed Nov 23 17:24:04 2016) [sssd[be[ipa.example.com]]] 
> > [ipa_subdomain_account_done] (0x0040): ipa_get_*_acct request failed: [12]: 
> > Cannot allocate memory.
> > (Wed Nov 23 17:24:04 2016) [sssd[be[ipa.example.com]]] [sdap_id_op_destroy] 
> > (0x4000): releasing operation connection
> > (Wed Nov 23 17:24:04 2016) [sssd[be[ipa.example.com]]] [acctinfo_callback] 
> > (0x0100): Request processed. Returned 3,12,Out of memory
> 
> 
> A more complete log is below.
> 
> The domain users resolve fine on each of the three IPA servers (all RHEL7 
> with ipa-server-4.4.0-12.el7.x86_64).
> 
> IPA domain is ipa.example.com.  AD domain is example.com.
> 
> I have looked at https://fedorahosted.org/sssd/wiki/Troubleshooting, but no 
> particular ideas are coming from that, so I guess I’m after some hints about 
> what to check or any further tests to try.
> 
> Regards,
> 
> Robert.
> 
> 
> (Wed Nov 23 17:24:03 2016) [sssd[be[ipa.example.com]]] [sbus_dispatch] 
> (0x4000): dbus conn: 0xfd8480
> (Wed Nov 23 17:24:03 2016) [sssd[be[ipa.example.com]]] [sbus_dispatch] 
> (0x4000): Dispatching.
> (Wed Nov 23 17:24:03 2016) [sssd[be[ipa.example.com]]] [sbus_message_handler] 
> (0x2000): Received SBUS method 
> org.freedesktop.sssd.dataprovider.getAccountInfo on path 
> /org/freedesktop/sssd/dataprovider
> (Wed Nov 23 17:24:03 2016) [sssd[be[ipa.example.com]]] 
> [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
> (Wed Nov 23 17:24:03 2016) [sssd[be[ipa.example.com]]] [be_get_account_info] 
> (0x0200): Got request for [0x1001][FAST BE_REQ_USER][1][name=mib]
> (Wed Nov 23 17:24:03 2016) [sssd[be[ipa.example.com]]] [be_req_set_domain] 
> (0x0400): Changing request domain from [ipa.example.com] to [example.com]
> (Wed Nov 23 17:24:03 2016) [sssd[be[ipa.example.com]]] 
> [sdap_id_op_connect_step] (0x4000): reusing cached connection
> (Wed Nov 23 17:24:03 2016) [sssd[be[ipa.example.com]]] 
> [sdap_id_op_connect_step] (0x4000): reusing cached connection
> (Wed Nov 23 17:24:03 2016) [sssd[be[ipa.example.com]]] 
> [ipa_get_ad_override_connect_done] (0x4000): Searching for overrides in view 
> [Default Trust View] with filter [(&(objectClass=ipaUserOverride)(uid=mib))].
> (Wed Nov 23 17:24:03 2016) [sssd[be[ipa.example.com]]] [sdap_print_server] 
> (0x2000): Searching 172.25.180.53
> (Wed Nov 23 17:24:03 2016) [sssd[be[ipa.example.com]]] 
> [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with 
> [(&(objectClass=ipaUserOverride)(uid=mib))][cn=Default Trust 
> View,cn=views,cn=accounts,dc=ipa,dc=example,dc=com].
> (Wed Nov 23 17:24:03 2016) [sssd[be[ipa.example.com]]] 
> [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 21
> (Wed Nov 23 17:24:03 2016) [sssd[be[ipa.example.com]]] [sdap_op_add] 
> (0x2000): New operation 21 timeout 6
> (Wed Nov 23 17:24:03 2016) [sssd[be[ipa.example.com]]] [sdap_process_result] 
> (0x2000): Trace: sh[0xfd76d0], connected[1], ops[0xff6420], ldap[0xfded70]
> (Wed Nov 23 17:24:03 2016) [sssd[be[ipa.example.com]]] [sdap_process_message] 
> (0x4000): Message 
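The comparison Jakub suggests above (domains of the user's supplementary groups from `id` on the server versus the subdomains the client cache knows about) as an added example, not code from the thread or from SSSD; the `id` and `ldbsearch` outputs are constructed samples and the sysdb entry layout is an assumption:

```python
# Constructed output of `id mib@example.com` run on the IPA server (sample
# data, not from the thread). One supplementary group is qualified with a
# domain that the client's cache does not list.
ID_OUTPUT = ("uid=1234567(mib@example.com) gid=1234567(mib@example.com) "
             "groups=1234567(mib@example.com),"
             "1234601(domain users@example.com),"
             "1234777(finance@child.example.com),"
             "800001(ipausers)")

# Constructed output of `ldbsearch -H /var/lib/sss/db/cache_ipa.example.com.ldb
# objectclass=subdomain` on the client. The entry layout and the `cn`
# attribute holding the domain name are an assumption.
LDB_OUTPUT = """# record 1
dn: cn=example.com,cn=subdomains,cn=ipa.example.com,cn=sysdb
cn: example.com
objectClass: subdomain
realm: EXAMPLE.COM
flatName: EXAMPLE

# returned 1 records
"""

IPA_DOMAIN = "ipa.example.com"


def group_domains(id_output, ipa_domain=IPA_DOMAIN):
    """Map each group in `id` output to the domain its name is qualified with;
    an unqualified name is an IPA-local group."""
    groups = id_output.split("groups=", 1)[1]   # last field, may contain spaces
    result = {}
    for entry in groups.split(","):            # entry looks like 1234(name@domain)
        name = entry[entry.index("(") + 1:entry.rindex(")")]
        _, sep, domain = name.rpartition("@")
        result[name] = domain.lower() if sep else ipa_domain
    return result


def known_subdomains(ldb_output):
    """Trusted domains the client's sysdb cache knows about."""
    return {line.split(":", 1)[1].strip().lower()
            for line in ldb_output.splitlines() if line.startswith("cn:")}


def unknown_group_domains(id_output, ldb_output, ipa_domain=IPA_DOMAIN):
    """Groups whose domain is neither the IPA domain nor a cached subdomain:
    the candidates for the find_domain_by_object_name() failure in the log."""
    known = known_subdomains(ldb_output) | {ipa_domain.lower()}
    return {g: d for g, d in group_domains(id_output, ipa_domain).items()
            if d not in known}
```

Any group returned by `unknown_group_domains()` points at a domain the client never learned from the server, which is the mismatch to chase before looking anywhere else.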

Re: [Freeipa-users] Ping forwarded domain name.

2016-11-23 Thread Martin Basti



On 23.11.2016 03:48, TomK wrote:

On 11/22/2016 10:22 AM, Martin Basti wrote:



On 22.11.2016 13:57, TomK wrote:

On 11/22/2016 2:59 AM, Martin Basti wrote:

Hey,


On 22.11.2016 06:33, TomK wrote:

Hey Guy's,

I'm forwarding a domain dom.abc.xyz from a Windows Server 2012 over to
my dual Free IPA server.  The Free IPA servers are authoritative for
this subdomain.  The Windows Server 2012 DNS resolves abc.xyz
and forwards dom.abc.xyz.
Have you configured proper zone delegation for the subdomain
dom.abc.xyz?

Proper NS and glue records
http://www.zytrax.com/books/dns/ch9/delegate.html



I cannot ping dom.abc.xyz.  Everything else, including client
registrations, work fine.  If Free IPA is authoritative on
dom.abc.xyz, should it not create DNS entries so the sub domain can be
pinged as well?


What do you mean by "ping"?



/etc/resolv.conf also gets regenerated on reboot on the IPA Servers
and wanted to ask if you can point me to some materials online to
determine where I can permanently adjust the search to add dom.abc.xyz
to the already present abc.xyz.  I wasn't able to locate what I
needed in my searches.

I'm using the latest v4.


It depends on what you are using; probably you have NetworkManager there
that is editing /etc/resolv.conf

https://ask.fedoraproject.org/en/question/67752/how-do-i-add-a-search-domain-using-networkmanager/ 





Martin



I Uninstalled NetworkManager.  Still changes.
ping dom.abc.com results in "ping: unknown host"

I'll have a look at the first link, ty.



ping (ICMP protocol) and the DNS system are different things; do you have
a hostname dom.abc.com with an A record, or is it a zone?

With the ping command the hostname "dom.abc.com" is resolved to an IP address
first; do you have an A record set for dom.abc.com in the zone apex, or what are
you trying to achieve with the ping command?

For testing DNS try to use the commands dig, host, nslookup

Martin



Apologize for the long reply but it should give some background on 
what it is that I'm doing.


1) dom.abc.com is a zone.  There is no A record for dom.abc.com in 
FreeIPA (Confirmed by Petr).  I get the point Petr Spacek pointed out 
in his comment as well.  What should it really point to? ( I kind of 
answer this question below so please read on. )  Where I'm getting 
this from is that in Windows Server 2012 abc.com returns the IP of any 
of the participating AD / DNS servers within the cluster (The two 
Windows Server 2012 are a combined clustered AD + DNS servers.).  
Being able to resolve abc.xyz is handy.  During a lookup, I can get a 
list of all the IPs associated with that domain which would indicate 
all the DNS + AD servers online under that domain or serving that domain:



# nslookup abc.xyz
Server: 192.168.0.3
Address:192.168.0.3#53

Name:   abc.xyz
Address: 192.168.0.3
Name:   abc.xyz
Address: 192.168.0.1
Name:   abc.xyz
Address: 192.168.0.2
#

Again, where this is handy is when configuring sssd.conf for example 
or other apps for that matter.  I can just point the app to 
authenticate against the domain and I have my redundancy solved.  
Windows Server 2012 does it, but FreeIPA didn't, so I threw the 
question out there.


IPA uses SRV records heavily: all IPA related services have SRV records, 
SSSD uses the SRV records of IPA, and a client should use the SRV record to 
connect to the right service (or a URI record - will be in the next IPA). SRV 
records work for the IPA locations mechanism; we cannot achieve this with pure 
A records.




Delegation from this Windows DNS works as expected.  Any lookup from 
dom.abc.xyz is forwarded to and handled by FreeIPA servers. Tested 
this out. No issue with this.


I did see earlier that there is no A record for dom.abc.xyz in 
FreeIPA. My reasons for asking if there was an IP on the subdomain in 
FreeIPA were above but the missing IP on the subdomain isn't a major 
issue for me.  Things are working without dom.abc.xyz resolving to an 
IP.  What I was hoping for is to have a VIP for the IPA servers and 
one for the Windows Server 2012 DNS Cluster in /etc/resolv.conf.  (I 
have the VIP for the windows server).  One forwarding to the other for 
a given domain.  This is all for testing a) redundancy, b) forwarding, 
c) authentication.


IE:

# cat /etc/resolv.conf
search nix.mds.xyz mds.xyz
nameserver 192.168.0.3< Win Cluster DNS VIP
nameserver 192.168.0.4< IPA Cluster DNS VIP

* Just what I want to achieve above.  VIP 192.168.0.4 doesn't exist on 
my cluster yet.  I'm looking to integrate ucarp with the above IPA 
servers.



2) More to the topic of my second question however, is that 
/etc/resolv.conf, on the IPA servers themselves, gets rewritten on 
restart.  I would like to know by what, if I already uninstalled 
NetworkManager?  When I configured the FreeIPA server, I used:


ipa-server-install --setup-dns --forwarder=192.168.0.3 -p "Hush!" -a 
"Hush!" -r DOM.ABC.XYZ -n dom.abc.xyz --hostname ipa01.dom.abc.xyz


Notice I used the 
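Martin's point above is that IPA clients get redundancy from SRV records rather than from a VIP or multiple A records. The RFC 2782 target ordering a client applies to those records, as an added example that is not code from the thread or from IPA/SSSD; the SRV answer below is a constructed sample for the page's dom.abc.xyz zone:

```python
import random

# Constructed answer section of `dig +short SRV _ldap._tcp.dom.abc.xyz`
# (sample data, not from the thread): "priority weight port target".
SRV_ANSWER = """0 100 389 ipa01.dom.abc.xyz.
0 100 389 ipa02.dom.abc.xyz.
10 100 389 ipa-dr.dom.abc.xyz.
"""


def parse_srv(text):
    """Parse `dig +short` SRV lines into (priority, weight, port, target)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        prio, weight, port, target = line.split()
        records.append((int(prio), int(weight), int(port), target.rstrip(".")))
    return records


def order_srv_targets(records, rng=random):
    """Order targets the RFC 2782 way: lowest priority first, then a
    weighted random draw inside each priority level. Servers with the same
    priority share the load and a client that cannot reach the first target
    simply moves on to the next one, which is why no VIP is needed."""
    ordered = []
    for prio in sorted({r[0] for r in records}):
        level = [r for r in records if r[0] == prio]
        while level:
            total = sum(r[1] for r in level)
            pick = rng.randint(0, total) if total else 0
            running = 0
            for r in level:                 # first record whose running sum >= pick
                running += r[1]
                if running >= pick:
                    ordered.append((r[3], r[2]))
                    level.remove(r)
                    break
    return ordered
```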

Re: [Freeipa-users] Samba in IPA / AD trust, best practise

2016-11-23 Thread Alexander Bokovoy

On ke, 23 marras 2016, Troels Hansen wrote:



- On Nov 23, 2016, at 8:52 AM, Alexander Bokovoy aboko...@redhat.com wrote:


IPA client running Samba server currently can only be configured with
the way described in the wiki, with SSSD-provided libwbclient
replacement. It has its own limitations, namely lack of NTLMSSP
(password-based) support.


Hmm, I have set up a "normal" IPA client, running Samba, using ipasam
on multiple occasions, so I know for sure that it works, although I
haven't tested it in an AD trust environment.

Then you know how to set it up. It is not something we support out of
the box.

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] Samba in IPA / AD trust, best practise

2016-11-23 Thread Troels Hansen


- On Nov 23, 2016, at 8:52 AM, Alexander Bokovoy aboko...@redhat.com wrote:

> IPA client running Samba server currently can only be configured with
> the way described in the wiki, with SSSD-provided libwbclient
> replacement. It has its own limitations, namely lack of NTLMSSP
> (password-based) support.

Hmm, I have set up a "normal" IPA client, running Samba, using ipasam on 
multiple occasions, so I know for sure that it works, although I haven't tested 
it in an AD trust environment.
