Re: [Freeipa-users] freeipa on http?

2015-08-18 Thread Simo Sorce
you. There is still the problem of the referer, but should be easy to fix with a rewrite rule. Simo. > ~J > > On 8/18/15 3:02 PM, Simo Sorce wrote: > > On Tue, 2015-08-18 at 18:01 -0400, Simo Sorce wrote: > >> The load balancer would have to have the exact same name (

Re: [Freeipa-users] freeipa on http?

2015-08-18 Thread Simo Sorce
t;> not redirect to https? Reason is simple - offloading SSL to a load > >> balancer on the front end. (this is for web only, not the LDAP or > >> Kerberos) > >> > >> Thank you > >> ~J > >> > > > > You could try disabling t

Re: [Freeipa-users] freeipa on http?

2015-08-18 Thread Simo Sorce
On Tue, 2015-08-18 at 18:01 -0400, Simo Sorce wrote: > The load balancer would have to have the exact same name (for the > clients) as the IPA server, which may be challenging depending on the > network configuration you have. More on that issue here: http://ssimo.org/blog/id_019.html

Re: [Freeipa-users] FreeIPA certificate for Outlook

2015-08-18 Thread Simo Sorce
ell me the correct file? > > > > Thanks for an answer > > > > -- > > > > mit freundlichen Grüssen / best regards, > > > > Günther J. Niederwimmer > > > > > > > Hi, > > IPA CA certificate is located here /etc/ipa/ca.crt on serv

Re: [Freeipa-users] KRA? 4.2?

2015-07-10 Thread Simo Sorce
Dogtag project component that implements the secure storage for the Vault feature. HTH, Simo. -- Simo Sorce * Red Hat, Inc * New York -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] adding freeipa client fails

2015-07-09 Thread Simo Sorce
/sssd/sssd.conf was moved > to /etc/sssd/sssd.conf.deletedSSSD service could not be stoppedRestoring > client configuration filesnscd daemon is not installed, skip > configurationnslcd daemon is not installed, skip > configuration/etc/ipa/default.conf could not be removed: [Errno 2

Re: [Freeipa-users] strange password error..

2015-07-06 Thread Simo Sorce
using kpasswd it may happen if a re-transmission occurs, as kpasswd uses UDP, so the second request ends up with that error, I think, not 100% sure. Simo.

Re: [Freeipa-users] samba vs ipa without kerberos

2015-07-03 Thread Simo Sorce
(have ipa 4.1 and samba 4.1.12 here) > > Greetz > Christoph Kaminski >

Re: [Freeipa-users] keytab issue with service principal

2015-06-30 Thread Simo Sorce
06/30/15 17:12:13 oracledb/oracledbsrvr.example@example.com >2 06/30/15 17:12:13 oracledb/oracledbsrvr.example@example.com >2 06/30/15 17:12:13 oracledb/oracledbsrvr.example@example.com > From: Simo Sorce > To: sipazzo > Cc: Freeipa-users > Sent: Tuesda

Re: [Freeipa-users] keytab issue with service principal

2015-06-30 Thread Simo Sorce
s > a freeipa user with valid kerberos ticket it appears to work fine though. I > cannot get it working from a remote client however. Is this error a red > herring or should I be concerned about this? kvno and klist show same number. What's the output of klist -kt /opt/oracle/ad

Re: [Freeipa-users] Using FreeIPA OTP in a PAM module

2015-06-30 Thread Simo Sorce
ation is > not aware of the service used. If e.g. OTP was used to just get a > response from some unprotected and unprivileged service the intercepted > password can be used to log in with ssh as well. So I guess we need a > careful discussion here. The solution for these environments already exists and it is called GSSAPI. You can obtain a ticket with 2FA and then use your TGT for 10 or more hours. There is no need to invent broken ways to skip two factor auth when we already have a way to make this easy *and* secure. Simo.

Re: [Freeipa-users] hesitate to deploy freeipa

2015-06-25 Thread Simo Sorce
u are not alone and can share experiences, ask for help and in general get up to speed with various parts of the infrastructure as you need it, not being forced to know everything like a pro before even starting. This is my humble opinion. Simo.

Re: [Freeipa-users] Installing replica w/o CA?

2015-06-19 Thread Simo Sorce
p the 3rd replica agreements with the first after you create agreements that connect the third to the second. Simo.

Re: [Freeipa-users] question on Active Directory and FreeIPA

2015-06-19 Thread Simo Sorce
r requirements? > > With the recent 'views' feature, you can set POSIX attributes for IPA > users without touching the AD LDAP schema, even per-host. Just for clarity: note that use of these features will require an upgrade of your server to the latest Centos 7.2 (whe

Re: [Freeipa-users] ipa schema-compat, DIT view and replication

2015-06-19 Thread Simo Sorce
; Rather, it is a virtual view of some other data in the directory. > > -- > / Alexander Bokovoy > What this means is that you need to explicitly turn on schema compat on each server you want to use to serve it. Simo.

Re: [Freeipa-users] Issues

2015-06-18 Thread Simo Sorce
On Thu, 2015-06-18 at 10:47 -0500, James Benson wrote: > Freeipa 4.1.4 Please run rpm -qi pki-base > On 06/18/2015 10:28 AM, Simo Sorce wrote: > > On Thu, 2015-06-18 at 10:08 -0500, James Benson wrote: > >> Hi all, > >> I'm a fairly advanced user, how

Re: [Freeipa-users] Issues

2015-06-18 Thread Simo Sorce
or: > CA did not start in 300.0s > > > I've modified the > /usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py to > increase the timeout value, but no luck. > > Suggestions? What pki-base package version do you have installed? Simo.

Re: [Freeipa-users] Cannot login with GSSAPI to IPA client

2015-06-17 Thread Simo Sorce
@ipadomain.net > kvno: Credentials cache file '/tmp/krb5cc_0' not found while getting > client principal name > [root@fe1 home]# kinit username > Password for usern...@ipadomain.net: > [root@fe1 home]# kvno host/fe1.ipadomain@ipadomain.net > host/fe1.ipadomain@ipadomain.net: kvno = 1 This is normal, you can obtain a ticket (that's what kvno does) only if you have a TGT (which is stored in the Credentials Cache). Simo.

Re: [Freeipa-users] stickybits and freeipa

2015-06-16 Thread Simo Sorce
ction(PSTRING const &, PSTRING const &, > int, JSTRING const &) () > #23 0x08059106 in EXCO::Initiate(void) () > #24 0x0805a355 in EXCO::Edit(void) () > #25 0x080544f5 in main () > > // Richard > > 2015-06-15 15:34 skrev Simo Sorce: > > On Sun, 2015-06-14 at 20

Re: [Freeipa-users] stickybits and freeipa

2015-06-15 Thread Simo Sorce
volved that is causing you trouble. Simo.

Re: [Freeipa-users] OTP - Google Authenticator - iPhone - Invalid barcode

2015-06-13 Thread Simo Sorce
. I think we have a report about the "case" used to generate some algorithm names, that get embedded in the QR code: https://fedorahosted.org/freeipa/ticket/5047 It may be the same issue here. Simo.

Re: [Freeipa-users] sssd not caching public keys in sss_authorized_keys file

2015-06-03 Thread Simo Sorce
0 Jun 2 16:05 known_hosts > drwxr-xr-x 2 root root 4096 May 28 01:13 krb5.include.d > [root@ipaclient pubconf]# > > So... I am still looking for the actual location on disk that this is > apparently being cached and cannot find it. You won't find a "file" because

Re: [Freeipa-users] dirsrv keytab revoked

2015-05-29 Thread Simo Sorce
by that other replica, restart all IPA components and make sure a round of replication happens. Then restore the krb5.conf file and restart all. > > Or it is better to destroy it and do a new install? > > That may be even faster for the making that particular replica up and running > a

Re: [Freeipa-users] user-mod --rename and password

2015-05-07 Thread Simo Sorce
Is this expected? It's with 4.1.0. > >> Yes, we have a bug for this, actually, few of them: > >> https://fedorahosted.org/freeipa/ticket/4757 > >> > >> The actual issue is due to https://fedorahosted.org/freeipa/ticket/4914 > >> > > > >Well, in this case the principal isn't changed at all, it's still > >b...@example.test, which is why the password doesn't work. There probably > >is no bob1 principal anywhere. > Yep, and there is a note in the first bug (#4757) about that. I think > ipa user-mod should be doing that rename for krbPrincipalName too but we > need to fix password generation via kadmin as well because chances are > that users changed their passwords via SSSD which leads to kadmin use. Patch to fix this is sitting in the fedora-devel list for a month or so, please review and ack it. Simo.

Re: [Freeipa-users] interesting Kerberos issue

2015-05-04 Thread Simo Sorce
ing here? Have you recently changed the user password ? If so this symptom may indicate you are having replication issues between your servers, and one of the client is hitting the server that didn't get the keys replicated to it. Simo.

Re: [Freeipa-users] FreeIPA WebUI Logout logs back in

2015-04-29 Thread Simo Sorce
ed.org/freeipa/ticket/5010 > > As this my first Fedora ticket, please forgive me If I didn't do it right > 8-) It's perfectly fine, thank you. Simo. > Cheers > > Chris > > > > > From: Craig White > To: Christopher Lamb/Switzerland/IBM@IBMCH, S

Re: [Freeipa-users] FreeIPA WebUI Logout logs back in

2015-04-29 Thread Simo Sorce
r completeness. > > thanks > > Chris > > > > From: Simo Sorce > To: d...@redhat.com > Cc: Rob Crittenden , Christopher > Lamb/Switzerland/IBM@IBMCH, freeipa-users@redhat.com > Date: 29.04.2015 03:31 > Subject: Re: [Freeipa-users] Fre

Re: [Freeipa-users] FreeIPA WebUI Logout logs back in

2015-04-28 Thread Simo Sorce
what we should do is to have a logout option that says "log in with a different user" and redirect to anon kerberized page that allows you to do form based login. This would address the case where a domain user wants to log in as admin w/o exiting their user session or destroying their ccache

Re: [Freeipa-users] Old FreeIPA upstream guides removed (WAS: Re: Web UI: Migrated Admins missing action buttons)

2015-04-27 Thread Simo Sorce
On Mon, 2015-04-27 at 12:51 +0200, Martin Kosek wrote: > On 04/26/2015 08:23 AM, Alexander Bokovoy wrote: > > > > > > - Original Message - > >> Hi Rob and Dimitri > >> > >> Migrating via Replica is the obvious way that I would have gone, had the > >> FreeIPA /RedHat documentation not sugg

Re: [Freeipa-users] Freeipa4 - AD SSH logins

2015-04-15 Thread Simo Sorce
for external users/groups (IIRC). Simo.

Re: [Freeipa-users] Slow logins on FreeIPA 4.1.2 (F21)

2015-04-08 Thread Simo Sorce
On Wed, 2015-04-08 at 10:11 +0200, Martin (Lists) wrote: > Am 07.04.2015 um 18:27 schrieb Simo Sorce: > > On Tue, 2015-04-07 at 17:57 +0200, Martin (Lists) wrote: > >> Hallo > >> > >> attached you can find the data from krb_child.log. As far as I can see >

Re: [Freeipa-users] Creating arbitrary users?

2015-04-07 Thread Simo Sorce
On Tue, 2015-04-07 at 22:01 -0400, Coy Hile wrote: > > On Apr 7, 2015, at 2:58 PM, Simo Sorce wrote: > > > > On Tue, 2015-04-07 at 18:54 +, Coy Hile wrote: > >> Quoting Simo Sorce : > >> > >>>>> > >>>>> &

Re: [Freeipa-users] Creating arbitrary users?

2015-04-07 Thread Simo Sorce
On Tue, 2015-04-07 at 18:54 +, Coy Hile wrote: > Quoting Simo Sorce : > > >> > > >> > > >> I guess that makes sense. Is it possible to add a user that simply > >> doesn't have the posix attributes defined? In the particular case of >

Re: [Freeipa-users] Slow logins on FreeIPA 4.1.2 (F21)

2015-04-07 Thread Simo Sorce
cy if you kinit manually? Simo.

Re: [Freeipa-users] Creating arbitrary users?

2015-04-07 Thread Simo Sorce
On Tue, 2015-04-07 at 14:16 +, coy.h...@coyhile.com wrote: > Quoting Simo Sorce > > > On Mon, 2015-04-06 at 21:16 -0400, Coy Hile wrote: > >> In MIT land, one can potentially have multiple instances tied (by > >> convention) to a given user (that is, that admin

Re: [Freeipa-users] Creating arbitrary users?

2015-04-07 Thread Simo Sorce
s or providing explicit support in the new aname2lname plugin. To do all this means adding new objects and configuration facilities to handle these special non-users, we haven't yet found enough benefit in adding support for these to warrant the work involved. Simo.

[Freeipa-users] On Load Balancers and Kerberos

2015-04-05 Thread Simo Sorce
I wrote a blog post to clarify a little bit how load balancers and Kerberos interact: https://ssimo.org/blog/id_019.html HTH, Simo.

Re: [Freeipa-users] load balancers?

2015-04-04 Thread Simo Sorce

Re: [Freeipa-users] Question on freeipa-server-trust-ad

2015-04-04 Thread Simo Sorce
users nor really services, so keeping it in cn=kerberos for now it is fine. However do not use kadmin.local to create actual user principals please. Simo.

Re: [Freeipa-users] Understanding the migration mode

2015-04-03 Thread Simo Sorce
e available on-demand computing power provided by cloud operators, so distributing hashes is riskier than ever, especially old hashes based on DES or MD5, but SHA-1 is not far down the list. HTH, Simo.

Re: [Freeipa-users] IPA and geographically distributed masters

2015-04-01 Thread Simo Sorce
On Thu, 2015-04-02 at 00:22 +0100, g.fer.or...@unicyber.co.uk wrote: > Hi > > if you got the NTPs in sync and using the same timezone on both it > should be ok All operations use UTC, so you can set whatever timezone you want on the machines. Simo.

Re: [Freeipa-users] OTP integrations

2015-04-01 Thread Simo Sorce
whole keyset is encrypted with the master key, so the hashes cannot be seen even if you have access to the LDAP attribute. Simo.

Re: [Freeipa-users] freeipa behind a load balancer

2015-03-31 Thread Simo Sorce
On Tue, 2015-03-31 at 13:50 -0400, Simo Sorce wrote: > But IPA is more complex and some operations will be performed directly > against the specific server name, so you need to keep 2 sets of keys > (one for the server name and one for the load balancer name), but that > does not wo

Re: [Freeipa-users] freeipa behind a load balancer

2015-03-31 Thread Simo Sorce
On Tue, 2015-03-31 at 13:21 -0400, Brendan Kearney wrote: > On Tue, 2015-03-31 at 12:53 -0400, Simo Sorce wrote: > > On Tue, 2015-03-31 at 11:41 -0400, Brendan Kearney wrote: > > > On Tue, 2015-03-31 at 11:07 -0400, Dmitri Pal wrote: > > > > On 03/31/2015 10:38 AM

Re: [Freeipa-users] freeipa behind a load balancer

2015-03-31 Thread Simo Sorce
> > >>>>>>>>> Matt
> > >>>>>>>>>
> > >>>>>>>>> 2015-03-31 13:56 GMT+02:00 Prashant Bapat :
> > >>>>>>>>>> Hi,
> > >>>>>>>>>>
> > >>>>>>>>>> I'm trying to get 2 FreeIPA servers in a replicated mode behind a load
> > >>>>>>>>>> balancer, specifically Amazon ELB.
> > >>>>>>>>>>
> > >>>>>>>>>> I started with editing the /etc/httpd/conf.d/ipa-rewrite.conf but looks like
> > >>>>>>>>>> there is more to it than just this file.
> > >>>>>>>>>>
> > >>>>>>>>>> Any suggestions ?
> > >>>>>>>>>>
> > >>>>>>>>>> Thanks.
> > >>>>>>>>>> --Prashant
> >
> > --
> > Thank you,
> > Dmitri Pal
> >
> > Sr. Engineering Manager IdM portfolio
> > Red Hat, Inc.
>
> kerberos is load balancer friendly, if you pet it nicely.
>
> you generate a principal for the VIP. you then create a keytab for the
> VIP. you distribute the keytab via SCP (or other secure method) to all
> load balanced pool members. you must distribute the same exact keytab
> to all devices. the KVNO for the VIP principal must match in all copies
> put on the pool members. use "klist -Kket /path/to/file.keytab" to
> validate this on all pool members.
>
> there are additional steps you may want to take, in order to add the
> individual principal(s) to the same keytab, so that you can access the
> pool members themselves (not via the VIP). this requires that you
> distribute the keytab as above, and then add the individual principals
> to the local copy of the keytab file.
>
> example:
>
> you have created the principal ldap/ldap.domain.tld for your VIP
> you have created the keytab for ldap/ldap.domain.tld as ~/ldap.keytab
> you have copied the keytab file ~/ldap.keytab to server1, server2 and
> server3 as /etc/ldap.keytab
>
> you ssh to server1 and run kadmin.
> you then add a principal ldap/server1.domain.tld
> you then add the principal ldap/server1.domain.tld to the already
> existing keytab /etc/ldap.keytab.
> quit kadmin
>
> when you run "klist -Kket /etc/ldap.keytab" you should see two
> principals in it. the VIP name and the hostname.
>
> lather, rinse, repeat for all servers.
>
> keep in mind the administrative overhead of changing names of servers or
> VIPs.
>
> there are other tricks for doing kerberos stuff. i use the same VIP,
> but different ports in order to access an individual host/service behind
> the load balancer. this works because the name (of the VIP) stays the
> same and i just point a different front end port to an individual
> backend device/port.

This is all true if you just accept connections.

(Un?)fortunately we use delegation within IPA, which requires using a local key to contact the KDC. This action "fixates" what key we are going to use to accept incoming context establishment requests. If a principal name is not specified then the selected key is usually the first in the keytab. In an IPA setup that will usually be the server's specific key.

In order to use multiple keys in conjunction with IPA we'd have to explicitly support it. I am not sure if the SSL layer records which name was used (perhaps it does if SNI is used, but almost certainly not if SANs are used), or if multiple virtual hosts need to be used. If we can know what name the client used then we could modify mod_auth_gssapi to select a specific name to acquire creds and then accept the connection with the correct keys. (Another option would be to explicitly retry with each available key if something fails.)

I am afraid I won't try to coerce mod_auth_kerb to do that, so this option is probably something we can do only post 4.2 and only if we can make appropriate modifications.

Simo.

Re: [Freeipa-users] How to add 'generic' service?

2015-03-27 Thread Simo Sorce
tten WG we are also starting the process to deprecate RC4 and 3DES and we have a ticket to stop using them by default in FreeIPA too: https://fedorahosted.org/freeipa/ticket/4740 HTH, Simo.

Re: [Freeipa-users] Not able to SSH with User Created in IPA Server

2015-03-26 Thread Simo Sorce
n using GSSAPI/Krb5, an IP address cannot be resolved to a proper key as keys are registered into the KDC as host/machine.fully.qualified.name@REALM. It's the same thing as with HTTPS, the client needs to know the "name" of the server in order to be able to properly communicate with it.

Re: [Freeipa-users] Is systemd really a requirement for freeipa 4.x?

2015-03-26 Thread Simo Sorce
d in using SELinux. HTH, Simo.

Re: [Freeipa-users] Clients are reading AD info inconsistently

2015-03-25 Thread Simo Sorce
> Stopping sssd: [ OK ] > Starting sssd: [ OK ] > # id 'MIDD\juser' > id: MIDD\juser: No such user > > David Guertin > This is normal, users are "loaded in" when they actually try to Log In. Simo.

Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-06 Thread Simo Sorce
a loadbalancer in front of my ipa servers. > >>>>> > >>>>> Are you talking about FreeIPA web interface? It is technically possible > >>>>> to use > >>>>> load-balancer but it will be really hacky. You would have to solve > >>>>> certificates and also distribute shared keytabs and so on. > >>>>> > >>>>> I would recommend you to use "something" which issues HTTP redirect to > >>>>> ipa > >>>>> server 1/2/3/4/5 according to current state instead of using classical > >>>>> load > >>>>> balancer on the network level. Normal HTTP redirect will not force you > >>>>> to mess > >>>>> with certs and keytabs. > >>>>> > >>>>> -- > >>>>> Petr^2 Spacek > > > > > > -- > > Petr Spacek @ Red Hat

Re: [Freeipa-users] Host aliases in freeipa

2015-03-04 Thread Simo Sorce
he priority in the SRV records as replicas come and go? Not yet. > Is there more to it than this? See above. HTH, Simo.

Re: [Freeipa-users] AD trust relationship is established, but IPA cannot see AD users

2015-03-03 Thread Simo Sorce
David Guertin > An IPA server is always also a client of itself. Simo.

Re: [Freeipa-users] Host aliases in freeipa

2015-03-02 Thread Simo Sorce
On Mon, 2015-03-02 at 12:29 +, Roderick Johnstone wrote: > On 27/02/15 20:04, Simo Sorce wrote: > > On Fri, 2015-02-27 at 18:59 +, Roderick Johnstone wrote: > >> On 27/02/15 18:33, Simo Sorce wrote: > >>> On Fri, 2015-02-27 at 18:19 +, Roder

Re: [Freeipa-users] Host aliases in freeipa

2015-02-27 Thread Simo Sorce
On Fri, 2015-02-27 at 18:59 +, Roderick Johnstone wrote: > On 27/02/15 18:33, Simo Sorce wrote: > > On Fri, 2015-02-27 at 18:19 +, Roderick Johnstone wrote: > >> Hi > >> > >> I'm trying to migrate of my NIS databases to freeipa and have got to th

Re: [Freeipa-users] Host aliases in freeipa

2015-02-27 Thread Simo Sorce
should I configure freeipa to do host lookups for aliases like NIS does? While NIS supports hosts maps, FreeIPA strongly encourages the use of DNS, as such we do not have direct means of providing or querying hosts maps. Simo.

Re: [Freeipa-users] WebUI authentication problems

2015-02-20 Thread Simo Sorce
On Fri, 2015-02-20 at 11:44 +0100, Gianluca Cecchi wrote: > On Fri, Feb 20, 2015 at 10:53 AM, Petr Vobornik wrote: > > > On 02/20/2015 09:44 AM, Martin Kosek wrote: > > > >> On 02/20/2015 02:00 AM, Dan Mossor wrote: > >> > >>> I just installed a new server on Fedora 21 Server, using the rolekit >

Re: [Freeipa-users] WebUI authentication problems

2015-02-20 Thread Simo Sorce
On Fri, 2015-02-20 at 10:53 +0100, Petr Vobornik wrote: > >> [Fri Feb 20 00:45:35.603016 2015] [auth_kerb:error] [pid 1173] > [client > >> 10.1.1.17:54157] gss_accept_sec_context() failed: An unsupported > >> mechanism was > >> requested (, Unknown error), referer: https://vader.dom.net/ipa/ui/ >

Re: [Freeipa-users] FreeIPA and Application Specific Passwords

2015-02-19 Thread Simo Sorce
need to be > > really good in order to beat saved password in GMail style, IMO. > > I imagine Ipsilon based SSO when Ipsilon can make a decision which > assertions to issue depending on the cert you have. A lot of apps can't do certs. I mentioned to someone (Nathan, did

Re: [Freeipa-users] Where and how are passwords stored?

2015-02-12 Thread Simo Sorce
plaintext of password encrypted or is it a > hash that is encrypted? All keys are hashes, they are stored into an asn.1 encoded structure that is then encrypted with the master key. > What encryption and or hashing used for that? It depends on the supported keys. Simo.

Re: [Freeipa-users] Where and how are passwords stored?

2015-02-12 Thread Simo Sorce
. The core of the DS > processes it behind the closed doors so it is possible to reset but not > to read. > This is how LDAP works and not different from any modern directory server. Keep in mind that the Kerberos keys are additionally encrypted with a master password, so reading the att

Re: [Freeipa-users] RFEs

2015-01-22 Thread Simo Sorce
e an host via foreman > proxy, it will create the host in FreeIPA but if you want to use the > FreeIPA PKI for puppet, you must manually add puppet service on your > host, and then get the certificate. This is something that has come up once before but I do not think we have a ticket, it

Re: [Freeipa-users] DNS Design for FreeIPA4

2015-01-16 Thread Simo Sorce
nd that IPA clients have names in IPA managed domains, the DNS server the clients actually point to does not really matter as long as proper DNS resolution happens (either using forwarding or delegation). Simo.

Re: [Freeipa-users] Mount cifs share using kerberos

2015-01-13 Thread Simo Sorce
> to access the file. > > > > Acquiring the admin ticket doesn't switch the user ID nor add you > > to the group.. > > > > > I thought the krb5 mount option would allow ticked based access to the > file. > Is the purpose of the krb5 mount option just used

Re: [Freeipa-users] Mount cifs share using kerberos

2015-01-09 Thread Simo Sorce
o > sec=krb5 mountpoint > mount error(126): Required key not available > Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) > > (root has an admin ticket acquired) > > Any hints for a newbie? What does klist say? and what version of cifs-utils? Simo. > --

Re: [Freeipa-users] Mount cifs share using kerberos

2015-01-08 Thread Simo Sorce
rb5 > > Shouldn't I be able to do the mount this way? > > -- john You should be able to, what's the error? Simo.

Re: [Freeipa-users] Host based 2FA ?

2014-12-12 Thread Simo Sorce
On Fri, 12 Dec 2014 13:49:24 -0500 Dmitri Pal wrote: > On 12/12/2014 01:38 PM, Simo Sorce wrote: > > On Fri, 12 Dec 2014 13:32:03 -0500 > > Dmitri Pal wrote: > > > >> On 12/12/2014 01:27 PM, Simo Sorce wrote: > >>> On Fri, 12 Dec 2014 13:17:18 -0500 &

Re: [Freeipa-users] Host based 2FA ?

2014-12-12 Thread Simo Sorce
On Fri, 12 Dec 2014 13:32:03 -0500 Dmitri Pal wrote: > On 12/12/2014 01:27 PM, Simo Sorce wrote: > > On Fri, 12 Dec 2014 13:17:18 -0500 > > Dmitri Pal wrote: > > > >> On 12/12/2014 01:07 PM, Simo Sorce wrote: > >>> On Thu, 11 Dec 2014 18:30:06 -0500 &

Re: [Freeipa-users] Host based 2FA ?

2014-12-12 Thread Simo Sorce
On Fri, 12 Dec 2014 13:17:18 -0500 Dmitri Pal wrote: > On 12/12/2014 01:07 PM, Simo Sorce wrote: > > On Thu, 11 Dec 2014 18:30:06 -0500 > > Dmitri Pal wrote: > > > >> On 12/11/2014 06:32 PM, free...@pettyvices.com wrote: > >>> I'd like to be a

Re: [Freeipa-users] Host based 2FA ?

2014-12-12 Thread Simo Sorce
would like to hear opinions on the matter. If we are using a FAST channel using the credentials of the host then you may be able to know (probably requires changes in the KDC to internally retain/convey the information). This is possible via SSSD, but will not work via kinit done by a generic user

Re: [Freeipa-users] freeipa / sudo

2014-12-10 Thread Simo Sorce
gt; trying to setup sudo rules so that if the user is in a given user > group, then the user can run "sudo su -" on the client to become root. FWIW you should probably use just sudo -i; it will avoid authorization issues to run the su service. Simo.

Re: [Freeipa-users] change directory manager password

2014-12-09 Thread Simo Sorce
plication doesn't care about the DM password. Simo.

Re: [Freeipa-users] DNS configuration

2014-12-08 Thread Simo Sorce
ake it possible for AD users to access the Linux systems without > > needing to create them in IPA. > > > So the approach would be: > > 1) Install IPA (do not migrate users) > 2) Establish trust with AD > 3) Start switching client configuration from using LDAP wi

Re: [Freeipa-users] Cross-Realm authentification

2014-12-04 Thread Simo Sorce
; issues with krb5 versions prior to 1.12 where capaths from > >> krb5.conf were blocking work of the DAL driver. > > > >Alexander, could you open a ticket to prevent us from forgetting > >about it? > I'm not sure yet this is valid. For FreeIPA-FreeIPA trust we&

Re: [Freeipa-users] ipa-getkeytab -e des3-hmac-sha1 doesnt work

2014-12-02 Thread Simo Sorce
hich is the one used with ipa < 4.x I am not exactly sure why we don't, I have a comment in the code that explicitly calls out SALTTYPE_V4 as not supported, explaining we do not support krb v4 though. Simo.

Re: [Freeipa-users] ipa-getkeytab -e des3-hmac-sha1 doesnt work

2014-12-01 Thread Simo Sorce
klist -k /tmp/principal.keytab -e > Keytab name: FILE:/tmp/principal.keytab > KVNO Principal The 2 enctypes are equivalent and can be interchanged afaik. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] Kerberos error: PREAUTH_FAILED: KRB5KRB_AP_ERR_BAD_INTEGRITY

2014-11-26 Thread Simo Sorce
> not found [20906] 1416845396.10316: Getting credentials > >>> usu...@fi.example.com -> > >> imap/ > >>> zimbrafreeipa.fi.example@fi.example.com using ccache > >> FILE:/tmp/krb5cc_0 > >>> [20906] 1416845396.10391: Retrieving usu...@fi.exampl

Re: [Freeipa-users] scripting question

2014-11-26 Thread Simo Sorce
here is no good reason for this, since both freeIPA and Hadoop > support modern encryptions, so I want to fix the script. Is there a > way for a script to query IPA for the supported encryption types? Why don't you just go with the defaults ? Simo. -- Simo Sorce * Red Hat, Inc * New Y

Re: [Freeipa-users] FreeIPA Kerberos and Single-DES for OpenAFS

2014-11-18 Thread Simo Sorce
inary (like the > > one on RHEL 6) that uses the old setkeytab control. > > > > We are working on a fix upstream and will land it asap. > > > > Simo. > In the lines above i read that the bug is in FreeIPA 4.x. > > Does this bug also belongs to FreeIPA Release 3.3

Re: [Freeipa-users] FreeIPA Kerberos and Single-DES for OpenAFS

2014-11-17 Thread Simo Sorce
y on the client but only when i > execute: > > kvno -e des-cbc-crc afs/cellname > > If i execute aklog to obtain an afs token from tgt i get a > afs/cellname@REALM service ticket without des-cbc-crc key. This is probably because you got all default enctypes in the key, s

Re: [Freeipa-users] FreeIPA Kerberos and Single-DES for OpenAFS

2014-11-12 Thread Simo Sorce
DES algorithms at all. On the KDC however you also need to change the list of allowed enctypes in LDAP and in the KDC configuration file. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] how to overcome same serial number in cert issue on different master servers?

2014-11-11 Thread Simo Sorce
On Tue, 11 Nov 2014 14:19:02 -0500 Simo Sorce wrote: > On Tue, 11 Nov 2014 04:17:37 + > Les Stott wrote: > > > > -Original Message- > > > From: Fraser Tweedale [mailto:ftwee...@redhat.com] > > > Sent: Tuesday, 11 November 2014 1:59 PM > &g

Re: [Freeipa-users] how to overcome same serial number in cert issue on different master servers?

2014-11-11 Thread Simo Sorce
t happened that way. So having a different > > > CommonName doesn't help. > > > > > Do the CA certificates bear the same commonName? This is probably > > what Firefox uses to determine if there are serial number > > collisions. > > > > It a

Re: [Freeipa-users] Apache WebDav file sharing permission problem

2014-11-10 Thread Simo Sorce
l NOTE: this is a little off topic for the FreeIPA list, I think you'll find more expertise on some Apache related user mailing lists. Regards, Simo. -- Simo Sorce * Red Hat, Inc * New York

[Freeipa-users] Helping testing FreeIPA 4.1.0 on Fedora Server Test Day

2014-11-04 Thread Simo Sorce
will be useful. Hope to see some of you online on Friday. See the link below for more information on prerequisites and the list of tests we planned. Cheers, Simo. [1] https://fedoraproject.org/wiki/Test_Day:2014-11-07_Server -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] Migrate KRB DB hashes to IPA LDAP

2014-11-04 Thread Simo Sorce
You will also probably need to use the '-x ipa-setup-override-restrictions' option. Keep in mind that I have NOT tested this procedure, it may work or it may fatally cripple your setup. At a minimum I strongly suggest you exclude the services tied to the IPA Servers themselves. Tak

Re: [Freeipa-users] Password Change from Gnome Desktop

2014-11-03 Thread Simo Sorce
ike a bug in Gnome Accounts stuff, can you change your password in a terminal using "passwd" ? Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] Question About Properly Configuring DNS

2014-10-27 Thread Simo Sorce
On Mon, 27 Oct 2014 17:50:13 + "Trevor T Kates (Services - 6)" wrote: > > -Original Message- > > From: Simo Sorce [mailto:s...@redhat.com] > > Sent: Monday, October 27, 2014 12:30 PM > > To: Trevor T Kates (Services - 6) > > Cc: freeipa-us

Re: [Freeipa-users] Question About Properly Configuring DNS

2014-10-27 Thread Simo Sorce
'd appreciate it. Uhmm sounds like a bug in reloading the info in the bind ldap plugin. Can you restart named on one of the other servers and tell if the warning goes away and/or if the client returns that server as authoritative after the bounce ? Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] Test connectivity before joining domain

2014-10-27 Thread Simo Sorce
Duncan, if you know python you can look into the ipa-replica-install tool, as it does a full check of accessibility. You do not need all those tests (as you do not need connection back from the server for example). But you can take inspiration there to see how we test each service. Simo. -- Simo S

Re: [Freeipa-users] Migration fails with custom objectClasses

2014-10-15 Thread Simo Sorce
've looked into all of the custom objectclasses and don't > see anything that would indicate errors. I have some 5k+ records to > migrate and don't want to have to manipulate the ldif and then create > modify records just to get the data into IPA. > > Any suggestions to hel

Re: [Freeipa-users] Migrate KRB DB hashes to IPA LDAP

2014-10-13 Thread Simo Sorce
to load back the dumped DB, provided you first create all users and hosts and services via the freeipa tools. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] Migrate KRB DB hashes to IPA LDAP

2014-10-08 Thread Simo Sorce
ding on what kdb database you used in the original realm. for importing in IPA you'd have to use kdb5_util with some additional options to prevent the driver from discarding your modify operations. I would strongly advise you to test this in a throwaway setup because it is likely you'll end u

Re: [Freeipa-users] Services and Keytabs for load-balanced hostnames

2014-09-29 Thread Simo Sorce
to doing this? > Make a host named broker.example.com > ipa host-add broker.example.com --force > > --force will make sure to create the host object even if there is no > such name in the DNS. > > Then create services for this host. > > You'll need to set

Re: [Freeipa-users] FreeIPA 3.3 and Solaris 10 Client Integration:

2014-09-26 Thread Simo Sorce
, > > Server not found in Kerberos database > > Sep 25 18:18:20 kwtpocipa001.orion.local krb5kdc[2373](info): > > TGS_REQ (6 etypes {18 17 16 23 3 1}) 172.16.107.107 > > <http://172.16.107.107>: LOOKING_UP_SERVER: authtime 0, > > admin@ORION.LOCAL <mailto:admin@ORION.LOCAL> for , > > Server not found in Kerberos database > > krb5kdc: Cannot determine realm for numeric host address - unable > > to find realm of host > > Sep 25 18:18:20 kwtpocipa001.orion.local krb5kdc[2373](info): > > TGS_REQ (6 etypes {18 17 16 23 3 1}) 172.16.107.107 > > <http://172.16.107.107>: LOOKING_UP_SERVER: authtime 0, > > admin@ORION.LOCAL <mailto:admin@ORION.LOCAL> for , > > Server not found in Kerberos database > > Sep 25 18:18:20 kwtpocipa001.orion.local krb5kdc[2373](info): > > TGS_REQ (6 etypes {18 17 16 23 3 1}) 172.16.107.107 > > <http://172.16.107.107>: LOOKING_UP_SERVER: authtime 0, > > admin@ORION.LOCAL <mailto:admin@ORION.LOCAL> for , > > Server not found in Kerberos database > > --- > > > > However DNS forward and reverse records DO seem to resolve: > > --- > > [root@kwtpocipa001 ~]# host 172.16.107.107 > > 107.107.16.172.in-addr.arpa domain name pointer > > kwtpocipasol10u11.orion.local. [root@kwtpocipa001 ~]# host > > kwtpocipasol10u11.orion.local kwtpocipasol10u11.orion.local has > > address 172.16.107.107 --- > > I assume this is being run from your IPA server - it looks OK. 
> > > > > And we can kinit and get a ticket: > > --- > > bash-3.2# kinit admin@ORION.LOCAL <mailto:admin@ORION.LOCAL> > > Password for admin@ORION.LOCAL <mailto:admin@ORION.LOCAL>: > > bash-3.2# > > bash-3.2# > > bash-3.2# klist > > Ticket cache: FILE:/tmp/krb5cc_0 > > Default principal: admin@ORION.LOCAL <mailto:admin@ORION.LOCAL> > > Valid startingExpiresService > > principal 09/25/14 18:31:49 09/25/14 19:31:49 > > krbtgt/ORION.LOCAL@ORION.LOCAL > > <mailto:krbtgt/ORION.LOCAL@ORION.LOCAL> renew until 10/02/14 > > 18:31:49 bash-3.2# > > --- > > Regards, > > Traiano > > Hmm, not sure what is the problem. Simo, do you know? Use a fully qualified name of the nfs server on the mount command, not an IP address. > I would just make sure that /etc/krb5.keytab on the NFS server (klist > -kt /etc/krb5.keytab) has keys for both NFS and host service and all > use the right fully qualified hostname. Yes, having a nfs/fqdn@REALM key on the client is recommended and necessary in some cases. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] apache kerberized nfs4 /var/www/html access denied for apache user

2014-09-22 Thread Simo Sorce
On Mon, 22 Sep 2014 15:09:42 -0400 Dmitri Pal wrote: > On 09/20/2014 05:19 PM, Simo Sorce wrote: > > On Sat, 20 Sep 2014 19:44:28 +0200 > > Rob Verduijn wrote: > > > >> Hi again, > >> > >> Thank you for the quick response. > >> I'v

Re: [Freeipa-users] apache kerberized nfs4 /var/www/html access denied for apache user

2014-09-20 Thread Simo Sorce
mechs = krb5 > cred_store = client_keytab:/etc/gssproxy/%U.keytab > cred_usage = initiate > allow_any_uid = no > trusted = yes > euid = 48 > > > > 2014-09-20 18:15 GMT+02:00 Simo Sorce : > > > On Sat, 20 Sep 2014 16:53:48 +0200 > > Rob Verduijn wrot

Re: [Freeipa-users] apache kerberized nfs4 /var/www/html access denied for apache user

2014-09-20 Thread Simo Sorce
On Sat, 20 Sep 2014 11:38:16 -0500 Anthony Messina wrote: > On Saturday, September 20, 2014 12:15:04 PM Simo Sorce wrote: > > > [service/nfs-client] > > > > > > mechs = krb5 > > > cred_store = keytab:/etc/krb5.keytab > > > cred_store =

Re: [Freeipa-users] apache kerberized nfs4 /var/www/html access denied for apache user

2014-09-20 Thread Simo Sorce
roxy can find actual user's ccaches, though that may comport some minor risk and will force you to run gss-proxy as root. HTH, Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] Client Certificate

2014-09-18 Thread Simo Sorce
On Thu, 18 Sep 2014 18:49:44 +0300 "Walid A. Shaari" wrote: > Great Rob, would that be still doable with RHEL5 and RHEL6 ipa 2, and > 3 clients? The X509 certificate has always been provided as a commodity but never required. Keytabs are the only thing we require. Simo. --

Re: [Freeipa-users] Kerberized NFS and automount

2014-09-18 Thread Simo Sorce
5.keytab. Note that you may want to do the same on clients. Create a nfs service key for clients and stick it in /etc/krb5.keytab It should work using the host key if you don't though. Simo. -- Simo Sorce * Red Hat, Inc * New York
