Re: [Freeipa-users] Can freeIPA work without Kerberos and DNS

2015-03-30 Thread Andrew Holway
Hi, As far as I understand it Kerberos service tickets are granted for a user to access a particular principal (host/service@REALM) and cannot be reused. Kerberos uses symmetric key cryptography so, if someone were able to access the memory of the machine, then they may indeed be able to snoop

Re: [Freeipa-users] Can freeIPA work without Kerberos and DNS

2015-03-30 Thread Petr Spacek
On 30.3.2015 09:28, Andrew Holway wrote: Hi, As far as I understand it Kerberos service tickets are granted for a user to access a particular principal (host/service@REALM) and cannot be reused. Kerberos uses symmetric key cryptography so, if someone were able to access the memory of the

Re: [Freeipa-users] Can freeIPA work without Kerberos and DNS

2015-03-30 Thread Martin Basti
On 30/03/15 04:27, Gokulnath wrote: Thanks for getting back. 1. As security Kerberos can ticket and in memory can be taken and that session key Can be used to gain access every where. Primarily this because the plan is to use the solution in cloud. 2. Can I disable DNS as well? And have IPA

Re: [Freeipa-users] IPA Client using Source Code

2015-03-30 Thread Jakub Hrozek
On Mon, Mar 30, 2015 at 02:18:00PM +0530, Yogesh Sharma wrote: Hi List, We have trying to install IPA-Client using source code. Why? While installing we are seeing many error out of which most are resolved but stuck at below while doing make. Is there any suggestion to get out of it. I

Re: [Freeipa-users] IPA Client using Source Code

2015-03-30 Thread Jakub Hrozek
On Mon, Mar 30, 2015 at 02:53:39PM +0530, Yogesh Sharma wrote: Hi Jakub: FreeIPA package is not available in Amazon Linux running on EC2 Instance. We tried to install individually packages but it is breaking at many place. It is not 1.x. We had a directory with this name and I extracted

Re: [Freeipa-users] ipa-cliebt-automount problem

2015-03-30 Thread Günther J. Niederwimmer
Hello, Am Sonntag, 29. März 2015, 22:25:07 schrieb Rob Crittenden: Dmitri Pal wrote: On 03/29/2015 06:00 PM, Günther J. Niederwimmer wrote: Hello, My automount is not working correct? I have a centos 7 with cr Update, this is IPA 4.1 and sssd 1.12 I have this Error in the logs

Re: [Freeipa-users] AD users and IPA's sudo

2015-03-30 Thread Jakub Hrozek
On Mon, Mar 30, 2015 at 08:09:43AM +, Alexander Frolushkin wrote: Hello everyone. We have a IPA 3 and AD domain trust. Users from AD successfully logs on to linux servers via ssh and hbac rules works fine with external groups. But not a sudo rules. When rule defines as 'who' IPA users

Re: [Freeipa-users] IPA Client using Source Code

2015-03-30 Thread Natxo Asenjo
On Mon, Mar 30, 2015 at 10:48 AM, Yogesh Sharma yks0...@gmail.com wrote: Hi List, We have trying to install IPA-Client using source code. While installing we are seeing many error out of which most are resolved but stuck at below while doing make. Is there any suggestion to get out of it.

Re: [Freeipa-users] IPA Client using Source Code

2015-03-30 Thread Yogesh Sharma
Sure. Best Regards, Yogesh Sharma Email: yks0...@gmail.com | Web: www.initd.in RHCE, VCE-CIA, RackSpace Cloud U My LinkedIn Profile: http://in.linkedin.com/in/yks On Mon, Mar 30, 2015 at 3:05

[Freeipa-users] AD users and IPA's sudo

2015-03-30 Thread Alexander Frolushkin
Hello everyone. We have a IPA 3 and AD domain trust. Users from AD successfully logs on to linux servers via ssh and hbac rules works fine with external groups. But not a sudo rules. When rule defines as 'who' IPA users rule works well. If it is defines external group for corresponding AD group

Re: [Freeipa-users] Ubuntu sssd client -- FreeIPA Server fed from AD

2015-03-30 Thread Jakub Hrozek
On Mon, Mar 30, 2015 at 05:36:00AM +0100, g.fer.or...@unicyber.co.uk wrote: Hey Guys Not sure if I am missing any bit but this was the thing in the end: http://generations.menteyarte.org/archives/195-freeipa-server-and-SSSD-on-Ubuntu.html I managed to have it working and I have

[Freeipa-users] IPA Client using Source Code

2015-03-30 Thread Yogesh Sharma
Hi List, We have trying to install IPA-Client using source code. While installing we are seeing many error out of which most are resolved but stuck at below while doing make. Is there any suggestion to get out of it. I will update if I found anything. gcc -DHAVE_CONFIG_H -I. -I. -I.

Re: [Freeipa-users] IPA Client using Source Code

2015-03-30 Thread Yogesh Sharma
Hi Jakub: FreeIPA package is not available in Amazon Linux running on EC2 Instance. We tried to install individually packages but it is breaking at many place. It is not 1.x. We had a directory with this name and I extracted the tar in same folder hence showing like this :). We are using 3.0.2

Re: [Freeipa-users] Can freeIPA work without Kerberos and DNS

2015-03-30 Thread Dmitri Pal
On 03/29/2015 10:27 PM, Gokulnath wrote: Thanks for getting back. 1. As security Kerberos can ticket and in memory can be taken and that session key Can be used to gain access every where. Primarily this because the plan is to use the solution in cloud. You can use Kerberos in the cloud. It

Re: [Freeipa-users] Additional pre-authentication required, Ticket Wrong ?

2015-03-30 Thread Dmitri Pal
On 03/29/2015 10:56 PM, Matt . wrote: Hi, I just got home and am typing from my cell so I'm quite short in words Create keytab for ldap-01.domain Kinit with that to ldap.domain Curl against ldap.domain Get a 301 which I manage from curl (goes well) Get kerberos ticket error now I don't kinit

Re: [Freeipa-users] Can freeIPA work without Kerberos and DNS

2015-03-30 Thread Gokulnath
Thanks for the update. The reason for weigh in the Kerberos option is to have that as an option to disable if needed, security is more important. I had to say this because there was a question on why I would disable it. I agree that the otp should definitely provide some additional layer of

Re: [Freeipa-users] Additional pre-authentication required, Ticket Wrong ?

2015-03-30 Thread Sumit Bose
On Mon, Mar 30, 2015 at 04:56:11AM +0200, Matt . wrote: Hi, I just got home and am typing from my cell so I'm quite short in words Create keytab for ldap-01.domain Kinit with that to ldap.domain Curl against ldap.domain Get a 301 which I manage from curl (goes well) Get kerberos ticket

[Freeipa-users] Troubleshooting SSO

2015-03-30 Thread Gould, Joshua
SSO works intermittently. I’m having trouble tracing the issue. Here is what I see from /var/log/secure. Where should I look for more detail to figure out why the SSO login is failing? Mar 30 08:47:39 mid-ipa-vp01 sshd[9317]: Starting session: shell on pts/0 for root from 10.34.149.105 port

Re: [Freeipa-users] Troubleshooting SSO

2015-03-30 Thread Sumit Bose
On Mon, Mar 30, 2015 at 09:08:54AM -0400, Gould, Joshua wrote: SSO works intermittently. I’m having trouble tracing the issue. Here is what I see from /var/log/secure. Where should I look for more detail to figure out why the SSO login is failing? assuming you have a valid Kerberos ticket

Re: [Freeipa-users] Troubleshooting SSO

2015-03-30 Thread Gould, Joshua
I configured the .k5login per the RH docs. $ cat .k5login adm-faru03@TEST.OSUWMC TEST.OSUWMC\adm-faru03 $ I upped the debugging to DEBUG3 but I can't make sense of the error. Can you help? I'm getting better but I can't get this one yet. Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: Connection

Re: [Freeipa-users] Ubuntu sssd client -- FreeIPA Server fed from AD

2015-03-30 Thread Lukas Slebodnik
On (30/03/15 05:36), g.fer.or...@unicyber.co.uk wrote: Hey Guys Not sure if I am missing any bit but this was the thing in the end: http://generations.menteyarte.org/archives/195-freeipa-server-and-SSSD-on-Ubuntu.html I managed to have it working and I have documented all those nasty bits

Re: [Freeipa-users] anonymous binds limits?

2015-03-30 Thread Janelle
For LDAP-only clients, I see an issue with performance on the dirsrv backends, and much of it has to do with 2 things: 1. Anonymous binds (1000's because of 7000+ hosts) 2. unindexed searches -- perhaps the biggest problem and working on troubleshooting that and figuring out how to fix it.

Re: [Freeipa-users] IPA Client using Source Code

2015-03-30 Thread Gokulnath
Yes that's right, Fedora works great. Gokul Sent from iPhone On Mar 30, 2015, at 4:35 AM, Jakub Hrozek jhro...@redhat.com wrote: On Mon, Mar 30, 2015 at 02:53:39PM +0530, Yogesh Sharma wrote: Hi Jakub: FreeIPA package is not available in Amazon Linux running on EC2 Instance. We tried

Re: [Freeipa-users] Troubleshooting SSO

2015-03-30 Thread Jan Pazdziora
On Mon, Mar 30, 2015 at 09:08:54AM -0400, Gould, Joshua wrote: SSO works intermittently. I’m having trouble tracing the issue. Here is what I see from /var/log/secure. Where should I look for more detail to figure out why the SSO login is failing? What OS versions is this and how was the

Re: [Freeipa-users] Freeipa Server down !!

2015-03-30 Thread Martin Kosek
On 03/30/2015 04:23 AM, Rob Crittenden wrote: Dmitri Pal wrote: On 03/29/2015 06:35 AM, Peter Fern wrote: On 29/03/15 05:46, Rob Crittenden wrote: Should be back up now. rob Appears to be dead again. It is in fact down again. The quota is exceeded in the openshift gear. I cleaned up

Re: [Freeipa-users] Troubleshooting SSO

2015-03-30 Thread Sumit Bose
On Mon, Mar 30, 2015 at 10:09:00AM -0400, Gould, Joshua wrote: I configured the .k5login per the RH docs. $ cat .k5login adm-faru03@TEST.OSUWMC TEST.OSUWMC\adm-faru03 The second line is not needed. Please note that .k5login must only be read-writable for the owner. Can you check by calling

Re: [Freeipa-users] Troubleshooting SSO

2015-03-30 Thread Gould, Joshua
It's actually my IPA server which is also a client, so both are 7.1. My memory is fuzzy as far as the client on the server. Isn't it setup already as part of the server install? On 3/30/15, 10:45 AM, Jan Pazdziora jpazdzi...@redhat.com wrote: On Mon, Mar 30, 2015 at 09:08:54AM -0400, Gould,

Re: [Freeipa-users] Ubuntu sssd client -- FreeIPA Server fed from AD

2015-03-30 Thread Gonzalo Fernandez Ordas
Hi Jakub Yes, I can also include that. The configuration I was showing was a simple one, mainly I focused on the library set as it is usually the most problematic part in old distributions, but I will also include your comment as indeed makes more sense. As I was suggesting in the post, sssd

Re: [Freeipa-users] Ubuntu sssd client -- FreeIPA Server fed from AD

2015-03-30 Thread Gonzalo Fernandez Ordas
Yes, you are right. I was using the enumerate on my testing I forgot to disable the enumerate when I was templating the configuration. On 30/03/2015 07:21, Lukas Slebodnik wrote: On (30/03/15 05:36), g.fer.or...@unicyber.co.uk wrote: Hey Guys Not sure if I am missing any bit but this was

Re: [Freeipa-users] Troubleshooting SSO

2015-03-30 Thread Gould, Joshua
Sorry I mis-read your question! We're trying SSO from the test domain controller via ssh (putty) to the test IPA server. Unix.test.osuwmc is the IPA realm. Test.osuwmc is the AD realm. IPA server is RHEL 7.1 Windows AD DC is Windows Server 2008 R2 They have a two way trust and we're mapping

Re: [Freeipa-users] IPA Client using Source Code

2015-03-30 Thread Gonzalo Fernandez Ordas
You need the development package. that should be popt-devel If you are still using amazon you have to modify the sources to include the devel Otherwise if you feel very crafty you can get to a site such us: http://rpm.pbone.net/ and look for the relevant development package which got the

Re: [Freeipa-users] Troubleshooting SSO

2015-03-30 Thread Jan Pazdziora
On Mon, Mar 30, 2015 at 11:04:58AM -0400, Gould, Joshua wrote: We're trying SSO from the test domain controller via ssh (putty) to the test IPA server. Unix.test.osuwmc is the IPA realm. Test.osuwmc is the AD realm. IPA server is RHEL 7.1 Windows AD DC is Windows Server 2008 R2 They

Re: [Freeipa-users] Troubleshooting SSO

2015-03-30 Thread Jan Pazdziora
On Mon, Mar 30, 2015 at 10:50:11AM -0400, Gould, Joshua wrote: It's actually my IPA server which is also a client, so both are 7.1. My memory is fuzzy as far as the client on the server. Isn't it setup already as part of the server install? So you are logging in from the server to the server?

[Freeipa-users] FreeIPA with Active directory Read-only domain controller trust setup

2015-03-30 Thread Srdjan Dutina
Hi, I'm testing FreeIPA (v4.1.3, Centos 7) - AD (2012 R2) trust on branch site where only AD read-only domain controller (RODC) exists. I'm aware that for initial establishing of trust I need access to writable domain controller so IPA can add trust to AD domains and trusts. But after initial

Re: [Freeipa-users] Troubleshooting SSO

2015-03-30 Thread Gould, Joshua
The include is there: # head /etc/krb5.conf includedir /var/lib/sss/pubconf/krb5.include.d/ [logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log [libdefaults] default_realm = UNIX.TEST.OSUWMC dns_lookup_realm = true # ls -l

[Freeipa-users] Centralized logging/audit - looking for use cases or experience

2015-03-30 Thread Martin Kosek
Hello list! I have recently started investigating FreeIPA and centralized logging/audit, capturing, processing and visualization of the logs centrally in an ELK instance or similar. This is a pretty loaded topic, audit/centralized log processing is a big task beyond IPA itself, which is also one

Re: [Freeipa-users] Troubleshooting SSO

2015-03-30 Thread Gould, Joshua
On 3/30/15, 11:56 AM, Dmitri Pal d...@redhat.com wrote: # auth_to_local = RULE:[1:$1@$0](^.*@TEST.OSUWMC$)s/@TEST.OSUWMC/@test.osuwmc/ auth_to_local = RULE:[1:$1 $0](^ * TEST.OSUWMC$)s/@TEST.OSUWMC/@test.osuwmc/ If you use the plugin then this RULE should not be needed. Have you tried

Re: [Freeipa-users] anonymous binds limits?

2015-03-30 Thread Gokulnath
Perform vlv indexing on those attributes and tune the directory for memory. Gokul Sent from iPhone On Mar 30, 2015, at 11:02 AM, Rob Crittenden rcrit...@redhat.com wrote: Dmitri Pal wrote: On 03/30/2015 10:15 AM, Janelle wrote: For LDAP-only clients, I see an issue with performance on the

Re: [Freeipa-users] IPA Client using Source Code

2015-03-30 Thread Yogesh Sharma
Thanks Sir. Best Regards, Yogesh Sharma Email: yks0...@gmail.com | Web: www.initd.in RHCE, VCE-CIA, RackSpace Cloud U My LinkedIn Profile: http://in.linkedin.com/in/yks On Mon, Mar 30, 2015 at

Re: [Freeipa-users] Additional pre-authentication required, Ticket Wrong ?

2015-03-30 Thread Matt .
Hi, I tried to trace some stuff but this doesn't give me much more info. What I see at the moment in the /var/log/httpd/acces_log is exactly what happens but without the info I need to get a better view: 10.10.0.121 - - [30/Mar/2015:22:22:58 +0200] POST /ipa/json HTTP/1.1 301 258 10.10.0.121 -

Re: [Freeipa-users] anonymous binds limits?

2015-03-30 Thread Dmitri Pal
On 03/30/2015 10:15 AM, Janelle wrote: For LDAP-only clients, I see an issue with performance on the dirsrv backends, and much of it has to do with 2 things: 1. Anonymous binds (1000's because of 7000+ hosts) 2. unindexed searches -- perhaps the biggest problem and working on troubleshooting

Re: [Freeipa-users] Troubleshooting SSO

2015-03-30 Thread Dmitri Pal
On 03/30/2015 11:17 AM, Gould, Joshua wrote: The include is there: # head /etc/krb5.conf includedir /var/lib/sss/pubconf/krb5.include.d/ [logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log [libdefaults] default_realm =

Re: [Freeipa-users] anonymous binds limits?

2015-03-30 Thread Rob Crittenden
Dmitri Pal wrote: On 03/30/2015 10:15 AM, Janelle wrote: For LDAP-only clients, I see an issue with performance on the dirsrv backends, and much of it has to do with 2 things: 1. Anonymous binds (1000's because of 7000+ hosts) 2. unindexed searches -- perhaps the biggest problem and working

Re: [Freeipa-users] FreeIPA with Active directory Read-only domain controller trust setup

2015-03-30 Thread Dmitri Pal
On 03/30/2015 11:12 AM, Srdjan Dutina wrote: Hi, I'm testing FreeIPA (v4.1.3, Centos 7) - AD (2012 R2) trust on branch site where only AD read-only domain controller (RODC) exists. I'm aware that for initial establishing of trust I need access to writable domain controller so IPA can add