[Freeipa-users] Custom scripts

2015-09-18 Thread Andreas Ladanyi
Hi,

I am looking for a possibility to add a custom script which will be
executed after creating a new user.

I am using the latest release of FreeIPA 4.2 from COPR in Fedora 22.

I found this post in the archive from 2011:

https://www.redhat.com/archives/freeipa-users/2011-September/msg00076.html

Is this in principle also the way in FreeIPA 4.2?

regards,
Andreas



-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

[Freeipa-users] Add custom script

2015-09-18 Thread Andreas Ladanyi
Hi,

I am looking for a possibility to add a custom script which will be
executed after creating a new user.

I am using the latest release of FreeIPA 4.2 from COPR in Fedora 22.

I found this post in the archive from 2011:

https://www.redhat.com/archives/freeipa-users/2011-September/msg00076.html

Is this in principle also the way in FreeIPA 4.2?

regards,
Andreas



[Freeipa-users] Add custom script

2015-09-18 Thread Andreas Ladanyi
Hi,


Sorry, my last post was with wrong link.


I am looking for a possibility to add a custom script which will be
executed after creating a new user.

I am using the latest release of FreeIPA 4.2 from COPR in Fedora 22.

I found this post in the archive:

http://freeipa-users.redhat.narkive.com/cgjMKenp/user-custom-script

Is this in principle also the way in FreeIPA 4.2?

regards,
Andreas



[Freeipa-users] ipa-client-install error

2015-09-25 Thread Andreas Ladanyi
Hi,

I want to install ipa client: ipa-client-install -d

I get the following error:

Verifying that "MyFreeIPA Server" (realm None) is an IPA server
Init LDAP connection to: "MyFreeIPA Server"
Error checking LDAP: Connect error: TLS error -8054:You are attempting
to import a cert with the same issuer/serial as an existing cert, but
that is not the same cert.
Skip "MyFreeIPA Server" : cannot verify if this is an IPA server
Discovery result: UNKNOWN_ERROR; ...
Validated servers:
Failed to verify that "MyFreeIPA Server" is an IPA Server.
This may mean that the remote server is not up or is not reachable due
to network or firewall settings.
Please make sure the following ports are opened in the firewall settings:
 TCP: 80, 88, 389
 UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working
properly after enrollment:
 TCP: 464
 UDP: 464, 123 (if NTP enabled)
"MyFreeIPA Server" : Provided interactively)
Installation failed. Rolling back changes.
IPA client is not configured on this system.


SELinux on the IPA client and IPA server is permissive; iptables is empty.

It seems to be a problem with the SSL certificate of freeipa.


About the client:

rpm -qi ipa-client
Name: ipa-client
Version : 4.1.0
Release : 18.el7.centos.4


About the freeipa server:

rpm -qi freeipa-server
Name: freeipa-server
Version : 4.1.4
Release : 1.fc21


regards,
Andy



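The TLS error -8054 in the output above is NSS's SEC_ERROR_REUSED_ISSUER_AND_SERIAL: the client's certificate database already holds a certificate with the same issuer and serial number as the one the server presented, but with different contents. The following check, added here as an example and not part of the mailing-list thread or of FreeIPA, takes the summary lines that `openssl x509 -noout -issuer -serial -fingerprint -sha256` prints for each candidate certificate and reports issuer/serial pairs that map to more than one fingerprint. The sample records are constructed and do not describe real certificates.

```python
"""Find certificates that share an issuer and serial number but differ in
content, the condition NSS reports as error -8054
(SEC_ERROR_REUSED_ISSUER_AND_SERIAL) when a second copy is imported.

Added example for the ipa-client-install thread; not FreeIPA code.
Input records follow the text that `openssl x509 -noout -issuer -serial
-fingerprint -sha256 -in cert.pem` prints; the records below are constructed
and do not describe real certificates."""
import re
from collections import defaultdict


def parse_x509_summary(text):
    """Turn openssl's key=value lines for one certificate into a dict.

    Issuer strings are normalized so that "C = US, O = X" (OpenSSL 1.1+) and
    "C=US,O=X" compare equal; serials become upper-case hex without leading zeros."""
    rec = {}
    for line in text.strip().splitlines():
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        key, value = key.strip().lower(), value.strip()
        if key == "issuer":
            rec["issuer"] = re.sub(r"\s*([=,])\s*", r"\1", value)
        elif key == "serial":
            rec["serial"] = value.upper().lstrip("0") or "0"
        elif key.endswith("fingerprint"):
            rec["fingerprint"] = value.upper()
    return rec


def find_issuer_serial_conflicts(records):
    """Group records by (issuer, serial) and return the groups that contain
    more than one distinct fingerprint, i.e. different certificates that an
    NSS database would refuse to hold side by side."""
    groups = defaultdict(set)
    for rec in records:
        groups[(rec["issuer"], rec["serial"])].add(rec["fingerprint"])
    return {key: sorted(fps) for key, fps in groups.items() if len(fps) > 1}


# Constructed sample: the CA certificate already present in the client's NSS
# database, the one the IPA server presents now (same issuer and serial, but a
# different fingerprint), and an unrelated certificate from the same CA.
SAMPLES = [
    "issuer=O = EXAMPLE.TEST, CN = Certificate Authority\n"
    "serial=01\n"
    "SHA256 Fingerprint=AA:11:22:33:44:55:66:77",
    "issuer=O=EXAMPLE.TEST,CN=Certificate Authority\n"
    "serial=1\n"
    "SHA256 Fingerprint=BB:11:22:33:44:55:66:77",
    "issuer=O = EXAMPLE.TEST, CN = Certificate Authority\n"
    "serial=02\n"
    "SHA256 Fingerprint=CC:11:22:33:44:55:66:77",
]


def conflicts_in_samples():
    return find_issuer_serial_conflicts(parse_x509_summary(s) for s in SAMPLES)


if __name__ == "__main__":
    for (issuer, serial), fps in conflicts_in_samples().items():
        print("issuer=%s serial=%s has %d different certificates: %s"
              % (issuer, serial, len(fps), ", ".join(fps)))
```

To apply it to a real client, run the openssl command on the server's CA certificate and on each certificate exported from the client's NSS database (for example with `certutil -L -a`) and feed the outputs in as records; a conflict means one of the two copies has to be removed or the CA re-issued with a fresh serial before enrollment can succeed.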

[Freeipa-users] Replace with 3rd part certificates

2016-06-27 Thread Andreas Ladanyi
Hi,

I am trying to replace the self-signed certificate from the IPA installation
following this description:

http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP

ipa-server-certinstall -w -d mysite.key mysite.crt

The tool asks for the private key unlock password. The private key was
generated without a password. I tried pressing only the Enter key, but
it doesn't help. So I am confused. The certificate and key file are in PEM
format.

For testing I converted the private key with:

openssl rsa -in -out

because I want to know if openssl asks me for a password, but it doesn't.

My version number is FreeIPA 4.1.


regards,
Andreas




[Freeipa-users] FreeIPA doesnt start

2016-06-30 Thread Andreas Ladanyi
Hi,

I upgraded from Fedora 22 to 23 and now I am working with IPA 4.2.

When I want to start IPA with ipactl start, I run into the situation that
starting pki-tomcat takes a long time and ipactl aborts the starting
process and shuts down the services. So IPA doesn't start.

ipactl start:

Starting Directory Service
Starting krb5kdc Service
Starting kadmin Service
Starting ipa_memcached Service
Starting httpd Service
Starting pki-tomcatd Service

...hangs...

Failed to start pki-tomcatd Service
Shutting down
Aborting ipactl


systemctl status shows the errors:

ipa.service                      loaded failed failed  Identity, Policy, Audit
kadmin.service                   loaded failed failed  Kerberos 5 Password-changing and Administration
pki-tomcatd@pki-tomcat.service   loaded failed failed  PKI Tomcat Server pki-tomcat


Which logfiles are important to analyse this issue of IPA ?


Andreas





Re: [Freeipa-users] FreeIPA doesnt start

2016-06-30 Thread Andreas Ladanyi
Here is some more information.

journalctl -xe tells me some errors:

INFO: Initializing ProtocolHandler ["http-bio-8443"]
Error: SSL cipher "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA" not recognized by
tomcatjss
Error: SSL cipher "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA" not recognized by
tomcatjss
Error: SSL cipher "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA" not recognized by
tomcatjss
Error: SSL cipher "TLS_RSA_WITH_3DES_EDE_CBC_SHA" not recognized by
tomcatjss
Error: SSL cipher "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA" not recognized by
tomcatjss
Error: SSL cipher "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA" not recognized by
tomcatjss
Error: SSL cipher "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256" unsupported
by NSS
Error: SSL cipher "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" unsupported by NSS

..

org.apache.jasper.servlet.TldScanner scanJars
INFO: At least one JAR was scanned for TLDs yet contained no TLDs.
Enable debug logging for this logger for a complete list o

...

org.apache.catalina.startup.ClassLoaderFactory validateFile
WARNING: Problem with JAR file
[/var/lib/pki/pki-tomcat/lib/tomcat-servlet-3.0-api.jar], exists:
[false], canRead: [false]
org.apache.catalina.startup.ClassLoaderFactory validateFile
roblem with JAR file
[/var/lib/pki/pki-tomcat/lib/tomcat-jsp-2.2-api.jar], exists: [false],
canRead: [false]
org.apache.catalina.startup.ClassLoaderFactory validateFile
WARNING: Problem with JAR file
[/var/lib/pki/pki-tomcat/lib/tomcat7-websocket.jar], exists: [false],
canRead: [false]
org.apache.catalina.startup.ClassLoaderFactory validateFile
Problem with JAR file
[/var/lib/pki/pki-tomcat/lib/tomcat-el-2.2-api.jar], exists: [false],
canRead: [false]
org.apache.catalina.startup.Catalina stopServer
SEVERE: Could not contact localhost:8005. Tomcat may not be running.
org.apache.catalina.startup.Catalina stopServer
SEVERE: Catalina.stop:
java.net.ConnectException: Connection refused

.

pki-tomcatd@pki-tomcat.service: Control process exited, code=exited status=1

> Hi,
>
> I upgraded from Fedora 22 to 23 and now I am working with IPA 4.2.
>
> When I want to start IPA with ipactl start, I run into the situation that
> starting pki-tomcat takes a long time and ipactl aborts the starting
> process and shuts down the services. So IPA doesn't start.
>
> ipactl start:
>
> Starting Directory Service
> Starting krb5kdc Service
> Starting kadmin Service
> Starting ipa_memcached Service
> Starting httpd Service
> Starting pki-tomcatd Service
>
> ...hangs...
>
> Failed to start pki-tomcatd Service
> Shutting down
> Aborting ipactl
>
>
> systemctl status shows the errors:
>
> ipa.service                      loaded failed failed  Identity, Policy, Audit
> kadmin.service                   loaded failed failed  Kerberos 5 Password-changing and Administration
> pki-tomcatd@pki-tomcat.service   loaded failed failed  PKI Tomcat Server pki-tomcat
>
>
> Which logfiles are important to analyse this issue of IPA ?
>
>
> Andreas
>
>
>
>


-- 

Karlsruher Institut für Technologie (KIT)
Faculty of Computer Science
ATIS – Department of Technical Infrastructure

Dipl.-Ing. Andreas Ladanyi
- System Administrator -

Am Fasanengarten 5, Building 50.34, Room 013
76131 Karlsruhe

Phone: +49 721 608 - 4 3663
Fax: +49 721 608 - 4 6699
E-mail: andreas.lada...@kit.edu
www.atis.informatik.kit.edu

www.kit.edu

KIT - University of the State of Baden-Württemberg and National Research Center of the Helmholtz Association

KIT has been certified as a family-friendly university since 2010.




Re: [Freeipa-users] FreeIPA doesnt start

2016-06-30 Thread Andreas Ladanyi
>
> org.apache.catalina.startup.ClassLoaderFactory validateFile
> WARNING: Problem with JAR file
> [/var/lib/pki/pki-tomcat/lib/tomcat-servlet-3.0-api.jar], exists:
> [false], canRead: [false]
> org.apache.catalina.startup.ClassLoaderFactory validateFile
> roblem with JAR file
> [/var/lib/pki/pki-tomcat/lib/tomcat-jsp-2.2-api.jar], exists: [false],
> canRead: [false]
> org.apache.catalina.startup.ClassLoaderFactory validateFile
> WARNING: Problem with JAR file
> [/var/lib/pki/pki-tomcat/lib/tomcat7-websocket.jar], exists: [false],
> canRead: [false]
> org.apache.catalina.startup.ClassLoaderFactory validateFile
> Problem with JAR file
> [/var/lib/pki/pki-tomcat/lib/tomcat-el-2.2-api.jar], exists: [false],
> canRead: [false]
rpm -qa | grep tomcat
tomcatjss-7.1.3-1.fc23.noarch
tomcat-servlet-3.1-api-8.0.32-5.fc23.noarch
tomcat-8.0.32-5.fc23.noarch
tomcat-jsp-2.3-api-8.0.32-5.fc23.noarch
tomcat-el-3.0-api-8.0.32-5.fc23.noarch
tomcat-lib-8.0.32-5.fc23.noarch

ls -la /var/lib/pki/pki-tomcat/lib/
insgesamt 20
drwxrwx---. 2 pkiuser pkiuser 4096 28. Jun 15:59 .
drwxrwx---. 8 pkiuser pkiuser 4096 22. Mai 2015  ..
lrwxrwxrwx. 1 pkiuser pkiuser   41 28. Jun 15:59 annotations-api.jar ->
/usr/share/tomcat/lib/annotations-api.jar
lrwxrwxrwx. 1 pkiuser pkiuser   38 28. Jun 15:59 catalina-ant.jar ->
/usr/share/tomcat/lib/catalina-ant.jar
lrwxrwxrwx. 1 pkiuser pkiuser   37 28. Jun 15:59 catalina-ha.jar ->
/usr/share/tomcat/lib/catalina-ha.jar
lrwxrwxrwx. 1 pkiuser pkiuser   34 28. Jun 15:59 catalina.jar ->
/usr/share/tomcat/lib/catalina.jar
lrwxrwxrwx. 1 pkiuser pkiuser   46 28. Jun 15:59
catalina-storeconfig.jar -> /usr/share/tomcat/lib/catalina-storeconfig.jar
lrwxrwxrwx. 1 pkiuser pkiuser   41 28. Jun 15:59 catalina-tribes.jar ->
/usr/share/tomcat/lib/catalina-tribes.jar
lrwxrwxrwx. 1 pkiuser pkiuser   45 28. Jun 15:59 commons-collections.jar
-> /usr/share/tomcat/lib/commons-collections.jar
lrwxrwxrwx. 1 pkiuser pkiuser   38 28. Jun 15:59 commons-dbcp.jar ->
/usr/share/tomcat/lib/commons-dbcp.jar
lrwxrwxrwx. 1 pkiuser pkiuser   38 28. Jun 15:59 commons-pool.jar ->
/usr/share/tomcat/lib/commons-pool.jar
lrwxrwxrwx. 1 pkiuser pkiuser   35 28. Jun 15:59 jasper-el.jar ->
/usr/share/tomcat/lib/jasper-el.jar
lrwxrwxrwx. 1 pkiuser pkiuser   32 28. Jun 15:59 jasper.jar ->
/usr/share/tomcat/lib/jasper.jar
lrwxrwxrwx. 1 pkiuser pkiuser   36 28. Jun 15:59 jasper-jdt.jar ->
/usr/share/tomcat/lib/jasper-jdt.jar
lrwxrwxrwx. 1 pkiuser pkiuser   36 22. Mai 2015  log4j.properties ->
/etc/pki/pki-tomcat/log4j.properties
lrwxrwxrwx. 1 pkiuser pkiuser   43 28. Jun 15:59 tomcat7-websocket.jar
-> /usr/share/tomcat/lib/tomcat7-websocket.jar
lrwxrwxrwx. 1 pkiuser pkiuser   36 28. Jun 15:59 tomcat-api.jar ->
/usr/share/tomcat/lib/tomcat-api.jar
lrwxrwxrwx. 1 pkiuser pkiuser   39 28. Jun 15:59 tomcat-coyote.jar ->
/usr/share/tomcat/lib/tomcat-coyote.jar
lrwxrwxrwx. 1 pkiuser pkiuser   37 28. Jun 15:59 tomcat-dbcp.jar ->
/usr/share/tomcat/lib/tomcat-dbcp.jar
lrwxrwxrwx. 1 pkiuser pkiuser   43 28. Jun 15:59 tomcat-el-2.2-api.jar
-> /usr/share/tomcat/lib/tomcat-el-2.2-api.jar
lrwxrwxrwx. 1 pkiuser pkiuser   43 28. Jun 15:59 tomcat-el-3.0-api.jar
-> /usr/share/tomcat/lib/tomcat-el-3.0-api.jar
lrwxrwxrwx. 1 pkiuser pkiuser   40 28. Jun 15:59 tomcat-i18n-es.jar ->
/usr/share/tomcat/lib/tomcat-i18n-es.jar
lrwxrwxrwx. 1 pkiuser pkiuser   40 28. Jun 15:59 tomcat-i18n-fr.jar ->
/usr/share/tomcat/lib/tomcat-i18n-fr.jar
lrwxrwxrwx. 1 pkiuser pkiuser   40 28. Jun 15:59 tomcat-i18n-ja.jar ->
/usr/share/tomcat/lib/tomcat-i18n-ja.jar
lrwxrwxrwx. 1 pkiuser pkiuser   37 28. Jun 15:59 tomcat-jdbc.jar ->
/usr/share/tomcat/lib/tomcat-jdbc.jar
lrwxrwxrwx. 1 pkiuser pkiuser   36 28. Jun 15:59 tomcat-jni.jar ->
/usr/share/tomcat/lib/tomcat-jni.jar
lrwxrwxrwx. 1 pkiuser pkiuser   44 28. Jun 15:59 tomcat-jsp-2.2-api.jar
-> /usr/share/tomcat/lib/tomcat-jsp-2.2-api.jar
lrwxrwxrwx. 1 pkiuser pkiuser   44 28. Jun 15:59 tomcat-jsp-2.3-api.jar
-> /usr/share/tomcat/lib/tomcat-jsp-2.3-api.jar
lrwxrwxrwx. 1 pkiuser pkiuser   37 28. Jun 15:59 tomcat-juli.jar ->
/usr/share/tomcat/lib/tomcat-juli.jar
lrwxrwxrwx. 1 pkiuser pkiuser   48 28. Jun 15:59
tomcat-servlet-3.0-api.jar ->
/usr/share/tomcat/lib/tomcat-servlet-3.0-api.jar
lrwxrwxrwx. 1 pkiuser pkiuser   48 28. Jun 15:59
tomcat-servlet-3.1-api.jar ->
/usr/share/tomcat/lib/tomcat-servlet-3.1-api.jar
lrwxrwxrwx. 1 pkiuser pkiuser   37 28. Jun 15:59 tomcat-util.jar ->
/usr/share/tomcat/lib/tomcat-util.jar
lrwxrwxrwx. 1 pkiuser pkiuser   42 28. Jun 15:59 tomcat-util-scan.jar ->
/usr/share/tomcat/lib/tomcat-util-scan.jar
lrwxrwxrwx. 1 pkiuser pkiuser   42 28. Jun 15:59 tomcat-websocket.jar ->
/usr/share/tomcat/lib/tomcat-websocket.jar
lrwxrwxrwx. 1 pkiuser pkiuser   39 28. Jun 15:59 websocket-api.jar ->
/usr/share/tomcat/lib/websocket-api.jar

For example:
ls -la /usr/share/tomcat/lib/tomcat-jsp-2.2-api.jar -> File is not available
ls -la /usr/share/tomcat/lib/tomcat-jsp-2.3-api.jar -> File is ok.



> org.apache.catalina.startup.Catal
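The `validateFile` warnings and the `ls -la` listing above point at the same thing: symlinks in /var/lib/pki/pki-tomcat/lib whose targets (tomcat-servlet-3.0-api.jar, tomcat-jsp-2.2-api.jar, tomcat-el-2.2-api.jar, tomcat7-websocket.jar) no longer exist after the tomcat 8 upgrade. The script below is an added example, not FreeIPA or Dogtag code; it extracts the missing JAR paths from a journal excerpt constructed from the lines quoted in this thread and, separately, lists dangling symlinks in a directory, using a throwaway temp directory rather than the real pki-tomcat lib path.

```python
"""Two checks for the symptom in the pki-tomcat thread: Tomcat's
ClassLoaderFactory warns about JARs that `exists: [false]`, and the
pki-tomcat lib directory holds symlinks whose targets a package upgrade removed.

Added example; not FreeIPA or Dogtag code. SAMPLE_LOG is constructed from the
lines quoted in the thread, and demo() builds a throwaway directory instead
of touching /var/lib/pki."""
import os
import re
import tempfile

# Matches the wrapped journal lines quoted in the thread, e.g.
#   WARNING: Problem with JAR file
#   [/var/lib/pki/pki-tomcat/lib/tomcat-jsp-2.2-api.jar], exists: [false],
WARN_RE = re.compile(
    r"Problem with JAR file\s*\[([^\]]+)\],\s*exists:\s*\[(true|false)\]")


def missing_jars_from_log(log_text):
    """Return the JAR paths Tomcat reported as non-existent, sorted."""
    return sorted(path for path, ok in WARN_RE.findall(log_text) if ok == "false")


def dangling_symlinks(directory):
    """Return names of symlinks in `directory` whose targets do not exist.

    os.path.islink() inspects the link itself; os.path.exists() follows it, so a
    link is dangling exactly when the first is true and the second is false."""
    found = []
    for name in os.listdir(directory):
        path = os.path.join(directory, name)
        if os.path.islink(path) and not os.path.exists(path):
            found.append(name)
    return sorted(found)


SAMPLE_LOG = """\
org.apache.catalina.startup.ClassLoaderFactory validateFile
WARNING: Problem with JAR file
[/var/lib/pki/pki-tomcat/lib/tomcat-servlet-3.0-api.jar], exists:
[false], canRead: [false]
org.apache.catalina.startup.ClassLoaderFactory validateFile
WARNING: Problem with JAR file
[/var/lib/pki/pki-tomcat/lib/tomcat-jsp-2.2-api.jar], exists: [false],
canRead: [false]
org.apache.catalina.startup.ClassLoaderFactory validateFile
WARNING: Problem with JAR file
[/var/lib/pki/pki-tomcat/lib/tomcat7-websocket.jar], exists: [false],
canRead: [false]
org.apache.catalina.startup.ClassLoaderFactory validateFile
WARNING: Problem with JAR file
[/var/lib/pki/pki-tomcat/lib/tomcat-el-2.2-api.jar], exists: [false],
canRead: [false]
"""


def demo():
    """Recreate the situation in a temp dir: one link to a JAR that exists
    (servlet 3.1, shipped by tomcat 8) and one to a JAR the upgrade removed."""
    with tempfile.TemporaryDirectory() as root:
        lib = os.path.join(root, "lib")
        os.mkdir(lib)
        real_jar = os.path.join(root, "tomcat-servlet-3.1-api.jar")
        open(real_jar, "w").close()
        os.symlink(real_jar, os.path.join(lib, "tomcat-servlet-3.1-api.jar"))
        os.symlink(os.path.join(root, "tomcat-servlet-3.0-api.jar"),
                   os.path.join(lib, "tomcat-servlet-3.0-api.jar"))
        return dangling_symlinks(lib)


if __name__ == "__main__":
    print("JARs Tomcat could not find:", missing_jars_from_log(SAMPLE_LOG))
    print("dangling links in demo dir:", demo())
```

On a real server `dangling_symlinks("/var/lib/pki/pki-tomcat/lib")` run as a user that can read that directory gives the list of links to clean up; comparing it with `missing_jars_from_log` output from `journalctl -u pki-tomcatd@pki-tomcat` confirms the two views agree before anything is changed.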

Re: [Freeipa-users] FreeIPA doesnt start

2016-07-01 Thread Andreas Ladanyi
Hi Fraser.
>>> Hi,
>>>
>>> I upgraded from Fedora 22 to 23 and now I am working with IPA 4.2.
>>>
>>> When I want to start IPA with ipactl start, I run into the situation that
>>> starting pki-tomcat takes a long time and ipactl aborts the starting
>>> process and shuts down the services. So IPA doesn't start.
>> Sounds like 
>> https://www.happyassassin.net/2016/06/21/notes-on-a-couple-of-freeipa-bugs-host-group-sudo-rules-and-failure-to-start-with-recent-pki-core-on-older-upgraded-installs/
>>
> I concur - it is likely to be the same issue.  A new release of pki
> on f23 is going to happen in the next day or so.  If it is the same
> issue, that will fix it.
Yes, it was the same issue. I could fix it.

Andreas




Re: [Freeipa-users] FreeIPA doesnt start

2016-07-01 Thread Andreas Ladanyi
Hi Tomasz,
> On Thu, Jun 30, 2016 at 02:51:02PM +0200, Andreas Ladanyi wrote:
>> Hi,
>>
>> I upgraded from Fedora 22 to 23 and now I am working with IPA 4.2.
>>
>> When I want to start IPA with ipactl start, I run into the situation that
>> starting pki-tomcat takes a long time and ipactl aborts the starting
>> process and shuts down the services. So IPA doesn't start.
> Sounds like 
> https://www.happyassassin.net/2016/06/21/notes-on-a-couple-of-freeipa-bugs-host-group-sudo-rules-and-failure-to-start-with-recent-pki-core-on-older-upgraded-installs/
Thank you. You are right. The certificate profiles not imported into LDAP
during the upgrade process are the problem. I solved this issue with the
information from the above link.


Andreas




Re: [Freeipa-users] Replace with 3rd part certificates

2016-07-01 Thread Andreas Ladanyi
Hi,
> For the time being and as far as I can see until IPA 4.3.1, the procedure is 
> messy and difficult.
> The following thread will be a big help:
> https://www.redhat.com/archives/freeipa-users/2016-January/msg00223.html
>
> I think I succeeded at last, but further tests remain.
Is it possible to backport the working procedure from 4.3.1 to 4.2 in
Fedora 23?
>
>
regards,
Andreas




Re: [Freeipa-users] Replace with 3rd part certificates

2016-07-06 Thread Andreas Ladanyi

Hi,

Is it possible that ipa-server-certinstall couldn't handle private keys 
without a password?


I would test it with a self-signed certificate and a test private key file 
secured with a password, but I don't know what happens after entering a 
valid private key unlock password. Could I stop the certificate import 
process at this point, so no change will happen to my production IPA 
server?


regards,
Andreas

Hi,

I am trying to replace the self-signed certificate from the IPA installation
following this description:

http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP

ipa-server-certinstall -w -d mysite.key mysite.crt

The tool asks for the private key unlock password. The private key was
generated without a password. I tried pressing only the Enter key, but
it doesn't help. So I am confused. The certificate and key file are in PEM
format.

For testing I converted the private key with:

openssl rsa -in -out

because I want to know if openssl asks me for a password, but it doesn't.

My version number is FreeIPA 4.1.


regards,
Andreas






Re: [Freeipa-users] Replace with 3rd part certificates

2016-07-06 Thread Andreas Ladanyi

Hi Rob,

Hi,

Is it possible that ipa-server-certinstall couldn't handle private keys
without a password?


You can file an RFE at https://fedorahosted.org/freeipa/newticket
It seems that ipa-server-certinstall couldn't handle private keys with a 
password, too. See my result below.





I would test it with a self-signed certificate and a test private key file
secured with a password, but I don't know what happens after entering a
valid private key unlock password. Could I stop the certificate import
process at this point, so no change will happen to my production IPA
server?


I would not recommend experimenting with random certificates.

It should be possible to add a password to your private key. A quick 
google found 
http://security.stackexchange.com/questions/59136/can-i-add-a-password-to-an-existing-private-key

That's a great idea. I have done so and tested again:

openssl rsa -des3 -in private.key -out private_key_with_pw.key

ipa-server-certinstall -w certificate.pem private_key_with_pw.key

After entering the password to unlock the private key I get the message:

Insufficient access:  Invalid credentials



Andreas

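The `openssl rsa -des3` step above converts a plaintext key into the traditional OpenSSL encrypted PEM form, recognizable by the `Proc-Type: 4,ENCRYPTED` and `DEK-Info:` headers inside the block. Before feeding a key file to a tool that prompts for an unlock password, it is useful to confirm which form the file is actually in. The classifier below is an added example, not FreeIPA code; it reads only the PEM envelope, so it never loads or decrypts key material, and the sample files it ships with are constructed placeholders rather than real keys.

```python
"""Classify a PEM private key file as plaintext, legacy-encrypted (what
`openssl rsa -des3` writes) or PKCS#8-encrypted by looking only at its PEM
envelope, so the check works without loading or decrypting the key.

Added example for the ipa-server-certinstall thread; not FreeIPA code.
The sample files are constructed: their base64 bodies are placeholders and
only the labels and headers matter here."""
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\n(.*?)-----END \1-----", re.S)
PLAIN_KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "DSA PRIVATE KEY"}


def pem_blocks(text):
    """Yield (label, headers) per PEM block. RFC 1421 headers such as
    'Proc-Type: 4,ENCRYPTED' are the only body lines that contain a colon."""
    for m in PEM_BLOCK.finditer(text):
        headers = {}
        for line in m.group(2).splitlines():
            if ":" in line:
                name, _, value = line.partition(":")
                headers[name.strip()] = value.strip()
        yield m.group(1), headers


def private_key_status(text):
    """Return 'encrypted-pkcs8', 'encrypted-legacy', 'plaintext' or 'no-key'
    for the first private key block found in `text`."""
    for label, headers in pem_blocks(text):
        if label == "ENCRYPTED PRIVATE KEY":
            return "encrypted-pkcs8"
        if label in PLAIN_KEY_LABELS:
            if headers.get("Proc-Type") == "4,ENCRYPTED" and "DEK-Info" in headers:
                return "encrypted-legacy"
            return "plaintext"
    return "no-key"


def legacy_cipher(text):
    """Cipher named in the DEK-Info header of a legacy-encrypted key, else None."""
    for label, headers in pem_blocks(text):
        if label in PLAIN_KEY_LABELS and "DEK-Info" in headers:
            return headers["DEK-Info"].split(",", 1)[0]
    return None


# Constructed samples (placeholder bodies, not real key material)
PLAIN_RSA = """-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAplaceholderplaceholderplaceholder
-----END RSA PRIVATE KEY-----
"""
LEGACY_DES3 = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

MIIEpAIBAAKCAQEAplaceholderplaceholderplaceholder
-----END RSA PRIVATE KEY-----
"""
PKCS8_ENC = """-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFHDBOBgkqhkiG9w0BBQ0placeholderplaceholder
-----END ENCRYPTED PRIVATE KEY-----
"""
CERT_ONLY = """-----BEGIN CERTIFICATE-----
MIIDplaceholderplaceholder
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    for name, pem in [("plain", PLAIN_RSA), ("des3", LEGACY_DES3),
                      ("pkcs8", PKCS8_ENC), ("cert", CERT_ONLY)]:
        print(name, private_key_status(pem), legacy_cipher(pem))
```

A key that comes back as `plaintext` has no unlock password to give, so a tool that still prompts for one is asking about something else; a key that comes back as `encrypted-legacy` with `DES-EDE3-CBC` is protected by the legacy OpenSSL key derivation, which is fine for a transient copy but not a long-term storage format.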


Re: [Freeipa-users] Migrating to FreeIPA from an existing Heimdal Kerberos and 389-ds deployment

2016-07-15 Thread Andreas Ladanyi
Hi,
> Hi all,
>
> I'm part of the CMU Computer Club and our Kerberos/LDAP deployment has
> been a pain point for quite some time.  I've heard that FreeIPA might
> be a solution worth exploring.
>
> I would like to try to avoid user visible disruption if possible,
> however.  This means that we would like to keep our Kerberos realm
> name, keep AFS cross-realm authentication working, etc.  UIDs
> remaining the same would be good; I'd have to think about
We don't use cross-realm. We created a new realm with a new name. We used
ipa migrate-ds to migrate users/groups with UIDs.

Because we couldn't migrate the user passwords from the old to the new realm, we
reset the users' passwords in the new IPA realm and let the users enter a
new password once.
>
> Essentially all of our clients are various flavors of Debian; mostly
> Jessie (we have an unfortunate number of older machines that I hope to
> upgrade soon).
>
> Has anyone done something like this before?  Anyone have any ideas
> what the migration path would look like or whether this is even
> possible? 
I have the same situation. We have an old MIT Kerberos / OpenLDAP system
which we have to migrate. We use FreeIPA 4.2 on Fedora 23 and the
current OpenAFS release and, simply said: it works. Our first milestone
was to migrate web platforms and everything behind them (Apache with Kerberos
auth and data in AFS) first, and after that, with more experience with the
AFS / FreeIPA combination, we want to migrate the user homes and client
desktops.

>
> Thanks,
>
> Grant Wu
> gran...@andrew.cmu.edu 
regards,
Andreas



[Freeipa-users] Moving from ca to ca-less without pki

2016-07-29 Thread Andreas Ladanyi

Hi,

Is it simply possible to move from CA to a CA-less environment in IPA? 
Because it's OK for me to only use certificates in the web and LDAP 
components. I use FreeIPA 4.2, Fedora 23.


regards,
Andreas



[Freeipa-users] Adding cross realm trust principals

2014-07-21 Thread Andreas Ladanyi

Hello,

I want to migrate an existing MIT Kerberos realm to IPA and want to 
set up a cross-realm trust relationship. I have exactly the problem 
discussed on this mailing list, 
https://www.redhat.com/archives/freeipa-users/2013-November/msg00213.html, and 
want to ask if there is now a new way to create trust principals without 
using "kadmin.local -x ipa-setup-override-restrictions".


Regards,
Andreas



[Freeipa-users] Objectclass ipaobject

2014-07-28 Thread Andreas Ladanyi
Hi,

I am looking for the LDIF file where I could find the objectclass
definition of ipaObject.

I could find the following entries:

objectClasses: (2.16.840.1.113730.3.8.4.12 NAME 'ipaObject' DESC 'IPA
objectclass' AUXILIARY MUST ( ipaUniqueId ) X-ORIGIN 'IPA v2' )

attributeTypes: (2.16.840.1.113730.3.8.3.1 NAME 'ipaUniqueID' DESC
'Unique identifier' EQUALITY caseIgnoreMatch ORDERING
caseIgnoreOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN
'IPA v2' )

in the file 60basev2.ldif.

So the objectclass ipaObject seems to have one auxiliary attribute only?
Where could I find the rest of the objectclass definition?

cheers,
Andreas



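An objectClass definition in RFC 4512 syntax already lists everything the class contributes: its kind (ABSTRACT, STRUCTURAL or AUXILIARY), the attributes entries MUST carry and the ones they MAY carry. The parser below is an added example, not FreeIPA code; it reads the ipaObject line quoted above (from 60basev2.ldif, as the post says) and a second constructed definition, and prints what each one requires.

```python
"""Parse an RFC 4512 objectClass definition, like the ipaObject line quoted
in the thread, and list what entries of that class must and may carry.

Added example, not FreeIPA code. IPAOBJECT is the definition quoted in the
thread (from 60basev2.ldif); the parser covers the subset of the RFC 4512
grammar that FreeIPA's schema files use (single or multiple NAMEs, SUP,
MUST/MAY lists, the kind keyword, OBSOLETE, X-ORIGIN)."""
import re

IPAOBJECT = ("( 2.16.840.1.113730.3.8.4.12 NAME 'ipaObject' DESC 'IPA objectclass' "
             "AUXILIARY MUST ( ipaUniqueId ) X-ORIGIN 'IPA v2' )")

# Either a bare flag keyword, or a keyword followed by exactly one value:
# a 'quoted string', a ( parenthesized list ) or a bare word.
TOKEN = re.compile(
    r"\b(ABSTRACT|STRUCTURAL|AUXILIARY|OBSOLETE)\b"
    r"|\b(NAME|DESC|SUP|MUST|MAY|X-ORIGIN)\s+('[^']*'|\([^)]*\)|[^\s()']+)")


def _as_list(value):
    """'x' -> ['x'];  ( a $ b ) -> ['a', 'b'];  ( 'a' 'b' ) -> ['a', 'b']."""
    if value.startswith("("):
        return [t.strip("'") for t in re.split(r"[\s$]+", value[1:-1]) if t.strip("'")]
    return [value.strip("'")]


def parse_objectclass(definition):
    inner = definition.strip()
    if not (inner.startswith("(") and inner.endswith(")")):
        raise ValueError("objectClass definition must be parenthesized")
    oid, rest = inner[1:-1].strip().split(None, 1)
    oc = {"oid": oid, "names": [], "kind": "STRUCTURAL", "sup": [], "must": [],
          "may": [], "obsolete": False}          # STRUCTURAL is the RFC 4512 default kind
    for flag, keyword, value in TOKEN.findall(rest):
        if flag == "OBSOLETE":
            oc["obsolete"] = True
        elif flag:
            oc["kind"] = flag
        elif keyword == "NAME":
            oc["names"] = _as_list(value)
        elif keyword == "DESC":
            oc["desc"] = value.strip("'")
        elif keyword == "X-ORIGIN":
            oc["origin"] = value.strip("'")
        else:                                    # SUP, MUST, MAY
            oc[keyword.lower()] = _as_list(value)
    return oc


def describe(oc):
    """One-line summary of what entries of the class must and may carry."""
    return "%s (%s): requires %s; optional %s" % (
        "/".join(oc["names"]), oc["kind"].lower(),
        ", ".join(oc["must"]) or "nothing", ", ".join(oc["may"]) or "nothing")


# Second, constructed definition exercising SUP, multiple names and a MAY list
EXAMPLE_STRUCTURAL = ("( 1.2.3.4 NAME ( 'exampleThing' 'thing' ) SUP top STRUCTURAL "
                      "MUST ( cn $ sn ) MAY ( description ) )")

if __name__ == "__main__":
    print(describe(parse_objectclass(IPAOBJECT)))
    print(describe(parse_objectclass(EXAMPLE_STRUCTURAL)))
```

Because ipaObject is AUXILIARY, it only adds ipaUniqueId to whatever structural class the entry already has; the entry's other attributes come from those other classes, which is why a single MUST is a complete definition.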

[Freeipa-users] Extending FreeIPA 3

2014-09-18 Thread Andreas Ladanyi

Hi,

I am using CentOS 6.5 and the ipa-server 3.0.0, 37.el6 package.


I want to expose an LDAP attribute in the Web UI and read the following 
slides:

https://www.freeipa.org/images/5/5b/FreeIPA33-extending-freeipa.pdf

My problem is that I can't find the plugin location path 
/usr/share/ipa/ui/js/plugins; the /js/plugins part does not exist.


The slides are for version 3.3. I am using 3.0.0. Was the plugin subdir 
changed / renamed?


regards,
Andreas



[Freeipa-users] Migrate KRB DB hashes to IPA LDAP

2014-10-08 Thread Andreas Ladanyi
Hello,

I have the following situation:

OpenLDAP with user entries. No userPassword hashes are available.
MIT Kerberos with principals and password hashes in the KRB DB.

I have migrated the user and group accounts via "ipa migrate-ds ..."
successfully.

Now, is it possible to get the Kerberos user principal password
hashes out of Kerberos' own DB into the appropriate krbPassword IPA LDAP
attribute, so the users could log in without any extra user action?

cheers,
Andy




Re: [Freeipa-users] Migrate KRB DB hashes to IPA LDAP

2014-10-13 Thread Andreas Ladanyi
The old system from which I migrated the user/group accounts uses 
Kerberos' own DB without LDAP for the principals.


I could dump the master key :

kdb5_util dump filename K/M@REALM

Now I have a lot of numbers in the dump file. Which number belongs to 
which LDAP attribute in the (test) FreeIPA 389 LDAP system (Simon called 
it a throwaway system :-) )?


I don't know the data structure of Kerberos' own DB.

cheers,
Andy



Re: [Freeipa-users] Migrate KRB DB hashes to IPA LDAP

2014-11-04 Thread Andreas Ladanyi
> On Mon, 13 Oct 2014 17:30:58 +0200
> Andreas Ladanyi  wrote:
>
>> The old system from which I migrated the user/group accounts uses
>> Kerberos' own DB without LDAP for the principals.
>>
>> I could dump the master key :
>>
>> kdb5_util dump filename K/M@REALM
>>
>> Now I have a lot of numbers in the dump file. Which number belongs to 
>> which LDAP attribute in the (test) FreeIPA 389 LDAP system (Simon
>> called it a throwaway system :-) )?
>>
>> I don't know the data structure of Kerberos' own DB.
> And you shouldn't really care, you should use the kdb5 utils to load
> back the dumped DB, provided you first create all users and hosts and
> services via the freeipa tools.
>
> Simo.

OK, I dumped the Kerberos DB with kdb5_util and got the dump file with
all principals.

So now, if I understand you correctly, I have to create all user/group/service 
principals with the FreeIPA tools first?

How can I import the dumped principals into the 389 LDAP? I can't see any 
options in kdb5_ldap_util to import the principals and hashes from the 
dumped KRB DB file into 389 LDAP?


Andreas





[Freeipa-users] Migration Webpage doesnt work

2014-11-06 Thread Andreas Ladanyi
Hi,

I migrated user data with the ipa migrate-ds script without problems.
The users in the old OpenLDAP don't have a userPassword, and only the
Kerberos principal from the local KRB DB was used for authentication.
After migration FreeIPA doesn't have a userPassword and there is no
Kerberos hash.

Now I tried out the /ipa/migration webpage and want to set a
userPassword/Kerberos hash for a user in FreeIPA. The result was the
error message that I entered the wrong password and/or username.

Now my question is: what is the requirement for the migration webpage to
work? The documentation says that the migration webpage takes a cleartext
password and generates the Kerberos hash. Does the migration page need a
userPassword entry?

I tried to reset the password of a user in the Web UI, and the
migration webpage works with this password from the manual password reset?!

cheers,
Andreas





[Freeipa-users] FreeIPA Kerberos and Single-DES for OpenAFS

2014-11-12 Thread Andreas Ladanyi
Hi,

I set up the 389 LDAP server to support des-cbc-crc enctype.

I created a principal for OpenAFS. OpenAFS needs des-cbc-crc:v4
(single-DES). I created the principal with:

kadmin.local -x ipa-setup-override-restrictions

The result is:

Principal: afs/cellname@Realm
Key: vno 1, des-cbc-crc, no salt
Key: vno 1, aes256-cts-hmac-sha1-96, no salt

Seems like the principal was set correctly with single-des.

I execute a "kinit username" and got my tgt.

kvno -e des-cbc-crc afs/cellname
kvno: KDC has no support for encryption type while getting credentials
for afs/cellname@REALM

kvno -e aes256-cts-hmac-sha1-96  afs/cellname
afs/celln...@pp.ipd.kit.edu: kvno = 1

I am wondering why I don't get a ticket with des-cbc-crc enctype from the
FreeIPA Kerberos server.

Any ideas ?


cheers,
Andreas





Re: [Freeipa-users] FreeIPA Kerberos and Single-DES for OpenAFS

2014-11-13 Thread Andreas Ladanyi
>> Hi,
>>
>> I set up the 389 LDAP server to support des-cbc-crc enctype.
>>
>> I created a principal for OpenAFS. OpenAFS needs des-cbc-crc:v4
>> (single-DES). I created the principal with:
>>
>> kadmin.local -x ipa-setup-override-restrictions
> Please don't do this, use the ipa service-add and ipa-getkeytab
> commands instead.
I can't use ipa service-add, because for OpenAFS I need a service
principal called:

afs/cellname@REALM, where the cellname could be any name. In my case the
cellname is the same as the domain name.

With ipa service-add I could only add principals like service/FQDN@REALM.
>
>> The result is:
>>
>> Principal: afs/cellname@Realm
>> Key: vno 1, des-cbc-crc, no salt
>> Key: vno 1, aes256-cts-hmac-sha1-96, no salt
>>
>> Seems like the principal was set correctly with single-des.
>>
>> I execute a "kinit username" and got my tgt.
>>
>> kvno -e des-cbc-crc afs/cellname
>> kvno: KDC has no support for encryption type while getting credentials
>> for afs/cellname@REALM
>>
>> kvno -e aes256-cts-hmac-sha1-96  afs/cellname
>> afs/celln...@pp.ipd.kit.edu: kvno = 1
>>
>> I am wondering why I don't get a ticket with des-cbc-crc enctype from the
>> FreeIPA Kerberos server.
>>
>> Any ideas ?
> des-cbc-crc is disabled at different levels, you need to set
> allow_weak_crypto = yes in krb5.conf to enable use of DES algorithms
> at all.
I have already done this on the client side.
> On the KDC however you also need to change the list of allowed
> enctypes in LDAP and in the KDC configuration file.
OK, I already added the supportedenctypes and defaultencsalttypes to the
389 LDAP enctype list of the Kerberos realm.

In which KDC file do I have to change the enctypes on the FreeIPA server?
kdc.conf? What should I add to get the FreeIPA KDC delivering single-DES?
>
> Simo.
>
cheers,
Andreas




Re: [Freeipa-users] FreeIPA Kerberos and Single-DES for OpenAFS

2014-11-14 Thread Andreas Ladanyi

> [root@cc21 ~]# ipa host-add --force afs-cellname.ipacloud.test
> ---
> Added host "afs-cellname.ipacloud.test"
> ---
>  Host name: afs-cellname.ipacloud.test
>  Principal name: host/afs-cellname.ipacloud.t...@ipacloud.test
>  Password: False
>  Keytab: False
>  Managed by: afs-cellname.ipacloud.test
OK, I have done an "ipa host-add --force afscellname" (in my case equal to
the domain name).
> [root@cc21 ~]# ipa service-add --force afs/afs-cellname
> --
> Added service "afs/afs-celln...@ipacloud.test"
> --
>  Principal: afs/afs-celln...@ipacloud.test
>  Managed by: afs-cellname.ipacloud.test
> [root@cc21 ~]# ipa service-show afs/afs-cellname
>  Principal: afs/afs-celln...@ipacloud.test
>  Keytab: False
>  Managed by: afs-cellname.ipacloud.test
> [root@cc21 ~]# ipa-getkeytab -s `hostname` -p afs/afs-cellname -k /tmp/afs.keytab
> Keytab successfully retrieved and stored in: /tmp/afs.keytab
OK, I have done an "ipa service-add --force afs/cellname" (in my case
equal to the domain name).
>
> As you can see there is no problem at all -- all you need is to have a
> host entry with the same name as afs-cellname. Note that the host
> afs-cellname doesn't even need to exist in DNS.
>
> However, your primary problem would be in a different area. You'll need
> to enable weak crypto at KDC server, Kerberos clients, and LDAP servers.
>
> krb5.conf (on both IPA masters and clients):
> [libdefaults]
>  allow_weak_crypto = true
done.
>
> /var/kerberos/krb5kdc/kdc.conf (on IPA masters):
> [realms]
> IPACLOUD.TEST = {
>   supported_enctypes = aes256-cts-hmac-sha1-96:normal
> aes128-cts-hmac-sha1-96:normal des3-cbc-sha1:normal
> arcfour-hmac-md5:normal des-cbc-crc:v4
> }
>
done
> Finally, you need to modify
> cn=IPACLOUD.TEST,cn=kerberos,dc=ipacloud,dc=test
> and add des-cbc-crc:v4 to supported Kerberos encryption types with
> krbSupportedEncSaltTypes
> attribute. You have to use ldapmodify as cn=Directory Manager for that
> as we don't allow admins to modify these entries directly.
I used JXplorer to modify the entries.
>
> A simplified approach would be to use ipa-ldap-updater with your own
> update file (which should have a name like -.update where
>  is something between 01 and 90):
>
> [root@cc21 ~]# cat 20-weak-enctypes.update
> dn: cn=$REALM,cn=kerberos,$SUFFIX
> add: krbSupportedEncSaltTypes: des-cbc-crc:v4
>
> [root@cc21 ~]# ipa-ldap-updater ./20-weak-enctypes.update
> Directory Manager password:
> Parsing update file './20-weak-enctypes.update'
> Updating existing entry:
> cn=IPACLOUD.TEST,cn=kerberos,dc=ipacloud,dc=test
> Done
> The ipa-ldap-updater command was successful
>
> Only after that you'll get ipa-getkeytab to generate weaker encryption
> type-based keys. 
OK.

getprinc of the afs/cellname@REALM principal says:

Key: vno 1, aes256-cts-hmac-sha1-96, no salt
Key: vno 1, aes128-cts-hmac-sha1-96, no salt
Key: vno 1, des3-cbc-sha1, no salt
Key: vno 1, arcfour-hmac, no salt
Key: vno 1, camellia128-cts-cmac, no salt
Key: vno 1, camellia256-cts-cmac, no salt
Key: vno 1, des-cbc-crc, no salt

It looks like the single-DES key was created.

If I ask for a TGT and an afs/cellname@REALM TGS ticket with kinit and
aklog (from OpenAFS) I only get an AES256 key, but no single-DES ticket.

From the client PC:

kvno -e des-cbc-crc afs/cellname principal
kvno: KDC has no support for encryption type while getting credentials
for afs/cellname@REALM

kvno -e aes256-cts afs/cellname principal
afs/cellname@REALM: kvno = 1

> However, we have a problem in FreeIPA 4.x that an
> attempt to force only a specific encryption type in ipa-getkeytab is
> ignored and instead only enctypes from krbDefaultEncSaltTypes attribute
> are generated. This bug is tracked with
> https://fedorahosted.org/freeipa/ticket/4718
I use FreeIPA 3.3.5 with Fedora on the single IPA master.


cheers,
Andreas



Re: [Freeipa-users] FreeIPA Kerberos and Single-DES for OpenAFS

2014-11-17 Thread Andreas Ladanyi
>
>>>> Hi,
>>>>
>>>> I set up the 389 LDAP server to support des-cbc-crc enctype.
>>>>
>>>> I created a principal for OpenAFS. OpenAFS needs des-cbc-crc:v4
>>>> (single-DES). I created the principal with:
>>>>
>>>> kadmin.local -x ipa-setup-override-restrictions
>>> Please don't do this, use the ipa service-add and ipa-getkeytab
>>> commands instead.
>> I can't use ipa service-add, because for OpenAFS I need a service
>> principal called:
>>
>> afs/cellname@REALM, where the cellname could be any name. In my case the
>> cellname is the same as the domain name.
> [root@cc21 ~]# ipa host-add --force afs-cellname.ipacloud.test
> ---
> Added host "afs-cellname.ipacloud.test"
> ---
>  Host name: afs-cellname.ipacloud.test
>  Principal name: host/afs-cellname.ipacloud.t...@ipacloud.test
>  Password: False
>  Keytab: False
>  Managed by: afs-cellname.ipacloud.test
> [root@cc21 ~]# ipa service-add --force afs/afs-cellname
> --
> Added service "afs/afs-celln...@ipacloud.test"
> --
>  Principal: afs/afs-celln...@ipacloud.test
>  Managed by: afs-cellname.ipacloud.test
> [root@cc21 ~]# ipa service-show afs/afs-cellname
>  Principal: afs/afs-celln...@ipacloud.test
>  Keytab: False
>  Managed by: afs-cellname.ipacloud.test
> [root@cc21 ~]# ipa-getkeytab -s `hostname` -p afs/afs-cellname -k /tmp/afs.keytab
> Keytab successfully retrieved and stored in: /tmp/afs.keytab
>
> As you can see there is no problem at all -- all you need is to have a
> host entry with the same name as afs-cellname. Note that the host
> afs-cellname doesn't even need to exist in DNS.
>
> However, your primary problem would be in a different area. You'll need
> to enable weak crypto at KDC server, Kerberos clients, and LDAP servers.
>
> krb5.conf (on both IPA masters and clients):
> [libdefaults]
>  allow_weak_crypto = true
>
> /var/kerberos/krb5kdc/kdc.conf (on IPA masters):
> [realms]
> IPACLOUD.TEST = {
>   supported_enctypes = aes256-cts-hmac-sha1-96:normal
> aes128-cts-hmac-sha1-96:normal des3-cbc-sha1:normal
> arcfour-hmac-md5:normal des-cbc-crc:v4
> }
>
> Finally, you need to modify
> cn=IPACLOUD.TEST,cn=kerberos,dc=ipacloud,dc=test
> and add des-cbc-crc:v4 to supported Kerberos encryption types with
> krbSupportedEncSaltTypes
> attribute. You have to use ldapmodify as cn=Directory Manager for that
> as we don't allow admins to modify these entries directly.
>
> A simplified approach would be to use ipa-ldap-updater with your own
> update file (which should have a name like -.update where
>  is something between 01 and 90):
>
> [root@cc21 ~]# cat 20-weak-enctypes.update
> dn: cn=$REALM,cn=kerberos,$SUFFIX
> add: krbSupportedEncSaltTypes: des-cbc-crc:v4
>
> [root@cc21 ~]# ipa-ldap-updater ./20-weak-enctypes.update
> Directory Manager password:
> Parsing update file './20-weak-enctypes.update'
> Updating existing entry:
> cn=IPACLOUD.TEST,cn=kerberos,dc=ipacloud,dc=test
> Done
> The ipa-ldap-updater command was successful
>
> Only after that you'll get ipa-getkeytab to generate weaker encryption
> type-based keys. 

That's interesting. Now I can receive afs/cellname@REALM service tickets
with des-cbc-crc and aes256 keys on the client, but only when I execute:

kvno -e des-cbc-crc afs/cellname

If I execute aklog to obtain an AFS token from the TGT, I get an
afs/cellname@REALM service ticket without a des-cbc-crc key.

> However, we have a problem in FreeIPA 4.x that an
> attempt to force only a specific encryption type in ipa-getkeytab is
> ignored and instead only enctypes from krbDefaultEncSaltTypes attribute
> are generated. This bug is tracked with
> https://fedorahosted.org/freeipa/ticket/4718
>



Re: [Freeipa-users] FreeIPA Kerberos and Single-DES for OpenAFS

2014-11-18 Thread Andreas Ladanyi
Hi Simo,
>> That's interesting. Now I can receive afs/cellname@REALM service
>> tickets with des-cbc-crc and aes256 keys on the client, but only when I
>> execute:
>>
>> kvno -e des-cbc-crc afs/cellname
>>
>> If I execute aklog to obtain an AFS token from the TGT, I get an
>> afs/cellname@REALM service ticket without a des-cbc-crc key.
> This is probably because you got all default enctypes in the key, so
> the KDC is sending you a ticket with the strongest keytype for which it
> has a shared key with the service.
>
>>> However, we have a problem in FreeIPA 4.x that an
>>> attempt to force only a specific encryption type in ipa-getkeytab is
>>> ignored and instead only enctypes from krbDefaultEncSaltTypes
>>> attribute are generated. This bug is tracked with
>>> https://fedorahosted.org/freeipa/ticket/4718
> This is the bug that is causing your last issue ^^
>
> One way around it is to use an older ipa-getkeytab binary (like the one
> on RHEL 6) that uses the old setkeytab control.
>
> We are working on a fix upstream and will land it asap.
>
> Simo.
In the lines above I read that the bug is in FreeIPA 4.x.

Does this bug also apply to FreeIPA release 3.3.6 (which I use in
Fedora) or only to 4.x?

Thanks a lot,
Andreas







[Freeipa-users] ipa-getkeytab -e des3-hmac-sha1 doesnt work

2014-12-01 Thread Andreas Ladanyi
Hi,

Server: FreeIPA 3.3.5, Fedora 20
Client: Ubuntu 14.04

ipa-getkeytab -s freeipaserver -p principal@REALM  -k
/tmp/principal.keytab -e des3-hmac-sha1 -P

only results in:

klist -k /tmp/principal.keytab -e
Keytab name: FILE:/tmp/principal.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   5 principal@REALM (des3-cbc-sha1)


/var/kerberos/krb5kdc/kdc.conf:

[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88
 restrict_anonymous_to_tgt = true

[realms]
REALM = {
  master_key_type = aes256-cts
  max_life = 7d
  max_renewable_life = 14d
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  default_principal_flags = +preauth
;  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  pkinit_identity = FILE:/var/kerberos/krb5kdc/kdc.pem
  pkinit_anchors = FILE:/var/kerberos/krb5kdc/cacert.pem
  supported_enctypes = aes256-cts-hmac-sha1-96:normal
aes128-cts-hmac-sha1-96:normal des3-cbc-sha1:normal
arcfour-hmac-md5:normal des-cbc-crc:v4 des3-hmac-sha1:normal
 }

I added the "des3-hmac-sha1:normal" entry to the "supported_enctypes" parameter.

There are also attribute entries krbDefaultEncSaltTypes and
krbSupportedEncSaltTypes with the value "des3-hmac-sha1:normal" in 389 LDAP.


cheers,
Andreas




Re: [Freeipa-users] ipa-getkeytab -e des3-hmac-sha1 doesnt work

2014-12-02 Thread Andreas Ladanyi
> On Mon, 01 Dec 2014 11:53:11 +0100
> Andreas Ladanyi  wrote:
>
>> Hi,
>>
>> Server: FreeIPA 3.3.5, Fedora 20
>> Client: Ubuntu 14.04
>>
>> ipa-getkeytab -s freeipaserver -p principal@REALM  -k
>> /tmp/principal.keytab -e des3-hmac-sha1 -P
>>
>> only results in:
>>
>> klist -k /tmp/principal.keytab -e
>> Keytab name: FILE:/tmp/principal.keytab
>> KVNO Principal
> The 2 enctypes are equivalent and can be interchanged afaik.
>
> Simo.
>
Ok.

Another question: is it possible to generate keys with no salt instead
of the Version 5 (normal) salt?

I want to generate a des3 key with no salt:

ipa-getkeytab -s freeipaserver -p principal@REALM -k
/tmp/principal.keytab -e des3-hmac-sha1:v4 -P

The answer is:

Bad or unsupported salt type.
Failed to create key material

I configured des3-hmac-sha1:v4 in LDAP and in kdc.conf.


Andreas



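The check a practitioner wants after the exchanges above (the 2014-11-18 reply on why the KDC hands out the AES-encrypted ticket, and the klist -k -e output in the 2014-12-01 and 2014-12-02 posts) is a way to see, offline, which enctypes a keytab really contains and which of them are single-DES. The following Python is an added example and not FreeIPA, OpenAFS or MIT code: it writes and reads the MIT keytab file format (version 0x0502) and models the KDC's service-key choice as Simo describes it in the thread. The principal name, key bytes and enctype list are constructed for the example; pick_service_key is a simplified model of the described behaviour, not the KDC's actual code path.

```python
"""Offline check of a Kerberos keytab: which enctypes does each entry carry,
are any of them single-DES, and is a required enctype (e.g. des-cbc-crc for
OpenAFS) present at all? Added example, not FreeIPA or MIT code. The sample
keytab is constructed in-process by build_keytab(), so no KDC is involved;
principal names and key bytes are made up."""
import struct
import time

# Enctype numbers from the IANA Kerberos registry; names as klist -e prints them
ENCTYPES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac", 25: "camellia128-cts-cmac", 26: "camellia256-cts-cmac",
}
WEAK = {"des-cbc-crc", "des-cbc-md5"}   # single DES: refused unless allow_weak_crypto
KRB5_NT_PRINCIPAL = 1

def _cstr(b):
    """Counted octet string: big-endian uint16 length followed by the bytes."""
    return struct.pack(">H", len(b)) + b

def build_keytab(entries):
    """Serialise (principal, kvno, enctype number, key bytes) tuples as a
    version 0x0502 keytab: the realm is not counted in the component count,
    a name_type field is present, and a 32-bit kvno trails each entry."""
    out = b"\x05\x02"
    for princ, kvno, etype, key in entries:
        name, realm = princ.rsplit("@", 1)
        comps = [c.encode() for c in name.split("/")]
        body = struct.pack(">H", len(comps)) + _cstr(realm.encode())
        body += b"".join(_cstr(c) for c in comps)
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, int(time.time()), kvno & 0xFF)
        body += struct.pack(">H", etype) + _cstr(key)
        body += struct.pack(">I", kvno)          # 32-bit kvno overrides the 8-bit one
        out += struct.pack(">i", len(body)) + body
    return out

def parse_keytab(data):
    """Yield (principal, kvno, enctype name) for every live entry."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is handled here")
    pos = 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                             # negative size = deleted slot
            pos -= size
            continue
        end = pos + size
        ncomp, rlen = struct.unpack_from(">HH", data, pos)
        pos += 4
        realm = data[pos:pos + rlen].decode()
        pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, pos)
            pos += 2
            comps.append(data[pos:pos + clen].decode())
            pos += clen
        _ntype, _stamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        etype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4 + klen                          # skip the key material itself
        kvno = vno8
        if end - pos >= 4:                       # optional 32-bit kvno present
            (vno32,) = struct.unpack_from(">I", data, pos)
            kvno = vno32 or vno8
        pos = end
        yield "/".join(comps) + "@" + realm, kvno, ENCTYPES.get(etype, "etype-%d" % etype)

def audit(data, required=()):
    """Return every entry, the weak ones, and required enctypes with no key."""
    entries = list(parse_keytab(data))
    present = {e[2] for e in entries}
    return {"entries": entries,
            "weak": [e for e in entries if e[2] in WEAK],
            "missing": [r for r in required if r not in present]}

def pick_service_key(requested, available):
    """Simplified model of the KDC behaviour described in the thread: the
    ticket is encrypted with the first enctype in the client's request list
    for which the service has a key. 'kvno -e des-cbc-crc' narrows the
    request to a single enctype; aklog/kinit send the full default list."""
    return next((et for et in requested if et in available), None)

# Constructed sample: one AFS service principal with an AES key and a DES key
SAMPLE = build_keytab([
    ("afs/cell.example.test@EXAMPLE.TEST", 1, 18, b"\x11" * 32),
    ("afs/cell.example.test@EXAMPLE.TEST", 1, 1, b"\x22" * 8),
])

if __name__ == "__main__":
    report = audit(SAMPLE, required=["des-cbc-crc"])
    for princ, kvno, et in report["entries"]:
        print("%4d %s (%s)" % (kvno, princ, et))
    print("weak keys:", [e[2] for e in report["weak"]], "missing:", report["missing"])
```

Feed parse_keytab() the bytes of a real keytab such as the /tmp/afs.keytab from the thread and audit(..., required=["des-cbc-crc"]) reports whether the single-DES key made it into the file at all. If it did and the ticket is still AES-encrypted, pick_service_key shows why: the client's default request list names AES first and the KDC has an AES key for the service, so only a request restricted to des-cbc-crc yields the DES ticket.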

[Freeipa-users] Cross-Realm authentification

2014-12-03 Thread Andreas Ladanyi
Hi,

I am trying to set up a cross-realm relationship.

Generated krbtgt cross-realm principals on both KDCs with the same
password and kvno:

krbtgt/REALM_B (MIT Kerberos)@REALM_A (FreeIPA 3.3.5)
krbtgt/REALM_A@REALM_B

getprinc on REALM_A KDC for principal krbtgt/REALM_B@REALM_A:

Number of keys: 4
Key: vno 1, aes256-cts-hmac-sha1-96, Version 5
Key: vno 1, aes128-cts-hmac-sha1-96, Version 5
Key: vno 1, des3-cbc-sha1, Version 5
Key: vno 1, arcfour-hmac, Version 5
MKey: vno 1

getprinc on REALM_A KDC for principal krbtgt/REALM_A@REALM_B:

Number of keys: 4
Key: vno 1, aes256-cts-hmac-sha1-96, Version 5
Key: vno 1, aes128-cts-hmac-sha1-96, Version 5
Key: vno 1, des3-cbc-sha1, Version 5
Key: vno 1, arcfour-hmac, Version 5
MKey: vno 1

getprinc on REALM_B KDC for principal krbtgt/REALM_B@REALM_A:

Number of keys: 6
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Key: vno 1, DES cbc mode with RSA-MD5, Version 4
Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - No Realm
Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - Realm Only
Key: vno 1, DES cbc mode with RSA-MD5, AFS version 3
MKey: vno 1

getprinc on REALM_B KDC for principal krbtgt/REALM_A@REALM_B:

Number of keys: 6
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Key: vno 1, DES cbc mode with RSA-MD5, Version 4
Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - No Realm
Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - Realm Only
Key: vno 1, DES cbc mode with RSA-MD5, AFS version 3
MKey: vno 1


I set up the [capaths] section in the krb5.conf client config:

[capaths]
REALM_A = {
    REALM_B = .
}
REALM_B = {
    REALM_A = .
}



TEST for the REALM_B (FreeIPA) System:

1. kinit user: get a krbtgt/REALM_B@REALM_B

2. kvno krbtgt/REALM_A@REALM_B: get cross-realm ticket
krbtgt/REALM_A@REALM_B: kvno = 1

3. kvno host/( FQDN of host in REALM_A )@REALM_A:
kvno: KDC returned error string: PROCESS_TGS while getting credentials
for host/( FQDN of host in REALM_A )@REALM_A.

4. kvno user@REALM_A:
kvno: KDC returned error string: PROCESS_TGS while getting credentials
for user@REALM_A.


Because I get a cross-realm ticket in step 2, I am of the opinion that I set
up the cross-realm ticket correctly on both sides. I think only steps 3/4 are
the problem, because I don't get tickets for a user/host principal in REALM_A.


Any ideas?

Andreas





Re: [Freeipa-users] Cross-Realm authentification

2014-12-04 Thread Andreas Ladanyi
On 03.12.2014 at 14:53, Alexander Bokovoy wrote:
> On Wed, 03 Dec 2014, Andreas Ladanyi wrote:
>> Hi,
>>
>> I am trying to set up a cross-realm relationship.
>>
>> Generated krbtgt cross-realm principals on both KDCs with the same
>> password and kvno:
>>
>> krbtgt/REALM_B (MIT Kerberos)@REALM_A (FreeIPA 3.3.5)
>> krbtgt/REALM_A@REALM_B
>>
>> getprinc on REALM_A KDC for principal krbtgt/REALM_B@REALM_A:
>>
>> Number of keys: 4
>> Key: vno 1, aes256-cts-hmac-sha1-96, Version 5
>> Key: vno 1, aes128-cts-hmac-sha1-96, Version 5
>> Key: vno 1, des3-cbc-sha1, Version 5
>> Key: vno 1, arcfour-hmac, Version 5
>> MKey: vno 1
>>
>> getprinc on REALM_A KDC for principal krbtgt/REALM_A@REALM_B:
>>
>> Number of keys: 4
>> Key: vno 1, aes256-cts-hmac-sha1-96, Version 5
>> Key: vno 1, aes128-cts-hmac-sha1-96, Version 5
>> Key: vno 1, des3-cbc-sha1, Version 5
>> Key: vno 1, arcfour-hmac, Version 5
>> MKey: vno 1
>>
>> getprinc on REALM_B KDC for principal krbtgt/REALM_B@REALM_A:
>>
>> Number of keys: 6
>> Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
>> Key: vno 1, DES cbc mode with CRC-32, no salt
>> Key: vno 1, DES cbc mode with RSA-MD5, Version 4
>> Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - No Realm
>> Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - Realm Only
>> Key: vno 1, DES cbc mode with RSA-MD5, AFS version 3
>> MKey: vno 1
>>
>> getprinc on REALM_B KDC for principal krbtgt/REALM_A@REALM_B:
>>
>> Number of keys: 6
>> Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
>> Key: vno 1, DES cbc mode with CRC-32, no salt
>> Key: vno 1, DES cbc mode with RSA-MD5, Version 4
>> Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - No Realm
>> Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - Realm Only
>> Key: vno 1, DES cbc mode with RSA-MD5, AFS version 3
>> MKey: vno 1
>>
>>
>> I set up the [capaths] section in the krb5.conf client config:
>>
>> [capaths]
>> REALM_A = {
>>     REALM_B = .
>> }
>> REALM_B = {
>>     REALM_A = .
>> }
> You need this section on both realm's KDCs.
>
>

I have done this now on all (2) KDCs without a restart of the Kerberos
service. The error message is the same as in my first mail.

-- 

Dipl.-Ing. (FH) Andreas Ladanyi

ATIS - Department of Technical Infrastructure, Faculty of Informatics
Karlsruher Institut für Technologie (KIT)

Am Fasanengarten 5, Building 50.34, Room 013
76131 Karlsruhe
Phone: +49 721 608-43663

E-Mail: andreas.lada...@kit.edu

www.atis.informatik.kit.edu
www.kit.edu

KIT - University of the State of Baden-Württemberg and National Research Center
of the Helmholtz Association





Re: [Freeipa-users] Cross-Realm authentification

2014-12-05 Thread Andreas Ladanyi

> I'm also getting errors but they are different to yours. Here is what I
> did:
>
> (on master.f21.test, realm F21.TEST):
> [root@master ~]# kadmin.local -x ipa-setup-override-restrictions -r
> F21.TEST
> Authenticating as principal root/ad...@f21.test with password.
> kadmin.local:  addprinc -requires_preauth krbtgt/IPA5.TEST
> WARNING: no policy specified for krbtgt/ipa5.t...@f21.test; defaulting
> to no policy
> Enter password for principal "krbtgt/ipa5.t...@f21.test": Re-enter
> password for principal "krbtgt/ipa5.t...@f21.test": Principal
> "krbtgt/ipa5.t...@f21.test" created.
> kadmin.local:  addprinc -requires_preauth krbtgt/f21.t...@ipa5.test
> WARNING: no policy specified for krbtgt/f21.t...@ipa5.test; defaulting
> to no policy
> Enter password for principal "krbtgt/f21.t...@ipa5.test": Re-enter
> password for principal "krbtgt/f21.t...@ipa5.test": Principal
> "krbtgt/f21.t...@ipa5.test" created.
> kadmin.local:  q
>
> added following to the /etc/krb5.conf:
> [libdefaults]
> dns_lookup_realm = true
>
> [domain_realms]
> .ipa5.test = IPA5.TEST
> ipa5.test = IPA5.TEST
Why only one domain and one realm if you have two REALMs?

At this point I have another question:

I have 2 REALMs and one DNS domain.

.domainname_X = REALM A
domainname_X = REALM A
.domainname_X = REALM B
domainname_X = REALM B

Could this work cleanly?



On my first "kvno -S host hostname_in_foreign_domain" I saw that the
temporary realm wasn't chosen correctly. So I had to delete one REALM
entry in the domain_realm section to get kvno -S to choose the correct
(foreign) temporary realm.



>
> [capaths]
> F21.TEST = {  IPA5.TEST = . }
> IPA5.TEST = {  F21.TEST = . }
>
>
>
> (on ipa-05-m.ipa5.test, realm IPA5.TEST):
> [root@ipa-05-m ~]# kadmin.local -x ipa-setup-override-restrictions -r
> IPA5.TEST
> Authenticating as principal admin/ad...@ipa5.test with password.
> kadmin.local:  addprinc -requires_preauth krbtgt/F21.TEST
> WARNING: no policy specified for krbtgt/f21.t...@ipa5.test; defaulting
> to no policy
> Enter password for principal "krbtgt/f21.t...@ipa5.test": Re-enter
> password for principal "krbtgt/f21.t...@ipa5.test": Principal
> "krbtgt/f21.t...@ipa5.test" created.
> kadmin.local:  addprinc -requires_preauth krbtgt/ipa5.t...@f21.test
> WARNING: no policy specified for krbtgt/ipa5.t...@f21.test; defaulting
> to no policy
> Enter password for principal "krbtgt/ipa5.t...@f21.test": Re-enter
> password for principal "krbtgt/ipa5.t...@f21.test": Principal
> "krbtgt/ipa5.t...@f21.test" created.
> kadmin.local:  q
>
OK, I see one difference: I didn't use the "-requires_preauth" flag. Why
did you use it?
> and similar changes to /etc/krb5.conf.
>
> Then I tried to get a ticket to host/master.f21.t...@f21.test while
> being an ad...@ipa5.test:
I tried this out on the IPA box to connect to the non-IPA box (foreign
realm).
>
> [root@ipa-05-m ~]# kinit admin
> Password for ad...@ipa5.test: [root@ipa-05-m ~]#
> KRB5_TRACE=/dev/stderr kvno -S host master.f21.test
> [22351] 1417689782.154516: Convert service host (service with host as
> instance) on host master.f21.test to principal
> [22351] 1417689782.158724: Remote host after forward canonicalization:
> master.f21.test
> [22351] 1417689782.158814: Remote host after reverse DNS processing:
> master.f21.test
> [22351] 1417689782.158849: Get host realm for master.f21.test
> [22351] 1417689782.158899: Use local host master.f21.test to get host
> realm
> [22351] 1417689782.158946: Look up master.f21.test in the domain_realm
> map
> [22351] 1417689782.158999: Look up .f21.test in the domain_realm map
> [22351] 1417689782.159023: Temporary realm is F21.TEST
> [22351] 1417689782.159044: Got realm F21.TEST for host master.f21.test
> [22351] 1417689782.159071: Got service principal
> host/master.f21.t...@f21.test
> [22351] 1417689782.159098: Getting credentials ad...@ipa5.test ->
> host/master.f21.t...@f21.test using ccache KEYRING:persistent:0:0
> [22351] 1417689782.159237: Retrieving ad...@ipa5.test ->
> host/master.f21.t...@f21.test from KEYRING:persistent:0:0 with result:
> -1765328243/Matching credential not found
> [22351] 1417689782.159297: Retrieving ad...@ipa5.test ->
> krbtgt/f21.t...@ipa5.test from KEYRING:persistent:0:0 with result:
> -1765328243/Matching credential not found
> [22351] 1417689782.159411: Retrieving ad...@ipa5.test ->
> krbtgt/ipa5.t...@ipa5.test from KEYRING:persistent:0:0 with result:
> 0/Success
> [22351] 1417689782.159453: Starting with TGT for client realm:
> ad...@ipa5.test -> krbtgt/ipa5.t...@ipa5.test
> [22351] 1417689782.159502: Retrieving ad...@ipa5.test ->
> krbtgt/f21.t...@ipa5.test from KEYRING:persistent:0:0 with result:
> -1765328243/Matching credential not found
> [22351] 1417689782.159530: Requesting TGT krbtgt/f21.t...@ipa5.test
> using TGT krbtgt/ipa5.t...@ipa5.test
> [22351] 1417689782.159576: Generated subkey for TGS request:
> aes256-cts/54E6
> [22351] 1417689782.159628: etypes requested in TGS request:
> aes256-cts, aes128-cts, des3-cbc

Re: [Freeipa-users] Cross-Realm authentification

2014-12-05 Thread Andreas Ladanyi
On 05.12.2014 at 14:04, Alexander Bokovoy wrote:
>

>>> OK, I see one difference: I didn't use the "-requires_preauth" flag. Why
>>> did you use it?
>> Because this is recommended by MIT documentation. The link between
>> realms has to be protected well, including preauth and good passwords
>> for the cross-realm principals.
>>
>>
>>> Is it possible or a good idea to add my trust domain, which isn't an AD
>>> domain, manually to IPA 3.3?
>> Well, you can hack of course, that's up to you. I haven't checked that
>> myself and cannot give you definitive answer on this path, though.
At this time I have no idea of the detailed steps for how to do that.
>>


>>>> We may reconsider this check and instead of KRB5KRB_AP_ERR_ILL_CR_TKT
>>>> return KRB5_PLUGIN_NO_HANDLE to allow fallback to krb5.conf-defined
>>>> capaths but I remember we had some issues with krb5 versions prior to
>>>> 1.12 where capaths from krb5.conf were blocking work of the DAL
>>>> driver.
>>> I use MIT Kerberos 1.6 from OpenCSW on Solaris and FreeIPA 3.3.5. So
>>> this shouldn't be a problem?!
Sorry, I made a little typing mistake. The foreign realm is MIT Kerberos
1.9.2 and not 1.6.
>> 1.6 does not support cross-realm communication as support for RFC6806
>> was added only in 1.7. So I don't think your setup would have any chance
>> to work at all.
> Hm.. on the other hand, 1.6 documentation talks about it:
> http://web.mit.edu/kerberos/krb5-1.6/krb5-1.6.3/doc/krb5-admin.html#Cross_002drealm-Authentication
>
> So may be their changelogs aren't as complete as they should be. :)
>
> With the link above you can also see that disabling preauth on the
> cross-realm krbtgt records is recommended.
>
> But I think most of your issues were because of the 88 port not being
> available and no other means to traverse firewall were configured. 
I will look particularly for that.

There is no firewall between the two KDCs.

> That
> is, aside from the fact that IPA will reject cross-realm tickets because
> of how we programmed DAL driver as I explained above.


I don't know in detail what the DAL is doing.

OK, it sounds like with IPA my setup won't be very easy :-)



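To make the cross-realm lookups in the two 2014-12-05 messages above concrete (which realm kvno -S picks for a host, why one DNS domain cannot be mapped to two realms, and which krbtgt tickets a capaths entry implies), here is an added Python model that is not MIT krb5 or FreeIPA code. It parses a krb5.conf fragment with [domain_realm] and [capaths] sections in the thread's style, resolves a host name to a realm the way the krb5.conf documentation describes (exact name first, then parent domains with a leading dot) and lists the ticket chain the client has to request, matching the order seen in Alexander's KRB5_TRACE output. Realm and host names are made up; DNS-based realm lookup (dns_lookup_realm) and the IPA DAL rejection of cross-realm tickets that Alexander mentions are outside the model.

```python
"""Model of the two krb5.conf lookups behind the cross-realm trace in the
thread: [domain_realm] (host name -> realm) and [capaths] (client realm ->
server realm -> intermediate realms). Added example, not MIT or FreeIPA code;
it follows the documented krb5.conf semantics and uses made-up realm and host
names. It does not model dns_lookup_realm or a KDC's own policy (such as the
FreeIPA DAL check mentioned in the thread)."""

def parse_krb5_conf(text):
    """Minimal parser for [domain_realm] and [capaths], one directive per line.
    Returns (domain_realm, duplicates, capaths); duplicates lists domain_realm
    keys mapped to more than one realm, which the two-realms-one-domain idea
    from the thread would produce. Other sections are ignored."""
    domain_realm, dups, capaths = {}, [], {}
    section = subkey = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line[0] == "[" and line[-1] == "]":
            section, subkey = line[1:-1], None
        elif line == "}":
            subkey = None
        else:
            key, _, val = (p.strip() for p in line.partition("="))
            if section == "domain_realm":
                if key in domain_realm and domain_realm[key] != val:
                    dups.append(key)
                domain_realm.setdefault(key, val)      # keep the first mapping
            elif section == "capaths":
                if val == "{":
                    subkey = key
                    capaths.setdefault(subkey, {})
                elif subkey:
                    capaths[subkey].setdefault(key, []).append(val)
    return domain_realm, dups, capaths

def host_realm(hostname, domain_realm, default_realm):
    """Exact host name first, then each parent domain with a leading dot,
    as documented for [domain_realm]; otherwise the default realm."""
    host = hostname.lower().rstrip(".")
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        key = "." + ".".join(labels[i:])
        if key in domain_realm:
            return domain_realm[key]
    return default_realm

def cross_realm_chain(client_realm, server_realm, capaths):
    """krbtgt principals the client must obtain, in order, to reach
    server_realm. A capaths value of '.' means a direct trust; any other
    values are the intermediate realms to traverse. None = no path."""
    chain = ["krbtgt/%s@%s" % (client_realm, client_realm)]
    if client_realm == server_realm:
        return chain
    hops = capaths.get(client_realm, {}).get(server_realm)
    if hops is None:
        return None
    prev = client_realm
    for hop in [h for h in hops if h != "."] + [server_realm]:
        chain.append("krbtgt/%s@%s" % (hop, prev))
        prev = hop
    return chain

def ticket_path(client_principal, service, host, conf_text, default_realm):
    """Every ticket needed for client_principal to talk to service/host,
    ending with the service ticket itself; None if capaths has no route."""
    domain_realm, _, capaths = parse_krb5_conf(conf_text)
    client_realm = client_principal.rsplit("@", 1)[1]
    server_realm = host_realm(host, domain_realm, default_realm)
    chain = cross_realm_chain(client_realm, server_realm, capaths)
    if chain is None:
        return None
    return chain + ["%s/%s@%s" % (service, host, server_realm)]

# Constructed config: an IPA realm and an MIT realm with a direct trust
SAMPLE_CONF = """
[domain_realm]
 .ipa.example.test = IPA.EXAMPLE.TEST
 ipa.example.test = IPA.EXAMPLE.TEST
 .mit.example.test = MIT.EXAMPLE.TEST
 mit.example.test = MIT.EXAMPLE.TEST
[capaths]
 IPA.EXAMPLE.TEST = {
   MIT.EXAMPLE.TEST = .
 }
 MIT.EXAMPLE.TEST = {
   IPA.EXAMPLE.TEST = .
 }
"""

if __name__ == "__main__":
    for t in ticket_path("admin@IPA.EXAMPLE.TEST", "host",
                         "kdc.mit.example.test", SAMPLE_CONF, "IPA.EXAMPLE.TEST"):
        print(t)
```

Running it prints the local TGT, the cross-realm TGT krbtgt/MIT.EXAMPLE.TEST@IPA.EXAMPLE.TEST and finally the host ticket in the foreign realm, the same three steps the KRB5_TRACE in the thread walks through. Mapping the same domain key to two realms is reported in the duplicates list rather than silently picking one, which is the situation behind the "temporary realm wasn't chosen correctly" observation.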