Re: [Freeipa-users] error; Allocation of a new value

2016-11-24 Thread Martin Babinsky

On 11/24/2016 07:30 PM, lejeczek wrote:



On 24/11/16 17:14, lejeczek wrote:

hi

I see this:

2 ranges matched

  Range name: xx.id_range
  First Posix ID of the range: 195240
  Number of IDs in the range: 20
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-1144915091-2252175215-702530032
  Range type: Active Directory domain range

  Range name: xx.xx.xx.xx.x_id_range
  First Posix ID of the range: 187500
  Number of IDs in the range: 20
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 1
  Range type: local domain range

Number of entries returned 2

some time ago when I first set up IPA I migrated users from samba3's
ldap backend. Since then until today there was no new users I needed
to add but now I do.
First on the list range I think it is a remnant of AD trust which does
not exist any more (should it be removed?).
I'm not sure how to read those ranges info, one thing I notice is that
UIDs from migration are probably between 500 & 2000 and now if I
supply uid manually to user-add and gid (which is old Samba's domain
users group) then creation of new user succeeds.
Is this normal, expected?

mthx,
L


ok, solution(ldapmodify) to the problem:
https://www.redhat.com/archives/freeipa-users/2014-February/msg00246.html
but could some experts shed more light on it - I see that some time
ago(after migration/import) I actually created manually a user:
$ id netdevadmin
uid=187506(netdevadmin) gid=187506(netdevadmin)
groups=187506(netdevadmin)

today, after ldapmodify I create a new user but uids seem to come from
(what?) a different range??
$ id appmgr
uid=3501(appmgr) gid=3501(appmgr) groups=3501(appmgr)

what is happening?
regards
L



You are seeing this because you probably set dnaMaxValue too low (5000
or so) and, as the name of the attribute implies, it sets the maximum
UID/GID for the range assigned by the plugin.


By default, the local IPA ID ranges are set to huge numbers (on my test
VMs I have dnaMaxValue 24179) to avoid collisions with UIDs/GIDs of
local users, which are typically in the range of thousands/tens of
thousands.


However, changes done directly in the DNA plugin configuration are
not reflected in ID range objects, which is why you may observe the
disparity between ID range characteristics and the actual UIDs/GIDs provisioned.


--
Martin^3 Babinsky
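The disparity Martin describes can be checked mechanically. The block below is an added example, not code from the thread or from FreeIPA: it parses the text output of `ipa idrange-find` exactly as pasted above (range sizes of `20` as they appear in the archive), reports which declared range, if any, contains a given UID, and checks whether a `dnaMaxValue` still lies inside the local range. The sample output and the two UIDs (187506, 3501) are the thread's; the function names are mine.

```python
"""Compare FreeIPA ID ranges against UIDs actually handed out by the DNA plugin.

Added example, not from the thread or from FreeIPA itself. It works on the
plain-text output of `ipa idrange-find` and needs no IPA connection.
"""
import re
from typing import Dict, List, Optional

# Constructed sample: the `ipa idrange-find` output pasted in the thread.
IDRANGE_OUTPUT = """\
2 ranges matched

  Range name: xx.id_range
  First Posix ID of the range: 195240
  Number of IDs in the range: 20
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-1144915091-2252175215-702530032
  Range type: Active Directory domain range

  Range name: xx.xx.xx.xx.x_id_range
  First Posix ID of the range: 187500
  Number of IDs in the range: 20
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 1
  Range type: local domain range

Number of entries returned 2
"""

# CLI labels mapped to the field names used below (assumption: labels are
# stable; they match the pasted output).
_FIELDS = {
    "First Posix ID of the range": ("base", int),
    "Number of IDs in the range": ("size", int),
    "Range type": ("type", str),
}


def parse_idranges(text: str) -> List[Dict[str, object]]:
    """Turn `ipa idrange-find` output into dicts with name, base, size, type."""
    ranges: List[Dict[str, object]] = []
    current: Dict[str, object] = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+):\s*(.*)$", line)
        if not m:
            continue                      # "2 ranges matched", blank lines, ...
        key, value = m.group(1), m.group(2).strip()
        if key == "Range name":
            current = {"name": value}
            ranges.append(current)
        elif key in _FIELDS and current:
            field, conv = _FIELDS[key]
            current[field] = conv(value)
    return ranges


def find_range(uid: int, ranges: List[Dict[str, object]]) -> Optional[Dict[str, object]]:
    """Return the declared range containing `uid`, or None if no range covers it."""
    for r in ranges:
        base, size = int(r["base"]), int(r["size"])
        if base <= uid < base + size:
            return r
    return None


def dna_max_inside_local_range(dna_max_value: int, ranges: List[Dict[str, object]]) -> bool:
    """True if dnaMaxValue (DNA plugin config) lies within the local ID range.

    A dnaMaxValue below the local range's first POSIX ID means the plugin hands
    out UIDs/GIDs that no ID range object describes, the disparity in the thread.
    """
    for r in ranges:
        if r["type"] == "local domain range":
            base, size = int(r["base"]), int(r["size"])
            return base <= dna_max_value < base + size
    return False


if __name__ == "__main__":
    rngs = parse_idranges(IDRANGE_OUTPUT)
    for uid in (187506, 3501):            # the two UIDs reported in the thread
        hit = find_range(uid, rngs)
        print(uid, "->", hit["name"] if hit else "no declared range")
    print("dnaMaxValue 5000 inside local range:", dna_max_inside_local_range(5000, rngs))
```

Run against the thread's data, 187506 (netdevadmin) lands in the local range while 3501 (appmgr) matches no declared range, and a dnaMaxValue of 5000 is reported as outside the local range, which is the inconsistency to look for before adding users.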

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] anyone else getting porn spam pretending to be replies to freeipa-users threads?

2016-11-24 Thread Denis Müller
Yeah, im getting spam too!

Denis


On Friday, 25.11.2016, 00:15 -0500, TomK wrote:

On 11/16/2016 11:23 AM, Sean Hogan wrote:


Yes... just got 2 of them from same address.. kimi rachel





Sean Hogan








From: Tony Brian Albers
To: "freeipa-users@redhat.com"
Date: 11/15/2016 11:54 PM
Subject: Re: [Freeipa-users] anyone else getting porn spam pretending to
be replies to freeipa-users threads?
Sent by: freeipa-users-boun...@redhat.com





Hehe, just you wait Lachlan ;)

/tony

On 11/16/2016 01:56 AM, Lachlan Musicman wrote:


Gah, just happened to me. Wasn't porn, but was someone called Kimi and
the only content was "Heeey Lachlan, how's it going?"

L.

--
The most dangerous phrase in the language is, "We've always done it this
way."

- Grace Hopper

On 16 November 2016 at 04:02, Martin Basti wrote:



On 15.11.2016 17:32, Chris Dagdigian wrote:



Got a porn spam today that had a subject header of:

Re: [Freeipa-users] URL is changing on the browser


Have to admit that got through my spam filter and got me to open
the email.

It's clear that it was not a list message; looks like something
may be mining the public list archives to pull email addresses
and plausible sounding subject lines.

Mildly interested if anyone else got an email like this?

-Chris


 We are receiving those emails as well (different subjects, domains,
but the same content)









--
Best regards,

Tony Albers
Systems administrator, IT-development
State and University Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark.
Tel: +45 2566 2383 / +45 8946 2316










Getting the same.  The header is as follows.

I've blocked the two for now, to see how effective this would be but
previous IP changed again.


Mellowhost NET-148-163-124-128-25 (NET-148-163-124-128-1)
148.163.124.128 - 148.163.124.255
Input Output Flood LLC IOFLOOD (NET-148-163-0-0-1) 148.163.0.0 -
148.163.127.255




Return-Path:
Received: from m40.bytekeys.com ([148.163.124.181]) by mx.perfora.net
  (mxeueus003 [74.208.5.3]) with ESMTP (Nemesis) id 0MhTU4-1cMSKS0KOo-00McNU
  for ; Thu, 24 Nov 2016 11:36:22 +0100
Received: from localhost (unknown [107.178.101.40])
by m40.bytekeys.com (Postfix) with ESMTPSA id BBE4D22E71
for ; Thu, 24 Nov 2016 10:35:33 + (UTC)
DMARC-Filter: OpenDMARC Filter v1.3.1 m40.bytekeys.com BBE4D22E71
Date: Thu, 24 Nov 2016 16:35:18 +0600
To: t...@mdevsys.com
From: Kimi Rachel
Reply-To: Kimi Rachel
Subject: Re: Re: [Freeipa-users] Ping forwarded domain name.
Message-ID: <62e8e8f685dbfb70eec33b944d962877@localhost>
In-Reply-To: <731bb495-e534-8581-9da4-ae57f9f6b...@mdevsys.com>
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="b1_62e8e8f685dbfb70eec33b944d962877"
Content-Transfer-Encoding: 7bit
Envelope-To:

--
Cheers,
Tom K.
-

Living on earth is expensive, but it includes a free trip around the sun.



Re: [Freeipa-users] anyone else getting porn spam pretending to be replies to freeipa-users threads?

2016-11-24 Thread TomK

On 11/16/2016 11:23 AM, Sean Hogan wrote:

Yes... just got 2 of them from same address.. kimi rachel





Sean Hogan








From: Tony Brian Albers 
To: "freeipa-users@redhat.com" 
Date: 11/15/2016 11:54 PM
Subject: Re: [Freeipa-users] anyone else getting porn spam pretending to
be replies to freeipa-users threads?
Sent by: freeipa-users-boun...@redhat.com





Hehe, just you wait Lachlan ;)

/tony

On 11/16/2016 01:56 AM, Lachlan Musicman wrote:

Gah, just happened to me. Wasn't porn, but was someone called Kimi and
the only content was "Heeey Lachlan, how's it going?"

L.

--
The most dangerous phrase in the language is, "We've always done it this
way."

- Grace Hopper

On 16 November 2016 at 04:02, Martin Basti wrote:



On 15.11.2016 17:32, Chris Dagdigian wrote:



Got a porn spam today that had a subject header of:

Re: [Freeipa-users] URL is changing on the browser


Have to admit that got through my spam filter and got me to open
the email.

It's clear that it was not a list message; looks like something
may be mining the public list archives to pull email addresses
and plausible sounding subject lines.

Mildly interested if anyone else got an email like this?

-Chris


 We are receiving those emails as well (different subjects, domains,
but the same content)








--
Best regards,

Tony Albers
Systems administrator, IT-development
State and University Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark.
Tel: +45 2566 2383 / +45 8946 2316









Getting the same.  The header is as follows.

I've blocked the two for now, to see how effective this would be but 
previous IP changed again.



Mellowhost NET-148-163-124-128-25 (NET-148-163-124-128-1) 
148.163.124.128 - 148.163.124.255
Input Output Flood LLC IOFLOOD (NET-148-163-0-0-1) 148.163.0.0 - 
148.163.127.255





Return-Path: 
Received: from m40.bytekeys.com ([148.163.124.181]) by mx.perfora.net
 (mxeueus003 [74.208.5.3]) with ESMTP (Nemesis) id 0MhTU4-1cMSKS0KOo-00McNU
 for ; Thu, 24 Nov 2016 11:36:22 +0100
Received: from localhost (unknown [107.178.101.40])
by m40.bytekeys.com (Postfix) with ESMTPSA id BBE4D22E71
for ; Thu, 24 Nov 2016 10:35:33 + (UTC)
DMARC-Filter: OpenDMARC Filter v1.3.1 m40.bytekeys.com BBE4D22E71
Date: Thu, 24 Nov 2016 16:35:18 +0600
To: t...@mdevsys.com
From: Kimi Rachel 
Reply-To: Kimi Rachel 
Subject: Re: Re: [Freeipa-users] Ping forwarded domain name.
Message-ID: <62e8e8f685dbfb70eec33b944d962877@localhost>
In-Reply-To: <731bb495-e534-8581-9da4-ae57f9f6b...@mdevsys.com>
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="b1_62e8e8f685dbfb70eec33b944d962877"
Content-Transfer-Encoding: 7bit
Envelope-To: 

--
Cheers,
Tom K.
-

Living on earth is expensive, but it includes a free trip around the sun.



Re: [Freeipa-users] Ping forwarded domain name.

2016-11-24 Thread TomK

On 11/24/2016 4:49 AM, Petr Spacek wrote:

On 24.11.2016 06:08, TomK wrote:

On 11/23/2016 3:28 AM, Martin Basti wrote:



On 23.11.2016 03:48, TomK wrote:

On 11/22/2016 10:22 AM, Martin Basti wrote:



On 22.11.2016 13:57, TomK wrote:

On 11/22/2016 2:59 AM, Martin Basti wrote:

Hey,


On 22.11.2016 06:33, TomK wrote:

Hey Guy's,

I'm forwarding a domain dom.abc.xyz from a Windows Server 2012
over to
my dual Free IPA server.  The Free IPA servers are authoritative for
this subdomain.  The Windows Server 2012 DNS is resolves on abc.xyz
and forwards dom.abc.xyz.

Do you have configured proper zone delegation for subdomain
dom.abc.xyz?
Proper NS and glue records
http://www.zytrax.com/books/dns/ch9/delegate.html



I cannot ping dom.abc.xyz.  Everything else, including client
registrations, work fine.  If Free IPA is authoritative on
dom.abc.xyz, should it not create DNS entries so the sub domain
can be
pinged as well?


What do you mean by "ping"?



/etc/resolv.conf also gets regenerated on reboot on the IPA Servers
and wanted to ask if you can point me to some materials online to
determine where can I permanently adjust the search to add
dom.abc.xyz
to the already present abc.xyz .  I wasn't able to locate what I
needed in my searches.

I'm using the latest v4.


It depends on what are you using, probably you have NetworkManager
there
that is editing /etc/resolv.conf

https://ask.fedoraproject.org/en/question/67752/how-do-i-add-a-search-domain-using-networkmanager/





Martin



I Uninstalled NetworkManager.  Still changes.
ping dom.abc.com results in "ping: unknown host"

I'll have a look at the first link, ty.



ping (ICMP protocol) and DNS system are different things, do you have
hostname dom.abc.com with A record or it is a zone?

with ping command hostname "dom.abc.com" is resolved to IP address
first, do you have A record set for dom.abc.com in zone apex or what are
you trying to achieve with ping command?

for testing DNS try to use commands: dig, host, nslookup

Martin



Apologize for the long reply but it should give some background on
what it is that I'm doing.

1) dom.abc.com is a zone.  There is no A record for dom.abc.com in
FreeIPA (Confirmed by Petr).  I get the point Petr Spacek pointed out
in his comment as well.  What should it really point too? ( I kind of
answer this question below so please read on. )  Where I'm getting
this from is that in Windows Server 2012 abc.com returns the IP of any
of the participating AD / DNS servers within the cluster (The two
Windows Server 2012 are a combined clustered AD + DNS servers.).
Being able to resolve abc.xyz is handy.  During a lookup, I can get a
list of all the IP's associated with that domain which would indicate
all the DNS + AD servers online under that domain or serving that domain:


# nslookup abc.xyz
Server: 192.168.0.3
Address:192.168.0.3#53

Name:   abc.xyz
Address: 192.168.0.3
Name:   abc.xyz
Address: 192.168.0.1
Name:   abc.xyz
Address: 192.168.0.2
#

Again, where this is handy is when configuring sssd.conf for example
or other apps for that matter.  I can just point the app to
authenticate against the domain and I have my redundancy solved.
Windows Server 2012 does it, but FreeIPA didn't, so I threw the
question out there.


IPA uses SRV records heavily, all IPA related services have SRV records,
SSSD uses SRV records of IPA, client should use SRV record to connect to
the right service (or URI record - will be in next IPA). SRV records
work for IPA locations mechanism, we cannot achieve this with pure A
records.



Delegation from this Windows DNS works as expected.  Any lookup from
dom.abc.xyz is forwarded to and handled by FreeIPA servers. Tested
this out. No issue with this.

I did see earlier that there is no A record for dom.abc.xyz in
FreeIPA. My reasons for asking if there was an IP on the subdomain in
FreeIPA were above but the missing IP on the subdomain isn't a major
issue for me.  Things are working without dom.abc.xyz resolving to an
IP.  What I was hoping for is to have a VIP for the IPA servers and
one for the Windows Server 2012 DNS Cluster in /etc/resolv.conf.  (I
have the VIP for the windows server).  One forwarding to the other for
a given domain.  This is all for testing a) redundancy, b) forwarding,
a) authentication .

IE:

# cat /etc/resolv.conf
search dom.abc.xyz abc.xyz
nameserver 192.168.0.3< Win Cluster DNS VIP
nameserver 192.168.0.4< IPA Cluster DNS VIP

* Just what I want to achieve above.  VIP 192.168.0.4 doesn't exist on
my cluster yet.  I'm looking to integrate ucarp with the above IPA
servers.


2) More to the topic of my second question however, is that
/etc/resolv.conf, on the IPA servers themselves, gets rewritten on
restart.  Would like to know by what if I already uninstalled
NetworkManager?  When I configured the FreeIPA server, I used:

ipa-server-install --setup-dns --forwarder=192.168.0.3 -p "Hush!" -a
"Hush!" -r 

Re: [Freeipa-users] can(should) IPA issue/manage certificates...

2016-11-24 Thread Fraser Tweedale
On Thu, Nov 24, 2016 at 04:19:03PM +, lejeczek wrote:
> .. for entities outside of it's own domain?
> Would you use IPA this way?
> 
> I'm thinking - it would be nice that have one central point(console) and
> manage all my "virtual" domains certification, but, I'm not an expert on the
> subject.
> And if yes then what would be the steps?
> 
Can IPA manage certs for "external" entities?  No.

Should it be able to?  Maybe.  There have been some preliminary
discussions about use cases and how it could be implemented.

Do you want to elaborate on your use case?

(Bear in mind that, unless your IPA CA is chained to a publicly
trusted CA, certs issued by it will not be publicly trusted.)

Cheers,
Fraser

> mthx,
> L.
> 



Re: [Freeipa-users] error; Allocation of a new value

2016-11-24 Thread lejeczek



On 24/11/16 17:14, lejeczek wrote:

hi

I see this:

2 ranges matched

  Range name: xx.id_range
  First Posix ID of the range: 195240
  Number of IDs in the range: 20
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-1144915091-2252175215-702530032
  Range type: Active Directory domain range

  Range name: xx.xx.xx.xx.x_id_range
  First Posix ID of the range: 187500
  Number of IDs in the range: 20
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 1
  Range type: local domain range

Number of entries returned 2

some time ago when I first set up IPA I migrated users 
from samba3's ldap backend. Since then until today there 
was no new users I needed to add but now I do.
First on the list range I think it is a remnant of AD 
trust which does not exist any more (should it be removed?).
I'm not sure how to read those ranges info, one thing I 
notice is that UIDs from migration are probably between 
500 & 2000 and now if I supply uid manually to user-add 
and gid (which is old Samba's domain users group) then 
creation of new user succeeds.

Is this normal, expected?

mthx,
L

ok, solution(ldapmodify) to the problem: 
https://www.redhat.com/archives/freeipa-users/2014-February/msg00246.html
but could some experts shed more light on it - I see that 
some time ago(after migration/import) I actually created 
manually a user:

$ id netdevadmin
uid=187506(netdevadmin) gid=187506(netdevadmin) 
groups=187506(netdevadmin)


today, after ldapmodify I create a new user but uids seem to 
come from (what?) a different range??

$ id appmgr
uid=3501(appmgr) gid=3501(appmgr) groups=3501(appmgr)

what is happening?
regards
L



Re: [Freeipa-users] Can't establish a trust to AD

2016-11-24 Thread Alexander Bokovoy

On Thu, 24 Nov 2016, Denis Müller wrote:

Hello Guys, we need help to establish a trust from freeipa to ad. Ad
users should be able to access to linux environment, but linux users
not to ad environment.

our setup:

AD Domain:
domain.com, there we have two AD-Controllers installed with Windows
Server 2008. All users are managed here.

IPA Domain:
wop.domain.com. We would like to sync users from ad to a specific group
to provide user-management in linux environments. In this subdomain we
have 2 ipa-servers: ipa01.wop.domain.com and ipa02.domain.com

Ipa version on both servers is: VERSION: 4.2.0, API_VERSION: 2.156

Both servers have "ipa-server-trust-ad" installed.

[root@ipa01 ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
pki-tomcatd Service: RUNNING
smb Service: RUNNING
winbind Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful

kinit admin works as expected !



DNS configuration:
IPA-Side:

[root@ipa01 ~]# dig +short -t SRV 
_kerberos._udp.wop.domain.com
0 100 88 ipa02.wop.domain.com.
0 100 88 ipa01.wop.domain.com.

root@ipa01 ~]# dig +short -t TXT _kerberos.wop.domain.com
"WOP.DOMAIN.COM"

[root@ipa01 ~]# dig +short -t SRV 
_kerberos._udp.dc._msdcs.wop.domain.com.
0 100 88 ipa02.wop.domain.com.
0 100 88 ipa01.wop.domain.com.

[root@ipa01 ~]# dig +short -t SRV 
_kerberos._tcp.dc._msdcs.wop.domain.com.
0 100 88 ipa01.wop.domain.com.
0 100 88 ipa02.wop.domain.com.

AD-Side:

C:\Users\demueller>nslookup
Standardserver:  dc2.domain.com
Address:  192.168.3.9


set type=SRV
_kerberos._udp.wop.domain.com.

Server:  dc2.domain.com
Address:  192.168.3.9

Nicht autorisierende Antwort:
_kerberos._udp.wop.domain.com   SRV service location:
 priority   = 0
 weight = 100
 port   = 88
 svr hostname   = ipa01.wop.domainc.om
_kerberos._udp.wop.rto.de   SRV service location:
 priority   = 0
 weight = 100
 port   = 88
 svr hostname   = ipa02.wop.domain.com

ipa01.wop.domain.cominternet address = 192.168.11.75
ipa02.wop.domainc.ominternet address = 192.168.11.106

DNS looks fine, firewall too.

Providing trust:ipa trust-add --type=ad rto.de --trust-secret 
--server=dc2.domain.com

As a Result:

[root@ipa01 ~]# ipa trustdomain-find domain.com
 Domain name: domain.com
 Domain NetBIOS name: DOMAIN (It should be DC2, right?)
 Domain Security Identifier: S-1-5-21-746137067-2052111302-1801674531
 Domain enabled: True
-


ipa trust-fetch-domain domain.com

Logging:

[Thu Nov 24 13:43:44.167918 2016] [:error] [pid 9123] ipa: INFO: [jsonserver_session] 
admin@WOP.DOMAIN.COM: ping(): SUCCESS
[Thu Nov 24 13:43:44.306718 2016] [:error] [pid 9124] ipa: INFO: [jsonserver_session] 
admin@WOP.DOMAIN.COM: trustdomain_find(u'domain.com', 
None, all=False, raw=False, version=u'2.156', pkey_only=False): SUCCESS
[Thu Nov 24 13:45:16.662862 2016] [:error] [pid 9123] ipa: INFO: 401
Unauthorized: Insufficient access: SASL(-1): generic failure: GSSAPI
Error: Unspecified GSS failure.  Minor code may provide more
information (Cannot contact any KDC for realm 'WOP.DOMAIN.COM)

I can't understand the problem.

It looks like the IPA master's Kerberos configuration does not allow
resolving KDCs of unknown realms via DNS.

What do you have in /etc/krb5.conf in the [libdefaults] section:

 dns_lookup_realm = false
 dns_lookup_kdc = false

or

 dns_lookup_realm = true
 dns_lookup_kdc = true
?

See manual page for krb5.conf for details on these options.


On AD side we create a trust certificate as explained here:
http://www.freeipa.org/page/Active_Directory_trust_setup

I'm not sure what you mean by 'trust certificate', there is no such
thing and no such requirement.

--
/ Alexander Bokovoy
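Alexander's question about `dns_lookup_kdc` can be turned into a check that runs before a trust is attempted. The block below is an added example, not code from the thread or from MIT Kerberos: a minimal parser for the `[libdefaults]` and `[realms]` sections of krb5.conf, and a function that says whether the library has any way to locate a KDC for a given realm, a static `kdc` entry or DNS SRV discovery. The two sample configs are constructed with the realm and host names from the thread; that `dns_lookup_kdc` defaults to true when absent is taken from the krb5.conf manual page; the function names are mine.

```python
"""Can this krb5.conf locate a KDC for a given realm?

Added example (not from the thread or from MIT Kerberos). Parses only the
two krb5.conf sections the question is about: [libdefaults] and [realms].
"""
from typing import Dict, List, Tuple

# Constructed: the IPA master's own realm is configured statically and
# DNS discovery of KDCs for any other realm is switched off.
KRB5_CONF_DNS_OFF = """\
[libdefaults]
  default_realm = WOP.DOMAIN.COM
  dns_lookup_realm = false
  dns_lookup_kdc = false
  rdns = false

[realms]
  WOP.DOMAIN.COM = {
    kdc = ipa01.wop.domain.com:88
    master_kdc = ipa01.wop.domain.com:88
    admin_server = ipa01.wop.domain.com:749
  }
"""

# Constructed: the same file with DNS-based KDC discovery enabled.
KRB5_CONF_DNS_ON = KRB5_CONF_DNS_OFF.replace("dns_lookup_kdc = false", "dns_lookup_kdc = true")

_TRUE = {"true", "yes", "on", "1"}


def parse_krb5(conf: str) -> Tuple[Dict[str, str], Dict[str, Dict[str, List[str]]]]:
    """Return ({libdefaults key: value}, {REALM: {key: [values]}})."""
    libdefaults: Dict[str, str] = {}
    realms: Dict[str, Dict[str, List[str]]] = {}
    section = None
    realm = None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section, realm = line[1:-1].lower(), None
            continue
        if section == "libdefaults":
            key, _, value = line.partition("=")
            libdefaults[key.strip().lower()] = value.strip()
        elif section == "realms":
            if line.endswith("{"):                       # "REALM = {"
                realm = line[:-1].strip(" =").upper()
                realms[realm] = {}
            elif line == "}":
                realm = None
            elif realm is not None:
                key, _, value = line.partition("=")
                realms[realm].setdefault(key.strip().lower(), []).append(value.strip())
    return libdefaults, realms


def kdc_discovery(conf: str, realm: str) -> str:
    """How krb5 would find a KDC for `realm`: 'static', 'dns' or 'none'."""
    libdefaults, realms = parse_krb5(conf)
    if realms.get(realm.upper(), {}).get("kdc"):
        return "static"
    # MIT default when the option is absent is true (krb5.conf manual page).
    if libdefaults.get("dns_lookup_kdc", "true").lower() in _TRUE:
        return "dns"
    return "none"


if __name__ == "__main__":
    for label, conf in (("dns off", KRB5_CONF_DNS_OFF), ("dns on", KRB5_CONF_DNS_ON)):
        for r in ("WOP.DOMAIN.COM", "DOMAIN.COM"):
            print(label, r, "->", kdc_discovery(conf, r))
```

With `dns_lookup_kdc = false` the local realm is still reachable through its static `kdc` line, but a realm with no `[realms]` entry, such as the trusted AD domain, has no discovery path at all, which is the situation the "Cannot contact any KDC" error describes.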



[Freeipa-users] error; Allocation of a new value

2016-11-24 Thread lejeczek

hi

I see this:

2 ranges matched

  Range name: xx.id_range
  First Posix ID of the range: 195240
  Number of IDs in the range: 20
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-1144915091-2252175215-702530032
  Range type: Active Directory domain range

  Range name: xx.xx.xx.xx.x_id_range
  First Posix ID of the range: 187500
  Number of IDs in the range: 20
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 1
  Range type: local domain range

Number of entries returned 2

some time ago when I first set up IPA I migrated users from 
samba3's ldap backend. Since then until today there was no 
new users I needed to add but now I do.
First on the list range I think it is a remnant of AD trust 
which does not exist any more (should it be removed?).
I'm not sure how to read those ranges info, one thing I 
notice is that UIDs from migration are probably between 500 
& 2000 and now if I supply uid manually to user-add and gid 
(which is old Samba's domain users group) then creation of 
new user succeeds.

Is this normal, expected?

mthx,
L




Re: [Freeipa-users] Can't establish a trust to AD

2016-11-24 Thread Jake
4.2 is a one-way trust, by design. 

http://www.freeipa.org/page/V4/One-way_trust 

-Jake 


From: "Denis Müller"  
To: "freeipa-users"  
Sent: Thursday, November 24, 2016 7:48:50 AM 
Subject: [Freeipa-users] Can't establish a trust to AD 

Hello Guys, we need help to establish a trust from freeipa to ad. Ad users 
should be able to access to linux environment, but linux users not to ad 
environment. 

our setup: 

AD Domain: 
domain.com, there we have two AD-Controllers installed with Windows Server 
2008. All users are managed here. 

IPA Domain: 
wop.domain.com. We would like to sync users from ad to a specific group to 
provide user-management in linux environments. In this subdomain we have 2 
ipa-servers: ipa01.wop.domain.com and ipa02.domain.com 

Ipa version on both servers is: VERSION: 4.2.0, API_VERSION: 2.156 

Both servers have "ipa-server-trust-ad" installed. 

[root@ipa01 ~]# ipactl status 
Directory Service: RUNNING 
krb5kdc Service: RUNNING 
kadmin Service: RUNNING 
named Service: RUNNING 
ipa_memcached Service: RUNNING 
httpd Service: RUNNING 
pki-tomcatd Service: RUNNING 
smb Service: RUNNING 
winbind Service: RUNNING 
ipa-otpd Service: RUNNING 
ipa-dnskeysyncd Service: RUNNING 
ipa: INFO: The ipactl command was successful 

kinit admin works as expected ! 



DNS configuration: 
IPA-Side: 

[root@ipa01 ~]# dig +short -t SRV 
_kerberos._udp.wop.domain.com 
0 100 88 ipa02.wop.domain.com. 
0 100 88 ipa01.wop.domain.com. 

[root@ipa01 ~]# dig +short -t TXT 
_kerberos.wop.domain.com 
"WOP.DOMAIN.COM" 

[root@ipa01 ~]# dig +short -t SRV 
_kerberos._udp.dc._msdcs.wop.domain.com. 
0 100 88 ipa02.wop.domain.com. 
0 100 88 ipa01.wop.domain.com. 

[root@ipa01 ~]# dig +short -t SRV 
_kerberos._tcp.dc._msdcs.wop.domain.com. 
0 100 88 ipa01.wop.domain.com. 
0 100 88 ipa02.wop.domain.com. 

AD-Side: 

C:\Users\demueller>nslookup 
Standardserver: dc2.domain.com 
Address: 192.168.3.9 

> set type=SRV 
> _kerberos._udp.wop.domain.com. 
Server: dc2.domain.com 
Address: 192.168.3.9 

Nicht autorisierende Antwort: 
_kerberos._udp.wop.domain.com SRV service location: 
priority = 0 
weight = 100 
port = 88 
svr hostname = ipa01.wop.domainc.om 
_kerberos._udp.wop.rto.de SRV service location: 
priority = 0 
weight = 100 
port = 88 
svr hostname = ipa02.wop.domain.com 

ipa01.wop.domain.com internet address = 192.168.11.75 
ipa02.wop.domainc.om internet address = 192.168.11.106 

DNS looks fine, firewall too. 

Providing trust:ipa trust-add --type=ad rto.de --trust-secret 
--server=dc2.domain.com 

As a Result: 

[root@ipa01 ~]# ipa trustdomain-find domain.com 
Domain name: domain.com 
Domain NetBIOS name: DOMAIN (It should be DC2, right?) 
Domain Security Identifier: S-1-5-21-746137067-2052111302-1801674531 
Domain enabled: True 
- 


ipa trust-fetch-domain domain.com 

Logging: 

[Thu Nov 24 13:43:44.167918 2016] [:error] [pid 9123] ipa: INFO: 
[jsonserver_session] admin@WOP.DOMAIN.COM: 
ping(): SUCCESS 
[Thu Nov 24 13:43:44.306718 2016] [:error] [pid 9124] ipa: INFO: 
[jsonserver_session] admin@WOP.DOMAIN.COM: 
trustdomain_find(u'domain.com', None, all=False, raw=False, version=u'2.156', 
pkey_only=False): SUCCESS 
[Thu Nov 24 13:45:16.662862 2016] [:error] [pid 9123] ipa: INFO: 401 
Unauthorized: Insufficient access: SASL(-1): generic failure: GSSAPI Error: 
Unspecified GSS failure. Minor code may provide more information (Cannot 
contact any KDC for realm 'WOP.DOMAIN.COM) 

I can't understand the problem. 

On AD side we create a trust certificate as explained here: 
http://www.freeipa.org/page/Active_Directory_trust_setup 






Re: [Freeipa-users] ipalib authentication

2016-11-24 Thread Adam Bishop
On 24 Nov 2016, at 16:18, Christian Heimes  wrote:
> for a service you can use a Kerberos keytab to authenticate. A keytab
> can be requested with ipa-getkeytab. The command will replace the
> password of the service with a random one.

Thanks everyone, I think using a key tab will be fine; having a manual step for 
initial configuration is not a huge burden.

I'll take a look at python-gssapi too.

Thanks again,

Adam Bishop

  gpg: E75B 1F92 6407 DFDF 9F1C  BF10 C993 2504 6609 D460

jisc.ac.uk

Jisc is a registered charity (number 1149740) and a company limited by 
guarantee which is registered in England under Company No. 5747339, VAT No. GB 
197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, 
BS2 0JA. T 0203 697 5800.

Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited 
by guarantee which is registered in England under company number 2881024, VAT 
number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, 
Bristol BS2 0JA. T 0203 697 5800.  



[Freeipa-users] can(should) IPA issue/manage certificates...

2016-11-24 Thread lejeczek

.. for entities outside of it's own domain?
Would you use IPA this way?

I'm thinking - it would be nice that have one central 
point(console) and manage all my "virtual" domains 
certification, but, I'm not an expert on the subject.

And if yes then what would be the steps?

mthx,
L.



Re: [Freeipa-users] ipalib authentication

2016-11-24 Thread Christian Heimes
On 2016-11-24 16:27, Adam Bishop wrote:
> I'm writing a bit of code using ipalib directly, I'm a little stuck on 
> authentication though.
> 
> It works fine if grab a Kerberos ticket with kinit then run the code 
> interactively, but I'd like to run this as a daemon which makes maintaining a 
> ticket tricky.
> 
> What other options are there for authenticating to the API, avoiding calling 
> external tools like curl or kinit?

Hi Adam,

for a service you can use a Kerberos keytab to authenticate. A keytab
can be requested with ipa-getkeytab. The command will replace the
password of the service with a random one.

In order to use the keytab file from ipalib, simply set the env var
KRB5_CLIENT_KTNAME [1] to the absolute filename of the keytab file. You
can set it any time before you initialize FreeIPA's API. GSSAPI will
automatically pick up the keytab and use the first principal to
authenticate.

Christian

https://web.mit.edu/kerberos/krb5-1.14/doc/admin/env_variables.html
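What Christian describes, and what Martin Basti's python-gssapi suggestion in the same thread is an alternative to, is a start-up sequence: make the keytab available through `KRB5_CLIENT_KTNAME` before ipalib initializes. The block below is an added example, not code from the thread or from FreeIPA. It exports the variable as an absolute path after checking the keytab exists and is not readable by group or others (a keytab is a long-lived credential), and shows the hypothetical daemon start-up around it; the `api.bootstrap()` / `api.finalize()` / `api.Backend.rpcclient.connect()` calls are the usual ipalib client sequence and are my assumption, not something the thread states. `demo()` exercises the checks on constructed files so the example runs without an IPA server.

```python
"""Start-up helper for a FreeIPA-using daemon that authenticates with a keytab.

Added example, not from the thread or from FreeIPA. It does the one thing
the post describes, exporting KRB5_CLIENT_KTNAME before ipalib initializes,
plus the sanity checks a daemon should make on a credential file.
"""
import os
import stat
import tempfile


def prepare_keytab_env(keytab_path: str) -> str:
    """Validate the keytab and export KRB5_CLIENT_KTNAME as an absolute path.

    Rejects a missing file and a keytab readable by group or others: the
    keytab is equivalent to the service's password and must stay private.
    """
    path = os.path.abspath(keytab_path)
    if not os.path.isfile(path):
        raise FileNotFoundError("keytab not found: {}".format(path))
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError("keytab {} is group/world accessible (mode {:o})".format(path, mode))
    os.environ["KRB5_CLIENT_KTNAME"] = path
    return path


def connect_with_keytab(keytab_path: str):
    """Hypothetical daemon start: set the env var, only then import and bootstrap ipalib.

    The bootstrap/finalize/connect sequence is the usual ipalib client start-up
    (assumption; the thread only says the env var must be set before the API
    is initialized). Not exercised by demo() since it needs a real IPA server.
    """
    prepare_keytab_env(keytab_path)
    from ipalib import api  # imported after the environment is prepared
    api.bootstrap(context="cli")
    api.finalize()
    api.Backend.rpcclient.connect()
    return api


def demo() -> dict:
    """Run prepare_keytab_env against constructed files; return what was observed."""
    result = {}
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "service.keytab")
        with open(good, "wb") as fh:
            fh.write(b"\x05\x02")        # constructed: keytab format version bytes only
        os.chmod(good, 0o600)
        result["exported"] = prepare_keytab_env(good) == os.environ.get("KRB5_CLIENT_KTNAME")
        result["absolute"] = os.path.isabs(os.environ["KRB5_CLIENT_KTNAME"])
        os.chmod(good, 0o644)            # now world-readable: must be refused
        try:
            prepare_keytab_env(good)
            result["rejected_world_readable"] = False
        except PermissionError:
            result["rejected_world_readable"] = True
        try:
            prepare_keytab_env(os.path.join(tmp, "missing.keytab"))
            result["rejected_missing"] = False
        except FileNotFoundError:
            result["rejected_missing"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

The import of `ipalib` sits inside the function on purpose: the variable must be in the environment before the API is bootstrapped, and an import at module top would make the ordering depend on where the module is loaded from.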





Re: [Freeipa-users] ipalib authentication

2016-11-24 Thread Martin Basti



On 24.11.2016 16:57, Alexander Bokovoy wrote:

On Thu, 24 Nov 2016, Adam Bishop wrote:

I'm writing a bit of code using ipalib directly, I'm a little stuck on
authentication though.

It works fine if grab a Kerberos ticket with kinit then run the code
interactively, but I'd like to run this as a daemon which makes
maintaining a ticket tricky.

What other options are there for authenticating to the API, avoiding
calling external tools like curl or kinit?

Python API right now only accepts Kerberos ticket.

I think we have a ticket to improve on this but right now your options
are limited.


Might be possible to use python-gssapi and kinit_keytab function instead 
of kinit command?


Martin^2



Re: [Freeipa-users] ipalib authentication

2016-11-24 Thread Alexander Bokovoy

On to, 24 marras 2016, Adam Bishop wrote:

I'm writing a bit of code using ipalib directly, I'm a little stuck on
authentication though.

It works fine if I grab a Kerberos ticket with kinit then run the code
interactively, but I'd like to run this as a daemon which makes
maintaining a ticket tricky.

What other options are there for authenticating to the API, avoiding
calling external tools like curl or kinit?

Python API right now only accepts Kerberos ticket.

I think we have a ticket to improve on this but right now your options
are limited.
--
/ Alexander Bokovoy



Re: [Freeipa-users] ipalib authentication

2016-11-24 Thread Standa Laznicka

On 11/24/2016 04:27 PM, Adam Bishop wrote:

I'm writing a bit of code using ipalib directly, I'm a little stuck on 
authentication though.

It works fine if I grab a Kerberos ticket with kinit then run the code 
interactively, but I'd like to run this as a daemon which makes maintaining a 
ticket tricky.

What other options are there for authenticating to the API, avoiding calling 
external tools like curl or kinit?

Regards,

Adam Bishop

   gpg: E75B 1F92 6407 DFDF 9F1C  BF10 C993 2504 6609 D460

jisc.ac.uk

Jisc is a registered charity (number 1149740) and a company limited by 
guarantee which is registered in England under Company No. 5747339, VAT No. GB 
197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, 
BS2 0JA. T 0203 697 5800.

Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited 
by guarantee which is registered in England under company number 2881024, VAT 
number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, 
Bristol BS2 0JA. T 0203 697 5800.



Hello Adam,

Nice to see someone interested in FreeIPA development. For questions 
about developing FreeIPA, feel free to contact other developers at 
freeipa-de...@redhat.com (in CC). You can also create a pull request on 
GitHub (https://github.com/freeipa/freeipa) if you'd like to share your 
code with the community.


As for your question, would it be feasible to use keytabs? Sure, you 
still have to perform kinit but there's no user action required (except 
for maintaining the keytab, of course).


Standa


[Freeipa-users] ipalib authentication

2016-11-24 Thread Adam Bishop
I'm writing a bit of code using ipalib directly, I'm a little stuck on 
authentication though.

It works fine if I grab a Kerberos ticket with kinit then run the code 
interactively, but I'd like to run this as a daemon which makes maintaining a 
ticket tricky.

What other options are there for authenticating to the API, avoiding calling 
external tools like curl or kinit?

Regards,

Adam Bishop

  gpg: E75B 1F92 6407 DFDF 9F1C  BF10 C993 2504 6609 D460

jisc.ac.uk




Re: [Freeipa-users] where to put computer accounts... ?

2016-11-24 Thread lejeczek



On 24/11/16 15:10, Simo Sorce wrote:

On Thu, 2016-11-24 at 12:59 +, lejeczek wrote:

.. in order to satisfy classic Samba (which still uses
openldap for user db backend but needs computer unix
account) which complains:
Failed to find a Unix account for yourcomp$

?

If this is on a client machine for its own computer account I would
think of adding it to the local user database, if you have to distribute
it via LDAP you'll have to create actual user accounts in the directory
I guess.

Simo.


yes distributed, yes but where, just where all users go: 
cn=users,cn=accounts or some other container perhaps?
I don't suppose ipa host* tool would be the means to put 
these computers where "regular" hosts go?

mthx.
L

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] where to put computer accounts... ?

2016-11-24 Thread Simo Sorce
On Thu, 2016-11-24 at 12:59 +, lejeczek wrote:
> .. in order to satisfy classic Samba (which still uses 
> openldap for user db backend but needs computer unix 
> account) which complains:
> Failed to find a Unix account for yourcomp$
> 
> ?

If this is on a client machine for its own computer account I would
think of adding it to the local user database, if you have to distribute
it via LDAP you'll have to create actual user accounts in the directory
I guess.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



[Freeipa-users] where to put computer accounts... ?

2016-11-24 Thread lejeczek


.. in order to satisfy classic Samba (which still uses 
openldap for user db backend but needs computer unix 
account) which complains:

Failed to find a Unix account for yourcomp$

?
many thanks,
L.



[Freeipa-users] Can't establish a trust to AD

2016-11-24 Thread Denis Müller
Hello Guys, we need help to establish a trust from freeipa to ad. Ad users 
should be able to access to linux environment, but linux users not to ad 
environment.

our setup:

AD Domain:
domain.com, there we have two AD-Controllers installed with Windows Server 
2008. All users are managed here.

IPA Domain:
wop.domain.com. We would like to sync users from ad to a specific group to 
provide user-management in linux environments. In this subdomain we have 2 
ipa-servers: ipa01.wop.domain.com and ipa02.domain.com

Ipa version on both servers is: VERSION: 4.2.0, API_VERSION: 2.156

Both servers have "ipa-server-trust-ad" installed.

[root@ipa01 ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
pki-tomcatd Service: RUNNING
smb Service: RUNNING
winbind Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful

kinit admin works as expected !



DNS configuration:
IPA-Side:

[root@ipa01 ~]# dig +short -t SRV 
_kerberos._udp.wop.domain.com
0 100 88 ipa02.wop.domain.com.
0 100 88 ipa01.wop.domain.com.

[root@ipa01 ~]# dig +short -t TXT _kerberos.wop.domain.com
"WOP.DOMAIN.COM"

[root@ipa01 ~]# dig +short -t SRV 
_kerberos._udp.dc._msdcs.wop.domain.com.
0 100 88 ipa02.wop.domain.com.
0 100 88 ipa01.wop.domain.com.

[root@ipa01 ~]# dig +short -t SRV 
_kerberos._tcp.dc._msdcs.wop.domain.com.
0 100 88 ipa01.wop.domain.com.
0 100 88 ipa02.wop.domain.com.

AD-Side:

C:\Users\demueller>nslookup
Standardserver:  dc2.domain.com
Address:  192.168.3.9

> set type=SRV
> _kerberos._udp.wop.domain.com.
Server:  dc2.domain.com
Address:  192.168.3.9

Nicht autorisierende Antwort:
_kerberos._udp.wop.domain.com   SRV service location:
  priority   = 0
  weight = 100
  port   = 88
  svr hostname   = ipa01.wop.domainc.om
_kerberos._udp.wop.rto.de   SRV service location:
  priority   = 0
  weight = 100
  port   = 88
  svr hostname   = ipa02.wop.domain.com

ipa01.wop.domain.cominternet address = 192.168.11.75
ipa02.wop.domainc.ominternet address = 192.168.11.106

DNS looks fine, firewall too.

Providing trust: ipa trust-add --type=ad rto.de --trust-secret 
--server=dc2.domain.com

As a result:

[root@ipa01 ~]# ipa trustdomain-find domain.com
  Domain name: domain.com
  Domain NetBIOS name: DOMAIN (It should be DC2, right?)
  Domain Security Identifier: S-1-5-21-746137067-2052111302-1801674531
  Domain enabled: True
-


ipa trust-fetch-domain domain.com

Logging:

[Thu Nov 24 13:43:44.167918 2016] [:error] [pid 9123] ipa: INFO: 
[jsonserver_session] admin@WOP.DOMAIN.COM: ping(): 
SUCCESS
[Thu Nov 24 13:43:44.306718 2016] [:error] [pid 9124] ipa: INFO: 
[jsonserver_session] admin@WOP.DOMAIN.COM: 
trustdomain_find(u'domain.com', None, all=False, raw=False, version=u'2.156', 
pkey_only=False): SUCCESS
[Thu Nov 24 13:45:16.662862 2016] [:error] [pid 9123] ipa: INFO: 401 
Unauthorized: Insufficient access: SASL(-1): generic failure: GSSAPI Error: 
Unspecified GSS failure.  Minor code may provide more information (Cannot 
contact any KDC for realm 'WOP.DOMAIN.COM)

I can't understand the problem.

On AD side we create a trust certificate as explained here:
http://www.freeipa.org/page/Active_Directory_trust_setup




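An added example, not part of the post above, for sanity-checking the Kerberos SRV records the post relies on before attempting a trust. It parses `dig +short -t SRV` output (the two lines below are the ones quoted in the post), flags targets that fall outside the realm's DNS domain or advertise a port other than 88, and orders the records the way an RFC 2782 client does (ascending priority, weighted random within a priority). The parser and the domain name are constructed for this example; the same check can be applied to the hostnames in the AD-side nslookup output.

```python
import random

# Constructed input: the `dig +short -t SRV _kerberos._udp.wop.domain.com`
# output quoted in the post.
SRV_LINES = """\
0 100 88 ipa02.wop.domain.com.
0 100 88 ipa01.wop.domain.com.
"""


def parse_srv_short(text):
    """Parse `dig +short SRV` lines into dicts: priority, weight, port, target.

    The trailing dot is stripped and the target lower-cased so comparisons are
    case-insensitive; a bare '.' target becomes the empty string.
    """
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 4:
            raise ValueError(f"unexpected SRV line: {line!r}")
        prio, weight, port, target = parts
        records.append({
            "priority": int(prio),
            "weight": int(weight),
            "port": int(port),
            "target": target.rstrip(".").lower(),
        })
    return records


def check_kerberos_srv(records, realm_domain, expected_port=88):
    """Return a list of problems found in the KDC SRV records (empty if all is well).

    Flags: no records at all, a '.' target (RFC 2782: service explicitly not
    offered), a target outside the realm's DNS domain, or a non-standard port.
    """
    problems = []
    suffix = "." + realm_domain.lower()
    if not records:
        problems.append("no SRV records returned")
    for r in records:
        if r["target"] == "":
            problems.append("target '.' means the service is explicitly not offered")
        elif not r["target"].endswith(suffix):
            problems.append(f"{r['target']} is not under {realm_domain}")
        if r["port"] != expected_port:
            problems.append(
                f"{r['target']} advertises port {r['port']}, expected {expected_port}"
            )
    return problems


def order_srv(records, rng=random.random):
    """Order records as an RFC 2782 client would.

    Lower priority first; within one priority, pick repeatedly at random with
    probability proportional to weight. `rng` returns a float in [0, 1).
    """
    ordered = []
    for prio in sorted({r["priority"] for r in records}):
        group = [r for r in records if r["priority"] == prio]
        while group:
            total = sum(r["weight"] for r in group)
            pick = rng() * total if total else 0
            chosen = group[-1]
            acc = 0
            for r in group:
                acc += r["weight"]
                if total == 0 or pick < acc:
                    chosen = r
                    break
            ordered.append(chosen)
            group.remove(chosen)
    return ordered


if __name__ == "__main__":
    recs = parse_srv_short(SRV_LINES)
    for p in check_kerberos_srv(recs, "wop.domain.com"):
        print("PROBLEM:", p)
    for r in order_srv(recs):
        print(f"{r['target']}:{r['port']} (prio {r['priority']}, weight {r['weight']})")
```

Run the same check on the records a domain controller returns for the IPA realm: a KDC target outside the realm's zone, or a '.' target, is enough for the "Cannot contact any KDC for realm" failure the post shows.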

Re: [Freeipa-users] Ping forwarded domain name.

2016-11-24 Thread Petr Spacek
On 24.11.2016 06:08, TomK wrote:
> On 11/23/2016 3:28 AM, Martin Basti wrote:
>>
>>
>> On 23.11.2016 03:48, TomK wrote:
>>> On 11/22/2016 10:22 AM, Martin Basti wrote:


 On 22.11.2016 13:57, TomK wrote:
> On 11/22/2016 2:59 AM, Martin Basti wrote:
>> Hey,
>>
>>
>> On 22.11.2016 06:33, TomK wrote:
>>> Hey Guy's,
>>>
>>> I'm forwarding a domain dom.abc.xyz from a Windows Server 2012
>>> over to
>>> my dual Free IPA server.  The Free IPA servers are authoritative for
>>> this subdomain.  The Windows Server 2012 DNS resolves on abc.xyz
>>> and forwards dom.abc.xyz.
>> Do you have configured proper zone delegation for subdomain
>> dom.abc.xyz?
>> Proper NS and glue records
>> http://www.zytrax.com/books/dns/ch9/delegate.html
>>
>>>
>>> I cannot ping dom.abc.xyz.  Everything else, including client
>>> registrations, work fine.  If Free IPA is authoritative on
>>> dom.abc.xyz, should it not create DNS entries so the sub domain
>>> can be
>>> pinged as well?
>>
>> What do you mean by "ping"?
>>
>>>
>>> /etc/resolv.conf also gets regenerated on reboot on the IPA Servers
>>> and wanted to ask if you can point me to some materials online to
>>> determine where can I permanently adjust the search to add
>>> dom.abc.xyz
>>> to the already present abc.xyz .  I wasn't able to locate what I
>>> needed in my searches.
>>>
>>> I'm using the latest v4.
>>
>> It depends on what are you using, probably you have NetworkManager
>> there
>> that is editing /etc/resolv.conf
>>
>> https://ask.fedoraproject.org/en/question/67752/how-do-i-add-a-search-domain-using-networkmanager/
>>
>>
>>
>>
>>
>> Martin
>
>
> I Uninstalled NetworkManager.  Still changes.
> ping dom.abc.com results in "ping: unknown host"
>
> I'll have a look at the first link, ty.
>

 ping (ICMP protocol) and DNS system are different things, do you have
 hostname dom.abc.com with A record or it is a zone?

 with ping command hostname "dom.abc.com" is resolved to IP address
 first, do you have A record set for dom.abc.com in zone apex or what are
 you trying to achieve with ping command?

 for testing DNS try to use commands: dig, host, nslookup

 Martin

>>>
>>> Apologize for the long reply but it should give some background on
>>> what it is that I'm doing.
>>>
>>> 1) dom.abc.com is a zone.  There is no A record for dom.abc.com in
>>> FreeIPA (Confirmed by Petr).  I get the point Petr Spacek pointed out
>>> in his comment as well.  What should it really point to? ( I kind of
>>> answer this question below so please read on. )  Where I'm getting
>>> this from is that in Windows Server 2012 abc.com returns the IP of any
>>> of the participating AD / DNS servers within the cluster (The two
>>> Windows Server 2012 are a combined clustered AD + DNS servers.).
>>> Being able to resolve abc.xyz is handy.  During a lookup, I can get a
>>> list of all the IP's associated with that domain which would indicate
>>> all the DNS + AD servers online under that domain or serving that domain:
>>>
>>>
>>> # nslookup abc.xyz
>>> Server: 192.168.0.3
>>> Address:192.168.0.3#53
>>>
>>> Name:   abc.xyz
>>> Address: 192.168.0.3
>>> Name:   abc.xyz
>>> Address: 192.168.0.1
>>> Name:   abc.xyz
>>> Address: 192.168.0.2
>>> #
>>>
>>> Again, where this is handy is when configuring sssd.conf for example
>>> or other apps for that matter.  I can just point the app to
>>> authenticate against the domain and I have my redundancy solved.
>>> Windows Server 2012 does it, but FreeIPA didn't, so I threw the
>>> question out there.
>>
>> IPA uses SRV records heavily, all IPA related services have SRV records,
>> SSSD uses SRV records of IPA, client should use SRV record to connect to
>> the right service (or URI record - will be in next IPA). SRV records
>> work for IPA locations mechanism, we cannot achieve this with pure A
>> records.
>>
>>>
>>> Delegation from this Windows DNS works as expected.  Any lookup from
>>> dom.abc.xyz is forwarded to and handled by FreeIPA servers. Tested
>>> this out. No issue with this.
>>>
>>> I did see earlier that there is no A record for dom.abc.xyz in
>>> FreeIPA. My reasons for asking if there was an IP on the subdomain in
>>> FreeIPA were above but the missing IP on the subdomain isn't a major
>>> issue for me.  Things are working without dom.abc.xyz resolving to an
>>> IP.  What I was hoping for is to have a VIP for the IPA servers and
>>> one for the Windows Server 2012 DNS Cluster in /etc/resolv.conf.  (I
>>> have the VIP for the windows server).  One forwarding to the other for
>>> a given domain.  This is all for testing a) redundancy, b) forwarding,
>>> a) authentication .
>>>
>>> IE:
>>>
>>> # cat /etc/resolv.conf
>>> search dom.abc.xyz abc.xyz
>>> nameserver