Re: [Freeipa-users] FreeIpa Server + NFSv4 Kerberos mount problem.

2016-10-09 Thread Arthur Morales Sampaio
Alan, thank you very much for your prompt answer. I didn't completely
understand your point.

So basically FreeNAS would be incompatible with FreeIPA? If that is the
case, my alternative would be to set up another NFS server?

Did you by any chance get this working before? The reason why I am asking
you this is just because I have followed so many guides already and I even
tried a separate Ubuntu NFS server which also didn't work.

If this approach of using FreeIPA + NFSv4 works, is there any recommended
scenario that would lead to a working solution between them?

Thank you very much.
Arthur.

On Sat, Oct 8, 2016 at 6:05 PM Alan Latteri wrote:

> I think your problem is FreeNAS and not IPA itself.  In FreeNAS 10 they
> will have built-in IPA functionality.
>
> On Oct 8, 2016, at 5:47 PM, Arthur Morales Sampaio wrote:
>
> Good morning, my name is Arthur and I am working on the integration of
> FreeIPA and NFSv4 mounting for home directory sharing for authenticated
> users.
>
> This is the first time I am doing this, so the problem could be simple.
> It's already been a week that I have been struggling with this and I don't
> know where else to ask for help. I have read pretty much everything that is
> to be read online regarding Freeipa integration.
>
> Here is my scenario:
> - FreeIPA server 4.2.0 - Centos7
> - FreeNAS (NFSv4 server) 10 - FreeBSD (bundled with FreeNAS)
> - Client Ubuntu 16.04. Installed IPA client using ipa-client-install and
> imported LDAP credentials. Kerberos login is working properly; I can log
> into the machines using IPA users. But I can't mount NFS4 using the
> sec=krb5 option.
>
> I have a functional FreeIPA server with Kerberos authentication working
> properly. But I can't get authenticated NFSv4 to work on the freeipa clients.
>
> Following is the error that I am getting:
>
>
>
> I know that this might not be enough detail for me to get help with this
> problem. But the thing is that I don't know how to enable more verbose
> output for this.
>
> The desired behavior would be to create mounts for the home directories of
> users and enable kerberos security to mount them, meaning that I need only
> the owners to be able to mount them.
>
> This is something that is very confusing to me. Wouldn't I be required to
> somehow pass the username or some credentials of the kerberos user to the
> mount command, just so the NFS server would know *WHO* is trying to mount
> the directory?
>
> I have really exhausted my resources trying to fix this issue.
>
> Does FreeIPA work with NFSv4?
>
> I sincerely appreciate your help on this one.
>
> Best regards,
> Arthur
>
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>
>

[Freeipa-users] FreeIpa Server + NFSv4 Kerberos mount problem.

2016-10-08 Thread Arthur Morales Sampaio
Good morning, my name is Arthur and I am working on the integration of
FreeIPA and NFSv4 mounting for home directory sharing for authenticated
users.

This is the first time I am doing this, so the problem could be simple. It's
already been a week that I have been struggling with this and I don't know
where else to ask for help. I have read pretty much everything that is to
be read online regarding Freeipa integration.

Here is my scenario:
- FreeIPA server 4.2.0 - Centos7
- FreeNAS (NFSv4 server) 10 - FreeBSD (bundled with FreeNAS)
- Client Ubuntu 16.04. Installed IPA client using ipa-client-install and
imported LDAP credentials. Kerberos login is working properly; I can log
into the machines using IPA users. But I can't mount NFS4 using the
sec=krb5 option.

I have a functional FreeIPA server with Kerberos authentication working
properly. But I can't get authenticated NFSv4 to work on the freeipa clients.

Following is the error that I am getting:



I know that this might not be enough detail for me to get help with this
problem. But the thing is that I don't know how to enable more verbose
output for this.

The desired behavior would be to create mounts for the home directories of
users and enable kerberos security to mount them, meaning that I need only
the owners to be able to mount them.

This is something that is very confusing to me. Wouldn't I be required to
somehow pass the username or some credentials of the kerberos user to the
mount command, just so the NFS server would know *WHO* is trying to mount
the directory?

I have really exhausted my resources trying to fix this issue.

Does FreeIPA work with NFSv4?

I sincerely appreciate your help on this one.

Best regards,
Arthur

Re: [Freeipa-users] named-pkcs11 doesn't start after bind update

2016-08-17 Thread Arthur Fayzullin
Any news? I've tried to make selinux permissive and write a new policy;
that didn't help.

# loadable module header (checkmodule needs it; the name here is assumed,
# the post omitted this line)
module named_ipa_local 1.0;

require {
	type ipa_var_lib_t;
	type named_t;
	class dir read;
	class file { write open lock read getattr };
}

#============= named_t ==============
# let named-pkcs11 (named_t) list the IPA DNSSEC token directory and
# read/write/lock the token files under it
allow named_t ipa_var_lib_t:dir read;
allow named_t ipa_var_lib_t:file { write open lock read getattr };


On 22.07.2016 13:04, Roberto Cornacchia wrote:
> Ben and Petr,
>
> Thanks for your inputs, I'll keep an eye on those bug reports.
>
> Roberto
>
> On 22 July 2016 at 09:51, Petr Spacek wrote:
>
> On 22.7.2016 04:43, Ben Lipton wrote:
> > I'm not familiar enough with Fedora release engineering to know
> how this gets
> > fixed permanently, but I'll share some investigation I've done.
> >
> > This appears to be due to a change in the
> selinux-policy-targeted package that
> > happened recently. As of the latest version, named-pkcs11 tries
> to run as type
> > named_t instead of unconfined_service_t, but it isn't allowed to
> read the
> > files from IPA [1]. When I downgraded to the selinux-policy and
> > selinux-policy-targeted packages from [2] I was able to start
> named-pkcs11, so
> > that might be a workaround you can use for now. Ultimately, the
> patch that
> > fixes [3] might need to be backported to F23.
>
> This is being tracked as
> https://bugzilla.redhat.com/show_bug.cgi?id=1357665
>
> Stay tuned.
>
> Petr^2 Spacek
>
> >
> > Ben
> >
> > [1]
> > 
> > time->Fri Jul 22 04:17:44 2016
> > type=AVC msg=audit(1469153864.756:705): avc:  denied  { read }
> for pid=11616
> > comm="named-pkcs11" name="tokens" dev="dm-0" ino=26318195
> > scontext=system_u:system_r:named_t:s0
> > tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=dir
> permissive=1
> > 
> > time->Fri Jul 22 04:17:44 2016
> > type=AVC msg=audit(1469153864.756:706): avc:  denied  { getattr
> } for
> > pid=11616 comm="named-pkcs11"
> >
> 
> path="/var/lib/ipa/dnssec/tokens/12cfb199-b2fe-d328-0b3a-e644756b73d6/token.object"
> > dev="dm-0" ino=609982 scontext=system_u:system_r:named_t:s0
> > tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=file
> permissive=1
> > 
> > time->Fri Jul 22 04:17:44 2016
> > type=AVC msg=audit(1469153864.756:707): avc:  denied  { read
> write } for
> > pid=11616 comm="named-pkcs11" name="generation" dev="dm-0"
> ino=731584
> > scontext=system_u:system_r:named_t:s0
> > tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=file
> permissive=1
> > 
> > time->Fri Jul 22 04:17:44 2016
> > type=AVC msg=audit(1469153864.757:708): avc:  denied  { open }
> for pid=11616
> > comm="named-pkcs11"
> >
> 
> path="/var/lib/ipa/dnssec/tokens/12cfb199-b2fe-d328-0b3a-e644756b73d6/generation"
> > dev="dm-0" ino=731584 scontext=system_u:system_r:named_t:s0
> > tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=file
> permissive=1
> > 
> > time->Fri Jul 22 04:17:44 2016
> > type=AVC msg=audit(1469153864.757:709): avc:  denied  { lock }
> for pid=11616
> > comm="named-pkcs11"
> >
> 
> path="/var/lib/ipa/dnssec/tokens/12cfb199-b2fe-d328-0b3a-e644756b73d6/generation"
> > dev="dm-0" ino=731584 scontext=system_u:system_r:named_t:s0
> > tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=file
> permissive=1
> >
> > [2] http://koji.fedoraproject.org/koji/buildinfo?buildID=758088
> > [3] https://bugzilla.redhat.com/show_bug.cgi?id=1333106
> >
> > On 07/21/2016 05:51 PM, Roberto Cornacchia wrote:
> >> UPDATE:
> >>
> >> Tried again the whole procedure with ipa-dns-install, and it
> DOES work with
> >> SElinux disabled, and still fails with SElinux enabled.
> >>
> >> So the error "Failed to enumerate object store in
> /var/lib/softhsm/tokens/"
> >> makes sense.
> >>
> >> Can someone help me fix it?
> >>
> >> $ ll -Z /var/lib/ipa/dnssec/
> >> total 12
> >> -rwxrwx---. 1 ods named unconfined_u:object_r:ipa_var_lib_t:s0 
>  30 Jul 21
> >> 22:50 softhsm_pin*
> >> drwxrws---. 3 ods named unconfined_u:object_r:ipa_var_lib_t:s0
> 4096 Jul 21
> >> 22:50 tokens/
> >>
> >>
> >>
> >> On 21 July 2016 at 23:11, Roberto Cornacchia <roberto.cornacc...@gmail.com> wrote:
> >>
> >> - FC23
> >> - IPA 4.2.4
> >>
> >> After a dnf update, bind was updated (no ipa updates),
> >> and named-pkcs11 doesn't start anymore.
> >>
> >>
> >> $ /usr/sbin/named-pkcs11 -d 9 -g
> >> 21-Jul-2016 23:08:50.332 starting BIND
> >> 9.10.3-P4-RedHat-9.10.3-13.P4.fc23  -d 9 -g
> >> 21-Jul-
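Ben's analysis above comes down to reading the AVC records and turning them into allow rules, which is what audit2allow does. As an added example (not from the thread or from the SELinux tools), the script below does that reduction over the thread's own denials, reflowed onto single lines, and emits a module in the shape of the one Arthur posted; the module name is assumed. Such a module grants named_t exactly what was denied and nothing is checked beyond that, so it is a stopgap until the policy fix Petr pointed to lands.

```python
import re
from collections import defaultdict

# AVC records taken from the thread's audit output, reflowed onto single
# lines (the archive wrapped them). Sample input, not captured live here.
SAMPLE_AVC = """\
type=AVC msg=audit(1469153864.756:705): avc:  denied  { read } for pid=11616 comm="named-pkcs11" name="tokens" dev="dm-0" ino=26318195 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1469153864.756:706): avc:  denied  { getattr } for pid=11616 comm="named-pkcs11" path="/var/lib/ipa/dnssec/tokens/12cfb199-b2fe-d328-0b3a-e644756b73d6/token.object" dev="dm-0" ino=609982 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1469153864.756:707): avc:  denied  { read write } for pid=11616 comm="named-pkcs11" name="generation" dev="dm-0" ino=731584 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1469153864.757:708): avc:  denied  { open } for pid=11616 comm="named-pkcs11" path="/var/lib/ipa/dnssec/tokens/12cfb199-b2fe-d328-0b3a-e644756b73d6/generation" dev="dm-0" ino=731584 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1469153864.757:709): avc:  denied  { lock } for pid=11616 comm="named-pkcs11" path="/var/lib/ipa/dnssec/tokens/12cfb199-b2fe-d328-0b3a-e644756b73d6/generation" dev="dm-0" ino=731584 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=file permissive=1
"""

# One AVC record: the denied permission set, then source/target context and class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)


def selinux_type(context: str) -> str:
    """Extract the type field from a user:role:type[:level] context string."""
    return context.split(":")[2]


def collect_denials(lines):
    """Group denied permissions by (source type, target type, object class)."""
    denials = defaultdict(set)
    for line in lines:
        m = AVC_RE.search(line)
        if m is None:
            continue  # not an AVC record (or a wrapped fragment): skip it
        key = (selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"])
        denials[key].update(m["perms"].split())
    return dict(denials)


def _perm_set(perms) -> str:
    """Render a permission set in .te syntax: bare name or { a b c }."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def render_policy(denials, module_name="named_ipa_local") -> str:
    """Emit loadable-module .te source covering exactly the observed denials."""
    types = sorted({t for key in denials for t in key[:2]})
    per_class = defaultdict(set)
    for (_, _, tclass), perms in denials.items():
        per_class[tclass].update(perms)
    out = [f"module {module_name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {_perm_set(per_class[c])};" for c in sorted(per_class)]
    out += ["}", ""]
    for key in sorted(denials):
        stype, ttype, tclass = key
        out.append(f"allow {stype} {ttype}:{tclass} {_perm_set(denials[key])};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(render_policy(collect_denials(SAMPLE_AVC.splitlines())))
```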

Re: [Freeipa-users] question about automount config

2016-06-07 Thread Arthur Fayzullin
I have done as you said. Here is the output:

[root@nfsclient ~]# automount -vvvf
1  Starting automounter version 5.1.1-3.fc23, master map auto.master
2  using kernel protocol version 5.02
3  mounted indirect on /misc with timeout 300, freq 75 seconds
4  mounted indirect on /net with timeout 300, freq 75 seconds
5  mounted indirect on /home with timeout 300, freq 75 seconds
6  lookup_read_map: lookup(sss): getautomntent_r: No such file or directory
7  attempting to mount entry /home/afayzullin
8  >> mount.nfs4: Connection timed out
9  mount(nfs): nfs: mount failure nfserver.ciktrb.ru:/home/afayzullin on
/home/afayzullin
10 failed to mount /home/afayzullin
11 re-reading map for /home
12 attempting to mount entry /home/afayzullin

Lines 1 to 6 are the startup output. I have googled
'getautomntent_r'; it showed some closed threads that should be fixed
(lines 3, 4, 5 show that it is OK).
From line 7, I try to log in as afayzullin and autofs tries to mount it as
I wish, but for some reason it cannot.
How can I find out why it cannot do it? Where should I look?

Also, I have put debug_level=6 in [autofs] in /etc/sssd/sssd.conf, and
here is a piece of /var/log/sssd/sssd_autofs.log:

(Tue Jun  7 15:59:58 2016) [sssd[autofs]] [accept_fd_handler] (0x0400):
Client connected!
(Tue Jun  7 15:59:58 2016) [sssd[autofs]] [sss_cmd_get_version]
(0x0200): Received client version [1].
(Tue Jun  7 15:59:58 2016) [sssd[autofs]] [sss_cmd_get_version]
(0x0200): Offered version [1].
(Tue Jun  7 15:59:58 2016) [sssd[autofs]] [sss_autofs_cmd_setautomntent]
(0x0400): Got request for automount map named auto.home
(Tue Jun  7 15:59:58 2016) [sssd[autofs]] [sss_parse_name_for_domains]
(0x0200): name 'auto.home' matched without domain, user is auto.home
(Tue Jun  7 15:59:58 2016) [sssd[autofs]] [setautomntent_send] (0x0400):
Requesting info for automount map [auto.home] from []
(Tue Jun  7 15:59:58 2016) [sssd[autofs]] [lookup_automntmap_step]
(0x0400): Requesting info for [auto.h...@ciktrb.ru]
(Tue Jun  7 15:59:58 2016) [sssd[autofs]] [sss_dp_issue_request]
(0x0400): Issuing request for [0x558ed3ebab90:0:auto.h...@ciktrb.ru]
(Tue Jun  7 15:59:58 2016) [sssd[autofs]] [sss_dp_get_autofs_msg]
(0x0400): Creating autofs request for [ciktrb.ru][4105][mapname=auto.home]
(Tue Jun  7 15:59:58 2016) [sssd[autofs]] [sss_dp_internal_get_send]
(0x0400): Entering request [0x558ed3ebab90:0:auto.h...@ciktrb.ru]
(Tue Jun  7 15:59:58 2016) [sssd[autofs]] [lookup_automntmap_step]
(0x0400): Requesting info for [auto.h...@ciktrb.ru]
(Tue Jun  7 15:59:58 2016) [sssd[autofs]] [sysdb_autofs_entries_by_map]
(0x0400): Getting entries for map auto.home
(Tue Jun  7 15:59:58 2016) [sssd[autofs]] [lookup_automntmap_step]
(0x0400): setautomntent done for map auto.home
(Tue Jun  7 15:59:58 2016) [sssd[autofs]]
[sss_autofs_cmd_setautomntent_done] (0x0400): setautomntent found data
(Tue Jun  7 15:59:58 2016) [sssd[autofs]] [sss_dp_req_destructor]
(0x0400): Deleting request: [0x558ed3ebab90:0:auto.h...@ciktrb.ru]
(Tue Jun  7 15:59:58 2016) [sssd[autofs]]
[sss_autofs_cmd_getautomntbyname] (0x0400): Requested data of map
auto.home key afayzullin
(Tue Jun  7 15:59:58 2016) [sssd[autofs]] [getautomntbyname_process]
(0x0080): No key named [afayzullin] found
(Tue Jun  7 15:59:58 2016) [sssd[autofs]]
[sss_autofs_cmd_getautomntbyname] (0x0400): Requested data of map
auto.home key /
(Tue Jun  7 15:59:58 2016) [sssd[autofs]] [getautomntbyname_process]
(0x0080): No key named [/] found
(Tue Jun  7 15:59:58 2016) [sssd[autofs]]
[sss_autofs_cmd_getautomntbyname] (0x0400): Requested data of map
auto.home key *
(Tue Jun  7 15:59:58 2016) [sssd[autofs]] [sss_autofs_cmd_endautomntent]
(0x0400): endautomntent called

While a manual mount works fine:
# mount -vvv -t nfs4 nfserver.ciktrb.ru:/home/afayzullin /mnt
mount.nfs4: timeout set for Tue Jun  7 17:07:25 2016
mount.nfs4: trying text-based options
'vers=4.2,addr=10.254.1.167,clientaddr=10.254.1.168'
[root@nfsclient ~]# echo $?
0
[root@nfsclient ~]# mount -l
nfserver.ciktrb.ru:/home/afayzullin on /mnt type nfs4
(rw,relatime,seclabel,vers=4.2,rsize=131072,wsize=131072,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=krb5,clientaddr=10.254.1.168,local_lock=none,addr=10.254.1.167)

$ ssh nfsclient
Creating home directory for afayzullin.
Last login: Tue Jun  7 17:34:14 2016
Could not chdir to home directory /home/afayzullin: No such file or
directory
-bash-4.3$ ll /mnt
итого 0
-rw-rw-r--. 1 afayzullin afayzullin 0 июн  7 17:00 test

but home is empty:
# ll /home/
итого 0

So what steps should I take next?

On 24.05.2016 18:01, Prasun Gera wrote:
> You can stop the autofs daemon, and run it in foreground with
> automount -fvv. Then try to access the mount point in parallel. The
> logs from the foreground run should shed some light. Also, does your
> autofs setup work without kerberos ? As a first step, get it to work with
> non-kerberised nfs.
>
> On Mon, May 23, 2016 at 11

Re: [Freeipa-users] question about automount config

2016-05-30 Thread Arthur Fayzullin
Thanks! I'll try to debug it in my test environment.


On 24.05.2016 18:01, Prasun Gera wrote:
> You can stop the autofs daemon, and run it in foreground with
> automount -fvv. Then try to access the mount point in parallel. The
> logs from the foreground run should shed some light. Also, does your
> autofs setup work without kerberos ? As a first step, get it to work with
> non-kerberised nfs.
>
> On Mon, May 23, 2016 at 11:06 AM, Arthur Fayzullin <art...@deus.pro> wrote:
>
> Good day, colleagues!
> I am confused about how automount works and how to configure it. I have
> tried to configure it according to
> 
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html
> document (paragraph 9.1.1 and chapter 20).
> I have tried to make it work on 3 servers:
> 1. ipa server;
> 2. nfs server (node00);
> 3. nfs client (postgres).
>
>
> *** so here is how it is configured on the ipa server:
> $ ipa automountlocation-tofiles amantai
> /etc/auto.master:
> /-  /etc/auto.direct
> /home   /etc/auto.home
> ---
> /etc/auto.direct:
> ---
> /etc/auto.home:
> *   -sec=kr5i,rw,fstype=nfs4 node00.glavsn.ab:/home/&
>
> maps not connected to /etc/auto.master:
>
> $ ipa service-find nfs
> --
> 2 services matched
> --
>   Основной: nfs/node00.glavsn...@glavsn.ab
>   Keytab: True
>   Managed by: node00.glavsn.ab
>
>   Основной: nfs/postgres.glavsn...@glavsn.ab
>   Keytab: True
>   Managed by: postgres.glavsn.ab
>
>
> *** here is the nfs server config:
> $ sudo klist -k
> Пароль:
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> 
> --
>1 host/node00.glavsn...@glavsn.ab
>1 host/node00.glavsn...@glavsn.ab
>1 host/node00.glavsn...@glavsn.ab
>1 host/node00.glavsn...@glavsn.ab
>2 nfs/node00.glavsn...@glavsn.ab
>2 nfs/node00.glavsn...@glavsn.ab
>2 nfs/node00.glavsn...@glavsn.ab
>2 nfs/node00.glavsn...@glavsn.ab
>
> $ cat /etc/exports
> /home *(rw,sec=sys:krb5:krb5i:krb5p)
>
> $ sudo firewall-cmd --list-all
> public (default, active)
>   interfaces: bridge0 enp1s0
>   sources:
>   services: dhcpv6-client nfs ssh
>   ports: 8001/tcp
>   masquerade: no
>   forward-ports:
>   icmp-blocks:
>   rich rules:
>
> $ getenforce
> Enforcing
>
>
> *** here is the nfs client config:
> # klist -k
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> 
> --
>1 host/postgres.glavsn...@glavsn.ab
>1 host/postgres.glavsn...@glavsn.ab
>1 host/postgres.glavsn...@glavsn.ab
>1 host/postgres.glavsn...@glavsn.ab
>1 nfs/postgres.glavsn...@glavsn.ab
>1 nfs/postgres.glavsn...@glavsn.ab
>1 nfs/postgres.glavsn...@glavsn.ab
>1 nfs/postgres.glavsn...@glavsn.ab
>
> # firewall-cmd --list-all
> FedoraServer (default, active)
>   interfaces: ens3
>   sources:
>   services: cockpit dhcpv6-client ssh
>   ports:
>   protocols:
>   masquerade: no
>   forward-ports:
>   icmp-blocks:
>   rich rules:
>
> # mount -l  (contains this line)
> auto.home on /home type autofs
> (rw,relatime,fd=25,pgrp=960,timeout=300,minproto=5,maxproto=5,indirect)
>
> # ll /home/afayzullin
> ls says that it cannot access /home/afayzullin: no such file or
> directory
>
> I have run
> # ipa-client-automount --location=amantai
> on the client and it completed successfully.
>
> I have tried to disable selinux and drop iptables rules. And now I am a
> little confused about what to do next. Maybe someone who has dealt with
> automount config can give me some advice, or point me to a howto on
> configuring automount, or advise how to debug this situation?
>


[Freeipa-users] question about automount config

2016-05-23 Thread Arthur Fayzullin
Good day, colleagues!
I am confused about how automount works and how to configure it. I have
tried to configure it according to
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html
document (paragraph 9.1.1 and chapter 20).
I have tried to make it work on 3 servers:
1. ipa server;
2. nfs server (node00);
3. nfs client (postgres).


*** so here is how it is configured on the ipa server:
$ ipa automountlocation-tofiles amantai
/etc/auto.master:
/-  /etc/auto.direct
/home   /etc/auto.home
---
/etc/auto.direct:
---
/etc/auto.home:
*   -sec=kr5i,rw,fstype=nfs4 node00.glavsn.ab:/home/&

maps not connected to /etc/auto.master:

$ ipa service-find nfs
--
2 services matched
--
  Основной: nfs/node00.glavsn...@glavsn.ab
  Keytab: True
  Managed by: node00.glavsn.ab

  Основной: nfs/postgres.glavsn...@glavsn.ab
  Keytab: True
  Managed by: postgres.glavsn.ab


*** here is the nfs server config:
$ sudo klist -k
Пароль:
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal

--
   1 host/node00.glavsn...@glavsn.ab
   1 host/node00.glavsn...@glavsn.ab
   1 host/node00.glavsn...@glavsn.ab
   1 host/node00.glavsn...@glavsn.ab
   2 nfs/node00.glavsn...@glavsn.ab
   2 nfs/node00.glavsn...@glavsn.ab
   2 nfs/node00.glavsn...@glavsn.ab
   2 nfs/node00.glavsn...@glavsn.ab

$ cat /etc/exports
/home *(rw,sec=sys:krb5:krb5i:krb5p)

$ sudo firewall-cmd --list-all
public (default, active)
  interfaces: bridge0 enp1s0
  sources:
  services: dhcpv6-client nfs ssh
  ports: 8001/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

$ getenforce
Enforcing


*** here is the nfs client config:
# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal

--
   1 host/postgres.glavsn...@glavsn.ab
   1 host/postgres.glavsn...@glavsn.ab
   1 host/postgres.glavsn...@glavsn.ab
   1 host/postgres.glavsn...@glavsn.ab
   1 nfs/postgres.glavsn...@glavsn.ab
   1 nfs/postgres.glavsn...@glavsn.ab
   1 nfs/postgres.glavsn...@glavsn.ab
   1 nfs/postgres.glavsn...@glavsn.ab

# firewall-cmd --list-all
FedoraServer (default, active)
  interfaces: ens3
  sources:
  services: cockpit dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

# mount -l  (contains this line)
auto.home on /home type autofs
(rw,relatime,fd=25,pgrp=960,timeout=300,minproto=5,maxproto=5,indirect)

# ll /home/afayzullin
ls says that it cannot access /home/afayzullin: no such file or directory

I have run
# ipa-client-automount --location=amantai
on the client and it completed successfully.

I have tried to disable selinux and drop iptables rules. And now I am a
little confused about what to do next. Maybe someone who has dealt with
automount config can give me some advice, or point me to a howto on
configuring automount, or advise how to debug this situation?


Re: [Freeipa-users] FreeRadius and FreeIPA

2016-01-18 Thread Arthur Fayzullin
Thanks for such a good explanation! That pointed my search in the right direction.
I have succeeded in integrating freeradius with freeipa with the help of
William Brown and his blog. Thanks to him :-)
Links to related articles in his blog:
first part: https://firstyear.id.au/entry/22
second part: https://firstyear.id.au/entry/45

With one small difference taken from this guide:
http://www.freeipa.org/page/Using_FreeIPA_and_FreeRadius_as_a_RADIUS_based_software_token_OTP_system_with_CentOS/RedHat_7
I additionally defined the
base_dn =
server =
parameters in the /etc/raddb/mods-enabled/ldap file.

Everything works fine. Now it would be nice to define different admin
levels for different users on different network devices.
But anyway everything works!!! Thanks to all!

One little question left: what does the
ipa radiusproxy-add
command do? What is its purpose? Why does everything work without it?

On 14.12.2015 15:12, Alexander Bokovoy wrote:
> On Wed, 09 Dec 2015, Randy Morgan wrote:
>> Hello,
>>
>> We are setting up our wireless to authenticate against FreeRadius and
>> FreeIPA.  I am looking for any instructions on how to integrate
>> radius with IPA.  We can get them talking via kerberos, but when we
>> have a wireless client attempt to authenticate against them, the
>> password gets stripped out and only the username gets passed on,
>> resulting in a failed logon attempt.
>>
>> As we have studied the problem we have identified the communication
>> protocols used by wireless to pass on the user credentials to
>> radius.  Wireless uses EAP as its primary protocol.  We are running
>> Xirrus wireless APs and from what we can learn, they act only as a
>> pass through conduit for the client.  Ideally we would like them to
>> speak PEAP TTLS, this would allow kerberos to process from the client
>> to the IPA server, we are still researching this.
>>
>> Are there any instructions on how to integrate FreeRadius 3.0.10 with
>> FreeIPA 3.3.5?  Any help would be appreciated.
> We see this question asked periodically. What we ask always prior to
> answering it is what it would be used for? What authentication
> mechanisms RADIUS is supposed to provide to its clients?
>
> FreeRADIUS authenticating against IPA is easy. However, depending on
> what authentication mechanisms are required it will be either not
> possible to achieve or will definitely degrade security of the setup.
>
> A general approach is to use the following setup to use PAP authentication:
>  1. Installing the 'freeradius-ldap' rpm from yum
>  2. chmod 775 /etc/raddb/certs (so radiusd can write cert files)
>  3. Change your 'authorize' and 'authenticate' sections of
>  /etc/raddb/radiusd.conf to:
>
>  authorize {
>      ldap
>  }
>  authenticate {
>      Auth-Type LDAP {
>          ldap
>      }
>  }
>
> During PAP a plaintext password is passed to the RADIUS server
> (encrypted with a weak MD5 shared secret).
>
> When the RADIUS server receives the users plaintext password in the
> conventional configuration it simply compares the received password with
> the stored password. The issue with IPA is there is no stored plaintext
> password to compare to, therefore you cannot use conventional PAP with
> IPA.
>
> But FreeRADIUS permits you to do other things with PAP besides just
> comparing the received password against the stored password for the
> user. You can instruct FreeRADIUS to use what they call an
> "authentication oracle", or at the risk of loose terminology to "proxy"
> the authentication to another authentication server (not to be confused
> with radius proxy where the radius transaction is proxied to another
> radius server).
>
> There are two authentication oracles FreeRADIUS can use
>
> * LDAP
> * Kerberos
>
> In this scenario the plantext password received by the RADIUS server is
> used to authenticate against the oracle. For LDAP it does a simple bind.
> For Kerberos it does a kinit. If the authentication succeeds the RADIUS
> server ACK's the PAP. The thing to note here is this is still occurring
> with PAP but no password comparison is being performed.
>
> There is a third "oracle" FreeRADIUS can utilize, namely Active
> Directory, but in this case the protocol is not PAP, the ntlm_auth
> helper from Samba is used instead with the RADIUS server communicating
> with ntlm_auth which communicates with AD.
>
> The suggestion of using strong passwords is always a good idea. The
> password transmission between the client and the radius server only
> enjoys weak protection so a strong password is especially important.
> Communication between the RADIUS server and its oracles can be quite
> strong and is generally not a concern if things are configured properly.
>
> Now, there is an issue if you would want to authenticate Windows clients
> using MS CHAPv2 because that implies that FreeRADIUS would want to fetch
> a weak NTLM hash to do negotiation on its own side.
>
> To achieve that, one would need to give up the hashes to FreeRADIUS
> instance. We consider them weak as they can 
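Alexander's remark that a PAP password reaches the RADIUS server "encrypted with a weak MD5 shared secret" refers to the User-Password hiding of RFC 2865 section 5.2. As an added example, not from the thread or from FreeRADIUS, here is that transform in Python with a constructed password, shared secret and Request Authenticator; it shows that the value is protected only by the shared secret, with no key derivation and no integrity tag, which is why the advice above is to use strong passwords and to put the real strength in the link between the RADIUS server and its oracle.

```python
import hashlib
import secrets


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def new_request_authenticator() -> bytes:
    """The 16 random bytes a NAS puts in an Access-Request; they seed the hiding."""
    return secrets.token_bytes(16)


def hide_user_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding, as a NAS does before sending.

    The password is NUL-padded to a multiple of 16 bytes. Each block is XORed
    with MD5(secret || previous ciphertext block); the first block is keyed by
    MD5(secret || Request Authenticator). That XOR is the whole protection.
    """
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be exactly 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes before padding")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = bytearray()
    chain = request_authenticator
    for offset in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + chain).digest()
        block = _xor(padded[offset:offset + 16], keystream)
        hidden += block
        chain = block  # the next keystream block depends on this ciphertext block
    return bytes(hidden)


def reveal_user_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse transform, as the RADIUS server (or anyone holding the secret) does."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden value must be a non-empty multiple of 16 bytes")
    plain = bytearray()
    chain = request_authenticator
    for offset in range(0, len(hidden), 16):
        block = hidden[offset:offset + 16]
        plain += _xor(block, hashlib.md5(secret + chain).digest())
        chain = block
    # Padding is NUL bytes; PAP passwords cannot contain NUL, so strip them.
    return bytes(plain).rstrip(b"\x00")


if __name__ == "__main__":
    # Constructed demo values: the secret is the NAS/server shared secret.
    secret = b"testing123"
    auth = new_request_authenticator()
    wire = hide_user_password(b"hunter2", secret, auth)
    print("on the wire:", wire.hex())
    print("server side:", reveal_user_password(wire, secret, auth))
```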

Re: [Freeipa-users] error while installing ipa-replica with ca

2016-01-11 Thread Arthur Fayzullin
Bingo!!!
That's it!!!
The DM password contains a '%' symbol!

I am not sure, but with previous versions that has not caused any problem.

Thanks a lot!

On 11.01.2016 16:48, Martin Kosek wrote:
> On 01/11/2016 12:01 PM, Arthur Fayzullin wrote:
>> Good day, Colleagues!
>>
>> And Happy New Year!
>>
>> I have tried to install a test stand with ipa v4.2 and 2 master-master
>> servers.
>>
>> files /etc/hosts on both servers contain:
>> 127.0.0.1   localhost localhost.localdomain localhost4
>> localhost4.localdomain4
>> ::1 localhost localhost.localdomain localhost6
>> localhost6.localdomain6
>>
>> 10.254.1.114 radipa00.test.ckt radipa00
>> 10.254.1.154 radipa01.test.ckt radipa01
>>
>> prepare key for replica server:
>> [root@radipa00 ipa]# ipa-replica-prepare --ip-address=10.254.1.154
>> radipa01.test.ckt
>>
>> copy it to replica:
>> [root@radipa00 ipa]# scp /var/lib/ipa/replica-info-radipa01.test.ckt.gpg
>> r...@radipa01.test.ckt:/var/lib/ipa/
>>
>> then on replica start installation:
>> [root@radipa01 ~]# ipa-replica-install --setup-ca --setup-kra
>> --mkhomedir --ssh-trust-dns --ip-address=10.254.1.154 --setup-dns
>> --forwarder=77.88.8.7 --forwarder=77.88.8.3
>> /var/lib/ipa/replica-info-radipa01.test.ckt.gpg
>>
>> and!!! I have got such error:
>>   [2/23]: configuring certificate server instance
>> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to
>> configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f'
>> '/tmp/tmpvgc4S6'' returned non-zero exit status 1
>> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the
>> installation logs and the following files/directories for more information:
>> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL  
>> /var/log/pki-ca-install.log
>> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL  
>> /var/log/pki/pki-tomcat
>>   [error] RuntimeError: CA configuration failed.
>> Your system may be partly configured.
>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>
>> log file contains this error:
>> [root@radipa01 ~]# less /var/log/pki/pki-ca-spawn.2016050634.log
>> 'application_version': '[APPLICATION_VERSION]'}
>> 2016-01-11 15:06:34 pkispawn: ERROR... Deployment file could
>> not be parsed correctly.  This might be because of unescaped '%%'
>> characters.  You must escape '%%' characters in deployment files
>> (example - 'setting=foobar').
>> 2016-01-11 15:06:34 pkispawn: ERROR... Interpolation error
>> ('%' must be followed by '%' or '(', found: '%')
>>
>> I have reproduced that error several times with centos7 and fedora23
>> installations.
>>
>> I am really confused if I am doing something wrong or may it is
>> something else...
>> what it can be?
>> 
>> Best wishes!
> CCing Endi. There used to be an error: when the DM password (used also for Dogtag)
> contained special characters, the PKI installer choked on it. I could not find the
> bug number right now.

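The second pkispawn line Arthur quotes ("'%' must be followed by '%' or '(', found: ...") is Python ConfigParser's InterpolationSyntaxError: the deployment file is an INI file read with '%' interpolation enabled, so a Directory Manager password containing '%' breaks parsing unless it is written as '%%'. As an added example, not from the thread or from pki-server, the snippet below reproduces the failure with a constructed deployment fragment and password and shows the escaping the error message asks for.

```python
import configparser

# Constructed fragment in the shape of a pkispawn deployment file; the real
# file has many more keys. @PW@ is replaced with the password under test.
TEMPLATE = """\
[DEFAULT]
pki_instance_name=pki-tomcat

[CA]
pki_admin_password=@PW@
pki_ds_password=@PW@
pki_security_domain_password=@PW@
"""


def escape_for_deployment(value: str) -> str:
    """Escape a literal value for an INI file parsed with '%' interpolation."""
    return value.replace("%", "%%")


def render_deployment(password: str, escape: bool) -> str:
    """Build the deployment text with the password written raw or escaped."""
    value = escape_for_deployment(password) if escape else password
    return TEMPLATE.replace("@PW@", value)


def read_ds_password(text: str) -> str:
    """Parse the text as an interpolating ConfigParser does and return the
    directory-server password the installer would actually use."""
    parser = configparser.ConfigParser()  # BasicInterpolation: '%' is special
    parser.read_string(text)
    return parser.get("CA", "pki_ds_password")


def check_password(password: str, escape: bool) -> str:
    """Return 'ok:<value the installer sees>' or 'error:<parser message>'."""
    try:
        return "ok:" + read_ds_password(render_deployment(password, escape))
    except configparser.InterpolationError as exc:
        # InterpolationSyntaxError for a stray '%', InterpolationMissingOptionError
        # for '%(name)s' naming an option the file does not define
        return "error:" + str(exc)


if __name__ == "__main__":
    for pw in ("Secret42", "Sec%ret42", "Sec%(ret)s42"):
        for escape in (False, True):
            print(f"{pw!r:16} escape={escape!s:5} -> {check_password(pw, escape)}")
```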

[Freeipa-users] error while installing ipa-replica with ca

2016-01-11 Thread Arthur Fayzullin
Good day, Colleagues!

And Happy New Year!

I have tried to install a test stand with ipa v4.2 and 2 master-master
servers.

files /etc/hosts on both servers contain:
127.0.0.1   localhost localhost.localdomain localhost4
localhost4.localdomain4
::1 localhost localhost.localdomain localhost6
localhost6.localdomain6

10.254.1.114 radipa00.test.ckt radipa00
10.254.1.154 radipa01.test.ckt radipa01

prepare key for replica server:
[root@radipa00 ipa]# ipa-replica-prepare --ip-address=10.254.1.154
radipa01.test.ckt

copy it to replica:
[root@radipa00 ipa]# scp /var/lib/ipa/replica-info-radipa01.test.ckt.gpg
r...@radipa01.test.ckt:/var/lib/ipa/

then on replica start installation:
[root@radipa01 ~]# ipa-replica-install --setup-ca --setup-kra
--mkhomedir --ssh-trust-dns --ip-address=10.254.1.154 --setup-dns
--forwarder=77.88.8.7 --forwarder=77.88.8.3
/var/lib/ipa/replica-info-radipa01.test.ckt.gpg

and!!! I have got such error:
  [2/23]: configuring certificate server instance
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to
configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f'
'/tmp/tmpvgc4S6'' returned non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the
installation logs and the following files/directories for more information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL  
/var/log/pki-ca-install.log
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL  
/var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

log file contains this error:
[root@radipa01 ~]# less /var/log/pki/pki-ca-spawn.2016050634.log
'application_version': '[APPLICATION_VERSION]'}
2016-01-11 15:06:34 pkispawn: ERROR... Deployment file could
not be parsed correctly.  This might be because of unescaped '%%'
characters.  You must escape '%%' characters in deployment files
(example - 'setting=foobar').
2016-01-11 15:06:34 pkispawn: ERROR... Interpolation error
('%' must be followed by '%' or '(', found: '%')

I have reproduced that error several times with centos7 and fedora23
installations.

I am really confused if I am doing something wrong or may it is
something else...
what it can be?

Best wishes!

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
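The "Interpolation error ('%' must be followed by '%' or '(')" above is Python's ConfigParser rejecting a bare '%' in a deployment-file value; pkispawn reads its configuration with that parser, so any value with a literal '%' (a password, for instance) must be written as '%%'. As an added example, not code from the thread or from the pki project, the following scans a constructed deployment-file fragment (key names follow pkispawn's default.cfg, values are placeholders and not the ones that failed above) for bare '%' characters, shows that ConfigParser fails on it the way pkispawn did, and escapes them:

```python
import configparser
import re
from typing import List, Tuple

# Constructed fragment in the shape of a pkispawn deployment file. The key
# names follow pkispawn's default.cfg; the values are placeholders only.
DEPLOYMENT_BAD = """\
[DEFAULT]
pki_instance_name = pki-tomcat
pki_admin_password = Adm1n%Passw0rd
pki_ds_password = secret%%ok
pki_security_domain_name = EXAMPLE-IPA

[CA]
pki_ds_hostname = radipa01.test.ckt
pki_ca_signing_token = Internal Key Storage Token
"""

# ConfigParser treats '%%' as an escaped percent and '%(' as the start of a
# reference; any other '%' is the bare one pkispawn complains about. Matching
# left to right with alternation keeps '%%' from being read as two bare '%'.
PERCENT_TOKEN = re.compile(r"%%|%\(|%")


def _is_option_line(line: str) -> bool:
    """True for 'key = value' lines; skips blanks, comments and [section] headers."""
    stripped = line.strip()
    return bool(stripped) and stripped[0] not in "#;[" and "=" in line


def find_unescaped_percent(text: str) -> List[Tuple[int, str]]:
    """Return (line number, option name) for every value holding a bare '%'."""
    hits: List[Tuple[int, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not _is_option_line(line):
            continue
        key, _, value = line.partition("=")
        if any(m.group() == "%" for m in PERCENT_TOKEN.finditer(value)):
            hits.append((lineno, key.strip()))
    return hits


def escape_bare_percent(text: str) -> str:
    """Double every bare '%' in option values; keys, comments and headers are untouched."""
    out: List[str] = []
    for line in text.splitlines(keepends=True):
        if not _is_option_line(line):
            out.append(line)
            continue
        key, sep, value = line.partition("=")
        fixed = PERCENT_TOKEN.sub(lambda m: "%%" if m.group() == "%" else m.group(), value)
        out.append(key + sep + fixed)
    return "".join(out)


def parses_like_pkispawn(text: str) -> bool:
    """True if ConfigParser with its default (basic) interpolation accepts every value.

    read_string() alone does not interpolate; values are expanded on get(),
    which is where the 'Interpolation error' in the pkispawn log surfaces.
    """
    parser = configparser.ConfigParser()
    try:
        parser.read_string(text)
        for section in parser.sections():
            for option in parser[section]:
                parser.get(section, option)
    except configparser.Error:
        return False
    return True


if __name__ == "__main__":
    for lineno, option in find_unescaped_percent(DEPLOYMENT_BAD):
        print(f"line {lineno}: option '{option}' contains an unescaped '%'")
    print("original parses:", parses_like_pkispawn(DEPLOYMENT_BAD))
    print("escaped parses:", parses_like_pkispawn(escape_bare_percent(DEPLOYMENT_BAD)))
```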


Re: [Freeipa-users] FreeRadius and FreeIPA

2015-12-12 Thread Arthur Fayzullin
I think these are the good points to start:
https://www.eduroam.us/node/90
http://wiki.freeradius.org/modules/Rlm_krb5

If you succeed, a how-to will be awesome ;-)

09.12.2015 19:52, Randy Morgan writes:
> Hello,
>
> We are setting up our wireless to authenticate against FreeRadius and
> FreeIPA.  I am looking for any instructions on how to integrate radius
> with IPA.  We can get them talking via kerberos, but when we have a
> wireless client attempt to authenticate against them, the password
> gets stripped out and only the username gets passed on, resulting in a
> failed logon attempt.
>
> As we have studied the problem we have identified the communication
> protocols used by wireless to pass on the user credentials to radius. 
> Wireless uses EAP as it's primary protocol.  We are running Xirrus
> wireless APs and from what we can learn, they act only as a pass
> through conduit for the client.  Ideally we would like them to speak
> PEAP TTLS, this would allow kerberos to process from the client to the
> IPA server, we are still researching this.
>
> Are there any instructions on how to integrate FreeRadius 3.0.10 with
> FreeIPA 3.3.5?  Any help would be appreciated.
>
> Randy
>


Re: [Freeipa-users] some documentation issues

2015-05-11 Thread Arthur Fayzullin
On Mon, 11/05/2015 at 11:35 -0400, Dmitri Pal writes:
> AFAIR some time ago we stopped fetching host cert by default. There was 
> no use of it so we decided not issue a cert that has not practical use.
> 
> -- 
> Thank you,
> Dmitri Pal
> 
> Director of Engineering for IdM portfolio
> Red Hat, Inc.
> 

Yes, I have noticed it from the reference Debian installation and from EL7 & Fedora
installations. But this step is present in the documentation, and it contains a
mistake.

Also, I have one question about
/etc/ipa/default.conf
file.

it looks something like this:
[global]
basedn = dc=,dc=
realm = 
domain = 
server = .
xmlrpc_uri = https://./ipa/xml
enable_ra = True

Is there any way to configure it for HA, in case one FreeIPA server
replica goes down?



[Freeipa-users] some documentation issues

2015-05-11 Thread Arthur Fayzullin
Have a nice day!

I think that I have found some things that are misrepresented or missing in the
documentation.
I have tried to configure debian jessie as a freeipa client. This has been done 
in 2 ways:

* reference installation:
I have installed freeipa-client package from sid and configured host by running 
ipa-client-install command.

* manual installation:
I have installed packages that've been installed as dependencies during 
reference installation. And I have done steps described here:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/linux-manual.html
Everything seems to work fine (and even sudo rules) except one thing: I could not
get a host certificate via certmonger.
Comparing to the reference installation, I have found that ipa-client-install also
creates one more config file:
/etc/ipa/default.conf
but this step is not described in the documentation, so this is missing.
Another thing that I think contains a mistake:
according to documentation I should give this command to get host-certificate:

# ipa-getcert request -d /etc/pki/nssdb -n Server-Cert -K 
HOST/ipaclient.example.com -N 'CN=ipaclient.example.com,O=EXAMPLE.COM'

and we can see that 'HOST' is capitalised, but it should be in lowercase.

Thanks for reading!




Re: [Freeipa-users] Fedora Core IPTables or FirewallID?

2014-08-27 Thread Arthur Fayzullin
I've got something like this:

$ sudo firewall-cmd --permanent --list-all
[sudo] password for afayzullin:
public (default)
  interfaces:
  sources:
  services: dhcpv6-client dns http https kerberos kpasswd ldap ldaps ntp ssh
  ports: 7389/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

26.08.2014 20:37, Mark Heslin writes:
> Chris,
>
> My understanding is that firewalld "services" are where we're heading
> but I'm not entirely
> sure how much or how little of these are fully supported/available yet.
>
> I've copied Thomas - he'll know :-)
>
> -m
>
>
>
> On 08/26/2014 10:26 AM, Chris Whittle wrote:
>> Here is what I found that seems to work from
>> http://adam.younglogic.com/2013/04/firewall-d-for-freeipa/
>>
>> It only has to be ran once...
>>
>> cat >/etc/firewalld/services/kerberos.xml <> 
>> 
>>   kerberos
>>   Kerberos
>>   
>>   
>> 
>> EOD
>>
>>   cat >/etc/firewalld/services/kpasswd.xml <> 
>> 
>>   kpasswd
>>   kpasswd
>>   
>>   
>> 
>> EOD
>>
>>   cat >/etc/firewalld/services/ldap.xml <> 
>> 
>>   ldap
>>   Lightweight Directory Access Protocol
>>   
>> 
>> EOD
>>
>>   cat >/etc/firewalld/services/ldaps.xml <> 
>> 
>>   ldaps
>>   Lightweight Directory Access Protocol over
>> SSL
>>   
>> 
>> EOD
>>
>>   firewall-cmd --permanent --zone=public --add-service=dns
>>   firewall-cmd --permanent --zone=public --add-service=http
>>   firewall-cmd --permanent --zone=public --add-service=https
>>   firewall-cmd --permanent --zone=public --add-service=kerberos
>>   firewall-cmd --permanent --zone=public --add-service=kpasswd
>>   firewall-cmd --permanent --zone=public --add-service=ldap
>>   firewall-cmd --permanent --zone=public --add-service=ldaps
>>   firewall-cmd --permanent --zone=public --add-service=ntp
>>   firewall-cmd --reload
>>
>>
>>
>> On Tue, Aug 26, 2014 at 9:22 AM, Mark Heslin wrote:
>>
>> Hi Chris,
>>
>> Take a look at the attached snippet - it will walk you through
>> configuring firewalld
>> with named chains on RHEL 7. You don't have to use named chains
>> but makes managing
>> multiple chains cleaner. Do make sure you 'mask' iptables - only
>> using 'disable' can still cause
>> conflicts in some circumstances.
>>
>> This is extracted from the recently published reference
>> architecture "Integrating OpenShift Enterprise
>> with IdM in RHEL 7":
>>
>>https://access.redhat.com/articles/1155603 (The redhat.com
>>  links are not yet in place).
>>
>> The context here was for an IdM server but I also used the same
>> approach for the IdM replica
>> and RHEL 7 clients.
>>
>> hth,
>>
>> -m
>>
>>
>>
>> On 08/25/2014 10:22 PM, Chris Whittle wrote:
>>> I've got my server up and running great with one exception every
>>> time I reboot I have to login and flush the iptables or nothing
>>> can connect.
>>>
>>> I've found a ton of fixes and none seem to work, I'm on FC20
>>> does anyone have experience with it and wouldn't mind helping?
>>>
>>>
>>
>>
>> -- 
>>
>> Red Hat Reference Architectures
>>
>> Follow Us: https://twitter.com/RedHatRefArch
>> Plus Us: https://plus.google.com/u/0/b/114152126783830728030/
>> Like Us: https://www.facebook.com/rhrefarch
>>
>>

-- 
Best regards, Arthur Fayzullin

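The quoted snippet creates four firewalld service definitions by hand and then enables the services an IPA server zone needs; the XML bodies did not survive the mail archive. As an added example, not code from the thread, the following regenerates those definitions (with the well-known Kerberos, kpasswd, LDAP and LDAPS ports) and checks a `firewall-cmd --permanent --list-all` dump, copied from the post above as sample input, for missing IPA services. Recent firewalld releases ship these four service definitions already, so on a current system only the check is needed.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Set, Tuple

# Services the working zone in the thread carries for an IPA server (taken from
# the `firewall-cmd --permanent --list-all` output above); dhcpv6-client and
# ssh serve the host itself, not IPA, so they are not required here.
IPA_SERVICES: Set[str] = {"dns", "http", "https", "kerberos", "kpasswd", "ldap", "ldaps", "ntp"}

# Definitions for the four services the quoted snippet writes to
# /etc/firewalld/services/. Ports are the well-known ones for each protocol.
SERVICE_DEFS: Dict[str, Tuple[str, List[Tuple[str, str]]]] = {
    "kerberos": ("Kerberos", [("88", "tcp"), ("88", "udp")]),
    "kpasswd": ("kpasswd", [("464", "tcp"), ("464", "udp")]),
    "ldap": ("Lightweight Directory Access Protocol", [("389", "tcp")]),
    "ldaps": ("Lightweight Directory Access Protocol over SSL", [("636", "tcp")]),
}

# Constructed copy of the zone dump posted in the thread.
LIST_ALL_OUTPUT = """\
public (default)
  interfaces:
  sources:
  services: dhcpv6-client dns http https kerberos kpasswd ldap ldaps ntp ssh
  ports: 7389/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
"""


def service_xml(name: str) -> str:
    """Render the firewalld service file for one entry of SERVICE_DEFS."""
    description, ports = SERVICE_DEFS[name]
    root = ET.Element("service")
    ET.SubElement(root, "short").text = name
    ET.SubElement(root, "description").text = description
    for port, protocol in ports:
        ET.SubElement(root, "port", protocol=protocol, port=port)
    return '<?xml version="1.0" encoding="utf-8"?>\n' + ET.tostring(root, encoding="unicode")


def ports_in_xml(xml_text: str) -> Set[str]:
    """Read 'port/proto' pairs back out of a firewalld service definition."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    return {f"{p.get('port')}/{p.get('protocol')}" for p in root.findall("port")}


def parse_list_all(output: str) -> Dict[str, Set[str]]:
    """Turn `firewall-cmd --list-all` output into {field: set of tokens}."""
    fields: Dict[str, Set[str]] = {}
    for line in output.splitlines()[1:]:  # first line is the zone header
        key, sep, value = line.strip().partition(":")
        if sep:
            fields[key] = set(value.split())
    return fields


def missing_ipa_services(output: str) -> Set[str]:
    """Services an IPA server zone needs that the dump does not list."""
    return IPA_SERVICES - parse_list_all(output).get("services", set())


if __name__ == "__main__":
    print("missing IPA services:", missing_ipa_services(LIST_ALL_OUTPUT) or "none")
    print("extra open ports:", parse_list_all(LIST_ALL_OUTPUT).get("ports"))
    print(service_xml("kerberos"))
```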

Re: [Freeipa-users] Install FreeIPA 4 on ubuntu

2014-08-22 Thread Arthur Fayzullin
Can confirm that does work :)

21.08.2014 12:40, Lukas Slebodnik writes:
> On (20/08/14 20:27), Chris Whittle wrote:
>> Is there instructions anywhere?  My FreeIPA 3 on CentOS died so I'm
>> starting over
> You can try FreeIPA 3.3. on CentOS 7
>
> bash-4.2# yum info ipa-server
> Loaded plugins: fastestmirror
> Loading mirror speeds from cached hostfile
>  * base: mirror.raystedman.net
>  * extras: mirror.solarvps.com
>  * updates: centos.mirror.constant.com
> Available Packages
> Name: ipa-server
> Arch: x86_64
> Version : 3.3.3
> Release : 28.el7.centos
> Size: 1.2 M
> Repo: base/7/x86_64
> Summary : The IPA authentication server
> URL : http://www.freeipa.org/
> License : GPLv3+
> Description : IPA is an integrated solution to provide centrally managed
> : Identity (machine, user, virtual machines, groups, 
> authentication
> : credentials), Policy (configuration settings, access control
> : information) and Audit (events, logs, analysis thereof). If you
> : are installing an IPA server you need to install this package 
> (in
> : other words, most people should NOT install this package).
>
> LS
>

-- 
Best regards, Arthur Fayzullin


Re: [Freeipa-users] IPA-server and containers

2014-06-10 Thread Arthur Fayzullin
Running IPA as a bunch of containers can reduce size of each one. Of
course then total size will be much greater.

10.06.2014 18:10, Jan Pazdziora writes:
> On Tue, Jun 10, 2014 at 05:27:40PM +0600, Arthur Fayzullin wrote:
>> HI!
>> Alexandr, I've seen Your presentation at RedHat forum. Very good
>> presentation! :)
>> I've got a question about FreeIPA from that presentation. Of course
>> question is not only for You.
>> So, the question:
>> Are there any plans for integration freeipa-server with containers?
>> * working freeipa as a single container;
> We have testing FreeIPA in Fedora 20 container at
>
>   https://registry.hub.docker.com/u/adelton/fedora20-freeipa-server/
>
> However, at this point the size of that image is over 1.2 GB so we
> were not announcing it yet as we try to find ways to make the image
> smaller and thus more easily consumable.
>

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

[Freeipa-users] IPA-server and containers

2014-06-10 Thread Arthur Fayzullin
HI!
Alexandr, I've seen Your presentation at RedHat forum. Very good
presentation! :)
I've got a question about FreeIPA from that presentation. Of course
question is not only for You.
So, the question:
Are there any plans for integration freeipa-server with containers?
* working freeipa as a single container;
* working freeipa as a bunch of containers (ldap-containers,
dns-containers, dogtag-containers and other components containers).

-- 
Best regards, Arthur Fayzullin


Re: [Freeipa-users] DDNS with DHCPD and IPA

2014-04-09 Thread Arthur Fayzullin
If this
http://www.freeipa.org/page/Howto/ISC_DHCPd_and_Dynamic_DNS_update is it,
then it is not easy to understand what it is about.
Here, in the mailing list, it was much more understandable.

10.04.2014 00:20, Dmitri Pal writes:
> On 04/09/2014 11:58 AM, Andy Tomlin wrote:
>> Ok, I added a howto page
>
> Thanks
> Martin, should be link it from HowTo page?
>>
>>
>> On Fri, Apr 4, 2014 at 5:51 PM, Andy Tomlin wrote:
>>
>> Remove foot from mouth... sure.
>>
>> -Original Message-
>> From: freeipa-users-boun...@redhat.com
>> 
>> [mailto:freeipa-users-boun...@redhat.com
>> ] On Behalf Of Dmitri Pal
>> Sent: Friday, April 4, 2014 4:45 PM
>> To: freeipa-users@redhat.com 
>> Subject: Re: [Freeipa-users] DDNS with DHCPD and IPA
>>
>> On 04/03/2014 07:50 PM, Andy Tomlin wrote:
>> > Awesome, adding the grant line with my key (DDNS_UPDATE) did the
>> > trick. This makes it perform exactly like old config.
>> >
>> > Thanks for the help. Someone should put this example in the docs.
>>
>> Would you mind writing a HowTo on our wiki?
>>
>> >
>> > -Original Message-
>> > From: freeipa-users-boun...@redhat.com
>> 
>> > [mailto:freeipa-users-boun...@redhat.com
>> ] On Behalf Of William Brown
>> > Sent: Thursday, April 3, 2014 3:29 PM
>> > To: freeipa-users@redhat.com 
>> > Subject: Re: [Freeipa-users] DDNS with DHCPD and IPA
>> >
>> > On Thu, 2014-04-03 at 11:02 -0700, Andy Tomlin wrote:
>> >> That would be my preference, would then work same as bind/dhcpd
>> >> before switching to ipa. I just dont know how to do it correctly.
>> >>
>> >>
>> > This assumes dhcp and named are on the same system.
>> >
>> > For an unrelated project I wrote some docs here:
>> >
>> >
>> http://tollgate.readthedocs.org/en/3.0.1/fedora-deploy.html#core-netwo
>> > rk
>> >
>> > And the example config files referenced are:
>> >
>> >
>> https://github.com/micolous/tollgate/tree/master/docs/example/fedora
>> >
>> > The important parts are:
>> >
>> > rndc-confgen -a -r keyboard -b 256
>> > chown named:named /etc/rndc.key
>> >
>> > In named.conf add after the options section:
>> >
>> > include "/etc/rndc.key";
>> >
>> > In the zone (In ipa you will need to add this permission)
>> >
>> > grant rndc-key wildcard * ANY;
>> >
>> > Then in dhcpd:
>> >
>> >
>> > include "/etc/rndc.key";
>> >
>> > And to the dhcpd range:
>> >
>> >
>> >   zone dhcp.example.lan. {
>> >   primary 127.0.0.1;
>> >   key "rndc-key";
>> >   }
>> >
>> >
>> >   zone 0.4.10.in-addr.arpa. {
>> >   primary 127.0.0.1;
>> >   key "rndc-key";
>> >   }
>> >
>> >
>> > This should coexist peacefully with freeipa, but try to make
>> sure your
>> > DDNS updated zone is say dhcp.example.com
>>  rather than a zone you care
>> about.
>> > Consider you have a domain controller called x.example.com
>> , and you
>> > allow DDNS to example.com . If someone set
>> their hostname to x, they
>> > could take over the DNS records for your DC. Better to have a
>> second
>> > zone to prevent this.
>> >
>> > --
>> > William Brown
>> >
>>
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager IdM portfolio
>> Red Hat, Inc.
>>
>>
>>
>
>


Re: [Freeipa-users] sssd off after authconfig update

2014-03-24 Thread Arthur Faizullin
FIX! Sssd keeps running after I've done this command, but anyway I have
to do:
# chkconfig sssd on
or it will not start at next boot.

24.03.2014 19:11, Arthur Faizullin writes:
> OK! Everything works right!
> 29.12.2013 13:13, Arthur writes:
>> Ok. I'll try to check that. I am away right now.
>> 26.12.2013 10:19, Christian Horn writes:
>>> Hi,
>>>
>>> On Thu, Dec 26, 2013 at 11:59:28AM +0600, Arthur Faizullin wrote:
>>>> As I mentioned earlier in my previous topic, when I do:
>>>> # authconfig --enablemkhomedir --update
>>>> that somehow makes sssd off (disables autostart), so I should do:
>>>> # chkconfig sssd on
>>>> os: EL6 (CentOS)
>>>> ipa version: 3.0 (from repository)
>>>> That is not a big problem, but anyway that is not right.
>>>> If it is normal way, then it is not mentioned in documentation.
>>> Well, when calling authconfig you do not provide any new data
>>> (IPA servers or such) which could be used by sssd.  Is the following
>>> leaving sssd enabled?
>>>
>>> # authconfig --enablemkhomedir --enablesssd --update
>>>
>>>
>>> Christian
>>>


Re: [Freeipa-users] sssd off after authconfig update

2014-03-24 Thread Arthur Faizullin
OK! Everything works right!
29.12.2013 13:13, Arthur writes:
> Ok. I'll try to check that. I am away right now.
> 26.12.2013 10:19, Christian Horn writes:
>> Hi,
>>
>> On Thu, Dec 26, 2013 at 11:59:28AM +0600, Arthur Faizullin wrote:
>>> As I mentioned earlier in my previous topic, when I do:
>>> # authconfig --enablemkhomedir --update
>>> that somehow makes sssd off (disables autostart), so I should do:
>>> # chkconfig sssd on
>>> os: EL6 (CentOS)
>>> ipa version: 3.0 (from repository)
>>> That is not a big problem, but anyway that is not right.
>>> If it is normal way, then it is not mentioned in documentation.
>> Well, when calling authconfig you do not provide any new data
>> (IPA servers or such) which could be used by sssd.  Is the following
>> leaving sssd enabled?
>>
>> # authconfig --enablemkhomedir --enablesssd --update
>>
>>
>> Christian
>>


Re: [Freeipa-users] About Windows client

2014-03-22 Thread Arthur

Dmitri Pal wrote:

On 03/20/2014 11:15 PM, Arthur Faizullin wrote:

HI!
I've got some thoughts on the 4th point: there is the pGina project at http://pgina.org/,
maybe they are able to do such a thing.


Yes pgina is one of the options.
Someone would have to take it and integrate with MIT Kerberos for 
Windows if it is not already doing so.
But I suspect that it would be more a project in itself that would 
leverage code from MIT and may be pgina to integrate different parts.
The biggest part figuring out the domain affiliation. I mean the use 
cases like this:
a) The system is domainless but user authentictaes with user name and 
password against IPA
b) The system is domainless but user authentictaes with user name and 
OTP against IPA
c) The system is in an AD domain trusted by IdM domain but user 
authenticates with user name and password against IPA because he is in 
IdM domain.
d) The system is in an AD domain trusted by IdM domain but user 
authenticates with user name and password against IPA because he is in 
IdM domain.


More to research. We can help with guidance if someone wants to run 
with it.


Thanks
Dmitri



20.02.2014 04:23, Dmitri Pal writes:

Hello,

I want to summarize our position regarding joining Windows systems
into IPA.

1) If you already have AD we recommend using this system with AD and
using trusts between AD and IPA.
2) If you do not have AD then use Samba 4 instead of it. It would be
great when Samba 4 grows capability to establish trusts. Right now it
can't but there is an effort going on. If you are interested - please
contribute.
3) If neither of the two options work for you you can configure
Windows system to work directly with IPA as described on the wiki. It
is an option of last resort because IPA does not provide the services
windows client expects. If this is good enough for you, fine by us.
4) Build a native Windows client (cred provider) for IPA using latest
Kerberos. IMO this would be really useful if someone does that because
we will not build this ourselves. With the native OTP support in IPA
it becomes a real business opportunity to provide a native 2FA inside
enterprise across multiple platforms. But please do it open source way
otherwise we would not recommend you ;-)






My friend agreed to try. He is a C# programmer. But the problem is that he has
little knowledge of Kerberos and GSSAPI, and I could not tell him what is
wrong with the current pGina LDAP plugin.
He does not want to subscribe to the FreeIPA mailing lists, so maybe I shall
give him your (Dmitri) e-mail?

He speaks Russian :)


Re: [Freeipa-users] SSSD Failover does not work

2014-03-20 Thread Arthur Faizullin
Will it be represented in the documentation & wiki? :)

25.02.2014 18:33, Jakub Hrozek writes:
> On Tue, Feb 25, 2014 at 10:28:19AM +0100, Stanislav Zidek wrote:
>>> Date: Fri, 17 Jan 2014 09:46:08 -0500
>>> From: Dmitri Pal 
>>> To: freeipa-users@redhat.com
>>> Subject: Re: [Freeipa-users] SSSD Failover does not work
>>> Message-ID: <52d94230.6080...@redhat.com>
>>> Content-Type: text/plain; charset=ISO-8859-1
>>>
>>> You would need to up the debug_level to 6 on SSSD, restart it, then
>>> simulate the situation and provide sanitized logs and sssd configuration
>>> file.
>> Hi and sorry for late reply, I've been ill and then lots of work waited
>> for me ;)
>>
>> I tried to further debug the issue and I was able to make it work by
>> adding the second ipa server also to directives ldap_uri and krb5_server
>> (it was probably my mistake to put it only to ipa_server) - of course in
>> /etc/sssd/sssd.conf
>>
>> Here is my working /etc/sssd/sssd.conf in case anyone finds it useful
>> (or someone has a comment - feel free to tell me how to make things better):
>>
>> [domain/kajot.cz]
>>
>> cache_credentials = True
>> krb5_store_password_if_offline = True
>> ipa_domain = kajot.cz
>> id_provider = ipa
>> auth_provider = ipa
>> access_provider = ipa
>> ldap_tls_cacert = /etc/ipa/ca.crt
>> ipa_hostname = <<>>
>> chpass_provider = ipa
>> ipa_server = id1.kajot.cz, id2.kajot.cz
>>
>> # For the SUDO integration
>> sudo_provider = ldap
>> ldap_uri = ldap://id1.kajot.cz, ldap://id2.kajot.cz
>> ldap_sudo_search_base = ou=sudoers,dc=kajot,dc=cz
>> ldap_sasl_mech = GSSAPI
>> ldap_sasl_authid = host/redmine.kajot.cz
>> ldap_sasl_realm = KAJOT.CZ
>> krb5_server = id1.kajot.cz, id2.kajot.cz
>>
>>
>> ldap_sudo_smart_refresh_interval = 120
>> ldap_sudo_full_refresh_interval = 300
>>
>> [sssd]
>> services = nss, pam, ssh, sudo
>> config_file_version = 2
>>
>> domains = kajot.cz
>>
>> [nss]
>>
>> [pam]
>>
>> [sudo]
>>
>> [autofs]
>>
>> [ssh]
>>
>> [pac]
>>
>>
>> P.S. I hope it gets posted to the right place, Thunderbird and digest
>> mode is probably not very good combination.. If it goes wrong, sorry in
>> advance.
>>
>> S.
>>
> Ah, I didn't realize you were mixing several provider types. It's the
> right thing to do for sudo intergration with RHEL-6, unfortunately.
>
> In 6.6 there will be (and there already is in 7.0 and upstream 1.9.6 and
> later) a native sudo_provider=ipa so you'll be able to streamline your
> configuration even more.
>

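The fix Stanislav describes, naming the second replica in ldap_uri and krb5_server as well as in ipa_server, is easy to get wrong again when a replica is added later, because with sudo_provider = ldap those directives do not inherit the ipa_server list. As an added example, not code from the thread or from SSSD itself, the following cross-checks those directives in his posted sssd.conf (copied here as sample input, with the ipa_hostname placeholder filled in from the ldap_sasl_authid line) and in a variant that reproduces the original mistake:

```python
import configparser
from typing import Dict, List, Set
from urllib.parse import urlparse

# Constructed copy of the working sssd.conf posted in the thread.
SSSD_CONF_OK = """\
[domain/kajot.cz]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = kajot.cz
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
ipa_hostname = redmine.kajot.cz
chpass_provider = ipa
ipa_server = id1.kajot.cz, id2.kajot.cz

# For the SUDO integration
sudo_provider = ldap
ldap_uri = ldap://id1.kajot.cz, ldap://id2.kajot.cz
ldap_sudo_search_base = ou=sudoers,dc=kajot,dc=cz
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/redmine.kajot.cz
ldap_sasl_realm = KAJOT.CZ
krb5_server = id1.kajot.cz, id2.kajot.cz
ldap_sudo_smart_refresh_interval = 120
ldap_sudo_full_refresh_interval = 300

[sssd]
services = nss, pam, ssh, sudo
config_file_version = 2
domains = kajot.cz

[nss]

[pam]

[sudo]

[ssh]
"""

# The same file as it was before the fix: the second replica only in ipa_server.
SSSD_CONF_BROKEN = SSSD_CONF_OK.replace(
    "ldap_uri = ldap://id1.kajot.cz, ldap://id2.kajot.cz", "ldap_uri = ldap://id1.kajot.cz"
).replace("krb5_server = id1.kajot.cz, id2.kajot.cz", "krb5_server = id1.kajot.cz")

# Directives that must name every replica when they are set next to ipa_server.
CROSS_CHECKED = ("ldap_uri", "krb5_server")


def _hosts(value: str) -> Set[str]:
    """'ldap://id1.kajot.cz, id2.kajot.cz:88' -> {'id1.kajot.cz', 'id2.kajot.cz'}."""
    hosts: Set[str] = set()
    for item in (part.strip() for part in value.split(",")):
        if not item:
            continue
        if "://" in item:
            hosts.add((urlparse(item).hostname or "").lower())
        else:
            hosts.add(item.split(":")[0].lower())
    return hosts


def check_failover(conf_text: str) -> Dict[str, Dict[str, List[str]]]:
    """Return {domain: {directive: [replicas missing from it]}}; empty means consistent."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    report: Dict[str, Dict[str, List[str]]] = {}
    for section in parser.sections():
        if not section.startswith("domain/"):
            continue
        domain = parser[section]
        if domain.get("id_provider") != "ipa" or "ipa_server" not in domain:
            continue
        ipa_hosts = _hosts(domain["ipa_server"])
        ipa_hosts.discard("_srv_")  # SRV discovery is not a host to look for
        missing: Dict[str, List[str]] = {}
        for directive in CROSS_CHECKED:
            if directive not in domain:
                continue  # directive unset: nothing to cross-check here
            hosts = _hosts(domain[directive])
            if "_srv_" in hosts:
                continue  # SRV discovery covers every replica
            gap = sorted(ipa_hosts - hosts)
            if gap:
                missing[directive] = gap
        if missing:
            report[section[len("domain/"):]] = missing
    return report


if __name__ == "__main__":
    print("posted config:", check_failover(SSSD_CONF_OK) or "consistent")
    print("before the fix:", check_failover(SSSD_CONF_BROKEN))
```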

Re: [Freeipa-users] About Windows client

2014-03-20 Thread Arthur Faizullin
HI!
I've got some thoughts on the 4th point: there is the pGina project at http://pgina.org/,
maybe they are able to do such a thing.

20.02.2014 04:23, Dmitri Pal writes:
> Hello,
>
> I want to summarize our position regarding joining Windows systems
> into IPA.
>
> 1) If you already have AD we recommend using this system with AD and
> using trusts between AD and IPA.
> 2) If you do not have AD then use Samba 4 instead of it. It would be
> great when Samba 4 grows capability to establish trusts. Right now it
> can't but there is an effort going on. If you are interested - please
> contribute.
> 3) If neither of the two options work for you you can configure
> Windows system to work directly with IPA as described on the wiki. It
> is an option of last resort because IPA does not provide the services
> windows client expects. If this is good enough for you, fine by us.
> 4) Build a native Windows client (cred provider) for IPA using latest
> Kerberos. IMO this would be really useful if someone does that because
> we will not build this ourselves. With the native OTP support in IPA
> it becomes a real business opportunity to provide a native 2FA inside
> enterprise across multiple platforms. But please do it open source way
> otherwise we would not recommend you ;-)
>
>


Re: [Freeipa-users] sssd off after authconfig update

2013-12-28 Thread Arthur
Ok. I'll try to check that. I am away right now.
26.12.2013 10:19, Christian Horn writes:
> Hi,
>
> On Thu, Dec 26, 2013 at 11:59:28AM +0600, Arthur Faizullin wrote:
>> As I mentioned earlier in my previous topic, when I do:
>> # authconfig --enablemkhomedir --update
>> that somehow makes sssd off (disables autostart), so I should do:
>> # chkconfig sssd on
>> os: EL6 (CentOS)
>> ipa version: 3.0 (from repository)
>> That is not a big problem, but anyway that is not right.
>> If it is normal way, then it is not mentioned in documentation.
> Well, when calling authconfig you do not provide any new data
> (IPA servers or such) which could be used by sssd.  Is the following
> leaving sssd enabled?
>
> # authconfig --enablemkhomedir --enablesssd --update
>
>
> Christian
>


[Freeipa-users] sssd off after authconfig update

2013-12-25 Thread Arthur Faizullin
Hi!

As I mentioned earlier in my previous topic, when I do:
# authconfig --enablemkhomedir --update
that somehow makes sssd off (disables autostart), so I should do:
# chkconfig sssd on
os: EL6 (CentOS)
ipa version: 3.0 (from repository)
That is not a big problem, but anyway that is not right.
If it is normal way, then it is not mentioned in documentation.

Is it something to open bug-report? (and what is it about: documentation
or software?)
_
Best regards, Arthur Fayzullin


Re: [Freeipa-users] reboot required after ipa-client-install?

2013-11-07 Thread Arthur
I do not know, maybe I am wrong somewhere, but I did not do anything extra 
with the config files, just ran ipa-client-install and everything 
seemed to work fine.

That worked for F17, F18, F19 with ipa-server on CentOS 6.3 & 6.4.

Jakub Hrozek wrote:

On Thu, Nov 07, 2013 at 09:44:21AM +0200, Alexander Bokovoy wrote:

On Wed, 06 Nov 2013, Dean Hunter wrote:


After building a new VM and configuring the IPA 3.3.2 client, Gnome
seems to only perform a local log-in until the system is rebooted. SSH
works with IPA, but not Gnome. Is this correct? Is there anything less
disruptive than a reboot that I can do?

Restart gdm.service?
I'm not sure how gdm handles PAM auth.

I think the reason is actually nsswitch.conf, not PAM. Usually
applications need to be restarted in order to notice changes to
nsswitch.conf. That's also the reason why recent Fedora releases put
"sss" to nsswitch.conf by default.





Re: [Freeipa-users] reboot required after ipa-client-install?

2013-11-06 Thread Arthur Faizullin
I have not rebooted the whole machine. Everything worked fine.
Maybe just try to restart gdm?
# systemctl restart gdm.service

On Wed, 06/11/2013 at 22:13 -0600, Dean Hunter writes:
> After building a new VM and configuring the IPA 3.3.2 client, Gnome
> seems to only perform a local log-in until the system is rebooted. SSH
> works with IPA, but not Gnome. Is this correct? Is there anything less
> disruptive than a reboot that I can do?
> 



Re: [Freeipa-users] question about generating certificates

2013-11-06 Thread Arthur Faizullin
I have found what that means. It is again something with access rights.
Rob Crittenden says that it is better to generate
certificates at:
/etc/pki/tls/private/postgresql.key
/etc/pki/tls/certs/postgresql.crt
and if the owner of these files is postgres then postgresql starts well,
but I do not know if certmonger will keep tracking these files in case
the owner is changed.

On Thu, 07/11/2013 at 10:49 +0600, Arthur Faizullin writes:
> On Wed, 06/11/2013 at 14:52 +0200, Alexander Bokovoy writes:
> > On Wed, 06 Nov 2013, Arthur Faizullin wrote:
> > >Исаев Виталий Анатольевич has given me advice that the
> > >problem may be in SELinux.
> > >so I have stopped tracking the previous request by
> > >$ sudo ipa-getcert stop-tracking -i 20131106075356
> > >
> > >and have generated a new request
> > ># ipa-getcert request -f /var/lib/certmonger/requests/server.crt
> > >-k /var/lib/certmonger/requests/server.key -K
> > >postgresql/postgresql.example.com -N CN=postgresql.example.com -D
> > >postgresql.example.com
> > >
> > >that made desired files to appear at /var/lib/certmonger/requests/
> > >that is okay! :)
> > >but! I want them in /var/lib/pgsql/9.3/data/
> > >so what is the problem? why not just copy them at that directory?
> > >the problem is that when I list cert requests, I see this:
> > >Request ID '20131106113520':
> > >   status: MONITORING
> > >   stuck: no
> > >   key pair storage:
> > >type=FILE,location='/var/lib/certmonger/requests/server.key'
> > >   certificate:
> > >type=FILE,location='/var/lib/certmonger/requests/server.crt'
> > >   CA: IPA
> > >   issuer: CN=Certificate Authority,O=EXAMPLE.COM
> > >   subject: CN=postgresql.example.com,O=EXAMPLE.COM
> > >   expires: 2015-11-07 11:35:20 UTC
> > >   eku: id-kp-serverAuth,id-kp-clientAuth
> > >   pre-save command:
> > >   post-save command:
> > >   track: yes
> > >   auto-renew: yes
> > >
> > >we can see that file location in that list is defined at request time.
> > >
> > >Shall I make Selinux to let certmonger to access /var/lib/pgsql ? or is
> > >there any other solution?
> > certmonger does run under certmonger_t SELinux type and system_r role.
> > It can already write to file contexts named certmonger_*_t and cert_t. For
> > storing certificates you would need to use cert_t file context.
> > 
> > mkdir -p /var/lib/pgsql/9.3/data/certs
> > semanage fcontext -a -t cert_t  '/var/lib/pgsql/9.3/data/certs(/.*)?'
> > restorecon -R -v /var/lib/pgsql/9.3/data/certs
> > 
> > I would advise you against placing the files directly in
> > /var/lib/pgsql/9.3/data as opposed to the subdirectory. It is safer to
> > specify path to the certificate in pgsql configuration.
> 
> I have tried it, but I still get this answer:
> # ipa-getcert request -f /var/lib/pgsql/9.3/data/certs/server.crt
> -k /var/lib/pgsql/9.3/data/certs/server.key -K
> postgresql/postgresql.example.com -N CN=postgresql.example.com -D
> postgresql.example.com
> The parent of location "/var/lib/pgsql/9.3/data/certs/server.crt" must
> be a valid directory.
> 
> What does "valid directory" mean?
> 
> > 
> > >And I think that there must be a note in the documentation about such
> > >situations with Selinux.
> > Yes. You can also install selinux-policy-devel package and read
> > certmonger_selinux (8) manpage.
> > 
> > Can you open a ticket against FreeIPA documentation.
> 
> Is bug opened by Dmitri Pal enough?
> https://bugzilla.redhat.com/show_bug.cgi?id=1027265
> > 
> 
> 
> ___
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users



Re: [Freeipa-users] question about generating certificates

2013-11-06 Thread Arthur Faizullin
I have done as you said!
# ipa-getcert request -f /etc/pki/tls/certs/postgresql.crt
-k /etc/pki/tls/private/postgresql.key -K
postgresql/postgresql.example.com -N CN=postgresql.example.com -D
postgresql.example.com

# ipa-getcert list
Request ID '20131107050729':
status: MONITORING
stuck: no
key pair storage:
type=FILE,location='/etc/pki/tls/private/postgresql.key'
certificate: type=FILE,location='/etc/pki/tls/certs/postgresql.crt'
CA: IPA
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=postgresql.example.com,O=EXAMPLE.COM
expires: 2015-11-08 05:07:29 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: 
post-save command: 
track: yes
auto-renew: yes

at startup I get such errors:
< 2013-11-07 12:06:58.997 YEKT >FATAL:  could not load server
certificate file "/etc/pki/tls/certs/postgresql.crt": Permission denied
< 2013-11-07 12:10:23.550 YEKT >FATAL:  could not load server
certificate file "/etc/pki/tls/certs/postgresql.crt": Permission denied

but after I've changed owner:
# chown postgres /etc/pki/tls/certs/postgresql.crt
# chown postgres /etc/pki/tls/private/postgresql.key
# ll /etc/pki/tls/certs/postgresql.crt 
-rw---. 1 postgres root 1318 Ноя  7
11:07 /etc/pki/tls/certs/postgresql.crt
# ll /etc/pki/tls/private/postgresql.key 
-rw---. 1 postgres root 1704 Ноя  7
11:07 /etc/pki/tls/private/postgresql.key

it seems to be starting well!
But since I've changed the owner of the key file and certificate file, will
certmonger still be monitoring these files?


On Thu, 07/11/2013 at 10:53 +0600, Arthur Faizullin wrote:
> On Wed, 06/11/2013 at 08:44 -0500, Rob Crittenden wrote:
> > Dmitri Pal wrote:
> > > On 11/06/2013 07:01 AM, Arthur Faizullin wrote:
> > >> Исаев Виталий Анатольевич has given me advice that the
> > >> problem may be in SELinux.
> > >> so I have stopped tracking the previous request by
> > >> $ sudo ipa-getcert stop-tracking -i 20131106075356
> > >>
> > >> and have generated a new request
> > >> # ipa-getcert request -f /var/lib/certmonger/requests/server.crt
> > >> -k /var/lib/certmonger/requests/server.key -K
> > >> postgresql/postgresql.example.com -N CN=postgresql.example.com -D
> > >> postgresql.example.com
> > >>
> > >> that made the desired files appear in /var/lib/certmonger/requests/
> > >> that is okay! :)
> > >> but! I want them in /var/lib/pgsql/9.3/data/
> > >> so what is the problem? why not just copy them to that directory?
> > >> the problem is that when I list cert requests, I see this:
> > >> Request ID '20131106113520':
> > >>  status: MONITORING
> > >>  stuck: no
> > >>  key pair storage:
> > >> type=FILE,location='/var/lib/certmonger/requests/server.key'
> > >>  certificate:
> > >> type=FILE,location='/var/lib/certmonger/requests/server.crt'
> > >>  CA: IPA
> > >>  issuer: CN=Certificate Authority,O=EXAMPLE.COM
> > >>  subject: CN=postgresql.example.com,O=EXAMPLE.COM
> > >>  expires: 2015-11-07 11:35:20 UTC
> > >>  eku: id-kp-serverAuth,id-kp-clientAuth
> > >>  pre-save command:
> > >>  post-save command:
> > >>  track: yes
> > >>  auto-renew: yes
> > >>
> > >> we can see that the file location in that list is defined at request time.
> > >>
> > >> Shall I make SELinux let certmonger access /var/lib/pgsql? or is
> > >> there any other solution?
> > >
> > > I think yes. And I recall this is not the first time this comes up.
> > > My memory might be failing me but I vaguely remember that we discussed 
> > > this.
> > > However I could not find any bug or ticket on the matter so I created this
> > > https://bugzilla.redhat.com/show_bug.cgi?id=1027265
> > 
> > Typically in Fedora and RHEL certs are expected to go into 
> > /etc/pki/tls/certs and keys into /etc/pki/tls/private. These directories 
> > have the correct SELinux contexts.
> > 
> > rob
> 
> as with the krb5 keytab, which is recommended to be kept in a specified directory
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/services.html
> I thought that SSL keys also should be kept in a specified directory.
> 
> > 
> 
> 



Re: [Freeipa-users] question about generating certificates

2013-11-06 Thread Arthur Faizullin
On Wed, 06/11/2013 at 08:44 -0500, Rob Crittenden wrote:
> Dmitri Pal wrote:
> > On 11/06/2013 07:01 AM, Arthur Faizullin wrote:
> >> Исаев Виталий Анатольевич has given me advice that the
> >> problem may be in SELinux.
> >> so I have stopped tracking the previous request by
> >> $ sudo ipa-getcert stop-tracking -i 20131106075356
> >>
> >> and have generated a new request
> >> # ipa-getcert request -f /var/lib/certmonger/requests/server.crt
> >> -k /var/lib/certmonger/requests/server.key -K
> >> postgresql/postgresql.example.com -N CN=postgresql.example.com -D
> >> postgresql.example.com
> >>
> >> that made the desired files appear in /var/lib/certmonger/requests/
> >> that is okay! :)
> >> but! I want them in /var/lib/pgsql/9.3/data/
> >> so what is the problem? why not just copy them to that directory?
> >> the problem is that when I list cert requests, I see this:
> >> Request ID '20131106113520':
> >>status: MONITORING
> >>stuck: no
> >>key pair storage:
> >> type=FILE,location='/var/lib/certmonger/requests/server.key'
> >>certificate:
> >> type=FILE,location='/var/lib/certmonger/requests/server.crt'
> >>CA: IPA
> >>issuer: CN=Certificate Authority,O=EXAMPLE.COM
> >>subject: CN=postgresql.example.com,O=EXAMPLE.COM
> >>expires: 2015-11-07 11:35:20 UTC
> >>eku: id-kp-serverAuth,id-kp-clientAuth
> >>pre-save command:
> >>post-save command:
> >>track: yes
> >>auto-renew: yes
> >>
> >> we can see that the file location in that list is defined at request time.
> >>
> >> Shall I make SELinux let certmonger access /var/lib/pgsql? or is
> >> there any other solution?
> >
> > I think yes. And I recall this is not the first time this comes up.
> > My memory might be failing me but I vaguely remember that we discussed this.
> > However I could not find any bug or ticket on the matter so I created this
> > https://bugzilla.redhat.com/show_bug.cgi?id=1027265
> 
> Typically in Fedora and RHEL certs are expected to go into 
> /etc/pki/tls/certs and keys into /etc/pki/tls/private. These directories 
> have the correct SELinux contexts.
> 
> rob

as with the krb5 keytab, which is recommended to be kept in a specified directory
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/services.html
I thought that SSL keys also should be kept in a specified directory.

> 



Re: [Freeipa-users] question about generating certificates

2013-11-06 Thread Arthur Faizullin
On Wed, 06/11/2013 at 14:52 +0200, Alexander Bokovoy wrote:
> On Wed, 06 Nov 2013, Arthur Faizullin wrote:
> >Исаев Виталий Анатольевич has given me advice that the
> >problem may be in SELinux.
> >so I have stopped tracking the previous request by
> >$ sudo ipa-getcert stop-tracking -i 20131106075356
> >
> >and have generated a new request
> ># ipa-getcert request -f /var/lib/certmonger/requests/server.crt
> >-k /var/lib/certmonger/requests/server.key -K
> >postgresql/postgresql.example.com -N CN=postgresql.example.com -D
> >postgresql.example.com
> >
> >that made the desired files appear in /var/lib/certmonger/requests/
> >that is okay! :)
> >but! I want them in /var/lib/pgsql/9.3/data/
> >so what is the problem? why not just copy them to that directory?
> >the problem is that when I list cert requests, I see this:
> >Request ID '20131106113520':
> > status: MONITORING
> > stuck: no
> > key pair storage:
> >type=FILE,location='/var/lib/certmonger/requests/server.key'
> > certificate:
> >type=FILE,location='/var/lib/certmonger/requests/server.crt'
> > CA: IPA
> > issuer: CN=Certificate Authority,O=EXAMPLE.COM
> > subject: CN=postgresql.example.com,O=EXAMPLE.COM
> > expires: 2015-11-07 11:35:20 UTC
> > eku: id-kp-serverAuth,id-kp-clientAuth
> > pre-save command:
> > post-save command:
> > track: yes
> > auto-renew: yes
> >
> >we can see that the file location in that list is defined at request time.
> >
> >Shall I make SELinux let certmonger access /var/lib/pgsql? or is
> >there any other solution?
> certmonger does run under certmonger_t SELinux type and system_r role.
> It can already write to file contexts named certmonger_*_t and cert_t. For
> storing certificates you would need to use cert_t file context.
> 
> mkdir -p /var/lib/pgsql/9.3/data/certs
> semanage fcontext -a -t cert_t  '/var/lib/pgsql/9.3/data/certs(/.*)?'
> restorecon -R -v /var/lib/pgsql/9.3/data/certs
> 
> I would advise you against placing the files directly in
> /var/lib/pgsql/9.3/data as opposed to the subdirectory. It is safer to
> specify path to the certificate in pgsql configuration.

I have tried it, but I still get this answer:
# ipa-getcert request -f /var/lib/pgsql/9.3/data/certs/server.crt
-k /var/lib/pgsql/9.3/data/certs/server.key -K
postgresql/postgresql.example.com -N CN=postgresql.example.com -D
postgresql.example.com
The parent of location "/var/lib/pgsql/9.3/data/certs/server.crt" must
be a valid directory.

What does "valid directory" mean?

> 
> >And I think that there must be a note in the documentation about such
> >situations with SELinux.
> Yes. You can also install selinux-policy-devel package and read
> certmonger_selinux (8) manpage.
> 
> Can you open a ticket against FreeIPA documentation.

Is the bug opened by Dmitri Pal enough?
https://bugzilla.redhat.com/show_bug.cgi?id=1027265
> 



Re: [Freeipa-users] question about generating certificates

2013-11-06 Thread Arthur Faizullin
Исаев Виталий Анатольевич has given me advice that the
problem may be in SELinux.
so I have stopped tracking the previous request by
$ sudo ipa-getcert stop-tracking -i 20131106075356

and have generated a new request
# ipa-getcert request -f /var/lib/certmonger/requests/server.crt
-k /var/lib/certmonger/requests/server.key -K
postgresql/postgresql.example.com -N CN=postgresql.example.com -D
postgresql.example.com

that made the desired files appear in /var/lib/certmonger/requests/
that is okay! :)
but! I want them in /var/lib/pgsql/9.3/data/
so what is the problem? why not just copy them to that directory?
the problem is that when I list cert requests, I see this:
Request ID '20131106113520':
status: MONITORING
stuck: no
key pair storage:
type=FILE,location='/var/lib/certmonger/requests/server.key'
certificate:
type=FILE,location='/var/lib/certmonger/requests/server.crt'
CA: IPA
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=postgresql.example.com,O=EXAMPLE.COM
expires: 2015-11-07 11:35:20 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: 
post-save command: 
track: yes
auto-renew: yes

we can see that the file location in that list is defined at request time.

Shall I make SELinux let certmonger access /var/lib/pgsql? or is
there any other solution?

And I think that there must be a note in the documentation about such
situations with SELinux.

On Wed, 06/11/2013 at 14:16 +0600, Arthur Faizullin wrote:
> Hi, everyone!
> I feel very uncomfortable asking this question, since usually I
> find the documentation easy to understand and read. (Thanks for that!)
> But there is a point that I could not understand.
> That point is generating certificates using the IPA CA.
> I have read about this:
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/request-service-service.html
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/certmongerX.html
> https://git.fedorahosted.org/cgit/certmonger.git/tree/doc/getting-started.txt
> but I did not get the point! :(
> So, I have built a test environment as shown in the attached document; if you
> need details, you may look at it.
> In short I have 2 servers:
> 1. IPA-server: ipaserver.example.com
> 2. PostgreSQL-server: postgresql.example.com
> PostgreSQL was chosen as an example (neither bad nor good)
> and I try to generate a key & certificate:
> 
> $ sudo ipa-getcert request -f /home/tuser/server.crt
> -k /home/tuser/server.key -K postgresql/postgresql.example.com -N
> CN=postgresql.example.com -D postgresql.example.com
> 
> I get this answer:
> 
> New signing request "20131106075356" added.
> 
> But what to do with this answer? I can get a list of requests, but that
> does not make it clearer:
> 
> $ ipa-getcert list
> Error connecting to DBus.
> Please verify that the message bus (D-Bus) service is running.
> [tuser@postgresql ~]$ sudo ipa-getcert list
> Number of certificates and requests being tracked: 2.
> Request ID '20131101115647':
>   status: MONITORING
>   stuck: no
>   key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA
> Machine Certificate - postgresql.example.com',token='NSS Certificate DB'
>   certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine
> Certificate - postgresql.example.com',token='NSS Certificate DB'
>   CA: IPA
>   issuer: CN=Certificate Authority,O=EXAMPLE.COM
>   subject: CN=postgresql.example.com,O=EXAMPLE.COM
>   expires: 2015-11-02 11:56:48 UTC
>   eku: id-kp-serverAuth,id-kp-clientAuth
>   pre-save command: 
>   post-save command: 
>   track: yes
>   auto-renew: yes
> Request ID '20131106075356':
>   status: NEED_KEY_PAIR
>   stuck: no
>   key pair storage: type=FILE,location='/home/tuser/server.key'
>   certificate: type=FILE,location='/home/tuser/server.crt'
>   CA: IPA
>   issuer: 
>   subject: 
>   expires: unknown
>   pre-save command: 
>   post-save command: 
>   track: yes
>   auto-renew: yes
> 
> __
> Best regards, Arthur Fayzullin



Re: [Freeipa-users] Redhat IPA as a SSL CA

2013-10-15 Thread Arthur Faizullin
Is it
http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
about the same?

В Пт, 19/07/2013 в 10:56 +0530, M.R Niranjan пишет:
> On 07/19/2013 06:57 AM, craig.free...@noboost.org wrote:
> > Hi,
> > 
> > I've been using Redhat IPA 2.2 as our internal CA quite successfully
> > for a while and managing it from the IPA management website. 
> > 
> > I'm struggling to find precise information about the SSL certs and
> > management at a CLI level.
> > 
> > 1) Can I submit SSL CSR via cli?
> Yes, you could, using the ipa cert-request command
> 
> Example:
> 
> 1. Add the host for which you are generating request.
> 
> # ipa host-add webserver1.example.org
> 
> 2. Create a CSR (i.e private key and certificate request using openssl
> command)
> 
>   A. Generate private key:
> 
>   [root@test1 certs]# openssl genrsa 1024 > server.key
> 
>   B. Generate CSR:
> 
>   [root@test1 certs]#  openssl req -new -key server.key -out server.csr
> 
> 3. Submit the certificate request:
> 
> # ipa cert-request /etc/pki/tls/certs/server.csr
> 
> 4. Get the signed Certificate out using ipa cert-show command
> 
> Example:
> [root@test1 certs]# ipa cert-show 12 --out=/etc/pki/tls/certs/server.crt
> 
> > 2) Where are the approved client SSL certs kept in IPA?
> > 
> 
> They are stored in Directory Server in 2 places
> 
> 1. Domain Suffix tree
> dn:fqdn=webserver1.example.org,cn=computers,cn=accounts,dc=example,dc=org
> 
> 2. CA store in DS. The certificate system of IPA stores certificates in its
> ldap store (ou=certificateRepository,ou=ca,o=ipaca)
> 
> 
> > 
> > cya
> > 
> > Craig
> > 
> > 
> 
> 



Re: [Freeipa-users] freeipa-client on Debian Wheezy

2013-07-18 Thread Arthur
On Fri, 12 Jul 2013 19:57:09 +0200
Alexandre Ellert wrote:

> Thanks for pointing out that bug, compilation succeeded after adding
> "X-Python-Version: 2.7" to the debian/control file. Now, testing
> functionality... I can give you some feedback if you want (I'm new
> here. Are there only RHEL/Fedora users on this mailing list?)
> 
> On 12 Jul 2013 at 19:36, Alexander Bokovoy
> wrote:
> 
> > On Fri, 12 Jul 2013, Alexandre Ellert wrote:
> >> Hi,
> >> 
> >> I'm currently trying to get a functional .deb package working on
> >> Debian Wheezy. I have tried to recompile a package from Ubuntu
> >> Precise (https://launchpad.net/~freeipa/+archive/ppa) without
> >> success.
> >> 
> >> First error was about compiling ipa-join :
> >> ipa-join.c: In function ‘callRPC’:
> >> ipa-join.c:174:20: error: ‘struct xmlrpc_curl_xportparms’ has no
> >> member named ‘gssapi_delegation’ => Fix : Add
> >> backport-gssapi-delegation.patch to package xmlrpc-c and then
> >> install resulting libxmlrpc-core-c3-dev.deb and
> >> libxmlrpc-core-c3.deb
> >> 
> >> Now, recompile again with new patched libxmlrpc-core-c3...
> >> compilation go further, but I'm stuck at the end of process of
> >> building .deb : dh_install --list-missing dh_install:
> >> usr/share/man/man1/ipa-client-automount.1.gz exists in debian/tmp
> >> but is not installed to anywhere dh_install:
> >> usr/sbin/ipa-client-automount exists in debian/tmp but is not
> >> installed to anywhere make[1]: quittant le répertoire
> >> « /root/freeipa-ppa/freeipa-3.2.0 » dh_install dh_installdocs
> >> dh_installchangelogs dh_installexamples
> >>  dh_installman
> >>  dh_installcatalogs
> >>  dh_installcron
> >>  dh_installdebconf
> >>  dh_installemacsen
> >>  dh_installifupdown
> >>  dh_installinfo
> >>  dh_python2
> >> E: dh_python2:145: extension for python2.6 is missing. Build
> >> extensions for all supported Python versions (`pyversions -vr`) or
> >> adjust X-Python-Version field or pass --no-guessing-versions to
> >> dh_python2 make: *** [binary] Erreur 3 dpkg-buildpackage: erreur:
> >> debian/rules binary a produit une erreur de sortie de type 2
> >> 
> >> Any idea or advice about how to backport freeipa-client to
> >> wheezy?
> > Perhaps, you can fix it in a manner similar to
> > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=628827
> > 
> > -- 
> > / Alexander Bokovoy
> 
> 

That is great! I have to use some Debian servers. It would be good to
add them to the IPA domain :)


Re: [Freeipa-users] question about bind 10 plans

2013-07-02 Thread Arthur

On 29.04.2013 15:09, Артур Файзуллин wrote:

On Mon., 29/04/2013 at 09:48 +0200, Petr Spacek wrote:

On 29.4.2013 08:40, Артур Файзуллин wrote:

On Mon., 29/04/2013 at 08:11 +0300, Alexander Bokovoy wrote:

Bind 10 module is on our radar.

There is not much to add. I'm in touch with one Bind 10 developer and we are
discussing various possibilities of integration.

Let me know if you are interested in alpha/beta testing. I will send you an
e-mail as soon as we have some testable code.


Yes, I am interested in that :)
Now I have some resources to do that; I do not know about the future, but
now I do :)

I am even interested in just the bind10 LDAP backend, not already an
IPA server with bind10.



Re: [Freeipa-users] FreeIPA as Samba 4 Backend

2013-07-02 Thread Arthur

On 28.06.2013 18:57, Simo Sorce wrote:

On Fri, 2013-06-28 at 14:09 +0800, Mail Robot wrote:

Hi everyone,


I am new to this mailing list.


At the moment I would like to migrate all of my users from Microsoft
Active Directory to Open Source, and what I have in mind is getting it
into Samba 4.


In extending the functionality of it, I decided to integrate FreeIPA
as the backend to Samba 4.


I saw some obsolete references on how to use FreeIPA as a Samba 4
backend, but I don't know where the new references are.


Herewith I would seek advice on how to go about my mission.

Sorry to foil your plans but FreeIPA cannot be used as an LDAP backend to
Samba4.
We abandoned that path a few years ago as it became clear it was highly
unlikely it would work.

What we've done is that we changed our integration strategy and
introduced cross-realm trusts that would work with Active Directory. In the
future this should work also with Samba4, but Samba4 code base currently
lacks support for cross-forest trusts.

Simo.

Does it mean that I cannot make a cross-realm trust between an IPA server and a
Samba4 server at this time?



Re: [Freeipa-users] NFS Auto-Mount Home Directories

2013-05-12 Thread Arthur

On 11.05.2013 21:23, Dean Hunter wrote:

Please help me find instructions on configuring NFS auto-mount user home
directories. The FreeIPA Guide very carefully says:

   IMPORTANT
   FreeIPA does not set up or configure autofs. That must be done
   separately. FreeIPA works with an existing autofs deployment.

I have a couple of problems trying to configure autofs:

1) I cannot load an existing home directory on a client onto the NFS
server and retain all the SELinux attributes.

2) An SELinux problem prevents oddjob_mkhomedir from creating an NFS
home directory for a new user.

I have opened bug reports, but I was hoping that I was making obvious
mistakes that a documented procedure would illuminate.



Maybe I did not get your question, but look here
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/automount.html


Re: [Freeipa-users] Getting Samba to authenticate against FreeIPA

2013-03-23 Thread Arthur Fayzullin

On 24.03.2013 04:27, Martin wrote:

Hello, apologize if this is a faq.

We're trying to set up a file server that authenticates all users against
a FreeIPA-server. The systems are up to date CentOS 6 machines and
everything works just swell for logins and NFS4-mounts. However, we're
completely stuck on samba.

We've tried to figure out how to make a samba 3 use PAM, ldap or
whatever (and that way authenticate towards FreeIPA) and right now we're
trying Samba 4 because we hoped that would be simpler. So far we're out
of luck.

What we want is just a stand-alone samba server (there are no Windows
servers on this network) that is connected to FreeIPA. It sounds like a
pretty basic thing to get to work, but apparently that's not the case.

...help? Maybe someone has a working config they could share?

/Martin


This is about Samba shares, but maybe it can help
https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/cifs.html


[Freeipa-users] libsssd_sudo as dependency to ipa-client

2013-03-21 Thread Arthur Fayzullin

HI!
I have configured sssd_sudo integration on EL6.4 and it works nicely!
But then I've checked this:
[afaizullin@domen00 ~]$ sudo package-cleanup --leaves
[sudo] password for afaizullin:
Loaded plugins: fastestmirror
libertas-usb8388-firmware-5.110.22.p23-3.1.el6.noarch
libhugetlbfs-utils-2.12-2.el6.x86_64
libsss_sudo-1.9.2-82.4.el6_4.x86_64
libtopology-0.3-7.el6.x86_64
libunistring-0.9.3-5.el6.x86_64

so if I or someone else activates the yum "clean_requirements_on_remove" 
option, there is a probability that the libsss_sudo package will be removed as 
an orphaned dependency.
That is why I think that this package should be a dependency of the 
ipa-client package.

