[Freeipa-users] one step away from having freeipa work with vsphere ldap
Hello,
I'm quite near to having users and groups working using ipa 3.3 as in CentOS 7, as this gives the ability to do binds against the compat tree. This is with the use of schema compatibility.
The last step I need is getting the components of groups so that vSphere can enforce group membership permissions over the user set.
The query from vSphere after my modifications, when it searches for users belonging to groups, is sort of:

  ldapsearch -x -b cn=groups,cn=compat,dc=localdomain,dc=local ((objectClass=groupOfUniqueNames)(uniqueMember=uid=gcecchi,cn=users,cn=compat,dc=localdomain,dc=local))

so I provided an ldif modification for cn=groups,cn=compat this way:

  schema-compat-entry-attribute: uniqueMember=%{member}

but this produces something like this when I query, for example, a created group named esxpower to be used for power users:

  # esxpower, groups, compat, localdomain.local
  dn: cn=esxpower,cn=groups,cn=compat,dc=localdomain,dc=local
  objectClass: posixGroup
  objectClass: groupOfUniqueNames
  objectClass: top
  gidNumber: 163966
  memberUid: gcecchi
  memberUid: vadmin
  uniqueMember: uid=gcecchi,cn=users,cn=accounts,dc=localdomain,dc=local
  uniqueMember: uid=vadmin,cn=users,cn=accounts,dc=localdomain,dc=local
  cn: esxpower

So the problem is that I have to change the entry

  schema-compat-entry-attribute: uniqueMember=%{member}

with a sort of function that gives cn=compat instead of cn=accounts in the line

  uniqueMember: uid=gcecchi,cn=users,cn=accounts,dc=localdomain,dc=local

I also read /usr/share/doc/slapi-nis-0.52/format-specifiers.txt but I didn't come to a sort of substitute function so that I can change %{member} with the same but with the compat word instead of accounts.
I plan to detail all my steps once I can accomplish this.

Thanks in advance,
Gianluca

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] one step away from having freeipa work with vsphere ldap
On Sun, Dec 7, 2014 at 3:44 PM, Gianluca Cecchi gianluca.cec...@gmail.com wrote:
> Hello,
> I'm quite near to having users and groups working using ipa 3.3 as in CentOS 7, as this gives the ability to do binds against the compat tree. This is with the use of schema compatibility.
> The last step I need is getting the components of groups so that vSphere can enforce group membership permissions over the user set.
> The query from vSphere after my modifications, when it searches for users belonging to groups, is sort of:
>
>   ldapsearch -x -b cn=groups,cn=compat,dc=localdomain,dc=local ((objectClass=groupOfUniqueNames)(uniqueMember=uid=gcecchi,cn=users,cn=compat,dc=localdomain,dc=local))
>
> so I provided an ldif modification for cn=groups,cn=compat this way:
>
>   schema-compat-entry-attribute: uniqueMember=%{member}
>
> but this produces something like this when I query, for example, a created group named esxpower to be used for power users:
>
>   # esxpower, groups, compat, localdomain.local
>   dn: cn=esxpower,cn=groups,cn=compat,dc=localdomain,dc=local
>   objectClass: posixGroup
>   objectClass: groupOfUniqueNames
>   objectClass: top
>   gidNumber: 163966
>   memberUid: gcecchi
>   memberUid: vadmin
>   uniqueMember: uid=gcecchi,cn=users,cn=accounts,dc=localdomain,dc=local
>   uniqueMember: uid=vadmin,cn=users,cn=accounts,dc=localdomain,dc=local
>   cn: esxpower
>
> So the problem is that I have to change the entry
>
>   schema-compat-entry-attribute: uniqueMember=%{member}
>
> with a sort of function that gives cn=compat instead of cn=accounts in the line
>
>   uniqueMember: uid=gcecchi,cn=users,cn=accounts,dc=localdomain,dc=local
>
> I also read /usr/share/doc/slapi-nis-0.52/format-specifiers.txt but I didn't come to a sort of substitute function so that I can change %{member} with the same but with the compat word instead of accounts.
> I plan to detail all my steps once I can accomplish this.
>
> Thanks in advance,
> Gianluca

Tried with

  schema-compat-entry-attribute: uniqueMember=%regsub(%{member},^(.*)accounts(.*),%1compat%2)

but it seems it works with some groups (the system groups) but not with the other ones I have created...

  ldapsearch -x -b cn=groups,cn=compat,dc=localdomain,dc=local

gives

  # admins, groups, compat, localdomain.local
  dn: cn=admins,cn=groups,cn=compat,dc=localdomain,dc=local
  objectClass: posixGroup
  objectClass: groupOfUniqueNames
  objectClass: top
  gidNumber: 163960
  memberUid: admin
  uniqueMember: uid=admin,cn=users,cn=compat,dc=localdomain,dc=local
  cn: admins

but in the esxpower group I see only the memberUid entries and not the uniqueMember entry:

  # esxpower, groups, compat, localdomain.local
  dn: cn=esxpower,cn=groups,cn=compat,dc=localdomain,dc=local
  objectClass: posixGroup
  objectClass: groupOfUniqueNames
  objectClass: top
  gidNumber: 163966
  memberUid: gcecchi
  memberUid: vadmin
  cn: esxpower

Gianluca
[Freeipa-users] Problem adding group after update IPA from CentOS 6.6 to 7.0
Hello,
I followed the guide here to migrate IPA from CentOS 6.6 to CentOS 7.0:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html

Now, adding a group from the console with the command ipa group-add I get this kind of error:

  ipa: ERROR: Operations error: Allocation of a new value for range cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed! Unable to proceed.

The same if I add from the web GUI without specifying a GID. Instead, if I specify a GID it gets completed, both from the console and the web GUI:

  [root@c7server slapd-LOCALDOMAIN-LOCAL]# ipa group-add --gid 163969
  Group name: mynewgroup
  Description: My New Group
  ---
  Added group mynewgroup
  ---
  Group name: mynewgroup
  Description: My New Group
  GID: 163969

I notice that previously created groups (from the command line) in 6.5 got GIDs starting from 163961. The system generated groups admins and editors have 163960 and 163962.
My dna config in the migrated CentOS 7 server is this:

  dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
  objectClass: top
  objectClass: extensibleObject
  cn: Posix IDs
  dnaType: uidNumber
  dnaType: gidNumber
  dnaNextValue: 1101
  dnaMaxValue: 1100
  dnaMagicRegen: -1
  dnaFilter: (|(objectClass=posixAccount)(objectClass=posixGroup)(objectClass=ipaIDobject))
  dnaScope: dc=localdomain,dc=local
  dnaThreshold: 500
  dnaSharedCfgDN: cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=localdomain,dc=local
  creatorsName: cn=directory manager
  modifiersName: cn=directory manager
  createTimestamp: 20141206144811Z
  modifyTimestamp: 20141206144811Z
  aci: (targetattr=dnaNextRange || dnaNextValue || dnaMaxValue)(version 3.0;acl permission:Modify DNA Range;allow (write) groupdn = ldap:///cn=Modify DNA Range,cn=permissions,cn=pbac,dc=localdomain,dc=local;)

My CentOS 6.5 server was created with the command ipa-server-install without any options.
And after install, the creation of the first userid got this output:

  [root@infra install]# ipa user-add
  First name: Gianluca
  Last name: Cecchi
  User login [gcecchi]:
  Added user gcecchi
  User login: gcecchi
  First name: Gianluca
  Last name: Cecchi
  Full name: Gianluca Cecchi
  Display name: Gianluca Cecchi
  Initials: GC
  Home directory: /home/gcecchi
  GECOS field: Gianluca Cecchi
  Login shell: /bin/sh
  Kerberos principal: gcecchi@LOCALDOMAIN.LOCAL
  Email address: gcecchi@localdomain.local
  UID: 163961
  GID: 163961
  Password: False
  Kerberos keys available: False

So the GID was autoset to 163961.
Could it be that a sort of dnaNextRange: was not migrated from CentOS 6.5 to CentOS 7.0?
I found this kind of information in the manual about adding ranges...

  ldapmodify -x -D cn=Directory Manager -W -h server.example.com -p 389
  Enter LDAP Password: ***
  dn: cn=POSIX IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
  changetype: modify
  add: dnaNextRange
  dnaNextRange: 12340-12350

But I also see in the CentOS 7 config this line that I don't understand...

  aci: (targetattr=dnaNextRange || dnaNextValue || dnaMaxValue)(version 3.0;acl permission:Modify DNA Range;allow (write) groupdn = ldap:///cn=Modify DNA Range,cn=permissions,cn=pbac,dc=localdomain,dc=local;)

Inside the log file about the required schema update for CentOS 6.5, to be run before creating the replica for CentOS 7, I see:

  2014-12-06T11:42:10Z INFO Updating existing entry: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
  2014-12-06T11:42:10Z DEBUG -
  2014-12-06T11:42:10Z DEBUG Initial value
  2014-12-06T11:42:10Z DEBUG dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
  2014-12-06T11:42:10Z DEBUG dnascope: dc=localdomain,dc=local
  2014-12-06T11:42:10Z DEBUG dnathreshold: 500
  2014-12-06T11:42:10Z DEBUG cn: Posix IDs
  2014-12-06T11:42:10Z DEBUG objectclass:
  2014-12-06T11:42:10Z DEBUG top
  2014-12-06T11:42:10Z DEBUG extensibleObject
  2014-12-06T11:42:10Z DEBUG dnanextvalue: 163968
  2014-12-06T11:42:10Z DEBUG dnamagicregen: 999
  2014-12-06T11:42:10Z DEBUG dnafilter: (|(objectClass=posixAccount)(objectClass=posixGroup)(objectClass=ipaIDobject))
  2014-12-06T11:42:10Z DEBUG dnatype:
  2014-12-06T11:42:10Z DEBUG uidNumber
  2014-12-06T11:42:10Z DEBUG gidNumber
  2014-12-06T11:42:10Z DEBUG dnamaxvalue: 163979
  2014-12-06T11:42:10Z DEBUG dnasharedcfgdn: cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=localdomain,dc=local
  2014-12-06T11:42:10Z DEBUG replace: (|(objectclass=posixAccount)(objectClass=posixGroup)) not found, skipping
  2014-12-06T11:42:10Z DEBUG -
  2014-12-06T11:42:10Z DEBUG Final value after applying updates
  2014-12-06T11:42:10Z DEBUG dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
  2014-12-06T11:42:10Z DEBUG dnascope: dc=localdomain,dc=local
Re: [Freeipa-users] Problem adding group after update IPA from CentOS 6.6 to 7.0
On Mon, Dec 8, 2014 at 3:47 PM, Gianluca Cecchi gianluca.cec...@gmail.com wrote:
> Hello,
> I followed the guide here to migrate IPA from CentOS 6.6 to CentOS 7.0:
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html
> Now, adding a group from the console with the command ipa group-add I get this kind of error:
>
>   ipa: ERROR: Operations error: Allocation of a new value for range cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed! Unable to proceed.

Based on the info in the log of the CentOS 6.5 system, at the moment I solved the problem this way and it seems it works. Let me know if you think I misunderstood anything.

Created /root/dna_addrange.ldif:

  dn: cn=POSIX IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
  changetype: modify
  add: dnaNextRange
  dnaNextRange: 163961-163979
  -

  [root@c7server slapd-LOCALDOMAIN-LOCAL]# ldapmodify -x -D cn=Directory Manager -f /root/dna_addrange.ldif -W
  Enter LDAP Password:
  modifying entry cn=POSIX IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config

Now the group create command automatically inserts an unallocated GID, 163965:

  [root@c7server slapd-LOCALDOMAIN-LOCAL]# ipa group-add
  Group name: testgroup
  Description: test group per generazione gid
  ---
  Added group testgroup
  ---
  Group name: testgroup
  Description: test group per generazione gid
  GID: 163965

Gianluca
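An added example that serves both threads above (it is not code from the messages, from FreeIPA or from slapi-nis): it reads the LDIF that ldapsearch prints, checks each compat group for the uniqueMember shape that vSphere searches for (DNs under cn=compat, or no uniqueMember generated at all, which is the esxpower symptom of the first thread), and reports whether the DNA "Posix IDs" entry can still allocate an ID (dnaNextValue 1101 past dnaMaxValue 1100 with no dnaNextRange is exactly the ipa group-add failure of this thread). The sample LDIF is constructed from entries quoted in the threads; the esxfirst group and its GID are invented for illustration, and the member rewrite imitates the slapi-nis specifier %regsub(%{member},^(.*)accounts(.*),%1compat%2) with Python's re module rather than calling slapi-nis.

```python
"""Compat-group and DNA-range checks for a FreeIPA server (added example).

Not code from the threads, FreeIPA or slapi-nis. The LDIF below is
constructed from entries quoted in the threads (esxfirst is invented);
rewrite_member_dn() imitates the slapi-nis specifier
    %regsub(%{member},^(.*)accounts(.*),%1compat%2)
with Python's re module. On a real server, pass the output of
ldapsearch for cn=groups,cn=compat,... and for the DNA entry in cn=config.
"""
import re

MEMBER_REWRITE = re.compile(r"^(.*)accounts(.*)$")


def rewrite_member_dn(dn):
    """Same greedy regex rewrite the regsub specifier applies to %{member}."""
    return MEMBER_REWRITE.sub(r"\g<1>compat\g<2>", dn)


def parse_ldif(text):
    """Minimal LDIF reader -> list of {attribute: [values]} dicts.
    Handles '#' comments and folded continuation lines; base64 ('::')
    values are left undecoded."""
    entries, current, last = [], {}, None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if not raw.strip():                 # blank line closes an entry
            if current:
                entries.append(current)
            current, last = {}, None
            continue
        if raw.startswith(" ") and last:    # folded continuation line
            current[last][-1] += raw[1:]
            continue
        attr, _, value = raw.partition(":")
        last = attr.strip()
        current.setdefault(last, []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def check_group(entry):
    """Findings for one compat group: a uniqueMember still under cn=accounts
    (vSphere filters on cn=compat DNs, so it never matches), or members
    present but no uniqueMember generated at all."""
    findings = []
    members = entry.get("uniqueMember", [])
    for dn in members:
        if "cn=accounts" in dn:
            findings.append("uniqueMember under cn=accounts: %s (expected %s)"
                            % (dn, rewrite_member_dn(dn)))
    if entry.get("memberUid") and not members:
        findings.append("memberUid present but no uniqueMember generated")
    return findings


def check_groups(text):
    """Map group cn -> findings for every entry in an ldapsearch dump."""
    return {e["cn"][0]: check_group(e) for e in parse_ldif(text) if "cn" in e}


def dna_status(entry):
    """Say whether the DNA 'Posix IDs' entry can still allocate an ID.
    Allocation fails once dnaNextValue is past dnaMaxValue and no
    dnaNextRange is queued, which is what the ipa group-add error shows."""
    nxt, mx = int(entry["dnaNextValue"][0]), int(entry["dnaMaxValue"][0])
    if nxt <= mx:
        return "ok: %d ids left in current range" % (mx - nxt + 1)
    if entry.get("dnaNextRange"):
        return "ok: range exhausted, dnaNextRange %s queued" % entry["dnaNextRange"][0]
    return "exhausted: dnaNextValue %d > dnaMaxValue %d, no dnaNextRange" % (nxt, mx)


SAMPLE_GROUPS = """\
# admins, groups, compat, localdomain.local (quoted in the thread)
dn: cn=admins,cn=groups,cn=compat,dc=localdomain,dc=local
gidNumber: 163960
memberUid: admin
uniqueMember: uid=admin,cn=users,cn=compat,dc=localdomain,dc=local
cn: admins

# esxpower, groups, compat, localdomain.local (quoted: regsub attempt, no uniqueMember)
dn: cn=esxpower,cn=groups,cn=compat,dc=localdomain,dc=local
gidNumber: 163966
memberUid: gcecchi
memberUid: vadmin
cn: esxpower

# esxfirst (constructed: what plain uniqueMember=%{member} produces)
dn: cn=esxfirst,cn=groups,cn=compat,dc=localdomain,dc=local
gidNumber: 163970
memberUid: gcecchi
uniqueMember: uid=gcecchi,cn=users,cn=accounts,dc=localdomain,dc=local
cn: esxfirst
"""

SAMPLE_DNA = """\
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
cn: Posix IDs
dnaNextValue: 1101
dnaMaxValue: 1100
"""

if __name__ == "__main__":
    for name, findings in sorted(check_groups(SAMPLE_GROUPS).items()):
        print(name, findings or "ok")
    print(dna_status(parse_ldif(SAMPLE_DNA)[0]))
```

Run as-is it reports admins as clean, esxpower as missing its uniqueMember values, esxfirst as pointing into cn=accounts, and the DNA entry as exhausted; after the dnaNextRange addition from this message, dna_status reports the queued range instead.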
[Freeipa-users] vSphere 5.1 and FreeIPA 3.3 on CentOS 7 finally works! [How I did it...]
dna settings, so that group addition failed without explicitly specifying its GID. I solved it as described here, adding the missing dnaNextRange: 163961-163979:
https://www.redhat.com/archives/freeipa-users/2014-December/msg00090.html

Screenshot with permissions of VC1
https://drive.google.com/file/d/0BwoPbcrMv8mvdUgwanQzNWpBbkE/view?usp=sharing

Some outputs of ldapsearch queries:

  [root@c7server slapd-LOCALDOMAIN-LOCAL]# ldapsearch -x -b cn=groups,cn=compat,dc=localdomain,dc=local cn=esxpower
  # extended LDIF
  #
  # LDAPv3
  # base cn=groups,cn=compat,dc=localdomain,dc=local with scope subtree
  # filter: cn=esxpower
  # requesting: ALL
  #

  # esxpower, groups, compat, localdomain.local
  dn: cn=esxpower,cn=groups,cn=compat,dc=localdomain,dc=local
  objectClass: posixGroup
  objectClass: groupOfUniqueNames
  objectClass: top
  gidNumber: 1639600010
  memberUid: gcecchi
  uniqueMember: cn=esxnestedpower,cn=groups,cn=compat,dc=localdomain,dc=local
  cn: esxpower

  # search result
  search: 2
  result: 0 Success

  # numResponses: 2
  # numEntries: 1

  [root@c7server slapd-LOCALDOMAIN-LOCAL]# ldapsearch -x -b cn=groups,cn=compat,dc=localdomain,dc=local cn=esxnestedpower
  # extended LDIF
  #
  # LDAPv3
  # base cn=groups,cn=compat,dc=localdomain,dc=local with scope subtree
  # filter: cn=esxnestedpower
  # requesting: ALL
  #

  # esxnestedpower, groups, compat, localdomain.local
  dn: cn=esxnestedpower,cn=groups,cn=compat,dc=localdomain,dc=local
  objectClass: posixGroup
  objectClass: groupOfUniqueNames
  objectClass: top
  gidNumber: 1639600012
  memberUid: gcecchi
  uniqueMember: uid=gcecchi,cn=users,cn=compat,dc=localdomain,dc=local
  cn: esxnestedpower

  # search result
  search: 2
  result: 0 Success

  # numResponses: 2
  # numEntries: 1

  [root@c7server slapd-LOCALDOMAIN-LOCAL]# ldapsearch -x -b cn=users,cn=compat,dc=localdomain,dc=local uid=gcecchi
  # extended LDIF
  #
  # LDAPv3
  # base cn=users,cn=compat,dc=localdomain,dc=local with scope subtree
  # filter: uid=gcecchi
  # requesting: ALL
  #

  # gcecchi, users, compat, localdomain.local
  dn: uid=gcecchi,cn=users,cn=compat,dc=localdomain,dc=local
  objectClass: posixAccount
  objectClass: uniqueMember
  objectClass: inetOrgPerson
  objectClass: extensibleObject
  objectClass: top
  objectClass: organizationalPerson
  objectClass: person
  gecos: Gianluca Cecchi
  cn: Gianluca Cecchi
  uidNumber: 163961
  gidNumber: 163961
  loginShell: /bin/sh
  homeDirectory: /home/gcecchi
  uid: gcecchi

  # search result
  search: 2
  result: 0 Success

  # numResponses: 2
  # numEntries: 1

Hope that this can help others trying to accomplish vSphere/IPA integration, and feel free to comment, as I'm far from an IPA expert and my main approach is RTFM and asking for help... ;-)

Gianluca Cecchi
Re: [Freeipa-users] vSphere 5.1 and FreeIPA 3.3 on CentOS 7 finally works! [How I did it...]
OK. I will check the requirements to write into the wiki.

On 08/Dec/2014 18:36 Dmitri Pal d...@redhat.com wrote:
> On 12/08/2014 11:44 AM, Gianluca Cecchi wrote:
>> Hello,
>> I finally was able to configure the integration between what is in the subject.
>> I have made basic tests and all seems ok.
>> If anyone wants to test further integration scenarios and also test with vSphere 5.5, he/she can then report here and I will crosscheck eventually.
>> My environment is based on pure vSphere 5.1 that I'm right now using in trial mode, with the vCenter server defined as a virtual appliance.
>> NOTE that there is a bug in this version of vSphere regarding OpenLDAP integration in the vSphere Web Client, so that you are unable to change the Base DN for groups after its initial configuration. In case you need to modify that field, you have to delete and recreate the whole LDAP definition. The bug is solved in vSphere 5.1 update 1a.
>> As suggested in other threads on this and other lists, I used the slapi-nis (schema compat) plugin.
>> Initially I tested it on CentOS 6.6 with IPA 3.0.0-42 and slapi-nis-0.40-4. I was able to get both users and groups enumeration in the vSphere client (using cn=accounts for the bind definition), but then no authentication of defined users due to the inability of IPA 3.0 to do bind on the compat tree.
>> I read on this list that I had to use IPA 3.3 and slapi-nis = 0.47.5, as is indeed provided now in CentOS 7 with:
>>   ipa-server-3.3.3-28.0.1.el7.centos.3.x86_64
>>   slapi-nis-0.52-4.el7.x86_64
>> So I migrated my IPA test server from CentOS 6.6 to another server in CentOS 7.0, following chapter 6 of the detailed guide here (only some typos and use of systemctl commands for version 6 that should be read as service commands instead):
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html
>>
>> After the update these were my two ldif files to adapt the schema compat entries for vSphere:
>>
>> 1) vsphere_usermod.ldif
>>
>>   dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
>>   changetype: modify
>>   add: schema-compat-entry-attribute
>>   schema-compat-entry-attribute: objectclass=uniqueMember
>>   -
>>   add: schema-compat-entry-attribute
>>   schema-compat-entry-attribute: objectclass=inetOrgPerson
>>   -
>>
>> 2) vsphere_groupmod.ldif
>>
>>   dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
>>   changetype: modify
>>   add: schema-compat-entry-attribute
>>   schema-compat-entry-attribute: objectclass=groupOfUniqueNames
>>   -
>>   add: schema-compat-entry-attribute
>>   schema-compat-entry-attribute: uniqueMember=%regsub(%{member},^(.*)accounts(.*),%1compat%2)
>>   -
>>
>> Applied with the command:
>>
>>   ldapmodify -x -D cn=Directory Manager -f /root/vsphere_usermod.ldif -W vsphere_usermod.ldif
>>
>> and
>>
>>   ldapmodify -x -D cn=Directory Manager -f /root/vsphere_usermod.ldif -W vsphere_groupmod.ldif
>>
>> The configuration in the vSphere Web Client under Identity Sources of Administration -- Sign-On and Discovery -- Configuration was this one:
>>
>>   Primary server URL: ldaps://c7server.localdomain.local:636
>>   Base DN for users: cn=users,cn=compat,dc=localdomain,dc=local
>>   Domain name: localdomain.local
>>   Base DN for groups: cn=groups,cn=compat,dc=localdomain,dc=local
>>   Authentication type: Password
>>   Username: uid=vadmin,cn=users,cn=compat,dc=localdomain,dc=local
>>
>> NOTE: vadmin is a normal IPA user I created only for the bind, with no ESX permissions (it is only part of the default ipausers IPA group)
>> NOTE: I used ldaps and as certificate I had to use the file /etc/ipa/ca.crt on the IPA server, after copying it to the client where the browser is running and renaming it to ca.cer without any modification at all. vSphere accepted it without any problem.
>>
>> My tests at the moment have been ok both in the vSphere fat client (5.1 1471691) and the vSphere Web Client (Version 5.1.0 Build 869765).
>> I tried this:
>> - add gcecchi IPA user at top vcenter server permissions level as a virtual machine user (sample) default role
>> - verify gcecchi is able to connect both in fat and web clients
>> - edit settings of the vm VC1 and verify that the add... button in the hardware tab is greyed out
>> - add the defined esxpower IPA group at VC1 permissions level granting it the virtual machine power user (sample) role
>> - logout/login gcecchi and verify nothing changed in his permissions
>> - add gcecchi to the IPA group esxpower
>> - logout/login gcecchi and verify the user now can select the add... button in the hardware tab of VC1
>> - logout gcecchi and remove gcecchi from IPA group esxpower
>> - login as gcecchi in vSphere and verify that now the add... button is disabled again
>> - create an IPA group named esxnestedpower and insert it in the esxpower group
>> - login as gcecchi in vSphere and verify he is still unable to add devices
>> - modify IPA user gcecchi adding him to the esxnestedpower group
>> - logout/login gcecchi from vSphere and verify that now gcecchi is able to add a device to VC1
>>
>> NOTE: as my tests began in CentOS 6.6, I noticed that the IPA groups
Re: [Freeipa-users] vSphere 5.1 and FreeIPA 3.3 on CentOS 7 finally works! [How I did it...]
On Mon, Dec 8, 2014 at 7:17 PM, Gianluca Cecchi gianluca.cec...@gmail.com wrote:
> OK. I will check the requirements to write into the wiki.

When I try to log in with my Fedora OpenID account, choose my real name as nickname and press login, it actually remains indefinitely on the blank page
http://www.freeipa.org/page/Special:OpenIDLogin/ChooseName
without enabling me to log in and begin to write anything.
Tried from both Chrome and Fedora (on my Fedora 20 system).
Similar problems when I used to use zanata to write the oVirt Italian translation, but in that case with some difficulty I finally was able to log in and begin to work... no way here.
This OpenID thing doesn't seem very usable in my opinion...

Gianluca
Re: [Freeipa-users] vSphere 5.1 and FreeIPA 3.3 on CentOS 7 finally works! [How I did it...]
On Tue, Dec 9, 2014 at 12:50 AM, Gianluca Cecchi gianluca.cec...@gmail.com wrote:
> Tried from both Chrome and Fedora (on my Fedora 20 system)

Correct: Tried from both Chrome and Firefox (on my Fedora 20 system)
Re: [Freeipa-users] vSphere 5.1 and FreeIPA 3.3 on CentOS 7 finally works! [How I did it...]
On Tue, Dec 9, 2014 at 10:50 AM, Martin Kosek mko...@redhat.com wrote:
> On 12/09/2014 12:50 AM, Gianluca Cecchi wrote:
>> On Mon, Dec 8, 2014 at 7:17 PM, Gianluca Cecchi gianluca.cec...@gmail.com wrote:
>>> OK. I will check the requirements to write into the wiki.

Hello,
now I was able to log in and I created this draft page, you can check it and feel free to review...
http://www.freeipa.org/page/HowTo/vsphere5_integration
Re: [Freeipa-users] vSphere 5.1 and FreeIPA 3.3 on CentOS 7 finally works! [How I did it...]
On Thu, Dec 11, 2014 at 10:19 AM, Petr Spacek pspa...@redhat.com wrote:
> Link to the how-to was added to:
> http://www.freeipa.org/page/HowTos#Virtualization
>
> --
> Petr^2 Spacek

thanks!

Gianluca
Re: [Freeipa-users] some problems after migrating from 3.0 to 3.3
On Fri, Dec 12, 2014 at 3:13 PM, Martin Basti mba...@redhat.com wrote:
> On 12/12/14 14:57, Gianluca Cecchi wrote:
> Hello, read inline comments.
>> Hello,
>> I migrated a CentOS 6.6 system with IPA 3.0 to a CentOS 7.0 system with IPA 3.3.
>> The workflow was the one to create a replica and then decommission the old one (that now is with services stopped) with the commands:
>> on old server: ipa-server-install --uninstall
>> on new server: ipa-replica-manage del infra.localdomain.local --force
>> [snip]
> It is not clear for me, did you use IPA DNS before upgrade, or you just install IPA DNS after upgrade?

I followed chapter 6 of
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html
In IPA 3.0 I preconfigured DNS and then installed IPA with

  # ipa-server-install

and at the end

  Setup complete

  Next steps:
  1. You must make sure these network ports are open:
          TCP Ports:
            * 80, 443: HTTP/HTTPS
            * 389, 636: LDAP/LDAPS
            * 88, 464: kerberos
          UDP Ports:
            * 88, 464: kerberos
            * 123: ntp

  2. You can now obtain a kerberos ticket using the command: 'kinit admin'
     This ticket will allow you to use the IPA tools (e.g., ipa user-add)
     and the web user interface.

  Be sure to back up the CA certificate stored in /root/cacert.p12
  This file is required to create replicas. The password for this
  file is the Directory Manager password

When I updated to 3.3, as part of the suggested documentation I created the replica file on the old server and then used this command on the new server:

  # ipa-replica-install --setup-ca --ip-address=192.168.1.81 -p my_password -w my_password -N --setup-dns --forwarder=192.168.1.254 -U /var/lib/ipa/replica-info-c7server.localdomain.local.gpg

And this way it should automatically embed the DNS part into IPA, correct?

>> It works but the old IPA server hostname (with hostname=infra) is no more resolvable
>> [snip]
> IMO the behavior is expected, deleting old replica 'infra', should remove the DNS record of replica as well

OK. I was able to access the web GUI (this time..) and in fact the infra entry was not present in either the forward or the reverse zone, so I added it and now it is ok:

  [root@c7server etc]# nslookup infra
  Server:         192.168.1.81
  Address:        192.168.1.81#53

  Name:   infra.localdomain.local
  Address: 192.168.1.62

> try following command to detect if there is the infra replica record in LDAP
> $ ipa dnsrecord-find localdomain.local

It now returns 22 entries, including the added one for the infra hostname:

  [root@c7server etc]# kinit admin
  Password for admin@LOCALDOMAIN.LOCAL:
  [root@c7server etc]# ipa dnsrecord-find localdomain.local
    Record name: @
    NS record: c7server.localdomain.local.

    Record name: _kerberos
    TXT record: LOCALDOMAIN.LOCAL
  ...
    Record name: infra
    A record: 192.168.1.62
  ...

Thanks, I will check if the web UI gives again the problem I had yesterday with the expired session message...

Gianluca
Re: [Freeipa-users] WebUI authentication problems
On Fri, Feb 20, 2015 at 10:53 AM, Petr Vobornik pvobo...@redhat.com wrote:
> On 02/20/2015 09:44 AM, Martin Kosek wrote:
>> On 02/20/2015 02:00 AM, Dan Mossor wrote:
>>> I just installed a new server on Fedora 21 Server, using the rolekit deployment tool. Everything was installed and configured (I hope) properly, but I'm running into a problem. The version is freeipa-server-4.1.2-1.fc21.x86_64, and I can connect to the WebUI only after a restart of ipa.service.

Hello,
I actually have quite similar problems in CentOS 7 too, with ipa-server-3.3.3-28.0.1.el7.centos.3.x86_64 and related packages.
So the same behavior, that if I restart the ipa service I'm able to connect (thanks btw, I didn't realize that, having big problems using the WebUI), and that my errors are of this type:

  [Fri Feb 20 10:32:15.850834 2015] [auth_kerb:error] [pid 2029] [client 192.168.1.128:50147] gss_accept_sec_context() failed: An unsupported mechanism was requested (, Unknown error), referer: https://c7server.localdomain.local/ipa/ui/
  [Fri Feb 20 10:32:22.670791 2015] [auth_kerb:error] [pid 15793] [client 192.168.1.128:50150] krb5_get_init_creds_password() failed: Decrypt integrity check failed, referer: https://c7server.localdomain.local/ipa/ui/

This happens both from an external browser (I enabled form authentication) and from a firefox session launched from the ipa server itself after configuring it for kerberos.
I don't want to mess with this thread, so let me know if I have to open a dedicated thread specifying for example CentOS 7, or if you think it is ok to get in here... so that I paste here other relevant info.

Thanks in advance
Gianluca
Re: [Freeipa-users] Mount cifs share using kerberos
To get the whole root environment you have to run

  su - root

did you try with it?
Re: [Freeipa-users] solaris 10 ad authentication happening with only one user
On 15/Mar/2015 11:04 Ben .T.George bentech4...@gmail.com wrote:
> here is the getent passwd:
>
>   skipped
>   nobody4:x:65534:65534:SunOS 4.x NFS Anonymous Access User:/:
>   b...@infra.com:x:531001104:531001104:ben:/home/infra.com/ben:
>   auth:x:64348:64348:auth auth:/home/auth:/bin/sh
>   shyam:x:64347:64347:shyam A:/export/home/shyam:/bin/bash
>   jude:x:64346:64346:jude joseph:/export/home/jude:/bin/bash
>   admin:x:64340:64340:Administrator:/home/admin:/bin/bash
>
> user ben is from AD and I am able to su to that user. I have tried with other users and it's not happening.
> AD authentication is working at some level and it is restricted to only one user.
>
>   b...@infra.com:x:531001104:531001104:ben:/home/infra.com/ben:
>   auth:x:64348:64348:auth auth:/home/auth:/bin/sh
>   shyam:x:64347:64347:shyam A:/export/home/shyam:/bin/bash
>   jude:x:64346:64346:jude joseph:/export/home/jude:/bin/bash
>   admin:x:64340:64340:Administrator:/home/admin:/bin/bash
>
> other than user ben all other users are local IPA users.
> how can I troubleshoot this issue

To be able to log in, the user needs to have a shell, which is the last field of the passwd line and in your case is empty for Ben.

Gianluca
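Added example (not code from the thread): a small passwd-line check that flags accounts which cannot get an interactive login because the shell field, the seventh and last field of a passwd line, is empty or not on an allowed list. The sample lines are constructed after the getent output quoted above; the AD account name is a placeholder, and the allowed-shell list stands in for /etc/shells (an assumption, since the thread does not show that file).

```python
"""Flag passwd entries with an empty or unexpected shell field (added example).

Not code from the thread. SAMPLE_GETENT is constructed after the getent
passwd output quoted above (the AD account name is a placeholder);
ALLOWED_SHELLS stands in for the contents of /etc/shells (assumption).
"""

PASSWD_FIELDS = 7   # name:passwd:uid:gid:gecos:home:shell
ALLOWED_SHELLS = ("/bin/sh", "/bin/bash")


def parse_passwd_line(line):
    """Return a dict for one passwd line, or None if it is malformed."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != PASSWD_FIELDS:
        return None
    name, _pw, uid, gid, gecos, home, shell = fields
    return {"name": name, "uid": int(uid), "gid": int(gid),
            "gecos": gecos, "home": home, "shell": shell}


def login_problems(lines, allowed_shells=ALLOWED_SHELLS):
    """Map user name -> reason the account cannot get an interactive login."""
    problems = {}
    for line in lines:
        entry = parse_passwd_line(line)
        if entry is None:
            problems[line.split(":")[0]] = "malformed line"
        elif not entry["shell"]:
            problems[entry["name"]] = "empty shell field"
        elif entry["shell"] not in allowed_shells:
            problems[entry["name"]] = "shell %s not in allowed list" % entry["shell"]
    return problems


SAMPLE_GETENT = [   # constructed after the thread's getent passwd output
    "nobody4:x:65534:65534:SunOS 4.x NFS Anonymous Access User:/:",
    "aduser@infra.com:x:531001104:531001104:aduser:/home/infra.com/aduser:",
    "auth:x:64348:64348:auth auth:/home/auth:/bin/sh",
    "shyam:x:64347:64347:shyam A:/export/home/shyam:/bin/bash",
    "admin:x:64340:64340:Administrator:/home/admin:/bin/bash",
]

if __name__ == "__main__":
    for user, reason in sorted(login_problems(SAMPLE_GETENT).items()):
        print("%s: %s" % (user, reason))
```

On a live system the same function can be fed the lines of getent passwd; the AD account comes out with "empty shell field", which is the condition described in the reply above, while the local IPA users with /bin/sh or /bin/bash are not reported.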
Re: [Freeipa-users] solaris 10 ad authentication happening with only one user
On Mon, Mar 16, 2015 at 6:57 AM, Ben .T.George bentech4...@gmail.com wrote:
> HI
> the user Ben is from AD, how can I assign a shell to that user?
>
> Regards,
> Ben

Yes I know. I have not administered it, so I have no experience from a configuration point of view, but I think you have to extend your Active Directory with Identity Management for Unix, so that you can assign the necessary attributes for granting login access to Unix systems for your AD users.
See here for an input...
http://www.chriscowley.me.uk/blog/2013/12/16/integrating-rhel-with-active-directory/

Gianluca
Re: [Freeipa-users] Problem FreeIPA 4.1.3 for vCenter 5.5u2b SSO
On Fri, Mar 6, 2015 at 2:12 PM, Martin Kosek mko...@redhat.com wrote:
> Ah, I am not sure what control do they mean. But in general, when, it is always interesting to check the LDAP access logs to see the last failed request and then try the same search with ldapsearch and fix things.
>
> Martin

See my previous e-mail: /var/log/dirsrv/slapd-REALM-NAME/ contains the log and you will see which kind of queries vSphere is doing.

Gianluca
Re: [Freeipa-users] Problem FreeIPA 4.1.3 for vCenter 5.5u2b SSO
On Fri, Mar 6, 2015 at 4:40 PM, Rich Megginson rmegg...@redhat.com wrote:
>> [06/Mar/2015:21:51:15 +0700] conn=30 op=1 RESULT err=0 tag=101 nentries=2 etime=0 notes=P
>> [06/Mar/2015:21:51:15 +0700] conn=30 op=2 UNBIND
>> [06/Mar/2015:21:51:15 +0700] conn=30 op=2 fd=99 closed - U1
>>
>> vCenter SSO error:
>> Error: Idm client exception: Control not found
>
> There's no error log debug level which will give us all of the controls received by the server or all of the controls sent back by the server. The TRACE level will give us some information.

Could it be that the "Control not found" is somehow related to the paged results control, as described in
https://bugzilla.redhat.com/show_bug.cgi?id=558099 ?
Is the notes=P in the ipa logs a setting managed by the server, or by the type of query done by the client? In my past IPA 3.3.3 logs I didn't find it at the end of the log line with nentries...
Just an attempt...
Re: [Freeipa-users] Problem FreeIPA 4.1.3 for vCenter 5.5u2b SSO
On Fri, Mar 6, 2015 at 6:21 PM, Rich Megginson rmegg...@redhat.com wrote:
> On 03/06/2015 09:39 AM, Herwono W Wijaya wrote:
>> vCenter SSO works well with Univention LDAP.
>
> Then set up a wireshark session to capture traffic between vCenter SSO and Univention LDAP, then do the same with vCenter SSO and IPA. Then we can compare the TCP traffic dumps.

And so we can then change the preface, which at this moment explicitly contains:

  Preface
  The environment used to write this document is based on pure vSphere 5.1, used in trial mode with vCenter server configured as a virtual appliance.

and update it covering 5.5 and hopefully 6.0 too... ;-)
Re: [Freeipa-users] Problem FreeIPA 4.1.3 for vCenter 5.5u2b SSO
On Fri, Mar 6, 2015 at 7:06 PM, Rich Megginson rmegg...@redhat.com wrote:

>> And so we can then change the preface that at this moment explicitly contains:
>>
>> "Preface
>> The environment used to write this document is based on pure vSphere 5.1, used in trial mode with vCenter server configured as a virtual appliance."
>>
>> and update it covering 5.5 and hopefully 6.0 too... ;-)
>
> I'm sorry - which preface? Link?

The message was for Herwono... not for you... He/she referred to:

> Here I want to make sure if FreeIPA can work with vCenter SSO, because I read it on this page: http://www.freeipa.org/page/HowTo/vsphere5_integration

And at the top of the doc in the link there is the note about only 5.1 being tested, while the version here is 5.5u2b.

Have a nice weekend, to all the list ;-)
Gianluca
Re: [Freeipa-users] Adding FreeIPA as a vsphere identity source
On Thu, Mar 5, 2015 at 8:54 AM, Martin Kosek mko...@redhat.com wrote:

> I am also CCing Gianluca who contributed the HOWTO. I checked it again and tried to apply it on my FreeIPA 4.1.3; my compat group now contains the proper uniqueMember attribute and groupOfUniqueNames objectclass.
>
> I am not sure though why users are also updated (mostly a question to Gianluca):
>
> dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
> changetype: modify
> add: schema-compat-entry-attribute
> schema-compat-entry-attribute: objectclass=uniqueMember
> -
> add: schema-compat-entry-attribute
> schema-compat-entry-attribute: objectclass=inetOrgPerson
> -
>
> For instance, uniqueMember is not a valid objectclass. Also, if you are adding the inetOrgPerson objectclass, you should have all its MUST attributes also generated - otherwise consuming programs may break if they depend on such attributes to exist. I see that sn is missing in my compat user entries.
>
> Can you show the cn=groups,cn=Schema Compatibility,cn=plugins,cn=config entry so that we can see if the uniqueMember attribute is really configured correctly?
>
> Thanks,
> Martin

Users' updates were forced by vSphere-originated queries. For example, without adding the inetOrgPerson objectclass, when I wanted to bind a permission to a user and searched for users in vSphere, I got this error:

[05/Dec/2014:22:59:21 +0100] conn=1831 op=34 SRCH base=cn=users,cn=compat,dc=localdomain,dc=local scope=2 filter=(&(objectClass=inetOrgPerson)(objectClass=inetOrgPerson)) attrs=description entryuuid givenName initials mail pwdaccountlockedtime shadowExpire sn title uid userPassword

So I verified that after adding inetOrgPerson I was then able to add users to permissions.
Probably I have to check which are the MUST attributes for it so that we add them too.

As far as I understood, the use of compat was indeed to add uniqueMember, which is expected to be there by vSphere, at least in 5.1.

Gianluca
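An added example rather than anything from the thread: a Python checker for compat-tree entries, run here on a constructed LDIF dump modelled on the entries under discussion. It reports MUST attributes missing for each objectClass (Martin's point about sn on inetOrgPerson) and uniqueMember values that do not name an entry in the dumped subtree; the MUST table is limited to the three classes the sample entries carry.

```python
# MUST attributes (including inherited ones) per objectClass, from RFC 4519 / RFC 2798 / RFC 2307.
MUST = {
    "inetOrgPerson": {"cn", "sn"},
    "groupOfUniqueNames": {"cn", "uniqueMember"},
    "posixGroup": {"cn", "gidNumber"},
}

# Constructed LDIF modelled on the compat tree discussed in the thread (not real data).
SAMPLE_LDIF = """\
dn: uid=gcecchi,cn=users,cn=compat,dc=localdomain,dc=local
objectClass: inetOrgPerson
uid: gcecchi
cn: Gianluca Cecchi

dn: cn=esxpower,cn=groups,cn=compat,dc=localdomain,dc=local
objectClass: posixGroup
objectClass: groupOfUniqueNames
gidNumber: 163966
uniqueMember: uid=gcecchi,cn=users,cn=accounts,dc=localdomain,dc=local
cn: esxpower
"""

def parse_ldif(text):
    """Minimal LDIF reader: one dict per entry, attribute values kept as lists."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            entry.setdefault(name.strip(), []).append(value.strip())
        entries.append(entry)
    return entries

def check_compat_entries(ldif_text):
    """Return {dn: [problems]}: missing MUST attributes, and uniqueMember DNs absent from the dump."""
    entries = parse_ldif(ldif_text)
    known_dns = {e["dn"][0].lower() for e in entries}
    report = {}
    for e in entries:
        present = {a.lower() for a in e}
        problems = [f"{oc} requires {attr}" for oc in e.get("objectClass", [])
                    for attr in sorted(MUST.get(oc, ())) if attr.lower() not in present]
        # a member DN outside the dumped subtree (e.g. cn=accounts instead of cn=compat) is flagged
        problems += [f"uniqueMember {dn} is not an entry in this tree"
                     for dn in e.get("uniqueMember", []) if dn.lower() not in known_dns]
        if problems:
            report[e["dn"][0]] = problems
    return report

if __name__ == "__main__":
    for dn, problems in check_compat_entries(SAMPLE_LDIF).items():
        print(dn, *problems, sep="\n  ")
```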
Re: [Freeipa-users] Problem FreeIPA 4.1.3 for vCenter 5.5u2b SSO
On Fri, Mar 6, 2015 at 8:34 AM, Martin Kosek mko...@redhat.com wrote:

> On 03/06/2015 04:38 AM, Herwono W Wijaya wrote:
>> Problems with FreeIPA 4.1.3 for vCenter 5.5u2b SSO: only the admin user can be used and I always get an error for other users.
>
> You mean the admin user from vCenter, not the admin user from FreeIPA, right? Did you follow this HOWTO: http://www.freeipa.org/page/HowTo/vsphere5_integration
>
> Note that the vSphere integration topic is being discussed this week, CCing also Gianluca (author of the HOWTO), he may have some ideas where the problem is too.
>
> Martin

The logs that let us know the kind of queries generated by vSphere are in /var/log/dirsrv/slapd-REALM-NAME/ (at least for 3.3.3).

Also, searching through my e-mails I found one direct contact using vSphere 5.5 who was doing some tests with VMware support connected to his systems. It seems they found out that it almost all worked correctly when using accounts instead of compat BUT you can't log in. An action was then to add objectclass=groupOfUniqueNames to a single test group and they were able to log in.

I asked for more information about his setup, if still in place, and to eventually share it with others.

Stay tuned...
Gianluca
Re: [Freeipa-users] RHEL 5 client?
On 01/Apr/2015 19:36 Rob Crittenden rcrit...@redhat.com wrote:

> Guertin, David S. wrote:
>> I’ve just set up an IPA domain that is working with our RHEL 6 clients. (The servers are running RHEL 7.) But about half of our Linux servers are running RHEL 5, and I’d like to be able to add these as clients as well. Unfortunately I haven’t been able to get it working. Before I get too deep into debugging and log files, is this even possible? The documentation that I’ve been able to find is unclear on this. So far I’ve been looking at this thread: https://www.redhat.com/archives/freeipa-users/2013-July/msg00277.html and this document: https://www.freeipa.org/page/FreeIPAv1:ConfiguringRhelClients#Configuring_RHEL_5_as_an_IPA_Client but without much success. Is there documentation somewhere that describes the procedure, if indeed one exists?
>
> The 5.x ipa-client should work fine. What isn't working?
>
> rob

I would go with the Identity Management guide:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/Configuring_Identity_Management/index.html

And in particular chapter 2:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/Configuring_Identity_Management/setting-up-clients.html

I don't think it requires a RHEL 5.x IPA server.

HIH,
Gianluca